Cellebrite UFED, Version 1.1.7.6 Evaluation Report
Contents
1. Bed Configuration section on page 5. Data types listed: Call history (Received, Dialed, Missed); Audio; Video; Pictures and images; Ringtones; Phone details (IMEI/ESN, phone number). The Cellebrite UFED system comes complete with a user-friendly PC reporting and analysis software application. Easy-to-analyze report logs can be generated in HTML, XLS, CSV and XML formats, providing organized printouts for use as a reference and in the courtroom. The UFED Report Manager software on your PC creates detailed reports of the extracted data that can be used as evidence. Reports include full extraction details as well as MD5 hash information. Special Features: Cellebrite's industry expertise provides reliability and ease of use, and ensures the broadest support for handset varieties, including updates for newly released models even before they are available in the market. Portable and easy to operate, the UFED can be used in the forensic lab as well as in the field. The UFED is a handheld device without the need for a PC in the field. The ruggedized version comes with a hard-sided case and battery power for even greater mobility and flexibility, and is fully loaded with all needed accessories. Target Customers: The target customers for the UFED are state and local law enforcement organizations that have an interest in the forensic examination of cellphones. The UFED is a forensic acquisition tool that provides reports in an eas
2. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 93 113 as instructed by the UFED and pressed the right arrow to Start. 6. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the physical dump. Results of Physical Dump: The physical dump was completed successfully and an image of the phone's flash memory was created. Extract Passwords: The following steps were performed to extract passwords. 1. Selected Extract Passwords from the UFED main menu and pressed OK. 2. Selected LG CDMA from the Source Vendor menu and pressed OK. 3. Selected VX 9900 enV from the Source Model menu and pressed OK. 4. Selected Display Only as the target. 5. Connected the phone to the UFED with cable 93 113 as instructed by the UFED and pressed the right arrow to Start. Results of Password Extraction: The user code, ESN, MEID, phone number and MIN were extracted successfully. Test 2: Motorola V3M. This test was performed to determine how well the UFED acquires data from a Motorola V3M. Prior to starting the test, the phone's battery was fully charged and the phone was powered on. Logical Data: The following steps were performed to extract logical data. 1. Powered on UFED device and selected Extract Phone Data from the main menu. 2. Selected Motorola CDMA from the Source Vendor menu and pressed
3. [Screenshot: Phone Examination Report in Report Manager. Connection Type: USB Cable; UFED Version: Software 1.1.8.6, UFED Full Image 1.0.2.4, Tiny Image 1.0.2.1; UFED S/N 5604777.] Images discovered on the device can be displayed and exported by selecting Images from the left pane. [Screenshot: Report Manager Images view.] The application allows the user to search through contacts, SMS and calendar events with a simple search dialog. Name or phone number can search contacts. The second piece of software supporting the UFED is the Physical Analyzer. Physical Analyzer takes the input from the UFED device of a physical or file system dump. The interface is the same for both types of extractions, but the amount of information will vary. During extraction, the interface displays a progress window with statistics on the files that are being
4. Results of File System Dump: The file system dump was successful and can be examined within Physical Analyzer. Physical Dump: The following steps were performed to obtain a physical dump. 1. Selected File System Dump from the UFED main menu and pressed OK. 2. Selected Motorola GSM from the Source Vendor menu and pressed OK. 3. Selected V3xx from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 80 as instructed by the UFED and pressed the right arrow to Start. 6. Instructions for changing the phone's connectivity settings appeared on the UFED, but the phone's menu could not be accessed because there was no SIM card. 7. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction. 8. Received error that said that a connection could not be made to the phone. Attempted to retry several times without success and eventually pressed the left arrow to abort the process. Results of Physical Dump: A connection could not be established to perform a physical dump. It is likely the connection could not be made because the phone was lacking a SIM card. It is likely that these shortcomings could be alleviated with the use of a cloned dummy SIM card. Test 5: LG C729 Double Play. This test was performed to
5. and pressed the right arrow to Start. 6. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction. Results of File System Dump: The file system dump was successful and can be examined within Physical Analyzer. Test 4: Motorola V3xx. This test was performed to determine how well the UFED acquires data from a Motorola V3xx. Prior to starting the test, the phone's battery was fully charged and the phone was powered on. Logical Data: The following steps were performed to extract logical data. 1. Powered on UFED device and selected Extract Phone Data from the UFED main menu and pressed OK. 2. Selected Motorola GSM from the Source Vendor menu and pressed OK. 3. Selected V3xx from the Source Model menu and pressed OK. 4. Checked Phone Phonebook, Phone Content and Memory Card Content. Note: There was a 4 GB SanDisk micro SD card included with the phone. 5. Selected PC as the Target. 6. Checked all options, including Call Logs, Phonebook, SMS, Calendar, Pictures, Videos, Ringtones and Audio/Music, from the Content Types menu and hit the right arrow to continue. 7. Connected the phone to the UFED with cable 80 as instructed by the UFED and pressed the right arrow to Start. 8. Instructions for changing the phone's connectivity settings appeared on the UFED, but the phone's menu could not be accessed beca
6. determine how well the UFED acquires data from an LG C729. The device is running the Android Operating System version 2.3.4. Prior to starting the test, the phone's battery was fully charged and the phone was powered on. The following steps were performed to extract logical data. 1. Powered on UFED device and selected Extract Phone Data from the UFED main menu and pressed OK. 2. Selected LG GSM from the Source Vendor menu and pressed OK. 3. Selected C729 Double Play Android from the Source Model menu and pressed OK. 4. Checked off Phone and Memory Card from the Source Memory menu and hit Next. 5. Selected PC as the Target. 6. Checked off all options, including Call Logs, Phonebook, SMS, Calendar, MMS, Pictures, Videos, Ringtones and Audio/Music, from the Content Types menu and hit the right arrow to continue. 7. Connected the phone to the UFED with cable 100 as instructed by the UFED and pressed the right arrow to Start. 8. When the extraction was completed, the UFED Report Manager application was opened and the Read UFED button was clicked to download the report to the computer. Result of Logical Extraction: The UFED found 87 phonebook contacts, 44 calendar events and 78 entries in the call log, including 26 outgoing, 36 incoming and 16 missed calls. In addition, one ringtone, 193 pictur
7. ensures that future devices are supported prior to retail launch. Product Description: The following information is from the UFED manual. The Cellebrite UFED forensics system empowers law enforcement, antiterror and security organizations to capture critical forensic evidence from mobile phones, smartphones and PDAs. UFED extracts vital data such as phonebook, camera pictures, videos, audio, text messages (SMS), call logs, ESN, IMEI, ICCID and IMSI information from over 1,600 handset models, including Symbian, Microsoft Mobile, Blackberry and Palm OS devices. Cellebrite UFED enables SIM ID cloning, allowing you to extract phone data while preventing the cellular device from connecting to the network. The UFED can extract data from a phone or directly from the SIM card. When extracting from a phone, the UFED connects to the phone via cable, Bluetooth or infrared and the data is read logically from the phone. It also performs a physical extraction from SIM cards, allowing extraction of additional data such as deleted SMS, ICCID, IMSI, location information and more. Data is copied to any standard USB flash drive or SD card and is then organized into clear and concise reports. Data types listed: Deleted text messages (SIM/USIM). Data can also be copied directly to a computer via the UFED Physical Analyzer interface, as is indicated in the Test
8. extract logical data. 1. Powered on UFED device and selected Extract Phone Data from the UFED main menu and pressed OK. 2. Selected Apple from the Source Vendor menu and pressed OK. 3. Selected iPhone 4 4S GSM from the Source Model menu and pressed OK. 4. Checked off Phone from the Source Memory menu and hit Next. SIM card was not extracted in this test. 5. Selected PC as the Target. 6. Checked off all options, including Call Logs, Phonebook, SMS, MMS, Ringtones, Videos and Audio/Music, from the Content Types menu and hit the right arrow to continue. 7. Connected the phone to the UFED with cable 110 as instructed by the UFED and pressed the right arrow to Start. 8. When the extraction was completed, the UFED Report Manager application was opened and the Read UFED button was clicked to download the report to the computer. Result of Logical Extraction: The UFED found 85 phonebook contacts, 1,606 SMS messages and 107 entries in the call log, including 32 outgoing, 53 incoming and 22 missed calls. In addition, 775 pictures and three videos were extracted, and four voicemails. There were 2,259 songs listed in the phone according to manual examination. The results match the data found when manually examining the phone. File System Extraction: The following steps were performed to extract the file system. 1. S
9. hardware is available in both standard and ruggedized versions. The ruggedized version is designed for field use by military, law enforcement and government agencies, and the standard version for office and lab use. Along with the standard hardware, Cellebrite offers an upgrade package called Physical Pro, which is designed to perform physical memory dumps and file system extractions from supported devices. Product Information: The following information is from Cellebrite's website. The Cellebrite UFED forensics system is the ultimate standalone mobile forensic device, ready for use out in the field or in the lab. The UFED system extracts vital information from 95 percent of all cellular phones on the market today, including smartphones and PDA devices (Palm OS, Microsoft, Blackberry, Symbian, iPhone and Google Android). Simple to use even in the field with no PC required, the UFED can easily store hundreds of phonebooks and content items onto an SD card or USB flash drive. Cellebrite UFED supports all known cellular device interfaces, including serial, USB, infrared and Bluetooth. Extractions can then be brought back to the forensic lab for review and verification using the reporting/analysis tool. Cellebrite works exclusively with most major carriers worldwide, including Verizon Wireless, AT&T, Sprint Nextel, T-Mobile, Rogers Wireless Canada, Orange France and Telstra Australia, as well as 140 others. This
10. transferred from the UFED to the PC. SMS messages can be searched using phone number, text matching or a particular timeframe. [Screenshots: Report Manager SMS inbox search results; Physical Analyzer download progress window for the physical dump of an LG CDMA VX 9100 enV, file size 134217728 bytes.] When the extraction is complete, a summary of the extraction is displayed. [Screenshot: Physical Analyzer main window.]
11. F formats on the target media. Extraction to the PC will export the results to either software: UFED Report Manager or Physical Analyzer. [Screenshot: Select Target menu (PC, USB Disk Drive, SD card).] 2. Once an extraction type is selected, a mobile device vendor and model selection screen is displayed. [Screenshots: Select Source Vendor and Select Source Model menus.] 3. A memory source selection screen is displayed. [Screenshot: Select Source Memory menu.] 6. The next screen allows for the selection of content type to be extracted. 7. The UFED will provide instructions depending on the connection type selected. Instructions for connecting the UFED to a PC are shown in the screenshot. [Screenshot: Transfer Instructions. Source: Connect Cable 79; Target: Target is PC.] 8. At this point, if exporting to USB or SD devices, the UFED will request that the target drive is connected. If using a PC connection, the UFED will request that the read icon in the PC application is clicked. A progress window is displayed. 9. Upon completion, the UFED displayed a confirmation screen. [Screenshot: Transfer Summary, "Transfer completed successfully".] If an SD card or USB drive was used to store the results of the a
12. NIJ Criminal Justice Electronic Crime Technology Center of Excellence. Cellebrite UFED Version 1.1.7.6 EVALUATION REPORT. NIJ Electronic Crime Technology Center of Excellence, 550 Marshall St., Suite B, Phillipsburg, NJ 08865, www.ECTCoE.org. NIJ ECTCoE TESTING AND EVALUATION PROJECT STAFF: Robert J. O'Leary, CFCE, DFCP; Michael Terminelli, ACE; Victor Fay-Wolfe, Ph.D.; Russell Yawn, CFCE; Randy Becker, CFCE; Kristen McCooey, CCE, ACE; Chester Hosmer; Jacob Fonseca; Laurie Ann O'Leary; Mark Davis, Ph.D. Table of Contents (entries legible in the scan): Special Features; Law Enforcement Applications
13. OK. 3. Selected V3m RAZR from the Source Model menu and pressed OK. 4. Checked Phone Phonebook and Phone Content from the Source Memory menu and pressed the right arrow to continue. Note: Memory Card Content was not checked since a memory card was not present. 5. Selected PC as the Target. 6. Checked off all options, including Call Logs, Phonebook, SMS, Pictures and Video, from the Content Types menu and hit the right arrow to continue. 7. Connected the phone to the UFED with cable 80 as instructed by the UFED and pressed the right arrow to Start. 8. When the extraction was completed, the UFED Report Manager application was opened and the Read UFED button was clicked to download the report to the computer. Results of Logical Extraction: The UFED found one contact, one sent SMS, four outgoing calls, 31 images and one video. The results match the data found when manually examining the phone. File System: The following steps were performed to dump the file system. 1. Selected File System Dump from the UFED main menu and pressed OK. 2. Selected Motorola CDMA from the Source Vendor menu and pressed OK. 3. Selected V3m RAZR from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 80 as instructed by the UFED and pressed the right arrow to Start. 6. Opened the Physical Anal
14. [Screenshot: Physical Analyzer Extraction Summary for LG CDMA VX 9100 enV. Connection Type: Cable No. 100; Extraction start date/time: 2/1/2012 11:13:11 AM; Extraction end date/time: 2/1/2012 12:15:33 PM; Unit Identifier: UFED S/N 5604777; Unit Version: 1.1.8.6; Data files: Images (76), Videos (37), Audio (73), Text (6).] Much like the Report Manager, Physical Analyzer has the capability to display data files such as images, videos, audio and text. These are also related to the file system where possible. [Screenshot: Physical Analyzer Images (76) view listing image file paths.]
15. a list and provides the capability to organize the bookmarks. Bookmarks can be rearranged or deleted. Data cannot be browsed within the bookmarks tab. The search tool can be used to find particular information. [Screenshot: Physical Analyzer search options dialog.] The results of the search are presented in a list and highlighted. [Screenshot: search results in the NAND Flash bin hex view, 159 results.] Once all of the information has been processed and reviewed, a report can be generated in severa
16. and hit Next. SIM was not checked because the phone did not contain a SIM card. 5. Selected PC as the Target. 6. Checked all options, including Call Logs, Phonebook, SMS, Calendar, Ringtones and Audio/Music, from the Content Types menu and hit the right arrow to continue. 7. Connected the phone to the UFED with cable 53 as instructed by the UFED and pressed the right arrow to Start. 8. When the extraction was completed, the UFED Report Manager application was opened and the Read UFED button was clicked to download the report to the computer. Results of Logical Extraction: The UFED found one phonebook contact, 12 received SMS messages, one calendar event, one outgoing call, eight audio files and 11 ringtones. The results match the data found when manually examining the phone. The phonebook could not be verified because it could not be accessed without a SIM card in the phone. A cloned SIM card could alleviate some of these issues. File System: The following steps were performed to dump the file system. 1. Selected File System Dump from the UFED main menu and pressed OK. 2. Selected Nokia GSM from the Source Vendor menu and pressed OK. 3. Selected 2610 from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 53 as instructed by the UFED
17. Table of Contents entries: Evaluation and Testing of Cellebrite UFED; Test 1: LG VX 9900; Test 2: Motorola V3M; Test 3: Nokia 2610; Test 4: Motorola V3xx; Test 5: LG C729 Double Play; Test 6: Apple iPhone 4S; Test 7: Apple iPhone 3GS; Conclusion. This report is current at the time of writing. Please be sure to check the vendor website for the latest version and updates. Introduction: The National Institute of Justice (NIJ) Electronic Crime Technology Center of Excellence (ECTCoE) has been assigned the responsibility of conducting electronic crime and digital evidence tool, technology and training testing and evaluations in support of the NIJ Research, Development, Testing and Evaluation (RDT&E) process. The National Institute of Justice RDT&E process helps ensure that NIJ's research portfolios are aligned to best address the technology needs of the criminal justice community. The rigorous process has five phases. Phase I: Determine technology needs principally in partnership with the Law Enforcement and Corrections Technology Advisory Council (LECTAC) and the appropriate Technology Working Group (TWG). NIJ identifies crimina
18. cal Extraction: The UFED found 107 phonebook contacts, 2,717 SMS messages and 100 entries in the call log, including 60 outgoing, 26 incoming and 14 missed calls. In addition, 41 ringtones, 242 pictures and 16 videos were extracted. The results match the data found when manually examining the phone, with the exception of audio file extraction causing an error. There were 41 songs listed in the phone according to manual examination. File System: The following steps were performed to extract the file system. 1. Selected File System Extraction from the UFED main menu and pressed OK. 2. Selected Apple from the Source Vendor menu and pressed OK. 3. Selected iPhone 4S from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 110 as instructed by the UFED and pressed the right arrow to start. 6. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction. Results: The file system extraction was successful and can be examined within Physical Analyzer. Test 7: Apple iPhone 3GS. This test was performed to determine how well the UFED acquires data from an iPhone 3GS. Prior to starting the test, the phone's battery was fully charged and the phone was powered on. The following steps were performed to
19. cquisition, the reports can be viewed by connecting the external media to a PC. If the target of the acquisition was a PC, the acquisition can be further analyzed by using one of the two pieces of software. Analysis of logical extractions can be performed using UFED's Report Manager. File system or physical memory extractions can be analyzed with UFED's Physical Analyzer. Report Manager's user interface consists of three panes. The left pane allows the user to select which information will be displayed in the right pane. The final pane of the interface is the top icon bar that provides quick access to common features of the tool. [Screenshot: Report Manager icon bar (New, Open, Save, Copy, Options, Read UFED).] Following the extraction of a device with a target destination of PC, the interface displays the Report tab to the user. The report can also be exported from Report Manager in several different formats. Useful information can be added to the report through the Report Details menu, which is accessed with the top icon bar or through the application's menu items. [Screenshot: Report Manager Phone Examination Report properties for an LG VX9100 enV2.]
20. downloaded, the setup files were executed and the installer prompts were stepped through. In order to connect the UFED to a workstation, the UFED Physical Analyzer software needs to register the device to the PC. The software supports two methods of activation: a hardware license key or an activation code provided by the UFED. The configuration of the UFED was performed using the following steps. 1. Opened Physical Analyzer. Since this was the first time the software was run, an activation window loaded automatically. 2. Performed activation according to the user manual using the activation code provided by the UFED device. Evaluation and Testing of Cellebrite UFED: The UFED interface is three separate parts: a hardware device and two software programs. The UFED hardware device initiates a connection to a mobile device to extract information. For each of the tests below, the following general steps were followed for data extraction. 1. When starting the device, a screen is presented to select the type of extraction. [Screenshot: Main Menu (Extract Phone Data, Extract SIM/USIM Data, Clone SIM ID).] 4. The UFED will ask for the connection method to be used for the extraction. [Screenshot: Select Source Phone Link.] 5. Next, the target for the extraction results will be selected. Extraction to the USB device or SD card will create a report in HTML and PD
21. elected File System Extraction from the UFED main menu and pressed OK. 2. Selected Apple from the Source Vendor menu and pressed OK. 3. Selected iPhone 4S from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 110 as instructed by the UFED and pressed the right arrow to start. 6. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction. Results of File System Extraction: The file system extraction was successful and the resultant data was examined within Physical Analyzer. The results were the same as the logical extraction. Conclusion: Cellebrite's UFED performed consistently well during the testing. Connectivity issues between the UFED and phones tested were rare. In these tests, the UFED only had difficulty connecting to certain GSM phones that did not contain a SIM card, and these issues most likely could be remedied by creating a cloned SIM card. The UFED's physical interface is simple to use and it is easy to select certain information to extract from a phone. The user interface of the software is presented well, allowing quick discovery of desired information. Searching is implemented well in both software tools, providing the ability to search for information rel
22. es and 20 audio files were extracted. The results match the data found when manually examining the phone, with the exception of SMS extraction causing an error. No SMS messages were able to be written to the PC after reading them from the device. File System: The following steps were performed to extract the file system. 1. Selected File System Extraction from the UFED main menu and pressed OK. 2. Selected LG GSM from the Source Vendor menu and pressed OK. 3. Selected C729 Double Play Android from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 100 as instructed by the UFED and pressed the right arrow to Start. 6. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction. Result of File System Extraction: The file system extraction was successful and can be examined within Physical Analyzer. Physical Memory: The following steps were performed to extract the physical memory. 1. Selected Physical Extraction from the UFED main menu and pressed OK. 2. Selected LG GSM from the Source Vendor menu and pressed OK. 3. Selected C729 Double Play Android from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 100 as instructed by the UFED and pressed the right arrow to Start. 6. Ope
23. evant to an investigation. Cellebrite's Report Manager customizes the search dialog box for the appropriate fields based within the current view. However, the Report Manager does not provide the capability to search the entire extraction for a particular string. The Physical Analyzer provides additional search capabilities not found in the Report Manager. The physical device and the two software applications do an excellent job of extracting and interpreting the data. In order to maintain maximum operational capability, users will have to keep both software packages and the UFED up to date. The combination of a physical device and software applications has proven to work together to successfully complete investigations.
24. [Screenshot: Physical Analyzer image file listing.] Physical Analyzer allows the user to traverse the file system and view with a familiar tree structure. [Screenshot: Physical Analyzer file system tree with Hex View and File Info panes.] Information can be highlighted, bookmarked or copied to the clipboard. [Screenshot: hex view context menu (Copy selection, Save selection, Add bookmarks).] Bookmarked data is highlighted in red by default. The bookmarks tab displays
25. l formats. Reports can be customized using the application's settings to edit field names or add new fields to the report. These reports can also be customized with formatted text, header and a logo. Test 1: LG VX 9900. This test was performed to determine how well the UFED acquires data from an LG VX 9900. Prior to starting the test, the phone's battery was fully charged and the phone was powered on. Logical Extraction: The following steps were performed to extract logical data. 1. Powered on the UFED device and selected Extract Data from the menu. 2. Selected LG CDMA from the Source Vendor menu and pressed OK. 3. Selected VX 9900 enV from the Source Model menu and pressed OK. 4. Checked Phone Phonebook and Phone Content from the Source Memory menu and pressed the right arrow to continue. Memory Card Content was not checked because there was no memory card present. 5. Selected PC as the Target. 6. Checked all options, including Call Logs, Phonebook, SMS, Pictures, Videos and Audio/Music, from the Content Types menu and hit the right arrow to continue. 7. Connected the phone to the UFED with cable 93 113 as instructed by the UFED and pressed the right arrow to Start. 8. When the extraction was completed, the UFED Report Manager application was opened and the Read UFED button was clicked to download the report to the computer. Re
26. l justice practitioners' functional requirements for new tools and technologies. For more information on LECTAC and the TWGs, visit http://www.justnet.org. ■ Phase II: Develop technology program plans to address those needs. NIJ creates a multiyear research program to address the needs identified in Phase I. One of the first steps is to determine whether products that meet those needs currently exist or whether they must be developed. If a solution is already available, Phases II and III are not necessary and NIJ moves directly to demonstration, testing and evaluation in Phase IV. If solutions do not currently exist, they are solicited through annual, competitively awarded science and technology solicitations, and TWG members help review the applications. ■ Phase III: Develop solutions. Appropriate solicitations are developed and grantees are selected through an open, competitive, peer-reviewed process. After grants are awarded, the grantee and the NIJ program manager then work collaboratively to develop the solutions. ■ Phase IV: Demonstrate, test, evaluate and adopt potential solutions into practice. A potential solution is tested to determine how well it addresses the intended functional requirement. NIJ then works with first-adopting agencies to facilitate the introduction of the solution into practice. After adoption, the solution's impact on practice is evaluated. During the testing and e
27. ned the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the extraction. Result of the Physical Extraction: The physical extraction was successful and can be examined within Physical Analyzer. Test 6: Apple iPhone 4S. This test was performed to determine how well the UFED acquires data from an iPhone 4S. Prior to starting the test, the phone's battery was fully charged and the phone was powered on. The following steps were performed to extract logical data: 1. Powered on the UFED device, selected Extract Phone Data from the UFED main menu and pressed OK. 2. Selected Apple from the Source Vendor menu and pressed OK. 3. Selected iPhone 4 4S GSM from the Source Model menu and pressed OK. 4. Checked off Phone from the Source Memory menu and hit Next. The SIM card was not extracted in this test. 5. Selected PC as the Target. 6. Checked off all options, including Call Logs, Phonebook, SMS, MMS, Ringtones, Videos and Audio Music, from the Content Types menu and hit the right arrow to continue. 7. Connected the phone to the UFED with cable 110 as instructed by the UFED and pressed the right arrow to Start. 8. When the extraction was completed, the UFED Report Manager application was opened and the Read UFED button was clicked to download the report to the computer. Result of Logi
28. sults of Logical Extraction: The UFED found three phonebook contacts, 90 incoming calls, 90 outgoing calls, 90 missed calls, zero SMS messages, 43 images, eight videos and zero audio files. The results match the data found when manually examining the phone. File System: The following steps were performed to dump the file system: 1. Selected File System Dump from the UFED main menu and pressed OK. 2. Selected LG CDMA from the Source Vendor menu and pressed OK. 3. Selected VX 9900 enV from the Source Model menu and pressed OK. 4. Selected Normal EFS as the mode and pressed OK. 5. Selected PC as the Target. 6. Connected the phone to the UFED with cable 93 113 as instructed by the UFED and pressed the right arrow to Start. 7. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction. Results of File System Dump: The file system dump was successful and can be examined within Physical Analyzer. Physical Dump: The following steps were performed to obtain a physical dump: 1. Selected Physical Dump from the UFED main menu and pressed OK. 2. Selected LG CDMA from the Source Vendor menu and pressed OK. 3. Selected VX 9900 enV from the Source Model menu and pressed OK. Cellebrite UFED Version 1.1.7.6 Evaluation and Testing of
29. use there was no SIM card. 9. The phone book read failed. After retrying it several times without success, the F3 button was pressed to skip that step. 10. The calendar read failed. After retrying it several times without success, the F3 button was pressed to skip that step. 11. When the extraction was completed, the UFED Report Manager application was opened and the Read UFED button was clicked to download the report to the computer. Results of Logical Extraction: The UFED found zero SMS messages, 230 images, zero videos, zero ringtones and two audio files. The results could not be verified because the phone menus could not be accessed without a SIM card. The UFED failed to read the phonebook and calendar. This is likely because the phone did not have a SIM card. File System: The following steps were performed to dump the file system: 1. Selected File System Dump from the UFED main menu and pressed OK. 2. Selected Motorola GSM from the Source Vendor menu and pressed OK. 3. Selected V3xx from the Source Model menu and pressed OK. 4. Selected PC as the Target. 5. Connected the phone to the UFED with cable 80 as instructed by the UFED and pressed the right arrow to Start. 6. Opened the Physical Analyzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction.
30. valuation process, performance standards and guides are developed, as appropriate, to ensure safety and effectiveness; not all new solutions will require the publication of new standards or guides. ■ Phase V: Build capacity and conduct outreach to ensure that the new tool or technology benefits practitioners. NIJ publishes guides and standards and provides technology assistance to second adopters. The High Priority Criminal Justice Technology Needs are organized into five functional areas: ■ Protecting the Public ■ Ensuring Officer Safety ■ Confirming the Guilty and Protecting the Innocent ■ Improving the Efficiency of Justice ■ Enabling Informed Decision Making. The NIJ ECTCoE tool, technology and training evaluation and testing reports support the NIJ RDT&E process, which addresses high priority needs for criminal justice technology. National Institute of Justice High Priority Criminal Justice Technology Needs, March 2009, NCJ 225375. Cellebrite UFED Version 1.1.7.6. Overview: With the world becoming more mobile every day, law enforcement encounters more cell phones and mobile devices in their investigations. Many tools exist on the market to process these mobile devices, but every tool does not support every device. Cellebrite's Universal Forensics Extraction Device (UFED) is a hardware-based platform that supports extraction of data from more than 4,000 phones and devices. The
31. y to read format. The following features are from Cellebrite's website: ■ The UFED allows you to extract a wide variety of data types, including: Contacts; SMS text messages. Law Enforcement Applications: Cellebrite's UFED is designed to assist state and local law enforcement with the acquisition of and reporting on both logical and physical examinations of mobile devices such as cellphones, PDAs and GPS device. Test Bed Configuration: The UFED is a hardware device that can be used standalone, without a computer, to perform data extraction. However, in order to view any HTML reports, a target device (thumb drive, SD card, etc.) must be connected to a computer. Software applications developed by Cellebrite allow capturing the acquisition directly to a computer; this is the method used in this testing. The test machine is a Dell OptiPlex 760 with a clean Windows 7 x64 installation, 4GB of RAM and a 2.66 GHz Intel Core 2 Duo processor. Installed on this machine were Cellebrite's UFED Report Manager v 1.8.3.171110 and UFED Physical Analyzer v 2.2.0.8966. Report Manager is used to perform logical acquisitions and Physical Analyzer is used for physical acquisitions. Configuration of UFED: The software installers were downloaded for UFED Report Manager and UFED Physical Analyzer from Cellebrite's website. Once
32. yzer application, clicked the Read Data from UFED button, selected the download path and pressed start to begin the file system extraction. Results of File System Dump: The file system dump completed successfully, although Physical Analyzer could not decode the extracted data. Extract Passwords: The following steps were performed to extract passwords: 1. Selected Extract Passwords from the UFED main menu and pressed OK. 2. Selected Motorola CDMA from the Source Vendor menu and pressed OK. 3. Selected V3m RAZR from the Source Model menu and pressed OK. 4. Selected Display Only as the target. 5. Connected the phone to the UFED with cable 80 as instructed by the UFED and pressed the right arrow to Start. Results of Password Extraction: The user code and the security code were extracted successfully. Test 3: Nokia 2610. This test was performed to determine how well the UFED acquires data from a Nokia 2610. Prior to starting the test, the phone's battery was fully charged and the phone was powered on. Logical Data: The following steps were performed to extract logical data: 1. Powered on UFED device and selected Extract Phone Data from the UFED main menu and pressed OK. 2. Selected Nokia GSM from the Source Vendor menu and pressed OK. 3. Selected 2610 2626 from the Source Model menu and pressed OK. 4. Checked Phone from the Source Memory menu