Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo
As mobile device manufacturers improve device and operating system security measures in a bid to protect user data, the forensic process becomes more complex. In this hands-on demo, learn how UFED rises to the challenge with advanced technology, including advanced bootloaders enabling physical extractions and enhanced logical extraction enabling app file system extractions even within logical examinations.
Presenters:
Sonny Farinas – Sales
Lee Papathanasiou – Sales Engineer
UFED Series
Delivering mobile forensic solutions
Confidential: Not for distribution - © Cellebrite 2012
Introduction - Cellebrite
Established in 1999, Cellebrite is a world leader in mobile forensics, backup and synchronization solutions
A fully-owned subsidiary of Sun Corporation, a publicly traded company on JASDAQ based in Nagoya, Japan
Based in Israel with offices in the USA, Germany, Brazil, Singapore
More than 60 distributors Worldwide
Over 250 employees (150+ dedicated to R&D)
Forensic customers include highly respected national and local divisions of governmental, military and intelligence agencies.
Over 100,000 units deployed worldwide (UME and UFED)
Confidential: Not for distribution - © Cellebrite 2013
Market Sectors
UFED solutions are being used worldwide in the following market sectors:
Police forces
Military
Tax authorities
Customs
Stock authorities
Anti-terror agencies
Police academies
Forensic specialists
Border controls
Special forces
Intelligence services
Enterprises
Why Cellebrite?
Technical Foundation
Sales and Tech Support
Strategic Partnership with key Market Leaders
Customer Base
Manufacturer and Carrier Relationship
Creator of Market Trends
*Cellebrite is built to keep up with the future!
User Questionnaire
Understand Market Needs
Help with our road map and business strategy
Contact users or anonymous
Comment, questions or suggestion box
How can we provide a better product
*Turn in the forms after the meeting
Goals
Identify Best Practices for mobile forensics
Become familiar with the type of data that can be stored on mobile devices and what can be extracted
Understand the background of mobile forensics along with the challenges in the process of extracting and decoding the data.
Discover Cellebrite Forensic Solutions
Best Practices
Mobile Forensics
Scenario
It is midnight on a Friday night, and it is just beginning to sprinkle with rain. You are the first officer at the scene of a homicide where the victim has been shot several times by one shooter. Witnesses have pointed out a cell phone that they saw the suspect use and throw away as he left the scene. It is clear that the device is still on.
Considerations
Airplane mode?
Shielding?
Signal Jammer?
Dangers of leaving it on and transporting the device
Remove SIM card?
UFED Touch: Hardware Description
Exclusively designed for mobile forensics
UFED Products
UFED Logical
Data stored in the memory is acquired by using the file system or the phone's proprietary protocol (known communication protocols: AT commands, OBEX, etc.)
The logical approach represents the live system on the phone
UFED Ultimate
Bit-by-bit copy of the phone's physical memory and file system
Unallocated areas
The main effort in physical extraction is to obtain the extra data (such as deleted files)
The data that actually exists on the phone.
UFED Comparison
Portable – easy to carry
10x Faster Extraction Speeds
Device Features:
• 7" touchscreen w/ stylus
• Windows XP (Locked Down)
• Built in WiFi/Bluetooth & Ethernet port
• SIM card reader/writer slot
• SD card reader slot
• USB 2.0 Ports
• RJ-45 Ports
• 64 GB Internal SSD - For Software Upgrades & Expansion
• 5 Hour Lithium-ion Battery w/ Battery Status Indicator
• Compatible with External Hard Drives
UFED Touch: Vast Extraction Speed Enhancements
UFED Touch: Hardware
Speakers
Touch Screen
Navigation Keys
Right Mouse Click Key
Left Mouse Click Key
UFED Touch: Hardware
UFED Touch: Hardware
UFED Touch: Hardware
Tips & Connectors
Removed a total of 70 feet of cable from the old kit
Extract & charge simultaneously
Tip connectors in a magnetic holder replace long phone connector cables
Color coordinated for simple & quick identification
UFED Classic Cable Kit
UFED Touch Cable Kit
Software Upgrades
Software Upgrade Schedule
- Upgrades are released every 4 to 6 weeks
- Includes software upgrades to the UFED Touch as well as the Physical Analyzer PC Software
Automatic Upgrade Process
- Connect the UFED Touch to a Wi-Fi network or Ethernet cable
- The UFED Touch will automatically prompt you to download the latest upgrade when it is released
Manual Upgrade Process
- An email will be automatically sent including download links to the upgrade files as well as Full Release Notes
- Log in to the MyCellebrite portal and manage your license as well as download the latest upgrade files
- Save the upgrade file to a USB Flash Drive and connect it to the UFED Touch to perform the upgrade.
Need Assistance?
Technical Support
- Based out of the New Jersey Office (No Outsourcing)
- Phone Support: Mon – Fri, 9am – 7pm EST
- Email Support: 7 days a week, 9am – 9pm EST
Warranty & Repair
- Based out of the New Jersey Office (No Outsourcing)
- Call into Tech Support for an RMA #
- Unit will be repaired or replaced
- No Repair/Replacement Cost
License Includes Full Warranty
User Interface
Straightforward user experience
UFED Touch: GUI
UFED Touch: Logical Extraction
Extraction Destinations:
Logical Extraction Output
Mobile Forensics
Mobile Device Usage
Mobile device market keeps growing
Data acquired from mobile devices continues to be used as evidence in criminal, civil and even high-profile cases.
People use mobile devices to store and transmit personal and corporate information
Mobile devices are used for online transactions, web browsing, navigation, instant messaging and more
Platforms
Device Support
UFED Touch supports the widest range of mobile devices & major mobile platforms
Test Devices
Connectivity
UFED Touch Ultimate: Extraction Capabilities
All-Inclusive Logical & Physical Extraction
The NEW Industry Standard in Mobile Forensics
Logical vs. File System vs. Physical extraction
Logical: SMS, Contacts, Call logs, Media
File System: SMS, Contacts, Call logs, Media, Files, Hidden Files
Physical: SMS, Contacts, Call logs, Media, Files, Hidden Files, Deleted data
Diagram labels: Extracted Data, Extraction Speed
Can I have your SMS?
UFED Logical Extraction
Can I have your pictures as well?
UFED Logical Extraction (2)
How about the emails, please?
NO
UFED Logical Extraction (3)
Can I copy your File System?
Sure Thing. Good luck with Decoding!
UFED File System Dump
Good morning, sir.
Please run this program for me.
Here’s my memory. Have a blast figuring it out!
UFED Physical Dump
Mobile Forensic Challenges
Hardware Based Data Extraction Methods
Hardware-based methods involve a combination of software and hardware to break or bypass authentication mechanisms and gain access to the device.
Hardware-based methods include the following:
■ Gain access through a hardware interface (JTAG)
■ Examine memory independently of the device using a memory chip reader.
■ Find and exploit vulnerabilities
When All Else Fails
ZRT2 from www.fernico.com
CHINEX – Cellebrite’s Solution for Chinese Knock-Off Devices
UFED Physical Analyzer (deleted data)
Fake Apple & Android Stores
File Systems Challenge
Computers Mobile Phones
Computers Mobile Phones
FAT NTFS
HFS EXT
Computers Mobile Phones
FAT NTFS
HFS
Motorola Proprietary
XSR MCU
INOD I855 P2K
Yaffs JFFS2 Symbian
FS EFS2
QCP
DCT4
OSE EXT
EXTx
FAT
Decoding Challenge
The most powerful decoding, analysis & reporting tool in the industry
All rights reserved © 2011, Cellebrite
File system
SMS
Calls File system reconstruction
Decoding
Physical Analyzer: Decoding
Decoding – iOS Physical Extraction
Advanced Applications Decoding
Image Carving
Powerful tool for recovering deleted image files and fragments of files (when only part of a file is available)
Only applicable for physical extraction
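Why carving needs a physical extraction, as an added example (not Cellebrite's code and not part of the original slides): a minimal header/footer JPEG carver run over a constructed raw dump in which one image is intact and one has lost its tail. The names `carve_jpegs` and `build_sample_dump` and the sample bytes are assumptions made for illustration.

```python
"""Header/footer JPEG carving over a raw (physical) dump. Added illustration."""
from __future__ import annotations

from dataclasses import dataclass

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus lead byte of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker
SECTOR = 512           # assumed sector size of the constructed dump


@dataclass
class Carved:
    offset: int      # byte offset of the header inside the dump
    data: bytes      # carved bytes
    complete: bool   # False when no footer was found (fragment only)


def carve_jpegs(dump: bytes, max_size: int = 8 * 1024 * 1024) -> list[Carved]:
    """Scan raw bytes for JPEG headers and cut each candidate out.

    No file system metadata is consulted, which is why this works on
    unallocated areas and why it needs a bit-by-bit physical image: a
    logical extraction only returns files the live system still lists.
    Simplification: a candidate is cut at the next header, so JPEGs with
    embedded thumbnails would need real marker parsing.
    """
    results: list[Carved] = []
    pos = 0
    while True:
        start = dump.find(SOI, pos)
        if start == -1:
            break
        # The candidate cannot extend past the next header, the size cap,
        # or the end of the dump.
        limit = min(len(dump), start + max_size)
        next_start = dump.find(SOI, start + len(SOI))
        if next_start != -1:
            limit = min(limit, next_start)
        end = dump.find(EOI, start + len(SOI), limit)
        if end != -1:
            stop = end + len(EOI)
            results.append(Carved(start, dump[start:stop], True))
        else:
            # Footer overwritten or never written: keep the fragment and
            # flag it so the examiner knows it is partial.
            stop = limit
            results.append(Carved(start, dump[start:stop], False))
        pos = stop
    return results


def _pad(blob: bytes) -> bytes:
    """Pad a blob with zero bytes up to the next sector boundary."""
    return blob + b"\x00" * (-len(blob) % SECTOR)


def build_sample_dump() -> bytes:
    """Constructed sample: not real device data."""
    fragment = SOI + b"\xe1" + b"Exif-constructed-payload-B"        # tail lost
    intact = SOI + b"\xe0" + b"JFIF-constructed-payload-A" + EOI
    return (
        b"\x00" * SECTOR      # unused area
        + _pad(fragment)      # deleted image, footer overwritten
        + _pad(intact)        # deleted image, still whole
        + b"\xaa" * SECTOR    # unrelated data
    )


if __name__ == "__main__":
    for item in carve_jpegs(build_sample_dump()):
        state = "complete" if item.complete else "fragment"
        print(f"offset={item.offset} size={len(item.data)} {state}")
```
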
Standalone GPS Units & Smartphones
Decoded Data: Locations
Extraction & Analysis: GPS Devices
Supporting 75% of the GPS market
Smart Phone Location Data
Cell Tower Locations
Wi-Fi Locations
GeoTagged Media
Locations
Harvested Locations
GPS Fixes
View in Google Earth
UFED Phone Detective
Identifies mobile phone vendor & model
UFED Phone Detective
UFED Phone Detective
Identifies phone quickly
Answer up to 8 questions related to visual attributes / by TAC
Phone is identified & displayed according to filtered results
Shows phone & data supported for extraction
Database of more than 4,000 phones
www.PhoneScoop.com
Enter model of phone
Scroll down to the FCC line to obtain copy of the manual
Save copy of the manual to file
Click here for manual
iPhone Hardware Versions
iPhone (2007)
iPhone 3G (2008)
iPhone 3GS (2009)
iPhone 4 (2010)
iPhone 4S (2011)
iPhone 5 (2012)
Cellebrite’s Unique Approach to the iOS Challenge
State of the art physical extraction wizard
Support for iPhone, iPod Touch and iPad: iPhone, iPhone 3G, iPhone 3GS, iPhone 4 GSM, iPhone 4 CDMA, iPhone 4S, iPad 1, iPod Touch 1G, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G
Support for the widest variation of iOS versions
Locked, unlocked, "jailbroken" and "non-jailbroken", encrypted/non-encrypted devices
Passcode recovery
Revolutionary decoding
Physical Extraction Wizard
Cellebrite’s Unique Approach to the iOS Challenge (cont.)
Keychain decryption (application passwords)
Integrated SQLite Browser
iPhone configuration files (Plist and BPlist)
iMessages
Keychain Decryption
Integrated SQLite Browser
Facebook Decryption
Most Popular iPhone Passwords
http://amitay.us/blog/files/most_common_iphone_passcodes.php
Android Challenges
Vendors Using various chipsets
Android Challenges
Multiple OS Versions
Memory Types
Multiple File systems
• YAFFS2
• FAT32
• Ext2
• Ext3
• Ext4
FTL Types
• Qualcomm FTL
• FSR
• More
Please raise your hand if you bumped into this scenario…
Pattern Lock Extraction
1 2 3
4 5 6
7 8 9
“Smudge Attack” Pattern Lock Analysis
For those of you that are lucky enough:
BlackBerry Physical Extraction
Covering dozens of models
Any BlackBerry OS version – 4, 5, 6, 7.x
Using Cellebrite proprietary boot loaders ensuring a forensically sound process
Applicable for non-locked devices or devices with known password
Non-encrypted/encrypted devices
7100
7130e
7250
7520
7750
8130 Pearl
8230 Pearl Flip
8330 Curve
8350i Curve
8530 Curve II
8703e
8830
9330 Curve 3
9350 Curve
9350 Curve Sedona
9370 Curve
9530 Storm
9550 Storm 2
9630 Tour
9650 Bold
9670 Style
9850 Torch
9930 Bold
8300 Curve
9380 Curve
9380 Orlando
7100
7130v
7290
8100 Pearl
8110 Pearl
8120 Pearl
8220 Pearl Flip
8300 Curve
8310 Curve
8320 Curve
8520 Curve
8700f
8700v
8707
8800
8820
8900 Curve
8910
9000 Bold
9100 Pearl
9105 Pearl 3G
9300 Curve
9300 Curve 3G
9350 Curve
9360 Curve
9500 Storm
9520 Storm2
9530 Storm
9550 Storm 2
9630 Tour
9700 Bold
9700 Onyx
9780 Bold
9780 Onyx II
9800 Torch
9810 Torch
9860 Monza
9860 Torch
9900 Bold
First to release physical extraction for dozens of BlackBerry devices
Decoding
BlackBerry Decoding
UFED Physical Extraction or Chip-off
BlackBerry OS 4, 5, 6, 7.x
Deleted data recovery
Real-time decryption of protected content from selected BlackBerry devices running OS 4-6 using a given password
Analyzed Data – Special to Blackberry
Contacts – phones, emails, photos, addresses, PIN
Recent email address (OS 6 and above)
BlackBerry Messenger contact list
BlackBerry Messenger (BBM):
User details (display name, PIN)
Contact list (display name, PIN, email if exists)
Chats: Sender, Body, Timestamp
Cellebrite exclusive – Decoding of BlackBerry Messenger History even when configured as ‘never’
Questions?
Answers!