
Upload: doanhuong

Post on 07-Mar-2018


UFED PHYSICAL ANALYZER, UFED LOGICAL ANALYZER, UFED READER

RELEASE NOTES
Version 6.3 | July 2017

HIGHLIGHTS

APPS SUPPORT

◼ 2 new apps for Android and iOS: CM Security Master Antivirus (Android) and Private Zone – AppLock

◼ Decoding support – LinkedIn messages for Android devices

◼ Telegram cloned apps for Android – Telegram is an open source app, and in Google Play there are many apps available for download. We have added a generic parser which can decode information from various cloned apps, including Telegram + app and Telegram Plus.

◼ 139 updated application versions

FUNCTIONALITY

◼ Quickly identify known media files using Project VIC/CAID
◼ Identify known files using Hash Sets
◼ Carve more locations data from unallocated space and unsupported databases
◼ View locations by classified origin
◼ Disclose even more web history and search terms from additional sources
◼ New conditions functionality in SQLite Wizard
◼ Tag global search results
◼ Notifications center
◼ Export image files in Griffeye format
◼ Recover the deleted participants list from iMessages
◼ Decode Google Archive files
◼ Recover locations history data (iOS)
◼ Decode modified IMEI (Android)
◼ Search using wild cards in Hex viewer
◼ Decode Bluetooth history (iOS)
◼ Decode the FindMyiPhone state
◼ Decode the Advertising ID
◼ Decode the last backup date

CHECK OUT OUR NEW VIDEO ON UFED 6.3!

Watch video now! https://vimeo.com/222514207/1d01006bfb

NOW SUPPORTING

22,179 DEVICE PROFILES

4,187 APP VERSIONS

IDENTIFY KNOWN FILES USING MULTIPLE HASH SETS INCLUDING PROJECT VIC/CAID

Quickly identify media files by creating databases using Project VIC or CAID hash values, and matching them against existing media files.

NEW! BOOST LOCATIONS DATA USING AN INNOVATIVE CARVING SOLUTION

Get the most locations data possible from a digital device by using a unique carving method to obtain more data from unallocated space and unfamiliar databases.

Cellebrite Release Notes | UFED v 6.3 | July 2017 | 2

QUICKLY IDENTIFY KNOWN MEDIA FILES USING PROJECT VIC/CAID

Cellebrite is proud to provide you with a capability to quickly identify media related to child exploitation, that can incriminate predators. UFED Physical Analyzer 6.3 enables you to create Hash databases by importing Project VIC/CAID files, and matching them against media recovered as part of the extraction, specified with the appropriate VIC/CAID category. Cellebrite’s Analytics solution offers the complete package to fight against child exploitation.

In partnership with law enforcement agencies, Cellebrite has developed a unique and innovative method, complementing the Project VIC/CAID solution, that enables users to identify and tag suspected child exploitation related media (images and video) within a new Suspected Child Exploitation Media category.

IDENTIFY KNOWN FILES USING HASH SETS

Identify and upload any CSV or text file which contains a list of known hash values, and match it against any file recovered from the device. To start using this capability, follow these steps: Tools ––> Watch list ––> Hash set manager. You can customize the hash set results in both the UI and reports, using the following options: Show, Hide and Redact.

CARVE MORE LOCATIONS DATA FROM UNALLOCATED SPACE AND UNSUPPORTED DATABASES

This unique and innovative solution allows you to decode an even greater amount of locations data from unallocated space and unsupported databases. To start using this feature, open the Device Locations and click the carving icon or start the carving process from: Tools ––> Get more data (carving) ––> Carve locations. The carver allows you to either search for additional locations, up to three of the most visited areas, or any other custom area.

Note: The carving results may produce many false positive events.

FUNCTIONALITY

VIEW LOCATIONS BY CLASSIFIED ORIGIN

UFED Physical Analyzer classifies each recovered location record by its origin: Device and External. In this version, 6.3, you can now view and filter for locations that are related and unrelated to the device user’s activities (this does not mean the device has been in this location). For example, a picture taken by the camera on a digital device is classified as a ‘Device’ location, while a picture received on the device is marked as ‘External’, as the location is related to the image sender. Locations are highlighted with a different color on the map.

Note: Some locations are classified as unknown.

DISCLOSE EVEN MORE WEB HISTORY AND SEARCH TERMS FROM ADDITIONAL SOURCES

UFED Physical Analyzer can now carve more search history data from allocated and unallocated memory space, and additional web browsers including Chrome, Samsung browser and Firefox.

Intact and deleted new records from this carving process can be found under the Searched Items model. This capability is relevant to iOS, Android and Windows phone devices.


NEW CONDITIONS FUNCTIONALITY IN SQLITE WIZARD

In cases where the interpretation of a field is based on another field’s value, you can map that data using the new conditions function. For example, an SMS participants table in an SQLite database contains SMS information. In several cases, the same column will contain both From and To values of an SMS message. You can now create a new condition to distinguish between the two different field values.

TAG GLOBAL SEARCH RESULTS

Create tags for all Global Search result items at the touch of a button. We have also enhanced the Global Search UI to provide you with a familiar user experience.

NOTIFICATIONS CENTRE

Never miss a thing with the new automatic notifications that will keep you up to date with new features and capabilities in UFED Physical Analyzer. In the Notification Centre, you can now view the latest alerts, news, warnings, completed actions and much more. To view Notifications, click on the Bell icon ––> View all notifications.

EXPORT IMAGE FILES IN GRIFFEYE FORMAT

Easily export selected images in Griffeye format (* C4P Index.xml). You can import the exported file into Griffeye using a C4All XML data source.

RECOVER THE DELETED PARTICIPANTS LIST FROM IMESSAGES

We have added support for iOS devices, recovering deleted participants’ information from iMessages.


DECODE GOOGLE ARCHIVE FILES

Open and decode Google Archive files using UFED Physical Analyzer (via Advanced Search, or by running the Google Archive Databases chain). This archive file contains important information including: Chrome history and bookmarks, contacts from Google account and Google+, emails from Gmail, search history from Google Play, chats, calls and contacts from Hangout, and played/search history from YouTube.

RECOVER LOCATIONS HISTORY DATA (iOS)

We have enhanced the locations data from iOS devices. You can now decode additional location history records from the maps data plist file. This file is used to sync location history from the iOS device to the cloud service.

DECODE MODIFIED IMEI (ANDROID)

It is possible to change the device IMEI number using flash boxes or other methods. UFED Physical Analyzer version 6.3 can now decode the modified IMEI number (when available) in addition to the previous IMEI number.

Note: There is no indication in UFED Physical Analyzer if the IMEI is original.

SEARCH USING WILD CARDS IN HEX VIEWER

Within the Find tab in Hex viewer, you can now search using wild cards: ? and * (? replaces a nibble, i.e. 4 bits, and * replaces an entire byte).
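The wildcard semantics described above, shown as an added Python example (not Cellebrite code): each pattern byte becomes a mask/value pair, so ? ignores one 4-bit half and * ignores the whole byte. The space-separated pattern syntax, the function names and the sample buffer are assumptions made for illustration; the Hex viewer's own input syntax may differ.

```python
import string

HEX_DIGITS = set(string.hexdigits)

# Constructed sample buffer: three JPEG-style start markers (FF D8 FF xx)
# surrounded by filler bytes. Not taken from any real extraction.
SAMPLE = bytes.fromhex(
    "00 11 FF D8 FF E0 00 10 4A 46 49 46 22 "
    "FF D8 FF E1 2A 45 78 69 66 FF D8 FF DB"
)

def compile_pattern(pattern: str) -> list[tuple[int, int]]:
    """Convert e.g. 'FF D8 FF E?' into one (mask, value) pair per byte.

    Assumed syntax: space-separated tokens; '*' is any whole byte, and a
    two-character token may use '?' for either 4-bit half.
    """
    compiled = []
    for token in pattern.split():
        if token == "*":
            compiled.append((0x00, 0x00))  # mask 0: every byte matches
            continue
        if len(token) != 2 or any(c != "?" and c not in HEX_DIGITS for c in token):
            raise ValueError(f"bad pattern token: {token!r}")
        mask = value = 0
        for ch in token:  # high half first, then low half
            mask <<= 4
            value <<= 4
            if ch != "?":
                mask |= 0xF
                value |= int(ch, 16)
        compiled.append((mask, value))
    return compiled

def find_all(data: bytes, pattern: str) -> list[int]:
    """Return every offset in data where the wildcard pattern matches."""
    pat = compile_pattern(pattern)
    if not pat:
        return []
    return [
        off
        for off in range(len(data) - len(pat) + 1)
        if all((data[off + i] & m) == v for i, (m, v) in enumerate(pat))
    ]

if __name__ == "__main__":
    for p in ("FF D8 FF E?", "FF D8 FF *", "FF D8 FF ?B"):
        print(p, "->", find_all(SAMPLE, p))
```

A nibble wildcard narrows a search to a family of values (here the E0 to EF markers), while the byte wildcard accepts any value at that position, which is why the second pattern also returns the FF D8 FF DB hit.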

DECODE BLUETOOTH HISTORY (iOS)

Under the Bluetooth Devices model, you could previously view a list of Bluetooth devices that were connected to the device. We have enhanced the results presented with additional Bluetooth history records for iOS devices (using full File System extraction which is available via Cellebrite Advanced Investigative Services (CAIS)).

DECODE FINDMYIPHONE STATE

Under Device Info, for iOS devices, you can now view if the “FindMyiPhone” setting is enabled.


DECODE ADVERTISING ID

Under Device Info, for both iOS and Android devices, you can now view the “Advertising ID” of the device. Using Mobile advertising, mobile app developers can identify who is using their mobile applications.

DECODE LAST BACKUP DATE

Under Device Info, for iOS devices, you can now view the “Last Backup Date” of the device.


DID YOU KNOW

UFED Physical Analyzer allows you to convert the BSSID values (wireless networks) into location positions/specific addresses, so that you can easily reveal and track connections to wireless networks, within a specific timeframe. You can also download an offline database or use Cellebrite’s enrichment service from My.Cellebrite (~60 GB). To ease the download of this large database, you can now download split database files (6 files, 10 GB file size) and load the files into UFED Physical Analyzer.

Note: From this version, 6.3, onwards, UFED Physical Analyzer will merge all database files.

SOLVED ISSUES

The following issues have been resolved:

◼ A decoding issue of iCloud backup (Apple production data).
◼ A localization issue of SIM information under device info in Japanese.
◼ A decoding issue of locations from the Endomondo app for Android devices.
◼ A decoding issue of call logs from a public pay phone, the from participant appears as -3.
◼ A decoding failure of the WeChat app version 6.5.4 (Android).
◼ A decoding failure of Samsung GSM GT-E1200i Keystone 2.
◼ A decoding issue with missing POI of a TomTom GPS device model Start 25, type no. 4EN52.

KNOWN ISSUES

Redacted thumbnails are not presented in IE 10; they appear as unavailable due to browser limitation.

APP SUPPORT

iOS

Application | Type | Decoding Feature
LEO Privacy / Private Zone - AppLock | Files | Decryption of private pictures, private videos and private files

ANDROID

Application | Type | Decoding Feature
CM Security Master Antivirus | Tools | User account
LEO Privacy / Private Zone - AppLock | Files | Private bookmarks, decryption of passcode, accounts, VIP cards, bank cards and private albums (file system)

iOS: NEW AND UPDATED APPS

1 NEW App 166 UPDATED Apps

Any.DO 4.9.0
Aliwangwang 4.1.6
Badoo 5.4.0
BeeTalk 2.5.54
Blendr 5.6.0
Booking.com 14.2
Chatous 3.8.7
Ctrip 5.0.0
Dropbox 46.2
Evernote 8.2.1
Expedia 17.18
Facebook 92
Facebook Messenger 117
Firefox 7.4
Flipboard 4.0.12
Foursquare 10.6
Garmin Connect 3.18
Gmail 5.0.170423
Google App 26
Google Docs 1.2017.16203
Google Maps 4.31.1
Google+ 6.8.0
Grindr 3.8.0
Hangouts 15.5.0
HERE Maps 2.0.21
Hot or Not 5.6.0
Hushed 3.10.1
imo 7.0.73
Inbox 1.3.170423
Instagram 10.2
InstaMessage 2.7.4
Kakao Story 4.4.2
Keeper 10.7.0
Kik Messenger 11.18.0
LINE 7.3.0
LinkedIn 9.1.29
Mail.Ru 8
Meet24 1.7.51
Odnoklassniki 6.15.1
One Drive 8.15.2
Pinterest 6.25.1
QQ 7.0.1
Runtastic 7.2
SayHi 6.6
Scruff 5.1005
Skout 4.24.3
Skype 6.35
Snapchat 10.8.0.0
surespot encrypted messenger 15
Taxify 3.13
textPlus 7.0.1
Tinder 7.4.0
Truecaller 7.5
Tumblr 8.5
Twitter 6.78
Twitterrific 5.17.3
Uber 3.244.2
Viber 6.8.5
Vine 6.0.2
Vkontakte 2.13
Waze 4.23.1
Weibo 7.4.1
WhatsApp 2.17.22
Whisper 8.5.1
Yahoo Mail 4.15.1
Yandex Browser 17.4.2.162

ANDROID: NEW AND UPDATED APPS

2 NEW Apps 73 UPDATED Apps

ASKfm 4.3.4
Badoo 5.10.0
BBM 3.3.3.39
BeeTalk 2.3.3
Blendr 5.11.0
Booking.com 12.6
Chatous 3.9.45
Chrome 58.0.3029.83
CM Locker 4.6.8
CM Security Browser 5.20.78
Dropbox 46.2.2
Endomondo 17.4.0
Expedia 8.21.0
Facebook 122.0.0.17.71
Facebook Messenger 117.0.0.17.70
FireChat 8.0.32
Firefox 53.0.2
Flipboard 4.0.9
Gmail 7.4.9.154371932.release
Google Calendar 5.7.18-154035640-release
Google Drive 2.7.153.14.36
Google Maps 9.51.1
Google Photos 2.14.1.154467786
Google Quick Search Box 7.0.13.21.arm
Google+ 9.11.0.154487446
Grindr 3.7.0
Hangouts 19.0.154358895
HERE WeGo 2.0.11457
Hot or Not 5.10.0
imo 9.8.000000006371
Inbox 1.46.154499565.release
Instagram 10.19.1
InstaMessage 2.6.2
Kakao Story 4.4.3
KakaoTalk 6.2.2
Keeper 10.5.11
Kik Messenger 11.18.1.15578
LINE 7.3.0
LinkedIn 4.1.43
Meet24 1.30.5
Momo 7.6.2
mysms 6.4.7
Odnoklassniki 17.4.30
ooVoo 3.1.8
Outlook.com 2.1.203
Path 6.1.0
POF (Plenty of Fish) 3.47.2.1417465
QQ Browser 7.5.0.3240
Runtastic 7.2.1
Signal Private Messenger 4.5.3
Skout 4.24.2
Skype 7.45.0.598
Snapchat 10.8.0.0
Swarm 2017.04.21
Tango 4.0.218509
Taxify CA.2.99
Text Free Ultra Texting 6.22
Text Me! 3.8.4
Text Now 5.8.0
textPlus 7.0.1
Tinder 6.11.0
Truecaller 8.08
Twitter 6.46.0
Uber 3.151.3
UC Browser 11.3.0.950
Viber 6.8.8.5
Vine 6.0.0
Vkontakte 4.9
Voxer 3.15.2.19102
Waze 4.23.0.4
WhatsApp 2.17.190
Whisper 8.5.1
Yahoo Messenger 2.7.0


CRYPTOGRAPHIC HASH VALUES INFORMATION

You can validate the integrity of Cellebrite’s UFED software files by verifying their cryptographic hash values. This can help you identify whether a file has been changed from its original state.

Product | MD5 | SHA256
UFED Physical Analyzer | 480fe5ebaeae192aa3ab90de3a5d5114 | 0695f1973c63ae6daeae5c55be386bb0cde1ac48b0123c738a0a1d628959b611
UFED Logical Analyzer | cb183dca80e2f62e93769ec0c9f82f9a | dfe86259244d2811e9e03c3b79f22150ca26b9c7a36b9255193ac826f69b5804
UFED Reader | 1c22b2c7addfbd64eb20751d9defdd96 | 101e312b9f05c552241184e42859b115837a1adee0344f027458400049804f1d