Discover Mobile Forensics Best Practices And Advanced Decoding With UFED Physical Analyzer

Presenter: Dan Embury, CAIS Technical Director, Cellebrite

Dan Embury: Okay, thank you, [Callie]. I’d just like to give a brief little introduction and thank everybody that’s joined the webinar today. In terms of an agenda, there’ll be a brief little introduction and a disclaimer about some of the topics that I will be covering today. Further to that, I’ll be discussing some best practices and interesting techniques, and how you can leverage these other alternative methods and still utilize the UFED Physical Analyzer environment for analyzing the data. And it’ll apply to the platforms for popular smartphone manufacturers that are creating Android, iOS, and BlackBerry devices, and I will also cover TomTom triplog decryption services that we do offer.

So prior to beginning, I just wanted to go over a few key things, that some of the topics covered in this webinar will extend beyond Cellebrite UFED products, as well as Cellebrite Advanced Investigative Services. I would like to make it clear that there is no endorsement of any third-party solutions or practices being given during this webinar, but in the spirit of seeking the truth and maximizing the forensic evidence potential of all the work that we do as forensic examiners, I will be mentioning some of these techniques that may be considered non-forensic by the global community and/or your particular agency or corporation.

So it is possible that these methods do exist, but you may not be allowed to use them within your agency, depending on your practices. Ultimately, it’s important to always seek the permission of the investigating officers before attempting any of these methods. It’s their case, it’s their exhibit ultimately that they want to extract evidence from, and the last thing that we want to do as an examiner is brick the device or wipe all the contents from it. And most importantly, it’s always, always recommended to validate and test any of these non-forensic methods on a matching sample device before handling live evidence.

Cellebrite has defined most likely the concise mobile forensics flow. Ordinarily, we were discussing the concepts of extraction, decoding, and analysis of data, but I think it’s important to mention that in today’s smartphone universe, and with all the recent happenings in the press, it’s important to recognize that the first step in performing any sort of smartphone analysis is bypassing or circumventing the lock on a device. So through unlocking methods, either offered by Cellebrite Advanced Investigative Services, and in particular, our current offering, which is the User01 iOS8 unlocking capability, we also strive to incorporate as much capability into the UFED Touch and the UFED 4PC products for removing the lock from any smartphone device, prior to being able to extract the information.




Extraction can be performed with our products, either UFED Physical Analyzer… and you will see, recently we did release the latest UFED 5.0 release. There are some very exciting new additions to it, updates and improvements that many of you have recognized already, and we’ve gotten some very good feedback from the field. I’ll be discussing some upcoming webinars at the end that might be of interest to you. In addition to the extraction capabilities with UFED Physical Analyzer, clearly the trusted platform that’s been established since 2007 is the UFED actual hardware – so the Classic, which has evolved into the Touch, and the UFED 4PC. And the UFED 4PC is an option that many agencies are taking, since it allows the usage of a laptop that they can maximize the RAM and the storage, and leverage our software on it, in addition to the UFED 4PC device adapter.

In addition to extraction from the physical devices, UFED Cloud Analyzer is an additional, exciting product that we’ve launched over the past year, and it really, really maximizes the evidential potential to extract information from the cloud based on credentials that are stored on the device itself.

Decoding takes place with UFED Physical Analyzer once the extraction has been made using one of the preceding products. It is possible to do a full analysis and report generation. Cellebrite Advanced Investigative Services also offers some decoding, and within that umbrella it is the TomTom triplog decryption service, which I’ll touch on at the end of the webinar.

Analysis can be performed with our UFED Link Analysis product. It allows up to 100 different extractions to be cross-linked as well as linking in call detail records and other sources of data that are all pertinent to a mobile forensics analysis task.

So moving into the meat of the webinar here, we’ll be starting with Android, and what I want to talk about is Android custom recovery. This is a topic that has come about originating in the hacking community, but it is able to be leveraged within the forensics realm, quite simply because in many cases there is just no forensic solution in order to bypass a lock on a locked device.

Cellebrite is always striving to come up with innovative methods based on custom boot loaders and other innovative techniques, but sometimes this might be the only solution. And while we cannot 100% certify that this is safe and possible to solve your problem, I at least wanted to give an overview of this and show how the resultant data can be analyzed within the UFED Physical Analyzer.

So for Android devices with unlocked boot loaders, it may be possible to overcome these device locks by replacing the recovery partition that is present in all Android products with a custom recovery build. Now, again, as I mentioned, this does carry significant risks of bricking the exhibit, perhaps wiping the evidence, and mainly because the underlying technology for these custom recovery partitions that are created… there’s groups of people out there in the world that are trying to help unlock devices to use on another carrier or add additional applications and things like that. So there’s ClockworkMod Recovery, that’s a group of individuals, and there’s also Team Win Recovery Project, so TWRP, that we’ll sort of call Twerp. There’s other groups as well, but ultimately, these are hacking collectives, people that are getting together and creating these packages that have all the necessary tools to do some very low-level debugging and hacking of an Android device. Where they can be leveraged though, ultimately, is in the forensics realm, which I’ll show an overview of the process shortly.

There’s a special note that I should make here, that there’s a concept that Samsung implemented in reaction to the theft of smartphone devices from individuals. In order to thwart that and make a device completely useless to somebody that’s stolen a phone, there’s something called Factory Reset Protection (FRP), and Reactivation Lock (RL). Now, up until January, for any existing Android products that Samsung has developed with this technology, there are methods to remove these locks, and utilizing flasher boxes and things like that, [we] brought about some publicity that Samsung has not really been happy with. So what they’ve done is patched this completely in upcoming builds of Android that were produced after January of 2016. And you can see the Samsung security vulnerability update – it’s 2015-5131.

And again, as I mentioned previously, always test any of these non-forensic methods on a matching sample device first. You do not want to make a mistake of bricking or wiping the evidence from the only potential evidence in the case.

So what does the Android custom recovery process look like for Samsung devices? Well, it’s a multi-step process, and all these steps need to be performed, and there’s obviously more detail within them, but this is the process to make the phone boot up in a different method using these special packages that are built. The first step would involve putting the phone into Download mode, and there’s a variety of ways to do that – you can either use special cables from Cellebrite or you can do a key combination on the device with the Volume buttons, the Power button, and the Home button.

Next, a tool called Odin3, which is actually a Samsung product that was leaked out into the public hacking community a few years back. This is what’s used to flash the custom read-only memory file that’s been produced by these CWM or TWRP groups. Once that flashing is complete, the phone will be turned off, and then it will be started up in recovery mode. So this is a different mode, and it depends on the handset, but again, a combination of the Volume buttons, the Power button, and the Home button would boot the phone up into this recovery mode. It’s [indecipherable] select appropriate settings, [so the modifications] can be made to the device itself. And again, all these changes should only be occurring to the device system partitions, they should not affect the user data, but ultimately, since you are not in control of what this package contains, it is possible that you could lose valuable evidence.

The next step is to connect to the device using Android Debug Bridge, and this is typically done with a Windows PC by running basically the Android developer’s kit software to communicate with the device through USB.

Next, the custom recovery package will most likely contain a lot of different low-level functions, such as dd and netcat. So these can actually be leveraged and utilized to image the entire user data partition across the Android Debug Bridge. And just for your information, this is similar technology that we’re leveraging within our trusted boot loader solutions with UFED Touch and UFED 4PC, so you’re going to have similar timeframes for extraction of all the data. And it’s approximately two and a half hours to image a 32GB device. And the bandwidth limitation is truly through the USB controller and the USB cable, so as we see larger and larger smartphones coming on to the market, it’s going to get to the point where it could take up to a day to do a full extraction of a device.

And as I touched on previously, once you have this full extraction of the user data partition, it’s quite simple to then load up UFED Physical Analyzer and, using the Open (Advanced) from the File menu, you can build a custom AndroidDD chain, and all our software will go through it, and it will parse out all the pertinent data and create everything in a nice, presentable view, and you’ve all come to be accustomed to with our UFED Physical Analyzer.

And again, it goes without emphasizing any further that you should always be testing any of these methods on sample devices first, before handling live evidence.

Going forward with newer technology in Android devices, and the ultimate goal is to make a faster, more powerful, handheld smartphone with more data storage for your media, so Android has adopted UFS technology, which is Universal Flash Storage. Now, this is a new type of flash memory that’s almost like a SATA drive within the circuitry of the smartphone, and it allows for incredible scalability up to 1TB and beyond, as well as very high bandwidth data pass for very fast access by the processor within the smartphone.

So Cellebrite’s been able to develop a very unique forensic method for unlocking the latest Samsung Android device as it utilizes UFS flash technology. And they would include the Galaxy S6, the S6 Edge, as well as the Note5, plus all of the variants. In total, there’s probably more than 30 different devices that are applicable, depending on the region in the world where they’re produced and utilized by various carriers. But we’re also hoping to expand this to the Galaxy S7 and the S7 Edge that were recently announced, and it’s worth noting that the LG G5 that is upcoming is also going to utilize this same UFS flash technology.

At this point in time, there is no existing solution for Chip-Off, in-circuit programming, or JTAG due to the fact and the presumed belief that the data within the chip will be encrypted. And the reason for that is that rather than running the encryption within the secure crypto-engine of a processor or even within the software level, the Android ecosystem has moved the dm-crypt functionality into the flash memory chip itself. And clearly, the performance and power gains are significant.

So what’s interesting about this is that there may be other alternatives for some of these devices using the technology that I just described previously for custom recovery. However, Samsung has worked with particular carriers around the globe to prevent any sort of flashing of custom ROMs and custom recovery. So it’s important to recognize that AT&T and Verizon devices fall within this category and they contain these locked boot loaders that would prevent any sort of custom recovery hacking of the device. So ultimately, the only solution is our solution that we’ve created, and we’re currently doing further testing to ensure that we can roll this out over the coming weeks and months at our global Cellebrite locations.

The reason why we’re keeping this within Cellebrite as a service is clearly to ensure that there’s viability going forward for any encryption roadblocks that might be encountered with newer Android devices. Samsung is very cognizant, as we saw earlier, with them blocking the flasher boxes that used to be able to remove the FRP and RL locks from devices, so ultimately, we do not want to take this valuable [inaudible] exploitation that we’ve created and have it patched in the next generation of Samsung devices and [firmwares].

A very interesting new feature of UFED 5.0 that I wanted to touch upon here, that you might not be aware of, is the fact that we can extract many popular Android apps that are currently encrypted due to newer versions of the apps that are in use. What’s interesting is that by downgrading them within the device itself over Android Debug Bridge, by pushing an APK package to it, it’s possible to then have the older app do the interpretation of this newer, inaccessible data.

So within the UFED 4PC or UFED Touch environment, it is possible to connect to the device, as long as it’s unlocked and everything is accessible, and this large handful of applications can actually be downgraded temporarily to enable the extraction of all the device database contents.

Now, obviously, there are some risks, that it is making some changes to the device itself. Everything has been tested to the best of our abilities, with hundreds of sample devices and different applications, but ultimately it does carry some risks and it should be used only as a last resort. But if you know that a target or a suspect in an investigation is utilizing an application and the extraction of all the other databases from a device do not produce any fruitful evidence, it could be possible that they’re communicating through WhatsApp, then ultimately it’s important that you squeeze out every last little bit of evidence from the device.

So moving on from Android to iOS, what I’d like to present here is sort of an overview of the iOS jailbreaking process. Jailbreaking has been around since the early days of the first iPhone that came out almost ten years ago. The ultimate goal back then was to enable the phone to be used on other carriers, because at the time, Apple worked with AT&T singular in the United States, and there was no way to utilize this phone anywhere else in the world. So there was a considerable amount of effort that was put into hacking these early iPhone devices, and not only just for unlocking the sim card utilization, but also to enable other applications to be run on the device, outside of the iTunes ecosystem for apps.

So before we get into the jailbreaking process, I just wanted to cover what the UFED Physical Analyzer software is capable of performing in terms of iOS device extraction. So with newer devices, physical extraction is not possible, and that’s due to hardware encryption that the manufacturer has implemented. However, an advanced logical extraction is possible, and there’s various flavors of them depending on the situation of the device in terms of the version of iOS that is running, as well as the jailbreaking status.

So method one – and you’ll see this pop up within the iOS device extraction in UFED Physical Analyzer – method one relies on the iTunes backup using Apple’s existing backup infrastructure. So it’s quite similar to what iTunes would utilize for creating a backup on a computer, and we’re simply leveraging something similar in a forensic manner to ensure that no changes occur to the device data.

Method two, which was a fruitful way of extracting evidence for earlier versions of iOS, 8 and earlier, it makes it possible to extract backup data if the device is encrypted and the device password is unknown. So it leverages the file relay, but with iOS 8.3 that was released, the sandbox access has been closed, which means that a lot of information that was previously available is no longer possible to extract. And we’re seeing this in not just iOS devices, but in other situations, that the amount of evidence that you’re able to get out of a device is slowly diminishing, but we’re trying our best to overcome these challenges, to present the best possible solution to you.

In some situations though, in order to maximize the extraction of everything from a device running iOS, it’s important to perform a jailbreak. And this would be particularly important for missing persons, high-profile cases like murders, mass murders, those sorts of things, counterterrorism obviously. But what is possible once the jailbreak is performed is a method three extraction. And obviously, where the device is encrypted or unencrypted, particularly for older devices, jailbreaking will provide a much richer data set of extraction.

How does jailbreaking work? Essentially it provides privilege escalation to modify the device system partition. So again, similar to the custom recovery with Android, it should not affect the user data. It is possible that it may affect, and obviously there are some risks that are involved with this non-forensic technique.

Ultimately, by jailbreaking it, it allows the installation of Cydia, which is an application that allows additional applications to be installed outside of the iTunes ecosystem. The only thing that we’re truly interested in with Cydia is to enable this Apple File Conduit type two. And with that, it is then possible to perform a method three.

So depending on the iOS version – if it’s iOS 7 and below – you might find that the Apple File Conduit is already installed on the device. But in my experience with iOS 7 and basically all ranges of iOS 7, you have to add this afc2add module to the device. For iOS 8 and above, it’s called AFC2. And then, as I mentioned previously, once it’s installed, the method three will appear in UFED Physical Analyzer.

Now, going into the benefits of jailbreaking – I’ve touched on it very briefly – but ultimately, it allows for a more complete extraction of the full file system. It may provide access to downloaded email and full application data, including logs and cache files. It may provide details of internet activities and potentially geolocation information, both of which could be very pertinent to your case, your investigation. Quite simply, you don’t know what evidence you could be missing. And let me give you an example of that. Within the Apple software ecosystem there is a lot of background tasks that are always running, and some of these are running as the daemon, and there’s one called powerd. And within the File System/priv/var/log/DiagnosticMessages directory, there is an Apple system log file that is created with the date and time stamp, and within that, that is where the powerd daemon messages are saved.

Now, where this gets really interesting is that it’s essentially keeping a life meter for the battery within the Apple device. In one clear example, based on some information that we received from our partners at CCL Forensics, in particular Mr Alex [Capnis], for this investigation in Queensland, Australia, they were able to go through these Apple system logs and actually plot out the battery life throughout the duration of the logging period. Now, this powerd daemon was saving these logs for a considerable amount of time, and the granularity is quite often down to the minutes. So every few minutes, it’s logging the battery life. Now, they were able to take all this information and graph it out, and create sort of an illustration of how the user of this phone was plugging in the device every single day, and then, once it was unplugged, throughout the day, the battery would slowly deplete. And then, at the next day, the night, they would plug it in, and then the battery would deplete after that.

Now, this particular murder case involved the great-grandson of Lord Baden-Powell, who founded the scouting movement globally, and on one particular night, this man’s wife went missing, and she was murdered. It was proven, through various pieces of evidence, in addition to this Apple system log, that every night this gentleman would plug in his phone before he went to bed. So maybe at around 11 or 12, the pattern was that he would always plug the phone in, it would be charging all night until he woke up in the morning, and then he would disconnect it from the power, and then, slowly, throughout the day, the device would be depleting. Well, it turns out that on the night that his wife went missing, the phone was not plugged in between 11 and 12 at night. It was in fact plugged in after two in the morning, and it was believed that she was murdered in the early morning hours of that night. So again, it’s a pretty amazing piece of circumstantial evidence, but tied into the rest of the particular pieces of evidence from this investigation, it was obviously enough to convict him for murder of his wife. And I would imagine that he was stripped of all of his boy scout badges for this bad deed.

You may find the scripts to parse through this Apple system log data on the GitHub page for CCL Group Ltd. The link is provided here. And just for reference, this webcast is being recorded, and afterwards, you will be getting a YouTube link to the entire recorded presentation.

So just to illustrate the power of performing an iOS jailbreak – I took some live case data for an investigation that I’m working on, and I’ve run it through UFED Physical Analyzer. And this is an iPhone 5, variant iPhone 5.2, it’s an A1429, and it’s running iOS 7.0.4. So I took a small snapshot of different databases that were interesting, so email, chats, contacts, and device locations, as well as the actual quantity of files that are extracted from the file systems. Now, going through the normal method one, which is the backup type of extraction, you’ll see that there’s 244 emails, 2004 chats, and so on. In total, there was 10,265 files pulled from the file system.

A method two extraction – and you’ll note that this was an iOS 7 device, so it was still possible to extract information using method 2 – you’ll see that there’s a vast increase in the number of emails, a few more chats, there’s less contacts and less device locations. And that’s just basically the nature of the extraction process. And as always, it’s important to try as many extraction types as possible given the timeframe that you have to analyze each exhibit. And what’s really nice about the new UFED 5.0 release is that you can take all of these different extractions for a particular device and merge them together into one unified view. And now it’s not a simple de-duplication, it’s a very intelligent merge that’ll actually rank the most commonly occurring pieces of evidence first, and sort of adaptively show you where each piece of evidence has come from. So you can always rely back and perform the proper validation of the extractions. But ultimately it’s about getting the data quicker, analyzing it, generating reports, and not having to go through separate extractions one by one, like in the past.

Now, moving along, once the jailbreak was performed, it enabled the method three extraction. And you can see a significant increase in a lot of the content here. So of note, protected emails were added – approximately 500 new emails, including 286 that were deleted, they are now accessible and extractable from the iOS device. As I mentioned, third-party applications, so Facebook Messenger and Facebook itself is able to provide additional chats, contacts, and device locations, and even SMS Spotlight Search. So this is something that’s native to the iPhone search. Spotlight is just a way to quickly search through everything on the device for a particular keyword that the user is looking for. But it seems to index actual content within the SMS application. So it’s able to access deeper into the device and pull out lower-level iOS functionality. So what’s most important is that the file system has been extracted in full. You get 124,000 files, which is significantly more than before, and you’re essentially able to dig deep into it and look for log files, cache files, third-party applications that might not be decoded. But it gives you full power to go through everything, and ultimately, this is the best that you will get out of an iOS device.

Now, as I mentioned, there’s a lot of caveats, there’s a lot of risks. I’ll try to summarize them here for you, chief of which… and obviously, Apple’s aware of the jailbreaking efforts in the community globally. It’s been ongoing, sort of a battle between hackers globally and Apple, so they’re slowly closing down any vulnerabilities as they learn of them, and most importantly, jailbreaking is all about finding a solution and then sharing it with the world. Well, by sharing it with the world, these hackers are also enabling Apple to fully reverse-engineer the solution and then patch all of their hard work. So one key thing – it might not be possible to perform a jailbreak if the iCloud password details are not known. So since the user may have enabled Find My iPhone, before the jailbreak can be performed it needs to be disabled. So clearly, it makes sense if somebody has their phone stolen or somebody loses their phone, obviously, jailbreaking should not enable the person that stole it to get into the device. So before we can do a jailbreak it’s important to know that you most likely have to disable the iCloud Find My iPhone functionality.

Another limitation with some of these jailbreaks is that if the user has updated the device firmware at any time over the air rather than connecting it to a computer running iTunes, it might render the jailbreak useless. Now, you’re not going to brick the phone – it just simply will not work. There’s some additional risk, but ultimately, it comes down to the fact that once the solution has been found by the jailbreaking community, they’ll move on to something newer and more exciting. So some of these older jailbreaks that will not work for over-the-air, there’s just simply no other way to get into the device with a jailbreak.

There’s a very concise list on the website canijailbreak.com, and it advises on which possibilities there are for each firmware version of iOS and device type as well. And since this jailbreaking solution is created globally, there’s hacking teams all over the world, there could be malicious software that’s integrated with the jailbreak, there could be some risks that would be undesirable, so I always recommend you to use a Mac or a separate PC other than your forensic machine in order to perform this type of function. And again, everything should be documented. Everything should be tested first, before handling live evidence.

Obviously, there could be some adware, there could be some other, additional software that the jailbreak may wish to install, but ultimately, only Cydia is required in order to add the AFC2 module to the device.

Now, the final thing is that Cydia does not include AFC2 by default within the installation. So the device will need to connect to the internet to install this additional module to facilitate a method three extraction. What I would recommend in the view of full transparency and openness: you would be documenting that you are performing a jailbreak on this exhibit. The easiest way to install this module is to create a Wi-Fi hotspot, name it after your agency, and then connect the evidence to that hotspot long enough to download this module through Cydia. It’s very straightforward, it will leave a trace in the Wi-Fi networks that are extracted using UFED Physical Analyzer, but ultimately, in the view of full openness, it’s something that the ends could justify the means that you go through. The evidence that you extract could make this all very much worth going through this typically non-forensic technique. And again, always test on a matching sample device first.

Now, moving along to iTunes backup encryption. Most of you should be aware of this capability within the iTunes environment. When a user connects their phone to iTunes, whether they want to be transferring apps or music or just performing a backup, it is possible for them to check this box quite easily that states “Encrypt iPhone backup”. Now, in doing so, every single backup that is then performed by the device would be encrypted. So since Cellebrite’s method one is leveraging the Apple infrastructure for backup, that means that the backup that we perform with UFED Physical Analyzer would in turn be encrypted as well. Once you try to open the extraction, you might be presented with this window. So we’re able to quickly determine that the backup’s been encrypted, but we do offer the possibility to try a brute force on that. And with this screen, you can click on the ‘Load from file’ button, and feed a text file of potential words that might have been used as a password.

Now, if you’re able to index the suspect’s entire hard drive on his computer and generate a very concise word list, this would be a good stimulus for our attack, to try to break the encryption on the backup. You can also find a large number of sample word lists at weakpass.com/lists, and on this website, it’s a user-populated site for hackers and forensic professionals, and there’s a large number of common passwords that you may wish to try. Other tools can be used for an offline attack. This is the sort of thing with UFED Physical Analyzer that you may want to start up on a Friday afternoon, and then come back on Monday and see if it’s gotten into the device backup. Ultimately, what we’re doing is attacking the Manifest.plist file that is found within the TarArchive that we’ve extracted in the Backup directory itself.

So it is possible to take out that plist file and utilize other tools that might be able to leverage CPU and GPU cracking to try to get through this password faster, as well as perform variations on the passwords themselves rather than just relying on a simple word list.

What’s interesting is that with our Cellebrite Advanced Investigative Services U01 iOS 8 unlocking service, we are able to remove the backup encryption from the supported models that we can do. So if you’re faced with an iOS 8 device that we support and you’re unable to crack the encryption on the backup, and you’ve exhausted all attempts with either UFED Physical Analyzer or other solutions from other companies, we are able to actually remove the encryption from the device as part of the service.

One final thing to note is that method one within UFED Physical Analyzer can force the backup encryption temporarily, and you have an option for that, and what that means is that once the iOS device knows that the encryption is going to be made, more information is actually provided. So basically, account passwords and other important information that is stored in the Keychain, those will actually be extracted and displayable within UFED Physical Analyzer. As I have mentioned before, this is just a temporary enforcement of this encryption, so we just temporarily turn that on, do the extraction, and then disable it.

So for those that know me well, my claim to fame [at the RCMP] for ten years is that we are inundated with BlackBerry devices, so obviously I cannot do any sort of presentation without mentioning BlackBerry. And it’s kind of funny that these devices are still kicking around, and we do get large amounts of requests that seem to come and go in waves. So I wanted to point out some of the features of UFED Physical Analyzer that are particularly important for BlackBerry 10 devices. So when you perform a file system extraction with UFED Touch or UFED 4PC on a BlackBerry 10 device, the native backup method that BlackBerry itself created with their Link software is the same extraction type that we’re providing to create the equivalent of a .BBB file. So this is a BlackBerry backup file.

Now, previous versions of BlackBerry devices would produce an .IPD file, and for those that recall, there was a way to do an offline attack to get through the encryption on the IPD files. And BlackBerry, the company, obviously they’re focused on security. What they’ve done with this newer BlackBerry 10 format is encrypt it with a key that’s stored within the device, and the key is also backed up at BlackBerry the company itself. There is no way to do an offline attack on the backup itself in any reasonable amount of time, primarily because of the length of the key.

So when you do a file system extraction with UFED Touch or UFED 4PC and then try to open it with UFED Physical Analyzer, you will get a pop-up screen like this, as shown on this slide. Now, the only way to do the decryption of the password – and the user name of the actual backup file is required. So this will be the BlackBerry ID that was created by the user when they first set up the phone. A random encryption key is created in combination with the user ID and the password, and it’s stored within the device and within the BlackBerry server itself at the company. Now, it is possible, if you do not know this, to actually request this encryption key from BlackBerry the company. And by emailing lawfulaccess@blackberry.com and providing the appropriate legal instrument, whether it’s a subpoena or search warrant or production order or assistance order, depending on the region of the world that you’re in, it is possible to receive this key from BlackBerry themselves. You can then paste that within the bottom of this pop-up window, where it says ‘Backup key’, and the decryption can take place with UFED Physical Analyzer.

It’s important to note that devices on a corporate BlackBerry may not be supported, primarily because the key is stored on the corporate server, and not at BlackBerry the company. But again, if you do have the username and password for a consumer-level device, it is possible to enter that into the pop-up window, and by clicking on ‘Get backup key’, it actually goes out on to the internet, communicates with the BlackBerry company, and requests the key, using the username and password. It’s a very simple and straightforward process, but it’s sort of new, in that the UFED Physical Analyzer needs to be running on a computer with internet access. So you may wish to do this offline on another computer, isolated from your forensic network.

For even older generations of BlackBerry devices running OS 7 – and trust me, these are still kicking around out there – there are people utilizing WhatsApp. Now, the problem is, for newer BlackBerry devices, running OS 7, the WhatsApp database is encrypted using a hardware-encrypted key. So that means that there is really no way to extract this from the hardware level during chip-off or talking to the processor directly. And it’ll become apparent when you’re doing the extraction and analysis of a BlackBerry OS 7 device – you will get a pop-up like this in UFED Physical Analyzer. The main indication here shows that there’s a possible encrypted WhatsApp database, and it says, “Please contact Cellebrite for a possible solution.” Now, I’m going to present that here and also recommend how you can go forth with finding a solution.

So by doing a physical extraction or a chip-off of the device, you can do a complete extraction of all the information. The messageStore.db files, which are utilized for storing the WhatsApp messages, those will be contained within the BlackBerry file system. You can also determine the SHA-1 hash of the device password in order to be able to unlock a locked device. I’ve got a breakdown on the right that shows which devices are supported for UFED physical extraction when you know the password, and those would be the Torch and the Bold 9900, 9930. For newer devices, and ultimately, it’s something that BlackBerry the company has patched to prevent any sort of physical extraction with UFED. The Curve and the newer Bold devices, they would require chip-off, and even further, they would require re-balling of that chip to put it back on to the device itself to be able to boot it up. Now, the reason for that is that you need to actually produce a backup of the device contents, because within that backup is the hardware-encrypted key for the WhatsApp decryption process.

Now, this probably sounds a little bit convoluted, but once you take a step back and look at the process it really makes a whole lot of sense in that the SQLite key that is utilized for these databases, those are stored in the backup. So it’s relatively straightforward to take that key and input it as stimulus into UFED Physical Analyzer using a Python script, and it’ll do all the appropriate decryption and decoding of the WhatsApp databases that might be present on this BlackBerry device.

Now, for those that are interested, please contact support@cellebrite.com to open up a ticket, and our support people will be able to provide you with a script and a PDF explaining this process in detail; but obviously, if you do have some issues, do not hesitate to reach out to support or me. My contact details are at the end.

So finally, we’ll wrap up with TomTom triplog decryption. Now, this is a pretty impressive capability that Cellebrite has created. It’s unique to the world. For those countries and regions of the world that are still seeing TomTom navi systems and GPS devices that are utilized, you might be missing a considerable amount of evidence. This is offered as a service through Cellebrite Advanced Investigative Services. We’re calling it D01 for Decode-Decrypt number one. Essentially, a TomTom GPS device generates a considerable amount of triplogs if the user chooses to share their location information with TomTom. Now, that would be at the point of setting up this device, fresh out of the retail box. It’s possible that they may have turned it on and forgotten that this is actually enabled. So these triplogs could actually illustrate a breadcrumb trail of where that person was with this navi system every meter. So the granularity is really quite impressive, and if you need to try to place somebody at the scene of a crime, it really has its benefits.

In order to protect these triplogs – because they have a lot of personal, private information of where the navigation system was – TomTom has encrypted them. But Cellebrite’s able to decrypt the vast majority of these triplogs, and we offer this as the unique decryption service. The key is to open up the extraction within UFED Physical Analyzer, and then, from the Tools>TomTom menu, you can select ‘Export’, and it’ll create an XML file generated from all these triplogs. These will then be submitted to Cellebrite, and we would do our best to decrypt those in as fast a time period as possible. So this processing service may take several days – it’s depending on the volume of data that’s submitted for your particular investigation, as well as the number of active requests that we’re receiving from our other customers around the world. Ultimately, it’s a free service, we’re currently offering it free, but this may be subject to change going forward. But ultimately, if you are seeing TomTom devices, please do contact us at cais@cellebrite.com.

So that pretty much wraps up this webinar. I’d like to point out that in the upcoming weeks, there are some additional webinars that you might be interested in for the latest UFED 5.0 release. So on April 12th, Karen Carmeli, she’s the product manager for the UFED software platforms – so that’d be Physical Analyzer, Logical Analyzer, and Reader – she’ll be presenting on the entire UFED 5.0 release. The next day Shahaf Rozanski, he’s presenting on what’s new in UFED Cloud Analyzer. And if you’re not aware of the capabilities of UFED Cloud Analyzer it’s very important to educate yourselves, because you truly don’t know what evidence you could be missing. And then the week after that Karen will be doing a live demo of a lot of the important features and how you can leverage them to accelerate your investigations using UFED Physical Analyzer. And again, if you’ve ever filled out any sort of information request or webinar, you should be receiving these invites. If you have not, or if you have other colleagues that are interested, please direct them to the Cellebrite website; under Webinars, you can see a complete listing of current, upcoming, and past webinars that might be of interest.

Ultimately, my contact information: you can reach me by email at dan.embury@cellebrite.com or the general mailbox for CAIS at cellebrite.com. I’d like to point out that voting is now open for the Forensic 4:cast Awards. Please go to this website and vote for Cellebrite for several categories of Phone Forensic Hardware, Phone Forensic Software, and Digital Forensic Organization.

Now, we’ve got a few questions that have come in. There’s another seven or eight minutes left in this one-hour slot. The first question involves TomTom decryption. So I do believe that I did cover that in the last slide on TomTom decryption – so ultimately, the decryption itself is not included in UFED Physical Analyzer, it requires an offline processing, utilizing a large number of computers and processors. So ultimately, one should do the exportation of the TomTom triplogs in XML format. It’s possible to send it to Cellebrite, and we’ll do the decryption, and then provide back to you the decrypted data for you to then analyze within UFED Physical Analyzer. Once you receive it back, you would use the Import function in order to bring it back into the software.

As I mentioned, there was another question about TomTom triplog varieties. There’s different types of encryption that are utilized, whether it’s stored within the device itself or an external memory card. There’s different flavors, ultimately we would like to try to help out as much as possible. We don’t really know what flavor it is until we have a chance to look at the information. So please contact CAIS@cellebrite.com if you have any TomTom questions.

So there’s a question about WhatsApp. I’ve noticed this myself, personally, on WhatsApp, on my BlackBerry Priv device, that they’ve just announced yesterday that they have encrypted chat and voice chat. The question is whether UFED can extract this information or not. Ultimately, time will tell. Our decoding team I imagine is working on this at the moment, and hopefully we’ll have some information going forward, and even maybe integrate some capability into the next release of UFED 5.1.

There’s a question about whether Cellebrite will integrate jailbreaking into the software. I’ve discussed this, it’s something that’s quite interesting. If we can put a repeatable, easy-to-use, somewhat certified method into the UFED, then it’ll make things a lot easier for the forensic community to utilize. It’s still under consideration. It would involve taking other people’s work from the past five years or so, and particularly the jailbreaking community’s work. But we’re going to have to see. But obviously it would make things a lot safer for our users if it’s integrated as a one-touch solution.

And again, there’s a question about whether we recommend jailbreaking all phones in order to extract the maximum amount of data. Clearly, you will not have time to jailbreak every single phone that comes into your lab. But ultimately, if it’s very important, if you have not found the evidence that you believe should be in the phone utilizing method one and method two, then I would strongly encourage you to seek permission from the investigators, [it’ll widen] the risks, and try to perform the jailbreak. Again, as I mentioned, you do not know what you could be missing until you actually try it.

There was a question about the emails that were extracted from the iPhone from the samples that I showed. These emails that were coming from method one and method two were actually from an AOL account I believe. So depending how they were being stored on the device … they might have been stored, I believe, in the non-protected space. So ultimately it’s the protected emails that are not extractable from an iPhone unless you do a jailbreak.

There was a question about PGP-encrypted BlackBerry devices, and this is quite popular in some regions of the world. I’ll ask that contact be made with me offline, and I can provide some guidance on that.

My apologies – I’m just trying to scan through as many of these questions as possible, to try to see if there’s anything additional. What will occur after this webinar – probably tomorrow you’ll receive a link to the YouTube recording of it, as well as my best effort to answer as many of these questions as possible.

So again, as we’re running out of time here, I wanted to close and just thank you all for attending. There was a very, very good number of people that registered and attended. I thank you for that. It was my first webinar. I hope all went well. And again, please do not ever hesitate to contact me for any sort of assistance. Thank you so much.
