UFED Physical Analyzer 2.0 USER MANUAL

Contents

1. UFED Physical Analyzer 2.0 USER MANUAL. Cellebrite. LEGAL NOTICES: This manual is delivered subject to the following conditions and restrictions. This document contains proprietary information belonging to Cellebrite Ltd. Such information is supplied solely for the purpose of explicitly assisting authorized users of the Universal Forensic Extraction Device (UFED) System and its associated components. No part of the content of this document may be used for any other purpose, disclosed to any person or firm, or reproduced by any means, electronic or mechanical, without the express prior written permission of Cellebrite Ltd. The text and graphics are for the purpose of illustration and reference only. The specifications and documented procedures on which they are based are subject to change without notice. Information in this document is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted. Copyright 2009 Cellebrite Ltd. All rights reserved. CAUTION: To avoid damage to the UFED, it should be used only with the dedicated AC/DC adapter supplied with this device. CAUTION: To avoid damage to the UFED, the USB, Ethernet, and target and source connectors should be connected only to CE-approved devices according to the IEC/EN 60065 standard. WARNING: To avoid possible harm, make sure that all external connections to other devices, excluding t
2. 7.5.2.1 HTML/PDF Report Settings. Logo Header: Text area where you can enter and format custom text that will appear in the report header before the logo image. Logo: Click on the Select Image File button to add the logo image that will be added to the report header. Available file formats are BMP, JPG, GIF and PNG. Logo Footer: Text area where you can enter and format custom text that will appear in the report header after the logo image. Page break after sections: Selecting this option will set each section of the report to start on a new page. (Figure 77: Reports, Report Defaults settings; the screenshot also shows the options Number of lines for email preview, Generate PDF Report: Yes, and Show totals for items not in the report: Yes.) Number of lines for email preview: Sets the maximum number of lines from each email message that will appear in the report. Generate PDF Report: Generates a PDF version of the report i
3. 1. While viewing a Hex dump, click on the Find button in the Hex view toolbar. 2. Select the SMS 7Bit PDU tab (7 Bit or 7 Bit Reversed). 3. In the Text Options section, set the search options (clues) of the text string. 4. Set the search results Text and Background colors. 5. Click Find. (Figure 50: SMS Text search.) 6.3.10 Pattern Search: When navigating within a large memory structure, the Find Pattern tool locates any content that is textual in nature. A user has broad control over what to include within the search criteria. NOTE: Pattern search can be used to locate all possible 7-bit SMS text results. To minimize the number of false positive results, set the Mi(...) 1. While viewing a Hex dump, click on the Find button in the Hex view toolbar. 2. Select the Pattern tab. 3. In the Minimal length and Maximal length fields, set the pattern length range. This option enables filtering the results according to the searched patterns. 4. Select the type of the patterns: ASCII and/or 7 Bit. 5. Set the search results Text and Background colors. 6. Click Find. (Figure 51: Pattern search; the dialog shows Text options Letters only / Numbers only / Both, Allow symbols, Unique results only, Show low match results, Minimal length 1, Maximal length 9999, Type ASCII / 7 Bit.)
4. When a file is selected, the Highlights tab displays the list of chunks that this file is comprised of. 6.4.8 Information Frame: The Information Frame automatically appears whenever the mouse cursor is positioned over the displayed information in the Hex view. The floating information frame displays: Links (pointers) to analyzed data items such as files and folders in the Project Tree; Search results associated with the pointed data. (Screenshot: Hex view of the dump CTS 298C0000 30400000.bin, with the Highlights list showing one entry: Offset 0x59904C0, Length 0x200, Comment Del_Img2.jpg.)
5. (Figure 2: The Cellebrite UFED Activation screen on my.cellebrite.com, showing the My Account, My Devices, Download Software Updates and Utilities, and Register My Device sections.) In the Add a Device to My Devices section, enter the Serial number and Device ID of your UFED, which were obtained from the Software Versions screen, then click Add Device. (Figure 3: Adding a new device.) The device will be added to the My Devices list. Click the checkbox beside this device and then click on the Renew License button. (Figure 4: My Devices list, with Logical Expiration Status and Physical Expiration Status columns.) On the Renewal Process page, fill in the required fields, including email address, then click the Se
6. Manual Activation Process: 1. Note the Computer ID displayed in the UFED Physical Analyzer License window on your PC. 2. On the UFED unit, select Services > Upgrade > PC License > Activate PC License > Manual Key Entry from the main menu. (UFED menu screenshots: Services, Upgrade, PC License, Activate PC License, Manual Key Entry / Upload Key File, PC License Information, Remove PC License.) 3. Using the directional keypad, enter the Computer ID that was displayed in the UFED Physical Analyzer License window. Select F3 to confirm. The UFED unit will display the PC Activation Code. 4. On the Physical Analyzer License window, enter the Activation Code as it is displayed on your UFED unit. 5. Click Activate. Your UFED device and Physical Analyzer application are now both ready for use. 2.4.1.2 File-Based Activation Process: Manual Key Entry can be avoided by saving the key file to a USB drive. Doing so shortens the activation process and can save a lot of time when installing multiple instances of the UFED Physical Analyzer. On your PC: 1. Connect a USB disk drive to your PC. 2. Click the Write to USB button next to the Computer
7. Address column: The number column, in Hex or Decimal value, displaying the start address of each row in the Hex and ASCII representation data sections. Hex data view column: The Hex data of the selected item. ASCII representation view column: The ASCII representation of the Hex data. (Figure 24: Hex View tab screen; the status bar shows Length 0x960000, Offset 0x0, Selection 0x0, and the Values, Bookmarks and Highlights tabs.) 4.3.4.2.2 Hex Data Toolbar (Figure 25: The Hex View toolbar): Located at the top of the Hex data display pane, the Hex data toolbar provides access to the following functions related to the data displayed. Save: Click to save the entire memory dump to a local folder. Copy Selection: Copy the currently selected content of the Hex View tab to the clipboard. Find: Displays the Find dialog to search for all occurrences of specified information in the displayed Hex display pane. Find Next: Displays the Find dialog with the search parameters used in the latest search. Add Bookmark: Bookmark the currently selected content of the Hex display pane. Redirect the offset to a specific address in the content of the Hex display pane (see Redirecting the Offset on page 86). Enable Info Frame: Toggles on/off the display of the floating information frame at the cursor location. Show Address: Toggles on/off the left address column display. Show ASCII view: Toggles on/off the right ASCII
8. Click the + icon at every node to expand the tree display under it. Continue drilling down in the file system tree to explore its content. When you reach a file, double-click on it to display its information in the data display area. The number of information tabs displayed for the file will change according to the file type. For example, an unknown file may display only the Hex View and File info tabs, while a JPEG image may display additional Image view and Meta data tabs. The default view is the Hex view. (Figure 32: File Hex dump display after double-clicking on the file; the project tree shows Memory Ranges and File Systems (KFAT0 with B_FSDB, C_FSDB, DRM, EMAIL, J_FSDB, JAVA folders and files such as 0000.JAD, 0000.JAR, 0000.SYS, 0000.TMP), and the status bar shows Length 0x2D94B, Offset 0x0, Selection 0x0.) While the Hex dump of an image is displayed in the Data Display area, selecting a file under the file system tree will highlight the data portion of this file in the Hex dump data. The Highlights list under the Hex viewer will display the data chunks in the Hex dump
9. Contact <1285 items>, SMS <192 items>.
   1.4.2 Counting the amount of SMSes:
   >>> ds.Models.SMS.Count
   192
   1.4.3 Print some details about an SMS:
   >>> s = ds.Models.SMS[0]
   >>> s
   SMS: Status Field: Default; To Field: 00096970059; Folder Field: Drafts; Message Field: This is a text message
   1.4.4 Print the SMS Message Field for all SMSes:
   >>> for i in ds.Models.SMS: print i.Message.Value
   I'm at home. Please call.
   I'm at work. Please call.
   I'm in a meeting, call me later at ...
   Meeting is canceled.
   I am late. I will be there at ...
   See you in ...
   See you at ...
   Sorry, I can't help you on this.
   I will be arriving at ...
   1.4.5 Create a new SMS message:
   s.Parties.Add(Party(341414141, PartyRole.From))   # add a "from" party (multiple parties are possible, so we use Add)
   s.Parties.Add(Party(234646335, PartyRole.To))     # add a "to" party
   s.Parties.Add(Party(353753536))                   # when we aren't sure about from/to, we add a general party
   s.Body.Value = "Example text"
   s.SMSC.Value = 238423842
   s.Deleted = DeletedState.Deleted                  # set this SMS as deleted
   ds.Models.Add(s)
   Creating a new Call or a new Contact is similar, but the fields marked in pink are different.
   1.4.6 Using AddRange to add models quickly: When adding a large amount of models to a project, it is much more efficient to use the AddRange method.
   >>> smses = create_m
10. (Screenshot residue: on the left, an XML report excerpt for an SMS message; on the right, the same project's report.xlsx opened in Microsoft Excel, with a Contacts sheet listing names and Mobile/Home/Work/General numbers. The recoverable XML structure is:)
   <field name="Status" type="MessageStatus">
     <value type="MessageStatus">...</value>
   </field>
   <multiModelField name="Parties" type="Party">
     <model type="Party" id="a5f98c1d-001b-43ef-b0cd-ee01bff00d64">
       <field name="Identifier" type="String">
         <value type="String"><![CDATA[00096970059]]></value>
       </field>
       <field name="Role" type="PartyRole">
         <value type="PartyRole">...</value>
       </field>
       <field name="Status" type="PartyStatus">
         <value type="PartyStatus"><![CDATA[Unknown]]></value>
       </field>
     </model>
   </multiModelField>
   <field name="Folder" type="String">
     <value type="S
11. Upload Key File: Insert a USB disk drive with the license file, then continue. The deactivated license of the UFED Physical Analyzer application is now re-added to your UFED unit, ready for use to activate another UFED Physical Analyzer installation. Chapter 3: Performing Data Extraction. The information provided in this chapter is based on the assumption that the user is familiar with the basic operations of the UFED device. Please refer to the UFED User Manual, Chapter 4, to familiarize yourself with the UFED before continuing. This chapter describes advanced features specific to the UFED Physical module only. NOTE: Use the up/down keys to move between options in the Main Menu. Use the left key to return to a previous menu. Performing a Physical Dump: When performing a physical dump operation, the UFED Physical Pro uses advanced extraction methods to create a single hex dump file for each flash memory chip or address range utilized by the mobile device. Unlike conventional logical extraction processes, the physical extraction method bypasses the phone's operating system, acquiring the data directly from the phone's internal flash memory. The phone memory is captured into hex dump file(s) that will later be read and analyzed using the UFED Physical Analyzer application. The physical dump created includes memory space unallocated by the phone's OS, which may contain deleted data such as SMS, Call logs, Phonebook entries, Pictures, Video and us
12. Upgrade > Upgrade Application Now. For further instructions, please refer to the UFED User Manual, chapter 11. NOTE: If the menu options of the UFED Physical Analyzer do not appear, contact Cellebrite support to verify that your UFED and UFED Physical Analyzer licenses are registered correctly. 2.3 Installing the UFED Physical Analyzer Application. 2.3.1 System Requirements: Windows-compatible PC with a Pentium IV or compatible processor running at 1.6 GHz or higher; Microsoft Windows XP with SP1 or later, Microsoft Windows Vista, or Windows 7; Memory: 2 GB RAM; Space Requirements: 500 MB of free disk space for installation; Additional Requirements: Microsoft .NET version 3.5 Service Pack 1. 2.3.2 Software Installation: Insert the UFED Physical Analyzer CD into your computer's optical drive and browse the contents. 2.3.2.1 Installing the UFED Physical Analyzer: 1. Double-click on the setup program to install the UFED Physical Analyzer application. 2. Select the setup language, then click OK to continue. (Figure 6: The UFED Physical Analyzer setup wizard: "Welcome to the UFED Physical Analyzer 2.0 Setup Wizard. This will install Cellebrite UFED Physical Analyzer on your computer. It is recommended that you close all other applications before continuing. Click Next to continue, or Cancel to exit Setup.") 3. Follow the
13. dates and more. RegEx (GREP): Enables searching for strings using Regular Expressions. SMS 7Bit PDU: Enables searching for SMS text strings. Pattern: Enables searching for text patterns in cases in which the pattern of the text is understood but not the text itself; mainly used for 7-bit search to locate SMS messages. Code: Specialized search tool used to find user codes and passwords. (Figure 42: Find dialog modes.) NOTE: The Find modes were built using the Plug-ins architecture. The following find options can be enhanced and extended by adding new search plug-ins developed either by Cellebrite or by the user. 6.3.2 Search Results: If the Find All Instances option was selected for the search, the results will appear in the Search results tab in the analysis information section under the Hex view pane. To make it easier to distinguish between the results of each search performed, different Text and Background colors can be set for each search you run. Search results include the following fields: The number of results (Screenshot residue: a Hex view at offsets 00030110 to 00030140 whose ASCII column reads "image/" followed by a "PK" signature.)
14. 1. While viewing a Hex dump, click on the Find button in the Hex view toolbar. 2. Select the RegEx (GREP) tab. 3. In the expression field, enter the search expression. 4. Set the Max result length value to filter only results that are up to the specified length. (Figure 49: GREP search; the dialog shows an e-mail address regular expression in the expression field, Max result length 50, and a Library entry named Email with the description "Regex Email".) 5. Set the Search direction, Search results window and search colors options. (Options: Search direction: Down; Search results window: New; Colors: Text, Background; Find all instances; Show results comments (slower).) 6. Select Find all instances to display all search results at the end of the process, or deselect it to move through the found items one by one during the search (this can also be done by pressing F3). 7. Click Find. NOTE: The Library list enables you to save the entered regular expression for future use. To save the current expression, click on the Save button. 6.3.9 SMS Text Search: This search method enables you to search for SMS text strings (7-bit PDU) in the Hex dump. (Screenshot: the SMS 7Bit PDU tab of the Find dialog, with Text options Letters only / Numbers only / Both, Allow symbols, Unique results only, Show low match results, Search direction Down, Search results window New.) 1. While viewing a Hex dump, click on the Find
15. 6.3.6 SIM ICCID Numbers Search: This search method enables you to search for SIM ICCID numbers in the Hex dump. 1. While viewing a Hex dump, click on the Find button in the Hex view toolbar. 2. Select SIM from the list at the top of the dialog. 3. Select the ICCID Search option. 4. Enter the ICCID number. If only part of the number is known, select the Allow Partial Match option. For example, entering the number 89972 and selecting this option will search for ICCID numbers provided by an Israeli service provider. (Figure 47: SIM ICCID search; the dialog shows the Code tab with the SIM entry (Name: ICCID), Search parameters: Numbers sample configuration, the Number field and the Allow partial match option, Search direction Down, Search results window New, Show results comments (slower).) 5. Set the Search direction, Search results window and search colors options. 6. Select Find all instances to display all search results at the end of the process, or deselect it to move through the found items one by one during the search (this can also be done by pressing F3). 7. Click Find. NOTE: If the Number field is left empty, the search result will include all the numbers that match the ICCID format. 6.3.7 SMS Numbers Search: This search method enables you to search for SMS numbers in the Hex dump. Search di
16. 1.4.11 Add an Attachment to an Email or MMS:
   a = Attachment()
   a.Filename.Value = "coolimage.jpg"
   a.ContentType.Value = "image/jpg"
   a.Data.Source = MemoryRange               # a MemoryRange object
   # you can also use a file's data by using this syntax:
   a.Data.Source = your_file.Data
   # another trick is using GetSubRange to quickly get only part of a file:
   a.Data.Source = your_file.Data.GetSubRange(your_offset, your_length)
   your_email_or_mms.Attachments.Add(a)     # add the attachment
   1.4.12 Create a new Location: A Location is a GPS coordinate with added information such as the street address, timestamp and others.
   loc = Location()
   loc.Position.Value = Coordinate(34.556, 20.450534)   # lat, long
   loc.RoadPosition.Value = Coordinate(34.558, 20.451)
   addr = StreetAddress()
   addr.City.Value = "Paris"
   addr.Country.Value = "France"
   loc.Address.Value = addr
   loc.Name.Value = "My House"
   loc.Description.Value = "In the middle of the street"
   ds.Models.Add(loc)
   1.4.13 Create a new Journey: A Journey is a name for a list of Locations with some added information about the entire trip. This model is useful for trip logs or track logs as they are saved in some GPS devices.
   j = Journey()
   j.WayPoints.Add(loc)      # loc is a Location object
   j.WayPoints.Add(loc2)
   j.WayPoints.Add(loc3)
   j.WayPoints.Add(loc4)
   j.Name.Value = "Trip 47"
   ds.Models.Add(j)
   1.4.14 Create a new Instant Message:
   m = InstantMessage()
   m.From.Value = "PersonA"
   m.To.Add("PersonB")
   m.To.Add("PersonC")
   m.B
17. Chain Manager window. To display the chains assigned to a specific device: 1. From the Devices section of the Chain Manager list, select All Devices to display a list of all the predefined devices, or a manufacturer name to display a list of the predefined devices of the selected manufacturer. Use the Quick Filter field at the top right of the window to filter the displayed devices. 2. Double-click on a device to display its chains window. The chains window of the device will display at least one chain that was assigned to it. (Figure 65: Selecting a device chain.) 6.5.1.1 Constructing a New Chain. To construct a new chain: 1. In the Chain Manager window, or in the chains list of a specific device, click the New Chain area at the top of the chains list. The New Chain window appears. 2. In the Name field, enter a name for the new chain. 3. In the Description field, enter a short description for the chain (optional). 4. From the Component Library, select a components category: Chains, Plugins or Devices. Device: The entire chain of a specific plug-in. (Figure 66: The New Chain window; the Component Library lists chains such as Binary (run on binary dumps), BlackBerryIPD (Cellebrite's default chain for BlackBerry devices), FSR Chain, FSR Chain CTS, Garmin, Generic FAT (this chain extracts the FAT file system), iPhone, iPhoneBackup and iPhonePhysical.) Cha
18. ID field to generate a Computer ID file, which will be written to your USB disk drive. 3. On the Browse for Folder window, select the USB disk drive or target folder to which the Computer ID file will be saved, and click OK. NOTE: The Computer ID file can either be saved directly to a USB disk drive, if connected, or to any location on your hard drive in case you need to send it to a remote location for Activation Code generation. 4. Save the Computer ID file to the root directory of the USB disk drive. 5. Safely disconnect the USB disk drive from the PC. On your UFED unit: 1. Connect the USB disk drive containing the saved ID file to any of the USB ports on the UFED unit. 2. From the Main Menu on your UFED unit, select Services > Upgrade > PC License > Activate PC License > Upload Key File to read the Computer ID from the USB disk drive. (UFED menu screenshots: Services, Upgrade, PC License, Activate PC License, Upload Key File, with the prompt "Insert USB with the key file".) 3. The UFED unit will display the generated PC Activation Code. Choose Save to USB to save the Activation Code file to the connected USB disk drive. 4. On the Physical Analyzer License window, click the Read from US
19. (Generate Report dialog for the project Samsung GSM_SGH-E790: Report Type HTML/PDF Report (HTML and PDF reports are generated), Report Settings, Report Parameters, Logo Header "Will appear before the logo", output folder My Reports\Samsung GSM_SGH-E790\2011-01-18 12-19-54.) Report Type: The file format of the generated report. Select from HTML, MS Excel spreadsheet (xlsx) or XML. Report Data: Report Dataset: The Analyzed Data and Data Files sections that will be included in the report. Only checked data types will be included in the generated report. Additional Fields: Additional useful information fields added by the user in the Additional Report Fields settings. See Additional Report Fields on page 108. Case File number, Examiner name, Department, Location and Notes are 5 additional default fields, of which the Case File number and Examiner name are set as required fields. You can edit these fields and change their attributes in the report settings. See Additional Report Fields on page 108. Click on the Settings button to jump directly into the Additional Report Fields settings to edit existing fields or add more fields. The changes and new fields will be automatically applied to the open Generate Report dialog when you click Apply, or click OK and return to the Generate Report dialog. Use the Reset button to clear all the information entered in the fields and set them back
20. Run Script (Debug enabled): Enables you to run a pre-written Python script (.py file) in debug mode. Plug-ins menu: Add/Remove Plug-ins: Displays the list of installed plug-ins to enable management of the currently installed plug-ins. See Managing Plug-ins on page 97. Run Plug-in: Allows the user to select a specific plug-in and run it. See Running a Specific Plug-in on page 98. Chain Manager: Displays the Chain Manager window to enable management and creation of device processing chains. See Managing Chains on page 91. Report menu: Generate Report: Generates a report summary of all information found by the analysis process. See Generating Reports on page 57. Help menu: Manual: Launches Adobe Reader (aka Acrobat Reader) and displays the user manual in PDF format. License sub-menu: Enter New License: Enables you to enter a new Activation Code. Show License Details: Displays the current license code validation period and the current Computer ID and Activation Code. Show Dongle Details: When using a hardware license key, displays the details of the currently used dongle. Deactivate: Deactivates the license used to activate the application on the current workstation. See Deactivating a UFED Physical Analyzer License on page 17. About: Provides information about the installed UFED Physical Analyzer application version and its components. 4.3.2 Application T
21. 1.2.10 Viewing data in a textual hex dump 117; 1.2.11 Creating a new file without data 118; 1.2.12 Creating a new file from chunks 119; 1.3 Memory Ranges 120; 1.3.1 Accessing the project Memory Ranges 120; 1.3.2 Reading data from a Memory Range 121; 1.3.3 Creating a new MemoryRange and adding it to ... 121; 1.4 Models 123; 1.4.1 Accessing the Model Store 123; 1.4.2 Counting the amount of SMSes 123; 1.4.3 Print some details about an SMS 123; 1.4.4 Print the SMS Message Field for all SMSes 124; 1.4.5 Create a new SMS Message 125; 1.4.6 Using AddRange to add models quickly 126; 1.4.7 Create a new Call 126; 1.4.8 Create a new Contact 127; 1.4.9 Create a new EMail 128; 1.4.10 Create a new MMS Message 129; 1.4.11 Add an Attachment to an Email or MMS 129; 1.4.12 Create a new Location 130; 1.4.13 Create a new Journey 131; 1.4.14 Create a new Instant Message 131; 1.4.15 Create a new Chat 132; 1.4.16 Create a new Calendar Entry 133; 1.4.17 Create a new ... 133; 1.4.18 Create a new Bluetooth Device 134. Chapter 1: Introduction. 1.1 Overview: The UFED Physical Pro is comprised of two components: The UFED hardware with Physical Extraction module, used to create Physical and/or Logical dumps from mobile devices, which can then be saved to a
22. and concise way, allowing the investigator to use powerful search tools to parse and decode relevant information. As a completing step, the application will allow you to generate reports of your findings and export them in various file formats such as HTML, PDF, Excel (xlsx) and XML. 4.2 Launching the UFED Physical Analyzer Application: To launch the UFED Physical Analyzer application, double-click on the UFED Physical Analyzer desktop shortcut icon, or select Start > Programs > Cellebrite Mobile Synchronization > UFED Physical Analyzer. 4.3 Application Structure Overview: The UFED Physical Analyzer application structure is comprised of the following components: Application Menu (File, View, Tools, Python, Plug-ins, Report, Help); Application Toolbar; Physical Analyzer Project Tree Area; Data Display Area; Search Field. (Screenshot: the Welcome and Extraction Data tabs for a Samsung D500 dump; Extraction Summary: Extraction start date/time 01/06/2009 11:52:31, Unit Version 1.0.0.0; project tree with Memory Ranges, File Systems (KFAT0, Samsung Linked List, Samsung MCU), Analyzed Data (Call Log 3, Contacts 1255, SMS Messages 192, Bookmarks 0), Data files (Images 127, Videos 49, Audio 83, Text 3), Tags and Reports.) D
23. be done by: Using an activation code; Using a hardware license key. (Figure 8: The UFED Physical Analyzer License window. Its text reads: "The product is not yet activated on this computer. To activate it, follow these steps: 1. Enter the Computer ID in the UFED Unit, manually or using a USB drive (Services > Upgrade > PC License > Activate PC License > Manual Key Entry). The UFED Unit will generate a corresponding Activation Code. 2. Copy the activation code to the computer, manually or using a USB drive. Alternatively, you can plug in a dongle if you have one. For assistance activating your software, please contact Cellebrite support." Dongle Status: "Cannot find any plugged-in dongles; please connect one of your PA dongles." A Load license file button is also shown.) To activate the application: 1. Launch the UFED Physical Analyzer application. 2. When launching for the first time, or when using a hardware license key, a license window appears. 2.4.1 Using an Activation Code: A license is required to activate the UFED Physical Analyzer. The UFED Physical Extraction module, which was previously activated, can generate these licenses. NOTE: The number of simultaneously activated copies of the UFED Physical Analyzer application (one license per PC) is restricted according to the purchased UFED Physical Extraction 2.4.1.1 To manually enter the Activation Code: 1. 2.
24. current chain and edit it to suit your needs. To edit the current chain: 1. Click on Customize Chain. The chain structure dialog of the current chain opens and displays the chain. 2. To add a component to the chain: A. Click Add Chain/Plugin. B. From the Component Library, select a components category: Chains, Plugins or Devices. Device: The entire chain of a specific plug-in. Chain: A specific predefined chain. Plugin: A specific plug-in. NOTE: Both Device and Chain are added to the chain as a Chain component. C. Click on the icon at the right of the component line to add it. 3. To remove a component from the chain list, click on the x at the right of the component item, then click Yes to approve. 4. Click OK to return to the Advanced Customization panel. The current chain will be replaced by the customized chain. (Figure 40: Editing the current chain, shown for the device Samsung E790.) 6.1.1.2.3 Saving a Customized Chain: After you customize a chain, you can save the changes made to the chain for future use using the Save As or Save buttons added under the Selected Chain section. NOTE: The Save button is enabled only for customization done on unlocked user-defined chains saved in My Chains. For more information about user-defined chains, see Managing Chains on page 91. To save a customized chain: 1. Click Save (if enabled) to replace the u
25. from which this file is comprised. (Figure 33: File data display in the extracted Hex dump; the project tree shows the JAVA folder of the reconstructed file system, and the Highlights list (365 results) shows the 0x200-byte chunks of JAVA/0001.JAR at offsets 0x652DE80, 0x652E080 and 0x652F280; status bar: Length 0x6B40000, Offset 0x652DE80, Selection 0x0.) Files in the reconstructed file system will display one of the following icons: Existing file found in the file system; Deleted file data found in the file system. 5.5 Browsing the Analyzed Data: The Analyzed Data and Data Files sections of the project tree display data items that were found in the extracted device data during the analysis process. The difference between item types grouped under Analyzed Data and those grouped under Data Files is that Analyzed Data item types are related to phone-specific features such as Contacts, SMS Messages, Call Logs and others, while Data Files item types are data and media files in common or known file formats
26. installation setup wizard prompts.
10. At the end of the installation process you will be prompted to install the HASP USB Key drivers. If you intend to activate the application using a hardware license key (dongle) provided by Cellebrite, check the Install Hasp Dongle Drivers option, then click the Finish button.

Figure 7: HASP Dongle Drivers installation option (the final Setup wizard page, "Setup has finished installing UFED Physical Analyzer 2.0.2.7025 on your computer", with the Launch UFED Physical Analyzer and Install Hasp Dongle Drivers check boxes; the latter can be unchecked if the drivers were installed before)

When finished, if the Launch UFED Physical Analyzer option was checked at the end of the installation process, the application will launch automatically. Otherwise run the application by selecting Start > Programs > Cellebrite Mobile Synchronization > UFED Physical Analyzer, or by double-clicking the UFED Physical Analyzer shortcut added to your desktop if you selected to add it during the installation process.

2.4 Activating the Physical Analyzer application

Activating the UFED Physical Analyzer can
27. new Hex View tab for it in the data display area.

Figure 15: Hex View tab (the hex dump of CTS_298C0000-30400000.bin with its Offset, Hex and ASCII columns; below it the Bookmarks list with Offset, Length and Comment columns, e.g. a bookmark commented "972546592364 This is the 1st sms 16/02/2009 19:03:36 UTC"; the status bar shows Length 0x8400000, Offset 0x4AA5640, Selection 0x0)

4.3.3.4 Memory Ranges

The Memory ranges item of the project tree lists the analyzed memory ranges for each of the me
28. Figure: The HTML Extraction Report opened in Internet Explorer beside the same report in XML form. The XML report starts with a project element (id 104f75cd-56dd-43de-9a40-b386f0b8dfb0, name "Samsung GSM_SGH-E790", reportVersion "2.0b", namespace http://pa.cellebrite.com/report/2.0b) followed by a metadata section "Additional Fields" whose items are wrapped in CDATA. The report Summary lists: 1 project, 4 Connection Type (Cable No. 97), 5 Extraction start date/time (21/07/2009 17:43:04), 6 Selected Device Name (SGH-E790), 7 Selected Manufacturer (Samsung GSM), 8 Unit Identifier (UFED S/N 5526165), 9 Unit Version (1.1.1.0), 10 Image 1 (CTS_298C0000-30400000.bin), 11 Image 2 (MCU_20000000-22000000.bin), 12 Case File number, 13 Department, 14 Examiner name, 15 Location, 16 Master, 17 Notes.
29. should be connected to the right-side Target port. SD card storage media should be inserted in the SD card slot on the left side of the UFED unit. Make sure both are connected and then press the key to start the extraction.

NOTE: When connecting the phone to the UFED unit, some phone models will prompt you to select the connection mode on the phone's display screen. Choose Data Mode, PC or PC Sync mode. The actual selection choice will vary depending on the phone model.

Figure: UFED unit screens (the phone model list, the Select Target screen with USB Disk Drive, SD Card and Display Only, the Source "Connect cable 54" prompt, the Target "Display Only" selection and the resulting "User code 12345" display with the Continue prompt)

When the extraction process is completed, the password information will be displayed on the screen. When the phone has more than one password, multiple passwords will be shown.

Chapter 4: Overview of UFED Physical Analyzer Application

4.2 Introduction

The UFED Physical Analyzer application provides powerful analysis tools for the extracted phone data and simplifies the task of navigating through the phone's data structures. Using the UFED Physical Analyzer application will assist you in the complex tasks of intelligence gathering, investigative research and providing legal evidence in the form of reports. The application is designed to utilize the memory extracted by the UFED unit and presents the phone's hex dump, file system and analyzed data in a clear
30. to their default values.

Report Settings: The logo header, image and footer sections, page breaks, PDF generation and item totals display settings of the report. The default contents and options of these settings are set by the Report Defaults setting of the application (see Report Defaults on page 110). Click on the Settings button to jump directly into the Report Defaults settings to edit the contents and options. The changes will be automatically applied to the open Generate Report dialog when you click Apply, or when you click OK and return to the Generate Report dialog. Use the Reset button to clear all changes made and set the contents and options back to their default values.

Save to: The path and folder name to which the generated report file will be saved. Click the browse button to set a different path. The default target folder name will be constructed from the project name and the date and time it was generated, for example "Samsung GSM_SGH-E790 2011-01-18 12-19-54".

Click Generate to generate the new report.

Note: The Generate button will not be enabled until all the required fields are filled.

When the report generation ends successfully you will be prompted to open the generated report file. The file will be opened using the application associated with the file format installed on the workstation. Once a report has been generated for the project it can be accessed from the Reports section in the project tree. Doub
31. used by devices and computers, such as image, video, audio or text files.

5.5.1 Analyzed Data

Double-clicking on an Analyzed Data group will add a data list tab to the Data Display area listing all items of this type found in the extracted data. The structure and content displayed by the list table will vary according to the selected item type. For the complete list of Analyzed Data item types see Analyzed Data on page 38.

5.5.2 Data Files

Data files are image, video, audio or text files. Additional data files groups will display according to the Data Files settings (see Data Files Settings on page 102).

Double-clicking on any data files group will display the list of the data file items (images, videos, etc.) that were found in the extracted data.

For each of the data file types the table list includes the following fields:
Checkbox: Indicates whether to include (checked) or exclude (unchecked) the item in the generated report.
Del: An icon indicating if the data file was deleted (red x), not deleted (green dot) or has an unknown status (gray dot).
Image: A thumbnail of the image or an icon of the file type.
Name: The file name.
Path: The root path of the data file.
Size: The size of the file.
Metadata: Additional metadata of the data file.
Created: The creation time stamp of the data file.
Modified: The modification time stamp of the data file.
Accessed: The last access time stamp of the data file.
32. where supported.

Figure 11: Project Tree (showing Contacts (1255), SMS Messages (192), the Data files branch with its Images, Videos, Audio and Text groups, and the Tags and Reports items)

By opening the Analyzed data or Data files sub-trees you can drill down into the tree structure to search for specific information. Double-clicking on any of the lower-level nodes will display the relevant information viewer in the Data Display area.

Overview

Each extraction file you open will add a project at the bottom of the Project Tree. Every branch in the Project Tree can be expanded or collapsed by clicking the [+] or [-] icons. In addition, the entire tree can be fully expanded or collapsed by clicking the expand-all or collapse-all buttons at the top of the tree section.

4.3.3.1 Extraction Data

Double-clicking the Extraction data item will display its tab in the Data Display area. The Extraction data tab displays the following information:
Device Information: Information related to the device extraction.
Image Hash Information: Verification of the logged hash values of the extracted memory dump against the hash values of the parsed images. See Hash Verification on page 70.
Device Info: A summary of the specific device info pulled from the extracted data. See Device Info on page 34.
Device Content: Analyzed content separated into:
- Phone Data: The types of analyzed phone data found in the extracted memory dump, such as Call Log, Contact
33. Figure 21: Data Files section (the Videos group with 001.3gp, 002.3gp and 003.3gp, the Audio group with its .amr, .mid and .midi files, and the Text group with its .txt files)

4.3.3.8 Tags

When the extracted data is processed, certain file types are identified and are tagged accordingly.

NOTE: The four default tags are Image, Text, Audio and Video, and files that were identified and tagged by each of them will also show up under the Data files section.

You can use plug-ins or the Python shell to look for additional data segments and tag them with one of the existing tags, or log them under a new branch in the Tags section by applying a custom tag to them.

NOTE: Deleted items appear with the deleted-item icon.

Double-clicking a tagged item will take you to its file item under the File systems item.

4.3.3.9 Reports

Double-clicking a report item listed under Reports will display the report file generated for the project using the application associated with the report format (i.e. Internet Explorer for an HTML report). If a report has not yet been generated for this project, the Generate Report dialog will be displayed, prompting you to generate one.

Figure: The Tags section of the project tree (the Audio tag listing the same .amr, .mid and .midi files as the Data files section, and the Image tag listing 001.jpg to 004.jpg)
34. Figure 29: The contents search quick results list (matching Contacts with their Mobile and Home entries, and matching MMS and SMS items with their sizes in bytes and the KFAT0 file system they were found in)

5.2.2 The Results Tab

Selecting Show All from the top of the quick results list will display a Results tab in the Data Display area listing all the matching search results. The matching string in each found item will be colored in red. As in the quick results list, the Results tab list will display the found items sorted according to type categories (for example SMS Messages, each shown with its Folder, Parties, Identifier and SMSC fields).

To make it easier to scroll through the results, click on the small triangle at the left of each sorting category header to collapse or expand the items list of the category, thus shortening the list and limiting the display.
35. Figure: The XML report and the Excel report side by side. The XML report continues the metadata sections (Unit Identifier "UFED S/N 5526165", Unit Version "1.1.1.0", Selected Manufacturer "Samsung GSM", Selected Device Name, Connection Type "Cable No. 97"), then an images element with image key="CTS" path="CTS_298C0000-30400000.bin" size="112459776" type="File" and image key="MCU" path="MCU_20000000-22000000.bin" size="33554432" type="File", followed by decodedData with a modelType type="SMS" element whose model has an id and TimeStamp field. The Excel report (report.xlsx, opened in Microsoft Excel) shows the Contacts (499) sheet with Name, Entries, Value, Source and Deleted columns, and a Summary sheet listing Case File number, Department, Examiner name, Master, Notes, Image 1 and Image 2.
36. Figure 62: Highlighted data chunks (the Highlights list showing the 0x200-byte chunks of Del_Img2.jpg with their offsets, e.g. 0x5990D00, 0x5990F00, 0x5991100 and 0x5991300; 25 highlight results and 470 search results; status bar Length 0x6B40000, Offset 0x6711210, Selection 0x0)

Figure 63: Info Frame

6.5 Chains

A chain is a set of plug-ins grouped together which is used to process the extracted data of a device. Each device in the supported devices list of the application has a predefined parsing chain assigned to it. As part of its building blocks, a chain can also include other predefined chains.

6.5.1 Managing Chains

The Chain Manager enables you to:
- Manage and edit existing chains
- Create new chains

To manage the application chains, select the Chain Manager button in the application toolbar.

The Chains section of the list on the left enables you to filter the displayed chains list. Select My Chains to display only the custom chains you constructed, or All Chains to display a list of all the predefined chains. Use the Quick Filter field at the top left of the window to filter the displayed list of chains.

Figure 64: The
37. 6.4.4 Redirecting the Offset ... 86
6.4.5 Bookmarks ... 87
6.4.6 Values Tab ... 89
6.4.7 [heading illegible] ... 90
6.4.8 Info Frame ... 90
6.5 Chains ... 91
6.5.1 Managing Chains ... 91
6.6 Plug-ins ... 97
6.6.1 Managing Plug-ins ... 97
6.6.2 Running a Specific Plug-in ... 98
6.6.3 Getting Plug-ins ... 98
6.7 [heading illegible] ... 100
6.8 Exporting the File System ... 100
Chapter 7 General Settings ... 101
7.1 General ... 101
7.2 Data Files ... 102
7.2.1 Data Files Filtering Methods ... 103
7.2.2 Managing Data Files Settings ... 104
7.3 Hex Viewer ... 106
7.4 Models ... 107
7.5 Reports ... 108
7.5.1 Additional Report Fields ... 108
7.5.2 Report Defaults ... 110
Appendix A Using Python in the Physical Analyzer ... 112
1.1 Accessing the data store ... 112
1.2 File Systems, Files and Directories ... 112
1.2.1 Listing the current file systems ... 112
1.2.2 Get a specific file system by name ... 113
1.2.3 Go over all files in a file system recursively ...
1.2.4 Get a specific file by path ... 114
1.2.5 Print some information about the file ... 114
1.2.6 List all files in a directory ... 115
1.2.7 Searching for files with a regular expression ... 115
1.2.8 Find out if a node is a file or a directory ... 116
1.2.9 Reading data from a
38. browse button next to the Activation Code field. On the Browse for Folder window, select the USB disk drive or target folder to which the Activation Code file was saved and click OK. The Activation Code will load into the field. Click Activate. Your UFED device and Physical Analyzer application are now both ready for use.

2.4.2 Using a Hardware License Key

You can also use a HASP hardware license key (dongle) provided by Cellebrite as part of your UFED system to activate the locally installed copy of UFED Physical Analyzer.

NOTE: Using a hardware license key provides you with a mobile license, enabling you to take your license on the road and use it to activate a copy of the UFED Physical Analyzer application wherever you are.

To activate the UFED Physical Analyzer application using a hardware license key:
1. Connect the hardware license key to a USB port on your computer.
NOTE: The HASP dongle drivers must be installed in order to use a hardware license key. If the drivers were not installed during the software installation process, you can run the installation process again (see Installing the UFED Physical Analyzer on page 10) and select the Install Hasp Dongle Drivers option at the end of the process.
2. After the key is recognized by the operating system, the application will be able to read the license and allow you to continue. Your UFED Physical Analyzer application is now ready for use.

2.5 Deactivating a UFED Physical Analyzer License

39. In cases where a UFED Physical Analyzer installation activated by an Activation Code needs to be moved to another PC, or cleanly installed on the same PC, you must first deactivate (remove) the license from the computer. The license should be reloaded into your UFED device for re-use on a different PC or for a clean install on the same PC.

To deactivate the PC license, perform the following steps:
1. Launch the UFED Physical Analyzer application.
2. From the UFED Physical Analyzer menu select Help > License > Deactivate.
3. Click the Deactivate button to deactivate the PC license. A Browse for Folder window will appear.
4. Select the target folder in which to save the deactivation key, then click the OK button. The system will open a new window showing the deactivation key.
5. On the UFED unit, select Services > Upgrade > PC License > Remove PC License from the main menu.

Figure: The UFED unit's Upgrade menu (Upgrade Application, Upgrade Image, Settings, PC License Information, Activate PC License, Network Settings)

10. Select either Manual Key Entry to enter the license manually or Upload Key File to upload it from a USB disk drive. If Manual Key Entry was selected, enter the deactivation key using the directional keypad and select F3. If Upload Key File was selected, connect the USB disk drive to any of the UFED USB ports, then press the key to continue.
40. Extract Plugin button. To remove an installed plug-in, select the plug-in and click the Uninstall button.

NOTE: You cannot extract or uninstall a built-in plug-in of the application.

To display the plug-in status, double-click on the plug-in. The Plug-in Status dialog will display the status of the plug-in, which can be either signed or unsigned. A signed plug-in is a plug-in that was approved and signed by Cellebrite.

Figure 68: The Plug-in Status dialog of a signed and an unsigned plug-in (signed: "BlackBerryIPDCallLog 2.0, by Cellebrite. This is an internal Cellebrite plug-in"; unsigned: "Nokia SMS Experimental 1.0, by John Doe. This plugin is unsigned and should only be used by developers")

6.6.2 Running a Specific Plug-in

The Run Plug-in window enables you to individually run an installed plug-in on your project. To open the Run Plug-in window, select Plug-ins > Run Plug-in. To run a specific plug-in, select it from the list of plug-ins and click Run.

6.6.3 Getting Plug-ins

To get additional plug-ins:
1. Using your Cellebrite user name and password, log in to the Cellebrite Community website at community.cellebrite.com.
NOTE: You must first have a registered UFED unit and license (see Activating the UFED Physical Extraction Module on page 4).
2. Get new or updated plug-ins.

Figure: The Cellebrite Community website home page opened in Internet Explorer
41. NOTE Image files can be displayed either in Table view or Thumbnail view using the two display option tabs at the top of the flles list display pane Double clicking on an item record table row will add a Hex Viewer tab with the Hex data of the selected file to the Data Display area 56 5 6 Generating Reports You can generate a summary report of all information found in the physical dump by Selecting Report gt Generate Report from the application menu Clicking the Generate Report button in the top right corner of the Welcome tab If a report was not previously generated double clicking on Reports section in the Project Tree Using any of these methods will display the Generate Report dialog where you are prompted to provide the following information Report For Project A list of the currently opened projects Select the project for which the report will be generated E Generate Report Repot For rcject Samsung GSM_SGH E790 Repot Tyse HTML PDF Report HTML and PDF reports ere generated Report Data Report Dataset Report Settings j Contacts 499 Video 74 SMS Messages 5 Audio 39 Image 86 Additional Fields Case File number Required Examiner name Required Department Location Master Snee My Reports Samsung GSM_SGH E790 2011 01 18 12 19 54 Cancel Figure 34 The Generate Report dialog 3 Generate Report
42. Figure 43: Typical String search results (the Hex view with the matching string "Image/0.png" highlighted, and the Search results list below it with 53 results and Offset, Length, Value and Comment columns, the first result at offset 0x30150)

Offset: The address offset of the found data in the HEX dump.
Length: The string length in bytes.
Value: The string itself.
Comment: The file name, number and the location of the result in the Hex dump. When empty, the found data is in the unallocated area.

Clicking on any of the search results will display the item in the Hex view. The Find field above the results list filters the search results by searching for specific data within the Find results.

6.3.3 Strings Search

Searching for strings enables you to locate different types of data in the Hex dump, e.g. text messages, phone numbers, names or any other type of string data.

Figure: The Strings Search window (the Find, RegEx, GREP, SMS 7Bit PDU, Pattern and Code tabs; the Options ASCII (1 byte per character), Unicode (2 bytes per character) and 7 bits per character; and the "Show results comments (slower)" check box)

1. While viewing a Hex dump, click on the Find button in the Hex view toolb
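The three character encodings listed above decide whether a search hits at all: the same message stored as ASCII, as Unicode and as a packed 7-bit SMS PDU produces three different byte patterns, and an ASCII-only search finds just one of them. The following stand-alone script is an added example written for this page, not code from the manual or from Cellebrite; the sample dump, its offsets and the helper names are constructed for the example.

```python
# Added example (not part of the manual or of Cellebrite's code): a stand-alone
# illustration of the three string encodings the Strings Search dialog offers
# (ASCII, Unicode, 7-bit SMS PDU) and why a plain ASCII search can miss text.
# The sample dump below is constructed for this example; all offsets are made up.


def gsm7_pack(text, shift=0):
    """Pack `text` as GSM 7-bit septets, the first one starting at bit
    `shift` (0..6) of the first byte, as in an SMS PDU user-data field.
    Returns (packed_bytes, mask_bytes); a mask bit is 0 where that bit of
    the byte belongs to data before or after `text` and is therefore unknown.
    Only characters whose GSM default-alphabet code equals their ASCII code
    (letters, digits, space and basic punctuation) are handled here."""
    bits = 0
    nbits = shift                       # leading bits belong to the previous septet
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits
        nbits += 7
    nbytes = (nbits + 7) // 8
    packed, mask = bytearray(), bytearray()
    for i in range(nbytes):
        packed.append((bits >> (8 * i)) & 0xFF)
        m = 0xFF
        if i == 0:
            m &= (0xFF << shift) & 0xFF        # low bits of first byte are unknown
        if i == nbytes - 1 and nbits % 8:
            m &= (1 << (nbits % 8)) - 1        # high bits of last byte are unknown
        mask.append(m)
    return bytes(packed), bytes(mask)


def find_all(data, pattern):
    """All offsets at which `pattern` occurs in `data` (overlaps allowed)."""
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def masked_find(data, pattern, mask):
    """Offsets where `data` matches `pattern` on the bits selected by `mask`."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all((data[i + j] & mask[j]) == (pattern[j] & mask[j])
                   for j in range(n))]


def search_dump(dump, text):
    """Search `dump` for `text` in each encoding and return
    (encoding, offset, length_in_bytes) tuples, mirroring the Offset and
    Length columns of the search results list."""
    results = []
    for off in find_all(dump, text.encode("ascii")):          # 1 byte per character
        results.append(("ASCII", off, len(text)))
    utf16 = text.encode("utf-16-le")                            # 2 bytes per character
    for off in find_all(dump, utf16):
        results.append(("Unicode", off, len(utf16)))
    for shift in range(7):                                      # 7 bits per character:
        packed, mask = gsm7_pack(text, shift)                   # try every septet alignment
        for off in masked_find(dump, packed, mask):
            results.append(("7-bit", off, len(packed)))
    return results


# Constructed sample "dump": the same message stored three ways.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Please call"                       # ASCII copy at offset 16
    + b"\xff" * 5
    + "Please call".encode("utf-16-le")    # Unicode (UTF-16LE) copy at offset 32
    + b"\x00" * 4
    + gsm7_pack("Please call")[0]          # 7-bit packed copy at offset 58
    + b"\x00" * 8
)

if __name__ == "__main__":
    for enc, off, length in search_dump(SAMPLE_DUMP, "Please call"):
        print(f"{enc:8s} offset=0x{off:X} length=0x{length:X}")
    # An ASCII-only search sees just one of the three copies:
    print("ASCII-only hits:", find_all(SAMPLE_DUMP, b"Please call"))
```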
43. Figure 53: Hex view (the hex data of the selected file with the Highlights list, showing Offset, Length and Comment columns, below it)

6.4.3.2 Image View

To display the image, select the Image view tab. The Image view controllers on the left provide the following functions:
- Navigation
- Zoom In
- Zoom Out
- Zoom Slider
- Zoom to Fit
- Reset View
- Rotate Left
- Rotate Right
- Show/Hide Controller

Figure 54: Image view
Figure 55: The Image view controllers

6.4.3.3 File Info

Click the File Info tab to display information about the data file. The File Info list includes the following information sections:
FAT: The file system information of the file.
Date & Time: Created, Modified and Last Access time stamps of the data file.
General: The file Size in bytes and the number of file system Chunks of which the data file is comprised.
Offsets: The offset addresses of the data file in the HEX dump.
EXIF: The embedded EXIF info
44. Figure 20: Analyzed Data display tables (the SMS Messages (192) table with Parties (To/From) and Message columns, and a Contacts table with an Entries column listing the phone numbers of each contact)

4.3.3.7 Data Files

The Data files item of the project tree provides access to the files that were found in the extracted data, filtered according to the following file types:
Images: Files that were recognized as image file formats.
Videos: Files that were recognized as video file formats.
Audio: Files that were recognized as audio file formats.
Text: Files that were recognized as text file formats.

NOTE: Deleted items appear with the deleted-item icon.

Note: New Data File groups for other common file types can be created according to the Data Files setting. See Data Files Settings on page 102.

Double-clicking on each of the filtering groups will display a list of the parsed items in the data display area. In addition, the tree view can be expanded to allow access to individual files. See Working with Data Files on page 82.

Figure: The Data files branch of the project tree (Images listing 001.jpg to 004.jpg, followed by the Videos group)
45. UFED unit, or you don't have the .ufd file that accompanies them, you can use the Open Advanced feature to define how to parse them for the new project.

The Start without a UFD file option provides you with two starting points for your new project:
Select Device: Enables you to select the specific device definition that will be used to parse the extracted or specified data. This option is useful when the device manufacturer and model are known to you.
Blank Project: Provides you with an empty Advanced Customization panel to set your process parameters and data. This option is useful when you have no information about the device and/or manufacturer and would like to construct a custom parsing process.

6.1.2.1 Starting with Device Selection

To create a new project for extracted data based on a known device:
1. Click the Select Device button.
2. From the Select Device list select the desired device. Use the list of manufacturers on the left to filter the displayed devices by manufacturer, and the Quick Filter field to filter the displayed devices.
3. Click Next. The Advanced Customization panel will display with the name and default parsing chain of the selected device.
4. To select a different device, see Specifying a Different Device on page 63.
5. To select a different parsing chain, see Selecting a Different Chain on page 64.
6. To customize the parsing chain, see Ed
46. Figure 35: Typical HTML, Excel and XML reports (the HTML report's Audio table listing .mp3 files with their sizes and paths, the XML report's PartyRole and PartyStatus fields, and the report tabs Summary, Contacts, SMS Messages, Tagged Files and Images)

Chapter 6: Physical Analyzer Advanced Use

6.1 Using the Advanced Opening Feature

The Open Advanced feature enables you to open projects in advanced mode, where you can specify the system dumps and parsing options. Selecting File > Open Advanced, or clicking the Open Advanced button in the application toolbar, displays the Open Advanced dialog, enabling you to set the process of parsing the extracted data for your new project.

The Open Advanced dialog enables you to select from two main project opening methods:
Select a UFED extraction: Enables you to specify how to parse the extracted or specified data of a UFED extraction file (.ufd).
Start without a UFD file: Enables you to start a
47. USB disk drive, SD memory card or directly to your PC.
- The UFED Physical Analyzer (PA) PC application, which provides an in-depth physical memory analysis of the extracted mobile phone data: phonebook contents, SMS messages, call logs, image files, video files, audio files and more. The Physical Analyzer also serves to generate comprehensive and verified evidence reports of relevant data extracted and analyzed from the mobile device.

The UFED PA work flow consists of two steps:
- Physical memory extraction via UFED hardware
- Data analysis via PC Physical Analyzer

Physical Memory Extraction

The UFED's physical memory extraction function provides the most comprehensive access to mobile device data, including deleted and hidden information as well as access to phone passwords. Unlike the logical extraction process, the physical extraction bypasses the phone's operating system, acquiring the data directly as an image from the phone's internal flash memory. The phone memory is captured into a hex dump file (or files, depending on the memory structure of the specific phone) which can later be analyzed and decoded using the UFED Physical Analyzer (PA) application.

Data Analysis

The UFED Physical Analyzer software allows the investigator to perform in-depth analysis of the extracted data and generate reports. The UFED PA application provides the following key features:
- Analysis of the hex dump with a layered view of memory content
- Provi
48. Figure 60: Bookmarked data segment (the Highlights list showing 18 results)

Clicking on any bookmark item in the Bookmarks list will automatically display it in the Hex view. A toolbar at the top of the Bookmarks section provides the following functions:
Add Bookmark: Bookmark the selected data segment.
Edit Bookmark: Edit the selected bookmark parameters.
Remove Bookmark: Delete the selected bookmark.
Export to Excel: Export the bookmarks list to a Microsoft Excel spreadsheet (.xlsx).
Export to CSV: Export the bookmarks list to a CSV file.
Export to HTML: Export the bookmarks list to an HTML file.
Export to XML: Export the bookmarks list to an XML file.

Each bookmark displays the following information:
Offset: The address offset of the bookmarked paragraph in the HEX dump.
Length: The bookmarked data segment length.
Description: The bookmark name.

6.4.6 Values tab

A user can decode the raw data to a variety of encoding types, which can be expanded in the Values list. This enables the user to decode the selected data segment on the fly, in real time.
1. To access the Values tab, click on the Values tab at the bottom section of the Hex view.
2. Select a data segment in the Hex view.
3. To display the decoded data, scroll to the desired encoding, then click on the [+] icon next to it to expand the display. Some encoding options, like 16 Bit, have sub-encoding types.

NOTE: You can fully expand or collapse al
49. a MemoryRange with a name and children. It can therefore exist in the Memory Ranges section of the project. To add a MemoryRange to a project you must first create a MemoryNode from it:

>>> mr = MemoryRange(chunks)
>>> mn = MemoryNode("MyNode", mr)
>>> ds.MemoryRanges.Add(mn)

You can also create a MemoryNode directly with a name and a list of chunks:

>>> mn = MemoryNode("MyNode", chunks)
>>> ds.MemoryRanges.Add(mn)

Creating file data from MemoryNodes or MemoryRanges works the same as creating file data from other files:

cts = ds.MemoryRanges["CTS"]                 # get our memory range out
chunks = []
chunks.append(Chunk(cts, 1048576, 65536))    # take 64k from offset 1MB
chunks.append(Chunk(cts, 0x18E0000, 32))     # take 32 bytes from 0x18E0000
new_file.Data = MemoryRange(chunks)          # set the file's data

A shorthand for getting just part of a MemoryRange into a new MemoryRange is GetSubRange:

>>> second_kb = original.GetSubRange(1024, 1024)    # offset, length

1.4 Models

The Physical Analyzer application introduces the concept of Models. SMS messages, Calls, Contacts and the like are all models. All the models are based on the same logic, so what works for SMS messages works also for Contacts and Calls. Also, in the future it will be possible to add new user-defined models.

1.4.1 Accessing the Model Store

>>> ds.Models
ModelStore: Call <3 items> ...
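The MemoryRange, Chunk and GetSubRange passage above, together with the Chunks and Offsets entries of the File Info tab, describes how a logical file is stitched from scattered runs of the dump. The stand-alone model below is an added example written for this page, not the application's own classes or API; the class and method names and the constructed image are hypothetical and exist only to make the offset mapping visible.

```python
# Added example (not part of the manual or of Cellebrite's code): a
# stand-alone model of the Chunk / MemoryRange / GetSubRange idea, so the
# mapping from a logical file offset to physical dump offsets (the Chunks
# and Offsets shown in the File Info tab) can be followed in plain Python.
# Class and method names are hypothetical, not the Physical Analyzer API.


class Chunk:
    """A contiguous run of `length` bytes starting at `offset` in `source`
    (a bytes-like memory image)."""

    def __init__(self, source, offset, length):
        if offset < 0 or length <= 0 or offset + length > len(source):
            raise ValueError("chunk lies outside the source image")
        self.source, self.offset, self.length = source, offset, length


class MemoryRange:
    """A logical byte stream stitched from chunks that may be scattered
    across the image (for example the fragments of a deleted file)."""

    def __init__(self, chunks):
        self.chunks = list(chunks)

    def __len__(self):
        return sum(c.length for c in self.chunks)

    def _pieces(self, offset, length):
        """Yield (chunk, physical_offset, piece_length) for the part of each
        chunk that falls inside logical [offset, offset + length)."""
        if offset < 0 or length < 0 or offset + length > len(self):
            raise ValueError("range lies outside the memory range")
        pos = 0                           # logical offset where this chunk starts
        for c in self.chunks:
            start = max(offset, pos)
            end = min(offset + length, pos + c.length)
            if start < end:
                yield c, c.offset + (start - pos), end - start
            pos += c.length

    def read(self, offset=0, length=None):
        """Return the bytes of logical [offset, offset + length), crossing
        chunk boundaries transparently."""
        if length is None:
            length = len(self) - offset
        out = bytearray()
        for c, phys, n in self._pieces(offset, length):
            out += c.source[phys:phys + n]
        return bytes(out)

    def get_sub_range(self, offset, length):
        """Counterpart of GetSubRange(offset, length): a new MemoryRange over
        the same physical bytes, with chunks clipped to the requested span."""
        return MemoryRange(Chunk(c.source, phys, n)
                           for c, phys, n in self._pieces(offset, length))

    def physical_offsets(self):
        """(offset, length) pairs in the image, like the File Info Offsets list."""
        return [(c.offset, c.length) for c in self.chunks]


# Constructed 4 KiB image in which every byte equals its offset modulo 256,
# so it is easy to see which physical bytes a read actually touched.
IMAGE = bytes(range(256)) * 16

# A "deleted file" reassembled from two non-adjacent fragments of the image:
# 0x200 bytes at 0x200 followed by 0x100 bytes at 0x900 (values made up).
DELETED_FILE = MemoryRange([Chunk(IMAGE, 0x200, 0x200), Chunk(IMAGE, 0x900, 0x100)])

if __name__ == "__main__":
    print("logical length:", hex(len(DELETED_FILE)))
    # 32 bytes straddling the boundary between the two fragments
    print(DELETED_FILE.read(0x1F0, 0x20).hex())
    straddle = DELETED_FILE.get_sub_range(0x1F0, 0x20)   # like original.GetSubRange(offset, length)
    print("physical offsets:", [(hex(o), hex(n)) for o, n in straddle.physical_offsets()])
```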
50. …acted data, excluding duplicates. Expanding any of the Analyzed Data item groups by clicking the [+] icon next to it will reveal a second-level sorting of the logged items according to type or folder. Clicking the [-] icon will collapse the second-level sorting. For example, SMS Messages will be sorted according to the sorting folders used by the messaging feature of the phone, such as Drafts, Inbox, Outbox, Sent, etc.
Double-clicking on each of the item type groups or second-level sorting groups will display a detailed table of all its items in the data display area. The structure and information displayed by the table will vary according to the selected item type.
Selecting any analyzed data category will automatically add it to the highlights list of the displayed binary image and/or memory range it belongs to (located at the bottom of the Hex view tab) and will highlight its data range portions in the displayed data.
(Screenshot residue: a Call Log table view with Del, Type, Party, Timestamp, Duration and Name columns, and a Contacts table view with Del, Name and Entries columns.)
51. …any_smses

    >>> len(smses)
    1356
    >>> # Now we'll add all the SMSes at once
    >>> ds.Models.AddRange(smses)

1.4.7 Create a new Call

    c = Call()
    c.Party.Value = "03453552234"
    c.Type.Value = CallType.Outgoing
    # There's also TimeStamp and Duration
    ds.Models.Add(c)

1.4.8 Create a new Contact

    n = Contact()
    n.Name.Value = "Jack Johanson"
    n.Entries.Add(PhoneNumber("123123", "Home"))        # "Home" is the category
    n.Entries.Add(EmailAddress("jack@example.com", "Office"))
    # Mark as deleted
    n.Deleted = DeletedState.Deleted
    ds.Models.Add(n)

1.4.9 Create a new Email

    # MMS messages have the same fields; just create an MMS object
    e = Email()
    e.From.Value = "Alfred Vogel <alfred@vogel.com>"
    e.To.Add("jim@jimmers.com")
    # Multiple To, Cc and Bcc are possible
    e.To.Add("jamest@abc.com")
    e.Cc.Add("thomasr@abc.com")
    e.Bcc.Add("contact@more.com")
    e.Subject.Value = "An Important Email from Alfred"
    e.Body.Value = "You're invited to Alfred's party"
    e.Priority.Value = MailPriority.High
    # set the timestamp to Feb 1, 2009 at 10:50:30 AM
    e.TimeStamp.Value = TimeStamp(DateTime(2009, 2, 1, 10, 50, 30))
    ds.Models.Add(e)

1.4.10 Create a new MMS Message
MMS messages are very similar to e-mails. Therefore, to make things easier, e-mails and MMS behave the same way in the PA world. Just create an MMS object instead of an Email object and fill in the fields in the same way.
1.4.11
52. …ar Search parameters
2. Select String from the list at the top of the dialog.
3. Check the type of text encoding to search for the given string: ASCII; UNICODE (mainly for non-Latin characters); 7 bits (mainly for SMS text).
4. Enter the search string in the Term field.
5. Select the Case sensitive option if necessary.
6. Set the Search direction, Search result window and search colors options.
7. Select Find all instances to display all search results at the end of the process, or deselect it to move through the found items one by one during the search (this can also be done by pressing F3).
8. Click Find.
Figure 44: String search.
6.3.4 Bytes Search
Searching for bytes enables you to look for specific byte occurrences in the Hex dump. This is especially useful when the identifying header of a file type, or of the information you are looking for, is known. For example, the starting Hex bytes of a JPG image are FF D8 FF. Therefore, the result of searching for FF D8 FF will provide us with the locations of all possible JPG image headers in the Hex dump.
1. While viewing a Hex dump, click on the Find button in the Hex view toolbar.
2. Select Bytes from the list at the top of the dialog and select the Hex option.
Figure 45: Bytes search.
In the B…
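The Bytes search above is, in effect, a byte-signature scan over the dump. The following is an added example (it is not code from the Cellebrite manual or from UFED Physical Analyzer) that does the same thing outside the tool: it takes a hex term such as "FF D8 FF", finds every offset where those bytes occur in a constructed sample dump, and labels what follows each JPEG header candidate. The function names, the sample dump and the APP-segment table are this example's own assumptions.

```python
"""Byte-signature search over a memory dump.

Added example for this page; not code from the Cellebrite manual or from
UFED Physical Analyzer. It reproduces what the Bytes search does: take a hex
string such as "FF D8 FF", find every offset where those bytes occur in a
dump, and report them. Names (find_bytes, jpeg_headers, SAMPLE_DUMP) are this
example's own.
"""

# Constructed sample dump: filler, a JPEG header carrying an Exif (APP1)
# segment, a near miss (FF D8 FE) that must not match, and a second JPEG
# header carrying a JFIF (APP0) segment.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00"   # offset 16: SOI + APP1 (Exif)
    + b"\x00" * 8
    + b"\xff\xd8\xfe"                          # offset 36: near miss, not SOI
    + b"\x00" * 5
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"      # offset 44: SOI + APP0 (JFIF)
)

# Marker byte that follows the FF D8 FF start-of-image sequence in common files.
_APP_SEGMENTS = {0xE0: "APP0 (JFIF)", 0xE1: "APP1 (Exif)"}


def parse_hex_term(term):
    """Turn the term as typed in the dialog ("FF D8 FF" or "FFD8FF") into bytes."""
    cleaned = term.replace(" ", "").replace(":", "")
    if len(cleaned) % 2 != 0:
        raise ValueError("hex search term must have an even number of digits")
    return bytes.fromhex(cleaned)


def find_bytes(dump, pattern):
    """Return every offset at which `pattern` occurs in `dump`.

    The search resumes one byte after each hit, so overlapping occurrences
    (e.g. "AA AA" inside "AA AA AA") are all reported, as a hex editor would.
    """
    if not pattern:
        raise ValueError("empty search pattern")
    offsets = []
    pos = dump.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = dump.find(pattern, pos + 1)
    return offsets


def search_hex(dump, term):
    """Hex term in, list of (offset, zero-padded hex offset) out."""
    return [(off, "0x%08X" % off) for off in find_bytes(dump, parse_hex_term(term))]


def jpeg_headers(dump):
    """Locate candidate JPEG headers (FF D8 FF) and label the segment that follows.

    A hit only means "looks like a JPEG start"; the analyst still validates the
    candidate (for instance by viewing it) before treating it as a recovered image.
    """
    results = []
    for off in find_bytes(dump, b"\xff\xd8\xff"):
        marker = dump[off + 3] if off + 3 < len(dump) else None
        results.append((off, _APP_SEGMENTS.get(marker, "unknown segment")))
    return results


if __name__ == "__main__":
    for off, label in jpeg_headers(SAMPLE_DUMP):
        print("JPEG header candidate at 0x%08X: %s" % (off, label))
```

The near-miss sequence in the sample shows why the search term should be as long as the format allows: searching for "FF D8" alone reports the stray FF D8 FE as well, while "FF D8 FF" reports only the two real headers.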
53. …ata Files
Figure 9: Application structure overview.
4.3.1 Application Menu
The application menu provides access to the following menus, commands and functions:
File menu
• Open: Select and open a file for analysis using the standard analysis process.
• Open Advanced: Select and open a file for analysis using the advanced analysis process. See Using the Advanced Opening Feature on page 61.
• Recent: Displays a list of the recent projects.
• Close: Closes the currently active project.
• Exit: Closes the application and all active projects.
View menu
• Show Welcome Screen: Displays the Welcome screen. See The Welcome tab on page 42.
• Trace Window: Show/hide the trace panel at the bottom of the data display area.
Tools menu
• Dump File System: Exports and saves the parsed file system to actual files and folders in a directory structure. See Exporting the File System on page 100.
• Read Data from UFED: Extract phone data directly to the computer.
• Dump GPS/Mass Storage Device: Reads and saves data from GPS and mass storage devices connected to the workstation via USB connection.
• Settings: Access to the application settings window. See General settings on page 101.
Python menu
• Python Shell: Opens the Python Shell window for user-customized analysis using Python commands. See Using the Python Shell on page 100.
• Run Script: Runs a pre-written Python script (.py file).
…
54. … 30
4.3.3 … 31
4.3.4 Data Display Area …
Chapter 5 Physical Analyzer Basic Use
5.1 Opening File for Analysis
5.2 Searching for Information in the Project
5.2.1 The Quick Results List
5.2.2 The Results Tab
5.3 Browsing the Hex Dump
5.4 Browsing the File System
5.5 Browsing the Analyzed Data
5.5.1 …
Chapter 6 Physical Analyzer Advanced
6.1 Using the Advanced Opening Feature
6.1.1 Advanced Opening of a UFED Extraction File
… (sub-entries not recoverable)
6.1.2 Advanced Opening of a non-UFED … 67
6.1.3 Saving a UFD File 69
6.2 Hash Verification 70
6.3 Searching for Information in the Hex Dump 71
6.3.1 Search Modes 71
6.3.2 Search Results 72
6.3.3 Strings Search 73
6.3.4 Bytes Search 74
6.3.5 Dates Search 75
6.3.6 SIM ICCID Numbers Search 76
6.3.7 SMS Numbers Search 77
6.3.8 Regular Expression (GREP) Search 78
6.3.9 SMS Text Search 79
6.3.10 … 80
… 81
6.4 … Data Files 82
6.4.1 Accessing Data Files 82
6.4.2 Data File Pointers 82
6.4.3 Data Display Modes …
55. …ct a tag name from the list.
To delete an existing data file record:
1. Select the Data File row in the Data Files settings.
2. Click on the delete button to delete the selected data file row.
To edit an existing data file record:
1. Select the Data File row in the Data Files settings.
2. Go through the different fields and make the necessary changes.
7.3 Hex Viewer Settings
The Hex Viewer settings enable you to control the display options of Hex dumps, to suit personal preference and enhance readability. The following settings are available:
• Show address: Show/hide the line numbers column of the Hex Viewer.
• Show ASCII view: Show/hide the ASCII view column of the Hex Viewer.
• Draw separation lines: Show/hide the separation lines between the address, Hex data and ASCII view columns.
• Display 0x00 and 0xFF string data as space: Set the string data to display both 0x00 and 0xFF characters as a space inst…
(Screenshot residue: Hex Viewer settings dialog with Show address, Base format for selection, Draw separation lines, Display 0x00 and 0xFF string data as space, font Courier New, and Color settings for Background, Bookmark background, Hex text, Highlight background, Separating lines, File chunk background and text, Selection background and text, Selected file chunk background and text.)
56. …dded in the Project Tree area, and the Extraction Summary screen will display in the Data Display area.
Figure 28: New opened project. (Screenshot residue: Project Tree for a Samsung GSM SGH-E790 extraction with Extraction Data, Device Info, File Systems, Analyzed Data (Contacts 499, SMS Messages 5), Bookmarks, Data files (Images 86, Videos 74, Audio 39, Text), Tags and Reports; the Extraction Summary shows the selected device and manufacturer, connection type (Cable No. 97), extraction start date and time, unit identifier and version, the note "No reference hash information is available for this project", and the Generate Report and Calculate hashes buttons.)
5.2 Searching for Information in the Project
The search field at the top right of the application window allows you to search for information in the entire project, or in all projects that are currently open in the application.
To search for contents, type the search string in the field.
5.2.1 The Quick Results List
A quick list of matching results will appear under the search field. Sorting categories along the left edge…
57. …des a detailed view of the hex dump.
• Reconstructs the phone file system.
• Decodes contact lists, SMS messages, call logs, phone information (IMSI, ICCID, user codes) and more.
• Provides a view of data files (images, videos, etc.).
• Provides access to both current and deleted data.
• Retrieves phone passwords.
Simple viewing and user-friendly browsing of information.
Powerful search tools:
• Instantly search for project content.
• Search the hex dump or file system.
• Search by various parameters, such as strings, bytes, numbers and dates.
• Use GREP search (regular expressions) to look for specific data strings.
• Bookmark memory locations for indexing of key areas for later review.
Ability to use Python shell commands for data analysis.
Plug-ins:
• Manage installed plug-ins.
• Write your own plug-ins using the Python scripting language.
• Get additional plug-ins from the community website.
Generation of customized reports.
Chapter 2 Installation and Activation
2.1 Introduction
This chapter describes the activation process of the UFED Physical Extraction module on the UFED hardware itself, as well as the installation and activation process of the UFED Physical Analyzer (PA) software on your PC.
2.2 Activating the UFED Physical Extraction Module
Important: This section applies to users upgrading their current UFED to the Physical Module. It is not required for new UFED Physical Pro systems with the Physical Module already enabled.
Th…
58. …e UFED has two types of licenses:
• Logical license: Standard license for logical data extraction functionality.
• Physical license: Advanced license enabling physical extraction and analysis.
To enable physical data extraction and analysis capabilities, the UFED Physical license must be activated.
NOTE: Activation of the UFED Physical Extraction Module must be performed on the UFED hardware prior to installing the UFED Physical Analyzer software on your PC.
The installation of the UFED firmware on the UFED device is a two-step process and involves:
• Upgrading the UFED software to a version that supports physical extraction.
• Activation of the UFED Physical Extraction Module.
2.2.1 Renewing the UFED Physical Extraction Module License
To activate the UFED Physical Extraction Module, perform the following steps:
1. Power on the UFED.
2. Locate the UFED device serial number and ID information by selecting Services > Software Versions from the main menu. Make a note of the 7-digit serial number (marked S/N) and the ID information.
Figure 1: The UFED Software Versions screen.
3. On a PC with web access, launch your web browser and go to my.cellebrite.com. You will be asked to enter your user name and password to log in to your MyCellebrite web page.
(Screenshot residue: MyCellebrite login page in Windows Internet Explorer.)
59. … Figure 74: Hex Viewer settings.
• Base format for selection: The line numbers format (Decimal, Hex or Both).
• Font: The font used to display the information.
• Color settings: Set the colors applied to different features of the Hex viewer.
7.4 Models Settings
The Models settings enable you to set the Background and Text color schemes applied to the various types of phone data.
Figure 75: Models settings.
7.5 Report Settings
The Report settings enable you to customize several aspects of the generated report.
7.5.1 Additional Report Fields
Optional information is user-defined information presented at the beginning of the report. It usually includes information about the case, the investigator and the organization details. Every Optional information record consists of the following fields:
• Name: The name of the report field.
• Required: Indicates if the field must be filled in order to generate the report.
• Type: The type of entry, a String or a List.
• De…
(Screenshot residue: Additional report fields settings listing Case File number, Examiner name, Department and Location, each of type String, with Required checkboxes.)
60. …ed items to the required types. Use the Quick Filter field at the top right of the Results tab to filter the found items by entering a quick filtering string.
Figure 30: The contents search Results tab. (Screenshot residue: a contact result "eighth ladybug" with 5 entries, 0 addresses and 0 notes, listing Mobile, Home and Work numbers.)
5.3 Browsing the Hex Dump
Double-clicking on a binary hex dump in the Project Tree will display its content in a Hex View tab within the data display area. You can also display the extracted Hex dump by clicking on the image links displayed in the Extraction Log area at the bottom of the Extraction Summary tab.
Figure 31: Browsing the Hex dump. (Screenshot residue: Hex View of CTS 298C0000-30400000 with Values, Bookmarks and Highlights tabs; Length 0x6B40000, Offset 0x0, Selection 0x0.)
5.4 Browsing the File System
The UFED Physical Analyzer has the ability to reconstruct and display the phone file system as a tree structure of folders and files. To browse the file system:
1. …
61. (Screenshot residue only: an exported "Tagged Files" Excel sheet listing MP3 and AAC files under KFAT0 and UIFM/Music with their sizes, and a fragment of an XML report with multiModelField "Parties" of type Party and fields Identifier (String) and Role (PartyRole). No body text is recoverable.)
62. …ellebrite.com (Screenshot residue: the Cellebrite UFED Community Website, "This community site is for sharing and discussing plugins for UFED Physical Analyzer", with plug-ins browsable by category: File System, SMS, Calls, Email, GPS Locations, Multimedia, Device Info, Other; sections Fresh Plugins and Popular Plugins.)
Figure 69: The Cellebrite community website.
6.7 Using the Python Shell
The built-in Python Shell enables you to run customized analysis using Python commands. To open the Python Shell window, select Python > Python Shell or click the Python Shell button in the application toolbar. For detailed examples of how to use Python Shell commands for custom analysis, see Appendix A, Using Python in the Physical Analyzer, on page 112.
6.8 Exporting the File System
Exporting the extracted file system saves the entire file system to the selected location on your computer. Exporting the File System provides a physical files and folders structure saved in the same hierarchy as the original file system. (Browse For Folder dialog text: "The directory will be used to save the phone's file system.") With its orig…
63. …er passwords.
3.1.1 Using Removable Media
1. Select Physical Dump from the Main Menu. Press OK or [>] to continue.
2. Select the manufacturer of the phone from the Select Vendor menu. Press OK or [>] to continue.
3. Select the model of the phone. Press OK or [>] to continue.
4. Select the target storage media (USB disk drive or SD Card) from the Select Target menu. Press OK or [>] to continue.
5. You will be instructed to connect the source phone, using the appropriate cable, to the left USB port of the UFED, and then to connect the target storage media to the appropriate port on the right side of the UFED.
NOTE: USB disk drive storage media should be connected to the right-side Target port. SD card storage media should be inserted in the SD card slot on the left side of the UFED unit.
6. Make sure both are connected and then press [>] to start the dump process.
NOTE: When connecting the phone to the UFED unit, some phone models will prompt you to select the connection mode on the phone's display screen. Choose Data Mode, PC or PC Sync mode. The actual selection choice will vary depending on the phone model.
(Screenshot residue: UFED main menu with Extract Phone Data, Extract SIM/USIM Data, Clone SIM and Physical Dump; a vendor list showing Nokia models; Extraction Source: Connect cable 54; Target: USB Disk Drive.)
CAUTION: To prevent possible loss of data, do not disconnect the phone or the storage media (USB disk drive or SD card) during the extraction proces…
64. …fault value: The default content that will appear in the field.
Figure 76: Reports, Optional Information settings.
7.5.1.1 Adding a New Report Field
To add a new report field:
1. Click on the [+] above the fields list to add a new report field entry.
2. In the Name field, enter the field label that will be displayed.
3. Check the Required checkbox if this field must be filled to generate the report.
4. Use the Type list to specify the type of the new field: String for a text entry field where you type your information; List for a specified list of options to choose from.
5. Set the default content of the field. For a String type field, enter the default string in the Default Value field; for a multiline string, click on [...] and enter the default string in the Option Editor, then click Save. For a List type field, click on [...] and enter the list items, each item as a separate line, in the Option Editor, then click Save.
7.5.1.2 Deleting a Report Field
To delete an existing report field, click on the [x] at the right edge of the field entry.
7.5.1.3 Editing a Report Field
To edit an existing report field, go through steps 2 to 5 of Adding a New Report Field and change it to suit your needs.
7.5.2 Report Defaults
The Report Defaults settings enable you to specify the following report options:
• Report type: Select the type of report to display its relevant report option…
65. …from My Chains:
1. In the Chain Manager window, select My Chains.
2. If necessary, use the Quick Filter field to filter the chains list.
3. Click on the [x] at the right of the chain.
6.6 Plug-ins
The Plug-ins mechanism is an API that allows users to expand the abilities of the application by adding plug-ins provided by Cellebrite, or custom-tailored plug-ins written using Python.
6.6.1 Managing Plug-ins
The Add/Remove Plugins window enables you to manage the installed plug-ins. To open the Add/Remove Plugins window, select Plug-ins > Add/Remove Plugins or click the Add/Remove Plug-ins button in the application toolbar.
NOTE: To display all the installed plug-ins, including the built-in plug-ins that cannot be removed, select the Show built-in plug-ins option at the bottom left of the window.
Figure 67: The Plug-in Manager window. (Screenshot residue: "Drag a plugin file into the box to install"; columns Name, Author, Type, Version; entries such as BlackBerryIPDCallLog and BlackBerryIPDContacts by Cellebrite, type Native C#, version 2.0.)
The Add/Remove Plugins window enables you to perform the following management tasks:
• To install additional plug-ins, drag and drop them into the Add/Remove Plugins window.
• To extract a copy of an installed plug-in, select the plug-in and click the …
66. …g panel. Double-click the floating panel header strip to dock it back to the default location at the bottom of the Hex View tab.
• Double-click the name label of any tab to display it as a floating panel.
• Double-click the floating panel header strip to dock it back to the original location.
• Drag the name label or floating panel over any of the docking labels that appear to dock it at that location in the Hex View tab.
4.3.4.3 Data Items View tab
A Data Item View tab will be added to the data display area whenever you double-click on a data item group located under the Analyzed Data or Data Files sections of the project tree. The Data Item View tab displays a list of all the files of a specific type (images, videos, audio or text) that were found during the data analysis process.
NOTE: Image files can be displayed either in Table view or in Thumbnail view, using the two display option tabs at the top of the files list display pane.
Figure 27: Files View tab. (Screenshot residue: Images table with Del, Image Name, Path, Size and Metadata columns, e.g. multimedia/IMAGES/downloaded images/001.jpg, 14273 bytes.)
Chapter 5 Physical Analyzer Basic Use
5.1 Opening File for Analysis
1. If the ph…
67. …gnature (see Figure 56) will create a signature that identifies JPEG images.
Figure 73: JPEG Signature.
7.2.1.2 Extension filter
A list of common file extensions that are associated with file formats that belong to the specific data file group. For example, the different image file formats can be filtered by the file extensions jpg, jpeg, gif, png or bmp.
7.2.2 Managing Data Files Settings
You can add new types of data files, or edit and delete data files of an existing type. Using the following buttons at the bottom of the list you can:
• Move Up/Down: Change the order of data file types by moving the selected type row up or down.
• Add: Add a new data file type or signature filter.
• Delete: Delete the selected data file type or signature filter.
• Restore Default: Restore the default settings.
• Edit: Edit the signature filter.
To add a new data file record:
1. In the Data Files settings, click on [+] to add a new data file record.
2. Check the Active checkbox to display the added data type in the Data Type section of the project tree.
3. In the Description field, enter the file type description.
4. If applicable, in the Extensions field enter the file extensions commonly used by your data file type (in the format xxx, separated by …). In the Signature filter field, click on the button to add filtering signatures that identify your data file type.
5. In the Tag As field, sele…
68. …he Hex View tab is comprised of the following sections:
• Hex data display pane
• Hex View toolbar
• Analysis Information tabs
(Screenshot residue: a Hex View tab showing offsets 00044290 through 000443B0, 16 hex bytes per line, with the ASCII column.)
4.3.4.2.1 Hex Data Display Pane
The Hex data display pane is divided into 3 sections: …
69. …he data file name in the Project Tree and select Open.
6.4.2 Data File Pointers
All data files contain pointers to their file system location, so they can be located easily. To display the pointers, click the [+] sign next to the file name in the Project Tree. Double-clicking the pointer will redirect you to the relevant file in the file system section of the Hex dump.
6.4.3 Data Display Modes
Each type of data file has several data display modes:
• Image files: Hex view, Image view and File Info.
• Video files: Hex view and File Info.
• Audio files: Hex view and File Info.
• Text files: Hex view and File Info.
6.4.3.1 Hex View
To display the data file Hex dump, click the Hex view tab. For more information about the Hex view tab, see Hex View tab on page ….
(Screenshot residue: Hex view of a JPEG data file beginning FF D8 FF E1 with an Exif header ("Exif", "II") and the strings "N95" and "Nokia" in the ASCII column; tabs Hex view, Image view and File info.)
70. …he following settings:
• Device: The manufacturer name and model of the device (in the screenshot, Samsung E790).
• Selected Chain: The standard device parsing chain automatically assigned to the device.
• Binary Dumps: The binary dumps (images) referenced by the UFD file.
• File System Dumps: A file system folder or a zip archive.
3. Customize the file open options as described in sections 6.1.1.1 to 6.1.1.4.
4. Click Finish.
Figure 37: Advanced opening of a UFED extraction.
6.1.1.1 Specifying a Different Device
You can specify an entirely different parsing process for the extracted data by replacing the selected device. To select a different device:
1. Click on the Switch Device button.
2. From the Select Device list, select the desired device. Use the list of manufacturers on the left to filter the displayed devices by manufacturer, and the Quick Filter field to filter the displayed devices.
3. Click Next to return to the Advanced Customization panel.
Figure 38: Selecting a different device.
6.1.1.2 Changing the Parsing Chain
A chain is a set of plug-ins grouped together in a certain order, which is used to process the extracted data. Each device in the supported devices lis…
71. …he power adapter) are only indoor and SELV (safety extra low voltage), not exceeding 42.4 V peak or 60 VDC.
Contents
Chapter 1 Introduction 1
1.1 … 1
1.2 Physical Memory Extraction 1
1.3 … 2
Chapter 2 Installation and Activation 4
2.1 Introduction 4
2.2 Activating the UFED Physical Extraction Module 4
2.2.1 Renewing the UFED Physical Extraction Module License 5
2.2.2 … Software Upgrade 9
2.3 Installing the UFED Physical Analyzer Application 9
2.3.1 System Requirements 9
2.3.2 Software Installation 10
2.4 Activating the Physical Analyzer application 12
2.4.1 Using an Activation Code 12
2.4.2 Using a Hardware License Key 16
2.5 Deactivating a UFED Physical Analyzer License 17
Chapter 3 Performing Data Extraction 19
3.1 Performing a Physical Dump 19
3.1.1 Using Removable Media 20
3.1.2 Extracting Data Directly to Your PC 21
3.2 Extracting the File System 23
3.3 Extracting Passwords 23
Chapter 4 Overview of UFED Physical Analyzer Application 25
4.1 Introduction 25
4.2 Launching UFED Physical Analyzer Application 25
4.3 Application Structure Overview 26
4.3.1 Application Menu 27
4.3.2 Application Tool…
72. …ical to performing a Physical Dump, as described in Performing a Physical Dump on page 19. Start by selecting File System Dump from the Main Menu, as in step 1 of Performing a Physical Dump on page 19, and continue with the same steps afterwards. The resulting folder will include a ZIP archive of the phone's file system instead of the Hex file(s) of the memory dump, and a .ufd info file that enables the file system archive to be read by the Physical Analyzer application.
(Screenshot residue: UFED main menu with Extract Phone Data, Extract SIM/USIM Data, Clone SIM and Physical Dump.)
3.3 Extracting Passwords
The Extract Passwords feature provides quick access to the phone's user passwords without the need to analyze a dump using the UFED Physical Analyzer application.
1. Select Extract Passwords from the Main Menu. Press OK or [>] to continue.
2. Select the phone's manufacturer from the Select Vendor menu. Press OK or [>] to continue.
3. Select the phone's model from the Select Model menu. Press OK or [>] to continue.
4. From the Select Target options, select USB Disk Drive or SD Card to store the extracted data on the selected storage media, or select Display Only to display the extracted password data on the UFED unit without storing it.
5. You will be instructed to connect the source phone, using the appropriate cable, to the left USB port of the UFED unit (marked Source). Connect removable media if extracting to file.
NOTE: USB disk drive storage media…
73. …identifiers of the phone, such as SIM card and user lock codes, where supported. The Properties list is divided to display the different Device Info categories.
NOTE: The number of categories and the amount of displayed information may vary depending on the device model and manufacturer.
A checkbox next to each of the categories and properties indicates whether this item will be included (checked) or excluded (unchecked) in the report. A Find field at the top of the properties list allows you to filter the displayed items (categories, subjects and data) to display only items containing the entered text string.
Figure 13: Device Info. (Screenshot residue: Device Info properties for a Nokia 6230: Detected manufacturer and Detected model; System: IMEI, Serial, Product code, Product basic code, Module code, Hardware number; User code; Memory card code; SIM: IMSI, ICCID; Bluetooth: Bluetooth activity, status, device name and paired devices; General.)
4.3.3.3 Images
The Images item of the project tree lists all the dump files generated by the data extraction from the memory modules of the device.
Figure 14: Memory dump images. (Screenshot residue: Images (2) with MCU 0000000-12000000.bin and CTS 28000000-30400000.bin.)
Double-clicking on any image item will display it in a…
74. …in: A specific predefined chain.
• Plugin: A specific plug-in.
NOTE: Both Device and Chain are added to the chain as a Chain component.
Click on the [+] at the right of the component line to add it. To remove a component from the chain list, click on the [x] at the right of the component item, then click Yes to approve. To edit the parameters of a plug-in or chain, select it from the chain components list on the left and set the options displayed.
NOTE: To return to the Component Library display and continue adding more plug-ins and chains, click on Add Chain/Plugin.
When finished, click Save. The new chain will be added to your My Chains list.
6.5.1.2 Editing an Existing Chain
A chain can be opened and edited to suit your needs. To edit an existing chain:
1. Double-click on the chain you wish to edit.
2. Click on Add Chain/Plugin to display the Component Library.
3. To make the necessary changes, follow steps 4 through 7 of Constructing a New Chain on page 93.
4. When finished, click Save to save the changes, or Save As to save the edited chain as a new chain. If you selected Save As, enter a name for the new chain and click Save.
NOTE: Changes made to factory predefined (locked) chains can only be saved as a new chain.
6.5.1.3 Managing Device Chains
6.5.1.3.1 Attaching devices to a chain
To attach devices to a chain:
1. Double-click on the chain to which you would like to at…
75. inal Files hierarchy (original file system).

To export the extracted file system:

1. From the application menu select Tools > Dump file system, or click the Dump file system button in the application toolbar.
2. In the Browse For Folder dialog, select the target location to which the extracted file system will be saved. Use the Make New Folder button to create a new folder in the target location.
3. Click OK to export the file system.

Figure 70: Exporting the file system (Browse For Folder dialog showing My Documents, My Computer, My Network Places and Recycle Bin)

Chapter 7 General settings

The Settings window provides access to a set of functional and behavioral setup options used to fine-tune and control the functionality and usability of the UFED Physical Analyzer application. To access the Settings window, select Tools > Settings or click the Settings shortcut button at the top right of the Welcome screen. The main settings categories appear in the column at the left of the window. Click on a category to access and change its options.

General Settings

These settings determine the following general application properties:

Localization: Sets the interface language of the application.
Dump: Sets how deleted files are handled by the Tools > Dump GPS/Mass Storage Device feature.
Export: Sets the encoding and separator of exported CSV files.

(Settings categories shown in the screenshot: General Settings, Additional report fields, Report Defaults.) Locali
76. iting the Current Chain on page 65. To add binary dumps, see Add a Binary Dump on page 66. To add a file system dump, see Add a File System Dump on page 67. Click Finish.

6.1.2.2 Starting from a Blank Project

1. Click the Blank Project button.
2. To select a device, see Specifying a Different Device on page 63.
3. To select a different parsing chain, see Selecting a Different Chain on page 64.
4. To customize the parsing chain, see Editing the Current Chain on page 65.
5. To add binary dumps, see Add a Binary Dump on page 66.
6. To add a file system dump, see Add a File System Dump on page 67.
7. Click Finish.

6.1.3 Saving a UFD File

At any point while setting the Open Advanced parameters you can click the Save UFD button at the top right corner of the dialog to save a .ufd file that logs the selected binary dumps and device information for future use. The next time you need to parse that file you can use the saved UFD file to open it with Open or Open Advanced.

6.2 Hash Verification

A hash value is a unique and compact representation of a piece of data. It can be used for integrity protection because it is computationally infeasible to find two distinct inputs that hash to the same value. Comparing the reference hash value that was generated during the extraction process for each binary dump against its calculated hash value enables you to verify the integrity of the bina
77. l the encoding types by clicking the [up]/[down] buttons.

Figure 61: Decoded data segment (the Values tab of the Hex view lists 8, 16, 32 and 64-bit values, Strings in ASCII, Unicode little-endian and big-endian, 7-bit at bit offsets 0 through 6, Reversed, and Date & Time; in the screenshot only the 0 bits offset row decodes to readable text, "I'm at work. Please call", while the other six offsets yield garbage)

6.4.7 Highlights tab

The Highlights function presents analyzed data locations within the hex dump. It allows the user to find the exact location(s) of a particular type of analyzed data in the hex dump.

1. Click Highlights in the Hex window tab bar to access the Highlights window.
2. Upon selecting one of the analyzed data folders (e.g. Contacts), the location of the selected contacts is listed in the Highlights window
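The seven "7Bit ... bits offset" rows in Figure 61 are the same bytes read as GSM 7-bit septets starting at each possible bit alignment; only the correct alignment yields text. The following is an added example, not code from the manual or from Cellebrite, that packs and unpacks GSM 7-bit data and lists all seven candidate alignments. The sample message and the 3-bit misalignment are constructed here; the character table is a deliberate simplification (codes where GSM 03.38 differs from ASCII are shown as '.').

```python
# Added example (not Cellebrite's code): GSM 7-bit unpacking at each bit
# offset, which is what the Values tab's "7Bit ... bits offset" rows show.
# The GSM 03.38 default alphabet agrees with ASCII for letters, digits,
# space and most punctuation; the codes where it differs (0x00-0x1F,
# 0x24, 0x40, 0x5B-0x60, 0x7B-0x7F) are rendered as '.' here, which is a
# simplification, not the full alphabet table.

GSM_ASCII_COMPATIBLE = (set(range(0x20, 0x24)) | set(range(0x25, 0x40))
                        | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B)))


def pack_7bit(text):
    """Pack septets LSB-first into bytes, as an SMS PDU user-data field is."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)          # leftover bits, zero padded
    return bytes(out)


def unpack_7bit(data, bit_offset=0, count=None):
    """Decode septets starting bit_offset bits (0..6) into data.

    count=None takes as many whole septets as fit and strips trailing zero
    septets, which is how padding shows up when the true length is unknown.
    """
    if not 0 <= bit_offset < 7:
        raise ValueError("bit_offset must be in 0..6")
    stream = int.from_bytes(data, "little") >> bit_offset
    avail = (len(data) * 8 - bit_offset) // 7
    n = avail if count is None else min(count, avail)
    septets = [(stream >> (7 * i)) & 0x7F for i in range(n)]
    if count is None:
        while septets and septets[-1] == 0:
            septets.pop()
    return "".join(chr(s) if s in GSM_ASCII_COMPATIBLE else "." for s in septets)


def candidates(data):
    """All seven alignments of the same bytes, keyed by bit offset."""
    return {off: unpack_7bit(data, off) for off in range(7)}


def looks_like_text(s, threshold=0.9):
    """Cheap plausibility score: share of characters that decoded cleanly."""
    return bool(s) and sum(c != "." for c in s) / len(s) >= threshold


# Constructed sample: the message the figure shows at 0 bits offset, packed
# at alignment 0, and the same bytes shifted 3 bits so it decodes at offset 3
# (as happens when a data segment starts mid-septet).
SAMPLE_TEXT = "I'm at work. Please call"
ALIGNED = pack_7bit(SAMPLE_TEXT)
SHIFTED = (int.from_bytes(ALIGNED, "little") << 3).to_bytes(len(ALIGNED) + 1, "little")

if __name__ == "__main__":
    for off, text in candidates(SHIFTED).items():
        flag = "<- text" if looks_like_text(text) else ""
        print("%d bits offset: %r %s" % (off, text, flag))
```

Running the block prints the seven rows for the shifted sample; only the 3 bits offset row is flagged as text, mirroring how an analyst reads Figure 61. `looks_like_text` is only a heuristic: short fragments can decode to plausible characters at a wrong offset, so a hit should be confirmed against neighbouring data.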
78. le by path

>>> f = ds.FileSystems['KFAT0']['SMS']['sms.dat']
>>> f
File: SMS/sms.dat (39600b)

1.2.5 Print some information about the file

>>> f = ds.FileSystems['KFAT']['SMS']['sms.dat']
>>> f.Name
'sms.dat'
>>> f.Size
39600L
>>> f.AbsolutePath
'/SMS/sms.dat'
>>> f.Deleted
DeletedState.Intact
>>> f.Parent
Directory: SMS (7 children): sms.dat, aniheader, ANI, imageheader, MELODY, animation, IMAGE

1.2.6 List all files in a directory

>>> for f in ds.FileSystems['KFAT0']['SMS']:
...     print f.Name
sms.dat
aniheader
ANI
imageheader
MELODY
animation
IMAGE

1.2.7 Searching for files with a regular expression

>>> for i in fs.Search('multimedia.*\.jpg'):
...     print i.AbsolutePath
/multimedia/IMAGES/downloaded images/62 New Samsung D500 128x96 1 6.jpg
/multimedia/IMAGES/downloaded images/6 LG U8330 94x144 1 5.jpg
/multimedia/IMAGES/downloaded images/Vladi_Img3.jpg
/multimedia/IMAGES/downloaded images/55 New SAMSUNG S410i 176x148 2 5.jpg

1.2.8 Find out if a node is a file or a directory

>>> f = ds.FileSystems['KFAT']['SMS']['sms.dat']
>>> if f.Type == NodeType.File:
...     print 'This is a file'
... elif f.Type == NodeType.Directory:
...     print 'This is a directory'
This is a file

1.2.9 Reading data from a file

>>> f = ds.FileSystems['KFAT0']['SMS']['sms.dat']
>>> f
79. le clicking on any of the generated reports will open it in the associated application installed on the workstation. Right clicking any of the generated reports will allow you to open the report file, or select Open containing folder to browse the files and folders of the report.

Figure: Generated reports opened in their associated applications (the screenshot shows the HTML Extraction Report in Windows Internet Explorer and report.xlsx in Microsoft Excel, both from a My Reports folder for a Samsung GSM_SGH-E790 extraction dated 2011-01-18)
80. ll automatically add it to the highlights list of the displayed binary image and/or memory range it belongs to, located at the bottom of the Hex view tab, and will highlight its data range portion in the displayed data.

Figure 18: File systems (the project tree shows the KFAT0 file system with folders such as BROWSER, dir_vfp, temp, DRM, EMAIL, IMAGES, JAVA, MMS, multimedia, SMS, SOUNDS, SYNCML, TEST, USER, WAP, Samsung ess and SAMSUNG ESS, the file tfsVersionCode.tfs, and the Samsung MCU and Samsung Linked List file systems)

4.3.3.6 Analyzed Data

The Analyzed data item of the project tree displays the phone data item groups that were found in the extracted data. The list of items will include:

Personal information, such as calendar, contacts, notes, call log.
Messaging items, such as SMS, MMS, email, instant message/chat.
Web browser items, such as bookmarks, history, cookies.
GPS information, such as locations, journeys, fixes.
Device information, such as Bluetooth pairings, SIM data.

NOTE: Additional types of Analyzed Data groups may be available according to the device features and the application version.

Figure 19: Analyzed Data section (Call Log (29): Incoming (26), Outgoing (3); Contacts (1255); SMS Messages (192): Drafts (3), Inbox (10), Sent (173))

A number in parentheses next to each item type shows the number of items of this type that were found in the extr
81. mory module dumps of the device listed under Images.

Figure 16: Memory ranges

Selecting a memory range will automatically add it to the highlights list of the displayed binary image it belongs to, located at the bottom of the Hex view tab, and will highlight the memory range portion in the displayed data. Double clicking on any memory range item will display its content in a new Hex View tab in the data display area.

Figure 17: Highlighted memory range in the image Hex view tab (the screenshot shows CTS 28000000-30400000.bin with the Highlights tab listing CTS Remapped ranges by offset and length)

4.3.3.5 File Systems

The File systems item of the project tree lists all the file systems found and reconstructed out of the analyzed binary data. Each file system found will appear as a hard drive icon. You can browse the file system to display folders and files by clicking the [+] or [-] icons.

NOTE: Deleted items appear with a deleted-item icon.

Double clicking on any file item in the file system tree will display its content in a new Hex View tab in the data display area. Selecting a file system item wi
82. (Figure 23, continued: the Welcome screen's recent files list shows entries such as WM Dumper (WM Dumper.ufd, 01/11/2010 13:09), 2865i New Format (2865i New Format.ufd, 01/11/2010 13:04), Dump (Dump.ufd, 01/11/2010 13:02) and Backup (Backup.ufd, 01/11/2010 12:58), each with a Browse link, and a Samsung SAMD500 WINMOFA entry)

File Name: The name of the opened file without the file extension.
File Path: The file system path to the file location.
Device Model: The identified device manufacturer and model, or BINARY in case the opened file was a binary dump.
Date and time: The date and time stamp at which the file was opened.
Browse link: A direct link to the file in the file system.

Click on a framed item to open the recently opened file for analysis. Click on the Browse link of a recent file item to go directly to the file associated with it in the file system.

NOTE: Whenever the Welcome tab is not displayed you can display it by selecting View > Show Welcome Screen.

4.3.4.2 Hex View tab

A new Hex View tab screen will appear for each binary item you open from the Project tree.

(Figure: Hex View tab of a dump, showing rows of 16 bytes with their offsets from 0x00044240 and an ASCII column)
83. n addition to the report file in the selected report format.
Show totals for items not in the report: Adds a Total column to the report displaying the total number of items that were excluded from the report.

7.5.2.2 Excel Report Settings

Unprintable characters placeholder: Sets the placeholder character that will replace unprintable characters.
Email body size limit: Sets the maximum number of lines from each email message that will appear in the report.

Appendix A Using Python in the Physical Analyzer

1.1 Accessing the data store

>>> ds
DataStore for device SAMD50: 3 file systems, 3506 nodes, 1398 models

1.2 File Systems, Files and Directories

1.2.1 Listing the current file systems

>>> for fs in ds.FileSystems:
...     print fs.Name
KFAT
Samsung MCU
Samsung Linked List

1.2.2 Get a specific file system by name

>>> fs = ds.FileSystems['KFAT0']
>>> fs
FileSystem: KFAT (712 nodes): DRM, IMAGES, WAP, dir_vfp, temp, multimedia, Samsung ess, SMS, JAVA, SYNCML, SAMSUNG ESS, BROWSER, SOUNDS, EMAIL, TEST, USER, MMS, tfsVersionCode.tfs

1.2.3 Go over all files in a file system recursively

>>> fs = ds.FileSystems['KFAT0']
>>> for f in fs.GetAllNodes():
...     print f.AbsolutePath
/DRM
/DRM/RIGHTS
/DRM/RIGHTS/macrainit.bin
/DRM/RIGHTS/ssc.dat
/DRM/TEMP
/IMAGES
/IMAGES/charging ani_ 1 icn

1.2.4 Get a specific fi
84. nd Inquiry button. A quote for the required license will be sent to you via the specified email address.

Figure 5: The Renewal Process screen (the License Information table lists, per serial, the Functionality (Logical, Physical), Expiration Date, Months, New Expiration Date and Price, with a "Quote will be sent via email" indication and a "Batch set months for all devices" control; the My Information form collects First Name, Last Name, Company/Organization, Contact Number, Fax, Country, Address, City, State, ZIP Code, Email and Verify Email, plus up to 5 Additional Recipients)

NOTE (shown on the form): Many government organizations block system-generated emails. It is recommended to add at least one other alternate or personal email address. The activation key will be emailed to all recipients.

After the license purchasing process is concluded you will receive an email message containing the activation key. To enter your key, power on your UFED System, select Services > Upgrade > UFED License > Activate License and enter the key string.

2.2.2 UFED Software Upgrade

Once activated, the UFED Physical Extraction module is ready for use. To verify that you have the latest version of the device firmware, you should upgrade the software version. To upgrade the software version, select Services >
85. new project from extracted data or a file system dump that was not generated by a UFED unit.

(Text of the Open Advanced dialog: "Open Advanced: Start a new project while customizing the decoding process. Select a UFED extraction: If you've used a UFED unit to extract data from your device, select the UFD file in the extraction folder. Start without a UFD file: Use this option in case another method was used to extract the data, e.g. a chip-off or a different tool." Buttons: Select a UFED extraction, Blank project, Select Device, Cancel.)

Figure 36: The Open Advanced dialog

6.1.1 Advanced Opening of a UFED Extraction File

The standard Open process uses a parsing process set according to the device and manufacturer information logged in the .ufd file, or known file formats (.bin, .pm, .ipd, etc.), to parse the data and create a new project. Using the Select a UFED extraction method enables you to skip the standard Open process and specify a custom parsing process, or specify how to parse unknown devices.

To create a new project from UFED extracted data using Open Advanced:

1. Click the Select a UFED extraction button.
2. In the displayed file selection dialog, select the .ufd file that will be processed and click OK.

The dialog contents change to Advanced Customization ("Customize the current chain and add dumps and file systems", with an Add Binary Dump control) and display t
86. nimal Length value to a higher number.

(Options shown in the Find dialog: Search direction: Down; Search results window: New; Colors: Text, Background; Find all instances; Show results comments (slower).)

6.3.11 Code Search

When navigating within a large memory structure, the Code search method can locate user codes and passwords.

1. While viewing a hex dump, click on the Find button in the Hex view toolbar.
2. Select the Code tab (the dialog's tabs are Find, RegEx (GREP), SMS 7Bit, PDU, Pattern and Code).
3. In the Minimal length and Maximal length fields, set the pattern length range. This option enables filtering the results according to the length of the searched patterns.
4. Set the search results Text and Background colors.
5. Click Find.

Figure 52: Code search

6.4 Working with Data Files

6.4.1 Accessing Data Files

To access one of the Data Files:

1. In the Project Tree, double click on any of the item type groups under Data files. A list view is presented in the data display area.

NOTE: For images, the data files can be displayed in Table View or Thumbnail View.

2. To display a specific data file, perform one of the following: double click on the file icon in the data display area; double click on the data file name in the Project Tree; right click on t
87. ody.Value = "Hi B and C, what's up?"
ds.Models.Add(m)

1.4.15 Create a new Chat

Chats, much like Journeys for Locations, are an aggregation of instant messages with some added metadata about the conversation itself. Chats are an effective way of storing a list of messages belonging to the same conversation.

c = Chat()
c.Messages.Add(msg)      # msg is an InstantMessage object
c.Messages.Add(msg2)
c.StartTime.Value = TimeStamp(DateTime(2009, 10, 3, 10, 45, 12))
c.LastActivity.Value = TimeStamp(DateTime(2009, 10, 3, 11, 15, 32))
c.Participants.Value = ["PersonA", "PersonB", "PersonC"]
ds.Models.Add(c)

1.4.16 Create a new Calendar Entry

CalendarEntry models have many fields; therefore only a partial example is given below.

c = CalendarEntry()
c.Details.Value = "Important meeting"
# more fields like Details are Category, Subject and Location
c.StartDate.Value = TimeStamp(DateTime(2010, 9, 10, 15, 40))
# more date fields are EndDate and Reminder
ds.Models.Add(c)

1.4.17 Create a new Note

n = Note()
n.Title.Value = "Note to self"
n.Body.Value = "I'm awesome"
n.Summary.Value = "Summarily, I'm awesome"
n.Creation.Value = TimeStamp(DateTime(2010, 9, 10, 15, 40))
n.Modification.Value = TimeStamp(DateTime(2010, 9, 10, 15, 40))
ds.Models.Add(n)

1.4.18 Create a new Bluetooth Device

d = BluetoothDevice()
d.Name.Value = "Gilad's iPhone"
d.MACAddress.Value = "00:01:34:55:66:77"
d.Info.Val
88. of the quick results list sort the results according to their type (such as SMS Messages, Contacts, Files, etc.) and display the number of matching results found in each type category. Selecting a result from the list will display it in the Data Display area using the appropriate information display tab.

Figure: The Quick Results List (the screenshot shows the Physical Analyzer main window with the menu bar File, View, Tools, Python, Plug-ins, Report, Help; the Project Tree for a Samsung GSM_SGH-E790 extraction with Device Info, Images, Memory Ranges, File Systems (KFAT0), Analyzed Data (Contacts (499), SMS Messages, Bookmarks (0)), Data files (Images (86), Videos (74), Audio (39), Text), Tags and Reports; the Extraction Summary tab with Device Information, Image Hash Information ("No reference hash information is available for this project") and Device Content counts; and the quick results pane listing matching SMS messages and contacts with Show All and Minimize controls)
89. one data was extracted to removable media, connect the USB disk drive or SD card containing the extracted data to a PC with an activated, running copy of the UFED Physical Analyzer application.

NOTE: For faster processing, copy the extracted data folder from the removable media to the PC and open it directly from the PC.

1. From the application menu select File > Open, or click the Open button on the application toolbar.
2. Navigate to the location of the extracted phone data folder and open it.
3. In the displayed Open dialog select the data extraction file. By default the Open dialog is set to display UFED Dump files (.ufd), which is the information mapping file of the extracted phone data. Additional formats available for selection from the Files of Type list of the Open dialog include:

UFED report (.xml): Logical reports generated by the UFED unit.
Binary files (.bin): Raw binary files or any hex dump generated by another application.

NOTE: Opening a binary file will only allow hex dump view, with no file system or data analysis. However, you will still be able to perform your own searches and analysis using the provided tools.

Proprietary phone data file formats, such as the Nokia PM (.pm) and the BlackBerry backup file (.ipd), which are proprietary file formats of specific phone vendors' file systems.

4. Click Open. The data analysis process will begin and run for several seconds. At the end of the process a new project will be a
90. oolbar

Figure 10: The Application Toolbar

The application toolbar provides shortcuts to quickly access commonly used functions:

Open: Click to open a file for analysis (File > Open).
Open Advanced: Click to use the advanced options to open a file for analysis (File > Open Advanced).
Python Shell: Click to display the Python Shell window (Python > Python Shell).
Add/Remove Plugins: Click to display the Add/Remove Plugins window (Plug-ins > Add/Remove Plug-ins).
Chain Manager: Click to display the Chain Manager window (Plug-ins > Chain Manager).
Read Data from UFED: Initiates an extraction process of phone data from a UFED unit connected directly to the PC via USB cable (Tools > Read Data from UFED).
Dump GPS/Mass Storage Device: Initiates an extraction process of GPS or mass storage device data connected directly to the PC via USB cable (Tools > Dump GPS/Mass Storage Device).

4.3.3 Project Tree Area

The Project Tree area displays the following extracted information structure of each file opened for analysis:

Extraction data
Device info
Images (one for each extracted memory module or extracted memory range)
Memory ranges
File systems
Analyzed data

(Figure: Project tree, showing Extraction data, Device info, Images, Memory ranges, File systems (KFAT0, Samsung MCU, Samsung Linked List) and Analyzed data (Call Log, ...))
91. (Figure 22 residue: the Tags section lists a Text group with files such as policy.bat, alarmist.txt and pushlist.txt, and a Video group with video_0001.3gp, video_0002.3gp and video_0003.3gp)

Figure 22: Tags section

4.3.4 Data Display Area

Displays the content of the currently selected project tree item. A new data display panel is opened for each selected item (e.g. hex memory, list of contacts, file content, etc.). Tabs are used to navigate between the views.

4.3.4.1 The Welcome tab

The Welcome tab is automatically displayed in the data display area when the application is launched, and displays a list of the recently opened files. Each recently opened file item in the list is displayed as a framed information group that contains the following items:

Device icon: A thumbnail image of the device from the application resources, if available. When not available, a general placeholder image is used.

Figure 23: Welcome screen ("Welcome to UFED Physical Analyzer"; the recent files list shows framed entries such as Dump (Samsung SAMD500, C:\Documents and Settings\...\Dump.ufd, 1/11/2010 13:10), EFS LG KC910Q (QCOMEFS, EFS LG KC910Q.ufd, 1/11/2010), Samsung GSM_SGH-E790 (GSM_SGH-E790.ufd, 1/11/2010), NOK6230i (NOK6230i.ufd, 1/11/2010 13:02) and MCU 10000000-12000000 (MCU 10000000-12000000.bin), each with a Browse link)
92. pecific locations in the hex dump. Bookmarks provide easy access to locate data segments in the future.

To bookmark a data segment:

1. In the Hex view, click and drag to highlight the data.
2. Click on the Add Bookmark button in the Hex view toolbar. The Add Bookmark dialog is displayed.
3. In the displayed Add Bookmark dialog: enter a name for the bookmark in the Description field; set the Background and Text colors of the bookmark in the Colors section.
4. Click the OK button.

The new bookmark will be saved and displayed in the Bookmarks tab at the bottom of the Hex view. The marked segment is highlighted in the chosen colors. Details about the bookmark appear in the results window.

(Figure: the Add Bookmark dialog with Description "Point 1", Location (Address 45418607, Base Decimal, Length 97) and Colors (Background Change, Text Change); below it the Hex view with the bookmarked segment highlighted and the Bookmarks tab listing its Offset, Length and Description)
93. rection

(Options shown in the Numbers search dialog: Search direction; Search results window: New; Reverse nibbles; Numbers (numbers search); SMS PDU numbers (SMS PDU numbers search); Find all instances; Show results comments (slower); sample configuration; Allow partial match.)

1. While viewing a hex dump, click on the Find button in the Hex view toolbar.
2. Select Numbers from the list at the top of the dialog.
3. Select the SMS PDU numbers option.
4. In the Number field, enter the search number.
5. If only part of the number is known, select the Allow Partial Match option.
6. Set the Search direction, Search result window and search colors options.
7. Select Find all instances to display all search results at the end of the process, or deselect it to move through the found items one by one during the search (this can also be done by pressing F3).
8. Click Find.

Figure 48: SMS Numbers search

NOTE: If the Number field is left empty, the search result will include all the numbers that match the SMS Number format.

6.3.8 Regular Expression (GREP) Search

This search method enables you to invoke the power of regular expressions (RegEx) in order to look for a specific string structure within the data. For example, the regular expression [a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[A-Za-z]{2,4} will search your data for all the email addresses that match the structure <string>@<string>.<2 to 4 letters>.
94. representation column display.
Locate File in Tree: Selects the displayed file in the File Systems section of the Project Tree.

4.3.4.2.3 Analysis Information Tabs

Located under the Hex Data display pane by default, the Analysis Information tabs display the following types of information related directly to the displayed hex data:

Values: A wide array of value interpretations, such as 8, 16, 32 and 64 bit values, various string encodings, Date & Time formats and more, calculated on the fly for the currently selected data in the Hex view.
Bookmarks: A list of bookmarks added in the displayed hex data.
Highlights: A list of content segment markups highlighted in the displayed hex data. The number of highlight results is shown in brackets next to the tab name.
Search: Displays the results of a search in the displayed hex data. A new search results tab will open for each search query performed. The number of results for each search is shown in brackets next to the tab name.

Figure 26: Analysis Information tabs (the screenshot shows a Highlights tab with Offset, Length and Comment columns, e.g. 0x03138100, 0x200, /multimedia/IMAGES/downloaded images/001.jpg)

4.3.4.2.4 Rearranging the Analysis Information Tabs

You can rearrange the display of the Analysis Information tabs to suit your preference. Double click the header strip of the section to display the entire section as a floatin
95. rmation logged by the camera, if it exists.
Image Metadata: The general information of the image (resolution, size and color depth).

Figure 56: Image File Info (the File Info pane next to the Hex View and Image view lists: Header (offset, original size, data cluster, short name); Date & Time (creation time, modify time, last access time); General (file size, chunks); Offsets (data offset); EXIF (Make, Model, Orientation, Resolution, ResolutionUnit, Software, DateTime, YCbCrPositioning, ExposureTime, FNumber, Flash, FlashpixVersion, ColorSpace, Pixel Dimensions, CustomRendered, ExposureMode, WhiteBalance, DigitalZoomRatio, SceneCaptureType, SubjectDistanceRange); and Image Metadata (Camera Make, Camera Model, Pixel resolution, Resolution, Unit). The sample values shown are for a Sony Ericsson K550im photo, DSC00001.JPG, 242185 bytes, 1632x1224 at 72x72 pixels per inch.)

6.4.4 Redirecting the Offset

When viewing the hex data of a file or image, you can use the offset redirection section in the Hex View toolbar to move to a specific address in the displayed data. The offset redirection section includes the follo
96. ry dumps you received.

To verify the hash values:

1. Click the Calculate hashes button in the Extracted Data tab of the project.
2. After the hash values have been calculated for the project, click the Show Details button.

The Image Hash Details dialog will display the comparison result of the reference and calculated hash values of each image. A verified label indicates matching values. A failed-verification label indicates that the images do not match.

Figure 41: The Image Hash Details dialog (for each image the dialog lists its MD5 and SHA256 digests next to the verification status; the example reads "All project images are verified")

Projects without reference hash values will display a "No reference hash information is available for this project" alert in the Image Hash Information section of the Welcome tab. You can calculate hash values for a project without hash reference values. A "Hashes have been calculated for this project but no reference data is available" message will be displayed in the Image Hash Information section of the Extracted Data tab.

6.3 Searching for Information in the Hex Dump and Parsed Data

6.3.1 Search Modes

The following search modes enable you to search for information within the hex dump:

Find: Enables searching for specific parameters such as strings, bytes
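Sections 6.2 and the Image Hash Details dialog above describe comparing the reference MD5/SHA256 recorded at extraction time against digests recalculated over the dump files. The following is an added example, not code from the manual or from Cellebrite, that performs that comparison: it hashes each image in chunks (dumps are often larger than RAM), classifies every image as verified, failed or lacking a reference, and treats a mismatch on any one algorithm as a failure. The image names are taken from the figures on this page; their contents and the reference table are constructed here, whereas in a real project the reference values come from the UFD file.

```python
# Added example (not Cellebrite's code): the comparison the Image Hash
# Details dialog performs, done with hashlib over dump images read in
# chunks. Reference hashes here are constructed for the sample data; in a
# real project they come from the UFD file written during extraction.
import hashlib
import hmac
import io

ALGORITHMS = ("md5", "sha256")


def hash_image(stream, chunk_size=1 << 20):
    """Upper-case hex digests of a file-like object, read in chunks so that
    multi-gigabyte dumps never have to be loaded into memory at once."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest().upper() for alg, h in hashers.items()}


def verify_images(images, reference):
    """images: {name: file-like}; reference: {name: {alg: hexdigest}}.

    Returns {name: "verified" | "failed" | "no reference"}. An image whose
    reference entry lists only some algorithms is checked on those present;
    a mismatch on any single algorithm fails the image.
    """
    status = {}
    for name, stream in images.items():
        ref = reference.get(name)
        if not ref:
            status[name] = "no reference"
            continue
        calc = hash_image(stream)
        ok = all(hmac.compare_digest(calc[alg], ref[alg].upper())
                 for alg in ref if alg in calc)
        status[name] = "verified" if ok else "failed"
    return status


# Constructed sample dumps (names as in the figures, contents invented).
DUMPS = {
    "MCU 10000000-12000000.bin": b"\x00" * 64 + b"firmware-ish bytes" + b"\xff" * 64,
    "CTS 28000000-30400000.bin": bytes(range(256)) * 4,
    "extra.bin": b"received separately, no reference",
}
# Reference table: correct digests for the MCU image; for the CTS image the
# SHA256 is deliberately wrong, simulating a dump altered after extraction.
REFERENCE = {
    "MCU 10000000-12000000.bin": {
        "md5": hashlib.md5(DUMPS["MCU 10000000-12000000.bin"]).hexdigest(),
        "sha256": hashlib.sha256(DUMPS["MCU 10000000-12000000.bin"]).hexdigest(),
    },
    "CTS 28000000-30400000.bin": {
        "md5": hashlib.md5(DUMPS["CTS 28000000-30400000.bin"]).hexdigest(),
        "sha256": "00" * 32,
    },
}


def run_check():
    """Verify the constructed dumps against the constructed reference table."""
    return verify_images({n: io.BytesIO(b) for n, b in DUMPS.items()}, REFERENCE)


if __name__ == "__main__":
    for name, result in run_check().items():
        print("%-28s %s" % (name, result))
```

The MD5 of the CTS image still matches in this sample, which is exactly why a single mismatching algorithm must fail the image: an MD5 collision is practical, so agreement on MD5 alone says nothing once SHA256 disagrees. `hmac.compare_digest` is used for the string comparison out of habit; the digests are not secrets, so an ordinary equality test would be acceptable here.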
97. s.

6. Upon completion of the dump process, the UFED unit will display "Extraction completed successfully". It is now safe to disconnect the phone and remove the target storage media for analysis using the UFED Physical Analyzer PC tool.
7. A folder named according to the phone model, the current date and a counter (for example Physical Nokia GSM Generic 2009_05_15 001) is created on the target storage drive. This folder contains the extracted binary files, one for each extracted memory module, and the UFD file used by the UFED Physical Analyzer application to access the extracted data. Multiple dumps from different phones can be saved to the same USB drive or SD card; a new folder will automatically be created for each device dump.

3.1.2 Extracting Data Directly to Your PC

1. Connect your UFED device to your PC using a USB to mini-USB cable, using the port marked PC located on the top of your UFED unit. Your PC may prompt you to install drivers; refer to chapter 9 in the UFED User Manual.

On the UFED unit:

1. Select Physical Dump from the Main Menu. Press OK or > to continue.
2. Select the manufacturer of the phone from the Select Vendor menu. Press OK or > to continue.
3. Select the model of the phone. Press OK or > to continue.
4. Select PC as the target. Press OK or > to continue.

On your PC:

5. Launch the UFED Physical Analyzer application.
6. In the application
98. s, SMS Messages and others.

Figure 12: The Extraction Data tab (the Extraction Summary for a Samsung D500 dump shows the extraction start date/time 01/06/2009 11:52:31, Unit Version 1.0.0.0, the message "Hashes have been calculated for this project but no reference data is available" with a Show Details link, the IMSI, and Device Content counts for Phone Data (Call Log, Contacts, SMS Messages) and Data Files (Image, Audio, Video))

For the complete list of Phone Data types, see Analyzed Data on page 38.

Data Files: The types of standard data files found in the extracted memory dump, such as Images, Video, Audio and Text files.

NOTE: The Extraction data tab will be displayed automatically whenever you open a new file for analysis.

Clicking on any of the Device Content categories will display the relevant information viewer tab in the data display area, listing all the items logged in this category. See Analyzed Data on page 38 and Data Files on page 40. Clicking the Generate Report button at the top right of the tab will prompt you to generate a report for the current project. See Generating Reports on page 57.

4.3.3.2 Device Info

Double clicking the Device info item will display its tab in the data display area. The Device info tab provides an extensive amount of existing and deleted information, as well as important
99. s section in the project tree.
Extensions: The file extensions that will be used to filter the data files of this group.
Signature filter: The header and/or footer signatures that will be used to filter the data files of this group.
Tag As: The tag name that will be applied to the data file and will be used to list the files under the Tags section of the project tree.

7.2.1 Data Files Filtering Methods

Group filtering can be achieved by using one or more of the following methods:

Signature filter
Extension filter

7.2.1.1 Signature Filter

A Signature is a definition of the file header and/or footer that will be searched in order to detect a file type and associate it with a specific Data File group. The header and/or footer can be configured to lie within a defined range from the beginning and end of the file, respectively, by using the offset parameter (see figure 56). For example, a JPEG image starts with the header FF D8 FF and ends with the footer FF D9. Entering this information in the Header and Footer fields of the si

(Figure residue: the Settings > Data Files table lists groups with Description, Extensions and Signature filter columns, e.g. Images: jpg, jpeg, gif, png, bmp, 4 signatures; Video: 3gp, mp4, 0 signatures; the signature editor has Header "starts with", Footer "ends with" and "Header maximum offset" fields, the latter shown as 0)
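The signature filter above is a header/footer match bounded by a maximum offset, combined with an extension filter. The following is an added example, not code from the manual or from Cellebrite, that implements both and classifies a file into groups. It goes slightly beyond the JPEG case in the text: the 3GP/MP4 entry shows why the header maximum offset exists (the "ftyp" box sits at byte 4, not byte 0), and a JPEG carved with leading slack shows the same setting in the other direction. Group definitions, sample files and the non-JPEG signatures are constructed here; the extension lists follow the Images and Video groups visible in the settings figure.

```python
# Added example (not from the manual or Cellebrite's code): header/footer
# signature matching with maximum-offset windows, plus the extension
# filter, combined into a small data-file classifier. Group definitions are
# constructed here from the formats the manual names.

def matches_signature(data, header=None, footer=None,
                      header_max_offset=0, footer_max_offset=0):
    """True if header starts at byte 0..header_max_offset and footer ends
    within footer_max_offset bytes of the end of data (either may be None)."""
    if header:
        # Any hit inside this window necessarily starts at <= header_max_offset.
        window = data[:header_max_offset + len(header)]
        if window.find(header) < 0:
            return False
    if footer:
        start = max(0, len(data) - footer_max_offset - len(footer))
        if data[start:].rfind(footer) < 0:
            return False
    return True


# (header, footer, header_max_offset, footer_max_offset)
SIGNATURES = {
    "Images": [
        (b"\xff\xd8\xff", b"\xff\xd9", 0, 0),                # JPEG, as in the manual
        (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 0, 0),    # PNG signature and IEND chunk
        (b"GIF8", b"\x3b", 0, 0),                            # GIF87a/89a with trailer
    ],
    "Videos": [
        (b"ftyp", None, 4, 0),            # 3GP/MP4: 'ftyp' box type at offset 4
    ],
}
EXTENSIONS = {
    "Images": {".jpg", ".jpeg", ".gif", ".png", ".bmp"},
    "Videos": {".3gp", ".mp4"},
}


def classify(name, data):
    """Return the groups a file belongs to, by signature or by extension."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    groups = []
    for group in SIGNATURES:
        by_sig = any(matches_signature(data, *sig) for sig in SIGNATURES[group])
        by_ext = ext in EXTENSIONS.get(group, ())
        if by_sig or by_ext:
            groups.append(group)
    return groups


# Constructed sample files.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
PADDED_JPEG = b"\x00" * 16 + JPEG                     # carved with 16 bytes of slack
THREEGP = b"\x00\x00\x00\x18ftyp3gp4" + b"\x00" * 32  # box size, then 'ftyp'

if __name__ == "__main__":
    for name, blob in (("photo.dat", JPEG), ("slack.dat", PADDED_JPEG),
                       ("clip.bin", THREEGP), ("pic.PNG", b""), ("notes.txt", b"hi")):
        print("%-10s -> %s" % (name, classify(name, blob) or ["(unfiltered)"]))
```

With the JPEG entry's header maximum offset left at 0, as in the figure, `slack.dat` is not recognised as an image even though it contains a complete JPEG; raising that value to 16 or more (as the text describes) makes it match. Extension matches are shown separately from signature matches in the output only implicitly: `pic.PNG` has no content at all and is grouped purely by its extension, which is the usual argument for enabling both filters together.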
100. >>> f.seek(0)   # go to the beginning of the file
>>> f.read(50)
u'\x07\x00\x00\x81\x00\x00\x00\x00\x18\x96\x18\x00\x00\x01\xff\x0b\x81\x00\x90\x96...'

1.2.10 Viewing data in a textual hex dump

>>> data = f.read(300)
>>> hexdump(data)
00000000  0785 6171 5018 0685 ...
00000010  6171 5018 1607 4161 ...
00000020  5018 1607 8561 581c ...
00000030  1406 8561 7150 1486 ...
...
00000110  ffff ffff ffff ...
00000120  ffff ffff ffff ...

1.2.11 Creating a new file without data

>>> new_file = Node("new_file.dat", NodeType.File)
>>> new_file.Deleted = DeletedState.Deleted   # mark this file as deleted
>>> fs.SMS.Children.Add(new_file)             # add to a directory
>>> for i in fs.SMS:                          # list the files to see if it's there
...     print i.Name
sms.dat
aniheader
ANI
imageheader
MELODY
animation
IMAGE
new_file.dat      <- the new file exists in the directory

1.2.12 Creating a new file from chunks

Read more about chunks in the archi...
101. ...ser-defined chain with the current one, or Save As to save the current chain as a new chain.

2. If you click Save As, enter a name for the new chain and click Save. The new chain will be added to the My Chains list of customized chains of the application, and the saved chain will appear as the Selected Chain.

6.1.1.3 Add a Binary Dump

You can add more binary dump files, received from a different source or generated separately, to the project. To add a binary dump, click on Add Binary Dump and select the binary dump file you wish to add. Each binary dump you add will show up as a separate binary dump component in the Binary Dumps section of the dialog. To remove a binary dump, click on the remove icon that appears at its top right corner when you roll over it.

6.1.1.4 Add a File System Dump

You can add a file system dump to the project, received either as a ZIP archive or as a folder containing the file system dump files. To add a file system dump, click on either the Zip File or the Folder button and select the ZIP archive or folder you wish to add.

NOTE: You can add only one file system dump. Trying to add more than one will remove the previously added file system dump, regardless of whether it is a ZIP archive or a folder.

To remove a file system dump, click on the remove icon that appears at its top right corner when you roll over it.

6.1.2 Advanced Opening of a non-UFED Extraction File

When you receive binary and file system dumps that were not generated by a...
102. ...t of the application has a predefined parsing chain assigned to it.

NOTE: Besides plug-ins, a chain can also include other chains as part of it, which is a simpler way to use a predefined set of plug-ins within another chain. For more information about parsing chains and plug-ins, see Chains on page 91 and Plug-ins on page 97.

6.1.1.2.1 Selecting a Different Chain

To select a different chain:

1. Click on Switch Chain. The Switch Chain dialog opens and displays the default chain assigned to the device.

   NOTE: A device can have several assigned chains, but only one of them can be set as the default chain.

2. From the chains list, select the desired chain:
   - Select the manufacturer name under the Current Device section at the top of the list to display the chains assigned to devices of the same manufacturer.
   - Under the Chains section of the list, select My Chains to choose from the list of custom chains you constructed, or select All Chains to choose from the list of all predefined device chains. Use the list of manufacturers on the left to filter the displayed devices by manufacturer.
   - Use the Quick Filter field to filter the displayed list items.

   Figure 39: Selecting a different chain

3. Click Select to return to the Advanced Customization panel. The default chain will be replaced by the selected chain.

6.1.1.2.2 Editing the Current Chain

You can open the...
103. ...tach a device.
2. Click on the Edit Devices button at the top right of the chain window.
3. In the Devices For Chain window, click on the Attach Device button.
4. In the Select Device window, select the device you would like to attach to the chain. Use the Devices list to display only the devices of a specific manufacturer, and use the Quick Filter field to filter the displayed devices.
5. Click Select.
6. Repeat steps 4 and 5 to add more devices.
7. When you have finished attaching the devices, click Close.
8. Click Cancel to close the chain window.

6.5.1.3.2 Setting the Default Device Chain

To set the default chain of a device:

1. In the Chain Manager window, use the Devices list to locate the device you wish to modify.
2. Double-click on the device to display its chains window.
3. If the chains list of the device contains more than one chain, click the icon at the right edge of a chain to set it as the default chain of the device.
4. Click Close to close the device chains window.

6.5.1.3.3 Detaching Devices from a Chain

To detach a device from a chain:

1. Double-click on the chain from which you wish to detach a device.
2. Click on the Edit Devices button at the top right of the chain window.
3. Click on the x at the right of every device you wish to detach from the chain.
4. Click Close.
5. Click Cancel to close the chain window.

6.5.1.4 Removing a Chain

NOTE: Only chains in the My Chains list can be removed.

To remove a chain...
104. ...tecture section.

>>> # get the sms.dat file out
>>> sms_dat = ds.FileSystems.KFAT.sms["sms.dat"]
>>> # first let's create the MemoryRange with chunks from the sms.dat file
>>> chunks = []
>>> chunks.append(Chunk(sms_dat.Data, 1024))         # take the first KB
>>> chunks.append(Chunk(sms_dat.Data, 5000, 1024))   # take 1KB from offset 5000
>>> chunks.append(EmptyChunk(1000))                  # add 1000 zero bytes
>>> new_file.Data = MemoryRange(chunks)              # set the file's data

1.3 Memory Ranges

1.3.1 Accessing the project's Memory Ranges

>>> ds.MemoryRanges
MemoryRangeCollection (3 items): MCU, CTS, CTS Remapped XSR
>>> for m in ds.MemoryRanges.All:
...     print m.Name
MCU
CTS
CTS Remapped XSR
>>> cts = ds.MemoryRanges.CTS
>>> cts
MemoryNode CTS (69206016b in 1 chunks, 1 child)
>>> cts.Length
69206016L
>>> cts.LengthMB    # length in megabytes
66.0

1.3.2 Reading data from a Memory Range

This is done the same way as reading data from a file (file.Data is a MemoryRange object):

>>> mr = ds.MemoryRanges.CTS
>>> mr.seek(0)   # go to the beginning of the data
>>> mr.read(50)
u'\x00\x00\x00\x0f\x00\x00\x00\x01\x00\x00...XSR1\x00\x00...'

1.3.3 Creating a new MemoryRange and adding it to the project

A MemoryNode is...
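The following is an added example, written for this page and not part of the manual or of the product's scripting environment, that models what sections 1.2.10 to 1.3.2 describe: a MemoryRange assembled from chunks cut out of other data plus zero-filled gaps, read through a file-like seek/read interface, and a textual hexdump in the 16-bit-word layout shown on the page. The class names mirror the manual's session for readability only; the real Chunk, EmptyChunk and MemoryRange objects exist inside UFED Physical Analyzer, and SMS_DAT here is constructed sample data standing in for sms.dat.

```python
"""Standalone model of the chunk-based MemoryRange used in sections 1.2.10 to
1.3.2 above: a readable range assembled from windows onto other data plus
zero-filled gaps, with seek/read like a file, and a textual hexdump in the
16-bit-word layout shown on the page. Added illustration for this page; it
is not the UFED Physical Analyzer scripting API (whose Chunk, EmptyChunk and
MemoryRange objects exist only inside the product), and the SMS_DAT buffer is
constructed sample data standing in for sms.dat."""


class Chunk:
    """A window of `length` bytes starting at `offset` inside `source`.
    Chunk(src, n) means "the first n bytes"; Chunk(src, off, n) a window at
    off, mirroring the two call shapes used in the manual's session."""

    def __init__(self, source, offset, length=None):
        if length is None:
            offset, length = 0, offset
        if offset < 0 or length < 0 or offset + length > len(source):
            raise ValueError("chunk window lies outside its source")
        self.source, self.offset, self.length = source, offset, length

    def read(self, start, size):
        """Bytes [start, start+size) of this chunk, clipped to the chunk."""
        size = max(0, min(size, self.length - start))
        src = self.source
        if isinstance(src, MemoryRange):     # chunks may be cut from ranges too
            src.seek(self.offset + start)
            return src.read(size)
        return bytes(src[self.offset + start:self.offset + start + size])


class EmptyChunk:
    """`length` zero bytes that occupy no storage (a hole in the range)."""

    def __init__(self, length):
        self.length = length

    def read(self, start, size):
        return b"\x00" * max(0, min(size, self.length - start))


class MemoryRange:
    """Concatenation of chunks exposed through a file-like seek/read API."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.pos = 0

    def __len__(self):
        return sum(c.length for c in self.chunks)

    def seek(self, pos):
        self.pos = max(0, min(pos, len(self)))

    def read(self, size=-1):
        """Read up to `size` bytes across chunk boundaries; -1 reads to end."""
        if size < 0:
            size = len(self) - self.pos
        out, remaining, base = bytearray(), size, 0
        for c in self.chunks:
            if remaining == 0:
                break
            if self.pos < base + c.length:   # request overlaps this chunk
                piece = c.read(self.pos - base, remaining)
                out += piece
                remaining -= len(piece)
                self.pos += len(piece)
            base += c.length
        return bytes(out)


def hexdump(data, width=16, base=0):
    """Textual dump: offset, 16-bit words (as on the page), printable text."""
    lines = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        words = " ".join(row[i:i + 2].hex() for i in range(0, len(row), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append("%08x  %-*s  %s" % (base + off, width * 5 // 2 - 1, words, text))
    return "\n".join(lines)


# Constructed stand-in for sms.dat: 7680 bytes, byte value == offset mod 256.
SMS_DAT = bytes(range(256)) * 30


def build_new_file_data(source=SMS_DAT):
    """The manual's recipe: first KB, 1 KB from offset 5000, then 1000 zeros."""
    return MemoryRange([Chunk(source, 1024), Chunk(source, 5000, 1024), EmptyChunk(1000)])


if __name__ == "__main__":
    mr = build_new_file_data()
    mr.seek(1020)                     # straddle the first two chunks
    print(len(mr), "bytes")
    print(hexdump(mr.read(32), base=1020))
```

The point of the chunk design is that the new file owns no copy of the bytes: reading it is resolved, window by window, against the original dump, so a chunk cut from a MemoryRange that is itself built from chunks still reads correctly (the Chunk.read branch for MemoryRange sources), and the read position advances across chunk boundaries and into the zero-filled hole exactly as it would in a flat file.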
105. ...toolbar, click on the Read Data from UFED button.
7. In the displayed UFED Downloader window, specify the download path to which the dump should be saved, then click the Start button.
8. The UFED unit will create the dump under the specified folder.
9. At the end of the extraction process, you will be prompted to open the extracted dump.

NOTE: Click the Open Target Folder button to display the content of the selected target folder.

Figure: UFED unit screens (main menu: Extract Phone Data, Extract SIM/USIM Data, Clone SIM, Physical, File System Dump; Select Vendor list: Recently Used, Motorola GSM, Motorola iDEN, Nokia CDMA, ...; Select Model list: Nokia 6238, ...)

3.2 Extracting the File System

The File System Dump option extracts all the accessible files on the mobile phone using a logical process. Extracting the file system is an alternative way to get data from phones, including phone models that are not currently supported with a physical dump. UFED Physical Pro provides access to, and extracts, hidden files and databases that are inaccessible to other file system acquisition tools. From the extracted file system you can get many different types of application files that can be decoded and then searched for information, such as the Contacts or SMS database files.

The process for extracting a File System Dump is almost ident...
106. ...tring"><![CDATA[Drafts]]></value>
    </field>
    <field name="SMSC" type="String">
      <value type="String"><![CDATA[97254120032]]></value>
    </field>
    <field name="Message" type="String">
      <value type="String"><![CDATA[ABabABabABABabABabABABabABabABABabABabABABabABabABABabABabABABabABabABABAbABabABABAbABAabABABAbABAbABABAbABADABA]]></value>
    </field>
    <field name="Name" type="String">
      <empty/>
    </field>
    <field name="Source" type="String">
      <empty/>
    </field>
  </model>
  <model type="SMS" id="41018bd4-17ae-443b-8686-8dd905442add">
    <field name="TimeStamp" type="TimeStamp">
      <empty/>
    </field>
    <field name="Status" type="MessageStatus">
      <value type="MessageStatus"><![CDATA[Default]]></value>
    ...

Figure: The SMS Messages list view (columns: Date, Time, Folder, Status, SMSC, Deleted; rows such as 00096970059, To, Drafts, 97254120032), the Contacts view (499 items) and an exported report.xlsx opened in Microsoft Exc...
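The following is an added example, not code from the manual or from Cellebrite, that reads records in the XML layout shown above (a model element with type and id attributes, field elements with name and type, and a body that is either a value element wrapping CDATA or an empty element) into plain dictionaries and flattens them to CSV. The page shows only a fragment, so the models root element, the second record and every value in SAMPLE_XML other than the page's own Drafts/SMSC/Status/id are constructed for the example.

```python
"""Reader for the XML report layout shown above: each <model type id> holds
<field name type> elements whose body is either <value type><![CDATA[...]]>
</value> or <empty/>. Added illustration for this page, not Cellebrite code;
the <models> root element and the records in SAMPLE_XML are constructed for
the example (the page shows only a fragment, so the real root element and
any structure outside <model>/<field>/<value> are assumptions)."""
import csv
import io
import xml.etree.ElementTree as ET

SAMPLE_XML = """<models>
  <model type="SMS" id="41018bd4-17ae-443b-8686-8dd905442add">
    <field name="Folder" type="String"><value type="String"><![CDATA[Drafts]]></value></field>
    <field name="SMSC" type="String"><value type="String"><![CDATA[97254120032]]></value></field>
    <field name="Message" type="String"><value type="String"><![CDATA[Meet at <cafe> & go]]></value></field>
    <field name="Name" type="String"><empty/></field>
    <field name="TimeStamp" type="TimeStamp"><empty/></field>
    <field name="Status" type="MessageStatus"><value type="MessageStatus"><![CDATA[Default]]></value></field>
  </model>
  <model type="SMS" id="00000000-0000-0000-0000-000000000002">
    <field name="Folder" type="String"><value type="String"><![CDATA[Inbox]]></value></field>
    <field name="SMSC" type="String"><value type="String"><![CDATA[97254120032]]></value></field>
    <field name="Message" type="String"><value type="String"><![CDATA[]]></value></field>
    <field name="TimeStamp" type="TimeStamp"><value type="TimeStamp"><![CDATA[2009-06-01 11:52:31]]></value></field>
  </model>
</models>"""


def parse_models(xml_text, model_type=None):
    """One dict per <model>: type, id, then one key per field. A field with
    <empty/> maps to None; a present-but-blank value maps to "" so the two
    cases (not recovered vs. recovered as empty) stay distinguishable."""
    root = ET.fromstring(xml_text)
    rows = []
    for model in root.iter("model"):
        if model_type is not None and model.get("type") != model_type:
            continue
        row = {"type": model.get("type"), "id": model.get("id")}
        for field in model.findall("field"):
            value = field.find("value")
            row[field.get("name")] = None if value is None else (value.text or "")
        rows.append(row)
    return rows


def to_csv(rows, columns):
    """Flatten rows into CSV text with a fixed column order; None becomes ""."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: ("" if row.get(k) is None else row.get(k)) for k in columns})
    return buf.getvalue()


if __name__ == "__main__":
    sms = parse_models(SAMPLE_XML, "SMS")
    print(to_csv(sms, ["id", "Folder", "TimeStamp", "SMSC", "Message"]))
```

The CDATA wrapper is what lets a message body contain angle brackets or ampersands without breaking the report, and the parser relies on the XML library to unwrap it rather than on string matching. Keeping the empty-element case as None rather than "" matters for the draft shown on the page: its TimeStamp is absent, which is a different finding from a timestamp that was recovered but blank.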
107. ...ue = "An awesome iPhone"
>>> ds.Models.Add(d)

McSira / Cellebrite, www.McSira.com, info@McSira.com
108. ...wing figure.

Go To button: Click this button to display the Go To dialog, where you can set the offset value in Decimal or Hex and set the reference point (Offset From) from which this offset is measured: Beginning of file, Current position or End of file.

Figure 58: The Go To dialog (Offset value; Decimal / Hex; Offset From: Beginning of file, Current position, End of file)

Offset value field: Enables you to enter the offset value you wish to go to, or to select one of the previously entered values from the list. You can enter the value in decimal format (20) or in hex format (0x20). Adding a + or - before the value indicates that the offset should be calculated from the current position.

Jump Back button: Uses the value entered or selected in the offset value field to jump to the set offset. For an offset-from-current-position value (with + or -), it moves the offset backward (+) or forward (-) from the current offset. For an offset address value (decimal or hex), it moves the offset to that address.

Jump Forward button: Uses the value entered or selected in the offset value field to jump to the set offset. For an offset-from-current-position value (with + or -), it moves the offset forward (+) or backward (-) from the current offset. For an offset address value (decimal or hex), it moves the offset to that address.

6.4.5 Bookmarks

The Bookmarks feature is used to define and save s...
109. ...ytes (hex) field, enter the hex value, e.g. FFD8FF.
5. Set the Search direction, Search result window and search colors options.
6. Select Find all instances to display all search results at the end of the process, or deselect it to move through the found items one by one during the search (this can also be done by pressing F3).
7. Click Find.

6.3.5 Dates Search

This search method finds a range of dates in the hex dump.

2. Select Dates from the list at the top of the dialog (the list offers Find, RegEx, GREP, SMS 7Bit PDU, Pattern, Code and Dates).
3. Select the desired date format(s) to be used in the current search; more than one date format can be selected.
4. In the Min Date and Max Date fields, enter the required date range.
5. Set the Search direction, Search result window and search colors options.
6. Select Find all instances to display all search results at the end of the process, or deselect it to move through the found items one by one during the search (this can also be done by pressing F3).
7. Click Find.

Figure 46: Dates search (Dates range parameters: date formats, Min date, Max date, e.g. 19/10/2009; Options: Search direction, Search results window, Colors (Text, Background), Find all instances, Show results comments (slower))

NOTE: To reduce the number of results, it is advised to narrow the date range using the Min Date and Max Date fields.
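The following is an added example, not code from the manual or from the product, of the technique behind the Dates search: decode every 4-byte window of a dump as a timestamp in each selected format and keep those that fall inside the Min Date/Max Date range. The encodings searched for here (32-bit seconds since 1970-01-01 UTC, little- and big-endian) are an assumption, since the product's selectable date formats are not legible on the page; SAMPLE is constructed. The narrow_vs_wide function shows, on the same buffer, why the NOTE above advises a tight date range.

```python
"""Date-range search over a hex dump, the technique behind the Dates search
described above. Added illustration for this page, not UFED Physical
Analyzer code. The encoding searched for (a 32-bit count of seconds since
1970-01-01 UTC, little- or big-endian) is an assumption: the product's
selectable date formats are not legible on the page. SAMPLE is constructed."""
import struct
from datetime import datetime, timezone

FORMATS = {"unix32-le": "<I", "unix32-be": ">I"}


def _epoch(d):
    """Seconds since 1970-01-01 UTC for a naive datetime taken as UTC."""
    return int(d.replace(tzinfo=timezone.utc).timestamp())


def find_dates(data, min_date, max_date, formats=("unix32-le", "unix32-be")):
    """Every offset at which a 4-byte word decodes, in one of `formats`, to a
    timestamp within [min_date, max_date]. Returns (offset, datetime, format).
    Scanning at every byte offset is deliberate: timestamps inside records are
    rarely 4-byte aligned."""
    lo, hi = _epoch(min_date), _epoch(max_date)
    hits = []
    for off in range(0, len(data) - 3):
        for name in formats:
            (value,) = struct.unpack_from(FORMATS[name], data, off)
            if lo <= value <= hi:
                hits.append((off, datetime.fromtimestamp(value, timezone.utc), name))
    return hits


# Constructed dump: noise, a little-endian timestamp, zeros, a big-endian one.
T1 = datetime(2009, 6, 1, 11, 52, 31)
T2 = datetime(2009, 6, 15, 12, 0, 0)
SAMPLE = (b"\xff" * 4 + struct.pack("<I", _epoch(T1)) + b"\x00" * 4
          + struct.pack(">I", _epoch(T2)) + b"\x00" * 4)


def narrow_vs_wide():
    """Same buffer, two ranges. The wide range also returns words that
    straddle a real timestamp and its zero padding (0x4A000000 read across
    the boundary decodes to May 2009), which is the NOTE's point."""
    narrow = find_dates(SAMPLE, datetime(2009, 6, 1), datetime(2009, 6, 30, 23, 59, 59))
    wide = find_dates(SAMPLE, datetime(2009, 1, 1), datetime(2009, 12, 31, 23, 59, 59))
    return narrow, wide


if __name__ == "__main__":
    narrow, wide = narrow_vs_wide()
    for label, hits in (("narrow", narrow), ("wide", wide)):
        print(label, [(off, dt.isoformat(), fmt) for off, dt, fmt in hits])
```

Any 4 bytes decode to some date, so the false-positive rate is governed entirely by how wide the range is and how many formats are enabled at once; a week around the event of interest with one or two formats is usually workable, a whole decade with every format is not.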
110. ...zation

Figure 71: General settings (Language: English; Dump: Save deleted files, Add .DEL extension for deleted files; Export CSV: Encoding, Separator; Report: Default folder, e.g. C:\Documents and Settings\Four4ces\My Documents\My Reports; UFD Configuration: Automatically verify images on project load)

Report: Sets the default path to the folder where the reports you generate are saved.

UFD Configuration: Settings used for loading .ufd files.

7.2 Data Files Settings

The Data Files settings determine the different file and tagging groups under the Data Files and Tags sections of the project tree, and the types of files filtered into each. Projects need to be reloaded to reflect any changes in this section.

Figure 72: Data Files settings

  Description   Extensions                       Signature filter
  Images        jpg, jpeg, gif, png, bmp         4 signatures
  Videos        avi, mpg, wmv, 3gp, 3g2, mp4     0 signatures
  Audio         wav, mp3, mid, wma, midi, am     0 signatures
  Text          txt, xml, html                   0 signatures

Every data file record in the list consists of the following fields:

Active: Indicates whether to display (checked) or hide (unchecked) this group of data files in the project tree.

Description: A descriptive name for the type of data files, which will be used as the group name under the Data File...
