Cellebrite has been a standard in our labs - both in the Michigan lab used to test products for SC Magazine and at Norwich University's teaching lab, where I taught and was CISO for many years (until last month). We always have enjoyed using the UFED tools and this year is no exception. In keeping with the investigation-centered approach, we are looking at three powerful tools in the UFED series: UFED 4PC Ultimate, UFED Link Analysis and the new UFED Cloud Analyzer.
UFED 4PC Ultimate is a combination of the popular UFED Physical and UFED Logical analyzers placed into a single PC-based product. That worked very well in the lab where we have it installed on our primary forensic computer. The UFED Touch (not reviewed), a standalone device, is appropriate for the field, and extractions done in the field using that tool can be brought back to the lab for additional analysis.
The UFED 4PC supports well over 7,000 devices and is both efficient and fast. You can do physical, logical or file system extractions, and given that breadth of coverage it is unlikely that you will find a device from which you cannot get some useful data. We use it regularly for routine extractions and analysis. It contains excellent reporting and the user interface is intuitive and complete.
UFED Link Analysis is an especially neat tool. While it does not intend to be a full-featured link analyzer for general use, it is optimized for linking multiple UFED extractions. This allows rapid association of commonalities between multiple devices. Those commonalities might include identification of particular individuals who appear across multiple phones - suggesting some sort of group relationship. Prior to Link Analysis we had to perform these associations manually. We have been using general purpose link analysis for years and were excited when UFED Link Analysis hit the market. Along with UFED 4PC, Link Analysis has become our workhorse tool when more than one device is involved in a case.
The newest addition to the suite is UFED Cloud Analyzer. Anyone who ever has conducted an investigation that suggests a link to social media will want this tool. With consent of the social media user or a search warrant - either of which is entered in the analysis summary - a full dump of a social media site, such as Twitter, takes just minutes. We tested it on a Twitter account and it extracted activity in great detail going back a couple of years.
Clearly these three tools fit the usual process of a mobile device investigation. Better, once the mobile device aspect has been completed - start with the extractions and individual analysis, move on to link analysis to find associations and then extract social media information for a complete mobile device investigation - you can often take the extractions and add them to a computer forensic tool for integration into the larger investigation.
The Cellebrite website is excellent with lots of information and downloads. Once you are a Cellebrite customer you have access to a portal that lets you download updates and other important information, such as manuals. There is a wide range of support options and it is best to consult Cellebrite to see which one suits your circumstances best. As an investigation-focused mobile device forensics suite, the UFED series is hard to beat. Mobile device forensics can be the most challenging in the forensic lab and we have found over the years that the UFED tools serve us very well.