Most popular questions

UFED Touch/PC and UFED Physical/Logical Analyzer
April 2015
Popular questions related to UFED Touch/PC and UFED Physical/Logical Analyzer.
1. Question: Can Cellebrite decode WhatsApp audio files?
Answer: Yes, we can. The file can be opened by double-clicking on it from the Chat view.
Android location: /data/media/WhatsApp/Media/WhatsApp Voice Notes
iOS: It is part of the Messages database files.
2. Question: Does Cellebrite support WhatsApp Crypt8 encryption?
Answer: As of UFED Physical Analyzer (release 4.1.1), support for Crypt8 decoding is available
(relevant for Android devices only) for file system and physical extraction methods only.
In case of a logical or file system extraction via the "Android backup" methods, the key to decrypt
WhatsApp Crypt8 will not be part of the extraction output, and therefore the data will not be
decoded by UFED Physical Analyzer.
This is currently a limitation of the Android OS.
3. Question: Is the pin code extracted in a physical extraction?
Answer:
For Android devices:
When we perform a physical extraction, Cellebrite always extracts the file that has the hash value of
the pin code. The maximum pin code length that UFED Physical Analyzer decodes is 5 digits. If the
pin code is longer, it will not be displayed.
For iOS devices:
For devices that are supported for physical extraction, the pin code (4-digit code) should always be
extracted.
4. Question: What are Frequent Locations on iOS Devices?
Answer: Your iPhone will keep track of places that you have recently been, as well as how often and
when you visited them, in order to learn places that are significant to you. This data is kept solely on
your device and will not be sent to Apple without your consent. It will be used to provide you with
personalized services, such as predictive traffic routing.
As you go about your daily routine, your iPhone makes note of where you are and how long you are
there. When it starts detecting patterns, it marks the spot as a "frequent location." It assumes
workplace location based on where you are during the day, and your house address based on where
you are at night, and it tracks various repeated locations regardless of time: friends' houses, favorite
restaurants, etc.
©2015 Cellebrite Mobile Synchronization Ltd.
5. Question: What does "Device Locations" refer to in an extraction (for example from a Facebook Chat)?
Answer: "Device Locations" are actually the locations that are found on the mobile device and not
necessarily the locations where the device has been.
So, for example, in a Facebook chat, the device locations found on the device may refer to the
location of the message sender and not just the location of the receiver, i.e. the device’s owner.
6. Question: How do you perform a logical extraction on a locked iPhone 4S and above using .plist files?
Answer: As of UFED Physical Analyzer 3.7, it is possible to perform a logical extraction of a locked
iPhone 4S and above (4S/5/5S/5C), provided the paired .plist files are available, as follows:
• In order to open the .plist file, you need to run UFED Physical Analyzer as an administrator: right-click on the UFED Physical Analyzer icon and select Run as administrator.
• To extract a locked iOS device using the pairing files located in the lockdown folder, you simply need to copy the content of the lockdown folder from the computer the device was paired with into the local lockdown folder on the computer where UFED Physical Analyzer is installed.
• Additionally, the iOS version on the iPhone must be the same as the version of the .plist files at hand. For example, you cannot use the .plist files from iOS version 7.0.4 if the iPhone was updated and is currently running version 7.1; the extraction will not work and will result in an error.
The Lockdown folders are found as follows:
• On Mac: /private/var/db/lockdown
• On Windows Vista and up: C:\ProgramData\Apple\Lockdown
• On Windows XP: C:\Documents and Settings\All Users\Application Data\Apple\Lockdown
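An added example (not Cellebrite's code and not part of the original FAQ) of the copy step described above: it hashes each pairing .plist, checks that it parses, and never overwrites a record already in the local lockdown folder. The function names and status strings are hypothetical; the folder paths are the ones listed above.

```python
import hashlib
import plistlib
import shutil
from pathlib import Path

# Lockdown folder locations as listed in the answer above.
LOCKDOWN_DIRS = {
    "mac": Path("/private/var/db/lockdown"),
    "windows_vista_up": Path(r"C:\ProgramData\Apple\Lockdown"),
    "windows_xp": Path(
        r"C:\Documents and Settings\All Users\Application Data\Apple\Lockdown"),
}


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def stage_pairing_files(source, dest):
    """Copy each readable .plist from source into dest; return a manifest.

    Hypothetical helper: every file is hashed before the copy and re-hashed
    after it, and a file already in dest is never overwritten.
    """
    source, dest = Path(source), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(source.glob("*.plist")):
        entry = {"name": src.name, "sha256": sha256_of(src), "status": "copied"}
        manifest.append(entry)
        target = dest / src.name
        try:
            with src.open("rb") as fh:
                plistlib.load(fh)  # accepts XML and binary plists
        except Exception:  # plistlib raises several types for damaged input
            entry["status"] = "skipped: not a readable plist"
            continue
        if target.exists():
            same = sha256_of(target) == entry["sha256"]
            entry["status"] = ("already present" if same
                               else "skipped: different file already present")
            continue
        shutil.copy2(src, target)  # copy2 also preserves timestamps
        if sha256_of(target) != entry["sha256"]:
            target.unlink()
            entry["status"] = "failed: hash mismatch after copy"
    return manifest
```

The returned manifest can be kept with the case notes as a record of which pairing files were staged and their hashes.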
7. Question: What is the default location of the SMS.db on Android devices?
Answer: The default location is:
/dbdata/databases/com.android.providers.telephony/mmssms.db.