NOW SUPPORTING 22,179 DEVICE PROFILES 4,187 APP VERSIONS

RELEASE NOTES UFED PHYSICAL ANALYZER, Version 6.3 | July 2017 UFED LOGICAL ANALYZER, UFED READER

CHECK OUT OUR NEW VIDEO ON UFED 6.3! HIGHLIGHTS

APPS SUPPORT ◼◼ 2 new apps for Android and iOS: CM Security Master Antivirus (Android) and Private Zone – AppLock ◼◼ Decoding support – LinkedIn messages for Android devices ◼◼ Telegram cloned apps for Android – Telegram is an open source app, and in Google Play there are many apps available for download. We have added a generic parser which can decode information from various cloned apps, including Telegram + app and Telegram Plus. Watch video now! https://vimeo.com/222514207/1d01006bfb ◼◼ 139 updated application versions

FUNCTIONALITY IDENTIFY KNOWN FILES ◼◼ Quickly identify known media files using Project VIC/CAID USING MULTIPLE HASH SETS ◼◼ Identify known files using Hash Sets INCLUDING PROJECT VIC/CAID ◼◼ Carve more locations data from unallocated space and Quickly identify media files by creating databases using Project unsupported databases VIC or CAID hash values, and matching them against existing ◼◼ View locations by classified origin media files. ◼◼ Disclose even more web history and search terms from additional sources ◼◼ New conditions functionality in SQLite Wizard ◼◼ Tag global search results ◼◼ Notifications center ◼◼ Export image files in Griffeye format ◼◼ Recover the deleted participants list from iMessages ◼◼ Decode Google Archive files ◼◼ Recover locations history data (iOS) ◼◼ Decode modified IMEI (Android) ◼◼ Search using wild cards in Hex viewer ◼◼ Decode Bluetooth history (iOS) ◼◼ Decode the FindMyiPhone state ◼◼ Decode the Advertising ID NEW! BOOST LOCATIONS ◼◼ Decode the last backup date DATA USING AN INNOVATIVE CARVING SOLUTION Get the most locations data possible from a digital device by using a unique carving method to obtain more data from unallocated space and unfamiliar databases. FUNCTIONALITY

QUICKLY IDENTIFY KNOWN MEDIA FILES USING PROJECT VIC/CAID

Cellebrite is proud to provide you with a capability to quickly identify media related to child exploitation, that can incriminate predators. UFED Physical Analyzer 6.3 enables you to create Hash databases by importing Project VIC/CAID files, and matching them against media recovered as part of the extraction, specified with the appropriate VIC/CAID category. Cellebrite’s Analytics solution offers the complete package to fight against child exploitation.

In partnership with law enforcement agencies, Cellebrite has developed a unique and innovative method, complementing the Project VIC/CAID solution, that enables users to identify and tag suspected child exploitation related media (images and video) VIEW LOCATIONS BY CLASSIFIED ORIGIN within a new Suspected Child Exploitation Media category. UFED Physical Analyzer classifies each recovered location record Click here for more details. by its origin: Device and External. In this version, 6.3, you can now view and filter for locations that are related and unrelated IDENTIFY KNOWN FILES USING HASH SETS to the device user’s activities (This does not mean the device Identify and upload any csv or text file which contains a list of has been in this location). For example: A picture taken by the known hash values, and match it against any file recovered from camera on a digital device is classified as a ‘Device’ location. the device. To start using this capability, follow these steps: While a picture received on the device is marked as ‘External’ Tools ––> Watch list ––> Hash set manager. You can customize as the location is related to the image sender. Locations are the hash sets results both in UI and reports, using the following highlighted with a different color on the map. options – Show, Hide and Redact. Note: Some locations are classified as unknown

DISCLOSE EVEN MORE WEB HISTORY AND SEARCH TERMS CARVE MORE LOCATIONS DATA FROM UNALLOCATED SPACE AND FROM ADDITIONAL SOURCES UNSUPPORTED DATABASES UFED Physical Analyzer can now carve more search history data This unique and innovative solution allows you to decode an from allocated and unallocated memory space, and additional even greater amount of locations data from unallocated space web browsers including Chrome, Samsung browser and Firefox. and unsupported databases. To start using this feature, open the Device Locations and click the carving icon or start the Intact and deleted new records from this carving process can be carving process from: Tools ––> Get more data (carving) ––> Carve found under the Searched Items model. This capability is relevant locations. The carver allows you to either search for additional to iOS, Android and Windows phone devices. locations, up to three of the most visited areas, or any other custom area.

Note: The carving results may produce many false positive events.

Cellebrite Release Notes | UFED v 6.3 | July 2017 | 2 FUNCTIONALITY (CONT...)

NEW CONDITIONS FUNCTIONALITY IN SQLITE WIZARD DECODE GOOGLE ARCHIVE FILES

In cases where the interpretation of a field is based on another Open and decode Google Archive files using UFED Physical field’s value, you can map that data using the new conditions Analyzer (via Advanced Search, or by running the Google function. For example: SMS participants table in an SQLite Archive Databases chain). This archive file contains important database contains SMS information. In several cases, the same information including: Chrome history and bookmarks, contacts column will contain both From and To values of an SMS message. from Google account and Google+, emails from Gmail, search You can now create a new condition to distinguish between the history from Google Play, chats, calls and contacts from two different field values. Hangout, and played/search history from YouTube.

RECOVER LOCATIONS HISTORY DATA (iOS)

We have enhanced the locations data from iOS devices. You can now decode additional location history records from the maps data plist file. This file is used to sync location history from the iOS device to the cloud service.

DECODE MODIFIED IMEI (ANDROID)

It is possible to change the device IMEI number using flash boxes or other methods. UFED Physical Analyzer version 6.3 can now decode the modified IMEI number (when available) in addition to the previous IMEI number.

TAG GLOBAL SEARCH RESULTS Note: There is no indication in UFED Physical Analyzer if the Create tags for all Global Search results items in a touch of a IMEI is original. button. We have also enhanced the Global Search UI to provide SEARCH USING WILD CARDS IN HEX VIEWER you with a familiar user experience. Within the Find tab in Hex viewer, you can now search using wild cards - ? and * (? replaces an octet - 4 bit and * replaces an entire byte).

NOTIFICATIONS CENTRE

Never miss a thing with the new automatic notifications that will keep you up to date with new feature and capabilities in DECODE BLUETOOTH HISTORY (iOS) UFED Physical Analyzer. In the Notification Centre, you can now view the latest alerts, news, warnings, completed actions and Under the Bluetooth Devices model, you could previously view much more. To view Notifications, click on the Bell icon–– > View a list of Bluetooth devices that were connected to the device. all notifications. We have enhanced the results presented with additional Bluetooth history records for iOS devices (using full File System EXPORT IMAGE FILES IN GRIFFEYE FORMAT extraction which is available via Cellebrite Advanced Investigative Easily export selected images in Griffeye format (* C4P Index. Services (CAIS)). xml). You can import the exported file into Griffeye using a C4All DECODE FINDMYIPHONE STATE XML data source. Under Device Info, for iOS devices, you can now view if the RECOVER THE DELETED PARTICIPANTS LIST FROM IMESSAGES “’FindMyiPhone” setting is enabled. We have added support for iOS devices, recovering deleted participants’ information from iMessages.

Cellebrite Release Notes | UFED v 6.3 | July 2017 | 3 FUNCTIONALITY (CONT...) APP SUPPORT DECODE ADVERTISING ID

Under Device Info, for both iOS and Android devices, you can now view the “Advertising ID” of the device. Using Mobile iOS advertising, mobile app developers can identify who is using their mobile applications.

DECODE LAST BACKUP DATE

Under Device Info, for iOS devices, you can now view the “Last Backup Date” of the device. Application Type Decoding Feature LEO Privacy / Decryption of private pictures, Private Zone - Files private videos and private files AppLock DID YOU KNOW

UFED Physical Analyzer allows you to convert the BSSID ANDROID values (wireless networks) into location positions/ specific addresses, so that you can easily reveal and track connections to wireless networks, within a specific timeframe. You can also download an offline database or use Cellebrite’s enrichment service from My.Cellebrite (~60 GB). To ease the download of this large database, you can now download split database files (6 files, 10 GB file size) and Application Type Decoding Feature CM Security load the files into UFED Physical Analyzer. Tools User account Master Antivirus Note: From this version, 6.3, onwards, UFED Physical LEO Privacy / Private bookmarks, decryption Analyzer will merge all database files. Private Zone - of passcode, accounts, VIP cards, Files AppLock bank cards and private albums (file system) SOLVED ISSUES

The following issues have been resolved: iOS: NEW AND UPDATED APPS A decoding issue of iCloud backup (Apple ◼◼ 1 NEW App production data). 166 UPDATED Apps ◼◼ A localization issue of SIM information under device info in Japanese. Any.DO 4.9.0 ◼◼ A decoding issue of locations from the Endomondo Aliwangwang 4.1.6 app for Android devices. Badoo 5.4.0 ◼◼ A decoding issue of call logs from a public pay phone, BeeTalk 2.5.54 the from participant appears as -3. Blendr 5.6.0 ◼◼ A decoding failure of the WeChat app version 6.5.4 (Android). Booking.com 14.2 ◼◼ A decoding failure of Samsung GSM GT-E1200i Chatous 3.8.7 Keystone 2. Ctrip 5.0.0 ◼◼ A decoding issue with missing POI of a TomTom Dropbox 46.2 GPS device model Start 25, type no. 4EN52. Evernote 8.2.1 Expedia 17.18 Facebook 92 Facebook 117 KNOWN ISSUES Messenger Firefox 7.4 Redacted thumbnails are not presented in IE 10; they Flipboard 4.0.12 appear as unavailable due to browser limitation. Foursquare 10.6 Garmin Connect 3.18

Cellebrite Release Notes | UFED v 6.3 | July 2017 | 4 iOS: NEW AND UPDATED APPS (CONT...) ANDROID: NEW AND UPDATED APPS

Gmail 5.0.170423 2 NEW Apps Google App 26 73 UPDATED Apps Google Docs 1.2017.16203 ASKfm 4.3.4 Google Maps 4.31.1 Badoo 5.10.0 Google+ 6.8.0 BBM 3.3.3.39 Grindr 3.8.0 BeeTalk 2.3.3 Hangouts 15.5.0 Blendr 5.11.0 HERE Maps 2.0.21 Booking.com 12.6 Hot or Not 5.6.0 Chatous 3.9.45 Hushed 3.10.1 Chrome 58.0.3029.83 imo 7.0.73 CM Locker 4.6.8 Inbox 1.3.170423 CM Security 5.20.78 Instagram 10.2 Browser InstaMessage 2.7.4 Dropbox 46.2.2 Kakao Story 4.4.2 Endomondo 17.4.0 Keeper 10.7.0 Expedia 8.21.0 Kik Messenger 11.18.0 Facebook 122.0.0.17.71 LINE 7.3.0 Facebook 117.0.0.17.70 LinkedIn 9.1.29 Messenger Mail.Ru 8 FireChat 8.0.32 Meet24 1.7.51 Firefox 53.0.2 Odnoklassniki 6.15.1 Flipboard 4.0.9 One Drive 8.15.2 Gmail 7.4.9.154371932.release Pinterest 6.25.1 Google Calendar 5.7.18-154035640-release QQ 7.0.1 Google Drive 2.7.153.14.36 Runtastic 7.2 Google Maps 9.51.1 SayHi 6.6 Google Photos 2.14.1.154467786 Scruff 5.1005 Google Quick 7.0.13.21.arm Search Box Skout 4.24.3 Google+ 9.11.0.154487446 Skype 6.35 Grindr 3.7.0 Snapchat 10.8.0.0 Hangouts 19.0.154358895 surespot 15 encrypted HERE WeGo 2.0.11457 messenger Hot or Not 5.10.0 Taxify 3.13 imo 9.8.000000006371 textPlus 7.0.1 Inbox 1.46.154499565.release Tinder 7.4.0 Instagram 10.19.1 Truecaller 7.5 InstaMessage 2.6.2 Tumblr 8.5 Kakao Story 4.4.3 6.78 KakaoTalk 6.2.2 Twitterrific 5.17.3 Keeper 10.5.11 Uber 3.244.2 Kik Messenger 11.18.1.15578 Viber 6.8.5 LINE 7.3.0 6.0.2 LinkedIn 4.1.43 Vkontakte 2.13 Meet24 1.30.5 Waze 4.23.1 Momo 7.6.2 Weibo 7.4.1 mysms 6.4.7 WhatsApp 2.17.22 Odnoklassniki 17.4.30 Whisper 8.5.1 ooVoo 3.1.8 Yahoo Mail 4.15.1 Outlook.com 2.1.203 Yandex Browser 17.4.2.162 Path 6.1.0

Cellebrite Release Notes | UFED v 6.3 | July 2017 | 5 ANDROID: NEW AND UPDATED APPS (CONT...)

POF (Plenty of 3.47.2.1417465 Fish) QQ Browser 7.5.0.3240 Runtastic 7.2.1 Signal Private 4.5.3 Messenger Skout 4.24.2 Skype 7.45.0.598 Snapchat 10.8.0.0 Swarm 2017.04.21 Tango 4.0.218509 Taxify CA.2.99 Text Free Ultra 6.22 Texting Text Me! 3.8.4 Text Now 5.8.0 textPlus 7.0.1 Tinder 6.11.0 Truecaller 8.08 Twitter 6.46.0 Uber 3.151.3 UC Browser 11.3.0.950 Viber 6.8.8.5 Vine 6.0.0 Vkontakte 4.9 Voxer 3.15.2.19102 Waze 4.23.0.4 WhatsApp 2.17.190 Whisper 8.5.1 Yahoo Messenger 2.7.0

Cellebrite Release Notes | UFED v 6.3 | July 2017 | 6 CRYPTOGRAPHIC HASH VALUES INFORMATION You can validate the integrity of Cellebrite’s UFED files by verifying their cryptographic hash values. This can help you identify whether a file has been changed from its original state.

Product MD5 SHA256 UFED Physical 480fe5ebaeae192aa3ab90de3a5d5114 0695f1973c63ae6daeae5c55be386bb0cde1ac48b0123c738a0a1d628959b611 Analyzer UFED Logical cb183dca80e2f62e93769ec0c9f82f9a dfe86259244d2811e9e03c3b79f22150ca26b9c7a36b9255193ac826f69b5804 Analyzer

UFED Reader 1c22b2c7addfbd64eb20751d9defdd96 101e312b9f05c552241184e42859b115837a1adee0344f027458400049804f1d

Cellebrite Release Notes | UFED v 6.3 | July 2017 | 7