Cellebrite UFED User Manual 7.71

The Touch Overview Guide provides comprehensive information on the Cellebrite UFED, a forensic tool for extracting data from mobile devices, including system requirements, extraction types, and accessories. It covers installation, activation, and various extraction methods such as logical, file system, and physical extractions. The guide also details the capabilities of the Cellebrite UFED and includes instructions for connecting devices and utilizing its features effectively.

Uploaded by Brandon L

Touch Overview Guide

October 2024 | Version 7.71


Contents

1. What’s new? 2

1.1. Cellebrite YouTube video channel 2

2. Introduction 10

2.1. Overview 10

2.2. System requirements 11

2.3. Extraction types 12

2.4. Accessories 13

2.4.1. Cellebrite UFED Device Adapter with USB 3.0 14

2.4.2. Multi SIM Adapter 16

2.4.3. Using cables and tips 17

2.5. Supported devices 17

2.6. Cellebrite YouTube channel 18

3. Getting started 19

3.1. Installing Cellebrite UFED 20

3.2. View Release Notes in-application 23

3.3. Activating the license 25

3.3.1. Licensing procedure 26

3.3.2. Using a dongle license 32

3.3.3. Using a software license 36

3.3.4. Using a network dongle 39

3.3.5. Online activation of new license from Loader 40

3.3.6. Update software license with one click 41

3.4. Working with UFED 42

3.4.1. Starting the application 42

3.4.2. Home screen 43

3.4.3. Autodetecting a device 44

3.4.4. Searching for a device 46

3.4.5. Case details 51

3.4.6. Investigation notes 51

3.4.7. User predefined filter 59

3.4.8. Manual selection 61

3.4.9. Application taskbar 62

3.4.10. Creating a Support ticket 63

3. Smart flow 66

3.5. Android Live consent-based collection 72

4. Password extraction 74

4.1. Extracting the user lock 74

4.1.1. The extracted passwords folder 76

4.2. Disabling or re-enabling the user lock 77

4.3. Removing the screen lock 79

5. Logical extraction 82

5.1. Advanced logical Android extraction 82

5.1.1. The extracted data folder 88

5.2. Advanced logical iOS extraction 89

5.2.1. Encrypted iTunes backup 92

5.3. Logical (Partial) 92

5.4. Logical extraction via Bluetooth 96

5.5. Faster transfer and verification of logical collection output 100

5.5.1. Enabling the zip feature 100

6. File system extractions 102

6.1. Performing a FULL file system extraction 102

6.1.1. iOS: Animated DFU instructions 105

6.1.2. The file system extraction folder 106

6.1.3. Unlocked Huawei Kirin devices 106

6.1.4. smartStopping an extraction 107

6.2. Performing a SELECTIVE file extraction 110

6.2.1. To extract data using Selective file system extraction: 110

6.2.2. Enhanced selective extraction 112

6.2.3. Selective extraction by file (Android / iOS) 112

6.3. Android backup 117

6.3.1. Extracted apps 121

6.4. Android backup APK downgrade 122

6.4.1. Installing the latest APK version 126

7. Physical extraction 128

7.1. Performing a physical extraction 129

7.1.1. The Physical extraction folder 132

7.2. ADB rooted 133

7.3. Advanced ADB 136

7.3.1. Generic model 144

7.3.2. Errors and notifications 146

7.4. Boot loader (FW flashing) 154

7.5. Decrypting boot loader 158

7.6. Forensic recovery partition 160

7.7. Smart ADB 164

8. Extracting Android devices 168

8.1. Android extraction methods 168

8.1.1. Android debugging bridge method 168

8.1.2. Bootloader extraction 170

8.1.3. smartStopping an extraction 170

8.2. Technical terms 172

9. Drone extractions 173

10. Capture images and screenshots 174

10.1. The Cellebrite UFED camera 174

10.2. Capturing images 175

10.3. Capturing screenshots 178

11. SIM card functionality 180

11.1. SIM data extraction 180

11.1.1. Performing SIM data extraction 180

11.2. Clone SIM 184

11.2.1. Cloning an existing SIM card ID 185

11.2.2. Entering SIM data manually 191

11.2.3. Creating a GSM test SIM 195

12. Device tools 196

12.1. Activate TomTom trip log 198

12.2. Android Debug Console 198

12.3. Bluetooth scan 200

12.4. Disable iTunes encryption password 200

12.5. Exit Android recovery mode 201

12.6. Exit iOS recovery mode 202

12.7. Exit Motorola Bootloop 203

12.8. Exit Odin mode 203

12.9. Flash Cable 500 Firmware 204

12.10. LG EDL recovery 204

12.11. Nokia WP8 recovery tool 204

12.12. Remove Android extraction files 205

12.13. Samsung Exynos Recovery 205

12.14. Switch to CDMA offline mode 206

12.15. Uninstall Windows mobile client 207

13. Settings 208

13.1. General settings 209

13.1.1. Changing the application interface language 213

13.1.2. Changing the extraction location 216

13.2. Report settings 217

13.2.1. Managing report fields 221

13.3. System settings 223

13.4. License settings 224

13.4.1. License not found 225

13.4.2. Updating a dongle license online 228

13.4.3. Updating a software license online 230

13.5. Version details 233

13.5.1. Connect a Cellebrite UFED device to Cellebrite Commander 234

13.5.2. Updates and versions 235

13.5.3. Importing settings and configuration files 237

13.6. Activity Log 242

13.6.1. Exporting metadata to Cellebrite Commander 242

13.7. Users permissions 244

13.7.1. Active Directory integration 245

13.7.2. Enabling Active Directory in Cellebrite UFED application 253

13.7.3. Permission management 254

14. Special cables 260

14.1. Device power-up cable 260

14.2. Active extension cable 261

14.3. USB extension cable 261

14.4. USB cable for Cellebrite UFED Device Adapter V2 PowerUP 262

15. Index 263

Legal notices
Copyright © 2024 Cellebrite DI Ltd. All rights reserved.

This document is delivered subject to the following conditions and restrictions:


This document contains proprietary information belonging to Cellebrite DI Ltd. Such
information is supplied solely for the purpose of assisting explicitly and properly
authorized users of Cellebrite UFED.
No part of this content may be used for any other purpose, disclosed to any person or
firm, or reproduced by any means, electronic or mechanical, without the express prior
written permission of Cellebrite DI Ltd.
The text and graphics are for the purpose of illustration and reference only. The
specifications on which they are based are subject to change without notice.
Information in this document is subject to change without notice. Corporate and individual
names and data used in examples herein are fictitious unless otherwise noted.
2. Introduction
Cellebrite UFED is a new generation solution that empowers law enforcement, military, and intelligence
personnel to capture critical forensic evidence from Android and iOS mobile devices.

2.1. Overview

Cellebrite UFED enables you to:


Perform physical, file system, and logical extraction of device data and passwords.
Capabilities may vary, based on the Cellebrite UFED product purchased - Cellebrite UFED
Logical or Cellebrite UFED Ultimate.
Extract vital data such as call logs, phonebook entries, text messages (SMS), pictures,
videos, audio files, locations, app data, ESN, IMEI, ICCID and IMSI information and more,
from a wide range of mobile devices.
Extract data from the widest selection of operating systems, such as Apple iOS,
Blackberry, Android, Symbian, Microsoft Mobile, and Palm OS. You can also extract data
from feature phones and drones.
Clone the SIM ID, which allows you to extract phone data while preventing the mobile device
from connecting to the network. It can also help if the SIM card is missing.
Extract the data from a mobile device either by a cable-based connection (serial or USB) or
a Bluetooth wireless connection. The tips and cable kit consists of four master cables and
various tips.

The extracted data can be saved and then generated in the form of clear and concise reports.

Cellebrite’s industry expertise provides reliability and ease-of-use, and ensures the broadest support
for mobile devices, including updates for newly released models before they are available to the
market.

This manual is also relevant for Cellebrite Responder users.

2.2. System requirements
PC: Windows compatible PC with Intel i5 or compatible running at 1.9 GHz or higher

Operating system: Microsoft Windows 11, 64-bit (UFED & Responder require v.7.56 and higher); Microsoft Windows 10, 64-bit

Memory (RAM): Required 32 GB; Minimum 8 GB

Space requirements: 1.5 GB of free disk space for installation

Additional requirements: Microsoft .NET version 4.5 or higher

Permissions: If you intend to activate the application using a hardware license key (dongle) provided by
Cellebrite, you must have administrative rights over the computer.

This specification is for a PC running both Cellebrite UFED and the Physical
Analyzer application as the decoding operations of Physical Analyzer require the
higher specification. For a standalone PC running Cellebrite UFED an ATOM-based
chipset (or equivalent) is sufficient.

2.3. Extraction types

Cellebrite UFED includes a range of data extraction types.

The available extraction types and methods may vary between devices depending
on their manufacturer, operating system, and chipset.

Extraction types available in Cellebrite UFED products

| Extraction types | Cellebrite UFED Logical | Cellebrite UFED Ultimate |
|---|---|---|
| Logical / Advanced Logical Extraction | Yes | Yes |
| File System Extraction | Not available | Yes |
| Physical Extraction | Not available | Yes |
| Capture Images and Screenshots | Yes | Yes |
| Chat capture | Yes | Yes |

Extraction type descriptions:


Logical extraction: Extracts user data from a mobile device (SMS, call logs, pictures,
phonebook, videos, audio, certain application data, and more). Quickest extraction method
but least amount of data.
File system extraction: Extracts files embedded in the memory of a mobile device. Retrieve
the artifacts within a Logical extraction, in addition to hidden system files, databases and
other files which were not visible within a logical extraction.
Physical extraction: Extracts a physical bit-for-bit image of the flash memory of a device,
including the unallocated space using advanced methods. Unallocated space is the area of
the flash memory that is no longer tracked by the file system, which may contain images,
videos, files, and more.
Capture images and screenshots: Take pictures or videos of a device using the Cellebrite
UFED camera. You can also capture internal screenshots directly from the connected
device.

Chat capture: Chat Capture is an automated screen capturing process that allows users to extract
and analyze selective chat conversations from third-party application data (available for Android
only).

For more information about the extraction types that are available, see the
Performing extractions data sheet.

2.4. Accessories

The Cellebrite UFED kit includes connection cables and tips. These are used to connect mobile devices
to Cellebrite UFED.

Cellebrite UFED Cables and tips

The Cellebrite UFED Ultimate kit contains tips and cables for logical, file system, and physical
extractions.

The Cellebrite UFED Logical kit contains tips and cables for Logical Extraction only.

2.4.1. Cellebrite UFED Device Adapter with USB 3.0

The Cellebrite UFED kit contains a device adapter that attaches to your PC’s USB ports. Each connector
has a LED that indicates availability during an extraction and blinks to indicate where to connect the
source device. In addition, there are LEDs for power and Bluetooth.

Depending on when you received your kit, there are two types of device adapters: Cellebrite UFED
Device Adapter with USB 3.0 (latest version) and Cellebrite UFED Device Adapter with USB 2.0
(previous version). This document provides more information about the Cellebrite UFED Device
Adapter with USB 3.0.

This manual is also relevant for Cellebrite Responder users.

Some devices can be extracted only by using the Cellebrite UFED Device Adapter.

This device adapter has the following connectors:
GPIO port (for future use)
USB 3.0 port
RJ45 port
DC In power supply (Input 5.3V 3.7A)
2 USB connection cables labeled POWER and DATA.

To connect the Cellebrite UFED Device Adapter with USB 3.0:


1. Connect the DATA cable to a USB port on the computer.

2. Then connect the POWER cable to a second USB port on the computer.

Use the following procedure if the computer is mounted in a difficult-to-access or distant location.

To connect the Cellebrite UFED Device Adapter with USB 3.0 using extension
cables:
1. Connect the Active Extension cable [1] to the DATA connection cable.
2. Connect the other end of this extension cable to a USB port on the PC.
3. Connect a standard USB extension cable to the POWER connection cable.
4. Connect the other end of this extension cable to a USB port on the PC.

2.4.1.0.1. Using the External power supply

The external power supply is NOT required for the smooth operation of the Cellebrite UFED Device
Adapter V3, but is provided for those cases where additional power output is required. The external
power supply provides an output of approximately 5.3V 2.7A.

2.4.2. Multi SIM Adapter

A Multi SIM Adapter supports Micro, Nano and standard SIM cards.

We recommend that you connect the Multi SIM Adapter to an available USB port
on your computer, not to the USB port on the Cellebrite UFED Device Adapter.

[1] This cable is 150 cm in length and allows for the easy and accessible placement of the UFED
Device Adapter with USB 3.0.

2.4.3. Using cables and tips

The cables and tips include various adapter cables (the number of cables depends on the Cellebrite
UFED product and kit purchased). Each cable has a letter and name. For example, A Adapter – USB.

Single cable

For easy recognition, the tips are color coded and numbered; the color represents the vendor.

Cellebrite UFED tip (example)

Before each extraction, the required cable and the tip number and color are specified in the Source area of
the Select Content Types screen.

2.5. Supported devices

There are various electronic devices that Cellebrite UFED supports. These include:
Mobile devices: Mobile devices such as phones and tablets are the most widely supported.
SIM cards: Extract SIM card data (logical extraction) or clone a SIM card.
Mass storage: Extract data from SD cards, removable drives, modems, etc. via logical,
physical, or file system extractions.
Drones: Extract data from drones via physical or file system extractions.

To find out more about devices that are supported in Cellebrite UFED and which data extraction
capabilities are available for each, use one of the following:

The Cellebrite UFED <version no> Supported Phone List file is delivered with every Cellebrite UFED
software version update. The Microsoft Excel file contains two worksheets:

The Cellebrite UFED Logical sheet lists the mobile devices supported for logical extraction.

The Cellebrite UFED Physical sheet lists the mobile devices supported for physical, file system,
and password extractions.
UFED Phone Detective (devices supported for logical extraction only).
Cellebrite UFED Supported Devices document in MyCellebrite.

2.6. Cellebrite YouTube channel

For your convenience, a selection of useful videos demonstrating typical workflows and common
procedures is available at youtube.com/cellebriteufed.

3. Getting started
This section includes the following:

3.1. Installing Cellebrite UFED 20

3.2. View Release Notes in-application 23

3.3. Activating the license 25

3.4. Working with UFED 42

3.1. Installing Cellebrite UFED
To install Cellebrite UFED:

1. Start the Cellebrite UFED installation wizard. The following window appears.

2. Click Install. The License Agreement window appears.

3. Select I accept the agreement, and click Next. The Select Destination Location window appears.

4. Select the folder where you want the application installed, and click Next to continue. The Select
Additional Tasks window appears.

5. Select the additional tasks you want the install wizard to perform, and then click Next. The Ready to
Install window appears.

6. Click Install. The following window appears.

7. Click the APK Download link to go to MyCellebrite and search for and download the new APK under
the Cellebrite UFED Software section. The new APK enables Android backup APK downgrade
support for additional app versions.

Install the APK via Settings > Version > File after completing the Cellebrite UFED
installation process.

8. Click Next. The following window appears.

9. Select Yes, restart the computer now, and click Finish to restart the computer.

You must now activate the license to use Cellebrite UFED. Proceed to Activating the license (on
page 25).

3.2. View Release Notes in-application

You can now review Release Notes from within the applications.

The release notes display automatically after the first launch of the installed application. In addition,
you can find the release notes at any time by clicking as follows:

“?” > “Release Notes”.

3.3. Activating the license

Activate Cellebrite UFED in one of the following ways:


Using a dongle license (on page 32)
Using a software license (on page 36)
Using a network dongle (on page 39)
Using an online license
Online activation of new License from loader

Check your Cellebrite UFED kit to verify the method to use.

If you are using Cellebrite UFED for the first time or a license is not found, see
License not found (on page 225).

3.3.1. Licensing procedure

Manage licenses for your Cellebrite deployment with Cellebrite Commander. License management via
Cellebrite Commander is supported for the following:

Cellebrite Physical Analyzer (PA)

Cellebrite Logical Analyzer (LA)

Cellebrite Responder

Cellebrite UFED

Cellebrite UFED Touch

The following process must be performed for each UFED unit in order to upload a
new or renewal license via Commander.

1. Connect the UFED unit to Commander.


Connecting a device to Commander
2. Launch the Commander screen selection.

a. Select I'm using Commander.

b. Choose the license type you are using.

c. When using a dongle, choose Dongle.


(When more than one dongle is attached to the UFED, there is a drop-down list of dongles.
Choose the dongle containing the device license from the drop-down list.)

3. UFED will:

a. Display No license (for that UFED device) in the dialog.

b. Automatically upload a C2V of the device's Dongle ID to Commander.

c. Query Commander for a license until the Commander admin loads a valid license to the UFED
device/dongle.
4. Commander will:

a. Enter the state "waiting_for_admin".

5. When you have done the steps above for all unlicensed devices, go to Commander and click Export
devices & C2V. This sends the C2Vs of all the devices to your account in MyCommunity.
6. Log in to Cellebrite's MyCommunity.

7. Go to Products & Licenses.

8. Select Cellebrite Commander.

a. Click the down arrow in the Cellebrite Commander product selection box.
Note: You must have already purchased a Commander license for this option to be available.

9. Click Download managed licenses.

10. Select the serial numbers of all of the devices to be managed by this Commander.

11. Click Download.


A zip file containing licenses for all the devices checked above is downloaded to your computer.

12. In Commander:

a. Click Import devices & licenses.

13. This message displays in MyCellebrite:

14. Select the license file that MyCellebrite downloaded to your computer and when the green check
mark displays, click Done.

15. The devices are now licensed and managed by Commander.

3.3.2. Using a dongle license

Use the Cellebrite UFED dongle provided with your Cellebrite UFED kit. The dongle contains licenses for
all the applications purchased.

To use Cellebrite UFED with a dongle:
1. Go to community.cellebrite.com and log in with your credentials (or create an account).

2. Go to Products & Licenses > Register Device and enter a name for the device, the serial number,
and the Dongle ID as displayed on the dongle.

3. Click Next. The following window appears.

4. Click Download License from the Device Registration Completed window to download the
license key (or click See licenses in the Products tab and then from the menu on the right
select Download license).
5. Download and install the Cellebrite UFED application.

6. Start the Cellebrite UFED application and connect the dongle to a USB port on your computer. The
following window appears.

7. In the Cellebrite product license window, click Load license file and upload the license key.

Congratulations, your Cellebrite UFED application is now ready!

If a license dongle is not found:

1. When a license dongle is not found, the Cellebrite product license window appears.

2. Click Dongle. If you connected the dongle to a USB port on your computer, and it still does
not work, contact support@cellebrite.com.

You can now activate your Dongle or Software license online. Our "Cellebrite License Loader"
application, which can be accessed by all users on the Cellebrite Community portal, now offers an
activation process with an internet connection. To activate the license, install the License Loader on
any computer and activate it with one click.

3.3.3. Using a software license

Use the PC activation code provided with your product kit to download a software license.

To use Cellebrite UFED with a software license:

1. Go to the required product link and sign in to your MyCellebrite account:

Cellebrite UFED: community.cellebrite.com/ufed4pc

(If you do not have an account, click Register now and create a user. Then go back to the product
link).

You are directed to the product activation window.


2. Click Download Cellebrite UFED and save the file to a PC.
3. Extract the zip file, click the installation file and install the software using the Setup Wizard.
Restart the PC if required.
4. Repeat step 1 and go to the product link.

5. In the Activation Code field, enter the Activation code provided with your product kit.

6. Obtain your Computer ID (do not close the MyCellebrite page while performing this step).

a. Start the application. The Cellebrite product licensing window appears.

b. Click Software. The following window appears.

c. Click Copy to copy the Computer ID displayed in the window.

7. In MyCellebrite paste the copied Computer ID.

8. Click Generate License to download the application license key to your PC. The license key
is also sent to your registered MyCellebrite email address.

9. In the application, click Load license file in the Cellebrite product license window, then locate and
select the license file, or click Load from the web to download the license file from MyCellebrite.

Congratulations, your Cellebrite UFED application is now ready!

3.3.3.1. Software license distribution by Commander

License updates for end points using software licenses can now be distributed from Commander 7.22.
Until now this was possible only for dongle licenses.

License distribution via Commander can be done only for updates; new licenses
should be activated manually on the end point before the first use. When working
in offline mode, the license should be applied manually (as before). License
distribution for offline mode will be supported in the next version.

3.3.3.1.1.

3.3.4. Using a network dongle

The network dongle is connected to your organization’s network and contains licenses for all the
applications purchased.

To use Cellebrite UFED with a network dongle:


Start the application. If the network dongle is connected to the network, the application
starts and you can start working immediately.

If a network dongle is not found:

1. If the network dongle is not recognized, the Cellebrite product licensing window appears.

2. Click Network.

If a dongle was not found on the network, make sure that you have an Internet
connection and that a dongle is connected to the network. Then click Refresh
to search for a network dongle again.

If you click Refresh twice, a new window appears where you can manually
connect to the network dongle. Click Advanced and then enter the IP address
(or host name).

If there is only one network dongle, it is selected automatically. If there are
multiple network dongles, select the required Dongle Serial number.

Congratulations, your Cellebrite UFED application is now ready!

3.3.5. Online activation of new license from Loader

Go to Start > Cellebrite License Loader > Cellebrite License Loader.

Select Dongle or Software.

For software licenses:

In the next screen, activate the license online.

Activation Code

Valid Email address

Press “Online activate”

You receive a license request with:

Activation Code, Email and C2V

Select Dongle license

You can activate the license online.

Fill in the following:

Dongle Serial ID (on the stick)

Press “Online activate”

You receive a license request:

Dongle Serial ID and C2V

If the Activation Code or Dongle Serial ID is valid, the loader activates the license.

3.3.6. Update software license with one click

You can now update your software license with one click.

To update your software license:

Go online and click Update. The license file is downloaded and applied automatically.

3.4. Working with UFED

This section includes the following:

Starting the application (below)

Home screen (on the facing page)

Autodetecting a device (on page 44)

Searching for a device (on page 46)

Case details (on page 51)

User predefined filter (on page 59)

Manual selection (on page 61)

Application taskbar (on page 62)

3.4.1. Starting the application


Double-click the Cellebrite UFED icon to open the application.

3.4.2. Home screen

The home screen groups the extraction data into distinct areas: Mobile device, SIM card and USB
device or Memory card. In addition, users can directly operate the camera for immediate image
capturing or access the device tools. All extraction functionality is driven by automatic identification of
the device, by searching for the device or by manually selecting the vendor and model. Cellebrite UFED
determines what functions are available for the specific device and displays the relevant functions.

3.4.3. Autodetecting a device

To use Autodetect to locate the mobile device:

1. Connect the mobile device to the Cellebrite UFED unit.

2. Select Auto Detect at the bottom of the screen.

If the connected device is recognized by the system the following window appears.

If multiple matches are found, the following window appears.

3. Select the relevant device.

4. Alternatively, click Browse Devices to manually search for the device.

Click the Console button to access device information using the Android Debug
Console. For more information, refer to the Performing extractions manual.

5. If the connected device cannot be recognized by the system, a message prompts you to try the
following steps or tap Find device manually.

6. If the device still cannot be found, tap Browse Devices or Console.

3.4.4. Searching for a device

To search for the mobile device:

1. Narrow the list by vendor, recently used, etc. or begin typing in the search field in the top bar to
search for a device or model. As you type, the list of devices is reduced to match your search
criteria.

You can also search for a device by its IMEI value, which is used to uniquely
identify devices. The IMEI value is usually found printed inside the battery
compartment of the device, or dial *#06# from the phone keypad. Enter the
value in the search field, using a minimum of four digits up to the full number.
If the IMEI value is recognized, matching devices are displayed.

2. Select the device model type from the list.

Having selected the device, Cellebrite UFED determines what extraction functions are available for
this combination and presents those functions:

Lock Bypass is displayed for both physical and file system extraction methods that
can bypass the user lock of the device.

3.4.4.1. Device wizard - Beta

The new search capability enables users to view all supported extraction methods available for a
particular mobile device, even before connecting to it.

For Android devices, you can input device properties such as chipset, OS, OS version, etc. Each
property added increases the number of methods available for devices that have been tested by
Cellebrite, and the number of methods available for devices that have not yet been tested but which
have a high probability of success based on the device properties.

3.4.4.2. TAC search

If you cannot find the Android device which you are looking for after performing a TAC number search,
a window appears. This window appears if Cellebrite UFED does not support the device directly, but
there are applicable generic options available for the device.

To retrieve device information and view generic extraction options:

1. Enter the complete 8-digit TAC number. The following window appears.

The window includes the vendor, operating system and device name.
2. Click See recommended extractions. A window appears with the generic extraction options for the
device.

If you enter a partial TAC number (with fewer than 8 digits) or the device is not
supported by Cellebrite UFED, then the following window appears.
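
The TAC entered in the search above is the first eight digits of the device's IMEI, so a mistyped IMEI produces the wrong TAC. The following Python code is an added example, not part of the Cellebrite manual or software: it normalizes a transcribed IMEI, verifies its Luhn check digit, and returns the 8-digit TAC. It assumes the standard IMEI layout (8-digit TAC, 6-digit serial, 1 check digit) and the 16-digit IMEISV variant; the function names and sample values are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration, not Cellebrite code. Assumed layout (standard IMEI):
#   IMEI   = TAC (8 digits) + serial (6 digits) + Luhn check digit (1 digit)
#   IMEISV = TAC (8 digits) + serial (6 digits) + software version (2 digits)


@dataclass(frozen=True)
class ImeiInfo:
    digits: str                 # input with separators removed
    kind: str                   # "IMEI", "IMEI-14" (no check digit) or "IMEISV"
    tac: str                    # Type Allocation Code: first 8 digits
    serial: str                 # next 6 digits
    expected_check: int         # Luhn digit computed over TAC + serial
    luhn_ok: Optional[bool]     # None when the input carries no check digit


def luhn_check_digit(payload: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # Starting from the rightmost payload digit, double every second digit.
    for pos, ch in enumerate(reversed(payload)):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw: str) -> ImeiInfo:
    """Normalize a transcribed IMEI and split it into TAC, serial and check."""
    digits = re.sub(r"[\s\-/.]", "", raw)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("IMEI may contain only digits and separators")
    kinds = {14: "IMEI-14", 15: "IMEI", 16: "IMEISV"}
    if len(digits) not in kinds:
        raise ValueError(f"expected 14, 15 or 16 digits, got {len(digits)}")
    tac, serial = digits[:8], digits[8:14]
    expected = luhn_check_digit(tac + serial)
    # Only the 15-digit form carries a check digit that can be verified.
    luhn_ok = (int(digits[14]) == expected) if len(digits) == 15 else None
    return ImeiInfo(digits, kinds[len(digits)], tac, serial, expected, luhn_ok)


def tac_for_search(raw: str) -> str:
    """Return the 8-digit TAC, refusing an IMEI whose check digit is wrong."""
    info = parse_imei(raw)
    if info.luhn_ok is False:
        raise ValueError(
            f"check digit mismatch (expected {info.expected_check}); "
            "re-read the IMEI from the device before searching"
        )
    return info.tac


if __name__ == "__main__":
    # Constructed sample values (a commonly used documentation IMEI and
    # two variants of it), not taken from any real device or case.
    for sample in ("49-015420-323751-8", "490154203237517", "4901542032375101"):
        info = parse_imei(sample)
        print(f"{sample!r}: kind={info.kind} tac={info.tac} "
              f"serial={info.serial} luhn_ok={info.luhn_ok}")
```

Recording the normalized IMEI and the check result in the case notes gives a reviewer a way to confirm that the TAC searched for matches the device that was examined.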

3.4.5. Case details

The Case details feature enables you to enter case details when performing an extraction or using the
Cellebrite UFED camera. This feature is not enabled by default.

To enable the case details feature:


Select Include Case details screen under Settings > General.

To specify the case details:

1. On the Home screen, select an extraction type or Cellebrite UFED camera. The following window
appears.

2. Use the current case information, or enter and select the case information and then click Continue.

3.4.6. Investigation notes

The Investigation notes feature enables you to add notes during the data extraction process. You can
include observations or report any issues encountered during the process.

To enable or disable the feature:

1. Select Settings > General. The following window appears.

2. Select or clear Show investigation notes.

3. Click Save.

3.4.6.1. Using the feature

You can add pictures, screenshots and text that are relevant to your investigation to create an audit
trail of actions taken and decisions made.
1. Start an extraction and click Notes. The Investigation notes window appears.

To close the window, click the Cellebrite UFED interface outside of the Investigation notes window.
2. Add text, screenshots and pictures that are relevant to your investigation. The investigation
notes are available as part of the extracted data or report. See Accessing the extraction
notes file (on page 58).

See the following procedures to add text, screenshots and pictures:

To add text notes: (on the next page)

To add screenshots: (on page 55)

To add pictures: (on page 56)

To add text notes:

1. In the Investigation notes window click Text. The following window appears.

2. Enter the required text and tap Save.

3. The text is added to the Investigation notes panel and it includes the date, time, and stage of the
extraction process.

To remove a note click Delete (X).

To add screenshots:

1. In the Investigation notes window click Screenshot. The following window appears.

2. Enter the required text and tap Save.

3. The screen capture is added to the Investigation notes panel and it includes the date, time, and
stage of the extraction process.

To add pictures:

1. In the Investigation notes window click Picture. The following window appears if a camera is
not connected.

2. Connect a camera to Cellebrite UFED.

3. Select the required camera to use.

4. Click Camera to take a picture. If required, tap Refresh to take a new picture,
or click Rotate to rotate the picture.


5. Enter the required text and tap Save.
6. The picture is added to the Investigation notes panel and it includes the date, time, and
stage of the extraction process.

3.4.6.1.1. Accessing the extraction notes file

After completing the extraction, the investigation notes are displayed as an ExtractionNotes.pdf file in
the Notes folder when the report or extraction is saved.

In Cellebrite UFED, the PDF file is only created when you click Finish.

Folder location

Example Investigation notes

3.4.7. User predefined filter

The User predefined filter provides the ability to extract and view only a portion of the device content,
based on time range or specific subject information (person, email, phone). This can be useful when:
The agency has a warrant to extract data from a specific time window, and is not allowed to
view additional data that is not covered by the warrant.
The user wishes to save time and get to the relevant data ASAP.

The most time-consuming phase during a device extraction is transferring the data from the mobile
device to the extraction tool. Timeframe filtering is performed on the device (when technically
supported), and can reduce the extraction time. Another advantage is the reduced amount of data that
the agent must browse through to find the evidence.

To enable the User predefined filter:


Select Allow user predefined filter under Settings > General.

To specify the timeframe and parties for the extraction:

1. Identify the device and select an extraction type. The following window appears.

The extraction is based on the Cellebrite UFED unit’s date and time. When
selecting a time frame, also consider the device’s time zone.

The timeframe option is not applicable to file system extractions.

2. Select the required time frame. The less time selected, the quicker the extraction.

3. Enter keywords or numbers that you would like to include.

Selective extraction by party: Similar to the time frame filter, this is the ability to extract
and review only data relevant to a specific party (number or device).

Partial numbers are matched by the application, and names are matched
irrespective of capitalization.

4. Click Next.

3.4.8. Manual selection

To manually select the vendor and model:

1. Click Mobile device and then click Skip.

You can then select All, Vendor, Generic profiles, or Recently used. As displayed next, the Vendor
screen enables you to select the device vendor.

2. After choosing the Vendor, the application presents the Select Model screen where the specific
model of the device is chosen.

Having chosen the Vendor and the Model, Cellebrite UFED determines what extraction functions
are available for this combination and presents those functions.

3.4.9. Application taskbar

The application taskbar is located at the top of the screen.

Application taskbar icons and descriptions

Icon Description

Click to select Online help or Extraction flows document.

Click the menu icon to access the following:

3.4.9.1. Export last session logs

Click on the options icon (hamburger) and select Export.

Export All: Exports logs for all sessions, including the current session.

Export last session: Exports all logs from the last session (or the current session - whichever is
latest).

3.4.10. Creating a Support ticket

UFED enables opening Support tickets directly from the application. It is not necessary to go to the
Cellebrite Community site or to email / phone the Support team in order to do so.

3.4.10.1. Support ticket issues

Support tickets regarding the following issues can be opened directly from the UFED interface:

Installation/Upgrade

License

Phone Support Status

Application

Android

iOS

SIM

Mass Storage

Drone

Device tools

Other

Procedure

1. From any UFED screen, click (the information icon) ? > Report and Issue > Open new ticket.

2. The Support ticket screen displays.

3. In the Support ticket screen, do the following:

a. Enter your email (required field) and select the Subject (required field) from the drop down menu.

b. Enter your name and the device model.

c. Enter a brief description of the problem.

d. To share the last log files, select the option "Share last logs".

e. To select files that are relevant to the Support request, click Attach File. The file names of the
selected files display in the small display pane.
f. To share the current screen, select the option "Share printscreen". The image displays in the display
area above the option and to the right of the file list.

g. Select the severity of the problem (Low, High, Critical).

h. Click SEND to send the Support ticket to the Cellebrite Support team.

A notice will be sent to the user with a message stating that a Support ticket was opened and will
include the Ticket (case) number.

3.4.10.2. Transfer files

Frequently, the files that you attach to a Support ticket are large, and transferring them to
Cellebrite Support requires an extended period of time. Cellebrite UFED enables you to continue
working while it transfers the files in the background.

Viewing Transfer file status

To view the status of all your tickets and their associated files after you have created a Support ticket,
do this:

1. From any UFED screen, click (the information icon) ? > Report and Issue > transfer files.

2. The Ticket file transfer screen displays and shows all tickets:

3. Smart flow
Smart flow is an automated flow that shortens the time to evidence by shortening the extraction
process. It is an alternative flow for performing a full file system, physical, or selective, exploit-based
extraction, without the need to select a specific phone profile, extraction type, method, etc.

Smart flow is relevant only for:

Unlocked Android devices (see Android extraction methods (on page 168)). Locked devices will be
added in the future.

An exploit-based flow to get a full file system or selective by app token extraction.

The flow is simple: connect the phone, start the relevant exploit based on the connected device, and
display the device info and optional extraction types.

Smart flow automatically tries the compatible method based on the connected device. If the flow fails,
it will try another method that may work.

Smart flow

1. Open UFED.

2. Select the device. The following screen displays.

3. In "Choose action", select "Smart Flow".

4. Follow the on-screen directions before connecting the device.

5. Connect your device using the cable appropriate to your device.

6. UFED will select and attempt the best method.

7. From the Select Extraction screen, select the items to extract under "Insights from Installed Apps" or
select VIEW ALL to see all items that can be extracted (and select the items to extract).

8. The extraction will proceed.

9. The following screen displays when the extraction completes.

10. To extract using other, specific flows, see the Extraction sections below.

3.5. Android Live consent-based collection

This Smart-flow process is a unique, new industry-leading capability that provides the widest range of
coverage for unlocked Android devices. This simplified flow automatically selects the appropriate
“Live” access method for unlocked Android devices (such as Qualcomm Live, Exynos Live, etc.).

There is no need to select the device profile and method. Just connect the device - the relevant access
method is automatically applied.

After gaining device access, users can select one of the extraction types presented.

Universal Live Android supports the most popular SoCs in the market: Qualcomm, MTK, Kirin, Unisoc
(Spreadtrum), Exynos, and the newly introduced SoC, JLQ (used in Xiaomi Poco C4).

This capability adds support to a wide range of devices that were not previously supported in the
current “Live” methods, with no known SPL limitation.

Some of the supported devices are:

Samsung A12, A21, S22 Ultra (Exynos)

All Google Pixel models (including Pixel 7 and 7 pro)

Xiaomi Redmi 9/9A/9C, Xiaomi Redmi K50, Xiaomi Redmi Note 11T [Pro Plus]

Oppo A15, Oppo Reno8 Pro Plus 5G, Vivo S15 PR

Moto G Pure, OnePlus 10R 5G, Honor 70 Pro Plus

We encourage you to use Smart flow for devices that are not included in this list.

4. Password extraction
It is common to encounter a device that is password protected. Passcodes include a 4-digit PIN, a
complex alphanumeric passcode, or a pattern lock. UFED can identify and bypass some passcodes
depending on the make and model of the device. To find out if the passcode can be identified or
bypassed, refer to the UFED Supported Devices file.

4.1. Extracting the user lock

Extract the password, or user code or PIN, locking the device. The extracted password can be displayed
on the screen or written to a USB flash drive or PC for archiving. The ability to extract passwords
depends on the device’s make and model, the type of passwords enabled on the device, and the
password’s length.

To extract a user lock on a mobile device:

1. Click Mobile device and identify the device, then click Extract User Lock.

The Select Extraction Location screen appears.

2. Select Display Only or Local Drive.


3. Connect the source device to the USB port, or via the UFED Device Adapter.

4. Click Continue.

The Extraction in Progress screen appears.

At the end of the extraction process, the extracted passwords are displayed in the Passwords
screen.

5. Click Continue to display a summary of the passwords extraction process.

The following screen appears.

6. Click Additional Extractions to add additional extraction types for the same device, or click
Finish to end the process and return to the Home screen.

4.1.1. The extracted passwords folder

At the end of the passwords extraction process, the extracted passwords are saved to a text file named
Passwords.txt at the location you selected during the data extraction process.

The text file is located inside a folder named Password with the selected
device name and the extraction date. For example, Passwords Iden i9
2011_06_11 (001)

4.2. Disabling or re-enabling the user lock

You can disable and re-enable the user lock on a device:


Disable the user lock: Disable the user lock (or password), which means that the device is
no longer locked. Each device model has a slightly different process, depending on the
device lock combination and how the model connects to UFED. When more than one
method is available for the device, we recommend that you try both methods if one method
is not successful. If you disable the user lock more than once, you cannot re-enable the
original user lock. For a complete list of supported devices, refer to UFED Phone Detective
or the UFED Supported Devices document in MyCellebrite.
Re-enable the user lock: Re-enable the user lock on a device, after it was disabled by
UFED. This enables you to return a device to its original state.

To re-enable the original user lock on the device, use the Re-Enable User Lock
method and do not create a new user lock manually. If you create a new user lock,
you cannot re-enable the original user lock.

UFED now provides a notification if advanced forensic capabilities are available via
Cellebrite Advanced Services for a growing range of supported Android and iOS
devices. To learn more, refer to:
https://www.cellebrite.com/en/services/advanced-unlocking-services/

To disable (or re-enable) the user lock on the device:

1. Click Mobile device and identify the device, then click Disable/Re-enable User Lock. The following
window appears.

2. Click Disable User Lock to remove the user lock from the device, or click Re-Enable User Lock to re-
enable the user lock on the device. The Waiting for Device screen appears.

3. Follow the instructions for the device and then click Continue.

If the device does not unlock, click Abort, and repeat the procedure. Make sure
you are using the correct USB cable.

The Extraction completed successfully screen appears.


4. Click Finish.

4.3. Removing the screen lock

The Remove screen lock method disables the user lock on a wide range of Samsung Android devices,
for example Galaxy S7, S7 Edge, J7, J5, A7, and A5. This method works on both Qualcomm and
Exynos-based devices.

UFED cannot re-enable the screen lock after running the process.

To remove the screen lock from a device:

1. Click Mobile device and identify the device, then click Disable/Re-enable User Lock. The following
window appears.

2. Click Remove Screen Lock to remove the screen lock from the device. The Waiting for Device
window appears.

3. Follow the instructions to place the device in Download mode, then click Continue. The following
window appears.

4. UFED now tries to flash another image to the device. Follow the on-screen instructions until the
device displays the Warning screen and Download mode again. Then click Continue in
UFED. The following window appears.

5. Click Continue, then wait about one minute and restart the device again when instructed. The
following window appears.

6. Restart the device for the changes to take effect and then click Continue. The following window
appears.

The process completed successfully, but it may not work on all devices. If the
process did not work, try a different method.

7. Click OK. The following window appears.

8. Click Finish.

5. Logical extraction
The Logical Extraction function enables you to extract various types of data, such as call logs,
phonebook records, SMS text messages, calendar events, and multimedia files (images, videos, etc.).
Save the extracted data from the source device to your PC or to a removable storage device, as
desired. In most cases, a logical extraction is not possible for locked devices.

A logical extraction can also be used to extract data from many Android, BlackBerry, iOS, and Windows
Phone apps. For an updated list of supported apps and versions for each platform go to Help >
Supported Apps in Physical Analyzer or Logical Analyzer. Data extracted from these apps can be
analyzed using Physical Analyzer or Logical Analyzer (although the data is not included in UFED HTML
and XML reports).

The available types of extracted data may vary depending on the source device
manufacturer and model. The supported data types are listed in the UFED Phone
Detective or within the UFED Supported Devices.

5.1. Advanced logical Android extraction

The following procedure explains the Advanced logical extraction process for an example device. The
procedure may vary depending on the selected device. This section shows only one of the many
extraction types that can be performed.

To perform an Advanced logical extraction from a mobile device:

1. Click Mobile device and identify the device, then click Advanced Logical.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The Select Extraction Location window appears.

2. Use the current location or click the folder icon to change the target path and select a different
location and then click Next. The Waiting for Device window appears.

Click the Console button to access device information using the Android Debug
Console. For more information, refer to the Performing extractions manual.

3. Select the correct cable and tip for the mobile device, and change the device settings
according to the instructions.
4. Connect the source device to the USB port on the computer. If the device is already
connected, disconnect and then reconnect the device.

5. Click Continue. The following window appears if Enable device preview info screen is
enabled under General settings.

This window provides information about the device data before performing an Android extraction.
It includes device properties such as model, device name, operating system, chipset, whether the
device is rooted, the date the security patch was installed, IMEI, the number of installed apps, and
insights from installed apps.

Insights from installed apps allows the user to get a peek into the types of apps installed on the
device before the extraction. This area displays app categories and the number of apps in each.
Click to view all app insights by category.

To update the app categorization database, go to System settings.

On many devices, but not all, it also includes information about storage volume, data types, volume
of storage per data type, and free data.
6. Click Continue. The following window appears.

7. Data can be extracted from the Device, SIM and Memory Card of the device. Select from
which memory you want to extract.

8. Different data types can be extracted. Select which data types you want to extract. In the example
above, music and ringtones are excluded and are not extracted.

When Files is selected, UFED performs ADB backup to enable user data to be
extracted.

9. Click Next. The following window appears.

10. Select the required contacts to extract and click Continue. The extraction process starts.

11. Click OK. The following window appears.

12. If required, restart the device then tap Continue. When the extraction is complete and if required,
the Source Instructions window appears (this depends on the device model). The following window
appears.

13. Follow the instructions to return the mobile device settings to the original settings, and then click
Continue.

14. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

5.1.1. The extracted data folder

At the end of the data extraction process, the extracted data is saved in the location you selected.

The extracted data folder is named UFED with the selected device name, the IMEI
/ MEID information, and the extraction date. For example, UFED Samsung GSM
GT-i9205 Samsung Galaxy Mega 6.3 2014_11_10 (0001)

The extracted data folder contains:


Multimedia folders named Audio, Images, Ringtones, and Video, each containing
the respective type of media files.
Phone extraction report files in HTML and XML formats. (One HTML report per content
type)
UFD file.

The XML file can be viewed by both Logical Analyzer and Physical Analyzer.

5.2. Advanced logical iOS extraction

The Advanced logical extraction uses other extraction protocols and can potentially extract additional
data compared to the standard logical extraction.

Advanced logical extractions can be used to extract data from Android or iOS operating systems. The
following example shows an Advanced logical iOS extraction.

To perform an advanced logical iOS extraction:


1. Click Mobile device and identify the device.

2. Click Advanced Logical.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The following window appears.

3. Connect the source device to the USB port using the specified cable. If the device is already
connected, disconnect and then reconnect the device.

4. Click Continue. The following window appears.

5. Unlock the device and select Trust on the device. The following window appears.

6. This window displays the device name, UDID, iOS version, and whether the backup is encrypted.
Click OK. If the iTunes backup is not encrypted, the following message about data encryption
appears. If the iTunes backup is encrypted, see Encrypted iTunes backup (on page 92).

7. In the Attention window click Yes to enable backup encryption with the ability to extract additional
information from the device, or click No if you do not require the additional information. The
following window appears.

You can encrypt the iOS file. This additional layer of security allows iOS to
include more sensitive information not found on a standard iCloud or iTunes
backup file, including login details for apps and email accounts and other
services that may be in use. You can extract an iOS keychain (user credentials)
using this extraction method. At the end of the extraction, the encryption is
automatically reset. You can view the user credentials under the Passwords
tree item in Physical Analyzer.

If the extraction was stopped and the device remains encrypted, see Disable
iTunes encryption password (on page 200).

After the extraction completes, the Extraction completed window appears.

8. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

5.2.1. Encrypted iTunes backup

During Advanced Logical Extraction, if iTunes backup encryption is already enabled, then the following
window appears.

If you know the iTunes backup password:


1. Enter the password so that it is not required during the decoding stage (in Physical
Analyzer).
2. Click OK and follow the on-screen instructions to complete the extraction.

If you do not know the iTunes backup password:

Click Skip and follow the on-screen instructions to complete the extraction.

The password is required during the decoding stage (in Physical Analyzer).

If you have exhausted all options to obtain the password (including the
bruteforce option), Cellebrite Services can provide a full file system extraction
that bypasses the iTunes encryption.

5.3. Logical (Partial)

This is a quick extraction method that supports the largest number of devices. You can extract Call logs,
Phone books, SMSs, Calendar events, Multimedia files, and file data. The available types of data may
vary depending on the source device’s make and model. In most cases, a logical extraction is not
possible for locked devices.

To perform Logical (Partial) extraction:


1. Click Mobile device and identify the device.

2. Click Logical (Partial) and then select where you want to save the extraction.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The Select Extraction Location window appears.


3. Use the current location or click the folder icon to change the target path and select a different
location and then click Next. The Waiting for Device window appears.

The Console button is only supported on Android devices.

4. Select the correct cable and tip for the mobile device, and change the device settings
according to the instructions.
5. Connect the source device to a USB port. If the device is already connected, disconnect and
then reconnect the device.

6. Click Continue. The following window appears.

7. Different data types can be extracted. Select which data types you want to extract. In the example
above Ringtones are excluded and are not extracted.

When the Files button is selected, UFED performs an iTunes backup to extract
user data.

8. Click Next. The following window appears.

9. Unlock the device and select Trust on the source device.

10. Select the multimedia types required and then click OK.

After the extraction completes, the Extraction completed window appears.

11. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

5.4. Logical extraction via Bluetooth

This extraction method can be used to perform logical extraction via Bluetooth from any Android
device. To use this extraction method, you must load a client onto the source device over the
Bluetooth connection. When extracting data from a device via a Bluetooth connection, some content
types (e.g., apps data, pictures, audio and music, video, and ringtones) and memory types (e.g.,
memory card or SIM card) are not supported. To extract multimedia content via Bluetooth, go to Smart
Phones/PDAs > Android Bluetooth > Logical Extraction > Logical (Only Multimedia). Note that this
method takes much longer.

Previously, the logical extraction via Bluetooth method was only available via the generic profile.

To perform a logical extraction via Bluetooth:


1. Click Mobile device, identify the device, select the extraction location, and then click
Logical.

2. Select the extraction location. The following window appears.

3. Click Use Bluetooth. The following window appears.

4. Click OK.

5. If required, connect the UFED Device Adapter.

The following window appears.

6. Select the required content types and then click Next.

7. Click Upload to upload the client to the device or click Skip if you have already uploaded the client to
the device. The following window appears.

8. Activate Bluetooth on the source device and make it visible to other devices. Follow the on-screen
instructions to set the device connections, then click Continue. The following window appears.

9. Click the required device. The following window appears.

10. Press Accept on the device when the file transfer request is displayed (this is skipped if the client is
already installed). The following window appears.

11. Follow the instructions to install the client on the source device, then click Continue.

12. Open (or start) the client on the source device and confirm the Bluetooth permission
request on the device.

13. Click Continue. The following window appears.

14. Click Continue.

During the extraction process, the progress bar for the Source and then the Target is active.

When the extraction is complete and if required, the Source Instructions screen appears (this
depends on the device model).

15. Click Continue. The following window appears.

16. Click Open Preview Report to view an HTML preview report that includes information about
the device and the extraction, click Open with Physical Analyzer to open the extraction in
Physical Analyzer, click Show in Folder to open the folder where the UFD extraction file is
located, click Additional Extractions to add additional extraction types for the same device,
or click Finish to end the process and return to the Home screen.

5.5. Faster transfer and verification of logical collection output

Logical extraction output files can now be zipped for faster transfer. During the procedure, a hash of
the zip is calculated automatically and is added to the UFD file.
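To check a zipped logical extraction after transfer, recompute the archive's digest and compare it with the hash recorded in the UFD file. The following is an added example, not Cellebrite code: it assumes the examiner copies the recorded hex digest out of the UFD file by hand, and it infers the algorithm from the digest length because this guide does not name one. The file names and sample data are constructed.

```python
import hashlib
import hmac
import os
import tempfile
import zipfile

# Digest length in hex characters -> hashlib algorithm name.
# Assumption: the recorded hash is one of these common algorithms;
# the guide does not say which one UFED writes to the UFD file.
ALGORITHMS_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalise_digest(recorded):
    """Strip whitespace and separators that may be copied along with the digest."""
    cleaned = "".join(ch for ch in recorded if ch not in " \t\r\n:-").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("recorded hash is not a hexadecimal digest")
    return cleaned


def file_digest(path, algorithm, chunk_size=1024 * 1024):
    """Hash a file in chunks so multi-gigabyte archives do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_transferred_zip(zip_path, recorded_hash):
    """Compare the transferred zip against the hash recorded at extraction time."""
    expected = normalise_digest(recorded_hash)
    algorithm = ALGORITHMS_BY_HEX_LENGTH.get(len(expected))
    if algorithm is None:
        raise ValueError("unrecognised digest length: %d" % len(expected))
    actual = file_digest(zip_path, algorithm)
    return {
        "algorithm": algorithm,
        "expected": expected,
        "actual": actual,
        "match": hmac.compare_digest(expected, actual),
        "size_bytes": os.path.getsize(zip_path),
    }


def demo():
    """Build a constructed zip, verify it, then flip one bit and verify again."""
    workdir = tempfile.mkdtemp()
    zip_path = os.path.join(workdir, "constructed_extraction.zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.xml", "<report>constructed sample</report>")
        zf.writestr("Images/IMG_0001.jpg", b"\xff\xd8constructed\xff\xd9")

    # Stands in for the value an examiner would read from the UFD file.
    recorded = file_digest(zip_path, "sha256").upper()
    before = verify_transferred_zip(zip_path, recorded)

    # Simulate corruption in transit by flipping one bit inside the archive.
    with open(zip_path, "r+b") as fh:
        fh.seek(10)
        original = fh.read(1)
        fh.seek(10)
        fh.write(bytes([original[0] ^ 0x01]))
    after = verify_transferred_zip(zip_path, recorded)
    return before, after


if __name__ == "__main__":
    intact, corrupted = demo()
    print("intact copy matches:   ", intact["match"])
    print("corrupted copy matches:", corrupted["match"])
```

Record the algorithm, both digests and the file size in the case notes so the comparison can be repeated later.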

5.5.1. Enabling the zip feature

To enable zipping the logical extraction output, go to Settings > General tab > Zip logical extraction
output and mark the checkbox.

Logical extractions that were zipped can be opened in PA 7.52 and above.
In older versions, open the extraction by manually unzipping it.

6. File system extractions
File system extractions (Full and Selective) enable you to perform extractions from a device.

UFED now provides a notification if advanced forensic capabilities are available via Cellebrite Advanced
Services for a growing range of supported Android and iOS devices. To learn more, refer to:
https://www.cellebrite.com/en/services/advanced-unlocking-services/

Lock Bypass is displayed if the file system extraction method can bypass the user
lock of the device.

6.1. Performing a FULL file system extraction

1. Click Mobile device and identify the device, then click File System.

The Select Mode screen appears.

2. Select ADB (for Android Backup, see Android backup (on page 117)).

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The Select Extraction Location screen appears.

3. Select a location. The following window appears.

4. Select the correct cable and tip for the mobile device based on the information displayed on
the screen.
5. Change the device settings according to the instructions.
6. Connect the device.

7. Click Continue. The Extraction in Progress screen appears.

During the extraction process, the progress bar for the Source and then the Target is active.

For QCP and Samsung MTK devices, an estimation of the time the extraction
will take is displayed.

When extraction is complete, the File System Extraction Summary screen appears.

8. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

6.1.1. iOS: Animated DFU instructions

iOS devices have a new animated instructional aid. The new aid displays the iPhone model and an
interactive image with detailed instructions for carrying out the process.

6.1.2. The file system extraction folder

At the end of the file system extraction process, the extracted data is saved in the location you selected
previously (see Performing a FULL file system extraction (on page 102)).

The extracted data folder is named FileSystemDump with the selected device
model and name and the extraction operation date. For example,
FileSystemDump Nokia GSM Nokia 2626 2014_03_12 (001)

The extracted data folder contains:


Zipped archive of the device file system containing files and folders in the same structure
they were extracted.
UFD file containing the system extraction information, used by the Physical Analyzer
application.
PM file.

The File System extraction can be viewed using Physical Analyzer.

6.1.3. Unlocked Huawei Kirin devices

This new method enables you to do a full file system collection on unlocked Huawei Kirin devices.

The Huawei Live method is located under file system extraction type in the Android Kirin generic
profile and in several tested Huawei profiles.

The method also appears as untested when connecting Huawei Kirin devices.

6.1.4. Stopping an extraction

You can now stop Android File System extractions (not including Android Backup and APK downgrades)
before they complete and save the (partial) extraction to that point.
1. To stop an extraction in progress, click the STOP button in the screen labeled "Extraction in
progress".
A confirmation message displays.
2. Click "Stop Extraction" (the exact wording might change).
The extraction procedure will finish extracting the current file and stop.

The partial extraction can be opened in Physical Analyzer.

A message stating that the extraction is partial and was stopped by the user displays in Physical
Analyzer v7.54 and above.

To continue with the extraction (and not stop the current extraction), click Continue extraction (the
exact wording might change). The extraction continues uninterrupted.

6.2. Performing a SELECTIVE file extraction

Selective extractions are a subset of full file system extractions for both Android and iOS devices. A
selective extraction extracts all app data from those files and folders (located under the root directory)
that you select. The app data includes the folders and files associated with the app such as databases,
APKs, images, and keys.

A selective extraction takes less time to complete than a full file system extraction and enables you to
select only the files that you require.

Selective extraction is currently supported for EDL Decrypting Bootloader, Samsung Qualcomm
Decrypting Bootloader and Huawei Decrypting Bootloader methods. Other methods require that you
perform a Full File System Extraction.

When the Selective file system method is available, an indication is made on the method(s) presented.

Selective extraction does not extract data from unallocated space. Use one of the
Physical extraction methods instead.

6.2.1. To extract data using Selective file system extraction:

When performing an extraction method that supports Selective file system extractions, you can see the
Selective file system button on the Device info screen.

1. Click Selective file system.

2. Select the apps to extract. You can search for apps by category from the Select categories list.

3. Click Extract. The Extraction Summary window appears.


4. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

6.2.2. Enhanced selective extraction

Application lists are now grouped by category when using “App categorization”.

Users can select an entire category of applications with a single click for quick and easy “Select by
Application”. Enhanced selective extraction also enables standard selection of individual apps.

To use this feature, download the “App Categorization DB” file from the
Community portal, under the “Add-ons” section of the product, and upload it via
Settings.

6.2.3. Selective extraction by file (Android / iOS)

Selective extraction by file (Android / iOS) enables users to traverse the file system and select specific
folders and files to extract. All relevant metadata from the files is retained and the forensic integrity of
the file remains intact. Additional search capabilities can be applied.

1. When performing an extraction method that supports Selective File System extractions, the
Selective file system button displays on the Device info screen.

2. Click SELECTIVE FILE SYSTEM > FILES to display the next image:

3. Select the folders and files to extract.

4. To select files by name, enter the name (or partial name) into the text entry box at the top. The
screen filters the selection and displays all files that contain the characters entered and their path.

5. To view all files in the same location as any file displayed here, click the file path. The display
now shows the file that you clicked in its path (location) and all files that are located in the same
path/memory area and which are therefore likely to be associated with the file whose path you
clicked.

Note: In iOS, some files must always be selected as part of the extraction
operation. Cellebrite pre-selects these files; they cannot be deselected.
a.) Your first click selects all the files.
b.) In iOS, a second click returns the selections to the required files only (see
image above) - they remain selected always.
c.) When you move the mouse near the main checkbox, a tooltip displays with the
following text:
Cellebrite pre-selects some files that must be selected as part of the operation;
these files cannot be deselected.

6.3. Android backup

The Android Backup feature communicates with a connected Android device and enables you to
extract data from the device. The data that is extracted is dependent on the device’s specific
characteristics. Android backup supports Android devices with version 4.1 and higher.

Android Backup may provide less data than other methods; therefore, use this feature only when other
file system methods such as ADB are not successful or when other file system methods are not
available for the device (for example, if the Android version is not supported).

This feature is controlled under Settings > General.


To extract data using Android backup:

1. Click Mobile device and identify the device, then click File System.

2. Click Android Backup.

3. Select the extraction location.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

4. Click Continue.

The Waiting for Device screen appears.

5. Connect the source device to the USB port. If the device is already connected, disconnect
and then reconnect the device.

6. Click Continue. The following window appears.

7. Click Continue and if required select Backup my data on the device. The extraction begins.

The following screen appears.

8. Click No if you do not want to extract data from a shared location. Click Yes if you want to try to extract
data from a shared location. With a shared location, Cellebrite UFED extracts all the applications
(native and non-native) that reside on the device, as well as data from the device’s internal storage
and memory card (images, videos, etc.), which takes additional time.

The following screen appears.

9. Follow the instructions and click OK.

When the extraction completes, the Extraction summary window appears.

10. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

6.3.1. Extracted apps

The App information window can be displayed by clicking the Extracted Apps button after the File
system Android backup extraction completes.

It displays the app extraction status for the device. Apps that were extracted are listed under
Extracted. These apps are decrypted in Physical Analyzer. Apps that could not be extracted are listed
under Not Extracted, together with the reason they were not extracted. The Notes indicate if
another extraction method is applicable. Unrecognized apps and their status are listed under
Unrecognized. This list contains files that could not be mapped by the system and exist for extraction
results verification. To obtain more information about these files, we recommend that you do an
Internet search for the file names.

6.4. Android backup APK downgrade

This method extracts application data using Android backup. It supports Android devices with version
4.1 and higher. During the process, the selected application version (*.apk file) is temporarily
downgraded to an earlier version, so that the data can be extracted. The current version is restored at
the end of the extraction process. The potential risk in this method relates to the downgrading and
then restoration of the app version.

Only use the Android Backup APK Downgrade method as a last resort after other
extraction methods have been exhausted (including JTAG and chip-off).

We recommend that you document the process during the extraction.

To extract data using Android backup APK downgrade:

1. Click Mobile device and identify the device, then click File System. The following window appears.

2. Click Android Backup APK Downgrade. The following window appears.

3. Click Continue.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

4. Select the target path and click Next. The Waiting for Device screen appears.

5. Connect the source device to the USB port using the specified cable. If the device is already
connected, disconnect and then reconnect the device.

6. Follow the on-screen instructions for the device and then click Continue. The following screen
appears.

You are notified when you are required to restart the device or to select
Backup my data on the device. The following screen appears.

The following window appears.

7. Select the required apps (or click Select All) and then click Start. The following window appears.

8. Select Backup my data on the device. The following window appears.

9. Click No if you do not want to extract data from a shared location. Click Yes if you want to try to extract
data from a shared location. With a shared location, Cellebrite UFED extracts all the applications
(native and non-native) that reside on the device, as well as data from the device’s internal storage
and memory card (images, videos, etc.), which takes additional time.

If some app packages could not be backed up, this screen provides an indication of how many app
packages were backed up successfully.
10. Click Continue. The following screen appears.

11. Follow the instructions and click OK. The Extraction summary window appears.

12. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

6.4.1. Installing the latest APK version

During the Android backup APK downgrade extraction the following notification appears if you have
not installed the latest APK version. The new APK version enables support for additional apps.

To download and install the latest APK version:
1. Go to MyCellebrite and log in with your credentials (or create an account).
2. Click Downloads.

3. Search for the APK under the Cellebrite UFED Software.

4. Download the APK Downgrade Pack and save it on the computer or to a USB drive.
5. In Cellebrite UFED, install the APK via Settings > Version > File.

7. Physical extraction
The Physical Extraction function enables you to perform a physical bit-for-bit image of the source
device memory to a removable storage device or PC.

UFED now provides a notification if advanced forensic capabilities are available via
Cellebrite Advanced Services for a growing range of supported Android and iOS
devices. To learn more, refer to:
https://www.cellebrite.com/en/services/advanced-unlocking-services/

Lock Bypass is displayed if the physical extraction method can bypass the user lock
of the device.

7.1. Performing a physical extraction

1. Click Mobile device and identify the device, then click Physical.

The Select Mode screen appears.

2. Click ADB or Boot Loader (Legacy).


ADB: Android Debug Bridge (ADB) is a built-in communication mechanism that allows
device debugging. With this extraction method, you can perform a physical or file system
extraction, provided that the device’s USB debugging option is enabled. If the device is
not already rooted, UFED attempts to temporarily gain the permissions required for the
extraction. In some cases, data from a memory card is extracted; however, we
recommend that you read the card with an external memory card reader.
Boot Loader: An extraction method that performs a physical extraction when the device
is in bootloader mode. With this extraction, the operating system is not running, so the
device cannot connect to the mobile network. It bypasses any user lock and is
forensically sound. The bootloader extraction does not support extractions from a
memory card.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The Select Extraction Location screen appears.

3. Click Next.

Depending on whether or not the device requires the UFED Device Adapter, the Waiting for Device
or Waiting for Device Adapter screen appears.

4. Do the following:
a. Select the correct cable and tip for the mobile device based on the instruction on the
screen.
b. Change the device settings according to the instructions.
c. Connect the device to the PC.

If the device requires the UFED Device Adapter to perform the extraction:

Connect the UFED Device Adapter to a USB port on the computer.

The source port on the UFED Device Adapter flashes.


Connect the device to the UFED Device Adapter.

5. Click Continue. The Extraction in Progress screen appears.

6. Follow any on-screen instructions.

For some devices, an estimate of the time the extraction will take is
displayed, for example: Blackberry, Nokia BB5, QCP (SamM550, LgEmergency,
LgP0), Android (generic and SPF), SpreadTrum, Samsung GSM (MTK,
LGInfinion, and BCM2133), and Palm.

When the extraction completes, the Extraction summary window appears.

7. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

If the system cannot connect to the device:

The following window appears with an error message.

Follow the instructions on the screen and click Retry.

7.1.1. The Physical extraction folder

At the end of the physical extraction process, the extracted data is saved in the location you selected
during the physical extraction process.

The extracted data folder is named Physical with the selected device name and
the extraction operation date. For example, Physical Samsung GSM SGH-A711
2011_06_12 (001)

The extracted data folder contains:

- Binary file of the device memory.
- UFD file containing the system extraction information, used by the Physical Analyzer application.

The extraction information can be viewed using Physical Analyzer. You can double-click the UFD
file or open it via the GUI.
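
The folder layouts described in "The file system extraction folder" and "The Physical extraction folder" lend themselves to a scripted integrity record for case notes. The following Python sketch is an added example, not Cellebrite code: it parses the folder name, hashes every file with SHA-256, and reports artifacts that are missing or have changed since a baseline. The file extensions (.zip, .ufd, .pm, .bin) and the sample file names are assumptions; the manual names only the artifact types.

```python
"""Inventory and re-verify a UFED extraction folder (added example)."""
import hashlib
import re
import tempfile
from datetime import date
from pathlib import Path

# Folder name layout, inferred from the two examples in the manual:
#   "<kind> <device name> <YYYY_MM_DD> (<NNN>)"
FOLDER_RE = re.compile(
    r"^(?P<kind>FileSystemDump|Physical)\s+(?P<device>.+?)\s+"
    r"(?P<date>\d{4}_\d{2}_\d{2})\s+\((?P<seq>\d{3})\)$"
)

# ASSUMPTION: extensions are illustrative. The manual lists the artifact
# types (zipped archive, UFD file, PM file, binary file) without extensions.
EXPECTED_SUFFIXES = {
    "FileSystemDump": {".zip", ".ufd", ".pm"},
    "Physical": {".bin", ".ufd"},
}


def parse_folder_name(name):
    """Split an extraction folder name into kind, device, date and sequence."""
    m = FOLDER_RE.match(name)
    if not m:
        raise ValueError(f"not an extraction folder name: {name!r}")
    year, month, day = (int(part) for part in m["date"].split("_"))
    return {
        "kind": m["kind"],
        "device": m["device"],
        "date": date(year, month, day),  # raises ValueError on an invalid date
        "seq": int(m["seq"]),
    }


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(folder):
    """Return folder metadata, per-file hashes and missing artifact types."""
    folder = Path(folder)
    record = parse_folder_name(folder.name)
    files = []
    for path in sorted(folder.rglob("*")):
        if path.is_file():
            files.append({
                "path": path.relative_to(folder).as_posix(),
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            })
    present = {Path(entry["path"]).suffix.lower() for entry in files}
    record["files"] = files
    record["missing"] = sorted(EXPECTED_SUFFIXES[record["kind"]] - present)
    return record


def verify(folder, baseline):
    """Compare the folder with an earlier inventory; list every difference."""
    current = {e["path"]: e["sha256"] for e in inventory(folder)["files"]}
    previous = {e["path"]: e["sha256"] for e in baseline["files"]}
    changes = []
    for path in sorted(previous.keys() | current.keys()):
        if path not in current:
            changes.append((path, "missing"))
        elif path not in previous:
            changes.append((path, "added"))
        elif current[path] != previous[path]:
            changes.append((path, "modified"))
    return changes


def demo():
    """Build a constructed sample folder, record it, alter it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "Physical Samsung GSM SGH-A711 2011_06_12 (001)"
        folder.mkdir()
        # Constructed stand-ins for the binary image and the UFD file.
        (folder / "dump.bin").write_bytes(b"\x00" * 4096)
        (folder / "dump.ufd").write_text("constructed placeholder\n")
        baseline = inventory(folder)
        # Simulate a single flipped byte in the image after acquisition.
        (folder / "dump.bin").write_bytes(b"\x00" * 4095 + b"\x01")
        return baseline, verify(folder, baseline)


if __name__ == "__main__":
    baseline, changes = demo()
    for entry in baseline["files"]:
        print(entry["sha256"], entry["size"], entry["path"])
    print("missing artifact types:", baseline["missing"])
    print("changes since baseline:", changes)
```

Store the baseline record outside the extraction folder so that a later `verify` run compares against a copy that could not have been altered along with the evidence.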

7.2. ADB rooted

The ADB method for Android rooted devices can be used when the physical extraction method is not
supported. Using the ADB method, you can perform a physical extraction from rooted Android devices.
This extraction method is for pre-rooted devices only, and does not root the device. To root a device
means to gain administrative rights on the file system.

A device can be rooted as part of recovery partition or fully rooted following a
rooting procedure. We recommend that you do not root the device; however, if
there is no other option, use this method.

To perform a physical extraction for a rooted Android device:

1. Click Mobile device and identify the device, then click Physical.

The Select Mode screen appears.

2. Click ADB (Rooted).

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The Select Extraction Location screen appears.

3. Click Next. The following window appears.

Depending on whether or not the device requires the UFED Device Adapter, the Waiting for Device
or Waiting for Device Adapter screen appears.

4. Do the following:
a. Select the correct cable and tip for the mobile device based on the instruction on the
screen.
b. Change the device settings according to the instructions.
c. Connect the device to the PC.

If the device requires the UFED Device Adapter to perform the extraction:

Connect the UFED Device Adapter to a USB port on the computer.

The source port on the UFED Device Adapter flashes.


Connect the device to the UFED Device Adapter.

5. Click Continue.

The Extraction in Progress screen appears.

6. Follow any on-screen instructions.

7. When the extraction is complete, the Extraction summary screen appears.

8. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

7.3. Advanced ADB

Advanced ADB extraction enables physical extraction of data from additional devices. This method
supports devices with Android operating systems up to version 7.1, on devices with a security patch
level up to November 2016, including Galaxy S7, Galaxy Note 5, LG G5, V20, and Nexus devices.

Due to the widely fragmented variance in Android devices, exceptions may apply.

To avoid any interruptions during the extraction, the device must be placed in
Airplane mode.

Before performing an Advanced ADB extraction:


1. Make sure the source device is fully charged.

2. Prepare a target storage device on which to save the extraction file. This target can be either a USB
mass storage device (connected via OTG cable 501 or 508), or an SD memory card.
The target storage device must have FAT32, vFAT, or exFAT format and have sufficient
space for the extraction.

If a USB drive is selected for the target storage, make sure you have an available OTG cable for
the extraction: OTG cable 501 (micro USB connector) or cable 508 (type C connector).

If an SD card is selected for the target storage, place it in the Android device now.

The SD card must be blank and not contain any case evidence.

If the card port location is under the device’s battery, restarting may relock
a device that was locked before. Therefore, for devices with OTG support,
we recommend using a USB drive for the target storage.

To perform an Advanced ADB extraction:

1. From the Home screen, detect the relevant device automatically. The following window appears.

If the relevant model is not listed, browse manually for a generic Android
model. See Generic model (on page 144).

2. Click Physical.

The Select Mode screen appears.


3. Click Advanced ADB.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

4. Follow the instructions to set up device connectivity.

5. On the source device, perform the following steps:


a. On Android OS 4.3 and above, go to Menu (Apps) > Settings (More) > Security and
clear the Verify apps setting. Approve any pop-ups that may appear.
b. Go to Menu (Apps) > Settings (More) > About (Software information) > More, and tap the
Build number 7 times until developer options are enabled.
c. Go to Development settings and enable USB debugging.
d. Connect the source device to the cable described in UFED.
e. A notification is added to the notification dropdown. Allow MTP and PTP on the device.

6. On the UFED screen, click Continue. The following window appears.

7. Click the relevant target storage. The following window appears.

If requested, you should only approve the installation of apps.

UFED is installing the extraction app and attempting to temporarily gain the permissions required
for the extraction. This stage can take approximately 20 minutes. During this process, the device
screen appears.

When UFED has prepared the device, a window appears indicating that the device is ready for
extraction. Disconnect the device from UFED and follow the instructions on the source device.
8. Click Continue.
9. Follow the instructions on the Android source device’s screen. For a USB drive target,
continue to the following step. For an SD card target, skip to the next step.

10. If a USB drive target was selected, the following screen appears.

a. Follow the on-screen instructions:
i. Disconnect the device from UFED.
ii. Use the OTG cable to connect the source device to the USB drive.

Selecting Switch to SD card changes the target type configuration.

Selecting Abort ends the extraction process and requires a device restart.

b. Skip the SD card step.

11. If an SD card target was selected, the following screen appears.

a. Follow the on-screen instructions:
i. Disconnect the device from UFED.

ii. If the target SD card is not yet inserted and is located under the device’s battery, restarting
may relock a device that was locked before. To avoid an extraction failure (for devices with
OTG support), select Switch to USB drive.

Reminder: This target device requires a FAT32*, vFAT, or exFAT format SD card with sufficient
space for the extraction.

Selecting Switch to USB drive changes the target type configuration.

Selecting Abort ends the extraction process and requires a device restart.

12. Select Continue. The reading process begins.

When the extraction is successfully completed, the following screen appears.

13. Select Exit to uninstall the extraction app without restarting the device, or select Restart to uninstall
the extraction app and return the device to its normal functionality.

Restarting may relock a device that was locked before.

The device only returns to normal functionality after restart.

14. Return to UFED.


15. Follow the on-screen instructions on the source device. When the extraction completes,
click Extraction failed, Extraction successful or Abort to update the extraction Activity log.
16. Click the relevant extraction status to update the extraction Activity log.
17. Follow the instructions and click Finish.

7.3.1. Generic model

To perform an Advanced ADB extraction:

1. From the Home screen, click Skip > Vendors (tab) and search for Smart Phones. The following
window appears.

2. Click Smart Phones. The following window appears.

3. Click the relevant model. The following window appears.

4. Click Physical.
5. Continue with the extraction.
6. To continue, refer to Advanced ADB (on page 136).

7.3.2. Errors and notifications

7.3.2.1. Disk format error

If you receive this error message, follow the instructions listed in the error message.

To format the storage device from the Android device:

1. Open notification.

2. Select the Corrupted USB drive notification. The following screen appears.

3. Follow the instructions to erase and format the device. Upon completion, the following screen
appears.

To format the storage device from the PC:

1. Plug the hard drive into your Windows PC. Right-click on the D drive and select Format. The
following window appears.

2. Under File System, select exFAT.


3. Click Start and complete the format process.

7.3.2.1.1. Extraction aborted

If Abort was selected during the extraction process, the screen on the left appears. After some time (up
to a few minutes) the screen on the right appears.

Select Exit to uninstall the extraction app without restarting the device.

The device only returns to normal functionality after a restart.

Select Restart to uninstall the extraction app and return the device to its normal functionality.

Restarting may relock a device that was locked before.

7.3.2.1.2. Extraction failed

If the extraction failed for any reason, the following screen appears with the failure reason.

Select Exit to uninstall the extraction app without restarting the device.

The device only returns to normal functionality after restart.

Select Restart to uninstall the extraction app and return the device to its normal functionality.

Restarting may relock a device that was locked before.

7.4. Boot loader (FW flashing)

The Boot loader (FW flashing) extraction method uses boot loader reflashing, which enables a physical
extraction while bypassing user lock (non-secure startup). This method is for Qualcomm-based
Samsung Galaxy S7 devices running firmware version of Android 7.x. For a complete list of supported
devices, refer to the UFED Supported Devices document in MyCellebrite. This extraction does not support
extractions from a memory card.

This Boot loader (FW flashing) extraction method requires the device’s firmware
to be flashed. In some cases the device may experience unexpected behavior and
you must flash the original device firmware, which causes a device wipe. Before
using this method, we recommend trying other Physical bootloader methods.

To perform Boot loader (FW flashing):

1. Click Mobile device and identify the device, then click Physical.

The Select Mode screen appears.

2. Select Boot loader (FW Flashing).

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The following Select extraction location window appears.

3. Select the extraction location. Click Next. The Waiting for Device screen appears.

4. Follow the on-screen instructions to place the device in Download mode, then connect the
required cable to the device and UFED.

5. Click Continue. The following window appears.

6. Click Continue to flash the device’s firmware. The following window appears.

7. Follow the on-screen instructions to place the device in Download mode again, then
connect the required cable to the device and UFED.

8. Click Continue. The following window appears.

9. Click Continue. The Extraction in Progress window appears.

10. Follow any on-screen instructions.

When the extraction completes, the Extraction completed successfully window appears.
11. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

7.5. Decrypting boot loader

This extraction method performs a physical extraction on encrypted Android devices with the following
Qualcomm chipsets: 8909, 8916, 8939, 8952, and 8396. It performs the extraction when the device is
in boot loader mode. It bypasses the user lock and is forensically sound.

To perform a Decrypting boot loader extraction:

1. Click Mobile device and identify the device, then click Physical.

The Select Mode window appears.

2. Click Decrypting Boot Loader.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The Select Extraction Location window appears.


3. Select the extraction location. Click Next. The Waiting for Device window appears.

4. Follow the on-screen instructions to place the device in the required mode. Click Continue when
enabled.

5. Disconnect the device from UFED, enter the specified mode again (for example, key combination,
EDL cable etc.) using the previous instructions, and then click Continue. The following window
appears.

When the extraction completes, the Extraction completed successfully window appears.
6. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

7.6. Forensic recovery partition

An extraction method that performs a physical extraction while the device is in recovery mode. UFED
replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition.
The original recovery partition on the Android device can be considered as an alternative boot partition
that may also change the user data, while Cellebrite’s recovery partition does not affect any of the user
data. This extraction method bypasses the user lock from several Samsung Android devices and is
forensically sound. It does not support extractions from a memory or SIM card.

For a complete list of supported devices, refer to the UFED Phone Detective Mobile App or the UFED
Supported Devices document in MyCellebrite.

We recommend that you use the Forensic recovery partition method when other
physical extraction methods (e.g., Bootloader) are not successful, or not available
(e.g., if the Android firmware version is not supported).

If the device does not start correctly after using this extraction method, use the
Exit Android Recovery Mode device tool. See Exit Android recovery mode (on
page 201).

To perform a forensic recovery partition extraction:

1. Click Mobile device and identify the device, then click Physical.

The Select Mode screen appears.

2. Select Forensic Recovery Partition.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The following screen appears.

3. Click Next.

Depending on whether or not the device requires the UFED Device Adapter, the Waiting for Device
or Waiting for Device Adapter screen appears.

The Waiting for Device screen appears.

4. Click Continue. The following warning is displayed.

5. Click Continue. The device is placed in download mode. The following screen appears.

6. Click Continue. The following screen appears.

7. Click Continue. The following screen appears.

8. Follow the instructions to place the device in Download mode. Force it to restart by pressing the
Power and Volume down buttons. When the device restarts, quickly press the Volume up, Home
and Power buttons. Click Continue when Downloading appears on the device’s screen (this can take
a few minutes).

The Extraction in Progress screen appears.

9. Follow any on-screen instructions.

When the extraction completes, the Extraction completed successfully window appears.
10. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

7.7. Smart ADB

The Smart ADB extraction method enables you to perform physical extractions on Android devices that
include the November 2016 security patch. This method is supported by OTG compatible devices, with
OS versions 6.0 and above. Only security unlocked devices are supported.

On some devices, you may need to enable the OTG option.

We recommend that you place the device in Flight mode.

If a specific device is not supported, we recommend that you use a similar model
or any generic Advanced ADB profile.

To perform a Smart ADB extraction:

1. Click Mobile device and identify the device, then click Physical.

The Select Mode screen appears.

2. Click Smart ADB.

For information about using optional timeframe and party filters, refer to the
Overview Guide.

The Waiting for Device screen appears.

3. Follow the on-screen instructions then click Continue. The following window appears.

4. Click Continue. The following window appears.

5. Disconnect the device and connect Cable No. 500 (side A) to UFED, then click Continue.

The initializing stage can take up to 30 minutes.

If required, this process flashes new firmware to the cable. You can also use the
Flash Cable 500 Firmware (on page 204) tool.

The following window appears.

6. Connect Cable No. 501 (or other specified cable) to the device and the other end of the cable to
Cable No. 500, then click Continue. The initialization process starts.

The following window appears.

7. Disconnect Cable No. 500 and reconnect the device using Cable No. 100 (or other specified cable).
Click Continue to start the extraction. The following window appears.

When the extraction completes, the Extraction completed successfully window appears. If Cellebrite
UFED could not find a setting for the specific device, UFED can attempt other potential settings. This
process requires user interaction and takes time to complete.
8. Click Continue to try the extraction with other settings. The following window appears.

9. Disconnect the cables and connect the device to UFED with Cable No. 100 (or specified cable), then
click Retry.

When the extraction completes, the Extraction completed successfully window appears.
10. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

8. Extracting Android devices
This chapter covers the pros and cons of each Android extraction method, and provides answers to
frequently asked questions about the extraction methods.

8.1. Android extraction methods

Many different devices run the Android operating system: phones, MP3 players, tablets, eBook
Readers, and more.

There are two main extraction methods for Android devices:


• ADB debugging - extraction using a built-in protocol that runs within the operating system.
  This method uses the Android Debugging Bridge (ADB), which is active when USB
  Debugging is enabled. Using this method, you can perform a physical or file system
  extraction on almost any Android device, provided that device USB debugging is enabled.
  All currently available Android OS versions are supported. For more information, see
  Android debugging bridge method (below).
• Bootloader extraction - extraction that takes place before the Android operating system
  starts running (several variations of this method are available). This method can be
  performed on locked devices. For more information, see Bootloader extraction (on
  page 170).

8.1.1. Android debugging bridge method

Q: How does ADB work?

A: ADB is a built-in protocol within the Android operating system. Every Android-based device has this
protocol, which enables developers to connect to an Android-based device and perform low-level
commands used for development. Cellebrite utilizes this protocol to extract data from Android devices.

Q: Can ADB be used to extract any Android device?

A: In theory, data can be extracted from every Android device using ADB. However, there are some
limitations:
• USB debugging must be enabled on the device.
• Access to the device must be with administrator permissions.

Q: How do I turn on USB debugging?

A: On most Android devices: go to Menu > Settings > Applications > Development and then click USB
debugging.

Q: Does this method bypass the unlock password or pattern? Will I be able to retrieve the code?

A: Device USB debugging must be turned on before it is possible to attempt an extraction. For locked
devices, you can perform an extraction if the user enabled USB debugging before locking the device.

For selected Android devices, you can perform a physical extraction, where there is greater support for
extraction from locked devices (pattern lock, PIN, or password). Following a successful physical
extraction, you can view the numeric password or pattern lock protecting the device in Physical
Analyzer, and use it to unlock the device.

Q: How do I get Administrator (root) permissions on the device?

A: When USB debugging is enabled, Cellebrite UFED automatically detects the Android OS version, and
whether or not access is at administrator level. If it is not, Cellebrite UFED automatically gains root
permissions.

You can gain access at administrator level manually using third-party tools, but
gaining access this way may harm the integrity of the data on the device, or has
the potential to render the device useless.

Q: I turned on USB debugging. What extraction types can I perform?

A: If USB debugging is enabled, you can perform either a physical extraction which extracts all the data
on the device, or a File System Extraction which extracts only relevant files.

The advantage of a physical extraction is that it retrieves more data from the device, making it possible
to recover deleted files such as photos that were saved on the device. The disadvantage is that it takes
more time, and that file system reconstruction is not supported for all devices.

The advantage of a file system extraction is that it takes less time. You are able to view all vital
information including deleted records (but excluding deleted files), even if file system reconstruction is
not supported.

Q: When selecting the Generic Profile on Cellebrite UFED, what are Method 1 and Method 2? Which
should I choose?

A: Methods 1 and 2 are different connection configurations. You cannot tell in advance which Android
device requires which method. Try one method, and if unsuccessful, try the second method.

Q: Does the ADB extraction method change any of the data on the device?

A: When extracting using the ADB method, a few client applications are written to the device
/data/local/tmp folder.

8.1.2. Bootloader extraction

Q: What is bootloader extraction?

A: The bootloader extraction method performs a physical extraction when the device is in bootloader
mode. In this extraction method, the Android operating system is not running, so the device cannot
connect to the mobile network.

Q: Does this method bypass the unlock password or pattern? Will I be able to retrieve the code?

A: Using this method, you are able to bypass any type of lock, and can retrieve a numeric PIN lock or
unlock pattern.

Q: Does this extraction method change any of the data on the device?

A: No, this method is completely forensically sound.

Q: Which devices are supported by this method?

A: Currently most Motorola Android devices, and selected Samsung Android, Qualcomm, LG GSM, and
LG CDMA are supported.

8.1.3. Stopping an extraction

You can now stop Android File System extractions (not including Android Backup and APK downgrades)
before they complete and save the (partial) extraction to that point.
1. To stop an extraction in progress, click the STOP button in the screen labeled "Extraction in
progress".
A confirmation message displays.
2. Click "Stop Extraction" (the exact wording might change).
The extraction procedure will finish extracting the current file and stop.

The partial extraction can be opened in Physical Analyzer.

A message stating that the extraction is partial and was stopped by the user displays in Physical
Analyzer v7.54 and above.

To continue with the extraction (and not stop the current extraction), click Continue extraction (the
exact wording might change). The extraction continues uninterrupted.

8.2. Technical terms

Android: Google’s mobile operating system. You can find a list of Android devices here:
http://en.wikipedia.org/wiki/List_of_Android_devices. Another very helpful resource is
http://pdadb.net.

Brick: A device that cannot function in any capacity (such as a device with damaged firmware). Refer to
http://en.wikipedia.org/wiki/Brick_%28electronics%29.

Client: A program written by Cellebrite that runs on the Android operating system itself.

Root / rooting: A process that allows users of cell phones and other devices running the Android
operating system to attain privileged control (root access) within Android’s Linux subsystem, similar to
jailbreaking on Apple devices running the iOS operating system, overcoming limitations that the
carriers and manufacturers put on such phones. Refer to
http://en.wikipedia.org/wiki/Rooting_%28Android_OS%29.

9. Drone extractions
UFED enables you to extract flight data and multimedia files from supported drones. You can perform
physical extractions, as well as capture images of drones. For a complete list of supported drones, refer to
the UFED Supported Devices file in MyCellebrite.
1. When the extraction completes, the Extraction completed successfully window appears.

10. Capture images and screenshots
The Cellebrite UFED camera enables you to collect evidence by taking pictures or videos of a device.
You can also use a Screenshot feature to capture internal screenshots directly from a Blackberry,
Android or iOS device. Both these options can be useful as complementary evidence or in instances
when data cannot be extracted from a device. You can add notes, categories and bookmarks to the
pictures and videos, which will be visible in Physical Analyzer and Logical Analyzer.

The collected evidence can be shown within a standalone custom report or in addition to the extracted
information. The report includes information about the device, connection type, Cellebrite UFED
version, and serial number. Image information includes file name link, file size, date and time, MD5 and
SHA256 hash information. The images are located in a folder called Snapshots and are in PNG format.
Video information includes file name, file size, date and time, and a link to the file. The videos are
located in a folder called Videos and are in AVI format.
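
The recorded hashes are only useful if someone recomputes them later. The following added example (not Cellebrite code) hashes the files in the Snapshots and Videos folders with MD5 and SHA256, stores the result in a manifest, and reports any file that was later modified, removed or added. The folder names and file formats come from the text above; the manifest layout and the function names are assumptions made for this example.

```python
import hashlib
from pathlib import Path

# Folder names and file formats as described in the manual text.
EVIDENCE_DIRS = {"Snapshots": ".png", "Videos": ".avi"}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Compute size, MD5 and SHA256 in one pass so large videos are read once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {
        "size": path.stat().st_size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def build_manifest(root) -> dict:
    """Map 'Folder/filename' to its hashes for every captured image and video."""
    root = Path(root)
    manifest = {}
    for folder, extension in EVIDENCE_DIRS.items():
        directory = root / folder
        if not directory.is_dir():
            continue  # a capture session may contain only pictures or only videos
        for path in sorted(directory.iterdir()):
            if path.is_file() and path.suffix.lower() == extension:
                manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify(root, manifest: dict) -> dict:
    """Compare the folder's current state with a manifest recorded earlier."""
    current = build_manifest(root)
    findings = {"modified": [], "missing": [], "unexpected": []}
    for name, recorded in manifest.items():
        if name not in current:
            findings["missing"].append(name)
        elif current[name] != recorded:
            # Any difference in size, MD5 or SHA256 counts as a modification.
            findings["modified"].append(name)
    for name in current:
        if name not in manifest:
            findings["unexpected"].append(name)
    return findings


if __name__ == "__main__":
    import json
    import tempfile

    # Constructed sample data: placeholder bytes stand in for real captures.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Snapshots").mkdir()
        (root / "Snapshots" / "device_front.png").write_bytes(b"constructed image")
        recorded = build_manifest(root)
        print(json.dumps(recorded, indent=2))
        (root / "Snapshots" / "device_front.png").write_bytes(b"altered image")
        print(verify(root, recorded))
```

Store the manifest separately from the extraction folder (for example with the case file) so that a change to the evidence cannot also rewrite the reference hashes.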

10.1. The Cellebrite UFED camera

The Cellebrite UFED camera is offered as an add-on that is controlled by the Cellebrite UFED. All
necessary drivers are preinstalled with the application. The Cellebrite UFED camera includes a camera
stand, which enables you to adjust the height and the angle of the Cellebrite UFED camera, a pad to
place the device, and an anti-glare pad to prevent glare when taking pictures. Connect the camera to
an available USB port of the computer.

10.2. Capturing images

You can take pictures or videos of a device.


To capture images or videos:

1. Click Camera.

The Select Extraction Location screen appears.

2. To select an alternate save location, click Change target path. A folder for this extraction is
created in this location and includes the images (snapshots), videos, UFD file, index file, and
report file.
3. Click Next.

4. Connect the Cellebrite UFED camera to a USB port on the computer. The following window appears.

If you have multiple cameras, you can choose the required camera in the Select camera field.
5. Do one of the following:

Click to start a video recording and click to stop the video
recording.

Click to take a picture.


Click Other to change the default category. Images and videos are displayed in Physical
Analyzer and Logical Analyzer under these categories.
Click an image or video to add notes, bookmarks, or categories, or to delete the file.
Click to move back to live view.

To rotate a picture or video, or play a recorded video, click the picture or video,
and then click the picture or video in the leftmost screen. Use the rotate
buttons or video buttons. See the following examples.

6. Click Next to continue.

When the extraction completes, the Extraction completed successfully window appears.

7. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

10.3. Capturing screenshots

The Screenshot feature captures internal screenshots directly from a Blackberry, Android or iOS device.
To capture screenshots from the devices:

1. Click Mobile device and identify the device, then click Screenshots.

The Select Extraction Location screen appears.

2. If required, select an alternate save location, and click Next.

The Waiting for Device screen appears.

3. Follow the instructions to connect the device.

4. Click Continue.

The Screenshots screen appears.

If you have multiple cameras, you can choose the required camera in the Select
camera field.

5. Capture the desired screenshots and click Next. The Capture Screenshots Summary
screen appears.
6. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

11. SIM card functionality
The SIM Card functions enable you to perform various SIM card related functions:
• SIM data extraction
• Clone SIM

11.1. SIM data extraction

The SIM Data Extraction function enables you to perform logical extraction from a SIM or USIM card.

11.1.1. Performing SIM data extraction

The following example is performed using a SIM Card.


To perform the SIM Data Extraction:

1. Click SIM Card. The following window appears.

2. Click either SIM or Iden SIM. The Select Extraction Type window appears.

3. Click SIM Data Extraction. The Select Extraction Location window appears.

4. Select the extraction location and tap Next. The following window appears.

5. Connect the UFED Device Adapter or UFED SIM Adapter to a USB port.

The Waiting for Device screen appears.

6. Insert the SIM card into the SIM card slot.

7. Click Continue. The extraction begins.

The following window appears.

8. Click Use PIN, Use PUK, or Skip protected data.

When the extraction completes, the Extraction completed successfully window appears.

9. Click Open Preview Report to view an HTML preview report (Logical extractions only) that
includes information about the device and the extraction, click Open with Physical Analyzer
to open the extraction in Physical Analyzer, click Show in Folder to open the folder where
the UFD extraction file is located, click Additional Extractions to add additional extraction
types for the same device, or click Finish to end the process and return to the Home screen.

11.1.1.1. The extracted SIM data folder

At the end of the SIM data extraction process, the extracted SIM data is saved in the location you
selected previously.

The extracted SIM data folder is named UFED SIM card with the extraction date
and counter: UFED SIM card SIM card <DATE> (001)

If you selected to extract to the local drive, the extracted SIM data folder is located inside the
application’s Backup folder.

The extracted SIM data folder contains a forensic report of extracted data in both HTML and XML
formats and call log file (*.clog).

11.2. Clone SIM

The Clone SIM ID function enables you to copy the SIM ID from one SIM card to a UFED SIM ID Access
Card.

Cloning the SIM ID provides a suitable solution to several problems facing forensic examiners, by
allowing extraction of the device data:
• While preventing the cellular device from connecting to the network, rendering the device
  invisible to the network without the ability to send or receive calls or SMS messages, and
  thereby preserving the device’s current information. (No Faraday Bag is required to block
  RF signals).
• When the original SIM is not available, by manually programming the ICCID or IMSI into the
  Cloned SIM ID Card to mimic the original missing card.
• When the SIM card is PIN locked, by cloning the identification of the original SIM, which
  allows extraction of the device data without losing critical data including call history and
  SMS messages.

There are three different ways that a SIM card can be cloned:
• Clone an existing SIM card - to create a cloned SIM to use to extract device data without a
  network connection. See Cloning an existing SIM card ID (on the facing page).
• Manually enter SIM data - to manually program the ICCID and IMSI to the cloned SIM card.
  See Entering SIM data manually (on page 191).
• Create GSM Test SIM - The GSM test SIM card is used to extract device data when the
  original SIM is not available. A default ICCID and IMSI are programmed into the Cloned
  SIM ID Card to mimic the original missing card. See Creating a GSM test SIM (on page 195).

11.2.1. Cloning an existing SIM card ID

1. Click Clone SIM. The Waiting for Device Adapter screen appears.

2. Connect the UFED Device Adapter or UFED SIM Adapter to a USB port on the computer.

3. Follow the steps below depending on the adapter you are using.

If you are using the UFED Device Adapter:

These instructions are for the previous version of the UFED Device Adapter, as
displayed in the picture below:

1. Insert the MultiSIM adapter into the port marked SIM.


2. Insert the SIM card into the slot on the MultiSIM adapter, as indicated on the adapter.

IMPORTANT:
Verify that any previously inserted SIM card is removed before attempting to
insert a SIM.

3. Insert the SIM card up to the stopper point, without applying pressure.

4. Tap Continue and follow the instructions in To select the source and clone the SIM card (on
page 189).

If you are using the UFED SIM Adapter:

These instructions are for the UFED SIM Adapter, as displayed in the picture
below:

To select the source and clone the SIM card:

The Select Source screen appears.

1. Click Clone an existing SIM card.

The Clone SIM ID prompt appears.

2. Check that the right SIM was inserted into the SIM card reader slot.

3. Click Continue. The following window appears.

4. Click Use PIN, Use PUK or tap Skip protected data. The Extraction in Progress Source screen appears.

When the information has been extracted from the SIM, the Insert Target Card prompt appears.

5. Remove the original SIM card from the SIM card reader.
6. Insert a UFED SIM ID Access Card into the SIM slot.

7. Click Continue.

At the end of the data process, a summary of the SIM cloning process is displayed, detailing the
ICCID and IMSI information of the cloned SIM card.

8. To end the process and return to the home screen, click Finish.

11.2.2. Entering SIM data manually

1. In the home screen, click Clone SIM.

The Waiting for Device screen appears.

Connect the UFED Device Adapter to a USB port.


2. Insert the UFED SIM ID Access card into the UFED Device Adapter.

3. Click Continue.

The Select Source screen appears.

4. Click Manually enter SIM data. The following screen appears.

5. Enter the SIM ICCID number (up to 20 digits).

6. Click OK. The following screen appears.

7. Enter the SIM IMSI number (up to 15 digits), then click OK.

The Select Language screen appears.

8. If required, select either a language or click None. The Enter advanced settings screen appears.

9. Click No or Yes to continue.
Click No to continue. Proceed to step 15.

Click Yes to display the advanced settings. Extraction in Progress > Enter SPN screen appears.

10. Enter the SIM SPN number (up to 16 digits), then click OK. The following screen appears.

11. Enter the SIM GID 1 number (up to 8 characters) and click OK. The Extraction in Progress >
Enter GID 2 screen appears.
12. Enter the SIM GID 2 number (up to 8 characters).
13. Click OK. The Insert Target Card prompt appears.
14. Insert the UFED SIM ID access card into the UFED Device Adapter SIM card reader.

15. Click Continue.

The Extraction in Progress screen is displayed throughout the data writing process.

At the end of the data writing process, a summary of the SIM cloning process is displayed, detailing
the ICCID and IMSI information programmed to the SIM card.
16. To end the process and return to the home screen, click Finish.
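
Because the values in steps 5 to 12 are typed by hand, a transcription error ends up on the target card unnoticed. The following added example (not Cellebrite code) checks values copied into case notes before they are entered: it enforces the field limits stated in the steps above, applies the standard Luhn check digit test and the "89" telecom prefix to the ICCID, and splits the IMSI into MCC, MNC and MSIN. The function names, the default 2-digit MNC and the sample numbers are assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Field limits taken from the manual-entry steps above.
MAX_ICCID, MAX_IMSI, MAX_SPN, MAX_GID = 20, 15, 16, 8


@dataclass
class CheckResult:
    errors: list = field(default_factory=list)    # value cannot be entered as written
    warnings: list = field(default_factory=list)  # enterable, but probably mistyped
    parsed: dict = field(default_factory=dict)

    @property
    def ok(self) -> bool:
        return not self.errors


def luhn_valid(digits: str) -> bool:
    """True if the final digit is a correct Luhn check digit for the rest."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(raw: str) -> str:
    """Drop the spaces and hyphens people add when copying numbers by hand."""
    return re.sub(r"[\s-]", "", raw)


def check_iccid(raw: str, res: CheckResult) -> None:
    iccid = _digits(raw)
    if not re.fullmatch(r"[0-9]+", iccid):
        res.errors.append("ICCID must contain digits only")
        return
    if len(iccid) > MAX_ICCID:
        res.errors.append(f"ICCID has {len(iccid)} digits, limit is {MAX_ICCID}")
        return
    res.parsed["iccid"] = iccid
    if len(iccid) not in (19, 20):
        res.warnings.append(f"ICCID length {len(iccid)} is unusual (19 or 20 expected)")
    if not iccid.startswith("89"):
        res.warnings.append("ICCID does not start with 89 (telecom industry prefix)")
    if not luhn_valid(iccid):
        res.warnings.append("ICCID fails the Luhn check; re-read it from the source")


def check_imsi(raw: str, res: CheckResult, mnc_len: int = 2) -> None:
    imsi = _digits(raw)
    if not re.fullmatch(r"[0-9]+", imsi):
        res.errors.append("IMSI must contain digits only")
        return
    if len(imsi) > MAX_IMSI:
        res.errors.append(f"IMSI has {len(imsi)} digits, limit is {MAX_IMSI}")
        return
    if len(imsi) < 3 + mnc_len + 1:
        res.errors.append("IMSI is too short to hold MCC, MNC and MSIN")
        return
    # The MCC is always 3 digits. The MNC is 2 or 3 digits depending on the
    # network, so the caller states the split (assumption: 2 unless told otherwise).
    res.parsed.update(imsi=imsi, mcc=imsi[:3],
                      mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])
    if len(imsi) < MAX_IMSI:
        res.warnings.append("IMSI is shorter than 15 digits; confirm no digit was dropped")


def validate_sim_fields(iccid, imsi, spn="", gid1="", gid2="", mnc_len=2) -> CheckResult:
    """Check every value that the manual-entry screens ask for."""
    res = CheckResult()
    check_iccid(iccid, res)
    check_imsi(imsi, res, mnc_len)
    for name, value, limit in (("SPN", spn, MAX_SPN),
                               ("GID 1", gid1, MAX_GID),
                               ("GID 2", gid2, MAX_GID)):
        if len(value) > limit:
            res.errors.append(f"{name} has {len(value)} characters, limit is {limit}")
    return res


if __name__ == "__main__":
    # Constructed sample values (test network MCC 001 / MNC 01), not from a real card.
    # The second ICCID has two adjacent digits swapped, a typical copying error.
    for iccid in ("8900101234567890120", "8900101234567890210"):
        result = validate_sim_fields(iccid, "001 01 0123456789", spn="Example Mobile")
        print(iccid, "ok" if result.ok else "rejected", result.warnings)
```

A Luhn failure is reported as a warning rather than an error, so the examiner decides whether to re-read the number from its source or enter it as recorded.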

11.2.3. Creating a GSM test SIM

1. Click Clone SIM.

The Waiting for Device screen appears.

The SIM port on the Device Adapter continues to flash even after you insert the SIM card into the
SIM reader slot.

2. Insert the SIM card into the SIM card reader slot located in the left of the front panel.
3. Click Continue. The Select Source screen appears.

4. Click Create GSM Test SIM. The following screen appears.

5. Make sure that the target SIM card is inserted correctly into the SIM card reader slot, then
click Continue. The Extraction in Progress screen is displayed throughout the data reading
process. At the end of the data writing process, a summary of the SIM cloning process is
displayed, detailing the ICCID and IMSI information programmed to the SIM card.
6. To end the process and return to the home screen, click Finish.

12. Device tools

To access the device tools:


From the Home screen, click Device tools. The following window appears.

The Device Tools screen provides access to the following tools:

12.1. Activate TomTom trip log
12.2. Android Debug Console
12.3. Bluetooth scan
12.4. Disable iTunes encryption password
12.5. Exit Android recovery mode
12.6. Exit iOS recovery mode
12.7. Exit Motorola Bootloop
12.8. Exit Odin mode
12.9. Flash Cable 500 Firmware
12.10. LG EDL recovery
12.11. Nokia WP8 recovery tool
12.12. Remove Android extraction files
12.13. Samsung Exynos Recovery
12.14. Switch to CDMA offline mode
12.15. Uninstall Windows mobile client

12.1. Activate TomTom trip log

This tool enables you to activate or deactivate the trip log logging feature of a connected TomTom
device, which is often disabled by the user.
To activate TomTom trip log:
1. Click Tools and then click Activate TomTom trip log.

2. Connect the UFED Device Adapter.

The Select Mode prompt appears.


3. Select the desired mode.

A prompt labeled Attention appears requesting to connect the device to Cellebrite UFED.
4. Connect the device to Cellebrite UFED.
5. Click Continue.

12.2. Android Debug Console

This tool retrieves device information using Android Debug Bridge (ADB).
To use the tool:
1. Click Tools and then click Android Debug Console.

2. If required, you are prompted to connect the Cellebrite UFED Device Adapter to a USB port (UFED
and non-kiosk platforms only). The following window appears.

3. Follow the on-screen instructions.

4. Tap OK to receive the device information. The following window appears.

12.3. Bluetooth scan

This tool enables you to scan for available Bluetooth devices in your proximity and to pair with them.
Make sure that Bluetooth is enabled on the device.
To perform a Bluetooth scan:
1. Click Tools and then click Bluetooth scan.
2. Connect the Cellebrite UFED Device Adapter (UFED and non-kiosk platforms only).

3. A list of Bluetooth devices in the vicinity appears. Select one of the following options:
• Click one of the devices: The Device summary window appears.
• Click Continue: The Device summary window appears.
• Click Refresh list: The Device tool in progress window appears and Cellebrite UFED tries to
  find additional devices.

12.4. Disable iTunes encryption password

If you select to enable backup encryption during an iOS File system extraction (Full or Backup modes),
and for any reason the extraction was stopped in the middle, the device may remain encrypted.
Disable iTunes encryption password resets the encryption on the device.

12.5. Exit Android recovery mode

This tool includes two options related to physical extractions using the Forensic Recovery Partition
method on Android devices.
• Exit recovery mode: In some cases, due to device failure, or if the mobile device was
  improperly disconnected from Cellebrite UFED, the mobile device remains in recovery
  mode. This option takes the device out of recovery mode.
• Exit bootloop: In some cases, due to device failure, or if the mobile device was improperly
  disconnected from Cellebrite UFED, the mobile device keeps rebooting instead of entering
  the normal mode. This option takes the device out of this bootloop.

12.6. Exit iOS recovery mode

Occasionally, a mobile device may remain in recovery mode following exploitation. This generally
happens due to device failure, or when the mobile device was improperly disconnected from Cellebrite
UFED. This tool enables the investigator to take the device out of recovery mode manually.

To use the tool:

1. Select Tools > iOS Exit Recovery Mode.

2. Connect the device to Cellebrite UFED.

3. The process is initialized. The following window appears.

The device is released from recovery mode and restarts automatically.

12.7. Exit Motorola Bootloop

In some cases, due to device failure, or if the Motorola mobile device was improperly disconnected
from Cellebrite UFED, the mobile device keeps rebooting instead of entering the normal mode. Exit
Motorola Bootloop takes the device out of this bootloop.

12.8. Exit Odin mode

To perform physical extractions on some Samsung devices, the device is placed in Odin mode. In some
cases, due to device failure, or if the mobile device was improperly disconnected from Cellebrite UFED,
the mobile device remains in Odin mode. Exit Odin mode takes the device out of Odin mode.

12.9. Flash Cable 500 Firmware

When using the Smart ADB method, the firmware on Cable No. 500 is changed and no longer supports
the Cellebrite UFED User Lock Code Recovery Tool. The Flash Cable 500 Firmware tool flashes the
required firmware to the cable to support either the Smart ADB method or the Cellebrite UFED User
Lock Code Recovery Tool.

In the Smart ADB method, Cellebrite UFED verifies the cable firmware and flashes
it if required. Cellebrite UFED User Lock Code Recovery Tool does not include
cable verification.

To flash the firmware for the Smart ADB extraction method:


1. Click Tools and then click Flash Cable 500 Firmware.
2. Connect the Cellebrite UFED Device Adapter to a USB port (UFED and non-kiosk platforms
only).
3. Connect Cable No. 500 (side A) to the USB port.
4. Tap Smart ADB Firmware and wait for the process to finish.

12.10. LG EDL recovery

In some cases, due to device failure, or if the mobile device was improperly disconnected from
Cellebrite UFED, the LG device remains in emergency download (EDL) mode and appears off. LG EDL
recovery takes the device out of EDL mode.

To use the tool:


1. Click Tools and then click LG EDL recovery.
2. If required, you are prompted to connect the Cellebrite UFED Device Adapter to a USB port
(UFED and non-kiosk platforms only).
3. Follow the on-screen instructions.
4. Tap Continue and wait for the tool to finish running.

12.11. Nokia WP8 recovery tool

To perform physical extraction on some Nokia Windows Phone 8 devices, the device is placed in
recovery mode. In some cases, due to device failure, or if the mobile device was improperly
disconnected from Cellebrite UFED, the mobile device remains in recovery mode. Nokia WP8 recovery
tool takes the device out of recovery mode.

12.12. Remove Android extraction files

When performing extractions of devices with Android operating systems, a client is installed and some
files are written to the mobile device. In some cases (e.g., due to a failure, or if the mobile device was
improperly disconnected from Cellebrite UFED) the client and the files remain on the mobile device.
This tool uninstalls the client and removes the files from the device.

12.13. Samsung Exynos Recovery

In some cases, due to device failure, or if the mobile device was improperly disconnected from
Cellebrite UFED, the device remains off and the Android OS does not start. Samsung Exynos Recovery
attempts to resolve this issue.

12.14. Switch to CDMA offline mode

This tool enables you to switch radio on CDMA devices to offline mode.
To switch to CDMA offline mode:
1. Click Tools and then click Switch to CDMA offline mode.

2. Connect the Cellebrite UFED Device Adapter (UFED and non-kiosk platforms only). The Select Link
prompt appears.

3. Select the link type (USB Cable or Serial Cable). The Device Tool in Progress window appears.

4. Tap OK.

Upon completion, the Device Tool Summary appears.

12.15. Uninstall Windows mobile client

To perform logical extractions on devices with Windows Phone operating systems, a client is installed
on the device. In some cases, due to a device failure, or if the mobile device was improperly
disconnected from Cellebrite UFED, the client remains installed on the mobile device. Uninstall
Windows mobile client enables the client to be manually uninstalled.

13. Settings
The settings screen provides access to a set of functional and behavioral setup options used to control
the functionality and usability of Cellebrite UFED.

To access the settings screen, click the menu icon in the application taskbar and select Settings.

The settings are grouped in the settings screen in the following tabs:
General settings (on the next page)
Report settings (on page 217)
System settings (on page 223)
License settings (on page 224)
Version details (on page 233)
Activity Log (on page 242)

The settings screen opens on the General tab.

When using the Cellebrite Commander, these settings may be managed by Cellebrite Commander.

Changes that are made to the settings via Cellebrite Commander or manually by a
user, affect all users on the same machine.

13.1. General settings

The settings screen opens on the General tab.

The General tab provides access to the functions and settings listed in the following table.

| Setting | Description | Default |
| --- | --- | --- |
| Swap first and last name in phonebook | Swaps the first and last name in phone book entries. | Selected |
| Interface language | Changes the interface language. For more information, see Changing the application interface language (on page 213) | English |
| Operate in covert mode | Renames the application client name from Cellebrite.sis/exe to AAA.sis/exe. | Selected |
| Uninstall reminder | When enabled, the Cellebrite UFED prompts you to uninstall the client from the examined device. | Selected |
| Save extractions to | Sets the location where extractions are saved. For more information, see Changing the extraction location (on page 216) | |
| Allow user predefined filter | Displays the timeframe and select parties windows during an extraction. For more information about the User predefined filter, see User predefined filter (on page 59). | Cleared |
| Enable extraction of deleted messages from SIM | Extracts deleted messages from a SIM. | Selected |
| Require a password on wakeup | Requires the user to enter a password when Cellebrite UFED is in sleep mode. | Selected |
| Enable Android Backup APK Downgrade | Enables the Android Backup APK Downgrade method. | Selected |
| Enable online device instructions | Displays the online device instructions instead of the offline device instructions. This setting is for the Waiting for Device instructions, which explains how to connect a source device to Cellebrite UFED. If you have network performance issues when using the online device instructions, clear Enable online device instructions. | Cleared |
| Show device restart alerts | Displays device restart alerts during the extraction process. | Cleared |
| Cable and Tip mode | Indicates the cable or tip to be used during the extraction. | Tip |
| Include Case details screen | Displays the Case details window during the extraction process. For more information, see Case details (on page 51). If selected, you can also display the extraction folder name according to the case details. The default is according to the device model name. | Cleared |
| Show investigation notes | Displays the Investigation notes widget, which enables you to add pictures, screen shots and text to document the investigation. See Investigation notes (on page 51). | Cleared |
| Include camera screen | Displays the camera window during the extraction process. | Cleared |
| Automatically open extractions with Physical Analyzer | If installed, the extraction is opened automatically in Physical Analyzer. | Cleared |
| Choose additional logo | Select an additional logo that is displayed in the title bar of the home screen. | |
| Video quality | Set the video quality of the Cellebrite UFED camera to Best (1920 x 1280), Normal (1024 x 1280 default) or Low (640 x 480). | Normal |
| Enable device info (Advanced logical) | Displays the Device Info window during the Advanced Logical extraction. This window provides information about the device data, before performing an Android extraction. | Selected |

212
13.1.1. Changing the application interface language

1. Click the language field.

The Select Language screen appears with the current language selected. (In this case, English).

Use the arrows to scroll through the list of available interface languages.

2. Click the required language.

The following message appears (in the selected language).

3. Click OK.

The General tab appears with the language of choice in the Interface language field.
4. Click Save to close the Settings panel.

5. To restart the application:

a. To close the application, click in the application taskbar.

b. To restart the application, do one of the following:

Click the application shortcut icon located in the UFED shortcuts panel at the right of the screen.
Double-click the Cellebrite UFED icon located on the Desktop.
Click Start > Cellebrite UFED.
Click Start > All Programs > Cellebrite Mobile Synchronization > Cellebrite UFED.

Cellebrite UFED starts in the selected language.

If Simplified Chinese is added to the Cellebrite UFED license, you must restart the
application before the change takes effect.

13.1.2. Changing the extraction location

1. In the Save extractions to area, click Browse. The Browse for folder dialog box appears.

2. Select the folder where you want to save the extraction files, and click OK.

13.2. Report settings

To set the report settings:


1. Access the Settings > Reports tab.

2. To set the generated reports language, click next to Generate Reports Language, and
select the desired language.

3. To set how the known issues notes about the extracted device are logged in the generated report,
click next to Note display modes, and select one of the following:
Disable – Do not include device specific notes in the report.
Separated Notes – Add all the device specific notes at the end of the report.
Embedded Notes – Device-specific notes follow the content type they refer to in the
report.

4. To set the generated reports visual formats, click next to Report format, and select one of the
following:
Normal – The standard report structure, suitable to standard display screens.
Compact – A compact report structure, suitable for devices with a small display area.

5. To set the generated reports folder name formats, select next to Report folder format, and
select one of the following:
Model Serial YYYY_MM_DD – The folder name is constructed from <the model name> <the model serial> <the year in 4 digits>_<the month in 2 digits>_<the day in 2 digits>
YYYYMMDD Model Serial – The folder name is constructed from <the year in 4 digits><the month in 2 digits><the day in 2 digits> <the model name> <the model serial>
6. Select or clear Hash using MD5 to toggle the display of the MD5 values which are generated
for each file in the extracted data. This increases the time required to complete the
extraction.
7. Select Create MD5 list file to generate a Checksums.md5 file that contains all the
generated MD5 values of the extracted data.
8. Select or clear Hash using SHA-256 to toggle the display of the SHA-256 values which are
generated for each file in the extracted data.
9. Select or clear Partial Extraction to set whether, in the event of an extraction error, the
partially extracted data up to the error point is included in the generated report.
10. Click Report custom fields to add, remove and edit report fields. For more information, see
Managing report fields (on the facing page).
11. To set a field as required, click the field in the Required column.
12. Click Save.
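
The Checksums.md5 file from step 7 is only useful if someone re-checks it after the extraction folder has been copied or archived. The following added example (not part of the Cellebrite manual or software) re-hashes an extraction folder against that list and reports changed, missing and unlisted files, recording a SHA-256 value alongside each MD5. The line layout of Checksums.md5 is an assumption (md5sum style), and the file names in the demo are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# ASSUMPTION: md5sum-style lines, "<32 hex digits>  <relative path>" (an
# optional "*" before the path is accepted). Adjust LINE_RE if the file differs.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+?)\s*$")


def file_digests(path, chunk_size=1 << 20):
    """Read the file once in chunks and return (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def parse_md5_list(list_path):
    """Return {relative_path: md5_hex}; refuse lines that do not parse."""
    expected = {}
    with open(list_path, "r", encoding="utf-8-sig") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip():
                continue
            match = LINE_RE.match(line)
            if match is None:
                raise ValueError(f"{list_path}:{lineno}: unrecognised line")
            rel = match.group(2).replace("\\", "/")  # normalise Windows separators
            expected[rel] = match.group(1).lower()
    return expected


def verify_extraction(root, list_name="Checksums.md5"):
    """Compare every listed file with its current MD5 and classify the result."""
    root = Path(root).resolve()
    expected = parse_md5_list(root / list_name)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": [], "sha256": {}}
    for rel, want in sorted(expected.items()):
        target = (root / rel).resolve()
        # A list entry must never point outside the extraction folder.
        if root not in target.parents:
            raise ValueError(f"entry escapes the extraction folder: {rel}")
        if not target.is_file():
            report["missing"].append(rel)
            continue
        md5_hex, sha256_hex = file_digests(target)
        report["sha256"][rel] = sha256_hex
        report["ok" if md5_hex == want else "mismatch"].append(rel)
    # Files present on disk but absent from the list were added after hashing.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(on_disk - set(expected) - {list_name})
    return report


if __name__ == "__main__":
    # Constructed demo: one sample file and a matching list in a temp folder.
    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp)
        data = b"constructed sample content\n"
        (demo / "sample.bin").write_bytes(data)
        (demo / "Checksums.md5").write_text(
            hashlib.md5(data).hexdigest() + "  sample.bin\n", encoding="utf-8"
        )
        print(verify_extraction(demo))
```

Any entry under mismatch, missing or unlisted means the folder no longer matches what was hashed at extraction time and should be explained in the case notes before the data is relied on.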

13.2.1. Managing report fields

1. Click Report custom fields to customize the report by defining additional fields that are filled at the
end of the extraction.

2. To add a new field:

a. Click Add.

b. Enter the field name in the Field Name field.

To display the keyboard, click Keyboard.

c. To set the field as mandatory, select Required next to the field name.
d. Click Update, or to exit without saving, click Cancel.
3. To add additional fields, repeat step 2.

4. To edit an existing field:

a. Click the field in the list, and click Edit.
b. Repeat steps 2b-2d.

You cannot edit the field name of a default custom field.

5. To delete a field:

a. Click the field in the list, and click Delete.

b. In the confirmation message, click Yes.


6. Click Save in the Reports tab.

13.3. System settings

Define the following additional settings in the System tab:


To set Cellebrite UFED to alert you when your attention is required, such as when it is
waiting for your input or when an extraction fails, select Play notification sounds.

13.4. License settings

Change the license type in the License tab.

The current license type is displayed.

To change the license type, follow the instructions in Activating the license (on page 25).

13.4.1. License not found

If a license cannot be found the following window appears.

If you are using Cellebrite Commander:

1. Click I'm using Cellebrite Commander. The following window appears.

2. Connect the license dongle before validating.


3. Enter the Cellebrite Commander Server information. For more information about entering
the information in this window, see Connect a Cellebrite UFED device to Cellebrite
Commander (on page 234).
4. Click Validate.

If you are not using Cellebrite Commander:

1. Click I'm not using Cellebrite Commander. The following window appears.

2. Select your license type.

13.4.2. Updating a dongle license online

When an Internet connection is available, you can update the dongle license directly from Cellebrite
UFED.

To update a dongle license online:


1. Contact your Cellebrite sales representative to renew or update the dongle license. After
the license is approved, you can proceed with the following steps.

2. From the Home screen, click and then click the License tab. The following window appears.

3. Click Change license. The following window appears.

4. Click Dongle. The following window appears.

5. Click Update license (online).


6. Click OK to complete the process.

13.4.3. Updating a software license online

When an Internet connection is available, you can update a software license directly from Cellebrite
UFED.

To update a software license online:


1. Contact your Cellebrite sales representative to renew or update the dongle license. After
the license is approved, you can proceed with the following steps.

2. From the Home screen, click and click the License tab. The following window appears.

3. Click Change license. The following window appears on Cellebrite UFED.

For Cellebrite UFED Touch, accept the Cellebrite UFED License Agreement and
skip to step 6.

4. Click Software. The following window appears.

5. Click Update software license. The following window appears.

6. Click Load from the web.
7. Click OK in the Cellebrite product license window to complete the process.

13.5. Version details

The version tab displays information about the Cellebrite UFED version and build.

Under Software updates, select Automatically check for software updates.

13.5.1. Connect a Cellebrite UFED device to Cellebrite Commander

Cellebrite UFED devices automatically detect when a new Cellebrite Commander server is added to
their subnet and prompt the user to connect automatically. If necessary, you can also connect a
Cellebrite UFED device to Cellebrite Commander manually.

To connect a Cellebrite UFED device to Cellebrite Commander automatically:

1. Right-click on the application shortcut and select Run as Administrator.

Enable Admin permissions to enable the Cellebrite UFED device to automatically download the SSL
certificate. This ensures secure SSL communication between a managed Cellebrite UFED unit and
Cellebrite Commander server.
To enable downloading of certificates, make sure the setting is enabled in Cellebrite UFED Settings.

2. Restart the Cellebrite UFED unit.

3. The unit automatically detects the Cellebrite Commander server and prompts the user to connect.

4. After the unit connects to the Cellebrite Commander server, it automatically switches to managed
mode and downloads the secure SSL certificate.

If more than one Cellebrite Commander is detected, the user can choose from
the list of servers.

To connect a Cellebrite UFED device to Cellebrite Commander manually:

1. Go to Settings > Commander. The following window appears.

2. Select Managed mode.

3. Enter the Commander's FQDN (fully qualified domain name). Example: qas99.cellebrite.wxyz

4. Click Connect. If the validation is successful, the status changes to Connected to Cellebrite
Commander.
5. Click Save.

13.5.2. Updates and versions

When Cellebrite UFED is connected to the Internet, automatic notifications appear in the event of
updates and new versions of the application.
Click Refresh in the Settings > Version tab to update the information available on the
screen.

To install a newer version of the Cellebrite UFED application via the web:

1. Ensure that the unit is connected to the network.

2. In the Settings > Version tab, in the Version area, click Web.

The application is upgraded to the latest version available on the Cellebrite Commander (if relevant)
or Cellebrite download server.

To install a newer version of the Cellebrite UFED application using the file option:
1. Download the latest application version from your account in MyCellebrite, and save it to
the specified directory on the PC or external device.
2. In the Settings > Version tab, in the Version area, click File.
3. Select the directory where you saved the file and then click Open.

13.5.3. Importing settings and configuration files

You can use Cellebrite Commander to download initial export files, which can then be edited if
necessary and manually imported into Cellebrite UFED. These files can also be set using Cellebrite
Commander. For more information, refer to the Cellebrite Commander manual.

Cellebrite UFED can import the following type of settings and configuration files:
Importing a camera checklist (on the next page)
Importing case details (on page 239)
Importing user management (on page 241)
Importing configuration files (on page 242)

13.5.3.1. Importing a camera checklist

The camera checklist enables you to upload an XML file that the user can use as a reference as to what
pictures are required of the device. As the user completes each step, they can place a check mark next
to the completed items.

To manually import a Camera checklist file:


1. In the Version tab, click the Import button next to the setting file you would like to import.
The following window appears.
2. Browse to the relevant file and click Open.
3. Click OK to update the application.

The following example shows the structure of the XML file.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CheckListData>
  <Version>1.0.0.48</Version>
  <CheckListItems>
    <CheckListItem>Main screen</CheckListItem>
    <CheckListItem>Date and time</CheckListItem>
    <CheckListItem>IMEI number</CheckListItem>
  </CheckListItems>
</CheckListData>

13.5.3.2. Importing case details

You can import an XML file to change the options that appear in the Case Details window (see Case
details (on page 51)).

To manually import a case details file:


1. In the Version tab, click the Import button next to the setting file you would like to import.
2. Browse to the relevant file and click Open.
3. Click OK to update the application.

The following example shows the structure of the XML file.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CaseDetails>
  <Version>1.0.0.38</Version>
  <Fields>
    <Field>
      <Type>String</Type>
      <Caption>Case ID</Caption>
      <Mandatory>true</Mandatory>
      <AutoFill>true</AutoFill>
      <IsDefaultFolderName>true</IsDefaultFolderName>
    </Field>
    <Field>
      <Type>String</Type>
      <Caption>Seized by</Caption>
      <Mandatory>false</Mandatory>
      <AutoFill>false</AutoFill>
      <IsDefaultFolderName>false</IsDefaultFolderName>
    </Field>
    <Field>
      <Type>String</Type>
      <Caption>Crime type</Caption>
      <Mandatory>false</Mandatory>
      <AutoFill>false</AutoFill>
      <IsDefaultFolderName>false</IsDefaultFolderName>
      <Values>
        <Value>Armed Robbery</Value>
        <Value>Attempted Murder</Value>
        <Value>Child Exploitation</Value>
      </Values>
    </Field>
    <Field>
      <Type>String</Type>
      <Caption>Device owner</Caption>
      <Mandatory>false</Mandatory>
      <AutoFill>false</AutoFill>
      <IsDefaultFolderName>false</IsDefaultFolderName>
      <Values>
        <Value>Victim</Value>
        <Value>Suspect</Value>
        <Value>Witness</Value>
      </Values>
    </Field>
  </Fields>
</CaseDetails>
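
Because these files can be edited by hand before import, a quick lint catches typos before they reach the Case Details window. The following is an added example, not Cellebrite code: the element names come from the sample above, while the rules it enforces (lowercase true/false, at most one IsDefaultFolderName field, no DOCTYPE) are assumptions inferred from that sample rather than a published schema.

```python
import xml.etree.ElementTree as ET

BOOL_TAGS = ("Mandatory", "AutoFill", "IsDefaultFolderName")

# Shortened copy of the sample structure shown above (constructed input).
GOOD_SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CaseDetails>
  <Version>1.0.0.38</Version>
  <Fields>
    <Field>
      <Type>String</Type>
      <Caption>Case ID</Caption>
      <Mandatory>true</Mandatory>
      <AutoFill>true</AutoFill>
      <IsDefaultFolderName>true</IsDefaultFolderName>
    </Field>
    <Field>
      <Type>String</Type>
      <Caption>Crime type</Caption>
      <Mandatory>false</Mandatory>
      <AutoFill>false</AutoFill>
      <IsDefaultFolderName>false</IsDefaultFolderName>
      <Values>
        <Value>Armed Robbery</Value>
        <Value>Attempted Murder</Value>
      </Values>
    </Field>
  </Fields>
</CaseDetails>
"""

# The same file after three typical hand-editing slips (constructed input).
BAD_SAMPLE = (
    GOOD_SAMPLE.replace("<Mandatory>true", "<Mandatory>True")
    .replace("<IsDefaultFolderName>false", "<IsDefaultFolderName>true")
    .replace("<Value>Armed Robbery</Value>", "<Value></Value>")
)


def lint_case_details(xml_text):
    """Return a list of problems; an empty list means the file fits the sample layout."""
    # Assumption: a settings file never needs a DTD, so refuse one outright
    # instead of letting the parser expand entities.
    if "<!DOCTYPE" in xml_text:
        return ["DOCTYPE declaration found; not expected in a settings file"]
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "CaseDetails":
        return [f"root element is <{root.tag}>, expected <CaseDetails>"]

    problems = []
    if not (root.findtext("Version") or "").strip():
        problems.append("missing <Version>")
    fields = root.findall("./Fields/Field")
    if not fields:
        problems.append("no <Field> entries under <Fields>")

    seen, folder_fields = set(), []
    for index, field in enumerate(fields, 1):
        caption = (field.findtext("Caption") or "").strip()
        label = caption or f"field #{index}"
        if not caption:
            problems.append(f"{label}: empty or missing <Caption>")
        elif caption.lower() in seen:
            problems.append(f"{label}: duplicate caption")
        seen.add(caption.lower())
        if not (field.findtext("Type") or "").strip():
            problems.append(f"{label}: empty or missing <Type>")
        for tag in BOOL_TAGS:
            value = field.findtext(tag)
            if value not in ("true", "false"):  # assumption: lowercase only
                problems.append(f"{label}: <{tag}> is {value!r}, expected true or false")
        if field.findtext("IsDefaultFolderName") == "true":
            folder_fields.append(label)
        values = field.find("Values")
        if values is not None:
            items = [(v.text or "").strip() for v in values.findall("Value")]
            if not items or "" in items:
                problems.append(f"{label}: <Values> has no entries or an empty <Value>")
    # Assumption: only one field can supply the default extraction folder name.
    if len(folder_fields) > 1:
        problems.append(
            "more than one field has IsDefaultFolderName=true: " + ", ".join(folder_fields)
        )
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, lint_case_details(text))
```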

13.5.3.3. Importing user management

Cellebrite Commander enables user authentication ensuring that only users with the right credentials
can access the application. Access rights are further enforced by defining permission levels per profile.

To manually import a user management file:


1. In the Version tab, select the Import button next to the setting file you would like to import.
2. Browse to the relevant file and click Open.
3. Click OK to update the application.

13.5.3.4. Importing configuration files

Configuration files enable you to import various settings into the system.

To manually import a configuration file:


1. In the Version tab, select the Import button next to the setting file you would like to import.
2. Browse to the relevant file and click Open.
3. Click OK to update the application.

13.6. Activity Log

The Activity Log lists all transactions performed by Cellebrite UFED. It includes information such as
when the extraction started and ended, transaction type, duration, status, device vendor, device
model, name, serial number of Cellebrite UFED, case ID, crime type, device owner, and who seized the
device. You can also clear the activity log, export the activity data to a CSV file and show or hide the
activity data.

13.6.1. Exporting metadata to Cellebrite Commander

If a Cellebrite UFED unit is used in an offline environment, you can export the usage metadata file. This
file contains the following: Cellebrite UFED device information (e.g., MAC address, serial number,
software version number), transaction start times and end times, source phone information (e.g.,
vendor, model name, IMEI, and operating system), and type of information extracted (e.g., Phone
memory, SMS memory, MMS, pictures, videos, audio). The exported Zip file can then be manually
imported into Cellebrite Commander. For more information, refer to the Cellebrite Commander
manual.

To export the metadata:
1. Connect or reconnect a USB flash drive to the Cellebrite UFED unit. The button is only
available when a USB drive is connected.

2. Click the Export to mgmt (acc) button. The metadata can now be imported into Cellebrite
Commander.

This button is only displayed if you are using the Managed mode (see Version
details (on page 233)).

Exported data is removed from the Cellebrite UFED device and is not available
for export again.

13.7. Users permissions

Define and configure user authentication settings to ensure that only users with the right credentials
can access the application. Access rights are further enforced by defining permission levels per profile.

User permissions can be set using Cellebrite Commander (refer to the Cellebrite
Commander manual) or the UFED Permission Manager (see Permission
management (on page 254)).

To disable USB device extraction:


Select Disable USB device extraction. This option is not available on the home screen.

To import user permissions:
1. Run the Cellebrite UFED as an administrator.

2. Click Import. The following warning appears.

3. Click Yes and navigate to the directory where the permission management file (*.cp) is
located. For information about creating a permission management file, see Using the
Cellebrite UFED Permission Manager (on page 254).
4. Click Open and then click Save.
5. Restart the Cellebrite UFED application, which now prompts for login credentials.
6. Use one of the login credentials configured in the permission management file. For more
information, see Permission management (on page 254).

Select the checkbox to require password on wakeup.

13.7.1. Active Directory integration

Active Directory is a Microsoft product providing a range of directory-based identity-related services. It
authenticates and authorizes all users and computers in a Windows domain type network, assigning
and enforcing security policies for all computers and installing or updating software.

When a user logs in to the system, Active Directory checks the submitted password and determines
whether the user is a system administrator or normal user before allowing the user to log in. Active
Directory also enables the management and storage of information at the admin level and provides
authentication and authorization mechanisms.

Use the Windows Active Directory account to enable quicker and easier log in to your Cellebrite UFED
applications. Cellebrite UFED can manage the permissions with two permissions levels:
Active Directory Groups
Active Directory Users with Commander roles

13.7.1.1. Determining the Active Directory groups

When using the Groups level, the permissions are applied according to the Active
Directory groups of which the users are members (directly and indirectly). When
using the Users level, you must map the users to Cellebrite Commander and then
to the permissions applied according to the selected profile in Cellebrite
Commander. For more information, see To enable Active Directory (on page 248).

You can use the following procedure to determine all the Active Directory groups for a specific user.
1. To get a list of groups for a specific user, open a command prompt (cmd.exe) and run the
following command, replacing <user name> with the actual user name:

gpresult /V /user <user name>

2. The output looks like this (truncated with only the group information):

In the above example, you can see that this user is a member of several Active
Directory (security) groups. In the following example we use the Platforms Dev
Team security group.

If a group is contained within another group, other commands (such as whoami /groups)
only display the groups of which the user is a direct member.
Therefore, we recommend that you avoid whoami as an indicator.

13.7.1.2. Using Cellebrite Commander

When using Cellebrite Commander, the system administrator must decide the permission
management level. The possible levels are presented below:

13.7.1.3. Initial setup

When Cellebrite Commander is used in conjunction with Active Directory, the following procedures are
required for initial setup.

13.7.1.3.1. Permission Level – Groups

The Cellebrite Commander administrator must:


1. Create profiles with the exact same name of the relevant Active Directory groups.

2. Publish the users and permissions to all the relevant Cellebrite UFED units.

After Active Directory is set up, each login request via a Windows user is sent to Active Directory
before approval. Active Directory checks the user permissions and notifies the Cellebrite UFED unit
whether to approve or deny the login request based on the user profile permissions.

If the Cellebrite UFED units are offline, you cannot log in to the Cellebrite UFED
unit. However, an ongoing session is not disconnected if a disconnection
occurred.

Should you choose not to work with Active Directory, the Cellebrite
Commander administrator can regulate the users and permissions via
Cellebrite Commander or the Cellebrite UFED Permission Manager.

13.7.1.3.2. Permission Level – Users

The Cellebrite Commander administrator must:


1. Create profiles and set the permissions for each profile.
2. Import a CSV list of relevant users that matches the Users and Profiles settings in
Cellebrite Commander.
3. Publish the users and permissions to all the relevant Cellebrite UFED units.

13.7.1.4. To enable Active Directory

1. In Cellebrite Commander select Configurations > By product. The following window appears.

2. Click Edit, to enable the following under the Access Control section:

a. Require login.

b. Enable Active Directory integration.


3. Under Permissions level, select one of the following options:

Active Directory groups: Manage permissions at the Active Directory groups level. The match is
performed by Active Directory group names.

Active Directory users with Commander roles: Manage permissions per user independently from
Active Directory groups.
4. Click Save to save the configuration template.
5. Publish the configuration template to the relevant product.

Next you must add the Active Directory profile and select the required permissions.

13.7.1.4.1. To add a role and select permissions

Adding roles and selecting permissions are managed in the User Management System. For more
information, see the Managing Roles section in the User Management System manual.

13.7.1.4.2. Adding Users

Adding users is managed in the User Management System. For more information, see the Managing
Users section in the User Management System manual.

13.7.1.5. Logging in to Cellebrite UFED

After Active Directory is enabled, the following occurs depending on the Cellebrite UFED device you are
using.
In PC applications such as Cellebrite UFED and Cellebrite Responder, the login occurs
automatically when you start the Cellebrite UFED application.

In closed systems such as Cellebrite UFED Touch and Kiosk, Cellebrite UFED tries to locate the
domain and display the following login screen.

Enter the Active Directory credentials.

Verify the Domain field.

If the text in the Domain field (that is, domain controller host) is missing
or incorrect, contact your IT department.

13.7.1.6. Cellebrite UFED Permission Manager

If you are not using Cellebrite Commander, use the following procedures in the Cellebrite UFED
Permission Manager and Cellebrite UFED application to enable Active Directory.

To configure Active Directory in the Cellebrite UFED Permission Manager:

In the Cellebrite UFED Permission Manager, create a profile that corresponds to the required Active
Directory group.
1. Run the Cellebrite UFED Permission Manager. The following window appears.

2. Click Profiles > New Profile. The following window appears.

3. In the Name field enter the name of the Active Directory group (for example, Platforms Dev
Team).
4. (Optional) Enter a description.

5. Click Extraction Types and enter all the required permissions for the profile. The following window
appears.

6. Click Save.

To enable Active Directory in the Cellebrite UFED application:

This step is not required if you are using Cellebrite Commander.

1. In Cellebrite UFED go to Settings > User Permissions.

2. Select Use Active Directory.

After activating Active Directory, either in Cellebrite Commander or in the Cellebrite UFED
application, you can only log in to the application using Active Directory users; there are no
longer Cellebrite UFED users such as Manager and Investigator.

3. Click Save. The following window appears.

4. Click OK and restart the Cellebrite UFED application.

For information about logging in to the Cellebrite UFED devices, see Logging in to Cellebrite UFED (on
page 250).

13.7.1.7. Turning off default SSO when using Active Directory

This feature enables you to turn off the default permissions for SSO when using Active Directory
authentication.

13.7.2. Enabling Active Directory in Cellebrite UFED application

Active Directory is a Microsoft product providing a range of directory-based identity-related
services. It authenticates and authorizes all users and computers in a Windows domain type
network, assigning and enforcing security policies for all computers and installing or updating
software.

When a user logs in to the system, Active Directory checks the submitted password and
determines whether the user is a system administrator or normal user before allowing the
user to log in. Active Directory also enables the management and storage of information at the
admin level and provides authentication and authorization mechanisms.

Use the Windows Active Directory account to enable quicker and easier login to your Cellebrite
UFED applications. Cellebrite UFED can manage the permissions with two permissions levels:
Active Directory Groups
Active Directory Users with Commander roles

13.7.2.1. Turning off default SSO when using Active Directory

This feature enables you to turn off the default permissions for SSO when using Active Directory
authentication.

13.7.3. Permission management

Permission management can be performed via Cellebrite Commander or the Cellebrite UFED
Permission Manager standalone application.

The Cellebrite UFED Permission Manager standalone application is available from MyCellebrite. Each
profile contains access permissions, including operation rights per extraction type and content types. A
single profile can be assigned to multiple users. The users and profiles can be exported into an
encrypted permission management file, which can be imported into multiple Cellebrite UFED
applications.

13.7.3.1. Using the Cellebrite UFED Permission Manager

To create a new profile:


1. Download the latest Cellebrite UFED Permission Manager application from your account in
MyCellebrite, and save it to a directory on a computer or external device.

2. Run the Cellebrite UFED Permission Manager and follow the setup instructions. The Cellebrite UFED
Permission Manager screen appears.

3. Click Profiles.

4. Click New Profile. The following screen appears.

5. Enter a name and description for this profile.


6. If required, select User Notification, which enables you to load a RTF file with text and
graphics for the profile.

7. Click the Extraction Types tab.

8. Select the options for this profile, such as Admin who can manage users, the Extraction Type
(Logical Extraction, SIM Data extraction, Password extraction etc.) and UFED Settings (Activity Log).

At least one of the enabled users must be an Administrator (Admin).

9. Click Save and proceed to create a new user.

To create a new user:

1. In the Cellebrite UFED Permission Manager screen, click Users. The following screen appears.

2. Click New User. The following screen appears.

3. Enter the details for the new user including Username, Display Name, Description, and
Password.
4. Select a profile for the user.
5. Select Enabled to enable the user.
6. Click Save.

To manage crime types:

1. Click Crime Types. The following screen appears.

The crime types are only relevant for Cellebrite Responder.

You can delete all crime types; however you must add at least one crime to be
able to export a permission management file.

To edit a crime type, click the crime type and edit the Name.

2. Click New Crime Type. The following window appears.

3. Enter a name for the crime type and (optional) description.


4. Click Save.

To export an encrypted permission management file:

1. In the Cellebrite UFED Permission Manager screen, click Export, specify a directory for the file and
click Save. The following screen appears.

2. Click OK. The permission file must be imported into Cellebrite UFED via the User Permissions tab in
the Settings window.

The next time you run the Cellebrite UFED Permission Manager, you are
prompted for your user credentials to access the application.

14. Special cables
Cellebrite UFED requires a special cable for certain functions:

Device power-up cable (below)

Active extension cable (on the next page)

USB extension cable (on the next page)

USB cable for Cellebrite UFED Device Adapter V2 PowerUP (on page 262)

14.1. Device power-up cable

If the battery is drained or absent, the device power-up cable powers the device instead of the battery
while performing an extraction.

The device power-up cable contains four parts marked as: Data, Extra power, -, +.

Phone power-up cable

To connect the device power-up cable:


1. Connect the Extra Power connector to the Cellebrite UFED USB Port extension.
2. Connect the Data connector to the Cellebrite UFED USB Port extension.

3. Identify the device’s battery contacts:


a. Open the device battery cover.
b. Locate the positive (+) and negative (–) pole markings of the battery, usually found next to
the contacts area.
c. Make sure that the battery contacts are marked clearly on the device’s body.
d. Remove the battery to gain access to the device’s battery contacts.

TIP: For battery contacts which are not clearly marked on the device’s body, use the pole markings
on the battery body to identify them. To do that, flip the battery along its contacts edge, and place
it along the edge of the battery housing, then mark the device’s contacts according to those on the
battery.

Use a multimeter to identify the positive and negative poles of an unmarked battery.

4. Connect the RED alligator clip to the device’s positive pole (+), the Primary Black alligator
clip to the negative pole (–) and the secondary Black alligator clip to the middle pole if there
are three poles or to the one next to the (-) if there are four poles. Make sure the alligator
clips are not closing a circuit by touching each other.
5. Connect the source device to the phone power-up cable using the referenced cable from
the cable organizer kit as listed in the Cellebrite UFED menu.

14.2. Active extension cable

This cable is 150 cm in length and allows for the easy and accessible placement of the Cellebrite UFED
Device Adapter with USB 3.0. For more information about the adapter, see Cellebrite UFED Device
Adapter with USB 3.0 (on page 14).

The USB Device Adapter Active extension cable is a custom made, high grade cable with an active USB
3.0 extension. It is a bus-powered extension cable that can be used to increase the length of the
Cellebrite UFED Device Adapter without any signal loss or performance issues. It contains active
electronics, which boost the USB signal for maximum reliability and performance over extended
distances.

Only use the previous USB extension cable (USB Extension cable for Cellebrite
UFED Device Adapter) with the Cellebrite UFED Device Adapter with USB 2.0.

14.3. USB extension cable

This USB extension cable is 150 cm in length and allows for the easy and accessible placement of the
Cellebrite UFED Device Adapter V2. In a desktop environment where the computer is mounted in a
difficult to access or distant location use the USB Extension cable.

The USB Extension cable is a custom made high grade cable. This high grade cable prevents voltage
fluctuation and is shielded from EMI interference which would cause signal degradation or loss.

If you need an extension cable, you must use the provided USB Extension cable. Use of third-party
cables affects performance of your Cellebrite UFED and may prevent some functions from starting or
completing.

14.4. USB cable for Cellebrite UFED Device Adapter V2 PowerUP

The following USB PowerUP cables are applicable to the Cellebrite UFED Device
Adapter V2. These cables are no longer required with the Cellebrite UFED Device
Adapter V3.

The USB Cable for Cellebrite UFED Device Adapter PowerUP S is for use with your Cellebrite UFED. It is 75 cm in length.
The USB Cable for Cellebrite UFED Device Adapter PowerUP L is for use with your Cellebrite UFED. It is 150 cm in length.

Both cables provide the same functionality and differ only in length.

The PowerUP cable has a miniUSB male end, which plugs into the Cellebrite UFED Device Adapter V2,
and a USB-A connector that can be plugged into any available powered USB port, including AC-powered
USB chargers and car chargers.

The PowerUP cable doubles the power capacity of the Cellebrite UFED Device Adapter V2. This ensures
that all devices with excess power requirements function correctly and allows Cellebrite UFED to
provide all functions. In addition, devices that are fully discharged may need the additional power
that the PowerUP cable provides.

In the laptop environment, we recommend that you use the PowerUP cable when Cellebrite UFED
indicates that the extra power is required.

The PowerUP cable is NOT required for smooth operation of the Cellebrite UFED
for most devices, but is provided for those cases where power consumption is
above the capacity of the unpowered Cellebrite UFED Device Adapter V2.

15. Index

A

Accessories 13
Activating the license 25
Active Directory 245
Activity log 242
Activity Log 256
ADB, definition 129
Android backup 22, 117, 121-122, 126
Android backup APK downgrade 123
Android extraction methods 168
APK downgrade 123
APK for Android backup APK downgrade 22
Application taskbar 62
Autodetecting 44

B

Bluetooth scan 200
Bluetooth, logical extraction 96
Boot Loader, definition 129
Bootloader extraction 168, 170

C

Camera checklist, importing 238
Camera screen, enabling 211
Capture 12, 174, 179
Capture images 12, 173-175
Capture images and screenshots 12, 174
Case details 51
Case details, importing 239
Cellebrite YouTube channel 18
Changing the application interface language 213
Changing the extraction location 216
Clone SIM 180, 184-185, 191, 195
Cloning an existing SIM card ID 185
Console, Android Debug 45, 83

D

Device power-up cable 260
Device tools 63, 196
Dongle 26, 33, 40, 229
Dongle license 32
Drone, extractions 173

E

Entering SIM data manually 191
Exit Motorola bootloop 203
Exit recovery mode 202
Export options 27, 62, 237, 242, 258
Extracted passwords folder 76
Extracted SIM data folder 183
Extracting Android devices 168
Extraction in progress 74, 103, 130, 134, 156, 163, 189, 193, 195
Extractions, (Refer to Performing extractions in MyCellebrite) 12, 67, 72, 76, 82, 91, 95, 100, 104, 111, 120, 126, 132, 135, 157, 159, 163, 167, 169, 177, 179, 182, 252, 255
Extractions, refer to Performing extraction in MyCellebrite 13

F

File system extraction 12, 200
File system extraction folder 106
file system extractions, timeframe options 59
Files, logical extraction type 85, 94
Flashing 154
Forensic recovery partition 160
FW flashing 154

G

General settings 84, 209
Getting started 19
GSM test SIM 195

H

Help 82
Home screen 43, 51, 76, 87, 91, 95, 100, 104, 111, 120, 126, 132, 135, 137, 144, 157, 159, 163, 167, 177, 179, 182, 196, 228, 230

I

IMEI, search 46
Importing settings and configuration files 237
Interface language 209, 213
Introduction 10
Investigation notes 51
iOS extraction 89
iTunes backup encryption 92

J

JTAG 122

L

Legal notices 9
license not found 225
License settings 224
Licensing 26
Logging in 250
Logical extraction 10, 12-13, 17, 82, 89, 92, 96, 100, 180, 212, 256

M

Managing report fields 221

N

Network 39
Network dongle 39
Nokia WP8 recovery tool 204

O

Odin mode 203
Online license 25
Overview 10, 82, 89, 93, 102, 117, 123, 129, 133, 137, 154, 158, 161, 164

P

Password extraction 74, 256
Performing a physical extraction 129
Performing extractions 13, 45, 83
Performing SIM data extraction 180
Permission management 254
Permission Manager 244, 248, 254
Permissions
    Users 244
Physical extraction 12, 110, 128-129, 132-133, 136, 154, 158, 160, 169-170, 204

Q

Qualcomm chipsets 158

R

Re-enable User Lock option 77
Report settings 217
Rooted Android devices, physical extraction 133

S

Screenshots 12, 53, 174, 178
Searching for a device 46
Select content types 17
Select extraction location 154
Selective extraction 59-60
Settings 22, 51-52, 59, 100, 112, 117, 127, 137, 168, 208, 214, 217, 234-235, 252, 256
SIM data extraction 180, 183
Simplified Chinese 215
Smart ADB method, tool 204
Software license 35-36, 38
Sounds, play notifications 223
Special cables 260
Specifications 9
Specify a network location 63
Starting the application 42
Supported devices 17
Switch to CDMA offline mode 206
System requirements 11
System settings 84, 223

T

TAC number search 49
Technical terms 172

U

UFED Device Adapter 14, 16, 74, 130, 134, 161, 181, 185, 191, 198, 200, 204, 206, 261-262
UFED User Lock Code Recovery Tool 204
Unallocated space 12
Update via the web 235
Updates and versions 235
User permissions 244
User predefined filter 59
Using cables and tips 17

V

Version details 233

W

Working with TomTom 198
