Cellebrite UFED Series of Tools
Strengths: Comprehensive, easy to use and with features that fit well with on-the-go mobile device analysis, as well as use in the lab.
Weaknesses: None that we found.
Verdict: Absolutely solid mobile device forensic tool(s). Add anything else you like to your mobile device lab, but be sure to have at least one UFED product as your cornerstone. SC Lab Approved.
Cellebrite is, arguably, the number one mobile device forensic tool suite available. Marketing aside, there are few mobile device forensic tool sets that are as broad or as deep. We looked at the overall offering and focused on the flagship UFED Touch Ultimate. The suite of available products includes the UFED Touch Ultimate, UFED Touch Logical, UFED Chinex, UFED 4PC and UFED 4PC Logical. The first three are standalone tools provided on a hand-held PC, while the 4PC and 4PC Logical have the same functionality but can be loaded onto a PC. Additionally, the UFED Physical software can be loaded onto a PC as well.
The UFED Touch Ultimate is representative of the rest of the product line in that it has all of the functionality in a single self-contained package. We have used this product in our lab for about three years and have used it on almost every broad type of mobile device. The UFED products collectively support over 11,000 devices, and device support is updated regularly. The Chinex function allows the analyst to extract from phones using Chinese clone chip sets that often have different pinouts from other chip sets.
We tested the Touch Ultimate using several devices, including an older vintage BlackBerry, a relatively new Android, an older Android, an iPhone, a Windows phone, an older feature phone and both iPad and Samsung (Android) tablets. The only one that gave us trouble was the Windows phone. While we were able to extract some data from it, some was not accessible. We know of no tool that can analyse a Windows phone completely.
The tool acquired the devices quickly and cleanly. Acquisition time, of course, depends on the size of the storage to be collected. Not all devices can be acquired physically, due to availability of drivers and the architecture of the device. In those cases, the UFED offers two alternatives: logical and file system acquisition. Logical acquisition is much the same as logical extraction of a computer disk. File system acquisition sits between logical and physical, and for many devices provides much the same information. For example, we did both a physical and a file system extraction of an iPhone. The results were almost the same.
Documentation is complete and easy to use, and the Touch also has excellent help files that guide users through the extraction process. For example, when extracting an iPhone there is a process that must be used to get the device into a state in which the UFED can read it. The tool walks users through the process step by step.
There is a fair bit of support information, including videos and supported-device lists, generally available to potential customers, and there is a customer portal with information targeted at current users of Cellebrite products.
The Touch comes pre-installed on proprietary hardware using a specialised version of MS Windows and comes either standard or ruggedised. A rugged, lightweight carrying case is included, as is an extensive collection of pigtails for connecting devices to the tool. UFED Link Analysis is an application that takes the same input file as the Reader and performs link analysis to find non-obvious relationships in the data on the device.