RELEASE NOTES Version 5.2 September 2016 UFED ANALYTICS DESKTOP HIGHLIGHTS UFED Analytics Desktop version 5.2 serves as your virtual partner, saving precious time in the investigative process. Designed as a standalone desktop application, it simplifies and automates analytical tasks, allowing users to easily identify the critical relationships that can focus investigations. By immediately linking and unifying multiple disparate data sources, UFED Analytics Desktop s latest release helps generate leads and uncover actionable insights from existing call logs, application data, text messages, locations, private cloud sources, images, videos and more. This powerful, cost-effective investigative tool allows digital data to be viewed from multiple angles and isolate key details for easy analysis and reporting to case stakeholders. Key capabilities incorporated in the latest release include: New Automated Analytics Tools UFED Analytics Desktop is optimized to improve data search and filtering performance while managing data from an active case. No more painstaking review of large, cumbersome PDF reports. Text Analytics Applies natural language processing to any textual artifact uploaded in the system and tags events related to specific topics of interest. Image Analytics UFED Analytics automatically categorizes the images based on categories relevant for an investigation such as Weapons, Money, Drugs and Nudity. Advanced Filtering Capabilities View common connections based on communications and locations; narrow data using advanced filters and search; tag data based on specific needs; highlight case related data using watch lists. SAVE TIME AND RESOURCES WITH ADVANCED IMAGE ANALYTICS With UFED Analytics Desktop, automatically apply advanced categorization and image recognition methods - identified images of interest can then be used as a starting point of an investigation. ELIMINATE MANUAL ANALYTICAL TASKS AND SPEED INVESTIGATIONS WITH NEW AUTOMATED ANALYTICS TOOLS By using automated analytics tools that are integrated into an easy to use user-flow you can now discover critical evidence hidden in data sources and increase the impact of digital forensic data throughout your investigation. UNCOVER DEEPER DIGITAL DATA INSIGHTS WITH TEXT ANALYTICS The latest version introduces a unique analytical capability to speed investigations integrated text analytics. The tool automatically goes over event content, including attachments, in order to find and highlight entities-of-interest without the need for the user to predefine them, including phone numbers, personal names from a message, or even the language in which the message was written. REVEAL AND VISUALIZE COMMON CONNECTIONS WITH UFED ANALYTICS DESKTOP S FILTERING CAPABILITIES UFED Analytics Desktop filters data by Person, Timeframes, Location Types, Distance, Entity, Tag, and more. With version 5.2, you can set minimum values per data type within link in order to focus on the most frequent communications with key individuals.
New Automated Analytics Tools Version 5.2 introduces several new innovative features that will help you address some of the major challenges in analyzing digital forensic data sources in an effective and timely manner. You will be able to better understand and discover the information hidden in the data sources and increase the impact of digital forensic data in your investigation using automated analytics tools that are integrated into an easy to use user-flow. Text Analytics An advanced integrated text analytics engine automatically goes over event content (including attachments) to find and highlight for the user entities-of-interest without the need for the user to predefine them. For example, phone numbers and personal names from a message, or the language in which the message was written. This capability is not typically available to law enforcement investigators. This unique analytical capability can assist in solving cases where more discovery is required, and/or accelerate an investigation by highlighting events of higher importance, i.e. credit card numbers. Filtering UFED Analytics Desktop filters data by Person, Timeframes, Location Types, Distance, Entity, Tags & more. In addition, you can set minimum values per data type within link in order to focus on the most frequent communications with key individuals. Map, Timeline & image views have additional, context-sensitive filters. Once you ve filtered the information, you can also search globally on the generated tables of data; or search on a single value, for example a name, to obtain highlighted results. You can now view the data either in table or graph form, and save your sessions. In addition, and in order to elevate the investigator s experience in filtering and searching mounds of data in a case, we have integrated a new capability of combining the filter behavior with that of a facet, creating an Advanced Filtering concept. A faceted search is a way to explore large amounts of data by displaying summaries about various dimensions of the data and later allowing narrowing the navigation to a specific dimension value. This is achieved by maintaining multiple dimensions (facets) for each event and thus enabling events to be accessed and ordered in multiple ways. Supported Entity Extraction Categories Person Location Organization Product Title Nationality Religion Credit Card Lat/Long Money Number ID Number Phone Email URL Distance Date Time Image Analytics A typical smartphone may have more than ten thousand Images, and in a case involving multiple devices going over the images can take days, or may therefore be entirely overlooked during the investigation. UFED Analytics automatically categorizes the images based on categories relevant for an investigation such as Weapons, Money, Drugs and Nudity. This categorization is based on the latest in neural network machine learning models that are not typically available to law enforcement members. Subsequently, identified images of interest can then be used as a starting point of an investigation. With UFED Analytics, you can seamlessly link from the image-of-interest to its event, to gain a wider context of the chain of events. Supported Entity Extraction Languages Arabic Italian Chinese, Simp. Japanese Chinese, Trad. Korean Dutch Pashto English Persian French Portuguese German Russian Hebrew Spanish Indonesian Urdu Supported Language Identification Albanian Danish Arabic Dutch Bengali English Bulgarian Estonian Catalan Finnish Chinese, Simp. French Chinese, Trad. German Croatian Greek Czech Gujarati Hebrew Kurdish Hindi Latvian Hungarian Lithuanian Icelandic Macedonian Cellebrite Release Notes v5.2 September 2016 2
Supported Language Identification (continued) Ingesting Cloud Data Source Indonesian Italian Japanese Kannada Korean Polish Portuguese Romanian Russian Serbian Slovak Slovenian Somali Spanish Vietnamese Malay Malayalam Norwegian Pashto Persian Swedish Tagalog Tamil Telugu Thai Turkish Ukrainian Urdu Uzbek Seeing and analyzing the different digital forensic data sources provide the users most closely related to solving the case with more investigative value. With the latest release, UFED Analytics Desktop can now ingest multiple data sources into a single integrated view including cloud data coming from UFED Cloud Analyzer. This enables the users to analyze how data from the various sources interacts. Quick Tagging Tagging events is a powerful tool, allowing the user to classify events and differentiate between what is important and what is not. You can now assign Hot Keys to customized tags, allowing for even quicker tagging of events. Multiple Workspaces A user can now define a workspace, which is a set of filters and views that summarize an analysis path that an investigator performed. Each workspace is independent, enabling the user to easily and quickly switch between analysis paths and follow the entire investigation flow. Conversation View DID YOU KNOW? An event by itself may not contain enough information to further the investigation. Sometimes a wider context is needed to give the user a better understanding of the chain of events. With UFED Analytics Desktop a user can now expand any event into a fully correlated conversation of the participating parties. You can now use UFED Physical Analyzer to create a UFDR file from images. Expand your investigation by utilizing this file in UFED Analytics Desktop via the newest image analytics features. Cellebrite Release Notes v5.2 September 2016 3
UFED ANALYTICS DESKTOP FUNCTIONALITY UFED Analytics Desktop relies on physical, file system or logical extraction UFDR reports from Cellebrite s UFED Physical Analyzer, UFED Logical Analyzer or UFED Cloud Analyzer. It automatically establishes contacts communication directions (uni- or bidirectional). To provide each event with the different contexts that best provide comprehension on a specific event and its relationship to other events, multiple viewing types are supported: Graph View The Graph View displays the person in the center of the diagram, surrounded by the entities (phone numbers, apps ID and email addresses, or all of them combined) that were logged in the analyzed report. Arrowheads at the edges of each connection line represent the type of connections (incoming, outgoing, bidirectional) made between the Person and this phone number or email address. All Links Shows all the persons selected from open reports, and all their linked entities. Filter the display by changing the selected persons, and by setting Timeframes and Entity and Link filters. Mutual Links Displays only the linked entities shared by the persons selected from open reports. Filter the display by changing the selected persons, and by setting Timeframes and Entity and Link filters. Entities Analytics provides a statistical analysis of the interactions of a particular entity and the device owner. Note: Within each diagram, you can change and organize icons arrangement by moving persons and entities anywhere you desire. Map Analysis View The geo-location information in digital and mobile forensic data can be very important in identifying where the owner of the device was. Geo location metadata of events, whether they are images or instant messages, or even location events, can be viewed and filtered on the Map view. UFED Analytics Desktop includes additional analytical capabilities to identify whether two persons were in the same vicinity within a user defined radius and time. Suspects may claim that they don t know each other, but in some cases the forensic data can prove that they were in the same vicinity at a certain time. Version 5.2 provides the deeper insights that accelerate investigations. Locations of interest can then be used as a starting point into the investigation. In UFED Analytics you can then seamlessly link from the location to its event, to gain a wider context of the chain of events. The Map View displays the locations based on GPS coordinates, Wi-Fi or cell tower locations that your persons of interest have visited. Filter the map by persons, timeframes, location category, and or mutual locations. You can zoom in and out of the map, and pan the map; show which locations your device owners and entities have in common Link to the event from location coordinates. Cellebrite Release Notes v5.2 September 2016 4
Timeline View Timeline View displays the time-stamped events of the selected persons (calls, emails, SMS, MMS, and so on) in chronological order. Filter the table by changing the selected persons, and by setting Timeframes and Categorical filters. Show all the events ordered by the time they occurred. Show conversation between two persons over time. Watch-list with set of words to look for and filter by. OTHER FUNCTIONALITY Merge Multiple Entities One of the key challenges in generating a clear map of links is the analytical ability to merge multiple identifiers, such as a person s e-mail and phone number, as belonging to the same person. Now, UFED Analytics Desktop automatically merges identifiers into person objects, an operation that if performed manually is very time consuming and prone to error. Moreover, the merging identifiers is an investigation tool. The investigator can now split and merge identifiers into person as new information arrives from other sources Ingesting Different Forensic Digital Data Sources Seeing and analyzing the different digital forensic data sources enable the investigators and prosecutors most closely related to solving the case with more value. To see how the Call Detail Records (CDR) or Location logs obtained from the communication service providers complement digital data extracted from smartphones. In this context, UFED Analytics can ingest multiple data sources into a single integrated view. The following data sources are supported: UFED Physical Analyzer UFED Logical Analyzer UFED Cloud Analyzer XML report files generated by Micro Systemation XRY (6.15 and 6.16). Call Records and Location Records from Communication Service Providers - CSV, XLS, XLSX, and TXT files that contain calls, SMS, MMS and location data generated by an external data source (CDR). Free Text Search UFED Analytics desktop has the ability to search for ANYTHING in the system. This enables to find key details amongst the sea of information. IMPORTANT INFORMATION Licensing information UFED Analytics Desktop license is available in two flavors: Basic Configuration Basic UFED Analytics Desktop package. Does not include text & image analytics capabilities. Full Configuration Full UFED Analytics Desktop package. Includes support for all new features. Existing customers with active UFED Link Analysis license will be able to download and use UFED Analytics Desktop basic. You can verify your license by navigating to: File > Help > License Details Cellebrite Release Notes v5.2 September 2016 5