Cellebrite UFED

The UFED (Universal Forensics Extraction Device) is a product series of the Israeli company Cellebrite, used by law enforcement agencies to extract and analyze data from mobile devices.

Products
Cellebrite sells various products in the UFED series:

 * UFED Physical Analyzer
 * UFED Logical Analyzer
 * UFED Phone Detective
 * UFED Cloud Analyzer

Features
On the UFED Touch, the operator selects data extraction and chooses the device vendor from a wide list. Once the extraction completes, the data can be analyzed in the Physical Analyzer application.

The Cellebrite UFED Physical Analyzer supports the following features:

 * Extracting device keys, which can be used to decrypt raw disk images as well as keychain items
 * Revealing device passwords, although this is not available for all locked devices
 * Passcode recovery attacks
 * Analyzing and decoding application data
 * Generating reports in various formats such as PDF and HTML
 * Dumping the raw filesystem for analysis in other applications

History
In 2019, Cellebrite announced a new version of the UFED, called the UFED Premium. The company claimed that it could unlock iOS devices, including those running iOS 12.3, and Android phones such as the Galaxy S9.

Resale
Cellebrite does not allow the resale of its products. The original list price of the product is around US$6000, but units have been sold on eBay for around US$100. Some resold devices still contained data about criminal investigations.

Security
In 2021, Moxie Marlinspike, creator of the encrypted messaging app Signal, published a blog post on the app's website detailing a number of vulnerabilities in Cellebrite's UFED and Physical Analyzer software that allowed arbitrary code execution on the Windows computers running it. In one exploit he described, a specially formatted file encountered by the UFED during a scan could execute arbitrary code on the computer running the UFED. Marlinspike wrote that the code could then "[modify] not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way". Marlinspike also found that the Cellebrite software was bundled with out-of-date FFmpeg DLL files from 2012, which lacked over 100 subsequent security updates. He also found Windows Installer packages extracted from the Windows installer for iTunes and signed by Apple, which he said raised legal concerns.

Cellebrite issued a statement in response, saying the company "is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available." The Signal report followed an announcement by Cellebrite in 2020 that it had developed technology to crack encrypted messages in the Signal app, a claim the company later retracted and downplayed.

Marlinspike's disclosure raised questions about the integrity of data extracted by the software and prompted Cellebrite to patch some of the vulnerabilities found by Signal and to remove full support for analyzing iPhones.
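Because the disclosure centred on whether previously generated reports could be altered without detection, the following added example (not Cellebrite's or Signal's code) shows one defensive control: a SHA-256 manifest of a report directory taken when the extraction finishes and checked again later. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large evidence dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(report_dir: str) -> dict:
    """Map each file's path (relative to report_dir, POSIX form) to its SHA-256."""
    root = Path(report_dir)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(report_dir: str, manifest: dict) -> dict:
    """Compare the directory against a stored manifest.

    Returns the modified, missing and unexpected files; all three empty means intact."""
    current = build_manifest(report_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a report is hashed, then tampered with afterwards."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "messages").mkdir()
        (root / "report.html").write_text("<h1>Extraction report</h1>")
        (root / "messages" / "chat.csv").write_text("ts,from,text\n1,alice,hi\n")
        manifest = build_manifest(d)  # in practice, store this off the scanning host
        (root / "messages" / "chat.csv").write_text("ts,from,text\n1,alice,bye\n")
        (root / "extra.bin").write_bytes(b"\x00")
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest only evidences changes made after it was captured, so it must be generated and stored on a host other than the one running the scan, which the disclosed vulnerabilities could compromise.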