Cellebrite UFED 4PC (capabilities and a bonus)

Saturday, April 9, 2022    Post   1425 words   7 mins read

This article might look like an ad but trust me, it’s not. I suggest you stick around until the end of the article, there will be a small-ish surprise.

In case you’re not familiar with Cellebrite, they are an Israeli digital intelligence company that provides tools for federal, state, and local law enforcement as well as enterprise companies and service providers to collect, review, analyze and manage digital data.

Cellebrite UFED 4PC is a universal hardware and software package for forensic research that makes it possible to extract, decode and analyze digital data obtained from mobile devices on an existing PC or laptop. The complex is delivered with a set of UFED applications, peripherals and accessories necessary for successful research. UFED 4PC can work both independently and with third-party software.

In March 2016, it was reported that Cellebrite offered to unlock an iPhone involved in the FBI–Apple encryption dispute. Later, after the FBI announced it had successfully accessed the iPhone thanks to a third party. A press report claimed Cellebrite had assisted with unlocking the device, which an FBI source denied.

A 2017 data dump suggests Cellebrite sold its data extraction products to Turkey, the United Arab Emirates and Russia. On 16 September 2020, Haaretz reported how Cellebrite had provided Saudi Arabia with mobile phone hacking services.

In 2017, Cellebrite entered into a contract with U.S. Immigration and Customs Enforcement (ICE) for $2.2 Million. On June 24, 2019, another contract was signed with ICE for between $30 and $35 million. The 2019 contract was for “universal forensic extraction devices (UFED), accessories licenses, training and support services” for one year, with an option to extend for up to five years.

Basically, they’re DEFINITELY NOT the good guys. Below are the “claimed features” of their Cellebrite UFED package.

Forensic research

  • provides flexibility and ease of research.
  • support for the widest range of data types.
  • compatibility with Windows, easy adaptation to different technological schemes of the user’s work and environments.
  • closed and autonomous environment for conducting research suitable for use as evidence in court.
  • ability to use all the tools for data extraction.
  • special loaders provide the ability to extract data that can be used as evidence in court.
  • ability to perform operations simultaneously on a single platform.
  • Unified Workflow – UFED 4PC, UFED Physical / Logical Analyzer, UFED Phone Detective and UFED Reader software.
  • frequent updates to ensure compatibility with new phones entering the market.
  • a comprehensive tool for forensic research in a compact and lightweight case.
  • the UFED 4PC data extraction software is suitable for using touch screens, so it can be easily used on tablets.
  • UFED 4PC Ultimate includes UFED Physical Analyzer for deep decoding, analysis, and reporting.
  • UFED 4X Logical includes UFED Logical Analyzer for easy decoding, analysis, and reporting.

Ultimate version features

  • extract at the physical level and decode the received data with bypassing the lock by entering a graphic key / password / PIN code from Android devices, including the Samsung Galaxy S, LG, HTC, Motorola family and others.
  • extraction at the physical level and at the file system level. as well as decoding data from Android devices.
  • extract at the physical level from BlackBerry devices. Exclusive decoding: BBM, App, Email, Bluetooth data, and more.
  • extensive support for extracting and decoding from Apple devices.
  • physical level extraction and decoding from locked Nokia BB5 devices – extract password from selected devices.
  • easy and fast access to locked devices by bypassing, opening or disabling a custom lock code.
  • extract and decode data from Windows Phone devices at the physical level.
  • extract at the file system level from any Windows Phone, HTC, Samsung, Huawei, and ZTE devices.
  • recover various types of deleted data from unallocated space in the device’s flash memory.
  • decoding JTAG extraction data at the physical layer from a large number of different data types.
  • decrypt TomTom log and extract data from other portable GPS devices.
  • ability to decrypt an encrypted WhatsApp history database.
  • rich decoding options: app data, passwords, email, call log, SMS, contacts, calendar, multimedia files, location information, etc.
  • comprehensive analysis capability via UFED Physical Analyzer, including timeline, project analytics, malware detection, and tracking lists.
  • convenient report generator in various formats using UFED Physical Analyzer.
  • translate content in foreign languages contained in the data obtained during extraction using the offline translation system included in UFED Physical Analyzer.

Logical version features

  • data extraction at the logical level: application data, passwords, IM (instant messages), contacts, SMS and MMS, email, calendar, multimedia, call logs, phone information (IMEI / ESN), ICCID and IMSI, SIM location information (TMIS, MCC, MNC, LAC).
  • SIM ID cloning to isolate the phone from network activity during analysis.
  • frequent software updates to ensure compatibility with new phones entering the market.

Download

READ THIS, IT'S IMPORTANT

I recommend you not to touch the files unless you know what to do with them. Do not even think of installing them on your main computer or a work computer.

Use a nested VM or an air-gapped computer running Windows 10, there may be dragons inside. You have been warned!

UFED 4PC

Notes: This is the Cellebrite installer, altered or not, can’t tell since I don’t have access to a legit installer.
Size: 5,310,849,019 bytes
Version: 7.49.0.2 from 2022
SHA-256: c3b9c8273baaf0905a790ed466495c2c5c4a355bcdc9b045b4f7e9fe93383043
Download: here

UFED Dongle Manager

Notes: This is the crack, installs some extra files in the Cellebrite main directory and mounts a virtual USB dongle with the license, using ImDisk.
Size: 169,255,198 bytes
Version: 2
SHA-256: 4f6e4869f1916a8200093bcdb17585ad043a17af56a427634e03144ee12cd678
VirusTotal scan: yes, it has 4 warnings but I did tell you to install this in a VM/air-gapped computer, right?
Download: here

Install

You will need Windows 10 or 11 (not tested with anything below) installed in a VM (hopefully). If you’re installing Cellebrite UFED 4PC on a arm64-version of Windows you will need to take some extra steps, since the crack fails to install the virtual disk emulation driver on that platform (for example, if you’re running Windows 10/11 on a M1/MX MacBook in Parallels Desktop or just plain Windows 10 ARM on baremetal).

Normal steps (for i386/amd64 platforms)

  1. Double-click on the Cellebrite UFED Setup 7.49.0.2 UFED4PC (Fat).exe file and install normally. After installation, if you try to run the program it will bitch about the license, so obvious next step is to install the crack.

  2. Double-click on the @UFEDfree.exe file, if you installed Cellebrite UFED 4PC in a different directory you will have to modify the path where the crack will be installed (so that the crack gets installed into the Cellebrite UFED 4PC directory). When it asks for a password, enter @ufed4pccrack. If you are installing the crack on a i386/amd64 system (not arm64), you’re done installing, move to the “Run” section. If you are installing on a arm64 system, you need to manually install ImDisk and run its services.

Extra steps (for arm64 platforms)

Download ImDisk ZIP file and extract it somewhere.

  • Copy sys\arm64\imdisk.sys and awealloc\arm64\awealloc.sys to C:\Windows\system32\drivers.
  • Copy cpl\arm64\imdisk.cpl, cli\arm64\imdisk.exe and svc\arm64\imdsksvc.exe to C:\Windows\system32.
  • Copy cpl\arm\imdisk.cpl and cli\arm\imdisk.exe to C:\Windows\sysarm32.
  • Copy cpl\i386\imdisk.cpl and cli\i386\imdisk.exe C:\Windows\syswow64.
copy /B sys\arm64\imdisk.sys C:\Windows\system32\drivers\
copy /B awealloc\arm64\awealloc.sys C:\Windows\system32\drivers\
copy /B cpl\arm64\imdisk.cpl C:\Windows\system32\
copy /B cli\arm64\imdisk.exe C:\Windows\system32\
copy /B svc\arm64\imdsksvc.exe C:\Windows\system32\
copy /B cpl\arm\imdisk.cpl C:\Windows\sysarm32\
copy /B cli\arm\imdisk.exe C:\Windows\sysarm32\
copy /B cpl\i386\imdisk.cpl C:\Windows\syswow64\
copy /B cli\i386\imdisk.exe C:\Windows\syswow64\
  • Create the required drivers and services by opening an elevated Command Prompt:
sc create imdisk type=kernel error=ignore start=auto binPath=system32\drivers\imdisk.sys
sc create awealloc type=kernel error=ignore start=auto binPath=system32\drivers\awealloc.sys
sc create imdsksvc type=own error=ignore start=auto binPath=system32\imdsksvc.exe
  • Start the drivers and services you just created:
net start imdisk
net start awealloc
net start imdsksvc

I could make a .cmd for that but I’m lazy.

Run

  1. Double-click Cellebrite UFED Dongle Manager that’s on the desktop (the crack) and when it finishes loading click on Start Dongle. This will mount a virtual USB drive with just one file, licenseforreadingdata.dat (112 bytes size), that is the Cellebrite UFED license.

  2. Double-click Cellebrite UFED on the desktop (the Cellebrite software, not the crack) and you’ll get to the Cellebrite Product License screen where you will get notified that “A license for this product was not found.”. Click on the I am not using Commander button and on the next screen click on the Dongle for the license type. If the virtual disk is mounted (as in step 1) by using the crack, Cellebrite UFED should detect automatically the license file on the drive and validate the product (it doesn’t do any remote connections for that). After that, it will restart (the program, not the system).

  3. You need to mount the virtual disk every time, before you start Cellebrite UFED.

  4. Enjoy.