
UFED Link Analysis

Trial Guide

June 2013

UFED Link Analysis Trial Guide

Cellebrite Ltd.

Page 1

Legal Notice
This manual is delivered subject to the following conditions and restrictions:

This manual contains proprietary information belonging to Cellebrite Mobile Synchronization
Ltd. Such information is supplied solely for the purpose of assisting explicitly and properly
authorized users of the UFED Touch.

No part of this content may be used for any other purpose, disclosed to any person or firm, or
reproduced by any means, electronic or mechanical, without the express prior written
permission of Cellebrite Ltd.

The text and graphics are for the purpose of illustration and reference only. The specifications on
which they are based are subject to change without notice.

Information in this document is subject to change without notice. Corporate and individual
names and data used in examples herein are fictitious unless otherwise noted.

Copyright 2013 Cellebrite Mobile Synchronization Ltd. All rights reserved.


Contents
1. Introduction
2. Overview
2.1. About Cellebrite's forensics products
2.2. About UFED Link Analysis
2.3. Video overview
2.4. About the trial version
2.5. System requirements
3. Using the sample UFDRs
4. Using your own extractions
5. Working with the UFDR samples
5.1. Terms
5.2. Opening the sample files
5.3. Viewing the link analysis diagrams
5.4. Filtering the links
5.5. Search
5.5.1. Global search
5.5.2. Searching Entities and Locations tables
5.6. Map view
5.7. Timeline view
5.8. Tips
5.9. Generating a report and taking a snapshot
5.10. Saving the project


1. Introduction
Thank you for your interest in UFED Link Analysis, and welcome to your trial version.
This document guides you through some of the exciting features available in your fully operational trial
version. We hope you benefit from the trial version and welcome your feedback.
This free trial version gives you access to UFED Link Analysis for a period of 30 days from the moment
you activate your trial license. Your free trial will expire 30 days after you activate the license, at which
time you are welcome to purchase the full version.

For any questions, comments, or feedback, please contact us at support@cellebrite.com.

2. Overview
2.1. About Cellebrite's forensics products

UFED Link Analysis is part of Cellebrite's mobile forensics UFED series. The UFED Series also includes:
• UFED Touch and UFED Classic units that perform logical, password, SIM card, file system, and
  physical extractions
• UFED Physical Analyzer, the most advanced decoding, analysis, and reporting application in the
  mobile forensic industry. UFED Physical Analyzer includes an enhanced decoding reporting function,
  malware detection, project analytics, timeline graph, exporting data capabilities and much more.
• UFED Phone Detective helps investigators quickly identify a device by its physical attributes or TAC.
A typical device examination workflow consists of the following steps:
1. Extraction (physical, file system, logical, or SIM card), using UFED Touch or UFED Classic.
2. Decoding, analysis, and reporting, using UFED Physical Analyzer or UFED Logical Analyzer.
3. Opening and analyzing the relationship between two or more UFDR report files (generated from
   physical, logical, or file system extractions) using UFED Link Analysis.
For more details about UFED Link Analysis, go to:
http://www.cellebrite.com/mobile-forensic-products/ufed-applications/ufed-link-analysis.html

2.2. About UFED Link Analysis

UFED Link Analysis immediately identifies and visualizes the connections and communication methods
used between multiple mobile devices, based on data extraction reports.
Using UFED Link Analysis, you can:
• Quickly and efficiently identify existing connections between persons of interest
• Reveal relationships with mutual contacts
• Filter data according to time and date, number of events, and categories
• Visualize the communication directions, pinpointing unidirectional and bidirectional communication
• Drill down to specific events
• Determine the suspects' physical locations and movements
• Share findings with other investigators
• Generate customized reports including detailed information and graphs


2.3. Video overview

As part of this trial, you will be provided with an overview video that details the capabilities available
within UFED Link Analysis. For more tutorials about the overall UFED workflow, please visit our online
channel in order to learn more about the latest in mobile forensics.
Video: UFED Link Analysis product overview
Channel: Cellebrite UFED Video Channel

2.4. About the trial version

Use the UFED Link Analysis trial version to analyze multiple extraction reports in the following ways:
1. Are your suspects connected to one another or to their victim(s)? Do they have mutual
   acquaintances?
   Assess common links between the suspects in the Links - Mutual tab graph.
2. Filter the display by person, time, connected entity or link types to pinpoint the information you are
   looking for.
3. How much interaction was there with a particular accomplice or victim?
   Drill down to comprehensive information on the suspect's relationship with a particular entity in the
   Entities Analytics tab.
4. When and where did the suspects cross paths, if at all?
   Assess the locations of your suspects in the Map tab.
5. How were the persons of interest communicating, and when?
   Assess events as they occurred sequentially in a Timeline tab.
We invite you to explore the user manual and learn more about this powerful software tool. The user
manual can be accessed through the UFED Link Analysis Help menu.

2.5. System requirements

PC                  Windows compatible PC with a Pentium IV or compatible processor running at
                    1.6 GHz or higher
Operating System    Microsoft Windows 8, Windows 7, and Windows XP with SP3 or later
Memory (RAM)        OS       Recommended   Minimum
                    32 bit   4GB           4GB
                    64 bit   8GB           4GB
Space requirements  90 MB of free disk space for installation


3. Using the sample UFDRs


Your trial pack includes three sample UFDR files that you can open and analyze using UFED Link Analysis.
Each UFED report was created by performing an extraction, and opening that extraction in UFED Physical
Analyzer/UFED Logical Analyzer.
The sample files were created to demonstrate how you can analyze the links between three people of
interest using UFED Link Analysis. Section 5 introduces you to ways that you can analyze the links
between the suspects.

4. Using your own extractions


You can open and analyze your own extractions in UFED Link Analysis.
1. Open each of your extraction files in UFED Physical Analyzer or UFED Logical Analyzer.
2. For each file, generate a UFDR file containing all the data.
3. Open the UFDR files in UFED Link Analysis according to the guidelines provided in section 5.


5. Working with the UFDR samples


The following section provides you with some examples of how to analyze the links between the three
sample people of interest.

5.1. Terms
In UFED Link Analysis, the following terms are used:

Person   The owner of the device

Entity   A phone number, email account, or application ID, or a combination of the three
         (based on the contacts found in the device contact information) that has
         interacted with a person.

Link     An indication of communication based on single or multiple events. A link can be
         created based on contact information, Bluetooth device, and more. In the links
         diagram, the thickness of the link line represents the volume of events; the arrow
         represents the direction of communication.

5.2. Opening the sample files

1. Click Add UFDR file and open Report1.ufdr.
2. Enter the person details such as First name, Last name, Organization.
   TIP: To add a photo, click .
   To add additional fields, click Add field.
3. Click Add UFDR file and open Report2.ufdr.
4. Enter the person details.
5. Click Add UFDR file and open Report3.ufdr.
   Enter person details.


5.3. Viewing the link analysis diagrams

The links between the suspects are shown. By default, the Links - Mutual tab is displayed.
In the Links - Mutual tab, select all the listed persons to display all entities linked to two or more
selected persons.

Access the Links - All tab.
In the Links - All tab, select all the listed persons to display all entities linked to one or more selected
persons.

TIPS:
• To zoom in and out of the diagram, use the mouse scroll button.
• To pan the diagram, hold CTRL and drag the mouse to the desired location.
• Filter the display by changing the selected persons, and by setting timeframes, entity, and link filters.
The links diagrams contain two subtabs:
• Graph: a visual representation of the selected persons and their linked entities.
• Entities Analytics: a statistical analysis of the interactions of a particular entity and persons.


In the Links - All or Links - Mutual tabs, click Entities Analysis.
The Entities Analytics subtab opens for the selected entity.

5.4. Filtering the links

Filter the links diagrams in the following ways:
• Person: select the persons to display.
• Timeframes: set a time frame to display events that occurred within a particular time period.
• Entity: set the minimum number of persons that are connected to displayed entities.
• Link: select the content types to display. Set the minimum number of events to be included in
  presented links.
Note: Map and Timeline views have additional, context-sensitive filters.
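
The filter semantics described in sections 5.3 and 5.4, sketched as an added example: this is not Cellebrite code and it does not read the UFDR format. The event records, their field layout (including "in"/"out" as seen from the device owner) and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not taken from any UFDR file):
# (person, entity, direction relative to the person, timestamp, content type)
EVENTS = [
    ("Person A", "+15550100", "out", "2013-05-01T09:00", "call"),
    ("Person A", "+15550100", "in", "2013-05-01T09:30", "sms"),
    ("Person A", "+15550100", "out", "2013-05-03T18:10", "sms"),
    ("Person B", "+15550100", "out", "2013-05-02T11:00", "call"),
    ("Person B", "+15550100", "out", "2013-06-10T08:00", "call"),
    ("Person B", "x@example.com", "in", "2013-05-04T12:00", "email"),
    ("Person C", "x@example.com", "out", "2013-05-05T12:00", "email"),
    ("Person C", "+15550199", "in", "2013-05-06T07:45", "call"),
]

def build_links(events, persons, start=None, end=None, types=None, min_events=1):
    """Apply the Person, Timeframes and Link filters; return {(person, entity): link}."""
    links = defaultdict(lambda: {"events": 0, "dirs": set()})
    for person, entity, direction, ts, ctype in events:
        when = datetime.fromisoformat(ts)
        if person not in persons or (types and ctype not in types):
            continue
        if (start and when < start) or (end and when > end):
            continue
        link = links[(person, entity)]
        link["events"] += 1          # event volume: drawn as line thickness
        link["dirs"].add(direction)  # direction(s): drawn as the arrow
    return {
        key: {"events": v["events"],
              "direction": "bidirectional" if len(v["dirs"]) == 2 else "unidirectional"}
        for key, v in links.items() if v["events"] >= min_events
    }

def entities_view(links, min_persons=1):
    """Entity filter: min_persons=1 is the 'all' view, min_persons=2 the 'mutual' view."""
    owners = defaultdict(set)
    for person, entity in links:
        owners[entity].add(person)
    return {e: sorted(p) for e, p in owners.items() if len(p) >= min_persons}

if __name__ == "__main__":
    everyone = {"Person A", "Person B", "Person C"}
    links = build_links(EVENTS, everyone, end=datetime(2013, 5, 31, 23, 59))
    print(entities_view(links, min_persons=2))
    print(links[("Person A", "+15550100")])
```

Raising min_events drops thin links before the entity filter runs, so an entity can disappear from the mutual view even though every person still has at least one event with it.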


5.5. Search

5.5.1. Global search

Perform a global search on all the project data:
Enter "John" in the Search field at the top of the workspace.
The matching results are displayed by event type in a Search Results tab.

5.5.2. Searching Entities and Locations tables

In the Entities or Locations table, enter the string in the Search field. Only the matching results are
displayed in the table.

Double-click an entry to highlight the entity in the links diagram or map.

5.6. Map view

Map view displays multiple device owners' locations on a single map. Filter the map by persons,
timeframes, location category, and by mutual locations.

To pan (move) the map:
• Click and drag the map.
To zoom in and out of the map:
• Mouse over a location and use the mouse scroll button to zoom in or out on that location.
• Double-click a location to zoom into that location.
To center the map:
• Click anywhere on the map to center the map on that location.
You found an interesting location and would like to highlight it in the map:
• Search for a location in the Locations table, right-click the entry and select Highlight location.

5.7. Timeline view

Timeline view displays the time-stamped events of the selected persons (calls, emails, SMS, MMS, and so
on) in chronological order. Filter the table by changing the selected persons, and by setting timeframes
and categorical filters.
To view a timeline for all events:
1. On the Home tab, in the Tabs group, select New Timeline > New Timeline.
2. Select all three persons of interest to show the timeline of their combined events.

To view a timeline for the current links diagram:
• On the Home tab, in the Tabs group, select New Timeline > Timeline from graph.
To view a timeline for a particular entity:
1. In a links diagram, select an entity.
2. On the Home tab, in the Tabs group, select New Timeline > Entity timeline.


5.8. Tips

To display information about links:
• Click a person or entity to highlight their links.
• Double-click a link to display detailed information about the events connecting the person and the
  entity.

To view information about a person:
• Right-click a person in the Persons Pane, or the person in the links diagram, and select Person
  Details.


5.9. Generating a report and taking a snapshot

Generate a report on all or filtered information.

To generate a report:
• On the Home ribbon, click Generate.

To take a snapshot of your filtered links diagrams:
1. On the Layout ribbon, click Snapshot.
2. Enter a name for the snapshot.
3. Navigate to the desired location and click Save.
Your link analysis diagram is saved as a picture file (*.png).

5.10. Saving the project

Save your current work session (project) to continue your work from where you left off, or to share
your project with another UFED Link Analysis user.
To save your session:
1. From the application menu, select Save project as.
2. Enter a name for the workspace file.
3. Navigate to the desired location and click Save.
Your session is saved as a Link Analysis Workspace file (*.clw).
To load a saved session:
1. From the application menu, select Open project.
2. Locate and select the workspace file.
3. Click Open.
