In this episode, I want to talk about getting started with UFED because access matters, and many people are new to mobile device forensics. We have built in a few new features to help you gain easier access to these devices.

So I start in UFED with Mobile Device. You can go in via Browse Devices, which most of us have done, and search by the model. But you can also use our Device Wizard where you can use the dropdown list to search, or you can start typing the phone model.

When you press Next, it’s going to tell you right away, the type of Encryption it has and the type of Chip Set.

So when you think of doing Qualcomm Live, you will know now that Qualcomm is the option you want to choose. It tells you everything about the Kernel version that it can, but, more importantly, it lets you enter an OS version if you want to do so on a security patch date if you know it.

If you don’t know, press Next at the bottom right of the screen. The next screen is going to tell you your best type of Acquisition. You can do it in Advanced Logical, or do a File System, and when you see File System, this is where I recommend you go first because it will give you the best results.

Qualcomm Live is going to get you a full file system extraction and some access to this Android device. You can also do Manual Evidence where you can do chat capture and things I’ve covered in the past. But again, I would start with File System.

You can then do an Advanced Logical, which will get you additional identifiers. On the right-hand side, we explain exactly what you’re going to expect.

So let’s say you choose File System in Qualcomm Live, you simply set Select Extract and the device will start that acquisition for you. You can then go back and always do additional levels of extraction as needed. And again, you’re going to find this by going to Device Wizard within UFED.

Watch the full episode to learn more.

Share this post