Selective File System Extraction in Cellebrite UFED
Qualcomm Live Support
Qualcomm Live is a gem that currently exists under the File System menu in UFED. The UFED team has been working hard to provide Qualcomm Live support for Android devices, and for Full File System and partial file system extractions for forensic analysis. In fact, the most recent update to UFED 7.44 includes support for most of the Samsung flagship phones such as S20 with Android 11.
Selective File System Extraction
The Selective File System Extraction enables the examiner to select what they are legally allowed to collect from an Android device, and the Full File System will try to collect everything else. These types of data collection provide additional artifacts such as application data. This feature is built into UFED 4PC and the UFED Touch 2.
Performing Qualcomm Live data collection requires an examiner’s full attention, as they must sit with the device and the UFED to ensure the extraction begins. When you hear the “ding” on your system, this means either the Android or the UFED requires your attention. Be patient and concentrate…it’s very important you don’t miss a step.
Watch the video to learn about common successes and failures to ensure you know why errors might appear. I’ll also share tips and tricks regarding the settings on the device, the adapters required (UFED 4PC only) and which cables will help you achieve successful data collection.
At Cellebrite, we understand Android data collection is not easy. Our goal is to provide solutions to help you collect the data you need to support your investigation.
In order to find Qualcomm Live, you need UFED open on the PC. Select mobile device and then you will be given a few options. Choose “File System”
Next you will be presented with some more options, click on “Qualcomm Live” and choose where you want to save the extraction.
If you are using UFED 4PC, you will need to use a specific adapter before being able to continue. At this point, UFED will give you a list of things that you MUST do before continuing.
It is not uncommon that you may have to attempt Qualcomm live a few times before being successful. Be sure to read all the instructions and messages that pop up on the screen and carefully think about your answers before continuing. There are a variety of collection errors that commonly occur. Depending on the issue that comes up, follow the instructions that appear on UFED and retry.
If you keep getting errors it sometimes helps to disconnect the adapter and then reconnect, starting the extraction entirely from the beginning, or go into the settings and revoke USB debugging settings.
While it is saying “Preparing device for extraction,” do not interact with the device. Simply wait until the extraction is ready. Once the device has been successfully detected, this screen will appear with a lot of useful information; the make and model of the device, the security patch, serial numbers, how many apps are installed, and more.
From here you have the choice of doing a full file system extraction or a selective extraction. If time is not an issue, it is recommended to do a full file system extraction in order the largest amount of useful information possible. If you are only allowed to choose certain applications or if you have a time limit, the selective extraction option is perfect for you.
If you are using selective extraction, you can simply go through and pick whichever apps you want to extract. You can search through the list or keyword search using the search bar. At this point, UFED will complete the extraction.