Can Autopsy open UFED files?

Hello.

I would like to know if it is possible to open and display UFED files with Autopsy.

UFED (Universal Forensic Extraction Device) is the format used by Cellebrite’s UFED Physical Analyser (included in its product UFED Ultimate).
The file name extensions of these files are .ufdr, .ufd, .ufdx.

Thank you in advance for your answers.

Kindly.

Hi.

As far as I know, Autopsy does not parse the Cellebrite .ufdr, .ufd, .ufdx files. The .ufd file is a simple text document in INI format, and the .ufdx is a small XML document. Both of these file types could be easily parsed by Autopsy with a plugin. The .ufdr is a .zip archive containing all of the report files as well as a report.xml file, which would need to be parsed and linked to all of the files in the archive. If someone was inclined, they could write a plugin to parse this as well, but I don’t believe it has been done yet.

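As an added illustration of the three formats described in the answer above (not part of the thread, and not code from Autopsy or Cellebrite), this Python example summarises a .ufd, .ufdx or .ufdr file in place and flags archive members with path-traversal names, since evidence containers are untrusted input. The function names and the sample file contents are constructed for the example; no real Cellebrite section or element names are assumed.

```python
import configparser
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path


def xml_root_tag(stream):
    """Return the root element's tag, parsing only as far as its start tag."""
    for _event, elem in ET.iterparse(stream, events=("start",)):
        return elem.tag


def describe(path):
    """Summarise a .ufd, .ufdx or .ufdr file without extracting it to disk."""
    path = Path(path)
    ext = path.suffix.lower()
    if ext == ".ufd":  # INI-format text
        ini = configparser.ConfigParser(interpolation=None, strict=False)
        ini.optionxform = str  # keep key case as written
        ini.read_string(path.read_text(encoding="utf-8-sig", errors="replace"))
        return {"type": "ufd", "sections": {s: dict(ini[s]) for s in ini.sections()}}
    if ext == ".ufdx":  # small XML document
        with path.open("rb") as fh:
            return {"type": "ufdx", "root": xml_root_tag(fh)}
    if ext == ".ufdr":  # zip archive: report.xml plus the report files
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            # Untrusted input: flag members whose path would escape an extraction directory.
            unsafe = [n for n in names
                      if n.startswith(("/", "\\")) or ".." in n.replace("\\", "/").split("/")]
            root = None
            if "report.xml" in names:
                with zf.open("report.xml") as fh:
                    root = xml_root_tag(fh)
            return {"type": "ufdr", "members": len(names),
                    "report_root": root, "unsafe_members": unsafe}
    raise ValueError(f"not a UFED extension: {ext!r}")


def demo():
    """Describe constructed sample files (not real Cellebrite output)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "case.ufd").write_text("[SampleSection]\nSampleKey=sample value\n")
        (tmp / "case.ufdx").write_text("<SampleRoot><Item/></SampleRoot>")
        with zipfile.ZipFile(tmp / "case.ufdr", "w") as zf:
            zf.writestr("report.xml", "<SampleReport/>")
            zf.writestr("../evil.txt", "constructed")
        return [describe(tmp / n) for n in ("case.ufd", "case.ufdx", "case.ufdr")]
```

Linking the entries of report.xml to the files in the archive, as the answer describes, would need the actual report schema, which this example does not assume.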

Thank you very much, atdt0, for your answer.

I understand it is possible to develop a plugin for this, but I can’t do it myself.

Have a good evening.

@ordipb were you able to find any APIs to transfer the Cellebrite format to Autopsy or vice versa? Is there a specific file type that you would prefer being compatible in the transfer?

~Dan

Here is a module that I found on GitHub that imports data from UFDR reports into Autopsy.

I haven’t tested it, so I can’t confirm if it works, though.

This is a feature I would love. I am doing a forensic analysis of an image of an Android phone that was gathered by Cellebrite UFED now and it is painful. I started with the Cellebrite Physical Image (the .UFD and .BIN files); when I attempt to add the .BIN file as a disk image, it gives me the error “Cannot determine file system type (sector 0)”.

I believe the issue is that Cellebrite is combining all of the partitions into a single file rather than splitting them out into separate files the way Autopsy would want it. I’d love if someone could write a module that could import these.

My solution: we used Cellebrite Physical Analyzer to import the .BIN/.UFD files and generate the UFED Report (.UFDR) file. I was then able to open it with Cellebrite Reader (a free tool that does not require a license) and extract the USRDATA folder, which contained the entire contents of /data. I was then able to add this into Autopsy as a logical file system: the Android ingest module ran across it and was able to load the databases.

Would be far better if we had a module that could load the physical .BIN image though, so we could see free space, etc.