UFDR Error when was save with protection

I received an .ufdr file and when processing it with IPED I got the error below.

iped --portable -d "k:\xxx.ufdr" -o "i:\xxx"
2026-02-20 16:15:05     [ERROR] [app.processing.Main]                   Processing Error:
java.lang.Exception: Error decoding datasource k:\xxx.ufdr
        at iped.engine.datasource.ItemProducer.run(ItemProducer.java:153) ~[iped-engine-4.3.0.jar:?]
Caused by: org.xml.sax.SAXParseException: Content is not allowed in prolog.
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[xercesImpl-2.12.2.jar:?]
        at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source) ~[xercesImpl-2.12.2.jar:?]
        at iped.engine.datasource.UfedXmlReader.read(UfedXmlReader.java:272) ~[iped-engine-4.3.0.jar:?]
        at iped.engine.datasource.UfedXmlReader.read(UfedXmlReader.java:251) ~[iped-engine-4.3.0.jar:?]
        at iped.engine.datasource.ItemProducer.run(ItemProducer.java:123) ~[iped-engine-4.3.0.jar:?]

Then I opened the file with 7z (since ufdr = zip) and started looking at the folder structure, as shown in the images below.

<img width="1459" height="71" alt="image" src="https://github.com/user-attachments/assets/988310bb-5eab-42f1-afe3-c630cd8f7fbc" />

Inside the folders we have:
<img width="683" height="220" alt="image" src="https://github.com/user-attachments/assets/738ae1dc-f817-4fb5-8b25-41078dbaf517" />

Inside the folders, all the files have normal names, but when you try to open them, they are all corrupted.

Then I opened the file with celebrite, which showed that it was a Google file, apparently sent by Google itself, and that someone had converted it to ufder using celebrite.
<img width="540" height="312" alt="image" src="https://github.com/user-attachments/assets/f1a0e46d-877e-4e61-8d08-79b85fb2a154" />

While browsing through it, I can see all the files.

Apparently they are encrypted and only Cellebrite knows how to read them, which explains the corrupted XML IPED error.

After doing some research, I discovered the problem with IPED not being able to index this UFDR; I tested it with several other files in the same situation.
The problem occurs because whoever generated the .ufdr file, which is generated on the Celebritte screen, in the "report" option, sub-option generate report, clicked on the option shown below on the screen.

<img width="681" height="352" alt="image" src="https://github.com/user-attachments/assets/171ded62-07bc-4d0e-9d10-46c5bb994458" />

This generated a protected ufdr file, but in practice it's useless, since you can simply open the file with Cellebrite and everything will be there.

To resolve the issue, after reopening the file with Cellebrite, simply go to the same report generation option and leave the option blank. This will create a new, unprotected .ufdr file, and IPED will then function normally.

Additionally, I observed that all ufdr files contain the Report.xml file, and comparing the first 16 bytes, they all have the same sequence below.
<img width="238" height="33" alt="image" src="https://github.com/user-attachments/assets/df488be4-2d35-4725-a97a-19ffa4748875" />
Would it be worthwhile for IPED to verify this and, in this situation, inform the user on how to resolve it?

@aberenguel analyzed with these results:
https://github.com/sepinf-inc/IPED/discussions/2801#discussioncomment-15891666
https://github.com/sepinf-inc/IPED/discussions/2801#discussioncomment-15891701


paulobreim

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

UFDR Error when was save with protection #2803

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

UFDR Error when was save with protection #2803

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions