Currently, the Google Play store hosts between 2 to 3 million apps, which means digital forensics tools have a lot of apps to constantly cover. Due to the expanding app marketplace, certain smartphone app data can sometimes be inaccessible through regular decoding methods. To combat this challenge Cellebrite developed the Virtual Analyzer (VA). (Watch the introduction video to Virtual Analyzer below)

To understand how valuable a tool it can be for your investigations, let’s explore the top challenges that VA overcomes and how it expedites your digital forensics needs and court procedures:

  1. Data Unavailable Through Conventional Decoding Techniques

In some cases when new apps or unsupported apps are unable to be decoded, VA provides a virtual Android OS environment with data from a physical extraction of any Android mobile device. This assists examiners to see the contents of an app without the need to decode it. This capability complements Cellebrite’s decoding solutions to provide forensically sound access, in a generic way, to data that is initially unavailable.

  1. External Validation of Decoding Solutions

Even the most reliable decoding solutions require external validation before the evidence can be used in court. The VA emulator offers a new way to validate forensic insights. Instead of using several different decoding solutions and comparing results, VA can be used to emulate the data, and see the data appear as it would on an actual Android device.

  1. Ensuring Effective Presentation of Evidence in Court

Court presentations can become challenging to understand when jurors, lawyers, and judges don’t see conversations in mobile apps, such as WhatsApp, in their native format. Mobile app data outside its usual app interface is not friendly to the eye so court members become overwhelmed when digital evidence is presented in table format reports.

Using VA to visualize app data provides a more straight-forward way to display digital evidence in court. Having this data presented in a UFDR  eliminates the struggle of getting the results ‘court-ready’, and the need to create approachable – but time-consuming graphical visualizations of conversations, call logs, contact lists and more.

  1. Inability to Select Individual Apps to Emulate

The idea of using virtualization is common in the world of computer forensics, and it is usually done by loading an entire disk image into a virtual machine.

VA is built around a different concept, as it does not need the whole disk image to be loaded allows for individual apps to be selected for emulation. This enables faster runtime and better efficiency when looking for evidence in specific places, and is more suitable to the application-based world of mobile forensics.

  1. Technical Interruptions

Technical interruptions can be encountered throughout emulation procedures. As an example, some apps might need to perform an initialization process the first time they run. This may cause problems later on in the emulator if the app’s data is overwritten with data from a device on which it was already initialized. In this case, the initialization process might be unintentionally skipped, which can cause runtime issues for the app.

VA seamlessly eliminates this issue by providing a loading process that handles this issue (and others), wrapped in a simple user interface that is accessible through Cellebrite Physical Analyzer after loading a physical extraction.

  1. Data Contamination from the Internet

If a mobile device exhibit connects to the internet, network communication could activate things like user presence alerts, “last seen” status, or even enable the impersonation of suspects by sending messages on their behalf.

VA enables complete isolation of the data on the emulator from the internet, which avoids data contamination. When working in offline mode, no app or Android service can contact its servers in any way. VA achieves this ability by odifying the emulator’s system image before booting so that when the emulator starts, the emulated network hardware is already disabled.

In contrast, having the emulator connected to the internet using the ‘online mode’ creates a powerful tool similar to Cellebrite UFED Cloud – using tokens stored locally on a device to skip logins and connect to cloud services using the owner’s account.

  1. Contaminating Hosted Data on the Mobile Device

Imagine examining a suspect’s mobile device and exploring its contents without the risk of corrupting evidence or performing irreversible actions.

It is important to note that the emulator can always be restarted from a clean image, and apps from the physical extraction can be loaded again to appear exactly as they would on the original device. In court, this is especially useful for the defense because it enables them to verify the integrity of evidence presented using VA.

VA features the ability to completely isolate mobile device data from the original extraction so that any action performed on the emulator does not affect data stored in the original extraction. This enables VA to function as a sandbox where investigators can explore the evidence without fear of corrupting the original data.

In Summary

Virtual Analyzer is a powerful complementary capability to the classic decoding process featured in Cellebrite Physical Analyzer. It can uncover new evidence from apps that are not currently supported by digital forensics tools.

VA can verify the results of decoding procedures by other tools and finally visualize them in a compelling way that is instantly recognizable in court. From investigators to prosecutors, the VA adds significant value to all stakeholders in criminal investigations.

Share this post