Access “Inaccessible” Apps with Virtual Analyzer & SQLite Wizard
There are over 5 million apps on the Google Play store and iTunes app store combined. To help you cope with this expanding menu of apps, we created an introductory webinar on SQLite Wizard and Virtual Analyzer that empowers you to access as many apps as possible on a suspect’s phone to increase the pool of relevant digital evidence.
Watch the webinar, Access “Inaccessible” Apps with the Cellebrite SQLite Wizard & New Virtual Analyzer, to gain the practical skills that will extend the reach of your search for relevant digital evidence to close your cases faster.
The SQLite Wizard is a user-friendly and powerful tool that allows you to dig deeper and explore every segment of a device’s memory to locate and manually carve or parse hidden and unknown data. You will be able to translate decoded data on demand to examine content in non-native languages to reveal the greatest amount of evidence.
The Virtual Analyzer is an add-on that extends the Cellebrite Physical Analyzer capabilities. It is a tool that runs applications from a binary dump. The original application decodes the user’s data and presents it on-screen. This will allow you to analyze digital artifacts from unsupported Android applications without decoding so you can validate and view content in its original format.
This webinar is organized into five sections:
- Using Cellebrite SQLite Wizard to forensically gather evidence from unsupported iOS and Android applications
- Emulating and validating application data with the new Virtual Analyzer
- Presenting application data in its native format to build clear and compelling reports
- Best practices and considerations for using SQLite Wizard and Virtual Analyzer
- Q&A Session
Buddy Tidwell, Vice President of Global Training, Cellebrite
Buddy is a former career Police Detective and master Forensic Instructor. He served as a Forensic Lab Manager and Senior Computer Forensic Examiner at the Joint Computer Forensics Lab for Law Enforcement in Middle Tennessee, recovering data from computers, mobile devices, and other electronic media. Buddy also served as an investigator and is a recognized expert witness in the field of digital forensics in Federal and State courts.
Mati Goldberg, Head of Forensic Research Group
Mati leads decoding and cloud research efforts at Cellebrite. Prior to joining Cellebrite in 2016, he was a research and development group leader who oversaw engineering teams responsible for designing and building cutting-edge communication systems. Mati holds advanced degrees in Physics and Engineering and specializes in cybersecurity and reverse engineering.
1. Using Cellebrite SQLite Wizard to forensically gather evidence from unsupported iOS and Android applications
In this section, Mati will cover the SQLite Wizard feature of the Virtual Analyzer. You will learn what SQLite database technology is and how it is used in a digital forensics investigation. He will then apply it to databases that have not been parsed out. You will learn how to build a query statement and map the rows it returns from the SQLite database to relevant artifacts.
Using data from a Samsung Gravity phone accessed by the Cellebrite Physical Analyzer, Mati will explore the properties and capabilities of SQLite database tables. He will explore the project tree that provides hundreds of analyzed data items that the Cellebrite Physical Analyzer has parsed from several data locations and areas of storage on the phone.
You will be empowered with techniques to determine where useful data could be residing and why it could be relevant according to its timestamp or geolocation. Mati will look at indicators like date added, date modified and latitude/longitude. These indicators will help you make sense of file path statements when searching for digital artifacts.
Mati will use the interactive interface to build a SQL query, then create and run definitive models for particular types of digital artifacts that can be run again later for automated parsing.
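As an added illustration of the mapping step described in this section (example code written for this page, not part of the webinar or of Cellebrite's tooling), the script below builds a constructed sample database standing in for an unparsed app database, then runs a query that normalises epoch-millisecond timestamps and scaled coordinates into examiner-friendly artifact fields. The table name, column names and all row values are assumptions made for the example; the read-only open and the note on WAL companion files address the journaling concern raised in the Q&A list.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows (not real app data): a chat-style table no built-in
# parser knows. Timestamps are epoch milliseconds, coordinates degrees * 1e6.
SAMPLE_ROWS = [
    (1, "alice", "meet at the pier", 1_700_000_000_000, 36_162664, -86_781602),
    (2, "bob", "on my way", 1_700_000_600_000, None, None),
    (3, "alice", "running late", 1_700_003_000_000, 36_174000, -86_767000),
]

# Mapping query: normalise raw columns into examiner-friendly fields and keep
# only the rows inside a time window of interest.
ARTIFACT_QUERY = """
SELECT _id, sender, body,
       datetime(ts_ms / 1000, 'unixepoch') AS utc_time,
       lat_e6 / 1000000.0 AS latitude,
       lon_e6 / 1000000.0 AS longitude
FROM msg
WHERE ts_ms BETWEEN ? AND ?
ORDER BY ts_ms
"""

def build_sample_db(path):
    """Write the constructed sample database to disk (stands in for a dump)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE msg (_id INTEGER PRIMARY KEY, sender TEXT, body TEXT,"
                " ts_ms INTEGER, lat_e6 INTEGER, lon_e6 INTEGER)")
    con.executemany("INSERT INTO msg VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()

def map_artifacts(db_path, start_ms, end_ms):
    """Run the mapping query read-only and return one dict per artifact."""
    # mode=ro keeps the query from writing to the evidence copy. If the app used
    # WAL journaling, copy the -wal and -shm companion files alongside the .db
    # first: rows committed only to the WAL are otherwise invisible.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    try:
        return [dict(r) for r in con.execute(ARTIFACT_QUERY, (start_ms, end_ms))]
    finally:
        con.close()

def demo():
    """Build the sample database and map the first 1000 seconds of activity."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "unknown_app.db")
        build_sample_db(path)
        return map_artifacts(path, 1_700_000_000_000, 1_700_001_000_000)
```

Calling `demo()` returns the two messages inside the window, with the third row excluded by the timestamp filter and the missing coordinates of the second row carried through as `None`.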
2. Emulating and validating application data with the new Virtual Analyzer
This section is an introduction to the Virtual Analyzer followed by a short demo. Mati will go “under the hood” to explore details about emulation and how integration is accomplished.
The practical application of this feature will be demonstrated using three use cases to explore data from unsupported applications, validate decoded artifacts, and take screenshots with original application graphics.
3. Presenting application data in its native format to build clear and compelling reports
In order to prepare reports from the data, it is necessary to understand the 4 steps of a successful Virtual Analyzer workflow.
- Preparation: See how to select and prepare the emulator image: API version, phone identifiers, etc.
- Installation: Learn how to isolate an APK file from a dump and use it to install the application in the emulator
- User data: Understand how to push the application and user data into the corresponding folders.
- Run: Finally, you will know how to run the application in the emulator and browse for wanted data to take snapshots or videos of application data.
Additionally, you will get the answers to these important questions:
- Can deleted artifacts be represented?
- Is metadata visible to the user?
- What happens when an application cannot be emulated?
- How can you prevent cross-contamination between the phone data and the computer?
- What are the reasons for an application to reject externally modified user data?
4. Best practices and considerations for using SQLite Wizard and Virtual Analyzer
The Virtual Analyzer wraps the Google Android emulator and supports the latest Android platforms, so you will need to download Android Studio before you can begin using the Virtual Analyzer.
Mati will go over the functionality that preserves your data integrity like blocking internet access internally and externally, and how this retains your forensically sound environment. You will also understand the importance of clean images to prevent cross-contamination.
5. Q&A session: practical answers from our experts to the following five questions:
- Does the Virtual Analyzer feature come standard in PA or is it an add-on, and can I write my own SQLite statement in the wizard or edit the one the wizard uses?
- Can I use the emulator without the PA?
- Does the SQLite Wizard allow one to view databases both with and without WAL files?
- Can the APK file be downloaded externally and used with a logical extraction if the database is extracted?
- How does VA cope with password protected apps or apps that require server tokens to decode the data?