App Genie – A Smart Heuristic Engine to Surface Critical Application Data in Cellebrite Physical Analyzer
According to Statista, as of Q4 2019, Android users had 2.57 million apps available for download, while Apple users had 1.84 million apps available for iOS. And the number is rising!
When you consider the number of available apps and mobile app downloads, it is virtually impossible for any digital intelligence solution (including Cellebrite Physical Analyzer) to support every app that’s out there.
How To Deal With Unsupported Applications
When faced with an unsupported application in an investigation, digital forensics examiners have several options to collect and report meaningful evidence, but none of them are perfect.
Examiners with time and resources can always perform their own research and then write Python scripts that run in Cellebrite Physical Analyzer (PA) to decode the data. This is the most comprehensive method, but it is costly.
Another option is to use a solution like Virtual Analyzer, which can provide visually appealing access to application data with virtually no effort at all on the examiner’s part. The disadvantage to this solution, however, is that reporting options are limited to screen captures or recordings.
App Genie Offers Automated Decoding
To provide examiners with deep access to data including powerful viewing, searching, and reporting, yet without investing precious time researching and developing parsers—we built the App Genie.
App Genie is an automatic decoding solution that can take on any application, dig through its data, and, by using a powerful heuristic engine, collect artifacts like chats, contact lists, user accounts, locations, and cloud tokens.
App Genie is platform-agnostic, so it can run on extractions from both Android and iOS devices, and it is integrated into PA’s new “App Insights” view, to help focus your analysis on the applications that are most relevant to your investigation.
The categories presented in the App Insights view help investigators understand which applications in the data collection were decoded, and which applications can benefit from running App Genie.
App Genie is ideal for investigating communications applications, like messengers or social media, because they have the highest likelihood of containing the artifact types it can decode.
In addition to the App Insights view, App Genie can be run using the Tools menu, or by right-clicking an application in the “Installed Applications” table view.
Generate Artifacts in Real-Time
A key point to understand about App Genie is that decoded artifacts are generated in real-time, and do not rely on Cellebrite’s prior knowledge about the applications. The whole process is automatic, and results are based on what the App Genie finds in the application’s data. This means it can find evidence that might have been overlooked by researchers.
As with any heuristic solution that generates artifacts through automatic tools, results from the App Genie should not be trusted blindly.
This is why PA draws a visual separation, both in the program’s UI and in generated reports, between artifacts decoded by Cellebrite-authored parsers and results generated in real-time by App Genie.
To aid in the verification of App Genie results, artifacts decoded by it are accompanied by links to source file information. This means that any piece of data decoded by App Genie can be traced back to the original bytes from which it came.
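To make the heuristic approach and its provenance requirement concrete, here is an added example that is not Cellebrite's code and does not reflect how App Genie is implemented. It scans a constructed SQLite database from a hypothetical unsupported messenger, classifies each table as chat, contact or token material purely from column-name cues (the cue lists, table names and sample rows are all assumptions made for this example), and attaches to every artifact the file, table, rowid and columns it came from, so a reviewer can go back to the original record rather than trusting the heuristic output on its own.

```python
import os
import re
import sqlite3
import tempfile

# Column-name cues per artifact category. These are assumptions for this
# example; a real engine would also weigh value shapes, string formats,
# foreign keys and other signals rather than column names alone.
CUES = {
    "chat": {
        "text": re.compile(r"(body|text|message|content|msg)", re.I),
        "time": re.compile(r"(^ts$|timestamp|time|date|created|sent)", re.I),
    },
    "contact": {
        "name": re.compile(r"(name|display)", re.I),
        "handle": re.compile(r"(phone|number|email|jid|username)", re.I),
    },
    "token": {
        "secret": re.compile(r"(token|secret|session|auth)", re.I),
    },
}


def quote_ident(ident):
    """Quote an SQLite identifier so odd table/column names cannot break the query."""
    return '"' + ident.replace('"', '""') + '"'


def classify_table(columns):
    """Return (category, {role: column}) for the best cue set, or (None, {}).

    A table qualifies for a category only if every role in that category's
    cue set is satisfied by a distinct column; among qualifying categories
    the one with the most matched roles wins.
    """
    best = (None, {})
    for category, cues in CUES.items():
        matched, used = {}, set()
        for role, pattern in cues.items():
            for col in columns:
                if col not in used and pattern.search(col):
                    matched[role] = col
                    used.add(col)
                    break
        if len(matched) == len(cues) and len(matched) > len(best[1]):
            best = (category, matched)
    return best


def scan_sqlite(path):
    """Walk every user table and emit heuristic artifacts with source provenance."""
    artifacts = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f"PRAGMA table_info({quote_ident(table)})")]
            category, matched = classify_table(columns)
            if category is None:
                continue
            cols_sql = ", ".join(quote_ident(c) for c in matched.values())
            for row in con.execute(f"SELECT rowid, {cols_sql} FROM {quote_ident(table)}"):
                artifacts.append({
                    "category": category,
                    "fields": dict(zip(matched.keys(), row[1:])),
                    # Provenance: enough to locate the exact source record again.
                    "source": {"file": path, "table": table, "rowid": row[0],
                               "columns": dict(matched)},
                })
    finally:
        con.close()
    return artifacts


def build_sample_db(path):
    """Create a constructed database mimicking an unsupported messenger app."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE msg_store (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, created_at INTEGER);
        CREATE TABLE roster (uid INTEGER PRIMARY KEY, display_name TEXT, phone TEXT);
        CREATE TABLE prefs (key TEXT, value TEXT);
        CREATE TABLE session (account TEXT, auth_token TEXT);
        INSERT INTO msg_store VALUES (1, 'alice', 'meet at 9', 1580000000);
        INSERT INTO msg_store VALUES (2, 'bob', 'ok', 1580000060);
        INSERT INTO roster VALUES (1, 'Alice Example', '+15550100');
        INSERT INTO prefs VALUES ('theme', 'dark');
        INSERT INTO session VALUES ('alice@example.invalid', 'CONSTRUCTED_TOKEN_VALUE');
    """)
    con.commit()
    con.close()


def run_demo():
    """Build the constructed database in a temp directory, scan it, return artifacts."""
    path = os.path.join(tempfile.mkdtemp(), "messages.db")
    build_sample_db(path)
    return scan_sqlite(path)


if __name__ == "__main__":
    for a in run_demo():
        src = a["source"]
        print(a["category"], a["fields"], "<-", src["table"], "rowid", src["rowid"])
```

The `prefs` table matches no cue set and is skipped, which is the kind of silent miss a heuristic engine will always have; the `source` entry on each artifact is what lets an examiner confirm a hit (or notice a false positive such as a settings column that merely happens to be called "token") by opening the original file at that table and rowid.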
This makes App Genie a powerful tool for researchers that wish to get a head start on their manual examination of a mobile application.
When beginning research on a new application, or on a new version of one, examiners can first use App Genie to quickly surface artifacts. Beyond their own digital intelligence value, those artifacts point the research at the specific areas of the application’s data that App Genie has already shown to contain items of interest.
Learn more about the App Genie here.