Cellebrite Reader Part 2: Familiarizing Yourself with the Reader Platform
In Part 1 of this series, “How to Create And Load Images Into Cellebrite Reader,” we began by learning how to create a UFDR file, add inclusions, and open the UFDR file. In Part 2, we’ll look at how to configure settings in Cellebrite Reader and review the Reader platform, so you can collaborate and share information with your entire team more easily.
Step 1: Configure Settings
Part 1 ended with Opening the UFDR File. Now that our UFDR file is open, we are ready to configure our settings to ensure we see the expected data. I often find that those who report bugs in the tool forgot to set the option to view this data. Make sure you verify your settings before you assume something is missing in your dataset.
First, to change the time zone settings, you need to select Tools from the toolbar and then Project settings. The time zone can now be set within the General Settings. The default will be the Original UTC value, which is my preference for most investigations because devices are used worldwide.
Figure 1. General Settings
You can also identify required case information types, change/add file names, and set default values in the Case Information tab within Project settings, as shown in Figure 1 below. When finished, simply select OK.
Figure 2. Case Information Settings
Next, we want to navigate to Settings within the same Tools dropdown on the toolbar. When you first use or update Reader, make sure you verify that the settings you prefer are active and set in the manner you expect. A best practice is to verify the settings for each case when you open a UFDR file. Since there are so many settings, I recommend you familiarize yourself with them. I am going to highlight the ones that matter the most to the investigations I work on.
The first is under Timeline. The default is shown in Figure 3 below. Notice the two red boxes and the unchecked boxes. This means that your timeline default settings will only display Captured videos and images. But what about those that were deleted on that day? Or even created or accessed? See my concerns? I prefer to see more and then redact. Lastly, under activities I like to select Show activities. Why not, right? I want to see everything possible in that timeline.
Figure 3. Default Timeline Settings
Here is what my settings look like when I select everything in the Timeline. I find this helps me while using Reader. Yes, you will get a lot more information, but this way you may find a missing link that was previously overlooked.
Figure 4. My preferred Timeline Settings
Other settings that may interest you include Interface, which enables you to select table and theme colors, and Additional Report Fields.
The importance of Additional Report Fields, in my mind, depends on where you work. I normally leave them as a default.
The final setting I want to look at is Report Defaults. Here, you have a decision to make that can really hurt you if the wrong option is selected.
Do you want to Include source info indication, Hide extraction source indication, Include translations, Include metadata in chat bubbles and more? All these options depend on your case! I like to see the source, as I discussed in the first part of this blog series. I want to know where an artifact was derived from.
Now that we have chosen our options in settings, we are ready to review our Reader platform.
Step 2: Review the Reader Platform
The left-hand pane is what I like to call the “Tree Pane.” Here is where you will find File Systems, Analyzed Data, Data Files and other Reader features. These key categories are shown in Figure 5 below.
Figure 5. Cellebrite Reader Platform Overview
The Analyzed Data pane includes parsed information that was selected for the UFDR file. Keep in mind, anything redacted in Cellebrite Physical Analyzer, or not included, will not be shown in Reader. This is the most common place to start your investigation.
The Data Files pane contains various file types, applications, and multimedia files that may be of interest to you. File Systems will provide you with the opportunity to interact with the dataset just as an investigator would during an examination.
This is how the magic happens! Everyone is trained differently, and our minds work in various ways. What jumps out to you may have been overlooked by me. Collaboration is a powerful tool. Cellebrite Reader provides a platform that enables us to examine and review data that is available to any organization that owns a Cellebrite solution.
Sign Up for Training
Can you get training on it? Yes, you can. Should you? Absolutely, especially if you plan to testify on the results obtained from Reader. How can you get the training? Easy: visit your Cellebrite portal and sign up for the training that is available to organizations or individuals with an active Cellebrite account.