Cellebrite Reader Part 3: Driving Your Investigation with Reader
In Part 1 of this series on Cellebrite Reader, we began by learning how to create a UFDR file, add inclusions, and open the UFDR file. In Part 2, we covered how to configure settings and review the Reader platform to allow you to collaborate and share information with your entire team more easily. In our third and final blog in this series, we’ll look at best practices for conducting keyword searches, writing queries, setting up timelines, and generating reports.
Once settings have been enabled and a review of the platform has been made, you are ready to kick off your analysis. What comes next depends on the type of investigation you are working on. If you are working a child exploitation case, you may go right to images, videos, and browser data.
If you are working on an IR case, however, you may wish to start with installed applications and then a timeline. This is where it becomes an art as we verify or uncover artifacts that may have been identified or even missed by others.
In this blog, I will be sharing key concepts to ensure you are as thorough as possible in your investigation using Reader. First and foremost is keyword searching.
Search for Keywords
A keyword search is done in a logical manner in Reader. The option to search is in the top right corner of Reader, as shown in Figure 1 below. In this example, I conducted a search for the keyword “heather” and received 12 results.
Figure 1. Keyword Searching in Reader
To view your results, select Show All, and the keyword hits will appear on the screen for you to review. Fuzzy searching applies here. This means that if you searched for “hank” you would also get keyword hits for “thanks” and “thanksgiving”, which may be useful.
Figure 2. Keyword Results in Reader
Should you find a keyword hit that is relevant or interesting to your investigation, it can be tagged at this point. To tag, select the tag as indicated by the arrow in Figure 3 below and select the category for the tag. You can create unique tags under Manage tags. At any point, you can untag an artifact if it is no longer relevant.
Figure 3. Tagging Results in Reader
Let’s keep following this lead. The SMS message above can be selected and viewed in the SMS Messages section, which is where we will find the source file. If the source file was not included when the UFDR file was created, this may be the first time you notice that this important information is missing. If this chat is important to your investigation, I recommend reporting it in the Conversation view, which can be selected by clicking on the message bubbles next to the location where you selected to create the tag.
Figure 4. Verifying Source file in Reader
A few final details are important to remember.
Within Cellebrite Reader, you have the ability to navigate and examine databases of interest. This may resonate with more experienced examiners who want to peek inside files to ensure everything is parsed. If you want to write a query, you will have to export the file and load it into your tool of choice, or simply switch back to Cellebrite Physical Analyzer.
Remember, this is not a substitute for Cellebrite Physical Analyzer but simply an extended arm that allows others to look at the same data as you without needing an additional site license. The primary investigator using Cellebrite Physical Analyzer should be driving the investigation.
Setting Up Timelines
Timelining is another feature that can be used in Reader. The settings will control some of what you see or do not see in the timeline. Another controlling aspect is the data included in the UFDR file. If you feel that you are missing something, reach out to the investigator who created the file and ask them to verify the existence of the artifact in Cellebrite Physical Analyzer.
The final detail is reporting. Once you have tagged files of interest, you can create a report of your findings. To create a report:
- Select Report from the toolbar.
- Then select Generate Report. You can choose how your tagged items are handled, as shown in Figure 5 below. If you didn’t tag anything, you can create a report with everything included if you want. What is included, and the format, is under your control at this point.
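The keyword search, tag, timeline and report steps above follow one thread. The added Python example below (not Reader's code, and not part of the original post) models that thread over a few constructed SMS records: matching is written as case-insensitive substring matching, as the “hank” / “thanks” example implies, and a record with no source file is called out in the report so the reviewer remembers to verify it in Physical Analyzer.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample records standing in for parsed SMS data; not real case data.
@dataclass
class Message:
    msg_id: int
    timestamp: datetime
    party: str
    body: str
    source_file: Optional[str]   # None models a source file left out of the UFDR
    tags: set = field(default_factory=set)

def sample_messages():
    return [
        Message(1, datetime(2023, 5, 1, 9, 15), "+15550001", "Thanks for the ride, Heather", "sms.db"),
        Message(2, datetime(2023, 5, 2, 18, 5), "+15550001", "hank is not picking up", None),
        Message(3, datetime(2023, 5, 1, 9, 40), "+15550002", "Thanksgiving plans?", "sms.db"),
        Message(4, datetime(2023, 5, 3, 7, 30), "+15550003", "See you at 8", "sms.db"),
    ]

def keyword_search(messages, keyword):
    """Case-insensitive substring match: 'hank' also hits 'thanks' and 'thanksgiving'."""
    k = keyword.lower()
    return [m for m in messages if k in m.body.lower()]

def tag(message, label):
    """Tag a hit; the tag set is what later drives the timeline and report."""
    message.tags.add(label)

def untag(message, label):
    message.tags.discard(label)

def timeline(messages, tagged_only=True):
    """Chronological view, restricted to tagged items unless told otherwise."""
    chosen = [m for m in messages if m.tags or not tagged_only]
    return sorted(chosen, key=lambda m: m.timestamp)

def report(messages, tagged_only=True):
    """One line per item; a missing source file is flagged for verification in Physical Analyzer."""
    lines = []
    for m in timeline(messages, tagged_only):
        source = m.source_file or "SOURCE FILE NOT IN UFDR - verify in Physical Analyzer"
        tags = ",".join(sorted(m.tags)) or "-"
        lines.append(f"{m.timestamp:%Y-%m-%d %H:%M} | {m.party} | {tags} | {source} | {m.body}")
    return lines

if __name__ == "__main__":
    msgs = sample_messages()
    for hit in keyword_search(msgs, "hank"):
        tag(hit, "Evidence")
    print("\n".join(report(msgs)))
```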
Figure 5. Creating a Report in Reader
Training Is Available
Want more on this? Cellebrite offers a training course to customers and their organizations. Log in to the Cellebrite Learning Portal and sign up for the Cellebrite Reader Online On-Demand Course. You will receive detailed training, including datasets, to ensure you know how to use Reader to aid your investigations.
Cellebrite Reader is a special tool that enables effective collaboration as nobody is perfect and we all see data in different ways. Reader empowers us to share our data with others who may not have a Cellebrite Physical Analyzer license. It’s a special thing and I hope you enjoy it. As I like to say, the world (or Reader) is your oyster! Go for it. Give it a shot.