Cellebrite Reader Part 1: The First Stop for Digital Intelligence Collaboration
Part I – How to create and load images into Cellebrite Reader
- Guide you through the steps necessary to create a report that is ingestible into Reader.
- Teach you how to access the data once its ingested into the tool.
Step 1. Create A UFDR File
This may have been done for you already by an investigator who provided you with a report or via Cellebrite Responder. Either way, you should receive a directory with a few files, refer to Figure 1 below. To open the case file (Felicia_Samsung.ufdr), simply click on the Cellebrite Reader application and the data will start parsing for you. Straight forward, right?
Figure 1. Output from UFDR file creation
If the directory above was not provided to you, it is easy to create this file yourself:
- The first step is to create the UFDR in Cellebrite Physical Analyzer. This is as easy as clicking on Report in the toolbar and then on Generate Report.
- You may be prompted to Send to Analytics or to Create Reports. Select Create Reports. The format must be UFDR while other field names are normally based upon your agency/organization standards.
Once this is selected, you simply choose where you want to save your report.
Figure 2. UFDR file creation in Physical Analyzer
Step 2. Add Inclusions
Next, you will be prompted to select what you want to include in your Cellebrite Reader file (aka UFDR). Make sure you select Include source info indication if you want the investigator to know where the files came from.
Figure 3. Preferences in Report
This is important as you may need to state where an artifact came from. For example, if you are looking at contacts on an Android, the investigator using Reader should be able to follow the path of the artifact, which would be USERDATA (ExtX)/Root/data/com.android.providers.contacts/databases/contacts2.db : 0x1985B (Table: data, Size: 405504 bytes). This shows that it was a contact on the Android device and not one associated to a third-party application. This could be key evidence in a testimony! However, this option may drastically increase processing time depending on the image size. Once you select Finish, you’re done!
Step 3. Open the UFDR File
Now that we have our report created, open it in reader by double-clicking the Cellebrite Reader application within the report directory or by downloading Reader from your Cellebrite Portal and selecting File from the toolbar and then Open UFDR file. Simple, right?
Figure 4. Cellebrite Reader Overview
Something important to remember is that while Cellebrite Reader looks almost identical to Cellebrite Physical Analyzer, it is not the same tool. You will find that you do not have the same functionality.
For example, you do not have access to the raw data image (normally seen under Memory Images in Cellebrite Physical Analyzer), nor do you have the full functionality of the licensed Cellebrite Physical Analyzer. However, you do have access to a platform that enables you to implement settings, keyword searches, tag, and export files of interest, and create forensic reports. It’s a powerful tool right at your fingertips!