Hey, have you heard about Chat Capture? It’s a feature built into Cellebrite UFED that helps extract application data from Android devices. Cellebrite’s Chat Capture capability will be rolled out in three phases to offer continued support for your applications.

How to Leverage Chat Capture

With Android, sometimes the application data isn’t available due to encryption settings on the device unless you receive a full file system or physical extraction. But there’s no reason to overlook key artifacts just because you couldn’t obtain the application data you had anticipated. Let us help you collect and capture all your data.

How to Analyze Chat Capture

Don’t see the application you wish to collect in the supported dropdown? The generic option enables the examiner to collect and capture the screens of any application or setting, as long as they’re allowed to legally access it. UFED will guide you through the steps and make the collection easier than ever before by filling in the gaps of data that’s been missed in past extractions.

Chat capture will even output screenshots with textual data so users can perform text searches within Physical Analyzer.

Getting Started

Open UFED and choose MOBILE DEVICE. You can use autodetect or browse devices. At this point, be sure to plug the device into UFED and follow all instructions that appear on the screen. Click on CHAT CAPTURE and you will then be given the option to choose where to save your reports.

A list of instructions will then appear that YOU MUST FOLLOW in order for this to be successful.

A screen will appear warning you that the display settings will be changed on the device. It also says that when the process completes, the system settings will be reverted back to the original. You can choose how you would like to proceed. Keep in mind that at this point you are about to access a live conversation meaning that any unread messages will be marked read.

Now we have some options. At this point, Whatsapp and Signal are the only apps listed in Phase 1 of Chat Capture. Soon Instagram and Snapchat will be included. Generic mode is also very powerful.

You also have the option to select a predefined timeframe, for example, if you only have the legal authority to look at a specific amount of time. You can also choose a custom timeframe.

Unless you are using Generic Mode, do not touch the device while UFED is working. You will see the progress bar running and capturing screenshots of the device including the owner profile information and any chats back and forth within the timeframe of interest.

At any time during the process, you can choose to “Stop Capture”. Once the process is completed, you will see a message telling you that Chat Capture is completed. Click “Continue” in order to access all the captured screenshots.

When you finish with Chat Capture, UFED will remind you to return all the device settings to how they were before the extraction began. You can now open the extraction with Physical Analyzer.

Once Physical Analyzer opens, the Case Wizard is going to launch. From here you can choose to Examine Data. Depending on how much you capture, this could take a few moments to a few minutes to load.

From here, choose Analyzed Data. Under Analyzed Data there is Manual Evidence and Images. You can choose each one individually. Under “Images” you will find the screenshots of the chats captured.

From here, you have the ability to search for specific keywords. Any chat that has the searched word within it will be included and any additional information, giving you a true glimpse of how the conversation looked to the original user.

Share this post