Examining chat applications in Cellebrite Physical Analyzer (PA) is now easier than ever thanks to icons that help you identify the “owner” of a message, whether the message was forwarded, whether it was unread, and other key details that may help you determine the who, what, where, when, why, and how in your investigation.

And if you’re working on a group chat, PA provides you with all the relevant information there as well.

Our goal is to make your examinations easier and more reliable. If you have a chat application that isn’t parsed, find out how to use App Genie to overcome this challenge.

I’m going to start off by going into “Chats” on my Google Pixel 3.

Next, I’m going to choose “Telegram.” Under Telegram you’re going to see “Participants.” I have circled the different names in the example below. One is the receiver of the message and one is the owner. PA clearly identifies the owner by showing you the word “owner” in parentheses.

If I click on the “iMessage” icon on the checkm8 image on my iPhone (below), you will see Harrison and Bernie in the message as participants.

When I click on “Conversation view” (below), you can see that Harrison Freshman and Bernie were having a conversation.

Following Harrison Freshman’s last response, we see the envelope circled below. When you hover over it, the message says “Unread.” This means the message was not read by the user.

If you see an arched forward arrow, this means the user read the message and then forwarded it along to another user. That may also motivate you to jump into a different conversation to follow that lead.

We hope this information makes analyzing chats easier for you. We understand that diving into mobile forensics in digital intelligence can be challenging, but Cellebrite is here to make it easier.

Learn more tips on how to use Cellebrite Physical Analyzer here.
