
Getting Through Data Quickly With Cellebrite Inspector
Data, data, and more data!! With hard drives and mobile devices constantly increasing in size, investigators are always looking for ways to get to data quickly. File filtering within Cellebrite Inspector is one way this can be done.
Using File Filters
Cellebrite Inspector comes with 30+ already configured filters that can make your life a whole lot easier. In this blog post, we are going to focus on four so you can see how quick and powerful these features can be.
These are the file filters available in the File Filter tab in Cellebrite Inspector 2019 R3:
Filter | Description
List All Files | Display all files on selected device
Name | Filter files by name
Path | Filter files in a named directory (folder)
Kind | Filter by genus or category
Extension | Filter by file type based on extension (.doc, .txt, .jpg)
Content Extension | Filter by file type based on header information
Extension Matching | Filter by file type based on header and extension
Tagged State | Filter files that are tagged or not tagged
Tag Name | Filter files by Tag Name
Size | Filter by file size
Date Created | Filter by creation date
Date Modified | Filter by date modified
Date Accessed | Filter by last access date
Date Added | Filter by date added
Cellebrite Inspector ID | Filter by the record ID stored within the case file database
File System ID | Filter by the HFS catalog (node ID) / MFT ID number
Hash Set | Filter files with known hash values
Hash Set Category | Filter files based on hash set category
File Hash | Filter files based on a specific hash set
List Duplicate Files | Filter the duplicate files by hash
Suppress Duplicate Files | Filter out any duplicate files
File Entropy | Filter by file entropy value
Locked | Filter files with a locked flag
Resource Fork | Filter files that have a resource fork
Alternate Data Stream | Filter files that have an alternate data stream
Visibility | Filter hidden or visible files
iOS Hidden Files | Filter iOS hidden files
Metadata Field | Filter on the metadata attribute field
Metadata Value | Filter on the metadata attribute value
Spotlight Field | Filter on the Spotlight attribute field
Spotlight Value | Filter on the Spotlight attribute value
Internal Filter | Filter for displaying custom SQL from the details view
Snapshot/VSC | Filter files that have a Snapshot or Volume Shadow Copy version
File Filter Example 1 – Signature Analysis
You may have noticed within Cellebrite Inspector that there isn’t a column or view that readily points out a file signature mismatch. When you look at the file structure within Browser, Cellebrite Inspector has a column for Extension, showing the file type based solely on the specified extension, and a column for Content Extension, showing the file type based on the header information.
Neither of these columns displays whether the content header matches the specified extension. You can sort by each column, but trying to pick out bad signatures in that view is tedious.
Cellebrite Inspector 2019 R3 updates file filters to make compound filtering easier: you can filter on a group of conditions and/or on individual conditions. There are several ways to approach signature analysis. First, check whether Extension and Content Extension are not equal, meaning the file extension differs from the file signature.
Second, you can narrow down the results to focus on specific file types. In this example, we are looking for files with a content extension or file signature of JPG, GIF, or PNG, as well as files where the file extension is not null (this gets rid of a lot of false positives that sometimes occur for files with no file extension).
Figure 1 – File Filter for jpg, gif, and png files with mismatched extension
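The same two-stage filter expressed as a script, added here as an example and not Cellebrite Inspector code: the content type is derived from header bytes, compared against the name extension, and the result is restricted to jpg/gif/png content with a non-empty extension. The signature table, alias handling and sample records are assumptions constructed for the example.

```python
import os
from typing import Iterable, List, Optional, Tuple

# Header bytes for the three image types the filter targets; this is what
# the "Content Extension" column is derived from.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}
# Name extensions that denote the same type; treated as a match, not a mismatch.
ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

def content_extension(header: bytes) -> Optional[str]:
    """Type from header bytes; None when no known signature is present."""
    for magic, ext in SIGNATURES.items():
        if header.startswith(magic):
            return ext
    return None

def name_extension(path: str) -> str:
    """Extension taken from the file name, normalised ('' when there is none)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ALIASES.get(ext, ext)

def signature_mismatches(records: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Example 1 filter: content extension in {jpg, gif, png}, name extension
    present, and the two not equal. Returns (path, name ext, content ext)."""
    hits = []
    for path, header in records:
        ext = name_extension(path)
        content = content_extension(header)
        if content in ("jpg", "gif", "png") and ext and ext != content:
            hits.append((path, ext, content))
    return hits

# Constructed sample records (path, first bytes); not real evidence.
SAMPLE = [
    ("/Users/demo/Documents/report.docx", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # JPEG named .docx
    ("/Users/demo/Pictures/photo.jpg", b"\xff\xd8\xff\xe1\x00\x18Exif"),      # consistent
    ("/Users/demo/Pictures/scan.jpeg", b"\xff\xd8\xff\xdb"),                  # alias, not a hit
    ("/Users/demo/Downloads/notes.txt", b"\x89PNG\r\n\x1a\n\x00\x00"),        # PNG named .txt
    ("/Users/demo/Downloads/attachment", b"GIF89a\x01\x00"),                  # no extension: skipped
    ("/Users/demo/Documents/memo.docx", b"PK\x03\x04"),                       # not an image: skipped
]

if __name__ == "__main__":
    for path, ext, content in signature_mismatches(SAMPLE):
        print(f"{path}: named .{ext} but content is {content}")
```

Files with no extension are skipped deliberately, mirroring the "extension is not null" condition that removes most false positives.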
File Filter Example 2 – Changes in Volume Shadow Copies and APFS Snapshots
Sometimes examiners choose not to process volume shadow copies or APFS snapshots because it can be time-intensive. For some examinations, though, pertinent information can be found in the VSCs or APFS Snapshots. To make the most of your analysis time, process the VSCs and snapshots overnight.
When you come back to the office you can easily run a filter to show you the differences. Cellebrite Inspector will tell you if there are files in an older VSC or snapshot that are no longer in the active volume, as well as files that appear in both but have been changed.
Any snapshots and volume shadow copies that Cellebrite Inspector processes will be brought back into your case file as a virtual evidence item. This allows for easier analysis and filtering. With the active partition and all Snapshots/VSCs selected, we can go to the File Filter tab. Below are the options built into Cellebrite Inspector to filter against Snapshots/VSCs:
Figure 2 – File Filter options for Snapshots/VSCs
In our example below (Figure 3), at the very bottom of the screen, we can see that the data was filtered down to 3,638 files. There is a column for Version Index that shows which snapshot or shadow copy that file appears in.
Figure 3 – VSC File Filter results
After selecting a file, contextual clicking (right-click in Windows, command-click in macOS) will bring up a menu with various options including File History. When File History is selected, Cellebrite Inspector will open a screen that shows the different versions available for that file. A file displayed in red italics with a strikethrough (Figure 4) indicates the file was found in a Snapshot/VSC but is no longer available on the active partition.
Figure 4 – File History view
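The two conditions the Snapshot/VSC filter reports, plus a per-file history, as an added example rather than anything from Cellebrite Inspector: each volume is reduced to a path-to-hash inventory, older versions are compared against the active one, and every hit carries the Version Index it was found in. The inventories and paths are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Inventory = Dict[str, str]  # path -> SHA-256 hex digest

def inventory(files: Dict[str, bytes]) -> Inventory:
    """Hash every file of a volume or snapshot; files is path -> content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def snapshot_differences(active: Inventory, versions: Dict[int, Inventory]):
    """Return (deleted, changed) as lists of (path, version index):
    deleted - present in a version but not on the active volume
    changed - present in both but with different content."""
    deleted, changed = [], []
    for index, snap in sorted(versions.items()):
        for path, digest in snap.items():
            if path not in active:
                deleted.append((path, index))
            elif active[path] != digest:
                changed.append((path, index))
    return deleted, changed

def file_history(path: str, active: Inventory, versions: Dict[int, Inventory]) -> Dict[str, object]:
    """File History for one path: hash per version plus the active copy; 'active' is
    None when the file only survives in a snapshot (red strikethrough in Figure 4)."""
    history = [(index, snap[path]) for index, snap in sorted(versions.items()) if path in snap]
    return {"versions": history, "active": active.get(path)}

# Constructed volumes: the live partition and two older snapshots (index 1 = oldest).
ACTIVE = inventory({
    "/Users/demo/Documents/notes.txt": b"notes, final revision",
    "/Users/demo/Documents/unchanged.txt": b"same content throughout",
})
VERSIONS = {
    1: inventory({
        "/Users/demo/Documents/notes.txt": b"notes, first draft",
        "/Users/demo/Documents/unchanged.txt": b"same content throughout",
        "/Users/demo/Documents/removed.txt": b"only exists in the snapshots",
    }),
    2: inventory({
        "/Users/demo/Documents/notes.txt": b"notes, second draft",
        "/Users/demo/Documents/unchanged.txt": b"same content throughout",
        "/Users/demo/Documents/removed.txt": b"only exists in the snapshots",
    }),
}
```

Running `snapshot_differences(ACTIVE, VERSIONS)` reports removed.txt as deleted in both versions and notes.txt as changed in both, while unchanged.txt produces no hit.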
File Filter Example 3 – Spotlight Information in macOS
The Spotlight index within macOS has proven to contain a wealth of information for examiners. It holds a great deal of additional metadata for files, information that can help answer who created a file, how many times it has been opened, and where it came from.
Once Spotlight metadata has been processed for an evidence item in Cellebrite Inspector, files can be filtered using this metadata. For example, to look at where a file came from there is a key called kMDItemWhereFroms. Use the built-in Spotlight Field File Filter to search for wherefrom. Combine that with other filters such as file type to narrow down the data even more:
Figure 5 – Spotlight File Filter
In the above example, we are looking for JPEGs that have the kMDItemWhereFroms key populated. After selecting a file, the Metadata tab of the ‘Content Pane’ shows all the associated metadata for that particular file. In this case, the WhereFroms show that this picture came from a specific e-mail address and was sent through Messages file transfer.
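An added example, not Cellebrite Inspector code, of what sits behind the Spotlight Field filter for this key: on macOS the kMDItemWhereFroms value is stored in the extended attribute `com.apple.metadata:kMDItemWhereFroms` as a binary plist holding an array of strings, so the script decodes that attribute and keeps JPEGs where it is populated. The file records and origin strings are constructed placeholders.

```python
import os
import plistlib
from typing import Dict, List, Optional

# macOS keeps the Spotlight WhereFroms value in this xattr as a binary plist.
WHEREFROMS_XATTR = "com.apple.metadata:kMDItemWhereFroms"

def decode_wherefroms(raw: Optional[bytes]) -> List[str]:
    """Decode the kMDItemWhereFroms attribute into its list of origin strings."""
    if not raw:
        return []
    try:
        value = plistlib.loads(raw, fmt=plistlib.FMT_BINARY)
    except (plistlib.InvalidFileException, ValueError):
        return []  # attribute present but not a valid plist
    if isinstance(value, str):
        return [value]
    return [v for v in value if isinstance(v, str)] if isinstance(value, list) else []

def filter_wherefroms(records: Dict[str, Dict[str, bytes]], extensions=("jpg", "jpeg")) -> Dict[str, List[str]]:
    """Example 3 filter: files of the given type whose WhereFroms key is populated.
    records maps path -> {xattr name: raw value}; returns path -> origins."""
    hits = {}
    for path, xattrs in records.items():
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        origins = decode_wherefroms(xattrs.get(WHEREFROMS_XATTR))
        if ext in extensions and origins:
            hits[path] = origins
    return hits

def encode_wherefroms(origins: List[str]) -> bytes:
    """Build the attribute in the binary plist form macOS uses; only to construct samples."""
    return plistlib.dumps(origins, fmt=plistlib.FMT_BINARY)

# Constructed sample records; the origins are placeholders, not values from any case.
SAMPLE = {
    "/Users/demo/Pictures/IMG_0001.jpg": {WHEREFROMS_XATTR: encode_wherefroms(["sender@example.invalid"])},
    "/Users/demo/Downloads/photo.jpeg": {WHEREFROMS_XATTR: encode_wherefroms(
        ["https://example.invalid/photo.jpeg", "https://example.invalid/"])},
    "/Users/demo/Pictures/IMG_0002.jpg": {},                                   # key not populated
    "/Users/demo/Downloads/setup.dmg": {WHEREFROMS_XATTR: encode_wherefroms(["https://example.invalid/setup.dmg"])},
}
```

On a live macOS system the raw attribute can be read with `xattr -px com.apple.metadata:kMDItemWhereFroms <file>`; for an image processed in Inspector the same decoded values appear in the Metadata tab of the Content Pane.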
File Filter Example 4 – Hash Set Comparisons
BlackBag provides a few hash sets that are optional installs for Cellebrite Inspector including Known Windows System Files, Known OS X System Files, Hashkeeper 2.0 (Known CP), and Hashkeeper 2.0 (Suspected CP). You also have the option of importing your own hash sets as well as creating hash sets from existing case files.
Once the hash sets are imported and processed against the current image, a File Filter can be run to show files that exist in a specific hash set, or files that do not. Below is an example showing files that are in a user-created hash set named Bennett-Racer-R3-Geolocation.
Figure 6 – Hash set File Filter
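The hash set workflow from Example 4 as an added script, not Cellebrite Inspector code: a hash set is created from files in an existing case, the current image is filtered for files in that set, and the inverse filter drops anything in a known-files set. All inventories, file contents and set contents are constructed; GEO_SET is a hypothetical stand-in for the user-created set named above.

```python
import hashlib
from typing import Dict, Iterable, List, Set

Inventory = Dict[str, str]  # path -> SHA-256 hex digest

def inventory(files: Dict[str, bytes]) -> Inventory:
    """Hash every file of an image; files is path -> content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def hash_set_from_case(case: Inventory, paths: Iterable[str]) -> Set[str]:
    """Create a hash set from files already identified in an existing case file."""
    return {case[p] for p in paths}

def in_hash_set(image: Inventory, hash_set: Set[str]) -> List[str]:
    """'Hash Set' filter: files whose hash is in the given set."""
    return sorted(p for p, h in image.items() if h in hash_set)

def not_in_hash_sets(image: Inventory, *hash_sets: Set[str]) -> List[str]:
    """Inverse filter: files matching none of the sets (e.g. suppress known system files)."""
    known = set().union(*hash_sets)
    return sorted(p for p, h in image.items() if h not in known)

# Constructed data: a prior case that seeds a user-created hash set, a stand-in
# for a known-system-files set, and the image currently being examined.
PRIOR_CASE = inventory({
    "/Users/demo/Library/Caches/loc1.db": b"geolocation cache A",
    "/Users/demo/Library/Caches/loc2.db": b"geolocation cache B",
})
GEO_SET = hash_set_from_case(PRIOR_CASE, PRIOR_CASE)  # hypothetical: all files of that case
KNOWN_SYSTEM = {hashlib.sha256(b"stock system binary").hexdigest()}
CURRENT_IMAGE = inventory({
    "/System/Library/CoreServices/tool": b"stock system binary",
    "/Users/demo/Library/Caches/loc1.db": b"geolocation cache A",  # same content, same hash
    "/Users/demo/Documents/letter.txt": b"unique to this image",
})

if __name__ == "__main__":
    print("in Bennett-Racer-R3-Geolocation set:", in_hash_set(CURRENT_IMAGE, GEO_SET))
    print("not in any known set:", not_in_hash_sets(CURRENT_IMAGE, GEO_SET, KNOWN_SYSTEM))
```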
Conclusion
These are just a few of the filters that can help examiners get through their data quickly. With over 30 filters built into Cellebrite Inspector (and quick triage processing options available), the size of evidence items doesn’t have to be the bane of your existence. The additional filter capabilities in Inspector 2019 R3 and the ability to group these filters make a powerful tool for finding information quickly and efficiently.
Learn more about Cellebrite Inspector.