Data, data, and more data!!  With hard drives and mobile devices constantly increasing in size, investigators are always looking for ways to get to data quickly.  File filtering within Cellebrite Inspector is one way this can be done.

Using File Filters

Cellebrite Inspector comes with 30+ already configured filters that can make your life a whole lot easier.  In this blog post, we are going to focus on four so you can see how quick and powerful these features can be.

These are the file filters available in the File Filter tab in Cellebrite Inspector 2019 R3:

Filter – Description
List All Files – Display all files on selected device
Name – Filter files by name
Path – Filter files in a named directory (folder)
Kind – Filter by genus or category
Extension – Filter by file type based on extension (.doc, .txt, .jpg)
Content Extension – Filter by file type based on header information
Extension Matching – Filter by file type based on header and extension
Tagged State – Filter files that are tagged or not tagged
Tag Name – Filter files by Tag Name
Size – Filter by file size
Date Created – Filter by creation date
Date Modified – Filter by date modified
Date Accessed – Filter by last access date
Date Added – Filter by date added
Cellebrite Inspector ID – Filter by the record ID stored within the case file database
File System ID – Filter by the HFS catalog (node ID) / MFT ID number
Hash Set – Filter files with known hash values
Hash Set Category – Filter files based on hash set category
File Hash – Filter files based on a specific hash set
List Duplicate Files – Filter the duplicate files by hash
Suppress Duplicate Files – Filter out any duplicate files
File Entropy – Filter by file entropy value
Locked – Filter files with a locked flag
Resource Fork – Filter files that have a resource fork
Alternate Data Stream – Filter files that have an alternate data stream
Visibility – Filter hidden or visible files
iOS Hidden Files – Filter iOS hidden files
Metadata Field – Filter on the metadata attribute field
Metadata Value – Filter on the metadata attribute value
Spotlight Field – Filter on the spotlight attribute field
Spotlight Value – Filter on the spotlight attribute value
Internal Filter – Filter for displaying custom SQL from the details view
Snapshot/VSC – Filter files that have a Snapshot or Volume Shadow Copy version

File Filter Example 1 – Signature Analysis

You may have noticed within Cellebrite Inspector that there isn’t a column or view that readily points out a file signature mismatch.  When you look at the file structure within Browser, Cellebrite Inspector has a column for Extension, showing the file type based solely on the specified extension, and a column for Content Extension, showing the file type based on the header information.

Neither of these columns displays whether the content header matches the specified extension. You can sort by each of these columns, but determining bad signatures in this view would be very tedious.

Cellebrite Inspector 2019 R3 updates file filters to make compound filtering easier.  You can filter on a group of conditions and/or individual conditions.  For signature analysis, there are several ways you can go about it.  First, you need to check whether the extension and content extension are not equal, meaning the file extension is different from the file signature.

Second, you can narrow down the results to focus on specific file types.  In this example, we are looking for files with a content extension or file signature of JPG, GIF, or PNG, as well as files where the file extension is not null (this gets rid of a lot of false positives that sometimes occur for files with no file extension).

Figure 1 – File Filter for jpg, gif, and png files with mismatched extension
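The same compound filter expressed in code, as an added example that is not Cellebrite Inspector's own logic: the content type is derived from the header (magic bytes), the extension from the file name, and a file is flagged only when the content is JPG, GIF or PNG, the extension is not null, and the two disagree. Folding ".jpeg" into "jpg" is an assumption made here to avoid a false positive that the raw string comparison would produce.

```python
# Added example (not Cellebrite Inspector code): Example 1's filter in Python.
from typing import Optional

# Header signatures for the three image types the filter targets.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def content_extension(data: bytes) -> Optional[str]:
    """Type implied by the header (Inspector's 'Content Extension'), or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def name_extension(name: str) -> Optional[str]:
    """Lower-cased name extension, or None when the name has no extension."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base or base.endswith("."):
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return "jpg" if ext == "jpeg" else ext   # assumption: treat .jpeg as .jpg

def mismatched_images(files: dict) -> list:
    """Compound filter: content in {jpg,gif,png} AND extension not null AND extension != content."""
    hits = []
    for name, data in files.items():
        content = content_extension(data)
        ext = name_extension(name)
        if content in ("jpg", "gif", "png") and ext is not None and ext != content:
            hits.append((name, ext, content))
    return sorted(hits)

# Constructed sample "files": header bytes only, which is all the check needs.
SAMPLE = {
    "DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,    # genuine JPEG
    "Documents/notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 8,  # JPEG under a .txt name
    "Downloads/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # genuine PNG
    "Library/cache.db": b"GIF89a" + b"\x00" * 8,              # GIF under a .db name
    "tmp/noext": b"GIF87a" + b"\x00" * 8,                     # no extension: excluded
    "Documents/report.pdf": b"%PDF-1.7" + b"\x00" * 8,        # not an image: excluded
}

if __name__ == "__main__":
    for hit in mismatched_images(SAMPLE):
        print("mismatch: %s (extension %s, content %s)" % hit)
```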

File Filter Example 2 – Changes in Volume Shadow Copies and APFS Snapshots

Sometimes examiners choose not to process volume shadow copies or APFS snapshots because it can be time-intensive.  For some examinations, pertinent information can be found in the VSCs or APFS Snapshots.  To make the most use of your analysis time, process the VSCs and snapshots overnight.

When you come back to the office you can easily run a filter to show you the differences.  Cellebrite Inspector will tell you if there are files in an older VSC or snapshot that are no longer in the active volume, as well as files that appear in both but have been changed.

Any snapshots and volume shadow copies that Cellebrite Inspector processes will be brought back into your case file as a virtual evidence item.  This allows for easier analysis and filtering.  With the active partition and all Snapshots/VSCs selected, we can go to the File Filter tab.  Below are the options built into Cellebrite Inspector to filter against Snapshots/VSCs:

Figure 2 – File Filter options for Snapshots/VSCs

In our example below (Figure 3), at the very bottom of the screen, we can see that the data was filtered down to 3,638 files.  There is a column for Version Index that shows which snapshot or shadow copy that file appears in.

Figure 3 – VSC File Filter results

After selecting a file, contextual clicking (right-click in Windows, command-click in macOS) will bring up a menu with various options including File History.  When File History is selected, Cellebrite Inspector will open a screen that shows the different versions available for that file.  A file displayed in red italics with a strikethrough (Figure 4) indicates the file was found in a Snapshot/VSC but is no longer available on the active partition.

Figure 4 – File History view
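The comparison behind the Snapshot/VSC filter and the File History view, as an added example rather than Cellebrite Inspector's own code. It assumes version index 0 is the active volume and higher indexes are older snapshots or shadow copies, each mapping path to a content hash; a path present only in a snapshot is reported as deleted (the red strikethrough case), and a path present in both with a different hash as changed.

```python
# Added example (not Cellebrite Inspector code): version comparison across
# the active volume (index 0, an assumption) and older Snapshots/VSCs (1..n).
def file_history(versions: dict) -> dict:
    """Return {path: {"status": ..., "versions": [(index, hash), ...]}} for every path seen."""
    active = versions.get(0, {})
    report = {}
    for path in sorted({p for files in versions.values() for p in files}):
        seen = [(idx, files[path]) for idx, files in sorted(versions.items()) if path in files]
        if path not in active:
            status = "deleted"      # only in a Snapshot/VSC: red strikethrough in File History
        elif any(h != active[path] for _, h in seen):
            status = "changed"      # present in active and snapshot, but content differs
        elif len(seen) == 1:
            status = "added"        # only in the active volume, no earlier version
        else:
            status = "unchanged"
        report[path] = {"status": status, "versions": seen}
    return report

def filter_changed_or_deleted(versions: dict) -> list:
    """What the Snapshot/VSC filter surfaces: the files that differ, not the unchanged bulk."""
    return [p for p, info in file_history(versions).items()
            if info["status"] in ("changed", "deleted")]

# Constructed sample: three versions of a small volume; hashes are placeholders.
SNAPSHOTS = {
    0: {"Users/jo/report.docx": "h2", "Users/jo/new.txt": "h9"},
    1: {"Users/jo/report.docx": "h1", "Users/jo/draft.txt": "h5"},
    2: {"Users/jo/report.docx": "h1", "Users/jo/draft.txt": "h5", "Users/jo/old.log": "h7"},
}

if __name__ == "__main__":
    for path, info in file_history(SNAPSHOTS).items():
        print(path, info["status"], info["versions"])
```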

File Filter Example 3 – Spotlight Information in macOS

The Spotlight index within macOS has proven to contain a wealth of information for examiners.  So much additional metadata is available for files, information that could help answer questions about who created the file, how many times a file has been opened, and where the file came from. 

Once Spotlight metadata has been processed for an evidence item in Cellebrite Inspector, files can be filtered using this metadata.  For example, to look at where a file came from there is a key called kMDItemWhereFroms.  Use the built-in Spotlight Field File Filter to search for wherefrom.  Combine that with other filters such as file type to narrow down the data even more:

Figure 5 – Spotlight File Filter

In the above example, we are looking for JPEGs that have the kMDItemWhereFroms key populated.  After selecting a file, the Metadata tab of the ‘Content Pane’ shows all the associated metadata for that particular file.  In this case, the WhereFroms show that this picture came from a specific e-mail address and was sent through Messages file transfer.

File Filter Example 4 – Hash Set Comparisons

BlackBag provides a few hash sets that are optional installs for Cellebrite Inspector including Known Windows System Files, Known OS X System Files, Hashkeeper 2.0 (Known CP), and Hashkeeper 2.0 (Suspected CP).  You also have the option of importing your own hash sets as well as creating hash sets from existing case files. 

Once the hash sets are imported and processed against the current image, a File Filter can be run to show files that are in a specific hash set, or files that are not.  Below is an example showing files that are in a user-created hash set, Bennett-Racer-R3-Geolocation.

Figure 6 – Hash set File Filter

Conclusion

These are just a few of the filters that can help examiners get through their data quickly.  With over 30 filters already built into Cellebrite Inspector (and quick triage processing options available), the size of evidence items doesn’t have to be the bane of your existence.  The additional filter capabilities in Inspector 2019 R3 and the ability to group these filters make a powerful tool for finding information quickly and efficiently.
