Keyword searching using Cellebrite Physical Analyzer (PA) provides you with many options to sift through massive amounts of data. Understanding your options is the first step in conducting the proper type of keyword search as searches can be conducted at a logical and physical level.

You can search tables or specific artifacts that have been parsed by the tool. Recently, PA was upgraded to allow examiners to conduct advanced “And” and “Or” keyword searches. This means you can search for “Heather” and “Mahalik,” or for “Heather” or “Mahalik,” to further narrow your view of relevant search hits.

This video shows you all of the options for keyword searching in Physical Analyzer from basic searches to diving into the Hex to perform further artifact parsing. Watch this video to ensure you are using the proper methods.

Understanding how keywords can help you identify new information is what really matters here. There are several options, so let’s go through this right now.

The first step you’ll want to take is to do a “project search,” which you can see in the top-right corner of our normal “Project View.”

You can see in the example below that I have seven results.

Now, if you had three phones loaded into your investigation (or into your Cellebrite Physical Analyzer project), this step would search all of those, so be careful with that. Make sure you always know your Source.

If you want to search across a specific device, you can choose the little arrow that is right up by the Project View. Click on it and you’ll see an “Advanced Search” window appear.

Here, you can search any of the terms or all of the terms. In the example below I have “Shooly” and “Hank” typed in.

If I select “All of these terms,” the keyword result will show “Shooly” and “Hank.” If I had selected “Any of these terms,” the keyword would show “Shooly” or “Hank.” So, it is very important that you know what you’re searching for and how your keyword search should be set up.

If you’re unfamiliar with this process, I recommend that you find a chat message that has two keywords of interest and simply go through and include those.

Continuing on with another tip, let’s say that web browser activity is of particular interest to you. In this case (below) we would load in “Web History.”

As you can see in the results for the Google Pixel, there are only 209, so it’s not too many. If you wanted to search for “Facebook,” however, you would simply type the word into the Table View.

The example below shows that by doing so, we narrowed the total down from 209 to just 10 results.

If you wanted to dig a little bit deeper and see the database that it comes from, simply look at the “Source file.” Below, we can see this comes from Chrome history.

When I select that, I go into a “Hex view.”

This is an interesting way to conduct keyword searches for mobile devices. This is one of the only ways, across any tool I have ever used, that you can actually do what I’m about to show you.

If you select the Magnifying Glass icon, you have a Hex-based physical search. In the example below I’m going to choose “ASCII.”

If you look closely at the screen (and you are familiar with examining “Facebook”), it will usually say “Facebook” and you’ll see “id =.”

I want to search for that, so when I type in “id =” (below) and hit “Find,”…

…you’ll see we have multiple results (below), and that it confirms that the “id =” is a Facebook user ID.

That is a great way for you to look through Chrome artifacts for additional application items of interest.

Knowing how to keyword search is critical to your investigation. Most people don’t even realize these physical searches exist or how powerful and important they can be.

What I just showed you in the “Table View” can also be done across an entire device by going up to “Memory Images.” When you see Hex values, that is your clue that you should be clicking on the Magnifying Glass icon to find further artifacts for your investigation.
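To see what a physical search is doing, the same idea can be reproduced outside the tool. The Python sketch below is an added example, not Cellebrite's code: it scans raw bytes for a keyword in ASCII and UTF-16LE, shows the surrounding bytes for each hit, and then keeps only hits that are a whole URL query parameter. The sample buffer, URLs and ID values are constructed, and the `id=` spelling (no space) and the `?`/`&` delimiter check are assumptions about how the parameter appears in a stored URL.

```python
import re

# Constructed sample: bytes shaped like a fragment of a browser history file.
SAMPLE = (
    b"\x00\x0d\x01\x81https://www.facebook.com/profile.php?id=100000000000001\x00"
    b"\x05Example Profile\x00\x00"
    + "id=42".encode("utf-16-le")                    # same keyword stored as UTF-16LE
    + b"\xff\xfehttps://example.com/page?uid=7\x00"  # 'uid=' also contains 'id='
)

def physical_search(data, keyword, context=32):
    """Return sorted (offset, encoding, context_text) for each raw-byte hit."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = keyword.encode(enc)
        pos = data.find(needle)
        while pos != -1:
            lo = max(0, pos - context)
            hi = min(len(data), pos + len(needle) + context)
            # Non-printable bytes become '.', like the text pane of a hex viewer.
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in data[lo:hi])
            hits.append((pos, enc, text))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def query_param_values(data, name):
    """Keep only hits where `name` is a whole URL query parameter with digits."""
    pattern = re.compile(rb"[?&]" + re.escape(name.encode("ascii")) + rb"=(\d+)")
    return [(m.start() + 1, m.group(1).decode("ascii"))
            for m in pattern.finditer(data)]

if __name__ == "__main__":
    for offset, enc, text in physical_search(SAMPLE, "id="):
        print(f"0x{offset:06x}  {enc:<9}  {text}")
    print(query_param_values(SAMPLE, "id"))
```

The raw search returns three hits, one of them inside `uid=`, which is why each hit's context has to be read before the value is treated as a user ID.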
