How to Detect Unparsed Applications in Cellebrite Physical Analyzer – Part 1
- Did you know that many applications (weather and restaurant apps are good examples) track your location?
- Did you also know that a random fitness application could be used to place a person of interest at a certain location at a specific time?
While it is impossible for any vendor to support and parse all applications, detecting unparsed applications is the examiner’s responsibility. The good news is that detecting them is not as difficult as you may think.
In this video, we provide tips on how to identify applications and better understand how the applications can help your investigation.
In the last part of this series, I gave you a little teaser. When we looked at “installed applications,” there actually was something of interest that the tool was not parsing.
This is where you need to consider why your tool is not parsing the data. And this is the blunt thing I always tell people: “What is your return on your time investment?”
If you are the only person on the planet that cares about the Starbucks app and how many coffees someone is ordering, you will now know how to actually examine this information. When you find the database, you’re good to go.
But what if it’s something the vendor doesn’t know about? If you find an app that you’ve seen frequently, it’s up to you to reach out to Cellebrite and say, “Hey, can you guys start parsing this?”
Without your feedback (requesting certain apps for Cellebrite to parse), parsing is going to be limited to the most popular and important applications. When we look closely at the example below, we see some fitness applications. We have “MyFitnessPal” and something called “RunKeeper” on the device.
RunKeeper Pro does exactly what its name implies. It tracks your runs. But guess what? It may also track every place you’ve ever run, your weight, your birthday, your sex, and many other things. This is fantastic from an investigator’s point of view.
Imagine you’re working an investigation where a phone is found beside a body, or if you find a phone that was dropped at the scene of a kidnapping. That device may give you a lot of information to help you get a better glimpse of who your victim is.
Below, I’m looking at the source file. This shows me the literal file on the device from which the tool derives what it knows about RunKeeper.
What we need to do now is conduct a quick keyword search for RunKeeper and find the database file. These databases add so much value to your investigation.
If I click on RunKeeper, we find this amazing table that has glorious amounts of information called “points.”
Now, what we can see in the screenshot above is “time at point.” The tool is smart enough to convert this timestamp for us, so if we were investigating someone and we needed to know where they were on September 13, 2013, around 12:28 PM, we could see that they were at this latitude, this longitude, and this altitude at this time on this day.
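As an added example (not part of the original post and not Cellebrite’s or RunKeeper’s code), here is how an examiner can triage an unparsed app database by hand with Python’s built-in sqlite3 module: find tables that carry coordinates, convert the raw timestamps, and pull the rows around a time of interest. The `points` table layout, column names, and millisecond-epoch timestamp format below are constructed assumptions, not RunKeeper’s real schema.

```python
"""Triage an unparsed app database: locate location-bearing tables and
convert their timestamps. The schema and rows are constructed sample data."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "points" table the post describes
# (time at point, latitude, longitude, altitude). Column names and the
# millisecond-since-epoch format are assumptions, not RunKeeper's layout.
SAMPLE_SCHEMA = """
CREATE TABLE points (
    _id INTEGER PRIMARY KEY,
    time_at_point INTEGER,   -- ms since Unix epoch (assumed)
    latitude REAL, longitude REAL, altitude REAL);
CREATE TABLE settings (key TEXT, value TEXT);
"""
SAMPLE_ROWS = [
    (1, 1379075280000, 38.8977, -77.0365, 18.0),  # 2013-09-13 12:28:00 UTC
    (2, 1379075340000, 38.8980, -77.0370, 19.5),  # one minute later
    (3, 1379161800000, 38.9000, -77.0400, 20.0),  # the next day
]
LOCATION_HINTS = ("lat", "lon", "lng")

def load_sample():
    """Build the constructed database in memory (stands in for the extracted file)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO points VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def location_tables(conn):
    """Return table names whose columns look like coordinates."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    found = []
    for t in names:
        cols = [r[1].lower() for r in conn.execute(f'PRAGMA table_info("{t}")')]
        if any(h in c for c in cols for h in LOCATION_HINTS):
            found.append(t)
    return found

def ms_to_utc(ms):
    """Convert the assumed millisecond epoch value to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def points_near(conn, when_iso, window_minutes=5):
    """Rows from `points` within +/- window_minutes of an ISO-8601 UTC time."""
    when = datetime.fromisoformat(when_iso).replace(tzinfo=timezone.utc)
    lo = int((when - timedelta(minutes=window_minutes)).timestamp() * 1000)
    hi = int((when + timedelta(minutes=window_minutes)).timestamp() * 1000)
    rows = conn.execute("SELECT time_at_point, latitude, longitude, altitude "
                        "FROM points WHERE time_at_point BETWEEN ? AND ? "
                        "ORDER BY time_at_point", (lo, hi)).fetchall()
    return [(ms_to_utc(t).isoformat(), lat, lon, alt) for t, lat, lon, alt in rows]
```

On a real extraction, replace `load_sample()` with `sqlite3.connect()` on a copy of the recovered database and confirm the timestamp unit (seconds, milliseconds, or a platform epoch) against a known event before trusting the converted times.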
Apps can be hugely helpful in determining time and place during an investigation, so make sure you explore health data, exercise data, and weather apps. They are rich data sources when it comes to putting a device at a location and determining when something occurred.