How to Discover Artifacts in Cellebrite Physical Analyzer – Part 1
At Cellebrite, we want you to validate your data and know the source of the artifact. We try to remain honest and clear on what the results mean. As an examiner, you can leverage Cellebrite Physical Analyzer to review installed applications to identify applications of interest.
Once you identify an application of interest, you must verify the source. Go directly to that directory or database of interest and make sure Cellebrite Physical Analyzer is parsing everything that is available for that application of interest. Make sure you verify what you find in the database with the parsed chats, calls, contacts, and more.
When you want to uncover artifacts using Cellebrite Physical Analyzer (PA), or if you just want to ensure that the tool is parsing data correctly, the first thing I recommend you do is go straight to “Installed Applications.”
In the screenshot below, if we go under “Apps info,” and look at “Installed Applications,” we can see there are 398 apps listed; seven of which have been deleted.
As seen below, once I open “Installed Applications,” I usually sort by name and look at the total number of applications being parsed.
As you can see below, we have everything from Amazon mobile. The screen also shows that we have a little bit of malware and some specific calendar applications that may be of interest.
Facebook chat applications are another source of artifacts that we usually want to dig into.
Now that you’ve found an application of interest (Viber), the next thing you have to do is ensure that your tool is parsing it correctly. To do that, I recommend looking at the source files (below). We keep mentioning source files because it is so important that you know where that artifact is coming from.
In the example below, I’m going into Viber. What I want to do is verify the source, so I know where it’s coming from.
On the right-hand panel, we can see under the database that Viber data is parsing calls.
If we click on “Viber Messages” we can see (below) that Viber is parsing the participants table from the Viber messages database.
If you’ve heard me speak before, you know I always say, “Go validate your tool.” In the screen below I’m looking in Viber data. Here I can see the calls, and they look legitimate, so I’m satisfied with that.
Now, if I go back and click on “viber_messages,” it says it has parsed the participants. In the example below I can see there are two participants. However, you may notice there are 32 messages.
Most people will think this means PA is not parsing it. I would be lying if I told you I am not guilty of doing the same thing and wanting to point a finger. But before you do that, go back up to “Chats” and take a quick look to verify whether your tool actually parsed the messages or simply missed them. Here we can see that it did parse 29 messages, so we’re good.
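The check described above, comparing what the tool reports against what is actually in the source database, can be scripted so it is repeatable across many applications. The following is an added example, not Cellebrite’s code and not the real Viber schema: it builds a small constructed SQLite database (the table names `participants`, `messages` and `attachments` and their columns are assumptions), counts the rows in every user table, and compares those counts with a dictionary of the counts an examiner copied from the tool’s parsed views. Tables the tool never reported and tables whose counts differ are flagged so the examiner knows exactly where to go and validate by hand.

```python
"""
Added example (not Cellebrite's code): cross-check the record counts a forensic
tool reports for a chat application against the raw SQLite database it parsed.
The schema below is a constructed stand-in; real application schemas differ.
"""
import sqlite3
from typing import Dict, Optional, Tuple


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database: 2 participants, 32 messages, 2 attachments."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE participants (id INTEGER PRIMARY KEY, name TEXT)")
    cur.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, participant_id INTEGER, body TEXT)"
    )
    cur.execute(
        "CREATE TABLE attachments (id INTEGER PRIMARY KEY, message_id INTEGER, path TEXT)"
    )
    cur.executemany("INSERT INTO participants VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    cur.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [(i, 1 if i % 2 else 2, f"constructed message {i}") for i in range(1, 33)],
    )
    cur.executemany(
        "INSERT INTO attachments VALUES (?, ?, ?)",
        [(1, 3, "/media/img_001.jpg"), (2, 17, "/media/img_002.jpg")],
    )
    conn.commit()
    return conn


def db_table_counts(conn: sqlite3.Connection) -> Dict[str, int]:
    """Row count for every user table in the database (SQLite internals skipped)."""
    names = [
        row[0]
        for row in conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
        )
    ]
    counts = {}
    for name in names:
        # Table names come from sqlite_master, not from user input; quoting
        # them as identifiers keeps unusual names from breaking the query.
        counts[name] = conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
    return counts


def compare_with_tool(
    db_counts: Dict[str, int], tool_counts: Dict[str, int]
) -> Dict[str, Tuple[str, int, Optional[int]]]:
    """
    For each table in the database return (status, rows_in_db, rows_tool_reported).
    status is 'ok' when the numbers agree, 'mismatch' when they differ and
    'not_reported' when the tool shows nothing for that table at all.
    """
    report = {}
    for table, in_db in db_counts.items():
        reported = tool_counts.get(table)
        if reported is None:
            report[table] = ("not_reported", in_db, None)
        elif reported == in_db:
            report[table] = ("ok", in_db, reported)
        else:
            report[table] = ("mismatch", in_db, reported)
    return report


if __name__ == "__main__":
    db = build_sample_db()
    # Counts an examiner would copy from the tool's parsed views (constructed).
    parsed_by_tool = {"participants": 2, "messages": 29}
    for table, (status, in_db, reported) in compare_with_tool(
        db_table_counts(db), parsed_by_tool
    ).items():
        print(f"{table:12s} db={in_db:3d} tool={reported!s:>4s} -> {status}")
```

A `mismatch` is not proof that the tool failed; as the post shows, the parsed chat view may legitimately differ from a raw row count. It is the cue to open the database and reconcile the difference record by record, and a `not_reported` table is the cue to ask whether the tool supports that part of the application at all.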
In Part 2 of this series, we’ll dig a little bit deeper into chat applications.
And this leads into the second part of the series, where we ask the question, “Is your tool getting all the data related to chat applications?”