How to Discover Artifacts in Cellebrite Physical Analyzer – Part 2
Chat applications are used by almost every person who owns a mobile device, and secure chat applications are among the most popular. How much chat data you recover depends on what your extraction contains and how far you dig during analysis.
When you are examining a chat application, the “conversation view” can be extremely useful for giving the communication context and impact. I find this is much more helpful than a line-by-line view. Knowing how to add this data to your report is important.
If you need to dig deeper to surface an unparsed chat application, run the Fuzzy Model plug-in and App Genie to highlight applications that require further examination on your part.
In this series, a simple gaming application is used to show how conversations can be recovered easily in unparsed application data by using the features built into Cellebrite Physical Analyzer (PA).
In Part 1 of this series, we covered installed applications and began to look at “chats.” In this blog, we’ll dig a little bit deeper into chat applications.
I honestly don’t know anyone who doesn’t chat on their mobile device, which means valuable evidence can be gleaned from chat histories if we know where to look.
So, let’s begin our search by going straight into “Chats.”
In the screenshot below, we can immediately see everything from Facebook to Snapchat, Tango, Viber, and many other chat applications of interest.
Again, what I recommend is that you select a chat app. In the example below I have chosen “Kik Messenger.”
I want to verify my sources again, so below we can see that the Kik database has been parsed. We can also see the tables being parsed, as well as a preference file.
You may find that switching to “Conversation View” (below) is helpful.
If you provide a spreadsheet of 30,000 text messages with conversations going back and forth, it may not be easy for investigators, prosecutors, or juries to actually identify the importance of the data. However, if you are able to show a “Conversation View,” exactly as the user would have seen it on their device, that’s powerful. Such an example is going to speak volumes and possibly add all the context you need to prove your case.
One of the nice features PA offers is that you can export these views straight from PA to your report. I strongly recommend putting data in your report this way.
Now, if you believe there’s more information and you’re just not seeing it, go to the menu item labeled “Tools.” PA has a feature (shown in the screenshot below) called “Run fuzzy model plugin.”
Fuzzy Model scans the entire extraction for any other databases that contain application data such as contacts, call logs, chat messages, and location data. The results appear in alphabetical order in the left-hand tree. In the example below, we can see we have “Fuzzy Events” and “Fuzzy Objects.” Don’t forget to also run App Genie, which may recover additional information for selected applications.
When you find one of these that’s of interest to you, simply click on it to see anything in that database that may be of value. In the screenshot below for example, “WordsFramework” reveals “Words With Friends.”
Most investigators overlook simple gaming applications as sources for chats. However, most people like to talk while they’re gaming. So, below we can see we have 19 chat messages in “Words With Friends.” We also have all the users (18) that played it.
People commonly reuse usernames across apps. So, I am Hmihalik11 on a lot of these gaming apps. When you find that this is the case in one of your investigations, that username should become a new keyword for you to search using the skills you have previously learned.
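The two manual steps described above, finding databases that hold message-like tables the way Fuzzy Model does, and then searching every database for a reused username, can be reproduced outside PA when you want to double-check what the tool surfaced. The script below is an added example written for this post; it is not Cellebrite code and does not reflect how Fuzzy Model actually works internally. The column-name heuristics, the directory names, the "WordsFramework.sqlite" and "prefs.db" files and all of their rows are constructed sample data standing in for an extracted file system, not real evidence. Databases are opened read-only so the example never modifies what it examines.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Every SQLite 3 file starts with this 16-byte header, whatever its extension.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Heuristic column-name fragments chosen for this example (not Cellebrite's rules):
# a table with a "body-like" column and a "sender/time-like" column is treated as a chat store.
BODY_HINTS = ("body", "text", "message", "content", "msg")
META_HINTS = ("sender", "from", "author", "user", "timestamp", "date", "time", "created")


def find_sqlite_files(root):
    """Walk an extracted file system and return every file carrying the SQLite header."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(16) == SQLITE_MAGIC:
                        found.append(path)
            except OSError:
                continue
    return sorted(found)


def _open_readonly(db_path):
    # mode=ro keeps the examiner from accidentally writing to the evidence copy.
    return sqlite3.connect(Path(db_path).as_uri() + "?mode=ro", uri=True)


def _tables(conn):
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]


def _columns(conn, table):
    return [row[1].lower() for row in conn.execute(f'PRAGMA table_info("{table}")')]


def chat_like_tables(db_path):
    """Return (table, columns) pairs for tables that look like a message store."""
    hits = []
    conn = _open_readonly(db_path)
    try:
        for table in _tables(conn):
            cols = _columns(conn, table)
            has_body = any(h in c for c in cols for h in BODY_HINTS)
            has_meta = any(h in c for c in cols for h in META_HINTS)
            if has_body and has_meta:
                hits.append((table, cols))
    finally:
        conn.close()
    return hits


def keyword_hits(db_path, keyword):
    """Case-insensitive search for a keyword (e.g. a reused username) across every
    column of every table. Returns (table, column, value) tuples."""
    needle = keyword.lower()
    hits = []
    conn = _open_readonly(db_path)
    try:
        for table in _tables(conn):
            for col in _columns(conn, table):
                for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'):
                    if isinstance(value, bytes):
                        value = value.decode("utf-8", "ignore")
                    if isinstance(value, str) and needle in value.lower():
                        hits.append((table, col, value))
    finally:
        conn.close()
    return hits


def triage(root, keyword):
    """Run both checks over every database under root."""
    report = {"databases": [], "chat_tables": {}, "keyword_hits": {}}
    for db in find_sqlite_files(root):
        report["databases"].append(db)
        tables = chat_like_tables(db)
        if tables:
            report["chat_tables"][db] = tables
        hits = keyword_hits(db, keyword)
        if hits:
            report["keyword_hits"][db] = hits
    return report


def build_sample_extraction(root):
    """Constructed sample data imitating an extracted app sandbox (hypothetical paths, not real evidence)."""
    game_dir = os.path.join(root, "Applications", "WordsWithFriends", "Documents")
    os.makedirs(game_dir)
    conn = sqlite3.connect(os.path.join(game_dir, "WordsFramework.sqlite"))
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE chat_messages(id INTEGER PRIMARY KEY, game_id INTEGER,
                                   from_user TEXT, created_at INTEGER, body TEXT);
        CREATE TABLE scores(game_id INTEGER, points INTEGER);
        INSERT INTO users VALUES (1, 'Hmihalik11'), (2, 'player_b');
        INSERT INTO chat_messages VALUES
            (1, 7, 'Hmihalik11', 1600000000, 'nice word'),
            (2, 7, 'player_b',   1600000060, 'meet me at the usual place'),
            (3, 7, 'Hmihalik11', 1600000120, 'ok');
    """)
    conn.commit()
    conn.close()
    # A second database with no message-like table: the username still turns up in it.
    notes_dir = os.path.join(root, "Applications", "Notes")
    os.makedirs(notes_dir)
    conn = sqlite3.connect(os.path.join(notes_dir, "prefs.db"))
    conn.executescript("CREATE TABLE settings(key TEXT, value TEXT);"
                       "INSERT INTO settings VALUES ('owner', 'Hmihalik11');")
    conn.commit()
    conn.close()
    # A non-database file that the header check must skip.
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("not a database")


def demo_triage(keyword="Hmihalik11"):
    """Build the sample extraction in a temp directory and triage it; paths are returned relative to it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_extraction(root)
        report = triage(root, keyword)
        rel = lambda p: os.path.relpath(p, root)
        return {
            "databases": [rel(p) for p in report["databases"]],
            "chat_tables": {rel(p): t for p, t in report["chat_tables"].items()},
            "keyword_hits": {rel(p): h for p, h in report["keyword_hits"].items()},
        }


if __name__ == "__main__":
    for section, content in demo_triage().items():
        print(section, content)
```

The header check matters more than it looks: app databases are frequently stored without a `.db` or `.sqlite` extension, so filtering by name alone misses exactly the unparsed stores this post is about. Against a real extraction you would point `triage()` at the mounted file-system dump and pass the reused username as the keyword; expect the keyword to surface in tables the chat heuristic rejected, such as the settings table here, which is why both passes are worth running.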
In Part 3 of this series, we’ll focus on browser data.