How to Do Quick-and-Easy Redactions in Cellebrite Physical Analyzer
A hot topic these days is how to quickly redact items from a phone-extraction report. This is relevant in eDiscovery cases and seems to be surfacing more than before. Recently, one of our customers was provided a list of terms and names to be redacted from the report but didn’t know where to begin. We get this question frequently enough that we thought this would be a good time to share the easiest and quickest way to do redactions on phone extractions.
The first step you need to take is to create a word list in Cellebrite Physical Analyzer (PA) that contains the words you don’t want to see. I know this sounds backwards but stick with me and we’ll get to where we need to be.
Don’t let the screenshot above confuse you! It’s a preview of what’s to come in the next PA update, but the menu is the same in earlier versions of PA that many of you are familiar with.
After you select “Watch list editor,” create a new watch list. In this example, I’m choosing to eliminate all references to two members of Cellebrite’s Solutions Engineering team, Paul Lorentz and Ronen Engler.
For test purposes, I tried a couple of different entries (this will prove important later), but for now, let’s continue. You’ll note I also added a phone number and a partial phone number.
Once your watch list is built, you’ll need to run it against the extraction where you expect to find the information (see screenshot below).
Now, go check the project tree, or, if you’re cool like me and updated to 7.33 already, the “Insights” tab.
The list above is what success looks like. This is also a good time to discuss how you format words and phone numbers in your watch list. We’ll start with the phone number.
Because phones store numbers in different formats, (000)000-0000 or 000000000 or some variant thereof, I generally shy away from searching for an entire number regardless of whether I’m doing a watch list or a project search.
In my experience, searching for the last four digits of the phone number is sufficient in most cases. This proved to be true here in my experiment. You’ll recall that in the watch list above, I put the entire phone number in one entry and the partial number in the other. The partial phone number found and highlighted more instances of the phone number I was targeting than the full number did. Keep this in mind when you are doing your own searches.
OK, that’s great, but how do we redact? This is the “quick-and-easy” part. Below is a snippet of my results.
I’m going to deselect all of the results from the watch list view.
And that’s it. Seriously, that’s all it takes. Let’s validate this by examining the Calendar view.
In the view above, every deselected item represents the watch list hits for Calendar entries that you did not want to include. (How about that timeline graph up top, eh?)
From here, it’s a matter of generating a report with selected items only and you’re good to go. For this example, I generated a UFED Reader report and I left all the defaults in place. Once opened in UFED Reader, I conducted a simple keyword search to ensure the data has been redacted. As you can see, all references to “Paul Lorentz” are now gone, and I promise, all the others are gone as well (I checked!).
One thing to note: when you’re searching word lists, be as granular as you can be without accidentally eliminating anything you may want. Notice my earlier word list (below).
“Paul Lorentz” took out all references to, well, Paul Lorentz. “Paul” took out all the Pauls. This is where you must be careful, because there were other “Pauls” on my phone that I had no need to eliminate, and they were taken out as well. So, when it comes to names (or anything else for that matter), if your search is too broad, you may lose valuable information. If it’s too narrow, you may miss something. We recommend using a test dataset to practice. This way you know your methods are working.
However, if you know there is something in your report that needs to be redacted (protected legal communication, for instance), a watch list may be the quick-and-easy solution for getting rid of that data without having to go into each tab and individually select items.
As always, best practices include validating your hits before redacting to ensure you don’t over-include and omit something of relevance.
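The following Python script is an added example, not Cellebrite code and not part of Physical Analyzer. It runs candidate watch lists against a small test dataset and reports, per term, which records are hit, which hits are over-matches, and which records that must be redacted were missed. It assumes plain case-insensitive substring matching, which may differ from how PA matches; the records, the phone number and the `MUST_REDACT` set are constructed for illustration.

```python
import re

# Constructed test records (id, text); not taken from a real extraction.
RECORDS = [
    (1, "Missed call from (202) 555-0147"),
    (2, "SMS to +1 202-555-0147: running late"),
    (3, "Contact: Paul Lorentz, 2025550147"),
    (4, "Lunch with Paul Smith on Friday"),
    (5, "Calendar: sync with Ronen Engler"),
    (6, "Order #90147 shipped"),
]
# Records the reviewer has decided must be redacted (ground truth for the test set).
MUST_REDACT = {1, 2, 3, 5}

def hits(term, records=RECORDS):
    """IDs of records containing term. Assumed model: case-insensitive substring."""
    needle = term.lower()
    return {rid for rid, text in records if needle in text.lower()}

def digit_hits(number, records=RECORDS):
    """Format-insensitive check: compare digits only, ignoring (), -, + and spaces."""
    want = re.sub(r"\D", "", number)
    return {rid for rid, text in records if want in re.sub(r"\D", "", text)}

def review(watch_list, must_redact=MUST_REDACT, records=RECORDS):
    """Per term: hits and over-matches; plus records that no term caught."""
    report, covered = {}, set()
    for term in watch_list:
        found = hits(term, records)
        covered |= found
        report[term] = {"hits": sorted(found), "over": sorted(found - must_redact)}
    return report, sorted(must_redact - covered)

if __name__ == "__main__":
    # Full number vs. last four digits, and "Paul Lorentz" vs. the broader "Paul".
    for wl in (["Paul Lorentz", "Ronen Engler", "2025550147"],
               ["Paul Lorentz", "Ronen Engler", "0147"],
               ["Paul", "Ronen Engler", "0147"]):
        report, missed = review(wl)
        print(wl)
        for term, r in report.items():
            print(f"  {term!r}: hits={r['hits']} over-matched={r['over']}")
        print(f"  missed: {missed}")
```

In this constructed data the full number misses the two formatted variants, the last four digits catch all three but also hit an unrelated order number, and “Paul” pulls in an unrelated Paul, which is why each hit still needs to be validated before deselecting.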