Properly loading evidence into Cellebrite Physical Analyzer (PA) is the first step many of us take at the outset of an examination. Recently, PA has undergone an upgrade, so while the “Case Wizard” used for loading data may look slightly different, it’s the same great tool we’ve been using for years. Our capabilities are increasing and the user interface (UI) in PA is advancing as well.

This blog (and the accompanying video) will cover loading all data sets, including warrant returns, cloud data, GrayKey images, backups, Google Takeout, and other images, via our “Open (Advanced)” feature. Customizations can be made to the chains and plugins when “Open (Advanced)” is used, which allows the examiner to take control of the data before it even parses. Let’s get started.

To open a case in PA, go to file -> open case, just like you’ve always done in the past.

The first thing you’ll notice is that the interface here looks a little bit different. Simply select “Add.” If you have a UFDX or a UFD file, just select “load extraction” and your image will load.

If you want to load a warrant return or cloud data, you can select “Warrant returns” then scroll down to the service provider of interest such as Snapchat or Google.

The service provider file I’ve chosen in this example is Google. I’m going to choose “Zip Archive.”

From here, simply navigate out to where you want to save the data.

If you have a GrayKey image, simply load GrayKey and point it to the file of interest. We’ll talk about “Open (Advanced)” shortly, but before we do, under “Common source,” you’ll find access to “Backup,” which covers Android and iTunes.

To open a Backup, you’ll be prompted for the passwords needed to access the data, just like you’ve always been. PA also supports “Google Takeout,” so if someone pulls their own Google cloud data, or if that’s the only way you have of extracting it, PA will parse it for you.

If you have an SD card, select “Storage device.” “Drones” and “Android emulator” are also located here.

Under “Open (Advanced),” things get really interesting. Here you can select your UFED extraction, or you can go through the process like you always have by selecting “Open Device” or “Open (Advanced)” itself.

In the panel’s top-right corner (shown above), you can actually customize a chain.

For example, anytime I have a Samsung Galaxy S8, I always want to make sure these specific plugins run every time. I can check that here. This is a great way to control an environment when you’re working with less experienced examiners and you want to control every single thing that is run across the board.
