In this week’s Tip Tuesday, we show you how you can parse a specific application in Physical Analyzer and narrow down your search.

The first step is to follow the source file out to the file system and then exporting out the entire directory.

Next, you need to rebuild that directory.

Put it in file data -> data -> com.whatsapp as if it’s a generic Android device. Then proceed to right-click on the topmost ‘data’ file and zip it up.

Next, you need to add it to Physical Analyzer. Do so by:

going to File -> Open Case -> Add -> Open Advanced -> Select a Device.

From there, type ‘generic’ into the search bar and choose Android generic, and then next.

Select ‘ADB’, and point it to the zipped-up data.zip file. Click next and examine the data.

Physical Analyzer will quickly parse just that application. Now you can see specific calls with WhatsApp contacts, media messages, user accounts, and all the information you need.

Clicking on those files isolates the application specific to what you are looking for. This process can be done with any application

For iOS, rebuild private VAR mobile and where the application data would be.

Share this post
Digital Forensics Tools: Accessing the Cellebrite Notebook View Now