Cellebrite Inspector provides advanced filtering capabilities that make examinations easier and save you time. In this video, we will you walk through examples of how to leverage the filters in Inspector. We will also explain the differences between a “filter” and a “group filter,” and show you how to filter down even further once a filter is in place.

Examples and explanations are provided to ensure you understand the capability. You want to make sure you don’t over-filter and miss something. The details are in this video and the capability is in Cellebrite Inspector.

To take advantage of this feature in Inspector, go to “File Filter” in the main toolbar. From here, you have many options available to you including listing every file that’s available, not only in the partition or the image you have but also in Volume Shadow Copies. You can sort by name, path, size, owner, hash sets (which is really important in a lot of investigations), locked files, hidden files, and more. All these things can be included and filtered down in your investigation.

For example, start with “Extension,” then choose “Doc.” Keep in mind that there are many variations— Doc x, Doc, HK Doc, MK Doc—and all of those options will be included. Click “Extension: Contains: doc” then choose “Filter.”

You also have the choice to say what you want to filter. You can deselect some of the Volume Shadow Copies on the left-hand side or you can choose just to look at “Active Partition.” Selecting “Filter” will show you only those.

From here, you can also add another condition. For example, if I would like to include anything with the word “com”, choose “Name.”

By selecting “Name: contains:” then typing in “com” you’ll see that computer, compensation, and anything with the word “com” will be included.

Remember that you can also always click the “X” on the far right to remove a filter. If you want to filter again, just click “Filter” and it will take you back to the initial filter.

To add a group, you can choose from the subset of “only show me: X” and type in whatever you’re searching for. From here, you can add another extension, click filter, and see how it has been narrowed down.

Anytime you want to add something in, on the left-hand side, you have to click “filter” again as it will only show you what it initially knew and it will forget until you click “filter” again.

You know you’ve done it correctly when you see “1,” which is the “BOOTCAMP (Active)” partition, and “8,” which is your last Volume Shadow Copy.

Filtering saves you a lot of time if you learn how to properly how to use it. Play around with it and try using it with some test data. Make sure that you don’t over-filter to the point of missing evidence, but that you properly learn how to do this in order to save time and find evidence faster than ever before.

Share this post