In the two previous blogs in this series on Cellebrite Physical Analyzer (PA), we talked about how to use the new App Genie, a research engine that surfaces data from third-party apps based on sophisticated heuristics, and about how the Cellebrite research team invested time to develop the application parsers with internal logic to remove false positives.

In the video below, I’m going to focus on how Cellebrite has substantially advanced the support of application parsing in the latest release of Cellebrite Physical Analyzer (PA) with Application Insights.

The goal of this feature is to arm examiners with the knowledge they need to better understand the applications found on a mobile device. Application Insights sorts the applications installed on the device (even those that are not parsed) into categories such as “Social networking,” “Developer tools,” “Chat applications,” “Lifestyle,” “Hide files or pictures,” and many more. You will also see categories highlighting evidence destruction and private browsing.

The best part is that PA conveniently highlights up front what has been parsed by the tool and what remains, to save you precious time. Any remaining apps can be parsed further using the new App Genie or by running the SQLite Wizard.

One of my favorite features in the latest version of PA is the ‘i’ next to each application. This ‘i’ provides information about the app and what it was designed to do, which is often required for apps we haven’t worked with before. Here’s how it works.

The easiest way to get to Application Insights is on the right-hand side of your screen where it says, “Insights Installed from Apps.”

The other way to do it is simply to go to, “Applications” in the tree pane and select “Installed Applications” (below).

Once here, you have two views. You can either choose to see “Insights” with graphics (below)…

…or you can choose the “Table View,” (below), which many are used to working with. Either way, the information is going to be exactly the same.

When you arrive here, you will see different categories to choose from—“Lifestyle,” “Chat applications,” “Social networking,” “Music”—depending on what you’re looking for.

To illustrate what things are included here, I’m going to first choose Insights, then I’m going to select Social networking, which is a very popular topic for most of us who work these types of cases.

One thing unique about Cellebrite tools is that they tell you exactly what they’re capable of doing immediately. In this example, when we look at Social networking, we see “15 of 31 apps decoded by Cellebrite.”

This means that, as of today, Cellebrite supports 15 of those applications. It also means that Cellebrite is chasing down updates for these applications every day. Those of us who do DFIR know that these apps change frequently, so knowing that Cellebrite is always up to speed on the latest changes ensures you’re getting the best information possible.

If there’s an app that you care about that is not supported, such as Discord in this example, you can run our App Genie or our SQLite Wizard. These two features are built in and designed to dig a little deeper into the application to recover contacts, chats, user information, and other items of interest.
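To make the triage logic behind the category view and the “15 of 31 apps decoded” count concrete, here is an added example in Python. It is not Cellebrite code and does not reproduce PA’s category assignments or parser coverage: the package list, the category map and the set of “decoded” packages are all constructed sample data (Discord is named as unsupported only because the post uses it that way). The script groups an installed-apps list by category, reports how many apps in each category a parser covers, lists the remainder as candidates for App Genie or the SQLite Wizard, and surfaces the evidence-destruction, private-browsing and hide-files categories first.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data (hypothetical package names and a made-up coverage set;
# this is NOT Cellebrite's category map or real parser support).
INSTALLED_APPS = [
    "com.example.socialone",      # social networking
    "com.example.socialtwo",      # social networking
    "com.discord",                # social networking; unsupported in the post's example
    "com.example.securechat",     # chat
    "com.example.chatlite",       # chat
    "com.example.vault",          # hide files or pictures
    "com.example.privbrowser",    # private browsing
    "com.example.wiper",          # evidence destruction
    "com.example.musicplayer",    # music
    "com.example.unknownutil",    # not in the category map
    "com.example.socialone",      # duplicate record, e.g. merged from two package lists
]

CATEGORY_BY_PACKAGE = {
    "com.example.socialone": "Social networking",
    "com.example.socialtwo": "Social networking",
    "com.discord": "Social networking",
    "com.example.securechat": "Chat applications",
    "com.example.chatlite": "Chat applications",
    "com.example.vault": "Hide files or pictures",
    "com.example.privbrowser": "Private browsing",
    "com.example.wiper": "Evidence destruction",
    "com.example.musicplayer": "Music",
}

# Hypothetical set of packages a parser can decode.
DECODED_PACKAGES = {
    "com.example.socialone",
    "com.example.socialtwo",
    "com.example.securechat",
    "com.example.musicplayer",
}

# Categories worth surfacing first regardless of parser coverage.
HIGH_INTEREST = {"Evidence destruction", "Private browsing", "Hide files or pictures"}


@dataclass
class CategorySummary:
    decoded: list = field(default_factory=list)
    remaining: list = field(default_factory=list)

    def label(self) -> str:
        """The 'N of M apps decoded' string shown per category."""
        total = len(self.decoded) + len(self.remaining)
        return f"{len(self.decoded)} of {total} apps decoded"


def categorize(installed, category_map=CATEGORY_BY_PACKAGE, decoded=DECODED_PACKAGES):
    """Group unique packages by category and split each into decoded / remaining."""
    summary = defaultdict(CategorySummary)
    for pkg in sorted(set(installed)):          # set() drops duplicate records
        cat = category_map.get(pkg, "Uncategorized")
        bucket = summary[cat].decoded if pkg in decoded else summary[cat].remaining
        bucket.append(pkg)
    return dict(summary)


def remaining_apps(summary):
    """Packages no parser covers: candidates for App Genie or the SQLite Wizard."""
    return sorted(pkg for s in summary.values() for pkg in s.remaining)


def high_interest(summary):
    """Apps in the categories an examiner usually wants to look at first."""
    return {cat: s.decoded + s.remaining
            for cat, s in sorted(summary.items()) if cat in HIGH_INTEREST}


def report(summary):
    """Plain-text version of the category view, flagging high-interest categories."""
    lines = []
    for cat, s in sorted(summary.items()):
        flag = " [!]" if cat in HIGH_INTEREST else ""
        lines.append(f"{cat}{flag}: {s.label()}")
        for pkg in s.remaining:
            lines.append(f"  not decoded: {pkg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(categorize(INSTALLED_APPS)))
```

In practice the installed-apps list would come from the extraction (package manager records or the app list PA already exposes) and the category map from a maintained reference, but the shape of the triage is the same: count coverage per category, and treat every uncovered package as work for a secondary parser rather than as something to ignore.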

One thing I find extremely helpful, because I spent a lot of time researching it myself in the past: if you simply click on the “i” next to the application of interest, you get essentially what you would otherwise have to Google.

You can do this right there in your tool, without touching the Internet, on an air-gapped network, and we tell you, “Welcome to Discord, this is the best application to do X, Y, and Z.”

Getting started is always the hardest part of any investigation. The new Application Insights dashboard widget will provide you with a high-level overview of the applications installed on the extracted device by category, making it an ideal starting point to kick off examinations. By focusing your examination efforts upfront, you’ll save time and optimize your examination process downstream.

Learn more about this latest version of Cellebrite Physical Analyzer with Application Insights here.
