How to Use The Portable Case Function in Cellebrite Inspector
The need to share information during an investigation with another investigator, co-worker, or an attorney is a common occurrence. Portable Case is an option that allows you to take what you are working on—items that you keyword-searched, tagged as evidence or information that may be important for someone’s review, and share it easily. You can do this with a full license of Cellebrite Inspector.
For this to work, you have to click on the “Share” button up at the top of the interface.
Figure 1. Share Button in Inspector
When you click “Share,” it’s going to open – Portable Case.
To demonstrate how this works, I ran keyword searches in advance and I also tagged items of interest. I tagged items of pictures of cars. Now, if you are working a sensitive case, or in a situation where you want to censor photos, you can do that as well.
So, you can include them but censor them at the same time so that someone may see the metadata that includes the creation times and the details of the data but not the actual content. Think of child exploitation cases where this functionality may be relevant to the case.
Once you click on Share you are going to see options for what you want to include. (You can see everything with all the icons across the top.) All of those categories are going to be listed on the left.
Figure 2. Categories to choose from
If you check them all, then you will have all of those icons in your Portable Case. Let’s say that I don’t include Media or Communication, when I create that Portable Case, you won’t see those icons because it will not contain those files of interest.
You can expand each item. For example, everything you see in the actionable intel segment will be available for you. It’s entirely up to you if you want to include them or not. Make sure you don’t exclude things that are important to your investigation. So, take the time to go through each of these items.
If you have created “tags,” you will see them listed in the middle pane. in the example below, you can see that I have created 13 evidence tags.
Figure 3. Evidence Tags
All tags are included and I have also selected to export the files. This ensures that all of the relevant graphics in formats such as JPEG will be pulled out. And finally, if you run keyword searches, you can include each of the searches and export all of the files.
Figure 4. Keyword Searches
Simply select “Generate Portable Case,” and your case will start processing.
Figure 5. Generate Portable Case
If you want to limit extraction data based on date range, you can do that at the bottom of the interface.
Figure 6. Limit Extracted Data to date range
Just click on the calendars and choose date timestamps. You can include a Portable Case reader for Windows and Mac. This is especially useful as you may not know the computer platform other investigators will be using.
I ran a Portable Case in advance, so I’m going to open it and show you what it looks like and point out some differences as it is very important that you understand what you are actually seeing.
If you look closely at the icons in my Portable Case example, you will notice that I am missing Communication, Productivity, System, and Plugins.
Figure 7. Portable Case Example Categories Exported
The categories featured in my report are the result of what I had previously selected to be included or excluded.
You can also see under the Internet category that I only chose Downloads.
Figure 8. Internet Category: Downloads
If you go back to the source case file, under Internet, you will see more information than what is contained only under Downloads such as History, Cookies, Caches, and more. So, what you select is what the end-user is going to receive. Keep this in mind and make sure that you understand what a Portable Case is and how it exports based upon your selections. If it is something sensitive in nature, make sure that you censor the photos.
I recommend that you play around and test the Portable Case functionality to find out how you can leverage it to solve your cases faster and more efficiently. At the end of the day, this is an optimal way for several stakeholders to view the case data if you don’t have a full license of Cellebrite Inspector.