If you’re working an investigation in Cellebrite Physical Analyzer (PA) and you’re not sure where some of the parsed data may be located, here are some tips to help find it.

In Physical Analyzer, the “Project Tree” is on the left side of the screen. Within the “Analyzed Data” tab of the Project Tree are all of the categories of data that were parsed out by Physical Analyzer. It is the same data you can get to from the extraction summary, but with the Project Tree you can drill down to something more specific so you don’t have to look at too much data at once.

For example, if it is a Bluetooth-related investigation, you’ll find Bluetooth under the “Devices & Networks” tab under Analyzed Data in the Project Tree. I don’t want to look at all 2822 items in Devices & Networks. Tap the down arrow just to the left of Devices & Networks to expand the view so you can see the multiple categories underneath: cell towers, device connectivity, device events, and wireless networks.

If I expand “Device Connectivity,” I can access Bluetooth. By opening the Bluetooth tab, you can see I now have 124 results instead of almost 3000.

Utilizing the Project Tree to quickly get down to the specific data you’re looking for will save you from having to scroll through thousands of different events.

You can do similar things with other areas of Analyzed Data, such as “Messages.” Messages will show you all of the messages or message threads that are on that particular device. If you expand Messages, you can then explore “Chats,” “Emails,” and “Instant Messages.”

We can continue to drill down from here. If we open up Chats, we can see that there are multiple applications that are being used for chats here: Facebook Messenger, Instagram, Kik Messenger, etc.

From here we can actually get more granular. If we expand Facebook Messenger, we can see that it takes us to an actual Facebook Messenger account. If there were more than one Facebook account used on this device, you’d be able to choose which account to look at here.

Instead of having to scroll through data that may not be relevant to you and may be outside of the search authority for your particular case, you can really get granular and make sure that you’re quickly getting to the information that you need.

Anytime you see that arrow on the Project Tree, that means that you can expand that category.

Here are a few other things you can do if you want to get through the data faster:

  1. Expand All: At the top of the Project Tree, the three dots let you choose to expand the entire list. Now you can go down and see every subcategory available and get very specific with your searches.

  2. Search Bar: If there is a particular account or a particular data model you’re looking for, you can just type it in up top and search. Also, if you forget where a data model is located, you can search for it and PA will filter it down to the specific model and eliminate all the extra data.

Make sure you’re making good use of the Project Tree’s ability to filter and expand on the categories to get down to the specific data that you need to find.
