How to Use the Snapchat Features Built Into the New Version of Physical Analyzer
In this episode, I want to share some features we built into Physical Analyzer version 7.57 to provide additional parsing on Snapchat for iOS and Android.
You will see entries without attachments, which means that the Snapchat content was not stored on the device during the extraction, so keep that in mind. You will see a Snapchat link to locations, where the snap was taken with a timestamp, memories, my iOS only, and so on.
When I zoom in up top you’re going to see under Analyzed Data that there are many places that you can look for information. So, I type snap, and the reason I’m recommending this is that we may change locations where data models are being stored.
So the easiest way to find it all is going to be listed here. We see Snapchat contacts under Locations. We have different locations and you can see that there was a photo and we can see the Owner of the photo, the Date Uploaded, the Last Modified date, and the Participants.
If you right-click, you can always retrieve the address if you’re trying to find that information. Under messages, you can go through and review them.
Remember if there is no attachment linked to it, it’s because it was not stored on the device at the time of acquisition. But if the attachments were stored there, you would see them.
Under Upload, you can also see that we have snaps that were shared and as we scroll down, we have more information, with pictures of air tags and so on.
Make sure you filter for information. Filter on snap so that you don’t overlook a location where additional evidence may be located.
Watch the full episode to learn more.