How to View Chat Conversations in Cellebrite Physical Analyzer
In previous blogs, we’ve covered a number of exciting ways that Cellebrite Physical Analyzer can help examiners discover a wealth of information easily.
In this blog, we’re going to focus on “chat conversations,” and look at how the type of view you have can make a world of difference during investigations.
In the video below, I’ll show you how to:
- Change the message thread view.
- Determine whether a message was sent from a PC or mobile device.
- Understand why this matters in some investigations.
We will dive into how Cellebrite Physical Analyzer (PA) provides information regarding the participants and attachments for each chat so that examiners don’t have to waste time following the trail of the evidence.
We’ll also cover duplicate data, which can be confusing, and show you the capabilities built into PA to deduplicate the data and show you what you need. These options can be changed and are under your control.
Our goal is to make viewing chats easier to enable you to quickly determine the relevance of the information to your investigation. Let’s get started.
In Cellebrite Physical Analyzer, you have several options for viewing data on conversations within chat applications. As this is commonly one of the key aspects of an investigation, I’m going to show you different views and the easiest ways to access them. I will also highlight some features you may not be aware of.
Under “Chats” (below), I’m going to start with WhatsApp.
In this WhatsApp example, we’re going to see that we have what looks like just three conversations. However, these are three conversations that may have many message threads within them.
If you like the table view, you can simply stay here and examine the data this way, but I think it’s easier if you double-click on a message of interest, which will take you to a nice “Conversation View.”
In “Conversation View,” you will see what’s being said, exactly how the user would see it on their device. More importantly, if you hover above the phone icon, PA will tell you if this WhatsApp message occurred from a desktop version of WhatsApp or a mobile device.
Why Does This Matter?
I have WhatsApp on my PC and on my mobile device. If I send a message, knowing which of the two it came from puts me in a place, behind a specific device, which may impact your investigation.
You’ll also see the little “Participant” icons.
If you click on one, it will tell you the participant’s name, the date and time the message was delivered, and whether it was read. If there’s an application user ID, that information will also be included.
Here’s another interesting feature. If you open Instagram and there are attachments included there, you will see something called “File attachments” in the right-hand pane, right next to “Details.” PA pulls those out and shows them to you.
If we go back into WhatsApp and there are file attachments there, PA will show you the graphics and the full path to where those graphics exist so you can dive deeper if needed.
One final thing I want to cover is deduplication of data. If you look on the right-hand side, you’ll see it says, “Duplicate Chats.”
This means PA will show you any duplicate content and whether the duplicate content is from two locations or two sources. At Cellebrite, we’re trying to make discovering data easier by paring down this kind of information.
If you prefer a different view, you can always use the “Filter” and choose “All” (chats), “Only deduplications,” “Only non-deduplications,” or “Only items with additional information.” The views are totally in your control, so you just have to decide what makes the most sense for you to move forward.