Cellebrite Physical Analyzer (PA) includes a number of key features that can simplify the investigation process and make examinations easier.

Features like “Source” can aid you in understanding where an artifact exists and on which digital media platform you can find it. With this information you can quickly verify any finding or follow a trail to dig deeper for evidence.

The “Go to” feature lets you hop right to the file of interest or directly into the “Timeline” in Cellebrite Physical Analyzer, while the “Screen Recorder” lets you record the examination in progress.

This series of blogs and videos will walk you through some of PA’s key features, including methods for making your reports more inclusive of the artifacts that matter.

You should always verify the source for an artifact that you’re going to include in your forensic report, so let’s begin our look into PA with the “Source” function.

Below, I’m looking at “Chats.” To illustrate how “Source” works, let’s say that I needed to include a chat message in my investigation or in my report.

Below, you will see that this is being pulled from the SMS database and our table of interest is “Chat.”

So, not only does “Source” tell you the database of interest, it tells you exactly which table to go to. Once you’re in that table, you have several options. You can launch the “Database Viewer,” which will carve for deleted artifacts.

You can launch the “SQLite Wizard,” which will enable you to write your own queries and parse additional information.

You can also just tag or go into a “Hex View” and report directly from this view.
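Checking a parsed chat against the table that “Source” names can also be done outside the tool. The following is an added example, not part of the original post and not Cellebrite code: it opens a working copy of the database read-only, confirms the table and row exist, and hashes the file before and after. The `Chat` table's columns, the sample rows and the function names are constructed for illustration.

```python
import hashlib
import os
import sqlite3
import tempfile

def sha256_file(path):
    """Hash the evidence file so any change during review is detectable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify_in_source(db_path, table, column, reported_value):
    """Check that a value shown by the tool exists in the table it cites."""
    before = sha256_file(db_path)
    # mode=ro opens the working copy read-only so the check cannot alter it
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    rows, found = [], False
    try:
        # Identifiers cannot be bound as parameters: validate against the schema
        found = con.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
            (table,)).fetchone() is not None
        if found:
            quoted = '"' + table.replace('"', '""') + '"'
            cols = [r[1] for r in con.execute(f"PRAGMA table_info({quoted})")]
            if column not in cols:
                raise ValueError(f"no column {column!r} in table {table!r}")
            qcol = '"' + column.replace('"', '""') + '"'
            rows = con.execute(
                f"SELECT rowid, * FROM {quoted} WHERE {qcol} = ?",
                (reported_value,)).fetchall()
    finally:
        con.close()
    return {"table_found": found, "rows": rows,
            "unchanged": sha256_file(db_path) == before}

def build_sample_db():
    """Constructed stand-in database; not a real handset schema."""
    path = os.path.join(tempfile.mkdtemp(), "sms_sample.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Chat (sender TEXT, body TEXT, sent_utc TEXT)")
    con.executemany("INSERT INTO Chat VALUES (?, ?, ?)", [
        ("+15550100", "Running late", "2019-12-28T14:02:11Z"),
        ("+15550101", "Meet at the usual place", "2019-12-28T14:05:40Z")])
    con.commit()
    con.close()
    return path
```

Calling `verify_in_source(build_sample_db(), "Chat", "body", "Meet at the usual place")` returns the matching row with its rowid, plus a flag showing the file hash did not change during the check.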

For this example, let’s say that the chat mattered. The fact that the conversation took place on 12/28 2019 at a specific time really impacts your investigation. Here, you will see the “Go to” function at the top and the bottom of the pane.

The “Go to” at the top takes you straight to that installed application. So, if you care that this came from the SMS database, it would take you right to that file.

In this example, I want to jump directly to our timeline, so I use the “Go to” button at the bottom.

Once we’re in the timeline, we will be able to see what happened immediately before and right after that conversation occurred. You can then dive in and filter even more if you find it necessary.

From here, you can bookmark, tag, and include it in your report. You could honestly even export at this point to anything you want, from HTML to Word, or to a PDF.

If you want to get a screenshot or recording, simply click on the camera in the top right-hand corner and you’ll see options there for a screenshot or a video.

If you want to include a video as you scroll through the images, or even play a video and record it, you can do that here. I’m going to select an option. It will let you select your range of interest.

I’m going to drag it so I have my chat message in that pane. Then you can choose where you want to save it, and what projects you want to save it to – if you have multiple projects open.

Once that is done, scroll down on the left-hand side and you will see (under “Additional Files”) “Screen captures,” “Screen videos” or “Video recordings” that you have taken.

When you go to create a forensic report, everything will be there.

The important thing to remember is to use the tool to help yourself. If you want to jump to things quickly, use the “Go to” button. We love to call that the “jump to feature.” Use it to hop into the timeline and hop right back out. Don’t stress about losing where you are in your investigation because our tabbed browsing approach enables you to get right back to where you need to be.
