Keyword Searching in Cellebrite Inspector Content Search
Keyword searching is crucial and often one of the first steps taken during investigations. Cellebrite Inspector has a capability called “Content Search” that enables you to control what is searched and how it is searched.
Instead of searching an entire hard drive or mobile device for keywords, Content Search enables you to select specific artifacts or “partitions” to search. In this video, we will dive into Content Search, how to properly leverage it, how to use the settings, and how to view your results.
Keyword searching in Cellebrite Inspector is easy. All you have to do is go to the left-hand side of the screen and you’ll see “Content Search.” I have two examples showing below, but yours will be empty until you actually add one.
Now I want to click the green “Add” splash button. From here, you can name it at the top. I will call mine “demo.” You don’t necessarily have to name it, but it’s useful if you want to export and share or save these searches.
To add a keyword, click on the little plus sign at the bottom of your screen and add “computer_docs” as a keyword of interest. If you do not want a certain keyword in the list, click on the minus button and it will disappear. If you want to add another, type whatever word you are interested in and press “Enter.” Every keyword you add is included in the keyword list we’ve called “demo.”
On the right-hand side, you can choose what you want to search for. If you want to search “Content only,” it will go into the file content (even if it’s not parsed), and search for these keywords of interest. You can also choose “Content and File Names” or “File Names only.” It’s up to you to select what you want to search for.
You can make the search “Case Sensitive,” or run a “Deep Search,” which digs into binary plists and other items that are embedded in other files. You can “Skip Files Larger Than” a size that you choose. You can also choose to “Search All Files” or “Files That Don’t Match Filter,” which will enable you to filter down the information to your liking. Click “Start Search” or “Save Search” and the search will complete.
Below is an example that I’ve already run. On the left-hand side, the 2 and the 1 tell you which partition each item is pulled from. We can see items from the active partition as well as from Volume Shadow Copies.
Across the bottom, we also have hex, strings, and preview. Under “preview” you will see graphics. If you searched for BMW and wanted to see a graphic, this is where you would go.
Make sure you’re looking in the proper view at the bottom to get the most out of your keyword search. If you want to take a deeper look at what is actually included here, go into “Criteria” and it will tell you what was actually selected. If you’re sharing a case and a colleague created the keyword search, it’s likely that you would want to know what the initial search criteria were. Here you can see if it was a deep search, if it was case sensitive, and everything else you may need to know.
The final option you have is “Statistics.” This tells you how many searches you had. If you update the version of your tool and want to validate that it’s getting the same number of searches on a test case, this is a great place to find this information.
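For that kind of validation it helps to have an independent count to compare against. The script below is an added example, not Cellebrite code and not a description of how Inspector searches internally: it counts keyword hits over a folder of exported test files using options modelled on the settings described above (search scope, case sensitivity, size limit). The function names and the four sample files are constructed for illustration.

```python
import os
import tempfile

def keyword_search(root, keywords, mode="content", case_sensitive=False, max_bytes=None):
    """Return {keyword: number of files hit} for files under root.

    mode is "content", "names" or "both". Files larger than max_bytes are
    skipped entirely (this script's choice). Keywords are assumed ASCII.
    """
    counts = {k: 0 for k in keywords}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if max_bytes is not None and os.path.getsize(path) > max_bytes:
                continue
            data = b""
            if mode in ("content", "both"):
                with open(path, "rb") as fh:
                    data = fh.read()
            hay_name = name if mode in ("names", "both") else ""
            if not case_sensitive:
                data, hay_name = data.lower(), hay_name.lower()
            for kw in keywords:
                needle = kw if case_sensitive else kw.lower()
                # Raw byte match in both UTF-8 and UTF-16LE, so unparsed
                # files and Windows-style wide strings are covered.
                in_content = (needle.encode("utf-8") in data
                              or needle.encode("utf-16-le") in data)
                if needle in hay_name or in_content:
                    counts[kw] += 1
    return counts

def build_sample(root):
    """Write four constructed test files into root."""
    samples = {
        "computer_docs.txt": b"nothing relevant inside",
        "notes.txt": b"see the Computer_Docs folder",
        "wide.bin": "computer_docs".encode("utf-16-le"),
        "big.log": b"computer_docs" + b"x" * 5000,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for mode in ("content", "names", "both"):
            print(mode, keyword_search(tmp, ["computer_docs"], mode=mode))
```

Run it against the same test data before and after a tool update; a count that differs from the tool's own figure points to a settings difference (scope, case, size limit) worth checking in the saved search criteria.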
Keyword searching is easy if you create lists, import lists, export lists, and save them. It’s all up to you as to how you want to handle it and it’s pretty easy to examine when it’s done.