Navigating The Analyzed Data Model In Physical Analyzer
Facebook is a great example of data that can be provided in many formats. You can collect Facebook data from a mobile device or computer. You may have Facebook Takeout data collections or warrant collections provided by Facebook in direct support of your examination.
A previous video covered how to properly load Facebook Warrant Returns and Facebook Takeout into Cellebrite Physical Analyzer (PA). Please review that for more information.
Once the data is loaded inside of PA, where do you start?
In “Analyzed Data,” you will find Facebook under the “Social Media” data model. This video will walk you through how to filter the data to make the most sense of it. Filters are key in identifying locations (check-ins) of interest, wall posts, shares, likes, and more. Often social media plays a huge role in DFIR investigations. PA is a great solution for filtering through the mounds of data to identify points of interest.
It’s easy to get lost in the analyzed data jungle during investigations, so here are some tips to help you navigate the analyzed data model within PA.
If you go into “Devices,” you can see that information is listed, but if you want to see what was actually posted on Facebook, you have to dig a little bit under the Social Media category. Here you can find Facebook Takeout and the person’s name.
There will most likely be a lot of items listed, so it is nearly impossible to go through them, file by file. That is why learning to properly filter inside PA is so important.
Under “Type,” you can choose filters. Normally PA will select all, but depending on your investigation, you can filter it down to something more specific. For example, if you want to know where someone checked-in on Facebook, choose “Check-In” then select “OK.”
Once you have this, you can see specific examples and go directly to the location on a full map.
Here you can see all the places around the world where the person has checked-in. It is also possible to view a timeline from here and see all the specific locations for a particular timeframe.
This is extremely important to your investigations and essential to understanding how to navigate the analyzed data. Also, don’t forget that you can search and hop to specific information that will help you solve cases faster and have more control over your data.