Overview of Parsed Data in Cellebrite Physical Analyzer
At some point in your investigation, you may find yourself asking: did I get everything? How do I know whether my tool actually parsed all of the applications? There seems to be far more data in the extraction than what I actually see parsed.
In this episode, I will give you some hints on how to detect unparsed application data within Cellebrite Physical Analyzer.
Start by selecting “Insights” on the Data Collection Summary. From here you can see the “Insights View,” which provides a number of search options.
For example, if you go into “Chat Applications,” a good place to see what has been parsed is the little triangle with the Cellebrite logo (circled below in orange). That icon shows that the tool has parsed the item.
Below we can see entries such as Skout, Kik, and Twitter. Their chat data specifically has been parsed. With Skype, for example, we also see the Cellebrite logo, so we know that Cellebrite has parsed Skype’s chat data. However, Skype also supports calls, so you need to confirm that Cellebrite parsed the Skype call records as well. A parsed icon on one data category does not mean every category the app produces was decoded.
Make sure you understand the capabilities of every application you see. If you’re unsure, click the little “i” (info) icon (circled below in orange), which describes what the application is designed to do. That is one way to work out what should have been parsed and what has not.
The next thing you can do is go into “Table View.” Under “Decoded By,” you can select the filter and choose to select only “Blanks.” You’ll see “Blanks,” “App Genie,” and “Cellebrite.” If you don’t see App Genie it’s because you have not yet run it. I’m choosing just Blanks, as I want items that are not decoded by anything.
The top one is listed below as “CoverMe Private.” We can see it’s for social networking and also for hiding files and pictures.
What I often do is look on the right-hand side at “Permissions,” where it lists things like “Photos,” “Contacts,” “Microphone,” and “Camera.” The permissions tell you what kinds of data the application can create or access, which in turn tells you what artifacts you should expect to find and parse manually.
Also, look at the “Source files” to see where that application’s data lives in the file system.
You can also run a Keyword Search for “CoverMe.” You can search the whole file system, but ultimately we want to find the databases, the plists, the DAT files, the log files, and anything else that stores valuable information.
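The triage steps above (filter the app list to “Blanks,” then hunt for that app’s databases, plists, DAT and log files) can be scripted when the file system has been exported to disk. The following is an added example, not Cellebrite code and not part of the original post; it assumes you have exported the extraction’s file system to a directory and have an app list with a “Decoded By” column (both constructed inline here with hypothetical paths and app names). Files whose path contains the app keyword are reported by type, and SQLite databases are recognised by their header rather than by extension, so a database with no extension is still found.

```python
"""Triage helper (added example, not Cellebrite Physical Analyzer code).

Assumptions, all hypothetical:
  - the extraction's file system has been exported to a directory (root)
  - app records carry a "decoded_by" field mirroring the "Decoded By" column
"""
import os
import tempfile
from pathlib import Path

# Extensions that commonly hold app data worth a manual look.
ARTIFACT_EXTENSIONS = {".db", ".sqlite", ".sqlitedb", ".plist", ".dat", ".log"}
# Every SQLite 3 database starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def undecoded_apps(app_records):
    """Equivalent of the 'Blanks' filter: apps no decoder claimed."""
    return [r["name"] for r in app_records if not (r.get("decoded_by") or "").strip()]


def is_sqlite(path):
    """True if the file begins with the SQLite 3 header, whatever its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def find_artifacts(root, keyword):
    """Return sorted (relative_path, kind) for files under root whose path contains
    keyword (case-insensitive) and that look like app data: SQLite by header,
    otherwise by a known artifact extension. Other files (images etc.) are skipped."""
    root = Path(root)
    kw = keyword.lower()
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if kw not in rel.lower():
                continue
            if is_sqlite(p):
                hits.append((rel, "sqlite"))
            elif p.suffix.lower() in ARTIFACT_EXTENSIONS:
                hits.append((rel, p.suffix.lower().lstrip(".")))
    return sorted(hits)


def triage(app_records, root):
    """For every undecoded app, search the export using the app's first word
    (e.g. 'CoverMe' for 'CoverMe Private') as the keyword."""
    return {name: find_artifacts(root, name.split()[0]) for name in undecoded_apps(app_records)}


def sample_app_records():
    """Constructed stand-in for the Table View app list."""
    return [
        {"name": "CoverMe Private", "decoded_by": ""},
        {"name": "Skype", "decoded_by": "Cellebrite"},
        {"name": "Line", "decoded_by": "App Genie"},
        {"name": "Kik", "decoded_by": None},
    ]


def build_sample_extraction():
    """Constructed file system export with hypothetical paths; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="fsdump_"))
    app = "private/var/mobile/Containers/Data/Application/1234/"
    files = {
        app + "Library/CoverMe/messages.db": SQLITE_MAGIC + b"\x00" * 16,
        app + "Library/Preferences/com.coverme.prefs.plist": b'<?xml version="1.0"?><plist/>',
        app + "Documents/coverme_cache.dat": b"\x01\x02\x03",
        app + "Documents/coverme_store": SQLITE_MAGIC + b"\x00" * 16,   # no extension
        app + "Documents/coverme_thumb.png": b"\x89PNG",                 # skipped
        app + "Documents/hidden.jpg": b"\xff\xd8\xff",                   # no keyword
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_extraction()
    for app_name, hits in triage(sample_app_records(), root).items():
        print(f"== {app_name}: {len(hits)} candidate file(s)")
        for rel, kind in hits:
            print(f"   [{kind:6}] {rel}")
```

Each reported file is a starting point, not a finding: open the SQLite files and plists yourself and confirm what they contain before relying on them.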
Lastly, we will take a look at “Discord,” listed under “Chat Applications.” Discord is extremely popular and it is used a lot for communications.
Here you can choose to run App Genie, a research tool built into Physical Analyzer. App Genie is designed to dig through additional artifacts that the standard decoders did not parse.
It lists the applications it can attempt to parse. In the example below, Line and Discord are listed, so I’ll select “Start.”
Since App Genie is a research tool, you may find that it returns nothing. You may also find that it returns 500 hits. If it does return 500 hits, you must validate them. While we trust Cellebrite Physical Analyzer to run properly, we still need to validate our findings against the source files.
When App Genie is done parsing, the data will exist in the “Analyzed Data” section under “Manual Data Collection.”
It will parse user accounts, contacts, chats, and additional information that will aid you in your investigation.