At Cellebrite we aim to parse the latest and greatest artifacts, applications, and operating system updates. If you are a mobile forensic examiner, you know this isn’t an easy feat as everything is constantly changing. This blog will highlight features that have been added into Physical Analyzer 7.57 and 7.58 for Android devices.

Each release of Physical Analyzer will add enhancements to make your examinations a bit easier. This three-part blog series will cover iOS, Android and Application updates added into Physical Analyzer.

This blog will cover the following:

      • Samsung Rubin
      • Samsung Pass

Samsung Rubin

Physical Analyzer supports parsing Samsung Rubin, a unique Samsung source file that contains records of visited locations, device events, device connectivity, and more. As shown below, the Analyzed Data model in Physical Analyzer shows key artifacts that may aid in your Android investigations.

The Analyzed Data model in Physical Analyzer shows key artifacts that may aid in your Android investigations.

Samsung Rubin provides a better understanding of how the device was used, which applications were used, other device connections, and locations that may correlate to other data found on the device. While it’s not the same thing as KnowledgeC found on iOS, it’s similar in nature. Device Events, as shown below, is a great starting point to determine something as simple as whether the device was “on” or “off” at a specific time and how it was connected to networks.

Mobile Device Events is a great starting point to determine something as simple if the device was “on” or “off” at a specific time and how it was connected to networks.

As you have heard us say many times, we recommend following the source file to manually verify the artifact, if needed. This is easy to do in Physical Analyzer and enables you to stay within the tool. For those who like to dive straight into the database, this path is a great starting point: /data/data/com.samsung.android.rubin.app/databases/inferenceengine_logging.db/inferenceengine_logging.db.decrypted
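For examiners who want to verify parsed Rubin records against the source file, the following added example (not Cellebrite code, and not from the post) opens an SQLite database read-only, enumerates every table and column, and flags integer values that look like millisecond epoch timestamps so they can be compared with the times Physical Analyzer displays. The post does not describe the schema of inferenceengine_logging.db, so the script assumes nothing about table names; the small sample database it builds is constructed here purely to demonstrate the workflow.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Path quoted in the post. The decrypted file is a normal SQLite database;
# its schema is not described on the page, so nothing below depends on it.
RUBIN_DB_PATH = ("/data/data/com.samsung.android.rubin.app/databases/"
                 "inferenceengine_logging.db/inferenceengine_logging.db.decrypted")

# Heuristic window: 2001-01-01 .. 2100-01-01 expressed in Unix milliseconds.
_EPOCH_MS_MIN = 978_307_200_000
_EPOCH_MS_MAX = 4_102_444_800_000


def looks_like_epoch_millis(value):
    """True for integers that plausibly encode a millisecond Unix timestamp."""
    return isinstance(value, int) and _EPOCH_MS_MIN <= value <= _EPOCH_MS_MAX


def to_utc(ms):
    """Render a millisecond Unix timestamp as a UTC string for comparison."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def dump_database(path, row_limit=20):
    """Return {table: {"columns": [...], "rows": [...]}} for a decrypted SQLite file.

    The file is opened read-only (mode=ro) so verification never alters evidence.
    Each row keeps its raw values; timestamp-looking integers get an extra
    '<column>_utc' key with the decoded time next to the original number.
    """
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        result = {}
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        for table in tables:
            cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]
            rows = []
            for raw in conn.execute(f'SELECT * FROM "{table}" LIMIT ?', (row_limit,)):
                row = dict(zip(cols, raw))
                for col, val in list(row.items()):
                    if looks_like_epoch_millis(val):
                        row[f"{col}_utc"] = to_utc(val)
                rows.append(row)
            result[table] = {"columns": cols, "rows": rows}
        return result
    finally:
        conn.close()


def build_sample_db():
    """Create a CONSTRUCTED stand-in database (hypothetical table/columns) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE device_event_log (id INTEGER PRIMARY KEY, "
                     "event_type TEXT, event_time INTEGER)")
        conn.executemany("INSERT INTO device_event_log VALUES (?, ?, ?)", [
            (1, "SCREEN_ON", 1_700_000_000_000),   # constructed: 2023-11-14 22:13:20 UTC
            (2, "WIFI_CONNECTED", 1_700_000_060_000),
        ])
    conn.close()
    return path


if __name__ == "__main__":
    # Point at RUBIN_DB_PATH on an exported file system; the sample is used here
    # so the script runs offline.
    db = build_sample_db()
    for table, info in dump_database(db).items():
        print(table, info["columns"])
        for row in info["rows"]:
            print("  ", row)
    os.remove(db)
```

Run it against a copy of the exported decrypted file rather than the original, and treat the `_utc` columns as a cross-check: a record whose decoded time matches the Device Events entry in Physical Analyzer has been validated against its source.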

We recommend following the source file to manually verify the digital artifact for mobile device forensics.

Samsung Pass

Samsung devices offer the Samsung Password Manager to let users store passwords for easy access when using their device. It is simply a way to save passwords for applications so the user can log in without entering them repeatedly. Samsung Password Manager is often unlocked with the biometric unlock set on the device and may also track notes created by the user on the device.

Physical Analyzer parses Samsung Pass as shown below. In this screenshot, we can see the user’s password for Snapchat as stored in Samsung Pass.

The user’s password for Snapchat as stored in Samsung Pass

Stay tuned for more blogs of this nature that highlight feature requests and updates that ensure you are getting the most data out during your examination. Mobile devices progress quickly, and our goal is to provide updates that enhance your examiner experience by providing artifacts that have been tested for accuracy. As you always hear us say, validate the data and follow the source to the file that holds the information.
