At Cellebrite, we aim to parse the latest and greatest artifacts, applications, and operating system updates. If you are a mobile forensic examiner, you know this isn’t an easy feat, as everything is constantly changing. This blog will highlight features that have been added to Physical Analyzer (PA) 7.57 and 7.58 to parse additional data from applications. Each release of Physical Analyzer will add enhancements to make your examinations a bit easier.

This blog will cover the following:

      • WhatsApp
      • Snapchat
      • Facebook Messenger

WhatsApp

While this isn’t a new application, its updates, additions, and new features force us to update our parsing capability. In the updated versions of Physical Analyzer, you will see decoding support for additional calls, including more explicit details on call artifacts. In addition, we alert the examiner whether the message was sent from a mobile device or web platform.

Digital forensics examiner gets alert if the message was sent from a mobile device or web platform - source: Cellebrite

Snapchat

As stated with WhatsApp, Snapchat isn’t a new application, but enhancements made within the application force us to revamp how we decode the data. Parsing updates include parsing more snaps from the Snapchat Gallery, parsing ‘My Eyes Only’ snaps for both iOS and Android, and adding location artifacts to snaps, including the time the snap was taken.

Parsing ‘My Eyes Only’ snaps for both iOS and Android and adding location artifacts - source: Cellebrite

Since we parse many artifacts for Snapchat, it may be helpful to filter on the keyword “snapchat” to ensure you are not missing any parsed data. This concept was covered in a Tip Tues, which can be located on our website.

Application snapchat analyzed data

Facebook Messenger

Facebook Messenger has been around for longer than I can remember. Like the others, enhancements made to the application force our developers to update parsing support in Physical Analyzer. In the updated versions of Physical Analyzer, offline accounts are now parsed. Facebook started encrypting accounts that were connected to the device but are no longer logged in. Physical Analyzer now supports parsing these accounts for iOS and Android.


In future versions of Physical Analyzer, you will see enhancements supporting additional application parsing and more. Our goal is to make your life easier with a tool you can rely upon.
