Support for Incident Response
This release of Endpoint Inspector introduces these features that provide support for incident response:
- Local Attached Storage Destination for Collections from Computers
- Create a Disk Image of a Windows Computer
- Memory Collection
Local Attached Storage Destination for Collections from Computers
When you define a computer collection, it is now possible to save the output to local storage attached to the source computer. You must first create the folder on the local storage destination. The destination folder must be on a different drive from the one being collected from. The folder name must not include characters that are not permitted on Mac or Windows computers, such as emojis and any of the following: # % & { } < > * ? / $ ! " ' : @ + ` | = [ ] ~ ( ) ;
After the folder is created on the destination and attached to the source computer, you can specify that local folder as the output location for the computer collection.
If more than one storage device is connected to the source computer, and a folder with the destination folder's name exists on more than one of those devices, the output is saved to the first matching folder the agent encounters. Therefore, avoid common folder names such as Data or New Folder.
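The three rules above (permitted folder name, destination on a different drive, and an unambiguous folder name across attached volumes) can be checked before a collection is started. The following is an added example, not code from the release notes or from Endpoint Inspector; the volume inventory it takes is a constructed dictionary of attached volumes and their top-level folder names, and treating every non-ASCII character as not permitted is an assumption that goes slightly beyond the emoji rule in the notes.

```python
from typing import Dict, Iterable, List
from pathlib import PurePath, PureWindowsPath

# Characters the release notes list as not permitted in the destination folder
# name (straight quotes stand in for the quotation marks in that list).
FORBIDDEN = set('#%&{}<>*?/$!"\':@+`|=[]~();')


def folder_name_problems(name: str) -> List[str]:
    """Reasons a destination folder name is unsuitable; an empty list means OK."""
    problems = []
    if not name.strip():
        problems.append("empty folder name")
    bad = sorted({c for c in name if c in FORBIDDEN})
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Emojis are ruled out by the notes; this conservatively (assumption) treats
    # every non-ASCII character the same way, so names stay portable to both OSes.
    if any(ord(c) > 0x7F for c in name):
        problems.append("non-ASCII characters (for example emojis)")
    return problems


def drive_of(path: str) -> str:
    """Volume a path lives on: the drive letter on Windows ('E:'), the
    /Volumes/<name> mount on macOS, or '/' for the macOS system volume."""
    drive = PureWindowsPath(path).drive
    if drive:
        return drive.upper()
    parts = PurePath(path).parts
    if len(parts) >= 3 and parts[1] == "Volumes":
        return "/" + "/".join(parts[1:3])
    return "/"


def check_destination(folder_name: str, dest_path: str, source_path: str,
                      volumes: Dict[str, Iterable[str]]) -> List[str]:
    """Pre-flight check for a local attached storage destination.

    volumes maps each attached volume (named as drive_of() names it) to the
    folder names at its top level, an inventory taken on the source computer.
    """
    problems = folder_name_problems(folder_name)
    if drive_of(dest_path) == drive_of(source_path):
        problems.append("destination is on the drive being collected from")
    matches = [v for v, names in volumes.items() if folder_name in names]
    if not matches:
        problems.append("folder does not exist on any attached volume; create it first")
    elif len(matches) > 1:
        problems.append(f"folder name exists on {len(matches)} volumes "
                        f"({', '.join(matches)}); the first one found would be used")
    return problems
```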
Create a Disk Image of a Windows Computer
With Endpoint Inspector, you can now create an image for a single volume or disk from a single target Windows computer. This task requires the cooperation of the custodian of the computer that the agent will run on, because the resulting *.e01 file must be saved to locally attached storage. The file cannot be saved over a network connection. The storage destination cannot be the same drive that is being imaged.
Memory Collection
With Endpoint Inspector, you can collect memory from remote Windows computers and Intel-based Mac computers. The option to collect memory artifacts is offered in addition to the collection filters. Collected memory is written to a *.dmp file that sits outside the *.l01 file produced for the collection from the same computer agent.
Customizing and Managing Email Templates
The Endpoint server automatically sends email messages to custodians of computers, mobile devices, and cloud accounts to notify them of actions they need to take. Administrators and examiners can now customize and manage these types of email templates:
- Cloud Collection Request
- Cloud Collection Success
- Cloud Collection Failure
- Mobile Collection Request
Only users with the Administrator role can customize and manage Agent Installer Distribution email templates.
Users with the Examiner role can modify or delete templates they created themselves; they cannot see email templates they did not create. Users with the Administrator role can see all templates but cannot modify any they did not create themselves. However, administrators can delete templates created by any user.
Each of the template types has placeholder text that you can change as necessary for your organization. When you create custom email templates, the default templates provided by Cellebrite remain, even if you set a custom template as default. When you later create collections, you can choose which template to use. The default template will be either a custom template you set as default or the one labeled Default, which is the one provided by Cellebrite.
You can set a template as your default for each type of template. Each user can set their own defaults. All templates require the use of specific variables to ensure the appropriate information and links appear within the email messages. You can see the list of variables exactly as they must appear within each template type.
Enhancements for Workplace Application Collections
These enhancements were made to the Collections page to make routine collections from workplace applications easier and faster.
Directly from the Collections page, you can easily collect only items that are new since the last collection was made. These incremental collections may be faster than a full collection, and the resulting collection files are smaller.
You can also quickly and easily run a full workplace app collection again without having to define a workplace collection each time.
When you open the Details page for a workplace app collection, you can easily see for each instance whether all items were collected or only the latest items.
Change to Home Page
On the Home page, the table that lists events from the past ten days has been replaced with a graph. To see only one type of event in the graph, click the appropriate event type in the list to the right of the graph.
Visit the MyCellebrite Portal for a user guide, quick start guide, and more information.