Utilizing the Portable Case Feature in Cellebrite Inspector
Portable Case is a feature within Cellebrite Inspector that allows case data to be shared for offline review. Analysts who do not have access to the evidence files or licensing information will be able to view the shared data in these logical case files. A “reader application” will be included with the data being shared, and no installation or license is required to view the data.
To create a portable case, an examiner will need the full, licensed version of Cellebrite Inspector. There is a “Share” icon in the top “Command Bar.” When selected, another screen will appear to select items to be included. These items include artifacts derived from previous processing within Cellebrite Inspector (left pane, “Extracted Data”), tagged items (middle pane), and search results (right pane).
How to Select Data to Include in the Portable Case
In the “Extracted Data” pane on the left, the examiner can choose what types of artifacts should be included in the logical case file. One specific point to remember is that processing for specific artifacts must be complete before they will be available to save in a portable case. If the examiner chooses the basic triage processing, they will get most of the information available on the “Command Bar” at the top of the interface, such as Actionable Intel, Communications, etc.
There are expansion arrows along the left side of the list which allow additional sub-views. There is also a number in parentheses to the right of each artifact type that displays how many items will be included. This number will change depending on what evidence items are selected in the “Component List” to the left, as well as the date range filter that is available at the bottom.
If there are multiple devices in the case file, the examiner has the option to choose which devices they would like to be included by selecting and deselecting the appropriate device in the Component List.
As noted, the date range at the bottom only limits the data in the “Extracted Data” column (it does not apply to the “Tag” and “Search” panes).
This can help limit the amount of data to be included in the portable case, as well as meet any scope requirements set forth by search warrants. By selecting specific ‘Extracted Data’ fields of interest, the associated files for the artifact will be included in the case file. This is important to remember if the file size is an issue, especially when dealing with media files. The more files that are included, the bigger the portable case file will be.
Next over is the Tag pane. Any tag that was created in the current case file will display in this pane and can be selected for inclusion into the portable case. Next to the tag is a checkbox to denote whether files should be exported with the portable case, so the examiner has the option of including the actual files in addition to the information stored in the tag of the case file.
One item to note here is that if a date range is selected in the “Extracted Data” pane, it will not apply to this pane. So even if there are tagged items that fall outside of that date range, they will be included if the tag is selected.
The last item in the Command Bar is the “Search” pane. This section will show the content searches that were performed within Cellebrite Inspector. These searches will also give examiners the ability to export the files that had search hits, or just display a listing of the hits.
Generating a Portable Case
Once the data to be included has been selected, there is a “Generate Portable Case” button at the bottom, right-hand corner. The examiner can select which operating system to include the portable case reader for: Windows, Mac, or both if they are unsure which system will be used for offline viewing.
They can also select neither if the reviewer already has a copy of the reader application. To the left of the button, it will also display the number of evidence items that data will be exported from.
Once the Generate Portable Case button is pressed, a pop-up will appear to indicate where the portable case should be saved. The name of the case defaults to the Inspector case filename. After the location is selected, the examiner will see the Progress Bar at the bottom of Inspector.
The output when complete will be a .PortableCase file, which is a bundle/container just like an Inspector case file. This container will include the case data selected to be exported, as well as the appropriate reader application that was selected if any (Windows, Mac, or both).
The example below shows a portable case created with both readers included (Bennett), one reader included (Search), and no reader included (Tag).
Reviewing a Portable Case
When the portable case has been given to the appropriate person for review, the reader application will display the data in a very similar format to Inspector. The “Menu Bar” will have limited options compared to the full version. Some of the functions available in the portable case include content or index searching, tagging, saving file listings, exporting selected rows, and generating reports.
The Menu Bar will also have the “Command Bar” at the top, but this bar will only have icons for the types of data that are included in the portable case. For instance, if only Actionable Intel and Communications data were exported, the reviewer will only see those icons and not Media, Locations, etc. The Browser and File Filter icons will always be available. Below are some examples of how the command bar appears in different portable cases, depending on the data selected.
The component list on the left-hand side will include everything that is in the full version except the “Activity” section. The items listed include “Evidence”, “Tags”, “Content Searches”, “Index Searches”, and “Investigative Notes”. The Index Searches section of the Component List provides access to the Smart Index. If the data exported was indexed in the Inspector case the portable case was generated from, the portable case will contain a Smart Index. Queries of the Smart Index created are saved in the portable case file.
Finally, the “Content Pane” will display information related to the selected view in the Command Bar as well as the evidence items selected in the Component List. When Browser is selected in the Command Bar, for instance, the folder tree structure will display in the content pane.
At the top, right-hand corner of the Command Bar, the reviewer will be able to generate a report. They can select the data to be included in the report under the “Report Elements” pane and will have the option of saving the report as HTML, PDF, DOCX, TXT, or CSV.
Accessing the Portable Case Readers
If the examiner doesn’t select the correct reader application at the time the portable case is generated, or if there is a need to get the reader at a later time, both versions of the reader (Mac and Windows) are included in the Cellebrite Inspector installation zip file.
The Cellebrite Inspector reader does not require installation or a license. The reader is designed only for portable cases and will not open regular Cellebrite Inspector case files. If a reader was not included during portable case generation, copy the relevant reader .zip file from the Inspector installation folder and send it with the .PortableCase file. The case reviewer can simply unzip the application and launch the Inspector reader, then open the .PortableCase file.