I work in AI for eDiscovery, and would like to better understand the various ways that chat data is represented in Cellebrite captures. I've used lots of chat and social media apps over the years on my Samsung Galaxy S7 phone (which I'm about to upgrade), so I'm going to pay a forensics firm to do a capture from it using a recent version of Cellebrite. I gather from articles like this
https://prodigital4n6.com/cellebrite-reader-you-dont-know-what-youre-missing/
that Cellebrite Reader files, which can be examined using the free Cellebrite Reader application, include only a subset of the data on the phone, and in particular may omit data in databases used by various apps. So, two questions:
- What form(s) of Cellebrite capture should I have the firm provide me?
- What alternatives are there to paying for a Cellebrite Physical Analyzer license to examine data that Cellebrite Reader doesn't handle?
You should receive a proper extraction, which should include a decrypted physical image (in the case of an S7), as well as a report with Cellebrite Reader and the .ufdr file that gets loaded into Reader. Reader will only present you data that was already decoded with Physical Analyzer beforehand. The .ufdr file is actually a zip archive, and you should be able to find the database files of your "chat and social media" apps in it, which you can analyze with other tools as well, including the free DB Browser for SQLite.
There are a couple of other forensic tools that may get more, or different, data from the same source. With a physical decrypted image from the phone, you can use a free tool like Andriller, or analyze the data manually.
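The answer above says the .ufdr is a zip archive with the apps' database files inside. The script below is an added example (not from the original post or from Cellebrite) that opens such an archive as a plain zip, finds the SQLite databases by file signature rather than by file name, and lists each database's tables and row counts so you know which file to load into DB Browser for SQLite. It assumes nothing about the .ufdr directory layout beyond it being a zip; the member names and the sample archive it builds are constructed for the demonstration.

```python
"""
Added example: inventory the SQLite databases inside a Cellebrite .ufdr
(treated purely as a zip archive). Member names such as
'files/Database/msgstore.db' are hypothetical; real archives differ.
"""
import os
import pathlib
import sqlite3
import tempfile
import zipfile

# Every SQLite 3 file starts with these 16 bytes, regardless of extension.
SQLITE_MAGIC = b"SQLite format 3\x00"


def find_sqlite_members(ufdr_path):
    """Return the zip members whose contents start with the SQLite signature."""
    found = []
    with zipfile.ZipFile(ufdr_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < len(SQLITE_MAGIC):
                continue
            with zf.open(info) as fh:
                if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                    found.append(info.filename)
    return sorted(found)


def summarize_database(ufdr_path, member):
    """Extract one member to a temp file and return {table_name: row_count}.

    The copy is opened read-only so the review step can never alter it.
    """
    with zipfile.ZipFile(ufdr_path) as zf:
        data = zf.read(member)
    fd, tmp = tempfile.mkstemp(suffix=".db")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        uri = pathlib.Path(tmp).as_uri() + "?mode=ro"
        con = sqlite3.connect(uri, uri=True)
        try:
            names = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
            counts = {}
            for name in names:
                quoted = '"' + name.replace('"', '""') + '"'  # table names cannot be bound
                counts[name] = con.execute("SELECT COUNT(*) FROM " + quoted).fetchone()[0]
            return counts
        finally:
            con.close()
    finally:
        os.remove(tmp)


def build_sample_ufdr(path):
    """Constructed stand-in for a .ufdr: a zip holding one chat database,
    one XML report and one text file. Data is invented for the example."""
    fd, tmpdb = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(tmpdb)
    con.executescript("""
        CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER);
        CREATE TABLE participants(jid TEXT PRIMARY KEY, display TEXT);
        INSERT INTO messages(sender, body, ts) VALUES
            ('alice@example', 'hi', 1700000000),
            ('bob@example', 'hello', 1700000060),
            ('alice@example', 'see the attached file', 1700000120);
        INSERT INTO participants VALUES ('alice@example', 'Alice'), ('bob@example', 'Bob');
    """)
    con.commit()
    con.close()
    with open(tmpdb, "rb") as fh:
        db_bytes = fh.read()
    os.remove(tmpdb)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("files/Database/msgstore.db", db_bytes)   # hypothetical member name
        zf.writestr("report.xml", "<report/>")
        zf.writestr("readme.txt", "not a database")
    return path


def run_demo():
    """Build the constructed archive, scan it, and return (members, summary)."""
    workdir = tempfile.mkdtemp()
    ufdr = build_sample_ufdr(os.path.join(workdir, "sample.ufdr"))
    members = find_sqlite_members(ufdr)
    summary = {m: summarize_database(ufdr, m) for m in members}
    return members, summary


if __name__ == "__main__":
    members, summary = run_demo()
    for m in members:
        print(m)
        for table, n in summary[m].items():
            print("  {:<20} {:>6} rows".format(table, n))
```

On a real report, replace the constructed archive with the path to your .ufdr and call `find_sqlite_members` and `summarize_database` directly; signature matching matters because app databases are not always named with a .db or .sqlite extension. Carry the WAL and journal files alongside a database when they are present, since recent messages may still sit in them.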
> There are a couple of other forensic tools that may get more, or different, data from the same source.

If you are capturing a physical image of an S7, all tools should get the same main data partition. The issue may come in with what tool you are using to parse the data.