Physical Analyser Pro is sporting a slick new UI, enhanced searching functionality, plugin chaining, enhanced decoding for iPhones and promises to be a huge leap forward in taking cell phone examinations to a deeper level. You could have surprises! We learned to not fully trust the UFED reader report the hard way here. Cellebrite just recently announced the release of their solution for performing dumping and analysis of mobile devices – Physical Analyser Pro 2.0. If you want to be sure, you should at least test your final report inside a good analysis tool. Again, if you do not control the format in which you deliver the said information, you then cannot be 100% sure of your work product. Just keep in mind that the UFED reader report is like a black box and you do not control the information. Having said that, if you do not care that some databases or more information can be found inside a production even if you blacklisted it, go ahead and work with the UFED reader report. This is valuable especially when you are trying to exclude some privileged documents, communications, information. The loadfile option would give you more knowledge about exactly what you export, what you are working with and the ability to then remove what you do not seek to disclose. That said, if you use the Excel report format, you have less chance to find surprises inside your production, as it is similar to a loadfile in that you control the information you disclose. This is a no-no when you need to work with periods determined in the mandate or with possible privileged information. Those messages would be invisible inside the UFED reader when you open it, but the databases can still be found there, hidden inside the UFED report. If you ingest a UFED report inside Intella or other tools, you may have the full communications databases parsed even if you choose to only have significant messages exported. But in doing so you open yourself to disclose more information than you maybe want to.
Tools like Intella and others can "ingest" UFED reports in some ways, it is true. They really need to step up their game in regard to the way we can export their data and work with it post-acquisition. If this kind of feature is valuable to you as well, I suggest that you contact them and ask for this to be implemented inside UFED PA. So I contacted them back to know why such an important feature would not be available to us. Unfortunately when I contacted them, they told me that this feature will not be available for their law enforcement/GOV clients… This is crazy because many of us are users of their solutions. This loadfile can be worked with and then imported in a review platform. In your case, this would make you able to import the loadfile inside tools like NUIX and perform your searches and tags. It will give us the possibility to extract UFED PA "report" in a concordance loadfile format. They partnered up with Relativity to enhance exporting and reviewing capabilities. I have reached out to Ron Serber as well but thought the community may have something to offer. Cellebrite is working on a solution that can achieve this kind of work, they call it 'legalview'. I've looked at importing the dump into third party tools but this client has had over 30 phones as part of this engagement all resulting in UFED reports, if I start producing completely different reports now it will not go down well. Any thoughts/ideas on how to accomplish this in PA? It wouldn't be so bad if the watchlist results could be displayed a group at a time (i.e. all SMS hits, all MMS hits etc.) but it looks like the only way to display watchlist results is a single hit at a time (over 8,000 in this instance). If I can display them in a single window this allows a batch select and untag, problem solved. When using a watchlist there doesn't appear to be a way to show all the watchlist items in a single window the way you can with all other search results.
This is where the frustrating bit comes in. Okay, so my next thought is to tag everything, then I'll go through and untag the LPP data so I can do a report on 'tagged only'. I can tag the items that are LPP, however when it comes to reporting my options are 'everything' or 'tagged only'. My issue is that I cannot find a way within UFED PA to exclude the LPP data. There is a small portion of data over which there is a privileged claim (LPP), so I find myself needing to produce a report of a subset of data which will exclude the privileged data. I have a phone which has been processed with UFED PA, and as luck would have it there are quite a lot of records on the phone. I have an interesting problem which seems simple but is turning out to be deceptively complex.