User Manual September 2016 Version 5.2
Legal notices
Copyright © 2016 Cellebrite Mobile Synchronization Ltd. All rights reserved.
This manual is delivered subject to the following conditions and restrictions:
- This manual contains proprietary information belonging to Cellebrite Mobile Synchronization Ltd. Such information is supplied solely for the purpose of assisting explicitly and properly authorized users of the UFED Analytics Desktop.
- No part of this content may be used for any other purpose, disclosed to any person or firm, or reproduced by any means, electronic or mechanical, without the express prior written permission of Cellebrite Ltd.
- The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.
- Information in this document is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.
Contents
1.1. Terms
1.2. A workflow example
2.1. Installing UFED Analytics Desktop
2.1.1. System requirements
2.1.2. Installing UFED Analytics Desktop
2.1.3. Activating UFED Analytics Desktop
2.1.4. Starting UFED Analytics Desktop
2.2. Analyzing data sources
2.2.1. Auto merge on open
2.2.2. Creating a new case
2.2.3. Displaying and editing the properties of a person
2.2.4. Adding a Micro Systemation XRY file to a project
2.2.5. Adding a Call Detail Record file
2.3. Overview of the workspace
2.3.1. Workspace layout
2.3.2. Using the workspace
2.4. Performing a global search
3.1. Data source owners filter
3.2. Timeframes filter
3.3. Parties filter
3.4. Types filter
3.5. Origins filter
3.6. Advanced filters
3.7. Watch list filter
3.8. Extracted categories filter
3.9. Mutual location filter
3.10. Linked data source owners filter
3.11. Links filter
3.12. Tags filter
4.1. Text analytics
4.2. Image analytics
5.1. Working with the link diagrams
5.1.1. Changing the diagram layout
5.1.2. Navigating the diagram
5.1.3. Rearranging the diagram
5.1.4. Working with links
5.1.5. Graph tools ribbon
5.2. Analyzing timelines
5.2.1. Media tools ribbon
5.3. Details pane
5.3.1. Item tab
5.3.2. Adjacent events tab
5.3.3. Conversation tab
5.4. Working with Parties
5.4.1. Highlighting a person's links
5.4.2. Working with the Persons table
5.4.3. Viewing a timeline for a person
5.5. Data by type
6.1. Creating Watch lists
6.2. Editing Watch lists
6.3. Deleting Watch lists
6.4. Importing and exporting Watch lists
6.5. Activating and deactivating Watch lists
6.6. Viewing Watch list results
7.1. Adding tags
7.2. Editing tags
7.3. Deleting tags
7.4. Applying tags
8.1. About location data
8.2. Navigating the map
8.3. Viewing offline maps
8.4. Markers and information windows
8.5. Map tools ribbon
8.6. Merge persons
8.7. Split persons
10.1. Saving a case
10.2. Opening a saved case
11.1. Setting UFED Analytics Desktop options
11.2. File menu
11.3. Application ribbon
1. Welcome to UFED Analytics Desktop
UFED Analytics Desktop simplifies and automates analytical tasks – allowing investigators to easily identify the critical relationships that can focus investigations. By immediately linking and unifying multiple disparate data sources, UFED Analytics Desktop helps generate leads and uncover actionable insights from existing call logs, application data, text messages, locations, private cloud sources, images, videos, and more, based on reports generated from physical, logical, and file system extractions.
With UFED Analytics Desktop you can:
- Quickly and efficiently identify existing connections between persons of interest
- Reveal relationships with mutual contacts
- Filter data according to time and date, number of events, Watch lists and categories
- Visualize the communication directions, pinpointing unidirectional and bidirectional communication
- Drill-down to specific events
- Determine the suspects' physical locations and movements
- Integrate cloud data
- Automatically tag images related to topics of interest with Image analytics
- Automatically categorize terms and phrases with Text analytics
- Work within a multi-screen environment that enables analysis via multiple views related to the same investigation in parallel
- Share findings with other investigators
- Generate customized reports including detailed information and graphs
- Analyze up to 500,000 events per case
In UFED Analytics Desktop, the following terms are used:
The files containing the extracted information.
The owner of the device/data that owns the extracted information.
An indication of communication based on single or multiple events. A link can be created based on contact information, Bluetooth device, and more. In the links diagram, the thickness of the link line represents the volume of events; the arrow represents the direction of communication.
The people with whom the data source owner has interacted.
A workflow using UFED Analytics Desktop might look like this:
1. Open two or more UFDR report files generated from the physical, logical, or file system extraction from your suspects’ devices.
2. Open a report generated by other tools such as XRY extended XML or external data sources (CDR).
3. Are your suspects connected to one another? Do they have mutual acquaintances? Assess common links between the suspects using the .
4. Filter the display by data source owner, type, timeframe, parties, or link types to pinpoint the information for which you are looking.
5. Create to help filter the data based on specific
6. Tag items for future reference.
7. How much interaction was there with a particular accomplice? Drill-down to comprehensive information on the suspect’s relationship with a particular party.
8. Are the suspects connected to each other through mutual contacts? Assess all links by choosing the relevant data source owners and all parties in the filters.
9. When and where did the suspects cross paths, if at all? Assess the locations of your suspects in the tab and pinpoint meeting places using the .
10. What were the suspects communicating about, and when? Assess events as they occurred sequentially in the tab.
11. Did the suspect take and/or send an incriminating photograph? The new Image analytics feature will automatically tag incriminating photos.
12. Do you have background information about a suspect? Filter for it using the new Text analytics feature.
13. Create a report of the information you have gleaned using UFED Analytics Desktop.
2. Getting started
This section includes the following:
This section describes the installation and activation of the UFED Analytics Desktop application on your computer.
The computer on which you install UFED Analytics Desktop should meet the following system requirements:
Core i7 (8 cores) running at 3.5 GHz or higher
Core i5 (4 cores) running at 3.3 GHz or higher
Microsoft Windows 64-bit including Windows 7 Service Pack 1, Windows 8, Windows 8.1, and Windows 10
16+ GB
8 GB
6 GB of free disk space for text and image analytics
NVidia GPU with compute capability 3.0 or higher, at least 640 CUDA cores and 2 GB of memory
Microsoft .NET Framework version 4.5.2
An additional 10+ GB disk space is required for storing cases.
1. Obtain a copy of the UFED Analytics Desktop application.
2. Double click the file.
3. Follow the installation wizard.
Activate UFED Analytics Desktop in one of the following ways:
Check your UFED kit to make sure which method you should use.
Use the UFED dongle provided with your UFED kit. The dongle contains licenses for all the applications purchased.
1. Connect the dongle to a USB port on your computer. The license is automatically located. When the dongle is recognized by the operating system, the application can read the license.
2. Start the UFED application.
1. When starting for the first time, or when a license dongle is not found, the Cellebrite Product Licensing window appears.
2. If you connected the dongle to a USB port on your computer, and it still does not work, contact [email protected].
The HASP dongle drivers must be installed in order to use a hardware license key. If the drivers were not installed during the UFED software installation process, you can run the installation process again and select at the end of the process.
The first time you open the application, you must activate the license.
1. Go to the following link:
- https://my.cellebrite.com/analyticsdesktop
- https://my.cellebrite.com/phonedetective
2. Sign into your MyCellebrite account. (If you don't have an account, click , create a user, and then go back to the required UFED application link.) You will be directed to the product activation window.
3. Click to download the application and save the file to a PC.
4. Extract the zip file, click the installation file and install the software using the Setup Wizard. Restart the PC if required.
5. Repeat step 1 to go to the application link.
6. In the Activation Method box, if you purchased UFED 4PC, select . If you purchased UFED Touch, select . The Activation method is not required for the UFED Cloud Analyzer or UFED Analytics Desktop applications. For these applications, skip to step 7.
7. Depending on the product you purchased, continue as follows:
- In the Activation Code field, enter the Activation code provided with the UFED kit.
- In the Serial Number field, select the UFED serial number displayed on the UFED Touch unit or UFED Touch License Activation screen. To add a new device, click and enter the required information.
8. Next obtain your Computer ID (do not close the MyCellebrite page while performing this step).
- Start the application. The Cellebrite Product Licensing window appears.
- Click to copy the Computer ID displayed in the window.
9. In MyCellebrite, paste the copied Computer ID.
10. Click to download the application license key to your PC. The license key will also be sent to your registered MyCellebrite email address.
11. In the application, click in the Cellebrite Product Licensing window.
12. Select the License file and click . A message appears to indicate that the software license was updated successfully.
13. Click .
In cases where a UFED application that has been activated by a software license needs to be moved to another PC, you must first deactivate (remove) the license from the original computer.
1. In the UFED application, go to > . The Cellebrite Product licensing window appears.
2. Click . The Software license deactivation window appears.
3. Click to copy the computer ID.
4. Go to http://my.cellebrite.com/deactivation, and sign in to your MyCellebrite account. If you do not have an account, click and create a user. Then go back to http://my.cellebrite.com/deactivation. The following window appears.
5. Make sure the device is added to your list of products.
- If the device is displayed in your list of products, click the link to navigate to the My Products page.
- If the device is not displayed in your list of products, click in the UFED license deactivation window, or in the My Products page. The following window appears.
a. Enter the Serial number, Device ID and a name for the device (optional) as they appear in the Cellebrite Product Licensing window.
b. Click . The device is now displayed in the Active Products area in the My Products page.
6. In the My Products page, locate the device, open the options menu and select . The following window appears.
Do not click until you have completed all the steps above.
7. Click and then save the file to the PC.
8. In the Software license deactivation window of the UFED application, you need to upload the deactivation file. Click and open the deactivation file. The Software license deactivation window appears.
To complete the deactivation process, you need to upload the deactivation file to MyCellebrite.
9. In the Software license deactivation window, click or , and then click .
10. Return to the Deactivation wizard in MyCellebrite and click . The following window appears.
11. Click and upload the deactivation file that was generated by the UFED application.
12. To activate your UFED license on another computer, follow the steps in .
The Network dongle is connected to your organization’s network and contains licenses for all the applications purchased.
1. Start the UFED application. If the network dongle is connected to the network, the application starts and the user can start working immediately. If the network dongle is not recognized, the Cellebrite Product Licensing window appears.
2. Click . The following window appears.
If a dongle was not found on the network – make sure that you have an Internet connection and that a dongle is connected to the network. Then click to search for a network dongle again. By default, the network configuration is set to Broadcast. If required, you can manually connect to the network dongle. Click to change the network configuration to Specific host. Enter the host name (or IP address). If there is only one network dongle it will be selected automatically. If there are multiple network dongles, select the required dongle from the list and click .

- Select > > > > .
- Double-click the shortcut on your desktop.
The main page appears.
The Recent cases view lists all the cases available in the application, sorted by creation date.
UFED Analytics Desktop supports multiple types of data sources:
1. UFDR report files generated by UFED Physical Analyzer, UFED Logical Analyzer, and UFED Cloud Analyzer.
2. XML report files generated by Micro Systemation XRY. UFED Analytics Desktop supports XRY extended XML reports.
3. CSV, XLS, XLSX, and TXT files that contain calls, SMS, MMS and location data generated by an external data source (CDR).
Open multiple report files to analyze the links between them. A case can include up to 500,000 events from mobile devices (logical, file system, physical extractions from UFED or XRY) or external data sources.

When opening a report file, the application will analyze the report content before loading. In some cases, where the same information already exists in the workspace, the application will perform an automatic merge of the new content with the existing content, or merge only the new content (this occurs for example if there are two or more entities with the same phone number).
If a person (data source owner or party) in the file being loaded has the same contact information as an existing person, then the application will automatically merge both persons. The result will be one person with the merged content. The original person's information will have precedence. You can split a merged person at a later date if required.
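The merge rule described above, sketched as an added example that is not Cellebrite's code: persons merge on any shared identifier, the original person's values win conflicts, and the absorbed record is kept intact so it can be split out again. The `Person` class, the function names, exact-string matching of identifiers and matching through an identifier gained in an earlier merge are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Person:
    """Hypothetical person record: a data source owner or a party."""
    name: str
    identifiers: frozenset   # phone numbers, e-mail addresses, user IDs
    attributes: dict
    absorbed: list = field(default_factory=list)  # persons merged into this one

    def all_identifiers(self):
        ids = set(self.identifiers)
        for other in self.absorbed:
            ids |= other.all_identifiers()
        return ids

    def merged_attributes(self):
        # Own values are written first, so the original person wins conflicts.
        merged = dict(self.attributes)
        for other in self.absorbed:
            for key, value in other.merged_attributes().items():
                merged.setdefault(key, value)
        return merged


def open_person(workspace, incoming):
    """Add incoming to the workspace, merging on any shared identifier."""
    for existing in workspace:
        if existing.all_identifiers() & incoming.all_identifiers():
            existing.absorbed.append(incoming)  # kept intact so it can be split
            return existing
    workspace.append(incoming)
    return incoming


def split_person(workspace, owner, name):
    """Undo one merge: move the absorbed person back into the workspace."""
    for index, other in enumerate(owner.absorbed):
        if other.name == name:
            workspace.append(owner.absorbed.pop(index))
            return workspace[-1]
    raise KeyError(name)


def demo():
    # Constructed sample data.
    workspace = []
    alex = open_person(workspace, Person(
        "Alex (device owner)", frozenset({"+15550100"}),
        {"display_name": "Alex"}))
    open_person(workspace, Person(
        "A. Smith (party)", frozenset({"+15550100", "alex@example.test"}),
        {"display_name": "A. Smith", "employer": "Acme"}))
    # Matches only through the e-mail address gained in the previous merge.
    open_person(workspace, Person(
        "asmith (cloud account)", frozenset({"alex@example.test"}),
        {"city": "Springfield"}))
    before = (len(workspace), alex.merged_attributes(), alex.all_identifiers())
    split_person(workspace, alex, "asmith (cloud account)")
    after = (len(workspace), alex.merged_attributes())
    return before, after


if __name__ == "__main__":
    print(demo())
```

A merge keyed on one shared identifier will also join two people who share a handset or mailbox, which is why keeping each absorbed record separable matters.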
The case wizard enables investigators to easily create a new case with relevant case information and upload multiple data sources. Investigators can also merge or split data sources and activate Watch lists for the case.
1. Click . The following window appears.
2. Enter or select the following information: (mandatory field), , , (mandatory field), (mandatory field), and (mandatory field). Every Crime type that you enter will be added to the list for future cases.
3. Click . The following window appears.
4. Click to open a browser window and select the data sources you would like to add, or drop files and folders into the area indicated. You can select multiple data sources and assign them to a single or multiple suspects/victims. You can add the following file types: Cellebrite report package (UFDR), Micro Systemation extended XRY (XML) and external data sources (TXT, XLS, XLSX, CSV).
The Open Data Source window enables you to specify how you would like to add the new data source. That is, create a new person for each selected file (default), or create a single new person for all the selected files. The following window appears.
To edit the person's details, right-click on the person and click .
5. If required, select the data sources that you would like to merge, and click . Then, select the data source into which the data should be merged. Use the button to split merged data sources. The merged files will be combined into a single file. This file cannot then be split into separate files after you click OK. Use this option only if you are sure that all the files belong to a single entity.
6. Click . If the system already includes Watch lists, the following window appears:
This window enables you to activate previously saved Watch lists for the case. To create a new Watch list, see .
7. Click . The case creation process starts, which can take a long time depending on the data sources selected. An example is displayed next.
The workspace enables you to easily navigate between the graph view, the timeline, and the map. The Graph view, the Timeline view, and the Map view are all based on the same data set and filters.

Mouse over a data source owner or party in the Filters Pane or in the links diagram. The following window appears.
View the person's details, cloud data, activities, and merged party information (if relevant).
1. Click the button in the properties window. The Person details window appears.
3. Edit the displayed information or add additional information as desired.
4. To add an image:
a. Click .
b. In the Open dialog box, navigate to the location of the image.
c. Select the file, and then click .
To remove the image, click .
5. If relevant, click to add more information.
6. Click OK.
The data summary pane summarizes device data and activities for each person.
- displays all contact and user ID information for each person, including email addresses, phone numbers, and social media user IDs.
- displays the total number of unique entity identifiers recorded in the device, per category.
- displays the total number of activities per activity directory category.
- displays the details of each merged person, when relevant.
1. In the Data source owners filter, mouse over the name of the desired person.
2. Click on the Details, Data, or Activity types (or Merged persons, when relevant) to see the information displayed in the Details area. Double-click on a data or activity type to open a detailed information table in a new tab.
Includes a number representation for each type.
- Applications installed and deleted from the device: Table view
- Passwords: Table view
- Maps: Table view and Map view (includes zoom)
- User dictionaries: Table view and User dictionary view
- Contacts: Table and Contact view
- Phone numbers: Table view
- Email addresses: Table view
- User accounts: Table view
- MAC addresses: Table view
- Bluetooth: Table view
- Web bookmarks: Table and Web bookmark view
- URLs: Table view

Includes a number and bar graph representation for each type.
- Search items: Table view and Searched items view
- Applications usage: Table view and Applications usage view
- Text files: Table view and Text file reader view (includes find and zoom options)
- Audio files: Table view and Audio file player view (includes stop, play, pause, and volume)
- Web history: Table view and Web history view
- Notes: Table view and Note view (options for Left to right, Right to left, HTML, and Plain Text)
- Applications installed: Table view and Application installation
- Video file: Table view and Video file player view (includes stop, play, pause, and volume)
- Image files: Table view and Image file viewer
- Calendar entries: Table view and Calendar entry view
- Calls: Table view and Call view
- SMS messages: Table view and SMS message view
- MMS messages: Table view and MMS message view
- Email messages: Table view and Email message view
- Chats: Table view and chat view
- Locations: Table view and Location view
- Wireless connections: Table view and Wireless connection view
1. From the Data Sources Ribbon group, click and choose , then in the Data Sources window click . You can also add Micro Systemation XRY XML files from the New Case Wizard.
2. In the Open dialog box, navigate to the location of the report file.
3. Select the file, and then click .
4. Repeat these steps to add additional XRY reports (persons) to the project, as required.
You can add Call Detail Record (CDR) files generated by an external data source.
1. From the Data Sources Ribbon group, click and choose , then in the Data Sources window click .
2. In the Open Data Source dialog box, navigate to the location of the report file.
3. Select the file, and then click .
4. The Add Data Source wizard appears. UFED Analytics Desktop will analyze the input file and determine the best method of interpreting the content of the file. If the file content matches a known predetermined format (a ) then the system chooses it automatically for you. This prevents interruptions when selecting multiple files. You can choose to:
- Use the suggested preset
- Use one of the other presets available
- Create your own custom format to be used when reading this file
If you use the suggested preset or choose from an existing preset, when the data is loaded, click and skip to the end.
5. When you choose to , you use the Add Data Source wizard, defining formats and locations for the various pieces of information in the file. You have the option to click or at any time during the process to review and change formatting choices.
a. Choose the type of content you are importing. The choices are:
- Calls
- SMS Messages
- MMS Message
- Locations
The type chosen will determine what columns of information UFED Analytics Desktop will look for in the file being imported.
In this screen you also indicate:
- If there is a header row
- What row the header starts on and how many rows it contains
- What row the content starts on
Appropriate use of these settings allows for exclusion of "extra" information located at the top of the file which is not useful to the file load process.
b. Click to go to next step in the Add Data Source wizard.
6. If you choose a data type of Calls, the following window appears:
If you choose a data type of SMS messages, the following window appears:
If you choose the data type of MMS messages, the following window appears:
If you choose the data type of Locations, the following window appears:
7. Drag the headers to the correct columns, as indicated. The format definition of the header will determine how the column is formatted. Unless otherwise indicated, all columns are imported as text. Column headers enclosed in shaded area are required. Some columns have special formatting options - for example the date column: and the time column:
8. Click . You will be prompted to save your new preset file:
Analysis tabs open in the UFED Analytics Desktop workspace. By default, the tab is displayed.
The Link filters in the filters pane is updated to include the event types found in the opened report(s).
9. Repeat previous steps to add additional files (persons) to the project.
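What a custom preset has to capture, as an added Python example that is not part of the product: the header position, the row where content starts, the column mapping and the date and time formats, applied to a small constructed carrier file. The `CdrPreset` class, the field names and the per-type required columns are assumptions; the manual does not list which columns are required.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Assumption: which fields are mandatory for each content type. The manual
# only says that shaded column headers are required, not which ones.
REQUIRED = {
    "calls": ("from", "to", "date", "time"),
    "sms": ("from", "to", "date", "time"),
    "mms": ("from", "to", "date", "time"),
    "locations": ("latitude", "longitude", "date", "time"),
}


@dataclass
class CdrPreset:
    """Hypothetical stand-in for a saved import preset."""
    content_type: str   # "calls", "sms", "mms" or "locations"
    has_header: bool    # is there a header row at all?
    header_row: int     # 1-based row on which the header starts
    header_rows: int    # how many rows the header spans
    content_row: int    # 1-based row on which the records start
    columns: dict       # field name -> 0-based column index
    date_format: str = "%d/%m/%Y"
    time_format: str = "%H:%M:%S"


def validate_preset(preset):
    """Reject a preset that cannot produce usable events."""
    required = REQUIRED[preset.content_type]
    missing = [f for f in required if f not in preset.columns]
    if missing:
        raise ValueError("unmapped required columns: " + ", ".join(missing))
    first_content = preset.header_row + preset.header_rows
    if preset.has_header and preset.content_row < first_content:
        raise ValueError("content row lies inside the header")


def load_cdr(text, preset):
    """Return (events, rejected) for the non-blank rows from content_row on."""
    validate_preset(preset)
    required = REQUIRED[preset.content_type]
    stamp_format = preset.date_format + " " + preset.time_format
    events, rejected = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if line_no < preset.content_row or not any(c.strip() for c in row):
            continue  # preamble, header or blank line
        try:
            rec = {f: row[i].strip() for f, i in preset.columns.items()}
            empty = [f for f in required if not rec[f]]
            if empty:
                raise ValueError("empty required field: " + ", ".join(empty))
            stamp = rec.pop("date") + " " + rec.pop("time")
            rec["timestamp"] = datetime.strptime(stamp, stamp_format)
        except (IndexError, ValueError) as exc:
            rejected.append((line_no, str(exc)))  # keep the reason for review
            continue
        rec["source_line"] = line_no  # traceability back to the carrier file
        events.append(rec)
    return events, rejected


# Constructed sample: three preamble rows, one header row, four records.
SAMPLE_CDR = """\
Carrier export (constructed sample),,,,
Generated: 01/09/2016,,,,
,,,,
Calling,Called,Date,Time,Duration
15550100,15550111,30/08/2016,09:15:02,64
15550111,15550100,30/08/2016,21:40:10,12
15550100,,31/08/2016,08:00:00,5
15550122,15550100,31/13/2016,10:00:00,30
"""

SAMPLE_PRESET = CdrPreset(
    content_type="calls", has_header=True, header_row=4, header_rows=1,
    content_row=5,
    columns={"from": 0, "to": 1, "date": 2, "time": 3, "duration": 4},
)

if __name__ == "__main__":
    events, rejected = load_cdr(SAMPLE_CDR, SAMPLE_PRESET)
    for event in events:
        print(event)
    for line_no, reason in rejected:
        print("rejected line", line_no, "-", reason)
```

Rows that fail to parse are returned with their line number and reason instead of being dropped, so the record count can be reconciled against the carrier's file.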
The UFED Analytics Desktop workspace contains visualization tools and filters designed to help you analyze and evaluate the links between your suspects/victims.

The workspace contains the following areas:
1. Contains project management commands, as well as access to UFED Analytics Desktop settings and help. For more information, see .
2. Includes quick access to commonly used functions, graph layout tools and Watch list tools. For more information, see .
3. Contains tabs and panes showing links and locations:
- Filters pane – Use the filter pane in each tab to filter the data shown. For more information, see .
- Data area – View your data in Graph, Map, and Timeline views. You can open most of the tabs as many times as required.
- Information table – Lists the information shown in the data area.
- Details pane – Shows more details about a highlighted event. Includes Item, Adjacent events, and Conversation tabs. For more information, see
You can also open search results, Watch lists results, and person details tabs which display information in a table. For more information, see , , and .

All tabs and panes in the workspace are dockable, and can be rearranged as desired. To rearrange the layout, you have several options:
- Drag and drop the tabs and panes to be rearranged,
- Right-click the tabs and panes to be rearranged, and choose an option from the list,
- Or use the predefined layouts on the Ribbon.
The layout may be arranged to view the Graph, Timeline, and Map simultaneously, as shown below:
- To open a new workspace, click the button on the Ribbon. A new workspace is opened. If one or more workspaces are already open, they will not be closed.
- To copy a workspace, click the button on the Ribbon. A duplicate workspace is opened.
- To rename a workspace tab, click the button on the Ribbon, or press F2.
You can now analyze multiple views related to the same investigation in parallel. For example, you can view the Graph view on one screen and the Map view on another screen.
The Search field at the top of the workspace enables you to perform a global search for data (for example messages, content etc.) within the entire workspace (all persons).
1. Enter the string you want to search for in the Search field. The matching results are displayed by data type in a Search Results tab in the Data area.
2. In the left panel of the Search Results tab, click the item type to display the matching results in the table.
3. To sort the data in the table according to a particular column in ascending order, click the column heading. Click again to change the sorting from ascending to descending.
3. Filters
Filter the data by selecting data types to display.
- Choose which data source owners' information to display.
- Choose to display events within a defined period of time.
- Choose to display parties that are connected to displayed data source owners.
- Choose the content types (calls, chats, contacts, images, locations, etc.) to display.
- Choose to display data based on the source from which the data originated.
- Filter using predefined Watch lists that use keywords to identify important information.
- Choose to view text data categorized by type.
- Define a maximum radius and time to be considered as mutual locations.
- Choose the minimum number of connections between persons to view, based on mutual connections with parties.
- Define the minimum types of activities between persons to view.
- Display user-tagged content.
- Choose images categorized by subject.
Sort the filters by name or by number of hits by clicking on the button to the right of the filter name.
Filter the data by selecting the data source owners you wish to link.
The workspace is updated accordingly.
- Mouse-over the person. The following window appears.
Sort the filters by name or by number of hits by clicking on the button to the right of the filter name.

Filter the data by selecting the timeframe you wish to search.
1. In the area in the Filters pane, click . The Timeframes options appear.
2. In the and boxes, enter the desired date or click , and select the desired date from the calendar.
3. Enter, or use the arrows to set the desired hour.
4. Click to apply the filter.
The workspace is updated accordingly - only events that occurred within the selected timeframe are displayed.
To add an additional timeframe filter, click again.
To delete a timeframe filter, click .

Filter the data by selecting the parties you wish to search for links with.
The workspace is updated accordingly.
Sort the filters by name or by number of hits by clicking on the button to the right of the filter name.

Filter the data by selecting the content types (calls, chats, contacts, images, locations, etc.) to view.
The workspace is updated accordingly.
Sort the filters by name or by number of hits by clicking on the button to the right of the filter name.

Filter the data by selecting the content origin types (Facebook, Twitter, WhatsApp, Google, Dropbox, etc.) to view.
The workspace is updated accordingly.
Sort the filters by name or by number of hits by clicking on the button to the right of the filter name.

Advanced filters list the number of relevant hits out of the total hits. In addition to enabling the quick extraction of relevant data, advanced filters enable the investigator to double-check whether important information may have been left out during the filtering process.

Filter the data with pre-defined Watch lists.
The workspace is updated accordingly.
To create a new Watch list, see .

The Text Analytics feature automatically applies natural language processing to all textual data in the system and tags events and terms related to specific topics of interest, including web addresses, persons, locations, nationality, and money. Filter the data using the Extracted categories filter in the Filters Pane.
The workspace is updated accordingly.
For more information, see .

You can define what the system considers a mutual location. To define mutual locations, select the maximum distance and amount of time to be considered a mutual location.
The workspace is updated accordingly.

Filter the data by the minimum number of data source owners that displayed parties are connected to. In the area in the Filters pane, click and select the minimum number of Data source owners.
The workspace is updated accordingly.

You can filter items so that the system only displays recurring activities. To filter links, select the minimum number of each activity that you want to display.
The workspace is updated accordingly.

You can filter items so that the system only displays items with the relevant tags. To filter tags, select the tags that you want to display.
The workspace is updated accordingly.
For more information, see .
4. Advanced Analytics
Advanced analytics features in UFED Analytics Desktop include:

The Text Analytics feature automatically applies natural language processing to all textual data in the system and tags events and terms related to specific topics of interest. The ability to automatically tag relevant data allows for additional refinement and analysis.
1. Click the Manage Categories button on the Ribbon. The window appears.
2. Choose the categories to be displayed, and their colors. The chosen color will be displayed when viewing data in this category.
3. Filter the data using the Extracted categories filter in the Filters Pane.
4. View the results in the Timeline tab.

The Image Analytics feature automatically identifies black-listed images, compares digital image signatures, and applies advanced categorization and face recognition technology. It eliminates the need to review images one by one to identify specific subjects, reducing cycle times while maximizing investigative resources.
1. Click on the Review Images button on the Ribbon. The Image files tab is displayed.
2. Filter the images using the Image Analytics Tags Filter.
The workspace is updated accordingly.
5. Analyzing links Analyze the links between your persons of intere st and other persons in the Graph s tab.
5 r e t p a h C
The link diagram in the Graph tab show s the selected data source owners and their linked parties.
To change the types of links to view, use the Linked data source owners filter:
- shows all the selected Data source owners, and all their linked parties.
- shows all the selected Data source owners, and their mutual linked parties.
To change the selected person, double-click the desired person in the Persons table at the bottom of the tab to focus the view on the new person, and click the desired person.
To enlarge the link diagram, click in the area to collapse the table in this project. Click again to display the table. You can also minimize the application Ribbon: right-click the Ribbon and select , click on the Ribbon, or press Ctrl+F1.
The lower section of the links tabs shows a table of all the filtered persons and activities displayed in the link diagram. For more information, see . Double-click the desired person in the Persons table to focus the view on the selected person in the link diagram.
Change the diagram layout according to your preference. On the ribbon, in the group, select one of the following:
- horizontal configuration
- vertical configuration
- radial configuration
The workspace is updated accordingly. The graph can support a maximum of 1,000 links. If there are more than 1,000 links to be shown, the graph view will show only the first 1,000 links and the icon will appear. Filter out irrelevant data to view the rest of the results.
Navigate the link diagram on the diagram itself, or by using the Navigator. To open the Navigator, click the .
The Navigator appears:
Perform the following actions on the diagram or Navigator to navigate the link diagram:
- To zoom in and out of the diagram, use the mouse scroll button, or in the ribbon click the and buttons.
- To pan the diagram, hold CTRL and drag the mouse to the desired location.
- On the diagram, to move the display left, right, up, or down, use the scroll bar.
- On the Navigator, re-size the rectangle.
You can change the arrangement of the diagram by moving and locating persons anywhere in the diagram, as desired. To rearrange the layout of the link diagram, drag a Data source owner or Party to a different location. The workspace is updated accordingly.
Each connection line has a meaning:
- A black line indicates a direct connection between persons.
- A thick line indicates a large number of events between the parties. The thickness of the line changes according to the activities as follows:
  - 1 – 50 activities (not including contacts) is represented by a normal line
  - 51 – 100 activities (not including contacts): Semi-strong line
  - 101 – 500 activities (not including contacts): Strong line
  - >500 activities (not including contacts): Very strong line
- A continuous line indicates a connection where there were events between the party and the data source owner.
- A dotted line indicates a connection where the party appears in the data source owner’s contact list but there were no other events between them.
Each connection line has an arrowhead that represents the type of connection between the data source owner and the party:
- Pointing toward the data source owner: Incoming connection (i.e. phone calls made to that data source owner and messages sent to him from that party).
- Pointing toward the party: Outgoing connection (i.e. phone calls dialed and messages sent by the data source owner to the party).
- Pointing both ways: Both incoming and outgoing connections.
- No arrows: Means the direction is irrelevant (for example, contacts) or unknown.
Click a person to view a label in the center of the link line that displays a summary of the connections made.
Bluetooth devices Calendar entry Calls Chats Chat messages Contacts Email messages SMS messages Wireless connections
Double-click a link to display a link timeline that provides detailed information about the connection(s).
Each type of connection (contact, SMS, MMS, email, chat message, chat, or call) is displayed in a different tab, listing each connection entity. You can now open multiple views of links and maps in parallel to take different investigation paths.
When viewing a graph, a contextual tab is displayed.
The button allows you to take snapshots of the workspace.
1. Click the Snapshot button. A Save Graph Snapshot window appears.
2. Enter a name for the snapshot.
3. Navigate to the desired location and click .
Link diagrams are saved as a picture file (*.png).
The Export to Microsoft Excel button allows you to save the filtered data as an Excel file (.xls).
1. Click the button. A Save As window appears.
2. Enter a name for the exported file.
3. Navigate to the desired location and click .
The Timeline tab displays the events of the selected persons in chronological order. Understand the course of events and data flow between persons of interest - Data source owners and Parties. Change the types and amounts of data using .
Change the timeline view using the predefined layouts on the Ribbon: .
To view the Timeline, Graph and/or Map tabs simultaneously, see .
Events without a date are listed at the end of the Timeline.
When viewing media, a contextual tab is displayed.
- The button opens the media with a default program.
- The button allows you to save the media file in a new location.
- The button opens the media in a new tab.
When viewing images, a new contextual tab is displayed.
- The button allows you to save the image file in a new location.
- The button allows you to rotate or flip the image.
- The button allows you to change the image's contrast and brightness.
- The button allows you to sharpen the image.
- The Undo and Redo buttons allow you to undo and redo changes made to the image.
The Details pane displays more details about the selected event. The details tabs include:
The Item tab displays all stored information about the event.
The data source type for each event is indicated.
Click to set the text direction.
The Adjacent events tab displays events of all types that occurred adjacently to the selected event, enabling the investigator to view a comprehensive list of events that occurred around the time of the selected event.
The Conversation tab displays communication-based data, such as call logs, email, SMS and MMS messages, and so on, that occurred within two hours of the chosen event, enabling easier and better tracking of the communication between two or more persons.
Parties are the persons with whom the Data source owner has interacted. You can work with parties in the following ways:
- Highlight links between Data source owners and a particular Party in the Graph tab. See .
- Split the Party and its contact information. See .
Click a person in the Graph tab to highlight its links.
When a link is highlighted, a link timeline opens.
The table lists the persons of the currently displayed link diagram in table format.
The table contains information such as:
- Contact name.
- Contact phone number(s).
- Contact email address(es).
- IDs for applications such as Facebook, Skype, and so on.
- Multiple columns based on the number of selected persons. Shows the total number of links between this person and the listed person.
Click the column headings to sort the table in ascending or descending order.
- In the table, enter the string you want to search for in the Search field.
Only the matching results are displayed in the table.
- In the table, right-click an entity and select , or double-click the row.
The person is highlighted in the links diagram.
1. In a link diagram in the Graph tab, select the person with events that you want to view as a timeline.
2. Right-click and select . The timeline tab appears.
3. Filter the timeline, as desired. Persons timelines and graph timelines do not filter by parties.
The button adds a new tab with all items sorted by type in a table format.
The Type filter includes data types such as: Calls, Chats, Contacts, Image files, Locations, and Passwords. The list will vary based on the data found in your case. Use the Type filter to select the required data type.
A new tab is opened. You may filter the data listed using the Filters pane.
6. Watch lists
A Watch list is a list of keywords that can be used as search criteria. The criteria will be used when searching in extracted data to identify and highlight important and relevant information. Up to 100 keywords can be added to each Watch list. Up to 500 Watch lists can be created. The Watch list search can be activated automatically, or run manually. Watch lists are managed in UFED Analytics Desktop using the tools available on the Ribbon.
1. Click the button in the section of the Ribbon. The following window appears.
2. Click . The following window appears.
3. Enter a Name for the new Watch list - this name will be used when taking any action on the Watch list - e.g., activation, deactivation, deletion, export.
4. Enter a Description for the new Watch list - this is useful to give a detailed description of the purpose of the Watch list.
5. Choose a color for the new Watch list - this color will be used when viewing data while using this Watch list.
6. The keyword data table has an empty row at the end for entering new keywords. Enter keywords and press after each keyword to open a new row.
7. Add and delete as required.
If a keyword appears in multiple Watch lists and the keyword is found in data being searched, then the color from the last Watch list will be used to show the keyword in the data.
For each keyword, indicate:
- This setting allows for the use of wildcard characters in the keywords. The following wildcard characters are allowed:
  ? Use the question mark (?) to represent exactly one character. All of the other characters specified are required in matching strings. For example, co?caine matches cocaine (where the ? replaces one character).
  * Use the asterisk character (*) to represent zero or more characters. For example co* matches strings such as cocaine, coke, coco.
- This will result in exact matches for the keyword, and will not match on words where your keyword is part of a longer word.
- This will result in the search being case-sensitive.
wildcards - yes     apple           Match
wildcards - yes     ale             No match
wildcards - no      able            No match
wildcards - no      agdsfggsfgle    No match
whole word - yes    Myapple         No match
whole word - yes    My apple        Match
whole word - no     Myapple         Match
whole word - no     My apple        Match
With the combined use of these criteria, powerful search criteria can be defined.
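The keyword settings and the last-Watch-list color rule described above, modeled as an added Python example (not Cellebrite's code and not from the manual). All class and function names are hypothetical, the sample text is constructed, and two behaviors are assumptions: a wildcard stands for word characters only, and matching ignores case unless the case-sensitive setting is on.

```python
import re
from dataclasses import dataclass, field

MAX_KEYWORDS = 100  # per-Watch-list limit stated in the manual


@dataclass(frozen=True)
class Keyword:
    text: str
    wildcards: bool = False       # treat ? and * as wildcards
    whole_word: bool = False      # do not match inside a longer word
    case_sensitive: bool = False  # assumption: off means case is ignored

    def regex(self):
        if self.wildcards:
            # ? = exactly one character, * = zero or more characters.
            # Assumption: a wildcard never crosses a word boundary.
            table = {"?": r"\w", "*": r"\w*"}
            body = "".join(table.get(c, re.escape(c)) for c in self.text)
        else:
            body = re.escape(self.text)  # ? and * stay literal characters
        if self.whole_word:
            body = rf"(?<!\w)(?:{body})(?!\w)"
        return re.compile(body, 0 if self.case_sensitive else re.IGNORECASE)


@dataclass
class WatchList:
    name: str
    color: str
    keywords: list = field(default_factory=list)

    def __post_init__(self):
        if len(self.keywords) > MAX_KEYWORDS:
            raise ValueError(f"{self.name}: more than {MAX_KEYWORDS} keywords")

    @classmethod
    def from_txt(cls, name, color, content, **options):
        """Build a list from the .txt layout: one keyword per line."""
        words = [ln.strip() for ln in content.splitlines() if ln.strip()]
        return cls(name, color, [Keyword(w, **options) for w in words])


def matches(keyword, text):
    """True when the keyword is found anywhere in the text."""
    return keyword.regex().search(text) is not None


def scan(text, watch_lists):
    """Return highlight spans as (start, end, matched, list name, color)."""
    hits = {}
    for wl in watch_lists:  # iteration order stands in for Watch list order
        for kw in wl.keywords:
            for m in kw.regex().finditer(text):
                if m.end() > m.start():
                    # A later list overwrites an earlier one on the same span,
                    # so the last Watch list decides the highlight color.
                    hits[m.span()] = (m.group(), wl.name, wl.color)
    return [(s, e, *hits[(s, e)]) for s, e in sorted(hits)]


# Constructed sample data, not taken from any real extraction.
SAMPLE = "Myapple arrived. My apple is red. Ask Coco about the coke."
NARCOTICS = WatchList.from_txt("Narcotics", "red", "co*\n",
                               wildcards=True, whole_word=True)
PRODUCE = WatchList("Produce", "green", [Keyword("apple", whole_word=True)])

if __name__ == "__main__":
    for hit in scan(SAMPLE, [NARCOTICS, PRODUCE]):
        print(hit)
```
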
1. Click the button in the section of the Ribbon. The following window appears.
2. Click the Watch list that you want to edit. You can now:
- Change the for the chosen Watch list.
- Change the for the chosen Watch list.
- Change the for the chosen Watch list.
- In the right side of the screen, enter or delete one or more words or strings to be included as keywords in this Watch list.
- Click on an existing keyword to change it.
1. Click on the button in the section of the Ribbon. The following window appears.
2. Select the Watch list that you want to delete and click . You may delete multiple Watch lists in this way.
The delete action will take effect as soon as this screen is closed with the button. If you click , all delete actions will be ignored and the Watch list(s) will NOT be deleted.
The export and import functions enable you to share watch lists and receive Watch lists from your colleagues. Import existing Watch lists (*.csv files) that have been created outside of UFED Analytics Desktop or shared with you. UFED Analytics Desktop also supports .txt files with every keyword on its own line.
Click on the button in the section of the Ribbon. The following window appears.
- Click . You will be presented with a file dialog and can browse to the appropriate location and choose the file to import (must be a .csv file). If an imported Watch list already exists, the new watch list will be added with a numeric extension. A maximum of 500 watch lists can be saved at a time.
- Select the watch list and click . You will be prompted to provide the destination folder. The Watch list is then extracted to a .csv file in the selected folder.
1. Click on the button on the .
You will be presented with the following screen:
A list of the currently available Watch lists is presented. This list is made up of Watch lists previously added or imported. Each Watch list is shown with its and the color used to display results.
2. Select the check box next to each Watch list that you want to activate or deactivate.
3. Click to apply this action.
Activating a Watch list makes it available for filtering. Filtering by Watch list is performed when Watch list filters are applied.
Watch list results are viewable in two ways:
1. While viewing any Data or Activity, the matching keywords will be highlighted in the color of the Watch list.
2. To view the Watch list results as a comprehensive list, click the button on the Watch list Ribbon - all Data and Activity that has matching keywords will be displayed as follows:
7. Managing tags
While reviewing events and contacts, the investigator can tag these items for future reference. Each item can have multiple tags. Tags are managed at the application level and not at the project level. This means that the tags are available for all projects and not only the project in which the tag is created.
A tag name must be unique, and can only include alphanumeric characters and ordinary brackets (). Special characters such as: []{}!@#$%^&* cannot be used. The system does include several predefined tags:
- Important
- Irrelevant
- Need to follow
1. From the Tagging ribbon group, click . The following window appears.
2. Enter the name for the new tag and click the button or press ENTER. The new tag is displayed in the list.
3. Optional: Choose a hotkey from the list for future use.
4. Click OK.
You can use the search box to search for a specific tag. Start typing the name and as soon as the system identifies a match the tag will be displayed. You can also create new tags when applying a tag - see .
You can edit the name of all tags, which will affect all cases.
1. In the Tag Management screen, click the required tag and edit the text.
2. Click OK.
You can delete any tag, which will affect all cases. If you delete a tag that was applied to an item, that item will no longer include the tag.
1. In the Tag Management screen, click the button of the tag that you want to delete.
2. Click OK.
Any item that can be tagged is indicated with an icon. An item that has been tagged is indicated with an icon. Tags can be applied to the following items:
- Data by type table
- Timeline table
- Search table
- Link details table
1. Select the items that you want to tag. You can select multiple items using the CTRL and SHIFT buttons.
2. Click the button (or click the button on the ribbon). The following screen appears.
3. Use this screen to apply tags, search for tags, clear selected tags, create new tags, or reassign tags to specific items. To create a new tag, type a new tag name in the New tag box and click .
4. Click OK.
Tags are viewable in the .
8. Analyzing locations
Access the tab to view the locations that your persons of interest have visited. View multiple Data source owners’ locations on a single map. Search for specific locations, and filter the locations based on date and time and distance between a few Data source owners' locations. Locations are represented by a simple icon in the color you assign to the Data source owner for easy identification.
During extraction, location data is drawn from different locations within the device. Location data can be divided into the following categories:
- Cell towers
- Wi-Fi networks
- Media locations
- GPS device data
- Navigation applications
Location data in the Cell towers and Wi-Fi network categories includes:
- GPS information - longitude and latitude
- Accuracy - radius in meters within which the device is located.
- Confidence - in %. How confident the service provider is that the device lies in the calculated location.
- Timestamp
Media location data is taken from the location stamp associated with each media file.
- Click and drag the map.
- On your keyboard, press the arrows to move the map north, south, east, and west.
- Mouse over a location and use the mouse scroll button to zoom in or out on that location. Double-click a location to zoom into that location.
- Click anywhere on the map to center the map on that location.
- Geographic coordinates of the mouse location and the view scale are always displayed on the map. View a map overlay of a greater area to help you use the map by clicking . The map overlay responds to the map controls.
- Right click on an event on the map to locate it in the time line:
- Right click on an event on the time line to locate it on the map:
View extracted locations using offline maps even without an Internet connection. The maps package installation is required and it is available to UFED Analytics Desktop users with a valid license. You can choose to use online or offline maps when viewing maps. The offline maps feature uses a light Windows service that opens and listens to TCP port 3000. To use this feature, you need to select the check box during the UFED Analytics Desktop installation process. If this service was not selected, then you need to reinstall the application.
1. Log in to MyCellebrite.
2. Click the tab.
3. Download the Offline maps package.
There are a number of offline map packages. You can view extracted locations on a worldwide map, and zoom in at a higher resolution to view streets in selected continents using offline maps.
1. After downloading the relevant offline maps package, in UFED Analytics Desktop, go to select . The following window appears.
Click to change the default location where the offline maps are installed.
2. Click to load the offline maps package. Due to the size of the file, the loading process takes some time to complete. At the end of the loading process the following window appears.
The offline maps are now installed and ready to use. An example of an offline map is displayed next.
If you have already downloaded the offline maps with a different UFED product, you can use the same map packages.
Markers signify the location where a person's device registered. The color of the marker signifies which person was registered at a particular location. At a low zoom level, markers show the approximate location, and may include the data of more than one person. The following markers are examples of the types of markers that are displayed in the map:
- At low zoom level, this marker displays a number of recorded locations in a particular area. The marker may include the data of more than one person, as shown by more than one color in the marker. Zoom in to split the marker. Markers that do not split at high zoom indicate one location.
- Indicates the location of the cell tower that registered the person's device.
- Indicates the location of the Wi-Fi network receptor that registered the person's device.
- Indicates the recorded location of a media object.
- Indicates that the category of the location is unknown.
When viewing a map, a contextual tab is displayed.
- The button allows you to switch between road view and aerial view.
- The button allows you to work with the map without an internet connection. Offline maps must be previously installed to use this function.
- The button downloads Cellebrite's offline maps package for offline use.
8. Persons management
Persons are created when a report file is loaded. Persons may be merged and merged persons may, in some cases, be split back to their original state.
When investigating a person with multiple mobile devices, the person's information will come from multiple data sources. Merging allows for information from two (or more) data sources to be merged into one person record. Persons with mutual details will be merged even in single data sources. Merging is done at a project level - this means that regardless of where the merge was initiated, the person is merged in all views.
1. Right-click on the person in any view. The following menu appears.
2. Choose . The following window appears.
The list of available persons is displayed and you can choose to merge with another person. Scroll through the list or use the search option to find specific matching persons.
3. Click the relevant person and click OK. The following window appears.
When merging persons, there is an order of precedence to determine what default is suggested for the merged person:
  - Data source owner
  - Merged person
  - Other persons
- Person picture: You can choose one picture to present in UFED Analytics Desktop. If only a single picture is available – it will be selected automatically.
- Person details: You can choose which person name and occupation to present in UFED Analytics Desktop. All other information will be combined into one list. For example: Address 1 and address 2, custom field 1 and custom field 2.
- Person identifiers: You can view a single list of all the identifiers with the ability to view the source of the identifier. For example: email from person X and phone from person y.
While merging, you can choose to add additional information using the list.
4. Any information that was loaded from a report file cannot be changed or removed. For example,
- Phone Number
- Email Address
- MAC Address
- User Account
After a merge, the merged person can be identified in the as follows (note the double box around the picture):
For reference, an unmerged person will look like this:
There are a number of reasons why a merged person would need to be split:
- The investigator may have chosen the wrong person by mistake.
- The UFED Analytics Desktop automatically connected two persons into one since they used the same number, email address etc. After checking, the investigator found out that the connection was based on general email such as sales or support and therefore the two persons should be split.
Select the merged person (in any view). Right-click, and click .
If the merged person is composed of more than two persons, all persons will be split.
9. Generating reports
1. On the Ribbon, in the group, click .
2. In the tab, set the following:
a. select to include the properties of each data source owner in the session. Data source owner information is included for all data source owners open in the session, regardless of whether they are currently selected in the filters.
b. select the views that you want to include in the report.
c. enter the Investigator name, Investigator ID, Department name, Case number, and Case name, as desired.
3. In the box, enter the desired file name. If you do not change this name, and there is an existing report with the same name, a counter is automatically added to the name.
4. In the box, enter the path and folder name to which to save the generated report file. Click to set a different path.
5. By default, the report is created in a sub-directory with a name constructed from the date and time the report was generated (for example, AnalyticsDesktopReport_251212_105908):
- To change the name of the subdirectory, select the displayed name and enter the desired name.
6. Access the tab.
7. Set the following:
- Enter and format custom text to appear in the report header before the logo image.
- Click to add the logo image to appear in the report header. Supported file formats are: BMP, JPG, GIF, and PNG.
- Enter and format custom text to appear in the report footer after the logo image.
8. Click .
is unavailable until all the required fields are filled. When the report is successfully generated, you are prompted to open the generated report file. The file opens using the application associated with the file format on the workstation.
10. Managing cases
This section includes the following:
UFED Analytics Desktop continually saves your work so there is no need to manually save your case. This includes your last selected filters, tabs, layouts etc. For more information on opening a saved case, see .
Open a saved case to continue your work from a previous session or to open a shared project. Close any open cases and start a new session. The Recent case view lists all the cases available in the application ordered by creation date. The investigator can easily navigate between cases or search for a specific case. Only one case can be open at any one time. If you open a new case when you are working in another project session, UFED Analytics Desktop closes your current session.
1. From an existing project, click . The following window appears.
2. If relevant, close an open case by clicking .
3. Click to open the required case.
Previously saved cases will be listed in the Recent cases view, sorted by creation date. To delete a case and all its case data, click .
11. Reference
This section includes the following:
1. In the File menu, select .
2. To set the interface language, select the language in the list.
3. To set the Theme color, select the theme in the list.
4. To set the measurement system used, select the system in the list. The default measurement system is based on the Windows OS settings.
5. To set the number of digits used in order to determine phone number uniqueness, select the number in the list.
6. To set how timelines are shown in new views, select the view in the list.
Provides summary information for each project of all the data sources that were imported into UFED Analytics Desktop, as follows:
- An indication of whether the data source was successfully imported or not.
- The location path for the data source file.
- The number of activities in each data source file.
- The number of activities in each data source file that can be presented on the timeline.
- The number of locations included in each data source file that can be presented on the map.
- Create a new case using the wizard.
- Open an existing case.
- Close the current analysis session and clear the workspace.
- Lists tasks running in the background and their progress.
- Set your UFED Analytics Desktop preferences.
The menu contains the following items:
- View information about the UFED Analytics Desktop version.
- Use a local dongle or network dongle, or enter a new activation code, by loading it from a file using the button.
- Opens the user manual in PDF format.
- Zips the log files and opens the folder where the zipped log files are saved.
- Activates Bing maps so that you can view locations on a map. It requires Internet access and a valid license.
The tools available in the application Ribbon are organized into tabs. The tab contains the following:
- Add or remove data sources.
- Open a new workspace.
- Add a new tab to show all items of the same type for persons.
- Generate a report with the data you have filtered.
- View, manage and activate Watch lists.
- Tag items and manage tags.
- View image files with image analytics tags.
- Manage text analytics tags.
The tab contains the following:
- Increase the size of the current view.
- Decrease the size of the current view.
- Fit the current view into the visible screen dimensions.
- Refresh the data of the current view.
- Copy the current workspace.
- Rename the current workspace.
- The default layout.
- Opens the timeline under the map in the Map tab.
- Control thumbnail size.
- Sort data by type, time stamp or deletion.
- Sort images by size, name, time or analytics tags.
The tab is a contextual tab, the buttons of which vary based on the tab you are currently working on. There are also contextual tabs for maps, tables of images, videos, and audio files.
The tab, when working on a Graph, also contains the following:
- View the data in a horizontal configuration.
- View the data in a vertical configuration.
- View the data in a radial configuration.
The tab, when working on a Timeline, contains the following:
- View the data as a table.
- View the data in a feed format.
- View the data in icon format.
The tab, when viewing images, also contains the following:
- View the image data in a table format.
- View the images in a grid format.
- Control image size.
- In the Ribbon, click .
- Right-click the Ribbon and select .
- In the Ribbon, click .
- Right-click the ribbon and select (clear).
- Right-click the Ribbon and select .