How to Discover Artifacts in Cellebrite Physical Analyzer – Part 3
Browser activity plays a role in most investigations. However, before you dive into browser data, there are some important questions to ask yourself first.
- Do you know where to start?
- Do you know how the data may exist in its native format?
- What about default or obscure browsers?
Browser history, bookmarks, sync data, and cache may exist in multiple locations. Verifying the source of the browsing artifact will ensure you aren’t overlooking any items of interest.
Once you find the database that contains the browsing information, make sure you look for deleted entries that may not have been parsed. The easiest way to do this is to perform a keyword search in Hex if the data is not carved using the DB viewer in Cellebrite Physical Analyzer (PA).
Do not fear the unknown when it comes to application data. Practice with PA on an image you know. Create test data, delete items, and then go on the hunt to find them. Practice and verification will make you a much stronger examiner, and you can rest a little easier knowing that everyone here at Cellebrite has your back.
Thus far in this series, we’ve talked about discovering chats and uncovering general artifacts using Cellebrite Physical Analyzer. In this blog, I’d like to focus on browser data.
There are very few investigations where browser data doesn’t play a key role, so it’s important that you understand where to look for this information.
Here are a few tips and tricks that will get you to the right information more quickly when you’re analyzing data.
Check Web History
One of the first things I do when I activate PA is scroll down to “web history,” just to see what my total is parsing.
In the screenshot below, we can see the “web bookmarks” and then “Android Browser.” Some people may wonder, “what is Android browser?” This is the browser that comes by default with Samsung devices.
The screenshot below is also a good example where, under “web bookmarks,” the tool is actually parsing the data. I have found that in many commercial tools, Samsung browser is not parsed for bookmarks. It’s very important that you have the total picture. For example, if I switch to my iPhone, and do the exact same thing by going down to view “Web History,” we can see we have “Safari.”
Make sure you understand the default browser that comes with the device you’re examining. In this example, clearly, Safari makes sense for iPhone while Ask Browser would make sense for a Samsung. Where you have to be careful on Android, however, is that the user can change their default browser. What you need to do every time you open a new device is go up into the apps folder and look at “Installed Applications” to see if you can find any other browsers of interest.
This is really important when examining Android devices because if you miss it, how are you going to know that something is not hiding from you?
Check The Hex
The tools are really strong. Cellebrite Physical Analyzer will do a great job at parsing browser history. But whether or not it grabs all of the information is up to you. Also, remember “deleted data” that may live inside of these databases. When you go to your database file of interest, make sure you are looking at the hex.
When you’re in the hex, keyword search the hex. Use all the skills that you’ve learned to make sure you’re not missing any browser information that is important.