Editing report fiel...
 
Notifications
Clear all

Editing report fields in CelleBrite PA

9 Posts
5 Users
0 Likes
841 Views
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

OK, not quite a technical question, but one that's causing me no end of strife.

I can't edit the Report Fields in Physical Analyzer.

I can see them in Settings and Project Settings.

I can add additional ones and remove the additional ones, but I can't have my own set of custom ones without adding to an already long list of default ones. I would end up with about 30 if I had to just add to the ones there?

Am I missing something obvious? I just can't find a setting or config file anywhere? Please help!

4R

PS. Google and CelleBrites website and Help section are of no use!

 
Posted : 31/05/2018 3:25 pm
(@jahearne)
Posts: 35
Eminent Member
 

I've never liked a report exported out of any forensic software of any tool yet. I can get BlackLight to produce an acceptable appended report.

Cellebrite, all I do is export to a spreadsheet and add my own fields, headers and company logo. Insert, cut n paste, delete unnecessary columns… It's a manual process, but what can you do! Automated forensic reports suck.

 
Posted : 01/06/2018 8:04 pm
(@trewmte)
Posts: 1877
Noble Member
 

but I can't have my own set of custom ones

I think that is a sound approach by Cellebrite not to allow hardcoded headers to be changed. No end of chances to receive witness summons to attend court to answer about changes they never knew about.

Perhaps you may wish to approach the problem from another angle. It is the data you want not their headings. So why not export the data but using a mask over the top of their data. You get the data and at the same time get the headings you want. In the past when this was done some organisations used html to produce a cover over the data exported from the data recovery/forensic tool. Others used macros in XLS or Access to a similar effect…

 
Posted : 01/06/2018 8:37 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

These days the time spent on filtering, sorting and styling forensic reports is usually more then actually getting the needed forensic content (

The problem is not only the work which has to be done to make a report good-looking, the biggest problem is the user errors which could occur!!!

Masking the column headers in any way is possible and resolves the issue, but I still consider that forensic programs should be more flexible regarding reporting, otherwise after each human interaction re-validating is needed (

Another problem is misinterpretation which could occur from rewritten column headers in reports, be aware that prosecutors and judges aren't IT experts!

 
Posted : 02/06/2018 6:35 am
(@trewmte)
Posts: 1877
Noble Member
 

Masking the column headers in any way is possible and resolves the issue, but I still consider that forensic programs should be more flexible regarding reporting, otherwise after each human interaction re-validating is needed (

The other side to that coin is that maybe Cellebrite have IP or copyright, etc. in their style to differentiate from competitors product. Moreover, if operators of the tool were freely changing the headers might there be, apart from 'lost in translation', the introduction of loss of product uniformity. E.g. the Cellebrite output reports in, say, France would be completely different to reports in the UK or US.

Another problem is misinterpretation which could occur from rewritten column headers in reports, be aware that prosecutors and judges aren't IT experts!

Reports often reflect interpretative meaning but without giving "expert" opinion. I noted in a recent case in Ireland that the "trained operator" of the Cellebrite system was allowed to give evidence despite legal argument against the operator giving evidence based upon R .v. Cochrane principles. The Court's decision appears much more in line with the principles reflected in R .v. Shepherd.

So if you find creating a template mask time consuming, there might be a way forward albeit it you may consider it a hammer and chisel approach. If the operator had a standard A4 page that fronted the report defining the current Cellebrite headings (recorded in a column based format), so that would be column 1.
Column 2 would be Cellebrite's interpretation of data
Column 3 would be the operator's desired heading.
Column 4 would be the operator's interpretation of the data

Ideally, at least Col 1, 2 and 4 should have no material difference. If they do have differences this exercise might illuminate a deeper problem e.g. standard industry classification… or understanding of the meaning the data conveys.

 
Posted : 02/06/2018 10:07 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

I totally agree! Flexibility in reporting is exactly what you wrote in so many words )

 
Posted : 02/06/2018 6:03 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As often happens, allowing to change the name of columns in a report (*any* report, not only in digital forensics, that is the output of a program or script largely in use) may lead to a Tower of Babel when it comes to actually interpret the data.

Otherwise, a legend/translation table of some kind is needed.

For an unrelated example, check here (old article of mine)
http//jaclaz.altervista.org/Projects/USB/USBstick.html

around halfway you will find a "translation table" for the set of fields in a common partition table, something very "basic" for which there should have been a "common" and "unique" tag name, yet every program manages to call the same field something (slightly) different.

In the specific case, almost any tag is easily understandable (though, still in the example, a "same" field called by one tool "Relative Sectors" and by another one "Starting" can be - to say the least - confusing), but in a digital forensics report a similar difference may lead to misunderstandings with consequences. 😯

jaclaz

 
Posted : 03/06/2018 9:43 am
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Apologies, I've just come back to this. Looks like its started a discussion. All are very good and valid points, unfortunately for my specific needs, I have to have the report headers in the download as the excel form is dropped into an analysis tool which reads the file and report headers and does some magic in the background to pull out all the relevant data.

As mentioned, I could edit the excel sheet, but this would not be a viable option to do for every single phone we do (that will be put through this tool)

I can add fields, but I would basically just end up with a messy report with a load of blank headers that I've simply not used. As far as I am concerned, this is extremely poor on CelleBrites part not to give its users this option to edit *ALL* headers.

 
Posted : 07/06/2018 1:35 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Only to understand, but why cannot the "tool" be changed/modified?

Or why you cannot make an "intermediate" step (a simple Excel Macro will do) to change the headers in the excel sheet after it has been generated by the Encase software?

jaclaz

 
Posted : 07/06/2018 3:17 pm
Share: