Editing report fields in CelleBrite PA

  

4Rensics
Senior Member
 

Editing report fields in CelleBrite PA

Post Posted: May 31, 18 09:25

OK, not quite a technical question, but one that's causing me no end of strife.

I can't edit the Report Fields in Physical Analyzer.

I can see them in Settings and Project Settings.

I can add additional ones and remove the additional ones, but I can't have my own set of custom ones without adding to an already long list of default ones. I would end up with about 30 if I had to just add to the ones there?

Am I missing something obvious? I just can't find a setting or config file anywhere? Please help!

4R

PS. Google and CelleBrite's website and Help section are of no use!
 
  

jahearne
Member
 

Re: Editing report fields in CelleBrite PA

Post Posted: Jun 01, 18 14:04

I've never liked a report exported out of any forensic software of any tool yet. I can get BlackLight to produce an acceptable appended report.

Cellebrite, all I do is export to a spreadsheet and add my own fields, headers and company logo. Insert, cut n paste, delete unnecessary columns... It's a manual process, but what can you do! Automated forensic reports suck.  
 
  

trewmte
Senior Member
 

Re: Editing report fields in CelleBrite PA

Post Posted: Jun 01, 18 14:37

4Rensics wrote: "but I can't have my own set of custom ones"


I think that is a sound approach by Cellebrite not to allow hardcoded headers to be changed. No end of chances to receive witness summons to attend court to answer about changes they never knew about.

Perhaps you may wish to approach the problem from another angle. It is the data you want not their headings. So why not export the data but using a mask over the top of their data. You get the data and at the same time get the headings you want. In the past when this was done some organisations used html to produce a cover over the data exported from the data recovery/forensic tool. Others used macros in XLS or Access to a similar effect...
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

passcodeunlock
Senior Member
 

Re: Editing report fields in CelleBrite PA

Post Posted: Jun 02, 18 00:35

These days the time spent on filtering, sorting and styling forensic reports is usually more than actually getting the needed forensic content :(

The problem is not only the work which has to be done to make a report good-looking, the biggest problem is the user errors which could occur!!!

Masking the column headers in any way is possible and resolves the issue, but I still consider that forensic programs should be more flexible regarding reporting, otherwise after each human interaction re-validating is needed :(

Another problem is misinterpretation which could occur from rewritten column headers in reports, be aware that prosecutors and judges aren't IT experts!
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

trewmte
Senior Member
 

Re: Editing report fields in CelleBrite PA

Post Posted: Jun 02, 18 04:07

passcodeunlock wrote: "Masking the column headers in any way is possible and resolves the issue, but I still consider that forensic programs should be more flexible regarding reporting, otherwise after each human interaction re-validating is needed :("


The other side to that coin is that maybe Cellebrite have IP or copyright, etc. in their style to differentiate from competitors' product. Moreover, if operators of the tool were freely changing the headers might there be, apart from 'lost in translation', the introduction of loss of product uniformity. E.g. the Cellebrite output reports in, say, France would be completely different to reports in the UK or US.


passcodeunlock wrote: "Another problem is misinterpretation which could occur from rewritten column headers in reports, be aware that prosecutors and judges aren't IT experts!"


Reports often reflect interpretative meaning but without giving "expert" opinion. I noted in a recent case in Ireland that the "trained operator" of the Cellebrite system was allowed to give evidence despite legal argument against the operator giving evidence based upon R .v. Cochrane principles. The Court's decision appears much more in line with the principles reflected in R .v. Shepherd.

So if you find creating a template mask time consuming, there might be a way forward albeit you may consider it a hammer and chisel approach. If the operator had a standard A4 page that fronted the report defining the current Cellebrite headings (recorded in a column based format), so that would be column 1.
Column 2 would be Cellebrite's interpretation of data
Column 3 would be the operator's desired heading.
Column 4 would be the operator's interpretation of the data

Ideally, at least Col 1, 2 and 4 should have no material difference. If they do have differences this exercise might illuminate a deeper problem e.g. standard industry classification... or understanding of the meaning the data conveys.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
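
An added example, not part of any post in this thread: a sketch of the header mask and four-column legend discussed above, applied to a spreadsheet-style export, with a hash over the data rows to show the mask changed only the headings. The CSV content, the headings and all function names are constructed for illustration and are not taken from any tool's actual output.

```python
import csv
import hashlib
import io

# Constructed sample export; headings and rows are illustrative, not real tool output.
EXPORT = (
    "Party,Timestamp,Body\n"
    "+15550100,2018-05-31 09:25,hello\n"
    "+15550101,2018-05-31 09:30,\"on my way, 5 min\"\n"
)

# One legend row per column:
# (tool heading, tool's meaning, operator heading, operator's meaning)
LEGEND = [
    ("Party", "Number of the other party", "Contact Number", "Number of the other party"),
    ("Timestamp", "Time recorded by the handset", "Date/Time", "Time the message was sent"),
    ("Body", "Message text", "Message", "Message text"),
]

def _rows(csv_text):
    return list(csv.reader(io.StringIO(csv_text)))

def body_digest(csv_text):
    """SHA-256 over the data rows only, so a heading change does not alter it."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(_rows(csv_text)[1:])
    return hashlib.sha256(out.getvalue().encode("utf-8")).hexdigest()

def apply_mask(csv_text, legend):
    """Swap tool headings for operator headings; refuse unmapped or duplicate ones."""
    mapping = {tool: operator for tool, _, operator, _ in legend}
    rows = _rows(csv_text)
    missing = [h for h in rows[0] if h not in mapping]
    if missing:
        raise ValueError(f"no legend entry for: {missing}")
    header = [mapping[h] for h in rows[0]]
    if len(set(header)) != len(header):
        raise ValueError("operator headings are not unique")
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([header] + rows[1:])
    return out.getvalue()

def legend_differences(legend):
    """Legend rows whose two interpretation columns (2 and 4) do not match."""
    def norm(text):
        return " ".join(text.lower().split())
    return [row for row in legend if norm(row[1]) != norm(row[3])]

def mask_preserves_data(original, masked):
    """True when the masked report carries exactly the original data rows."""
    return body_digest(original) == body_digest(masked)
```

The text comparison in `legend_differences` only flags wording that differs; whether a difference is material remains the examiner's judgement.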
 
  

passcodeunlock
Senior Member
 

Re: Editing report fields in CelleBrite PA

Post Posted: Jun 02, 18 12:03

I totally agree! Flexibility in reporting is exactly what you wrote in so many words :)
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

jaclaz
Senior Member
 

Re: Editing report fields in CelleBrite PA

Post Posted: Jun 03, 18 03:43

As often happens, allowing to change the name of columns in a report (*any* report, not only in digital forensics, that is the output of a program or script largely in use) may lead to a Tower of Babel when it comes to actually interpreting the data.

Otherwise, a legend/translation table of some kind is needed.

For an unrelated example, check here (old article of mine):
jaclaz.altervista.org/...stick.html

around halfway you will find a "translation table" for the set of fields in a common partition table, something very "basic" for which there should have been a "common" and "unique" tag name, yet every program manages to call the same field something (slightly) different.

In the specific case, almost any tag is easily understandable (though, still in the example, a "same" field called by one tool "Relative Sectors" and by another one "Starting" can be - to say the least - confusing), but in a digital forensics report a similar difference may lead to misunderstandings with consequences. :o

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
