UFED PA working with watchlists (keyword lists)

6 Posts
3 Users
0 Likes
1,778 Views
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I have an interesting problem which seems simple but is turning out to be deceptively complex.

I have a phone which has been processed with UFED PA, and as luck would have it there are quite a lot of records on the phone. There is a small portion of data over which there is a privileged claim (LPP), so I find myself needing to produce a report of a subset of data which will exclude the privileged data.

My issue is that I cannot find a way within UFED PA to exclude the LPP data. I can tag the items that are LPP, however when it comes to reporting my options are 'everything' or 'tagged only'.

Okay, so my next thought is to tag everything, then I'll go through and untag the LPP data so I can do a report on 'tagged only'. This is where the frustrating bit comes in. When using a watchlist there doesn't appear to be a way to show all the watchlist items in a single window the way you can with all other search results.

If I can display them in a single window this allows a batch select and untag, problem solved.

It wouldn't be so bad if the watchlist results could be displayed a group at a time (i.e. all SMS hits, all MMS hits etc.) but it looks like the only way to display watchlist results is a single hit at a time (over 8,000 in this instance).

I've looked at importing the dump into third party tools, but this client has had over 30 phones as part of this engagement, all resulting in UFED reports; if I start producing completely different reports now it will not go down well.

Any thoughts/ideas on how to accomplish this in PA?
I have reached out to Ron Serber as well but thought the community may have something to offer.

Thanks all.

 
Posted : 12/08/2019 7:55 am
(@agp_analyst)
Posts: 22
Eminent Member
 

I've also run into this issue, although when trying to achieve a different result. There is no way to work in bulk from a Watchlist within PA, it's just not possible.

The only way to transfer results from a Watchlist to tags is by manually tagging each Watchlist result.

It's one of the major limitations of PA and really isn't acceptable with the advancements from other software providers.

 
Posted : 12/08/2019 9:57 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

This is turning out to be a bit of a nightmare.

The only solution I can come up with is to tag everything manually, then run the search strings one at a time with the 'all projects' search at the top right, then untag all the resulting hits.

Not elegant but it should work... except for some reason this data set is killing UFED PA with multiple freezes and crashes; it takes around 3 mins to save a project file.

So it's taken around 3 hours to run and untag 6 keywords thus far...

So the quiet message for UFED, you have possibly the market leading extraction software, with an underperforming reporting/analysis tool in PA.

 
Posted : 13/08/2019 5:55 am
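The workaround described above (tag everything, run each keyword, untag the hits) is a batch exclusion by watchlist, which is exactly what PA does not offer in one step. Where the production is a tabular export rather than a PA project, the same partition can be done outside the tool. The script below is an added example, not part of this thread or of any Cellebrite product: it takes a CSV export (the column names and the sample rows are constructed for the example, not PA's real schema) and a keyword list, withholds every record that matches any term in any searched field, and keeps a privilege log stating which term caused each exclusion so a reviewer can confirm the decision.

```python
import csv
import io
import re

# Constructed sample of a tabular message export (the column names are an
# assumption for this example, not UFED PA's actual report schema).
SAMPLE_EXPORT = """id,type,party,timestamp,body
1,SMS,+15550001,2019-07-01 09:00,Meeting at 10 re the contract
2,SMS,+15550002,2019-07-01 09:05,Call from Smith & Co Solicitors about the case
3,MMS,+15550003,2019-07-02 11:30,Photo attached
4,SMS,+15550001,2019-07-02 12:00,Legal advice: do not sign until counsel reviews
5,SMS,+15550004,2019-07-03 08:15,Lunch?
"""

# Constructed watchlist of privilege indicators (hypothetical terms).
WATCHLIST = ["Smith & Co Solicitors", "legal advice", "counsel"]


def compile_watchlist(terms):
    # Escape each term so '&', '.' etc. match literally, and ignore case so
    # the list behaves like a keyword watchlist rather than a regex.
    return [(t, re.compile(re.escape(t), re.IGNORECASE)) for t in terms]


def partition_records(csv_text, terms, search_fields=("body", "party")):
    """Split rows into (disclosable, withheld).

    A row is withheld as soon as any watchlist term appears in any of the
    searched fields; every matching term is recorded so the privilege log
    shows why a record was excluded.
    """
    patterns = compile_watchlist(terms)
    disclosable, withheld = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = [term for term, pat in patterns
                if any(pat.search(row.get(f) or "") for f in search_fields)]
        if hits:
            withheld.append({**row, "hits": "; ".join(hits)})
        else:
            disclosable.append(row)
    return disclosable, withheld


def to_csv(rows, fieldnames):
    """Serialise rows back to CSV text (the hand-over file or the kept log)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def filter_export(csv_text=SAMPLE_EXPORT, terms=WATCHLIST):
    """Return (disclosable_csv, privilege_log_csv) for a tabular export."""
    disclosable, withheld = partition_records(csv_text, terms)
    base = ["id", "type", "party", "timestamp", "body"]
    return to_csv(disclosable, base), to_csv(withheld, base + ["hits"])


if __name__ == "__main__":
    report, log = filter_export()
    print("--- disclosable report ---")
    print(report)
    print("--- privilege log (retained, not disclosed) ---")
    print(log)
```

Because the terms are escaped, a watchlist entry such as "Smith & Co Solicitors" is matched as a phrase and cannot accidentally become a regular expression; widening `search_fields` to attachment names or contact fields is a one-line change, and the log makes over-exclusion visible rather than silent.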
marky.mark
(@marky-mark)
Posts: 22
Eminent Member
 

Hi Adam,

Cellebrite is working on a solution that can achieve this kind of work; they call it 'legalview'. They partnered up with Relativity to enhance exporting and reviewing capabilities. It will give us the possibility to extract a UFED PA "report" in a Concordance loadfile format. In your case, this would make you able to import the loadfile into tools like NUIX and perform your searches and tags. This loadfile can be worked with and then imported into a review platform.

Unfortunately when I contacted them, they told me that this feature will not be available for their law enforcement/GOV clients... This is crazy because many of us are users of their solutions. So I contacted them back to find out why such an important feature would not be available to us. I am waiting for an answer right now.

If this kind of feature is valuable to you as well, I suggest that you contact them and ask for this to be implemented inside UFED PA. They really need to step up their game in regard to the way we can export their data and work with it post-acquisition.

Have a nice day.

M.

 
Posted : 13/08/2019 1:51 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Hi Mark, working the UFED reports in third party tools is already possible, as IEF and Intella can both ingest the UFDR reports that PA creates and can work with them quite well. I suspect NUIX can as well, but I don't use that tool much.

In this instance though I need to work within PA as all the other phones I have produced reports for with this engagement were straight up PA reports (excel workbooks). The client loves those and has built a very large complex working document based on data of this type.

If I pull out a report with a third party tool then it's not going to be workable for them to incorporate this data into their existing workflow.

I agree though that UFED needs to look at expanding the PA tool with some flexibility and usability.

 
Posted : 14/08/2019 1:09 am
marky.mark
(@marky-mark)
Posts: 22
Eminent Member
 

Hi Adam,

Tools like Intella and others can "ingest" UFED reports in some ways, it is true. But in doing so you open yourself to disclosing more information than you maybe want to. If you ingest a UFED report inside Intella or other tools, you may have the full communications databases parsed even if you chose to only have significant messages exported. Those messages would be invisible inside the UFED Reader when you open it, but the databases can still be found there, hidden inside the UFED report. This is a no-no when you need to work with periods determined in the mandate or with possible privileged information.

That said, if you use the Excel report format, you have less chance of finding surprises inside your production, as it is similar to a loadfile in that you control the information you disclose.

The loadfile option would give you more knowledge about exactly what you export, what you are working with and the ability to then remove what you do not seek to disclose. This is valuable especially when you are trying to exclude some privileged documents, communications, information.

Having said that, if you do not care that some databases or more information can be found inside a production even if you blacklisted it, go ahead and work with the UFED Reader report. Just keep in mind that the UFED Reader report is like a black box and you do not control the information with 100% certainty. Again, if you do not control the format in which you deliver the said information, you then cannot be 100% sure of your work product.

If you want to be sure, you should at least test your final report inside a good analysis tool. You could have surprises! We learned the hard way here not to fully trust the UFED Reader report.

Good luck with that!

M.

 
Posted : 14/08/2019 2:51 pm
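The point made in the post above is that a packaged report may carry whole databases that the reader never shows, so the production should be checked before it leaves your hands. The script below is an added example, not from this thread or from Cellebrite; it assumes only that the report is a zip-based container (which is what a UFDR file is, to my knowledge, though its internal layout is not assumed here). It constructs a stand-in container with a rendered report file and a real SQLite database stored under a misleading name, then sweeps every member by magic bytes rather than extension, and lists the tables in anything that turns out to be a database.

```python
import io
import os
import sqlite3
import tempfile
import zipfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def make_sqlite_bytes():
    """Build a tiny real SQLite database in a temp file and return its bytes."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE messages (id INTEGER, body TEXT)")
        conn.execute("INSERT INTO messages VALUES (1, 'constructed sample row')")
        conn.commit()
        conn.close()
        with open(path, "rb") as fh:
            return fh.read()
    finally:
        os.remove(path)


def build_sample_container():
    """Constructed stand-in for a zip-based report container (not a real UFDR).

    It holds a rendered report, a fake image, and a database stored under a
    neutral name so the sweep cannot rely on file extensions.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.xml", "<report><message id='1'>hello</message></report>")
        zf.writestr("files/photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
        zf.writestr("files/cache.bin", make_sqlite_bytes())
    return buf.getvalue()


def list_tables(db_bytes):
    """Write the carved database to a temp file and enumerate its tables."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(db_bytes)
        conn = sqlite3.connect(path)
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
        conn.close()
        return [r[0] for r in rows]
    finally:
        os.remove(path)


def find_embedded_databases(container_bytes):
    """Return [(member name, size, table names)] for every SQLite file inside."""
    found = []
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the header is read for the check; the whole member is
            # read back only once it is known to be a database.
            with zf.open(info) as member:
                head = member.read(len(SQLITE_MAGIC))
            if head != SQLITE_MAGIC:
                continue
            found.append((info.filename, info.file_size, list_tables(zf.read(info))))
    return found


if __name__ == "__main__":
    for name, size, tables in find_embedded_databases(build_sample_container()):
        print(f"{name}: {size} bytes, tables={tables}")
```

Run against a real production, any hit is a database the recipient could open with a generic SQLite viewer regardless of what the report viewer displays, which is the surprise the post warns about; the table list tells you at once whether it is a full communications store or something harmless.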