Add Cellebrite mobile data as evidence
1. Add Cellebrite UFED files as evidence
1. View metadata for Cellebrite deleted files
1. View the Cellebrite path in the evidence browser
1. Re-instate missing Cellebrite tags if missing in Nuix Workstation

Add Cellebrite mobile data as evidence

This section covers how to:

Add Cellebrite UFED files as evidence

View metadata for Cellebrite deleted files

View the Cellebrite path in the evidence browser

Re-instate missing Cellebrite tags if missing in Nuix Workstation

Cellebrite produces forensic technology for extracting and analyzing data in seized mobile devices using their UFED product. UFED collects data from mobile phones (both Android and iOS), drones, SIM Cards, SD cards, and GPS devices.

You can easily import and export Cellebrite data into or out of Nuix Workstation. However, you first need to add the requisite Processing Profile to ingest the Cellebrite file's data.

Add Cellebrite UFED files as evidence

To add or extract mobile evidence in the form of UFED data:

Ensure you set the Processing Profile for mobile data ingestions. See this section in Add mobile data as evidence.

From the Add Case Evidence window, click Add to open from the Add/Edit Evidence dialog. For more details, see Add case evidence.

Click the Content field's Add button and select Add Mobile Evidence, then Cellebrite.

Browse and select a UFED file for processing.

The Content pane then displays Cellebrite Mobile Evidence file: {URL of file path}.

Click Add to proceed with processing data.

The added Cellebrite evidence must meet the following requirements:

Files with the extension .UFDR and .zip are filtered in the file browser for selection.

Any other files can be selected via the Add Files/Folder option.

Users can also select .UDFR files via the Add Files/Folder option.

Note: If you select a zip file that does not contain UFED data, a warning message informs you that the evidence file cannot be added.

View metadata for Cellebrite deleted files

The metadata for deleted files in Cellebrite is shown even if the binary does not exist. It helps you better understand the context of deleted files.

View the Cellebrite path in the evidence browser

The Unnamed Container folder name is replaced to display the Cellebrite path correctly as shown in Cellebrite to help with your investigation.

Re-instate missing Cellebrite tags if missing in Nuix Workstation

If, when you have an XML export from Cellebrite with tagged chat data (showing properties:"Cellebrite Tags") and the tags do not populate in Nuix Workstation (even after running a search on has-tag:1), do the following to propagate the missing tags:

To propagate missing Cellebrite tags in Nuix Workstation:

Select all Cellebrite items in the Results pane.

Run the following script to return all tagged Cellebrite items as tagged Nuix items:

current_selected_items.each }}{{do |item|
  value = item.properties[{}}}\\\\\\\{{{}"Cellebrite Tags"{}}}\\\\\\\{{{}]
  if value != nil
    if value.respond_to?(:each)
      value.each }}{{do |tag|
        {{puts }}{ {"Adding # {tag}

to item #

{item.name}

"}}
        item.add_tag(tag)
      end
    else
      {{puts }}{

{"Adding #{value} to item #\{item.name}

"}}
      item.add_tag(value)
    end
  end
end
0