By: Heather Mahalik – Senior Director of Digital Intelligence at Cellebrite

In the two previous blogs in this series we covered, “How to Open A Case In Physical Analyzer” and “How to Do Quick-and-Easy Redactions in Physical Analyzer.”

In this blog, we’re going to cover one of the recent updates to Physical Analyzer called the “App Genie,” a new research tool engine that surfaces data from third-party apps based on heuristics.

The App Genie can be run in many ways within your project and examiners can select which apps are of particular interest for the App Genie to run.

This new tool can be leveraged to extract additional application databases, but they must be validated by the examiner. I think of this as my “Application Cheat Sheet.” The App Genie does not negate what is parsed in Physical Analyzer, but it guides us along our way to uncover additional chats, calls, contacts, and more.

Cellebrite is always striving to provide you with capabilities to dig deeper into the evidence. The App Genie will make you aware of applications that may not be parsed by the tool itself that you can dive into more deeply if you need to. Here’s how it works.

You can access the App Genie either from the installed applications view or by going straight to “Tools” -> “App Genie.”

In this example (shown below), I’m going to go in through the app “Insights” because I like the new view and I think it’s easier to select what you want. I’m going to choose all the “Installed Applications,” “Social networking,” and all the “Chat apps” just for fun.

At the bottom of the pane (shown below), you’ll see where it says, “Run AppGenie.”

The following screen is really important because it reminds you that the App Genie is strictly a research tool and that you must validate the results.

Remember, the results here do not replace what you found in Physical Analyzer.

Now I’m going to press “Next” and you can see in the frame below that it’s giving me the apps I selected. This is where you need to ask yourself whether you want to include these or not.

I’m going to select “Start” and the App Genie is going to run. In the frame below you can see at the bottom that the App Genie is parsing the applications and that it is “getting more data.”

The App Genie may take some time to run depending on the processing power of your computer and how many apps you have selected. Once it has completed its run, you should see a message that the App Genie is finished.

You can click the “X” to close it. When you go to the left-hand pane you’ll see an entirely new category called “AppGenie Analyzed Data.”

Here you’ll see everything from device locations (and it breaks these down by application) to Chats, Contacts, Passwords, and User Accounts. Everything is here and it’s really cool that what you’re seeing is not found anywhere else in the tool.

Now (and I cannot stress this strongly enough), you need to go to the source and verify these artifacts. The App Genie is an amazing research tool that can aid in your investigations, but your findings always need to be verified.
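To make concrete what a column-name heuristic like this does, and why its output still has to be checked against the source database, here is an added illustration that is not App Genie’s own code: a small Python scanner that flags SQLite tables as Chats, Contacts or Passwords from their column names alone, then pulls the raw rows so an examiner can compare them with what the tool reported. The keyword lists and the sample database are constructed for the example.

```python
import sqlite3

# Column-name keywords hinting at the artifact categories App Genie reports.
# These are illustrative rules of my own, not Cellebrite's actual heuristics.
HEURISTICS = {
    "Chats": ("message", "body", "msg", "text"),
    "Contacts": ("phone", "number", "email", "display_name"),
    "Passwords": ("password", "passwd", "secret", "token"),
}

def table_columns(conn, table):
    """Lower-cased column names of a table, read via PRAGMA table_info."""
    return [row[1].lower() for row in conn.execute(f'PRAGMA table_info("{table}")')]

def classify_tables(conn):
    """Map each user table to the category whose keywords match most of its columns."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    result = {}
    for table in names:
        cols = table_columns(conn, table)
        scores = {cat: sum(any(k in c for c in cols) for k in keys)
                  for cat, keys in HEURISTICS.items()}
        best = max(scores, key=scores.get)
        if scores[best] > 0:          # tables with no keyword hit are not surfaced
            result[table] = best
    return result

def extract_hits(conn, table):
    """Raw rows of a flagged table, as dicts, for verification against the source."""
    if table not in classify_tables(conn):   # only names read from sqlite_master get queried
        raise ValueError(f"{table!r} was not flagged; nothing to verify")
    conn.row_factory = sqlite3.Row
    return [dict(r) for r in conn.execute(f'SELECT * FROM "{table}"')]

def build_sample_db():
    """Constructed stand-in for a third-party app database taken from an extraction."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (id INTEGER, sender TEXT, body TEXT, sent_at INTEGER);
        CREATE TABLE contacts (id INTEGER, display_name TEXT, phone TEXT);
        CREATE TABLE auth (user TEXT, password TEXT);
        CREATE TABLE settings (key TEXT, value TEXT);
        INSERT INTO messages VALUES (1, 'alice', 'meet at 5?', 1700000000);
        INSERT INTO messages VALUES (2, 'bob', 'sure', 1700000060);
        INSERT INTO contacts VALUES (1, 'Alice', '+15550100');
        INSERT INTO auth VALUES ('alice', 'hunter2');
        INSERT INTO settings VALUES ('theme', 'dark');
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for table, cat in classify_tables(db).items():
        print(cat, table, extract_hits(db, table))
```

Note that the `settings` table is never surfaced even though it may hold evidence, and a table is labelled from its schema, not its contents; both are reasons the flagged rows are a lead to verify, not a finding.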

Learn more about the App Genie here.
