Group Chat Digital Forensics Tool was designed to display chat conversations visually, in chat bubbles, the way they appear on a mobile device.
Cellebrite UFED PA is an extremely useful tool, but properly displaying SMS/MMS and Chat conversations for reports can be frustrating, especially when those messages contain images or video.
This tool was designed to solve this issue.
It works with the following chat applications:
- Facebook (more testing required)
- WhatsApp (more testing required)
- And many others *
Download Group Chat Digital Forensics Tool (v 1.0)
Download Excel Helper Tool (v. 1.0)
~ Example of iMessages with multiple participants
- Merges SMS and MMS messages into a single chat
- Merges iMessage conversations into a single chat (even if the SIM card has been switched multiple times in the phone)
- Includes images in the output
Using the Application
The steps required depend on whether you plan to use this application for SMS/MMS or for Chat applications.
- Go into “Timeline”
- Un-check all “Type” values except SMS & MMS Messages
- Export to Excel
- Open the Excel file and re-save it as CSV
NOTE: The application only accepts CSV files.
The Chat section can often contain a number of different Chat applications. As a result, you should perform the following steps for each type of chat app. The one exception is iMessages.
iMessages can often be separated into a number of different chat groups as a result of carved data or SIM cards being switched in and out of the phone. If you want your final report to show all the messages together, then all iMessage chats should be exported into one Excel file. The app will properly show the ‘sending’ phone number.
These records are often duplicates of the actual records on the phone and do not normally add any value to the report. I will often remove these records once it is confirmed that they hold no value to the investigation. This is done prior to exporting to Excel.
- Click into the Chat program you want to export (in UFED PA)
- Export to Excel
- Open the Excel file and copy all records, including the header row
- Download and open “Chat App – Helper Tool.xlsm”
- Make sure no records are currently displayed in this helper tool.
- Paste your copied records into the “Chat App – Helper Tool.xlsm” file
- Press the “Run Code” button
- Press the “Export to CSV” button
A CSV file will be created in the folder where you saved the Helper Tool.
Chat App – Helper Tool
The purpose of this tool is to create extra columns that contain the path to each attachment. When Chat records are exported from UFED, the export contains a column for each attachment (“Attachment #x”). The filename displayed in that column is different from the actual path to the file, which is held in the cell’s hyperlink, and that hyperlink is lost when the file is saved as CSV.
This Excel file separates the two values (displayed file, hyperlink value) into two columns so that the information is available within the CSV file.
As with any macro-enabled workbook, review the VBA code (Alt+F11) before enabling macros to confirm it does nothing malicious; a macro runs with the full privileges of your user account.
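If you would rather not enable macros on an investigative workstation, the same result can be produced outside Excel. The following is an added example and is not the Helper Tool or any Cellebrite code: an .xlsx file is a zip of XML parts, so the displayed text and the hyperlink target of each cell can be read with the Python standard library and written out as two CSV columns. The workbook built by build_sample_xlsx() is constructed here; its column names and the relative attachment path are assumptions, not real UFED output.

```python
"""Split displayed text and hyperlink target from an .xlsx export, without macros.
Constructed example: reads the first worksheet, its hyperlink relationships and
the shared-string table with the standard library; hyperlinked columns are
written to CSV twice, the displayed value and then "<column> (link)"."""
import csv
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = NS_REL + "/hyperlink"


def _col_index(ref):
    """Cell reference 'AB12' -> zero-based column index 27."""
    n = 0
    for ch in re.match(r"[A-Z]+", ref).group(0):
        n = n * 26 + ord(ch) - 64
    return n - 1


def _cell_text(cell, shared):
    """Displayed value of a <c> element: shared string, inline string or plain value."""
    v = cell.find(f"{{{NS_MAIN}}}v")
    if cell.get("t") == "s":
        return shared[int(v.text)] if v is not None else ""
    if cell.get("t") == "inlineStr":
        return "".join(t.text or "" for t in cell.iter(f"{{{NS_MAIN}}}t"))
    return (v.text or "") if v is not None else ""


def read_sheet_with_links(xlsx_bytes, sheet="sheet1"):
    """Return (header, rows); each row is a list of (display_text, link_target_or_None)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = set(zf.namelist())
        shared = []
        if "xl/sharedStrings.xml" in names:
            for si in ET.fromstring(zf.read("xl/sharedStrings.xml")).iter(f"{{{NS_MAIN}}}si"):
                shared.append("".join(t.text or "" for t in si.iter(f"{{{NS_MAIN}}}t")))
        # External hyperlink targets live in the sheet's .rels part, keyed by relationship id.
        rels = {}
        rel_name = f"xl/worksheets/_rels/{sheet}.xml.rels"
        if rel_name in names:
            for r in ET.fromstring(zf.read(rel_name)).iter(f"{{{NS_PKG}}}Relationship"):
                if r.get("Type") == HYPERLINK_TYPE:
                    rels[r.get("Id")] = r.get("Target")
        root = ET.fromstring(zf.read(f"xl/worksheets/{sheet}.xml"))
        links = {}
        for h in root.iter(f"{{{NS_MAIN}}}hyperlink"):
            rid = h.get(f"{{{NS_REL}}}id")
            if rid in rels:
                links[h.get("ref")] = rels[rid]
            elif h.get("location"):  # link to another cell inside the workbook
                links[h.get("ref")] = "#" + h.get("location")
        grid = []
        for row in root.iter(f"{{{NS_MAIN}}}row"):
            cells = {}
            for c in row.iter(f"{{{NS_MAIN}}}c"):
                ref = c.get("r")
                if ref:
                    cells[_col_index(ref)] = (_cell_text(c, shared), links.get(ref))
            grid.append([cells.get(i, ("", None)) for i in range(max(cells) + 1 if cells else 0)])
    if not grid:
        return [], []
    return [d for d, _ in grid[0]], grid[1:]


def widen_links_to_csv(header, rows):
    """CSV text; every column carrying a hyperlink in any row gets a '(link)' column after it."""
    width = max([len(header)] + [len(r) for r in rows])
    linked = {i for r in rows for i, (_, tgt) in enumerate(r) if tgt}
    names = [header[i] if i < len(header) else f"col{i + 1}" for i in range(width)]
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow([x for i, n in enumerate(names) for x in ((n, n + " (link)") if i in linked else (n,))])
    for r in rows:
        line = []
        for i in range(width):
            disp, tgt = r[i] if i < len(r) else ("", None)
            line.append(disp)
            if i in linked:
                line.append(tgt or "")
        w.writerow(line)
    return out.getvalue()


def build_sample_xlsx():
    """Constructed three-row workbook with one external hyperlink (paths are assumptions)."""
    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'
    sheet = (
        f'<worksheet xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheetData>'
        f'<row r="1">{cell("A1", "From")}{cell("B1", "Body")}{cell("C1", "Attachment #1")}</row>'
        f'<row r="2">{cell("A2", "+15550100")}{cell("B2", "see pic")}{cell("C2", "IMG_0001.jpg")}</row>'
        f'<row r="3">{cell("A3", "+15550199")}{cell("B3", "ok")}</row>'
        '</sheetData><hyperlinks><hyperlink ref="C2" r:id="rId1"/></hyperlinks></worksheet>'
    )
    rels = (
        f'<Relationships xmlns="{NS_PKG}"><Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
        'Target="files/Attachments/IMG_0001.jpg" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(widen_links_to_csv(*read_sheet_with_links(build_sample_xlsx())))
```

Run it against a real export by replacing build_sample_xlsx() with the bytes of the UFED workbook; the first worksheet is assumed to be sheet1.xml, which is what Excel writes for a single-sheet export. Rows with fewer cells than the header are padded, so the resulting CSV stays rectangular.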
Now that you have a CSV file ready, the next step is to export all the images from UFED.
This step is not necessary unless you want the application to do filename matching for those messages where the image is no longer available within the SMS/MMS or Chat extraction.
NOTE: When you export MMS or Chat Apps with attachments, they will be exported with the original Excel file.
- Click into the “Images” section in UFED PA
- Export all images to Excel.
NOTE: The Excel file itself isn’t needed; the purpose of this step is simply to get the images exported into a single folder on your investigative computer.
If the original attachment has been deleted and a match is made with an image in the “Images” folder, the image in the PDF will have a thick red border around it.
Putting it all Together
Now that you have all the proper information exported and in the correct format, you will need to make sure it is all contained in the same folder. The folder should look similar to:
SMS – MMS
Running the Application
Download the program and unzip all files into a folder on your computer. To run the application, click on the “Group Chat Digital Forensics Tool.exe” file.
You must select the appropriate source and related CSV file.
Display Source Info
This option will display the source information of the record.
Clear Output Folder
All files generated will be placed in the “Output” folder located in the same directory as the application. This option will clear all previous files generated prior to running the application again.
Report Output – HTML or PDF
Chats can be exported as either HTML or PDF files.
HTML – Export as HTML5
Benefit: Images, Videos and other file attachments can be clicked to open in external application.
PDF – Export as PDF
Benefit: Ideal for generating reports
Output – Final Records
The files generated will be placed in the “output” directory located in the same folder as the application.
Each Chat Group will have its own folder which will contain the PDF and all files required to generate the PDF including an HTML page.
To make reporting easier, all PDFs are also copied into the _PDFs folder. This allows you to quickly view and merge all PDFs using Adobe Acrobat for your final report.
A log is generated during program execution. This is displayed in both the main window of the application and in a separate “App.log” text file located within the application folder.
Extractions often contain deleted records and images. If a record was deleted, ‘deleted’ is shown clearly below the message. Where only a partial record has been recovered and the date shows as 2005, the application warns the user.
Often with deleted records, the record itself is recovered but the original attached image is no longer available within the application’s folder. However, past cases have shown that the image can often be found in other areas of the device, including the DCIM folder.
For this reason, you have the option to export all images from the extraction and have the app attempt to find the missing image based on filename. Investigations that rely on the sending or receiving of images as part of the offence benefit most from this feature. Because the image is matched on filename alone, the resulting message shows a thick red border around any image found this way, to make clear to the reader of your report that it is not necessarily the image that was actually sent or received.
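The matching described above, as an added example that is not the tool’s own code: when the recorded attachment path no longer exists, fall back to a basename lookup over the exported images folder and flag the result so a report can mark it (the thick red border). Filenames such as IMG_0001.jpg recur across a device, so a basename that maps to more than one exported file is reported as ambiguous rather than silently picking one, and every image placed in the report is hashed so a reviewer can verify it later. The folder layout, CSV columns and file contents built by build_sample_case() are constructed for the example.

```python
"""Resolve message attachments against a folder of all exported images.
Constructed example: statuses are 'original' (recorded path still exists),
'filename_match' (exactly one exported image has the same basename),
'ambiguous' (several do) or 'missing' (none)."""
import csv
import hashlib
import io
import os
import tempfile
from collections import defaultdict


def index_images(images_dir):
    """Map lowercase basename -> all matching paths (case-insensitive, as the export lands on Windows)."""
    idx = defaultdict(list)
    for root, _, files in os.walk(images_dir):
        for name in files:
            idx[name.lower()].append(os.path.join(root, name))
    return idx


def sha256_of(path):
    """Hash the file actually placed in the report so its identity can be checked later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_attachment(recorded_path, base_dir, image_index):
    """Prefer the recorded path; otherwise match on basename and say so in 'status'."""
    full = os.path.normpath(os.path.join(base_dir, recorded_path))
    if os.path.isfile(full):
        return {"status": "original", "path": full, "candidates": [full], "sha256": sha256_of(full)}
    candidates = sorted(image_index.get(os.path.basename(recorded_path).lower(), []))
    if len(candidates) == 1:
        return {"status": "filename_match", "path": candidates[0], "candidates": candidates,
                "sha256": sha256_of(candidates[0])}
    status = "ambiguous" if candidates else "missing"
    return {"status": status, "path": None, "candidates": candidates, "sha256": None}


def resolve_csv(csv_text, base_dir, images_dir):
    """Yield (row_number, column, result) for every non-empty 'Attachment #n' cell."""
    image_index = index_images(images_dir)
    reader = csv.DictReader(io.StringIO(csv_text))
    att_cols = [c for c in reader.fieldnames if c.startswith("Attachment #")]
    for n, row in enumerate(reader, start=1):
        for col in att_cols:
            if row.get(col):
                yield n, col, resolve_attachment(row[col], base_dir, image_index)


def build_sample_case():
    """Constructed case folder: one surviving attachment, one recoverable by name, one duplicated name."""
    base = tempfile.mkdtemp(prefix="gcdft_")
    att = os.path.join(base, "files", "Attachments")
    imgs = os.path.join(base, "Images")

    def put(path, data=b"\xff\xd8\xff\xe0 sample jpeg bytes"):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put(os.path.join(att, "IMG_0001.jpg"))                              # still in the chat export
    put(os.path.join(imgs, "DCIM", "100APPLE", "IMG_0002.jpg"))         # gone from chat, survives in DCIM
    put(os.path.join(imgs, "DCIM", "100APPLE", "IMG_0003.jpg"), b"a")  # same name, two different files
    put(os.path.join(imgs, "WhatsApp", "Media", "IMG_0003.jpg"), b"b")
    csv_text = (
        "From,Body,Attachment #1\r\n"
        "+15550100,here,files/Attachments/IMG_0001.jpg\r\n"
        "+15550100,and this,files/Attachments/IMG_0002.jpg\r\n"
        "+15550199,last one,files/Attachments/IMG_0003.jpg\r\n"
        "+15550199,gone,files/Attachments/IMG_0004.jpg\r\n"
        "+15550199,text only,\r\n"
    )
    return base, imgs, csv_text


if __name__ == "__main__":
    base, imgs, text = build_sample_case()
    for n, col, res in resolve_csv(text, base, imgs):
        print(n, col, res["status"], res["path"] or res["candidates"])
```

A filename match is only a hint, never proof that the same bytes were sent; recording the hash of whatever file the report shows lets a reviewer confirm the substitution, and an ambiguous result is better surfaced for the examiner to decide than resolved by a guess.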
What Type of Chats does this work with?
This application has had limited testing (see Disclaimer below) but is believed to work with all SMS/MMS and Chat conversations exported from UFED PA.
Limited testing has been conducted, so please report any bugs with information on how to reproduce them. I will attempt to correct any bugs found as soon as possible.
Known issues include:
- Emoticons and emoji do not display properly; they appear as “??”. This is consistent with Excel’s plain “CSV (Comma delimited)” save, which replaces characters outside the system code page with “?”.
- SMS & MMS MUST be exported via Timeline.
- iMessages & Chat Messages MUST be exported via Chat section
Future Plans for Application
My plan with this application is to continue to add new features as requested and fix any bugs/issues discovered.
In the future, I plan to add the ability to:
- Display EXIF data of images
- Highlight messages (that were starred in UFED PA)
- Display Investigator Notes (that were added in UFED PA)
- Customize appearance
- Work with all Chat apps displayed in Cellebrite PA.
However, the creation of an app is time-consuming. I only plan to add updates/changes if there is enough user feedback from the community (you). So if you think this application is useful or could be useful with further fixes and tweaks, please post a comment below.
If you have good test data that you are willing to share, please email me so that I can update the examples with more complex data.
Please always remember, this software product is in BETA TESTING and all information should be confirmed to be accurate prior to use in any criminal or civil proceedings. The author of this software and the sites this software is hosted on do NOT TAKE ANY RESPONSIBILITY FOR INFORMATION BEING INACCURATE. YOU ARE EXPECTED TO TEST AND MANUALLY VALIDATE THE RESULTS EVERY TIME YOU USE THIS SOFTWARE.