Doubts (not issue) about new features (parsing of the iCloud backups)

[LuizFerrazBrazil]

Gentlemen, hello!

Today, the version 4.1.4 was published. So, I have some doubts about it:

a) About the parsing of the iCloud backups, do you think interesting/useful to process the iCloud backup in Cellebrite Physical Analyzer and after to parse the UFDR in IPED? Or do you think only IPED processing is enough?

b) About the parsing of the Google backups, do you think interesting/useful to process the Google backup in Cellebrite Physical Analyzer and after to parse the UFDR in IPED? Or do you think only IPED processing is enough?

We would like to hear you.

Thank you and congratulations for the project!!!

[lfcnassif]

Since this is a doubt, I'm moving to discussions and will answer there.

[lfcnassif]

If you have access to Cellebrite Physical Analyzer (PA) software and your goal is to process cellphone backups in the cloud, today I recommend you to process iCloud and Google cloud backups into PA software.

IPED original goal was to process hard drives. Today we have just a few parsers (decoders) for cellphone artifacts: WhatsApp, Telegram and Skype, for example. Today, we don't have some cellphone basic parsers, such as decoders for calls, sms/mms, contacts, calendar, cellphone GPS history, etc. So you would be better to process those backups into PA software, create an UFDR report, then process the UFDR into IPED to take advantage of its features: built-in regexes, index search, communications graph, OCR, audio transcription, face recognition, etc...

Last 4.1.4 release didn't add full support to iCloud backups, just to LZFSE compression algorithm used for some data, like WhatsApp databases. Then, some LZFSE compressed artifacts not recognized before, now are decompressed and sent to their respective decoder, if it exists: WhatsApp, Telegram and Skype. This will be very useful for those that don't have access to Cellebrite PA software today. We plan to focus on improving cellphone support until the end of this year.

However, some IPED existing parsers can give better results than PA software in some situations, for example, attachment linking to WhatsApp conversations is much better using IPED, because we don't rely on file names and paths like PA software does, we use sha-256 hashes of attachments stored into WA database to find them. So we can link to renamed attachments, attachments moved to other folders and even deleted medias recovered from SD cards, if SD cards are processed together with the main evidence. In other situations, PA results can be better, like deleted message recovery from recent Android WhatsApp databases, our deleted WhatsApp message recovery module wasn't updated to last Android WhatsApp versions yet, but it should still work for iOS WhatsApp App.

[LuizFerrazBrazil]

Nassif, thank you so much!
And about files from Google (backups of mobiles and others files,). What do you think about the processing using the Cellebrite PA + IPED? Is it useful?

[lfcnassif]

If you have mobile backups in your data, yes. As I said, today we have just a few mobile artifacts parsers, I refer to both iOS and Android. If you don't have mobile backups in your data (just emails, images, videos, docs, etc) processing directly into IPED should be fine.

[LuizFerrazBrazil]

Excellent! Thank you!