Upload Cellebrite Exports

Everlaw supports native upload of Cellebrite Universal Forensic Extraction Device (UFED) exports. These exports are forensic data collections extracted from sources like cellular phones and other hand-held mobile devices, which can then be analyzed and reviewed on Everlaw. During review of these files, Everlaw displays the chat conversations in a user-friendly way.

Read this article to learn best practices for uploading Cellebrite exports and to understand how the contents are rendered on Everlaw.

Table of Contents

Export data from Cellebrite

When you export data from Cellebrite UFED, you choose the types of information to include in your report, as well as the report’s file format(s). Export the Cellebrite report in UFDR format to extract chats upon upload to Everlaw, and have them displayed in conversation format during review.

The export folder you receive includes the report file and subfolders of relevant data that is necessary to include images and attachments. The screenshot of the sample Cellebrite export folder “Samsung GSM_GT-i9300 Galaxy S III” below shows the Cellebrite reports in different file formats (DOCX,XML, XLS, XLSX, HML, PDF, UFDR), in addition to subfolders that are needed for Everlaw to extract the data properly (AccountPackage, files, contacts, emails).

Screen_Shot_2020-10-15_at_8.33.31_PM.png

Upload Cellebrite data

To render chat conversations and extract file metadata, Everlaw requires the data be uploaded in one of the two following options:

  • A UFDR file (UFED export archive) of the Cellebrite report

    Tip

    We recommend UFDR because it's the simplest way to upload your data

  • A zipped file of the whole Cellebrite export folder that includes the Cellebrite report in XML format. Uploading this as a zipped file ensures chat extraction, spreadsheets of other Cellebrite output, and file metadata.

To get started with a Cellebrite upload, read our article on how to upload native data.

Chat handling

Everlaw extracts short message data (SMS, MMS, and Chats) from the Cellebrite export file and renders conversations with chat bubbles. App-specific visual formatting is currently supported for iMessages and WhatsApp data; other chat formats display in the same styling as iMessages.

Note

Chat rendering for chats is applied only when they are extracted directly from the Cellebrite report file.

Here are more details about how chat conversations extracted from Cellebrite are rendered on Everlaw:

  • Everlaw separates different conversations into separate documents.  Conversations are automatically segmented into new documents per 100 messages. Use our unitization tool to split PDFs to more granular segments.
  • The document displays the conversation name and its participants on its header
  • Images of the chat are displayed in-line and any non-images are extracted as children to the parent chat document

Screen_Shot_2022-08-22_at_11.52.20_AM.png

Chat metadata

Everlaw also extracts metadata from chat conversations:

  • The Chat Contributors metadata field automatically populates with participant names
  • The Application field populates with the chat application name (Slack, iMessage, WhatsApp, etc)
  • The Start Date and End Date metadata fields are populated with the date and time of the first and last message of the conversation  

Additional output in Cellebrite exports

Everlaw creates spreadsheets in XLSX format for other Cellebrite output such as Contacts, Call Logs, and Visited Pages. Everlaw also extracts file metadata from the report. In the review window, you can click into the File Path Explorer in the context panel to find other spreadsheets that Everlaw generated from the Cellebrite export file. The spreadsheets are titled after their data type (such as Contact.xlsx or Call.xlsx). They are in in a folder named “extracted_by_everlaw”.

cellebrite xlsk.png

Note that information may be formatted differently in Everlaw than it would be Cellebrite’s own spreadsheet export. If you prefer the Cellebrite report’s original formatting, be sure to include the report in XLSX format, in addition to XML or UFDR, when uploading to Everlaw.

Note

Everlaw does not support extraction of emails from the Cellebrite UFDR export, only chats. This article from Cellebrite's website outlines how to instead export emails in EML format, which can then be uploaded alongside your original upload.