Everlaw supports native uploads and processing of Cellebrite Universal Forensic Extraction Device (UFED) exports, and displays their chat conversations in a user-friendly way. These exports are forensic data collections extracted from sources like cellular phones and other hand-held mobile devices, which can then be analyzed and reviewed on Everlaw.
Table of Contents
- Exporting Data from Cellebrite
- Uploading Cellebrite Data
- Chat handling
- Chat metadata
- Additional Output in Cellebrite Exports
Exporting Data from Cellebrite
When you export data from Cellebrite UFED, you can choose the types of information that you want to include in your report, as well as the report’s file format(s), such as Microsoft Word, Excel, HTML, PDF, XML, and UFDR. We suggest exporting the Cellebrite report in UFDR format if you want Everlaw to extract chats upon upload and display them in conversation format.
The export folder you receive will include the report file and subfolders of relevant data that will be necessary to include images and attachments. In the screenshot of the sample Cellebrite export folder “Samsung GSM_GT-i9300 Galaxy S III” below, you can see the Cellebrite reports in different file formats, in addition to subfolders that are needed for Everlaw to extract the data properly.
Uploading Cellebrite Data
In order to render chat conversations and extract file metadata, Everlaw requires the data be uploaded as:
- A UFDR file (UFED export archive) of the Cellebrite report. We recommend this because it’s the simplest way to upload your data.
- Or, a zipped file of the whole Cellebrite export folder that includes the Cellebrite report in XML format. Uploading this as a zipped file ensures chat extraction, spreadsheets of other Cellebrite output, and file metadata.
From the previous screenshot, uploading the file “Samsung GSM...Report.ufdr” is the same as uploading the zipped “Samsung GSM_GT-i9300 Galaxy S III” folder with a report in XML format.
Chat handling
Everlaw extracts short message data (SMS, MMS, and Chats) from the Cellebrite export file and renders conversations with chat bubbles, with app-specific visual formatting currently supported for iMessages and WhatsApp data. Other chat formats will display in the same styling as iMessages. This chat rendering is applied only when the chats are extracted directly from the Cellebrite report file.
Everlaw creates a document per conversation that displays the conversation name and its participants in its header. In addition, images in the chat are displayed in-line, and any non-image files are extracted as children of the parent chat document. Everlaw automatically splits PDFs per 1000 messages, and you can use our unitization tool to split PDFs into more granular segments.
Chat metadata
Everlaw also extracts metadata from chat conversations. The Chat Contributors metadata field is automatically populated with participant names, and the Application field with the chat application name (Slack, iMessage, WhatsApp, etc.). Everlaw also populates the Start Date and End Date metadata fields with the date and time of the first and last message of the conversation, respectively.
Additional Output in Cellebrite Exports
Everlaw creates spreadsheets in XLSX format for other Cellebrite output such as Contacts, Call Logs, and Visited Pages, and extracts file metadata from the report. When you open the document in the review window, you can also click into the File Path Explorer in the context panel to find the spreadsheets of other output that Everlaw generated from the Cellebrite export file. Each spreadsheet will be titled after its data type (such as Contact.xlsx or Call.xlsx), and will be in a folder named “extracted_by_everlaw”.
Note that information may be formatted differently in Everlaw than it would be in Cellebrite’s own spreadsheet export. If you would prefer the Cellebrite report’s original formatting, be sure to include the report in XLSX format, in addition to XML or UFDR, when uploading to Everlaw.
In addition, Everlaw does not support extraction of emails from the Cellebrite UFDR export, only chats. This article from Cellebrite's website outlines how to instead export emails in EML format, which can then be uploaded alongside your original upload.