Forensic Importer
Overview
Forensic Importer imports UFDR mobile extraction reports and turns them into searchable views such as dashboards, timelines, maps, and communication graphs. You upload a UFDR report or package, select one or more devices, and then explore artifacts such as calls, chats, locations, and media. Inputs are UFDR XML or UFDR package files (including ZIP archives). Outputs are interactive analysis views and exportable tables and files. Results reflect what exists in the extraction and do not replace forensic validation.
When to Use This Application
- You need to review a UFDR extraction from Cellebrite and quickly locate relevant artifacts.
- You need a unified timeline to reconstruct a sequence of events across multiple data types.
- You need to identify key contacts using a communication network view before reading message content.
- You need to compare two or more devices for shared contacts, co-presence, or shared Wi-Fi networks.
- You need CSV exports of calls, contacts, web history, wireless networks, or credentials for reporting.
Before You Begin
Before starting the import:
- Prepare a supported UFDR input.
- Confirm you have enough session storage to upload and process the report.
- If the extraction includes credentials, follow your organization’s policy before revealing or sharing them.
Supported inputs include:
| Input type | Description |
|---|---|
| UFDR XML report | Standard UFDR XML export |
| UFDR package | ZIP package including report and media |
| ZIP archive | ZIP file containing UFDR reports |
Step-by-Step Walkthrough
Step 1 — Upload a UFDR report
Open the app in your browser. In the left sidebar, select Upload UFDR Report and choose a file. The app accepts:
- UFDR XML report files
- UFDR package files (ZIP archives including report and media)
- Standard ZIP archives containing UFDR reports A progress indicator shows while processing runs. When processing completes, the device appears in the sidebar under your uploaded phones list. Repeat this step to upload multiple devices.
Step 2 — Select devices for analysis
In the sidebar, each uploaded device appears as a selectable item.
- Select a device to include it in analysis. A checkmark (
✓) appears next to selected devices. - Select one device to enter single phone analysis.
- Select two or more devices to enter multi-phone analysis.
- To remove a device, select the trash icon (
🗑️) next to its name.
Step 3 — Explore single phone analysis
When you select one device, the left panel shows Insights and Artifacts.
Review insights
Use Insights for high-level summaries derived from the full report.
- Overview dashboard
- 24-hour activity clock
- Top contacts (top 10)
- Movement profile (frequently visited locations, time-of-day coloring, mobility classification)
- Communication breakdown (calls, messages, emails)
- Graph analytics
- Network diagram where nodes are contacts or phone numbers and links are communications
- Hubs are visually emphasized
- Filter by message type, direction, and time range
- Unified timeline
- Scrollable timeline combining calls, messages, web visits, locations, and system events
- Events are color-coded by type
Review artifacts
Use Artifacts to access specific extracted categories. Common artifact sections include:
- Device info
- Calls
- Contacts
- Chats
- Emails
- Media
- Web history
- Locations
- Passwords & credentials
- Wireless networks
Use built-in filters and sorting within each section to narrow the scope (for example date filters in Locations and Web History).
Step 4 — Explore multi-phone analysis
Select two or more devices to switch to multi-phone analysis.
Use the multi-phone views to correlate across devices:
| View | Purpose |
|---|---|
| Communication network | Highlights shared contacts and communication volume Hubs: contacts on three or more devices Bridges: contacts on exactly two devices |
| Location correlation | Overlays GPS points for all selected devices. Helps identify shared locations and possible co-presence (same place, same time) |
| Wi-Fi correlation | Finds Wi-Fi networks that appear across devices. Supports shared-location inference when GPS is missing |
| Unified timeline | Single timeline combining events from all selected devices |
| Media gallery | Shows combined media view across all selected devices |
Step 5 — Manage session storage
Monitor storage usage at the bottom of the sidebar. The app shows:
- Current session storage usage
- Maximum allowed storage When you finish analysis or storage is low, select Clear Cache. Clearing the cache removes uploaded files and processed data from your session.
Step 6 — Export artifacts for reporting
Use export options in artifact views when you need outputs outside the app.
- CSV exports are available for:
- Contacts
- Calls
- Web history
- Wireless networks
- Passwords (redacted and full)
- Media files can be downloaded individually from the media gallery. Credentials export supports:
- Redacted exports (safe for sharing)
- Full exports (sensitive)
Understanding the Output
Forensic Importer organizes results into two layers:
| Layer | Description |
|---|---|
| Insights | Aggregated summaries and visualizations. Use these to identify time windows, key contacts, and movement patterns quickly. |
| Artifacts | Raw extracted categories. Use these to validate findings and retrieve exact messages, timestamps, and metadata. |
Key behaviors:
- Single phone analysis focuses on one device and shows insights and artifacts for that report.
- Multi-phone analysis correlates contacts, locations, Wi-Fi networks, and timelines across selected devices.
- Credentials are redacted by default. You must explicitly reveal them before viewing full values.
Map and timeline outputs depend on what is present in the UFDR report. For large location datasets, the map displays up to
2,000location points for performance.
Saving and Exporting Results
Forensic Importer supports exporting artifacts, primarily as CSV or individual file downloads.
| Export option | What it does | Settings |
|---|---|---|
| CSV export | Exports tabular artifacts for reporting | Section-specific filters (date ranges, types) apply to the exported data |
| Media download | Downloads individual media files from the gallery | Per-file selection |
| Password export | Exports credentials in redacted or full form | Choose redacted or full |
Tips for Best Results
- Start with the overview dashboard to identify key time windows and high-volume contacts.
- Use the unified timeline to reconstruct a specific incident window before reading all chats.
- Load all relevant devices before selecting them so you can switch between single and multi-phone views.
- Apply date filters in locations and web history to reduce noise.
- Use graph analytics to identify hubs before you triage message threads.
- Select Clear Cache at the end of a session to free storage and remove session data.
Known Limitations
| Limitation | Explanation |
|---|---|
| Only UFDR inputs are supported | Other mobile extraction formats are not supported |
| Location maps depend on extracted GPS data | Some devices or apps may provide sparse location records |
| Large location datasets are capped | Maps display up to 2,000 points for performance |
| Session storage is quota-limited | Large UFDR packages can exhaust available storage |
| Clearing the cache removes all session data | Uploaded devices and processed results are deleted |