Skip to main content

Forensic Importer

Overview

Forensic Importer imports UFDR mobile extraction reports and turns them into searchable views such as dashboards, timelines, maps, and communication graphs. You upload a UFDR report or package, select one or more devices, and then explore artifacts such as calls, chats, locations, and media. Inputs are UFDR XML or UFDR package files (including ZIP archives). Outputs are interactive analysis views and exportable tables and files. Results reflect what exists in the extraction and do not replace forensic validation.


When to Use This Application

  • You need to review a UFDR extraction from Cellebrite and quickly locate relevant artifacts.
  • You need a unified timeline to reconstruct a sequence of events across multiple data types.
  • You need to identify key contacts using a communication network view before reading message content.
  • You need to compare two or more devices for shared contacts, co-presence, or shared Wi-Fi networks.
  • You need CSV exports of calls, contacts, web history, wireless networks, or credentials for reporting.

Before You Begin

Before starting the import:

  1. Prepare a supported UFDR input.
  2. Confirm you have enough session storage to upload and process the report.
  3. If the extraction includes credentials, follow your organization’s policy before revealing or sharing them.

Supported inputs include:

Input typeDescription
UFDR XML reportStandard UFDR XML export
UFDR packageZIP package including report and media
ZIP archiveZIP file containing UFDR reports

Step-by-Step Walkthrough

Step 1 — Upload a UFDR report

Open the app in your browser. In the left sidebar, select Upload UFDR Report and choose a file. The app accepts:

  • UFDR XML report files
  • UFDR package files (ZIP archives including report and media)
  • Standard ZIP archives containing UFDR reports A progress indicator shows while processing runs. When processing completes, the device appears in the sidebar under your uploaded phones list. Repeat this step to upload multiple devices.

Step 2 — Select devices for analysis

In the sidebar, each uploaded device appears as a selectable item.

  • Select a device to include it in analysis. A checkmark () appears next to selected devices.
  • Select one device to enter single phone analysis.
  • Select two or more devices to enter multi-phone analysis.
  • To remove a device, select the trash icon (🗑️) next to its name.

Step 3 — Explore single phone analysis

When you select one device, the left panel shows Insights and Artifacts.

Review insights

Use Insights for high-level summaries derived from the full report.

  • Overview dashboard
    • 24-hour activity clock
    • Top contacts (top 10)
    • Movement profile (frequently visited locations, time-of-day coloring, mobility classification)
    • Communication breakdown (calls, messages, emails)
  • Graph analytics
    • Network diagram where nodes are contacts or phone numbers and links are communications
    • Hubs are visually emphasized
    • Filter by message type, direction, and time range
  • Unified timeline
    • Scrollable timeline combining calls, messages, web visits, locations, and system events
    • Events are color-coded by type

Review artifacts

Use Artifacts to access specific extracted categories. Common artifact sections include:

  • Device info
  • Calls
  • Contacts
  • Chats
  • Emails
  • Media
  • Web history
  • Locations
  • Passwords & credentials
  • Wireless networks

Use built-in filters and sorting within each section to narrow the scope (for example date filters in Locations and Web History).


Step 4 — Explore multi-phone analysis

Select two or more devices to switch to multi-phone analysis.

Use the multi-phone views to correlate across devices:

ViewPurpose
Communication networkHighlights shared contacts and communication volume
Hubs: contacts on three or more devices
Bridges: contacts on exactly two devices
Location correlationOverlays GPS points for all selected devices. Helps identify shared locations and possible co-presence (same place, same time)
Wi-Fi correlationFinds Wi-Fi networks that appear across devices. Supports shared-location inference when GPS is missing
Unified timelineSingle timeline combining events from all selected devices
Media galleryShows combined media view across all selected devices

Step 5 — Manage session storage

Monitor storage usage at the bottom of the sidebar. The app shows:

  • Current session storage usage
  • Maximum allowed storage When you finish analysis or storage is low, select Clear Cache. Clearing the cache removes uploaded files and processed data from your session.

Step 6 — Export artifacts for reporting

Use export options in artifact views when you need outputs outside the app.

  • CSV exports are available for:
    • Contacts
    • Calls
    • Web history
    • Wireless networks
    • Passwords (redacted and full)
  • Media files can be downloaded individually from the media gallery. Credentials export supports:
  • Redacted exports (safe for sharing)
  • Full exports (sensitive)

Understanding the Output

Forensic Importer organizes results into two layers:

LayerDescription
InsightsAggregated summaries and visualizations. Use these to identify time windows, key contacts, and movement patterns quickly.
ArtifactsRaw extracted categories. Use these to validate findings and retrieve exact messages, timestamps, and metadata.

Key behaviors:

  • Single phone analysis focuses on one device and shows insights and artifacts for that report.
  • Multi-phone analysis correlates contacts, locations, Wi-Fi networks, and timelines across selected devices.
  • Credentials are redacted by default. You must explicitly reveal them before viewing full values. Map and timeline outputs depend on what is present in the UFDR report. For large location datasets, the map displays up to 2,000 location points for performance.

Saving and Exporting Results

Forensic Importer supports exporting artifacts, primarily as CSV or individual file downloads.

Export optionWhat it doesSettings
CSV exportExports tabular artifacts for reportingSection-specific filters (date ranges, types) apply to the exported data
Media downloadDownloads individual media files from the galleryPer-file selection
Password exportExports credentials in redacted or full formChoose redacted or full

Tips for Best Results

  • Start with the overview dashboard to identify key time windows and high-volume contacts.
  • Use the unified timeline to reconstruct a specific incident window before reading all chats.
  • Load all relevant devices before selecting them so you can switch between single and multi-phone views.
  • Apply date filters in locations and web history to reduce noise.
  • Use graph analytics to identify hubs before you triage message threads.
  • Select Clear Cache at the end of a session to free storage and remove session data.

Known Limitations

LimitationExplanation
Only UFDR inputs are supportedOther mobile extraction formats are not supported
Location maps depend on extracted GPS dataSome devices or apps may provide sparse location records
Large location datasets are cappedMaps display up to 2,000 points for performance
Session storage is quota-limitedLarge UFDR packages can exhaust available storage
Clearing the cache removes all session dataUploaded devices and processed results are deleted