Skip to main content

Forensic Importer

Overview

Forensic Importer imports UFDR mobile extraction reports and turns them into searchable views such as dashboards, timelines, maps, and communication graphs. You upload a UFDR report or package, select one or more devices, and then explore artifacts such as calls, chats, locations, and media. Inputs are UFDR XML or UFDR package files (including ZIP archives). Outputs are interactive analysis views and exportable tables and files. Results reflect what exists in the extraction and do not replace forensic validation.

When to Use This Application

  • You need to review a UFDR extraction from Cellebrite and quickly locate relevant artifacts.
  • You need a unified timeline to reconstruct a sequence of events across multiple data types.
  • You need to identify key contacts using a communication network view before reading message content.
  • You need to compare two or more devices for shared contacts, co-presence, or shared Wi-Fi networks.
  • You need CSV exports of calls, contacts, web history, wireless networks, or credentials for reporting.

Before You Begin

  • Prepare a supported UFDR input:
    • UFDR XML report file
    • UFDR package file (ZIP including report and media)
    • Standard ZIP archive containing UFDR reports
  • Confirm you have sufficient session storage quota to upload and process the report.
  • If you work with sensitive credentials, ensure you follow your organization’s screen and sharing policy before revealing passwords.

Step-by-Step Walkthrough

Step 1 — Upload a UFDR report

Open the app in your browser. In the left sidebar, select Upload UFDR Report and choose a file. The app accepts:

  • UFDR XML report files
  • UFDR package files (ZIP archives including report and media)
  • Standard ZIP archives containing UFDR reports A progress indicator shows while processing runs. When processing completes, the device appears in the sidebar under your uploaded phones list. Repeat this step to upload multiple devices.

Step 2 — Select devices for analysis

In the sidebar, each uploaded device appears as a selectable item.

  • Select a device to include it in analysis. A checkmark () appears next to selected devices.
  • Select one device to enter single phone analysis.
  • Select two or more devices to enter multi-phone analysis.
  • To remove a device, select the trash icon (🗑️) next to its name.

Step 3 — Explore single phone analysis

When you select one device, the left panel shows Insights and Artifacts.

Review insights

Use Insights for high-level summaries derived from the full report.

  • Overview dashboard
    • 24-hour activity clock
    • Top contacts (top 10)
    • Movement profile (frequently visited locations, time-of-day coloring, mobility classification)
    • Communication breakdown (calls, messages, emails)
  • Graph analytics
    • Network diagram where nodes are contacts or phone numbers and links are communications
    • Hubs are visually emphasized
    • Filter by message type, direction, and time range
  • Unified timeline
    • Scrollable timeline combining calls, messages, web visits, locations, and system events
    • Events are color-coded by type

Review artifacts

Use Artifacts to access specific extracted categories. Common artifact sections include:

  • Device info
  • Calls
  • Contacts
  • Chats
  • Emails
  • Media
  • Web history
  • Locations
  • Passwords & credentials
  • Wireless networks

Use built-in filters and sorting within each section to narrow the scope (for example date filters in Locations and Web History).

Step 4 — Explore multi-phone analysis

Select two or more devices to switch to multi-phone analysis. Use the multi-phone views to correlate across devices:

  • Communication network
    • Highlights contacts that appear on multiple phones
    • Hubs: contacts on three or more devices
    • Bridges: contacts on exactly two devices
    • Visualizes communication volume between devices
  • Location correlation
    • Overlays GPS points for all selected devices
    • Helps identify shared locations and possible co-presence (same place, same time)
  • Wi-Fi correlation
    • Finds Wi-Fi networks that appear across devices
    • Supports shared-location inference when GPS is missing
  • Unified timeline
    • Single timeline combining events from all selected devices
  • Media gallery
    • Combined media view across all selected devices

Step 5 — Manage session storage

Monitor storage usage at the bottom of the sidebar. The app shows:

  • Current session storage usage
  • Maximum allowed storage When you finish analysis or storage is low, select Clear Cache. Clearing the cache removes uploaded files and processed data from your session.

Step 6 — Export artifacts for reporting

Use export options in artifact views when you need outputs outside the app.

  • CSV exports are available for:
    • Contacts
    • Calls
    • Web history
    • Wireless networks
    • Passwords (redacted and full)
  • Media files can be downloaded individually from the media gallery. Credentials export supports:
  • Redacted exports (safe for sharing)
  • Full exports (sensitive)

Understanding the Output

Forensic Importer organizes results into two layers:

  • Insights
  • Aggregated summaries and visualizations. Use these to identify time windows, key contacts, and movement patterns quickly.
  • Artifacts
  • Raw extracted categories. Use these to validate findings and retrieve exact messages, timestamps, and metadata. Key behaviors:
  • Single phone analysis focuses on one device and shows insights and artifacts for that report.
  • Multi-phone analysis correlates contacts, locations, Wi-Fi networks, and timelines across selected devices.
  • Credentials are redacted by default. You must explicitly reveal them before viewing full values. Map and timeline outputs depend on what is present in the UFDR report. For large location datasets, the map displays up to 2,000 location points for performance.

Saving and Exporting Results

Forensic Importer supports exporting artifacts, primarily as CSV or individual file downloads.

  • CSV exports
    • What it does: exports tabular artifacts for reporting
    • Settings: section-specific filters (date ranges, types) apply to the exported data
  • Media downloads
    • What it does: downloads individual media files from the gallery
    • Where it ends up: local download
    • Settings: per-file selection
  • Password exports
    • What it does: exports credentials in redacted or full format
    • Settings: choose redacted vs full

Tips for Best Results

  • Start with the overview dashboard to identify key time windows and high-volume contacts.
  • Use the unified timeline to reconstruct a specific incident window before reading all chats.
  • Load all relevant devices before selecting them so you can switch between single and multi-phone views.
  • Apply date filters in locations and web history to reduce noise.
  • Use graph analytics to identify hubs before you triage message threads.
  • Select Clear Cache at the end of a session to free storage and remove session data.

Known Limitations

  • Only UFDR inputs are supported. Other mobile extraction formats are out of scope.
  • Location maps depend on extracted GPS records. Some devices or apps may provide sparse or no location data.
  • Large location datasets are capped at 2,000 points on the map for performance.
  • Session storage is quota-limited. Uploading multiple large UFDR packages can exhaust available space.
  • Clearing the cache removes all uploaded devices and processed results from the session.