
How to Choose a Computer Access and Analysis Solution with Confidence
Eight Essential Capabilities to Look for in a Solution
CONTENTS
Introduction
Key Considerations
The Top Eight Important Capabilities
1. Windows Evidence Support
2. Mac Support
3. Forensic Imaging: Boot Acquisition and Live Data Acquisition
4. Collection: Full-Disk, Targeted
5. Reporting, Preferences, Tags, and Exporting
6. Powerful Analysis
7. Decryption: During Collection, During Analysis
8. Triage Granularity and Search Capabilities
Why Cellebrite Computer Forensic Solutions
INTRODUCTION
Not All Computer Forensics Solutions Are Created Equal
Today we’re seeing amazing advances in digital technologies and the widespread adoption of Digital Intelligence (DI): the data that is extracted from digital sources and data types (smartphones, computers, and the Cloud), and the process by which agencies access, manage, and leverage that data to run their operations more efficiently. At the same time, we’re also witnessing a swift rise in computer-related crimes and cybercrime attacks. To meet today’s computer challenges and become “DI ready” for policing in the future, agency managers need to make smart decisions when investing in computer forensics solutions.
Between budget constraints and the need to address a growing backlog of cases, many agencies find themselves caught between a host of technology vendors making lots of promises. Weighing those promises, from delivering powerful tools to fulfill the agency’s mission, to ensuring digital evidence is collected in a forensically sound manner and fully leveraged to build a strong case, can be overwhelming.
This guide is meant to remove any uncertainty in the vetting process by arming you with the knowledge to make informed decisions about purchasing computer forensics technology.

THE IMPORTANT QUESTIONS
Selecting the right solution means knowing what to look for and how it might help your agency achieve its DI readiness goals.
You may be required to handle different types of cases and support triage and acquisition scenarios on-scene or in the lab. You may be looking into solutions that integrate well with other tools that have already been implemented. You may be looking to adopt a solution that complements what you already have. Whatever the reasoning may be, it is critical to get answers to the questions that follow when deciding whether to move forward in conversations with a vendor.
Across the spectrum of available forensics solutions, there may be little obvious variation among their capabilities. However, once the full extent of a solution’s capabilities is known, a proper evaluation can be conducted with relevant stakeholders.

KEY CONSIDERATIONS WHEN DECIDING ON A SOLUTION
There are several considerations to keep in mind when trying to determine the best computer forensics solution for your workflow. It is always good to have multiple toolsets in your toolbox, as each may have its unique strengths. Below are some basic questions that you may want to evaluate when choosing a computer solution:
• What operating systems does the forensics tool run on?
• What file systems can the tool analyze?
• If time is a constraint, are there triage capabilities to allow the most important data to be viewed quickly?
• Is there a way to verify that data is not modified?
• What processing options are necessary for your workflow?
• Does it fit into your current workflow?
• What kind of training and ramp-up support is available?
• What are your cost and budget constraints?
Understanding that you have a trusted partner that will address your current needs and continue to innovate as you foresee future obstacles is another critical element in that evaluation.

How to Select the Right Solution for You
Know your budget
Determine the type of cases you normally process
Determine what your workflow consists of:
• Triaging media
• Identifying patterns in communications, building out connections or networks
• Application and database analysis
• Geolocation
• Encryption
• Documents
• Foreign language translation
Our experts outlined eight important capabilities needed for users to effectively fulfill their operational missions.

1. WINDOWS EVIDENCE SUPPORT
When examining a Windows machine, it’s important to have robust support for Windows® file systems and Registry, operating systems, user and application artifacts, and more. This could mean the difference between solving a case or leaving a criminal on the streets. Although some may resort to open source forensics tools, you need a solution you can trust to maintain the integrity of the data.
Below is a list of some Windows evidence items we think are worth evaluating:
• Windows-based file systems and boot records for FAT, exFAT, and NTFS
• Windows Registry
• Windows Notifications
• Windows Activity Timeline
• JumpLists
• Windows Explorer Search
• Superfetch
• System Resource Utilization Monitor (SRUM)
• Background Activity Moderators
• User accounts
• .EVT/.EVTX event logs
• $USNJRNL
• $MFT
• $LogFile
• Volume Shadow Copies
• Link files
• Popular Windows OS internet browsers (Edge, Chrome, Firefox)
• Prefetch
• Network Connections
• User Assist
• Various ComDlg32 and Desktop entries
• MUI Cache
• ShimCache
• AmCache
• ShellBags
• $Recycle.Bin
• Device connections
• Downloaded files
• Compressed archives

2. MAC SUPPORT: ADVANCED APPLE TECHNOLOGIES
Apple devices are more popular than ever, which is why it’s critical for examiners and investigators to have access to the tools and skills necessary to work with them. To perform a comprehensive analysis on an Apple device you may have encountered, you first need to ask whether the solution can:
• Recognize computers with the T2 chip
• Create decrypted images of APFS containers
• With the password, decrypt FileVault on T2 chip computers
• Identify physical device volumes
• Correctly identify HFS Plus or APFS Fusion Drives
• Image Fusion Drives (HFS Plus or APFS) and physical device volumes
• Identify APFS snapshots during evidence ingestion
• Individually select processing options for the active volume and APFS snapshots
• Display APFS snapshots as individual evidence items
Above: Screens from the Cellebrite Digital Collector solution


3. FORENSIC IMAGING: BOOT ACQUISITION AND LIVE DATA ACQUISITION
A forensic image is a copy of a logical volume or physical disk made bit-for-bit, so that it includes all data and metadata. To be effective, you should consider a solution that can be used both on a live machine and when the source machine is booted for acquisition, regardless of whether you are investigating a Mac or Windows computer.
Forensic imaging can be difficult when acquiring Mac machines. Cellebrite Digital Collector provides support for Apple file systems along with support for decrypting systems with T2 chips and FileVault 2. With Digital Collector, you can boot the source machine to a read-only state to acquire a full bit-by-bit image of the machine or a physically decrypted image of T2 chip systems.
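The bit-for-bit copy described above, together with the “is the data unmodified?” check from the key considerations, as an added example that is not part of this guide or of any Cellebrite product. It assumes the source is any readable path (a constructed temp file here; a block device such as /dev/sdb in practice) and that hashes are recorded at acquisition and re-checked later:

```python
# Added example (not Cellebrite code): bit-for-bit imaging with hash verification.
# Assumes the source is any readable file or block-device path (e.g. /dev/sdb on
# Linux); the sample "disk" in main() is constructed in a temp directory.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read: fine for disks, modest on memory

def hash_file(path, algo="sha256"):
    """Hash a file in chunks; used right after imaging and for later re-checks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(source, dest, algo="sha256"):
    """Copy every byte of source to dest and hash both sides.

    The source is hashed as it is read (acquisition hash) and the finished image
    is re-read and hashed (verification hash); a mismatch means the copy is not
    a faithful image and must not be treated as evidence.
    """
    src_hash = hashlib.new(algo)
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached disk
    img_hash = hash_file(dest, algo)
    return {"bytes": copied, "source_hash": src_hash.hexdigest(),
            "image_hash": img_hash, "verified": src_hash.hexdigest() == img_hash}

def verify_image(path, expected_hash, algo="sha256"):
    """Re-hash an image and compare it with the hash recorded at acquisition."""
    return hash_file(path, algo) == expected_hash

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source.bin")
        with open(src, "wb") as f:  # constructed 3 MiB "disk" plus a partial chunk
            f.write(os.urandom(3 * CHUNK + 123))
        print(image_device(src, os.path.join(tmp, "source.dd")))
```

A real acquisition additionally needs the source opened through a write blocker or a read-only boot, which this snippet cannot provide on its own.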

4. COLLECTION: FULL DISK, TARGETED
When on-scene and time is of the essence, you need a solution that shortens your collection time and gives you control over the data to be collected. Consider a solution that supports both full-disk and targeted acquisitions and allows you to select certain categories of interest, targeted files, or directories to acquire.
Cellebrite Digital Collector recognizes physical disks, volumes, and APFS containers on a machine, and allows you to choose which items to acquire.

Data collection in Digital Collector includes these evidence items:
• System data
• User files
• User directories
• Files (for each user)
• System files
• OSX volumes
• Files (for each volume)
• Additional files
The System Data category collects data related to the system, like network and macOS data, and user directories.


The Files (per user) category lets you collect specific data from each user, including chats, documents, images, email, Internet, and more.

The “Additional System Files” category lets you collect items you find with the Browser and Search views and then manually select, such as deleted user data, logs, and other items.

5. REPORTING, PREFERENCES, TAGS, AND EXPORTING
It’s important to create in-depth reports on your findings to share and collaborate with investigators offline, and for use in legal proceedings. You need a solution that’s intuitive and lets you determine which findings you should include or exclude in the report via relevant search filters and tagging. These capabilities can mean the difference between investing many hours guiding stakeholders or freeing up their time for further in-depth analysis. The optimal collaborative tool can lead to improved examiner/investigator efficiency and speedier case closure, all while maintaining a chain of evidence. It’s also just as important to be able to export reports in various formats so they can be used directly or ingested into other investigative systems for further analysis.

6. POWERFUL ANALYSIS
The most important part of any investigation is your ability to perform a quick and comprehensive analysis of the evidence, surfacing key insights to close cases faster. Having a solution that supports a wide range of evidence types from the most common platforms within a single tool minimizes the learning curve and can save you time and money. To shed light on a suspect’s actions and surface leads, you need the ability to perform in-depth analysis or triage, with advanced searching and filtering capabilities to sift through large data sets quickly.
Cellebrite Inspector parses many items including:
• Device connections
• User account information
• Downloaded files
• Recent files
• Advanced Windows program execution
• Spotlight and Windows keyword searches
• Wide range of support for Apple and Windows artifacts
• Communications, browsing, and location data

Cellebrite Inspector has powerful media analysis capabilities:
• Display media types, views, pictures, videos, thumbnail or combined
• Categorize with Lace®, C4All®, Project Vic®, and S21®
• Advanced filtering
Cellebrite Inspector provides advanced analysis for certain evidence items:
• Spotlight metadata analysis
• Windows Registry
• Windows log files, .evtx files
• macOS/iOS Unified Logs, .fseventsd, ASL logs

7. DECRYPTION: DURING COLLECTION, DURING ANALYSIS
The ability to decrypt data at the time of collection for the purpose of triage, or to conduct a deep-dive analysis, is important when you need real-time insights. Below are some formats whose support you may want to validate:
• iOS encrypted backups
• Apple Production Returns
• macOS keychain processing
• BitLocker
• FileVault 2
• LUKS (Linux Unified Key Setup)
• TrueCrypt
• VeraCrypt
Above & Right: Screens from the Cellebrite Inspector solution


Cellebrite Digital Collector
• The only tool that can image and decrypt T2 chip APFS containers
• Mounts FileVault 2 volumes and containers

8. TRIAGE GRANULARITY AND SEARCH CAPABILITIES
The goal of digital triage is to perform a rapid review of specific information to prioritize the computer for subsequent analysis, or to further an investigation as early as possible. Having an easy-to-operate solution that allows comprehensive search on live or booted systems, filtering for file metadata or keywords, and content review capabilities is a must.

CONFIDENTLY CHOOSE CELLEBRITE COLLECTION SOLUTIONS
Cellebrite Digital Collector is a powerful forensic imaging software solution to perform triage, live data acquisition, and targeted data collection for Windows and Mac computers. As the only forensic solution on the market today that does live and dead box imaging for Windows and Mac, Digital Collector is a must-have tool in every forensic examiner’s toolbox.
Cellebrite Inspector is the ultimate solution for conducting comprehensive analysis on macOS and Windows extractions. The solution can analyze common file system and application artifacts as well as structures that show activity on the system. With an intuitive interface, users can easily search, filter and sift through large data sets to surface critical insights quickly.


User friendly
Cellebrite Inspector is a great tool for both junior and expert forensic examiners. The user interface is built to be intuitive and user-friendly. The view is consistent whether you are looking at data from Windows, Mac, or mobile. Inspector can run on Windows or Mac forensic workstations. Most common forensic image files can be ingested, such as E01, DD, AFF4, and DMG. Having all types of devices in one case file makes full-case examination easier.
Get to data quickly
Some forensic tools make you process media completely before you can begin to look at data. Inspector has a triage-level processing option that quickly gathers and lets you view low-hanging fruit while additional advanced processing is running. Inspector also has many pre-configured file filters, which aid examiners in getting to specific types of data quickly.


Ease of sharing and reporting
The portable case functionality in Inspector allows examiners to share data with other analysts quickly and easily without requiring additional licenses. Portable cases include readers for Windows and Mac that view the data at no additional cost and with no installation.
Frequent releases to capture the most relevant data today
Inspector developers actively research new artifacts and functionality on a regular basis. While other tools may release new versions a couple of times a year, we strive for quarterly releases that include new functionality. There are minor releases as well for any bug fixes.


Integrated with Cellebrite and partner solutions
Extracted reports can be ingested into the Cellebrite Pathfinder investigative platform for further analysis. Examiners can also review data from Berla, Semantics 21, Project Vic, APOLLO, PhotoDNA, UFED and GrayKey formats alongside computer data.
Excellent customer service
One of our biggest satisfaction ratings centers around our excellent customer service. Most support issues are responded to within 24 hours, and there are support representatives in many time zones to help provide excellent service all over the world in a timely manner.

Our Consultants are Here to Help
Schedule a call to learn more.

Cellebrite is the global leader of Digital Intelligence solutions for law enforcement, government, and enterprise organizations.
Cellebrite delivers an extensive suite of innovative software solutions, analytic tools, and training designed to accelerate digital
investigations and address the growing complexity of handling crime and security challenges in the digital era. Trusted by thousands
of leading agencies and companies in more than 150 countries, Cellebrite is helping fulfill the joint mission of creating a safer world.
