
UFED Analytics Desktop

User Manual
September 2016
Version 5.2
Legal notices
Copyright 2016 Cellebrite Mobile Synchronization Ltd. All rights reserved.
This manual is delivered subject to the following conditions and restrictions:
• This manual contains proprietary information belonging to Cellebrite Mobile Synchronization Ltd.
Such information is supplied solely for the purpose of assisting explicitly and properly authorized
users of the UFED Analytics Desktop.
• No part of this content may be used for any other purpose, disclosed to any person or firm, or
reproduced by any means, electronic or mechanical, without the express prior written permission of
Cellebrite Ltd.
• The text and graphics are for the purpose of illustration and reference only. The specifications on
which they are based are subject to change without notice.
• Information in this document is subject to change without notice. Corporate and individual names
and data used in examples herein are fictitious unless otherwise noted.

Contents

1. Welcome to UFED Analytics Desktop
1.1. Terms
1.2. A workflow example
2. Getting started
2.1. Installing UFED Analytics Desktop
2.1.1. System requirements
2.1.2. Installing UFED Analytics Desktop
2.1.3. Activating UFED Analytics Desktop
2.1.4. Starting UFED Analytics Desktop
2.2. Analyzing data sources
2.2.1. Auto merge on open
2.2.2. Creating a new case
2.2.3. Displaying and editing the properties of a person
2.2.4. Adding a Micro Systemation XRY file to a project
2.2.5. Adding a Call Detail Record file
2.3. Overview of the workspace
2.3.1. Workspace layout
2.3.2. Using the workspace
2.4. Performing a global search
3. Filters
3.1. Data source owners filter
3.2. Timeframes filter
3.3. Parties filter
3.4. Types filter
3.5. Origins filter
3.6. Advanced filters
3.7. Watch list filter
3.8. Extracted categories filter
3.9. Mutual location filter
3.10. Linked data source owners filter
3.11. Links filter
3.12. Tags filter
4. Advanced Analytics
4.1. Text analytics
4.2. Image analytics
5. Analyzing links
5.1. Working with the link diagrams
5.1.1. Changing the diagram layout
5.1.2. Navigating the diagram
5.1.3. Rearranging the diagram
5.1.4. Working with links
5.1.5. Graph tools ribbon
5.2. Analyzing timelines
5.2.1. Media tools ribbon
5.3. Details pane
5.3.1. Item tab
5.3.2. Adjacent events tab
5.3.3. Conversation tab
5.4. Working with Parties
5.4.1. Highlighting a person's links
5.4.2. Working with the Persons table
5.4.3. Viewing a timeline for a person
5.5. Data by type
6. Watch lists
6.1. Creating Watch lists
6.2. Editing Watch lists
6.3. Deleting Watch lists
6.4. Importing and exporting Watch lists
6.5. Activating and deactivating Watch lists
6.6. Viewing Watch list results
7. Managing tags
7.1. Adding tags
7.2. Editing tags
7.3. Deleting tags
7.4. Applying tags
8. Analyzing locations
8.1. About location data
8.2. Navigating the map
8.3. Viewing offline maps
8.4. Markers and information windows
8.5. Map tools ribbon
8. Persons management
8.6. Merge persons
8.7. Split persons
9. Generating reports
10. Managing cases
10.1. Saving a case
10.2. Opening a saved case
11. Reference
11.1. Setting UFED Analytics Desktop options
11.2. File menu
11.3. Application ribbon

1. Welcome to UFED Analytics Desktop
UFED Analytics Desktop simplifies and automates analytical tasks allowing investigators to easily
identify the critical relationships that can focus investigations. By immediately linking and unifying
multiple disparate data sources, UFED Analytics Desktop helps generate leads and uncover actionable
insights from existing call logs, application data, text messages, locations, private cloud sources, images,
videos, and more, based on reports generated from physical, logical, and file system extractions.
With UFED Analytics Desktop you can:
• Quickly and efficiently identify existing connections between persons of interest
• Reveal relationships with mutual contacts
• Filter data according to time and date, number of events, Watch lists and categories
• Visualize the communication directions, pinpointing unidirectional and bidirectional
communication
• Drill-down to specific events
• Determine the suspects' physical locations and movements
• Integrate cloud data
• Automatically tag images related to topics of interest with Image analytics
• Automatically categorize terms and phrases with Text analytics
• Work within a multi-screen environment that enables analysis via multiple views related to the same
investigation in parallel
• Share findings with other investigators
• Generate customized reports including detailed information and graphs
• Analyze up to 500,000 events per case

1.1. Terms
In UFED Analytics Desktop, the following terms are used:

Data Source: The files containing the extracted information.

Data Source Owner: The owner of the device/data that owns the extracted information.

Link: An indication of communication based on single or multiple events. A link can be created
based on contact information, Bluetooth device, and more. In the links diagram, the
thickness of the link line represents the volume of events; the arrow represents the direction
of communication.

Party: The people with whom the data source owner has interacted.

1.2. A workflow example


A workflow using UFED Analytics Desktop might look like this:
1. Open two or more UFDR report files generated from the physical, logical, or file system extraction
from your suspects' devices.
2. Open a report generated by other tools such as XRY extended XML or external data sources (CDR).
3. Are your suspects connected to one another? Do they have mutual acquaintances?
Assess common links between the suspects using the Linked data source owners filter.
4. Filter the display by data source owner, type, timeframe, parties, or link types to pinpoint the
information for which you are looking.
5. Create Watch lists to help filter the data based on specific keywords.
6. Tag items for future reference.
7. How much interaction was there with a particular accomplice?
Drill down to comprehensive information on the suspects' relationship with a particular party.
8. Are the suspects connected to each other through mutual contacts?
Assess all links by choosing the relevant data source owners and all parties in the filters.
9. When and where did the suspects cross paths, if at all?
Assess the locations of your suspects in the Map tab and pinpoint meeting places using the Mutual
locations filter.
10. What were the suspects communicating about, and when?
Assess events as they occurred sequentially in the Timeline tab.
11. Did the suspect take and/or send an incriminating photograph?
The new Image analytics feature will automatically tag incriminating photos.
12. Do you have background information about a suspect?
Filter for it using the new Text analytics feature.
13. Create a report of the information you have gleaned using UFED Analytics Desktop.

2. Getting started
This section includes the following:
Installing UFED Analytics Desktop
Analyzing data sources
Overview of the workspace
Performing a global search

2.1. Installing UFED Analytics Desktop


This section describes the installation and activation of the UFED Analytics Desktop application on your
computer.

2.1.1. System requirements


The computer on which you install UFED Analytics Desktop should meet the following system
requirements:

PC:
  Recommended CPU: Core i7 (8 cores) running at 3.5 GHz or higher
  Minimum CPU: Core i5 (4 cores) running at 3.3 GHz or higher

Operating system: Microsoft Windows 64-bit including Windows 7 Service Pack 1, Windows 8,
Windows 8.1, and Windows 10

Memory (RAM):
  Recommended: 16+ GB
  Minimum: 8 GB

Space requirements: 6 GB of free disk space for text and image analytics

Graphics Processing Unit (for image analytics): NVidia GPU with compute capability 3.0 or higher,
at least 640 CUDA cores and 2 GB of memory

Additional requirement: Microsoft .Net Framework version 4.5.2

An additional 10+ GB disk space is required for storing cases.

2.1.2. Installing UFED Analytics Desktop


1. Obtain a copy of the UFED Analytics Desktop application.
2. Double click the UFED_Analytics_Desktop_<version>.exe file.
3. Follow the installation wizard.

If you reinstall UFED Analytics Desktop, your existing cases will be deleted.

2.1.3. Activating UFED Analytics Desktop


Activate UFED Analytics Desktop in one of the following ways:
• Using a license dongle
• Using a software license
• Using a network dongle

Check your UFED kit to make sure which method you should use.

2.1.3.1. Using a license dongle

Use the UFED dongle provided with your UFED kit. The dongle contains licenses for all
the applications purchased.

To use UFED applications with a dongle:


1. Connect the dongle to a USB port on your computer. The license is automatically
located. When the dongle is recognized by the operating system, the application
can read the license.
2. Start the UFED application.
Congratulations, your application is now ready!

If a license dongle is not found:


1. When starting for the first time, or when a license dongle is not found, the Cellebrite Product
Licensing window appears.

2. If you connected the dongle to a USB port on your computer, and it still does not work, contact
support@cellebrite.com.

The HASP dongle drivers must be installed in order to use a hardware license key. If the
drivers were not installed during the UFED software installation process, you can run the
installation process again and select Install Hasp Dongle Drivers at the end of the process.

2.1.3.2. Using a software license

The first time you open the application, you must activate the license.

To use UFED applications with a software license:


1. Go to the following link:
• UFED Analytics Desktop: https://my.cellebrite.com/analyticsdesktop
• UFED Phone Detective: https://my.cellebrite.com/phonedetective

2. Sign into your MyCellebrite account.


(If you don't have an account, click Register now, create a user, and then go back to the required
UFED application link.)
You will be directed to the product activation window.
3. Click to download the application and save the file to a PC.
4. Extract the zip file, click the installation file and install the software using the Setup Wizard. Restart
the PC if required.
5. Repeat step 1 to go to the application link.
6. In the Activation Method box, if you purchased UFED 4PC, select Activation code. If you purchased
UFED Touch, select UFED Touch/UFED Classic.

The Activation method is not required for the UFED Cloud Analyzer or UFED Analytics
Desktop applications. For these applications, skip to step 7.

7. Depending on the product you purchased, continue as follows:

• UFED 4PC, UFED Cloud Analyzer, UFED Analytics Desktop: In the
Activation Code field, enter the Activation code provided with the
UFED kit.
• UFED Touch: In the Serial Number field, select the UFED serial number displayed on the UFED
Touch unit or UFED Touch License Activation screen. To add a new device, click Add and enter
the required information.

8. Next obtain your Computer ID (do not close the MyCellebrite page while performing this step).
• Start the application. The Cellebrite Product Licensing window appears.
• Click Copy to copy the Computer ID displayed in the window.

9. In MyCellebrite, paste the copied Computer ID.

10. Click Generate license to download the application license key to your PC. The license key will also be
sent to your registered MyCellebrite email address.
11. In the application, click Load license file in the Cellebrite Product Licensing window.
12. Select the License file and click Open. A message appears to indicate that the software license was
updated successfully.

13. Click Close.


Congratulations, your application is now ready!

2.1.3.2.1. Deactivating a software license

In cases where a UFED application that has been activated by a software license needs to be moved to
another PC, you must first deactivate (remove) the license from the original computer.

To deactivate the license:


1. In the UFED application, go to Help > Show License Details. The Cellebrite Product licensing window
appears.

2. Click Deactivate software license. The Software license deactivation window appears.

3. Click Copy to copy the computer ID.


4. Go to http://my.cellebrite.com/deactivation, and sign in to your MyCellebrite account.

If you do not have an account, click Register now and create a user. Then go back to
http://my.cellebrite.com/deactivation. The following window appears.

5. Make sure the device is added to your list of products.

• If the device is displayed in your list of products, click the Go to My Products page link to navigate
to the My Products page.
• If the device is not displayed in your list of products, click Add Device in the UFED license
deactivation window, or Register UFED product/dongle in the My Products page. The following
window appears.

a. Enter the Serial number, Device ID and a name for the device (optional) as they appear in the
Cellebrite Product Licensing window.
b. Click Add Device. The device is now displayed in the Active Products area in the My Products
page.
6. In the My Products page, locate the device, open the options menu and select Deactivate Device.
The following window appears.

Do not click Next until you have completed all the steps above.

7. Click Download Deactivation File and then save the file to the PC.
8. In the Software license deactivation window of the UFED application, you need to upload the
deactivation file. Click Select deactivation file and open the deactivation file. The Software license
deactivation window appears.

To complete the deactivation process, you need to upload the deactivation file to
MyCellebrite.

9. In the Software license deactivation window, click Copy path or Open Containing folder, and then
click Close.
10. Return to the Deactivation wizard in MyCellebrite and click Next. The following window appears.

11. Click Choose File and upload the deactivation file that was generated by the UFED application.
12. To activate your UFED license on another computer, follow the steps in Using a software license.

2.1.3.3. Using a network dongle

The Network dongle is connected to your organization's network and contains licenses for all the
applications purchased.

To use UFED applications with a network dongle:


1. Start the UFED application. If the network dongle is connected to the network, the application starts
and the user can start working immediately.
If the network dongle is not recognized, the Cellebrite Product Licensing window appears.

2. Click Network. The following window appears.

If a dongle was not found on the network, make sure that you have an Internet connection
and that a dongle is connected to the network. Then click Refresh to search for a network
dongle again.

By default, the network configuration is set to Broadcast. If required, you can manually
connect to the network dongle. Click Configure to change the network configuration to
Specific host. Enter the host name (or IP address).

If there is only one network dongle it will be selected automatically. If there are multiple
network dongles, select the required dongle from the list and click Apply.

Congratulations, your application is now ready!



2.1.4. Starting UFED Analytics Desktop


To start UFED Analytics Desktop:
• Select Start > All Programs > Cellebrite Mobile Synchronization > UFED Analytics Desktop > UFED
Analytics Desktop.
• Double-click the UFED Analytics Desktop shortcut on your desktop.
The UFED Analytics Desktop main page appears.

The Recent cases view lists all the cases available in the application, sorted by creation date.

2.2. Analyzing data sources


UFED Analytics Desktop supports multiple types of data sources:
1. UFDR report files generated by UFED Physical Analyzer, UFED Logical Analyzer, and UFED Cloud
Analyzer.
2. XML report files generated by Micro Systemation XRY.

UFED Analytics Desktop supports XRY extended XML reports.

3. CSV, XLS, XLSX, and TXT files that contain calls, SMS, MMS and location data generated by an
external data source (CDR).

Open multiple report files to analyze the links between them.

A case can include up to 500,000 events from mobile devices (logical, file system, physical
extractions from UFED or XRY) or external data sources.

2.2.1. Auto merge on open


When opening a report file, the application will analyze the report content before loading. In some
cases, where the same information already exists in the workspace, the application will perform an
automatic merge of the new content with the existing content, or merge only the new content (this
occurs for example if there are two or more entities with the same phone number).

2.2.1.1. Auto merge of persons

If a person (data source owner or party) in the file being loaded has the same contact information as an
existing person, then the application will automatically merge both persons.
The result will be one person with the merged content. The original person's information will have
precedence.

You can split a merged person at a later date if required.
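
The merge rule described above, as an added sketch that is not Cellebrite's code: the Person class, normalize() and load_person() are hypothetical names, the identifier normalization and the transitive merge are assumptions, and the sample persons are constructed. It shows how a single shared identifier (for example a phone number used by two people) pulls separate persons together, which is why merged persons are worth reviewing before relying on them.

```python
from dataclasses import dataclass, field


@dataclass(eq=False)  # compare persons by identity, not by field values
class Person:
    name: str
    identifiers: set                                  # phone numbers, e-mail addresses, user IDs
    details: dict = field(default_factory=dict)
    merged_from: list = field(default_factory=list)   # provenance, needed for a later split


def normalize(identifier: str) -> str:
    """Assumed normalization: lowercase e-mail addresses, strip phone formatting."""
    ident = identifier.strip().lower()
    if "@" in ident:
        return ident
    return "".join(ch for ch in ident if ch.isdigit() or ch == "+")


def load_person(workspace: list, incoming: Person) -> Person:
    """Add `incoming` to the workspace, merging it into any person sharing an identifier."""
    incoming.identifiers = {normalize(i) for i in incoming.identifiers}
    matches = [p for p in workspace if p.identifiers & incoming.identifiers]
    if not matches:
        workspace.append(incoming)
        return incoming

    target = matches[0]  # the original (earliest loaded) person keeps precedence
    for other in [incoming] + matches[1:]:
        for key, value in other.details.items():
            target.details.setdefault(key, value)     # never overwrite original values
        target.identifiers |= other.identifiers
        target.merged_from.append(other.name)
        target.merged_from.extend(other.merged_from)
        if other in workspace:                         # a previously separate person was bridged
            workspace.remove(other)
    return target


def demo():
    """Constructed sample: the third person bridges the first two via phone and e-mail."""
    workspace = []
    load_person(workspace, Person("Alex Doe", {"+1 (555) 010-0100"},
                                  {"role": "data source owner", "city": "Springfield"}))
    load_person(workspace, Person("Sam Roe", {"sam@example.org"}, {"role": "party"}))
    merged = load_person(workspace, Person("A.D.", {"+15550100100", "SAM@example.org"},
                                           {"city": "Shelbyville", "nickname": "AD"}))
    return workspace, merged


if __name__ == "__main__":
    workspace, merged = demo()
    print(len(workspace), merged.name, merged.details, merged.merged_from)
```

The `merged_from` list is what makes a later split possible: without it, the merged record no longer shows which source contributed which identifier.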



2.2.2. Creating a new case


The case wizard enables investigators to easily create a new case with relevant case information and
to upload multiple data sources. Investigators can also merge or split data sources and activate Watch lists
for the case.

To create a new case:


1. Click New. The following window appears.

2. Enter or select the following information: Case number (mandatory field), Case name (mandatory
field), Department, Organization, Investigator (mandatory field), and Crime type (mandatory field).

Every Crime type that you enter will be added to the list for future cases.

3. Click Next. The following window appears.



4. Click Add data source to open a browser window and select the data sources you would like to add
or drop files and folders into the area indicated. You can select multiple data sources and assign
them to a single or multiple suspects/victims.
You can add the following file types: Cellebrite report package (UFDR), Micro Systemation extended
XRY (XML) and external data sources (TXT, XLS, XLSX, CSV).

The Open Data Source window enables you to specify how you would like to add the new
data source. That is, create a new person for each selected file (default), or create a single
new person for all the selected files.

The following window appears.

To edit the person's details, right-click on the person and click Properties.

5. If required, select the data sources that you would like to merge, and click Merge with. Then, select
the data source into which the data should be merged. Use the button to split merged data
sources.

The merged files will be combined into a single file. This file cannot then be split into
separate files after you click OK. Use this option only if you are sure that all the files belong to
a single entity.

6. Click Next. If the system already includes Watch lists, the following window appears:

This window enables you to activate previously saved Watch lists for the case. To create a
new Watch list, see Creating Watch lists.

7. Click Create. The case creation process starts, which can take a long time depending on the data
sources selected. An example is displayed next.

The workspace enables you to easily navigate between the graph view, the timeline, and the
map. The Graph view, the Timeline view, and the Map view are all based on the same data set
and filters.

2.2.3. Displaying and editing the properties of a person


To display a person's properties:

Mouse over a data source owner or party in the Filters Pane or in the links diagram. The following
window appears.

View the person's details, cloud data, activities, and merged party information (if relevant).

To edit a person's properties:

1. Click the Edit person button in the properties window. The Person details window appears.

3. Edit the displayed information or add additional information as desired.


4. To add an image:
a. Click .
b. In the Open dialog box, navigate to the location of the image.
c. Select the file, and then click Open.

To remove the image, click .

5. If relevant, click Add field to add more information.



6. Click OK.

2.2.3.1. Displaying a data summary

The data summary pane summarizes device data and activities for each person.
• Details - displays all contact and user ID information for each person, including email addresses,
phone numbers, and social media user IDs.
• Data - displays the total number of unique entity identifiers recorded in the device, per category.
• Activities - displays the total number of activities per activity directory category.
• Merged persons - displays the details of each merged person, when relevant.

To view a data summary:


1. In the Data source owners filter, mouse over the name of the desired person.

2. Click on the Details, Data, or Activity types (or Merged persons, when relevant) to see the information
displayed in the Details area. Double-click on a data or activity type to open a detailed information
table in a new tab.

2.2.3.1.1. Data

Includes a number representation for each type.

Type / Description | Available Views
Applications installed and deleted from the device | Table view
Passwords | Table view
Maps | Table view and Map view (includes zoom)
User dictionaries | Table view and User dictionary view
Contacts | Table and Contact view
Phone numbers | Table view
Email Addresses | Table view
User accounts | Table view
MAC addresses | Table view
Bluetooth | Table view
Web bookmarks | Table and Web bookmark view
URLs | Table view


2.2.3.1.2. Activities
Includes a number and bar graph representation for each type.

Type / Description | Available Views
Search items | Table view and Searched items view
Applications usage | Table view and Applications usage view
Text files | Table view and Text file reader view (includes find and zoom options)
Audio files | Table view and Audio file player view (includes stop, play, pause, and volume)
Web history | Table view and Web history view
Notes | Table view and Note view (options for Left to right, Right to left, HTML, and Plain Text)
Applications installed | Table view and Application installation
Video file | Table view and Video file player view (includes stop, play, pause, and volume)
Image files | Table view and Image file viewer
Calendar entries | Table view and Calendar entry view
Calls | Table view and Call view
SMS messages | Table view and SMS message view
MMS messages | Table view and MMS message view
Email messages | Table view and Email message view
Chats | Table view and chat view
Locations | Table view and Location view
Wireless connections | Table view and Wireless connection view

2.2.4. Adding a Micro Systemation XRY file to a project


To add XRY files to a project:
1. From the Data Sources Ribbon group, click Edit data sources, then in the Data Sources window click
Add data source and choose Micro Systemation XRY XML.

You can also add Micro Systemation XRY XML files from the New Case Wizard.

2. In the Open dialog box, navigate to the location of the report file.
3. Select the file, and then click Open.
4. Repeat these steps to add additional XRY reports (persons) to the project, as required.

2.2.5. Adding a Call Detail Record file


You can add Call Detail Record (CDR) files generated by an external data source.

To add CDR files to a project:


1. From the Data Sources Ribbon group, click Edit data sources, then in the Data Sources window click
Add data source and choose External data source (calls, SMS etc.).

2. In the Open Data Source dialog box, navigate to the location of the report file.
3. Select the file, and then click Open.
4. The Add Data Source wizard appears. UFED Analytics Desktop will analyze the input file and
determine the best method of interpreting the content of the file.

If the file content matches a known predetermined format (a preset) then the system
chooses it automatically for you. This prevents interruptions when selecting multiple files.

You can choose to:


• Use the suggested preset
• Use one of the other presets available
• Create your own custom format to be used when reading this file

If you use the suggested preset or choose from an existing preset, when the data is loaded, click
Finish and skip to the end.
5. When you choose Start a new mapping, use the Add Data Source wizard to define the formats
and locations of the various pieces of information in the file. You can click Back or
Next at any time during the process to review and change formatting choices.
a. Choose the type of content you are importing. The choices are:
• Calls
• SMS Messages
• MMS Message
• Locations

The type chosen will determine what columns of information UFED Analytics Desktop will look for in
the file being imported.

In this screen you also indicate:
• If there is a header row
• What row the header starts on and how many rows it contains
• What row the content starts on
Appropriate use of these settings allows for exclusion of "extra" information located at the top of the
file which is not useful to the file load process.
b. Click Next to go to next step in the Add Data Source wizard.
6. If you choose a data type of Calls, the following window appears:

If you choose a data type of SMS messages, the following window appears:

If you choose the data type of MMS messages, the following window appears:

If you choose the data type of Locations, the following window appears:

7. Drag the headers to the correct columns, as indicated. The format definition of the header will
determine how the column is formatted. Unless otherwise indicated, all columns are imported as
text.

Column headers enclosed in shaded area are required.

Some columns have special formatting options - for example the date column:

and the time column:



8. Click Finish. You will be prompted to save your new preset file:
Analysis tabs open in the UFED Analytics Desktop workspace. By default, the Links tab is displayed.
The Link filters in the filters pane are updated to include the event types found in the opened report(s).
9. Repeat previous steps to add additional files (persons) to the project.
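
What a mapping preset has to capture (header row, content start row, column assignment, required columns and date/time format) can be seen in a small parser. This is an added example, not the application's code or file format: the preset keys, column names and CDR sample are constructed for illustration. Columns other than date and time stay text, as in the wizard.

```python
import csv
import io
from datetime import datetime

# Constructed sample: three rows of "extra" information, then header and content.
SAMPLE_CDR = """\
Carrier export - constructed sample
Account: 0000 (placeholder)

Date,Time,Calling Number,Called Number,Duration (s)
03/09/2016,14:05:10,+15550100100,+15550100200,65
03/09/2016,14:20:00,+15550100200,+15550100100,12
04/09/2016,,+15550100100,+15550100300,30
"""

# Hypothetical preset structure; row numbers are 1-based as an analyst would count them.
CALLS_PRESET = {
    "content_type": "Calls",
    "header_row": 4,
    "header_rows": 1,
    "content_row": 5,
    "columns": {"date": "Date", "time": "Time", "from": "Calling Number",
                "to": "Called Number", "duration": "Duration (s)"},
    "required": ["date", "time", "from", "to"],
    "date_format": "%d/%m/%Y",
    "time_format": "%H:%M:%S",
}


def load_cdr(text, preset):
    """Return (events, rejected); rejected holds (row number, reason) for review."""
    if preset["content_row"] < preset["header_row"] + preset["header_rows"]:
        raise ValueError("content row overlaps the header rows")
    rows = list(csv.reader(io.StringIO(text)))   # blank lines stay as [] so row numbers hold
    header = [cell.strip() for cell in rows[preset["header_row"] - 1]]

    index = {}
    for name, column in preset["columns"].items():
        if column in header:
            index[name] = header.index(column)
        elif name in preset["required"]:
            raise ValueError(f"required column {column!r} not found in header row")

    stamp_format = preset["date_format"] + " " + preset["time_format"]
    events, rejected = [], []
    first = preset["content_row"]
    for row_no, row in enumerate(rows[first - 1:], start=first):
        if not any(cell.strip() for cell in row):
            continue                              # skip empty lines inside the content
        try:
            record = {name: row[i].strip() for name, i in index.items()}
            missing = [name for name in preset["required"] if not record.get(name)]
            if missing:
                raise ValueError(f"missing {missing}")
            when = datetime.strptime(record["date"] + " " + record["time"], stamp_format)
        except (ValueError, IndexError) as exc:
            rejected.append((row_no, str(exc)))   # keep the row number for the case notes
            continue
        events.append({"type": preset["content_type"], "timestamp": when,
                       "from": record["from"], "to": record["to"],
                       "duration": record.get("duration", "")})  # imported as text
    return events, rejected


if __name__ == "__main__":
    events, rejected = load_cdr(SAMPLE_CDR, CALLS_PRESET)
    for event in events:
        print(event)
    print("rejected:", rejected)
```

The date format deserves the most care when defining a preset: `03/09/2016` parses without error as 3 September or as 9 March depending on the format chosen, which silently shifts events on the timeline.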

2.3. Overview of the workspace


The UFED Analytics Desktop workspace contains visualization tools and filters designed to help you
analyze and evaluate the links between your suspects/victims.

The workspace contains the following areas:


1. File menu: Contains project management commands, as well as access to UFED Analytics Desktop
settings and help. For more information, see File menu.
2. Application Ribbon: Includes quick access to commonly used functions, graph layout tools and
Watch list tools. For more information, see Application ribbon.
3. Analysis area: Contains tabs and panes showing links and locations:
• Filters pane: Use the filter pane in each tab to filter the data shown. For more information, see
Filters.
• Data area: View your data in Graph, Map, and Timeline views. You can open most of the tabs as
many times as required.
• Information table: Lists the information shown in the data area.
• Details pane: Shows more details about a highlighted event. Includes Item, Adjacent events, and
Conversation tabs. For more information, see Details pane.
You can also open search results, Watch lists results, and person details tabs which display
information in a table.
For more information, see Working with the link diagrams, Analyzing locations, and Analyzing timelines.

2.3.1. Workspace layout


All tabs and panes in the workspace are dockable, and can be rearranged as desired.
To rearrange the layout, you have several options:
• Drag and drop the tabs and panes to be rearranged,
• Right-click the tabs and panes to be rearranged, and choose an option from the list,
• Or use the predefined layouts on the View Ribbon.

The layout may be arranged to view the Graph, Timeline, and Map simultaneously, as shown below:

2.3.2. Using the workspace


• To open a new workspace, click the Workspace button on the Home Ribbon.

A new workspace is opened. If one or more workspaces are already open, they will not be closed.

• To copy a workspace, click the Duplicate active view button on the View Ribbon.

A duplicate workspace is opened.

• To rename a workspace tab, click the Rename view button on the View Ribbon, or press F2.

Multi-screen environment: You can now analyze multiple views related to the same
investigation in parallel. For example, you can view the Graph view on one screen and the Map
view on another screen.

2.4. Performing a global search


The Search field at the top of the workspace enables you to perform a global search for data (for
example messages, content etc.) within the entire workspace (all persons).

To perform a global search:


1. Enter the string you want to search for in the Search field.
The matching results are displayed by data type in a Search Results tab in the Data area.

2. In the left panel of the Search Results tab, click the item type to display the matching results in the
table.
3. To sort the table according to the data in a particular column in ascending order, click the column
heading. Click again to change the sorting order from ascending to descending.

3. Filters
Filter the data by selecting data types to display.

• Data source owners: Choose which data source owners' information to display.
• Timeframes: Choose to display events within a defined period of time.
• Parties: Choose to display parties that are connected to displayed data source owners.
• Types: Choose the content types (calls, chats, contacts, images, locations, etc.) to display.
• Origins: Choose to display data based on the source from which the data originated.
• Watch lists: Filter using predefined Watch lists that use keywords to identify important information.
• Extracted categories: Choose to view text data categorized by type.
• Mutual locations: Define a maximum radius and time to be considered as mutual locations.
• Linked data source owners: Choose the minimum number of connections between persons to view,
based on mutual connections with parties.
• Links: Define the minimum types of activities between persons to view.
• Tags: Display user-tagged content.
• Image Analytics tags: Choose images categorized by subject.

Sort the filters by name or by number of hits by clicking on the button to the right of the
filter name.

3.1. Data source owners filter


Filter the data by selecting the data source owners you wish to link.

The workspace is updated accordingly.

To view a person's details, activities, and data sources:


• Mouse over the person. The following window appears.

Sort the filters by name or by number of hits by clicking on the button to the right of the
filter name.

3.2. Timeframes filter


Filter the data by selecting the timeframe you wish to search.

To set a timeframe filter:

1. In the Timeframes area in the Filters pane, click . The Timeframes options appear.

2. In the From and To boxes, enter the desired date or click , and select the desired date from the
calendar.
3. Enter, or use the arrows to set the desired hour.
4. Click to apply the filter.

The workspace is updated accordingly - only events that occurred within the selected timeframe are
displayed.

To add an additional timeframe filter, click again.

To delete a timeframe filter, click .

3.3. Parties filter


Filter the data by selecting the parties you wish to search for links with.

The workspace is updated accordingly.

Sort the filters by name or by number of hits by clicking on the button to the right of the
filter name.

3.4. Types filter


Filter the data by selecting the content types (calls, chats, contacts, images, locations, etc.) to view.

The workspace is updated accordingly.

Sort the filters by name or by number of hits by clicking on the button to the right of the
filter name.

3.5. Origins filter


Filter the data by selecting the content origin types (Facebook, Twitter, WhatsApp, Google, Dropbox,
etc.) to view.

The workspace is updated accordingly.

Sort the filters by name or by number of hits by clicking on the button to the right of the
filter name.

3.6. Advanced filters


Advanced filters list the number of relevant hits out of the total hits.
In addition to enabling the quick extraction of relevant data, advanced filters enable the investigator to
double-check whether important information may have been left out during the filtering process.

3.7. Watch list filter


Filter the data with pre-defined Watch lists.

The workspace is updated accordingly.

To create a new Watch list, see Creating Watch lists (on page 85).

3.8. Extracted categories filter


The Text Analytics feature automatically applies natural language processing to all textual data in the
system and tags events and terms related to specific topics of interest, including web addresses,
persons, locations, nationality, and money.
Filter the data using the Extracted categories filter in the Filters Pane.

The workspace is updated accordingly.

For more information, see Text analytics (on page 58).

3.9. Mutual location filter


You can define what the system considers a mutual location.
To define mutual locations, select the maximum distance and amount of time to be considered a
mutual location.

The workspace is updated accordingly.
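
The following is an added illustration, not part of the manual and not Cellebrite's implementation. It reads the two parameters as a pairing rule: a location fix from each data source owner forms a mutual location when the great-circle distance is within the maximum radius and the timestamps are within the maximum time. The function names, the pairing rule and the sample coordinates are assumptions.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in meters


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def mutual_locations(fixes_a, fixes_b, max_radius_m, max_gap):
    """Pair fixes of two owners that are close in both space and time.

    Each fix is (timestamp, latitude, longitude). Returns a list of
    (timestamp_a, timestamp_b, distance_in_meters) tuples.
    Assumed rule: distance <= max_radius_m and |time gap| <= max_gap.
    """
    fixes_b = sorted(fixes_b)
    pairs = []
    for ta, lat_a, lon_a in sorted(fixes_a):
        for tb, lat_b, lon_b in fixes_b:
            if tb < ta - max_gap:
                continue            # too early for this fix of owner A
            if tb > ta + max_gap:
                break               # sorted input: all later fixes are too late
            dist = haversine_m(lat_a, lon_a, lat_b, lon_b)
            if dist <= max_radius_m:
                pairs.append((ta, tb, round(dist)))
    return pairs


# Constructed sample fixes (not real case data). 0.001 degrees of latitude
# is roughly 111 m, so the 10:00 and 10:20 fixes are about 111 m apart.
OWNER_A = [
    (datetime(2016, 9, 1, 10, 0), 52.0000, 13.0000),
    (datetime(2016, 9, 1, 14, 0), 52.0000, 13.0000),
]
OWNER_B = [
    (datetime(2016, 9, 1, 10, 20), 52.0010, 13.0000),
    (datetime(2016, 9, 1, 18, 0), 52.0000, 13.0000),
]

if __name__ == "__main__":
    # Tight settings return one pair; a 5-hour window returns three.
    for radius, gap in ((150, timedelta(minutes=30)), (150, timedelta(hours=5))):
        print(radius, gap, mutual_locations(OWNER_A, OWNER_B, radius, gap))
```

Widening either threshold increases the number of pairs quickly, so record the radius and time used alongside any mutual location finding.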

3.10. Linked data source owners filter


Filter the data by the minimum number of data source owners that displayed parties are connected to.
In the Linked data source owners Filter area in the Filters pane, click and select the minimum number
of Data source owners.

The workspace is updated accordingly.

3.11. Links filter


You can filter items so that the system only displays recurring activities.
To filter links, select the minimum number of each activity that you want to display.

The workspace is updated accordingly.

3.12. Tags filter


You can filter items so that the system only displays items with the relevant tags.
To filter tags, select the tags that you want to display.
The workspace is updated accordingly.

For more information, see Managing tags (on page 93).


4. Advanced Analytics
Advanced analytics features in UFED Analytics Desktop include:
Text analytics (on the next page)
Image analytics (on page 60)

4.1. Text analytics


The Text Analytics feature automatically applies natural language processing to all textual data in the
system and tags events and terms related to specific topics of interest. The ability to automatically tag
relevant data allows for additional refinement and analysis.

To manage the text analysis feature:


1. Click the Manage Categories button on the Home Ribbon.

The Manage categories window appears.



2. Choose the categories to be displayed, and their colors. The chosen color will be displayed when
viewing data in this category.
3. Filter the data using the Extracted categories filter in the Filters Pane.

4. View the results in the Timeline tab.



4.2. Image analytics


The Image Analytics feature automatically identifies black-listed images, compares digital image
signatures, and applies advanced categorization and face recognition technology. It eliminates the
need to review images one by one to identify specific subjects, reducing cycle times while maximizing
investigative resources.

To manage the Image analysis feature:


1. Click on the Review Images button on the Home Ribbon.

The Image files tab is displayed.

2. Filter the images using the Image Analytics Tags Filter.

The workspace is updated accordingly.



5. Analyzing links
Analyze the links between your persons of interest and other persons in the Graphs tab.
Working with the link diagrams (on the next page)
Analyzing timelines (on page 71)
Details pane (on page 74)
Working with Parties (on page 79)
Data by type (on page 83)

5.1. Working with the link diagrams


The link diagram in the Graph tab shows the selected data source owners and their linked parties.

UFED Analytics Desktop views


To change the types of links to view, use the Linked data source owners filter:
• Linked to at least 1 data source owner shows all the selected Data source owners, and all their linked
parties.

• Linked to at least 2 data source owners shows all the selected Data source owners, and their mutual
linked parties.

To change the selected person, double-click the desired person in the Persons table at the
bottom of the tab to focus the view on the new person, and click the desired person.

To enlarge the link diagram, click in the Persons table to collapse the table in this project
area. Click again to display the table. You can also minimize the application Ribbon: right-
click the Ribbon and select Minimize the Ribbon, click on the Ribbon, or press Ctrl+F1.

Persons table
The lower section of the links tabs shows a table of all the filtered persons and activities displayed in the
link diagram. For more information, see Working with the Persons table (on page 80).

Double-click the desired person in the Persons table to focus the view on the selected person in
the link diagram.

5.1.1. Changing the diagram layout


Change the diagram layout according to your preference.
On the View ribbon, in the Layout group, select one of the following:
• Horizontal - horizontal configuration

• Vertical - vertical configuration

• Radial - radial configuration


The workspace is updated accordingly.

The graph can support a maximum of 1,000 links. If there are more than 1,000 links to be
shown, the graph view will show only the first 1,000 links and the icon will appear. Filter
out irrelevant data to view the rest of the results.

5.1.2. Navigating the diagram


Navigate the link diagram on the diagram itself, or by using the Navigator.

To open the Navigator, click the .

The Navigator appears:

Perform the following actions on the diagram or Navigator to navigate the link diagram:
• To zoom in and out of the diagram, use the mouse scroll button, or in the View ribbon click the
Zoom in and Zoom out buttons.
• To pan the diagram, hold CTRL and drag the mouse to the desired location.
• On the diagram, to move the display left, right, up, or down, use the scroll bar.
• On the Navigator, re-size the rectangle.

5.1.3. Rearranging the diagram


You can change the arrangement of the diagram by moving and locating persons anywhere in the
diagram, as desired.
To rearrange the layout of the link diagram, drag a Data source owner or Party to a different location.
The workspace is updated accordingly.

5.1.4. Working with links


About link lines:

Each connection line has a meaning:


• A black line indicates a direct connection between persons.
• A thick line indicates a large number of events between the parties. The thickness of the line
changes according to the activities as follows:
   - 1-50 activities (not including contacts): Normal line
   - 51-100 activities (not including contacts): Semi-strong line
   - 101-500 activities (not including contacts): Strong line
   - >500 activities (not including contacts): Very strong line
• A continuous line indicates a connection where there were events between the party and the data
source owner.
• A dotted line indicates a connection where the party appears in the data source owner's contact list
but there were no other events between them.

About link arrowheads:

Each connection line has an arrowhead that represents the type of connection between the data
source owner and the party:
• Pointing toward the data source owner: Incoming connection (i.e. phone calls made to that data
source owner and messages sent to him from that party).
• Pointing toward the party: Outgoing connection (i.e. phone calls dialed and messages sent by the
data source owner to the party).
• Pointing both ways: Both incoming and outgoing connections.
• No arrows: Means the direction is irrelevant (for example, contacts) or unknown.

About link labels:

Click a person to view a label in the center of the link line that displays a summary of the connections
made.

Bluetooth devices

Calendar entry

Calls

Chats

Chat messages

Contacts

Email messages

SMS messages

Wireless connections

To view detailed information:


• Double-click a link to display a link timeline that provides detailed information about the
connection(s).

Each type of connection (contact, SMS, MMS, email, chat message, chat, or call) is displayed in a
different tab, listing each connection entity.

Multi-view: You can now open multiple views of links and maps in parallel to take different
investigation paths.

5.1.5. Graph tools ribbon


When viewing a graph, a contextual tab is displayed.

The Snapshot button allows you to take snapshots of the workspace.

To take a snapshot:
1. Click the Snapshot button. A Save Graph Snapshot window appears.
2. Enter a name for the snapshot.
3. Navigate to the desired location and click Save.

Link diagrams are saved as a picture file (*.png).

The Export to Microsoft Excel button allows you to save the filtered data as an Excel file (.xls).

To export to Microsoft Excel:


1. Click the Export to Microsoft Excel button. A Save As window appears.
2. Enter a name for the exported file.
3. Navigate to the desired location and click Save.

5.2. Analyzing timelines


The Timeline tab displays the events of the selected persons in chronological order.
Understand the course of events and data flow between persons of interest - Data source owners and
Parties.
Change the types and amounts of data using Filters (on page 48).

Change the timeline view using the predefined layouts on the View Ribbon:

To view the Timeline, Graph and/or Map tabs simultaneously, see Workspace layout (on page 43).

Events without a date are listed at the end of the Timeline.



5.2.1. Media tools ribbon


When viewing media, a contextual tab is displayed.

• The Open with default program button opens the media with a default program.
• The Export button allows you to save the media file in a new location.
• The View media button opens the media in a new tab.
When viewing images, a new contextual tab is displayed.

• The Export button allows you to save the image file in a new location.
• The Rotate button allows you to rotate or flip the image.
• The Contrast button allows you to change the image's contrast and brightness.
• The Sharpen button allows you to sharpen the image.
• The Undo and Redo buttons allow you to undo and redo changes made to the image.

5.3. Details pane


The Details pane displays more details about the selected event. The details tabs include:
Item tab (on the facing page)
Adjacent events tab (on page 76)
Conversation tab (on page 77)

5.3.1. Item tab


The Item tab displays all stored information about the event.

The data source type for each event is indicated.

Click to set the text direction.



5.3.2. Adjacent events tab


The Adjacent events tab displays events of all types that occurred adjacently to the selected event,
enabling the investigator to view a comprehensive list of events that occurred around the time of the
selected event.

5.3.3. Conversation tab


The Conversation tab displays communication-based data, such as call logs, email, SMS and MMS
messages, and so on, that occurred within two hours of the chosen event, enabling easier and better
tracking of the communication between two or more persons.

5.4. Working with Parties


Parties are the persons with whom the Data source owner has interacted.
You can work with parties in the following ways:
• Highlight links between Data source owners and a particular Party in the Graph tab. See Highlighting
a person's links (below).
• Split the Party and its contact information. See Split persons (on page 110).

5.4.1. Highlighting a person's links


• Click a person in the Graph tab to highlight its links.

When a link is highlighted, a link timeline opens.



5.4.2. Working with the Persons table


The Persons table lists the persons of the currently displayed link diagram in table format.

The table contains information such as:

Name              Contact name.
Phone numbers     Contact phone number(s).
Email addresses   Contact email address(es).
User IDs          IDs for applications such as Facebook, Skype, and so on.
<PERSON>          Multiple columns based on the number of selected persons. Shows the total number of
                  links between this person and the listed person.

Click the column headings to sort the table in ascending or descending order.

To search the table for any string:


• In the Persons table, enter the string you want to search for in the Search field.
Only the matching results are displayed in the table.

To locate a person in the links diagram:


• In the Persons table, right-click an entity and select Highlight person, or double-click the row.
The person is highlighted in the links diagram.

5.4.3. Viewing a timeline for a person


1. In a link diagram in the Graph tab, select the person with events that you want to view as a timeline.
2. Right-click and select show person timeline. The timeline tab appears.

3. Filter the timeline, as desired.

Persons timelines and graph timelines do not filter by parties.



5.5. Data by type


The Data by type button adds a new tab with all items sorted by type in a table format.
The Type filter includes data types such as: Calls, Chats, Contacts, Image files, Locations, and Passwords.
The list will vary based on the data found in your case.
Use the Type filter to select the required data type.

A new tab is opened. You may filter the data listed using the Filters pane.

6. Watch lists
A Watch list is a list of keywords that can be used as search criteria. The criteria will be used when
searching in extracted data to identify and highlight important and relevant information.

Up to 100 keywords can be added to each Watch list.

Up to 500 Watch lists can be created.

The Watch list search can be activated automatically, or run manually.


Watch lists are managed in UFED Analytics Desktop using the tools available on the Home Ribbon.

6.1. Creating Watch lists


To create a new Watch list:
1. Click the Manage button in the Watch lists section of the Ribbon. The following window appears.

2. Click Add. The following window appears.

3. Enter a Name for the new Watch list - this name will be used when taking any action on the Watch
list - e.g., activation, deactivation, deletion, export.
4. Enter a Description for the new Watch list - this is useful to give a detailed description of the purpose
of the Watch list.
5. Choose a color for the new Watch list - this color will be used when viewing data while using this
Watch list.
6. The keyword data table has an empty row at the end for entering new keywords. Enter keywords
and press Enter after each keyword to open a new row.

7. Add and delete keywords as required. If a keyword appears in multiple Watch lists and the keyword is
found in data being searched, then the color from the last Watch list will be used to show the
keyword in the data.
For each keyword, indicate:
• Use wildcards: This setting allows for the use of wildcard characters in the keywords.
  The following wildcard characters are allowed:
  ? Use the question mark (?) to represent exactly one character. All of the other characters specified
  are required in matching strings. For example, co?caine matches cocaine (where the ? replaces one
  character).
  * Use the asterisk character (*) to represent zero or more characters. For example co* matches strings
  such as cocaine, coke, coco.
• Whole word: This will result in exact matches for the keyword, and will not match on words
where your keyword is part of a longer word.
• Match case: This will result in the search being case-sensitive.
Examples:

Setting             Searched text    Result
wildcards - yes     apple            Match
wildcards - yes     ale              No Match
wildcards - no      able             No Match
wildcards - no      agdsfggsfgle     No Match

Setting             Searched text    Result
whole word - yes    Myapple          No match
whole word - yes    My apple         Match
whole word - no     Myapple          Match
whole word - no     My apple         Match

With the combined use of these criteria, powerful search criteria can be defined.
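
The following added example (not part of the manual and not the product's own code) models the three keyword options, the one-keyword-per-line .txt import format, the 100-keyword and 500-list limits, and the rule that the last Watch list's color wins. Assumptions: wildcards do not match across whitespace, searches are case-insensitive unless Match case is set, and the keywords `a??le`, `apple` and `coke` used with it are constructed, not taken from the manual.

```python
import re
from dataclasses import dataclass, field

MAX_KEYWORDS = 100      # per Watch list, as stated in the manual
MAX_WATCH_LISTS = 500   # total Watch lists, as stated in the manual


@dataclass(frozen=True)
class Keyword:
    text: str
    use_wildcards: bool = False
    whole_word: bool = False
    match_case: bool = False


@dataclass
class WatchList:
    name: str
    color: str
    keywords: list = field(default_factory=list)


def keyword_to_regex(kw):
    """Translate one keyword and its three options into a compiled regex."""
    parts = []
    for ch in kw.text:
        if kw.use_wildcards and ch == "?":
            parts.append(r"\S")          # exactly one character
        elif kw.use_wildcards and ch == "*":
            parts.append(r"\S*?")        # zero or more characters
        else:
            parts.append(re.escape(ch))  # everything else is literal
    body = "".join(parts)
    if kw.whole_word:
        # Reject hits that are embedded in a longer word.
        body = r"(?<!\w)" + body + r"(?!\w)"
    return re.compile(body, 0 if kw.match_case else re.IGNORECASE)


def find_spans(kw, text):
    """Return (start, end) offsets of every non-empty hit of kw in text."""
    return [(m.start(), m.end())
            for m in keyword_to_regex(kw).finditer(text)
            if m.end() > m.start()]


def matches(kw, text):
    return bool(find_spans(kw, text))


def load_txt_watch_list(name, color, text, **options):
    """Build a Watch list from .txt content: one keyword per line."""
    words = [line.strip() for line in text.splitlines() if line.strip()]
    if len(words) > MAX_KEYWORDS:
        raise ValueError(f"{name}: more than {MAX_KEYWORDS} keywords")
    return WatchList(name, color, [Keyword(w, **options) for w in words])


def find_hits(text, watch_lists):
    """Return sorted (start, end, matched_text, list_name, color) tuples.

    Lists are applied in order, so a span hit by several Watch lists ends
    up with the name and color of the last one.
    """
    if len(watch_lists) > MAX_WATCH_LISTS:
        raise ValueError(f"more than {MAX_WATCH_LISTS} Watch lists")
    hits = {}
    for wl in watch_lists:
        if len(wl.keywords) > MAX_KEYWORDS:
            raise ValueError(f"{wl.name}: more than {MAX_KEYWORDS} keywords")
        for kw in wl.keywords:
            for span in find_spans(kw, text):
                hits[span] = (wl.name, wl.color)
    return [(s, e, text[s:e], name, color)
            for (s, e), (name, color) in sorted(hits.items())]


if __name__ == "__main__":
    # Constructed sample data, not taken from the manual.
    first = load_txt_watch_list("First", "red", "coke\nco?e\n", use_wildcards=True)
    second = WatchList("Second", "blue", [Keyword("coke", whole_word=True)])
    for hit in find_hits("Bring the Coke and the code tonight", [first, second]):
        print(hit)
```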

6.2. Editing Watch lists


To edit an existing Watch list:
1. Click the Manage button in the Watch lists section of the Ribbon. The following window appears.

2. Click the Watch list that you want to edit. You can now:
• Change the Name for the chosen Watch list.

• Change the Description for the chosen Watch list.

• Change the Color for the chosen Watch list.

• In the right side of the screen, enter or delete one or more words or strings to be included as
keywords in this Watch list.
• Click on an existing keyword to change it.

6.3. Deleting Watch lists


To delete an existing Watch list:
1. Click on the Manage button in the Watch lists section of the Ribbon. The following window appears.

2. Select the Watch list that you want to delete and click . You may delete multiple Watch
lists in this way.
The delete action will take effect as soon as this screen is closed with the OK button. If you click
Cancel, all delete actions will be ignored and the Watch list(s) will NOT be deleted.

6.4. Importing and exporting Watch lists


The export and import functions enable you to share Watch lists with, and receive Watch lists from,
your colleagues.
Import existing Watch lists (*.csv files) that have been created outside of UFED Analytics Desktop or
shared with you. UFED Analytics Desktop also supports .txt files with every keyword on its own line.
Click on the Manage button in the Watch lists section of the Ribbon. The following window appears.

To import an existing Watch list:

• Click . You will be presented with a file dialog and can browse to the appropriate
location and choose the file to import (must be a .csv file).

If an imported Watch list already exists, the new Watch list will be added with a numeric
extension.

A maximum of 500 Watch lists can be saved at a time.

To export an existing Watch list:

• Select the Watch list and click . You will be prompted to provide the destination folder.
The Watch list is then extracted to a .csv file in the selected folder.

6.5. Activating and deactivating Watch lists


To activate or deactivate a Watch list:
1. Click on the Activate button on the Ribbon.
You will be presented with the following screen:

A list of the currently available Watch lists is presented. This list is made up of Watch lists previously
added or imported. Each Watch list is shown with its Name and the color used to display results.
2. Select the check box next to each Watch list that you want to activate or deactivate.
3. Click Apply to apply this action.

Activating a Watch list makes it available for filtering. Filtering by Watch list is performed when
Watch list filters are applied.

6.6. Viewing Watch list results


Watch list results are viewable in two ways:
1. While viewing any Data or Activity, the matching keywords will be highlighted in the color of the
Watch list.
2. To view the Watch list results as a comprehensive list, click the View Results button on the Watch list
Ribbon - all Data and Activity that has matching keywords will be displayed as follows:

7. Managing tags
While reviewing events and contacts, the investigator can tag these items for future reference. Each
item can have multiple tags. Tags are managed at the application level and not at the project level.
This means that the tags are available for all projects and not only the project in which the tag is
created.
Adding tags (on the next page)
Editing tags (on page 97)
Deleting tags (on page 97)
Applying tags (on page 98)

7.1. Adding tags


A tag name must be unique, and can only include alphanumeric characters and ordinary brackets ().
Special characters such as: []{}!@#$%^&* cannot be used. The system does include several predefined
tags:
• Important
• Irrelevant
• Need to follow

To add a new tag:

1. From the Tagging ribbon group, click .


The following window appears.

2. Enter the name for the new tag and click the button or press ENTER. The new tag is displayed in
the list.

3. Optional: Choose a hotkey from the list for future use.


4. Click OK.

You can use the search box to search for a specific tag. Start typing the name and as soon as
the system identifies a match the tag will be displayed.

You can also create new tags when applying a tag - see Applying tags (on page 98).

7.2. Editing tags


You can edit the name of all tags, which will affect all cases.

To edit a tag name:


1. In the Tag Management screen, click the required tag and edit the text.
2. Click OK.

7.3. Deleting tags


You can delete any tag, which will affect all cases. If you delete a tag that was applied to an item, that
item will no longer include the tag.

To delete a tag:
1. In the Tag Management screen, click the button of the tag that you want to delete.
2. Click OK.

7.4. Applying tags

Any item that can be tagged is indicated with an icon. An item that has been tagged is indicated
with an icon. Tags can be applied to the following items:
• Data by type table
• Timeline table
• Search table
• Link details table

To apply tags to items:


1. Select the items that you want to tag. You can select multiple items using the CTRL and SHIFT
buttons.

2. Click the button (or click the button on the Home ribbon). The following screen appears.

3. Use this screen to apply tags, search for tags, clear selected tags, create new tags, or reassign tags to
specific items.

To create a new tag, type a new tag name in the New tag box and click .

4. Click OK.

Tags are viewable in the Tags filter (on page 55).


8. Analyzing locations
Access the Map tab to view the locations that your persons of interest have visited. View multiple Data
source owners' locations on a single map. Search for specific locations, and filter the locations based on
date and time and distance between a few Data source owners' locations. Locations are represented by
a simple icon in the color you assign to the Data source owner for easy identification.

About location data (on the next page)


Navigating the map (on page 101)
Viewing offline maps (on page 102)
Markers and information windows (on page 104)

8.1. About location data


During extraction, location data is drawn from different locations within the device.
Location data can be divided into the following categories:
• Cell towers
• Wi-Fi networks
• Media locations
• GPS device data
• Navigation applications

Cell towers and Wi-Fi networks

Location data in the Cell towers and Wi-Fi network categories includes:
• GPS information - longitude and latitude
• Accuracy - radius in meters within which the device is located.
• Confidence - in %. How confident the service provider is that the device lies in
the calculated location.
• Timestamp

Media locations

Media location data is taken from the location stamp associated with each media
file.

8.2. Navigating the map


To pan (move) the map:
• Click and drag the map.
• On your keyboard, press the arrows to move the map north, south, east, and west.

To zoom the map:


• Mouse over a location and use the mouse scroll button to zoom in or out on that location.
• Double-click a location to zoom into that location.

To center the map:


• Click anywhere on the map to center the map on that location.

Geographic coordinates of the mouse location and the view scale are always displayed on the
map.

View a map overlay of a greater area to help you use the map by clicking the . The map
overlay responds to the map controls.

To switch views of a specific event between the map and timeline:

• Right-click an event on the map to locate it in the timeline:

• Right-click an event on the timeline to locate it on the map:


8.3. Viewing offline maps


View extracted locations using offline maps even without an Internet connection. The maps package
installation is required and it is available to UFED Analytics Desktop users with a valid license.
You can choose to use online or offline maps when viewing maps.

The offline maps feature uses a light Windows service that opens and listens on TCP port 3000.
To use this feature, you need to select the Install offline maps service check box during the
UFED Analytics Desktop installation process. If this service was not selected, then you need to
reinstall the application.

To download the offline maps package:


1. Login to MyCellebrite.
2. Click the Downloads tab.
3. Download the Offline maps package.

There are a number of offline map packages. You can view extracted locations on a
worldwide map, and zoom in at a higher resolution to view streets in selected continents
using offline maps.

To install the offline maps package:


1. After downloading the relevant offline maps package, in UFED Analytics Desktop, go to select Install
new maps. The following window appears.

Click to change the default location where the offline maps are installed.

2. Click Load from file to load the offline maps package. Due to the size of the file, the loading process
takes some time to complete. At the end of the loading process the following window appears.

The offline maps are now installed and ready to use. An example of an offline map is displayed next.

If you have already downloaded the offline maps with a different UFED product, you can use the
same map packages.

8.4. Markers and information windows


Markers signify the location where a person's device registered.
The color of the marker signifies which person was registered at a particular location. At a low zoom
level, markers show the approximate location, and may include the data of more than one person.
The following markers are examples of the types of markers that are displayed in the map:

At low zoom level, this marker displays a number of recorded locations in a particular area.
The marker may include the data of more than one person, as shown by more than one color
in the marker. Zoom in to split the marker. Markers that do not split at high zoom indicate one
location.

Indicates the location of the cell tower that registered the person's device.

Indicates the location of the Wi-Fi network receptor that registered the person's device.

Indicates the recorded location of a media object.

Indicates that the category of the location is unknown.



8.5. Map tools ribbon


When viewing a map, a contextual tab is displayed.

• The Provider button allows you to switch between road view and aerial view.
• The Work offline button allows you to work with the map without an internet connection. Offline
maps must be previously installed to use this function.
• The Install new maps button downloads Cellebrite's offline maps package for offline use.

8. Persons management
Persons are created when a report file is loaded. Persons may be merged and merged persons may, in
some cases, be split back to their original state.
Merge persons (on the facing page)
Split persons (on page 110)

8.6. Merge persons


When investigating a person with multiple mobile devices, the person's information will come from
multiple data sources. Merging allows for information from two (or more) data sources to be merged
into one person record. Persons with mutual details will be merged even in single data sources.
Merging is done at a project level - this means that regardless of where the merge was initiated, the
person is merged in all views.

To merge a party with a Data source owner:


1. Right-click on the person in any view. The following menu appears.

2. Choose Merge with.... The following window appears.



The list of available persons is displayed and you can choose to merge with another person. Scroll
through the list or use the search option to find specific matching persons.
3. Click the relevant person and click OK. The following window appears.

When merging persons, there is an order of precedence to determine what default is
suggested for the merged person:
o Data source owner
o Merged person
o Other persons

• Person picture: You can choose one picture to present in UFED Analytics Desktop. If only a single
picture is available it will be selected automatically.
• Person details: You can choose which person name and occupation to present in UFED Analytics
Desktop. All other information will be combined into one list. For example: Address 1 and address 2,
custom field 1 and custom field 2.
• Person identifiers: You can view a single list of all the identifiers with the ability to view the source of
the identifier. For example: email from person X and phone from person Y.
While merging, you can choose to add additional information using the Add field list.
4. Any information that was loaded from a report file cannot be changed or removed. For example:
• Phone Number
• Email Address
• MAC Address
• User Account
After a merge, the merged person can be identified in the Graph View as follows (note the double box
around the picture):

For reference, an unmerged person will look like this:

8.7. Split persons


There are a number of reasons why a merged person would need to be split:
• The investigator may have chosen the wrong person by mistake.
• UFED Analytics Desktop automatically connected two persons into one since they used the
same number, email address, etc. After checking, the investigator found out that the connection
was based on a general email address such as sales or support, and therefore the two persons should be split.

To split a merged person:


• Select the merged person (in any view). Right-click, and click Split.

If the merged person is composed of more than two persons, all persons will be
split.

9. Generating reports
To generate and customize a PDF report, controlling the data, graphs and layout presented:
1. On the Home Ribbon, in the Report group, click Generate.

2. In the Report Data tab, set the following:

a. Data source owners summary - select to include the properties of each data source owner in the
session.

Data source owner information is included for all data source owners open in the session,
regardless of whether they are currently selected in the filters.

b. Views - select the views that you want to include in the report.

c. Additional Fields - enter the Investigator name, Investigator ID, Department name, Case number,
and Case name, as desired.
3. In the File name box, enter the desired file name.

If you do not change this name, and there is an existing report with the same name, a
counter is automatically added to the name.

4. In the Save to box, enter the path and folder name to which to save the generated report file. Click
to set a different path.
5. By default, the report is created in a sub-directory with a name constructed from the date and time
the report was generated (for example, AnalyticsDesktopReport_251212_105908):
• To change the name of the sub-directory, select the displayed name and enter the desired name.

6. Access the Report layout tab.

7. Set the following:


• Header - Enter and format custom text to appear in the report header before the logo image.
• Logo - Click Select Image File to add the logo image to appear in the report header. Supported
  file formats are: BMP, JPG, GIF, and PNG.
• Footer - Enter and format custom text to appear in the report footer after the logo image.

8. Click Generate.

Generate is unavailable until all the required fields are filled.

When the report is successfully generated, you are prompted to open the generated report file. The
file opens in the application associated with its file format on the workstation.

10. Managing cases


This section includes the following:
• Saving a case
• Opening a saved case

10.1. Saving a case


UFED Analytics Desktop continually saves your work, so there is no need to manually save your case. This
includes your last selected filters, tabs, layouts, etc. For more information on opening a saved case, see
Opening a saved case.

10.2. Opening a saved case


Open a saved case to continue your work from a previous session or to open a shared project.
Close any open cases and start a new session. The Recent case view lists all the cases available in the
application ordered by creation date. The investigator can easily navigate between cases or search for a
specific case.

Only one case can be open at any one time. If you open a new case when you are working in
another project session, UFED Analytics Desktop closes your current session.

1. From an existing project, click File. The following window appears.

2. If relevant, close an open case by clicking Close.


3. Click Open to open the required case.
Previously saved cases will be listed in the Recent cases view, sorted by creation date.

To delete a case and all its case data, click .



11. Reference
This section includes the following:
• Setting UFED Analytics Desktop options
• File menu
• Application ribbon

11.1. Setting UFED Analytics Desktop options


To set the UFED Analytics Desktop options:
1. In the File menu, select Options.

2. To set the interface language, select the language in the Language list.
3. To set the Theme color, select the theme in the Theme color list.
4. To set the measurement system used, select the system in the Measurement system list.

The default measurement system is based on the Windows OS settings.

5. To set the number of digits used in order to determine phone number uniqueness, select the
number in the Number of digits list.
6. To set how timelines are shown in new views, select the view in the Show timelines in new views list.

11.2. File menu


Command            Description

Info               Provides summary information for each project of all the data sources that were
                   imported into UFED Analytics Desktop, as follows:
                   • Status: An indication of whether the data source was successfully imported or
                     not.
                   • Data source path: The location path for the data source file.
                   • Number of activities: The number of activities in each data source file.
                   • Number of activities on timeline: The number of activities in each data source
                     file that can be presented on the timeline.
                   • Number of locations on the map: The number of locations included in each data
                     source file that can be presented on the map.

New                Create a new case using the wizard.

Open               Open an existing case.

Close              Close the current analysis session and clear the workspace.

Background tasks   Lists tasks running in the background and their progress.

Options            Set your UFED Analytics Desktop preferences.

Help               The Help menu contains the following items:
                   • About UFED Analytics Desktop - View information about the UFED Analytics
                     Desktop version.
                   • License details - Use a local dongle or network dongle, or enter a new activation
                     code, by loading it from a file using the Load license file button.
                   • User manual - Opens the user manual in PDF format.
                   • Pack log files for support - Zips the log files and opens the folder where the
                     zipped log files are saved.
                   • Activate online Bing Maps - Activates Bing maps so that you can view locations
                     on a map. It requires Internet access and a valid license.

11.3. Application ribbon


The tools available in the application Ribbon are organized into tabs. The Home tab contains the
following:

Data sources         Edit data sources     Add or remove data sources.

Tabs                 Workspace             Open a new workspace.

                     Data by type          Add a new tab to show all items of the same type for
                                           persons.

Report               Generate              Generate a report with the data you have filtered.

Watch lists          View results          View, manage and activate Watch lists.
                     Manage
                     Activate

Tagging              Tag                   Tag items and manage tags.
                     Manage tags

Image Analytics      Review images         View image files with image analytics tags.

Extracted entities   Manage categories     Manage text analytics tags.

The View tab contains the following:

Zoom      Zoom in                 Increase the size of the current view.

          Zoom out                Decrease the size of the current view.

          Fit to screen           Fit the current view into the visible screen dimensions.

Data      Refresh                 Refresh the data of the current view.

          Duplicate active view   Copy the current workspace.

          Rename View             Rename the current workspace.

Layout    Tabbed layout           The default layout.

          Map oriented layout     Opens the timeline under the map in the Map tab.

          Thumbnail size          Control thumbnail size.

Sort                              Sort data by type, time stamp or deletion.
                                  Sort images by size, name, time or analytics tags.

The Layout tab is a contextual tab, the buttons of which vary based on the tab you are
currently working on. There are also contextual tabs for maps, tables of images, videos, and
audio files.

The Layout tab, when working on a Graph, also contains the following:

Horizontal   View the data in a horizontal configuration.

Vertical     View the data in a vertical configuration.

Radial       View the data in a radial configuration.

The Layout tab, when working on a Timeline, contains the following:

Table        View the data as a table.

Feed         View the data in a feed format.

Thumbnails   View the data in icon format.

The Layout tab, when viewing images, also contains the following:

Details          View the image data in a table format.

Grid             View the images in a grid format.

Thumbnail size   Control image size.

To minimize the Ribbon, do one of the following:


• In the Ribbon, click .
• Right-click the Ribbon and select Minimize the Ribbon.

To restore the Ribbon, do one of the following:


• In the Ribbon, click .
• Right-click the Ribbon and select (clear) Minimize the Ribbon.

To change the location of the Quick Access Toolbar:


• Right-click the Ribbon and select Show Quick Access Toolbar below/above the Ribbon.