Cellebrite UFED Physical Analyzer
Sometimes chats become extremely large, and UFED PA offers no easy way to remove attachments in batch. There is also no way to know the size of the report in advance.
In the following picture we show a chat extraction that amounts to 28 GB. In the middle of the image you can see "ChatsCleaner", a tool written in Python that integrates with UFED PA.
With ChatsCleaner you can:
- batch remove all attachments, keeping only text messages
- remove only attachments larger than a specific size (settings tab)
- remove only videos or videos larger than a specific size (settings tab)
- generate a CSV and a log file describing everything that was left out of the report

To use it:
- Download ChatsCleaner from Download Link
- In UFED Physical Analyzer, go to Python -> Run Script -> choose main.py in [download/resources/ChatsCleaner]
The queries below are expected to give an idea of when the user might have deleted messages, based on gaps between consecutive _id values in the messages table.
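Query for the first image:

```sql
-- One row per gap in messages._id, with the time range the gap spans.
select
  deleted.next_id - deleted._id as QTD,  -- id difference across the gap (ids missing in between = QTD - 1)
  deleted.dt_str as DT_INI,              -- last message before the gap
  (select strftime('%Y/%m/%d %H:%M', datetime(C.timestamp/1000, 'unixepoch'))
     from messages C
    where C._id = deleted.next_id) as DT_END  -- first message after the gap
from (
  select A._id,
         (select min(_id)
            from messages B
           where B._id > A._id) as next_id,  -- next surviving id
         strftime('%Y/%m/%d %H:%M', datetime(A.timestamp/1000, 'unixepoch')) as dt_str
    from messages A) deleted
-- keep only real gaps: consecutive ids differ by exactly 1
where deleted.next_id - deleted._id > 1
order by deleted.dt_str
```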
Query for the second image:

```sql
-- Total gap size per month, using the month of the message that closes each gap.
select sum(QTD) as SUM_QTD, substr(DT_END, 1, 7) as YEAR_MONTH
from (
  select
    deleted.next_id - deleted._id as QTD,
    deleted.dt_str as DT_INI,
    (select strftime('%Y/%m/%d %H:%M', datetime(C.timestamp/1000, 'unixepoch'))
       from messages C
      where C._id = deleted.next_id) as DT_END
  from (
    select A._id,
           (select min(_id)
              from messages B
             where B._id > A._id) as next_id,
           strftime('%Y/%m/%d %H:%M', datetime(A.timestamp/1000, 'unixepoch')) as dt_str
      from messages A) deleted
  -- keep only real gaps: consecutive ids differ by exactly 1
  where deleted.next_id - deleted._id > 1
) as final_group
group by substr(DT_END, 1, 7)
order by substr(DT_END, 1, 7) desc
```
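The same gap analysis as an added Python example (not code from the original page or from ChatsCleaner), run against a constructed in-memory database so the result can be checked against known deletions. It counts missing ids as next_id - _id - 1 and shows that a deletion at the end of the table is not reported; the `data` column and all sample rows are assumptions.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

FMT = "%Y/%m/%d %H:%M"  # same format as the strftime() calls in the queries


def build_sample_db():
    """Constructed data: 10 messages, 10 days apart, then ids 2, 3, 7, 10 deleted."""
    conn = sqlite3.connect(":memory:")
    # _id and timestamp (ms since epoch) follow the page; 'data' is an assumed column.
    conn.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, timestamp INTEGER, data TEXT)")
    start = datetime(2021, 1, 5, 12, 0, tzinfo=timezone.utc)
    for i in range(1, 11):
        ts_ms = int((start + timedelta(days=10 * (i - 1))).timestamp() * 1000)
        conn.execute("INSERT INTO messages VALUES (?, ?, ?)", (i, ts_ms, f"msg {i}"))
    conn.execute("DELETE FROM messages WHERE _id IN (2, 3, 7, 10)")
    return conn


def fmt_utc(ts_ms):
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime(FMT)


def find_id_gaps(conn):
    """Return (missing_ids, last_seen_before, first_seen_after) per gap in _id."""
    rows = conn.execute("SELECT _id, timestamp FROM messages ORDER BY _id").fetchall()
    gaps = []
    for (prev_id, prev_ts), (next_id, next_ts) in zip(rows, rows[1:]):
        missing = next_id - prev_id - 1  # ids absent between two surviving rows
        if missing > 0:
            gaps.append((missing, fmt_utc(prev_ts), fmt_utc(next_ts)))
    return gaps


def monthly_totals(gaps):
    """Sum missing ids per YYYY/MM of the row that closes each gap."""
    totals = Counter()
    for missing, _before, after in gaps:
        totals[after[:7]] += missing
    return dict(totals)


if __name__ == "__main__":
    gaps = find_id_gaps(build_sample_db())
    for gap in gaps:
        print(gap)
    # id 10 was deleted too, but no later row bounds it, so it is not reported.
    print(monthly_totals(gaps))
```

Four rows were deleted in the sample but only three are counted, so the totals are a lower bound whenever the newest messages were removed.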
About to add some more...