Overview IPED supports multiple mobile device extraction formats, including proprietary formats from commercial forensic tools. The mobile parsers handle both physical and logical extractions, processing app data, system databases, and communication artifacts.
UFDR Support UFDR (Universal Forensic Data Reader) is Cellebrite’s format for mobile device extractions.Overview IPED can process UFDR extractions without requiring Cellebrite Physical Analyzer:
Direct Processing Parse UFDR files directly in IPED
Chat Applications WhatsApp, Telegram, Facebook, Signal, etc.
Call Logs Voice and video call records
Contacts Contact information and relationships
Supported Artifacts Cellebrite extraction container format
UFDR extraction metadata and file listing
UFDR Structure UFDR packages contain:
UFDR Package/ ├── ufdr.xml # Main index ├── data/ # Extracted files │ ├── 0000001/ │ ├── 0000002/ │ └── ... ├── Chats/ # Parsed chat databases │ ├── WhatsApp/ │ ├── Telegram/ │ └── ... └── Reports/ # UFDR reports (optional)
Chat Processing The UfedChatParser handles chats from various apps:
public class UfedChatParser extends AbstractParser { // Supported applications public static final Map < String , MediaType > appToMime = Map . ofEntries ( Map . entry ( "whatsapp" , MediaType . application ( "x-ufed-chat-preview-whatsapp" )), Map . entry ( "telegram" , MediaType . application ( "x-ufed-chat-preview-telegram" )), Map . entry ( "skype" , MediaType . application ( "x-ufed-chat-preview-skype" )), Map . entry ( "facebook" , MediaType . application ( "x-ufed-chat-preview-facebook" )), Map . entry ( "signal" , MediaType . application ( "x-ufed-chat-preview-signal" )), Map . entry ( "snapchat" , MediaType . application ( "x-ufed-chat-preview-snapchat" )), Map . entry ( "instagram" , MediaType . application ( "x-ufed-chat-preview-instagram" )), Map . entry ( "viber" , MediaType . application ( "x-ufed-chat-preview-viber" )), Map . entry ( "discord" , MediaType . application ( "x-ufed-chat-preview-discord" )), Map . entry ( "tiktok" , MediaType . application ( "x-ufed-chat-preview-tiktok" )), Map . entry ( "threema" , MediaType . application ( "x-ufed-chat-preview-threema" )) ); }
Configuration UfedChatParser Configuration
@ Field public void setExtractMessages ( boolean extractMessages); // Extract individual messages (default: true) @ Field public void setExtractActivityLogs ( boolean extractActivityLogs); // Extract activity log events (default: true) @ Field public void setIgnoreEmptyChats ( boolean ignoreEmptyChats); // Skip chats with no user messages (default: false) @ Field public void setMinChatSplitSize ( int minChatSplitSize); // Chat fragmentation threshold (default: 6000000)
ExtraProperties . UFED_META_PREFIX + "*" // UFDR-specific metadata ExtraProperties . CONVERSATION_PREFIX + "*" // Conversation properties ExtraProperties . PARTICIPANTS // Chat participants ExtraProperties . USER_ACCOUNT // Account identifier ExtraProperties . MESSAGE_DATE // Message timestamp ExtraProperties . MESSAGE_BODY // Message content ExtraProperties . LINKED_ITEMS // Media attachments ExtraProperties . SHARED_HASHES // Sent media hashes
Message Hierarchy [UFDR Chat] ├── Chat Preview (HTML) ├── Message 1 ├── Message 2 ├── ... └── Activity Logs ├── Group Member Added ├── Name Changed └── ...
AD1 is AccessData’s logical evidence file format.Overview Logical acquisition format from FTK and other AccessData tools
IPED can process AD1 images containing:
Mobile device logical acquisitions
Partial file system extractions
App data and databases
Media files and documents
Integration AD1 support is provided through:
// Sleuthkit library handles AD1 format // IPED processes contained files with standard parsers
AD1 images are mounted as virtual file systems, then processed like standard disk images.
iOS Artifacts iOS-specific parsers handle Apple mobile device data.
Property List (Plist) Files // Binary property list format // Parsed using NSKeyedArchiverParser
<? xml version = "1.0" encoding = "UTF-8" ?> <! DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" > < plist version = "1.0" > < dict > < key > UserName </ key > < string > [email protected] </ string > </ dict > </ plist >
WhatsApp iOS See Chat Applications for WhatsApp iOS support.
// ChatStorage.sqlite // ContactsV2.sqlite // Plist configuration files
Telegram iOS Telegram iOS uses SQLite databases:
// Telegram iOS database structure // Parsed by TelegramParser with iOS mode
Safari Artifacts See Browsers for Safari parser details.
// History.db // Bookmarks.plist // Downloads.plist
Android Artifacts Android-specific parsers process Linux-based file structures.
XML Preferences Android apps store preferences in XML:
<? xml version = '1.0' encoding = 'utf-8' standalone = 'yes' ?> < map > < string name = "user_id" > 123456789 </ string > < long name = "timestamp" value = "1234567890000" /> < boolean name = "enabled" value = "true" /> </ map >
WhatsApp Android Processed by WhatsAppParser:
// msgstore.db.crypt* // wa.db // com.whatsapp_preferences.xml
Telegram Android Processed by TelegramParser:
// cache4.db // userconfing.xml (base64-encoded user data)
SQLite Databases Android uses SQLite extensively:
// Standard Android databases: // - contacts2.db (contacts) // - mmssms.db (SMS/MMS) // - telephony.db (call logs) // - calendar.db (calendar events)
Timeline Analysis Mobile parsers extract timeline data:
Message Timestamps Sent, received, and read receipts
Call Logs Call start, end, and duration
Location Data GPS coordinates with timestamps
App Activity App usage and interactions
Unix Epoch
Milliseconds
iOS Core Data
// Seconds since 1970-01-01 long unixTime = 1234567890 ; Date date = new Date (unixTime * 1000 );
// Milliseconds since 1970-01-01 long millis = 1234567890000L ; Date date = new Date (millis);
// Seconds since 2001-01-01 double iosTime = 123456789.0 ; long unixMillis = ( long )((iosTime + 978307200 ) * 1000 );
Location Data Mobile parsers extract and standardize GPS data:
// Standardized as semicolon-separated: ExtraProperties . LOCATIONS = "latitude;longitude" // Example: metadata . set ( ExtraProperties . LOCATIONS , "40.7128;-74.0060" ); // Multiple locations: metadata . add ( ExtraProperties . LOCATIONS , "40.7128;-74.0060" ); metadata . add ( ExtraProperties . LOCATIONS , "34.0522;-118.2437" );
Google Maps Integration IPED can display locations on maps:
// Locations are georeferenced using: // - Google Maps // - Bing Maps // - OpenStreetMaps
Mobile parsers extract contact information:
Phone number (international format preferred)
App-specific account ID or username
Profile picture (base64-encoded)
vCard Support Contacts can be extracted as vCards:
BEGIN:VCARD VERSION:3.0 FN:John Doe TEL;TYPE=CELL:+1-555-123-4567 EMAIL:[email protected] END:VCARD
Processed by VCardParser:
if ( message . getVcards () != null ) { metadata . set ( StandardParser . INDEXER_CONTENT_TYPE , VCardParser . VCARD_MIME . toString ()); for ( String vcard : message . getVcards ()) { extractor . parseEmbedded ( new ByteArrayInputStream ( vcard . getBytes ( StandardCharsets . UTF_8 )), handler, metadata, false ); } }
Mobile parsers link messages to media files:
Hash-Based Linking if ( message . getMediaHash () != null ) { String query = BasicProps . HASH + ":" + message . getMediaHash (); metadata . add ( ExtraProperties . LINKED_ITEMS , query); // For sent media: if ( message . isFromMe ()) { metadata . add ( ExtraProperties . SHARED_HASHES , message . getMediaHash ()); } }
if ( message . getThumb () != null ) { metadata . set ( ExtraProperties . THUMBNAIL_BASE64 , Base64 . getEncoder (). encodeToString ( message . getThumb ())); }
Mobile device extractions can contain millions of records. Consider:
Memory Usage : Large chat databases require significant RAMProcessing Time : Message extraction and HTML generation can be slowStorage : Generated HTML reports increase case sizeIndexing : Individual message items increase search index size
Optimization Options // Disable individual message extraction: setExtractMessages ( false ); // Increase chat split size: setMinChatSplitSize ( 10000000 ); // 10 MB // Ignore empty chats: setIgnoreEmptyChats ( true ); // Disable activity logs: setExtractActivityLogs ( false );
Integration with IPED Mobile parsers integrate with IPED features:
Graph Analysis Contact and communication network visualization
Timeline View Unified timeline of messages, calls, and events
Hash Lookup Automatic CSAM hash database checking
Bookmark System Tag important messages and conversations
Phone Parsing Configuration Control parser behavior for different sources:
// Check if item is from UFDR: if ( PhoneParsingConfig . isFromUfdrDatasourceReader (item)) { // Special handling for UFDR data } // Enable external phone parsers only: if ( PhoneParsingConfig . isExternalPhoneParsersOnly ()) { // Skip internal parsing return ; }
Best Practices
Verify Extraction Integrity
Check UFDR/AD1 extraction logs for completeness
Enable SHA-256 Hashing
Required for media linking in chat applications
Configure Memory
Allocate sufficient heap space for large databases
Use Appropriate Profiles
Select forensic profile for complete extraction
Monitor Processing
Watch for parser errors in large UFDR packages
Troubleshooting
Check if UFDR package contains parsed chats
Verify UFDR extraction was successful
Review Cellebrite extraction logs
Increase JVM heap size (-Xmx)
Disable message extraction for preview
Increase minChatSplitSize
Verify timezone configuration
Check for corrupted database records
Review extraction tool settings
Next Steps
Chat Parsers Detailed chat application parsing
Parser Overview Return to parser architecture overview