The Tools menu in Physical Analyzer gives the user access to carving functions and to specialty tools within the software, such as the AppGenie, the Fuzzy Model Plugin, enrichments (media categorization), the ability to create dictionary files, the Watch List Editor, and the Malware Scanner. A watch list is a list of keywords created by the examiner and used to search for and identify items of interest in the extracted data. Specialized watch lists can be developed and run across multiple extractions. The Malware Scanner is a signature-based scanner that searches data extractions from mobile devices for known malware. Be sure to update the malware signature database before running the Malware Scanner so that you are using the most recent definitions; a scan run against stale signatures will miss any malware added since the last update. More will be covered on this in Section 4. The Fuzzy Model Plugin helps identify and parse databases not already analyzed by Cellebrite. The AppGenie digs for additional application artifacts. Together, these two carvers are powerful! The results from the AppGenie and the Fuzzy Model Plugin appear in the Analyzed Data section under Manual Data Collection.
The Settings and Project settings are important and are covered below. Make sure you enable deep carving for SQLite and the other features discussed by your instructor, so that you get the same lab results as explained in the eWorkbook.
The Project settings are where you set the time zone. When deciding what to select for parsing, we recommend customizing your options. In a lab environment, where time is not a concern, you should select all checkboxes under Decoding. For this class, we want you to check the following boxes:
• Recover deleted data for Android and Windows Phone devices via carving from unallocated space
• Use deep carving for SQLite
• Recover data from archive files
Under Timeline, it is important that you select all boxes. Otherwise, you may see gaps in your timeline for multimedia files.