Chat Capture is a feature built into UFED that enables examiners to extract application data of interest when Physical and File System Acquisition are not possible or do not extract the data. This feature is extremely helpful for encrypted third-party applications. Once extracted, the data can be parsed by your tools of choice. ADB is required for Chat Capture to function, and it’s important that you do not touch the phone during the scroll/capture process.

The first step is to find your device in UFED. Next, select Chat Capture. Note that the screens on the device may temporarily change. We know that every contact leaves a trace, so a footprint will be left behind. The main Chat Capture screen lets you select a specific application (a list of supported apps is shown) or a Generic option, which lets the examiner select the screen and then the scroll direction (up or down). Options for how much data you want are also provided, and you can select a timeframe of interest. When you select Next, you can keyword search for conversations or names of interest, or for the names of parties in the chats.

NOTE: once you enter a chat, it will be marked as read. All unread messages will be changed to read messages and will stay that way even after the acquisition completes. This means that if the user left messages in a new or unread state, they will be marked as viewed or read messages.