Cellebrite CASE UCO mapping

Concept mappings

Cellebrite	CASE/UCO
Report	uco-core.Bundle OR uco-core.Grouping OR uco-investigation.Investigation
Extraction	uco-action.Action
Device	uco-observable.CyberItem(Trace).Device
Files	uco-observable.CyberItem(Trace).File; uco-observable.CyberItem(Trace).ContentData
Contacts	uco-observable.CyberItem(Trace).Contact
Events	uco-action.Action
Web Bookmarks	uco-observable.CyberItem(Trace).BrowserBookmark

Category mappings

Cellebrite	CASE/UCO Class
Report Summary	uco-investigation.Investigation
Source Extraction	uco-action.Action
Device Information	uco-observable.CyberItem(Trace).Device
Image Details	uco-observable.CyberItem(Trace).File; uco-observable.CyberItem(Trace).Image; uco-observable.CyberItem(Trace).ContentData
Plugins	uco-core.Tool
Contents	uco-observable.CyberItem(Trace)
Data Files	uco-observable.CyberItem(Trace).File; uco-observable.CyberItem(Trace).ContentData
Activity Analytics	More information needed
Analytics Phones	More information needed
Contacts	uco-observable.CyberItem(Trace).Contact
Databases	uco-observable.CyberItem(Trace).File; uco-observable.CyberItem(Trace).ContentData
Powering Events	uco-action.Action
Text files	uco-observable.CyberItem(Trace).File; uco-observable.CyberItem(Trace).ContentData
Web Bookmarks	uco-observable.CyberItem(Trace).BrowserBookmark
Timeline	uco-action.Action; uco-core.Relationship

Property mappings

Cellebrite	CASE/UCO Class	CASE/UCO Property	Mapping Examples
Report Summary	uco-investigation.Investigation		Report Summary and Source Extraction mapping
-Report type	uco-investigation.Investigation	uco-investigation.Investigation.investigationForm OR uco-investigation.Investigation.focus
-Case number	uco-investigation.Investigation	uco-investigation.Investigation.id
-Case name	uco-investigation.Investigation	uco-investigation.Investigation.name
-Device	uco-observable.Device	uco-observable.Device.manufacturer; uco-observable.Device.model
-UFED Physical Analyzer version	uco-core.Tool	uco-core.Tool.version
-Unit Identifier	More information needed
-Time zone settings (UTC)	NA (all CASE/UCO timestamps include timezone)
-Examiner name	uco-action.ActionReferences	uco-action.ActionReferences.performer
-Notes	uco-core.Annotation; uco-core.Assertion	uco-core.Annotation.statement; uco-core.Assertion.statement

Cellebrite	CASE/UCO Class	CASE/UCO Property	Mapping Examples	CASE/UCO Example
Source Extraction	uco-action.Action		Report Summary and Source Extraction mapping
-Extraction start date/time	uco-action.Action	uco-action.Action.startTime
-Extraction end date/time	uco-action.Action	uco-action.Action.endTime
-UFED Version	uco-core.Tool	uco-core.Tool.version
-Internal Version	More information needed
-Selected Manufacturer	uco-observable.Device	uco-observable.Device.manufacturer		device.json
-Selected Device Name	uco-observable.Device	uco-observable.Device.model		device.json
-Connection Type	More information needed
-Extraction Type	uco-action.Action	uco-action.Action.name
-Extraction ID	uco-action.Action	uco-action.Action.id

Cellebrite	CASE/UCO Class	CASE/UCO Property	Mapping Examples
Plugins	uco-core.Tool		Plugin mapping
-Name	uco-core.Tool	uco-core.Tool.name
-Description	uco-core.Tool	uco-core.Tool.description
-Author	uco-core.Tool	uco-core.Tool.creator
-Version	uco-core.Tool	uco-core.Tool.version

Cellebrite	CASE/UCO Class	CASE/UCO Property
Image	uco-observable.File
-Name	uco-observable.File.fileName
-Path	uco-observable.File	uco-observable.File.filePath
-Size(bytes)	uco-observable.File OR uco-observable.ContentData	uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual)
-MD5	uco-observable.ContentData	uco-observable.ContentData.Hash.hashMethod="MD5" AND uco-observable.ContentData.Hash.hashValue

Cellebrite	CASE/UCO Class	CASE/UCO Property	CASE/UCO Example
Device Information	uco-observable.Device
-Android Id	NA (GAP)🔴
-Bluetooth device name	uco-observable.Device	uco-observable.Device.model	device.json
-Bluetooth MAC Address	uco-observable.MACAddress	uco-observable.MACAddress.value
-Client Used for Extraction	More information needed
-DeviceInfoDetectedManufacturer	uco-observable.Device	uco-observable.Device.manufacturer	device.json
-DeviceInfoDetectedModel	uco-observable.Device	uco-observable.Device.model
-DeviceInfoPhoneDateTime	More information needed
-DeviceInfoRevision	More information needed
-Factory Number	uco-observable.Device	uco-observable.Device.serialNumber
-Generic	More information needed
-ICCID	NA (GAP)🔴
-IMEI	NA (GAP)🔴
-IMSI	NA (GAP)🔴
-Mock Locations Allowed	More information needed
-MSISDN	NA (GAP)🔴
-MSISDN Type	NA (GAP)🔴
-Phone Activation Time	NA (GAP)🔴

Cellebrite	CASE/UCO Class	CASE/UCO Property	Mapping Examples	CASE/UCO Example
Activity Analytics	More information needed
-More information needed	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property	Mapping Examples	CASE/UCO Example
Analytics Phones	More information needed
-More information needed	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property
Contact	uco-observable.Contact
-Group	More information needed
-Contact Type	uco-observable.Contact	uco-observable.Contact.contactType
-Created-Date	More information needed
-Created-Time	More information needed
-Modified-Date	More information needed
-Modified-Time	More information needed
-Entries	More information needed
-Notes	More information needed
-Organizations	uco-core.Identity
-Addresses	uco-core.Location
-Last time contacted-Date	More information needed
-Last time contacted-Time	More information needed
-Times contacted	More information needed
-Source	More information needed
-Deleted	More information needed
-Bookmark Note	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property
Database	uco-observable.File
-File System	uco-observable.File	uco-observable.File.fileSystemType
-Name	uco-observable.File	uco-observable.File.fileName
-Row count	NA (GAP)🔴
--Size(bytes)	uco-observable.File OR uco-observable.ContentData	uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual)
-Path	uco-observable.File	uco-observable.File.filePath
-Meta Data	More information needed
--Path	uco-observable.File	uco-observable.File.filePath
--File size	uco-observable.File OR uco-observable.ContentData	uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual)
--Chunks	More information needed
--Date & Time
---Creation time	uco-observable.File	uco-observable.File.createdTime
---Modify time	uco-observable.File	uco-observable.File.modifiedTime
---Last access time	uco-observable.File	uco-observable.File.accessedTime
--Offsets	uco-observable.DataRange
---Data offset	uco-observable.DataRange	uco-observable.DataRange.rangeOffset
-Tags	More information needed
-MD5	uco-observable.ContentData	uco-observable.ContentData.Hash.hashMethod="MD5" AND uco-observable.ContentData.Hash.hashValue
-SHA256	uco-observable.ContentData	uco-observable.ContentData.Hash.hashMethod="SHA256" AND uco-observable.ContentData.Hash.hashValue
-Modified-Date	uco-observable.File	uco-observable.File.modifiedTime
-Modified-Time	uco-observable.File	uco-observable.File.modifiedTime
-Created-Date	uco-observable.File	uco-observable.File.createdTime
-Created-Time	uco-observable.File	uco-observable.File.createdTime
-Access-Date	uco-observable.File	uco-observable.File.accessedTime
-Access-Time	uco-observable.File	uco-observable.File.accessedTime
-Deleted	More information needed
-Bookmark Note	More information needed
-Additional file info	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property
Powering Events	uco-action.Action
-Element	uco-action.ActionReferences	uco-action.ActionReferences.object
-Timestamp	uco-action.Action	uco-action.Action.startTime
-Event	uco-action.Action	uco-action.Action.name
-Deleted	More information needed
-Bookmark Note	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property
Text file	uco-observable.File
-File System	uco-observable.File	uco-observable.File.fileSystemType
-Name	uco-observable.File	uco-observable.File.fileName
--Size(bytes)	uco-observable.File OR uco-observable.ContentData	uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual)
-Path	uco-observable.File	uco-observable.File.filePath
-Meta Data	More information needed
--Path	uco-observable.File	uco-observable.File.filePath
--File size	uco-observable.File OR uco-observable.ContentData	uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual)
--Chunks	More information needed
--Date & Time
---Creation time	uco-observable.File	uco-observable.File.createdTime
---Modify time	uco-observable.File	uco-observable.File.modifiedTime
---Last access time	uco-observable.File	uco-observable.File.accessedTime
--Offsets	uco-observable.DataRange
---Data offset	uco-observable.DataRange	uco-observable.DataRange.rangeOffset
-Tags	More information needed
-MD5	uco-observable.ContentData	uco-observable.ContentData.Hash.hashMethod="MD5" AND uco-observable.ContentData.Hash.hashValue
-SHA256	uco-observable.ContentData	uco-observable.ContentData.Hash.hashMethod="SHA256" AND uco-observable.ContentData.Hash.hashValue
-Modified-Date	uco-observable.File	uco-observable.File.modifiedTime
-Modified-Time	uco-observable.File	uco-observable.File.modifiedTime
-Created-Date	uco-observable.File	uco-observable.File.createdTime
-Created-Time	uco-observable.File	uco-observable.File.createdTime
-Access-Date	uco-observable.File	uco-observable.File.accessedTime
-Access-Time	uco-observable.File	uco-observable.File.accessedTime
-Deleted	More information needed
-Bookmark Note	More information needed
-Additional file info	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property
Data file	uco-observable.File
-File System	uco-observable.File	uco-observable.File.fileSystemType
-Name	uco-observable.File	uco-observable.File.fileName
--Size(bytes)	uco-observable.File OR uco-observable.ContentData	uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual)
-Path	uco-observable.File	uco-observable.File.filePath
-Meta Data	More information needed
--Path	uco-observable.File	uco-observable.File.filePath
--File size	uco-observable.File OR uco-observable.ContentData	uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual)
--Chunks	More information needed
--Date & Time
---Creation time	uco-observable.File	uco-observable.File.createdTime
---Modify time	uco-observable.File	uco-observable.File.modifiedTime
---Last access time	uco-observable.File	uco-observable.File.accessedTime
--Offsets	uco-observable.DataRange
---Data offset	uco-observable.DataRange	uco-observable.DataRange.rangeOffset
-Tags	More information needed
-MD5	uco-observable.ContentData	uco-observable.ContentData.Hash.hashMethod="MD5" AND uco-observable.ContentData.Hash.hashValue
-SHA256	uco-observable.ContentData	uco-observable.ContentData.Hash.hashMethod="SHA256" AND uco-observable.ContentData.Hash.hashValue
-Modified-Date	uco-observable.File	uco-observable.File.modifiedTime
-Modified-Time	uco-observable.File	uco-observable.File.modifiedTime
-Created-Date	uco-observable.File	uco-observable.File.createdTime
-Created-Time	uco-observable.File	uco-observable.File.createdTime
-Access-Date	uco-observable.File	uco-observable.File.accessedTime
-Access-Time	uco-observable.File	uco-observable.File.accessedTime
-Deleted	More information needed
-Bookmark Note	More information needed
-Additional file info	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property
Web Bookmarks	uco-observable.BrowserBookmark
-Title	uco-observable.CyberItem(Trace)	uco-observable.CyberItem(Trace).name
-URL	uco-observable.BrowserBookmark	uco-observable.BrowserBookmark.urlTargeted
-Last Visited-Date	More information needed
-Last Visited-Time	More information needed
-Visits	uco-observable.BrowserBookmark	uco-observable.BrowserBookmark.visitCount
-Position	More information needed
-Map Address	More information needed
-Source	More information needed
-Date	More information needed
-Time	More information needed
-Deleted	More information needed
-Bookmark Note	More information needed

Cellebrite	CASE/UCO Class	CASE/UCO Property
Timeline	uco-action.Action
-Type	uco-action.Action	uco-action.Action.name
-Direction	More information needed
-Attachments	uco-core.Relationship; uco-observable.CyberItem(Trace)
-Locations	uco-core.Location
-Date	uco-action.Action	uco-action.Action.startTime
-Time	uco-action.Action	uco-action.Action.startTime
-Party	More information needed
-Description	uco-action.Action	uco-action.Action
-Location Info	uco-core.Location
-Deleted	More information needed
-Bookmark Note	More information needed

Identified Gaps

Mobile account properties (e.g. IMSI, MSISDN) (#33)
SIM Card properties (e.g. ICCID) (#34)
Mobile device specific properties (e.g. IMEI) (#35)
Android mobile device specific properties (e.g. AndroidID) (#36)
Database row count (#37)