Cellebrite data source

This topic provides details on how you can remotely capture mobile device messages and attachments from Android or iOS devices using the Cellebrite data source within Collect.

Note: This content contains references to third-party software or technologies. While efforts are made to keep third-party references updated, note that screenshots, documentation or guidance in this topic may not accurately represent the current behavior or user interfaces of the third-party software. For additional considerations regarding third-party software such as copyright and ownership, please see the Terms of Use page.

Note: The steps below apply whether you are using Cellebrite Endpoint Inspector or Endpoint Mobile Now. Going forward in this topic, we will simply refer to them as Cellebrite.

Considerations

Review the list of considerations before starting your collection:

  • This functionality is currently only available to RelativityOne U.S.-based commercial clients. It is not yet available for U.S. Government clients or those outside the U.S.
  • Cellebrite data source requires separate licensing, configuration, and training through Cellebrite, a third party. For more information, log in to your account at MyCellebrite.com to download the installation files and manuals based on which product you are using: Cellebrite Endpoint Inspector User Guide, Cellebrite Endpoint Inspector SaaS Communication and Security Guide, or Cellebrite Endpoint Mobile Now User Guide. Also download and review Cellebrite Mobile Collections for Relativity.

Note: To ensure a successful data collection, be sure that you and the custodian familiarize yourselves with Cellebrite's documentation, recommendations, and tips for mobile collections before you begin collecting. Also be sure to review the "What's New in Version <#.#>" chapter of the Cellebrite Endpoint Inspector or Endpoint Mobile Now user guides.

  • The output generated from mobile device collections consists of all short message-type (such as, Chat) data in Relativity Short Message Format (RSMF) files. The corresponding Cellebrite Universal Forensic Electronic Device (UFDR) file (such as, forensic image) is also uploaded to your Staging Area.
  • UFDR files cannot be processed. However, they are made available if you need the UFDR downloaded for examination outside of RelativityOne.

Prerequisites

Basic configuration for your instance of RelativityOne and Cellebrite must be completed as follows:

  • In Cellebrite:
  • Set up your instance.
  • If using Endpoint Inspector, create the required user account with the Examiner role.
  • Ensure the required ports are open.
  • For use with RelativityOne, you do not need to set up a storage repository.
  • In RelativityOne: The Collect application must be installed into the Relativity workspace that is used to perform Cellebrite collections. For more information on installing Collect in a workspace, see Installing Collect.

Task Checklist

The table below outlines the tasks in the order they need to be performed and within which application to perform them.

Order Application Used Task Type Task
1 RelativityOne Configuration Create the OAuth2 Client in RelativityOne
2 RelativityOne Configuration Set permissions in RelativityOne
3 Cellebrite Configuration Connect Cellebrite to RelativityOne
4 Cellebrite Configuration Generate API key for Cellebrite data source
5 RelativityOne Configuration Create the data source in RelativityOne Collect
6 RelativityOne Configuration Create entities in RelativityOne
8 RelativityOne Collecting Create a Collect job in RelativityOne

Support resources

If you have questions or issues while going through these procedures, please contact the following resources depending on the application:

Create the OAuth2 Client in RelativityOne

To facilitate data transfers and communication of collection status updates from Cellebrite to RelativityOne, an OAuth2 client must be configured in RelativityOne. Use the following steps to create a new OAuth2 Client. For more detailed instructions, see Creating or editing an OAuth2 client.

In RelativityOne:

  1. Navigate to the OAuth2 Client tab within Authentication.
  2. Click the New OAuth2 Client button.
  3. Do the following:
    • Name—enter a unique name for the OAuth2 client.
    • Enabled—ensure the Enabled toggle is on.
    • Flow Grant Type— select Client Credentials from the list.
    • Context User—select a user account from the list. The Context User will also generate the Cellebrite API key that is used to configure the Collect data source.
    • Access Token Lifetime (in minutes)—enter 60.
  1. Click Save.
  2. Make note of the Client ID and Client Secret values that were generated. These values are needed when connecting Cellebrite to RelativityOne.

Set permissions in RelativityOne

Ensure the following account permissions are properly set up. For additional information, see Adding users to groups and Setting workspace permissions.

  • For Context Users—The Context User selected in the previous section must be added to a group in RelativityOne that is assigned to the workspace in which Cellebrite collections are run. The group within the workspace must have Allow Export and Allow Import permissions selected (enabled) under Admin Operations on the Other Settings tab. See Manage Workspace Permissions for more information.
  • For Relativity Service Account—assign the Relativity Service Account (Service Account, Relativity) user to a group (other than the System Admin group) that has been assigned to the workspace in which Cellebrite collections are run.

Connect Cellebrite to RelativityOne

Next, you must connect Cellebrite to RelativityOne using the Client ID and Client Secret obtained in Create the OAuth2 Client in RelativityOne.

In Cellebrite:

  1. Navigate to Settings.
  2. Scroll to the RelativityOne section and do the following:
    • Client ID and Client Secret—enter the ID and secret generated previously when creating the OAuth2 client in RelativityOne.
    • Domain—enter the RelativityOne domain. For example, esus019064-t066.r1.kcura.com. This is not the full URL address, so you do not include "https://" or the ending slash.
  1. Click Save.

Generate API key for Cellebrite data source

After connecting Cellebrite to RelativityOne, you must generate and save the API key. This API key is entered in RelativityOne when creating a new data source outlined in the next section.

Note: The user generating the API key must be the Context User set up in Create the OAuth2 Client in RelativityOne.

In Cellebrite:

  1. Navigate to User Settings if using Endpoint Inspector or to Settings if using Endpoint Mobile Now.
  2. Click Generate Key.
  1. Copy the API Key and save it securely.

Caution: You will not be able to see this API key again in Endpoint Inspector or Endpoint Mobile Now so be sure to copy and save it.

This API key is required when you create a new data source next in RelativityOne. You must also provide the following information:

  • The exact username that was used to generate the API key if you used Endpoint Inspector.
  • The exact email address that was used to generate the API key if you used Endpoint Mobile Now.
  • The URL for your instance of Endpoint Inspector or Endpoint Mobile Now. For example: https://example.ei.cellebrite.cloud/

Create the data source in RelativityOne Collect

Next, create a new Collect data source instance in your RelativityOne workspace.

Note: You must have previously installed the Collect application into your workspace. For more information on installing Collect, see Installing Collect.

In RelativityOne:

  1. Navigate to Collection Admin within Collect Admin in Set Up.
  2. Click New Collection Source Instance.
  3. Do the following:
    • Name—enter a unique name for the data source.
    • Type—select the Cellebrite data source.
    • Settings—enter the required information in the Settings fields. For more information, see Settings fields.
  1. Click Save. The data source displays on the Collection Admin page.

Settings fields

To connect Relativity to the Cellebrite data source, you need to gather and enter the information for the following fields. This information was generated in the Generate API key for Cellebrite data source section.

  • API Key—the API key previously generated in Cellebrite.
  • API Username—the Cellebrite user account used to generate the associated API Key.
    • If Endpoint Inspector was used to create the API key, then enter the user's username (for example, jane.smith).
    • If Endpoint Mobile Now was used to create the API key, then enter the user's email address (for example, jane.smith@relativity.com).
  • API URL—the Cellebrite server URL for the associated API Key.

Create entities in RelativityOne

Within your RelativityOne workspace, populate the Entities list with those individuals from which you wish to collect data. For more information on populating Relativity with entities, see Entity object.

Note: Ensure that the Email address field for the Entity (such as, custodian) contains the primary email address to which you want Cellebrite collection requests emailed. The Secondary Email address information for the entity is not used.

Create a Collect job in RelativityOne

You can begin creating and running collections in RelativityOne. For more information, see Collections. Additionally, be sure that you and the custodian familiarize yourselves with Cellebrite's documentation, particularly the "Before Collecting" section in the Cellebrite Mobile Collections for Relativity document at MyCellebrite.com.

Be aware of the following when performing Cellebrite collections:

  • You cannot combine other data source types with the Cellebrite data source.
  • You can collect from multiple custodians in the same job when using the Cellebrite data source.

Mobile data collection results

The export package created by Cellebrite for ingestion by RelativityOne includes these files:

  • Original collection file in UFED zip format
  • Messages and attachments in an RSMF collection
  • UFED reader file (UFDR)
  • Device Report
  • Collection Report
  • Results.csv file

The nature of data collections from Android and iOS devices differs due to the inherent differences between platforms. These are the most noteworthy differences:

  • iOS message collections target messages from native apps and the most popular third-party apps that iTunes can back up. Attached media and document files are included.
  • Android message collections target SMS, MMS and RCS text messages from native apps. Attached media and document files are included.

Troubleshooting

This table includes troubleshooting for Cellebrite data source.

Area Issue Resolution
Data Source setup User is unable to save a Cellebrite data source configuration in Collect or validation fails on an existing source.
  • Verify the user has entered the correct value for the API key.
  • Verify the API Username is the Cellebrite account used to generate the API key in Cellebrite.
    • For Endpoint Inspector, this is the user account name.
    • For Endpoint Mobile Now, this is the email address of the user.
  • Verify the Context User who configured the OAuth2 client in RelativityOne is also the same user who generated the API key in Cellebrite.
  • If the problem still exits after verifying the information in the previous bullets, then generate a new API key in Cellebrite.
Job start The Collect job fails when the user clicks the Start button.
  • Verify in Cellebrite Settings that the OAuth2 client setup for RelativityOne has the correct values for the Client ID and Secret. They must match the values in RelativityOne for the OAuth2 client configured.
  • Verify in Cellebrite Settings that the Domain for the OAuth client setup for RelativityOne points to the correct RelativityOne instance. The Domain should NOT contain “https://” or end with a trailing slash. For example, the domain should look like this esus019064-t066.r1.kcura.com and not this https://esus019064-t066.r1.kcura.com/.
  • In very rare cases, C4 may be down, in which case Collect jobs will not start regardless of the collection data source. This issue usually resolves itself after a short waiting period. C4 is the shared compute platform on which jobs are run.
Custodian Email Notification The Collect job started successfully, but the custodian never received the collection request email.
  • Verify that the custodian's email address is the same as the one entered in the Email address field of their corresponding entity record. The Secondary Email address information for the entity is not used.
  • Verify that the email is not in the Spam or Junk folder.
  • Verify that the custodian’s organization has not intercepted or quarantined the email via an email security policy or software, such as Proofpoint.
  • If the problem still exits after verifying the information in the previous bullets, then please contact Cellebrite Customer Support to verify that there are no issues sending email messages from Cellebrite.
File Transfers The file transfers into RelativityOne are failing.
  • Verify that the Context User account used to configure the OAuth2 client is in a group assigned to the workspace, and the group has been given the “Allow Import” and “Allow Export” permissions in RelativityOne. See Set permissions in RelativityOne.
  • Verify that the Relativity Service Account user is assigned to one of the groups assigned to the workspace. See Set permissions in RelativityOne.
Target Failure The target collection fails after successful start. If a job successfully started (e.g., was received by Cellebrite), but failed prior to the collection being uploaded to RelativityOne, then the problem resides within Cellebrite. Please contact Cellebrite Customer Support for assistance.