> ## Documentation Index > Fetch the complete documentation index at: https://mintlify.com/sepinf-inc/IPED/llms.txt > Use this file to discover all available pages before exploring further. # Mobile Artifact Parsers > Process mobile device extractions from UFDR, AD1, and native formats ## Overview IPED supports multiple mobile device extraction formats, including proprietary formats from commercial forensic tools. The mobile parsers handle both physical and logical extractions, processing app data, system databases, and communication artifacts. ## UFDR Support **UFDR (Universal Forensic Data Reader)** is Cellebrite's format for mobile device extractions. ### Overview IPED can process UFDR extractions without requiring Cellebrite Physical Analyzer: Parse UFDR files directly in IPED WhatsApp, Telegram, Facebook, Signal, etc. Voice and video call records Contact information and relationships ### Supported Artifacts Cellebrite extraction container format UFDR extraction metadata and file listing ### UFDR Structure UFDR packages contain: ```text theme={null} UFDR Package/ ├── ufdr.xml # Main index ├── data/ # Extracted files │ ├── 0000001/ │ ├── 0000002/ │ └── ... ├── Chats/ # Parsed chat databases │ ├── WhatsApp/ │ ├── Telegram/ │ └── ... └── Reports/ # UFDR reports (optional) ``` ### Chat Processing The UfedChatParser handles chats from various apps: ```java UfedChatParser theme={null} public class UfedChatParser extends AbstractParser { // Supported applications public static final Map appToMime = Map.ofEntries( Map.entry("whatsapp", MediaType.application("x-ufed-chat-preview-whatsapp")), Map.entry("telegram", MediaType.application("x-ufed-chat-preview-telegram")), Map.entry("skype", MediaType.application("x-ufed-chat-preview-skype")), Map.entry("facebook", MediaType.application("x-ufed-chat-preview-facebook")), Map.entry("signal", MediaType.application("x-ufed-chat-preview-signal")), Map.entry("snapchat", MediaType.application("x-ufed-chat-preview-snapchat")), Map.entry("instagram", MediaType.application("x-ufed-chat-preview-instagram")), Map.entry("viber", MediaType.application("x-ufed-chat-preview-viber")), Map.entry("discord", MediaType.application("x-ufed-chat-preview-discord")), Map.entry("tiktok", MediaType.application("x-ufed-chat-preview-tiktok")), Map.entry("threema", MediaType.application("x-ufed-chat-preview-threema")) ); } ``` ### Configuration ```java UfedChatParser Configuration theme={null} @Field public void setExtractMessages(boolean extractMessages); // Extract individual messages (default: true) @Field public void setExtractActivityLogs(boolean extractActivityLogs); // Extract activity log events (default: true) @Field public void setIgnoreEmptyChats(boolean ignoreEmptyChats); // Skip chats with no user messages (default: false) @Field public void setMinChatSplitSize(int minChatSplitSize); // Chat fragmentation threshold (default: 6000000) ``` ### Extracted Metadata ```java UFDR Chat Properties theme={null} ExtraProperties.UFED_META_PREFIX + "*" // UFDR-specific metadata ExtraProperties.CONVERSATION_PREFIX + "*" // Conversation properties ExtraProperties.PARTICIPANTS // Chat participants ExtraProperties.USER_ACCOUNT // Account identifier ExtraProperties.MESSAGE_DATE // Message timestamp ExtraProperties.MESSAGE_BODY // Message content ExtraProperties.LINKED_ITEMS // Media attachments ExtraProperties.SHARED_HASHES // Sent media hashes ``` ### Message Hierarchy ```text theme={null} [UFDR Chat] ├── Chat Preview (HTML) ├── Message 1 ├── Message 2 ├── ... └── Activity Logs ├── Group Member Added ├── Name Changed └── ... ``` ## AD1 Format Support **AD1** is AccessData's logical evidence file format. ### Overview Logical acquisition format from FTK and other AccessData tools IPED can process AD1 images containing: * Mobile device logical acquisitions * Partial file system extractions * App data and databases * Media files and documents ### Integration AD1 support is provided through: ```java theme={null} // Sleuthkit library handles AD1 format // IPED processes contained files with standard parsers ``` AD1 images are mounted as virtual file systems, then processed like standard disk images. ## iOS Artifacts iOS-specific parsers handle Apple mobile device data. ### Property List (Plist) Files ```java theme={null} // Binary property list format // Parsed using NSKeyedArchiverParser ``` ```xml theme={null} UserName user@example.com ``` ### WhatsApp iOS See [Chat Applications](/parsers/chat-applications) for WhatsApp iOS support. ```java theme={null} // ChatStorage.sqlite // ContactsV2.sqlite // Plist configuration files ``` ### Telegram iOS Telegram iOS uses SQLite databases: ```java theme={null} // Telegram iOS database structure // Parsed by TelegramParser with iOS mode ``` ### Safari Artifacts See [Browsers](/parsers/browsers) for Safari parser details. ```java theme={null} // History.db // Bookmarks.plist // Downloads.plist ``` ## Android Artifacts Android-specific parsers process Linux-based file structures. ### XML Preferences Android apps store preferences in XML: ```xml SharedPreferences Format theme={null} 123456789 ``` ### WhatsApp Android Processed by WhatsAppParser: ```java theme={null} // msgstore.db.crypt* // wa.db // com.whatsapp_preferences.xml ``` ### Telegram Android Processed by TelegramParser: ```java theme={null} // cache4.db // userconfing.xml (base64-encoded user data) ``` ### SQLite Databases Android uses SQLite extensively: ```java theme={null} // Standard Android databases: // - contacts2.db (contacts) // - mmssms.db (SMS/MMS) // - telephony.db (call logs) // - calendar.db (calendar events) ``` ## Timeline Analysis Mobile parsers extract timeline data: Sent, received, and read receipts Call start, end, and duration GPS coordinates with timestamps App usage and interactions ### Timestamp Formats ```java theme={null} // Seconds since 1970-01-01 long unixTime = 1234567890; Date date = new Date(unixTime * 1000); ``` ```java theme={null} // Milliseconds since 1970-01-01 long millis = 1234567890000L; Date date = new Date(millis); ``` ```java theme={null} // Seconds since 2001-01-01 double iosTime = 123456789.0; long unixMillis = (long)((iosTime + 978307200) * 1000); ``` ## Location Data Mobile parsers extract and standardize GPS data: ```java Location Format theme={null} // Standardized as semicolon-separated: ExtraProperties.LOCATIONS = "latitude;longitude" // Example: metadata.set(ExtraProperties.LOCATIONS, "40.7128;-74.0060"); // Multiple locations: metadata.add(ExtraProperties.LOCATIONS, "40.7128;-74.0060"); metadata.add(ExtraProperties.LOCATIONS, "34.0522;-118.2437"); ``` ### Google Maps Integration IPED can display locations on maps: ```java theme={null} // Locations are georeferenced using: // - Google Maps // - Bing Maps // - OpenStreetMaps ``` ## Contact Extraction Mobile parsers extract contact information: Contact display name Phone number (international format preferred) Email address App-specific account ID or username Additional notes or bio Profile picture (base64-encoded) ## vCard Support Contacts can be extracted as vCards: ```vcard vCard Format theme={null} BEGIN:VCARD VERSION:3.0 FN:John Doe TEL;TYPE=CELL:+1-555-123-4567 EMAIL:john@example.com END:VCARD ``` Processed by VCardParser: ```java theme={null} if (message.getVcards() != null) { metadata.set(StandardParser.INDEXER_CONTENT_TYPE, VCardParser.VCARD_MIME.toString()); for (String vcard : message.getVcards()) { extractor.parseEmbedded( new ByteArrayInputStream(vcard.getBytes(StandardCharsets.UTF_8)), handler, metadata, false ); } } ``` ## Media Linking Mobile parsers link messages to media files: ### Hash-Based Linking ```java theme={null} if (message.getMediaHash() != null) { String query = BasicProps.HASH + ":" + message.getMediaHash(); metadata.add(ExtraProperties.LINKED_ITEMS, query); // For sent media: if (message.isFromMe()) { metadata.add(ExtraProperties.SHARED_HASHES, message.getMediaHash()); } } ``` ### Thumbnail Extraction ```java theme={null} if (message.getThumb() != null) { metadata.set(ExtraProperties.THUMBNAIL_BASE64, Base64.getEncoder().encodeToString(message.getThumb())); } ``` ## Performance Considerations Mobile device extractions can contain millions of records. Consider: * **Memory Usage**: Large chat databases require significant RAM * **Processing Time**: Message extraction and HTML generation can be slow * **Storage**: Generated HTML reports increase case size * **Indexing**: Individual message items increase search index size ### Optimization Options ```java theme={null} // Disable individual message extraction: setExtractMessages(false); // Increase chat split size: setMinChatSplitSize(10000000); // 10 MB // Ignore empty chats: setIgnoreEmptyChats(true); // Disable activity logs: setExtractActivityLogs(false); ``` ## Integration with IPED Mobile parsers integrate with IPED features: Contact and communication network visualization Unified timeline of messages, calls, and events Automatic CSAM hash database checking Tag important messages and conversations ## Phone Parsing Configuration Control parser behavior for different sources: ```java PhoneParsingConfig theme={null} // Check if item is from UFDR: if (PhoneParsingConfig.isFromUfdrDatasourceReader(item)) { // Special handling for UFDR data } // Enable external phone parsers only: if (PhoneParsingConfig.isExternalPhoneParsersOnly()) { // Skip internal parsing return; } ``` ## Best Practices Check UFDR/AD1 extraction logs for completeness Required for media linking in chat applications Allocate sufficient heap space for large databases Select forensic profile for complete extraction Watch for parser errors in large UFDR packages ## Troubleshooting * Enable SHA-256 hash computation * Verify HashTask is enabled * Check that media files are in case * Check if UFDR package contains parsed chats * Verify UFDR extraction was successful * Review Cellebrite extraction logs * Increase JVM heap size (-Xmx) * Disable message extraction for preview * Increase minChatSplitSize * Verify timezone configuration * Check for corrupted database records * Review extraction tool settings ## Next Steps Detailed chat application parsing Return to parser architecture overview