File referenced by "Local Path" not contained in UFDR file of PA 10

[aberenguel]

I'm processing an UFDR file generated by PA 10.3.

One of the files has the "Local Path" value referencing a file not contained in the UFDR file. This is how it appears in report.xml

<file fs="data" fsid="0f0ca219-92ea-4ecd-91ef-999337fa3c06" path="/Root/data/com.whatsapp/shared_prefs/com.whatsapp_preferences.xml" name="com.whatsapp_preferences.xml" size="258" id="f9f5a501-7615-4a6b-a940-2d495867303e" extractionId="0" deleted="Intact" embedded="false" isrelated="False" source_index="128267">
      <accessInfo>
        <timestamp name="CreationTime" format="TimeStampKnown" formattedTimestamp="2023-06-17T01:32:42+00:00">2023-06-17T01:32:42.000+00:00</timestamp>
        <timestamp name="ModifyTime" format="TimeStampKnown" formattedTimestamp="2023-06-17T01:32:42+00:00">2023-06-17T01:32:42.000+00:00</timestamp>
        <timestamp name="AccessTime" format="TimeStampKnown" formattedTimestamp="2023-06-17T01:32:42+00:00">2023-06-17T01:32:42.000+00:00</timestamp>
      </accessInfo>
      <metadata section="File">
        <item name="Local Path" systemtype="System.String"><![CDATA[files\Text\com.whatsapp_preferences.xml]]></item>
        <item name="SHA256" systemtype="System.String"><![CDATA[037530f51474f32c0431be72bd25aa74423eb7f3e1f3b6d06aca7828eddeb9e1]]></item>
        <item name="MD5" systemtype="System.String"><![CDATA[650282dcd18c136988531d44e01ff684]]></item>
        <item name="Tags" systemtype="System.String"><![CDATA[Text]]></item>
      </metadata>
      <metadata section="MetaData">
        <item name="CoreFileSystemFileSystemNodeChangeTime" group="CoreFileSystemFileSystemNodeDateTime" systemtype="System.String"><![CDATA[]]></item>
        <item name="CoreFileSystemFileSystemNodeCreationTime" group="CoreFileSystemFileSystemNodeDateTime" systemtype="System.String"><![CDATA[16/06/2023 22:32:42(UTC-3)]]></item>
        <item name="CoreFileSystemFileSystemNodeDeletedTime" group="CoreFileSystemFileSystemNodeDateTime" systemtype="System.String"><![CDATA[]]></item>
        <item name="CoreFileSystemFileSystemNodeFileChunks" systemtype="System.String"><![CDATA[1]]></item>
        <item name="CoreFileSystemFileSystemNodeFileDataOffsetName" group="CoreFileSystemFileSystemNodeFileOffsetsCategory" systemtype="System.String"><![CDATA[0x5B962B000]]></item>
        <item name="CoreFileSystemFileSystemNodeFilePath" systemtype="System.String"><![CDATA[data/Root/data/com.whatsapp/shared_prefs/com.whatsapp_preferences.xml]]></item>
        <item name="CoreFileSystemFileSystemNodeLastAccessTime" group="CoreFileSystemFileSystemNodeDateTime" systemtype="System.String"><![CDATA[16/06/2023 22:32:42(UTC-3)]]></item>
        <item name="CoreFileSystemFileSystemNodeModifyTime" group="CoreFileSystemFileSystemNodeDateTime" systemtype="System.String"><![CDATA[16/06/2023 22:32:42(UTC-3)]]></item>
        <item name="Inode Number" systemtype="System.String"><![CDATA[0x9053E]]></item>
        <item name="Owner GID" systemtype="System.String"><![CDATA[0x2838]]></item>
        <item name="Owner UID" systemtype="System.String"><![CDATA[0x2838]]></item>
      </metadata>
    </file>

I've checked the file files/Text/com.whatsapp_preferences.xml is not present in UFDR file.
On other hands, a file with the same md5 value appeared in report.xml before.

So my proposal is to map md5 value with local path if it references an existent file. If it is not, get local path seen before.

[lfcnassif]

Hi @aberenguel, thanks for reporting. This seems another bug from PA 10 and I think it should be first reported to Cellebrite before we implement a workaround, maybe they can fix the issue shortly

[aberenguel]

I checked opening the UFDR in CellebriteReader.exe. The content was there. I think because the Cellebrite Reader uses postgreSQL dump to speed up the opening of UFDR.

In IPED the content is empty, despite the file length is 258.

[aberenguel]

Hi @aberenguel, thanks for reporting. This seems another bug from PA 10 and I think it should be first reported to Cellebrite before we implement a workaround, maybe they can fix the issue shortly

I've just reported the issue to Cellebrite

[lfcnassif]

Ok so they may not fix the issue... Thank you for reporting to them, I think we can wait a bit before applying your proposal, thanks again!

[patrickdalla]

I don't know if I got it right, but maybe this issue is not exactly a problem from PA, but simply a deduplication scheme PA developers implemented. If the same content appears in other localpath it loads from there.

[lfcnassif]

I don't know if I got it right, but maybe this issue is not exactly a problem from PA, but simply a deduplication scheme PA developers implemented. If the same content appears in other localpath it loads from there.

I agree, it should be caused by PA deduplication. But I think they shouldn't populate the ufdr local path property, since it points to an inexistent file, causing an Inconsistency.

[lfcnassif]

But I think they shouldn't populate the ufdr local path property

Or better, they should point to the unique deduplicated internal ufdr path.

I've just reported the issue to Cellebrite

Any response from them?

[aberenguel]

But I think they shouldn't populate the ufdr local path property

Or better, they should point to the unique deduplicated internal ufdr path.

I've just reported the issue to Cellebrite

Any response from them?

Not yet. They want to schedule a meeting to understand better.

[lfcnassif]

Ok, sorry for my long delay @aberenguel, let's merge your PR for now. If they fix it, we can revert and maybe apply another solution. Thank you for reporting, investigating and sending the PR!