One of the most important aspects of digital forensics is the concept I like to call “know your data”. Forensic analysts are regularly handed data with little to no context; it could be from a data breach, or maybe a device was seized/imaged by another party and the image was provided at a later date. In these situations it is even more important to get to know your data, as the volume of data in an investigation can quickly become overwhelming.
It always surprises me how often forensic analysts rely on point-and-click forensic tools to provide their analysis results. Far too often these tools only lightly scratch the surface, failing to provide in-depth results, or even detailed log files of what the tool actually did.
One of the best examples of this is related to database files. On modern operating systems (desktop & mobile) there are an abundance of database files storing pertinent user information; e.g. SQLite & ESE databases. A good examiner should be spending some time drilling into these database files to extract user data.
On a recent matter I was tasked with analysing a mobile phone from a POI. This was an Android mobile phone, and the intelligence received indicated that the phone had been used by the POI for quite some time. However, upon examining the timeline report created by one of the industry-leading mobile forensic suites, it was evident that the internet history extracted for this device was particularly light on records.
Cracking open the device extraction it was clear to see why: the forensic suite had extracted the URL records from the Chrome History SQLite database, but had completely bypassed the Chrome Archived History SQLite database. As a result, the internet history records in the timeline of events only went back as far as August 2015, whereas the Archived History database included records dating back to September 2014!
The Chrome History SQLite Database (1322 visits)
The Chrome Archived History SQLite Database (3953 visits)
Another similar example came to light recently when I was analysing an iOS device. Again, the internet history from the Safari web browser extracted by the mobile forensic suite was only displaying records from the history_items table (400+ entries). However, the software failed to extract any history records from the history_visits table (approximately 800 entries), and this is from the exact same Safari SQLite database! Again, the result of this omission meant that the timeline report generated by the mobile forensic suite was woefully inadequate.
The issue of forensic suites only extracting data from certain tables is not limited to the Safari SQLite database. Far more often than not when analysing the individual tables within a database it becomes apparent that pertinent information is being overlooked. Most of these databases store time stamp information for each entry in the database, and a quick SQL join query will correlate data from these various tables, providing a great addition to your timeline reports.
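The per-table row count and the join query described above, as an added example that is not part of the original post. It builds two constructed in-memory SQLite databases using a reduced subset of the real Chrome History schema (urls and visits) and the Safari History.db schema (history_items and history_visits), counts rows per table so the gap between the "items" table and the "visits" table is visible, joins the visit records back to their URLs, and converts each browser's native timestamp (Chrome: microseconds since 1601-01-01 UTC; Safari: seconds since 2001-01-01 UTC) into a single sortable timeline. The sample visits, URLs and titles are constructed values, not data from the case.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Epochs used by the two browsers' history databases.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # WebKit/Chrome time, microseconds
SAFARI_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Cocoa absolute time, seconds


def chrome_time(microseconds):
    """Convert a Chrome visit_time / last_visit_time integer to an aware datetime."""
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def safari_time(seconds):
    """Convert a Safari history_visits.visit_time REAL to an aware datetime."""
    return SAFARI_EPOCH + timedelta(seconds=seconds)


def build_chrome_sample():
    """Constructed sample: subset of the Chrome History schema with one URL visited twice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 2, 13082860800000000),   # 2015-08-01
        (2, "https://example.org/login", "Login", 1, 13055212800000000),       # 2014-09-15
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 2, 13055212800000000, 0, 0),               # 2014-09-15 00:00:00 UTC
        (2, 1, 13082860800000000, 0, 0),               # 2015-08-01 00:00:00 UTC
        (3, 1, 13082860800000000 + 3600 * 10**6, 2, 1),  # one hour later, linked to visit 2
    ])
    conn.commit()
    return conn


def build_safari_sample():
    """Constructed sample: subset of Safari History.db with one item visited twice."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT, load_successful INTEGER);
    """)
    conn.execute("INSERT INTO history_items VALUES (1, 'https://example.net/mail', 2)")
    conn.executemany("INSERT INTO history_visits VALUES (?,?,?,?,?)", [
        (1, 1, 460123200.0, "Webmail", 1),   # 2015-08-01 12:00:00 UTC
        (2, 1, 460209600.0, "Webmail", 1),   # 2015-08-02 12:00:00 UTC
    ])
    conn.commit()
    return conn


def row_counts(conn, tables):
    """First thing to check on any database: how many rows does each table hold?"""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in tables}


# The join queries: one row per *visit*, each carrying the URL it belongs to.
CHROME_QUERY = """
    SELECT v.visit_time, u.url, u.title
    FROM visits v JOIN urls u ON v.url = u.id
    ORDER BY v.visit_time
"""
SAFARI_QUERY = """
    SELECT hv.visit_time, hi.url, hv.title
    FROM history_visits hv JOIN history_items hi ON hv.history_item = hi.id
    ORDER BY hv.visit_time
"""
FMT = "%Y-%m-%d %H:%M:%S"


def chrome_visits(conn):
    return [("chrome", chrome_time(t).strftime(FMT), url, title)
            for t, url, title in conn.execute(CHROME_QUERY)]


def safari_visits(conn):
    return [("safari", safari_time(t).strftime(FMT), url, title)
            for t, url, title in conn.execute(SAFARI_QUERY)]


def merged_timeline(chrome_conn, safari_conn):
    """Normalise both browsers to UTC strings and sort into one timeline."""
    return sorted(chrome_visits(chrome_conn) + safari_visits(safari_conn), key=lambda r: r[1])


if __name__ == "__main__":
    chrome, safari = build_chrome_sample(), build_safari_sample()
    print("chrome:", row_counts(chrome, ["urls", "visits"]))
    print("safari:", row_counts(safari, ["history_items", "history_visits"]))
    for row in merged_timeline(chrome, safari):
        print(*row, sep="\t")
```

Against a real History file, replace the in-memory connections with `sqlite3.connect("path/to/History")` on a working copy of the extracted file; the row counts make it obvious when a report that only lists the urls or history_items table is short by hundreds of visits.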
These two examples above are only related to internet history records, but the same can be seen across any number of database types; instant messaging/VoIP, cookies, website storage (including webmail), application-specific and more. You’d be surprised how many internet history records exist in application-specific databases that are being overlooked.
I recommend that you take a look through all of the tables in the databases you encounter on your next analysis job; as they say, you don’t know what’s there until you take a look. By conducting a detailed analysis of the devices you will get to “know your data”, and the insight gained will go a long way towards answering the million dollar question: “what actions did the user take?”
I am often asked about which tools I like to use, and I will probably put a list together one of these days...
One of my favourite SQLite database tools is MiTeC SQLite Query; it supports exporting data in multiple formats (CSV, TXT, XML), internally viewing BLOB data (native, as well as hex), and handles Unicode characters, plus the price is right (free). It won’t recover deleted database entries but for a quick & dirty look at the logical entries it is a great tool.
Any questions, get in touch.