Digital Forensics
DFIR Channels / mobile-forensic-decoding
Main discussion channel for anything relating to mobile forensic decoding. This can be apps, SQLite databases, or any other forensic artifacts on mobile devices. New channel created 2/13/2019.
Avatar
kmacdonald1565 2/13/2019 9:44 AM
anyone have an idea why PA is reporting a call duration of 3:10 and the same backup (copied) with IEF is reporting 3:11. Happens again with PA reporting 26:56 and IEF reporting 26:57....I can only assume it has to do with rounding numbers/milliseconds. any input as to exactly why? (edited)
Avatar
I've seen it because of the milliseconds/rounding numbers as well
9:54 AM
@Cellebrite - Quick question. I have a UFED Reader which, when launched, gives an error message. Would I be able to replace the reader with the most recent version within the folder and open the UFDR report? Is it best practice to rerun using the updated version of PA and generate a new report?
9:54 AM
The version with error is 7.0.2
Avatar
@Jay528 you can download Reader from My.Cellbrite.com
10:01 AM
it's also within the installation folder of PA
10:01 AM
So if you load an extraction that was decoded with version let's say 7.0 and load it into 7.14 you will not get more data. You would only get more data if you re-parse the original extraction with the newer version.
Avatar
Deleted User 2/13/2019 10:23 AM
FYI 7.15 came out today :)
👌 1
Avatar
got it! thanks @CLB-Paul
7:06 AM
Did 2 extractions with 4PC version 7.15. Loaded the file system extraction, no problems. When loading the logical extraction I get this message. Tried both with 2 UFED PA dongles and a UFED 4PC dongle. Always get this message. Phone was Samsung A530W (detected model) but no specific profiles. Any idea on how I can parse the logical extraction? I see in the html files in the logical extraction folder that data is relevant.
Avatar
^ solved. Looks like the logical extraction needed to be opened with PA version 7.15, while the file system extraction could also be opened using PA 7.12/7.13 (which didn't open the logical).
Avatar
@Kramnias the new advanced logical extraction is a combination of Logical & FS
Avatar
Anyone know these strings? It's cache.plist. My objective is to locate the phone (after a murder)
Avatar
This is regarding the physical extraction of a Samsung SPH-L710 Galaxy S3 cell phone running Android 4.1.1 using UFED/PA 4.5 extraction about three years ago. A "Journey" using Google Maps was extracted from the device showing start/stop locations. Does this "Journey" capture indicate the "Journey" was actually started or merely searched for?
Avatar
Anyone have any ideas how to bypass the lock on a Motorola XT1032. https://www.gsmarena.com/motorola_moto_g-5831.php I've tried the dedicated bootloader, similar bootloaders, generic Qualcomm. I can't figure out how to get it into EDL to attempt that. lock removal failed. Only using UFED 7.11 and the newer versions are not authorised for use until they have been tested, which could take months. (edited)
Avatar
@Majeeko my experience with Motorolas is that you need to open up the device and short the eMMC CMD line to GND. The problem I then faced was to find the proper loader. I didn't. So I had to dump the device via ISP.
Avatar
@.karate. if I'm going to open it up I may as well ISP the damn thing. Wanted to try and get it done tonight. Nevermind, thanks for the reply.
Avatar
Np. It would be great if someone has another solution or loader so that EDL could work.
Avatar
If you hard bricked after the 4.4.4 (or 5.x) upgrade and your device looks dead and it's only recognized by pc as "qhsusb_bulk" this is the right place fo…
9:31 AM
there are some in Motorola qboot utility lollipop update
👍 1
9:35 AM
Keep in mind, if you manage to dump it, that userdata partition should use F2FS filesystem
Avatar
@Majeeko Oh the joys of ISO 17025 😢 Waiting until new updates are validated before you are able to use them
Avatar
@Stevie_C indeed. frustrating is an understatement.
Avatar
“Yeah boss. I could get into that phone and download all the evidence but that’s only possible with the new version of the software and we are 4 versions behind in validation. Tell the investigation team we might be able to do something in 6 months time when the version I need to use finally gets approval to be used”
👍 3
😁 2
10:02 AM
ISO great in theory but totally screwing up case progress
👍 1
Avatar
Yep. I do about 80% paperwork, 15% forensics and 5% cursing the demon that invented ISO17025
😁 2
💯 1
👍 1
Avatar
@Majeeko This is really troubling. You are forced to use an outdated version that not only supports fewer phones, so you are left without evidence, you are also missing possibly key evidence from phones that were already extracted as less data is decoded. Applications on phones are constantly updated and if you don’t use the latest PA versions you don’t get data or you get wrong data, which is even worse.
1:27 AM
If there is anything Cellebrite can do to help change this wrong procedure, we are ready to help as we put enormous efforts on updating the tools for you to have the most current support possible.
Avatar
Anyone from @Cellebrite can shed some light on how the search function works in PA and Reader? I mean "what" is searched when you input a keyword?
Avatar
@RonSerber Ron, this has been ongoing for the last few years in relation to UK Law Enforcement. ISO 17025 accreditation has caused us a great deal of expense, examiners not being able to do real case work as they are having to be taken off live examinations to keep ISO 17025 up to date and validate all new tools and updates. At one stage I managed to do 3 real cases in one calendar year as I was spending all my time writing ISO 17025 SOPs, buying handsets, populating them with data, testing the extractions that the tool was producing and then repeating this procedure every time a new version was released. It is an absolute nightmare. Meanwhile the backlogs increase ...........
Avatar
@RonSerber what would be amazing is if @Cellebrite and UKAS could get some sort of dialogue going so they know that Cellebrite's tools can be pre-approved for UK Law Enforcement without the need for us investigators having to repeat work you would have already done. I don't pretend to know how or what that conversation would be but it would be an amazing start and hopefully @MSAB @Magnet Forensics could follow suit and we can actually get some real work done. If I can be of any help in this quest, just let me know.
Avatar
Suggestions over the years have included that rather than every individual force and unit having to each validate every single release, one central body in the UK receives the new update, for example UFED v7.15, and advises UK LE that it is out and being validated. Then once validated, a UK notice bulletin that UFED v7.15 is fit for use by UK LE. That never materialised and instead when something like UFED v7.15 is released, WYP, Staffs and all other units all individually validate the release and decide if it is fit for purpose ........
2:50 AM
I know NIST for USA and CAST for UK was also suggested as a central body for something like this but I never heard anything since. That is going back many many years......... (edited)
Avatar
The chance of it NOT passing validation is tiny.
Avatar
Think of it this way.... you are using a validated and approved UFED v7.11. UFED v7.15 is released. V7.15 addresses known bugs in previous versions. Then you have the situation where you are using a known 'approved' buggy version that is outdated, yet approved for use, and not able to yet use the new improved release until it is officially validated. In isolation, users using UFED 7.11 may not be aware of what the bug is or that it even exists .... Even when the new version is released, release notes for the new version only state something like "fixed bug in carving" - it doesn't specify which release the bug arose in, how long it was known about etc.
Avatar
Obviously, something is broken here and the regulator missed here big time. Let’s see how we can improve this. Would be good if you can PM me with relevant contacts that I can approach to start the discussion. If this is preventing justice, I am sure this can be leveraged and push for a faster solution.
💯 3
👍 2
Avatar
Does anyone here have an understanding of UFED carved location data and the 'confidence' column that seems to populate with carved location data only?
Avatar
Andrew Rathbun 2/16/2019 5:41 AM
Fascinating discussion between @Law Enforcement [UK] and @RonSerber. I hope something can change for the better for you guys. That's very frustrating. Condolences from the USA
💯 2
Avatar
@RonSerber I actually know a guy in UKAS I'll message him and see if he is still working there and if he knows who will be the best person to approach about this.
Avatar
@RonSerber Sean Millwaters would be good to liaise with as well. He’s our UK Cellebrite representative here in UK and will know all of us and what we go through. At every UK conference ISO always is a talking point when we all get together and generally the feeling is found to be consistent amongst ourselves
Avatar
@Stevie_C you know where you can always come to on our great little island to do an examination while you wait on the validation of new version updates 😁 All joking aside, having watched this develop in the UK from the outside I believe it's turned into a cottage industry and I believe while standardisation is welcome it should be flexible enough not to thwart people carrying out their work in a timely manner. I don't think the 17025 standard shoved upon agencies in the UK is the correct one but a new more flexible alternative should be developed.
Avatar
Afternoon Pat 😃 This is a bit like all those conversations at the bar at conferences !
6:41 AM
ISO 17025 is a mandatory standard for Digital Forensics laboratories in the United Kingdom (UK) , but is this standard good for Digital Forensics?
6:42 AM
Happy as a Monkey tweets at the bottom of that link are pretty spot on as to common feeling amongst people I’ve spoken to
6:43 AM
It’s also interesting to see the US Federal Government on that page as well talking about this (edited)
Avatar
Hopefully this can be a start of something to look forward to.
Avatar
I was interested that there are US LE agencies that have this accreditation
6:48 AM
“within the law enforcement community alone there are only 67 digital forensic laboratories accredited to the ISO 17025:2005 standards for the nearly 18,000 law enforcement agencies in the country. ~ Josh Moulin Deputy Chief Information Officer US Federal Government, National Security”
Avatar
Yes at an Interpol conference on digital forensics the only agencies who appeared to support the 17025 initiative were from the UK. Most other countries agreed with the principle of standardisation; it was more like having SOPs with the flexibility to embrace new techniques and tool updates while abiding by legislation.
Avatar
@pgpmpgpm I remember back in 2012 / 2013 ish you and me sitting with others across LE looking at this in regard to standardised examinations. We all agreed it was a good thing which we all still believe.
Avatar
Thanks @RonSerber and everyone from @Law Enforcement [UK] for discussing the issue with not being able to use the latest software due to ISO17025 - We couldn't have achieved this without Discord or google groups, amazing stuff!
💯 3
Avatar
@Stevie_C Our turnaround on updates due to 17025 can vary from a day to a few weeks depending on how big the update is. For minor versions we can fast track it but larger versions it's a bit of a pain. Then it's quite a big issue getting the latest reader files updated on our main IT network so officers can use normal terminals instead of standalones to view the content but that's a whole different problem... it's very frustrating and if Cellebrite / MSAB / Magnet could work directly with the regulator that would be fantastic but I think the biggest issue they are going to hit is that each lab is set up differently with different hardware etc... starting that conversation will help massively though. I have some other good contacts in UKAS if needed.
Avatar
Some parts of ISO 17025 work OK in DF, however certainly the areas around validation of analysis tools and especially those which have to update often (such as the mobile device kit) it's seriously flawed imo. Also having each department/unit/force do their own validation on the same software is ridiculous, an unbelievable waste of resources. There should have been a centralised testing and validation department set up within CAST/DSTL as it is now before the arbitrary deadlines imposed by a FSR who has no idea about DF. I sat through a talk at the forensics expo a few years back where the FSR was invited to speak, she just essentially said it has to be done and get on with it, without any meaningful responses to some of the valid questions coming from the chair (Peter Sommer) or the audience
Avatar
Don’t get me wrong, I’m all for sound robust processes that stand up to scrutiny however it’s the validation that is the biggest issue. I think we all agree central validation by one body is the ideal solution
👍 4
Avatar
absolutely, couldn't agree more. Unfortunately I think it's gone too far now and UKAS must be making a killing (not-for-profit my arse)
1:53 AM
or perhaps this is the view of someone who spent the last 18 months going through that torture before leaving the country (not because of 17025 at least 😂 )
Avatar
Anyone from UKAS on here that can chime in with a meaningful argument?
Avatar
probably not something to own up having seen the negativity around the whole thing
1:54 AM
own up to
1:55 AM
Either way, it's not UKAS to blame, they simply assess the units applying for the standard. At least as far as I know it's the FSR who decides which is the right standard for the different areas?
Avatar
Pretty much yes. With 17025 and the codes. My biggest issue with UKAS is the lack of consistency between different assessors and forces when you share the feedback you've had on different things and different issues... it's infuriating at times
Avatar
Yeah it is
Avatar
Need a regulator for the regulator!
Avatar
Quis custodiet ipsos custodes?
1:58 AM
Who watches the watchmen?
Avatar
Do we even have anyone representing UKAS on here?
Avatar
If they are, they are currently on the phone shouting 'THE PEASANTS ARE REVOLTING'
Avatar
Hello, newbie question. I'm using Cellebrite. There's a GT-I9060. Got a physical image. Deleted text messages appear. looks good. But I want to ask: are the Cellebrite default settings sufficient for forensic cases? I don't want to miss anything I'm not looking at. How to access more? or where should I look? any advice helps a lot. Regards
Avatar
@anspoki Still not quite sure what you're asking here. By default settings do you mean for reporting? There are options to try and get "more" data by carving, or by digging into databases and decoding some stuff manually but it depends entirely what you are after and what you need for the case.
3:20 AM
It's one of those things where you could spend days and days really digging down to try and get that extra scrap of data but it might not make a difference to the trial or the case in a big way, we tend to only do that if there is specific intelligence about an application or data that should be on the device, or if we see something that leads us down that rabbit hole. In short, it all depends on the case requirements and the instructions you have been given.
Avatar
@K23 yes, should I be content with the default settings? for example, text messages came. but I don't know if there is more. I don't know where to look.
3:22 AM
@K23 I understood properly now. one should follow this with the white rabbit.
Avatar
Well.. you could take a look in the specific databases and try to find some extra stuff manually, but UFED normally does a pretty good job at decoding the messages. If it's deleted stuff you are after it's a bit hit and miss depending on how it's been recovered / carved back. Another alternative is to try decoding it with a second tool to spot the differences and do a manual examination which should show if any live data is missing, but unless you have specific intelligence that an SMS message is present on the handset that you cannot see on your report you should be good on the SMS front. It's not an easy question to answer where you draw the line
Avatar
@K23 this was even very helpful.
3:30 AM
Thank you
Avatar
Every day I am thankful that we don't have ISO (yet)
Avatar
Andrew Rathbun 2/18/2019 4:31 AM
@Sudo how do you not if you're UK?
Avatar
Channel Islands isn't UK or is it? Nobody knows! 😂
😂 1
Avatar
Andrew Rathbun 2/18/2019 4:32 AM
IIRC you're on an island that's near the UK and technically part of the UK but not at the same time
Avatar
it's a bit like Narnia
4:33 AM
you can access it easily from the UK but it's a different world out there
4:33 AM
and from what I am told, very nice too
Avatar
it is and it isn't!
4:55 AM
it's a magical world
4:55 AM
we do what feels most fun
Avatar
sounds wonderful
Avatar
Deleted User 2/18/2019 6:08 AM
Does anyone know how to get the swipe code of a Sony Xperia H8216?
Avatar
Assuming that it's a hardware backed device (based on age and being a relatively high cost phone), you won't be able to crack the pattern offline, even if you manage to get to the relevant key files
6:10 AM
Do you need to actually know the code, or just remove it?
Avatar
Deleted User 2/18/2019 6:11 AM
@OllieD we need the data. We don't have to know the code
Avatar
Have you tried the LockPick method within UFED?
6:13 AM
I know that some Sony support is claimed, not sure about this particular model (and I believe it's security patch dependent)
Avatar
Deleted User 2/18/2019 6:15 AM
Yes. Didn't work. We've also searched for the chipset to go around with the EDL cable. That didn't work either.. I can't tell you anything else because I haven't got the phone physically.
6:15 AM
Thank you for thinking with me :)
Avatar
Nokia TA-1057 with a pattern lock upon startup, MediaTek 6759N chip, Android One running 8.0 Oreo, possibly 9. Anyone come across this to bypass the pattern lock??
6:35 AM
Apologies 6750N chip
Avatar
Hi there - Newbie here with a Cellebrite error message query. I'm running a watchlist / keyword list in UFED PA against quite a large extraction from an iPhone. When clicking on the results to go to a result I get a very long error box pop up the summary is "Cannot handle more than 5000 text effects". On closing this it pops up again a few times and then closes PA completely. Is it too large to run the keyword list against? Thanks for any help!
Avatar
Dr.Who-IACIS 2/18/2019 8:31 AM
@JMK Been there, done that. It seems it has to do with the amount of words you are loading into memory. I was using the crackstation lists on a password one time which was too large. I think anything over 9 gigs was too much. Can't remember but hit up @RonSerber and he can shed some light on this. (edited)
Avatar
Hi everyone! What is your standard procedure on an iOS device if you need to figure out if data exfiltration was taking place in the past, e.g. by having a "legit" application accessing and forwarding taken pictures? Is there a way to see network activities of applications and other helpful information in certain databases that might not be covered already within UFED PA?
Avatar
I have a case where I need to validate when an iPhone was wiped and then restored from a backup. Apart from looking at creation times in the filesystem, is there any plist / DB that contains information about this? I have a full filesystem dump of the device.
Avatar
@.karate. - have you looked to see if there is a .obliterated file? https://www.blackbagtech.com/blog/2013/07/31/iphone-forensics-wiped-iphone-are-you-sure/
There are many legitimate reasons why someone might wipe an iOS device.  A corporate IT administrator might do so prior to assigning a device to a different user, or a user might do so before they install a major iOS update.
👍 3
Avatar
@Jonny Thanks! That file combined with the timestamps should be enough! Thanks for the quick reply 👍
Avatar
@Dr.Who-IACIS Thanks for the reply. The watch list is quite a few but has worked on other downloads so I will try Ron - thanks again!
Avatar
@JMK Just a heads up, Ron Serber is the Cellebrite CEO, might be better to go through support
Avatar
Well.. The support.. Isn't responding to anything so..
👆 2
Avatar
Thanks @Majeeko - he pointed me in the direction of support too 😃
Avatar
I'm planning to chip-off a Lumia 830 running Win10 Mobile. Does UFED support decoding for a Win10 physical extraction?
Avatar
In my experience it's flaky at best. We've ended up using AXIOM in the past for Windows 10 phones. You can also do a bit of digging with an ESE database viewer, which is what the handset uses to store a lot of the data, but it isn't the easiest thing to work with. I have a half decent database viewer for it if you want me to message you a copy
4:17 AM
@Mike
Avatar
thanks for the info, just wanted to be sure they had no support for Win10 Mobile physical .... UFED only supports Win8 Mobile physical it seems
Avatar
That's been our experience as well. UFED tries to decode but doesn't get back calls or SMS... but this was several months ago, things may have changed. On the flipside it's really not a popular OS these days and as it's no longer supported, and while I can't speak for them, I doubt Cellebrite are putting a lot of resources into R&D on it (edited)
Avatar
forensicmike @Magnet 2/19/2019 4:58 AM
@.yuzumi. Hi Yuki, Assuming the device is running a legit version of iOS, I would recommend you start your search by reviewing all app permissions pertaining to camera roll access (1) and running in the background (2). This could greatly refine your search criteria. Determining this can be done forensically with a little work, or on the device itself. At the bare minimum, camera roll permissions would need to be turned ON for this type of thing to work.
Avatar
forensicmike @Magnet 2/19/2019 5:09 AM
@.yuzumi. If you have a filesystem extraction (not UFED Advanced Logical), check out netusage (/private/var/networkd/netusage.sqlite) More info here https://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases (edited)
Two iOS databases that I’ve always found interesting (and probably should test more) are netusage.sqlite and DataUsage.sqlite. These two databases contain very similar information – one is available in a backup (and file system dumps) the other only in file system dumps. ...
Avatar
Does anyone know if it's possible to take an encrypted UFED iPhone extraction and restore it to the phone that was acquired, perhaps via iTunes? One of our test phones has died and it's a right pain to re-create all the test data! The UFED extraction is the only copy of the data!
Avatar
Deleted User 2/19/2019 10:26 PM
Does anyone have info about how to extract the password from a samsung phone RAM memory?
Avatar
I did an advanced logical and filesystem extraction of an iPhone using Cellebrite. However images from the xxxcloud folders weren’t extracted. Anyone encountered it before?
Avatar
randomaccess 2/20/2019 2:11 PM
Any idea why that wasn't included in PA as well?
Avatar
NineofSeven3 2/21/2019 7:05 AM
Anyone have any insight on Samsung Contextlog.db? (edited)
Avatar
Soooo.. what is the default pincode used by Cellebrite to encrypt the iTunes backups nowadays?
Avatar
1234
Avatar
Mistercatapulte 2/22/2019 6:46 AM
Has anyone ever had this line of error in PA opening a dump? 15:42:30 >>> Plugin errors (1 of type NullReferenceException): System.NullReferenceException: La référence d'objet n'est pas définie à une instance d'un objet. à Cellebrite.DeviceReaders.Google.AndroidApps.GmmJavaDeSerializedObjectParser.GetLocationsFromStartPageDKLocationsPath(IKNode nodes, String protobufPathFirstKey) à Cellebrite.DeviceReaders.Google.AndroidApps.GmmJavaDeSerializedObjectParser.ParseStartPageDK(List`1 jobj)
6:47 AM
PA continues parsing afterwards, but if someone can explain this error, thx
Avatar
Reason I'm asking is because I had an iPhone X with iTunes encryption disabled which I dumped using UFED PA. As usual I chose to enable iTunes encryption but when I decode the dumps UFED PA says that the password is incorrect. I tried 1234 and 12345 and the device's pincode but no luck. Just checked the UFD file and it states that the password is 1234, however UFED PA doesn't agree. 😦 Paging @Cellebrite (edited)
Avatar
@Sockmoth I can't say I have ever seen that before.
7:29 AM
give support a shout via email or call
Avatar
@CLB-Paul First time for me too. I'll open a ticket at support.
Avatar
yeah, it's the best bet, they might have seen something like that before.
Avatar
Deleted User 2/22/2019 8:03 AM
@Sockmoth i had this exact issue last week, will forward you their response in PM
8:03 AM
tldr is that UFED doesn't always recognise encryption, which is good fun
Avatar
@Deleted User @CLB-Paul I just found out this device has restrictions enabled from the Screen Time interface, which is protected by a secondary 4 digit pincode. It makes it impossible to use the reset all option from the settings menu so I cannot even disable the backup encryption. Maybe it's also the cause of the problem I'm experiencing?
Avatar
That could be
8:31 AM
That code is stored in the keychain if you get a full file system
Avatar
Mistercatapulte 2/22/2019 9:21 AM
@everyone Noob asking: in hex, is the phone number stored before or after the name? (edited)
Avatar
Adam Cervellone 2/22/2019 10:11 AM
Can an Android Logical or File System extraction from UFED be loaded into AXIOM? I know how to do a physical but not quite sure about the other two.
Avatar
Andrew Rathbun 2/22/2019 10:12 AM
If you have access to Oxygen, I know you can ingest UFDX files into there if you're looking for another program to review a Cellebrite dump in
👌 1
Avatar
Mistercatapulte 2/22/2019 10:17 AM
@Andrew Rathbun I opened it in Axiom actually to see
10:17 AM
all contacts are deleted
10:17 AM
but I see all data in hex
10:17 AM
very strange
10:17 AM
it's physical dump of 935F
10:18 AM
with french and tunisian phone numbers
10:22 AM
I was wondering if the undecoded numbers were assigned to the name below or above in hex view; maybe I expressed myself wrongly
Avatar
Adam Cervellone 2/22/2019 10:23 AM
We don't have Oxygen here. I've done the quick image in Axiom on one of the phones but it didn't seem to decode some of the same stuff Physical Analyzer could decode.
Avatar
@Adam Cervellone - file system should be fine but Magnet don’t recommend importing a logical
Avatar
Adam Cervellone 2/22/2019 10:48 AM
What is the correct way to import the file system in?
10:51 AM
I found that not all ufd files will play nicely
Avatar
Last time I tried Magnet it didn't decode that much data out of an Android phone as UFED PA. Has there been some changes to that?
Avatar
I find Axiom is better with a physical image and tends to do well on chat apps and web history. Using both tools and cross referencing is the best way in my opinion.
👍 3
Avatar
randomaccess 2/22/2019 4:55 PM
I use both. All tools have strengths and weaknesses
💯 2
👍 2
Avatar
I am examining some phones in a case that involves Instagram. I can't seem to find much documentation about what you can expect to find in Android phones regarding this app, can anyone suggest any document / research / whatever?? I've found that in the path "/data/com.instagram.android/shared_prefs" there are many .xml files that seem to contain some interesting stuff in clear text, for example the username used in the last login attempt, some of the last hashtags searched, the app dictionary for autocomplete, some newsfeed notifications that expose the names of many Facebook friends of the Instagram user etc.
Avatar
randomaccess 2/23/2019 5:10 PM
@FabianoQ https://www.google.com.au/search?safe=off&client=ms-unknown&ei=2u5xXL75FoXpvgSYy4f4Bw&q=site%3Athisweekin4n6.com+instagram&oq=site%3Athisweekin4n6.com+instagram&gs_l=mobile-gws-wiz-serp.3...660.3310..3691...0.0..0.428.3261.0j7j4j1j2......0....1.2DJOxYHjFqA every post in the last few years that has mentioned Instagram. But really, if you can't find the research, please do it, write it somewhere, and share it so that we can all benefit
Avatar
@randomaccess Thanks, i'll have a look
Avatar
Hello (iOS 11). Anyone have info on the plist contained in "usbredtrictedmode_analytics_v2.db"? Especially: look at the data in the picture 😉
Avatar
No pb... I have my information👌
Avatar
chrisforensic 2/25/2019 6:48 AM
hmmm.... crazy today acquired an iphoneX as usual with UFED PA... hmmm... shows me 2 appleIDs ??? anybody knows why?
Avatar
Could it be an old account? Someone switched email addresses?
Avatar
I'm holding a phone at this moment with 2 different apple ID's in it. Nothing weird about it. It's my phone
Avatar
One account for his gf and the other is for his sidechick
😂 3
Avatar
chrisforensic 2/25/2019 7:06 AM
oh... I didn't know that it is possible to have 2 IDs 😃
7:06 AM
I don't own an iPhone 😊 (edited)
Avatar
Ask for an agency iPhone
Avatar
I have a problem with UFED Physical Analyzer 7.15. When I'm doing an export from the timeline (including SMS and Facebook Messenger) to Excel, the information in the party column is lost for SMS but not for Messenger. I think this "bug" is in earlier versions of PA too. Help @Cellebrite (edited)
Avatar
chrisforensic 2/25/2019 7:13 AM
found this info ;) There are 5 "places" you can sign in with an Apple ID. iTunes, iCloud, Messages, FaceTime and GameCentre. These can be different Apple ID's but each has a different function. You can't use iCloud with 2 unique Apple IDs. You could have a work ID for iCloud and a personal ID for iTunes. I would recommend against it however, but it is doable..
Avatar
Also all installed apps are connected to the Apple ID that was logged in while installing the specific app. You can have many installed apps connected to different Apple IDs
Avatar
Snapchat fans. I am reviewing a physical extraction from an LG phone. Android OS 5.1.1. The extraction reveals the Snapchat User account was setup with one phone number and a mobile_verification_send_to_number was sent to another number. Any ideas on why these numbers would be different? I haven't found a fake phone number program on this device. Any thoughts?
10:18 AM
by the way this is more out of curiosity at this point, and not case relevant.
Avatar
Maybe google voice? I've seen that a couple of times
Avatar
Interesting point @Jameson
10:43 AM
Thanks
Avatar
@sholmes the number doesn’t need to be same.
11:14 AM
Think of accounts switching phones
Avatar
@CLB-Paul That makes sense too. The area codes throw me for a loop on this one, as the account number is Michigan and the verify number is Miami. Michigan is where the person is from, so I was just trying to make sense of it. To top things off, the phone is old and doesn't have an assigned phone number to confirm if it was either of the listed numbers.
Avatar
I had a different number I used to verify my own when I switched phones
Avatar
definitely could be the case here.
Avatar
a colleague just called me, asking about an image they see in UFED Reader. The corresponding chat just says "app broadcast" and they want to know if there is a way to see who this has been sent to. I have not seen whatsapp broadcasts yet. any idea what this could be? a user story maybe?
12:28 AM
okay, I just learned about broadcast lists in WhatsApp (I'm getting old, it seems.) Is there a way to see the broadcast list in UFED reader?
Avatar
okay, in the second call it turned out, that the phone was actually receiving the broadcast. Nevermind then.
Avatar
Howdy all, I have a Huawei here, done a manual review and I have the VLC history. Lots of indecent images on the handset and further on in the history I have indecent filenames. The ones in the photo are a 32 character hex string and I'm wondering if this is an MD5 as a file name or some sort of GUID. Anyone have any experience in this?
Avatar
No phone extraction ? Just manual exam?
Avatar
I have a logical and a file system backup but the suspect has shredded all the regular media. I have loads of cached images and thumbnails but no full size media. I have access to CAID here but I don't want to spend god knows how long typing out hex if it's not an MD5. Was hoping someone will know. Just about to install VLC on a test phone and see what's what.
4:35 AM
The extractions didn't produce much in the way of chats, web history and so on. Using the Huawei backup app was shot down by the bosses as it's an unaccredited method.
Avatar
What model is it ?
Avatar
ANE-LX1 - P20 Lite
Avatar
@Majeeko try using CyberChef to see what they are. It's a pretty good tool...
Avatar
perryk_2772 2/26/2019 7:55 AM
Good morning Group. Anyone have a good Viber white paper? 2017 or newer? I have a GK download from an iPhone and Search Warrant results from Viber. CDR records from Viber document extensive chat communications with one specific phone number, with some telephone communication with the same number. Using PA, some of the telephone communications were recorded in the call log database. Flagged as Viber Audio. None of the Viber chats are documented in PA. A manual search of the file system did not locate a Viber database. It does not appear the Viber app is installed on this device, yet through the DataUsage database and other file system sources, Viber / Viber.com is referenced. But the reference times are not even close to the extensive chat history as outlined in the call detail records provided by Viber. Internet History does not show a constant connection to Viber.com, nor logging into that site. No other device was seized and none is believed to be in the suspect's use. I've read that Viber can be incorporated within other social media programs, but I haven't located it so far. I'm looking for additional ideas as to where the Viber chat database resides.
Avatar
@perryk_2772 was this an AFU or full GK extraction? (edited)
Avatar
Hello all - if anyone has any information on accessing Signal (v.4.30) data/comms from a .bin of an Android phone, please let me know or DM. I don't know if this has been accomplished yet. Cellebrite's PA emulator won't open the app (it shows up but crashes on open) and there's nothing of use that I can see contained in the database files. Thanks much. // edit: maybe this belongs in the extraction channel.... couldn't decide. (edited)
Avatar
@BlueNine if the data is there I would have thought UFED could parse it. Do you have access to Axiom? My wife uses Signal to speak to friends in China and I remember her saying that messages can self-delete after they have been read, maybe this is the case and the reason the database is empty.
Avatar
Anyone have any experience decoding times/dates from Google Maps search history on Android? Cached previous search terms are visible on device and reproduced within "odelay_cache.cs" file but it looks like no file I've seen before...
Avatar
randomaccess 2/27/2019 3:03 AM
I've only looked at the URLs produced by maps on browser and didn't see any times
3:03 AM
But I've done a bit of work on Google urls if you want to drop me a pm
Avatar
perryk_2772 2/27/2019 9:33 AM
@Jameson Full GrayKey extraction
Avatar
Anyone know if we can crack Android passwords from gatekeeper.password.key for a device that is NOT hardware backed? Running 6.1. I have the salt but password.key is not giving me a hash. I'm looking through my DALE notes but I must have popped to the toilet when that bit came up.
Avatar
@Majeeko you can try Mobile Revelator. Some say it can crack 6+ password/pattern if it's not hw backed, but it's slow. Haven't tested it personally.
Avatar
Yeah, I saw @OllieD put that up. I have MR but struggling to get the actual hash from gatekeeper.password.key. the ASCII is just gibberish. I'll hit Ollie up on the morrow and pick his brain.
11:39 AM
I'm excited I might actually get to do some forensics tomorrow, then the mandatory paperwork.
Avatar
Hmm, from what i see you just select the file and db where salt is stored and it should start cracking
11:42 AM
For some reason this doesn't work for me, no progress and just Intel OpenCL as the device I can select. Not sure if it's how it should be
11:48 AM
Hmm, cracked my gatekeeper.password.key from Nexus 4 running custom 7.1 firmware just fine only by selecting .key file
Avatar
I'll have another try tomorrow. Thanks for the help.
Avatar
@Majeeko, the fact that the password file is gatekeeper.password.key means it is hardware backed encryption. The word gatekeeper being there indicates this. Therefore you won't be able to crack the password on this. Gatekeeper verifies passwords via an HMAC with a hardware backed secret key.
Avatar
@Aneesh96 it does not. If you updated 4.4, 5.x or anything else to 6.0, you'd have the gatekeeper password file but not hw backed. I have a Nexus 4 running custom 7.1 fw and was able to crack it fine. Custom fw is not a vendor one so some changes could be made but this one was built directly from AOSP as far as I know so should stick close to reference. (edited)
Avatar
Some notes about an old version of the Instagram Android app.
Avatar
@Majeeko Had an old Android phone back in December, OS 6.0. Device had been extracted using UFED 4PC but when imported into PA got the message "Android User Data encryption" and it requested a code. Likewise other tools had the same issue. Imported dump into Oxygen. It advised the dump was encrypted and it then automatically started attacking the dump with Passware. Got decrypted data and also the code 43 mins later! Then used the code recovered from Oxygen to import into UFED PA. Second set of decoded data. 😃 Might be worth a try
Avatar
I have a full non encrypted physical of phone 1, device policies show me it's a 4 digit PIN. I can't get into phone 2, has a 4 digit PIN and I'm fairly sure it's the same as phone 1. That's why I'm eager to get this. I'll have a look at Oxygen and see what it's saying.
Avatar
Deleted User 2/28/2019 1:43 AM
Is there anyone with experience in a cold boot attack on Samsung phones? I'd like to try this method.
Avatar
@Cellebrite Does UFED reader support online maps? I can see the options in settings for online / offline grayed out, but we have a user asking about it and just wanted to check if maps are supported at all by the reader (And if they are not, it's a bit odd that there are settings for it!)
3:59 AM
And there is documentation in the help guide for maps as well, but again just on the setting that is greyed out
Avatar
@Majeeko Yep, mine was a 4 digit PIN. Was same as handset code 😃
Avatar
Unfortunately after talking to @Majeeko earlier, his key file appears to be hardware backed
Avatar
icurbadside 2/28/2019 2:56 PM
I have an LG Stylo 4 LG-Q710AL. When powered on, the message "image of verified boot not installed" appears. It appears that the detective packaged this in a bag so tightly that an unknown button combination was pressed. But that's another story. Has anyone run into this and successfully recovered from it?
Avatar
@Forensic@tor Mapping addresses as in you can actually see the maps? Or just the coordinates are present? Our PA is on an airgapped network so that's not really an option for us unfortunately. Plus, it's often the officers that dig into that kind of detail at a later stage unless we are given specific Intel on what they are after.
Avatar
@OllieD @Stevie_C yeah, that was slightly upsetting. I was sure it wasn't. Never mind, it's all part of the fun and I learned how to use MR to brute force. A wise man once said, "I never lose. I win or I learn". (edited)
Avatar
Forensic@tor 3/1/2019 3:05 AM
@K23. If you go to Device locations and right click on an entry with coordinates you can retrieve addresses if connected to internet. There is a way to use offline maps as well, but not as familiar. Once the address is populated it stays with the dataset during report creation.
Avatar
Thanks, that might be a workaround but still doesn't solve the initial problem. We have offline maps working on PA (Although ironically mine have just broken and are not letting me point back to the install location) but I cannot see an option to retrieve addresses, as you say that likely needs an internet connection which is not something we can have on our forensic network. And again, officers that will be looking for this information do not have PA licenses and only have access to the reader products so this doesn't solve it for us. I was mainly asking as the functionality appears to be sort of present in Reader as it is referred to in both the settings and the help guide, but if it isn't actually supported that's fine, I'll put in a feature request. I was looking for clarification on if it was supported or not. (edited)
Avatar
@Majeeko how did you verify that it was hw backed? Just by attempting to crack it?
Avatar
@Arcain last byte of the .key file: if it's 0 it's not, if it's 1 it is.
👍 2
Avatar
008C7744D9FB1D261A00000000000000000000000000000000FF23B5C2363219CB64406DC62355AD62F1AAB671CB8B67204B1376DBEB1E7CDC01
4:42 AM
So this one would be hw backed? It's gatekeeper.pattern.key from LG G4
Avatar
@K23 I’ll double check. But I believe only the BSSID one is included in the reader if the user is registered
Avatar
For coordinates sure you can pull that data back, but I don't think you can actually view them in a map view. Thanks @CLB-Paul
Avatar
@Arcain Yep.
4:50 AM
01 indicates hardware-backed 00 is non-hardware backed
4:53 AM
The phone I was working on was an LG G4, got a decrypting bootloader physical. For some reason I thought I used a normal bootloader, that's why I was convinced it wasn't HW backed. Looked at my notes and I was wrong.
Avatar
This G4 is actually weird. It had a password enabled - which I knew. There is gatekeeper.pattern.key, with some data, gatekeeper.password.key - empty and password.key from 5.x that can be cracked just fine. Maybe something went wrong with the update and password.key wasn't wiped
Avatar
I see the mismatch Hash maybe he will destroy!
6:24 AM
your Hash : 008C7744D9FB1D261A00000000000000000000000000000000FF23B5C2363219CB64406DC62355AD62F1AAB671CB8B67204B1376DBEB1E7CDC01 (edited)
6:24 AM
my Hash : B703A889F45103BF0C1441744671FE5E71E3E7CC0D047814F405BA5779EA398DC87FBFDB (edited)
6:25 AM
just need some salt
Avatar
@BorgSl this is not a hash, this is a hex from gatekeeper, so it's scrypt and does not require salt from locksettings.db
6:35 AM
that's why it's longer
Avatar
@Arcain I've seen that before, where gatekeeper is present but v5 lock files have been left behind
Avatar
@Mark on google maps: yes, I did some scripts for MR on map tiles, dates and location
Avatar
How are you decoding/analyzing Instagram chats on both Android and iOS phones? It seems that the tools I've access to (UFED, Axiom, Oxygen) are not so good at it... What's your opinion, can you suggest anything?
Avatar
Deleted User 3/3/2019 11:34 PM
I think, the problem usually is that Instagram doesn't store a lot of chats on the device. If I need data from Instagram I would either use Cloud Analyzer or go online with the device, scroll back to load the messages and then do screenshots.
Avatar
@Deleted User I'm talking about messages that I can see on the device and that do not appear in the report, especially when on the device they use more than one Instagram account
Avatar
Mistercatapulte 3/4/2019 1:05 AM
@FabianoQ physical or logical extraction?
Avatar
@Mistercatapulte Physical for android, filesystem for ios
Avatar
Mistercatapulte 3/4/2019 1:06 AM
Fs iOS it's normal, u don't have access to the db without full fs
1:07 AM
For Android it's different
1:07 AM
If u have physical u have all
1:07 AM
What's the phone model?
Avatar
Just checked two extractions using that database on cases I'm working right now, there's a fair few messages in there. This is defo worth looking into
Avatar
Take it no one in here has done any research into when and why SMS messages are put into this database when they are deleted?
Avatar
Quick glance shows there are some live messages pulled back from that location too, and the database itself does not have any flags on if a message is deleted (Besides doing manual cross comparison with SMS.db) (edited)
Avatar
I am going to be taking a deeper look into this today when I get into the lab. I've been tied up with several other artifacts and converting some of the sql.dbs into KML to upload to Google Earth. It actually makes for a good overlay in court..
👍 2
Avatar
We've done that a few times with various GPS data. It can look pretty good
Avatar
Any Python / coding savvy people out there? I'm curious if it's possible to turn the .txt file that you can export with WhatsApp into a more viewer friendly chat bubble format by somehow turning it into a PDF or HTML with the media in the correct places or a link to said media. My Python Kung Fu is feeble at best.
👍 1
Avatar
Try different SD card readers
👆 2
11:49 AM
different cables
Avatar
Anyone played with decoding an Instagram download initiated from the users account? Got a zip with a fair few JSON files in it, just wondering if anyone has had a play with putting this data in a nice report format before I start researching options (edited)
Avatar
@K23 Didn't know that could be done. Is it done from the app or the web page?
Avatar
Web page. Had a request with the JSON files on a disc, now just trying to find something to make it presentable. I could probably write something in Python, but it's been about 3 years since I did any coding so I'm pretty rusty there. Could defo do with a recap though when I have the time...
4:07 AM
Instagram allows users of the platform to download their own data report. If you haven't tried it, this is how to do it.
👍 1
Avatar
Interesting, thanks
Avatar
@K23 Cyberchef does some good JSON conversion, although I have never tested the Instagram JSON.
4:12 AM
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
Avatar
On it now thanks, hoping the offline version works with all the functionality
Avatar
It does, all in one massive HTML file!
Avatar
Cheers. Hitting an error on the JSON > CSV but likely user error somewhere. Thanks for the advice anyway, I'll keep playing
Avatar
Has someone worked on tracev3 files (iOS)? I used this python script: https://github.com/ydkhatri/UnifiedLogReader And I have a BIG database of logs (2 million rows for 10 days)! Except some results are strange... Ex: during battery charging the percentage (5 events) increases by 20 but in the same second! Impossible unless the date conversion isn't precise... If someone has another method to check these events, it would interest me a lot! It changes the vision of the case (2 testimonials would be wrong so ...) (edited)
A parser for Unified logging tracev3 files. Contribute to ydkhatri/UnifiedLogReader development by creating an account on GitHub.
Avatar
@rico - Yes, I commonly work with the tracev3 files - they are part of the Unified Logs and I have found this page helpful: https://www.blackbagtech.com/blog/2017/09/22/accessing-unified-logs-image/ Specifically: "Using your forensic tool, export the contents of /private/var/db/diagnostics and /private/var/db/uuidtext to a folder on your desktop. Do not include the parent directory ‘diagnostics’ or ‘uuidtext’. Once these files have been exported, add the .logarchive extension to the name of the folder containing the exported files and folders. The folder will change to a bundled folder (.logarchive) that contains the log files." Once you've created the .logarchive folder - you can examine the contents on a Mac using the console. It's not a speedy task as there could be >20 million records - but you will get a great deal of info regarding the activities taking place on the phone.
Starting with the release of macOS Sierra 10.12, Apple began changing over to a new log format.
Avatar
iOS 10, I'm working on the coreduetclassd.db and focusing on the ZCCDEMSLEEPORWAKEEVENT table; within this table I'm attempting to decipher the ZSLEEPSTATE column, and despite rigorous testing am having difficulty identifying the different states
if anyone has prior work on this table, let me know; it's currently not in any commercial tool, nor any searchable docs (I've burned the candle at both ends on google, github, etc)
Avatar
@jd1345 After a big day... 18 hours of work! I'll test as soon as possible
12:35 PM
And... Thx you !?!
Avatar
https://github.com/mac4n6/APOLLO/tree/master/modules In this script you have some info but not on your column...
Apple Pattern of Life Lazy Output'er. Contribute to mac4n6/APOLLO development by creating an account on GitHub.
Avatar
Apollo handled much of the work in this case "within reason" but I have the SQL query written for my particular table, with empty statements until I can better understand the ZSLEEPSTATE type identifiers
2:53 PM
It's been a good process, in comparative testing, there seems to be some inconsistency in what produces one particular value vs another
Avatar
randomaccess 3/7/2019 3:00 PM
@Krisaytha reach out to Sarah. Shes the best person to ask
3:00 PM
Also knowledgeC if you can examine it also has events for screen on and off
Avatar
@randomaccess I've juiced every other facet, this is the one I'm really drilled on, and I did reach out to Sarah; fingers crossed she or someone else has deciphered the state codes
👍🏻 2
Avatar
In "my" tracev3 files, I have some artefacts about awake. Perhaps in these millions of rows you have your sleepstate. I'll look today to verify this info is in this tracev3
Avatar
chrisforensic 3/8/2019 2:29 AM
hello, who has this problem too? have UFED project from SM-G960F open (adv.log. + ab + apk-downgrade + sim) in whatsapp-chat the participants, number of messages and attachments are shown correctly... BUT... the pictures, videos are NOT visible in conversation view?? even though the media exists in the adb-backup (sdcard/WhatsApp/Media/WhatsApp Images/Sent) !!! tried loading the different acquisitions in any order.... no luck tried running the plugin "Android Databases" after... no luck may someone have a solution for this problem..... this problem exists generally, not only in this acquisition.... best regards
Avatar
chrisforensic 3/8/2019 4:10 AM
one attachment was sent...
4:10 AM
shows as deleted ???
4:10 AM
but is here !
4:11 AM
maybe now it´s better to understand this problem 😉
Avatar
⬆ I thought he was wearing a Darth Vader mask.
😂 9
Avatar
chrisforensic 3/8/2019 4:14 AM
i´m no artist 😉
Avatar
chrisforensic 3/8/2019 4:25 AM
after running the plugin...
4:25 AM
attachments and conversations are gone ?
4:25 AM
but picture was linked correctly
4:26 AM
and this is the problem... when generating an ufdr-package there are NO chats !!!
4:27 AM
only way is to make reports for every conversation ?
Avatar
Andrew Rathbun 3/8/2019 4:28 AM
@Cellebrite
👍 1
Avatar
@chrisforensic Most logical explanation in this case is that UFED can't tie the chat and images together. I see this all the time with multiple extractions of 1 device. Depending on how and where the data was retrieved UFED will be able to successfully decode and combine the data (or not). You could try and experiment with adding the data separately (UFED PA > Open advanced) and somewhat follow/copy the Android file structure. It's comparable with the Huawei backup method where you have to extract the app data and add it with the media folder to UFED PA to decode it.
Avatar
chrisforensic 3/8/2019 4:33 AM
@Sockmoth thanks for the hint.... I thought about this 😉 hope this will be fixed in the next update ....
4:34 AM
it's fine to hear that it's not just me who has this problem!
4:35 AM
sunny greets from Austria to the Netherlands 😉
Avatar
@Krisaytha in tracev3 you have some info like "sleep reverted" or "declared system activity to prevent sleep" "i requesting... To sleep"
6:34 AM
And "i sleep complete"
Avatar
@Andrew Rathbun are they coming up in convo view together
Avatar
Andrew Rathbun 3/8/2019 9:18 AM
@CLB-Paul I only mentioned Cellebrite on behalf of @chrisforensic
Avatar
Does anyone know of any free OS tools that can inject csv files and provide link analysis and filters?
Avatar
Sorry I guess I missed that 😃
💯 1
Avatar
Dr.Who-IACIS 3/8/2019 9:58 AM
@chrisforensic Were you able to actually go to the Whats App database and view the contents ? It could be that the database structure has changed and CB has not caught up. One thing I've noticed, remember when SMS and MMS used to be separate databases? With the ability to send a picture in an SMS environment, the conversation continues but the message changes to MMS. This is due to using the same database for both. I've noticed that many times MMS messages will just have the content with no text. That is where looking at the database comes in handy.
Avatar
chrisforensic 3/8/2019 10:40 AM
yes, the WA structure is still the same as far as I know
Avatar
Dr.Who-IACIS 3/8/2019 10:58 AM
@chrisforensic I'd try to drill down in the database itself to see if you can link the attachments to the text.
Avatar
@bkerler quick question related to MR. Have you ever tried loading Android Spreadtrum dumps? I had a Wiko Sunny 2, version based on SPD. I was able to create a dump using UFI. UFI detects that system, cache and userdata are YAFFS_IMG2 and while the phone is near empty and running Android 6, I can see some data using a hex editor. I tried loading it as YAFFS2 in MR but it fails to open it correctly. R-Studio thinks it's ext4, but also can't see the correct directory tree. Instead, if I scan the image, I see a partial filesystem, with a couple of directories (they don't have correct names), one that looks like data/, one like media/0 (but without Android, DCIM or other standard directories inside) etc. I'm unable to see anything that would look like the system/ directory.
2:03 PM
I also tried opening system partition image, but this one also can't be viewed correctly.
2:05 PM
I can upload the image if you'd want to take a look. Despite the fact that the partition is about 4.5GB, the compressed one takes only ~150MB. Doesn't seem to be cut at any point either and the phone was working just fine so it's not corrupted and I made the dump twice to verify.
Avatar
Mistercatapulte 3/9/2019 8:52 AM
Someone can crack this for me? My hashcat give me a lot of errors 😦
8:52 AM
3A362FDAE0C482C402A650A4751A026F8A57AD03005851C5AE42A6CC4DF64B3459809DC1:9fd7b87a800b1095
Avatar
What is it exactly?
Avatar
Mistercatapulte 3/9/2019 8:53 AM
hash and salt from android fs extraction
8:54 AM
hashcat64.exe -m5800 3A362FDAE0C482C402A650A4751A026F8A57AD03005851C5AE42A6CC4DF64B3459809DC1:9fd7b87a800b1095 -a0 C:\hashcat\common_02 -O
8:54 AM
it's typical cmd
Avatar
i get token length exception (edited)
Avatar
Mistercatapulte 3/9/2019 8:56 AM
same here
8:56 AM
😦
Avatar
your hash is too long for -m 5800, it should be 40 chars only
9:03 AM
any idea how long is the password and what it contains?
Avatar
Mistercatapulte 3/9/2019 9:03 AM
5 digit
9:03 AM
lowercase chars
Avatar
It's from Samsung phone?
Avatar
Mistercatapulte 3/9/2019 9:08 AM
yes
9:08 AM
gt-i9060i android 4.4.4
9:08 AM
don't have pwd but arrived to do partial fs (edited)
Avatar
can't get a hit, tried with 5 digits, 5 digits mixed with lowercase characters etc
9:14 AM
can you upload locksettings.db and password.key?
Avatar
Mistercatapulte 3/9/2019 9:14 AM
yeah
Avatar
Your too long hash is maybe a sha1+md5
9:14 AM
I've been sort of meaning to write this for a while, but it wasn't until I was asked for further information on how it works that I actually though that it may
Avatar
You could also just remove password by deleting those files if you flash twrp. I believe there is a working one for i9060i
Avatar
If its 72 characters long (the hash) check above link to split it and crack it
Avatar
Mistercatapulte 3/9/2019 9:16 AM
@Arcain yes it's an option, but i just want to try with this method
9:17 AM
@Kramnias okok
Avatar
3a362fdae0c482c402a650a4751a026f8a57ad03:9fd7b87a800b1095:kassa
👌 1
9:32 AM
hashcat64.exe -m 110 3A362FDAE0C482C402A650A4751A026F8A57AD03:9fd7b87a800b1095 -O -a3 -1 1234567890abcdefghijklmnopqrstuvwxyz ?1?1?1?1?1
9:34 AM
Seems it used Android standard, not a Samsung variant
9:34 AM
Check if it's correct
Avatar
@Mistercatapulte
Avatar
Mistercatapulte 3/9/2019 9:52 AM
@Arcain i test it now
9:53 AM
@Arcain u are the best 😃
Avatar
Mistercatapulte 3/9/2019 10:01 AM
i save the cmd line
Avatar
Good ;)
Avatar
Deleted User 3/9/2019 10:37 AM
Yeah, some older Samsungs used the 'standard' lock format. The J1 was an example of one, I think
Avatar
Mistercatapulte 3/9/2019 10:58 AM
@Deleted User okok thanks
Avatar
Deleted User 3/9/2019 11:46 AM
@Arcain instead of -1 1234567890abcdefghijklmnopqrstuvwxyz, you can do -1 ?d?l 😃
11:46 AM
Little bit neater
Avatar
Didn't know that, thanks
Avatar
Deleted User 3/9/2019 11:46 AM
Np
Avatar
People from Oxygen here? I seek a trial for Oxygen detective. Thanks in advance!😬
Avatar
Andrew Rathbun 3/11/2019 8:46 AM
Their support is pretty responsive. I would suggest giving them a call or filling out a ticket here: https://www.oxygen-forensic.com/en/submit-ticket
Avatar
@Andrew Rathbun Great, thanks for your reply! Will do that!
Avatar
Any idea what I could use to analyze an MTK based feature phone? The one I have is a Prestigio Muze B1, seems to be based on the MT6261 CPU. I have a dump, 4MB in size, UFED doesn't have that model and doesn't extract anything when using the legacy profile (edited)
11:46 AM
I need to get the contacts out of it so I can import them back on a different phone
Avatar
kmacdonald1565 3/11/2019 11:50 AM
potentially XRY. I am not familiar with that particular phone, but XRY has some support for phones based on OS/chipset. You might (MIGHT!) be able to decode a similar model with same OS/chipset and get data.
11:51 AM
@Arcain
Avatar
Hmm, sadly I don't have access to that
Avatar
@Arcain I don't think that runs Android, does it?
Avatar
I had a friend who used "Chinese Phone MTK (Physical)" on that dump and this did not produce any data. I see contacts inside if viewed in a hex editor. I'm able to extract 2 FAT12 partitions, one contains a directory called NVRAM and 2 files seem to have data, one with contact names only, another one with phone numbers only
11:58 AM
Maybe there's a better profile for that in UFED, if so, which one may be worth trying?
Avatar
Try these two chains
12:01 PM
no guarantees but worth a try
12:01 PM
It looks like it's got its own proprietary OS
Avatar
Ok, I'll check tomorrow. Thanks for the tip
Avatar
Deleted User 3/11/2019 11:49 PM
I discovered a relevant image in the folder "clouddrive" on a Huawei device. Does anybody know what app this folder belongs to?
Avatar
my best guess would be: Huawei cloud? https://huaweimobileservices.com/buy-more-storage/
Huawei Mobile Cloud enables users to backup and restore their data and phone settings wirelessly, synchronise and easily transfer data
2:48 AM
does this make sense if you try to cross check this with the app and/or activity of the cloud service?
Avatar
Deleted User 3/12/2019 2:58 AM
Thanks, I will check that once I get the device
Avatar
Deleted User 3/12/2019 3:39 AM
Weird, on the Huawei phone there is no cloud set up
Avatar
Any information on decrypting the messages from Telegram version 5.0.16? I have a file system extraction from an iPhone that I have brought into the current versions of Cellebrite, Oxygen and Axiom but none of them support that version of Telegram (yet).
Avatar
@Deleted User i’ve seen that folder on other Huaweis. Could it be that the user has logged out of his account?
Avatar
@Cellebrite - CAS Support for Motorola XT1921-3 with secure startup ?
Avatar
Deleted User 3/12/2019 6:44 AM
@.karate.: Yes possible, can't really tell anymore
Avatar
@Jay528 not the right channel 😃 but not supported currently.
Avatar
my bad
Avatar
@Deleted User i’m out of Office right now. But I’m pretty sure that I’ve looked into what application use that folder. I can pm you when I’m back in office.
Avatar
Deleted User 3/12/2019 7:12 AM
@.karate.: thanks, that would be a big help!
Avatar
It's my understanding that if you obtain a full file system from an iPhone (GrayKey, CAS, jailbreak) you have access to some files that are not grabbed by a "normal" acquisition that permit you to know in great detail when the user was "interacting" with the device. Is this correct?
👍 2
Avatar
Correct
Avatar
Mistercatapulte 3/12/2019 1:05 PM
If anyone managed to get a FS with Elcomsoft iOS Forensic Toolkit it'd interest me... I always have an error/crash when I arrive at 21 GB of dump
Avatar
Deleted User 3/12/2019 1:30 PM
@Deleted User Hey Chris, I think I saw this clouddrive folder in a Samsung device. I will check this tomorrow. 😃
Avatar
@Jay528 You know of any document/blog post/white paper etc.. that discusses this argument in depth? The reason I ask is because more and more often we are asked to check if someone was interacting with his phone when a car crash happened
Avatar
@FabianoQ PMed you some infos on that.
Avatar
Having access to precise and granular user and application usage can be extremely useful in a forensic investigation, some of which are listed here. I find that pattern-of-life data is some of the most useful information on a device - it really does tell the story about a use...
Avatar
I don't but folks above do
2:28 PM
😃
2:28 PM
can i get a copy as well ?
Avatar
@Kramnias Thank you
3:09 PM
@Dam Thank you
Avatar
I think none of the "big names" (Physical Analyzer, Magnet Axiom, etc....) currently includes the decoding of this stuff in their reports .... or not?
Avatar
randomaccess 3/12/2019 7:04 PM
@FabianoQ axiom decodes some of the data from knowledgec
7:05 PM
PA doesn't to my knowledge. I don't think anyone decodes the powerlog at this time. Sarah Edwards is pretty much at the top of this game
7:06 PM
she has released APOLLO which does a good job of parsing the databases. Alexis Brignoni and I worked on a script that parses the internal plists in the knowledgeC database that will give you some additional context after you process the databases https://abrignoni.blogspot.com/2019/03/ios-bplist-inception.html
Short version: Python 3 script that export compound bplists from a specific field on a iOS knowledgeC database, extracts the internal bpli...
👌 1
12:36 AM
I started filling in the gaps to missing APOLLO modules. While doing this I realized there was some capability that was missing with the current script that had to be updated. As far as script updates go the following was done: Support for multiple database name - Depen...
Avatar
@Dam @randomaccess Thanks, I knew about APOLLO but never tried it because I don't have access to GrayKey, maybe now that rootless jailbreaks are available for various versions of iOS 12 I'll do some testing.. Any equivalent for Android where a physical is quite common to obtain?
Avatar
Don't know about Android and specific files
Avatar
randomaccess 3/13/2019 12:45 AM
Nothing specific in terms of a framework but Alexis has released a number of scripts and Autopsy has some capabilities
12:45 AM
Unfortunately in mobile it truly is a combination of free, paid, and custom purpose built scripts
👍 2
Avatar
@randomaccess Totally agree
Avatar
Does anyone have an article/research on the cache.sqlite database from iOS that contains cached locations? I know there are a few articles about significant locations and the databases that uses. But was looking for one that focuses on the cache database specifically. Have some key points and want to make sure I accurately say how they are created/where they come from. Going to do some of my own testing, but was looking to compare to other research/testing.
Avatar
@Jobbins I found this earlier so this was the first thing I came up with, maybe it helps. Source: Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation, Second Edition, 2nd Edition By Lee Reiber
Avatar
Hi! Do you know where the unlock session is saved in iOS 11? I have the startup in some databases ex: lockdown.log, tracev3... And scans of fingerprint (with other reasons, not identification successfully) but a good password of 4 digits... The log of usbrestrictedmode is interesting but not more precise about the unlocked session...
Avatar
@rico try looking in the knowledgeC db file.
Avatar
I'll try tomorrow... A specific string to look at? (edited)
Avatar
Apple Pattern of Life Lazy Output'er. Contribute to mac4n6/APOLLO development by creating an account on GitHub.
12:12 PM
try this
12:13 PM
it parses it out for you
12:14 PM
or you can look specifically in the modules which are in SQL and you can see what's going on behind the scenes
12:14 PM
this will parse out what you're looking for, or you can pull the .db like suggested and do your thing...
Avatar
Thx! I look inside the Python but don't execute it
12:16 PM
Lol
Avatar
it's safe
🤔 1
12:24 PM
😃
Avatar
Pythons are deadly
Avatar
you have to play nice with the pythons
12:25 PM
Presentation Archives for my OS X and iOS Related Research - mac4n6/Presentations
12:25 PM
here is a link to the file path locations of specific databases
Avatar
I have trouble expressing myself in English.... I believe you for the security of the program. I just wanted to see the values affected
12:45 PM
But thx for your help
12:45 PM
I appreciate it (edited)
Avatar
@Cellebrite - any ETA on when PA might decode iOS 12.2 data ?
Avatar
randomaccess 3/13/2019 2:46 PM
@rico Axiom also pulls out a lot of knowledgeC. Also run through the script that Alexis Brignoni put out a couple weeks ago. Also you need to have a full file system image. If you don't, you can't access this information
Avatar
Trying to find a database in a physical download of an iPhone which stores alarm clock information. I can see via KnowledgeC that the last activity on this phone was alarm clock, I'm trying to show what was done during that interaction (alarm set to what time, alarm turned on etc)
3:27 PM
KnowledgeC represents the interaction with com.apple.clock.alarm but I'm not having a ton of luck googling the answer
Avatar
@Deleted User About the CloudDrive folder: It seems like I didn't examine that one any further in my old dump. But this morning I ran the dump in X-Ways and searched for CloudDrive. And the only valid references to the path were in "com.huawei.hidisk". After loading the apk in jdx and looking at the source, you can see that the application uses that path for storing various bits of information. For ex: "File file = new File(obj + "/CloudDrive/.thumbnail");". But of course, some other application can use that path too.. My advice is to install the application, try out some different scenarios and see what interaction creates the thumbnails..
Avatar
@randomaccess my agency gets Axiom Computer soon... Not mobile. I'll try this database today, I hope to have more information. Thx to all of you
12:07 AM
@whee30 I have a full physical so it's easier to find anything 😁
Avatar
randomaccess 3/14/2019 12:29 AM
@whee30 will pm you
12:33 AM
@rico axioms parse of the knowledgeC events will pull out unlock and lock events
Avatar
I have extracted KnowledgeC. I used the SQL query in the specific script of APOLLO and it's working 😏! Except for the GMT+2... Do the dates in these results include these 2 hours or not?
2:48 AM
Dates with this query are the same as in the table zobject
2:48 AM
But decoded 😁
Avatar
Deleted User 3/14/2019 2:50 AM
@.karate.: Thank you! Looks like my subject at one point in the past used the Huawei cloud service but then apparently logged out. That would explain it!
Avatar
@Deleted User Yeah, when looking into my case i came to the same conclusion.
Avatar
@Deleted User Nice!
Avatar
randomaccess 3/14/2019 4:15 AM
Dates should be in UTC
4:16 AM
@rico also axiom parses computers and mobile out of the box. If you want cloud or command line access you pay extra.
Avatar
@randomaccess I wait for my endowment by my agency (edited)
Avatar
Anyone have issues with Axiom and iOS devices losing the source path constantly?
Avatar
I have this problem but with shadow copy from windows
Avatar
I am not sure if it's due to the evidence being on a server and not on a local drive, but that should not matter since the initial path has not changed
Avatar
Yes - I am also experiencing the source path issue - but all of my evidence is on a local drive and their paths did not change either.
Avatar
Mistercatapulte 3/15/2019 5:24 AM
Hi Folks, I've successfully made a full FS of an iPhone with Elcomsoft toolkit. I have the contact list with numbers (erased). But I have another entry "identity service" with a lot of phone numbers (com.apple.identityservices.idstatuscache.plist). In my memory this db keeps FaceTime, iMessage etc. Why do I find phone numbers in this?
Avatar
Was just going to ask this same thing. Seems when I load my GK extraction into PA I am only getting source identity service for all chat. Contacts have no names, only numbers.
😉 1
Avatar
Mistercatapulte 3/15/2019 6:02 AM
@Cellebrite
6:04 AM
@Ghosted do you have another workstation to test with 7.14 for example?
Avatar
I do, will have to load it up. @San4n6 do you think it could be the server issue, as my device images are on a separate drive for storage?
Avatar
@Mistercatapulte I know the PA group is adding more granular decoding in reference to that dB. I’ve never dealt with it so can’t speak to how / why things end up in there
Avatar
gonna try @San4n6's idea and move one image to my host computer and try and parse. Then I will try the second workstation with 7.14 as @Mistercatapulte recommends
Avatar
Mistercatapulte 3/15/2019 6:07 AM
@CLB-Paul ok Paul, thanks! (edited)
Avatar
@CLB-Paul Thanks
Avatar
@Cellebrite I have an encrypted iOS backup. PA was able to find the password after I gave it a txt file with some passwords. Is the backup password written somewhere in the extraction?
8:09 AM
How do I know which was the good password?
Avatar
The only place I can think of is on the extraction summary page
Avatar
Nothing here
Avatar
@Dam Never happened to me, but have you tried saving a .pas and looking it up afterward with a text editor?
Avatar
@Talizi never tried. I will try when back to office.
10:06 AM
Thanks
Avatar
CloudCuckooLand 3/15/2019 10:35 AM
Does anybody know whether a record in the android database localappstate.db definitely only refers to apps viewed/installed/downloaded to that particular phone? Or can it include apps from the same account on a different phone? I understand it can include apps viewed on PlayS without being downloaded - has anyone tested this behaviour? (edited)
Avatar
question for all the Cellebrite Physical Analyzer users out there.... Has anyone validated the time range filter against multiple different extractions to verify that it's including all data and data without metadata?
10:37 AM
My lab is in the process of doing this and curious as to what others have done for validation
10:37 AM
I know the older versions failed with various applications and data with no timestamps
Avatar
7.12 PA Parsing of a GK BFU
10:41 AM
7.15 PA Parsing of GK BFU
🤔 1
10:42 AM
@San4n6 moving the data to my machine gave me the same results with 7.15 as if it was on my server.
Avatar
@Mistercatapulte Seems the new version is parsing more but I still can't understand the way it is parsing chat/sms/contacts.
Avatar
Mistercatapulte 3/15/2019 10:46 AM
@Ghosted thanks for feedback
10:47 AM
And I don't understand what "instant messages" are
10:47 AM
Just have phone numbers too in this entry (edited)
Avatar
This article will briefly explain methods behind the mobile malware unpacking. It will be focusing on Anubis since it is the latest trending malware for almost a year now. Actors use dropper applications as their primary method of distribution. Droppers find their ways to Goo...
Avatar
randomaccess 3/15/2019 5:02 PM
@CloudCuckooLand I have briefly tested this. Found apps in the record that were on the account but not necessarily on the phone. Not sure if you can say that apps in this db were definitely on the phone or not
Avatar
CloudCuckooLand 3/15/2019 5:13 PM
@randomaccess Thanks - I'm pretty sure it includes apps not (ever) downloaded to the phone. This is based on having records with no 'first_download_ms' time. A few of these have URLs in the referrer field, I guess they clicked on an additional in those cases, opening Play store. My guesstimate is that the db is just for that phone but that any app 'page' in the Play Store adds a record for that app. I'm currently waiting on a physical of a lab phone to test. Will report findings if they're conclusive!
Avatar
randomaccess 3/15/2019 5:14 PM
Sounds good
5:15 PM
I think PA reports stuff in the db as "installed apps" which is incorrect
Avatar
@CLB-Paul regarding that Prestigio Muze B1 I asked about a couple days ago (cheap MTK based feature phone). I tried with both of those chains and no data, except for 1 corrupted image. I can see that it's able to find a filesystem (2 partitions), but doesn't recognize anything useful. Using Hex View I see data that looks like contacts in NVD_DATA/MP0C_003 and MP0H_006 files (edited)
Avatar
I must be missing something very obvious but ... you acquire an iPhone with 4PC and it puts the password "1234" on the iTunes backup part of the acquisition, then you wish to analyze the acquisition also with AXIOM or OXYGEN: how do you tell AXIOM/OXYGEN that they need to use 1234 as password? @Magnet Forensics @Oxygen Forensics (edited)
Avatar
Andrew Rathbun 3/16/2019 7:06 AM
Oxygen usually has a popup asking for the password, in my experience. Not sure with AXIOM. PA will also have a popup
Avatar
PA knows of the password because it is written in the .ufd project file and both AXIOM and OXYGEN accept the .ufd as input but then nothing comes out...
Avatar
Andrew Rathbun 3/16/2019 7:09 AM
Might be worth calling their customer support about and seeing if they have an answer. Or maybe they'll tell the developers to fix this
Avatar
All good! I don’t know the iPhone 4S version of iOS, the extraction was done in Ufed Touch 2, when opening the image, Physical Analyzer requires you to enter a backup password. Please help !!! How to decrypt encrypted backup iPhone Apple iTunes? only Cellebrite products available. Please tell me in which direction I move, I have little experience. Thank!🙏
Avatar
@BorgSl You could attempt to crack the backup password with software like Hashcat
Avatar
Yes, thank you and I study this question.
Avatar
Forensic@tor 3/16/2019 11:16 AM
@BorgSl it is probably the default 1234
Avatar
no it doesn't fit
11:22 AM
1324/12345/123456/1234567/12345678
11:26 AM
I’m still going this way, but it’s a problem for 9-10 and for 11-12 iOS I haven’t
👌 2
Avatar
For iOS 11.4 or somewhere near, you can reset settings on the phone to make another backup without the user password
Avatar
@BorgSl Mentioned that their device is a 4S, so no go on that front. But at least it's iOS 9 maximum so the password won't be as hard to crack as iOS 10 onwards
Avatar
Right didn’t see it’s a 4S. 😓
Avatar
randomaccess 3/16/2019 1:01 PM
@FabianoQ axiom will ask you for it as well.
Avatar
CloudCuckooLand 3/17/2019 4:42 AM
Has anyone researched whether large gaps in WhatsApp messages table Row IDs suggest messages have been deleted?
Avatar
I don't remember it, but once I had a db (iOS 10) near the main db... A copy without direction of communication
Avatar
@rico chatsearchv3.db. Often through this db you can get long time deleted messages, never found an equivalent for android.
6:12 AM
@Magnet Forensics Please Magnet guys, what is the correct way to load in axiom (2.9) an ios acquisition made with ufed that has the default password (1234) set on the ios backup?
Avatar
cScottVance 3/17/2019 6:16 AM
If you select the raw data file from the ufed extraction we should automatically prompt you for the password @FabianoQ
Avatar
@cScottVance You mean the zip file?
Avatar
cScottVance 3/17/2019 6:55 AM
Yes.
6:56 AM
If it’s not, let me know. We can collect the logs and take a look at what’s going on.
Avatar
I'm pretty sure that this is what i did and was never prompted for the password ..
Avatar
cScottVance 3/17/2019 6:57 AM
Sending you a DM.
Avatar
I'll double check
Avatar
@Oxygen Forensics Please Oxygen guys, what is the correct way to load in Oxygen detective (10.4) an ios acquisition made with ufed that has the default password (1234) set on the ios backup?
Avatar
chrisforensic 3/17/2019 8:57 AM
@FabianoQ you have just to select import backup, select the .ufd, and go on... oxygen knows that pass is "1234", see this steps....
8:58 AM
8:58 AM
8:58 AM
8:59 AM
of course, if the backup was made with UFED and you selected to encrypt it
Avatar
@chrisforensic Thanks Chris. This is valid for Oxygen 10.4?
Avatar
chrisforensic 3/17/2019 9:00 AM
as i know this was the same in oxy 10.4
9:00 AM
never had problems to import iphone-backup from ufed
Avatar
@chrisforensic. I tried this many times with different iPhone acquisitions and Oxygen quickly traverses the step in your 2.jpg and outputs no databases nor talks about the 1234 password
Avatar
@Cellebrite Any Cellebrite guy here who can confirm if Physical Analyzer can parse LG phone backups? The one I am talking about is made of 2 files, one with ".LBF" extension and one with ".LBF0" extension.
Avatar
@FabianoQ Try File - Common Plug In - backup - LG see how it works.
Avatar
@CLB-Paul This is what I do, but my backup is made of 2 files (one with ".LBF" extension and one with ".LBF0"); the Common Plug In - backup - LG wants the .LBF and it seems to give the same results no matter if I let it find the second file (the .LBF0) or move it to another folder, so I'm asking what can be missing from the decoding, considering that the .LBF is 650MB while the .LBF0 is 4GB ...
Avatar
Can you add folders where both are in
Avatar
@CLB-Paul I'm not sure i get what you mean..
Avatar
Rather than pointing to the LBF file. Try pointing to the folder it’s in
2:03 PM
+ folder just down and right from LBF
Avatar
@FabianoQ👍
Avatar
@rico Good. Direction of communication sometimes can be inferred through context and attachments
Avatar
Exactly what I'm doing 😇 but this db no longer exists 😭
12:07 AM
I remember: he was one of the biggest and most dangerous dealers in my area with 2 PGP phones and he thought he had destroyed all the evidence 😁😁😁😁
Avatar
chrisforensic 3/18/2019 3:27 AM
hello, maybe someone has a hint for me... PDF export of WhatsApp chat in Physical Analyzer doesn't show the "smileys" ???
3:27 AM
3:28 AM
looks like in exported pdf
Avatar
chrisforensic 3/18/2019 3:51 AM
lool, i found the solution 😂 selected font "segoe ui emoji" in pdf-export-settings
👍 3
3:51 AM
3:52 AM
Avatar
@Cellebrite I have a short window of opportunity to work with Advertisement ID from iOS and Android in a paid database (IDFA). Is it possible to get this ID from old Cellebrite dumps (.ufd files) in UFED PA?
Avatar
Depending on the phone @safenextto
5:08 AM
I’ve seen them in iOS and some android physical extractions
5:09 AM
If you reparse the extraction in new version you might be able to get it
Avatar
Tnx 4 ur answer. Do u know if this is only if u have done a physical dump, or advanced logical 2? And (sorry 4 many questions in first post) do you maybe know if you need to regex it, or will it be indexed?
Avatar
I'm just loading up an Advanced Logical extraction from iOS
5:13 AM
give me a sec, I'll let you know
5:14 AM
and it should be on the Extraction Summary Window
Avatar
Love it
5:14 AM
Tnx
Avatar
@safenextto Android Physical Yes. iOS 12.1.4 no. will have to dig up older extractions if I have any left.
5:33 AM
from logical Android dump
5:33 AM
but that's android 4.0.3...
Avatar
Tnx a million. No need to disturb your day any further, unless u really want to dig in your archive.. I have some dumps myself and can post the results here if anyone is interested. The information provided was really useful!!
Avatar
that's the file that it's stored in, on the Android OS side, so if the data is present, it'll be parsed at the Extraction Summary Window.. I just loaded an iOS 11.4 and it's not there either. It might need a full FS
Avatar
Anyone have issues with the Samsung Galaxy Note 8? I used Cellebrite and a logical extraction. The phone got the SMS and MMS, but failed in the next stage when it tried to grab the media portion. Any suggestions?
Avatar
Question regarding Advanced Logical of an S9 SM-G960U. PA is indicating it can't give me a hash value for this extraction because no reference hash is available. I hash the zip file for the advanced logical and get a different hash than PA is giving. Any idea why I am not getting the same hash?
7:13 AM
Avatar
Has anyone done any analysis on the application “LIKE -Video” or legal authority to the company?
Avatar
@Jobbins We did some analysis some months ago. We also sent a legal request to them, got an automated reply and nothing more. What information are you looking for?
Avatar
@.karate. if there is any information I can locate about the user account this person talked with
Avatar
@Jobbins the DB just contained some generic fields for the contacts: uid, yyuid, name, sex, signature, avatarurl etc. I couldn't find anything more specific about the specific contact than that info.
9:03 AM
The unit I examined was an iPhone. Advanced Logical in UFED. I got both the message db and the contacts db in the extraction.
Avatar
Andrew Rathbun 3/18/2019 9:34 AM
@Ghosted might be a good question for @Cellebrite
Avatar
@Andrew Rathbun Thanks
Avatar
@.karate. I got a FS/Logical on an Android. I don’t see those two databases
Avatar
just wondering, are there any good resources about blob data and extracting them from databases?
Avatar
Andrew Rathbun 3/18/2019 10:55 AM
@RABIDFOX https://www.sqliteforensics.co.uk/, the book by @Paul Sanderson, should have lots of information on the subject
Avatar
yeah, a bit pricey, although I will pick it up at some point as it's got really good reviews and my lecturer keeps talking about it
Avatar
Andrew Rathbun 3/18/2019 12:05 PM
SQLite BLOB work used to be an adventure ... Not anymore! Did you know that SQLite databases can also hold binary data? BLOB fields ca...
Avatar
aaaah thank you so much
Avatar
randomaccess 3/18/2019 2:19 PM
@RABIDFOX Paul has taken a break recently due to personal reasons so I don't think you can buy his tools at the moment
2:19 PM
You can extract blobs individually using the sqlite3 executable from the website
2:20 PM
Git for me to put all my forensics stuff. Contribute to randomaccess3/4n6_stuff development by creating an account on GitHub.
Avatar
Did i just spy a Starlord cosplay ⬆
😁 1
Avatar
SQLite Forensics https://www.amazon.co.uk/dp/1980293074/ref=cm_sw_r_cp_apa_i_r1jKCbVHMPN0H Paul's book is still available. Well worth it
👆 2
Avatar
@OllieD could not be more correct; this book absolutely knocks it out of the park. Buy it, buy a copy for a friend
Avatar
Andrew Rathbun 3/19/2019 5:43 AM
If anyone can find my copy of it I'd appreciate a heads up on where it's at 😋
Avatar
The range of chapters is great. Starts with internal workings of SQLite (b-trees, why pages move around) through to case studies using the sms db from iOS with lots of juicy bits in between
5:48 AM
Whilst you'd get the most value if you have Paul's tools to follow along, it's extremely useful anyway. If you have Oxygen Forensic Detective, the SQLite viewer bundled with it is good as it can be run as a standalone program and handles the deleted data recovery better than its competitors (from my testing). Not as good as Forensic Browser, but the best alternative that's included with existing suites of tools
Avatar
@Forensic@tor I just saw your email. I’m in a meeting and will get you the database names when I get back to my desk.
Avatar
Forensic@tor 3/19/2019 7:53 AM
@sholmes Thanks
👍 1
Avatar
FinalMobile was apparently working on parsing that phone. Nothing else can do a decent job on it.
Avatar
Forensic@tor 3/19/2019 8:10 AM
@Klimosko Alas, I do not have FinalMobile available to me.
Avatar
Final mobile has done a good job with it. But on the MDFA group there are scripts you can use against the databases through other forensic tools.
Avatar
I don't plan on buying it any time soon, lol. There was a conversation last week about the same phone and someone mentioned working with them on it.
👍 1
Avatar
Finalmobile might give you a trial.
Avatar
chrisforensic 3/19/2019 8:13 AM
8:13 AM
hmmm... Final Data Demo just within North America ??? (edited)
Avatar
Lol interesting
Avatar
chrisforensic 3/19/2019 8:15 AM
LE no problem, but I'm from Austria 😂
Avatar
I would still reach out and talk to them. They have been great to work with.
Avatar
Forensic@tor 3/19/2019 8:16 AM
I will reach out.
Avatar
The numbers at the front might be different. I always search for the word portion of the database. I find them in the PA database section. Databases:
passcode db = 2588645841ssegtnti.sqlite
2584670174dsitanleecreR.sqlite for the call log
226660312ssm.sqlite for the SMS
3406066227csotncta.sqlite for contacts
8:44 AM
@Forensic@tor
Avatar
@sholmes @Forensic@tor This document might be helpful too: https://docs.google.com/document/d/1dGiRFZq_iw3HA749o5lYto9OFpWsnPRrMQL2CKh6Yvk/edit
If you are reading this and are expecting to find a nice easy tool to parse your KAI OS extractions you might as well stop reading. KAI OS is a unique operating system. KAI OS uses some data obfuscation techniques that I haven't seen previously "in the wild". Hopeful...
8:59 AM
It's being written by a cop from Milwaukee
9:00 AM
Here is the cheatsheet that goes with it:
Avatar
@OllieD Yep that is the one I used. Thanks for posting it. I didn’t have access to it when I grabbed the file names.
👍 1
Avatar
Does anyone know if someone created a youtube video for the APOLLO ?
Avatar
Forensic@tor 3/19/2019 9:07 AM
@sholmes @OllieD Thank you both
👍 2
💯 1
Avatar
I have a Samsung Tab SM-T580 that I got an advanced logical and file system through @Cellebrite However, PA is not parsing out Google Chrome browsing history. Any ideas on how I can get this without a physical as it is not supported?
Avatar
Forensic@tor 3/19/2019 10:35 AM
@sholmes Well got the messages, just need a way to parse and present it. Have a request into TeelTech to see if they will give me a demo to check it out.
Avatar
@goalguy what's the OS version?
Avatar
I'm not sure if custom recovery will work on 8.1 but to my understanding, Samsung Tab SM-T580 was released with Android 6.0 and is upgradeable to 8.1 therefore it is NOT hardware encrypted.
12:01 PM
Do you have the facility to perform custom recovery or direct eMMC?
Avatar
@Jay528 Sarah has her talk concerning APOLLO from Objective by the Sea on her site, it's a good watch!
Avatar
thanks
Avatar
I've been living and breathing it and similar structured scripts and queries for about the last month on a case, so hit me up if you need a steer or two
Avatar
@Pacman I can do ISP. The @Cellebrite profile for this device has a decrypted bootloader (firmware on my device is too new though) as well as a non decrypting bootloader. Since the device is not hardware encrypted would the non decrypting bootloader work?
Avatar
CLB-Kaminker 3/20/2019 4:06 AM
@Pacman - the vast majority of devices that were released with Android 6 are hw encrypted, and this is most likely the case for all such Samsung devices
Avatar
@CLB-Kaminker is there any option outside of CAS to get a physical on this device? or at least get the google chrome data like browsing history?
Avatar
CLB-Kaminker 3/20/2019 4:15 AM
@goalguy - I think it might be supported in UFED. Did you try it? Do you have the latest UFED version?
4:17 AM
but then again, might not work on the latest firmwares, like you might have experienced (edited)
Avatar
Can someone explain to me why, when I import a logical SIM extraction into PA, the file is always saying "Hashes have been calculated for this extraction but no reference data is available"? How can I verify the hash of the SIM? I use a second tool to hash the folder but it isn't the same hash as PA is showing.
Avatar
CloudCuckooLand 3/20/2019 6:34 AM
@Pacman Is this a thing? I've not heard this before - are you saying a device shipping encrypted with 6.0 cannot be upgraded to 8.1? So the presence of 8.1 means no encryption? I note the S7 doesn't have 8.1.
Avatar
@CloudCuckooLand Not all devices that shipped with Android 6 had hardware backed encryption and not all were encrypted out of the box. You could have a device that shipped with 6 but had now been upgraded that is still not encrypted. Any device that ships with android 7.0 or above WILL be encrypted out of the box and have hardware backed encryption. You might get some dodgy Chinese knock offs that are the exception to the rule but not many.
Avatar
CloudCuckooLand 3/20/2019 8:29 AM
@Majeeko Yep, I understand all of that. @pacman seemed to suggest that the fact it had 8.1 and was shipped with 6 precluded encryption. I'm hard pressed to think of any 6.0+ shipping Samsungs that don't have HW encryption, even the very cheapest. I'd be very surprised if the T580 was not HW encrypted.
Avatar
has anybody had experience with TikTok? I have a Samsung Note 9 which I can only get an android backup/logical from, and found a bunch of cached images which I think might be from the TikTok application.
9:43 AM
specifically the files are located in the /sdcard/Android/data/video.like/cache/fresco_cache/v2.ols100.1/63/ folder. I have googled video.like and fresco_cache with no luck. Before I dive in and start testing, I thought I would ask y'all.
Avatar
@CloudCuckooLand okay, my bad then. In theory it's possible but like you, I can't think of an example.
Avatar
Ok videos were determined to be from the LIKE Video- Magic Video Maker & Community application, not TikTok. (edited)
Avatar
If anyone is interested, TikTok videos and images are located in the cache folder associated with com.zhiliaoapp.musically
✌🏻 3
👌 3
Avatar
Anyone have a way to parse SMS / Chat logs from a GK extraction. Last five phones I am not getting them to parse in PA or Axiom.
Avatar
Trying to figure out why an iPhone, using iMessage under iCloud account "A" has what appears to be a complete conversation between two parties. Then checking an iPad under the same iCloud account has almost the whole conversation? Missing key messages from the iPhone on the iPad
1:03 PM
sms.db in the iPhone says is_delivered=1
1:03 PM
for the specific message
Avatar
Hi all, the following lines are from a UFED PA extraction summary. I am new to UFED. The oldest files in the data partition are dated 21.07.2016. These lines mean that the phone was factory reset on 21.07.2016 in my opinion, am I right? What can the previous recovery events be? There is no phone activation related to them. Thanks.
OS Version 6.0.1 SYSTEM (ExtX)/Root/build.prop : 0x132 (Size: 5353 bytes)
Phone Activation Time 21.07.2016 00:50:05(UTC+0)
Recovery Event 21.07.2016 00:45:57(UTC+3) CACHE (ExtX)/Root/recovery/last_recovery : 0xDCE7C (Size: 956730 bytes)
Recovery Event 21.03.2016 07:48:42(UTC+2) CACHE (ExtX)/Root/recovery/last_recovery : 0x9AB83 (Size: 956730 bytes)
Recovery Event 09.10.2015 04:17:51(UTC+3) CACHE (ExtX)/Root/recovery/last_recovery : 0x49069 (Size: 956730 bytes)
Recovery Event 28.05.2016 17:15:46(UTC+3) CACHE (ExtX)/Root/recovery/last_log.2 : 0xFC (Size: 105316 bytes)
Recovery Event 22.11.2015 11:49:45(UTC+2) CACHE (ExtX)/Root/recovery/last_recovery : 0x6B4A0 (Size: 956730 bytes)
Recovery Event 09.03.2016 16:00:06(UTC+2) CACHE (ExtX)/Root/recovery/last_recovery : 0x81F18 (Size: 956730 bytes)
Recovery Event 29.06.2016 06:05:45(UTC+3) CACHE (ExtX)/Root/recovery/last_recovery : 0xCC0FE (Size: 956730 bytes)
Avatar
@whee30 it appears to sync messages but doesn't delete from all sources
1:06 PM
it is covered in Heather M's book
1:06 PM
I had to read up on it earlier in the week in case they asked that question
Avatar
@Jay528 practical mobile forensics?
Avatar
cool - I'll give it a look, thanks!
Avatar
iOS chapter
1:07 PM
you got lucky with the iPAD !
Avatar
@yivlik When was the model first released? could be 22-11-2015?
2:32 AM
@yivlik sorry *09-10-2015
Avatar
@Goovscoov 17 october 2014, in my country
Avatar
@yivlik An explanation could be files with a created date from the assembly/testing process. But not entirely sure.. just an assumption
Avatar
Can I ask a Cellebrite PA query please.. on a report in device information, there is a field for 'SIM change operation'. Can anyone provide me an explanation of what this shows please? The result showed 3. I have an idea but can't find an actual explanation..
Avatar
There's official documentation on the Samsung website somewhere... let me dig through my notes @monkpete (edited)
💯 1
6:51 AM
From that, 3 means: int SIM_INSERTED New SIM card is inserted into the device, which previously had no SIM card
Avatar
@K23 many thanks for that info..appreciated
Avatar
I've got a CellAllure Cool s2. Looks like it is factory installed with Android 6.0 so I did a chip-off assuming there wouldn't be any encryption. When attempting to decode in UFED PA I'm not getting all the DBs. Any ideas? I'm using the Generic Android Chain. I've also tried the Android MTK MMC with same results. I feel like I'm missing something here.
11:15 AM
I should note I can see a lot of data... but not much useful user data.
Avatar
Have you tried loading the dump into a data recovery software, like r-studio or at least testdisk? Scan for lost partitions maybe.
Avatar
No I haven't done that
12:06 PM
I've loaded the bin in Magnet Axiom and I'm not seeing much more than what I have in UFED
12:06 PM
I've even tried looking for .dbs to see if I need to manually decode them
12:08 PM
it's segmented into like 20 partitions...the whole thing is weird
12:09 PM
Avatar
Anything in userdata if you look inside? FTK sees it as ext4 so should be fine.
Avatar
yeah
12:11 PM
but it looks like generic stuff...the images are all known files etc
Avatar
I found firmware file and decompressed boot.img. There's a "/dev/block/platform/mtk-msdc.0/11120000.msdc0/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check,resize,encryptable=/dev/block/platform/mtk-msdc.0/11120000.msdc0/by-name/metadata," in fstab
12:13 PM
And also "/devices/mtk-msdc.0/11130000.msdc1* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata"
Avatar
so the user data is encrypted?
Avatar
Could be, but then you shouldn't be able to see a single userdata partition formatted as ext4, I think. I haven't dumped many encrypted MTK so I'm not sure really (edited)
Avatar
That's what I was thinking
12:15 PM
usually I get nothing
12:15 PM
but at a glance it almost looks like a phone after factory reset
12:15 PM
in terms of what didn't come out
12:16 PM
Avatar
It looked like a phone with generic DA, so it would be best to try dumping it via software first, then maybe decrypting MTK in UFED. Now it's a bit late to check this out
Avatar
Yeah it's kind of too late for that. The device was locked with no other means of bypass that I could find
12:17 PM
So chip-off was really my only option to see what there might be to see
Avatar
No other way, for MTK, with generic DA? SPFlashTool should be capable of creating a dump in such case
12:19 PM
Maybe it is just empty. Check in the system directory on the userdata partition if you see .key files, for password
Avatar
generic DA?
Avatar
download agent, they are often bundled with SPFlashTool, or the firmware file if they're signed
Avatar
ah
12:21 PM
Will have to keep that in mind in the future. Phone is already chipped
Avatar
To dump an MTK phone you need SPFlashTool, the correct download agent, scatter file and preloader. For this one, software and firmware are available on the vendor website. I think UFED should also be able to dump it
12:22 PM
Just check the content of system directory for stuff like password.key
12:22 PM
If it was set, you should see it in filesystem
Avatar
gatekeeper.password.key
12:23 PM
gatekeeper.pattern.key
Avatar
both present, with some data and not 0 bytes?
Avatar
password.key is 0 bytes
12:25 PM
pattern.key is 1byte
Avatar
so its prolly running 5.1
Avatar
The site says it's 6.0
Avatar
gatekeeper is for 6.0 and above
Avatar
but it's probably heavily modified
Avatar
Firmware file from their website is 6.0
Avatar
gatekeeper is empty though
12:31 PM
I'm doing another physical extraction at a slower Mhz to avoid any possible errors. My first rip had several errors and restarts before it finished. I'm hoping maybe I just missed something. Otherwise I can't see where there is any other user data to be found
Avatar
Worth a try, but I think FTK Imager doesn't handle loading corrupted dumps all that well, and if yours loaded fine then it might be all right
12:37 PM
Those fstab entries I pasted above suggest that the phone is not encrypted by default. It's up to the end user to activate it
Avatar
CloudCuckooLand 3/21/2019 12:43 PM
@Beefhelmet I had this recently. It's a problem with PA, it doesn't properly decode the User Data partition if it isn't the last partition. I couldn't find a way around it with any existing chains. Best thing to do is open the image in FTK imager and export the partition data (the binary, not the FS) and import that as the disk image. It will decode it properly. Cellebrite needs to implement a thing to manually point out the UD partition where PA cannot identify it automatically. (edited)
Avatar
Awesome I'm gonna give that a shot. You know that makes a lot of sense though. Because there are two user partitions but I'm only seeing the first one in UFED
Avatar
hmm looks to be the same
12:55 PM
I exported the user partition > .dd
12:58 PM
Yeah doesn't look like it's parsing any new data that way
Avatar
CloudCuckooLand 3/21/2019 1:09 PM
Bizarre. The device I had was a Chinese android mtk. The partitions were just like yours. Tried doing that with a generic profile?
Avatar
This partition layout is rather typical for MTK
Avatar
CloudCuckooLand 3/21/2019 1:10 PM
Btw, what do you mean there are two UD partitions? I only see one
Avatar
randomaccess 3/21/2019 3:40 PM
Updated our iOS knowledgeC parser to decode the protobuf NSData blocks. If you have access to the database, export it out and run it through with this, especially if tools like Axiom identify important interactions with the phone https://github.com/abrignoni/iOS-KnowledgeC-StructuredMetadata-Bplists/tree/master
Scripts to extract compound bplists in the iOS -> KnowledgeC.db -> structuredmetadata table. - abrignoni/iOS-KnowledgeC-StructuredMetadata-Bplists
👍 1
Avatar
Just for those that don't know or don't look at the multimedia channel, there has been a recent integration of @iNPUT-ACE with Cellebrite Analytics. You can view mobile / computer data and now CCTV all together.
💯 2
Avatar
Thanks @CLB-Paul We've been thrilled to see the responses and impact this new integration is already having. There is a joint webinar with Cellebrite and iNPUT-ACE next week about driving an investigation through time sequenced mobile and video data. Hope you can make it! https://lnkd.in/gTm6TRB (edited)
Avatar
@CloudCuckooLand @Arcain Sorry I got busy yesterday. I was mistaken about the two UD partitions, I had glanced at something else earlier in the day.
Avatar
Looking at it, all the usual stuff is there in terms of mmsms.db they're just empty. No call log, no contact list. The images and videos all look like default application stuff. If I was just looking at the data having never seen the phone, I'd say it was a factory reset phone. There was a pattern lock enabled on the device and that's reflected in the locksettings.db
Avatar
Maybe it is what it is, just a nearly empty device
6:18 AM
There is a way to recover some data prior to factory reset, directly from NAND chip inside eMMC and the fact it's not encrypted by default could help here.
Avatar
Do you mean the NAND inside the proc?
Avatar
Inside the eMMC, bypassing controller.
Avatar
CloudCuckooLand 3/22/2019 9:11 AM
@Beefhelmet are there DBs in user/0/ CE and DE? Possibly encrypted ones?
Avatar
User is empty actually
9:41 AM
one file "0" that has no data
9:42 AM
userdata/root/user
9:47 AM
the vast majority of size of the partition is the unallocated
9:53 AM
I think it's just empty...the userdata partition is only 642MB of logical data
9:54 AM
in a 14GB partition
9:55 AM
is it worth doing a full carve?
Avatar
You said you've loaded it in Axiom and it didn't find much more. I think it's carving for stuff by default.
10:11 AM
If it's really after factory reset then from my experience you won't be able to find much more that way
Avatar
Hi all ( @Cellebrite in particular), I have acquired a Samsung SM-N950F (Galaxy Note 8) with Android version 9 and patch level 01/02/2019. With the latest UFED4PC I made a Logical, a Filesystem->android backup and an APK downgrade. With the latest PA I made the analysis and there is a problem with WhatsApp: all voice notes (.opus files) are listed in their relative chat as "missing" (if you click on the attachment to listen it says the file does not exist), but if you search the file name with the search function it's found two times (in the "chat" and "files" categories), and if you go to the file it's where expected and fully functional. This happens for more than 600 .opus files. Is anyone experiencing a similar problem? (edited)
Avatar
@Arcain I PM'd you but I know discord does an awful job of alerting you to it
Avatar
@Fabiano The problem is, UFED analyses the extractions separately and merges only the results. (edited)
💯 1
Avatar
chrisforensic 3/24/2019 7:11 AM
@FabianoQ had the same problem with attachments in chats. @Karlsson you are absolutely right - thanks for the hint! Tested a little bit... here is my solution for the problem 😉 (edited)
7:11 AM
extract AB and apkdowngrade results into one folder
7:11 AM
import this merged folder this way... select button "folder" to import... (edited)
7:12 AM
yessss 😃 chat with attachments here 👌
Avatar
Mistercatapulte 3/24/2019 9:33 AM
Hi guys, what is the bplist to know if an iPad has been reset? (Does a reference listing all bplists exist?) (edited)
Avatar
Hello, I have a new extraction (not mine) and no access to the iPhone. I haven't got defaultchat.plist but I have primary. Object (for Snapchat). Anyone know how to restore chat with... Unique File
Avatar
chrisforensic 3/25/2019 1:23 AM
hmm, anyone out there who can give me advice on how to interpret "timestamps" of thumbnails? I often see false data....
1:23 AM
1:24 AM
how is this data created, because of a false time?
Avatar
Mistercatapulte 3/25/2019 1:43 AM
@chrisforensic hi Chris, is it deleted data?
Avatar
chrisforensic 3/25/2019 1:48 AM
no, not deleted, but the original photo is no longer on the phone (edited)
Avatar
Mistercatapulte 3/25/2019 1:51 AM
picture deleted, yes; maybe WhatsApp doesn't have data about the original picture, or the picture was created with a false timestamp, no?
Avatar
chrisforensic 3/25/2019 1:58 AM
hm, there are many pics with the same created and modified dates, everything is possible 😐 (edited)
1:58 AM
maybe ios related?
Avatar
Mistercatapulte 3/25/2019 1:59 AM
Or maybe the phone doesn't have a good timestamp
1:59 AM
When he took photos
1:59 AM
False date in whatsapp
1:59 AM
All is possible I think..
💯 1
Avatar
chrisforensic 3/25/2019 2:00 AM
Avatar
Mistercatapulte 3/25/2019 2:05 AM
Yes, now it's up to date, but when the pictures were created maybe the date was false
Avatar
What do you usually use to extract content from .ab files? I use Andriller but would like to know alternatives
Avatar
UFED & XRY both work for them too. (Only ever manually done it with XRY mind you, but fairly certain it's supported by UFED too). Think they work with all major tools @FabianoQ
Avatar
@K23 Hi, if you are asking about .ab file contents I should have been more specific; my question was just about tools able to extract the files that are packed into an Android backup, not make a full forensic analysis of it, something like "android-backup-extractor" https://sourceforge.net/projects/adbextractor/ and similar..
Avatar
been looking at \apps\com.google.android.apps.maps\f\DATA_Preferences as magnet picked up some coordinates and was wondering what the relevance of the names are here
Avatar
@FabianoQ Ahh, missed your point there. Can't say I've needed to do anything for that, if I wanted the files I probably would have just exported them from the forensic tool itself, but if that's not an option then I'd probably look at something like the tool you linked. Sorry that wasn't very helpful!
Avatar
@chrisforensic I can confirm it works 👍
✌ 1
Avatar
@Forensic@tor I would love to know this as well. It is my understanding that it can't be done, but I would love to be wrong here!
Avatar
Forensic@tor 3/25/2019 3:59 PM
@sholmes I read an interesting article earlier and will have to explore a bit tomorrow. Will post it when I get back to the office. (edited)
👌 1
Avatar
In IOS, there's a database "com.apple.MobileBluetooth.ledevices.other.db". The table "OtherDevices" contains a field "LastSeenTime". Anyone know how to decode that field? The values are like "10686763", "10686803"
Avatar
is it not epoch time @.karate.
Avatar
Mistercatapulte 3/26/2019 5:04 AM
weeks i think
Avatar
from 2001 ??
Avatar
Mistercatapulte 3/26/2019 5:05 AM
i saw it in CASA
Avatar
oh yeah i see what you mean now
Avatar
@Mistercatapulte @RABIDFOX Please enlighten me. I can't see anything 😄
Avatar
Mistercatapulte 3/26/2019 5:08 AM
i have to find my CASA book....
5:09 AM
@cibath do you remember what the explanation is?
Avatar
The more I look into it, I think that the value is just seconds from a predefined start date. But where is the start date then?
Avatar
Forensic@tor 3/26/2019 5:22 AM
SecurityXploded is an Infosec Research Organization offering 200+ FREE Security/Password Recovery Tools, latest Research Articles and FREE Training on Reversing/Malware Analysis
👍 2
Avatar
@.karate. it should be seconds since 1/1/2001
6:06 AM
=(((A1/60)/60)/24)+DATE(2001,1,1) is what I did for an Excel sheet
6:06 AM
to convert an entire .db
Avatar
@.karate. but there again I don't think that value is an actual timestamp
6:10 AM
at most it's only 5 digits
6:10 AM
cellebrite doesn't see it as a timestamp
Avatar
Does anyone know how to identify when an iPhone last applied a software update? I can see in the time line that communication to the update server happened but need to know if and when it was applied to that device. I have a fairly extensive download of 80gb to go through which wasn't done in PA.
Avatar
@Beefhelmet thanks. No. It's no real timestamp. But when I add it to other timestamps I find in the setup DB:s (as unix timestamp + value) the result converted to date is close to the dates I'm investigating. So I'm quite sure that my previous assumption that the values are seconds from a specific timestamp is correct. I just need to figure out what timestamp is the correct one 😊
Avatar
Date decode from Sanderson Forensics can help
Avatar
Trying to establish a good method to determine the user/users of a mobile phone. Does anyone have any tips/methods they use and would like to share? I have made an overview of different factors obtained from different acquisition methods on different systems, like activation time, time zone, MSISDN, Bluetooth Device name/Phone Name, registered users/user accounts etc, analyze the communication, media.. Anything else that should be considered in this type of analysis?
Avatar
@Eli something that is sometimes forgotten is surf-patterns. If you analyze the websites and in what order they are visited, you will often find patterns. People tend to surf the same sites, and often in the same order. And also use the same kind of applications. If you have multiple sources you could make something out of it.
Avatar
@.karate. Thank you! I will add that to my list
Avatar
What app / process would write a series of JSON formatted files with a .syn extension to an SD card of a Galaxy S6 and store them in a SncrOtgResponderMTP-[UNIX DATE] folder? I am familiar with USB OTG and the MTP protocol, but this appears to be an application driven sync or backup.
Avatar
@BSOD grep for the string "SncrOtgResponderMTP" in the dump and maybe you could backtrace it that way. I had the same problem with another strange folder on an SD card. After grepping and getting some hits on a specific .apk, I decompiled the apk and that way I could see when and how the folder was created.
👍 1
Avatar
@.karate. Great suggestions, I will give that a shot.
Avatar
@Forensic@tor I just read that article. That is pretty dated as it talks about new version of Windows 7. I wonder how accurate it is now? Did you try anything with this data?
Avatar
@.karate. saw your post from yesterday; it's Mac absolute time stored in UTC, epoch is 2001
Avatar
Forensic@tor 3/27/2019 11:39 AM
@sholmes It is dated. I have not tried anything as of yet. Working on another issue right now, but will circle back to it.
👍 1
Avatar
received an Android 8.1.0 tablet which had been factory reset and set back up. The physical extraction summary shows the Phone Activation Time as 2/7/2019. I believe CB gets this date from the SetupWizardPrefs.xml, which shows a created/modified/accessed date of 2/7/19. Is there any file which can indicate when the device was wiped? (edited)
Avatar
check the dates of the databases found on the tablet
1:15 PM
it should have the dates around 2/7/19
Avatar
yes many do have those dates
1:17 PM
Which would confirm the date the device was setup again, but not necessarily when the person wiped the phone. Right?
1:18 PM
Or am I making it too complicated.
1:18 PM
I don't necessarily need the date, but if I can show he wiped it right before it was seized, it would be nice.
Avatar
I can only say for iOS devices that the obliterated file is before the dates of the database files found on the device
1:18 PM
I'm not 100% sure about droids
Avatar
exactly what I was looking for.....the Android version of the obliterated file. 😃
Avatar
it looks like the "SncrOtgResponderMTP" folder was temporary cache for an AT&T Mobile Transfer app. Thanks for the suggestion @.karate.
👌 1
Avatar
@Krisaytha Wow! Thanks for the input!
Avatar
@MSAB I try to open an XRY file and it says that the case is open in another program. I restarted the computer, closed everything and same problem. Any solution?
Avatar
Try right clicking "Run as administrator"
Avatar
@Dam it seems surprising to me
4:52 AM
most often this message appears when an XRY file is already open in XRY or in XAMN. The same file can't be opened in parallel.
4:53 AM
I would suggest calling or writing an email to my support
4:53 AM
Phone: +46 8739 0270
4:53 AM
support@msab.com
4:55 AM
@Busta thanks for your help 😃
Avatar
I will try as administrator and then call the support
Avatar
@Dam
5:39 AM
Unfortunately that error usually means that the file has become corrupt and will no longer open.
5:39 AM
😦
5:40 AM
answer from my support... You can still contact them 😉
Avatar
🤔 it’s possible because the app crashed during the first opening.
Avatar
@Dam It’s very possible, did it crash during decoding or during opening? Do you have any more info on the crash itself?
Avatar
During opening. The extraction and decoding were already finished
6:20 AM
The XRY window just froze
6:20 AM
And when I tried to reopen it says already open. Even after reboot or copy-paste
6:21 AM
I can open in xamn but not in xry. I need the cloud 🤔
Avatar
Aha so froze after the extraction was completed and the file was to open in XRY? I think the cause must be that something happened with the file at that point so that XRY no longer can open it. Best I can think of would be to try extracting the device again if possible as some sort of corruption has likely occurred
6:26 AM
Strange that it opens in XAMN however... 🤔
Avatar
I will do another extraction. I think it’s better. Don’t like to work on a corrupt file
6:31 AM
Thanks for the help 👍🏻
👍 1
Avatar
This is a new category for me in terms of analyzed data. What is extracted here? This is from an iPhone 7 (advanced logical acquisition) (edited)
7:54 AM
this is from UFED PA, sorry forgot to mention
Avatar
I've seen that on older iPhone / iPad physicals back in the day, back then it related to Skype I believe (Long time since I've done one of them so memory may be wrong)
Avatar
Anyone with access to GrayKey? I would like to ask a question about an iOS file.
Avatar
Igor Mikhaylov 3/28/2019 12:38 PM
@Goovscoov They are IPs of Wi-Fi routers
Avatar
what does psi.sqlite do?
Avatar
@RABIDFOX what OS, what's the relative path, what's in it? What's the schema? Any triggers, etc
Avatar
@Krisaytha it's an Apple iPhone 5; it's in photo data/caches/search; it has months, years and lots of locations in it
8:42 PM
that's the other tables
6:03 AM
disregard
6:03 AM
got an error indicating i ran out of memory
Avatar
How much memory do you have on your machine to run reporting? I have 64 GB
Avatar
another question: I was looking at the downloads 28 databases hex in X-Ways and I found WhatsApp mentioned, which wasn't mentioned in the database when I looked at it in SQL, and there's an event time; would this correlate to a download?
Avatar
I'm trying to make sense of some location information. I have GSM tower information with the LAC and CID from the herrevad db. The phone is on the Verizon network. Any ideas why that would be other than switching carriers?
Avatar
Anyone have a rough idea what Facebook_Stub is? Noticed it took my workstation 16 hours to parse that on an A520F through UFED PA, which is a bit crazy for a 30 gig physical
12:16 AM
Especially as the file path for that is only 217kb!
Avatar
According to this it's a placeholder for Facebook that comes preinstalled on some phones to allow users to easily download FB by clicking the link, so there shouldn't even be any user data there: https://thenextweb.com/finance/2019/01/09/no-samsung-isnt-pre-installing-facebook-on-your-phone/
Avatar
I have to describe the Simcard.dat file. Has anybody a reference where this file is explained somewhere so I can add this to my description?
Avatar
@Goovscoov Not really a description or reference.. but an observation on simcard.dat. I did a file last week. Galaxy S6. No SIM card present. Phone clock was reverted back to Jan 1st (probably due to battery power loss). I did 2 separate extractions. Physical at 08h00 AM. File system at 08h00 AM 6 days after. Took a look at both simcard.dat files. The second to last "field" is called simchangetime. For my physical it was 01/01 14h22. For my file system it was 01/07 14h22. So the field (in unix timestamps) was 6 days later. So my guess would be that this field acts like a clock moving on. Maybe because the phone was reverted back to Jan 1st, the timestamp field kept updating its time. So just be careful if this field is of importance. It's also in the UFED report under extraction summary/device info/ SIM change time.
Avatar
Before I contact support - just curious if anyone else is experiencing a similar issue with Axiom (I hate hearing "you're the ONLY one that's having this issue"). I open Axiom Process - enter my info, select the iOS image I would like to import, but when I click Analyze Evidence - the program hangs. Examine doesn't open, nothing happens (I've waited up to 30 minutes and eventually end task). I've uninstalled and re-installed but it continued to happen. Today I upgraded to 3.0 hoping that would solve the problem but it didn't. I'm running it on a Windows 10 machine with 256GB RAM with no substantial changes to my computer from when Axiom was working until now. I've tried importing different images to rule out a problem with a particular file system - but still get the same results.
Avatar
Is this a Quick Image or a GrayKey image?
Avatar
GrayKey
Avatar
I just added one on 3.0 yesterday afternoon with 35 students in class and the quick image worked for all 35 on I7 laptops 16GB Ram in about 10 minutes
6:51 AM
Ok that might change things, Let me get my Mobile guy to reach out @cScottVance
6:52 AM
He is very aware of GrayKey images and AXIOM
Avatar
I haven't had any issues with GK and Axiom until last week - and can't figure out what may have happened with my computer to change things. I'll contact support - I was just curious if others were experiencing a similar problem
Avatar
how large is the image?
7:01 AM
the image
7:01 AM
is the hanging happening after you select the zip before it displays the content of the zip?
7:01 AM
I expect a delay there and it could be substantial depending on the size of the device
Avatar
I understand as I've imported many GK File systems with success - but in every (previous) case, Examine opened immediately regardless of the file size - but now it's not. I've tried to import files ranging from 1GB - 20GB with no success, so I don't think it's the size of the file.
7:06 AM
It hangs after I select Analyze Evidence
Avatar
Sounds like an issue then. At that stage it's enumerating files but it should still show progress. Reach out to support and feel free to reach out again to myself or @cScottVance if you run into anything else.
👍 1
Avatar
@Jamey thank you
Avatar
AND @cScottVance is really WWWWAAAAAAYYYYYYY more capable at mobile than I.
Avatar
hey guys, I'm looking at consolidated.db and the coordinates keep putting me somewhere below Africa, which is wrong, so is there a certain way of interpreting them? Maybe I'm doing something wrong
Avatar
william beaux 4/2/2019 5:51 AM
i conducted a chip-off from a galaxy j3 and i want to bring the .bin into PA - is there a preferred method for importing a .bin?
Avatar
Andrew Rathbun 4/2/2019 5:54 AM
@william beaux file, open (advanced), blank project, switch chain, type in the profile you want to run against the bin, then point the file system dump to the .bin and hit finish and let it ride
Avatar
Echmyre[FORENTECH] 4/2/2019 5:54 AM
@william beaux open advanced / select device / choose the right one
Avatar
william beaux 4/2/2019 5:57 AM
I was once told to bring in chip-offs as JTAG - is that no longer recommended?
Avatar
Andrew Rathbun 4/2/2019 5:59 AM
Honestly, you can try whatever profile you want to throw against it. You could do Samsung Generic - Physical, you could do the device specific profile, you could do Generic Android - Physical, you could try the JTAG one you were told once. Trial and error but the obvious choice would be the device specific profile for the physical dump, if one exists.
👌 2
5:59 AM
You're welcome to open up multiple instances of PA and throw a different profile at the .bin to compare and contrast
Avatar
william beaux 4/2/2019 6:01 AM
this was a chip off from 2016 - pushing it back through to see if we missed something back then before it goes to trial next week. thanks for the input
💯 1
Avatar
Interesting road to go down when re-running old extractions. It's probable more data will have been decoded since the original extraction due to software advances. We had a few cases at court that were jumping back and forth in this style, which is always fun
Avatar
chrisforensic 4/2/2019 7:39 AM
hmmm... maybe someone has an answer 😃 (edited)
7:39 AM
7:41 AM
how should i explain this in court?
7:41 AM
such dates should NOT be in a report created with UFED Reader out of a .ufdr
Avatar
I have seen many troubles with timestamps using UFED
Avatar
@chrisforensic aside from the possibility that the displayed timestamp is wrong, or that the phone's clock was set up wrong and it's just a coincidence that the date is the same as the report generation: when was the phone extracted? Could the thumbnail have been created by the phone automatically, while the phone was running during extraction?
Avatar
@chrisforensic never mind, my colleague just noticed that the filename of the timestamp translates to 13.01.2018, so there must be an error with the displayed date
Avatar
What kind of file manager are you using on the bottom screenshot? What's the nopopup.txt file?
8:16 AM
just curious
Avatar
No popup is when you create a UFED reader and you don't want the advertisements/features popping up when someone opens the UFDR file.
👌 1
Avatar
chrisforensic 4/2/2019 9:08 AM
nopopup.txt is created automatically when the .ufdr is exported
Avatar
It's an option in UFED PA settings. There is no content in the file. It's just an empty text file which Reader looks for.
Avatar
Cellebrite hash question. I have done a logical, file system, and physical extraction of the device, and a logical of the SIM. My issue is that the hash for the advanced logical says hashes have been calculated but no reference data is available. I get the same hash for both the advanced logical of the device and the logical of the SIM; why is that?
Avatar
CLB-TheGeckster 4/2/2019 10:52 AM
@Ghosted It's a known bug that is being fixed.
10:52 AM
On a logical, PA is hashing an empty (0b) file, where it should be just saying no hash available
Avatar
@Cellebrite Please can someone from Cellebrite DM me?
Avatar
@CLB-TheGeckster thank you for the answer, appreciate it. What is the reason for logical files not being able to be hashed?
Avatar
CloudCuckooLand 4/3/2019 3:11 AM
Any ideas how to decrypt a Windows Phone 10 image with Bitlocker? I understand you can download recovery keys from the oneDrive account - can that decode the Userdata or is it just the mainOS partition? Or both? There are some deleted blob files called Key.blob and recovery.blob in the EFIESP partition, I don't know the structure of the blob file though.
Avatar
Adam Cervellone 4/3/2019 5:55 AM
Good morning all! I have a question for the Axiom users here. When working with iPhones do you find that Axiom does a better job when given a UFD or Zip file from a Cellebrite Advanced Logical extraction or if Axiom does the extraction itself?
6:00 AM
I did one yesterday with the latest version of 4PC and just pulled it into Axiom 3.0.0.13714 this morning. I was underwhelmed by what was parsed in Axiom but I know there is a ton more data in the extraction based on what PA parsed. I'm wondering if a re-extraction of the iPhone (iPhone 5S running iOS 10.3.2) would give better results. I would love to hear from anyone at @Magnet Forensics as well!
Avatar
CloudCuckooLand 4/3/2019 6:15 AM
Anyone with access to an LG running Android 6.0 - is the filename convention for thumbnails in DCIM/.thumbnails/ always [millisecond Unix time].jpg?
Avatar
@CloudCuckooLand On 7.1.2 it is. On 6 I don't know.
👌 1
Avatar
CloudCuckooLand 4/3/2019 6:32 AM
@.karate. good enough for me!
Avatar
LG-H790 screen:
6:33 AM
Avatar
anybody have experience with (or know where to find details about) com.apple.identityservices.idstatuscache.plist? I have some call records being parsed out of this file, but not showing details such as incoming/outgoing/duration of call. I suspect possible FaceTime records.
Avatar
CloudCuckooLand 4/3/2019 7:08 AM
@.karate. Thanks v much! EDIT: Just realized that this is standard android behaviour... Duh!! (edited)
Avatar
Anyone use Oxygen/Axiom/Cellebrite if so can you dm me I have some questions about Oxygen however you would have to have used the other two products to answer my questions. Thanks.....
Avatar
Beefhelmet 4/3/2019 7:26 AM
Our crime analyst is pestering me about looking into some analytic software to use with cell data we pull down on various cases. Does anyone have good experience with something like Cellebrite Analytics. I demo'd it a few years ago and it seemed very...unhelpful for what it does. I'm just trying to come up with a concise answer to pass along to other higher ups. Initially my thoughts are that the vast majority of data I pull down is junk and interconnected analytics only apply in just a few handfuls of use-cases for us. Feel free to DM me or let me know if I should ask elsewhere.
Avatar
@Beefhelmet what kind of analytics is your analyst looking to get? Do you mean straight out of UFED extractions?
Avatar
Beefhelmet 4/3/2019 8:00 AM
probably something like that. I'm not sure how that really helps what he does. I also wonder what the legal implications might be of keeping a database of stuff like that
Avatar
Afternoon all, Has anyone come across Facebook Messengers threads_db2 database and noticed the thread_key 'montage:xxxx'. Does anyone know why or what the montage element is referring to?
Avatar
Hi guys On ps4 can we find the history of usb connections (smartphone in mass memory)?
Avatar
CLB-TheGeckster 4/3/2019 10:46 AM
@Ghosted It kind of is - the individual files will be hashed and the respective hashes show up in PA when you load the extraction, but there isn't one particular "thing" to hash in a logical; there is a bunch of files and folders and an HTML report, as opposed to a file system or physical, which will hash the zipped file or .bin, respectively - something you can hash and rehash for verification.
Avatar
@CLB-TheGeckster Makes sense thank you
👍🏼 1
Avatar
@Adam Cervellone what would you like to talk about. Feel free to reach out to any of us. We would love to know what you found based on your comparison of tools if you also did side by side with another tool.
Avatar
Hello, good morning. Does anyone have a document comparing the functionalities of the MSAB toolset to that of Cellebrite?
Avatar
Does anyone know where I would find an SMS message that was created but not sent under Android's native SMS messenger? I assume it is saved as a draft somewhere. I used Cellebrite for extraction and parsing of data. I can view the message on the device, so I know it exists. Thank you for any response.
Avatar
@Paul1775 you can check the write ahead log and journal if present. If you have a physical you can grep for a string/pattern as well if you know a portion of the message
5:30 AM
what application was it created on
5:30 AM
?
Avatar
The native SMS app in android.
Avatar
Anybody know where iOS stores the "deleted" timestamp for images deleted from the camera roll? Cellebrite is showing me the timestamp, but I would like to verify it for myself.
Avatar
Andrew Rathbun 4/4/2019 10:06 AM
Does Cellebrite's timestamp point to a source?
10:09 AM
but I don't think the timestamp would actually be stored in the actual image file (JPG), would it?
Avatar
ahhh...found it in the photos.sqlite database
Avatar
william beaux 4/4/2019 11:16 AM
I generated a UFED Reader report in PA 7.16.0.93 - it seems to be stuck on "Saving XML Report"; it does not show the report as completed in PA. I believe it is trying to .zip the file at this point - anyone else had issues with it not completing? It's been over four hours at this point.
Avatar
It took me a few hours to load an extraction and the program crashed when applying a date filter
Avatar
Gave someone a Cellebrite report but the Reader keeps asking them to register, and when they select no it doesn't parse anything. Any ideas?
12:11 PM
in trace window it is saying failed to execute PA reader
Avatar
deepdive4n6 4/4/2019 12:15 PM
Bit of an odd question, but any ideas on why I'm seeing a movie on an iOS device (12.1.4) with the filename of IJAH4319.MOV when connected to a Windows computer through MTP, but the filename is IMG_1593.MOV when processed with Cellebrite (AdvLog and GrayKey extractions).
12:15 PM
IJAH4319.MOV does not exist in the extract.... I can go to the DCIM storage location and it's IMG_1593.MOV all day long.
Avatar
Figured mine out but don't know why. I tried to transfer the file by a USB 2.0 and it did not work. I tried using a 3.0 and it works perfect. Unknown why a 2.0 drive would do anything to the file structure other than be at a slower transfer rate. Both drives were NTFS so that wasn't an issue.
Avatar
william beaux 4/4/2019 12:25 PM
update - report eventually finalized, 5 hours later - total size of report is 23GB - nothing excessive. I have not had the program hang like that before, but to its credit, it completed successfully.
👌 1
Avatar
deepdive4n6 4/4/2019 12:25 PM
Oh, and just for fun, if I connect the phone to a macOS computer.. I get IMG_1573_TRIM.MOV as the filename, and neither IMG_1593.MOV or IJAH4319.MOV exist.
12:30 PM
But if I use Image Capture, which uses MTP, I'm back to seeing IJAH4319. Leads me to believe this is an MTP issue.
Avatar
iOS logical extraction question
2:27 PM
I have reason to believe the owner of an iPhone (iOS 11.3.1) reverted to a backup, and I have both a logical and a file system extraction of the phone from less than a month after I believe this occurred. Are there any file creation dates that might confirm there was a revert to backup on a specific date?
Avatar
Does anyone know how I can avoid "RAM overload" in UFED PA? @Cellebrite I've got a problem with a 128 GB physical disk image.... (edited)
Avatar
Processing a ZTE Blade 982, unlocked. The extractions keep failing or only completing partially. Physical EDL didn't work at all, Advanced Logical fails after call log and SMS, and File System only gets partial. Anybody had these issues?
Avatar
Adam Cervellone 4/5/2019 6:00 AM
@Jamey , @cScottVance was able to assist and resolve the issue.
6:02 AM
Axiom is now pulling the data I expected it to. It was not automatically detecting the encrypted backup from an iPhone when the ZIP file was selected and was not prompting me for a password to decrypt it.
Avatar
@Adam Cervellone Cool, I knew it was something silly. When you said it was not pulling internally I was thinking that it can't be anything big, as we examiners always check, check, and recheck the big stuff. Glad it worked out and you are back on track. BTW you missed one hell of a conference/party...
Avatar
Does anyone know why I may have nothing in the private/var/db/uuidtext folder? These files are part of the unified logs (along with the contents of the diagnostics folder). I have some data in the diagnostics folder, but the uuidtext folder is empty. Trying to get a handle on why sometimes I may have 20 million entries in the unified logs vs 1 million on some phones vs almost nothing on other phones. This is the first time I've had data in the diagnostics folder but nothing in uuidtext. Can't figure out if there is a time cycle (7 days, 2 weeks, etc.?) for when these files are overwritten, if it depends on power cycles, or other factors. Thanks. I should clarify - this is on an iOS file system extraction, iOS 12.1.2. (edited)
Avatar
@Beefhelmet if you saw Analytics a few years ago, it has gone through huge improvements since then.
Avatar
@Adam Cervellone, I have the same issue with Axiom and an encrypted backup from Cellebrite by selecting the zip file. What did you do to get it to recognize and prompt for a password?
Avatar
@Adam Cervellone Had the same problem; can you share how you solved it?
Avatar
Same here
Avatar
Going into the zip so it can see the actual backup container rather than the UFED container is what worked for me.
Avatar
@Krisaytha Sorry, you mean unpack the zip and point axiom to that folder?
Avatar
Adam Cervellone 4/6/2019 2:36 PM
@FabianoQ and @twreese sure thing! Once you add the ZIP file and arrive at the processing options screen there is a section for Mobile Backups and Passwords in the side bar on the left. Go to that section and add 1234 into the large box where you can add passwords. Then process as normal.
2:37 PM
The issue seems to be that the selection of the ZIP file isn't prompting for a decryption password automatically so you have to enter it in the Mobile Backups and Passwords section.
Avatar
Thanks
Avatar
Thank you all! I will give it a try. Much appreciated.
Avatar
NapsterForensics 4/8/2019 7:48 AM
Hi, has anybody come across the mobistealth spyware application on a mobile device? Managed to find any useful information from it, like the account name linked to the mobistealth app?
Avatar
Deleted User 4/8/2019 11:59 AM
@deepdive4n6 I saw the same phenomenon in a current case. In all extractions from Cellebrite (4PC advanced logical, 4PC logical, PA advanced logical and CAS) there are two important video files called IMG_XXXX.mp4, but when connecting the iPhone to a Windows PC I can't find these files, only names like FLENXX.mp4. But those files aren't in the extractions. I opened a case with Cellebrite and they want to extract the data again and check where the problem is. I will inform you of any news. 😃
Avatar
PA 7.17 is out
Avatar
Does anyone know if there is a way to tell what folders photos are stored in within the iOS gallery with UFED? In particular I would like to export just the photos stored in the Snapchat gallery album.
Avatar
JLindmar (83AR) 4/9/2019 6:58 AM
@Elbag1 I would identify the path you are focusing on and filter for it in Images, or navigate to that path in the file system directory tree and export it out. Also, piggybacking on your Snapchat question, is anyone consistently seeing Snapchat message content parsed by PA from a GK extraction, or only if extracting using PA? I see PA supports several versions of Snapchat under their Method 1 and 3 extractions, but not sure about GK or their CAS extractions. (edited)
Avatar
william beaux 4/9/2019 7:39 AM
I am not sure where to direct this question, but this seems like the most relevant channel. I have been mapping quite a few CDRs from mobile providers recently (perk of a smaller agency, I do everything with digital evidence). I have been using the tool provided by the FBI's NDCAC portal, called CASTViz. CASTViz is very particular about the formatting of the records when it ingests, and properly aligning all of the records has proven to be cumbersome and time consuming. Short of writing some scripts to pull the required info out of the records and format it properly, does anyone use any other CDR mapping utilities that don't require extreme manipulation of the returned data to map?
Avatar
Joe Schmoe 4/9/2019 9:42 AM
@william beaux I use CellHawk by Hawk Analytics. It's MUCH more user friendly than CASTViz and has many other features. Unfortunately that comes at a cost.
9:43 AM
NW3C has a free tool but I haven't used it much.
Avatar
iOS forensic peeps.... I am trying to use the keychain-backup.plist to figure out what email address a Grindr account is using. There are two email addresses in here associated with Grindr. One is associated with com.grindrguy.grinrx, and one is associated with com.grindrguy.grindr.hockeysdk. I see the hockeysdk is used by the developer to allow communication with the end user. Any idea why there would be two different accounts in this section? Any way to determine which is correct? Neither is listed in the User Accounts section.
Avatar
Anybody know why, when you export chats with UFED PA, it renames all the message attachments? And more importantly, does anyone know how to disable this and force UFED to export chat attachments using their original file names?
Avatar
Anyone had any luck extracting Discord content from an S8?
Avatar
chrisforensic 4/10/2019 5:02 AM
@mkx ... I tested here with WhatsApp chats from Android and iOS.... single chat export and export via the main Create Report... all exported attachments have the same name as in the chat...
Avatar
Andrew Rathbun 4/10/2019 5:05 AM
@Ghosted there's a good writeup linked on Discord forensics in the server. Here's the link: https://cdn.discordapp.com/attachments/428167930853720074/466619644736700416/Discord_Guide_V1_0_0_298.pdf. The preferred method will likely be a search warrant to Discord for the content, though. @forensicmike @Magnet would be your best resource, though
👌🏻 1
Avatar
@chrisforensic Thanks for the info.
Avatar
Morning all - anyone know where power on and power off events are stored in ios? I was thinking knowledge C might be useful but whilst it stores plug in/out and battery level I'm not sure it actually specifically shows powering on and off?
Avatar
randomaccess 4/11/2019 2:42 AM
Haven't seen power events in knowledgeC. That's more related to Siri.
2:43 AM
PowerLog will probably help, but the times can be unreliable. Apparently UFED PA pulls out power events, although I can't recall if this was in a logical
2:43 AM
Advanced logical*
Avatar
Yeah this isn't my case/exhibit so I can't see it myself but I'm told in this instance ufed is showing power on events but not power off. They have a full file system so they will have access to databases etc
Avatar
Does anyone know why PA lists names as last name, first name, but the call logs show them as first name, last name? @Cellebrite (edited)
Avatar
Anyone know how to translate Mandarin? I don't see a Mandarin to English pack in the UFED add-ons.
Avatar
Guess I should have changed the language in iOS before I extracted the data.
Avatar
Does someone use the Project VIC DB and can tell me how many hash records you get in PA? Just want to verify my DB 😃
Avatar
Hi, I have an old Samsung 7320e Wave... Some DBs are easy to read, but one file interests me. Its name is phonedb_data.00. My usual tools decode everything else; I see a database, but not in this format... Any idea? (edited)
Avatar
You mean S7230e? Is it flashed with Bada 2.0 by any chance? (edited)
1:48 AM
I had S8600 with 2.0 and was unable to find anything that reads those db files correctly, only some partial SMS and no contacts at all
Avatar
Exactly !
6:25 AM
Same results... Not an Android OS
6:25 AM
And some files aren't decoded by XRY or 4PC...
Avatar
I think I was able to browse that DB partially using DADB_Viewer by setting the profile to UnknownPhoneType
You might get something like this that way
6:38 AM
I was unable to find any working profile or chain in PA, AXIOM, Oxygen and MobilEDIT
6:40 AM
You can also try Bada DB2 viewer in Mobile Revelator, but it'll likely open as corrupted and you'll see less data (edited)
Avatar
Thanks for your help! I have MR... I tried to get DADB Viewer and Samsung DB Viewer... No success because they're too old apps!
12:09 PM
@rico there you go
😍 1
Avatar
@Arcain Excellent! Thank you so much, I'll try it as soon as possible.
Avatar
Don't know if this is the proper channel, but I have a case where a user wiped an Android 5.1 device, probably from recovery. I made a dump of the device (dd), and when carving the userdata it contains nothing, just zeros. I thought that Android 5.1 just made a new filesystem when wiping data, and did not write zeros to the eMMC. Or am I wrong?
Avatar
@.karate. from my experience it does, and then there is the TRIM mechanism. You'll likely be able to recover data only after chip-off at NAND level, to bypass the controller in the eMMC.
2:21 PM
Multi-COM recently posted an Instagram post showing that they recovered tons of data from an i9300 that way, vs none at all via classic chip-off/dump.
Avatar
@Arcain thanks for the info. I’ve got the tools for a normal chip-off. Maybe i will get some data from it.
Avatar
CloudCuckooLand 4/14/2019 3:38 AM
@.karate. Normal chip off will be the same as dd in TWRP. You need a tool like VNR or PC3000 to dump and interpret the NAND data, bypassing the memory controller in the eMMC chip.
Avatar
CloudCuckooLand 4/14/2019 3:46 AM
I can't find the paper they published, but this is the product you (and we all) need https://rusolut.com/emmc-nand-reconstructor-release/
Avatar
Andrew Rathbun 4/14/2019 6:56 AM
MAGNET App Simulator: What Does it Do? MAGNET App Simulator lets you load application data from Android devices in your case into a virtual environment, enabling you to view and interact with the data as the user would have seen it on their own device. Use this tool to get a ...
Avatar
@rico MR should be able to handle phonedb.00; use the Bada DB2 for that. If it doesn't work, please let me know.
👍 1
Avatar
@bkerler if it's from Bada 2.0, MR probably won't load it correctly. I can send you one from an S8600 tomorrow if you want to check. (edited)
Avatar
yeah, sure @Arcain
Avatar
@bkerler Thanks for your support. Sure, I'll report my experience back to you.
Avatar
@CloudCuckooLand Thanks for the info! 👍👍
Avatar
Yuri Gubanov (Belkasoft) 4/15/2019 10:15 PM
Belkasoft is the industry first to support Telegram X decryption for Android devices, in the new v.9.5 of BEC
Avatar
Mistercatapulte 4/16/2019 5:30 AM
Hi guys,
5:30 AM
Does someone have a script for PA for parsing the Badoo app?
Avatar
I'm being daft 😊 ... I have a GrayKey extraction and have run it through PA. Where can I see when the last iOS update was carried out on the handset? Is it in the timeline?
Avatar
chrisforensic 4/16/2019 7:04 AM
@Mistercatapulte good question ☝
Avatar
Mistercatapulte 4/16/2019 7:06 AM
@chrisforensic I'm stuck in PA, can't manage to rebuild the DB correctly grrrrrr
Avatar
chrisforensic 4/16/2019 7:08 AM
tried it some months ago, without real success 🙁
Avatar
Mistercatapulte 4/16/2019 7:11 AM
I can't manage to add the user name to the ID
7:12 AM
For everything else it's OK, but not for this item. (edited)
Avatar
william beaux 4/16/2019 7:17 AM
I have an exported image cache from Instagram after a GK export. I exported 1600 files, but they do not have extensions. I can open each individually in IrfanView, but I need to open all of them to view. Any ideas on how to open a batch? There is no file extension, so I cannot associate IrfanView with the files and open by default.
Avatar
Maybe use the thumbnail viewer that comes with IrfanView
7:18 AM
Just point it to the folder; all the images should generate
Avatar
william beaux 4/16/2019 7:18 AM
Thumbnail viewer doesn't see them either. Is there a way to batch modify the data files into .jpgs?
7:19 AM
You can change all the file extensions
7:19 AM
Are you in Windows or Linux?
Avatar
william beaux 4/16/2019 7:19 AM
windows
Avatar
Use a batch rename in DOS
Avatar
Do a file listing and then the ren command
7:20 AM
Put the filenames into Excel and use the Excel function
Avatar
william beaux 4/16/2019 7:24 AM
used REN to change * files to *.jog
7:24 AM
ty
7:24 AM
*.jpg
Avatar
ah yes, that works
7:41 AM
did .jpg work ?
7:41 AM
when opening ?
Avatar
william beaux 4/16/2019 8:00 AM
yea jpg worked, able to preview.
Avatar
Anyone from BlackLight here... I would like to know when the update will be out... I have a 67 GB .zip file that needs to be processed and it's not rendering...
Avatar
Anyone have any luck parsing out Instagram direct messages? PA, Andriller, Axiom, and PlistExplorer: no luck. The Sanderson tool has expired; waiting for them to be back in business to renew that. But open to any other suggestions.
Avatar
I think you need a full file system extraction from iOS or a physical from Android. Do you have it?
Avatar
Yeah, FS/AL on UFED 4PC (iPhone XS Max)
Avatar
It isn't the same
Avatar
@deleted-role @Jetten_007 had a question about the new release date
Avatar
You'll need to either have GK or Cellebrite CAS to get the Full file system extraction (edited)
Avatar
Really, I thought Cellebrite has said their new AL was the same as their FS. Hmmm.
Avatar
Jay-kcda, do you know if/when this changed? Just 3 weeks ago Shahar was saying UFED 4PC AL was the preferred method for dumping iPhones.
1:35 PM
so Advanced Logical 1 & 2 via Physical Analyzer is the best method
1:35 PM
Then comes UFED4PC Logical/File System
1:36 PM
But a Full File System captures system files/databases that aren't available using the traditional methods
1:37 PM
So you'll need to root the phone and perform advanced logical method 3 to get something similar to a full file system
Avatar
I don't, but this is all before 7.16
Avatar
randomaccess 4/16/2019 2:53 PM
Does ufed 4pc still say file system extraction on iOS? Because I think that's causing people to get confused...
Avatar
AFAIK the preferred method is advanced logical via UFED4PC/Touch; however, in theory this should be equivalent to methods 1 and 2 via PA. Obviously just doing one extraction simplifies things, hence Cellebrite suggesting this is now the way to go
👍 2
Avatar
I don't think cellebrite were trying to say that the new "Advanced Logical" method is the same as a FULL file system by graykey, CAS or jail breaking, but just the combination of the logical and file system method previously present in 4PC, or method 1 and 2. Can easily see why people have got confused here!
12:29 AM
However in 4PC right now, there is no filesystem option. There is Logical (Partial) and Advanced Logical
Avatar
Yeah exactly, it is confusing, as for Android the Advanced Logical should actually be a combo of the old logical and Android FS, although I am not sure that's 100% accurate when you test it. For iOS it's definitely not getting you a GrayKey/CAS/jailbreak extraction
👍 1
Avatar
Hi all. Does anyone know where can I see when the last iOS update was carried out on a handset from a GrayKey extraction? Sorry if it's really obvious...
Avatar
randomaccess 4/17/2019 1:27 AM
@JMK I'm not really sure what you're asking but generally asking their support will get you answered better than here
1:28 AM
Or are you trying to figure out the time the phone itself was updated to whatever iOS version it's on?
Avatar
@randomaccess - yep the second bit, trying to see if there's anything in the GrayKey / Physical Analyser report that says when the phone was updated to the version of iOS it's on.
Avatar
randomaccess 4/17/2019 1:34 AM
I would probably look here https://dfir.pubpub.org/pub/e5xlbw88
What applications were installed on an iOS device and when?
👌 4
1:35 AM
And start from the date right after the update went live
Avatar
Thank you 😃
Avatar
Andrew Rathbun 4/17/2019 4:08 AM
I saw the latest PA release notes touted faster report generation. Has anyone else validated that yet? I'm going on 24 hours for this one iPhone (HTML/PDF/UFDR) and it's still not done
Avatar
Forensic@tor 4/17/2019 4:38 AM
@Andrew Rathbun I have not seen an increase myself. At least with UFDR reports.
👌 2
Avatar
Dr.Who-IACIS 4/17/2019 4:51 AM
@Andrew Rathbun if you are doing a GrayKey extraction report and the phone was of considerable size, that many reports at one time will take a while.
Avatar
Andrew Rathbun 4/17/2019 4:52 AM
These are not GK extractions. Just Advanced Logicals for an iOS device(s).
Avatar
Dr.Who-IACIS 4/17/2019 4:53 AM
@Andrew Rathbun what was the ufed extraction size?
Avatar
Andrew Rathbun 4/17/2019 4:53 AM
@Dr.Who-IACIS 34.6GB
Avatar
Dr.Who-IACIS 4/17/2019 4:54 AM
Haha yeah. 100 gigs of report data.
Avatar
Andrew Rathbun 4/17/2019 4:54 AM
Been like this for almost 24 hours now. Looks like there's a zip file being generated but it's slowly increasing in size by about 20kb per second.
Avatar
Forensic@tor 4/17/2019 4:55 AM
I had an 8 GB extraction take about the same time as the prior release.
Avatar
Andrew Rathbun 4/17/2019 4:55 AM
Sorry about the on screen keyboard, on a MacBook Pro. Had to use it for the PrtScrn button, didn't think it'd be in the snip
Avatar
Just throw it on the ground...
Avatar
Andrew Rathbun 4/17/2019 4:57 AM
I normally wouldn't care but seeing as how I have 22 phones for this one case, this does get in the way of progress. Get paid by the hour though!
Avatar
I have an Axiom case that has been running for 3 days only 1 TB of data
4:57 AM
<shrug>
Avatar
Andrew Rathbun 4/17/2019 4:58 AM
@San4n6 when AXIOM was in beta like 1.07 or something, it took 3 days to make .9% progress on chewing through a 500gb image. That got promptly fixed the next release but it was for a high profile case so that was bad timing
Avatar
I am using the most recent version
Avatar
Need one of these for reporting / decoding: https://imgs.xkcd.com/comics/compiling.png
😃 2
Avatar
I had the same problem .... restarted my PC multiple times and then it took around 60 min... Cellebrite told me to change my "time" locale to English (US) and the separator from , to . (edited)
Avatar
I am about to deskpop my workstation maybe it will speed up
5:02 AM
Just happened
😂 5
Avatar
I had a weird case that took 16 hours to decode and appeared to be using an insane amount of RAM for such a small file, which was a bug. Unfortunately Cellebrite couldn't get to the bottom of it without a copy of the extraction, which I couldn't provide. It appeared to get stuck at decoding facebook_stub, which was an empty APK, basically just a pointer for a user to download Facebook on their device. This was on a machine with 64 GB of RAM running a Xeon E5-1630 v4, which isn't a slouch.
5:03 AM
Extra cooling right with a hole in it?
Avatar
Ya, I think it got the point
5:03 AM
It's moving a little faster
👍 2
Avatar
Andrew Rathbun 4/17/2019 5:04 AM
@K23 I remember having issues with GK reports where it'd get caught on some html file or something unimportant like that. I think that issue has since been fixed though.
Avatar
Yeah this wasn't a graykey dump, it was an EDL I think, can't remember the device
Avatar
Ya, one line of a bad decoding script will wreak havoc
Avatar
Andrew Rathbun 4/17/2019 5:05 AM
I can't see report generation getting better moving forward as phones are larger in size. I saw the Galaxy Fold is 512gb. 4PC sometimes requires a 64gb microSD card to be inserted for extraction. Soon that'll be 128, 256. etc. However, that's only if phone manufacturers keep expandable storage around which is another conversation in itself.... (edited)
Avatar
And RAM seemed to be a factor, as when running in a VM for their testing with identical specs, SSD but RAM gimped to 20 GB, it dropped to 25 hours decoding time. The cycle seemed to just use all the available RAM slowly; when it hit a limit it dropped back down. No idea what was happening.
Avatar
I am waiting for a new Samsung with 2 TB of data
5:07 AM
The phone has 1 TB and an SD card with 1 TB
Avatar
Had a similar case I didn't report, which was a GrayKey dump that was taking an age to load. One of my colleagues was out, so I nicked 64 GB of RAM from his machine to make mine 128 and it decoded within an hour. Had been waiting 5 hours on that, urgent job. Likely just a bad decoding script as you said @San4n6
Avatar
Andrew Rathbun 4/17/2019 5:08 AM
The 22 phones for this case totaled just north of 1.5tb. You're right @San4n6 that soon one phone could take up as much space as my entire case has so far in the not too distant future
Avatar
Can't blame the software peeps, because application data coding changes with almost every update so it's very hard to keep the scripts rolling out as well, but it is a pain
👍 1
5:09 AM
However, that is why God created whiskey
5:09 AM
to help me wait
😂 1
Avatar
Dr.Who-IACIS 4/17/2019 5:09 AM
I've had phones run overnight only to find the report generator in UFED Physical had locked up the machine. Takes a while. That's why when I start one, I sit back and watch Netflix.
5:11 AM
@Andrew Rathbun I generate the report with the UFED Reader option then sit down with the agent and show them how to use it. Saves time and they can generate their own reports.
👌 1
Avatar
randomaccess 4/17/2019 5:25 AM
Because of issues with UFED report generation, when we got new boxes we made sure to up them to 128 GB of RAM
5:25 AM
Have fewer issues with more ram apparently
5:27 AM
I would love the ability to kick off the extraction, parsing, and report generation in one go though... Like "do an advanced logical and give me a ufdr please, i don't want to interact with anything between those two points"
👍 4
Avatar
That would be brilliant. Maybe add in a selection process, so "If this datatype is present include this, if this one is present do not include that", but that would be great. Just put the exhibit details in to begin with and bam
Avatar
Andrew Rathbun 4/17/2019 6:17 AM
Sweet. Just got BSOD after 25 hours. How swell
🔥 1
Avatar
Colleagues PC just had every USB port die, then 5 minutes later it powered itself off with a flashing red LED, beeping ominously. Bad day for computers
Avatar
Andrew Rathbun 4/17/2019 6:35 AM
RIP
Avatar
kmacdonald1565 4/17/2019 6:40 AM
@K23 I believe that is the digital equivalent of my career (edited)
😆 1
😈 1
Avatar
Good effort
Avatar
randomaccess 4/17/2019 3:09 PM
@K23 send the request through to support. I send a lot of stuff through to them because they'll add what the most customers want. So if they don't know what we need, they don't add it
Avatar
@randomaccess I did on the last one, but they couldn't do anything about it due to needing the extraction, which I couldn't provide. If it comes up again I'll do the same, but from the last few it sounds like they cannot do much diagnostics on some of these bugs without the extraction
Avatar
Somebody familiar with the kik.sql database in iOS? I wonder what the table ZATTRIBUTION and the column ZTYPE are. The only data in ZTYPE is 4, 25 or 26. I have a chat with one contact who sent pictures to the user. One of the pictures is displayed in the Physical Analyzer Kik chat, but the other one is only shown as a placeholder. (edited)
Avatar
randomaccess 4/18/2019 3:29 AM
@K23 I'm saying more about feature requests
👍 1
Avatar
Guys, I'm working on a threads_db2, having a look at a message. The message is critical in an IIOC case; I could identify it by timestamp. However, the text column is empty but the record is live. I know that an attachment was sent here; I can even see that a message has been sent. But the field is empty apart from a starting 0D in hex, followed by a few zeros and 13 bytes of something. Any ideas what could have happened here?
5:50 AM
We're talking about Facebook Messenger btw
Avatar
OK, so when looking at the original phone we can see there is a gap between two dates, so it must have been deleted by hand?
Avatar
On the other hand: what happens if IIOC is uploaded to Facebook when it is known? Will it even be posted to the ecosystem?
6:32 AM
Does anyone know?
6:33 AM
I guess it might not even be "recognized" by Messenger because it's known CEI
Avatar
I would contact Facebook LE support and ask, tbh. If it's through Messenger I am not sure if they are filtering that; I would hope so, but I am not sure
6:55 AM
Safety is a conversation and a responsibility we all share. Get to know how Facebook approaches safety, and learn about the tools and resources available to teens, parents and teachers.
6:58 AM
I am assuming you ran it against hashes and it's known, and if Facebook does what it says they will filter it and report it to NCMEC..
Avatar
knowing Facebook it won't work properly and then it'll leak your data for good measure
Avatar
I got an NCMEC report, that's why there's a case in the first place. I did not run it against hashes myself, but I had a case a few weeks ago with exactly the same content. So I guess it must be known to FB.
Avatar
Does anyone know if Android OS 7 keeps track of when developer options were turned on or off? I have a case in which I am examining a homicide of a baby, and my defendant's phone has the Cellebrite Client installed on the phone. I performed a remove lock and then a decrypting EDL physical. I do not believe the client would get installed
Avatar
I have a DB file that has minimal data and a WAL file that contains a lot of data. I attempted to put the .db, .wal and .shm into a DB viewer without success (it stated malformed). How can I parse out the .wal file for the information?
11:03 AM
Avatar
@Jetten_007 do you have Sanderson SQLite?
Avatar
No, I don't.
11:05 AM
@Jay528 I may have access to it... I have to ask a neighboring town
Avatar
It has the ability to read the WAL log; I believe it can read .shm files as well
Avatar
ok
Avatar
I think if you open the DB in DB Browser, it dumps the contents of the wal file to the DB. (Unless I'm thinking of another program)
Avatar
DB Browser will not see the WAL file.
11:18 AM
It calls the .db file malformed.
Avatar
@Igor Mikhaylov thanks, I will try it. @San4n6 the process you gave did not work; the database is indicated as malformed when put into the DB viewer, so that's probably the issue.
Avatar
Recently I extracted three iOS devices which were in Mandarin. I didn't think at the time, but learned Cellebrite does not have a language pack for Mandarin to English. Has anyone else had any similar issues where the language is not handled by Cellebrite, and if so how did you convert the language? I am trying to avoid having an interpreter go through the extractions.
Avatar
Forensic@tor 4/19/2019 7:34 AM
The language packs should not be relied upon for court purposes. Best practice is to always have a certified interpreter review it.
💯 2
Avatar
@Forensic@tor so you would just have the interpreter go through the extraction and not review it yourself? How do you get the interpreter, who most likely is not an investigator, to see what you would most likely be seeing? I would love to review the data in English and have the interpreter review my findings. I didn't know if someone had gone through this and maybe exported all the SMS and utilized a script to convert the language.
Avatar
Forensic@tor 4/19/2019 7:58 AM
I would use it as a review tool only for me. The prosecutor would need to use an interpreter for accuracy.
💯 2
7:59 AM
I thought you were using it as a tool to give the investigators and the court.
Avatar
@K23 and @randomaccess I think there may be a solution for your conversation above about
10:17 AM
"I would love the ability to kick off the extraction, parsing, and report generation in one go though... Like "do an advanced logical and give me a ufdr please, i don't want to interact with anything between those two points""
10:17 AM
We’re pleased to announce a new solution for digital forensics labs to get the most out of their forensics tools: Magnet AUTOMATE. AUTOMATE allows labs to complete their investigations faster by powering a repeatable forensic workflow that minimizes downtime and maximize...
10:20 AM
For example: image with FTK Imager, put the resulting E01/Ex01 in an FTK case file AND a Griffeye case file AND an AXIOM case file... If it contains the following artifacts (A, B, C) then kick out a portable case; email me on failure or on success...
Avatar
@Jetten_007 I can look at it on Monday if you want me to. I am not sure if you can provide me the db and wal..
Avatar
@San4n6 I will give you the db file...
Avatar
Copy, I'll DM you with my LE email
Avatar
k
Avatar
randomaccess 4/19/2019 2:19 PM
@Jamey I'm not sure if PA has a command line so not sure it would work. Ideally vendors would just build this in rather than us having to bolt things together. If I want to go from e01 to portable case in axiom it sounds like I'll have to buy cli and automate then?
👍 1
Avatar
If you wish to process a case and then make a portable out of the resulting info you can just by having AXIOM. If you want to automate the process (Magnet Automate) then you need Automate
Avatar
randomaccess 4/20/2019 6:23 AM
You can do it by having AXIOM, yes, but I can't do it from AXIOM Process, unless I'm missing something? I.e. I can't take an E01 and let it run overnight and come back to a portable case to give to my investigator. I have to interact with it in the middle, which is what I was saying about PA. Just interactions in the middle that cause delays, which is unfortunate.
Avatar
Andrew Rathbun 4/20/2019 6:29 AM
So basically report generation as an option on the front end
Avatar
randomaccess 4/20/2019 6:32 AM
Pretty much
6:33 AM
It just lets us get through more and machines aren't tied up because no one was in the office at 3am to kick off the portable case generation
Avatar
Andrew Rathbun 4/20/2019 6:36 AM
Yeah that totally makes sense. Seems like it'd be an easy thing to implement
Avatar
randomaccess 4/20/2019 7:01 AM
@Andrew Rathbun probably, but it's a use case for automate
Avatar
randomaccess 4/20/2019 2:56 PM
@Forensic@tor you wouldn't be forced to export to portable case from processing, it would just be an option Also, in my current use case, excluding the cp would be counter productive, but that's just LE work.
2:56 PM
Also you could check the portable case either way
Avatar
@randomaccess I would love that. I got a bunch of devices yesterday and now I'm off for the weekend. It would save a bunch of time if I could image and process the drives all at once.
😀 1
Avatar
I have a physical of a Samsung S7; all the decoding is OK. In WhatsApp I have the user marked by PA as "owner" that has just the username and no phone number. What are the possible explanations for this?
Avatar
I have a full filesystem of an iPhone containing Telegram messages, but they're not being decoded. Seems UFED does not yet support their new encryption scheme.... Any idea how to decrypt them?
Avatar
cScottVance 4/23/2019 7:25 AM
@here someone the other day was asking about Kik ZATTRIBUTION. Did this question ever get answered? Because I had some devs take a look
Avatar
Andrew Rathbun 4/23/2019 7:26 AM
That would be @Tilt who asked
Avatar
Maybe I've found the answer to my own question. Talking about Android, it seems that WhatsApp stores the phone number of the phone owner inside 2 XML files, "registration.RegisterPhone.xml" and "com.whatsapp_preferences.xml"; both are placed into "shared_prefs" under the WhatsApp folder. Apparently this is what happens: the owner transfers the SIM to a new phone and activates WhatsApp with the same phone number on the new phone; at this point, as soon as the old phone connects to the internet, it becomes aware of the activation of WhatsApp on the new device and deletes the lines from "registration.RegisterPhone.xml" and "com.whatsapp_preferences.xml" where the phone number is written. If you examine the old phone with UFED you can find all the chats untouched but you will miss what phone number was in use by the owner of the phone. It would be nice if someone could validate this behavior :-). (edited)
👌 3
Avatar
forensicmike @Magnet 4/23/2019 4:02 PM
with Telegram being closed source that is probably not an easy answer @Mike .. probably considerable RE work required.
4:07 PM
Which might be easier to start with Android as there's a solid chance both platforms are using the same algos / crypto methodology
Avatar
Yuri Gubanov (Belkasoft) 4/23/2019 11:14 PM
@Mike Belkasoft supports decoding all versions of Telegram including Telegram X
Avatar
@Yuri Gubanov (Belkasoft) thanks for the info, unfortunately my department doesn't have a BCE license
Avatar
Yuri Gubanov (Belkasoft) 4/24/2019 12:58 AM
@Mike not a problem, you can extract all the info with the trial version, which is not restricted in the amount of extracted information (only reports are restricted)
Avatar
Any ETA from @Cellebrite for latest Telegram decoding support on UFED?
Avatar
If you open pa under help menu there’s a list of all supported apps @Mike
Avatar
@CLB-Paul 5.2 is the latest version reported as supported ... any idea about support of newer version ?
Avatar
You can email support for potential newer versions. Don’t have access to that info
Avatar
Have an iOS device unlocked and can see WhatsApp but the data is not being parsed. I read where it says APK downgrade; can someone DM me about this process?
Avatar
Andrew Rathbun 4/24/2019 6:44 AM
@Ghosted APK would apply to Android devices only
Avatar
Is there a process for iOS?
Avatar
There's also ADB access for iOS at certain process points but it still does not make sense 😉
Avatar
Andrew Rathbun 4/24/2019 6:45 AM
APK is like the .exe for Android. .IPA is the equivalent for iOS
Avatar
Any reason WhatsApp is not being parsed in iOS?
Avatar
App downgrade should not be needed on iOS as the data is still included in the iTunes backup. What tools have you tried and did the tool support decoding of that app version?
6:52 AM
You could also look and see if the ChatStorage.sqlite was included among the databases.
Avatar
It was PA that was used
Avatar
chrisforensic 4/25/2019 3:02 AM
Someone out there with the same problem? UFED PA doesn't decode FB Messenger!
Avatar
Which version
Avatar
chrisforensic 4/25/2019 3:03 AM
latest 7.17.1.1
Avatar
of FB-Messenger
Avatar
chrisforensic 4/25/2019 3:04 AM
Made a physical image from a J320F with UFED4PC... PA did not decode FB Messenger (edited)
3:04 AM
Imported the .ufd into Oxygen Forensic Detective and voilà
3:06 AM
It's very strange
Avatar
Perhaps the specific app version is not supported by CLB yet?
Avatar
@chrisforensic working here. PA 7.17.1.1. Messenger version 147364521
Avatar
Concerning Snapchat Main.db. Is rowId in Friend table equivalent to senderId in Message table?
Avatar
Andrew Rathbun 4/25/2019 6:27 AM
Hey all, I got a dump of an iPhone (A1662 - iPhone SE). It's a good dump as seen in PA but it has an iTunes backup password. Suspect isn't the most cooperative and "can't remember" it. In using the search here, I'm seeing that Reset All Settings is an option to remove the iTunes Backup Password but it also wipes a few other arguably unimportant things (background wallpaper, wifi passwords, etc). I'm also seeing that possibly getting a GK dump will solve this problem as well. Right now my dump is with 4PC. Anyone have any recent experience on this? I'm not sure on exact iOS version and won't know until tomorrow when I can reopen it in PA. (edited)
Avatar
Mr. Eddie Vedder from Accounting 4/25/2019 6:33 AM
@Andrew Rathbun Have you tried passwords they've got stored in the saved passwords and forms? I'm about 50/50 with that working right now.
Avatar
Andrew Rathbun 4/25/2019 6:35 AM
I will check into that tomorrow when I can open up the dump again. Gotta head to the airport in an hour so kinda bad timing to follow through on this today
Avatar
Does anyone know what the circled term in the attached picture represents?
Avatar
It's from an iPhone Instagram database extraction.
Avatar
chrisforensic 4/26/2019 1:43 AM
Hmmm... someone here took my pics and tweeted that "he" had "helped out" someone in Germany ???😤 Model type as I posted above.... shame on you (edited)
😡 9
😲 1
Avatar
Deleted User 4/26/2019 1:54 AM
It shouldn't need saying, but publicly tweeting things from this server without asking permission of the poster is bad enough, but incorrectly taking credit for it in the process is clearly wrong. I would strongly recommend that whoever is behind the CPD Forensics twitter account remove that tweet and think twice about incorrectly claiming credit for someone else's work! (edited)
💯 15
Avatar
Some guys outside EU still think Austria is a part of Germany 😣
😂 5
🙄 1
Avatar
I’m patiently waiting on the reply to Chris’s tweet to see what they have to say for themselves
Avatar
Yeah thats pretty bad, someone needs to own up to that
4:18 AM
Stuff like this just makes people feel like they don't want to share useful/interesting stuff
Avatar
Deleted User 4/26/2019 4:26 AM
It's being dealt with @bizzlyg
👍 4
Avatar
No problem, sorry 👍
Avatar
Deleted User 4/26/2019 4:27 AM
No problem 😃
Avatar
Anybody run into Enchanted Cloud photo vault? I have an advanced logical on an iPhone 8 where the user has a lot of photos in com.enchantedcloud.photovault that I can't see the images or videos of. Any advice or help would be greatly appreciated
Avatar
We have an agent in the field that just did an adv/logical (method 1) acquisition on an iPhone 10. There are no addressbook/contacts in the extraction... we have not done too many of these. Normal? Is there a specific place to look other than /var/mobile... for db files?
Avatar
Adam Cervellone 4/26/2019 9:11 AM
Correction to @KarateCop 's message from yesterday...that is from a physical extraction of a ZTE N9136. We thought that evidence came from an iPhone. We would greatly appreciate any input!
Avatar
forensicmike @Magnet 4/27/2019 2:54 PM
Been on my list for a while, but I finally got around to it. First blog post is up with a bit of info on LG MPT - the KnowledgeC of the LG-Android ecosystem. http://www.forensicmike1.com/2019/04/27/mpt-lgs-incognito-version-of-knowledgec/ (edited)
💯 8
👍 5
😍 3
👌 2
Avatar
Andrew Rathbun 4/27/2019 2:57 PM
Bravo @forensicmike @Magnet
Avatar
forensicmike @Magnet 4/27/2019 2:59 PM
Thanks sir 😃
Avatar
Andrew Rathbun 4/27/2019 3:01 PM
Great work on that
Avatar
Andrew Rathbun 4/27/2019 3:12 PM
Added your blog on #dfir-resources
3:12 PM
Did some reorganization, too, as you can see (edited)
Avatar
chrisforensic 4/28/2019 2:39 AM
@forensicmike @Magnet wow, very deep investigations you did, well done 💯
Avatar
@forensicmike @Magnet I just finished your paper, well done! It's a great task to do the work you performed, and an even greater task to document it so well.
Avatar
@forensicmike @Magnet well done ! It's a great paper! What mark do you suspect or have you seen such information? I hope samsung 😇
Avatar
@forensicmike @Magnet I can add that I have a physical image of an LG M250N with Android 7.1. The image was obtained through the generic bootloader method and userdata remained unreadable because of encryption, but the MPT partition is not encrypted and the "LDB_MainData.db" (10.5 MB) is full of readable data. I can provide the file if anyone wants to expand on Mike's work (edited)
Avatar
forensicmike @Magnet 4/28/2019 10:47 AM
Thanks all for taking the time to read through it!
Avatar
Can I import an independent database file in either UFED, XRY or Axiom and have it decoded?
11:41 PM
Either
Avatar
forensicmike @Magnet 4/29/2019 3:52 AM
@azkurken Yes, you can accomplish this in UFED PA and AXIOM. I'm guessing you're saying you have a database that would be parsed as part of a full image but you'd like to selectively parse just one DB?
Avatar
forensicmike @Magnet 4/29/2019 3:59 AM
(Can't speak to XRY as I don't use it enough)
Avatar
XRY should also be able to accomplish that but it depends on where the database is from of course 😃 What app/phone is this database from?
Avatar
@forensicmike @Magnet That's exactly the case. I have chosen "Open Advanced" but am yet to find a suitable option for importing a DB. Do you know it by heart?
Avatar
Andrew Rathbun 4/29/2019 5:28 AM
Just to circle back on my issue from 4/25/2019, as unsettling as it was to Reset All Settings on my suspect's iPhone in order to get past the iTunes Backup password, thanks to @OllieD and the reassurance of https://support.apple.com/en-us/HT205220 I was able to get a good dump of this device this morning. 10/10 would do this again in a heartbeat (edited)
💯 1
Avatar
Hi, does anyone know what "LastSeenTime" in com.apple.MobileBluetooth.ledevices.other.db refers to? I get numbers with 1 to 4 digits - for example "4235" and can't seem to figure out what that timestamp means. Adv.logical iOS extraction.
Avatar
chrisforensic 4/29/2019 7:39 AM
Hello 😉 does someone know if it is possible in Oxygen Forensic Detective to use another geodata server API (not location-api.com, Yandex.locator)? Like from wigle.net? How can I put in the necessary logins? Thanks in advance
🤔 1
Avatar
forensicmike @Magnet 4/30/2019 3:39 AM
@BETBAMS Interested in this answer myself. It almost seems like they are relative to a recent-ish 0 based offset.
Avatar
@forensicmike @Magnet Yes that's what I was thinking too. Something along the lines of seconds/minutes/x passed since midnight or..? Well I don't know.
Avatar
forensicmike @Magnet 4/30/2019 3:47 AM
I've put together a tool that can script SQL queries across iOS extractions in batch. Going to see if I can't find some more answers on this today.
3:47 AM
Seems like it could be mighty useful info in terms of say, putting a bad guy near a victim
Avatar
@BETBAMS Maybe it's something like "x seconds/minutes/hours ago"
Avatar
That sounds good! Yes exactly. We have a somewhat old murder case and they asked us to take a second look at the victim's phone. The only idea I have is to see if the victim's phone has been near other BT devices up until her death. There is a suspect and I'm waiting for his phone to arrive at the lab...
3:50 AM
@Orb maybe! I will try to convert and see if that makes sense
Avatar
forensicmike @Magnet 4/30/2019 3:50 AM
Definitely KnowledgeC stuff can be a huge boon for iDevices... check out APOLLO if you aren't familiar
3:50 AM
3:51 AM
Just used KnowledgeC with power logs on a case here to refute a bad guy's story that "his battery died" (and that's why his phone goes dark for certain periods)
Avatar
Interesting. I will definitely take a look at that
Avatar
forensicmike @Magnet 4/30/2019 3:52 AM
Can show not only the battery was fine, but the phone was powered off manually (through App In Focus showing "SBShutDownController" followed by the cessation of all phone logs)
Avatar
Thanks, @forensicmike @Magnet
Avatar
randomaccess 4/30/2019 5:36 AM
<3 knowledgeC if you can get to it in time
5:36 AM
Although I need to get back to working on my plist carver. The plists in the db expire but are recoverable
Avatar
Can anyone explain when you would be utilizing the Open Advanced feature within Cellebrite, other than importing a GK extraction or if your .ufd file is corrupt?
Avatar
Andrew Rathbun 4/30/2019 7:56 PM
@DMG maybe running a different chain on your extraction such as Android generic or Qualcomm chip specific instead of phone specific?
Avatar
Have you ever had much luck changing up the chains from what was "recommended"?
7:57 PM
That being said, how could we testify in court that it decoded "correctly"?
Avatar
Andrew Rathbun 4/30/2019 7:58 PM
I've never had reason to do that but this is just my observations/best guess based on my GK importing experience
7:59 PM
And to answer the second question, you would make your own image with known data, run the profiles through the extraction and validate the parsed data yourself
7:59 PM
Then you could testify to the fact you've validated it with known data generated by you
Avatar
I've never had a reason to divert from the recommended chains etc
8:00 PM
Just trying to understand this function a little better
Avatar
Andrew Rathbun 4/30/2019 8:00 PM
Me either. I would be curious to hear any use cases of doing that
Avatar
I can only imagine trying to decide which of the 1000s of chains to run, assuming it would decode better than the recommended ones that Cellebrite already put together.
8:02 PM
Now if the device was not supported for extraction and we knew of a similar device to attempt decoding with those chains, I can understand that
👆 1
Avatar
Andrew Rathbun 4/30/2019 8:04 PM
You took the words out of my mouth. I was about to say that too
8:05 PM
Or maybe you could screw about and throw the iPhoneFS chain at an Android phone and see it fall flat on its face lol
8:05 PM
I don't even know if PA would entertain that idea. Not sure if there are checks and balances as to what chain you can manually select for X phone
Avatar
I don't think it cares
8:06 PM
But I'll test that idea...
Avatar
Andrew Rathbun 4/30/2019 8:06 PM
I'd just be curious to do it once haha
Avatar
I think we need to remember that at the end of the day it's just looking at a string of hex / 0's and 1's and it knows to go to sector X to start decoding, like with a FAT filesystem or whatever on a computer.
💯 1
8:09 PM
Now is when someone way smarter comes in and crushes this theory of mine.....
8:09 PM
....AND GO
Avatar
randomaccess 4/30/2019 8:27 PM
@DMG you use Open Advanced for instances where you used another tool to get a data dump. For example ISP/chip removal
8:27 PM
Or even if you use a generic extraction method. For example the MTK extraction
8:28 PM
I've had to work with support to figure out which chains need to be added to a custom profile to parse data out of a physical
Avatar
@randomaccess I appreciate the info. How did you ultimately determine which chains to run?
8:35 PM
can you provide an example?
Avatar
randomaccess 4/30/2019 8:35 PM
Support helped
8:35 PM
Then I assume you saved a .ufd file after so you wouldn't have to do it again
Avatar
randomaccess 4/30/2019 8:35 PM
You would think. But I don't think the ufd actually stores that
Avatar
It stores the decoding chains
8:36 PM
So once you have them set they will open automatically
Avatar
randomaccess 4/30/2019 8:36 PM
Right. Well, whatever way I went about generating it, it didn't
8:36 PM
But that's fine. Ended up parsing, could see data that I knew was on there. UFDR produced and provided to client
Avatar
Nice, I need to find a chip-off image I can test with. My agency doesn't currently have that capacity
Avatar
Newbie question: if the ADB option is not available (model not supported), is the UFED downgrade method sufficient for WhatsApp messages?
Avatar
@DMG All the above suggested scenarios are legit for using "Open Advanced..." in PA. Also, you can use it when you just have a folder with some data on your machine, and want to use some of the viewers PA provides (like for plists, protobufs, etc), or run some of the more advanced tools like location carving, which doesn't really care about the device type.
Avatar
Another scenario where I sometimes use Open Advanced is when the chain specific for the model did not decode data that I know is there (phone unlocked) while a generic one or one for a similar model does...
Avatar
@Orb I tried that function of PA yesterday on a folder containing an unparsed database containing cell tower IDs. The plan was to map the towers using online enriched data. Didn't work. Then I tried to parse the DB with the auto-run SQL wizard on opening. The database would show in the analyzed data (cell towers), but still would not pop up the online enriched data option. Any clues on how to achieve the mapping of the cell tower IDs, or is it just not a possibility when the DB is not parsed by PA?
1:49 AM
Also, the export function to send it to Cellebrite by email was grayed out as well.
Avatar
Andrew Rathbun 5/1/2019 4:28 AM
Oh yeah, @DMG it's been so long since I've done a chip-off I forgot that's how you parse those extractions out.
Avatar
Anyone got a spare chip-off image they can Dropbox to me for testing purposes?
4:34 AM
@Orb & @FabianoQ thanks for the follow up and additional scenarios
Avatar
Andrew Rathbun 5/1/2019 4:37 AM
@DMG the output of a chip-off is just a .bin file. If you wanted trigger time on the Open (Advanced) feature of PA, you could always download the test Android 7/8/9 images and throw them in PA and toy around with them - https://aboutdfir.com/dfir-research/
Avatar
Works for me thanks @Andrew Rathbun
Avatar
Chip-offs and ISP for mobile devices used to be the shit until Android advances in FDE and FBE, and now eng roots and EDL "firehose programmers" and exploits are the way to go.... (edited)
4:51 AM
I did however do a chip-off last week, so not totally out of the question
Avatar
Out of interest, when dealing with IIoC cases and exporting to griffeye from UFED, have people been turning off the "Merge (group similar items)" option under "Multiple Extractions" (Important: This seems to apply even if there is only one extraction loaded into UFED.) If it is left enabled then there could be potential issues with grading numbers & locations. @Law Enforcement [UK] (edited)
Avatar
Like multiple exhibits?
Avatar
No, one exhibit
4:11 AM
The option is just confusing; it affects multiple extractions and individual extractions loaded in. Basically we've had images that are binary copies in different places, one as a cached image and one as a distributed-by-WhatsApp image, merged, with UFED only exporting the cached image. So that's the one that's graded in the software, with that file path.
Avatar
@K23 We had that debate over here. We chose to load up multiple extractions (physical + carved images from physical, then add filesystem, then add logical). Don't merge anything. Then we upload everything in the image database (similar to Griffeye). That way we don't let UFED merge relevant image locations (like your image from WhatsApp/sent) into a less relevant location (cache or thumbnail).
5:44 AM
The investigator can then choose whether or not to see duplicate images in the viewing software, but at least we have all the paths to do further analysis. (edited)
5:46 AM
And... it's a lot more work ;(
Avatar
Yeah, I think we are going to put in a feature request for there to be an option to export ALL media files into Griffeye from the images / video tabs regardless of the settings in PA. The annoying thing is that the de-duplication stuff is great if you have multiple reads with the same text messages etc., but for stuff like this, where the file paths are vital and could be the difference between a possession charge and a distribution charge, it's pretty critical
5:50 AM
And just for clarification, the example I provided was on one extraction. It wasn't a combination of a logical, filesystem or physical; it was one extraction where, by default, PA only exported the file path for the cached image
Avatar
@K23 Exactly.. I have 2 config files for PA. One for child porn importation cases (unmerged and check all entities on load) and one for other case analysis where I do want to hide duplicates and check nothing. Can Griffeye carve the .bin file directly if you have a physical extraction from UFED? That feature used to work with our software but is no longer supported. That gave the best results.. carve the physical with a good carver.
5:51 AM
@K23 Exactly... even with just one extraction, PA can hide duplicates with relevant paths.. :(
Avatar
It can do, but then it gets problematic in the reporting stages; if, say, it decodes / carves something slightly different to the extraction or reporting tool it could add a bit of extra work. Plus these days you can't always get a physical extraction; quite often you are left with logicals. Especially on iPhones. Might have to go down the same road as you (edited)
Avatar
CloudCuckooLand 5/2/2019 9:21 AM
Can anyone confirm or deny whether a lookup date (the timestamp in CB PA 'IdentityServices' IM tab) of an iOS idstatuscache.plist record means that a communication occurred at that time? I found a document that asserts that the time is an occurrence of an email, iMessage or FaceTime communication. http://slidehtml5.com/zykj/kwdj/basic "/Library/Preferences/com.apple.identityservices.idstatuscache.plist  This property list can also be a gold mine of information for deleted messages in FaceTime, iMessage, or e-mail. Identity services confirm the validity of a user's credentials as it travels across the ESS (Enterprise Shared Services) of Apple. So within this file are phone numbers and e-mail addresses along with a UNIX date of the lookup for clear credentials. Content is not included, but simply having the metadata of the occurrence is enough"
Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation
Avatar
@K23 Just saw this about PA & Griffeye exports. We've had similar issues too. To merge or not to merge. Either has its own issues. Not merging can result in inflated, inaccurate results. I'd back you on the request to Cellebrite. Would fancy a chat first though. I'll give you a ring tomorrow as soon as I get a chance 😃
👍 1
Avatar
forensicmike @Magnet 5/3/2019 6:18 AM
@CloudCuckooLand Could you shore this up with KnowledgeC and/or InteractionC?
6:19 AM
KnowledgeC could help from an App Focus and App Intent perspective, if it's not too dated
Avatar
CloudCuckooLand 5/3/2019 6:32 AM
@forensicmike @Magnet Does knowledgeC come off with method 1 or is it GK/CAS/Jailbreak only?
Avatar
Should be from a full file system extraction
Avatar
CloudCuckooLand 5/3/2019 6:35 AM
@Jay528 Then unfortunately I don't have it :/
Avatar
forensicmike @Magnet 5/3/2019 7:38 AM
Understood. Well, there's definitely work that could be done here and I don't suppose it needs to be specific to your extraction either.
Avatar
@CloudCuckooLand if you can jailbreak the device you can get knowledgeC
Avatar
forensicmike @Magnet 5/4/2019 9:37 AM
Anyone that can attest to the accuracy (or not) of using lockdownd.log main: Starting Up events to track device powering on?
Avatar
forensicmike @Magnet 5/4/2019 9:53 AM
OK.. new working theory... one needs to consider the PID when determining whether or not a lockdownd.log "main: Starting Up" event is ACTUALLY the phone booting up or not.
Avatar
@forensicmike @Magnet I used it before and I confirmed this event with the unified log (edited)
10:12 AM
But an iPhone never sleeps... except if its battery is really at zero (the policy manager believes 0 is at 20%)
10:14 AM
That's why, if you turn off (or believe you turn off) your iPhone, when you wake it up, you lose a little % (edited)
10:19 AM
You can see in the unified log when the power button has been used
Avatar
Anybody have experience looking at the 8-pim.db (call history) database on BlackBerry 10 OS? Timestamps are stored in readable form (ASCII) and I'm trying to determine if they are in UTC or the timezone of the device.
Avatar
I need to create a timeline of the usage of a smartphone which might have been used during a car collision. I've got a physical dump and the OS is Android 4.4.2. So far I've got the standard timeline from the UFED report and the WhatsApp log but that's not enough to narrow it down to the timeframe I need. Does anybody know which log files could supply more information for my timeline?
Avatar
@Sockmoth What make? If it's an LG, then look at the MPT partition for a goldmine.
Avatar
@Sockmoth In PA, you should be able to filter the timeline view to the timeframe you need:
Avatar
In iOS 12 I have a db "mobileBluetooth.ledevices.other"; the name of the timestamp is "LastSeenTime". Anyone know how to convert this data to a human-readable date?
Avatar
@mond4y_morNin6 Maybe ask in the password cracking chatroom; some guys over there could help you with anything encryption-related.
Avatar
randomaccess 5/6/2019 2:01 PM
@rico DCode is usually a good option. Otherwise there's a Python script that has a variety of options: https://github.com/Fetchered/time_decode
Avatar
@randomaccess I will try tomorrow but I believe it isn't easy... because the date is between 2 and 41567... No way to know if it's days or seconds, or the direction of time... thanks for helping me (edited)
Avatar
randomaccess 5/6/2019 3:41 PM
Interesting. You may have to create some test data and share it around for people to look at @rico
Avatar
Is it possible to prevent UFED PA from loading a case in RAM? @Cellebrite (edited)
Avatar
@randomaccess
12:46 AM
The data of LastSeenTime doesn't change after another extraction...
Avatar
randomaccess 5/7/2019 12:46 AM
Interesting
Avatar
@rico I asked the same question a few days ago. Haven't had any luck breaking this yet. Please let me know if you do! Someone directed me to KnowledgeC, but I have not had the time to look at it.
Avatar
@BETBAMS sorry, my question is regrettably without an answer 😥 Since this is iOS 12.2, no JB, so no possibility to have more information
Avatar
Does anyone have any experience working with the microstackshots.xxxx.gz files found in a file system extraction of an iPhone? I thought I had come across an article or read something about how to open/interpret them, etc., but can't find it now. I thought they were from the diagnostic data collected on the iPhone.... Thanks!
Avatar
Alcatel 4044N: I did a search and found some talk of the EDL decryption methods to dump the data. Anybody know if @Cellebrite can decode everything now without parsing it out with other tools? Thanks!
Avatar
@DCSO It can not.
👍 1
Avatar
Update on the UFED / Griffeye export issue. Cellebrite are aware of the problem and there was a feature request in for it before we called. We've now added onto it, to allow for files with 0 bytes and duplicates to be exported regardless of settings within UFED PA. We are pushing back to get them to give us the option of what file / file path to export with UFDR files, with the option to select multiple binary copies if needed while operating in Merge mode (as this is really helpful when dealing with duplicate communications data, for instance, and indicating that there are binary copies present). Right now it's a bit of pot luck as to which file with associated file path will end up in a UFDR / Griffeye export where there are binary copies involved. Note: this affects individual extractions and multiple extractions when using the merge feature. I'm fairly certain other export types will also be affected by this but haven't had a chance to check it out yet.
Avatar
@K23 - did you ask if they are working on ProjectVIC exports?
Avatar
Afraid not, that would have been a sensible one. I'll try to get that added in as another feature request as well, but it would be helpful for more forces besides us to push on the issue
Avatar
Does anyone have knowledge regarding thumbdata4? I have several of these files, ending with _embedded. My goal is to find the timestamps of these as the original files are missing
Avatar
MrMacca (Allan Mc) 5/9/2019 7:31 AM
Got an irregularity with location data from the following file taken from an iPhone. Path: /private/var/mobile/Containers/Data/Application/A1890B39-3726-4804-AAA0-D1893153DAF8/Library/Maps/GeoHistory.mapsdata It shows the phone being in London, and then 30 minutes later it is in Birmingham. The usual travel time for this journey is 3 hours 20 minutes. So there is no way they could get there, unless they flew in a helicopter, which is unlikely.
7:33 AM
Anyone have any clues or ideas as to why this might be?
7:33 AM
Same information is displayed by UFED as well as Blacklight 2019r1.1
Avatar
Mistercatapulte 5/9/2019 8:45 AM
Hi everybody, would any of you have a "listing" of separators for hexadecimal telephony searches? I often use DEADBEEF but I would like to know if others are commonly used?
Avatar
Mistercatapulte 5/9/2019 8:59 AM
In the same vein, I'm looking for a reference list of Android and iOS DBs. Thanks 😃
Avatar
CloudCuckooLand 5/9/2019 3:28 PM
@MrMacca (Allan Mc) A total guess, but perhaps the locations can be derived from different sources (IPs, GPS). I was logging into iCloud the other day and when the 2FA popup appeared, it said the login came from London, which it certainly did not. I assume this is based on the ISP my work WiFi uses. Maybe the IP location was London and the GPS location was Brum. Total guess, get a test device!
Avatar
@MrMacca (Allan Mc) I went to the NCCC last week and someone from Cellebrite explained the localization can come from picture metadata, for example. So if you have a file with location data in London, it could show. I don't know if that's your case or if I'm clear enough 😊
Avatar
@azkurken PA doesn't unpack all compressed files, original file names etc. This also used to include zipped files. I don't think it does RAR! Need to test it. When the files are found they are listed as embedded and not as the original file name.... Locate the file and see how you can get into it. E.g. SQL viewer, 7zip....
Avatar
@4N6Matt Original file is deleted. Usually thumbnails are named using an encoded timestamp. These files however seem to be just randomly named. I've checked all of the files in a hex viewer already, to no avail.
Avatar
MrMacca (Allan Mc) 5/10/2019 1:43 AM
@CloudCuckooLand @Picka2018 thanks, I'll mention it to the guys in the lab and see what they can find out. Cheers
Avatar
Does anyone know how I can decode a Signal database of the Signal app version 4.33.5 from an Android device? (edited)
Avatar
Hey, quick question. While going through a physical extraction in Physical Analyzer I came across this user account local@special_local.com. I was wondering if this is an account that is automatically put on a phone if you do not set up a Google account, or if it comes from somewhere else. My Google-fu has failed me and I couldn't find an answer.
Avatar
I did not. Thank you
👌 1
Avatar
@ph0llux same problem on my side. Signal could not be decoded.... (Same on MSAB and Oxygen.) Btw, is there a plugin for manually decoding, like for WhatsApp?
Avatar
Anyone have a big powerful rig to try against the hash from an iTunes backup password (iOS 9)??
Avatar
@FabianoQ you can post the hash in the #password-encryption-cracking channel
Avatar
Anyone have experience rebuilding SQLite DBs unsupported by Cellebrite? Looking for some hints / tips for my own practice / better understanding. Also, does anyone have an application they can recommend to do this rebuilding with that might be fairly easy to piece together?
Avatar
@DMG You can try Cellebrite Physical Analyzer's SQLite Wizard... It allows you to query the DB and then map the result to models that will appear in the Analyzed Data tree... If you need more advanced capabilities, you can always try decoding it yourself using the Python shell
Avatar
@Orb That's what I'm currently working with, just trying to build better knowledge
Avatar
forensicmike @Magnet 5/14/2019 8:53 AM
@AlexBB Hello, if you are analyzing an Android device and looking for signal messages I would suggest doing a Signal backup on the device, transferring it to an external SD card, and running it against Signal-back https://github.com/xeals/signal-back .. this tool outputs an SMS Backup and Restore style XML dump that includes call logs, SMS and MMS messages. This will not work for iOS unfortunately. I am thinking of doing a writeup on this process as it is happening more and more.
Decrypt Signal encrypted backups outside the app.
8:56 AM
Another approach to take if you are feeling crafty is to try and use John the Ripper. One of the JTR jumbo community packs has a Signal encryption mode but I've never tried it and I'm not certain what you would need to do to decrypt the database once you solved it or how long such a thing might take. https://www.forensicfocus.com/Forums/viewtopic/p=6596645/ see post by LeGioN
Hey! I was just quickly dropping by to check if anyone has had any luck with decrypting the Signal messenger database? I have tried using the signal2john.py script.. But I am unfortunately not smart enough to know what the heck I am to do next. #Signal2
Avatar
Random question, away from my PA dongle. Anyone know if you can load in an iCloud dump like say serve a warrant to Apple get the iCloud data. Will PA parse it? Got asked and not sure off hand. (edited)
Avatar
I do not think so
6:41 PM
you have two options for that data since it's encrypted
6:41 PM
are you LE ?
6:42 PM
If you are dm me and I can provide you some assistance
Avatar
Forensic@tor 5/14/2019 6:50 PM
@Palazar82 No need to parse data given by Apple. It will come in a readable format. Just make sure your warrant is properly formatted.
Avatar
umm our last return was encrypted
6:58 PM
but maybe they changed something recently
Avatar
Interesting, I'll follow up more when I get more info.
7:01 PM
But yes I am LE, fed.
Avatar
@Palazar82 i'll be seeing our product manager for PA tomorrow, I'll get an answer for you tomorrow morning.
💯 1
Avatar
I really appreciate that, thank you. It was just a question that came up and I personally haven't served a warrant on apple to know how the product looked.
Avatar
Forensic@tor 5/14/2019 7:31 PM
@San4n6 Did they not provide the decryption code?
Avatar
@forensicmike @Magnet yeah I have decrypted the database successfully but how to import this in PA? PA won't parse it 😔 even though the file structure is built as on the device... and the names of the attachments are not in their original state, I think...
Avatar
legal process will arrive encrypted (Cleopatra) with the process to decrypt, however as of late the files are mangled (lol) and require utilities to help coax into a normal format. If you're LE several options exist; if not, I believe BlackLight in its newest versions can help with these productions
Avatar
@Palazar82 Should work using "File > Open common plug-ins > Production > Apple iCloud production":
Avatar
Deleted User 5/15/2019 5:07 AM
I've flashed an S8+ with Odin but now it is in a bootloop. I've already flashed the original back but it stays in bootloop. Does anyone know how to get it out of bootloop?
Avatar
Orb thank you that was what I was picturing in my head just wasn't positive if it was for iCloud. Thank you.
Avatar
I never knew Cellebrite did that
6:01 AM
I am going to do some testing against the other program I have.. Thanks for pointing that out peeps...
Avatar
Other than Axiom - what are people using to analyze the memory obtained from an iPhone? (speaking to the memory extractions from GrayKey) Thanks
Avatar
franksvensson 5/15/2019 10:51 PM
@Deleted User No error messages? Go into download mode but don't choose "Continue", instead select "Cancel" to reboot phone and go directly into download mode again. Now try to flash one more time.
Avatar
Deleted User 5/16/2019 6:26 AM
@franksvensson thank you. I'll try tomorrow
Avatar
chrisforensic 5/17/2019 1:58 AM
wow... have a big problem! acquired iPhone 7 (A1778) with latest PA 7.18.0.106.... FB-Messenger is installed on iPhone and chats are there, BUT just FB-contacts and calls are decoded! shows decoded by Cellebrite BUT chats not here... (edited)
1:58 AM
tried with latest UFED4PC 7.18.0.199 too, but same result (edited)
Avatar
Is this only a problem with the newest versions? Have you tried with an older version? (edited)
Avatar
chrisforensic 5/17/2019 3:20 AM
not just problem with latest version
3:21 AM
tried with oxygen, same... no chatconversations here, too (edited)
3:22 AM
made backup with elcomsoft ios toolkit... same sh... 😬 imported to PA... negative
3:22 AM
maybe a general problem with FB-Messenger... maybe since the latest update? (edited)
3:22 AM
no chats in any backup
Avatar
Hi, @Cellebrite @Grayshift : is it possible to prepare the keychain from a GK extraction somehow useful with the PA, so that you can export an account package afterwards and use it with the CA?
Avatar
Deleted User 5/17/2019 6:00 AM
@chrisforensic Do you have access to GK? You will need the database and GK should do the trick.
Avatar
chrisforensic 5/17/2019 6:01 AM
@Deleted User ... no GK. Do you know since when FB Messenger is not supported by iTunes backup?
Avatar
Deleted User 5/17/2019 6:02 AM
As far as I know the developer of an app decides whether the data is stored in a backup or not ...
Avatar
Is it a consent search ?
Avatar
chrisforensic 5/17/2019 6:05 AM
@Deleted User i know, i know 😉
Avatar
Has anyone had any luck getting data back from Wickr on Android?
Avatar
@Cellebrite is the LG L83BL supported by CAS for bypassing secure startup?
Avatar
@sholmes we're working on it. LGs are giving us a bit more of a headache than expected
Avatar
ok can you confirm the N9560 is still supported
7:30 AM
Thanks @CLB-Paul
Avatar
regular screen lock or SS
Avatar
maybe.....
7:35 AM
would have to check with our research guys to confirm
Avatar
on March 20, 2019, @jifa had stated CAS was able to do it, but I am getting conflicting answers from support. So just confirming while he reconfirms.
Avatar
Shahar is the one w/ the best answer. Keep in mind the information sometimes takes a bit of time to trickle down to support.
7:37 AM
he leads the team 😃
7:38 AM
he'll probably chime in when he gets a chance.
👍 3
Avatar
No worries. I asked the sales person to double check since the information was different than what I received previously. And I understand that things can change over night with this field
Avatar
Sales / Support / us (SE)'s and the research guys.. all have different knowledge in regards to the capabilities.
7:39 AM
but its their work so they know best.. the research team
Avatar
I am sure it is as hard to keep up with the changes at all those levels, as it is for us to keep up with all the changes. 😃
Avatar
exactly.. and that's why there's no document of supported models, the list changes probably daily
👍 3
Avatar
Now if y'all can make that document change to say it can bypass the SS on LG L83BL. 😃
Avatar
well, the team is doing the impossible, so just wait, it'll come 😃 maybe not a document but support for sure
👍 1
Avatar
Does anyone know the path or database name for Facebook Messenger? My detective retrieved the device and I don't have access to the device
Avatar
Andrew Rathbun 5/17/2019 10:38 AM
Facebook Messenger messages /data/data/com.facebook.orca/databases/threads_db2 Try that
10:39 AM
Andriller - collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. Decode chat databases, crack lockscreen pattern PIN password.
Avatar
thanks
Avatar
forensicmike @Magnet 5/17/2019 12:19 PM
@ph0llux AXIOM supports loading the keychain.plist alongside the extraction - @Magnet Forensics has a guide on how to do it on their site at https://www.magnetforensics.com/blog/loading-graykey-images-into-magnet-axiom/ ), but in my experience reviewing passwords.txt in Notepad++ will net you the same information. The vast majority of data in there isn't especially useful for traditional forensic analysis unless you are either attempting to decrypt a specific thing, such as iOS secure notes, or discovering installed apps, registered email addresses, etc. in certain extraction scenarios I won't go into great detail about in public channels 😉 . Feel free to DM with any questions.
In recent months, a tool called GrayKey has emerged, allowing law enforcement to crack a user’s passcode and bypass the Data Protection delay to get access to the entire file system of the latest iPhones. Find out how to utilize the results using AXIOM.
Avatar
Adam Cervellone 5/17/2019 1:23 PM
This is probably a simple question but, can Android phones natively record video to .MOV files?
Avatar
@sholmes @CLB-Paul you got it right. Z9560 should be supported for Secure Startup in CAS. This is one of the lesser used methods so indeed some of the info isn't perfectly reflected across all functions. I did inform them earlier today that it's ok to accept.
👍 4
Avatar
@jifa thank you very much sir.
Avatar
CLB_joshhickman1 5/18/2019 11:57 AM
Good afternoon everyone. This channel seems to be the best place to post my question. I’m currently working on a HTC Desire 530 (running Android 6.0.1) from which I got a physical extraction. There is a file in the Snapchat gallery (com.android.snapchat/files/gallery/files) with a “media.0” file extension that I am particularly interested in, but it appears to be encrypted (based on my observations in hex). Looking at the table entry for this file in the gallery.db, there are values for height, width, ‘has location’ and a timestamp which lines up with the event that triggered both the investigation and my examination. I have tried Magnet’s App Simulator to virtualize the app and the user data, and the pictures in the gallery fail to render ; Cellebrite’s Virtualizer crashes when it tries to open the gallery. Has anyone been successful decrypting these files?
11:57 AM
There was an old Ruby script that was running around that could decrypt the ‘.nomedia’ files, but that script will not work against the file I’m after.
11:58 AM
Oh, and I’ll add that the phone was password protected...my extraction involved bypassing the lock completely, and getting the code from the owner is out of the question at this time.
Avatar
Andrew Rathbun 5/18/2019 11:59 AM
I've dealt with something similar to this a couple years ago (early 2017) and it was ultimately determined files like these were My Eyes Only pictures and videos, which is a feature within Snapchat
11:59 AM
We were unable to decrypt them
Avatar
CLB_joshhickman1 5/18/2019 11:59 AM
Ah, and, if memory serves, those cannot be decrypted.
Avatar
Andrew Rathbun 5/18/2019 11:59 AM
Right
12:00 PM
I doubt Snapchat has gotten less secure since early 2017 since that would be opposite of the recent trend in the tech world
Avatar
CLB_joshhickman1 5/18/2019 12:00 PM
There was a file in the ‘snap_media_key’ folder that was the right length...16 characters...I am assuming that key is not for those files.
12:01 PM
This is a 2017 case (phone was submitted last week - go figure).
Avatar
Andrew Rathbun 5/18/2019 12:02 PM
We tried to get the suspect to give up his My Eyes Only password but he couldn't remember
Avatar
CLB_joshhickman1 5/18/2019 12:03 PM
I’m not too familiar with Snapchat beyond some testing. The password for the files with that designation is separate from the password that is used for the account?
Avatar
Andrew Rathbun 5/18/2019 12:03 PM
Correct. You can enable that feature from within and it's a separate pin
12:04 PM
Before you can view those photos/videos in your gallery you have to enter that password
12:04 PM
Those are stored as encrypted files when you receive them from Snap in a search warrant return as well
12:04 PM
They cannot decrypt them either
12:05 PM
I went back and forth with them for months about this
12:05 PM
Since it was a higher profile case
Avatar
CLB_joshhickman1 5/18/2019 12:05 PM
I’m sure that was a pleasant experience 😂
Avatar
Andrew Rathbun 5/18/2019 12:05 PM
It sucked because they only want communication from email and their answers aren't timely
12:06 PM
You can't call them
12:06 PM
Granted, everything I'm saying is from early to mid 2017 and I know things change
Avatar
CLB_joshhickman1 5/18/2019 12:06 PM
Glad to see that haven’t changed in the past 5 years (last time I dealt with them).
12:06 PM
Oh, well, in two.
12:07 PM
Thank you for the help and tip on MyEyes.
Avatar
Andrew Rathbun 5/18/2019 12:08 PM
Glad to be of service. Thanks for joining and feel free to invite anyone else!
Avatar
CLB_joshhickman1 5/18/2019 12:08 PM
Will do. Had a colleague turn me on to this. I didn’t realize it was here (else I would’ve joined a while back).
💯 2
Avatar
Andrew Rathbun 5/18/2019 12:09 PM
Better late than never
Avatar
CLB_joshhickman1 5/18/2019 12:09 PM
Absolutely.
12:10 PM
BTW, I’ve got a small blog site: https://thebinaryhick.blog. 😃
Thoughts From a Digital Forensic Practitioner
Avatar
Andrew Rathbun 5/18/2019 12:11 PM
I thought your name sounded familiar
12:12 PM
I'll add a role for you when I'm back at a computer. It's a pain on mobile
Avatar
CLB_joshhickman1 5/18/2019 12:12 PM
No worries. Thanks for having me. I look forward to contributing.
11:07 AM
Great write up @forensicmike @Magnet
👍 6
👌 1
Avatar
forensicmike @Magnet 5/19/2019 6:44 PM
Ty sir!
Avatar
Afternoon all. Am I missing something in PA regarding keyword searches? I have completed a search but how do I go about exporting what has been found? The only way I can see at the moment is by tagging each hit individually. This can't be right... can it?
5:12 AM
Running 7.17.1.1
Avatar
Andrew Rathbun 5/20/2019 5:13 AM
@Artea I don't have PA open right now and it would take about 20 minutes to get a dump open. Have you tried tagging the found items then generating a report and seeing if there's an option for just bookmarked items when choosing what is to be in the report?
Avatar
I can export it by tagging each result individually. You can't just tag a chat hit either as this exports the whole conversation and not just the message that contains the specific keyword, so you then have to go into each conversation to tag the messages containing keywords.
5:17 AM
This is extremely time consuming as you can imagine.
Avatar
Bülent Doğan 5/20/2019 5:46 AM
We have a MediaTek MT6737T chipset and Quad-core 1.5 GHz ARM Cortex-A53 mobile phone. Device has a locked bootloader and if we unlock, user data will be wiped. We dumped a physical image via UFED 4PC (MTK Decrypted bootloader profile) but UFED PA says "The userdata partition is encrypted with an unsupported encryption. Data will be missing". Device is not password protected. We dumped file system and logical images. Can we do anything to decrypt user data on this device?
Avatar
Did u try Smart ADB ?
Avatar
Bülent Doğan 5/20/2019 6:07 AM
@Jay528 not yet, but does Smart ADB make any changes on the device (userdata etc)?
Avatar
Mobile device is not your typical dead box forensics, once the phone is on and logged into, certain files are updated. So just document and try Smart ADB
6:11 AM
this is the author who teaches SANS mobile forensics course
Avatar
Bülent Doğan 5/20/2019 6:15 AM
Thanks
Avatar
forensicmike @Magnet 5/20/2019 11:02 AM
^^^ Can confirm.. An amazing course (SANS FOR585) and an amazing instructor (Heather M)
Avatar
It’s on the to do list, I can recommend FOR518 for iOS, Sarah is excellent
Avatar
forensicmike @Magnet 5/20/2019 11:08 AM
Agreed
Avatar
Is anyone familiar with the .face files generated for facial recognition by Android? Is there any documentation to explain what process generates these files, is it done when opening gallery or when a photograph containing a face is downloaded?
Avatar
seems these are simple JPGs of cropped faces from Google Photos and such apps. https://www.quora.com/Android-operating-system-What-are-face-files-in-Android-Is-it-okay-to-delete-them
It's the facial recognition based auto tagging feature in the Samsung gallery app, Facebook tagging, g+ photos etc. In most Android devices. * it was at /storage/emulated/.face All the files in there lack the extension .jpg * if you add exten...
Avatar
Thanks for the response Mati, I'm aware of the contents of the files and they can just be appended to JPGs in order to open them. I was just wondering if anyone knows what triggers their creation/subsequent deletion if the original image they were cropped from was deleted
Avatar
@Artea Just reference your tagging keyword hits - yep this is exactly the issue. They can't just be tagged as a bulk and then exported out. You have to individually go into each one and then tag them. In addition I don't think you can keyword search uploading a csv file in the report. It's caused us quite significant issues for disclosure and officers review. I've raised it with Cellebrite as a ticket (who said what I've written) but there was no timescale for when it would be improved. Maybe if others raise it as an issue that'll bump it up the developers' list a bit? 🤞 🙂
Avatar
@Artea instead of using the tagging function have you tried deselecting all in the chats using the tick function, and then ticking the keyword hits in PA after using the search function? When you go to generate the reports deselect all artefacts other than chats and it should only export the chat messages you've selected. I can't check this right now as I'm not in the lab but you may just get the same issue where it exports the whole chat instead of the selected keywords
Avatar
Andrew Rathbun 5/21/2019 5:03 AM
New research paper from @heatherDFIR and a couple others titled "Using Apple “Bug Reporting” for forensic purposes" - http://www.for585.com/sysdiagnose
Avatar
☝ doing some testing with these scripts now looking good....
Avatar
Anyone have suggestions getting some production data from Google to open in a cleanly parsed out way - the Google Takeout plug-in from CelleBrite isn't working but this isn't a "takeout" download, it's misc text docs and zip files provided by Google.
Avatar
Is it production data directly from Google? We (Cellebrite) can adapt our Takeout parser to handle production data as well if we have a sample or a template.
Avatar
Hi @MatiG yep it sure is. They pulled a "malicious compliance" and did produce data, in the form of several hundred csv and txt files regarding the target user's account.
1:05 PM
And I should add, many of them are multi nested: zip files within zip files.
Avatar
Thanks @BlueNine ! CSVs and text files do not sound like the Google Takeout I'm familiar with. We will try to get samples and support this format as well. Thanks again.
Avatar
DM sent
Avatar
Hello guys. On an Android 8.0 (Samsung G935F), where is the notification data stored? I know the manipulation (widget) with the widget / icon parameter... And especially this method does not bring much history!
Avatar
heatherDFIR 5/21/2019 4:10 PM
Does anyone know of a good app for Android or iOS that will take pics, track being plugged in, hot-mic and log it? I am not sure of commercial apps that do this, but figured I would ask.
Avatar
Deleted User 5/21/2019 11:20 PM
@MatiG: I noticed that Physical Analyzer only correctly parses takeout files which have been produced when the Google account is set to English. If the account is set to any other language the files inside the takeout zip archive are named differently and PA will not analyze them. Any chance that Cellebrite might support other languages for the takeout file in the future?
Avatar
CloudCuckooLand 5/21/2019 11:42 PM
@0x3db I did some testing on Android 6.0 .thumbnail files, it may be of use to you for your .face file questions. I found:
  • The thumbnails were created when opening that folder in the gallery, not necessarily when the image was created.
  • The thumbnails were deleted the moment the source image was deleted, or the thumbnail was deleted when the SD card containing the image was removed, regardless of the state of the gallery app.
  • Thumbnails could be generated out of order to the originals if a few were to be created at once: usually most recent to oldest (so a set would be backwards, the oldest image would have the newest thumbnail, and vice versa).
Of course it's pure speculation whether .face files have anything to do with the .thumbnail process - you have to do some testing!
😁 1
👍 2
Avatar
Hi @Deleted User , I was not aware. We can easily fix it. I'll take it with our support and product teams and will try to fix it shortly. If you have a specific case which requires an immediate response, please DM me and we'll see how we can help.
Avatar
@CloudCuckooLand very informative, thanks! I'm not sure whether it's a base Android feature or if it is a Samsung feature. I'll see if I can grab together some test devices to see if I can pin point what triggers their creation
Avatar
Deleted User 5/22/2019 12:56 AM
@MatiG: Thanks for the response. No immediate response needed, I usually just set the language of the account to English but of course it would be great if that isn't necessary. 😃
👌 2
Avatar
CloudCuckooLand 5/22/2019 1:02 AM
@0x3db No problem. Good luck, be sure to let us know what you find!
Avatar
@rico I found it... It's easy in fact... data/system/notification_log.db
Avatar
MrMacca (Allan Mc) 5/22/2019 4:00 AM
you talking to yourself @rico 😛
😂 4
😋 1
4:00 AM
I'm imagining you now patting yourself on the back saying "good boy"
Avatar
kmacdonald1565 5/22/2019 5:38 AM
@heatherDFIR to an extent Casper...but not sure if it has everything you are looking for. Not available in the Play Store and as far as I know only available for Android, but I haven't touched it in a couple years
Avatar
kmacdonald1565 5/22/2019 5:45 AM
let me know if you want more details
Avatar
heatherDFIR 5/22/2019 6:09 AM
Thanks!
Avatar
Anyone know the database for google voice in android?
Avatar
@CLB_joshhickman1 if he is around, I'd say he'd be one worth asking
Avatar
CLB_joshhickman1 5/22/2019 11:00 AM
@Ghosted what’s your question? I’d be more than happy to help if I can.
Avatar
@CLB_joshhickman1 trying to help another examiner. He has a phone and discovered calls he needs were made with Google Voice on the device. They were not parsed with PA; wondering if they are in a known database and can be carved.
Avatar
CLB_joshhickman1 5/22/2019 12:22 PM
So, the examiner thinks the owner told the device to make a phone call?
12:23 PM
Or the owner used the app to make the call?
Avatar
Yes. The owner used an app to make a call via Google Voice. I am trying to see if there is a location on the device that would show the Google Voice call log information.
12:25 PM
Thanks @Ghosted !
Avatar
CLB_joshhickman1 5/22/2019 12:50 PM
I believe GV stores its log with that of the phone. It may just show up as a regular call. Do you have a time of the call you’re looking for?
Avatar
CLB_joshhickman1 5/22/2019 12:58 PM
Yeah, I just confirmed. So, look in /data/data/com.android.android.providers.contacts.
12:59 PM
You’ll find the calllog.db there. Look in the calls table.
Avatar
Sweet! I’ll look when I get back to the office ! Thank you so much!
Avatar
CLB_joshhickman1 5/22/2019 12:59 PM
There doesn’t appear to be a way (as far as I can tell at the moment) to differentiate between GV and non-GV calls.
1:00 PM
And there was a typo...go to /data/data/com.android.providers.contacts
Avatar
CLB_joshhickman1 5/22/2019 4:21 PM
I just ran a quick test on this. My test phone is a Pixel 3 running Pie (patch level of Feb 2019). I used UFED and PA both 7.18). PA is parsing the call log, and my test GV calls are in there, but there isn’t anything indicating that it was via GV.
Avatar
curious if CDR will show voip protocol ??
Avatar
@CLB_joshhickman1 thanks for that. I just got to my office and I’m checking now. I know the informant called this device and we arrested the suspect moments after making the call, so I don’t think he had time to delete, but I’m not finding ANY call log information to reflect the call. That’s why I was wondering if it was in a database that PA wasn’t parsing. I’m looking at the extraction now and will report back what I find. Thanks again!
Avatar
@Magnet Forensics good morning, I have a GK zip file which I was able to load into AXIOM and process, but after processing I constantly have the yellow box in the details pane which states "some information about this item cannot be displayed". When I go to locate the source, the zip file which I loaded into AXIOM during the initial process is no longer present. I've also tried to unzip the GK folder and load it that way, however that did not work as it takes me to the folder structure, however it will not allow me to select the entire folder. There are times I can see the previews and times I cannot; my fear is that I am missing data. Any assistance with how to fix this will be greatly appreciated.
Avatar
Forensic@tor 5/23/2019 4:55 AM
@jenks31 Have you tried to load it in Cellebrite or XRY?
Avatar
cScottVance 5/23/2019 4:57 AM
Hey @jenks31 I’ll send you a DM and we can see what’s going on.
Avatar
@cScottVance sounds good. @Forensic@tor I have in Cellebrite I am able to pull it in there.
Avatar
CLB_joshhickman1 5/23/2019 7:11 AM
@jenks31 I know @cScottVance will get you straight, but I have seen the behavior of Axiom you describe. That error is a result of the GK zip not being where Axiom expects it to be. You can always redirect it to where the zip is and it should straighten out. As far as the extraction disappearing, I’m lost there...haven’t seen it.
7:12 AM
If you create a mobile case and don’t include the GK zip, you’ll get that error if you try to view files that Axiom did parse and categorize.
7:12 AM
Didn’t parse*
Avatar
@MrMacca (Allan Mc) Being a psychopath I wanted to share the solution
😄 1
Avatar
Deleted User 5/24/2019 12:05 AM
Hi
12:06 AM
I have a Huawei backup made with HiSuite, does anybody know a tool to parse it?
Avatar
@Deleted User depends on what version/type of backup. Oxygen has pretty good support for it. On some versions you can extract the tar files and build a virtual file system that can be parsed in PA or any other tool.
Avatar
Deleted User 5/24/2019 12:23 AM
@.karate. I have tried both but neither showed me much. I saw one script "Parser for Huawei Backup .py" but it didn't work for me. Any other way?
Avatar
@Deleted User in what form are the files / file structure??
Avatar
Deleted User 5/24/2019 2:06 AM
@.karate. I have apks with the applications and one tar file per application with the data
Avatar
Deleted User 5/24/2019 2:53 AM
@Deleted User: Decoding Huawei Backups: Extract each tar file with 7Zip. Then put all these extracted app folders in a folder called filesystem/apps. Now open with PA as File Open (Advanced) - select device - quick filter - Google Android Filesystem (Generic) and select the folder "filesystem" as source. Bonus points: If you put the "Whatsapp" folder in "filesystem/sdcard" in your folder before you open it, you'll even get Whatsapp with the correct attached multimedia files. (edited)
👍🏽 6
2:58 AM
Thanks
Avatar
Chris's reply could do with being pinned, it's a question that gets asked every now and then @Moderators
Avatar
Hello guys. The smart doorbell Ring is installed on an iPad device, anyone know if we can get anything off this App? Or is it all hosted in the cloud? As far as I know there isn't any SD card within the doorbell itself to examine. Cheers!
Avatar
Ring videos are stored in the cloud, check the gallery for downloaded videos
👆 1
Avatar
Cheers jonny
3:18 AM
So nothing cached within the app as far as you know?
3:18 AM
like any times and dates the device activated etc
Avatar
Not sure about that, haven’t come across it during examinations, I’m a user of the app
👆 1
Deleted User 5/24/2019 3:45 AM
Avatar
okay thanks dude.
Avatar
Andrew Rathbun 5/24/2019 4:55 AM
I second every word @Jonny said. Ring user as well
Avatar
@Jonny @Rossko No problem. Bring your phone in Tuesday into work and I’ll examine it to see what’s in it 😉
9:47 AM
@Jonny I’ll nip up and ring your doorbell a few times around 0300 hrs to make sure we get some data
Avatar
@CLB_joshhickman1 thanks for the tip, I’ve tried moving that zip to multiple locations with no luck.
Avatar
chrisforensic 5/27/2019 2:46 AM
@all @Cellebrite ... info related to Viber-Chats and UFED4PC... maybe helpful
  • made physical decrypting-bootloader - SM-G935F - with latest UFED4PC
  • PA could NOT parse Viber chats 🤔
  • imported "blk0_sda.bin" from UFED to XRY with "android generic-jtag" profile... and voila, XRY decoded Viber contacts-calls-chats from the UFED image 👌
(edited)
2:48 AM
... opened the UFED4PC image (same as I imported to XRY) with PA with profile "samsung generic JTAG" to check if PA decodes this way... but did not decode Viber, just the same as in original (edited)
Avatar
@chrisforensic Happy to hear we were able to get you the Viber messages you were after! 😃
💯 2
Avatar
chrisforensic 5/27/2019 3:14 AM
hi, yes this is impressive 👍 this chat was very important in a human-trafficking case we currently have !!! it's always worth giving XRY a try 👏 (edited)
👍 3
Avatar
For the @Cellebrite people here, please can anyone help me understand what is the origin of some specific "deleted date" values in a UFED report?
Avatar
@FabianoQ depends which part you are looking at
1:48 PM
Some sql tables have an entry for a delete date,
Avatar
@CLB-Paul In particular I'm interested in some deleted WhatsApp audio (PTT-xxxx.opus files)
Avatar
@FabianoQ have you drilled down into the source file
Avatar
@CLB-Paul I tried to guess where this information about deletion date comes from and my first thought was like you said "must be some table with a deleted date field", but the WhatsApp voice messages are not inside any db; their time properties are from the phone filesystem (I guess). That's why I would like to have a definitive answer from the vendor.. (edited)
Avatar
@FabianoQ shoot me a pm and I can try to get an answer for you
Avatar
@Deleted User Thanks for sharing the info regarding Huawei backups on Friday. I've been playing around with the backups from a Y6 2018 and 7-Zip does not like the tar files that HiSuite produces. Have you (or anyone else) encountered anything like this?
Avatar
chrisforensic 5/28/2019 6:58 AM
hi @OllieD ... don't make a Huawei backup with HiSuite on PC! Even if you choose not to encrypt the backup, you can't open the tars! (edited)
Avatar
Yes, I've just repeated the process with a microsd and it worked well 😃
Avatar
chrisforensic 5/28/2019 6:59 AM
use the local app on the phone, make a backup to OTG USB
6:59 AM
fine!
Avatar
Thank you
Avatar
chrisforensic 5/28/2019 7:00 AM
you´re welcome 😉
7:02 AM
if you want, you can make an encrypted backup with HiSuite and open the backup with MOBILedit Forensic Express 😉
7:04 AM
MOBILedit only accepts encrypted Huawei backups made via HiSuite...
Avatar
Ah ok, that's useful to know
Avatar
Deleted User 5/29/2019 2:31 AM
Hey guys, what software do you use for making the location history json from a google takeout download readable? I know you can do it with PA but I am wondering if there is another option which can display stuff like accuracy, tracks etc...
Avatar
re: the Huawei conversation from yesterday, would be nice to see more commercial tools implementing support for importing Huawei backups (or producing them themselves!) @Cellebrite @MSAB @Oxygen Forensics @Magnet Forensics This paper may be useful if it's not already on your radar! https://www.sciencedirect.com/science/article/pii/S1742287618304511
Digital investigators sometimes obtain key evidence by extracting user data from the smartphones of suspects. However, it is becoming more difficult t…
Avatar
Thanks Ollie! I know I have reported the Huawei backup feature before but was put on the backlog because it was encrypted, I will pass this article along to our development team to see if it can provide any interesting tidbits. Thank you!
Avatar
No problem, the paper is very comprehensive and should hopefully be an excellent basis for implementing a solution (assuming the results from the paper are still valid)
2:48 AM
The paper may already be somewhat out of date, as it references a separate encrypted db file for each app, but it seems that it now produces an encrypted tar file for each app. Better than nothing though!
Avatar
Deleted User 5/29/2019 2:58 AM
Yes Huawei recently changed the format. If you use the backup app on the phone you can choose to produce an unencrypted backup. It would really be helpful if the common tools would support that backup format directly.
💯 1
Avatar
Andrew Rathbun 5/29/2019 10:15 AM
UFED PA 7.19 was just released
cellebrite 7
cellebrite 1
Avatar
Andrew Rathbun 5/29/2019 10:26 AM
I need to find a better emoji for Cellebrite
Avatar
Just the logo?
Avatar
Hey guys - so I got an IIOC job and I reviewed the Samsung Internet Browser web history database to look for any possible IIOC keywords. No positive result; however, when filtering by com.sec.android.app.browser I could see a lot of positive IIOC keyword website entries (NOT WITHIN THE DATABASE) stored in Rootdata/com.sec.android.app.browser/appsbrowser/Default/Local Storage. What is this? Is this web history?
2:10 AM
Open any of the relevant .localstorage files in a hex editor and you should see that they're SQLite databases
2:14 AM
Each file should have a domain name, and the contents of a file will relate to browsing on that domain. Think cookies on steroids
Avatar
cheers
Avatar
Okay, so to my understanding it is basically a cookies thing, but in SQLite format and able to hold 2MB - 10MB instead of a cookie's 4KB. No problem - I get it.
2:42 AM
I'm slightly confused as to why these local storage websites are not within the web history database - is it because he saved these websites for offline viewing? Or did he access these websites via incognito mode? Or did he wipe his web history, and the local storage is evidence that he did visit these websites at one point?
Avatar
You'd need to do some testing for that particular browser to answer that, I think
2:43 AM
I haven't explored mismatches between localstorage and web history for that browser
Avatar
Andrew Rathbun 5/30/2019 4:14 AM
cellebrite
4:14 AM
yeah that works @OllieD thanks
cellebrite 9
Avatar
So I was having issues loading a Cellebrite-provided CAS iOS extraction into Axiom due to some errors with the ufd provided. Once I was able to extract the .dar file, I then zipped the files and loaded them into Axiom without any issues. Be advised @jifa advised that by doing this you will not get all the artifacts due to some of the encrypted artifacts. Again, posting this in case anyone else has issues loading the extraction into Axiom...
👍 2
Avatar
@San4n6 the .ufd file contains additional decryption keys for some of the content.
Avatar
forensicmike @Magnet 5/30/2019 8:25 AM
8:26 AM
Must learn more!
8:27 AM
Would be nice to get keychain stuff brought into PA for GK zips too
Avatar
Dr.Who-IACIS 5/30/2019 9:48 AM
Hi All, I was given a Cellebrite Advanced Logical report yesterday and asked to explain why or how a MMS preview image has a date different than when it was sent. The message that the image was sent in was deleted by the suspect but the preview remains. The message was sent sometime earlier last year but has a created and modified date of 4/15/2012. These are located in /var/mobile/Library/SMS/Parts/18/14/29886-0-preview. Starting at the 18 (which is hex), relates to the message and the numbered preview item relates back to the original or so I believe. How can I find a correct date for this item or give an explanation as to why the date is incorrect? Thanks, Duane
Avatar
Hey @Dr.Who-IACIS, I do know that is the correct file path for MMS images. I am not really sure how the dates could have been manipulated or changed like that, unless it was transferred to a new phone from a backup and it's a new created date, or maybe he accessed it, which created a new timestamp; there could be a lot of explanations. If you had access to previous backups you might be able to trace it, or possibly look at the downloads and see if you can match the photo hashes to see what type of interactions it had with the file system. I know if you're able to obtain a full file system it would probably help you more.
4:11 AM
a lot of scenarios that could change that time...
Avatar
you might be able to pull up the sms.db and look for any artifacts related to that which you probably already did.. just some suggestions
Avatar
chrisforensic 5/31/2019 6:18 AM
hello, maybe someone can help me... it's about decoding 📍 a Nokia LUMIA 650 with Windows 10 📍 on it... (edited)
6:20 AM
have acquired the data.bin with Winterals, no problem, it is not encrypted... PA just decodes media; XRY decodes just media and contacts (edited)
6:22 AM
Axiom decodes media, contacts and calls (but it looks weird) (edited)
6:23 AM
used the same data.bin on all tools, nothing really works....
6:24 AM
which tool can you recommend to decode an image of a Windows Mobile 10 device?? (edited)
6:27 AM
by the way, decoding an image of a Lumia with Win 8.1 was no problem with PA, but Win 10 is the problem 😐 (edited)
Avatar
I like the new chat bubble reporting for UFED. Does anyone know if there is any way for it not to be massive?
6:52 AM
it could fit in like 10 pages, but the bubbles are so big it's like 50-odd
👍 1
Avatar
@chrisforensic I think people decode Windows phones with X-Ways and the like
7:36 AM
since it's Windows
8:08 AM
Has anybody or @Cellebrite come across this before? I have a bunch of these Snapchat story .0 and .1 images and videos that I can see in PA 7.19, but I cannot export them into a report. The option in UFED Reader greys out the timeline view, which is the only place they're decoded, and in an HTML report the file name and path are included, but none of the content.
Avatar
@Klimosko , we'll look into it right away
💯 3
Avatar
anyone have an easy way to extract ttf files into pngs ?
Avatar
kmacdonald1565 5/31/2019 8:13 AM
@San4n6 can't IrfanView handle it?
8:13 AM
batch rename/conversion
Avatar
umm didnt even think of that
Avatar
kmacdonald1565 5/31/2019 8:13 AM
haven't tried with ttf, but have used it dozens of times for other types
Avatar
decode error, but it's stating it can
Avatar
kmacdonald1565 5/31/2019 8:16 AM
eh, sorry
Avatar
I'll figure it out, but thanks; I keep forgetting how powerful that tool is sometimes
Avatar
kmacdonald1565 5/31/2019 8:17 AM
I'm sure it can still do it, but it might need a specific plugin or something
8:17 AM
and it's crazy because that program is like 20 years old or something like that
Avatar
i just updated the plugins
Avatar
looks like for Windows it's the FontForge application and a Python script
Avatar
chrisforensic 5/31/2019 8:45 AM
@Sudo oh, I will speak with my partners from the PC forensics department @work on Monday, thanks for the hint 😉 (edited)
Avatar
is there a way in Cellebrite to select multiple files to export from the file tree pane??
9:45 AM
I tried everything I could think of. I've never needed to do multiple file exports before, but selecting them 1x1 will suck
Avatar
Is it possible in Android 7, based on a thumbnail or some sort of database file, to find out where the original file was saved? I have a phone that has only 5 photos saved in the DCIM directory, but the thumbnails show there should be many more. They claim that files were not deleted and a microSD card was never used in that phone. (edited)
12:00 PM
I only have a logical backup, including an adb backup, of that phone; unable to do a physical at this point (edited)
Avatar
@San4n6 not the best option but you can select the folder it’s in and get them like that. I know not ideal but could work if they’re in the same folder and child folders
Avatar
CloudCuckooLand 6/1/2019 7:27 AM
@Arcain I was looking into this recently. I had a similar situation - thumbnails where the originals were gone. Strangely, I couldn't replicate it. When I deleted the full size image OR removed the SD card the thumbnails were immediately deleted.
Avatar
Igor Mikhaylov 6/2/2019 12:37 AM
I am looking for sample images (physical dumps, backups) of android devices. Does anybody have them?
Avatar
@Igor Mikhaylov There were sample extractions available for Samsungs a while back. Can't remember if it was on here or another forum. Give me 10 minutes and I'll see if I can find the links (edited)
Avatar
Yeah, I was right, there was a post on another forum for that. https://aboutdfir.com/android-nougat-image-available-to-the-dfir-community/ earlier this year (edited)
Joshua Hickman has created, for the DFIR community, an image of Android 7.x (Nougat) populated with apps and test data for a wide range of usage – everything from testing tools to training to teaching. It was created using a stock Android image from Google.  Several popula...
Avatar
@Igor Mikhaylov Just checked that link. Still working. Direct path to the data types is https://aboutdfir.com/research/dfir-research/ (edited)
The DFIR Research list is a list of potential digital forensic and incident response research projects contributed by community members in hopes of these topics being researched with information disclosed publicly.  The AboutDFIR.com team hopes that this can help those new t...
Avatar
randomaccess 6/2/2019 1:57 AM
@Igor Mikhaylov there's also ones from the last few dfrws challenges if they're still online
Avatar
@chrisforensic Regarding loading the Nokia Windows 10 image in Cellebrite PA, which chain did you run on it? Even using the "Windows Phone 8" or "Windows PC Physical" chains might produce some results.
Avatar
chrisforensic 6/2/2019 5:52 AM
@Orb here are the results... just media data and some other things... BUT no contacts, calls, SMS etc., which is what I would need! (edited)
Avatar
chrisforensic 6/2/2019 6:08 AM
running the plugin "Windows PC Databases" or "Windows 8 Databases" brings no more results... (edited)
6:08 AM
Avatar
CloudCuckooLand 6/2/2019 10:32 AM
@chrisforensic We have an in-house tool for store.vol, we found that although the database layout is the same/v similar, the ese library is different between 8 and 10. Before our tool can parse the records, in almost all cases, we need to repair the ESEDB from the 'dirty shutdown' state (not certain of the term here, it's been a while!). We found that the ESEDB library in Win7/Win8 works on WP8 ESE, but does not work fully on Win10 ESE. We need to use a Win10 PC to repair the db, then the Win7/8 library works to parse the fixed DB. So, some things to try - run PA on a Win10 PC, or try mounting the image and repairing store.vol to a clean shutdown state, then parse it.
Avatar
chrisforensic 6/2/2019 11:02 AM
thanks @CloudCuckooLand for the info 👍 . In-house tool, so no chance to get this tool 😦 ... meanwhile got help from @Orb at Cellebrite (edited)
11:06 AM
@CloudCuckooLand .. how to repair store.vol to a clean shutdown state ?
Avatar
@Klimosko, did you try to mark Videos for export?
Avatar
CloudCuckooLand 6/2/2019 12:16 PM
@chrisforensic I think if you use esentutl /mh on a database it'll say something like state: clean or state: dirty. There are apparently a few other states, but I've never seen them. There's /p for repair and /r for recovery. Basically, repair will remove any half-written records. Recovery will update the database from the logs. A bit like WAL.
Avatar
@MatiG Yeah, no matter how or where I mark them, they don't export properly in the full report. We reverted back to PA 7.18 on my machine so I'm going to try with that when I'm back in the office on Tuesday.
Avatar
chrisforensic 6/3/2019 1:02 AM
@CloudCuckooLand thanks for the hint... state of the store.vol is "clean" 😃
Avatar
So apparently the specific Windows 10 version in @chrisforensic 's case was different from the one supported by PA, but SMS, contacts and calls were still able to be decoded by manually running the relevant parsers on the store.vol file in its new location. Running the following Python lines in PA's Python shell will get the artifacts: (edited)
💯 1
👌 2
4:29 AM
```python
import WindowsPhone8Content

# locate store.vol at its Windows 10 location inside the "Data" file system of the extraction
node = ds.FileSystems["Data"]["Root/Users/DefApps/AppData/Local/Comms/UnistoreDB/store.vol"]

# run the Windows Phone 8 call parser on it and add the results to the data store
calls = WindowsPhone8Content.analyze_calls(node, True, True)
ds.Add(calls)

# run the store.vol parser for contacts and SMS and add those results too
contacts_and_smses = WindowsPhone8Content.analyze_store_vol(node, True, True)
ds.Add(contacts_and_smses)
```
Avatar
chrisforensic 6/3/2019 6:08 AM
and afterwards you can run this plugin to have the contact names beside the SMS and calls 😉
6:09 AM
Avatar
Short version The Badoo Free Chat and Dating app keeps user generated chats in the following SQLite database: userdata/data/com.badoo.mo...
Avatar
@Cellebrite or anyone else!! Has anyone been able to create your own hash set (json or txt) and apply it to Cellebrite's known file list, or figured out a way to actually use this function? I've been trying with the redaction feature, where you do have the option to show redacted files or exclude them; however, once you redact the images or files they are displayed as redacted, which is good. The issue I have is I want to be able to see the files in my hash list and exclude them as well. Maybe I am missing something; it just seems like it needs some work so that the user can import their own hash set and then show or hide said files. I've been testing NIST NSRL hash sets and I think Cellebrite does not ingest those correctly. I followed the NSRL template for Android and iOS with my own hash with knowns in the data set, with no hits. I then figured out how to get it to read my hash.txt file and got 9000 hits of system file PNGs.
4:49 AM
I've also been looking through their hash set db in an attempt to figure out how to make it work, but no luck..
Avatar
Deleted User 6/4/2019 5:03 AM
I created a custom whitelist (just a textfile with MD5 entries) that I imported into PA and set it so the images are displayed in PA but omitted in the report. Works great.
Avatar
yeah, but I want the option to exclude or include the files like Cellebrite does for its knowns
5:06 AM
or any hash set
Avatar
Deleted User 6/4/2019 5:09 AM
I am not sure I understand the problem. You can choose if the files should be excluded or included...
Avatar
yes I get that but I want to be able to flag that while looking through the data
5:11 AM
As of right now
5:11 AM
you can set it to exclude or include through that setting
Avatar
Deleted User 6/4/2019 5:12 AM
The matched images have a yellow H in their thumbnails
5:12 AM
but what if I want to not see them while going through the photos
5:12 AM
or see them
5:12 AM
that is what I was curious about since (edited)
5:12 AM
Cellebrite has that option with the known or unknown
5:12 AM
files
5:12 AM
within its database
5:13 AM
where it can show all or unknown only
Avatar
Deleted User 6/4/2019 5:16 AM
If you scroll down on the left side to "Watch lists", you get a selection for only the matched files
Avatar
Yes, but when investigators have to scroll through the images looking for CP and you can eliminate known system files quickly from your whitelist, there should be a way to hide all whitelisted files or show them, in that view or for the whole data set (edited)
Avatar
Deleted User 6/4/2019 5:19 AM
Yes, when I generate a UFDR file for the investigator, the whitelisted files are not included so they will never be seen
Avatar
I get that, but what about for validation purposes etc., where I would want to see them and have the option to see or not see
Avatar
Deleted User 6/4/2019 5:20 AM
Ah. Yeah I don't think there's an easy solution for that
Avatar
I really don't feel like having to open two instances of PA to either exclude all or show all and do my thing
5:22 AM
I am in the process of hashing the filesystem of a new iPhone and then whitelisting the files, knowing that some of the data is relevant; however, for a quick image search it will have all of the known system files out and it will help speed up image viewing. Once that is over I can then show all and go into my examination etc..
5:22 AM
That is what I am trying to do
5:22 AM
so instead of viewing 50,000 images it might only be 30k
5:23 AM
We've been using Axiom more and more due to skin tone detection and their AI
Avatar
thanks for the suggestions @Deleted User
5:47 AM
I'll let you know if Cellebrite gets back to me
👍 1
Avatar
CloudCuckooLand 6/4/2019 6:31 AM
I've got an Alcatel 1066G with a Unisoc SC6531E chip (formerly Spreadtrum). I got a full flash read with Infinity Box CM2SCR (call answer is the boot key!!). I have a script to carve SMS from the dump that works but I'm surprised that the SC6531 decoding profiles don't work in either XRY or CB PA. Each tool fails to parse a filesystem. I notice that 6531 profiles in PA run a FTL decoder - has the FTL changed somehow? Are there other profiles anyone can suggest?
Avatar
@CloudCuckooLand If you could send the log to support@msab.com we'd be glad to have a look at it to see if we have any ideas! I know that we have seen cases where some SC6531 will not dump (1066g among them) but not sure of the decoding. With the log we can hopefully explain why it may be failing and see if there's anything else to try!
Avatar
CloudCuckooLand 6/4/2019 7:12 AM
@Erumaro I'll get that log to you. I understand that the loader CM2SCR uses is new. I understand Furious gold supports it too.
Avatar
@San4n6 fire me off a PM we can chat about this or give me a call tomorrow
Avatar
turbospeed440 6/5/2019 6:14 AM
Those phones run Brew OS
6:15 AM
Do you have access to Final Mobile?
Avatar
Just upgraded PA and now it won't open a PAS file on a case which was saved in a previous version. The error states Load Session Error "This session file was saved from another dump." It wasn't though. Is this typical? @Cellebrite
Avatar
I’ve had that too
9:36 AM
I’m in the middle of trying to force recreate this to give to Cellebrite to look into
Avatar
frustrating. At least this was just an advanced logical without much evidence, so it was easier to go back through and mark the evidence again than spend time on tech support to fix it
Avatar
Usually happens after big version upgrades
Avatar
copy that!
Avatar
I’ve now got into the habit of saving the pas but also making sure I create a full UFDR as well at the same time with all items checked, bookmarked, added images from camera or carved images just in case I need to reopen months or years later so I’m not stuck if the pas breaks
Avatar
Good call. thanks for sharing that
Avatar
There's another issue with pas files I've found which I'm pushing up to Cellebrite tomorrow. If you create your case on a local PC and create UFDX and PAS files, then move the entire case to a server, if you then try to open it later from a different location than where it was previously resident, the UFDX file loads all extractions OK; however, all your renaming in the project vanishes and reverts back to "Logical", "Physical" etc. Tags come back OK, however. If you move the case back to the original location where it was first saved, everything opens perfectly!
9:43 AM
If you look in UFDX file, paths are all relative paths
9:45 AM
If you look inside pas file, towards the bottom, you will see the paths are absolute! My tests show absolute path of something like C:\Users\Stephen\My Documents\My UFED Extractions etc
9:49 AM
@sholmes What you could try, if you have moved the case since creating it, is to look in those files to see the paths it is expecting. Then copy the case back to where you compiled it. Might save you from starting all over again. That's worked for me in the past 😀 Suddenly UFED thinks it is the original extraction again !!
Avatar
I will check that out, but unfortunately in this case I hadn't moved it yet.
Avatar
@sholmes I saw that in the classroom with some students a few weeks ago as well. Try closing everything on the PC. Shut down. Restart PC. Reload PA. Find UFDX file and DRAG into UFED PA (edited)
10:00 AM
I can recreate another problem where if you double click the UFDX icon to have it open PA then load the project, the PAS file doesn't load correctly either !!
Avatar
forensicmike @Magnet 6/5/2019 11:00 AM
"Failed to restore check/uncheck states" - the most deflating words ever
Avatar
Adam Cervellone 6/5/2019 11:00 AM
@Magnet Forensics is there a way to export the Timeline data from Axiom as some sort of report?
Avatar
@Adam Cervellone Not yet...
11:13 AM
Let me make sure I understand. you mean the graph image or the filtered contents below?
Avatar
@Adam Cervellone Try this... We cannot export the line graph but we can export the data like the attached gif shows...
Avatar
Adam Cervellone 6/5/2019 11:25 AM
@Jamey The data below like the GIF is fine. I would like to provide an easy to understand timeline of user communications around a certain day/time for a case I am working
Avatar
@Adam Cervellone Check the GIF that is it. Make sure you use the timeline category filter in the filter bar as I did in the gif to show you. You can also use keyword searching for the case in timeline explorer. Is that what you are looking for?
Avatar
Adam Cervellone 6/5/2019 11:30 AM
Yep! I have the CSV exported with all user communications around the date of interest. Thank you!
Avatar
You are very welcome
Avatar
william beaux 6/5/2019 12:32 PM
@Stevie_C sent PM
Avatar
RE: Pas files - fairly sure we have a similar case open with Cellebrite already relating to something similar to this @Stevie_C
Avatar
what forensic tool decodes .EPUB files?
8:58 AM
besides getting an epub converter
Avatar
Hi guys, about SS7 attacks, has anyone verified any kind of artifacts on a device that was attacked? I have a phone (Motorola, Android 8) with me that they claim was attacked. We would like to prove it
Avatar
hola everyone
1:29 AM
does anyone have an already made "guide to UFED reader" for officers or users?
1:30 AM
like how to navigate, tag, report on etc
Avatar
We did make one, but the built in help guide is pretty decent for that I think (edited)
Avatar
I'm just making one now
Avatar
I'll send you ours
Avatar
Funny,we’re just doing one now as well!!
👍 1
2:13 AM
We’re doing it in video form. So we can bring them in, sit them down with a cup of tea or coffee, they watch a quick “How to use UFED Reader” video, plonk them in a viewing room and leave them to it !!
👍 1
Avatar
That's definitely the way forward as discussed, can't beat a good video!
Avatar
@K23 @Stevie_C @Sudo I wonder if we can crowd fund David Attenborough to narrate one.
😂 2
Avatar
Yes please
Avatar
I can hear it now.....Here we have the elusive iPhone physical extraction failing to load on force PCs; the common response to this is to ring the digital forensic department and complain that the USB is broken.
😂 3
Avatar
yeah get ol' Davey on board
4:07 AM
whoa wait Majeeko, your guys can use USBs????
Avatar
It's a new development. Just getting them to use TrueCrypt correctly was a challenge.
😂 1
4:13 AM
we tried TrueCrypt
4:13 AM
didn't work well
4:13 AM
defaulted to just bitlocker from time to time
Avatar
I'm trying to get the powers that be to switch to BitLocker.
Avatar
We use veracrypt as standard across all our discs, and USBs if officers are willing to buy them out of their dept budget
4:16 AM
TrueCrypt has some potential issues. I think we did use that before my time, but quickly moved to VeraCrypt. It's a force standard now for disc material
Avatar
yeah I think as long as it's a Windows PC
4:24 AM
you can just bitlocker to go type deal on USBs and so on
4:24 AM
TrueCrypt realistically isn't going to be cracked (unless it's me, but I had a good mask haha), but yeah, VeraCrypt I would still switch to
4:24 AM
it's backwards compatible with TC in TC mode
👍 1
Avatar
Our problem is that our CPS have Macs. So BitLocker screws us a bit there
Avatar
MACS???
4:25 AM
yikes
Avatar
Some of them. We get enough complaints about UFDR and XRY files... drives me up the wall
Avatar
maybe they should rename to GPS, Graphics Prosecution Service
Avatar
so instead they often get PDFs with thousands of pages that are just a nightmare to trawl through
Avatar
yeah I mean, if they're using macs in a proper business environment...
Avatar
especially if it's a smaller case that doesn't have an analyst attached
Avatar
how can they complain lol
Avatar
It's crazy
Avatar
Just had an email from CPS asking me to explain the difference between UTC and GMT 😆
4:44 AM
4:44 AM
If only there was a LMGTFY for statements.
Avatar
gotta love CPS
4:48 AM
pinnacle of british prosecuting
👍 2
Avatar
forensicmike @Magnet 6/7/2019 6:36 AM
@K23 I'm convinced there is some sort of 'how to show expert levels of knowledge in digital forensics subjects' document somewhere out there on wikilawyer. The number of times these questions come up could not be coincidence
👍 3
Avatar
Exactly. This is basic stuff that should be able to be referred back to on another case. If it's been explained once then we should be able to reference that, instead of just explaining the same thing time and time again...
6:45 AM
Also turns out that bit of information was on our examination log which was exhibited in this case, so they had it all along.
Avatar
Forensic@tor 6/7/2019 6:48 AM
@K23 Actually, GMT is a time zone. UTC is a standard.
👍 2
Avatar
Agreed, which is what is explained in our document. But in essence, for this case, there is no difference between a time marked UTC+0 and GMT+0. (edited)
Avatar
Forensic@tor 6/7/2019 6:52 AM
True...I get that question so often that it is included in my glossary.
Avatar
Yeah, that was my point: it's included in our examination log, which has a glossary at the end, but in all honesty no officers or lawyers actually read that stuff. The number of times I've been requested to do an SFR or a statement explaining something that is already explained in a document they have is pretty unreal
Avatar
I’ve been in the witness box and asked stupid questions. I love it when I can reply “Your Honour, I refer to Page x of my report” 😃. Polite way of saying “If you actually read what I gave you, you’d have saved yourself some embarrassment “.
👍 3
Avatar
Yeah that's always fun. Especially when you have that discussion with the lawyer before hand, stating it's in the report and you will just be reading what is in there on paper and they still go for it
Avatar
@Sudo - I’ve asked Cellebrite Support the same question yesterday. I’m waiting on a response.
Andrew Rathbun 6/9/2019 10:47 AM
Avatar
I have an issue where I have conducted 2 extractions from an iPhone, Method 1 and GK. Method 1 shows a set of Google searches as being deleted while the GK extraction shows them as being live. XRY says they are deleted also. The source is the same, History.db. To me that indicates the iTunes backup decoder is misreading the db. Has anyone else seen similar?
Avatar
Found a problem with database decoding in PA, in this case it is a Tor browser database. In PA, it does not appear to contain much data apart from the default bookmarks, etc but when the database is exported to UFDR, search history and URLs appear. I have also exported the db and opened with a database browser and confirmed the presence of the data which does not appear in PA. Issue has been raised.
Avatar
. (edited)
😃 2
Avatar
forensicmike @Magnet 6/10/2019 6:52 AM
@Zhaan Perhaps it exists in the WAL as a future commit which is being interpreted incorrectly as being deleted?
6:53 AM
If WAL / journal files exist, I'd export the db without either, then open and see if the row in question exists or not.
6:54 AM
Either that or check in the hex directly of each related artifact.
Avatar
@forensicmike @Magnet I exported the db onto the Desktop and imported it back into PA, and it opened showing images, URLs and search history. The images didn't show in the UFDR report.
Avatar
forensicmike @Magnet 6/10/2019 7:25 AM
I was more replying to your first issue with logical showing live and filesystem showing deleted.
Avatar
Sorry, my mistake. I am wondering, as there isn't a column for deleted in the history.db, whether PA has decoded another column accidentally. I have noticed that the data that is incorrectly replicated between the 2 extraction types is also data with the Daily Visit column populated. The rows without that column populated don't appear to have been misread. (edited)
Avatar
CloudCuckooLand 6/10/2019 8:30 AM
@Zhaan I had an iPhone recently that had been restored from a backup where all searches were marked deleted. It wasn't relevant, so I didn't spend long looking into it, but it did seem odd. Definitely not just your phone!
Avatar
@CloudCuckooLand fancy a swap? 😂 this one is, always the way.
Avatar
lonely_cash 6/11/2019 8:37 AM
Has anyone had the pleasure of dealing with a Kyocera E4233 DuraPlus? I can see text messages on the phone itself, but I'm not finding much in the extracted data. I have Cellebrite Logical and File System methods 1 and 2 extractions. I found what might be texting data at the path "mod\polaris_imc_1\messaging" but not sure what encoding is used.
Avatar
any of you got some advice on limiting media in Cellebrite reports? Generally I
12:53 PM
a way to exclude all the trash, cached web images etc. and just dump the gallery images and more "intentional" data?
12:54 PM
a fast way I mean...other than manually selecting/deselecting.
12:55 PM
right now I just deselect all then filter by size s/m/l and select those.
12:55 PM
that cuts down something like 27k images to maybe 2k or so.
12:57 PM
when I generate the reports I also exclude the databases and apps etc. My average investigator isn't going to drill down beyond plain text sms/mms and logs anyhow.
Avatar
does anyone know the specifics of decoding applications, i.e. Messenger, and why Cellebrite or other can decode on one version and not the other?
4:16 AM
is it that the database isn't pulled? the way it's stored? encryption?
Avatar
Cap, I don't have an official answer; however, a lot of stuff changes with updates...
4:17 AM
they can rename a table, row, change something in the application etc
Avatar
I'm just curious
4:17 AM
and I kinda wanna know if it's still possible to decode it
Avatar
tbh people should be verifying all application parsed data due to this because shit is always changing
💯 2
Avatar
as in, I can do a grep for a known string or something
Avatar
you can grep within PA for sure
4:18 AM
I use it often when I have a physical
Avatar
usually with Messenger it's the orca db
Avatar
yeah a physical, this is an iPhone
4:18 AM
I would assume the database is still pulled
4:18 AM
I'm not thinking that it just, doesn't back it up, it's more just decoding it
4:19 AM
I've certainly done it before, manually found it and brought it out
Avatar
so your question is why does it change what they can parse ?
Avatar
yeah twofold really, why can't it be parsed and whatever that answer might be, is it possible to parse it by hand
Avatar
so if the answer to part one is, well it's this that and the other, encrypted, whatever
4:20 AM
then that answers part two
Avatar
you can always parse by hand and should always validate by hand
4:20 AM
if the db is not encrypted
4:20 AM
2nd
4:20 AM
it's hard for companies to keep up with the apk updates and whatnot
Avatar
if it's an iPhone backup it will be encrypted I'd imagine, though it should only be with the backup key 1234 right
4:20 AM
oh yeah I accept that
Avatar
well, if it's encrypted by Cellebrite, yes
4:21 AM
12345
Avatar
I'm more interested in if I can find it within this backup
Avatar
or 1234 i forget
Avatar
yeah 1234 for iPhone
4:21 AM
12345 for Android
Avatar
if it's not encrypted by Cellebrite, then you have to crack it or do a reset on the phone to decrypt it
Avatar
yeah ofc
Avatar
however an unencrypted backup will get less app data
Avatar
it was temp backup encryption by cellebrite
Avatar
so I do have the decryption key, as such
Avatar
so yes
Avatar
just 1234
4:22 AM
but I don't think CB is showing me the raw decrypted data, rather just the tar archive as it sits
Avatar
there is a way you can extract it / decompress the encrypted backup with libimobiledevice iirc and some other means to look at raw data
4:23 AM
I am at the airport so dont have my notes but I know there is a way
Avatar
if I can decrypt the tar then I would think I would be able to view the orca db details and at least try something
Avatar
but what you see in cellebrite should be what you will get
Avatar
well if you're not seeing the orca db it might not be there
Avatar
it's just so often that I need some kind of alternative
Avatar
slap it into Axiom
4:24 AM
if you have it
Avatar
yeah I do
Avatar
you looking for fb messenger ?
Avatar
though in experience that's always had a lot less than CB
4:24 AM
yeah
Avatar
with the orca ?
Avatar
yeah just FB Messenger
4:24 AM
everything is always, WhatsApp, Messenger
Avatar
that is a funny db sometimes its there others not and I dont have an answer
Avatar
that's all people use
Avatar
so if I don't get Messenger then I've lost half my evidence
Avatar
well not really
Avatar
sure, I photograph it
Avatar
take pictures of the phone
Avatar
but that's so time consuming
Avatar
but sometimes that shit is in the cloud
Avatar
plus, cracked screen
Avatar
and not on the device
Avatar
I have a token for Messenger, I could get it
Avatar
I do believe if you have a mac you can screen capture
4:25 AM
like using adb screenrecorder
Avatar
but everyone's having a big ordeal over cloud data
Avatar
ya different laws and rules, server is not in state
Avatar
it's more some other things about surveillance and "live" data and so on
4:26 AM
but realistically they need to get over it somehow because everything is the cloud now
4:26 AM
we can't ignore it
Avatar
superior court search warrant or subpoena
4:27 AM
and rock and roll
Avatar
time consuming again though
4:27 AM
I mean I get it
4:27 AM
I'm not saying that's not the process
4:27 AM
but I know if it were me I'd be going straight home and blowing my account away
4:28 AM
plenty of time in the time it takes to get an order
Avatar
ya it sucks
Avatar
I just think it has to modernize that's all
Avatar
remember you can also subpoena apple for icloud data
4:28 AM
o for sure
Avatar
like with the HP Stream, comes with a 1TB Google Cloud drive
Avatar
the legal systems are behind
Avatar
now, is that technically not part of the device
4:28 AM
it is the devices storage
4:28 AM
it's just not local
4:29 AM
I just think there has to be a reasonable balance between lawful seizure etc and examination time, procedures and so on
4:30 AM
Cap I task you with briefing the Supreme Court
4:30 AM
go.now()
Avatar
hey if they give me an hour of their time...
4:31 AM
gotta word it VERY carefully though, don't particularly want to open the floodgates for unwarranted surveillance
4:31 AM
😂
4:31 AM
dont do stupid shit
Avatar
though that's already happening of course
4:31 AM
yeah that's it, I just mean limit the scope to actual suspects who have been arrested etc
4:31 AM
not just any old person you fancy
Avatar
I always argue that I really dont care who is watching me and the gov has dug so deep into me I really have nothing to hide
4:32 AM
if they want to watch me @#$@ myself then fkit go for it
4:32 AM
ill wave
Avatar
I never like that argument because what if what you don't have to hide becomes something you do
4:32 AM
governments can change on a dime you know
Avatar
but that's just my hot take
Avatar
you're right
4:32 AM
its a fine line for sure
Avatar
it's unlikely of course
Avatar
and has to remain balanced
Avatar
probably more of a concern for the already somewhat marginalized
4:33 AM
since that could flip back over
4:33 AM
I just don't want to bet it all that in 10yr we're still subscribing to the same values we hold now
4:34 AM
but anyway, I'll try Axiom 😂
4:34 AM
o ya you do that
4:34 AM
then we can hack the world l8ter
Avatar
yaaasss
Avatar
micro_chips inside everyone!!!!
Avatar
I'll get my hat
Avatar
tin foil hat of course ....
Avatar
few different colors to choose from
4:35 AM
😂
4:35 AM
I actually do have a real tinfoil hat
Avatar
it's a baseball cap with foil on it
4:35 AM
I should sport that
4:36 AM
wear it to the pub
Avatar
haha I'm sure it wouldn't seem odd
Avatar
anyway plane time
Avatar
Ok long chat there... But I think i can answer generally about app decoding and why some versions are supported while others are not
5:23 AM
Usually the issue is what you guys already mentioned
5:23 AM
App updates sometimes change the way an app's data is structured
5:24 AM
for example, a database schema might be altered
5:24 AM
or a file format might have been switched
5:25 AM
In theory, app decoding code could be built to be less sensitive to such changes
5:26 AM
but that would introduce some level of "fuzziness" to the decoding logic that could hurt the forensic soundness of the produced artifacts
5:27 AM
So we always try to make the logic as tight as possible, to minimize the chance of producing a false-positive result or missing an artifact
5:27 AM
But there could also be other reasons...
5:27 AM
You guys already mentioned issues like different extraction types including different data
5:28 AM
so, for example, if an application requires a decryption key that's stored in an iPhone's keychain
5:28 AM
that will only be available in an encrypted iPhone backup
5:29 AM
so even the same app version, on a non-encrypted backup, would not be decoded
5:30 AM
But unless the data was encrypted by the app itself, you should always be able to decode stuff out yourselves with a bit of research
5:30 AM
for example, by using the SQLite Wizard, or by writing a python script
5:32 AM
And of course, as apps keep updating, so does the decoding code
5:33 AM
So it's very likely that an app version that's not being decoded now, will be decoded in the upcoming PA version
👍 4
Avatar
Looking to decode sms messages from an LG B470 flip phone. I have a full flash bin from octoplus as well as the recmmgr.bin where I believe the messages reside.
6:21 AM
Any ideas/scripts/tools/suggestions would be appreciated.
Avatar
back on the discussion from yesterday. It seems like the data from Messenger is always incomplete or encrypted anyhow. Even on physical extractions. I almost always tell my case agents to get a SW for FB messenger dumps
7:45 AM
or get me a SW for the cloud data
7:50 AM
does anyone have a python script for building orca. I'm looking at a physical now that didn't parse messages
Avatar
william beaux 6/12/2019 9:05 AM
@Sudo PM sent.
Avatar
forensicmike @Magnet 6/12/2019 9:34 AM
@Orb Greatly appreciate the thorough explanation re: app version-specific logic. I think this highlights the importance of customers, working in the digital trenches, being able to route feedback directly to the people maintaining the decoding logic.
💯 3
Avatar
Gotcha William
Avatar
@Olly1202 we have had no luck decoding the data from B470s. Cellebrite can decode contacts and extract pics and vids through logical. It can also do a file system dump but it couldn't decode that. XRY was unable to do it either. (It has been several months since i've seen one so hopefully something has changed)
Avatar
I have a physical extraction of a Samsung Galaxy S5. The app Signal is installed and there is a chat inside. I cannot parse this database using UFED, XRY or Axiom. Anyone knows how to decode the Signal database from a physical extraction?
Avatar
Mistercatapulte 6/15/2019 2:19 AM
@Dam i'm in same situation like u with s9 dump with signal db
Avatar
Even on an iPhone the database is not exported
2:22 AM
But with the samsung and a physical extraction we might find a solution
Avatar
Mistercatapulte 6/15/2019 2:34 AM
@Dam i've started to ask and make some research, it appears the database is hardware encrypted, and brute-forcing it is very hard
Avatar
@Mistercatapulte so I will search for my camera and start recording the screen 😩
Avatar
Mistercatapulte 6/15/2019 2:35 AM
@Dam u are lucky, i don't have pwd of the device, i can't do it....
Avatar
Yes for that point I am lucky enough to have the passcode
Avatar
chrisforensic 6/15/2019 4:32 AM
@Dam you can make a backup and decode, like @CLB-Paul mentioned it on 19.05.219 this way... see link http://www.forensicmike1.com/2019/05/15/obtain-logical-signal-android/ (edited)
👌 2
4:33 AM
i did this way weeks ago and that worked 😃 (edited)
Avatar
@chrisforensic I’ll try. Thanks for the link
Avatar
chrisforensic 6/15/2019 4:33 AM
because you have the passcode to get in, right ?
Avatar
Yes right
Avatar
@chrisforensic just did it. Thanks everything was working great.
👌 3
Avatar
@chrisforensic What tool did you use to parse the xml? cannot figure out how to add it to ufed
Avatar
I did it with a virtual android and using sms backup tools.
Avatar
forensicmike @Magnet 6/16/2019 5:32 AM
Heck yeah, tons of untapped info in that db!
👍 1
Avatar
Android version 6.0.1 (physical). Looking for remnants of a logged out Instagram user. Does anyone have any idea which logs might have any info besides instagram.android_prefrences and android.xml
Avatar
@azkurken if you know the instagram user account do a grep search if nothing you can then throw in some wildcards on the grep search and maybe find something...
Avatar
Does anyone find that there's no deleted data decoded for iPhone Xs with iOS 12.2? Contacts, calls, sms, mms have been decoded - all are live and no deleted data? I used UFED PA Method 1 and 2 btw
Avatar
@Pacman Method 1 and 2 are just glorified logical extractions. They don't really provide any deleted data. If you need the deleted messages and call log, you may want to try your luck at a GrayKey or CAS extraction
Avatar
randomaccess 6/18/2019 2:08 PM
@Talizi I don't know if that's really correct. If you get the database you can recover stuff that has been deleted but not vacuumed.
👍 5
Avatar
@randomaccess Very true! If an iPhone backup (method 1) contains some SQLite database, and in that database there are leftovers of old (possibly deleted) data, PA should be able to decode that data.
Avatar
Yep this is what I am seeing from my Advanced Logical/Logical combo - deleted data is being pulled from some of the dbs
Avatar
Oops, been awhile since I had those now with GK. My bad then. Is it possible the database is committed before the backup then? That could explain the missing lines in the DB.
Avatar
forensicmike @Magnet 6/19/2019 7:27 AM
@Pacman @Talizi Vacuums can be triggered automatically, a behavior seen when opening an exported database with Journal/WAL artifacts via CLI, but can also be manually triggered via the VACUUM; command. For a privacy-first company like Apple, it would make a lot of sense for them to vacuum native databases before exporting. Historically it's pretty clear they weren't. Worth investigating if this has changed. If the DBs did get vacuumed I don't think a Full Filesystem via GK/CAS after the fact will help much.
Avatar
you can look at the vacuum flag within the db to see what its set at 👆🏼
👍 1
Avatar
Offset 52 for 4 bytes.. if anything other than 00, vacuuming is enabled.
Avatar
you can also look at the schema as well if you have the correct tools
Avatar
If you still have access to the device, see if Cloud sync is enabled. I've mentioned this before, i've seen that if message sync is enabled no deleted SMS messages are being recovered. Even after that flag is turned back off, same result. no deleted SMS
Avatar
PRAGMA auto_vacuum; will do it
Avatar
Anyone familiar with the application SKOUT?
Avatar
Anything specific you need help with?
Avatar
Trying to put the images with the chat conversations as they are not being displayed. Is there any way to put them back together?
7:05 AM
Avatar
I'm trying to recall the software that was boasting about having a free cloud extraction vs a paid add on but i'm having a brain freeze, anyone know ?
Avatar
Found it, its Belkasoft . It appears to be password based though so no tokens from a dump.
Avatar
Forensic@tor 6/20/2019 8:14 AM
@DCSO I believe Cellebrite has an option as well.
Avatar
@Forensic@tor I just saw that, i haven't used that yet. Anybody ?
Avatar
Andrew Rathbun 6/20/2019 8:42 AM
I've never done a single cloud extraction through a tool. I figure might as well just serve a SW to the provider themselves. It just seems like a much cleaner process that way but I'm happy to be proven wrong
8:43 AM
And by cleaner I mean in terms of being on the stand and testifying as to how you got the data and what data was provided, etc
Avatar
@Andrew Rathbun Yeah, the awkward "What authority did you use to get this data?" question 😀 "Oh, you used YOUR country's legislation. But the data sits in another country. So YOUR country's legislation entitles you to retrieve data from another country does it?". (edited)
Avatar
i didnt think either option was free
Avatar
Google chrome issue/question. Advanced logical extraction of an Asus P01Z provided me the internet history. The history is almost all from "Chrome : synced data: SM-G950U." Guy claims it is sync'd data from his kid's phone. This has been confirmed. However, on three different days there are individual links to sites which show the source as either Chrome (found in the app_chrome/Default/History) or Chrome: synced data P01Z, and shows the data comes from the SyncData.sqlite3 database. He claims this couldn't be........... Weirdly, the actual links selected were not accessed on the synced device right before they show accessed on this device. For instance, the link accessed on this device on March 26, 2019, was last sync'd on November 15, 2018. My thought was he scanned the history and clicked a link. We know that on one of the days all the links accessed were by the officer who seized the evidence scrolling through and choosing the links.
11:18 AM
Is there any way these links were not actually accessed on this device?
11:19 AM
As the officer accessed the links, we have confirmed the history section works appropriately, but defense is saying it must be a glitch.
Avatar
@sholmes I have a former colleague who is a whizz with Google Chrome. I can send you his contact info if you need
Avatar
that would be awesome. Thanks
Avatar
his name is Jacques Boucher from the Canadian Revenue & Tax Agency -
👌 1
Avatar
You da man!
Avatar
sent
Avatar
@sholmes CHROME sync bookmarks across all devices
Avatar
@Colman thanks, but I know the information was sync'd across devices. And in this case it was web history and bookmarks. The question is: there were links (URLs) in the history which were not showing as sync'd. Is there any way Chrome jacked them up and didn't mark them as sync'd, or were they actually accessed on the device, based upon the location of the URLs that were marked in the Chrome history and not the sync'd database?
Avatar
@sholmes Just checking thru research materials.
👍 1
12:33 PM
Avatar
Thanks @Colman
12:57 PM
Avatar
How an Android device uses Google Chrome - https://developer.chrome.com/multidevice/android/overview
1:07 PM
A first-class browsing experience When the user signs into Chrome on one device, the tabs and browsing history of that session are available to the user when she signs into Chrome on another device. Note, it's the entire page content that gets synchronized between Chrome instances, not just the URL, so the user doesn't have to resubmit credentials to see a boarding pass or an article on a site that requires a login. The address bar uses prefetching to fill in URLs and performs search queries with suggestions based on browsing history and local bookmarks. To save bandwidth, this feature only runs when the user is connected to a wifi network.
👌 1
Avatar
I have extracted emails from an iphone. Is there any way to tell that the emails recovered from that device were sent by that specific phone ? Any UID / GUID within email header / databases to show they have been sent from a device and not written and sent by any other iphone / or iOS device. The emails that were sent do say sent by iphone, but i dont think that's sufficient at the moment. *This is to rule out another iPhone having access to the iCloud account / email address and sending emails which sync to this device. Anyone from @Cellebrite @RonSerber @SANS Forensics Institute or have any knowledge of this. (edited)
Avatar
Can you compare ip address from header with provider's data at moment of fact ? (edited)
Avatar
SlaskAnders 6/24/2019 12:45 AM
Hello! We have a whatsapp database from an android where a "message" sent has attached coordinates in the database msgstore.db. We can see in the phone that the "message" sent is some kind of location shared in whatsapp. We are trying to figure out if this was the location of the device or a location the user shared. Anyone been down this path recently? Haven't found anything yet in the database to indicate which one it is.
Avatar
forensicmike @Magnet 6/24/2019 6:05 PM
Hi all, is anyone familiar with decrypting iOS binaries on iOS 11.2 ish? I used undecimus unc0ver to jb my test device and established root ssh access over usb via itunnel.. from there ive tried stuff like bfinject, classdump-dyld, classdump-z, Clutch, dumpdecrypted, even crackerXI with no success for the app I'm after. If anyone's got some pro tips on doing this for iOS 11+ I'd appreciate it and feel free to DM. classdump-dyld is just saying 'done' without actually giving me any output (but works fine on some apps/frameworks). I'd also be interested in injecting the live process via cycript (which I just read this evening has to be done using bfinject nowadays) . (edited)
Avatar
@forensicmike @Magnet for injecting, use Frida! https://www.frida.re/docs/ios/ If you can’t put the device online just download the compiled iOS binary from the github release page and run it on the device.
Inject JavaScript to explore native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX
10:25 PM
Frida Scripts. Contribute to interference-security/frida-scripts development by creating an account on GitHub.
Avatar
Hello. I have a Huawei tablet which we could really do with gaining a physical out of and struggling to do so. We can see a load of thumbs in an app which won't extract and gaining times and dates would be of importance. UFED4PC says about putting It in EDL mode and everything we have tried just hasn't worked. It is a Media PadT3 10, Model: AGS-W09, Android 7.0, Build no: AGS-W09C100B278, EMUI version 5.1.3, With Snapdragon 425. Does anyone have any suggestions?
Avatar
Have you tried the huawei backup route? Not sure if it's available on the tablets, but it normally gives you a decent file system. Obviously not a physical but might give you back more than you have right now
Avatar
@K23 we managed to get an XRY generic logical but experienced issues and now could do with a Physical to gain the images from within the apps.
Avatar
@4N6Matt I'd still give the huawei backup route a try - It's been discussed on here a few times and there is a pinned post for it - you'd likely get third party apps back through this, in my experience you generally get everything besides chrome (But as it's not a physical do not expect an abundance of deleted data outside of the databases pulled back) Effectively you can create a backup using the huawei backup app on the handset to a memory card or USB, then decode this through UFED. Feel free to PM me if you want more specifics on how to do this, it might get you what you want if you're still struggling with EDL. (edited)
👌 1
💯 1
Avatar
@4N6Matt Sorry to budge in but what were the issues seen in XRY, anything I can do to help?
Avatar
chrisforensic 6/25/2019 5:44 AM
@K23 yesss.... after many, many connection-problems, problems with apk-downgrade with huawei-mobiles (on UFED and XRY) my first step if i get an huawei nowadays is to do the huawei-backup... and then just a little logical and that´s it! (edited)
👍 1
Avatar
Agreed, that tends to get the main juice of it for my cases anyway!
💯 1
Avatar
It was APK that caused some issues hence we were after a physical. We will try the backup. Thanks.
Avatar
william beaux 6/25/2019 10:06 AM
PA 7.20 is available for download.
👌 2
Avatar
@rico there is no IP present in the headers, the "question / issue" has gone away now, but would still be good to find out.
Avatar
forensicmike @Magnet 6/25/2019 12:57 PM
Thanks to @.karate. for the fantastic advice. Frida is unbelievably good.
Avatar
chrisforensic 6/26/2019 9:54 AM
OH, thanks @MSAB ... XRY V8.0 is out ! 💯 will test it @ work on saturday 😁
🙌 1
👌 1
11:51 AM
Yes it was a really great #teameffort of our threshold department! Congrats 👏👏
11:52 AM
Thanks @chrisforensic for your follow up!😉
11:53 AM
Tech department 😅
Avatar
Hello guys ! When you do a carving in free space on an android dump, what is your method and/or app ? I find some files but no date... Do you have a solution to find it ?
Avatar
@Cellebrite Hi, can you tell me why some names in the chat view (ex. whatsapp) are in red (even if there is no deleted information related to the contact or to the chat)?
Avatar
Sent you a pm
Avatar
New improvements 😁
Avatar
Morning/evening all, Has anyone managed to parse data that has been extracted using Sony's xperia backup and restore application? It appears to be similar to huawei's backup application (for which I have a python script). I can create a manual backup and I pull back a Sony BnR file that I just can't seem to parse.
Avatar
Looking for some thoughts on KaiOS phones, I've read through what I can that's been posted here which is how I made it to this problem. I have been getting a couple of the Alcatel 4044O models Cellebrite can get a physical dump easily but nothing is being decoded, not the files, file system, pictures, or any databases. Previous people posting indicate you could manually look at the databases to get some data etc but those were on the 4044C variant. I had one in storage and dumped it and it parsed out all the file system and databases etc. Any thoughts why the 4044O isn't recognizing anything?
Avatar
Went ahead and did another variant 4044W its extraction also does not decode anything useful. Both .bins have mostly 0s in the hex data whereas the 4044C is not all 0s. I know the phones should have data on them as they have been used.
Avatar
Anyone got any pointers of Huawei backups? I've got an extraction to an SD card and each application has both a 0 byte db and a tar file. 7zip won't recognise the tars as archives so I'm unable to extract them as mentioned in the pinned message. Anyone got any guidance?
Avatar
chrisforensic 6/29/2019 8:29 AM
@0x3db hello 😉 search with "concerning to huawei" and you will find my post about getting unencrypted huaweibackups to import to PA ! posted 24.01.2019... greets from 🇦🇹 (edited)
😁 2
👋 1
8:33 AM
first i would make an advanced logical to get the basic data like phonebook, calls etc..... the rest like WhatsApp, FB-Messenger etc. will come with the huaweibackup 😃
Avatar
Just a very simple question, and just to ease my mind. On feature phones/burner phones/block phones, the timestamps on call logs and SMS messages are not reliable (on both devices and extracted data) mainly because timestamp can be manipulated on device? So the best way to obtain accurate timestamp of call logs and SMS messages is to contact the service provider? Example of burner phones, Nokia 105, Samsung keystone 2, Samsung GT-E1205Y etc etc
Avatar
@Pacman I'd go as far as saying ANY PHONE the time stamp can be manipulated.
10:49 AM
I can just as easily go to my iPhone, set the date and time to yesterday, make a call or send a message, then set it back to correct date and time
Avatar
I don't think changing device date and time affects applications like WhatsApp? I might be wrong.
Avatar
For any examination I do, no matter what the device, feature or smart, I ALWAYS advise the investigating officer to get time corroboration from another source such as CSP
Avatar
SMS Messages and call logs - sure
10:50 AM
CSP?
Avatar
I did a test once with a colleague.
10:51 AM
We sent message via WhatsApp after changing the date and time. Then changed Date and time back to real time. Then looked at message. Date and time had changed !! Nearly fell off our seats !!
Avatar
So if you change date/time - all messages are changed?
Avatar
I'm going to try what I did before right now. Going to change my D&T and send WhatsApp to @Danny B
10:53 AM
Wait one .......
Avatar
Glad I had a play there. Set time back one day. Sent message still had correct Date and Time. Set back to 2018 - WhatsApp refused to play saying my phone D&T was wrong. Then put phone to Aug 2019 and sent message. Still recording as correct date. Totally different from what I saw a few years ago. All I can guess is now that when WhatsApp starts it checks the real D&T against the device D&T.
11:04 AM
Think I'll do a bit more playing 😀
Avatar
Yeah that's what I thought - I don't think that applies for call logs/SMS messages. Especially in feature phones.
Avatar
Before when myself and Chris tested this with an iPhone 5C a few years ago we were able to make the timestamps on WhatsApp jump all over the place. Even so, if it was a critical case, even with this quick 5 minute test, I'd still be advising the investigating officer to go to WhatsApp and try to get the corroboration. That way it's irrefutable.
Avatar
@chrisforensic i remember this post ! It's one of my favorites ! And thx for this shared apk. I always have it in my toolkit😁
👍 1
Avatar
@Cellebrite What do log entries with application GoogleSearchHistory and the body "Android Used com.samsung.android.contacts" mean? Does this information come from the cloud? Is it that the owner of the phone searched a contact in his phone?
Avatar
Deleted User 7/2/2019 12:26 AM
Is it possible to get powerloggins from a phone after 6 months? They have been in use
Avatar
Curious about what you guys are doing in regards to exporting images/videos from Cellebrite. In our office we use Semantics 21 and Griffeye to categorize. It seems when you export in Griffeye format from Cellebrite PA it removes all the original filenames and extensions. Anybody else have the same issue? If so what are you doing to get around this?
Avatar
@Mittens it shouldn't. In my old office we used that technique to get things over to S21.
7:06 AM
What kind of extractions are you dealing with. Logical / FS / Physical?
Avatar
Doesn't matter what kind of extraction
7:13 AM
The export does the same on all
7:13 AM
The most recent was GK/Method1/Method2 on an iPhone
7:15 AM
File names are numbers and no extensions.
Avatar
@Mittens You need to import as C4ALL XML and not just files. Find the XML file that PA created and import that. all the filenames and paths are stored within and Griffeye will pick them up.
👍 1
7:25 AM
It doesn't seem to like my image today. Cellebrite PA exports all the media as numbers, the paths are all stored within the XML file. One file to rule them all.
Avatar
Ok, I am not a semantics or griffeye user. My investigators may be importing wrong. I'll double check but I'm pretty sure they are pointing to the xml I created.
Avatar
If you import a folder and point to it all you will get is the numbers with the paths that they have been exported to.
Avatar
Yep, so it was a PIBKAC on their part. That's what they were doing. My fault for assuming they were doing it correctly LOL
Avatar
Its an easy mistake to make
Avatar
SPVQct3207 7/2/2019 8:46 AM
Hi there! I have an iPhone involved in a reckless driving with car accident with many people injured. I need to determine if the driver used the iPhone. Fortunately I have a Graykey extraction, Cellebrite and Axiom to analyse data. With the graykey extraction, Axiom and Cellebrite parse the knowledgeC.db. Do I need to export this database and run on the side the SQL APOLLO script or will it be the same result ? Other question, at the moment of the crash I have an event type "audio output route" , Value "Santa Fe" from this database. Do you think that means that GPS is working and audio output route was a voice playing about the gps ? thanks !!!
Avatar
Run it through AXIOM, look in system files or operating system or something like that and there will be tabs such as application focus, lock state. AXIOM parses the data and spits it out in a clear to view format. Ufed PA you will have to view the sq db's, which are quite complicated unless they have parsed this data in the latest release. (edited)
Avatar
@SPVQct3207 @Dfdan since 7.19 KnowledgeC is decoded in PA. If you want to do additional examination of the knowledgeC you can use the built in SQL wizard or export it.
Avatar
forensicmike @Magnet 7/2/2019 9:48 AM
@SPVQct3207 AXIOM parses some but not all KnowledgeC queries. I think you might get additional results by running Sarah's scripts. There are actually numerous categories for audio output you may want to look at. In my experience I've seen HFP (Hands Free Protocol) and A2DP (Advanced Audio Distribution Profile) being distinguished from one another within the context of being connected to a specific vehicle. I'd also recommend looking at the health DB as it may give you some great info on device motion.
Avatar
@forensicmike @Magnet would health pick up motion from vehicles..
9:58 AM
i dont think it would.. if not my counts would be through the roof 😄
Avatar
forensicmike @Magnet 7/2/2019 10:00 AM
Hmm Idk, I believe I've seen it show distance/time for movement but I could be mistaken. I guess sig locations would be good here too.
Avatar
i think knowledgeC is best place to go. curious if any of the 3rd party mapping software logs more data, like speed etc.
Avatar
forensicmike @Magnet 7/2/2019 10:02 AM
Yeah GeoTime does that for sure
Avatar
for example Waze shows your current speed
Avatar
forensicmike @Magnet 7/2/2019 10:02 AM
Oh you mean apps
Avatar
might be too big to dump all that data into a db file though. esp on long trips
Avatar
forensicmike @Magnet 7/2/2019 10:02 AM
I got ya 😄
Avatar
thanks @forensicmike @Magnet @CLB-Paul @Dfdan
Avatar
@forensicmike @Magnet do you know how much is Geotime ?
Avatar
Deleted User 7/3/2019 2:30 AM
Does anybody else have problems with merging different extractions with @Cellebrite UFED PA 7.20? I got problems with two different phones where I couldn't add a second extraction. I went back to 7.19 and now it works without problems.
Avatar
CLB-Arnon Tirosh 7/3/2019 3:16 AM
Hi Chris, can you send me your contact details (arnon.tirosh@cellebrite.com) so I can get someone from support to help?
Avatar
Forensic@tor 7/3/2019 5:29 AM
@Deleted User Same problem here
Avatar
Quicksilver 7/3/2019 5:40 AM
Hi guys does anyone knows if there is a rapid way to find who sent an image by airdrop ( the airdrop ID of the sender on the receiver’s phone ?)
5:41 AM
We could be able to have quickly both sender and receiver's phones and we will take a 4PC to go on site.
Avatar
Is there any way to see when an iPhone was activated or restored from iCloud backup using @Magnet Forensics AXIOM or @Cellebrite PA? I have a case where the suspect has numerous photos with metadata saying they were taken with an iPhone 7 Plus. The file location on his current phone (iPhone Xs Max) puts them in iCloud. Is there any way for me to determine the phones that have been connected to his iCloud account through @Magnet Forensics AXIOM or @Cellebrite PA?
Avatar
@goalguy have you looked at the photo.sqlite db file?
Avatar
Mr. Eddie Vedder from Accounting 7/3/2019 7:53 AM
Anyone done any work with the Mlite db? i'm trying to manually parse out the messages in CB but can't figure out how to handle the "Thread_key"
Avatar
Forensic@tor 7/3/2019 7:56 AM
@jifa Any knowledge as to why I can not load more than one extraction into PA? Started in 7.19. If I add an extraction to an existing extraction, it goes through the parsing routines all the way through the project finisher, however, it does not load into the dashboard.
Avatar
Hello guys ! In android 8.1 stock, where are the wifi logs, with date and hours of connection ?
Avatar
@goalguy have a look at this https://www.controlf.net/ios-photo-attribution-flowchart/ from Controlf, its from 2016 so, might have changed a little, hopefully not. (edited)
Flowchart for assisting in attributing photos which may have been synchronised via PhotoStream or shared via iCloud Photo Sharing.
Avatar
Jetten_007 7/3/2019 1:25 PM
anyone using PA 7.20.0.123 having an error with parsing text now......???? stuck here now for an hour...
Avatar
I have got a physical dump from an android device which apparently has Signal installed. Using UFED PA (7.20) i get prompted for a password to decrypt it. Does anyone know if there is a default password or is this set by the user? I know that for Wickr, the default is 1234. So I'm not sure if this is the same case. I can't manually check the device as it is damaged. Any tips and pointers would be appreciated. Thanks in advance!
Avatar
@spadart Don't know about your case but for signal I use this method for backing up data.
3:06 AM
Not sure you can read a Signal database even from a physical dump
Avatar
Just had another case after many years that using TestDisk to rebuild a partition table has worked a treat - This was on an Alcatel OneTouch Pop D1 which XRY managed a physical of, but no partitions were readable in XRY, UFED or EnCase after extracting the dump. Could only pull back "Deleted" data as it couldn't read the partitions correctly. After rebuilding the partition table with TestDisk it decodes perfectly with XRY and UFED - this has also worked well with older Nexus 7 tablets that haven't decoded properly after an ISP. If anyone wants the documentation on this drop me a DM and I'll upload the material.
👍 2
Avatar
@K23 i think it's the issue with SPD based phones in general
Avatar
Not just SPD as the nexus was a Tegra, but you're right that's a likely factor. Anyway here's the document I wrote up if it's useful for anyone
👍 1
Avatar
I haven't seen a Tegra-based device for a long time now. I do remember they did not use a GPT partition table, but Easy-JTAG was able to find a valid partition table anyway
2:58 AM
I do have an issue with spd based wiko phone, but i dumped it using UFI (over USB) only and userdata seems incomplete, not empty but a lot of stuff is missing. It's possible that UFI sparses this partition while reading in that mode. Didn't confirm it with ISP or chip-off to be sure
2:59 AM
I know another person who dumped same model using same method and got similar results
Avatar
Yeah this is much older stuff and is definitely a rarity, hence why I've only used the tool twice. And you're right, Easy-JTAG is normally pretty good with these, likely uses a similar process. The Alcatel phone in this case was dumped through XRY over USB which I assume uses something similar - I wasn't the examiner though so didn't run this process. But if you can actually view the data partition and the underlying folder structure then this method will not help you there as it sounds like the structure might be intact. If it's showing up as unrecognised then it might be worth giving it a crack through TestDisk.
Avatar
That wiko looks like this when opened. Filesystem is recognized correctly as ext4, directory names are missing but there seems to be some data inside. Phone worked fine so it has to be a bad dump, maybe there's some limit or issue with dumping spd phones over usb. (edited)
Avatar
See the fact that all the folders are showing up as deleted makes me think it's just not reading the file system* correctly and it's parsing those folder names. I'd try test disk on a copy of the dump and see what happens, you've got nothing to lose (edited)
3:28 AM
Agreed at the potential dodgyish dump as you shouldn't need to repair that data after the fact
Andrew Rathbun 7/5/2019 4:02 AM
Avatar
Joe Schmoe 7/5/2019 7:30 AM
Anyone have any write-ups on the cache.sqlite db in iOS? I found some really good location information and I need to articulate where it comes from.
Avatar
forensicmike @Magnet 7/5/2019 12:24 PM
@Joe Schmoe Elcomsoft has a blog post on the subject. https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/
“Significant Locations” are an important part of the evidence logged on iPhones. Forensic experts doing the acquisition will try accessing Significant Locations. At the same time, many iPhone users are completely unaware of the existence of this feature. What are Signific...
Avatar
Joe Schmoe 7/5/2019 1:18 PM
@forensicmike @Magnet X Thank you very much! The article mentions the cache.sqlite db, but the data does not appear to be limited to "significant" locations. I can see just about everywhere the phone has been.
Avatar
Frequent and Significant locations are the same depending on the iOS version
1:50 PM
I didn't find much other than that Apple writes this into the database
Avatar
Joe Schmoe 7/5/2019 2:43 PM
@Jay528 Must be Apple double talk to pretend they care about privacy.
Avatar
I think they're likely to gather this info so they can provide you with the cheapest massage parlor nearby
Avatar
Joe Schmoe 7/5/2019 2:49 PM
I might have to buy an iPhone. I'm tired of paying too much.
😂 1
Avatar
Haha that was a really interesting article to read thanks for sharing!
Avatar
A while back I asked a question about Huawei backups and we had a phone which had a newer version of the app v 9.03, which when launched requested access to the internet and WiFi to be activated before it would allow a backup, neither of which we wanted to do for obvious reasons. To get round this, in case anyone is interested, we decided to try using adb commands to uninstall the app and then reinstall an older version (v8) which did not ask for these permissions when launched - it could also be there is another v 9 version that works as well, not sure. The phone was backed up using this older version to a thumb drive, we then used a python script (thanks for sharing @K23 !) to get the backup into a format PA will properly decode 👍 The result - we have whatsapp, viber, FB messenger etc which we did not get from the initial UFED extraction.
👍 6
Avatar
Happy to help, glad it worked out!
Avatar
chrisforensic 7/8/2019 2:33 AM
hi @bizzlyg ... I use this backup APK (9.0.2.333)... first uninstall the newer one from the phone, install this one.... create a backup without encryption over OTG or on internal SD... the result is very nice, because all app data is in .tars! no need for further decoding etc... https://mega.nz/#!ARVR0CjJ!-ktXQpcc7MKDpDOqAEyzetSxKnm5akCCQtvQ6j5Pat0 (edited)
👍 2
Avatar
ah nice @chrisforensic I did wonder if an older v 9 might be easier and produce TAR since this v 8 one did not. Good to know for next time 👍
👍 1
Avatar
chrisforensic 7/8/2019 2:35 AM
i did not test any older v8..
Avatar
thank you very much 😉
Avatar
chrisforensic 7/8/2019 2:35 AM
gladly 😉
Andrew Rathbun 7/8/2019 4:15 AM
Avatar
Does anyone know the meaning of the column "status" containing value '13' in the messages table from a msgstore.db database from WhatsApp? (edited)
Avatar
It means the message was sent, received and seen (on the device it would show up as a blue VV)
Avatar
status 5 is only sent & received, but not seen then?
8:36 AM
(that's what I get from this paper https://arxiv.org/pdf/1507.07739)
8:36 AM
because i have both
Avatar
Yup. 5 means a grey VV.
9:52 AM
It appears the 2 blue ticks were introduced just a few months after that article was published 😃
Avatar
nice, thanks for confirming
Avatar
Forensic@tor 7/9/2019 4:06 AM
@spadart 12345 is the default
👍 1
Avatar
Hi! Is anyone familiar with OS Series 30+, or has analyzed a Nokia TA-1034? Specifically, what I'm after is whether it's possible to see time setting changes done by the user?
Avatar
That's model 105, right? I always get those with dead batteries and no way of knowing if the time settings have been correct at the time of artifact generation. I'm also interested in an answer to this.
Avatar
ChangoMunk 7/9/2019 5:37 AM
Hi all, on an apple iphone X does anyone have any idea on the purpose of a video file at the following extracted location would be? AFC service/PhotoData/Caches/Neutrino/..... The file name ends with stab.mov
Avatar
Yes, model 105 @entt_swe
Avatar
Word of warning RE Huawei backups: if importing with a UFED logical extraction and producing a UFED Reader / other report and you have merging enabled, UFED may only choose to export binary copies relating to the Huawei backup extraction, which may not have the correct time / date information available. This data is however available from the UFED logical copy of the image. When producing reports from merged extractions like this it's always worth making sure the "Merge (Group Similar Items)" is unticked as the different copies of the same file may have different metadata. This is related to an issue I reported a few months ago with exporting to Griffeye, in that with merge enabled you as a user cannot choose which file, when binary copies are present, is exported to Griffeye. UFED just chooses this for you. This also has an effect if you have not merged anything, but binary copies of an image are present in the extraction; you might easily miss a file path relating to a live file if a cached image is chosen instead. Same applies with UFDR, PDF, Excel etc. As long as you check and have the "Merge" feature unticked when creating your reports you shouldn't run into a problem. Of course this does however give you the headache of dealing with other duplicated data such as SMS, chat, web history as this setting is global for all of UFED, not just media files. (edited)
👍 7
Avatar
@Rom I have started a Sony F3111 phone this morning and also tried the Sony Backup method. From what I have seen and read, the backup uses the OS on that phone to create the backup files so unless you restore to that phone you may struggle to get anything out. That being said, I have seen Python scripts on the web professing to being able to deal with exactly that type of file. I will investigate and let you know. (edited)
Avatar
does the device_policies.xml stop showing the active password information (length, letters, numbers) after a certain Android OS version?
11:37 AM
anybody know?
Avatar
@AA yes. If my memory serves me right it changed in Android 7. Or maybe some late patch on 6.
Avatar
Makes sense why I would stop seeing that data on newer phones. Thank you!
Avatar
@.karate. I've seen phones that shipped with Android 7 that made use of it. I don't think every manufacturer got on board straight away
👍 1
Avatar
Anyone done any work on the Android Twitter folders? I have some IIOC in the Media\0\Android\Data\com.twitter.android\cache\image_cache and videos folders. The limited research I did using my own Twitter profile and a dummy one couldn't find any pattern to the folders. They appear to contain a mixture of images from timeline entries, user avatars and backgrounds, sent and received media. The handset shows no chats of use so I assume they have been deleted. The MO of the suspect is to befriend young men and promise them money and gift vouchers for images and videos; we have this on other platforms but I would like to determine if an image was sent to the suspect so I can look to ID the victims.
Avatar
I just did an iPhone (A1688) with iOS 12.1.4 with UFED4PC and Physical Analyzer (both latest versions) and in the analysis both FB Messenger and Instagram are missing. Anyone experienced this problem? (edited)
Avatar
@FabianoQ yes, the chat from Instagram is not parsed by UFED. I already sent a message to support. (edited)
5:11 AM
You can do it manually or with Axiom; I think XRY also parses it (edited)
5:13 AM
Regarding FB messenger, not sure if you need to do a cloud or if the database is in the backup...
Avatar
@Dam Thank you. I would like a solution to give investigators only one report ( ufdr ) so i think i'll contact support too.
Avatar
yes better in one report for investigators
Avatar
@FabianoQ Hi , Please check your DM Ido
Avatar
Hi! Do you guys know some valid open-source/free iOS tool that does not require a jailbroken device? I have an iPhone and I'd like to start learning some DF techniques for iOS without breaking my phone or buying expensive tools. I don't care if the free tool is not complete, I'd just like to know how they work (if open-source) and start doing some research on iOS devices. (edited)
Avatar
Try santoku
👌 1
2:49 AM
it's a Linux distro specialized in phones
2:50 AM
But I don't know if there is something special for iOS
2:50 AM
I think you can parse the backup and make a backup from iTunes
Avatar
@Magnet Forensics produces Magnet Acquire which is free
👍 2
Avatar
Anyone else experiencing PA hanging when merging Method 1/Method 2 and GK extractions? It gets to Remove DS on the trace window and then sits there for over an hour (I haven't left it any longer as I'm a busy guy!) v7.20. I have added the same data with 'Merge (group similar items)' unticked and all 3 extractions loaded in 14 minutes. I am going to try and be more patient this time and pass the previous personal best of over an hour and leave it alone... (edited)
Avatar
Any (good) Android battery status logs similar to root/log/batterystats? Looking for battery level at a specific time!
Avatar
@OllieD I tried to download the trial version but requires the registration and a background check. They disposed my request because I'm not a professional....
Avatar
Fair enough. Echoing @Dam then, you could just produce an extraction with iTunes (or something like this https://github.com/libimobiledevice/libimobiledevice if you want to stay away from normal end user software)
A cross-platform protocol library to communicate with iOS devices - libimobiledevice/libimobiledevice
Avatar
ok! thank you guys for the hints and the time! 😃
Avatar
Do you know if the database of telegram is exported in an advance logical from iOS 12 ?
Avatar
Igor Mikhaylov 7/15/2019 8:37 AM
libimobiledevice contains a lot of bugs 😭
Avatar
Mistercatapulte 7/15/2019 11:14 AM
@Dam no, jailbreak only
11:14 AM
What is ios version?
11:15 AM
New jb is out
Avatar
@Mistercatapulte 12.3.1. So it will be readable with a file system from Greykey or ufed premium ? Not encrypted like signal
Avatar
Mistercatapulte 7/15/2019 11:18 AM
From GrayKey I suppose no. Last information from Premium was 12.3, I don't know if 12.3.1 is supported. And about JB, only 12.3
Avatar
But I have the password
11:19 AM
Greykey doesn’t work on last os for file system even with the known passcode ?
Avatar
Mistercatapulte 7/15/2019 11:29 AM
I don't know if it's capable of doing a full FS
Avatar
Thanks for the help
Avatar
natalied4784 7/15/2019 4:22 PM
I am looking at a cellebrite extraction and found: http_backpage_escort.net_0.localstorgae Does anyone know what this artifact means? Did they navigate to backpage or is it like a cookie? (edited)
Avatar
@natalied4784 In what OS? In which path?
Avatar
@natalied4784 Seems like a Chrome cookie (SQLite database)
5:36 PM
Info from the Hindsight tool manual. Try to open the file or view it as an SQLite database to see if it contains the relevant information.
Avatar
Mistercatapulte 7/16/2019 12:22 AM
PA 7.21 is out guys
👍 6
cellebrite 1
Avatar
Can't see any release notes yet
Avatar
natalied4784 7/16/2019 7:32 AM
@Kramnias thank you. That makes a lot of sense.
Avatar
@Cellebrite Any release notes for PA 7.21?
Avatar
@Jameson its coming
Avatar
Thoughts: have an iPhone and per the acquired data there are two IMEIs. When I reviewed the data which pointed to a plist it showed the second IMEI, not etched into the SIM tray, as part of a different SIM. I can only assume the SIM swap that occurred logged the other IMEI from the device the SIM was purchased with.
Avatar
@CLB-Paul Thanks
Avatar
IMEI number saved to SIM? That's the first I've heard about it. My first suspicion would be remains from an iCloud sync from another device.
Avatar
@Mistercatapulte Apple are still signing 12.3 releases currently. So you could downgrade and then use the jailbreak (edited)
Avatar
Mistercatapulte 7/17/2019 1:30 AM
@OllieD yes
Avatar
@J Harder have you checked to see if the phone has a virtual eSIM? I've not looked into the forensics of this, but effectively the iPhone can be dual SIM. (edited)
Avatar
Older phone so no eSIM but did not think of the Cloud backup which I should be able to determine maybe by digging deeper
Avatar
@Cellebrite Does PA support Samsung S Health decoding ? I am waiting for my extraction to load
Avatar
@Jay528 not in front of a computer, but in PA there is a supported apps list under Help / Supported apps.
Avatar
just checked
Avatar
But if not supported consider Virtual Analyzer
Avatar
nice update to supported app
8:27 AM
but i didnt see it there
8:27 AM
ah, nice...
8:27 AM
never thought of it
8:27 AM
you're good sir !!
Avatar
😃 just guiding you to the right path.
8:28 AM
Can’t keep up with all the apps, but we provide you tools that help get to the data you need. Fuzzy models, SQL builder. VA
Avatar
@entt_swe We used to see IMEI's saved to SIM Card all the time with O2 SIM Cards when the 2G partition was examined. Provision for 6 of them to be stored. Most recent at the top, if more than 7 IMEI's, oldest one dropped off. Don't see it as much now
Avatar
Ok guys, I'm officially confused and hope someone (maybe from @Cellebrite) can help to shed some light. I have an iPhone 6s (A1688) with iOS 12.1.4 that I extracted as usual with UFED4PC. Then I analyzed it with P.A. and the "Chat" section is totally missing. The phone has WhatsApp installed (but never used, it seems) and has FB Messenger v217.0 and Instagram v93.0, both with plenty of messages. I opened a support request to Cellebrite and it was quickly closed saying that this is expected behaviour and that FB Messenger and Instagram chats are not extracted from iPhones. So I checked some of the last reports I've done on iPhones and I've found lots with FB Messenger chats extracted. I've just checked in P.A. (Help->Supported apps->iOS) and my confusion only grew. I see that, for example, Instagram versions 93.0, 96.0 and 99.0 are all supported for decoding, but 93.0 is extracted with "Method 1 Extraction", 96.0 only with a "Full FileSystem Extraction" and 99.0 again with "Method 1 Extraction", and that many version numbers are not listed. Talking about FB Messenger I see a similar situation: some version numbers totally missing, some can be extracted with the generally available "Method 1 Extraction", some others require a "Full FileSystem Extraction". The first question that comes to my mind is this: is it possible to upgrade/downgrade an app version on iOS without letting the phone connect to the internet?
Avatar
@FabianoQ if it’s an advanced logical those two do not come out in that form of extraction
2:43 PM
as far as I know you can’t downgrade the app.
2:44 PM
Full file system would pull it out
Avatar
@CLB-Paul And is it possible to upgrade an app without internet connection?
Avatar
I’ve side loaded apps when I was messing with my own phone but it would still need a connection to the internet to pull the data
2:45 PM
Have you considered going down the cloud route ?
2:45 PM
The other option is screen recording either with external camera or through a Mac w quick time
Avatar
What leaves me puzzled is that i have reports from iphones with even newer ios versions and they include FB messenger
2:47 PM
all made with the same method, the normal advanced logical extraction
Avatar
Can you shoot me an email about the details I can take a look into it
Avatar
sure
Avatar
I’m in court the better part of the week so it’ll be the weekend before I can sit down and look at it.
Avatar
Will you PM your email address?
Avatar
@J Harder Are you by any chance confusing IMEI with IMSI? 🙂
Avatar
Deleted User 7/18/2019 12:53 AM
@FabianoQ I noticed that too. Most of the time, FB and Instagram are not extracted from an iPhone but sometimes they do show up in PA. I always use Advanced Logical Extraction with UFED.
Avatar
@Kr Nope
Avatar
I think instagram are extracted but just not parsed with UFED, because it's parsed with xry or axiom...
Avatar
Hi @FabianoQ , regarding your post on FB messenger and Instagram: 1. I'll look into it and post a reply about our specific support. 2. FFS/M1E issue seems like a mistake, again - will look into it. 3. In general, we only mention in our support report application versions that we directly tested. It doesn't mean that there could be support for other versions. We have a giant matrix of apps, versions and OS and we run through it for every release. We add versions to it all the time but sometimes we miss a version update.
Avatar
has anyone had any luck with discord artifacts from iOS device AFU dump ? The iOS version 11.4.1 and discord app was up to date current release. I looked in all the known artifact locations but nothing. Thanks...
Avatar
Is there any local databases ?
Avatar
@San4n6 I think I looked at it once and saw users (contacts?) listed somewhere, but not sure about actual chat data...
6:11 AM
no local db
6:11 AM
checked autofill
6:11 AM
regex and grep searches for known strings but nothing
6:12 AM
I am not sure if anyone had a chance to RE an updated Discord app to see local device storage (edited)
Avatar
heatherDFIR 7/18/2019 6:32 AM
@J Harder For my test iPhones that used to be my real device or that I used my Verizon SIM to activate, my phone number is reported as being used even though it wasn't necessarily.
Avatar
forensicmike @Magnet 7/18/2019 6:44 AM
@San4n6 It's on my list! I do have the decrypted app binaries for <key>CFBundleShortVersionString</key> <string>3.0.4</string> if anyone wants to skip the decryption hurdle and have a gander just DM me (edited)
Avatar
I am not even seeing the data on the local device
6:45 AM
encrypted or not
Avatar
forensicmike @Magnet 7/18/2019 6:45 AM
Based on the behavior of the app -- ie long load times, inability to show data if no internet connection, I think its quite possible that it only keeps data in memory. So you'd probably get some stuff with a Process Memory Extraction on GK.
Avatar
I think my counter part did some string and grep searches against it
6:46 AM
i will ask and check it out as well
6:49 AM
thanks and ill let you know if I find anything
Avatar
@Cellebrite @MSAB Any KaiOS decoding support coming soon?
Avatar
@AA KaiOS is very rare. Even in India, where it's most popular, it's at about 4%. Do you see a real need of KaiOS extraction/decoding support in your work?
Avatar
It’s certainly getting more and more popular and certainly something that is on our radar. I know we can dump a couple and I believe we are currently looking into it. No ETA right now I’m afraid
Avatar
@MatiG I am starting to see more and more, I think it is a cheap prepaid phone right now. Small and easily concealable, which is good for my subjects.
9:20 AM
@MatiG Speaking of the Alcatel 4044 variants
9:21 AM
@Erumaro thanks for the info
Avatar
@AA that is good to know. I will see if we can push this model at Cellebrite
Avatar
@MatiG Thank you. I think most of all the variants are running a Qualcomm 8909 so getting physicals is possible, it's just the decoding of the stuff which isn't happening currently. (edited)
👌 1
Avatar
@AA check out Final Mobile
Avatar
Hey guys, anyone have experience with Samsung Bada? I want to read a file named phonedb_loglife2595. Dadb viewer, DB Browser and Notepad don't read it. This phone is a Samsung Wave 723.
Avatar
Forensic@tor 7/18/2019 9:53 AM
@AA @MatiG. I am seeing an uptick of these phones as well. Getting the data is not the issue as KaiOS is founded on an Android backbone. It is the parsing of the data that is lacking.
👍 1
Avatar
@Jay528 Thanks, i had seen it mentioned before. I don't have it currently and not in budget at the moment. Which is why I was hoping Cellebrite or MSAB might be coming down the pipe soon.
Avatar
Regarding KaiOS, just in case someone hasn't seen this write up yet. I stumbled on it when I had a 4044 and it was very helpful. http://forensiczone.blogspot.com/2019/01/kai-os-forensics-for-money-and-profit.html?m=1
The last month I have been forensically analyzing the KAI OS 2.5, formally FireFox OS.  We are seeing a bunch of these feature phones in our...
👍 1
Avatar
Deleted User 7/19/2019 1:58 AM
I just noticed that @Cellebrite PA 7.21 is no longer available for download. Should I stop using it and go back to 7.20?
Avatar
Hey Chris, a bug was found it is being fixed , it should be back up shortly
Avatar
Deleted User 7/19/2019 1:59 AM
ok thanks
Avatar
Deleted User 7/19/2019 2:54 AM
Can anyone tell me if there is a specific Facebook app db in which data tracking the app usage is stored? I am looking for whether the app was used during a specific time
Avatar
CLB-Arnon Tirosh 7/19/2019 2:54 AM
6 90 9
Avatar
Which platform @Deleted User
Avatar
Deleted User 7/19/2019 2:55 AM
Sorry, Android device
Avatar
I don't know exactly within FB, but take a look at the usagestats log
2:56 AM
They’re pretty in-depth depending how far back you need to go
Avatar
Deleted User 7/19/2019 2:56 AM
Thank you for the advice, I will let you know
Avatar
They are split over daily weekly monthly but the further back it goes it gets difficult
2:57 AM
If it’s within a few days it’s very granular
2:58 AM
It will show what apps are launched , settings changed etc
Avatar
Deleted User 7/19/2019 2:58 AM
Where are the file located at?
Avatar
I don't have the exact file path off the top of my head but the folder is usagestats with child folders of daily / weekly / monthly
2:59 AM
Within, you'll have the log files
Avatar
Deleted User 7/19/2019 6:07 AM
Thank you @CLB-Paul, I have found this very helpful Python script to decode the usagestats folder: https://abrignoni.blogspot.com/2019/02/android-usagestats-xml-parser.html?m=1
As I've been testing and using  Sarah Edwards' excellent APOLLO pattern of life framework for iOS I reminded myself of the great work done...
Avatar
Sarah’s work is excellent 👍
Avatar
I have an extraction from an iPad. I found some relevant images in caches/webkit/version 12/blobs. Is there any way of telling what app was used or what website these came from?
Avatar
Making good progress. Thank you for the help @forensicmike
Avatar
CLB-Arnon Tirosh 7/19/2019 7:23 AM
PA 7.21 was pulled back due to a problem found in the release, hopefully will be corrected and available early next week
Avatar
Can you tell us what the issue is ?
7:24 AM
Wondering if it affects my current reports
Avatar
Will you be emailing all your customers about this issue so those who are not on this forum know there is an issue with UFED PA 7.21?
Avatar
Mr. Eddie Vedder from Accounting 7/19/2019 9:17 AM
@Jay528 Apparently reader reports do not display on machines that do not have PA installed
9:18 AM
the UFDR itself is fine just an issue with Reader
Avatar
THANKS
9:23 AM
sorry, caps
Avatar
I saw a post that indicated only for Win 7 machines
9:46 AM
disregard, it isn't working for me
9:46 AM
on win 10 machine
Avatar
@Deleted User i need to test but its interesting
11:52 AM
Thanks for the tips
Avatar
Deleted User 7/19/2019 12:42 PM
@rico welcome, let me know, it worked good for me
Avatar
Just curious if anyone knows why it takes so long to copy Cellebrite reports.
Avatar
Andrew Rathbun 7/19/2019 1:40 PM
Probably because there are 10's of thousands of files
1:42 PM
all those really small files requiring the transfer process to start and stop over and over again thousands of times, it takes longer than you'd think. Especially compared to just dragging over a single 16GB file, for example
Avatar
It just seems abnormally slow. Of course I could be punchy from watching the progress bar slowly tick. Transfer to a USB 3 drive should be faster than a few hundred kb/s.
Avatar
Andrew Rathbun 7/19/2019 1:46 PM
There are many factors that impact copy speed. The file system (NTFS, FAT32, HFS+, ext2/ext3/ext4, XFS, JFS, ReiserFS and btrfs) can hinder or speed up the process. Older file systems are single threaded meaning one copy operation at a time instea...
Avatar
Interesting. It's painful sometimes, especially when multiple copies are needed.
Avatar
forensicmike @Magnet 7/20/2019 5:21 AM
@Andrew Rathbun @Joe Schmoe Another point on that one: if your target volume has a filesystem with a large allocation unit size, every tiny file is going to take up at least that much room on disk.
Avatar
@Joe Schmoe Do you mean .ufdr reports? Because in that case there should be only one file...
Avatar
@Orb It was a PDF. That's an interesting point though. I'll have to compare the speed of both. I prefer UFED reports but most of the computers other detectives use here have a hard time opening them.
Avatar
Mistercatapulte 7/22/2019 7:52 AM
Hi guys, I've done a full FS of an iPhone 6. The guy has erased the WhatsApp app, and of course I don't have access to the db... Where can I find the date of erasing of this one?
Avatar
knowledgeC maybe?
7:53 AM
Having access to precise and granular user and application usage can be extremely useful in a forensic investigation, some of which are listed here. I find that pattern-of-life data is some of the most useful information on a device - it really does tell the story about a use...
Avatar
Mistercatapulte 7/22/2019 7:59 AM
i only find "in focus" and install information in this db
Avatar
I have a consent Samsung GSM SM-N960U Galaxy Note 9. We’re trying to recover deleted WhatsApp messages. We were able to get a File System and Logical with UFED but we don’t have a physical as we don’t have CAS. Before their arrest, the defendant deleted the WhatsApp App from the device. I was wondering there is a way to decode the following dbs which appear to be backups? I have never manually decoded WhatsApp messages but am willing to try whatever it takes to get these. See below: The defendant is very cooperative as they need us to recover these messages. Reinstalling WhatsApp is on the table but I hope to be able to do this without further interaction with the defendant. So far, I’ve only used PA but am about to run the extraction through Axiom. Are there any other tools out there that you guys recommend for this? Thanks in advance. Any advice would be greatly appreciated.
Avatar
^^ Please share the steps if possible ^^
Avatar
@Slats The problem with those backup databases is that they are encrypted (see the ending crypt12). The key for decrypting the databases should be in the whatsapp-sandbox. To get it, you would need a physical extraction. With Whatsapp uninstalled however, I think it very likely that the key is gone for good.
8:22 AM
@Slats What I would try is to see if there is a WhatsApp database in the cloud. If legally possible for you, maybe ask the defendant for cloud credentials and try to perform a cloud extraction. Or install WhatsApp on an empty phone with his SIM card inserted, connect to his Google account and see if it downloads a backup to the new phone
Avatar
That's what I was afraid of. I was wondering if the same user reinstalling the app would be able to use the same key as before.
Avatar
@Slats I don't know for sure, but I would rather be surprised if that were the case.
Avatar
@Zoidberg I would be surprised as well if reinstalling the app works. I don’t think getting the defendant to consent to us pulling his cloud backups will be a problem. Thanks for the quick response!
Avatar
Deleted User 7/22/2019 8:48 AM
@Slats if you have access to the SIM card which was used to set up the WhatsApp account you could use it to install WhatsApp on one of your test devices. The key for this WhatsApp instance can be used to decode your backups.
8:49 AM
You just need to use the same phone number
Avatar
@Deleted User Thanks. I'll try that next.
Avatar
Mistercatapulte 7/22/2019 11:01 AM
In my last post     I asked the following regarding the values within applicationState.db: Are the key_tab table values the same for all i...
👌 1
Avatar
Anyone have the location of the test points to trigger EDL on a Kyocera Hydro? (C6742) Has the MSM8909 processor
Avatar
@Ghosted My notes indicate EDL cable works for that phone. Have you tried that way yet?
Avatar
@Mistercatapulte awesome 😄
Avatar
Howdy all, I have a WhatsApp query. We have quite a serious case on and we are trying to make sense of some sent videos. So we have videos of the crime sent to someone via WhatsApp; we have the chat thread (recovered from deleted) where the videos were received, they were named VID-20190201-WA03, VID-20190201-WA04, VID-20190202-WA00. So the received videos crossed the midnight timeframe and got assigned the new date. These videos are no longer present but we have a 0b entry for them in Data\WhatsApp\Media\WhatsAppVideos. Now, we DO have the videos in the \WhatsApp\Media\WhatsAppVideos\Sent folder with the naming convention VID-20190202-WA01, VID-20190202-WA02, VID-20190202-WA03 but we have no chat thread that indicates that they have been sent. So I guess my question is what causes a vid to be in the Sent folder? I did some tests on my personal phone and forwarding a vid didn't move it to the Sent folder. Handset is a Samsung S9 with a full physical via CAS running Android 9
Avatar
Did you test saving the video to the user directories and resending it?
Avatar
I think we have just figured it out. The only way that it seems to make sense is that I got sent a video, deleted the thread but DID NOT tick the delete media box, used the add attachment function to forward the vid to someone else, and it then gets the new name. IF you then delete the original vid from the gallery it's still in the Sent folder as it would appear that this is not indexed by the gallery. Still don't have the thread that they were sent to though but it's a start.
Avatar
McMasterFunk 7/23/2019 8:55 AM
Anyone have a good password list in the right format for Cellebrite to try and decode an iTunes backup? (edited)
Avatar
if you have GK, you can find the password in the keychains
11:06 AM
do u have the pin code to get into the device
11:06 AM
heard resetting the settings will get you an unencrypted iTunes backup
👍 2
Avatar
@Jay528 On iOS 11 and above, yes. There are a few artefacts that get lost in the process, but gets you to the stage of being able to get an encrypted backup with a pin code that you now control (edited)
Avatar
Hello guys - I've got a media hiding app on iOS called Best Secret Folder. All media has been extracted however I cannot access this application on the device; it is locked with a pattern. I've managed to find the location of the passcode/pattern code and obviously this needs to be converted - does anyone have a conversion tool?
☕ 1
😉 2
3:41 AM
Above is found within ImageSafeDB.sqlite extracted from the app
Avatar
According to the pattern in the example you provided, I'm guessing (based on experience with other pattern locks) that each byte in this hex string (if we choose to interpret it this way) represents a point in the pattern board, which is usually ordered trivially
3:44 AM
for example:
3:44 AM
3:45 AM
If this doesn't work, you should also try reversing and/or mirroring the numbers
Avatar
The string does not appear to be in hex format.
Avatar
The 8 5 2 (vertical line) and 1 2 3 (horizontal line) definitely make it sound like the pattern needed
Avatar
So the pattern in your example would be (using the method mentioned above):
3:48 AM
3:49 AM
@Pacman the string 0805020102... can be interpreted in hex as specifying the byte values 8, 5, 2, 1, 2...
💯 2
Avatar
This worked
3:50 AM
0 is equivalent to an arrow.
Avatar
Another way to look at it in this case is just ignoring the 0's and looking at the digits that are left
👍 2
Avatar
8>5>2>1>2>3>2>6>9>8
Avatar
It's just padding from storing each number as a byte
3:53 AM
@Pacman Is this app not the Best Secret Folder then? 😋
Avatar
Not exactly the best! 😅
Avatar
Andrew Rathbun 7/24/2019 4:36 AM
@McMasterFunk I've used Reset All Settings a couple times before and it's been very fruitful. Scary to enable that setting on an evidence phone but just read up on it before you push the button and document your actions
4:37 AM
Great teamwork on that one @Orb @Pacman @Kr
😇 2
🍆 2
Avatar
Forensic@tor 7/24/2019 9:32 AM
Good video on using Cellebrite to decode Apple production files. I would add that you can also select device option and choose Apple iCloud as the device. https://youtu.be/npwLYvS21h0 (edited)
💯 1
Avatar
Mistercatapulte 7/24/2019 11:23 AM
@Luci with help of @deepdive4n6 i can say, Just have to look the file mobile_installation.log .0 in \private\var\installd\Library\Logs\MobileInstallation.
Avatar
So due to some Discord discrepancies with iOS devices I did some testing. This is what I found: if you obtain a device, place it into airplane mode (which is the most forensically sound manner) and do not load Discord and refresh the chat, you will not be able to obtain the conversations during the extraction. The FScache/ location will only provide you with the data in JSON format if refreshed and the data is stored on the device. I am still testing this as I had a device with Discord and an extraction was conducted with the phone in the off state and password provided. No Discord data was stored locally. Myself and lab partners tested several iOS versions and were able to extract the data after logging in and pulling data from the cloud. We then found out the evidence phone victim was still using Discord via web application. We made a decision to let the phone touch the net, we refreshed Discord and then completed another extraction, and Discord data was present. Hope this helps... don't mind any spelling errors as I am on my phone and two whiskeys deep... (edited)
🥃 3
Avatar
Does anyone know where to find the Android Search Bar history? When you click on the search bar that is standard in Android, you can see the history of items searched for. Where is the data living in the Android filesystem? (Please know I'm not referring to Chrome search history.) I know there is information in the search bar. I can see it on the phone. When I do an extraction I'm not sure what database or where in the file structure it is located. Any advice would be helpful. Thank you! (edited)
Avatar
forensicmike @Magnet 7/25/2019 11:16 AM
@San4n6 Examiners with access to process memory dumps might have success finding discord data that isn't otherwise present on the filesystem. See https://youtu.be/QKeW1VDgpP4?t=208
👍 1
Avatar
Thanks @forensicmike @Magnet for the info the memory dump prior to letting the device touch the net contained no artifacts. I will test this on the new memory dump and advise..
Avatar
randomaccess 7/26/2019 12:59 AM
@Paul1775 Josh Hickman at the binary hick did some research on this
Avatar
@randomaccess Thank you! I reviewed his post and this was what I was looking for.
Avatar
CLB_joshhickman1 7/26/2019 1:07 PM
@Paul1775 Let me know if you have any questions or need help with anything.
Avatar
Can anyone confirm my suspicions in regards to simdata.dat on android phones? from the small sample of extractions I looked at, it looks like UFEDPA only decodes that dat file if you used the exact profile of the phone when you did the extraction in UFED4PC .... or if you chipped off a phone, used the exact phone's profile's chain in PA when decoding the bin. in the extractions where I used a generic profile, PA didn't decode the simdata.dat file, but for the extractions where I used the exact profile of the phone to do a Physical extraction, PA decoded/parsed out that file. Thanks in advance
Avatar
@AMB Can't tell the parsing difference between correct profile and generic profile, but I've noticed that simcard.dat is not always accurate... I'll PM you some info.
Avatar
@Kramnias what difference have you seen with this file? For other DBs I understand
9:05 PM
I suppose some missing data
Avatar
@rico Inaccurate timestamps in the simchangetime field. I did a file: Galaxy S6. No SIM card present. Phone clock was reverted back to Jan 1st (probably due to battery power loss). I did 2 separate extractions. Physical at 08h00 AM. Then 6 days later... File system at 08h00 AM (6 days after the physical one). I took a look at both simcard.dat files. The second to last "field" is called simchangetime. For my physical it was 01/01 14h22. For my file system it was 01/07 14h22. So the field (in Unix timestamps) was 6 days later. So my guess would be that this field acts like a clock moving on. Maybe because the phone was reverted back to Jan 1st, the timestamp field kept updating its time. So just be careful... and test... if this field is of importance.
👌 1
Avatar
Forensicator1005 7/27/2019 6:50 AM
@SPVQct3207 by chance was a Honda Santa Fe vehicle involved?
Avatar
@Kramnias thanks for your share. I will be more vigilant!
Avatar
Mistercatapulte 7/28/2019 5:22 AM
Hi guys what is the difference, in IOS dump, between "Viber" and "Viber:members" in contacts column? (edited)
Avatar
Technically, they come from different tables in the Viber database... Though i'm not sure who counts as a member and who as a "regular" contact
Avatar
Mistercatapulte 7/28/2019 6:39 AM
that's all the question 😃
Avatar
All_About_FRNZX 7/28/2019 7:05 AM
@Mistercatapulte I believe when you give Viber access to your phone contacts, all numbers get checked against Viber main database to see whether these numbers have downloaded the application and registered with Viber. I took a screenshot of the application on my phone and you can see that some contacts have “Invite” which means this number never registered with Viber. I believe when you see “regular” it means the number didn’t use Viber. I never examined Viber database but I used Viber every time I deployed overseas to call home so I’m familiar with application
Avatar
Mistercatapulte 7/28/2019 7:39 AM
@All_About_FRNZX thanks. It's exactly the same problem with WhatsApp contacts: the regular list appears in the WhatsApp column, but many contacts are not really WhatsApp contacts. How can you determine which are real WhatsApp contacts, for example?
Avatar
All_About_FRNZX 7/28/2019 8:28 AM
A manual review of the target phone would show for sure which contact is or isn’t a WhatsApp user. From the user perspective, WhatsApp filters the contacts to only WhatsApp users, but you can see all contacts in Viber and shows “Invite” for regular contacts
Avatar
I got a Motorola Moto XT1676, which has been given a factory reset. I only have the adb backup at the moment. Apart from the timestamps of the files, is there a log file of some sort that records factory resets? And is it accessible in an adb backup, or only in a physical extraction? (edited)
Avatar
Forensic@tor 7/29/2019 4:10 PM
Alcatel GoFlip A405DL, running KaiOS 2.5. I have acquired a physical via UFED, but PA still lacks parsing for the call logs, contact list, and SMS messages. I have the databases but need help getting it into a viewable format. The data is contained in Binary Large objects (BLOBS). I am aware that Final Mobil has some support for this, but my trial ended and can't spend money till budget year restarts in October. Anyone able to help? I would love to see a python script to run in PA. I could provide some research if any coders can help. (edited)
Avatar
I just had the problem that after reopening a case and loading project sessions, almost all tags are gone (except for those of one category each). Did someone else experience that? @Cellebrite is this a known problem? Is there a way to get those tags back? It was a 4-digit number of tags we set.
Avatar
@Zoidberg I had an issue with loading saved data in the past. They reached out to me to check on getting it fixed. You might want to reach out to them at tech support
Avatar
forensicmike @Magnet 7/30/2019 6:51 AM
Unfortunately PAS files use .NET serialization that is difficult to work backwards from. I do know the problems with PAS files are more prevalent when attempting to load using a different version of PA than it was saved with.
Avatar
Any idea how to crack a Windows Phone PIN? I have a PIN locked phone. Customer says it's 4 digits, I think it's 6. I made an eMMC dump and extracted the SOFTWARE hive from the MainOS partition but I get "Object21 key not found, no PIN used." error when trying to crack the PIN
7:42 AM
This seems to be Windows 8.1, at least emergency dialer looks like it
Avatar
Try Software:\Microsoft\Comms\Security\DeviceLock\Object22\CurrentCredentialHash
7:44 AM
Or Software:\Microsoft\Comms\Security\DeviceLock\Object464
Avatar
I'd have to look for compatible registry editor for that. I remember FTK had one
Avatar
What are you using to try and crack it?
Avatar
winphonepincrk.py
Avatar
Ok, could try MR against it?
Avatar
wp8-sha256-pin-finder.py - i have also this, but this requires to extract hash manually
7:46 AM
I tried, it seems to start and then crashes with no error message
Avatar
Fair enough, could be the same problem of not finding it in the usual location
7:46 AM
I'd try looking at those other locations manually
7:46 AM
I'll try and dig out the scripts we used to use
Avatar
I noticed that i had "PIN_KEY = 'Microsoft\Comms\Security\DeviceLock\Object1693'" back when i tried it. Maybe it's hiding in different place on this one
7:48 AM
"Adrian Leong aka @Cheeky4n6Monkey correctly pointed out that the PIN hash data could reside in the Object31 key too. Moreover you could find the CredentialHash value in Object736, Object44... so, it's better to manually inspect all the keys in Microsoft\Comms\Security\DeviceLock"
Avatar
Yea, i'll have to dig that FTK reg editor then
Avatar
I've pinged you some stuff
7:54 AM
Also the reg editor we previously used was AccessData Registry Viewer
9:03 AM
Our new work and code available at https://github.com/RealityNet/kobackupdec
Huawei backup decryptor. Contribute to RealityNet/kobackupdec development by creating an account on GitHub.
Avatar
Quick update to the pas issue: updating PA did the trick
Avatar
@OllieD your script carved out the hash and salt correctly and I was able to use Hashcat to crack it.
💯 1
10:45 AM
I also checked with FTK registry viewer in SOFTWARE hive. Correct path for that specific phone is \Microsoft\Comms\Security\DeviceLock\Object458 and script i had also works and found same code
Avatar
chrisforensic 7/30/2019 11:24 AM
@Mattia Epifani 👌 big thanks for the hint to huaweibackupdecryptor.. tried it.... worked excellent !!!
  • made encrypted backup (P30 Pro) with HiSuite PC (9.1.0.303)
  • executed script as mentioned on website; at first try I got an error, because I hadn't installed the cryptographic library "pycryptodome" - https://pypi.org/project/pycryptodome/
but after install it worked 😉
(edited)
Cryptographic library for Python
Avatar
Mattia Epifani 7/30/2019 2:11 PM
Thanks @chrisforensic : the requirements are mentioned in the requirements.txt file on GitHub. Thanks for testing and for the positive feedback!
🤝 1
Avatar
@Arcain @OllieD it's great you figured out how to crack the PIN. Just asking: did the algorithm change with respect to my blog post? Or just the entry location in the registry? Honestly it's been a while since I've seen a Windows Phone, but if something changed I could briefly update the post with your info or just add a reference to your work. Thanks
11:59 PM
@chrisforensic @Mattia Epifani thanks Chris for testing it and for the feedback! Just a question: do you remember if the script used version3 (DEBUG:root:crypto_init: using version 3) or version4? no problem if you have not that info. Thanks!
Avatar
Has something changed which results in the Huawei backups being encrypted? The last 2 we did here using the backup app on the phone (tried a v 8 and v9 variant) did not result in this issue?
12:04 AM
Or am I missing something? 😂
Avatar
@bizzlyg Did you put a password when asked by the backup app?
Avatar
No, but the way the article reads it sounds like you had no choice to either add a password yourself or one gets auto generated by the backup process
12:09 AM
we left it blank, extracted the data, decoded with UFED, all good
12:10 AM
or this is more for if you come across a backup done by the owner which would probably have a password set?
Avatar
@bizzlyg maybe I was not clear enough. When using HiSuite the backup will be encrypted, using the password provided by the user (tested and managed by the kobackupdec script) or an auto-generated one (not reversed). When using the app, you can choose to not encrypt the backup. The aim of the script is to decrypt (and re-arrange a bit the output of) encrypted backups. The original paper published in Digital Investigation describes the decryption algo up to version 8.x.x; my small research showed how to decrypt the slightly changed encryption schema with v. 9.x.x
Avatar
great, thanks! I am sure I just misunderstood, that makes sense 👍
Avatar
Honestly speaking, with the APP and OTG plus no encryption, it's kind of useless 😃
12:14 AM
thanks @bizzlyg for your info!
Avatar
yeah but in those cases where encryption is present its good you came up with a solution. Not at all suggesting its not useful I was just checking it was still possible to use the app with no password 😎 (edited)
Avatar
eheheh @bizzlyg 100% I agree with your check. Actually it is possible, so it's a great chance to get data/data when physical acquisition is not possible. Hope Huawei will not change that.
Avatar
yeah its been really useful for us in 2 recent cases
Avatar
Here too!
12:18 AM
(I'll make a note on the blog post later to clarify what you pointed out, 10x @bizzlyg ) (edited)
👍 1
Avatar
No worries, could be just me thinking of it this way 😂
😃 2
Avatar
chrisforensic 7/31/2019 12:41 AM
@dfirfpi @bizzlyg ... concerning Huawei backups and FB Messenger.... I realized that HiSuite doesn't make a backup of Messenger, but using the app on the phone did make a Messenger backup? Can you confirm this? I tried several times with different Huawei phones, and just the app made an FB Messenger backup! BR
12:43 AM
just these three FB-related things were backed up with HiSuite (edited)
12:45 AM
with a backup over the app i got FB-Messenger !
12:46 AM
so, have you noticed this, too?
Avatar
@chrisforensic you're pointing out an imho critical piece of info. Generally speaking, which differences will there be between encrypted vs non-encrypted backups? And app vs HiSuite? And versions? I need to check out some phones we're working on just now, but I'm busy till this afternoon (CET). A super fast answer is that one phone made yesterday with HiSuite (I have to ask the version) had katana in.
Avatar
chrisforensic 7/31/2019 12:54 AM
OK, you're right! maybe it differs from version to version (apk, HiSuite, installed Android) (edited)
Avatar
@chrisforensic : I suppose you used the kobackupdec script... is the encrypted katana tar package inside the backup folders?
Avatar
@chrisforensic we have only used the backup app so far and not HiSuite, I am just checking a previous case where I think we had FB messenger from it to confirm
Avatar
@Chris Harris @bizzlyg great! that's something valuable to determine the best process when using huawei backups.
Avatar
chrisforensic 7/31/2019 12:57 AM
@dfirfpi ... yes, i used the script, and no katana inside nor a saved .apk
Avatar
ok, at least that is not a script bug 😋
💯 1
Avatar
chrisforensic 7/31/2019 12:59 AM
@bizzlyg ... YES, I always use the backup app... no troubles with encryption and faster workflow 😃 just wanted to test the script... it's usable, of course 😉 (edited)
👌 2
😋 1
Avatar
Really interesting stuff here guys. Thank you for your collective work on this and also highlighting some potential pitfalls re: completeness of the different Huawei backups!
1:02 AM
@dfirfpi, does your script only support v9.x.x? @bizzlyg previously highlighted that with a v9 KoBackup APK, they were prompted for WiFi connectivity. Their workaround was to use an older version of the backup app. Therefore it seems to me that having a v3 capability is useful! (edited)
Avatar
chrisforensic 7/31/2019 1:03 AM
@dfirfpi concerning the difference in data (encrypted vs. non-encrypted)... I didn't see any difference between them in the results
Avatar
Scratch that, just reread the blog post and saw that you have v3 schema support 😃
Avatar
@OllieD @bizzlyg Yes, that's the novelty, supporting the "new" encryption schema 😉
Avatar
Yes, I'd previously seen the paper that you refer to 😃 Nice to have a one size fits all solution... until something changes!
👌 1
👍 1
Avatar
@OllieD @chrisforensic @bizzlyg Yeah, I agree, with a collective "effort" we could get an answer to what is inside the backups and what is not. (edited)
Avatar
@chrisforensic @dfirfpi I confirm too: no difference between encrypted and non-encrypted data. I don't have the Snapchat DB (only the apk with config files; no chat). I have the WiFi codes in clear (Android 5).
Avatar
@rico, using HiSuite or KoBackup?
Avatar
chrisforensic 7/31/2019 1:34 AM
Here some important info! Tested Huawei BackupApp on P30 Pro, Android 9: with 9.1.1.300 (latest) it is NOT possible to back up Facebook and FB Messenger; with 9.0.2.333 it can back up Facebook and FB Messenger.. with data! (edited)
👍 2
Avatar
That's in addition to the previous issue you saw regarding HiSuite missing FB-Messenger?
Avatar
@dfirfpi just the location in registry. Last phone i tried also had different location than what's in the blog. I used FTK Registry Viewer (demo is fine) to verify and after adapting the script to new location it cracked it fine. I also used other script to carve out hash and salt from the SOFTWARE hive and was able to crack it with Hashcat as well. (edited)
👌 1
Avatar
@Arcain thanks!
Avatar
@chrisforensic @OllieD @dfirfpi Just double checked one of our previous cases, using the backup app on the phone we got FB messenger 👍
2:17 AM
But we did not try it with HiSuite at the time so can't say what differences that may have produced
Avatar
@OllieD com.huawei.KoBackup_9.0.2.333_OVE-90002333 of @chrisforensic
Avatar
Folks, be wary of Tor browser DB files. Recently had a case where the Tor DB contained images and screenshots which did not decode in PA but did appear in the UFDR. If you export the DB and import it back into PA, the images and screenshots appear, but only then. I haven't been able to assist CB in finding the problem as the DB contained child abuse material so I couldn't share it.
Avatar
Hi guys, any ideas how to force a PIN input when the Signal messenger is locked? It only accepts fingerprints it seems, but in my personal Signal settings it says "lock with fingerprints or PIN", but I can't set a PIN so I guess it would be the device PIN (the suspect gave out the device PIN).
Avatar
chrisforensic 8/1/2019 1:33 AM
@bizzlyg @OllieD @rico @dfirfpi UPDATE - Huawei Backup with HiSuite: HiSuite does back up FB and Messenger - it depends on the version of huaweibackup.apk you have on the phone!!! With 9.0.2.333 (as we use to back up over OTG or SD card) installed on the phone, you have the option to back up FB and Messenger too in HiSuite - TESTED with my P30 Pro, Android 9. It does NOT depend on the version of HiSuite! Best regards (edited)
👍 4
👌 1
Avatar
@chrisforensic I'm assuming you can uninstall the latest version and side load the 9.0 older version to keep the FB backups with data?
Avatar
chrisforensic 8/1/2019 10:15 AM
@DCSO ... yes, just uninstall the version on the phone, install old 9.0, make a backup - with the installed older version you can make an unencrypted backup (over OTG or locally on the phone); with HiSuite you can only make encrypted backups! (edited)
👍 2
Avatar
@chrisforensic @DCSO sometimes phones don't want to uninstall their KoBackup
👍 1
2:10 PM
But when it works it's super convenient
2:11 PM
So thanks for sharing this tip @chrisforensic
Avatar
Android with shared devices question.....I have two subjects who shared a single gmail account on two devices. Device A has web history of interest with a file path of userdata/root/data/com.android.chrome/app_chrome/Default/History It also has web history found under userdata/Root/data/com.google.android.gm/databases/bigTopDataDB Based upon the content of the web browsing, I'm inclined to believe that the bigTopDataDB is web history that was synced from the other phone. Can anyone confirm what BigTopDataDB is?
Avatar
@dfeyen look inside the history dB. There’s specific tables re sync.
8:58 PM
I’ve never looked at the bigtopdatadb
Avatar
Howdy guys and gals. Got a job on involving a charming chap that has been using Kik and Wickr on an iPhone 8. Apps not actually on the handset at the time of seizure but I have the following in the iPhone logs.
6:14 AM
6:16 AM
I'm not too up on this artefact. Can anyone shed some light on what it means?
6:18 AM
My educated guess is that the Kik app was used at this time but not sure what the different items in the first column mean.
6:19 AM
My guess for the wifi and wan would be the amount of data up and down for that network.
Avatar
Yeah, guessing the WAN in this case is cellular traffic ?
6:20 AM
Not sure about the first column either
Avatar
That was my guess on the WAN, mobile data.
Avatar
You’re setting up a Mac firewall, or just checking what’s running using Activity Monitor, when you notice something cryptic is running: mDNSResponder. What is this process, and should you be worried? No: this is a core part of macOS.
6:35 AM
So you found something called trustd running on your Mac, and are now wondering if it can be…trusted. The good news is you have nothing to worry about: this is part of macOS.
6:36 AM
My best guess (with no real basis for it, so take with a ton of salt) is that entry 1 and 3 are traffic for the com.kik.chat app running through trustd and mDNSResponder services respectively
6:36 AM
And the middle entry is actual Kik traffic?
6:36 AM
Which would potentially fit with the much larger values being recorded in the second record
Avatar
@Majeeko that database is referencing the cell data usage that can be viewed through the settings / cellular menu
Avatar
@CLB-Paul is there one for WiFi data?
Avatar
not that i know of off the top of my head.
6:46 AM
if you have acesss to the full file system, you can look at the KnowledgeC db file but more for application loading etc...
Avatar
Just finishing off the GrayKey extraction now. KnowledgeC is my next port of call
👍 1
Avatar
Anyone know if iPhone log entries data gets synced to a new device? I have data from 2014 on an iPhone 8 that was released in 2017. I'm assuming it's data carried over from previous Apple devices.
Avatar
I’ve realized just how important it is to blog vs just do a webcast when I was completing my course updates. I would stumble upon a webcast, but didn’t have time to watch it, so I looke…
Avatar
Thanks
Avatar
Adam Cervellone 8/2/2019 12:57 PM
Hey all, I have a quick android/fat32 time stamp question. How accurate is the created time for a video stored on a FAT32 microSD card contained in an android phone?
12:59 PM
I have about 18 videos where the file name shows time X but the created time is time y. Once I account for daylight savings time, the difference between when the file name indicates the file was made and the created time ranges from just over a minute to around 8 minutes. The user claims the microSD card was reporting it was getting full
Avatar
Is it the file system date/time or exif ?
Avatar
Adam Cervellone 8/2/2019 1:19 PM
It appears to be EXIF. I just ran a few of the files through EXIFTool and the created time there is the same as what PA is reporting despite the file name indicating it was recorded at a different time
Avatar
That is weird
1:30 PM
The exif created time would be when the video was first recorded and the filename might be when the video ended
1:30 PM
Does it look that way ?
Avatar
@Majeeko you got any .dB files for Wickr app
Avatar
Wickr was uninstalled after the suspect had used it. I have some iPhone logs indicating Wickr used some cell data at the exact time of the offence so we believe the suspect uninstalled it after. I left the GrayKey file system processing in Axiom and UFED PA over the weekend and I will pick it back up Monday morning and see what I have. I very well may be hitting you all up for some info. Not too up on iPhones, evidence is normally bang in front of me as media or comms. Interesting case though and I do love to expand my knowledge of phones. @Dfdan I'll let you know if I find any remnants (edited)
Avatar
randomaccess 8/3/2019 12:04 AM
@Majeeko grab stuff from here for additional info that may not be as fleshed out in the tools https://github.com/abrignoni The knowledgec stuff we did showed just a bit more than the tools at the time , not sure if that's still the same but can't hurt. Also you can carve plists out of the db too if it doesn't cover the timeframe properly
Avatar
@randomaccess thanks, I'll check it out.
Avatar
Good day! They brought in a Redmi 4X phone, not locked, Android 7.1.2, security patch from 08/01/2018, no root, bootloader locked. Need to recover deleted files. Has anyone come across this? It asks for a password to decrypt!
Avatar
If it asks for password to decrypt then it sounds like secure startup
2:13 AM
Otherwise you could check UFEDs qualcom decrypting edl method. I know it doesn't work for some (they stay on charging battery instead of booting)
Avatar
that's made with edl, but not decrypting i guess?
Avatar
but for some reason, with an unlocked bootloader, the setup is different; this method works. What do you advise me to do?
Avatar
phone is factory encrypted, you should try to use decrypting edl method instead, if it'll work on this one
2:19 AM
if you dumped it as is, userdata inside the dump is encrypted
2:21 AM
at least it looks like this to me
Avatar
however, as I understand it, the analyzer will not be able to do the work of rationalizing the image obtained
Avatar
@BorgSl I remember being told that some handsets use the default Android encryption password in this scenario. I think it was android_password or something along those lines.
9:23 AM
Might have been default_password
9:31 AM
I did not try it yet and there is no instruction. If I attach a txt file with the combinations 0000 up to 9999, will it work?
Avatar
Not sure. I put an encrypted image into Oxygen and it brute forced the pin for me once.
Avatar
chrisforensic 8/3/2019 11:03 AM
@BorgSl ... if PA gives you the option to insert a list (txt file) for decoding, then PA knows how to decode the encrypted image, but wants a list... I had success with some phones with PIN lock or pattern lock, just had an encrypted image, PA did decode with the given list (edited)
11:15 AM
if encrypted with a password, the dictionary list would be too big and I think decoding would last too long (edited)
11:19 AM
info: PA doesn't show the progress of decoding and after success opens the image. You have to look inside the logfiles to find the code which was the right one to open the image. (edited)
Avatar
If I recall correctly, both PA and XRY will automatically use default_password if applicable. However, that would still only work if the device is not using hardware-backed encryption. If it is hardware-backed, trying to get a decrypting bootloader to work sounds like your best bet
12:54 AM
If you import the physical into XRY, you can see how it behaves. One of the more recent versions of XRY built in a bruteforcer which allows you to upload dictionaries etc. Its logs are also pretty easy to read and figure out what's going on with the dump
Avatar
@chrisforensic thank! i will study
👍 1
Avatar
I've done an advanced logical extraction from an Apple iPhone 8 and when I read the extraction in Physical Analyzer I see a post in the "Log Entries" with a timestamp that belongs to com.apple.madrid and the application iMessage. The source says Identity Lookup Service. The body contains the following text: Apple authentication process performed for the following apple-ids: +46XXXXXXXXX. The number does not belong to the device. Anybody know what this is? Is it the Apple service that checks the other end's device if it's an Apple device so it can handle iMessage? (edited)
Avatar
perhaps the phone turned off or the sim card was removed and requires re-authentication
Avatar
Can't be cause its is another persons phone number.
Avatar
very often 2 SIM cards are used; check which SIMs worked in this phone, maybe the second number was used for accounts and is hidden somewhere
Avatar
Nope, its not one of the other SIM-cards that have been used lately.
Avatar
iOS App IDs. Are these unique to the app or somehow generated when the app is installed?
Avatar
Unique to the app.
Avatar
@Dfdan In knowlege C i have some filesystem events that refer to a certain app folder. in Mobile/Containers/Application/Appid. The folder is now deleted and i want to see what app it was refering to. Is there a way to look it up?
Avatar
I tend to look up the app id by searching it in the installed apps database, don't know if it will show up there if it's been removed though
Avatar
It does for installed apps, I found the ID for Snapchat but I want the ones for Kik and Wickr which were uninstalled after the offence. I want to see what was happening in the file system events in relation to those app folders.
Avatar
@Majeeko have you ever looked at fsevents if you have a full file system extraction?
Avatar
@CLB-Paul That's what I am going through now. It's a very interesting read.
Avatar
Totally, I was introduced to it a few years back but it's definitely a wealth of knowledge
Avatar
Adam Cervellone 8/5/2019 6:44 AM
@Jay528 the thing is the offense that these videos are tied to occurred on a WiFi only phone between March 10 - 11, the same day daylight saving time switches. It's the perfect storm for jacked up timestamps
Avatar
Again because it's very important to me: any ideas how to force a PIN input when the Signal messenger is locked? It only accepts fingerprints it seems but in my personal Signal settings it says "lock with fingerprints or pin", but I can't set a PIN so I guess it would be the device PIN (the suspect gave out the device PIN). (edited)
Avatar
ah pl
6:45 AM
ah ok
Avatar
Adam Cervellone 8/5/2019 6:49 AM
One of my fellow examiners and I developed an Excel spreadsheet to account for the differences in time. When the phone stopped storing videos on the SD card and switched to storing them on the phone, the filename and created times all match up and there are no discrepancies. That is what made me think that the filename is actually the accurate time and the FAT32 filesystem on the SD card is somehow part of the reason the created times are off
Avatar
@Majeeko does UFED PA not list the apps and APPID in the decoded apps / installed apps? I'm not in front of a PC at the moment.
Avatar
It lists some of them. What I have found by looking at the application install states is that when installed, the apps I am interested in get a new folder with a unique GUID or ID (this is not the App ID in the sense of the unique one to the app). Once uninstalled, the file system destroys those containers and any data in them.
Avatar
@Luci I just did some tests on my iPhone 7 with Signal. When I try to unlock Signal with a finger that I can't open my phone with I get an "Enter Passcode" option, there I can use the phone's passcode to unlock the app
Avatar
Sorry forgot to mention it's an Android and when I test it with my personal phone it does not work like you say :/
Avatar
If you remove all fingerprints from the phone Signal asks you to enter the password instead 😃
Avatar
I was thinking about that, yes
7:41 AM
You sure? 😄 (edited)
Avatar
Tried it on both my iPhone and Android, worked on both
👌 1
Avatar
@Majeeko I suppose you have not found any (deleted) data in a backup or in the cloud (edited)
Avatar
Had an interesting chat with the folks from Mission Darkness (a Faraday bag/box supplier) earlier this year and they made me aware of this app that they produce for testing Faraday equipment: https://play.google.com/store/apps/details?id=com.mos.tester&hl=en_GB
The Mission Darkness Faraday Bag testing app accesses your WiFi, Cell and bluetooth antennas to test the shielding effectiveness of your faraday bag or faraday enclosure. The app is extremely simple and gives you the ability to know whether your faraday bags are doing their j...
12:48 AM
Will show strength in dB of Wifi and mobile signal, as well as an 'on/off' bluetooth signal
12:48 AM
The app's free and they have an equivalent on iOS
12:48 AM
Did you get a chance to try it @Stevie_C?
Avatar
@OllieD iOS version works like a charm
Avatar
Awesome, good news. Hadn't tried it on iOS myself but had been pleased with the Android app performance
Avatar
Whoops, I'd meant to post this in #mobile-forensic-extractions
Avatar
@Oscar Thank you it worked
👌 1
Avatar
@Tilt There's a post on the Cellebrite blog about these "Identity Lookup Service" records:
5:12 AM
Determining a complete list of contacts that a person of interest has on their phone can be challenging due to factors like deleted data, inconsistent app communication records and device migration data loss. Because of these variables, it is important to find a reliable reco...
👌 1
5:13 AM
Basically it means that the device tried to validate that number against Apple's servers, usually because an iMessage was sent or a Facetime call was made
Avatar
Hi all, I've got a question regarding Facebook messenger and the way it stores video files as .exo files. Some background, I found a video that's important to my investigation in WhatsApp. I found a .exo file that appears to be a fragment of this video while doing my categorisation in Griffeye. So the question of where this video is in FBM came up. I've checked all the chats with people of note but it doesn't appear to be in any of them. So as a test I found a playable video in a chat on the phone and located it in Griffeye and noted the file name, then consulted the files in FBM's "threads" database and couldn't find anything that matched. Is there any way for me to identify this video? We're all a little stumped here. I can clarify if you need more info
Avatar
I was attempting to just download the SMS messages off of a LG SP200 and after I chose to "change" the sms on the phone, the phone showed a screen labeled switch access setup guide. Has anyone seen this screen before? I chose "exit" as the option and it did get the sms messages normally.
2:11 PM
Using UFED 2
2:11 PM
Updated version
2:11 PM
normal cables
2:12 PM
DM with replies please
Avatar
Has anyone seen pictures named "unadjustednonraw"? Metadata tells me the picture might have been received or sent using WhatsApp
Avatar
Looks like that file name might be related to copying images out of apple photos @azkurken https://photo.stackexchange.com/questions/96070/why-are-my-photographs-saving-as-unadjustednonraw
Avatar
Quick question guys. Does anyone know where deleted contacts are kept on an iPhone?
Avatar
yaniv.schiff 8/8/2019 7:05 AM
Anyone know of a way around the current iCloud backup issue with Elcomsoft's Phone Breaker? It no longer works. Is there any other way to get the iCloud backup downloaded?
Avatar
@zero00796 Most likely guess is that they come from deleted records recovered from the AddressBook.sqlitedb database
Avatar
@Orb or thank you for the information
Avatar
@yaniv.schiff Option 1: https://www.blackbagtech.com/blog/2018/05/31/apple-icloud-production-service/ If a life is in danger it's quick to turn around, else you may have to pay and it costs a fair bit. Cheaper to buy a tool. Option 2: https://www.cellebrite.com/en/trials/cloud-analyzer-trial/ Trial another tool.
Based on news reports some may assume Apple doesn't respond to search warrants, but BlackBag has successfully worked with Apple iCloud production sets.
Avatar
yaniv.schiff 8/8/2019 8:38 AM
@4N6Matt Thanks for that info. Cloud Analyzer doesn't support iCloud backups with 2FA
Avatar
yaniv.schiff 8/8/2019 9:10 AM
would be great if it did.
Avatar
@yaniv.schiff, 7.8 and 7.9 do. Touch base with Support but I know I tested my own stuff and it pulled it running 12.x (can't remember which version I have on my phone)
Avatar
SPVQct3207 8/8/2019 1:22 PM
Hi! I have a GK extraction in UFEDPA 7.22. In the videos section, Table View tab, when I click on the video (for example IMG_0001.MOV), I see only a green line and I hear the sound of the video but there is no picture. I have to click on Play (default program) to see the video. It seems to me that before we could view the video by double clicking on it? Right? Did Cellebrite change that?
Avatar
MikeWhiskey 8/8/2019 11:26 PM
hey guys, I have a Galaxy S6 physical image and manually decoded the usagestats db, but I am not quite satisfied with that information. It just says that an app was in the foreground. Is there another db with information about screen on/off and the duration, if it was on? Like the knowledgeC on iOS devices? It is really important in that case
Avatar
The nearest database to the knowledgeC on Android that I'm aware of is the lowpowercontext-system-db or ContextLog.db; they're not as granular with added metadata but it shows the app on the screen
Avatar
MikeWhiskey 8/9/2019 1:57 AM
but they are not logging if the screen was on or not, are they?
Avatar
Anyone ever come across a WhatsApp group where some of the participants' numbers are (ten digit number)@broadcast instead of the normal phonenumber@Whatsapp.net?
3:48 AM
Like this
3:54 AM
okay, I think it may mean they are part of a broadcast list. Can anyone confirm?
Avatar
@MikeWhiskey I think the fact it is in those logs suggests it’s the application in use so supports the screen is on, it doesn’t record notifications
Avatar
MikeWhiskey 8/9/2019 4:57 AM
But aren't apps like Facebook and so on doing a lot of stuff in the background and would get logged there, too?
Avatar
I haven’t tested it enough to say one way or the other, tried looking at the snapshot pics?
Avatar
MikeWhiskey 8/9/2019 5:20 AM
oh that's a good point, if I get a snapshot of the app right after the accident plus the sign in app usage - maybe this would be enough. Thank you for your help
11:55 AM
Anybody know this?
Avatar
Anyone know if there's a way to export multiple SMS conversations in conversation view (chat bubbles) at the same time with UFED or XRY?
5:33 AM
So that the conversations appear separate from each other, not messages from different conversations all over the place @MSAB @Cellebrite (edited)
Avatar
Or with any other tool for that matter, doesn't have to be fancy chat bubbles, just an easy way to read the conversations separately in a pdf or whatever
Avatar
chrisforensic 8/12/2019 7:44 AM
@Oscar for fast export you can sort the SMS with option "thread-id" in "list-view" and export to xlsx... every thread-id should be an SMS partner... now you can filter the xlsx the way you want....
Avatar
@chrisforensic Thanks a lot, will try that!
Avatar
I have an iPhone X running iOS 12.3.1. I obtained an extraction with Cellebrite and it asked to set '1234' for encryption to extract more data, which I did. Extraction completed successfully. When I open the extraction in Physical Analyzer it prompts for an iTunes Backup Encryption password. It is not the phone password and it is not 1234. I have also tried all the passwords the user knows. Any way to get this password?
Avatar
MikeWhiskey 8/12/2019 10:11 PM
Have you also tried 12345 and 123456? I know, sounds kinda stupid, but my Touch trolled me once on an iPhone X with 12345, but said it was 1234. (not that sure if there was a 6, it was some time ago, never happened again, thought it was a bug that was fixed)
Avatar
@twreese It's probably a different password used for the encryption, when the user made a backup. You can remove this encryption password by resetting all settings on the phone. It will delete some wifi passwords and a few other things as well. I believe it's described properly elsewhere on this server (maybe pinned posts). But it's pretty straightforward: Go to Settings -> General -> Reset -> Reset all settings. Then do a new extraction. The password is now removed.
👍 3
Avatar
@twreese since you've got the backup, you can always attack the hash to try and recover the password, if my memory serves me correctly, and I'm reading your user name right, I showed you how to with hashcat 😃 if not then I'm losing my mind which is a viable option
4:28 AM
@twreese I see your post over in enc now, if you want to email me the output of itunesbackup2hashcat, I've got a rig to toss it onto
Avatar
@twreese I second the hashcat
Avatar
Could anyone pls assist? Have a Lumia 550 chip off.. Unable to decode any sms, contacts or call data.. I have retrieved media using IEF but not the above.. Suspect encrypted. I have a lot of partitions but am not aware of the location of the database files. Can anyone with Windows knowledge pls help?
Avatar
having an issue where Axiom keeps failing to make a report. anyone ever seen this before? @Magnet Forensics
5:23 PM
trying to make a pdf or html it fails
Avatar
PM me the ExamineLog file and I can have a look
Avatar
done
Avatar
chrisforensic 8/14/2019 9:45 PM
good morning @Cellebrite Need some help... I have a dump of a FP with SC6531E chipset, imported to PA using chain "SpreadTrum Generic" but could not carve out anything... of course I can carve manually for sms, but there are no timestamps or sms-partners! (edited)
9:46 PM
NO PROBLEM for PA to carve a FP with SC6531 chipset! Here decoded many SMS
9:46 PM
Is there a way to decode a spreadtrum FP image with chipset 6531E ? Maybe you have a decoder-plugin for SC6531E chipsets? BR (edited)
Avatar
@chrisforensic @Orb what does the file system look like?
Avatar
chrisforensic 8/14/2019 10:06 PM
@pankon#500 can I send you the image (and a second from another phone with the same chipset) per PM? size is just 4MB (edited)
Avatar
@chrisforensic did you try spreadtrum ftl/content?
Avatar
chrisforensic 8/14/2019 10:17 PM
yes, without result!
Avatar
@chrisforensic please send a pm
Avatar
@chrisforensic That looks like a multi-part concatenated message, of which that is part 1 of a 3 part concatenated message. I'm going to DM you something that might help you manually decode it in an emergency as a last resort.
Avatar
chrisforensic 8/14/2019 11:46 PM
@Stevie_C thanks for PM !
Avatar
@chrisforensic Hope it helps a bit 🤞
👌 1
Avatar
Mistercatapulte 8/15/2019 1:36 AM
Hi everybody, I read a bit of everything about Snapchat here, but I did not find an answer. I have a full FS of an iPhone, Snapchat version 10.x.x. The victim indicates having communicated with the owner of the phone via Snapchat, but I can not find any written conversation ... The phone was seized in May and the facts date from July 2018. Is there a delay in keeping text messages or are they simply not stored by the phone?
Avatar
@Mistercatapulte the application allows you to delete messages only 24 hours after reading them.
Avatar
Mistercatapulte 8/15/2019 1:49 AM
@BorgSl thanks for reply 🙂
Avatar
@Mistercatapulte 🤗
Avatar
Check also directly on the phone...
Avatar
Hey guys, regarding iPhone extraction using Cellebrite. A WhatsApp record is marked as "unknown". Tried finding the message on the physical phone but it's not there. Any theory?
Avatar
@Reedsterz possibly deleted record and the entry for the direction is not available
Avatar
ThurgoodJenkins 8/16/2019 8:40 AM
@Cellebrite is the Tethering Last Activation report field the time the phone was activated? or is it when it was last tethered as a hotspot
Avatar
@ThurgoodJenkins the last activation report field is for when the phone was last tethered as a HotSpot
Avatar
ThurgoodJenkins 8/19/2019 12:01 PM
thanks
Avatar
Adam Cervellone 8/19/2019 12:13 PM
Can someone give me a quick definition for the Identity Lookup Service in iOS?
12:15 PM
and what exactly does it mean when a phone number shows up there with references to iMessage and FaceTime
12:17 PM
the file it is in is com.apple.identityservices.idstatuscache.plist if that helps
Avatar
@Adam Cervellone It's a service from Apple that checks to see if it can use iMessage vs SMS or if FaceTime is an option. (edited)
Avatar
Adam Cervellone 8/19/2019 12:24 PM
Thanks @CLB-Paul Would it be correct to infer that the user manually entered that number or contact that had that number for it to show up in that file?
Avatar
I’d say yes but never done specific testing in regards to that.
Avatar
Avatar
chrisforensic 8/20/2019 1:45 AM
For all who need to import an Android XRY extraction (log. full filesystem with apk-downgrade etc.) to UFED PA: I had to cross-match the XRY extraction with UFED. Here are my tested steps... 1) Import .xry to XACT as project 2) save all data from volumes/storage/emulated/0 and data/data (rightclick on folder - export - export all files) 3) rename folder "0" to "sdcard" 4) put these two folders "sdcard" and "data" into a new folder "backup" 5) make a .tar from folder "backup" (edited)
6) import this "backup.tar" to UFED PA as adb-backup
It is important that you import all data at once (backup.tar) and not data.tar and sdcard.tar separately! If you import separately, UFED PA will NOT link the chat-attachments to the right place!
👍 4
Avatar
Nice work @chrisforensic ! You can likely accomplish the same thing in XAMN Spotlight/Viewer through the File Tree view by simply right clicking on the folder you want to export in the File Tree view 🙂
Avatar
chrisforensic 8/20/2019 6:57 AM
@Erumaro coool, thanks for info 👌
Avatar
@Erumaro @msab and others, hi. I have a Wiko lubi5plus with Spreadtrum chipset. I try to use the generic USB profile but when I plug in the micro USB (without battery) the phone starts and I have a menu choice with mass storage (U disk). How do I do a physical acquisition? I have any idea about magic button too (edited)
Avatar
@rico The device rings a bell, not in the office now but let me check tomorrow morning to see what we can offer!
Avatar
@Erumaro👍
Avatar
@rico It seems we have the device here in the office but we only received it recently and have yet to test it out. It seems the device is running a SC6531 chipset so I tried it with 6531 Generic and unfortunately it did not work. This is something we've been seeing on more recent 6531 devices and we hope to be able to solve it with future releases. For now there does not seem to be any solution however, at least not in the current XRY.
Avatar
@Erumaro thx you for your job.
12:43 AM
It was very important for us to know it
Avatar
Hi guys, definitely my return from vacation is eventful. Anyone know how to determine the date of the last security PIN/pattern change on a Samsung Android 8 (A6)?
Avatar
@rico if you have a physical you can just check the timestamp on the gatekeeper.pattern.key file ( or gatekeeper.password.key )
Avatar
@.karate. good idea. thx, I'll look at this
11:38 AM
I had hoped Android, like iOS, would have a security log file... (edited)
Avatar
Hello all. I have an iPhone 6 Plus A1524 with iOS 12.3. I want to know where the phone has been at a specific time. I know that the Health app is registering steps, distance, elevation and time. I wonder if it's possible to get coordinates from that in some way? (edited)
1:59 AM
I have done extractions with UFED Advanced Logical method 1 and 2.
Avatar
Deleted User 8/22/2019 2:45 AM
Check: Settings - Privacy - Location Services - System Services - Significant Locations
2:45 AM
on the phone directly. Apple really does a good job hiding these deep in the settings
Avatar
Thanks @Deleted User. I know about that. Any other hint?
Avatar
@Tilt to extract significant locations you need file system access or use chris’ suggestion of looking on the device specifically
6:01 AM
I would also suggest going down the route of getting information from telco
Avatar
heatherDFIR 8/22/2019 6:02 AM
@Tilt Health def stores coordinates. Especially if the person does a workout.
Avatar
I remember reading a blog and I think it was yours Heather about that.....
Avatar
heatherDFIR 8/22/2019 6:03 AM
I know the PA and Oxygen parse health data too. But there is more in the data in there that may be of interest to you. I can share the queries but I believe Sarah included all of the work we did for health in APOLLO.
6:03 AM
Yep! I have done many presentations on this too. They are on smarterforensics.com.
6:03 AM
Making a Murderer Health Edition was my jam last year. 😉
😂 3
Avatar
Dragging your husband. I remember that ..
😉 1
Avatar
w3aryb0arpig#6666 8/22/2019 3:36 PM
@Tilt metadata in images too. If geotagging is enabled for when the user takes photographs, you’ll have locations embedded in photographs 👍
Avatar
@heatherDFIR APOLLO? Would really help the case to get the geodata from health. (edited)
Avatar
Apple Pattern of Life Lazy Output'er. Contribute to mac4n6/APOLLO development by creating an account on GitHub.
Avatar
Thanks @Dam
Avatar
@Andrew Rathbun Can we pin Apollo to the resources #dfir-resources if not already there
Avatar
Andrew Rathbun 8/23/2019 8:03 AM
@CLB-Paul done
👍 1
Avatar
has anyone had issues with Axiom @Magnet Forensics losing the source file when examining GK dumps? Ijust had two different cases run on different workstation have this happen. Checking other's experience before I open a ticket. (edited)
Avatar
@sholmes same problem with shadow copy.
Avatar
good to know. I haven't found where it is messing with the extraction. I haven't got to the report side yet though.
10:30 AM
Thanks @Dam
Avatar
Mistercatapulte 8/23/2019 11:21 AM
I did the extraction of a full FS of an iPhone. PA decodes 270 communications for me, but when I go to look at the callhistory.storedata db, I have the table "ZHANDLE" which contains 3586 phone numbers, which in the end do follow the decoding done by the application. Do these numerous numbers correspond to deleted calls? (I specify there is no date or timestamp)
Avatar
@sholmes how are the images being added to process initially? As images or a files and folders search of the extracted content from the zips?
Avatar
from the zips
1:44 PM
file selection
Avatar
@Mistercatapulte You mean a history of all the phone numbers that have been used on the device ...
Avatar
Mistercatapulte 8/23/2019 11:21 PM
@rico If I follow the end of the db, the +3000 calls correspond exactly to the decoded part of the 270 calls, and as we can see on the screenshot there are numbers that are repeated (edited)
Avatar
franksvensson 8/25/2019 10:15 PM
@Mistercatapulte I tested this a while ago and that table contains all the calls that are made, but without timestamps, just like you say ... even calls that are deleted from the call history are included in this "counter". SELECT ZNORMALIZEDVALUE, COUNT(Z_PK) as 'NUMBER OF CALLS' FROM ZHANDLE GROUP BY ZNORMALIZEDVALUE ORDER BY COUNT(Z_PK) DESC;
👌 2
Avatar
Mistercatapulte 8/25/2019 11:26 PM
@franksvensson thanks for this confirmation and these precisions!!!!
Avatar
Playing around with iOS sysdiagnose logs, trying to figure out where they are written from? I haven't figured out if the logs are written from RAM or if they are collected from existing actual logs. If I were to be able to get a physical and compare I'm sure I could try to figure it out but I don't have access to that at the moment.
8:20 AM
This is the article I've been following:
8:20 AM
I saw this article “ NYC plans to make AirDropping dick pics a crime ” on Friday and it got me thinking. What exactly are the cops going to find if they do an analysis of a device, either the sender or the receiver?  I’ve already done my fair share of analysis when ...
8:22 AM
The article talks about unified logs which makes me think that the logs are "real" files vs volatile memory artifacts
Avatar
Originally posted in extractions sorry for that meant to post here. I have a Moto Z2 force 1789-04, running android 8. I found keepsafe installed and has 266 pictures and videos looks like they maintained naming convention and maintained extensions. The images won't open, not that I have a passcode but there is no prompt to enter a passcode to get the data decrypted. Anyone got any ideas?
Avatar
I have extracted an iPhone 7 A1778 with UFED Physical Analyzer 7.22 and under Apps Info you can find "Installed Application". How sure is it that the application was installed on the phone when I did the extraction?
Avatar
@Tilt we can look manually in this iphone 😂
2:05 AM
Hello, anyone know how a file with the KTX extension on iOS can be viewed? Obviously it's to see application snapshots
Avatar
@rico This is a problem when the device isn't present 😦
Avatar
Mistercatapulte 8/28/2019 5:59 AM
hi folks! A little question that puzzles me. In several jailbroken iPhone dumps I realized that the "native" call logs, decoded by PA, only included the WAL from callhistory.storedata. Is this normal in your opinion?
Avatar
The WAL stores the most up-to-date version of the data in an SQLite database, so if there were relatively a lot of calls before the time of extraction, or if the device wasn't reset for a long time (or any other event that could have triggered flushing the WAL into the main db file), it makes a lot of sense. (edited)
Avatar
Mistercatapulte 8/28/2019 7:25 AM
@Orb ok Orb, thanks for this information
7:25 AM
@Orb in reality, does the phone delete calls by itself?
7:26 AM
to keep between 210 to 270 calls
7:27 AM
in my cases I observed these numbers of calls saved
Avatar
Sounds logical to me... Even on the device itself you're usually not able to view the entire history of calls. I haven't tested it to see exactly how many calls are kept, but note that the same numbers appear in @Mistercatapulte message from a few days ago
👌 1
8:02 AM
Lol that's you
8:03 AM
very embarrassing, I wasn't even looking who I'm talking with
Avatar
Mistercatapulte 8/28/2019 8:29 AM
@Orb The db isn't decoded because it isn't integrated in PA, or will it be decoded in a future release? (edited)
Avatar
Does anyone have a good dictionary file for iOS encrypted backup cracking?
Avatar
@mitchlang are you sure? Because it takes a very, very long time to crack it (edited)
Avatar
Yeah, I pulled a 10 mil dictionary file. This is not going to be fruitful. It might break it by the time I ret. at this rate... Any other known good workarounds? 😬
Avatar
Mistercatapulte 8/28/2019 11:03 AM
@mitchlang if u have the phone, u can reset settings and after that make a new dump
👆 1
Avatar
Andrew Rathbun 8/28/2019 11:04 AM
Reset All Settings sounds scary but it just removes the wallpaper and changes a few other relatively unimportant things about the device. It can be easily explained in court. I'd highly recommend that method. It's worked both times I've needed to do it
😉 1
👌 2
Avatar
If you are unsure the process is pretty well explained in https://support.apple.com/en-us/HT205220#help, says exactly what it resets if you need any documentation! Doesn't get more official than that!
To protect backups of your iPhone, iPad, or iPod touch in iTunes, you can use password protection and encryption.
💯 2
🤙 1
👌 1
Avatar
Andrew Rathbun 8/28/2019 11:06 AM
That's exactly the document I cited in my case notes for both phones
11:06 AM
Thanks for posting that @Erumaro
Avatar
@rico For the KTX extension, I export them to a USB drive with UFEDPA and check with my iMac.
Avatar
@SPVQct3207 thx, I know what I must do... Find a Mac 😉
Avatar
Mistercatapulte 8/28/2019 11:06 PM
@rico or a VM 🙂
😂 1
Avatar
Hi everyone, in the unified logs of iOS, are the rows about "local area" (equivalent of TAC or location area code in GSM) trustworthy? Because in my current case (discovery of a cadaver), after the ISP response this iPhone was located 30 km from the corpse.... So for us: of course there is an accomplice
Avatar
With over half a million users, Signal is an incredibly secure cross-platform instant messaging app. With emphasis on security, there is no wonder that Signal is frequently picked as a communication tool by those who have something to hide. Elcomsoft Phone Viewer can now decr...
👌 2
Avatar
Quick question anyone know the value meaning for delete direction in store.cloudphotodb? Values are 1 and 2. This is for iOS iCloud data
Avatar
I know this is a dumb question but....why is the IMEI rarely parsed in PA when you have just a physical? Is the IMEI not usually located in some file at least in text form?
Avatar
Andrew Rathbun 8/29/2019 2:04 PM
Is the phone a GSM device? If not, it won't have an IMEI
Avatar
it is an ATT device
Avatar
I feel like I've got to be missing something obvious or just not understanding it. Logical can find it, why can't the physical? Is it encrypted and becomes unencrypted once booted, which is why the logical can parse it?
Avatar
Comes from lockdown folder. Not same in full file system.
Avatar
@AA are you talking about GK extractions, or CAS ones?
7:36 PM
with CAS extractions, we pull it and decode it from the AccountToken.txt file
Avatar
From Logical,
7:48 PM
From full FS
Avatar
I can vouch for what AA is saying. I've seen this happen a lot of times with some cheaper handsets. Happens with Nokia's as well as some other cheap mtk and spreadtrum devices. Most of the devices this happens with have logical and FS support though and multiple extractions make this sort of a non issue. Would still be nice to know why it's not recovered from physical extractions though
Avatar
@CLB-Paul Had a look at previously examined devices and can confirm the following devices' IMEIs have not been decoded when physical extractions were obtained: Nokia TA-1010 RM-638 RM-945, Alcatel 1066G, HTC OPA2110, Huawei EVA-L09, Samsung G925F (case notes are lacking here due to it being a very time limited job but almost certain a forensic recovery partition extraction was completed on this)
Avatar
Mattia Epifani 8/30/2019 12:40 AM
@whee30 sysdiagnose is a "snapshot" of configuration files + logs already stored on the device (in various folders; to understand exactly where they are copied from you need, as you said, full file system access) + execution of some Unix commands with the output stored in txt files. When you "invoke" a sysdiagnose generation the device (iPhone/iPad/Apple Watch/Apple TV) will generate the sysdiagnose.tar.gz file.
👌 2
12:41 AM
We wrote a paper on this with @heatherDFIR and Adrian Leong (Cheeky4n6monkey)
12:42 AM
It is available here http://for585.com/sysdiagnose
👏 1
Avatar
@Mattia Epifani thanks for the link. Very interesting paper
Avatar
Mattia Epifani 8/30/2019 1:14 AM
Thanks! @heatherDFIR and I will give a presentation on this topic at OSDFCON next October.
Avatar
Mattia Epifani 8/30/2019 2:04 AM
This is where the sysdiagnose executable is stored on iOS 12.4
2:05 AM
And this is where the result is stored (accessible also without a jailbreak)
👍 3
Avatar
Does anybody have a problem decoding the latest iOS WhatsApp app (2.19.80) in UFED or XRY? I have the conversation but some of the last messages (received messages) are missing in some chats but are present in the database. Axiom parses it with no problem 🤔 (edited)
Avatar
heatherDFIR 8/30/2019 6:05 AM
@Dam parsing my own iPhone now. Will let you know.
Avatar
@heatherDFIR thanks. Some message bubbles say system message and they're empty. But in the database it's a normal message
6:15 AM
That's for PA. In XAMN the messages are readable but not linked with the conversation.
6:15 AM
And in AXIOM it’s readable and linked 😁
6:17 AM
I only see that in newer messages (after the last WhatsApp update)
Avatar
@CLB-Paul Sorry, I should have specified more clearly. They are physicals from Android devices.
Avatar
@0x3db Thank you. Most of my issue seems to be when the device is locked and all you can obtain is a physical. I feel like the IMEI should be somewhere in that data, some app or DB or something. But I could be way off.
Avatar
@AA
9:29 AM
Avatar
@CLB-Paul I apologize, I am not seeing an EFS path in my extraction.
Avatar
It was from an S7 extraction
10:28 AM
So not sure if on every phone
Avatar
Okay, gotcha.
Avatar
I knew the IMEI and did a string search for it. And found it there.
Avatar
yeah, I may need to try that on a known similar device.
Avatar
I tried to do the same with an older Samsung but that directory was empty
Avatar
heatherDFIR 8/30/2019 11:54 AM
@Dam I am not seeing any gaps on mine, but I am not sure when WhatsApp updated last. Do you have a specific date range?
Avatar
The last update is from the 5th August
11:56 AM
But it's only in some messages and in some chats. I cannot find why these messages specifically. And in the database I cannot find any relevant difference between these messages and the other ones 🤔
11:57 AM
@heatherDFIR thank you for the check. I will do more research on Monday and let you know.
Avatar
heatherDFIR 8/30/2019 11:58 AM
I am loading my phone dump from August 7th. Hopefully it has the current whatsapp. What type of dump did you do on the device?
11:58 AM
I may have to dump mine again to compare, but may not get to that today. What version of PA 7.22?
Avatar
Yes 7.22
11:59 AM
And xry 8.0.2
11:59 AM
Axiom 3.5
Avatar
heatherDFIR 8/30/2019 11:59 AM
Thanks
Avatar
Extraction was made with 4PC
Avatar
heatherDFIR 8/30/2019 12:00 PM
Okay. That is what I am loading now because my Method 1 and 2 were a few weeks earlier than Aug 5th.
Avatar
Just check your WhatsApp version. Mine is 2.19.80
Avatar
heatherDFIR 8/30/2019 12:17 PM
Mine is 2.19.79. I will make sure to try this after the weekend. Can it wait until then? I will update and use WhatsApp over the weekend.
Avatar
@heatherDFIR yes, no problem. I actually do this for my own understanding because the chat is already parsed anyway. I will do more research on the database and spot the difference between these messages and the others
Avatar
@Mattia Epifani thanks for the reply! I love getting good info from an authority on the subject... this channel has been great to learn from. I’ll look up that conference, I’d love to start getting some more in person training.
Avatar
To follow up on my previous IMEI question. At least in the 3 AT&T phones I have spent some time on researching; the IMEI is stored in: userdata/root/data/com.synchronoss.dcs.att.r2g/files/dcs.db it is only viewable in the HEX data though and not in the DB file that I could tell.
4:11 PM
I did find a couple instances of Facebook storing the IMEI in their app_analytics in some JSON files. ORCA or KATANA. /Root/data/com.facebook.orca/app_analytics/normal/com.facebook.orca/ and then there are several random folders within folders here didn't spend much time to figure out what they mean or which JSON it actually is.
4:13 PM
And the AT&T phones were 2 ZTE and 1 LG. They all had the dcs.db so it wasn't device specific at least what I could tell.
4:13 PM
This info may all be out there somewhere but hopefully it helps someone and it gave me some more practice of going through tons of hex and manual parsing.
👌 1
Avatar
@AA there doesn't seem to be a rhyme or reason where it's stored. With Logical it makes sense with extraction via API but not physical. I agree that my other "control" hits for the specific IMEI came out of very strange locations and were not repeatable on other devices.
Avatar
@CLB-Paul Yeah, makes some more sense now. I am hoping I can keep collecting some data going forward and maybe there are at least some consistent locations that will always store it, perhaps per carrier. So that in the future it can be some sort of script or something that just has all the possible locations and can do quick scans to parse it out. (edited)
👍 1
6:38 PM
Then again, I’ve never done any of that so 🤷🏻‍♂️ haha
Avatar
Are there any artefacts in Android that show what MicroSD cards have been inserted?
1:17 PM
In a similar vein to Windows Registries showing mounted drives/VIDs and PIDs?
Avatar
Question: if we find a video in a UFED extraction under Media/Phone/Telegram/Telegram Video/, does it mean it's downloaded/received? Or are sent items stored there as well?
7:16 AM
(Advanced Logical without actual chat messages or timeline) (edited)
Avatar
@Pseudonym yes.. kind of... standby let me get my notes for it (edited)
7:31 AM
@Pseudonym take a look at external.db it will tell you if a microSD card was inserted but not the specific one
Avatar
@Nemesis I just tested it on my phone, I have both directions (sent and received) in this folder. Without the chat messages I could not tell which video was sent/received
👌 2
Avatar
chrisforensic 9/3/2019 8:22 AM
yes, and if the owner of the phone has a subscription to a channel in Telegram and in settings the option "automatic media download" is activated, all media files from the channel will be downloaded automatically into the folders "telegram images" or "telegram videos" (edited)
👌 2
Avatar
Thanks a lot! Couldn't test as I'm on iOS
Avatar
Deleted User 9/3/2019 10:23 AM
I've found out that with AT commands I can put a Samsung in multiple download modes. Does anyone know what these different modes are for?
Avatar
@Deleted User What are the commands?
Avatar
Deleted User 9/3/2019 11:41 AM
I'll have to look at my notes tomorrow. I'll let you know
Avatar
Does anybody know what "Reminder Locations" are in UFED PA? I've got a bunch of them which seem to originate from Google Maps but when I look them up in Google Earth (exported as KML) they are all over the place. In short, the device couldn't have been at all locations listed in the small amount of time available unless the owner was wearing some type of jet pack. @Cellebrite
Avatar
The locations parsed out by PA and extractions aren't always where the actual device has been. Some apps store GPS data as metadata so that's why you'd see multiple locations far apart in a short timescale. As for the actual explanation of 'Reminder Locations' - could this be something to do with calendar entries? or Reminders app if it's an iPhone? @Sockmoth (edited)
Avatar
heatherDFIR 9/4/2019 10:24 AM
I have seen a lot of my reminder locations be based upon calendar timezones.
Avatar
Mistercatapulte 9/4/2019 10:45 AM
PA 7.23 is released guys (edited)
👍 4
Avatar
Just had an email that Sandersons is back too via @TeelTech which is fantastic news
👍 5
💯 1
Avatar
Andrew Rathbun 9/5/2019 6:39 AM
Three Tools To Master SQLite Databases Purchase Now Learn How to Use Forensic Toolkit for SQLite in TeelTech’s SQLite Forensics class. Receive a free …
Avatar
forensicmike @Magnet 9/5/2019 8:24 AM
wb @Paul Sanderson !!
Avatar
Mistercatapulte 9/5/2019 9:38 AM
a new 7.23 release is out guys
9:38 AM
7.23.191
Avatar
I am looking at an old Sprint flip phone (Kyocera DuraXT). Cellebrite does not parse SMS or much of anything from this phone. Cellebrite did collect file system data. I have located SMS message text in a file called "msgindex.idx". Anyone had experience parsing this particular file?
Avatar
Anybody seen a physical dump from a device which when decoded only shows ER18 repeated throughout the Hex View of the Memory Ranges? I have two devices I dumped through the @Cellebrite Touch2. Both devices have the exact same results. One was completed through the phone's profile and the other was a generic Qualcomm extraction. Could this be a decrypted vs unencrypted extraction issue? (edited)
Avatar
Can anyone say how an iPhone we were doing some testing on wiped itself? It was in airplane mode. No eSIM. No normal SIM. No WiFi connection. It's now displaying the hello screen. Rather puzzled!
Avatar
have you started to walk through the Hello screen to see which version of hello you are getting?
12:16 PM
Is it possible it is just the hello screen after an update?
👍 1
Avatar
Ran through hello bit ... 6 digit code accepted then it shows connect to iTunes
Avatar
sounds more like an update than a wipe.
Avatar
How can it attempt an update if it has never connected to a network? It was extracted last week after successful access using a pin code. Since then powered off. 1 week later powered on and it now shows the hello screen, requests the code but then prompts to connect to iTunes. As @4N6Matt says it’s rather puzzling
Avatar
That I don't know. I was just putting a guess out there based upon the couple different possibilities for the Hello Screen. Since you had to put in a known password, it doesn't sound like it was wiped. I could be wrong and if someone else from @danmiami0001 @Grayshift @Magnet Forensics might be able to give better insight. @heatherDFIR might also.
1:21 PM
@deleted-role might have suggestions as well
👍 1
Avatar
@sholmes thank you for your help
Avatar
No problem. Sorry I didn't have better answers or knowledge
Avatar
forensicmike @Magnet 9/5/2019 1:38 PM
@Tina I have definitely seen a Hola screen post update (usually a major version update). Updates CAN be scheduled though.
1:39 PM
This is one of the reasons exigent extractions are justifiable, there's really no way of knowing.
1:43 PM
Ok scratch that, the Hola screen that occurs after updates doesn't lead to a 'connect to iTunes' prompt, just an irritating 'setup your iphone' workflow (edited)
Avatar
Semantics 21 (Tom) 9/5/2019 1:49 PM
@Tina Out of interest, was your lab computer connected to the internet or previously used to update another iPhone via iTunes?
Avatar
Hello Guys, I got a question. I am working with a ZTE Z232TL that was chipped off and an E01 file obtained. I used Physical Analyzer to view the extraction. I ran into an issue I have not seen before. When looking through the hex to find web searches of interest I found some that needed to be tagged. I looked at their source and saw they came from browser2.db. However, when I go to the database section and look at that database none of the searches are showing up. I can't figure out why they do not show up in the database even though they show up in the hex. The phone uses the UME browser.
Avatar
Disregard question. The solution was found. What I had to do was open the database with SQLite wizard and enable the option for including deleted rows and the searches appeared.
Avatar
@Semantics 21 (Tom) no our workstations are not connected to an internet connection.
Avatar
@heatherDFIR UFED PA 7.23 resolve the problem with the whatsapp. 👍
Avatar
chrisforensic 9/7/2019 5:44 AM
Dear @Cellebrite ... today I searched a little bit in your "knowledge base" and found this info about dealing with Huawei backups in PA... hmmm... I wondered since when PA supports import and decoding of encoded Huawei backups... I tested it like mentioned and as expected, the result was ...... (edited)
5:44 AM
5:45 AM
  • as I know, HiSuite makes "encrypted" backups only
    • unencrypted backups are only possible with the backup app on the phone (as mentioned here in this channel)
  • PA doesn't recognize - inform - that the backup is encrypted
  • PA doesn't ask for the encryption password to encrypt the backup
(edited)
5:45 AM
5:47 AM
BR
Avatar
@chrisforensic, I'll check this issue.
Avatar
chrisforensic 9/7/2019 7:29 AM
@alona thanks
Avatar
@chrisforensic At the beginning I also thought that it was only encrypted backups, but that there is the step of the encryption must make a return or something of that kind
Avatar
chrisforensic 9/7/2019 10:27 AM
@rico in the latest version of HiSuite there is definitely no option to make an unencrypted backup! In an older version there was an option, but the backup was encrypted anyway! (edited)
10:28 AM
Avatar
@chrisforensic I only use your apk that you shared. But sometimes some devices do not allow uninstallation of this apk
Avatar
@twreese Can you try running the SamsungPolarisMessage plugin (using Plug-Ins > Run Plug-in...), or the SanyoCDMASMS?
12:06 AM
They both seem to be dealing with files with the name msgindex.idx
Avatar
chrisforensic 9/9/2019 11:20 AM
good evening @alona ! would you have time to look at the issue with the import of huawei-backups to PA ?
Avatar
heatherDFIR 9/9/2019 3:22 PM
@sholmes I notice the hello screen after I upgrade or downgrade the iPhone, but I am connected to a network.
Avatar
@heatherDFIR thanks for confirming that information. We were helping @Tina with their phone. I mentioned the screen they were seeing could be one of the few hello screens. Either from brand new hello, upgrade hello, or wiped hello. I didn't know if there were any others, but thought you or some of the other gurus might know off the top of your head. They had a unique situation as stated above.
Avatar
Anyone notice a change to WhatsApp's behaviour in the last few months as to media automatically saving on the device? Noticed that back in July when I received an image on my personal device it went into the WhatsApp folder under Photos. However recently received images are not present there but still viewable offline. Phone is set to download media over WiFi, that setting hasn't changed. Only images present since July in that WhatsApp folder are ones I've taken with the WhatsApp app and sent. (Device is an Android, but I replicated the same thing on my Dad's iPhone so now thinking WhatsApp is just saving those images to an app folder instead of the device gallery / camera roll) (edited)
Avatar
@chrisforensic, hi Chris, I checked it. You are right, our parser expects unencrypted databases, so for the current HiSuite version it won't work. I hope we will fix it soon.
👌 2
Avatar
Where does UFED PA get "Phone Activation Time" info? Recovery starting time values in the last_log and recovery_log.txt files are different from phone activation time. I am a bit confused because in an older case they were the same. Is it last power on time or something else? (edited)
Avatar
MrMacca (Allan Mc) 9/11/2019 2:07 AM
Morning Guys, got a question relating to an iTunes backup and Chrome passwords contained within. I've loaded the iTunes backup into Axiom 3.5 and if I go to the Passwords and tokens section, all of the Passwords show as encrypted. Is there a way to decrypt them?
Avatar
Looking for some advice.... I have an extraction from an Android device on which there is a torrent app called ZetaTorrent. Does anybody have any resources/information about artefacts that would evidence distribution of files? Please and thank you! Using UFED PA by the way...
Avatar
@Bob Ross do you have actual .torrent files on the handset? Might be worth firing up an Android emulator and having a play with it to see where it stores stuff. By the nature of torrents, if they are downloading they are also uploading, that's how it works.
Avatar
Some clients will allow you to throttle upload speed all the way down to 0 (but I agree in principle!)
Avatar
In the clients i have seen 0 indicates unlimited, 1kb/s is the slowest. Worth a test though.
Avatar
Some clients will do -1 for unlimited, and 0 is therefore actually 0 (however there is still some networking overhead whilst talking to trackers etc)
Avatar
I'm just looking at ZetaTorrent now in BlueStacks.
7:01 AM
You can set a share ratio limit from unlimited to 5.0
Avatar
This appears to be your default path
7:08 AM
for downloaded data
7:08 AM
Start by looking there.
Avatar
Okay great, that confirms some of my findings also! Thank you 👍🏼
Avatar
Mistercatapulte 9/11/2019 7:37 AM
Does anyone know if the iPhone keeps info in a db about a possible reset action (didn't find the "obliterated file" in the FFS dump I've done)? iOS 12.2. Same question about a Samsung J320F. Thanks community!
Avatar
heatherDFIR 9/11/2019 9:25 AM
You can look at the purplebuddy plist to see how and when it was set up. I like to look at the creation time of the Addressbook.sqlitedb and compare to the plist. Gives you a good idea of when it was wiped if the .obliterated isn't there.
Avatar
Mistercatapulte 9/11/2019 9:26 AM
@heatherDFIR thx Heather, i take a look
9:31 AM
@heatherDFIR i've sent DM
Avatar
So, odd question load extraction on computer A get 700+videos and all sorts of data. Transfer extraction to different computer reopen extraction SHA256 matches, yet only decoding 400ish videos now. Both machines running 1903 for OS, and 7.23 for PA. Looking in settings nothing is set to automatically discard or ignore any files. Any ideas?
Avatar
Maybe the settings for PA regarding carving from unallocated space or recover data from archives?
Avatar
I have an Android Q-Innovations QS5509A that is running Android 8.1. I was able to get a full unencrypted physical using the @Cellebrite Qualcomm EDL method. When running it through PA I was able to decode everything that was on the phone but did not get any deleted info. I know from statements from the subject that there are deleted photos and text messages. Does anybody have any other suggestions?
Avatar
@goalguy Along the same lines as i was saying to @Palazar82 you may check your "Decoding" settings recover deleted data from unallocated, recover from archives, and deep carving? For the photos you could always do the additional carving for photos: tools -> get more data -> carve images
Avatar
I will check the settings when I am back in the office tomorrow @AA
Avatar
@goalguy I have no idea if that is the problem/solution, just a thought.
Avatar
@AA I will take any thought with this case so it is appreciated.
Avatar
@goalguy I also looked back at 2 of my extractions on the QS5509A and they definitely had some deleted data in the MMS/SMS and images.
11:08 AM
That PA found
Avatar
Ahh interesting will check that out, this is an iPhone X so no unallocated and the settings for decoding didn't have anything ticked to disregard anything. But I'll check out some of the other stuffs.
Avatar
@goalguy if you have a physical, and have x-ways, you could drop it into there and carve also. I’ve done that before now for deleted data
Avatar
@goalguy Looks like it's sold with Android 8 Go edition. From what I understand about Go edition, it is designed to run on lower spec devices with smaller storage. It's possible that processes like wear leveling and garbage collection are more aggressive to keep space free. Just because you know it's deleted does not mean it's recoverable. Just another thought, someone correct me if I am wrong.
Avatar
Does anyone else also have this problem in @Cellebrite UFED PA 7.23: when using the SQLite wizard on a db I cannot go to the mapping field page (where I can map the created fields to a data model) because of the error message "No results for the current query"? I have a select statement with results and I see these results
Avatar
@MSAB I have a problem with XAMN 4.3 (viewer and spotlight) I cannot make a filter using image type. Don't see the option "create a filter"
Avatar
Sorry to hear that, do you mean that the Image Type property does not have the create filter when right clicking on it? If you could DM me a screenshot or send to support@msab.com I can have a look!
Avatar
@Erumaro yes exactly I'll send you a screenshot in DM
Avatar
@kalinko Please DM
Avatar
Deleted User 9/13/2019 5:23 AM
I have Huawei safe box files (and I have the password). Can anyone tell me if there is a way to open them without using the mobile phone?
Avatar
Pretendigator 9/13/2019 5:49 AM
Is anyone aware of any research/information in decoding a dump from an encrypted windows 10 phone? (specifically microsoft lumia 950 XL)
Avatar
I was successfully able to obtain a physical extraction of a phone through the EDL method. It appears the suspect was utilizing the Signal messaging app for his primary messaging. I understand the Signal app encrypts message data, and I am unable to bypass the lock screen to manually view the messages. Is there any method or possibility to decrypt these messages? @Magnet Forensics
Avatar
Crabbers (Chris) 9/13/2019 9:14 AM
@renfantino is this on iOS or Android?
Avatar
@Crabbers (Chris) Android
Avatar
Crabbers (Chris) 9/13/2019 9:59 AM
Newer versions of signal use the android keystore which is hardware backed so can't currently be decrypted from an image. If you are able to get the phone unlocked then a backup from inside the app would be your best bet
Avatar
Anybody else having issue with @Cellebrite PA 7.21.0.191 getting stuck on trying to open an iPhone Advanced logical? Looking at the trace window it appears to be stuck on "Parsing Health_1.0" and has been for over an hour.
Avatar
heatherDFIR 9/13/2019 11:08 AM
@goalguy you should update. I had issues with that version and Windows 10 updates in general. 7.23 is out.
Avatar
Thanks @heatherDFIR I meant to say 7.23 It finally finished parsing 2 hours later.
11:10 AM
It could have been an issue with my machine. I was doing some other stuff at the same time so resources could have been spread thinner than normal
Avatar
w3aryb0arpig#6666 9/13/2019 1:13 PM
I’m travelling this weekend so don’t have access to any of my tools but a colleague has asked me a question. On iOS 12.X (unsure of minor version), is it possible to establish the date a contact was added as a contact? As said, I don’t have any access to tools or test data to check what’s in the Contacts SQLite DB. Thanks (edited)
Avatar
heatherDFIR 9/13/2019 1:39 PM
@goalguy I wonder if your version of Windows is problematic. I couldn't even keyword search - it was that slow. I updated and all went smoother.
Avatar
@Cellebrite What is the meaning of "Phone Activation Time" and "Last Known Use" in UFED PA? Where does UFED PA get these values?
Avatar
Forensic@tor 9/14/2019 4:22 AM
@yivlik#4649 Check the PA manual as it details a lot of the fields.
Avatar
Log into MyCellebrite > Go To Technical Support > Knowledge There's a lot of good stuff in here to browse through. If you search for Phone Activation they have a post for that A lot of people don't realise this is in here. They just use MyCellebrite to get updates and miss the Go To Technical Support link at the top right of the page !! (edited)
👍 9
Andrew Rathbun 9/14/2019 4:30 AM
Avatar
Andrew Rathbun 9/14/2019 4:33 AM
I had no idea that existed, personally. I'll check it out next time I'm in MyCellebrite (edited)
Avatar
@Andrew Rathbun Careful, you can get lost in there for hours 😀
4:35 AM
A bit like in here 😀 😀 😀
👍 1
4:40 AM
@Andrew Rathbun For those poor souls not yet amongst us in here, they contact @Cellebrite via normal email or portal. Cellebrite often responds in the Knowledge section when they get a lot of queries for the same thing. Things like a recent post of theirs "How to Resolve Nokia GSM 1600 (RH-64) Cable B with Light Blue Tip T-53 Suggested by UFED 4PC not Fitting Phone" with instructions and pictures. Yet another place to keep me from getting around to cutting the lawn .............
Avatar
@jifa @Cellebrite I know there were some possibilities of extracting the keystore via rooted device. I am curious if you guys can do it or are working on a way ?
4:45 AM
also are you getting a mem dump with any of your newer extraction processes? (edited)
Avatar
@San4n6 yes, we have some possibilities 🙂 we are working on making it more available in our different methods, it may take a while but we will get it.
12:09 AM
Same goes for memdumps.
Avatar
Are there any tools at the moment that can get mem dumps from live Android devices?
Avatar
@Majeeko you first need the appropriate permissions (rooted or temp rooted). I would believe many Linux memory forensics tools would apply but haven’t tried personally.
Avatar
@Majeeko As @jifa said, you need sufficient permissions. If you have root, you can use fridump with frida: https://github.com/Nightbringer21/fridump https://digital-work.space/display/AIRWATCH/Mobile+Application+Memory+Dump
Avatar
@jifa @OllieD Thanks, I'll add it to my long list of things to play with. 😋
Avatar
Whapa is a toolset to analyze whatsapp app for android. Whapa toolset is divided in three tools: Whapa, Whademe, Whagodri.
4:04 AM
I have not validated this or tried it.. I just saw it
Avatar
Mistercatapulte 9/17/2019 6:30 AM
Hi guys, Anyone have white paper about "Notestore.sqlite"?
Avatar
is the android version stored/displayed anywhere by Cellebrite after a Logical or Filesystem download? I'm looking at an old acquisition for a case where the version wasn't documented. I can go check out the device again but if it's in front of me and I'm just not seeing it....
8:50 AM
I am not picking it up anywhere obvious like the extraction summary etc
Avatar
Best decoding profile for Windows mobiles extracted via EDL?
Avatar
Hi, has anyone succeeded in doing a physical extraction on a Sony XZ F8332? The phone doesn't have a password lock and it's running Android 8. (edited)
Avatar
@denyzkoo On Xperia's, good luck! Unless you have a rooted phone or unlocked bootloader from your suspect of course. (edited)
Avatar
iOS question, what's the general retention period for native calls on iPhones? Got a case where all calls after 2 months are not present, but there are calls visible from WhatsApp etc prior to this date.
Avatar
@K23 How many calls do you see on the phone? I gave this some limited investigation a few weeks back and I believe the iPhone will show the last 100 calls but the callHistoryDB stores a lot more. Also worth keeping in mind that most apps sync the calls to the native call app so a call made with WhatsApp will likely populate both call logs but WhatsApp would likely show more than the last 100.
5:33 AM
In any case extracting the device is likely a good start as more than the last 100 calls will likely be decoded from the database, my limited testing shows it will store something like the last 200-250 calls but been unable to find an exact number.
Avatar
Don't have the handset in front of me right now, dealing with an extraction. Think there were around 200 calls populated as native calls, with a few hundred more from WhatsApp. I'll reopen and have another look
6:01 AM
I'll get digging into the databases!
Avatar
Just counted on my test phone and it only seems to show the last 100 in the native phone application itself but the database contained about 240
6:02 AM
241 to be exact! 🙂
Avatar
Good to know, cheers Tobias
Avatar
danmiami0001 9/24/2019 9:50 AM
Are you having trouble with #UFED Physical Analyzer and #iOS13? Are the backups missing? Watch this video from @HeatherMahalik to learn how you can use #iTunes backup. #TipTuesday https://t.co/JJ49hU2RxF
cellebrite 1
Avatar
Mistercatapulte 9/24/2019 10:29 AM
I need a little explanation: I made two dumps, one with UFED and the other via chip-off. The phones are a Galaxy S3 and a Core Premium (SM-360f). My concern is that in these two extractions I have no SMSs or call logs, how is this possible? (I reviewed the call and SMS dbs, which are empty.) How to determine if these phones have been reset? Thank you all (edited)
10:31 AM
Phones have Android 4.4.2 and 5.0.2 (edited)
Avatar
Are the databases present ?
12:42 PM
oh crap, didn't read the whole message
12:43 PM
Since you have a physical you can timeline it and see if it was reset there is an xml file that will provide last reset iirc I will have to look in my notes
12:46 PM
Cache/Root/recovery/last_log maybe in this location @Mistercatapulte
12:46 PM
should be a --wipe command
Avatar
Mistercatapulte 9/24/2019 1:04 PM
@San4n6 thanks :) very strange case to be honest. In the second phone, i have 2 contacts, video and pictures but no sms or calls
1:04 PM
i'll take a look tomorrow, it's 11PM here 🙂
Avatar
heatherDFIR 9/26/2019 6:39 AM
Safari question - anyone with an iPhone dump, do me a favor - look at the history and see if yours has location information in it. If so, please contact me offline. Trying to help someone out! I have tried so many devices and I don't get location information even though it's turned on. I am trying to help him put a phone in a place, but we need to be sure. Thanks!
Avatar
Adam Cervellone 9/26/2019 7:41 AM
@Cellebrite, When I import Project VIC Json files to use in PA, what is the best or correct method? I previously used the hash set manager and imported the Initial Json then appended all subsequent jsons to that file. I have a feeling that its not correctly hitting on files that other tools using the same jsons are.
Avatar
Adam Cervellone 9/26/2019 11:32 AM
Please disregard the question I asked earlier. I believe my issue is Vics version compatibility. With the exception of Griffeye, are Physical Analyzer and Axiom VICS 1.3 compatible?
Avatar
@Adam Cervellone AXIOM is compatible with both VICS 1.3 and VICS 2.0
Avatar
Anyone have any knowledge about Spotify on Android?
1:37 AM
I have a Samsung Galaxy S8 SM-G950F that has Spotify installed but the user is not logged in. When I dumped the memory card that was installed in the phone I found this: PHONE CARD/Android/data/com.spotify.music/files/spotifycache/Storage/74/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.file/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.file_embedded_1_partial.jpg. The file is deleted. The picture is of interest for our case but I need to explain what this is. 1. Could this be a user-added playlist cover picture? 2. And can I find somewhere which users have been logged in? (edited)
Avatar
Just a heads-up for anyone working with encrypted SQLite dbs: I had a wickr_db, 500kb, that I loaded into "DB Browser for SQLite" and opened with the correct key. The messages table only had one message in it. I noticed that the database also had a WAL file that was approx 1050kb (also encrypted). I then saved the DB without encryption and noticed that the "new" unencrypted wickr_db had the same size as the original file, 500kb. So I assumed the WAL file was not parsed when decrypting the DB the first time. So I simply cat'ed the two files (wickr_db and wickr_db-wal) into a new file. When I then reloaded that file in "DB Browser" the messages table had 120 messages. And when I saved the db unencrypted it was 800kb. Cat'ing the db and wal file will not always work, but this time it did, and the result was a lot more messages.
👍 5
Avatar
@.karate. I am curious once you decrypt the db if you can use PRAGMA wal_checkpoint or VACUUM to commit the wal into the db as well.
Avatar
Adam Cervellone 9/27/2019 5:25 AM
Thanks @MF-cbryant. Our current set is based on 1.2
Avatar
We should still ingest that as well
5:35 AM
@Adam Cervellone if you need a hand getting them into AXIOM just DM me and id be happy to help with anything
Avatar
heatherDFIR 9/27/2019 5:45 AM
Hi all. Got what I needed for the safari stuff. Thanks everyone!
Avatar
@San4n6 I've tried it. No more data is displayed. Maybe DB Browser is the reason it won't show up. I'm gonna do some more tests with native sqlite3 and sqlcipher.
Avatar
Forensic@tor 9/27/2019 7:07 AM
Anyone familiar with the KakaoTalk app? Specifically what databases may be parsed to obtain the conversations/attachments.
Avatar
@Forensic@tor Have you tried Talk.sqlite -- messages would be in "zmessage"
Avatar
Forensic@tor 9/27/2019 7:26 AM
@Rene Novoa Not seeing that database. Was only able to get an advanced logical, so may not have gotten all the databases.
Avatar
@Forensic@tor it could also depend on the version of Kakao you have as well. Is it on Android or ios
Avatar
Anybody know if there's a system event in iOS 12 for deleting contacts or deleting messages in the standard messages app?
Avatar
Forensic@tor 9/27/2019 11:47 AM
@Rene Novoa Samsung Galaxy S7. Physical extraction fails, so I am not getting the DB with advanced logical or filesystem.
Avatar
@Forensic@tor do you know the version of Kakao... If you can get an ADB backup then process it. Don't use those methods.. but create it on your own. I can check if Oxygen supports your version of Kakao... more data should be accessible on Android than iOS, that is why I had asked.
Avatar
Forensic@tor 9/27/2019 12:07 PM
@Rene Novoa I do have Oxygen. I tried to pull it via ADB, but I don't have access to that part of the drive. Needs root to gain access.
Avatar
Got a BlackBerry device (I know who has this), found a wifi of interest. Has a last modified_TS but the number is some shit I have never seen. Anyone got any ideas? 33.676060048 I suspect 28 Feb 2018 but unsure of the time. (edited)
Avatar
@Cellebrite I have an extraction of an iPhone running ios 12.4. The backup is encrypted and I have the password. When I open it in PA it doesn't ask for the password.
Avatar
I’m guessing it didn’t open it
Avatar
@Cellebrite Manually parsing numerous databases from an Android device. The built-in SQL tool grabs every database with the same name regardless of the path and throws it all together. But the table structure is slightly different so it is not clear in the parsed view. I would like to separate the output for each user, I have three separate users. I know it can be determined in the path to see the different user, but I am thinking about the end user in this case. Any information to separate it would be appreciated. I do not have the Sanderson tool otherwise I would dump them into it.
Avatar
heatherDFIR 10/1/2019 11:13 AM
@Dam make sure you do Open Advanced> Apple> iTunes and the prompt should appear. Also, which version of PA are you using?
Avatar
@heatherDFIR I did open advanced and iTunes. I tried almost all iOS profile. I use PA 7.23
Avatar
heatherDFIR 10/1/2019 11:16 AM
That is so strange. If you open Manifest.plist does it say encrypted True?
11:16 AM
Do any other tools prompt you for the password?
Avatar
Didn’t try with other tool yet. I will check the manifest tomorrow and let you know
cellebrite 1
11:17 AM
Thanks for the help
Avatar
Quick Question. If i have a GrayKey extraction and want to find the password for the iPhone where can I look. The extraction was moved off of the GrayKey itself so I can't look at the web browser page, just the files. I have the extraction open in Physical Analyzer as well.
Avatar
@CloudCuckooLand Did you have any luck with the Alcatel 1066G? I'm experiencing the same problems.
Avatar
disregard question. I found where it is
Avatar
Andrew Rathbun 10/2/2019 6:31 AM
@zero00796 mind posting what you found so others can benefit from it in the future if they have the same question?
Avatar
The passcode for the iPhone that GrayKey unlocks can be found in the GrayKey Extraction Report. There will be a space labeled "Passcode (or unlock mechanism)." However, since we gave the passcode to GrayKey mine stated "Escrow Unlock" and I had to go find where we wrote the code down.
Avatar
Does anyone have any familiarity with the ios ADDataStore.sqlitedb file? Looks like a running tally of hardware statistics. Any insights?
Avatar
Andrew Rathbun 10/2/2019 7:26 AM
Have you ever wondered how Apple can put out statistics such as “The average iPhone is unlocked 80 times a day”? How the heck do they know?
Avatar
Interesting, thanks! Doesn't look like it'll be of any use in this file, but it's still an interesting db.
Avatar
I've got a physical of an Android phone. Anyone know what file the Android ID is stored in?
Avatar
@Aneesh96 it should be in settings_secure.xml according to the physical I am looking at presently through Physical Analyzer
Avatar
On newer phones it's in: /data/system/users/0/settings_ssaid.xml
9:01 AM
Different id for different apps.
9:02 AM
On older (>8) it's in settings_secure as @sholmes wrote above
9:03 AM
Less than 8 😂
Avatar
Thanks @.karate. for the clarification. Mine was definitely 8.0. 🙂
Avatar
@sholmes @.karate. that's great. Thanks guys
👍 2
Avatar
CloudCuckooLand 10/2/2019 11:34 AM
@Busta I dumped it with CM2SCR, but to parse I had to make my own scripts for calls and contacts. Unfortunately, these are not 'mine' to share :/ I seem to remember messages were the same as other Alcatel dumb phones
Avatar
@Cellebrite When we acquire WhatsApp on Android phones through app downgrade, is the key to decode encrypted backups (.crypt12 files) extracted too?
Avatar
chrisforensic 10/2/2019 6:47 PM
@FabianoQ ...should be extracted (edited)
Avatar
@chrisforensic Thanks.
10:48 PM
I had a Huawei yesterday with v.10 of the Huawei backup utility. It no longer permits creating a backup that is not encrypted. The version was updated so I was able to uninstall and replace it with v.9, but when it is the "fabric" version I think this will not be possible...
Avatar
@FabianoQ I had the same experience. I created a backup with a password, to SD-card. Imported it in oxygen and supplied my password. It worked just fine.
Avatar
@.karate. I don't have oxygen, for the moment downgrading backup solved..
Avatar
Having an issue with @Magnet Forensics Axiom 3.4.1.15164 parsing data from an EDL extraction. Achieved a good physical of a phone through the Touch2. Physical Analyzer parses the 3 bin files fine. I can see the images of concern etc. However, I was trying to parse the bin files through Axiom and it doesn't show me any data in the folders which contain the images of concern. Has anyone else seen this? We are opening a ticket on the issue, but was checking to see if anyone else has seen similar results. Thanks
Avatar
@sholmes didn't have the same issue but try the last version of Axiom before you open a ticket.
Avatar
@Dam I did just that a few minutes ago with the same results.
8:08 AM
Thanks for that suggestion and reminder
Avatar
👍 no problem. Sometimes I forget to try with last version and the first thing they tell me to do is "update your version and try again"
💯 1
Avatar
So @Magnet Forensics got back on the EDL parsing issue listed earlier. They stated they don't support the multi segmented image created by the Cellebrite Touch2.
👌 1
Avatar
kmacdonald1565 10/4/2019 5:54 AM
will it work if you concatenate it?
Avatar
@kmacdonald1565 I don't know. What program would you use to concatenate the bin files? I thought I was slick and renamed them to E01 - E03, and Axiom laughed at me and said "Not today Fool!" Truly the craziest denial message ever from an application. LOL
😂 1
Avatar
Andrew Rathbun 10/4/2019 6:22 AM
I tried to do that with my issue from a couple weeks ago with the missing segments and X-Ways called me out and said, "Hah! E02 is actually E03, E03 is actually E04, etc". It outsmarted me 😦 (edited)
Avatar
LOL damn smart programs. They get me every time. (edited)
Avatar
Andrew Rathbun 10/4/2019 6:24 AM
Maybe if they weren't so smart my scheme would've worked...I can only dream though
😂 1
Avatar
hi, can anyone pls assist. have a physical extraction of a galaxy s7.. looking for any clues for a passcode for the 'for my eyes only' section in snapchat (which isn't the passcode pin). I have the images but need to get in to verify.. can anyone advise where I could look for this code?
Avatar
Andrew Rathbun 10/4/2019 7:08 AM
@monkpete having the images is half the battle so be glad you won that battle. SnapChat cannot decrypt anything in My Eyes Only, even with a search warrant, so that's good you have the images already. I've dealt with My Eyes Only a few times and I've never been able to recover the code. The suspect also "forgot" their code, too, so honestly your best bet would be to recover the code from the suspect and use the actual device to go into My Eyes Only and do a manual extraction the old fashioned way
Avatar
kmacdonald1565 10/4/2019 7:30 AM
@sholmes honestly I would have to look up the commands to do it. I have only done concatenation in a Linux terminal
Avatar
no worries. I can just try the EDL imaging through Axiom if needed.
7:50 AM
Thanks though!
Avatar
CLB_joshhickman1 10/4/2019 9:07 AM
@monkpete are you trying to determine the code, or just confirm they’re in MEO?
Avatar
Determine the code so I can capture the content
Avatar
CLB_joshhickman1 10/4/2019 9:16 AM
In newer versions of Snapchat the passcode is in bcrypt, which is a tough one. Depending on how updated the app is you may be able to get those files in another way. If you have “memories.db” data about any MEO files can be found in there.
9:18 AM
There is an update to this post. It can be found after the 'Conclusion' section. I was recently tasked with examining a two-year old Android-based phone which required an in-depth look …
💯 2
👏 1
9:18 AM
MEO is towards the end of the article.
Avatar
Crabbers (Chris) 10/4/2019 9:28 AM
@monkpete @CLB_joshhickman1 afaik the content in memories/MEO Android isn't actually encrypted.
Avatar
CLB_joshhickman1 10/4/2019 9:29 AM
@Crabbers (Chris) That is correct.
9:29 AM
But getting data about the files involves examining the correct databases. (edited)
Avatar
Crabbers (Chris) 10/4/2019 9:45 AM
I know my colleagues have updated our support for Android SC recently (want to say Axiom v3.5) to parse memories.db and cracked how to associate the .media files to their respective entries (we have data up to v10.63). The PIN for MEO is really just a UI function (at least in Android).
magnetforensics_alt 1
Avatar
That's great guys, I'll have a look at the article and see what else I can find. Appreciate the assistance
Avatar
Mistercatapulte 10/4/2019 10:29 AM
@CLB_joshhickman1 Very interesting thanks
Avatar
Anyone know if an "advanced forensic tool" will provide more Snapchat content than a Cellebrite advanced logical extraction? I'm trying to figure out if videos have been shared.
Avatar
For Apple iPhones, I found videos in this file path; can anyone infer whether they were created by the user's phone? /private/var/mobile/Containers/Data/Application/
Avatar
forensicmike @Magnet 10/6/2019 5:49 AM
@woody38 That is the app sandbox. I'm assuming we're talking about the files being found within a GUID subfolder in the path you provided? If there are actually videos in that path and not a subfolder, that is definitely weird and the only way I know of to move files there manually would involve jailbreaking the device.
Avatar
Mistercatapulte 10/7/2019 7:47 AM
Hi all, I just made a physical on a j600FN and I do not have much data (120 sms, 5 contacts, 100 calls). I consulted the logs and found a wipe on 31/12/2017, except this phone came out in May 2018 ...
7:48 AM
file i examined is stored in USERDATA/Root/log
Avatar
@Mistercatapulte Looks like the phone reset the clock to 2018/01/01 (minus timezone) or 2017/12/31 then did the wipe after. On some LG phones you can find the system file that triggered the wipe and look at the timestamp of that file to see the real date of the wipe. I don't know about the Samsung phone.. but I would take a look at all files under root/log and see if they contain timestamps or look at those files' created dates.
8:47 AM
@Mistercatapulte I will PM you an example with LG phones.. maybe you will be lucky and have the same files.
Avatar
Deleted User 10/8/2019 2:01 AM
I've found these databases in a GPS system. I can see data in the lastDestinationTable but not in navHistoryTable for example. Could someone explain this to me? And does anyone know what navShieldhistoryTable is?
Avatar
Is there any log in Android phones (more specifically a Samsung S8 of which I have a physical) that can be used to say WHEN WhatsApp was uninstalled from the device?
Avatar
Mistercatapulte 10/8/2019 4:11 AM
@FabianoQ localappstate.db
👍 1
Avatar
@Mistercatapulte Thanks my friend
😋 1
Avatar
Hey @Cellebrite When decoding an encrypted iPhone backup in PA, would it be possible to prompt for password a bit earlier in the process? Kind of irritating starting a process, then leave my desk to do something else only to return and find it waiting for me to input password...
Avatar
heatherDFIR 10/8/2019 8:00 AM
@jallis I have provided this feedback already. The dev team is on it.
👍 1
Avatar
Forensic@tor 10/8/2019 8:01 AM
@Cellebrite Still testing but it looks like method 1 and method 2 reports cable 220 is used instead of cable 210. (edited)
Avatar
@heatherDFIR 👍
Avatar
heatherDFIR 10/8/2019 8:14 AM
@Forensic@tor I didn't even notice. I always use my charging cable. :/
8:14 AM
I sent the message though. Thanks for the heads up.
Avatar
Forensic@tor 10/8/2019 8:15 AM
@heatherDFIR I only noticed because I was prepping to test pre iOS 13 and post iOS 13.
Avatar
heatherDFIR 10/8/2019 8:15 AM
Good eye!
8:15 AM
Just a heads up - I am headed to ICAC NW this week, OSDFCON next week and then a glorious vacation the following week. If you need me specifically, shoot me an email. I will try to keep my eye on this, but want you to know I am here for you. 🙂 heather@cellebrite.com or hmahalik@gmail.com
Avatar
torskepostei 10/8/2019 9:31 AM
Hi folks, working on an Android where owner is no longer around. I'm not that experienced in Android forensics, but my goal is to find last interaction owner had with his device. Any good links to sql queries or writeups on the subject? Android 8, Galaxy S8+, if that is relevant. (edited)
Avatar
@torskepostei Everything is stored in different databases, and not necessarily all SQL. Do you have any type of extraction from the phone? And what do you have access to as far as forensic software?
Avatar
torskepostei 10/8/2019 9:37 AM
I have a physical extraction from the phone
9:37 AM
And I have access to Magnet and Cellebrite tools
Avatar
If you load the extraction into PA and check the Timeline it should give you a good idea of the last activity on the phone.
Avatar
torskepostei 10/8/2019 9:42 AM
It does show the obvious ones, yes, such as messages sent, incoming calls, etc, but it would be nice to go a bit deeper, looking at other events that may indicate that the device has been handled in some way - unlock(-attempts), screen on/off, charging, bluetooth connections, etc
Avatar
CLB_joshhickman1 10/8/2019 12:36 PM
Introducing UsRT Thanks to the hard work of Chris Weber ( @RD4N6 ) we now have a way to parse the essential data contained in the Android ...
👌 1
Avatar
torskepostei 10/8/2019 12:50 PM
@CLB_joshhickman1 That looks very useful, thanks! A quick glance reminds me of some of the functionality in ARTEMIS, they analyze some of the same artifacts, right?
12:51 PM
Short Version Introducing a Python 3 script, with corresponding modules, that extend Sarah Edwards' APOLLO framework support to Android de...
Avatar
CLB_joshhickman1 10/8/2019 1:04 PM
I believe ARTEMIS handles UsageStat but not Recent Tasks. For RTs, there is a better explanation here: https://abrignoni.blogspot.com/2019/02/android-recent-tasks-xml-parser.html?m=1
This post is a continuation of my last blog post where I introduced a simple parser for the Android usagestats XML files. https://abrignon...
Avatar
torskepostei 10/8/2019 1:14 PM
Thanks!
Avatar
Is it possible to say if a WhatsApp message found on an Android phone was written on this device, or if it was written via web for example?
Avatar
Mistercatapulte 10/9/2019 2:34 AM
@jallis when you do an extraction in Excel for example, it indicates what platform was used (with PA of course) (edited)
Avatar
@Mistercatapulte Does it show this information for each message?
Avatar
Mistercatapulte 10/9/2019 2:49 AM
@jallis yes
2:50 AM
sometimes I don't have this information, "unknown" in the column, but in 90% I have the platform used
Avatar
But this information is not available in Cellebrite Reader? You have to export to Excel?
2:53 AM
Not sure which column you are referring to?
Avatar
Mistercatapulte 10/9/2019 3:12 AM
I never used UFED reader, i don't know
Avatar
@jallis, you can see it in PA and Reader in conversation view as small PC or phone icon on each message.
Avatar
@alona Great, that's exactly what I was looking for. Anyone know where this information is located in the database? The "origin" column in the messages table piqued my interest, but not sure if this is where it's at?
Avatar
Any way to search/filter for messages written on desktop (or mobile)?
Avatar
@alona What value do you have in the origin column in the db for the two example messages in your screenshot?
Avatar
@jallis, those example messages I've created manually just now in order to show you how it looks in PA. Where exactly this is located in the WhatsApp db I can check tomorrow.
Avatar
@alona Thank you. I'm curious, how did you create this manually?
Avatar
@jallis from python shell
Avatar
Does anyone know where application usage/activity for android are stored? Trying to determine when application was opened/used and how many times etc
Avatar
I got it - system/usagestats/😊
Avatar
Donflamenco 10/9/2019 8:43 AM
A snapchat video was sent to a client and that video is known to be pertinent to a case. It has not been played yet. Is there any way to preserve the video? Whether that be Cellebrite advanced logical extraction (before and after viewing) or just recording the screen of the device as the video is played in snapchat.
Avatar
@Donflamenco whatever other solution you choose I would really advise you to record the screen. And I would record the whole process from opening Snapchat to viewing the video. If it’s an iOS device you can record the screen with QuickTime from a Mac. If it’s Android I’m not sure if Snapchat allows screen capturing, but if it does you can use adb to record.
Avatar
Donflamenco 10/9/2019 9:43 AM
@.karate. Ultimately I think we are doing both the methods I described just in case. We will be using a video camera watching the entire process of unlocking the device and opening the app and watching the video.
Avatar
👍 snapchat is weird. Even if you are supposed to be able to view a snap or video a second time some times the media is not present when extracting all data.
Avatar
Forensic@tor 10/9/2019 11:49 AM
Anyone have a good tool for analyzing the keychain extracted from an iPhone via GrayKey?
Avatar
forensicmike @Magnet 10/9/2019 11:59 AM
AXIOM can do it. Are you after a specific app or just looking for generic intel on what's there? @Forensic@tor
Avatar
Forensic@tor 10/9/2019 12:10 PM
@forensicmike @Magnet I have an iPhone 7 with a custom numeric PIN (no idea of the length). Hoping to find some data in the keychain which might suggest a possible PIN code.
Avatar
forensicmike @Magnet 10/9/2019 12:12 PM
An updated version of the free Magnet AXIOM Wordlist Generator tool is now available for download. The long-standing roadblock to examiners when dealing with iOS devices, has been the device’s handset lock code. There are several types of passcodes that an examiner may com...
👌 1
Avatar
Forensic@tor 10/9/2019 12:15 PM
@forensicmike @Magnet I will check it out
Avatar
forensicmike @Magnet 10/9/2019 12:17 PM
Cool! Good luck and let us know if it works for you 🙂
Avatar
Forensic@tor 10/9/2019 12:21 PM
@forensicmike @Magnet Waiting for the email so I can download the app.
Avatar
Man I really like the colour of @forensicmike @Magnet 's name D:
magnetforensics_alt 1
2:39 AM
On a serious note does anyone know where can I find information as to when an application was uninstalled? Or any indicators that suggest it was uninstalled on this date?
Avatar
iOS or Android? iOS stores it in KnowledgeC but you need a full file system to get it.
Avatar
Android
2:43 AM
I should've been more specific!
Avatar
@Pacman /data/data/com.android.vending/databases/localappstate.db, /data/data/com.android.vending/databases/llibrary.db, /data/data/com.google.android.gms/databases/gcm_registrar.db. Huawei and Samsung have their own brand-specific db's that could or can be interesting.
3:40 AM
Saw that you are looking for uninstalled, then gcm_registrar.db should be the one you're looking for.
Avatar
I'll have a look now, thanks @.karate.
3:47 AM
Ah pants, no data regarding when an application was uninstalled on gcm_registrar.db
Avatar
If anyone can suggest any methods of determining when an application was uninstalled, that would be great - extremely important for the case I'm working on. I can provide a list of when the application was used and how long the application was opened for, which is great. I just need the dates of when the app was removed. 🙈
Avatar
iOS/iCloud question. If i have two ipads with the same apple id, can open tabs in safari on one device be synchronized with the other device? Or have open tabs displayed on a device in safari originally been opened on this device?🤔
Avatar
forensicmike @Magnet 10/10/2019 5:39 AM
I believe you are referring to Continuity https://support.apple.com/en-ca/HT209455 which does not specifically sync open tabs but allows for a user to open new tabs instantly based on what is open on another device.
With Handoff, you can start work on one device, then switch to another nearby device and pick up where you left off.
Avatar
Forensic@tor 10/10/2019 5:55 AM
@forensicmike @Magnet Was able to create a word list, but the data is large. Nothing is jumping out at me. However, processing the PLIST gave me a text app which utilized plain text for user name and password. I do have a suggestion. As AXIOM is partnered with Graykey, I would suggest creating a lightweight viewer/browser to parse the keychain.plist and password.txt files that are generated from the Graykey extraction. This would be very beneficial to the community. I have found clues to PINs and passcodes from these files, but getting the data sometimes is cumbersome, especially the keychain.plist as you can't easily view it.
Avatar
forensicmike @Magnet 10/10/2019 5:58 AM
Good thinking! I have actually written a C# script to do all the base64 decoding of at least the key names and such to make tracking down values easier for the work I do, so I know what you mean.
Avatar
@Pacman have a look at Axiom @Magnet Forensics. I have a case where the suspect was going about his naughty business. I 'obtained' a cloud download of his account and phones, keyworded the application and changed view over to timeline, it showed, searched for APPNAME, installed APP, used APP for period of time, deleted APP. It shows this happening over a 4 year period. Not just for one APP but for 4 or 5 applications. Kinda good OPSEC really. (edited)
magnetforensics_alt 4
Avatar
@Dfdan Where do you find information whether if an app is deleted or not?
11:47 AM
I do use AXIOM by the way :p
11:47 AM
Great tool.
👍 1
Avatar
@Pacman I've just checked on AXIOM. All my good data came from a cloud DL with regards to the download, use and uninstall. On my FS of Android it shows install, use, communications in timeline view. In AXIOM, switch to timeline, select a time period you wish, keyword an APP and away you go. The Timeline Category column shows you the type of artifact; if an app were deleted it should be there, although this would depend on your source data having it in the first place. (edited)
Avatar
chrisforensic 10/11/2019 1:06 AM
oh, I just read, latest Oxygen Forensic Detective 12 supports KaiOS 👌🏽
💯 2
Avatar
@chrisforensic yeah, noticed that myself yesterday on the new home screen after updating ! Excellent
Avatar
Are there any good white papers on either the mmssms.db or icing_mmssms.db? I'm trying to get as much information as I can about a photo sent through Verizon Message+.
Avatar
Andrew Rathbun 10/11/2019 5:27 AM
@Joe Schmoe https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/ not a whitepaper but maybe this will give you a start
In this blog, Jamie McQuaid highlights the different types of messages you may get when dealing with a standard text message investigation in Android devices.
Avatar
@Andrew Rathbun Thank you.
Avatar
We just tested Oxygen v12 with a KaiOS physical. It does a great job!
👌🏽 4
👍 4
Avatar
Is there anyone who has done any research into Apple's "Identity lookup service"? Specifically in regards to what triggers the "Apple authentication process" log post for iMessage and Facetime (edited)
Avatar
franksvensson 10/14/2019 5:22 AM
Determining a complete list of contacts that a person of interest has on their phone can be challenging due to factors like deleted data, inconsistent app communication records and device migration data loss. Because of these variables, it is important to find a reliable reco...
Avatar
@franksvensson Thanks!
Avatar
Does anyone have a UFED script to run over a core.db file as part of Facebook Messenger Lite application? UFED has 1 side of the conversation from threads2 and it's listed as deleted. I can visually see the chat on the device. I can see the chat I'm after in core.db and it would be a massive help in the case to decode it. Thanks in advance
Avatar
@Cellebrite Hi, is there a way to retrieve any kind of data from an iPhone that was remote wiped ?
12:29 AM
I believe not due to encryption, but never know...
Avatar
Dam you are correct, not much sticks around after a wipe. This is a FBE device (presumably referring to a newer iPhone).
💯 1
Avatar
Deleted User 10/15/2019 1:34 AM
Good morning everyone. Do you have any suggestions to make UFED PA faster when reporting in PDF or HTML from an iPhone? I have an iPhone CAS extraction of 80 GB; it has been generating the report for three days. XEON E5 with 64 GB of RAM and SSD. Thank you
Avatar
Does anyone have anything to read Omegle LDB files which contain chat messages of interest to us. We can see it in a hex viewer but nothing seems to open them that we can find. Tried Access, file opener, SQL programs.....
Avatar
Access Workbench might help you if in fact your file is a locked Microsoft Access database
6:03 AM
but I doubt Omegle uses access db but never messed with that applciation
6:03 AM
application
Avatar
Anyone have a source for a Cellebrite plugin or script to search for credit card numbers? Tried running it though axiom hoping it would catch them, but no luck.
Avatar
physical dump or logical ?
1:22 PM
do you have a bin ?
1:22 PM
you can use regex in Cellebrite and Axiom
1:23 PM
or grep it
1:28 PM
you will have to use different expressions for different Vendors
Avatar
@cavemnkey just out at the moment but I'll DM you. We should be able to get this to work.
Avatar
@San4n6 that's the first thing we tried to locate and workbench was nowhere to be found!
Avatar
I need help interpreting some of the data in the mobile installation logs (iOS 12.2 file system extraction). I've looked through Alexis' blog on the mobile installation logs (great reference!!) and used his script with great success, but I still have some questions. First, is it fair to believe that when you see: "Attempting Delta patch/data container moved/install successful" - that's an update to an application (as opposed to a new installation)? Second, what can be inferred by the sequence of: "Data Container moved/made container live/install successful" (without seeing delta patches)? In one example, three minutes after the device was rebooted - 10 applications showed: container moved/made container live/install successful. One application has this happen twice within three minutes. I've verified that this doesn't happen after every reboot and I can't find anything else significant occurring on the phone during this time. Thanks!
Avatar
Anyone encountered cleanmaster generating thumbnails of images which have been previously deleted? There are multiple instances of images which only exist in the gallery cache also cached in the cleanmaster directory and the cleanmaster crystalexpressglobal directory. Just wondering if anyone's aware what generates these images. I'm guessing they're created when the image cleaner function is used and a gallery preview of the images on the device is shown to the user
Avatar
@Cellebrite Hi, I'm having problems with the analysis of a Huawei. I have a logical + Android backup + Huawei backup and PA is having problems associating media (opus, video, image) with the corresponding chat message (WhatsApp, Telegram). I remember someone talking about a PDF from Cellebrite on how to correctly manage this kind of situation. Can you please send this PDF? Thanks.
Avatar
@4N6Matt In the Physical Analyzer Python shell, you can use our LDB parser to try and get the data. For example, if you have the 'leveldb' folder Node from Omegle stored in the variable 'ldb_dir', you can use the following code:
import FileFormatParsers
# ldb_dir: the Node for the app's 'leveldb' folder, selected beforehand in PA
ldb_parser = FileFormatParsers.LDBParser.LevelDatabase()
# open the LevelDB store from that directory (same variable name as above)
ldb = ldb_parser.FromDirectory(ldb_dir)
Avatar
heatherDFIR 10/17/2019 6:33 AM
If anyone is seeing any issues in your forensic tools (in general) where the seconds are missing from timestamps - try this:
RegEdit: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
New DWORD (32-bit) Value
Name the key: ShowSecondsInSystemClock
Set the Value Data to 1
Restart computer
https://www.onmsft.com/how-to/how-to-show-the-seconds-on-windows-10s-taskbar-clock
This is a small trick, but one you might find useful. By default, Windows 10’s taskbar clock shows only the hour and minutes. There’s no built-in option to show the seconds too, which f…
👌 4
6:33 AM
I plan to record a #TipTues for this because I am sure many vendors are hearing that their tools are missing seconds.
Andrew Rathbun 10/17/2019 6:34 AM
Avatar
heatherDFIR 10/18/2019 6:37 AM
Has anyone tried this? How does it compare to other solutions and the DB Browser for SQLite? I haven't tried it yet. https://www.foxtonforensics.com/blog/post/free-sqlite-viewer-software-released
We have released the first version of SQLite Examiner, a free tool for viewing SQLite databases. SQLite Examiner includes standard features such as viewing data per table and writing custom SQL queries. It also includes a number of features for analysing Binary Large Object...
Avatar
@heatherDFIR In regard to the seconds, I had this a few years ago - I kept losing seconds in PA. D&T settings kept reverting to HH:MM instead of HH:MM:SS. I kept going in changing them back just through the normal Windows settings. I finally figured out that every time I ran UFED 4PC from scratch, it knocked out the system time settings to HH:MM; the knock-on effect was that it affected PA. After liaising with Cellebrite (Laurent) they were able to replicate this at their end and fixed it. Strange thing was it didn't affect everyone. (edited)
Avatar
heatherDFIR 10/18/2019 9:53 AM
That is crazy! Thanks for sharing that @Stevie_C
Avatar
@heatherDFIR I dug out the original email about it to support before I left work and forwarded it to your Cellebrite email address
Avatar
@heatherDFIR never tried it but heard of it. Does it open the SQLite in read only or make a copy before opening ?
Avatar
heatherDFIR 10/18/2019 1:12 PM
@Dam no clue. Never used it.
Avatar
Not sure if this is the best place for the question, but one of the examiners on my team just brought me a BQ Aquaris X phone. I thought it sounded familiar, and it turns out this is the exact make and model of an Encrochat phone. I'm fairly certain it is due to the nature of the offence, the phone and the fact the OS has no apps installed and is incredibly limited. Does anyone have any ideas around how I should handle this? I know that if I'm right this is a very sensitive device and I'd hate to put a foot wrong here.
Avatar
@KeenoRen search this channel for different ways of booting into the encro partition ( depends on version of encroOs ). Tbh, there are no publicly available methods ( as I know of) on how-to extract data without a known passcode. In my experience the passcodes often are simple patterns, due to the demand on password length, and a good start would be to search other evidence or sources for passwords or password patterns.
Avatar
@.karate. awesome, thank you. I've put a few more feelers out and if I learn anything new I'll post it here.
Avatar
@KeenoRen Contact MCIS at NCA, who should be able to provide the most up to date guidance for UK LE
12:57 AM
I'll echo @.karate.'s advice based on anecdotal evidence: the minimum length for passwords means that some of the device owners end up writing the codes down. Look for notebooks/sticky notes etc. If they have a separate personal phone, see if they've written the passwords down in that
12:58 AM
Contacting NCA should be done as soon as reasonably possible (if you haven't already) as any capabilities may be time-limited (if there are any at all!)
Avatar
Hi, would someone have information about this database: userdata\Root\system_de\0\accounts_de.db? I know it's about interactions with the main Gmail account but some rows are mysterious to me...
2:49 AM
Mostly the "remove"
2:50 AM
And "action called account add"
Avatar
@KeenoRen Even with the passcodes etc we couldn't image them as developer options couldn't be enabled (nothing happened when Build No was pressed, in both partitions). We've had quite a few and have had to just do manual exam of what we can see, which most of the time is just the open, empty partition and the passcode screen of the secure partition. Beware of entering a 4 or 6 digit number pin, they can be set up with a Panic PIN that will wipe the phone. It's normally sets of words, so look for random phrases written on paper. Oh and NCA can only really do something with the X5 if left on... Otherwise if you're in UK you're looking at Section 49 notice. Good luck!
Avatar
@OllieD Thanks for the advice. I've contacted the NCA and am currently waiting on a response. I'll take a look at trying to find the PIN screen when I'm back in the office tomorrow. @JMK Thank you too. The build number not doing anything is exactly what flagged this to me. Where was the passcode screen of the secure partition? I'll check when I'm back in work.
Avatar
Secure partition is accessed different ways depending on model, I think for the Aquaris X it's hold the down volume and on button together until it boots to the lock screen but that's off the top of my head! If not try volume up and on :-) @KeenoRen (edited)
Avatar
Anyone had problems with WhatsApp time stamps in Android 9? Got a UFED physical extraction opened on PA 7.24.0.209 and notice that all the times are over a minute out, for example, on 1 chat message the time is 02:50 but on the extraction the time is 02:51:39. I have checked the sent/read timestamp and, in this example, are sent and seen at 02:50. Messenger timestamps on the same device are fine. (edited)
Avatar
@Zhaan could be an issue with your local time settings ------ control panel time/date regional setting change the long time settings from hh:mm to hh:mm:ss
Avatar
@8198-IZ54 nah, time settings are all good, just checked the SQL DB and found what PA has decoded is what is in the DB, just checked the phone and spotted the phone itself wasn't set to automatic update and was drifting by a minute, emergency over!
6:22 AM
@8198-IZ54 thanks for the suggestion.
Avatar
@JMK Thank you very much 🙂
👍 1
Avatar
Just found the quick Photon version which doesn't save screenshots minimises the display DPI and doesn't return it to the original settings unless you go into Developer Options and return them. So beware! I had to use a bluetooth mouse and keyboard using the USB-C OTG cable as I couldn't make out anything and certainly not click on it with my frog fingers. (edited)
Avatar
FYI all IF Photon Fast Mode in XRY 8.1 should fail to set the resolution back to the standard one don't fret and try the Restore option on the Photon profile which will attempt to restore the screen settings back! Photon will always try to automatically change the resolution back once the extraction is complete but there are scenarios where it might fail to do so. If you are having any further issues please do get in touch with us at support@msab.com and we'll have a look! (edited)
👍 3
XRY 2
Avatar
I have a snapchat main.db that I am trying to partially sift through for version 10.67.0.0. It was pulled during a file system using CB. Under the Friends table, I'm having difficulty making sense of the "birthday" for the contacts. I pulled the file into AXIOM which decoded a good part, except for the birthday. I believe it's Epoch but when I do the conversions, most of my DOBs are coming in around 1971 or so. When I do the conversions on the other times, such as "added time stamp", I get the exact times as decoded by AXIOM. Any ideas as to why I would be getting what appear to be incorrect dates for the birthdays? I'm certain it's user error (me).
Avatar
Question regarding purplebuddy.plist on iOS 12.4.1 for iOS reset date and time (AFU only, not full file system). I have a date under "lastpreparelaunchsentinel" which would make sense if I compare it to the installation date of basic Apple apps (knowledgeC) and the modified date of addressbook.sqlitedb. That date is 2 days after the crime and that would also make sense. But the other dates under "setuplastexist" and "guessedcountry" are 24 days before the crime. I think the user reverted his iOS to a previous backup dated before the crime. Is the "lastpreparelaunchsentinel" a valid date for an iTunes backup? I have read Heather's blog on that plist but there is no mention of "lastpreparelaunchsentinel". Is there any other way to tell a setup date? (obliterated file is missing). Thanks for your help! Have a great week.
1️⃣ 1
Avatar
thaconnecter 10/21/2019 4:19 PM
Hello, does anybody have a script to interpret the google search bar .plist on iOS? I believe it's an nskeyed archive.
4:23 PM
The name of the .plist is recentsarray.plist. Thanks in advance
Avatar
I am traveling but if you want to send me one I might be able to create one if time permits.
1:49 AM
@thaconnecter
Avatar
torskepostei 10/22/2019 3:31 AM
I'm having trouble finding info about wifi connection history on a Samsung Galaxy phone. Been looking in these locations/artifacts, but had no luck: herrevad com.google.android.gms/databases /<all db files here...> com.samsung.android.fast/databases/secure_wifi.db com.appmind.radios.no/databases/basic-x-db Also checked out the ones listed on the SANS mobile poster from 2019. Any suggestions on where to find more wifi connection information? (edited)
Avatar
Hi! I have a CAS Cellebrite physical extraction for a SM-G950W. I'm looking for a file or database where I can find information about device power on and off. In UFED PA (analyzed data) I have device events but only "Power on". I'm looking for something like Apollo on iOS...thanks!
Avatar
torskepostei 10/22/2019 5:40 AM
You could have a look at ARTEMIS to get Apollo-like info: https://abrignoni.blogspot.com/2019/08/artemis-android-support-for-apollo.html If you have access to Axiom that will also give a very detailed timeline with system events as well.
Short Version Introducing a Python 3 script, with corresponding modules, that extend Sarah Edwards' APOLLO framework support to Android de...
Avatar
@torskepostei thanks. For Axiom, right now I'm loading extraction on it 😉
Avatar
Could those scripts be adapted to PA so that it would create a new section with that data? Because that would be nice...lol
Avatar
@AA of course they could. PA has both a python component and BlackBag has incorporated APOLLO into Blacklight as of 2019R2.
Avatar
Yeah, i knew the python part which is why i was wondering...I wish i knew how and I would attempt it but I don't even know where to start with that haha
Avatar
@AA Here's their guide if you're good with python. Straight from the PA Help menu.🤓 I, unfortunately, am not...yet...
👍 1
Avatar
I am definitely not...but thank you this might push me into trying!
Avatar
Hey guys quick question. I am looking through the hex of an iPhone 5s using Physical Analyzer. I'm trying to find websites of concern and have found some but the file path for them is "system/library/caches/com.apple.dyld/dyld_shared_cache_arm64". From what I can see on Google, this is a shared cache used by different applications. I cannot figure out where the websites I am seeing are coming from. Can anyone share their knowledge with me on this subject?
Avatar
@zero00796 I was under the impression that there wasn't any user data in the system partition. What websites are you seeing in there?
Avatar
@criley4640 I'm not getting full URLs just the name of the website. I would post the names but I don't think the rules will allow me to post pornographic sites
Avatar
Andrew Rathbun 10/22/2019 11:53 AM
I think we can all use our imagination about which porn sites lol. I'm sure we've all seen enough porn history for it to not mean much of anything. If you're hinky about anything, you can still post a screenshot and just modify it in Paint to make it more G-rated. Whatever helps provide the most context while still keeping it reasonably professional
👍 1
Avatar
@criley4640 I am doing an ASCII search of the hex for the term "porn". I'm not getting the full URL just the name of the website (looks like "porn.com" not "https://www.porn.com").
Avatar
@zero00796 honestly, I've been doing most of my GrayKey extractions without pulling the system partition lately to reduce size (and purportedly because it doesn't contain any user data), so I'll have to go back and find one that I did both partitions on and see what I see. I'll let you know.
Avatar
@criley4640 I appreciate the help
Avatar
forensicmike @Magnet 10/22/2019 2:16 PM
Anything that's not inside /private/var on an iPhone is mounted read-only. This means every folder seen at / (which includes /System/)... Additionally, dyld_shared_cache_arm64 is known to contain binaries (compiled code) for Frameworks and PrivateFrameworks - which contain dylibs (dynamic libraries or Apple flavored DLLs), but only builtin iOS frameworks, not for instance third party apps. (edited)
2:16 PM
iPhone:~ root# cat /private/etc/fstab
/dev/disk0s1s1 / apfs ro 0 1
/dev/disk0s1s2 /private/var apfs rw,nosuid,nodev 0 2
/dev/disk0s1s3 /private/var/wireless/baseband_data apfs rw,nosuid,nodev,nobrowse 0 2
http://iphonedevwiki.net/index.php/Dyld_shared_cache
Avatar
@forensicmike @Magnet Thank you for the information
Avatar
Braden.Grayshift 10/22/2019 4:23 PM
Yes you're just looking at something in an iOS framework if it's in the shared cache, probably some kind of spelling framework or something
Avatar
Is it possible to find out whether the user of an Android device (Samsung S9) has opened any web browsing application in incognito mode?
Avatar
Also @Magnet Forensics when looking at data on AXIOM - do you typically associate carved data as deleted data?
Avatar
CloudCuckooLand 10/23/2019 2:59 AM
I've got a JTAG from an HTC Pharos (WM6.5) with a TI OMAP 850 chipset - can anyone recommend a tool to rebuild the FTL and get a filesystem out of it? Efforts to reverse engineer the passcode lock to get into the phone for an agent physical have so far been unsuccessful. (edited)
Avatar
Crabbers (Chris) 10/23/2019 4:21 AM
@CFV re: Snapchat timestamp, you're probably looking at a "seconds since epoch" format rather than millis, where it's a floating point number rather than integer. If the tool you're using doesn't support this format you can multiply the whole thing by 1000 to convert to milliseconds.
Avatar
@Pacman it's hard to say re: typically - really depends on the artifact in question and the data being examined. Are we talking file based artifacts, or data coming out of a SQLite DB or elsewhere entirely?
Avatar
Data stored within databases - it is quite easy to determine whether something is live or deleted
5:31 AM
Carved from file offset is a strong indicator that it has been deleted and isn't live within database
5:31 AM
I'm just wondering why the data marked as carved (not from databases) aren't marked as deleted (edited)
6:09 AM
Are these Recovery Events the date and time the device was factory reset?
Avatar
@Pacman We take a holistic approach with both carving and parsing. We carve from sources that have no structure and we parse from sources that have structure. An example might be most forensic products will look at the header and extension for a file and if they match subsequently ignore it, but let's say an executable file has an MZ header but also has images inside. We would carve for those images inside the executable file. So carving alone is not an indication the file was deleted; it refers to the structure of the file and the method used to recover it.
💯 1
👍 1
Avatar
That does make sense.
8:30 AM
Thanks @Jamey
Avatar
Mistercatapulte 10/23/2019 8:37 AM
@Ghosted it's just a recovery event. I have many cases where I can't determine the exact wipe date, because, for example, the log files' date is 1970/01/01. If you have tips I'm interested!
Avatar
@Mistercatapulte Thanks
Avatar
@Pacman You are very welcome.
Avatar
Hello, I'm still looking for assistance/advise on the interpretation of how to determine when an app was installed and un-installed and how many times and the dates/times it happened. Here is an example of actual data for "App A": Mobile installation log data: 1/8/2019: App A updated, 1/17/2019: App A data container moved 2x, 1/31/2019: App A data container moved 2x, 2/9/2019: App A updated. (Mobile installation logs have a date range of Dec 19, 2018 - Feb 12, 2019) Appupdates.sqlite: Install date: 2/9/2019 AppPurchaseHistory.6.db: Purchased: 10/29/2014, updated: 1/4/2019 AppUsage.sqlite: 1/8/2019 (unknown what this date signifies) DAAP.sqlite: Purchase 10/29/2014 KnowledgeC.db: Installed on 1/31/2019 (Only one install and no un-installs - the knowledgeC.db has a date range of 1/16 - 2/12) Conflicts: Mobile installation log does not show any 'destroyed containers' or installs for this app - only moved containers and updates. KnowledgeC has an install on 1/31 which isn't reflected anywhere else. AppPurchaseHistory shows an update on 1/4 - but this isn't reflected in the mobile installation logs, Appupdates.sqlite shows an install on 2/9 - but this isn't in the mobile logs or the knowledgeC.db. How in the world is one to determine when and/or if an application was installed and un-installed???
11:26 AM
This was just posted on SANS' YouTube account. I'm sure it'll hit #dfir-newsfeed shortly. Timely for your question @jd1345
Avatar
Is there any forensic software except for FinalMobile that handles KaiOS?
Avatar
Andrew Rathbun 10/23/2019 11:43 AM
@Ghosted Oxygen
Avatar
I saw Oxygen does
Avatar
Oxygen v12 has it on their main menu as an option
Avatar
Ok thanks
Avatar
Thanks @Andrew Rathbun - that's a great presentation and reference! I'm interested in when and how many times an app was installed and un-installed - at this point I'm not concerned with app usage or proving an app was on the phone or tracking deleted traces. What I see in the logs and databases doesn't make sense to me. If an app was updated on 1/8 - then it clearly was installed on the phone at some point to be updated. But if I don't see any un-installs and I see that the app was installed on 1/31 - what happened between 1/8 and 1/31? Was the app un-installed at some point between 1/8 and 1/31? And why do I see an install on 2/9 - was it un-installed between 1/31 and 2/9 and re-installed? (edited)
Avatar
kmacdonald1565 10/23/2019 1:45 PM
so out of curiosity, is there any way to find out a device shut down time on an iPhone XR? I have a GK full file system and it shows power on times, but no power off when looking in Cellebrite....currently parsing in Axiom (256 phone 😩). thanks in advance for any information!
Avatar
@kmacdonald1565 https://github.com/mac4n6/APOLLO is your friend.
Apple Pattern of Life Lazy Output'er. Contribute to mac4n6/APOLLO development by creating an account on GitHub.
7:54 PM
@kmacdonald1565 actually, I think AXIOM might do it for you, too. Oxygen, as well. If you want to manually parse it in PA, find the module in the APOLLO GitHub that gets you what you want and use the SQLite query within it in PA SQLite Wizard. That’ll let you add it to the Analyzed Data in PA.
Avatar
@jd1345 is there reference to the app version against any of the timestamps? I was looking at a similar situation on an Android device; without testing I thought it may be first install then updates to the installed app, i.e. App Chat version 1.1 first installed 1/8, App Chat v1.1.1 installed 1/31 (update to AppChat) and so on. Only an educated guess though.
Avatar
@kmacdonald1565 I think it's held in the Knowledge C database bits that Axiom deals with very nicely so you should see it when your Axiom has finished 🙂
Avatar
@8198-IZ54 That's a good question - I did look into updates. I see that the app was updated on 1/8 and 2/9 - so maybe the install on 2/9 could be due to the update (but if that's the case, then I should also see an install on 1/8 - and I don't) But the knowledgeC.db tells me there was an install on 1/31 and I don't have any indication the app was updated on that date, nor do I see a 'destroy container' or an uninstall between 1/8 and 1/31. @cScottVance - any thoughts? (edited)
Avatar
kmacdonald1565 10/24/2019 7:13 AM
thanks for your help @criley4640 and @JMK axiom is still parsing
magnetforensics_alt 1
👍 1
Avatar
Is anyone else having issues with the latest PA parsing a GK FS and it getting stuck on Safari? Seems fine on older PA
Avatar
kmacdonald1565 10/24/2019 10:22 AM
the one I did worked fine, but I couldn't tell you how long it was parsing. It was a huge phone and I left it over night. It was done when I came in the next day if that helps at all @4N6Matt (edited)
Avatar
@4N6Matt not yet. iOS version?
Avatar
Is there a database/log/file that contains historical storage capacity of the iPhone (assuming one can obtain a file system extraction). I'm looking to find how much storage may have been free (or used) on a particular date. ie on 10/21 the phone was using 60GB of 64GB. I know how to find the capacity at present time - but I'm looking for historical data. Thanks.
Avatar
@criley4640 we have seen it on 12 and 13. Left it for almost 2 Hours and nothing moved on from attempting to parse Safari
Avatar
@4N6Matt probably a stupid and insulting question but have you tried opening it on a different exam machine? Just to rule out machine issues. I haven't had a problem on any iOS extractions that I've worked (which are about 10/month right now).
Avatar
@criley4640 we tried 3 machines. The latest PA which hangs and then 2 versions back which went through ok.
Avatar
Hi there, perhaps anyone has an explanation for this: left side on this picture is @Cellebrite UFED PA 7.24, right side is DB Browser for SQLite 3.11.1. PA says the column f002 is empty, DB Browser says it has a nice epoch timestamp in it. Same database for both from the same physical image. Also column f003 is empty in PA but has a value in DB Browser for SQLite. Anybody ever seen something like this? PS: This happens for all tables in this database, not just t318.
Avatar
kmacdonald1565 10/25/2019 9:08 AM
@criley4640 @JMK @Magnet Forensics or anyone else that wants to chime in, where can I find the power off time(s) in Axiom for a GK extraction? I see a bunch of stuff suggesting the phone is off, but nothing concrete. I looked on the APOLLO GitHub but didn't see which power log info would have been helpful. I am not seeing something that tells me where to look. Any info would be appreciated.
Avatar
forensicmike @Magnet 10/25/2019 9:17 AM
@kmacdonald1565 KnowledgeC has an app in focus log called "SBPowerDownController" which will be present if the user powered off using the standard method that involves the power off slider. If they used a 'hard reset' key combination this won't trigger though.
magnetforensics_alt 3
9:18 AM
You can also search for gaps in KnowledgeC logs, which should otherwise be relatively contiguous, and then pair them up with lockdownd.log process spawning (but be careful to note that it's only a true restart when the lockdownd pid is like a 2 digit number)
magnetforensics_alt 2
Avatar
kmacdonald1565 10/25/2019 9:19 AM
thank you very much!
Avatar
forensicmike @Magnet 10/25/2019 9:19 AM
Just so I'm clear though you're saying power logs aren't present or dont cover the date you need?
Avatar
kmacdonald1565 10/25/2019 9:21 AM
I am probably looking in the wrong spot...the iOS PowerLog categories have app usage, battery level, camera state, device lock state, process data usage, screen autolock, and timezone information...the timezone information has a hit in the area where we believe the suspect's phone was powered on...but I didn't see any definitive proof. When looking in Cellebrite, there is a power on event in the same general time, I don't remember specifically off hand.
9:23 AM
long story short, there are obvious gaps in phone usage (suspect was taking a proctored test) and then we believe powered off to commit a crime.
9:23 AM
looking for more specific info for timeline and corroboration
Avatar
forensicmike @Magnet 10/25/2019 9:24 AM
My advice would be to run a knowledgeC query that doesn't care as much about type. Chances are if they are actively using the device it's going to cause a flurry of logs in the range in question. If on the other hand you have only a single row from powerlogs, I wouldn't rely on that as proof personally.
Avatar
kmacdonald1565 10/25/2019 9:24 AM
okay, thanks again
Avatar
forensicmike @Magnet 10/25/2019 9:24 AM
You bet
Avatar
I was just provided with an iTunes backup of an iOS 13.1.3 device. I parsed it in Cellebrite (Advanced iTunes backup) and there are no call logs. Is this a known thing in iOS 13? I have the physical device and am imaging it myself now, just wondering if I'm going to have the same results.
Avatar
At first glance, it didn’t seem as if much had changed in iOS 13. That all changed, however, when I looked at an unencrypted image and quickly realized what I was missing. Apple likes to change things up and that keeps iOS researchers like myself on our toes. To be honest, ...
👌 1
Avatar
@kmacdonald1565 yeah, pretty sure (!) it's in the Knowledge C database that Axiom parses out. Can't remember what category it's in down the left side - maybe operating system category? Sorry off work at the moment and about to go on training course so dredging my memory!
Avatar
thaconnecter 10/26/2019 8:32 AM
@San4n6, thanks!! I've started something, I might have questions in the near future (edited)
Avatar
yaniv.schiff 10/26/2019 10:19 AM
I have a 50GB iTunes backup of a device running iOS 13. Physical Analyzer has been opening it for over 1 day. All I care about are text messages. Is there any way to get it opened faster?
Avatar
@yaniv.schiff create a ufdr containing only the chat...
Avatar
yaniv.schiff 10/26/2019 1:12 PM
@Dam thanks, I plan to if it ever opens. My question is, is there any faster way to open the backup, or are there any known issues with PA 7.24 taking a long time to open backups.
Avatar
Oh, I thought that it was already open. I don't see any other method to open it faster with PA. Sorry.
Avatar
yaniv.schiff 10/26/2019 1:16 PM
i wish. been watching the blue bar crawl for hours
Avatar
CloudCuckooLand 10/26/2019 1:58 PM
@yaniv.schiff can you open the zip and delete all but the SMS and contacts databases?
Avatar
yaniv.schiff 10/26/2019 1:59 PM
@CloudCuckooLand I'm willing to try that at this point. How would I identify which files in the backup are the SMS and Contacts databases?
Avatar
yaniv.schiff 10/26/2019 2:29 PM
Find out what each of the files in your iPhone backup contains: which file has your contacts, which one has your notes, etc. See which files are present between iOS versions and what they contain.
2:29 PM
trying that now
Avatar
yaniv.schiff 10/28/2019 10:56 AM
Question regarding Signal messages: Is it possible to decrypt them from an iTunes encrypted backup (I have the pw)? Are there any other ways of getting the Signal messages if not from the backup? Can we get them from the phone itself? Or can I possibly restore the backup to a dummy phone and access them that way? @Cellebrite (edited)
Avatar
Does anyone have a workflow for combining iMessages from macOS and an iPhone into one unified deduped chat thread? @Magnet Forensics Axiom's Chat view is not correctly grouping the messages together. @Cellebrite is doing it perfectly for the phone. Can I somehow add the macOS version of the db into Physical Analyzer? I have a different date range on both devices with some overlap. I can't think of an easy way to do this without a bunch of manual work. Any ideas much appreciated!
Avatar
Just sent you a DM.
Avatar
@FunkeDope Im travelling but I can look into it. Send me a PM we might be able to do it.
Avatar
CloudCuckooLand 10/29/2019 4:26 AM
I've got a JTAG from an HTC Pharos (WM6.5) with a TI OMAP 850 chipset - can anyone recommend a tool to rebuild the FTL and get a filesystem out of it?
Avatar
I would try importing it into XRY using the profile for HTC Pharos, since this phone is supported for Physical extraction, decoding should work.
Avatar
CloudCuckooLand 10/29/2019 7:58 AM
@MSAB_Sofia I'm pretty sure the XRY physical uses an agent to dump the phone (which I can't do because of a PIN lock) which gets a read through the FTL that isn't scrambled
Avatar
@CloudCuckooLand didn’t riffbox have a tool ( or function ) of importing and then exporting a file system? Or was it easy-jtag? I remember having the same problem, and I think I solved it by using some old software.
Avatar
@CloudCuckooLand You are correct, I did not read the specifics in the Device Manual, only checked that we have Physical support for it. I'm sorry about that!
Avatar
danmiami0001 10/29/2019 10:31 AM
@FunkeDope @CLB-Paul and I were discussing last night with a theory. Must be tested though.
Avatar
I read elsewhere in here about Oxygen being able to decrypt Wickr-data from Android when you have a physical. How about iOS? I have a full filesystem and an encrypted wickrlocal.sqlite database that I would really like to be able to see the contents of.
Avatar
@BETBAMS Search for viperbjk’s bruteforce script. ( wickrbruteforce_448.py ) that he posted in this channel. The script requires sk.wic file that is NOT present in iOS. But the field ZPT in wickrlocal.db contains the same information. So extract the data in ZPT and run his script on it ( and a good password list )
👌 2
💯 1
2:55 AM
Oxygen does not parse wickr on iOS the last time i tested it
Avatar
Thanks @.karate. - I can't seem to find that post. I wrote you a message. 🙂
Avatar
chrisforensic 10/30/2019 8:31 AM
thanks @MSAB ! Spreadtrum SC6531E are supported in new update, yesssss 💪 tested, imported old .bin (made with infinity-dongle) with profile "spreadtrum 6531 generic"... successssssss
XRY 2
Avatar
Happy to hear it! Hopefully XRY can dump and decode most Spreadtrum feature phones now but let us know if you see any new ones!
Avatar
chrisforensic 10/30/2019 10:51 AM
will post reports if i get one in hand 😊
Avatar
010isntjustac0de 10/30/2019 11:03 AM
Hi there, does anyone have some experience in decrypting a Signal database within iOS? I read a blogpost from Elcomsoft about the possibilities with their software but I am wondering if there are any alternative methods without this software?
Avatar
@010isntjustac0de I can decode it for you
12:15 PM
if you want to send me the database from a .gov or LE work email
12:16 PM
DM me if interested..
Avatar
Just got an iPhone with the Onion Browser app on it. Does anybody know if @Cellebrite, @Magnet Forensics or @deleted-role can parse anything from the app? Is there anything stored on the phone to even parse?
Avatar
forensicmike @Magnet 10/30/2019 12:45 PM
I think AXIOM has a custom artifact (from our Artifact Exchange) by Jason Readeau that can parse browser bookmarks. If you can find the SQLite db might be worth some manual examination. Happy to assist in DM if you'd like.
Avatar
@goalguy one of my last big files was an onion browser one but on the PC. Not sure what’s the state of the device but I found Quite a bit in ram. The links. Etc.
1:03 PM
It was mostly manual carving. Lots of work but I got a conviction in the case.
Avatar
I know that there has been some discussion elsewhere on what data is different between a @Grayshift GrayKey Full File System extraction and an Instant AFU extraction. I had the opportunity today to do both almost back-to-back (about 30 mins between) as the GrayKey successfully bruteforced the extremely difficult passcode of 111111. Here are the differences as far as Analyzed Data and Data Files in @Cellebrite Physical Analyzer 7.24. Obviously this is not comprehensive but, at least as a baseline, this allows us to show case agents/DAs what they'll get if they wait patiently for the bruteforce process. And, obviously, it all depends on what's on the device in the first place.
👍 4
👌 3
Avatar
Andrew Rathbun 10/30/2019 1:41 PM
Very nice @criley4640 thanks for sharing
Avatar
Oh, and I should mention that the above device was an iPhone 6 (iPhone7,2 N61AP) running iOS 12.4.1 (16G102). (edited)
Avatar
forensicmike @Magnet 10/30/2019 1:44 PM
@criley4640 Good info, thanks. Keep in mind the keychain is likely* 🙂 to look different AFU than it will Full FS also. (edited)
Avatar
@forensicmike @Magnet Oh, for sure. As a matter of fact, here are the numbers from the GK keychain plist: AFU 53 Keys, 13 Certificates, 35 Internet passwords, 610 General passwords ------ Full 89 Keys, 13 Certificates, 59 Internet passwords, 693 General passwords
👌 2
Avatar
Crabbers (Chris) 10/30/2019 1:48 PM
@010isntjustac0de unless it's a very old version you'll need the keychain. iOS Signal doesn't allow backups, which is a possibility with Android
Avatar
Interestingly, the databases that exist in the full file system (in my previous graphic) and not in the AFU extraction are, in part, apparently Firebase SDK Remote Config databases. In 3 app directories, the RemoteConfig.sqlite3 databases are just not there in the AFU extraction but are there in the full extraction. Not sure why those databases (or their directories) would be protected/encrypted in the After First Unlock state. The contents of them seem banal relating to a remote configuration from Firebase. However, I am by far not an app developer. The three apps I see are Venmo, Soundcloud, and an app called HOOKED (a mobile reading app for young people that reads like a text message thread).
2:06 PM
Also interesting is that, in the AFU extraction, the healthdb_secure.sqlite database file exists...it's just empty. 0 records. I guess I never paid attention to the fact that the file itself exists but is just empty. Maybe its metadata can be seen during the AFU extraction but just can't be actually transferred so the GrayKey includes it as an empty file?
👍 1
Avatar
forensicmike @Magnet 10/30/2019 2:06 PM
I think there's a setting you can enable or disable to create empty files when they are encrypted
2:07 PM
But that would result in 0 byte files.. not empty db's
Avatar
@forensicmike @Magnet Actually, you are correct. The AFU healthdb_secure.sqlite file is, in fact, 0 bytes.
Avatar
Braden.Grayshift 10/30/2019 4:52 PM
Yes, the setting is called something like "Collect metadata for inaccessible files". It is very useful, but it is disabled by default because it can lead to confusion
👍 1
Avatar
Anyone have experience with iCloud warrant returns? Specifically regarding decryption of ‘Messagesincloud’ and Secure Notes?
Avatar
chrisforensic 10/31/2019 7:35 AM
again thanks to @MSAB 😉 got some nice WICKR-conversations from physical dump SM-A600FN with latest xry 8.1.2... N.I.C.E 🙂 (edited)
👍 1
XRY 1
7:36 AM
dumped with UFED4PC, PA asked for password 😦
7:36 AM
Avatar
I think you can just put 12345 or 123456
7:59 AM
@chrisforensic
8:00 AM
sorry might be 1234
8:01 AM
related to a conversation from @spadart 04/07/2019 "I have got a physical dump from an android device which apparently has Signal installed. Using UFED PA (7.20) i get prompted for a password to decrypt it. Does anyone know if there is a default password or is this set by the user? I know that for Wickr, the default is 1234. So I'm not sure if this is the same case. I can't manually check the device as it is damaged. Any tips and pointers would be appreciated. Thanks in advance!" (edited)
Avatar
Guys... A colleague has done some SIM extractions using UFED v.7.24. SIMs were 2FF O2 network cards. When opened in UFED PA, it gives several IMEI numbers all of which have been checked and found to be invalid. We've never seen this before, i.e. IMEI numbers from a SIM extraction. Can anybody shine any light on this?
Avatar
iPhone Battery questions: Has anyone done any research to understand why or what it means when you have a battery level of 100 and a raw level of 16? Or a battery level of 100 and a raw level of 174? This data is taken from the powerlog.plsql PLBatteryAgent_EventBackward_Battery table.
Avatar
chrisforensic 10/31/2019 12:00 PM
@Dam thanks for this hint, but it's surely not 1234 in my case, because I gave PA a 4-pin-list (all numbers from 0000 to 9999) and had no success.... (edited)
Avatar
Does anybody have any experience with Telegram on an iPhone with a @Cellebrite PA extraction?
Avatar
Keeping in line with obscure iPhone filesystem questions - does anyone know why I might see up to 100 /event/tombstone entries in the KnowledgeC.db all happening at the same time with the same Zstructuremetadata value (but each event with different ZUUIDs and valuestrings)?
Avatar
Anyone with experience looking at an iOS full filesystem: Are log entries that show as Apple authentication process has been performed for the following apple-ids: <appleid> Indicative of a text that was sent to that ID but no longer exists because it was deleted? The log entry shows flagged as deleted:unknown
10:29 AM
We believe communication occurred but there's no record in imessage. The application that made the log is iMessage
10:33 AM
Same question to do with Facetime Video and Facetime Audio as applications
10:34 AM
I'm working on a phone for an IA investigation and wondering if I can tell them that "there should be data but it's missing"
Avatar
Anybody know where an iPhone on iOS version 12 stores the advertisement ID?
Avatar
@Andrew Rathbun I got the iCloud password and used iTunes to decrypt the backup. I was able to use UFED Touch 2 to get the phone dump
👍 1
Avatar
com.apple.lsidentifiers.plist if anyone was wondering
👌 1
Avatar
turbospeed440 11/2/2019 6:21 AM
Has anyone experienced PA crashing when trying to parse a GK dump from an iPad 6 running 13.1.2? It keeps crashing when it gets to the end
Avatar
@Beefhelmet This article by Izhar Carmel explains the process behind these log entries https://www.cellebrite.com/en/blog/how-ios-properties-files-can-confirm-a-suspects-contacts-even-if-data-deleted/
Determining a complete list of contacts that a person of interest has on their phone can be challenging due to factors like deleted data, inconsistent app communication records and device migration data loss. Because of these variables, it is important to find a reliable reco...
Avatar
@Bob Ross Just saw your post. This is normal on older O2 SIM Cards. Have a look at my previous post https://discordapp.com/channels/427876741990711298/545232743353810946/601081472006357003
8:24 AM
You will note the 15th digit is always '0' on all of them stored. You'll need to calculate the correct check digit for each of them using the Luhn algorithm
8:29 AM
I see you are UK LE. Once you have the correct 15 digits, you can check them on the NMPR https://thenmpr.com or Numbering Plans https://www.numberingplans.com/
The NMPR (National Mobile Property Register) is a real-time search portal that allows police to securely interrogate Recipero’s vast property history and movement databases
International Numbering Plans provides a variety of tools in the field of telecommunication for businesses, law enforcement agencies, governmental organisations or regular users. The services are centered around (mobile) numbering plans, billing databases, (reverse) search e...
Avatar
@Stevie_C, I spoke to @Bob Ross on Friday and it sounds like the 15th digit being 0 instead of the correct Luhn checksum was the issue 🙂
👍 2
Avatar
Thanks for the help guys!
👍 2
Avatar
Looking at Snapchat stories.plist. Does anyone know if these are received stories, or just the stories of a person's friend which were not directly received by the creator of the story?
Avatar
Has anybody done any research specifically on the /inferred/motion activity values in the knowledgeC.db? The ZVALUEDOUBLE column shows values of 1, 2, 4, 16, 32, and 34, but I'm unclear as to the meaning of these values.
Avatar
Braden.Grayshift 11/4/2019 4:47 PM
hi @jd1345 I peeked at this a little bit tonight for you. Those values are a motion category. The correlation is as follows:
💯 2
👍 1
apple1 1
4:47 PM
automotive: 32
cycling: 16
running: 8
stationary automotive: 34
stationary: 2
unknown: 1
walking: 4
💯 1
4:52 PM
(unknown means unknown to iOS, not unknown due to reverse-engineering)
Avatar
Joe 🍿🍺 11/5/2019 12:55 AM
iPhones leave traces of power on/off actions, not sure about charging. But I wonder if anyone knows whether Samsungs (Android) leave any traces of when they were charged?
Avatar
I can't remember where I found it. But I know that /data/system/sec_batterystats (SQLite DB) contains info on battery health and status. You could probably make something out of that
Avatar
Got an iPhone extracted by Graykey (full file system) - there are voice notes saved within Snapchat conversations, and they are playable. I cannot find these files within XAMN, UFED or AXIOM - can anyone point me to the right direction?
3:49 AM
These files do not appear under Audio, I can't tell if they have been carved or not.
Avatar
Joe 🍿🍺 11/5/2019 4:05 AM
Thanks, Karate 😉
Avatar
@Pacman Do you remember the file extension? XRY would likely put it in either Audio or in Unrecognized if it was an unrecognized file format
Avatar
First time dealing with Snapchat audio voice notes that have been saved within conversation, so I'm not sure what file type it is - probably .wav if I had to take a wild guess? @Erumaro
4:12 AM
I can't find it anywhere, other than physically able to play it on the handset.
Avatar
We don't currently offer decoding support for the later Snapchat versions, so not sure how the audio notes are stored for it I'm afraid. Not sure if they are included in the backup but they should probably be in the Graykey read
Avatar
I have absolutely no idea where they are stored - pfft
Avatar
@Braden.Grayshift Thank you so much!!! I had a hunch about 32 and 34 being automotive movements, but was stumped on the others - this is a huge help!!!
Avatar
Braden.Grayshift 11/5/2019 5:22 AM
yw
Avatar
@Pacman No luck in getting the Snapchat audio files in a Logical, I don't have access to any more advanced iOS extraction method here currently. Not quite sure what would happen to these files in a Graykey extraction
Avatar
Anyone from @Magnet Forensics able to assist?
Avatar
forensicmike @Magnet 11/5/2019 5:37 AM
sure, DM'ing
Avatar
@Joe 🍿🍺 did you find something about power off events? I have the same question right now. In UFED PA I have power on events but I need to find power off events, and they aren't listed. I have a CAS physical dump of a Samsung S8. All 20 power on events are deleted in UFED PA...very strange...
Avatar
Has anyone come across the application called TamTam before? I have a physical and can see the DB. It would be nice to have it presented better with user names etc.... So wondering if anyone has any script or anything for it? There are about 34000 users listed in its DB which would be of interest
Avatar
Hey ho 🙂 anyone have problems with "big" smartphones (120 GB+)? The XML report is written at 100 KB/s (UFED PA). We have these problems with big iOS devices and sometimes with "big" physical extractions from Android
Avatar
@Dossy Same here. When the phone is "full" (just today I had a 64 GB phone with only 2 GB free space) and there are lots of chats/messages, the XML report writing doesn't finish/takes forever (I waited a whole weekend last time...). Unfortunately I don't have a solution. I normally move to another tool or just export a few/not all artifacts (e.g. only images and videos) into the report to get it done...., if that is possible for the case. Cellebrite support couldn't help last time I contacted them with this issue. But last contact was a few months ago.... In the last 9 months we had about 10 devices with this problem... 😦
Avatar
Yeah, the problem has been here for around 12 months. It must be a bug or something. We reported this as well...and we have a lot of devices with this problem....exactly the same here -> when the device was nearly full
Avatar
Anyone know what the ThreeBars.sqlite database is from an iOS 13 full file system extraction? It's located in /private/var/root/Library/Caches/com.apple.wifid so that gives me some clue. I don't recall seeing this in < iOS 13 dumps and its creation date was on 10/25/19. One of the tables contains ~25k records of GPS coordinates and BSSIDs but they're from two specific dates/times (i.e. on 10/25/19 at a specific time and 10/27/19 at a specific time). The GPS coordinates correspond with an area that the device would have been located in (at a city level, at least). A cursory check of the BSSID MACs shows most of them to be "Cisco". Just wondering if anyone has examined this DB to determine what it is storing. Thanks.
Avatar
forensicmike @Magnet 11/6/2019 8:50 AM
@criley4640 Nice find! Just located it in an iOS 13 Full FS.
Avatar
@forensicmike @Magnet thanks. I have a habit of pulling up all db files in an extraction and sorting them by number of records with the thinking that the ones with more may have more value (and roughly indicate more active apps - roughly, of course). I saw this one and had never recalled seeing it before.
Avatar
Does anyone have experience with Photo Vault on iOS? I have a GK full file system extraction and it appears all the images/videos are encrypted in Axiom & PA. I was able to find the PIN and can view them on the phone, but just wondering what the best method would be to recover the files? Is there any way to decrypt the files from the original extraction?
Avatar
forensicmike @Magnet 11/6/2019 9:45 AM
Enchantedcloud? Yes
9:46 AM
Have a Python script that sorta works too if C# ain't your thing (edited)
👍 4
Avatar
@renfantino Funny, one of our staff had this exact same issue yesterday with an iOS Full File System extraction. We also had the passcode for the PhotoVault app and in it there are 413 media files present. In the PPVCoreData.sqlite database sure enough zMEDIAITEM has the 413 entries but I am unable to find where these images are being stored. They're not in this one as blob data as the file itself is only 120KB in size. Upon leaving the office yesterday we had started loading the image into UFED PA, XRY, Oxygen and Axiom. Today we'll be doing our very own digital version of "The Curse of Oak Island" 😀
11:11 PM
11:14 PM
@forensicmike @Magnet Many thanks, just reading through that link now 👍
Avatar
@renfantino @forensicmike @Magnet Have found and dumped out the PPV_Pics folder and found the "ppv_uuidHash1". Cannot for the life of me find the "ppv_dateHash". PhotoVault version we have here is 10.3.
Avatar
@renfantino I just had a FFS dump from Cellebrite Premium and it parsed the Keepsafe Photo Vault for me. Is this the same application?
Avatar
@sholmes I had a look at ours. In our case it doesn't appear to be the same application. Ours is by Enchanted Cloud (com.enchantedcloud.photovault). Yours appears to be Keepsafe Software, Inc. Cellebrite didn't parse this one (neither did any of the others I mentioned above) unfortunately.
👍 1
Avatar
There are a lot of apps that are named Photo Vault of some kind
👍 1
Avatar
RootBeer403 11/7/2019 4:36 AM
@renfantino Does PA not give you a pop-up message indicating the app is encrypted? Usually it will ask you to enter a password etc. to decrypt the data when loading/decoding the extraction in PA. Also, maybe take a look at the trace view window to see what PA tells you in terms of when it decodes the application
Avatar
@RootBeer403 Guessing @renfantino is just climbing out of bed (LE USA) but in our case - no UFED PA did not request password upon decoding. Neither did Oxygen, XRY or Axiom during import / decoding.
Avatar
Is anyone using @Oxygen Forensics to analyze KaiOS phones? I see the new version is supposed to do so, but I didn't get anything from an EDL extraction through Oxygen. I can get to the databases, but they didn't parse any of them, nor did it get me images. This is completely backwards to what I was getting previously with the 4044N and 4044O phones. I tried loading the files differently, and still nothing. @Cellebrite was not able to get a physical from the 4044L through an EDL extraction, even though the phone uses an 8909 chipset. I am open for suggestions. I was hoping to not have to extract the databases and use FinalMobile to parse them.
Avatar
@RootBeer403 @Stevie_C @sholmes Sorry for the delay in responding. The Photo Vault app was the com.enchantedcloud.photovault version. This latest version of the app encrypts the data where older versions did not. With the help of @forensicmike @Magnet I was able to decrypt the data using the key found in the PLIST "ppv_uuidHash1".
👍 6
magnetforensics_alt 2
Avatar
That is awesome. Glad you got it.
Avatar
RootBeer403 11/7/2019 1:00 PM
@renfantino Niceeee!
Avatar
@renfantino Awesome. You say you used the "ppv_uuidHash1". I found that key as well. Did you find a "ppv_dateHash" in there as well? I couldn't find that value in ours .... (edited)
Avatar
@Stevie_C My mistake it's the key for the "ppv_dateHash". This was parsed in Axiom with the Keychain.plist file
Avatar
@renfantino Excellent. Back into Axiom tomorrow with the zip file then. I'll see if I can get it that way 😀 Thanks for the heads up
Avatar
@Stevie_C No problem, let me know if you run into any issues.
Avatar
@renfantino Will do
Avatar
I'm putting this out there: anyone have experience with Kindle on Android, specifically .index files? Outline is I have a PDF downloaded, proven via browser activity and database references. Let's call it my bad.pdf. The default viewer for PDF on the handset is com.amazon.kindle. So my bad.pdf was downloaded into /media/downloads at 2019-07-17 10:15:05 UTC. In the media/temp folder a few seconds later is a PDF called 1563358656339.pdf created 2019-07-17 10:17:36 UTC (this PDF is the same as my bad.pdf). The numeric name is a UNIX millisecond timestamp, 2019-07-17 10h:17m:36s:339ms UTC. This name can also be found in a folder /media/kindle as 1563358656339.index, created 2019-07-17 10:17:47 UTC. My question is: is the 1563358656339.pdf related to the Kindle 1563358656339.index? Does Kindle spawn a so-called temp copy of the opened PDF? Cheers in advance 😄
Avatar
Is there a way to find folder creation dates within an Android OS in PA with an Advanced Logical? I can see the dates associated with files with their info, but can't seem to find a way to find folder creation dates. Feel like I'm missing something...
Avatar
@Magnet Forensics Would anyone know why WeChat audio messages aren't showing in Axiom? In conversation view I can see the details about it as text (length, voicelength, username etc) but nothing plays. Is WeChat not fully supported?
Avatar
@JMK I can certainly take a quick look, but don't have an answer off hand. Is this Android or iOS, and any idea on the app version?
Avatar
@MF-cbryant 👍 It's iOS, GK extraction. I don't know the app version I'm afraid
Avatar
forensicmike @Magnet 11/8/2019 5:07 AM
@Stevie_C I'll DM you re: photovault stuff
Avatar
Crabbers (Chris) 11/8/2019 6:14 AM
@JMK can you tell me what value the Type fragment (column) has in the artifact view? Also is there an Attachment Path, and if so what's the file extension?
Avatar
@Crabbers (Chris) Type is Audio, attachment path has file extension .aud. It's multiple messages, not just this one 🙂 (edited)
Avatar
Crabbers (Chris) 11/8/2019 7:10 AM
@JMK if you right click and choose "save artifact to..." option does an .aud file get written? If so, what bytes are you seeing in the header? Does it look encrypted, or is there some sort of magic?
Avatar
RootBeer403 11/8/2019 10:02 AM
Hi all, I was wondering if any of you have had problems with UFED PA decoding duplicate entries from S8+ extractions as unique records? I have checked the 'mmssms.db' and 'icing_mmssms.db' and it appears that instead of PA marking records as duplicates it just decodes them as separate records. I have decoded the physical extraction using PA v7.17.0.112 and v7.24.0.209 with the same issue. Also, due to the 'icing_mmssms.db' being within the 'com.google.android.gms' folder, I believe it could be an issue for other devices. I'd highly appreciate it if anyone can give me an insight into this, or come up with a simple explanation if they have resolved this issue. Thanks in advance :)
Avatar
@Crabbers (Chris) I've gone home for the weekend now - I'll DM you Monday if that's OK? Thanks for your help! Have a good weekend :-)
Avatar
MikeWhiskey 11/11/2019 4:55 AM
Hey guys, is there a database that logs airplane mode activation/deactivation or any other network changes on Android? Or something similar you could recreate some user activity with the device from? Power on/off events could also be interesting.
Avatar
Like @MikeWhiskey, I'm looking for power on/off events from an Android physical dump. Tried with Cellebrite and X-Ways and still not finding power off events. I have only a few power on events in UFED PA. Thanks
Avatar
@Cellebrite any way to decode google takeout emails with PA 7.24? (I tried the google takeout chain but no result 🙁)
Avatar
Hmm... Did you try using the "Open common plugins" menu? Maybe that'll give better results. I think it expects the original zip file downloaded from google, or a folder to which it was extracted
Avatar
Yeah I did that ...and yes, that's exactly what I did with the files
Avatar
@SPVQct3207 and @MikeWhiskey ..... Me too !!!! I checked with @Dossy regarding his post https://discordapp.com/channels/427876741990711298/545232743353810946/600284402311757864 but no joy there. I've just had an Android land on my desk. Owner saying his battery ran out, hence no activity on device. Just 'happened' to run out at the exact time of a murder, and again, the following day it ran out 'again' when we think the body was being moved. Ideally we'd like to show the owner powered the device off for the periods and it didn't run out of power like the owner said. If the battery was at 85% when powered off, coupled with a power off event, that would be good. Wish he had been using an iOS device 😭
Avatar
@Stevie_C on Samsung devices you have "/data/log/power_off_reset_reason.txt" and also the files in "/data/log/batterystats/"
5:37 AM
You also have the file "/data/log/sdp_log". When I look into that file on my test device I can see all valid and invalid lockscreen code attempts.
5:38 AM
When you see the line "Mark the beginning of SDP log service!" it states that the device has booted up and is at the first login screen.
5:40 AM
You could also find info in the file "/data/log/latest_shutdown_profile.txt"
5:43 AM
If I remember correctly, Huawei devices have lots of logs on everything that happens on the device. And they are not located in the userdata partition. If anyone is interested I can dig up an old case and locate the artifacts.
👌 1
Avatar
@.karate. You're a star 😀 Looking at the extraction now. We have a physical from the device, which is a Samsung SM-G935F. I've found and looked at power_off_reset_reason.txt, however there are only 2 entries in it, on 4th June, which is past our date in May. I can see both entries are for "reason : userrequested" so that to me looks like a user shutdown compared to a battery running out.
Avatar
check /data/log/batterystats
Avatar
Just did ........... Just found a file in there for the date I'm looking for - 'newbatterystats190530052215'
5:48 AM
Have clicked on it and application has hung - waiting for spinning circle to go away and reveal all 😀
Avatar
I also have files named "shutdown_profile.1.txt" .. "shutdown_profile.5.txt". They contain info that could be relevant
👌 1
5:51 AM
herolte:/data/log # cat shutdown_profile.*| grep reason
05-26 09:57:07.327 ShutdownThread: !@ run, shutdown requested reason=no power
11-12 14:32:08.845 ShutdownThread: !@ run, shutdown requested reason=userrequested
03-19 08:10:50.985 ShutdownThread: !@ run, reboot requested reason=userrequested
03-19 08:16:12.630 ShutdownThread: !@ run, reboot requested reason=swsel3
03-19 08:27:58.548 ShutdownThread: !@ run, shutdown requested reason=userrequested
5:51 AM
Check first line 😄
Avatar
@.karate. That's awesome - exactly what would get me going. I'm off hunting once (Not Responding) goes away !! Many thanks 😀
Avatar
And last 🙂 check the file "power_off_reset_reason_backup.txt", it contains older entries that are not in "power_off_reset_reason.txt"
Avatar
@.karate. I owe you several large beers whenever our paths cross physically 🍻
🙂 1
Avatar
@Magnet Forensics Hi guys, I'm currently reviewing location data on this case, so I set the view as World Map View, but I cannot see the map? I am connected to the internet at the moment
Avatar
Andy Thorpe 11/13/2019 3:48 AM
@Pacman can you take a quick look in the AXIOMExamine.log in the case folder? Scan down to the bottom (we append this file so the latest will be at the end); this may show an error. If you can let me know, I can look into this for you. Andy.
Avatar
I don't see any error.
3:52 AM
I restarted AXIOM and this fixed it.
3:53 AM
A wise man in IT Crowd once said.. "Have you tried turning it off and on again?".
💯 6
Avatar
@Andy Thorpe are you able to confirm that the accuracy of the location decoded is in metres?
Avatar
Andy Thorpe 11/13/2019 4:17 AM
Good question, I have answered this before but just away from keyboard right now. I'll get back to you
Avatar
Andy Thorpe 11/13/2019 4:33 AM
Developer.apple.com/documentation/corelocation/cllocation
4:34 AM
Confirms this is meters.
4:34 AM
@Pacman ^^ hope this helps
Avatar
Thank you!
Avatar
Andy Thorpe 11/13/2019 4:35 AM
No problem
Avatar
@.karate. do you have a listing of Android files you could share, or is it in your head?
Avatar
@Jetten_007 what files? And in what context? 😊
Avatar
@.karate. you were listing some Android files that were of forensic interest. Do you have a listing of various Android file paths/files of forensic interest you could share?
Avatar
@Jetten_007 I'm sorry. But I don't have a list. Most of my knowledge is from cases I've worked on in the past. And I almost never write anything down except the info that is in the reports. But I try to share the info I have here in the channel whenever I can help 😊
👍 3
Avatar
@Jetten_007 Guys, I'm still working on this case and with @.karate.'s pointers and help I've got an excellent sequence of events which helps immensely. I've been writing notes as I've been going along and have got a test device to confirm bits and pieces. I'll post them up if you want, as all the log files I can supply are from our test device, so you can compare them to my manual notes from when I was doing things on the test device and marry them up
👌 4
android3 1
Avatar
Andrew Rathbun 11/14/2019 6:14 AM
@Stevie_C any guides you create I can post on AboutDFIR as well. Or, if it's a blog post, I can link it on there as well.
6:14 AM
I've actually been hard at work at this very same thing for https://aboutdfir.com/toolsandartifacts/android/ and https://aboutdfir.com/toolsandartifacts/ios/
Avatar
I'm trying to take a look at the sms.db-wal from an iPhone. DB Browser opens the DB fine but asks for the encryption key for the .wal file. I feel like I'm missing something obvious.
7:12 AM
Any help would be appreciated. I'm looking for a deleted text message.
Avatar
Andrew Rathbun 11/14/2019 7:21 AM
@Joe Schmoe think it would be the 1234 or 12345 code that UFED sets? Any other known passwords? Have you tried any passwords yet?
Avatar
I did try those thinking it might be the backup password. Now that I think of it, it's a full filesystem and not an iTunes backup.
Avatar
Andrew Rathbun 11/14/2019 7:25 AM
Any passwords generated from GK? Last I recall (it's been a while) there was a PDF relating to the keychain?
Avatar
There is a pretty lengthy list. I'll take a look. It's odd that the DB opens.
7:47 AM
I'm installing PA 7.25 now. It's supposed to be better for viewing databases.
Avatar
@Joe Schmoe are you trying to open the .wal on its own? If so, DB Browser can't read the file, assumes it's encrypted and asks for a password. Use a carving tool or open the file together with sms.db. Sometimes you can cat the files together or hex-add a SQLite header to the file. But I can almost guarantee that the file is not encrypted. An easy way to validate this is to open the file in a hex editor and look for entropy or just strings.
Avatar
That is the issue. Thank you.
👍 1
Avatar
forensicsnewbie 11/14/2019 11:13 AM
Is PA decoding deleted iMessages in iOS 13.1?
Avatar
Hi everyone! Does anyone have a script or software to parse the object.primary file of Snapchat (iOS)? I have my own method but it's not completely efficient...outside a string search (edited)
10:25 PM
My research focuses on lost data. The normal file structure is handled well by BlackLight
10:25 PM
BlackBag
Avatar
@Jetten_007 @SPVQct3207 @MikeWhiskey In regard to your posts about Android powering events and activity, as per my post above, I've been working on a Samsung SM-G935F running OS 8 where device activity and powering events have been extremely important. I only got a few powering events decoded as well, however with assistance from @.karate. (Thank you so much, credit to him for providing me an idea of files that should be present) I made rough notes as I was going along. I also dumped our office phone to try to make sense of these files. Here are my rough notes and the test device files I refer to in the notes. You can look at them and see if they are any help to you. They're not perfect and you still need to do a bit more testing and validation, but they might help give you a starting point
👌 1
👍 1
12:47 AM
12:48 AM
Test_Device_Actions_Notes.txt is our office Android. It's an S8 on OS 8.0.0. The files and file paths are the ones Karate referred to in his postings on Wednesday. Files_Of_Interest.txt is the files and paths @.karate. posted about on Wednesday, and I've added notes to these on what I found. Extracted_Test_Files.zip are the files referred to in my scribbles that I dumped out of the extraction for you to look through if you want. Hope this helps (edited)
12:48 AM
@.karate. Again, many thanks for your help on this one 👍
👍 2
👌 1
Avatar
@Stevie_C thank you VERY much 👌
Avatar
@Stevie_C Awesome!
Avatar
chrisforensic 11/15/2019 1:38 AM
@Stevie_C thanks, thanks 🙂
Avatar
@Cellebrite Do I need to re-register for the new myCellebrite?
Avatar
Andrew Rathbun 11/15/2019 4:09 AM
I think I did have to establish a new login.
4:09 AM
And I think you have to re-verify your email, etc
4:09 AM
I did it last week so it's not super fresh in my brain
Avatar
Also, when I tried to update PA from within the program, it downloaded 7.24
Avatar
CLB-dan.techcrime 11/15/2019 4:14 AM
@Luci Yes, you need to establish a new login for the new My.Cellebrite
Avatar
Andrew Rathbun 11/15/2019 4:15 AM
@Luci old portal will have 7.24, new one will have 7.25+
Avatar
CLB-dan.techcrime 11/15/2019 4:20 AM
@Andrew Rathbun oh, so that's why my PA isn't auto-updating to 7.25 (and yes, I work here lol)
🤣 1
Avatar
Andrew Rathbun 11/15/2019 4:21 AM
@CLB-dan.techcrime lol
4:21 AM
so maybe 7.24 is querying the old portal for download? hopefully that's fixed in 7.25
Avatar
CLB-dan.techcrime 11/15/2019 4:22 AM
Maybe just relying on an old token or cookie... mmmm... cookie, time for breakfast
💯 1
Avatar
Your request cannot be processed at this time. The site administrator has been alerted.
5:13 AM
😦
5:13 AM
Tried to register.
5:15 AM
OK guys, I had to click reset PW to create a new account from an old one.
Avatar
Maybe this has come up multiple times here. But I cannot really find any reference material on the kTCCServiceUbiquity permission in the TCC.db
5:57 AM
If somebody could explain to me what this service is about, that would be great, thnx in advance! 🙂
5:57 AM
I have a general idea but not sure
Avatar
Braden.Grayshift 11/15/2019 5:59 AM
I believe Ubiquity is the name of iCloud-based app storage
5:59 AM
So permission to store/access documents on iCloud
Avatar
Andrew Rathbun 11/15/2019 6:02 AM
Easily add items to OS X's TCC.db sqlite database. - jbrdshw/tcc_database_manager
Avatar
nice!
6:30 AM
will check it, thnx a lot! (edited)
Avatar
@Stevie_C thanks
Avatar
Hi all, I've extracted a Samsung A10 with Android 9. I made a logical, a filesystem and a downgrade with UFED4PC 7.24. The downgrade detects "FB Messenger", Snapchat and WhatsApp and completes without problems, but when UFED P.A. completes its analysis there is only "FB Messenger" parsed (I tried both 7.24 and latest 7.25) with the same results: no Snapchat, no WhatsApp. Looking inside the split zip from the downgrade I see 4 .ab files (1 for Snapchat, 1 for FB Messenger and 2 for WhatsApp). I assume the WhatsApp Android backup was split in two files because the first is 2 GB and the second is 350 MB, and maybe this can cause some problems, but what about Snapchat? Anyone ever seen a similar problem?
Avatar
Which tools do you know of that can be used to extract the content of Android backup .ab files?
Avatar
Andriller - collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. Decode chat databases, crack lockscreen pattern PIN password.
8:22 AM
But you should be able to point most commercial forensic tools at an .ab file and import them
8:23 AM
Andriller is nice because it will allow you to decompress/unpack them without any additional decoding (edited)
Avatar
@OllieD Thanks, but what I mean is extracting the content from the .ab files on the local file system for manual review
Avatar
Perhaps I'm misunderstanding. So you already have the .ab files secured through 4PC and you now want something that can extract the contents on your forensic workstation, correct?
9:10 AM
In which case, Andriller can do exactly that
Avatar
I tried Andriller (not the latest version) and it fails.
9:11 AM
Maybe I need to give some more info..
9:12 AM
I extracted a Samsung A10 with Android 9 using 4PC. The phone is not supported for a physical so I used the downgrade option to extract chats
Avatar
If it's failing, perhaps the .ab files are corrupt?
Avatar
The downgrade got FB Messenger, Snapchat and WhatsApp, but PA was able to parse only FB Messenger, so I want to have a look at the content of the .ab files.
Avatar
Android backup extractor. Contribute to nelenkov/android-backup-extractor development by creating an account on GitHub.
Extract a tar from an adb backup file. Contribute to tcrs/android-backup-extract development by creating an account on GitHub.
Avatar
@FabianoQ A Java script can be downloaded at: https://sourceforge.net/projects/adbextractor/ (you only need Abe.jar). You can use this command to convert your specific backup: java.exe -jar abe.jar unpack YourBackUp.ab file_converted.tar Decompress this tar file and enjoy! (edited)
Download android-backup-extractor for free. Android adb backup extractor and creator. None
Avatar
I was able to extract the contents from the FB Messenger and Snapchat .ab files using "android-backup-extractor" (abe.jar) and all seems good (so why can PA read FB Messenger and not Snapchat?). The biggest problem I'm having is with WhatsApp. The WhatsApp backup is split in two files, "WhatsApp_backup.ab" and "WhatsApp_backup(2).ab". I assume this is because of size (the first file is 2.147.483.647 bytes and the second is 320.773.736 bytes). (edited)
9:21 AM
When I try "java -jar abe.jar unpack WhatsApp_backup.ab WhatsApp_backup.tar" it works for a bit, then exits with the error "Unexpected end of ZLIB input stream"
9:27 AM
So I tried first joining the 2 files (copy /b "WhatsApp_backup.ab" + "WhatsApp_backup(2).ab" wa_join.ab) and then used "java -jar abe.jar unpack wa_join.ab wa_join.tar", and this time the tool completes its job without errors, but when I try to extract the content of the created .tar file (tried WinRAR and 7-Zip) both tools say the .tar file is damaged and they extract only a part of the content
Avatar
@FabianoQ if you have PA you can import your backup .ab
10:04 AM
Sometimes I have the same error when I extract data from a tar archive
Avatar
PA has problems with these .ab files (made with 4PC). It "understands" only the one from FB Messenger but fails on Snapchat and WhatsApp (edited)
Avatar
@FabianoQ strange... You can make a new backup and try again
Avatar
For those that care about distinguishing whether or not an app was actually deleted vs offloaded - I did some research to try and answer some of my questions regarding app install/uninstall/offloading and how it's recorded in the knowledgeC.db and mobile installation logs. Based on limited testing, this is what I think happens; please test and/or let me know if I'm on the right track, or not getting it quite right. When an app is offloaded, it will show as an uninstall in the knowledgeC.db, but in the mobile installation logs it will be recorded as "downgrading to a placeholder" and "Install successful for placeholder". Be careful with interpreting the parsed data in mobile device software for app installs and uninstalls, as they are not distinguishing between an uninstall (deleted app) and an offloaded app. Another thing that confused me was seeing in the knowledgeC.db that an app was uninstalled with a start date of Jan 1 but a creation date of Jan 5. Further research showed that on Jan 1 the mobile installation logs show the app was downgraded (offloaded), and on Jan 5 the app was deleted (destroying container/Uninstall). However, on Jan 5, when the app was actually uninstalled/deleted, there is no record in the knowledgeC.db; the only evidence of the actual deletion is the creation date from when the app was offloaded. Not confusing at all. 🤯
👏🏽 3
Avatar
@rico I did it 3 times from 3 different computers, no joy...
Avatar
@FabianoQ so the same method gives the same result... What are the exact commands that were used? (edited)
Avatar
@Fabiano I read the history of your problem. This week I had the same phone with the same applications. But I preferred using XRY rather than UFED on the advice of a colleague (for downgrade). Everything worked except Snapchat! In view of what you say, I think it is more the Snapchat application that is difficult to extract (without a full FS) (edited)
Avatar
@rico So maybe a problem typical of this phone model.. I don't have XRY but I'll try Axiom and Oxygen
👍 1
Avatar
Mistercatapulte 11/18/2019 8:37 AM
Does anyone know where Snapchat messages are stored in version 10.59.0.15 on an iPhone full FS (iOS 12.3.1)? Thank you (edited)
Avatar
@Mistercatapulte You can't see some of the messages because on Snapchat they get deleted after some amount of time or after the message has been seen. However, the messages that still exist you can find under File Systems: /root/mnt2/mobile/Containers/Data/Application/357F7C1C-9C94-4EBD-BB32-ED204FF225AD/Documents/chatConversationStore.plist (edited)
Avatar
Mistercatapulte 11/19/2019 6:43 AM
@DaveK thanks Davek, it's where I looked, without any result...
Avatar
Can someone shed some light on the Identity Lookup Service on an iPhone extraction? I have a bunch of relevant email addresses that show "Apple authentication process has been performed for the following apple-ids:" and I'm wondering the relevance of these entries. Do they indicate that the owner communicated with that address or that he was in control of it?
Avatar
Braden.Grayshift 11/19/2019 7:54 AM
It doesn't necessarily mean either
7:54 AM
You know how on iOS you open up a new text message window and you type a phone number in there, and you can see a little spinner for a second, and then that phone number will turn either green or blue?
7:55 AM
Or you open up a contact in Contacts and it will take a couple seconds, and then sometimes the Facetime or iMessage icons will un-gray?
7:55 AM
Those couple seconds are spent querying the Identity Lookup Service
7:56 AM
To determine whether those target selectors (phone numbers, emails) are in the Apple ecosystem
7:56 AM
But it doesn't necessarily mean that any communication took place
7:56 AM
( @Expat4n6 )
7:58 AM
(though it is likely that some communication occurred)
👌 2
Avatar
@Braden.Grayshift Thanks. That makes sense.
Avatar
Is there a database on android similar to knowledgeC that would show accelerometer data, screen state etc? Trying to work through a collision to see what the phone was up to, running short on ideas.
Avatar
franksvensson 11/19/2019 9:09 PM
Determining a complete list of contacts that a person of interest has on their phone can be challenging due to factors like deleted data, inconsistent app communication records and device migration data loss. Because of these variables, it is important to find a reliable reco...
Avatar
@whee30 Have a look at my post https://discordapp.com/channels/427876741990711298/545232743353810946/644820801740079114 . I was trying to find causes of power on events and power off events but when I was working with one of those files, in the newbatterystatsxxxxxxxx file I saw entries in it such as "screenwake=1000:"WAKE_UP_REASON_KEY", 'screen brightness' and '+screen wake_reason=0" and things like that. Didn't do any testing around it but it might give you a direction to look (edited)
11:11 PM
My exhibit was a Samsung device that I found these logs on following the advice of @.karate. (edited)
👌 2
Avatar
@franksvensson Thanks.
Avatar
Echmyre[FORENTECH] 11/20/2019 8:09 AM
Hi all, is there a solution to decrypt the Signal database on an iPhone 6s (A1633) iOS 11.4.1? Thank you
Avatar
A full file system extraction might have some artifacts, but the purpose of the Signal app is to delete the message after X amount of time, making it harder to recover.
Avatar
Echmyre[FORENTECH] 11/20/2019 8:24 AM
Thanks for your answer jay... just want to be sure 🙂
Avatar
Perfect app for criminals
8:25 AM
just saying
Avatar
Echmyre[FORENTECH] 11/20/2019 8:27 AM
this is obviously the case..
👍🏻 1
Avatar
Andrew Rathbun 11/20/2019 8:35 AM
Just so you know, that feature has to be enabled for the self-destructing messages. It's not on by default
8:35 AM
And it's different for each conversation
Avatar
was this a new feature? When I researched this in early 2016, it was like Snapchat
Avatar
Andrew Rathbun 11/20/2019 8:38 AM
https://blog.elcomsoft.com/2019/08/how-to-extract-and-decrypt-signal-conversation-history-from-the-iphone/ has a post that might have some information you can work with @Echmyre[FORENTECH]
With over half a million users, Signal is an incredibly secure cross-platform instant messaging app. With emphasis on security, there is no wonder that Signal is frequently picked as a communication tool by those who have something to hide. Elcomsoft Phone Viewer can now decr...
8:39 AM
It probably is a new feature, yes. I use Signal every day with someone who prefers 12 hour self-destructing messages
Avatar
Side chick ?
8:39 AM
🙂
Avatar
Andrew Rathbun 11/20/2019 8:39 AM
Nope, just another tinfoil hat buddy of mine 🙂
8:39 AM
8:40 AM
That's from the desktop client
8:40 AM
Windows
Avatar
Echmyre[FORENTECH] 11/20/2019 8:47 AM
thanks @Andrew Rathbun but I don't have this tool...
Avatar
Andrew Rathbun 11/20/2019 8:49 AM
@Echmyre[FORENTECH] maybe ask for a trial? Just an idea. Best of luck. If I come across any more documentation I'll pass along. I'm constantly adding to AboutDFIR as I find stuff to add
Avatar
Echmyre[FORENTECH] 11/20/2019 8:49 AM
good idea, yes I will try
Avatar
Anyone had to do an Android 10 device yet? Just attempted filesystem and advanced logical on a OnePlus 7T and got basically nothing decoded 👎
Avatar
Can anyone tell me what a SBUSSDAlert is on an iPhone? Discovered in the KnowledgeC.db as the "app/inFocus". Maybe something to do with a SpringBoard alert? But unsure as to what it means or any significance.
Avatar
@jd1345 quick search came up with "An Unstructured Supplementary Service Data (USSD) code is a code that is programmed into your SIM card or your cell phone to make it easier to perform certain actions. When you know the code for what you want to do, you can run it with a few simple taps. "
12:37 PM
so maybe like 3282# (DATA#) to check their data
12:37 PM
"*3282#"
12:39 PM
or even "*#06#" for the IMEI, just throwing stuff out there. Not sure if that is what the SBUSSDAlert is. But I like your thought of SpringBoard, and then the USSD alert would fit 🤷
Avatar
Thanks @AA - I found that too, and unsure if that's what it could be referring to. If it is in relation to the user dialing, I would think I should have a com.apple.InCallService process around that same time, or a Call as the app/intent - but I don't.
12:59 PM
Some of that stuff has got to mean something to someone, but I have not studied enough on iOS development to know what any of that is lol
Avatar
If anyone has a good resource for learning to write Python scripts WITHIN Physical Analyzer (other than PA's included help file), especially for someone that has no formal training/education in Python, please let me know either here or by PM. There are so many Python scripts out there just waiting for adaptation so they can be used inside PA that I want to learn. Our case agents/district attorneys would much rather us include the data within a Cellebrite Reader report instead of separately, if possible, and just adding it into the PA as a separate file makes it disjointed. For example, I want to parse the mobile_installation.log.* files and include that in the Analyzed Data. Alexis Brignoni has an excellent Python script for parsing them but I want to do it within PA's Python shell. Thanks!
👍 2
Avatar
Does @MSAB support import of .tar files of an iPhone backup? I keep getting an error message that it won't unpack / zip. If it's not my issue, is there a workaround?
Avatar
@Dfdan That's correct, the XRY import only handles .zip files as it stands right now. I guess the best "workaround" is to unpack the .tar file and then import the folder using the Apple iOS iTunes Backup profile or the iPhone profile of your choosing. (edited)
Avatar
forensicMouse 11/21/2019 8:58 AM
Does anyone know of any tool that can brute force a Secure Folder pin on Samsung S8 running Android 9? We have the swipe pattern to unlock the phone but Secure Folder is a separate pin
8:59 AM
Follow up question: number of pin attempts on Secure Folder unlock before locking it out?
Avatar
@forensicMouse Cellebrite Advanced Services is the only option
Avatar
Wondering what people are using to decode SD cards from phones and why? At present I've found issues with both tools we are using particularly around TAR, RAR, etc... Which is funny as @Dfdan has recently stated it too.
Avatar
IEF/Axiom and creating a HTML report was my process
12:18 PM
End user complained about not knowing how to use the portable case
12:18 PM
PDF didn't format nicely
Avatar
@Erumaro and @4N6Matt UFED handled the .tar fine, no issues. XRY wouldn't import the .tar file. I unpacked the tar and used XRY to import the folder; it didn't parse correctly. I zipped the folder, still didn't parse. AXIOM: I imported the .tar and the unzipped folder; these both parsed incorrectly just as XRY did. In the end I have just relied on UFED, but delved into the DBs and plists to verify things.
Avatar
@Dfdan What format did you import it as, did you select iOS from the drop down? If not the folder may not be properly decoded. The .tar is not supported but folder should be, if it’s still not working with iOS as the format you could DM me the log and I can see if we can solve it!
Avatar
@Erumaro I changed to zip / folder and iOS tried so many combinations I can't remember what I have done. I'm not at work now. So if I unpack the .tar change drop down to iOS and let it go....hopefully it should work.
Avatar
It certainly should but if not send me the log and we can have a look tomorrow!
Avatar
@Cellebrite. Does ufed physical support decoding huawei backup from SD or external memory? Oxygen has great tool to read huawei Backups. (edited)
Avatar
You can do it with a bit of manual work for UFED @denyzkoo following this: https://discordapp.com/channels/427876741990711298/545232743353810946/581419461324701696
Avatar
Has anyone encountered a possible issue with UFED PA (7.25.0.188) decoding iOS 13+ emails from a 'full' file system extraction? I say possible issue, I have sender data to/from/subject line but no email content - manually checked handset and emails appear fine (not the usual 'message not downloaded from server'). I've sent a support ticket but just wondering if anyone's seen this issue? Handset running iOS 13.1.2 (edited)
Avatar
MrMacca (Allan Mc) 11/22/2019 4:42 AM
@Akko Afraid I haven't.
Avatar
Hi @Erumaro I have unpacked the .tar and pointed XRY at the file using the iOS profile, still get an error message and it doesn't parse the file at all. I'm not too bothered as it's for a bloody Proficiency Test we have to do, grrrrr.
Avatar
@Dfdan Could you DM the log please? With that I can have a look and see where we ran into problems (edited)
Avatar
@Cellebrite anyone having issues with the enrichment feature on CB PA 7.24.0.209 (edited)
Avatar
Imported some data successfully today on that version @Jetten_007
Avatar
@K23 thanks...
Avatar
@Stevie_C Thank you sir.
Avatar
Does someone have a document that explains the meaning of the numerical codes you find in the column "ZMESSAGESTATUS" from the "ChatStorage.sqlite" db that contains WhatsApp chats on iPhones (1 = sent, 2 = received .... etc...)??
Avatar
@Jetten_007 are you using auto online or manual sending in.
Avatar
@FabianoQ if the message is outgoing, then 1 would be a single V, 3 means failed to send, 6 would be two grey Vs, 8 is two blue Vs and 9 is waiting to be sent (clock icon). If the message is incoming, then 6 means unread and 8 means read.
Avatar
@Orb Thank you
Avatar
Some messages have 5 in ZMESSAGESTATUS column, what should this mean?
Avatar
Hello! Just a quick question: in the generated UFED report some calls in the call log appear with the status "Blocked". Does this mean that the calls are entered in an automatic blocking list, or does it indicate the user interacting with the phone and swiping away the call?
Avatar
franksvensson 11/25/2019 2:46 AM
@Cygonaut "Blocked" call should be in the blocking list (this is not always the case...) and "Rejected" should be when the user swipes away the call. I have found mismatch of those values on some devices so to be 100% sure, check the DB for confirmation. Example on Android: 1 incoming, 2 outgoing, 3 missed, 4 voicemail, 5 rejected, 6 blocked.
Avatar
heatherDFIR 11/25/2019 5:49 AM
@FabianoQ I recommend recreating some data for that version of WhatsApp if you can. This way you are 100% sure what each status flag means. It could be related to attachments, attachment type, etc. The best way to know is to try it. What version of WhatsApp are you looking at? I may have my old queries somewhere.
💯 1
Avatar
Hi, I'm currently examining a Samsung Galaxy S9 which does not contain an SD card, however I would like to establish if it ever did contain one. Are there any artefacts/data contained in the Android file system that show if an SD card was installed or linked to a device? I have reviewed the data in the external.db found at: /USERDATA/data/com.android.providers.media, however this has not definitively shown an SD card was present in the device. Many thanks, JC.
Avatar
@Cellebrite Hi, is it possible to make a nice pdf report of some email? Like a nice email view or something like that and not the unreadable pdf...
Avatar
heatherDFIR 11/26/2019 7:02 AM
@FabianoQ Not sure if this helps you or not. ZWAMESSAGE.ZMESSAGETYPE AS "0=Text,1=Image,2=Video,3=Audio,6=Group,10=empty msg"
Avatar
I hope someone here is able to help me out! I'm giving a bit of assistance to a colleague with decrypting a dump of an FDE enabled Sony, running 4.4.4. It's using scrypt, standard crypto_footer parameters on the surface
7:49 AM
Mobile Revelator successfully cracked a 6 digit pin, but won't decrypt the data, stating that the password is wrong
7:50 AM
XRY and Oxygen prompt for the PIN/password when importing but also claim that it's wrong
7:50 AM
UFED PA just states it's an unsupported FDE format and doesn't do anything else
7:51 AM
Any clues as to where to go from here? Seems like this Sony is using 'core Android' KDFs, but is applying them to the actual userdata in some kind of non-standard/proprietary way
7:51 AM
@bkerler , encountered this before?
Avatar
yeah, Sony has a custom header, so decryption works differently
Avatar
Ah ok, does Mobile Revelator support this? Or are you aware of any other tool that does?
Avatar
@heatherDFIR Hi Heather, sorry if I didn't answer your question but at the moment I'm not able to tell which version of WhatsApp is on the phone. As we are talking about an iPhone X with iOS 13 I suppose it's a very current version but can't check right now. Thanks anyway for your suggestions, there remains a doubt about the meaning of 5 ...
Avatar
MR doesn't support it, but I might write support for it
😋 3
Avatar
Is it possible to import an iPhone acquisition made with UFED P.A. (Method 1 + Method 2) into Oxygen Forensic Detective? The iTunes backup part of Method 1 is encrypted with the standard UFED password "1234" but I can't see how to "tell" this to Oxygen...
Avatar
I have a physical extraction of a Samsung G930F. On this phone is Threema with an unknown PIN. In UFED PA there is no decoded Threema under Chats. Has anyone an idea how to get the PIN (numerical, max 8 digits afaik)? Or any bypass or something?
Avatar
Deleted User 11/26/2019 11:10 PM
I have an image of an Android phone and I want to mount it in Linux. It says it's an ext file and Linux supports that. It sees the partitions but it can't mount for some reason. Does anyone know why? Or how I can mount an Android image in Linux?
Avatar
@Deleted User do you have full memory chip image or a single partition dump?
Avatar
Deleted User 11/27/2019 2:08 AM
@Arcain It's a full memory image
Avatar
@Deleted User so you need to specify which partition you want to access as image contains lots of them https://askubuntu.com/questions/69363/mount-single-partition-from-image-of-entire-disk-device (edited)
I made an image of my entire disk with dd if=/dev/sda of=/media/external_media/sda.img Now the problem is I'd like to mount an ext4 filesystem that was on that disk but mount -t ext4 -o loop /me...
Avatar
MD5/VFC_Aaron D 11/27/2019 3:15 AM
Does anyone have any tips on decoding Windows Phone 7 handsets? I've done an ISP on a Lumia 800 (RM-801). The image is made up of 9 partitions but the main user partition, which is 15GB, is an unrecognised file system.
Avatar
it should be NTFS
Avatar
MD5/VFC_Aaron D 11/27/2019 3:27 AM
Only one of the partitions is D:
Avatar
You should be able to access at least two, the one with system and one with data. I think they were called MainOS and Data. I've never seen a Lumia 800 encrypted, but maybe that's the case or the dump is corrupted
3:32 AM
Lumia 800 can be dumped over USB if you write unlocked bootloader. It just shows up as a storage device. FTK Imager is then able to browse it without a problem.
Avatar
MD5/VFC_Aaron D 11/27/2019 3:34 AM
We don't have a passcode for it which is why we went for the ISP option. I am thinking it might be encrypted but it's not certain. The MainOS is the partition which is recognised
Avatar
You don't need a passcode to unlock the bootloader on this one. Infinity BEST and ATF were able to do that. I don't see a free option anywhere. Take a look at the partition header, maybe it'll look like something similar. I'm not sure that Windows Phone 7 could be encrypted and I'm finding mixed results now. Some say it wasn't a feature, some say it was possible for corporate devices. (edited)
3:44 AM
Personally, I've never seen any Windows Phone/Mobile encrypted
Avatar
MD5/VFC_Aaron D 11/27/2019 3:56 AM
The only time I've seen encrypted Windows phones is when I've worked on internal police investigations, since it's what our surrounding forces were using
Avatar
That would then point to corporate devices having such feature. Anyway, try loading this image into a data recovery software like R-Studio and scan it for missing partitions. Maybe it'll find you a data one. Could be some corruption while dumping.
4:01 AM
R-Studio demo should be enough to verify this
Avatar
Deleted User 11/27/2019 4:34 AM
@Arcain Thank you so much!
Avatar
@Oxygen Forensics @Cellebrite @Magnet Forensics @xry Does any software support importing an encrypted Signal backup file and parsing it? It's a .backup file. I have the password. I already decrypted and exported it to an xml/csv file but I need to import it into a report and represent all columns. (edited)
Avatar
forensicmike @Magnet 11/27/2019 7:10 AM
DM'ed
Avatar
Does anybody have insight into the difference between app/usage and app/inFocus from the KnowledgeC.db? An assumption could be made that if an app is in use - then it is also recorded as the app in focus. And this is true seemingly in all but 4 times in my month's worth of data. What does it mean when, for example, Instagram is listed as the app in use, but at the exact same time, the app in focus is the mobile timer? In another case the camera is the app in use, but the app in focus is InCallService (it's not a FaceTime call). At first I thought maybe if the app in use is NOT the app in focus - it's because it's running in the background. But if that's true, I would expect to see it happen many more times than just 4x in a month. I've also discovered that Cellebrite, Axiom and Oxygen do not include app/usage in their timelines - they only parse out app/inFocus. I'm guessing the assumption is made that the app in focus is the app in use - and that is not always the case, I'm just not sure how to explain it....
Avatar
digiforensic 11/27/2019 11:30 AM
is there any way to decrypt a WhatsApp database without having the key? (edited)
Avatar
@denyzkoo No, they can't import the Signal backups. But you can use: https://github.com/pajowu/signal-backup-decode to get a decrypted database and the media files. The database structure is a little tricky, so you can't use the tools in PA or in the other tools to get the full data. Send me a message, I wrote a Python script to get that data into an HTML file. But it's developed and tested on a small backup. The database structure of Signal has changed this year, so it depends on the app version if all will be fine.
Decode Signal Backups. Contribute to pajowu/signal-backup-decode development by creating an account on GitHub.
Avatar
@jd1345 I'd be interested to test a phone call where you open another app while the call is going on. I wonder if that would account for some of what you're seeing?
Avatar
just checking if anyone has a theory: an iPhone Safari history.db contains a list of records. The origins are all '0', indicating they originate from the phone. Verified with the physical phone and the history is empty...
Avatar
Hi, does anyone know the difference between "Rejected" and "Blocked" in the status column in the Call Logs table in PA?
Avatar
@digiforensic You can use a cloud based tool to perform the decryption. Oxygen for example does a good job with this
12:53 AM
You supply the phone number associated with the backups and it will generate a decryption key from WhatsApp's cloud servers. This will however log the device out of WhatsApp, so there are side effects and risks to be considered
Avatar
Morning all. I am trying to export specific tagged images from UFED PA (7.23.0.191) and am having some issues with duplicate images. There are a few images that have been duplicated. The original files are in the DCIM/100/MEDIA folder and the duplicates have been created as attachments for Android mail. When attempting to tag them for export, PA only allows me to tag one of the duplicate attachment files and not the original, so when exporting it contains the MAC dates and times and file path of the duplicate file and not the original. Any ideas how I can tag the original image and not the duplicates (or in a perfect world, tag them all)? Thanks
Avatar
Even in the original report the attachment data is being exported and not the original file data.
Avatar
franksvensson 11/28/2019 3:26 AM
@Luci Rejected = call swiped away, Blocked = added to blocking list.
Avatar
Thanks!
Avatar
@Artea annoyingly to fix that you need to change the merge settings on PA and re-open the case. Images won't be grouped but you will be able to pick what image to export with the appropriate metadata. We raised this as a feature request / issue earlier in the year but haven't heard back on when or if it will be added so that you can choose and export without having to reload the case
Avatar
Forensicator1005 11/28/2019 3:41 PM
Anyone else having a problem with 4Pc taking over your screen and not allowing minimization to run in background while you do other things. Since 7.24 was released I have had this issue. Running on a Dell Latitude that I’ve not had this problem with before. Another examiner at a different agency had the same issue and she’s running a Talino laptop I believe. Support escalated the issue but I’ve received nothing back so far. It’s not a resolution issue and the tech remoted in and was perplexed, too.
Avatar
chrisforensic 11/28/2019 9:13 PM
PA 7.26 released... should solve troubles with big ios-extractions... will test in few hours at work 😋 cellebrite (edited)
👍 4
Avatar
@whee30 - I thought the same thing and hope to test it soon. But - I only have one instance when the InCall Service is the app in focus (unanswered call) when a different app (camera) was in use. One of the other unexplained app/usage different than the app/focus is whatsapp is the app in use, but the SBUSSD is the app in focus. ??
Avatar
@chrisforensic Perfect! I just sent Support an e-mail about this yesterday morning. Still haven't heard back from them, but we'll see if we can pull and test 7.26
5:46 AM
or not.. UFED_Physical_Analyzer_7.25.0.188_20191106185046.zip is the latest in the portal.
Avatar
digiforensic 11/29/2019 7:17 AM
@Klimosko you are using old portal. Update it to new portal, you will see 7.26 (edited)
👌 1
Avatar
Gotcha! I didn't know community.cellebrite was actually working now. It was a mess last time I used it for CAS and we got told not to use it.
7:23 AM
Thanks @digiforensic
Avatar
7.26 fixed the issue!
Avatar
digiforensic 12/1/2019 4:57 AM
I have Huawei P9 (EVA L09) full disk image. I know the phone lock password and I want to access my data. After opening it in PA (File->Open(Advanced)) and giving the password, PA shows the message "userdata is encrypted with unsupported algorithm". Is there any way to extract my data from the phone image? (edited)
Avatar
@digiforensic I don’t think you will be able to decrypt the image off of the device. If I remember correctly, the encryption key is hardware based, so just knowing the password doesn’t help.
👍 1
Avatar
Any idea why PA sometimes decodes less data from Facebook Messenger than other tools from a physical dump? I have the same dump analyzed in 3 different tools. PA in the chats section decoded 82 msg and says there are (3809) more if I understand this correctly, but I don't see those anywhere. Other tools see 3853 messages directly
Avatar
CLB - DavidK 12/2/2019 3:39 AM
Hi @Arcain, I've reached out to you via DM
Avatar
@Arcain let us know what you find out. I have seen this as well.
Avatar
@sholmes I assume you didn't solve this? I've seen stuff like this on 7.18, 7.25 and now 7.26.
Avatar
No I didn't solve it either.
Avatar
out of curiosity, did you get more results via apk downgrade or similar?
Avatar
Not to suggest that this is necessarily the case here, but a lot of times we see differences in counts due to different ways of removing and filtering duplicates
Avatar
@Arcain I didn't test that. I just saw the difference between Axiom and PA.
Avatar
For example, sometimes a tool might output a deleted copy of an intact message separately while another tool will only display the intact one
5:26 AM
BTW @Arcain , what do you mean by "decoded 82 msg and say there are (3809) more"?
Avatar
I see under chats, "Facebook Messenger (82) (Messages 3809)" (edited)
5:28 AM
like there were more of them but they're not displayed
5:29 AM
Axiom sees 3853 messenger messages
Avatar
Could it be that there are 82 different chats (conversations), containing a total of 3809 messages?
Avatar
Now when I look at it, it might be like this. So this would be 82 threads with multiple messages inside
Avatar
Mystery solved I guess, some threads have 1000+ messages inside
👍 2
Avatar
That makes sense.
Avatar
@K23 Sorry for the late reply (Been off since Thursday) Worked a treat! Many thanks! 🙂
Avatar
@Artea No problem, glad it worked! Worth changing settings back when you're done, otherwise you might experience a lot of duplicates in chat messages / other data types which can get a bit annoying!
🙂 1
Avatar
Question for the group, looking for Netflix usernames and passwords on a G/K dump from an iPhone 6. Looking to see if anyone has had success with this or not.
Avatar
@jenks31 When you do find it, The Irishman is supposed to be good 😄
😂 3
🤣 3
Avatar
you can Google Netflix usernames and passwords also.. they had some leaked.
💯 1
1:14 PM
not that I would do that
Avatar
I am currently running an Android (version 6.0.1) ZTE Z837VL on UFED Physical Analyzer 7.24.0.209. Does anyone know why I am getting a different number in the MSISDN last known use than the one listed inside the phone settings? I can physically confirm the correct number on the phone. What file or database has the phone number listed in the settings?
Avatar
I have a BQ Aquaris X2 in a case and wonder if the two IMEI numbers that are displayed in "Settings" are correct or fake.
Avatar
@Tilt If you haven't been able to access the hidden partition these IMEIs should be randomly generated afaik
Avatar
Ok thanks for the answer @Oscar
Avatar
@Dfdan Noted lolol
Avatar
Is the keychain.plist used for Wickr decryption available anywhere in an iOS full filesystem dump or is it GK only? @Magnet Forensics (edited)
magnetforensics_alt 1
Avatar
@Cellebrite does anyone know how to parse a single .xml file in UFED PA? It's a standard Android backup of call logs and SMS. Thank you
Avatar
Good write up on Mobile Application Pentesting 6 parts iirc: https://medium.com/@patilpiyush/mobile-application-pentesting-part-1-596e82e56e83
Mobile Security Checklist, Pentesting and Analyzing the mobile applications, OWASP Top 10, Bug Bounty Vulnerabilities
Avatar
does anyone have an "Explain like I'm 5" document on how to run a Python script on UFED PA? I have a KaiOS script (extracts contacts/call logs/SMS texts) that one of the guys here got from a training or another colleague, and when I go to try to run it on UFED PA (Python >> run script > select Python file)... nothing seems to happen. At this point I'm not sure if I ran it right or if there really is nothing to extract.
Avatar
@AMB We recently had the same thing. We used Chris' scripts on a few KaiOS phones. What we found out is the SMS did not parse with the script on the Alcatel 405 version because the database structure was different than it is on the 4044 models.
2:43 PM
I am pretty sure we ran them just as you show in your post.
2:44 PM
Not that this answers your question, but Oxygen does a pretty good job of parsing KaiOS natively
Avatar
I think they have to be written in a way that PA can understand them.
2:44 PM
As well, XRY just updated and they say they can parse KaiOS.
Avatar
@AA that is good to know about XRY covering it as well.
2:45 PM
Good to have other options
Avatar
Yes, been waiting for awhile for Cellebrite or XRY to support it because those are the only 2 we have. I haven't had an opportunity to test it yet though.
Avatar
I agree. I was hoping CB would have tackled it by now. I am sure there are bigger fish to fry, but we were getting killed with those phones. Now we only get a few a month. There for a moment it seemed we were getting a few a week.
Avatar
thanks for the insight @sholmes and @AA . we only have UFED and XRY too. our lab is sitting on 3 Alcatels that are running KaiOS and i'd hate to not be able to run the script successfully.
Avatar
what Alcatels?
Avatar
4044 and A405DL
Avatar
I haven't tried XRY, but it might be worth a go. Not sure what scripts you are running. We got ours from the MDFA Google Group. It gave us some data on the 405DL and I thought it gave us call logs, contacts and messages on the 4044.
3:04 PM
405DL no messages
Avatar
I got it from the boss here who attended the Cellebrite CASA class.. so either he got it from the class directly or whoever was teaching it. I'll try the one from the Google group for the 4044.
Avatar
Good luck
Avatar
thanks! hopefully I can get an answer that will help all of us all around.
Avatar
Maybe someone can help me with this?: I have some data that's encrypted: { "data":"U0u7WfBoVUB7xqk3NrmGLoqpDQXFoFliFWHQbo7tl52FZNE-8-9iJhxP3_K2o1b_5d8YpLBGORLnbEH5IYgKt0g_S5rnPyoCpO2S2LZXkZghwg4qYDRjla7o4zGAVnDApp85MKTqpC1JIU3YQqkg9SubbY7_M4XiqSI_4DSq35PeniVLRaGtvANh4ZTXspbGzwkpxvxehfr1qXXdBYfpkVbD-nGoF9Cbe9TPhuSt_58sHdhzJGxECdloUF6NLUOa", "sign":"fV12WdlPo8VnJznjIGTgxr7MYlDgEddExfO_I8TDgXE", "iv":"wZxMLIWbAvanP5n5PBQFcg"} I recovered the key, and the IV is there so I can decode the data part. But I want to alter the data and resend it. Now there is a 'sign' key, it's base64 data which results in a 32 bit key... I think this is some kind of checksum. Does anyone know what this is exactly?
1:45 AM
I meant 32 bytes, so a 256-bit key or something..
Avatar
kmacdonald1565 12/5/2019 6:47 AM
@AMB I have a KaiOS phone now, I am pretty sure it is the 4044... I got a physical with a similar profile but PA isn't decoding texts or really anything... can you point me in the direction of a script for it? If I get it working I'll report back.
Avatar
@kmacdonald1565 are you on the MDFA Google Group? They have them in the resource folder.
Avatar
kmacdonald1565 12/5/2019 6:48 AM
i am not
Avatar
Andrew Rathbun 12/5/2019 6:48 AM
@kmacdonald1565 you definitely should, great resource
Avatar
kmacdonald1565 12/5/2019 6:48 AM
how do i join?
6:49 AM
there's a few other groups here, too
6:49 AM
join them all, IMO, as they are all good to browse every now and then
6:49 AM
Namely, the Google Groups on that page
Avatar
Here is the script.
👌 1
6:50 AM
Agree with @Andrew Rathbun
6:50 AM
Google Groups allows you to create and participate in online forums and email-based groups with a rich experience for community conversations.
Avatar
kmacdonald1565 12/5/2019 6:50 AM
thank you both!
Avatar
Andrew Rathbun 12/5/2019 6:50 AM
here's the groups I'm in, I poke in at least once a week to see what all is going on in them
🙂 1
Avatar
is the group I referenced. However I think the others are listed here under resources as well
💯 2
6:51 AM
Yeah I do the same @Andrew Rathbun I also get the emails when someone posts, so I try to clear those out daily
Avatar
Andrew Rathbun 12/5/2019 6:51 AM
MDFA is where Scott Lorenz lives on the internet so that's a good resource to have
💯 2
6:51 AM
@sholmes great minds think alike 😄
Avatar
@AMB TL;DR: you have to write python using PA data structures (see python manual in the Help menu in PA). going back to your python/PA question, there are a few things to note about python in PA. First is that it's based on IronPython so there may be some compatibility issues between pure python and IronPython but I'm not sure. Secondly, you have to customize your python script to work within the data structures of PA in order to get the output somewhere. I've spent a few hours trying to learn it and figure out how to do certain things but my main hurdle is that I don't know python in any practical sense (other than just hacking around and Googling the shit out of stuff). I have a moderate understanding of programming in general but there's nothing more dangerous than a tool in a noob's hands. I've crashed PA multiple times due to my "script kiddie hackery".
8:37 AM
@Andrew Rathbun Who do I hit up to join the FOR585 Alumni group? @heatherDFIR?
Avatar
thanks for the insight @criley4640 ... i have ZERO knowledge of python, so all of this is ammo to the boss to hire someone that actually knows what they are doing with python for our group.
Avatar
Andrew Rathbun 12/5/2019 9:16 AM
@criley4640 yeah I'd imagine so. Her and Lee run that group. Shoot her an email. She's traveling this week per Twitter so you may not get an instant response
Avatar
@AMB Or to send you to some training!
👍 1
9:17 AM
@Andrew Rathbun Roger that. I'll shoot her a message. Thanks.
👌 1
Avatar
I may be mistaken, but iirc, FinalMobile also parses KaiOS.
Avatar
Hmm, PA doesn't parse Samsung Notes app (com.samsung.android.app.notes) used in, for example J530F?
Avatar
@dfa_adam You remember correctly. FinalMobile does parse KaiOS databases
Avatar
Good, the ole steel trap is still working!
💯 1
Avatar
chrisforensic 12/6/2019 4:30 AM
hmmm... have a question related to FB-Messenger-Chats.... @Cellebrite ..... pictures were sent with Messenger... i can see the online-link in message and this link is still active.... how can i get all data (pictures, voice messages etc.) from active links into PA ? Is there a python script available?
Avatar
@chrisforensic so you pasted the link into browser and it gave you the picture ?
Avatar
chrisforensic 12/6/2019 8:20 AM
@Dfdan ... yes, just copy link, paste to browser, and picture is shown... so it would be nice if we could get all data from active link into messenger-chats !! you can try it - if content of link is available, you get the pic, gif, etc... (edited)
Avatar
@chrisforensic look up https://www.httrack.com/ see if you can feed it a txt with weblinks to get you the files. I'm away from office on phone so can't test it for you.
HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your co...
Avatar
Have an S8 SM-G940U. Was able to get logical / file system / file apk extractions. I need the gmail and proton mail from the device but PA did not parse it. Any recommendations?
Avatar
chrisforensic 12/6/2019 8:53 PM
@Dfdan i have no problem to download all the online files in one rush (from the links of exported chats (xlsx)), ... the problem is to get them into PA - linked to the associated chat message
Avatar
@chrisforensic I agree with you. A function to get it easily in one click or even automatized on all content with a user agreement would save a lot of time!
Avatar
But you will need a computer connected to internet. What about logic bomb, what about file that will alert people if downloaded. I agree with you if the jpg is somewhere in the phone we need it linked to the chat message
Avatar
@Bobby when you have an internet connection and you have a thousand links to parse manually, it's very very long to view all images... A function where you only have to click would be welcome!
💯 1
Avatar
chrisforensic 12/8/2019 9:39 AM
@Bobby ... for better understanding... i just mean active media links of FB-Messenger.... as i know, no one will be alerted if this media will be downloaded automatically 😉 of course not all available links of acquisition should be parsed and automatically downloaded ! (edited)
Avatar
chrisforensic 12/9/2019 1:49 AM
thanks @Oxygen Forensics for the option to download missing pictures into FB-messenger chats 😉 imported messenger-androidbackup (done with UFED4PC) into Oxy, downloaded all available pictures, exported Chat.... responsible agent is satisfied !!! 👌 (edited)
Avatar
By the legendary Ian Whiffin aka: 'DoubleBlak': http://www.doubleblak.com/ Twitter: https://mobile.twitter.com/BlakDouble Free Software Tools
👌 1
Avatar
@DF51 Shaf how to become an authenticated member of the digital Forensic community?
Avatar
Andrew Rathbun 12/9/2019 7:25 AM
He's got a good blog. Worth a follow. All his artifact specific posts are linked on AboutDFIR and he's listed on the men of DFIR page as well
7:25 AM
@florus how do you mean?
Avatar
Doubleblak software section isn't showing the content.
Avatar
Andrew Rathbun 12/9/2019 7:27 AM
Oh that would be worth asking him himself on Twitter
Avatar
Anybody have success in getting a physical from LG Q6 M703. Cellebrite says they support it and the Chipset but so far no luck. Octoplus got a full physical flash but of course the Userdata partition is encrypted. Any suggestions would be greatly appreciated. The phone is completely unlocked, I just can't pull anything. I did an LG backup but cellebrite didn't parse anything from it. Qualcomm MSM8940
10:18 AM
I was able to carve the LG Backup with cellebrite's image carving and that yielded a bunch of CP but all the location etc is stripped off.
11:26 AM
on the login page, create account tab
11:27 AM
its fairly straightforward. i was just sitting with a colleague from the private sector who did it in 5 minutes and accessed the tools!
11:28 AM
i happen to be lucky that I work alongside doubleblak and test his tools
Avatar
@DF51 Shaf i created an account and accessed the software part but no way to download it 😢 (edited)
Avatar
Is there a way to decrypt a Huawei backup made with the Huawei backup app v10? I'm currently fiddling with a python script but no luck so far.
Avatar
forensicmike @Magnet 12/10/2019 5:40 AM
+1 for Doubleblak, he does great work.
👍 3
Avatar
@Sockmoth I think Axiom can decrypt it. Also , I see you are from dutch LE, i also have a solution if needed
Avatar
@Sockmoth contact tdo oob (edited)
Avatar
@Oxygen Forensics @MSAB @Cellebrite @Magnet Forensics any news in decoding the Signal backup with the 30 digit pin? I know the features for iOS only, what about Android?
Avatar
Crabbers (Chris) 12/10/2019 2:11 PM
@AlexBB we're working on getting this into the 3.9 release scheduled for January
Avatar
Working on a CP file...and have a number of images that begin with .com.google.Chrome.[6 alphanumeric characters - different for each file]. They are all in the root of a MicroSD card (sadly can't get access to the phone the card came from). In my experience these files usually appear in the Chrome cache folder (and are usually 0 bytes), but I've seen them show up in other locations, including downloads. Anybody know a bit more about these files? When/why are they usually created?
Avatar
@AlexBB No support for the backups yet but in the latest XRY release we added Photon support for Signal as well as decrypting support for Signal in Physical extractions. The decoding support generally works best on devices sent in with the MSAB Access Services but we're working on expanding this to further models as well.
Avatar
Would anybody have a firehose for LG Q6 (M703) Qualcomm 8940 running Android 7.1.1 security patch May 2018?
Avatar
There's one for M700H, but it's same CPU. Phone is encrypted though.
Avatar
Ya, doesn't work. @Cellebrite said that I need the exact firehose for my phone to work. They are supposed to get back to me.
Avatar
Hmm, that's odd. I personally had M700A and firehose was ok, but couldn't get decrypted dump in the end, always failed at either step 5 or 6, at least couple months ago. It would be odd if essentially the same phone, based on the same cpu required a different firehose
1:35 PM
Do you have any other tool that can use that firehose to at least verify if it's correct?
Avatar
I keep seeing "firehose". Maybe a stupid Q, but what do y'all mean 🤭
Avatar
@Oscar thanks
Avatar
@rico: i logged in and accessed the software.. example from Artex download link
see the downward pointing arrow.. that is the download icon link... i did this using brave browser on a mac with no issues.. so I'm not sure how you cannot download any of the software FORGOT TO ADD: after you create an account, verify it. Login and download the software tools from doubleblak website on a COMPUTER/LAPTOP (NOT SMARTPHONE!!!). The tools are built to run on Windows only, ideally Windows 10. I have not tested them on Windows 7. (edited)
Avatar
@mkx I’ve come across cached images associated with .../glide/cache/micro (and other directories indicating size of the thumbnail). Not sure if this is what you have going on, but I recall the images I was working with had a long string as the filename. I ended up on a blog post by Cheeky Monkey, which derailed a little about cached images. I poked around on google and found the following link: https://android.jlelse.eu/using-glide-few-tips-to-be-a-pro-60f41e29d30a It makes reference to the naming convention being based on a hashing algorithm, and the type of library used to create cached images. Just wanted to share in case it can help.
9:04 AM
Sorry about the image that is associated with the link I referenced. I’m not sure why it populated as part of my message
Avatar
@Arcain mine is doing the same thing. Failing at step 6/6. I got a full physical from the device using Octoplus but UserData is encrypted. I am wondering if I can make a Firehose from the physical extraction I have.
Avatar
@Mittens no, it's not stored anywhere on the phone so can't be extracted from dump. Firehose itself is correct if it goes up to step 6, this method just doesn't work for this phone, or at least a firmware version. (edited)
Avatar
@DF51 Shaf Effectively my connection on a computer works... So don't use a smartphone for it 😉
Avatar
@luis511_ Thanx! I'll check it out.
Avatar
@Erumaro XRY 8.2 decodes the decrypted Signal database with contacts and so on but there is no message content. Only empty bubbles. Maybe next release? Or am I doing something wrong?
Avatar
@AlexBB Huh, that's interesting! What device was this from and what sort of extraction was it? If you could send the log to support@msab.com I can have a look! If you know the version of Signal it would also be great! (edited)
Avatar
@Cellebrite In UFED we have Apple Maps travels from one point to another. When does Apple Maps record the travel? Does the user need to start traveling or is it enough to just look up the directions? The timestamps on both of the GPS positions are the exact same, I guess that's when the search took place or travel started, is that correct? Is there any way to find out if the user is using the phone's position versus choosing a different starting point? (edited)
Avatar
@Oscar Oscar, I know that @heatherDFIR did some work on Apple Maps so she can probably answer that a bit better.
Avatar
@Erumaro sending log data is not possible. Decrypted the database from A Huawei Backup made with HiSuite v.10. Signal Version 4.17. You Can repeat this behavior with test data.
Avatar
@AlexBB I see, thank you for confirming! I would need to test this to verify and loop it back to our developers, the support we added is only for Physical extractions as well as when using Photon. I am not currently sure in what format the Huawei HiSuite Signal backups are.
Avatar
I have an iOS question. I have some "Activities" from healthdb_secure.sqlite surrounding a com.apple.datausage.maps DataUsage.sqlite log entry. Is there any way to see any type of location data associated with the healthdb activities or the maps datausage? @Cellebrite ?
Avatar
Josh Brunty 12/16/2019 9:48 AM
Hey Guys, I am trying to assist an agency with some encoded (or I believe they are encoded) in an app called "CoverMe". I was able to pull the encoded messages in Cellebrite PA and get them out to a spreadsheet. However, the messages look like the screenshot I've attached. I thought these to merely be BASE64 (or some other variant). Tried a whole bunch of combos in Cyber Chef to no avail. Anyone have any experience with this type of CoverMe app data? I also have the spreadsheet of what I have attached. Any help is much appreciated.
Avatar
Andrew Rathbun 12/16/2019 9:49 AM
@Josh Brunty might be worth asking in #password-encryption-cracking as well
👍🏻 1
Avatar
Josh Brunty 12/16/2019 9:49 AM
Thanks @Andrew Rathbun I'll post over there as well
Avatar
Andrew Rathbun 12/16/2019 9:49 AM
Best of luck 👍
Avatar
Has anyone had any luck with the app CiphrText and finding a key contained within the user's device to decrypt the messages stored within? I located the folder within the extraction containing what appear to be stored messages, but they're all encrypted.
Avatar
Has anyone got issues with Cellebrite Reader, tagging and comment issues. I've raised a ticket but was just wondering. version 7.26.0.206 (edited)
Avatar
Toon_De_Kock 12/17/2019 3:45 AM
gentlepeople, On an android 9 device, is there any log of the bluetooth requests? If so where could we find that?
3:45 AM
(no BT devices connected, but requests received)
Avatar
CloudCuckooLand 12/17/2019 6:19 AM
I have a 128MB dump from a Samsung E3309i feature phone - chipset Spreadtrum SC7701 - can anyone recommend a tool to decode a filesystem?
Avatar
@CloudCuckooLand XRY has support for decoding SC7701, just tested with the 3309 we had here and seems to have decoded everything.
Avatar
@Erumaro Has anyone brought up any issues with the KaiOS decoding yet? I have 2 extractions and both crash XRY 8.2 once it gets to the step of loading the KAIOSDECODER
Avatar
@AA Not anything of that sort as of yet, I know there are some improvements coming with 8.2 micro release later this week but not for any crashes. When you say Crash does XRY simply die down or are you getting a crash dump you could possibly send? If you're getting any sort of log feel free to DM it to me and I'll have a look! (edited)
Avatar
@Erumaro it loads the extraction and then when it gets to the KAIOSDECODER it will completely crash XRY (it disappears like it was never on). My log from the first extraction only shows the last step of EDLDUMPER completed successfully, nothing about any other decoding
Avatar
@AA That's a first, could you send me the event viewer logs from Windows Logs>Application please? Basically just replicate the issue and export the top 20 logs or so. What device was it that you dumped where it crashed?
Avatar
lxwarhammerxl 12/17/2019 7:30 AM
hey guys (and gals) I need some help but Google U is letting me down at the moment. I need to find out how android names the images found in the com.sec.android.gallery3d\cache
Avatar
@AA With that I can see if I can replicate it here in the office, guessing it's not possible to share the dump? I know it likely isn't but never hurts to ask! (edited)
Avatar
lxwarhammerxl 12/17/2019 7:31 AM
sorry for interrupting the conversation btw
Avatar
The imgcache0 type files?
Avatar
lxwarhammerxl 12/17/2019 7:33 AM
the cheekymonkey4n6 article that is very helpful is outdated now and I can't figure how to decipher the 19 digit file name that is assigned to the images found in this cache
7:34 AM
all of the files are being displayed with the file path of data\com.sec.android.gallery3d\cache\0\xxx(19digits)xx.0
7:34 AM
some of the file names start with a positive number and some with a negative
7:35 AM
examples are -116606976584194453.0 & \3386428593817569553.0
7:37 AM
because the old naming convention could be deciphered to show date and time, I would really like to figure out this riddle to also show date and time that the image(s) were viewed on this device.
Avatar
Yep, cheekymonkey will be a good basis
Avatar
Anyone know if there is a powering events log on BlackBerry 7 devices?
Avatar
@goalguy , it should be in PA 7.27
Avatar
Deleted User 12/18/2019 3:21 AM
Does anyone know an option to parse Signal data on an android 9 phone?
Avatar
@Deleted User What sort of phone is it and what is the lock status? XRY can get Signal data with XRY Photon, we also have some decoding support for Signal in Physical extractions. (edited)
Avatar
@Erumaro Does Photon support Signal in fast mode?
Avatar
If you are interested in decrypting the database from Signal (iOS) I've made a small HowTo
4:16 AM
Decrypt signal.sqlite IOS. Contribute to Magpol/HowTo-decrypt-Signal.sqlite-for-IOS development by creating an account on GitHub.
4:16 AM
Needs a decrypted keychain
👌 4
Avatar
@OllieD No Fast Mode for Signal currently, it is being looked into but for now only WhatsApp has Fast Mode support (edited)
Avatar
Ok, thanks Tobias
Avatar
Need time date stamp assistance with @Cellebrite Physical Analyzer
5:32 AM
I have a physical extraction which has images of concern. The images are all embedded images within Chrome cache. I can go to the parent file for the embedded file to get the creation date of the parent file. However this is cumbersome and clunky with hundreds of images. Is there an easy way to get these dates?
5:33 AM
@Magnet Forensics did not carve these images, which I found unusual as it would be normal work around for this. In the past Axiom would show the time/date stamp for the parent file of the embedded cache file. (edited)
5:34 AM
I am rerunning all the bin files from the MTK Live extraction through Axiom to see if that fixes the issue. I will update my findings. (edited)
Avatar
Have a Stylo 4 where I was able to get a APK File extraction along with advanced logical and file android backup. The facebook messenger was successful in the APK downgrade. When looking through the messages I found the one I was looking for however a chat directly before this was a picture which has an X for deleted. Any locations to get that picture back or is it long gone?
Avatar
When I go into the thread I can see the message but not the picture.
Avatar
Deleted User 12/18/2019 7:03 AM
@Erumaro It's an S9+ with a Swipecode. No secureboot, android 9
Avatar
@Deleted User Thanks, do you have the full model number? Not sure where the Signal decoding is on Samsungs but if you have the complete model number I can check the current status and get back to you
Avatar
Deleted User 12/18/2019 7:05 AM
yes: g-965Fxxu6csgd
Avatar
@sholmes Are the files embedded within their own single file or embedded in one big file with loads of others? Reason I ask is because in the last week or 2 I did a job where there were 4 "embedded.jpg" files advised to me by one of our departments that they said no date or time, no source and just could say "it's an embedded cache image which we can't get date or time for" or where exactly it originated other than via web browsing. When I got the dump from them and looked at the hex, the "embedded image" in PA was there as they described but when I looked in the file system I found the small file it was "embedded in". When looking one level up at that file in HEX, at the top it had the website URL it came from, then the "embedded" image and way at the bottom of the hex was the Date and Time the website was visited etc (edited)
💯 1
Avatar
@Deleted User Cheers, let me check and I will get back to you as soon as I am able!
Avatar
Deleted User 12/18/2019 7:08 AM
Thank you very much
Avatar
@Stevie_C These are all single embedded images within a single file. I actually used the same hex review you described to rule a few images of potential child exploitation out because I was able to find the website and the video it came from. The parent file which holds the embedded image also contains the date and time. If I hover over it PA shows me the time and date. I think it also shows it in the lower part of PA by the file path section, but don't have that open right now to confirm. (edited)
7:18 AM
I am now working with @Magnet Forensics peeps to see what is going on with their parsing. Once we figure something out I will post the results.
👌 2
Avatar
@sholmes Cool. No problem. It's as soon as I see a filename such as 7bace6733f110041_0_embedded_1.jpg and terminology saying "Cached image. No date or time or provenance available". When looking at this image in many tools there is no Created, Accessed or Modified date and time, just the image, size etc. But when you look at the source file it is actually carved from, in this case 7bace6733f110041_0 (no file extension) above the start of the image before FF D8 FF and also after the footer FF D9 there's some crucial information not parsed at times. All my files were in the file path /data/com.android.browser/app_ace/Cache/ in this case (edited)
Avatar
Yes sir that I what I confirmed last night as well. I would love for PA to grab those dates for these embedded images.
Avatar
@sholmes Yeah. Would be nice. In fairness, it's not only PA. It's just an example I had to hand. It's the same with other tools. Just remember, HEX is sexy 😀
🤣 2
Avatar
LOL Hex is sexy......my new signature line on my work emails.
Avatar
Hi @sholmes, you (and whoever from @Magnet Forensics that you're speaking to) might benefit from looking at this project: https://github.com/schorlet/simplecache
Support for reading Chromium simple cache. Contribute to schorlet/simplecache development by creating an account on GitHub.
8:39 AM
I've only started looking at this project recently, and have had mixed success (need to learn Go so I can properly understand why it occasionally goes wrong), but this does a good job at extracting info from those cached files
8:41 AM
Each of those cached files should contain the URL that it was cached from (and a separate index file helps track those), but the information that follows is just a dump of the HTTP stream info, so that too would need parsing
Avatar
Thanks @OllieD
Avatar
No problem!
8:46 AM
$ simplecache header $URL $CHROME_CACHE
Status: 200
Content-Type: image/png
Content-Length: 5409
Last-Modified: Thu, 19 May 2016 18:04:32 GMT
Date: Sun, 17 Jul 2016 18:30:09 GMT
Accept-Ranges: bytes
Server: Google Frontend
X-Cloud-Trace-Context: b75923ae8631de089fbc3f00e79cc992
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32,31,30,29,28,27,26,25"
You could easily loop over the header function to retrieve all those dates and times (edited)
👍 1
Avatar
Such a great read! Tons of great info! Thanks!
Avatar
Does anyone have a script that can pull Snapchat messages from main.db? (Android)
3:02 AM
They're in blob formats
Avatar
Decrypt signal.sqlite IOS. Contribute to Magpol/HowTo-decrypt-Signal.sqlite-for-IOS development by creating an account on GitHub.
4:23 AM
this has been able to be done for a while however now its a public thing..
👌 1
Avatar
torskepostei 12/19/2019 5:40 AM
Just used the watchlist functionality in UFED PA, and it seems to work great in PA, but when I generate a report to hand over to an investigator, the watchlist is nowhere to be found in UFED Reader. Do I have to do anything extra to make sure the watchlist info is included when generating a report?
Avatar
Forensic@tor 12/19/2019 5:48 AM
I believe there is an option to include at the bottom of the report screens.
Avatar
torskepostei 12/19/2019 5:55 AM
@Forensic@tor No options that mention it specifically, tried ticking all the boxes now and generating report again to see what happens.
Avatar
CLB - DavidK 12/19/2019 6:14 AM
Hi @torskepostei Currently generating Watch Lists to a report is unavailable. However, there is a workaround: tag the Watch Lists that you wish to report and include the Tags in the report.
Avatar
torskepostei 12/19/2019 6:23 AM
@CLB - DavidK Hm, not sure I understand how to do that, the searchlist does not seem taggable. Seems my brain has gone into christmas mode, could you give me some more detailed instructions? Unless you mean tagging individual hits from the searchlist. I can see how that would work, but as the creator of this particular searchlist has been liberal when defining search terms there are about 9000 hits, so I will try avoiding that option 🙂 (edited)
Avatar
@torskepostei I haven't checked the latest version of PA but that's how it used to be - you had to individually click on each keyword hit to view and tag. Couldn't tag them in bulk, couldn't export them out in the report for the investigator to review without tagging. It was really long winded if you had 100,000 hits. We don't do keyword searches now for the investigator in Cellebrite as it doesn't work for the workflow we have 😕
Avatar
torskepostei 12/19/2019 7:01 AM
@JMK Thanks for the info!
👍 1
Avatar
@Cellebrite Hi, anyone help? I have physical dump of Samsung GSM SM-A520F Galaxy A5 2017 - murder case!!! I would like to get cell towers. PA 7.27.0.87 didn't parse me cell towers. Do i need to run special script? or phone doesn't log connected cell towers? Thank you (edited)
Avatar
@denyzkoo, can't help you with cell towers right now, but if you're actually looking for locations you can run location carver in PA.
Avatar
@denyzkoo the best way is always go right to the source. Go to the tel co.
👆 6
Avatar
@denyzkoo have you searched through the databases for cell tower data? I’m not sure what the name of the db would be, but if you have cell tower data from another dump, maybe you can use some of the column names or db name to search the data in your current situation.
Avatar
@luis511_ the name of the database file is herrevad. There are bssid and cellid as well. I could find some Cellid inside this database but there are not a lot of entries. Samsung and huawei are a little bit different in storing data inside db file. So i need to parse it manually. @alona PA carver didn't parse me those cellIds (positions). Anyway thank you for help. (edited)
Avatar
I have a full file system extraction from an iPhone XR that I have confirmed was wiped on 12/12. However, I have Safari history that dates back to 11/29. The phone is setup for iCloud and I suspect it is some form of synced data. Does anyone know of any way to prove (or disprove) this?
Avatar
Yes you can sync Safari to iCloud, not sure if it is enabled by default and not really sure if you can check these settings in a plist or SQLite db, especially after a wipe...it won't let you check the settings at the time of the action (edited)
3:04 AM
So I agree on your assumption, but not really hard proof
Avatar
So, I'm seeing some mis-parsing of Waze data from an iOS full file system dump in @Oxygen Forensics 12.1.1.10 (filed tech support request #97103). When parsing the user.db PLACES table, it's not moving the decimal place far enough in the longitude value. For example, the value in the field might be "-97734818" and it's interpreting that to be "-9.7734818" instead of "-97.734818". Obviously, that's a significant difference in longitude. Waze version 4.57.0.0 running on iOS 12.4 16G77. Just wanted to put that out there in case anyone else is running into issues.
Avatar
Question on Wickr-Me. I tried searching the discord but didn't see an answer. Using Cellebrite 7.25 and got a full file system on a phone using Wickr-Me version 2.3. I decrypted a passcode from the suspect's computer and utilized it in Cellebrite when it asks for the Wickr password. The dialogue goes away, so I think it worked, but I can't find any parsed data for Wickr. Do you know where I would find it?
9:07 AM
android btw
Avatar
nvm looked at trace and it failed
Avatar
In relation to my last question, I've tried several dictionary attacks on wickr through cellebrite, but to no avail. Is there a brute force attack method available?
Avatar
Is there any way to import single databases for decoding into an already existing UFED PA project?
Avatar
Yes, File/Open (Advanced) Start without UFD file.
8:44 AM
You can choose a device, maybe Google Android generic and file system. then you can choose a tar or a folder with the databases.
Avatar
@Jack Frost both Oxygen and XRY can decrypt wickr without knowing the passcode. There are also several bruteforce scripts available. @bkerler posted his script here some year ago.
Avatar
trying to look into unified logs, but can't seem to have any success. Wonder if anyone who has worked with them on iOS is around to chat?
Avatar
@.karate. I don't have access to those tools. I will coordinate with @bkerler to see if he can help
Avatar
@Jack Frost ill pm you
Avatar
Mistercatapulte 12/28/2019 2:27 AM
Hi all, I hope everyone has a good family holiday! I have a Note 9, with the known pwd. So I did a physical but I do not recover the data from the Signal application. Is there a way to recover this data via another means of extraction? Thank you
Avatar
@Mistercatapulte using Photon with XRY you should be able to retrieve the live Signal chats from an unlocked Android phone.
Avatar
Mistercatapulte 12/30/2019 12:08 AM
@MSAB_Sofia hello Sofia, don't have XRY 😦
Avatar
Update on the Phone XR that was wiped on 12/12 but has web history from 11/30: we haven't been able to completely confirm that it was sync data yet, but thanks to some suggestions we did discover that all of the web history before the wipe was found in Safari/History.db and all the web history post wipe was found in the knowledgeC.db. Does anyone know of any plists that could help prove that it was sync data?
Avatar
Does anyone know if there is a log of when failed unlock attempts of a SIM card took place resulting in a temp PUK lock?
4:55 AM
Samsung sm-a920f/ds
Avatar
divemonkey. 1/1/2020 8:39 AM
On the phone or the sim?
Avatar
Phone, but haven't considered the sim could contain something as well after i obtain the puk....
Avatar
criley4640 1/2/2020 7:23 AM
For anyone doing an investigation involving the Waze app on iOS (unknown if similar on Android): I recently discovered two log files within the app directory that have been a very good source of data in my case: /private/var/mobile/Containers/Data/Application/APP_GUID/Documents/postmortem and /private/var/mobile/Containers/Data/Application/APP_GUID/Documents/archive_postmortem. They contain a significant amount of detailed data that isn't available just by examining the usual databases. After going through hundreds of thousands of log entries, I've found records of specific actions taken by the user (scrolling the on-screen map, menu selections, search terms as they were typed in, etc). For my particular case, this has been VERY significant. The user turned on Airplane mode for the device but still used Waze to navigate in offline mode. I can see when the app was launched, map scrolled, map zoomed, and then the app placed in the background or even forced closed. While this period doesn't have specific location data, it still gives some very significant evidence. I've also found detour information, discovered when the Waze app sensed that the user changed from driving to walking or stationary, etc. I haven't had a chance to look at a different device and its data to compare, yet, so I'm not sure what versions have these logs and why they are generated so I'd be interested in hearing more about others' experiences. This particular device was running iOS 12.4 and version 4.57.0.0 of Waze.
👍 7
Avatar
criley4640 1/2/2020 9:41 AM
As a follow-up to my previous, I've confirmed that another iOS device with Waze installed had the postmortem log file but no archive_postmortem file. Perhaps the archive_postmortem file gets written when the postmortem log gets to a certain file size or number of log entries? I'll try to find an Android device with Waze and see if it contains a similar file or not.
Avatar
By: Bruce Hunter, Senior Forensic Engineer With the release of macOS 10.12 Sierra, Apple introduced a new form of logging referred to as Unified Logs.  These logs would replace or at very least supplement most logging
10:36 PM
I will test this New capacity
Avatar
Andrew Rathbun 1/3/2020 2:40 AM
https://www.cfreds.nist.gov/mobile/index.html Some test images I just came across. Passing along and will be linked on AboutDFIR's https://aboutdfir.com/resources/tool-testing/ page
Below are links to sites that host forensic images of computers, phones, and various other storage media that can be used for tool validation purposes. As always, if you know of a link that’s missing here, please submit it using this link!
Avatar
Adam Cervellone 1/3/2020 10:38 AM
Hey All! It's been a while since I've been on. I was wondering if anyone here has ever done any work with TikTok. Is there a way to tell what user a video came from? I have a physical of an Android phone and I processed it in Axiom 3.7 and PA 7.26
Avatar
Short version The Android TikTok app keeps message related data in SQLite databases located in the following location: userdata/data/com...
Avatar
Hello, I have to retrace the course of an iPhone (I have a FFS) during one night to determine a secret place. The problem is that I have more than 5000 GPS coordinates all in the same sector, which confuses the operation. So my question is: what software would you use for this kind of work?
Avatar
Did a Huawei backup on a P30 Pro. Backup placed on my USB using an OTG cable. So I want to analyse the evidence, but when copying to my workstation (W10 Enterprise Pro, D: drive, NTFS formatted) it can't copy everything because of the long file names. I don't want to skip these??
Avatar
@florus This is the limit of the Windows file system ... When it happens to me I create a directory with a one-character name at the root of my C:\ to avoid as many failures as possible during the copy ... Otherwise, try to zip it directly
Avatar
MF-cbryant 1/5/2020 6:43 AM
@florus you could try this as well
6:43 AM
Ever since Windows 95, Microsoft has only allowed file paths up to 260 characters (which, to be fair, was much nicer than the 8 character limit previously). Now, with a registry tweak, you can exceed that amount in Windows 10.
👍 1
Avatar
@rico @MF-cbryant thanks for the tips. Placing the folder in the root is a good idea ✌😁
Avatar
@rico If you have access to Cellhawk, you can export the GPS info and import it into that.
Avatar
Looking for assistance parsing Brew files/folders in @Cellebrite PA. CB extraction gave me some pics and contacts. Nothing else. XRY extracted a file system, but didn't parse much of it. Extracted the files from XRY and I am now running them through PA. I can see the databases for text messages, but it is not parsing them. This is from a Kyocera E4520 DuraXV phone. Any suggestions?
Avatar
Disregard my last question. The SMS messages are in a folder named "msg." They are plain text with some other junk in the file, including phone numbers.
Avatar
torskepostei 1/7/2020 12:55 AM
I have this strange problem trying to decode an iPhone acquisition done in June 2019:
  • iPhone X was acquired in June using UFED PA, advanced logical
  • The acquired file is a tar file (iPhoneBackup.tar) and an accompanying .ufd file.
  • There are some clues pointing to a working acquisition at the time: a UFED reader report was generated and video/images have been exported from UFED PA.
Come January, and I'm trying to re-open the acquisition in UFED PA by opening the .ufd file, but PA is unable to make sense of it, and only decodes 6 images, 2 config files and about 60.000 uncategorized files. Inspecting the file system there is a folder named Backup, and it contains a lot of files with GUID-like names, and nothing more.
I tried loading the .tar file in Axiom as well, and it was also unable to make sense of it. I tried downgrading UFED PA to a version from the time of the acquisition; that made no difference. Any ideas as to what has happened? I'm leaning towards a corrupt file, but hoping that I just forgot some minor detail when trying to decode it... Anyone from @Cellebrite that has any ideas?
(edited)
Avatar
@torskepostei Does the PA Trace window (View > Trace Window) indicate any specific errors? It might be that the manifest file(s) is missing/corrupted in the tar?
Avatar
torskepostei 1/7/2020 4:15 AM
@Orb I have not checked on the previous decoding attempts, but on the current one there are 4 lines in the trace window:
  • Program start at 08:59
  • Thumbnail cache size set to 300 MB
  • 08:59 Loading default layout
  • 09:01 Loading file: (the tar file) using UFED dump (*.ufd) loader
Will monitor it during the day and see if anything else is logged.
Avatar
@Cellebrite: It would be nice to add support for the Samsung Dual Messenger function. PA does not parse the folders of the second messenger App, for example a second WhatsApp, even with a physical extraction. 🙂
Avatar
In ufed PA. Under installed apps there is a purchase date. Is that the exact date say messenger was installed on that device? I'm just confused as the installed date is blank and messenger is free.
Avatar
geekwithgun 1/7/2020 1:04 PM
anyone have a frp removal tool that will remove frp off a samsung j327w
1:04 PM
work device that was wiped by previous employee and no one knows the google email associated to it
Avatar
There's really no such tool for Samsung phones. There is a paid method via Octoplus and credits, or various tricks with invoking TalkBack/accessing YouTube, then the web browser and adding your own account.
1:09 PM
On some models you can write combination firmware, check if there's OEM Unlocking option and enable it. If there isn't one, then flash regular firmware as an update (with home_csc) and that'll skip the setup and allow you to enable oem unlocking
Avatar
geekwithgun 1/7/2020 1:24 PM
I tried the TalkBack thing but it looks like the phone's been updated and I can no longer do some of the things that the YouTube version of the phone did.
1:27 PM
all the combination file download links I found are not working :<
1:27 PM
anyone have a combination file for samsung j327w8
Avatar
look for a method with sim card that has PIN set
1:28 PM
Essentially, you insert pin locked SIM, then the moment you get it out you press on power button. If you time it correctly there should be a notification on the screen that you can inspect to enter notification settings, then find youtube there
Avatar
geekwithgun 1/7/2020 1:29 PM
tried but the SIM is above the battery and requires the battery to be removed :<
1:31 PM
thanks for the help though
Avatar
Ha, expected it to be like J330F and this instead is more like J320F with removable battery
1:37 PM
What firmware does it run at the moment? (edited)
Avatar
@m_bb., what Samsung version do you have? Because we did support this feature for WhatsApp.
Avatar
@torskepostei Very strange... It looks like PA never finished opening the extraction. When the file is done loading, there should be a line in the trace stating "Extraction was opened by UFED Physical Analyzer version ...". Is this a very large extraction? Maybe opened from a slow network storage?
Avatar
@alona, It was a logical extraction from a SM-G973F, merged with an apk downgrade of the first WhatsApp and an extracted key for the second WhatsApp from a test phone. I tried to decrypt the backups from the second with the "WhatsApp with provided key" plugin. I think PA doesn't find the backups from the second WhatsApp because there is no folder in /data for the second WhatsApp, only the sdcard/ folders. Finally I found a way around it with a little copy and paste. Maybe it is an issue of the plugin.
Avatar
Mattia Epifani 1/8/2020 3:57 AM
kobackupdec updated to handle v9 and v10 #huawei backups. https://t.co/fw9sSRWKnw #DFIR
👍 3
3:57 AM
Updated version now working with v9 and v10
👌 1
3:57 AM
Please test it and let us know 🙂
Avatar
torskepostei 1/8/2020 4:11 AM
@Orb The extraction actually finished during the afternoon, still no error messages in the trace window, only info messages. This includes the one you mentioned; it was logged at 14:12 o'clock, then the last one at 20:21, saying "<iPhoneInQuestion> Thumbnail cache loaded to memory". In between those there are about 25 other log messages as well, all seemingly about different plugins. It is indeed a fairly large extraction (120GB), and it is on a network disk as well, but still it is unusually slow going compared to other extractions. Is there any way to validate the .tar file to check for malformed manifest files or similar issues?
Avatar
@Mattia Epifani sweet. Ill check this friday.
Avatar
UFED does not seem to parse the Android ICQ app. Any ideas? @Cellebrite
Avatar
MSAB_Duncan 1/8/2020 11:21 AM
@Nemesis Not sure if helpful for you or not, but figured I'd chime in: XRY has decoding support for the Android & iOS ICQ app
Avatar
franksvensson 1/8/2020 11:39 AM
@Nemesis run the AppGenie plugin in PA. It will parse ICQ depending on version.
12:45 PM
@MSAB_Duncan Thanks, we got XRY too
Avatar
chrisforensic 1/8/2020 1:08 PM
@Nemesis Oxygen Detective supports some versions (up to 6.0 for Android, up to 7.9.1 for iOS) as far as I can see... (edited)
Avatar
Should UFED PA be able to open a PAS file created in Cellebrite Reader from the same dump? (edited)
5:15 AM
Or is there any other way of importing tags from Reader to PA? @Cellebrite (edited)
Avatar
@Oscar No, it won't. The Cellebrite Reader pas file will only work with that UFDR. You can't take that pas file, load the original data into PA from which the UFDR was created and then select that .pas file unfortunately
6:08 AM
This is something I raised with @Cellebrite a few years ago - the ability to create UFDR from a case, pass it out with Reader to an investigator, then select what they want or are interested in, create a file which could then be returned and applied to the full PA which would then select and bookmark everything they had checked in Reader and automatically check and bookmark the same items back in PA
Avatar
Like a PAS you can import back into PA
6:09 AM
Or something similar along those lines
Avatar
I did a @Magnet Forensics course recently and Axiom can do that - create a review package as standalone, send it out, get the review package back from the I/O and re-import it back into the main full program when they are finished
6:11 AM
If you try to open the .pas file from the UFDR to the original extraction from where the UFDR was generated from, you get the message "This session file was saved from another dump"
magnetforensics_alt 2
6:11 AM
That's normal
Avatar
Sometimes you get that in PA if you've upgraded the version (With a PAS file made in PA). Think that's mainly fixed now though
Avatar
If @Cellebrite Reader had the file menu feature to "Export tagged / bookmarked items to PA Import File" option and in PA to "Import tagged / bookmarked items From Reader", that would be awesome and save me loads of time 😀 What I do at the moment is when I create a UFDR for investigators, I make sure before they start using Cellebrite Reader is to go to settings and uncheck "Select all items as default". That way nothing is auto selected on start. Then when they see or want something, I have them check / tick it and also create a tag / bookmark accordingly. Then I say to them "Before you finish let me know". First thing I will do before they close down is ensure I have a .pas file saved as I don't trust them to do it. Then I will quickly create a further sub UFDR from the full UFDR. This will create a mini UFDR with just the items they have checked and bookmarked. That means if anything goes wrong, I've the mini UFDR I can load up in the future very quickly !!
👍 2
Avatar
@Stevie_C that's pretty much our standard working practice here too. Unselect all, get them to select what they want and tag up anything they want flagged as important. .PAS out and new UFEDR + Spreadsheet or PDF if appropriate
6:23 AM
Being able to view that data in the context of the full extraction within PA would be incredibly useful
Avatar
There's another major bonus to the above method we use... Say I did a job in early 2019 using UFED PA 7.24.x.x Then today someone gets onto me and says they reviewed the case today and I missed data / evidence or whatever and they saw it at the click of a button. Trouble is although they have used the same extractions I obtained, they used a newer version of PA to RE-DECODE the original extraction, which returned different results (for varying reasons - i.e. better decoding capability in newer version). Good news is that I created a full UFDR early 2019. I can open it in any version I want - it will be exactly the same as it was when I created it. It shows the data as it was decoded at the time of the original extraction. That will show that I didn't miss anything beforehand - it simply wasn't decoded in the earlier version. It's also quicker to load the UFDR 2 months later when someone rings up and says "remember that job you did for me 2 months ago .... could you quickly have a look at see if xxxx was in it ?"
Avatar
I've got to say that's where I prefer how MSAB handles XRY files in that regard - they are decoded at time of extraction so quicker opening, and if you want to re-decode them in a later version then there is an option for that too through XRY
👍 5
XRY 2
Avatar
Anyone have experience with the Omegle application on iPhone? I have a case I am working and I have 99% of the dots connected. But Cellebrite PA is showing me the cache images have a creation date that doesn't match anything I have anywhere else in the data set. Can elaborate more as need be if anyone is familiar and can potentially walk me through the discrepancy. I am using PA 7.27, and the Omegle app version is older, 1.3
Avatar
chrisforensic 1/9/2020 8:22 PM
@Mattia Epifani hello 😉 tested your latest kobackupdec with success! great work! no issues so far ;) imported folder with decoded backup into PA - checked results with original data on phone. Latest HiSuite 10.0.0.510_OVE on PC, latest Huawei Backup app 10.0.1.320 on phone, Huawei P30 Pro, Android 10 (10.0.0.173) 💯 (edited)
👍 2
Avatar
Mattia Epifani 1/10/2020 12:36 AM
Great! Thanks for the feedback!!
Avatar
Hi guys, I have a Jelly Pro phone to analyse. It has secure startup and I have the passcode. I tried a physical with UFED; it works well, but when I open it in PA it asks for the password. I give the password and then it says that the data partition is encrypted with an unsupported encryption. Any idea?
2:46 AM
Maybe activate oem and try again an extraction?
Avatar
Mistercatapulte 1/10/2020 2:48 AM
@Dam remove secure startup before
2:48 AM
in settings disable it
Avatar
Hi @Dam, if the phone supports hardware backed encryption, you won't be able to decrypt it offline. I agree with @Mistercatapulte of disabling Secure Startup
2:49 AM
What profile did you use to extract this?
Avatar
The one for jelly pro
2:49 AM
I think it’s decrypted mtk
Avatar
Definitely worth trying again with secure startup off then
Avatar
@Mistercatapulte in security settings I only have encrypt phone cannot find secure startup
2:52 AM
If you don't have it, it's an FBE device
Avatar
I'd be very surprised to see FBE on a low-end Android 7 device!
Avatar
Mistercatapulte 1/10/2020 2:53 AM
yes me too
Avatar
@Mistercatapulte thanks, I disabled it. I'll try again
Avatar
Mistercatapulte 1/10/2020 2:54 AM
nice 😉
Avatar
@Mistercatapulte @OllieD Thanks guys. It works well after I disable the secure startup.
😃 3
Avatar
thaconnecter 1/10/2020 8:48 AM
Hi guys, is there a way to find out if a samsung s10 running android 9 has been wiped?
Avatar
Mistercatapulte 1/10/2020 8:49 AM
@thaconnecter yes, in logs i suppose (edited)
8:50 AM
don't have s10 to test (only mine) but in logs you can see if android devices are wiped
8:50 AM
data_wipe =1 in the log would mean data_wipe=True
Avatar
thaconnecter 1/10/2020 9:12 AM
Thanks @Mistercatapulte
😉 1
👏 1
Avatar
Forensicator1005 1/11/2020 1:39 PM
Tried to create a report from a GK full data extraction in PA (latest version) last week and it generated for 6 hours before I shut it down and restarted. Started the report generation again and let it run overnight and 15 hours later it was STILL running. Called support, they had no idea, so I shut down and restarted. TWO DAYS later I gave up and pulled it into AXIOM, which analyzed the file, and I generated a portable case in about an hour and a half. Anyone else had this issue with PA and GK extractions? To be fair, it was a 43 GB extraction but PA analyzed it fairly quickly. It was the report generation that just killed me.
Avatar
I had one run for about 12 hours before I gave up. That’s using 7.24. I’m going to update and try again.
Avatar
@m_bb., Can you, please, send me the printscreen of the filesystem structure with all the directories with WhatsApp?
Avatar
@Forensicator1005 Creating the report locally or over the network to a server? (I try to create all reports locally and then copy them to the server) (edited)
Avatar
CLB - DavidK 1/12/2020 1:09 AM
Hi @Forensicator1005, the issue you reported is most likely fixed by PA 7.28, to be released in the coming days. I'll send you a link to the pre-release version. If anybody else encounters this issue, please contact me at david.krasilshik@cellebrite.com.
👍 5
Avatar
Forensicator1005 1/12/2020 8:10 AM
@florus locally
Avatar
chrisforensic 1/12/2020 8:25 PM
hello @Cellebrite .... does anyone have documentation for the "App Genie" plug-in in PA? what exactly does it do? what is this plugin looking for? when is it expedient to run this plugin and on what things? i asked some colleagues, but no one knew this plugin ... (edited)
🧐 1
Avatar
Hi @chrisforensic! The App Genie is a pretty cool (in my opinion 🙂) tool that is currently in beta. Basically, it can perform decoding on any application in a generic way, so you can run it even on apps that are not supported by PA. It is a bit limited, in the sense that it currently only knows to decode chats, contacts, user accounts, locations and tokens, and in the sense that it is heuristic, so it's not guaranteed to identify all available artifacts. Of course, results from the App Genie should be treated with more care compared to "regular" decoding results, since they are generated by a heuristic engine in real time, and were not verified by Cellebrite. But even having said that, it can still be very useful when dealing with applications that have no decoding support, and can be especially helpful to those of us with less technical expertise, who are missing the training to manually decode unknown apps. Even for the technically proficient, it can still be a great time saver. I believe that the first non-beta version of the App Genie should be available a few PA versions from now, and that will also include a proper interface, so you won't have to work hard to find it in the plugins window. Anyway, if anyone happens to use even the beta version to try and decode some stuff, I'll be happy to get feedback about how it went. Hope this answer helps 🙂
👌 3
Avatar
chrisforensic 1/13/2020 4:32 AM
Thanks @Orb for explanation! so if i understand it right - use it, but really verify the results if they are useful and correct ! 👍 (edited)
Avatar
@Forensicator1005 Hi, yeah, we are experiencing similar with PA, particularly with GK.... I had 56 GB a few days ago; it took ages to generate a UFDR..... it appears that PA doesn't like handling large data files
Avatar
CLB - DavidK 1/13/2020 7:51 AM
@Danny B I'm sending you the PA 7.28 beta version with the fix.
👀 1
Avatar
Mornin everyone. I have an Amazon Kindle Fire. How can I hide the profile on it so I can use the UFED Touch 2
Avatar
Anyone know of any good tried and tested Android Backup viewers (.ab files)? 🙂
Avatar
@3X3 Cellebrite can ingest that iirc and you can also convert that into .tar file. I would post a link but my net sucks now. Just look on XDA Developers and you will find instructions on how to convert it. I also think (Mr Rev) can convert it as well.
cellebrite 1
👌 1
Avatar
@3X3 Mobile Revelator can do AB files. https://github.com/bkerler/MR
Mobile Revelator. Contribute to bkerler/MR development by creating an account on GitHub.
👌 1
Avatar
MR 2.2.7 doesn't work with ANDROID BACKUP Version 5. I use Java with abe.jar and a batch script (from my script packet) for easy use. The Backup.ab is converted into a TAR file. Best handle it with 7-Zip. If Backup.ab has a password, you need the UnlimitedJCEPolicy for your JDK too. Best regards, Karlsson (edited)
👍 1
Avatar
Thanks @San4n6, @4N6Matt & @Karlsson 😎 (edited)
Avatar
@Cellebrite I've extracted an iPhone 8 using GK, imported into PA 7.27 via iPhoneFS - some older videos only have audio, screen comes up with a green line on black background. All videos are in .mov, not deleted. No image is displayed though, is this a setting tweak or email into support? Cheers!
Avatar
CLB - DavidK 1/15/2020 4:46 AM
Hi @JMK, PA 7.28 is out, it should make it work for you. If you are still having any issues with the 7.28 please contact me.
👍 1
Avatar
Does anyone have issues with PA where tags are not exporting when it's a GK FFS but they do from a Method 1 fine ? I've noticed it on several cases now and it's a pain.
Avatar
@JMK When I get videos playing like that, I use VLC by "Open with Default Program"
Avatar
@gt530 I tried that and it came up that it wasn't in a readable format. I'm currently updating so will try 7.28, thanks!
Avatar
Hi all, has anyone come across time stamps like these: 293483392 & 817347884?
Avatar
Come from a music player app called Black Player.
Avatar
Was the date set properly on the device? It looks like epoch time.
Avatar
I have a couple of questions regarding an iPhone XS Max (A2101) (iOS 13.1.3). My UFED acquisition is showing 3 IMEI numbers? One obviously matches the physical one but neither of the other two match the electronic IMEI. Any ideas as to where these have come from? (I have found information relating to these in the com.apple.comcenter.plist file under personal wallet.) Also, within the cellularusage.db file, I have three IMSIs. Regarding the Last_Update_time, does this relate to when that particular SIM was inserted into the handset or when it was last pinged by a tower?
Avatar
forensicsnewbie 1/16/2020 5:21 AM
Is the cellebrite file system extraction that is now offered the same as what graykey is grabbing?
Avatar
@Klimosko it was set correctly
Avatar
@forensicsnewbie It should be basically the same; the only difference I've seen is in the decoding of the keychain plist
Avatar
@Firmsky Those time stamps look so sporadic. Maybe reach out to the dev to see if they can tell you what they are. https://github.com/KodarKooperativet
👍🏻 1
Avatar
those look a little like excel date serials, if not epoch time (edited)
6:16 AM
@Firmsky can you show rest of the column names?
6:19 AM
actually, @Firmsky what version is installed?
👍🏻 1
6:19 AM
of black player
6:21 AM
java android applications are readily decompilable, even if not all the symbols are preserved
Avatar
MrMacca (Allan Mc) 1/16/2020 6:21 AM
@Firmsky Could they be the time stamp within the played video that it was stopped at, to allow for resuming of the video?
👍🏻 1
6:23 AM
*audio
Avatar
"2.57 beta" is here https://blackplayer-music-player.en.uptodown.com/android/download; imagine you have the actual apk on the phone. I'm looking at the output from jadx rn (edited)
Avatar
It’s version 2.56
Avatar
are you able to upload the apk, if you have it?
Avatar
I’ve managed to install that version
6:27 AM
@MrMacca (Allan Mc) I’ll give that a test, thanks for the suggestion
Avatar
thanks
Avatar
thanks where's that from, a sqlite db on the phone?
Avatar
Samsung S8 running Android 9. From the mostplayed.db
Avatar
what was the path to the file?
Avatar
data/Root/data/com.kodarkooperativet.blackplayerfree/databases/MostPlayed
Avatar
okay, thanks
Avatar
@forensicsnewbie The format of the archive file it grabs is quite different (as in not a ZIP). It grabs a .dar file which is a Disk Archive file. In my 11 years in DFIR/cyber, I've never run across it before and there's apparently very little in the way of quick and easy GUI tools to deal with them. DAR files apparently do well with sparse files which is what I'm thinking was the reason for using that format by @Cellebrite . That or just to make our lives more difficult by not making it easy to use the extraction with other tools 😉 . There's a command line utility for dealing with DAR and, if you install that, you can then install DARGui. It's a far cry from 7Zip or similar, though.
Avatar
@Firmsky it is just unix time, read the decompiled function that sets that value
👍🏻 1
Avatar
@lilac thanks so much 👍🏻
Avatar
welcome 🙂
7:31 AM
the type returned by System.getCurrentTimeMillis() is long, and BlackPlayer 2.56 represents lastPlayed as an int (and INTEGER in sqlite) BlackPlayer just type casts the long to an int, which loses precision of course
7:32 AM
that likely accounts for the weird timestamps you're seeing, though they're only 9 digits which is well below the limit of a signed 32bit integer (-2147483648 to 2147483648)
👍🏻 1
7:32 AM
cleaning up the decompiled code a bit to see what it's actually doing with those, to try work out why
👌 1
🔬 2
Avatar
JLindmar (83AR) 1/16/2020 5:20 PM
@Firmsky Did you confirm that your SQLite viewer is interpreting the values correctly? You can either check the hex and/or use another viewer that lets you see/modify the "design" of the fields. I occasionally need to do this so timestamp values are displayed correctly. I use SQLite Expert Pro for this. (edited)
Avatar
Are there any ways of decrypting a wickr database from an iPhone if the 'activeAccount' token is missing from the Keychain.plist?
Avatar
Been trying to process a Wickr database using @Magnet Forensics Axiom, but the results are barely half of the messages I can read from the manually decrypted database. Does anyone know of another method to get some readable results?
Avatar
This tells you where to get the decryption key, and you can then write a script in Python to decrypt it manually. https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey
Avatar
Yeah, sorry if I was a bit unclear. I have followed the steps and it kinda worked. It parsed some of the messages that were readable when just looking at the decrypted database directly. So I'm wondering if anyone else has had this issue before, or if there are any alternate parsers for the database
Avatar
forensicmike @Magnet 1/17/2020 5:35 AM
First I've heard of that 🙂 DM'ing and we can have a look.
Avatar
@Cellebrite minor question but every time PA is updated the checkbox in General Settings->Decoding "Recover data from archive files" is removed and I have to go back in and recheck it. Is that normal behavior?
Avatar
@San4n6 do you know any similar source in order to decrypt the Android Signal database? I have asked Axiom support with no success, although they claim that Axiom can do it. I have a smartphone physical dump (hardware platform with API >23) where I can see all the org.thought.securesms folder content. I got to the 10085_URSKEY_signal_secret that contains the binary data of the cryptographic key used to encrypt the database key, but I don't know how it is encrypted... any ideas?
Avatar
Anyone successful with decrypting Wickr on the new UFED PA 7.28? Tried it yesterday on an extraction obtained from UFED-P, but it didn't decode. Got an email in to Cellebrite support but wanted to see if anyone was able to in the meantime
Avatar
@AA Yeah, I've had that. Some settings are not persistent after update - they revert to default. I have a lot of settings I modify that are not the default installation. I have a .cnf file that I save which has all my settings. Rather than having to check all my settings after updates to see if anything has defaulted, I just re-import my custom settings cnf file I generated pre-update and that saves me a lot of time and grief 😀
Avatar
@Stevie_C hmm good to know i guess. I wonder what else I haven't noticed reverting haha
Avatar
I'd have several .cnf files for different circumstances. For example, "Check all entities by default" is checked by default. I have a .cnf for "All Checked" for an initial job where I want everything into a report, with the report section having caveats and disclaimers such as "Not An Evidential Report". If I have someone coming in to me, before I load the case I would quickly nip into settings, load my "None Checked.cnf" and then load the case up. That one has caveats which may include "For Evidential Purposes" and the like. That saves me unchecking everything dataset by dataset and changing caveats etc. Just tick what they want, hit the button and give them the report with appropriate caveats etc. already embedded in. Then switch back and forth as necessary.
Avatar
Mistercatapulte 1/17/2020 11:07 AM
Hi all, I will need your lights on Android. I can see in localappstate the dates of installation of the apps, the updates etc. On the other hand, is there a database or a file which stores the dates of uninstallations like the logs found in MobileInstallation on IOS? Thank you (edited)
Avatar
What is the best tool to scan a phone for malware and viruses
Avatar
Mistercatapulte 1/17/2020 11:02 PM
@maitha Physical Analyzer
Avatar
Anyone else have problems updating the definitions? I’ve used the separate bit defender updater on a laptop connected with Wifi to the Internet. No proxy, firewall, filter etc and it always immediately says that I am not connected to the internet
Avatar
@abefroman I've had that before. Copied the BitDefenderUpdater folder from my forensic PC (not on internet) to an internet-enabled PC and downloaded them that way. Sometimes I've gone to download the updated definitions.msd file but it errors out for different reasons. The way I've got up and running in the past is to go back to C:\Program Files\Cellebrite Mobile Synchronization\UFED Physical Analyzer and get a fresh copy of the BitDefenderUpdater folder from the latest installed version of PA and copy it to my internet PC. Worth a try (edited)
3:54 AM
If you're updating from the web via the PA interface and having problems, copy the entire BitDefenderUpdater folder from the PA installation folder detailed above and obtain the standalone definitions64.msd file, and simply select "Import from file" instead and import the definitions64.msd file. That's how we update all our forensic PCs that are not connected to the internet 😀
Avatar
I posted something in the password/encryption channel, then saw a post in the computer forensic channel. Just thought I'd ask here. Are people seeing apps using the Tox protocol? Just came across an iOS device with an app named Antidote. The database is encrypted, but the images/videos in the app aren't, thankfully. Would like to see what's in the DB, and wondering if any forensic tools have ever had success in decrypting this data? Can't say I remember seeing this type of protocol mentioned much.
Avatar
@Cellebrite I'm having issues with exporting chats when choosing PDF or HTML. I want to print them nicely. I tagged all chats I want to export. Problem 1) There is no option to select an individual tag to export. Am I missing that option somewhere? Problem 2) I get the chat bubbles but it always includes the source information below.
5:38 AM
These are my settings and the output
I only get to choose 'Tags table' and 'Tags only'
Avatar
Way around it that we've done, is navigate to the chat, deselect everything, filter the tagged messages then PDF export from there. Should just have the chat messages nicely arranged without the source extraction under each one @Nemesis. I agree though, there should be an easier option through "Report, Generate report". The export tagged only is a bit misleading in that it literally just exports the table of tagged items with descriptions instead of the tagged content
6:11 AM
Worth noting that's using conversation view though, for individual threads with individual tagged messages, so if you tagged just chat threads that's not going to work (edited)
Avatar
Thanks @K23. Still includes the source info though...
6:17 AM
Avatar
Weird. Haven't noticed that before, let me try on my end - what version are you using?
6:19 AM
You're right that's there, apologies!
6:20 AM
Although interestingly it isn't when exporting from Reader 7.24 but it is from PA 7.27, so something's changed there
Avatar
Tried with 7.25 and 7.28
6:22 AM
Seems to be a bug then! @Cellebrite
6:22 AM
Printing the report with all source information is just wasting trees 🙂
Avatar
Agreed. Trying with the latest Reader version to see if it's a Reader / PA issue instead of just a version one
6:24 AM
Well latest in house validated reader that is - ISO 17025 😄
6:28 AM
It doesn't do it in reader 7.27 so it looks like it's a PA thing.
6:28 AM
If you export your case out as a UFDR, then open it in Reader and export again you will get there... that's a lot of extra steps though for what should be a simple task
Avatar
Hmm strange, I'm using the Reader...
6:30 AM
I'm trying to open the original export with 7.24 now
Avatar
Yeah. Just had a colleague export a report from Reader which included source info. Maybe if you tick the box to include source info when you make the Reader file in the first place, it locks it on. It's possible I didn't tick that box when I made the UFDR in my case where it's making reports without the source info being present
Avatar
That makes sense. Will try to open it in PA and re-export the UFDR.
7:21 AM
Thx!
Avatar
Good evening. A short question: I have an iPhone with 2 different Face IDs and I made a full file system extraction with GrayKey. Can I see in PA which Face ID unlocked the phone on which date and time, and where is that in PA? Thank you for answering.
Avatar
Evening all, I'm having trouble with a Nokia 210 (TA-1139). Managed to get a physical with UFED 4PC but when decoding, the decode shows 10 contacts each with 40-50 duplicates (all possibly in Chinese). There are no visible contacts on the handset. Also the call logs are not decoding properly, not showing numbers etc. I have tried to decode the binary file in XRY but no joy. Any ideas? Thanks in advance
Avatar
@Artea What profile did you attempt within XRY? Did you try others?
Avatar
@Nemesis with regard to your other thing where you can't select an individual tag to report on: what I've done is load in the officer's .pas file, double click tags, untag the ones I don't want and generate the report as "tags only". Once that's done you can close it but DON'T SAVE the changes, so your .pas file is still the original with all your different tags. It's not ideal, it would be much handier to be able to select individual tags @Cellebrite 😉
Avatar
@Firmsky I tried a couple of the MTK Nokia profiles and an MTK generic profile with no joy regarding a usable decode.
Avatar
@Artea We have the device here but have been unable to dump it as of yet, can't see why the decoding would be a problem. If you could email (support@msab.com)/DM the log from an import with the Mediatek Generic 2 and/or the Nokia 3310 (TA-1030) we can have a look and see if we have anything else to suggest!
Avatar
At the moment I'm making a list of open source and/or free iOS analysis and parsing tools. I was wondering which tools you use, prefer or have experience with for analyzing iOS devices and/or iTunes backups. Feel free to reply in this Reddit thread, but leaving a comment here or a DM would be fine too ;). Thanks in advance: https://www.reddit.com/r/Smartphoneforensics/comments/erqvjk/open_source_free_ios_analysis_tools/ (edited)
Avatar
Deleted User 1/21/2020 2:26 AM
@Cellebrite: I have a Samsung Galaxy J415FN. UFED PA 7.28.1.4 has a physical method for that device but it is marked with "Untested method". Is this safe to try out?
Avatar
@Deleted User in PA or in 4PC? I know that the physical available in 4PC works, but last time I checked only up to Android 8/8.1.
Avatar
@Deleted User if it's unsupported it means Cellebrite didn't research the specific type but somebody else had success with it? (Correct me if I'm wrong)
Avatar
CLB-Kaminker 1/21/2020 5:09 AM
@Deleted User It is safe to try it out. As there are so many different device variants in the Android world, sometimes we don't get to test each one of them explicitly, and we gradually add additional tested profiles. We do try to implement our methods in an adaptive and generic manner so they can cover a family of similar devices, and if it is shown as an option to the user it still has a very high chance of success with minimal risk, and it is recommended to try it out. If it was an option that is dangerous in nature we would have prompted a more explicit alert. (edited)
5:11 AM
@Arcain - We are also working on enhancing the support for Android 9 for this bootloader method in an upcoming version soon.
Avatar
Deleted User 1/21/2020 11:07 PM
@AMB I tried decoding Wickr but PA asked me for a password that I don't have, in the middle of the analysis, which lasts 15 minutes. Hard to try different passwords.
Avatar
I've got an FFS from Cellebrite Advanced Services of an Apple A1701. The device only has Wi-Fi functionality. Now, I see that there are some ICCIDs and some MSISDNs. The source is cellularUsage.db. Does anyone know how this is possible when there is no chance to put in a SIM card? I haven't found any hints of an eSIM..
Avatar
MrMacca (Allan Mc) 1/22/2020 1:26 AM
@Svenergy, what if the iPad was set up from a backup of another device and this retained that info? Not sure if this is possible
Avatar
@MrMacca (Allan Mc), that sounds possible to me and may be the reason. Thx for the quick answer.👍
Avatar
@Deleted User Wickr has a "Keep me logged in" option. If that was enabled on the extracted device, PA will automatically decrypt the key from the stored data, but if it wasn't it will ask you for a password. Note that when you're prompted for the password there's an option to load a dictionary file, which PA will then try out one by one in the hope of a successful decryption; that should make it easier to try different passwords.
Avatar
Deleted User 1/22/2020 7:22 AM
@Orb I don't have this possibility, and I don't know how to tell if the password is good or wrong. Thanks for the answer. (edited)
Avatar
@Deleted User If it's an iOS device and you have access to Axiom @Magnet Forensics check this out https://www.youtube.com/watch?v=gOW21xGDNyM
Avatar
Deleted User 1/22/2020 7:37 AM
@Stevie_C Thanks ! We have Axiom . I'll try that .
Avatar
@Cellebrite In the release notes of PA 7.28 it says: "Decryption and decoding support for the latest versions of the encrypted Wickr app running on devices with the latest Android versions." Any chance someone can elaborate on this? Is it with/without password, and where does the communication show up if successful? I entered the correct password in the Wickr dialogue box, but nothing really seems to be happening. Physical extraction of Samsung S9 (G960F).
Avatar
@BETBAMS I guess the answer was given yesterday at 16:05. (edited)
Avatar
Partially, I suppose, but I still don't know where I am supposed to look for the decoded results.
Avatar
@BETBAMS XRY has support for Wickr on Android physicals as well. I don't think they need the password to decrypt it, correct me if I'm wrong @MSAB
Avatar
@Oscar Thanks. I tried with XRY, but it seems to be having trouble digesting the .bin file.
Avatar
What sort of device was it and what profile did you use to import it? If you could DM me the log I'd be glad to take a look!
2:16 AM
@Oscar Not sure what UFED relies on to decrypt it but certainly worth a shot with XRY to try all possible options 🙂
Avatar
@MSAB Hi, I extracted a Samsung S10+ with no error but every time the file status is "error" and I cannot open the XRY file
2:39 AM
Tried twice with version 8.2
Avatar
MSAB_Duncan 1/23/2020 2:43 AM
@Dam hiya, if you're able to re-run the extraction, save the extraction log at the end and send it over to Support at MSAB.com - we can verify the extraction is going OK at least. Are you saving extractions locally or writing them to an external/network drive?
Avatar
Locally. I’ll try again and will save the log
Avatar
@MSAB_Duncan no error in the log
Avatar
MSAB_Duncan 1/23/2020 3:04 AM
@Dam go ahead and send it over to us anyway to have a look at
3:09 AM
@MSAB_Duncan Ok, I just sent the mail... I'll let you know if they can solve the problem.
Avatar
MSAB_Duncan 1/23/2020 3:14 AM
@Dam thanks, we got it! Found something that may indicate a problem, will email you back shortly
Avatar
@Orb re: your post yesterday about the Wickr decoding... so does this mean UFED PA CANNOT decode Wickr if that "keep me logged in" option was NOT enabled on the extracted device?
Avatar
forensicmike @Magnet 1/23/2020 8:55 AM
Not sure about PA specifically, but in general there are two ways to decrypt Wickr data: with a password, or with a cached key. If the 'keep me logged in' function is disabled, the cached key is gone. However, password-based decryption remains viable, of course. This is true for both iOS and Android.
Avatar
@forensicmike @Magnet Couldn't have said it better myself. This is also what happens in PA - if "keep me logged in" was not enabled, you will be prompted for a password
Avatar
Was there any change between PA 7.27 and 7.28 in decoding data from MTK-based feature phones?
10:46 AM
7.27 extracts contacts and SMS, 7.28 does not, even on the same dump file
Avatar
While trying to parse a Nokia 222 MTK dump I get this error:
20:34:30 Parsing MTK emails
20:34:31 Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "mtk_details", line 42, in mtk_details
ImportError: Cannot import name Services
20:34:31 Failed to execute: MTK Content
20:34:31 Cannot import name Services
20:34:31 Plugin MTK Content finished, runtime: 00:00:04.34
Avatar
@Orb if I am prompted for a password, and do not have the password, will you guys be able to decrypt it? The reason I ask is because I am about to ship an extraction to you for an open ticket, but if you will not be able to decrypt it because a password was still required on my end when decoding, then I'd rather not waste any more time with it.
Avatar
@Orb So does this mean that, given the right password when PA prompts for it, the Wickr database will be decrypted? If I remember correctly, this was not the case some versions ago?
Avatar
And on another topic, I just managed to get an FFS from an iPhone 7 (A1778) which had iOS 12.2 installed, although checkm8 is only supposed to work from 12.3 onwards. I have double checked and the iOS version is 12.2, but there was an update waiting to be installed. Has anyone else successfully managed to get checkm8 to work on pre-12.3 versions of iOS?
Avatar
I've done a logical extraction of an Apple iPhone 11 A2221 with UFED Physical Analyzer 7.27.0.87. When I open the extraction and look at videos there is no metadata on the file. Shouldn't you get camera model, record date and so on?
4:55 AM
When I check pictures I only get Pixel Resolution, Resolution and Orientation. (edited)
Avatar
@Tilt extract the images and check them in other tools.
Avatar
@Tilt Some videos (as well as pictures) have no metadata: for example, if the file was sent using WhatsApp. Indeed, the media is altered and the metadata is stripped for size purposes.
Avatar
I will do that @.karate. I know metadata can be lost when the media is taken/sent/received by a 3rd party app. @lp4n6
Avatar
opp_dthawke 1/24/2020 8:22 AM
@Tilt even if the filename suggests it was taken with the iPhone camera, it may still have been shared to the phone and therefore had its metadata stripped. PA isn't the best tool for looking at metadata, especially video files. Use ExifTool or similar. IrfanView is another good one.
Avatar
@pexi86 Wickr support for Android was updated in PA 7.28, and updated support for iOS is due in PA 7.29, so newer versions of the app on older versions of PA might not decrypt even with the right password, but starting from 7.29 there should be full support again on all platforms.
6:52 AM
@AMB Having said that, if this is an iOS extraction, Cellebrite support staff might be able to use a test version of 7.29 to try and decode the data, which will be possible even without a password if the 'keep me logged in' option was enabled.
Avatar
heatherDFIR 1/27/2020 6:51 AM
Forgive me if this has been posted. PA 7.28 supports KaiOS. (I am behind in work and slacking on the channels - see what I did there?) 🙂
Avatar
@heatherDFIR First time I’ve read that. That’s good news!
Avatar
opp_dthawke 1/27/2020 4:40 PM
I have read other forum posts about splitting a chip-off extraction of a BB Bold 9900 into a NAND bin and an MMC bin for insertion into UFED PA. I did a chip-off of a Curve 9360 and UFED PA wants a NAND bin and an MMC bin as well. The Curve's memory chip is only 512MB, which is a lot smaller than a Bold's, so the bin sizes don't jibe. Anyone know where I need to split this extraction for the 9360 device profile? Thanks.
Avatar
Deleted User 1/27/2020 11:11 PM
Try selecting the same file twice.
Avatar
Is there someone who can explain the "Aggregated Locations" tab from Device Locations in PA?
Avatar
Andrew Rathbun 1/27/2020 11:39 PM
@bomben https://blog.elcomsoft.com/2018/06/the-ios-file-system-tar-and-aggregated-locations-analysis not Cellebrite but maybe they did the same thing. Theirs is system logs and metadata from media files
Finally, TAR support is there! Using Elcomsoft iOS Forensic Toolkit to pull TAR images out of jailbroken iOS devices? You’ll no longer be left on your own with the resulting TAR file! Elcomsoft Phone Viewer 3.70 can now open the TAR images obtained with Elcomsoft iOS Forens...
Avatar
Thanks. I have read that, and they aggregate locations from multiple sources. I have from 0 up to 96 Aggregated Locations in my PA. Can I say that the location with the highest value is the most credible, or do I misunderstand it? (edited)
Avatar
Deleted User 1/28/2020 12:36 AM
Does anybody know where the setting is stored that defines 12 or 24 hour time format?
12:36 AM
in iOS 5
Avatar
Anybody have experience with repairing corrupted SQLite databases? Are there best practices?
Avatar
I would make a copy of the DB, then run this command from the command line (I am assuming you have sqlite installed): sqlite3 corrupted.db ".dump" | sqlite3 new.db This will try to dump it into a new file. Or try this... https://wordpress.semnaitik.com/repair-sqlite-database/
Avatar
Tried that, but the header is broken so I get an error message. We're trying to rebuild the header now by taking bytes from a working SQLite database (edited)
9:55 AM
Otherwise I guess scraping for pages would be the only option..
9:56 AM
I will try the recovery tool as well, thanks!
Avatar
@Goovscoov I found this to be really helpful when I was in a similar situation as yours .....
1:23 AM
Script to recover deleted entries in an SQLite database - mdegrazia/SQLite-Deleted-Records-Parser
Avatar
@Firmsky Thanks for this input Adam, will check it out! Not sure if this will work, since it focuses on deleted records rather than corrupted databases, but I will give it a try (edited)
Avatar
@Goovscoov I had something similar to your issue, ran the script and it parsed what content it could. Better than manually page scraping yourself (edited)
Avatar
Hello, I get the error with the physical ADB on the SM-G532F (6.0.1) and it's the same with all other options. Does anyone have experience with this model?
3:02 AM
Avatar
I had something similar to your issue, ran the script and it parsed what content it could. Better than manually page scraping yourself
@Firmsky will try it for sure, but looking at the code it checks for an SQLite header. The header is broken in this case. Will let you know 🙂
Avatar
@Goovscoov I would do some creative HxD editing to get the header added and then run the script and see what happens, got to be worth a shot 👍 Looking at the code, once it finds the header it then checks for page sizes and then just scrapes, so it should be good from there. (edited)
Avatar
Yes, that is what we had in mind indeed 🙂 Will keep you posted (edited)
Avatar
I had one where the header was intact but it just would not open, even when I tried to repair it, so I used the above script and got some valuable evidence, so keeping my fingers crossed for you @Goovscoov
3:11 AM
Also, whilst I am here, I will put out a recommendation which I am sure most of you are aware of, but just in case.... https://www.amazon.co.uk/SQLite-Forensics-Paul-Sanderson/dp/1980293074 This book has helped me more times than I can mention! (edited)
Avatar
CloudCuckooLand 1/29/2020 3:28 AM
@Goovscoov You may want to consider Epilog from CCL Forensics (full disclosure - I work there). It's a great tool for recovering deleted SQL records and rebuilding them into a live DB. It can also recover live records from your corrupted database. Enquire here: https://cclgroupltd.com/contact/ (edited)
Avatar
@CloudCuckooLand @Firmsky Thanks both for your input! Much appreciated! (edited)
Avatar
Deleted User 1/29/2020 4:41 AM
@anspoki Have you tried this profile on 4PC?
4:42 AM
Decrypted Boot Loader
Avatar
Anyone here know how to decode/decrypt Private Photo Vault (enchantedcloud)? @forensicmike @Magnet has a writeup on it on his blog, but the "ppv_dateHash" doesn't exist in my keychain. Anyone have any insight on the app?
Avatar
@Deleted User No, but I'm trying right now.
Avatar
@Deleted User I tried but it failed. The battery of the phone is not fully charged, I will charge it fully and try again. Thanks for the advice.
Avatar
Deleted User 1/29/2020 5:36 AM
@anspoki no problem
Avatar
@Cygonaut I had something similar last year and I couldn't find one in mine either. In conjunction with help from @forensicmike @Magnet we quickly concluded, after looking at the size of the databases for Private Photo Vault (enchantedcloud), that as they were only a few KB in size and nothing large, it looked like the user had installed the application but not actually used it to store anything. 😀
Avatar
forensicmike @Magnet 1/29/2020 9:43 AM
Been working together with @Cygonaut on this and it looks like it's an issue with the keychain extraction in this case. However, I've just found a new way to bruteforce the PIN without using anything from the keychain at all. (Note: doesn't help with decryption, just viewing on device). Going to update my blog post and will share the python script on request for anyone in the same boat.
Avatar
chrisforensic 1/29/2020 10:30 AM
This version of UFED Physical Analyzer surfaces insights derived from a user’s daily and weekly activities and how they interact with their iOS device. With the introduction of new decoding support for Apple’s Screen Time feature, get access to data that is collected and...
Avatar
Will Axiom be able to parse Cellebrite Full File System extractions as well as GrayKey images? Because I tried parsing the ufd file in Axiom and the knowledgeC.db artifacts aren't there.
Avatar
Anyone had experience with the LockMyPix app?
Avatar
I have a phone with this installed; some files (probably pictures) can be found inside but look encrypted. I was able to recover deleted files from the .prev and .prev_hd directories and those are not encrypted, but I'm still missing a lot of data.
Avatar
For anyone doing any type of RE work with Android apps: this might be a good tool to use to download the APKs via command line. Have not tested it yet, I am currently away from the lab for another couple of weeks.
Avatar
@Arcain Yes! I've written a solution for cracking the PIN code and decrypting the media offline to assist a customer previously
6:50 AM
DM me and we can check if my solution is appropriate in your circumstances
6:53 AM
For anyone doing any type of RE work with Android apps: this might be a good tool to use to download the APKs via command line. Have not tested it yet, I am currently away from the lab for another couple of weeks.
@San4n6 Looks like you're missing the link there. Was it this by any chance? https://github.com/dweinstein/node-google-play-cli
command line tools using the node-google-play library - dweinstein/node-google-play-cli
6:53 AM
I've used that previously (looks like there are a couple of similar projects available as well)
Avatar
@OllieD I have a PIN code for this one, but inside the app I can only see 2 pictures and while browsing the filesystem I see many more (over 200) in .encrypt and .encrypt_prev (edited)
Avatar
The app can be configured with two PIN codes
7:06 AM
For plausible deniability etc
Avatar
This phone has the free version installed, it doesn't ask me for another PIN from what I can tell
Avatar
Ah right, yeah you need the pro version (or the pro upgrade within the free version) to get the second PIN code option
7:10 AM
Although if it was configured, the app wouldn't make it apparent. It will unlock different environments depending on which code you enter
7:12 AM
Do most of the 200 files end .6zu?
Avatar
Based on what I was told, pictures suddenly vanished and they provided only this one password
7:14 AM
Except for a couple of .vp3 files (those seem to be video clips), yes
Avatar
Ok, well if that's the case then hopefully my decryption solution should work. If not, you could run the bruteforcer script to find which PIN was used
7:14 AM
Ok cool, all of those .6zu files will be encrypted JPGs then
7:15 AM
I'll DM you
Avatar
What would the files stored in .prev and .prev_hd be? They have the same extension, but are not encrypted and look like JPGs. Those are marked as deleted and most of them can be recovered and opened
Avatar
Can't remember exactly, but I think the app copies the original media into .prev, changes the file extension and then dumps encrypted copies into .encrypt before clearing out .prev
7:18 AM
No idea why they make the intermediate step
Avatar
@Reedsterz was the knowledgec.db viable/parsed in UFED? Edit- visible! (edited)
Avatar
Anyone had issues with Griffeye DI importing extremely slowly? As in 1 file/sec. I exported the media from a couple of phones from PA into Griffeye format and just getting Griffeye to load them is taking forever and a day. It's only like 400 files.
12:44 PM
Does it have anything to do with my GID database being rather large? Is it comparing each file to the GID?
12:44 PM
also I lied, it's up to 5 files/sec 🙂
Avatar
Quicksilver 1/30/2020 10:58 PM
Hello all, I didn't find anything about this (maybe I didn't look well) but: under what circumstances does the KnowledgeC database start or get reset? I have an iPhone X FFS extraction and I have nothing older than approx. 30 days in the KnowledgeC DB. I don't have traces of a reset of the phone and I know it is at least more than 1 year old. Ideas?
Avatar
@Quicksilver The KnowledgeC holds around 4 weeks of data and then it's first in, first out
Avatar
Quicksilver 1/30/2020 11:33 PM
@Firmsky thank you very much, I was looking everywhere for this info!! You made my day 👌
Avatar
Morning all, my question for today :-) How would 2 iPhones have the same Wi-Fi MAC address? They both belong to the same suspect - the first was sold on after the offence and was recovered a couple of months later, the second was his replacement. Does the Wi-Fi MAC address transfer over when you restore from one iPhone to another? I've never seen it before, I thought Wi-Fi MAC addresses were a hardware thing. The suspect is not the sharpest knife so nothing technical etc. Thanks for any advice!
Avatar
Deleted User 1/31/2020 1:28 AM
@JMK I haven't seen that personally, but did find a post where someone stated it came over when they restored a backup onto a new device - https://discussions.apple.com/thread/5835820
Avatar
@Deleted User Thanks, could be a possibility as I assume he would have restored from a backup. 👍
Avatar
torskepostei 1/31/2020 5:29 AM
@.karate. In this message from late 2019 I see that you mention the sdp_log file: https://discordapp.com/channels/427876741990711298/545232743353810946/643806741020016670 I am looking at one such file now, but I can't wrap my head around how I identify valid and invalid lock screen code attempts. Can you give me any tips on what is logged when the screen is unlocked?
Avatar
Anyone know how to update the Bitdefender database in UFED PA?
7:00 AM
I did what it said but it just keeps asking me to update the database
Avatar
Just did it natively in the end, a few cable swaps
Avatar
Anyone into Huawei backup decoding (unencrypted), so I can input it into PA?
Avatar
Question about Facebook Messenger calls for a colleague. In the Facebook Messenger call log, is this time Hr:Min:Sec or Min:Sec:MicroSec?
8:11 AM
Seems odd the call would be 16 hours, so leaning towards 16 min (edited)
Avatar
Does anyone know what private\var\mobile\Library\CoreDuet\People\interactionC.db is on iOS? I found a phone number in here that is relevant to my case.
Avatar
@Ghosted even the missed calls have a duration 😳
9:28 AM
Parse the database manually
Avatar
Did not change it, that is what is in the DB
9:29 AM
that is our question
Avatar
forensicmike @Magnet 1/31/2020 9:29 AM
@Ghosted they are likely .NET TimeSpans, which are hh:mm:ss
Avatar
Can you explain that?
Avatar
forensicmike @Magnet 1/31/2020 9:29 AM
hour min sec 🙂
9:30 AM
but +1 to @Dam 's suggestion. you can validate for yourself too
Avatar
What can we learn about user activity and behavior on a compromised Mac? Learn about the hidden and obfuscated data stores Apple use on the macOS platform.
Avatar
Thank you @Dam
Avatar
Another shoutout about Huawei backups (made by the phone itself). I have 2 backups, one encrypted and one without encryption. The encrypted one I successfully decrypted with kobackupdec. But the unencrypted one I am unable to parse with any tool (XRY, PA, Oxygen, Axiom). So I looked at the backup. I see lots of data, for example com.whatsapp.tar. I input this tar individually into PA, but it isn't parsing any data. I tried unpacking the tar with 7zip, but it doesn't work. So I looked into this tar with EnCase and I see the entropy is "high". I think it isn't encrypted, but something happened with the backup making it not readable as it is now. After reading this article: https://www.sciencedirect.com/science/article/pii/S1742287618304511 I think it might be some kind of encryption based on the user code of the phone... Anyone have ideas? (edited)
Avatar
Addition: unencrypted Huawei Y7 2029, backup app V9.1.1.300; no application data, but I do see the sms.db, calllog.db and sms.db. Is there a reason these DBs aren't parsed by PA? If I look at them with a DB viewer I see content..
Avatar
chrisforensic 2/1/2020 6:04 AM
@florus you can try this app version (9.0.2.333) of kobackup.... it can back up app data unencrypted (into a .tar file)... you can easily extract the .tar files of saved app data... 😉 just try https://mega.nz/#!NzQRgY7L!3k3cosiTiAJorzT-Qn7-kdAvpCcJQcm38CwmTBmyuTg
6:07 AM
see here... should work with Huawei phones on Android 8 and 9 https://discordapp.com/channels/427876741990711298/427877097768222740/538079239346585630 (edited)
Avatar
Thanks Chris! Will look into that tomorrow! Have a good weekend.
Avatar
@chrisforensic I'll try your suggestion tomorrow, but have you ever encountered .tar files unable to unpack, with high entropy? (Case 1) Besides that I have a Huawei backup without application data but including sms.db, calllog.db and contacts.db. Any idea why PA and Axiom don't parse these DBs? (Case 2) (edited)
Avatar
chrisforensic 2/1/2020 10:43 AM
@florus 1) as far as I know it is not possible to make a Huawei backup without a password nowadays... even if you could do it without a password some time ago, it was not possible to extract them... with the version I mentioned, you can choose to make a backup without a password, and you can easily extract them.. 2) these databases have their own format, they are not supported in any tool I know... I prefer to do an adv. logical with 4PC first, then APK downgrade... and then, if I miss something important from the phone (check the phone manually), I import the Huawei backup, with just the apps etc. that are missing.... BR (edited)
Avatar
chrisforensic 2/1/2020 10:53 AM
Of course I prefer to make a physical extraction, if it is possible 😉
Avatar
How well does an Android factory reset erase? Seven or more passes?
Avatar
@Deleted User I tried but it failed. The battery of the phone is not fully charged, I will charge it fully and try again. Thanks for the advice.
@anspoki the SM-G532F uses the MT6737T chipset, which enforces encryption. UFED 4PC does not support it in the ADB profile. I recommend flashing TWRP and SU to get root access if you have permission. I usually do this with this phone. Thanks
Avatar
Hi guys, anyone have the path for FB Messenger on iOS 12.4? I have an FFS but PA doesn't decode it!
Avatar
PA might still be limited by app versions, even with an FFS
1:10 AM
probably worth checking if it pulled it in the first instance
Avatar
How well does an Android factory reset erase? Seven or more passes?
@vanquish Historically? Not well at all. Carving deleted data from an unencrypted factory-reset Android used to be trivial
Avatar
Anyone got any reference material or documentation on the .dthumb directory in Android? I recovered some indecent material from this path on an SD card and am struggling to find out how they are generated.
Avatar
@UA Thank you, yes I noticed, and I was able to get a physical image by gaining root rights with EFT.
Avatar
@forensicmike @Magnet I was wondering if I could get a copy of your script for photo vault?
Avatar
@rico, what version of FB Messenger do you have?
Avatar
chrisforensic 2/3/2020 9:09 PM
hello @Oxygen Forensics ... concerning the facial recognition plugin for Oxygen Forensic Detective... can you bring clarity on when this plugin can be activated for European users? We got a new CM dongle, but until now it can't be activated... greets from Austria 😉 (edited)
Avatar
@alona @Sudo thx for your interest but I no longer have access to the case. A suggestion also made in PM: the lite version of this application (I hadn't thought about it)
Avatar
forgot what I said 😄
4:34 AM
ah, decoding, yeah!
Avatar
I have two Galaxy S8s (SM-G950U), one secure start and one locked via password - BOTH phones are from the same owner. I was able to get into the non-secure start phone via UFED Premium, but the dictionary was exhausted when I attempted the secure start phone. Is there a file I can look at from the extracted phone to get any and all stored passwords used to unlock that phone, so that I can try those on the other, secure start, phone?
Avatar
lonely_cash 2/4/2020 9:25 AM
Hi, does anyone have experience with WhatsApp on iOS? I have an iCloud backup that contains WhatsApp. Cellebrite PA is parsing the data just fine. Many of the attachments are only URLs to what looks like WhatsApp online storage. Anyone know for sure whether these attachments are not stored on the device itself? Thanks.
Avatar
I've experienced that with multiple chat apps. You usually get a URL or a thumbnail, then have to reach out to the web to get the actual picture. I have had success matching the picture name (ending part of the URL) to a picture on the device. Sometimes it is a "temporary internet file" type of thing where the user clicked the link, so a local copy was stored somewhere and just hasn't been deleted yet
Avatar
Mistercatapulte 2/4/2020 11:57 AM
Good evening everyone, I made an FFS of an iPhone 5c with iOS 10.3.3. I get Signal calls in PA but I don't have the names associated with the calls. How to, please?
Avatar
lonely_cash 2/4/2020 12:28 PM
@wizrd08 Thanks. I figured it out - there is a table in the sqlite db that contains both the URL to the encrypted file but also to the local file system location. So far there are native local files for each corresponding URL.
Avatar
Nice. Having the db should make it a bit easier.
Avatar
@Cellebrite I am trying to decode LG Backup files from a device in PA and I think something is off somewhere. I tried the common plugin for LG Backups and loaded the lbf and lbf0 files in the LBF binary file section; all that it decodes is a few "deleted" SMS (all are blank) and MMS. Adding the 2 LBF files under the "folder" option gets PA to recognize that there are LBF backup files and asks if you want to decode; after selecting yes it decodes some images and 1 user account but nothing else. I know from a logical extraction that there are contacts, calls, SMS, and MMS. It seems a similar issue was brought up previously, but no word on whether it was resolved https://discordapp.com/channels/427876741990711298/545232743353810946/556944674837889054
Avatar
criley4640 2/4/2020 3:05 PM
@Cellebrite Question on Physical Analyzer 7.29's ScreenTime parsing: I'm getting hundreds of thousands of records on a single device under the Web History>ScreenTime Analyzed Data subsection. The vast majority of these are marked as deleted, have no last visited timestamp, no title, and the URL appears to contain either unsupported characters or unintelligible ones. Here's a screenshot from one device (GrayKey full filesystem extraction). Is this expected behavior? This is similar to how another device's data was displayed, also.
Avatar
@AA, it could be that PA supports an earlier version of LG backup.
8:56 PM
@criley4640, we will fix it in the next version.
Avatar
criley4640 2/4/2020 9:22 PM
@criley4640, we will fix it in the next version.
@alona by chance would you have an estimate on release date for the next version?
Avatar
@criley4640, usually we release new versions every 3 weeks
Avatar
Just been looking at a checkmate decode (7.28 4PC used for acquisition, 7.28 & 7.29 PA used to decode) and noticed that the phone date/time listed in PA is incorrect. Has anyone else come across this? Are @Cellebrite aware of this?
Avatar
CLB-dan.techcrime 2/5/2020 5:21 AM
@Artea what is the source of the phone date/time? Are you comparing it to the actual date/time shown on the phone after fully booting?
Avatar
data_ark.plist was where it was reporting it from. The date and time was taken before the acquisition and was over a year and 2 months out.
5:26 AM
@CLB-dan.techcrime ^
Avatar
CLB-dan.techcrime 2/5/2020 5:30 AM
@Artea Strange... can you email Support?
Avatar
@CLB-dan.techcrime OK, I'll send an email shortly 🙂
Avatar
Hello there, i have a question about an iPhone and knowledgeC. The event "Backlight Status" says: SCREEN IS BACKLIT: NO -- START: 2019-11-08 17:23:40 -- END: 2019-11-08 17:45:36 The event "Application In Focus" says: com.apple.podcasts.TodayExtension -- START: 2019-11-08 17:36:49 -- END: 2019-11-08 17:36:50 com.apple.news.widget -- START: 2019-11-08 17:36:49 -- END: 2019-11-08 17:36:51 com.getdropbox.Dropbox.DropboxTodayView -- START: 2019-11-08 17:36:49 -- END: 2019-11-08 17:37:00 Are these "Application In Focus" events system events? Since the display was off at the time, it cannot be a user action. Or am I wrong? How can i quickly find out which "Application In Focus" events have been triggered by the user? --- 06.02.2020 Isn't there someone who can answer these questions for me? Not even @Cellebrite ? (edited)
Avatar
Anybody know what the "rebuild cache" icon in web history in @Cellebrite is ? Appears to be new and I did a quick search on here and did not see any related info. (edited)
Avatar
@DCSO, it means that cached html for this web page exists in the dump. If you want to see the web page after rebuild you should right click on the line and go to rebuild cache.
👍 1
Avatar
@Karlsson there are two people that I know of who have done a ton of testing on these artifacts: Sarah Edwards and Heather Mahalik. You can google their names and the APOLLO script, which should be able to answer your question. If it is something that is going to hold weight in your case I would also test this yourself to verify...
👍🏽 2
7:00 AM
On this third day, we will focus on application usage. We will cover three databases: KnowledgeC.db. Be sure to check out more detailed information on this database in my two previous articles. Access to this database is limited to a file system dump, it will be...
Avatar
@Magnet Forensics - either I suck at googling or the info isn't easily found... I have checkra1n acquisitions done by Cellebrite UFED 4PC. I want to parse these in AXIOM... loading the ufdx file crashes and loading the folder doesn't display expected results. How do?
Avatar
Andy Thorpe 2/6/2020 8:22 AM
@whee30 I'll DM you
👍 3
Avatar
Is it forensically sound to root a user's Pixel 3 to obtain a full physical? That being said, is it possible to root one without losing user data?
12:59 PM
Its for a murder case. I can get into it but the logical is really not going to provide me with what I truly need from the phone.
1:00 PM
My understanding is that unlocking the bootloader is going to wipe the device, yeah?
1:01 PM
so nevermind probably
Avatar
Unless it was rooted by the owner, a physical is going to be very difficult. Unlocking the bootloader will wipe the device. And the Pixel 3's use FBE anyways.
Avatar
I would also argue that rooting a device is never 'forensically sound', but then again how many of our techniques really are these days? Better to think about whether you feel like you can justify it and weigh the risks against the benefits. Our advice in the past for techniques that made permanent changes to devices (like methods on Samsung that would trip the Knox Warranty) is that the device should not be returned to the owner as you don't know how exactly that device will behave in the future, but that doesn't mean that you can't do it if you're competent and it's both lawful and necessary.
1:20 AM
But on this specific case, you're probably not going to have much success going down the rooting path
👍 2
Avatar
@Beefhelmet I would look at @Cellebrite's advanced services first since they have done heavy testing on rooting methods. If you're comfortable getting a test phone you can do it yourself, however you had better have the knowledge to back up the process in court for this type of case. Also, most times when you unlock the bootloader it will wipe; there are some workarounds sometimes.
Avatar
Keep in mind “rooting” has different meaning to some people (similar to “jailbreaking”). Usually, when speaking of rooting, people mean modifying a device or installing some permanent way of obtaining “root” permissions. When we extract a device in UFED or in CAS, we temporarily obtain those “root” permissions by exploiting vulnerabilities in the OS, and give them to the extraction agent for the duration of the process. This doesn’t fall under the common interpretation for “rooting”, at most we can say it’s a “temproot” method. This is a simplification of the process, because we don’t necessarily need “root permissions” (maybe another process has the adequate extraction permissions already?), and in fact other mitigations like SELinux significantly limit what you can do even with “root”. To answer @Beefhelmet’s question, each method is quite different. Some are very strict, live in RAM only and maintain very high degree of forensic soundness, and some aren’t. Try to learn the most about the method you are using! As for the Pixel, we can give you a Full File System with our advanced services, not aware of alternatives to Premium / CAS access on those.
👍 3
Avatar
I have an iPhone 6 GK extraction that I have decoded with Cellebrite. I am looking at the device location data and have a string of locations that support the location where the suspect was located. One of the 8 or so locations however is 12.32 miles away. The times on these locations are roughly 5 seconds apart. All of these have the source being Safari. Other than teleportation, is there a good way to explain to a jury why this would occur?
Avatar
Is it that the rogue locations are not GPS ? Perhaps cell tower ? Not quite as accurate as GPS?
6:37 AM
Look at the icons beside each entry. Should be a satellite, tower or Wi-fi icon
6:37 AM
I’ve had that before
6:38 AM
I’ve also had GPS oddities where device didn’t have enough satellite connections to provide a precise location. The more satellites it’s connected to the more precise the GPS coordinates
6:41 AM
I've seen that a few times on my Sat Nav driving down the road where it's been 100% accurate and for a brief period it's shown me in the middle of a field close to where I actually was and then a minute or so later it's got me back right where I was.
Avatar
CLB-TheGeckster 2/7/2020 6:53 AM
@ds275 Like Stevie said, are all of the locations the same type? Or is the rogue location different (cell tower, etc)
Avatar
In the device locations tab, they all have the satellite icon
6:56 AM
There are also artifacts in the "Searched Items" tab that have lat/long data included. The suspect ditched a stolen vehicle and soon after searched "Where am I".
Avatar
Deleted User 2/7/2020 7:22 AM
I've always taken a method to be forensically sound if it can be reproduced by another party...also once we've exhausted every method available to us we then move to amend the search warrant to allow for other methods and document what is done...finally we don't return mobile devices either...at the end of the day it takes so long to get to trial that more than likely the user doesn't want a 2+ year old phone
Avatar
Also got a location data question RE latest PA and an iPhone. Can see a very large quantity of Cell towers and wireless access points being recorded with the same timestamp but very different locations. Any idea what the timestamp actually means? These all seem to be sourced from cache_encryptedB.db.
7:35 AM
Talking around 100 entries per timestamp
Avatar
This isn't unique to one phone either. Have 3 that have FFS showing similar things (edited)
Avatar
@K23 I seem to notice it more since 7.29... I had one iPhone case where 3 readings from cell towers at the exact same timestamp were several miles apart, so unless the suspect is Hulk jumping back and forth, something's up. (edited)
Avatar
Braden.Grayshift 2/7/2020 8:07 AM
I am not certain, but it was my understanding that these cached locations are a cache of AP->GPS locations that are downloaded from Apple's WPS server, and then used locally on the device to calculate its location based on those locations. The timestamp could be the time at which the request was made and the locations were cached
8:09 AM
But I could be wrong here, I am simply speaking as someone who has looked at the WPS protocol and it returns a list of APs and corresponding locations to those APs that are nearby you
Avatar
That actually makes a lot of sense, thanks for the insight. A colleague had just found a research paper but it's in German so you may have just saved us some translating time
Avatar
Braden.Grayshift 2/7/2020 8:17 AM
No problem, some info here also https://github.com/zadewg/GS-LOC
Apple geolocation services reverse engineering. Database scraper. - zadewg/GS-LOC
Avatar
@Braden.Grayshift fantastic, thanks
Avatar
Braden.Grayshift 2/7/2020 8:28 AM
np
Avatar
Is it possible to decode a pattern code from a locked Samsung S6 running Android 7.0?
9:45 AM
As far as I'm aware, there's no known method.
Avatar
Deleted User 2/7/2020 10:13 AM
it can definitely be bypassed or removed...do you need the pattern for some reason?
Avatar
CloudCuckooLand 2/8/2020 2:41 AM
@Pacman As it is hardware backed the only practical way would be to brute force it after rooting the phone
Avatar
Any place I can look for contacts from WhatsApp other than wa.db? Somehow I see 52 deleted contacts from WhatsApp but it doesn't show their source, wa.db is empty and there's not much more related to contacts in the WAL file either. I can't decrypt msgstore.db since there's no key in /data/data/com.whatsapp/files/ for some reason. The phone I work on is an HTC Desire 626 (Android 6.0) that apparently decided to delete some stuff, including the whole contacts database, and I'm looking for a way to recover as many of them as possible (edited)
Avatar
@Cellebrite Quick question re Cellebrite Reader, I've just been asked why the party data in a call log is blue or black in colour. Is there a difference? (edited)
Avatar
Nullable Truth 2/10/2020 2:36 AM
Is there a compiled list of databases for apps that have been manually decoded? Cellebrite doesn't support RandoChat, so I wrote a SQL query and Python script to extract all the conversations, attachments and user profile information. I would like to share it for others to use and I'm wondering if there's a central online resource
Avatar
Deleted User 2/10/2020 6:30 AM
@Nullable Truth not that I know of, but Github it and then posting on reddit, here and ForensicFocus would be a good start
Avatar
Nullable Truth 2/10/2020 6:35 AM
Thanks @Deleted User
6:35 AM
I wonder if it would be something to request dfir.training to implement
Avatar
Deleted User 2/10/2020 6:38 AM
@Nullable Truth I think it would be great to have a central location for scripts written by others for unsupported apps
👍 1
Avatar
Nullable Truth 2/10/2020 6:39 AM
Likewise. I often have to scour through articles and blogs to see if anyone has figured out the tables and columns in a database for a specific app
Avatar
@Nullable Truth I like this idea as well. I'm just learning Python myself, so it would be great to see examples of how those who understand the language have put it to use in DFIR. It would really help me bring the two concepts together, and help me understand better how I can use Python scripting to help me with my own career growth
Avatar
CLB - DavidK 2/11/2020 1:08 AM
@8198-IZ54 The contacts you see in blue color are contact names that are attached to the phone number by the Contacts Cross Reference plugin. This plugin cross-references the phone numbers from the device's contacts with numbers found in chats and call logs. The plugin is activated by default in the settings. (edited)
Avatar
Anyone have any reference material for digital eSIMs? @OllieD They seem to be becoming more prevalent, specifically in newer iOS devices.
Avatar
CloudCuckooLand 2/11/2020 2:50 AM
Does anyone know what the time source for a relatively modern Alcatel MTK dumb phone incoming SMS is? SMS file is the typical MPA3_001 with the PDU messages. The reason I ask is Nokia MTK phones take incoming SMS times from the device clock NOT network. XRY says network, but it also incorrectly states the timezone on ancient PDU encoded SMS 😒
Avatar
Hi @m0rttz, good question - we've had a few enquiries come in about eSims but not as many as we'd expected to see. Short answer is no, we don't have any material. I'm about to order a few new iPhones to get some testing on this started. What we do know is that eSims obviously change how a device should be network isolated: a traditional device can obviously be isolated by removing the physical SIM card. A device with an eSim would have to be powered on within a Faraday environment (if that's not already your SOP) and placed into flight mode (double checking WiFi and Bluetooth is disabled as well) before any examination can happen outside of that environment
Avatar
Has anyone had any success with decoding chat data from Skout?
Avatar
@OllieD @m0rttz Funnily enough I had a query about this the other day, XRY as it stands....officially does not support eSim due to the current low take up of the technology. But since I received the question and have access to an iPhone with eSim capability I am planning to give it a try and will let you know the outcome.
5:48 AM
@CloudCuckooLand @MSAB We'll take a look at this
Avatar
Motorola Razr 2020 is the first eSim only phone (edited)
😆 1
6:07 AM
But as it's £100 a month on EE, not too worried about that dominating the market just yet 😉 (edited)
😲 1
Avatar
if anyone has any experience with how iOS APFS timestamps work (particularly Accessed and Modified) give me a shout!
Avatar
@CloudCuckooLand You are correct in that XRY decodes the timezone incorrectly, I'll put a bug report into our systems for this. But the timestamp is from the network, and not the Device time. This is tested on an Alcatel 2045x, which is an MTK phone.
👍 1
Avatar
@Mistercatapulte @Sudo @alona#0249 Hello, I post this information for the little investigator who does not want to waste time 😀 iOS version: 12.4. My Messenger version was: 194978155. The path of the db is: /root/private/var/mobile/Containers/Shared/AppGroup/{...GUID...}/lightspeed-10002406XXXXXXX.db where 1000..xxxx is the Facebook ID 😉 The interesting tables were: attachments, contacts, messages ... Necessarily 🤣 (edited)
Avatar
Good morning, anyone have any luck getting a physical extraction from a Galaxy s10 plus ?
11:21 AM
using cellebrite I should add
Avatar
Cellebrite got back to me personally and let me know that it's Premium or CAS only at this time
Avatar
For iPhone full file system extraction is there a record for each time the phone is switched to flight mode? Cellebrite PA 7.29 release notes mentioned that Rmadminstorelocal will be decoded but no results from my test so far...
Avatar
@Reedsterz check the KnowledgeC db under Z_Event_compoundindex table, look for /system/airplanemode (edited)
Avatar
Alright ty @Zhaan
Avatar
I've got a CAS dump question if anyone from @Cellebrite is around for a quick chat. FFS received seems a lot smaller than what the internal storage is showing, just wondering if this is normal due to compression or if the dump is incomplete. (edited)
Avatar
@K23 please dm me
Avatar
Hi Teb, currently in DM with @CLB-dan.techcrime but cheers!
Avatar
Thanks
Avatar
I think 201 might be attempts to resend failed messages, but I'm not entirely sure and can't test this right now - so you should definitely verify this yourself
Avatar
Thanks... that is something I will test.
5:36 AM
And apparently it was just an issue of patience...just needed to wait another 7 hours to open the extraction.
Avatar
@Zhaan @Reedsterz you can view currentpowerlog.plsql (or its archives) Table: PLBBAgent_EventPoint_TelephonyActivity Column: airplanemode (on -> activated)
Avatar
Hi, does anyone know if an iPhone (iOS 12.4) keeps MAC addresses seen while it is in passive mode (Bluetooth enabled but not in scan mode)? I tried unilog without result and the 2 usual databases ... (com.apple.mobile.bluetooth.lediviced.other.db...) (edited)
Avatar
@rico thats a lovely little table, thanks
Avatar
@Zhaan yes, you can get a lot of information (over a few days)
8:29 AM
E.g.: shutdown, Lightning connections, % of battery, use of camera...
Avatar
@Cellebrite Cloud Analyzer 7.10 version question. I have over 600 Facebook contacts (friends) in the Cloud Analyzer software. When I export them using report/PDF or report/UFDR the "identifier in data source" (aka Facebook profile numbers) are not included. Is there a way to export those 600 profile numbers?
Avatar
@mkx, we found a performance bug in PA 7.29 which influences Android 8 and higher. Hopefully it will be fixed soon.
Avatar
ahhh...thanks for info @alona ! I was hoping 10 hrs wasn't going to be the typical experience going forward 😉
Avatar
Does anyone know if it is possible to find sender and timestamp information about the emails in snippets.db from ios/mac? I can't seem to find it in the database in question, isn't that information stored or could there be a cross reference somewhere?
Avatar
chrisforensic 2/15/2020 7:33 AM
hmmm.... @Cellebrite Something strange here ....
7:34 AM
1) Original screen from SM-A105FN shows 2 missed INCOMING FB Messenger calls (video chat and normal call) and an OUTGOING call (video chat - 2min36sec).
7:34 AM
2) UFED-PA shows JUST OUTGOING CALLS !!!! and a second participant (who never had any FB-Calls from/to the owner of the phone!)
7:36 AM
data come from APK downgrade (with latest beta 4PC 7.30) and PA 7.29
Avatar
CLB-dan.techcrime 2/15/2020 7:38 AM
Group call initiated by one but actually a three way?
Avatar
chrisforensic 2/15/2020 7:38 AM
and.... i can see this second participant (arabic name) on other FB-Messenger-Calls too ???
7:43 AM
@CLB-dan.techcrime no group between the three on phone
7:44 AM
and just outgoing things from the owner, but if I look at the phone, there are two missed incoming and one outgoing
Avatar
CLB-dan.techcrime 2/15/2020 7:46 AM
@chrisforensic I'm out of ideas for now 🤷‍♂️
Avatar
@chrisforensic , what is the version of FM? Is it a group chat?
Avatar
chrisforensic 2/15/2020 11:55 AM
@alona sorry, I'm now at home... will look tomorrow 😉
Avatar
Got a physical extraction of a Samsung Galaxy S7 - most of the chat apps and web history are locked with a pattern code. I've found an app responsible for this - Swift Cleaner. I've tried to find anything within configuration files for a pattern code - no luck. I did find a gesture key that contains what I assume is the salt (or hash?) for the pattern code
12:52 AM
Anyone got any suggestion or tips for me to remove the pattern code/figure out what it is?
Avatar
CloudCuckooLand 2/16/2020 9:51 AM
@Pacman https://blog.malwarebytes.com/cybercrime/mobile/2018/02/mobile-menace-monday-first-kotlin-developed-malicious-app/ It seems swift clean is malware that has been removed from the Play Store. That's going to make reversing the app a bit harder...
New malicious apps appear in Google Play abusing Kotlin, the "safest" official programming language for the Android.
Avatar
Deleted User 2/16/2020 11:12 PM
@Pacman: did you try uninstalling the app?
Avatar
I just provided the extraction and explained what swift cleaner is, job done.
12:40 AM
I don't think uninstalling applications is a good practice @Deleted User
Avatar
@Pacman in the past with those kinds of app locks, I've got round it by disabling the app under settings, or if that's app locked too then booting into safe mode and disabling it in settings. Doesn't uninstall, but generally stops it prompting for the pattern
👍 3
Avatar
Great idea.
Avatar
@K23 and then pulling a Physical?
2:00 AM
@sforen what is your question exactly?
Avatar
@florus Sounds like Pacman already had a physical. This step would more be for the manual examination after
Avatar
Oké!
Avatar
Has anyone had luck recovering data from an iPhone which has been disabled from too many password attempts?
2:06 AM
Wondering if any of my forensic tools can help with this if the password is known (celebrite)
Avatar
I don't think disabled iPhones are supported with 4PC / Checkra1n. @Cellebrite can clarify on this
👍 1
Avatar
As far as I know, they're not. You can sometimes do an update from recovery mode and get one (or more) attempts to enter a valid password but it's not guaranteed
👍 1
Avatar
I had a conversation similar to this with @jifa a couple of weeks ago. He confirmed that checkra1n support in 4PC does not support disabled iPhones even if you know the passcode (edited)
2:26 AM
I disabled a couple of test devices and confirmed that 4PC will just keep telling you the passcode is wrong
👍 4
Avatar
Hello! I was wondering if anyone has used Cellebrites LegalView feature to export phone chat data as RSMF files to load into relativity ?
Avatar
Does anyone have a tool to parse discord data retrieved from a computer?
Avatar
Andrew Rathbun 2/18/2020 4:00 AM
@ApC use the search, I believe a paper on this has been posted a few times in the past
4:03 AM
For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table.
4:03 AM
Let me find that paper and I'll link it on that site, too
👍 1
4:06 AM
@forensicmike @Magnet do you have an external link for this guide so I can link to it on AboutDFIR? Or is it not hosted anywhere currently?
Avatar
Anyone happen to know where Snapchat saved chats would be located in a full file system dump?
5:25 AM
There's a blog post for Snapchat on iOS linked here. That might have something of value for you
Avatar
Thanks @Andrew Rathbun 👍
👍 2
Avatar
Andrew Rathbun 2/18/2020 5:27 AM
If people haven't picked up on it yet, I'm trying to build a database of blog posts for artifacts. Hopefully people will eventually check AboutDFIR first and find what they need. That's the goal! Anything I can do to make that a better user experience please let me know. It's all for you guys
👍 10
👌 2
🤠 1
Avatar
Has anyone with Cellebrite Premium removed the iPhone password? Can you explain ? (edited)
Avatar
What do you mean @sforen
Avatar
I mean how it works
Avatar
@sforen sure they will tell you how it works 😂
😁 2
Avatar
@sforen Premium is (to the best of my knowledge) a capability available exclusively to Law Enforcement agencies. I'm sure the people who have it will be bound by NDA, so you won't get a proper explanation, nor would I recommend that you seek one (edited)
👍 5
1:02 AM
Has anyone with Cellebrite Premium removed the iPhone password? Can you explain ?
@sforen On this side however, I can say with reasonable confidence that you cannot just 'remove' the passcode, no matter what tool you're using. The passcode is integral to the encryption of the device, therefore removing it doesn't make sense
(edited)
👍 1
1:04 AM
As an equivalent, there was a capability available in a tool for removing lock screens which accidentally got used on some FBE Android devices. The same principle applied there: the lock code formed part of the encryption process, therefore removing the lockscreen (whilst technically possible) meant it was impossible to decrypt the data
🥇 3
Avatar
Mistercatapulte 2/19/2020 2:40 AM
😆 2
cellebrite 1
Avatar
hello, does anyone have any idea what this icon might be?
Avatar
Yuri Gubanov (Belkasoft) 2/19/2020 3:45 AM
Great news from Belkasoft: we have supported checkm8-based acquisition on Apple devices on Windows. Learn more at https://belkasoft.com/checkm8 and please pass the news to your peers!
💯 1
👍 1
Avatar
@OllieD great explanation to the lock removal
👍 2
Avatar
Does anyone know the general path where iCloud offline files are stored on an iPhone?
Avatar
I have a physical acquisition of a Huawei VNS L31 - I was not able to decode the activity/application usage log. Can anyone point me to the database that stores this data? (I tried UFED PA and AXIOM - no application usage log decoded)
6:31 AM
@Cellebrite @Magnet Forensics
Avatar
Usagestats. Not sure if huawei runs same way as Samsung’s ..
6:33 AM
I’d start there
Avatar
@Pacman will be worth dropping @Stevie_C * (Sorry @Stevie_C!) a message too on this. I know he did some work previously in this kind of area on android, but I think that was more related to device power on / off as opposed to app usage. Might be similar databases though (edited)
Avatar
Thanks - @Stevie_C do you have any input at this stage? 🙂
Avatar
Do you mean @Stevie_C or @Stevie_C?
Avatar
Poor Stevie_C getting all the notifications...
😆 2
Avatar
@Pacman I can confirm it was me who did that work on the Samsung logs back last November. If you jump to https://discordapp.com/channels/427876741990711298/545232743353810946/643806296117870632 you'll see I had excellent pointers from @.karate. who got me going on it. It was all around device power events and device states at certain times I was working on, not actual app usage, but you'll see in that link @.karate. mentions Huawei's specifically. He might be able to give you a steer too.
7:00 AM
@Pacman I'm at home on leave at the moment however I've found a few files and testing notes I had from the Samsung. I'll DM you with them
Avatar
did some cropping but could not find anything ... someone got an idea which android app that could be ?
Avatar
David Smalley 2/19/2020 8:40 AM
Make your smartphone fast and healthy with our powerful clean virus app, Antivirus Mobile - Cleaner, Phone Virus Scanner. Professional quality antivirus scans devices deeply and keeps your device safe from virus and trojan with one tap scanner function Highlights ➤ Simple in...
Avatar
I’ll check that out, thanks
Avatar
Hello guys! unc0ver v4.0.3 iOS jailbreak is out. It works with iOS version 13.1.3 and may help when checkm8 fails. My question is how to sideload it from a laptop without an internet connection? Apple recently blocked Cydia Impactor and we are waiting for an update by Saurik. Has someone found a way to fix the problem?
Avatar
Anyone got any idea why Mobile Revelator by @bkerler crashes when attempting to bruteforce the PIN of a userdata dump?
1:16 AM
I extracted the header and footer. It says "building kernel" and then crashes... no log or whatever
1:19 AM
ah, I guess I know, hardware-based encryption
Avatar
Deleted User 2/20/2020 6:58 AM
@cygnusx sounds about right
7:19 AM
sorry only found FR link
👌 1
Avatar
Is there a difference when running a GK extraction through PA using the iPhone FS or GK FFS chains? @Cellebrite
Avatar
@OllieD Thanks for your answer
Avatar
Update to running GK extraction through @Cellebrite Physical Analyzer. Loaded the GK extraction through Open Common Plug-Ins --> Backup --> Apple iTunes Backup / GrayKey. Switched the Chain to iPhoneFS and ran the examination. Re-ran the process switching the Chain to GrayKey Full File System Backup.
10:47 AM
Compared the numbers for parsed items and everything was identical. So looks like it doesn't matter which chain you choose. I did not run it without switching the chain from the default iPhoneBackup choice to see what that does.
👍 6
apple3 3
Avatar
@sholmes we recently found that too - numbers of items the same, although Cellebrite said the "official" way is via plug ins - backup - backup/GrayKey 🙂
Avatar
When we called a few weeks ago tech support said iPhoneFS was official way and to not use default. Lol
11:24 AM
I will run it next week when I get back to confirm the third method gives us the same. On a different phone one of the other examiners ran iPhoneFS and Left it default for backup/GK and he said his too was identical. He called tech support and they said to change it to iPhoneFS.
11:25 AM
This was the first time I saw the GrayKey chain listed. And weirdly the default chain for this method is not the Gk chain.
11:25 AM
Thanks for confirming what we found @JMK
👍 2
Avatar
When we called a few weeks ago tech support said iPhoneFS was official way and to not use default. Lol
@sholmes well now I'm confused 😂 at least they give the same numbers!
🤣 1
Avatar
Does anyone know any logs or DBs that may detail any private browsing in Safari. I have a FFS dump of the phone.
Avatar
chrisforensic 2/21/2020 5:48 AM
@Cellebrite ... hm... something wrong today with the enrichment service ?
Avatar
I got that yesterday as well but it worked a second time. I put it down to my local network at the time.
Avatar
chrisforensic 2/21/2020 5:56 AM
tried several times without success 🧐
Avatar
I’ve got a question about videos found in the Caches/com.snap.filemanager_SCContent….. folder on a UFED extraction using checkm8. Is there a way to prove the video was recorded on the device itself or if it is just a Snapchat story loaded from another user? The timeline shows iOS locations at the crime scene and that the video in question gets Accessed at this point. The file is named “zip13910……”, a lot of indications that it is but I’m having a hard time proving it can’t be a story uploaded from another user.
Avatar
lonely_cash 2/21/2020 9:02 AM
I downloaded Messages In The Cloud from an Apple account using Elcomsoft Phone Breaker. I know a little bit of SQL but joining the Attachments table guids to the Messages table guids is a little above my pay grade due to prefixes used in the attachments guid data. Anyone know of a tool or script that will parse this type of data? Thanks!
Avatar
@chrisforensic I've seen this also, they have the enrichment service on its own server and from time to time they update it by taking it offline (edited)
Avatar
@chrisforensic @Cellebrite For info, just been doing a bit of playing here at home on Cloud Analyzer. Just imported an iCloud Backup into PA and got this. Enrichments not working at all now. It was intermittent yesterday.
9:28 AM
Avatar
Does anyone know of a @Cellebrite python script repository? If not I wonder if anyone had any interest in creating one? I have the servers to host one on but no scripts to add and be helpful.
Avatar
Andrew Rathbun 2/21/2020 11:45 AM
@savagemic might not be a bad idea to ask on Twitter using #DFIR too. Probably more coders hanging out there as well.
👍 1
11:46 AM
If you get a good enough repository and don't feel like hosting it on your own stuff, we can probably find a spot on AboutDFIR to host it as well. Open offer and don't want to step on your toes. Run with it how you see fit and what will be best for the project
Avatar
@Andrew Rathbun Oh, I have no issues with where it’s at, just hoping to make everyone’s life a little easier!
✊ 3
👍 1
Avatar
Andrew Rathbun 2/21/2020 11:48 AM
@savagemic that's the name of the game! Hopefully you get some bites. Another place to ask will be the MDFA Google Group. There are some ninjas there. Maybe @heatherDFIR too
Avatar
@sholmes @JMK Regarding the GrayKey FFS vs. iPhoneFS chain question: The only difference between the chain is that the GrayKey FFS chain can also be given the keychain.plist file that GrayKey extracts separately, which is decoded by PA before running the iPhoneFS chain. If you don't have (or don't need) the keychain.plist file, the chains are equivalent.
👍 2
Avatar
Am I the only person who reads these posts and goes man these people are brilliant and I have no idea how to get close to this brilliance.
👍 7
Avatar
Andrew Rathbun 2/23/2020 7:35 AM
Am I the only person who reads these posts and goes man these people are brilliant and I have no idea how to get close to this brilliance.
@wldcat06 imposter syndrome is a real thing in this field. If you have questions, just ask and someone will be happy to break it down. I can relate to the feeling. We all can't be experts in everything. It's better to know and network with those who are to learn from them.
💯 4
👍 3
Avatar
chrisforensic 2/24/2020 12:22 AM
hmm... @Cellebrite still out of order 😕
Avatar
CLB - DavidK 2/24/2020 1:05 AM
@Stevie_C @chrisforensic I'm looking into this and update Thanks for letting us know
👍 2
Avatar
cloud.sqlite and Threebars.sqlite Can anyone direct me to a paper on them or a brief explanation of where the data is coming from to populate the locations for this data?
Avatar
Thanks for the clarification @Orb
Avatar
@wchtdev https://www.google.com/url?sa=t&source=web&rct=j&url=https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html%3Fm%3D1&ved=2ahUKEwjd-Iym0ernAhXQyaQKHWJpA8sQFjADegQIAxAB&usg=AOvVaw3dyH5yTVW3Bmnk2UPR0NCW seems new. Hope it helps a bit. "Checkra1n Era - Ep 4 - Analyzing extractions "Before ... - Zena Forensics 18 Dec 2019 · I am confident that someone in the forensics world will come up soon with ... /Caches/com.apple.wifid/ThreeBars.sqlite." (edited)
Avatar
forensicmike @Magnet 2/24/2020 11:37 AM
@wchtdev ThreeBars is very new (iOS 13+), I know @criley4640 and @luis511_ have done some work on it. I believe the current best guess is that it pertains to the new "Find My" crowdsource feature. And I think it's also fairly certain that the location data in there is not necessarily correlated to the phone's precise location at a given point in time. (edited)
👍🏽 1
Avatar
Anyone ever had the checkra1n exploit get stuck on the logo screen? I can't reboot the phone or anything right now. I was following steps in ufed4pc and it stopped, wouldn't see the device. I tried the exit mode tool and key combos.
Avatar
Is Samsung SM-J710FN encrypted by default ? I have one REALLY damaged and wonder if chip-off is a good idea ?
Avatar
Mistercatapulte 2/24/2020 12:40 PM
@DEVNULL not encrypted by default for me. Out of the box with 6.0.1 but can be updated to 8.1
12:41 PM
Device is not recognized by ufed?
Avatar
@Mistercatapulte nope, its dead, just bag of parts 😉
Avatar
Mistercatapulte 2/24/2020 12:42 PM
@DEVNULL u can take the risk if it's the only way u have
12:43 PM
But u have veryyyyyyy low chance to have unencrypted device
12:45 PM
@4N6Matt repeat recovery or dfu process to reboot in normal mode
Avatar
Does anyone have any information on the API Integers from within the calllog.db for Android 7.1.1
1:06 PM
I know on developer.android there are 7 main ones documented however on this specific dump there are 9 and the (int) do not match up
1:06 PM
I am seeing (int) 1 2 3 5 8 9 10 21
1:06 PM
metropcs
Avatar
The issue I am having with a particular cell phone extraction's physical filesystem and logical is that a number has a lot of unknown call direction and type in the call history 0x09. I also have a 0x15 which is baffling as well. Does anyone know why it could be marked as unknown 0x09 or 0x15? Luckily I have CDR records indicating what these calls were but it's not explaining the issue within the calllog.db.
Avatar
CloudCuckooLand 2/24/2020 1:59 PM
@DEVNULL Maybe @Arcain can help you?
Avatar
@DEVNULL from what i remember, it is factory encrypted
2:09 PM
I checked 4pda and xda-developers and they do mention script to remove encryption or format data in twrp to avoid issues so i guess i remember this right
Avatar
CloudCuckooLand 2/24/2020 3:51 PM
@Arcain I mean to fix his phone! I think he's local to you. Agree it's encrypted.
Avatar
Any pointers to databases with possible thumbs of a video that got deleted on a physical dump of a Samsung sm-g950f?
Avatar
@Mistercatapulte thanks I have already tried that and unfortunately didn't work. The battery died overnight so I hope in a bit after a charge it might boot normally. I will stick it on a different box after that.
Avatar
Thankfully after allowing the battery to run flat, the iPhone booted fine this morning. Panic over
👍 1
Avatar
@Cellebrite is it possible to automate some parts of UFED Physical Analyser? I mean like loading multiple ufd's as one phone and making a UFDR?
3:50 AM
we would like to automate the generation of UFDR files from dumped phones
Avatar
@cygnusx Yes, you can pre-load multiple .ufd in one go. Hold on, I'll do a screen shot in a minute to show how
4:29 AM
Unfortunately it doesn't go as far as creating a UFDR at the end !!
4:35 AM
4:36 AM
Load the first .ufd file, then before hitting examine or next, select add files
Avatar
yes well the idea is to make a small program that automates loading multiple ufd's and generating a UFDR
👍 1
4:36 AM
Avatar
so i'm looking for command line options, an API or python scripting possibilities
Avatar
There's nothing that I've ever come across. I'm sure there is a clever programmer out there who could figure something out !! Unfortunately it's not me 😭 It would be a nice feature though to let it start and run overnight to come back and find everything imported and then nicely packaged up in a UFDR the next day !!
👍 1
Avatar
maybe @Cellebrite knows ideas to do this?
👍 1
Avatar
Bump for @Cellebrite ? Any CLI for UFED PA?
Avatar
You can write your own Python scripts to be run by PA
Avatar
Yes, but i cannot find any documentation how to load UFD files and most of all a way to generate UFDR reports via Python @OllieD 🙂
Avatar
Has anyone decoded Google Pay? Particularly around transactions?
Avatar
anyone else find UFEDPA struggles to load images and things, nearly crashes
Avatar
@cygnusx There's a testing interface we use that might help you... I'll DM you
Avatar
anyone else find UFEDPA struggles to load images and things, nearly crashes
@Sudo Yes! Not nearly crashes, but even restarting my pc while trying to load physical images of Samsung J3 and S9. Had to load them into Axiom. No probs there.
Avatar
Deleted User 2/26/2020 6:32 AM
@cygnusx There's a testing interface we use that might help you... I'll DM you
@Orb I am also interested
Avatar
@Svenergy yeah I dunno what it is, I've tried it on different drives since I thought it was maybe network related
6:35 AM
but still same deal
Avatar
One of my colleagues has had the same issues with his pc's with those images. Hopefully, it gets better with the upcoming version 🙂
Avatar
@Cellebrite Ummm...wha?! (PA 7.30 is out of beta today)
Avatar
@criley4640 what does that mean?
Avatar
For those that are generating sysdiagnostic logs on an iPhone and syncing the phone to a Mac; a folder is created in ~/Library/Logs/CrashReporter/MobileDevice/iPhone name. Has anyone noticed that after an undetermined amount of time, files that were synced from a phone have 'disappeared'? I had noticed that I'm missing content from some older synced phones, but wasn't entirely sure what was happening. Today I actually saw files disappear from the folders as I opened them. Is there some archival, rotation, deletion process that is happening to items in the CrashReporter folder? Is there a way to retrieve these missing files? Running Mojave 10.14.6
Avatar
@criley4640 what does that mean?
@florus I think it has to do with Silk audio files that are "convertered" during an exam but the manual doesn't have the setting listed so I'm not positive.
Avatar
All - I am working a case where the suspect might have wiped their phone about 1-2 months ago. I have a cellebrite advanced logical and file system dumps. The phone is a samsung A10e. I am only getting as far back as 1 month ago in Timeline (Cellebrite). Is there a location in Android that has the install date? I am envisioning something similar to the windows install date. Thanks!
Avatar
Andrew Rathbun 2/26/2020 4:05 PM
@lehrfeld check the timestamps for some of the system apps. That should hopefully give you a good indication of when they were installed.
Avatar
Great idea. Thank you. It is looking like it was wiped. Earliest date for a system app like com.android.mtp - db - database-journal is a month after suspected activity.
👌 1
Avatar
Andrew Rathbun 2/26/2020 4:58 PM
@lehrfeld glad to hear!
Avatar
Also you could boot into recovery mode and look at the recovery logs. There you should be able to find the right log file where (if you read it carefully) you will find if it installed updates and/or wiped the phone.
10:26 PM
i think you can also copy the logs via ADB when booted...
Avatar
I'm attempting to import/decode a UFED iPhone 4 binary in XRY and need a decryption file to complete it. Could someone let me know what file i need to use for this? Phone is running iOS 5.0.1 (9A405). Thanks in advance.
Avatar
@Artea The decryption files should be stored in the .ufdr file so simply point XRY to that one and the decode should proceed! Let me know if there are any issues!
Avatar
@Erumaro Thank you very much. Worked a treat 🙂
👍 1
Avatar
chrisforensic 2/26/2020 11:31 PM
@Cellebrite ... have problem with latest PA 7.30.0.288... imported .ufdr from former beta PA.... no results 🧐
11:33 PM
load an older .ufdr (not done with beta) loads ok !
11:33 PM
Avatar
Where can I find a timestamp of when iphone XR was last wiped/reset?
Avatar
Never mind just got it - .obliterated file
12:36 AM
Took me a while to remember
👍 5
Avatar
Anyone have experience with LineageOS?
Avatar
How accurate is the .obliterated timestamp?
Avatar
MD5/VFC_Aaron D 2/27/2020 5:06 AM
Is there a way to export C4All files out of XAMN?
Avatar
I have a bunch of movie files called *.snap.0 under com.snapchat.android/file_manager/snap/. Are these all the clips, sent only or received/saved only? Other evidence tells me that it at least contains sent files but I'm hoping someone here knows more. edit: After testing I have concluded that this folder is the cache folder for Chats in Snapchat. Received and sent files via the chat function are cached here, for quite a while actually. (edited)
Avatar
Anyone have experience with LineageOS?
@m0rttz What do you want to know?
Avatar
@MD5/VFC_Aaron D What exactly is it that you want to export from XAMN, just the file hashes or the complete files? Happy to take it in a DM if it's easier to explain! (edited)
Avatar
MD5/VFC_Aaron D 2/27/2020 6:08 AM
For our client, they want us to provide them with a Griffeye grading package with C4All Files. But I've just used VICS and created the Package from there. I think thats more important than the actual C4All Files as the Officers probably won't know what to do with them haha.
Avatar
Yeah I think the VICS export is probably the one you are looking for here! 🙂 Happy to hear you found it but let us know if there's anything else we can do! (edited)
Avatar
@MSAB In Xamn, I'm looking into a physical dump. I want to export the data as a binary file. How to? I was told I had to look at all the data in hex view and then save it?
Avatar
@florus Open the extraction in XAMN Elements (open the .xry file and click Examine Hex) and then click the partition in the list and chose Export Data, as explained by my colleague in the following blog post; https://www.msab.com/2019/12/02/how-to-export-binary-data/ (edited)
Avatar
Thanks
Avatar
@Erumaro I'm not seeing the examine hex part. Do I need an active dongle? I'm on my own workstation with no xry attached. I'm on xamn 4.5.
Avatar
Correct, it requires an XAMN Elements license which is provided for free with an XRY Physical license so simply connecting the XRY dongle should be enough
Avatar
Ah i see ✌let me try. Worked like a charm. (edited)
Avatar
CLB - DavidK 2/27/2020 7:16 AM
@Cellebrite Ummm...wha?! (PA 7.30 is out of beta today)
@criley4640 This gives you the option to choose if you want to include the audio converter from silk to wav files when you generate reports. We convert those silk audio files but it adds some time to your report generating process, so if you want to save some time and play those files with a player that supports silk files you can. This is a report generated with the checkbox checked:
(edited)
cellebrite 3
7:17 AM
This is a report generated without that option checked:
7:18 AM
You can see the wav file isn't included
Avatar
kmacdonald1565 2/27/2020 9:32 AM
@Pacman i am just asking, because i genuinely do not know but is it possible to hit Apple with a court order to see if a wipe command was issued? if so, you can find out if something went awry.
Avatar
I think the process here is different to America, plus I don't think the wipe command was sent to Apple so they wouldn't be able to comment on that? Unless you mean they can clarify how the process works?
Avatar
kmacdonald1565 2/27/2020 9:35 AM
if it was a remote wipe it would go through them would it not?
Avatar
I don't think so, it's just a local function.
Avatar
anyone have any locations i could look to try and find the telephone numbers associated with a device that weren't parsed automatically? (no sim card, there are only 3 sms/mms and they were never sent so there isn't a "from"). It's hard to search these threads sometimes for more than a couple of words... it's an Android phone (edited)
11:16 AM
calllogs are only facebook calls. So i'm wondering if they never used something that needed a phone#
Avatar
JLindmar (83AR) 2/27/2020 2:42 PM
@AA conduct a search for the terms "mdn" and "msisdn", you should hopefully get something responsive with the device phone number in proximity, assuming the device utilized a phone number (edited)
Avatar
@Cellebrite @Magnet Forensics - can one of you, or both, assist me with taking an iPhone FFS extraction (completed by Cellebrite Premium) and import it into AXIOM?
Avatar
@pa8432cman maybe the new feature of the current iOS where it only needs a Bluetooth connection to another Apple device to enable certain functions?
Avatar
@Zhaan it is an older iOS version I believe - seized November last year.
11:06 PM
12.3.1
Avatar
@Pacman also when the erase all content and settings command is issued it does take a few minutes to accomplish, I am guessing this would also apply to a remote wipe? A gradual disappearance of the data as the erase progresses?
11:08 PM
@Pacman just chucking it out there if it’s any help!
Avatar
Yeah - a few minutes for it to happen, and a few minutes for the new filesystem to be created. I can see the timestamp of the user-specific files/databases and they're all between 07:13 and 07:15 ish
11:10 PM
It is another strong indication that a wipe has occurred.
11:10 PM
Just cannot understand how, or when.
Avatar
@Pacman might be worth going straight to the cloud to grab what you can?
Avatar
There's nothing on the phone - it was reported by an officer attending the scene that he saw IIOC videos on the handset, and then seized it. 2 days ago was my first time examining it and there's no videos on it. No cloud accounts set up etc.
Avatar
The videos have already been saved and uploaded to evidence.com by the attending officer so I don't have to worry about it.
11:13 PM
Additionally, @Zhaan, it's not on set-up screen. It looks like a normal phone, that you can unlock and see all apps etc.
11:13 PM
So it's bizarre
11:14 PM
Do you know where the timezone information is stored?
Avatar
That is bizarre, restored from a backup maybe? But that’s a lot of arsing about by a witness who grabbed a drunk mans phone! Plus I am surprised the witness grabbed the phone, fiddled with it, changed the passcode, changed the Apple password without the drunk guy throwing some shapes at her! This is better than a crime drama!
11:16 PM
Probably knowledgeC somewhere I’m guessing, everything seems to be in there
11:16 PM
I’m on my way to work so I’ll check when I get there if someone hasn’t answered already
11:18 PM
Sounds like the time zone is right anyway because of the timings you mentioned unless they have offset it or manual
Avatar
The time and date was found set to automatic so... whether if it was like that before the wipe or not, I don't know
11:20 PM
and the bigger question - who set it up after the wipe
11:20 PM
?
Avatar
Yeah, I think the witness is either Steve Jobs reincarnate or talking s***e. (edited)
Avatar
Appstore.plist is where the time zone is
Avatar
Just looked into data_ark.plist and com.apple.timed.plist - no timezone information present.
11:50 PM
Looking now
Avatar
@Pacman com.apple.appstore.plist (edited)
Avatar
No timezone information but there is a timestamp for "LastOSInstallDate" and it's showing as 27/11/2019 07:15:10
11:52 PM
Still 2 hours before seizure, and the time where OIC saw the videos.
Avatar
All sounds a little odd and maybe not everyone is being completely honest or able to recall their reflection of the incident...
Avatar
@Pacman cant you compare the video's metadata with the phone you seized? "Does it match?" Can you match the lens of the phone with the video? (edited)
Avatar
I don't have access to the videos on evidence.com. I can't do anything more than "I don't know what the heck happened but here are the facts" lol
12:16 AM
Btw - I don't think the IIOC was made by this suspect - more of possession and potentially distribution
Avatar
Anyone else experienced some issues with FB messenger decoding in PA recently? Across three different cases at the moment from iPhones with FFS / AFU, PA does decode some FB messenger data but when looking on the device manually, there is more data visible than what has been decoded. Digging into it atm, looks like there's an additional orca 2 database which was not decoded within PA that has data with newer time stamps. Edit: Posted this in wrong thread originally, oops!
Avatar
@Pacman I sent an Erase iPhone command to an iPhone SE running 13.3 at 0804 and although the account is reporting the phone as erased, its still functioning fine at this time with all content in place. (edited)
Avatar
@Pacman @Zhaan Any chance the suspect could have panicked and triggered a remote wipe before the iCloud password was changed, but device didn't wipe until after witness showed officer the video?
3:13 AM
Wouldn't explain why the phone is past the setup screen, of course
Avatar
Again - very confusing.
Avatar
@Svenergy seems like UFEDPA 7.30 solved it
4:56 AM
I've not had any crashes so far loading images (or other stuff)
Avatar
The correct direction u mean? (edited)
Avatar
Might be a silly question, but what does the "would you like to install the public data capability" mean when installing or updating physical analyser 🤭 @Cellebrite
Avatar
It's for scraping public facing social media details etc
6:47 AM
So essentially it's the free part of cloud analyser
6:47 AM
(to the best of my knowledge)
Avatar
Okay, workstation is offline, so I have never missed anything ✌
Avatar
@florus its the built in capability of PA to be able to pull cloud based data via PA
6:48 AM
@OllieD quicker than me 🙂
Avatar
Whats everyones experience in Tiktok-messages (privately and forensically?); i have never used the application before and this is the first time looking for 'chats'. I didnt even know there was a chat function in there lol. But i found the database 'containing the messages' in com.zhiliaoapp.musically/databases/ (thanks to abrignoni) ; but the messages table is empty. Does tiktok auto delete chats / vids etc? (edited)
Avatar
Anyone have experience with android artifacts /d_f/000000_sms_backup ?
10:41 AM
I’ve read they can be rebuilt, curious to try when I get back to the office
10:42 AM
Full path for what I’ve got in a PA file system download is /apps/com.android.providers.telephony/d_f/
Avatar
@florus the account is it again connected with this device ?
12:10 AM
Some apps delete data when another device connects to the same account or when the account is disconnected from the device... For tiktok i dont know...
Avatar
@rico Hi Rico, the device was handed to me in flightmode. No idea if the suspect logged into tiktok with another phone, i guess he didnt.
Avatar
ChucksHari 3/1/2020 2:33 AM
Hi guys, I am looking for an IMSI history in a Samsung tablet physical extraction with Android 8. Any chance to find one? Only found the last ICCID and the last operator
Avatar
@MSAB someone from msab around on this Sunday 😁? (edited)
Avatar
It depends... 😀
💯 1
Avatar
Could i dm you ? About exporting the bin from a physical made with xamn. (edited)
Avatar
Yepp 👍
Avatar
Anyone dealing with youtube app on android? Does it log uploaded files? @Cellebrite @Oxygen Forensics @MSAB @Magnet Forensics THANKS (edited)
Avatar
@ChucksHari it could be an idea doing a grep search?
Avatar
CLB_joshhickman1 3/1/2020 4:25 PM
Good day everyone. In need of some help. I pulled some binary data from a SQL database in Android 10 that came from a column titled "cartesian_point." This column was present with others such as "latlong," "semanticPlace," and "public_place," so my educated guess is that "cartesian_point" refers to cartesian coordinates. After some trial and error I found that this binary data is protobuf (yay). When decoding it I get the following screenshot. I have not been able to convert these hex strings to anything resembling cartesian coordinates, or any coordinates for that matter. Anyone seen location data stored like this? Thanks!
4:25 PM
Avatar
ChucksHari 3/2/2020 1:22 AM
@florus did that and unfortunately without success. Am wondering if there is any IMSI somewhere to be found. Found only the first 5 numbers MMC and MNC for the operator 🤔
Avatar
@CLB_joshhickman1 , you can open the database in PA. Our database viewer shows protobuf inside the cells in readable format.
Avatar
@Cellebrite Hi, how do I import a .Raw file into PA?
7:04 AM
It's an extraction made with Axiom using the Recovery image flash method
7:05 AM
Parses perfectly fine, though it consists of 23 partitions
Avatar
Can you go open advanced and point to raw under image file
7:06 AM
doesnt do more than this
7:07 AM
X-Ways shows following file structure:
7:07 AM
Avatar
And it does not identify the file structure
7:08 AM
From what im seeing on the first pic
Avatar
Trying to make an E01 now from the userdata and system partitions
7:10 AM
Gonna try as a file system dump folder
Avatar
nope, does not seem to work
7:26 AM
@CLB-Paul Ok now it worked. Went to Advanced - Select device - Physical ADB - image file
Avatar
I have an android phone with an SMS sent time which doesn’t make sense. The time the SMS is recorded as being sent on the device is 12 hours 2 minutes after the time we think the message was actually sent. Advanced Logical and Physical extractions give the same results. The extractions were run through two versions of PA and a version of Axiom. The mmssms.db and mmssms.db-journal was run through Sanderson Forensic Browser. All tools agree on the date/time that the sms was sent. However, it doesn’t make sense that it was sent at this time per other devices in our investigation. What could account for this discrepancy? I’m guessing that the phone time setting was changed to account for this discrepancy. Is there a database/plist/or log which tracks changes to phone time settings? Thanks in advance.
Avatar
UPDATE: I asked a few days ago about the fragmented logs held here: /apps/com.android.providers.telephony/d_f/ The particular case involved a logical as well as a filesystem download of a galaxy s9. Cellebrite has the text messages available through the logical, not the FS. These partial logs were located in the FS AND logical, however they aren't readable and aren't listed as a source for any of the messages. I was able to find a command line tool here: https://forum.xda-developers.com/android/help/manually-restoring-text-messages-t3587950 which was successful in parsing out these logs into a readable format. The results are basically a mirror of what I have from the logical, I'm not aware of any additional data retrieved in this manner, there's a lot of data to compare and it doesn't output in an apples to apples sort of style. Just thought I would share since i didn't get an actual sms/mms database, this is as close as I've found. Does anyone know why/when these logs are generated?
👌 1
Avatar
I have an android phone with an SMS sent time which doesn’t make sense. The time the SMS is recorded as being sent on the device is 12 hours 2 minutes after the time we think the message was actually sent. Advanced Logical and Physical extractions give the same results. The extractions were run through two versions of PA and a version of Axiom. The mmssms.db and mmssms.db-journal was run through Sanderson Forensic Browser. All tools agree on the date/time that the sms was sent. However, it doesn’t make sense that it was sent at this time per other devices in our investigation. What could account for this discrepancy? I’m guessing that the phone time setting was changed to account for this discrepancy. Is there a database/plist/or log which tracks changes to phone time settings? Thanks in advance.
@Slats depending on the device but don’t think one that logs changes. I would consider getting a CDR from telco
Avatar
Thank you Paul. CDRs should have been done months ago but weren't. I was hoping for a hail Mary here. Thanks for responding.
Avatar
In my Google return I have a bunch of tar files all beginning with deleted. Anybody know what they are because they are not just regular tar files? Is it encrypted stuff? I cant seem to find any literature on this stuff
Avatar
@wizrd08 you able to unzip them with 7zip or so?
Avatar
can I hide an extraction in UFED Reader? I added multiple phones in 1 case to generate 1 timeline. How do I hide one extraction temporarily?
11:46 PM
@Cellebrite
Avatar
Anyone ever deal with a Meitur S92 device re extractions?
Avatar
@hradlo. I searched for the device on Google and according to the first link the device is running an MT6850 but I've never heard of a 6850 before so I am guessing it's a typo and that it should say 6580. XRY should support this chip for a Physical with Android Mediatek Generic!
Avatar
Thank you msab-tobias... much appreciated...
Avatar
@wizrd08 you able to unzip them with 7zip or so?
@florus nope. 7zip says not an archive
Avatar
@wizrd08 I had this with a Huawei backup a few weeks ago. It was default encrypted with an unknown password. I did not find a way to decrypt it.
Avatar
Hi everyone… Given AXIOM’s ability to decrypt Signal on iOS, I’ve tried with an older version of Signal and was successful in getting data decrypted from the app (using their instructions). However, for the latest Signal versions (~3.5) I can no longer find the key OWSDatabaseCipherKeySpec in the keychain.plist file. So I checked online and someone made mention of the GRDBDatabaseCipherKeySpec key for the latest iOS Signal versions... Although I find the key and the V_data value, I can only get the contact list decoded in Axiom (not the chats as I had with earlier versions). Does anybody know which will be the right key to use? PS: I have tried the latest UFED… no joy (their support appears to be tested for v 3.1 and 3.2) Cheers
Avatar
franksvensson 3/3/2020 5:26 AM
@spadart you should use the GRDBDatabaseCipherKeySpec for latest Signal... I dont think the latest Signal versions is supported...yet. You could decrypt the db with db browser for sqlite nightly build. Plaintext header 32 and use raw key.
👍 1
Avatar
devenchen360 3/3/2020 5:34 AM
I have a damaged Samsung S8. The motherboard has damage. Is it possible to recover data from the memory chip? The data is going to be encrypted, but I'm not sure whether there is a tool that can decrypt it?
Avatar
@devenchen360 nope
5:36 AM
hardware encrypted, so you cannot decrypt it without the cpu and stuff
Avatar
devenchen360 3/3/2020 6:05 AM
@cygnusx thank you very much!
Avatar
@florus Did you try producing a new backup of the Huawei device with a known password?
Avatar
no, did two backups.. one without media and one with. Didn't show any errors or whatsoever. Didn't request a password when making it. Then had problems with the .tars. Gave the phone back.. so no possibility to re-do it with another version of huawei backup.
Avatar
Fair enough, in future you can decrypt Huawei backups with known passwords with something like @Oxygen Forensics
Avatar
chrisforensic 3/3/2020 7:38 AM
or make Huawei Backup with password with HiSuite.... and decrypt it with https://github.com/RealityNet/kobackupdec this script is my favorite since months 😁 works reliable ! (edited)
Avatar
@OllieD oxygen, pa didnt parse it
7:44 AM
Kobackupdec didn't match the backup, because no passcode was put in. I used a version of the backup not compatible with kobackupdec. I talked to the creator of kobackupdec, he didn't have a workaround yet (edited)
Avatar
Hey guys, I have an LG Stylo 5 (LGL722DL) running Android 9 Security Patch 2020-01-01 that I am attempting to get an extraction on. Any hope for a physical on this device @Cellebrite ?
Avatar
Is anyone recently experiencing trace log errors relating to 'System.new.dat' files on UFED PA? And would I be right in saying that these are just likely to be files left over when a new update has been installed on device? It's an alcatel shine lite for reference
Avatar
And would I be right in saying that these are just likely to be files left over when a new update has been installed on device? It's an alcatel shine lite for reference
@GC most likely, filename looks like the one used in OTA updates
Avatar
Carl brassard 3/3/2020 10:12 AM
@Slats happened to me a year ago, the received message timestamp came in UTC+0 from the tower and the sent message timestamp was the one from the timezone of the phone. Maybe you could take a look at other SMS sent in the same timeline, and look at the received SMS after and before; the discussions shouldn't make sense, since it's sorted by timestamp, so we ended up rebuilding the conversation with the received SMS timestamp (look at them in UTC+0), saying this was the good time (edited)
Avatar
kartoffel4n6 3/3/2020 10:30 AM
Anyone have experience dealing with spyware apps on iPhones? I understand they claim to be not traceable when installed/run on a phone but does that include forensically?
Avatar
forensicmike @Magnet 3/3/2020 1:35 PM
@kartoffel4n6 Ivan Rodriguez reverses stalkerware on iOS for sport. I highly doubt something that's even remotely findable online for sale would be untraceable forensically. Most of them are all hype and are actually coded quite poorly. https://ivrodriguez.com/analyzing-ios-stalkerware-apps/
👍 3
Avatar
kartoffel4n6 3/3/2020 3:54 PM
Thanks!!
Avatar
So I have two iOS applications that are not decoded by forensic tools (UFED, XRY and AXIOM). These applications are Twitter version 8.4.1 and Bumble version 5.144.1.1576506854. I found messages that appear to be of relevance in both applications - Twitter messages are stored in a plist that is associated with an account. (There are three accounts, so three plist files). Bumble messages are stored in a database, however the content/body part is stored in a blob format, I believe.
Avatar
Does anyone have scripts they can share?
Avatar
@Cellebrite I have an Unhandled Exception error on running PA 7.30 on three separate machines. PA 7.29 ran perfectly on all 3, MD5 of PA 7.30 is correct. Any ideas? (edited)
Avatar
digiforensic 3/4/2020 10:34 AM
@Cellebrite I have an Unhandled Exception error on running PA 7.30 on three separate machines. PA 7.29 ran perfectly on all 3, MD5 of PA 7.30 is correct. Any ideas?
@8198-IZ54 when uninstalling PA 7.29, go to installation path and delete all remaining files before installing new version
👍 1
Avatar
heatherDFIR 3/4/2020 11:27 AM
If you want to try the beta to fix your PA 7.30 issue, shoot me a message heather@Cellebrite or DM me on here and I can get it for you @8198-IZ54
👍 1
Avatar
@Pacman have you tried PA's new appgenie? it worked pretty well for a couple apps I tried it on.
Avatar
heatherDFIR 3/4/2020 1:16 PM
@AA glad you like it! I personally think it's pretty slick. I love anything that carves more for me to dig into.
Avatar
heatherDFIR 3/4/2020 1:24 PM
Do you all think it would be helpful to have a blog about the App Genie?
cellebrite 9
Avatar
kmacdonald1565 3/4/2020 1:29 PM
honestly yeah, if possible. or a decent video
Avatar
@heatherDFIR yeah, agreed. Some discussion about it and best ways to use it would be great. Also, if I'm not mistaken the way it parsed the data wasn't the best (in my opinion). It put it into a separate section, which was great, but when I parsed a second app it just combined both things together. I think it might be more clear to separate them. And maybe I just need to use it more and that's an option or something?
Avatar
heatherDFIR 3/4/2020 2:04 PM
Send me all feedback to heather@cellebrite.com and I will let R&D know immediately. I have this comment tracked though.
2:04 PM
Maybe I will do a blog and an Ask The Expert video and a Tip Tues.
2:05 PM
I will work on these as soon as I can. Maybe even as early as next week!
Avatar
forensicmike @Magnet 3/4/2020 2:59 PM
😋 1
😆 1
Avatar
Deleted User 3/4/2020 11:09 PM
Hello @Cellebrite is it normal that PA doesn't decode "Facebook Messenger Lite" automatically without AppGenie on Android devices?
Avatar
@Deleted User We have found that too with Facebook Messenger on iOS and Android. We created an SQL wizard template to deal with the problem for the time being and although PA reports it is exporting the content and has decoded it, it hasn't. So we put up with the orange box warning for the time being until we know it's working again. (edited)
👍 1
Avatar
@Zhaan are you willing to share this template Zhaan?
Avatar
@florus it's a very basic one that does the time, from ID and message but it gives the indicator that there are messages there. Of course I will, DM me and I will get it to you.
Avatar
@Deleted User Good timing on your question 🙂 Support for Facebook Messenger Lite on Android is added in PA 7.31, which is the next version to come out.
👍 1
1:25 AM
But I'm glad to hear (if I understand correctly) that the App Genie helps on this app!
1:27 AM
There's currently a blog + ask the expert video in the works about the App Genie, so I hope those will provide some resources for better understanding what it can do and how it does it
Avatar
Deleted User 3/5/2020 1:48 AM
@Orb Yes, AppGenie works fine on it!
Avatar
Hi all, does anyone know any other method than CAS to successfully extract and decode data from the secure folder on Samsung S9+ running Android 9?
Avatar
chrisforensic 3/5/2020 3:19 AM
@Cellebrite hello out there 😉 I have a question which I have asked here several times.... is it planned to give us the opportunity to enrich FB Messenger chats with the media files that are still available online? (edited)
you can see, the link to the picture is available in FB Messenger and the data is still online... I think that could be an important feature... (edited)
💯 2
👍 1
Avatar
chrisforensic 3/5/2020 3:57 AM
these could be important pictures such as stolen goods or drugs or ......
Avatar
@Cellebrite Is there a way to extract a list of all phone numbers from an extraction that are in the timeline between 2 certain dates?
4:04 AM
All those numbers need to be identified, but there doesn't seem to be an easy way
4:04 AM
I get the From: and To: in every row
Avatar
Deleted User 3/5/2020 4:05 AM
@chrisforensic Sounds like a good idea, I hope they will be able to integrate this! You could also try to write to their support
Avatar
chrisforensic 3/5/2020 4:06 AM
@Deleted User hmm, I hope posting here is a faster way 🙂
Avatar
heatherDFIR 3/5/2020 5:19 AM
@Nemesis Couldn't you export to CSV and delete the columns you don't want? I think we are working on selective export though. Will find out. @chrisforensic I also asked the team about yours. That would be a nice enrichment add.
👍 5
Avatar
chrisforensic 3/5/2020 5:20 AM
thanks @heatherDFIR 😘
Avatar
@heatherDFIR Thanks for the heads up. Exported to CSV, then exported to .txt and used http://convertcsv.com/phone-extractor.htm to get the distinct phone numbers out.
Avatar
First post so hopefully in the right discussion. I have been asked about some dates displayed in by @Cellebrite relating to the created, modified and accessed dates of snapchat related artefacts. The created and accessed are the same and the modified is 1 second later. I assume that the difference is due to the video being posted via the app. Has anyone got any experience of this or results of testing? Thanks (edited)
Avatar
@Slats happened to me a year ago, the received message timestamp came in UTC+0 from the tower and the sent message timestamp was the one from the timezone of the phone. Maybe you could take a look at other SMS sent in the same timeline, and look at the received SMS after and before; the discussions shouldn't make sense, since it's sorted by timestamp, so we ended up rebuilding the conversation with the received SMS timestamp (look at them in UTC0) saying this was the good time
@Carl brassard The phone wasn't following UTC or local time yet it appears that other timestamps were 12 hours off as well when we were able to compare them to other devices’ timestamps (via sms and a call). It’s a plausible explanation (but not proof) that the phone was just set 12 hours in the future for some reason. We just don’t know that reason. It was a burner.
Avatar
Anyone have issue with Checkm8 hanging at 13% of the extraction
Avatar
Deleted User 3/5/2020 10:31 AM
@spoon1997 seems like the common answer is to let it sit and run
Avatar
@Deleted User thanks
Avatar
criley4640 3/5/2020 2:10 PM
Anyone else running into a TextNow parsing issue from a GrayKey full filesystem extraction in @Cellebrite Physical Analyzer 7.30.0.228? This is my second run at it and it hangs up...eventually showing an error in the trace window. Currently, it's 4:10 CST and it started parsing the TextNow app at 1:23 CST.
Avatar
@criley4640 , can you please send me the logs? alona.zayats@cellebrite.com
Avatar
@xry hi guys, first post for me. Got an S6 that intermittently turns on with the Samsung logo then goes dead. Engineer put a new battery in it but the issue persists. Device is encrypted so I'm trying to avoid chip-off. Any ideas?
Avatar
Andrew Rathbun 3/6/2020 4:28 AM
@MSAB
Avatar
@msab oops thanks @RathbunA
Avatar
What exact model was it that you had? It's possible we have a profile that works but we'd need to know what exact S6 model it was 🙂
Avatar
Andrew Rathbun 3/6/2020 4:31 AM
@idatalab make sure when you're typing @ you click on one of the options that pops up
4:31 AM
just typing @MSAB doesn't ping them
4:31 AM
If you're on mobile, which it looks like you are, make sure you do that when mentioning anyone 👍
Avatar
Ok sorry I'm a noob in the forum :) thanks again @Andrew Rathbun
Avatar
Andrew Rathbun 3/6/2020 4:32 AM
You'll get it, no worries! Just helping point you in the right direction
Avatar
@Erumaro how do I check this if it won't boot? I have no serial number on the back plate.
Avatar
You could try connecting it to the PC and see how it shows up or check in download mode what exact model it seems to be
Avatar
Cheers @Erumaro I'll give it a bash, it's not powering at the moment, I'll try again after lunch.
Avatar
CloudCuckooLand 3/6/2020 5:11 AM
@idatalab Why do you think it is encrypted?
Avatar
@CloudCuckooLand I was advised by the client, I think they are referring to Knox?
Avatar
CloudCuckooLand 3/6/2020 5:14 AM
@idatalab The phone is unencrypted by default. It may have some Knox stuff running on it though. Will it go into recovery?
Avatar
I can't seem to get it into recovery. Sometimes it's completely dead, sometimes it will partially boot. @CloudCuckooLand
Avatar
CloudCuckooLand 3/6/2020 5:18 AM
@idatalab what is the system status/current binary/warranty void number in Download mode (assuming you can get d/l mode)
Avatar
@CloudCuckooLand I've had an encrypted S6 last month, no secure startup though, so that was a bit odd.
5:34 AM
I believe that the S6, like the S7, tends to have such issues, and heating up the board (on a preheater) sometimes helps to get them booting and working for a while
Avatar
tupp3rwar3z 3/6/2020 8:15 AM
anyone have any luck parsing Grindr chats from iOS?
8:15 AM
so far tried PA and nothing
Avatar
Got access to Mobile Device Investigator from ADF Solutions?
Avatar
tupp3rwar3z 3/6/2020 8:18 AM
negative..any idea if they offer trials?
Avatar
I think Axiom parses Grindr.
Avatar
tupp3rwar3z 3/6/2020 8:24 AM
thx @Majeeko I have it running rn but not seeing anything so far
Avatar
@tupp3rwar3z Not sure, they offer demos but would need to ask them about trials: https://www.adfsolutions.com/mobile-device-investigator
Avatar
Recently we have noticed that full file system extractions on iOS devices have not parsed out Facebook Messenger with Cellebrite and others. It appears the Facebook Messenger database has changed to "Lightspeed" vs "orca2.db". We have confirmed this by looking at the database, see the below screenshot. We will reach out to Cellebrite to make sure they are aware of the change. Cellebrite version 7.29 was used and we are working on testing 7.30 to see if it provides the same results. @Cellebrite (edited)
Avatar
franksvensson 3/6/2020 12:23 PM
@DCSO I think they already are aware of this... You can run appgenie on Messenger to get it parsed atm. I think I heard this should be fixed in 7.31...?
👍 2
Avatar
@franksvensson I ran a search for "lightspeed" on the forums and Discord and did not see anything mentioned that would help us out in terms of knowing there is an issue and where to look. I might have missed it but looked prior to posting.
👍🏻 2
Avatar
@DCSO what version of the app is it?
Avatar
Is anyone familiar if Knock Code on LG translates to a PIN code? I have a customer trying to restore a backup (on google account) from a LG device that had knock code only. He says while restoring the backup, it asks him for a PIN code that he didn't set. I reviewed LG manuals and it seems that setting knock code doesn't require also setting a backup pin, at least on V40, so which code is it asking for? (edited)
Avatar
criley4640 3/7/2020 8:31 PM
@criley4640 , can you please send me the logs? alona.zayats@cellebrite.com
@alona will do Monday
Avatar
Answering my own question. Yes, knock code translates to a PIN that's being used as a Google backup encryption PIN. It's quite simple, 4 squares have assigned numbers, like this: 1 2 3 4. His code turned out to be 113344 and it worked, as he restored the backup successfully. I was also able to find some research on this, including where is (or was) that sequence stored. https://www.cnblogs.com/pieces0310/p/4357472.html
👍 3
Avatar
Hmm never heard of a knock code. Guess that's an LG feature?
9:04 AM
Guess it's LG only it seems
Avatar
@vanquish Not only LG. I've had it on other makes as well. I've one in at the moment with Secure Startup with Knock Code !!
👍 1
Avatar
@DCSO I have posted about this db last month (I seem) (edited)
👍 1
Avatar
@CloudCuckooLand it's had a new battery and still won't power in download or recovery. It won't power on with mains power. Going to try again with my engineer in the AM. But was hoping I might have missed something obvious.
3:07 PM
@CloudCuckooLand third party advised it was encrypted, the client did not state if it was
Avatar
anybody ever seen this path for an Android app? ru.CGeYjqDq.ejcyXRsMg My Google Fu has not come back with anything on it. (edited)
Avatar
heatherDFIR 3/10/2020 1:20 AM
Is it a Russian app?
Avatar
@Cellebrite is it still possible to download the AV signatures DB? I can't seem to find it in MyCellebrite. (edited)
Avatar
@sholmes bit of grepping over a dumpsys to see if you can get some other names/IDs for that package name? (assuming you saw it at /data/data/...) https://stackoverflow.com/a/16651034 (edited)
Avatar
Thanks @OllieD I actually found it on a MicroSD card pulled from a phone. I didn’t have a dump of the phone so couldn’t figure it out. I got the physical last night and hope to figure it out today. If it isn’t obvious in the physical I will check out your solution.
👍 1
Avatar
Hi all, I have a test iPhone 7 running the latest iOS. I have noticed recently when doing test extractions with UFED I'm no longer getting any deleted Safari history. As it is a test phone I regularly clear the history to generate new test data, however when viewing the database it appears that this action now seems to wipe the data from the database (all zeroed). The only data left is a history tags field which is not parsed. Anyone else seen this?
Avatar
Hi @dubfreak are you choosing to encrypt with the 1234 passcode when extracting the device?
Avatar
Hi @JRCC_4N6 as it's a test device, backup encryption is already enabled, and the password is set to 1234. I have noticed this using both PA method 1 and 4PC advanced logical. I have also dropped the iTunes backup into PA. I can view the Safari History.db and manually viewing it shows no history records; the main table present with readable data is history_tags. It's very strange.
Avatar
@dubfreak that is unique. Have you compared it to a Full File System (CheckM8) extraction? Maybe someone else will have an explanation.
Avatar
@heatherDFIR @OllieD I used Premium and achieved a physical from the phone. Found databases associated with the ru.CGeYjqDq.ejcyXRsMg path. It appears to be associated with the LuckyPatcher program.
Avatar
natalied4784 3/10/2020 12:58 PM
Using Cellebrite, does anyone have knowledge about names of cookies and what their values mean?
12:58 PM
Example: name: _atssc value: google%3B1 Domain: rapeincestpornxxxsex.com
Avatar
Has anyone else come across a situation like this? Had a FFS extraction from an iPhone 6 via Graykey. Cellebrite PA v30 parsed nothing aside from 172 device locations, and 330 passwords. Plugged it into Axiom Examine and came up with 73,507 chat artifacts (what I was looking for) and approx 6000 cached device locations (also what I was searching for). Any suggestions why PA didn't give me any chats at all?
Avatar
DeeFIR 🇦🇺 3/10/2020 6:35 PM
@D\\uke10 which chat app? are all artefacts from the same location?
Avatar
@DeeFIR 🇦🇺 was various. Over 60000 were iOS/SMS/MMS, then there was snapchat, facebook, tinder, and others. The one that I found really strange PA didn't parse was the SMS/MMS stuff. First I'd ever seen that happen
Avatar
@natalied4784 Cookie names and values are website specific, meaning it's the choice of the web developer how to name them and what to store in them. Regarding the "_atssc" cookie specifically, I found on Google a lot of website cookie policy pages mentioning it's related to tracking share counts from social media. If the specific website you're interested in publishes a cookie policy, you can try looking at what they write there.
1:52 AM
@D\\uke10 Sounds like PA didn't start the decoding process at all... It sounds like the locations came from media files, passwords came from the keychain plist, but no actual processing of the databases in the extraction happened. Can I ask how you opened the extraction?
Avatar
Anyone encountered artefacts regarding the "apple authentication process" on an iOS full file system extraction?
5:29 AM
Apple authentication process has been performed for the following apple-ids:...
5:30 AM
That's the message displayed, followed by a mobile number. Asking on behalf of a customer, questions are being asked by CPS about the significance of said artefacts
5:31 AM
PA has decoded that message, source is com.apple.identityservices.idstatuscache.plist
Avatar
@Orb File - Open Case - Add - GrayKey - Select Folder. Navigate to my GK extraction folder which includes the files_full.zip and mem.zip - Select Folder - Next - Examine Data
Avatar
Deleted User 3/11/2020 5:33 AM
Determining a complete list of contacts that a person of interest has on their phone can be challenging due to factors like deleted data, inconsistent app communication records and device migration data loss. Because of these variables, it is important to find a reliable recor...
Avatar
Fantastic, thanks @Deleted User. The waters are muddied here as there are 3 records for the same Apple ID/mobile number for the same service: 3 for Facetime Video, 1 for iMessage, all correlating to the same contact
5:36 AM
So unfortunately doesn't quite fit the explanation given in the blog post, but I'll be sure to forward it to the customer
👍 2
Avatar
@D\\uke10 Hmm... I would try, instead of "Select Folder", to choose "ZIP Archive", and choose the files_full.zip specifically. Then, also click "Keychain plist" and choose the keychain plist specifically. (edited)
👍 3
Avatar
@Orb did that and it seems to have worked out. Thank you
👍 1
Avatar
@D\\uke10 Last time I spoke to Cellebrite I was told File > Open common plug-ins > Backup > Apple -> iTunes Backup / GrayKey was the method of importing GK files. Gave the exact same numbers as the "iPhoneFS" profile so one of those is best I guess 🤷‍♀️ 🙂
Avatar
@JMK that's changed from 7.29 to 7.30. Now you don't get the common plug-ins option. I was able to get it to work by opening the zip archive rather than the folder when I was given the option. For some reason even though it allows you to select your GrayKey extraction folder as a whole, that doesn't work right
Avatar
@D\\uke10 I'm assuming the folder option is there in case you unzip the container I believe. I know back in the day when GK first came out PA had issues taking the zip files so that's likely legacy (edited)
Avatar
@K23 👍makes sense
Avatar
@D\\uke10 Great lol - better change the SOP again 😂
🤣 2
Avatar
We've not been that granular with our SOPs for that specific reason. If I had to update our procedures every time there was a UFED update I'd pull my hair out
👍 2
Avatar
We've not been that granular with our SOPs for that specific reason. If I had to update our procedures every time there was a UFED update I'd pull my hair out
@K23 That's exactly the right way to do it. No point backing yourself into a corner
Avatar
Braden.Grayshift 3/11/2020 10:55 AM
So unfortunately doesn't quite fit the explanation given in the blog post, but I'll be sure to forward it to the customer
@OllieD my guess is they opened the contact card
10:55 AM
if you open a contact card in iOS you will see it do a lookup
❤️ 1
10:56 AM
the little icons for message, call, video will indicate the result of the lookup
Avatar
torskepostei 3/11/2020 1:37 PM
Do you know of any research on the accuracy of the apple watch step counter? We have a "customer" saying he was asleep at a certain time, but his watch claims to have taken about 20 steps. I'm trying to figure out how much we can trust that step count, if it perhaps is prone to registering random sleep movement as steps or has a known expected accuracy. (edited)
Avatar
Hi all, got a project and wondering if anyone knows anything about Android emulators. The basic idea is that I have recovered a database file from a user's Facebook Messenger. My intention is to attempt to import the database file back into an emulator and attempt to get this "live" handset-like view back, as if you're on the phone viewing it. I'm wondering if anyone knows an emulator capable of this or any way to do this?
Avatar
DeeFIR 🇦🇺 3/11/2020 5:02 PM
Hi all, got a project and wondering if anyone knows anything about Android emulators. The basic idea is that I have recovered a database file from a user's Facebook Messenger. My intention is to attempt to import the database file back into an emulator and attempt to get this "live" handset-like view back, as if you're on the phone viewing it. I'm wondering if anyone knows an emulator capable of this or any way to do this?
@Mr Saturn I've used Magnet's free tool; https://www.magnetforensics.com/resources/magnet-app-simulator/
Avatar
thanks a bunch @DeeFIR 🇦🇺 ❤️
Avatar
@Mr Saturn +1 for Magnet App Simulator, had more success with that than with UFED Virtual Analyzer with these things, although both are a bit buggy and may not work depending on what app you are trying to virtualize. Can't say I've tried messenger recently
👍 1
Avatar
@torskepostei Maybe @Mattia Epifani could help, he did a bunch of work on this with Vladimir Katalov from Elcomsoft which was presented at DFRWS last year
2:07 AM
@OllieD my guess is they opened the contact card
@Braden.Grayshift Fantastic, thanks so much Braden!
Avatar
torskepostei 3/12/2020 2:11 AM
@OllieD Interesting! Do you happen to remember the name of the talk? I combed through the 2019 programs of DFRWS US and DFRWS Europe without finding it. I'll try messaging @Mattia Epifani as well.
Avatar
The 2019 program listed on the DFRWS 2019 website is actually the 2020 program!
2:13 AM
For the EU event at least
2:14 AM
Apple watch forensics: is it ever possible, and what is the profit? Presentation Mattia Epifani (ITTIG - CNR) Vladimir Katalov (ElcomSoft)
2:14 AM
The iPhone Health App from a forensic perspective: can steps and distances registered during walking and running be used as digital evidence? Paper Jan Peter van Zandwijk Abdul Boztas
Avatar
torskepostei 3/12/2020 2:20 AM
@OllieD Aha, that may explain why I could not find it 🙂 Already watched the dutch one, a great presentation but they used iPhones only, no watches. Will have a look at the other one to see if it can help shed light on the step count accuracy. Thanks! Edit: YouTube link for anyone else interested: https://www.youtube.com/watch?v=PRaFTDIn1hg (edited)
👍 2
Avatar
@Mr Saturn If you have UFED PA then you should try using the integrated Virtual Analyzer (https://www.cellebrite.com/en/blog/7-digital-forensic-challenges-virtual-analyzer-overcomes/). It's basically a one-click solution that handles all the emulator preparation and data importing for you. You just have to select the apps you want to emulate.
Avatar
thaconnecter 3/12/2020 6:20 AM
Hi guys, do you know if Axiom interprets the time zone setting of an iPhone SE from a GrayKey extraction? I found it manually, but I'm wondering if Axiom does interpret it somewhere. Thanks in advance (edited)
Avatar
Mistercatapulte 3/12/2020 9:44 AM
Hi guys, Is it normal to obtain a 300go UFDR folder when the source opened in PA is 60Go?
Avatar
@Cellebrite I have a FFS for an iPhone 10 XS. The device location section of PA is showing cell tower records for 3 different states at the same moment. This is not a situation where the person was on a border of 3 different states. The cell towers section of PA does not show any data relevant to the time of concern. Both the device location and cell towers come from the same database cache_encryptedB.db
Avatar
Hi guys, Is it normal to obtain a 300go UFDR folder when the source opened in PA is 60Go?
@Mistercatapulte that's very unusable
Avatar
Mistercatapulte 3/13/2020 12:23 AM
@florus yes...
Avatar
heatherDFIR 3/13/2020 6:58 AM
According to Statista, as of Q4 2019, Android users have 2.57 million apps available for download, while Apple users have 1.84 million apps available for iOS*. And the number is rising! When you consider the number of available apps and mobile app downloads, it is virtually im...
👍 2
Avatar
Anyone know how to parse images and videos from Skout? Or if this is possible? I've parsed the chat.
Avatar
tupp3rwar3z 3/13/2020 8:23 AM
iOS or Android @3X3
Avatar
iOS @tupp3rwar3z
8:35 AM
Have a full filesystem from Checkm8
Avatar
Mistercatapulte 3/15/2020 1:06 AM
Hi guys, Is it normal to obtain a 300go UFDR folder when the source opened in PA is 60Go? I am answering my own question. I tested with versions 7.29 and 7.30, always with the same results (300go of reader). So I jailbroke the phone with chimera, redid the dump, always the same result, 300go. I donated with Elcomsoft FTK, 60GB dump that I opened with the generic profile of PA and I finally got a 55GB UFDR (only the Grindr app was extracted from the original dump and added externally to the extraction obtained). Cellebrite support has been notified of the problem. (edited)
Avatar
@Mistercatapulte I haven't seen a situation like this with PA, but sometimes I see file sizes in exabytes even on corrupted ext4 filesystems. It's quite common to see some video or cache files being ~30+ GB in size when this happens. Open the UFDR file (it's a zip archive) and check what's so big in there.
3:16 AM
On the other hand, it would be strange to see stuff like this with iPhone full filesystem dump
Avatar
Mistercatapulte 3/15/2020 3:23 AM
@Arcain In reality, this is what I did and I noticed, as you indicate, an astronomical quantity of corrupted files; moreover a large quantity of the videos was multiplied by 12!
3:25 AM
the hash (of the 12 duplications) was the same, just the filename changed each time. I spent several hours with support on Friday trying to figure out the problem
Avatar
What was the problem after all? A bug or some finickery with grindr app parsing?
Avatar
Mistercatapulte 3/15/2020 3:34 AM
@Arcain maybe Grindr yes or a bug, don't know in reality (edited)
3:35 AM
I never use the UFDR format, it's the first time
Avatar
You create reports in html or pdf instead?
Avatar
Mistercatapulte 3/15/2020 3:37 AM
@Arcain no, I never use this function, I always do the analysis myself (edited)
Avatar
I'm currently dealing with an Acer E700, didn't boot. 16GB eMMC. Dumped OK, but PA doesn't find the data I need. When trying to extract the filesystem there are some huge files inside, like some .exo cache files in the YouTube app being 42GB in size for example. It's annoying to extract everything correctly but managed to recover ~400 contacts manually
Avatar
Mistercatapulte 3/15/2020 3:41 AM
Nice!
Avatar
have an iPhone 6s where a video of a shooting was deleted from the Snapchat app. Suspect says he did save it to the camera roll. Full file system shows no deleted videos. Any chance it will be in a specific db?
Avatar
Andrew Rathbun 3/16/2020 10:38 AM
@Ghosted do a preservation letter and get a search warrant for the account
💯 1
10:39 AM
If it happened in the last 90 days you'll be in luck
Avatar
@Andrew Rathbun got that done, just didn't know if I would find the video deleted somewhere
👍 1
Avatar
@Ghosted my eyes only?
Avatar
@florus suspect said he took a video with Snapchat but saved it to his camera roll and then deleted it. Unfortunately I did not get to speak to him so that is all I have to go on.
Avatar
@Cellebrite (or a kind colleague), for some time (with several versions of PA) I have tried to use SQL formulas in the SQL wizard. With the preview function I can see the expected result but on clicking "next" it gives me an error message. When it is a simple script it sometimes works. Any idea?
Avatar
mond4y_morNin6 3/17/2020 6:34 AM
I have a question concerning the uninstallation times of a few applications on an iPhone 8. A graykey extraction was obtained and has been processed in Physical Analyzer. The main application in question is Snapchat, although Cash App and KIK are also of interest. As you can see from the attached photos (below), the UninstalledApplications.plist file is showing the 6/20/19 date as the uninstalled date for these apps, within minutes of each other. This date is also observed in the mobile_installation.log.0 file. However, in the Application Usage Logs coming from the KnowledgeC database, it shows a start date of 6/17/19 and end date of 6/20/19. The start times for all of the apps mentioned above (Snapchat, KIK, and Cash App) are all the same down to the second (6/17/19 02:39:00). My question is, which of these dates would be the time the user manually deleted these from the device. I have considered that the user could have manually deleted on 6/17/19 and the containers weren't actually deleted until 6/20/19, however the 6/20/19 date makes more sense in terms of other unmentioned factors to be the actual date/time of deletion by the user. Does anyone have any insight on this that could provide some more clarity? Thanks!
6:35 AM
KnowledgeC
6:35 AM
mobile_installation.log.0
6:36 AM
UninstalledApplications.plist
Avatar
Russell Abel - Bastrop County SO 3/17/2020 10:15 AM
I have an iPhone 7+ running iOS 13.3.1. In the images, I have a photo that is CP. The path of the photo is DarArchive/root/private/var/mobile/Media/PhotoData/CPL/storage/filecache/AdZ/cplAdZDuhvXn6uQnxvRXl6GPz70HVuN.jpeg There is another photo that is visually similar that has a path of DarArchive/root/private/var/mobile/Media/PhotoData/Thumbnails/3314.ithmb/thumb_2514.bmp. Can anyone tell me anything about this? The photo is not in DCIM. The EXIF shows that it was taken with the same model device. I checked the settings and iCloud photos are on, as well as Optimize iPhone Storage.
Avatar
heatherDFIR 3/17/2020 11:16 AM
@rico can you send me an example of what you are trying to do? heather@cellebrite.com. I will help you out.
Avatar
Hi Team. I have a homicide phone. Got a physical Extraction off it. It parsed Device Locations and there are only a few Geo locations present. What is the name of the database that holds this data? Is there a possibility that PA didn't parse more locations? Just want to be 100% sure. Cheers 😄
@heatherDFIR With the coronavirus it's hard to do today, but tomorrow perhaps!
4:09 PM
@Gumpoo Try the fuzzy model and, if you have the licence and a token, online data. But if you want more information, give us the OS.
mond4y_morNin6 3/17/2020 4:52 PM
@Russell Abel - Bastrop County SO I believe the path including CPL/storage is referring to iCloud. It seems like possibly a photo taken by the device, stored on the cloud, with a thumbnail saved locally from viewing or possibly from it once being stored locally on the device.
Russell Abel - Bastrop County SO 3/17/2020 4:53 PM
Thank you. That was my guess. I was hoping someone had some kind of documentation.
JLindmar (83AR) 3/17/2020 6:06 PM
@Russell Abel - Bastrop County SO CPL paths are in fact converted versions of media that are created in preparation for upload to iCloud Photo Library. You may find several other versions of the file stored at different pixel dimensions. Send me your contact info to jesse.lindmar@dfs.virginia.gov and I'll email you some of our documentation.
👍 1
torskepostei 3/18/2020 12:17 AM
@Gumpoo What OS is the phone running? Regardless of OS we have found that getting social media accounts asap can be valuable as well. There can be a lot of location info in takeouts from snapchat and google (and probably others as well) (edited)
@Cellebrite Regarding the PA 7.31 update; "Access and modified timestamps presented in the DAR format of checkm8 full file system extraction"; So it is just a timestamp-fix for the checkm8 extraction, not GK/itunes back-up ones? (edited)
There are further details in the release notes @florus: https://cf-media.cellebrite.com/wp-content/uploads/2020/03/ReleaseNotes_UFED_PA_7.31_web.pdf
Update to Apple File System Time Stamps
Apple file system (APFS) contains 4 timestamps, described as below:
• Birth – (birthtime) the time the file was created
• Change – (ctime) the last time the file attributes (inode) changed
• Modify – (mtime) the last time the file data changed (e.g. write, mknod, utimes)
• Access – (atime) the last time the file data was accessed (e.g. read, mknod, utimes)
UFED checkm8 iOS extractions use DAR extractions. DAR extractions, until today, supported only 3 timestamps: Change, Modify, Access. In this version of UFED Physical Analyzer, we added support for the additional timestamp, so now we can fully and correctly map all 4 timestamps. There is no need to re-extract the phone for this fix to take effect; reopening in this new UFED Physical Analyzer version will get the file timestamps decoded correctly. (edited)
1:39 AM
Looking at that I'm assuming it just affects checkm8 due to the .DAR format, but would be interesting to see if that extra time/date information is actually available from GK extractions. I'll need to do some testing on that (edited)
im referring to this post from @heatherDFIR
mond4y_morNin6 3/18/2020 4:24 AM
@florus Yes, it is only for the extractions performed with UFED using the Full File System (checkm8) method. Here is a recent blog post from @Brigs that explains this even further. https://abrignoni.blogspot.com/2020/03/trust-but-verify-formats-timestamps-and.html
Does anyone have a script that can decode Microsoft Outlook emails from com.microsoft.outlook/files/olmac/? A single file appears to be an email and there's over 4k files stored in this folder.
6:17 AM
They aren't pst, unfortunately
6:18 AM
The files ending in .1 appear to contain email data, and the files ending in .0 don't contain anything useful.
Have a GK extraction from an iPhone 5s, where PA shows 2 different IMEI numbers. One IMEI is from an iPhone 6... Anyone seen this before, or can explain how this is? Also extracted FFS with Premium, and get the same result. (The phone screen is broken, and for the moment it is not possible to do a manual examination)
7:36 AM
@Pacman Just took a look at this now... It seems the .0 files contain a base64 string that, when decoded, contains the "message id" of the email as it appears in the "acompli.db" database, which is the main database for Outlook on Android.
7:42 AM
BTW, the message Id is itself a base64 string, but it also appears that way in the database, so no need to decode that one
7:43 AM
So this can be a good way to connect the email HTML that's contained in the .1 files with fields in the acompli.db "messages" table
7:44 AM
like "firstToContactEmail" and "fromContactEmail"
7:46 AM
BTW, are you seeing emails in the olmac folder that are not being decoded from the database?
Microsoft Outlook emails aren't decoded at all - it appears that the content of each email is stored in olmac folder, and timestamps are stored within acompli.db - the string that joins them up, like you said, is the message id
7:49 AM
.0 files contain a message id which matches up with the message id found in acompli.db. Having to work out the best way to decode this data is where I'm stuck.
in the acompli.db, messages table, does the "trimmedBody" column not contain the email content?
I don't have trimmedBody column as far as I can see
7:50 AM
Wait
7:51 AM
the database isn't called acompli.db - sorry. It's called olmcore.db
7:51 AM
I don't have acompli.db at all
Hmm... The acompli.db seems to be the only place where the from/to addresses are stored
7:54 AM
at least in the version of outlook i'm testing
Lemme check the version I have here
Microsoft Outlook emails aren't decoded at all - it appears that the content of each email is stored in olmac folder, and timestamps are stored within acompli.db - the string that joins them up, like you said, is the message id
@Pacman So, it seems the timestamps stored in the olmcore.db aren't the timestamps of the original email
7:57 AM
They are the timestamps of when each message was cached on the device
Gotcha (edited)
I have an email from march 3rd, but the olmcore.db shows the timestamp as twenty minutes ago, which is when I installed outlook
So the emails I'm looking at (.1 files) and timestamps are cached files - makes sense
generally when there's a folder full of .0 and .1 files, it's a cache of some sort
@Cellebrite Is there a feature in PA or Reader to export the e-mails on an iPhone to EML files or a PST?
8:53 AM
Ignore my question, you can!
Does the SIM registration Date in iOS get updated every time the SIM is swapped or just the first time a new SIM is inserted?
Anyone having problems with the new version of PA (7.31)? In my case the software froze 3 times yesterday! And there was no other way than to kill the process (except once, when I could regain control by killing a PA sub-process). @Cellebrite Have you heard of it?
@rico No problem here, i imported 2 wiko extractions yesterday.
😉 1
@Magnet Forensics Can I import a .dar file into Axiom?
2:00 AM
The .dar file was generated with UFED
2:01 AM
when trying to import the .ufd into Axiom (FFS with checkm8)
@312brs It would seem the timestamp in /private/var/wireless/Library/Databases/CellularUsage.db will update each time the SIM is unlocked so will update if the SIM is reinserted and also when the phone is rebooted. The column is called last_update_time so guess that's why, hope that helps! (edited)
Andy Thorpe 3/19/2020 3:28 AM
@Magnet Forensics Can I import a .dar file into Axiom?
@Nemesis right now this is not a supported image type. We are looking into adding support for this image format and hope to be able to release it soon.
@Nemesis Check abrignoni.blogspot.com to convert the .dar? Haven't tried it myself, btw.
I hope they add it soon.
@florus Thanks a lot, extracting the dar file
heatherDFIR 3/19/2020 5:52 AM
Sorry @florus I dropped off for a bit there. did you get your questions answered? Also, we are moving from dar soon. 🙂
👍 2
5:53 AM
You can also dump the extraction out of PA and then import it as folders, if you wanted.
franksvensson 3/19/2020 6:18 AM
@Cellebrite is there any way to refresh/update the Extraction Summary page from python shell in PA? Alternatively close and reopen it through the shell? (edited)
@Nemesis Let me know if it worked 🙂
@Erumaro Many thanks
Andy Thorpe 3/19/2020 6:59 AM
If you can unpack the DAR file and re zip the contents you can add this zip as an image into Axiom
For an Android, non-rooted, how would the usage stats log be deleted? Are there examination processes that would do this?
Full charge or battery drain? @312brs (edited)
heatherDFIR 3/19/2020 8:08 AM
Can't you add the top folder as a Folder in AXIOM? Like a backup file?
@florus we frequently get things battery drained but one of the extraction instructions involves removing the battery so it would have definitely lost power then
@Cellebrite is there any way to refresh/update the Extraction Summary page from python shell in PA? Alternatively close and reopen it through the shell?
@franksvensson Don't think so... The python shell can control the underlying data displayed in PA, but does not control the UI itself...
👍 1
franksvensson 3/19/2020 11:24 AM
@Orb thanks for the answer even if it wasnt the answer I wanted 👍
Is it possible to recover a deleted video from iOS running 13? I have a full file system and I am looking for a deleted video. In looking at all of my full file system with checkm8 and GK I don't see any deleted video being parsed. Wondering if anyone has a tip or pointer to a file/db location.
@Ghosted You aren't getting unallocated, that's for sure.
Deleted files are a no-go on iOS
12:20 PM
Only success would be if the file is actually live, or is embedded in some other live file
Anybody aware as to if you can import Hancom MD-Next into UFED PA?
@Ghosted With iOS and generally (FBE) devices, recovering deleted media is difficult, if not nearly impossible. Maybe the video was sent or stored elsewhere. Maybe a cloud backup. But on the device it would be tough.
👍 1
8:12 PM
@Pseudonym What kind of exterior are you referring to ?
@CLB-Paul physical extraction using hancom
@CLB-Paul physical extraction using hancom
@Pseudonym Can you get the raw bin out of the Hancom extraction?
3:16 AM
Don't have access to it whilst out of the office, but I feel like the archive (.tar?) isn't encrypted or proprietary
Deleted User 3/20/2020 4:02 AM
Is anybody else having problems doing an online bssid enrichment in PA? it always fails for me.
@Deleted User Yes, I have had the same problem for a few days, but not all the time...
4:10 AM
Anyone know where the db or plist of Signal on iOS 13 is located? I have in the Keychain: sha1 and vdata (the key for the cipher)
4:11 AM
Messages on the screen are deleted after 1 hour... I want to recover it (case of murder) (edited)
Decrypt signal.sqlite IOS. Contribute to Magpol/HowTo-decrypt-Signal.sqlite-for-IOS development by creating an account on GitHub.
👍 2
Have a GK extraction of Apple XR A1984 running 13.3.1. I know the device has Signal installed and that there are messages however they are not being decoded with PA 7.31.0.222 for an unknown reason. Tried App Genie with no luck. Any ideas
5:03 AM
See my post before yours? @Ghosted
👍 1
@florus thx ! 👍
👍 1
5:24 AM
@Ghosted I have the same problem
5:25 AM
Of course i want to decode it manually
5:26 AM
With the link provided by @florus
Anyone had this issue with Oxygen before? A physical dump of a Samsung S8 SM-G950F was made with XRY as other tools failed. The device is malfunctioning because it was dumped in water. Created both an XRY and a BIN file; both UFED and AXIOM parse the data in the BIN without any issue, but if I try to import into Oxygen it keeps asking for a decryption key. I tried importing both the XRY and the BIN file, same result. Weird stuff. I hope anyone can help, the advantages of Oxygen could really help me in investigating this device. @Oxygen Forensics
@rico let me know if it worked
@florus yes !
@florus It doesn't work... Another participant in this forum suggested that I use Axiom... But I don't know how this software will associate the key from a file other than the iOS FFS... I'll try to put the Keychain.plist in the zip files.
@rico hm thats a bummer. Axiom should be able to parse it.
@rico I got some items to parse in Axiom from Signal but not the content.
9:01 AM
Basically I can see a few numbers and contacts but the content of the chats must be in a different location that is not being parsed.
With over half a million users, Signal is an incredibly secure cross-platform instant messaging app. With emphasis on security, there is no wonder that Signal is frequently picked as a communication tool by those who have something to hide. Elcomsoft Phone Viewer can now decry...
9:11 AM
Albeit, Elcom specific
@LawDawg thanks I had read that earlier. Its very similar to the Axiom article. I'm just wondering if anyone has been successful parsing the content of signal in the new app version
Looking for some big brain help: iOS 12.4 iPhone 8 PA (7.30) gave me a dropbox user profile, and list of file names. But will not tell me where it came from in the extraction. Nor will it show me the files. And no found associated DB for that user account. Did find fsevents that show the user account and times but never talks about file names. So now I am breaking my brain to figure out where these file names are being parsed from.
@florus @Ghosted I have the same type of data (with Axiom) but no messages! I was able to access the phone to make visual observations and I was able to realize that the messages were set to self-destruct after an hour! I don't know if we can find anything else... unless you have another idea!
@rico I think thats the same case with @Ghosted
4:10 PM
@rico
@florus Hi, I often use the notifications located in knowledgeC, but for Signal we only have the timestamp of the message received and an incomprehensible UUID 😥
12:31 AM
Unless you are talking about another database
@OllieD Thanks Ollie, I'll take a look at it on Monday, first time using it on a trial.
@rico I have no idea what db they are referring to in that article. Someone else might?
torskepostei 3/21/2020 10:13 AM
@Palazar82 If you have other tools available try processing there as well. IMHO both Axiom and X-Ways (post RVS) will sometimes make it easier to track file changes.
👍 1
Yeah I had it open in Axiom which didn't parse it out at all. I ended up finding it. FTK imager for the win lol. Found it in plain hex in the DB and Sanderson's tool was able to parse the free pages and give me some insight now to just keep plugging away to decode the data so I can best understand the artifacts. These file names are super indicative of "contraband" so I'm having fun with it.
10:22 AM
Found it in the raw DB for drop box.
Question for Cellebrite guys here. I have a physical acquisition of a Huawei phone. While analyzing it, PA encounters Surespot and asks for the password to decrypt its message db. I used the "generate dictionary file" from PA and started the analysis again; this time when PA asked for the password I directed it to the dictionaries generated in the previous step. The attack was successful and Surespot chats are now visible in PA, so here are my questions: 1. Where do I see which password it was? 2. Many of the messages are links like "https://cac99f5de92a9852ff22-f6bb12f58e02e75c90576a60b40444ac.ssl.cf1.rackcdn.com:443/7bcf398352e7fd7421255698c02637e3" that I assume (from the context) can be voice notes. If I paste the link into a browser it downloads a file (30k, 40k, ...) but they seem encrypted; can I do something to decrypt them? Thanks.
❓ 4
@Palazar82 Is 'Dropbox.sqlite' the database you found?
Spotlight.db
@Palazar82 I have some analysis I did on the iOS Dropbox databases. It covers spotlight.db among others. You can find it here: https://abrignoni.blogspot.com/2018/12/profiling-user-activity-in-dropbox-for.html
👍 4
Thank you I really appreciate it.
👍 1
To Anyone from @MSAB , is export to .msabnuix already available?
@cthulhuuuu Coming in the next release but extended XML+files should be importable into Nuix 🙂
Morning, is there anyone from @Cellebrite available for DM?
CLB - DavidK 3/23/2020 1:48 AM
Yes I'm here
👍 1
@cthulhuuuu Coming in the next release but extended XML+files should be importable into Nuix 🙂
@Erumaro great! do you have an ETA for the next release?
Should be a couple of weeks away, can’t give a more exact response
👍 1
Deleted User 3/23/2020 6:00 AM
Hey, I am currently doing a DFIR case on a Samsung Galaxy S9 with Android version starlte:9/PPR1.180610.011. We managed to acquire an Advanced Logical image from the phone using Cellebrite, though the image seems to contain very little information. The problem seems to be that every folder is owned by a specific user, which leaves me with a lot of 'permission denied' messages while browsing around using ADB. During other cases I was able to just browse to the user data of an app, though this no longer seems to be the case. Does this sound familiar to somebody?
6:02 AM
Sources online say that I can use 'run-as <package_name> <command>', though this seems only possible when the package in question is debuggable
In Android, each installed app gets a user created for it by the OS. That user owns the app's /data/data/ folder. I believe that's why you're seeing that.
6:10 AM
Indeed, without root access on the device, you shouldn't be able to access these folders
Deleted User 3/23/2020 6:10 AM
@Orb This is what im seeing, indeed.
6:10 AM
Shoot!
and the comment about the run-as is true... The app needs to be debuggable.
Deleted User 3/23/2020 6:12 AM
Do you know if this is something specific to the newer android versions? I have not seen this previously.
Actually that usually is the case
Deleted User 3/23/2020 6:15 AM
Thanks!
That's why everyone tends to push for methods that can obtain full file systems or physicals if possible. You get very little data back on logicals these days without going down the app-downgrade route, which has its own pitfalls. If you're just after media files, SMS and calls, though, logicals can do the trick
👍 1
Deleted User 3/23/2020 6:18 AM
@K23 im trying to go that route tomorrow. In this case media files, SMS and call logs are not sufficient 😦
6:19 AM
But im glad I got some verification. Since this is the first time seeing this happening.
Actually that usually is the case
@Orb Can you explain? Normally this is not the case with a Advanced logical and you're able to extract much more data?
Advanced logical will get as much as it can from within the /data/data folder, but I think @Deleted User was referring to trying to browse that folder manually using adb
Deleted User 3/23/2020 6:29 AM
@Orb This seems the case. Cellebrite was able to extract some artefacts from a select range of apps.
6:29 AM
Though I fail to understand why. Isnt this something handled by the OS itself instead of the app in question? (edited)
Advanced logical will get as much as it can from within the /data/data folder, but I think @Deleted User was referring to trying to browse that folder manually using adb
@Orb Ah! I thought you were specifically referring to the output of Advanced Logical extractions!
@Deleted User How much a backup pulls from the app depends on the developer of the app. I've seen adb backups that have all the data from the app directory. Others just one database extracted out of ten as compared to a rooted extraction.
Very true. And of course, this can vary by app version as well... So an updated app may backup different data from the same app a year ago (could be more, could be less...)
👍 4
And made even more confusing by more recent Android versions giving app developers greater granularity over what is backed up. Getting some data in the apps /data/data folder does not mean you have all the data, unlike older Android API versions
💩 1
Adam Cervellone 3/23/2020 11:35 AM
@Cellebrite Do you all support VICS 1.3 in the latest version of PA?
CLB-TheGeckster 3/23/2020 12:08 PM
@Cellebrite Do you all support VICS 1.3 in the latest version of PA?
@Adam Cervellone It should work in 7.31
Hey, is anyone familiar with any methodology for securing data on an Android prior to exfiltration? Such as storing it in memory etc. (it's only about 30 MB)
11:51 PM
on a non-rooted device
11:52 PM
Doesn't Android now have some new file system where it's more sandboxed from other applications?
Deleted User 3/24/2020 12:02 AM
Thanks for the info all!
Adam Cervellone 3/24/2020 8:10 AM
@CLB-TheGeckster Thanks! Does PA also support PhotoDNA?
Hi everyone! How do I find the text of an SMS in knowledgeC? I have looked at APOLLO but I didn't find my answer
7:33 AM
Check them out and see if there is anything that helps you out. There's a LOT so it's worth me sharing as a response to your question
👍 1
@Andrew Rathbun Indeed, a DoubleBlak article notably mentions SMS. Apparently if they are deleted from sms.db, they are also deleted from knowledgeC (edited)
Andrew Rathbun 3/25/2020 8:08 AM
Glad to hear you found something relevant to your question
I will try to verify this
8:09 AM
That was t the purpose of your response 🤣
8:09 AM
Thanks for your quickness (edited)
CLB-TheGeckster 3/25/2020 8:15 AM
hey guys, also consider query_predictions.db on iOS for message recovery (full file system only - and that file isnt always present)...TON of data in there
Deleted User 3/25/2020 8:29 AM
@Cellebrite Is it normal that on every physical dump I make, Signal isn't decoded in PA 7.31?
@CLB-TheGeckster i will check it ! Thx
@Cellebrite is it normal that on any physical dump I make, Signal isn't decode on PA 7.31?
@Deleted User it could be the version of the Signal App.
Deleted User 3/25/2020 8:32 AM
I'll check that, but it's not a recent case. So I don't think the version is updated
8:38 AM
@Deleted User it could be the version of the Signal App.
@CLB-Paul For example, on an A300FU the version of Signal is 4.50.5; according to the changelog of PA 7.31, 4.55.8 is OK
it could be that the previous ones had different structure, im not sure tbh
Deleted User 3/25/2020 8:41 AM
OK... I have many different examples too... I don't have any example where Signal is decoded...
Wondering if people have a specific way they are using the keychain from a GK extraction to gain possible passcodes for a locked device.
@Ghosted look at the voicemail section, if they have pin locked their voicemail the pin will be displayed. you can then try that. (edited)
👍 1
MrMacca (Allan Mc) 3/26/2020 4:58 AM
@Ghosted I used notepad++ to clean up the password list and then only display the passwords. 1 click and works a treat once setup as a macro. Then I push this to Passware or hashcat
👍 1
MrMacca (Allan Mc) 3/26/2020 5:08 AM
Also then exported out keychain files from other Apple devices, and then used the password list to unlock that to obtain more passwords
👍 1
forensicmike @Magnet 3/26/2020 5:43 AM
@Ghosted AXIOM Wordlist Generator (free) is capable of translating the keychain.plist (or other sources) into a list of passcodes to try in a GK-friendly format. https://www.magnetforensics.com/blog/utilizing-axiom-wordlist-generator-to-optimize-handset-lock-code-breaking/
👍 1
MrMacca (Allan Mc) 3/26/2020 5:56 AM
Does the Axiom wordlist generator still only work on AXIOM cases?
Is brute force not supported for iOS 13.3.1, or is it not supported for certain models?
Avatar
David Smalley 3/26/2020 12:57 PM
Handled Ghosted - we will be in touch.
👍 1
Does anyone have a PowerPoint or white paper on how to use APOLLO or iLEAPP for dummies? I'm not high speed enough to figure this out. Thanks
@MrMacca (Allan Mc) yes, on AXIOM cases.
@MrMacca (Allan Mc) yes, on AXIOM cases.
@wldcat06 If you have BlackLight, APOLLO is an option in this software. Nothing easier 😉
CLB-TheGeckster 3/27/2020 5:10 AM
I originally released APOLLO at the Objective by the Sea conference in early November. Since then I’ve received a surprising amount of positive feedback about various analysts using this tool or the accompanying SQL queries on their file system dumps to help a variety of i...
@wldcat06 For iLEAPP I'd recommend reading the README on GitHub and using the GUI part. (edited)
👍 1
For iLEAPP: 1) Have your extraction in zip, tar, or logical (folders and files in the computer file system) 2) Install Python 3) Run from command line as such: python ileapp.py --gui 4) Select file if zip or tar. Select directory if logical. 5) Press process. 6) When done press OK at prompt and go through the report. We are also working on an Android version called ALEAPP. Lots of unique artifacts. See https://github.com/abrignoni (edited)
👍 5
👌 1
😋 1
Thanks for the responses I’ll check it out and see if I have any question. I’m sure I will. But I’ll read up first.
@Cellebrite In PA 7.31 I gave it a takeout (a zip found on a PC) and it didn't decode GPS positions. However I see a JSON about it 🤔 Is it normal?
Axiom found 674 Google Maps [artifacts]! And 762,818 GPS positions (but with no coordinates 😂) (edited)
@Cellebrite Can you confirm that this pop-up happens when there is data to extract and a password to be cracked, and not just because the wickrlocal.sqlite file is present? I have the feeling that there is nothing to crack, according to the content of the db...
This pop up is for providing a password (or list of passwords for a brute force) that will generate the key to decrypt the WickrLocal.sqlite db - but there's no way to say for certain whether that database contains useful information or not while it's encrypted, and the db cannot be decrypted without a password (unless the device owner chose the 'keep me logged in' option in wickr, but in that case the database key would have been generated from there and you wouldn't get a pop up asking for a password). (edited)
5:43 AM
So the short answer to your question is - no.
5:43 AM
The pop up may show up even when the database contains no useful information.
5:44 AM
But note that since Wickr keeps messages for a maximum of 6 days, the WickrLocal.sqlite file tends to be small in size even when the app is relatively active (If that was the reason you had the feeling there's nothing there)
@Orb I could not find any hash in the keychain or the wickrlocal.sqlite db and so no password to brute force. That's why I had the feeling that the popup came just due to the existence of the WickrLocal.sqlite file, but that the dump does not contain the information needed to brute force the password
The dump rarely contains the needed information to bruteforce the password... If you have a dictionary file with popular passwords, or even better, a tailored dictionary for this phone's user, you can try using it to brute force
I supplied a small and a huge dictionary and they both processed in a few seconds... that's also what made me think something was wrong in the brute force process
a good place to start looking for information for such a dictionary is in other passwords that might have been extracted in the same dump
5:59 AM
under 'Passwords' or 'User Accounts'
I made a custom dictionary in PA from the handset and also tried some known generic dictionaries
6:00 AM
My point is I have a feeling something is wrong with the Wickr brute force module
Hmm... I'll try to get it checked out. What's the Wickr version you have?
UFED will not show the version
6:05 AM
this is the only info found in the keychain about wickr
6:05 AM
and those are the only 3 tables containing info in the wickrlocal.sqlite file
Hmm... Actually now that I know we're talking about iOS (should've known it from the name of the database)
6:06 AM
It seems you are right...
6:07 AM
Without a proper ZSECEX_ACCOUNT table, there can be no decryption
6:07 AM
But I do admit it's strange that these are the only 3 tables 🧐
there a more but empty
6:08 AM
*are
Then you are absolutely right. nothing to decrypt there.
Avatar
I was wondering what PA was testing the supplied password list against....
6:13 AM
Can I conclude this is an unintended feature? Are you going to escalate, or do you want me to open a ticket?
Taking this to DMs 🙂
Hi everyone. Does anyone have some experience with Signal on Android? I followed the post written by forensicmike but I always get the same error...
I no longer need help... I just had to use a stable version
And I use a raw option but... it's not really XML, and if I don't use this option, my XML file is null
Andrew Rathbun 3/29/2020 7:22 PM
It's been a while since my last update.. But I think you'll see why...
7:22 PM
Free GK extraction parser
@Andrew Rathbun Hm, what's the difference between iLEAPP and the parser from DoubleBlak? That's a nice thing to compare 😊
Andrew Rathbun 3/30/2020 3:42 AM
Haven't used either. I'm not much into the mobile game anymore since I'm now in IR but I'd love to hear someone's take on either tool
Is there an iphone plist or db that shows what apps are employing iCloud?
forensicmike @Magnet 3/30/2020 7:57 AM
Undoubtedly @312brs .. let me see if I can answer that quickly with fsmon
forensicmike @Magnet 3/30/2020 8:04 AM
DM'ing 🙂
Mistercatapulte 3/30/2020 8:36 AM
I have a small question about FB Messenger. I have a message referenced as "voice mail" from the victim, but the attachment is not available. I looked at the database in hex and I have the file size. How is it possible to recover this data (if possible)? I used App Genie without success. Maybe it's stored on the server? How can I determine that?
8:36 AM
@Andrew Rathbun hm whats the difference between ileapp and the parser from doublak. Thats a Nice thing to compare 😊
@florus ArtEx is timeline based. iLEAPP is more category based. I can't say enough good things about ArtEx. Been testing it this morning and came out extremely impressed.
👍 2
Looking for suggestions for an emulator environment for testing and researching apps in an Android environment. I need to be able to not only create user content using a variety of apps, but also observe and review the files (mostly databases, preference lists, and user created files) created by the app in the file system. I've tried using the emulator packaged in Android Studio which does show parts of the file system, but unless I am doing something wrong, I cannot view files/directories an app is creating in the file system (even with debugging turned on). Suggestions on an Android emulator that would allow me to review app created files in the file system would be greatly appreciated.
Need some assistance with KnowledgeC.db: Trying to determine why there is a gap in device activity during a large period of time. Powering events as decoded by Cellebrite only show old (from several months ago) power-on events, so my assumption is that the device's battery died. Any idea how I can support this theory?
1:43 PM
Effectively the device goes dark moments before when we know the murder happened and then comes back a few hours later. Trying to figure out if he turned his phone off or if the battery died or if there is some other explanation for a lack of activity on the phone.
1:47 PM
I can't really decipher anything from the CurrentPowerlog.PLSQL
Suggestions on an Android emulator that would allow me to review app created files in the file system would be greatly appreciated.
@jtren725 Try Genymotion. The free version works great. Takes a little tinkering to set up the shared directory to move files out of the VM but when set up it works great. 👍
(edited)
1:53 PM
@jtren725 https://www.genymotion.com/ Free version is all that's needed. (edited)
I think you meant that for Brigs
Sorry. Fixing.
or JTren725 rather
@Brigs - Awesome! Thank you. I will check it out!
Are there any artifacts on an android 8.0 device that show the date it was wiped?
Has anyone done testing on self deleting messages on different apps? I.e. how good the apps are at deleting the messages from the database.
does anybody have any journal articles on dumping live memory?
heatherDFIR 3/31/2020 12:21 PM
@ColdKat I spent 3.5 years literally doing this for my day job. It depends on the app, the OS version, Android/iOS and your extraction.
12:21 PM
Some are HORRIBLE and it's great for us forensically, but others are better. I have found that, in general, even if the message isn't recoverable the attachments are.
@jtren725 https://www.genymotion.com/ Free version is all that's needed.
@Brigs Trying to find the doc that says "Why is this product better than the installed Android SDK and using the ADM CLI..."
Do you have support for houseparty app? @Cellebrite @Magnet Forensics
Running a device through now to see what gets parsed and what I can see
I've created a script for notes and public users
Joe Schmoe 4/1/2020 4:06 AM
Anyone having trouble opening GrayKey extractions in PA 7.31? I’ve tried a couple extractions on two computers. @Cellebrite
@Joe Schmoe nope, opens fine
Joe Schmoe 4/1/2020 5:36 AM
@Dfdan Weird. This is what I keep getting.
5:37 AM
forensicmike @Magnet 4/1/2020 5:38 AM
Corrupted download perhaps?
5:39 AM
7-Zip has a Test Archive function you can run from the shell if you have it installed.
@Joe Schmoe as @forensicmike @Magnet says, it could be corrupted. Hash the zip and check it has the same SHA256 value as in the report.
Joe Schmoe 4/1/2020 5:47 AM
@Dfdan @forensicmike @Magnet Thank you. I'll try 7-Zip. It's been on three different extractions. I downgraded to 7.29 and they opened fine. Axiom also opened this one without any issues. The hash values all match the GK report.
forensicmike @Magnet 4/1/2020 5:47 AM
Ah, gotcha.
Does anyone have information on the Unico Live app?
criley4640 4/1/2020 4:08 PM
So, I manually decrypted the Signal database using the nightly version of DB Browser with SQLCipher. I then added the decrypted version of the db to my project in Physical Analyzer and used SQLite Wizard to analyze the messages. When I get it all done and attempt to run the query on my externally-added file, it returns no records. Does SQLite Wizard/Query Manager only work on databases that are inside the original extraction? Why does it let me use it on the externally-added db but then not allow me to add those results to the Analyzed Data?? @Cellebrite
4:09 PM
So, I manually decrypted the Signal database using the nightly version of DB Browser with SQLCipher. I then added the decrypted version of the db to my project in Physical Analyzer and used SQLite Wizard to analyze the messages. When I get it all done and attempt to run the query on my externally-added file, it returns no records. Does SQLite Wizard/Query Manager only work on databases that are inside the original extraction? Why does it let me use it on the externally-added db but then not allow me to add those results to the Analyzed Data?? @Cellebrite
@criley4640
Anyone from @Cellebrite know if (and how) it's possible to instruct PA to execute only the analysis of Surespot without having to run the entire phone every time?
Hey guys, I actually have a case where Facebook Messenger on a Galaxy tablet (physical dump) is quite important. There are a lot of voicemails sent and received in a few conversations. The investigator tells me he can listen to them on the offline device (I can check it next week). Now I can't open these voicemails in my extraction. I tried it with the newest PA and with Axiom. Does anyone have an idea or solution for my problem, so I can integrate these voicemails in my report?
And maybe another dumb question 🙈 🙈 🙈 Has any of you had success decoding the Outlook app on Android systems?
@Matze had Outlook recently. It was a negative; it will go to a manual review by an officer 😕
Hi, looking at an iPhone X (AFU) in UFED. I found a relevant location. The source is Google Maps. The phone was extracted 29 January 2020. The "end time" for the location was 3 February 2020. What does the end time refer to? Thank you. (edited)
@Cellebrite can somebody help me with your BSSID database? What does the BSSID field in the BSSID table relate to? Is it a hash of the BSSID? Thanks
10:48 AM
this is our downloaded file ?
Yeah
so it's to be used within PA.
10:48 AM
not externally
Oh ok thanks, I just need to import it?
yessir
10:52 AM
Tools - Enrichment BSSID - Install
Thanks
@Magnet Forensics Hello, I had an extraction of an iPhone 6 this week and I tested it with 2 input methods in Axiom: DAR and zip... And I get less with the DAR method! Look at my pictures. Do you have an explanation? Or is it still in development? (edited)
1:52 AM
What annoyed me most was the disappearance of an entire messaging app.
Andy Thorpe 4/4/2020 2:07 AM
@rico hi pal, I'd love to see the logs for both of these to help. Can you click on help > collect logs for both cases and send the zip files over to Support@magnetforensics.com. Title the subject FAO Andy Thorpe. Also how did you perform the extraction of the phone, cellebrite extraction that produced a DAR file? If so how did you turn this into a zip?
@rico like @Andy Thorpe asked, how did you acquire the iOS backup vs the full filesystem? Do you get differing results in PA? Include that with your support email. It'll help our developers a tonne 👍 (edited)
@Nava2 @Andy Thorpe hi, I did the extraction with UFED 4PC, so it made a DAR. For the zip I used a PA function on the root of the tree to create a zip (this is much faster than exporting the file system).
7:54 AM
I'll send you the logs in PM.
Andy Thorpe 4/4/2020 7:54 AM
If you can email them to Support@magnetforensics.com that's better
7:55 AM
I'll take a look at them and get back to you
@rico If you know which artifacts specifically are missing media, that'd be awesome too. If it's too many to figure out easily, don't worry about it 🙂
Hi all, has anyone ever come across this as a file header? The file extension is JPG but it clearly isn't, and I can't seem to find anything that will open it. Thanks
@Aneesh96 What's the filepath for it? Quite a few of the hidden apps these days keep the extension but actually encrypt the file. Could be what you're seeing here (edited)
@K23 there are several of these files with a very similar file header. All have the word CONSOLE in them, then have zeros up until offset 8192 and then seemingly random data. These were found on the memory card in a folder called DCIM/snake. There are also some supposed MP3 files with the same file structure in a folder called mp3 on the memory card.
Can't say I've seen that one / that pattern or folder, but that would still be my gut instinct on it: that it's been encrypted by an app on the device.
Yep, I'm just having another look at the apps on the phone. Can't see anything obvious atm.
@Aneesh96 I would have said the same thing as @K23
8:53 AM
Hi everyone! Does somebody have an idea about scout.bd? It has a table "power_healt_stats"... I get the impression that FB sporadically records the ON state of the device. All other columns except the timestamp and gpu_measurement are empty. (edited)
8:54 AM
It interests me because I have long periods with NO power-off. Can anyone confirm or deny this thought? (edited)
Column core_features seems to have more data... Holy Facebook 😉
@Aneesh96 I actually encountered that before, but back then I assumed it was just a corrupted file https://old.reddit.com/r/datarecovery/comments/elay25/android_experts_file_based_encryption/
10:49 AM
CONSOLE text is often a part of an Android boot or recovery image. Any chance for you to make a list of installed apps on that phone? Maybe those are in fact files encrypted by some app.
@Arcain ahh ok, that's useful. What I am seeing is files on the phone which have the same name as these files I have found on the memory card, but these do actually have a valid JPG header and I can open them. So I was thinking these were corrupted somehow. I have checked the installed apps on the phone and none of them look like they could encrypt these JPG and MP3 files, but that of course doesn't mean there wasn't an app installed on the device before that did this and has since been deleted.
11:03 AM
@Arcain @rico @K23 I have plugged the memory card in the phone and it does say the memory card is encrypted. But I've got an image of it and can see the file structure, just the files look like they are encrypted.
What phone is that? Maybe one of the built-in apps has such feature? (edited)
It's a samsung S7
11:09 AM
11:09 AM
This is a setting on Samsung. I'm thinking the owner did this.
11:09 AM
I will try to image the SD card inside the phone
This should encrypt the whole card, so if you dumped it outside the phone you shouldn't be able to find any .jpg or .mp3 files at all. (edited)
11:12 AM
If that SD card can be read correctly by the phone at the moment, using the decrypting method with that card inserted should also dump a decrypted card.
@Arcain @K23 @rico confirmed with my S10: encrypted the memory card and it uses the phone's encryption, so FBE. Took the memory card out and plugged it into the computer; it has the same header as the one shown above with CONSOLE written. So I can see the file structure but no file contents. So my guess with this phone is the memory card wasn't encrypted with the phone it was brought in with and was actually encrypted with a different one, and I need it plugged into the other one to decrypt the data. Thanks for your help!!
@Aneesh96 ha, FBE is the key here. The S7 series should still use FDE, so yes, it's very likely that this card was used in another device before. It's still strange to see that unusual header, but that at least explains why all of them look so similar. I'll have to test on some Huawei with FBE I have around here. (edited)
Yes the S7 was definitely FDE as secure startup was enabled. The file header I saw when I encrypted my SD card on my personal phone was very similar
1:47 PM
1:47 PM
That was it
That's quite misleading, but good to know for the future.
Cellebrite Physical Analyzer creates a timeline from a full FS acquisition of an iPhone 5S. What should be the meaning of the events described as "Speaker" and "Receiver"?
Yes the S7 was definitely FDE as secure startup was enabled. The file header I saw when I encrypted my SD card on my personal phone was very similar
@Aneesh96 the CONSOLE part in the hex is a giveaway of that.
7:14 PM
On a side note if your device has secure folder enabled. The files inside will look the same.
chrisforensic 4/6/2020 8:53 PM
@Mattia Epifani hello and good morning from Austria 😉 thanks for updating your kobackupdec! https://github.com/RealityNet/kobackupdec
@CLB-Paul what exactly does the CONSOLE part in the hex mean?
@Arcain @Aneesh96 Funny enough, I googled some of the hex from your screenshot and found a similar (but less informative) discussion from 2017 on the exact same case on a Samsung A3 (https://forum.hddguru.com/viewtopic.php?f=10&t=35856)
12:51 AM
@Orb @Arcain Yes, it's weird. I've now tested it on an FDE Samsung S7 and encrypted the memory card, and again I can see the file structure but the file contents are encrypted. So it looks like even if you encrypt the SD card on an FDE-enabled phone, it doesn't use FDE to encrypt the card.
When did you get the device?
12:58 AM
If you did not fully charge the device yet, you could grab the batterystats via ADB,
12:58 AM
but they reset after a full charge
Will look at that now but doubt it'd help much
1:00 AM
(We have a physical of Huawei by the way)
batterystats gives you everything in terms of usage: screen on, how it was unlocked (face, PIN, fingerprint), which button was pressed, which app he used and when, etc.
1:01 AM
Yeah, most often the batterystats info is not in the physical dump.
Not in the physical dump? (edited)
1:01 AM
That's odd?
no, at least not in readable format
@Aneesh96 there's one more thing here. You can also use an SD card as adoptable storage, and then it'll behave differently yet again, more like internal storage: ext4 filesystem, full disk encryption.
Are you referring to a database or xml?
Can't be memory either, because it survives a reboot, but I guess it is normally stored in maybe an unreadable format where we can't find it. Only after you generate a batterystats do you get a txt file (and, if you want, a dumpsys) with a looooooot of information.
1:03 AM
Samsung stores multiple last batterystats; other brands don't, as far as I know.
I've seen that data from Samsungs
1:07 AM
Just not from Huawei
1:10 AM
Is it possible to create a binary file dump from Cellebrite PA?
1:11 AM
This Huawei was extracted using Premium and it is fragmented into several Z01 files
@Aneesh96 just confirmed the same behaviour on a J730F with FDE. Each file on the SD card is encrypted with that header (CONSOLE), and it can be decrypted back on the phone.
@Arcain hmm, interesting. I wonder if there is a way of identifying the phone from the SD card.
@Cellebrite Working from home, when we take over our desktop using RDP, PA is giving us a license error.
1:52 AM
Is that normal?
1:52 AM
The dongle is plugged into our desktop at work
1:53 AM
I just physically logged in without RDP on the same desktop and the license is detected fine and PA works
1:53 AM
TeamViewer etc works fine, RDP does not
@Arcain @Aneesh96 doesn't the encryption behave slightly differently if there are already files present on the SD card when you start the encryption? I'm used to just seeing cards where the full SD card is encrypted and you can't get anything off of it unless it is in the device, so this is pretty interesting. Another area to bring up / highlight in office training, as I bet some will just skim over this kind of thing and think it's just corrupted.
1:57 AM
It's scary to think how easy it is to miss out on data these days with the time pressures of examinations when there are now so many different ways files can be hidden or manipulated
@K23 with the one I tried, I specifically copied data to that SD card and then encrypted. It looked like it was encrypting each file on its own, and that could be confirmed after inserting the card on a PC. Still FAT32, file structure intact, etc.
@Arcain Interesting. This all points to encryption after the SD card has been setup then
CLB-Daniel Borgenicht 4/7/2020 2:00 AM
@Nemesis You can send an email to support@cellebrite.com and they will help you workaround the RDP issue.
Let me format it on the phone and then encrypt. It still shouldn't be empty, as the default directory structure should be created.
2:02 AM
Yeah, seems to be the same. It encrypted what was on there and there's a file .MetaEcfsFile in the root directory.
@CLB-Daniel Borgenicht Will do thx
That file also contains CONSOLE in the header. Same goes for the only other file (.nomedia) I see, which is located in Android/data: also CONSOLE in the header.
2:05 AM
@K23 it's possible that some vendors don't use the default Android implementation, or Samsung uses its own, or the cards you saw were set up as adoptable storage. That's the most I've seen so far.
2:07 AM
I inserted that card into a Huawei and it doesn't prompt me that this is an encrypted card.
Yeah, seeing the same CONSOLE message off of my personal device, an LG V30. Think the full memory card encryption was back on older devices from memory; not in the office right now so I don't actually have access to our test data. You're quite right though, that could well just be adopted storage; it was very popular for quite some time. (edited)
2:07 AM
Remember it not even showing up as a recognisable partition.
@K23 @Arcain just tested an S7 and encrypted the SD card with data on it. Then used UFED's decrypting bootloader method to get a physical with the card in the phone. UFED did get an image of the SD card but the files are still encrypted! Was going to try the ADB method instead but it isn't supported for the version of Android I have installed (Android 8).
@Aneesh96 do you see those files decrypted with the card in the phone, like in the file manager?
Yes the files are decrypted in the file manager
It's still possible the card was used elsewhere, or they're decrypted "on the fly" and you'd need a filesystem dump instead.
Decrypted on the fly makes the most sense. Doubt they would be able to be opened if they were encrypted with another device. Don't have spare phones or cards to test this from home though.
I just tested this on a Huawei P20 Lite. It didn't prompt me that the card is encrypted on other devices. I wiped it, copied some data and then encrypted. Same CONSOLE text in the header, but instead the .nomedia file is not encrypted and there is a .cryptsd_cfg in the root directory, not .MetaEcfsFile like on Samsung.
If they can be opened on another device then that's a pretty shitty encryption method
It does say when you encrypt the card that the files can only be decrypted on the device you used to encrypt it.
@K23 I mean, I didn't get a message that the card is encrypted once I switched it from the J730 to the P20 Lite. I didn't expect that it would be decrypted, just notified. I got the message when I inserted it back into the Samsung.
@Arcain that makes sense. I'm assuming you didn't try to open up a file that was created on the J730 from the P20 Lite?
They won't open.
2:43 AM
I assume that it detects the encryption based on that hidden file in the root directory, and since Samsung and Huawei use different filenames, despite both being on Android 9, the info doesn't show up.
Cool. As you say, it sounds like different manufacturers are using different methods so not that surprising that it was not picked up as encrypted.
So do we think there is a way to get a physical image of the SD card with the files encrypted?
If the device was rooted then you might have a shot; guessing that's not an option. With the decrypting bootloader, did the phone boot normally before it started dumping?
2:45 AM
Or is it one of those that runs purely off of the bootloader so the handset isn't actually started
@Aneesh96 since you have a full physical, it's worth digging in and looking for the decryption key, maybe in /data/vold/misc like it used to be for adoptable storage. (edited)
No, the phone didn't fully boot, just at the Samsung screen.
What's the software version of the phone? If it's old enough it might be worth trying an eng boot and pulling it through ADB once the phone is booted. Not entirely sure it will make a difference, but might be worth a shot.
It's Android 8.0
It's a bit of a risky process though, so I'd definitely attempt it first on a test device using the same software version that is installed on the handset.
2:50 AM
There are eng boots for 8.0, just depends on patch level etc. Can you provide the details from the recovery screen?
Patch level September 2019, firmware is G930FXXS6ES16
2:51 AM
I think in this case it wouldn't be worth the risk because it seems a quite clean phone. Just thinking for the future really.
There's no eng root for U6 firmware; U5 was the last one I saw.
Fairly certain that bootloader is too new, and you won't be able to downgrade, unless there's been a new eng root release
Ahh ok, no go anyway! I'll settle for a logical on this one.
Samsung doesn't support adoptable storage, so I don't think that's what's going on here. Plus you get two very distinctive partitions with no individual files.
2:58 AM
Check out our webinar on Thursday for some background to adoptable storage, but not sure that will help in this instance
@OllieD they didn't officially, but I believe you could still do that via an ADB command, same on LG, which doesn't have a GUI for adoptable storage.
That is true; should have clarified that I meant not supported via the GUI or SD card popups.
In this case, I think we confirmed that it's a built-in SD card encryption feature.
I did some more digging
3:04 AM
Not that I know how to decrypt these
@Arcain there is a data/void/misc folder; anywhere else you'd recommend looking for keys?
But I do know that the strange headers in these files are written by ecryptfs,
The question that remains is if those files can be decrypted outside the phone, or with a key extracted from the phone in case a physical is available.
which is a Linux kernel module for filesystem encryption,
I would've thought an ADB method would give a decrypted physical image; just a shame it isn't supported for my phone!
3:06 AM
And it's followed by what is called a Tag 11 packet (this is the part that contains the "_CONSOLE" string) (edited)
3:06 AM
It's described in the OpenPGP Message Format (RFC 2440, https://www.ietf.org/rfc/rfc2440.txt) section 5.9. (edited)
There is a file in the root of the SD card called .MetaEcfsFile, so ecryptfs does sound right.
Guess it all depends on if the encryption key is hardware backed or not
Hmm, so actually it would be more precise to say that there's a Tag 3 packet, and then a Tag 11 packet. The Tag 3 might contain the key, but it doesn't look like it does in your screenshots.
@Arcain there is data/void/misc folder, anywhere else youd reccomend looking for keys?
@Aneesh96 there is, or there is not?
3:13 AM
That's where keys for adoptable storage SD cards were usually stored.
@Arcain sorry, there isn't that folder.
3:14 AM
I think with ecryptfs you can only get a logical.
Hmm so actually it would be more precise to say that there's a Tag 3 packet, and then a Tag 11 packet. The tag 3 might contain the key, but it doesn't look like it does in your screenshots
@Orb Looks like I was wrong... It still might contain the key.
3:15 AM
Any chance I could get one of those files to test?
@Orb yeah sure, I have some test ones.
@Orb I can share a couple of JPG and MP4 files from a card encrypted in a Huawei.
Sure, why not 🙂
4:22 AM
Doing a few attempts on @Aneesh96's files now; hope I find enough time to solve this 🙂
Where should I upload those? Any specific service?
If they're not heavy or sensitive, a DM is also a good option.
Avatar
~13MB: 3 JPG files, 2 MP4s and the .cryptfs_cfg file from the root directory.
4:29 AM
I can also get non-encrypted versions if you want
Hello, after analyzing an A8 (Android 8) I could see that at the time of the events there was connection sharing (tethering) with another Android device. However, the MAC address of this access point is unknown to the websites that allow its identification. Is it a virtual MAC address? Or is there another explanation? (edited)
Another question about the same device: can we decrypt Samsung's SecureHealthData.db?
heatherDFIR 4/8/2020 9:55 AM
The new smartphone poster is out: for585.com/poster
Hi guys, just to share with you: I wrote a Python 3 script to parse Telegram's cache4.db. A small write-up is at https://blog.digital-forensics.it/2020/04/teleparser.html, while the code is on https://github.com/RealityNet/teleparser. It will not actually parse every Telegram version's db; if you have a recent cache4.db that could be privately shared with me, I'll be very happy to work on it. The script is quite large, due to the amount of binary blobs (serialized objects) Telegram uses. Moreover, it's written to maximize the amount of info you can extract from the db. Indeed all the well-known commercial tools do their job, but sometimes you need to dig deeper, not counting the possibility to correlate the outputs and to provide evidence based on OSS. 10x (edited)
Thanks for sharing!!!
FATHEAD7466 4/8/2020 4:03 PM
Hello,
4:06 PM
Hello, I am trying to figure out why one section of a report table does not show a UTC timestamp (10032), while the other ones are showing a timestamp (10033, 10034). It looks to me like it may be an advertisement from a weather application to the phone (10032). Am I seeing this correctly? (edited)
Hey team, hope you all are doing well in these crazy times. Quick question: I have a phone. UFED was unable to get a physical. UFED was able to do an Android backup and logical. I tried the UFED APK downgrade but this failed. I downloaded the latest edition of XRY (9.0). XRY released this version 06/04/2020. App downgrade worked using XRY. I want to ingest this data into UFED.
9:53 PM
9:53 PM
9:53 PM
In Short XRY was successful in downgrading Facebook Messenger, where UFED wasn’t, resulting in XRY obtaining 10,862 Facebook messages. XRY says it can export out in the following formats.
9:54 PM
Formats above... What is the best format, and what is the best way to ingest this data into UFED? Thanks team, love all your work!
@Gumpoo I would say the best is to do a File export with Reflect original path checked in the File export settings, that should export the original files with the original path intact. Hopefully UFED can import that somehow! (edited)
🐊Ricky_GFJC 4/9/2020 5:24 AM
Have you tried using XAMN Elements, Examine hex and creating a .bin file?
Will unfortunately not work for a logical as there is no binary to export, but for a physical that'd be the way to do it!
🐊Ricky_GFJC 4/9/2020 6:13 AM
Oops. Didn't see that it was a logical. Thanks Tobias.
@🐊Ricky_GFJC @Erumaro in my experience, that option doesn't work because of a known error in XAMN.
🐊Ricky_GFJC 4/9/2020 11:02 AM
What was the error? I tested it on a Samsung SGH-i547 and opened the bin file in PA with Open Advanced and it seemed to work. Although I am not an expert, for sure.
@florus Which error are you talking about in this case, file path too long? I mean, it depends on the data on the device really.
11:03 AM
Also depends on the length of the export destination and other factors as well so I would not really say it doesn't work as it simply, well, depends 🙂 If you could let me know about more about the error I'd be glad to have a further look. (edited)
Has anyone worked a swatting case with COD Modern Warfare Mobile?
@Erumaro I'll DM you
Hi, does anyone know how to decrypt the file rCellDb.db (from com.samsung.android.samsungpositioning/databases)?
Anyone have a Tumblr chart, i.e. where files are stored for inbound and outbound?
josephj16402 4/11/2020 12:35 PM
Any info on this? I attempted searching in this thread, but didn't come across an answer. Subject has multiple devices (Mac, iPhone and iPad) all set up to use iMessage... if a message was sent to someone, is there a way to determine from which device the message was sent? My initial guess is it might be buried in some plist on the device. Furthermore, I only have one device to examine the data on. (edited)
Morning all, has anyone had any experience with interactionC.db on an Apple device? Any reliable resources online regarding it?
@josephj16402 Maybe by looking at the unified log (you still have to find the right character string)... But I admit that I never looked for that in particular... interesting question! If you find the answer I will be happy to read it.
What can we learn about user activity and behavior on a compromised Mac? Learn about the hidden and obfuscated data stores Apple use on the macOS platform.
I didn't, I'll have a look now, thank you 👍
Hi there, I'm attempting to reverse engineer an app somewhat and I was wondering if anyone knows how ZDDDATE is calculated.
Morning all, has anyone had any experience with interactionC.db on an apple device?...
@Andyroid Check out this post from Sarah Edwards: https://sarah-edwards-xzkc.squarespace.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice?rq=interactionC Also her APOLLO tool as well as iLEAPP extract data from the database. https://github.com/mac4n6/APOLLO https://github.com/abrignoni/iLEAPP
@Oxygen Forensics @Cellebrite someone around for a quick question? (edited)
josephj16402 4/13/2020 6:29 AM
@rico Thx, still working through it and hopefully will get a straight answer.
heatherDFIR 4/13/2020 6:37 AM
@florus Did you get your question answered?
@heatherDFIR Hi, I did not. I sent you a DM.
Has anyone ever encountered an "Error writing to target" error on UFED4PC? The extraction for this SM-S767VL I was working on was wrapping up and finalizing, and as it was disconnecting I received this error. I checked the extraction folder and it looks like it wrote all the files except for the .ufd file. Double-checked the free space on my hard drive and that's not the problem. Maybe there's an issue with the newest release? (7.32.0.68) Thoughts from any Cellebrite people or any other gurus in here?
10:03 AM
@AMB did you try to open the binary directly in PA?
11:55 AM
I did a few extractions with 7.32 and didn't have this problem.
colin.duncan 4/13/2020 12:00 PM
Deleted Chats data from an iPhone Advanced Logical. Any way to recover the body of the messages? Sorry for the noob question.
colin.duncan 4/13/2020 12:34 PM
If not the BODY of the message(s), does it show when the message was deleted, by chance?
@Dam I didn't try that yet but I'll try it. Would I open all the binary files then merge them? Or just the big one? Thanks for the insight.
@colin.duncan do you mean iMessage?
1:00 PM
@AMB in Open Advanced you can select the Android generic profile (it is better than the device profile for decoding) and you can add as many binaries as needed.
1:00 PM
But the big one should be enough, I think.
1:01 PM
@colin.duncan it is not possible to get a file system extraction?
Avatar
colin.duncan 4/13/2020 1:07 PM
Hey, @Dam. Correct. I mean iMessage. From an iPhone 6 Plus. This is an extraction I got from a cooperative witness but doubt I can go back.
Avatar
@colin.duncan okay so not possible to get a file system extraction. I’m not sure you can find the deleted time stamp. But I could be wrong. Maybe a backup? From cloud or computer?
Avatar
colin.duncan 4/13/2020 1:19 PM
Thanks, @Dam. Any chance I can tell what the user's message retention was? The "Keep Messages" option: 30 days, 1 year or Forever?
Avatar
@colin.duncan do you mean auto deletion?
Avatar
colin.duncan 4/13/2020 1:21 PM
@Dam, yes
Avatar
I don’t know about that. I think this information may be found with a file system extraction
1:22 PM
But maybe somebody else has a different answer.
Avatar
colin.duncan 4/13/2020 1:23 PM
Appreciate your responses, @Dam! Thank you much!
Avatar
@colin.duncan I can check with one of my extractions (file system) if I can find this info
Avatar
colin.duncan 4/13/2020 1:24 PM
that'd be great.
Avatar
colin.duncan 4/13/2020 1:35 PM
@Dam, I found the message retention (auto delete setting) under Extraction Summary:
Avatar
That was easy 😁
😆 2
Avatar
colin.duncan 4/13/2020 1:46 PM
@Dam, any explanation why we might have very little iMessages from one particular user (who supposedly deleted individual threads) but hundreds of Chats in which this user was a participant found on multiple devices belonging to other custodians? Granted, this is an iPhone 6 in 2019 with some of the deleted messages having a timestamp dating back to 2015-2018. I'm trying to explain this user's behavior - would backups come into play here? @Cellebrite (edited)
🤷‍♂️ 1
Avatar
@Gumpoo I would say the best is to do a File export with Reflect original path checked in the File export settings, that should export the original files with the original path intact. Hopefully UFED can import that somehow!
@Erumaro Thanks mate. Will try that and report the outcome 😄
Avatar
DefendingChamp 4/13/2020 9:09 PM
@AMB I've had that happen to me numerous times lol
9:10 PM
I would try downgrading, or check if they have some kind of management software like norton or airplay which has rights over the device
9:11 PM
usually corporate phones have MDM and you'll need that admin to release the rights
9:11 PM
@colin.duncan physical extraction
Avatar
I have seen a number of posts on bulletin boards recently that refer to some of the mainstream software failing to be able to attribute a contact to a deleted message on IOS SMS.db recoveries. My previous post “SMS recovered records and contacts – three ways” shows another met...
👍 3
4:51 AM
Very good explanation of it.
Avatar
Hi, I'm hoping someone may be able to help with the following? (I'm new to this group/Discord so I hope I am in the right place?!) I have an iPhone Graykey extraction and have been asked to take a closer look at two particular videos found in UFED PA from within Snapchat. The videos appear within Caches/com.snap.file_managerSCContent... Both videos have names beginning 'zip' followed by a unique string of numbers. Following a manual review of the phone I can say that neither video currently exists on the phone. PA suggests created, accessed, modified dates are the same although the times are an hour apart. My questions: Why are the files named zip... ? Is this a Snapchat thing or something else? Can the created, accessed, modified dates be relied upon? i.e. do these relate to the original videos or have they been given the same date now that they exist within Caches...? Can it be established how these videos came to be on the phone? i.e. can it be determined if these videos were created on this phone or were sent to the phone? Could it be that the videos are actually part of someone else's story that have just been cached by this phone? I cannot find anything obvious within Timeline to assist me. The videos and their times/date are of great significance to a murder investigation so I really need to be able to offer the correct advice. I have loaded a test iPhone with some data but I cannot get videos to end up in Caches/com.snap.file_managerSCContent... So I cannot draw any conclusions from this line of enquiry. I'm afraid I am struggling a bit and would be extremely grateful for any assistance.
Avatar
@blake-ee So someone else can chime in who's a bigger expert than I am. First, I would suggest getting a preservation and warrant off to Snapchat (let me know if you need help with that). Snapchat's retention policy is dependent on varying factors and you may recover the video from the phone user's account. Or if you can ID the likely person they were exchanging the chat/videos with, you might capture it on the other end. You may be able to find another phone involved in the case and get to it that way.
Avatar
@blake-ee as for the details on the actual extraction, be careful with those created/accessed/modified time and date stamps. I'd check the source link and dive into the DB file itself to see where that is coming from. If it's possible for you, and you have a full file systems from GK, I might try to load it up on Blacklight on a Mac workstation. You'll probably be able to see a bit more of the attributes for the files in question. Sometimes those dates/times will get parsed by PA correctly, but double check, especially on a murder case. If you can get some secondary verification (such as through a warrant to Snapchat or on another phone) that would be ideal.
Avatar
DefendingChamp 4/14/2020 11:36 AM
It also depends on what version of snapchat and how long ago this phone was. From what I can tell, they've changed various things about their app throughout the years.
11:37 AM
But as pcsdcell has mentioned, reach out to lawenforcement@snapchat.com
11:37 AM
They have a 30 day retention period
Avatar
Anyone have any experience with deleted Gmails? Got someone asking if we will be able to recover some deleted Gmails from 1 to 2 months ago with an iPhone 7. It's for someone who will need to go to a private examiner. So I didn't want them to go get charged an arm and a leg if it's not going to be extractable in the first place.
Avatar
Anyone have any idea why @Cellebrite Physical Analyzer doesn't report horizontal accuracy values from /private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite tables? I'm getting this question from a crime analyst who apparently feels that this is "dramatically important" information. I realize that it could be valuable in certain scenarios. But I am curious as to why it's not reported in Analyzed Data or subsequent reports.
Avatar
there can be many entries in various DB files that are relevant. Can't report on them all. Don't get me wrong I totally agree with you that it could be the smoking gun. I can pass it up the pipe to see if they can add that.
Avatar
@pcsdcell @DefendingChamp Thank you for your replies. Unfortunately we are outside the window for a preservation order, but I will certainly bear that in mind for future cases. I will attempt loading the GK extraction into Blacklight and see how that goes. Just for info the Snapchat version is 10.67.0.68 installed on an iPhone 6s running iOS 13.1.2.
Avatar
DefendingChamp 4/15/2020 12:11 AM
@pcsdcell check googles email retention
Avatar
Hello. I am using Cellebrite Physical Analyzer with an iOS Full File System extraction. I have an uninstall date of an application in the Application Usage Log, taken from the knowledgec.db. I was wondering if someone could tell me where this information is in the knowledgec.db please so I can confirm the data manually. PA confirms the data is taken from the tables ZOBJECT and ZSTRUCTUREDMETADATA. I can see when apps are installed, just not how the db records the uninstall data. Thanks in advance for your help
Avatar
Are images stored in Snapchat's For My Eyes Only usually extracted without having to check it on the handset? (edited)
Avatar
@Pacman If you are looking at an iPhone, Magnet offer this advice for decoding the MEO: https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey
6:27 AM
@Pacman My experience however is that most of the files stored within the MEO are cloud/server based and do not always get extracted.
Avatar
Oh of course you're right, they're on cloud.
6:27 AM
Thanks for this info
6:33 AM
Can AXIOM parse .dar extractions obtained from UFED Premium? @Magnet Forensics
Avatar
@Pacman in 3.11.0, yes! Load the .ufd though to get all of the timestamps 🙂
Avatar
Awesome!
magnetforensics_alt 3
6:34 AM
Just checking to see if it has been validated for me to install it... fingers crossed!
Avatar
you can thank @forensicmike @Magnet for that!
Avatar
forensicmike @Magnet 4/15/2020 6:35 AM
Hahaha.. @Nava2 making it sound like he didn't do a huge chunk of the work 🙂
Avatar
I'll take all the credits if neither of you want it?!
😂 2
Avatar
Seems fair, @Pacman. Congrats!
😂 2
Avatar
forensicmike @Magnet 4/15/2020 6:36 AM
🤣
Avatar
Anybody have any experience parsing Telegram chats on an iPhone Advanced Logical? Would a Full File System (checkm8 or GreyKey) help?
Avatar
forensicmike @Magnet 4/15/2020 6:46 AM
don't have direct exp with TG, but generally speaking for any encrypted messaging app a keychain extraction certainly doesn't hurt 🙂
Avatar
@goalguy I wouldn’t expect to see any Telegram Messages extracted without GK or checkm8 extraction. XRY, Cellebrite and Axiom will decode aspects of the Telegram from these extractions
Avatar
bizzybarney 4/15/2020 1:23 PM
@goalguy I believe the file you are looking for is ../postbox/db/db_sqlite (with no extension). It is a SQLite database and has many tables, most containing BLOBs.
Avatar
@CLB-Paul I think the horizontal accuracy number from that specific database would be valuable. It specifically is recorded by the OS so I would think it would be pretty reliable.
Avatar
Ill pass it up
Avatar
Deleted User 4/16/2020 1:06 AM
Hello guys, during a previous case last year, I developed a script allowing the analysis of the Android Snapchat application com.snapchat.android. With it, you can obtain messages / friends, GPS coords / etc. It works for v10.60.2.0 Beta and v10.66.5.0. A small update will potentially be required for new versions (sqlite / xml changes every week..) It's in French but if you need I can translate it into English. This requires a physical extraction : https://github.com/Yann-Ntech/Snapchat_Forensics
com.snapchat.android Analysis. Contribute to Yann-Ntech/Snapchat_Forensics development by creating an account on GitHub.
👍 4
🇫🇷 4
Avatar
@Deleted User Very Nice. Might be a good idea to add an English translation to make it "more user friendly".
👍 2
Avatar
@heatherDFIR Hi Heather, what are you moving to once you move away from DAR if you don't mind me asking?
Avatar
Possible to load a axiom image in pa?
Avatar
Deleted User 4/16/2020 6:07 AM
@florus np, just English report or comments/code ? (edited)
Avatar
@Dossy yes
10:17 AM
which phone?
10:20 AM
Went to Advanced - Select device - Physical ADB - image file
(edited)
Avatar
geekwithgun 4/16/2020 10:33 AM
Anyone have an engine root for a samsung sm-g903w running 7.0
10:33 AM
frp protected
Avatar
geekwithgun 4/16/2020 11:55 AM
disregard got into it
Avatar
Question for @MSAB on Photon Manual: can Manual be used on apps that don't allow screenshots? Banking apps, password managers etc. My gut feel is probably not!
Avatar
@OllieD No, that doesn't work. It has to allow screenshots
Avatar
Thought as much, cheers Adam! Hope you're keeping well and staying safe on your customer visits! 👍
Avatar
@OllieD For example Telegram has blocked screenshots for Secret chats but not regular ones, interestingly enough Snapchat does not see Photon as screenshots so you won't see "X took a screenshot" in the chat 🙂
Avatar
Huh, weird!
Avatar
But of course good from our standpoint! 🙂
👍 1
Avatar
I've been trying to get Signal app decoded/decrypted from an iOS full file system extraction (done with GK) on UFED PA. Pointing the keychain on the open case wizard (GK-specific) had no effect as the app data did not get decoded. As I'm using a test device, I got a full file system using UFED-P and then ran it through UFED-PA and surprisingly it decoded all the data. Anyone's guess for this issue? Could this be the plugin/profile used by UFED PA for GK extractions?
Avatar
@Cellebrite any chance you'll add Huawei notepad app parsing (com.example.android.notepad) to PA one day, it's a single sqlite db file (edited)
Avatar
@Cellebrite @MSAB @Magnet Forensics Can someone help me with the SleepDetection.db in a Samsung extraction? (edited)
Avatar
@Dam How can we be of assistance, DM if needed 👍
Avatar
@Firmsky Thanks. I have this database but cannot find what userPresent and ScreenState means.
5:57 AM
I think screenState 1 is on and 0 is off
5:58 AM
but what about userPresent 1 and 0
5:58 AM
and also uskeyguard column
Avatar
@Dam I'll do some testing and come back to you, version of Android?
5:59 AM
samsung galaxy s7
5:59 AM
g930f
Avatar
@Dam Thanks, will DM you shortly
Avatar
CLB-dan.techcrime 4/17/2020 8:06 AM
@JJ7 since @heatherDFIR didn't answer your question from yesterday, I'm happy to inform you that we'll be moving from DAR to CAR (Cellebrite ARchive) 🚗 and then on to a BAR 🍺 and at the end of the night into a TAR (Taxi ARchive) 🚕 or maybe a ZIPpy coat and scarf 🧣 if it's chilly for a walk home... Happy Friday everyone from all of us @Cellebrite ! Be safe... (edited)
😂 8
🤣 5
🤯 1
Avatar
natalied4784 4/17/2020 8:55 AM
Does anyone have experience with AT&T text message content from a search warrant return? Trying to figure out the best way to view it
Avatar
Is the only way to acquire iOS emails through a full file system acquisition?
9:02 AM
I did a logical with axiom and I’m not seeing email messages.
9:03 AM
@Magnet Forensics
9:07 AM
This is an IA invest so I doubt the suburb near me with GK will do a full file system for me. Same goes for USSS with cellebrite premium. 🤷🏼‍♂️
Avatar
Only thing I was able to pull was proof through interactionC. Sender / Date & Time etc. in zinteractions/zcontacts
Avatar
Is the only way to acquire iOS emails through a full file system acquisition?
@dfir_rick do you have cellebrite, I understand some colleagues in the private sector have had luck with their checkm8 method
Avatar
My secret service field office has cellebrite premium. I ended up speaking with IA, the victim sent the emails to them already.
11:02 AM
I was able to tag interactionC data pertaining to that contact and that was enough for them. Along with the actual emails from the victim.
Avatar
Anyone successful at imaging a Samsung J7s (physical) (edited)
Avatar
@JJ7 we are moving to a new format where we aim to include maximum metadata, while maintaining a high degree of cross-compatibility with other tools. We are still finalising the design, however it will be based on a ZIP archive with a set of attributes available as in-archive metadata files in an openly documented format. The above choices are targeted at ease of ingestion to any 3rd party tool or community effort around the format. (edited)
nateY 1
💯 2
👍 6
Avatar
@jifa Cellebrite UFDR format is still based on ZIP :). But please keep the UFED Reader or a similar free viewer software, my clients (Police, judge, other offices) really like the Reader.
Avatar
@tiborsz888 Sure. Keep in mind I'm not talking about a report format, but an extraction one. Reader stays 🙂
👍 2
Avatar
nice
Avatar
@jifa Can I ask a question about UFED improvements? 🙂
Avatar
Anyone know if it's ever been suggested/requested/know if it's possible that once a mobile extraction has been opened in @Cellebrite, a file is stored or such that allows it to be opened quickly and not have to be decoded every time you need to reopen the dump? It becomes a massive time investment when you have to re-open many large mobile phone extractions (can be an hour or more per one). Would be super nice to have something that allowed you to quickly reopen extractions, even a feature which you can turn on or off if you don't want extra space used for this feature. (edited)
👍 6
Avatar
Until a dedicated feature for this is released, you could get pretty close by generating a UFDR report. To get the entire filesystem(s) in the report, be sure to also include "Uncategorized" data files when generating the report, as these are not included by default. UFDRs will load much faster than the original extraction, since no decoding is performed (all decoding results are already stored in the report). One limitation of this method is that memory images are not included, but decoded results from carving processes will be included, so make sure to get all you need from unallocated space before generating the report (e.g. make sure unallocated carving is enabled in the settings, or use the image/location carving tools).
Avatar
Also on that one make sure grouping / merging is unticked otherwise you will not be getting the full picture in the UFDR
👍 2
Avatar
@3X3 This is one of the reasons why we create a UFED Reader version right away and i tend to work from that, especially after a GK image is parsed.
10:08 AM
Has anybody had any luck adding iOS memory (ram) to UFED, Axiom etc. and been successful parsing any usable data from them ?
Avatar
In case anyone is interested in finding and parsing Realm databases in iOS, I did a quick blog and video about the iOS Houseparty app. Blog: https://abrignoni.blogspot.com/2020/04/ios-houseparty-app-more-realm.html Video: https://www.youtube.com/watch?v=MmZl4rxz3q8 Thanks to @CLB_joshhickman1 for his iOS test images. 💗
Short version: The Houseparty app keeps user generated data in in the following Realm database: /private/var/mobile/Containers/Data/Appl...
👍 3
Avatar
Andrew Rathbun 4/20/2020 10:47 AM
Nice work as always @Brigs we need more 13Cubed walkthrough style videos in this field IMO
🥰 1
Avatar
I plan on doing one on how to add artifact parsers to ALEAPP & iLEAPP so folks can code their own. Working now on merging the codebases from both so the artifact parsing generation process is uniform.
👍 3
Avatar
So... I have a full file system from an iPhone download using Checkm8te. We know, on the day the phone was seized, the subject had a Snapchat video on the device...but now I am unable to locate it in the @Cellebrite file that I am looking at. Can anyone provide me some insight, or point me to reading material, so I can better understand what I am looking for and potentially, if possible, extracting video evidence from the device.
Avatar
I am looking at Snapchat ( 10.78.1.0 ) on a Samsung S7 ( android 8.0.0 ) . In the file_manager is a folder called chat_snap. Anyone know what kind of files are stored here? Especially those with extension chat_snap.X
Avatar
CLB_joshhickman1 4/21/2020 4:13 AM
@EFU003 what does the file header look like?
Avatar
Files ending with .0, .1 (and possibly .2 etc.) are usually a form of a request cache. The .0 file will generally contain information about the request (e.g., a url that was requested using http, possibly including headers and POST data). More generally you can look at this as the cache key. The .1, .2 file will generally contain the responses. For example, in your case (judging by the icons PA shows), the .1 file is a video, and the .2 file is an image.
👌 1
🔬 1
Avatar
SomeCallMeTim 4/21/2020 9:31 AM
Does anyone know the best way to import a .csv file that contains messages and other data into an easy to view report, like UFED Reader? I have a TextNow search warrant return and the investigator would like to be able to review the data easier. I appreciate it.
Avatar
@CLB_joshhickman1 See file header info attached
Avatar
forensicmike @Magnet 4/21/2020 3:57 PM
@EFU003 chat_snap.0 is a JSON array of strings... chat_snap.1 sure looks like an MP4 🙂 and chat_snap.2 audio? I'd start with just renaming .1 and .2 to .mp4 and .wav respectively and see if they work
👍 1
3:58 PM
Think @Orb nailed it (as usual) 🙂
Avatar
randomaccess 4/21/2020 5:08 PM
@SomeCallMeTim try Eric's TimelineExplorer. You may need to play around with the input a little bit but it works pretty well
Avatar
For some time now, I've been manually editing my .UFD files to include additional information in my reports that @Cellebrite Physical Analyzer doesn't include with GrayKey extractions. In the latest version of PA, they seem to be now including some hash or identifier in their generated UFD files that verifies if it has been changed. I can see the additional data in the UFD file itself (which used to be purely a text file). An additional reason that I've manually edited them is so that I can include the SHA256 files and verify them within PA itself. But, now I get this within PA: "Extraction (UFD) file data integrity Corrupt". What's up with that? (edited)
Avatar
@chrisforensic I guess I’m a bit frustrated because I either don’t have the data I would like in my UFD (and the ability to verify the hash of my extraction) or I have something that says “Corrupt” that I then have to explain to a slew of various parties.
Avatar
@criley4640 it’s an additional checksum that we added to the UFD file
Avatar
@CLB-Paul I know it’s semantics but “corrupt”? How about “Modified”? Maybe I’m the only one but I use PA as one of my main reporting tools but import non-PA images frequently. I’ve been modifying UFD files for some time for various purposes. It’s not like it contains actual evidence. Why checksum it? Is this a problem?
Avatar
Good point for modified vs corrupt. There were numerous requests for tightening down the security aspect of the ufd files
Avatar
Can anyone tell me if it's possible to tell if a video file has been viewed on an iPhone using the native Photos application and if so where would I find this information? iPhone 7, running iOS 12.3.1. GK Full File System extraction, decoded with PA and AXIOM.
Avatar
@Orb @forensicmike @Magnet Thanks for your input. Much appreciated. Any thoughts on how files end up in the chat_snap folder. ( user input? )
Avatar
I couldn't find "chat_snap" folders in our snapchat dump repository, but now that you shared the content of the .0 file, I can guess that maybe this is some kind of media overlay. Snapchat has some features that can overlay an image on top of a gif/video (e.g. https://support.snapchat.com/en-US/a/cameos), so this might be related to that. If you open the video (you can rename to .mp4 like @forensicmike @Magnet suggested) and the image (rename to .webp) and view them, you might get a better sense of what happened there. (edited)
Avatar
@Magnet Forensics Hi, can someone explain to me what the state (0 or 1) is in the sleepdetection.db
Avatar
A colleague of mine has discovered incriminating google app searches (iOS) within recentsarray.plist, @Magnet Forensics AXIOM has managed to decode the web history found within recentsarray.plist, but not the google app searches and timestamp. Can anyone assist on the best way to parse data from recentsarray.plist?
Avatar
@Dam I have sent you a DM
Avatar
Also does anyone have a script for app SayHi? Database is sayhi_pad.db
Avatar
Hi there, anyone from @Magnet Forensics around for a DM? Got a tagging issue...
Avatar
sue @JMK
👍 1
Avatar
Location question: I have a file system from an iPhone running iOS 13.2.3, and I'm looking at the Cloud-V2.sqlite database (com.apple.routined). Two locations are recorded within one second of each other - but the locations are 12 miles apart. Any explanation for this? This data was found in the ZRTADRESSMO and ZRTMAPITEMMO tables.
Avatar
@jd1345 if it's cloud data it could be the same account used by two devices?
Avatar
https://artifacts.magnetforensics.com/CommunitiesArtifactExchangeHome is now back up and working if anyone needs the documentation.
11:57 AM
@SDB @sholmes https://artifacts.magnetforensics.com/CommunitiesArtifactExchangeHome is now back up and working if anyone needs the documentation.
Avatar
@Dam I suppose that could be a theory - but in this case, since neither of the locations are the owner's home, it would mean that the owner has one device while someone else has a second device tied to the same cloud account and both pinged different locations within one second of each other. While I can't verify that the cloud account was not used on multiple devices simultaneously - I don't think the scenario of a second person being in possession of a second device is likely. (edited)
Avatar
@jd1345 https://www.mac4n6.com/blog/category/update there is an article about your database
Avatar
@Dam - That was the first place I looked, but this was all that was mentioned about it... unless I missed something: "Routined Databases changed a bit in iOS 13. Cloud.sqlite is now Cloud-V2.sqlite. Most modules did not need to be updated; however a new table was introduced ‘ZRTMAPITEMMO’. Modules were updated to include this data as well as a new separate Map Item module"
Avatar
Yes and if it's the cloud.sqlite you can find that it's synced significant locations
👍 1
1:12 PM
But I can not help you more on your case 🤷🏼‍♂️ I never had to deal with this database
Avatar
Anyone had any issues trying to export ProjectVICS from an AXIOM 3.11 case created from a scan of two GK images? @Magnet Forensics
Avatar
anyone successful at extraction of moto g7?
Avatar
@busted4n6 sent a DM.
Avatar
@Magnet Forensics Any chance you could look into this? You have partially decoded the relevant data from this file, which is great; but not all of it. We're trying to figure out the best way to parse out the rest of the data.
(edited)
Avatar
Hi guys I have an issue with a telegram db and maybe anyone knows a solution to this: I have a cache4.db from a physical extraction. It is 136757248 bytes in size but the row count is zero in UFED. I can't see the structure when opening in UFED DB-Viewer or any other regular viewer. Sanderson Forensics Browser will parse the DB and the WAL and its pages, but will then not show any information about tables, sqlite_master or anything else. Sanderson Explorer will not show me anything. I can see in a hex viewer that there is in fact some content, also telegram will show me the content live on the running phone. Any clues? Many thanks! (edited)
Avatar
Try running Brigs' script teleparser on the db? @Luci @Brigs (edited)
1:31 AM
Avatar
Traceback Error: self._sqlite_db_cursor.execute('SELECT * from chats') sqlite3.DatabaseError: database disk image is malformed
Avatar
@Luci no idea what that means.. keep me posted if you find out will ya?
Avatar
@Luci is the db file corrupt if so you can try this command #sqlite3 cache3.db ".dump" | sqlite3 new.db also: a nice blog here https://dflab.blogspot.com/2019/01/cache4db-file-of-telegram-for-android.html?m=1
Maksym Boiko, mboiko25@gmail.com, Kyiv, 2018 Telegram-for-Android-Boiko.pdf (ukr., укр.) TABLE OF  CONTENTS INTRODUCTION 1. L...
3:48 AM
be mindful that the .dump will have some data loss
Avatar
@pa8432cman sending a DM
Avatar
@Pacman
Avatar
Not even kidding I was waiting for you to finish your sentence, until I realised you pinged me on behalf of the person who tried to tag me 😂 @OllieD (edited)
😂 1
Avatar
Hahaha, sorry!
Avatar
Crabbers (Chris) 4/23/2020 10:23 AM
@Luci may be a red herring but if it looks like a genuine sqlite3 file you might want to check the version of sqlite you're opening it with (and those tools ship with). Some databases created with older versions can't be parsed by newer versions. Try downloading an old version of e.g. dbbrowser from like 2018
Avatar
Is anybody familiar with "gyrocal.db" in iPhone? I have the "biasX" and "biasY" of a time and date I'm looking at. I'm just not sure how to reformat the coordinates. They're listed in the database as "0.#########".
Avatar
I'm not so sure anymore that it contains actual location data.
Avatar
bizzybarney 4/23/2020 4:46 PM
path to the file @LawDawg ? biasX and Y sounds like gyro records that typically are recorded from device movement data. doesn't sound like location data based on what you provided.
Avatar
@bizzybarney Yeah, it dawned on me when I realized what the db was referring to.
4:47 PM
I just can't find any of the usual location databases.
Avatar
bizzybarney 4/23/2020 7:19 PM
@LawDawg Cache.sqlite, Cloud-V2.sqlite, Local.sqlite? Extraction type matters, but those should be your native front-runners for iOS locations.
Avatar
It's an iPhone XR with 13.4.1. The little gray box we do not speak of does not support it yet so I did a logical thru physical analyzer
Avatar
Can anyone help, I'm pulling my hair out!? I have a 1 minute 20 second video on an iPhone 7 running iOS 12.3.1 in .MOV format, then 3 minutes later I have what appears to be a duplicate of the video but in MP4 format - both sitting in 'All Photos' and in the default location /private/var/mobile/Media/DCIM/100APPLE. A manual review of the handset also shows the .MOV video sat in an album labelled Snapchat (although the iPhone in question actually has 4 Snapchat albums???) The videos are named IMG_0357.MOV and IMG_0358.MP4 and appear to be roughly in the correct sequential order as if they were created on this phone. I have reviewed the decoded data in both UFED PA and AXIOM and I cannot establish how this video ended up on the phone or why it would be in two different formats. I have tried to recreate the scenario with a test device with no luck 😦 I am being asked two questions... how did the video end up on the phone and was it ever viewed. I'm stumped on both counts. Any help would be most appreciated.
Avatar
Andrew Rathbun 4/24/2020 3:40 AM
If you don't get an answer here I would highly recommend emailing them and posing the same question. Lawenforcement@snapchat.com. I've had to ping them on technical questions before and I was met with success in times past
Avatar
At a guess the user has recorded it in sc but selected save to camera roll and memories
4:15 AM
The mov copy is the camera roll one?
Avatar
bizzybarney 4/24/2020 4:19 AM
@blake-ee you can probably find an answer to the question in /private/var/mobile/Media/PhotoData/Photos.sqlite. ZGENERICASSET and ZADDITIONALASSETATTRIBUTES join on their Z_PK, but just viewing the tables can show you info about original file names, durations, if it was shared, added, created, modified, deleted times, etc.
👍 1
Avatar
@bizzybarney Thanks for your help, I'll look into the Photos.sqlite db (edited)
6:50 AM
@busted4n6 The .MOV exists in the camera roll and Snapchat album. The MP4 also sits in camera roll.
Avatar
I think if you save a file from Snapchat it saves as an MP4, but on my phone it saves with a full file name rather than an IMG_ filename.
Avatar
Yeah, I've been playing around with a test iphone and it does save as an MP4
Avatar
So it’ll be something to do with taking the video (if you take it with snapchat, it ends up in the snapchat album) and then going into memories and saving it to gallery. But I couldn’t get the file names to add up. But then if you’re doing a method 1+2 aren’t the file names changed anyway?
Avatar
Could they have taken the video and then uploaded the video into Snapchat?
8:07 AM
Snapchat then converted the video to MP4?
8:07 AM
@blake-ee
Avatar
I've just tested that possibility but the filename & path totally changes.
Avatar
Are the file names on the device the same as the file names you get when you do the extraction?
8:29 AM
Also is your test device running the same iOS and snapchat version as the subject device?
Avatar
Can anyone provide any insight as to how Cellebrite obtains its BSSID location data? I have an iPhone file system in which the phone GPS puts the phone in one state (where owner lives) and the BSSID location puts it 4 states away, AT THE EXACT SAME TIME. I can 100% verify the phone never left the owner's residence during this time. Further investigation using the WiFiNetworkStoreModel.sqlite for this particular BSSID (also at the exact time mentioned above) records Geo Coordinates that put it in the same location as the GPS coordinates. How can I explain the erroneous BSSID that puts the phone in another state on three different occasions? Regretting downloading that database 😉 (edited)
Avatar
@Aaron The extracted filenames are the same as the names on the handset. iOS version is the same but the snapchat version on the test phone is newer. Is there a way to install an older version like in Android to be able to accurately test?
Avatar
I don't think so (unless anyone knows if you can do this after jailbreaking) :/... Until I tested today I thought anything saved in the gallery got a IMG_Sequential number filename!
Avatar
Need someone really spun up on device location data parsed by Cellebrite 7.32 of an iPhone 7+ running 12.4
Avatar
@jd1345 My best guess is that it comes from something like https://wigle.net/
Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.
2:30 AM
And since pretty much everything is subject to changes all the time, I wouldn't put too much emphasis on it.
2:34 AM
We had a case where a phone was connected to what turned out to be train wifi in the Netherlands, but it showed up in Great Britain. The train was operating across multiple countries or it had been sold. Either way it took quite a few hours of investigation and we ended up not being able to use the data... 🙂
Avatar
@jd1345 your phone is mapping WiFi hotspots for mapping services in the background. Now imagine that mapped WiFi hotspot moving to another location (e.g. exhibitions, or people simply moving) and stuff like this can happen
3:16 AM
should not happen with cell IDs but they can be kilometers away too
Avatar
This was a Wi-Fi network the phone auto joined - and has joined many times. Just trying to figure out how the BSSID from Cellebrite gives me geo coordinates in New York while at the same exact time the GPS of the phone AND the geo coordinates for this network in the WiFiNetworkStoreModel database give the coordinates of the owner's home in Maryland. That's more than a few km away 🙂 (edited)
5:06 AM
I did check WiGLE - nothing for this network. I have a feeling it is the owner's home Wi-Fi - but will need to confirm. The owner did not live in NY.
Avatar
bizzybarney 4/27/2020 5:11 AM
Let's not forget that the BSSID from Cellebrite is to enrich your data - it isn't your data. Don't lose focus on the evidence and data that absolutely was extracted from your subject's device.
Avatar
@bizzybarney - understood. But if it conflicts with my data -I need to explain it and understand why.
Avatar
bizzybarney 4/27/2020 5:28 AM
I get it. I'm sure @Cellebrite can offer some clarity on how the data is sourced for you.
Avatar
Hey on this same running theme how does the "confidence" level affect things? I got a case where geo location is pretty critical. And I got some GPS tags that say 26 for confidence. Is that like a half mile radius or something?
Avatar
Confidence is usually treated as "How confident the service provider is that the device indeed lies in the calculated location (%)"
Avatar
As opposed to "Precision", which can be roughly translated to a radius
Avatar
bizzybarney 4/27/2020 6:42 AM
@Orb are you able to take the question above on where the BSSID data is sourced from to clear up a discrepancy on BSSID enrichment vs data on device?
👍 1
Avatar
I'm pretty sure BSSID location data enrichment is coming from an externally maintained database, something like wigle.net which was mentioned earlier.
Avatar
@Orb - I searched every way I knew how on Wigle for this particular network - and came up with zero... so maybe from something else?
Avatar
@Orb so if something is 26 confidence I should what take it with a grain of salt?
Avatar
@Cellebrite if I am using PA 7.32 for an iPhone 7+ running 12.4 and I got a full file system extraction. I see some location data that Cellebrite says is a GPS Fix coming from the com.apple.routined/cache.sqlite-wal. Is this, say, possibly off by half a mile or so? It has a confidence level of 26. The only data it gives is timestamp, position and confidence. And of course the source file listed above. (edited)
Avatar
@Palazar82 what's the source of this location? Is it routined on iOS? Or is this a carved location?
Avatar
Routined
Avatar
lol that answered my question before i could ask it 😄
Avatar
Sorry lol
Avatar
I could find this source with some interpretation of the confidence field:
7:51 AM
– Introduction – iPhoneTracking is sexy!!! Every mobile forensic suite, at least the ones dealing with iPhones, are providing it proudly. iPhoneTracking also has been a hot topic in the…
7:51 AM
The article is from 2011, but the names of the fields are pretty much the same today (edited)
Avatar
Awesome thank you. I found that article last night but wasn't sure if it aged well lol.
Avatar
But even that article doesn't really explain how they found out the exact meaning of "confidence"
7:52 AM
So I would take it in a relativistic manner:
7:53 AM
I don't know what 26 means, but it is worse than 90 and better than 10 😄
Avatar
Hahaha yeah that sounds about right. So without any other artifacts to support it, I will say it's a lead to follow, but don't expect me to testify the phone was 100% at that GPS fix.
Avatar
@blake-ee did you get an answer to your Snapchat question? I was reading it and would suggest trying the extraction/parsing in Blacklight or using iLEAPP or something that will give you the extended attributes for the particular files. And try using the programs on a Mac if you have access to one. I love PA but it's not yet parsing all of the extended attributes for the files and messages. Sarah Edwards' APOLLO program might also work to give you some of the nuanced details.
Avatar
anyone have the validation testing done on Torrential Downpour?
Avatar
@pcsdcell I have tried to load the GK extraction into Blacklight, however it has been going for over a week (seemingly stuck!!). I have run some of the APOLLO queries over the KnowledgeC, however the data stops on the 8th May 2019 and frustratingly I require data from the 2nd May 2019. Is it right that the KnowledgeC only holds data for around 30 days?
Avatar
Deleted User 4/28/2020 1:50 AM
@jd1345 likely the person moved. If not, check the BSSID MAC address in the saved WiFi in Maryland and see if the MAC address matches the one in NYC. Could be two separate routers with the same name. Third option (assuming it's an Android) is that they are using a spoof GPS app and letting it run in the background. This definitely could give a false hit, and the only way to cross reference that is to check geo locations of BSSID routers that the background service has listed as being nearby.
Avatar
Thanks for the suggestions @Deleted User . I know the person has been living in the MD area for at least four years (likely more) and the MAC addresses are the same. It's an iPhone and there isn't any intention on the owner's part to spoof or obscure locations.
Avatar
Hi, got a question on UFED PA PDF reports of chats. Within the chat folders for the generated PDF report, the txt files containing the different chat conversations are named "chat-<number>.txt". I noticed that sometimes numbers are skipped, so for example there's chat-1, chat-2, and chat-4 but no chat-3. Sometimes the gaps are much larger like chat-10 then chat-30. Does this mean that there were conversations that were deleted from the phone and weren't able to be recovered? There are conversations that PA shows as deleted but they are still included in the report, though. So, just wondering how the naming convention worked and where the numbers came from?
Avatar
anyone have the validation testing done on Torrential Downpour?
@4N64LIFE Likely there is none, although a Judge in Arizona did allow a defense expert access to TD (I am not sure if he ended up performing a review). See this article for that reference and for some additional info. https://www.propublica.org/article/prosecutors-dropping-child-porn-charges-after-software-tools-are-questioned. If you have only received the summary.txt file, you can request more logs. You should be able to be given the following files, which will have more details about the requests to download pieces from the target and confirm the direct connection to the IP. I get that it still doesn't validate the tool.
(edited)
Avatar
@uochaos I have examined TDR many times before and am very familiar with the log files, the pcap, self authentication of the files, Erdley's testimony re the program, user manuals being copyrighted and about every piece of this. The one thing I have never seen is the validation testing by a private company that was cited in one case. Am interested in the validation testing. Also, regarding Jack's article, I have all 12 cases where they were dropped and have analyzed them all. The real question is who or what company performed the validation testing.
Avatar
@Cellebrite I've had several iPhones where in Facebook Messenger chats the sender is 'Unknown' for all text messages. If i run the app in App Genie it parses with correct sender information. PA 7.32, lightspeed version of Messenger Is this a known issue or might I be doing something wrong? (edited)
Avatar
@Oscar Hi, it appears to be a problem; I have just had the same issue.....
Avatar
@Cellebrite Had the same problem with Snapchat on an iPhone just now: PA parsed contacts but not chats, App Genie got both. PA has been able to parse it before, if I'm not going insane (?). (edited)
Avatar
@4N64LIFE it would seem in LE’s best interest to seek independent validation from NIST or E&Y or elsewhere.
👍 1
Avatar
@Oscar Hi I just ran the extraction through Axiom got all info sender and receiver
👍 1
Avatar
@Cellebrite (Or anyone) Is there some source of information about the artifacts "Last time contacted" and "Times contacted"?
Avatar
@Oscar, what is the version of Snapchat and Facebook Messenger Lite?
Avatar
@alona Not Messenger Lite, lightspeed as in a new version as I didn't have the exact version at hand at the time. It was Facebook Messenger version 206046776 Snapchat version 10.72.0.61 (edited)
Avatar
@Oscar, thank you
Avatar
@alona Discovered issues with Messenger in another iPhone as well, Facebook Messenger version 183109993 did not decode messages at all, shows an error in trace window while decoding. App Genie also fails. Axiom managed to show the chats so we know it's not empty
Avatar
Hello all. I'm trying to identify when an iPhone was placed into airplane mode. Any ideas? Perhaps a plist entry? Research so far has not produced an answer and has suggested it's simply a switch which is not logged. Identified actions to suggest network isolation at a certain time, but not definitive. Thanks. (edited)
Avatar
com.android.gallery3d versus com.sec.android.gallery3d: are they essentially the same thing? I have an extraction from an LG Stylo 5. We are finding CSAM images in the com.android.gallery3d file path. I am trying to get a better understanding of what exactly the gallery is, but when I Google it, I get results for com.sec.android.gallery3d. If they are essentially the same thing and I am understanding what I am reading correctly, it is merely a native app on the phone that assists with speeding up image browsing. However, it also appears that it may only deal with images that have been deleted. I am also trying to figure out if the path only deals with images that were taken with the phone or if it can deal with images that were obtained from other sources (specifically via TOR browser). We are seeing images (in the path) that we know are a local victim. However, we are also seeing images in the path that we are not sure if it is a local victim or obtained via the net. Any insight would be appreciated...
Avatar
deepdive4n6 4/30/2020 12:51 PM
@Cellebrite Anyone available to answer an Analytics Desktop question? Trying to determine, from FB warrant returns, what friends 4 users have in common.
Avatar
deepdive4n6 4/30/2020 1:01 PM
All the data is obviously there... either I'm not using the filters correctly, or the options do not exist to determine which person entities have more than one owner.
Avatar
randomaccess 4/30/2020 7:01 PM
@ddb_uk I would be looking in the powerlog and maybe the knowledgeC database. I don't have specifics for what to look for, but that is likely where I'd start, and test on a test phone
7:01 PM
@Brigs may know though, he's super smart
Avatar
Umm... Updated to UFED4PC 7.33 and got this from Windows Defender. Anyone else? @Cellebrite
Avatar
My bad, thanks.
12:21 AM
I just went to the exclusions and added the entire Cellebrite folder telling the AV to leave it alone and ignore it in future 😀
👍 1
Avatar
chrisforensic 5/1/2020 12:23 AM
@Stevie_C did this long time ago 🙂
Avatar
Good Idea guys. I will do that. Have a nice weekend 🙂
Avatar
@ddb_uk @randomaccess you can read this file: CurrentPowerLog.PLSQL, and in this table: PLBBAgent_EventPoint_TelephonyActivity; look at the airplane column. The data is on/off... Easy 😉 (edited)
👌 1
Avatar
randomaccess 5/1/2020 1:26 AM
There you go
1:26 AM
Also remember to look at the powerlog archives that are gzipped. Not sure if tools unzip them before processing the active powerlog
👌 2
Avatar
@sh4ka regarding chat view, a WhatsApp chat only shows one side of the conversation and the whole chat is coloured (here we go trying to describe light brown 🙂) fawn / light milk chocolate instead of the normal blue / green. Is there any significance? Cheers
Avatar
oh sorry @8198-IZ54, I'm not a decoding guy at all, not familiar with that :) maybe someone else from @Cellebrite will be able to answer you
Avatar
Looking for options on older iPhones 5's with 4 digit passcodes. GK doesn't have support.
Avatar
@Ghosted what iOS is it? If it's low, iP box may be a goer
Avatar
probably low anything other than iP box?
Avatar
Thanks for the answers, much appreciated 👍 will give that a go.
Avatar
Hello guys, does anyone have info about this ? https://twitter.com/je5perl/status/1255972695327596548?s=19 (edited)
According to a late night press release from the Danish National Police, a mobile extraction tool has produced wrong timestamps on certain files. The vendor is not named in the press release, but the Danish police is known to use Cellebrite and XRY. https://t.co/wr8raubnq8
👀 1
2:21 PM
Which tool is implied?
Avatar
AzuleOnyx🛡 5/1/2020 6:48 PM
Oooo ... that's interesting
Avatar
deepdive4n6 5/1/2020 7:05 PM
@Ghosted Cellebrite has the User Lock Code Recovery Tool - it'll work if it's iOS 7.
Avatar
@deepdive4n6 that is right, going to try it.
Avatar
@forensicmike @Magnet Would I be able to get my hands on your python script for decrypting Private photo vault on ios?
magnetforensics_alt 1
Avatar
@Oxygen Forensics Isn't Oxygen able to parse a .ufd from a checkm8 FFS iPhone X 13.4.1? Getting the error "can't parse file structure"
Avatar
Still no info concerning the tool involved in bad timestamp decoding?
Avatar
@deepdive4n6 where is the unlock tool these days? I am struggling to find it in the new Cellebrite portal, anyone from @Cellebrite like to point me in the right direction? Or is it built in to 4PC or PA perhaps? (edited)
Avatar
Forensic@tor 5/2/2020 2:55 PM
Open the drop down arrows under each tool and look for add-ons.
Avatar
Andrew Rathbun 5/2/2020 3:18 PM
Last I checked that tool hasn't been updated in years.
@Ghosted Cellebrite has the User Lock Code Recovery Tool - it'll work if it's iOS 7.
@deepdive4n6 yeah that sounds about right. iOS 7 was quite a while ago
3:19 PM
I never got it to work when it was like a year or so since it was last updated. Seemed cool though. I'm sure I was doing something wrong knowing what I know now
Avatar
deepdive4n6 5/2/2020 3:58 PM
@Andrew Rathbun Neither has iOS 7 😉
😆 1
3:59 PM
It is finicky with webcam setup. I end up cutting out the bottom of a Dixie cup and using it as a light shield.
Avatar
@dd4n6DET56 everything that starts with com.sec.* is just a Samsung bundled package ("sec" is "Samsung Electronics Co."). So it makes sense that on your LG device you won't see that package. Each device vendor tends to make some modifications to the native Android apps, including the Gallery app, so if you find information on the com.sec.* variant, you should verify it carefully when trying to apply that onto other variants.
Avatar
dd4n6DET56 5/3/2020 7:01 AM
@Orb I forgot about the "sec" and Samsung association, so that makes total sense now. I'm still trying to figure out if the folder is a native folder or if it is an add-on. Given what I am reading, it looks to be native and nothing special. I've not seen it in the past, but I also have not had to dive this deep into images before.
Avatar
Obi-Wan-IP 5/3/2020 8:16 AM
Hi all, I have a case at court shortly that revolves around the use of an application that the user has since deleted, and the user has used Andro Shredder just to make sure on the device. I have been able to establish installation through looking at localappstate.db but then remembered covering the ContextLog.db in the SANS 585 course briefly, but I have some questions about it if anyone could help. Path=\data\samsung.android.providers.context\databases\ContextLog.db Firstly, are the logs recorded only when the user is actively using an app, or can background activity and system processes also create them? Secondly, I have some web history and email activity shown in UFED PA for a particular period, however there are no logs referring to either app in the ContextLog file at those times; why would that be? If anyone has some more detailed research on this file they are happy to share I would be very grateful. Many Thanks Karl
Avatar
@Cellebrite Hi, in UFED PA I can see some locations provided by com.apple.routined cache.sqlite. In PA it says GPS fix locations, but from this article https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/ I understand that it's more a cell location than a GPS location. Do you have more information about where these locations come from?
“Significant Locations” are an important part of the evidence logged on iPhones. Forensic experts doing the acquisition will try accessing Significant Locations. At the same time, many iPhone users are completely unaware of the existence of this feature. What are Significant L...
12:00 AM
@Elcomsoft
Avatar
@Dam We didn't find a way to determine what is the exact method taken or what resources were calculated by the routined daemon for each location record, but we believe it can be a combination of GPS with other resources when available. A hint for that can be taken from the Core Location framework documentation (https://developer.apple.com/documentation/corelocation): "The framework gathers data using all available components on the device, including the Wi-Fi, GPS, Bluetooth, magnetometer, barometer, and cellular hardware".
Avatar
@CLB-ChenK Thank you for the information. So the only thing we can say is that at this time the user's phone was somewhere near this point.... (edited)
Avatar
anyone know what this path relates to? data/data/root/sec/cloud/0/thumbnail from a Samsung S9. Colleague is asking. It's obviously thumbnails for a cloud account, but can anyone be a bit more specific?
Avatar
FATHEAD7466 5/4/2020 9:58 AM
Hello, I am trying to see if PA shows how many times a video has been viewed on an iPhone. The video was recorded but was used for an investigation; the officer was asking whether the phone would show how many times that video was reviewed? I have searched the board with different key terms, but not having any luck. Is there a link that anyone can send me to point in that direction?
Avatar
Need help with interpreting information found in the data_ark.plist iOS 13.2.3. "First Purple Buddy Completion" - is that the date the phone was set up for the very first time? Regardless of how many users? (thinking about initial setup vs Factory reset, phone passed on to another user and set up again) And the "TimeIntervalSince1970" value - what does that refer to? PA lists that as "Phone date/time"... Phone date and time for what? And the com.apple.smf-IDLastSeenAtBoot - unsure what that refers to. For example, I have a phone in which First Purple Buddy is April 12, 2018... TimeIntervalsince 1970 = Oct. 24, 2019 and IDLastSeenAtBoot is 4/10/2018 - how can that date be before first purple buddy? Trying to understand what the dates mean. Thanks! (edited)
Avatar
Andrew Rathbun 5/4/2020 11:12 AM
Hello, I am trying to see if PA shows how many times a video has been viewed on an iPhone. The video was recorded but was used for an investigation; the officer was asking whether the phone would show how many times that video was reviewed? I have searched the board with different key terms, but not having any luck. Is there a link that anyone can send me to point in that direction?
@FATHEAD7466 Does anyone know if this is even recorded anywhere? Like, is there an equivalent to Run Count in the Windows Registry but in iOS? Genuinely curious
Avatar
FATHEAD7466 5/4/2020 11:47 AM
I would have to look in the DB and data mine for that information. Got word that it has not been sought after before, nor that the phone would record it or display it. In video section it is labeled the amount of videos, but not how many times it has been reviewed. I am on the hunt, hoping someone had a similar issue.
Avatar
@Andrew Rathbun can you load it into Blacklight? Sometimes, with a full file system extraction (so you'd need to do a checkm8 extraction), you can get the unified logs and extended attributes of the files. I'm trying to get a demo now and can check for something like that.
Avatar
@Andrew Rathbun yeah, looks like with blacklight you can view all the spotlight artifacts, which include a crazy extra amount of data. So, in the example on their webinar, they show you can see things like "kMDItemUseCount" which may indicate how many times the file was used/viewed in the case of a video file. I'd suggest, if its super important, doing a quick test on another phone. Record a video, watch it 4-5 times, then do a checkm8 extraction, and see if you can load it into blacklight to confirm that is what the kMDItemUseCount column truly represents.
BlackBag 1
Avatar
Andrew Rathbun 5/4/2020 1:52 PM
@FATHEAD7466
Avatar
FATHEAD7466 5/4/2020 2:41 PM
@Andrew Rathbun can I use XRY or Axiom instead? We don't have Blacklight as of yet.
Avatar
Andrew Rathbun 5/4/2020 2:44 PM
Those are questions for @MSAB and @Magnet Forensics
Avatar
forensicmike @Magnet 5/4/2020 2:54 PM
@FATHEAD7466 Check this video from Trey Amick. https://www.youtube.com/watch?v=OC7hfg9Eem4 And a big +1️⃣ to @pcsdcell's note on validation/testing! (edited)
magnetforensics_alt 2
Avatar
kMDItemUseCount is indeed what it sounds like. It indicates how many times that file was opened on that volume. However, the count always starts at two, so you have to -1 to obtain the figure
👍 1
👌 1
Avatar
FATHEAD7466 5/4/2020 3:11 PM
Ah yes, I will go and open a FFS to hunt for it. Thanks will update the results.
👍 1
Avatar
@Blighty good info thx!
Avatar
When looking at the knowledgeC.db does anyone know what the difference is between the ZOBJECT.ZSTREAMNAME "/keybag/isLocked" and "/device/isLocked"? I can't quite grasp the concept of what a keybag is, and I'm wondering which one to rely on to tell me if the device was sat in a locked state.
Avatar
Apologies if it's been asked before, I'm looking for reference info regarding "power on events / device events" in UFED PA: what do they represent? Can't see anything in the manual...
Avatar
In UFED4PC v 7.32.0.16 I'm getting an error in the trace window saying 'Dump is partial. some content may be missing'. Does this refer to the entire dump or just the partition that it is currently trying to parse? @Cellebrite (edited)
Avatar
@Majeeko I would assume it would refer to the HIDDEN partition in this case, which usually doesn't store anything important
Avatar
That was my assumption too but just need to be sure.
Avatar
@Majeeko The only possible clarification would be that it could be a cloud from Samsung?
Avatar
@rico Thats sort of what we deduced in the end seeing that you need root to access data/data. Thanks for confirming though.
Avatar
torskepostei 5/5/2020 4:11 AM
anyone know what this path relates to? data/data/root/sec/cloud/0/thumbnail from a Samsung S9. Colleague is asking. It's obviously thumbnails for a cloud account, but can anyone be a bit more specific?
@Majeeko Did you ever find what app was linked to that folder?
(edited)
Avatar
@torskepostei Not definitively, the working theory was thumbnails for Samsung cloud
Avatar
torskepostei 5/5/2020 4:46 AM
The exact same path came up in an internal discussion here as well. Google did not return anything useful, I'll see if any of our testphones can give an answer.
Avatar
It was a colleague from a different unit that asked me, that seemed like the most logical answer.
Avatar
Mistercatapulte 5/5/2020 5:02 AM
New PA out!
👌 1
Avatar
@Mistercatapulte 👀 👍
Avatar
Does anyone know of a good reference guide for the KnowledgeC ZOBJECT results on an iOS extraction? Specifically looking at what the parameters attached to Activity Level may be as examined in ArtEx by DoubleBlak. I have Activity Level (1.0) and Activity Level (8.0) and would like to learn what the levels in parentheses mean. Extremely new to SQLite and this deep of a dive into the databases for an examination, but I think these two records may be pertinent to this case, so I am hoping to better understand them. Thank you
Avatar
Still hoping for insight into the data_ark.plist time information. I'm even more intrigued as the new version of @Cellebrite PA has removed "Phone date/time" from the Extraction Summary in the new release. Below is my original question posted yesterday. Need help with interpreting information found in the data_ark.plist iOS 13.2.3. "First Purple Buddy Completion" - is that the date the phone was set up for the very first time? Regardless of how many users? (thinking about initial setup vs Factory reset, phone passed on to another user and set up again) And the "TimeIntervalSince1970" value - what does that refer to? PA lists that as "Phone date/time"... Phone date and time for what? And the com.apple.smf-IDLastSeenAtBoot - unsure what that refers to. For example, I have a phone in which First Purple Buddy is April 12, 2018... TimeIntervalsince 1970 = Oct. 24, 2019 and IDLastSeenAtBoot is 4/10/2018 - how can that date be before first purple buddy? Trying to understand what the dates mean. Thanks!
Avatar
Does anyone have any experience decrypting a Telegram database? There are two dict entries in the backup_keychain.plist for the device acquisition that include "telegra," but one that was created at the same time in between those two entries. When I decode the v_data entry for that dict entry, it is exactly 64 characters, so my suspicion is that it is the decryption key, but when I try to use it to decrypt the database using DB Browser for SQLite, it doesn't work. I'm thinking the SQLCipher settings are wrong. Also - apologies if this isn't the appropriate thread for this. I'm new to this Discord server, and to digital forensics in general.
Avatar
@gh0st1933 Which database file are you trying to decrypt?
Avatar
It's db_sqlite located here: DarArchive/root/private/var/mobile/Containers/Shared/AppGroup/{Application GUID}/telegram-data/account-GUID/postbox/db/db_sqlite
Avatar
I think that database shouldn't be encrypted
Avatar
There are also two other databases under accounts-metadata for that application, which probably contain valuable evidence, but for now I believe the postbox db contains the actual messages.
8:59 AM
We thought it was strange too, but it came through encrypted.
9:00 AM
I'm wondering if it's because Telegram came up with their own encryption protocol: https://nourbakhsh.ir/wp-content/uploads/2015/11/jakobsen-master-thesis-telegram.pdf
Avatar
Hmm... interesting. Do you know the app version? How did you determine it was encrypted?
Avatar
UFED has the application version as 15907
9:02 AM
Any DB browser is prompting for encryption passphrase or raw key
Avatar
Telegram encrypts all communications, but as far as I'm aware (and I could of course be wrong or not up to date), it doesn't encrypt any storage
9:02 AM
DB Browser suggests that a database is encrypted for any file that it's not able to open
9:03 AM
So that doesn't necessarily mean the db is actually encrypted
Avatar
Hmmm. Any idea why it won't open?
9:05 AM
We've tried viewing in Cellebrite, DB Browser, and a couple of other ones.
Avatar
Maybe just a corrupt file? Bad extraction?
9:07 AM
It's a good idea to try and open the file in a hex editor and check the entropy of the data (how "random" does it look).
9:07 AM
files with high entropy (very random looking) are more likely to be encrypted
9:08 AM
but if you see a lot of zeros in there, it's most likely some kind of corruption
Avatar
Pretty random, although you can see the SQLite3 file header
9:09 AM
The account dbs it looks like we can view in the database browser. In Cellebrite the DB browser icon is grayed out for the postbox db though.
Avatar
Deleted User 5/5/2020 9:12 AM
How'd you get ahold of cellebrite if you're a student?
Avatar
I'm an intern?
Avatar
Deleted User 5/5/2020 9:12 AM
ah, gotcha
Avatar
oops didn't mean to include the question mark
Avatar
Deleted User 5/5/2020 9:12 AM
it just seemed a little sassier with the ?, all good (edited)
😆 1
Avatar
Very interesting... Did you put on the .hxv extension or was that originally there?
Avatar
probably need to update my role too, because I graduated this week 🙂
Avatar
Congratulations 🙂
Avatar
no the hxv was added by sublime text
9:14 AM
I need to do some more application testing. Is it possible the user can set an additional password on their messages? maybe stored messages aren't encrypted by default but you can opt for them to be? (<----noob)
Avatar
I followed the manual process outlined here (we don't have a GrayKey, but these dictionary entries are also in the backup_keychain.plist that Cellebrite generates): https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey. That's how I was able to locate what I assume would be the correct key. Maybe Magnet didn't include Telegram, because this doesn't work for it? Telegram's iOS code is open source, so I wonder if the correct SQLCipher settings could be discerned from that.
Avatar
so, very surprisingly, that does actually look like something SQLCipher would do... The first 32 bytes contain the original plaintext data, and after that it just looks random
Avatar
There are a ton of SQLCipher references in the app's source code
Avatar
criley4640 5/5/2020 1:59 PM
There are a ton of SQLCipher references in the app's source code
@gh0st1933 I'm banking that they took a page from Signal and encrypted their DB. Signal does the same thing, plaintext header of 32 bytes. The decryption key for Signal is stored in the keychain. I bet it's the same for Telegram. Methinks you might try to find something similar to the Signal key for Telegram in the keychain. It should be 96 hex characters in length, maybe with a leading 0x in front of those.
Avatar
Hey, @criley4640 ! We've found the key and now we're just trying to get it to work.
2:00 PM
It's stored in a file called .tempkey in the root of the application data folder
2:01 PM
it has a 32 byte key and 16 byte hash
2:01 PM
Now I'm just having trouble getting it to decrypt using SQLCipher. It just keeps telling me it's encrypted.
Avatar
criley4640 5/5/2020 2:01 PM
Hey, @criley4640 ! We've found the key and now we're just trying to get it to work.
@gh0st1933 awesome. make sure you're using the latest nightly build of DB Browser (SQLCipher version). I spent hours on Signal using the release version and it doesn't let you specify the plaintext header length.
Avatar
I'm worried I may have some version issues going on. The database was created on 11/23/2019. So it would most likely be using SQLCipher 4, right?
Avatar
criley4640 5/5/2020 2:04 PM
Are you on Win or *nix?
Avatar
I've tried in Kali and on Mac. I don't think Windows has an easy to use command line tool for SQLCipher.
Avatar
criley4640 5/5/2020 2:05 PM
Use DB Browser itself on Windows. Get the nightly from https://nightlies.sqlitebrowser.org/latest
Avatar
Cool. I'll try that! Thanks!
Avatar
criley4640 5/5/2020 2:06 PM
It has an easy to use GUI for opening the encrypted db. It will install two versions of DB Browser. Make sure you open the SQLCipher version (you'll see the two diff icons in the Start menu).
2:06 PM
Avatar
I tried with DB Browser on Windows, but I definitely could not find a way to change the page header. Telegram is using 32 instead of 16. So hopefully downloading the latest will work!
Avatar
criley4640 5/5/2020 2:09 PM
I tried with DB Browser on Windows, but I definitely could not find a way to change the page header. Telegram is using 32 instead of 16. So hopefully downloading the latest will work!
@gh0st1933 that's why you have to use the nightly version. The current release version of DB Browser doesn't support changing the plaintext header length.
2:11 PM
For reasons not worth explaining here, I'm trying to set up public data avatars in @Cellebrite Physical Analyzer. I have multiple FB, Twitter, and IG accounts with no 2FA that I've tried to use to set up an avatar and it tells me that the avatar is not valid. Yes, I have added a cell phone number to the Twitter account as per the CB Knowledge Base. None of my various accounts will validate. Anyone??
Avatar
It has an easy to use GUI for opening the encrypted db. It will install two versions of DB Browser. Make sure you open the SQLCipher version (you'll see the two diff icons in the Start menu).
@criley4640 This worked! I got it to open!!! thanks so much to you and @Orb . So the bad news for us is that Telegram is now encrypting their message database. The good news is that you can easily get the key with a full file system extraction. But, more bad news: it's all in blobs. On to the next hurdle. 🙂
Avatar
criley4640 5/5/2020 2:19 PM
@criley4640 This worked! I got it to open!!! thanks so much to you and @Orb . So the bad news for us is that Telegram is now encrypting their message database. The good news is that you can easily get the key with a full file system extraction. But, more bad news: it's all in blobs. On to the next hurdle. 🙂
@gh0st1933 sweet. At least I'm familiar with the process. Hopefully @Cellebrite , @Magnet Forensics , @Oxygen Forensics , et al can quickly update their tools to accommodate.
Avatar
forensicmike @Magnet 5/5/2020 2:28 PM
@criley4640 The .tempkey thing seems a bit low energy from Telegram 🤣
Avatar
@forensicmike @Magnet don’t ask for more hurdles 🙂
Avatar
criley4640 5/5/2020 3:14 PM
@criley4640 The .tempkey thing seems a bit low energy from Telegram 🤣
@forensicmike @Magnet Indeed. But I also agree with @CLB-Paul 🤣
Avatar
forensicmike @Magnet 5/5/2020 3:19 PM
Granted, it doesn't make much sense to try to be devious with an open source app.
Avatar
Yeah, kind of surprising. Glad we all got it figured out though!
Avatar
Andrew Rathbun 5/5/2020 3:42 PM
How cool. A cop, a former cop/current vendor and a student collaborating. Where else can you find that 🤘 @gh0st1933 @forensicmike @Magnet @criley4640
✊🏽 2
3:43 PM
And some Cellebrite folks too. Teamwork all around
Avatar
Pretty awesome experience for my first time participating! 😁 And even better, plain text messages in the blobs in one of the decrypted tables. Thanks, all. Great community. 💪
Avatar
forensicmike @Magnet 5/5/2020 4:15 PM
true story @Andrew Rathbun !!
Avatar
criley4640 5/5/2020 4:21 PM
For reasons not worth explaining here, I'm trying to set up public data avatars in @Cellebrite Physical Analyzer. I have multiple FB, Twitter, and IG accounts with no 2FA that I've tried to use to set up an avatar and it tells me that the avatar is not valid. Yes, I have added a cell phone number to the Twitter account as per the CB Knowledge Base. None of my various accounts will validate. Anyone??
@criley4640 since it may have gotten lost in all the Telegram discussion, anyone out there that can help?
Avatar
@gh0st1933 that's why you have to use the nightly version. The current release version of DB Browser doesn't support changing the plaintext header length.
@criley4640 Awesome tip about the nightly version! Didn't know that 🙂
Avatar
@gh0st1933 I'm banking that they took a page from Signal and encrypted their DB. Signal does the same thing, plaintext header of 32 bytes. The decryption key for Signal is stored in the keychain. I bet it's the same for Telegram. Methinks you might try to find something similar to the Signal key for Telegram in the keychain. It should be 96 hex characters in length, maybe with a leading 0x in front of those.
@criley4640 BTW, interesting trivia on why the plaintext header length is increased to 32 bytes in iOS apps can be found in the SQLCipher docs: https://www.zetetic.net/sqlcipher/sqlcipher-api/#cipher_plaintext_header_size Apparently iOS reads the headers of files in shared containers to check if they are DBs operating in WAL mode, in order to know whether it should allow apps to access them in the background. To not interfere with this check, app developers can choose to keep the beginning of the file header in plaintext 🙂
👍 2
Avatar
torskepostei 5/6/2020 4:05 AM
I can't get iLEAPP to run on windows, anyone had issues getting it working? Cloned the repo, pip install worked fine, but when running it against a .tar file it reports "No files found" for all types of stuff. VS Code shows an import error as well, can't seem to find the package filetype, but pip says it is installed. Not sure if this is some environment issue or if it is a bug.
Avatar
Andrew Rathbun 5/6/2020 4:10 AM
@Brigs
Avatar
Could it be a python 2 vs 3 thing?
Avatar
torskepostei 5/6/2020 6:27 AM
Hm, I could be on a too low version (3.7), readme says "This project requires you to have Python > 3.7 installed on your system."
Avatar
ed.greybeard 5/6/2020 6:35 AM
does it error when you actually run it?
6:35 AM
or does it run fine (just finds nothing)?
Avatar
torskepostei 5/6/2020 6:43 AM
@ed.greybeard Runs just fine, but finds nothing.
Avatar
ed.greybeard 5/6/2020 6:43 AM
huh!
Avatar
torskepostei 5/6/2020 6:43 AM
Finds 41 categories, but all return "No files found for <category>"
Avatar
ed.greybeard 5/6/2020 6:43 AM
so if you try "pip install filetype" on the command line, does it work ok?
Avatar
torskepostei 5/6/2020 6:45 AM
C:...\iLEAPP>pip install filetype Requirement already satisfied: filetype in c:...\python\python37-32\lib\site-packages (1.0.5)
Avatar
ed.greybeard 5/6/2020 6:46 AM
So that seems fine - just to definitely cross it off the list, I assume your tar is a full file system dump?
6:46 AM
It's not a backup or something..?
Avatar
torskepostei 5/6/2020 6:47 AM
Hm, let me check, I'm helping a colleague and didn't do the acquisition myself
Avatar
ed.greybeard 5/6/2020 6:50 AM
no worries. You could also open the tar and have a peek - does it start with the "private" directory? Or something else? 🙂
Avatar
torskepostei 5/6/2020 6:51 AM
Right, so I found the problem: it is an advanced logical acquisition - I just got the .tar file and assumed it to be a full file system 🤦‍♂️ (edited)
Avatar
torskepostei 5/6/2020 7:05 AM
Meaning the software works perfectly, there just is no information there to find 🙂
Avatar
ed.greybeard 5/6/2020 7:16 AM
so it's a backup?
7:17 AM
My friend, do not fear - there is still some stuff you might find. Luckily some guy created a tool recently to put a backup into a zip with full file paths 😉
7:18 AM
But it doesn't take tars (at the moment?) it just takes the backup directory itself
7:18 AM
Even though iOS full file system extractions are fairly commonplace the need to parse iTunes backups has not subsided. In many situations th...
👍 1
nateY 1
Avatar
My friend, do not fear - there is still some stuff you might find. Luckily some guy created a tool recently to put a backup into a zip with full file paths 😉
@ed.greybeard I totally endorse some guy's work on turning an iTunes backup into full paths format zip. Good stuff!!!😆 nateWM
Avatar
ed.greybeard 5/6/2020 7:39 AM
😉
Avatar
Adam Cervellone 5/6/2020 9:56 AM
Does anyone know if @Magnet Forensics AXIOM Cloud can parse Kik returns? I know it's not one of the options but I was curious as to whether it could be imported as another type of return or using the Magnet Cloud Image option.
Avatar
cScottVance 5/6/2020 10:00 AM
Currently we cannot but if you'd like to work with our support team we might be able to look at adding some support for that. You can also load it in as a regular computer image so that we can at least process out any returned pictures/videos and documents.
Avatar
FATHEAD7466 5/6/2020 6:25 PM
@forensicmike @Magnet is there a way to install that into our existing software? I am not able to see it on the website or customer portal. (edited)
Avatar
Hey guys, I'm actually working on the Facebook Messenger database (omnistore... not threads), because my investigators realized that Facebook Messenger is storing phone numbers of the contacts. I already realized that this information is stored in the omnistore.db of the messenger and all the personal information is stored in BLOBs (I can see the information in the hex view). Does anyone of you know how I can read or interpret these BLOBs in the database? Cellebrite interprets this information really nicely in PA, but when I export this information to an Excel sheet I have all the information like Facebook ID, phone number and link to profile pictures in one cell (called input). Not quite good for working with it in other tools 🙈 For the other tools I would just need Facebook ID, name and phone number in an Excel sheet or CSV file.
Avatar
Looking to find the WhatsApp setting for media downloads from a UFED physical read. Have found the preferences.xml file but not sure I really understand what I am looking at. Has anyone successfully decoded the details? Please PM if you can help. Thanks
Avatar
Hey Guys, I have a Samsung Galaxy S5 Neo I did a full physical on. The date and time zone are set manually and are completely wrong. Does anyone know a way to validate date/time stamps on artifacts? I thought maybe I could use the "capture time" of photographs' metadata but I'm not sure if that date/time stamp comes from the network or the device.
Avatar
@Mittens Does SMS take the time from the network on smart phones? assuming you have SMS on it.
6:48 AM
or get comms data from network and try and match SMS and Call data
Avatar
No sim card but maybe some of the comm data thanks guys. You gave me a starting point.
7:11 AM
found several google searches with ei= term. Decoded to Google date/time network stamp
Avatar
Hi Team. Hope you all are well! I have managed to get a physical on a Samsung which then yielded the passcode Yay. This crim uses signal so I created a backup from the handset. I've then extracted the backup. Now.... How do I actually extract the contents? I ran Axiom over the UFED extraction but had no joy. Anyone else had this situation?
Avatar
@Gumpoo do you have XRY to try Photon?
Avatar
Is there a way to rename fields inside of PA's SQLite wizard? Running SQLite Wizard through @Cellebrite PA and trying to make the output user friendly. The output from the database is a chat, but the Instant Message section doesn't work well because the fields don't match up to the options given by PA. If I choose Generic, then I have field 1, field 2, etc. So I would like to use Generic, but change Field1 to Account 1, etc.
Avatar
Anyone seen the problem in PA 7.33 where if you run AppGenie, it overwrites the original chat in the Chat button on the right panel, so replacing anything that was extracted previously? The chat is still there but when you export to UFDR, it isn't in the UFDR, only the AppGenie chat, or am I missing something!!? You can export to Excel (great!) and it seems to chuck it all in. (edited)
Avatar
Does anyone know if there's a way to recover a Huawei AppLock PIN if you have a full filesystem extraction from the device? Data recovered but cannot manually check the device for verification because Huawei AppLock is enabled with a different PIN.
8:59 AM
Looks like there's a pbkdf2 key stored somewhere
Avatar
@B perfect, the script works! frogyayy
👍 1
Avatar
@Matze The blobs in the omnistore database are encoded with FlatBuffers (https://google.github.io/flatbuffers/). There's even an article from Facebook about how they're using it in their Android apps (https://engineering.fb.com/android/improving-facebook-s-performance-on-android-with-flatbuffers/). Having said that, I think it will probably be easier to modify the spreadsheet you already have so it is formatted in the way you need it.
Avatar
Hello there! I'm actually analysing the /cache/recovery/last_history log file of an Android device (version 10). Can someone explain to me what happened for events with the following options:
  • data-resizing
  • delete-apn-changes
Is there some documentation about these recovery logs? Thanks.
Avatar
@Zhaan The chats should still be there if you go under Analyzed data > Messages > Chats on the left side instead of the chats button on the extraction summary.
Avatar
@Oscar Yes they are still there which I found soon after but the problem was when the data was extracted to UFDR, the AppGenie chat came out but not the other chat but the Excel report did contain all chats correctly sectioned. The ticket is in with CB and they are aware of it as part of the problem has been recreated and verified. (edited)
👍 2
Avatar
@Oscar but thank you for the heads up 👍
Avatar
Hello, I have a physical read from a Samsung S9 on Android 10 from @Cellebrite Premium. I need the contents of data/Root/knox/sdcard but they appear to be encrypted. What is the extra step required to decode them?
Avatar
@busted4n6 that’s secure folder.
5:46 AM
I’ll dm you
Avatar
Yes. Thanks
Avatar
chrisforensic 5/11/2020 7:16 AM
Nice, nice, nice.... very nice 🙂
7:19 AM
... without extra-costs 🙂
Avatar
@Cellebrite @Magnet Forensics I have a physical extraction from a phone. I need to see if there is anything in WhatsApp databases. Bad guy claims to have used it for a short period of time before deleting the application. A review of the actual phone shows the application is not installed on the phone any longer. The extraction has WhatsApp databases, including msgstor-"date".db.crypt12, but nothing was parsed from this application. A search of the discord history revealed numerous conversations about this application, but nothing which answered my question. How can I check these databases for any user information/chats?
👍 1
Avatar
the .crypt12 are backups made by WhatsApp, usually stored on the SDCard. As their name suggests, they are encrypted, and their decryption key is stored in a file simply called "key" in the "/data/data/com.whatsapp/files" folder. But since the app was uninstalled, it's very possible that that file is already lost.
10:25 AM
if you can somehow still access that file, then you're in luck
Avatar
Awesome! Thanks for explaining that @Orb
10:26 AM
I will check for the key
10:29 AM
com.whatsapp is empty. Appreciate the explanation of the files associated with WhatsApp.
Avatar
@sholmes do you have access to the SIM card of the phone?
Avatar
Anybody got any luck parsing « PS Messages » on Android ? It’s the Sony Playstation chat app. So far, I’ve tried PA, XRY,Axiom and my Google-fu isn’t strong enough for this one! It seems like the messages would be stored in the encrypted « messages » database. Thank you!
Avatar
Hmm... Did you try running the App Genie on it in PA?
Avatar
Yes I tried! Although, the database doesn’t appear in the database section. I think it might be because there is no extension to the messages file. I’ll try App Genie again and let you know (edited)
Avatar
Hi all, does anyone know how long it takes an iPhone 7 128gb (iOS 12.2) to erase app data (like Google Photos)? Is it possible to recover permanently deleted photos (deleted a year ago) from this iPhone? I know the files are encrypted on a per-file basis, but I am not sure if it applies to the copies of these photo/video files that reside in the app data of intrusive apps like Google Photos that scan and upload photos to their servers. Thank you so much for your time and your guidance.
Avatar
@Jordan231 Not possible is my guess. Might find thumbs / cache, but a year.... (edited)
Avatar
@florus Thank you, would you be fine with explaining why? Thank you so much for your time
12:56 PM
it is a 128gb iphone
Avatar
Mistercatapulte 5/11/2020 2:28 PM
@Jordan231 hi, just because you don't have access to all the memory, just the file system, no free space (short explanation). Moreover, even if you had a physical extraction, in which you would look for erased data one year old, you will not find anything, the garbage collector and the wear leveling would have already reduced everything to nothing, sorry (edited)
Avatar
Thank you @Mistercatapulte , I am just trying to understand how does it work (I am a CS student who wants to be a forensics professional) and I have this iPhone 7 with me to play and learn with. Last year I took some videos and uploaded them to both iPhone's photos app and the Google Photos app, and deleted them a month later. It's been a year now and I want to see if I can manage to get them back.
3:00 PM
What I heard is that Google Photos has its own app database where files are not encrypted on a per-file basis, unlike the photos and videos in the iPhone's Photos app.
3:02 PM
When you delete the images, (I have been told) there is a chance that some deleted files would remain in the SQLite/app database of Google Photos, and can be recovered.
3:05 PM
I am curious about the process you mentioned (the garbage collector and the wear leveling), how do they work? I know iPhones don't have a garbage collector but ARC. Does it work the same for the mentioned files? Based on your experience with iPhones, is 1 year a normal amount of time for everything deleted to be wiped for good? Thank you! (edited)
Avatar
@chrisforensic you have this in UFED too 😉 there's an active beta which some here have already successfully tried. Should be released quite soon.
😋 1
Avatar
chrisforensic 5/11/2020 10:12 PM
@jifa oh, thanks 4 info 👍
Avatar
@jifa 7.33 does extract the content of SF but leaves the content encrypted, was that an error?
🧐 1
Avatar
@Zhaan that’s expected behaviour as part of physical extraction.
Avatar
@CLB-Paul on v7.33?
Avatar
Secure Folder is encrypted. so this is normal behaviour. We are able to extract it separately with P or CAS. (edited)
Avatar
Anyone else not so keen on the latest UFED PA interface? Everything is extra clicks away. Just annoying. The only good thing is it does seem quicker loading artifacts.
👍 2
Avatar
Also eats up screen real-estate in a big way if you're looking through the file system tree.
Avatar
All artifacts in the list are now 1 colour too.
Avatar
Very poor design, uses too much space, things have moved/renamed/dissolved but like everything else, I'll get over it 😢
7:26 AM
And that's without going on about the bugs!
7:27 AM
Apart from that 🏆
Avatar
@Cellebrite is there any known malware for iOS devices at this moment? So, any use to run the malware scanner on an iOS (iPhone) image?
Avatar
Has anyone done much work on the Android bugle_db database? I have an extraction where UFED PA has identified a number of SMS messages from bugle_db, where there is no content in the body, and the folder column is described as "Unknown (manual tag)" as opposed to the typical Sent / Inbox. Looking at the database, one unique thing about these records is that the "message_status" of these records is coded as "206" (for example in the index_messages_sort and the index_messages_status_seen tables). Anyone know what 206 means or what UFED means by "Unknown (manual tag)"?
Avatar
You hit the spot in the sense that the folder is indeed determined by the "message_status" column. But it looks like 206 is a relatively new value... The highest value I previously saw was 106.
Avatar
Ahhh...so I guess they were labelled "unknown" because they really are an unknown value.
Avatar
CLB_iwhiffin 5/12/2020 12:14 PM
Anyone have much knowledge with google drive? I have an android extraction that has a “Google Drive Files/<user email address>/Shared With Me/My Drive/<etc>” and I’m trying to figure out if it’s normal to have “My Drive” as a child of “Shared With Me”. Doesn’t seem like it should be unless someone created it as a shared folder. Basically I’m trying to work out where these files came from with nothing except the path.
Avatar
@Zhaan the question and answer probably belongs in #mobile-forensic-extractions but I’ll take it here 😉 We recently added Secure Folder extraction to some models as part of the new Exynos support in UFED. It depends on model and version. Counterintuitively, you are more likely to get decrypted Secure Folder in the newer models. We will be extending that support shortly to more models and versions.
12:38 PM
When it is wider we will probably write a decent blog post describing the meaning and some more technical details.
Avatar
@jifa thanks for the reply. I was just jumping on a previous thread! It’s kind of decoding too though ain’t it?
Avatar
@jifa - I've tried to extract SF on an S9 on Android 10 with Premium. I didn't get the option to extract SF, the physical read got me the contents but they are encrypted. Support have advised using the Exynos profile in 7.33 - but I didn't think this worked with S9?
Avatar
@busted4n6 1. The Premium extraction should have gotten you Secure Folder as a separate tar file in the output dir. If not turn to support and we'll sort it out. 2. Exynos S9 Android 10 is getting supported in official UFED shortly. let me DM you. 3. There's no additional decoding stage involved. When it is extracted, the extraction already decrypts it for you. (edited)
Avatar
Dear all, is it possible to recover photos and videos from google photos appdata on iPhone 7 128gb running on iOS 12.2. They were deleted 11 months ago.
Avatar
@Jordan231 You asked the same question yesterday? Me and @Mistercatapulte already answered the question.
👍 1
Avatar
So are they gone for good :/
Avatar
@Jordan231 do some testing. Make photos, upload them, make a FFS with MEAT after a week. Redo it after a week. Redo it... etc etc.
Avatar
I heard the iPhone doesn't have a garbage collector, that's why I don't understand how they can be gone from the appdatabase
Avatar
Hi all, I'm trying to figure out where I can find the installed application plist file on iOS 13 and above. Until 13, the file /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist used to hold all this info but there is no such one after 13. PA points me to each folder of an installed app which contains its own plist file. Did Apple change this behavior and there is no such file that holds all apps' info?
Avatar
@Jordan231 Technically the image is still there when it is deleted (after it's permanently removed from the Recently Deleted folder). The iPhone uses File Based Encryption for each file. Your photo will have its own encryption key. The encryption key that decrypts the photo is deleted, rendering the image unrecoverable.
Avatar
@Orb Thanks a lot for this information! I will take a look at it and think about what would be the easier way. But I also think it would be easier to modify the exports I already have 🙂
Avatar
That's why wiping an iPhone is so quick. It doesn't actually delete and overwrite all the files on the device. It wipes the encryption key to the data rendering them inaccessible
Avatar
Hi guys. iPhone question. Is anyone familiar with files stored in the following location? \private\mobile\Media\PhotoData\PhotoCloudSharingData\Caches\CacheMedia... I'm working on a case where a number of video files have been located here. I have a GK FFS extraction and can view the files in AXIOM. I am just wondering what would have caused the videos to be stored here? They do not appear anywhere else in the extracted data.
Avatar
Hi everyone. I've got this case where a suspect wrote some tweets, that later were deleted by Twitter, that I need to recover. UFED and Axiom won't parse the tweets from my GK full file system extraction but I found the tweets in the modelCache.sqlite3 database in the extraction. private/var/mobile/Containers/Shared/AppGroup/477AF661-28E9-41C9-B75D-94108E93C5FE/TFSModelCache.1/redacted/database/modelCache.sqlite3. My problem is that the timestamp in that database seems to be in an unusable format. Anyone had to parse that database before? I should add that the extraction was done long after the tweets so I have nothing in knowledgeC or any of those with the tweets. (edited)
Avatar
@blake-ee Sounds like they may be media that has been shared with the user via iCloud, have you checked the relevant plists 'com.apple.cloudphotod.plist, com.apple.assistant.backedup.plist, data_ark.plist, com.apple.homesharing.plist and com.apple.CoreDuet.plist' to check?
Avatar
@Firmsky I assumed this too and have tried to get some test data to store here with no success. I'll check the plist files you mention. 👍
Avatar
heatherDFIR 5/13/2020 6:56 AM
@Cellebrite is there any known malware for iOS devices at this moment? So, any use to run the malware scanner on an iOS (iPhone) image?
@florus I always run it because I am paranoid I will miss something. However, I haven't ever seen a hit to date.
6:56 AM
Better to say you did it, right?
Avatar
CLB-dan.techcrime 5/13/2020 7:00 AM
@heatherDFIR the good iOS malware knows how to hide 😊
Avatar
CLB_iwhiffin 5/13/2020 7:05 AM
@Talizi which table/column are you looking at? Do you have an example timestamp? I’m looking at that db but the only column I see that you could be talking about is “usagetimestamp” in the Items table and that is no way an actual timestamp?
Avatar
@CLB_iwhiffin I'm looking at the Items table. There are 2 columns named insertionTimestamp and usageTimestamp but they all have the same digits in there for multiple entries (like 150 entries with the same number; for the purposes of this, in the line I'm looking at, it's 53380). But then, in the column archivedObjectData, where the actual tweet is, there is a date object defined with type "Double", "Bits" and the value is 19 chars long, in this case: 4738291799972380672. All the tweets should be between November and December 2019 (edited)
Avatar
Hi, I have a physical extraction of a Samsung. Is it possible to know when the suspect disabled the passcode of the device? In some log maybe?
Avatar
geekwithgun 5/13/2020 7:41 AM
anyone have a script for cellebrite that will parse proton mail ?
Avatar
Anyone ever tried to use a hancom mdf file with another tool? Looks like it’s a container for a file system read we did on a huawei lx1-pot with md-next. I’ve done an ‘extract all files’ in md-red but this feels a bit messy (edited)
Avatar
Running into this problem again and didn't come up with much last time..........anyone know some good places to look for the telephone number of a device when it is not parsed automatically? The SIM Card with the phone did not have anything, but there were definitely some sms/mms in the device. So it had to have had a number at some point. Android phone (edited)
Avatar
CLB_iwhiffin 5/13/2020 9:53 AM
@Talizi OK; that’s totally different to my database. I’ve done a fair bit of work with insta and timestamps and not come across that one. Leave it with me a little bit...
Avatar
@CLB_iwhiffin I will keep looking because there is another mention of insertion time in another table, gonna look if I can combine the two to give me an actual timestamp that means something
Avatar
@heatherDFIR Hi Heather, thanks for the reply. Any research to be found on the web, on iOS malware? @CLB-dan.techcrime
Avatar
I have a full file system extraction of an iPhone 6. There are some images in the DCIM folder and I’m trying to determine where they came from. They are screenshots from a phone. (Most likely this one but taken at different time). The files are JPG with odd resolutions. I’m wondering if they came from a cloud backup. Any ideas on how to determine where these files came from would be appreciated.
Avatar
@AA If you have physical access to the phone, you could check the contacts app. I have occasionally found that the very top contact will be "Me" with phone number displayed (even though not parsed in extraction). But hit & miss.
Avatar
@Joe Schmoe Check out the photos.sqlite database, you may find your answer in there.
Avatar
@mkx Thank you. I’ll take a closer look. I skimmed through it while poking around the databases that weren’t parsed in PA.
Avatar
AzuleOnyx🛡 5/13/2020 5:22 PM
@heatherDFIR Do you know if Apple's iOS delays passcode input after so many attempts if you don't have the 10-fails to wipe?
Avatar
CLB-dan.techcrime 5/13/2020 6:39 PM
Pegasus relies on three zero-day vulnerabilities which could be used to remotely jailbreak iOS devices.
6:40 PM
By Sheera Frenkel
It most likely began with a tiny bit of code that implanted malware, which gave attackers access to Mr. Bezos’ photos and texts.
6:41 PM
iPhone RAM analysis and full file system analysis would be necessary to find things like this
Avatar
CLB_iwhiffin 5/13/2020 8:32 PM
@Joe Schmoe hey Joe, from my experience, screenshots are always PNG files. I don’t think I’ve ever seen an iPhone take a JPG. And the resolution would be consistent. Of course, they could have been cropped but I think they are still saved as PNG. There is an “original file name” field in the photos.sqlite database, and with a bit of sql magic you can pull the album name too. That may help if they were saved from a particular app. There may also be some exif in the database that’s not in the image itself. Worth a look. shameless plug alert my tool ArtEx will quickly pull orig file name/album name for you.
Avatar
@CLB-dan.techcrime thanks
Avatar
@CLB_iwhiffin Thank you! I don’t know how I have missed ArtEx up until now. What a fantastic program. I’m having some trouble finding my images though. I selected every category and narrowed the time frame to a few hours before and after the creation date of the suspect photos. The results include photos that appear to have been taken with this device, but I do not see any of the screenshots. Is it looking for photos with metadata? (edited)
Avatar
After some more digging, I don’t see any reference to the suspect photos in Photos.sqlite. I wonder if it was a simple copy/paste from a PC.
Avatar
Guys, I need help! I had a problem today with a Samsung J700H/DS mobile phone. I tried a physical extraction with Cellebrite UFED 4PC and during the extraction it got stuck. It doesn't start anymore; it can only be entered in download mode. Has anyone ever encountered this problem? It is a delicate problem and I would really like to solve it. I have these messages on the screen.
1:33 PM
1:35 PM
recovery is not seandroid enfocing custom recovery blocked by frp locked
1:39 PM
it is a Qualcomm MSM8939 Snapdragon 615
1:39 PM
6.0.1 android
Avatar
@Gregtm are you able to enter recovery mode and check exact firmware version?
Avatar
no sir. does not enter recovery 😦
Avatar
The message itself points to one of the key components having been replaced with a custom image, usually either recovery or boot. You should be able to write them back with Odin and the phone should boot correctly.
1:55 PM
Ok, enter download mode then to at least verify binary version. This will help to match those more closely.
Avatar
I thought of rewriting his recovery but before doing so I wanted to consult my colleagues. I don't want to lose the data on it
1:56 PM
I'll try this tomorrow morning
Avatar
As far as I'm aware, you should be fine. Start with just recovery, then proceed with boot if recovery itself doesn't help.
1:57 PM
you can get stock images for both recovery and boot from here without having to download whole firmware file
1:59 PM
Of course you have to match "binary" version to the one displayed in download mode. If you see B:3, then firmware with 3 has to be used, like this J700HXXS3BRL4. If it's B:2, then something like this J700HXXU2BPK3 and so on.
Avatar
I understand. I will try this option. Thank you very much
Avatar
I had the same problem with an S7 acquisition using Magnet Axiom. I had to download a stock image (BL, AP,CP,CSC) and flash it back onto the phone w/ Odin. Yes, you'd lose all data on the device w/ this method.
Avatar
Righto you crazy minds... I need a bit of assistance... UFED extraction. File System and Advanced Logical completed. UFED didn't parse the data I needed on the timeline. Ran AXIOM over it, which parsed the data needed. Cut a long story short: I need to prove that our suspect has accessed a few photos and hopefully copied them. Here's what I have so far... I'm compiling an email to the officer in charge........ I have located some further data of interest relating to this case. These files were located in the com.sec.android.gallery3d folder, which is a hidden folder that the user doesn't have access to by default. 3rd party software can be used to view this folder. The com.sec.android.gallery3d folder links directly to the DCIM folder, which is the folder where photos are stored when a picture is taken. The following images from the cache were verified by 2 other forensic tools that I used to validate the time/date stamp. A screenshot was created 03/12/2019 10:55:07 AM. Photo taken by Phone Cloud employee showing 3rd December 12:13. Photo extracted from Quotation showing Suspect as the ‘Technician’. Between 03/12/2019 2:56:50 PM and 2:58:04 PM the scrolling of the photo gallery commenced. Images cached. At 03/12/2019 3:11:27 PM the photo gallery was opened for 1 second. Images displayed from the cache. At 03/12/2019 3:13:16 PM the photo gallery was opened for 1 second. Images displayed from the cache. Between 03/12/2019 3:29:03 PM and 3:29:14 PM the photo gallery was opened and images were displayed from the cache. At 03/12/2019 3:31:03 PM the photo gallery was opened for 1 second. Images displayed from the cache. @Magnet Forensics (edited)
Avatar
My questions are.... there are a few seconds in between these cached images, which are my photos of interest. Does this indicate that the user applied another action? Copying perhaps? Opened to full screen to view? Does anyone know what the numbers under 'item value' are? @Magnet Forensics (edited)
Avatar
This is the complainant's phone, which was supplied a number of weeks after the fact, and he had already accessed these original images on his device, so the modified date doesn't help me unfortunately.
Avatar
Anyone ever have any luck getting Lyft information from an extraction? Probably won't get a full physical, just a file system. It would be on a Samsung J7, still on Android 8.
Avatar
@Palazar82 I’m not sure about the app data, but I’ve had good luck with email receipts for rides.
Avatar
That could be really useful. I got a Lyft driver who might have given a ride to a person of interest in a case.
5:42 PM
I would be driver side.
Avatar
@CLB_iwhiffin Hi Ian, what may cause ArtEx not to install? I am receiving the error: 'cannot download the application. The application is missing required files. Contact application Vendor for assistance.' Does anyone else have an idea? (edited)
Avatar
theAtropos4n6 5/15/2020 2:37 AM
Hey there forensicators, I would like to ask you something. Sorry to interrupt the above-mentioned question. OK, I have Viber uninstalled and re-installed (no account connected at the time of extraction). I have a viber-messages.db which has no data in it (obviously from the new installation). Lastly, I have a viber-messages-journal which has some very interesting artifacts for my case (a particular chat, obviously from the previous installation). Are you aware of any other way to import the journal contents into Viber or into a new db, so as to view them properly? UFED returned the chat, but is missing some information. Tried some other software, no luck with them. Thank you (edited)
Avatar
@Arcain @Arcain 👍 💯 💯 💯 ty so much sir. It woooorks🙂
Avatar
@Gregtm glad to hear that. Just recovery was enough?
Avatar
Are you sure?! Those waters look pretty turdy ... UPDATE 4AUG2016: Added video thumbnail imgcache findings and modified version of scri...
Avatar
@Arcain yes. The link you sent was helpful. I downloaded boot + rec.tar.md5 and wrote it with Odin. After that the phone started in clean download mode and I managed a complete physical extraction. Thank you again. Respect!
Avatar
CLB_iwhiffin 5/15/2020 5:14 PM
@florus Hi Florus; that’s a very good question. I’ve not seen that error before ... I’m presuming it downloaded just fine and no one else has reported that issue. I’ll take a look into it and be in touch!
Avatar
@CLB_iwhiffin I also sent you an email with the logs. I can re-download it. I'll let you know.
Avatar
@CLB_iwhiffin Hi Ian, I re-downloaded it. Worked this time. For some reason it didn't un-rar or download the 'application files'.
Avatar
Hi, I need to find out when a user removed the password from their phone (Android). Could the modified date for gatekeeper.password.key and fmmpassword.key be the date and time the user did this?
Avatar
Good afternoon, I have a question for the group. I have an iOS 12.4.1 device from which I got a full file system extraction. In the Google search history there are a number of "near me" searches. Can someone point me in the right direction to being able to find the location of the device when the search was done? I do have a preservation in with Google and will be getting data from them. I just figured the device had to document the location for the device to send it to Google. Just can't seem to find it. THANKS!!!!
Avatar
Are you aware of any other way to import the journal contents to the viber or to a new db, so as to view them properly? UFED returned the chat, but is missing some information. Tried some other software, no luck with them. Thank you
@theAtropos4n6 Try using SQLite Forensic Tools by Sanderson Forensics. I think it is the best tool to parse journals as well as wal files.
Avatar
@theAtropos4n6 Also, the database viewer inside PA will process any records in -journal or -wal files, so you should be able to see them. If you don't see the records in the relevant tables, perhaps they were added but then deleted before reaching the main database file. In that case, you could try clicking on "show recovered records" (little pickaxe icon) and it will try to carve those out for you.
Avatar
theAtropos4n6 5/17/2020 2:33 AM
@Brigs Thank you very much for answering. I currently do not have access to that tool but will definitely check it out in the future. Too many references about it. @Orb thank you too for answering. Using the latest PA, the specific records I care about appear only in the Chats section, as a carved communication thread. My problem is that one participant (owner of the device) appears as Unknown whereas the other participant appears with both name and phone number. I need his name and phone number to be 100% sure that I got him. I will definitely give your proposed solution a try tomorrow and will come back with feedback. Thanks once more, both of you.
Avatar
Deleted User 5/17/2020 6:27 PM
Anybody aware as to if you can import Hancom MD-Next into UFED PA?
@Pseudonym Hi James, this is Jessy. As I just joined, it's quite late to answer your question. But the method is simple. You can copy the .mdf file as .bin by changing only its file extension. It may be read in UFED PA as a binary image.
(edited)
Avatar
Does anyone know where I can find on a Samsung S10/S9 device the type of lock screen that the user chose to use?
Avatar
Able to get to device_policies.xml?
Avatar
I'm opening PA with the physical dump now so I think I will be soon.
Avatar
Got it: /root/system/device_policies.xml. Do you know the tag name inside the XML? My device is a testing device and unfortunately we didn't lock the phone with anything (it's a test we are doing for something else and we got this question after we had finished the extraction).
Avatar
Will be either quality or password-quality
7:39 AM
can't remember for Samsung off the top of my head
7:39 AM
Should be an integer value
7:42 AM
Something like 0, 32768, 65536, 131072, 196608, 262144, 327680, 393216
7:42 AM
Think those are all the legal values by default
Avatar
Thanks. I'll look into it. Following that, if the phone was locked by face recognition and he certainly has a backup PIN/pattern, can I tell if the user used the biometric or the backup to unlock the phone?
Avatar
At a specific time or in general?
Avatar
in general but if there is a log that keeps all or some unlocking successes, that will be great.
Avatar
theAtropos4n6 5/18/2020 10:00 AM
@Orb tried your solution today. Was able to retrieve some data but not everything from journal. Anyways, thanks once again. Nice feature by the way!
Avatar
Anyone run into a problem where you do a logical and fs extraction for a phone (in this case an LG K40; unlocked) and you don't see anything for the Kik app? I used Cellebrite 4PC to do the extraction and then Physical Analyzer to parse it out. Then I even tried doing an extraction through Axiom, still no luck. It recognizes that Kik is downloaded on the phone but there are no files for it. Can't find any databases or anything. On the phone there are clearly a lot of chats.
Avatar
@MM Is the app on the device, or was it there before? If you manually check on the actual phone, is Kik present? There are times that artifacts stay behind after an app is removed.
Avatar
@CLB-Paul Yes, the app is still on the device. I checked manually on the phone itself. That's why I found it so odd.
Avatar
So the application folder is empty ?
11:36 AM
I was looking for a com.kik.chat folder in the file system...or pretty much any other folder that had to do anything with kik. No luck :/
Avatar
theAtropos4n6 5/18/2020 12:32 PM
@MM What fs extraction did you do? Was it an Android backup? Not all fs extractions will get you the application data. Have you got data from other apps and Kik is missing, or do you not have any data from other apps on the phone? (edited)
Avatar
@theAtropos4n6 Yeah, Android backup. That could probably be the issue; I'm not finding the Facebook Messenger information either and that is also downloaded on the phone. Those two apps are the only ones installed.
Avatar
forensicmike @Magnet 5/18/2020 6:32 PM
@MM If ever uncertain, one thing you can actually check for any given app is to examine the AndroidManifest for the corresponding APK and see if it has allowBackup set to false.
6:32 PM
The declaration of the application. This element contains subelements that declare each of the application's components and has attributes that can affect all the components. Many of these attributes (such as icon, label, permission, process, taskAffinity…
6:33 PM
Avatar
@forensicmike @Magnet okay, I'll check that out!
6:59 PM
Thanks everyone!
Avatar
theAtropos4n6 5/18/2020 9:30 PM
@MM If it's supported, try a partial or full file system. That most likely will get you both Kik and Messenger data. (edited)
👍 1
Avatar
Is there a way to make hidden volumes on an android phone version 8?
10:15 PM
Like with veracrypt
Avatar
@forensicmike @Magnet Just need to be careful, as on newer OSs (Android 10 onwards?) allowBackup can be set to true but still have no user data backed up.
👍 1
2:19 AM
The controls are more granular now
2:19 AM
WhatsApp has (for at least a few versions) had allowbackup = true, but still no userdata
Avatar
theAtropos4n6 5/19/2020 4:21 AM
In ufed PA. Under installed apps there is a purchase date. Is that the exact date say messenger was installed on that device? I'm just confused as the installed date is blank and messenger is free.
@4N6Matt Did anyone answer you on that, or did you find anything more about that artifact? I have the same question as you for another app. I suspect that it is the original date the particular Gmail user account downloaded the app for the first time, not necessarily the date it was first installed on the device. @Cellebrite
(edited)
Avatar
forensicmike @Magnet 5/19/2020 5:50 AM
@MM @OllieD I think allowBackup == false remains a reliable signal that you won't get anything, But as Ollie alluded to, it being set to true is not enough on its own to say for sure that it will be included. For example, the fullBackupContent attribute can point to an XML file with rules for what goes in or not (when using AutoBackup) as pictured here. Apps can also implement BackupAgent which is also specified in the manifest (which WhatsApp does). (edited)
👍 1
Avatar
Thanks for clarifying Mike, I agree that allowbackup = false is still a bad thing for us!
5:53 AM
My excitement when I saw allowbackup = true in WhatsApp was short lived 😅
🤣 2
Avatar
forensicmike @Magnet 5/19/2020 6:27 AM
Thinking a bit more digging on this could make for a good blog post though 🤔
💯 3
Avatar
CLB - DavidK 5/20/2020 5:29 AM
@4N6Matt @theAtropos4n6 The purchase date is the date the user downloaded the app from the store. The installed date is the date the user hit the "Install" button after the app was downloaded to the device.
👍 1
Avatar
theAtropos4n6 5/20/2020 5:48 AM
@CLB - DavidK Thank you for taking the time to respond. Your answer is really helpful for me. By the way, if you could provide us an artifact reference as Magnet Forensics has done for AXIOM, that would be EXTREMELY useful and could save you a lot of time answering our emails or, as in this case, chat messages. Maybe you should give it a thought. I don't know, however, if anyone else needs something like that, or if it's just me. Anyway, thanks once again.
Avatar
CLB - DavidK 5/20/2020 7:41 AM
@theAtropos4n6 You can take a look at our models and fields documentation in MyCellebrite.
😋 1
Avatar
Hey everyone. We just had a pretty horrible double homicide/arson of an elderly couple. Several suspects involved, and apparently they planned it out on Discord. We've got a warrant in to Discord for the main suspect account and maybe the server. I've never dealt with a Discord production before. Any idea what to expect? Anything out there that parses the production like PA/Axiom? Thanks for any input! I also posted this in #cloud-forensics but just want to see if anyone else has any input.
Avatar
From my experience, warrant returns usually come in a relatively "readable" form like html, csv or text files, possibly inside an archive (like zip). This means that while the main tools might not know how to digest it, it should still be readable and searchable by "regular" text editing tools.
10:47 AM
I hope this actually turns out to be the case, but if it's unreadable for some reason, feel free to send me a message and I'll try to help (though I imagine the files won't be shareable).
Avatar
theAtropos4n6 5/21/2020 12:39 AM
@theAtropos4n6 You can take a look at our models and fields documentation in MyCellebrite.
@CLB - DavidK Oh this is great! It is what I needed. Thank you.
Avatar
@Oxygen Forensics Hi, we have a demo of oxygen forensics. Where can we get the oxygen viewer?
Avatar
The Viewer is available from the User Download link but only for licensed copies.
Avatar
@Brigs try mobile revelator, it does a great job on rebuilding the sqlite database with journal and wal files https://github.com/bkerler/MR
Mobile Revelator. Contribute to bkerler/MR development by creating an account on GitHub.
Avatar
Moving my question here: can anyone help me with querying the sms.db file of my iPhone? It's a pretty important personal issue.
Avatar
Andrew Rathbun 5/21/2020 7:54 AM
@Mas0n https://aboutdfir.com/toolsandartifacts/ios/ has a lot of blog posts that might help. It would also help us if you're more specific about what you're looking to accomplish
Avatar
I am trying to extract data from the sms.db file, but want to make sure I am not missing deleted texts. Don't know how to pull those.
7:58 AM
also does the iphone overwrite deleted data?
Avatar
@CyberTim Thank you for the information. Is the viewer free after i get a license? is it possible to make an extraction and use the viewer many times? (edited)
Avatar
@Mas0n Do you have a full file system read of the device, and is there an sms journal file or WAL file? The sms.db and the journal/WAL file should be processed in an SQLite tool that is forensically sound. This stops the db acting as it should and committing any changes from the journal/WAL file. Sanderson Forensics' SQL db browser is perfect for items such as this.
Avatar
I have just learned Apple overwrites deleted data, so retrieving these texts is basically useless. As proof:
8:34 AM
not sure my best course of action now.
Avatar
@Mas0n Yes, deleted files are not recoverable on iOS. However, deleted DB records may be recoverable
8:39 AM
As the DB file itself is still live on the filesystem
Avatar
Yes, the Viewer is free and may be used and shared with your client/case agent for them to view the case with no dongle or license required. You can use the Viewer on as many extractions as you wish (there is search functionality and all the great viewing, tagging etc. as in Detective, but the Processing, Analytics, Social Graph etc. must be done and the case saved in Detective and THEN viewed in Viewer). We have a short video "Knowledge Nugget" for it at https://oxygen-forensic.com/en/video_catalog
Oxygen Forensics - Mobile forensic software for cell phones, smartphones and other mobile devices
Avatar
Not sure this is totally accurate. Deleted texts and files are recoverable in some cases, dependent upon the parent application and the type of extraction performed.
Avatar
@OllieD @CyberTim Another idea might be to view the phone's activity log and see what the user was doing at the time of the alleged sending. If the user wasn't on Messages, the text couldn't have been sent. Just an idea.
Avatar
quick question: How do you load an iOS image (.tar file) into Autopsy 4.15?
Avatar
@Ezio_A best bet is to unpack the tar and load the folder logically i guess
Avatar
Is there any way of telling on an android whether location services were turned off for a certain period of time? I have a physical extraction from the device but I'm unsure where to start looking for that kind of information.
Avatar
Is there any way of telling on an android whether location services were turned off for a certain period of time? I have a physical extraction from the device but I'm unsure where to start looking for that kind of information.
@Seladour try iLEAPP
3:28 AM
It will parse the log data
3:28 AM
ALEAPP
3:28 AM
Sorry iLEAPP is for iOS
3:29 AM
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
🥰 1
Avatar
Does anyone know when a document is stored in the safari TMP folder on an iPhone? "\var\mobile\Containers\Data\Application{Safari}\tmp"
Avatar
Thanks Dam, I will have a look. I'm having to work on my forensic computer which is blocked from the internet, do you know where I can get the python pre-requisites listed in the requirements.txt from online to then copy them over onto my workstation?
Avatar
I don’t know
5:50 AM
But I think you can use axiom
5:51 AM
Just download the custom artifact for android
5:51 AM
@Seladour
Avatar
Does anyone know of a blog or similar which explains the significance of gps locations in the ZRTCLLOCATIONMO table in com.apple.routined\Cache.sqlite ?
Avatar
I added preliminary KMZ (zipped KML) support to APOLLO . If any APOLLO module’s SQL query has “Location” in its Activity field, it will extract the location coordinates in the column “Coordinates” as long as they are in Latitude, Longitude format (ie: 38, -77). These are mo...
Avatar
Thanks. Trying to figure out how valid this data is
Avatar
com.apple.routined is not very precise, I think. It takes the geolocation from cell towers, WiFi and everything that can give a location.
Avatar
Basically I’ve got hundreds of points which are about 20m north of where I think they should be on a road
Avatar
Hopefully someone out there can help me....I'm working a distracted driver case, iOS exam... At a certain time, I see an unlock entry in the PowerLog Device Lock State. When I look at the KnowledgeC Device Lock State, the device is still in a locked state. I'm thinking the user accessed the phone via vehicle Bluetooth. (I only have the phone, not the vehicle, for my examination.) Anyone have any thoughts on this?
Avatar
@Sloth What does the backlight state say?
Avatar
backlit state: screen off during that time
Avatar
@Sloth and the currentpowerlog.psql ?
Avatar
For an encrypted iPhone iTunes backup, is there any way to determine what kind of password was used? For example, if it was PIN-like or alphanumeric, and how long it could be?
Avatar
@Sloth I am sure there is a 'siri' entry somewhere when siri is used to carry out a command over BT
6:00 AM
Did you mean access the phone via voice control or from button presses on the media centre/car interface? (edited)
6:04 AM
You could also look out for Springboard.transitionReason.homescreen in the App Usage Log in the Additional Info column, which often indicates an app launch (the app is in the Identifier column)
Avatar
@Sloth and the currentpowerlog.psql ?
@Dam There are no entries in the currentpowerlog.psql during the time frame. I know the crash happened right around 0138 from a web-based video camera system. The KnowledgeC device lock state shows the device in a locked state from 0018 hrs to 0140 hrs (unlocked when the driver calls 9-1-1). The last entry for display backlight is off at 0124. The last entry on the PowerLog process data usage is at 0126 when the driver receives an email from Google. I'm just really stumped as to what event would or could trigger the PowerLog Device Lock State to record an "unlocked" entry at 0137 hrs that would not trigger the device unlock, unless it was one of those commands that the user allows without unlocking the device itself. The only other events on the phone at that time are PowerLog Battery Entries showing the battery is decreasing from its previous levels (and it was not connected to a charger). I know I will be asked this when it comes time to testify and I am going to conduct a bunch of tests with a test phone, but I am trying to focus my tests on which specific events to validate.
Avatar
You could also look out for Springboard.transitionReason.homescreen in the App USage Log in the Additional Info column which often indicates an app launch (the app is in the Identifier column)
@Zhaan I don't see any entries for springboard.transitionreason.homescreen... and nothing in application focus, application intents, application usage, the only other activity I see on the device are (4) entries in the WiFi locations at 1 minute before the PowerLog State - Unlock.
Avatar
@Sloth Have you looked in the unified logs? (Be sure to “normalize” the time in the unified logs as they may not be the same as knowledgeC) Also make sure you are looking at the right time in the powerlogs, taking into account any time offsets.
Avatar
@Sloth I agree with @jd1345. Getting into the unified logs is prob your best bet. Sarah Edwards has a bunch of great resources on that: https://www.mac4n6.com
Mac OS X and iOS forensic research, blog, and resources
Avatar
Igor Mikhaylov 5/24/2020 3:37 AM
Here is a post about benchmark mobile forensics tools: Utilities go for launch! - https://cyberforensicator.com/2020/05/24/utilities-go-for-launch/
Avatar
@Igor Mikhaylov about extracted artifacts, isn't it because of different grouping used by those apps? For example, Physical Analyzer found 18 chats, but those can be 18 different threads/conversations with hundreds of messages inside, where Axiom displays individual message and not group them on listing. (edited)
Avatar
Igor Mikhaylov 5/24/2020 4:05 AM
I know about it
Avatar
@Igor Mikhaylov Out of interest how did you process the .tar file using XRY?
Avatar
Igor Mikhaylov 5/24/2020 7:57 AM
yes
7:57 AM
XRY version 8.2.0 (Micro Systemation AB )
7:59 AM
I know that the version of XRY is not the latest
Avatar
Andrew Rathbun 5/24/2020 8:00 AM
I think he might be asking what process did you use to parse the .TAR, not the version of the software.
Avatar
@Andrew Rathbun Correct, I found that unless processing a .tar using the iOS backup profile for the import it did not decode the image correctly. This has been fed back into the dev team and is going to be fixed for the next release.
Avatar
@Sloth I agree with @jd1345. Getting into the unified logs is prob your best bet. Sarah Edwards has a bunch of great resources on that: https://www.mac4n6.com
@pcsdcell @jd1345 Thanks for the link! I'll definitely check this out!
Avatar
What is PA doing during the signing report phase?
5:34 PM
I feel like I've been sitting here for 20min on it
Avatar
DefendingChamp 5/25/2020 9:49 AM
I just tried using Axiom Acquire, it just gave me a dump of an android phone in a zip file. What free readers are out there? I just tried using autopsy with no luck.
Avatar
ALEAPP by @Brigs should be able to get some good stuff out of there: https://github.com/abrignoni/ALEAPP
🥰 1
10:08 AM
And if you know what you're looking for, just browsing the archive and opening up databases with something like "DB Browser for SQLite" should give you a pretty good insight into what's happening
Avatar
DefendingChamp 5/25/2020 12:12 PM
lol does autopsy have plugins for it to look at sms and etc?
12:12 PM
to decode it?
Avatar
Autopsy has some of the standard parsers for call logs, SMS and more but I haven’t tested it. ALEAPP will get a good amount of artifacts as long as the device is supported. I know Alexis is constantly adding more to it as well
👍 1
Avatar
MikeWhiskey 5/26/2020 1:23 AM
Hi there, I have a Xiaomi extraction (miui10, Android 7), decoding with Ufed looks good. I get a lot of "photo_blob.0_embedded_xyz.jpg" files in MIUI/Gallery/cloud/.cache/ but can't find them on the device itself. Did anyone here already dig into this?
Avatar
I have a Samsung with Signal 4.59.9 installed but there is no account installed. The user has probably logged out. I did a full file system extraction and got 1️⃣ signal.db | 368 kB 2️⃣ SecureSMS-Preference.xml 3️⃣ org.thoughtcrime.securesms_preference.xml A db browser doesn't show anything readable at all. I guess the database is encrypted. Is there a way to decrypt the database?
Avatar
Deleted User 5/26/2020 1:56 AM
I have a Samsung with Signal 4.59.9 installed but there is no account installed. The user has probably logged out. I did a full file system extraction and got 1️⃣ signal.db | 368 kB 2️⃣ SecureSMS-Preference.xml 3️⃣ org.thoughtcrime.securesms_preference.xml A db browser doesn't show anything readable at all. I guess the database is encrypted. Is there a way to decrypt the database?
@Tilt Hi Root, It depends on Android version. Can you let me know its version?
Avatar
@Deleted User Android 7.0
Avatar
Deleted User 5/26/2020 3:18 AM
@Deleted User Android 7.0
@Tilt MD-RED can decrypt it if you get the db file and its key file. I will let you know how to get those files, including their paths.
Avatar
@Deleted User I guess signal.db is the database. What file is the key file?
Avatar
Hi there, I have a Xiaomi extraction (miui10, Android 7), decoding with Ufed looks good. I get a lot of "photo_blob.0_embedded_xyz.jpg" files in MIUI/Gallery/cloud/.cache/ but can't find them on the device itself. Did anyone here already dig into this?
@MikeWhiskey In Cellebrite PA, embedded files are files that were embedded inside other files. For example, if an sqlite database has a table with a BLOB column that stores jpg images, those BLOBs will be identified, and "embedded files" will be created for them as children of the sqlite file.
Avatar
MikeWhiskey 5/26/2020 5:09 AM
I found the correlating database as well with a lot of entries, but not for every file I found. Probably data tombs, but thanks Orb
Avatar
@MSAB I am trying to save a subset of my extraction with XAMN, but the subset is much bigger than the original extraction. Any suggestions?
Avatar
for3nsic_4all 5/26/2020 12:16 PM
If you need to do an export with a smaller footprint, then create an all-artifacts report in your export of choice, i.e. PDF or HTML; the file size will be smaller. Using the Subset feature will always include the extraction data and the artifacts, unless your extraction is a physical extraction, in which case you have the option to omit the raw binary data in the extraction file in a subset file. If you need further assistance, contact MSAB support at support@msab.com or ping me off list. I hope this helps.
Avatar
@rafael_cs - It depends on the subset you're trying to report on, is there any more detail you could provide to us so we can offer more of a thorough explanation?
Avatar
@Firmsky I just unselected some media (databases, documents, binaries, folders). I want to generate a subset of all the other artifacts like messages, contacts, audio, images and videos.
Avatar
@rafael_cs Please feel free to send me a DM, as something doesn't sound quite right.
Avatar
Anyone from @Magnet Forensics with knowledge about snapchat around for DM?
Avatar
PurpleBuddy plist on iOS 13 tells me how the iPhone was restored. Has anyone done research on the value pertaining to 'SetupLastExit'? Is this when the installation was completed? Unable to test because sick.
Avatar
Hi all, trying to get media exported from Snapchat My Eyes Only on iOS. I have the PIN to My Eyes Only. I have a GK dump; however, the Snapchat My Eyes Only imagery within the dump is not parsed, as it's probably encrypted. Anyone have any ideas? I've tried feeding the keychain into AXIOM and CB PA. No luck, that was with an older version of these products though. Anybody have any luck? (edited)
Avatar
@Dfdan Axiom has support for it; if you look in options under the Snapchat artifact before you process the phone, you can add the values from the keychain and decrypt the images. I just had a phone where I couldn't find the values in the keychain, so it might not work in all cases :/ (edited)
Avatar
@Oscar pretty sure that's what I have done already. Processed the keychain, pulled out the keys and used the keys in the Snapchat section. (edited)
Avatar
@Dfdan Are you able to view the images on the phone?
Avatar
@Oscar Yes. I can view them on the phone. The PIN was the first 4 digits of handset PIN, good guess huh. I can view the media on phone but not extract out. Or view in a GK dump.
Avatar
What version of Axiom are you running @Dfdan?
Avatar
Could @Oxygen Forensics please DM me for a question?
Avatar
Anyone from @Magnet Forensics around for a Snapchat decoding question on an iOS FFS? (edited)
Avatar
Anyone from @Magnet Forensics around for a Snapchat decoding question on an iOS FFS?
@florus please send in your question to support@magnetforensics.com and we will assist.
Avatar
Will do
Avatar
Anyone have an idea where to find sent Snapchat videos in the file system on an FFS iOS device?
Avatar
Anyone have an idea where to find sent Snapchat videos in the file system on an FFS iOS device?
@florus DM'd you
Avatar
Anyone have luck with a locked LG Q720PS?
Avatar
Anyone else having issues with PA 7.33.0.30 crashing often? I'm averaging about 3x a day.
Avatar
CLB-TheGeckster 5/29/2020 7:13 AM
@jd1345 Any idea what's triggering it? Specific extraction/action?
Avatar
No idea - seems a bit random. I may be trying to open a file (from the file system view), click on a open tab, play a video, open an image, etc. I've done all the usual things - reboot, etc. The malware scanner also fails every time. Not extraction dependent. Didn't experience this # of crashes with previous version.
Avatar
theAtropos4n6 5/29/2020 8:22 AM
@CLB-TheGeckster Well I tested it and it seems to crash when I choose the Accounts artifacts view. More specifically, when you filter out results or when you sort selected accounts it freezes.
Avatar
@jd1345 yes it's crashed loads for us and we really don't like the new interface as stuff is extra clicks away and harder to locate quickly. That timeline bar is annoying too as it's always in the way.
👍 2
Avatar
Does anyone know where Telegram stores the name of the room/chat group?
11:35 AM
It looks like Cellebrite parses the Group ID number, but I am having trouble finding the Text Name of the group since you can't search/join based on the backend ID numbers
Avatar
Mr. Eddie Vedder from Accounting 5/29/2020 12:52 PM
Currently working a case involving CP and the suspect is claiming they "bought the phone off ebay" and "must have had CP on it when I bought it". Now I've been able to find other artifacts throughout other seized devices and chat applications proving otherwise. However I would like to get some idea on if the device was restored, or if info was synced via iCloud from his account. I've checked the purplebuddy.plist and it shows a setup last exit date of 10/11/2019 and SetupUsingAssistant. Now my research shows that setup was done via iTunes on that date. If I'm also reading information from the assistant.backedup.plist it appears iCloud sync was enabled. My question is, does the iTunes setup indicate a restore was done? (The other options from that list seem to clearly say Restored.) I'd like to be able to show that the previous user's information was clearly removed from the device prior to the suspect using it, and also that information before this 10/11/2019 was done via cloud sync.
Avatar
@Mr. Eddie Vedder from Accounting We have tested wiping iPhones a few times over the years and iOS version and they have been very good at not retaining 'old' data, they are rather good at housekeeping. But I am willing to be corrected on that! (edited)
2:25 AM
Has he given you access to his eBay account? If he is 'genuine', he won't mind you speaking to the previous owner 😆 and I am sure the previous owner will be more than happy to help...
Avatar
@Mr. Eddie Vedder from Accounting What about the obliterated file? Is there one present? I've just been clearing old test data off my own server and I have been firing up old test extractions to see what they were about before deleting them. One was an iPhone 5s that was marked with 'Post Setup'. I had a quick look for the obliterated file and saw it was there and dated 20 minutes before I set the device up again. When looking at the last tethering activation D&T, sure enough it was dated 20 mins or so after the obliterated file D&T, and the tethering activation time was 20 mins later after wiping it when I set it up again. All my test data in that device was successfully deleted post wipe - none of my test user images or videos were present, as I would expect.
Avatar
Mr. Eddie Vedder from Accounting 5/30/2020 4:48 AM
No obliterated files.
Avatar
@Zhaan I've just looked at the extractions I did on my old devices which my daughters both have now. One is an iPhone 6s and one is an iPhone 8. Their Apple IDs are both in the usual place - Accounts3.sqlite file - but I can see my old Apple ID from when I had them, before I gave them the phones, still in the kvs.sqlitedb file. Both devices were wiped before they got them
Avatar
Mr. Eddie Vedder from Accounting 5/30/2020 4:49 AM
Unless there is a location for them I'm missing. I did a search for .obliterated.
Avatar
@Mr. Eddie Vedder from Accounting Shame. That would have been very handy !!
Avatar
@Stevie_C ok, good to know, but are any pictures and videos present from the previous use? (edited)
Avatar
@Mr. Eddie Vedder from Accounting I just typed obliterated into the general search in PA. Wait one - I'll get the path - I have it open in front of me
Avatar
Mr. Eddie Vedder from Accounting 5/30/2020 4:51 AM
@Zhaan I don't have access to the suspect. I'm assisting another agency with the GK extraction. He used MeWe and VK and Mega. I was able to rebuild some MeWe conversations to show he was specifically asking for "young and taboo". Plus those accounts are specifically tied to his number. I'll check for pre-existing accounts
Avatar
@Mr. Eddie Vedder from Accounting DarArchive/root/private/var/root/.obliterated
4:51 AM
Was a checkm8 extraction
4:52 AM
@Zhaan Nope, not a single one
Avatar
@Stevie_C so that's more in line with what we would expect maybe? After all the media may be there but rendered unextractable due to the way it's flagged?
Avatar
@Zhaan When the device is "wiped" it's not really wiped - the encryption keys are simply destroyed - that's how the 'wipe' is so quick. Think if you have a 128GB USB drive or memory card and "Format" it in Windows. The "Quick Format" is checked by default and "formats the device really quickly". All that does is wipe the likes of the MFT and creates a new fresh one that doesn't reference the data still technically there. Uncheck that and the same device takes a lot longer - it really is wiping it. The quick option just destroys the old MFT or FAT tables. Image the drive and you can recover stuff - data still there, just not referenced by the new table. Full format wipes everything. Same principle for iPhone. Wipes keys so technically the data is still on the memory storage but it's encrypted - the destruction of the keys renders it useless. Theoretically if you had a full disk image of the iPhone memory, old data could still be there, but searching for say FF D8 FF E0 won't get you any pictures as they may still be stored in there, just in encrypted format.
Avatar
@Stevie_C I'm not reading that much text on a Saturday!
5:05 AM
@Stevie_C thanks for that, I have a feeling you told me this or a colleague last year and now I remember. Thanks for the 'light' reading 🤣
Avatar
@Zhaan This is getting me out of having to go to ASDA to pick up groceries at Click & Collect !! 🤣 Wifey going now instead !!
Avatar
@Stevie_C you go love, busy fighting crime, you know how it is....I may have used that line before!
5:13 AM
@Stevie_C ASDA Click & Collect eh? Wow, classy guy!
Avatar
Helping colleagues always does the trick 😉
5:14 AM
Yeah, impossible to get a Tesco slot down the road here at the moment. Been like that since this madness started !!
5:15 AM
@Mr. Eddie Vedder from Accounting Device info screen
5:15 AM
@Mr. Eddie Vedder from Accounting Obliterated File
Avatar
Just checked my old iPhone 8 (A1905) as well - .obliterated file dated 22/01/2020 15:46:47(UTC+0) present. Tethering - Last Activation time dated 22/01/2020 16:52:26(UTC+0). Those timings sound about right - it was my old phone which I wiped then setup again from new. I ran a checkm8 extraction on it before passing it on to my daughter.
Avatar
@Stevie_C last activation refers to the last connection to the hotspot and not the iPhone activation after a wipe or format (edited)
Avatar
@S1lv9R Apologies, should have been more clear. Yeah, aware of that. From what I've seen in testing, this field is updated upon setup and from all the testing I have done on my test devices, this value has not changed since setup. Personal Hotspot has never been used since setup on any of my test devices, so it remained constant, with the obliterated file showing when the device was wiped and this showing when it was next set up after that wipe. I was thinking along the lines of the original OP where if the user has never used the Personal Hotspot, this might help them a little bit. Of course, I always recommend doing your own testing first before taking my word for it if it's something crucial !! If anyone has any other ideas or findings it would be nice to see if it corresponds to my findings. I'm now guessing my next playing about will be wipe > setup > checkm8 > examine; wipe > setup > checkm8 > examine; wipe > setup > wait a couple of days > activate Personal Hotspot > checkm8 > examine; now that will be interesting if I get time !!!
Avatar
@Zhaan I've just looked at the extractions I did on my old devices which my daughters both have now. One is an iPhone 6s and one is an iPhone 8. Their Apple IDs are both in the usual place - Accounts3.sqlite file - but I can see my old Apple ID from when I had them, before I gave them the phones, still in the kvs.sqlitedb file. Both devices were wiped before they got them
I was surprised to see my Apple ID present on my daughters' iPhones after the wipe. I've done other iPhones and not found that happen. @Zhaan and I were DM'ing this morning as it intrigued both of us, as really my Apple ID should not be there after the wipe. The only explanation I have is that possibly because both my daughters are young and in my Family Sharing as children, I'm wondering whether when I set up their account mine goes into that other database as they're linked to me as parent possibly? Every time they want a new app or purchase I get an authorisation notification. I'm thinking that could be the reason. It's the only thing I can think of to explain this. If anyone else has any ideas they would be greatly appreciated. Not for a case but just out of general curiosity !!
Avatar
@Zhaan Yeah, I think this is what's going on with my Apple ID appearing in my daughter's iPhone in that DB. The SANS Poster references this path & database /private/var/mobile/Library/com.apple.itunesstored/kvs.sqlitedb as Installed Applications. Another source indicates "kvs.sqlitedb, for example, contains references to installed applications. In particular it contains an embedded plist file containing the list of downloaded apps." As my daughter has to get permission from my Apple ID to purchase or install anything, it makes sense it showing up. If I had extracted the device immediately after wiping but before I set up her account, I'm betting my Apple ID wouldn't have shown up 😀
Avatar
@Stevie_C How much? (edited)
Avatar
Not enough to ask her to wipe her device to test my theory!! I’m not that brave!!
Avatar
@Stevie_C 🤣
Avatar
Hi, I need help in Android Studio. I have a virtual device with Telegram on it. I have conversations with the virtual device. I'm looking for the file where the calls are stored. Db file. Where do I see the folders in Android Studio? org.telegram.messenger cache4.db Thanks
Avatar
You mean where is it stored on the host machine? Or within the AVD?
5:45 AM
You can get a root adb shell and navigate to /data/data/org.telegram.messenger
Avatar
How do I get a root adb shell in Android Studio?
Avatar
Mistercatapulte 6/1/2020 6:20 AM
What if you want to learn how to do a mobile penetration test? Where would you begin? Start with installing and rooting your Android emulator. Click here 👆
Avatar
Hi all, could anyone point me in a direction where an iPhone shows if the handset date and time was changed and then maybe changed back? I have an FFS GK output, processed in UFED and Axiom. I have an iPhone where Axiom, UFED and the handset all match the call log, however the dates and times of just 2 calls do not match network provider data or the officer's log of when he made calls. Many thanks (edited)
Avatar
CLB-TheGeckster 6/1/2020 9:04 AM
How far off are the network times?
Avatar
@CLB-TheGeckster The phone, Axiom and UFED show 2 calls on 30th Oct. These aren't shown at all by comms, however there are 2 calls of the same length on 10th Nov + 12 hours. So 11 days, 12 hours approx? All other calls match
9:09 AM
Can't see anything else going on in Timeline, a couple of network usage entries and 2 SMS received but not read
Avatar
Quick Q, what are android background image snapshots typically called?
9:29 AM
The static image captured as you flip between multiple applications if that makes sense.
Avatar
CLB-TheGeckster 6/1/2020 9:31 AM
@CLB-TheGeckster The phone, Axiom and UFED show 2 calls on 30th Oct. These aren't shown at all by comms, however there are 2 calls of the same length on 10th Nov + 12 hours. So 11 days, 12 hours approx? All other calls match
@JMK That's a really odd time difference unless the owner of the phone was intentionally trying to change evidence...do you think that's the case? Possibility the phone call was made over wifi or anything?
Avatar
@CLB-TheGeckster I know, very odd. It shows in the call log just like all the other normal network calls, doesn't say FaceTime / WhatsApp etc. It's an officer's phone and he wasn't working the 30th Oct, which is why he knows he didn't make the call. There are a couple of iPhone Network Data Usage log entries before each call showing WAN In and WAN Out numbers (WiFi = 0). Someone changing the date and time is my only thought I could check - would you know if that shows anywhere in a database or plist somewhere? There's nothing in the decoded KnowledgeC I could see
Avatar
CLB-TheGeckster 6/1/2020 9:39 AM
Not sure if there's anything that would evidence a change, but there's a laundry list of DBs and Plists that could help with date/time issues...check out the backside of the sans poster: http://for585.com/poster
Avatar
@CLB-TheGeckster thank you - that's really useful! Unfortunately I don't have the one for time settings (com.apple.preferences.datetime.plist) in my extraction but I'm definitely filing this poster for future use. I think I'm going to have to say I don't have an explanation, it's really odd - thanks for help though 🙂
Avatar
Nevermind - found it in a different file path but didn't contain anything of note 👍
Avatar
I have a query about the gps locations in the ZRTCLLOCATIONMO table in com.apple.routined\Cache.sqlite... 1 - are the gps coordinates in WGS84? 2 - can anyone think of any logical reason why in a specific case we have, the gps locations are ‘skewed’ slightly. My user regularly walks along a pair of roads (a roundabout) across a canal. However the mapping consistently shows him about 50m north on a single line across the middle of the canal
10:55 AM
I get it isn’t accurate but why is it consistently (and exactly on a specific line) wrong
Avatar
@B Thank you!
👍 1
Avatar
Hi, when I launched the malware scan in PA it says that the malware analysis has failed. @Cellebrite Do you know how to fix it?
Avatar
CLB - DavidK 6/2/2020 2:16 AM
Hi @Dam , I need to take a closer look at this, I'll DM you.
Avatar
@Cellebrite I've just been looking at videos from a device extraction with PA 7.33.0.30 when the program crashed. I've opened it up again twice now but both times the videos no longer show any thumbnails, they are all just blank grey boxes ... do you know why this is? It's making it hard to do a quick scan over the thumbnails for what I'm after.
Avatar
CLB - DavidK 6/2/2020 2:56 AM
@Seladour , can you check if the PA screen capture feature is working for you? If it's not working either, updating the media player could solve the issue. If it's not helpful please DM me.
Avatar
@Dam , I have the same problem with the malware scan. PA also crashed on me 4x yesterday. Not enough hours in the day to keep importing file systems.
Avatar
@jd1345 did you manage to fix it ?
Avatar
@Dam , no. Nothing I tried has worked. I think the latest version is a bit buggy,
Avatar
Good morning, I'm looking at a Cellebrite reader file for a ZTE running what appears to be 8.1.0 (per the report). I'm really interested in a thumbnail image of a facebook profile. It is located at ZTE CDMA_Generic Android.zip/sdcard/DCIM/.thumbnails/.thumbdata4--1967290299 and has a file name of .thumbdata4--1967290299_embedded_81.jpg. There is no metadata available other than a filesize of 2112 bytes and the hash value. Is there any information to be had from the numbers in the folder names? Anything else I can do to determine when this thumbnail landed on the device?
Avatar
Howdy all, I have a weird one. I have a home made tablet computer using a Raspberry Pi looking gadget called a Pine64. It's running Android from a 64G Micro SD card which I have imaged. It has 15 partitions, the largest being 56GB which I am assuming is userdata. Now, can I just plop the whole E01 into UFED PA with a generic Android profile or do I need to export just userdata?
Avatar
@Majeeko You should be able to load the e01 and choose an android profile, but it might depend on how exactly that image is structured... In any case, you can always run the Android decoding plugin after loading the image (with any profile) using "Plugins > Run Plugin > Android Databases"
Avatar
It's running as Android Generic over the entire E01 at the moment. Might have to wait until morning to see what I have but I will run the plugin afterwards, thanks.
Avatar
Android generic should already be running this plugin. You can verify by making sure that a line like "Running plugin: Android Databases" appears in the trace window
Avatar
Ok, thanks.
Avatar
Forensicators, a Telegram cache2.db question: I parsed the db with UFED PA and also with SQL queries from the Anglano analysis in DB Browser. I found videos sent in the chat but the db shows me only a symbolic link named video/mp3 with a timestamp. Is it impossible to know what exact video is shown? In the path backup/sdcard/telegram I found videos that I suppose to be the ones I'm looking for in the cache2.db. Any tips or tricks? Also, in order to identify senders and receivers, the db shows me in the user table only the UID without any phone number synchronized. Any tips or tricks?
Avatar
So, I manually decrypted the Signal database using the nightly version of DB Browser with SQLCipher. I then added the decrypted version of the db to my project in Physical Analyzer and used SQLite Wizard to analyze the messages. When I get it all done and attempt to run the query on my externally-added file, it returns no records. Does SQLite Wizard/Query Manager only work on databases that are inside the original extraction? Why does it let me use it on the externally-added db but then not allow me to add those results to the Analyzed Data? @Cellebrite
@criley4640 In the same boat as you. Sent my Signal data to Cellebrite. Apparently it's a bug in the Signal decoder. Should be fixed in PA 7.35.
12:15 PM
@Deleted User I guess signal.db is the database. What file is the key file?
@Tilt Also interested in the location of the encryption key if you have it. Thx
12:21 PM
Hi all, I've got 2 Android phones (OS version 7.0 and 8.0) with the ProtonMail secure email app installed. The DBs are in the clear, so I was able to write queries to get a listing of emails (timestamp, from, to, cc, bcc, subject), contacts and downloaded attachments. However, the body of the messages is PGP encrypted. According to the ProtonMail website, the private and public keys are stored on the device, but I could not find where. Does anybody know where the private key could be located?
Avatar
theAtropos4n6 6/2/2020 11:11 PM
Hey there. I have 3.500 emails, SMS and Facebook Conversations. I am trying to make a report (.HTML) of them using PA 7.33 without their body. Is there any easier way to do it using PA, without having to write a custom script for it? - I have deselected the Bubble Conversation option under the artifacts selection section - I have tried to export no conversation at all (option in the pre-last window of the report generator) - I have tried using a third party HTML editor, but have to go through every chat table separately @Cellebrite @CLB - DavidK @Orb (edited)
Avatar
CLB - DavidK 6/3/2020 12:07 AM
Hi @jd1345, the 7.34 version worked and fixed the issue for @Dam . Please update PA to the latest version, if you are still facing any issues DM me.
Avatar
@CLB - DavidK thanks for the help. 👍🏻
Avatar
I have a question about Apple iMessage if anyone could throw their hat in
12:38 AM
I've got a sent message on 17/04/20, I believe this phone was possibly restored from an iCloud backup
12:39 AM
is there any way that this message could've been sent well before this date, i.e. sometime in February
Avatar
Question re Telegram DC IDs, does anyone have a list of current data centre IDs and the corresponding geographical locations / areas they cover? Example 4_131176846486772127.mp4........ 4_ is the DC-ID ---- 131176846486772127 can be converted to hex and split in half; 1st half is the original sender Telegram ID and the second half is a sequential count. I'm looking for a current DC-ID list. Cheers (edited)
Avatar
I found a picture with the name format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX and it was found in /private/var/mobile/Containers/Data/Application/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. The name of the file and the folder name don't match and I don't feel that is strange at all. I wonder if this can be a thumbnail of a user made screenshot? Or can it be a system generated thumbnail of the screen?
Avatar
@Tilt The path didn't contain anything else than that, such as Snapshot or similar? For example /private/var/mobile/Containers/Data/Application/XXX-XXXX/Library/SplashBoard/Snapshots/sceneID:com.facebook.Facebook-default/downscaled/ (edited)
Avatar
Is there a plist that shows which phone number a user used for 2FA?
Avatar
Hi @jd1345, the 7.34 version worked and fixed the issue for @Dam . Please update PA to the latest version, if you are still facing any issues DM me.
@CLB - DavidK Unsure if it has solved my malware scan fail issue - I downloaded the new version, imported a file system, clicked on chats to look at a text message and it crashed.
Avatar
Does anyone have information about decoding a Coyote system? A physical dump can be made easily since it's an MTK chipset.
Avatar
CLB - DavidK 6/3/2020 7:16 AM
@jd1345 i'm contacting you via DM
Avatar
I have a GK dump of an iPhone. Where in the filesystem are the images/videos from the Snapchat My Eyes Only folder stored, any ideas? Tried Axiom with the v_data keys from the keychain, hasn't decrypted anything that I can see. Cheers
Avatar
Has anyone got experience with the com.toyagroup.picaboo.plist and videos in the Snapchat folder Library - Persistent - SCMedia? In particular how to tie an event in the plist with a video from the folder
Avatar
@Obi-Wan-IP We haven't been able to get data from the My Eyes Only folder, even with a FFS extraction. I'd be happy to hear if you succeed.
Avatar
Hey I am looking for files in AXIOM
  • .jpeg
And it finds nothing
Avatar
I got a question about WhatsApp in Axiom, if i have an Incoming voice record or video that does not have the attribute "read" does this mean/indicate that the user did not press the attached voice/video recording?
Avatar
Snapchat SW returns question. I have a detective asking if there is a way to decrypt the "Memeries..._encrtypted" files from the returns. Is there any way to do that?
Avatar
Does anyone have any info on the frequency (or trigger) that Android 9 performs a vacuum on SMS Sqlite databases? I have 0 deleted messages in a DB from Cellebrite, but there are clearly missing messages based on provider records and another phone it was communicating with
Avatar
Hi, repost of this question from a couple of days ago, hopefully someone has the answer: Good morning, I'm looking at a Cellebrite reader file for a ZTE running what appears to be 8.1.0 (per the report). I'm really interested in a thumbnail image of a facebook profile. It is located at ZTE CDMA_Generic Android.zip/sdcard/DCIM/.thumbnails/.thumbdata4--1967290299 and has a file name of .thumbdata4--1967290299_embedded_81.jpg. There is no metadata available other than a filesize of 2112 bytes and the hash value. Is there any information to be had from the numbers in the folder names? Anything else I can do to determine when this thumbnail landed on the device?
Avatar
@jeffwold without looking at the file, it's very difficult to answer the question. My opinion based on your description and my experience is that in the file .thumbdata4--19.... there are a bunch of thumbnails stored in a single file without any metadata. UFED carved this file, detected the embedded pictures, extracted them and named them with ascending numbers. After a Google search, the filename including the number seems to be very common (edited)
Avatar
@polly that does make sense to me. Yes I have 134 images supposedly "embedded" in the "folder" which could very well be the deal. I wish I could attribute a date to even the folder but I can't. Maybe some of the surrounding embedded thumbnails can be matched to an actual image.
Avatar
@jeffwold theoretically, the folder (or file) should have metadata like last change and so on. But this information will not be very helpful for your investigation regarding the single image. For a better investigation of your problem, it might be helpful to have the dump of the device and not only the reader file. So you could analyze it manually or with other tools
Avatar
@jeffwold I agree with @polly in looking at the raw data. I had a case recently where looking through the gallery I found images of interest of which the source of all the images I was interested in was the file imgcache.0 file. Upon looking at that specific file in hex directly above those images the unicode indicates the thumbnails were created from a movie file rather than an image or a thumbnail created from an image file.
2:09 AM
I'm pretty certain now that the file I was hoping to recover is gone and overwritten, however I have enough to say it was there at some stage as the thumbnail version of it was found in the file Linux native partition (ExtX)/Root/media/Android/data/com.jrdcom.android.gallery3d/cache/imgcache.0 In my case @Cellebrite simply took the imgcache.0 file, carved out the thumbnails it found inside that single file and gave each one a filename, starting from the start of the file sequentially through the file as it found them, i.e. imgcache.0_embedded_1.jpg imgcache.0_embedded_2.jpg imgcache.0_embedded_3.jpg through to imgcache.0_embedded_84.jpg imgcache.0_embedded_85.jpg
2:10 AM
No dates and times were available other than the creation date of the imgcache.0 file and last modified date of imgcache.0 file etc, but from looking at the data directly before the FF D8 FF E0 file header and before the previous FF D9 footer I could tell whether the thumbnail was generated from an image or a movie file, which helped me, as one of the files I was looking for in full size I believed was an image. However when figuring this out I was able to deduce it was actually a movie file I was looking for and the embedded thumbnail image was generated from the movie file, so I started carving for deleted movie file types. I was also able to narrow down when the movie file was present on the device before deletion. By taking the creation date of the file imgcache.0, I knew a starting point. Then I went through every single thumbnail in that file one by one from the start trying to identify images or movies that were still present (live) on the device and then compare them to the corresponding thumbnail in the imgcache.0 file. I observed that the live ones matched sequentially with their sequencing entries in the imgcache.0 file. Then, my ones of interest I was able to place between known files with known dates and times and was able to slot my "deleted" ones into a very specific timeframe rather than just "sometime" between the imgcache.0 creation date & time and last modified date & time.
👍 2
Avatar
@Hancom does anyone know how I can import a Grayshift extraction into Hancom? I tried different ways but the software keeps crashing.
Avatar
Anyone got any recommendations for software to open a .bak file? I have tried Oxygen but as it's not a Xiaomi phone and looks to have been from an LG phone it won't play (edited)
Avatar
Deleted User 6/5/2020 2:59 AM
@Hancom does anyone know how I can import a Grayshift extraction into Hancom? I tried different ways but the software keeps crashing.
@Dam can you send us the case log file?
3:01 AM
@Dam can you send us the case log file?
@Deleted User
Avatar
@Cellebrite Do you have a beta version of PA that can decrypt Signal? I am able to decrypt the database using Axiom...
3:23 AM
It's for iOS FFS
Avatar
I just tried @Magnet Forensics wordlist decryption for Wickr with a wordlist created by their wordlist generator. After processing is done there is an exception for wickrLocal.sqlite (Wickr database) with the reason "File processing timed out". Has anyone tried wordlist decryption before or know how to extend the time before a file times out? The process gave me no Wickr data; of course I'm not sure if the password even was in the wordlist either. (edited)
Avatar
forensicmike @Magnet 6/5/2020 6:25 AM
I'll shoot you a DM
Avatar
Has anyone tried Cellebrite LegalView for export to Relativity?
Avatar
I got an iPhone dump completed and it is unlocked. Does anyone have an idea where the iTunes encryption password is located?
Avatar
@jeffwold I agree with @polly in looking at the raw data. I had a case recently where looking through the gallery I found images of interest of which the source of all the images I was interested in was the file imgcache.0 file. Upon looking at that specific file in hex directly above those images the unicode indicates the thumbnails were created from a movie file rather than an image or a thumbnail created from an image file.
@Stevie_C thank you and @polly for your responses. I am working for the public defender in this case and the ufed reader file was what was provided. There was a file system extraction as part of the reader file but I'm not seeing ANY metadata about the containing folder/file that the image is embedded in. I'll ask the PI on the case if it's possible to request a raw file system extraction but I'm thinking it's not going to be received by the LE Agency very well.
Avatar
@spoon1997 itunes b/u need to be bruteforced.
10:20 AM
or get a full file system if possible.
Avatar
@jeffwold I think a file system extraction is a very bad basis for this kind of investigation you want to perform. I don't know the legal situation in your country, but try to get a physical image or even better, ask for the evidence and do it by yourself (if it's possible). (edited)
Avatar
Forensic@tor 6/5/2020 10:26 AM
Can anyone shed some light on iCloud backup files? Pursuant to a search warrant, Apple has provided the iCloud backup attached to the Apple ID. In the file are three backups. Two are attached to a user ID with different device IDs. The third file is Blended cloud data for the user ID. Does anyone know what a Blended cloud data file is? It does not seem to be a combination of the other two. (edited)
Avatar
@polly right.... I have asked if I can visit LE and do it myself. waiting on that. So, if the embedded thumbnail is on the phone, does that mean that the image was simply viewed, or did the user access the photo by touching/clicking on it? I'm about to do my own simulation but I'm curious......
Avatar
@CLB-Paul thanks
3:44 PM
I was able to get the iOS extraction and file system. When I tried acquiring from AXIOM, it asked for a password.
Avatar
So if there is an iTunes backup password, any tool you use will ask for the b/u password. There are ways to brute force it, but it's a bit slow. It would be easier to get a full file system extraction @spoon1997
Avatar
Is it possible to extract GPS data from an Android Samsung Galaxy J6+ mobile when the location has been turned off?
Avatar
@jeffwold The presence of the thumbnail won't tell you if it was clicked on and viewed, simply that it was there at some point. Save a few photos onto your test device. Go to gallery / album, whatever. Look at the tiles: all will have a thumbnail. It's automatically generated by the OS without you having to open it. Now if, say, you saved 5 images to a device which already had 10 images on it which you had already viewed, and didn't open any of the new ones, you would go to the gallery and see all the thumbnails for the 10 existing ones but the 5 new ones would be blank. Then you would click on one of the new 5 and open it. Then return to the gallery and now see 11 thumbnail images and 4 blank tiles. That would make life very easy. Unfortunately it doesn't work like that. Good luck with the testing.
Avatar
Anyone?
Avatar
Andrew Rathbun 6/6/2020 3:12 AM
Anyone?
@malrker gotta be patient. It's 0225 EST on a Saturday. Not the best time to be asking questions and expecting immediate responses
Avatar
@malrker @Control-F did a webinar that talks about how location data is saved and stored when location is turned off etc. Not sure if this helps in your specific case but just in case https://www.controlf.net/5169-2/ (edited)
Although our classroom might be temporarily closed, we’re working hard to deliver content that our customers and the wider community can access. We will be hosting a Zoom webinar on Thursday April 9th at 2pm British Summer Time entitled: “Understanding Android Location Service...
Avatar
Thanks!
Avatar
@Cellebrite Do you have a beta version of PA that can decrypt Signal? I am able to decrypt the database using Axiom...
@Dam No beta version needed... This should be supported for iOS FFS in the last few versions
Avatar
@Orb thanks, it didn't parse in 7.33, I have to try 7.34
Avatar
I have a binary file from a Mobiwire Ayasha. Trying to import into the latest @Cellebrite UFED PA but the dedicated profile for this model doesn't decode a single thing. Tried generic MTK Physical and it decoded a contact and some images but no SMS or Call History. I know they are there as I can see them in the phone and from other product extractions. Anyone else run into one of these and found a UFED PA profile that decodes the data?
Avatar
Nothing in the CB Knowledge base about the Ayasha
Avatar
@Stevie_C try the Posh A100 profile. Not sure why, but I often get more results on NAND/NOR based MTK feature phones using this profile.
Avatar
@Arcain Damn, no, got me the same as a MTK Generic Android 😢
Avatar
Hmm, you could try one of the Nokia MTK profiles out of curiosity
Avatar
@Arcain Nokia MTK profiles were a bust but the @Cellebrite Alcatel 1052G profile got all the SMS decoded perfectly along with the contacts and multimedia (no SIM card or memory card in the handset). The only thing not decoded with that profile was the Call History from the Mobiwire Ayasha handset. 😀
Avatar
Anyone have any knowledge of the Apple iPhone folder Documents\Inbox? - I know it's for received files for example email attachments if saved. However, are there other apps that will save here? (I assume so). Any information would be helpful 🙂
Avatar
@Mattia Epifani Thank you so much for your kobackupdec script. So far it has worked perfectly. However the last device I backed up does not appear to include the salt in the info.xml file, so the data cannot be decrypted. Have you come across this problem before?
Avatar
@Orb Depends on the version of Signal. They had a bug preventing decryption using Keychain which was solved in 7.34. If it’s an old version of Signal, 7.34 will decrypt the DB but won’t parse it. In that case, you’ll have to use SQL Wizard to decode the data.
Avatar
@ThePM.01 all good for me with version 7.34
Avatar
mond4y_morNin6 6/8/2020 12:14 PM
Does anyone have any resources/documentation/knowledge of iMovie cache on an iPhone? Specifically looking at "ClipStrips" and "PosterFrames" in the iMovie/Library/Cache directory and any information on the original media that they depict.
Avatar
Hi. I've been given a full FS extraction of an iPhone to analyze. It's a .tar archive, 47GB (I think it was acquired with Elcomsoft). I tried to open it in Cellebrite PA and it says the tar is corrupted and only 44% of files can be examined. I tried to unpack the tar with WinRAR and 7-Zip and they both find the archive to be perfectly working. Anyone ever met a similar situation?
Avatar
@FabianoQ I hope this is not the iOS Forensic Toolkit's fault 🙂 Though sometimes the acquisition process is interrupted and the .tar is really corrupted. As far as I know, Cellebrite PA can work with unpacked acquisitions (a bunch of files and folders) too, so if the tarball archive has been unpacked successfully, try PA on the result. I should also note that many forensic packages do not work well on huge .tar archives (well over 100 GB). Have you tried Oxygen Forensic Detective? That's the only package that parsed a 220 GB archive (it took 2.5 hours); all others failed.
Avatar
@v_katalov Thank you, I'm pretty sure the .tar is ok. I'm unpacking it and will try PA on the unpacked folder. Can also confirm that Axiom parsed the tar without problems
Avatar
@v_katalov One doubt: can working on an unpacked tar lead to problems regarding the time properties of the extracted files?
Avatar
Does anyone know of a HUAWEI emulator? Where can I get one? I am trying to copy the secure folder to try and brute-force it. (edited)
Avatar
@FabianoQ - If you have access to XRY use the iOS Backup profile to import the .tar file.
Avatar
Mattia Epifani 6/9/2020 10:32 PM
@ClaireM thanks for your message. I'm cc'ing my friend and colleague Francesco @dfirfpi, who is the author and developer of the script. I haven't come across this type of issue yet, but maybe you can get in contact and we can try to have a look at your dataset
Avatar
Hey guys, I got a question about different kinds of wipes on an Android phone. I have a ZTE phone (Model: N9136, FCC-ID: SRQ-N9136, OS: Android 6.0.1, Processor: Qualcomm 8909) which was powered on inside of a Faraday box and powered on to a setup screen asking me to set up the phone's WiFi. I powered it off and was able to do a decrypting boot loader through the phone's profile on the Touch 2. When I opened the extraction in Physical Analyzer there was data showing in the extraction, such as text messages and call logs. I put the phone back into the Faraday box and set up the phone while skipping any option I could. I had to set a name for the owner of the phone, which I entered as "test" for the first and last name. I am currently running the same extraction again to see if setting the phone up has any effect on the data. I was able to see the text messages on the phone itself to verify the data Physical Analyzer found. Has anyone run into a similar scenario, or can anyone suggest some ideas as to how something like this occurs? I do not have a test phone to try and replicate this on.
Avatar
Update- The extraction finished and the data is the same.
Avatar
@Mattia Epifani hi @ClaireM, some guys on GitHub reported that change (I never had the chance to see such a backup), but it seems the decryption algo did not change. I've pushed a "fix"; basically it should jump over the check, allowing the decryption if the password is correct. If you'd try the last release and provide feedback, thanks!
Avatar
I think this is a simple one but it's not working... If another provider has done an examination on a phone using @Cellebrite and produced the report in PDF and Excel, how do I import that back into PA to generate a UFDR? I've tried open and adding folder but just get lots of failed to read error messages. Cheers for any assistance
Avatar
@JMK you can add external file. It will be added as separate document. This feature is often used with attaching warrants to extractions
Avatar
chrisforensic 6/10/2020 10:03 PM
Good morning @Cellebrite, have a little issue with decoding Skype (version 8.60.0.79). Imported a Huawei backup (folder structure) as I always do if I need it, into the latest PA... PA doesn't decode Skype.... Oxygen decoded it .... (edited)
10:03 PM
Avatar
@MSAB just acquired a physical of a TA-1010 Nokia, nothing decoded. Acquisition completed with NO errors. Any ideas? Cheers
Avatar
@8198-IZ54 We had an issue with one of those last week. Label says TA-1010 but if you type *#0000# on handset it returned that it was TA-1034. I have a personal test phone labelled TA-1010 and *#0000# result also says TA-1010. But the other one dumps but doesn't decode correctly in either @MSAB or @Cellebrite
3:50 AM
My test phone dumps perfectly in both of the above tools and both also decode data perfectly.
3:52 AM
The other one which displays as TA-1034 doesn't dump in @Cellebrite but dumps using the TA-1010 profile in @MSAB but both have issues decoding the binary file obtained by XRY
Avatar
@8198-IZ54 If you could DM me the log I'd be glad to have a look! We've seen a couple of Nokias in the wild which store their data all over the place so our decoding fails miserably. That goes for you as well @Stevie_C! (edited)
Avatar
OK so this handset fails to dump in UFED: it starts to dump, you get the 0x -400000 address, then it disconnects. XRY dumped it straight off, however the decode fails
Avatar
@8198-IZ54 Yep, exactly what happened to us. Type in *#0000# into handset and see if you get the same as us
3:55 AM
@Cellebrite crashes out after a few seconds of dumping
Avatar
@8198-IZ54 you tried taking the XRY dump and decoding it with PA? We've had some success with that in the past when there's time/date issues but don't think i've tried it for that model
Avatar
I think I'm being stupid here. Any way to *#0000# when it's PIN locked?
Avatar
@K23 I did that with ours. PA didn't decode the binary file correctly. Turned contacts into Chinese but manual of handset has normal contact names!!
4:08 AM
@8198-IZ54 Take SIM Card out
Avatar
No Sim in.
4:09 AM
My brain is hurting
Avatar
Ah ! Handset lock, not SIM Card PIN
Avatar
yeah handset lock
Avatar
Did XRY not show handset lock code in dump ?
4:10 AM
Try importing binary file into PA
Avatar
I'll give it a go
Avatar
I'm at home at the moment but will be in work from 1400 hrs
4:11 AM
I'll be working on our device when I get in
4:13 AM
Just open the .xry file in XAMN and extract the binary file. Once you have that you can try other tools to see if any get the handset lock code 😀
Avatar
Cheers
Avatar
@Stevie_C Well the saga continues with the TA-1010. Binary extracted and 144 contacts. However, it looks like 144 contacts on A4 cut into pieces and reassembled in a random fashion 🤣
Avatar
If you want to know something weird about them, we’ve had ufed give us the passcode that didn’t work with the TA-1010 but the passcode did work on a related iPhone?
Avatar
Hey guys, has anyone ever seen an Android 6.0.1 device which powered on to the setup wizard but still contained user data such as SMS and MMS?
Avatar
@CLB-Paul Ref my query earlier on adding PDFs: when I add the folder with all the PDF accompanying files and folders in it (and the PDF file itself) I just get an "insufficient system resources exist to complete the requested service" error for every file. I'm going File - Open case - Add - Open advanced - Blank project - Select folder and pointing it at the folder containing all the PDF folders / files etc. Is there a different way?
Avatar
I guess it depends how many you are planning to add. The add external file isn't meant to add hundreds of documents to a case.
Avatar
@Cellebrite Having issues with a full file system iOS dump, loaded into PA 7.34.0.38 but it will not let me save as UFDX, Save Project session or Load project session. Everything is grayed out. I added the keychain to the full file system extraction from the beginning of the PA session. Nothing special
Avatar
So the UFDX is to save multiple extractions into one... do you only have one thing loaded?
Avatar
Just one loaded. I wasn't sure if having the full file system and the plist would make it a UFDX
Avatar
That one I'm not sure of. UFDX is to merge multiple extractions, like Logical, FS, Physical etc, but I can look into it..
Avatar
@CLB-Paul So when I closed the project it prompted me to save the session and I did; when I opened it back up it saw the saved session and asked me if I wanted it loaded. Just FYI
Avatar
Mistercatapulte 6/11/2020 1:39 PM
Good evening everyone, I have a problem with the Signal application on an iPhone 7 Plus, iOS 12.1. I dumped the device with JB and also with Elcomsoft, so full FS. I also got the keychain in addition. I opened the dump and the keychain in Axiom and UFED and in neither software do I see Signal... The version of Signal is 2.39; I see live on the phone calls and a written message still available. Any ideas?
Avatar
Anybody know what db iMessages are stored in?
Avatar
mobile/Library/SMS/sms.db @LawDawg
Avatar
@CLB-Paul Ok. my partner did an extraction for someone and dumped everything into a report for that person to review. He said he didn't see any iMessages decoded in the dump we gave him.
Avatar
What kind of extraction was it
7:40 PM
I have personally seen that DB not come out in some extractions. This was a few years ago.
Avatar
I dunno. I had that person bring up the extraction summary, but it didn't say. It was an iPhone, I know that. I'm new to the phone side.
Avatar
No problem. We’re all here to help
7:42 PM
Shoot me a dm so we don’t clog up the main chat
Avatar
Kind of cool: noticed on a manual of Facebook Messenger, we were able to see secret conversations. Further to this, the application shows phones that have been used for secret conversations along with the security key.
Avatar
torskepostei 6/12/2020 2:52 AM
Are UFED Cloud extractions saved somewhere, like a UFD file, or similar? UFED PA (v 7.34) lets me do a cloud extraction based on data from a phone, but I don't fully understand where the acquired cloud content is stored. Want to make sure I get all the correct bits when moving the acquired data from an online computer to long term offline storage. @Cellebrite
Avatar
@CLB-Paul only adding 1 pdf but the actual pdf doesn't show up as an available file, just the folder it's in, with all its folders of linked documents, pics etc.
Avatar
@torskepostei I had this same problem. It doesn't behave like 4PC, InField (now Responder) and the like. I did figure out where it was hiding the stuff. I found it created a UFDR file in one place but the raw data I found in the AppData folder somewhere. I'm frantically trying to find my notes where I had the path recorded
Avatar
torskepostei 6/12/2020 6:34 AM
@Stevie_C The closest I could find to raw data is stored in C:\Users\ <user>\AppData\Local\Temp\Cellebrite Physical Analyzer\ <number>. It holds about 500 folders with varying content, some images, files, some empty. (edited)
Avatar
@torskepostei Got it. I found my raw iCloud data from which the UFDR was created in the path C:\ProgramData\CellebriteMobileSynchronisation\UFED Cloud Analyser\Files\BFiles[GUID]\iCB[GUID] (edited)
6:38 AM
Think from memory that was Cloud Analyser v7.11 or thereabouts. Wasn't the new one
Avatar
torskepostei 6/12/2020 6:39 AM
Interesting, will check that folder!
6:39 AM
@Stevie_C Apart from the reader file, I don't think there is any way of finding the "raw data" gathered in a single file, like for phone acquisitions. Would be nice, so other investigators could decode the same data and verify the results. As it is now, if there is a bug somewhere in PA the entire acquisition has to be done all over instead of just decoded on a newer version (unless there is some way to build a new cloud project from the folders in AppData).
Avatar
I did a Google dump recently and could not find the raw data for love nor money
6:41 AM
It has to be downloaded somewhere, otherwise the UFDR can't be created. There should be a specific downloaded data folder that's easily found as I want to copy that to my evidence folder on my forensic machine into my case folder, not just the generated UFDR.
Avatar
torskepostei 6/12/2020 6:42 AM
@Stevie_C Yes, this is exactly the same thing I want to do: having the raw data neatly stored in the case folder!
Avatar
I CC'd @CLB - DavidK into an email about this very issue back in May
Avatar
torskepostei 6/12/2020 6:44 AM
I fired off an email to cellebrite support as well, they usually have good answers so hoping that may lead to some more info
Avatar
Equate that to a device data extraction: UFED 4PC extracts the data, creates a UFDR, then dumps the extracted data and only gives you the end result UFDR. You really want the original source material to save alongside the output, just like a device extraction, not just the end output. I really want the Cloud Analyzer to behave the same as a normal examination. With questions like "Where do you want to store the raw data?" .... "Where do you want to store the UFDR?" That would make life very easy. I'd just then copy data from both locations to my air gapped forensic PC to go with my potential extractions of the device itself 😀
👍 1
Avatar
Can anyone help with interpretation of the ATXDataStore.db? It shows a list of apps, install date, last launch date and subsequent launch counts (where the value of the table is stored as a bplist). For example, the bplist in the Subsequent Launch Counts for the process com.apple.InCallService contains a list of apps with values: uber: 13.2; safari: 20.7; mobilemail: 63.2; preferences: 0.3; timer: 1.3; sms: 19.5; WhatsApp: 50.8, iBooks: 1.6, InCallService: 63.1 etc. How are these apps/processes and values interpreted? Does it mean InCallService was launched from Mobile Mail 63 times, and iBooks 1 time? Having trouble understanding why these apps are listed in relation to InCallService and what the numbers mean. Thanks!
Avatar
Does anyone know where an apps first install date is stored in the android filesystem?
Avatar
Hi, I have this Chinese super little phone, L8Star BM70. UFED4PC dumps a physical, a 4MB .bin file, but PA doesn't parse any data at all out of this image file. If I switch on the phone I can see contacts, phone calls and SMS. If I open the .bin file with a hex editor I can see the names that are stored in the contacts. Anyone know of a tool to parse this data? (edited)
Avatar
The xLEAPPS got some new GUI changes, can run individual scripts now https://twitter.com/AlexisBrignoni/status/1271571958908563456?s=19
🐍 New xLEAPP usability updates!!! 🌎 No need to select extraction type 🌍 Select only the artifacts you want 🌏 More concise GUI Thanks to oleag4n6 (https://t.co/Nva4Krzp63) and Yogesh Khatri (@SwiftForensics ) for their awesome #DFIR #Python coding. https://t.co/wQJTyKm76S
Avatar
@FabianoQ Maybe MR bkerler but not sure https://github.com/bkerler/MR
Avatar
@rico I'll give it a go
Avatar
@FabianoQ it's MTK based?
Avatar
@Arcain Should be so
Avatar
Try a couple of different profiles for devices with a similar chipset. Sometimes a generic one doesn't decode data, but others do. Try the Posh A100 profile first
Avatar
Another one to try is the Alcatel 1052G profile. I had good success with that with a MobiWire Ayasha handset recently
Avatar
@FabianoQ XRY should have multiple profiles to try as well and see if that can decode the data, both L8star profiles as well as the Mediatek Generic 2 would certainly be worth a try! Just use the Import option to import the binary from UFED, or just dump it with XRY. Whichever is quickest, I am not sure 😛
Avatar
@Cellebrite any advice on which profile I could use on a Samsung C3520 physical dump in PA? It seems to be based on PNX491x (edited)
Avatar
Forensic@tor 6/13/2020 4:49 AM
@Arcain Have you checked for a Generic (non-android) Samsung profile? I would also try profiles starting with C3.
Avatar
@Forensic@tor generic non-android no, other profiles for c3x series are able to carve out SMS and nothing else (edited)
Avatar
@Arcain @Stevie_C I tried both Posh A100 and Alcatel 1052G, the results were the same as the L8STAR profile: 0 data. I tried also Axiom, Finalmobile, Oxygen, SPF, Mobile Revelator, MD-RED. All gave same results: 0 data.
Avatar
@FabianoQ Darn, that's an awkward device. Have you tried searching the binary file using any forensic tool for 7-bit PDU? At least that way, if there are messages, you might be able to get the SMS bodies, then manually decode the data around them. Long time since I had to do that!! Having said that, it might be quicker just photographing the data if you have access to the device!! As long as you're not looking for deleted!! Then if you're looking for deleted stuff like SMS, at least you have the live ones: find them in the binary file, see how they look and compare them to SMS in the binary to see which ones are live and which are deleted. That's going to be a bit of work!!
Avatar
@Stevie_C I assume this is my only chance. I did this same model in the past and UFED was able to parse the .bin. Something must have changed. My colleague just got another 8 of these (it's a "prison phone") and they behave the same way: no problem to get a physical but nothing is parsed.
Avatar
We had something similar with a Nokia TA-1010 the other day. https://discordapp.com/channels/427876741990711298/545232743353810946/720590631466041464 Both labels say TA-1010 but one software version reports TA-1010 which worked perfectly but the other, although saying TA-1010 on label reported TA-1034 by checking using *#0000# on handset and decoding that binary file was causing problems too. Sounds like a similar situation.
5:21 AM
Ideal situation would be if you weren't in a rush and could provide the binary file to forensic companies; they could take a look at it and see if they could add decoding support for that model and firmware combination. That way if you get more in the future, you'll be in a better position for any others that appear in your office!!
Avatar
👍 Sure, I'll contact Cellebrite
Avatar
@FabianoQ I'd reach out to all of the ones you have products for, see who comes in first with a solution 😀 Wouldn't be the first time I use product A to get the binary, and use products B, C, D & E to try to decode it. Especially if you're up against time
Avatar
Does anyone know what timestamp format this is? 489961749.753658. Cellebrite converts it to 8/3/2017 7:42:50 PM in the DB viewer, but I am trying to parse the artifact and can't figure out what format it is.
Avatar
theAtropos4n6 6/13/2020 11:53 PM
@NickM It seems to me as a cocoa core data timestamp. Here is the link to check it out. Is your device an iOS device? However when I used the timestamp converter it didn't bring me the same results with what your PA brought. https://www.epochconverter.com/coredata
Avatar
I would have agreed on Cocoa Framework/Mac Absolute (ignoring the decimal precision). But MFT Stampede decodes that as Mon, 11 Jul 2016 20:29:09 for me
Avatar
@NickM Do you have more examples for us, please? Is it from iOS or Android, and what app is it? Does PA say UTC +/- xx hours?
Avatar
What is the name of the field in the database. (edited)
Avatar
Had a search through on here, and on the manual, and it looks like a few people have asked this but we've never had a clear answer. @Cellebrite what does the Last Known Use field actually indicate on Android devices? There are several MSISDNs we have on this case and one of the dates is causing issues as it doesn't match up with billing. If this means that this is the date the SIM with that MSISDN was put in the device, then that will put this to bed. If it means this was actually the last time that MSISDN was used by the handset then it's going to give us some headaches.
Avatar
@Cellebrite Hello! I noticed a small error (or bug?) when exporting BSSIDs for enrichment. One of the BSSIDs I found interesting had a missing digit/letter. I am assuming this is an omitted zero. This BSSID was not included in the export and was therefore not included in the enrichment. I tried just adding the BSSID to the XML, but I got an email back saying it had some kind of error and didn't work. I might have forgotten to change the amount of total items when I added the BSSID. Would me just adding it manually and changing the amount of total items work, or is there anything else I need to change to include all the BSSIDs?
Avatar
CLB - DavidK 6/15/2020 5:25 AM
Hello @K23, that field contains the MSISDN of the last SIM that was used in case that more than one SIM has been used on the device, the time indicates the time the SIM was put in the device.
Avatar
Fantastic, thank you for clarifying @CLB - DavidK, that makes a lot of sense!
Avatar
@theAtropos4n6 It is an iOS Device and it is for the Ookla Speedtest App. From what I have found the PA conversion is wrong based on data I know about the device. And it does seem to be a Cocoa Mac Absolute. I am waiting on a test device to arrive so I can test the time stamps with known data to confirm everything. @OllieD @Karlsson
7:27 AM
@Karlsson ZDATE is the name of the field
Avatar
Hi all. Does anyone know exactly what app does the 'MessengerMedia' folder under DCIM in the iOS file system relates to? (edited)
Avatar
@HabbaBabba I'm only guessing but I would think it's related to the FB Messenger app.
Avatar
@mkx To link messages and files you need to use both the main.db and the core.db databases. You need to cross reference the message key in main.db with the contentObjectId in core.db, and then use the cacheKey from the core.db to find the file itself. Feel free to DM me if you have any more questions about it.
Avatar
Hi all, anyone had a checkm8 download show only 3 plist files in PA, and not decode any data?
4:00 AM
iPhone X download completed fine in 4PC
Avatar
@Cellebrite I am after some advice. In UFED PA I am seeing 11 dates recorded as 'recovery events' Does anyone know what these dates relate to? Is it user initiated factory resets? If so how accurate are the time/date stamps associated with them?
Avatar
CLB - DavidK 6/16/2020 6:01 AM
@TheNetCat iOS 13.5.1 maybe?
Avatar
@CLB - DavidK yes it is.... Has that killed off the checkm8 exploit?
Avatar
CLB - DavidK 6/16/2020 6:48 AM
@blake-ee The recovery events dates indicate the dates the device went through a factory reset. I guess that those dates are coming from the recovery partition that doesn't get wiped in the factory reset
6:52 AM
@TheNetCat No. We have an issue getting the keychain.plist out of iOS 13.5.1. That is supposed to be fixed ASAP; I will send you the fixed version when I have it.
Avatar
@CLB - DavidK awesome thank you. So the device download will be ok as-is until the updated PA version?
Avatar
CLB - DavidK 6/16/2020 6:59 AM
@TheNetCat You will need to extract it again using the fixed UFED 4PC version. The issue isn't in PA.
Avatar
@CLB - DavidK Do you think the dates/times are reliable then?
Avatar
CLB - DavidK 6/16/2020 7:10 AM
@blake-ee Yes, it's the same as any other data you are parsing using PA.
Avatar
@Orb thank you for the info!
Avatar
I have an advanced logical extraction from an Alcatel and have two folders of interest. .FotoX and .hideme. Has anyone ever dealt with these? .hideme appears to have 44 jpgs and .fotox has 3. Images are parsed as blank images in PA @Cellebrite
Avatar
The applications do not appear to be on the device any longer.
10:09 AM
Extracted the folder structure from PA and analyzed it with Axiom. Axiom sees the files as well, but doesn't decode them. (edited)
Avatar
I haven't seen those folders before. But I wonder what the sizes of the JPGs are? Are they tiny files? And maybe look at the files in a hex editor and confirm they are JPEGs?
Avatar
@mkx the .FotoX JPGs are between 165KB and 170KB and .hideme are 6KB to 119KB (with most being between 10KB and 60KB)
10:35 AM
.hideme folders include /.hideme/data/. Inside data is Inbox and Wallet
10:36 AM
.FotoX are all in the Welcome folder inside /.FotoX/
Avatar
Does the file header start with: FF D8 FF ?
10:41 AM
no for the .hideme images
10:43 AM
CD 45 9C 75 for .hideme .jpeg files
10:46 AM
Looking at the .FotoX makes me think it wasn't used. It is only 2 files in the Welcome folder.
Avatar
Does anybody know if the encryption key for the SilentPhone app database on iOS is located in the Keychain?
Avatar
Not sure if it has been mentioned today or not but DB Browser for SQLite 3.12.0 was released today and the release notes state:
"Support custom SQLCipher cipher_plaintext_header_size (6b8fb51f049711274eee3a523a3ab3b477524218)".
That should resolve having to have the nightly build in order to decrypt signal.db. https://sqlitebrowser.org/blog/version-3-12-0-released/
Avatar
HI all.... I'll be examining three Android phones and it seems there will be Chatgum artifacts. Has anyone come across that app?
Avatar
richhughes#1982 6/17/2020 3:30 AM
Does anybody have experience with MEGA databases? I'm currently examining a mobile where they have been using MEGA and I'm trying to establish if images extracted from MEGA have been sent or received. The MEGA app on the device is signed out so I'm unable to do a manual review to confirm. Having looked at the databases within UFED I'm not getting much information from them. One type of database file that is recurring is megaclientstatecache12(file name).db; your help would be much appreciated. (edited)
Avatar
S Cote / SQ 6/17/2020 8:29 AM
Hi, I'm using Cellebrite Physical Analyzer (currently the latest 7.34 version), and I want to be able to exclude all things containing a list of words I've selected from a physical or logical image of a cellphone. The exact thing I'm trying to do in my case is related to the law of privilege. I want to exclude the name of the lawyer and all conversations, so I got a list of words and names to exclude. I want to export the whole phone into a UFED Reader BUT all wordlist related items. So far, I found Watch lists in the program but my results are inconsistent. I tried including zips in the initial processing, unchecked whole words for every word, and when I created the UFED Reader, I unchecked "Watch lists elements" and left everything else checked. Then I ran X-Ways on my UFDR and I found those keywords everywhere! Does anyone here have a better way to effectively exclude a list of words from a UFED Reader? Thanks! @Cellebrite
Avatar
Have you seen the blog post by Matt G.? Let me dig it up for you
8:40 AM
A hot topic these days is on methods to quickly redact items from a phone-extraction report. This is relevant in eDiscovery cases and seems to be surfacing more than before.  Recently, one of our customers was provided a list of terms and names to be redacted from the report b...
8:41 AM
@CLB-TheGeckster is the author @S Cote / SQ
cellebrite 1
👍 1
Avatar
S Cote / SQ 6/17/2020 9:05 AM
@CLB-Paul @CLB-TheGeckster Thanks guys 🙂 I've read everything and it looks like the same thing I was doing in my case, but instead of unchecking the list after the processing of the watch list I was unchecking the whole category before exporting in UFDR format. I'm not sure if this makes a difference or not. I've got a couple more questions for you:
  • If I select "search zip files" before processing, will it find more results, or does it already get all the info in the whole phone with "default" processing?
  • I have a couple of names in my list with accents ("Stéphanie" for example), and when I import my CSV file, the accents are replaced with a black diamond with a question mark in it. Will it search for the accent?;
  • Can we put wildcards into this list? Related to the previous bullet, could I put a wildcard to replace an accented character, like "St*phanie" for example?;
  • Last but not least, when I uncheck those artifacts before exporting a UFDR, are they completely removed from the UFDR or are they just hidden from the user reviewing it? (Because we found many hits of the same keywords in X-Ways after reviewing a UFDR where I excluded those words with the watch list). If I'm not clear enough (I'm from Quebec) please let me know 😉 Thanks again!
Avatar
That's quite all right.. me too @S Cote / SQ
Avatar
@Cellebrite how can I suggest some features for your PA?
Avatar
you can send it here.. or send me an email paul.lorentz@cellebrite.com
Avatar
1. Add an option in Options to turn off "include location on source" by default.
10:29 AM
2. Add an option in Options so that when you start a new device, everything starts deselected by default (to only choose what you want to include).
Avatar
CLB-TheGeckster 6/17/2020 10:30 AM
#2 should already be there
10:30 AM
Avatar
3. Add an option in Options to hide the timeline when opening a new tab. It steals space on the screen.
10:31 AM
Cool
10:34 AM
4. On the video tab you should add a small media player to preview the video, instead of opening it in a new tab.
10:34 AM
On the lateral tab in videos....
Avatar
I can pass up a request..
Avatar
These are small changes that make a difference when triaging, especially videos
10:42 AM
When you need to see 4000 videos one by one to triage, you're gonna see the point
10:42 AM
Thanks for that
Avatar
S Cote / SQ 6/17/2020 10:46 AM
@CLB-Paul do you prefer me to contact you directly with my watch list questions? Or open a support ticket?
Avatar
@S Cote / SQ I sent you a DM..
Avatar
S Cote / SQ 6/17/2020 10:58 AM
@CLB-Paul Oops not familiar with Discord. Saw them, will continue here! Thanks!
Avatar
Is it just me or is there lately not a single recovered message in the "Messages" category of Physical Analyzer for iPhone acquisitions? Even in full FS acquisitions I never see a single message recovered (WhatsApp, FB Messenger, etc...), while with Android phones something still gets recovered in this category....
Avatar
@Cellebrite Hello! I noticed a small error (or bug?) when exporting BSSIDs for enrichment. One of the BSSIDs I found interesting had a missing digit/letter. I am assuming this is an omitted zero. This BSSID was not included in the export and was therefore not included in the enrichment. I tried just adding the BSSID to the XML, but I got an email back saying it had some kind of error and didn't work. I might have forgotten to change the amount of total items when I added the BSSID. Would me just adding it manually and changing the amount of total items work, or is there anything else I need to change to include all the BSSIDs?
Resending my message from a few days ago. I tried just manually changing all the obvious stuff and sending it to enrichment@Cellebrite, but that didn't work. Anyone from @Cellebrite who has any insight into how I can include this BSSID in the enrichment?
Avatar
CLB - DavidK 6/18/2020 2:21 AM
@Cygonaut I have contacted you via dm
Avatar
@Cellebrite If I've loaded/merged two extractions into one session of PA is there a way for me to remove one of them? Or create a report from only one of them? edit: using version 7.34.0.38. (edited)
Avatar
theAtropos4n6 6/18/2020 3:08 AM
@Seladour When you create your Report, the Project option allows you to choose from the dropdown menu which extraction source you want to use for your reporting
👍 1
Avatar
@Cellebrite Any work around for PA 7.34 not loading PAS files from iPhone (GK) extractions? Tried to backdate the software and it won't load the PAS because it was made with a newer version. Can the PAS be modified to trick the software? @zero00796 (edited)
Avatar
@sholmes I've had Cellebrite modify the PAS file to allow this; I believe we emailed them the PAS file
Avatar
@DCSO Thanks for that tip. I will see if they can help.
8:46 AM
That was easy. Let's see if the second question is just as easy.
8:47 AM
So here it goes. Looking for iPhone SMS assistance. I have a conversation in the SMS section (associated with the sms.db) of @Cellebrite PA which shows someone else's name where the owner's name should be. The messages are from the phone's owner, but I can't explain why there is no phone number. (edited)
Avatar
@sholmes do you have a screenshot (black out any private data)?
Avatar
stand by
8:54 AM
DM sent
Avatar
Cellebrite question.... if I'm running a watch list in PA that has Arabic words... will PA pick those up if I don't have the language pack?
Avatar
Anyone from @Cellebrite decoding able to assist with the sms.db iPhone question above?
12:27 PM
I started digging around in the db itself, but didn't find anything glaring as to why someone else's name is listed as the owner when we know it is the actual owner talking in the chat
12:27 PM
and he is listed fine elsewhere?
12:28 PM
I would be able to tackle this next week if you hit me on DM
Avatar
randomnumbers3349853745 6/18/2020 2:22 PM
Anyone mess with ppsqldatabase in iOS? I’m working with multiple relevant location entries with bplist blobs. Having trouble getting the binary data out to see what’s there.
2:23 PM
Any positive responses please hit me up DM. Hard to follow this chain and I can provide little more info.
Avatar
@sholmes I'm not Cellebrite, but I am curious what the source reference is for your message, in terms of the tables being used to display the name you're seeing.
4:53 PM
I saw your comment about digging into the db. My apologies if this is part of what you’ve done already to troubleshoot
Avatar
@luis511_ it is the sms.db from a full file system extraction of an iPhone
7:10 PM
I’m open to any suggestions.
7:11 PM
Or assistance. I’m on vacation next week, but can still access the db
Avatar
@Cellebrite and @MSAB a random question. Do you guys parse out the metadata in documents (last saved, author etc., where applicable) automatically? (edited)
Avatar
@Cellebrite I am looking at installed apps (table view) within UFED PA and have noticed a column labelled 'Operation Mode'. The values within this column are either foreground or background. Can anyone explain what this column and its values mean?
Avatar
Earlier in the week I had a question about timestamps associated with Recovery Events in UFED PA... What I am trying to understand is how, in some instances, there are recovery events logged as being only 30 seconds apart?? How is this possible? Any help would be appreciated. @Cellebrite
Avatar
Does anyone know how to interpret "SystemUI changed: 0x2 -> 0x20002" in the Unified Logs (from an iPhone)? The values change: 0x0->0x10, 0x812 ->0x12, 0x1010 -> 0x100.... trying to figure out what it means and/or what is happening on the phone during this entry. Thanks.
Avatar
Does anyone have any information on the protobuf structures contained within the iOS file 'GeoHistory.mapsdata'?
Avatar
@Cellebrite @sholmes For PA and the Graykey extractions, if you're having an issue with being able to save, this is what worked for me (no guarantees it will work for everyone): close PA and make sure to hit save when PA asks you if you want to save the session file, and make sure it's in the same folder as the .ufd file(if not you can just drag it into the same folder). After that, open the .ufd file and it should work like normal. If you don't already have a .ufd file, but did save the session after closing PA, open PA then go to file -> open case. On the load evidence Apple iOS GrayKey screen, make sure you click "Save UFD" on the bottom left and save it to the same folder as the .pas file. Once it loads, close it out, then open the newly saved .ufd file and it should find the .pas file in the same folder and restore your session. After that I was able to save as normal.
Avatar
Hi, does anyone else have problems getting WhatsApp Business data with Cellebrite? Although it is supposed to be the same parser, APK downgrade does not let you downgrade this APK.
Avatar
Has anyone seen these phones yet: https://omertadigital.com/ ? They recently made a blog post about Encrochat being compromised (here: https://omertadigital.com/blogs/news/encrochat-hacked-users-exposed-arrests-galore-the-king-is-dead). The phones are set up based on Google Pixel models and it seems that users are also able to use them as a "regular" phone, as they demonstrate in their video. I'm just curious if anyone has actually stumbled upon one and has any information about it.
Omerta Digital Technologies provides premium, flagship smartphones with military grade encryption to ensure your privacy is not only respected but enforced. Utilising best in breed technologies we provide the means for you to practise the code of silence.
Avatar
In the same ballpark, we came across these a couple of times recently as well: https://totalsec.io/en
TotalSec is a provider of next-generation modern technologies to enhance your communication and device with high-end security and privacy solutions.
Avatar
Potentially some more forensic stuff for us?
👍 2
Avatar
@Cellebrite Where do I find the malware scan file in the Cellebrite download portal? I would like to update the Malware Signature Database. (edited)
Avatar
@stephenie No, I'm afraid that this kind of metadata is not decoded by XRY.
Avatar
chrisforensic 6/22/2020 1:14 AM
@florus if you mean the BitDefender definitions update file.... then there is no download.... you can create this update file if you start "malware definitions downloader.exe" from the folder "BitDefenderUpdater".... the definitions will be downloaded and then packed into an .msd file... inside the folder "bitdefenderupdater"... you can use this file to offline-update the BitDefender definitions....
Avatar
@chrisforensic Thanks, I found it 🙂
1:15 AM
hm @Cellebrite I'm receiving a "download database is corrupt" error?
Avatar
chrisforensic 6/22/2020 1:18 AM
Avatar
yes, it completes but then returns an error. I'm curious if you have the same problem.
Avatar
chrisforensic 6/22/2020 1:21 AM
1:21 AM
finished... without problems 😉
1:22 AM
Avatar
@Cellebrite malware database is corrupt, can't figure out what the problem is;
Avatar
@MSAB_Sofia Thanks Sofia
Avatar
CLB - DavidK 6/22/2020 4:23 AM
@blake-ee Foreground: applications that the user must open in order for them to run, such as YouTube, Instagram etc. Background: applications that can run in the background without being opened by the user, such as Google Play services, Samsung Push Services etc.
Avatar
I've found a Samsung Smart Switch backup on a PC. Any ideas how to decrypt it and preferably load it into PA?
Avatar
@Cellebrite Why am I showing a difference in the number of artifacts from the extraction to the report?
5:56 AM
5:58 AM
Is it because I did not include "merged items"?
Avatar
@florus Happened to me the other day. At work it kept saying corrupted. Tried on a different PC at home and it worked first time. Tried again at work the next day and it was still saying corrupted. Try another PC. Just copy out the Updater folder to a USB drive
Avatar
@Stevie_C @florus I had a weird one the other day where the generated report was marked as completed fine but wouldn't open in Reader. I could open it with PA and Reader on another PC, but my workstation just wasn't having it. Regenerated a few times, same issue. Tried different Reader copies/versions, same issue. Just that one case
Avatar
@Cellebrite It was merged items. Ignore me.
6:09 AM
@Cellebrite I have another question. When I go into the SQL databases and manually carve them, are these the same items that are shown as the recovered deleted items in the "Analyzed Data" section? If so, why is it not automatically carved when I open the databases?
Avatar
@LawDawg Not exactly the same... First, what you see in the "Analyzed Data" section are not "raw" database records. They're artifacts that may have been decoded using more than a single source of data (different tables, or even different files), or the opposite: they were decoded from only a part of a database record. But it may be different even when the primary source for an artifact is a single SQLite record. When recovering records from a SQLite database table, a "signature" for that table is created and used to carve out potentially deleted records from the file. In the database viewer, a default signature is used that is based on the table definition (the "CREATE TABLE" statement), but within the different parsers in PA, more sophisticated signatures are often used to make sure the parser gets the most data with the least false positives. Lastly, the actual reason tables are not carved when you open a database is that the recovery process might take time on larger databases, so we didn't want performance to be impacted when it's not necessary.
Avatar
@Orb Ok. So, if I manually carve deleted messages from the sms.db, are those carved entries already included in the analyzed data section of "SMS Messages"? In other words, do I need to manually carve for deleted messages?
Avatar
@Cellebrite where is the watchlist stored (after parsing) in the new PA?
Avatar
@Stevie_C Problem was PA 7.33. Fyi.
Avatar
@Cellebrite
11:32 AM
Missing...
Avatar
@florus My malware definitions issue happened with the BitDefender folder from the root installation of PA v7.34.0.38. Didn't work and said corrupted on PC 1, but the same downloader on a different PC 2 worked first time. Just plain weird!
Avatar
@CLB-Paul Ah, that's good to know Paul! 🙂
Avatar
@LawDawg I don't think there's a definitive question to that answer. The SMS parser and the DB Viewer recover records differently. No one way is always better than the other. One way might have fewer false positives, but miss something that could be useful...
Avatar
theAtropos4n6 6/23/2020 4:33 AM
Hey there. I have a quick one. I have an iPhone 7 with the latest iOS and I am trying 2 things: 1) Are there any log/plist/sqlite files that record when the wifi was turned on/off? 2) Are there any cache files that hold which networks were scanned when the wifi was turned on on the device? Those logs exist in the Android environment and I was wondering which are the iOS equivalent. Thank you
Avatar
@Orb Would it then be prudent to manually carve the DB and export it into a CSV for review in addition to the generated report? I'm not actually examining it. I'm just dumping it for the case agent.
Avatar
If this is specifically about sms.db, I think personally I would use just the results from SMSs under "Analyzed Data". This is a relatively well-researched database with a well-verified parser for it in PA, so I believe not a lot is missed. But this answer can of course change depending on the importance of the case, the priority of SMSs in it, or if you have information you know is missing. Also the technical proficiency of the case agent is important here, if they need to go through CSVs of raw database data.
Avatar
@Orb Why our case agents are examining dumps is a story unto itself. I do appreciate the answer!
Avatar
WhatsApp question: It's my understanding that the sender of a WhatsApp message can delete it (for himself and for the recipient) only if the recipient hasn't read the message AND within a given time frame. Correct?
Avatar
Correct
Avatar
Hi @florus So my next question is: does anyone know of a way to circumvent those limits, making it possible for the sender to delete (on the recipient side) a message that was read and is 2 months old?
Avatar
Not that I know of.
Avatar
Not sure which channel is best for this question, reposting here: I'm interested in being able to collect AND export "live logs" from an iPhone (not interested in data at rest). Ideally, I'd like to capture about 15 minutes worth of data, but MOST importantly, I need to be able to export that data in a non-proprietary format (csv, json, log, etc). Apple Configurator allows live unified logs to be exported in a .log format, which is perfect, but it only exports 2 minutes worth of data even if the phone was connected for longer. Does anyone know of a way to either: 1) increase the two-minute limit in Configurator to allow one to save a live capture of 15 minutes, or 2) another way (other than Configurator) to collect and export about 15 minutes worth of live unified logs? Thanks
Avatar
This looks pretty awesome, made by doubleblak: https://twitter.com/BlakDouble/status/1275256365280186370?s=20
ArtEx 1.4.0.0 with ArtExtraction coming very soon :) #DFIR https://t.co/QlfREaKDE7
💯 5
Avatar
Andrew Rathbun 6/23/2020 12:52 PM
@CLB_iwhiffin
Avatar
@CLB_iwhiffin
@Andrew Rathbun I was looking for @ double and @ ian but couldn't find him ✌
Avatar
Andrew Rathbun 6/23/2020 2:10 PM
I had to try a couple myself but starting to type "whiff" worked lol
Avatar
I have a Samsung SM-N950F Galaxy Note 8 and the person deleted a PDF on the phone; this PDF is very important for us. Is there any method to recover this PDF on this phone? We have a physical extraction with UFED4PC.
Avatar
@Morph You could always try and load the bin file into X-Ways or some other forensic program and carve for it there. Did PA not find it in the automatic carving?
Avatar
@Oscar PA lists the PDF in a WhatsApp message, but not as a file. OK, thanks, I will try it in X-Ways 🙂
Avatar
It's possible it was already overwritten. It's not very common to see successful deleted-file recovery from modern smartphones
Avatar
Deleted User 6/24/2020 2:16 AM
In the Photos.sqlite table ZADDITONALATTRIBUTES there is a column named ZCAMERACAPTUREDEVICE. Does anybody have some information regarding ZCAMERACAPTUREDEVICE?
Avatar
Anyone know if there's a way out of 'Software Install Failed' on Huawei? The only option is "reboot system now". It seems to have just happened after restarting the phone. It was operating as normal before this. Thanks in advance. (edited)
3:07 AM
CLT-L09
Avatar
theAtropos4n6 6/24/2020 4:15 AM
iOS iPhone 7. I have some records from knowledgeC.db parsed with APOLLO (matching results from PA 7.34) that tell me the phone was in airplane mode from day 10 to day 11 (more than 24h). The problem I am facing is that the user seems to have received+read (the timestamps I am referring to are "Timestamp" and "Read") two SMS inside the timeframe of being in airplane mode. How could that be possible? Also, I am trying to determine if he was using WiFi or not, but the only log I find (wifi.plist) holds only the timestamps of the Last Joined and Last Auto Joined dates, which are outside of my desired timeframe. Are there any other wifi logs on iOS?
Avatar
I'm looking for the fingerprint data location on a Samsung A510F. Can't find user.db in its usual location
Avatar
@Oscar Now I performed a search with X-Ways and found the name of the PDF file in /media/data/0/whatssapp, but there is no start sector or something like that saved; any other ideas?
Avatar
@theAtropos4n6 Wifi
5:54 AM
wifi could be active in airplane mode (edited)
Avatar
@Cellebrite Is there a way to find the first date a SIM card was inserted, like crash logs or something else, on a physical dump of an Android 8? I can't find what corresponds to the field "SIM Change Time" on the extraction summary, as this date is far from nowadays (2018). EDIT: Forgot to say that I don't have a "simcard.dat" file in the extraction (edited)
Avatar
maybe the last joined is not very accurate
5:58 AM
are the last joined dates before or after your desired timeframe?
Avatar
theAtropos4n6 6/24/2020 6:28 AM
@Dam Thank you very much for answering. Yes, that is correct. WiFi is where I am concentrating now. Both of these values are after my desired timeframe. Of course, this could lead to the assumption that he reconnected to these networks after the incident happened, which, needless to say, took place inside my timeframe. On one hand, the problem is that both of these timestamps are outside my timeframe. The other problem is that I am not aware of any other wifi kind of log in iOS apart from wifi.plist. Do you have any idea how to proceed in order to prove he was using WiFi in the timeframe?
Avatar
consolidated.db ?
Avatar
@3X3 Just an update from earlier -> turns out that by holding the power and volume buttons and having it reboot multiple times in quick succession, it took it out of this loop.
Avatar
kmacdonald1565 6/24/2020 8:45 AM
Are there any recommended guides for using App Genie? I don't have much practice with it and am looking to become more well versed. I am working on a phone now where it popped up with some potentially useful apps and I'm not sure where any decoded data might be found.
Avatar
@kmacdonald1565 There was a "life has no ctrl+alt+del" episode where @heatherDFIR and I discussed the App Genie and how it can be used: https://www.cellebrite.com/en/life-has-no-ctrlaltdelete/ (Episode 2)
Avatar
kmacdonald1565 6/24/2020 9:26 AM
@Orb thanks so much!
Avatar
@Cellebrite Does anyone know why certain emails decoded with PA get put into an "Unknown" bucket when the email address used is already present as its own bucket and is full of emails? I have a large number of emails sat in an "unknown" bucket under an "apple-transient-data" child folder. They have a deleted status of "intact" and say that they are unread; however, the conversation in the emails clearly shows that they have been read, as responses are being sent etc. Does this mean that they were maybe read on a different device and have been deleted from the phone, which is why PA has decoded them into an unknown bucket rather than putting them with the other emails from that email address?
Avatar
Anyone seen issues with PA resolving the wrong images back to messages from TelegramX?
3:40 AM
The image being shown in PA has nothing to do with the message it's been linked to and the correct image is not shown
Avatar
@OllieD Is this the latest version? I'll get the office to check. And just Telegram X, right, not normal Telegram?
Avatar
Yes yes
4:53 AM
Apologies, Telegram not Telegram X
4:53 AM
Sorry, miscommunication here in the office. So latest PA + latest Telegram
Avatar
No problem
Avatar
kmacdonald1565 6/25/2020 6:35 AM
@Orb I am still having trouble locating the data after App Genie does its thing. Is this the right area?
6:35 AM
Manual data collection?
Avatar
@kmacdonald1565 Yep, that's where I've been finding it at least
👍 3
Avatar
kmacdonald1565 6/25/2020 7:15 AM
Cool thanks
Avatar
Anyone have an idea where Instagram search history would reside for an Android phone?
Avatar
mond4y_morNin6 6/25/2020 11:51 AM
@Cellebrite Would an error message during decode of a checkm8 extraction in PA of "Error collecting metadata from Metadata/system_metadata.plist" be an issue with the extraction of that file or with PA's decoding of it? I can open and view the system_metadata.plist file in Xcode.
Avatar
chrisforensic 6/25/2020 12:35 PM
Big thanks @Cellebrite for making it possible to import and decode Huawei backup data in the next release of Physical Analyzer!!! Made a quick test with pre-release PA 7.35.... well done 👍 💯cellebrite (edited)
👍 4
Avatar
Unified Log question, for those that analyze unified logs from an iPhone that has been imaged with GK: have you noticed the logs seem to be missing data, or has anyone experienced any problems opening them in the Mac Console? I've noticed that the logs don't seem to be as 'robust' as they used to be (it seems that a lot of entries are missing), so I attempted to do a test by generating a sysdiagnose to look at those unified logs (extremely detailed), and then imaged the same phone and pulled the data from the diagnostic and uuidtext folders. Once imported into the Console, I discovered that I'm missing at least 9 days worth of data. I imaged the phone on May 27, but the unified logs stop on May 18.
Avatar
@jd1345 I had an iPhone recently that had no unified logs at all, when it had been active for a few months undercover. I'm fairly new to them, but it was iOS 12.something and folks were telling me that was really odd and couldn't explain it. Not sure if that assists you tho 🤷
Avatar
Having a mind blank here, I could swear there's a way to make the thumbnails of images larger in PDF report from Cellebrite PA... Anyone know where the setting for this is? Or maybe I'm thinking of another program. (edited)
Avatar
Can anyone assist in understanding what's happening here?
1:16 AM
We're looking into POF usage on the handset and I'm not sure what some of the identifiers mean
1:16 AM
Or whether this has happened through an official POF account, or through a web browser
Avatar
Looking at the image I'd say it was through the POF app.
Avatar
I'd say that too, don't have any other artifacts relating to POF other than this and cookies.
Avatar
Hmmmmm🤔 has it been uninstalled?
Avatar
Yes, unfortunately
1:37 AM
All I can say is it was installed at one point, and further evidence (cookies) indicates usage
1:38 AM
Just.. what does each identifier mean?
Avatar
Looking at the identifiers, I'd say that it's different parts of the POF app and their data usage. I.e. WebKit allows the POF app to display HTML content. The notificationexte is maybe the part of the app that deals with push notifications such as new message received / new matches etc...
Avatar
OK, here is a question. I've got a test device SM-G935F, Android 8, Secure Startup password. I've got a physical via Hancom MD-Next pretending I didn't know the password. My question is, does anyone know the mechanics of Secure Startup, i.e. hash type, salt etc... etc.
Avatar
I'm thinking of a little project: vanilla install of the OS with no security/passwords or PIN. Acquire a full physical. Add Secure Startup and take a full physical again. Then hunt down the differences in all the partitions to see what's changed. I'm just curious 🤔
Avatar
We did something very similar to feed into a conference presentation
5:17 AM
Happy to send you a webinar version
5:18 AM
But it will be hardware backed, so you won't be able to crack it offline
Avatar
Please Ollie that would be great
Avatar
Android Full Disk Encryption is a jungle. It has evolved over several Android versions and vendors take different proprietary approaches with their implementations. In this webinar, Control-F Managing Director Kevin Mansell will explore how Android devices encrypt their data ...
👍 1
5:42 AM
Essentially it's just the 'crypto footer' that changes
5:43 AM
Everything else can be left unchanged due to the fact that the user's pin/password in secure startup is not used to generate the Disk Encryption Key (DEK/Master key), but is instead used to encrypt the DEK using something called the Key Encryption Key (KEK) (edited)
Avatar
Hi, on a Samsung J7 Prime phone, after a physical extraction I found a suspicious movie I was looking for inside a sherd. folder related to WhatsApp. The suspicious movie appears three times and it's the same movie. Ideas for how I can prove where it came from? It doesn't exist anywhere else on the phone, just there. Thanks
Avatar
Morning guys, anyone here aware of anywhere within the android file system that shows you whether a memory card has been mounted previously?
Avatar
Mistercatapulte 6/27/2020 12:27 AM
Morning, In logs files (edited)
Avatar
@Mistercatapulte thanks mate, any particular log?
Avatar
Just to add some more context. I've checked the dmsg.log, which is empty, and the external.db doesn't show any references to an external SD card, nor does it show any logging in the database to show it has lots of deleted entries at a given time
Avatar
Mistercatapulte 6/27/2020 1:23 AM
@tnw001 I don't have my notes with me, but you can already take a look in the recovery logs to see if it could have been mounted when the device started.
Avatar
Anyone had issues with PA crashing constantly? Using 7.34.0.38 and I'm spending ages just reloading cases
Avatar
@King Pepsi tag @Cellebrite in the call and someone will get back to you
7:58 AM
@King Pepsi and raise a ticket, sounds like a few folk have had that problem
7:59 AM
Anyone noticed WiFi calls still not being decoded in PA? Got a physical from an S9, all good, then noticed any call made over WiFi wasn't present but was on the phone. I remember this issue in PA last year but thought @Cellebrite cured it; maybe not. Any thoughts?
Avatar
@King Pepsi email ido.kalderon@cellebrite.com for a link to PA v7.35.0.27 Beta. Improvements made in that beta might help. He's on here as well @idokal
8:09 AM
@chrisforensic reported good things with PA v7.35 Beta https://discordapp.com/channels/427876741990711298/545232743353810946/725796218801750047 (edited)
Avatar
Anyone got any guidance on recovering data from a bluestacks install to analyse in UFED?
Avatar
Do you know if they use VMDK files as their image format?
Avatar
Looks like its using VDIs
Avatar
Entry for the virtual SDCard in the windows Software hive isn't present in its stated path
1:11 AM
+ Bluestacks won't boot when the forensic image has been booted in a VM so it may no longer exist but i'm not overly familiar with how bluestacks stores data
Avatar
Then the easiest way will probably be to extract the content of the VDI to your hard drive and then open it as a folder in PA
Avatar
🚨 @Cellebrite Samsung SM-G960F running Android 10 decoded using PA 7.34.0.38 does not decode WiFi calls; the calls are in the DB but are not extracted. This was an issue last year and either hasn't been resolved or is back again! BEWARE🚨
Avatar
FantasticAdventure 6/29/2020 3:07 AM
Does anybody know if I can brute force an encrypted dump of an S7? Hancom has managed to dump it, even though it's got secure startup and a password. Was wondering if hashcat or some other tool might let you throw some dictionaries at it?
Avatar
Nope, there is hardware input involved in the encryption
Avatar
FantasticAdventure 6/29/2020 3:37 AM
Bugger. Thanks.
Avatar
Anyone else having problems opening UFDR files across a network? Only seeing it on 7.34.0.38, also seeing a PA splash screen before Reader opens but it doesn't actually load the associated UFDR.
Avatar
@Cellebrite why is UFED decoding/extracting only 1 IMEI number (even if it's a duo SIM phone)? 🙂
Avatar
heatherDFIR 6/29/2020 10:42 AM
What type of device @Dossy
Avatar
Android 8 Samsung SM-J330F Duos @heatherDFIR (edited)
Avatar
chrisforensic 6/29/2020 11:19 AM
@Dossy ... you're right... had a lot of dual-sim phones (most Samsungs, as I remember) which were dual-sim phones, but PA only shows the first IMEI in the overview of an adv. log. acquisition... and after processing again just one IMEI ... and not only in adv. log. as I remember ... physical too (edited)
11:20 AM
asked colleagues... same situation... dual-sim phones... just one IMEI shown in PA ...
11:26 AM
so one of my first steps is, if I have a dual-sim phone, to manually write down the 2 IMEIs on paper 😂 (edited)
Avatar
@chrisforensic Yeah ... me too but .... it’s easy to collect the second IMEI (Android) so maybe ... @heatherDFIR 😉😃 (edited)
Avatar
Deleted User 6/29/2020 11:30 PM
@Cellebrite May I have beta 7.35 for PA ?
Avatar
@Cellebrite Is there a way to find the first date a SIM card was inserted, like crash logs or something else, on a physical dump of an Android 8? I can't find what corresponds to the field "SIM Change Time" on the extraction summary, as this date is far from nowadays (2018). Needless to say that I've been looking for the "simcard.dat" but it looks like it doesn't exist on the extraction.
Avatar
heatherDFIR 6/30/2020 5:58 AM
@blackrooti Try some of these files: /data/com.google.android.gms/shared_prefs/Checkin.xml , system/SimCard.dat
Avatar
FATHEAD7466 6/30/2020 7:06 AM
is it me or did PA remove all analyzed data of the phone when you add an extraction to the same report (adding SIM data to the extraction)? Pic to follow.
Avatar
heatherDFIR 6/30/2020 7:38 AM
@FATHEAD7466 are you selecting the proper device from the dropdown?
Avatar
FATHEAD7466 6/30/2020 7:59 AM
before the addition of SIM data
7:59 AM
after sim data entered, ???
Avatar
@heatherDFIR Thank you for the file "Checkin.xml", that's what I couldn't find... Sadly, PA doesn't index everything 😦
Avatar
FATHEAD7466 6/30/2020 9:07 AM
Is this normal for everyone else? If it is then I can explain to the investigator that this change is normal. Once you change something someone is used to, it freaks them out.
Avatar
chrisforensic 6/30/2020 9:32 AM
just4info: PA 7.35 release is out 💪cellebrite (edited)
Avatar
chrisforensic 6/30/2020 9:49 AM
@FATHEAD7466 PA 7.35 should solve your problem :) Solved Issues • Missing device info when merging several extractions.
Avatar
FATHEAD7466 6/30/2020 10:35 AM
aw man, I just did six phones. Oh well I will redo them all just in case! Thx for the heads up!
Avatar
FATHEAD7466 6/30/2020 1:48 PM
@chrisforensic That solved the problem.
👍 2
Avatar
@Cellebrite PA 7.35.0.33 crashes after adding screenshot @FATHEAD7466 What a bad PA 7.35.0.33
Avatar
@Cellebrite PA 7.35.0.33 crashes after adding screenshot @FATHEAD7466 What a bad PA 7.35.0.33
@Karlsson Have you opened a support ticket? I have it open currently with iphone7 loaded in and have just conducted a screen shot and video capture with no issue....🤔
Avatar
FATHEAD7466 7/1/2020 7:55 AM
@Karlsson I will test with a phone today and post results before COB today. If it does not work I will open a ticket if needed.
Avatar
FATHEAD7466 7/1/2020 10:27 AM
device info before SIM
Avatar
@Karlsson Have you opened a support ticket? I have it open currently with iphone7 loaded in and have just conducted a screen shot and video capture with no issue....🤔
@CLB-AndyM yes i have open a ticket
Avatar
FATHEAD7466 7/1/2020 10:27 AM
data added, looks like it worked. Even the screen capture worked for it as well. Thx.
10:28 AM
Whoo hoo! on to all those phones now.
Avatar
Is there a way to tell if a particular movie has been made with a certain device? The movie has been found in an advanced logical extraction from an Apple iPhone XR. The movie has the .MOV extension and an IMGxxxx filename and is located in the DCIM folder. The metadata is almost empty but contains the resolution. As far as I can see it's not been sent with WhatsApp but I can see in the timeline that Instagram and TikTok have been used around the time the movie was created. Thanks to @Mistercatapulte I've used the exiftool by Phil Harvey on the exported mov file. It doesn't give me any brand/model info but the handler is Snap video. So I'll assume Snapchat was involved at some point but I need to figure out if it was simply downloaded/saved or created by the application. Anybody got experience or documentation on Snapchat/iOS behaviors? Does the MOV extension tell us something in this case? For some reason I always assumed incoming media was downloaded/saved as MP4 but I'm not sure. (edited)
Avatar
@Cellebrite is there a known issue with PA 7.35 generating empty reports?!
Avatar
Deleted User 7/1/2020 11:49 PM
@Sockmoth There might be some clues in the timeline. Which album does the image belong to? Information about an image is stored in the database photos.sqlite, however you might not be able to access it.
Avatar
@Sockmoth I'm just doing some research into this question now... It appears that Photos.sqlite holds a field with the "creating" app of each media item. Check the ZADDITIONALATTRIBUTES table, in the ZCREATORBUNDLEID column. If that column is empty for your video, it means it was almost certainly taken with the camera app on the device.
Avatar
Anyone who has knowledge about iOS locations and the table "ZRTHINTMO"? In the iPhone 8 Plus (A1897) checkm8 report from UFED which I'm investigating I have 2 different locations with the same timestamp. The difference is that one of the locations is from the table "ZRTHINTMO" and the other one is from the table "ZRTCLLOCATIONMO". Thanks in advance! (edited)
Avatar
Mistercatapulte 7/2/2020 1:34 AM
@Orb If empty it's created with the device, sure? (edited)
Avatar
Deleted User 7/2/2020 2:05 AM
@Orb According to my experience this is incorrect. An update has affected ZCREATORBUNDLEID.
Avatar
@Sockmoth I'm just doing some research into this question now... It appears that Photos.sqlite holds a field with the "creating" app of each media item. Check the ZADDITIONALATTRIBUTES table, in the ZCREATORBUNDLEID column. If that column is empty for your video, it means it was almost certainly taken with the camera app on the device.
@Orb I did a manual triage on the smartphone instead of the extraction and found out that the .mov was received in a Snapchat conversation. I can confirm that the ZCREATORBUNDLEID column is not empty for this file and is listed as com.toyopagroup.picaboo. Same goes for a video which was sent from the device by Snapchat.
(edited)
👍 1
Avatar
@Orb According to my experience this is incorrect. An update has affected ZCREATORBUNDLEID.
@Deleted User Interesting! I tried uninstalling the apps, but their bundle id persisted in that column. Was it an iOS update? What was the effect on the ZCREATORBUNDLEID data?
Avatar
Deleted User 7/2/2020 3:05 AM
@Orb Images created by a third party application do not always add data to ZCREATORBUNDLEID. In my case the image looks like it is downloaded from Snapchat memories. Send a PM if you want to discuss further (edited)
Avatar
Quite a long time ago there was a discussion about the presence on iOS of an sqlite db called "ChatSearch_v3". It's used to give quick search functionality on WhatsApp messages and sometimes it contains text from chats that are no longer available in the primary WhatsApp db (chatstorage). After this discussion a new voice appeared in P.A. called "InstantMessages" that reported about the content of this db. I recently saw that this unencrypted db is still present on iOS (current name ChatSearch_v5) and still could be a source to recover otherwise deleted w.a. chats but it seems ignored by P.A. Any @Cellebrite guy can shed some light on the topic?
Avatar
@FabianoQ We're aware of this, and support is planned for one of the next few PA versions. (edited)
Avatar
@Orb Thanks. While waiting for support to be re-introduced in P.A. any chance you can give some tips to manually correlate data from ChatSearch to chat participants?
Avatar
@FabianoQ I created a custom template to parse the chatsearch_v# in UFED PA using SQL query manager. On loading in an extraction it automatically parses the data. I found that it did have some messages that the WhatsApp main DB did not have. See this old post https://www.forensicfocus.com/forums/mobile-forensics/whatsapp-chatsearchv3-sqlite-database/#post-6595678 (edited)
Hello All,I wonder if any of you could point me in the right direction of finding the actual purpose of the whatsapp database 'ChatSearchV3'. I have f...
Avatar
@Dfdan Thank you
Avatar
@Orb Thanks. While waiting for support to be re-introduced in P.A. any chance you can give some tips to manually correlate data from ChatSearch to chat participants?
@FabianoQ Using the SQL query manager you may be able to correlate messages to the user.
Avatar
FantasticAdventure 7/2/2020 5:28 AM
This is more of an observation than a question, but feel free to correct me if I'm wrong! I've just had to do a bit of research on some router connections from two separate iPhones. I've decoded both GK extractions in PA 7.35 and upon answering my questions happily, I noticed that the iPhone 5 running iOS 9 had the info that it was connected to a WPA Personal secured router. Whereas the iPhone X running 13.1.5 did not decode any WPA info from the same router. Auto connect was not detailed on either extraction. Not sure if this is anything to be worried about or if it's Apple changing something in iOS 13.x.x and it's not getting decoded because it's something Cellebrite hasn't noticed or approached yet. Like I said, for me, it's nothing of concern for this job, but thought I would mention it in case it's of relevance for somebody else or maybe somebody knows why?
Avatar
@Cellebrite I have a bin file from an XRY physical that I am trying to parse with PA. XRY was able to get the user data partition, so I have just extracted that partition into the bin. However, I can't get it to parse correctly. I can extract files and folders which parse fine. I am sure I am just not selecting the right chains/profile for parsing, but selecting different profiles/chains has not been successful. Any suggestions? @Magnet Forensics I had the same issue trying to process the same bin file with Axiom. Suggestions welcome. ** Edit- The original extraction I did from XRY was not the right partition. Extracted just the Data/Data and it worked great. Thanks @Erumaro for all your help (edited)
XRY 1
Avatar
Deleted User 7/2/2020 6:14 AM
@Cellebrite Trying to decode A Huawei HISUITE backup according to your instructions. The password is correct but PA 7.35 won't decode any apps. I am able to decrypt the backup using Kobackupdec python script. Any suggestions?
Avatar
@Deleted User , do you see app files in the file system?
Avatar
@Cellebrite: I have a Samsung Galaxy J415FN. UFED PA 7.28.1.4 has a physical method for that device but it is marked with "Untested method". Is this safe to try out?
@Deleted User I tried all sorts of physicals with no success on 4PC for this model of Sammy and found the FFS worked under its profile where others didn't. A little late in responding but I was having issues so guessed maybe others were too...
(edited)
Avatar
@Cellebrite Disclosure wise, what's the easiest way to redact a handset's phone number from reports? I'm aware this is a bit of a nightmare question considering how many places on an extraction the phone number will be present... (edited)
Avatar
@K23 excel report, find and replace maybe ?
Avatar
That was plan B @Zhaan, was more wondering if there was anything in PA / Reader to assist with this
Avatar
@Cellebrite @Firmsky @Oxygen Forensics @Magnet Forensics Good Morning! I have a Samsung G935F and a Samsung A320FL. Is there a way to check if they have been physically dumped previously by UFED or any other tool? They are locked so they can only be dumped physically with bootloader. On Download Mode the Void Warranty is 0x00. I have already done a decrypted bootloader physical dump (with UFED) on the devices and I am looking for a log file that can tell me if it has been previously dumped.
Avatar
@Flipz4n6 good morning! In theory, that should be impossible. All of the tools by the different vendors try their best to keep extractions forensically sound and prevent any change whatsoever to the evidence. This means we will avoid creating any kind of log or trace to indicate an extraction happened. This is not always 100% achievable, but I’m afraid it is usually challenging to identify previous physical extractions. Logical extractions might be easier to identify if you can find traces for installations of extraction agents apps.
👍 1
Avatar
@Flipz4n6 good morning! In theory, that should be impossible. All of the tools by the different vendors try their best to keep extractions forensically sound and prevent any change whatsoever to the evidence. This means we will avoid creating any kind of log or trace to indicate an extraction happened. This is not always 100% achievable, but I’m afraid it is usually challenging to identify previous physical extractions. Logical extractions might be easier to identify if you can find traces for installations of extraction agents apps.
@jifa Thank you. It actually makes perfect sense. So let me use metadata of possible extractions instead. Can you please tell me since when (which version of UFED) you provide a physical extraction for the abovementioned devices? This would help me very much.
Avatar
@Flipz4n6 can you share the Android versions and security patch levels (if available)? It helps us get a better answer because the exynos methods have evolved throughout the years.
11:48 PM
(Also - this conversation is likely more suited for #mobile-forensic-extractions but let’s finish it here for consistency)
Avatar
@Flipz4n6 can you share the Android versions and security patch levels (if available)? It helps us get a better answer because the exynos methods have evolved throughout the years.
@jifa 1) SM-A320FL Android 7 2) SM-G935F Android 7 . I cannot determine the security patches.
Avatar
CLB-Kaminker 7/5/2020 1:53 AM
@Flipz4n6 - (1) A320FL - Support was added to UFED in Feb 2019 with UFED 7.15. for (2) G935F I believe it was supported since UFED 6.3 in Aug 2017. Both were supported in other services (such as CAS) even before that.
Avatar
Anyone from @Cellebrite can confirm if WhatsApp Business can (or cannot) be acquired through the apk downgrade method? The phone is a Xiaomi Redmi 4A with Android 7.1.2, security patch 01/07/2018; when I do apk downgrade only Instagram is detected.
Avatar
@Flipz4n6 You can usually ascertain the Security Patch details if you go into Recovery Mode > View Recovery Logs > Last_Log and scroll down through those. You'd be amazed what you find in there 😀
Avatar
Mattia Epifani 7/5/2020 7:56 AM
@Cellebrite Trying to decode A Huawei HISUITE backup according to your instructions. The password is correct but PA 7.35 won't decode any apps. I am able to decrypt the backup using Kobackupdec python script. Any suggestions?
@Deleted User It is great that now PA has an importing feature for Huawei Backup! In the meanwhile, if you decode it with kobackupdec you can then merge together a UFED 4PC advanced logical acquisition with a Huawei backup. It is helpful in particular for attachments in chat (like WhatsApp for example)
💯 1
👍 1
Avatar
@Cellebrite Hi Cellebrite, I've recently run an SQlite query on the app 'Chathour'. Everything went smoothly however I'm struggling to locate the decoded results in the new UI. Could anyone point me in the correct direction, thanks
Avatar
Anyone have a workaround for installing dependencies (for aleapp) on an offline workstation? EDIT FOUND IT THANKS TO BRIGS: https://twitter.com/TroySchnack/status/1266085323651444736?s=19 EDIT (edited)
While in the xLEAPP folder using the online machine: pip download -r requirements.txt Copy entire xLEAPP folder to the offline machine, then: pip install --no-index --find-links "path_to_folder" -r requirements.txt 2/2
Avatar
Is there anyone who can point to a log or database (in an FFS of a Huawei) where a phone registered MAC addresses of WAPs? (Just passing by and 'receiving' them, not connecting.)
Avatar
@Cellebrite A quick question if I may, when exporting out in PA, say in Excel or PDF, is there a way of not exporting out all of the files and attachments that go with it?
Avatar
@stephenie I delete everything apart from the Excel file
Avatar
@Zhaan I am having to do that, but it's the time it takes to initially export the attachments/media files with the Excel. PA could do with an option to not do that....if there isn't one already (edited)
Avatar
@stephenie In the "Generate Report" window, you can de-select data types like images, videos, databases or any other file type you don't need. Also, in the same window under "preferences" there's an option to "redact all attachments" that might be useful.
Avatar
CLB - DavidK 7/6/2020 6:18 AM
@Cellebrite A quick question if I may, when exporting out in PA, say in Excel or PDF, is there a way of not exporting out all of the files and attachments that go with it?
@stephenie Try to uncheck the redact attachments and image thumbnails in the Generate report menu
Avatar
@Orb If I untick the media files, the details within the files will not be extracted. (and @CLB - DavidK ) if I redact attachments, will that include the details for the media files still? P.S Thanks for the swift response 🙂
6:27 AM
@Orb and @CLB - DavidK I've unchecked the attachments box and just tried exporting out videos only and it still exported out the individual videos. Thanks anyway
Avatar
Ok. This can definitely be useful to others. [TL:DR] I have a Xiaomi Redmi 4A, unlocked, Android 7.1.2, patch level 01.07.2018. The bad guy was a user of WhatsApp Business that, it's my understanding but correct me if I'm wrong, can't be acquired unless you obtain a physical or a full file system (no downgrade available). The phone is supposed to be supported for a physical by UFED in a number of different ways but they all failed (tried multiple times each). The last resort was "Generic Decrypting Qualcomm EDL" (that is not proposed by 4PC unless you use model autodetection). I found test points and made some first tries that, despite the phone entering EDL mode, failed (procedure starts and fails on step 6 out of 6). @Arcain (thanks a lot) gave me the right tip saying that Xiaomi not only need to enter EDL mode but also need this to happen in a way it likes. My failed tries were made by shorting test points then connecting the USB cable; the continue button was enabled and the procedure started but failed on step 6 of 6. The successful try was made connecting the USB cable to the phone while switched off, waiting until the recharge symbol appears, then long pressing the power button to force the phone to reboot in EDL.
👍 9
Avatar
With the latest media attention on iOS 14 tattling on apps that are using the clipboard, does anyone know if it is possible to examine clipboard contents in a file system extraction? I've tried searching pasteboard/clipboard without much luck. Curious as to what or if any artifacts from the clipboard can be found.... Thanks! (edited)
Avatar
gadget.inspector 7/6/2020 10:51 AM
I remember seeing a .clipboard directory somewhere that even contained pictures, but I can’t remember if it was iOS or Android...
Avatar
Hello, @Cellebrite on PA is there any way to find the pattern lock combination of a physical extraction (Android 7, G935F)?
Avatar
@RS nope, only via Premium or CAS
Avatar
Thanks for the attention
Avatar
@stephenie there is a bug in the UFDR report that even if you don’t select images or videos, if they occur in WhatsApp or other social media apps, they are still included unless that has been sorted now.
10:27 PM
@Orb de-selecting images and videos doesn’t exclude all images and videos, if the media is in social media apps like WhatsApp, it is usually still included unless that bug has been sorted
Avatar
colin.duncan 7/7/2020 7:42 AM
Good morning, all. Does anyone know if iOS stores a running log of when a device was backed up? Or does it show only the most recent backup? We've determined the restore date and build version but are trying to determine when our bad guy might've performed the backup he restored from. We're trying to explain why there's a one-month gap in all phone activity that's critical to our case. Thanks in advance!
Avatar
theAtropos4n6 7/7/2020 7:55 AM
Everyone out there doing iOS forensics be aware that some tools might not extract all available metadata for your media. For example, some tools will identify as deleted only those files in the temp trash bin (in my case those files were 100) whereas other tools (for example APOLLO and iLEAP) found that more than 600 files were deleted. So, I checked myself the Photos.sqlite and more particularly these fields (ztrashedstate and ztrasheddate at zgenericasset table) and found that indeed more than 600 files were deleted. The problem here is that the 500 photos were deleted from the temp trash bin as well. So for these 500 files, there were only thumbnails left (which could be used instead just fine). You may not find the original media, but you will find the respective thumbnails. This was really crucial for my case. So please be advised. Always use more than 1 tool. You can use queries from APOLLO and iLEAP, but I used this one (it still works fine) and validated manually the results as well. https://forensenellanebbia.blogspot.com/2015/10/apple-ios-recently-deleted-images.html (edited)
Apple iOS 8 introduced a new feature called Recently Deleted  album that temporarily displays images that have been removed by the user fro...
7:59 AM
Good morning, all. Does anyone know if iOS stores a running log of when a device was backed up? Or does it show only the most recent backup? We've determined the restore date and build version but are trying to determine when our bad guy might've performed the backup he restored from. We're trying to explain why there's a one-month gap in all phone activity that's critical to our case. Thanks in advance!
@colin.duncan I am not sure if there is any log like that, but it might help checking com.apple.mobile.ldbackup.plist and data_ark.plist as those files hold some info you might find useful. Also, maybe com.apple.atc.plist might turn out useful as well.
Avatar
colin.duncan 7/7/2020 8:45 AM
Thanks, @theAtropos4n6. I'll report back with our findings!
👍 2
Avatar
@Cellebrite Quick question, does PA support ProtonMail for iOS or Android?
👍 2
Avatar
Anyone from @Cellebrite around for a few questions?
Avatar
CLB - DavidK 7/8/2020 2:12 AM
Anyone from @Cellebrite around for a few questions?
@Oscar DM you
Avatar
@8198-IZ54 Nope, sorry... But since it's a communications app, maybe running the App Genie on it will produce some useful results.
Avatar
Looking for some ideas / assistance. I have a crash which occurred at 12:00:41 (911 time). In looking at the Apple Device of the operator who caused the crash I see this activity around the time of the crash. He did have the device linked to Bluetooth. My question is would these device events be caused by user manipulation of the device or is it possible they can be generated based on the vehicle interaction.
5:48 AM
I do see after these logs the following logs which show what I believe to be a call placed utilizing Bluetooth to 911. I don't see any reference to Bluetooth prior.
Avatar
Any idea what the difference between the blue tables and green tables that SQLite Expert produces? Cellebrite Sqlite wizard misses these green tables out? Is it something to do with them being stored in the WAL file? Thanks
Avatar
@GP Don't have experience with that specific program, but they might be indices (generally, tables that index data from other tables). You can check their creation statements to make sure: tables have "CREATE TABLE" statements and indices have "CREATE INDEX" statements. They can also be views (might even be more probable, given their names), which are basically stored SQL queries. They will have a "CREATE VIEW" statement.
Avatar
@Orb Thanks I will have a look!
Avatar
In a full file system extraction of an iPhone XS Max, is there a location where I can look and determine if the phone was unlocked by the 6 digit code or Face ID?
Avatar
Anyone tried location carving recently in pa? Just tried it on a case that took 12 hours to decode and I think my computer had a heart attack. Maxed out the ram and completely filled an SSD that had 100gbs free and killed out the display drivers. Fixed it by RDPing in from another computer as the displays still were not working, to see UFED had crashed.
Avatar
@Cellebrite it has happened again - did a filesystem extraction of an iPhone 4s - prompted saying backup is not encrypted and I said yes to password 1234 (backup encryption) When opening the extraction, this has popped up
6:52 AM
I had a similar situation in the past where UFED 4PC failed to detect that the backup is encrypted (edited)
Avatar
Does anyone know this symbol? It's an app we found on a phone.
Avatar
David Smalley 7/9/2020 12:14 PM
Someone asked about this exact logo a few months ago.
Avatar
kmacdonald1565 7/9/2020 12:34 PM
that may have been more than a few months lol. I am looking through files now
Avatar
In the new version of Reader (and PA) I need to save some files out that were tagged. I want just the files and not the report. Right clicking does not give me that option. Am I missing something? @Cellebrite
Avatar
kmacdonald1565 7/9/2020 12:41 PM
did some cropping but could not find anything ... someone got an idea which android app that could be ?
@Mike
12:42 PM
12:42 PM
@David Smalley @Dan15 @Mike just to notify everyone at once
Avatar
David Smalley 7/9/2020 12:47 PM
🙂
Avatar
kmacdonald1565 7/9/2020 12:49 PM
I don't remember if that was resolved
Avatar
@kmacdonald1565 ah.. I missed that one.
1:09 PM
@Mike did you get an answer back then?
Avatar
kmacdonald1565 7/9/2020 2:26 PM
@Dan15 is the blue significant to the app or is that a background?
2:27 PM
this probably won't help but it is a recreation of that logo....yielded some different results in image searches, but nothing jumping out yet as a match.
2:28 PM
Avatar
Does anyone know this symbol? It's an app we found on a phone.
@Dan15 Might be worth a shot in the OSINT Channel, I can't find it on Tineye, Google or Bing, but some pretty spectacular OSINT folks out there.
Avatar
Where on the phone did you find this logo? Maybe there is some data related to it in files near the file.
Avatar
hmleu31524 7/9/2020 9:58 PM
Hi, @Pacman can you please tell which version of PA you tried to open extraction of that iPhone 4s ?
Avatar
theAtropos4n6 7/9/2020 10:17 PM
Hi there. An iOS question here. I have 5 records in netusage.sqlite that say the iPhone has connected to a CELLULAR network along with a corresponding CELL ID. The problem is that the iPhone was in airplane mode during the time the records took place. How is this possible? I suspect that the user was using WiFi at that time instead (WiFi calling enabled). I tried several tools and all return the same results. Does netusage.sqlite store false positives, or did something else happen?
Avatar
@kmacdonald1565 @NickM we tried that as well. We've even searched the dark web but no results. The logo is in the top left corner like a notification symbol. So I guess it's a running app.
Avatar
@Mike did you get an answer back then?
@Dan15 nope
Avatar
@Mike ok, we'll keep looking
Avatar
It was also a notification icon in the top left corner... suspected some kind of antivirus... I could not do research on the phone itself because it was a picture of another handset found in the gallery
Avatar
@hmleu31524 the latest version available
Avatar
@Pacman have you tried with 7.35.1 ?
Avatar
Yes - the latest version available.
Avatar
Anyone done an investigation on a Huawei lately? Trying to find some logs/DBs where I can place the phone at a specific location. Extraction was made 2 months after the incident took place. Is there a log or DB to be found where I can see what SSID/BSSID connections have been made? (This way I can determine if 'the phone' was at home, or not.)
Avatar
Just processing a Huawei LLD-L31 now, it's a bit big so I will see what I get once the processing has finished
Avatar
@8198-IZ54 Appreciated 🙂
Avatar
@florus still processing but have seen GPS data recovered from Chrome search history, also the normal gps data re media. I'm having issues with my bssid recovery at the minute , sorry
Avatar
@florus ok got a little bit more info. WifiproHistoryRecord.db, local_location.db, wifipro_portal_page_info.db, wifiangenie.db. That's on a quick look, hope it helps
Avatar
Thanks!
Avatar
anyone on here from Cellebrite that can help with signing into the new portal? @Cellebrite (edited)
Avatar
anyone got a regex cheatsheet to share? I always look for some stuff on the web, case specific...
Avatar
DeepDiveForensics 7/11/2020 4:06 AM
How to decode a binary dump of Redmi Note 4, Samsung J8 and Samsung A8+ extracted by JTAG?
Avatar
@DeepDiveForensics you can't, they're all encrypted
4:27 AM
and by JTAG you mean ISP?
Avatar
DeepDiveForensics 7/11/2020 4:39 AM
@Arcain yes.
Avatar
@DeepDiveForensics well, they're nearly useless. You have to use decrypting methods in order to get data out of those devices. Decrypting methods in general require the phone to boot into Android.
Avatar
DeepDiveForensics 7/11/2020 6:56 AM
@Arcain thanks
Andrew Rathbun pinned a message to this channel. 7/12/2020 3:59 AM
Avatar
Andrew Rathbun 7/12/2020 7:51 AM
@Andrew Rathbun link seems to be down
@B it just worked for me
7:51 AM
I would recommend downloading it then opening it with Adobe Reader
Avatar
That's weird.. getting an invalid response error, will try it later on desktop to see if that fixes it
3:08 AM
I have to understand something in notification_log.db on android
3:08 AM
I found a log for flashlight but cannot understand if it means that the flashlight was turned on (edited)
3:10 AM
It has a 2 in the flags column. Anyone know what that means?
Avatar
chrisforensic 7/13/2020 4:43 AM
Hello from Austria 😃 Need help from anyone, concerning Snapchat (on Android).... Is there a summary available 1) what type of data can be recovered from Snapchat 2) where these files are stored 3) what can't be recovered .... etc. etc. (edited)
4:43 AM
my experience on snapchat is not that good as it should be 🙂
Avatar
@chrisforensic I'll have a look on a Huawei FFS that decoded Snapchat. I'll om you later on this day.
5:04 AM
@Magnet Forensics Is someone around for a process error I keep getting when analysing a Huawei FFS? It keeps erroring out when I want to save the custom artifacts part.
Avatar
Do you have the log file that I might take a look at?
Avatar
chrisforensic 7/13/2020 5:05 AM
@chrisforensic I'll have a look at a Huawei FFS that decoded Snapchat. I'll PM you later today.
@florus thanks a lot mate!
Avatar
Well it keeps crashing, so I'm not able to save a log.
5:06 AM
I have let axiom process 'run' for over 12 hours, but no change
Avatar
There should be a log at the root of the install drive if it is crashing. That log is called "AXIOMProcessCrashLog.txt"
Avatar
I have analysed the same image 3 times now.
5:07 AM
OK let me have a look
Avatar
Also, what version of AXIOM are you using @florus ?
Avatar
@Cellebrite Hi, does a last connected date/time in the timeline for a wireless network (from wificonfigstore.xml) on an Android mean that it's the last time the phone connected to the wifi, or the last time it saw the wifi? Is it the start of the connection or the end?
5:24 AM
@Magnet Forensics Why doesn't this information show in Axiom? Does Axiom parse the wificonfigstore.xml?
Avatar
@Dam As of April 2019 (AXIOM version 2.7.0) AXIOM added support for the parsing of WiFi profiles from WifiConfigStore.xml. [Android 7 and 8].
Avatar
@cguymon Thanks for your answer. The wifi is showing but not the timestamp
Avatar
Mistercatapulte 7/13/2020 7:03 AM
PA 7.35.2 is out
cellebrite 11
Avatar
DeepDiveForensics 7/13/2020 10:34 AM
How to manually parse Elyments app database.
Avatar
Has anyone actually had success with UFED PA Smart Translation? I have a license with Arabic to English, Persian to English and Albanian to English. I have installed the language packages from the customer portal. I have restarted the program, and the computer. I am running UFED PA 7.33 as administrator. Still it will not translate. I don't even get the language as an option under Tools - Settings - General Settings (I only get the options Dutch, English, Italian, Polish, Russian and Ukrainian). Any tips?
Avatar
Has anyone had success in opening XRY dumps in UFED PA? Analyser 7.35.2.16 shows support by going through Open Case -> Load evidence -> Load extraction-> then click on an .XRY file, but this data doesn't get parsed and we end up with a No data in the Extraction summary screen
Avatar
CLB-drorimon 7/14/2020 10:21 PM
Has anyone had success in opening XRY dumps in UFED PA? Analyser 7.35.2.16 shows support by going through Open Case -> Load evidence -> Load extraction-> then click on an .XRY file, but this data doesn't get parsed and we end up with a No data in the Extraction summary screen
@sky4n6 There's only support for some versions of physical extraction .XRY files in PA.
Avatar
@sky4n6 If it's a physical dump I never import the .xry file into PA. Open the .xry file in XAMN and export the binary file out of the .xry file so you end up with the actual raw extraction. Then import the pure binary file into PA. That's always worked best for me in the past.
👍 3
Avatar
That should be the easiest way forward yeah, here is a blog post on exporting the raw binary, let me know if there are any issues; https://www.msab.com/2019/12/02/how-to-export-binary-data/ (edited)
Avatar
Deleted User 7/14/2020 11:51 PM
Does anyone know of any write-ups on com.apple.wifi.plist? I'm looking at UFED's parsed Wireless Networks for com.apple.wifi.plist, which include the events "Last connected", "Last auto connected", and "Timestamp". I'm specifically looking for information on known causes for the event that in UFED is labeled "Timestamp" to be recorded to com.apple.wifi.plist.
Avatar
theAtropos4n6 7/15/2020 12:33 AM
Does anyone know of any write-ups on com.apple.wifi.plist? I'm looking at UFED's parsed Wireless Networks for com.apple.wifi.plist, which include the events "Last connected", "Last auto connected", and "Timestamp". I'm specifically looking for information on known causes for the event that in UFED is labeled "Timestamp" to be recorded to com.apple.wifi.plist.
@Deleted User https://www.forensicfocus.com/articles/from-iphone-to-access-point/ https://books.google.ch/books?id=BZV_wpGHTcEC&pg=PA259&lpg=PA259&dq=ios+consolidated.db+wifi&source=bl&ots=F14dVrTJ2u&sig=ACfU3U1--w_mVCLiSxaB1SkBZnBu2u6jOw&hl=en&sa=X&ved=2ahUKEwjl3_HayprqAhUn4YUKHVCeB40Q6AEwA3oECAgQAQ#v=onepage&q=wifi.plist&f=false
(edited)
Avatar
@Cellebrite Hi, does a last connected date/time in the timeline for a wireless network (from wificonfigstore.xml) on an Android mean that it's the last time the phone connected to the wifi, or the last time it saw the wifi? Is it the start of the connection or the end?
@Dam Any info on that?
Avatar
Has anyone successfully parsed the iOS test images @CLB_joshhickman1 made into @Oxygen Forensics ? The provided TAR isn't plug and play nor is removing the two leading folders and re-TARing.
Avatar
CLB_joshhickman1 7/15/2020 3:55 PM
@Tyler_Leno when did you download the files?
Avatar
A week or so ago
4:02 PM
Plugs into PA just fine
Avatar
CLB_joshhickman1 7/15/2020 4:03 PM
Interesting. It also worked with Axiom and Autopsy.
Avatar
Yeah Oxygen is certainly reading/ingesting the files just seems like none of the parsers are working.
Avatar
CLB_joshhickman1 7/15/2020 4:06 PM
I do not have a copy of Oxygen to test. 😦 Have you tried un-tar-ing the file and running it against the directory?
Avatar
I have not yet - I don't see a way to load a directory in.
4:10 PM
Seems to want tar, tar.gz, zip, rar, 7z, or dar
Avatar
CLB_joshhickman1 7/15/2020 4:12 PM
You might be able to un-tar it and then zip it, I am not sure if the sym links will survive, though.
4:12 PM
If you un-tar it on a Windows box they won't. Not sure what you have available. (edited)
Avatar
Yeah I attempted that and it parsed the same data.
Avatar
CLB_joshhickman1 7/15/2020 4:14 PM
If you un-tar it on a Windows box the sym links will not survive the process, and that will cause problems with parsing.
Avatar
I agree that not everything will parse but I don't think it'd fail at something like parsing the SMS.db?
Avatar
DamienAttoe 7/15/2020 6:25 PM
Any idea what the difference is between the blue tables and green tables that SQLite Expert produces? Cellebrite SQLite wizard misses these green tables out. Is it something to do with them being stored in the WAL file? Thanks
@GP In case someone didn't answer this for you (I don't get on here often so playing catch up), those tables in green are what are called 'Views'. Essentially just pre-packaged SELECT statements that the application uses to query information. SQLite Expert displays them like tables but in reality they are just pulling data from the tables and have no physical structure. To see the actual query used in the view you can flip to the DDL tab or just run the query SELECT * FROM sqlite_master WHERE type LIKE 'view' to pull that info from the schema. The views serve a purpose for the application so they can be very useful as they can tell us where important information is stored. They can also tell us how tables are joined, especially in SQLite databases where the relationships aren't explicitly defined in the schema. You can of course copy the query in the view and use it yourself (why re-create what has already been written for us). Hope this helps
Avatar
chrisforensic 7/15/2020 6:55 PM
@Tyler_Leno @CLB_joshhickman1 ... here no problem with import and parsing the ios-test-image with oxygen ... (edited)
6:58 PM
Avatar
Did you perform any special steps?
Avatar
chrisforensic 7/15/2020 7:00 PM
hi, no... just imported the .tar image ...
7:00 PM
7:00 PM
but you have to take the file from inside folder "Extraction" after extracting ... (edited)
7:01 PM
Avatar
13-4-1.tar is what I used
Avatar
chrisforensic 7/15/2020 7:01 PM
Avatar
Hmm mine is a different swize
7:01 PM
size*
Avatar
chrisforensic 7/15/2020 7:02 PM
extract the 13-4-1.tar ... you will get the folder structure I posted above... the full image tar is inside the "Extraction" folder ... (edited)
Avatar
Yes - that's the one I have, but mine is modified on April 18. Do you have the original one he posted?
Avatar
chrisforensic 7/15/2020 7:06 PM
don't remember when I downloaded, but the timestamp on the folders and the tar... says 16.04.2020 .. (edited)
Avatar
Mine is also just titled 13-4-1.tar. Just verified my downloaded copy too.
Avatar
chrisforensic 7/15/2020 7:57 PM
@Tyler_Leno ok, checked again the download... seems the actual version is newer (2 days) from 18.04.2020... and the structure differs... there is no tar with the full image... you have to extract and then make a tar to import it to oxygen....
7:59 PM
tar this extracted folder and you should be good to go to import into oxy 🙂 (edited)
Avatar
I did attempt that with an understanding Windows will break the symlinks/hardlinks. I'll have to spend a bit to re-tar properly.
Avatar
@GP In case someone didn't answer this for you (I don't get on here often so playing catch up), those tables in green are what are called 'Views'. Essentially just pre-packaged SELECT statements that the application uses to query information. SQLite Expert displays them like tables but in reality they are just pulling data from the tables and have no physical structure. To see the actual query used in the view you can flip to the DDL tab or just run the query SELECT * FROM sqlite_master WHERE type LIKE 'view' to pull that info from the schema. The views serve a purpose for the application so they can be very useful as they can tell us where important information is stored. They can also tell us how tables are joined, especially in SQLite databases where the relationships aren't explicitly defined in the schema. You can of course copy the query in the view and use it yourself (why re-create what has already been written for us). Hope this helps
@DamienAttoe thank you so much for your help!!
Avatar
Have a phone involved in a shooting and it appears the person was using google maps during the incident. Any idea where I can find the destination information? Nothing was parsed with PA or Axiom.
Avatar
is there any way to determine if this photo was taken with the phone or received from snapchat: "Dump\data\data\com.snapchat.android\files\file_manager\snap_first_frame\6E1035D12D121AB58BFBCF0F6905B986.snap_first_frame.0"
Avatar
Have a phone involved in a shooting and it appears the person was using google maps during the incident. Any idea where I can find the destination information? Nothing was parsed with PA or Axiom.
@Ghosted iOS or Droid? I'd say, start off with the application installation and kick off the SQLite wizard?
Avatar
@florus droid motorola
Avatar
Did you parse the Google maps application database?
8:33 AM
Also look at web search history; the destination could be there, then passed to Google Maps for the directions
Avatar
I have an image from a physical dump of an SM-G955F that resides in \media\0\EmailTempImage - I'm going on the assumption that this is a temp file from an email attachment, either sent or received. The aim is to determine whether the creation time and date of the image is an accurate representation of when the actual picture was taken, which I'm heavily leaning towards it not being; it's likely the time and date the temp file was created? Does anyone have any other thoughts? The filename follows the time and date convention (20190815_141843_resized.jpg) but the metadata has a created date of 20/08/2019 11:07:52.
Avatar
@Seladour Is it possible that the original is from 20190815 and the resized was made 20190820?
Avatar
I wondered that, but then also wondered if the resized was created 20190815 and the temp file of it was made 2019082019 - I feel like there are too many variables to say with any certainty.
Avatar
CLB_joshhickman1 7/19/2020 4:46 AM
Also look at web search history; the destination could be there, then passed to Google Maps for the directions
@Neon @Ghosted In addition to those suggestions, have you tried playing the MP3s? They may have some data in them that could give you a waypoint.
(edited)
👍 1
Avatar
facelessg00n 7/19/2020 5:27 AM
@Neon @Ghosted you can usually play them in the order they were played and get some data out. Also many programs parse this type of data as "Journeys" and not location data so it can be hidden under there.
👍 1
Avatar
He's had some issues with it switching off of file transfer mode. He's not getting full extractions. We checked power save mode but have run out of ideas. Even tried manual adb
9:09 AM
Yeah I suggested search history. But he's getting like a few megabytes of extraction
Avatar
DeepDiveForensics 7/19/2020 9:50 AM
@Cellebrite Got Physical of Samsung SM-G960F Galaxy S8 via UFED 4PC v7.34. 1.133. How to identify how many media files are locked by the Samsung secure lock app.
Avatar
Is it secure app or secure folder ?
Avatar
CLB-drorimon 7/19/2020 10:47 AM
@Seladour ,the filename convention is <original_name>_resized. You can verify it by using Samsung's Email application -> compose new email -> Attach - My files - Images - select an image -> select 'resize' -> save draft. Then, using My Files, browse to InternalStorage/.EmailTempImage and see your resized file with the timestamp of the current timestamp.
Avatar
CLB-drorimon 7/19/2020 10:55 AM
@Dam Any info on that?
@Dam, it's the last time the phone was connected to that wifi, but I can't tell if it's the time of connection or disconnection.
Avatar
@CLB-drorimon thanks. That’s the info I need. If it’s time of connection or disconnection.
Avatar
DeepDiveForensics 7/19/2020 11:01 AM
@CLB-Paul secure app
Avatar
@Seladour ,the filename convention is <original_name>_resized. You can verify it by using Samsung's Email application -> compose new email -> Attach - My files - Images - select an image -> select 'resize' -> save draft. Then, using My Files, browse to InternalStorage/.EmailTempImage and see your resized file with the timestamp of the current timestamp.
@CLB-drorimon this is unbelievably helpful, thank you so much!!!
Avatar
0..
Avatar
DeepDiveForensics 7/20/2020 2:17 AM
How to decode Elyments app realm database.
Avatar
Hello, can someone help me decode, or rather tell me the method to find a date in this place (because I have several of this type of data)? This is an important issue for us
Avatar
@rico If you're using Cellebrite PA you could try sweeping using the values tab. I find that very handy
Avatar
@Stevie_C thx but I got the wrong section
Avatar
CLB_joshhickman1 7/20/2020 3:51 AM
What type of file is it (name, extension)?
Avatar
It's a Windows dump (I'm searching for a deleted USB connection with an iPhone)
3:52 AM
But the decode app of PA... with manual search it can work
Avatar
CLB_joshhickman1 7/20/2020 3:54 AM
Looks like setupapi.dev.log?
Avatar
Andrew Rathbun 7/20/2020 3:54 AM
@Stevie_C GIFs! My main man! Nice work 😄
Avatar
If E01 image and all else failed I'd try importing into Cellebrite PA, find those values and use the Values tab to see if that works
3:55 AM
@Andrew Rathbun Oh yeah 👍
Avatar
@CLB_joshhickman1 with the update win 8.1 to 10... This file was deleted... 😥
3:58 AM
@Stevie_C good idea
Avatar
CLB_joshhickman1 7/20/2020 4:01 AM
Well, if you’re talking Windows, then most likely FILETIME. Look at the area from your screenshot highlighted in grey under LastPresentDate
Avatar
CLB_joshhickman1 7/20/2020 4:08 AM
When read little endian and converted it comes out to 2017-05-24 19:35:59 UTC. Does this date line up with other things you're seeing/things you've corroborated? I'd test this out, too, just to confirm. My coffee has not soaked in completely yet. 🤣 (edited)
Avatar
Precisely I saw that this gray area would correspond to a time stamp but I do not know how to translate this data in an understandable format.
4:10 AM
@CLB_joshhickman1 🤣
4:10 AM
👍
Avatar
CLB_joshhickman1 7/20/2020 4:11 AM
I noticed you’re using X-Ways (or WinHex). It will recognize what it thinks are time stamps and present this to you. Just be careful taking the times without confirming/corroborating them with other data points. That date may be non-sensical compared to other dates you see (and I just picked it out based on what little data I saw in your screenshot so I may be wrong, too). (edited)
4:17 AM
DCode will translate this and there are utilities online that will convert it as well, such as https://www.silisoftware.com/tools/date.php?inputdate=131401281592381699&inputformat=filetime
Avatar
@MSAB Someone around for a quick question
Avatar
@CLB_joshhickman1 after my sandwich 😇 I'll check it! Thx a lot (very)
Avatar
@florus Let's hear the question.
Avatar
Free cake to whoever can work out how to decode SkyECC phones!
👍 2
4:59 AM
iPhones- but will gladly accept androids
Avatar
@rico @CLB_joshhickman1 @Stevie_C exactly the conversion 😋 thx a lot. NB: good website, I can do a reversed search
Avatar
MFT Stampede is a fantastic tool
👍 1
😋 1
Avatar
Deleted User 7/20/2020 6:52 AM
I have access to WhatsApp backups from an android phone. But the app has been uninstalled from the phone. Is it possible to decrypt the backup without using the phone number? (edited)
Avatar
@King Pepsi we've managed to get a FFS from one where we had PIN but still encrypted 😭 next step probably to get authority to log in to Sky app but that might be a while with our legal system (edited)
Avatar
@King Pepsi we've managed to get a FFS from one where we had PIN but still encrypted 😭 next step probably to get authority to log in to Sky app but that might be a while with our legal system
@JMK exactly the same today!
Avatar
@K23 too! We'll have enough people for a band soon
Avatar
DeepDiveForensics 7/20/2020 3:45 PM
@Deleted User Android Version
Avatar
@CLB_joshhickman1 @Stevie_C in fact X-Ways has a good option... much faster
Avatar
Does anyone have any knowledge of how android renames images that are uploaded to the Cloud? Looking at a physical dump of Samsung SM-G955F I have a thumbnail found in \media\0.cloudagent\thumbnail\ with a filename consisting of a unix timestamp followed by a long unique ID. I have tried to replicate this on a similar device (Samsung SM-G950F) but cannot seem to get anything to drop into this folder. I imagine the unix timestamp is the creation date of the original image but if anyone can verify that, or point me in the direction of how to verify it, I would be grateful!
Avatar
@Magnet Forensics Hi, I cannot find a way to parse the RMAdminStore-Local.sqlite on an iOS extraction. Cannot find a custom artifact. Related to this article https://www.magnetforensics.com/blog/getting-evidence-from-ios-screen-time-artifacts/ I thought this database was automatically parsed. In my case I cannot find any artifact related to this database. (the database is there and not empty.)
Avatar
forensicmike @Magnet 7/21/2020 6:11 AM
Hi @Dam, it should be parsed by the Screen Time artifact, no custom artifact needed. Will send you a DM to see if we can get it sorted!
Avatar
@forensicmike @Magnet Thanks. You're right. After I click refresh the case I can see those artifacts. (edited)
Avatar
Mattia Epifani 7/21/2020 9:28 AM
@JMK exactly the same today!
@King Pepsi I managed to obtain a full file system on an Android device. @dfirfpi is working on it, as we have probably the sky Ecc code. A great pain...though @dfirfpi was able to understand a bit of the database encryption. On my side, I am working on a document with a detailed list of Android artifacts you can use to build at least a timeline of usage of the device. A few logs are available, so at least we can maximize the information we can get from there.
🦾 2
👏 3
Avatar
@Mattia Epifani sounds like an excellent start. We've only had the iPhone ones, haven't heard of anyone with Android versions yet 👍
Avatar
Mattia Epifani 7/21/2020 10:27 AM
I had one Nokia Android so far. Most of the Android services are disabled, but still some logs exist. Is there anyone with a full file system or physical of an Android device with Sky ECC?
Avatar
@Magnet Forensics Is it possible to add a Huawei backup into Axiom? If yes, where do I write the password to decrypt the backup?
Avatar
Hello fellow colleagues! Does anyone know of the IWCMonitor service that is active in some Samsung phones? The file iwc_dump.txt is created in the directory /data/log/wifi/iwc/, which apparently contains information about the use of WiFi. Many thanks for your help! best regards
Avatar
@Dam the decryption piece isn’t supported yet natively in axiom, but if you use something like kobackupdec first you should be able to load the decrypted image in axiom then.
Avatar
@MF-cbryant thanks for the answer. Kobackupdec is good but not perfect.
Avatar
The file Cache.sqlite has locations I need. However, I need to be able to filter them by accuracy. Inside the database there are entries for ZLONGITUDE, ZLATITUDE, ZTIMESTAMP, and ZHORIZONTALACCURACY. What I really need to be able to do is map those locations, with ZHORIZONTALACCURACY, which Cellebrite PA does not do. I wanted to use the SQLite Wizard to build it myself, however there is no field type for Latitude or Longitude in the locations model. Is there any way I can do this, or is there possibly a python script that can get this information parsed? *I opened a support ticket with Cellebrite but they could not do it through SQLite Wizard, and I'm on a time crunch.
Avatar
CLB-drorimon 7/22/2020 12:24 PM
@wchtdev seems like a bug. Do you have the ticket number? DM me.
Avatar
The file: Cache.sqlite has locations I need. However, I need to be able to filter them by accuracy...
@wchtdev Artex. But you got informed about that tool already?
(edited)
Avatar
Mattia Epifani 7/23/2020 2:38 AM
Dear all, I created a one-page document containing a list of files (XML, database, others) that we were able to find on Android SKY ECC devices. This doesn't include SKY ECC data decryption (still working on it with @dfirfpi ), but it includes a list of logs/files you can use to build at least a strong timeline of usage of the device and the app. We haven't yet had the chance to obtain a full file system from an iPhone with SKY ECC, so the document doesn't cover this case at the moment. We are not going to publicly share the document at the moment: if you are interested in obtaining a copy please send me an email at mattia.epifani@realitynet.it from your corporate/work email. Thanks and have a great day, all!
👍 7
👀 1
📧 2
Avatar
Mattia Epifani 7/23/2020 5:10 AM
I got a lot of emails. Will answer all of you in the afternoon. Lunch break now 🙂
👍 4
Avatar
@Cellebrite a question if I may. I have an Android extraction for ISO where I have conducted a physical, file system and logical examination. I have loaded them all in PA 7.29, and created a UFDR from these. However I am looking at the results and comparing the data extracted, and for example the calendar is only showing the data from the physical and logical extraction, not the FS. When I open the FS up separately the data in calendar is present. Is / Was this a bug? (edited)
Avatar
kmacdonald1565 7/23/2020 7:14 AM
@stephenie the tag didn't work in your post for @Cellebrite so I did it for you. Not sure if you got help yet via PM but figured it was only a few minutes ago
Avatar
@kmacdonald1565 Good spot, I have sorted that. Thanks
Avatar
does anyone happen to have any info/research on the "sync_deleted_messages" table from iOS sms.db?
Avatar
DeepDiveForensics 7/23/2020 10:56 AM
Is it possible to extract how many devices are connected from my mobile Hotspot.
Avatar
@stephenie I can't tell for sure. PA has improved greatly since 7.29 so it might be a good idea to check this certain scenario on the latest version.
Avatar
I've got an XRY physical dump from a Huawei P Smart which I want to analyze with UFED PA, but for some strange reason it doesn't see all partitions like the userdata. XAMN shows analyzed data and in XAMN Elements I also see the userdata partition. I've used XAMN Elements to extract the actual dump from the XRY file. But when I load this into UFED PA as a physical dump for this device (using the Android DD chain) it almost doesn't show any data. It seems like it doesn't understand/know the filesystem or format being used. Axiom came up with the same results. So is this me being a derp or can't it be done? (edited)
Avatar
@Sockmoth I think you can add the XRY file as a bin file in UFED.
👍 1
Avatar
@abarlev I know it has, however this is a report for ISO (the bane of my life) and it is the same in the latest version. I was just wondering if there was a bug
Avatar
@Sockmoth I think you can add the XRY file as a bin file in UFED.
@Dam I should stop derping around. So I'm able to load the XRY file into UFED but it doesn't do anything with it.
(edited)
Avatar
Did you use android generic for decoding? @Sockmoth
1:01 AM
Select the physical profile and add the .xry in place of the .bin
Avatar
I've tested multiple profiles including android generic but it seems UFED PA isn't able to read the XRY file. Maybe it's due to the XRY file being compressed.
Avatar
@Sockmoth I think that only works if you get a Physical using XRY which I can see you have. You can extract a .bin file of the storage blocks using MSAB XACT, I think you can do it using XAMN as well. You then open>advanced in UFED PA selecting the bin file and using the profile of the device or similar.
1:37 AM
To clarify, you can extract the .bin from the .xry file using XACT.
1:40 AM
@wchtdev Did you manage to do this? Have you considered using a SQL query to achieve it?
Avatar
@Sockmoth I think that only works if you get a Physical using XRY which I can see you have. You can extract a .bin file of the storage blocks using MSAB XACT, I think you can do it using XAMN as well. You then open>advanced in UFED PA selecting the bin file and using the profile of the device or similar.
@Pseudonym I did this in the first place but it doesn't work for some reason. I followed the instructions from the MSAB blog to extract the data dump from the XRY file with XAMN elements. The XRY file is 15GB in size and the extracted physical dump is around 62GB in size. I've tried multiple profiles within UFED PA to analyze the extracted dump but it seems to be missing several partitions including userdata. I'll open a ticket with @Cellebrite support to figure this out.
Avatar
DeepDiveForensics 7/24/2020 4:12 AM
Is it possible to extract how many devices are connected from my mobile Hotspot.
@DeepDiveForensics @Cellebrite @Oxygen Forensics @MSAB @Magnet Forensics
Avatar
Hi! I just got asked a question by an investigator that I don't quite know the answer to: In an iPhone extraction we get hits for a username in one of the iCloud plists, not specified exactly where, just that it was named something with icloud. But the owner of the phone claims that he has never had any connection to this Instagram account. On the other hand he shares an iCloud login with someone else who might have.. So my question is: Is it possible for the login to happen on the iPad and then be synced to the iPhone as the suspect claims?
Avatar
@Sockmoth Maybe it changed, but I used one xry file from a physical extraction with UFED without doing anything else. But it was a year ago
Avatar
@DeepDiveForensics it is not anything XRY supports from what I know, I'm afraid.
Avatar
@Sockmoth Maybe it changed, but I used one xry file from a physical extraction with UFED without doing anything else. But it was a year ago
@Dam I did a search on this channel and it seems some physical XRY dumps are supported by UFED PA but certainly not all. The workaround is to extract the actual dump from the XRY file and load it into UFED PA but unfortunately that doesn't work in my case.
Avatar
Ronny Bodach 7/24/2020 5:14 AM
I'm running into some trouble with a Huawei LLD-L31 with an unknown 6-digit lock key. To everyone: is there a way to bypass the key lock for examination or make a file system copy?
Avatar
@Ronny Bodach those are FBE based devices. You can't bypass code anymore to get data. It has to be bruteforced
Avatar
Ronny Bodach 7/24/2020 7:27 AM
@Arcain right, any way known for brute-forcing this?
Avatar
Not supported by any tool so far. EFT doesn't have it listed, Oxygen doesn't support this chipset for key extraction. I guess only CAS at the moment
Avatar
Hi! I just got asked a question by an investigator that I don't quite know the answer to: In an iPhone extraction we get hits for a username in one of the iCloud plists, not specified exactly where, just that it was named something with icloud. But the owner of the phone claims that he has never had any connection to this Instagram account. On the other hand he shares an iCloud login with someone else who might have.. So my question is: Is it possible for the login to happen on the iPad and then be synced to the iPhone as the suspect claims?
@Cygonaut I believe so, but don't quote me on that right now because I'm knackered and my brain's mush, let me get back to you tomorrow on it
Avatar
CLB - DavidK 7/26/2020 2:49 AM
@Sockmoth Have you tried the next steps? 1. Go to 'File' 2. Choose 'Open Case' 3. Select '+Add' 4. Then 'Open (Advanced)' 5. Select 'Blank Project' 6. Change the Chain by clicking 'Switch chain (right and left arrows)' 7. Select All chains 8. Choose 'Android Generic' 9. Under 'Binary extraction', press the 'Image' 10. Navigate to the folder and choose the .xry file 11. Press 'Next' 12. To start decoding press 'Examine data'
Avatar
For @Cellebrite users, how have you been doing your work remotely? Last time I tried running Physical Analyzer remotely via RDP, it wouldn't let me. Just wondering if I can get a software license or something to use during this time
Avatar
CLB - DavidK 7/26/2020 6:23 AM
@abefroman you need to enable the RDP in your dongle license, I will DM you with the full details
Avatar
@Sockmoth Have you tried the next steps? 1. Go to 'File' 2. Choose 'Open Case' 3. Select '+Add' 4. Then 'Open (Advanced)' 5. Select 'Blank Project' 6. Change the Chain by clicking 'Switch chain (right and left arrows)' 7. Select All chains 8. Choose 'Android Generic' 9. Under 'Binary extraction', press the 'Image' 10. Navigate to the folder and choose the .xry file 11. Press 'Next' 12. To start decoding press 'Examine data'
@CLB - DavidK I have now. PA seems to detect the different partitions but isn't able to reconstruct the file system. "Failed FS reconstruction (probably not YAFFS2): Other (YAFFS2)" It hasn't analyzed any data, not even by carving.
Avatar
TheLargePortion 7/27/2020 5:31 AM
Hey folks. Anyone seeing an issue with Cellebrite PA 7.35.2.16? I’ve added an extraction as a Huawei backup and it’s seemingly decrypted it ok, however for verification I’ve also put the backup through the Kobackup python script and imported the output as an Android file system extraction. When comparing the two, it was noted that the PA decryption was missing Instagram chat. Just wondering if anyone else has noted discrepancies in extractions?
Avatar
Hey, do you guys also have PA freezing sometimes?
5:38 AM
@Cellebrite
Avatar
During an examination, what do you use to decode an SD card which came from inside the phone? The reason I ask is that we have found many issues with mainstream tools. The only one that we have seen ace it was Oxygen during a trial of the software. Unfortunately we haven't got to purchase it yet. Some of the issues include compressed archive files partially or not decoding at all, files renamed and not maintaining the original file name etc.... This means data may be missing and you can't pick up the positives during a keyword search.
5:42 AM
@Dam disable network traffic in the PA settings and/or let PA through the Windows firewall. Fixed it for us
Avatar
@4N6Matt Mine is already disabled
Avatar
Is there any documentation on the different structures inside the KnowledgeC database? I know Android has lots of things which define what something is in regards to coding. I'm looking for something like "KnowledgeC Application Focus": this is when an application is XYZ.
Avatar
heatherDFIR 7/27/2020 8:37 AM
@Ghosted Look at some of Sarah's blogs. mac4n6.com/blog Apple doesn't seem to document and release like Android does.
Avatar
@heatherDFIR thanks was reading those as I got your message.
👍 1
9:17 AM
This is some data from an iPhone involved in a serious motor vehicle crash. Crash reported at 12:00:44 to 911. My analysis of this data would be that the device was unlocked at 11:55:49, the application Twitter was accessed at that time and kept in focus until 12:00:36 when the device entered a locked state. Does anyone have a different view of this data, or other data I should add to the spreadsheet to strengthen my case or even disprove it?
Avatar
@Ghosted have you run it through ArtEx? It does a good job of KnowledgeC
Avatar
waiting for authentication to the site to download.
Avatar
@Ghosted did you try APOLLO and iLEAPP?
Avatar
@Dam I haven't on this case but have used APOLLO in the past. My issue was getting something, maybe a white paper, on some of the KnowledgeC material. Something like "Application Focus means when an application is brought to the foreground for usage". I had located the Android write-ups on their material but for iOS I could not find any. Maybe there is a void in this which research can solve.
Avatar
Keep in mind that not every artifact will have documentation on it. It can lead you down the path. You can set up some test data pretty easily.
👍 1
Avatar
Is anyone testing the latest P.A. 7.36 beta? I have a question about it.
Avatar
DeepDiveForensics 7/28/2020 7:21 AM
@Cellebrite Got a physical of a Samsung SM-G960F Galaxy S8 via UFED 4PC v7.34.1.133. How do I identify how many media files are locked by the Samsung secure lock app?
@DeepDiveForensics @Cellebrite
Avatar
@4N6Matt PM - what do we need to do to convince the bean counters to hook you up with Oxygen
10:08 AM
@Arcain What Chipset / OS and version are we talking about. Our release today added 1000 devices and a bunch of other goodies
Avatar
@CyberTim I believe the phone he was asking about has a Kirin 659
Avatar
@CyberTech this chipset is mentioned in your release notes. Does your solution apply only to Android 9 and 10 for those devices as well, or is older firmware also supported?
Avatar
@Arcain yes. Back to 2017.
12:33 PM
Avatar
For physical/full filesystem, including passcode bruteforce like nowadays?
Avatar
@CyberTim I wish we held the purse strings because we would have purchased several by now. When we tested it Oxygen did amazingly well and we fed that back to them to buy it. Unfortunately it hasn't happened for us yet. We are working on it.
Avatar
@4N6Matt Very good. I may have some bang for the buck / ROI, unique capabilities, efficiency drivers if that would help.
Avatar
Hey guys, I actually have a question related to blocked phone numbers on an iOS device. We found a lot of blocked numbers in an AFU file system dump of an iPhone and it would be great to know when these numbers were blocked. I only found the information that the blocked numbers are stored in the com.apple.cmfsyncagent.plist file, but didn't find any information on when these entries were added. A global search in the dump didn't show me any information about the timestamp it was added. Do you have any idea where I could find this information? Or isn't it available?
Avatar
Anyone else having issues opening large extractions on PA v7.35.2.16? Tried it several times opening a physical from an S9+ which is around 128gb.
4:16 AM
Ticket raised already but wondering if anyone at the frontline has had similar problems...
4:18 AM
Error is 'Cellebrite Physical Analyzer has stopped working' window popup
Avatar
@Zhaan Andy in our office was having crashing issues with it as well the last few days. I'm led to believe PA 7.36 will be out today or tomorrow all being well so we're holding off to see if that helps
Avatar
@Stevie_C are you referring to Andy 'Crashy McCrashface' in your office? Apparently Notepad crashes when he's around! Thanks mate, I will whip the ISO monkey to get it validated in the next moon phase.
Avatar
@Zhaan Oi! 😆 🐵
🤣 4
Avatar
Anybody having Cellebrite crash after installing the update?
11:53 AM
Yup, I see others have
Avatar
Is there a file in PA that is an indicator that an Android phone was wiped previously? I know that "obliterated" is the key for iPhones
Avatar
@woody38 take a look at some of the recovery logs. I’ve never specifically gone looking for it.
👍 1
Avatar
Hello, is anyone able to help me recover an Instagram account? The account has 2FA enabled. I know the email and password but I do not have access to the one-time code or any recovery codes.
Avatar
@woody38 Check the last_history log. It will be present in a physical extraction, or can be manually inspected in Recovery mode. Usually not a very large file (unlike some of the recovery logs) and in most cases, one of the last entries will refer to the device wipe and may give you some information about how the wipe was initiated. The entry referring to the device wipe is not always timestamped but I have seen some where it is. The same entry may also be present in some of the other recovery logs - hard to find by manual inspection because of the size of the logs but can be found by string search if the logs are extracted
👍 1
Avatar
Mistercatapulte 7/30/2020 2:43 AM
@woody38 data_wipe =1 in the log would mean data_wipe=True
👍 2
Avatar
Andrew Rathbun 7/30/2020 3:15 AM
Hello, is anyone able to help me recover an Instagram account? The account has 2FA enabled. I know the email and password but I do not have access to the one-time code or any recovery codes.
@Ezio_A You're probably going to have to get with Instagram support on that one. Hopefully they can help recover it by providing them with some historical information
Avatar
I have a Galaxy S20 to dump. When I turn it on, it appears it hasn't been set up. I still want to do a physical on it, but it's not connecting. Any suggestions?
6:12 AM
Cable was bad. But now that it's connected, it's stating only "unlocked" phones are supported. Would I be correct to assume that a phone that has not been set up would not be considered "unlocked"?
Avatar
@LawDawg You likely need ADB enabled to begin the process, which you won't be able to do from the setup screen. Also that's likely file based encryption too so you won't be getting a physical anyway, maybe a FFS if you're lucky
👍 1
Avatar
Sooooo, I'm outta luck.
Avatar
I'd say so. Trevor / CAS might be able to do something, but with a factory reset device I imagine it would be hard to justify the cost
Avatar
I would have thought that if it was FBE and then been factory reset, best you'd get back from a FFS would be BFU state files anyway - userdata that was previously encrypted with the device passcode should have had keys discarded
👍 1
Avatar
Roger roger.
Avatar
TrevorLahey 7/30/2020 12:21 PM
Is there an iOS 13 artifact from an Advanced Logical extraction that indicates which iCloud Settings are enabled? I am interested in finding if iMessage for iCloud was enabled.
Avatar
@LawDawg did you ever get it sorted out. Pa that is.. (edited)
Avatar
Anyone else having problems with XAMN not showing pictures/videos (shows only file name or URL) in chats?
Avatar
@Eff What apps would these chats be from? Could you perhaps send a screen shot of the details pane to support@msab.com, and we can have a look?
Avatar
@MSAB_Sofia Already did once, then it was Viber, now FB Messenger.
Avatar
Does the Device Manual state that XRY should be able to extract the full attachments for that version of that app? Depending on the operating system of the phone, unfortunately this may be expected behaviour.
Avatar
@TrevorLahey On iOS 12.1.4, in sms.db, on table message, in column service, you can find the source of the msg (SMS or iMessage); however, P.A. classifies the iMessages from the account configured in iCloud in a separate row inside the chat inspector window; I don't know if, in the iOS 13 acquisition, the structure remains the same (I don't have an iOS 13 Advanced Logical dump opened at this moment).
(edited)
Avatar
@CLB-Paul Nope. Haven't had time to really look into it. I think it has to do with location carving. I was doing a phone where the case agent wasn't interested in locations (it was a consent phone), so I did it without location carving, and it worked fine.
Avatar
Did Apple get rid of the ADDatastore.sqlitedb in iOS 13.5.1? I have a phone without that database, yet it's present in a 13.2.3 phone. 😦 (edited)
Avatar
I also don't have the ADDatastore.sqlitedb in iOS 13.4.1
Avatar
TrevorLahey 7/31/2020 8:20 AM
@branzu_84 Thanks for the reply! I do know that iMessage in general was enabled. I am trying to find out if this setting was enabled https://support.apple.com/en-us/HT208532. I also took a checkm8 extraction from an iOS 13 device and analyzed the CloudConfigurationDetails.plist, com.apple.assistant.backedup.plist, and com.apple.CoreDuet.plist but none specifically list iMessage for iCloud or reference it. The most promising artifact so far appears to be com.apple.madrid.plist, with its CloudKitSyncingEnabled = true/false key and value, but I have not yet got an extraction with iMessage for iCloud enabled to compare to (iOS 13 extractions with iMessage for iCloud disabled displayed false as the value, but I have not yet been able to compare a com.apple.madrid.plist from an iOS 13 extraction that has it enabled)
Avatar
@TrevorLahey Tomorrow I receive an iPhone 6S for test purposes. I will make some tests to analyze the differences from the iOS 12 structure. If I can find something I'll write to you!
Avatar
TrevorLahey 7/31/2020 9:59 AM
That's super exciting, thanks Branzu!
Avatar
Anyone know how to work out what Apple Music track is playing on an iPhone when all you have is the series of random numbers/letters with the suffix .m4p? I can't play it because I would imagine it's a form of DRM, which I would expect, but I am wondering if there is a temp database that stores the track name and musician because it does display on Apple Music when it is being played... or is it literally live for the 3 minutes or so it's playing and then lost in the ether?
1:29 AM
I can see a PLIST associated with the track... (edited)
1:35 AM
But when I chuck the hex through a convertor, it shows the account name, some Apple rights but nothing else readable at this point.
1:40 AM
Think I may have found what I need in the Music cache.db...
Avatar
@Cellebrite Hi guys, It seems that with recent app versions (10.1.1.x) Huawei has changed its backup format and p.a. can't decode it anymore.
Avatar
I have done an AFU extraction of an iPhone 7 A1778 and wonder if there is a way to see when the user changed the SIM card in the phone. (edited)
Avatar
theAtropos4n6 8/4/2020 3:27 AM
@Tilt You should download the latest SANS poster "The Most Relevant Evidence Per Gigabyte", you will find a lot of information there. Check /private/var/wireless/Library/Databases/CellularUsage.db (table subscriber_info) and /private/var/wireless/Library/Preferences/com.apple.commcenter.plist
Avatar
I'm reading the BlackBag Insight blog about SIM switching and CellularUsage.db. Gonna check out the SANS poster. Thanks for the info @theAtropos4n6 (edited)
Avatar
Got a physical dump of an S9 in UFED. Are previous screen on/off and unlock events stored in a DB? Can't find event.db and only found the last power-on event.
Avatar
Mr. Eddie Vedder from Accounting 8/4/2020 5:07 AM
Anyone with experience on the Mega app for iOS? Working a case with CSAM in the cache. I can answer how that possibly got there, however one video is in the TMP folder and through testing I can't recreate that.
Avatar
In the same phone extraction as I mentioned above PA decodes two IMEI numbers. The first IMEI originates from com.apple.commcenter.plist. The second IMEI originates from AccountToken.txt. The correct one seems to be the one from AccountToken.txt. (edited)
5:15 AM
What I can understand from the BlackBag blog is that "last_update_time" is changed by many factors so you can't really know what made the update last time.
Avatar
Morning! I have a Samsung SM-A015AZ where I was able to get an Advanced Logical, File System, and File System APK Downgrade using @Cellebrite UFED. I am looking to parse out the Twitter conversations. I have Chats > Twitter and Instant Messages > Twitter. The chats show the conversation participants but the body of the messages is empty. The Instant Messages just show the suspect's side of the conversation. I tried using AppGenie but had no luck. Anybody else got any ideas on how I can get the full Twitter conversations?
Avatar
DeepDiveForensics 8/4/2020 8:26 AM
I rooted a Pixel 3 and got a binary dump but after processing I am unable to get user partition data. What happened in this scenario, is the user partition encrypted or something else?
Avatar
@goalguy if you drill into the DB, is the body of the message there?
Avatar
@DeepDiveForensics It's an FBE device I think, so any physical image would be encrypted. Full File System is your best bet - hook it up to your forensic tool of choice and they should hopefully see that there's a root shell available
Avatar
DeepDiveForensics 8/4/2020 9:45 AM
@OllieD After processing with many tools I get only system files. I opened the binary in R-Studio but am unable to view the user partition.
Avatar
No I mean perform a new extraction of the device using a forensic tool
9:49 AM
Let it perform a full file system for you
9:50 AM
You won't be able to decrypt the acquired binary offline
Avatar
DeepDiveForensics 8/4/2020 10:33 AM
@OllieD Sure I'll try. Thanks
Avatar
Is there any tool that can convert an SPD NOR dump image into regular FAT, like Mobile Revelator does with MTK NOR dumps?
Avatar
Hey all, I have a user that has deleted WeChat from their iOS handset before we got to it. All that is left from what I can tell is some iPhoneNetworkDataUsage logs that have several different identifiers for WeChat network usage. Any idea what these mean and whether it is of any use to determine the type of activity? com.apple.WebKit/com.tencent.xin, mDNSResponder/com.tencent.xin, WeChat/com.tencent.xin, and appstored/com.tencent.xin. Also, if anyone has any extra info on things to look at that might have been left behind after the user has deleted WeChat, that would be great
Avatar
Hello. Just a quick question. I'm sure it's a simple one. In Axiom I have an iPhone 11 but its "Model ID" is iPhone12,1. I know Apple's numbering scheme is kinda all over the place, just curious if there is a simple explanation for this.
Avatar
@stps358 actually it's quite straightforward, and more like a generation number and not related to the phone model. https://gist.github.com/adamawolf/3048717
List of Apple's mobile device codes types a.k.a. machine ids (e.g. iPhone1,1, Watch1,1, etc.) and their matching product names - Apple_mobile_device_types.txt
👍 2
Avatar
@Arcain Ty!
Avatar
All_About_FRNZX 8/4/2020 8:17 PM
Hello all, is there an open source tool that I can use to process WAL file?
Avatar
"DB Browser for sqlite" is open source, and will incorporate data from a wal file into the main database when it sees one https://github.com/sqlitebrowser/sqlitebrowser
Official home of the DB Browser for SQLite (DB4S) project. Previously known as "SQLite Database Browser" and "Database Browser for SQLite". Website at: - sqlite...
Avatar
All_About_FRNZX 8/5/2020 4:17 AM
I tried it and didn’t work. Thanks @Orb
Avatar
Deleted User 8/5/2020 4:43 AM
You need to copy the WAL and SQLite file into one directory and open the SQLite file. DB Browser for SQLite will automatically include the WAL file. When you close DB Browser, the WAL file will be merged with the SQLite file and deleted.
Avatar
@All_About_FRNZX What didn't work? Didn't parse the WAL at all, or are you referring to not pulling deleted records etc?
Avatar
All_About_FRNZX 8/5/2020 6:04 AM
@OllieD, I did just like @Deleted User explained but the main db did include anything from the WAL file. The records I’m seeing in the WAL file have already been deleted from the main db, which makes me believe what I’m seeing in the WAL file is in the unallocated part of the file. I will have to have a SQLite recovery tool to automate the recovery process. However, I’m pulling the data manually and it is working, but slow
Avatar
Yeah, visible ASCII text in the WAL could be a live record, could be deleted, or could just be from an out-of-date page
💯 1
Avatar
Anyone know if there is an easy way to add file hashes of unwanted files to a known file database in UFED so as to eliminate them next time we come across them? Stickers and emojis and such.
Avatar
heatherDFIR 8/5/2020 10:02 AM
@Majeeko Yep - Go to Tools>Watchlist>Hashset Manager and then select new. You can import your list. Then check the box to run. However, I need to test that it can be saved globally to keep running. Is that what you need?
Avatar
heatherDFIR 8/5/2020 11:52 AM
@heatherDFIR Refer to the help guide for more details on how to run it globally. It's already built in.
Avatar
@heatherDFIR While you're here, I know it's possible to create a report from an already generated report. When I showed one of our detectives how to do it, I did not notice where it asks what to include in the report, i.e., "tagged items". I've never created a report from a report because I'm the examiner. So, is it possible to only include the items tagged by the detective when they generate a report from the report I gave them?
12:14 PM
I can't test it right now, 'cause I'm doing an extraction at the moment.
Avatar
I have a full file system extraction of a Samsung A20. We have SMS messages indicating the use of escort websites, but no parsed websites in the data from @Cellebrite PA or @Magnet Forensics Axiom. A search of the hex through PA revealed websites located in AppDataSearch/main/cur/ds.doc. Looking for information to tell me what the ds.doc file is at that location. Any suggestions?
12:17 PM
I tried my GoogleFu and couldn't find anything which would explain what is stored in this file.
Avatar
@heatherDFIR I answered my own question. Sorry.
Avatar
forensicmike @Magnet 8/5/2020 12:28 PM
sending DM @sholmes
👍 1
magnetforensics 1
Avatar
cScottVance 8/5/2020 1:04 PM
@sholmes you’ll get another from me too. I have some thoughts on this one.
👍 1
magnetforensics 1
Avatar
natalied4784 8/5/2020 3:20 PM
Has anyone seen the below file path? DarArchive/root/private/var/mobile/Library/Caches/com.apple.mobileSMS/Previews/Search/PhotoSearchSection-at [image name.png]. I’m trying to understand what photosearchsection means. (edited)
Avatar
@heatherDFIR Thanks, I was more looking for a function to create hash lists on the fly, so as I am deselecting junk from my case before export I was looking for an easy way to add that to a list to be discounted in further cases.
Avatar
chrisforensic 8/6/2020 1:17 AM
@FabianoQ @Cellebrite yes, can confirm that latest PA 7.36 can't decrypt/parse latest HiSuite backups...
1:18 AM
HiSuite 10.1.0.550_OVE on PC installs HiSuiteApp 10.1.0.550_OVE on my P30pro... here a short log...
10:10:12 [PA ] [60 ][ERROR] Trace: Failed to execute: Huawei Backup
10:10:12 [PA ] [60 ][ERROR] Trace: Der Wert darf nicht NULL sein. Parametername: source
10:10:12 [PA ] [60 ][ERROR] System.ArgumentNullException: Der Wert darf nicht NULL sein. Parametername: source bei System.Linq.Enumerable.SkipTSource bei Huawei.HuaweiBackup.HuaweiDecryptor.CheckAndSetPassword(String userPassword) bei Huawei.HuaweiBackup.HuaweiBackupParser.GetUserPassword(HuaweiDecryptor decryptor, String date) bei Huawei.HuaweiBackup.HuaweiBackupParser.Parse() bei Huawei.HuaweiBackup.HuaweiBackupPlugin.Run() bei System.Threading.Tasks.Task.Execute()
10:10:12 [PA ] [60 ][INFO ] Trace: Plugin Huawei Backup finished, runtime: 00:00:04.99
1:19 AM
@Oxygen Forensics and Forensic Detective have trouble too... says password is invalid...
Avatar
I am looking at a FullFS extraction from an iOS device for location history. Does anyone know if I would find even more locations extracting Apple Maps from iCloud?
Avatar
chrisforensic 8/6/2020 1:40 AM
additional info .... good old kobackupdec can decrypt this hisuitebackup 🙂 without troubles... https://github.com/RealityNet/kobackupdec (edited)
👍 1
Avatar
@chrisforensic it is being addressed 🙂
Avatar
Anyone know if you can tell when and how often Safari browsing history has been deleted? iOS version.
Avatar
chrisforensic 8/6/2020 6:48 AM
@CLB-Paul thanks mate 👍
Avatar
@Cellebrite Can one of you answer some questions I have about UFED Reader?
Avatar
Has anyone had luck decoding Facebook Messenger secret conversations, or recovering deleted messages from it on Android? I have the db with the encrypted messages and photos of the conversation on the device itself. I only have messages from one party in that conversation; if it's possible to recover the other half it'd be a huge help. The WAL didn't appear to have anything notable when I looked through it. For what it's worth, I have a physical extraction of the phone and the subject didn't use this device to send or receive the messages directly; it was a phone he'd just replaced that was still on in his house, connected to wifi and logged into Facebook.
Avatar
@LawDawg go for it
Avatar
@CLB-Paul just got off the phone with one of your coworkers who called me. He suggested I take the 1 day reader class. He said it was free. I didn't know that. I think that class will answer my multitude of questions so I'm not bothering everyone.
Avatar
nice, and yes, the reader course is free and great for end users of the program
Avatar
I'm going to take the class and condense it from 8 hours to 1 and teach it to our detectives.
Avatar
Currently working on a job where an analyst has reported that a SIM card seized has over 140 associated IMEI numbers. Only a few devices have been seized so it is the officer's assumption that the suspect has been using some form of IMEI tumbler on his devices. Does anyone know how possible this is to do? I was always under the assumption it was very difficult to change a device's IMEI, and what would the motivation be? I have reviewed the extractions from his devices and there is no indication of anything relating to this. All device hardware IMEI references match their digital references. Thanks
Avatar
@JDowson many flasher boxes let users "repair IMEI", aka rewrite it, so they can change a blacklisted IMEI. In your particular case, I am not completely sure about that many... did they do any reverse checks on them to see if they are actually valid? They can use a site like imei.info
Avatar
IMEI change is a tricky topic. It can be done on many feature phones and many MTK based devices (especially generic brands). Some Kirin based (up to the P30 series now I think) are also supported. There are a couple of ways (one popped up yesterday, using DIAG mode) for Qualcomm based devices, although some are protected more than others. For example Samsung phones have special certificates. You can change the IMEI on most Exynos based Samsungs but you need to patch the certificate or such a device won't be able to connect to the network anymore. This doesn't work on recent firmware revisions, and requires a rooted device (so the Knox counter will reflect that). I'm not sure how it looks with current Qualcomm based Samsung devices. SONY phones are not supported by anything, as always. (edited)
Avatar
@Cellebrite Anyone available for a quick question about report generation? (edited)
Avatar
Looking through an android extraction and am trying to interpret newbatterystats in physical>data>log>batterystats>newbatterystats. Anyone aware of any articles or resources that would help me understand what's shown in these files? I'm working on establishing a timeline for a case but am looking for more specific information than is shown in the timeline/analyzed data in PA.
Avatar
@Turey43 Did anyone reach out to you about this ? I did a job at the end of last year where I had to analyse newbatterystats, power_off_reset_backup.txt, sdp_log and SYSTEM_BOOT@xxxxxxxx.txt files to figure something out on an S7. I might be able to help
Avatar
binarycanary 8/10/2020 11:35 AM
Hey all, so I have an Android extraction (Samsung). Voicemails weren't parsed. I have the audio files and a vnotes_db which I'm comparing to what I'm seeing on the device in the voicemail app. Specifically looking at the vnotes table, which has a recv_timestamp column and a sent_timestamp column. When comparing to the date and time displayed in the app it sometimes matches the received, sometimes matches the sent, and other times it's off by a minute that could not be explained via rounding; for example in the table it will show 8:43:23 and on the phone it would show 8:45. Can someone tell me first, is the app supposed to be displaying the received or sent time, and secondly explain some of the discrepancies? Thank you
Avatar
Has anyone seen this message when parsing an iPhone X full FS (iOS 13.4.1) with Physical Analyzer (tried the last 3 versions)?
12:31 PM
20:29:09 Parser Telegram_6.0.1 failed
20:29:09 Object reference not set to an instance of an object.
Avatar
@FabianoQ, can you please send me the log? You can get it from the menu -> help -> zip log files. My mail is alona.zayats@cellebrite.com
Avatar
@alona I'll send logs ASAP
Avatar
does anyone have a white paper or firsthand knowledge of Waze artifacts from an iPhone full file system extraction? Specifically looking at the user.db places table / venue_ID. My artifact has a googlePlaces.xxxxxxxxxxxx entry in it. There was another very similar looking entry approx 10 minutes after that one, approximately one hundred miles away. The case officer was hoping it would place a suspect in that location, but looking at other entries I'm guessing it's just the app sending out pings.
Avatar
@Solec archive_postmortem has interesting information
Avatar
thanks, I saw that through the search menu after I posted yesterday (prob should have done that first), will def check it out when I get into the office today
Avatar
someone who can help me out with using APOLLO from Sarah Edwards (for the first time)? (edited)
Avatar
Andrew Rathbun 8/11/2020 7:46 AM
@florus I've never used it but I know she has a ton of articles on APOLLO on her mac4n6 blog
7:46 AM
have you checked there?
Avatar
@Andrew Rathbun yeah, reading, but I haven't figured it out yet; specifically what to set in these two options: -p {apple, android, windows, yolo} -v {8,9,10,11,12,13,10.13,10.14,10.15,and9,and10,and11,win10_1803,win10_1809,win10_1903,win10_1909,yolo} (edited)
Avatar
I got a case where the investigator is asking for OfferUp app artifacts from an iPhone. I am looking into the databases but I can't find anything involving chat or items for sale. Are there any papers on it or any advice? Thanks.
Avatar
Are there any good guides for recovering Bitcoin private keys from an iPhone?
Avatar
Does anyone have any insights on decoding a physical extraction from an Avenda Q28A (AT&T)? I was able to get the physical by using the 523 cable and holding the EDL button down while plugging it in to the phone. It gave me a full physical, but PA is not decoding SMS messages. I can't even figure out which SQLite db they are stored within. Any help would be appreciated.
1:14 PM
FYI, I used UFED 4PC and the Generic Qualcomm profile for the MSM8909 with the above method and it worked.
Avatar
@Mike does the phone use KaiOS? If it does use the advanced open w/ kaios decoding in PA
Avatar
Ah, I didn't think about that. I'll give that a shot.
1:22 PM
Thanks
Avatar
@Solec Thanks for the pointer! I created a new Chain and only added the KaiOS functions. Now the SMS messages show. Thanks again for the help.
Avatar
CLB-drorimon 8/12/2020 12:20 AM
@Mike BTW you don't have to create a new chain, you can just switch to the built-in KaiOS chain
Avatar
Hi, I have a faulty ANE-LX1 (P20 Lite) motherboard; the device does not turn on. Does anyone have experience with chip-off etc. with these devices? Thank you.
Avatar
@anspoki file based encryption, not going to work
Avatar
@Arcain This is bad news. Thank you for answer.
Avatar
It's completely dead? Or boots into fastboot for example?
Avatar
@Arcain unfortunately it doesn't react at all.
3:14 AM
local service indicated it was motherboard problem.
Avatar
@anspoki if it can boot to fastboot mode you could try Oxygen method. It doesn't seem to be required to boot into Android anymore so maybe could work
Avatar
i have cellebrite, if it can fast boot could work?
Avatar
With the Cellebrite method it currently has to boot into Android
3:41 AM
How does it behave exactly? Is it stuck on logo, boots back into erecovery?
Avatar
Let me explain briefly. The phone was reacting at first. The opening logo remains on the screen. It's not charging. The service changed the charging socket and stated that it was a motherboard problem. No response when taken back from the service.
Avatar
I have a weird question. I have an advanced logical extraction of an iPhone XR where we believe the owner of the phone is trying to create fake SMS to another party. All the SMS in the conversation are sent to and received from the same number as the phone has. When looking in the phone it looks like a normal conversation, but when we tried to replicate it by sending SMS to our own phone it shows the same message twice, once on either side. We can get the same result by deleting one of the messages but this doesn't prove anything really. When looking at the timeline in PA it shows two incoming SMS messages from this conversation; at the same time there are log entries from InteractionC. For the first message the entry is "incoming sms from <UID>:ABPerson", for the second SMS the entry is "outgoing sms from <Same UID as first entry>:ABPerson". So both are marked as incoming SMS by PA but the logs say otherwise... Anyone got any idea of why this might have happened? @Cellebrite (edited)
Avatar
@anspoki hmm, verify it is detected in fastboot mode and the computer can read it. If OK, you can try to ask for an Oxygen demo and give it a try
Avatar
@Arcain i'll try. Thank you!
Avatar
iPhone question. I have a GrayKey FS dump of an iPhone 5s, iOS 12.1. On the handset is a phone number of interest and in the notes field there are a number of incoming and outgoing interactions from the InteractionsC DB, but I can find no calls, chats or SMS/MMS to this number. Has anyone got anything that explains the InteractionsC DB a bit better? I've looked at it and before I dive in I thought I would ask. I have found a 4-digit number that appears to be associated to my contact but I don't know where else to look to see if the handset owner has communicated with this number of interest. Any help would be appreciated.
Avatar
Hello, hope everyone is doing OK. I have a question around a file system extraction from an iPhone 5s with iOS 12.3. I found an artefact in the file system called DoNotDisturb.bundle. This is in relation to location data. Can anyone give me a brief explanation of what this means? It appears sporadically along a short timeline, within an hour. Thanks in advance. EDIT: I may have found an answer. A speaker and/or Bluetooth device output has shown up in device events a few seconds before DoNotDisturb.bundle comes into play; it appears to have an effect. I take it that connectivity by other means maybe pauses the GPS for some reason? Handling resources or something else? (edited)
Avatar
@Magnet Forensics is someone from Magnet around for errors I keep getting while parsing an iPhone extraction with the latest version? I keep getting an error "ffmpeg.exe has stopped working". The error keeps popping up even after closing, and the decoding freezes. I collected the logs. (edited)
Avatar
Hey, is it at the moment possible to import an XRY extraction into UFED PA? .... It was possible in the past 😃
Avatar
@Dossy If it's a physical extraction I've found the best way is to open the XRY extraction in XAMN, export the binary file out and simply import the pure binary file into PA using "Open Advanced" option in UFED PA
Avatar
It’s not a physical :-> Last year there was some time period where you could choose .xry directly as a file in PA, but I think MSAB changed it
Avatar
@Andrew Rathbun Do you know if Blackbag is active in discord?
Avatar
@deleted-role
Avatar
Hi @OllieD I reached out on the computer forensics channel, but I have a mobile question, so I might reach out here as well. Thanks 🙂 (edited)
Avatar
ScottKjr3347 8/13/2020 6:15 PM
The interactionC.db database certainly does not get as much as attention as its CoreDuet partner in crime, knowledgeC.db. However, I think it has quite a bit of investigative potential. I’ve written about it before in a prior blog , however I’d like to give it more attention ...
On this third day, we will focus on application usage. We will cover three databases: KnowledgeC.db Be sure to check out more detailed information on this database in my two previous articles . Access to this database is limited to a file system dump, it will be ...
Having access to precise and granular user and application usage can be extremely useful in a forensic investigation, some of which are listed here. I find that pattern-of-life data is some of the most useful information on a device - it really does tell the story about a user...
Avatar
ScottKjr3347 8/13/2020 6:28 PM
@florus do you figure out #APOLLO?
Avatar
@ScottKjr3347 worked with the BlackLight plugin, but didn't as I ran it in cmd
Avatar
@ScottKjr3347 Thank you
Avatar
@Cellebrite Hi Cellebrite, trying to generate Excel report of phone download. Goes through the steps etc with green bar but then fails saying "Sequence contains no Elements". UFDR creation worked ok. Nothing different done, is it a glitch or me? 🙂
Avatar
Having a bit of a senior moment, but could you previously open AMR audio files in PA by double clicking on them? I am told this is not the case and you can either right click, open with default, or click on Play (default program). This also raises the issue of all those AMR files that may not have been played because reviewing officers have double clicked an MP3, it played; double clicked a WAV file, it played; double clicked an AMR file, it didn't play. Now a non-tech officer or member of staff would naturally assume the file must be corrupt, broken, empty, etc. and move on to the next file. So if this is an issue, which I am told is in the PA knowledgebase(!!!!), why am I pretty confident I used to be able to open an AMR by double clicking previously to v7.36 of PA? Or am I losing it and need a beer and a Nutella bagel?? But more importantly, how much data has not been heard? @Cellebrite (edited)
Avatar
Andrew Rathbun 8/14/2020 4:12 AM
Having a bit of a senior moment, but could you previously open AMR audio files in PA by double clicking on them? I am told this is not the case and you can either right click, open with default, or click on Play (default program). This also raises the issue of all those AMR files that may not have been played because reviewing officers have double clicked an MP3, it played; double clicked a WAV file, it played; double clicked an AMR file, it didn't play. Now a non-tech officer or member of staff would naturally assume the file must be corrupt, broken, empty, etc. and move on to the next file. So if this is an issue, which I am told is in the PA knowledgebase(!!!!), why am I pretty confident I used to be able to open an AMR by double clicking previously to v7.36 of PA? Or am I losing it and need a beer and a Nutella bagel?? But more importantly, how much data has not been heard?
@Zhaan I recall a couple years ago being able to listen to AMR audio files within PA by double clicking on them. I did that all the time. I haven't used PA in a while though since I don't do mobile anymore
Avatar
@Andrew Rathbun thanks, I vividly remember double clicking everything and not pulling faces at it when it didn't work. The fact the process to open AMR and SILK files is in the knowledgebase tells me it's been around a while, but I am now wondering why isn't it programmed in to open in a default player if it's just those 2 file types? Have a great weekend!
Avatar
Anybody know the following? com.apple.wifi.plist has the value networkusage: real = 3029.660383737. Does anyone know what that value represents? Bits, bytes, megs, gigs etc.
Avatar
heatherDFIR 8/14/2020 7:23 AM
@Cellebrite Hi Cellebrite, trying to generate Excel report of phone download. Goes through the steps etc with green bar but then fails saying "Sequence contains no Elements". UFDR creation worked ok. Nothing different done, is it a glitch or me? 🙂
@JMK Which version of PA? I can try to replicate it. And do you have anything specific tagged or just a report in general?
Avatar
I have an LG Stylo 5 running Android v10. It is unlocked and I was able to place it in developer mode and allow debugging, but when I try to change the USB configuration to file transfer it flashes the option screen for a split second and goes away. The problem is it stays in charging mode only. I have tried EDL in Cellebrite and the Oxy Agent doesn't work. Any ideas on how to get out of USB charging only and why the USB configuration only flashes for a split second and goes away?
Avatar
@heatherDFIR PA Version 7.35.2.16. Nothing tagged just a report of the whole extraction (it's a combined Logical, FS and FS with apk downgrade). No worries if not, the officer has the UFDR to be getting on with.
Avatar
ScottKjr3347 8/14/2020 8:15 AM
@florus ill make a video and post it later using the latest version.
Avatar
thaconnecter 8/14/2020 1:11 PM
Does anyone know if a factory reset leaves some kind of trace in log files on an Android device?
Avatar
@thaconnecter on a number of Android devices where factory reset was suspected, we saw a date/time stamp on the "first run" applet - I'm not in front of an analysis machine, but feel free to PM me and I'll look at one of our cases to find the name of the process that runs on initial setup
Avatar
thaconnecter 8/14/2020 3:05 PM
Thanks @CyberTruth
Avatar
@Cellebrite Is there a maximum size for a dictionary file to use in P.A. to attack, for example, Surespot?
Avatar
@thaconnecter you could check the creation dates of some of the databases, and also recovery event dates and last_history
Avatar
thaconnecter 8/15/2020 8:10 AM
@Zhaan thank you
Avatar
@Cellebrite are full case Excel reports OK in PA 7.36.0.42? Exported an Excel report from a 64gb Sammy and found the only way to get it under 100mb (which is the maximum size for our reporting system) was to remove Applications, Archives, Audio, Configs, DBs, Images, Videos, Timeline and Redact all attachments, which brought it down to 42mb from its original size of 1.6gb! It was 1.6gb before I removed Timeline and Redact all attachments. I know it could just be a busy phone, but the Excel report took 1 hour and 38 minutes to compile, plus this is the second time I have ever seen an Excel so large! The first time was a 64gb Sammy too, from a different case. I am exporting the full UFDR currently, which will include the media, and that's taken 1 hour so far, so here's hoping it's under 1tb! I will try an older version of PA for the moment because I remember 7.36 had issues with big phones... (edited)
Avatar
@Cellebrite OK, so I exported the UFDR from the 64gb Sammy which took 10 hours. The UFDR is 553mb. Now tell me there isn't a problem? Images, videos, applications, configurations, databases and archives were left off the report. I will raise a ticket because this isn't good? I ain't Bill Gates or Steve Jobs but surely that's an issue. I remember previous problems with Sammy 64gb phones and this continues the trend. Ticket in.
Avatar
Anyone have issues with decoding in PA 7.36 as well?
5:53 AM
It keeps hanging at Parsing Facebook_stub
5:53 AM
kinda pissing me off
Avatar
@Cellebrite P.A. is parsing an extraction that includes Surespot; it stops and asks for the password or for a dictionary file. I don't have the password so I try the second choice.
6:21 AM
Question: Is there a way to know how far in the dictionary file the process is? (edited)
Avatar
@B is it a Samsung?
Avatar
Yes, a Samsung
Avatar
I rolled back to an older version for one of the phones.
Avatar
it took a full hour to load in just that Facebook. Something funky is going on
6:47 AM
it eventually loaded it in
Avatar
Apparently not, I was told...
Avatar
it's finishing up now as we speak
Avatar
It took 10 hours to export a UFDR of 553mb!!!
6:48 AM
So weird
Avatar
Another hit on that album is 'Is my UFDR too big for you' and 'I love Excel but not THAT much' (edited)
6:50 AM
Older versions of PA load it and export the data fine but you miss all the enhancements of the newer versions....🤣
Avatar
Yeah, rolling back isn't worth it with PA
6:51 AM
i'll submit a bug report in the portal
Avatar
The good folk at @Cellebrite might have a BETA to turn that frown upside down
Avatar
@B my ticket regarding the whole big bad Sammy issue has now been escalated along with a bouquet of logs and associated supporting info so hopefully the folk at Cellebrite Towers can make PA great!
Avatar
Ah great to hear
Avatar
It took a while as we have a 1mb upload speed and the logs were 4mb so as you can imagine, that was fun.
Avatar
ScottKjr3347 8/17/2020 1:07 PM
someone who can help me out with using APOLLO from Sarah Edwards (for the first time)?
@florus Here are links to 2 rough videos of the basics that should help you get started with APOLLO. If you have any questions reach out via email and I'll step you through any issues you might run into. bskoenig3347@gmail.com Make sure you share any success stories with Sarah Edwards (Twitter @iamevltwin); she and the other contributors have worked hard on this and it's an amazing OS tool. https://youtu.be/6O4rGLdn1-w https://youtu.be/Hr7XIGBKKXw
(edited)
Avatar
@ScottKjr3347 this is awesome. Thanks for your effort. I will sure do and share any success with Sarah.
Avatar
@Cellebrite what is the icing_mmssms.db? I have SMS, the ones from mmssms.db are live and the ones from icing_mmssms.db are being shown as deleted. I have manually verified the content as being live. This is a Sammy S6 running Andy 7.0. I am guessing it is some sort of cache/WAL/temp area? But that's a guess...
12:45 AM
Just found info on that DB using Gerry, amazing tool the search engine! (edited)
12:45 AM
But it doesn't answer why one DB says live and the other says deleted; could be a problem in court...
Avatar
ScottKjr3347 8/18/2020 8:58 AM
But it doesn't answer why one DB says live and the other says deleted; could be a problem in court...
@Zhaan disclosure: I don't work for Cellebrite, but are you referring to the icing_mmssms.db or the icing_mmssms.db-journal? https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond I looked at a recent FFS extraction I had for a Samsung S8. The icing_mmssms.db-journal contained data that was also in the mmssms.db. It appeared (have not tested) the data contained in the icing_mmssms.db-journal was being parsed via a carving method of the journal file, thus giving the red X notification. The data being parsed from the mmssms.db was parsed from the database (no red X). I no longer have this device to do a handscroll validation. I don't know how the device determines what gets saved to the icing_mmssms.db and to the mmssms.db. I would need to set up a test device to validate, but if the data you are seeing is in the mmssms.db and the data is present on the device (verified via handscroll) I believe it would be safe to say the message was not deleted and the red X is an indication of the recovery / parsing method for the tool. I would also encourage you to parse the data using a 2nd tool (non-Cellebrite) to look at the results. Hope this helps...
(edited)
In this blog, Jamie McQuaid highlights the different types of messages you may get when dealing with a standard text message investigation in Android devices.
Avatar
Unlocked Motorola XT1710-02. Anyone been able to get a physical on this? CB keeps failing
Avatar
@RBegs2637 What Android version and security patch is it running?
Avatar
If I have a full file system extraction of an iPhone 5S, is there a way to see when a specific app was uninstalled from the phone? We believe the suspect deleted both Signal and Wickr as police were breaking into his apartment. If someone can just point me to the right database (or maybe KnowledgeC?) I'd be happy.
2:27 AM
I can see his Wickr username via keychain, so I know for a fact he has been using it. But the database is gone. Now the investigators just want a report that says he deleted the app.
Avatar
Mistercatapulte 8/19/2020 2:32 AM
@BETBAMS yes, you have to analyze the log files stored in private\var\installd\Library\Logs\MobileInstallation
Avatar
@Mistercatapulte Thank you! I now owe you a beer 🍺
Avatar
Mistercatapulte 8/19/2020 2:35 AM
@BETBAMS you're welcome 🙂
Avatar
Hi all, has anyone had any success getting useful data from the databases of the application iShredder by ProtectStar?
2:49 AM
I've got a logical and F/S of a Huawei P Smart 2019 and would like to know if the application has been used to delete files
2:50 AM
I am looking at the com.google.android.gsm.measurement.prefs folder for the app but the dates converted within don't marry up
2:51 AM
For example last run time states 06.11.2019 but then app install is 17.11.2019?
Avatar
@Erumaro running Android 8.0 & Security patch June 1,2019
Avatar
@RBegs2637 Could definitely be worth a shot with the Android Exploit Dumper 201 if you have access to XRY! We’ve had great luck with it on Motorola devices, especially on Android 8 🙂
Avatar
Mr. Eddie Vedder from Accounting 8/19/2020 1:17 PM
So I've just discovered Mega on iOS stores caches in 2 separate locations. One, located in var\mobile\containers\shared\appgroup......, caches approximately the first 15 media files from the link the user clicked. So if the link contained 100's of images it will not cache them all unless the user scrolled through them. The second cache folder, located in \containers\data\application...., caches only the media files the user has actually clicked on. I had an expert for the defense giving the opinion "the user would likely not know what was located in these areas". So I fired up my old jailbroken iPhone, downgraded Mega to the same version the suspect was using and ran my own test.
Avatar
Hey, I have a case involving Discord on an Android. I have a full file system and can see messages in some of the files but neither @Cellebrite nor @Magnet Forensics are decoding them. Anyone know of any good tools?
Avatar
@busted4n6 do you have access to Hancom Red and Next. I know discord is supported via RED (unsure what versions)
Avatar
I do. Wonder if I can load a filesystem in without reimaging the phone
Avatar
Hello, I need to check if some USB keys had been connected to a mobile phone running Android 8.1.0. Do you know if there are any logs or files recording OTG connections?
Avatar
@busted4n6 have a version number for discord?
Avatar
@busted4n6 have a version number for discord?
@MF-cbryant v23.0
Avatar
rugby_tech_geek 8/20/2020 5:17 AM
Good afternoon, I have a picture named user followed by a range of numbers (eg user171091) followed by an underscore and some further characters. They have been recovered from secure vault, therefore I can’t link them to anything. Anyone familiar with this naming convention? Is it specific to a certain app?
Avatar
CLB-drorimon 8/20/2020 6:48 AM
Hey, I have a case involving Discord on an Android. I have a full file system and can see messages in some of the files but neither @Cellebrite nor @Magnet Forensics are decoding them. Anyone know of any good tools?
@busted4n6 did you try App Genie?
Avatar
Anyone encountered the local_location.db in an Android/Huawei extraction before? I have a table called 'bssid_fix_info' with a latitude and longitude row. The data is encoded, in a format I can't convert or 'read'. This is one of the values: fd2a72c5ec3b445ead09e4fced368161f66c5afcbc19293ed720888eb7e15b75 ; any suggestions? (edited)
Avatar
@busted4n6 did you try App Genie?
@CLB-drorimon does App Genie do text files or only SQLite?
Avatar
CLB-drorimon 8/20/2020 7:55 AM
@busted4n6 App Genie does SQLite, XML, plist, etc. But not raw text files.
Avatar
Anyone know why I can't access a network drive in Axiom. I'm trying to load an image into a new case and I cannot see the network drive where the image is located. I can see/access this drive with all other applications. I can also load Axiom case files from this drive but I cannot create new cases to this drive. I always have to make them on a local hard drive then transfer them to our storage server. Any help would be greatly appreciated.
Avatar
How old is the system? Win 10?
11:17 AM
Saying that, because there's a thing in Win 10 that a registry fix was needed to enable the ability to see network drives in applications.
11:18 AM
This page includes full solutions for mapped network drive not showing up in file explorer/my computer/application, mapped drive not showing all files and folders, and other commonly seen drive mapping problems in Windows 10, 8 and 7. Hope at least one troubleshooting method w...
11:19 AM
Solution 1 is what fixed our issue
Avatar
binarycanary 8/20/2020 11:33 AM
can anyone point me in the right direction as far as Cash App parsing. Phone has a whole bunch of transactions and what not, but nothing parsed by Cellebrite (PA 7.34.0.38)
Avatar
@Rob That did the trick! Thank you!
Avatar
Just a quick question (I promise I am searching also). Hoping someone will have the answer / link to the answer at their fingertips. Logging of SIM card removal in Android 10. I am researching as I type.
Avatar
I have been testing iOS devices (currently 21 separate dumps) recently to get my head round currentpower logs, KnowledgeC, etc. and have come to the conclusion that if the evidence depends on when a torch was turned on or off or maybe when music is turned up or down, then be very careful trusting the dates and times in the different areas. I am seeing some wild results from testing but also noticing forensic software not carving it correctly either which has led me to question where the dates and times have come from which they have generated. Tickets raised! For all my testing I used a radio synced clock and several different iPhone models and iOS versions just to see the variety of data. Has anyone else seen a similar issue? (edited)
Avatar
@Zhaan Ha ha, yeah, funnily enough I dumped my own iPad Air 2 A1566 yesterday to test checkm8 as I had updated it to iOS 13.6.1. checkm8 worked fine and I had a quick look at the timeline of the extracted data. Now bearing in mind my iPad had been sitting in my bag untouched for several days, there were reported details of "activity" that surprised me as I hadn't touched the thing. Some data did correspond to my iPhone X which is on the same account though !!! I haven't delved any further into it, but it did stand out as unusual events on my iPad tied in with things I know happened on my iPhone over the last few days. Oh the joy of synced devices ..............
Avatar
@Stevie_C Now this is the problem and I am taking it further, because on some GK extractions it couldn't be more accurate, but then on other extractions it's claiming I used the torch when I didn't, claiming I pressed a button when I didn't. I have noticed that there is a time drift on some activities and they are nearly always a set time like 7 seconds, BUT when the prosecution are waiting for my SFR and the last paragraph is going to be along the lines of 'but in testing I found this was not always the case and sometimes the recording of activities could be false', I'll end up working on Skomer Island if I carry on like that!
Avatar
@blake-ee Foreground apps are applications that the user must open in order for them to run, such as YouTube, Instagram etc. Background apps are applications that can run in the background without the application being opened by the user, such as Google Play services, Samsung Push Services etc.
@CLB - DavidK @Cellebrite Hi. Do these background apps still require the act of purchase/download by the user? They can’t be purchased/downloaded automatically can they?
(edited)
Avatar
So what are your experiences getting Cellebrite's .dar files to play ball in iLEAPP? Using the "dar" command to extract the archive (in Linux) I keep getting a lot of errors regarding Extended Attributes (EA). But on the other hand, trying to dump the data from within Cellebrite Reader/PA I see a lot of file-renaming going on? (Which makes me sceptical) I've seen your blog about extracting the dar archive @Brigs, but a simple "dar -x" does not seem to be sufficient for me?
Avatar
CLB-drorimon 8/25/2020 1:34 AM
@CLB - DavidK @Cellebrite Hi. Do these background apps still require the act of purchase/download by the user? They can’t be purchased/downloaded automatically can they?
@pinball Widgets etc. can be background apps, so some of the background apps require the user to actively download them, usually as a bundle with the main 'foreground' app.
Avatar
@jallis The dar extraction from Cellebrite has two plists that contain attribute metadata in addition to the dar file itself. To get the proper dates on all the files one has to combine these files together. At the time I wrote my blog post the artifacts included in iLEAPP did not have a need to look at the date metadata of the files being processed, hence it was not an issue. But yes, you are right. There is no clean way of decompressing dar since Cellebrite has their own implementation of it. Heck, for a while the implementation had erroneously changed one date for another. See here for details: https://abrignoni.blogspot.com/2020/03/trust-but-verify-formats-timestamps-and.html?m=1 Long story short, the best way to look at a Cellebrite dar in another tool is to take PA and export all as a zip file. It is my understanding that they are moving away from dar to another format. (edited)
One of the most important aspects of digital forensics is the need to validate tool output. Sadly it is also one of the most overlooked by p...
Avatar
@pinball Widgets etc. can be background apps, so some of the background apps require the user to actively download them, usually as a bundle with the main 'foreground' app.
@CLB-drorimon thanks. I’ve got a couple of mainstream apps that you would imagine to be in the foreground, but they are background. I think they may well be Google Play apps in the cloud or possibly deleted. Thanks.
Avatar
@Cellebrite Had a wi-fi question/issue. Did a data extraction on my work phone for testing and for some reason PA (or the data enrichment option) is showing a bad GPS for my home wi-fi. See attached image
Avatar
Morning all! Anyone had any luck decoding wickr 5.60.3 database at all?
Avatar
@tnw001 I think decrypting Wickr might be very difficult without the password... Bruteforcing scrypt is so tough. I don't know any commercial tools which support Wickr
1:58 AM
though
Avatar
@Cellebrite Hi, I have a physical extraction of an Honor phone (OS 7); PA doesn't decode the Signal app (version 4.69.6). Am I missing something? The messages are on the phone.
Avatar
CLB-drorimon 8/27/2020 4:14 AM
@Dam To date latest supported Signal version in PA is 4.66.8, so probably something changed.
Avatar
@CLB-drorimon thanks I didn’t check the supported version.
Avatar
Afternoon all, in my previous job I had begun/was maintaining my own known/ignorable files hash list but did not bring this with me to my new job. Before I start to build another up I was wondering if there was one available online that I can build from, or am I best just starting from scratch? Cheers.
Avatar
forensicmike @Magnet 8/27/2020 7:29 AM
@tnw001 what platform?
Avatar
@tnw001 Wickr switched from sqlcipher3 to sqlcipher4 for Android on that version, that's probably why none of the tools work anymore. I hope it's fixed in upcoming releases of the forensic tools 🙂 I haven't noticed any big difference between 5.60.3 and older releases for iOS and Windows, only Android strangely (edited)
Avatar
forensicmike @Magnet 8/27/2020 8:08 AM
iOS Wickr doesn't use sqlcipher at all, I believe due to Apple being stupidly restrictive (shocked emoji) on allowing background handles to the WAL file, so that's why no change there. But Windows does
8:10 AM
Apple requires the header of the WAL file to be unencrypted, which isn't standard behavior of sqlcipher. There are developer-specific workarounds for this in the wild, but it's one of the reasons you don't see nearly as much sqlcipher use on iOS when compared to Android
8:13 AM
There was a discovery by the Signal developers that when using YapDatabase+SQLCipher inside shared app containers the database header needs to remain unencrypted, or iOS will kill the app/extension...
Avatar
Question regarding Signal messages: Is it possible to decrypt them from an iTunes encrypted backup (I have the pw)? Are there any other ways of getting the Signal messages if not from the backup? Can we get them from the phone itself? Or can I possibly restore the backup to a dummy phone and access them that way? @Cellebrite
@yaniv.schiff Any luck with the Signal Messages?
Avatar
@forensicmike @Magnet Does AXIOM support Wickr? As far as I know, Wickr encrypts the DB (Android), message records (iOS), and media files (both).
Avatar
forensicmike @Magnet 8/27/2020 6:16 PM
Indeed it does! In fact, we're to the point where most of the forensic tools out there do.
Avatar
OK. Thanks for the reply. I guess
Avatar
@Bighead Axiom has support for Signal messages if you have a full filesystem extraction with the keychain https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey
Avatar
@Magnet Forensics Hi, someone from magnet can DM me regarding Signal decryption from an android phone? thanks (edited)
Avatar
Hi, is there anyone who could explain the "Aggregated Application Usage" in PA?
Avatar
@CLB-drorimon Do you maybe have a beta version that supports Signal 4.69.6?
Avatar
Looking at the "Media Playing" category in iLEAPP (data extracted from knowledgeC.db) I notice an entry with no Bundle ID recorded. What puzzles me is that there are no other artifacts indicating any activity on the phone in this time period (the screen is locked). Any help tracking down what caused this entry to be created is highly appreciated! See attached screenshot. /cc @Brigs
Avatar
forensicmike @Magnet 8/28/2020 4:12 AM
@Dam DM'ing
Avatar
@jallis The Zobject table ID can help you with locating the row of data in question. The first step would be to verify it. After verification then one would have to spend some time generating theories on why the data was recorded as it is. Here is an example of the sometimes non-intuitive way KnowledgeC records data courtesy of @forensicmike @Magnet : https://www.forensicmike1.com/2019/10/07/knowledgec-now-playing-entries/
I know it’s been ages since I’ve posted! I have been settling in with Magnet Forensics and have to say – it’s been an incredible experience so far. I continue to be amazed and inspired by the dedication and skill of the folks who work tirelessly to make Magnet AXIOM and countl...
Avatar
forensicmike @Magnet 8/28/2020 4:17 AM
🕺
Avatar
@Brigs (and @forensicmike @Magnet ) Thanks. Somehow I get the feeling that this is yet another rabbit hole 🙂
Avatar
forensicmike @Magnet 8/28/2020 4:43 AM
Haha isn't it always!!
Avatar
But the fact that my little friend has no Bundle ID, is that considered "normal" for some entries in knowledgeC?
Avatar
forensicmike @Magnet 8/28/2020 4:51 AM
I don't know that I've seen that. This is an excellent example of where being able to run the same query on a number of device extractions at once to see if this condition exists in the wild frequently would be super handy. Let me send you a DM real quick.
Avatar
@Cellebrite Can detectives who don't have any licenses create a cellebrite account to download UFED Reader, get an activation code, and take the UFED Reader class?
Avatar
Forensic@tor 8/28/2020 5:54 AM
@LawDawg it is a free class
Avatar
anyone do any research on Samsung Rubin? Not a ton of documentation online about it.
Avatar
chrisforensic 8/29/2020 6:18 AM
@Cellebrite Do you think it's possible to fix the huaweibackup import/decode in the next release of PA? (edited)
Avatar
@fraser What is Samsung Rubin sir?
12:57 PM
@chrisforensic At the moment I am mostly solving it by downgrading the backup app on the phone, but (I may be wrong) it looks like with the current P.A. version some regression occurred, because I am having again the problem of WhatsApp voice notes not correctly linked with the chat they belong to
Avatar
@FabianoQ i haven't been able to come up with too many answers about Rubin. I have a device with saved locations for a user with places like 'home', 'work', and other frequent locations. I was wondering if it's like Apple's Frequent Location data. Analyzing my own Samsung device, I have the app installed, but haven't been able to get data populated into the app yet.
Avatar
@fraser mmhh, it seems much like Microsoft telemetry on Windows... https://galaxystore.samsung.com/prepost/000003332727?appId=com.samsung.android.rubin.app (edited)
What is Customization Service? Samsung devices and services (collectively “Services”) are design...
2:22 PM
Maybe to see it's data populated you need to "enable the Customization Service option" (whatever it means ...)
Avatar
Thanks. I had set some of the places in settings on my phone, but it didn't populate any data within the Rubin files. I hadn't turned on customization though. I'll try that next as I currently have it off.
Avatar
@LawDawg
@Cellebrite Can detectives who don't have any licenses create a cellebrite account to download UFED Reader, get an activation code, and take the UFED Reader class?
I have told detectives (who don't have a license) to go register the Reader so they can get the map functionality when looking at location data in our extractions. Not sure about the Reader class though.
Avatar
I extracted an Apple iPhone 8 (A1905) using UFED 4PC checkm8 and am looking at device locations in UFED PA. There are 3 separate locations logged at the same time but quite far apart from each other. Carved results with a confidence value of 20. How can I interpret this? Appreciate any help and guidance
Avatar
turbospeed440 8/31/2020 5:22 AM
Does anyone know where in Snapchat is the password for "my eyes only" is kept
Avatar
@turbospeed440 If you haven't already, try the person's phone PIN first.
5:55 AM
From experience, I've never seen someone not use their main PIN for it (edited)
Avatar
Amanda Rankhorn 8/31/2020 3:31 PM
@danielj91 not sure exactly what file(s) you're looking at - so this may not apply - but we had a recent case involving multiple photos taken by an iPhone that had been taken within maybe 10 minutes of each other, but the locations were different in a way that no one could travel in that time. We got Apple reps on the phone who discussed how, if GPS is not available (which was the case - the photos were taken inside), the iPhone can go off its location as it has determined by proximity to wireless networks. The iPhone also can go off its last known location. Basically, when the iPhone is out of contact with GPS and wireless networks, it makes its "best guess." Your role lists LEO in Sweden, so I would think you would be able to contact Apple as my former agency had, if you need it straight from the horse's mouth. On the other hand, we carved locations from a different phone and the locations originated from a RetailMeNot file that lists known GPS coordinates for stores to provide you coupons when you get near them - so in that case it was irrelevant to the case. Hope that helps.
Avatar
ScottKjr3347 8/31/2020 11:06 PM
I extracted an Apple iPhone 8 (A1905) using UFED 4PC checkm8 and am looking at device locations in UFED PA. There are 3 separate locations logged at the same time but quite far apart from each other. Carved results with a confidence value of 20. How can I interpret this? Appreciate any help and guidance
@danielj91 https://www.doubleblak.com/m/blogPosts.php?id=14
Avatar
@Amanda Rankhorn thank you for your reply. In my case the location information originated from a database called "PPSQLDatabase.db". The filepath suggests it is related to something called "PersonalizationPortrait". Looking at the database in SQLite DB Browser I see the mapping between GPS coordinates and locations, but I still have no clear answer regarding the timestamps. @ScottKjr3347 thank you for the link, I will check it out
Avatar
CLB - DavidK 9/1/2020 4:43 AM
Hi, anyone who could explain the "Aggregated Application Usage" in PA?
@EFU003 it is a usage list of application and it displays the usage of an application in one hour.
4:49 AM
@Cellebrite Do you think it's possible to fix the huaweibackup-import/decode on next release PA ?
@chrisforensic Will Be fixed in the 7.37, if you need a beta version please DM me
👍 1
Avatar
@Cellebrite Bit of a funky question. Is there a way in PA to have a gallery view of attachments? To summarise, I currently have an image extracted from a FFS and am trying to locate the original chat to work out if that image was sent/received.
7:01 AM
They're in the tmp folder which relates to Kik so nothing obvious straight off
Avatar
heatherDFIR 9/1/2020 7:10 AM
@Cellebrite Bit of a funky question. Is there a way in PA to have a gallery view of attachments? To summarise, I currently have an image extracted from a FFS and am trying to locate the original chat to work out if that image was sent/received.
@Rob are they graphics? What if you go to Kik and then use the filter of "Attachment" only
7:10 AM
@Rob if that doesn't make sense let me know.
Avatar
if that doesn't make sense let me know.
@heatherDFIR I've used the filter and I'm in the midst of scrolling down through 100 odd different chats looking in the conversation panel to find the Image to work out who sent it.
(edited)
7:28 AM
In an ideal situation, if there was a way to have a gallery view I could identify the image quicker and then jump to the associated chat.
7:29 AM
There's probably an easier way that I'm not seeing due to lack of coffee
Avatar
heatherDFIR 9/1/2020 7:41 AM
Have you put a ticket in with support yet? This may be a feature request. Send me a screenshot so I can try to replicate it. heather@cellebrite.com
Avatar
ScottKjr3347 9/1/2020 7:47 AM
They're in the tmp folder which relates to Kik so nothing obvious straight off
@Rob have you thought about using the HASH to filter on the image you want to find?
Avatar
That'd work. Heh. Simple things.
7:50 AM
Probably a sign I've stared at a screen too long.
7:52 AM
I'll submit a ticket in the morning anyhow with the feature request
Avatar
Joe Schmoe 9/1/2020 7:55 AM
What’s the best way to tell what date an iPhone went into use?
Avatar
First known app install date? / usage log 1st entry
7:56 AM
Something along those lines would be my guess.
Avatar
Joe Schmoe 9/1/2020 8:00 AM
Thank you. Most of the apps appear to have been installed around the same time. I’m trying to confirm my suspicion. It looks like they upgraded from another iPhone so it muddies the waters.
8:03 AM
Manifest.plist has a creation date around the same time.
Avatar
ScottKjr3347 9/1/2020 8:07 AM
That'd work. Heh. Simple things.
@Rob like @heatherDFIR stated you are able to filter down to all attachments within the Analyzed Data - Media - Images thumbnail view. There is a dropdown "filter" for attachments. Use this filter to view all photos/images that were attachments. See attached screenshots
👍 1
8:07 AM
Avatar
Amanda Rankhorn 9/1/2020 10:35 AM
@danielj91 You may have already seen this: https://www.mac4n6.com/blog/tag/patternoflife - if not, it speaks to that particular file. The author references their plan to do a presentation at the DFIR Summit in July. I missed the summit but have seen where recordings are available in my SANS account, but that might have been because I signed up ahead of time.
Avatar
anyone successful at extraction of moto g7?
@iluv4n6#2464 only file system and advanced logical...don't think there is a firehose for EDL and can't get into EDL mode. Also, may have FBE, so no physical supported right now. Anyone else have different?
Avatar
JLongTackle 9/3/2020 2:46 AM
Anyone had any luck with Facebook Messenger calls, they're present on the handset but not decoded on PA, I got a checkm8 extraction, I'm using UFED PA 7.36.0.42
Avatar
theAtropos4n6 9/3/2020 2:51 AM
@JLongTackle Are the rest of the Messenger messages retrieved from PA? If PA got the messages it should have gotten calls as well. Check under the Calls section not the Chats section in PA. Or give another tool a try (Axiom, Oxygen, aLEAPP) (edited)
Avatar
iirc I've seen blank messages in Facebook chats within PA which correlated to Facebook Messenger calls
Avatar
Hi everyone, I have a FFS from a Huawei MRD-LX1 running Android 9. I found a database at /data/system/local_location.db. In this db I'm seeing a table called 'bssid_fix_info'. This table has multiple rows, whose longitude and latitude are of interest. The values of these rows are 'hashed in some way'. I'm trying to figure out in what way, but can't figure it out. I hope someone can help me out. The latitude = fd2a72c5ec3b445ead09e4fced368161f66c5afcbc19293ed720888eb7e15b75. (I can only share longitude with LE in the Netherlands because of an on-going case)
Avatar
heatherDFIR 9/3/2020 7:24 AM
@JLongTackle Are the rest of the Messenger messages retrieved from PA? If PA got the messages it should have gotten calls as well. Check under the Calls section not the Chats section in PA. Or give another tool a try (Axiom, Oxygen, aLEAPP)
@theAtropos4n6 It should be under calls. If not, send me a screenshot or email to heather@cellebrite.com and I can help.
💯 1
Avatar
Anyone know why I am getting this error. Trying to run iLEAPP and getting Errno 13. Maybe my script has an error?
Avatar
Andrew Rathbun 9/3/2020 11:28 AM
@Brigs
Avatar
@Ghosted What version of ileapp is this? Seems to be extremely old. Download the latest version and try again.
Avatar
Ok will do I downloaded it in March
👍 1
Avatar
@Brigs @Andrew Rathbun updating did the trick thank you.
💯 1
nateCheers 1
Avatar
iOS 13 Database: knowledgeC.db Table: ZOBJECT Column: ZSTREAMNAME In the column zstreamname='/event/tombstone/' occurs regularly. It seems to be indicating earlier usage of deleted applications? Does anyone have a clarification around the criteria for the creation of these events?
Avatar
@Ghosted What version of ileapp is this? Seems to be extremely old. Download the latest version and try again.
@Brigs Being able to call a March release extremely old is the sign of a good open source project 😄
🤣 1
Avatar
@daw005 Have you checked @Sarah Edwards (SANS/BlackBag) research? It is awesome. I'd start there.
Avatar
@OllieD I am blessed to have great collaborators and community support. ❤️
💯 8
Avatar
Obi-Wan-IP 9/4/2020 7:13 AM
Hi All, I have a GK dump of an iPhone XS on 13.3, got some IIOC in twitter cache. Anyone done any work on the application files, db's etc to attribute the images? Ta.
Avatar
Hello All! Some of you may be familiar with our work in the Turkish Balyoz (Sledgehammer) and Ergenekon cases, in which we found evidence tampering involving an interesting (that's putting it mildly) combination of local and remote attacks. We are working on another high-profile case in which we have found even more fascinating evidence tampering. Now to the mobile question - we found that the attackers scrubbed an important dropper from the expected location on a compromised Windows system, but it seems to be intact within an iTunes backup on that same system. Specifically, within the folder "/Users/(User Name)/AppData/Roaming/Apple Computer/MobileSync/Backup/(Backup Identifier)/Manifest.mbdb»private»var»mobile»Containers»Data»Applications»ph.telegra.Telegraph»Documents»Inbox»(Filename)". The content of all the files here appears to be encrypted. Is there a way for us to decrypt these files if we have all the user's passwords?
Avatar
ScottKjr3347 9/4/2020 9:46 AM
Hi All, I have a GK dump of an iPhone XS on 13.3, got some IIOC in twitter cache. Anyone done any work on the application files, db's etc to attribute the images? Ta.
@Obi-Wan-IP You were not very specific so I' m not sure if you are looking for posted items from the device or saved items to the device but take a read through this. I did not test twitter specifically but might give you a place to start. DM if you have any questions. https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
First, I would like to thank Heather Mahalik for her help with this process and for allowing me to post something on her blog. It’s an honor! Additionally, thanks to Jared Barnhart for his assistan…
👍 1
Avatar
Hi all, got an ebook app on Android com.ebooks.ebookreader has an encrypted database 😭 I have virtualised and can see that when I copy over my data the app is accessing the .db but cannot seem to find a decryption key from anywhere. Anyone come across this app before or had a similar issue?
Avatar
Sarei_the_Original 9/6/2020 4:40 PM
Hey Everyone, I get a frequent question from investigators about whether a video located within a given phone was taken by that phone. In this example, a Huawei, there is no metadata beyond capture times and Android version that I can see. It is located in the default /internal storage/dcim/camera location, which I think is a good indicator. However, if the filename timestamp, internal metadata timestamp and filesystem creation date are all consistent, is this further supporting evidence that the phone was used to capture the video? Or are there too many scenarios where these would match for it to have any weight?
Avatar
Would fitbit forensics be involved here or in #iot-forensics ?
Avatar
Andrew Rathbun 9/6/2020 5:33 PM
Would fitbit forensics be involved here or in #iot-forensics ?
@kairos might as well do IOT
Avatar
Thanks. I'll keep relevant questions there from now on.
Avatar
Hey Everyone, I get a frequent question from investigators about whether a video located within a given phone was taken by that phone. In this example, a Huawei, there is no metadata beyond capture times and Android version that I can see. It is located in the default /internal storage/dcim/camera location, which I think is a good indicator. However, if the filename timestamp, internal metadata timestamp and filesystem creation date are all consistent, is this further supporting evidence that the phone was used to capture the video? Or are there too many scenarios where these would match for it to have any weight?
@Sarei_the_Original Too many scenarios in my opinion I'm afraid. 3rd party apps can write to DCIM folders and I've seen examples where they write to camera. Timestamps of received media from messaging apps may reflect file transmission or file delivery etc
12:29 AM
If you have other Exif like camera model etc that can of course help to corroborate
12:29 AM
I'd look for external.db or external_<someidentifier>.db
Avatar
chrisforensic 9/7/2020 1:24 AM
hello mates ! Does someone have experience in decoding geolocations from the Android app "Sygic" ? https://play.google.com/store/apps/details?id=com.sygic.aura&hl=en It's like other navigation apps... stores routes as kml-files in folder "travelbook" BUT without timestamps? No problem to view the route, but without time 😦 (edited)
1:25 AM
1:28 AM
in the same folder "travelbook" are log-files for every .kml with the same name as the kml-file... but they seem to be encrypted ? (edited)
1:28 AM
Avatar
@Cellebrite is the app "MeWe" supported by PA?
1:34 AM
Used 7.28.2 to deal with a case back in Feb but wondering if the latest supports it
Avatar
Hey Everyone, I get a frequent question from investigators about whether a video located within a given phone was taken by that phone. In this example, a Huawei, there is no metadata beyond capture times and Android version that I can see. It is located in the default /internal storage/dcim/camera location, which I think is a good indicator. However, if the filename timestamp, internal metadata timestamp and filesystem creation date are all consistent, is this further supporting evidence that the phone was used to capture the video? Or are there too many scenarios where these would match for it to have any weight?
@Sarei_the_Original That's a question I get very often as well. Does anyone have a best workaround ?
Avatar
CLB - DavidK 9/7/2020 2:12 AM
@Rob Unfortunately no. You can see the supported apps under the Help tab
2:14 AM
You can try and run the AppGenie tool on that app, maybe it will bring up some interesting results.
Avatar
Thanks!
Avatar
Hi All, does anyone know where the app GUIDs are stored on iPhones so we can link an app to a GUID. Thanks
5:04 AM
GUID is shown as application ID in UFED PA
5:09 AM
Never mind, found it!
Avatar
care to share next time someone searches here for the answer @Aneesh96? this is like one of those forum threads where the OP disappears into the ether 😂
👍 1
Avatar
Hahaha yes, should've done that really. It's in a DB called applicationState.db
😀 1
Avatar
CLB-drorimon 9/7/2020 6:18 AM
@tnw001 , @chrisforensic , @Rob , For (encrypted) Android apps, you should give a shot to the Virtual Analyzer. It has the potential to provide access to the (encrypted) data.
Avatar
Hi all, got an ebook app on Android com.ebooks.ebookreader has an encrypted database 😭 I have virtualised and can see that when I copy over my data the app is accessing the .db but cannot seem to find a decryption key from anywhere. Anyone come across this app before or had a similar issue?
@tnw001 For anyone following this, solution found with a bit of dynamic analysis 👍 hard-coded but obfuscated sqlcipher key. DM me if interested or want to give it a go yourself
Avatar
Silly question. I have Samsung i5510 - Android 2.2. I have physical and password.key, but no locksettings.db (edited)
Avatar
Where are you looking?
7:51 AM
Just in /system?
7:51 AM
Or have you checked /data/com.android.providers.settings/databases/locksettings.db @Arcain
👍 1
Avatar
there is settings.db in that location, but salt is also in that database
👍 1
Avatar
Is that all you were missing?
Avatar
Yes, cracked the passcode 🙂
💯 1
Avatar
Nice one! It's a file path we used to reference in older copies of our training materials (still included in the course book, just not the slides), but it's listed on the awesome FOR585 posters from SANS
Avatar
Haven't seen Android 2.2 based phone for quite a while so forgot about this. (edited)
Avatar
I only remembered it because I've been updating a few chapters of our books so saw it quite recently!
Avatar
Lucky me then. Thanks for helping out.
👍 2
Avatar
Any time
Avatar
Sarei_the_Original 9/7/2020 4:29 PM
@Sarei_the_Original Too many scenarios in my opinion I'm afraid. 3rd party apps can write to DCIM folders and I've seen examples where they write to camera. Timestamps of received media from messaging apps may reflect file transmission or file delivery etc
@OllieD Thanks mate. I'm pretty confident the file was recorded, but there's no way I can entirely rule out 3rd party transfer. All I can say is that the file location, timestamps, naming convention and metadata are consistent with video taken by the device I guess, but not proven.
Avatar
@Sarei_the_Original Is there a picture in DCIM you can determine was made by the suspect/owner of the device (vlog)? You can compare the metadata of the pic of interest and this one?
Avatar
equalexpert 9/8/2020 3:11 AM
Anyone know the best way to get the samsung secure folder contents out in a non-encrypted format? I have an S8 with all the juicy stuff hidden away. (edited)
Avatar
@equalexpert I had successfully read the secure folder of Samsung using @Hancom
👍 3
💯 1
Avatar
equalexpert 9/8/2020 7:39 AM
@equalexpert I had successfully read the secure folder of Samsung using @Hancom
@Dam I've heard of it. I'll have a look, thanks
Avatar
Blue Lights Digital can hook you up with a demo @equalexpert, they're a UK reseller (edited)
Avatar
qqqqqqqqqq 9/8/2020 7:49 AM
'afternoon all! Would anyone be able to help me decode this timestamp : 595555648 ? I'm expecting the value to be around late 2019 although I can't seem to ID it properly. The value was found in a bplist holding timestamps for comments in Apple Photos.
Avatar
Original date format 595555648 11/16/2019 12:07:28 AM NSDate
7:49 AM
@qqqqqqqqqq it could be that
Avatar
qqqqqqqqqq 9/8/2020 7:50 AM
that looks like it, thanks a lot! how’d you convert it?
Avatar
datedecoder from sanderson
😋 1
👍 1
Avatar
qqqqqqqqqq 9/8/2020 7:50 AM
thank you!
Avatar
great soft for timestamp
Avatar
qqqqqqqqqq 9/8/2020 7:51 AM
will definitely take note of that!
Avatar
Andrew Rathbun 9/8/2020 7:59 AM
CyberChef is another option for timestamp conversion. Worth bookmarking on your forensic computer
💯 3
❤️ 2
Avatar
I love CyberChef hence the 💯 but I'm not sure it supports decoding NSDate/Mac Absolute Time
8:51 AM
Not without adding the difference in seconds between the Unix and Mac Absolute epochs
Avatar
DeepDiveForensics 9/8/2020 9:04 AM
I have extracted a samsung SM B313E from UFED 4PC. I got a 16MB NOR file but unable to get single file by UFED PA. I tried with XRY and Oxygen but no result. Any idea what to do @Cellebrite @MSAB @Oxygen Forensics
Avatar
Hi @DeepDiveForensics You should try using Spreadtrum 6531 Generic or Spreadtrum USB generic for this device in XRY. Let me know how it goes.
Avatar
DeepDiveForensics 9/8/2020 9:38 AM
@MSAB_Ash sure I'll try
Avatar
@Sarei_the_Original That's a question I get very often as well. Does anyone have a best workaround ?
@florus Have you considered this: Camera identification based on Photo Response Non Uniformity (PRNU) in forensic science. The average PRNU pattern of a camera is determined and compared and can be stored on disk. A camera can be retrieved based on the pattern in the image or video. https://forensicnerd.wordpress.com/techniques/image-forensics/prnu-analysis/
What is PRNU? Photo Response Non Uniformity (PRNU) analysis is used in image forensics to determine whether multiple digital images were made by the same digital camera. The word digital is importa…
Avatar
@equalexpert is your S8 a Qualcomm processor ? You can try Qcomm Live and pull a physical, and I believe it's non-encrypted.
Avatar
Sarei_the_Original 9/8/2020 3:39 PM
@florus > @Sarei_the_Original Is there a picture in DCIM you can determine was made by the suspect/owner of the device (vlog)? You can compare the metadata of the pic of interest and this one? @florus the metadata in the video is pretty limited, whereas the photo metadata is quite descriptive
Avatar
SomeCallMeTim 9/8/2020 3:44 PM
Need help on a SQL database. I'm working in DB Browser for SQLite and I have column titled "start-uptime" that only has six digits (639654). This column is preceded by "Start_WallTime" and a simple conversion was applied (Datetime (start_walltime, 'unixepoch')). Can someone help with what conversion I should use for the uptime?
Avatar
@equalexpert Cellebrite Premium can also get it, I believe.
Avatar
@SomeCallMeTim maybe start-uptime is ms from start_walltime? Try adding it together and see if it makes sense?
Avatar
@MSAB I have some XRY files of memory cards that have been sent to me for some work; they are coming up as read only and password protected. When I enter the password and open them in Elements to attempt to export the binary so I can pass it through other software, I don't seem to get the full hex. The DISK icon in the top left is showing no data. I can see the files when I look at the volume and it gives me the option to export all the files. How can I get the binary out so I can get it into X-Ways?
Avatar
@Majeeko Where are you opening them from? If they are opening as read only it may mean that they are opened from a network location, which will open it in read only, although that should not cause it to not show any hex.
2:18 AM
Could you try copying it to another location and see if that makes a difference?
Avatar
@Erumaro I'll check that, thanks.
Avatar
Hello, is there a way to extract certificates or to check the certificate type of installed applications in a UFED dump within UFED PA? (I have a Full File System extraction of an iPad Pro) The idea is to check if an application has been installed using a Developer or Enterprise signed certificate. Thanks 🙂
Avatar
Oxygen Forensics 9/9/2020 3:47 AM
I have extracted a samsung SM B313E from UFED 4PC. I got a 16MB NOR file but unable to get single file by UFED PA. I tried with XRY and Oxygen but no result. Any idea what to do @Cellebrite @MSAB @Oxygen Forensics
@DeepDiveForensics It seems that this is a plain Samsung model that is not based on any supported chipset. Then unfortunately we have no solution.
Avatar
@DeepDiveForensics have you processed the dump in X-Ways or FTK? ( any tool that allows for file carving would be fine ). In cases where I work with unknown binaries ( dumps or whatever ) I always start with running binwalk and/or strings on the dump. I also have a light ruleset for Scalpel that I also run on the dump.
Avatar
@DeepDiveForensics I had a deeper look in our systems and the device seems to be very similar to the B310e, which we can both dump and decode; this device has 16 MB of memory. The 313E is also a device we have here, but our model is 32 MB, dumps fine but does not decode in the same way as other similar devices. It should be running a Spreadtrum 6530 as far as I can tell at least, if that is of any help
Avatar
DeepDiveForensics 9/9/2020 4:58 AM
@Oxygen Forensics thanks
4:58 AM
@.karate. Sure I'll try
Avatar
chrisforensic 9/9/2020 7:55 AM
hello @Control-F ... I'm asking for a colleague... he has a Huawei with PrivateSpace activated.... I never had one.... I remember a webinar about this theme from you.. is it possible to share information about Huawei PrivateSpace with me/us ?? would be very nice... thanks !!!! (edited)
Avatar
I'll ping you a message about it @chrisforensic
💯 1
Avatar
chrisforensic 9/9/2020 7:59 AM
great @OllieD 👍
Avatar
Please, can anyone from @Cellebrite tell when the ability to recover deleted WhatsApp messages from the ChatSearchV5 db (iOS) will be restored in P.A. ??
Avatar
Not sure if this channel or the other mobile one is better to ask in: If I grab an encrypted iTunes backup of an iPhone from a computer will this include all of the messages and photos on the phone at time of backup even though Messages in iCloud and iCloud Photos is enabled?
Avatar
Deleted User 9/9/2020 10:54 AM
@abefroman By default iTunes backups literally all data on the phone, according to Apple, including messages. Even if iCloud is enabled, a PC/Mac backup will still contain these messages and photos
Avatar
Ah interesting. I was reading this article on Apple Support: https://support.apple.com/en-us/HT204136 and it said: A computer backup of your device, which is not the same as a sync, includes almost all of your device's data and settings. A backup from a computer doesn't include: Data already stored in iCloud, like iCloud Photos, iMessages, and text (SMS) and multimedia (MMS) messages
You can copy and save the information on your iPhone, iPad, or iPod touch by backing it up. If you replace your device, you can use its backup to transfer your information to a new device.
10:56 AM
So I was skeptical about whether the iTunes backup would be all encompassing
Avatar
Deleted User 9/9/2020 10:57 AM
iTunes backups should still include messages, but I suppose things could have changed in the more recent iOS updates
Avatar
Yeah I should clarify this is a current iPhone running 13.7 so as recent as it gets
Avatar
Deleted User 9/9/2020 11:04 AM
So If I'm reading it properly, I believe the part you quoted there about data stored in the Cloud is that iTunes backups won't include any backlog data that's stored in the cloud but isn't currently on the phone.
11:04 AM
That's my belief anyways
Avatar
Ahhh that would make sense. I just parsed an iTunes backup I just made and all my messages were in there so sounds right @Deleted User Thanks for your help!
Avatar
Deleted User 9/9/2020 11:08 AM
Of course!
Avatar
Is someone from @Cellebrite available for a quick question re: parsing files related to iTunes backup?
Avatar
@abefroman 👋
Avatar
Can anyone provide a step by step guide on how to install iLEAPP, turn it into an .exe and launch it?
Avatar
theAtropos4n6 9/9/2020 10:06 PM
@wildcard_02066 it is pretty straightforward, as mentioned in the GitHub page of iLEAPP. Nonetheless, supposing you are running a Windows machine, you have to follow these steps:
0) Make sure you have Python installed (preferably version 3).
1.1) Make sure you have pip installed for Windows (when you install pip make sure it is added to the PATH, so as to run it from cmd - it's just a tickbox in the wizard).
1.2) Download pyinstaller for Windows. You will need that in order to create the executable.
2) (Optional) Download git for Windows; just like Step 1.1, make sure you add it to the PATH. There are other ways to download iLEAPP if you do not want git installed (download the zip file from GitHub).
3) (If you followed Step 2 do this step too - if not, extract the files into a directory and navigate to that directory using cmd) Open up a terminal (cmd.exe), navigate to the directory where you want to save iLEAPP and run the following command: git clone https://github.com/abrignoni/iLEAPP.git
4) Now you have iLEAPP on your computer. Let's make sure we have its requirements. Now using cmd run the following command: pip install -r requirements.txt (all the requirements of iLEAPP will be installed on your computer. They are probably not mandatory for building the executable, but I downloaded them just to be sure).
5) The last command you will have to run through the terminal is (if you want the CLI version execute command i, if you want the GUI version, execute command ii):
i) pyinstaller --onefile ileapp.spec
ii) pyinstaller --onefile --noconsole ileappGUI.spec
And voila! You have the super iLEAPP exe ready to go and do its magic! Hope this helps. (edited)
iOS Logs, Events, And Plist Parser. Contribute to abrignoni/iLEAPP development by creating an account on GitHub.
👍 4
Avatar
Does anyone know a working UFED PA profile for an emmc dump of a Huawei? got the extraction off Oxygen but I want to use it in PA
2:40 AM
The emmc is encrypted, I need a profile where I can decrypt it with a known passcode
Avatar
@B as far as i know, you can't. Oxygen decrypts it "on the fly" with their app during parsing, using the keys they extracted from the phone and that passcode. You should be able to save a filesystem to a tar or zip after opening the extraction in Oxygen and then parse this with UFED (edited)
Avatar
Interesting. Thanks Arcain for your quick reply
Andrew Rathbun pinned a message to this channel. 9/10/2020 3:19 AM
Avatar
Andrew Rathbun 9/10/2020 3:21 AM
@Brigs might want a guide like this in his GitHub page. This is very valuable to those, including myself, who have no clue what to do with Python due to lack of knowledge, exposure etc
💯 1
Avatar
@Arcain just got a workaround. Noticed that Oxy didn't decrypt the Signal data, so since we have the passcode I did a FFS with the UFED
Avatar
@B that works too if firmware version is supported by UFED. Currently, UFED doesn't support 9.1, 10 or 10.1 while Oxygen will still dump them
Avatar
yeah but no luck with decrypting Signal with UFED either
6:26 AM
something funky's up
Avatar
Looking for insight into analysis of a physical from a Galaxy Note 9 and the secure folder. I think secure folder was active, but empty. Can someone from @Cellebrite, or anyone else, confirm what I think I found for the secure folder entries?
Avatar
DM me
👍 1
Avatar
Quick question for @Cellebrite PA, it seems there is no progress bar while performing "Image Carver" in the newer versions?! Trace window only show when it started. After 2 days on a 15GB chip-off dump, can't create a report and nothing has changed. Is there a way to see progression?! Thanks in advance
Avatar
Hmm give me a few I’ll send you message
Avatar
Can anyone provide a step by step guide on how to install iLEAPP, turn it into an .exe and launch it?
@wldcat06 Also check out the releases section on the GitHub page. I already have Windows 10 executables available for download. See here: https://github.com/abrignoni/iLEAPP/releases
iOS Logs, Events, And Plist Parser. Contribute to abrignoni/iLEAPP development by creating an account on GitHub.
💯 2
👍 2
Avatar
Thanks everyone. Trying to learn. Although it seems straightforward to some, I'm trying to learn
Avatar
ScottKjr3347 9/10/2020 8:07 PM
Thanks everyone. Trying to learn. Although it seems straightforward to some, I'm trying to learn
@wldcat06 There was a session during the 2020 National Cyber Crime Conference Virtual Edition hosted on Whova, "Cellebrite: Mobile Triage Analysis, Because more devices aren't always better" by Ed Michael, which was a great step-by-step video on how to set up and use the cmd version of iLEAPP. I'm not sure who has the power to get the video released to the public, but if you registered for the conference you can still watch the video.
Avatar
^ Ed is a wealth of knowledge...
👍 1
Avatar
Morning all! Telegram channels question, am I right in thinking individual messages within a channel can’t be linked back to the sender? In this case there’s 2 admins and I can’t seem to find anything relating back to the sender. No software seems to decode it either so I’m starting to think it’s not possible but thought I would check with you guys first!
Avatar
Morning all! Telegram channels question, am I right in thinking individual messages within a channel can’t be linked back to the sender? In this case there’s 2 admins and I can’t seem to find anything relating back to the sender. No software seems to decode it either so I’m starting to think it’s not possible but thought I would check with you guys first!
@tnw001 is this on iOS or Android? It may be worth doing some testing to see if there is any differences in the known data
Avatar
theAtropos4n6 9/15/2020 1:49 AM
Hi everybody. Anyone from @Cellebrite for a quick question? I am using PA 7.36. In the "Application Usage" artifact, does "ActiveTime" refer to HH:MM:SS format? I suspect that, but just to be sure!
Avatar
Looking for a timestamp related to a person-search through Facebook app on iOS. The file in question is graph_search_entity_bootstrap.data. Cannot find any obvious timestamps, but a value cost : float = 0,48………………. Could this be an encoded timestamp?
Avatar
gadget.inspector 9/15/2020 2:15 AM
@tnw001 @jjh2320 On iOS there is a menu where you can choose to have any messages sent by admins signed so subscribers can see which admin sent the message. I did some research on Telegram a few years back and none of the software we use shows information like that regarding channels. Also you can't see if the user you are investigating is admin or mod in any channels. There's still a lot to be done for @Cellebrite and @Magnet Forensics
Avatar
@Cellebrite In my unit we have had more PA crashes since the last version (7.37.0.40). Are we alone in this situation? Since PA crashes regularly (and given the time needed before re-decoding), has a temporary save of PA's state before the crash already been mentioned (so as not to lose all your tags and start over from the beginning)?
Avatar
@gadget.inspector @jjh2320 thanks guys, this ones android unfortunately. Checking on the device itself I can see the admin accounts, hancom also points towards the expected admin accounts. Just no attribution to the individual posts.
Avatar
Hi everyone. Anyone have any experience with the packageactionhistory file within the com.verizon.mips.services folder? It appears to keep track of changes to applications such as when they were added, removed, or updated. I noticed that the Kik application was added then removed multiple times within the same day. Is the user just uninstalling and installing the app again, or is there another reason for this behavior? Thanks in advance.
Avatar
@rico you mind DMing me with some more details?
Avatar
@Cellebrite is there a way to export a bplist from within the database viewer in PA?
Avatar
Hi! I have a Samsung A105FN with pattern lock. Was able to perform a BFU extraction. Is it possible to obtain the pattern lock hash from the db in Android 9?
Avatar
@B Not sure, but take a look within the File System view. We extract embedded files, so they might already be there. Navigate to where the db file is; they would appear as child files of the db you are looking at
Avatar
@Lpx Even if you find it, you won't be able to do much with it
6:21 AM
It'll be gatekeeper based and hardware-backed, so no offline cracking capability
6:22 AM
For reference you're looking for gatekeeper.pattern.key as the file that contains the signature (haven't looked on the A10 specifically)
Avatar
@CLB-Paul Hi Paul, too bad it does not appear extracted. Instead of copying the bytes over to hxd and rename it to plist, I think a better option would be to have an export button
Avatar
@Cellebrite Any solution for a Redmi Note 6 Pro, PIN locked, Qualcomm SDM636?
Avatar
@B sent the request up the chain since I agree that it makes sense. https://github.com/threeplanetssoftware/sqlite_miner You can try to use this, free tool to rip stuff out of db's
Avatar
Thanks alot @CLB-Paul! Sqlite miner looks like a good alternative for now
1:42 PM
Contact them for info on it. It supports all kinds of nested and serialized data formats, stored within each other to arbitrary depths. NSKeyed binary plist which has been encoded as base64, stored within another plist and then stored within a DB? No problem, Ribbon will allow you to extract each stage and reparse each one correctly
1:42 PM
It's great for R&D and testing before automating the process yourself
Avatar
Hi folks, I’m having some trouble deciphering how Cellebrite has marked an entire category of iMessages as “deleted” from an iPhone 11 Pro Max extraction running iOS 13.6. I’m able to see the participants, time stamps, and message body for most. I’m looking at the underlying sms.db that it’s referencing but I don’t understand what column/table Cellebrite is referencing in order to mark them as “deleted”. I see nothing within the “deleted-messages” table and I can’t seem to find a “deleted” column within some of these tables. Any insight/guidance is much appreciated!
Avatar
@OllieD will test it out, thanks!
Avatar
ScottKjr3347 9/16/2020 9:02 PM
@vee review this thread for a conversation on Aug 18. The discussion is an example / explanation. Even though the conversation was about Android data. The methodology is similar with ios. You will have to investigate multiple aspects of the data. Most specifically is the data being parsed from multiple locations or databases. Just because a tool indicates a red x or its marked as deleted doesn't necessarily mean it's deleted. Validation is key. Also if you search this discord for "deleted sms" you should get results for some other conversations related to this topic.
Avatar
@vee these sites should help you out: http://forensicsfromthesausagefactory.blogspot.com/2011/04/carving-sqlite-databases-from.html https://sqliteforensictoolkit.com/recovering-deleted-records-from-an-sqlite-database/
Avatar
@ScottKjr3347 @B thank you!
Avatar
Hello everyone, I would like to convert a .xry file to .bin. I tried with XAMN but could not find any process for it. Do you have a solution please?
Avatar
@Toff_Ibou XAMN Elements is what you are looking for, if you have a Physical extraction you want to export the binary from. Please see the following guide which will help: https://www.msab.com/2019/12/02/how-to-export-binary-data/
12:43 AM
The interface has changed slightly, but the process should be roughly the same!
Avatar
OK @Erumaro I look that ! Thanks
Avatar
All right @Erumaro , the .bin file is OK. Have a good day !
Avatar
Perfect, happy to help! 🙂
Avatar
@Erumaro In the .bin file, the user data partition is encrypted. Do you have a process to find the right key among the different hex keys in the XRY logs please?
Avatar
@Toff_Ibou Did XRY decrypt the dump or not, where was this dump from? If you can DM me the log I'd be glad to have a look.
Avatar
Android 8.1 Oreo (Go edition) isn’t encrypted is it? I’ve got a binary but I’m struggling to get much from it- it has got very little WhatsApp so surely it’s not encrypted? Any help is much appreciated!
Avatar
@King Pepsi depends on the device. I have Nokia 1, Android Go 8 and it's encrypted
Avatar
Hi all, I have dumped the Android RAM and got the health key; now I would like to open the database. What is a good free program for it? DB Browser for SQLite won't work. Any ideas?
Avatar
@medapi😎 I have no idea, but I'm very curious if you pulled it off. I have this on my list to try as well. Let me know if it worked?
Avatar
DeepDiveForensics 9/17/2020 8:50 AM
How to extract a decrypted bin file from Oxygen Forensics? The scenario is: Oxygen extracted the binary along with the hwkey and it is readable by Oxygen only, but I want to parse that bin file with another tool and the user partition is encrypted. @Oxygen Forensics
Avatar
@medapi😎 You could use sqlcipher. I made a small write up on how-to decrypt Signal DB with sqlcipher on Linux ( or whatever os you prefer ). Check the commands and alter the params for your specific dB. https://github.com/Magpol/HowTo-decrypt-Signal.sqlite-for-IOS
10:41 AM
Btw. You can find lots of juicy stuff in the ram-dump. Like deleted Signal artifacts, Wickr dB-key etc etc
Avatar
Forensic@tor 9/17/2020 11:39 AM
WARNING - I am using Physical Analyzer 7.36 for a CSAM case. I selected 57 images and redacted most for my final report. I selected redact all attachments as well. When I built my UFDR report I viewed it in Reader to confirm no CSAM carried over. I was surprised that 403 images were present, many were unredacted images of CSAM. It appears these files are embedded images within other processes and they do not redact, and I could not find a way to keep them from carrying over to Reader. I was able to redact the images in Reader and build the report via Reader to get my desired result. I was unable to deselect the artifacts and they would return to the file, but at least they were redacted. Cellebrite Tech Support has been informed. Make sure to validate any UFDR report to ensure only selected images are present.
Avatar
Oxygen Forensics 9/18/2020 1:05 AM
@DeepDiveForensics If you imported this dump in Oxygen Forensic Detective you can save it as ZIP archive in the Files section and then import it in another tool.
Avatar
@Cellebrite I'm having issues decoding an FBE extraction from a Samsung Galaxy S10 - it seems to take a long time and I can't tell if it has crashed. I can see a Plugin error in Trace view.
2:08 AM
Anyone able to DM me so I can send over screenshots?
Avatar
@Pacman The last 3 S10 phones I have done have either taken far too long to decode or far too long exporting the reports. Is it PA 7.36?
Avatar
Oh yes it is! I forgot there's a new update that has been validated last week.
2:15 AM
Will try newer version now
Avatar
Might be worth trying that then, previously I have rolled back to an older version.
2:15 AM
Tickets were raised.
2:16 AM
Older version doesnt have an issue.
Avatar
Just for your info that might help -
2:16 AM
This is what I received.
Avatar
It would hang on the FB parse for ages (17 hours!)
2:17 AM
But looking at that version of FB, it was an older version so perhaps there was something nasty and crunchy in there
Avatar
Will try on 7.37 and let you know
Avatar
Anyone had issues exporting from Oxygen to Project VIC? I'm only getting a few of the thousands of files available. Thanks
Avatar
@King Pepsi @Oxygen Forensics nope
Avatar
Uuuuuuuurgh it's still the same for 7.37
3:02 AM
I might leave it over the weekend.
Avatar
@Pacman oh
Avatar
What version did you rollback to? @Zhaan
Avatar
7.35 at the time @Pacman
Avatar
CLB-drorimon 9/18/2020 3:40 AM
The trace error is coming from parsing the graph store, a feature that doesn't exist on 7.35. At any rate, it does not affect the decoding of the other FB artifacts, so no need to rollback because of it. Specifically the error is saying it failed parsing only 1 object, out of potentially many more.
Avatar
@Cellebrite @CLB-Paul Hello all, today I noticed that in UFED Physical Analyzer 7.37 when I create a report and choose the option "Split HTML report" in the last window, the software changes the path location of the chat.txt attachments in conversation page and the links of the report don't work. I created a ticket about that in Cellebrite.
Avatar
Oxygen Forensics 9/18/2020 4:48 AM
@King Pepsi We do not know about this issue. Will send you a DM.
Avatar
@Flipz4n6 perfect. Loop in our support you’ll be in good hands
Avatar
Dr.Who-IACIS 9/18/2020 7:36 PM
@Forensic@tor Yep it still copies the files out. I do a PDF and then go in and delete the folder containing images and videos. I almost got burned creating a redacted report like that.
Avatar
Dr.Who-IACIS 9/18/2020 7:45 PM
Those of you using multiple tools with Cellebrite: I have Axiom, Amped5, FTK Imager, Belkasoft, FEX and Oxygen installed on my forensic machine. I tried to install Cellebrite Virtual Analyzer and it failed numerous times. I contacted support and was told to uninstall several Microsoft Visual C++ versions and reinstall. Did that and got Virtual Analyzer to install. Later I tried to use Axiom and it wouldn't run. Contacted support and they suggested reinstalling the Microsoft Visual C++ packages. Tried numerous times before I figured it out. Cellebrite Virtual Analyzer uses older versions of Visual C++ which are incompatible with most every other forensic tool that uses Visual C++. I ended up removing Virtual Analyzer due to its inability to play well with others until Cellebrite fixes the issue. I won't be holding my breath.
Avatar
theAtropos4n6 9/18/2020 9:18 PM
@Dr.Who-IACIS yeap Virtual Analyzer has some serious issues. They are currently working on fixing that. It is a really useful feature and will be nice to have it with us on one of the upcoming releases.
Avatar
Forensic@tor 9/19/2020 6:18 AM
@Dr.Who-IACIS Can't use the current version of VMware either or VA won't run
Avatar
@Brigs For some reason my freshly compiled ileappGUI.exe fails to open. If I run the script 'normally' it works fine. (for your info)
Avatar
@florus Just downloaded it, ran it, and parsed and image. Worked fine on my end. I also used a different computer than my testing Windows box just in case.
10:44 AM
@florus Did you try the binary from the release? Check dependencies again and rebuild if needed.
Avatar
chrisforensic 9/20/2020 11:26 AM
@Brigs tested your binary from github... no problem at all 👍
Avatar
@chrisforensic @Brigs That means something went wrong with compiling on my end. I'll download the binary today 🙏🙏
Avatar
Run requirements.txt and compile again.
10:58 PM
You might be missing a new library.
10:58 PM
Or download binary. Either way. 👍
Avatar
Deleted User 9/20/2020 11:00 PM
@Dr.Who-IACIS Hard to deal with Virtual Analyzer. I only succeeded twice in launching it. Sometimes when I try to install it on a PC, the installer just auto-reboots the computer in the middle of the installation. Tip: launch multiple applications at the same time and try to stop the auto reboot, and you can probably finish the installation. But that's just one problem; after installation, if you can launch anything at all, you are lucky.
Avatar
theAtropos4n6 9/21/2020 1:29 AM
Hey guys. Have an iOS 12.1.4 question. I have a Live Photo, named IMG_6123. I find this file in the below mentioned directories:
- /root/private/var/mobile/Media/PhotoData/Metadata/DCIM/110APPLE/IMG_6123.JPG
- /root/private/var/mobile/Media/PhotoData/Thumbnails/V2/DCIM/110APPLE/IMG_6123.JPG
- /root/private/var/mobile/Media/PhotoData/Metadata/DCIM/110APPLE/IMG_6123.medium.MOV
I believe that this file was taken by this iPhone (iPhone 7; the metadata match the model). However I cannot determine it for sure. So I ask the following: 1) Was this photo indeed taken with this iPhone (if yes, why is it in the PhotoData directory)? 2) Am I correct assuming that this photo was taken as a Live Photo, but with the high quality setting off (this is why I cannot find any corresponding IMG_6123.HEIC file)? 3) Can anyone help me determine the source of this file (if it was not taken with the iPhone camera)? Thank you in advance!
Avatar
Have you checked Photos.sqlite? @theAtropos4n6
Avatar
theAtropos4n6 9/21/2020 1:59 AM
@florus yeap I did. I found both of the JPG files in the ZGENERICASSET table. Should I look for a particular field or table that can help me?
Avatar
thaconnecter 9/21/2020 4:56 AM
Hello everyone, did anyone find a way to decrypt the Signal database on Android? I was able to do a physical on a Samsung S9 running Android 9
Avatar
@Cellebrite Any PA people around? Exported a bunch of WhatsApp chats (html) and in some the avatar images are visible but in the others they're broken links yet I have the .j file for the corresponding WhatsApp where it needs to be (party_photos\WhatsApp_Native\1). Hoping there's an easy fix because I don't really want to tag 1000+ things again as I don't have the project session anymore.
Avatar
Comparing two (one with the broken link and the other with the visible link) and the file they both read is identical in location and name
Avatar
Dr.Who-IACIS 9/21/2020 5:44 AM
@Deleted User It is an issue involving Microsoft Visual C++ packages. There are different versions in use by multiple forensic tools. While some play nice with others, it seems Cellebrite's Virtual Analyzer needs another. Here is what I found while trying to figure it out: Axiom uses Microsoft Visual C++ 2015-2019 Redistributable (x86) 14.21.277702 Virtual Analyzer uses Microsoft Visual C++ 2015 14.0.24212 for both x86 and x64
5:47 AM
@Deleted User Those two Visual C++ packages cannot be installed at the same time, at least when I tried to do it. I also found out that my FTK imager and Belkasoft Ultimate stopped working after the Virtual Analyzer install. Apparently they rely on Visual C++ as well.
Avatar
Deleted User 9/21/2020 5:49 AM
@Dr.Who-IACIS Okay! Thanks for all that information. So if we want to use it correctly, it's better to have a dedicated computer only for that, with the right Visual C++ installed on it.
Avatar
Dr.Who-IACIS 9/21/2020 5:52 AM
@Deleted User Maybe, or if you can get a virtual machine to run it. What I would suggest is to set up a virtual machine with Cellebrite installed and only Cellebrite. Do your extraction on your forensic machine, then drop it in a shared folder for the VM, or just share your working forensic folder with your VM. That way you can use Virtual Analyzer without interfering with your forensic machine setup. I'm in the process of doing just that but having an issue with VBox seeing the dongle.
Avatar
Deleted User 9/21/2020 5:58 AM
I'll try that.
Avatar
Ignore that, I think I met a filesystem filepath issue. ~314 characters in length :x
Avatar
ScottKjr3347 9/21/2020 7:00 AM
@theAtropos4n6 Check this out https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ Additionally here is a link to a sqlite query that might help. https://drive.google.com/file/d/1b1a270OCtQytFBdZrkIw96vuWG_s1rxs/view?usp=sharing Like @florus stated, you want to look at the Photos.sqlite and check out the creator bundle ID and edited bundle ID. During a recent Cellebrite Ctrl Alt Del talk several of us learned that a HEIC file is not always created when a live photo is captured. Within iOS Messages (iOS 13), if a live photo is captured a mov file and jpg file are created but not a HEIC. If this is the smoking gun in your case, take the time to test and validate your theories. You will learn so much more than expected.
Avatar
theAtropos4n6 9/21/2020 7:46 AM
@ScottKjr3347 Thank you! I will look into it. Yeap that is exactly how things are as far the smoking gun.
Avatar
ScottKjr3347 9/21/2020 7:50 AM
@theAtropos4n6 if you need anything additional feel free to dm
Avatar
Does anyone know if timestamps for Facebook Messenger messages are reliable? I presume they aren't as the received/sent timestamps are recorded off the device's timestamp
Avatar
Or are the messages timestamps recorded from a server?
Avatar
@Oxygen Forensics When passware cracked the passcode for a Huawei phone using the Huawei extraction method in Oxygen , should the passcode be visible in Oxygen Forensic Detective?
Avatar
Oxygen Forensics 9/22/2020 12:29 AM
@rck5109 the passcode should be visible in the Extraction info but we already have several customers who have not seen it there. Here is a workaround: Run PasswareKitMobile.exe from folder \Oxygen Forensic Detective\Passware. Tools -> Known Passwords Dictionary -> Export. Save to file, open file with any Notepad.
Avatar
does anyone know if the newer Samsungs are F2FS or EXT4?
Avatar
@Oxygen Forensics It worked! Thanks
Avatar
@Sudo ext4 as far as i'm aware
1:35 AM
Motorola and Huawei switched to F2FS quite early and use it to this day
Avatar
cool, thanks
Avatar
Not sure if anyone's come across this issue before. Using PA v7.37 for a FFS GK extraction, PA seems to show email data/contents in the snippet section and nothing in the HTML body; when I switch to plain text I get some data. Looking on the handset, the email displays 'fine', so it must be downloaded/cached to the handset, meaning (or assuming) the GK extraction has pulled the email. I logged it with Cellebrite but R&D have just said that the .eml file must not exist for the email, but I can view the email OK on the handset. The issue I have is that PA must only allow so many characters and doesn't display the full email content??? Anyone seen this before?
Avatar
Heya, does someone know the most important lines to look at in an Android batterystats file in terms of usage?
Avatar
@Akko Not just you. Yep, saw it a week or so ago. Not just GK. I noted it happen with a checkm8 extraction as well https://discordapp.com/channels/427876741990711298/427877097768222740/753908726590865469
5:35 AM
I didn't put a ticket into @Cellebrite at the time but I can confirm I saw exactly the same as you. Email is on the handset and was decoded previously as it was an old email. I first noticed this in PA v7.37 and not in previous versions
Avatar
@Akko I have this issue with a FFS of a Samsung S20 atm. Clicking on the text option shows a load of HTML code but thats it. Nothing displayed under the HTML option
Avatar
Hello Someone has tried this https://0day.today/exploit/description/34938
@sforen that is quite plainly BS.
8:04 AM
basically, you checkra1n a device, you must enter the known passcode first to reach AFU, then you apply their "exploit" and the passcode entry accepts any passcode.
8:04 AM
so 1. must be checkra1nable, 2. not bypassing anything
8:05 AM
==> zero applicability to forensics use case
Avatar
@sforen, I refer you to my answer from last time you asked about removing a passcode: https://discordapp.com/channels/427876741990711298/545232743353810946/679613852971040808
Avatar
CLB-drorimon 9/22/2020 10:32 AM
@Stevie_C, @Akko Thanks, we are aware of this bug (on Email and Note html view). It is expected to be fixed on 7.38.
Avatar
@Cellebrite Am I incorrect in thinking Cellebrite came with five languages for translation?
Avatar
@LawDawg this is correct: users can select 5 from the basic language pack, which has 14 core languages to choose from
Avatar
It's not working for me, or more correctly, I'm an idiot.
Avatar
Five languages are included. You need to specify which ones in the online portal
Avatar
I downloaded the Basic Translation Pack and installed it. I'm lost at that point
Avatar
Have you specified the languages you want via the online portal and linked them to your licence?
Avatar
probably not
12:54 PM
how does one accomplish this? I'm in community.cellebrite.com now in my account
Avatar
Dm me your email I'll send you instructions
Avatar
Hello everyone, inspecting a WhatsApp conversation between two subjects in UFED Physical Analyzer, a "system message" appears. What does it refer to? Is it system communication between the app and the server?
Avatar
@CLB-drorimon Many thanks !! That was on my to do list later today to put in a ticket but if you've been able to replicate I'll strike that off the list 😀
Avatar
@Kramnias not sure if exactly this, but some times there are messages “conversation are encrypted “ “Paul changed his number...”
Avatar
Deleted User 9/23/2020 5:34 AM
Anyone know where the PGP key of Protonmail is?
Avatar
@Cellebrite I have an extraction (UFDX) that I created from a logical, file system, and physical of the same phone. I'm trying to load it now, but it is hanging up on me. It's stuck on "Running Plugin (Android Databases)". I tried it yesterday as well and it did the same thing. So, yesterday, I tried just loading one of the three extractions and it did the same thing. Any ideas?
6:45 AM
All three combined are only 18 gigs.
Avatar
CLB - DavidK 9/23/2020 6:48 AM
Hi @LawDawg, I would like to take a look at the logs.
6:48 AM
I DM the instruction on how to get them
Avatar
Awesome, thanks!
Avatar
@Cellebrite Is there a way to translate more than one item at a time? I've got 23593 SMS messages and I don't want to do them one at a time. I tried highlighting several at a time, but it will only do one of those highlighted. And do I need to pay someone for asking so many questions?
7:29 AM
I just found it.
Avatar
Is there a specific Plist file that one could look at to determine if "messages in iCloud" is enabled?
Avatar
If I extract just the sms.db file from an iTunes backup on a computer, is there any tool that I can just feed that one file to and have it parse the messages out? Like what would Cellebrite or AXIOM be able to parse the messages or does it need the entire iTunes backup to do so?
Avatar
It should in theory - however you will of course not have any attachments. Also the SMS.db does not store contact info only numbers/apple IDs.
Avatar
Yeah it's a whole separate folder with the attachments in it I believe, right?
Avatar
Received attachments generally
Avatar
FinForensics 9/24/2020 12:15 AM
Can UFED Physical Analyzer be run from the command line in order to automate processing and report creation if a forensic image of the phone has been obtained by other means?
Avatar
The date/time associated with the gallery3d cache, will it create a cache as soon as the phone receives or saves the photo or when the folder is browsed to...
Avatar
@FinForensics Think this was brought up previously and I believe the answer was no. Would be brilliant if we could, as we could make a few things a lot easier / better flowing. Say put a dump in a certain location, run a script and it will automatically create a UFDR / Griffeye dump. That would be brilliant
Avatar
Hi, I have a FFS dump of a Huawei. In Physical Analyzer the link between Facebook Messenger voice messages and the audio files is missing. When I search for the .mp4 files they can't be found. In the cache folder of Messenger I find .cnt files. They seem to be the voice messages. At the moment I can link the files to the database entries by size and duration. Does anybody have the same problem? And a more forensic solution than mine?
Avatar
Can UFED Physical Analyzer be run from the command line in order to automate processing and report creation if a forensic image of the phone has been obtained by other means?
@FinForensics @K23 Magnet AUTOMATE can automate the processing, report creation and ingestion of data into other tools (like Griffeye) for extractions created in various tools, including UFED. DM me if you're interested and I can take you through a little more of what it can do.
👍 2
Avatar
Hi all, I've just posted a blog regarding LevelDB, both in terms of what it is, how it works/stores data and why its usage is on the rise. There will be a follow-up post digging into the IndexedDB serialization that sits atop it and hopefully some code to deal with all of that (the code is basically working, I just have to negotiate the open-sourcing of the code): https://www.cclsolutionsgroup.com/post/hang-on-thats-not-sqlite-chrome-electron-and-leveldb
👍 2
Avatar
Deleted User 9/24/2020 6:49 AM
Anybody had any luck parsing « PS Messages » on Android? It's the Sony PlayStation chat app. So far, I've tried PA, XRY and Axiom, and my Google-fu isn't strong enough for this one! It seems like the messages would be stored in the encrypted « messages » database. Thank you!
@Krypton Did you finally succeed in parsing "PS Messages"?
Avatar
Hello,
7:03 AM
has anyone had an issue with WhatsApp Calls not being decoded in UFED PA 7.36.0.42
7:03 AM
for iOS
Avatar
@PapiChulo Haven't noticed it but I'm using the latest PA version, PA v7.37.0.40. Might be worth trying it in the latest version
👍 1
Avatar
PA 37 is out if that helps
Avatar
Hey guys, I actually have an iPhone dumped with an FFS. Now I'm searching for the data from the private section of Snapchat. I know the PIN and can look at them on the device. But I don't find the media files in my Physical Analyzer. 😦
Avatar
Is there a spot in the file system from a physical extraction of an SM-G950F where I can find the user passcode?
Avatar
@Matze I've PM'd you 🙂
Avatar
I'm trying to get data from a cheap Onn brand tablet that has secure start-up enabled. I know my options are basically CAS or no data but unfortunately CAS doesn't support it. Is there any possibility of decrypting a physical image of the chip if I remove/image it?
Avatar
mond4y_morNin6 9/24/2020 9:59 AM
I'm trying to get data from a cheap Onn brand tablet that has secure start-up enabled. I know my options are basically CAS or no data but unfortunately CAS doesn't support it. Is there any possibility of decrypting a physical image of the chip if I remove/image it?
@tolsen I am interested in this as well if you get any information. I am in the same situation.
Avatar
I've got a test tablet of the same model on order. Expectations are low though.
Avatar
mond4y_morNin6 9/24/2020 10:01 AM
I've got a test tablet of the same model on order. Expectations are low though.
@tolsen Great! Please keep me updated on your findings. What specific model are you working with?
Avatar
It's an Onn 100005206 tablet.
Avatar
mond4y_morNin6 9/24/2020 10:04 AM
Same model for me as well.
Avatar
ScottKjr3347 9/24/2020 8:01 PM
Used @Cellebrite_UFED PA #Beta 7.38.0.46 today and my biggest complaint has been answered! Single-thread chats, or "Consolidated Messages"!! This is a must update when it gets released! Great job dev team!! I'm sure @HeatherMahalik @mattforensic @PaulScurvy @TheNewMyself helped.
👍 4
cellebrite 1
Avatar
Hi guys, we recently had a request to investigate an iPhone (we do not have information yet about which model). Some context: the owner of the iPhone thinks his iPhone got compromised; the reason is that the owner noticed that every WhatsApp message he sends or receives is copied to the 'About' section of his WhatsApp profile. So basically everybody can read along with what the owner sends and receives. In addition, in the heat of the moment he updated his iPhone to the latest iOS 14. I have 3 questions for now on which I could use some of your thoughts: 1. I've never heard of such a thing before in regards to malware or anything else that does that to WhatsApp; has anyone here, and/or does anyone have any pointers to look for in the investigation? 2. We only have access to the commercial tool @Cellebrite. Is this already compatible with iOS 14, does it encounter some problems with parsing things under the current profile, or is it just fine? 3. I know there is some research ongoing for jailbreaking iOS 14 with checkra1n; I haven't had time to catch up and do proper reading of the blogs out there for now. Is it already possible to use checkra1n? Thanks in advance!
Avatar
mond4y_morNin6 9/25/2020 5:52 AM
According to this, checkra1n currently works for iOS 14 on only the iPhone 6s, 6s Plus and SE, with support for iPhone 7 and 7 Plus coming soon.
👍 1
5:52 AM
Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up
Avatar
@Goovscoov Don't forget the piece that WhatsApp can be attached to a computer. It's totally possible it's not the iPhone that's compromised; it could be the account logged in elsewhere. Just something to consider.
Avatar
@Goovscoov Don't forget the piece that WhatsApp can be attached to a computer. It's totally possible it's not the iPhone that's compromised; it could be the account logged in elsewhere. Just something to consider.
@CLB-Paul Good point! We will look into that.
Avatar
And I can't give too much advice on what to look for in regards to compromise. Maybe strange installed apps?
Avatar
We will definitely do 'all the checks' in which you might find evidence of a compromise. I was just curious if someone has seen before what the owner of the iPhone described. If we find anything worth sharing I will drop it here in the chat 🙂
Avatar
The evidence suggests that Jeff Bezos' phone was hacked using WhatsApp, but Jeff Bezos is a multi-billionaire and the exploit appears to have been engineered to target him specifically. https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince
Exclusive: investigation suggests Washington Post owner was targeted five months before murder of Jamal Khashoggi
Avatar
@Goovscoov @CLB-Paul Like Paul said, it could be signed in elsewhere. This is easily checked on the iPhone in the WhatsApp settings for WhatsApp Web/Desktop. I've also seen WhatsApp installed on devices for which there is no official WhatsApp app (an iPad; I don't know if this is still the case, but it was in 2018). The user had actually installed a third-party app that mimicked Safari (the user agent) and was using the desktop option to sign in. This would be a good way to compromise someone's account.
👍 1
Avatar
Thanks @Sha1_4n6! We will definitely look into other WhatsApp instances that might be involved.
Avatar
I'm a little confused on the difference between manifest.plist, info.plist and status.plist. I am trying to find the last time the device was backed up. Based on what I know, this information is in all three. But looking at the individual files, I see three times within two minutes. Am I not understanding the definitions of these sections?
12:11 PM
This is on an iPad Mini 4. I don't see the device_values.plist as referenced in https://smarterforensics.com/2018/08/determining-when-an-ios-backup-was-created/ .
One point of contention in the FOR585 Advanced Smartphone Forensic class is – which files store the correct datetime for when a user created an iOS backup?  I’ve engaged in a few friendly arg…
Avatar
DeeFIR 🇦🇺 9/26/2020 6:16 PM
Apologies if someone has already posted this. Has anyone done a deep dive on the new private MAC address feature for Wi-Fi networks in iOS 14? https://support.apple.com/en-au/HT211227
To further protect your privacy, your iPhone, iPad, iPod touch or Apple Watch can use a different MAC address with each Wi-Fi network.
Avatar
@Sha1_4n6, @CLB-Paul or anybody else: do you know if WhatsApp leaves artifacts about devices connected to WhatsApp? I haven't found artifacts of this so far.
Avatar
@DeeFIR 🇦🇺 No, but that is a very interesting topic, eh. My colleague pointed out that change to me as well.
Avatar
@Goovscoov Yes, if you go to Menu --> WhatsApp Web it will show you signed-in devices.
Avatar
@Sha1_4n6 I was pointing more towards artifacts on the FS, like in a SQLite database. The configured WhatsApp profile on the phone has been deleted by the sysadmins (I know.. :P)
Avatar
Ooooohhh
9:26 AM
That I don't know. Maybe there's a plist lying around (if it was on an iPhone). You may need checkm8 to get more useful info from config files
👍 1
Avatar
CLB_iwhiffin 9/28/2020 6:25 AM
Apologies if someone has already posted this. Has anyone done a deep dive on the new private MAC address feature for Wi-Fi networks in iOS 14? https://support.apple.com/en-au/HT211227
@DeeFIR 🇦🇺 Check out the plist at private/var/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist and see if that helps
Avatar
Does anyone have any good knowledge on Gallery3D date/times, particularly with how PA decodes them?
6:29 AM
Or a good resource on Android/Samsung filesystems?
6:35 AM
I have a file (x2): it appears once in the Gallery3D .trash at 15:50, then a cache version from Gallery3D at 15:55.
6:36 AM
Normally the cache one is made when the user sees it, unless I'm wrong; just wondering why it would effectively show up later (if the datetime is even correct).
Avatar
@Cellebrite In my PA I have installed hash values to search for known child porn images and videos. I now have results, but where can I see what and which images/videos it has found?
2:09 AM
I found it under "Insights" in the left part of the screen. Thanks anyway 🙂
Avatar
How would I go about decrypting a Snapchat database? I have the egocipher.key and a value from the keychain if that helps
Avatar
@Cellebrite and others: We are still experiencing huge problems with the new built-in Cloud Analyzer in PA. Are we the only ones? 1: We can't see real progress. The progress bar just goes all the way to the "end" as if it's done, but it continues for an unknown period of time. There's no way to tell if there are 10 minutes or 10 hours left. Before, in the old version, we were able to see some kind of number (i.e. 100 of 500 artifacts downloaded). 2: The report generation is confusing and it often fails. I just had my machine extract cloud data from an iPhone 11 Pro overnight. This morning report generation says it failed ("unknown error"). And when trying to create a UFDR of the entire phone, that report also fails ("unknown error"). That's 8-10 hours of work wasted... 😭
Avatar
I got my answer: there's a Recycle Bin since Android 9, the files were in there and the cache was generated later when the user went into the bin to view them.
👍 2
Avatar
Do any of the products from @MSAB @Cellebrite @Oxygen Forensics do anything to detect images that contain additional hidden data?
3:36 AM
I've got a 'vault app' that encrypts its media but appends it to the end of a valid PNG file, so forensic tools just display them as a valid image and don't appear to draw attention to the fact that there's additional data at the end.
3:36 AM
It would be useful if the tools had functionality to highlight a disparity between the size of the usable image (measured from header to footer) compared to the actual file.
3:37 AM
I'm concerned that an examiner who wasn't scrutinising these files closely would miss this.
Avatar
@OllieD XRY will do file extension/header matching to see if they match up and will flag if the extension does not match the header. I am not sure we have looked at files being appended to the end of other files, however! Happy to discuss in direct messages to see if there's anything we can do to assist!
Avatar
Sure, I'll DM you
Avatar
@JMK lovely, thanks!
Avatar
@OllieD Yeah, I did this on a number of files on my test phones for my courses. I'd get a picture, look at where the FF D9 fell within the sector, then use HxD to stick some "evidence" in the slack and copy it back to the media. Unless a thorough search was done by the examiner, the "evidence" would be missed 😀
👍 1
Avatar
Yep, that's exactly my concern. In this particular case it's the app doing it, but I've seen it happen with images being traded on imageboards: the content to be hidden is appended to the end of an innocent image, causing it to be missed.
👍 1
Avatar
@OllieD Just how many individual files do you get off a phone these days? 🤣
Avatar
Well I'm a little detached from reality here in my ivory training tower, but it's something like a few dozen files per phone right?
🤣 3
Avatar
I can just imagine @K23 reading this chat and thinking "Oh No, I've enough problems to consider without this" 🤣 🤣 🤣
Avatar
😆 Something like that. My problem list is astoundingly long as it is; it needs its own calendar at this rate.
Avatar
@K23 More like a PA you'd need, mate, with your workload!!
👍 1
5:43 AM
And not the Cellebrite sort of PA!!
5:48 AM
@OllieD Now you mention that, I do recall being on an EnCase course about 15 years ago and they had layered photos/images in the training E01s. Export out, double click in Windows or whatever and see a normal innocuous image. Open with another tool and see a second layered image. I recall something about Adobe Photoshop being involved in creating it. Your post just brought that back to mind. I wonder what those images would present as in current mobile forensic software.........
👍 1
Avatar
Oxygen Forensics 9/29/2020 6:46 AM
@OllieD Thanks for a great idea about hidden data. We'll discuss internally how it can be implemented in our software.
👍 4
Avatar
Thanks!
Avatar
Can anyone point me to a plist file within an iCloud device backup that would keep the date/time of the backup?
Avatar
@Cellebrite Hi guys... Does anyone know if you can use regular expressions directly from the Physical Analyzer search bar?
Avatar
CLB-drorimon 9/30/2020 4:20 AM
@Cellebrite Hi guys... Does anyone know if you can use regular expressions directly from the Physical Analyzer search bar?
@branzu_84 No, you can't. But you can do it in the Hex view search window.
Avatar
Okay, thanks.
Avatar
Does anybody have experience with Garmin .FIT files? I am working a fatal crash where a runner was struck and killed. The runner was wearing a Garmin Forerunner 235 watch that was tracking their run at the time of the incident. I extracted the runner's cell phone with Cellebrite as they had the Garmin Connect app on the device. However, Cellebrite did not parse any data from the app. In looking at the file system, I could not find anything that appeared to be associated with data syncing from the watch, and I am not seeing anything to verify if the watch was connected to the cell phone at the time of the incident. I also did a manual search of the app on the phone and it appears the app was not being used on a regular basis. That explains why the cell phone is not telling me anything. I reached out to Garmin and posed the situation to them. Garmin suggested downloading their Connect app and syncing the watch to the app. In doing that, I got very generic data from the watch. In digging into the watch data, I am seeing a .FIT file associated with the day of the crash. I am wondering what data the file may contain and if it would be any more comprehensive/precise than what the Garmin Connect app decoded/parsed from the file. If anybody has any experience with the data contained in the .FIT file and would share what they used to decode/parse it, I would be very appreciative of some direction.
Avatar
@dd4n6DET56 No experience with this file type, but this may help: https://wiki.openstreetmap.org/wiki/FIT It looks like you can load the .FIT file into Garmin BaseCamp and get a map out, or use gpsbabel to convert to GPX (the file format used for making maps of routes like trails). I would, however, think the Garmin Connect app got about the same info.
Avatar
@Sha1_4n6 I have not looked at that app. However, I would agree with you that the two apps would most likely be very similar. I'll try it to check the box.
Avatar
JLindmar (83AR) 9/30/2020 12:55 PM
@dd4n6DET56 My section has worked with decoding Garmin .FIT files. @Sha1_4n6's suggestion to use BaseCamp is the right track. I'll DM you my contact information.
Avatar
Hi, are Magnet AUTOMATE and ATLAS installable tools or a service that Magnet provides?
Avatar
ScottKjr3347 10/1/2020 7:59 AM
Hi, are Magnet AUTOMATE and ATLAS installable tools or a service that Magnet provides?
@Jack New Reach out to @Magnet Forensics and/or @Patrick.Beaver. They should be able to answer your questions about #automate and #atlas.
Avatar
So I have an Android where Kik Messenger was deleted before seizure. I have a full file system from the device but can't find anything except the Kik installed application information. I don't see anything located at data/data/kik.android and the App Genie in Cellebrite did not recover anything. Does anyone have any other steps I could take?
Avatar
Inspector_Gadget 10/1/2020 11:20 AM
Today's been my first battle with KaiOS (Alcatel). I was able to get a BIN and mostly decode it with the PA "KaiOS content" plugin. I'm looking specifically for call logs and they didn't decode. I've been looking around the file system for them but no luck so far. Anyone know where/how the call logs are stored?
Avatar
Good morning, is there any solution to import an XRY extraction into Oxygen or Axiom?
Avatar
@Morph Good morning, if you have a physical you should be able to export the binary from XAMN Elements, which I presume they should be able to parse. If you have a logical it could be more tricky, but exporting the file system from XAMN and importing that might work. Not sure what other options Oxygen/Axiom might offer, however.
Avatar
@Morph You can directly import a .xry file into Oxygen, if I recall correctly.
Avatar
@florus Oxygen has an error on import; they want to fix the bug... so I hope somebody has a workaround to solve this issue.
Avatar
@Morph Then export the binary as Tobias said.
Avatar
Does anyone know if there is any way to find out what version of apps are supported in AXIOM? @Magnet Forensics
Avatar
Oxygen Forensics 10/2/2020 1:07 AM
@florus Oxygen has an error on import; they want to fix the bug... so I hope somebody has a workaround to solve this issue
@Morph Yes, currently we have an error at XRY file import. As a workaround, you can try to import a binary file or a zip archive.
Avatar
Anyone know if I can see in a NOT full-file-system (Adv. Logical) iPhone Xs extraction (UFED 4PC) whether a WhatsApp voice message was opened/listened to at a specific time?
Avatar
@Dossy I think you can... but someone else can confirm. Let me check in an extraction
Avatar
What is the equivalent of knowledgeC in Android?
Avatar
@Ghosted Do you mean app usage?
8:27 AM
And device status lock/unlock?
Avatar
In Android there are many different DBs, not only one like knowledgeC in iOS.
Avatar
Would they be displayed / parsed by PA or would a script need to be run?
Avatar
There is a different log for app usage; let me find the name.
8:28 AM
I used AXIOM
Avatar
and custom artifact
Avatar
Would a full file system allow for them or is a physical needed?
Avatar
🤷‍♂️
Avatar
hahaha
8:29 AM
Well if I find them I will let you know.
8:29 AM
I have the FOR585 poster; I will check.
Avatar
@Dossy I cannot find that info...
Avatar
Walking the Android (time)line. Using Android’s Digital Wellbeing to timeline Android activity Each time I have created an Android image I have found something new. Google Assistant and Android Auto were results of Nougat and Oreo,
👍 3
Avatar
@Oscar in Axiom examine go to Help -> documentation -> artifact reference. Might work in process too I just have examine open in front of me
Avatar
@JMK That doesn't show specific app versions AFAIK, just if it's supported for iOS, Android, etc. I wanted to know if AXIOM supported a specific super old version of Signal; @cScottVance gave me something to try on Monday 🙂
Avatar
Ah yes sorry I see what you were after, my bad 🙂
Avatar
ScottKjr3347 10/2/2020 9:50 PM
Would they be displayed / parsed by PA or would a script need to be run?
@Ghosted Use ALEAPP to decode Digital Wellbeing and usage stats. Check out the artifact folder for ALEAPP for the .py scripts and what is decoded. https://github.com/abrignoni/ALEAPP
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
👍 2
Avatar
CLB-drorimon 10/3/2020 2:14 PM
Today's been my first battle with KaiOS (Alcatel). I was able to get a BIN and mostly decode it with the PA "KaiOS content" plugin. I'm looking specifically for call logs and they didn't decode. I've been looking around the file system for them but no luck so far. Anyone know where/how the call logs are stored?
@Inspector_Gadget Call records can be found in dsitanleecreR.sqlite (an anagram for dialerRecents). PA should decode them. Please DM me to get to the bottom of it.
Avatar
I have a video extracted from an iOS device where the change date and time is later than the created and modified times. Does anyone know what the change date and time represents?
Avatar
@Reedsterz iCloud?
Avatar
@florus it’s a video in the camera roll
Avatar
CLB-drorimon 10/4/2020 4:03 AM
I have a video extracted from an iOS device where the change date and time is later than the created and modified times. Does anyone know what the change date and time represents?
@Reedsterz Old but gold: https://lwn.net/Articles/397442/ tl;dr: ctime is updated whenever a file's metadata is changed.
Linux systems, like the Unix systems that came before, maintain three different timestamps for each file. The semantics of those timestamps are often surprising to users, though, and they don't provide the information that users often want to know. The possible addition of a...
Avatar
@CLB-drorimon Thank you!
Avatar
@Dossy I cannot find that info...
@Dam Thanks for checking this! 🙂
Avatar
beforethelaw 10/5/2020 12:25 AM
Hey guys, I’m not sure if this belongs here, but it rather fits the topic decoding than extraction. I’m having a ufed-report and I’m trying to create an overview of all participants found in the chat-tab (WhatsApp, Facebook, viber, ...). I don’t need any of the messages written; just names. Unfortunately I can not find a way to exclude the messages, meaning that every export contains all messages of each chat. Speaking in X-Ways, id want to create a list containing all file names, without their content. Am I missing something, or is this simply not possible having only the ufdr-file. Thanks in advance! 🙂
Avatar
Hey guys, I’m not sure if this belongs here, but it rather fits the topic decoding than extraction. I’m having a ufed-report and I’m trying to create an overview of all participants found in the chat-tab (WhatsApp, Facebook, viber, ...). I don’t need any of the messages written; just names. Unfortunately I can not find a way to exclude the messages, meaning that every export contains all messages of each chat. Speaking in X-Ways, id want to create a list containing all file names, without their content. Am I missing something, or is this simply not possible having only the ufdr-file. Thanks in advance! 🙂
@beforethelaw could use the contacts? That area splits the contacts per app
Avatar
beforethelaw 10/5/2020 1:06 AM
@Rob Seems legit; unfortunately I end up missing a few. If you get (WhatsApp-)messaged by a person and end up not saving this person into your contacts, but still have a conversation with them, the number might not display in the Contacts tab. I got told, didn't believe it, cross-checked, got surprised 😅
1:09 AM
The only way then, I'd say, is to do contacts and chats in Excel and formula it up to find the differences to get a complete list.
Avatar
beforethelaw 10/5/2020 1:22 AM
And that’s where I’d have to manually filter, since excel doesn’t like too big charts. Wouldn’t be too bad, if I wasn’t talking about 100+ reports 🙈 ty anyways 🙂 @Rob
Avatar
Ahaha, I know that feeling.
Avatar
I feel like I've done this previously but I'm having a total mind blank: is there a way to parse an Android operating system from a microSD card in PA as if you've done a phone extraction? So that it'll attempt to parse chats or anything found within the operating system app folders.
Avatar
I feel like I've done this previously but I'm having a total mind blank: is there a way to parse an Android operating system from a microSD card in PA as if you've done a phone extraction? So that it'll attempt to parse chats or anything found within the operating system app folders.
@3X3 Open -> Advanced -> should be something like Common devices -> SD Card profile
2:03 AM
I haven't got PA open and someone else is using the licence, but from memory that should be it.
2:05 AM
@Cellebrite Got a report that appears to be stuck on the "Zip Report" stage now for almost 3 hrs. Using Reader to create a password-protected version. Any ideas?
Avatar
Anyone familiar with the Momentum Smart Home app? I’m searching the databases for either video or logs that show video was deleted.
Avatar
@beforethelaw I haven't looked in a long time, but do you have a WhatsApp contact database you could review? This would probably have the info you need where the phone's contact database may not. Since CLB parsed it, you can make a report template query with the SQLite wizard, which may work. You can save this for future use and it will be added as a report in the Analyzed Data tab.
Avatar
Hey, does anyone know of any databases or artefacts that can tell you if Safari is synced on a different device?
Avatar
CLB-drorimon 10/5/2020 8:44 AM
@3X3 Open -> Advanced -> should be something like Common devices -> SD Card profile
@Rob This will have you decode the file system only. To decode an Android from any physical dump, go to: Open case -> Add -> Open (Advanced) -> Select device -> 'Google Android Generic' -> 'Physical - Android ADB'
👍 1
Avatar
Mistercatapulte 10/5/2020 9:49 AM
New PA released, guys.
cellebrite 4
👍 1
Avatar
Mountaineer316 10/5/2020 10:50 AM
Has anyone encountered Privacy Messenger for Android? If so, how did you decrypt the messages in the DB? TIA
Avatar
beforethelaw 10/5/2020 12:22 PM
@Sha1_4n6 Thanks for your answer! 😊 Yes, I do have the database. I'll take a look at generating a report template.
Avatar
Anyone have a script to parse VCF contact cards from an Apple production-iCloud backup?
Avatar
@ScottKjr3347 @Brigs Are the ALEAPP and iLEAPP scripts already built into Axiom?
Avatar
Quick query: is the build.prop file the most reliable way of determining the Android version?
Avatar
@Ghosted No, but you can run iLEAPP and use MCAG to import xLEAPP TSV files into Axiom.
👍 2
Avatar
Quick query: is the build.prop file the most reliable way of determining the Android version?
@busted4n6 You can query it with an adb command without checking the entire file.
4:50 AM
Or have you already got an extraction?
Avatar
I’ve got a read, just being a bit lazy to go get the exhibit from the store
4:51 AM
I can open the read in ufed (currently have it open in axiom which doesn’t appear to show the version)
4:56 AM
Well axiom does kind of do it I guess!
Avatar
Hi, I have a full file system from an iPhone. In PA, when playing a video in .mov format I only get the sound. But if I save it to my desktop and play the video with VLC there is a video feed. Multiple videos are affected by this problem. Is this a known issue? PA version 7.37.0.40 @Cellebrite
Avatar
Has anyone had issues with Cellebrite PA carving records out of databases? I carved the ChatStorage.sqlite (WhatsApp) and it recovers thousands of records per table. However, when I look at the records, not a single one is readable. Axiom doesn't even show any free pages. I don't have a current licence for Sanderson's, so I was wondering if anyone knew of any workaround to see if any of this data is just not being properly decoded. Like, is it base64 encoded, and live records get parsed while free pages do not? It doesn't give me a real offset either to manually go to the DB in hex, highlight and try various decoding methods. Just having the offset could help me then manually open the DB, highlight the hex and try decoding it.
6:16 AM
Hi, I have a full file system from an iPhone. In PA, when playing a video in .mov format I only get the sound. But if I save it to my desktop and play the video with VLC there is a video feed. Multiple videos are affected by this problem. Is this a known issue? PA version 7.37.0.40 @Cellebrite
@callzor One of the solutions I have found is going into my computer settings and making VLC the default movie player. Then in PA, if you right-click and hit "play with default", it saves you the headache of saving each one out and allows faster screening.
6:17 AM
Still doesn't solve your problem but might be a faster workaround.
Avatar
Dr.Who-IACIS 10/6/2020 6:20 AM
@callzor Also, if you can extract the entire media folder out and then process it through Griffeye, it will allow you to scrub through videos quickly without having to watch each and every one of them.
Avatar
Facts, Griffeye has the best video preview tool I have used to date.
Avatar
Dr.Who-IACIS 10/6/2020 6:27 AM
Facts, Griffeye has the best video preview tool I have used to date.
@Palazar82 Yep. I'm trying to get my agency to purchase the full package. I like the way it integrates with Project Vic.
Avatar
I have only used the LEO free software but love it. Been using it since 2017 and love how it has developed.
Avatar
@Ghosted No, but you can run iLEAPP and use MCAG to import xLEAPP TSV files into Axiom.
@Brigs MCAG & TSV?
Avatar
Custom Artifact Generator: What does it do? The Magnet Custom Artifact Generator (MCAG) tool makes it easy to create custom artifacts for use within Magnet AXIOM from CSV (and other delimited files) and SQLite databases. This means you can now build your own custom artifacts t...
6:32 AM
TSV = tab-separated values. My scripts produce TSV files. Using MCAG you can create a custom artifact that will import the TSV files into Axiom.
Avatar
Dr.Who-IACIS 10/6/2020 6:33 AM
@Palazar82 I want it to do more. Right now Belkasoft is my other forensic tool and they don't currently support the importation of the Project Vic files. I had all kinds of trouble with Axiom and importing that hash set. I've been in touch with Yuri and they are looking at making Belkasoft accept flat hashes and hopefully in December they will get access to the format for the PV import.
👍 1
Avatar
@Ghosted See above.
👍 1
Avatar
@Brigs I'm going to try this
Avatar
@Ghosted Awesome. The cool thing is that after you do the custom artifact, any future import of iLEAPP or ALEAPP artifacts is automatic as long as you enable the relevant custom artifacts in Axiom.
Avatar
@Brigs nice
Avatar
Adam Cervellone 10/6/2020 7:08 AM
Good morning, all! Just a quick question about PA 7.38. I upgraded yesterday and reparsed a couple of Qualcomm Live extractions I got a month or so ago just to see what changed. I noticed that I now have two threads of the same chat, one from each of the locations in the picture. The mmssms.db one has more messages but both list the device owner as Unknown. Can anyone from @Cellebrite help me to understand this?
7:10 AM
I have also noticed that this new update doesn’t have the deleted messages I was seeing in previous PA releases. The deleted ones I was seeing from this extraction before seemed to be empty messages anyway.
Avatar
Does anyone know if PA supports Wire app decoding?
Avatar
@Adam Cervellone Those messages could have been an artifact of contacts being added to a group (iOS does this, and Cellebrite was parsing these as deleted messages).
Avatar
Hi all. Anyone knows of any tool/blog/article/study/... about decoding useful info from Skrill and/or SkrillPayments apps on iOS?
Avatar
chrisforensic 10/6/2020 11:39 AM
Does anyone know if PA supports Wire app decoding?
@B As far as I know, PA and Oxygen don't (maybe I'm wrong), but HanCom MD-RED can decode it 😉
👍 1
Avatar
Interesting.. thanks a lot Chris! Will try App Genie first. If that doesn't work out, I'll have to check if we have a HanCom licence somewhere..
Avatar
Oxygen Forensics 10/7/2020 3:41 AM
@B as far as I know PA and Oxygen don't (maybe I'm wrong) but HanCom MD-RED can decode it 😉
@chrisforensic we are planning to support Wire app in OFD 13.1.
💯 2
👍 1
Avatar
@Magnet Forensics Is there a specific difference between a base.dm and base.apk that someone can explain to me? I am trying to use the Magnet App Simulator with TikTok, however the listing is not for a base.apk but for a base.dm. Although I can export it, I can't load a base.dm into Magnet App Simulator. Every app has a base.dm and not a base.apk. (edited)
Avatar
Using AXIOM I am trying to do a physical memory copy of an ASUS ZenFone 4 Selfie Pro (ZD552KL) with a broken screen via EDL mode. But AXIOM does not have a valid programmer file. UFED also does not support this phone. Maybe someone has a programmer file for this phone?
Avatar
@arforensic this model should be factory encrypted. Firehose won't help you with that. You need a decrypting method and Axiom doesn't have one for phones as far as I remember
Avatar
I have done a physical copy of memory with Ultimate Multi Tool QcFire v4.1 and the "000460E1143A8953_FHPRG.bin" programmer via EDL mode. And got an encrypted image.. I thought AXIOM could make a decrypted image...
Avatar
That's not gonna work with Axiom. I'm not following their release notes carefully but I don't remember them adding support for encrypted devices with that mode. UFED has decrypting methods assuming that the phone boots and it has a valid firehose or one of their "universal" ones will work. Oxygen may be able to also dump encryption keys as it's Snapdragon 625 which should be supported (edited)
Avatar
Oxygen Forensics 10/7/2020 6:43 AM
@Arcain @arforensic in fact Oxygen Forensic Detective supports extraction and decryption of devices based on Qualcomm MSM8953. You can give it a try.
Avatar
Andrew Rathbun 10/7/2020 6:57 AM
I am happy to announce a new Android image, Android 11, is now available for download. This image contains the same apps as the Android 10 image, plus a few new ones: Apple Music, Brave (browser), …
👍 2
Avatar
Thanks I will try 👍
Avatar
My brain might be broken but if I do a chip-off on an encrypted Android device and know the PIN code, will Cellebrite be able to decode it? I remember there being an option to put a password in if known when attempting to decode an encrypted bin in the past
Avatar
@Jameson no, UFED won't decode it. Part of the encryption keys rely on the CPU and in most cases you can't really extract those. The way UFED works, most of the time, is that it exploits the phone so it boots, with authorized adb access and root permissions to be able to dump already decrypted data. Oxygen supports some chipsets for key extraction as well and then uses those keys when importing the image.
10:44 AM
In both cases you need to have the phone at least somewhat working to use this. Just a chip-off won't do it
10:45 AM
Unless it's an old device, pre Android 5.0 era I think
Avatar
Thanks, that makes sense. I kind of figured. This phone unfortunately is not detected by Windows due to a bad USB port or damage with an error "device malfunctioned." I looked up the device on FCCID.io and noticed it had convenient USB taps above the port. I soldered a USB cable directly to the pins and still same issue. So I'm kind of dead in the water with this one
Avatar
What phone is it?
Avatar
LG LM-X420MM
Avatar
Seems to be the US version of the K40. Not something I see here lately. I haven't seen schematics for LG phones for a long time now so maybe getting a working board and measuring everything nearby may be the only solution to find a fault.
Avatar
Appreciate you looking into it. I put it under the microscope and didn't see any obvious signs of corrosion or damage.
10:54 AM
I initially thought maybe the USB port was shorting out but I tested that and it's not the case
Avatar
That also seems to be using a Snapdragon 450 so you'll need it to boot, know the passcode and hope that the Qualcomm Live profile will work if logical won't be enough. If logical is fine, you could make an agent-based extraction over Bluetooth or WiFi and also do an LG backup for more data.
Avatar
I was able to obtain an initial extraction using Bluetooth. I'll look into LG backup
10:58 AM
thanks for the help
Avatar
@Cellebrite A colleague has an issue with an extraction which keeps saying the extraction has backup encryption enabled -> We've attempted to reset the backup password using the usual methods and it still throws the same message after extractions. iPhone 4s.
Avatar
@3X3 if by "the usual methods" you mean resetting the settings in the phone, this feature was added in iOS 11 - and an iPhone 4S cannot run iOS later than 9.3 from what I can find. So probably the password for the encryption hasn't been removed by the menu options.
👍 1
Avatar
Hi All: I recently performed an extraction of a Samsung SM-G937U GALAXY S10 with Cellebrite UFED 7.38.0.12. I was able to do an advanced logical and file system (Android backup). Does anyone know why I'm seeing timestamps listed as 31-Dec-1969 19:00:00 (UTC-5) (created)? I have never seen this before and need to be able to explain it. Any help would be greatly appreciated.
Avatar
We have a Kazuna KAZ-F019 feature phone, no profiles in Cellebrite or XRY. It is running the 8909 so getting a physical should be easy, but I don't know that we can decode it. Everything we are seeing online says it is running some form of AOSP but it looks pretty custom. @Cellebrite @MSAB either of you guys have similar profiles that you know of that can help decode maybe?
Avatar
Try looking at KaiOS
Avatar
@AA We have recently purchased the KAZUNA eTalk, still waiting for delivery but the OS indeed seems to be AOSP. I would agree with the above, see if KaiOS decodes anything but it might as well be a proprietary OS! We'll see what we can find once we get it (edited)
Avatar
@CLB-Paul @Erumaro awesome, thank you. Once we get it dumped we will try and see if it gets anything and report back.
Avatar
@AA As AOSP apparently stands for Android Open Source Project could be worth just trying a decode with Android Generic as well once you have the dump! 🙂 (edited)
Avatar
JLindmar (83AR) 10/8/2020 8:48 AM
@AA Specs for that device on Newegg show it's running Silent OS, which appears to be from Silent Circle (and what they were running on their "Blackphone"). (edited)
Avatar
@Erumaro @CLB-Paul @JLindmar (83AR) We did get a good physical off of it through the Cellebrite generic Qualcomm profile. Then it decoded successfully running just the generic Android profile. Don't know for sure if it decoded everything but it did get all the major stuff. And it did seem to be structured pretty much like original Android, same databases etc.
9:14 AM
going to run it through XRY see if anything additional is decoded too
Avatar
thanks for the update @AA
Avatar
Looking for help creating a PDF export of a single note. Every time I do it the PDF export is blank with no content or metadata. @Cellebrite
Avatar
JLindmar (83AR) 10/8/2020 11:33 AM
@Matt I've had that happen for other data and worked around it by creating an HTML report (that did contain the data) that I later saved to PDF.
Avatar
Anyone know why a search term inside UFED PA like a name or phone number will hit for SMS messages but won't for iMessages? Example: a search for the name Britt hit on several SMS messages (35) but missed iMessages (1944). Any ideas?
Avatar
Looking for help creating a PDF export of a single note. Every time I do it the PDF export is blank with no content or metadata. @Cellebrite
@Matt is this specific to Android or iOS?
Avatar
@CLB-Paul iOS
Avatar
dm sent
Avatar
ScottKjr3347 10/11/2020 2:01 AM
UPDATED iOS13 & 14 Photos.sqlite queries. Text for general query & XML 4 @MagnetForensics Custom Artifact. Thanks 2 @bizzybarney @qubytelogic @forensicmike1 @BlakDouble these include Facial Recognition, Album Titles & Org File Names. #DFIR iOS13 https://drive.google.com/drive/folders/1rCT_TVTF5cgsaq-rbNuwOnqEyKjJEa_Q?usp=sharing iOS14 https://drive.google.com/drive/folders/1v6T6OqD8eyL1xwHXDMePaXxEZ3IZssp2?usp=sharing You might notice double entries for files with multiple faces. As always test, validate, and share your findings. Let me know if you have any questions. Might be helpful with the upcoming @Magnet Forensics & @Cellebrite_UFED #Capturetheflag Happy hunting!!
😎 1
👍 4
👌 1
Avatar
@ScottKjr3347 Awesome! Will implement in iLEAPP as well.
👍 2
Avatar
Hi! I have an iPhone FFS processed in Axiom. There is an artifact called "My received videos". I have some questions regarding this artifact. Can anyone confirm that the videos have been received and not sent?
Avatar
I have an Android 7.1.1 extraction which has secure startup enabled. Got a full dump using UFED (edited)
4:08 AM
it's asking for a password however, Oxygen with the Passware tool can't brute force the userdata unfortunately (edited)
4:08 AM
does anyone have other options?
Avatar
What phone is it? Only non-HW-backed phones can be brute forced like that, and those are rather rare
5:38 AM
Galaxy J2 Core
Avatar
Deleted User 10/12/2020 5:40 AM
J2 Pro (2018) ? J2 Core seems to be Android Go
5:44 AM
j2 pro 2018
5:44 AM
correct, Android Go
5:45 AM
7.1.1
Avatar
UPDATED iOS13 & 14 Photos.sqlite queries. Text for general query & XML 4....
@ScottKjr3347 Added support for both iOS 13 and iOS 14 queries. Also extracted location and postal information from available nskeyedarchived bplist blobs in the reverse location field. Great work Scott!
🤩 2
💯 2
Avatar
Andrew Rathbun 10/12/2020 1:14 PM
dark mode FTW
Avatar
CLB_joshhickman1 10/12/2020 4:34 PM
@ScottKjr3347 Added support for both iOS 13 and iOS 14 queries. Also extracted location and postal information from available nskeyedarchived bplist blobs in the reverse location field. Great work Scott!
@Brigs I’ll vouch for the location accuracy. 😄
🗺️ 2
Avatar
Hi, @Cellebrite can you explain to me what the information in the mobile/library/recents/recents database is? That information is parsed as chat (there is a "recents" folder under chat) but most of the data contains only a date and time. I cannot understand what this database is used for.
Avatar
Hi guys. Recently the chatsearchv3.sqlite file has been replaced by chatsearch5f.Sqlite. During my tests we no longer find the deleted messages from WhatsApp on iOS. Can someone confirm this?
Avatar
CLB-drorimon 10/13/2020 4:47 AM
Hi guys. Recently the chatsearchv3.sqlite file has been replaced by chatsearch5f.Sqlite. During my tests we no longer find the deleted messages from WhatsApp on iOS. Can someone confirm this?
@rico PA 7.39 will include support for chatsearchV5
👍 2
Avatar
anyone know what the file user_model_ngram_v1.bin is for? It is located on my Samsung J3 Eclipse in the following folder structure: data\com.sec.android.inputmethod\app_userLM\en_us
4:57 AM
When looking through the hex for this bin I find a bunch of web history of interest. Just trying to figure out if this is a rabbit hole I need to ignore or dive into
Avatar
@CLB-drorimon very good, but can this file allow you to find deleted messages?
5:00 AM
@CLB-drorimon I check to download it
Avatar
When looking through the hex for this bin I find a bunch of web history of interest. Just trying to figure out if this is a rabbit hole I need to ignore or dive into
@sholmes Based on the package name and the mention of 'ngrams' I would guess it's related to predictive typing
5:15 AM
In the fields of computational linguistics and probability, an n-gram is a contiguous sequence of n items from a given sample of text or speech. The items can be phonemes, syllables, letters, words or base pairs according to the application. The n-grams typically are collecte...
Avatar
That would make sense based upon the items located in the bin file.
5:16 AM
Thanks @OllieD
👍 1
Avatar
@CLB-drorimon Not yet possible to download ... When will it be available please?
Avatar
CLB-drorimon 10/13/2020 5:58 AM
@CLB-drorimon Not yet possible to download ... When will it be available please?
@rico Oh, my apologies, PA 7.38 just came out, so it will take a few weeks till 7.39 is out. I'll make sure you'll get a beta, OK?
(edited)
Avatar
Looking to find a log file or database which would identify the type of, or common names of, external media attached to a Samsung J3 Eclipse phone. I have the physical extraction. I have three or four databases which show media was placed/accessed on external media: /storage/3331-6631 and /storage/50A4-7260. The person claims they moved files to an external MP3 player, but then wiped the MP3 player. The MP3 player has a common name based upon the make/model of the MP3 player (i.e. Sport Clip).
8:17 AM
I believe /storage/3331-6631 and /storage/50A4-7260 were either going to be MicroSD or USB (OTG) devices.
8:18 AM
I was hoping there was a file in Android which might give me more details about these devices.
8:20 AM
cmh.db shows the storage_id for the 50A4-7260 device. A search of this ID through hex led me to external.db which shows mount and unmount times and dates, but nothing else I can articulate as relevant.
Avatar
Deleted User 10/13/2020 10:32 AM
Hi all, Anyone have success parsing Line data from an Android device? Have acquired a backup from Google Drive but the contact/group names haven't parsed, instead I get a string beginning with U. This is with the latest versions of Cellebrite Cloud and Oxygen. In testing, I have used the Cellebrite VM feature / the Andy Launcher application to sign into Line, restore from the G Drive backup then parse this in Cellebrite PA with contact/group names parsed fine - However when testing some numbers didn't receive the verification SMS so couldn't sign in (seems to be a fault with Line itself). Before proposing the VM route to the client (which may not work due to the SMS issue) I'm wondering if there are any alternatives or anything I'm missing as to why Cellebrite/Oxygen isn't parsing names from the G Drive backup?
Avatar
Mountaineer316 10/13/2020 3:42 PM
Anyone had luck locating the Meet24 message db on Android? I have a physical.
Avatar
@Mountaineer316 no, but you can use AppGenie in PA to parse data from this app (edited)
Avatar
Samsung Galaxy S10+ (G975U).... Why am I not seeing any file create or access times? Only modification. What's the explanation for this?
Avatar
Anyone know of any tool or any scripts which can parse data from a mobile device which was linked to this Spytec GPS Tracker?
Avatar
Mountaineer316 10/14/2020 10:10 AM
@rico AppGenie did not work yesterday. Thanks for the response tho!
Avatar
Anyone familiar with this Application and if any tool will parse it?
12:15 PM
I can read all the messages on the device however none are present in the extraction. I only got advanced logical and file system as the device (S10e) doesn't seem to work with Qualcomm Live with the 5/1/20 security patch update.
Avatar
Is there a way to hide apps on an Android device that will not show up in a file system extraction and those hidden apps would use a different Android ID than what a file system extraction shows for the device?
2:06 PM
Another Android ID question. Would changing mobile carriers on a phone also change the Android ID? I have a case where everything is matching up but the Android IDs are somehow different.
Avatar
@FullTang On Android 8+ the Android ID has a different value for each application and each user of the device. Check /data/system/users/0/settings_ssaid.xml for what ID a specific application has.
Avatar
chrisforensic 10/15/2020 12:29 AM
@Cellebrite @Oxygen Forensics ... Info concerning decoding of Huawei backups... backups done with the latest HiSuite 11.0.0.320 are not decoded .. 😒 (edited)
💩 1
Avatar
Oxygen Forensics 10/15/2020 12:51 AM
@chrisforensic we will test it and let you know. Thank you for informing us!
👍 1
Avatar
@Cellebrite @Oxygen Forensics ... Info concerning decoding of Huawei backups... backups done with the latest HiSuite 11.0.0.320 are not decoded .. 😒
@chrisforensic https://github.com/RealityNet/kobackupdec is still working to decrypt Huawei Backup
Avatar
chrisforensic 10/15/2020 2:23 AM
@Ypso hi, tried it, but failed ...
Avatar
Error message ?
Avatar
chrisforensic 10/15/2020 2:25 AM
Avatar
I have a Honor & the same Hisuite version, I will make a test
👍 1
Avatar
Deleted User 10/15/2020 2:28 AM
Does anybody know how PA decodes searched items for Chrome (Android)? Looking at the history database (visits table) I cannot see for the life of me how PA has got these results. Any help would be greatly appreciated
Avatar
Mistercatapulte 10/15/2020 3:09 AM
Good morning all, I have a dump of an S7 Edge and the image of an SD card. On the SD card I have the tree structure of two phones (G920 and G935); the first contains Viber and WhatsApp videos, of course encrypted. Is there a way to verify that the phone keys match these videos? For information, I mounted the phone image and the E01 from the SD card, but nothing is decoded from the SD card for these two apps. Thanks in advance
Avatar
@Mistercatapulte have you tried imaging the card while inside the phone? Sometimes that helps decrypt I think 🤔
Avatar
Mistercatapulte 10/15/2020 5:08 AM
@JMK i don't have the card
5:08 AM
😦
Avatar
AHH I see, soz
Avatar
Mistercatapulte 10/15/2020 5:09 AM
@JMK and to top it off I don't have the drawer to put another card with the image on it, everything is fine ....
Avatar
@Mistercatapulte it's nearly the weekend...
Avatar
Mistercatapulte 10/15/2020 5:23 AM
@JMK yeah 🙂
Avatar
CLB-drorimon 10/15/2020 5:56 AM
Does anybody know how PA decodes searched items for Chrome (Android)? Looking at the history database (visits table) I cannot see for the life of me how PA has got these results. Any help would be greatly appreciated
@Deleted User it's in the table 'keyword_search_terms'
Avatar
Deleted User 10/15/2020 9:23 AM
Good evening, we have an EncroChat BQ X2. Is there a service or company (similar to the CAS service) that can extract data? Christian Mauro
Avatar
@Deleted User since they took down the encrochat servers is there a way they can get you the unlock information or data from the server side?
10:00 AM
Just ran a physical extraction of an Alcatel A405DL, which is running KaiOS 2.5, through @Magnet Forensics Axiom and it did an amazing job. Using PA, I was able to find all the images of concern. However, the images contained all the web URLs in the hex. So instead of manually getting them from each image, I thought I would give Axiom a stab at it. It not only parsed all the URLs for each image, it also parsed all the other URLs, Bluetooth connections, wireless connections, images and videos. The only things it didn't get for me were the email, call logs, contacts and text messages. @Cellebrite PA was able to give me the same images and videos and wireless connections, but also gave me the text messages, contacts, and call logs. So if you have access to both software packages, I highly recommend validating your findings using them both on KaiOS dumps. (edited)
👍 1
Avatar
@.karate. That is exactly what I needed to know. I found documentation online to support that as well. Thank you so much!
🤩 1
Avatar
@Deleted User no, you need the passcode for the secure boot prompt and for the screen unlock and then you have to carry out a manual examination. The handsets cannot connect to forensic software. If you don't have the passcodes then you can't get in to the secure side of the phone. You may be able to obtain the server data however. You would need to talk to your national LE I would guess
Avatar
@Cellebrite so it used to be that if I entered an iTunes backup password into physical analyzer and this worked, the password was stored in the ufd file in the clear. Now I see no password but PA no longer asks for the password. There's also an HMAC format hash at the bottom of the ufd file. Is this the password? (edited)
Avatar
CLB-dan.techcrime 10/15/2020 3:56 PM
@Sha1_4n6 that hash is an integrity check hash for the ufd file itself. Not sure about the iTunes password issue -- Support would be good to contact since it's the weekend in HQ with little chance of a response here before Sunday
Avatar
My colleague said PA didn't ask for a password so I thought maybe the format changed. He said he closed PA and opened it again, then it asked for a password. Go figure
Avatar
Deleted User 10/15/2020 11:10 PM
Encrochat
@sholmes the phone was in use until 10 days ago; we never turned it on, we're afraid you're canceling
11:12 PM
@JMK I try to ask if they have a chance. Thank you
11:12 PM
Christian
Avatar
On a full file system from a SM-G973U running Android 10, I can't seem to locate Digital Wellbeing. I have checked everywhere I can think of and nothing. I understood this to be installed on all devices running Android 10, am I wrong? I guess my better question is does a device need to be rooted to give you access to Digital Wellbeing? (edited)
Avatar
Manual search of the device shows it is present. Is it possible it is turned off and if so is there a way to document.
Avatar
Hi guys! Just performed a BFU extraction on locked G975F with pattern lock. I was able to get the password salt but i never worked with hashes or salts from pattern locks. What should i do next?
Avatar
@Lpx that model will be hardware backed, as far as I'm aware you won't be able to do a lot yourself without commercial options such as CAS / Trevor. The password salt method used to work back on older versions of Android that were not hardware backed, a lot has changed since then though
Avatar
@Lpx what tool did you use to get the BFU?
Avatar
I did a file system and logical extraction on an LG B470 in UFED but PA doesn't parse the texts/call logs... anyone know of a solution that does? I'd rather not manually go through the phone and take pictures of the screen...
Avatar
@K23 thanks for enlightenment. What is Trevor? Never heard about it (edited)
6:45 AM
@Ghosted I used UFED
Avatar
@Lpx Trevor is a nickname for UFED Premium 😉
Avatar
@Arcain new 4N6 terminology... got to keep up 😊
Avatar
Anyone have any experience and can speak to TikTok file path?
Avatar
Mr. Eddie Vedder from Accounting 10/16/2020 7:48 AM
Can someone with Physical Analyzer please tell me where the PhotoDNA section is located. I’m trying to walk someone through over the phone and I haven’t touched CB in about 10 months.
Avatar
Galaxy A10e.zip/sdcard/Android/data/com.zhiliaoapp.musically/cache/picture/fresco_cache/v2.ols100.1/29/ In checking this on a test device it appears two images are saved. The first image appears to be the icon or picture for the TikTok account and the second is a picture of the video the user watched. If the application is moved to the background and allowed to run I don't see any artifacts loaded while in this position. When the application is moved back to the background the same two files are created for each video. Can anyone share any analysis they have seen with this application? (edited)
Avatar
Morning all, I have an S9+ running Android 10 (SP 1 May 2020). Does PA decrypt data stored in the Secure Folder? I have the pattern code for both the lock screen and Secure Folder. If not, how can I go about recovering data stored here? I have a decrypting bootloader acquisition of the handset.
Avatar
Try a decrypting bootloader FFS, not physical. The data can be decrypted in PA under /data/Knox
👍 2
Avatar
@K23 thanks for enlightenment. What is Trevor? Never heard about it
@Lpx You can blame @Zhaan for that 🤣 He started that back in June !! https://discordapp.com/channels/427876741990711298/537760691302563843/725004817184981014
😆 1
7:35 AM
Avatar
@Stevie_C you’ll never take me alive copper!
Avatar
@Zhaan if you can dodge me for the next 236 days you’ll be safe 😉 My desk will be empty after that !
Avatar
@Cellebrite An investigator asked me if I can explain - under contacts in a Cellebrite extraction on a mobile device - what the meaning of the contact folder "InteractionC" is and what action happened so that the contact ended up in that folder and not the "normal" contact folder. I could not give him an answer, but I looked in an extraction of an iPad that I had open and saw that the exact same contact folder was present. I picked out one contact that was present there, but saw that the same contact was present in 2 other places under contacts.
Avatar
CLB-drorimon 10/19/2020 4:11 AM
@Cellebrite An investigator asked me if I can explain - under contacts in a Cellebrite extraction on a mobile device - what the meaning of the contact folder "InteractionC" is and what action happened so that the contact ended up in that folder and not the "normal" contact folder. I could not give him an answer, but I looked in an extraction of an iPad that I had open and saw that the exact same contact folder was present. I picked out one contact that was present there, but saw that the same contact was present in 2 other places under contacts.
@Gulyás InteractionC.db holds information on recent activity on your iOS device. You can read more on @Sarah Edwards (SANS/BlackBag) blog: https://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules Regarding the "folder like view", each 'contact folder' stands for the data source from which the data, in this case the contact, was decoded.
The interactionC.db database certainly does not get as much as attention as its CoreDuet partner in crime, knowledgeC.db. However, I think it has quite a bit of investigative potential. I’ve written about it before in a prior blog , however I’d like to give it more attention ...
Avatar
@CLB-drorimon By looking in the InteractionC folder in the extraction I have open, it makes sense. Despite the timestamp of the contact being 2 years old, I could see from the attachments that there had been conversations recently. Thanks a lot for the good and quick response 🙂
Avatar
Question for the masses, glide_cache (from Google Photos Cache). How "reliable" are the creation times?
6:28 AM
I understand that when an image is loaded into Google Photos, Glide (the framework behind it all) creates a cache copy.
6:29 AM
Initial looking at the dataset I have appears all normal
Avatar
forensicatrix 10/19/2020 8:55 AM
@Ghosted I just did a validation of a paper on TikTok that includes analysis of cached content. My write-up is still rough around the edges (and long), but I'd be more than happy to send it to you. Feel free to DM me.
Avatar
If anybody is interested, Cellebrite is hosting their first Capture The Flag event.
10:23 AM
Why a CTF? A “Capture the Flag” (CTF) event is a great way for the DFIR community to come together and challenge themselves. Whether you are new to DFIR or a seasoned veteran, this CTF has something for everyone. The types of questions were written so that some are easier, and...
Avatar
Hi everyone, A colleague and I are looking at Android phone application usage and trying to better understand some of the databases where we are seeing package names. Does anyone have any insights on how Android is using any of the following databases? gass.db - cannot find anything written on this aside from the SANS 585 poster mentioning traces of application usage. frosting.db - tracks the package and last updated timestamp, but which packages are noted here; only ones that the user has installed? sm.db - A Samsung-specific database. Alexis Brignoni blogs about packages that crash ending up in the crash_info table, but what does the appfreezer table track? contextlog.db - can this be cleared/reset? If a package name is only seen in "manage_app" (and not "use_app"), should we be relatively confident that the app was installed but not used?
Avatar
@florus Did you get any results in relation to decoding the latitude and longitude in the local_location.db
Avatar
@nmcc4175 No I did not. A colleague tried decrypting them with hashcat, no success. Do you have an idea?
Avatar
Question for the masses, glide_cache (from Google Photos Cache). How "reliable" are the creation times?
If anyone know of this let me know 🙂
Avatar
@florus no I have encountered the same issue and was looking for a push in the right direction. I will look at it over the next few days and let you know how I get on
Avatar
@florus no I have encountered the same issue and was looking for a push in the right direction. I will look at it over the next few days and let you know how I get on
@nmcc4175 You could drop a question in the programming_reverse_engineering channel. They might be of help?
Avatar
@Cellebrite I have a question regarding the following scenario: 1. sender sends message via WhatsApp 2. receiver uses the "quote function" to reply to the message (preview of the message appears on screen) 3. receiver replies to the message 4. sender deletes message On the smartphone screen of the receiver (viewed on iPhone X and iPhone 11, iOS 13.5.1, WhatsApp v2.20.92), the deleted message still appears as a quoted message in the reply but the content is nowhere to be found in the extraction. Do you know if this deleted/quoted content is actually somewhere on the device and if so, where? Thanks! (edited)
Avatar
@Jb.gva Heather did a bit of a write-up about the quoted messages but on iOS 14. Not sure how it relates to iOS 13. IIRC within sms.db it had GUIDs pointing to the original message.
Avatar
Can anyone explain to me what the below means please, from downloads.db on an Android? non-dwnldmngr-download-dont-retry2download Is it just a common place for PDFs from anywhere - web, Telegram etc......
Avatar
Question - I think I know the answer - we have a dead Huawei P9. A colleague has done a chip-off and has a bin with the data. It's an Android 7 device. The userdata partition appears to be FDE. I am assuming there is no way to brute force this because the KDF is based on the hardware?
Avatar
@Magnet Forensics I have axiom 4.6 installed on my computer and I'm trying to decode a physical extraction acquired from Cellebrite Premium (.ufd) however it keeps telling me "one or more segments are corrupt or invalid". Any advice?
Avatar
So back to our question: is it worth it to do a BFU extraction and will you get anything? I have an armed robbery, 4 suspects. One suspect drops his phone (Nice.....). I get the phone powered off 4 days later (No......), it's an iPhone XR (No......). Was able to ID the owner/subscriber of the device through SIM/MSISDN. A few hours before the robbery, inside the BFU extraction timeline, I find com.apple.private.alloy.facetime.video with three individuals. The Apple authentication process has been performed for the following Apple IDs (listing the MSISDN for the other three individuals). So not lock-in evidence but I now have three more persons of interest identified by their MSISDN. Also showed installed applications a few hours before the robbery (Police Scanner and Police Light). These robbers did pretend to be the police upon entry. So my experience is it's always worth taking a look. I'm not done either, it seems location and pictures of individuals are present. These images appear to come from FB. FB contacts are present too.
Avatar
@CLB-Paul Thanks! From what I read this is for the native message application. I'm actually trying to find the behavior for WhatsApp... I tested some more and could find the "replied-to" message in ChatStorage.sqlite but my knowledge of the way this DB is organized is not good enough, I can't find the link between the reply and the original deleted message. UPDATE - here's what I found during my testing. When quoting a message WhatsApp appears to create the message in ChatStorage.sqlite and uses a link to a newly created media entry to create the "thumbnail" of the quoted message. In the ZWAMESSAGE table, the text of the message is in the ZTEXT field, the link to the media is in the ZMEDIAITEM field. The ZWAMEDIAITEM table contains a Z_PK field with the index number for the media. @Cellebrite @Magnet Forensics do you concur? 😉 🧐 (edited)
Avatar
@claireh - sending a DM.
Avatar
So back to our? Is it worth it to do a BFU extraction and will you get anything? I have an armed robbery, 4 suspects. One suspect drops his phone (Nice.....). I get the phone powered off 4 days later (No......); it's an iPhone XR (No......). Was able to ID owner/subscriber of device through SIM/MSISDN. A few hours before the robbery inside the BFU extraction timeline, I find com.apple.private.alloy.facetime.video with three individuals. The Apple authentication process has been performed for the following apple-ids (listing the MSISDN for the other three individuals). So not lock-in evidence, but I now have three more persons of interest identified by their MSISDN. Also showed installed applications a few hours before the robbery (police Scanner and Police Light). These robbers did pretend to be the police upon entry. So in my experience it's always worth taking a look. I'm not done either; seems location and pictures of individuals are present. These images appear to come from FB. FB contacts are present too.
@Ghosted BFU is better than nothing. You'll get largely system info but a chance of user data (very very low chance, but could be worth it)
Avatar
@MSAB is there a way to load a keyword list into Xamn?
Avatar
@Rob I have gotten log entries for imessages which contain the phone numbers of other individuals associated with my target. These were logged at the time directly before the robbery. I am curious maybe if I ever get into the device if these correspond to messages sent/received.
Avatar
@JMK Yes, you add a wordlist filter and then you can import a keyword list (or several) to that filter.
👍 2
Avatar
With an Android physical, does anyone know if and where log files are stored for the AudioManager class events. For instance plugging in headphones to the headphone jack, or answering a call whilst headphones are plugged in etc? (edited)
5:57 AM
I have an understanding of how I'd be able to detect such things if I were making an app, but unsure if logs are kept of such events on an Android OS. (edited)
Avatar
I'm basically looking for any sort of log files which would indicate something has been plugged into the auxiliary audio port, or that headphones were being used at a certain time. I presume there won't be anything like what iOS has whereby it's quite extensive logging of every user action for X amount of time.
Avatar
Anyone on @Magnet Forensics Axiom having issues with gk reads in 4.6? I am getting stuck at the end of the scan on “gathering artifact index data” 0%
Avatar
Seems I can crash out of everything and then start examine and it’ll do the ‘building index’ successfully but still annoying. I’ve tried this case numerous times
Avatar
DM'ing Aaron
Avatar
Anyone using latest P.A. beta 7.39?
Avatar
Is there anyone that is an android extraction expert that I could PM? We just got back a FFS extraction from CAS on a homicide phone. I’m seeing some partial messages between our suspect and victim but they are cut off and in a weird DB. I am very confused and my brain no workie. (edited)
Avatar
are they cut to 50 characters maximum and inside the android call log database? @pcsdcell
6:29 PM
callog.db ? (edited)
Avatar
I think so! Not sure on the character limit but that sounds about right. And yes , they are randomly in the calllogs.db
6:30 PM
Or callog.dB or whatever (edited)
Avatar
ok, if you export them to excel and then character-count the messages, the ones below 50 characters will match the sms in mmssms.db ... the ones above 50 characters will get truncated to 50. When an sms is received it goes to mmssms.db and a copy will go in callog.db (only first 50 characters). So if the user deletes an SMS in mmssms.db you can still recover the partial (or complete if under 50) in the call log. They can also be flushed from the callog.db (I don't think they stay there all the time)
Avatar
Holy cow that's my answer! I had previously got an android backup on the phone and noted that the texts between the suspect and victim were missing (because we had call records from the carrier). So I knew they were deleted. That must be the reason that they are in the calllog.db file and some of them are cut off. It's because he deleted all of the messages from the mmssms.db between his number and her number! Thank you so much! I will be having an adult beverage because this has been stressing me out!
💯 1
Avatar
will try to find you a white paper or an official source.. better than a random french guy told me 🙂
Avatar
Lol
6:38 PM
I use the phrase “subject matter experts” 😁
Avatar
A few weeks ago, Jamie McQuaid at Magnet Forensics wrote an interesting article titled Android Messaging Forensics – SMS/MMS and Beyond . T...
💯 1
6:40 PM
m_content: first 50 characters of SMS message body.
Avatar
Thanks so much! I’ll read up on it tonight!
Avatar
Hi, question about @Cellebrite UFED PA timezones and memory cards. If I load a microSD card extraction (done with touch 2) in PA, then load my phone extraction in the same project, they get combined as expected. When I then choose to apply my region timezone (-5) the phone's files get the correct times but the card's files get an extra (-5) as they were already at my region time. Now the pictures have a capture time (-5) but a created time on the card (-10) which is incorrect. (Or they get a -4 / -8 in daylight saving time.) Question is, can this be corrected in a setting (still leaving the 2 extractions combined) or do I have to absolutely look at the card and the phone as separate projects? (I haven't tested loading the phone, correcting the timezone, then joining the card, will try that tomorrow). Thanks for your time.
Avatar
Andrew Rathbun 10/21/2020 6:46 PM
@pcsdcell @Kramnias great collaboration! Nice work!
👍 1
Avatar
@Magnet Forensics Whenever I use the Dynamic app finder it always hangs. I can select the artifacts I want to include, map the fields etc. But when I press the button to process it just hangs. I've tried it in 3-4 cases now, and always the same problem. The process stays at 5% cpu and after 10-12 hours I manually have to kill it. Any solution? Or maybe someone else has had the same problems?
Avatar
Anyone from @Cellebrite for a question regarding timestamps in PA?
Avatar
CLB-drorimon 10/21/2020 11:54 PM
@Kramnias in exFAT, sometimes the timestamps are stored with timezone and sometimes as local time. Currently in PA there's a bug that it regards all exFAT timestamps as if they are with timezone. We're working to fix the problem.
11:55 PM
@rck5109 you can DM me
👍 1
Avatar
@Magnet Forensics Whenever I use the Dynamic app finder it always hangs. I can select the artifacts I want to include, map the fields etc. But when I press the button to process it just hangs. I've tried it in 3-4 cases now, and always the same problem. The process stays at 5% cpu and after 10-12 hours I manually have to kill it. Any solution? Or maybe someone else has had the same problems?
@.karate. this may be related to an issue I am having with 4.6. It hangs at the end of the scan using a few % cpu - might be worth dropping @b1n2h3x a message
👍 1
Avatar
@.karate. this may be related to an issue I am having with 4.6. It hangs at the end of the scan using a few % cpu - might be worth dropping @b1n2h3x a message
@busted4n6 I had a very long chat about this a while ago with several magnet technical support people. It kept freezing for me. Haven't tried this with 4.6.
👍 1
Avatar
Aaron D (MD5) 10/22/2020 3:24 AM
Any tips on decoding Windows 10 phones?
Avatar
Axiom is good @Aaron D (MD5)
Avatar
Currently in PA there's a bug that it regards all exFAT timestamps as if they are with timezone.
We're working to fix the problem.
@CLB-drorimon ...thanks for the info... Exactly that.. exFAT file system on the microSD card.
Avatar
Does anybody know what the source of the GPS is which is included in the cache_encryptedA.db in the table locationHarvest on an iOS device. Is this the current GPS of the device?
Avatar
@rck5109 www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper You can also check her blog and powerpoint presentations on ios location services. (edited)
👍 1
Avatar
@Magnet Forensics Someone from magnet around, for a Axiom question regarding the custom artifacts setup.
Avatar
@rck5109 www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper You can also check her blog and powerpoint presentations on ios location services.
@Kramnias Thanks. It seems that the database also stores information about speed and confidence. Anybody aware which type of metric is used for these values?
Avatar
forensicmike @Magnet 10/22/2020 5:44 AM
sure thing @florus
5:44 AM
sending a dm
Avatar
@rck5109 There is a ton of info to read on that subject. You can also check video presentations by Sarah Edwards (the above blog).
Avatar
Russell Abel - Bastrop County SO 10/22/2020 6:20 AM
I have an iPhone 7 running iOS 13.7. I performed a Cellebrite CheckM8 extraction on it. This phone belongs to a 14 year old boy and it only has 10,000 images on it, and there doesn't appear to be any aftermarket apps on it. Is there a way I can find out if/when it was reset?
Avatar
@.karate. sending a DM
👍 1
Avatar
There are many legitimate reasons why someone might wipe an iOS device.  A corporate IT administrator might do so prior to assigning a device to a different user, or a user might do so before
6:58 AM
The .obliterated File
Avatar
Russell Abel - Bastrop County SO 10/22/2020 6:59 AM
Awesome! Thank you
6:59 AM
Should this show up in a CheckM8 extraction?
6:59 AM
Or does it need to be a GreyKey extraction?
Avatar
It would show up in both I'd assume if they're full file system extractions
7:09 AM
haven't had experience with CheckM8
Avatar
Russell Abel - Bastrop County SO 10/22/2020 7:09 AM
ok. Thanks
Avatar
Mountaineer316 10/22/2020 10:37 AM
Anyone have any info, research, or white papers regarding the data/.cliptray on an LG phone??
Avatar
Anyone dealt with aloha browser? Having a look, it’s vpn and tor, unencrypted so that should be fun
Avatar
chrisforensic 10/23/2020 4:10 AM
hello mates @Cellebrite ... can you please tell me where to download the GPU package for the Image classification (iman) AI in the test version of PA 7.39 ❓ it's not available at the customer portal... thanks (edited)
Avatar
Hello all! I have an iPhone X extraction (UFED Full File System) which I'm currently reviewing in PA v. 7.35.2.16. I've found some images of interest in 'Swapfile0' which sits within the VM folder. I'd like to report on the images, but there isn't a lot of info out there about this location to explain how the images would have become present there, under what circumstances, etc. Can anyone shine any light on this? Thanks.
Avatar
I have an iPhone 7 running iOS 13.7. I performed a Cellebrite CheckM8 extraction on it. This phone belongs to a 14 year old boy and it only has 10,000 images on it, and there doesn't appear to be any aftermarket apps on it. Is there a way I can find out if/when it was reset?
@Russell Abel - Bastrop County SO try looking at this https://www.cellebrite.com/en/series/episode-9-ibeg-to-dfir-what-happens-when-a-device-gets-wiped-top-ten-questions-answered/
Avatar
Russell Abel - Bastrop County SO 10/23/2020 1:22 PM
Good video. Thank you
Avatar
Hi, after a successful extraction of the full file system of an iPhone 8+, I can't find a deleted movie; does anyone have an idea of a place to search? Thanks
4:03 AM
It has been sent via WhatsApp and then deleted by the sender
4:04 AM
The phone belongs to the sender
Avatar
Mistercatapulte 10/25/2020 6:38 AM
@kfir_m hi, this video is gone for sure in unallocated space, and this part isn't dumped when you are doing FFS
Avatar
iOS MAC address randomization. Great article. Worth a read. Also an iLEAPP parser for the data. 👇 https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
👍 2
Avatar
Hello everybody, Query is on parsing Google Assistant cache. Located on a Samsung S9 physical/binary extraction in X-Ways. AXIOM/UFED PA could not (currently) parse this out. I had the cloud extraction of the users data to compare it against. Cached “Hey Google” & “OK Google...” queries located in: \data\com.google.android.gms\files\fcm_qued_messages.ldb\ and are a series of .db files- 00015l.db 00018.ldb Looking to see if anyone has luck on parsing the data or a plug-in that can be added to the artifacts database for AXIOM or UFED PA.
Avatar
@Cellebrite Hello, anyone free to take a question in PM?
Avatar
CLB - DavidK 10/26/2020 2:40 AM
@Johnie Yes, feel free to DM me
Avatar
@Cellebrite Trying to register a UFED4PC licence. Anyone free to help me 😄
Avatar
@Rob did you get that licence sorted out?
Avatar
@Rob did you get that licence sorted out?
@CLB-Paul almost. I'll pm
Avatar
DeepDiveForensics 10/26/2020 7:00 AM
I downloaded and parsed Joshhickman @Andrew Rathbun Is there any specific password to parse signal.db or any default password applied by App?
I am happy to announce a new Android image, Android 11, is now available for download. This image contains the same apps as the Android 10 image, plus a few new ones: Apple Music, Brave (browser), …
Avatar
Andrew Rathbun 10/26/2020 7:12 AM
@CLB_joshhickman1
Avatar
CLB_joshhickman1 10/26/2020 7:41 AM
Hello everybody, Query is on parsing Google Assistant cache. Located on a Samsung S9 physical/binary extraction in X-Ways. AXIOM/UFED PA could not (currently) parse this out. I had the cloud extraction of the users data to compare it against. Cached “Hey Google” & “OK Google...” queries located in: \data\com.google.android.gms\files\fcm_qued_messages.ldb\ and are a series of .db files- 00015l.db 00018.ldb Looking to see if anyone has luck on parsing the data or a plug-in that can be added to the artifacts database for AXIOM or UFED PA.
@sky4n6 I am not sure about that particular database, but there is another location you can go to get "Ok Google" queries. It depends on what version of Android the device was/is running. In Android 10 there is a database that contains all of the "Ok Google" queries (that are done via the physical phone): "opa_history." You can find it in /data/data/com.google.android.googlequicksearchbox/databases/. Not all "Ok Google" queries are here, though. If the user was using Android Auto, you will need to look in the protobuf files found in /data/data/com.google.android.googlequicksearchbox/app_sessions. The protobuf files can be parsed, but you can find the query along with the date/time of the query. For Android 9 and below, there is no database. Check out @Brigs ALEAPP tool. It has support for Google Assistant queries. https://github.com/abrignoni/ALEAPP/tree/master/scripts
(edited)
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
👍 1
7:43 AM
Also, I have a couple of blog posts on parsing the protobuf. This link addresses the non-Android Auto Google Assistant protobufs. https://thebinaryhick.blog/2019/03/08/ok-computer-er-google-dissecting-google-assistant-part-deux/
In part two of this article I will be looking at Google Assistant artifacts that are generated when using a device outside of the car (non-Android Auto). Since this post is a continuation of the fi…
Avatar
Is anyone aware of the exact process or moment which triggers the deletion of files in the recently deleted folder in iOS? I know photos.sqlite contains a record of the exact date/time the image was deleted and this is probably used as a reference of when the image is to be deleted. But is this done the next time the user launches the photos app? Is it done when the user powers on and unlocks the device or is it a periodic process which will check for files which are due to be deleted forever which is triggered at a predetermined date etc.? Working with seized devices we often analyse phones which haven't been used for 30+ days so it would be beneficial to know what triggers this permanent deletion for peace of mind knowing that any of our examination processes aren't losing us potentially critical information during analysis + extraction.
👍 1
Avatar
Adam Cervellone 10/26/2020 10:25 AM
@Magnet Forensics Does the latest version of AXIOM support conversation view for Discord chats?
Avatar
Does anyone have any direct knowledge on the values associated with the WifiConfigStore.xml file from a Motorola Android device? It's a murder for hire case where the "bad son" got his former "cellmate" who lived on the other side of the state to kill his father for him. The bad son was kind enough to transport the cellmate to and from his house to commit the act. The file shows the cellmate connected to the bad son's unique password protected wifi network the day of the incident. The cellmate confessed but the bad son is trying to drag this to trial so we're looking for any additional leverage against him (there's already a ton but every additional bit helps). If we can prove he gave him his wireless password the day of, it should help as an additional proof he knew he dropped the cellmate off at the house.
Avatar
Adam Cervellone 10/26/2020 10:43 AM
Same question for @Cellebrite Physical Analyzer. I've got a Graykey extraction from an iPad. Not seeing the discord chats at all in PA but Axiom has parsed them, just not into conversation view.
Avatar
@Adam Cervellone do you have access to @Hancom ?
Avatar
Adam Cervellone 10/26/2020 11:03 AM
No, I do not. What is it?
Avatar
@Adam Cervellone - Sending DM
Avatar
Deleted User 10/26/2020 9:29 PM
No, I do not. What is it?
@Adam Cervellone Hi Sir, I am Jessy Jun at Hancom. Our MD-RED supports the chat view of Discord analysis results from our own extractions or from other extraction tools' images. You can contact me personally if you need a demo of our products.
Avatar
Deleted User 10/27/2020 1:15 AM
@Cellebrite We have a problem with the new visibility of SMS/MMS, some are in chats and others in instant messages. Very confusing.
👍 1
1:16 AM
Is this improved in 7.39? May I get a link to download it?
Avatar
Forensic@tor 10/27/2020 2:55 AM
Instant messages are an overflow for when they can't identify a conversation thread. It was very well explained in, I believe, the release notes or manual.
👍 1
Avatar
Has anyone tried to read a physical dump of the memory card from a navigation unit, where there are gpx files, to analyze with the analyzer?
Avatar
We have a temporary Remote Desktop solution to allow analysts working from home to access their physical desktop in the office. Apparently @Cellebrite Physical Analyser can detect this and that there is an extra licence fee to pay. Has anyone come up across this? Does anyone know when this changed? (edited)
Avatar
@busted4n6 As far as I know they have always had a limitation on Remote Desktop and the dongles. I know they were helping people out during these times with those license but not sure what exactly that entails.
Avatar
@busted4n6 contact support about it, pretty sure they will help you out enabling the usage of the dongle while using rdp
Avatar
@busted4n6 yes and they will charge $500 per dongle for the pleasure...and it doesn't work for ufed4pc either (edited)
11:34 AM
Imagine it's 2020 and software companies are still telling you how you can use software you paid thousands and thousands of dollars for
Avatar
There are some limitations to the RDP licencing model. It is available and was made available for many to use during the WFH time during covid. @busted4n6 PM me and we can chat about it, or I can direct you to one of my UK counterparts since I drive on the other side of the road
👍 1
Avatar
Someone from @Cellebrite who can help with a question regarding the new image classification feature?
Avatar
CLB - DavidK 10/28/2020 2:23 AM
@rck5109 Sure, DM me
👍 2
Avatar
@CLB - DavidK I DMed you, I have a question about the P40 lite. Please write back when you have a moment (edited)
Avatar
iOS- question: what does "nani" stand for in the filepath: "Nani/mobile/Media/DCIM/100APPLE/...." Could it be that this is a location for the "hidden files" album.
Avatar
heatherDFIR 10/28/2020 8:48 AM
Awesome! Thank you
@Russell Abel - Bastrop County SO I have even seen it in backups!
8:49 AM
iOS- question: what does "nani" stand for in the filepath: "Nani/mobile/Media/DCIM/100APPLE/...." Could it be that this is a location for the "hidden files" album.
@mac.ddr The hidden files stay right in the normal gallery view. They are just marked hidden. Does it say Nano or Nani? Nano would be watch. I haven't seen Nani before unless that is what the user named their device.
Avatar
You’re absolutely right! Nani is the device name. A little stupid that I didn’t check this first. 😔
Avatar
binarycanary 10/28/2020 10:23 AM
Hi all. Looking at an extraction in Physical Analyzer. Under Wireless Networks I see several instances of an SSID with a name of "John's iPhone". Not actually John in this case but for example purposes. Each instance has the same SSID, but a different BSSID. Did an OUI lookup for all, no results for any of them. Can anyone explain?
Avatar
Has anyone been successful in recovering conversations from discord in an extraction. I've been asked to do so
1:06 PM
Deleted*
Avatar
Andrew Rathbun 10/28/2020 1:07 PM
@Neon anything against just getting a SW for the messages in question?
Avatar
@Neon anything against just getting a SW for the messages in question?
@Andrew Rathbun No, just the amount of time
Avatar
Andrew Rathbun 10/28/2020 1:09 PM
ah alright. Guessing it's not an emergency exception then
1:09 PM
No clue the turnaround on Discord SW's. I don't have a badge anymore and I never served one to them in my time in, but https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/discord/ if you ever need some assistance in what to consider for your SW verbiage
Avatar
ah alright. Guessing it's not an emergency exception then
@Andrew Rathbun Nah but at the same time still important.
1:10 PM
No clue the turnaround on Discord SW's. I don't have a badge anymore and I never served one to them in my time in, but https://aboutdfir.com/resources/preservation-letter-search-warrant-templates/discord/ if you ever need some assistance in what to consider for your SW verbiage
@Andrew Rathbun Awesome, thanks
Avatar
Andrew Rathbun 10/28/2020 1:10 PM
Not sure the OS you're inquiring about, but https://aboutdfir.com/toolsandartifacts/android/ and https://aboutdfir.com/toolsandartifacts/ios/ exist which have blog posts for Discord
Avatar
Not sure the OS you're inquiring about, but https://aboutdfir.com/toolsandartifacts/android/ and https://aboutdfir.com/toolsandartifacts/ios/ exist which have blog posts for Discord
@Andrew Rathbun I've never been to the site. I'll check it out. Its android
Avatar
Andrew Rathbun 10/28/2020 1:13 PM
Best of luck
Avatar
I have found some important media files in an iOS file system download buried in a Snapchat directory. I can get the exact directory but it’s close to: Root/private/var/mobile/containers/data/application/[app id]/documents/com.snap.file_manager**/ These files have no extensions and have a long numerical value that is not a time stamp. What I have learned so far is that the conversation “plist” that stores the chats will reference a specific number, often followed by an “r” as a reference when a media file is sent but “not recovered” by the forensic tool. Looking into the contentManagerDb.db elsewhere in the folder tree, these “r” values are seen. Corresponding media file names from the file manager directory can be found in a BLOB of the contentManagerDb. This is the only place I’ve been able to correlate the “r” value to a media file.
6:55 PM
The problem I’m running into now is that I am only finding this correlation with incoming media files. The outgoing media files aren’t represented by an “r” value but rather a guid looking value. PA keeps crashing (and takes an hour to load), Axiom won’t parse the plist and xways won’t load the DAR file. So I’m using a db browser for the contentManagerDb, hex editor for the plist (which doesn’t open in a plist viewer) and axiom to open the media files (...in paint since axiom isn’t opening them internally)
6:56 PM
I feel like I’m close to correlating these files but my brain is full. Does any of this make sense or sound familiar to anyone here?
Avatar
ScottKjr3347 10/29/2020 5:30 PM
I feel like I’m close to correlating these files but my brain is full. Does any of this make sense or sound familiar to anyone here?
@whee30 check this out and see if it helps... @CLB_iwhiffin is a smart man!
Avatar
I have found some important media files in an iOS file system download buried in a Snapchat directory. I can get the exact directory but it’s close to: Root/private/var/mobile/containers/data/application/[app id]/documents/com.snap.file_manager**/ These files have no extensions and have a long numerical value that is not a time stamp. What I have learned so far is that the conversation “plist” that stores the chats will reference a specific number, often followed by an “r” as a reference when a media file is sent but “not recovered” by the forensic tool. Looking into the contentManagerDb.db elsewhere in the folder tree, these “r” values are seen. Corresponding media file names from the file manager directory can be found in a BLOB of the contentManagerDb. This is the only place I’ve been able to correlate the “r” value to a media file.
@whee30 DMed you
Avatar
@Magnet Forensics Any1 free that i can DM a question to?
Avatar
cScottVance 10/30/2020 5:35 AM
Sure! Feel free to shoot me a message.
Avatar
anyone having a problem using the new image classification from PA? it gets grayed out after 1 second and can't be selected....
Avatar
Does anyone know a file or database inside of an android which would identify application that have been disabled.
Avatar
anyone having a problem using the new image classification from PA? it gets grayed out after 1 second and can't be selected....
@Mike No, I tested it today on an iPhone 8+ FFS extraction and Galaxy S9+ physical extraction. Both worked
Avatar
Calculator+ Vault for photo, The best calculator photo vault, hide your photo, security the hide private photos Calculator+ Vault for photo is a photo hide app that lets you hide your pictures, Calculator+ Vault for photo looks like a beautiful calculator, and works very well...
12:09 PM
PA can not decode, password is known
Avatar
Check the sqlite and build your own views or use appgenie @BorgSl
Avatar
@BorgSl I had a lazy evening and got bored so... The app uses DES encryption with a hardcoded key. It stores encrypted files in “../emulated/USERID/Android/data/eztools.calculator.photo.vault/files/photo_encrypt/FILENAME”. Info on the files is found in cal.db. You can also find references to the original unencrypted files in the db... The key is “12345678” 😑 and if you want a quick way of decrypting the files it works with online tools like the one found on http://des.online-domain-tools.com ( I wouldn’t use that site for real work 😎 ). Just supply your file and enter key “12345678” as plaintext. (edited)
Online interface to Data Encryption Algorithm (DEA), an algorithm used by US government in the past, later replaced by 3DES and AES.
👍 2
Avatar
Mobile Revelator supports DES encryption and decryption. And also decrypting all files in a directory. https://github.com/bkerler/MR Just enter the key in hex and also set "block size in hex bytes" to zero. Then you can decrypt all files at once ✌️
Mobile Revelator. Contribute to bkerler/MR development by creating an account on GitHub.
👍 4
Avatar
@.karate. - I’ve found some of these apps with passwords in plaintext in a plist before, but I’m lost on how you determined the type of encryption and key... are there clues in the files or is it documented somewhere? Hashcat to determine the key?
6:11 PM
I’d love to know the thought process on figuring this one out, I really need time to populate a test device and play.
Avatar
anyone having a problem using the new image classification from PA? it gets grayed out after 1 second and can't be selected....
@Mike Yes, I tried it on 3 computers and the result is: on one pc it is grayed out and can't be selected (I've heard that this can be related to the type of graphics card), on the second pc (a notebook) it works perfectly, on the last pc when you start the case wizard it keeps jumping from being grayed out to being selectable, so eventually I check it and leave all categories selected, but in the end I always obtain all images in the category "unclassified". Anyone from @Cellebrite can shed some light?
(edited)
Avatar
CLB_iwhiffin 10/31/2020 6:59 AM
@whee30 @ScottKjr3347 funnily enough I have been working on this the last couple of days after someone else asked me. I’ll be back soon with an update for you 🙂
👀 1
👏 1
7:02 AM
@FabianoQ @Mike I’ve been playing with the image classification a fair amount but haven’t seen this issue. Can you shed any light on the GPUs in the machines you have? I did have an issue one time with it being greyed out due to an uninstall that I’d done of a different version of PA. But a reinstall fixed it for me.
Avatar
I have a Quadro p4000 in my machine. It doesn't seem to use gpu for me at all
10:09 AM
Only cpu, same happened to one of my fellow colleague
Avatar
chrisforensic 10/31/2020 12:47 PM
@B if you open the file "application-pa.properties", is there a "true" for cpu_only? So I think iman does just use cpu .... (edited)
12:48 PM
on first install PA 7.39 there was a "true"..iman did not recognize my gpu... i changed it to "false" and then iman recognized my gpu 🙂 (edited)
12:50 PM
you can look into the logfile "iman.log" in folder logs ..... here's my entry....2020-10-31 07:32:37:251 [INFO ] TFBinariesTool: Found GPU: GeForce GTX 1660 Ti Compute capability: 7.5 (edited)
Avatar
On my pc where image classification fails i find logs (C:\Program Files\Cellebrite Mobile Synchronization\AnalyticsEngines\logs\iman.log) talking about "openvino not started" "2020-10-31 00:01:00:468 [ERROR] PAEngineConfiguration: OpenVINO did not start, shutting down {main, com.cellebrite.analytics.iman.config.pa.PAEngineConfiguration.openvinoStartedCheck(PAEngineConfiguration.groovy:229)}"
2:08 PM
On the other computer (where everything works fine) i find:
2:09 PM
2020-10-31 12:28:07:017 [INFO ] PAEngineConfiguration: OpenVINO passed {main, com.cellebrite.analytics.iman.config.pa.PAEngineConfiguration.openvinoStartedCheck(PAEngineConfiguration.groovy:225)}
2:10 PM
On both i have "analytics.iman.cpu_only=true"
Avatar
ScottKjr3347 10/31/2020 3:06 PM
On both i have "analytics.iman.cpu_only=true"
@FabianoQ > @FabianoQ @Mike I’ve been playing with the image classification a fair amount but haven’t seen this issue. Can you shed any light on the GPUs in the machines you have? I did have an issue one time with it being greyed out due to an uninstall that I’d done of a different version of PA. But a reinstall fixed it for me. @CLB_iwhiffin I am currently using PA 7.39.0.53 on a Dell Laptop i9, Quadro T1000 and the image classification is working for me with all classifications. I would recommend the following: Uninstall all Cellebrite products using a product called revouninstaller or similar and ensure that you use the advance scans to remove all remnants of the old/past versions of PA. Then update the GPU drivers. Install only the most recent version of PA and the GPU package listed under the add ons section of cellebrite community. If you still aren't having success I would recommend updating windows to the most recent version. I am currently using v20H2. I just checked on my laptop the "application-pa.properties" and is set "analytics.iman.cpu_only=true"
Avatar
@ScottKjr3347 Thanks sir, i'll give it a try
Avatar
chrisforensic 10/31/2020 9:54 PM
@ScottKjr3347 good morning mate, you are right, iman runs as installed, without any changes.... but did you check if cuda/memory of your graphics card is used? p.s.: I made a fresh install of PA (as always)... running latest windows 10/20H2, latest nvidia-drivers, cellebrite gpu-package installed... (edited)
9:54 PM
No use of GPU as I see..... "analytics.iman.cpu_only=true" (edited)
9:55 PM
CUDA/memory used with "analytics.iman.cpu_only=false"
Avatar
chrisforensic 11/1/2020 1:56 AM
maybe @Cellebrite can shed some light on the matter and provide more detailed information about iman...hope so 😊
Avatar
checked the log file, something seems wrong with the OpenVINO service ...
1:11 AM
2020-11-01 10:08:50:087 [INFO ] PAEngineConfiguration: Cheking connection with OpenVINO service, iteration 2 {main,
1:12 AM
config file has analytics.iman.cpu_only=true
Avatar
Everyone having issues. It’s been raised to the product team. I also suggest looping in the support team
👍 1
Avatar
CLB - DavidK 11/1/2020 7:20 AM
Hi @chrisforensic @ScottKjr3347 @B, PA will use the GPU just in case you have a suitable NVIDIA GPU card (with CUDA compute capability 3.5 or higher with latest drivers installed). You are also required to install the GPU package available for download in MyCellebrite. The proper way to do it is first to install PA and then the GPU package; if the GPU package was installed before PA you might have some issue, in such case please make sure there is "false" in the "application-pa.properties" under the "AnalyticsEngines" folder.
7:20 AM
7:23 AM
@Mike @FabianoQ Your issue is not related to the GPU, we are checking it now and as soon as we will have a fixed version for this I'll make sure to send it out to you.
Avatar
Thank you
Avatar
chrisforensic 11/1/2020 9:23 AM
Hi @chrisforensic @ScottKjr3347 @B, PA will use the GPU just in case you have a suitable NVIDIA GPU card (with CUDA compute capability 3.5 or higher with latest drivers installed). You are also required to install the GPU package available for download in MyCellebrite. The proper way to do it is first to install PA and then the GPU package; if the GPU package was installed before PA you might have some issue, in such case please make sure there is "false" in the "application-pa.properties" under the "AnalyticsEngines" folder.
@CLB - DavidK thanks, did this before... it's running fine with my GPU... see my above post from yesterday 🙂 https://discord.com/channels/427876741990711298/545232743353810946/772185066725703710
(edited)
Avatar
I have a Quadro P4000 in my machine. It doesn't seem to use the GPU for me at all
@B Funny, I have a Quadro 4000 (not the P4000) in my test machine and I was getting nothing categorised either. I have a support ticket in with Cellebrite about it.
Avatar
ScottKjr3347 11/1/2020 10:00 AM
CUDA/memory used with "analytics.iman.cpu_only=false"
@chrisforensic 🤔
Avatar
checked the log file, something seems wrong with the OpenVINO service ...
@Mike Yep, it was my OpenVino service that was causing my problem
Avatar
ScottKjr3347 11/1/2020 10:07 AM
Hi @chrisforensic @ScottKjr3347 @B, PA will use the GPU just in case you have a suitable NVIDIA GPU card (with CUDA compute capability 3.5 or higher with latest drivers installed). You are also required to install the GPU package available for download in MyCellebrite. The proper way to do it is first to install PA and then the GPU package; if the GPU package was installed before PA you might have some issue, in such case please make sure there is "false" in the "application-pa.properties" under the "AnalyticsEngines" folder.
@CLB - DavidK Thanks David!
Avatar
chrisforensic 11/1/2020 10:49 AM
@ScottKjr3347 yes, in my case definitely...
Avatar
@whee30 I made a small tutorial on how I figured out how to decrypt the files in @BorgSl's post. Nothing fancy. But maybe someone will find it useful. https://github.com/Magpol/decrypt-calculatorPlusApk
Decrypt hidden images from Android application Calculator+ - Magpol/decrypt-calculatorPlusApk
🤩 1
👍 3
Avatar
Deleted User 11/1/2020 11:09 PM
Anyone having problems using the new image classification from PA? It gets grayed out after 1 second and I can't select it....
@Mike Same problem for two of my colleagues.
Avatar
chrisforensic 11/1/2020 11:40 PM
@Mike @FabianoQ Your issue is not related to the GPU, we are checking it now and as soon as we will have a fixed version for this I'll make sure to send it out to you.
@CLB - DavidK if a fixed version is available, please provide it to us, thanks 👍
Avatar
Deleted User 11/2/2020 1:16 AM
@CLB - DavidK if a fixed version is available, please provide it to us, thanks 👍
@chrisforensic Yes please
Avatar
Hello everybody, does anyone have a "guide" for a PlayStation 4 investigation? It's my first PS4 and I'm not sure what's the best practice for such a device. Physical image from the HDD with a forensic bridge and the investigation with Axiom, X-Ways etc., or any known "problems" with a PS4?
Avatar
@chrisforensic @Deleted User I've been on with @CLB - DavidK this morning doing some testing regarding this. They're working on a fix at the moment. It's to do with the actual machine, a bit like the problem I was having with certain machines not running checkm8. I'm hoping for a solution very soon. I've a test machine at home here to try fixes on rather than mess with my work setup. 😀
👍 2
Avatar
Does anyone know of a way to determine how an iPhone was unlocked, e.g. with Face ID or PIN code? I have a full filesystem extraction. Thanks!
Avatar
@xavor0 In my experience, the information you can get out of a PS4 is very limited. The hard drives are encrypted in such a way that a physical image will provide no readable information. The most forensically sound way to investigate a PS4 that I am aware of is to connect the drive to the PS4 with a man-in-the-middle write protection, like a Voom Shadow, and browse the console's GUI for chats or timestamps.
Avatar
@dotmatrix Thank you! I will try it with the man-in-the-middle version - and you are right, the E01 image is encrypted 😭
Avatar
Hi all, regarding "com.apple.MobileBackup.plist" (iPhone 8 + iOS 13.3.1), what is "AccountEnabledDate"? Date of the backup that was restored? Anyone know?
Avatar
ScottKjr3347 11/2/2020 9:02 AM
@chrisforensic @Deleted User I've been on with @CLB - DavidK this morning doing some testing regarding this. They're working on a fix at the moment. It's to do with the actual machine, a bit like the problem I was having with certain machines not running checkm8. I'm hoping for a solution very soon. I've a test machine at home here to try fixes on rather than mess with my work setup. 😀
@Stevie_C I can only get to complete the image categorization when the "application-pa.properties" is set to true. When set to false it finishes but only has uncategorized items and no other categories.
Avatar
Hi everybody. Question: I'm analysing an iPhone 7 Plus, iOS 13.5.1, in a reckless driving case. I have health data showing before the time of driving (steps and distances) but after the crash no more health data. The phone was powered on, no visible damage, seems to work fine. The driver got out of the car almost immediately after the crash and the phone was left in the car powered on. A couple of hours after, the phone was taken by an investigator and put in his pocket without securing it. After some time it was put in a police car. How come I don't have any health data during the period the investigator had the phone on him and was moving around?
Avatar
CLB_iwhiffin 11/2/2020 12:39 PM
@whee30 @ScottKjr3347 funnily enough I have been working on this the last couple of days after someone else asked me. I’ll be back soon with an update for you 🙂 @CLB_iwhiffin So I WAS looking into this on Friday and started to get somewhere. Came back to it today to find that my test phone had updated to the latest SnapChat and... well. It's all pretty different by the looks of it. 😫
💩 1
Avatar
My case was resolved without needing to solve the problem so I’ve been forced to move on to stay “efficient”... someday I’ll get to work on something start to finish!
Avatar
heatherDFIR 11/2/2020 4:06 PM
Hi everybody. Question: I'm analysing an iPhone 7 Plus, iOS 13.5.1, in a reckless driving case. I have health data showing before the time of driving (steps and distances) but after the crash no more health data. The phone was powered on, no visible damage, seems to work fine. The driver got out of the car almost immediately after the crash and the phone was left in the car powered on. A couple of hours after, the phone was taken by an investigator and put in his pocket without securing it. After some time it was put in a police car. How come I don't have any health data during the period the investigator had the phone on him and was moving around?
@Picka2018 Was the user wearing an Apple watch? Was the device still on the network?
4:06 PM
Curious on this one, so if I don't respond, feel free to email me too - heather@cellebrite.com. I am teaching this week but trying to be active on the channels where possible.
Avatar
Hi everybody. Question: I'm analysing an iPhone 7 Plus, iOS 13.5.1, in a reckless driving case. I have health data showing before the time of driving (steps and distances) but after the crash no more health data. The phone was powered on, no visible damage, seems to work fine. The driver got out of the car almost immediately after the crash and the phone was left in the car powered on. A couple of hours after, the phone was taken by an investigator and put in his pocket without securing it. After some time it was put in a police car. How come I don't have any health data during the period the investigator had the phone on him and was moving around?
@Picka2018 If it's possible for you to start up the device, a quick way of checking data sources is to go to Settings -> Health -> Data Access and Devices and check what kind of apps and/or devices have access to adding data. As @heatherDFIR suggested it could be that his watch or some other app, apart from the device itself, is responsible for adding data. Even if you don't have an FFS of the device you can get some more insight into where the data is from if you choose to export data from the Health app (also requires a powered-on phone). The XML that is produced contains both sourceName (name of the device) and device (device identifier).
Avatar
Deleted User 11/3/2020 2:08 AM
Hello, I got a Huawei backup done directly on the phone and put on an SD card. I open it in PA with the option "huawei backup" and PA doesn't automatically decode the sms.db. Is that normal? Did I open it in the wrong way?
Avatar
Think it may depend on the version of Huawei Backup on the device
2:35 AM
The later versions encrypt them
2:36 AM
Huawei backup decryptor. Contribute to RealityNet/kobackupdec development by creating an account on GitHub.
2:38 AM
I'd consider using that if there is encryption and a password, then put the folder in as the input into PA using the Huawei profile
2:39 AM
You could also do the backup directly to your terminal using Hi-Suite then do the same
2:41 AM
You could do a quick check by opening a copy of the sms.db in any old viewer and seeing if it's encrypted, or even just chucking it into a hex editor and seeing if it's encrypted there
2:47 AM
My case was resolved without needing to solve the problem so I’ve been forced to move on to stay “efficient”... someday I’ll get to work on something start to finish!
@whee30 This summarises digital forensics now.
Avatar
@.karate., @heatherDFIR Thank you both for the insight, I'll look into that.
Avatar
DeepDiveForensics 11/3/2020 8:32 AM
How to enable Image Categorization during import?
Avatar
@DeepDiveForensics Have a look in Task Manager > Services and look for cellebrite_ufed_iman and cellebrite_ufed_openvino - they should both be running
10:04 AM
10:05 AM
I'm having issues with it too. @Cellebrite are aware
10:05 AM
You can see my cellebrite_ufed_openvino is showing as stopped. It fluctuates between running and starting. It's an issue with older CPUs
10:08 AM
Is yours grey all the time ? Did you install the Cellebrite Physical Analyzer GPU Support.exe as well as the latest PA version ? If both those services aren't running, it could be the CPU issue I'm having
Avatar
DeepDiveForensics 11/3/2020 10:08 AM
@Stevie_C yes I have installed both the packages
Avatar
@CLB - DavidK is remoting into my test rig tomorrow to see if we can figure this out in my case
10:09 AM
But you're not the only one
10:09 AM
What about your services ?
Avatar
DeepDiveForensics 11/3/2020 10:10 AM
@Stevie_C in my case there is no service as mentioned by you.
Avatar
This is mine at the moment
Avatar
DeepDiveForensics 11/3/2020 10:11 AM
@Stevie_C are the services in running condition by default, or only while PA starts?
Avatar
I have PA running in the background. Never looked in there when PA was not running !! I have a test case running at the moment so can't close it to check. Try running PA v7.39 and then look in Task Manager Services. They should definitely be running when PA is !! (edited)
10:15 AM
If you can't see them at all, then you might want to reach out to Cellebrite Support
Avatar
DeepDiveForensics 11/3/2020 10:15 AM
@Stevie_C okay I'll try
Avatar
Good luck 😀
Avatar
Deleted User 11/3/2020 10:56 PM
I'd consider using that if there is encryption and a password, then put the folder in as the input into PA using the Huawei profile
@Pseudonym My backup isn't encrypted. I see SMS and MMS in sms.db. This is why I don't understand why PA can't analyse it and parse it.
Avatar
@Pseudonym My backup isn't encrypted. I see SMS and MMS in sms.db. This is why I don't understand why PA can't analyse it and parse it.
@Deleted User not a scooby then!
Avatar
Deleted User 11/3/2020 11:13 PM
@Deleted User not a scooby then!
@Pseudonym Thanks for the information. I'll do it manually. I tried Axiom, same result.
Avatar
@Deleted User If it's viewable, I can't see any reason not to use something like Sanderson, just to get the results put together. Interesting that Axiom couldn't do it either.
Avatar
Anyone else find that since UFED PA 7.38 TextNow is not being parsed on Android extractions? Just curious if it's my specific extraction that is causing it to fail? (Though it parses that same extraction successfully using earlier versions of UFED PA)
Avatar
Afternoon all, just wondering if anyone could give me a little help. I have a case involving a SM-G950F. The suspect is stating that they only had the phone a day before their arrest and had got it from a friend. The suspect appears to be lying as there is data on the handset from before this date (i.e. WhatsApp conversations that contain photos with metadata stating they were taken with this model of phone etc.). But the OIC wants to make sure this data on the handset hasn't come from a backup etc. How do I go about proving this? I hope this makes sense
Avatar
@Artea check /data/data/com.Samsung.android.providers.context/databases/ContextLog.db. Look for SetupWizard entries. It will have a duration >0 when a new phone is setup. If he claims he has used a Samsung backup or something like that it should also be present in that log.
7:20 AM
Also check creation date of accounts etc that are connected to him.
Avatar
@.karate. Thanks a lot. I'll have a look at this shortly. 🙂
Avatar
DeepDiveForensics 11/4/2020 9:55 AM
Good luck 😀
@Stevie_C Same issue as yours, after re-installation of UFED PA + GPU.
Avatar
@DeepDiveForensics Good news. After liaising with the Guru @CLB - DavidK this morning he got my machine to work. In my case we confirmed that it is simply an older CPU generation that was causing the issue, not actually PA itself. I didn't have an issue with my work PC as it's pretty modern and has more powerful newer CPUs. It was just my test rig at home I was having the issue with, and that's what it turned out to be. It should be resolved in a future commercial release, so hang on in there. 😀
10:04 AM
🐳 1
Avatar
DeepDiveForensics 11/4/2020 10:11 AM
@DeepDiveForensics Good news. After liaising with the Guru @CLB - DavidK this morning he got my machine to work. In my case we confirmed that it is simply an older CPU generation that was causing the issue, not actually PA itself. I didn't have an issue with my work PC as it's pretty modern and has more powerful newer CPUs. It was just my test rig at home I was having the issue with, and that's what it turned out to be. It should be resolved in a future commercial release, so hang on in there. 😀
@Stevie_C Sure. In my scenario I'm using dual Xeon processors with a Quadro graphics card
(edited)
Avatar
@DeepDiveForensics Same as my test rig. HP Z620 with NVIDIA Quadro 4000 graphics card and Dual Intel Xeon E5-2665 CPUs
Avatar
@Cellebrite PA 7.39.1 is out. Got an email with the following subject: "Important Update: Cellebrite Physical Analyzer 7.39.1" The mail contains information about the following: "Version 7.39.1 fixes an issue for iOS extractions processed in PA: there is a potential for messages to be merged incorrectly into a native chat". Can you please tell a little bit more about the problem? What do you mean by "is a potential"? Thank you.
Avatar
CLB - Oshrit 11/4/2020 11:30 AM
We uploaded a document with more details to PA discussion group on MyCellebrite
Avatar
Thank you @CLB - Oshrit. It is important to communicate that the issue has existed since PA 7.38. Since this is important information for us, the document should have been available under the "Release notes" for PA 7.39.1. When downloading the 7.39.1 release notes I only get the old 7.39 release notes. (edited)
Avatar
CLB - Oshrit 11/4/2020 11:54 AM
@Izzy point taken. We will add that to RN section
👍 1
Avatar
@Cellebrite and anyone else:). I’m looking at a data extraction of an encrypted iTunes back up that I haven’t had any luck with the existing passwords on the device. Is it still safe or advisable to do the reset all settings option to reset the iTunes back up encryption and then redo the data extraction? Just wanna make sure before I do that (edited)
Avatar
@pcsdcell this has worked for me in the last year. You lose call logs, internet history, and Apple Health data (along with anything else encrypted by the former password) so you may at least want to take pics of the call logs first, or anything else that's of interest
12:54 PM
Also if you need to return the phone, you'll lose custom folders, ring tones, and alarms, in case the user cares
Avatar
Thx!
Avatar
Deleted User 11/4/2020 10:53 PM
@Deleted User If it's viewable, I can't see any reason not to use something like Sanderson, just to get result put together. Interesting that Axiom couldn't do it either.
@Pseudonym I just succeeded in extracting a full file system from this phone. It's OK now. We don't have Sanderson, but I managed to get something with the SQLite assistant in PA
Avatar
So my mom's iPhone got disabled because of a new non-Apple-approved screen. It basically registered a bunch of phantom touch inputs and attempted to log in to the phone. I have the Apple ID and password as well as the passcode to the iPhone. Normally it would be fixed by plugging the phone into iTunes but I have not logged her account into my computer. And when I try to do so it basically asks me to give an activation code sent to the mobile
2:56 AM
What can I do? It is an iPhone she got from the UAE, currently in India. The Apple repair center said that they can't guarantee the phone won't be bricked in the process of unlocking the phone
Avatar
So my mom's iPhone got disabled because of a new non-Apple-approved screen. It basically registered a bunch of phantom touch inputs and attempted to log in to the phone. I have the Apple ID and password as well as the passcode to the iPhone. Normally it would be fixed by plugging the phone into iTunes but I have not logged her account into my computer. And when I try to do so it basically asks me to give an activation code sent to the mobile
@drnkwtr A "non-Apple-approved" screen has nothing to do with that. They work just fine. It's either ghost touch from the old screen, or the new one is just faulty. If it's disabled, then in some cases you can do an update with iTunes and this will trigger the "press home to recover" screen with an option to enter the correct passcode and unlock the phone, preserving the data. Sometimes it doesn't and you'll be back to the disabled screen.
3:16 AM
And sometimes, if storage is full or there's some other hardware issue you may get stuck in recovery mode because firmware update won't be able to finish
Avatar
She is okay with me completely formatting it, is it possible to just restore the phone from the recovery menu?
Avatar
Not without a PC. iPhones don't have any factory reset option in their recovery mode. You have to do a firmware restore in that case if you don't care about data.
Avatar
How would I go about doing that? I have a PC. I forgot to mention it's an iPhone X
Avatar
"HardReset.info: 1. To enter Recovery Mode first connect your APPLE iPhone X to PC via USB cable. 2. Now you have to press buttons in the following order, one after another Volume up then Volume down and then press and hold Side button until you see Recovery Mode."
3:21 AM
You'll need iTunes installed as well. Once you have the phone in recovery mode and it gets detected by iTunes, you'll have 2 options - update or restore. Click on restore and it should download the latest firmware and flash it to the phone, wiping the data
3:21 AM
"Side button" is a power button here
Avatar
thanks a lot man
3:22 AM
One more quick question - once the device is completely formatted, will iTunes let me log into the Apple ID if there is no phone left to send the activation code to?
Avatar
If "find my phone" was enabled, you'll be asked to login to iCloud account during activation. If you know the passcode, there's an option to use that instead
3:25 AM
The passcode option will show on the phone only. iTunes will ask you to login to iCloud account only
3:25 AM
Passcode option is easier since you won't face 2 factor authentication and such
Avatar
thanks a lot
Avatar
forensicmike @Magnet 11/5/2020 5:46 AM
Just catching up - well done as usual @.karate. -sensei!!! 👏
5:47 AM
(re the vault app you checked out randomly) lol
Avatar
@forensicmike @Magnet 😎
Avatar
@Cellebrite do you know why an older version of PA would decode apps (messenger etc) but not in the most recent one?
12:39 AM
my colleague is having issues
Avatar
CLB-drorimon 11/6/2020 3:55 AM
@Sudo I'm not aware of any issues, but if true it's a bug. Please turn to Support with the relevant details ( OS, app version, logs)
Avatar
Anybody have @Cellebrite PA take forever to decode an iPhone advanced logical (Non checkm8)? Mine has been running for 4+hours.
Avatar
@goalguy in my experience, it can take forever if 1)the image is very large or 2) the apple health database has tons of entries, which I guess take a long time to parse
Avatar
Thanks @Sha1_4n6 It’s a pretty large image for just being an advanced logical.
Avatar
Getting an error installing the requirements.txt with ileapp. @Brigs an idea? Thanks for the help. (edited)
1:49 AM
A GDAL API version must be specified. Provide a path to gdal-config using a GDAL_CONFIG environment variable or use a GDAL_VERSION environment variable. ---------------------------------------- ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output. I have compiled the ileapp.exe, but it ain't running. Probably because of this same error occurring while installing the requirements?
(edited)
Avatar
@Pseudonym Think it may depend on the version of Huawei Backup on the device @Pseudonym hello, same problem with a Huawei Honor FRD_l09... I used the kobackupdec script, reinjected the result into PA and it works! Thanks to you 😉
Avatar
Is there a db or plist in an iPhone FFS that records MSISDNs? I have a case where a suspect swapped SIMs on purpose. (I have checked com.apple.commcenter.plist and cellularusage.db) (edited)
Avatar
@kali_478 excellent, success!!
Avatar
Getting an error installing the requirements.txt with ileapp. @Brigs an idea? Thanks for the help.
@florus Did you pip install all the requirements on your box before compiling? If compiling, are you using the spec file from the repo? Have you tried the binary from the repo? Right side under releases.
1:08 PM
Getting an error installing the requirements.txt with ileapp. @Brigs an idea? Thanks for the help.
@florus Also install the items one by one so we can isolate what is the issue. Not sure what package gives you the error.
Avatar
@florus Also install the items one by one so we can isolate what is the issue. Not sure what package gives you the error.
@Brigs I'll check today. I'm quite positive it's the geopandas/fiona one. EDIT: I just checked. It's the geopandas package. I DM'ed you. I apologize for the amount of messages.
(edited)
Avatar
So I'm looking into the cache.sqlite, specifically the zrtcllocationmo table. I have googled and checked Sarah Edwards' blog, but can't find the answers. Does anyone know how accurate the speed row recorded is? What do the horizontal and vertical accuracy mean? I see values from -1 to 300+ in the cells. What does the Course column mean? (I am going to do some testing in the upcoming week, but need to deliver today or tomorrow) (edited)
Avatar
@Cellebrite In Physical Analyzer, how do I export tagged GPS coordinates to an Excel file? If I export them from the evidence tab I don't get the coordinates, because they are in the location (details) section. Is there a shortcut button to quickly select items in the main area so I can just use shift-click to select a portion of interest? (edited)
Avatar
CLB_iwhiffin 11/9/2020 4:05 AM
So I'm looking into the cache.sqlite, specifically the zrtcllocationmo table. I have googled and checked Sarah Edwards' blog, but can't find the answers. Does anyone know how accurate the speed row recorded is? What do the horizontal and vertical accuracy mean? I see values from -1 to 300+ in the cells. What does the Course column mean? (I am going to do some testing in the upcoming week, but need to deliver today or tomorrow)
@florus horizontal and vertical accuracy are in metres. Check out my post (www.doubleblak.com/blog/locations) for my research.
👍 1
4:08 AM
The speed is a little harder, but anecdotally, it seems to match the speed I’d expect for the road the person is on. In km/h. But I don’t know this for a fact. Someone else may be able to add more.
Avatar
Can someone tell me where in the Photos.sqLite database would indicate if an image came from an iCloud backup? I found the entry in ZGENERICASSET and I need to validate that it came from iCloud.
Avatar
@Joe Schmoe not sure if this is 100% what you're looking for but this is a super good resource: https://www.controlf.net/ios-photo-attribution-flowchart/
Flowchart for assisting in attributing photos which may have been synchronised via PhotoStream or shared via iCloud Photo Sharing.
Avatar
I have a phone that is giving the error "Find Device Closed Unexpectedly", reboots and comes back to the lock screen; after entering the password it gives the error again. Please guide me on how to solve it; it's a Mi Mobile 8A
Avatar
@Aero Thank you for that. I did check that but this file is “outside of the scope of the flowchart”.
Avatar
Deleted User 11/9/2020 11:30 AM
hello
11:30 AM
I am a noobie
11:32 AM
I am trying to pull the mmssms.db with adb but having issues. I was able to do a backup of the mmssms.db but not sure what to do now. I tried pulling it directly but got "permission denied". Thanks
Avatar
@Deleted User you can't do that. It would only work if you had adbd running with root permissions, which is not normal behaviour.
Avatar
Deleted User 11/9/2020 11:44 AM
@Arcain so I need to root the phone beforehand?
Avatar
Yes, and no. To be able to do adb pull on mmssms.db from its default location you would need to have adbd (adb daemon) on the phone running with root permission
11:47 AM
With root access on the phone, you would be able to access that path with adb shell, copy it to /sdcard/, and then pull from there (edited)
Avatar
Deleted User 11/9/2020 11:50 AM
ah ok
Avatar
@Cellebrite in the new PA, how can we comment on an artefact? We can see the section reserved for that... But right-clicks and other intuitive manipulations have no effect 😢
Avatar
Anyone experienced with statements surrounding images and videos stored on an Apple device, specifically associated to WhatsApp?
Avatar
Hello! We have a Samsung A202F (locked with code) that probably has Wickr installed. We have CB P. What is the best way to get something out of this app?
Avatar
Hello! We have a Samsung A202F (locked with code) that probably has Wickr installed. We have CB P. What is the best way to get something out of this app?
@Izzy I have almost the same (SM-A207F) with no known code, and I am stuck.
Avatar
I have two phones from one person. I have @Cellebrite full file system extractions of both phones. PA shows both phones have the same SIM phone number. Not unexpected, as I thought one might be an older phone since the screen was cracked. However, the cracked-screen phone's (a Galaxy A20) SIM phone number is different from the phone number listed in the phone's About Phone settings. The number listed in About Phone also happens to be the same as his WhatsApp number. I think this is caused by porting of an old number to the phone. Google searches indicate the same, but I am afraid I am just confirming what I want to see. Does anyone have any insight into this?
Avatar
@sholmes keep in mind the important piece on the SIM is the IMSI, not the tel number. Some carriers do not even update the tel #.
👍 1
Avatar
@Cellebrite I'm liking the new image categorization feature in Physical Analyzer but can we get an option to change the data directory for the AnalyticsEngine? You're killing my system drive and I'd like to put it on a faster drive with more space. Or did I have that option when I installed the GPU portion?
👍 2
Avatar
@Cellebrite I'm liking the new image categorization feature in Physical Analyzer but can we get an option to change the data directory for the AnalyticsEngine? You're killing my system drive and I'd like to put it on a faster drive with more space. Or did I have that option when I installed the GPU portion?
@criley4640 I will send this along. 🙂
👍 1
Avatar
chrisforensic 11/10/2020 11:40 PM
@criley4640 @heatherDFIR @Cellebrite yes, iman boosts up the folder "rocksdbdata" inside "AnalyticsEngines" on the system disk! Here in my case I have 72158 pictures... rocksdbdata increases to 12.2 GB !!! (edited)
💯 1
11:44 PM
On next start of PA, most files are cleaned up (folder has just 224 MB), that's good, but the option to select a destination (on another partition/hard drive) for this temporary data iman creates would be nice 😉 (edited)
Avatar
@Cellebrite (Apple extraction, iPhone 6s) In Physical Analyzer - you can find duplication of WhatsApp videos within DCIM folder like this on top right of PA
3:16 AM
How come this is not the case for images? I'm looking at illegal images and videos within a whatsapp conversation, and I can say that these files are stored within the photos app
3:16 AM
It's easier for videos because of Duplicate Videos section on top right
3:16 AM
but I can't do the same for images?
Avatar
Okay, I did a little messing about; some of the images received within WhatsApp can also be found in Photos and some can't.
Avatar
@Cellebrite Random question, but is there a way when generating reports to stop it creating the folder containing the date/time
3:56 AM
The "Report sub directory"
Avatar
Hi! Does anyone know if there is a way of determining how an image ended up in com.samsung.android.messaging/cache/image_manager_disk_cache/ ?
Avatar
@Cellebrite Using PA v7.39.1.2 - looks like the HTML view for emails has dropped; this was an issue in 7.38, which was rectified in the 7.39 update, but the latest version doesn't display emails? Known issue, or raise with support? Thanks
Avatar
heatherDFIR 11/11/2020 5:57 AM
@Cellebrite I'm liking the new image categorization feature in Physical Analyzer but can we get an option to change the data directory for the AnalyticsEngine? You're killing my system drive and I'd like to put it on a faster drive with more space. Or did I have that option when I installed the GPU portion?
@criley4640 It's being adjusted!
5:58 AM
@Cellebrite Using PA v7.39.1.2 - looks like the HTML view for emails has been dropped. It was an issue in 7.38, which was rectified in the 7.39 update, but the latest version doesn't display emails? Known issue, or raise with support? Thanks
@Akko I would raise to support. If it's a known issue they will cancel the ticket.
Avatar
@criley4640 It's being adjusted!
@heatherDFIR Thank you, ma'am!
Avatar
Anyone know why @Cellebrite Physical Analyzer doesn't report horizontal accuracy values from Cache.sqlite? I'm working a major case and they're definitely coming into play. It reports a location for the device, but other tools are reporting the horizontal accuracy value so we can see that it's possibly highly inaccurate, like between 1500 and 7000 feet. Just looking at a PA report would not give examiners/detectives any idea that it's so inaccurate versus other locations at single-digit accuracies.
Avatar
@Cellebrite Random question, but is there a way, when generating reports, to stop it creating the folder containing the date/time?
@Rob I've always just selected my destination as one folder up from where I actually want to put it and then write whatever folder I want in the Report Sub Directory bit.
7:31 AM
I guess that works somewhat
Avatar
Bit of an awkward work around - but I don't know if you can get rid of that field.
👍 1
Avatar
Hi! I have a bunch of interesting images found on an iPad in the folder /private/var/mobile/Containers/Shared/AppGroup/<Application-ID>/File Provider Storage/ In this folder there are a bunch of subfolders called either item-1-<numbers/letters> or item-1-tmp_<numbers>. The interesting stuff is in the latter. Other files in the App-ID folder suggest that it's from OneDrive, but I'm wondering what the pictures in item-1-tmp_<numbers> are. If anyone has encountered them before or has any whitepapers on the matter I would be very thankful!!
Avatar
ScottKjr3347 11/11/2020 8:01 AM
It's easier for videos because of Duplicate Videos section on top right
@Pacman use caution ⚠️ when using the merge duplicate setting in PA. I would encourage you to view your device data with that setting turned off when you first analyze the data. PA uses the hash of a file, the name of a file and other algorithms to determine if a file is a duplicate. I have found that the same file (hash match) can exist in different file locations and the files existing in the different file locations could indicate a user's interaction. Thus if you merge duplicates you will not see items being placed in the timeline in their appropriate location chronologically. Very similarly to what you are seeing in your screenshot. Here is a short video demonstrating some differences in merge and not merge. https://youtu.be/dhO3wxb4ncE
👍 4
Avatar
Hi! I have a bunch of interesting images found on an iPad in the folder /private/var/mobile/Containers/Shared/AppGroup/<Application-ID>/File Provider Storage/ In this folder there are a bunch of subfolders called either item-1-<numbers/letters> or item-1-tmp_<numbers>. The interesting stuff is in the latter. Other files in the App-ID folder suggest that it's from OneDrive, but I'm wondering what the pictures in item-1-tmp_<numbers> are. If anyone has encountered them before or has any whitepapers on the matter I would be very thankful!!
@Cygonaut might not be 100% accurate, but I believe the 1st relates to WhatsApp potentially.
8:56 AM
At least I saw that folder in conjunction with WhatsApp in a case yesterday
Avatar
Wow...it's been a bit since I've used @Brigs iLEAPP on a FFS. I used the GUI version for what I thought was a quick hit for some things and didn't read the latest versions of the README. Please be aware that it exports a lot of media files now and the run time is significantly longer than it used to be. I suggest that you customize your options and use the cli, if possible. Still a phenomenal tool!
Avatar
Yes! If you deselect the photosMetadata module it will avoid the media files portion, which does take time.
Avatar
Yes! If you deselect the photosMetadata module it will avoid the media files portion, which does take time.
@Brigs Thanks. I realized that a bit late and so, at least, I'll get to see all that it can do now!
11:05 AM
Hey, @Brigs , I did have a question: with your custom AXIOM artifacts on the Exchange, how much crossover is there between iLEAPP/ALEAPP standalone versus the custom artifacts in AXIOM? I just went to the Artifact Exchange for the first time in quite a while and saw your artifacts and haven't had a chance to test.
Avatar
There is some but not all since I can't do certain parsing due to the Python version and restrictions Axiom has. Restrictions that make sense from the security standpoint of a third party vendor product. That is one of the reasons iLEAPP exists. You can use it as a framework to parse anything. I believe that if the vendors see open source artifacts being used they will try to emulate/add similar parsers faster because the community is showing there is a need. Hope that made sense.
Avatar
There is some but not all since I can't do certain parsing due to the Python version and restrictions Axiom has. Restrictions that make sense from the security standpoint of a third party vendor product. That is one of the reasons iLEAPP exists. You can use it as a framework to parse anything. I believe that if the vendors see open source artifacts being used they will try to emulate/add similar parsers faster because the community is showing there is a need. Hope that made sense.
@Brigs Definitely makes sense. Thanks!
nateY 1
Avatar
@Brigs Definitely makes sense. Thanks!
@criley4640 So I made the photosMetadata artifact deselected by default. I will do so with any modules that take a lot of time. If the user wants to run all (if processing time is not an issue) they can press Select All or go to the artifact and enable it via the checkbox. Let me know if this solution works better.
💯 1
Avatar
Nullable Truth 11/12/2020 1:14 AM
@chrisforensic Hey Chris, if you want a quick fix to set a new destination folder for AnalyticsEngine, you can use Symbolic Links
1:16 AM
@Brigs What are the python restrictions on AXIOM? Is it similar to UFED where they use IronPython 2.7 ?
Avatar
Anyone know a tool which decodes yahoo mail? Tried ufed and axiom but no dice
1:52 AM
Also, has anyone had issues adding a ufed binary to axiom?
Avatar
@King Pepsi what AXIOM version are you running?
Avatar
@King Pepsi What version of Yahoo Mail and was it on iOS or Android? XRY should offer decoding support for Yahoo Mail version 6.2.4 on Android (edited)
Avatar
@King Pepsi what AXIOM version are you running?
@Aero 431.20814 is our current one
2:23 AM
@King Pepsi What version of Yahoo Mail and was it on iOS or Android? XRY should offer decoding support for Yahoo Mail version 6.2.4 on Android
@Erumaro ahh 5.36, I’ll give that a go!
Avatar
@King Pepsi 5.36.0 has also been confirmed as supported since XRY 7.11 so shouldn't be any issues, just let me know if you run into anything! 🙂
Avatar
@Erumaro awesome, thank you!
Avatar
@Cellebrite Is it possible to tag multiple items at once in PA in the thumbnail view? I am only able to select one picture. (edited)
Avatar
Is anyone from @Cellebrite available to discuss an error occurring in UFED PA? Many thanks.
Avatar
CLB-drorimon 11/12/2020 4:29 AM
@Pixel , you can DM me
👍 1
Avatar
@Brigs What are the python restrictions on AXIOM? Is it similar to UFED where they use IronPython 2.7 ?
@Nullable Truth iLEAPP is Python 3. Regarding Axiom (just like PA) you can't just import any library you want. Honestly I'm not sure what Axiom uses.
Avatar
@Cellebrite Is it possible to tag multiple items at once in PA in the thumbnail view? I am only able to select one picture.
@rck5109 I would like an option to shift or control select several images/or rows of interest and then use a shortcut-button to 'select them all'. Now we have to click them one by one.
Avatar
heatherDFIR 11/12/2020 5:55 AM
@rck5109 I would like an option to shift or control select several images/or rows of interest and then use a shortcut-button to 'select them all'. Now we have to click them one by one.
@florus I just tried and I can use SHIFT and CTRL to select images and then click on the tags and it works. I am using 7.39.1.2.
Avatar
@florus I just tried and I can use SHIFT and CTRL to select images and then click on the tags and it works. I am using 7.39.1.2.
@heatherDFIR You are right. In my case I tagged GPS coordinates and wanted to export them in the tag view: it exported all information except the coordinates... 🙂 If I export them directly from the analysed view, it does export them. A ticket has been raised on this specific case. It would be handy if I could just select multiple, not using the tag option.
😊 1
Avatar
@heatherDFIR along that same idea is there a way to scrape all locations at once in the location tab?
Avatar
heatherDFIR 11/12/2020 6:06 AM
@heatherDFIR along that same idea is there a way to scrape all locations at once in the location tab?
@Neon To do what with it? Export to a spreadsheet or something? My concern with this request is to make sure you validate first. 🙂 But you can go to Locations>Export> and then choose your format. Let me know if that doesn't make sense.
6:06 AM
You know - you all are giving me great Tip Tuesday ideas. 🙂
6:07 AM
@Neon you can also select kml if you want to leverage that!
Avatar
Nullable Truth 11/12/2020 6:12 AM
@Brigs, perhaps one of the @Magnet Forensics users know, which flavour of python their software is using
Avatar
The speed is a little harder, but anecdotally it seems to match the speed I'd expect for the road the person is on, in km/h. But I don't know this for a fact. Someone else may be able to add more.
@CLB_iwhiffin Hi Ian, I did check your blog. I forgot about that. Any idea what the local.sqlite-wal means? From the 8000 GPS coordinates I have 1 from the local.sqlite-wal... (PA decodes this as an entry 'for' frequent location in ZRTLEARNEDLOCATIONOFINTERESTMO but it doesn't show up if I look into the .wal manually. So I'm trying to understand how PA determines this)
(edited)
Avatar
Hi people, does anyone have any insights into whether iOS/iPadOS tracks a user disabling the option to set the date/time automatically and then manually changing the settings themselves? The question relates to an iPad, but I do not have further info on the OS version or iPad model
Avatar
@bizzlyg Heather helped me a little while ago and suggested this... Do you have a date around when you know this might have happened? Could try going to timeline view and looking around the date of interest. You might see an entry in the current powerlog or have a look in that 🙂 (edited)
👍 1
Avatar
Hi all, I've written up an interesting Android artefact that I don't hear that much talk about, hope it's useful and/or interesting! https://www.cclsolutionsgroup.com/post/fcm-queued-messages-on-android
"Life always offers you a second chance. It’s called tomorrow" (or FCM Queued Messages if you're talking to our Principal Analyst Alex Caithness). In his latest blog, Alex explains how FCM Queued Messages can lead us to Android artefacts that present a golden second opportunit...
👏 1
android1 1
👍 1
Avatar
@bizzlyg also have a look at the time / date locations on the back page of this Sans poster
Avatar
@JMK thanks a lot 🙂
👍 1
Avatar
@Akko I would raise to support. If it's a known issue they will cancel the ticket.
@heatherDFIR Thanks Heather!
Avatar
So far the person investigating this has not provided answers to further questions we had; it's one of those "we think they did this, can you prove it" open-ended/borderline fishing requests.
7:48 AM
but at least if they can provide some proper details there is some places to look, thanks
Avatar
CLB_iwhiffin 11/12/2020 7:49 AM
@CLB_iwhiffin Hi Ian, I did check your blog. I forgot about that. Any idea what the local.sqlite-wal means? From the 8000 GPS coordinates I have 1 from the local.sqlite-wal... (PA decodes this as an entry 'for' frequent location in ZRTLEARNEDLOCATIONOFINTERESTMO but it doesn't show up if I look into the .wal manually. So I'm trying to understand how PA determines this)
@florus It's likely just an entry that has not been committed to the main sqlite database yet.
Avatar
@Neon you can also select kml if you want to leverage that!
@heatherDFIR Sorry, I meant in PA you can't select retrieve all addresses. I think it's limited to 300 at a time.
Avatar
@heatherDFIR Sorry, I meant in PA you can't select retrieve all addresses. I think it's limited to 300 at a time.
@Neon they recently increased it to 2000 at one time.
Avatar
@Neon they recently increased it to 2000 at one time.
@criley4640 Is there a way to select all?
Avatar
@criley4640 Is there a way to select all?
@Neon no but you can Shift-click a set of 2000 at a time.
Avatar
@Neon no but you can Shift-click a set of 2000 at a time.
@criley4640 Okay making sure there wasn't an easier way. Thanks
👍 1
Avatar
can anyone point me in the right direction as far as Cash App parsing. Phone has a whole bunch of transactions and what not, but nothing parsed by Cellebrite (PA 7.34.0.38)
@binarycanary did anyone respond to your question back in August or did you find anything to help other than pure manual parsing? Thanks!
Avatar
@binarycanary did anyone respond to your question back in August or did you find anything to help other than pure manual parsing? Thanks!
@criley4640 If anyone has some sample data to share I could give it a shot and add the capability to iLEAPP if possible.
Avatar
@Brigs if I remember correctly, there's Cash App data in at least one of the Cellebrite CTF images...
Avatar
Hey, @Brigs , I did have a question: with your custom AXIOM artifacts on the Exchange, how much crossover is there between iLEAPP/ALEAPP standalone versus the custom artifacts in AXIOM? I just went to the Artifact Exchange for the first time in quite a while and saw your artifacts and haven't had a chance to test.
@criley4640 Hi! So there are a few artifacts on the Artifact Exchange that say iLEAPP and ALEAPP, those are for bringing the results from ALEAPP/iLEAPP into AXIOM. Actually working on getting WAY more up there by the end of next week. This will allow you to look at iLEAPP/ALEAPP results alongside your parsed results in AXIOM :). I will be doing a tips and tricks session next Thursday at 11am ET where I will be demonstrating this.
1:18 PM
@Brigs ^
Avatar
@Brigs, perhaps one of the @Magnet Forensics users know, which flavour of python their software is using
@Nullable Truth uses IronPython 2.7 I think
Avatar
Jessica is correct, as always, regarding importing results. With MCAG you can import all sorts of results. Good stuff. This is good because some of the iLEAPP artifacts cannot be made directly into a custom artifact. Being able to import the output bridges that gap.
Avatar
Yes, did this for one the other week. If you can get any results back to TSV or CSV, MCAG makes it easy to build a custom artifact for AXIOM
Avatar
Also, I just made about 30 ALEAPP artifacts that will be on the Artifact Exchange soon 🙂 - They just need to go through the approval process 😉
👍 1
Avatar
@Cellebrite Had a random PA parsing question for anyone who can answer it. We had a recent homicide where a witness and the suspect were chatting using iMessage prior to the incident. (I'm pretty sure it was iMessage; I don't have the data extraction at home with me.) After the incident there are no messages or calls between the witness and the suspect, but there is an entry in the timeline with the suspect's number. The category of data is instant message, and when I look for the source file it's in the recents database. The lead detective is wondering what this entry actually means and I didn't really have a great answer. (edited)
Avatar
CLB_iwhiffin 11/12/2020 7:10 PM
It’s a remnant of the message that was sent/received, but the actual message has been deleted. Check the sms.db file for a missing rowID at the time you expect and also check InteractionC / contacts for lastreceived or lastsent for the number of interest for additional confirmation. You likely won’t recover the message itself (although outgoing messages can sometimes be found in KnowledgeC as a “SendMessageIntent” object)
👍 6
Avatar
@Brigs The values displayed in the output of iLEAPP: are they the raw timestamp/date from the database, or converted to the timezone detected on the device?
Avatar
@Brigs The values displayed in the output of iLEAPP: are they the raw timestamp/date from the database, or converted to the timezone detected on the device?
@florus Html report home page:
(edited)
👍 1
Avatar
I'm having issues importing this binary file into UFED, it doesn't seem to decode anything normal. This is a Samsung S8 extracted using XRY - I'm doing some comparison tests
6:02 AM
@Cellebrite Can you assist? The binary file was exported using XAMN element, and I've selected Samsung S8 G950F Physical ADB profile and selected the binary file. (edited)
6:03 AM
6:03 AM
This is the result which is very little.
Avatar
@Cellebrite The aggregated location: how must I interpret the value it's showing in PA? I have a GPS coordinate from Cache.sqlite from the table ZRTCLLOCATIONMO with an aggregated value of 15. Are there 15 registrations on the exact same coordinate, so it merges them as one row in PA? (edited)
Avatar
binarycanary 11/13/2020 6:44 AM
@binarycanary did anyone respond to your question back in August or did you find anything to help other than pure manual parsing? Thanks!
@criley4640 Nope unfortunately not.
Avatar
@Cellebrite The aggregated location: how must I interpret the value it's showing in PA? I have a GPS coordinate from Cache.sqlite from the table ZRTCLLOCATIONMO with an aggregated value of 15. Are there 15 registrations on the exact same coordinate, so it merges them as one row in PA?
@florus there are 15 location records, all within the threshold of 15 meters and no more than 5 minutes between them
Avatar
@florus there are 15 location records, all within the threshold of 15 meters and no more than 5 minutes between them
@CLB-ChenK Thanks. That makes sense. I'll dive into the database to do some validating 🙂
👍 1
Avatar
Sure, You can also disable the aggregation in the PA settings if you want all the locations parsed from this table
👍 1
Avatar
It’s a remnant of the message that was sent/received, but the actual message has been deleted. Check the sms.db file for a missing rowID at the time you expect and also check InteractionC / contacts for lastreceived or lastsent for the number of interest for additional confirmation. You likely won’t recover the message itself (although outgoing messages can sometimes be found in KnowledgeC as a “SendMessageIntent” object)
@CLB_iwhiffin thx Ian!
Avatar
@Pacman is it a single bin, you should be able to just run Android DD chain
Avatar
@CLB_iwhiffin Reference that possibly deleted text message: the device was an iPhone XR and I was only able to get a partial file system and advanced logical. checkm8 wasn't available to get a full file system. I can't recall whether the InteractionC and KnowledgeC DBs are available with that limited extraction? Or is it in the sysdiagnose file? (edited)
Avatar
Joe 🍿🍺 11/14/2020 12:22 AM
Using UFED PA 7.38 for a FFS dump of an iPad, I found a screenshot of a webpage opened in Safari. The webpage was interesting, but I could also see another tab was open with a Google search string which was even more interesting. I could only see the text describing what was searched for. In the screenshot I could see Safari was in Private mode, but in history.db-wal I found the opened webpage which was screenshotted; the Google search made in that other tab was not found. Any ideas of how I can find more evidence of that other tab? I made a string search in history.db-wal for the text in the tab but did not find anything.
Avatar
Is there a way to load Paraben .ds files into Axiom or Cellebrite?
Avatar
chrisforensic 11/14/2020 8:34 PM
good morning mates 😉 how do you handle the extraction/decoding of existing mods of WhatsApp? There are some out there (GBWhatsapp, OGWhatsapp, YoWhatsapp etc.)... as far as I know they are not supported by the forensic products we use.. ❓
Avatar
chrisforensic 11/14/2020 10:36 PM
10:36 PM
10:36 PM
Avatar
@chrisforensic XRY should have decoding support for some versions of GB WhatsApp, OB WhatsApp and WhatsApp Plus 🙂 No downgrade support currently but should decode from Physical extractions! For some reason these are not yet mentioned in the device manual but I will check and see if this can be improved!
Avatar
chrisforensic 11/15/2020 11:58 PM
thanks @Erumaro will try it tomorrow at work 👍
12:01 AM
but as I remember, the phone is a SM-A015F... can't get physical at the moment 😩 (edited)
Avatar
I have a full file system dump from an iPhone X with iOS 13 and I have located some pictures in root/private/private/var/Containers/Data/Application/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/tmp/MFScreenshotService/ The file names have the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX just like the folder. The application points to com.apple.mobilemail. The pictures are screenshots of emails. I guess these are screendumps the system makes. I analyzed the files and they are not picture files. They're PDFs. It seems the files are created by the system when the user uses the function "Print Email". The files are also available in a BFU dump. (edited)
Avatar
Has anyone come across the app 'coffee meets bagel' and know if any tools parse it? Thanks
Avatar
@dfmiket XRY supports it on Android 👍 The package name is com.coffeemeets.bagel if you need help locating it.
Avatar
Is there a way to extract a passcode from a physical extraction of a device using KaiOS 1.0? (edited)
Avatar
Does anyone know of a repository of previously decoded SQLite databases for mobile apps using Cellebrite? I need to get Cash App transactions from the Square database.
Avatar
@Oysterhook look at the supported apps Excel within PA.
Avatar
Hello 👋 Is there an Android dev specialist? Do you have a cheatsheet for symlinks? It's about CSE content localization. Thank you in advance 🙂
2:27 AM
@Nitraz_ it's not only for you 😉
2:30 AM
Thx to @heatherDFIR and others for this job
Avatar
Hi @Cellebrite or anyone else that may know... I am patiently waiting for PA 7.39.1.2 to open a checkm8 extraction for me, however it has been stalling on Parsing Emails for the last two hours. Do I need more patience or is it a known issue? Thank you
Avatar
@ApC is that showing via the trace window? I'm assuming if no error has been thrown there may be a large volume of emails. I've had it hang on chats for hours before (due to the large volume of chat messages), so it may be a similar case with the emails, I could be wrong though 🙂
Avatar
@Aero No error, just stuck on emails. Hopefully it is that. The phone seems quite empty, so I am hoping the owner is an email hoarder and that's the cause of the delay 🙂
Avatar
Fingers crossed! 🤞
Avatar
Good morning, would anyone have knowledge of examining Hike Chat App artefacts? Or know of any tools for parsing the associated DBs?
Avatar
DeeFIR 🇦🇺 11/17/2020 11:59 AM
Would anyone happen to have a Telegram deep dive analysis paper, possibly highlighting potential configuration options (such as default save to roll options being enabled)? Thanks in advance.
Avatar
Avatar
Aero
Fingers crossed! 🤞
Just the 8 hours to parse through the emails!!
👍 1
Avatar
Bloody hell! Glad it got there in the end for you 😁 👍
😂 1
Avatar
does anyone know what the .Shared folder in WhatsApp is there for? (/media/0/WhatsApp/.Shared/) I found some incriminating videos in there and now the question is: have those been sent/received/mixed/unknown?
Avatar
@Cellebrite Getting a potential parsing error for Emails in PA 7.39.1.2, just hoping someone can clarify if all is fine or not.
2:46 AM
iPhone XR, iOS 14.01
Avatar
CLB-drorimon 11/18/2020 2:59 AM
@Rob you can DM
Avatar
Deleted User 11/18/2020 3:17 AM
does anyone know what the .Shared folder in WhatsApp is there for? (/media/0/WhatsApp/.Shared/) I found some incriminating videos in there and now the question is: have those been sent/received/mixed/unknown?
@Zoidberg We have done some research about that, but my final conclusion is "Mixed"... For example, some GIFs previewed before sending can be stored here. It seems this is a temporary hub for potentially shared things.
Avatar
Thanks!
Avatar
Deleted User 11/18/2020 3:19 AM
If someone has a better explanation, we would like to know too 🙂 (edited)
Avatar
Is anybody intimately familiar with Kik? I have some illegal videos in the path of "co.happybits.anyvideo.kik". I assume these aren't cached videos as there is another file path of "kik.android.cache". I'm trying to figure out in what state these videos exist on the phone. Are they saved (by user or phone), already viewed, etc. If cache on a phone is like that of a computer (of which I'm familiar), then there was no user input to save the videos and they'll get thrown out. But, this is a phone, not a computer.
Avatar
FATHEAD7466 11/18/2020 8:39 AM
A GPG file came back from Apple (70 GB) and it was decrypted using the Kleopatra software (70 GB) and it produced a zipped file. Once it was unzipped using 7zip only a 20 GB file was produced. Is it normal for that much data to be missing?
Avatar
Avatar
LawDawg
Is anybody intimately familiar with Kik? I have some illegal videos in the path of "co.happybits.anyvideo.kik". I assume these aren't cached videos as there is another file path of "kik.android.cache". I'm trying to figure out in what state these videos exist on the phone. Are they saved (by user or phone), already viewed, etc. If cache on a phone is like that of a computer (of which I'm familiar), then there was no user input to save the videos and they'll get thrown out. But, this is a phone, not a computer.
DeeFIR 🇦🇺 11/18/2020 4:12 PM
Is it shared content, or is it user generated content?
Avatar
DeeFIR 🇦🇺 11/18/2020 8:32 PM
Is anyone able to tell me whether a user's interaction in the default "Files" app on an Android device is recorded anywhere? I'm looking to see if there are any logs or configuration files which would indicate a user has manually browsed to a specific location on the device or microSD card and viewed those images.
Avatar
@Cellebrite Anyone able to DM? Got an issue where a UFDR fails unexpectedly in PA, but it lets me create an HTML file for the same case without error (with exactly the same data types)
Avatar
Hey guys. I have a GK AFU which I decode in Axiom. I wonder if someone has more information about a specific path that is used with the Snapchat app. Axiom defines media in this position as "Received Snapchat Videos": private\var\mobile\Containers\Data\Application\84AF5B0E-A6FF-4B99-B44A-0AC6E375C2CE\Library\Persistent\SCMedia\cm-chat-media-video-ELDOwx4i6vaai9X2yyZLk.mov But I also find media that is carved in this folder, what about this position? private\var\mobile\Containers\Data\Application\84AF5B0E-A6FF-4B99-B44A-0AC6E375C2CE\Documents\com.snap.file_manager_3_SCContent_49cde46f-1272-4fff-9fc8-d7fff3469376\3837228004108678161 Thankful for all info that could be passed on.
Avatar
Hey all, I'm currently looking at a BFU dump of an iPhone. In particular some videos in the WhatsApp folder Containers\Shared\AppGroup\APP ID HERE\Message\Media\MOBILE_NUMBER_HERE@s.whatsapp.net Other than the sent folder being present (which it isn't), and without the chat logs... Is there any other way to determine if the video content in this folder is sent to or received from the mobile number of the chat folder in question? Thanks in advance! (edited)
Avatar
Anyone from @Magnet Forensics for a quick DM about Wickr?
Avatar
Hi all, I'd like to ask if has anyone searched about the meaning of facebook urls, especially what do the m.facebook.com/messages refid numbers mean? If there is any paper or just personal tests, I'd appreciate any help. I tried to recreate these urls, but I only could recreate refids 8,11 and 12. I am interested what does refid=17 mean. These are urls from mobile facebook from the browser.
Avatar
@Cellebrite In a Cellebrite extraction of an iPhone, I have a question about the Health app. I ask for an explanation of the meaning of "Last Launch", "Start time" and "End time". The "Last Launch" is confusing, because it can be timestamped between start and end, but it can also be timestamped a long time after the end time. I will try to insert rows to show examples of both situations... It has to be explained in court in a case about attempted murder.
3:51 AM
Row 4, 5 and 6 shows the difference
Avatar
Avatar
JMK
Anyone from @Magnet Forensics for a quick DM about Wickr?
I Am here if you need me.
Avatar
@Gulyás DM me (edited)
Avatar
General question about Cellebrite Reader. If you run a watchlist in PA and identify items from it, and you exclude those items as they are privileged communication: can you still possibly recover those from the Reader file, maybe in another tool at the hex level, or when marked as do not include and the Reader report is made, are they excluded entirely?
Avatar
Avatar
3X3
Hey all, I'm currently looking at a BFU dump of an iPhone. In particular some videos in the WhatsApp folder Containers\Shared\AppGroup\APP ID HERE\Message\Media\MOBILE_NUMBER_HERE@s.whatsapp.net Other than the sent folder being present (which it isn't), and without the chat logs... Is there any other way to determine if the video content in this folder is sent to or received from the mobile number of the chat folder in question? Thanks in advance! (edited)
Just bumping this incase anyone were to know, any help appreciated. 🙂
Avatar
Avatar
Ghosted
General question about Cellebrite Reader. If you run a watchlist in PA and identify items from it, and you exclude those items as they are privileged communication: can you still possibly recover those from the Reader file, maybe in another tool at the hex level, or when marked as do not include and the Reader report is made, are they excluded entirely?
CLB-drorimon 11/19/2020 8:14 AM
Excluded items aren't included in a report. If you are referring to ufdr format, it is just a zipped xml. You can verify the privileged communication isn't there by looking into it with 7z, for example.
👍 2
Avatar
@DeepDiveForensics Just tried the @Cellebrite PA v7.40.0.63 Beta last night. It has solved the Image Categorisation issue for older CPUs that were having difficulty. Works like a charm on both my older test PCs 👍 cellebrite
👍 2
Avatar
@Cellebrite Anyone available for a really quick question regarding PA? (edited)
Avatar
Forensic@tor 11/20/2020 4:08 AM
@FATHEAD7466 you have to decrypt it but leave it zipped. Parse it with PA.
Avatar
Hello! Does anyone know if it's possible to resize thumbnails on Images tab in Oxygen Forensic Detective? (I want to make them larger so i don't have to open each file for preview) (edited)
Avatar
Oxygen Forensics 11/20/2020 5:22 AM
@s.m. Hello! No, currently it is not possible to resize thumbnails on Images tab.
🆗 1
Avatar
Mr. Eddie Vedder from Accounting 11/20/2020 5:29 AM
Anyone familiar with the Kik db? I'm trying to determine if the suspect was admin/mod for some of the channels he traded in. Trying to see if there is a flag anywhere, or other indications like him receiving DMs from RageBot when a user joins or leaves
Avatar
@Cellebrite I have an older extraction from a Samsung Galaxy S3 which we use for testing. In older versions of PA there was an Application Usage tab within the Installed Applications category which looked at the dmappmgr.db and showed things like last launch, app usage duration etc. In more recent versions of PA (I am using 7.39.1.2 now) this information is no longer shown; in the Applications tab there is now only a sub-tab for Installed Applications and not Application Usage. Was this an intentional change? Is the information previously shown as 'Application Usage' now displayed somewhere else? I can manually locate the dmappmgr.db in the new PA and look at it in the database view, and the raw data is all there, as expected. Thanks (edited)
5:49 AM
The older PA which shows this info as 'Application Usage' I just tested with was 7.28 (edited)
Avatar
I can’t say I know. I’ll let one of the R&D people answer that one @bizzlyg
Avatar
@Mr. Eddie Vedder from Accounting I would also be interested in this.
7:34 AM
I know the IMEI from your Gmail account can be found with legal compliance; however, can you give an IMEI number to Google and say, "Can you tell me all other Google Accounts utilizing this IMEI"?
Avatar
Anyone have issues with pulling messages from groups on Snapchat? Thanks in advance
Avatar
Is it a known issue for Huawei phones not having this folder "/data/system/usagestats/" ?? Or they save usagestats data in a different path ? This particular device is a P30 Pro with android 10.
Avatar
Mistercatapulte 11/22/2020 8:33 AM
UsageStats If you are unfamiliar with this artifact, Alex Brignoni explains the UserStats artifact in the blog post here . Located at /da...
8:34 AM
or maybe @Brigs can help u more 🙂
8:35 AM
i don't have "a lot" of XP with huawei devices... (edited)
Avatar
@Mistercatapulte I knew about this but in my image the folder where usagestats logs should be seems missing
Avatar
Usagestats can be turned off. Maybe that's it?
Avatar
@Brigs I assume this is a possible explanation. If this is not the case, is it possible to look at usagestats data from the phone itself?
Avatar
There are several ways to check your app usage on an Android phone or tablet, all of which can be found in your Settings app.
8:40 AM
Don't forget screen time.
Avatar
Thanks @Brigs . "Screen time"??
Avatar
Well digital well being.
8:42 AM
Is android version of screen time.
8:42 AM
Each time I have created an Android image I have found something new. Google Assistant and Android Auto were results of Nougat and Oreo, and the changes I found in Google Assistant were a result of…
Avatar
Aleapp parses those as well.
Avatar
The reason for these questions is that I'm trying to establish if a driver was interacting with the phone at the time of a car crash
Avatar
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
8:44 AM
Yes. That is a pretty common reason for using these databases.
Avatar
@Brigs I tried Aleapp but it gets very limited data because relevant files seems to be missing
Avatar
No tool can pull out data that does not exist.
💯 2
Avatar
@Brigs This is a universal law 🙂
😃 1
Avatar
Avatar
Brigs
Yes. That is a pretty common reason for using these databases.
This is often a very difficult question to answer. By the way, in this case I extracted the phone with UFED (Logical + File system + APK Downgrade), I made a Huawei backup and extracted a physical with Oxygen (then exported the entire file system as an archive). Using these "mixed" extractions I analyzed data with Cellebrite P.A., Magnet Axiom and Oxygen Forensic Detective. Now comparing the timeline view from the 3 tools and they are all different ..... 😦
Avatar
1) Full file system or unencrypted physical will give better results. Some of those databases are not accessible any other way as you know. 2) Tool parsing time differences happen a lot. It depends on settings, time zone difference, data source, sometimes only modified time available etc... If something is important I export it and manually verify it. Build on top of what I know and have the tools assist me.
9:06 AM
But yes, not an easy task at all.
9:07 AM
You are absolutely correct @FabianoQ (edited)
Avatar
Ever heard about this: "/Data/log/dubai/dubai.db" ? @Brigs (edited)
Avatar
Searching Google for "/Data/log/dubai/dubai.db" I get 1 result coming from this site that seems quite interesting ... http://newandroidbook.com/ddb/
Avatar
@FabianoQ If you got your phone in less than 24 hours and you haven't restarted it ... You can possibly make an adb report. You have very precise details of the interactions
Avatar
@rico Thanks, unfortunately this is not the case but please tell me more about this maybe can be good to know in a future circumstance
Avatar
In some cases it's even my 1st thing I do (I created a script to go faster)
Avatar
is it something public?
Avatar
These are the system logs. And the detail is sometimes eye-catching but sometimes poor or anonymized.
Avatar
Can be obtained with native adb commands?
Avatar
I don't have a min script here but tomorrow at the office I can share it
👍🏼 1
Avatar
Thanks, I would really appreciate it. What circumstances make the difference between "eye-catching" and "poor or anonymized"? Different make? Different Android version?
Avatar
You can do these commands: adb logcat, adb shell dumpsys
Avatar
Avatar
FabianoQ
Thanks, I would really appreciate it. What circumstances make the difference between "eye-catching" and "poor or anonymized"? Different make? Different Android version?
All these parameters!
Avatar
and this data is lost when the phone is switched off or rebooted?
Avatar
As always, you need luck ... and also knowing how to take your chance
Avatar
Avatar
FabianoQ
and this data is lost when the phone is switched off or rebooted?
Some yes and some no
Avatar
I'll introduce this into my habits..
1:27 PM
In the best conditions do these logs contain information that can tell if the user was physically interacting with the phone at a given moment?
Avatar
Although the raw files are quite small in the range of 3 to 5MB ... you can really have the kind of detail you were looking for. In RAM there can be time for each app with start-end ... Display time, foreground application, some geo-location ....
1:31 PM
I invite you to test these commands if you are curious and filter with keywords ... or timestamps
1:32 PM
I do it as soon as I can because as my old boss used to say: the demon is in the details!
1:34 PM
On the other hand, parsing this data can be long and austere ... But with practice we know where and how to search
Avatar
If it does not require root access, it can't harm to collect this data as a standard part of an Android device examination..
Avatar
You don’t need root access. Only adb enable.
Avatar
Did a quick test against my OnePlus 6T, logcat produced 6300 lines and dumpsys 8700. Tomorrow I'll study these logs (edited)
❤️ 1
1:45 PM
Thanks @rico
😁 1
Avatar
Greetings & Salutations! I have a question similar to what @jeffwold had earlier this year. I have some illegal files in a SM-G955U. I was only able to get a logical from the phone. All the files have similar paths, with one example being sdcard/DCIM/.thumbnails/.thumbdata4-1763508120/.thumbdata4-1763508120_embedded_46.jpg. My question is, are thumbnails in phones similar to that of computers? Are they created upon the opening of an image? I want to be able to answer how the thumbnail came to be.
Avatar
Hi All, anyone have any experience with Huawei safes? The one present under my files. Is anyone aware if the safe wipes if the pin is entered so many times? As it states only 3 attempts left etc.
Avatar
@Cellebrite Is there a way to generate a report with "Tags Only" and still include the device info? I'm limited by my search warrant what I can include in the report, but when checking the "Tags Only" box, it removes the ability to include the device info.
Avatar
@LawDawg isn't device info included by default?
Avatar
I thought it was in the past. But I just did a report and opened it and the device info was not included.
Avatar
Hmm strange
Avatar
I'll check my settings. Maybe I screwed it up.
Avatar
Avatar
LawDawg
@Cellebrite Is there a way to generate a report with "Tags Only" and still include the device info? I'm limited by my search warrant what I can include in the report, but when checking the "Tags Only" box, it removes the ability to include the device info.
Once you select "Tags Only", the Data Types section gets greyed out. You can't select Device Info. However, a quick workaround is to Select your "Tags Only" and create a UFDR. Then create a second UFDR for Device Info only. Downside is you end up with 2 UFDR's. If you want a single UFDR simply load the "Tags Only" UFDR then load the "Device Info" UFDR and merge them. Now create a single UFDR to get both into one single UFDR. That's what I do.
11:42 AM
11:43 AM
You didn't screw up 😀
Avatar
Okay. Maybe @heatherDFIR can beat someone at @Cellebrite with a stick to change this.
🤣 1
😆 2
cellebrite 1
11:44 AM
Or even just add a check box to include it with the "tags only".
Avatar
CLB-drorimon 11/23/2020 11:47 AM
We accept also chocolate, just saying 😉
Avatar
If that fixes it, send me an address.
Avatar
With a long stick attached to dangle it
Avatar
CLB-dan.techcrime 11/23/2020 12:06 PM
Gonna need a long stick to reach Israel fellas!
😆 2
Avatar
Avatar
CLB-dan.techcrime
Gonna need a long stick to reach Israel fellas!
Don't worry, there's something big I'd love you to do for us, so chocolates could be coming west as well 😉
Avatar
PA will include any checked item in a report (likewise unchecked items can’t be reported). If you go to settings and mark everything unchecked by default, you can then check your tags and device info to be included in a single report.
👍 1
Avatar
@FabianoQ https://github.com/Magpol/AndroidLiveInfo/blob/master/AndroidLiveInfo.sh Old script I made. But if you look into it you will see what kind of info you can get from dumpsys and other dump commands. usagestats, device state, accounts etc etc. (edited)
Script to gather basic information about a live android device. - Magpol/AndroidLiveInfo
Avatar
Avatar
.karate.
@FabianoQ https://github.com/Magpol/AndroidLiveInfo/blob/master/AndroidLiveInfo.sh Old script I made. But if you look into it you will see what kind of info you can get from dumpsys and other dump commands. usagestats, device state, accounts etc etc. (edited)
Thanks a lot
Avatar
Hi, is there anyone at @Cellebrite able to answer a query about 'scrambled' deleted WhatsApp messages within the ChatSearchv5f database. Thanks!
Avatar
Avatar
Vsteph33
Hi, is there anyone at @Cellebrite able to answer a query about 'scrambled' deleted WhatsApp messages within the ChatSearchv5f database. Thanks!
heatherDFIR 11/24/2020 6:17 AM
Sure! Want to DM me? Do you have a screenshot of what you are looking at?
Avatar
@Cellebrite I'm looking at a phone's MSISDN and want to cite its source. PA is saying "Taken from XML extraction file". Where did the extraction file get it from? I want to know where on the phone it is. I'm thinking it's in some db, but don't know which.
Avatar
Avatar
LawDawg
@Cellebrite I'm looking at a phone's MSISDN and want to cite its source. PA is saying "Taken from XML extraction file". Where did the extraction file get it from? I want to know where on the phone it is. I'm thinking it's in some db, but don't know which.
Sounds like a Logical extraction. I've an Android extraction open at the moment - I've also got it in telephony.db and SimCard.dat databases on Android if that's any help but I have a File System and a Physical in the project as well which is where they are
Avatar
It is. I forgot to add that.
6:30 AM
I wasn't able to get anything but a logical. I can't remember why. I might pull it and try again.
Avatar
Good luck 🤞
Avatar
Avatar
Vsteph33
Hi, is there anyone at @Cellebrite able to answer a query about 'scrambled' deleted WhatsApp messages within the ChatSearchv5f database. Thanks!
They aren't scrambled, the messages are stripped of repetitive words so the original message will not necessarily be there. The DB is an index of the messages. The phone number string is base64 encrypted. This is from memory so may be a bit different. (edited)
Avatar
Avatar
Dfdan
They aren't scrambled, the messages are stripped of repetitive words so the original message will not necessarily be there. The DB is an index of the messages. The phone number string is base64 encrypted. This is from memory so may be a bit different. (edited)
The message itself has a header saying 'scrambled' and all the words for the messages are also there, they're just in the wrong order. It's not something any of us in the office have seen (scrambled message), so was a bit confused.
Avatar
beforethelaw 11/24/2020 7:54 AM
Hello guys, I'm currently investigating a checkm8 BFU-Dump of an iPhone 7, where I unexpectedly got the chatstorage.sqlite (WhatsApp-database). I'm not sure if the phone was used as a secondary device, since the owner had a newer model. It's all about received/sent messages in WhatsApp. The chatstorage.sqlite has a size of about 770,000 bytes (0.77 MB), which is not really big. Using UFED PA I was able to decode 190 messages (table ZWAMESSAGE) and 1050 entries for contacts (ContactsV2.sqlite ZWAADDRESSBOOKCONTACT). The "Installed Applications"-Tab contains 2 entries for WhatsApp, one marked with the category "App may not be from store", with no further information about App-Version, et cetera, App-ID beginning with 7742... The 190 decoded messages all refer to the chatstorage.sqlite lying under the file-path with the mentioned App-ID, thus DarArchive/root/private/var/mobile/Containers/Shared/AppGroup/7742.../Chatstorage.sqlite. Same goes for the ContactsV2.sqlite. The second entry, App-ID beginning with 1D68, gets perfectly recognized as Version 2.19.50.24, but I don't seem to find a corresponding Chatstorage.sqlite under .../Shared/AppGroup/1D68.../. When installing a new version of an app, do I get a new file-path, meaning that 1D68... is just another version of WhatsApp than 7742...? Is it possible to find more than one chatstorage.sqlite lying under different file-paths on a device? Do you see a chance in finding more received/sent messages with special services? @Cellebrite Unfortunately, we don't know the code to this phone. Your help is much appreciated!
Avatar
Avatar
beforethelaw
Hello guys, I'm currently investigating a checkm8 BFU-Dump of an iPhone 7, where I unexpectedly got the chatstorage.sqlite (WhatsApp-database). I'm not sure if the phone was used as a secondary device, since the owner had a newer model. It's all about received/sent messages in WhatsApp. The chatstorage.sqlite has a size of about 770,000 bytes (0.77 MB), which is not really big. Using UFED PA I was able to decode 190 messages (table ZWAMESSAGE) and 1050 entries for contacts (ContactsV2.sqlite ZWAADDRESSBOOKCONTACT). The "Installed Applications"-Tab contains 2 entries for WhatsApp, one marked with the category "App may not be from store", with no further information about App-Version, et cetera, App-ID beginning with 7742... The 190 decoded messages all refer to the chatstorage.sqlite lying under the file-path with the mentioned App-ID, thus DarArchive/root/private/var/mobile/Containers/Shared/AppGroup/7742.../Chatstorage.sqlite. Same goes for the ContactsV2.sqlite. The second entry, App-ID beginning with 1D68, gets perfectly recognized as Version 2.19.50.24, but I don't seem to find a corresponding Chatstorage.sqlite under .../Shared/AppGroup/1D68.../. When installing a new version of an app, do I get a new file-path, meaning that 1D68... is just another version of WhatsApp than 7742...? Is it possible to find more than one chatstorage.sqlite lying under different file-paths on a device? Do you see a chance in finding more received/sent messages with special services? @Cellebrite Unfortunately, we don't know the code to this phone. Your help is much appreciated!
With WhatsApp installed, there are ~5 different ../Shared/AppGroup/ paths associated with it. If you are seeing more than one path for the application in the ../Shared/AppGroup that is normal, but one contains the ChatStorage.sqlite and the other doesn't. If you install a new version of an app, yes, it gets a new file path but from what you describe that is not what you're seeing here.
Avatar
Avatar
LawDawg
@Cellebrite I'm looking at a phone's MSISDN and want to cite its source. PA is saying "Taken from XML extraction file". Where did the extraction file get it from? I want to know where on the phone it is. I'm thinking it's in some db, but don't know which.
Be sure to process the SIM card separate from the phone.
Avatar
I just finished doing a file system on it and did exactly that.
Avatar
Load the SIM extraction in PA and you will likely find the MSISDN. If you don't have it and cannot find it elsewhere, you can take the ICCID from the SIM card itself and ask the cellular provider to send you records just based on the ICCID. They will provide the MSISDN (phone number) in their production if it is requested.
Avatar
I got less from the file system than I did the advanced logical.
Avatar
Avatar
LawDawg
I got less from the file system than I did the advanced logical.
are you doing a SIM extraction? or extractions from the handset?
Avatar
I just did an extraction of the sim
10:35 AM
both
10:35 AM
did a logical, file system, and now sim
Avatar
your only trying to get the MSISDN? Or determine where it came from?
Avatar
Cellebrite gives me the MSISDN. I just want to be able to point at it and say it came from here. In the weeds so to speak.
Avatar
New Cellebrite Physical Analyzer is out 👍 cellebrite
👍 1
Avatar
It's not an entirely huge deal for this case, but I'll never let it go until I can get an answer.
Avatar
Avatar
Stevie_C
New Cellebrite Physical Analyzer is out 👍 cellebrite
Just got the email.
Avatar
Avatar
bizzybarney
Load the SIM extraction in PA and you will likely find the MSISDN. If you don't have it and cannot find it elsewhere, you can take the ICCID from the SIM card itself and ask the cellular provider to send you records just based on the ICCID. They will provide the MSISDN (phone number) in their production if it is requested.
Sim card doesn't have the phone number. I tried to load the hex by double clicking in the memory image, but it won't give me the hex viewer. Just says "XML". I hate phones.
Avatar
If you did a logical extraction, there isn't a memory image to load.
Avatar
When I become King of America, all phones will require NTFS.
🤣 2
Avatar
Remember a logical extraction is a conversational exchange between extraction tool and device via some shared API. So perhaps the Cellebrite extraction sends a request to the device asking for the MSISDN and it replies with the value which is then outputted into an XML file stored in your extraction folder. You open the extraction and it parses the XML file and other pieces of the extraction and displays it for you. Ultimately its coming from the SIM card and can sometimes be found in the file system, depending on OS version and device model.
Avatar
Avatar
bizzybarney
Remember a logical extraction is a conversational exchange between extraction tool and device via some shared API. So perhaps the Cellebrite extraction sends a request to the device asking for the MSISDN and it replies with the value which is then outputted into an XML file stored in your extraction folder. You open the extraction and it parses the XML file and other pieces of the extraction and displays it for you. Ultimately its coming from the SIM card and can sometimes be found in the file system, depending on OS version and device model.
You just answered my next of how does UFED get the MSISDN and other device info. Thank you! It was driving me insane.
Avatar
If you need to be 1000% sure that 123-456-7890 is the phone number bc Cellebrite said so, then just send a subpoena to the wireless provider and let them provide it to you.
💯 1
Avatar
I already have. I have the mindset of a four year old. I always ask, "why?'.
10:47 AM
I'm thinking of putting off FOR500 for now and taking FOR585. I have too many cell phone questions I need answered.
Avatar
585 is amazing. have you taken cellebrite CCO / CCPA?
Avatar
Avatar
bizzybarney
If you need to be 1000% sure that 123-456-7890 is the phone number bc Cellebrite said so, then just send a subpoena to the wireless provider and let them provide it to you.
I agree. I NEVER trust an MSISDN from an extraction, whether SIM Card or device. If needed for evidence, I ALWAYS advise the investigating officer to toddle off with the ICCID I provide them to go and get it confirmed from the CSP
Avatar
I've taken CCO and CCPA through the NCFI. Unfortunately, the Secret Service only paid for the CCO test and not the CCPA test. So, I'm only CCO
Avatar
Dig your CCO manual out and flip to page 42 or so, find the SIM section and suffer through the details of those pages for an hour.
Avatar
Avatar
LawDawg
I'm thinking of putting off FOR500 for now and taking FOR585. I have too many cell phone questions I need answered.
The FOR585 is fantastic. I did it last October. Couldn't fault it one bit. The instructor was extremely knowledgeable
Avatar
I want to learn so much about cell phone operating systems that I can design them
Avatar
Then flip to the extractions module and read through the logical and file system extractions sections.
Avatar
Avatar
bizzybarney
Then flip to the extractions module and read through the logical and file system extractions sections.
good idea
Avatar
Avatar
Stevie_C
The FOR585 is fantastic. I did it last October. Couldn't fault it one bit. The instructor was extremely knowledgeable
I learned so much new material in FOR585 when I took it this summer
😍 1
Avatar
Avatar
stark4n6
I learned so much new material in FOR585 when I took it this summer
Then you slayed that CTF like a boss.
🔥 2
Avatar
Nerd! (I'm jealous.)
Avatar
I also strongly recommend @Cellebrite CCME
Avatar
Avatar
Stevie_C
I also strongly recommend @Cellebrite CCME
Yeah, it's only money.
Avatar
Yeah, your question about opening the memory image in PA is expressly covered in CCPA.
cellebrite 1
Avatar
Avatar
bizzybarney
Yeah, your question about opening the memory image in PA is expressly covered in CCPA.
I sometimes have a hard time separating computer and cell phone forensics. When I don't have access to hex, I start breaking stuff.
Avatar
If you open your phone and go to your contacts, scroll and see all the names and numbers... when you run a logical extraction of your phone you're essentially getting the same thing printed onto some XML file. It's simply asking for the contacts and the phone replies with the values.
10:55 AM
when you do a file system extraction, you end up with whole files in a zip file (most of the time). Now you have whole files to dig into and the zip you can open in the memory images
10:56 AM
when you do a physical, you're getting the entire range of flash memory outputted as a binary dump (.bin), so first byte to last. when you go to memory images you have a .bin file to dig into.
Avatar
Avatar
bizzybarney
If you open your phone and go to your contacts, scroll and see all the names and numbers... when you run a logical extraction of your phone you're essentially getting the same thing printed onto some XML file. It's simply asking for the contacts and the phone replies with the values.
I don't see how that is never challenged. When I get depod on a computer exam and they ask how I know my software got the right information, I can confirm with a manual exam and point to the hex.
Avatar
If you're doing a logical extraction, you aren't getting deleted data and you have access to the OS of the device. So if challenged, you could literally power the phone on, go to contacts, and show it to them. There's no magic here..
11:00 AM
and you have to verify and validate your findings and your tool. manual verification is one option for that which is what I just described.
Avatar
Avatar
bizzybarney
If you're doing a logical extraction, you aren't getting deleted data and you have access to the OS of the device. So if challenged, you could literally power the phone on, go to contacts, and show it to them. There's no magic here..
Again, it's hard for me to think like that. You don't turn on a computer.
11:04 AM
What about thumbnails in the DCIM/.thumbnails folder? Where do they come from and how do they come to exist?
Avatar
mobile is definitely not computer forensics. a lot of this stuff is laid out nicely in the CCO manual though so seriously dig it out and spend some time in there.
11:05 AM
I gotta run man, maybe someone else can help you with your next ?
Avatar
I have not dismissed you.
Avatar
@CLB - DavidK @Stevie_C @Deleted User @chrisforensic @ScottKjr3347 UFED PA 7.40 released today fixed my image classification problem
👍 6
Avatar
Hi, is there a good parser for snapchat chatConversationStore.plist?
Avatar
Has anyone looked into CLSPublicEventCache.sqlite, extracted from an iphone?
Avatar
Avatar
callzor
Hi, is there a good parser for snapchat chatConversationStore.plist?
Avatar
I tried but it gave a lot of errors. Thanks anyway! (edited)
Avatar
Avatar
Stevie_C
New Cellebrite Physical Analyzer is out 👍 cellebrite
UFED4PC NEW UPDATE, ANY IDEA WHEN IT IS COMING?
Avatar
Haven’t heard about UFED 4PC yet. (edited)
10:37 AM
I always work on the theory the longer the wait for it the more special it will be 😃
👍 1
Avatar
Avatar
Stevie_C
I always work on the theory the longer the wait for it the more special it will be 😃
They are giving all their hard work to Premium lol
Avatar
Avatar
Stevie_C
The FOR585 is fantastic. I did it last October. Couldn't fault it one bit. The instructor was extremely knowledgeable
Thanks Stevie! 🙂
Avatar
I think the new format messed everything up.
Avatar
DeepDiveForensics 11/25/2020 11:45 PM
Hi Guys, I performed a Physical Acquisition of a Honor Play via Oxygen Forensic and successfully got the HW Keys, and Passware decrypted the binary dump. During the analysis I found that I got the WhatsApp crypt12 DB but was unable to find the key file in the "data/data/com.WhatsApp" directory. File system is F2FS. Any idea of how to get the WhatsApp key? (edited)
Avatar
Lordicode Oxygen Forensics 11/26/2020 3:22 AM
@DeepDiveForensics Hello, give me a few. Contacting the devs about that.
3:27 AM
If anyone has a question to Oxygen team, please tag @Oxygen Forensics otherwise we may not spot the message as fast as we wanted to 🙂
3:30 AM
@DeepDiveForensics what version of Detective do you have? Did you check data\data\com.whatsapp\files\key ? Are there any files there? (edited)
Avatar
Lordicode Oxygen Forensics 11/26/2020 3:48 AM
DMed you with an additional solution 🙂
Avatar
If an AppleID is currently signed in to an iPhone is there a plist hidden away somewhere that would tell you the date when that ID signed in?
Avatar
Hi everyone. I made an FFS dump from a HW LDN-L21 using the UFED Qualcomm live profile. A secure folder is enabled on the device. Is it possible to obtain data? I have a PIN for the secure folder. The app is Folder Lock (edited)
Avatar
Is it possible to tell if a WhatsApp voice message was sent "hands free" through a car infotainment system (CarPlay / Android Auto) or the "normal way"?
Avatar
Presentation Archives for my macOS and iOS Related Research - mac4n6/Presentations
Avatar
Morning all, quick question, I'm looking to determine if an app has been installed on a handset. I have no other data or artifacts from Plenty of Fish app but it appears in the localappstate.db with an install date of 1970 and an external_referrer_timestamp_ms timestamp of 12/2019. Thx
Avatar
Hey all. I've got an FFS from an iPhone run through PA but I'm having an issue with parsing chatConversationStore.plist from Snapchat. The TimeStamp and DateRead fields have been pulled but not the body of the message, yet the body of the message is visible through the hex view. Has anyone come across this, or have any suggestions?
Avatar
Avatar
FabianoQ
Is it possible to tell if a WhatsApp voice message was sent "hands free" through a car infotainment system (CarPlay / Android Auto) or the "normal way"?
CLB_joshhickman1 11/27/2020 4:15 AM
@FabianoQ If it is an Android device and you think the user utilized Google Assistant via Android Auto to send the message, there will be a protobuf file left behind with the Google Assistant interaction that contains the message and a timestamp. I know ALEAPP will parse these protobuf files. For CarPlay, you could use knowledgeC to book end CarPlay sessions and look at the activity between.
4:20 AM
Recently I purchased a new car.  I am talking brand spankin’ new.  I had been looking for a compact SUV for a while because of a growing family, and I found it:  a 2019 Nissan Rogue.  I purchased i…
I have been picking on Google lately.  In fact, all of my blog posts thus far have focused on Google things.  Earlier this year I wrote a blog about Android Auto, Google’s solution for unifying tel…
💯 1
❤️ 1
Avatar
@Magnet Forensics Hi magnet, decrypting wickr on ios is a Nice feature of axiom, but what about on an Android (Huawei) device? Walkthrough on obtaining or decrypting the wickr database?
Avatar
forensicmike @Magnet 11/27/2020 12:45 PM
It's supported @florus. Less examiner steps than iOS because the stuff needed for key derivation are also stored in the filesystem. That is of course contingent on the device owner having auto login enabled. If it's not enabled you'll need to know the wickr account password.
👍 1
Avatar
@florus If you only have a Huawei backup of the device you need to know the app specific id (from settings_ssaid.xml). If you have an FFS (or physical) then you also have that specific file and Axiom should be able to decrypt Wickr. Wickr uses device_id as a parameter for key derivation, and on Android 7+ that id is (should be) app specific.
👍 1
Avatar
Avatar
leigh4352
Hey all. I've got an FFS from an iPhone run through PA but I'm having an issue with parsing chatConversationStore.plist from Snapchat. The TimeStamp and DateRead fields have been pulled but not the body of the message, yet the body of the message is visible through the hex view. Has anyone come across this, or have any suggestions?
JLindmar (83AR) 11/27/2020 4:04 PM
❤️ 1
Avatar
CLB_iwhiffin 11/27/2020 4:29 PM
What version of Snapchat? They fairly recently moved to a SQLite db instead of the chatConversationStore.plist although there may still be some remnants. If it's the old version (and it sounds like it may be) then Spoopy may work, but ArtEx will also parse that version of Snapchat and has a little more support for different schemas.
Avatar
Thanks guys. I’ll check it out. I’m not sure on the version but I’ll take a look when I’m back in on Monday.
Avatar
Hello all, just wondering if anyone has any idea on com.sec.android.gallery3d. I've retrieved a number of images and I'm just reviewing the journal file contained within the folder /cache/0 and have the following entries
9:51 AM
I'm just wondering is there any way to say where they came from etc....
9:51 AM
.
9:52 AM
The img of interest has the filename of the above highlighted number
9:52 AM
It's a samsung note 8
9:57 AM
I've had a look at the cheeky4n6 blog, it's very detailed but it appears the app has changed the way it handles and stores the cache files
Avatar
Avatar
CLB_joshhickman1
@FabianoQ If it is an Android device and you think the user utilized Google Assistant via Android Auto to send the message, there will be a protobuf file left behind with the Google Assistant interaction that contains the message and a timestamp. I know ALEAPP will parse these protobuf files. For CarPlay, you could use knowledgeC to book end CarPlay sessions and look at the activity between.
Thank you
10:28 AM
I have a question about the @Cellebrite report about Instagram
Avatar
Avatar
FabianoQ
I have a question about the @Cellebrite report about Instagram
CLB_iwhiffin 11/28/2020 11:17 AM
What’s the question? I’ll see if I can help?
Avatar
Hi. In PA many "activities" made by an Instagram id followed by the owner of the phone that I examined are all flagged as "post". I would like to ask if there is any known way to distinguish "posts" from "stories".
Avatar
CLB_iwhiffin 11/28/2020 12:08 PM
Having never used Instagram for anything in real life, I’ll have to find out for you. Stand by and I’ll see what I can learn.
Avatar
Avatar
CLB_iwhiffin
Having never used Instagram for anything in real life, I’ll have to find out for you. Stand by and I’ll see what I can learn.
Thanks
Avatar
Original message was deleted or could not be loaded.
What’s going on ?
Avatar
testermonkey 11/30/2020 1:38 AM
Morning world, has anyone fully decoded Aqua Mail found on Lenovo devices? Cheers
Is anyone from @Cellebrite about to discuss an issue within PA 7.40?
CLB - DavidK 11/30/2020 3:28 AM
@Rob Sure, i'll DM you
JLindmar (83AR)
Check out @CLB_iwhiffin Spoopy https://www.doubleblak.com/m/blogPosts.php?id=5
Spoopy worked great! @CLB_iwhiffin you've made a great tool, thank you 🙌 (edited)
CLB_iwhiffin 11/30/2020 7:25 AM
Sweet thanks 🙂
leigh4352
Spoopy worked great! @CLB_iwhiffin you've made a great tool, thank you 🙌 (edited)
JLindmar (83AR) 11/30/2020 7:47 AM
Did you also try @CLB_iwhiffin's ArtEx (as he recommended)? I'm curious how it would perform compared to Spoopy.
JLindmar (83AR)
Did you also try @CLB_iwhiffin's ArtEx (as he recommended)? I'm curious how it would perform compared to Spoopy.
I've not had chance to but it looks great.
Hello! After some slight difficulties I finally managed to use sboot_dump to dump the memory of a Samsung S9. However I am not having any luck with PA decrypting the Samsung Health DB. Grep-ing does show some keys, but while monitoring the trace window I cannot help but notice that the parser "SbootDumpPasswords" is missing/not run.. So the big question is.. Where have I messed up? Anyone been successful in running it that might share some insight? Have been following this guide: https://www.cellebrite.com/en/blog/decrypting-databases-using-ram-dump-health-data/
Does anyone think there might be a chance Apple could provide an associated iCloud / iTunes account based off the UUID found in the MediaLibrary.sqlite file? Or if anyone has tried and failed? I'm assuming it's pretty unlikely. It's located in the following file path: /private/var/mobile/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb
@Cellebrite Anyone free to chat regarding the status of a facebook chat message? i.e. showing as "Status: Sent" but seems to have been Received. Just seeking some clarification of what the Status means, as we'd expect Status Read/Received.
Hey @Rob
chrisforensic 12/1/2020 5:11 AM
hello folks... just a short question concerning the app "waze"... if there is a geoposition stored in the category "navigates", can we say that the phone was at that position, at that time? (edited)
5:12 AM
and the category "searches" are just searched destinations ?
Deleted User 12/1/2020 7:03 AM
Did anyone have the immense pleasure of working on a dump from a Samsung SM-B550H? I've received one after a chip-off, I guess it's bare flash, there's clearly unencrypted file and filesystem data in there but didn't have any luck decoding it (I need the hierarchy, not just carved files) Update: I found a PIT, so that's a start (edited)
@Magnet Forensics I processed a physical extraction from an HTC Droid Incredible. While doing timeline analysis I find CSAM videos and images. However, these items are not listed in Artifacts area of Axiom. The deleted items are located in deleted folders which are visible in the File System view. Some of the videos do appear in the Unallocated Clusters section of the Artifacts, but these don't have file names or dates. The deleted folder section contains the deleted files with names and dates (created, modified, accessed). Using version 4.7.0.22371. Is this an expected behavior? I will be happy to submit to tech support, but thought I would see if someone could brainstorm this with me in case I am just missing something obvious at the end of a long day.
Hello, have you encountered problems in generating the report with the new Physical Analyzer?
manuelevlr
Hello, have you encountered problems in generating the report with the new Physical Analyzer?
CLB - DavidK 12/1/2020 11:41 PM
I DM you
@Cellebrite Anyone free to talk regarding Wickr, got a FFS (iOS 14.1, iPhone 7). I can see a username but trying to see if it's possible to recover the password for it. (edited)
CLB-dan.techcrime 12/2/2020 7:13 AM
@Rob I believe the short answer is no... PA should be able to use the keychain to decrypt the Wickr chats
I can accept no 😄
7:14 AM
PA has parsed it, but was just curious
@sholmes Sending DM
Hi. Is it possible to decode the PIN for WhatsApp? I have an FFS dump and the WhatsApp user data, but I want to decode the PIN for the application on the phone.
criley4640
can anyone point me in the right direction as far as Cash App parsing. Phone has a whole bunch of transactions and what not, but nothing parsed by Cellebrite (PA 7.34.0.38)
@binarycanary did anyone respond to your question back in August or did you find anything to help other than pure manual parsing? Thanks!
dabeersboys 12/2/2020 9:11 AM
I know this was a month ago- but I have a case right now on an iphone trying to find the cashapp transaction DB- can you point me in the right direction? THANKS!
dabeersboys
I know this was a month ago- but I have a case right now on an iphone trying to find the cashapp transaction DB- can you point me in the right direction? THANKS!
I haven't gotten anywhere with this, yet. Sorry!
criley4640
I haven't gotten anywhere with this, yet. Sorry!
dabeersboys 12/2/2020 10:30 AM
no worries- I was hoping to find the DB then I could create a custom artifact for axiom to process it.
DeeFIR 🇦🇺 12/2/2020 10:54 PM
@dabeersboys how urgently do you need it?
DeeFIR 🇦🇺
@dabeersboys how urgently do you need it?
dabeersboys 12/2/2020 10:55 PM
Not urgently. I plan on playing with it tomorrow to see if I can find it. It's just taking some drilling
DeeFIR 🇦🇺 12/2/2020 10:56 PM
Ok, I can download the app and generate test sandpit data if you need it urgently. I have an iOS test environment which would provide some insight. Have competing priorities atm but if you need a hand please reach out
DeeFIR 🇦🇺
Ok, I can download the app and generate test sandpit data if you need it urgently. I have an iOS test environment which would provide some insight. Have competing priorities atm but if you need a hand please reach out
dabeersboys 12/2/2020 10:57 PM
I appreciate it. Not urgent. I reached out here after searching the channel and a few people mentioned seeing the transactions. All good! Thanks so much!
@dabeersboys Let us know what you find :)
@dabeersboys not sure if this will help but there were some questions involving Cash app for the recent Cellebrite CTF. Searching for the write-ups might turn up something useful
varbytes
@dabeersboys not sure if this will help but there were some questions involving Cash app for the recent Cellebrite CTF. Searching for the write-ups might turn up something useful
dabeersboys 12/3/2020 6:59 AM
Thanks! I appreciate that , if I strike out today digging around I'll take a look!
Has anyone done any testing on when or what triggers a commit for the SMS.db-wal file? I’m doing some testing now and would appreciate anyone’s input or past experience to help guide me.
Matt
Has anyone done any testing on when or what triggers a commit for the SMS.db-wal file? I’m doing some testing now and would appreciate anyone’s input or past experience to help guide me.
JLindmar (83AR) 12/3/2020 11:25 AM
Commit or checkpoint? Checking the most recent SMS.db I have from an iOS device, when a COMMIT occurs that causes the WAL to be 1000 pages or more in size, a checkpoint automatically occurs.
sholmes
@Magnet Forensics I processed a physical extraction from an HTC Droid Incredible. While doing timeline analysis I find CSAM videos and images. However, these items are not listed in Artifacts area of Axiom. The deleted items are located in deleted folders which are visible in the File System view. Some of the videos do appear in the Unallocated Clusters section of the Artifacts, but these don't have file names or dates. The deleted folder section contains the deleted files with names and dates (created, modified, accessed). Using version 4.7.0.22371. Is this an expected behavior? I will be happy to submit to tech support, but thought I would see if someone could brainstorm this with me in case I am just missing something obvious at the end of a long day.
I just wanted to update this thread since I posted a question which was solved in DMs and emails with Tech Support. After much work, we found Axiom was working as intended. The physical extraction of the HTC Droid Incredible contained a 6.6GB FAT32 partition, which the user was using for nefarious reasons. This was one of the partitions inside the Physical Extraction. We noticed files associated with MacOS and Windows inside the partition, as well as Android files. When run as an Android Axiom would parse the items which could be viewed in the File System view, but it wasn't listing them in the Artifacts view. Since this is a FAT32 partition, if I ran the extraction as a Windows device, it would parse the items and load them into the Artifacts view. Hopefully this helps someone out should you get an Android 2.2 HTC Droid Incredible where the user enables Developer Option so they can use the phone as a mobile storage device. Thanks to the entire @Magnet Forensics team for jumping in and helping me solve this dilemma.
sholmes
I just wanted to update this thread since I posted a question which was solved in DMs and emails with Tech Support. After much work, we found Axiom was working as intended. The physical extraction of the HTC Droid Incredible contained a 6.6GB FAT32 partition, which the user was using for nefarious reasons. This was one of the partitions inside the Physical Extraction. We noticed files associated with MacOS and Windows inside the partition, as well as Android files. When run as an Android Axiom would parse the items which could be viewed in the File System view, but it wasn't listing them in the Artifacts view. Since this is a FAT32 partition, if I ran the extraction as a Windows device, it would parse the items and load them into the Artifacts view. Hopefully this helps someone out should you get an Android 2.2 HTC Droid Incredible where the user enables Developer Option so they can use the phone as a mobile storage device. Thanks to the entire @Magnet Forensics team for jumping in and helping me solve this dilemma.
Awesome info! Thank you for letting us know what you found.
forensicmike @Magnet 12/3/2020 1:43 PM
@sholmes Awesome... will share internally 🙂
Hello, I have Positivo S430 Android 6 and MT6580. It's locked with unknown alphanumeric password. I was able to do a userdata backup in recovery menu. But no success in decoding in PA with MTK backup option. Tried to remove the first 512 bytes of each file and still no success. With hex viewer looks like it's encrypted or compressed. Any way to try decode it?
@rafael_cs if phone is encrypted, this backup will also be encrypted and useless (edited)
Matt
Has anyone done any testing on when or what triggers a commit for the SMS.db-wal file? I’m doing some testing now and would appreciate anyone’s input or past experience to help guide me.
Deleted User 12/4/2020 2:13 AM
There's the doc for SQLite's WAL: https://sqlite.org/wal.html Having worked with it a bit, the WAL file is written back to the main db file when the database is correctly closed by the program using it. A buggy app, a crash or a power failure could cause the wal file to stay around, but SQLite will pick it up the next time the db is opened (and hopefully merge the WAL when it's closed). As @JLindmar (83AR) said the WAL is also written back when it hits the 1000 pages threshold. (edited)
chrisforensic
and the category "searches" are just searched destinations ?
Navigates is when you click on "go to" after the search, but it doesn't mean that the user actually went to this address
Arcain
@rafael_cs if phone is encrypted, this backup will also be encrypted and useless (edited)
Ok. I wasn't expecting that. Thank you
@rafael_cs i had same problem not that long time ago, with some Alcatel with Android 7
Any suggestions on reading an ADB physical extraction from a Toshiba Thrive (Model: AT100)? I used @Cellebrite Touch2 to get the extraction, and have actually done 4 extractions. I am working with tech support, but was wondering if anyone had experience they could share while waiting on tech support help. FYI, when I look at the hex of the dump, it shows DEAD throughout the hex. I am not sure this is a good thing. 🤣 🤣 Seriously though, although I have a 16GB extraction, I am thinking something might be off during the extraction process. My extraction logs show it rooted and extracted, but at the end of the file it shows an error writing to USB. It also finishes while waiting to reboot. I have run numerous chains against the loaded extraction. I have tried to process it through XRY @MSAB , Oxygen @Oxygen Forensics , Axiom @Magnet Forensics with the same results of no parsed data.
MSAB_Duncan 12/4/2020 7:02 AM
@sholmes any chance you can reacquire from the device with another tool to validate? Might not be a bad shout
I definitely can try that @MSAB_Duncan
@MSAB_Duncan No physical able to be completed with Axiom/Oxygen/XRY. CB roots it when it does the ADB extraction. The others declined as it wasn't already rooted.
Anyone aware of what the values in the iOS transfer_state row of the SMS.db represent?
BrodyBlackburn 12/6/2020 8:30 AM
"It is the world we are in today, and so have to deal with it," former FBI general counsel Jim Baker said about device encryption.
@Cellebrite Pls tell me the difference between ufed4pc and ufed responder
wojotk_1
@Cellebrite Pls tell me the difference between ufed4pc and ufed responder
Shoot me a dm and we can chat about it
@Cellebrite and everyone else; I'm having issues with a Cellebrite report not showing thumbnails for a majority of the contents in at least DCIM. I can't really find any correlation between why those files specifically don't get thumbnails... they show up in the preview without any issues, but there are just no thumbnails in the thumbnail view. Anyone know what could be the cause or how I can fix it?
Hi guys, I'm coming back with CHATSEARCH5F.SQLITE (iOS 14.2). My tests show that file contains the deleted messages from WhatsApp on iOS. But I have some difficulties... to identify correspondents. Indeed the contact column contains a unique identifier per correspondent, but after having parsed the dar file, these references do not exist anywhere else. I have already identified some correspondents with comparisons to the still existing data and reconstituted the list of all the candidates... But here I am at a dead end! Have you already found the solution? (edited)
2:21 PM
I specify that since the last version of PA, Snapchat chats, WhatsApp... are no longer automatically decoded (edited)
Good morning! A colleague of mine has made a vendor backup with ufed4pc of a Huawei P30 Lite (MAR-LX1A). Now, the PA asks for a password, but he did not set one, as he wasn't allowed to touch the device. Is there a standard password set by UFED4PC, @Cellebrite ?
Lordicode Oxygen Forensics 12/7/2020 11:09 PM
@rico what software are you using? With what software was CHATSEARCH5F.SQLITE extracted and from which model of iPhone?
@Svenergy 12345?
Mr Saturn
@Svenergy 12345?
I've seen that as the default password previously.
Mr Saturn
@Svenergy 12345?
That would have been too easy! 😉 We've found the pw in the ufd-file. Opened in an editor, the pw is shown there. A pretty long, complex password. I don't think Cellebrite wants the users to pick it out there manually. I hope it gets fixed in the next PA update.
Svenergy
That would have been too easy! 😉 We've found the pw in the ufd-file. Opened in an editor, the pw is shown there. A pretty long, complex password. I don't think Cellebrite wants the users to pick it out there manually. I hope it gets fixed in the next PA update.
Interesting, set by the handset user?
Mr Saturn
Interesting, set by the handset user?
Nope. I think it's set by UFED4PC. But it has to be complex, as Huawei HiSuite backup needs a complex password
Svenergy
That would have been too easy! 😉 We've found the pw in the ufd-file. Opened in an editor, the pw is shown there. A pretty long, complex password. I don't think Cellebrite wants the users to pick it out there manually. I hope it gets fixed in the next PA update.
Is the 4PC beta newer than your PA version?
OllieD
Is the 4PC beta newer than your PA version?
We use the 4PC 7.40 and also the PA 7.40. So both actual versions. No betas.😉
Ah right, nvm then!
Hello 👋 I'm on a Samsung SM-J330FN. I found CSE contents on Google Drive, but does anyone know the meaning of com.google.android.apps.docs/cache/shiny_blobs/blobs/ ? (edited)
2:28 AM
Usually they are here : data/com.google.android.apps.docs/cache/docs_glide/
Svenergy
Nope. I think it's set by UFED4PC. But it has to be complex, as Huawei HiSuite backup needs a complex password
Try 1234
2:45 AM
It's what ufed 7.38 wants to use for backup encryption password
@Magnet Forensics how do I go about decoding a database from ufed? I’ve dumped it and added as an image but it fails straight away
@Magnet Forensics can someone message me please, network issue with Axiom
@King Pepsi - Sending a DM
Rob
Try 1234
That would have been too easy! I've shared our solution before! But thx for your suggestion! 🙂
FATHEAD7466 12/8/2020 7:03 AM
Using PA 7.40.0.68: Apple search warrant, items unzipped, parsed in PA. Unable to get a UFDR to generate. Is that a common problem for everyone else?
FATHEAD7466 12/8/2020 7:50 AM
Scratch that, the computer needed rebooting. I got the report I needed.
@Lordicode Oxygen Forensics sorry for my late response, my day was just... crazy! iPhone 8, iOS 14.2, checkm8 extraction with the latest UFED and decoded with my SQL browser 😋
@OllieD I just sent you a request so that I can DM you regarding your LockMyPix script. I've just come across it on a Samsung J7. The majority of the files are .6zu files. They were not decrypted by Cellebrite.
djGordy
@OllieD I just sent you a request so that I can DM you regarding your LockMyPix script. I've just come across it on a Samsung J7. The majority of the files are .6zu files. They were not decrypted by Cellebrite.
Accepted
Cygonaut
@Cellebrite and everyone else; I'm having issues with a Cellebrite report not showing thumbnails for a majority of the contents in at least DCIM. I can't really find any correlation between why those files specifically don't get thumbnails... they show up in the preview without any issues, but there are just no thumbnails in the thumbnail view. Anyone know what could be the cause or how I can fix it?
Hi @Cygonaut . Not sure the reason why, but I've had the same issue happen on a number of recent extractions. Check the trace window, do you have a message (near the bottom) saying that thumbnail cache not loaded to memory. Not sure if issue with PA or just that my extractions have too many thumbnails to load? (Haven't looked deeper into the issue yet myself)
trying to discern some info in callhistory.storedata on iOS. Under ZCALLTYPE I am trying to figure out what the values stand for, Google is leaving me high and dry so far. I can run a test device but I'm trying to get this report done... Any help out there? I've found one reference for 8 = facetime video/audio, 16 = facetime audio only.
Followup: just loaded my test phone data (finally). Facetime audio shows up as ZCALLTYPE=16, Facetime video shows up as ZCALLTYPE = 8. In case anyone else needs it.
Lordicode Oxygen Forensics 12/8/2020 11:04 PM
@rico DM'ed you
@Cellebrite I just extracted my first iOS 14 FFS. When looking at the keychain it looks very wonky, not at all what i'm used to. Are the layout of iOS 14 keychain plists very different from how they looked before or is there some problem in my extraction?
Oscar
@Cellebrite I just extracted my first iOS 14 FFS. When looking at the keychain it looks very wonky, not at all what i'm used to. Are the layout of iOS 14 keychain plists very different from how they looked before or is there some problem in my extraction?
CLB-drorimon 12/9/2020 1:44 AM
Yes, in iOS 14 the Keychain is partially decrypted on the device, and partially in PA (7.41).
CLB-drorimon
Yes, in iOS 14 the Keychain is partially decrypted on the device, and partially in PA (7.41).
Okay, is there any estimation of when 7.41 is released?
Oscar
Okay, is there any estimation of when 7.41 is released?
CLB-drorimon 12/9/2020 2:26 AM
Soon, in a few days.
Oscar
@Cellebrite I just extracted my first iOS 14 FFS. When looking at the keychain it looks very wonky, not at all what i'm used to. Are the layout of iOS 14 keychain plists very different from how they looked before or is there some problem in my extraction?
mg_cellebrite 12/9/2020 4:27 AM
Hi. In iOS 14 the keychain changed significantly. UFED 7.40 and Premium 7.16 support the iOS 14 changes; PA 7.41 will be released shortly with the matching support for the iOS 14 keychain. If you have done the extraction through one of the UFED versions I have mentioned, just wait for the PA 7.41 release.
Any SQL gurus on here? I have a Telegram cache4.db and WAL and SHM files. I have run them through UFED PA v7.40 in DB view using Pickaxe, and numerous deleted messages have been recovered. The data column is a blob, which I can see has valuable text strings in it. I have exported this out to CSV, and when opened, in the data column I get >System.Byte[]< where the message string should be. I have done the same thing in SQLite Wizard too, same result. Any ideas where I am going wrong @Cellebrite ? I have CTRL+A'd and exported the hex of the blob into Excel and can figure out hex to ASCII at a push, but figure there should be an easier method than this. (edited)
@Dfdan https://blog.digital-forensics.it/2020/04/teleparser.html (thanks to @dfirfpi) No idea if it works, let me know if it does will ya. (edited)
Dfdan
Any SQL gurus on here? I have a Telegram cache4.db and WAL and SHM files. I have run them through UFED PA v7.40 in DB view using Pickaxe, and numerous deleted messages have been recovered. The data column is a blob, which I can see has valuable text strings in it. I have exported this out to CSV, and when opened, in the data column I get >System.Byte[]< where the message string should be. I have done the same thing in SQLite Wizard too, same result. Any ideas where I am going wrong @Cellebrite ? I have CTRL+A'd and exported the hex of the blob into Excel and can figure out hex to ASCII at a push, but figure there should be an easier method than this. (edited)
DMed you
King Pepsi
@Magnet Forensics how do I go about decoding a database from ufed? I’ve dumped it and added as an image but it fails straight away
Did you get an answer on how to have Axiom decode a database?
sholmes
Did you get an answer on how to have Axiom decode a database?
Turned out the issue was a server issue thankfully!
Thought that might be the follow up question, but if not I was gonna offer suggestions
Arcain
@rafael_cs if phone is encrypted, this backup will also be encrypted and useless (edited)
@Arcain I was checking these MTK backup files again and tried to parse them with XRY or another tool to carve files. Surprisingly they were able to carve a lot of user images and some WhatsApp audio, so I think it wasn't encrypted. Checking the files again in a hex viewer, they still look like a compressed file, but no success when trying as tar, tar.gz or zip.
I'm using Coolpad note 3 lite, running Android 5.1. I created internal memory backup using stock recovery. Files were created in this format: userdata_yyyymmdd_HHMMSS.backup = 2GB
What does it mean if an iPhone has three different IMEIs and two IMSIs?
@LawDawg What model is it, could it be physical SIM and eSIM? Not sure where the third would be from however! (edited)
iPhone 11 model MWHX2LL/A. I'm looking in the hex now to see what i can
Should support eSIM at least so I would suspect something along those lines!
@LawDawg I've deleted your messages just because the uncensored IMEIs were in the pics, probably best not to share those (if it was a test device, I apologise!)
You're right. I apologize.
It's ok, it happens!
Lordicode Oxygen Forensics 12/10/2020 11:28 PM
@LawDawg number in Settings > General is different to the IMEI number when you dial *#06#? Are the first 8 numbers the same? If you want to know which is the phone's IMEI - if IMEI under Primary and IMEI when you dial *#06# is the same then that's the IMEI you should be using for reports, because it is the one associated with the device itself. (edited)
Hi! Cellebrite PA custom decoding chains questions: Is it possible that upgrading UFED PA removed my previous custom chains? Also, does someone know where the custom chains are stored on the computer so I could save them and possibly export them to other computers in the lab (hoping they will show up in the chain manager)? Thanks!
Anybody else's @Cellebrite PA not automatically running media classification when selected during the open case process? Mine was working perfectly until I updated to 7.40.0.68
@Cellebrite or anyone, I'm trying to search across the hex memory dump for an IP address, but it's not liking the search, I assume as it's full of . characters. Any recommendations, or is it a regex situation?
binarycanary 12/11/2020 9:48 AM
Hey all can anyone point me in the right direction as far as what artifacts and databases to look at on an iPhone that would show settings changes and what not resulting from an abrupt change in phone ownership (theft)
Is it just me, or do Huawei phones have a different digital wellbeing app/db?
binarycanary
Hey all can anyone point me in the right direction as far as what artifacts and databases to look at on an iPhone that would show settings changes and what not resulting from an abrupt change in phone ownership (theft)
Refer to for585.com/poster and look at anything iCloud or sync settings to start. Also SIM card identifiers may help too. They are all searchable on that poster.
FabianoQ
Is it just me, or do Huawei phones have a different digital wellbeing app/db?
Interesting. I don't have a Huawei to look at. I am interested in seeing what you find though. I will also ask our dev who works on this.
10:21 AM
Before I re-invent a wheel that exists, has anyone looked into environmental sounds from the Apple Watch and where the data is stored?
heatherDFIR
Interesting. I don't have a Huawei to look at. I am interested in seeing what you find though. I will also ask our dev who works on this.
the "/com.google.android.apps.wellbeing/" path is missing, and I see a "/com.huawei.health/databases" that I assume should be the Huawei equivalent. Inside this databases folder I see what looks like SQLite databases, but they seem encrypted. I can share a sample with you if you want.
FabianoQ
Is it just me, or do Huawei phones have a different digital wellbeing app/db?
Yes. I’ve made some reports parsing Huawei Health. I have some scripts I’ve created if you're interested. You can also take a look at the following URL, maybe not exactly what you are looking for, but it might contain useful info: https://forum.xda-developers.com/t/share-exercise-data-from-the-huawei-health-app.3909998/ In some cases the app also creates log files that are stored on /sdcard/huawei/* (older versions of the app always created log files). They are quite complex but contain everything from steps to location data. (edited)
Huawei TCX Converter A makeshift python tool that enables the extraction of TCX files from the Huawei Health app. Your phone must be a Huawei Phone or Rooted to access Huawei Health app data! Introduction Users of Huawei Watches/Bands sync...
goalguy
Anybody else's @Cellebrite PA not automatically running media classification when selected during the open case process? Mine was working perfectly until I updated to 7.40.0.68
I just had the same thing happen to me. I had to run the media classification manually, but once it was completed it worked like normal.
FullTang
I just had the same thing happen to me. I had to run the media classification manually, but once it was completed it worked like normal.
Same situation here. No problem running it manually.
.karate.
Yes. I’ve made some reports parsing Huawei Health. I have some scripts I’ve created if you're interested. You can also take a look at the following URL, maybe not exactly what you are looking for, but it might contain useful info: https://forum.xda-developers.com/t/share-exercise-data-from-the-huawei-health-app.3909998/ In some cases the app also creates log files that are stored on /sdcard/huawei/* (older versions of the app always created log files). They are quite complex but contain everything from steps to location data. (edited)
Thanks, sure, I'm interested
Does anyone have a write up on manually decrypting signal data on iOS?
dfir_rick
Does anyone have a write up on manually decrypting signal data on iOS?
Decrypt signal.sqlite IOS. Contribute to Magpol/HowTo-decrypt-Signal.sqlite-for-IOS development by creating an account on GitHub.
12:28 PM
You still need the key from the keychain. If you don’t have access to “tools” you can jailbreak the device and get the key with frida.
heatherDFIR
Refer to for585.com/poster and look at anything iCloud or sync settings to start. Also SIM card identifiers may help too. They are all searchable on that poster.
binarycanary 12/11/2020 12:28 PM
Thank you
.karate.
You still need the key from the keychain. If you don’t have access to “tools” you can jailbreak the device and get the key with frida.
Thank you, I really appreciate it! I actually do have a full file system acquisition and the keychain.
dfir_rick
Thank you, I really appreciate it! I actually do have a full file system acquisition and the keychain.
Np. I wrote the instructions some time ago. If you get errors, just go to Signal's GitHub and check if something has changed.
.karate.
Np. I wrote the instructions some time ago. If you get errors, just go to Signal's GitHub and check if something has changed.
Will do, thank you!
Physical Analyzer 7.41 is out. (edited)
Is anyone experiencing this problem with Cellebrite P.A. being stuck for days on this message:
7:44 AM
I've tried many times with version 7.40 and 7.41 on 3 different computers. Always the same Xiaomi full fs extraction, always stuck, analysis completed all data accessible but "Generate report" greyed out ...
CLB - DavidK 12/13/2020 1:49 AM
@FabianoQ I would like to take a look at the logs, I DM you
Mistercatapulte 12/14/2020 12:50 AM
@FabianoQ i had exactly the same pb with a xiaomi dump
@Mistercatapulte Little update: on a PC with version 7.35 of P.A. the problem manifests itself only partially; the trace window still remains stuck on the "Adding project processor" message, but the "Generate report" menu item is not greyed out, so at least I could generate a report. Cellebrite support is working on it.
Mistercatapulte 12/14/2020 12:58 AM
@FabianoQ yeah i've reported it to support 1 week ago
Hey, I don't know if this topic should be in this room. I have an Android device that I need to collect all the Snapchat data from. Is it possible that the phone keeps a log even for the deleted ones?
Hello all - I have a full filesystem extraction off an iPhone 7, is there any way to determine when a PIN code was set up on the device? Many thanks.
Quick question regarding cached images that are stored in com.sec.android.gallery3d/cache. Can anyone let me know (or point me in the direction of information regarding) when these are created? Are these images created when the gallery app is open and the system refreshes what images are stored on the device, are these created as soon as an image is on the device, or something else? (edited)
@.karate. you willing to share the script for the Huawei digital wellbeing with me as well? (edited)
@Cellebrite Within UFED Cloud, is "Uploads" simply the time the user uploaded a file to their cloud account?
7:14 AM
This case is a Dropbox acc if that helps.
Pixel
Hello all - I have a full filesystem extraction off an iPhone 7, is there any way to determine when a PIN code was set up on the device? Many thanks.
iLEAPP shows the various locks used on a device and provides dates. I would start there.
florus
@.karate. you willing to share the script tot the Huawei digital wellbeing with me as well? (edited)
Our R&D are looking into this as well.
@Cellebrite How do I move a file from "Uncategorized" to "Videos"
12:12 AM
So that I can export it via Griffeye Export?
Rob
@Cellebrite How do I move a file from "Uncategorized" to "Videos"
CLB-drorimon 12/15/2020 6:51 AM
In the python shell you can write something like this:
f = ds.FileSystems['filesystem name']['full path to file']
f.Tags.Add('Video')
CLB-drorimon
In the python shell you can write something like this:
f = ds.FileSystems['filesystem name']['full path to file']
f.Tags.Add('Video')
thanks! Would you have a rough idea why two playable videos within UFED were initially marked as Uncategorized
6:54 AM
I'm not familiar with what sends a file there, assuming usually ones without a file type or something
6:55 AM
There's 3 in there. One isn't playable which makes sense
6:56 AM
One from memory was a .flv if that helps
CLB-drorimon 12/15/2020 6:56 AM
You can control "Data Files" from the Tools -> Settings -> Data Files.
Rob
@Cellebrite How do I move a file from "Uncategorized" to "Videos"
heatherDFIR 12/15/2020 7:47 AM
In the settings. I plan to do a tip tues on these settings. But it's all under Tools>Settings>Data File
heatherDFIR
In the settings. I plan to do a tip tues on these settings. But it's all under Tools>Settings>Data File
I did have a play with it. Added ;.flv and closed and re-opened the project but couldn't get it to move.
7:59 AM
Wondered if it were something to do with the signature headers but didn't have time to continue testing
Rob
I did have a play with it. Added ;.flv and closed and re-opened the project but couldn't get it to move.
Figured it. Tired me didn't realise I was playing with a ufdr file 😂
An old classic: I'm trying to determine (or at least trying to understand) whether a HEIC photo from an iPhone extraction was taken with that phone. I'm looking through ZADDITIONALASSETATTRIBUTES in photos.sqlite, but it seems ZCREATORBUNDLED shows info for everything but HEIC files. So JPG, PNG, MP4, etc. all have details about the app being used, but HEIC files don't (And MOV too it seems?). Any experts out there willing to share some knowledge? (edited)
Telegram requires a passcode to open, anyone know where this can be found?
@Cellebrite Anyone around for a few questions about iOS 14 keychains?
Has anyone else had success in decoding a keychain from an UFED iOS 14 Checkm8 extraction? PA 7.41 should support the new format but none of my keychain information is parsed from my extractions from what i can see
Oscar
Has anyone else had success in decoding a keychain from an UFED iOS 14 Checkm8 extraction? PA 7.41 should support the new format but none of my keychain information is parsed from my extractions from what i can see
Oxygen Forensic® Detective offers full file system and keychain extractions using the checkm8 vulnerability from Apple iOS devices running iOS up to and including 14.2. Read our new blog post to learn more about our checkm8 support https://t.co/2ULdXgIYuc #DFIR
@CyberTim thanks! I'll try that :)
Working with Cached Locations in Magnet Axiom, what would be the best way to export this data into a map view and keeping the timestamps and additional information?
9:27 AM
Exporting to KML does not keep all of the data
I have a standalone Android Signal backup that I'm looking to parse into a forensic platform to avoid manually parsing the database. I have the 30 digit pin and know the backup is valid. @Cellebrite @Oxygen Forensics @Magnet Forensics
forensicmike @Magnet 12/16/2020 10:36 AM
Sending a DM @Tyler_Leno but we do support those.
@Tyler_Leno i got you fam DM me if you need more help
Hi, anyone know of a tool that can decode Samsung Kies backups? I’ve tried PA, Oxygen, but they don’t seem to support it.
Tyler_Leno
I have a standalone Android Signal backup that I'm looking to parse into a forensic platform to avoid manually parsing the database. I have the 30 digit pin and know the backup is valid. @Cellebrite @Oxygen Forensics @Magnet Forensics
Lordicode Oxygen Forensics 12/16/2020 10:53 PM
Hello, we support parsing of Signal backup. In addition to the ability to extract Signal data from the device with OxyAgent.
anyone experiencing crashes without anything in the logs in cellebrite PA? got a blackscreen then it exits on the latest version
3:34 AM
Got the same thing 2 times, selecting images
@King Pepsi I don’t think Telegram stores the passcode in plain but I do see fields for “passcodeHash1” and “passcodeSalt” in the shared_prefs/userconfing.xml (yes confing, not my typo 😆)
@King Pepsi Expanding on what @varbytes has mentioned. You can use telegram2john.py https://github.com/openwall/john/blob/bleeding-jumbo/run/telegram2john.py to extract the password hash from the userconfig.xml file (you can also try and crack it using the script - but hashcat will be quicker), just use the script to pull out the hash. Once you have the hash, you can then feed this hash into hashcat with mode -m 22301 and attempt to crack the passcode. If you want any help doing this feel free to DM me, or ask in this channel or password-encryption-cracking channel. I'm sure there are a lot of people who will help! 😁 (edited)
Hi guys! A couple of questions if you don't mind - does anyone know what I can use to view the calllog.db-journal file in a decent format? From what I can see in UFED PA the truncated SMS entries in the journal are marked as deleted - does this refer to the fact that the specific SMS are deleted (they aren't in the mmsssms.db anymore) or to the fact that the journal file is deleted?
Russell Abel - Bastrop County SO 12/17/2020 7:15 AM
@Cellebrite So, I screwed up and added a SIM card extraction from another device to a phys and adv log ext I was working on. I went through and tagged multiple artifacts, then saved a session file and a ufdx file. I realized what I did after I was through working on the extractions. I was able to go through and edit out the sim card extraction from the ufdx file pretty easily with Notepad++. I opened the .pas file, though, and it does not appear to be as straightforward. How can I edit out the SIM card extraction from the pas file? What I want to do is open the Phys and Adv Log extractions again, then open the session file so I get my tags back, then generate a new report. I just don't want to lose my tags and have to go back and completely re-analyze the device.
Russell Abel - Bastrop County SO
@Cellebrite So, I screwed up and added a SIM card extraction from another device to a phys and adv log ext I was working on. I went through and tagged multiple artifacts, then saved a session file and a ufdx file. I realized what I did after I was through working on the extractions. I was able to go through and edit out the sim card extraction from the ufdx file pretty easily with Notepad++. I opened the .pas file, though, and it does not appear to be as straightforward. How can I edit out the SIM card extraction from the pas file? What I want to do is open the Phys and Adv Log extractions again, then open the session file so I get my tags back, then generate a new report. I just don't want to lose my tags and have to go back and completely re-analyze the device.
ScottKjr3347 12/17/2020 7:25 AM
I submitted a similar support ticket feature request just the other day. I don't believe there is an easy way to do this other than unchecking the items you don't want to include in the report. Here is what I asked as the feature to be added. If you think you or anyone else might need this in the future please submit a ticket to let CB know we need this. Hello Everyone,   I am not sure if this has been mentioned or asked, but will there be a way to delete items / individual acquisitions from a case after the case has been processed?   Example: If I add a case, added devices and acquisitions and process the case, then later I realize I did not want a particular item or acquisition in the case with the others, can I delete the item or acquisition from the case and still have the other items in the case?   Or is that too much to ask?   It would be nice to have a feature that would allow a user to delete individual items, say an SD Card or SIM card or select device acquisitions from a case without having to process the entire case over.
Russell Abel - Bastrop County SO 12/17/2020 7:28 AM
I absolutely agree that it would be nice to be able to remove extractions. It seems kind of asinine that if you screw up, you have to completely start over and have it carve, categorize, etc, all over. It would be nice to be able to just right-click on an extraction, click remove, click "Yes, I'm sure", and have it gone.
Any grayshift people on here for a time critical question?
Andrew Rathbun 12/17/2020 7:53 AM
@Grayshift
Any @Grayshift on here for a time critical question?
David Smalley 12/17/2020 7:53 AM
I’ll send you a message
Seladour
Hi guys! A couple of questions if you don't mind - does anyone know what I can use to view the calllog.db-journal file in a decent format? From what I can see in UFED PA the truncated SMS entries in the journal are marked as deleted - does this refer to the fact that the specific SMS are deleted (they aren't in the mmsssms.db anymore) or to the fact that the journal file is deleted?
CLB-drorimon 12/17/2020 1:15 PM
An SMS (or any other artifact for that matter) marked as deleted can mean one of two things: that it came from a deleted record we managed to recover, or that the record itself is intact but the user deleted the artifact it represents, for example, a record exists in a log DB but not in the main DB. In this case, you can distinguish between the two by looking in the calllog.db and seeing if the said record is intact or recovered.
any ideas why in the newest PA when I try to save a session it always fails? It's possible only right after opening the extraction, but when I bookmark something it always fails 😦 @Cellebrite ?
Forensic@tor 12/17/2020 1:51 PM
@DEVNULL I am not having that issue. May want to reinstall.
I am working remotely with an examiner who has a physical and FFS from an LG Stylo 5 Android 10 (SPL 8/1/20). The phone is unlocked and he can see approximately 34 message threads in the Signal application. Neither @Cellebrite PA 7.40 nor @Magnet Forensics Axiom parsed data from Signal. PA shows 2 DBs associated with Signal, but the DBs have minimal to no data in them. Search of the hex for message/contact data was unsuccessful. (I wasn't expecting it since it should be encrypted). However, we know he was using the SMS/MMS feature of Signal, so I was hoping there would be some of those messages in hex which would be recoverable. He has already performed a photo report of the application, but I was hoping to be able to understand why neither application parsed any of the data. (edited)
3:00 PM
update- rerunning the extractions through Axiom 4.8 to see if this changes things.
Dm’d
Thanks for clarifying. @CLB-Paul I was thinking PA was parsing Signal. Glad to know I wasn't going crazy.
Depends on version of course
Much appreciated.
sholmes
I am working remotely with an examiner who has a physical and FFS from an LG Stylo 5 Android 10 (SPL 8/1/20). The phone is unlocked and he can see approximately 34 message threads in the Signal application. Neither @Cellebrite PA 7.40 nor @Magnet Forensics Axiom parsed data from Signal. PA shows 2 DBs associated with Signal, but the DBs have minimal to no data in them. Search of the hex for message/contact data was unsuccessful. (I wasn't expecting it since it should be encrypted). However, we know he was using the SMS/MMS feature of Signal, so I was hoping there would be some of those messages in hex which would be recoverable. He has already performed a photo report of the application, but I was hoping to be able to understand why neither application parsed any of the data. (edited)
An alternative is to make a backup from the application itself: https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-Messages And then use signalBack to create a report of the data: https://github.com/xeals/signal-back
8:53 PM
Worth mentioning is that as default it stores the backup on your internal sdcard, so the device will be tampered with. (edited)
@sholmes Did you resolve this? I thought as per the recent article that cellebrite could decrypt signal?
Ho! Ho ! Ho! It would appear PA 7.40.0.68 (and earlier versions) is having issues with extracting data from KnowledgeC and the currentpowerlog so please be careful when relying on this data. Issues translated as 'not reflecting what is actually in the log' so if I was a defence examiner, I would be all over it. (edited)
I have an iphone 7 (A1778) with iOS version 10.2.1. I would like to proceed with checkm8 but I see that it only supports the version equal to or greater than 12.3. Have any of you tried with an older version?
@Cellebrite The latest PA just absorbed about 95% of my ram and my machine has blacked out when trying to add an SD card into a project. That sound normal?
2:37 AM
Managed to fix the above with the good ol fashioned Win+P
GrayShift_Matthieu 12/18/2020 3:16 AM
Hello all, for those who can not get their iOS keychain dump, I just published a small tool to decrypt it on iOS 14. It has some limitations but should be enough to get the keys for apps such as Signal or Snapchat (cf Magnet article https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey ). https://github.com/xperylabhub/ios_keychain_decrypter
Anyone got a working regex for UK mobile numbers? (including the potential to have spaces in it) (For use in X-Ways) - I've tried ^(?:\s*\d){11}$ to no luck (edited)
@Rob try ( *#){11}
john2
@Rob try ( *#){11}
Will do
5:06 AM
Found ^(\+44\s?7\d{3}|\(?07\d{3}\)?)\s?\d{3}\s?\d{3}$
5:06 AM
But not entirely sure on it yet.
5:10 AM
From my understanding of it, it'll get +44 1234567890 but not +44 01234567890 as some do accidentally type.
5:11 AM
Not sure if there's effectively a single one that captures all possible formats
you may need to tweak it. i did get your first regex working outside of x-ways
5:12 AM
I'll give it a go and see.
5:13 AM
Do you know roughly what formats it picked up?
it should work on any 11-digit format with or without spaces
Sounds ideal
5:15 AM
Thanks
let me know if its not working as needed and i can help you adjust it
@Rob (44)?( *0)?( *#){10} should be more robust. it will take into consideration the 44 prefix and account for a missing 0 at the beginning.
CCC
@sholmes Did you resolve this? I thought as per the recent article that cellebrite could decrypt signal?
If it can, it can’t do this version. I was hoping @Magnet Forensics axiom might be able to since they list it as well.
6:39 AM
Next week I might play with some GitHub stuff and see what it does decoding signal.
sholmes
Next week I might play with some GitHub stuff and see what it does decoding signal.
GrayShift_Matthieu 12/18/2020 6:54 AM
I published some notebooks to decrypt and parse Signal. However it is not tested on every version... https://github.com/xperylabhub/4n6notebooks
@sholmes did you get a full file system image of the device? Cellebrite is pulling the stored signal decryption key from a file you would get with this
7:19 AM
I found a cool thing on github a while back that decrypts the signal for Android backup file using the key generated when you make the backup, for those times when a ffs doesn't work or isn't possible. But you have to generate the backup in either the phone's internal storage or an SD card (if it has a slot for one)
I did get a physical from the LG phone. Thanks @Sha1_4n6 and @GrayShift_Matthieu I’ll check those both out.
My thinking from the cellebrite blog post was that they figured out how to do this and it will be in the next release...hopefully soon!
@Cellebrite any tips to import a signal db file (signal.sqlite) and the keychain to decode in UFED PA? Didn't work for me even if I recreate the correct path ... keychain is well decrypted though ...
1:18 AM
the point is to import only the needed file assuming you don't have a complete extraction of the handset
@Mike You can DM me with more details about what files you are able to import and how they were extracted initially from the phone, I'll try to help
Anyone has recommendations for parsing data from WhatsApp-like app (YoWhatsApp)? The files and database organisation looks very similar to standard WhatsApp. @Cellebrite is able to parse WhatsApp and GBWhatsApp - is there any way to reuse the same parser for YoWhatsApp without having to reinvent the wheel?
@varbytes you will either need to use the sqlite wizard and build the connections yourself or you could try axiom and use its built in option to find more data
Would AppGenie be of help there?
Sha1_4n6
@varbytes you will either need to use the sqlite wizard and build the connections yourself or you could try axiom and use its built in option to find more data
I could, but I guess I’m greedy in hoping to be able to reuse the parsers with minimal edits so that the contacts, call logs, and attachments could be parsed and linked, similar to how it is currently done for WhatsApp and GBWhatsApp. 😆 (Not a huge fan of reinventing the wheel) (edited)
Rob
Would AppGenie be of help there?
I tried AppGenie - user chat messages were parsed fine but it fell short in detecting call logs and attachments
Ah, some success then. See what Axiom finds then would be the next quick fix step else sounds like sha1s suggestion could be it.
varbytes
I tried AppGenie - user chat messages were parsed fine but it fell short in detecting call logs and attachments
heatherDFIR 12/21/2020 9:51 AM
Try Fuzzy Model Plugin too! It fills the gap often. It's under Tools.
Cool! Thanks Heather, I'll have to remember that one!
heatherDFIR
Try Fuzzy Model Plugin too! It fills the gap often. It's under Tools.
Cool, I’ll try that one. Thanks!
heatherDFIR
Try Fuzzy Model Plugin too! It fills the gap often. It's under Tools.
What does that one do 😄
Rob
What does that one do 😄
CLB-drorimon 12/22/2020 12:27 AM
It's the older brother of the AppGenie, which creates 'Fuzzy Models', and not ordinary models (not 'Call', 'Chat' etc.).
CLB-drorimon
It's the older brother of the AppGenie, which creates 'Fuzzy Models', and not ordinary models (not 'Call', 'Chat' etc.).
Thanks : )
varbytes
Anyone has recommendations for parsing data from WhatsApp-like app (YoWhatsApp)? The files and database organisation looks very similar to standard WhatsApp. @Cellebrite is able to parse WhatsApp and GBWhatsApp - is there any way to reuse the same parser for YoWhatsApp without having to reinvent the wheel?
CLB-drorimon 12/22/2020 1:14 AM
You can try and rename (!) the directory name from data/com.YoWhatsApp into data/com.WhatsApp, and the same under media, and if you're lucky, it will be enough.
CLB-drorimon
You can try and rename (!) the directory name from data/com.YoWhatsApp into data/com.WhatsApp, and the same under media, and if you're lucky, it will be enough.
We did that but it seems we’ll need to do strings search replacement of the package name in a number of config files as well if we are to get the pretty output with the owner name and all.
1:18 AM
Thanks all for the help!
Is there any way to save the program state (where in the case I'm located) in Axiom like with Physical Analyzers PAS files.
Is anything parsing snapchat 11.7.1.51 within iOS extractions?
Anyone know the current file path of the cash app db in iPhone.
Can you extract Telegram chats on iOS? I am having problems.
DFIR_Trooper 12/22/2020 2:04 PM
Has anyone seen this? Trying to explain the Last Access time on mmssms.db in Android 8 EXT4. Phone activated: 12/17/18 .db Creation date 6/2/20 .db Modify date 12/14/20 .db Access date 4/3/18
Anyone from @Cellebrite able to take a look at some PA logs to try and figure why a case is stuck at the Adding Project Processor stage?
CLB - DavidK 12/23/2020 4:51 AM
@Rob Please DM me
Hey! Has anyone figured out a way to parse Snapchat from iPhones after the update? The messages are no longer stored in conversationstore.plist (edited)
@callzor#4481 you can find a lot of information and msgs in arroyo.sqlite, scdb-27.sqlite. For the contacts, in the plist file friendsForAsync... with an internal id 😉 (edited)
The MSAB site seems to be down right now. Does anyone have a DL for the XAMN viewer tool?
theapprentice0714 12/23/2020 4:51 PM
Hi everyone. Does someone know if it's possible to know, on an Android device, if an SD card was present in the phone before we seized it? When we seized it, the SD card slot was empty but we suspect that one was present and would like to confirm this.
Do you have access to dmesg logs, it should show if there was a mounted card on last boot
6:46 PM
Otherwise, logcat messages filtered using "vold"
Tyler_Leno
The MSAB site seems to be down right now. Does anyone have a DL for the XAMN viewer tool?
Andrew Rathbun 12/23/2020 7:03 PM
@MSAB
Falzar
Do you have access to dmesg logs, it should show if there was a mounted card on last boot
theapprentice0714 12/23/2020 8:03 PM
@Falzar Thanks for the reply. The phone needs to be rooted to access those logs I guess? I still don't have legal authorization to root the device. (edited)
theapprentice0714
@Falzar Thanks for the reply. The phone needs to be rooted to access those logs I guess? I still don't have legal authorization to root the device. (edited)
Assuming the device is still on you might be able to read /proc/last_kmsg without sudo
Falzar
Assuming the device is still on you might be able to read /proc/last_kmsg without sudo
theapprentice0714 12/23/2020 8:13 PM
The device was turned off after it got seized. So i guess that the info will only be in dmesg logs? Am i right? Sorry if i sound like a newbie, but i usually take charge of the apple devices😏
theapprentice0714
The device was turned off after it got seized. So i guess that the info will only be in dmesg logs? Am i right? Sorry if i sound like a newbie, but i usually take charge of the apple devices😏
dmesg is probably the clearest way to check for newly attached peripherals, but it is refreshed on boot so that may be a problem. last_kmsg holds the dmesg from the previous boot and similarly may be cleared. Another alternative is to look for symlinks that may point to the existence of a path to the sdcard, which may be /storage/emulated/1 or /storage/sdcard1
8:24 PM
Hopefully you don't have to do anything drastic like ramdump a frozen chip
Falzar
Hopefully you don't have to do anything drastic like ramdump a frozen chip
theapprentice0714 12/23/2020 8:40 PM
The symlinks are my only option right now I think. Is the sdcard always mounted in storage/emulated/1 or /storage/sdcard1 by default? (edited)
theapprentice0714
The symlinks are my only option right now I think. Is the sdcard always mounted in storage/emulated/1 or /storage/sdcard1 by default? (edited)
For current Android versions yes, /storage/emulated/0 - internal storage, /1 is external (sdcard) (edited)
Falzar
For current Android versions yes, /storage/emulated/0 - internal storage, /1 is external (sdcard) (edited)
theapprentice0714 12/23/2020 8:47 PM
Yes! You really helped me, it’s 23:45 here, im all alone in the lab and everybody else gone on vacation☹️ i will get some sleep and check that out in the morning...thank you 1000x
Season's greetings! 🎄
theapprentice0714 12/23/2020 8:48 PM
U too 🎁🎁🎁
@Tyler_Leno It seems to be working for me, the no-install version can always be downloaded from https://www.msab.com/downloads/ as well! Let me know if there are any issues
Hi, I got a SM-G6100. I have a physical extraction; after announcing that it has a secure boot, when I try to parse it, it asks for a password and the dictionary attack fails. I tried to parse it with Axiom and now I can see all the FS as partitions 1-50. What are my options? Can I find the keys somewhere? Thanks
Hi, is it possible to see when an Android phone (Samsung a405fn) has received an update from Android 9 to 10? Does anyone know which database that is in?
Yea, I noticed that this doesn't answer your question, but I think that you'd have to look in recovery logs
Haha, yes thanks. I am looking at those but I was curious if someone already knew this.
theapprentice0714
Hi everyone. Does someone know if it's possible to know, on an Android device, if an SD card was present in the phone before we seized it? When we seized it, the SD card slot was empty but we suspect that one was present and would like to confirm this.
ScottKjr3347 12/24/2020 9:40 AM
Check out this #life-has-no-ctrlaltdelete with @CLB-Paul discussing how SD Cards Impact digital investigations. https://www.cellebrite.com/en/series/how-sd-card-data-impacts-digital-investigations/
External.dB 🙂
9:42 AM
I did up some other work also. There was a good write up done. Let me find it
9:42 AM
any suggestions for decoding search_result.db from the Android Searchlite application? The phone is a Cricket Icon running Android 9 Go. @Cellebrite PA doesn't parse it, and the data in the DB is not clean. I can see the searches, but they have various letters and icons around the words. @Magnet Forensics doesn't like this file system format F2F, so I just ran the db and it didn't parse it, but gave me a cleaner view of the data in the DB. Using DB Browser for SQLite, I see the data similar to that of PA. Any thoughts or suggestions to get a clean report from this DB? (edited)
@Oxygen Forensics could one of you lads please contact me regarding the Oxygen viewer application?
Lordicode Oxygen Forensics 12/29/2020 1:41 AM
@B On it👍
forensicmike @Magnet 12/29/2020 6:21 AM
@sholmes I'll send a DM
Does anyone happen to know where the default memo app is stored in the file system of a Samsung phone? I have an extraction from a Galaxy S7 and I am trying to locate the text stored in the memos.
Have you checked the system app folders or around /data/data/<notes app package name> for any db or files, assuming you dumped the whole fs and can see / root (edited)
Falzar
Have you checked the system app folders or around /data/data/<notes app package name> for any db or files, assuming you dumped the whole fs and can see / root (edited)
I'll check on it tomorrow when I get back to the lab. Thanks for the hint.
Anyone examined Discord on an Android?
I am trying to investigate whether or not two videos were created on an iPhone XS device. They are located in the "DCIM/100APPLE" directory and they are named "IMG_0xxx.MOV". I have looked into the Photos.sqlite database and found them in the ZGENERICASSET table, however the values for ZDATECREATED are 5 minutes earlier than the creation time in the filesystem. The resolution is also quite low, 144x256. In the table ZADDITIONALASSETATTRIBUTES the values for ZCREATORBUNDLEID are com.toyopagroup.picaboo and ZORIGINALFILENAME are cm-chat-media-video-[randomcharacters].mov, so I assume the files were created from a chat in Snapchat. Are the filepath and filename enough to tell if they were created on the device though?
@DarkHelmet I am assuming there is no Exif data for this video? (edited)
mond4y_morNin6 12/30/2020 10:13 AM
Is anyone at @Magnet Forensics available for a quick question regarding importing a Cellebrite Extraction into Axiom?
@mond4y_morNin6 - sending a DM
DFLSher
@DarkHelmet I am assuming there is no Exif data for this video? (edited)
Unfortunately, none
DarkHelmet
I am trying to investigate whether or not two videos were created on an iPhone XS device. They are located in the "DCIM/100APPLE" directory and they are named "IMG_0xxx.MOV". I have looked into the Photos.sqlite database and found them in the ZGENERICASSET table, however the values for ZDATECREATED are 5 minutes earlier than the creation time in the filesystem. The resolution is also quite low, 144x256. In the table ZADDITIONALASSETATTRIBUTES the values for ZCREATORBUNDLEID are com.toyopagroup.picaboo and ZORIGINALFILENAME are cm-chat-media-video-[randomcharacters].mov, so I assume the files were created from a chat in Snapchat. Are the filepath and filename enough to tell if they were created on the device though?
ScottKjr3347 12/30/2020 7:29 PM
Do you have @Magnet Forensics AXIOM? There is a custom artifact that you can use to query the db. iLEAPP has also incorporated the following SQLite queries into it, but here are SQLite queries for iOS 13 and 14 if you want to do it outside of the tool. Export the photos.sqlite and run the query. DM me if you have questions. https://drive.google.com/file/d/1f7OSXTm-W4afh_x6AZy4apmfEPeJUq1x/view?usp=drivesdk. https://drive.google.com/file/d/1JVd7eInFMgUbuhPXQxmxt4c_NODlyeYb/view?usp=drivesdk (edited)
👍 3
magnetforensics 1
Avatar
Anyone having issues with Physical Analyzer 7.40.0.68 not finishing loading up extractions properly? It keeps greying out a lot of the options including generate report which is becoming quite frustrating. I've tried it on multiple machines now and it has been over 4 hours.
Avatar
Looks like upgrading to the latest version fixed it.
Avatar
@Cellebrite Does classification work with RDP license? I installed the GPU package. Getting this error in logs: [ERROR] TFBinariesTool: error with tensorflow library loading. Try running maven clean install in order to download the relevant libraries. {main, com.cellebrite.analytics.iman.util.Binaries.TFBinariesTool.<init>(TFBinariesTool.java:37)}
2:36 AM
PA V 7.41.0.8 (edited)
2:39 AM
This happens when CPU only is switched to false
2:39 AM
However, if I do CPU only true I get this error:
2:39 AM
[ERROR] SpringApplication: Application run failed {main, org.springframework.boot.SpringApplication.reportFailure(SpringApplication.java:826)}
Avatar
What happens in PA is that the classification "finishes" in a second without classifying anything
Avatar
@Luci this is best to be handled by the support team.
Avatar
@Cellebrite what may cause the Report function to grey out after importing an extraction using a .ufd file?
Avatar
Is it done loading
Avatar
Yeah that was my guess.
11:04 AM
Check the trace window
Avatar
I noticed the issue happens when using the new classification feature on my extractions, but haven't validated it.😉
Avatar
@CLB-Paul @Neon it was. It had a lot of errors though. I'll redo it tomorrow, will get back to you in 2021.
👍 1
Avatar
It might be related to the carving of locations
11:59 AM
Some apparently don't succeed and it sticks on adding processor.
11:59 AM
Worthwhile to do it, but if it's hanging on that redo it without carving locations.
Avatar
Avatar
Tilt
Anyone examined Discord on an Android?
Some posts regarding Discord, Android, and how to virtualize it. Magnet App Simulator can do it and it is free. Also Cellebrite's Virtual Analyzer. https://abrignoni.blogspot.com/search?q=Discord+android&m=1
👍 2
Avatar
@Rob @CLB-Paul @DFIR Pad1 re-doing it as we speak. Getting errors "failed to get data for zip entry:....." Someone from @Cellebrite around to show these errors? Edit: with these errors I'm able to make a report, but it didn't create a UFED Reader... the 7.39 version does make a ufedreader.exe file. (edited)
Avatar
Did you use AppGenie? @florus (edited)
8:30 AM
Has been known of late to stop the creation of ufdr files
Avatar
@Rob I did not. Thanks for helping me crack this nut.
👍 1
Avatar
Hi all, is there a common way to detect timezone changes pushed by the mobile network provider when a suspect is moving (my interest is in Android and iOS)?
Avatar
Avatar
rooxy
Hi all, is there a common way to detect timezone changes pushed by the mobile network provider when a suspect is moving (my interest is in Android and iOS)?
Could check for SMS messages if they're entering a new country etc (edited)
👍 1
Avatar
If the phone has accuweather widgets you can also look out for periodic pings and very rough location updates
3:55 AM
Check the packets for those, the accuweather api sends down the city in one of the fields as well
Avatar
I was wondering if there is a solution that works in all cases (whether apps are installed or not). I have considered SMS from the mobile network provider but there does not seem to be a standard content that could be used to detect those changes.
Avatar
From what I understand SMS messages are sent when the phone logs into a new network in another country; it doesn't necessarily mean crossing the border.
Avatar
Afternoon all. Is there a flag in an iPhone extraction that would let me know if a handset has been set up fresh or if it's been restored from a backup?
Avatar
@Cellebrite Hi, is it planned to update the Huawei backup in Physical Analyzer? I tried many times with different extractions to decode the HiSuite backup and it never decodes everything. The Huawei script on GitHub just works better. (kobackupdec)
Avatar
See kirin decrypt profile
Avatar
@wojotk_1 Works better than Huawei backup?
7:30 AM
It doesn't support OS10 I think
Avatar
Try once
Avatar
Good morning! I have a question about native chat attachments in Android. There is a particular conversation I'm looking at in Physical Analyzer and the file name for one of the attachments is listed as "content://mms/part/31". What does this mean exactly? I can find the file elsewhere on the phone but I need to identify it within this conversation. There are other photos sent from the sender in the same chat bubble; some have typical names like IMG_XXXX.jpg and others are listed as Content://mms/part/XX. Any help would be greatly appreciated.
Avatar
That's a content URI, registered to a specific content provider application. The path part of the URI gets resolved internally to a query to some system resource, such as a file, database, etc. If you have adb access, try dumping the result of adb dumpsys package providers, then check for anything that may match the package name.
Avatar
Avatar
Artea
Afternoon all. Is there a flag in an iPhone extraction that would let me know if a handset has been set up fresh or if it's been restored from a backup?
There's some good info in the following blog posts:
Avatar
Avatar
Artea
Afternoon all. Is there a flag in an iPhone extraction that would let me know if a handset has been set up fresh or if it's been restored from a backup?
Was an iPhone restored from iCloud, iTunes backup or started from scratch?
🙂 1
❤️ 1
Avatar
Avatar
Artea
Afternoon all. Is there a flag in an iPhone extraction that would let me know if a handset has been set up fresh or if it's been restored from a backup?
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
🙂 1
❤️ 1
Avatar
Thanks @DannyH_603, knew I had seen something on Cellebrite a few weeks ago. I'll pass this on to a work mate who needs it.
👍 1
Avatar
@Falzar you have forgotten 'shell' in your command 😉
Avatar
Avatar
rico
@Falzar you have forgotten 'shell' in your command 😉
Yes I did lol, typed that at 3am thanks for the catch
😉 1
Avatar
@CLB - DavidK I've sent you a PM, please take a look
Avatar
@Cellebrite Anyone about to take a look at a screenshot of a few errors in relation to a Qualcomm Live extraction from a Nokia GSM_TA-1196 7.2
Avatar
ScottKjr3347 1/5/2021 4:31 PM
@heatherDFIR @Brigs @bizzybarney @CLB-Paul Has anyone tested the following: iOS 13 or 14 When using Safari or other browser in “Private Browser” mode and a KTX file is created. Is the data from the browser omitted or wiped from the image? I don’t believe the user closed tab(s) prior to closing the application, but I have a blank Safari KTX image. In this instance it is Safari but it appeared to happen to other private chat applications also. I just started populating data on a test device to make sure. Just curious if anyone else has encountered this…? (edited)
4:36 PM
75DA####AE18@3x.ktx
Avatar
We recently had a case which had an iPhone X and an iPhone 12 as evidence. The iPhone X had no SIM and an iCloud ID. This was used by the suspect for contacting victims through WhatsApp. The iPhone 12 was the phone which the suspect used as a daily driver. It has a different iCloud ID. The iPhone X was used by the suspect to send data using WhatsApp. Unfortunately, the app was deleted by the suspect. I have looked into Wifi, Bluetooth and health data. Even though there are similar entries, I couldn't find anything which points without a doubt to both phones being at the same location at the same time. Is there any way to link the iPhone X and iPhone 12 and prove they were used by the same suspect? Any other places to look? I have got the iTunes backup folder of both phones.
Avatar
In Physical Analyzer is there a way to tell if an iPhone has been restored from a backup when activated? or even more helpful - is there a way to tell if WhatsApp was restored from a backup after the phone was activated/app was installed.
Avatar
Avatar
3X3
In Physical Analyzer is there a way to tell if an iPhone has been restored from a backup when activated? or even more helpful - is there a way to tell if WhatsApp was restored from a backup after the phone was activated/app was installed.
CLB-drorimon 1/6/2021 4:30 AM
Specifically in WhatsApp, if you can see messages with timestamps earlier than the installation time, it means that a backup was restored.
Avatar
Avatar
CLB-drorimon
Specifically in WhatsApp, if you can see messages with timestamps earlier than the installation time, it means that a backup was restored.
That was my conclusion, was just looking for some sort of hard way to prove that. Thanks for the reply drorimon!
Avatar
Any solution for Vivo 1811 pattern lock?
Avatar
Hello, all. I have an extraction well over 100GB from an iPhone. I can't generate a report because the extraction fills what's left of my OS drive. Is there a way to have PA store the temp files on a different drive?
10:47 AM
Or should I just reinstall it on that separate but empty drive?
Avatar
Using the Cellebrite SQL carver on an SMS.db, we have recovered deleted messages and when sorting by time, the deleted ones fit perfectly where they were missing from before running the carver. In this case, we have screenshots (the witness conveniently took them prior to deleting) that corroborate. The deleted messages have random ROWIDs, lots of 1's, 0's and random multi-digit . I realize that because these messages were carved from unallocated, these ROWIDs are not valid, but the question has arisen as to how this data gets there. Is there a rationale in the Cellebrite carver?
Avatar
Tyler_Leno 1/6/2021 4:05 PM
@TheCos When a record is dropped from a SQLite table it is usually added to the freeblock list of the page. The first four bytes of the record are overwritten to form the freeblock chain (the first two bytes point to the offset of the next free block and the next two bytes record the size of the current freeblock). For most records the first four bytes of the record contain the rowID information in the form of a VARINT. PA may be interpreting the four freeblock bytes as part of the complete record. https://www.sqlite.org/fileformat.html
👍 2
Avatar
Avatar
Tyler_Leno
@TheCos When a record is dropped from a SQLite table it is usually added to the freeblock list of the page. The first four bytes of the record are overwritten to form the freeblock chain (the first two bytes point to the offset of the next free block and the next two bytes record the size of the current freeblock). For most records the first four bytes of the record contain the rowID information in the form of a VARINT. PA may be interpreting the four freeblock bytes as part of the complete record. https://www.sqlite.org/fileformat.html
Thank you!
Avatar
Hi everyone. I have a .mp4 file that I would like to view the timestamp data of in hex, but I cannot figure out the offset to do this. Timestamps agree in both AXIOM and PA, but I just want to manually decode them to be sure. Does anyone know the offset locations for C, M, A?
Avatar
Does anybody have any experience using Cellebrite to export .ktx files (images) from an iOS device in such a way that they’re viewable in Windows? (edited)
Avatar
binarycanary 1/7/2021 8:33 AM
Question about mmssms.db. Can anyone explain what determines whether a message shows up in the “message” table vs the “sms” table. Thanks
Avatar
Hey all, in Cellebrite Reader what is the artifact that is being referenced on the extraction summary page for "Tethering - Last Activation Time", and exactly what is this referencing?
11:08 AM
Would this update when attached to a GrayKey?
Avatar
Avatar
nvx66778
Hi everyone. I have a .mp4 file that I would like to view the timestamp data of in hex, but I cannot figure out the offset to do this. Timestamps agree in both AXIOM and PA, but I just want to manually decode them to be sure. Does anyone know the offset locations for C, M, A?
facelessg00n 1/7/2021 5:08 PM
Have you used ExifTool on it?
Avatar
Avatar
FunkeDope
Hey all, in Cellebrite Reader what is the artifact that is being referenced on the extraction summary page for "Tethering - Last Activation Time", and exactly what is this referencing?
facelessg00n 1/7/2021 5:09 PM
I'm not in front of my machine, but is this when wifi tethering is enabled, i.e. hotspotting?
Avatar
I have a question for Cellebrite support. I have made a Huawei backup and after indicating the folder with its location in PA, I try to enter the correct password. The program displays an error related to an incorrect password. The password is definitely correct. I made the backup again and got the same error; I tried to change the computer, I changed the program version to an older one, but without positive effects. For other PA errors a PA downgrade helps, but it doesn't work here.
7:10 AM
The Huawei model is RVL-AL09, Honor Note 10
7:11 AM
Android 9, Emui 9.1.0, SPL 1 July 2020
Avatar
@Zolwik_MF try kobackupdec from GitHub. @dfirfpi made it if I'm correct. Then import that output to PA.
Avatar
Avatar
florus
@Zolwik_MF try kobackupdec from GitHub. @dfirfpi made it if I'm correct. Then import that output to PA.
Thank you for your answer. I'll have to try your advice.
Avatar
mond4y_morNin6 1/8/2021 2:05 PM
@Magnet Forensics Are there any reported issues in Axiom with GrayKey extractions getting hung up in processing on the Full Text Search? We have had two separate extractions that this has happened on now. It just sits at 0%. (edited)
Avatar
Avatar
3X3
In Physical Analyzer is there a way to tell if an iPhone has been restored from a backup when activated? or even more helpful - is there a way to tell if WhatsApp was restored from a backup after the phone was activated/app was installed.
👍 1
Avatar
Avatar
Corey
Does anybody have any experience using Cellebrite to export .ktx files (images) from an iOS device in such a way that they’re viewable in Windows? (edited)
CLB_iwhiffin 1/8/2021 3:31 PM
Hey Corey, Look in your settings and you should find an option to convert the ktx to png upon exporting.
Avatar
Avatar
CLB_iwhiffin
Hey Corey, Look in your settings and you should find an option to convert the ktx to png upon exporting.
Hi @CLB_iwhiffin, I ended up emailing Cellebrite and they got back to me today telling me exactly that, thanks for your reply 😄
👍 1
Avatar
Avatar
LawDawg
Hello, all. I have an extraction well over 100GB from an iPhone. I can't generate a report because the extraction fills what's left of my OS drive. Is there a way to have PA store the temp files on a different drive?
Soon we’ll have the capability to change the temp folder. For now it’s using what is set as default.
Avatar
Avatar
facelessg00n
Have you used ExifTool on it?
Yes I did. The timestamps matched. I thought about messaging the author of the program to see how his program determines where the timestamps are located, but I decided to try here first.
Avatar
Avatar
nvx66778
Yes I did. The timestamps matched. I thought about messaging the author of the program to see how his program determines where the timestamps are located, but I decided to try here first.
facelessg00n 1/8/2021 5:39 PM
Ah yep. The ISO/IEC 14496-14:2003 standard for MP4 lists the offsets where it's stored.
Avatar
Avatar
ScottKjr3347
@heatherDFIR @Brigs @bizzybarney @CLB-Paul Has anyone tested the following: iOS 13 or 14 When using Safari or other browser in “Private Browser” mode and a KTX file is created. Is the data from the browser omitted or wiped from the image? I don’t believe the user closed tab(s) prior to closing the application, but I have a blank Safari KTX image. In this instance it is Safari but it appeared to happen to other private chat applications also. I just started populating data on a test device to make sure. Just curious if anyone else has encountered this…? (edited)
Sorry Scott, just saw this and no. I've seen prior fruitful in private tabs. That was in iOS 11/12.
👍 1
Avatar
Would anyone from @Cellebrite be able to assist with a query? An officer has used 3 tags, some evidence tagged with 1 but also other bits tagged with 2 and 3 tags. He only wants 1 tag produced in a report though. Is there a way to select which tag I want? Seems like if I select "tags only" I can only get all 3 tags. 🤔
Avatar
@Corey How does that work? In PA I can see in report settings you can change the report output to HEIC/KTX/JPEG but cannot find the convert to png?
Avatar
Avatar
CCC
@Corey How does that work? In PA I can see in report settings you can change the report output to HEIC/KTX/JPEG but cannot find the convert to png?
CLB_iwhiffin 1/9/2021 8:07 AM
Sorry; I think I confused things. I meant JPG. In my reply.
Avatar
@CLB_iwhiffin Related question then, when I have that selected, my ktx are still coming out as ktx when I am going into images and pulling them out as a report from there? Do you have to create a report of the whole thing as UFDR?
2:55 PM
@CLB_iwhiffin Never mind, you cannot export them; you have to make a report.
👍 1
Avatar
When the origin of a position from an Android phone is something like this: "data/data/com.android.chrome/cache/Cache/9bc5d9b3eefdbf05_0/9bc5d9b3eefdbf05_0_embedded_1 : 0x528 (Dimensions: 2241 byte", what does it mean? The Chrome browser saved this position? An image in the cache of the Chrome browser contains this position? ... ?
Avatar
Avatar
Bowman4n6
Click to see attachment 🖼️
Thanks! Will give this a read.
1:32 AM
@Bowman4n6 This is exactly what I was looking for... Appreciate that!
Avatar
Avatar
Bowman4n6
Click to see attachment 🖼️
Why a pdf and not just a link to the article? https://smarterforensics.com/2019/01/how-was-an-iphone-setup/
👍 1
Avatar
Is anyone aware of a log or any artifact in iOS 14 that keeps track of when a user removed the passcode off the device? @heatherDFIR @CLB-Paul @Sarah Edwards (SANS/BlackBag) @Brigs (edited)
Avatar
Hey all, has anybody had any luck getting into or cracking an app called Vaulty? Any suggestions welcome! Thanks
Avatar
@Cellebrite Samsung S10 Lite (SM-G770F), android 10, unlocked. I've got a full fs via qualcomm live. The device has "personal area" activated and protected with unknown gesture, should i find the content of personal area in the report from P.A.?
Avatar
I’ll send you message
Avatar
Avatar
Bowman4n6
Is anyone aware of a log or any artifact in iOS 14 that keeps track of when a user removed the passcode off the device? @heatherDFIR @CLB-Paul @Sarah Edwards (SANS/BlackBag) @Brigs (edited)
Nothing comes to mind.
Avatar
Error (edited)
Avatar
@Cellebrite Hi, I have many different extractions (Android) where Snapchat (11.7.0.62) is used and PA never decodes the messages. I always need to use Axiom for this app. Is there a beta version available that decodes Snapchat?
Avatar
@Cellebrite Simple question. iOS device without checkm8 option. What should I do? Filesystem and logical extraction merged together, OR is only filesystem enough? Is there any additional data in the logical extraction? (edited)
Avatar
@Cellebrite where can I change the default media player for videos inside of a ufed reader report?
👍 1
Avatar
Hi, does anyone know if there is a file that tracks changes to language settings on iOS? Logs in a plist? KnowledgeC logs? Any ideas?
Avatar
Anyone have info on the Telegram database in iOS? Trying to make sense of the tables.
Avatar
Has anyone had any luck with locating Bluetooth Connections in Android Version 11? I am working with a Samsung Galaxy S20+ 5G (SM-G986U) and I do not see any of the connection databases using Cellebrite. I did already read @heatherDFIR 's blog on the DFIR Review site.
Avatar
@Cellebrite in reference to "scrambled" WhatsApp messages from iOS full FS extractions in Physical Analyzer, is there a way to unscramble the messages in PA, or would the best avenue be to take a picture of the conversation on the source device for reference.
Avatar
Can anyone elaborate on the difference between \media\photodata\metadata\dcim\100apple and the standard \media\dcim\100apple?
Avatar
Avatar
Artea
Can anyone elaborate on the difference between \media\photodata\metadata\dcim\100apple and the standard \media\dcim\100apple?
Wild guess is thumbnails
Avatar
I hadn't come across the file path before. \media\photodata\metadata\dcim\100apple holds both IMG****.jpg and a corresponding IMG*.thm file. \media\dcim\100apple has a corresponding IMG_***.mov file and the IMG_**.jpg appears to be the first frame of the video.
Avatar
Could it be a live photo? If memory serves me right live photos save a short video of the "Live" portion of the photo while the other just stores the Image part
Avatar
The video is 16 seconds long and is in the \media\dcim\100apple folder. Would the JPG files in the other folder then be classed as accessible? I'm also wondering why it isn't in the same folder as the video file.
Avatar
Ah, the live photos should only be a couple of seconds long so that's probably not it then. Let me check some of my extractions and see if I can find anything similar!
Avatar
Thanks @Erumaro. It's a 6s running 11.4 (15F79) if that helps at all.
👍 1
Avatar
@Artea I had a look and it seems that DCIM\100Apple only stores the original pictures and videos, while a thumbnail of the video is created and saved in the photodata\metadata folder, so I think it might simply be the thumbnail displayed in the Photos application. Out of all the files I had in private/var/mobile/Media/PhotoData/Metadata/DCIM/100APPLE/, all are from videos and I also had one .jpg and one .thmb. Not sure exactly what it means but I suspect it's simply the thumbnail. Let me know if you want me to look for anything specific.
Avatar
@Cellebrite or anyone else for that matter, can the com.apple.commcenter.plist file be populated with Synced data including devices connected to other apple devices?
5:43 AM
Looked at the SANS forensic poster which suggested it contained device info (which I can see it does) but it seems to contain 3rd party device info.
Avatar
bizzybarney 1/13/2021 5:47 AM
What are you seeing that you are labeling as 3rd party device info?
5:47 AM
And which OS version are you inspecting?
5:54 AM
@Rob
Avatar
Well I can see a serial number and an IMEI that doesn't match the handset
5:56 AM
The IMEI however does match a device that was backed up to a macbook
5:58 AM
To summarise, I have an iPhone 7 with iOS 13.3. On that handset within that particular plist was some foreign device info that doesn't match the handset I extracted. The IMEI matches against a device (another iPhone 7 with iOS 11.2.5) that was backed up to a MacBook we had seized. (edited)
Avatar
Avatar
Erumaro
@Artea I had a look and it seems that DCIM\100Apple only stores the original pictures and videos, while a thumbnail of the video is created and saved in the photodata\metadata folder, so I think it might simply be the thumbnail displayed in the Photos application. Out of all the files I had in private/var/mobile/Media/PhotoData/Metadata/DCIM/100APPLE/, all are from videos and I also had one .jpg and one .thmb. Not sure exactly what it means but I suspect it's simply the thumbnail. Let me know if you want me to look for anything specific.
Thank you for your time fella. This is brilliant. Enjoy the rest of your day 🙂
🙇‍♂️ 1
Avatar
Hello, I have a physical dump of a Samsung J610M. Any tool that can decode Discord app messages, or only manual capture? I could check manually on the phone and I see some messages that are important to the case.
Avatar
@rafael_cs I know Axiom can pull Discord for iOS; I believe it can for Android. Here is more information on how to manually find the artifacts for Discord on Android: https://abrignoni.blogspot.com/2017/07/discord-app-forensic-artifacts-in.html (edited)
👍 1
Avatar
Morning all. Is anyone able to shed some light on (or point me in the direction of information about) the "SetupLastExit" date/time within the purplebuddy.plist?
Avatar
Avatar
Artea
Morning all. Is anyone able to shed some light on (or point me in the direction of information about) the "SetupLastExit" date/time within the purplebuddy.plist?
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
Avatar
Has anyone been able to pull the Meet24 chat log from an iOS device? I can't seem to do anything with it beyond advanced logical and it's not there.
Avatar
Deleted User 1/14/2021 1:05 AM
@rafael_cs @Drew I confirm Axiom is okay for Discord on Android.
Avatar
@Dam thanks for this 🙂
Avatar
I will check it @Deleted User @Dam
👍 1
Avatar
I found residue from IMO messenger on an iPhone. The database IMODb2.sqlite contains the messages but I cannot find the timestamps. Any suggestions? 🙂
Avatar
Hello, I have a bunch of images within the following file path on an iOS device 'private\var\mobile\Containers\Data\Application#########-####-####-####-####-############\Library\Caches\com.facebook.Facebook.MosaicIGImageDiskCache', they're all named 'FBImageDownloader - #####'. Does anyone have any idea what this is referring to? Is it just simply cached files that have been viewed or are they relating to some other user interactions? Thanks
Avatar
Avatar
JDowson
Hello, I have a bunch of images within the following file path on an iOS device 'private\var\mobile\Containers\Data\Application#########-####-####-####-####-############\Library\Caches\com.facebook.Facebook.MosaicIGImageDiskCache', they're all named 'FBImageDownloader - #####'. Does anyone have any idea what this is referring to? Is it just simply cached files that have been viewed or are they relating to some other user interactions? Thanks
It sounds like cached images. Do the images in question only exist in one place in the filesystem?
Avatar
Help! Full file system image of an iPhone SE. I can see conversations in the arroyo.db but they are not decoded, and it looks like the messages column has complex plists inside. Hoping someone has tackled this before @Cellebrite @Magnet Forensics
Avatar
Yes only within the file path above
Avatar
Anyone have trouble with AXIOM hanging on "Full Text Search"? I'm trying to open a full file system iOS extraction. It opened with Cellebrite but didn't parse what I'm looking for. I updated to the latest version but had the same issue. I opened a support ticket but I'm in somewhat of a rush. @Magnet Forensics
Avatar
Avatar
Joe Schmoe
Anyone have trouble with AXIOM hanging on "Full Text Search"? I'm trying to open a full file system iOS extraction. It opened with Cellebrite but didn't parse what I'm looking for. I updated to the latest version but had the same issue. I opened a support ticket but I'm in somewhat of a rush. @Magnet Forensics
Sending a DM
Avatar
Avatar
Matt
Help! Full file system image of an iPhone SE. I can see conversations in the arroyo.db but they are not decoded, and it looks like the messages column has complex plists inside. Hoping someone has tackled this before @Cellebrite @Magnet Forensics
PA 7.42 will contain support for it (only partial, since there was another update to Snapchat after we worked on it, but there's more to come in the next versions 🙂 )
Avatar
Avatar
CLB-ChenK
PA 7.42 will contain support for it (only partial, since there was another update to Snapchat after we worked on it, but there's more to come in the next versions 🙂 )
Thanks. Does that mean this database is in the newest version of Snapchat? I didn’t look to see what the user has.
Avatar
Yes.
Avatar
Anyone have any resources to help with finding out if media in the Telegram for Android folder were sent or received? Edit:. Via looking at the database. (edited)
Avatar
Avatar
Majeeko
Anyone have any resources to help with finding out if media in the Telegram for Android folder were sent or received? Edit:. Via looking at the database. (edited)
In cache4.db look at the media_v2 table; the data column has some useful data relating to media sent. It's a BLOB so hex view is needed. Use the pickaxe tool to recover any deleted from WAL / free pages. I've got a similar instance myself re messages and media.
Avatar
@Dfdan thanks, not had too many Telegram jobs crop up; I guess it's going to increase with everyone leaving WhatsApp.
Avatar
Anyone from @Cellebrite available for a quick question?
Avatar
Avatar
CLB-ChenK
PA 7.42 will contain support for it (only partial, since there was another update to Snapchat after we worked on it, but there's more to come in the next versions 🙂 )
Any idea when 7.42 will be released? Have another phone in the same condition
Avatar
Hi anyone, I have two questions about iPhones connected to a car infotainment system. 1. Is there any way to tell if a WhatsApp voice note has been created using exclusively voice commands or by (initially) interacting with the phone screen? 2. Is there any way to tell if a WhatsApp text message was created by typing or by dictation? (edited)
Avatar
binarycanary 1/15/2021 11:23 AM
Hi all. Question regarding Cellebrite Physical Analyzer, Analyzed Data, category Social Media. Seeing items in this category that are Facebook posts (not by the user). Are these items indicative of the user viewing these posts? Or if, hypothetically, the phone is on and the Facebook app notifies of a post, would it create this item without any interaction by the user?
Avatar
Avatar
snoop168
Any idea when 7.42 will be released? Have another phone in the same condition
Should be during this week. The beta is already out, if you want to get the beta versions, feel free to send a request to Edi.Gamarnik@cellebrite.com 🙂
👍 2
cellebrite 3
Avatar
DeeFIR 🇦🇺 1/17/2021 12:45 PM
@CLB-ChenK can the release notes please be updated in relation to Snapchat My Eyes Only? Perhaps under which circumstances you may be able to access the data and whether there's a prompt in the workflow or when decoding with PA? Right now having it noted as 'supported' doesn't provide a great deal of insight.
Avatar
Hello, I'm using Cellebrite PA on an iPhone, and have a question regarding location data. If the location data identifies as a cell tower, the source file for the data is /private/var/root/Library/Caches/locationd/cache_encryptedB.db-wal, table: LteCellLocation. Does the position data correspond to the cell tower itself, or the position of the handset?
Avatar
florus 01/15/2021
Good morning! Is there any way to see when a FaceID has been created from a full file system extraction?
Avatar
@Cellebrite Hi,
11:40 PM
Why I have the word scrambled in chat message? (edited)
Avatar
Avatar
Dam
@Cellebrite Hi,
CLB-drorimon 1/18/2021 1:00 AM
Hey, you're probably referring to WhatsApp messages decoded from ChatSearchV5f.sqlite. This DB is a search index DB, and it preserves all words of the message, but doesn't preserve their order.
👍 1
Avatar
Avatar
CLB-drorimon
Hey, you're probably referring to WhatsApp messages decoded from ChatSearchV5f.sqlite. This DB is a search index DB, and preserves all words of the message, but doesn't preserve their order.
Ok thanks, that makes sense.
Avatar
chrisforensic 1/18/2021 1:07 AM
another mobile phone with alternative WhatsApp versions 🤨 unsupported (PA)... so I have to do it manually 😩 (edited)
Avatar
hello, is there a way to run only the Wickr parser without running the whole parser chain in PA @Cellebrite?
Avatar
Avatar
Artea
Morning all. Is anyone able to shed some light on (or point me in the direction of information about) the "SetupLastExit" date/time within the purplebuddy.plist?
CLB_iwhiffin 1/18/2021 6:03 AM
Hi Artea, this is the last time the setup screen was exited. It's important to realise that this could refer to setting up Fingerprint ID, Passcode, Wallet etc. and not necessarily when the device was set up as a new device. Whenever any of the setup screens are accessed this value is updated, so it could be months or even years after the device was originally set up. https://www.cellebrite.com/en/blog/upgrade-from-null-detecting-ios-wipe-artifacts/
👍 1
Avatar
@Cellebrite @Magnet Forensics does Axiom or UFED support exporting pictures and files in the original folder structure?
Avatar
Morning all, I have a BFU acquisition of an iPhone 12. In PA it displays 3 IMEIs (IMEI, IMEI and IMEI2). I have used IMEI.info and found 2 are iPhone 12 related and one is iPhone XS related. The XS IMEI is being pulled from com.apple.commcenter.plist (EntitlementsSelfRegistrationUpdateImei) and is listed under another ICCID. Could someone let me know where this has come from? My thought is it's something to do with the backup used to set the phone up, as I can see the handset was set up from another device?
Avatar
Avatar
denyzkoo
@Cellebrite @Magnet Forensics does Axiom or UFED support exporting pictures and files in the original folder structure?
CLB_iwhiffin 1/19/2021 5:28 AM
With PA, you can use the file system view to navigate to the top level of the picture folder (for example the DCIM folder), right click it and select Dump Folder. Is that what you want?
Avatar
Avatar
CLB_iwhiffin
With PA, you can use the file system view to navigate to the top level of the picture folder (for example the DCIM folder), right click it and select Dump Folder. Is that what you want?
yes, I can do it this way. What about photos from WhatsApp, Viber, Dropbox, and other services? I would like to copy all photos from the mobile in the original path.
Avatar
DT Emile Groleau 1/19/2021 7:58 AM
iPhone XR iOS 13.3.1, 64 GB storage capacity... How is it possible that the extraction size is 105 GB? Manual verification shows that this is the right extraction for this device.
Avatar
@Magnet Forensics can Axiom parse an Android Emulator VMDK? What's the correct way to load it in?
Avatar
MSAB_Duncan 1/20/2021 1:14 AM
@DT Emile Groleau Not necessarily unexpected, particularly if the initial backup file is retained. On top of this, unpacking zipped and compressed files, creating linked artifacts from databases etc. etc., the work of decoding an extraction and presenting it in a searchable way will generate more data
Avatar
Hello, I'm on an iOS FFS, I've some interesting files located in DarArchive/root/private/var/mobile/Containers/Data/Application/$ID/Caches/com.facebook.Facebook.MosaicIGImageDiskCache/ ($ID = 90CE98E51-CC04-etc). Filenames in this dir are FBImageDownloader-$id. Does anyone know its meaning? (Other than Facebook app cache). Thanks 👍 😉 (edited)
Avatar
@Cellebrite does anyone have a link for UFED beta 7.42?
Avatar
@denyzkoo check #mobile-forensic-extractions 🙂
Avatar
Long shot, do we know what the datacount refers to in the database "ZRTLEARNEDLOCATIONSOFINTERESTVISITMO" in an iPhone? I suspect it is how many times in a given time interval the phone has been pinged by the GPS
Avatar
Avatar
TwiZtah
Long shot, do we know what the datacount refers to in the database "ZRTLEARNEDLOCATIONSOFINTERESTVISITMO" in an iPhone? I suspect it is how many times in a given time interval the phone has been pinged by the GPS
From my labs it seems to be the number of GPS points from the cache.sqlite database that were used to create the "visit" in local.sqlite. However, this is not something I am completely sure of, just an observation 😀
Avatar
torskepostei 1/20/2021 5:34 AM
I have been looking into iOS powerlogs from an iPhone 11 Pro running iOS 13.3.1 The goal is to find hints about how the screen was unlocked (faceid or pin), and I have been looking at the screen codes in powerlogs to check if they reveal any information. Sarah Edwards has done some research on iOS 11 and found some of the codes:
  • Homescreen(s) = 2
  • Widgets = 19
  • Control Center = 5
  • Lock Screen = 9
  • Pin Unlock Screen = 15
  • Blank Screen = 0
  • App Switcher = 4
  • Spotlight Search = 18
  • Lock Screen Camera = 11
  • Lock Screen Widgets = 17
(See this blogpost: https://www.mac4n6.com/blog/2018/12/22/on-the-ninth-day-of-apollo-my-true-love-gave-to-me-a-beautiful-portrait-analysis-of-the-ios-interface) I can't find any other sources that document other codes, or if these codes are still the same. Does anyone know of any other documentation/research of these codes?
(edited)
5:40 AM
Findings so far indicate that screen code 9 (Lock screen) is often followed by 2 (Home screen), and the timing for these overlap with screen unlock time from knowledgeC. Sometimes there is a 15 (Pin unlock screen) thrown into the mix as well, perhaps indicating the phone was unlocked using pin instead of face unlock, a bit early to conclude anything. Then there are other codes that I have not found any documentation for (esp. 3 and 14) that seem to appear a lot together with 9 and 2.
Avatar
@Cellebrite Hi, what does the small logo in the conversation view mean? Sometimes I have mobile or participants and sometimes not.
Avatar
Avatar
Dam
@Cellebrite Hi, what does the small logo in the conversation view mean? Sometimes I have mobile or participants and sometimes not.
Not sure if we're talking about the same logo, but when we are able to parse the time that a certain recipient of a message has received or read it, there should be a small icon with that information (delivered and read times per recipient)
8:23 AM
I mean these logos
8:24 AM
I have a blank message but with geolocation, participants and mobile logos
8:26 AM
@CLB-ChenK I thought that mobile is when it's WhatsApp on the mobile, but I have some messages without this logo and I'm pretty sure they were made on the mobile
Avatar
Google Photos XXXXXXXX@hotmail.com/local media/VID_20191208_230129355.mp4.mp4 Anyone know what 230129355 in this scheme is? I was hoping it was a time but can't get it decoded.
Avatar
Avatar
Ghosted
Google Photos XXXXXXXX@hotmail.com/local media/VID_20191208_230129355.mp4.mp4 Anyone know what 230129355 in this scheme is? I was hoping it was a time but can't get it decoded.
23:01:29.355 ? (One minute, 29 seconds and 355 msec past 11 pm)?
Avatar
@busted4n6 That is a possibility.
9:36 AM
but 355 msec?
Avatar
Avatar
Ghosted
but 355 msec?
Ext4 (perhaps, if the video originated on an Android device) supports timestamps down to the nanosecond. So 355 msec could mean 355 milliseconds.
Avatar
@busted4n6 this is a Motorola. I will reach out to the investigator and see when the incident supposedly took place.
9:39 AM
The date is right on
Avatar
Can you see if the file has a timestamp? Does it marcgx?
9:40 AM
Time could be in UTC
Avatar
The file was deleted and has zero bytes
Avatar
Ah so it could be some kind of placeholder for cloud data?
9:41 AM
Depending on your read you should still be able to see time stamp data for your 0b file
Avatar
I was able to locate the videos under data/com.google.android.apps.photos/files/trash_files
9:41 AM
and match the trashed names to the original date and time
9:41 AM
name
Avatar
So it might have a created time - if you’re using ufed I think you can switch extra timestamp fields on in the options
Avatar
So doing that it shows 11:01:33 AM
9:42 AM
which makes great sense
Avatar
I’ve had a child abuse case with similarly named videos. Filmed on a Samsung
Avatar
I mean PM
9:43 AM
sorry
Avatar
Yes it will be that. I’d go with ‘the file name of this file suggests it was created around 11:01 PM’ 🙂
Avatar
Thanks I think it is correct but will double check with examiner.
9:44 AM
investigator
9:44 AM
@busted4n6 thanks
Avatar
Hopefully it makes sense!
Avatar
Drove me crazy not finding the files.
9:45 AM
Avatar
Yeah. Sometimes if I have gotten a physical read I use other tools like EnCase to look at stuff like that in some more detail. Obviously no good if you file system
Avatar
This db helped me match up the trash_file_name which had data and the local path with the correct file name.
Avatar
:). Nice
Avatar
Avatar
Ghosted
This db helped me match up the trash_file_name which had data and the local path with the correct file name.
What's the db name?
Avatar
@Rob local_trash.db
10:42 AM
It got me the video file, the ability to match the file name (trash_file_name) to the name of the file I found with zero bytes, and the deleted date and time.
Avatar
Not too bad then
Avatar
better than I thought
Avatar
Will pass that on to colleagues
Avatar
If you need me to send you any of the paths or my report when done, just let me know. As long as you're LEO I can.
Avatar
Sure thing, I'll pm
Avatar
Does anyone else have issues generating a report in Physical Analyzer after using AppGenie? I have had several phones over the last few days that throw an error when I try to make a UFED Reader report after using AppGenie, so I have been doing my reports without using AppGenie. @Cellebrite
Avatar
Avatar
FullTang
Does anyone else have issues generating a report in Physical Analyzer after using AppGenie? I have had several phones over the last few days that throw an error when I try to make a UFED Reader report after using AppGenie, so I have been doing my reports without using AppGenie. @Cellebrite
That was an issue a while back. Are you using the most recent version?
Avatar
Avatar
Neon
That was an issue a while back. Are you using the most recent version?
As far as I know. I am using PA version 7.41.0.8
Avatar
Avatar
FullTang
As far as I know. I am using PA version 7.41.0.8
Cellebrite PA v7.42 Beta is available and the release notes advise fixes in regard to AppGenie. If it's urgent I suggest you reach out to @Cellebrite to get a copy of the Beta to see if that helps. If not so urgent, I don't think it will be long until the official PA v7.42 is released
👍 1
Avatar
Still having issues using the GPU classification. Support gave me the Beta, but this changes nothing. Iman.log throws errors about missing DLLs; installed the GPU package and PA multiple times in various orders. The CPU only setting is always default true. Nothing changes when editing this. This is highly annoying.
Avatar
Avatar
Ghosted
@Rob local_trash.db
CLB-drorimon 1/21/2021 12:02 PM
Decoding of this Google Photos DB is supported in PA. Did you find the support not sufficient in some way?
Avatar
Avatar
Solec
@Cellebrite in reference to "scrambled" WhatsApp messages from iOS full FS extractions in Physical Analyzer, is there a way to unscramble the messages in PA, or would the best avenue be to take a picture of the conversation on the source device for reference?
dabeersboys 1/21/2021 1:29 PM
Did you get an answer to this? We have just found this ourselves and the message itself is in another language. We no longer have access to the physical device.
Avatar
@dabeersboys I didn't get a direct response, but after reading some other messages on here and looking through the extraction, the scrambled messages are from a separate database which, from what I understand, WhatsApp uses to track words for lookup services instead of the message content itself. There wouldn't be a way to unscramble it other than seeing if the original entry in the messages table was still present. In my instance the original messages were all deleted. The scrambled messages may or may not remove duplicate words as well.
Avatar
Avatar
Solec
@dabeersboys I didn't get a direct response, but after reading some other messages on here and looking through the extraction, the scrambled messages are from a separate database which, from what I understand, WhatsApp uses to track words for lookup services instead of the message content itself. There wouldn't be a way to unscramble it other than seeing if the original entry in the messages table was still present. In my instance the original messages were all deleted. The scrambled messages may or may not remove duplicate words as well.
dabeersboys 1/21/2021 1:45 PM
Thanks for this!!!
Avatar
dabeersboys 1/21/2021 1:51 PM
@Solec so were the words in this scrambled text actually all contained in an unscrambled text?
Avatar
from what I understood every word in the scrambled bubble would correlate with a word in the actual chat message, however I read that duplicate words may be omitted from the scrambled message.
1:56 PM
I didn't really end up doing further digging or testing because the content of the scrambled messages didn't really appear to matter to the case, I just got hit with a question from a case officer I had no idea about when he asked me at like 9pm at night
Avatar
@Cellebrite Is there a way to import XRY files into PA?
Avatar
Avatar
Tyler_Leno
@Cellebrite Is there a way to import XRY files into PA?
Yes - here are the steps:
6:28 PM
1. Go to 'File'
2. Choose 'Open Case'
3. Select '+Add'
4. Then 'Open (Advanced)'
5. Select 'Blank Project'
6. Change the Chain by clicking 'Switch chain (arrows right and left)'
7. Select All chains
8. Choose 'Android Generic'
9. Under 'Binary extraction', press the 'Image'
10. Navigate to the folder and choose the .xry file
11. Press 'Next'
12. To start decoding press 'Examine data'
6:28 PM
As long as the XRY file is binary format, this should work
Avatar
I'm assuming this will work even if the source device is an iPhone?
Avatar
Is it a physical or file system extraction? It only works with the former (and I believe you'd have to set it to 'iPhonePhysical' instead of 'Android Generic')
Avatar
It's a client provided extraction - my guess is that it's filesystem/iTunes backup style acquisition.
Avatar
I don't think that will go through - there is an iphoneBackup chain available, but I'm not sure how up to date it is
Avatar
Avatar
Tyler_Leno
@Cellebrite Is there a way to import XRY files into PA?
Have a look here. A similar question was posed regarding importing from XRY to PA. https://discord.com/channels/427876741990711298/427877097768222740/746313149854253187. A read through the posts and following the links should help you out
Avatar
Avatar
sunile
From my labs it seems to be the number of GPS points from the cache.sqlite database that were used to create the "visit" in local.sqlite. However, this is not something I am completely sure of, just an observation 😀
👍 1
Avatar
Deleted User 1/22/2021 3:36 AM
Anyone else having a problem with Media Classifications being "Grayed out" when starting an examination? As far as I know it is a part of PA by default and not something I have to install like offline maps.
Avatar
I know a lot of people have been asking about the WhatsApp scrambled messages, but would someone from @Cellebrite be able to DM me in regards to them? I have a couple of questions. Thanks! 😁 (edited)
Avatar
Is there a way to extract app data from secret folders (Knox)? I have the password and tried using Cellebrite but nothing from these folders was extracted
Avatar
@jaikl try to open (unlock) those folders first, then do advanced logical dump. https://discord.com/channels/427876741990711298/427877097768222740/781206145372913674
Avatar
Avatar
Arcain
@jaikl try to open (unlock) those folders first, then do advanced logical dump. https://discord.com/channels/427876741990711298/427877097768222740/781206145372913674
I've tried but nothing was extracted
Avatar
Could be that they weren't set up as available over USB then, or patched.
Avatar
Hmm, is that possible to see in some way?
Avatar
@jaikl i'm not sure, try asking @CloudCuckooLand
Avatar
Avatar
Deleted User
Anyone else having a problem with Media Classifications being "Grayed out" when starting an examination? As far as I know it is a part of PA by default and not something I have to install like offline maps.
Deleted User 1/22/2021 5:46 AM
I've got the problem on one computer, not all. It's a 2nd generation Intel i7. Probably the cause but I'm not sure.
Avatar
Avatar
Deleted User
Anyone else having a problem with Media Classifications being "Grayed out" when starting an examination? As far as I know it is a part of PA by default and not something I have to install like offline maps.
It happens on CPUs older than Gen 6. I have a PC with a fifth generation, older CPU which did it in v7.39. It was sorted in later versions but I’ve noticed it greying out intermittently in PA v7.42 Beta again
Avatar
Avatar
Stevie_C
It happens on CPUs older than Gen 6. I have a PC with a fifth generation, older CPU which did it in v7.39. It was sorted in later versions but I’ve noticed it greying out intermittently in PA v7.42 Beta again
Deleted User 1/22/2021 6:13 AM
Thanks for the answer. When reading about it on Cellebrite's homepage they just state that the process will be slower, not unavailable. Anyway, a new computer is on its way.
Avatar
Avatar
Deleted User
Thanks for the answer. When reading about it on Cellebrite's homepage they just state that the process will be slower, not unavailable. Anyway, a new computer is on its way.
I’ve already been in contact with @Cellebrite about it. With older Gen CPUs, yes, it will work but be slower. If yours is permanently greyed out then you can’t select options. In my case it’s fluctuating between white (active) and greyed out. I just have to wait for it to go white, select what I want and then run it. Alternatively you can load the case as normal and run Media Categorisation after the case has loaded from the Tools > Enrichment Engines menu
Avatar
I have 3 phones, Samsung A5, S8, S20. When extracted and loaded into PA they won't show the IMEI numbers. How could this be possible?
Avatar
Avatar
Deleted User
Thanks for the answer. When reading about it on Cellebrite's homepage they just state that the process will be slower, not unavailable. Anyway, a new computer is on its way.
Just done a bit more testing on PA v7.42 Beta. If you are at the Case Wizard > Examination Tools screen and the "Enrichment Engines > Media Classifications" box is greyed out, let it sit for a few seconds; it may go white. When it does, you can select your categories. Once you've selected your categories, don't hit "Examine Data" straight away. Wait for it to go grey and then, when it goes white again, select "Examine Data" and it will categorise no problem. If you select "Examine Data" while it's grey, it won't categorise the images / videos. Likewise, if you've already loaded the case and it hasn't categorised correctly and you go to "Tools > Enrichment Engines > Media Classification", depending on when you select that menu, you may find it unselectable / greyed out. Simply keep returning to that menu option and as soon as you catch it selectable, select it then and it will categorise fine. I just replicated that on my test machine. My newer machines with the newer CPUs have no issues whatsoever, it's just this older one I like to keep going and it's perfect for testing things like this !!
👍🏼 3
Avatar
chrisforensic 1/22/2021 8:32 AM
thanks @Stevie_C for your tests... will help some people here... I myself have no problem with the categorization 🙂
Avatar
Avatar
chrisforensic
thanks @Stevie_C for your tests... will help some people here... I myself have no problem with the categorization 🙂
Hey Chris !! Happy New Year !! Ha ha !! I'm on leave this week and was bored so I thought I'd do a bit of testing as I hit this issue when the feature was released in v7.39 !! @Cellebrite very quickly fixed it in later releases but I got my hands on PA v7.42 Beta and stumbled across this issue again. Didn't have it in PA v7.41. I'm writing up a quick document with my notes and logs and will get it to them this evening 😀
👍 1
8:37 AM
Annual Leave not much fun in lockdown !!
Avatar
Avatar
Stevie_C
Have a look here. A similar question was posed regarding importing from XRY to PA. https://discord.com/channels/427876741990711298/427877097768222740/746313149854253187. A read through the posts and following the links should help you out
Closing the loop on this - I was able to export out the files, recreating the original path, using XAMN and parse them using the iPhoneFS chain/plugin when pointing it at the exported folder.
👍 2
Avatar
Can someone explain how a .JPG image on an iOS device with a file path containing DCIM has appeared on the device without the camera capturing the image? Within the database there is mention of picaboo; could this be that the user has saved an image they received from Snapchat? Ta
Avatar
Avatar
jw
Can someone explain how a .JPG image on an iOS device with a file path containing DCIM has appeared on the device without the camera capturing the image? Within the database there is mention of picaboo; could this be that the user has saved an image they received from Snapchat? Ta
Joe 🍿🍺 1/24/2021 10:08 AM
WhatsApp images also appear in the DCIM path, and I think your idea about Snapchat is true.
Avatar
Given a logical UFED extraction of an iPhone 7, how would you determine when this device was first used? (Which data was part of a backup, and what is "new" data?) Will the creation date of sms.db give an indication?
Avatar
does someone know the database where Apple stores device MDM policy enforcement related stuff?
Avatar
Forensicator 1/25/2021 3:42 AM
Does anyone know if a Cellebrite XML Report contains details of which data types & preferences were selected by the user in the report creation GUI? <caseInformation> contains info such as the examiner name and there are further metadata sections "Additional Fields" (which includes device info creation time, UFED version), "Extraction Data" (selected manufacturer, device name) and "Device Info" (MACs, ICCID, MSISDN, IMSI etc.) but I haven't been able to find anything relating to the data types that were chosen for export. Grateful for any pointers!
Avatar
Does Android have a Purplebuddy.plist equivalent? Looking to see how and when a phone was set up
Avatar
Avatar
jallis
Given a logical UFED extraction of an iPhone 7, how would you determine when this device was first used? (Which data was part of a backup, and what is "new" data?) Will the creation date of sms.db give an indication?
CLB_iwhiffin 1/25/2021 4:44 AM
SMS.db is a good start. Can be verified with the other integral databases too such as CallHistory and AddressBook. You can also check the com.apple.purplebuddy.plist file for the "GuessedCountry" Key. https://www.cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/
Avatar
Avatar
jw
Can someone explain how a .JPG image on an iOS device with a file path containing DCIM has appeared on the device without the camera capturing the image? Within the database there is mention of picaboo; could this be that the user has saved an image they received from Snapchat? Ta
CLB_iwhiffin 1/25/2021 4:54 AM
You and Jeri are correct. The "CreatorBundleID" relates to the app that saved the image. Picaboo is SnapChat. So either this image was taken via SnapChat or was received by the device and saved via SnapChat.
👍 1
Avatar
Avatar
CLB_iwhiffin
SMS.db is a good start. Can be verified with the other integral databases too such as CallHistory and AddressBook. You can also check the com.apple.purplebuddy.plist file for the "GuessedCountry" Key. https://www.cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/
Thanks!
Avatar
com.google.android.apps.photos/files/shadowcopies and com.google.android.apps.photos/files/trash_files. Would these be classed as inaccessible (i.e. requiring a forensic tool or advanced knowledge to recover the files)?
6:03 AM
Or are both folders accessible via an app / easily navigable?
6:07 AM
The latter seems to be Google Photos Trash, which to me suggests it might be accessible (and possibly act in a similar way to the Recycle Bin on a PC?)
Avatar
Has anyone ever seen cloudmessagebuffertable.db? Found this DB in my case; Cellebrite and Axiom failed to parse the conversations I found in it, but it is stored in plain text so I found conversations. But I cannot figure out what application it is associated with. Samsung Galaxy S8 Active
Avatar
Mistercatapulte 1/25/2021 10:10 AM
new PA is out guys 🙂
cellebrite 5
✌️ 1
Avatar
theAtropos4n6 1/25/2021 10:14 AM
Hello everyone. I have an EXIF question. I have some videos of interest located in ...\DCIM\Camera. The phone is a HUAWEI CLT-L09. Exiftool and mediainfo returned me the Android version, screen resolution and some generic information, but apparently no camera make/model is stored in the EXIF data. As for timestamps, the creation date of the videos (derived from EXIF) matches the File System creation date and the filenames of the videos as well. In such cases, would it be safe enough to conclude that the videos were taken with the phone's camera? Or, if it is not the case, what other artifacts would you search for, if any, to support that? Also, I searched in external.db and found under the Files table that date added also matches the creation date of the videos. Thanks for your time
Avatar
sorry wrong chat
Avatar
Avatar
theAtropos4n6
Hello everyone. I have an EXIF question. I have some videos of interest located in ...\DCIM\Camera. The phone is a HUAWEI CLT-L09. Exiftool and mediainfo returned me the Android version, screen resolution and some generic information, but apparently no camera make/model is stored in the EXIF data. As for timestamps, the creation date of the videos (derived from EXIF) matches the File System creation date and the filenames of the videos as well. In such cases, would it be safe enough to conclude that the videos were taken with the phone's camera? Or, if it is not the case, what other artifacts would you search for, if any, to support that? Also, I searched in external.db and found under the Files table that date added also matches the creation date of the videos. Thanks for your time
I don't think you could say for certain it did, but it seems likely. In theory that folder could contain files downloaded or received etc.
👍 2
Avatar
Avatar
theAtropos4n6
Hello everyone. I have an EXIF question. I have some videos of interest located in ...\DCIM\Camera. The phone is a HUAWEI CLT-L09. Exiftool and mediainfo returned me the Android version, screen resolution and some generic information, but apparently no camera make/model is stored in the EXIF data. As for timestamps, the creation date of the videos (derived from EXIF) matches the File System creation date and the filenames of the videos as well. In such cases, would it be safe enough to conclude that the videos were taken with the phone's camera? Or, if it is not the case, what other artifacts would you search for, if any, to support that? Also, I searched in external.db and found under the Files table that date added also matches the creation date of the videos. Thanks for your time
torskepostei 1/26/2021 1:06 AM
If you still have access to the device you could try taking additional test photos and comparing EXIF after a new acquisition. The Software field in the EXIF data can also be interesting; on some phones it will contain the firmware version of the phone (at least on Samsungs). Edit: Looking at a P30 Lite extraction now, looks like the Software field is populated here as well. If the version info in that field is the same as on the other pictures, that would further indicate that the image originates from the phone camera. Just be aware that phone updates can alter the number, so if pictures are far apart in time they can have different software versions imprinted in the EXIF. (edited)
Avatar
Avatar
torskepostei
If you still have access to the device you could try taking additional test photos and comparing EXIF after a new acquisition. The Software field in the EXIF data can also be interesting; on some phones it will contain the firmware version of the phone (at least on Samsungs). Edit: Looking at a P30 Lite extraction now, looks like the Software field is populated here as well. If the version info in that field is the same as on the other pictures, that would further indicate that the image originates from the phone camera. Just be aware that phone updates can alter the number, so if pictures are far apart in time they can have different software versions imprinted in the EXIF. (edited)
theAtropos4n6 1/26/2021 1:40 AM
Thanks for your time. I would rather not alter the evidence by taking more videos or photos. Looking again at the EXIF data of the videos in question, it seems that the Software field is not populated. That would be extremely useful however in the case of photos. Will keep that in mind. Also, yesterday I came across this interesting article. https://www.forensicfocus.com/articles/how-to-investigate-the-source-camera-of-digital-videos/
👍 1
Avatar
Hi. Is it possible to decode the Knox folder password? I have a physical dump image. My phone is an SM-A530f.
Avatar
Avatar
skipper
Hi. Is it possible to decode the Knox folder password? I have a physical dump image. My phone is an SM-A530f.
Hi Skipper, what is the security patch version and Android version? Hancom MD-NEXT can extract the secure folder
Avatar
I have Hancom. Android 9, but I can't find the PIN to the secure folder. Hancom decoded the whole image but I wanted to check the content.
Avatar
Ah sorry, I misunderstood. Hancom got you all the data from the secure folder and you want to manually check the handset against the recovered data.
2:47 AM
I don't think Hancom recovers the PIN / password
Avatar
Avatar
Aero
I know a lot of people have been asking about the WhatsApp scrambled messages, but would someone from @Cellebrite be able to DM me in regards to them? I have a couple of questions. Thanks! 😁 (edited)
Morning, did you get any clarification regarding the scrambled messages? If so, could you pass it on to me?
Avatar
Avatar
8198-IZ54
Ah sorry, I misunderstood. Hancom got you all the data from the secure folder and you want to manually check the handset against the recovered data.
Thanks for your help
Avatar
No worries. I've been looking at two extractions, G935F and G965F, both with secure folder (test handsets). I'm sure it uses the gatekeeper style password protocol and it's very difficult / impossible to recover the password / PIN
Avatar
Avatar
Artea
Morning, did you get any clarification regarding the scrambled messages? If so, could you pass it on to me?
Morning @Artea, no reply as of yet but I've searched various other posts on here, shall DM you!
Avatar
Avatar
Aero
Morning @Artea, no reply as of yet but I've searched various other posts on here, shall DM you!
CLB_iwhiffin 1/26/2021 4:00 AM
The "scrambled" messages are from a WA DB called ChatSearchV5f. This DB holds message content for indexing, reducing the search time within the WA UI. We parse this DB as another source for potentially deleted messages (which are stored for the index while the original record was deleted). The DB is in fact scrambled and we didn't find any option to know the order of the words within the message (we have put our best WA researcher on it 😊). We do check if the message is available through another source (a non-scrambled one) and if so we do not parse it from the ChatSearch DB. In the end users get the scrambled message which they cannot get from any other source, so I guess it's more valuable than getting nothing; we added the "scrambled" indication so the user will know it's not necessarily the exact order of the words within the message and should understand the context. Hope it covers it.
👍 11
🍉 2
Salute 1
Avatar
Thanks for the clarification @CLB_iwhiffin 😁 is it true that it also possibly gets rid of duplicated words? for example if I said "I have this and that and those" only one instance of "and" would be displayed in the V5f DB? (for that particular message) (edited)
Avatar
Avatar
Aero
Thanks for the clarification @CLB_iwhiffin 😁 is it true that it also possibly gets rid of duplicated words? for example if I said "I have this and that and those" only one instance of "and" would be displayed in the V5f DB? (for that particular message) (edited)
CLB_iwhiffin 1/26/2021 6:18 AM
I believe so. I need to look into it more myself.
Avatar
Thanks @CLB_iwhiffin 😁 👍
Avatar
New to Python and trying to run APOLLO on an extracted database. I keep coming across a syntax error. Can anyone help me please? @ScottKjr3347
Avatar
Anyone from @Cellebrite about? Is it common atm for a PA 7.42 project to be at the zip report stage when trying to make a UFDR report after almost an hour?
7:33 AM
Only carved archive files and ran a watch list
7:34 AM
Image was from a .bin file if that makes any difference
Avatar
Avatar
Bowman4n6
New to Python and trying to run APOLLO on an extracted database. I keep coming across a syntax error. Can anyone help me please? @ScottKjr3347
ScottKjr3347 1/26/2021 9:18 AM
Haven't used #APOLLO recently. I would need to test and respond. Unfortunately I'll be out for 2 weeks. If I get some free time I'll take a look. Here are a few people smarter than I that might be able to help: @Brigs (he has a tool called iLEAPP that you might find useful; it has a GUI), @heatherDFIR, and Sarah Edwards of Mac4n6 (Twitter @iamevltwin) (edited)
Avatar
MyFingerHurts 1/26/2021 11:59 AM
PA keeps getting hung up on parsing Telegram (PA 7.40 and PA 7.42) anyone from @Cellebrite around for an assist?
Avatar
Avatar
MyFingerHurts
PA keeps getting hung up on parsing Telegram (PA 7.40 and PA 7.42) anyone from @Cellebrite around for an assist?
Have you tried the latest version? You can also export the Telegram directory, then import the Telegram folder and parse it as a blank project in PA.
Avatar
Avatar
Bowman4n6
New to Python and trying to run APOLLO on an extracted database. I keep coming across a syntax error. Can anyone help me please? @ScottKjr3347
Deleted User 1/27/2021 12:55 AM
Looks like your apollo.py is corrupted somehow. I just downloaded it and there's no problem at line 339. Try downloading it again
Avatar
Nullable Truth 1/27/2021 1:11 AM
@Bowman4n6, looking at the source code there aren't any syntax errors on or around line 339 which your screenshot points out. Are you sure you're running it with Python3? And as @Deleted User suggested, your copy may be corrupted.
Avatar
Can someone confirm that I should be able to create a dump from an XRY logical to run through Axiom?
1:39 AM
Used to do it using XACT but it doesn't exist anymore
1:40 AM
Trying to do it through XAMN but can't find the option
Avatar
@Pseudonym Exporting a dump is only possible from a Physical extraction, from a Logical you would need to export the file system from it (depending on what device was extracted). Feel free to DM me if you have any further questions!
Avatar
@Cellebrite Is it possible within Reader to change the colour of the text / format for chat messages boxes?
2:52 AM
Atm it's a grey box with white text which isn't exactly easy on the eye
2:53 AM
It's between an "Unknown" person and a listed individual.
2:53 AM
Having a few officers state they can't read the reports we're creating
Avatar
@Cellebrite was there a change in the python “physical” libraries in update 7.42? A python script that worked in 7.41 stopped working when I updated to the new version. Not sure if this is the right channel or not.
Avatar
Avatar
Drew
@Cellebrite was there a change in the python “physical” libraries in update 7.42? A python script that worked in 7.41 stopped working when I updated to the new version. Not sure if this is the right channel or not.
CLB-drorimon 1/27/2021 7:58 AM
Not that I'm aware of. DM.
Avatar
Avatar
Drew
@Cellebrite was there a change in the python “physical” libraries in update 7.42? A python script that worked in 7.41 stopped working when I updated to the new version. Not sure if this is the right channel or not.
theAtropos4n6 1/27/2021 10:37 AM
This has happened to me as well as a number of colleagues every now and then. From personal experience, periodically during the updates of PA, Cellebrite keeps modifying the html tags in their reports. So I would suggest inspecting that first. The most probable cause would be that html tag names changed. Which brings me to something I would like to kindly ask from @Cellebrite. Could you please provide us with the capability to leave out of our reports the message body from the diversity of chats you parse? Due to privacy legislation, in some investigations we are not allowed to export messages' body, only messages' metadata. I believe this would be useful for a plethora of investigators. It is a request that has been made in the past several times.
Avatar
@Cellebrite is the chart on this page still accurate or are more devices/ios versions supported for checkm8 now? https://www.cellebrite.com/en/a-practical-guide-to-checkm8/
It’s been almost three and a half months since independent researcher axi0mX has made public the groundbreaking “checkm8” exploit. Our recent blog, “iOS Breakthrough Enables Lawful Access for Full File System Extraction”, provided an introduction to the basics. In this blog, we’ll focus on the digital forensic use of checkm8 and introduce the fi...
Avatar
@Sha1_4n6 no. This was initially released / published Jan 2020.
Avatar
@Magnet Forensics I’m processing a few iPhone reads (gk). I seem to be getting 2x messages; some are showing as ‘parsed’ others as ‘carved’
Avatar
cScottVance 1/28/2021 4:48 AM
@busted4n6 That’s common. DM incoming so I don’t spam the chat with a long explanation.
👍 1
Avatar
I've got a question that I'm not even sure how to search for. I have an evidence file in a phone that I found for a case. It's a picture, but the path does not indicate an obvious source, as in, what application did it originate or where it came from. The path is "private/var/mobile/Containers/Data/Application/704AB0D4-64C7-4814-B1CC-C18FE392DB05/Library/Caches/WebKit/NetworkCache/Version 16/Records/0926CDDE8A5F5E96749257AFAC1E9A33FD930E73/Resource/". My first thought is to search thru the specific application folder of "704AB0D4-64C7-4814-B1CC-C18FE392DB05" to see if that would give me any clues as to what application it is. It only has a few files, 17,110, to be exact. There is a "Documents" folder where I found a plist called "HomeAPI". It references Webtoons.com, which is not a site I would expect the picture of evidence to originate, as it is a clean website. But, maybe there's a messaging feature? I don't know. Any ideas?
Avatar
Avatar
Rob
Anyone from @Cellebrite about? Is it common atm for a PA 7.42 project to be at the zip report stage when trying to make a UFDR report after almost an hour?
@Cellebrite To give an update on this, downgraded to 7.41 and I can make a report.
Avatar
@Oxygen Forensics Hi! Is it possible to do a physical extraction on an Honor 8? It has a Kirin 950 chip
Avatar
@jaikl Android 9 or 10 is required, android 8 is the highest for that phone according to gsmarena
Avatar
Avatar
LawDawg
I've got a question that I'm not even sure how to search for. I have an evidence file in a phone that I found for a case. It's a picture, but the path does not indicate an obvious source, as in, what application did it originate or where it came from. The path is "private/var/mobile/Containers/Data/Application/704AB0D4-64C7-4814-B1CC-C18FE392DB05/Library/Caches/WebKit/NetworkCache/Version 16/Records/0926CDDE8A5F5E96749257AFAC1E9A33FD930E73/Resource/". My first thought is to search thru the specific application folder of "704AB0D4-64C7-4814-B1CC-C18FE392DB05" to see if that would give me any clues as to what application it is. It only has a few files, 17,110, to be exact. There is a "Documents" folder where I found a plist called "HomeAPI". It references Webtoons.com, which is not a site I would expect the picture of evidence to originate, as it is a clean website. But, maybe there's a messaging feature? I don't know. Any ideas?
Search that application folder name within PA if you have it. It'll return a result of an application. That'll be the origin application. Going to estimate Safari.
Avatar
@jaikl it should be supported by UFED technically. Shipped with Android 6 so it'll still be FDE, so no passcode is required and a physical dump actually makes sense. (edited)
Avatar
Hi there. I have a Samsung Galaxy S9+ running Android 10 that we were able to get a physical extraction for. The subject was using Signal to communicate with people and admitted to a 3rd party that they deleted the app. We are being asked if we can determine when the app was deleted off the phone. Is this information logged anywhere? If it is, I'm assuming somewhere in the Google Play database? Any assistance would be appreciated!
Avatar
Avatar
LawDawg
I've got a question that I'm not even sure how to search for. I have an evidence file in a phone that I found for a case. It's a picture, but the path does not indicate an obvious source, as in, what application did it originate or where it came from. The path is "private/var/mobile/Containers/Data/Application/704AB0D4-64C7-4814-B1CC-C18FE392DB05/Library/Caches/WebKit/NetworkCache/Version 16/Records/0926CDDE8A5F5E96749257AFAC1E9A33FD930E73/Resource/". My first thought is to search thru the specific application folder of "704AB0D4-64C7-4814-B1CC-C18FE392DB05" to see if that would give me any clues as to what application it is. It only has a few files, 17,110, to be exact. There is a "Documents" folder where I found a plist called "HomeAPI". It references Webtoons.com, which is not a site I would expect the picture of evidence to originate, as it is a clean website. But, maybe there's a messaging feature? I don't know. Any ideas?
ScottKjr3347 1/28/2021 3:37 PM
You are looking for ".com.apple.mobile_container_manager.metadata.plist" in the root folder. Here is a good blog that discusses it: @cScottVance D20 forensics https://blog.d204n6.com/2020/09/ios-tracking-bundle-ids-for-containers.html?m=1 (edited)
In iOS, one of the more vexing things I've found when working through data or helping a student with questions usually comes back to tracki...
Avatar
Andrew Rathbun 1/28/2021 4:06 PM
@cScottVance
👍 1
Avatar
Is someone able to help me with the encrypted notes on an iPhone? PA is asking for a dict file. I have the keychain... I lost my workaround notes (lol).
Avatar
Avatar
jaikl
@Oxygen Forensics Hi! Is it possible to do a physical extraction on an Honor 8? It has a Kirin 950 chip
Lordicode Oxygen Forensics 1/28/2021 10:53 PM
@Oscar is correct, additionally we do not yet support Kirin 950 chipset. @jaikl Huawei extraction method is work-in-progress though
Avatar
Avatar
Lordicode Oxygen Forensics
@Oscar is correct, additionally we do not yet support Kirin 950 chipset. @jaikl Huawei extraction method is work-in-progress though
Okay, thanks
Avatar
Erdogeholic 1/29/2021 2:10 AM
Hi there, I made a report with PA 7.41.0.8 (including Cellebrite Reader). When I start the reader, the analyzed content on the right side is empty. The text “No data” appears. But on the left side under “Analyzed data” all the data exists and can be opened. Is it a configuration issue? Thanks
Avatar
Avatar
Erdogeholic
Hi there, I made a report with PA 7.41.0.8 (including Cellebrite Reader). When I start the reader, the analyzed content on the right side is empty. The text “No data” appears. But on the left side under “Analyzed data” all the data exists and can be opened. Is it a configuration issue? Thanks
Erdogeholic 1/29/2021 3:32 AM
Mysterious: if I close the tab “extraction summary” in Cellebrite Reader and open it again (double-click on “Home”), the analyzed content appears on the right side.
Avatar
Hi, I am not able to save a custom chain since the update to PA 7.42.0.50. When clicking on "save as" the custom chain is saved. But next time PA is launched the custom chain is no longer there. Any suggestions?
Avatar
Looking for people where @Cellebrite image classification really works with CUDA calculations. CSAM class works well with CPU with me but the GPU is never touched. Have the newest version and GPU package installed. (edited)
3:51 AM
Mainly to tell me if you changed anything in any config files and/or show me your logs
3:51 AM
My ticket is already handled by CLB but nothing has helped so far
3:52 AM
Avatar
Avatar
LawDawg
I've got a question that I'm not even sure how to search for. I have an evidence file in a phone that I found for a case. It's a picture, but the path does not indicate an obvious source, as in, what application did it originate or where it came from. The path is "private/var/mobile/Containers/Data/Application/704AB0D4-64C7-4814-B1CC-C18FE392DB05/Library/Caches/WebKit/NetworkCache/Version 16/Records/0926CDDE8A5F5E96749257AFAC1E9A33FD930E73/Resource/". My first thought is to search thru the specific application folder of "704AB0D4-64C7-4814-B1CC-C18FE392DB05" to see if that would give me any clues as to what application it is. It only has a few files, 17,110, to be exact. There is a "Documents" folder where I found a plist called "HomeAPI". It references Webtoons.com, which is not a site I would expect the picture of evidence to originate, as it is a clean website. But, maybe there's a messaging feature? I don't know. Any ideas?
CLB_iwhiffin 1/29/2021 5:16 AM
There should be a file called “.com.apple.mobile_container_manager.metadata.plist” in the root of your “704AB... etc” folder. Open the plist and there should be some indications in there what the app is.
Avatar
Hi, in Snapchat, do you know if the database memories.db contains the saved pictures and videos of both sent and received?
Avatar
Avatar
Dam
Hi, in Snapchat, do you know if the database memories.db contains the saved pictures and videos of both sent and received?
Andrew Rathbun 1/29/2021 5:18 AM
Avatar
Thanks, I already read that one but cannot figure out if we can tell the difference between received and sent.
Avatar
Andrew Rathbun 1/29/2021 5:19 AM
cc: @CLB_joshhickman1
Avatar
Avatar
Dam
Thanks, I already read that one but cannot figure out if we can tell the difference between received and sent.
CLB_joshhickman1 1/29/2021 5:51 AM
Assuming we're talking about Android, check out the database main.db. Look in the table Message and find the column senderID. Then you can make a determination about the sender of the comms (snap, media, text) by looking at senderID. If the ID equals the _id number of your account owner from the Friend table then that indicates the account owner sent the comm. (edited)
Avatar
Avatar
CLB_joshhickman1
Assuming we're talking about Android, check out the database main.db. Look in the table Message and find the column senderID. Then you can make a determination about the sender of the comms (snap, media, text) by looking at senderID. If the ID equals the _id number of your account owner from the Friend table then that indicates the account owner sent the comm. (edited)
Thank you for your message. From the memories.db, is it possible to know if it’s sent or received? From my test it’s not possible to save a received snap in memories
5:58 AM
So memories contain only personal data
Avatar
CLB_joshhickman1 1/29/2021 6:13 AM
I just tried myself and couldn't save a received snap in that fashion. The only option I could find to "save" was to screenshot the snap, which leaves other residue in the database.
Avatar
Same for me. So I assume that pictures and videos in memories.db are not received files
Avatar
@Dam @CLB_joshhickman1 It's possible to save a received file in Snapchat. I'm currently working on a Snapchat case. I'll DM you Dam. [edit] I'll post the outcome of my testing this weekend, if a received snap can enter the mymemories after saving [edit] (edited)
Avatar
Hello! With UFED 7.42, is there any way to change the Snapchat participants' GUIDs to their related usernames?
Avatar
Avatar
SPVQct3207
Hello! With UFED 7.42, is there any way to change the Snapchat participants' GUIDs to their related usernames?
CLB-drorimon 1/29/2021 10:17 AM
Snapchat introduced a new DB just a short time before we sent 7.42 into the oven, so we added only a basic support of that DB, which we will improve in the upcoming versions.
👍 1
Avatar
@Cellebrite I may be having a brain fart, but when I create a UFED report, I can't get the device info included in the report. Am I doing something wrong?
11:03 AM
I've just downloaded the newest update.
Avatar
Avatar
LawDawg
@Cellebrite I may be having a brain fart, but when I create a UFED report, I can't get the device info included in the report. Am I doing something wrong?
Have you deselected everything then ticked what you want? If so, all device info will also be unchecked. Go back to summary page and tick all the device info boxes you want to include. I’ve seen people do that before (edited)
Avatar
Avatar
Stevie_C
Have you deselected everything then ticked what you want? If so, all device info will also be unchecked. Go back to summary page and tick all the device info boxes you want to include. I’ve seen people do that before (edited)
I did that. But, I'll change the settings back to everything checked by default and see if that makes a difference.
Avatar
Avatar
LawDawg
I did that. But, I'll change the settings back to everything checked by default and see if that makes a difference.
What tool did you use to extract the data?
Avatar
uuuhhhh, a small little box
Avatar
Avatar
LawDawg
uuuhhhh, a small little box
GK? Or UFED touch 2 or something else?
Avatar
I believe that the level of info displayed in the report may vary depending on whether it was a UFED extraction or not.
11:25 AM
Should at least show the model either way by default
11:26 AM
If it's captured during the extraction, the ability to include it in the report should be there..
Avatar
@LawDawg Wait one. In the middle of washing up after dinner. Will nip upstairs and try mine. You using the latest v7.42?
11:27 AM
you don't have to go that far
Avatar
Cracking. I'll test it on mine and see if I have trouble too
Avatar
it's friday, it can wait
Avatar
Already upstairs. Wife wondered where the hell I was going as half the dishes are still in the sink 🤣
Avatar
Don't let me get you in trouble
Avatar
Rather help you than do dishes
💯 3
Avatar
lol, ok
11:32 AM
So, first, after the update, I went into the settings and made my changes, including deselecting the "everything checked". Then, I ran the report with just the tags. No device info displayed. Happened before, no big deal, I'll do another one with the device info, and merge them. Go to make the second report and notice there is no "Device Info" to select. So, I then went back and checked every single artifact in the project, thinking that may bring "Device Info" back. Go to make report and it still wasn't there.
11:33 AM
Now, I have changed the settings to have everything checked and am restarting PA as we speak.
Avatar
That sounds odd. My test extraction is still loading. Should have a result shortly (edited)
Avatar
Ok, now I am showing "Device Info" in the data types.
11:36 AM
With the option set to have everything unchecked by default, "Device Info" didn't show.
11:37 AM
@Stevie_C Do you work for Cellebrite, I can't remember.
🤣 1
Avatar
Avatar
LawDawg
@Stevie_C Do you work for Cellebrite, I can't remember.
No, UK LE. Just been using CB since 2007 !!!
Avatar
Ah. The problem with having everything unchecked by default, is that you can't necessarily check a box for "device info" as it's aggregated from different sources and displayed in the summary screen. So, with everything unchecked, you would have to go to all the different sources to accomplish the same thing that the summary screen does.
11:40 AM
I think I just answered my own question
Avatar
OK. Project loaded. Everything unchecked. Plenty in Device Info. Will tick IMEI, ICCID, IMSI and a few other bits & pieces
11:41 AM
Avatar
Avatar
Stevie_C
OK. Project loaded. Everything unchecked. Plenty in Device Info. Will tick IMEI, ICCID, IMSI and a few other bits & pieces
You get what I'm saying?
Avatar
Yeah, like that. When you select uncheck all at start, it really does uncheck ALL !!!
11:41 AM
I didn't think to look at the other tab!
11:42 AM
I was stuck in "All Content".
11:42 AM
Better to be thought a fool than to open my mouth and remove all doubt.
🤣 1
11:43 AM
@LawDawg Do not worry. I had an examiner on to me one day years ago saying they couldn't get it to work for 2 days !!! Exactly the same issue !!
Avatar
In case there are any hiring managers on here, let's just keep this to ourselves.
🤣 1
Avatar
That you up and running now? Working?
Avatar
Yes. Thank you!
11:45 AM
I can make up some questions to keep you off dish duty if you want.
Avatar
Are you really sure you don't need any more help? Otherwise, it's back to the dishes for me !!
🤣 2
11:45 AM
Ha !! Right, catch you later and have a good weekend 👍 I'm back off to the dishes
Avatar
have fun
Avatar
Mistercatapulte 1/30/2021 1:38 AM
Does anyone have a problem like me with PA?
1:38 AM
1:39 AM
Ryzen 9 3950x, 64gb RAM and 2080RTX (edited)
1:39 AM
and the software stops on parsing keychains (iPhone 11 Pro Max, iOS 14.0.1) (edited)
Avatar
Has someone done some Telegram research lately on iOS? Can I determine what Telegram ID is linked to the account using the Telegram databases? (edited)
Avatar
skiddyfruit 1/30/2021 5:25 AM
Hello everyone, I am new here and I hope all is well. I am a student studying DFIR and doing a thesis for the Swedish police authority on analyzing mobile application databases. The problem statement is that sometimes forensic tools can automatically extract tables and records from an SQLite database and present them in a very organized way for the forensic examiner. However, sometimes they can encounter an app whose database the forensic tool cannot parse, and it requires manual examination. However, upon examination, the forensic examiner can't know, let's say, if a phone number is the suspect's or not. So my aim is to find and implement a methodology that presents how to analyze unknown databases. I would like to know if any of you has experience analyzing unknown databases and, when encountering "possible evidence" such as a record that has digits that look like a number, what your approach is to analyze the unknown database and map evidence?
5:26 AM
I am very thankful for everyone's time and would highly appreciate it if anyone could help out a learning DFIR student with this question
5:27 AM
Oh, I noticed now that I may have asked this question in the wrong channel, or have I?
Avatar
Avatar
skiddyfruit
I am very thankful for everyone's time and would highly appreciate it if anyone could help out a learning DFIR student with this question
Andrew Rathbun 1/30/2021 5:27 AM
The best approach is to try to recreate the scenario you're facing on an evidence device on your own device so you can link up your own data with the data on the evidence, so you know which number is the sender's vs the recipient's, etc.
Avatar
skiddyfruit 1/30/2021 5:29 AM
@Andrew Rathbun So if I understood correctly, I shall experiment with doing each step, so for example: Launching the application --> Application asking for email --> Input email --> stop the application --> Review the unknown database --> see where it exists --> Map the evidence --> Continue from step 1
5:29 AM
Is that correct Andrew?
Avatar
Andrew Rathbun 1/30/2021 5:31 AM
That is pretty much how everyone maps out new artifacts. Recreate what you're seeing on your own devices, dump the data, analyze it and map it out to the best of your ability and preferably blog about it so @randomaccess can add it to This Week in 4n6 for industry-wide visibility
👍 1
Avatar
skiddyfruit 1/30/2021 5:32 AM
Oh okay, this has helped me a lot and I will do that. Is it okay if during my work on my thesis I can ask further questions? Thank you for your time and I value your time as well.
Avatar
Avatar
skiddyfruit
Oh okay, this has helped me a lot and I will do that. Is it okay if during my work on my thesis I can ask further questions? Thank you for your time and I value your time as well.
Andrew Rathbun 1/30/2021 5:35 AM
dude that is the entire point of this server. Ask every question! Just make sure you find the right channel to do it in 😛
5:35 AM
so if it's a computer forensics related question, #computer-forensics, etc
Avatar
skiddyfruit 1/30/2021 5:36 AM
Thank you, then I will do that. I finally found a great resource!! Felt so lost when I started out with my thesis! This is going to be great 🙂
Avatar
Avatar
skiddyfruit
Thank you, then I will do that. I finally found a great resource!! Felt so lost when I started out with my thesis! This is going to be great 🙂
Andrew Rathbun 1/30/2021 6:32 AM
Best of luck to you
Avatar
What tooling and or methods can all of you recommend regarding bplists, blobs etc.?
Avatar
Avatar
florus
What tooling and or methods can all of you recommend regarding bplists, blobs etc.?
bplist = plistutil, plutil. Protobufs = protoc, https://github.com/nccgroup/blackboxprotobuf when using python. Unknown blobs = binwalk, hexdump etc. #all depends on what you are aiming for. What are you aiming for? 🙂
Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition. - nccgroup/blackboxprotobuf
Avatar
@skiddyfruit just remember to always add "@" and then "rathbuna#0679" to your question and you will be fine. 😉
Avatar
@florus check out Yogesh's version of blackboxprotobuf https://www.swiftforensics.com/2020/03/parsing-unknown-protobufs-with-python.html
Protocol Buffers are quite popular, more and more apps and system files are storing data in this format in both iOS and Android operating s...
Avatar
Avatar
skiddyfruit
@Andrew Rathbun So if I understood correctly, I shall experiment with doing each step, so for example: Launching the application --> Application asking for email --> Input email --> stop the application --> Review the unknown database --> see where it exists --> Map the evidence --> Continue from step 1
DeeFIR 🇦🇺 1/31/2021 11:57 PM
This is what most of us do regularly. Sometimes it’s just strange files, other times it’s full analysis of the inner workings of the app itself. I’m also happy to answer any questions if you need a hand. Everyone here seems to be fairly friendly and helpful.
Avatar
Avatar
FabianoQ
Searching Google for "/Data/log/dubai/dubai.db" I get 1 result coming from this site that seems quite interesting ... http://newandroidbook.com/ddb/
theAtropos4n6 2/1/2021 2:04 AM
@FabianoQ I brought this up as it came up in a recent investigation where I am trying to determine what the user interaction with his Huawei P20 Pro was on a particular date. You were the only relevant hit. Apparently, I found 6 zip archives which seem to be backups of this dubai.db and are all located under /Data/log/dubai/backup/. I would like to ask if you found (and are willing to share, of course) any other useful resources such as scripts or queries that could help me investigate this database efficiently. Would love to avoid re-inventing the wheel here. Thank you.
Avatar
@theAtropos4n6 I'm sorry but I could not find any documentation about this log and unfortunately I had no time to conduct tests myself. It still looks like a promising source of information but needs to be studied
Avatar
Avatar
FabianoQ
@theAtropos4n6 I'm sorry but I could not find any documentation about this log and unfortunately I had no time to conduct tests myself. It still looks like a promising source of information but needs to be studied
theAtropos4n6 2/1/2021 2:12 AM
Thank you for the prompt reply. Indeed, it seems this db might be useful for a diversity of investigations. However, I am lacking the time too. Maybe will do some research when I get the time. (edited)
Avatar
Avatar
theAtropos4n6
Thank you for the prompt reply. Indeed, it seems this db might be useful for a diversity of investigations. However, I am lacking the time too. Maybe will do some research when I get the time. (edited)
Totally agree.
👍 1
Avatar
Does anyone know what are the images stored in /private/var/mobile/Library/Caches/Snapshots/com.apple.mobileslideshow/com.apple.mobileslideshow/XXXXXXXXXXXXXXXXXXX@2x.png ?
2:20 AM
Are they thumbnails stored within the app 'Photos', and the original image is (or was at one point) stored within the device's stock gallery app? (edited)
Avatar
I've just got it - images stored within /private/var/mobile/Library/Caches/Snapshots/ are screenshot images of the app's current screen when switching between two apps/screens.
2:55 AM
Avatar
Avatar
FabianoQ
Totally agree.
theAtropos4n6 2/1/2021 2:56 AM
@FabianoQ just found another db which is stuffed with event logs of a Huawei device, e.g. I found when the camera was launched, or "strop recording costs 1550ms". With a quick Google search, I did not find a lot. The database is called log.db and was found under /Data/log/log.db.
Avatar
Avatar
theAtropos4n6
@FabianoQ just found another db which is stuffed with event logs of a Huawei device, e.g. I found when the camera was launched, or "strop recording costs 1550ms". With a quick Google search, I did not find a lot. The database is called log.db and was found under /Data/log/log.db.
I'm more and more sure that we are currently missing a lot of potentially useful information that could be fundamental, for example, when you need to check if a user was physically interacting with the device at a specific moment (think about car crashes for example).
Avatar
Avatar
FabianoQ
I'm more and more sure that we are currently missing a lot of potentially useful information that could be fundamental, for example, when you need to check if a user was physically interacting with the device at a specific moment (think about car crashes for example).
theAtropos4n6 2/1/2021 3:04 AM
I could not agree more. Android system logs (including Android families like MIUI, EMUI) are pretty much under-researched. On one hand, this is a good thing as there is a lot of room for research, but on the other, we might lose an amount of evidentiary data that could crack our case.
Avatar
Avatar
Mistercatapulte
Does anyone have a problem like me with PA?
I had the same issue on one of my PCs last week, solved by uninstalling everything related to PA/UFED and reinstalling it. I believe the file misbehaving is related to the PA "Analyticsengine". I had to uninstall it by using iobit uninstaller as the normal windows uninstaller didn't remove everything.
Avatar
Mistercatapulte 2/1/2021 4:53 AM
@Oscar thx for the tips 🙂 I removed and installed 7.41; keychain parsing took 20 min, but it works
4:53 AM
maybe some difficulty with the iOS 14 keychain in the last release?
Avatar
@Mistercatapulte Make sure the keychain is parsed correctly if the extraction is from UFED checkm8, I've had major issues with those keychains being encrypted and PA not decrypting them properly
Avatar
Mistercatapulte 2/1/2021 4:58 AM
@Oscar it was an iPhone 11 Pro Max, iOS 14.x
Avatar
Also my OpenJDK and server.exe ran 100% CPU regardless if PA was running or not
Avatar
Mistercatapulte 2/1/2021 4:58 AM
not supported by checkm8
Avatar
Avatar
Mistercatapulte
@Oscar it was an iPhone 11 Pro Max, iOS 14.x
Ohh, right ^^
Avatar
Mistercatapulte 2/1/2021 4:59 AM
maybe jailbreak soon....crossed fingers 🙂
Avatar
does anyone know if the UFED chat capture needs extra licensing?
5:41 AM
I can't seem to open the extraction
Avatar
Avatar
Sudo
does anyone know if the UFED chat capture needs extra licensing?
theAtropos4n6 2/1/2021 5:44 AM
No just the regular UFED license would do.
5:44 AM
when I open it, it says licensing issue
Avatar
Avatar
Sudo
when I open it, it says licensing issue
theAtropos4n6 2/1/2021 5:49 AM
Maybe someone from @Cellebrite could come to the rescue (edited)
Avatar
it's not letting me capture now anyway haha
6:05 AM
it's the decoding aspect that wasn't working before though, now it gets to the capture part and doesn't take any captures
Avatar
CLB - DavidK 2/1/2021 6:15 AM
@Sudo In which stage are you exactly? After choosing the app?
Avatar
@CLB - DavidK yeah after the app
6:19 AM
It starts the process, then silently fails
6:19 AM
No screens are captured
Avatar
CLB - DavidK 2/1/2021 6:51 AM
@Sudo I'll DM you, I need to take a look at the logs
Avatar
Hi there, does anybody know how to brute-force gatekeeper.pattern.key/gatekeeper.password.key on devices without a TEE but with Android 6 or 7?
Avatar
Anyone know if the issue within PA of tags not staying the same color or F key has been fixed? I thought it had, but a prosecutor is asking for the notes.
Avatar
Can anyone give me a hand? I've successfully created a hex tag. It's a plist which describes which application the container belongs to, in which I found some illicit files. The issue is, when I open the hex tag, it only shows hex and not an ASCII translation. Is there any way to show the ASCII in the tag so a lay person can make some sense of it?
9:02 AM
Maybe I should be more specific. I can explain the tag in my written report, I just want to be able to point to the words "com.apple.mobileslideshow" in the tag in court if I testify.
Avatar
@LawDawg I have been requesting it to be shown in ASCII for years now. The only way I have found to do this in PA is to copy the selection and paste the content into the notes section.
Avatar
It has been documented that the .obliterated file is created when you wipe an iOS device. I wonder if one could restore an iOS phone to a previous backup without wiping the device and thus not creating the .obliterated file. I have searched but not found anything on this. Has anyone tested this? Would the .obliterated file still be created if just 'rolling back' to a previous backup?
Avatar
chrisforensic 2/2/2021 6:12 AM
Does anyone @Cellebrite @MSAB @Oxygen Forensics or anyone else already have experience with Plus Messenger. Plus Messenger is an unofficial messaging app that uses Telegram's API. I have a physical image (4PC) of an SM-G960F, but PA does not decode this messenger for me ... Of course I can take screenshots, but a technical solution would be better 😉 Here the playstore link ... https://play.google.com/store/apps/details?id=org.telegram.plus&hl=en&gl=US (edited)
Avatar
Lordicode Oxygen Forensics 2/2/2021 6:14 AM
@chrisforensic Hello, we support parsing of Plus Messenger of the following versions
👍 1
6:15 AM
Information available for analysis after import is listed under "Data types"
Avatar
chrisforensic 2/2/2021 6:17 AM
@Lordicode Oxygen Forensics thanks for the info... hm, the installed version on the phone is 7.3.1.0... but I will try it later when the dump of another phone is actually finished 😉 (edited)
Avatar
Lordicode Oxygen Forensics 2/2/2021 6:20 AM
You can actually request support for any version that is not listed. It takes some time though. So, if you are under a time constraint and it won't work with the current version of the Detective, we won't be able to parse it.
6:20 AM
@chrisforensic
6:21 AM
You request support for the specific app version through e-mail and it gets added to the pipeline. It goes into production when there is a spot in the release. (edited)
👍 1
6:22 AM
Other than that, we should support this phone if it is not on Android 10
Avatar
chrisforensic 2/2/2021 6:24 AM
thanks @Lordicode Oxygen Forensics for your help! it's on 9.0 😉 importing the extracted filesystem into Oxy should be possible, right? no need to acquire together? (edited)
Avatar
Lordicode Oxygen Forensics 2/2/2021 6:30 AM
If it is something non-straightforward, like extracting with the goal of getting info from an unsupported version of the app, it is always better to get a full physical. But, yeah, try the import - it won't hurt. (edited)
Avatar
chrisforensic 2/2/2021 6:32 AM
it's a filesystem dump out of PA from the physical extraction 👍
👍 1
Avatar
Lordicode Oxygen Forensics 2/2/2021 6:33 AM
@chrisforensic DM'd some additional info
💯 1
Avatar
skiddyfruit 2/2/2021 6:45 AM
Hello all, thank you for all your valuable time. If I would, let's say, want to go through this process: Launching the application --> Application asking for email --> Input email --> Stop the application --> Review the unknown database --> See where it exists --> Map the evidence and validate --> Continue from step 1
6:49 AM
What tools would be great to use for this process so it goes as efficiently as possible? I have access to Cellebrite Physical Analyzer. @Andrew Rathbun @DeeFIR 🇦🇺
6:50 AM
I would also like to send my thanks to you all in advance
Avatar
skiddyfruit 2/2/2021 7:10 AM
I think I found something: Cellebrite Visual Analyzer. Is this a good tool to use for this task?
Avatar
Andrew Rathbun 2/2/2021 7:11 AM
@skiddyfruit in relation to mobile forensics? I don't do mobile anymore but someone like @CLB_joshhickman1 would be good to ask. I would start by using his images and poking around in the databases. You can also get dumps of your own phone after creating sample data with an app and seeing how it looks in PA. If there's a new artifact to be found, blog about it!
Avatar
skiddyfruit 2/2/2021 7:13 AM
Okay, I will do that then Andrew, thank you. @CLB_joshhickman1, do you have Android images hosted somewhere? I unfortunately only have an iPhone haha. If I sound like a spoon feeder, I am sorry. I am just very new to this :/
7:14 AM
Avatar
CLB_joshhickman1 2/2/2021 7:15 AM
There are others hosted here: https://digitalcorpora.org/corpora/cell-phones (edited)
Avatar
skiddyfruit 2/2/2021 7:17 AM
Thank you guys!! I am actually really surprised that there are such organized communities in DFIR. My background is in infosec, more offensive and CTF style. But it seems that everyone sticks together here a lot!
👍 5
Avatar
Avatar
chrisforensic
Does anyone @Cellebrite @MSAB @Oxygen Forensics or anyone else already have experience with Plus Messenger. Plus Messenger is an unofficial messaging app that uses Telegram's API. I have a physical image (4PC) of an SM-G960F, but PA does not decode this messenger for me ... Of course I can take screenshots, but a technical solution would be better 😉 Here the playstore link ... https://play.google.com/store/apps/details?id=org.telegram.plus&hl=en&gl=US (edited)
DMed you 🙂
👍 1
Avatar
Avatar
skiddyfruit
What tools would be great to use for this process so it goes as efficiently as possible? I have access to Cellebrite Physical Analyzer. @Andrew Rathbun @DeeFIR 🇦🇺
DeeFIR 🇦🇺 2/2/2021 1:33 PM
I use a mixture of UFED PA, DB browser, Android studio
Avatar
the_johanna 2/3/2021 1:18 AM
I have a Galaxy S10, locked. Is there any way to get the password key and salt out of this phone? I have an ADB extraction from UFED but can't seem to find the files I need to get the key and salt.
Avatar
@the_johanna XRY should have support for brute forcing the code if it's on Android 10! Let me know if you need any assistance 🙂
Avatar
the_johanna 2/3/2021 1:40 AM
@Erumaro My colleague brute-forced a Galaxy S10 and it worked amazingly; had the code within 20 min. But with this phone there is an alphanumeric code and I do not know how many characters :/
Avatar
@the_johanna Ah, I understand. Could still be worth trying, but with an alphanumeric code it will probably take quite some time.
Avatar
@the_johanna try to do BFU and check if device_policies.xml is still accessible
Avatar
Anyone online from @Amped Software who has 2 minutes for a couple of quick questions - please DM me :)
Avatar
Spready-Amped 2/3/2021 1:45 AM
Will do!
Avatar
Avatar
Arcain
@the_johanna try to do BFU and check if device_policies.xml is still accessible
the_johanna 2/3/2021 1:47 AM
What type of information would I get from the device_policies?
Avatar
code length and what it contains, how many digits, letters, big letters etc
😲 2
Avatar
Avatar
Arcain
code length and what it contains, how many digits, letters, big letters etc
the_johanna 2/3/2021 1:49 AM
The one key I find interesting there is the "lock-task-features value" and the value is "16". What does this mean?
Avatar
Avatar
Arcain
code length and what it contains, how many digits, letters, big letters etc
the_johanna 2/3/2021 1:51 AM
And also the simplepassword-enabled value is true
Avatar
I actually have a G973F currently, locked, and the passcode provided doesn't work. I'll try to do BFU on it and check
👍 1
Avatar
@the_johanna any mention of mdm or device_admin in device_policies? Usually those values show up on a dedicated device. https://developer.android.com/work/dpc/dedicated-devices/lock-task-mode
2:39 AM
unfortunately, no more hints for the passcode here, possibly because of FBE
2:39 AM
<failed-password-attempts value="8" /> <lock-task-features value="16" />
Avatar
@Arcain Was that a "normal" device?
Avatar
@.karate. yes, heavily cracked screen, still Android 9
2:42 AM
ro.build.version.incremental=G973FXXU1ASE7 and ro.build.version.security_patch=2019-05-01
👍 1
Avatar
the_johanna 2/3/2021 2:42 AM
@.karate. No, no mentions of those values, this does not seem to be a company managed phone.
2:43 AM
@Arcain I think I will just have to let this phone go. Since I am pretty new to the field of digital forensics, I have learned a lot trying to get into this phone. Thank you for your efforts!
Avatar
Does anyone know which database I need to see how long a screen has been locked on an Android phone? Or where it shows when the device was powered on. It is a Samsung Galaxy 2
Avatar
Anyone from @Magnet Forensics around for DM?
Avatar
Avatar
Dan15
Does anyone know which database I need to see how long a screen has been locked on an Android phone? Or where it shows when the device was powered on. It is a Samsung Galaxy 2
Avatar
cScottVance 2/3/2021 4:16 AM
DM incoming @Oscar
Avatar
@.karate. Thank you very much
Avatar
Avatar
Dan15
@.karate. Thank you very much
If you go to that post and scroll up you can follow the discussion @Stevie_C and I had. Lots of talk about power etc.
👍 1
Avatar
@.karate. Thanks. This helps a lot. I can already prove the phone was powered on and off after the victim had passed away.
👍 3
Avatar
So, I have an android device that keeps showing pictures in a "data\org.videolan.vlc\files\medialib\ *video name*.3pg.jpg." I know these correspond with 3pg videos, but does anyone know what the jpg above would be or if the user can still access the picture after the corresponding video is removed? (edited)
Avatar
Avatar
Moses1617
So, I have an android device that keeps showing pictures in a "data\org.videolan.vlc\files\medialib\ *video name*.3pg.jpg." I know these correspond with 3pg videos, but does anyone know what the jpg above would be or if the user can still access the picture after the corresponding video is removed? (edited)
Hi. On Android 8 I was able to see thumbnails of the videos (displayed in VLC). Some were erased, others were not. I no longer have the technical details (time ...)
Avatar
Dear @Cellebrite! When you find errors in your programs and the problem gets solved in a newer version, could you please give us easy access to the root cause analysis? Maybe inside the release notes? But at least it should be accessible from the download site of the new version. This is the second time this information is hiding under "Discussion Groups". Thank you!
Avatar
Did anybody get offline maps to work with Cellebrite PA 7.42 on a SAN/NAS? We share a central file repository and it would be amazing to only have one copy of the offline maps vs one on every computer. I thought this was supposed to work in 7.42 but I get an error saying something like "unable to get privileged access". Since I have RWX access on the SAN, what else would I need to do?
Avatar
Avatar
Izzy
Dear @Cellebrite! When you find errors in your programs and the problem gets solved in a newer version, could you please give us easy access to the root cause analysis? Maybe inside the release notes? But at least it should be accessible from the download site of the new version. This is the second time this information is hiding under "Discussion Groups". Thank you!
danmiami0001 2/3/2021 12:38 PM
Hey there - I asked around and it appears that it is not only in the Cellebrite portal under PA discussions, but it was also emailed out to registered users of the portal. Could you check to ensure you are allowing Cellebrite emails? Perhaps your IT may also need to check the filters?
Avatar
@danmiami0001 Thank you for answering. I got it. But why can't you put it on the download site when a new version (that fixes known errors) is released? So it is easy to find when we read the RA?
Avatar
Avatar
Izzy
@danmiami0001 Thank you for answering. I got it. But why can't you put it on the download site when a new version (that fixes known errors) is released? So it is easy to find when we read the RA?
danmiami0001 2/3/2021 12:43 PM
I will pass along the suggestion to the product manager.
👍 1
Avatar
Avatar
Cole
Did anybody get offline maps to work with Cellebrite PA 7.42 on a SAN/NAS? We share a central file repository and it would be amazing to only have one copy of the offline maps vs one on every computer. I thought this was supposed to work in 7.42 but I get an error saying something like "unable to get privileged access". Since I have RWX access on the SAN, what else would I need to do?
danmiami0001 2/3/2021 1:19 PM
From what I understand, if the central location requires authentication, it may not work. Can you send an email in to support@cellebrite.con to get you to someone that could help you test or resolve it, please?
Avatar
Avatar
danmiami0001
From what I understand, if the central location requires authentication, it may not work. Can you send an email in to support@cellebrite.con to get you to someone that could help you test or resolve it, please?
I will, thank you!
👍 1
Avatar
Avatar
Cole
Did anybody get offline maps to work with Cellebrite PA 7.42 on a SAN/NAS? We share a central file repository and it would be amazing to only have one copy of the offline maps vs one on every computer. I thought this was supposed to work in 7.42 but I get an error saying something like "unable to get privileged access". Since I have RWX access on the SAN, what else would I need to do?
We did some testing in the office the other day. We can copy the maps.mbtiles to a second HDD in the PC or an external HDD and they work perfectly when pointing to the database there. We then tried putting the maps.mbtiles onto our server so everyone could point to it. It allows you to connect to the maps.mbtiles database and says connection successful, but we couldn't get it to work either. We haven't had a chance to get a ticket in to @Cellebrite yet as we were wanting to do a bit more testing first to make sure we get enough data and findings to give to them
Avatar
Avatar
Stevie_C
We did some testing in the office the other day. We can copy the maps.mbtiles to a second HDD in the PC or an external HDD and they work perfectly when pointing to the database there. We then tried putting the maps.mbtiles onto our server so everyone could point to it. It allows you to connect to the maps.mbtiles database and says connection successful, but we couldn't get it to work either. We haven't had a chance to get a ticket in to @Cellebrite yet as we were wanting to do a bit more testing first to make sure we get enough data and findings to give to them
That also happened to me. I cannot create the maps.mbtiles on a network but I can point at it, but then the maps will not load.
2:11 PM
Also a note on the maps for a potential feature update. If we select offline maps, the "No Internet Connection" icon over the maps is really unnecessary. (edited)
Avatar
Avatar
Cole
I will, thank you!
DeeFIR 🇦🇺 2/3/2021 2:11 PM
Can you let me know how you get on? Having compatibility requirements such as unauthenticated shares is ridiculous given the industry we’re in. @danmiami0001 if UFED and PA work by pushing and pulling data from authenticated network shares, if maps is working within the same program, why would it cause an issue? 🧐
👍 1
Avatar
Avatar
Cole
That also happened to me. I cannot create the maps.mbtiles on a network but I can point at it, but then the maps will not load.
Yeah, we're exactly the same. One thing we did note: after we pointed the test data to the map on the local second HDD or external, it worked perfectly. We have a High Res map package for Northern Ireland. We used the local maps to see the High Res map for one image, switched and pointed to our server offline maps, went to another image, and could not see the High Res maps for that image. We then went back to the other image we had previously looked at in High Res and half the tile was High Res and half of it was Low Res. Made us think that the particular tile was cached somewhere on the local drive after we first viewed it, as technically we should not have been seeing any High Res (edited)
Avatar
Avatar
DeeFIR 🇦🇺
Can you let me know how you get on? Having compatibility requirements such as unauthenticated shares is ridiculous given the industry we’re in. @danmiami0001 if UFED and PA work by pushing and pulling data from authenticated network shares, if maps is working within the same program, why would it cause an issue? 🧐
danmiami0001 2/3/2021 2:15 PM
I reached out internally and shared what I was provided. Please send in a message to support@cellebrite.con to create the case.
Avatar
Just sent an email
2:19 PM
For reference, the error is "A problem occurred with the offline maps package: The TileService don't have the privileges to access this folder. Choose a different folder or provide additional privileges for the TileService."
2:20 PM
This looks to me like TileService is running separately from the rest of PA and doesn't share its elevated privileges.
2:20 PM
Case ID is 00489985 @DeeFIR 🇦🇺
Avatar
DeeFIR 🇦🇺 2/3/2021 2:48 PM
Ahhhh
2:48 PM
that makes sense @Cole
2:53 PM
Looks like you'll have to create a non-privileged non-interactive service account and grant it privileges for that share. Bit of a pain, but makes sense. Thanks for the quick reply @Cole
Avatar
Does anyone know what the second key under the MakerApple dict in the photos.sqlite metadata plist means? I can't really find any information about it. The only mention I can even find is http://photoinvestigator.co/blog/the-mystery-of-maker-apple-metadata/ and that just says it's a mystery. Anyone have any further research on the subject?
Avatar
@Cellebrite Morning. Are there any known issues with creating UFDR reports? I have tried to create 3 different reports over the last couple of weeks that are failing: "Unexpected error. Unable to create UFDR report." I have uninstalled and reinstalled PA, restarted the computer, etc., but continue to get the error. I am able to create the report on other terminals. PA v7.42.0.50. Thank you
Avatar
Avatar
Cole
For reference, the error is "A problem occurred with the offline maps package: The TileService don't have the privileges to access this folder. Choose a different folder or provide additional privileges for the TileService."
We've had that issue in the office. It's a nightmare when it crops up !! Says it doesn't have privileges for the folder yet we're full Admins on Admin accounts !!!
There is a solution to this. The way we fixed it was:
Use Revo Uninstaller to remove Node.js
Install node-v14.15.1-x64.msi from https://nodejs.org/en/blog/release/v14.15.1/
Then use Revo Uninstaller to remove Node.js again.
Restart PC
Make sure TilesServer is not running in Services after reboot. If it is, you still have a remnant of it somewhere. You need to make sure you have got rid of nssm_64.exe. Its default path is C:\Program Files\TileServer
Delete any trace of the folder TileServer in C:\Program Files\
Reboot PC
Re-install node-v14.15.1-x64.msi
It's convoluted but it worked for us !!
🥴 1
Avatar
Avatar
JJ7
@Cellebrite Morning. Are there any known issues with creating UFDR reports? I have tried to create 3 different reports over the last couple of weeks that are failing: "Unexpected error. Unable to create UFDR report." I have uninstalled and reinstalled PA, restarted the computer, etc., but continue to get the error. I am able to create the report on other terminals. PA v7.42.0.50. Thank you
@Cellebrite FYI I think it occurs when image classification has been performed. I loaded it back into PA without performing that and the report generated successfully.
Avatar
Avatar
JJ7
@Cellebrite FYI I think it occurs when image classification has been performed. I loaded it back into PA without performing that and the report generated successfully.
@JJ7 I've just sent this up the chain.
👍 1
Avatar
I had an issue yesterday where generating a report wouldn't un-grey after loading a huge checkm8 extraction. I almost cried.
Avatar
Did the extraction finish loading?
Avatar
Avatar
CLB-Paul
Did the extraction finish loading?
It did. I checked the log.
Avatar
:/ have you reached out via the support team with the logs?
Avatar
Avatar
CLB-Paul
Did the extraction finish loading?
It hasn't happened before so I just reloaded it. If it messes up this time I will.
👍 1
Avatar
Avatar
CLB-Paul
:/ have you reached out via the support team with the logs?
I said log, I meant the trace window.
Avatar
Forensic@tor 2/5/2021 7:46 AM
@Neon Did you start the enrichment? It does not record in the trace when finished. It will prevent report generation until completed.
Avatar
Avatar
Forensic@tor
@Neon Did you start the enrichment? It does not record in the trace when finished. It will prevent report generation until completed.
I only did hashing because of the nature of the case, but it was like an 80-100 GB extraction
Avatar
Forensic@tor 2/5/2021 8:05 AM
@Neon I am referring to the request for BSSID enrichment after the parsing is complete. (edited)
Avatar
Avatar
Forensic@tor
@Neon I am referring to the request for BSSID enrichment after the parsing is complete. (edited)
I don't think it did, but I'd be lying if I said I was sure I didn't. A lot of that is muscle memory.
Avatar
Hello! I have an iPhone with a video file where I've been asked to determine if the file was filmed with the phone it was found on. The video file is in the DCIM/100APPLE folder, has an IMG_XXXX.MOV filename, and lacks any relevant metadata. I've examined the Photos.sqlite file and determined that the file was originally named cm-chat-media-video-XXXXX.MOV and belongs to the Snapchat album. The Snapchat app, however, seems to have been removed from the phone, and I can't find any relevant files associated with it. The AddDate value in Photos.sqlite is earlier than the DateCreated value. Any other ways I could verify if this file was filmed with the phone, or received in a chat? Any help is appreciated!
Avatar
Has anyone looked into Facebook's new vanishing chats and encrypted chats in their Messenger? How much can be recovered and such?
Avatar
Avatar
dotmatrix
Hello! I have an iPhone with a video file where I've been asked to determine if the file was filmed with the phone it was found on. The video file is in the DCIM/100APPLE folder, has an IMG_XXXX.MOV filename, and lacks any relevant metadata. I've examined the Photos.sqlite file and determined that the file was originally named cm-chat-media-video-XXXXX.MOV and belongs to the Snapchat album. The Snapchat app, however, seems to have been removed from the phone, and I can't find any relevant files associated with it. The AddDate value in Photos.sqlite is earlier than the DateCreated value. Any other ways I could verify if this file was filmed with the phone, or received in a chat? Any help is appreciated!
heatherDFIR 2/8/2021 5:17 AM
What type of extraction do you have? I have my photos.sqlite and can verify some things today while I teach.
Avatar
Advanced Logical at the moment.
Avatar
Joe Schmoe 2/8/2021 8:17 AM
Anyone know of any good tools to view thumbnail images inside iOS .ithmb files outside of a forensics tool like PA or AXIOM?
Avatar
Avatar
Joe Schmoe
Anyone know of any good tools to view thumbnail images inside iOS .ithmb files outside of a forensics tool like PA or AXIOM?
The program for open, view and conversion of ITHMB files into JPEG format on Windows
Avatar
manuelevlr 2/9/2021 4:25 AM
hello everyone, is it possible that the parsing of a .ufd has stopped here for 1 hour? I can't generate the report like that.
4:26 AM
Avatar
Avatar
manuelevlr
hello everyone, is it possible that the parsing of a .ufd has stopped here for 1 hour? I can't generate the report like that.
hi, you have to wait for location carving to finish. On iPhones this will sometimes take hours.
Avatar
Joe Schmoe 2/9/2021 7:08 AM
Thank you. I did try that one. The trial limited the number of thumbnails shown but it seemed to work well. I was hoping there was a little more info available. I’m curious on what ties the thumbnail to the original photo.
👍 1
Avatar
Hi, has anyone here looked at WhatsApp launch.logs? I'm looking to try to understand the content stored within the logs. Any help or signposting is really appreciated.
Avatar
@Cellebrite Has a beta of the next version of PA been made available yet?
Avatar
mond4y_morNin6 2/9/2021 11:49 AM
Does anyone know where I could find an account that was sharing media files with a suspect on Google Photos? Would accounts that were sharing media with this device be listed in a Google Photos database like gphotos0.db?
Avatar
Avatar
mond4y_morNin6
Does anyone know where I could find an account that was sharing media files with a suspect on Google Photos? Would accounts that were sharing media with this device be listed in a Google Photos database like gphotos0.db?
Android or iOS?
Avatar
@Cellebrite does the new chat capture feature log cellebrite into whatsapp as an application?
1:32 PM
It seems to have logged the phone out of WhatsApp even though the computer and phone are in airplane mode (edited)
Avatar
Avatar
stark4n6
Android or iOS?
mond4y_morNin6 2/10/2021 4:43 AM
Android
Avatar
Avatar
mond4y_morNin6
Android
let me check but there should be account information in the app DB somewhere
Avatar
Bit of a funky question, @Cellebrite: the exporting of KML files. Is it possible to pull out more than the location/name?
6:39 AM
Kinda like how it's displayed within PA (just condensed down and no media)
Avatar
Does anyone have any idea what an iPhone event log ceasing at the point of a car accident could be? I was thinking a Bluetooth connection?
Avatar
Avatar
Rob
Bit of a funky question, @Cellebrite: the exporting of KML files. Is it possible to pull out more than the location/name?
Try exporting out to Excel. Leave the columns you are after and use Google Earth to import the Excel or CSV, mapping the columns appropriately. In a roundabout way that's what I have done before
Avatar
Avatar
Dfdan
Try exporting out to Excel. Leave the columns you are after and use Google Earth to import the Excel or CSV, mapping the columns appropriately. In a roundabout way that's what I have done before
Not a bad idea
9:43 AM
Thanks again :)
Avatar
Word of warning: don't import loads of locations in one go. Google Maps struggles big time with 1.4 million lat and longs
🤣 1
Avatar
Avatar
mond4y_morNin6
Android
check gphotos0.db for the tables "comments" or "shared_media"; doesn't appear to show an actual email address in either, I'll keep hunting further
👍 1
Avatar
Hi! I have a KIK database from an iPhone backup that has a different name from what it usually has in the filesystem, so it doesn't get parsed in either Axiom or Cellebrite. Is there any way for me to specify that this database belongs to that app and parse it that way?
Avatar
Mistercatapulte 2/11/2021 12:57 AM
Hi guys, I have Silent Phone installed on a Xiaomi, with 4 digits unknown. Anyone know a method to extract and BF it? Thx. I have in PA "zids_sqlite.db", partially decoded with nicknames of contacts, I suppose, but that's all. EDIT: I've found the pwd (edited)
Avatar
Anyone know how to stop Cellebrite PA from truncating emails in generated reports? (edited)
Avatar
Avatar
3X3
Anyone know how to stop Cellebrite PA from truncating emails in generated reports? (edited)
CLB-drorimon 2/11/2021 3:07 AM
In UFDR, data is never truncated. In other formats, near the body in the report you can find a link to a file with the full text. But if you insist on having the data in the report, you can play with this setting: (edited)
cellebrite 1
👍 1
Avatar
Thanks @CLB-drorimon - I need to get an eye test it seems! 😆
Avatar
Avatar
3X3
Thanks @CLB-drorimon - I need to get an eye test it seems! 😆
CLB-drorimon 2/11/2021 4:58 AM
It's not as if your nick is 6x6 😛
😆 2
Avatar
Does anyone know of a Python script or anything that can bulk convert Mac time and date values into regular time?
Avatar
Oxygen Forensics 2/11/2021 6:45 AM
https://www.epochconverter.com/batch something like this? @CCC (edited)
6:47 AM
if by Mac time you mean epoch time
Avatar
Oxygen Forensics 2/11/2021 7:24 AM
It is also super easy to do in Python. Did this as a little exercise. Still learning it, but this gets the job done. Opens the file where you copied your epoch times, opens an empty file where you will write. Reads the first file, converts and writes to the other file. (edited)
👍 1
7:28 AM
7:31 AM
Avatar
Avatar
CCC
Does anyone know of a Python script or anything that can bulk convert Mac time and date values into regular time?
JLindmar (83AR) 2/11/2021 7:33 AM
You can do it in MS Excel. CFAbsolute (Cocoa Framework / Mac) time is defined as the number of seconds (9 digits) (or milliseconds [12 digits], microseconds [16 digits], nanoseconds [18 digits]) that have elapsed since January 01, 2001 00:00:00 Coordinated Universal Time (UTC).
=A1/86400+date(epoch)-time(h,m,s)
A1 = Cell with the encoded timestamp
86,400 = Number of seconds per day
86,400,000 = Number of milliseconds per day
86,400,000,000 = Number of microseconds per day
86,400,000,000,000 = Number of nanoseconds per day
epoch = epoch date as year, month, day; e.g., 1970,1,1 or 2001,1,1
time = Offset in hours for Eastern Standard Time (EST) 5 or Eastern Daylight Time (EDT) 4; e.g., 4,0,0
For example: =A1/86400+date(2001,1,1)-time(5,0,0)
😍 1
Avatar
Avatar
stark4n6
check gphotos0.db for the tables "comments" or "shared_media"; doesn't appear to show an actual email address in either, I'll keep hunting further
mond4y_morNin6 2/11/2021 12:19 PM
I had located a couple of entities in the shared media table, but I’m thinking that may be media this account has shared with someone else rather than media that is shared with this account from another. I will take a look at comments as well. I appreciate your help!
Avatar
Avatar
mond4y_morNin6
I had located a couple of entities in the shared media table, but I’m thinking that may be media this account has shared with someone else rather than media that is shared with this account from another. I will take a look at comments as well. I appreciate your help!
there should be at least a name for the account that shared it, but I couldn't find pointers to an email address specifically
👍 1
Avatar
Who knows what the difference is between Launches and Activations in the Aggregated Application Usage category? @Cellebrite
Avatar
@Cellebrite @Magnet Forensics Hi, why in UFED version 7.42 do I have 0 messages from Snapchat while the exact same extraction in Axiom shows me 1700 messages? All from the Arroyo.db. I have this issue in many different Android extractions. UFED never parses the Arroyo.db; never had any problem with Axiom. Could you please do something for a next release?
👀 1
👍 2
Avatar
Avatar
Nitraz_
Thanks. But Cellebrite knows that Arroyo.db has a lot of information (messages, ...) but doesn't parse it....
Avatar
I think there are a lot of artifacts to parse since the release of checkm8 and FFS on iOS; stay tuned, probably in the next releases 🙂 (edited)
Avatar
But it's on Android and the problem was the same in the last release. No change happened.
Avatar
Has anyone done any work trying to match up SMS message timestamps from billing records to those messages on the phone? It seems like these aren't always accurate and will likely depend on the carrier, but I'm wondering how reliable the timestamps may be in general.
Avatar
Avatar
Dam
@Cellebrite @Magnet Forensics Hi, why in UFED version 7.42 do I have 0 messages from Snapchat while the exact same extraction in Axiom shows me 1700 messages? All from the Arroyo.db. I have this issue in many different Android extractions. UFED never parses the Arroyo.db; I never had any problem with Axiom. Could you please make something for a next release?
I'll bring this up to our decoding group. 🙏
Avatar
It’s in the works
👍 4
Avatar
Has anyone dealt with messages in UFED that have the flag “scrambled”?
5:06 AM
But cannot unscramble it...
Avatar
Anyone know where in the hex of browserstate.db it indicates whether something is private or not? I've been trying to compare it to the SQL viewer mode, but there does not seem to be any character between the date and the UUID.
Avatar
Is there a short and dirty on what causes Health.db to start tracking activity vs. when it doesn't?
Avatar
Nullable Truth 2/16/2021 11:58 PM
@CCC not entirely sure what you mean. The 'tabs' table has a 'private_browsing' column where '1' is marked private. These rows are linked on the 'uuid' column with the 'tab_sessions' table's 'tab_uuid' column. The 'session_data' contains a bplist containing the history of links.
Avatar
@Nullable Truth I have a database file, provided with no WAL file, and it doesn't open in dbviewer; it shows one tab with no history, but if you hex/strings/Axiom it then there's ample history. In my test data though, with plists, I still can't see where the 1 is derived from, and on this particular db, despite being 3 MB in size, there's nothing in the blob. (edited)
Avatar
Avatar
CCC
@Nullable Truth I have a database file, provided with no WAL file, and it doesn't open in dbviewer; it shows one tab with no history, but if you hex/strings/Axiom it then there's ample history. In my test data though, with plists, I still can't see where the 1 is derived from, and on this particular db, despite being 3 MB in size, there's nothing in the blob. (edited)
Nullable Truth 2/17/2021 2:33 AM
Are you able to recover the database into a new working file? https://sqlite.org/cli.html#recover
Avatar
I'll give it a go
Avatar
Nullable Truth 2/17/2021 2:36 AM
Looking at a test sample, there's no human-readable structure to the database rows.
2:38 AM
From the second char to the second-from-last char are the bytes being used to store the data in the columns following 'user_visible_url' and 'browser_window__uuid'.
2:39 AM
The 7th column relative to the last URL column is the private data field.
Avatar
Yeah, it's frustrating as you can see the timestamp and then the UUID, but between that should be the value, unless it adds one to something.
Avatar
Nullable Truth 2/17/2021 2:41 AM
I'm thinking SQLite is compressing the bools; it doesn't help when there is a real int type in the middle of the bools.
2:42 AM
Best bet is to try to recover/reconstruct the database using SQLite commands and see if it can be opened then.
Avatar
Yeah, if you change the 1 to something else, a letter or whatever, it appears right there, but the 1 or 0 does not, so it's not obviously a null or not.
Avatar
Nullable Truth 2/17/2021 2:54 AM
If you're missing the .wal file you may be missing the last write/update commands. But hopefully there's enough in there for your needs.
Avatar
I think that's the problem; fixing it makes it a 40 KB file.
Avatar
Is there any way to see what the autolock time was set to at a certain date in the powerlog of an iPhone?
Avatar
Hi everyone. iCloud search return and Cellebrite isn't parsing the SMS.db. I tried extracting and pointing to the folder but still no luck. Any suggestions?
Avatar
Wimmiedejong 2/18/2021 5:38 AM
Hi there, is there a Python script or something else that can parse the BLOB data from the cache4.db from Telegram? The Android version is supported up to 6.0 by Cellebrite, and with Axiom also no luck. Messages are visible on the phone but only partly decoded by the tools. (edited)
Avatar
@Wimmiedejong yes there is. Let me find it.
Avatar
Avatar
florus
@Dfdan https://blog.digital-forensics.it/2020/04/teleparser.html (thanks to @dfirfpi) No idea if it works, let me know if it does will ya. (edited)
Here it is
👍 1
Avatar
Latest version of XAMN also allows viewing BLOB data with the SQL Viewer 👍
💯 2
👍 1
Avatar
Avatar
Wimmiedejong
Hi there, is there a Python script or something else that can parse the BLOB data from the cache4.db from Telegram? The Android version is supported up to 6.0 by Cellebrite, and with Axiom also no luck. Messages are visible on the phone but only partly decoded by the tools. (edited)
I ran into a similar issue: a 1 MB cache4.db and a 4 MB WAL. I could see deleted messages in the WAL file; however, being located in a BLOB, Cellebrite wasn't able to parse out the deleted messages, even though I created a custom parser in SQL Wizard, enabling the pickaxe. I tried AXIOM and XAMN; they didn't come close to what UFED semi-parsed. I submitted a ticket to Cellebrite and release 7.42.x solved the parsing issue of the deleted messages from the WAL file. Instead of 82 live messages I now have 400, the majority being deleted, all related to the offence. Thanks to @CLB-ChenK for helping me solve this issue. (edited)
👍 2
cellebrite 2
💯 1
Avatar
Hi, I have heard that the healthdb_secure.hfd file contained within the iPhone Health application may hold GPS data. Unfortunately the file is encrypted; would a full file system extraction and access to the associated keychain allow me to decrypt the file?
Avatar
Hi, I'm trying to save WhatsApp data from a Huawei STK-LX1. WhatsApp is installed with version 2.21.1.13. I can see lots of chats, but I can't find the database on the phone. The APK downgrade with Cellebrite didn't report an error while saving, but using Physical Analyzer I realized that the database is set to zero.
2:35 AM
Other tools didn't work, because there's no WhatsApp database on the phone.
2:35 AM
Does anybody know about this problem?
Avatar
Avatar
Camelot_46
Hi, I have heard that the healthdb_secure.hfd file contained within the iPhone Health application may hold GPS data. Unfortunately the file is encrypted; would a full file system extraction and access to the associated keychain allow me to decrypt the file?
theAtropos4n6 2/19/2021 2:59 AM
Not sure about the GPS part, but yes, FFS (especially if checkm8 is supported for this device) would allow you to see its contents. Also, an encrypted iTunes backup might help as well. (edited)
Avatar
Avatar
Frizan
Hi, I'm trying to save WhatsApp data from a Huawei STK-LX1. WhatsApp is installed with version 2.21.1.13. I can see lots of chats, but I can't find the database on the phone. The APK downgrade with Cellebrite didn't report an error while saving, but using Physical Analyzer I realized that the database is set to zero.
theAtropos4n6 2/19/2021 3:12 AM
Hello. Are you sure that Cellebrite supports this phone? Are we talking about the Huawei P Smart Z 2019? Because I have just checked on UFED4PC 7.42 and it does not seem to support this model. What other tools did you use? Oxygen 13.3 seems to support Kirin 710F extraction, so have you tried this? The downgrade option can be risky sometimes.
Avatar
@Magnet Forensics Someone around for a mobile decoding question regarding Snapchat? In short: what value must I grab for the My Eyes Only part? (The currently decoded keychain values don't match up) (edited)
Avatar
Anyone know of any way of decoding Photo Vault on iOS? Was actually shocked to find they are now encrypting the media files.
Avatar
Andrew Rathbun 2/20/2021 10:56 AM
It has taken a while, but I’m happy to announce an iOS 14 image with documentation is now publicly available for download. This image contains forty-two (42) third party apps. The list inc…
👍 4
💯 1
Avatar
Avatar
stephenie
Anyone know of any way of decoding Photo Vault on iOS? Was actually shocked to find they are now encrypting the media files.
Android or iOS? EDIT: I'm an idiot, it literally says iOS (edited)
2:10 AM
We have scripts for both, DM me if you want 😁
Avatar
@Magnet Forensics Hello, Axiom always asks me to locate the source after processing an iOS filesystem or logical image (not full filesystem) with a backup password. It decrypts the extraction and saves it to the case folder. When I open Axiom Examiner it always asks me to locate the source (decrypted files and folder). When I set the right location, after 2 seconds it asks me again. I can't even export any images or video. How do I solve it? It does this on every iOS encrypted filesystem or logical image, as well as when I add a folder or disk to process. The only way to get around it is to make an image of the decrypted folder and run the process again, and that's not the way it should work!!! (edited)
Avatar
Can anyone help? Samsung S8 (G950F) stuck in a boot loop. I have tried wiping the cache partition, tried Exynos recovery via UFED, tried exit boot loop via UFED, and tried to get an extraction in download mode. All unsuccessful. Exynos recovery stated success but the phone went back into the boot loop.
Avatar
CLB - DavidK 2/21/2021 5:09 AM
@jw I DM'd you
Avatar
@Cellebrite came across an iPhone running 13.3.1 where PA version 7.42.0.50 fails to parse SMS.db. It throws a bunch of errors about not finding the key in the dictionary, sizes being out of bounds and such. What's odd is it only does this for the advanced logical image made with PA (the one-button push). The "logical" image made with UFED4PC had no issues.
Avatar
@theAtropos4n6 You're right, Cellebrite does not support that type directly. But connecting with USB debugging mode, Cellebrite offers a profile. It's generic, but it works. And no, we still don't have Oxygen. So I just tried it with APK downgrade. But I guess that's not the problem. The phone storage is about 64 GB, I just have about 600 MB of free space, and there's no memory card inside. I wonder if the database is outsourced because of missing free space or something like this. Flight mode is set, so it can't be any server, because I can see the whole chat on the phone. I'm at a loss.
Avatar
Avatar
Frizan
@theAtropos4n6 You're right, Cellebrite does not support that type directly. But connecting with USB debugging mode, Cellebrite offers a profile. It's generic, but it works. And no, we still don't have Oxygen. So I just tried it with APK downgrade. But I guess that's not the problem. The phone storage is about 64 GB, I just have about 600 MB of free space, and there's no memory card inside. I wonder if the database is outsourced because of missing free space or something like this. Flight mode is set, so it can't be any server, because I can see the whole chat on the phone. I'm at a loss.
theAtropos4n6 2/21/2021 11:45 PM
Well, if this is the case, then I would say that the database was not extracted with the extractions you used. If you need those chats in your report ASAP and cannot wait for a later release, you can always try the Chat Capture feature of Cellebrite. Have you tried this option?
Avatar
CLB - DavidK 2/22/2021 12:16 AM
@Sha1_4n6 Please see my DM
Avatar
@theAtropos4n6 I will try Chat Capture. I guess that's my only chance to save the chat as long as I'm not able to locate the msgstore on the phone.
Avatar
Avatar
Frizan
@theAtropos4n6 I will try Chat Capture. I guess that's my only chance to save the chat as long as I'm not able to locate the msgstore on the phone.
theAtropos4n6 2/22/2021 12:42 AM
I am afraid yes. Or you could ask for a quote for a trial of @Oxygen Forensics to see if it helps your agency with such cases. I am not sure they offer one, but if they do, it's definitely worth checking out.
Avatar
Having Oxygen would allow you to do their built-in Oxygen desktop capture.
Avatar
@theAtropos4n6 OK, thanks a lot for your advice
Avatar
You need to put the phone online though
12:44 AM
Then you scan the QR code Oxygen presents with WhatsApp on the device
12:45 AM
It works great (if you can do that without risking evidence destruction)
Avatar
@Sha1_4n6 No, at this time I won't put the phone online. Thanks
Avatar
What is the processor of the phone? Maybe Exynos? I've had good luck with a Samsung Exynos-based phone using Cellebrite's Exynos processor-based extraction (edited)
Avatar
Avatar
Frizan
@theAtropos4n6 OK, thanks a lot for your advice
theAtropos4n6 2/22/2021 12:50 AM
No problem. Good luck! Salute
Avatar
Found it, Phone Arena says Kirin 710F. I don't think there's support for that.
Avatar
@Sha1_4n6 It's a Huawei STK-LX1 with a HiSilicon Kirin 710F processor
Avatar
Is there a database that records when Incognito mode has been used?
3:51 AM
iOS 14.3, iPad Pro 2 if that helps.
Avatar
Do you mean historically or with a phone you have content on? browserstate.db for Safari, but that's limited to current activity.
Avatar
Avatar
CCC
Do you mean historically or with a phone you have content on? browserstate.db for Safari, but that's limited to current activity.
I have an iPad belonging to someone with a SHPO. Looking at his Chrome, he was last in Incognito mode (as I can actively see it, as it was seized)
4:18 AM
Just trying to flesh out a statement by stating how often Incognito mode was used.
4:19 AM
I know I'm very, very unlikely to know what was visited since, from research, Incognito mode on Chrome is pretty private.
Avatar
Yes, manual check (or write SQL to check) on browserstate; there's a literal incognito column. You might be able to pull more manually from that tab data, I've not checked, hang on
Avatar
But a flag or something to indicate Chrome was accessed with Incognito mode would be ideal.
4:19 AM
I'll have a look.
4:19 AM
Looking at the History.db atm but nothing there that I can see
Avatar
browserstate.db
4:20 AM
Oh, for Chrome
4:22 AM
Looks like Safari has been used as well. There's a 1 next to private_browsing for one of the web visits
Avatar
Bingo I guess!
Avatar
Adds more to it, thanks. I'll have a look at any other db for the browsers I see.
Avatar
Maybe worth looking at the tab history of that browser; hold out for private photo vault browsing
Avatar
I'll do a bit of manual examination and review the databases in Cellebrite
4:27 AM
Not looking hopeful for Chrome but looks to be possible for other browsers thus far
Avatar
I found some save nothing, but leave entries in observed.db
Avatar
Seems to log domains visited. Slight problem that the Cellebrite SQL wizard only operates on database name and not path, so if you try and wizard it then it sticks all browsers together.
Avatar
Don't have that db sadly.
Avatar
Sorry - observations.db
Avatar
Looks like not a lot there to me but I'll do a little digging in case.
Avatar
@Magnet Forensics What to do if the full text search freezes at 0%? Been working on an iPhone image for 3 days now. No need for this full text search, so confused why it's doing this.
Avatar
Avatar
florus
@Magnet Forensics What to do if the full text search freezes at 0%? Been working on an iPhone image for 3 days now. No need for this full text search, so confused why it's doing this.
Probably too much to troubleshoot in this forum; have you logged a ticket with Support? (Support@magnetforensics.com) Although we have quite a few Magnet Forensics employees on this Discord server, Support has folks who are solely dedicated to solving issues, and this may not be a quick answer... (edited)
👍 1
6:59 AM
Also we have the web interface and a phone number. https://support.magnetforensics.com/s/technical-support Both methods are listed on this site.
7:00 AM
Avatar
I have a question regarding the Snapchat memories.db, specifically the "snap_source_type" in the memories_snap table; there is either a NONE or an IMPORTED entry. Can't find any documentation/research on this.
7:20 AM
Is this a way of knowing if the phone took the pic?
Avatar
Avatar
florus
Here it is
Wimmiedejong 2/22/2021 7:50 AM
I used Oxygen Detective and the data is parsed now. Again, thanks
Avatar
@OggE I had this question in the past
7:52 AM
I think it doesn't contain received pictures, so only pictures taken by the phone
Avatar
Avatar
Dam
@OggE I had this question in the past
thank you 🙂
Avatar
Avatar
florus
@Magnet Forensics What to do if the full text search freezes at 0%? Been working on an iPhone image for 3 days now. No need for this full text search, so confused why it's doing this.
It’s a known issue. Hopefully it’s fixed in the newest version. The temporary solution was to just uncheck everything you don’t need.
Avatar
What do you use to look up BSSID locations? Cellebrite only "Enriched" 2 out of my list of 30, and one was questionable. I saw Google has an API, but before asking a programmer to write one...
Avatar
@Cellebrite How do I deselect all chat messages? I've double clicked "Chats" and would like to deselect everything within Chats, so I can select one or two conversations that's relevant to the investigation?
Avatar
Morning all, I have a couple of cached images stored in com.sec.android.gallery3d/cache... on a Samsung handset but no further artifacts relating to them, so I am unable to determine how and when they were viewed/on the handset. I am just wondering if anyone could give me some advice re when and how these thumbnail images are created. Would this be when the gallery app is opened (and the system refreshes to check what images are on the handset and creates thumbnails), or is this done in the background when the handset isn't in use?
Avatar
Avatar
Pacman
@Cellebrite How do I deselect all chat messages? I've double clicked "Chats" and would like to deselect everything within Chats, so I can select one or two conversations that's relevant to the investigation?
theAtropos4n6 2/23/2021 12:32 AM
Between the bar chart icon and # there should be another column with this sign "➖ /✔️ ". Just check the "➖" and everything will be deselected.
Avatar
That column isn't showing up for me
12:33 AM
@theAtropos4n6
12:33 AM
See above picture
Avatar
right click on bar and make sure "exclude" is selected @Pacman
Avatar
Avatar
Pacman
That column isn't showing up for me
theAtropos4n6 2/23/2021 12:35 AM
Oh my...never seen that before. Maybe try right click on a column and
Avatar
Ah that solved it! Thanks @Artea
Avatar
theAtropos4n6 2/23/2021 12:35 AM
Oh @Artea
12:35 AM
you got me there on speed. LOL
Avatar
Thanks guys lol
Salute 1
12:35 AM
I was going crazy thinking "I swear there was a column...."
Avatar
No worries fella
12:41 AM
Does Android store a record of when photos have been taken (i.e. a database file that holds a record of all sequential images taken, whether they have been deleted or not)?
Avatar
Avatar
Artea
No worries fella
theAtropos4n6 2/23/2021 1:00 AM
Unfortunately, none that I am aware of. Only iOS is helping us with that.
Avatar
I am looking in gphotos-1.db and in the media table there is a list of capture timestamps (as well as other info). Would this be something like this? (edited)
Avatar
Avatar
Artea
I am looking in gphotos-1.db and in the media table there is a list of capture timestamps (as well as other info). Would this be something like this? (edited)
theAtropos4n6 2/23/2021 1:10 AM
This is from the "Google Photos" app, right? Do you have a XIAOMI device? If the media files were found you can always extract their EXIF data and correlate. However, from your answer I assume that they no longer exist. As far as the deleted photos are concerned, maybe check this post https://deagler4n6blog.blogspot.com/2021/01/dumpster-diving-in-google-photos-android-app.html
This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile d...
Avatar
@theAtropos4n6 Cheers, I'll have a look now
Salute 1
Avatar
Has anyone done some research on Snapchat on an iOS device? Is there a db that records the sending and receiving of Snapchat videos? Probably a vid has been sent to another suspect, but the file is deleted from memories. (edited)
Avatar
Hello! UFED has carved out some GPS coordinates from the following files found in an iPhone:
/AFC Service/PhotoData/Caches/GraphService/CLSBusinessCategoryCache.Nature.sqlite
/AFC Service/PhotoData/Caches/GraphService/CLSBusinessCategoryCache.POI.sqlite
/AFC Service/PhotoData/Caches/GraphService/CLSBusinessCategoryCache.ROI.sqlite
Does anyone know what function these files have, and what the GPS coordinates refer to?
Avatar
I'm after some clarification still around entries from the media database files dme.db and cmh.db from a Samsung handset. Anyone here willing to listen to the ramblings of a madman? 🙂
Avatar
@Artea Fire away
Avatar
Hello! I tried to open a Huawei Backup vendor extraction from UFED in Axiom without success. A very low quantity of data is decoded in comparison to PA. I think there is a problem. Does anyone know if there's a specific way to do it? I need to decode TikTok data. Thx! @Magnet Forensics
magnetforensics_alt 1
Avatar
I have a Samsung A70 (Qualcomm SDM730). I have the phone and need WhatsApp. The problem is none of our tools can get a filesystem read, and we can’t do a manual because WhatsApp has been offline for too long so it’s locked us out. Any ideas 🙂
Avatar
Is there anything that can trigger the autolock except if you physically log in and then put it down and just don't do anything with it until the autolock triggers as usual? For example, will a notification to the phone that triggers the screen trigger the autolock once the screen fades to black?
Avatar
@busted4n6 does the phone have a working SIM card in it?
Avatar
@florus we’re trying to establish that. Apparently we can see the backup files, so I’m thinking we could decrypt them with an SMS to the SIM.
4:30 AM
But basically I’m curious if anyone knows of any way to get a filesystem read (ideally not CAS/Premium) from this device, or whether it’s possible to get the data (particularly if the SIM is no longer active)
4:31 AM
I’d be curious to know whether putting the phone on WiFi would reactivate WhatsApp or whether it will need the SIM with the right phone number
Avatar
@busted4n6 that was indeed my suggestion. Input the crypt12 DBs in an Android VM and then decrypt using the SIM card. If I remember correctly the DBs are only available when WhatsApp backup is enabled, so it might miss conversations. (edited)
Avatar
Ah, didn’t think of using a VM. I know @Elcomsoft have a tool, but of course that’s the one tool I don’t have.
Avatar
Hi everyone! I have been working with a FFS dump from an iPhone 7 (A1778) for a few days now and I have found some interesting files (documents, photos and videos) at a location that I can't find any information about. Does anyone here know when and why files are sometimes found at the following location: \root\private\var\mobile\Containers\Data\Application\"Application ID for Safari"\tmp\com.apple.mobilesafari-Inbox? Fingers crossed that someone has seen this before and has a bit more information about this location. (edited)
Avatar
Avatar
J3n
Hi everyone! I have been working with a FFS dump from an iPhone 7 (A1778) for a few days now and I have found some interesting files (documents, photos and videos) at a location that I can't find any information about. Does anyone here know when and why files are sometimes found at the following location: \root\private\var\mobile\Containers\Data\Application\"Application ID for Safari"\tmp\com.apple.mobilesafari-Inbox? Fingers crossed that someone has seen this before and has a bit more information about this location. (edited)
Explains how to create and manage files and directories.
Avatar
Thanks! I will do that asap 🙂
Avatar
Avatar
Dam
Hi, @Cellebrite can you explain to me what the information from the mobile/library/recents/recents database is? This information is parsed as chat (there is a "recents" folder under chat) but most of the data contains only some date and time. I cannot understand what this database is used for.
@Dam Did you ever get an answer to your question? I am running into the exact same issue. @Cellebrite ?
Avatar
Avatar
goalguy
@Dam Did you ever get an answer to your question? I am running into the exact same issue. @Cellebrite ?
👍 3
Avatar
That makes sense and kind of what I was thinking. Thanks for that!
👍 1
Avatar
Avatar
goalguy
@Dam Did you ever get an answer to your question? I am running into the exact same issue. @Cellebrite ?
Hi, I did not receive any information. I don't have any answer for that question yet. (edited)
Avatar
Avatar
Dam
Hi, I did not receive any information. I don't have any answer for that question yet. (edited)
Avatar
@Brigs Thanks. Will look at that file.
Avatar
@Brigs Good morning and thank you for the tip about Apple's documentation. That was very interesting information. But still my question persists... I'm curious to know what action causes the particular folder com.apple.mobilesafari-Inbox in Safari's tmp directory to be created. Does it, for example, hold files that have been uploaded to the web via Safari, downloaded, or handled in any other way? Is it possible to draw any conclusions from files located in this directory?
Avatar
What is the meaning of Phone Activation time? @Cellebrite
Avatar
Avatar
4n6s
What is the meaning of Phone Activation time? @Cellebrite
Android account setup date, AFAIK
12:03 AM
Check date of data\setupwizard\shared_prefs\SetupWizardPrefs.xml file
Avatar
Avatar
J3n
@Brigs Good morning and thank you for the tip about Apple's documentation. That was very interesting information. But still my question persists... I'm curious to know what action causes the particular folder com.apple.mobilesafari-Inbox in Safari's tmp directory to be created. Does it, for example, hold files that have been uploaded to the web via Safari, downloaded, or handled in any other way? Is it possible to draw any conclusions from files located in this directory?
If the content of the directory is not enough to infer answers to your questions then I don't think there is much we can do. It would seem to me that only someone from the app's development team could know the answers.
Avatar
@Brigs Thank you for your response. I'll try to make some more testing and see if I can re-create this scenario. I haven't succeeded yet 🙂
👍 1
Avatar
CLB - DavidK 2/25/2021 2:03 AM
@4n6s The activation time refers to the first activation time of the device (as a new device or after a Factory reset when activation is needed).
Avatar
Morning all, if I have entries for images within the dmb.db file on a Samsung handset with the file path .../0/DCIM/Camera (the images also have filenames in the timestamp format), am I right in assuming that these photos were probably taken on the handset, but there is a chance that they could have been moved to this folder and renamed on the handset? Or does this database file add the entry once and not amend it if the file is moved/renamed etc.?
Avatar
I see a few people here already asked about the "scramble" feature of messages in WhatsApp. Do we know anything about this feature? Is it built into WhatsApp or a 3rd party application? I can't seem to dig anything up from just Googling it. Also can't find anything that looks like it in the current Android and iOS apps. (edited)
Avatar
Avatar
BETBAMS
I see a few people here already asked about the "scramble" feature of messages in WhatsApp. Do we know anything about this feature? Is it built into WhatsApp or a 3rd party application? I can't seem to dig anything up from just Googling it. Also can't find anything that looks like it in the current Android and iOS apps. (edited)
DM'ed you a reply I've previously had
👍 1
Avatar
@Magnet Forensics Hello, do you know why the location data from local.sqlite is not parsed as "significant location visits"? I know it has parsed from this location earlier, but in my current extraction it seems to have only looked in "Cloud-V2.sqlite". And I can see when I manually check inside the local.sqlite that there is a lot of location data in there concerning significant locations.
Avatar
Anyone know what the Inferred Microlocation Visit means in the APOLLO output from Sarah Edwards? Can't find anything about it online (or I'm not looking right)
Avatar
Avatar
florus
Anyone know what the Inferred Microlocation Visit means in the APOLLO output from Sarah Edwards? Can't find anything about it online (or I'm not looking right)
JLindmar (83AR) 2/25/2021 8:09 AM
Here is the module from GitHub: https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_inferred_microlocation_visit.txt You can see what the query is doing.
Avatar
@JLindmar (83AR) Yeah, but what does the micro location visit display? I can't see any GPS coordinates or anything I can make sense of...
Avatar
Avatar
florus
@JLindmar (83AR) Yeah, but what does the micro location visit display? I can't see any GPS coordinates or anything I can make sense of...
JLindmar (83AR) 2/25/2021 1:29 PM
Well, the concept of micro-locations (e.g. iBeacons) is to provide more precise location information within a larger known area. Running this query against the iOS dataset (13.1.2) I have doesn't seem to provide any apparently useful information; I don't know if that is a limitation of my dataset or of the usefulness of the data being queried. The "ZSTRUCTUREDMETADATA.Z_DKMICROLOCATIONMETADATAKEY__PROBABILITYVECTOR" BLOB was an NSKeyedArchiver-formatted plist containing, as expected, probability vectors, but without knowing the context of their use, again, I'm not sure of their usefulness. Perhaps reach out to @Sarah Edwards (SANS/BlackBag); she may be able to provide some background on the query and the larger context of using this information.
Avatar
Anyone from @Magnet Forensics about to discuss how to import a GK extraction, if that's possible in Axiom?
2:27 AM
Our forensic machine is separate from the GK box and we're looking to parse Aloha Browser
2:32 AM
😄
Avatar
Hi, I am trying to determine if a Snapchat video has been sent or received, and I think I have noticed a pattern: when a video is attached (not sent as a snap) in a chat, it receives an original filename in photos.sqlite in the form of a UUID in hex, cm-chat-media-video-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.mov, and when a film is downloaded from a chat it receives an original file name in base64, cm-chat-media-video-xxxxxxxxxxxxxxxxxxxxx.mov. Has anyone else noticed this, or are there other factors involved in the creation of the file name?
Avatar
Has anyone here worked with the app Life360 and know what the unit for the accuracy is? (Meter, yard, feet etc.) Database location_store_realm, table class_SentLocation, column accuracy. (edited)
Avatar
Avatar
heatherDFIR
You can look at the purplebuddy plist to see how and when it was set up. I like to look at the creation time of the Addressbook.sqlitedb and compare to the plist. Gives you a good idea of when it was wiped if the .obliterated isn't there.
What value in purplebuddy shows the date when the iPhone was restored? And is there a way to check the date of the backup it was restored from?
Avatar
Does anyone have a script which can parse TikTok messages? @Cellebrite App Genie worked a little bit, but didn't get everything. @Magnet Forensics didn't get them either. I am starting to manually try and get the data from the db, but was hoping someone might already have something for this.
Avatar
Just an update, I went to @Magnet Forensics Artifact Exchange and found something done by @Brigs in 2018. I will check it out to see if it still works.
Avatar
@sholmes just sent a DM
👍 2
Avatar
Avatar
sholmes
Just an update, I went to @Magnet Forensics Artifact Exchange and found something done by @Brigs in 2018. I will check it out to see if it still works.
Short version The iOS TikTok app keeps message related data the TIMMessageORM table from the following SQLite database: /private/var/mob...
Short version The Android TikTok app keeps message related data in SQLite databases located in the following location: userdata/data/com...
👍 1
Avatar
Avatar
sholmes
Just an update, I went to @Magnet Forensics Artifact Exchange and found something done by @Brigs in 2018. I will check it out to see if it still works.
Tiktok has messages? Oh no
Avatar
@Cellebrite is there any way we can get the participants of a message thread to show up in the filter drop down in PA just like it does in the Excel report? Current state is, if I select only the two contacts of interest, I still get messages they have with other people that I don't care about
10:46 AM
This is useless for filtering prior to export
10:49 AM
I want "participant 1 and participant 2" as an actual item I can select
Avatar
Working on adding TikTok to iLEAPP... Hopefully done in a few hours...
Avatar
Done.
👍 6
7:48 PM
Messages added to timeline and TSVs generated for them and the contacts as well.
👍 5
Avatar
@Camelot_46 I noticed the same for UUIDs. On the other hand, the idea of the base 64 is not stupid! I will try to confirm it back at the office
Avatar
Data Recovery 2/28/2021 7:21 AM
I have an iPhone X. The phone memory is full and now the iTunes logo comes up automatically. Please help, I need the data
Avatar
Avatar
Data Recovery
I have an iPhone X. The phone memory is full and now the iTunes logo comes up automatically. Please help, I need the data
I replied to you in mobile-forensic-extractions
Avatar
manuelevlr 3/1/2021 4:42 AM
Hello, I should download the BSSID addons present on the cellebrite site related to PA. The full version is too large (80 gb) and since I'm only interested in the one relating to Italy, could you tell me which one is present in the partial version?
4:42 AM
Thanks
Avatar
Avatar
manuelevlr
Hello, I should download the BSSID addons present on the cellebrite site related to PA. The full version is too large (80 gb) and since I'm only interested in the one relating to Italy, could you tell me which one is present in the partial version?
theAtropos4n6 3/1/2021 6:25 AM
It helps to use the @Cellebrite tag 😉
Avatar
Can anyone help me with what "com.snapchat.android/cache/speedway/external_share/" relates to in Snapchat? (Android v10.50.0.0) Main concern is that share = distribution
Avatar
Got a head-scratcher I can't figure out. Working a CSAM case and the suspect recorded CSAM videos on his phone using another device. In the videos, you can see his fingers manipulating the screen, so it's clearly some type of second device doing the recording. I also have videos that he recorded of the traffic stop resulting in his arrest and the seizure of the phone, so he couldn't have had time to manipulate the traffic stop video after he recorded it. Both the CSAM and the recording of the traffic stop are from the same folder, (userdata (ExtX/Root/media/0/DCIM/Camera/[standard file name with timestamp].mp4). In the videos of CSAM using a second device, the phone has a heavily cracked screen and there are distinctive patterns to the cracks. The cracks in the screen in the video exactly match the cracks in the screen of the phone that we extracted the videos from. So how did the suspect make videos of his phone with his phone? (edited)
Avatar
Avatar
FullTang
Got a head-scratcher I can't figure out. Working a CSAM case and the suspect recorded CSAM videos on his phone using another device. In the videos, you can see his fingers manipulating the screen, so it's clearly some type of second device doing the recording. I also have videos that he recorded of the traffic stop resulting in his arrest and the seizure of the phone, so he couldn't have had time to manipulate the traffic stop video after he recorded it. Both the CSAM and the recording of the traffic stop are from the same folder, (userdata (ExtX/Root/media/0/DCIM/Camera/[standard file name with timestamp].mp4). In the videos of CSAM using a second device, the phone has a heavily cracked screen and there are distinctive patterns to the cracks. The cracks in the screen in the video exactly match the cracks in the screen of the phone that we extracted the videos from. So how did the suspect make videos of his phone with his phone? (edited)
Digitalferret 3/1/2021 12:49 PM
some form of sync app maybe?
Avatar
Avatar
Digitalferret
some form of sync app maybe?
It's probably something similar to that, and you got me thinking. Maybe he used a Bluetooth camera or tethered a camera to the phone to record the screen. I checked Bluetooth devices, there were five devices, but no cameras. How could I check USB tethering to see if he used a tethered camera? I do have a physical extraction. (edited)
Avatar
One of the wifi SSIDs that the phone connected to has the exact same name as the model number of the phone. Looks like a clue? (edited)
Avatar
Does anyone know where to look in PA or AXIOM to see if push notifications from apps like Facebook were coming through on a device? And as a follow up, is there a file on an iPhone that logs which apps have notifications allowed etc? (edited)
Avatar
Hi, is it possible to export tagged images in enlarged size instead of thumbnails (as PDF or equal) for print in PA / Reader?
Avatar
Hi all, got this from a Cellebrite FFS extraction of a Samsung phone. The path of the images seems weird. Anybody know why or have a theory?
Avatar
@Reedsterz maybe someone will correct me, but I think the embedded ones are extracted/carved out from binary files, like cache, databases etc
Avatar
Avatar
FullTang
Got a head-scratcher I can't figure out. Working a CSAM case and the suspect recorded CSAM videos on his phone using another device. In the videos, you can see his fingers manipulating the screen, so it's clearly some type of second device doing the recording. I also have videos that he recorded of the traffic stop resulting in his arrest and the seizure of the phone, so he couldn't have had time to manipulate the traffic stop video after he recorded it. Both the CSAM and the recording of the traffic stop are from the same folder, (userdata (ExtX/Root/media/0/DCIM/Camera/[standard file name with timestamp].mp4). In the videos of CSAM using a second device, the phone has a heavily cracked screen and there are distinctive patterns to the cracks. The cracks in the screen in the video exactly match the cracks in the screen of the phone that we extracted the videos from. So how did the suspect make videos of his phone with his phone? (edited)
Too easy to assume there could be metadata on the videos?
Avatar
@Arcain yes, but it's weird it's under notes and chromium. I think it could be images saved in the Samsung notes? I viewed the notes but nothing there, might be deleted.
Avatar
it's not so much chromium as the webview that samsung notes may use to display html stuff?
Avatar
Avatar
FullTang
One of the wifi SSIDs that the phone connected to has the exact same name as the model number of the phone. Looks like a clue? (edited)
Digitalferret 3/2/2021 2:01 AM
possibly, a bit above my level tbh. It just seemed logical he was somehow duplicating what he did, directly, to another device. I'll have a read around, I'm particularly weak on mobile devices, sorry
Avatar
Has anyone come across .atx files in regards to iOS downloads? Appears to be similar to .ktx files and I was expecting them to be images but neither UFED PA nor IrfanView can display them.
Avatar
Avatar
claireh
Has anyone come across .atx files in regards to iOS downloads? Appears to be similar to .ktx files and I was expecting them to be images but neither UFED PA nor IrfanView can display them.
Looks like they're ArcGIS files.
🙈 1
Avatar
Avatar
manuelevlr
Hello, I should download the BSSID addons present on the cellebrite site related to PA. The full version is too large (80 gb) and since I'm only interested in the one relating to Italy, could you tell me which one is present in the partial version?
CLB - DavidK 3/2/2021 4:05 AM
Hello @manuelevlr, there is no separation by location, it's one big db divided into zips, you have to download it all.
Avatar
Avatar
CLB-ChenK
@Cellebrite The aggregated location, how must I interpret the value it's showing in PA? I have a GPS coordinate from Cache.sqlite from the table ZRTCLLOCATIONMO with an aggregated value of 15. Are there 15 registrations on the exact same coordinate, so it merges them as one row in PA?
@florus there are 15 location records, all within the threshold of 15 meters and no more than 5 minutes between them
Answer for aggregated locations @RW_Digital (edited)
Avatar
Anyone encountered applications no longer showing live on a mobile phone, however, Cellebrite reports they're not deleted because the application folder structure remains on the device? Any way to check deletion date of these?
7:06 AM
Is there a database within Android files which would show deletion dates?
Avatar
@3X3 did you use an APK downgrade by any chance? (edited)
Avatar
@Cellebrite Within "Autofill" are there any definitions for the keys? i.e. "message" and "search" for example.
7:50 AM
Assuming search is the section of a web search that the user has typed and gone to select a recommended/autofilled search (edited)
7:51 AM
Last year, a new "verification code autofill" setting appeared as part of a Play Services update that promised to plug the SMS-based 2FA gap for apps that
7:52 AM
Only mystery of mine is that the recovered phrase seems more like a chat message.
Avatar
Does anyone have any advice on how I can recover Snapchat MEO media files? The device is an iPhone where I've obtained a Full Filesystem Extraction. When I go into Snapchat to view the MEO Snaps whilst the device is network isolated (I know the passcode to the MEO) it sticks on the "Loading Snaps" animation and they don't load. Would these come out of Cellebrite or MSAB extraction tools? If so, where would I find them, or are there any other methods to obtain these? Thanks in advance!
Avatar
@CLB - DavidK thanks ;)
Avatar
Avatar
Matt
Too easy to assume there could be metadata on the videos?
@Digitalferret There is metadata, but it is limited to created/accessed/modified times. Turns out I only have some of the electronic devices that he had in his possession, we are looking into a second warrant to seize all of the suspect's electronic devices. Hopefully that will provide some answers.
👍🏻 1
Avatar
Avatar
FullTang
@Digitalferret There is metadata, but it is limited to created/accessed/modified times. Turns out I only have some of the electronic devices that he had in his possession, we are looking into a second warrant to seize all of the suspect's electronic devices. Hopefully that will provide some answers.
Digitalferret 3/2/2021 11:50 AM
nice going and best of luck
👍 1
Avatar
Avatar
Rob
@Cellebrite Within "Autofill" are there any definitions for the keys? i.e. "message" and "search" for example.
CLB-drorimon 3/2/2021 5:04 PM
No definition. Keys are decoded directly from the relevant DB.
Avatar
chrisforensic 3/2/2021 8:34 PM
good morning from Austria @Cellebrite 😉 concerning the gpu-package for PA... the release notes mention that there is a new gpu-package in the customer portal, but I can see just the old version from October 2020? (edited)
Avatar
Avatar
CLB-drorimon
No definition. Keys are decoded directly from the relevant DB.
Interesting, any idea what "message" could be then? Looking at the Web Data database for Google Chrome
Avatar
Avatar
Rob
Interesting, any idea what "message" could be then? Looking at the Web Data database for Google Chrome
CLB-drorimon 3/3/2021 1:01 AM
It should be the name of the field in that form.
Avatar
Avatar
chrisforensic
good morning from Austria @Cellebrite 😉 concerning the gpu-package for PA... the release notes mention that there is a new gpu-package in the customer portal, but I can see just the old version from October 2020? (edited)
CLB - DavidK 3/3/2021 1:01 AM
Fixed
👍 1
👏 1
Avatar
Avatar
CLB-drorimon
It should be the name of the field in that form.
It is; what my question meant was trying to pin the value to an origin if possible.
1:02 AM
Or at least try and work out how the value ended up within Autofill
Avatar
Morning all, I have supplied an officer with a @Cellebrite UFDR and they are having trouble opening it. The UFDR opens but no data is showing. Any ideas what the issue is?
Avatar
Avatar
florus
@3X3 did you use an APK downgrade by any chance? (edited)
No APK downgrade just a File System extract.
Avatar
Avatar
Artea
Morning all, I have supplied an officer with a @Cellebrite UFDR and they are having trouble opening it. The UFDR opens but no data is showing. Any ideas what the issue is?
CLB - DavidK 3/3/2021 2:14 AM
I'll DM you
Avatar
Forensic@tor 3/3/2021 2:42 AM
@Artea if it is a large file he has to wait for it to load. He may be just impatient.
👍 1
Avatar
Avatar
Artea
Morning all, I have supplied an officer with a @Cellebrite UFDR and they are having trouble opening it. The UFDR opens but no data is showing. Any ideas what the issue is?
We've had similar issues previously if the person opening it doesn't have the correct read / write permissions for the file or location as well. Green bar loads, everything looks correct but there is just no data
Avatar
Avatar
FullTang
@Digitalferret There is metadata, but it is limited to created/accessed/modified times. Turns out I only have some of the electronic devices that he had in his possession, we are looking into a second warrant to seize all of the suspect's electronic devices. Hopefully that will provide some answers.
Digitalferret 3/3/2021 3:15 AM
just had a thought, given the recent "Showercam" post: if there's a trend to use a dumb device to watch from a safe distance, they are less easy to "spot" as recording devices, and may be missed as potential evidence given their standalone nature, when searches are carried out? Looks to be worth always checking Bluetooth/Wifi for hookups, but now add to that "innocuous" devices maybe with a lens. Watches?/Showercams/Toys?
👍 1
💯 1
Avatar
Avatar
K23
We've had similar issues previously if the person opening it doesn't have the correct read / write permissions for the file or location as well. Green bar loads, everything looks correct but there is just no data
They are using "stand alone" machines but I haven't had any officers run into this issue before
Avatar
Avatar
Artea
They are using "stand alone" machines but I haven't had any officers run into this issue before
Could the standalone machine just be terrible?
3:48 AM
Or if you've password protected it using UFED, did they not enter the password etc? (edited)
Avatar
Avatar
Rob
Could the standalone machine just be terrible?
It's a police computer..... of course it's terrible!!!!! 🙂
4:04 AM
Must be something at their end surely, as they are having trouble with a second version I sent them too
Avatar
Avatar
Artea
Must be something at their end surely, as they are having trouble with a second version I sent them too
Are they opening it correctly? Or just opening up Cellebrite Reader without opening up the case contents
Avatar
Avatar
Artea
They are using "stand alone" machines but I haven't had any officers run into this issue before
Ahh yes, the infamous standalone machines, aka the crap laptop IT stopped supporting 5 years ago. We've since moved to have Cellebrite Reader whitelisted on applocker for our force machines, so officers can open up Cellebrite direct on there. Was a pain to implement but worth it in the end
Avatar
Avatar
Rob
Are they opening it correctly? Or just opening up Cellebrite Reader without opening up the case contents
They are opening it as they should; it apparently shows a progress bar and then just completes at the screen with the phone icon with nothing available
Avatar
Avatar
K23
Ahh yes, the infamous standalone machines, aka the crap laptop IT stopped supporting 5 years ago. We've since moved to have Cellebrite Reader whitelisted on applocker for our force machines, so officers can open up Cellebrite direct on there. Was a pain to implement but worth it in the end
I have mentioned previously that we should have an area on a server for OIC's to access as and when they need to to save a lot of hassle but the server infrastructure here is APPALLING!!!!
Avatar
Deleted User 3/3/2021 5:02 AM
Hi all
5:04 AM
Under which condition will the <acct egocipher.key.avoidkeyderivation svce com.toyopagroup.picaboo> be missing from the iOS keychain, even though there clearly is snapchat on the device? (edited)
Avatar
@MSAB I successfully conducted a physical extraction from a Galaxy S10 yesterday using XRY. XRY is now in the decoding stage. Last message was at 21:39 hours last night stating "Extracting data from Whatsapp". Nothing has changed since. Do I just need to be patient?
Avatar
Avatar
Artea
I have mentioned previously that we should have an area on a server for OIC's to access as and when they need to to save a lot of hassle but the server infrastructure here is APPALLING!!!!
Server access is a completely different ball game but that's definitely the end goal. There's talk of things in the works for our kiosk examinations which we will likely link into; right now it's still our evidential USBs / DVDs which can now be accessed on the force machines as the executables are whitelisted by IT.
Avatar
@AmNe5iA We are aware of some issues currently which may extend the decoding time for a larger number of WhatsApp messages. We have a micro release scheduled soon which will resolve this and decrease the decoding time. Sorry for all the trouble with this pesky phone!
Avatar
Avatar
Erumaro
@AmNe5iA We are aware of some issues currently which may extend the decoding time for a larger number of WhatsApp messages. We have a micro release scheduled soon which will resolve this and decrease the decoding time. Sorry for all the trouble with this pesky phone!
So... Just wait it out?
Avatar
Where does iOS keep discord messages? I thought it would be in: root/private/var/mobile/Containers/Data/Application/UUID/Library/Caches/com.hammerandchisel.discord/fsCachedData/
Avatar
@AmNe5iA Unfortunately yes in this case, but as you have the dump completed you can cancel it now and re-decode once 9.3.1 is out
Avatar
Avatar
Digitalferret
just had a thought, given the recent "Showercam" post, if there's a trend to use a dumb device to watch from a safe distance. they are less easy to "spot" as recording devices, and may be missed as potential evidence given their standalone nature, when searches are carried out? looks to be worth always checking Bluetooth/Wifi for hookups but now add to that "innocuous" devices maybe with a lens. Watches?/Showercams/Toys?
That is a good thought, I'll keep an eye out for it while serving the second warrant. I have found some suspicious wifi SSIDs but I'll look at the BT connections a little closer to see if any of those devices that were connected have a camera capability.
Avatar
Avatar
Erumaro
@AmNe5iA Unfortunately yes in this case, but as you have the dump completed you can cancel it now and re-decode once 9.3.1 is out
I'm using 9.3.1
Avatar
@AmNe5iA Sorry, 9.3.2! My bad
Avatar
Not today, 9.3.2
Avatar
Does anyone have any info on the following filepath; \private\var\mobile\Containers\Data\PluginKitPlugin\BB9CD212-DF30-46A5-ADE3-0AED36A832DA\Library\Caches\com.getdropbox.Dropbox.ActionExtension\fsCachedData There is a Dropbox app installed on the device with a different ID. Thank you.
Avatar
Avatar
Deleted User
Under which condition will the <acct egocipher.key.avoidkeyderivation svce com.toyopagroup.picaboo> be missing from the iOS keychain, even though there clearly is snapchat on the device? (edited)
User has never used snapchat memories before?
Avatar
Avatar
sholmes
Does anyone have a script which can parse TikTok messages? @Cellebrite App Genie worked a little bit, but didn't get everything. @Magnet Forensics didn't get them either. I am starting to manually try and get the data from the db, but was hoping someone might already have something for this.
Just an update to this post from last week. Axiom 4.10 does in fact parse TikTok without any issues. The contacts and messages are located under the Social Networking tab and not in Chat. 🙂 Thanks to @MF-cbryant and @Brigs for all your help.
👍 1
Avatar
@Law Enforcement [USA] anyone have any experience with search warrants to TextMe? DM me please.
Avatar
Avatar
florus
User has never used snapchat memories before?
Deleted User 3/3/2021 11:42 PM
So the key is only used for non-MEO memories? I thought it was used for other things too 🤔 (edited)
Avatar
Avatar
Artea
I have mentioned previously that we should have an area on a server for OIC's to access as and when they need to to save a lot of hassle but the server infrastructure here is APPALLING!!!!
Quick follow-up on this one... looks like @Cellebrite have changed their digital signature on Cellebrite Reader for 7.43 compared to 7.40 which was the last one we validated... So we've now got to wait for our force IT to whitelist the new signature before we can roll out the new version. Fun times!
Avatar
Avatar
K23
Quick follow-up on this one... looks like @Cellebrite have changed their digital signature on Cellebrite Reader for 7.43 compared to 7.40 which was the last one we validated... So we've now got to wait for our force IT to whitelist the new signature before we can roll out the new version. Fun times!
I'm not 100% sure if our software needs whitelisting by IT for this or if they just need to have the USBs unlocked to access the data. They had version 7.41.0.8 of Reader supplied
Avatar
Avatar
Artea
I'm not 100% sure if our software needs whitelisting by IT for this or if they just need to have the USBs unlocked to access the data. They had version 7.41.0.8 of Reader supplied
Depends entirely on your setup I guess; I can only really speak for how it works with us and the steps we took to get it working on our force network. Could be a bit of both for sure; you need at least read-only access to the USBs to get it to launch
Avatar
I'll ask her to get IT to have a look at her permissions; if that doesn't work I'll supply a new version of the Reader etc for them to try
Avatar
Avatar
Artea
I'll ask her to get IT to have a look at her permissions; if that doesn't work I'll supply a new version of the Reader etc for them to try
Good plan, not sure if a newer version would help but it's worth a try I guess!
Avatar
Avatar
K23
Good plan, not sure if a newer version would help but it's worth a try I guess!
Yeah, I have asked them to speak to IT first (as I get the feeling it's a problem at their end, as I can open it all here fine). But have given them the option of a new decode etc just in case
👍 1
Avatar
Avatar
Deleted User
So the key is only used for non-MEO memories? I thought it was used for other things too 🤔 (edited)
I am not sure, it is a wild thought.
Avatar
Avatar
florus
I am not sure, it is a wild thought.
Deleted User 3/4/2021 1:35 AM
I see. Thank you!
Avatar
Can anyone help me with SSL pinning with Frida?
Avatar
Anyone got heavy experience with databases like gphotos-1.db, cmh.db, dme.db? I have a snapchat video, with no metadata, showing the suspect recording himself assaulting someone. This video was recovered from the suspect's handset and the filepath of this video is:
2:50 AM
Metadata recovered:
2:52 AM
The CPS would like me to prove that the video was recorded on this handset - is there any way I can prove this?
Avatar
Avatar
Pacman
Anyone got heavy experience with databases like gphotos-1.db, cmh.db, dme.db? I have a snapchat video, with no metadata, showing the suspect recording himself assaulting someone. This video was recovered from the suspect's handset and the filepath of this video is:
spicy_caveman 3/4/2021 5:56 AM
Is that video viewable on the handset? Because if it is SnapChat then it would be either posted to his story or sent to someone.
Avatar
hola, anyone know why I find SMS entries in the calllog.db on a samsung device but limited to the first 50 characters? I can't find anything in the mmssms.db ...
Avatar
Avatar
spicy_caveman
Is that video viewable on the handset? Because if it is SnapChat then it would be either posted to his story or sent to someone.
Is there a way of identifying that it was recorded on the handset and posted onto the story or to someone?
6:01 AM
I don't have the handset right now.
Avatar
Avatar
Pacman
Is there a way of identifying that it was recorded on the handset and posted onto the story or to someone?
spicy_caveman 3/4/2021 6:30 AM
Have you considered going after the SnapChat account? for Content, Snaps, Stored data, Historical Data?
Avatar
@Cellebrite Can someone explain to me what the User ID under Contact Details is referring to? I have two iPhone extractions open in PA which have communicated with each other. One of them has contact information for the other phone and under details it shows the phone number and a User ID. When I look up this information on the other phone the User ID is different but the phone number is the same. (edited)
7:31 AM
Avatar
Anyone from @Cellebrite have documentation on how this new selective app decoding works? Is it just for logical collections? (edited)
Avatar
Avatar
stark4n6
Anyone from @Cellebrite have documentation on how this new selective app decoding works? Is it just for logical collections? (edited)
That could be very useful for the new data protection guidance in the UK if it works for physicals. Often more invasive methods are needed to obtain relevant data and we are actively working on methods to avoid unnecessary intrusion. Will definitely be having a play with that feature
Avatar
Avatar
stark4n6
Anyone from @Cellebrite have documentation on how this new selective app decoding works? Is it just for logical collections? (edited)
I wonder if it extracts app data that is not in the app directory but does show app activity like usagestats in Android or KnowledgeC in iOS. Tons of relevant data exist outside the app directories.
👍 1
Avatar
@K23 @Brigs idk but it's been grayed out for every image I've tried so far
Avatar
Avatar
stark4n6
@K23 @Brigs idk but it's been grayed out for every image I've tried so far
Maybe it is only for full file system extractions? What are you parsing?
Avatar
@Brigs tried it on @CLB_joshhickman1's iOS 13.4.1 and 14.3, as well as some iTunes backups
Avatar
Avatar
stark4n6
Anyone from @Cellebrite have documentation on how this new selective app decoding works? Is it just for logical collections? (edited)
CLB - DavidK 3/5/2021 12:09 AM
Attaching the 7.43 release notes with all the instructions you need; if you have questions feel free to reach me.
👍 1
Avatar
Avatar
stark4n6
@K23 @Brigs idk but it's been grayed out for every image I've tried so far
CLB - DavidK 3/5/2021 12:28 AM
Selective decoding requires a UFD file. If you don't have a UFD file for the extraction you can create one with the “Open advanced” & “save UFD file" feature. If that's not the case and it's still grayed out please contact me.
Avatar
Avatar
stark4n6
Anyone from @Cellebrite have documentation on how this new selective app decoding works? Is it just for logical collections? (edited)
Just a few observations from my initial interaction with the Cellebrite PA Selective Decoding... It only works with a single .ufd import; it does not work with a .ufdx file. If you try to import a .ufdx file, the Selective Decoding box is greyed out. The first time you run it on a .ufd file, you will notice a .txt document gets added to your extraction directory called InstalledAppsList.txt. That means if you run the Selective Decoding again on the same extraction, it seems to use the InstalledAppsList.txt file as a reference, as the Selective Decoding options appear instantaneously rather than having to wait like the initial first run.
👍 1
1:09 AM
With one of my Samsung G950F test physical extractions, which is 64GB in size, upon loading the .ufd file it runs the relevant plugins to reconstruct the file system, and then once the plugins have reconstructed the filesystem, the Android Databases plugin runs to the point where the InstalledAppsList.txt file is created and the selective decoding box appears
👍 2
1:10 AM
👍 1
Avatar
Avatar
CLB - DavidK
Selective decoding requires a UFD file. If you don't have a UFD file for the extraction you can create one with the “Open advanced” & “save UFD file" feature. If that's not the case and it's still grayed out please contact me.
Good to know, it wasn't clearly apparent that's what was needed, thanks for the clarification
Avatar
If I have a physical for a device can you load the .bin files into ALEAPP?
Avatar
Avatar
Ghosted
If I have a physical for a device can you load the .bin files into ALEAPP?
@Brigs? my assumption is you may need to extract out the folders before loading into ALEAPP, I don't think it can handle .bin specifically, only .tar and .zip
Avatar
Avatar
Ghosted
If I have a physical for a device can you load the .bin files into ALEAPP?
Tar, zip, gz, and file system (as in files and directories, what you get after uncompressing a zip). If you have a bin, use FTK Imager or another tool that can mount or export the data. Then run ALEAPP. (edited)
👍 2
Avatar
Trying to determine if an android device was unlocked at a specific time: I located sdp_log for valid and invalid logins.
2020-11-25 04:23:55.734,I,[UserId : 0] [currMethod : doVerifyCredential()] [prevMethod : checkCredential()] [Class : com.android.server.locksettings.LockSettingsService] [UID : 10009] [PID : 4359]
2020-11-25 04:23:55.734,D,Verify credential for user 0
2020-11-25 04:23:55.739,I,[UserId : 0] [currMethod : spBasedDoVerifyCredential()] [prevMethod : doVerifyCredential()] [Class : com.android.server.locksettings.LockSettingsService] [UID : 10009] [PID : 4359]
2020-11-25 04:23:55.739,D,Verify sp based credential for user 0
2020-11-25 04:23:56.172,D,Result of verification of user 0 : Success
10:09 AM
I imagine this indicates a successful login but didn't know if someone had another theory.
Avatar
Avatar
Ghosted
Trying to determine if an android device was unlocked at a specific time: I located sdp_log for valid and invalid logins.
2020-11-25 04:23:55.734,I,[UserId : 0] [currMethod : doVerifyCredential()] [prevMethod : checkCredential()] [Class : com.android.server.locksettings.LockSettingsService] [UID : 10009] [PID : 4359]
2020-11-25 04:23:55.734,D,Verify credential for user 0
2020-11-25 04:23:55.739,I,[UserId : 0] [currMethod : spBasedDoVerifyCredential()] [prevMethod : doVerifyCredential()] [Class : com.android.server.locksettings.LockSettingsService] [UID : 10009] [PID : 4359]
2020-11-25 04:23:55.739,D,Verify sp based credential for user 0
2020-11-25 04:23:56.172,D,Result of verification of user 0 : Success
Don't know if this is any help. @.karate. helped me out with a case well over a year ago where it was alleged a phone was switched off during the time of an incident for over an hour or so, and I was trying to prove that the phone was simply on but isolated from the network, for which I did work on the battery logs. But during testing I noted what happened when a device was powered on and logged into, as that would show if the device was on but just locked rather than having been off and then powered on and logged into
11:25 AM
sdp_log Path: USERDATA (ExtX)/Root/log
sdp_log records all valid and invalid lockscreen code attempts. Also when you see the line "Mark the beginning of SDP log service!" it appears to state that the device has booted up and is at the first login screen. Again testing on our test device, I found that the times I recorded for booting up the device from powered off state and entering the lockcode matched the time I recorded on a bit of paper when I did it.
bit of paper: 0800 hrs - full boot to home screen from powered off state. Battery 96%
sdp_log entry: 2019-11-14 08:01:00.801,D,Mark the beginning of SDP log service! [Version : G950FXXS4CRLB]
bit of paper: 0806 hrs - Screen locked then re-opened with code
sdp_log entry:
2019-11-14 08:06:45.530,I,[UserId : 0] [currMethod : doVerifyCredential()] [prevMethod : checkCredential()] [Class : com.android.server.LockSettingsService] [UID : 10004] [PID : 5678]
2019-11-14 08:06:45.530,D,Verify credential for user 0
2019-11-14 08:06:45.538,I,[UserId : 0] [currMethod : spBasedDoVerifyCredential()] [prevMethod : doVerifyCredential()] [Class : com.android.server.LockSettingsService] [UID : 10004] [PID : 5678]
2019-11-14 08:06:45.538,D,Verify sp based credential for user 0
Confirmed the 'Mark the beginning of SDP log service!' only appears when booting up from powered off state
11:25 AM
That's some rough notes I had here I found
@Stevie_C Thanks. I am not seeing what I would expect on this device when I was able to get a physical extraction. Because the device was locked I was unable to get a file or advanced logical. I think this has caused less to be parsed and more manual examination is needed.
@Ghosted I ended up buying a second device, then sitting powering it on, locking it, powering off, plugged into charger, unplugging over and over again, scribbling notes on a bit of paper with exactly what I did and when.
11:41 AM
I then dumped it and compared it to my bits of paper to get an idea of what was going on. Took a bit of time but it was worth it in the end
For this device I am trying to determine use at the time of a crash. I don't see any lock settings being parsed or application usage. Despite having a physical extraction.
CLB_joshhickman1 3/5/2021 11:59 AM
@Ghosted what type of phone and version of Android is it running?
J7 SM-S767VL
12:00 PM
9
CLB_joshhickman1 3/5/2021 12:03 PM
I was going to suggest Digital Wellbeing (Samsung has their own version with the same name) since it gives explicit timestamps for unlocks, but I don't think Samsung rolled that feature into their handsets until Android 10. Since you have a physical you can always check for it: /data/data/com.samsung.android.forest/. If that is present, look for the database dwbCommon.db.
@CLB_joshhickman1 checking now
12:04 PM
negative
12:04 PM
not there
CLB_joshhickman1 3/5/2021 12:04 PM
Ah, ok.
@CLB_joshhickman1 the extraction seems bland for what I would expect on a physical
Has anyone successfully imported a Magnet Acquire Android Quick extraction into UFED PA? I need some help on how to get UFED to parse the extracted data. If no one else has done this, can anyone point me to some decent UFED SQL Wizard documentation examples for mapping the Acquire agent_mmssms.db?
punacmc
Has anyone successfully imported a Magnet Acquire Android Quick extraction into UFED PA? I need some help on how to get UFED to parse the extracted data. If no one else has done this, can anyone point me to some decent UFED SQL Wizard documentation examples for mapping the Acquire agent_mmssms.db?
@punacmc maybe try the method mentioned here: https://www.digitalforensics.com/blog/mobile-forensics-ufed-vs-magnet-acquire/ (edited)
9:32 AM
CC: @Mattia Epifani
@varbytes , I tried that method and I still had to use the SQL wizard to map out the fields. Seems that the Acquire mmssms.db taken from the client application is different enough that UFED doesn't parse it. I'm not so sure that I am mapping the data fields correctly.
the_johanna 3/7/2021 11:29 PM
Anyone who knows a bit about the wickr sqlite db? I am having trouble figuring out what the relation between a message in the interaction table and an attachment in the attachment table is.
@Magnet Forensics Is there any documentation on exactly what the different types in the "type" column in KnowledgeC Notification Usage mean? What I'm guessing is that Receive is when a notification is received, DefaultAction is when the user opens the notification by clicking on it, and IndirectClear is that the notification disappears by the user manually opening the chat or whatever created the notification. Is this correct?
Oscar
@Magnet Forensics Is there any documentation on exactly what the different types in the "type" column in KnowledgeC Notification Usage mean? What I'm guessing is that Receive is when a notification is received, DefaultAction is when the user opens the notification by clicking on it, and IndirectClear is that the notification disappears by the user manually opening the chat or whatever created the notification. Is this correct?
CLB_iwhiffin 3/8/2021 4:42 AM
Hey Oscar, I'm not magnet, but I looked into this a while ago and you've come to pretty much the same conclusions as I did. IndirectClear can also be the user swiping the notification or any other way to get it off the screen.
CLB_iwhiffin
Hey Oscar, I'm not magnet, but I looked into this a while ago and you've come to pretty much the same conclusions as I did. IndirectClear can also be the user swiping the notification or any other way to get it off the screen.
Okay, thanks 🙂
When reviewing a GrayKey extraction in Physical Analyzer, I see lots of empty messages populating, saying from "Recents". Anyone have knowledge of why this happens or why they contain no content?
@Cellebrite When I open extractions in PA it no longer sorts the chat messages by conversation for easy reading of who they were talking to. Is there an option that I am missing? (edited)
@punacmc for some reason the Android client Magnet Acquire uses is... not good. In my testing of a known phone, this takes for example all of the participants and sticks them in one column, putting the sender first (or last, I forget)
5:34 PM
@punacmc you'll see the same people in groups with the order of the name changing for the mmssms.db and this denotes the sender of a given message
5:35 PM
There's no sender/recipient column
5:35 PM
You have nothing to map, it's just the agent they use to acquire data from the device
chrismyers
When reviewing a GrayKey extraction in Physical Analyzer, I see lots of empty messages populating, saying from "Recents". Anyone have knowledge of why this happens or why they contain no content?
CLB_iwhiffin 3/8/2021 5:37 PM
“Recents” is just a record that a message was sent between the device and the user specified. Sadly it doesn’t contain any message data but may be useful if you are comparing to telco records or a third party device for example.
CLB_iwhiffin
“Recents” is just a record that a message was sent between the device and the user specified. Sadly it doesn’t contain any message data but may be useful if you are comparing to telco records or a third party device for example.
chrismyers 3/8/2021 5:37 PM
Awesome, thank you
FullTang
@Cellebrite When I open extractions in PA it no longer sorts the chat messages by conversation for easy reading of who they were talking to. Is there an option that I am missing? (edited)
CLB_iwhiffin 3/8/2021 5:40 PM
I’ve seen this behaviour when PA can’t find the conversation chain. For example if it’s a carved message. I think I may need more info to help though. What version of PA? Is it all recent extractions you’ve tried or just one? What OS/Device? Which app (s) are the messages from? Thanks
CLB_iwhiffin
I’ve seen this behaviour when PA can’t find the conversation chain. For example if it’s a carved message. I think I may need more info to help though. What version of PA? Is it all recent extractions you’ve tried or just one? What OS/Device? Which app (s) are the messages from? Thanks
I have seen it in PA 7.43 and 7.42. The most recent instance was with standard SMS messages in an advanced logical and file system extraction from a Samsung J3, no carved or deleted messages. I will have to check the specifics for older instances, but I think they were all SMS related with no carved messages. (edited)
CLB_iwhiffin 3/8/2021 6:32 PM
Ok thanks, I’ll fire one up and be in touch in the morning.
Perfect thanks!
chrismyers
When reviewing a GrayKey extraction in Physical Analyzer, I see lots of empty messages populating, saying from "Recents". Anyone have knowledge of why this happens or why they contain no content?
CLB - DavidK 3/9/2021 2:35 AM
It came from iPhoneRecentsLog? If so, this is new data that we have added from a database which stores all the latest text communications of the phone. This table contains notifications for locations, outgoing SMS (no trace for incoming SMS), outgoing and incoming emails. It does not contain the SMS or email body, rather just provides an indication.
@Magnet Forensics Is there a way of importing extraction files obtained from Cellebrite Premium, into AXIOM? I've not had much luck so far.
Pacman
@Magnet Forensics Is there a way of importing extraction files obtained from Cellebrite Premium, into AXIOM? I've not had much luck so far.
You should just be able to load the ufd. Failing that just load the zip, tar or dar.
Yeah that's what I usually do for normal UFED extractions - AXIOM doesn't seem to like Premium extractions (android)
Yeah sorry. Just realised I had crossed wires. I've only loaded premium into UFED not Axiom.
forensicmike @Magnet 3/9/2021 6:00 AM
sending a DM @Pacman
King Pepsi 3/9/2021 6:08 AM
Does anyone know what .links are within an Apple phone? Are they similar to lnk files on a computer? It's within a folder called pluginkitplugin if that helps at all. Thanks!
6:13 AM
Hmm, looking at the hex it says Apple QuickTime- I’m thinking that files here were opened in QuickTime and stored here as a result
CLB - DavidK
It came from iPhoneRecentsLog? If so, this is new data that we have added from a database which stores all the latest text communications of the phone. This table contains notifications for locations, outgoing SMS (no trace for incoming SMS), outgoing and incoming emails. It does not contain the SMS or email body, rather just provides an indication.
chrismyers 3/9/2021 7:01 AM
Nice, appreciate it 👍
Mattia Epifani 3/9/2021 11:05 AM
Over the past three weeks authorities in the Netherlands have been monitoring live traffic on the encrypted messaging service SkyECC, which lead police and the financial crimes inspectorate FIOD to raid 75 properties on Tuesday and arrest 30 suspects. Authorities said that 28 firearms were seized in Rotterdam as part of Operation Argus, as well ...
Anyone having an issue with the inability to save or load project sessions on Cellebrite PA version 7.43.0.34?
Hello, I have some interesting files from exporting Apple Maps journeys from UFED. The journey comes out fine as a KML file, however there are also 4 "Journey_1_1_1_0_0_0.kml" files with a bunch of coords that I can't find anywhere else. Any ideas?
natalied4784
Has anyone seen the below file path? DarArchive/root/private/var/mobile/Library/Caches/com.apple.mobileSMS/Previews/Search/PhotoSearchSection-at [image name.png]. I’m trying to understand what photosearchsection means. (edited)
natalied4784
Has anyone seen the below file path? DarArchive/root/private/var/mobile/Library/Caches/com.apple.mobileSMS/Previews/Search/PhotoSearchSection-at [image name.png]. I’m trying to understand what photosearchsection means. (edited)
Did you find any info on photosearchsection?
Hey, has anyone who has worked on an iPhone running iOS 12.2 or similar come across files within the documents/inbox folder? It's part of Apple's inbuilt file browsing application. Is it something the handset user would typically save to?
theAtropos4n6 3/11/2021 1:18 AM
Does anyone know of a way to play .exo files successfully? Any particular player that supports them? Thank you (edited)
theAtropos4n6
Does anyone know of a way to play .exo files successfully? Any particular player that supports them? Thank you (edited)
CLB-drorimon 3/11/2021 2:22 AM
Which version? PA supports reconstruction of exo v2 files, and presents them as an embedded file of the first fragment.
Artea
Morning all, I have a BFU acquisition of an iPhone 12. In PA it displays 3 IMEIs (IMEI, IMEI and IMEI2). I have used IMEI.info and found 2 are iPhone 12 related and one is iPhone XS related. The XS IMEI is being pulled from com.apple.commcenter.plist (EntitlementsSelfRegistrationUpdateImei) and is listed under another ICCID. Could someone let me know where this has come from? My thought is it's something to do with the backup used to set the phone up, as I can see the handset was set up from another device.
Hi Artea, I came across the exact same thing, I contacted Cellebrite and you are correct, the third IMEI is from another device that was backed up and restored onto the device you extracted.
tinycar94
Hi Artea, I came across the exact same thing, I contacted Cellebrite and you are correct, the third IMEI is from another device that was backed up and restored onto the device you extracted.
Thanks for confirming 🙂
CLB-drorimon
Which version? PA supports reconstruction of exo v2 files, and presents them as an embedded file of the first fragment.
theAtropos4n6 3/11/2021 2:41 AM
Yes it is version 2. I am using PA 7.43 but it does not successfully parse all the .exo files. Should they appear under Video section?
theAtropos4n6
Yes it is version 2. I am using PA 7.43 but it does not successfully parse all the .exo files. Should they appear under Video section?
CLB-drorimon 3/11/2021 5:57 AM
It will be there if the video type is identified by PA. But this is unrelated to the exo files reconstruction. DM.
Anyone at @Cellebrite able to walk me through the usage of the smart translator packages?
0x3db
Anyone at @Cellebrite able to walk me through the usage of the smart translator packages?
heatherDFIR 3/12/2021 7:54 AM
I am not super fluent with it, but can find someone if nobody responds.
heatherDFIR
I am not super fluent with it, but can find someone if nobody responds.
I'm not back in the office until Monday so will just open up a support ticket but thanks for the response anyway 👍
the_johanna
Anyone who knows a bit about the wickr sqlite db? I am having trouble figuring out what the relation between a message in the interaction table and an attachment in the attachment table is.
I've had a dive into the Wickr DB on the iOS platform. Remember, Wickr’s data is generated by receiving messages. The second stage is the removal of data. Read more on this here: https://cyberforensicator.com/wp-content/uploads/2017/01/cyber_2016_2_40_80049.pdf
I'm working on a process to data-carve and reconstruct deleted messages. My method so far (if you want to try the same):
1) Obtain either a checkm8 or GK dump
2) Extract the decryption keys of the Wickr app in AXIOM (https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey)
3) Open the dump either in UFED PA or AXIOM
4) Locate the Wickr.DB and copy it out
5) Utilise a database carving tool, such as CCL Forensics - Epilog
6) Run free page or brute force over the SQL records
7) Export to Excel and map the recovered data out into different worksheets that represent the different tables
8) Make a copy of the GK or checkm8 extraction
9) On the working copy, insert the recovered chunk into the Wickr SQL
10) Re-zip the GK or checkm8 extraction back up
11) Re-process the working copy with the recovered deleted database entries in UFED PA or AXIOM
What I found from this process: I got back date/time, user and partial message. I could not determine if it was incoming/outgoing. Consider this when we have tables that handle "encrypted messaging, encrypted file transfer, burn-on-read messages, audio calling, and secure “shredding” of data" https://thebinaryhick.blog/2019/08/23/wickr-alright-well-call-it-a-draw/
As for "figuring out what the relation between a message in the interaction table and an attachment in the attachment table is": if it's an iOS extraction, you would want to be exploring more on the user intentions. In UFED PA this is found inside the Log Entries, from the KnowledgeC database:
  • Identity Lookup Service
  • InteractionsC
  • iPhoneNetworkDataUsage
(edited)
Have an iPhone where I got a BFU extraction. In Consolidated.db I located several lats and longs. They are all tied to /System/Library/LocationBundles/RemindersAlerts.bundle. Has anyone done any research on this db? Wondering what the table "Fences" is and maybe what the column FenceForeignKey represents.
@Ghosted I guess the fenceForeignKey is a reference to another table?
@Ghosted that's odd indeed. Not what I expected at all. Someone might have an idea...
I am hesitant to put any value as this was just a BFU
Quick iOS question/confirmation. iOS reports that show messages as deleted from an Advanced Logical extraction are basically just marked to be deleted, correct? As it is not extracting the data from unallocated blocks.
mitchlang
Quick iOS question/confirmation. iOS reports that show messages as deleted from an Advanced Logical extraction are basically just marked to be deleted, correct? As it is not extracting the data from unallocated blocks.
To the best of my knowledge there is no unallocated recovery from an iOS device
Yeah, just marked.
2:30 PM
Thanks @pug4N6
Has anyone used exiftool? Have a question about an m4a. File creation is a day earlier than media creation (edited)
Exiftool can be confusing as to where it is getting values from. Try exiftool -g1 input.m4a to see if the time stamps come from the filesystem or file itself. To get more detail (or to manually decode) you can try -v3 or -v4 to see the offset where the values are derived from (edited)
Brandon E
Exiftool can be confusing as to where it is getting values from. Try exiftool -g1 input.m4a to see if the time stamps come from the filesystem or file itself. To get more detail (or to manually decode) you can try -v3 or -v4 to see the offset where the values are derived from (edited)
Thanks, with the -g1 flag I got a new header 'Date/Time Original', which gave a whole new date. Which would be the most accurate header in determining creation date? (edited)
@Bl0ssom it should differentiate between what is derived from the filesystem (Perl) and what is encoded in the movie. Not in front of a computer right now to visualize it. Alternative is -v3/4 and check the time stamps for the “mvhd” and/or “tkhd” boxes within the file
Could anyone help with an iOS location question please? I was under the impression that wireless networks logged in cache_encryptedB.db were as a result of the phone essentially conducting its own war drive of nearby wireless networks. First of all, is that correct? And if so, does anyone know how that database is logging wireless networks nearly 10 miles from where the phone was located at that time?
@CLB_iwhiffin might have an answer @Seladour (edited)
florus
@CLB_iwhiffin might have an answer @Seladour (edited)
Thank you for the heads up, I'm scratching my head here! @CLB_iwhiffin, anything you can share would be greatly appreciated!
I have two questions. 1. In Cellebrite PA, some videos do not display a thumbnail or even play. These same videos do have some size in bytes, so they are not empty. Why is this? 2. In iPhones, I've noticed folders within DCIM that are named "102Apple", "103Apple", etc. Why and what causes this? Any clues?
Deleted User 3/16/2021 2:43 PM
Possible previously deleted and recovered from the sql database. Not enough of the file recovered to view.
Ghosted
Have an iPhone where I got a BFU extraction. In Consolidated.db I located several lats and longs. They are all tied to /System/Library/LocationBundles/RemindersAlerts.bundle. Has anyone done any research on this db? Wondering what the table "Fences" is and maybe what the column FenceForeignKey represents.
Mattia Epifani 3/16/2021 11:30 PM
If the file is in the “System” folder it’s not related to user activities but it’s something native (and in fact, it’s in a bundle). In general, when dealing with a full file system of an iOS device you need to concentrate only on /private/var/ The rest is useless, unless the user did a jailbreak on his own
CLB-drorimon
It will be there if the video type is identified by PA. But this is unrelated to the exo files reconstruction. DM.
Related to this. Within PA 7.43, all my exo v2 files appear to only be playing the first second/few seconds. The video then stops despite stating it's longer than 1 second in length.
I'm examining a physical extraction of a Samsung S9+ in PA and Axiom, when looking at the calls there is a huge discrepancy between the programs. When examining the calllog.db it seems like PA skips all calls with duration = 0 where the phone number in the "number" column start with +4607... instead of 070... Is this a decoding decision you have made or a bug? @Cellebrite
Oscar
I'm examining a physical extraction of a Samsung S9+ in PA and Axiom, when looking at the calls there is a huge discrepancy between the programs. When examining the calllog.db it seems like PA skips all calls with duration = 0 where the phone number in the "number" column start with +4607... instead of 070... Is this a decoding decision you have made or a bug? @Cellebrite
mg_cellebrite 3/17/2021 3:29 AM
Hi, calllog.db has a 'logtype' column: type 100 are actual calls, type 300 are messages (worth checking that). If those are type 300 you should expect to see part of the message body in the 'm_content' column. In PA you should see those records under Messages.
@Cellebrite Is there a specific version of Andy that's needed? I had to reinstall it and now Cellebrite will not let me pick virtual analyzer
Anyone know the format of the birthday field within the Snapchat friends table? An example is something like this: 38654705691
@Cellebrite I have answered my last question, but cannot install VA as it keeps producing fatal errors on installation.
There are some conflicts with certain VM software.
4:43 AM
Have you touched base with the support team to take a look?
Not yet, no live support so I'll raise a call if it's not a known issue. You recommend getting rid of virtualbox/bluestacks etc first?
Solved, needs a very specific VMware player build
Can anyone tell me the difference between the tables 'date' and 'date_sent' in a Samsung mmssms.db? @Cellebrite presents date as "Timestamp" and date_sent as "Delivered". @Magnet Forensics presents date as "Message Created" and date_sent as "Message Received". I have an unread incoming SMS with date_sent as 14:33 and date as 15:14 that confuses me. If the SMS was delivered to the phone at 14:33, what does the 15:14 timestamp refer to?
Ghosted
I am hesitant to put any value as this was just a BFU
It was key data in one of my cases and it was corroborated with call data
Re above question I posted - what's the purpose of having PDF files in tmp folder on iPhone? Example filepath: private/var/mobile/Containers/Data/Application/A3AD0A9B-6235-4947-BCF6-C76CDAA601F8/tmp/
Any SQLite wizards available for a speed conversion question?
7:38 AM
Wondering how to convert those to a speed. Is it meters/second, feet/second?
JLindmar (83AR) 3/18/2021 8:10 AM
Check out @Sarah Edwards (SANS/BlackBag) query as part of Apollo: https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrtcllocationmo.txt. She has it as M/S with conversions to MPH and KM/H. Test to confirm.
I have a physical dump from a PIN locked LG G5 (H850) running Android 7.0. It looks like the user data partition is encrypted because Oxygen didn't extract any user data from this dump. Any ideas how I can decrypt it?
Anyone ever find out a Reddit username from alineblue app files? I’ve been digging for a while but haven’t come up with one yet. iOS file system download
8:10 PM
Alienblue *
Hello @Cellebrite, I'm on a OnePlus IN2010_DS 8 (Logical ☹️) with the KeepSafe app. The app has been uninstalled but I've got lots of logos of the app which appear and which represent the images encrypted by the application. UFED PA tries to decipher them but the result is wrong. Do you have an idea? These images are very important to the current investigation 🙂
3:19 AM
If I check this doc, Keepsafe's logo is well implemented in the encrypted image
UFED gives me this file (.key), but I don't know if it's a good key. (The doc refers to v7.3.1 while Keepsafe is now at 10.2.15 on the Play Store.) Without FS and with the app uninstalled (no xml), is there any chance of successfully decrypting these files? 🙂 (edited)
3:29 AM
ex :
ORIGINAL encrypted :
and ORIGINAL_decrypted
Anyone seen this on FB? (I'm not the poster, just curious); Getting slightly worried about my previous reports...
Is there a known issue with decrypting WeChat on the latest PA build as well?
4:48 AM
Tried the 2 IMEIs when PA asked me to enter them and yet still no WeChat data
4:48 AM
While Oxygen is parsing them just fine
Timmi.J
Anyone seen this on FB? (I'm not the poster, just curious); Getting slightly worried about my previous reports...
CLB-drorimon 3/19/2021 4:50 AM
Hey, we've checked the issue. First, there's no issue with intact records; you do get all of them. Second, regarding recovering deleted records, the challenge is how to recover all 'true positives' while minimising 'false positive' detections. A few versions back we adjusted the default configuration of the sms.db parser and now you get many fewer false positives and duplications, so in that manner less is better. In the case mentioned above, running with the default configuration, among 7000+ omitted redundant messages at least one true positive was also omitted. This is obviously problematic. If you want to use the more permissive mode, which does recover the record in question in that case, be sure to enable the 'Deep Carving' option in PA's settings. It will bring the number of decoded messages up, but at the cost of longer run time for large DBs (for smaller ones the hit is not significant). Following this case we are reconsidering the change to the default configuration. If you have any stand here, please let me know. (edited)
@Cellebrite Can you not export videos from the lower pane in PA or is mine just being super slow?
Guess it has to be via report
DeeFIR 🇦🇺 3/19/2021 7:00 AM
@Cellebrite can someone please DM me where the settings for 'deep carve SQL' are.. I don't have PA in front of me atm
DeeFIR 🇦🇺
@Cellebrite can someone please DM me where the settings for 'deep carve SQL' are.. I don't have PA in front of me atm
Tools -> Settings -> General -> within "Decoding"
DeeFIR 🇦🇺 3/19/2021 7:19 AM
Are you able to send me a screenshot pls?
7:22 AM
The false positive option mentioned is also there just above.
Hello, I use Oxyviewer of oxygen forensic on a USB key or USB hard drive and I open my 4 ".ofbx" files to work on them. When I connect the USB key or the USB hard drive to another computer, I have to decode the 4 ".ofbx" files again. Could you give me a way to use Oxyviewer on any computer with my 4 ".ofbx" files already opened? Thanks
DeeFIR 🇦🇺 3/19/2021 7:42 AM
Legend, thanks @Rob
Anyone done some research on the Snapchat databases? I'm having trouble understanding where the 'snaps' and 'photos' in the application's Memories are being referenced in a database. I have 3 snap videos in Snaps under Memories, and 5 photos in 'Photos'. When I look at the main.db or memories.db I only find 1 reference in memories_snap. It's a video I made in Snapchat, saved it as a preview and then sent to someone else. (p.s. it's a test device) (edited)
CLB-drorimon
Hey, we've checked the issue. First, there's no issue with intact records; you do get all of them. Second, regarding recovering deleted records, the challenge is how to recover all 'true positives' while minimising 'false positive' detections. A few versions back we adjusted the default configuration of the sms.db parser and now you get many fewer false positives and duplications, so in that manner less is better. In the case mentioned above, running with the default configuration, among 7000+ omitted redundant messages at least one true positive was also omitted. This is obviously problematic. If you want to use the more permissive mode, which does recover the record in question in that case, be sure to enable the 'Deep Carving' option in PA's settings. It will bring the number of decoded messages up, but at the cost of longer run time for large DBs (for smaller ones the hit is not significant). Following this case we are reconsidering the change to the default configuration. If you have any stand here, please let me know. (edited)
Thanks! I will feedback that to our team.
Deleted User 3/19/2021 11:59 AM
Any advice on looking into BIN files stored within a mobile application cache? Pulled some data from an Android application via ADB and found some artifacts I think may be worth looking into since it pertains to data associated with a wearable
Toff_Ibou
Hello, I use Oxyviewer of oxygen forensic on a USB key or USB hard drive and I open my 4 ".ofbx" files to work on them. When I connect the USB key or the USB hard drive to another computer, I have to decode the 4 ".ofbx" files again. Could you give me a way to use Oxyviewer on any computer with my 4 ".ofbx" files already opened? Thanks
OxyViewer uses the default path "C:\Users\%USERNAME%\AppData\Roaming\OxygenEngine" for Extraction Storage and temp files, so when you run it on a second computer it creates these folders, which are empty, and decodes the .ofbx files to this location. Try this:
1. Run OxyViewer on computer no 1
2. Change the paths to folders on the USB hard drive
3. Restart OxyViewer and decode the .ofbx files
4. Run OxyViewer on the second computer
5. Change the paths to the previously selected folders on the USB hard drive
6. Restart OxyViewer
Then it should contain the extractions. But remember that you need enough capacity on the USB HD for storing the .ofbx files and extraction data. (edited)
Rob
The false positive option mentioned is also there just above.
CLB-drorimon 3/22/2021 2:33 AM
This option is relevant for items recovered from unallocated space from physical extractions only.
Hello, in Physical Analyzer I can see a user dictionary with tons of words in it that comes from SwiftKey. Some of these words sorted by usage pattern can build sentences that make sense, and we've found some that correlate with real text messages that have been sent by the user. Anyone know exactly what usage pattern means? @Cellebrite
Deleted User 3/22/2021 5:15 AM
I guess it's used for predictive suggestions
@Law Enforcement [UK] pixel phone, can anyone tell me what this is please.
agreed
I'm assisting someone, I haven't got the phone. What mode is it? Is it a dodgy phone or in factory reset?
That symbol looks like a benzene ring 😂
Benzene ring
10:45 AM
Lol snap @D1g1talDan
That's a benzene ring
Pseudonym
That's a benzene ring
Late to the party there mate 😉
It’s the Graphene Android operating system
10:47 AM
GrapheneOS is a security and privacy focused mobile OS with Android app compatibility.
@D1g1talDan @Pseudonym we were close 😂
I was going down the proton os route
If it’s locked you might be out of luck 😉
Too slow to Google today
Speak to @Cellebrite for some advice
Do we get a prize for second place?
Oh good going, virtual pint to @jonez (edited)
mellotronworkerscotland 3/22/2021 10:52 AM
It's GrapheneOS
10:52 AM
Could be any hardware. It's a custom ROM.
10:53 AM
Google 'graphene os wallpaper'
Pseudonym
Do we get a prize for second place?
There's half a pint of John Smith's behind the bar at Ryton COP for you when it opens back up. (edited)
🤣 1
Avatar
You know what, I'm actually happy with that.
Morning all, I have an image on an iPhone XR that has the standard IMG_****.img file name and is stored in DCIM/102Apple/ but the metadata only shows Pixel Res as 960x1792, Resolution 72X72 and Orientation Horizontal (normal). Other photos taken on the handset have a lot more metadata etc. Any way I can find out how the photo got on to the handset?
@Artea Could it be a screenshot of some sort, or that the file was downloaded from somewhere else?
This is what I am thinking, as I believe that if taken on this handset it would have more metadata associated with it.
I am looking at an extraction I have in XRY and I have a package name decoded for the picture which shows what app it might've been from. Not sure what tool you used or if you have anything similar? Currently looking to see where it might've been decoded from, I suspect Photos.sqlite but I can't recall from what table off the top
If an image is taken using an in-app camera (à la Snapchat etc.), would it contain the metadata that using the original handset camera would?
4:02 AM
It's someone else's job from here. But I believe it's been decoded using XRY and PA
If you have it in XRY it could be interesting to see if any package name was decoded
4:11 AM
Here's an example of a photo which was saved down via Microsoft Teams so it wasn't taken by the Teams camera app but downloaded via Teams
I'll get them to have a look when they are back at their desk
For screenshots taken by the device the package name is com.apple.springboard
cheers, I'll pass this on. If I run into issues, Shaun (XRY trainer) is currently in the building 😉 lol
@Artea Just throw it at Shaun then! Say hi to Mr Shaun from Tobias!
@Erumaro funnily enough, the guy whose case it is, Shaun is currently training 🙂
Hi guys, I'm using Alexis Brignoni's ALEAPP to parse event logs.
I'm not sure but is Alexis Brignoni in this server?
Andrew Rathbun 3/23/2021 5:59 AM
@Brigs
That was such a fast response lol
6:00 AM
Thanks.
@pa8432cman it's a script for Axiom, right ?
AnTaL
@pa8432cman it's a script for Axiom, right ?
Sorry, script for Axiom?
6:11 AM
I'm using Brignoni's ALEAPP
yep, thought it was the name of a python plugin in Axiom
6:11 AM
my bad
Oh actually I think some of the scripts here you can actually import into AXIOM
This is what I used and I think it's a pretty neat tool
6:12 AM
Unfortunately didn't help with my situation, I'm fresh out of ideas.
yes, was asking because last month I was looking for a python script (plugin) to parse olk15 files in Axiom. Maybe you could have it 🙂
6:13 AM
if you used Axiom plugins
Look at the timeline database in ALEAPP. Look for the time that you're interested in. If there are other artifacts with information about what you need at that time they should show up there.
AnTaL
yes, was asking because last month I was looking for a python script (plugin) to parse olk15 files in Axiom. Maybe you could have it 🙂
Sorry, what are olk15 files?
Brigs
Look at the timeline database in ALEAPP. Look for the time that you're interested in. If there are other artifacts with information about what you need at that time they should show up there.
I've exported the data - will it show up on that?
6:16 AM
Wait, sorry - where can I find the timeline database?
In the report that the tool creates, look for the _timeline folder. There is a SQLite database there. Use DB Browser for SQLite to open it. Sort by the timestamp column or create your own query.
Got it, looking into this now.
6:17 AM
Thanks
@Pacman sorry, not used to channels, I think it's not mobile data. FYI, I saw it with a forensic image of an iMac using Outlook 2016. They're temporary files of emails
Useful artifacts are usagestats, wellbeing.
@Brigs these are the latest timestamps I can find
6:18 AM
in Timeline.
Brigs
Useful artifacts are usagestats, wellbeing.
Yeah, I'm looking into these for evidence that he was using snapchat at the time the video was created
Is it a Samsung phone?
Uhhh one sec
6:20 AM
Yes
6:20 AM
Galaxy A51
Read this:
6:20 AM
Short version Samsung mobile devices keep a list of stored media files in the following location and database: data/data/com.sec.android...
Thank you - will read now.
Pacman
Thank you - will read now.
Had a case where the smoking gun was in the WAL file of the My Files app database. Look for the WAL & journal artifact to triage the proper WAL file. If you see ASCII values that are relevant to your case, parse the WAL file with a proper forensic tool for such.
@Brigs Do you mind if I direct message you, just to avoid spamming in here?
florus
Anyone done some research on the Snapchat databases? I'm having trouble understanding where the 'snaps' and 'photos' in the application memories are being referenced in a database. I have 3 snap videos in Snaps under memories, and 5 photos in 'Photos'. When I look at the main.db or memories.db I only find 1 reference in memories_snap. It's a video I made in Snapchat, saved it as a preview and then sent to someone else. (P.S. it's a test device)
I worked on these versions (main.db, memories.db) but it wasn't possible for me to make a link in a few days between the files in the file manager and the names of the files present in the database. By reversing the app, there should be an explanation 🙂 (if that can help you: https://github.com/Yann-Ntech/Snapchat_Forensics)
There is an update to this post. It can be found after the ‘Conclusion’ section.I was recently tasked with examining a two-year old Android-based phone which required an in-depth look …
Hey everyone. I'm working on a Galaxy S20 that I believe was wiped once the suspect was tipped off that he was under investigation. Is there somewhere to look for an initial setup date either in the Cellebrite extraction or on the phone itself? I can't go by the datestamps on much of the data because they were restored from a backup (the dates are earlier than the phone existed)
Anyone from @Cellebrite free for a quick question?
Afternoon all, just a follow up from my question earlier RE a photo I have. The file name is IMG_****.jpg and it is in the DCIM/102APPLE/ folder. The acquisition has been redecoded in XRY and it appears to be a Snapchat image. Is there any way of determining if this was received/sent or just taken with the Snapchat camera?
9:52 AM
File is 294.86KB and has metadata attached
hello, any Frida expert on Android?
hi. I am looking at the cellularusage.db on an iPhone. It contains three entries for 3 different ICCIDs. I am curious about 2 columns available in the DB. The first column is Tag. I have values of 3, 7 and 8. Any idea what those mean? The second column of interest is Last_update_time. I'm curious about exactly what the update time is regarding. Does this mean the SIM was removed or inserted at this time, or is it something else entirely?
Aero
Anyone from @Cellebrite free for a quick question?
Hey
Does a file similar to device_policies.xml exist on Samsung phones that use FBE? I have a device with a passcode, and am looking for some hints on how long it can be and what it may contain. Huawei with FBE has a similar file (lock_settings_db.xml), and while it doesn't say all that device_policies did, it allows at least finding how long the passcode is
Gorp
hi. I am looking at the cellularusage.db on an iPhone. It contains three entries for 3 different ICCIDs. I am curious about 2 columns available in the DB. The first column is Tag. I have values of 3, 7 and 8. Any idea what those mean? The second column of interest is Last_update_time. I'm curious about exactly what the update time is regarding. Does this mean the SIM was removed or inserted at this time, or is it something else entirely?
I found a resource from the old BlackBag website via the Internet Archive that detailed some information about the last_update_time in the cellularusage.db. the data is circa 2016 but seemed helpful. https://web.archive.org/web/20200925042500/https://www.blackbagtech.com/blog/sim-switching-on-iphones/
Users who own devices that are unlocked from a carrier are able to change SIM cards from carrier to carrier. There are several ways in which a user can have his or her device unlocked
Deleted User 3/23/2021 3:00 PM
Anyone know how SMS is stored on Brew OS devices? It looks like blob files, but I'm not 100% sure
Mountaineer316 3/23/2021 7:54 PM
Good evening all! I am looking for insight into the iPhonenetworkdatausage log files. Do entries definitely indicate user initiated usage at that time?
Hi guys, any suggestion on the best way to know when an Android phone was first used?
9:13 PM
I'm currently using oxygen if that helps
9:18 PM
I was thinking of checking the Android log and then using several apps and picture EXIF to cross-check it
@Gorp last update time is when a new SIM card was inserted in the iPhone.
@florus Are you sure about that? I remember testing this a few years ago and it seemed the time stamp updated each time the card was mounted in the device. Either restarting the device or removing/reinserting the card seemed to update that. Not sure if something has changed but that could be worth testing! 🙂
Erumaro
@florus Are you sure about that? I remember testing this a few years ago and it seemed the time stamp updated each time the card was mounted in the device. Either restarting the device or removing/reinserting the card seemed to update that. Not sure if something has changed but that could be worth testing! 🙂
Thanks for keeping me sharp Thomas. I tested this a year ago on iOS 13. I didn't check the rebooting part. To be more specific: when inserting a new SIM card it populates a new row with the timestamp showing the date and time when it got mounted. A new test will bring some new insight 🙂 @Gorp Will you let us know?
Artea
Morning all, I have an image on an iPhone XR that has the standard IMG_****.img file name and is stored in DCIM/102Apple/ but the metadata only shows Pixel Res as 960x1792, Resolution 72X72 and Orientation Horizontal (normal). Other photos taken on the handset have a lot more metadata etc. Any way I can find out how the photo got on to the handset?
First, I would like to thank Heather Mahalik for her help with this process and for allowing me to post something on her blog. It’s an honor! Additionally, thanks to Jared Barnhart for his assistan…
@MSAB Hi, quick question regarding import from Grayshift. Do we have to only use the Grayshift profile and import only the zip file? Or also the plist?
@Dam You can use the Grayshift profile or any other iOS profile really, if you import the .zip any keychain plist in the same folder as the .zip should be imported as well🙂
Erumaro
@Dam You can use the Grayshift profile or any other iOS profile really, if you import the .zip any keychain plist in the same folder as the .zip should be imported as well🙂
Thanks, I will import the zip. The plist is in the same folder
Thanks, I'll take a look at this.
florus
Thanks for keeping me sharp Thomas. I tested this a year ago on iOS 13. I didn't check the rebooting part. To be more specific: when inserting a new SIM card it populates a new row with the timestamp showing the date and time when it got mounted. A new test will bring some new insight 🙂 @Gorp Will you let us know?
Depending on how crucial this information is to our stakeholders will determine if I will have time to test the various scenarios that are covered in the BlackBag forensics article. I did reach out to Cellebrite support about these artifacts. Perhaps they are in a better position than I to research this particular artifact 😉
florus
@Gorp last update time is when a new SIM card was inserted in the iPhone.
thank you for chiming in on this. I appreciate it.
natalied4784
Has anyone seen the below file path? DarArchive/root/private/var/mobile/Library/Caches/com.apple.mobileSMS/Previews/Search/PhotoSearchSection-at [image name.png]. I’m trying to understand what photosearchsection means.
NatalieD, did you get any answers re this path? I'm trying to figure out the same thing.
@Law Enforcement [USA] I obtained a CSV file from Discord for a case I'm working; unfortunately it contains all the Unicode text for emojis (rather than just images). When I view this file on my mobile device it decodes the Unicode into emojis. Does anyone have a good way to accomplish this on a computer?
Gwaihir Scout 3/24/2021 12:12 PM
There are online translators you could try pasting a list into.
DMG
@Law Enforcement [USA] I obtained a CSV file from Discord for a case I'm working; unfortunately it contains all the Unicode text for emojis (rather than just images). When I view this file on my mobile device it decodes the Unicode into emojis. Does anyone have a good way to accomplish this on a computer?
Bluestacks?
Gwaihir Scout
There are online translators you could try pasting a list into.
Is there a way to do this and maintain the chat log I'm working with? I know I can find out what each bit of Unicode translates to, but if we want to display this in court, per se, all the little 😘's could matter
Palazar82
Bluestacks?
... that might work
DMG
@Law Enforcement [USA] I obtained a CSV file from Discord for a case I'm working; unfortunately it contains all the Unicode text for emojis (rather than just images). When I view this file on my mobile device it decodes the Unicode into emojis. Does anyone have a good way to accomplish this on a computer?
DrXenonBloom 3/24/2021 12:14 PM
You might be able to have it convert correctly if you import into excel as opposed to just opening the csv.
DrXenonBloom
You might be able to have it convert correctly if you import into excel as opposed to just opening the csv.
I tried opening it in Excel then saving as an .xlsx file with no luck
DrXenonBloom 3/24/2021 12:17 PM
Convert CSV to Excel. Learn how to open a CSV file in Microsoft Excel 2016 and Excel 2003 with our step-by-step guide.
DrXenonBloom
This converted 90% of it, thanks
if you want to remove them you could probably regex a replace-all, since emojis start and end with “:”
Have you tried dropping it into Zimmerman's EXViewer? It automatically decodes the emojis and keeps the column format
kaulel83
Have you tried dropping it into Zimmerman's EXViewer? It automatically decodes the emojis and keeps the column format
I don't have EXViewer but I'll need to check that out.
Hells
if you want to remove them you could probably regex a replace-all, since emojis start and end with “:”
I think the context that the emojis add is important to the case 🍆 💦 🍑 or whatever 😮
I double checked with a CSV I dumped and it worked great https://ericzimmerman.github.io/#!index.md
DMG
@Law Enforcement [USA] I obtained a CSV file from Discord for a case I'm working; unfortunately it contains all the Unicode text for emojis (rather than just images). When I view this file on my mobile device it decodes the Unicode into emojis. Does anyone have a good way to accomplish this on a computer?
If the data comes from an Android device you can virtualize it. You will get the messages with everything just as the user would have seen it, since you will be using the app itself to view the data. I have used it for Discord and it works without a hitch. https://www.youtube.com/watch?v=Rsaoe1YdfZ4
Brigs
If the data comes from an Android device you can virtualize it. You will get the messages with everything just as the user would have seen it, since you will be using the app itself to view the data. I have used it for Discord and it works without a hitch. https://www.youtube.com/watch?v=Rsaoe1YdfZ4
That's cool, but it wasn't pulled via forensics. It was provided as a part of a CT
Deleted User
Anyone know how SMS is stored on Brew OS devices? It looks like blob files, but I'm not 100% sure
JLindmar (83AR) 3/24/2021 2:19 PM
If I recall correctly, each SMS message is stored as an individual file. I have a file structure map from two different formats I encountered a few years ago on two different Samsung feature phones. I'm not sure if anything has changed since then. https://developer.brewmp.com/search/apachesolr_search/sms?filters=ss_site_section%3Aresources
Deleted User 3/24/2021 2:54 PM
@DMG Python can make heads and tails of it - https://www.geeksforgeeks.org/python-program-to-print-emojis/
2:56 PM
@JLindmar (83AR) thanks! I confirmed with someone else something similar, appreciate the information!!
Mistercatapulte 3/24/2021 3:08 PM
PA 7.44 released guys!
Mistercatapulte
PA 7.44 released guys!
Looks like beta?
4:38 PM
Unless someone from @Cellebrite Can confirm it's the latest stable version?
Rob
Unless someone from @Cellebrite Can confirm it's the latest stable version?
It's probably listed wrong but it would be nice if @Cellebrite could confirm this.
Mistercatapulte 3/25/2021 1:59 AM
@AmNe5iA don't know, but like @Sockmoth said, i suppose it's listed wrong
Rob
Unless someone from @Cellebrite Can confirm it's the latest stable version?
CLB - DavidK 3/25/2021 2:09 AM
This is the pre-release version, the official version is planned to be released next week.
That's annoying as I've already started installing it on one of my production machines!
Deleted User
@DMG Python can make heads and tails of it - https://www.geeksforgeeks.org/python-program-to-print-emojis/
Thanks, I’ll check this out. I know they're gonna want something easily readable if it goes to trial
anyone from @Cellebrite free for a quick question, cheeeers
Aero
anyone from @Cellebrite free for a quick question, cheeeers
CLB - DavidK 3/25/2021 7:49 AM
Sure
Has anyone had issues with Physical Analyzer not running correctly after the initial installation and execution? Every subsequent execution, it stalls at 14%. If it makes it past that, it freezes and stops responding when trying to navigate to any of the Tabs (File, Tools, Extraction, etc.) I've reinstalled, uninstalled, and updated several times with no change... @Cellebrite
Moses1617
Has anyone had issues with Physical Analyzer not running correctly after the initial installation and execution? Every subsequent execution, it stalls at 14%. If it makes it past that, it freezes and stops responding when trying to navigate to any of the Tabs (File, Tools, Extraction, etc.) I've reinstalled, uninstalled, and updated several times with no change... @Cellebrite
For the past few months, I've found PA often delays at 14%, but usually will load within a minute or two. I find the primary issue has been UFED Reader reports getting stuck at 14%, often for about 5 minutes, and then finally opening. But either way, it always seems 14% is where the delays occur. Unfortunately, I have no idea why.
mkx
For the past few months, I've found PA often delays at 14%, but usually will load within a minute or two. I find the primary issue has been UFED Reader reports getting stuck at 14%, often for about 5 minutes, and then finally opening. But either way, it always seems 14% is where the delays occur. Unfortunately, I have no idea why.
Yeah, I've noticed it's been stalling there for a bit now, but the not responding after it gets past the 14% and loads is what's killing me at the moment. No amount of patience lets it load either. It just stays frozen
So I am using Cellebrite PA to manually decode and parse some contacts data with the SQLite Wizard. I can get the names column correct, but I cannot get the telephone numbers to show up in the "Numbers" column; they only show up under the "Other Entries". I know I am just not mapping the correct way but I can't figure it out. You would think there is a "number" mapping tag, but I can't find one related to it. Anyone got any help?
@Cellebrite
Afternoon all, if an image has been received via Snapchat, is any metadata/EXIF stripped out of it? I have images that are "related" to Snapchat and I'm trying to see how they came to be on the handset. Taken on it, or were they received etc. Also the three images I have were created exactly 10 seconds apart from each other? Just a coincidence?
Deleted User 3/26/2021 9:19 AM
Hello @forensicmike @Magnet . I read your blog post on decrypting Private Photo Vault for iOS, and it was a fascinating read. https://www.forensicmike1.com/2019/06/26/ios-photo-vault-app-still-pwnable-in-2019. Is there a way to decrypt the same app in Android? In the meantime, would I get a copy of your Python script for decrypting Private Photo Vault on iOS?
Explore the inner workings of the Private Photovault app on iOS in this overview of a reverse engineering project and see how decryption can be achieved.
@Deleted User I have python scripts for both app versions [iOS and Android] (PIN and media decryption). I must also commend @forensicmike @Magnet for his awesome work and blogs in regards to this stuff. He's a massive help!
Deleted User
Hello @forensicmike @Magnet . I read your blog post on decrypting Private Photo Vault for iOS, and it was a fascinating read. https://www.forensicmike1.com/2019/06/26/ios-photo-vault-app-still-pwnable-in-2019. Is there a way to decrypt the same app in Android? In the meantime, would I get a copy of your Python script for decrypting Private Photo Vault on iOS?
forensicmike @Magnet 3/26/2021 12:02 PM
responded in DM 🙂
Aero
@Deleted User I have python scripts for both app versions [iOS and Android] (PIN and media decryption). I must also commend @forensicmike @Magnet for his awesome work and blogs in regards to this stuff. He's a massive help!
forensicmike @Magnet 3/26/2021 12:02 PM
thank you!!
Deleted User 3/26/2021 1:39 PM
just for my own edification, I was looking at some SMS messages on a device that ran Brew; they decode when I use reverse 7-bit... what does reverse 7-bit mean?
Artea
Afternoon all, if an image has been received via Snapchat, is any metadata/EXIF stripped out of it? I have images that are "related" to Snapchat and I'm trying to see how they came to be on the handset. Taken on it, or were they received etc. Also the three images I have were created exactly 10 seconds apart from each other? Just a coincidence?
May not be helpful but if there are videos I have a potential solution, but it only works with videos.
Deleted User
just for my own edification, I was looking at some SMS messages on a device that ran Brew; they decode when I use reverse 7-bit... what does reverse 7-bit mean?
@Deleted User Are you referring to the 7-bit SMS PDU format? https://mobileforensics.files.wordpress.com/2007/06/understanding_sms.pdf
varbytes
@Deleted User Are you referring to the 7-bit SMS PDU format? https://mobileforensics.files.wordpress.com/2007/06/understanding_sms.pdf
heatherDFIR 3/27/2021 6:38 AM
Good ole 7-bit. I have some old labs that focused on decoding 7-bit. Also, you can do a hex search in PA and find all 7bit messages.
Hi, anyone know what the column ZSHARECOUNT and ZSHARETYPE refer to in the photos.sqlite table ZADDITIONALASSETATTRIBUTES?
Hello! Does anyone know of a way I can decrypt the files stored with Private Photo Vault? I have the code so I can access them manually, but neither PA, Axiom nor Oxygen allow me to decrypt the files using the code. I only have access to an advanced logical image done via UFED! This is the enchantedcloud PPV I'm talking about
@Cygonaut I have a python script for iOS and Android that can decrypt the media
5:51 AM
Happy to share, DM me for more info if you want 😁
Adam Cervellone 3/29/2021 8:00 AM
Good morning fellow forensicators! Does any one have any experience with an Android app called PhotoLocker from Handy Apps? I've got a full ADB physical from a SM-J320AZ - Galaxy Amp Prime. The app is installed and all the files for it appear to be present in the file system. I don't have the PIN for it and was wondering if it might be stored somewhere on the phone. I've not seen it yet in any of the files but may be looking in the wrong location. The case officer has been contacted and is going to try to get the PIN from the suspect. Any suggestions?
@Adam Cervellone I have a python script for photo/video locker (PIN + file decryption - both encryption versions)
8:20 AM
I've not used it in like 2 years though; if you can give me the exact version of the app
8:20 AM
I can get it running on my emulator to test it out 😁
8:22 AM
just to confirm: package name is com.handyapps.photolocker right?
8:28 AM
DM me if you want the script or more info! 👍
Aero
@Adam Cervellone I have a python script for photo/video locker (PIN + file decryption - both encryption versions)
Adam Cervellone 3/29/2021 8:31 AM
Just sent you a DM! Thank you!
Hello, I am looking for OTG USB history on a Samsung Tab 3 P5210 under Android 4.4.2. There are some files mentioned in emulated.db, however I am trying to make a link with a specific USB key and the files transferred. Anyone know of an equivalent artifact on Android similar to the USBSTOR registry key or setupapi.log?
Aero
@Adam Cervellone I have a python script for photo/video locker (PIN + file decryption - both encryption versions)
Adam Cervellone 3/29/2021 9:18 AM
Thank you for your help! The script worked and was able to unlock the vault with ease!
No worries at all! 😁
Hey, all. Does anyone know what the integer values indicate next to phone numbers listed in com.apple.messages.abcache.MobileSMS.plist? iOS version is 14.4
@Aero The vault unlock guru 😎
Here is some experience feedback concerning the identification of the origin of Snapchat media (iOS only). The current 4n6 software (at least what I have at my disposal) does not make the links. The document has almost been translated into English.
@Magnet Forensics does AXIOM support parsing UFED logical extractions from Android devices? I know AXIOM can parse physical extractions. Is there an option to parse Android logical extractions?
@denyzkoo yes sir it does.
MF-cbryant
@denyzkoo yes sir it does.
hello, but it didn't parse SMS, contacts and call logs for me. Do I need to set up something?
rico
Here is some experience feedback concerning the identification of the origin of Snapchat media (iOS only). The current 4n6 software (at least what I have at my disposal) does not make the links. The document has almost been translated into English.
CLB_iwhiffin 3/29/2021 8:37 PM
My ArtEx tool should do this for you already. Unless SnapChat changed something again.
Brandon E
May not be helpful but if there are videos I have a potential solution, but it only works with videos.
Morning, unfortunately there are only image files. But I would still be interested in hearing your potential solution for future reference.
rico
Here is some experience feedback concerning the identification of the origin of Snapchat media (iOS only). The current 4n6 software (at least what I have at my disposal) does not make the links. The document has almost been translated into English.
Thanks. It was translated into English from which language?
CLB_iwhiffin
My ArtEx tool should do this for you already. Unless SnapChat changed something again.
Great! I'm sorry to tell you but I have never been able to make it work, as I see the full potential of your admirable creation. Even more so now that you make me want to use it even more
samsam
Thanks. It was translated into English from which language?
For a French LE not to recognize his mother tongue in the pictures, it's strange
Anyone from @Hancom dm me, Please.
Artea
Morning, unfortunately there are only image files. But I would still be interested in hearing your potential solution for future reference.
There is a new tool (that I am a part of) that is launching in about a month called Medex that works to identify the source/provenance of unknown video files using only that video file. So in your case of Snapchat, the Medex analysis could say if the video file is consistent with a video file created on an iPhone XR (or other brand/model) and not transmitted. It could also say the video is consistent with being recorded on a Galaxy Note 9 (or other brand/model) and transmitted via Snapchat. It won’t launch for a little bit but it is currently fully functional; if it could be of assistance in any way or if you have any questions let me know. You can also check out www.medexforensics.com
chrisforensic 3/30/2021 10:24 PM
good morning @Cellebrite ... info concerning import of Huawei backups... PA 7.43 doesn't decode the latest backups correctly (except call logs, contacts, messages, media...) - user accounts are missing - the structure of the backups seems to have changed... Backups made with the latest HiSuite 11.0.0.510 on PC... P30 Pro with EMUI 11.0
10:26 PM
by the way @Oxygen Forensics OFD 13.4 has troubles decoding it, too ...
chrisforensic 3/30/2021 10:33 PM
all chat apps missing...
10:35 AM
just media in Telegram, WhatsApp... Skype not decoded
chrisforensic
good morning @Cellebrite ... info concerning import of Huawei backups... PA 7.43 doesn't decode the latest backups correctly (except call logs, contacts, messages, media...) - user accounts are missing - the structure of the backups seems to have changed... Backups made with the latest HiSuite 11.0.0.510 on PC... P30 Pro with EMUI 11.0
CLB - DavidK 3/31/2021 12:21 AM
Thanks for letting us know!
Physical Analyzer/iOS locations question: I used PA to carve for additional locations in a FFS extraction of an iPhone 11 Pro. The carved data shows a breadcrumb trail of the phone traveling in a car to the crime scene and leaving it 2 hours later, so that is very helpful for the investigators. But the carved data also shows like 200 artifacts in a somewhat static area close by the breadcrumb trail (maybe 500 m away). These 200 artifacts all have the exact same timestamp and this timestamp overlaps with the breadcrumb route data. I know it's an error of some sort, since the phone can't be in two locations at the same time and since the 200 scattered artifacts look weird on the map. But I still need to explain it in my report. Could the scattered artifacts be a cell tower location or something? Anyone who came across something similar when looking at carved locations in PA? I realize there's generally a big risk of false positives, but I still need to explain what causes this error. @Cellebrite
@BETBAMS What is the source? EncryptedB? Very inaccurate. Cache.sqlite is accurate (in my case)
@florus Caches/com.apple.routined/Local.sqlite
chrisforensic
by the way @Oxygen Forensics OFD 13.4 has troubles decoding it, too ...
Oxygen Forensics 3/31/2021 1:31 AM
Thank you! Investigating.
👍 1
@florus Thank you. Very useful
Thanks @CLB_iwhiffin (edited)
Him too! I actually use ArtEX a lot, just didn't realize he had dived into this matter so thoroughly 👍 🙂
Forgot to save an Oxygen case. Is it possible to import the dump in Detective again? I actually have a folder with the parsed file system but can't find out how to import it in the viewer? (maybe I'll zip it and try that way..).
I have some images of interest which reside in a Chrome cache file. UFED decoded them as embedded etc... After looking at the cached file I can see the original file name and website which they came from. The website is Chat Avenue. Has anyone dealt with these before and know any further information around the structure and reliability of the information in the cache containers, particularly for Chat Avenue?
Brandon E
There is a new tool (that I am a part of) that is launching in about a month called Medex that works to identify the source/provenance of unknown video files using only that video file. So in your case of Snapchat, the Medex analysis could say whether the video file is consistent with a video file created on an iPhone XR (or other brand/model) and not transmitted. It could also say the video is consistent with being recorded on a Galaxy Note 9 (or other brand/model) and transmitted via Snapchat. It won't launch for a little bit but it is currently fully functional; if it could be of assistance in any way or if you have any questions let me know. You can also check out www.medexforensics.com (edited)
heatherDFIR 3/31/2021 6:13 AM
@Brandon E any interest in presenting it on Life has no Ctrl+Alt+Del? If so, let me know.
curebits
Forgot to save an Oxygen case. Is it possible to import the dump in Detective again? I actually have a folder with the parsed file system but can't find out how to import it in the viewer? (maybe I'll zip it and try that way..).
Select the device.ewc, import as android physical should work
👍 1
7:51 AM
Of course, if you still have the data
Hello world, which files currently hold the most reliable information regarding a factory-reset and remote wipe of android devices (samsung, huawei)? thanks
Raf
Hello world, which files currently hold the most reliable information regarding a factory-reset and remote wipe of android devices (samsung, huawei)? thanks
@AJ Said to check the last_history log. That worked for me recently.
👍 1
Does anyone know of a way to break Samsung S8+ passcode without developer mode enabled? Been trying to find a weak link for about a week now. Cellebrite would, but the battery won’t hold enough charge for it to work.
heatherDFIR
@Brandon E any interest in presenting it on Life has no Ctrl+Alt+Del? If so, let me know.
Absolutely! I will send you a PM to coordinate
BETBAMS
Physical Analyzer/iOS locations question: I used PA to carve for additional locations in a FFS-extraction of an iPhone 11 pro. The carved data shows a breadcrumb trail of the phone traveling in a car to the crime scene and leaving it 2 hours later, so that is very helpful for the investigators. But the carved data also shows like 200 artifacts in a somewhat static area close by the breadcrumb trail (maybe 500 m away). These 200 artifacts all have the exact same timestamp and this timestamp overlaps with the breadcrumb route data. I know it's an error of some sort, since the phone can't be in two locations at the same time and since the 200 scattered artifacts look weird on the map. But I still need to explain it in my report. Could the scattered artifacts be a cell tower location or something? Anyone who came across something similar when looking at carved locations in PA? I realize there's generally a big risk of false positives, but I still need to explain what causes this error. @Cellebrite (edited)
mg_cellebrite 3/31/2021 2:29 PM
It can be a harvested cell tower location or another location with a lower accuracy ring. The key here is the source file; can you point to where those locations were carved from?
I don't have it in front of me right now, but the source file in PA was Caches/com.apple.routined/Local.sqlite
2:30 PM
And then I think some of the artifacts just displayed "cloud"? I'm not sure of this
2:31 PM
@mg_cellebrite Thanks for responding btw
2:34 PM
The fact that 200+ locations in roughly the same area (we are talking a radius of 500 meters max) have the exact same timestamp is what I'm gonna have to explain
BETBAMS
The fact that 200+ locations in roughly the same area (we are talking a radius of 500 meters max) have the exact same timestamp is what I'm gonna have to explain
mg_cellebrite 3/31/2021 2:58 PM
The location carver works generically to surface locations which might have been missed; the idea is that it locates a position (lat/lon) with a timestamp. Worth checking what that timestamp is (could it be the created timestamp for a location saved as frequent, and therefore identical for all locations?). The best practice is to take those leads and drill down just a bit: are they all from the same DB & table? Are all the timestamps from the same column? What are the table & column names? We will be happy to assist if you wish. Let me know if you are able to classify the source for those locations that need clearance and we will do our best to help (edited)
@mg_cellebrite That makes sense. Thanks a lot. I or a colleague might reach out.
BETBAMS
@mg_cellebrite That makes sense. Thanks a lot. I or a colleague might reach out.
mg_cellebrite 3/31/2021 3:00 PM
Cool. DM me
👍 1
Adam Cervellone 3/31/2021 4:33 PM
Two quick iOS 14 questions. 1. For photos/videos found in recently deleted, the number of days displayed on the thumbnail tells how many days left until it deletes, correct?
4:34 PM
2. If I see a file path similar to this, afcservice/photodata/Cpl/derivatives/PrimarySync, it’s indicative of iCloud synchronization, correct? @Cellebrite @Magnet Forensics
@Adam Cervellone 1: Yes, From 30 down to 0 (edited)
@Cellebrite could cellebrite please contact me regarding the licence packs for PA?
rico
For a French LE not to recognize his mother tongue in the pictures, it's strange (edited)
I noticed it, so it answers my question. Do you have it in French?
Hi, I have an erased iPhone 11 Pro Max that is now at the welcome screen and is locked with an apple id. Is there any way of finding out the date and time when it was erased? I don't have the apple id or password.
Cip
Hi, I have an erased iPhone 11 Pro Max that is now at the welcome screen and is locked with an apple id. Is there any way of finding out the date and time when it was erased? I don't have the apple id or password.
In this episode, we answer the top 10 questions surrounding wiped devices as well as methods to enable iOS reconstruction of activities and the creation of a timeline of events. Questions include: How do you know if a device has been wiped? What data is recoverable from a wiped device? Has the device been reset? … Continue reading "Episode 9: iB...
👍 2
Unfortunately, I cannot obtain the .obliterated file because I am unable to perform any extraction (except screen capture) due to the Apple ID lock.
Can't you use a GK? I am not sure if checkm8 includes that file or not
B
Can't you use a GK? I am not sure if checkm8 includes that file or not
No, we do not have GK in our country. I thought that checkm8 only works up to iPhone X. I have UFED, Oxygen, Axiom, EnCase, FTK (edited)
CCC
Solved, needs a very specific VMware player build
Morning, What build number did you use to get your installation completed?
CCC
Solved, needs a very specific VMware player build
Hello! I'm having the same issue, what build did you need?
forensicgeek 4/1/2021 4:41 AM
I have a Nokia 106 (TA-1114) - a physical extraction has been completed but I am unable to decode the data on the device using XRY and PA. Anyone else had this issue and found a way to decode the data?
@Artea found it, it's 15.0.0
AnTaL
@Artea found it, it's 15.0.0
Brilliant. Thank you!
@Artea you're welcome
@forensicgeek do you have Infinity Data Explorer? It's not forensic software, but it may be able to confirm if there's something inside to decode
I have problems decoding chat history (WhatsApp) in PA when stickers were sent. The problem occurs only with Android devices (Samsung, Huawei..), iPhone works. The stickers are named with STK-xxxx and also named as such in the chat history, but not displayed. Does anyone know the problem or have a solution for it? thx
ScottKjr3347 4/1/2021 1:41 PM
Anyone know what the following data_types from healthdb_secure.sqlite represent? 173 182 188 187 194 (edited)
ScottKjr3347
Anyone know what the following data_types from healthdb_secure.sqlite represent? 173 182 188 187 194 (edited)
Andrew Rathbun 4/2/2021 5:51 AM
Have you checked any of these APOLLO Modules to see if the answer resides within? https://github.com/mac4n6/APOLLO/tree/master/modules
Apple Pattern of Life Lazy Output'er. Contribute to mac4n6/APOLLO development by creating an account on GitHub.
Andrew Rathbun
Have you checked any of these APOLLO Modules to see if the answer resides within? https://github.com/mac4n6/APOLLO/tree/master/modules
ScottKjr3347 4/2/2021 9:21 AM
First place that I checked...no 🎲 Also Googled the S#$& out of it and can't find them mentioned in any papers or blogs. Currently loading a test device to try and figure it out but was hopeful someone may have already figured it out. Also looked through apple development docs and couldn't find the list. (edited)
Mistercatapulte 4/3/2021 2:35 AM
Good morning all, I would like to know how many crypt12 databases can be created at most by whatsapp on one device. I have 07 on the device I am examining, and I would like to know if the number 07 is the maximum and then the cycle is repeated by removing the first. Thank you
Mistercatapulte
Good morning all, I would like to know how many crypt12 databases can be created at most by whatsapp on one device. I have 07 on the device I am examining, and I would like to know if the number 07 is the maximum and then the cycle is repeated by removing the first. Thank you
Yes, one week ago. If the Smartphone is on.
Karlsson
Yes, one week ago. If the Smartphone is on.
Mistercatapulte 4/3/2021 11:39 AM
Thx👍
@AnTaL @Artea I installed Andy from the Cellebrite downloads page and it sorted out the rest by installing the version of VMware that it wanted
11:12 AM
Can anyone here tell me what private browsing looks like on a FFS of Huawei using the Huawei browser? I only have the download and no test devices.
Cip
Hi, I have an erased iPhone 11 Pro Max that is now at the welcome screen and is locked with an apple id. Is there any way of finding out the date and time when it was erased? I don't have the apple id or password.
Mattia Epifani 4/4/2021 10:36 PM
You can try generating a "sysdiagnose" on the wiped phone with the button combination and then acquire it via "crash logs" acquisition. It also works on wiped phones because the service is already running (but not the backup service)
💪 1
Anyone have any insight on the data available inside map_cache.db for Google Maps on an Android device? There appear to be many records with binary data in them, just not sure how to decode them.
Is anyone aware of a tool that parses the fcm queued messages? They are LevelDB files. I have found quite a bit of documentation on the data stored in these files and I am able to decipher what a lot of it means but I have not found a tool that is currently parsing this data. Thank you for any help :)
charpy4n6
Is anyone aware of a tool that parses the fcm queued messages? They are LevelDB files. I have found quite a bit of documentation on the data stored in these files and I am able to decipher what a lot of it means but I have not found a tool that is currently parsing this data. Thank you for any help :)
Andrew Rathbun 4/6/2021 9:59 AM
@Matt
charpy4n6
Is anyone aware of a tool that parses the fcm queued messages? They are LevelDB files. I have found quite a bit of documentation on the data stored in these files and I am able to decipher what a lot of it means but I have not found a tool that is currently parsing this data. Thank you for any help :)
Hey, if they're stored in the Local Storage DB, you could try parsing them with my tool https://github.com/mdawsonuk/LevelDBDumper
Dumps all of the Key/Value pairs from a LevelDB database - mdawsonuk/LevelDBDumper
@Matt there are 511 ldb files stored in the fcm_messages_queued.ldb. I will try anything! I can see the evidence and am looking for any way to present it in a better and more readable format.
Any idea what the name of the folder is? IndexedDB and leveldb are common names
10:09 AM
If the MANIFEST-????? file has leveldb.bitwisecomparator set as the comparator, it can read them (the tool will tell you if it can't)
@Matt it is in a files folder under com.google.android.gms
Worth downloading and giving it a shot then
@Matt will do thank you so much!
Feel free to ping/DM if there's any issues!
Does anyone know if there is a log for wifi and USB connections to an android device? I have a physical extraction from an LG Rebel 4 and I am trying to figure out how it had an 'out-of-body-experience' and filmed itself.
Anyone that has managed to decrypt the Wickr app from a physical extraction from a Samsung phone?
florus
@Rob @CLB-Paul @DFIR Pad1 re-doing as we speak. Getting errors "failed to get data for zip entry:....." Someone from @Cellebrite around to show these errors? Edit: with these errors I'm able to make a report, but it didn't create a UFED Reader... the 7.39 version does make a ufedreader.exe file. (edited)
Hey @florus, did you manage to find out why this error occurred?
Can anyone tell me how I can tell when an iPhone was first activated?
Does anyone know offhand if dates are present in WebKit history that is parsed out of an iPhone with Axiom? I've looked at a couple of the files Axiom is pointing me toward and I'm not seeing anything obvious in there.
@Cellebrite Anyone know why my reader is generating all these errors now?
skhjr
Can anyone tell me how I can tell when an iPhone was first activated?
...accounts3.sqlite (also sms.db, call_history.db, usersettings.plist, addressbook.sqlitedb, voicemail.db and notes.db) there is info... maybe there is the file .obliterated (iPhone was deleted). (edited)
Ghosted
@Cellebrite Anyone know why my reader is generating all these errors now?
What version are you using? Latest version fixes something might be related. See picture.
@Brigs I updated to latest and was still getting this.
Ghosted
@Brigs I updated to latest and was still getting this.
Can you open the extraction with the new PA and create a new UFDR? Just wondering.
@Cellebrite did you know excel has a limit of 65530 hyperlinks in a spreadsheet? This fails to export hyperlinks for more than that many images. Could we get a warning box about it or something for people who don't know? (edited)
@TwoHead no i did not
👍 1
Ghosted
@Cellebrite Anyone know why my reader is generating all these errors now?
CLB - DavidK 4/8/2021 12:50 AM
I DM'd you
Is there a way to access content in Knox Secure Folder without the password? We have managed to retrieve a physical extraction (edited)
Is anyone else experiencing this problem with UFED Reader? When I launch a report generated with image classification it hangs on the splash screen at 14% and never opens.
Any clever clogs in here able to assist? Got a physical from an S8+ that was pattern locked, extraction summary isn't showing the pattern, what db may contain what it was?
4:00 AM
We have another phone, also pattern locked but need to unlock it to gain a FFS from it so hoping the same pattern was used. (edited)
Rob
Any clever clogs in here able to assist? Got a physical from an S8+ that was pattern locked, extraction summary isn't showing the pattern, what db may contain what it was?
It's not going to show pattern, those are gatekeeper files, hw-backed, won't get decoded like on old Android from around ~4.x era (edited)
Arcain
It's not going to show pattern, those are gatekeeper files, hw-backed, won't get decoded like on old Android from around ~4.x era (edited)
Thanks for at least confirming our fear 😄
jaikl
Is there a way to access content in Knox Secure Folder without the password? We have managed to retrieve a physical extraction (edited)
i'll send you dm
Working on a physical extraction from a LG Stylo 5, and found a database called "NETREC", which has timestamped columns for SSID and BSSID that wasn't decoded by Cellebrite. The listed BSSID's all appear to be 36 bytes long, and another table in the database shows those associated with a network_rowid, but no other matching tables? Anybody have any experience with this?
Is anyone from @Magnet Forensics available to talk? Need a quick conversation about loading a large amount of data from an iPhone extraction.
forensicmike @Magnet 4/8/2021 6:05 AM
Hi, sure
6:05 AM
DM away 🙂
Scenario: Cat telephone imaged with Magnet Acquire. Extracted the contents and placed the agent_mmssms.db in the telephony/databases folder. (Renamed both that and the journal file to mmssms.db.) Opened Cellebrite PA and imported the folder as Generic Android Filesystem. Issue is that it does not decode the messages. When I open the mmssms.db in the SQLite wizard it displays the content.. Though I am way too tired to start dragging the boxes to manually do it. Does anyone have an idea why it does not automatically decode / have an mmssms parser.xml they are willing to share? 🙂
I suspect it will be much quicker for you to quickly knock up a parser in wizard than it will be waiting for someone with the same problem to reply. My guess is the file name change as Cellebrite relies on the database name and not the file path, so you have potentially confused it.
Is there a reason why classification results are not saved in a session file in @Cellebrite PA or is this a bug on my side?
@MSAB Your new funky huawei exploits, we're staring at the brute force section and we don't actually know what type of passcode the phone has (screen is just a black screen)
8:10 AM
Is there an option to try all?
8:10 AM
We're going to look to see if we have a spare handset we can use as a donor to fix the screen tomorrow but just in case we can't find a donor
@Rob ah, busted screen? If you move the brute force window you should see if it’s simple/complex from the log I believe. Just DM me if you need any further assistance!
Will do tomorrow!
Salute 1
Just doing some testing of SD cards from phones to streamline our process. Just wondering what you currently do? We are doing an FTK image then loading that into XRY. I've tested acquisition and decoding in UFED and found it took 4 mins, but when I added MD5 hash calculation it took an extra 11 minutes to verify the 1 GB image hash. XRY was OK, about 5 mins extraction. I already know they both fail to decode various compressed files. So open to suggestions? (edited)
Hi Team I have an unlocked iPhone 12 Pro Max iOS 14.4 with an extraction done by a cell phone extraction tool. Does anyone know of any software that can decrypt the Signal messages? Yes it is unlocked and we can see plenty of good material within the app. But i would like to preserve these artefacts before connecting it back to the internet. Feel free to dm me
8kapileup
Hi Team I have an unlocked iPhone 12 Pro Max iOS 14.4 with an extraction done by a cell phone extraction tool. Does anyone know of any software that can decrypt the Signal messages? Yes it is unlocked and we can see plenty of good material within the app. But i would like to preserve these artefacts before connecting it back to the internet. Feel free to dm me
I believe @Magnet Forensics can
Noticed telegram moved from cache4db to db_sqlite now. Does anyone know of 3rd party tool to parse the db?
Random question, running PA 7.43 and now 7.44, both versions: when I run my iPhone 11 AFU extraction (159GB extraction) it eats up 20ish GB on my OS which, eh, no worries, but odd since I have 128GB of RAM and nothing else running. But then when I run the malware scan it eats up my OS free space, which was 182 GB, and crashes my system. First time I wasn't there so didn't see what ate the free space, just came in and saw 0 bytes free. Now I sat there running the program and refreshing the file explorer and watching where my free space goes and when. Anyone else got this problem?
Reedsterz
Noticed telegram moved from cache4db to db_sqlite now. Does anyone know of 3rd party tool to parse the db?
Have not run it against that particular DB but Sanderson is my go-to standalone tool.
👍 2
surturrevived 4/9/2021 3:50 AM
Hello. Does anyone have experience with an Android database similar to iOS cache.sqlite which stores detailed location data? The phone has location services activated, but the parsed location data does not give us what we are looking for. Feel free to dm me.
Hello, I am working on an iPhone 8 iOS 11.4.1 acquisition made in September 2018 with 4PC (FS) and PA (methods 1 & 2). I am looking for information on iCloud activity. In account3.sqlite I have these two accounts used. Does anyone know which plist or SQL file is likely to keep a trace of data backup in iCloud?
I have three images from a KaiOS phone which are of interest. Looking at the hex I see two phone numbers followed by /TYPE=PLMN. I found some articles which indicate this is added to both numbers (sender/receiver) by the telco. Is there a way to determine which phone was the sender? (edited)
10:20 AM
redacted info of what I am seeing: ...D91203022649600026000070000......+18XXXXX8641/TYPE=PLMN..........+15XXXXX2044/TYPE=PLMN..12030226496000260000
10:24 AM
one of the numbers was confirmed as being the phone number assigned to the phone being examined.
8kapileup
Hi Team I have an unlocked iPhone 12 Pro Max iOS 14.4 with an extraction done by a cell phone extraction tool. Does anyone know of any software that can decrypt the Signal messages? Yes it is unlocked and we can see plenty of good material within the app. But i would like to preserve these artefacts before connecting it back to the internet. Feel free to dm me
Signal decryption requires the key stored in keychain (with high protection attribute), so it is possible with agent extraction only (but it works up to 14.3 for now) or probably with GrayKey.
sebastianpc 4/10/2021 8:04 AM
I have a dump of an iPhone 6s running iOS 13.0 where I need to read Signal messages. It was dumped using Cellebrite UFED; I have a keychain dump but I think it's encrypted and I'm having a hard time extracting the key for Signal
@forensicmike @Magnet Didn't Mike do some work on Signal? @sebastianpc Edit: here is a blog from Magnet: https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey (edited)
sebastianpc 4/10/2021 8:30 AM
I think the keychain is encrypted. (edited)
8:31 AM
also i don't have GrayKey
8:31 AM
or any other tools for this
sebastianpc
I think the keychain is encrypted. (edited)
forensicmike @Magnet 4/10/2021 8:49 AM
Hi, so the keychain is encrypted on disk, but if you used Cellebrite then the keychain dump you got shouldn't be. They likely are still base64 encoded though. Shoot me a DM if you'd like to chat more.
8kapileup
Hi Team I have an unlocked iPhone 12 Pro Max iOS 14.4 with an extraction done by a cell phone extraction tool. Does anyone know of any software that can decrypt the Signal messages? Yes it is unlocked and we can see plenty of good material within the app. But i would like to preserve these artefacts before connecting it back to the internet. Feel free to dm me
forensicmike @Magnet 4/10/2021 9:10 AM
Hi, I have a few ideas for you re: Signal depending on how badly you need it. Shoot me a DM if you still need. (edited)
Is there an easy way to "print" the conversation view in Cellebrite PA? I have used the "export" to PDF and HTML as well as tried the report capabilities, however the result is far too cluttered with metadata. I need a PDF with a clean view of the back and forth chat w/in a single conversation.
BSOD
Is there an easy way to "print" the conversation view in Cellebrite PA? I have used the "export" to PDF and HTML as well as tried the report capabilities, however the result is far too cluttered with metadata. I need a PDF with a clean view of the back and forth chat w/in a single conversation.
Have you tried export chat view / chat bubbles via the report menu?
👍 1
Palazar82
Random question, running PA 7.43 and now 7.44, both versions: when I run my iPhone 11 AFU extraction (159GB extraction) it eats up 20ish GB on my OS which, eh, no worries, but odd since I have 128GB of RAM and nothing else running. But then when I run the malware scan it eats up my OS free space, which was 182 GB, and crashes my system. First time I wasn't there so didn't see what ate the free space, just came in and saw 0 bytes free. Now I sat there running the program and refreshing the file explorer and watching where my free space goes and when. Anyone else got this problem?
CLB - DavidK 4/11/2021 1:09 AM
The malware scanner shouldn't eat up any space, it must be something else. In your second attempt did you notice where in the file system your space was filled up?
sebastianpc
I have a dump of an iPhone 6s running iOS 13.0 where I need to read Signal messages. It was dumped using Cellebrite UFED; I have a keychain dump but I think it's encrypted and I'm having a hard time extracting the key for Signal
CLB - DavidK 4/11/2021 1:11 AM
If you dumped it using the checkm8 method it shouldn't be encrypted. Can you please share the PA logs via DM so I'll see why Signal wasn't parsed?
Tip: Hi all, I found InCalc in an iOS extraction. This is a Secret Photo Album app (https://apps.apple.com/us/app/secret-photo-album-incalc/id1136259225). I had no time (and probably not the knowledge to reverse the encryption method 😅 ), so I dug into the file system (mobile > Containers > Data > Application > cn.photovault.calculator). Hidden content is in the Vault folder. Digging into pv_setting_incalc_v5113.json, I found a super_password key, with value 66666666666666666666 (20x 6). Guess what: this master key allows one to enter the (so-called) vault and check on the content 🤓 . Currently, I don't know how to use that key to decrypt files in the Vault folder, but at least one can view them. This tip works at least up to the current version 5.1.17 @Cellebrite @MSAB @Oxygen Forensics
👍 12
😍 4
CLB-Paul
Have you tried export chat view / chat bubbles via the report menu?
Where is this menu item? Is it in P.A. or in Reader? (edited)
CLB-Paul
Have you tried export chat view / chat bubbles via the report menu?
Thanks Paul. This view is still very cluttered with metadata. I'm looking for a very simple view like the conversation view in PA. I ended up exporting to UFDR and importing into another forensic tool to get a view that looks similar to how chats look on a phone. I was just hoping there was an easier solution.
BSOD
Thanks Paul. This view is still very cluttered with metadata. I'm looking for a very simple view like the conversation view in PA. I ended up exporting to UFDR and importing into another forensic tool to get a view that looks similar to how chats look on a phone. I was just hoping there was an easier solution.
I have been creating a new UFDR with tags only, without source file information and then created a PDF report from that. Pretty much only the chat bubbles left at that point.
4N6Matt
Just doing some testing of SD cards from phones to streamline our process. Just wondering what you currently do? We are doing an FTK image then loading that into XRY. I've tested acquisition and decoding in UFED and found it took 4 mins, but when I added MD5 hash calculation it took an extra 11 minutes to verify the 1 GB image hash. XRY was OK, about 5 mins extraction. I already know they both fail to decode various compressed files. So open to suggestions? (edited)
If the SD is part of the phone exhibit we use Cellebrite UFED / PA as our primary tool. If it's an SD on its own we treat it as a storage device and use TX1, inputting into Axiom (FTK if that doesn't work)
BSOD
Thanks Paul. This view is still very cluttered with metadata. I'm looking for a very simple view like the conversation view in PA. I ended up exporting to UFDR and importing into another forensic tool to get a view that looks similar to how chats look on a phone. I was just hoping there was an easier solution.
I'd be interested as well. I sometimes import the PA report into MobilEDIT and then export only SMS, as it makes it quite clean looking for print.
Does anyone know what files end up in com.sec.android.app.myfiles/cache? Files that have been interacted with using the My Files app?
Does anyone know why a file found within 118APPLE wouldn't be within photosqlite?
@JMK thanks, I will try Axiom on our test SD. It is for SDs from phones. We are reluctant to use PA as it has issues with compressed files, e.g. missing files and renaming stuff to embedded.... I raised it about 2+ years ago with their support. Apparently it went in as a feature request, although clearly it's missing the evidence! And if it's renaming them to embedded it's no good when you are trying to run a keyword search over it for certain images.
@jaikl I've noticed some cached images recently in PA for the Chrome app. The images are normally named embedded... and contain extra data such as the original file name and the URL where it came from, and other stuff. Browse to the image location and look at the file in hex view. You will find it's made of several parts. I think one of them is some sort of certificate etc... Needs more R & D. Try opening the cached files in the hex view and it may reveal more.
Can anyone tell me when this file path is created? private\var\mobile\Library\Caches\com.apple.MobileSMS\Previews\Search\PhotoSearchSection-at_X_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.png Is this path created when someone went into the Messages application on an iPhone and searched at the top for a specific image/message? (edited)
Anyone have a suggestion for a program to parse out Skype chats that are obtained from Skype's "download my data" feature? JSON file format
Arcain
I'd be interested as well. I sometimes import the PA report into MobilEDIT and then export only SMS, as it makes it quite clean looking for print.
Does it work for WhatsApp too?
@FabianoQ I don't think I tested, but it should do too. You can select to decode and report a single app if you wish (edited)
Avatar
Worth a test. Thanks.
12:17 AM
Specifically from that page https://go.skype.com/skype-parser
Avatar
@lp4n6 I installed that app, just went into the files and they are not encrypted? That superkey always seems to read that as well. However if you go to mobile/Containers/Data/Application/cn.photovault.calculator/Library/Preferences/cn.photovault.calculator.plist then the password and user details are in clear text under SETTING_PASSWORD : AsciiString = (edited)
Avatar
Avatar
CCC
@lp4n6 I installed that app, just went into the files and they are not encrypted? That superkey always seems to read that as well. However if you go to mobile/Containers/Data/Application/cn.photovault.calculator/Library/Preferences/cn.photovault.calculator.plist then the password and user details are in clear text under SETTING_PASSWORD : AsciiString = (edited)
Thank you very much for your further analysis!
Avatar
@Cellebrite Is there a way to import a manually made Signal backup into PA? I have been having issues with Signal since it didn't get decoded from a full filesystem.
Avatar
@Oxygen Forensics - I am trying to load some legacy physical extractions into oxy detective v 13.4 - I have various android images, a dmg from an iphone 4 and various others, however I am getting very limited info after importing - no parsing of contacts, messages, applications or pretty much anything except a list of files. I also have a bin from a Note3 and that did work ok, so clearly something odd happening. Is there some workflow/process I am missing here which might explain why most of them do not work (they work fine in CB PA)? Can take it via PM if easier! Thanks (edited)
Avatar
Does anyone have a link to an article/blog/etc. that talks about when a new folder (i.e. 101APPLE, 102APPLE) in the DCIM folder is created on an iPhone? Is it a size limitation, a number-of-photos limit? (edited)
Avatar
Things I’ve been able to determine using an iPhone 8+ (running iOS 11.2) connected to a PC running Ubuntu 16.04. This may not apply to…
Avatar
@B thanks for the link. I had read that one, but wasn't sure if there was anything newer. Sometimes, the existence of the folders doesn't seem logical with the number of photos that actually exist.
Avatar
Could deleted photos maybe explain that? Might check on the photos db if that gives any clues
Avatar
I have a physical extraction of a KaiOS 4052R phone. @Oxygen Forensics did a great job of parsing the messages, but it isn't getting a draft message. Through @Cellebrite PA I can see the message in hex, but it doesn't show it is associated with any file in particular. I was expecting it to be in the 226660312ssm.sqlite db. PA didn't parse any of the files for this phone. Through Oxygen, I can pull up the db, but haven't been able to figure out how to search the hex of the db or the full phone. Any suggestions?
Avatar
Hi. Maybe someone from @Cellebrite can answer what the source of picture timestamps is in PA 7.44 iOS advanced logical extraction. I assume that these are file system timestamps. I have some files of interest under /mobile/Media/DCIM/102APPLE/ with jpg extension. PA shows all timestamps as 2020-11-23. These files have thumbnails under mobile/Media/PhotoData/Thumbnails/V2/DCIM/102APPLE/IMG***.JPG/5005.JPG with timestamps 2020-02-15. In Photos.sqlite I see that the values of ZASSET.ZDATECREATED and ZASSET.ZADDEDDATE are 2020-02-15. There are no timestamps 2020-11-23 in Photos.sqlite. These files have ZGENERICALBUM.ZTITLE values "Snapchat" and ZASSET.ZSAVEDASSETTYPE values "3". Maybe these files were saved from Snapchat on 2020-11-23, but why then are the ZADDITIONALASSETATTRIBUTES.ZORIGINALFILENAME values "IMG***.JPG" and the ZADDITIONALASSETATTRIBUTES.ZCREATORBUNDLEID values empty?
Avatar
Avatar
bizzlyg
@Oxygen Forensics - I am trying to load some legacy physical extractions into oxy detective v 13.4 - I have various android images, a dmg from an iphone 4 and various others, however I am getting very limited info after importing - no parsing of contacts, messages, applications or pretty much anything except a list of files. I also have a bin from a Note3 and that did work ok, so clearly something odd happening. Is there some workflow/process I am missing here which might explain why most of them do not work (they work fine in CB PA)? Can take it via PM if easier! Thanks (edited)
Oxygen Forensics 4/15/2021 1:42 AM
DM'd
👍 1
Avatar
Avatar
sholmes
I have a physical extraction of a KaiOS 4052R phone. @Oxygen Forensics did a great job of parsing the messages, but it isn't getting a draft message. Through @Cellebrite PA I can see the message in hex, but it doesn't show it is associated with any file in particular. I was expecting it to be in the 226660312ssm.sqlite db. PA didn't parse any of the files for this phone. Through Oxygen, I can pull up the db, but haven't been able to figure out how to search the hex of the db or the full phone. Any suggestions?
Oxygen Forensics 4/15/2021 1:51 AM
DM'd
👍 1
Avatar
Hi, I'm wondering what Confidence means in the context of carved location data. Specifically in Cellebrite PA. Thanks
Avatar
I think I know the answer but I just wanna throw it out there and hope for the best - is there a database on Samsung A51 that's equivalent to iOS knowledgeC where it records whether the camera was in use or not?
Avatar
Avatar
chrisforensic
hello folks... just a short question concerning the app "Waze".... if there is a geoposition stored in the category "navigates", can we say that the phone was at that position, at that time? (edited)
Deleted User 4/15/2021 6:15 AM
Have you got any answer about that?
Avatar
Avatar
Kar
Hi, I'm wondering what Confidence means in the context of carved location data. Specifically in Cellebrite PA. Thanks
We did an episode of I Beg to DFIR on it. It really depends on the source of the data.
Avatar
Avatar
CLB-Paul
We did an episode of I Beg to DFIR on it. It really depends on the source of the data.
AzuleOnyx🛡 4/15/2021 6:30 AM
which ep?
Avatar
Let me look it up
❤️ 1
6:31 AM
Hosted by: Ronen Engler – Senior Manager, Technology and Innovation at Cellebrite Heather Mahalik – Senior Director of Digital Intelligence at Cellebrite Paul Lorentz – Senior Solutions Engineer at Cellebrite This is the first episode of “Nothing to See Here? I Beg to DFIR” (Digital Forensics and Incidents Response). In this series, we want to …...
❤️ 1
6:31 AM
The first one 🙂
Avatar
AzuleOnyx🛡 4/15/2021 6:31 AM
of course ...haha
6:31 AM
thanks
Avatar
Avatar
Deleted User
Have you got any answer about that?
chrisforensic 4/15/2021 7:37 AM
no, didn't get any answer/hint...
😢 1
Avatar
Avatar
sholmes
I have a physical extraction of a KaiOS 4052R phone. @Oxygen Forensics did a great job of parsing the messages, but it isn't getting a draft message. Through @Cellebrite PA I can see the message in hex, but it doesn't show it is associated with any file in particular. I was expecting it to be in the 226660312ssm.sqlite db. PA didn't parse any of the files for this phone. Through Oxygen, I can pull up the db, but haven't been able to figure out how to search the hex of the db or the full phone. Any suggestions?
I wanted to update my findings on this issue of finding a draft text message on a KaiOS phone. The draft message was not located in the SMS database, but was found in the webappsstore.sqlite database. Through the Search feature under the Analytics section of the Home tab, I was able to search for a specific phrase from the draft message using the following options: "all text data" and "exact phrase." I selected "File Content" and "All Files." Thanks to @Oxygen Forensics tech support for the numerous email responses to get this resolved. Hope this helps others.
👍 2
Avatar
Avatar
chrisforensic
hello folks... just a short question concerning the app "Waze".... if there is a geoposition stored in the category "navigates", can we say that the phone was at that position, at that time? (edited)
Deleted User 4/15/2021 11:34 PM
@Cellebrite May we have an answer about that?
Avatar
Avatar
sholmes
I wanted to update my findings on this issue of finding a draft text message on a KaiOS phone. The draft message was not located in the SMS database, but was found in the webappsstore.sqlite database. Through the Search feature under the Analytics section of the Home tab, I was able to search for a specific phrase from the draft message using the following options: "all text data" and "exact phrase." I selected "File Content" and "All Files." Thanks to @Oxygen Forensics tech support for the numerous email responses to get this resolved. Hope this helps others.
Oxygen Forensics 4/16/2021 2:37 AM
Nice, I will keep in mind your finding regarding the draft and am glad you found what you were looking for👌
Avatar
Hey all, question to see if anyone else has run into this and if there's something that can be done to mitigate..
10:25 AM
for context, the vast majority of my collections are for e-discovery purposes so the workflow is to pull iOS backups using iTunes and process them with axiom
10:25 AM
i pulled a backup from a client's phone this week, processed it, and saw no issues in the logs. Processing a second time gave identical results
10:26 AM
But when I take a look at the results for my searches, photos were sent but have broken image links. Upon further inspection there is no Attachments folder.
10:27 AM
1. would this be indicative of iOS aggressively managing storage and either purging or offloading attachments to iCloud storage?
10:27 AM
2. Could this be mitigated by making sure that clients take a look at their messages and ensure that they see images and not image icons and file names in the messages app prior to running the iOS backup?
10:31 AM
cc to @Magnet Forensics ^^
Avatar
ScottKjr3347 4/16/2021 2:59 PM
Someone asked me if i had a query for Photos.Sqlite in iOS 12 similar to the ones for iOS 13 and iOS 14 posted awhile back. Due to iOS 12 being a little old, I did not search around and dig for additional data in the db, but modified the iOS 13 query to work for iOS 12 and just wanted to post it for everyone's use. These queries have helped me on several different cases and hope they can help you. iOS12 https://drive.google.com/file/d/1Rtzlh1qXduecjs-SdFm-2Hm20tpE2BQD/view?usp=sharing iOS13 https://drive.google.com/file/d/1f7OSXTm-W4afh_x6AZy4apmfEPeJUq1x/view?usp=sharing iOS14 https://drive.google.com/file/d/1JVd7eInFMgUbuhPXQxmxt4c_NODlyeYb/view?usp=sharing
💯 6
👌 4
👍 6
Avatar
burgers_N_bytes 4/17/2021 10:34 AM
Can someone point me in the direction of some Apple documentation that points to where iOS gets its clock time information from? Thanks.
Avatar
Hi guys. A colleague gave me a full file system extraction of an iPhone made with Elcomsoft. I have UFED so I analyzed it with PA and everything is fine except Signal not being decoded. I see an XML file about the keychain is part of the Elcomsoft extraction. Does anyone know how/if it is possible to decode Signal in this situation and have it included in the UFED report?
Avatar
Avatar
FabianoQ
Hi guys. A colleague gave me a full file system extraction of an iPhone made with Elcomsoft. I have UFED so I analyzed it with PA and everything is fine except Signal not being decoded. I see an XML file about the keychain is part of the Elcomsoft extraction. Does anyone know how/if it is possible to decode Signal in this situation and have it included in the UFED report?
forensicmike @Magnet 4/18/2021 7:21 AM
Not sure on the answer here unfortunately but definitely would be great if there was some kind of standardized way of doing keychain dumps for cross tool compatibility
Avatar
Avatar
FabianoQ
Hi guys. A colleague gave me a full file system extraction of an iPhone made with Elcomsoft. I have UFED so I analyzed it with PA and everything is fine except Signal not being decoded. I see an XML file about the keychain is part of the Elcomsoft extraction. Does anyone know how/if it is possible to decode Signal in this situation and have it included in the UFED report?
Is there anything related to Signal under the password tab in PA? If not you could try to search the keychain manually by following these steps: https://github.com/Magpol/HowTo-decrypt-Signal.sqlite-for-IOS (edited)
Decrypt signal.sqlite IOS. Contribute to Magpol/HowTo-decrypt-Signal.sqlite-for-IOS development by creating an account on GitHub.
Avatar
Avatar
Oscar
Is there anything related to Signal under the password tab in PA? If not you could try to search the keychain manually by following these steps: https://github.com/Magpol/HowTo-decrypt-Signal.sqlite-for-IOS (edited)
Thanks
Avatar
hello, I have a physical and full filesystem extraction of an LG LM-X410TK K30 cellphone. Though @Cellebrite parsed some of the messages, I see more in mmssms.db. I tried to manually parse them, but I think I'm having problems connecting all the different databases; is there a plug-in that I can run? Also, why are those messages not parsed? On the device they are located together with the ones that were carved. (edited)
Avatar
@Cellebrite is there anyway to troubleshoot a session file that no longer applies? Trace window has the following entries “Failed to found entries to bookmark” and “Failed to found entries to check/uncheck” entire session is failing and nothing previously tagged is reapplied
Avatar
Erdogeholic 4/19/2021 10:50 PM
Hello, in Cellebrite PA there is the option for "generic file carving" to decode data from unallocated space. Applying this on GK FFS extractions there are many hits in the carving results. How is that possible? So "Generic File Carving" is not only for physical extractions?
Avatar
@Erdogeholic no use in carving unallocated, because it's all encrypted.
Avatar
Avatar
florus
@Erdogeholic no use in carving unallocated, because it's all encrypted.
Erdogeholic 4/20/2021 3:46 AM
Thanks
Avatar
Hey guys, quick question. I got a Samsung Note 10 (Model: SM-N970U, Android: 11) that I am trying to get the Discord chats from. I got a Full File System from the Cellebrite Touch 2. I was unable to get OxyAgent to work on the phone. I found a file named "STORE_MESSAGES_CACHE_V26" which contains partial chat information. Has anyone dealt with this before or know some tips and tricks I could use?
Avatar
Avatar
belskayal
hello, I have a physical and full filesystem extraction of an LG LM-X410TK K30 cellphone. Though @Cellebrite parsed some of the messages, I see more in mmssms.db. I tried to manually parse them, but I think I'm having problems connecting all the different databases; is there a plug-in that I can run? Also, why are those messages not parsed? On the device they are located together with the ones that were carved. (edited)
CLB - DavidK 4/20/2021 8:32 AM
I DM'd you
Avatar
@zero00796 ALEAPP might support the decoding? I thought i read something about that @Brigs
Avatar
Avatar
florus
@zero00796 ALEAPP might support the decoding? I thought i read something about that @Brigs
It doesn't. Been on my to-do list forever. I have some blog posts about it. Here is one on Android: https://abrignoni.blogspot.com/2017/07/discord-app-forensic-artifacts-in.html (edited)
What is Discord? Discord is a communication platform for video gamers. It advertises minimal CPU usage, high voice quality and multiple s...
Avatar
Avatar
florus
@zero00796 ALEAPP might support the decoding? I thought i read something about that @Brigs
If the Android extraction has the app directory where the apks reside you can use a virtual machine to view them. This blogpost explains the manual process: https://abrignoni.blogspot.com/2017/08/viewing-extracted-android-app-data.html It is way easier if you use the Magnet App Simulator. It is free. https://www.magnetforensics.com/resources/magnet-app-simulator/ Regarding the previous blog post on the Discord file structure here is an explanation on why the last character is always "missing": https://abrignoni.blogspot.com/2017/08/discord-app-missing-values-not-missing.html I also have a list on how to Parse Discord on all sorts of clients and operating systems here: https://abrignoni.blogspot.com/2020/09/its-alive-attachment-links-in-discord.html Anything I can help out with let me know. -Brigs
In the previous blog posts I used free and open source forensic tools to view the content and file structure of the Android Discord app. Af...
MAGNET App Simulator: What Does it Do? MAGNET App Simulator lets you load application data from Android devices in your…
  • Oct 17, 2018 - Update with further insight here . * Last post I did a quick overview of the Discord app for Android. At the time I co...
What happens to the URL links inside Discord chats if you copy-paste them into an internet connected browser? You might be surprised to know...
👍 1
Avatar
Andrew Rathbun 4/20/2021 6:40 PM
Great work as always @Brigs
❤️ 4
👍 1
Avatar
Deleted User 4/20/2021 11:46 PM
Hello everyone, I've got several Android devices where neither physical nor FFS extractions decode the Signal that is on the phone with messages. Honestly, I think I have never seen Signal decoded on Android. Is there something to do in PA? What is the best way to process it? What did you do to decode Signal data? (edited)
Avatar
Avatar
Deleted User
Hello everyone, I've got several Android devices where neither physical nor FFS extractions decode the Signal that is on the phone with messages. Honestly, I think I have never seen Signal decoded on Android. Is there something to do in PA? What is the best way to process it? What did you do to decode Signal data? (edited)
I believe the Signal database key is stored in the device KeyStore which you need a rooted phone to access. If you have the passcode you could try https://github.com/xeals/signal-back (edited)
Decrypt Signal encrypted backups outside the app. Contribute to xeals/signal-back development by creating an account on GitHub.
Avatar
Echmyre[FORENTECH] 4/21/2021 1:03 AM
You must have the decrypted keychain (with iOS FTK for example) and find TSKeyChainService or GRDBKeyChainService (base64) in it. The v_Data key within that object contains the encryption key for Signal in Base64. Convert this Base64 value to hex to get the 96-character key, then import the key in Axiom.
👍 1
1:04 AM
But you want to know for android lol... sorry
Avatar
Avatar
Oscar
I believe the Signal database key is stored in the device KeyStore which you need a rooted phone to access. If you have the passcode you could try https://github.com/xeals/signal-back (edited)
Deleted User 4/21/2021 1:13 AM
I'll look on that ! Thanks
Avatar
Echmyre[FORENTECH] 4/21/2021 1:22 AM
Oxy agent can do it for android
👍 1
Avatar
Can anyone confirm where I can find the firmware for a Samsung Galaxy A51 I extracted?
4:38 AM
(FBE full filesystem)
4:38 AM
Is it vendor/build.prop?
Avatar
Echmyre[FORENTECH] 4/21/2021 4:43 AM
any @MSAB guys free for pm? thanks
Avatar
@Echmyre[FORENTECH] Sure thing, what's up?
Avatar
Covert_Monkey 4/21/2021 4:54 AM
@Oxygen Forensics would it be possible to get a copy of the reader software please?
Avatar
Avatar
Covert_Monkey
@Oxygen Forensics would it be possible to get a copy of the reader software please?
Oxygen Forensics 4/21/2021 4:54 AM
Hello, DM'd
Avatar
Avatar
Pacman
Is it vendor/build.prop?
Deleted User 4/21/2021 4:57 AM
Yes
4:57 AM
write like that:
BOOTIMAGE_BUILD_PROPERTIES
ro.bootimage.build.date=Fri Jan 8 14:35:48 KST 2021
ro.bootimage.build.date.utc=1610084148
ro.bootimage.build.fingerprint=samsung/a51nsxx/a51:10/QP1A.190711.020/A515FXXU4CUA1:user/release-keys
#
4:58 AM
A515FXXU4CUA1 is the firmware PDA
Avatar
Perfect - thanks
Avatar
Very quick Cellebrite Reader question - I have a ticket in but ideally need a quick answer if possible. Is there an installable version of Cellebrite Reader available anywhere? We are still hitting our head against the wall getting this to work on our force IT systems. Whitelisting has just led to more problems so we are now looking at packaging the program again, which apparently is not easy to do without an installer. @Cellebrite
WatchingYou 1
Avatar
Avatar
K23
Very quick Cellebrite Reader question - I have a ticket in but ideally need a quick answer if possible. Is there an installable version of Cellebrite Reader available anywhere? We are still hitting our head against the wall getting this to work on our force IT systems. Whitelisting has just led to more problems so we are now looking at packaging the program again, which apparently is not easy to do without an installer. @Cellebrite
As far as I know there is no installer
Avatar
Avatar
CLB-Paul
As far as I know there is no installer
Thanks Paul, that's what I assumed but was hoping there was one hidden somewhere.
Avatar
It's included in the PA directory, but it's not "installed", just the exe..
Avatar
Yeah. Installing PA on every single force laptop will be a bit of a non-option. We'd just have officers and staff loading that up instead of reader most likely, complaining about licence issues
Avatar
Avatar
K23
Yeah. Installing PA on every single force laptop will be a bit of a non-option. We'd just have officers and staff loading that up instead of reader most likely, complaining about licence issues
The executable doesn't need to be "installed" to run. Just put it anywhere on the computer and add a shortcut to it on the desktop. For all intents and purposes it is "installed" at that point.
Avatar
Honestly I'm not sure where the "installed" requirement comes from. I'm assuming when it's packaged via Intune it needs a nice way to deploy and be "installed" to a location with a shortcut etc. on each computer. This is just what I've been fed back from IT, so it could be we need to package it ourselves in a fake installer to carry out these tasks.
6:38 AM
This is the process that is being looked at, again not an expert in this area: https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare
Learn how to prepare a Win32 app to be uploaded to Microsoft Intune.
6:40 AM
Looking at the tool, it's looking for install / uninstall options during the preparation phase, so that could be where the hiccup is for us
Avatar
Avatar
K23
Looking at the tool, it's looking for install / uninstall options during the preparation phase, so that could be where the hiccup is for us
I don't know how your system is set up. Back in my IT admin days in an Active Directory domain I could just use GPO to copy the files over.
Avatar
Avatar
Brigs
I don't know how your system is set up. Back in my IT admin days in an Active Directory domain I could just use GPO to copy the files over.
Yeah, I don't think our setup is that simple unfortunately. SCCM, Intune and various other things are in play, and the system is used across two forces with several thousand officers to support. So we've got to use their processes for deployment. Previously we had it packaged through SCCM, but this was taking too long for IT to process, to the extent that often a new release was issued by Cellebrite before the current version had been deployed by IT. This Intune method is supposed to be a lot quicker, but seems to require an installer. It's been a fun multi-year journey
😢 1
Avatar
Forensic@tor 4/21/2021 8:01 AM
@K23 You will also have the issue of having to reinstall it every new release as well. Old readers generally won't open new UFDR reports generated off newer versions of PA.
👍 2
Avatar
Jenny Froggy 4/21/2021 8:10 AM
@Kar did you figure this out? My guess is that a confidence of 1.0 means the device is fully confident that the location is of interest to the user. If it's less than 1.0 then it's not so confident.
Avatar
Avatar
Forensic@tor
@K23 You will also have the issue of having to reinstall it every new release as well. Old readers generally won't open new UFDR reports generated off newer versions of PA.
Well aware of all the headaches involved, including that one. This deployment method will allow us to push out new versions fairly easily. We tried just whitelisting the .exe and publisher via AppLocker to avoid that but were hitting plenty of other issues. It's been fun!
Avatar
@Cellebrite Any thoughts on why Media Classification sometimes does not categorize videos at all? I have a CSAM case where it missed some videos that were very apparent and put them in 'Unclassified' instead of 'Nudity'.
Avatar
Avatar
FullTang
@Cellebrite Any thoughts on why Media Classification sometimes does not categorize videos at all? I have a CSAM case where it missed some videos that were very apparent and put them in 'Unclassified' instead of 'Nudity'.
heatherDFIR 4/21/2021 1:03 PM
Hmm. I assume you selected videos? Did you run it pre or post parsing?
Avatar
Post. I am running it again to see if it catches them the second time.
1:04 PM
And yes I selected videos. It did put some videos into 'Nudity', but not all.
Avatar
Avatar
FullTang
Post. I am running it again to see if it catches them the second time.
heatherDFIR 4/21/2021 1:05 PM
I am in a RSA meeting in a bit, but email me if you get the issues again. I will take a look for you. Heather@cellebrite.com
Avatar
Avatar
heatherDFIR
I am in a RSA meeting in a bit, but email me if you get the issues again. I will take a look for you. Heather@cellebrite.com
Sounds good, thanks!
Avatar
iOS WiFi/location data question: I'm trying to find a resource on, or just in general understand, what the significance of the factory.db associated with the CoreLocation framework on iOS is. I haven't tested yet, so any insight into how those MACs, lat/longs, etc. are generated would be appreciated.
Avatar
I have an iPhone 8 running iOS 14.3. I have a successful @Cellebrite full F/S. The phone in question has hundreds of websites/usernames/passwords saved in the default “passwords” vault. Is there any way to parse this data? (edited)
Avatar
Avatar
Troy
I have an iPhone 8 running iOS 14.3. I have a successful @Cellebrite full F/S. The phone in question has hundreds of websites/usernames/passwords saved in the default “passwords” vault. Is there any way to parse this data? (edited)
Can you share the path and the format of the vault contents you referenced? If the data format is in an intelligible pattern you can share the pattern with fake data. I can't make promises but maybe it is something that can be parsed with a little bit of Python.
Avatar
Avatar
Brigs
Can you share the path and the format of the vault contents you referenced? If the data format is in an intelligible pattern you can share the pattern with fake data. I can't make promises but maybe it is something that can be parsed with a little bit of Python.
I should have been a little more clear. I can see the data on the phone. Not sure what database/file it’s in or if it’s even extracted in the full f/s
Avatar
Avatar
Troy
I should have been a little more clear. I can see the data on the phone. Not sure what database/file it’s in or if it’s even extracted in the full f/s
If you can share in what screen/app/functionality of the phone, as seen on the screen, is the data at maybe someone can share info on how to find/parse it. Another option is to try and find the data straight up. A suggestion on how to find it:
  • Decompress the extraction.
  • Download and install AgentRansack.
  • Use AgentRansack to search the extraction for terms you see on the screen.
  • Assuming the data is not encrypted the tool will tell you in which file the term is located.
  • After locating the file determine the format and parse as needed. Tool link:
https://www.mythicsoft.com/agentransack/
(edited)
👍 1
Avatar
It's the built-in keychain password manager for auto-filling passwords; it's located in Settings -> Passwords on an iOS device. I can only assume it's encrypted as part of the keychain. I have the passcode and a full f/s extract though. I'll try a raw keyword search but wouldn't expect a hit. Not even sure it's possible to parse the data, that's why I hoped someone else might have looked into it.
Avatar
@Brigs Plus one for Agent Ransack - excellent search tool
👍 1
Avatar
Has anyone dealt with indecent images in the Spotify cache?
Avatar
@Cellebrite Any way to stop images deduplicating? Having issues when exporting to Griffeye format where it will show a single location for an image and not show all copies of the same image with all their file paths.
5:19 AM
DM for more info
Avatar
@Cellebrite Quick 7.44 PA question - Error message getting thrown when trying to load GrayKey Keychain plist. DM me please for more info, thanks!
cellebrite 1
Avatar
@Cellebrite have a quick question if you are around.
Avatar
Hey .. where to start ....
Avatar
Avatar
3X3
@Cellebrite Any way to stop images deduplicating? Having issues when exporting to Griffeye format where it will show a single location for an image and not show all copies of the same image with all their file paths.
Have you tried the PVIC JSON export? We're working on improving both
👍 1
Avatar
Avatar
Neon
@Cellebrite have a quick question if you are around.
Hey neon what’s up
Avatar
Avatar
3X3
@Cellebrite Any way to stop images deduplicating? Having issues when exporting to Griffeye format where it will show a single location for an image and not show all copies of the same image with all their file paths.
@3X3 in PA options, there’s a checkbox for grouping similar items IIRC. Unchecking that box should stop the de-duplicating. Option needs to be configured before decoding though (edited)
👍 1
Avatar
Avatar
varbytes
@3X3 in PA options, there’s a checkbox for grouping similar items IIRC. Unchecking that box should stop the de-duplicating. Option needs to be configured before decoding though (edited)
replied via DM also, to 3x3, but this is an option to prevent de-dup
Avatar
Avatar
FullTang
@Cellebrite Any thoughts on why Media Classification sometimes does not categorize videos at all? I have a CSAM case where it missed some videos that were very apparent and put them in 'Unclassified' instead of 'Nudity'.
@heatherDFIR Update on this situation. I ran Media Classification a second time and it correctly classified all of those extra videos that were originally unclassified. I then ran it a third time but there was no change between the 2nd and 3rd times. From now on I will be running Media Classification multiple times on cases where pictures and videos are important (CSAM cases).
Avatar
Avatar
FullTang
@heatherDFIR Update on this situation. I ran Media Classification a second time and it correctly classified all of those extra videos that were originally unclassified. I then ran it a third time but there was no change between the 2nd and 3rd times. From now on I will be running Media Classification multiple times on cases where pictures and videos are important (CSAM cases).
ScottKjr3347 4/23/2021 10:54 AM
I had that problem a few versions ago and just wanted to mention that in case you are not using the most recent release. Not sure if that will help.
Avatar
Avatar
ScottKjr3347
I had that problem a few versions ago and just wanted to mention that in case you are not using the most recent release. Not sure if that will help.
Thanks for the heads up. I am using the most recent version but this case had a ton of media and I tend to multitask on my forensic computer because I have to. Not sure if either of those would contribute to it or not.
👍 1
Avatar
Does anyone know where I can see when an iPhone was set up for the first time? I can see pictures in DCIM that came from an iPhone 6, but the source is a FFS of an iPhone 11. Probably a backup transferred..
Avatar
@florus try checking creation date of the address book
Avatar
DeeFIR 🇦🇺 4/24/2021 5:14 PM
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
👍 2
Avatar
@Oxygen Forensics I have an ANE-LX1 dump and its hardware key acquired by XRY (but decryption is not done). Is there any way to import those in Oxygen?
Avatar
Avatar
Chuck
@Oxygen Forensics I have an ANE-LX1 dump and its hardware key acquired by XRY (but decryption is not done). Is there any way to import those in Oxygen?
There was an issue with the latest stable version in that sometimes the brute force window didn't appear, should be able to ask them for the latest dll file that controls that as a temp solution.
stark4n6
@florus try checking creation date of the address book
What do you mean exactly? What db are you referring to? (edited)
@Cellebrite too strong! 💪💪💪💪 SM-G770F (S10 Lite) on Android 11, FFS in progress with QC Live after only 5 tries 😁 (edited)
cellebrite 2
👍 1
rico
@Cellebrite too strong! 💪💪💪💪 SM-G770F (S10 Lite) on Android 11, FFS in progress with QC Live after only 5 tries 😁 (edited)
no.... you must be kidding.... only 5.... OMG 😄
@florus Exactly! My post was intended to give hope to colleagues 😆
florus
What do you mean exactly? What db are you referring to? (edited)
I think it's addressed in the Cellebrite article @DeeFIR 🇦🇺 posted, basically you can check the creation date on "private/var/mobile/Library/AddressBook/AddressBook.sqlitedb" to see
👍 1
Thanks, haven't read the article yet, I'm sorry about the misunderstanding 🙂 Thanks for reaching out on a Sunday!
florus
Thanks, haven't read the article yet, I'm sorry about the misunderstanding 🙂 Thanks for reaching out on a Sunday!
sure thing, the article has multiple places you can check, it's a great reference
Chuck
@Oxygen Forensics I have an ANE-LX1 dump and its hardware key acquired by XRY (but decryption is not done). Is there any way to import those into Oxygen?
Oxygen Forensics 4/26/2021 1:19 AM
DM'd
I have been able to get a successful physical extraction on a Huawei Honor 8 Lite using the new XRY method, however the data pulled off is encrypted. Does anyone have any ideas for a workaround? The PIN code is known to me.
Elbag1
I have been able to get a successful physical extraction on a Huawei Honor 8 Lite using the new XRY method, however the data pulled off is encrypted. Does anyone have any ideas for a workaround? The PIN code is known to me.
Contact @MSAB support; a brute force window should have appeared where you can also enter the PIN if known to start the decryption side of things. They may be able to send you a .dll file that will aid you in seeing this bruteforce window 🙂
@Elbag1 If you can DM me the log I send you the workaround!
It's Kirin 655 so probably an issue with that decoder .dll
Does anyone know, in Cellebrite Reader, when you go to Timeline and it has installed applications being pulled from localappstate.db, it lists a purchase date. Is the purchase date the date and time it was ordered from the Play Store, or the time it was installed on the handset?
CCC
Does anyone know, in Cellebrite Reader, when you go to Timeline and it has installed applications being pulled from localappstate.db, it lists a purchase date. Is the purchase date the date and time it was ordered from the Play Store, or the time it was installed on the handset?
It's possible it's either; it's the time the interaction ("purchase") from the Play Store occurred. So it could be the time the user of the device either purchased or installed the application from within the Play Store on the device.
That's what I need to resolve, I suspect it's install time, but I don't have the physical to check. I will test this on a device to see if it's not clear.
Could compare vs the creation date of the apps' folder
@Cellebrite Did PA 7.44.1.3 stop parsing steps? I can see distance travelled in the Activity Sensor Data but it also lists a "Total Samples Count" by the hour. Is the "Distance Travelled" an aggregate of the Total Samples Count?
DeeFIR 🇦🇺 4/26/2021 2:20 PM
Does anyone have a recommendation for a binary plist parsing tool? I used to use a plugin for Notepad++, but that does not work with the current binary format. Need something which is preferably vendor agnostic
DeeFIR 🇦🇺
Does anyone have a recommendation for a binary plist parsing tool? I used to use a plugin for Notepad++, but that does not work with the current binary format. Need something which is preferably vendor agnostic
The best deserializer I know for NSKeyedArchive plists is nska-deserialize by Yogesh Khatri. You will need to know Python though. The output is a Python dictionary/list you can parse or just print using pretty print with indentation. https://pypi.org/project/nska-deserialize/
Convert NSKeyedArchiver plist into a deserialized human readable plist
DeeFIR 🇦🇺 4/26/2021 2:52 PM
Thanks @Brigs I’ll check it out this morning
DeeFIR 🇦🇺
Does anyone have a recommendation for a binary plist parsing tool? I used to use a plugin for Notepad++, but that does not work with the current binary format. Need something which is preferably vendor agnostic
I'm working on one that'll parse out all the keys/values into a database ... hope to have it ready here real soon
👍 2
DeeFIR 🇦🇺
Does anyone have a recommendation for a binary plist parsing tool? I used to use a plugin for Notepad++, but that does not work with the current binary format. Need something which is preferably vendor agnostic
ScottKjr3347 4/26/2021 4:41 PM
An easy-button option is Ian Whiffin's Mushy; it's on his https://www.doubleblak.com/m/ website.
DeeFIR 🇦🇺 4/26/2021 4:47 PM
Thanks @ScottKjr3347
DannyH_603
@Cellebrite Did PA 7.44.1.3 stop parsing steps? I can see distance travelled in the Activity Sensor Data but it also lists a "Total Samples Count" by the hour. Is the "Distance Travelled" an aggregate of the Total Samples Count?
ScottKjr3347 4/26/2021 5:23 PM
This is the first step of an update they are pushing out. Be patient, the update will be outstanding. Yes, the data is the aggregated data for the hour, which is listed in UTC. If you view the data in Analyzed Data - Physical Activity - Activity Sensor - Health, there is a column that will tell you what samples (measurements) were captured during that hour (for example steps, flights climbed, distance traveled). You will have to dive into the db or use another tool to get the step count. I recommend APOLLO, ArtEx, iLEAPP or AXIOM.
DannyH_603
@Cellebrite Did PA 7.44.1.3 stop parsing steps? I can see distance travelled in the Activity Sensor Data but it also lists a "Total Samples Count" by the hour. Is the "Distance Travelled" an aggregate of the Total Samples Count?
CLB - DavidK 4/27/2021 1:29 AM
The "Total Samples Count" is the number of the samples conducted in that specific hour of interest. The "Distance Traveled" is the aggregate of all the samples that are related to the Distance Traveled in that hour, it doesn’t mean that all 19 samples are distance traveled samples. For example, in that hour there might be 17 samples of “Max heart rate” and 2 samples of distance traveled, the 449.21 you are seeing is the sum of those two samples of “Distance Traveled”. Hope it makes more sense now, feel free to reach me if you have any further questions.
@ScottKjr3347 @CLB - DavidK Thank you!
DannyH_603
@ScottKjr3347 @CLB - DavidK Thank you!
We're also taking a look at this internally 🙂 We'll keep you posted
👍 1
Hi. In your opinion, is it possible to recover deleted SMS from iOS 14.4? I have a FFS iPhone XR dump and I tried Oxy, UFED, XRY and ArtEx.
GM! Anyone from MSAB for a quick doubt?
@Lpx Sure thing, what's up?
Mistercatapulte 4/28/2021 3:12 AM
There is no lack of tools claiming the ability to recover lost or deleted information from the iPhone. These tools’ claims range from “Recover data lost due to water damaged, broken, deletion, device loss, etc.” to the much more reserved “Selectively recovers iPhone data from internal memory, iCloud
Does there exist anywhere a guide to what is brought over to a new phone? Often getting told that someone just bought a phone and the old files must have come from the backup but they have definitely only just bought it. If not, project for me
chrisforensic 4/28/2021 10:46 PM
Hello and good morning @Cellebrite, can someone please explain why PA wants to decode "WeChat", but WeChat is not installed on the mobile phone and was not acquired? Extraction: Redmi Note 9, just adv.log. and apk-downgrade... no WeChat... thanks for info 😉 (edited)
chrisforensic 4/29/2021 12:13 AM
thanks @abarlev from @Cellebrite for fast and detailed information about above situation ! 💯 cellebrite
💯 2
@chrisforensic what was their answer?
Anyone have an explanation of how Instagram stores cached files? I have a rooted iPhone where it seems like Instagram caches snapshots from videos and stores them under a folder called IGMediaQualityDataStore.
chrisforensic 4/29/2021 1:57 AM
@florus i´ll DM you 😉
skipper
thx for help 🙂
I agree w/ Mistercatapulte: not impossible, but not easy. I know when I was doing my testing a while back when iOS 13 dropped that if iCloud Sync was enabled for iMessages, you were not able to recover deleted SMS.
Deleted User 4/29/2021 10:38 AM
Question related to the Cash app by Square. I'm looking in the payment table of the cash_money.db SQLite database. I noticed that the amount, sender_amount, and recipient_amount columns are not readable, as they are in a BLOB data type. Any pointers on decoding these values?
Deleted User 4/29/2021 10:47 AM
Also, since Cash app allows users to send and to receive Bitcoin, are Bitcoin addresses stored within the cash_money.db? I'm seeing within the payment table where Bitcoin transactions may have occurred. (edited)
Anyone have experience parsing the Robinhood database (iOS)?
rattlesnakeriv 4/29/2021 12:49 PM
Hey all, does anyone know what PET stands for in the context of iOS?
12:50 PM
potentially a password ? or Token ?
12:50 PM
the value is base64encodedstring==PET
We have a Physical from an Xiaomi phone where we can see it has Signal installed but not decoded within PA. Understanding we may have to do some wizardry to get the key to decrypt it but wondering if anyone has some nice simple steps on this process.
12:38 AM
Android 9, Xiaomi M1803E7SG, not rooted if that helps
I have a few saved videos in a photo vault app which look like Snapchat videos. The investigator wants to know info about the pictures, e.g. if they were taken with the phone's camera. Is it possible? The only EXIF data that exists is the created date. Unsure if that is the actual created date of the picture or when it was created in the photo vault app.
Can anyone familiar with Photos.sqlite confirm what the numbers for ZSAVEDASSETTYPE mean? I have a number of files I'm trying to confirm were filmed on the device and they all have a ZSAVEDASSETTYPE of 3.
Ronny Bodach 4/30/2021 4:24 AM
Does anyone know if there is an automatic deletion of WhatsApp images in the \Whatsapp\Whatsapp Image\ folder on Android devices? I know that if you remove chats, images in the sent folder will also be removed. But when will received images be removed from the WhatsApp gallery folder? Only if a user removes them in the gallery, or is there any other behaviour that will remove the images?
LM
Can anyone familiar with Photos.SQLite confirm what the numbers for ZSAVEDASSETTYPE mean, I have a number of files i'm trying to confirm were filmed on the device and they all have a ZSAVEDASSETTYPE of 3
Andrew Rathbun 4/30/2021 4:35 AM
4:36 AM
Costas is a genius IMO. He has lots of great queries on his repo. Also, just googling the name of the column with 3 brought this as the first result. I have found most of the time someone on GitHub has this stuff figured out and documented so it's well worth the Google search
👍 1
Hello! Is there a way to track locations from the Snapchat map function?
@Cellebrite Hi, I've got a few Huawei P30 Pro extractions (Android Backup, Huawei Backup, Advanced Logical) I'm trying to merge and decode in PA 7.42.0.50, however it keeps throwing up the error of it not having the "inField package". Any ideas? Extractions done on 4PC 7.42.0.82.
skiddyfruit 4/30/2021 6:26 AM
Hello everyone, a DFIR student here, writing a thesis at the moment on how to decode arbitrary mobile applications in databases that cannot be decoded by traditional forensic tools.
6:27 AM
i was wondering, if anyone could review this article, previously posted here a long time ago
6:27 AM
In the previous blog posts I used free and open source forensic tools to view the content and file structure of the Android Discord app. Af...
6:28 AM
The article basically works by pushing the APK to the emulator, then removing the new corresponding apk system files and pushing the files that were acquired during acquisition instead, to make a replica.
6:28 AM
Which when opened in the emulator, it will show the same interface as the device it was originally installed on. So my question is, as this is demonstrated on the discord application, will it work on all applications?
Andrew Rathbun 4/30/2021 6:28 AM
@skiddyfruit what do you want reviewed? Why not ask the person who wrote it? cc: @Brigs
6:29 AM
Also, my answer would be to try it yourself and report back 😛
6:29 AM
that's how you learn best!
skiddyfruit 4/30/2021 6:30 AM
I will do that then Andrew 🙂 . The reason I asked was if anyone had tested this method and what their point of view was on it and what applications they tested.
6:30 AM
@Andrew Rathbun may i ask you a question?
6:32 AM
On my thesis, I am currently doing a case study with an experiment. My question is, as I know that many of the members here are actively working in DFIR and are very experienced, any recommendation of Android apps that are good for beginners to start with examining, as some apps require a higher level of expertise?
Andrew Rathbun 4/30/2021 6:32 AM
I will defer that question to either @CLB_joshhickman1 or @Brigs or anyone else who actively performs mobile investigations that live in the DB level of those apps. I've not touched a phone in almost 2 years so I'm not going to pretend like I can give good advice, but I can play cupid between you and those who do know.
skiddyfruit 4/30/2021 6:33 AM
That is understandable Andrew and i appreciate the help a lot. Just a bit nervous to message them, but will shoot my shot 🙂
Andrew Rathbun 4/30/2021 6:34 AM
Just see if they'll answer here. They're very approachable guys as well as everyone else here. Just be patient and understand that we all have families, day jobs, etc so answers won't come instant, but patience pays off (edited)
CLB_joshhickman1 4/30/2021 6:42 AM
@skiddyfruit if you're looking for an app that's an easy intro then I'd suggest something like Google Chrome. There are multiple DBs associated with it, but a good one to start with would be History.
❤️ 1
👍 1
skiddyfruit
Which when opened in the emulator, it will show the same interface as the device it was originally installed on. So my question is, as this is demonstrated on the discord application, will it work on all applications?
Not all apps want to work in a VM. Others require internet communication before opening in a VM. Be careful of legal issues with accessing remote servers without the required legal process. One way of doing this VM analysis easily is by using the Magnet App Simulator. https://www.magnetforensics.com/resources/magnet-app-simulator/
MAGNET App Simulator: What Does it Do? MAGNET App Simulator lets you load application data from Android devices in your…
❤️ 1
👍🏻 1
Anyone have an artifact that may help explain when a phone was first used.
6:47 AM
I have a Phone Activation Time which corresponds with a SIM change time but just before I use that if there's anything else.
6:48 AM
Phone's an Galaxy S6
6:48 AM
Android 7
6:49 AM
Activation Time is 2019, but there's location data from 2016 linked to Google Photos (which could be synced data) (edited)
skiddyfruit 4/30/2021 6:52 AM
@Brigs Thank you a lot for this!!! Been searching for a while. Was going to use ADB and NoxPlayer or BlueStacks. But I never knew AXIOM already had this free tool; as I know, Cellebrite has a tool that has a virtual analyzer and SQLite browser. But this will be compromised, and is it okay, when I am done with my thesis, to get some feedback from you during your free time? It will not be much to review, just a few pages that instruct a methodology that can help LAE to correctly examine and validate unknown apps?.. In any case, thank you seriously.
CLB_joshhickman1
@skiddyfruit if you're looking for an app that's an easy intro then I'd suggest something like Google Chrome. There are multiple DBs associated with it, but a good one to start with would be History.
skiddyfruit 4/30/2021 6:53 AM
Thank you, and will be trying this out and see how it goes. Btw your images on Corpora have helped very much and I learned a lot from them!
LM
Can anyone familiar with Photos.sqlite confirm what the numbers for ZSAVEDASSETTYPE mean? I have a number of files I'm trying to confirm were filmed on the device and they all have a ZSAVEDASSETTYPE of 3.
ScottKjr3347 4/30/2021 8:17 AM
Based on my testing and research ZSAVEDASSETTYPE "3" indicates Made/Saved with that device. Try this query and see if it helps. iOS 14 https://drive.google.com/folderview?id=1v6T6OqD8eyL1xwHXDMePaXxEZ3IZssp2
Has anyone done any studies on the Safari AutoFillQuirks.plist? Google isn't much help and Axiom is interpreting a lot of data from that plist as Website history/redirects.... and I don't think that's accurate, but I'm not quite sure how that plist is populated. Thanks!
Deleted User 5/3/2021 12:33 AM
Hello @Cellebrite, on PA 7.44.2.10, on 4 different advanced logical extractions from iPhones, Snapchat isn't parsed automatically. Is that normal?
@Cellebrite anyone having time for a question?
jaikl
@Cellebrite anyone having time for a question?
CLB-drorimon 5/3/2021 4:14 AM
DM me
Deleted User
Hello @Cellebrite, on PA 7.44.2.10, on 4 different advanced logical extractions from iPhones, Snapchat isn't parsed automatically. Is that normal?
CLB-drorimon 5/3/2021 5:16 AM
Which version of Snapchat do you have? You can see the supported apps in PA -> Help -> Supported Apps. Since Snapchat version 11.17.0.38 some features aren't decoded from iOS Adv. Logical extractions. We are on it 🙂
CLB-drorimon
Which version of Snapchat do you have? You can see the supported apps in PA -> Help -> Supported Apps. Since Snapchat version 11.17.0.38 some features aren't decoded from iOS Adv. Logical extractions. We are on it 🙂
Deleted User 5/3/2021 5:18 AM
For the one I have now version is 10.84.5.59
Deleted User
For the one I have now version is 10.84.5.59
CLB-drorimon 5/3/2021 5:25 AM
This version should be fully supported. DM'ed
Hello @Magnet Forensics , what are ways I can add an XRY file into AXIOM ? The error message I get in Process is: Unrecognized format- the selected file is not a recognized image format
AU_Magneteer21 5/3/2021 9:23 PM
@sky4n6 Use XAMN to convert the Xry file to bin file and then you should be able to import the bin file into Axiom
👍 2
Hi, does anyone have experience with decrypting/decoding Privary app data? When opening the app I need to fill in a decimal code. All encrypted files are stored in .privary/.do_not_delete_number (i.e. 12)/. The filename is the original name encoded in base64 with a file extension .anbn / .bxa0. The root folder of .privary contains a file secure3.priv which contains 12 hex characters and a secure.priv which contains 28 hex characters. My guess is that these files contain the encrypted key to unlock the application / data. More info: https://fourchars.com/ (edited)
@Cellebrite I have an extraction of a tablet which was done on Cellebrite Premium - every time I try to open it on UFED PA, it closes itself down.
1:45 AM
Is this a known bug?
1:46 AM
Got the latest PA version installed as well
@Pacman Do you get any errors in Trace Window?
One moment, I'll reopen and watch trace window
1:47 AM
It usually closes down within 30 seconds of double clicking the .ufd file
1:47 AM
so I'll try my best and catch the error, if any
1:50 AM
Yep it just crashed again - this is all I saw
1:50 AM
1:50 AM
@abarlev
@Cellebrite I have a Samsung extraction which has a phone activation time later than some of the artifacts on the phone. Where does the phone activation time get populated from please?
@ScottKjr3347 just looking at my last iPhone, I have a lot of type "6". Any thoughts on what that could be?
CCC
@Cellebrite I have a Samsung extraction which has a phone activation time later than some of the artifacts on the phone. Where does the phone activation time get populated from please?
Could be due to a SIM change
3:20 AM
Suspected that was the result in one of my cases, had artifacts much earlier and matched it up to the SIM change time.
Everyone is pointing to the line stating "phone activation time" as gospel, but it would be good to know what this is as I don't trust something I don't understand 😄
3:21 AM
That would make sense as a broad translation though, if it was sim activation.
Pacman
It usually closes down within 30 seconds of double clicking the .ufd file
CLB-drorimon 5/4/2021 3:38 AM
You can get the logs (Trace window lines are included in it) here: %appdata%\Cellebrite Mobile Synchronization\UFED Physical Analyzer
👍 1
CLB-drorimon 5/4/2021 4:00 AM
We're taking this data from SetupWizardPrefs.xml. You can find a short resource here: https://www.forensicfocus.com/forums/mobile-forensics/how-to-find-a-date-when-android-os-is-installed/
I need to find information about when the particular Android OS is installed on a mobile device. Is there any way to find that info? Thanks
@CLB-drorimon Thank you very much!
@Cellebrite @MSAB @Magnet Forensics MailRuMail app, any support for parsing/decoding of this? Got a FFS via UFED from an A51
I am drawing a blank. I got a FFS of a Note 20 (SM-N986B/DS) using UFED 4PC exynos chipset extraction. What I am wondering is how do I tell if secure folder is utilized? Wasn't there a way to check the size or something? Just don't want to waste a premium token if the secure folder isn't even setup. @Cellebrite (cross posted in extractions too as I'm not positive where this fits best)
Palazar82
I am drawing a blank. I got a FFS of a Note 20 (SM-N986B/DS) using UFED 4PC exynos chipset extraction. What I am wondering is how do I tell if secure folder is utilized? Wasn't there a way to check the size or something? Just don't want to waste a premium token if the secure folder isn't even setup. @Cellebrite (cross posted in extractions too as I'm not positive where this fits best)
CLB-dan.techcrime 5/4/2021 5:06 AM
Did you look in the knox folder, user 150?
CLB-dan.techcrime
Did you look in the knox folder, user 150?
Looking there now. I knew there was something I was forgetting. Thank you very much.
@Rob Unfortunately can't find any support for it on the XRY side, has not been requested yet from what I can tell. Any databases or other details available? I guess it should be somewhere in userdata/data/ru.mail.mailapp or similar. Just curious if there were any obvious databases available which aren't encrypted (edited)
Erumaro
@Rob Unfortunately can't find any support for it on the XRY side, has not been requested yet from what I can tell. Any databases or other details available? I guess it should be somewhere in userdata/data/ru.mail.mailapp or similar. Just curious if there were any obvious databases available which aren't encrypted (edited)
That's my next step, going to be manually taking a look at the phone again later today.
anyone from @Magnet Forensics here that can help me?
Rob
@Cellebrite @MSAB @Magnet Forensics MailRuMail app, any support for parsing/decoding of this? Got a FFS via UFED from an A51
CLB-drorimon 5/4/2021 6:32 AM
MailRuMail app should be supported in PA.
CLB-drorimon
MailRuMail app should be supported in PA.
I haven't found a .db for it yet
6:36 AM
AppGenie didn't pick out anything that I've seen.
jaikl
anyone from @Magnet Forensics here that can help me?
forensicmike @Magnet 5/4/2021 6:44 AM
sure, sending a DM
CCC
@ScottKjr3347 just looking at my last iPhone, I have a lot of type "6". Any thoughts on what that could be?
ScottKjr3347 5/4/2021 7:03 AM
Not sure what ZSAVEDASSETTYPE "6" indicates. I have some test data that I will be looking at today and try and determine. (edited)
ScottKjr3347
Not sure what ZSAVEDASSETTYPE "6" indicates. I have some test data that I will be looking at today and try and determine. (edited)
Andrew Rathbun 5/4/2021 7:10 AM
ChutzpahAI 5/4/2021 9:11 AM
Discord - On iOS what are the Discord files (SQLite, Plist, xml, etc) needed to be reviewed?
9:12 AM
I've been working on Androids for too long ha
ChutzpahAI
Discord - On iOS what are the Discord files (SQLite, Plist, xml, etc) needed to be reviewed?
These are the ones that iLEAPP parses.
9:47 AM
Get iLEAPP here: https://github.com/abrignoni/iLEAPP (edited)
ChutzpahAI 5/4/2021 9:54 AM
Thanks, a good place to start!
👍 1
Hi, does anyone know how to decrypt WhatsApp backup database files from a Windows Phone device please? On the SD card from a Lumia 640 RM-1077 we found some backup database files: Calls.db, Messages.db and Settings.db. It seems they are encrypted. Does anyone know how to handle these files?
Hey family, I am stuck on an iPhone 11 Pro where I did a CPU swap and complete chip swap. The phone is completely functioning but we do not know the password. Can XRY bypass it? What tool do you recommend please?
burgers_N_bytes 5/5/2021 1:59 AM
@Dr. Simba I believe your only option is Graykey. Maybe CAS?
Do they support the newer update ?
burgers_N_bytes 5/5/2021 1:33 PM
That I’m not sure of. Maybe someone else can chime in.
SBPowerDownViewController - If I saw this in an iOS log I am assuming the phone is shutting off the screen to save power. Would this be a correct assumption? Is there anywhere that I could find literature on SpringBoard?
Anyone from @Cellebrite around for some DM about failed extractions?
Oscar
Anyone from @Cellebrite around for some DM about failed extractions?
CLB - DavidK 5/6/2021 1:36 AM
Yes, feel free to DM me.
@Dr. Simba Yes, both support the update.
@Magnet Forensics Were there any changes to the parsing of iOS Snapchat in the latest AXIOM 5.0 release? I just ran an extraction with 5.0 that I had run before with 4.11 to see if there was any new exciting information. Instead I can't see any Snapchat messages at all in 5.0; the 4.11 process shows me over 5000 messages.
Oscar
@Magnet Forensics Were there any changes to the parsing of iOS Snapchat in the latest AXIOM 5.0 release? I just ran an extraction with 5.0 that I had run before with 4.11 to see if there was any new exciting information. Instead I can't see any Snapchat messages at all in 5.0; the 4.11 process shows me over 5000 messages.
Mike MC from Magnet 5/6/2021 5:35 AM
@Oscar I'll pass this along to the product team to have them take a look. Thanks for the heads up!
heatherDFIR 5/6/2021 1:57 PM
I have 6 more Techno passes to hand out. It is in person. If interested, let me know.
👍 1
@Cellebrite Out of curiosity, is it possible for the location carving to occur after the main processing is done instead of after setting the project timezone?
3:24 PM
Or have I set something up wrong. I have quite a big phone processing which I imagine might finish overnight and only when I'm at my machine would the location carving start so it runs the risk of key time being potentially wasted.
burgers_N_bytes 5/6/2021 6:09 PM
@heatherDFIR may I get details on the Techno passes?
chrisforensic 5/6/2021 10:51 PM
good morning @Cellebrite is there a beta PA out that supports CLBX? If i understood right, iOS full file system collection done with beta 4PC (CLBX format) can only be opened with next PA-release ? (edited)
chrisforensic
good morning @Cellebrite is there a beta PA out that supports CLBX? If i understood right, iOS full file system collection done with beta 4PC (CLBX format) can only be opened with next PA-release ? (edited)
CLB-drorimon 5/6/2021 11:02 PM
Nope, PA already supports CLBX format.
👍 2
👏 1
Any1 from @Magnet Forensics free to take a question?
Johnie
Any1 from @Magnet Forensics free to take a question?
MF-cbryant 5/7/2021 5:07 AM
Sending DM
Hello, I have an iPhone with SkyECC. I have extracted a FFS with checkm8. Still no way to decode it?
People still use skyecc? @rafael_cs
@B it's rare here. It's only the second phone I have gotten. I have found some messages in cache.db that are interesting to the case, although they are not too recent (from December and January)
Yeah that would be my next answer, cache.db could contain some messages indeed. Just out of curiosity, what kind of other secure communication devices do you see across there?
@B we received some with wickr and surespot.
chrisforensic 5/8/2021 11:24 PM
Good morning @Cellebrite, please update decoding of Tumblr, Snapchat, Telegram ... have a Qlive extraction from a Redmi Note 7, Tumblr 17.5.0.00, Snapchat 11.6.2.66, Telegram 7.2.1. No proper decoding? By the way, thanks to @Oxygen Forensics, Oxygen Detective did the job oxygen 👍 (edited)
oxygen 1
👍 1
chrisforensic
Good morning @Cellebrite, please update decoding of Tumblr, Snapchat, Telegram ... have a Qlive extraction from a Redmi Note 7, Tumblr 17.5.0.00, Snapchat 11.6.2.66, Telegram 7.2.1. No proper decoding? By the way, thanks to @Oxygen Forensics, Oxygen Detective did the job oxygen 👍 (edited)
These versions and newer ones should already be supported. DMing you for more details, thanks!
👍 1
Data Recovery 5/9/2021 4:05 PM
I have a Samsung SM-G950F, OS 9, screen locked; I need data recovery. Is it possible? Does Oxygen or other software have support?
@Cellebrite Is there any planned improvements on carving locations? i.e. being able to draw an area on the map rather than just having max of a 50km radius circle? Ideally I want just UK location data being carved as carving most visited is crashing my PA case due to the size (suspected running out of memory)
I've just encountered WeChat for the first time, in a logical extraction of an SM-N986F. PA asks me for the IMEI to decrypt the data and I've tried both of the IMEIs present in the phone without success. Is there something I am missing or do I need a FFS to parse WeChat? @Cellebrite (edited)
Data Recovery
I have a Samsung SM-G950F, OS 9, screen locked; I need data recovery. Is it possible? Does Oxygen or other software have support?
Hi, it looks like you can extract this model using both XRY and UFED. Do you know which chipset, Qualcomm or Exynos?
Rob
@Cellebrite Is there any planned improvements on carving locations? i.e. being able to draw an area on the map rather than just having max of a 50km radius circle? Ideally I want just UK location data being carved as carving most visited is crashing my PA case due to the size (suspected running out of memory)
CLB-drorimon 5/10/2021 1:21 AM
I'm unfamiliar with such a request. You are able to draw more than one circle though. Just remember that the wider the area you scan, the more false positive hits you will get.
CLB-drorimon
I'm unfamiliar with such a request. You are able to draw more than one circle though. Just remember that the wider the area you scan, the more false positive hits you will get.
I initially tried to run with just "carve with most visited" and came in this morning to see PA had closed down so took a look at the logs and suspected ran out of memory. As locations are going to be vital for this job, for now I've just drawn multiple circles but just wondered if there's anything else in the works to speed up things instead of drawing a number of circles as my force area covers more than 50km 🙂
Avatar
Avatar
Data Recovery
I have Samsung SM-G950F OS 9 Screen Lock need data Recovery it's possible oxygen or other software have support
I extracted this device on Saturday with oxygen using exynos dump. As I remember UFED supports it to.
Avatar
Data Recovery 5/10/2021 2:57 AM
in have one iphone IPHONE XS MAX problem is touch ic problem screen lock,i know password , phone working fine i need data ,, ic remove risk work
2:57 AM
It's possible
2:57 AM
Any solution have
Replying to Data Recovery: "I have one iPhone XS MAX. The problem is the touch IC; ..."
So you're saying the touch screen isn't working? For us, then, the first thing we'd try would be a screen replacement.
Data Recovery 5/10/2021 4:20 AM
@danielj91 Exynos
Replying to Data Recovery: "@danielj91 Exynos"
Okay, I can't say for sure using Oxygen as I have yet to try it. I'm assuming the password is unknown. I'm running the latest version of Oxygen and it says, for this model, "Devices operated on Android 9-10 installed by manufacturer, bruteforce is not supported." Maybe @Angst can say more.
Replying to danielj91: "Okay, I can't say for sure using Oxygen as I have yet to try it. ..."
That only means that devices that came with Android 9 from the factory are not supported. The G950F has Android 9 as its last firmware and is supported.
Replying to danielj91: "Okay, I can't say for sure using Oxygen as I have yet to try it. ..."
That's because you don't need to use bruteforce. Oxygen extracts all the keys needed to decrypt user data. (edited)
@Angst actually, it won't extract any keys. It will dump the userdata image that was already decrypted by the phone, like UFED and other tools do 🙂
Replying to Arcain: "That only means that devices that came with Android 9 from the factory are not supported. ..."
Ah, thanks for clarifying that @Arcain 🙂
Replying to Arcain: "@Angst actually, it won't extract any keys. ..."
Good to know. But one of the steps during extraction of this device was (just before extracting user data) "Extracting passwords", and I thought it was related to the keys.
I think it determines whether secure startup is enabled at this point and will either offer you a bruteforce option or move on to dump data directly.
@Arcain I think you are right, and I forgot there is no physical dump in the Exynos method but only the user data partition is extracted, so it must be decrypted before the extraction starts.
Replying to danielj91: "Okay, I can't say for sure using Oxygen as I have yet to try it. ..."
Data Recovery 5/10/2021 5:41 AM
Thanks brother for the support. Yeah, Oxygen supports it, case solved. Without the password, data recovery done.
5:45 AM
@danielj91 I have one Huawei phone, INE-LX1. The problem is the screen lock; I need the data. I am checking Oxygen brute force but no response: 10 days of brute force running on this case but not done. Is there any other solution?
@Data Recovery what kind of screen lock, digits (PIN) or password? Two days ago I bruteforced a 6-digit PIN within 9 minutes (all combinations would take ca. 60 minutes). Before starting the bruteforce in Oxygen you can choose the type of the screen lock; maybe you chose the wrong one.
@Data Recovery had the same problem. I used XRY instead. It can dump and bruteforce using the same method.
Data Recovery 5/10/2021 6:01 AM
@Angst No brother, fast dump done. After that I started the password recovery with the default; running 10 days, no result.
6:02 AM
@callzor Yes bro, also not working for me.
How many digits?
Data Recovery 5/10/2021 6:05 AM
@Arcain Not showing how many digits, just minutes. I will send you photos.
I mean on the phone, how many dots are on the lockscreen?
Data Recovery 5/10/2021 6:07 AM
@Arcain Yes, showing 6 digits.
An 8 or 9 digit code can take weeks or months even.
Then something went wrong. Either you chose the wrong dictionary, or key extraction failed at some point.
6:08 AM
All 6 digits shouldn't take more than a day, even on a slower workstation.
@Data Recovery then you should select in the Oxygen bruteforce options the 6-7 digit dictionary and it should take about 1h.
Data Recovery 5/10/2021 6:12 AM
@Angst Which one is better? There are more brute force attack options; I was using the default before.
@Data Recovery I think in Oxygen the default is the password dictionary, so not suitable for a 6-digit PIN. When you go to the bruteforce dictionary options you will find something like "6-7 digit". I don't remember the exact name.
Data Recovery 5/10/2021 6:18 AM
@Angst Okay bro, I will check whether the 6-7 digit option is there or not.
Replying to Data Recovery: "@Angst Okay bro, I will check whether the 6-7 digit option is there or not."
It looks like this (edited)
Replying to Angst: "@Data Recovery then you should select in the Oxygen bruteforce options the 6-7 digit dictionary ..."
Data Recovery 5/10/2021 6:21 AM
Thank you brother, good idea for me. Sure, I will try now, starting this case.
6:21 AM
@Angst thank you brother
6:22 AM
@Arcain also thank you brother for your support
CLB_iwhiffin 5/10/2021 8:27 AM
I'm really interested in the current situation regarding whether forensic networks are still air-gapped and have a very quick 2-question questionnaire, if anyone is willing to fill it out? Thanks https://docs.google.com/forms/d/e/1FAIpQLSfYGZf0rpDRGqTCs4JpIcfTFy9fB-s2m-PZj19KOM9G1W1iOg/viewform?usp=sf_link
I asked a similar question about 5 years ago. I'm interested in knowing if there has been a change... Thank you
Replying to CLB_iwhiffin: "I'm really interested in the current situation regarding whether forensic networks are still air-gapped ..."
Curious to know your results and any changes since the last survey!
My GrayKey has only 30 advanced actions and I'm worried I'll blow through them. Are there any places you've found the device passcode in a Partial BFU extraction? So far I've found the PIN in the passwords list under: CreditKarma.mobile SSO.EncryptionKey.v2 (edited)
Replying to Cole: "Curious to know your results and any changes since the last survey!"
CLB_iwhiffin 5/10/2021 11:55 AM
I'll update the forum in a few days. Thank you 🙂
Hey, anyone else ever found traces of unc0ver or Cydia in an iOS app before? I think I'm looking at crash reports within the app where those names appear.
Hi! Has anyone tried to carve the Android Snapchat database "main"?
PA has stopped decoding an extraction on "parsing google maps"; it has been running 24 hours and gone nowhere. Anyone experienced this or have any thoughts? I also started it decoding on another machine simultaneously after this one got stuck, and it got stuck at the same part.
7:26 AM
@Cellebrite ☝😀
Replying to AA: "PA has stopped decoding an extraction on "parsing google maps"; it has been running 24 hours and gone nowhere. ..."
CLB-drorimon 5/11/2021 7:33 AM
DMing
deepdive4n6 5/11/2021 6:07 PM
@Cellebrite Could someone familiar with UFED PA's redaction capabilities please send me a PM at your convenience?
Struggling to import hashes into @Cellebrite; tried all forms, txt, csv, PV etc. Any pointers? Just get a helpful message saying one or more errors occurred... (edited)
Asking for a colleague: anyone happen to know what the 'Change Time' variable is in relation to on PA? iPhone extraction, and the Created, Modified and Accessed are all roughly the same date and time; however, the 'Change Time' is significantly different. Any pointers would be handy. Thanks in advance! EDIT: Should mention this is for an audio file. (edited)
Replying to RP: "Struggling to import hashes into @Cellebrite; tried all forms, txt, csv, PV etc. ..."
CLB - DavidK 5/12/2021 5:17 AM
DMing you
Officer has apparently done an iPhone extraction via UFED Kiosk and it's zipped the multi reports. They can open the zip file fine, but cannot open the CellebriteReader.exe file (needs to be unzipped). Upon unzipping, it says there's an error with the CellebriteReader file and it cannot be unzipped. Any ideas @Cellebrite (edited)
Replying to 3X3: "Asking for a colleague: anyone happen to know what the 'Change Time' variable is in relation to on PA? ..."
CLB - DavidK 5/12/2021 5:34 AM
'Change time' means a metadata change, like permissions on a file. It's different from the modified date. "Change time" is the timestamp of the last time the file's inode was changed, e.g. by changing permissions, ownership, file name etc. "Modified time" is the timestamp of the last time the file's content was modified.
Deleted User 5/12/2021 7:09 AM
Need some help 😦 I need a reference for the column ZIMPORTEDBY from the table ZADDITIONALASSETATTRIBUTES out of the photos.sqlite database from an iPhone extraction.
7:10 AM
I have 0, 1, 3 & 8 but can't find anything that they stand for.
7:13 AM
https://forensics785.rssing.com/chan-29856600/all_p3.html shows some preliminary values but not backed by other research.
Replying to Deleted User: "Need some help 😦 I need a reference for the column ZIMPORTEDBY from the table ZADDITIONALASSETATTRIBUTES ..."
To give some additional info on this (I'm working on this as well): the photos.sqlite database contains a lot of information about the pictures on the device that isn't automatically parsed by Cellebrite. We found a script that parses some of this data, but the mentioned column isn't included in the parsed data. The concrete values are a single digit (0, 1, 3, 8) but there is no foreign key to another table in the database structure. It should be a reference to an app of some sort, since the interpretation would be which app used the camera to take the picture.... (edited)
Replying to S3cthor: "To give some additional info on this (I'm working on this as well): the photos.sqlite database contains a lot of information ..."
ScottKjr3347 5/12/2021 8:52 AM
I am also in the process of testing and updating a photos.sqlite query. I haven't found anything that stays consistent within ZADDITIONALASSETATTRIBUTES.ZIMPORTEDBY, but here is a part of the query and how the imported-by data reflects to my test data:
CASE ZADDITIONALASSETATTRIBUTES.ZIMPORTEDBY
  WHEN 0 THEN '0-#Unknown'
  WHEN 1 THEN '1-#DCIM-'
  WHEN 2 THEN '2-#DCIM-'
  WHEN 3 THEN '3-#WhatsApp'
  WHEN 6 THEN '6-#Unknown'
  WHEN 8 THEN '8-#Twitter_SpringBoard_MessageCamera_Sharingd'
  WHEN 9 THEN '9-#Unknown'
  ELSE ZADDITIONALASSETATTRIBUTES.ZIMPORTEDBY
END AS 'Imported_By',
I hope to have another query ready for release later this month.
Do you know of any tool that will open/read an exml file? An XML reader won't do it. I have a call log from an Android phone that has an exml extension and I cannot find anything to open it. I suspect that it may be a bogus identification of file type, but can't tell.
Forensic@tor 5/12/2021 10:31 AM
@Rob can always download a copy of Reader from mycellebrite
Hi folks, we have an Alcatel 1066G which has been dumped via UFED Touch2; it took around 30 seconds to extract and gave a success message with no errors. The dump is around 52KB, but as far as can be determined this would be about right for this device? Call logs and contacts are present on the handset but the decode in PA is not showing this data; the only thing showing is 8 uncategorised. Tried the BIN in XRY, no joy; also tried a dump via XRY but it would not connect. Was going to try Oxygen but the dongle has been in use on a decode all day 😫 Any suggestions to decode the data, or is it the dump?
Replying to Forensic@tor: "@Rob can always download a copy of Reader from mycellebrite"
Might well have to suggest that
Replying to CLB - DavidK: "'Change time' means a metadata change, like permissions on a file. It's different from the modified date. ..."
Thanks David!
@Cellebrite Anyone about for a chat about .rar files within PA?
Has anyone got any experience of Vi Pole database examination? Chats appear to be encrypted. Are there any tools for decrypting?
Replying to Rob: "@Cellebrite Anyone about for a chat about .rar files within PA?"
CLB-drorimon 5/13/2021 3:21 AM
You can DM me. But currently we don't support scan/extraction of rar files.
iTunes backup encryption passwords. While it's not the ideal solution, have we gotten to the point where it is fairly standard practice to reset all settings to remove the encryption and then take an unencrypted extraction? I brought this up today while attending a CCPA class and everyone was horrified.
Replying to Jessa: "iTunes backup encryption passwords. While it's not the ideal solution, have we gotten to the point where it is fairly standard practice to reset all settings ..."
DeeFIR 🇦🇺 5/13/2021 7:56 PM
I take an encrypted backup (with an unknown password) in the first instance, then discuss options with the investigator and explain the potential issues surrounding making device changes etc. Prompt them to speak to the device owner to see if they can divulge the password; otherwise, if they don't/can't/won't, then I reset all settings, document all interaction & provide a copy of the Apple article highlighting the changes which are made.
@Jessa my understanding is that pulls off much less, as it's only via the encryption that it pulls data off, which is why the big programs add a default encryption password.
Replying to 4r3ns1c5: "Hi folks, we have an Alcatel 1066G which has been dumped via UFED Touch2; it took around 30 seconds to extract and gave a success message with no errors. ..."
Had the same happen to me the other day on a similar Alcatel. No clue as to why the UFED extractions parse the way they do. But I can add that to get the phone to connect to XRY you need to have it turned off, hold the magic button and connect it. The instructions on the screen are often incorrect or incomplete. In my case the magic button was the "Answer" button, but the left or right select button could also be the case. Just try them out and eventually you will see that the phone connects as a COM port.
@Cygonaut yes, had success yesterday with XRY and the magic button (centre nav key and * in this instance); as you say, no real detail in the XRY instructions, probably as it appears it can be any key combo!
Replying to ScottKjr3347: "I am also in the process of testing and updating a photos.sqlite query. I haven't found anything that stays consistent within ZADDITIONALASSETATTRIBUTES.ZIMPORTEDBY ..."
Hm, it does seem that the ID is rather random, since your results differ from other results we've found online. How did you manage to map the values in your case? (Or you could PM me to keep this channel a bit cleaner.)
Replying to S3cthor: "Hm, it does seem that the ID is rather random, since your results differ from other results we've found online. ..."
ScottKjr3347 5/14/2021 7:55 AM
The above query case statement is based on the file's created bundle ID. I am still working on validating things for this 14 query and putting it together with my past research. Here is a screenshot from a portion of my last writeup. I will DM you with further information later today. (edited)
@ScottKjr3347 When you have finished your research will it be online, or a paper, and can you share it either way please?
Mistercatapulte 5/14/2021 8:57 AM
@ScottKjr3347 me too, if it's possible, thanks in advance 🙂
Replying to CCC: "@ScottKjr3347 When you have finished your research will it be online, or a paper, and can you share it either way please?"
ScottKjr3347 5/14/2021 9:01 AM
Yes, there will be a paper/blog and the query will be published. I originally published the queries from my initial write-up via Google Drive, but those have now been removed. The queries can now be viewed via GitHub at https://github.com/ScottKjr3347/Photos.Sqlite_Queries. This is also where the updated queries will be located. (edited)
Quick question. Does anyone have any experience with \Library\Caches\com.burbn.instagram.IGSparseVideoCache? I found videos of interest for my case on an iOS device within this directory. Is this a cache of videos that were received or sent through Instagram? I have not been able to find any other artifacts involving these videos on the device.
Replying to p0tt541: "Anyone know the format of the birthday field within the Snapchat friends table? An example is something like this: 38654705691"
Did you manage to find out the format? I've run into the same problem.
Replying to Matt: "Did you manage to find out the format? I've run into the same problem."
Might (emphasis on the might) be able to get it real quick. What's the file name that you're seeing it in? If it's in a db, what's the column name? If it's a prop file, what's the key name? (edited)
It's in the main.db file, Friends table, birthday column
7:31 AM
I know what the value is; I'm trying to figure out the way that Snap encodes it into the table so I can decode it
Okay, so it's a long value that represents both the day and month of someone's birthday but no year. Convert the value into hex and you'll see it falls pretty cleanly into two int values. The first four bytes are the month, the last four bytes are the day.
7:48 AM
So for the sample PTurner supplied:
Decimal Value: 38654705691
Hex Value: 000000090000001B
Hex Month: 00000009, Hex Day: 0000001B
Decimal Month: 9, Decimal Day: 27
Ahhh okay
7:51 AM
Thank you so much 😄
No worries!
First time CyberChef has failed me 😛
It never happened to me but i've heard of cases where people found pin code into BFU extractions of iPhones. Can you people share WHERE, in a BFU, have found the code to unlock the idevice?
Avatar
Avatar
FabianoQ
It never happened to me but i've heard of cases where people found pin code into BFU extractions of iPhones. Can you people share WHERE, in a BFU, have found the code to unlock the idevice?
One of the users wrote few days ago he found PIN in the passwords list under: CreditKarma.mobile SSO.EncryptionKey.v2. But I’m interested to know any other files.
👍 1
Avatar
Avatar
Mistercatapulte
Hi guys, i have silent phone installed on a xiaomi, with 4 digits unknown. Anyone know a method to extract and bf it? Thx I have in PA, "zids_sqlite.db, partially decoded with nickmane of contacts, i suppose, but that's all) EDIT : i've found the pwd (edited)
Still need help with silent phone decoding?
Avatar
@Magnet Forensics anyone available for a quick question about a data parsing issue
Avatar
Avatar
sholmes
@Magnet Forensics anyone available for a quick question about a data parsing issue
Mike MC from Magnet 5/17/2021 10:04 AM
Hi Sholmes, I can bring your question to the team if you want to DM me.
👍 1
I know this looks really stupid, but using translation modules in Cellebrite P.A., how do you set the FROM and TO languages?
Forensic@tor 5/18/2021 5:47 PM
@chrisforensic Written as European style, so it is really 5-12-21 (edited)
@Cellebrite Are there any known memory leak issues in regards to location carving in PA 7.44? The last 2 cases involving 100GB+ extractions end up using every last drop of memory, causing a black screen of death.
Replying to Rob: "@Cellebrite Are there any known memory leak issues in regards to location carving in PA 7.44? ..."
CLB - DavidK 5/19/2021 1:49 AM
Yes, there was an issue while carving; it was fixed in the official 7.45 PA version. Please update and let me know if you are still facing any issues.
Replying to CLB - DavidK: "Yes, there was an issue while carving; it was fixed in the official 7.45 PA version. ..."
Is that the latest stable release to download then?
1:51 AM
Or a beta? Didn't see any emails this time to announce its release.
Replying to Rob: "We have a Physical from a Xiaomi phone where we can see it has Signal installed but not decoded within PA. Understanding we may have to do some wizardry to get the key to decrypt it, but wondering if anyone has some nice simple steps on this process."
Did you have any success with this? I'm in a similar situation, where I have a physical and full filesystem of a Galaxy S8.
Replying to danielj91: "Did you have any success with this? I'm in a similar situation, where I have a physical and full filesystem of a Galaxy S8."
Nope, Signal for Android isn't supported for decoding in PA
2:01 AM
only Signal for iOS is supported in PA
2:01 AM
And it's due to access to the keystore or something, I believe
Got it, thanks!
Looking for help. I've got an Apple iCloud warrant return where files found in the icloudphotolibrary have a modified date exactly one hour prior to the captured date and time. Any thoughts on why this would occur?
Replying to Rob: "Is that the latest stable release to download then?"
CLB - DavidK 5/19/2021 5:16 AM
Latest official PA 7.45, you can download it from the Community
Replying to CLB - DavidK: "Latest official PA 7.45, you can download it from the Community"
Just saw the release email 👌
Replying to Matt: "Looking for help. I've got an Apple iCloud warrant return where files found in the icloudphotolibrary have a modified date exactly one hour prior to the captured date and time. ..."
Could be to do with UTC +1 or -1
Replying to Rob: "Nope, Signal for Android isn't supported for decoding in PA"
@danielj91 Signal Android is currently supported in PA for CAS extractions
Replying to CLB-ChenK: "@danielj91 Signal Android is currently supported in PA for CAS extractions"
Ah, just going off what I was told by the support ticket I had, sorry
9:46 AM
To clarify, if you have a non-CAS download and you make a backup of Signal using the app itself, can PA parse that?
Replying to FabianoQ: "I know this looks really stupid, but using translation modules in Cellebrite P.A., how do you set the FROM and TO languages?"
Unless it's changed, you add the language you need to a specific licence and it detects the language and translates. Not sure how it works if it's not English you want it translated into, though! Maybe it's magic. 🧐 They did have some videos or guides on the website but I'm not in work so can't check right now (edited)
DeepDiveForensics 5/19/2021 12:03 PM
How to add an SD card dump, a single folder, into an existing case? @Cellebrite
Replying to DeepDiveForensics: "How to add an SD card dump, a single folder, into an existing case? @Cellebrite"
Are you talking about a project that's already open? Upon loading you can add it while opening.
Replying to CLB-Paul: "Are you talking about a project that's already open? Upon loading you can add it while opening."
DeepDiveForensics 5/20/2021 12:58 AM
Yes, project already open.
Replying to CLB - DavidK: "Yes, there was an issue while carving; it was fixed in the official 7.45 PA version. ..."
New version did the trick, no more memory leak issues!
Anyone from @Cellebrite for a question?
2:47 AM
About a Spreadtrum dump
I have an unlocked Samsung J3; UFED made a logical and a physical, but in the P.A. analysis I don't find Signal, which is present on the phone and contains a lot of messages. Any explanation?
In PA, Signal isn't supported on Android. You can use Oxygen. In my case it works.
It's only supported for CAS extractions.
@Cellebrite is this correct? Even a physical is not enough to have Signal on Android decoded?
Replying to FabianoQ: "@Cellebrite is this correct? Even a physical is not enough to have Signal on Android decoded?"
CLB-dan.techcrime 5/20/2021 9:26 AM
Correct, only in CAS at this time
Morning all, just after some clarification around the date/times listed in the mobile installation log. Are the times listed here in UTC or device specific? Thanks
Deleted User 5/20/2021 11:57 PM
Hello everyone. On Cellebrite Reader 7.45.0.96, the image thumbnails do not load in the table view or the thumbnail view. The trace window displays "Thumbnail cache (8805376), not loaded to memory". The "Load thumbnail cache to memory" checkbox in the settings is checked. Has anyone seen this? Is it a known issue @Cellebrite?
chrisforensic 5/21/2021 1:42 AM
Hello mates! @Cellebrite @Oxygen Forensics @MSAB and @all here, just need some information: is there a database that simply stores when an iPhone has fallen or been thrown? At the moment it was thrown, flight mode was enabled... I have a checkm8 of an iPhone 6s here... just wanna ask before I look around for hours 😂 (edited)
Replying to chrisforensic: "Hello mates! @Cellebrite @Oxygen Forensics @MSAB and @all here, just need some information: is there a database that simply stores when an iPhone has fallen or been thrown? ..."
Oxygen Forensics 5/21/2021 2:18 AM
Hello, like an accelerometer database?😅
2:18 AM
What exactly are you looking for?
2:19 AM
Or do you mean errors?
chrisforensic 5/21/2021 2:19 AM
The killer ran away from the scene and threw away the mobile phones of the dead. It was found in the field at the scene.
2:20 AM
The health data shows activity an hour after he killed the person.
Oxygen Forensics 5/21/2021 2:23 AM
The accelerometer has a class (CMMotionManager) and an object (CMSensorRecorder) that programs can call to read its data; then, if they decide to, they can store that data and record it. However, I am not aware of a native database storing the accelerometer data. You should probably analyze the DBs available to you and decide which may help you out.
Replying to Oxygen Forensics: "The accelerometer has a class (CMMotionManager) and an object (CMSensorRecorder) that programs can call to read its data; ..."
chrisforensic 5/21/2021 2:24 AM
Thanks for the info, mate 👍
Replying to chrisforensic: "Thanks for the info, mate 👍"
Oxygen Forensics 5/21/2021 2:26 AM
Sent some info in a DM, may be useful (edited)
Replying to Oxygen Forensics: "Sent some info in a DM, may be useful (edited)"
chrisforensic 5/21/2021 4:08 AM
Thanks, but didn't get a DM 😕
Replying to chrisforensic: "Thanks, but didn't get a DM 😕"
Oxygen Forensics 5/21/2021 4:09 AM
Please check again 🙂
Replying to Oxygen Forensics: "Please check again 🙂"
chrisforensic 5/21/2021 4:21 AM
Checked 😆 thanks, and stay healthy!
Avatar
does anyone has a way to convert .mari files into .bin ?
6:10 AM
miracle conversion returns error somehow
Avatar
CloudCuckooLand 5/21/2021 7:16 AM
Any tools support parsing of the Wink app?
Avatar
heatherDFIR 5/21/2021 9:18 AM
If you are interested in a Techno pass let me know! DM me.
Avatar
Don't know anything that parses it. Is it encrypted or encoded or something though? Most apps keep their data pretty overt in xmls/sqlites/plists.
Avatar
CLB_iwhiffin 5/21/2021 5:27 PM
I’m not personally familiar with wink, but looking at the App Store it appears to be a more a front for finding Snapchat users rather than it’s own communication app? I’ll give it a whirl this weekend.
Avatar
CloudCuckooLand 5/21/2021 5:57 PM
It's a very simple SQL db, we can do a few queries or write some scripts no problem, just wondered if someone had done the donkey work for us! I haven't d/l'd it myself, but it appears to be a separate app with its own app folder. I think you sign in with a Snapchat account and meet strangers. I can't imagine what kind of person would want such a service 🤨
Avatar
@MSAB can anyone help me troubleshoot issues im having with decoding a kirin physical??
Avatar
@0x3db If you could DM me the log from the extraction I can have a quick look and see if I can suggest anything 🙂
Avatar
anyone know if you can see from what device an message via imessage is sent from?
Avatar
Afternoon all ... does anyone happen to know of an iOS14+ file that contains information about the device storage capacity? Found one on iOS13, but it doesn't seem to be there anymore. Thanks
Avatar
Avatar
pug4N6
Afternoon all ... does anyone happen to know of an iOS14+ file that contains information about the device storage capacity? Found one on iOS13, but it doesn't seem to be there anymore. Thanks
If you have full file system access I think it can be pulled here: /private/var/Mobile/Library/Preferences/com.apple.atc.plist
Found it there on an iOS 13 device, but it doesn't seem to be there on multiple iOS 14 devices
Mr. Eddie Vedder from Accounting 5/24/2021 2:46 PM
What is the default location for Cellebrite carved pictures? Trying to help examiner in another state. They have physical of Android and the file of interest is showing location of Images/image457.jpg. Doesn’t appear the standard locations I’ve seen before and I don’t have access to PA at the moment.
Morning all, are times in iOS log files UTC or dependent on the handset's timezone?
pug4N6
Found it there on an iOS 13 device, but it doesn't seem to be there on multiple iOS 14 devices
odd, I'm seeing it on a test image that was running 14.3 I think
Hey! I have a SM-G930F which has Signal installed on it. On a guide for Oxygen Forensics Detective I can see that there is an option called "OxyAgent Signal data extraction". I downloaded the latest version 13.5.0.68 and ran "Android OxyAgent extraction" because "OxyAgent Signal Data" was not an alternative. In the extraction that I did, there was no data from Signal. @Oxygen Forensics, any tips? Thanks! 🙂
Hi! Does anyone know a way to bruteforce the "safe" file of a Huawei phone?
@Ment0r depends on the model, but if Kirin, then Oxygen supports Huawei PrivateSpace brute force in the recent version
Thanks Arcain! But I didn't mean the PrivateSpace but the Safe (in German "Tresor"). It is an encrypted container
7:50 AM
Fair enough, but maybe worth giving it a go if you're able to, and if you see Private Space set up as well. Could be that the passcode will be the same
Unfortunately different passcode 😦
Hi @Cellebrite anyone available for a DM about Trevor?
📩 2
@Ment0r Safe is not an easy thing… it needs to be alphanumeric with min. 1 capital letter and digit…. So brute force can be a challenge
👀 1
Anyone @Cellebrite available for a question about a GPSfix artifact?
Russell Abel - Bastrop County SO 5/25/2021 9:21 AM
I'm trying to get information on a video on an iPhone 12 (iOS 14.4.2). The video is in 2 places: Apple_iPhone 12 (A2172).zip/AFC Service/PhotoData/CPL/storage/filecache/AYe/cplAYeJmg11iYGre0nnvO9lVAsqAKwq.mov and Devyn’s iPhone/mobile/Media/PhotoData/Mutations/DCIM/126APPLE/IMG_6393/Adjustments/FullSizeRender.mov. I found information about IMG_6393 in the Photos.SQLite database, ZADDITIONALASSETATTRIBUTES. The original filename has 2 entries. One of them shows the ZCREATORBUNDLEID as com.apple.mobileslideshow. The other entry is blank. Can someone give me some insight as to what Mobileslideshow is? Also why are there 2 separate entries showing the same filename?
dushe
Hey! I have a SM-G930F which has Signal installed on it. On a guide for Oxygen Forensics Detective I can see that there is an option called "OxyAgent Signal data extraction". I downloaded the latest version 13.5.0.68 and ran "Android OxyAgent extraction" because "OxyAgent Signal Data" was not an alternative. In the extraction that I did, there was no data from Signal. @Oxygen Forensics, any tips? Thanks! 🙂
You must use Manual OxyAgent extraction using an SD card or OTG USB drive. More here: https://blog.oxygen-forensic.com/introducing-new-extraction-methods-for-signal-messenger/. But have you tried Exynos Dump for this device? You should get the user data partition and Signal data should be parsed. Then you don't need to use OxyAgent. (edited)
SDB
Anyone @Cellebrite available for a question about a GPSfix artifact?
CLB_iwhiffin 5/25/2021 12:28 PM
Hi SDB, Give me a DM and I'll see what I can do.
Russell Abel - Bastrop County SO
I'm trying to get information on a video on an iPhone 12 (iOS 14.4.2). The video is in 2 places: Apple_iPhone 12 (A2172).zip/AFC Service/PhotoData/CPL/storage/filecache/AYe/cplAYeJmg11iYGre0nnvO9lVAsqAKwq.mov and Devyn’s iPhone/mobile/Media/PhotoData/Mutations/DCIM/126APPLE/IMG_6393/Adjustments/FullSizeRender.mov. I found information about IMG_6393 in the Photos.SQLite database, ZADDITIONALASSETATTRIBUTES. The original filename has 2 entries. One of them shows the ZCREATORBUNDLEID as com.apple.mobileslideshow. The other entry is blank. Can someone give me some insight as to what Mobileslideshow is? Also why are there 2 separate entries showing the same filename?
CLB_iwhiffin 5/25/2021 12:32 PM
Hi Russell; the path with "CPL" is related to the Cloud Photo stream. The path with "Adjustments" has been modified somehow. As it's a video it was likely just trimmed, but equally could have had filters applied etc. Blank CreatorBundle means that it was the default camera app that created it. (If a 3rd-party app such as Snapchat had created it, it would say picaboo here.) MobileSlideShow is part of Apple's gallery and is likely the app responsible for the modified version of the video
👍 1
Russell Abel - Bastrop County SO 5/25/2021 12:34 PM
Thank you! The interesting thing is that both files are the same (hashes match)
12:34 PM
So I'm not sure if they started an edit, which created the new entry, then quit without saving any changes
Russell Abel - Bastrop County SO
So I'm not sure if they started an edit, which created the new entry, then quit without saving any changes
CLB_iwhiffin 5/25/2021 12:40 PM
I'd guess the original file (IMG_6393) was edited and then uploaded to cloud? (Hence matching hash) And the actual original deleted or removed for optimization? (edited)
Russell Abel - Bastrop County SO 5/25/2021 12:40 PM
Could be. The phone is set to optimize storage
Does anyone have experience parsing the Coinomi app? (edited)
Thanks @Angst! I'll try Exynos Dump first 🙂
@Magnet Forensics Is there any reason why some images do not get a PhotoDNA hash in AXIOM? Specifically all of the Snapchat Memories in my case
Oscar
@Magnet Forensics Is there any reason why some images do not get a PhotoDNA hash in AXIOM? Specifically all of the Snapchat Memories in my case
Mike MC from Magnet 5/26/2021 6:35 AM
Thanks for the question- Just sent you a DM.
@MSAB I have that popup when decrypting a dump, is that https://play.google.com/store/apps/details?id=com.xcs.folderlock&hl=en&gl=US 'cause I can't find it on the phone
@Mike It's the Huawei file safe app which is built into most Huawei phones. The password for it requires at least 6 characters where one is a letter. You should be able to see this in Settings>Security>Safe (edited)
ah ok cool thanks for the info ... no BF available?
@Mike As the code needs to be a minimum of 6 characters and one letter, brute forcing the code would take too long to be reasonable. We aim to support brute force in the future but only via dictionary.
one last thing, is it different from Huawei Private Space?
Yes it's separate from the Private Space. We can brute force Private Space data as that has the same requirements as the regular passcode for the device, but not data inside the safe.
thanks for these explanations
Anybody familiar with healthdb_secure? The app that traces direction and distance.
2:38 PM
Sorry. In iOS
@Mike Do you have access to an RE versed in Android? They might be able to get into locker apps for you, depending on the app
👍 1
In the last 2 days I've found 2 phones with a situation like this:
3:26 PM
In other words Telegram is not parsed; I can see the list of conversations (259) but no messages. Both phones are Android, one extraction is an APK downgrade while the other is a full FS. UFED versions 7.44 and 7.45. Anyone else had this problem?
@LawDawg a little
CLB - DavidK 5/27/2021 12:13 AM
@FabianoQ , DMing you
thanks ... unfortunately that is not an option for me ... the case involved a fast restitution of the handset to the owner ... I'm looking for a way to find info about that app and BF the code ... that might come in handy in the future as well
Becs
@Mike Do you have access to an RE versed in Android? They might be able to get into locker apps for you, depending on the app
I'm looking at the solutions I have ... I don't have the handset anymore ... I'm more in the direction of trying to find a hash/encryption key and to try to BF it
Yeah, that would definitely be the way to go. That's where an RE could help a lot. You don't even need the handset, just a copy of the APK, which you can get from anywhere
12:22 AM
Oh wait never mind sorry I misread that. If you want to BF it good luck!
not yet sure it's an APK, it might be integrated in the Huawei Android EMUI
Ah, apologies, I thought it was that APK you linked. Yeah, if it's a system thing no such convenient solution exists
Afternoon all, got some @Cellebrite acquisition files and .pas files back from our outsourcing company and am having trouble opening the .pas file. Getting the error "This session was saved from another dump". Is there a way of fixing this?
@Magnet Forensics unable to parse an iPhone extraction using Cellebrite Premium through AXIOM
4:11 AM
Error is... standby
4:13 AM
Uhh well this is awkward...
4:13 AM
it's working now O.O
😁 2
magnetforensics 1
Artea
Afternoon all, got some @Cellebrite acquisition files and .pas files back from our outsourcing company and am having trouble opening the .pas file. Getting the error "This session was saved from another dump". Is there a way of fixing this?
CLB-dan.techcrime 5/27/2021 4:41 AM
Are you using the exact same version of PA?
No, this is an old case from 2017/18 - looks like 7.17.1.1 was used to decode originally (edited)
Pacman
it's working now O.O
Will send a DM either way and take a look.
Pacman
it's working now O.O
The power of this forum 😂
🤣 4
All hail DFIR discord!
Salute 1
Hi. Just sitting and doing an analysis of an iPhone 5 (FFS). In my case it's important to say if the phone was used or not in a timeframe of a couple of days (the owner says that they started to use the phone on day 1 but other things say that the phone wasn't used until day 3). I already have a good idea of how it is but I have some artefacts that I'm not sure how to use. Looking at Mobile Activations Log in iLEAPP (great software by the way!) I only get Mobile activation startup from day 3. Anyone know when and how the activation is done? Should it have an activation time from day 1, or could the phone have been online for 2 days without any activation? The phone was used for about a year before "day 1" and had been shut down and just lying around until day 1 (according to the suspect) or day 3 (according to me). The phone is synced with an iCloud account.
Hello, I have a question about confusing timestamps in a WhatsApp chat group. A participant sends a video into a group. On the victim device I decoded this with Oxygen and UFED PA, and I have some timestamps: Time Stamp UTC 20.01.2020 10:12:13 (UTC+0), Received Time UTC 29.01.2020 18:10:58 (UTC+0). In the msgstore.db I have the media-key timestamp 19.01.2020 22:13:49, and in the filesystem I have the timestamp last access 29.01.2020 18:17:50 (UTC+0). So I think the msgstore key time is the time when the video was created on the "sending" phone, the time 20.01.2020 10:12 is the time of sending into the group and 29.01.2020 18:10 is the time when the victim received the message from the group. But why are the timestamps not equal between receiving and filesystem? Is the filesystem time the point of viewing the video?
@Cellebrite What's the app categorisation db?
Provides the category the app is based on, i.e. TextNow is a chat app, Waze is a map
10:58 AM
It groups applications where users can quickly see what kind of applications are installed on a device
10:59 AM
Like there are numerous crypto related apps installed… look there
Gotcha, just wondering why it's an addon and not included in PA by default out of curiosity 🤔. Only saw it by chance on twitter
11:00 AM
Unless it is included and I've completely confused myself
@Rob if you're referencing Heather's tweet, that was for UFED 4PC/Touch.
Oooh
12:40 PM
Not gonna lie, read it in a second and was like no clue what this is 😂
12:41 PM
But will follow the tip!
Morph
Hello, I have a question about confusing timestamps in a WhatsApp chat group. A participant sends a video into a group. On the victim device I decoded this with Oxygen and UFED PA, and I have some timestamps: Time Stamp UTC 20.01.2020 10:12:13 (UTC+0), Received Time UTC 29.01.2020 18:10:58 (UTC+0). In the msgstore.db I have the media-key timestamp 19.01.2020 22:13:49, and in the filesystem I have the timestamp last access 29.01.2020 18:17:50 (UTC+0). So I think the msgstore key time is the time when the video was created on the "sending" phone, the time 20.01.2020 10:12 is the time of sending into the group and 29.01.2020 18:10 is the time when the victim received the message from the group. But why are the timestamps not equal between receiving and filesystem? Is the filesystem time the point of viewing the video?
CLB-drorimon 5/27/2021 8:07 PM
In the filesystem you should have a few timestamps. Timestamp created is the time when the file was created on the victim's device, and should be similar to the received timestamp.
bomben
Hi. Just sitting and doing an analysis of an iPhone 5 (FFS). In my case it's important to say if the phone was used or not in a timeframe of a couple of days (the owner says that they started to use the phone on day 1 but other things say that the phone wasn't used until day 3). I already have a good idea of how it is but I have some artefacts that I'm not sure how to use. Looking at Mobile Activations Log in iLEAPP (great software by the way!) I only get Mobile activation startup from day 3. Anyone know when and how the activation is done? Should it have an activation time from day 1, or could the phone have been online for 2 days without any activation? The phone was used for about a year before "day 1" and had been shut down and just lying around until day 1 (according to the suspect) or day 3 (according to me). The phone is synced with an iCloud account.
Presentation Archives for my macOS and iOS Related Research - mac4n6/Presentations
11:41 PM
Having access to precise and granular user and application usage can be extremely useful in a forensic investigation, some of which are listed here. I find that pattern-of-life data is some of the most useful information on a device - it really does tell the story about a user and their devices. I'v
does anyone know if root/data/com.snapchat.android/files/file_manager/snap/* relates to taken snaps
Can't say for sure on that directory, but other dirs do contain overlays, snaps made with the device etc.
do you know which ones?
There is an update to this post. It can be found after the ‘Conclusion’ section.I was recently tasked with examining a two-year old Android-based phone which required an in-depth look …
👍 2
not every day Tony Stank teaches you about snapchat
😂 3
Sudo
not every day Tony Stank teaches you about snapchat
😆 2
Does anybody have an easy way to map device locations (iOS) outside of PA?
Can you just load your lat and long into Google Earth?
12:30 PM
there is another program called GIS ARC but I prefer Google Earth
12:30 PM
load them from .csv
12:30 PM
plot them all at once
Is there any automatic way to tell the differences between 2 UFED reports about the same phone taken a few days from one another?
@Cellebrite I think there's some sort of a bug in Cellebrite Reader 7.45. I'm missing the advanced search -> 'search file contents' option and 'Applications Insights'. They are available in PA 7.45. They were also available in Cellebrite Reader 7.44.
FabianoQ
Is there any automatic way to tell the differences between 2 UFED reports about the same phone taken a few days from one another?
forensicres 5/31/2021 3:56 AM
Quite raw...but you can always diff the pdf
diff-pdf : A simple tool for visually comparing two PDF files
mr.rookay
@Cellebrite I think there's some sort of a bug in Cellebrite Reader 7.45. I'm missing the advanced search -> 'search file contents' option and 'Applications Insights'. They are available in PA 7.45. They were also available in Cellebrite Reader 7.44.
CLB - DavidK 5/31/2021 4:50 AM
Seems like a bug, I'm taking care of it. Thanks for letting us know
Hi! I'm trying to find out when WhatsApp was first installed on an iPhone. I have tried looking into log files in /private/var/installd/Library/Logs/MobileInstallation/. But the logs seem to be missing some information. Any other suggestions?
Mattia Epifani 5/31/2021 7:02 AM
Hi all! I have a full file system acquisition of an iPhone X. There is an app called “Nicegram” that is an alternative to the more common “Telegram”. The internal structure of the db_sqlite file is exactly identical to the Telegram database. We tried all the tools but none was able to recognize the db and parse it. The reason, I think, is that tools are searching for the “Telegram” app and of course the app is not installed on the phone. In the past, I had the same issue on an Android device but I solved it by renaming the folder to the name of the Telegram package and it worked. Do you have any idea how to parse it on iOS, considering that the folder name is a GUID different in each installation?
@Mattia Epifani can you see the messages or are they encrypted? (edited)
Mattia Epifani 5/31/2021 8:01 AM
I can see the messages in the database; the issue is that all the tools we used were not able to understand that the db_sqlite is like the real Telegram app db
CLB_joshhickman1 5/31/2021 9:03 AM
Have you tried teleparser?
Mattia Epifani
Hi all! I have a full file system acquisition of an iPhone X. There is an app called “Nicegram” that is an alternative to the more common “Telegram”. The internal structure of the db_sqlite file is exactly identical to the Telegram database. We tried all the tools but none was able to recognize the db and parse it. The reason, I think, is that tools are searching for the “Telegram” app and of course the app is not installed on the phone. In the past, I had the same issue on an Android device but I solved it by renaming the folder to the name of the Telegram package and it worked. Do you have any idea how to parse it on iOS, considering that the folder name is a GUID different in each installation?
If the file structure is the same as in Telegram, you can make an FFS dump of a test iOS device with Telegram installed, then replace the Telegram files in the dump with the Nicegram files you extracted from the examined device and try to parse it. (edited)
CLB_joshhickman1
Have you tried teleparser?
Mattia Epifani 5/31/2021 10:51 AM
Hi @CLB_joshhickman1 ! We wrote teleparser 🙂 @dfirfpi is the main developer. It only works on Android 😦
Angst
If the file structure is the same as in Telegram, you can make an FFS dump of a test iOS device with Telegram installed, then replace the Telegram files in the dump with the Nicegram files you extracted from the examined device and try to parse it. (edited)
Mattia Epifani 5/31/2021 10:52 AM
I tried 😦 No luck and I don’t really know why. I’ll try it again from the beginning. I would love to have an option in tools like “parse this database as” 🙂
💯 1
LawDawg
Does anybody have an easy way to map device locations (iOS) outside of PA?
It’s pricey but CellHawk does a great job mapping locations.
I've got CellHawk. It's just that the output to Excel from PA isn't formatted the way CellHawk wants it.
11:01 AM
When you have 19,000 points, it takes a long time to reformat everything
@LawDawg I've never used CellHawk, but can it intake KML files rather than our Excel? Then ingest the KML.. (edited)
𝗖𝗲𝗹𝗹𝗦𝗼𝗹𝗱𝗶𝗲𝗿𝘀 5/31/2021 11:16 AM
I've got an iPhone 11 Xs Max and iPhone 11 Pro, both unlocked, all security disabled, iCloud credentials also available ... but UFED Advanced Logical FS is not giving WhatsApp deleted chats ... neither from iTunes backup. Any clue?
I would say getting deleted artifacts from WhatsApp is generally difficult. Off the top of my head, I am not 100% sure but you might need an FFS for WhatsApp. Please anyone correct me if I'm wrong. I play more on the Android side.
Mattia Epifani
Hi @CLB_joshhickman1 ! We wrote teleparser 🙂 @dfirfpi is the main developer. It only works on Android 😦
CLB_joshhickman1 5/31/2021 11:42 AM
I feel like I should’ve known that. 🤦‍♂️
LawDawg
I've got CellHawk. It's just that the output to Excel from PA isn't formatted the way CellHawk wants it.
How are you exporting the locations? You shouldn’t have to do anything special for CellHawk to recognize it.
LawDawg
I've got CellHawk. It's just that the output to Excel from PA isn't formatted the way CellHawk wants it.
There should be a drop down selection for “Cellebrite” in CellHawk when locations are exported from PA. CellHawk has been adjusted to ingest a PA location export.
Thanks!
👍 1
Garrett
There should be a drop down selection for “Cellebrite” in CellHawk when locations are exported from PA. CellHawk has been adjusted to ingest a PA location export.
Where is this "dropdown"?
Garrett
There should be a drop down selection for “Cellebrite” in CellHawk when locations are exported from PA. CellHawk has been adjusted to ingest a PA location export.
Or should there be a drop down in CellHawk -- Ingest PA Locations 🙂
LawDawg
Where is this "dropdown"?
Drag and drop or upload the file you exported from Cellebrite into CellHawk. (In CellHawk) Under PROVIDER- there should be a drop down menu. Select “Cellebrite” from that list.
roger roger
@LawDawg if that doesn't work send me the Excel and the way you want it set up. You should be able to concat any fields you want or separate them to your specifications.
I'll let you know. I'm having to pare down from 14,000 locations to something more manageable.
👍 1
@Deleted User same issue with thumbnails here, were you able to solve this issue? (edited)
7:52 AM
@Cellebrite are you aware about this thumbnail issue?
CLB - DavidK 6/1/2021 8:38 AM
Hello, it's a bug, will be fixed in the next PA release.
Ok thanks
I don't have access to a computer right now but was asked if it is possible to recover Snapchat data from an iTunes backup, or is a full file system extraction of the iOS device required?
Ffs
For Flips Sake or Full File System?
5:56 PM
Full File System
Bobby
@Deleted User same issue with thumbnails here, were you able to solve this issue? (edited)
Deleted User 6/1/2021 11:15 PM
No solution except use old version...
😊 1
David said the problem will be fixed in the next release, maybe very soon 🙏🏼
Hi all, Anyone from Cellebrite around to whom I could ask a question about Physical Analyzer?
Bobby
David said the problem will be fixed in the next release, maybe very soon 🙏🏼
CLB - DavidK 6/2/2021 12:42 AM
Fixed Reader version is already available at Cellebrite Community
👍 3
spadart
Hi all, Anyone from Cellebrite around to whom I could ask a question about Physical Analyzer?
CLB - DavidK 6/2/2021 12:42 AM
Sure, feel free to DM me
@CLB - DavidK great, thank you, new Reader version downloaded and tested. I can confirm that the thumbnail issue is solved. @Deleted User
I'm assuming there's a simple way to generate a report with just a table of MD5 hashes from files in the extraction? @Cellebrite
3:25 AM
Can't be over multiple sheets, looking for one sheet containing every MD5
3:25 AM
Thanks in advance
Bobby
@CLB - DavidK great, thank you, new Reader version downloaded and tested. I can confirm that the thumbnail issue is solved. @Deleted User
Deleted User 6/2/2021 3:36 AM
Yes, for me too
forensicMouse 6/2/2021 5:21 PM
Are there any programs that allow remote access control of iOS or Android devices? Looking to rule out this defense
I had something similar and I was able to help rule that out with the malware scan in Cellebrite. It clearly has its flaws, but it’s better than nothing.
I'm looking at a couple of 3-second video clips located on an iPhone (AFU, unknown passcode), which I'd like to know more about. The files are located in com.snap.file_manager and the file names are just numbers with 19 digits (not timestamps, looks random). They are .mp4 and probably recorded with Snapchat, but whether they were sent/received I cannot figure out. I also cannot find the matching/original corresponding files in various databases (photos.sqlite and scdb-27.sqlite) - maybe because they aren't there, but I have a feeling they might be. Anyone come across this problem who'd be willing to share their thoughts?
Does anyone have any experience recovering the PIN for the iOS app Keepsafe? UFED PA seems to decode the media stored in it, but I can't confirm this without gaining access to the secured folder.
@Joe.doe not looked at the iOS version of Keepsafe, but I'd check the keychain first. Do you have a GK/checkm8 extraction of the device?
@Aero I've got a GK extraction to work with, but I've not had much experience manually digging and deciphering the data in the keychain.
Is it anywhere in the passwords.txt file? I find sometimes with iOS apps the PIN codes for these locker apps are just in the decrypted keychain, or in the keychain as a base64 value (edited)
I've had a look to see if I could identify something but apart from seeing reference to Keepsafe occasionally, I've not seen something like a hash value or base64 value I can convert and get something that is legible.
@Cellebrite can we please get an auto-generated decode log file in the next software update for PA? 🙏 Copying and pasting from the trace window doesn't work well anymore; the log pastes out of order randomly and we have to go through it manually to make sure everything's in the correct order
CLB-drorimon
You can get the logs (Trace window lines are included in it) here: %appdata%\Cellebrite Mobile Synchronization\UFED Physical Analyzer
CLB-drorimon 6/4/2021 2:33 AM
@HSleep, you can get the logs here. Copying lines directly from the trace window can behave funny if you don't select the lines in a chronological order.
Awesome thank you 😊
HSleep
@Cellebrite can we please get an auto-generated decode log file in the next software update for PA? 🙏 Copying and pasting from the trace window doesn't work well anymore; the log pastes out of order randomly and we have to go through it manually to make sure everything's in the correct order
mg_cellebrite 6/4/2021 8:50 AM
Did you try Help -> Generate log file? You should get all the logs gathered
chrisforensic 6/5/2021 2:13 AM
Just compared 2 forensic tools.... Import Huawei Backup, P30 Pro, Android 10, done with latest HiSuite 11.0.0.510 hmmmm.... your opinion?
👍 1
2:13 AM
2:13 AM
I made similar comparisons many times and noticed that PA has problems with decoding Telegram messages. But on the other hand, sometimes PA can decode many more deleted phone calls than Oxygen. PA always finds many more photos/images, especially in the browser cache; I think it is better for searching the locations too. I see that in your case there are no WhatsApp chats in PA, but I think you can decode them using the AppGenie tool. Try to use it for Telegram and Skype too. I'm not sure if it will work with Discord - never tried. Anyway, it's good to decode data using different tools, because the results can vary considerably. I prefer to analyze data with Oxygen so I always start my work by importing the extraction into Oxy. (edited)
👌 2
forensicMouse
Are there any programs that allow remote access control of iOS or Android devices? Looking to rule out this defense
Plenty. However, they will most likely be obvious, such as TeamViewer, which will show up in the user's Play Store / App Store library. You can also check app permissions to look for sneaky ones. iOS has the advantage that unless you have jailbroken the device, which requires physical access to the device itself and some knowledge to do anything vaguely sneaky, it has a low probability of malware. Android has a higher chance of getting something malicious, but most attacks, in my opinion, are mostly to hijack or steal credentials. Depending on the case, there may be IP logs to subsequent online accounts. Cellebrite has a virus scan, or run Malwarebytes or similar if concerned. (edited)
So, I just found that Cellebrite Physical Analyzer does not play any videos via the built-in video player; also almost 50-70% of all thumbs of images are not generated.
2:18 AM
I tried the same on another PC with PA installed; there it does generate all thumbs, same source files. Also the output Reader file is 20 gigs instead of the around 13 gigs my PA generates. What to do? @Cellebrite
to clarify more, in PA I see all thumbs. But when I generate a UFDR and open that one, almost all thumbs are gone
Use the latest UFED Reader hotfix
2:50 AM
Download it, rename it CellebriteReader.exe and then go to Program Files -> Cellebrite Mobile Synchronization -> Cellebrite Physical Analyzer -> CellebriteReader and overwrite the existing CellebriteReader.exe file
2:50 AM
Then for your already created report (and any others) simply find the folder you made the report in and overwrite the existing CellebriteReader.exe file
2:50 AM
It'll open in the latest and greatest UFED Reader and show all those lovely thumbnails etc. (edited)
Avatar
I will check, thanks for the tip! Still, the UFDR my colleague made is around 20 gig, mine is 13 gig. Where could this difference be?
2:54 AM
His thumbnail cache is 368 MB, mine is 93 MB...
Avatar
Sounds like something for the Cellebrite lot to take a look at, best to contact their support.
Avatar
Yes, will do. At least the thumbnail problem is interesting; will try the new reader. Didn't know about that. Thx :
👍 1
2:55 AM
🙂
Avatar
Is anybody else having issues with @Cellebrite PA taking forever to parse a phone, particularly iPhones? I have an Advanced Logical of an iPhone 12 that is pushing 2.5+ hours. The UFD file is on a local SSD, 128gb RAM, 2 Xeon processors. (edited)
Avatar
Avatar
Sockmoth
Does anybody know what "Reminder Locations" are in UFED PA? I've got a bunch of them which seem to originate from Google Maps but when I look them up in Google Earth (exported as KML) they are all over the place. In short, the device couldn't have been at all locations listed in the small amount of time available unless the owner was wearing some type of jet pack. @Cellebrite
btwilliams 6/7/2021 1:00 PM
Did anyone ever find out exactly what the "reminder locations" relate to? Tried searching and this is the only thread I found.
Avatar
Avatar
goalguy
Is anybody else having issues with @Cellebrite PA taking forever to parse a phone, particularly iPhones? I have an Advanced Logical of an iPhone 12 that is pushing 2.5+ hours. The UFD file is on a local SSD, 128gb RAM, 2 Xeon processors. (edited)
Depends on the size of the extraction - phones are only getting bigger. They have been taking longer but I have not timed it. Just leave it parsing and go do something else
Avatar
@goalguy iirc Physical Analyzer only used 1 CPU core, so all those Xeon cores and threads ain't doing anything. (edited)
Avatar
Avatar
goalguy
Is anybody else having issues with @Cellebrite PA taking forever to parse a phone, particularly iPhones? I have an Advanced Logical of an iPhone 12 that is pushing 2.5+ hours. The UFD file is on a local SSD, 128gb RAM, 2 Xeon processors. (edited)
mg_cellebrite 6/7/2021 10:48 PM
Can you tell which stage it hangs on? Is it a certain app parser? Could you DM the logs (better if you can send logs for more than one iPhone so I will check for common ground)? Did you apply enrichment/post processing like image analytics or archive recovery?
Avatar
Hello friends. On the phone of a Samsung A9 suspect I found a folder in the path ending with com.facebook.katana whose name is exactly the profile tax I am looking for; inside it is a database file named newsfeed_db and three folders named 5f, 28, f3. Inside are unopened files whose names are some hash. What does this folder mean in this location, and can it indicate that the phone owner is the account holder? There is another Facebook account connected to the phone and there is no such folder in the same location; what does it mean? In opening the data file there are URLs with a path to Facebook and various profiles. Thanks in advance.
Avatar
Avatar
Solec
@goalguy iirc Physical analyzer only used 1 CPU core, all those xeon cores and threads aint doing anything. (edited)
CLB-drorimon 6/8/2021 2:36 AM
Actually PA utilizes the cores for many different tasks, but there are times when one task takes significantly more time than the others (let's say decoding of a really heavy DB), so one can observe starvation of the other cores.
Avatar
Avatar
btwilliams
Did anyone ever find out exactly what the "reminder locations" relate to? Tried searching and this is the only thread I found.
CLB_iwhiffin 6/8/2021 6:31 PM
Numerous things. It could be 1) a reminder as in “hey Siri, remind me to do X when I arrive home”; 2) a store geofence so when you get close to it, it knows (Apple stores for example, if you have the Apple Store app installed); 3) real-time monitoring of Frequent Locations (in particular, looking for whether you leave the one you're in or enter the one it THINKS you are going to). Look in the database for the process name. (edited)
Avatar
@CLB ... Hello, can I customize the dictionary on Samsung Bruteforce attack? It is known that the lock code is a six digit sequence ... I would like to just have all possibilities tried from 000001 to 999999. Thanks a lot!
Avatar
Morning All! Looking to confirm the last time a handset was used by a user. It's a Samsung J3 that is locked. Got a binary acquisition but no PIN recovered. I have looked in the contextlog.db and can see that the calculator app has a launcher_type entry of 1. I believe this is showing that the application was accessed by the user. Everything after that is missed calls (inCallActivity) that have a launcher_type entry of 0. Is there anything else I should be looking at for this?
Avatar
chrisforensic 6/9/2021 12:11 AM
@Ment0r hi, as far as I know, you can't use your own dictionaries to bruteforce with PA at this time.... maybe with the next PA update... would be nice, of course 😉 @Cellebrite (edited)
Avatar
Hello, does someone know a good way to determine the date/time of an Android wipe/reset? UFED PA says the phone activation time is 28/05/2021 14:21:50 (UTC+0). Can I assume that is the wipe time? Any way to crosscheck that information?
Avatar
\data\log\recovery.log
8:34 AM
There you can read a) if a reset has been performed b) when it has been performed and c) which partitions have been wiped in the process.
Avatar
Great i’ll have a check, thanks for the info
Avatar
Hum, no such file (edited)
9:04 AM
But there is a /splash2/recovery/reset_log file which contains only one line, which could be the wipe info:
9:04 AM
time: 20210528161355; mode: 101; version: ANE-LGRP2-OVS 9.1.0.379; result: success
Avatar
Avatar
Mike
Hello, does someone know a good way to determine the date/time of an Android wipe/reset? UFED PA says the phone activation time is 28/05/2021 14:21:50 (UTC+0). Can I assume that is the wipe time? Any way to crosscheck that information?
When I asked this previously (I can probably find the link), this related to when a Google account was aligned to the device.
Avatar
This is the first time I've seen this:
12:34 AM
Does this mean Cellebrite has cracked the PIN for secure folder? @Cellebrite
12:38 AM
Oh hang on, the messages within Samsung Secure Folder are almost the same as normal WhatsApp... what happened here?
Avatar
Deleted User 6/10/2021 12:48 AM
Is it possible to export a decrypted filesystem from an FBE device like Exynos or Huawei extracted with XRY to .tar or .zip or anything else than all files on NTFS storage? I have some issues because the length of the path is too long to be exported, and probably some special characters don't help either.
12:49 AM
@Erumaro sorry I can't tag MSAB, I don't know why.
Avatar
Avatar
Deleted User
@Erumaro sorry I can't tag MSAB, I don't know why.
I get this problem as well sometimes - not sure why
😭 1
Avatar
Is there a way to determine when a user of an iphone changed the apple ID to the current active user?
Avatar
@Deleted User No, unfortunately not right now. You can put the export in a .zip from XAMN, but the data is still cached locally first, which will still make it susceptible to file path and illegal character issues. With these physical extractions from FBE devices they tend to give out quite a lot of deleted junk which may need to be excluded in XAMN before exporting. I agree this is a problem and is something we have fed back to development. (edited)
😭 2
Avatar
Avatar
Erumaro
@Deleted User No, unfortunately not right now. You can put the export in a .zip from XAMN, but the data is still cached locally first, which will still make it susceptible to file path and illegal character issues. With these physical extractions from FBE devices they tend to give out quite a lot of deleted junk which may need to be excluded in XAMN before exporting. I agree this is a problem and is something we have fed back to development. (edited)
Deleted User 6/10/2021 1:16 AM
Does the development team tell you good news?
Avatar
@Deleted User Almost daily, in general, but unfortunately no news relating to this specifically as of yet.
😆 1
Avatar
Avatar
Erumaro
@Deleted User Almost daily, in general, but unfortunately no news relating to this specifically as of yet.
Deleted User 6/10/2021 1:30 AM
thanks 😉
Avatar
Avatar
Pacman
This is the first time I've seen this:
Is this from an FFS Exynos dump? I had a similar problem with duplicated data, described here: https://discordapp.com/channels/427876741990711298/427877097768222740/850365038656356432
Avatar
Yep! It is a Samsung S10
Avatar
What is the size of the dumped FFS compared to the FFS on the device? I had dumps twice as big. Do you have a /data_mirror/ folder in your dump? (edited)
Avatar
One moment
2:22 AM
On handset it's 36 GB
2:23 AM
dumped FFS is also 36GB
2:23 AM
I do see data_mirror in my dump though
Avatar
It's weird. Maybe someone from @Cellebrite will comment on this, because I compared the dumps from 4PC and Oxygen, and those from Oxygen didn't show duplicated data after decoding and didn't contain data_mirror folders.
Avatar
Avatar
Angst
It's weird. Maybe someone from @Cellebrite will comment on this, because I compared the dumps from 4PC and Oxygen, and those from Oxygen didn't show duplicated data after decoding and didn't contain data_mirror folders.
CLB-drorimon 6/10/2021 3:54 AM
In some cases (Android 11's data_mirror for example) there are multiple mount points of the same partition with the same permissions. To date in FFS 4PC pulls all files from all possible paths, so you get the same files under data and also under data_mirror. PA, for its part, will look for applications in all possible places, and will decode them from both data and data_mirror independently.
Avatar
Avatar
Pacman
Oh hang on, the messages within Samsung Secure Folder are almost the same as normal WhatsApp... what happened here?
Almost the same? It could be that the user added WhatsApp to SF at an earlier / later point. It's labeled as SF since it's contained under user 150. And no need for a passcode, it gets bypassed.
Avatar
Avatar
CLB-Paul
Almost the same? It could be that the user added WhatsApp to SF at an earlier / later point. It's labeled as SF since it's contained under user 150. And no need for a passcode, it gets bypassed.
I actually gained access to the secure folder (the PIN is the same as the PIN to unlock the phone) - WhatsApp isn't installed within Secure Folder.
Avatar
Shoot me a dm and we can chat more about it
Avatar
Avatar
Artea
Morning All! Looking to confirm the last time a handset was used by a user. Its a Samsung J3 that is locked. got a binary acquisition but no PIN recovered. I have looked in the contextlog.db and can see that the calculator app has a launcher_type entry as 1. I believe this is showing that the application was accessed by the user. Everything after that are missed calls (inCallActivity) that have a launcher_type entry as 0. Is there anything else i should be looking at for this?
torskepostei 6/10/2021 11:35 PM
Have a look at the batterystats or newbatterystats files. They track what apps have been using power and when the screen was turned on. Requires some chewing to understand, but that file is a goldmine when recent usage is important to understand. Digital Wellbeing is also a good source for this type of data; have a look at data/com.samsung.android.forest/databases/dwbCommon.db. Look out for events like "KEYGUARD_HIDDEN" and "KEYGUARD_SHOWN", meaning the device may have been locked/unlocked. See more info here: https://thebinaryhick.blog/2020/02/22/walking-the-android-timeline-using-androids-digital-wellbeing-to-timeline-android-activity/ (and note that there is both a Google version and a Samsung version of Digital Wellbeing). (edited)
Each time I have created an Android image I have found something new. Google Assistant and Android Auto were results of Nougat and Oreo, and the changes I found in Google Assistant were a result of…
Salute 1
👍 1
Avatar
Anyone had any issues after doing a physical OTG whereby it just refuses to open, with an error in the trace window?
Avatar
@Oxygen Forensics Hi, does oxygen support an Oppo CPH1931 with Qualcomm SDM665? We have no password
Avatar
Oxygen Forensics 6/11/2021 2:40 AM
Hello, @Dan15 Oppo A5 2020 CPH1931 is currently out of scope
Avatar
Thank you so much for the quick response.
Avatar
@Cellebrite has anyone had PA decode Kik as “kik messanger”? Is there a reason for this?
Avatar
Could be a custom kik apk
Avatar
Avatar
King Pepsi
@Cellebrite has anyone had PA decode Kik as “kik messanger”? Is there a reason for this
CLB-dan.techcrime 6/14/2021 3:57 AM
With the typo in messenger?
Avatar
Yeah
3:58 AM
That’s the bit that confused me
3:58 AM
Looks like it’s taken it directly from binary as source file is just the dump.bin
Avatar
@Cellebrite out of interest, are PA and Cloud the same product, with the licence deciding what features you can use, or are they two separate programs that both need to be downloaded?
Avatar
I have a file system and advanced logical from a Galaxy S20 Ultra. Can anyone help me to understand why Telegram does not show up as installed in the extraction (no installed app and no databases that I can find) even though it was installed on the phone and there are numerous files in the Telegram file directory?
Avatar
@Cellebrite I've loaded a Google Takeout extraction with a lot of location history into Cellebrite PA 7.45, but the location history isn't decoded. When viewing the trace window I only see the native location parser, not a specific parser for location history. So I used the option 'carve for location'; locations are shown but a lot of locations are missing. How should the location history be parsed in PA?
Avatar
@Cellebrite Can’t seem to figure out a way to filter images on gallery view on PA...anyone
Avatar
Avatar
mr.rookay
@Cellebrite I've loaded a Google Takeout extraction with a lot of location history into Cellebrite PA 7.45, but the location history isn't decoded. When viewing the trace window I only see the native location parser, not a specific parser for location history. So I used the option 'carve for location'; locations are shown but a lot of locations are missing. How should the location history be parsed in PA?
agentmulder34 6/14/2021 11:28 AM
Please send a ticket into support@cellebrite.com This will help you and help everyone else...
Avatar
Avatar
King Pepsi
Yeah
torskepostei 6/14/2021 11:35 AM
I recently heard an interesting podcast about Kik, turns out building custom Kiks is fairly common, could be one of those you encountered: https://darknetdiaries.com/episode/93/ (edited)
Kik is a wildly popular chat app. Their website says that 1 in 3 American teenagers use Kik. But something dark is brewing on Kik.
Salute 2
Avatar
@wcso_pete I believe that device is file-based encrypted. It may only be a click for a developer to say don't provide material during a file system extraction. I imagine a full file would provide you the material you need.
Avatar
Avatar
mr.rookay
@Cellebrite I've loaded a Google Takeout extraction with a lot of location history into Cellebrite PA 7.45, but the location history isn't decoded. When viewing the trace window I only see the native location parser, not a specific parser for location history. So I used the option 'carve for location'; locations are shown but a lot of locations are missing. How should the location history be parsed in PA?
mg_cellebrite 6/14/2021 11:45 PM
As suggested here, you should open a support ticket with Cellebrite support; they will take all the details. The Takeout parser supports location history. Is the Takeout in English?
Avatar
Avatar
mg_cellebrite
As suggested here, you should open a support ticket with Cellebrite support; they will take all the details. The Takeout parser supports location history. Is the Takeout in English?
I've just created a case. Location history (JSON) is in English. But the directories were in Dutch, so I changed them to English and now the locations are being parsed. Thnx! (edited)
Avatar
Avatar
mr.rookay
I've just created a case. Location history (JSON) is in English. But the directories were in Dutch, so I changed them to English and now the locations are being parsed. Thnx! (edited)
CLB-drorimon 6/15/2021 4:15 AM
All languages should be supported, from what you said I understand there's an issue. Thanks.
Avatar
Hi! What artifacts should be taken into account in the iOS system to exclude the possibility of date manipulation on the device?
Avatar
@Cellebrite Are there any manuals or samples to follow in order to create plugins for Physical analyzer?
Avatar
Forensic@tor 6/15/2021 7:18 AM
@dahla look under help for the manuals
Avatar
Avatar
dahla
@Cellebrite Are there any manuals or samples to follow in order to create plugins for Physical analyzer?
There was also a CTRL+ALT+DEL episode about scripting specifically in PA. I'd have to go dig it up
Avatar
Avatar
dahla
@Cellebrite Are there any manuals or samples to follow in order to create plugins for Physical analyzer?
CLB-drorimon 6/15/2021 10:08 AM
There's the Python scripting guide in PA's help menu, and some samples in PA's installation folder under PythonSamples.
Avatar
Avatar
Forensic@tor
@dahla look under help for the manuals
I've been looking at those, but they leave a lot to be desired when juggling with encrypted files, and some explanation regarding the differences between the shell and the option to run a script with/without debug would help, as the code seems to run differently.
Avatar
Anyone know why I would be seeing the same text messages as “deleted” and not deleted in PA? I realize that they're using an icing_database as the source for the deleted messages, but it's the exact same conversation that is showing up in the SMS database. Times and messages all match. This makes me question the other messages that are labeled as “deleted”: are they technically deleted messages at all? Thanks!
Avatar
I need to pull Signal messages from a Samsung Galaxy S20. CB supported apps list indicates that Signal is not supported on Android. I understand that you can backup Signal to a .backup, copy to a PC and decrypt the content w/ https://github.com/xeals/signal-back. That said, it does not appear to link the extracted attachments to the message threads. Any other solutions? Does Axiom support Signal from a Signal .backup? I don't currently own Oxygen and would prefer to not have to acquire another tool just for one type of data. Any other suggestions?
Avatar
this is the way
8:54 PM
Axiom supports the signal backup format as long as you have the key used to create the backup
8:54 PM
there is also a Linux script you can use for that purpose but it's a bit involved
8:54 PM
and it doesnt do reporting, it just gives you a database you have to run queries on
8:54 PM
talk to @forensicmike @Magnet for more
8:55 PM
@BSOD
8:56 PM
so you can make the backup on the suspect phone before you acquire it, or after you acquire the phone add your own SD card and write the backup to the SD card (assuming it has an SD card slot; I think only the S20+ has this)
Avatar
@Sha1_4n6 Cheers! I have extracted the .backup, and I am able to parse with signal-back, just not happy with the results. @forensicmike @Magnet , any guidance on how to process the signal .backup from an Android device? I have the key saved to a pw.txt.
Avatar
this is the tool I used last November: https://github.com/bepaald/signalbackup-tools. DM me for more info
Avatar
Avatar
CLB-ChenK
@Mike You can DM me with more details about what files you are able to import and how they were extracted initially from the phone, I'll try to help
Deleted User 6/17/2021 2:45 AM
I got the same problem mentioned above. Available for help?
2:46 AM
or someone else @Cellebrite
Avatar
@Cellebrite got an error processing a dump failed to execute: F2FS the matrix isn't long enought to copy all collection items, any suggestion ?
Avatar
Avatar
BSOD
@Sha1_4n6 Cheers! I have extracted the .backup, and I am able to parse with signal-back, just not happy with the results. @forensicmike @Magnet , any guidance on how to process the signal .backup from an Android device? I have the key saved to a pw.txt.
forensicmike @Magnet 6/17/2021 6:24 AM
Hi, yes you can use AXIOM for this. In the artifact selection area in Process, click the options link under Signal. Then provide the numeric key in the textbox. Feel free to DM if you have any issues.
Avatar
@Cellebrite Looking into WhatsApp for the case I'm working on - I keep seeing "System Message" and the body of the message is either true or false
7:38 AM
7:38 AM
Can you explain why?
Avatar
Another example:
7:50 AM
Samsung Galaxy A30s by the way.
7:50 AM
Android 9
Avatar
CLB-drorimon 6/17/2021 7:50 AM
Bug?
Avatar
No idea
7:51 AM
I'm running 7.44 so I'll try updating to the latest version
Avatar
@CLB-drorimon @Cellebrite latest version, still the same:
Avatar
CLB-drorimon 6/17/2021 8:57 AM
The usual thing to check is the app version (you can check it in the Installed Applications section) and compare it to the list of app versions supported by PA (from the help menu). If the app's version is listed as supported then it could be a bug. I'll DM.
Avatar
I have an Android phone running an MSM8937 chipset and Cellebrite detected it to be a 5004S. The phone was factory reset when I turned it on, but I was able to set up the phone and do a Qualcomm Live FFS extraction. Upon reviewing the hex in the /cache/recovery/last_log files, I found where it stated the following:
2:20 PM
" Command: "/system/bin/recovery" "--wipe_data" "--reason=Find My Device wiping device remotely,2019-01-01T11:44:59Z" "--locale=en-US". " (timestamp changed from original, but the format is the same) (edited)
2:21 PM
How do I interpret that timestamp? Is it in Zulu time, so it means 11:44:59am UTC? The reason I am confused is that if it is UTC it doesn't quite make sense based on the case. (edited)
👌 1
Avatar
DeeFIR 🇦🇺 6/17/2021 5:14 PM
Nice find, thanks @FullTang. You would think that indicates it's Z/UTC. Why don't you think UTC makes sense?
Avatar
Thanks. Because if it is UTC it would indicate the phone was remotely wiped hours before LE arrived on scene.
5:19 PM
@DeeFIR 🇦🇺
5:24 PM
There is a little more to it than just, I can DM if you would like.
Avatar
Avatar
varbytes
Anyone have recommendations for parsing data from a WhatsApp-like app (YoWhatsApp)? The file and database organisation looks very similar to standard WhatsApp. @Cellebrite is able to parse WhatsApp and GBWhatsApp - is there any way to reuse the same parser for YoWhatsApp without having to reinvent the wheel?
mg_cellebrite 6/17/2021 10:55 PM
You can try applying the WhatsApp parser of Physical Analyzer and see if it works. My suggestion is to take the YoWhatsApp data and structure the directories so they match original WhatsApp. DM me if needed and I would love to try and help.
Avatar
Avatar
mg_cellebrite
You can try applying the WhatsApp parser of Physical Analyzer and see if it works. My suggestion is to take the YoWhatsApp data and structure the directories so they match original WhatsApp. DM me if needed and I would love to try and help.
chrisforensic 6/17/2021 11:05 PM
Yes, right... I use this method if I have any "unofficial" version of WhatsApp 👍
Avatar
Avatar
Pacman
@Cellebrite Looking into WhatsApp for the case I'm working on - I keep seeing "System Message" and the body of the message is either true or false
mg_cellebrite 6/17/2021 11:05 PM
Hi. Did you open a support case with Cellebrite? Can I get the details? I want to work on it ASAP.
Avatar
Avatar
chrisforensic
Yes, right... I use this method if I have any "unofficial" version of WhatsApp 👍
mg_cellebrite 6/17/2021 11:06 PM
You can DM me any WhatsApp variant which works like this and we will add built-in support in PA..
💯 2
Avatar
Avatar
RS
@Cellebrite got an error processing a dump failed to execute: F2FS the matrix isn't long enought to copy all collection items, any suggestion ?
mg_cellebrite 6/17/2021 11:07 PM
@CLB-drorimon
Avatar
Hey! Does anyone know if WhatsApp stores tokens on iPhones? And if so, where would one find them?
Avatar
Avatar
mg_cellebrite
You can try applying the WhatsApp parser of Physical Analyzer and see if it works. My suggestion is to take the YoWhatsApp data and structure the directories so they match original WhatsApp. DM me if needed and I would love to try and help.
@mg_cellebrite, @chrisforensic yep, that's what I did in the end, although it wasn't ideal as the phone also had WhatsApp installed. Ended up having to generate the report from PA twice - once for the actual WhatsApp and another for the 'masqueraded' WhatsApp 😆
💯 1
Avatar
Avatar
varbytes
@mg_cellebrite, @chrisforensic yep, that's what I did in the end, although it wasn't ideal as the phone also had WhatsApp installed. Ended up having to generate the report from PA twice - once for the actual WhatsApp and another for the 'masqueraded' WhatsApp 😆
mg_cellebrite 6/18/2021 11:07 AM
Totally, that's a work-around. If you have such a variant, DM me about it.
Avatar
Avatar
Deleted User
I got the same problem mentioned above. Available for help?
Sure. Mike's problem was solved just by putting the Signal database on the same path as it would appear in the original file system (i.e. in an FFS extraction); feel free to DM if that doesn't help.
Avatar
Anyone know of a way to get information, using Cellebrite, from a phone that has the Family Link app set up, but the parents lost the phone and password that the account was set up on?
Avatar
Avatar
CLB-ChenK
Sure. Mike's problem was solved just by putting the Signal database on the same path as it would appear in the original file system (i.e. in an FFS extraction); feel free to DM if that doesn't help.
Deleted User 6/20/2021 11:32 PM
Thanks, I'll try that.
Avatar
Avatar
Deleted User
Thanks, I'll try that.
If you don't get it to work I can send you my fairly primitive Signal parsing script 🙂
Avatar
Avatar
Oscar
If you don't get it to work I can send you my fairly primitive Signal parsing script 🙂
Deleted User 6/21/2021 10:51 PM
Yes please, I can't get it to work. 😃
Avatar
Avatar
Deleted User
Yes please, I can't get it to work. 😃
Contribute to decryptSignal/decryptSignal development by creating an account on GitHub.
👍 1
Avatar
Looking for some help, anyone. Has anyone worked with encrypted (locked) images on the LG Stylo phones? They show up with a .dm file extension and appear to be encrypted with AES-128.
Avatar
Has anyone played around with @Elcomsoft's synced iCloud data at all lately? Messages are stored in a Messages.db file now, and the schema is slightly different from the SMS.db you'd normally see. Is there any way to get @Cellebrite to read/parse this? None of the plugin chains seem to work correctly, and I can't seem to find anyone who has done the SQL mapping yet. TIA
Avatar
Avatar
Bobby
@CLB - DavidK great thank you, new reader version downloaded and tested. I can confirm that thumbnail issue is solved. @Deleted User
Is there an easy way for those without cellebrite community accounts to download the latest reader version? To solve the thumbnail issue without having to reprocess?
Avatar
@Matt well, if you are a UFED customer you have access to the UFED software update platform, where you should be able to download the working Reader version, or just wait for the PA update (UFED Reader is embedded into the PA install folders).
Avatar
Yea. But I'm trying to figure out a way to have non-UFED customers download the latest UFED Reader.
Avatar
To be honest, you could probably just make a Cellebrite account and ask for it via a support ticket if you can't see it listed under products/licences.
Avatar
Avatar
FunkeDope
Has anyone played around with @Elcomsoft's synced iCloud data at all lately? Messages are stored in a Messages.db file now, and the schema is slightly different from the SMS.db you'd normally see. Is there any way to get @Cellebrite to read/parse this? None of the plugin chains seem to work correctly, and I can't seem to find anyone who has done the SQL mapping yet. TIA
I'm curious about this too. When dealing with this data in the past I just purchased Elcomsoft Phone Breaker Forensic Edition to decode it.
Avatar
Hi guys, a suspect claims his FB account has been hacked; we have an iPhone dump of the phone where it was used. We can clearly see it being switched at some point. Is there usually any hint of a hack? Thinking of 2FA notifications in a way. Maybe "new device login" emails?
Avatar
Avatar
Luci
Hi guys, a suspect claims his FB account has been hacked; we have an iPhone dump of the phone where it was used. We can clearly see it being switched at some point. Is there usually any hint of a hack? Thinking of 2FA notifications in a way. Maybe "new device login" emails?
What about logged-in devices / IPs in the settings on the actual FB site?
Avatar
Avatar
CLB-Paul
What about logged-in devices / IPs in the settings on the actual FB site?
It was deactivated because of the upload of CSAM
7:33 AM
and being non-US based a warrant return seems problematic in most cases
Avatar
Wondering if anyone has had a different experience with the application TikTok, specifically the folder data/media/0/Android/data/com.zhiliaoapp.musically/cache/picture/fresco_cache/v2.ols100.1/98/. My testing and research shows this folder contains images of videos watched and often includes the main photo of the account of the person who put the photo on TikTok. In my limited research and testing this database is populated when the user is scrolling through TikTok. When the device is left in a powered-on state and no scrolling is conducted (application still in background), no activity is recorded in this database during the over 1 hour of no user activity. Interested in anyone's opinion on this application and user attribution.
Avatar
Does anyone have scripts for parsing Cash App DBs on iOS? I checked the Magnet Artifact Exchange and didn't find anything. Thought I would check here. The Android DBs are much easier for Cash App.
Avatar
lonely_cash 6/23/2021 10:57 AM
Hi All, I know some folks have encountered this and have discussed in the past, but I'm wondering if anyone has been able to definitively reach an answer. Here's the scenario: we collected an iPhone device backup using Elcomsoft PB last fall, then parsed it with PA 7.36. PA reported several conversations where all or most of the messages were deleted. For these messages we could see some metadata (participants and timestamps) but no body text. In the Chats tab in PA these messages are marked as deleted. Jump to the present and we loaded the same extraction into PA 7.45 for some additional examination. Now all of these messages are located in the Instant Messages -> Native Messages tab, and are not marked as deleted. They're also all marked unread. When viewing the messages in the sms.db there's no body text. Anyone know if there's a good answer as to whether these are actually deleted? Or could it be something to do with a sync setting or issue between the phone and iCloud since this data came from a backup? Or perhaps there's a way to verify deletion for sure by manually examining the db for a deletion flag, if such a thing still exists? iOS is 13.6.1. Thanks so much.
Avatar
Does anyone have any theories or knowledge as to why an iPhone would be disabled for 90 minutes after an unexplained (not user initiated) reboot that does NOT involve failed passcode attempts? Unified logs do not show any evidence of failed passcode entries. Trying to think of other reasons as to why/how an iPhone could become disabled..... thanks
Avatar
Avatar
Luci
and being non-US based a warrant return seems problematic in most cases
I feel that pain. We had same issue in Canada LE.
😩 1
Avatar
Hi, I have a Samsung J6 mobile phone. It is unlocked and the OEM unlock option is on, but when connecting the phone for file system, the allow option is not showing on the mobile... any suggestions please?
Avatar
@boyonnets which model exactly? Because J6 (as J600F) and J6+ are different phones, one being Exynos and the other Qualcomm based. They're both FDE, so physical extraction is the best you could get.
1:09 AM
The Qualcomm one may not be supported if on Android 10, but I'm not 100% sure.
👍 1
Avatar
@Cellebrite Anyone available? Query regarding PA decoding. Thanks in advance!
Avatar
Anyone had an experience with a CLB Checkm8 whereby PA has not decoded the actual files from DCIM, however, has decoded the Thumbnail versions and path for those images? The images are obviously within the Gallery app too. (edited)
Avatar
We've just posted a blog which continues detailing the client-side storage used by Chrome (and applications based on it, whether they're browsers or Electron apps, etc.) - this time looking at Local Storage and Session Storage: https://www.cclsolutionsgroup.com/post/chromium-session-storage-and-local-storage
Previously, Principal Analyst Alex Caithness shed some light on IndexedDB on Chrome- one of the methods that websites and web apps can use to store data on a user’s device. In this new post - with accompanying free open-source scripts - he tackles the data structures behind a further two mechanisms that websites can use to persist information: S...
👏 3
3:39 AM
We've also just updated our Python library to support these formats, and there are scripts in there for dumping the (LevelDB) data to SQLite: https://github.com/cclgroupltd/ccl_chrome_indexeddb/
(Sometimes partial) Python re-implementations of the technologies involved in reading IndexedDB data in Chrome-esque applications. - cclgroupltd/ccl_chrome_indexeddb
💯 3
👏 1
Avatar
Anyone got a lovely definition of data_mirror? So far seems linked to Android 11
Avatar
Avatar
Rob
Anyone got a lovely definition of data_mirror? So far seems linked to Android 11
Avatar
Cheers, is there like an officer friendly version of that @CLB-drorimon
5:19 AM
In my case there's \data_mirror\ and \data\data and data\user
5:20 AM
With duplicates spread across the 3
Avatar
Yes, for me it's a big problem too. I always get duplicated or tripled data. Extraction takes 4-5 hours (the same in Oxygen takes just 50 minutes) and the extracted file is 3 times bigger than it should be. Importing it to PA sometimes takes a few more hours. So I need to spend the whole day on one extraction. I hope @Cellebrite will fix it soon because it's very annoying. (edited)
Avatar
Avatar
Angst
Yes, for me it's a big problem too. I always get duplicated or tripled data. Extraction takes 4-5 hours (the same in Oxygen takes just 50 minutes) and the extracted file is 3 times bigger than it should be. Importing it to PA sometimes takes a few more hours. So I need to spend the whole day on one extraction. I hope @Cellebrite will fix it soon because it's very annoying. (edited)
We are on it
👍 1
Avatar
@CLB_TarinW I also found some problems with PA 7.45.1 beta and export to Reader. When I open the Reader, the device information section is empty, and there's also no info about the extraction dates, etc. I know it's beta, but I think you should know about this issue 🙂 (edited)
Avatar
Is it possible to combine two @Cellebrite Session .PAS files? They were both generated from the same Reader version and UFDR file just two different dates.
Avatar
Mistercatapulte 6/24/2021 7:58 AM
New PA (7.46) released guys!
cellebrite 2
Avatar
Russell Abel - Bastrop County SO 6/24/2021 9:47 AM
I have a Motorola Moto G Stylus (2021). I got a Qualcomm Live File System extraction. I'm trying to find out when it was last reset, but I'm having issues. I searched Memory Images - File Dump for wipe_data and found a few files. I believe that the one of interest is /data/vendor/dontpanic/BL_logs. There are 2 occurrences of wipe_data.... [ 1730] recovery --wipe_data --reason=MasterClearConfirm,2021-06-17T10:36:56Z --locale=en-US and.... [ 1738] recovery --wipe_data --reason=MasterClearConfirm,2021-06-17T11:19:19Z --locale=en-US
9:47 AM
Can someone help me interpret this?
9:48 AM
Here is the BL_Logs file if that will help....
Avatar
Avatar
goalguy
Is it possible to combine two @Cellebrite Session .PAS files? They were both generated from the same Reader version and UFDR file just two different dates.
Anybody have any ideas on how I can combine these two @Cellebrite session files?
Avatar
I don’t think you can :/
Avatar
Avatar
CLB-Paul
I don’t think you can :/
I was afraid of that answer 😢
Avatar
We've got a much better and needed fix for this issue in the near future
11:41 AM
I'm still sworn to secrecy though 🤐
Avatar
So no chance at a beta?
Avatar
Not yet.
Avatar
Avatar
CLB-Paul
I'm still sworn to secrecy though 🤐
Saw that mega support, does it pull conversations? 👀
Avatar
Unrelated to that
Avatar
Avatar
AmNe5iA
used /cat
Avatar
Oops sorry. I can't/don't know how to delete!
Avatar
Avatar
CLB-Paul
Unrelated to that
Should have rephrased the question. Saw you've now got MEGA extraction support. Does it acquire the chat conversations in addition to everything else, i.e. public links etc.?
Avatar
Oh, not sure, haven't tried the extraction myself.
Avatar
Effectively not aware currently of any other tool that supports conversation extraction.
2:39 PM
Only know of Axiom that supports everything but conversations currently
Avatar
Avatar
Rob
Should have rephrased the question. Saw you've now got MEGA extraction support. Does it acquire the chat conversations in addition to everything else, i.e. public links etc.?
Does UFED Cloud / AXIOM Cloud - Get session history (device ID and IP) and recovery keys from a MEGA DL ?
Avatar
Avatar
Dfdan
Does UFED Cloud / AXIOM Cloud - Get session history (device ID and IP) and recovery keys from a MEGA DL ?
No, but I know a way to get that easily.
3:27 AM
Just email Mega themselves, you'll get a reply within 15 minutes or so with a json file full of data
3:27 AM
Including creation date of the acc, session history and IPs
Avatar
Web browser login gets you all that info as well.
Avatar
I'll dm you the details if you want.
3:28 AM
Yes it does
3:28 AM
The json gives an advanced view of the account that the web login doesn't.
3:28 AM
You'll see previously shared files etc.
Avatar
I'm good for info on MEGA, just wondered about support on software tools. Thanks for the tips
👍 1
Avatar
So far, all I've encountered is Axiom/UFED having support for Mega
3:30 AM
Axiom I've found to be sketchy when it comes to fully downloading everything so will see with ufed
Avatar
Avatar
lonely_cash
Hi All, I know some folks have encountered this and have discussed in the past, but I'm wondering if anyone has been able to definitively reach an answer. Here's the scenario: we collected an iPhone device backup using Elcomsoft PB last fall, then parsed it with PA 7.36. PA reported several conversations where all or most of the messages were deleted. For these messages we could see some metadata (participants and timestamps) but no body text. In the Chats tab in PA these messages are marked as deleted. Jump to the present and we loaded the same extraction into PA 7.45 for some additional examination. Now all of these messages are located in the Instant Messages -> Native Messages tab, and are not marked as deleted. They're also all marked unread. When viewing the messages in the sms.db there's no body text. Anyone know if there's a good answer as to whether these are actually deleted? Or could it be something to do with a sync setting or issue between the phone and iCloud since this data came from a backup? Or perhaps there's a way to verify deletion for sure by manually examining the db for a deletion flag, if such a thing still exists? iOS is 13.6.1. Thanks so much.
Sounds like a job for a database...Or turn the phone on.
Avatar
Deleted User 6/25/2021 5:26 AM
@Cellebrite, there is a problem with the new reply display for WhatsApp on 7.46.0.64. To see the message we need to scroll on every reply message.. Not very usable. (edited)
Avatar
Avatar
Deleted User
@Cellebrite, there is a problem with the new reply display for WhatsApp on 7.46.0.64. To see the message we need to scroll on every reply message.. Not very usable. (edited)
mg_cellebrite 6/25/2021 5:29 AM
Hi. Thanks for the feedback. I will take it.
👍 1
Avatar
Avatar
Deleted User
@Cellebrite, there is a problem with the new reply display for WhatsApp on 7.46.0.64. To see the message we need to scroll on every reply message.. Not very usable. (edited)
That's not a bug, it's a feature, a scrolling feature! 😆
😆 2
Avatar
Avatar
AmNe5iA
That's not a bug, it's a feature, a scrolling feature! 😆
Deleted User 6/25/2021 5:35 AM
Problem is: with this HUGE amount of WhatsApp data we have to read and analyse, I really can't take time to play with this little cute scrollbar 🤪
Avatar
Avatar
Deleted User
Problem is: with this HUGE amount of WhatsApp data we have to read and analyse, I really can't take time to play with this little cute scrollbar 🤪
Use keyword terms to reduce what you need to view, but I do agree it seems a little annoying to use 😂
Avatar
Avatar
Rob
Use keyword terms to reduce what you need to view, but I do agree it seems a little annoying to use 😂
Deleted User 6/25/2021 6:18 AM
Yes we are working on that 😉
👍 1
Avatar
In the Oxygen Import Wizard I miss the opportunity to import multiple extractions of a device at once. For example, I want to import a physical extraction of a phone together with the SD and SIM card. I cannot imagine this is not possible, what am I doing wrong on this Monday morning? 😔 @Oxygen Forensics
Avatar
Avatar
Erikk007
In the Oxygen Import Wizard I miss the opportunity to import multiple extractions of a device at once. For example, I want to import a physical extraction of a phone together with the SD and SIM card. I cannot imagine this is not possible, what am I doing wrong on this Monday morning? 😔 @Oxygen Forensics
Oxygen Forensics 6/28/2021 12:59 AM
Hello! You definitely can run multiple extractions at once. Sometimes, you will need to plug in the devices you want to extract after you started another extraction, so that they won't conflict with each other.
1:00 AM
But the extraction processes themselves can run in parallel, same for imports (edited)
Avatar
Avatar
Oxygen Forensics
Hello! You definitely can run multiple extractions at once. Sometimes, you will need to plug in the devices you want to extract after you started another extraction, so that they won't conflict with each other.
Sorry, maybe my question was not clear. I was not talking about extracting the data from a device itself. I have already extracted the data from the phone with another tool. I want to import the image of the phone together with the bin file of the SD card. If I run the Oxygen import wizard I can only select 1 source file; with other tools like PA or Axiom you can select multiple source files at once that belong together (phone, SD, SIM etc.) and then start the import process.
Avatar
Avatar
Erikk007
Sorry, maybe my question was not clear. I was not talking about extracting the data from a device itself. I have already extracted the data from the phone with another tool. I want to import the image of the phone together with the bin file of the SD card. If I run the Oxygen import wizard I can only select 1 source file; with other tools like PA or Axiom you can select multiple source files at once that belong together (phone, SD, SIM etc.) and then start the import process.
Oxygen Forensics 6/28/2021 2:00 AM
Currently when you are importing you have to start one and then start the other import, then they can go in parallel. Hopefully, it won't be the case for long. We understand the need you expressed.
👍 1
Avatar
@Oxygen Forensics I think it's about the possibility of merging two different extractions into one. I suggested this feature 2 months ago to support. (edited)
Avatar
Avatar
Angst
@Oxygen Forensics I think it's about the possibility of merging two different extractions into one. I suggested this feature 2 months ago to support. (edited)
Oxygen Forensics 6/28/2021 5:01 AM
We always appreciate a good suggestion. That feature is coming
👍 6
Avatar
@Cellebrite can you explain to me what this is, or a way to bypass it?
Avatar
Avatar
RS
@Cellebrite can you explain to me what this is, or a way to bypass it?
Are you using app genie?
7:43 AM
just loading the extraction
7:43 AM
FFS ios 14.4
7:43 AM
chkm8
Avatar
Looks like it's still working, it's just not going to parse Telegram chats.
7:45 AM
Did it finish loading?
Avatar
I think it will be fine. Might want to report the error to them though. Check for the telegram database after it finishes and see if there is anything in there. It may be empty. An out of range error means that it's trying to move to an entry that's not there. I'll bet it's an empty database, but I'm not positive
7:47 AM
Enumerate* is probably a better word to use
7:49 AM
have other errors but waiting to finish to email them
Avatar
Quick question for @Hancomm. I have an FFS file from a Samsung SM-A405F. I want to open it in MD RED, but if I add the ufd or zip file nothing happens? Any suggestions?
Avatar
Avatar
RS
Thanks
How did it turn out ?
Avatar
Avatar
Neon
How did it turn out ?
It parsed messages even with the error
Avatar
Avatar
RS
It parsed messages even with the error
Awesome. Glad to hear.
Avatar
chrisforensic 6/29/2021 12:15 AM
@skipper I'm not from HanCom, but here is a little "walkthrough": 1) decompress the .zip of the FFS generated from UFED4PC, e.g. "Samsung GSM_SM-A202F_DS Galaxy A20e.zip" 2) browse into folder "Dump" and into folder "data", mark all files in folder "data" and compress them as .zip, but with compression level "store", because RED does not recognize a really "zipped/compressed" file from UFED (edited)
3) make new case in RED, import this "data.zip" 4) RED loads the filestructure 5) then click analyze and everything is fine 😉
🥰 1
👍 1
Avatar
Avatar
chrisforensic
@skipper I'm not from HanCom, but here is a little "walkthrough": 1) decompress the .zip of the FFS generated from UFED4PC, e.g. "Samsung GSM_SM-A202F_DS Galaxy A20e.zip" 2) browse into folder "Dump" and into folder "data", mark all files in folder "data" and compress them as .zip, but with compression level "store", because RED does not recognize a really "zipped/compressed" file from UFED (edited)
Hi. Thx for the help. Very useful instructions. Everything works great 🙂
👍 2
Avatar
Avatar
chrisforensic
@skipper I'm not from HanCom, but here is a little "walkthrough": 1) decompress the .zip of the FFS generated from UFED4PC, e.g. "Samsung GSM_SM-A202F_DS Galaxy A20e.zip" 2) browse into folder "Dump" and into folder "data", mark all files in folder "data" and compress them as .zip, but with compression level "store", because RED does not recognize a really "zipped/compressed" file from UFED (edited)
Deleted User 6/29/2021 4:03 AM
Thanks for your kind sharing of know-how. 👍
Avatar
Avatar
Deleted User
Thanks for your kind sharing of know-how. 👍
chrisforensic 6/29/2021 4:27 AM
no problem 😉 we are here to help each other 💯
Avatar
I have a question that I believe I know the answer to, but want to be sure. I have a @Cellebrite Android File System and Advanced Logical where some pictures of importance were found in the following location: sdcard/Android/data/com.android.gallery3d/cache/imgcache_screen.0/imgcache_screen.0_embedded_146.jpg Is it safe to say that is the screen cache for the Image Gallery, and those photos were viewed in the Gallery application resulting in them being cached?
Avatar
I have an extraction open in PA and I can't figure out why my generate report button is grayed out. I assume that something is still processing in the background, but there is no progress bar, and the trace window hasn't changed in about 4 hours. Anyone have any thoughts?
Avatar
mond4y_morNin6 6/29/2021 11:29 AM
Concerning the recent research on iOS wipe artifact detection by @heatherDFIR and Ian here: https://dfir.pubpub.org/pub/6i7d593n/release/1
11:32 AM
Does anyone know what it would mean if the GuessedCountry in the purplebuddy.plist is showing a different date than that of the creation dates for the AddressBook.sqlitedb and CallHistory.storedata? This is an Advanced Logical Extraction and the purplebuddy.plist is showing SetupUsingAssistant.
Avatar
MrMacca (Allan Mc) 6/29/2021 3:38 PM
@mond4y_morNin6 I clicked the link and got a warning from MalwareBytes regarding a trojan. Just a heads up. Probably a false positive.
Avatar
Andrew Rathbun 6/29/2021 8:44 PM
@Hancom is here
👍 2
Avatar
Avatar
Andrew Rathbun
@Hancom is here
Deleted User 6/29/2021 9:42 PM
Yes, we are here. Any help from us, please let us know.
Salute 4
Avatar
Has anyone had an incident where a photo is inaccessible but has the file path dcim /camera? It’s an Android phone and the file name is there in “My Files” but it cannot be viewed and comes up with the message “unable to find application to perform this action”. Thanks!
Avatar
Avatar
wcso_pete
I have an extraction open in PA and I can't figure out why my generate report button is grayed out. I assume that something is still processing in the background, but there is no progress bar, and the trace window hasn't changed in about 4 hours. Anyone have any thoughts?
To update the issue I'm having in PA, this morning I reloaded the extraction and have been manually selecting the data carving tools one at a time. Looks like the issue is with the location carving. It shows location carving started/finished in a 40 min timeframe. It then says "11:36:26 AM PP: Starting last stage for project: [project number] (109244 items)" and never gets past this point. Any thoughts @Cellebrite?
Avatar
Avatar
RS
@Cellebrite can you explain me what this it or a way to bypass it ?
mg_cellebrite 6/30/2021 9:32 AM
Can you open a support ticket? If it's super urgent, DM me
Avatar
Avatar
wcso_pete
To update the issue I'm having in PA, this morning I reloaded the extraction and have been manually selecting the data carving tools one at a time. Looks like the issue is with the location carving. It shows location carving started/finished in a 40 min timeframe. It then says "11:36:26 AM PP: Starting last stage for project: [project number] (109244 items)" and never gets past this point. Any thoughts @Cellebrite?
mg_cellebrite 6/30/2021 9:37 AM
Sounds like it hung on finalizing the main decoding stage (PP last stage). Does this happen only when the location carver is enabled? Without it, does the decoding stage finish completely? How long did it hang in the last stage before you killed it?
Avatar
I've got a question on using a keychain value to decrypt snapchat in Axiom. This is my first time trying this procedure (https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey) Axiom was not able to parse the value, so I am doing it manually:
9:43 AM
9:43 AM
That's the value I pulled from the keychain.plist file
9:44 AM
Then the guide says to convert the Base64 value to hex, which I can do, but then I am supposed to remove the algorithm identifier to get the valid encryption key, which I do not know.
9:45 AM
How do I proceed?
Avatar
Avatar
mg_cellebrite
Sounds like it hung on finalizing the main decoding stage (PP last stage). Does this happen only when the location carver is enabled? Without it, does the decoding stage finish completely? How long did it hang in the last stage before you killed it?
Everything had completed properly before I started location carving. When I ran it yesterday I started it first thing in the morning and it ran overnight. I finally killed it and started over this morning.
Avatar
@Cole I'd suggest decoding the keychain in Axiom first, then loading the iOS extraction.
Avatar
Avatar
florus
@Cole I'd suggest decoding the keychain in Axiom first, then loading the iOS extraction.
Yeah, I did that. Axiom spits out this as the value, which isn't correct unless it's buried: {"$version":100000,"$archiver":"NSKeyedArchiver","$top":{"root":{"CF$UID":1}},"$objects":["$null",{"$class":{"CF$UID":7},"keyTag":{"CF$UID":3},"masterKey":{"CF$UID":4},"userId":{"CF$UID":2},"passphrase":{"CF$UID":6},"initializationVector":{"CF$UID":5}},"d692a598-d81c-48ec-8230-e3cce6ed97d4","92lqRgmAl0HLOA6N","Rh7b4sKeb3dHgw/Xf8nisrWJfKsT1FnfEp5gNunycpY=","wWCU9YuasLUq0vqARlmxOw==","6D/agbBTbRZcAAmTkspsMLvt4d0JMZc4sSS5obAzU98=",{"$classname":"SCKeyServicePersistedKey","$classes":["SCKeyServicePersistedKey","NSObject"]}]} (edited)
Avatar
Use every bit of that @Cole. Seems mad, but that's what Snapchat uses. (edited)
Avatar
Seriously?
Avatar
Yep. I'm quite positive.
Avatar
My goodness, ok, I'll give it a shot. Any idea why my manual value is so different?
Avatar
I have been where you have been, trust me
11:52 AM
@Cole No idea. Might have changed over time. Let us know if it worked.
Avatar
What data will I see if it works?
Avatar
@Cole snapchat memories or eyes only. My guess is eyes only. (edited)
Avatar
Yeah, there was a different key for memories that looked like a key. This one is "my eyes only". I'll update with results.
Avatar
Mr. Eddie Vedder from Accounting 7/1/2021 4:51 AM
Can anyone tell me the plist on iOS that contains the size of physical storage. I saw it mentioned either here or Iacis recently but my Google-fu is failing me this morning.
Avatar
Mr. Eddie Vedder from Accounting 7/1/2021 5:14 AM
Nvm, I found the screenshot I took from here with the location: /var/mobile/Library/preferences/com.Apple.atc.plist. The information doesn’t appear on this device running 14.4.2 but appears on my test device running 14.3
Avatar
@Cellebrite We acquired a Samsung S9, the Signal app was not decoded so we used the Chat capture feature to make copies of the chats. Unfortunately for some reason the timestamps of the messages in the screenshots are missing as they are all set to 'Now'. Any idea what could be the cause of this and how to fix? Thank you all in advance.
Avatar
Has anyone had any luck with getting into the Gallery Vault App for Android?
Avatar
Avatar
CCC
Has anyone had any luck with getting into the Gallery Vault App for Android?
@Aero maybe 😂
👍 1
Avatar
Cleared that right up!
Avatar
Lemme check one sec
Avatar
Avatar
Erikk007
@Cellebrite We acquired a Samsung S9, the Signal app was not decoded so we used the Chat capture feature to make copies of the chats. Unfortunately for some reason the timestamps of the messages in the screenshots are missing as they are all set to 'Now'. Any idea what could be the cause of this and how to fix? Thank you all in advance.
CLB_TarinW 7/1/2021 5:53 AM
DMing
👍 1
Avatar
@CCC Any idea what version? I have a script for it (PIN + media decryption) but not used it in months. I can DM you for more info if you want 😁
Avatar
Please - I don't have the version to hand, but sounds worth a go.
Avatar
Avatar
Mr. Eddie Vedder from Accounting
Nvm, I found the screenshot I took from here with the location: /var/mobile/Library/preferences/com.Apple.atc.plist. The information doesn’t appear on this device running 14.4.2 but appears on my test device running 14.3
I've noticed this too, sometimes the info is there and other times it isn't ... haven't figured it out yet
Avatar
@Aero To the rescue with another encrypted app 😉
🤞 1
Avatar
Avatar
Cole
Yeah, there was a different key for memories that looked like a key. This one is "my eyes only". I'll update with results.
@florus Looks like the memories key worked, but I cannot determine if the My Eyes Only key worked. There is nothing suggesting that there is still encrypted data.
Avatar
@Cole are there any entries in the db referring to my eyes only?
Avatar
Hi, has anyone decrypted Signal on Samsung? I have an FFS of an A305F, but after searching I failed to get the method on the "https://rado0z.github.io/Decrypt_Android_Database" page to work. I can't find "" app-id "_USERKEY_SignalSecret". Any help? (edited)
Avatar
@rico you will need the signal-key from a memory dump.
👍 1
Avatar
@Oxygen Forensics Should I be able to load crypt14 backup files from Whatsapp directly into Oxygen with the key or do i have to analyze the image where I got them from?
Avatar
Oxygen Forensics 7/2/2021 2:43 AM
Both methods work. In an analyzed image you will get a button to decrypt. And you can just decrypt directly with the Cloud Extractor feature (not with the key file). @Sockmoth (edited)
👍 1
Avatar
Avatar
Oxygen Forensics
Both methods work. In an analyzed image you will get a button to decrypt. And you can just decrypt directly with the Cloud Extractor feature (not with the key file). @Sockmoth (edited)
I noticed that the key file only works on the current DB and can't be used to decrypt the backup files. 😕
Avatar
Avatar
Sockmoth
I noticed that the key file only works on the current DB and can't be used to decrypt the backup files. 😕
I had the same problem a few days ago.
Avatar
Hi all. I have a question about Telegram chats from a full FS acquisition of an iPhone. The parsing has been done with @Cellebrite Physical Analyzer and I have a "conversation" with illicit material. My doubt is that the "conversation" has only one member (the phone owner), so who are the other parties? All messages are attributed to the owner; how can I explain this?
5:18 AM
Most of the messages look like this:
5:22 AM
or like this:
5:23 AM
and if you use the scroll bar on the right you reveal the link of an attachment (usually a video or a picture), like this: (edited)
5:23 AM
Can anyone shed some light?
Avatar
Chris Myers 7/2/2021 6:29 AM
I have a ProjectVIC question for @Cellebrite and @Magnet Forensics, as well as anyone else who may know....I got a full filesystem GrayKey extraction from an iPhone X. I parsed it with Physical Analyzer and with Axiom, running it against the exact same ProjectVIC DB in each program. Axiom presented me with more "Category 1" hits than Physical Analyzer. At first I thought this may be due to duplication, as Axiom showed multiple occurrences of files with the same hash. However, even after I accounted for duplicate files, Axiom still showed more Cat 1 hits. My primary reason for running the extraction through both programs was to validate my findings, which now has become interesting as one tool gives me one number, another gives me a second number...is this merely due to the way Physical Analyzer and Axiom each have their own ways of parsing GrayKey extractions? (edited)
Avatar
Check the parsing settings. If deep carving is enabled.
Avatar
Avatar
Chris Myers
I have a ProjectVIC question for @Cellebrite and @Magnet Forensics, as well as anyone else who may know....I got a full filesystem GrayKey extraction from an iPhone X. I parsed it with Physical Analyzer and with Axiom, running it against the exact same ProjectVIC DB in each program. Axiom presented me with more "Category 1" hits than Physical Analyzer. At first I thought this may be due to duplication, as Axiom showed multiple occurrences of files with the same hash. However, even after I accounted for duplicate files, Axiom still showed more Cat 1 hits. My primary reason for running the extraction through both programs was to validate my findings, which now has become interesting as one tool gives me one number, another gives me a second number...is this merely due to the way Physical Analyzer and Axiom each have their own ways of parsing GrayKey extractions? (edited)
Maybe you have more decoded apps in Axiom
Avatar
Chris Myers 7/2/2021 6:31 AM
@CLB-Paul Just enabled deep carving and will re-run in PA...
Avatar
Avatar
FabianoQ
Hi all. I have a question about Telegram chats from a full FS acquisition of an iPhone. The parsing has been done with @Cellebrite Physical Analyzer and I have a "conversation" with illicit material. My doubt is that the "conversation" has only one member (the phone owner), so who are the other parties? All messages are attributed to the owner; how can I explain this?
Did you try to decode the extraction with other software just to be sure it's not a parsing problem? Or maybe parse the database manually.
Avatar
Decoding apps shouldn’t make a difference as the files exist in the FS. If the pictures are embedded within a DB or other compressed files, it could be that.
Avatar
Mr. Eddie Vedder from Accounting 7/2/2021 9:06 AM
Anyone done any testing with "photo-picker" within iOS. Have lots of contraband only in this location.
Avatar
Avatar
Chris Myers
I have a ProjectVIC question for @Cellebrite and @Magnet Forensics, as well as anyone else who may know....I got a full filesystem GrayKey extraction from an iPhone X. I parsed it with Physical Analyzer and with Axiom, running it against the exact same ProjectVIC DB in each program. Axiom presented me with more "Category 1" hits than Physical Analyzer. At first I thought this may be due to duplication, as Axiom showed multiple occurrences of files with the same hash. However, even after I accounted for duplicate files, Axiom still showed more Cat 1 hits. My primary reason for running the extraction through both programs was to validate my findings, which now has become interesting as one tool gives me one number, another gives me a second number...is this merely due to the way Physical Analyzer and Axiom each have their own ways of parsing GrayKey extractions? (edited)
mg_cellebrite 7/3/2021 12:45 AM
As @CLB-Paul stated, there shouldn't be any difference related to app parsing; it can be related to either duplications/embedded files/carving. 1. A good approach is to locate a single differing file and understand the source of it. 2. Apply the full operation in both tools - run image carving and generic carving in PA, for example.
Avatar
@Cellebrite Hi I have a question re location data - quite an urgent one considering the court is at the end of this month. Please DM 🙂
👍 1
Avatar
@MSAB Is it possible to get some help regarding a samsung extraction done in XRY? Please DM me if so, thanks 🙂
Avatar
MSAB_Sofia 7/5/2021 1:11 AM
@Rob I'll send a DM.
👍 1
Avatar
Anyone know if there's a quick way to add custom file signatures into PA or do you literally have to manually enter them all?
Avatar
Avatar
p0tt541
Anyone know if there's a quick way to add custom file signatures into PA or do you literally have to manually enter them all?
I know you can import hash lists. Maybe put all of the custom signatures into a single file and import the file?
Avatar
DeeFIR 🇦🇺 7/6/2021 2:07 AM
Is it only possible to decrypt Signal on Android 9 with Cellebrite CAS and not PA? Edit: with an FFS extract. (edited)
Avatar
Avatar
DeeFIR 🇦🇺
Is it only possible to decrypt Signal on Android 9 with Cellebrite CAS and not PA? Edit: with an FFS extract. (edited)
It's to do with access to the keystore, as far as I believe, which is something UFED4PC doesn't gain access to.
Avatar
Avatar
DeeFIR 🇦🇺
Is it only possible to decrypt Signal on Android 9 with Cellebrite CAS and not PA? Edit: with an FFS extract. (edited)
If you have a Samsung phone you can do a RAM dump and get the decryption key https://www.cellebrite.com/en/decrypting-databases-using-ram-dump-health-data/
Collecting memory from Samsung devices to decrypt Samsung Health DB’s can uncover critical data for investigators Samsung Health is a wellness application that helps users track their physical activities. As one might expect, the application stores a lot of interesting location data that interests the forensics community and specifically law enf...
4:16 AM
@Cellebrite Would be a great addition if we could add the database key when opening an Android extraction with Signal to use your parsing ability 🙂 Same for every other tool maker of course.
❤️ 2
Avatar
Avatar
Oscar
@Cellebrite Would be a great addition if we could add the database key when opening an Android extraction with Signal to use your parsing ability 🙂 Same for every other tool maker of course.
mg_cellebrite 7/6/2021 7:05 AM
Thx @Oscar , very valuable, we are considering it in the near future
👍 1
Oscar
If you have a Samsung phone you can do a RAM dump and get the decryption key https://www.cellebrite.com/en/decrypting-databases-using-ram-dump-health-data/
Recently I tried this method but without success (the python could not see the phone)
rico
Recently I tried this method but without success (the python could not see the phone)
I had some problems with that at first, but it worked after I downloaded libusb from the link to bkerler's GitHub and followed Cellebrite's instructions exactly on how to boot the phone to upload mode. Everything worked much smoother on Linux than Windows, so you can always try that if you haven't 🙂
@Cellebrite or anyone for that matter. Can anyone offer insight to ‘Exclu Messenger’ not seen or heard of this before
Mike_G1BCP
@Cellebrite or anyone for that matter. Can anyone offer insight to ‘Exclu Messenger’ not seen or heard of this before
CLB-dan.techcrime 7/7/2021 12:55 AM
Looks like yet another encrypted PGP messaging platform... if it is any good, the encryption key(s) will be hosted on the server and not the vulnerable endpoint (the phone you have seized)
Mike_G1BCP
@Cellebrite or anyone for that matter. Can anyone offer insight to ‘Exclu Messenger’ not seen or heard of this before
CLB-dan.techcrime 7/7/2021 12:57 AM
Lots of grammar and spelling mistakes on their website
luckily for us it's "militairy" grade encryption and not military grade encryption
😂 7
😋 1
@Cellebrite I'm having an issue decoding a Graykey extraction, keeps getting stuck when parsing telegram, any ideas?
CLB - DavidK 7/7/2021 2:59 AM
Hi @alexxxx
2:59 AM
Can you please share the logs with me via DM?
CLB - DavidK
Can you please share the logs with me via DM?
Hi! Sure thing, just generating them.
DeeFIR 🇦🇺
Is it only possible to decrypt Signal on Android 9 with Cellebrite CAS and not PA? Edit: with an FFS extract. (edited)
If you are able to unlock the device, you can check if Signal backup is enabled. If not enabled, you can create a local backup, get the passphrase and decode the backup with Axiom or https://github.com/bepaald/signalbackup-tools. In addition, it would be great if @Cellebrite could create a decoder for these offline backups. (edited)
Tool to work with Signal Backup files. Contribute to bepaald/signalbackup-tools development by creating an account on GitHub.
@Cellebrite Is there a debug option when launching Reader? I have a computer that it is crashing on and I'm trying to figure out what is going on.
alexxxx
@Cellebrite I'm having an issue decoding a Graykey extraction, keeps getting stuck when parsing telegram, any ideas?
I have the same today
Cole
@florus Looks like the memories key worked, but I cannot determine if the My Eyes Only key worked. There is nothing suggesting that there is still encrypted data.
Any success with my eyes only?
wcso_pete
@Cellebrite Is there a debug option when launching Reader? I have a computer that it is crashing on and I'm trying to figure out what is going on.
CLB-drorimon 7/8/2021 1:25 AM
Does it also crash PA? Could you check PA's logs?
Deleted User 7/8/2021 2:34 AM
Hello everyone. I just chipped off a BlackBerry Classic with BB OS 10.3.3.1435. What is the best way to parse the data? PA doesn't seem to parse the web browser and XAMN doesn't decode binary on that model.
Hi, I've extracted an Android BUNDY ELITE 57 with XRY 9.4.2 using the Android generic profile. Everything goes fine with the extraction, but I have a question about the TELEGRAM app. In fact, I have some interesting pictures stored in the default location (/storage/emulated/0/Telegram/Telegram Images/) and others in /storage/emulated/0/Android/data/org.telegram.messenger/cache/. Some of the pictures stored in this second folder are associated with chat messages and others aren't. What does this second case mean (associated with no chat)? A deleted message? Thanks for your help.
CLB-drorimon
Does it also crash PA? Could you check PA's logs?
No it does not, but I was able to figure it out. The user's .net was out of date. I could open older reports, but once I started trying ones that included 7.45 and up I couldn't get anything to open anymore.
dushe
Any success with my eyes only?
I don't know. I tried looking for the database that would contain information showing My Eyes Only was in use, but I could not find it. It also wasn't super pertinent to the case, so I stopped looking for it after awhile.
Anyone had issues carving E01 files in PA? They are taking a drastically larger amount of time compared to the bin file.
@Cellebrite I want to merge a couple of manually decrypted WhatsApp crypt14 backups with a UFED extraction. Is this something that would work out of the box or do I have to run a script or something? UFED is the preferred tool here because my colleagues are familiar with the software. But I can also use other tools if needed, so tips are appreciated.
King Pepsi 7/9/2021 3:24 AM
Got a Samsung g390f that has factory reset. I don’t have the phone available to me but I had the extraction- is there anywhere i should be looking to see how it had been reset? Thanks!
King Pepsi
Got a Samsung g390f that has factory reset. I don’t have the phone available to me but I had the extraction- is there anywhere i should be looking to see how it had been reset? Thanks!
King Pepsi 7/9/2021 3:44 AM
Sorry- it is a g965f. I can see that android.autoinstalls.config.Samsung is present on the date it’s apparently been reset- is that a good indicator?
Data Recovery 7/9/2021 10:22 PM
iPhone full file system + keychain extraction: which software is best?
chrisforensic 7/9/2021 11:36 PM
@Data Recovery I would say there is no "best" tool to do it.... BUT I prefer Oxygen Forensic Detective.... 4PC sometimes has troubles with iOS 14.6
chrisforensic
@Data Recovery I would say there is no "best" tool to do it.... BUT I prefer Oxygen Forensic Detective.... 4PC sometimes has troubles with iOS 14.6
Data Recovery 7/9/2021 11:42 PM
iPhone screen password forgotten, need the data; is it possible with any tools? (edited)
11:45 PM
@chrisforensic I see some people doing iPhone data recovery without the password
11:48 PM
@chrisforensic Is an iPhone full file system extraction without the password possible with Oxygen? I am not sure
11:49 PM
@chrisforensic you're right, Oxygen is good
@Data Recovery Which iPhone model do you have?
Data Recovery 7/10/2021 6:12 AM
Normally iPhone 6, iPhone 8, etc. (edited)
Data Recovery
Normally iPhone 6, iPhone 8, etc. (edited)
For iPhone 6 you can try to use Passware Kit Mobile https://www.passware.com/kit-mobile/
Forensic tool that provides access to locked mobile devices and data.
6:14 AM
For iPhone 8 I think only Cellebrite Premium or GrayKey for now
Angst
For iPhone 6 you can try to use Passware Kit Mobile https://www.passware.com/kit-mobile/
Data Recovery 7/10/2021 6:14 AM
its working
Angst
For iPhone 6 you can try to use Passware Kit Mobile https://www.passware.com/kit-mobile/
Data Recovery 7/10/2021 6:14 AM
i am not sure
6:15 AM
@Angst it's working, I am buying
It's quite a new tool so I didn't use it yet, but some users reported it works.
Angst
It's quite a new tool so I didn't use it yet, but some users reported it works.
Data Recovery 7/10/2021 6:20 AM
thx bro, helpful
@Data Recovery Sorry, I checked and found you can extract the FFS with Passware Kit Mobile. So you don't need any extra tools
Angst
@Data Recovery Sorry, I checked and found you can extract the FFS with Passware Kit Mobile. So you don't need any extra tools
Data Recovery 7/10/2021 6:29 AM
so Passware Kit Mobile working
6:29 AM
@Angst one more thx, I will buy
6:30 AM
It should, but they say it has a 70 percent success rate
Angst
It should, but they say it has a 70 percent success rate
Data Recovery 7/10/2021 6:37 AM
understand
@Data Recovery what about Samsung mobile? Just asking
templare cristiano crociato 7/11/2021 4:17 PM
Don't know if there are any programmers here who developed the Passware product, but does it use a mechanism for backing up files under /dev/block/ in recovery mode? I am not much up to date on that, but do you know if Android still permits pulling "sensitive" data from the device to a host when it is in recovery mode? (edited)
Anyone available @Cellebrite @Oxygen Forensics? I have a problem regarding Gmail Android app parsing.
s.m.
Anyone available @Cellebrite @Oxygen Forensics? I have a problem regarding Gmail Android app parsing.
Oxygen Forensics 7/11/2021 11:35 PM
DM'd
👍 1
KR-4n6
Hi, I've extracted an Android BUNDY ELITE 57 with XRY 9.4.2 using the Android generic profile. Everything goes fine with the extraction, but I have a question about the TELEGRAM app. In fact, I have some interesting pictures stored in the default location (/storage/emulated/0/Telegram/Telegram Images/) and others in /storage/emulated/0/Android/data/org.telegram.messenger/cache/. Some of the pictures stored in this second folder are associated with chat messages and others aren't. What does this second case mean (associated with no chat)? A deleted message? Thanks for your help.
UP
Mistercatapulte 7/12/2021 1:01 AM
@MSAB
Mistercatapulte
@MSAB
oscarchoi_msab 7/12/2021 3:38 AM
How can I help you? I am Oscar, tech sales with MSAB Asia region
oscarchoi_msab
How can I help you? I am Oscar, tech sales with MSAB Asia region
Mistercatapulte 7/12/2021 3:39 AM
Not for me but @KR-4n6
Mistercatapulte
Not for me but @KR-4n6
oscarchoi_msab 7/12/2021 3:51 AM
I will DM @KR-4n6. Thank you
Anyone know when a video would be generated from the following path: /private/var/mobile/Media/PhotoData/Caches/Neutrino/xxxxxxxxxxxxxxxxx.stab.mov? All I can find about Neutrino is that it is an app to gain Instagram followers, but I have a photo and video that contain filters
Hi All. I'm looking for any last options on review for a video, or evidence a video was shot with an iOS device. I have an advanced logical UFED extraction. Is there any way to review for events relevant to system files (i.e. create or mod) specific to a date range?
Has anyone got a way of seeing when a Samsung was wiped? The recovery log isn’t giving me anything good!
MalcolmPowder 7/13/2021 2:07 AM
Do @Magnet Forensics have a suggestions box / contact form for nominating apps to be included in the artifacts it can decode? A research team contact maybe?
MalcolmPowder
Do @Magnet Forensics have a suggestions box / contact form for nominating apps to be included in the artifacts it can decode? A research team contact maybe?
Andrew Rathbun 7/13/2021 2:08 AM
https://www.magnetforensics.com/artifact-exchange/ They have an app you can use to make an artifact yourself
Upload artifacts you’ve built, help peers with cases, or download artifacts others have built.
magnetforensics 1
Andrew Rathbun
https://www.magnetforensics.com/artifact-exchange/ They have an app you can use to make an artifact yourself
MalcolmPowder 7/13/2021 2:15 AM
And so how do artifacts become permanent fixtures in Process rather than custom artifacts that need to be added manually? For example, I'm looking at the Wire app at the moment, which I would expect to be fairly widely used, but there isn't anything on the Artifact Exchange for it, and I would guess if someone worked out how to decode it then it might be useful to include within Process in the artifact list?
MalcolmPowder
And so how do artifacts become permanent fixtures in Process rather than custom artifacts that need to be added manually? For example, I'm looking at the Wire app at the moment, which I would expect to be fairly widely used, but there isn't anything on the Artifact Exchange for it, and I would guess if someone worked out how to decode it then it might be useful to include within Process in the artifact list?
Andrew Rathbun 7/13/2021 2:29 AM
Not in the mobile game anymore, but if Wire is just an unencrypted SQLite DB sitting there on a phone, it's just a matter of someone creating a query for it, basically. If it's more than that, then likely that's the reason why it's not in there.
@MalcolmPowder you can either send them through our support team (they do a great job of getting all of those things into the hands of our product management and engineering teams) or could just submit them through to me.
4:16 AM
If you’re looking for something to become natively supported I mean.
👍 1
MalcolmPowder 7/13/2021 4:33 AM
Thanks Andrew / Cody.
💯 2
👀 1
Deleted User 7/13/2021 4:53 AM
Hello everyone, for Oxygen users, how can I open all the different extractions from an OxyAgent manual extraction in the same case? I searched but I don't think I found the right button.
@Deleted User as in merging two extractions to one? (edited)
Deleted User 7/13/2021 5:44 AM
yes
@Deleted User For now you can't merge the extractions, but this feature should be added in the upcoming release
👍 1
Salute 2
@Oscar @rico
👍 1
Erdogeholic 7/13/2021 6:26 AM
Hello, I need information about how to decode content from a TamTam database. It's acquired from an Android smartphone. Does anyone have information about the structure of the BLOBs? Any documents would be nice. Thanks in advance.
👍 1
templare cristiano crociato 7/13/2021 2:56 PM
@Magnet Forensics Online I have found this link, which seems to be one of your documents; the URL seems strange (a subdomain?), is it "legit"? http://092f67184f02fcdb918c-b3d937de523d4a3d4cea730efa685a0d.r37.cf1.rackcdn.com/AXIOM%20docs/Artifact%20Reference.pdf (edited)
templare cristiano crociato
@Magnet Forensics Online I have found this link, which seems to be one of your documents; the URL seems strange (a subdomain?), is it "legit"? http://092f67184f02fcdb918c-b3d937de523d4a3d4cea730efa685a0d.r37.cf1.rackcdn.com/AXIOM%20docs/Artifact%20Reference.pdf (edited)
forensicmike @Magnet 7/13/2021 3:28 PM
CDN = Content Delivery Network, so it's completely plausible that it's legit, however I'd say finding it on our website/support portal would be the preferred way of retrieving such a doc.
forensicmike @Magnet
CDN = Content Delivery Network, so it's completely plausible that it's legit, however I'd say finding it on our website/support portal would be the preferred way of retrieving such a doc.
templare cristiano crociato 7/13/2021 3:41 PM
I was asking because of that, thanks for the reply!
Hello Team! Model: Oneplus 7t Need help to bypass its screen lock or acquire its data.
@h4ck3L you should switch to the extraction channel :)
Mistercatapulte 7/14/2021 6:45 AM
@h4ck3L only solution: CAS (maybe)
@Cellebrite a colleague of mine has a 455GB GrayKey extraction from an iPhone. He started decoding using UFED PA and it took 5 hours until it got to this stage: "Starting last stage for project"
6:56 AM
It's been stuck on that stage overnight and all morning - no progression.
6:56 AM
C Drive was found full though (unsure if it's because of the decoding or colleague has a lot of stuff hah!)
6:56 AM
Can anyone advise?
Suggested to my colleague to try and close down extraction - 259GB free on C Drive @Cellebrite
7:27 AM
Not sure what to do now?
@Pacman BTW, the progress bar in PA is terrible. You never know how much time it needs to decode. There are only 3 steps on the progress bar, and when it stops for a few hours in one of them you don't know if it has hung or is still working.
Angst
@Pacman BTW, the progress bar in PA is terrible. You never know how much time it needs to decode. There are only 3 steps on the progress bar, and when it stops for a few hours in one of them you don't know if it has hung or is still working.
Yeah, but when my colleague checked his C drive it was absolutely full to the brim - we believe this has caused PA to get stuck
7:33 AM
Though I didn't know PA requires C drive storage
Pacman
Yeah, but when my colleague checked his C drive it was absolutely full to the brim - we believe this has caused PA to get stuck
Yes, and the user doesn't get any info from PA and doesn't know if there's an error, a problem, or everything is ok. And you waste your time waiting (edited)
That's true.
7:35 AM
I'll see if anyone from Cellebrite can help 🙂
Angst
Yes, and the user doesn't get any info from PA and doesn't know if there's an error, a problem, or everything is ok. And you waste your time waiting (edited)
Open the Trace window. That will tell you the progress and any errors encountered.
AmNe5iA
Open the Trace window. That will tell you the progress and any errors encountered.
That's where we got the "Starting last stage for project" from - it's stuck on that.
@AmNe5iA I have the trace window open, but still the communication between PA and the user is very poor. For example, PA informs about the last stage of the process with (xxxxxx files), the progress bar doesn't move, and you see this message for hours and nothing changes. So you don't know if it is still working or not. (edited)
455GB extraction, what a nightmare
7:58 AM
To load in PA
t12346
455GB extraction, what a nightmare
I know right! From a single 512GB iPhone!
We've discovered within PA that the location for temp files is on the C drive
8:13 AM
So we've changed this location to a bigger drive and restarted decoding the phone @AmNe5iA @Angst
CLB-drorimon 7/14/2021 9:01 AM
@Pacman , I would love to see the logs, if possible. Please DM.
Will speak to colleague - logs from PA?
Does anyone know if it's possible to see when an iPhone was triggered into the "iPhone is disabled" mode from a BFU extraction? Is there a file similar to .obliterated? Officers are interested in when the phone was disabled, as the last activity is around a relevant date, but we're not sure how definite an indicator that is of when it was disabled.
@Cellebrite Did an advanced logical extraction from an iPhone 4s (pin known) via UFED Touch. Chucked it in PA and it said iTunes password incorrect. (edited)
6:34 AM
Any ideas? : s (edited)
6:38 AM
Tried the ol' 1234, 12345 etc (edited)
Has anyone come across CryptoKnox before? We have it on a Samsung J320F and are looking to decrypt the chat messages/mail apps
Yo Brohs, is there a free leo app for viewing Snapchat | Google returns?
9:11 AM
Besides digging through the HTML files
@mitchlang PA? AXIOM?
No, there was a great free app that just formatted the results into a nice GUI interface.
9:49 AM
It was something like Snap.io or something...
Maybe check NDCAC Website
9:55 AM
@mitchlang Just looked they have a tool called .Social
9:55 AM
Looks like what you're looking for
9:55 AM
supports Facebook, Google, Snapchat and several others
yes, that is it. Thanks @Ghosted
👍 1
Not sure if it's just me or has anyone noticed how Outlook doesn't get decoded by any forensic tools?
Pacman
Not sure if it's just me or has anyone noticed how Outlook doesn't get decoded by any forensic tools?
No problems with decoding Outlook in Oxygen. This is from FFS extraction from Xiaomi Redmi Note 7:
oxygen 2
Angst
No problems with decoding Outlook in Oxygen. This is from FFS extraction from Xiaomi Redmi Note 7:
We don't have Oxygen, I'm afraid
10:41 AM
running the extraction through AXIOM as we speak
10:41 AM
XRY/UFED didn't work.
Looks like AXIOM didn't work.
Hi, does anyone have a regex for all GPS standards?
Hey all - has anyone got any suggestions how I can see whether a call was made via Bluetooth headset or via the individual physically using their phone? Many thanks.
Pixel
Hey all - has anyone got any suggestions how I can see whether a call was made via Bluetooth headset or via the individual physically using their phone? Many thanks.
If you're talking iOS device that info might be stored in the knowledgeC database
Does anyone here have a script that can parse Microsoft Outlook? Galaxy S20+ - Android 11
4:23 AM
Outlook version 4.2114.2
@Pacman All Outlook messages you can find in the folder "/data/data/com.microsoft.office.outlook/files/olmac/". There are two types of files: *.1 - message body in HTML; *.0 - file with the message ID. Here's what the message ID looks like in the *.0 file: (edited)
5:29 AM
Then you can search the olmcore.db for this ID to get the data related to this message
5:32 AM
Oxygen can only decode the created/updated dates, message body and the account that received the message
5:33 AM
And the account/s info are stored in the acompliAcct.db (edited)
5:36 AM
Attachments from messages are stored in "/data/data/com.microsoft.office.outlook/files/Files/S0"
Rob
@Cellebrite Did an advanced logical extraction from an iPhone 4s (pin known) via UFED Touch. Chucked it in PA and it said iTunes password incorrect. (edited)
Small update on this @Cellebrite: just clicked Cancel in the password box and it's decoded some data. Just slightly confused as to whether this means I'm missing data or not.
JLindmar (83AR) 7/16/2021 6:46 AM
@Cellebrite, curious if there are any plans for adding any leveldb parsing functionality to Physical Analyzer?
Kind of a simple question that stumped me. I have a .E01 (physical) of an SD card; how do I open that in Cellebrite so I can carve it? Every time Cellebrite ingests it, carving ends in 0 seconds with 0 images found. I'm about to mount it and re-image it with Cellebrite, but there must be a better way.
@JLindmar (83AR) i agree!!! It is needed!!!
GRIZZ
Kind of a simple question that stumped me. I have a .E01 (physical) of an SD card; how do I open that in Cellebrite so I can carve it? Every time Cellebrite ingests it, carving ends in 0 seconds with 0 images found. I'm about to mount it and re-image it with Cellebrite, but there must be a better way.
Load Evidence --> Open Advanced --> Select Device under the "Start Without UFD file" --> Select No Vendor --> USB MSD
👍 1
Would anyone happen to know if the Zoom iOS app stores chat data in an iCloud backup? I don't see it in the supported app list for Cellebrite, but I'm not sure if Zoom even stores chat data in the cloud or even locally. Appreciate any insight you may have.
rdubu
Load Evidence --> Open Advanced --> Select Device under the "Start Without UFD file" --> Select No Vendor --> USB MSD
Thank you very much, that was a bit different than I originally thought. It's working now.
JLindmar (83AR)
@Cellebrite, curious if there are any plans for adding any leveldb parsing functionality to Physical Analyzer?
mg_cellebrite 7/17/2021 3:28 AM
We do have support for LevelDB as part of the application parser (infra for other parsers). Can you elaborate on the needs? (A call can be great. DM if possible)
Greg Kutzbach 7/18/2021 2:58 PM
NSO Group software can record your calls, copy your messages and secretly film you
chrisforensic 7/18/2021 11:31 PM
@CLB_iwhiffin @Cellebrite good morning 😉 concerning the "scrambled" WA messages on checkm8 extractions.... is there a way to easily unmark them if I don't want to include them in the .ufdr?
Anyone with much experience using the APOLLO tool that Sarah Edwards developed?
chrisforensic
@CLB_iwhiffin @Cellebrite good morning 😉 concerning the "scrambled" WA messages on checkm8 extractions.... is there a way to easily unmark them if I don't want to include them in the .ufdr?
mg_cellebrite 7/19/2021 1:06 AM
Hi. You can apply a search for "scrambled" in the chat table/message view and mark them out of the report. I just want to emphasize, the scrambled messages are messages you cannot get from another source (if we get another source we redact the scrambled and remain with the un-scrambled) and those can be deleted messages.
Morning all, someone here has an iPhone 11 (A2221) running 14.3. We have a full file system via GK, but when decoding in PA (7.46.0.64) the iMessages are not being decoded. Importing into XRY says there have been errors and opening it shows nothing. Any ideas?
mg_cellebrite
Hi. You can apply a search for "scrambled" in the chat table/message view and mark them out of the report. I just want to emphasize, the scrambled messages are messages you cannot get from another source (if we get another source we redact the scrambled and remain with the un-scrambled) and those can be deleted messages.
chrisforensic 7/19/2021 1:34 AM
thanks for detailed information Salute
Artea
Morning all, someone here has an iPhone 11 (A2221) running 14.3. We have a full file system via GK, but when decoding in PA (7.46.0.64) the iMessages are not being decoded. Importing into XRY says there have been errors and opening it shows nothing. Any ideas?
@Artea Could you send me the log from the extraction please? That might help tell what went wrong 🙂
Erumaro
@Artea Could you send me the log from the extraction please? That might help tell what went wrong 🙂
They are just re-attempting the import. As soon as it's finished, I'll get the log file to you
👍 1
@Gladros just ask your question here 😊
🤝 1
florus
@Gladros just ask your question here 😊
Well I’m just looking into the tool for some log analysis. There are videos on mac4n6.com but all the db files are collected from a jailbroken iPhone via SSH. Can the tool be used with GrayKey extractions?
@Gladros do you have access to BlackBag? Then just load the module into BB. And @ScottKjr3347 made some videos about the usage of APOLLO. (edited)
I have a Sony Xperia G3311. Is there any way to show when it was factory reset? Thanks!
florus
@Gladros do you have access to BlackBag? Then just load the module into BB. And @ScottKjr3347 made some videos about the usage of APOLLO. (edited)
Unfortunately my unit doesn’t have black bag hence why I was looking at the documentation and videos from mac4n6 GitHub. @ScottKjr3347 Would you mind sharing the videos you made? Or DM’ing me a link. It would be hugely appreciated.
Gladros
Unfortunately my unit doesn’t have black bag hence why I was looking at the documentation and videos from mac4n6 GitHub. @ScottKjr3347 Would you mind sharing the videos you made? Or DM’ing me a link. It would be hugely appreciated.
You should be able to use the FFS extraction from any tool. You will probably have to extract the file system from the zip file.
Oscar
You should be able to use the FFS extraction from any tool. You will probably have to extract the file system from the zip file.
Cool, I’ll give it a shot. Thank you
mg_cellebrite
We do have support for LevelDB as part of the application parser (infra for other parsers). Can you elaborate on the needs? (A call can be great. DM if possible)
JLindmar (83AR) 7/19/2021 7:58 AM
I'll DM you.
Anyone ever dealt with an older privacy program called PrivateMe Pro? I have the backup of the private images on a computer and looking to decrypt them. Thanks
@Cellebrite I'm having an issue where the PA 7.47 hash for the zip install file does not match the portal SHA256 or MD5 value. Also, when I unzip it, a setup log is already there (thank you to DavidK for installing it and doing testing last week!!!)
Ross Donnelly 7/19/2021 11:18 AM
NSO Group claims that its Pegasus spyware is only used to “investigate terrorism and crime” and “leaves no traces whatsoever”. This Forensic Methodology Report shows that neither of these statements are true. This report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 m...
😁 2
sholmes
Anyone ever dealt with an older privacy program called PrivateMe Pro? I have the backup of the private images on a computer and looking to decrypt them. Thanks
Android app?
OllieD
Android app?
I believe so. He has artifacts from iPhones as well as Android phones. These files are dated 2017 and earlier. I am guessing they are encoded or encrypted by the PrivateMe application. I found an old Android version online, and it doesn't look like they support it any longer. So I thought I would see what the Discord brain trust knew about it.
DeeFIR 🇦🇺 7/19/2021 7:01 PM
@sholmes do you have the device/phone as well? Or just the encrypted photographs?
just the encrypted photographs
7:02 PM
no clue what device it came from, but pretty sure it was an Android
7:02 PM
@DeeFIR 🇦🇺
sholmes
I believe so. He has artifacts from iPhones as well as Android phones. These files are dated 2017 and earlier. I am guessing they are encoded or encrypted by the PrivateMe application. I found an old Android version online, and it doesn't look like they support it any longer. So I thought I would see what the Discord brain trust knew about it.
Greg Kutzbach 7/19/2021 7:04 PM
When you read the files in a hex editor, are there any identifying file headers? Maybe clues to encryption type or application
I can check them in the morning when I get back in the office.
7:05 PM
@Greg Kutzbach I didn't look at them today. I saw they were png files with a new extension.
DeeFIR 🇦🇺 7/19/2021 7:07 PM
feel free to send the apk (upload via mega or similar)
👍 1
Greg Kutzbach 7/19/2021 7:11 PM
My gut tells me that the app key is used to decrypt the PrivateMe files, or a default key hard-coded in the app decrypts them. I would definitely load up the PrivateMe app on a device and play with some test files.
👍 1
@Greg Kutzbach thanks I will take a look at that
android3 1
Sounds a lot like the app we had, Gallery Vault. The encrypted file contains a PNG. All the files are encrypted, and there's a file called "don't delete". I suspect unlocking the app then decrypted the rest, but ultimately it was a forensic download followed by manual examination.
BritishBulldog 7/20/2021 12:37 AM
Hi all - a couple of questions regarding Google Mail. Found evidence of IIOC stored within the filepath: data\com.google.android.gm\files\downloads\a9800adf0396639d5XXXXXXXXXXXX\attachments\ Looking at the file system, I can see: (edited)
12:40 AM
I've searched through Gmail within PA and could not find any IIOC; the original email was possibly deleted. It's not within the stock gallery app, so not sure if he saved it to phone memory and then deleted it, or it was downloaded within Gmail for viewing?
12:41 AM
Also there are 6 folders within downloads; are these associated with different Gmail accounts?
King Pepsi
I have a Sony Xperia G3311. Is there any way to show when it was factory reset? Thanks!
Looks like it creates a file called "backup" upon factory resetting even if no backup options are picked. Tried it and it's within a minute of pressing reset.
BritishBulldog
Hi all - a couple of questions regarding Google Mail. Found evidence of IIOC stored within the filepath: data\com.google.android.gm\files\downloads\a9800adf0396639d5XXXXXXXXXXXX\attachments\ Looking at the file system, I can see: (edited)
If you have UFED Cloud, I'd consider trying to pull the Gmail contents if you have the tokens for it.
Anyone know the type of hash the MEGA Android app uses for media files sent in chats? 28 characters, and some contain - or _
What is the best way to handle an Apple Warrant return?
Can someone explain to me timestamps in searched items, I'm a bit confused
sholmes
Anyone ever dealt with an older privacy program called PrivateMe Pro? I have the backup of the private images on a computer and looking to decrypt them. Thanks
For anyone who was following this, looks like the first 1kb of the file is encrypted with XTEA in ECB mode with a static key pulled from a native library. The rest of the file is unencrypted, with a handful of extra bytes after the data ends
👍 2
Avatar
Amnesty have released a tool that checks ios/android backups for Pegasus. Probably not of much use unless you guys deal with some big fish, but I find this is an industry where we often get asked to do jobs because we have to : https://github.com/mvt-project/mvt
MVT is a forensic tool to look for signs of infection in smartphone devices - GitHub - mvt-project/mvt: MVT is a forensic tool to look for signs of infection in smartphone devices
😁 1
Avatar
Has anyone managed to decode lockbox from a one plus phone?
Avatar
Avatar
OllieD
For anyone who was following this, looks like the first 1kb of the file is encrypted with XTEA in ECB mode with a static key pulled from a native library. The rest of the file is unencrypted, with a handful of extra bytes after the data ends
Thanks for looking into this for me! And to everyone else who offered advice and assistance.
👍 1
Avatar
Looking for suggestions to make an examination easier. I have an unknown file system/operating system from a smart TV which I am processing. Short story: found a ton of URLs which I need to report and would like them to be clean for the digital report. Long story: I am using @Magnet Forensics Axiom to process an image of a television memory chip. I chipped the TV today. Not knowing what OS the Sharp TV is using, I processed the image as an Android. As I had done this on a test TV, I found I had to do All Artifact Keyword searches to carve data. I grabbed a handful of terms I thought the suspect might have used and was right, to the tune of over 10,000 entries. Axiom lists the terms as Snippets, but there are full URLs which were not carved as potential browser activity like I hoped they would be.
Avatar
Hi, is it possible to generate a report (pdf/html) in @Cellebrite PA with the results of a keyword search? (edited)
7:13 AM
It's a simple case, so I don't need the report with all data or an export to the Reader. I want to show only the keyword search to prove there are no results related to the case
Avatar
Avatar
sholmes
Looking for suggestions to make an examination easier. I have an unknown file system/operating system from a smart TV which I am processing. Short story: found a ton of URLs which I need to report and would like them to be clean for the digital report. Long story: I am using @Magnet Forensics Axiom to process an image of a television memory chip. I chipped the TV today. Not knowing what OS the Sharp TV is using, I processed the image as an Android. As I had done this on a test TV, I found I had to do All Artifact Keyword searches to carve data. I grabbed a handful of terms I thought the suspect might have used and was right, to the tune of over 10,000 entries. Axiom lists the terms as Snippets, but there are full URLs which were not carved as potential browser activity like I hoped they would be.
Just an update. Ran it through @Cellebrite as a blank project and using Android DD to decode. That got me nothing, but running the URL Carver got the items of concern and I can now export a nice digital report of the items.
Avatar
However, @Cellebrite only shows the search terms and not the URLs for the searches. I would like to still get the URLs for the search terms in a nice format, because the suspect was using Bing and Google Image search to view some of his images of concern.
Avatar
Good afternoon. Can anyone explain what's going on in this screen grab? It's from a Cellebrite chat export. There are 19 of the "empty" files with the _n.jpg extension and then 19 of the actual photos that were sent, all in one message. I'm assuming it's some sort of placeholder or something, as the user has sent these photos with FB Messenger. There is no relation in the file names whatsoever. Thanks. (edited)
Avatar
Avatar
sholmes
However, @Cellebrite only shows the search terms and not the URLs for the searches. I would like to still get the URLs for the search terms in a nice format, because the suspect was using Bing and Google Image search to view some of his images of concern.
I'm interested in this, I'll send you a DM
Avatar
I'm working on an LG Phoenix 5 (K300, FBE, Android 10, SPL 4/1/2021). I have a @Cellebrite FFS of this phone. I am attempting to determine if/how this device was reset. PA states the phone was set up on 5/1. I have setup wizard activity on 5/1/21, and many of the Android OS files are also dated this date. However, @Magnet Forensics Axiom shows usagestats from before this date. I also have some text messages from before May 1. A manual check of the phone does not show a reset date, nor does it show messages are being synced. Are usagestats/can usagestats be synchronized from Google? Or would they have been wiped during a factory reset? I do not have a test device to test my theories 😦
Avatar
BritishBulldog 7/22/2021 3:23 AM
@Magnet Forensics have tried decoding an iPhone 5s using AXIOM - when it gets to roughly 72% the Process window closes down and I can still see Examine open
3:23 AM
Bottom left says still processing with the circle .. circling.
3:23 AM
Does having process window closing down stop the whole thing?
Avatar
BritishBulldog 7/22/2021 3:57 AM
Okay yeah just worked out that having process window shutting itself down does stop the processing.
3:57 AM
Can anyone assist with this please?
Avatar
Avatar
RyanB
What is the best way to handle an Apple Warrant return?
I would try parsing it with PA, and I think other similar tools will work just fine as well.
Avatar
BritishBulldog 7/22/2021 5:33 AM
@Magnet Forensics Have tried running the decoding 4 or 5 times, all resulted in closing down the process window at 72% (have tried restarting computer, closing everything else except AXIOM)
Avatar
@MSAB I have a couple of extractions where the files are all listed but are showing as a file size of 0 kb / <actual size> - so for example evidence.png file size 0kb/1.32mb.
6:33 AM
As the actual file is 0kb, then it doesn't open, and this is for every file in the extract.
Avatar
@CCC The actual file size is 1.32mb but if it shows as 0 it means the file was not extracted. Could be that no files were selected to be extracted (Such as the Logical (No Files) profile selected) or that XRY did not have enough permissions to extract the file.
6:37 AM
If you could send me the log from the extraction we may be able to say more
Avatar
More likely the latter, I think it was a full logical all files.
Avatar
Avatar
BritishBulldog
@Magnet Forensics have tried decoding an iPhone 5s using AXIOM - when it gets to roughly 72% the Process window closes down and I can still see Examine open
When Process closes, processing is complete, or, as it sounds like in your case, an issue has occurred. There are some items that get sorted in Examine, like AI Categorization, Timeline building and Connections, but those are post-processing activities. I propose you go to the menu in Process and select HELP --> Collect Logs; it will collect all the logs for you and zip them into a container which you can send to support@magnetforensics.com to have support take a look.
Avatar
Avatar
Jamey
When Process closes, processing is complete, or, as it sounds like in your case, an issue has occurred. There are some items that get sorted in Examine, like AI Categorization, Timeline building and Connections, but those are post-processing activities. I propose you go to the menu in Process and select HELP --> Collect Logs; it will collect all the logs for you and zip them into a container which you can send to support@magnetforensics.com to have support take a look.
BritishBulldog 7/22/2021 6:42 AM
Sure thing - I was looking into signing into support on Magnet website, trouble is I can't create an account due to dongle license text thing - we have limited number of dongles here.
6:44 AM
Will send over an email tomorrow AM.
Avatar
@CCC If you could send me the log I can have a look and see if there's any other reason for it
Avatar
Avatar
Gladros
Unfortunately my unit doesn’t have black bag hence why I was looking at the documentation and videos from mac4n6 GitHub. @ScottKjr3347 Would you mind sharing the videos you made? Or DM’ing me a link. It would be hugely appreciated.
ScottKjr3347 7/22/2021 7:18 AM
These videos are about a year old and updates could have been applied to #APOLLO that make these steps outdated, but the videos should get you started. Feel free to DM if you have questions. https://youtu.be/6O4rGLdn1-w https://youtu.be/Hr7XIGBKKXw
Avatar
Avatar
Gladros
Unfortunately my unit doesn’t have black bag hence why I was looking at the documentation and videos from mac4n6 GitHub. @ScottKjr3347 Would you mind sharing the videos you made? Or DM’ing me a link. It would be hugely appreciated.
ScottKjr3347 7/22/2021 7:23 AM
I would also strongly suggest for you to check out #iLEAPP by alexis brignoni https://github.com/abrignoni and #ArtEx by Ian Whiffin https://www.doubleblak.com/m/ They use the zip file as you discussed.
Avatar
Any ideas on finding YouTube app history on an iOS file system? Been combing through it, cannot find any kind of history log for videos watched in the iOS YouTube application.
Avatar
Thank you hugely @ScottKjr3347, I appreciate it 👍🏻
Avatar
Hi all. Android phones, in the plain old Messages app, have a setting for 'delete old messages', typically to delete messages over 1000 items old. Anybody know where this setting is stored, any particular file? Thanks in advance
Avatar
FATHEAD7466 7/22/2021 10:28 AM
is there a way of decoding a PIN from an Iphone 11 ios 14.4, for an AFU using GK and parsing for the PIN?
Avatar
Avatar
FATHEAD7466
is there a way of decoding a PIN from an Iphone 11 ios 14.4, for an AFU using GK and parsing for the PIN?
forensicmike @Magnet 7/22/2021 10:57 AM
the actual device PIN? no. it's well protected. you can always luck out finding the same or a similar PIN used for other things though in the keychain.
Avatar
Avatar
forensicmike @Magnet
the actual device PIN? no. it's well protected. you can always luck out finding the same or a similar PIN used for other things though in the keychain.
FATHEAD7466 7/22/2021 11:11 AM
rgr thx. Will keep digging.
Avatar
Avatar
BritishBulldog
Sure thing - I was looking into signing into support on Magnet website, trouble is I can't create an account due to dongle license text thing - we have limited number of dongles here.
Just send them to me and I can take a look.
Avatar
Avatar
BritishBulldog
Sure thing - I was looking into signing into support on Magnet website, trouble is I can't create an account due to dongle license text thing - we have limited number of dongles here.
You could also simply email them instead of signing in that will create a ticket support@magnetforensics.com
Avatar
do Cellebrite dongles not work if you're on remote desktop?
Avatar
Avatar
Sudo
do Cellebrite dongles not work if you're on remote desktop?
Unfortunately, they don't work.
Avatar
weird, all the other ones do
1:23 AM
I'm sure even Cellebrite did earlier this year lol
Avatar
Avatar
Sudo
do Cellebrite dongles not work if you're on remote desktop?
Deleted User 7/23/2021 1:25 AM
They need to activate something on your account. Speak with the support.
Avatar
OK, thanks
1:26 AM
I swear it worked earlier this year
Avatar
Mistercatapulte 7/23/2021 5:40 AM
I have a Huawei tablet on which no Snapchat or Instagram type application is present. Examining the data_usage, install_queue and localappstate databases gives me some clues, but I would like to determine exactly what time the apps were uninstalled (if this is possible with Android, as is the case with mobileinstallation on iPhone). Thank you!
Avatar
chrisforensic 7/23/2021 6:18 AM
hello @Cellebrite when exporting from PA to Excel format, empty columns are always there... would it be possible to adapt PA so that, if there are empty columns, PA automatically doesn't generate them? so the xlsx is smaller and the investigators just have columns that contain something 🙂 (edited)
6:19 AM
empty columns red marked
👍 4
Avatar
Avatar
chrisforensic
hello @Cellebrite when exporting from PA to Excel format, empty columns are always there... would it be possible to adapt PA so that, if there are empty columns, PA automatically doesn't generate them? so the xlsx is smaller and the investigators just have columns that contain something 🙂 (edited)
Deleted User 7/23/2021 6:26 AM
And we don't have to delete them 😉
👍 1
💯 1
Avatar
Not exactly sure if it's possible, but could they be auto-hidden?
Avatar
Avatar
Gladros
Unfortunately my unit doesn’t have black bag hence why I was looking at the documentation and videos from mac4n6 GitHub. @ScottKjr3347 Would you mind sharing the videos you made? Or DM’ing me a link. It would be hugely appreciated.
Here is an Apollo branch that has zip support. https://github.com/abrignoni/APOLLO Here is how to run it: In the terminal: Use gather_from_zip option and in the data directory argument put the path to include the filename. For example: python apollo.py gather_from_zip /modules /extraction_files_full.zip Run extract on the temp directory. For example: python apollo.py extract -o sql_json -v yolo -k /modules /tmp_apollo Tested in macOS. (edited)
Apple Pattern of Life Lazy Output'er. Contribute to abrignoni/APOLLO development by creating an account on GitHub.
👍 2
😍 1
Avatar
Avatar
Brigs
Here is an Apollo branch that has zip support. https://github.com/abrignoni/APOLLO Here is how to run it: In the terminal: Use gather_from_zip option and in the data directory argument put the path to include the filename. For example: python apollo.py gather_from_zip /modules /extraction_files_full.zip Run extract on the temp directory. For example: python apollo.py extract -o sql_json -v yolo -k /modules /tmp_apollo Tested in macOS. (edited)
Legend, thank you for this Brigs 🙌🏻
👍 2
Avatar
Avatar
CCC
Amnesty have released a tool that checks ios/android backups for Pegasus. Probably not of much use unless you guys deal with some big fish, but I find this is an industry where we often get asked to do jobs because we have to : https://github.com/mvt-project/mvt
Quite useful tool to extract artifacts from iTunes backups or decrypt them using a pass. But I guess nothing iLeapp or iTunes Backup Reader can’t handle (edited)
Avatar
DeeFIR 🇦🇺 7/23/2021 6:40 PM
I used mvt last night to see how it would handle a full file system extract. It’s almost like timeline explorer for iOS. The granularity was great, and the data it generated was a lot easier to interpret than APOLLO’s output
👍 1
Avatar
Avatar
Brigs
Here is an Apollo branch that has zip support. https://github.com/abrignoni/APOLLO Here is how to run it: In the terminal: Use gather_from_zip option and in the data directory argument put the path to include the filename. For example: python apollo.py gather_from_zip /modules /extraction_files_full.zip Run extract on the temp directory. For example: python apollo.py extract -o sql_json -v yolo -k /modules /tmp_apollo Tested in macOS. (edited)
Been meaning to test this functionality out, wish it also accepted TAR too
Avatar
Avatar
stark4n6
Been meaning to test this functionality out, wish it also accepted TAR too
Shouldn't be too hard to add. Will look into it as soon as I can.
👍 1
Avatar
Avatar
stark4n6
Been meaning to test this functionality out, wish it also accepted TAR too
Gather from Tar screen output.
💯 2
Avatar
Avatar
Brigs
Gather from Tar screen output.
Looking good, will have to test that too this week
Avatar
Avatar
stark4n6
Looking good, will have to test that too this week
Output after running Apollo on the tmp_apollo folder.
Avatar
Avatar
stark4n6
Looking good, will have to test that too this week
Be aware it is only tested on macOS. Get it here: https://github.com/abrignoni/APOLLO
Apple Pattern of Life Lazy Output'er. Contribute to abrignoni/APOLLO development by creating an account on GitHub.
🙏🏼 1
Avatar
Avatar
Brigs
Be aware it is only tested on macOS. Get it here: https://github.com/abrignoni/APOLLO
Understood, all the more reason for me to get one set up haha
😂 1
Avatar
@Cellebrite I processed an extraction of an iPhone 7; during the import I was prompted to provide a password for the Apple Notes, but we did not have any known passwords at that time so I continued without. Later on we found some passwords in the phone data, and we would like to try these as the password for the Apple Notes. Is there an easy way to re-run the Apple Notes process instead of having to process the full image (124 GB) again?
Avatar
Avatar
Erikk007
@Cellebrite I processed an extraction of an iPhone 7; during the import I was prompted to provide a password for the Apple Notes, but we did not have any known passwords at that time so I continued without. Later on we found some passwords in the phone data, and we would like to try these as the password for the Apple Notes. Is there an easy way to re-run the Apple Notes process instead of having to process the full image (124 GB) again?
CLB-drorimon 7/26/2021 2:00 AM
You can create a minidump (Run the Minidumps Creator Plugin) of the Notes and reprocess it.
👍 2
Avatar
Does anyone know the name of the Android database that records the application usage? Contains info such as when an app was closed/opened/on-screen etc.?
6:26 AM
Remember seeing it in Oxygen and in UFED but been a good while since I've looked at it that I've forgotten its name
Avatar
Avatar
Rob
Does anyone know the name of the Android database that records the application usage? Contains info such as when an app was closed/opened/on-screen etc.?
UsageStats?
6:33 AM
As I've been testing and using Sarah Edwards' excellent APOLLO pattern of life framework for iOS I reminded myself of the great work done...
Avatar
Might well be that, doesn't look like my CellebriteReader file has that tho sadly but could be it!
Avatar
Avatar
Rob
Does anyone know the name of the Android database that records the application usage? Contains info such as when an app was closed/opened/on-screen etc.?
ContextLog.db seems to do that on Samsung devices, ALEAPP can parse it
👍 1
Avatar
Avatar
Rob
Does anyone know the name of the Android database that records the application usage? Contains info such as when an app was closed/opened/on-screen etc.?
#DFIR Of course Samsung would choose to use their own version of #Android Digital Wellbeing. Database sits in /data/data/com.samsung.android.forest. Name is dwbCommon.db. 1/3
👍 1
Avatar
That file I have.
Avatar
Avatar
Rob
Might well be that, doesn't look like my CellebriteReader file has that tho sadly but could be it!
ALEAPP parses usagestats.
👌 1
Avatar
Anyone having issues with @Cellebrite PA (version 7.46.0.64) not parsing Chrome history from Android phones? I have an LG Phoenix 5 (Android 10, SPL 1/11/20). I see the data in the database, and Axiom found it as well. Just seeing if others have seen this before calling tech support.
Avatar
Avatar
sholmes
Anyone having issues with @Cellebrite PA (version 7.46.0.64) not parsing Chrome history from Android phones? I have an LG Phoenix 5 (Android 10, SPL 1/11/20). I see the data in the database, and Axiom found it as well. Just seeing if others have seen this before calling tech support.
mg_cellebrite 7/26/2021 1:55 PM
Try 7.47 release
👍 1
Avatar
I saw it just came out. I am in the middle of a case and I am not going to update in the middle and risk losing all my bookmarks.
1:55 PM
I will do it afterwards
Avatar
Thanks @mg_cellebrite
Avatar
Avatar
Erikk007
@Cellebrite I processed an extraction of an iPhone 7; during the import I was prompted to provide a password for the Apple Notes, but we did not have any known passwords at that time so I continued without. Later on we found some passwords in the phone data, and we would like to try these as the password for the Apple Notes. Is there an easy way to re-run the Apple Notes process instead of having to process the full image (124 GB) again?
if this scenario happens to you also with other apps, you can use the pre-defined passwords feature ("Add password list" button in the Open Case window). if you can't guess any password you can set an empty file; once you use it, PA identifies parsers that required user input for a password, tries the passwords from the given file and re-runs the parsers that failed to decrypt using the passwords from the input. on the second run we try all the passwords that were decoded from the whole extraction (unluckily Notes is the only one we don't re-run automatically because of efficiency considerations, as any note may be secured and require a password..) (edited)
👍 1
Avatar
Hi, can anyone from @MSAB help me? Let me explain,
Avatar
@KR-4n6 Sure thing, feel free to DM me in case you need anything
Avatar
Hi, in my extraction of an Android device I got an expiration date on a TikTok account. What does that mean? Thanks for your help
Avatar
Mistercatapulte 7/27/2021 5:52 AM
@KR-4n6 maybe token expiration?
Avatar
Data Recovery 7/27/2021 6:32 AM
Vivo V2035, screen lock forgotten - is data recovery possible? I checked Oxygen and UFED, neither supports the model (edited)
Avatar
deepdive4n6 7/27/2021 10:55 AM
@Cellebrite My bad if this has been asked/answered before... but when processing an Apple iCloud SW return in Physical Analyzer, do I need to step through each one of the identified backup folders to ensure that all the data is processed? I can only select one at a time, and it gets a little tedious on some of these...
Avatar
Avatar
deepdive4n6
@Cellebrite My bad if this has been asked/answered before... but when processing an Apple iCloud SW return in Physical Analyzer, do I need to step through each one of the identified backup folders to ensure that all the data is processed? I can only select one at a time, and it gets a little tedious on some of these...
mg_cellebrite 7/27/2021 11:07 AM
So currently yes. However I can say we are working on refactoring it; the idea is both giving the user a way to select multiple data sets at once while making sure those can be separated by filtering if needed. 1. DM me and I can help you make sure you get all the data when you open it. 2. It seems from the picture the warrant return contains only cloud records and no backup of the device. If that's so I would try the last option (blended cloud data).
Avatar
I'm working a case where a victim was separated from their iPhone but still wearing their cellular-enabled Apple Watch. This occurred over several hours and then the victim reunited with their iPhone. I'm trying to determine 1) does the Watch record location data independently of the iPhone at all times even without a Workout or some other app being launched? and 2) if so, where does that data go when reunited with the iPhone and resyncs? I have a FFS of the target iPhone.
Avatar
DeeFIR 🇦🇺 7/27/2021 2:55 PM
Can you run APOLLO against the FFS, identify power activity and pairing logs? It should be in there IIRC
Avatar
Avatar
mg_cellebrite
Try 7.47 release
I did update to 7.47.0.49. (tags successfully made the transition!) However, Chrome was still not parsed.
Avatar
Avatar
DeeFIR 🇦🇺
Can you run APOLLO against the FFS, identify power activity and pairing logs? It should be in there IIRC
I haven't tried APOLLO on it, yet (have to extract the archived FFS correctly), but I did try iLEAPP but I still can't identify if anything is there from the Watch.
Avatar
DeeFIR 🇦🇺 7/27/2021 4:39 PM
@criley4640 What format is the FFS in? You can use the extract zip module against a zip if it’s generated with UFED, for example. Edit: or just extract the relevant DB manually. APOLLO has a module called knowledge_device_watch_nearby which parses relevant entries from knowledgeC, so that should answer your query (edited)
Avatar
Avatar
sholmes
I did update to 7.47.0.49. (tags successfully made the transition!) However, Chrome was still not parsed.
mg_cellebrite 7/27/2021 11:32 PM
I will make sure support approaches you to open a case/bug on it.
👍 1
Avatar
Avatar
criley4640
I'm working a case where a victim was separated from their iPhone but still wearing their cellular-enabled Apple Watch. This occurred over several hours and then the victim reunited with their iPhone. I'm trying to determine 1) does the Watch record location data independently of the iPhone at all times even without a Workout or some other app being launched? and 2) if so, where does that data go when reunited with the iPhone and resyncs? I have a FFS of the target iPhone.
If anywhere I would guess it would sync to Cloud-V2.sqlite, check in the devices table for the ID of the apple watch and filter for that in the locations table. I don't have a database open right now so can't check the exact names. (edited)
Avatar
@Cellebrite @Magnet Forensics Hi, I tried to decode Signal (5.14.035) on an iPhone FFS without any luck (edited)
12:50 AM
Is this version non compatible?
Avatar
Avatar
Dam
@Cellebrite @Magnet Forensics Hi, I tried to decode Signal (5.14.035) on an iPhone FFS without any luck (edited)
Is the correct keychain value present?
Avatar
Avatar
Oscar
Is the correct keychain value present?
Using Axiom I copy-pasted the value from the decoded keychain and tried to decode Signal without any results
12:52 AM
using PA I just select the keychain.plist and the zip file (it's a graykey extraction)
Avatar
You could always try my script https://github.com/decryptSignal/decryptSignal Place the signal db, keychain file and my exe file in the same folder, run iOS and Auto. DM if you run into any problems (edited)
Contribute to decryptSignal/decryptSignal development by creating an account on GitHub.
😍 1
Avatar
Avatar
Oscar
You could always try my script https://github.com/decryptSignal/decryptSignal Place the signal db, keychain file and my exe file in the same folder, run iOS and Auto. DM if you run into any problems (edited)
Thanks I'll try
Avatar
Avatar
Dam
@Cellebrite @Magnet Forensics Hi, I tried to decode Signal (5.14.035) on an iPhone FFS without any luck (edited)
mg_cellebrite 7/28/2021 2:12 AM
@CLB - DavidK @Dam In PA 7.47 there is support for 5.14 on iOS. Can you open a support ticket so we can see what happened?
Avatar
BritishBulldog 7/28/2021 2:14 AM
@Magnet Forensics I'm still having issues with Processing window crashing on me.
Avatar
BritishBulldog 7/28/2021 3:13 AM
Alright so I worked out the issue - and it's created further problems for me.
Avatar
When you run userinfo from adb, you get something like Userinfo{0:User:13} - what does the second number refer to?
Avatar
@Magnet Forensics finally it works with Axiom. @Oscar It also works with your script. Just needed to install sqlcipher with brew.
👍 1
5:04 AM
Thanks
Avatar
Avatar
CCC
When you run userinfo from adb, you get something like Userinfo{0:User:13} - what does the second number refer to?
DeeFIR 🇦🇺 7/28/2021 5:06 AM
IIRC it's user ID : name : user level/flag
Avatar
Thanks - Is there a reference table for user level/flags?
Avatar
DeeFIR 🇦🇺 7/28/2021 5:07 AM
just trawling through my notepad++ chicken scratchings
5:07 AM
Tbh I have no idea if it's OS version dependent
Avatar
Genius! Thanks.
👍 1
Avatar
Avatar
Dam
@Cellebrite @Magnet Forensics Hi, I tried to decode Signal (5.14.035) on an iPhone FFS without any luck (edited)
CLB - DavidK 7/28/2021 5:13 AM
Can you please share the logs with me via DM?
Avatar
Avatar
CLB - DavidK
Can you please share the logs with me via DM?
Yes
Avatar
Avatar
DeeFIR 🇦🇺
Tbh I have no idea if it's OS version dependent
@CCC Looking at the Blame log for that file, several of those values date back to 2011 or 2012. Would be quite surprised if they were OS dependent, unless it's one of the newer values (e.g. the 'Profile' flag dates back to October 2019) (edited)
Avatar
@InternalMirroredPrism You can add an extraction to your current project. (edited)
Avatar
InternalMirroredPrism 7/28/2021 7:15 AM
@callzor but it's not a UFDR or UFD file. it's a raw format
Avatar
You can still do that
7:16 AM
When you go through the File -> Open Case wizard, you'll get a few radio boxes to tick which controls whether it gets added to an existing project or a new one
7:20 AM
No problem
Avatar
Avatar
Oscar
If anywhere I would guess it would sync to Cloud-V2.sqlite, check in the devices table for the ID of the apple watch and filter for that in the locations table. I don't have a database open right now so can't check the exact names. (edited)
You are da' man! Just found it and exactly the evidence we were looking for. Corroborated by other evidence, to boot! Thank you!
Salute 1
Avatar
Avatar
Oscar
If anywhere I would guess it would sync to Cloud-V2.sqlite, check in the devices table for the ID of the apple watch and filter for that in the locations table. I don't have a database open right now so can't check the exact names. (edited)
Avatar
TooManyShots 7/29/2021 12:07 AM
Has anybody looked at the data stored within _ATXDataStore.db on iOS? It mentions install and launch dates for applications. I wonder how reliable it is and if anybody has performed any testing on it
Avatar
@Cellebrite Hi, every time I create a UFDR the thumbnails are white. I cannot see the pictures. In PA with the UFD I can, but not using the Reader. Do I have to do anything special?
Avatar
Avatar
Dam
@Cellebrite Hi, every time I create a UFDR the thumbnails are white. I cannot see the pictures. In PA with the UFD I can, but not using the Reader. Do I have to do anything special?
Deleted User 7/29/2021 12:25 AM
On PA 7.47?
Avatar
Avatar
Deleted User
On PA 7.47?
No, I will try with 7.47. The problem was on 7.46
👍 1
Avatar
Avatar
Dam
No, I will try with 7.47. The problem was on 7.46
Deleted User 7/29/2021 12:27 AM
Yes, normally the problem is only on the initial Reader of 7.46.
Avatar
Avatar
Deleted User
Yes, normally the problem is only on the initial Reader of 7.46.
Thanks for the info
Salute 1
Avatar
Any suggestions for the best freeware tool to examine an iTunes backup for an iPhone? Tried Autopsy but it doesn't seem to like backups. (edited)
Avatar
Avatar
Jobbins
Any suggestions for the best freeware tool to examine an iTunes backup for an iPhone? Tried Autopsy but it doesn't seem to like backups. (edited)
Encrypted or not? iBackupBot does a nice job if it's not
Avatar
Avatar
stark4n6
Encrypted or not? iBackupBot does a nice job if it's not
not encrypted
Avatar
Avatar
Jobbins
not encrypted
Software for browse, view, export and edit iTunes backed up files, for iPod Touch, iPhone 3G, iPhone 3GS, iPad.
Avatar
Perfect. thank you
Avatar
Chris Myers 7/29/2021 1:42 PM
@Cellebrite I’ve got a full filesystem extraction up in Physical Analyzer and I’ve found a Snapchat convo that is between my device owner and another person. It doesn’t provide usernames, it lists a long alphanumeric string. When I look in arroyo.db it appears that the alphanumeric string is a “Party Identifier”. I can’t find anywhere in the DB that correlates that alphanumeric string to a user ID that can be used for identifying the user. Any thoughts from anyone? Thanks!
Avatar
Avatar
Chris Myers
@Cellebrite I’ve got a full filesystem extraction up in Physical Analyzer and I’ve found a Snapchat convo that is between my device owner and another person. It doesn’t provide usernames, it lists a long alphanumeric string. When I look in arroyo.db it appears that the alphanumeric string is a “Party Identifier”. I can’t find anywhere in the DB that correlates that alphanumeric string to a user ID that can be used for identifying the user. Any thoughts from anyone? Thanks!
Chris Myers 7/29/2021 1:44 PM
Sorry, forgot to mention it's iOS
Avatar
Avatar
Chris Myers
Sorry, forgot to mention it's iOS
Chris Myers 7/29/2021 2:23 PM
Ian Whiffin came up clutch with primary.docobjects SQLite table: snapchatter will show a user ID when locating the alphanumeric string
Salute 2
👍 2
Avatar
Deleted User 7/30/2021 5:01 AM
For those who use Signal Backup and don't know how to read all the conversations properly and well decoded: I just found this and it's wonderful https://github.com/GjjvdBurg/signal2html 😱
Export a Signal backup to pretty HTML. Contribute to GjjvdBurg/signal2html development by creating an account on GitHub.
Avatar
I have websites of interest listed in a file named "ds.docs" which is located in com.google.android.gms\files\AppDataSearch\main\cur. I have tried Google searches, but can't find what this file is. Anyone have any insight?
Avatar
BritishBulldog 7/30/2021 5:11 AM
@Cellebrite Watch list keyword searches - does it run a search through hex or through the files?
Avatar
@BritishBulldog I think it is just on decoded data. The manual states "Run a watch list of keywords against your decoded data to identify important and relevant information. Watch lists can be run automatically or activated manually on selected decoded data."
5:23 AM
But @Cellebrite can definitely confirm or counter that statement
Avatar
BritishBulldog 7/30/2021 5:24 AM
Hmm that's what I thought too - I'm wondering if there's a way of running a wordlist against the hex?
Avatar
Good question. I have always just searched individually through PA. However, if you have @Magnet Forensics you can search a list of words through the hex when you process the evidence.
Avatar
Does signing out of WhatsApp on iPhone 12 wipe all messages beyond recoverable?
Avatar
Avatar
BritishBulldog
Hmm that's what I thought too - I'm wondering if there's a way of running a wordlist against the hex?
CLB-drorimon 7/30/2021 6:09 AM
You can search for keywords inside files using the global search box (upper left side in PA), 'advanced options'.
👍 2
Avatar
Avatar
BritishBulldog
Hmm that's what I thought too - I'm wondering if there's a way of running a wordlist against the hex?
You could convert your word list to hex and then add that as a watchlist. I've run a watch list of hex code with success before.
Avatar
Hi, it was possible to see in Telegram who the manager was. Why is it not there anymore?
Avatar
Is anyone else having an issue accessing @Cellebrite MyCellebrite, to download the latest version of PA? I receive an incorrect password alert, and the forget password link does not load. (edited)
Avatar
@poxglass is it the old portal or the newer one? Newer one should be https://community.cellebrite.com/s/login/?language=en_US
5:16 AM
I know I've accidentally tried the old one too many times to count
Avatar
Trying to decrypt Signal from an Android with the help of https://rado0z.github.io/Decrypt_Android_Database, however I can't get the same results; I feel like my USRSKEY file is bigger. Any ideas on how to parse USRSKEY files?
Avatar
@OggE please, where is the "(app-id)_USERKEY_SignalSecret"?
Avatar
@rico /data/keystore/user_0/10044_USRSKEY_SignalSecret - it's the one, but 10044 may be a different number on the phone you work with
Avatar
forensicmike @Magnet 8/3/2021 12:11 PM
@OggE if it is sourced from a real phone with a hardware-backed keystore, it is probably because it is encrypted. in that blog you linked, the key is not encrypted, most probably because it came from an emulator.
Avatar
Need help parsing through Grindr chats from iOS. Application is 19213.30701. I can see the chats within the persistencestore.bin file. Anyone have ideas?
Avatar
DeeFIR 🇦🇺 8/3/2021 3:16 PM
@OggE you’ll need a ram dump. What phone are you dealing with?
Avatar
@DeeFIR 🇦🇺 Except for Samsung, is there a solution to dump RAM without rooting the device?
8:49 PM
@Arcain I never found data/keystore in any recent device 🤔
Avatar
DeeFIR 🇦🇺 8/3/2021 8:54 PM
DM me
Avatar
franksvensson 8/3/2021 11:33 PM
Hey! I have a case where a person with an iPhone 11 Pro Max claims that his WhatsApp account is used by other people via WhatsApp Web. I have an AFU of the phone (since I do not have the code for the phone, I can therefore not see linked accounts in WhatsApp). Can you see linked accounts in any other way? My second question is about which table and column in the database shows whether a message (WA) was sent via mobile or desktop (the small icons in UFED PA). Thanks! (edited)
Avatar
Good Morning! I have a problem with some geo-locations. A device shows in Google Maps Location 1 but I'm 400 km away with my Android phone on Location 2. If we use the "get position" button, we have the correct position. In this case we have more than 20 mobile hotspots from guys who come from Location 1 next to us. So in our thinking we get with our Android phone the geolocations from the hotspots for a few seconds. Is this information stored on the device? "Seen WiFis" with geodata? We were not connected to one of the hotspots! But we can't find any information on the device (with cloud data). (iwc_dump.txt, wpa_supplicant.conf or ssrm_heating.log ?!) THANKS! 😉
Avatar
Avatar
stark4n6
@poxglass is it the old portal or the newer one? Newer one should be https://community.cellebrite.com/s/login/?language=en_US
You might be right, logged in with ease using your URL. Thanks!
👍 1
Avatar
I have a Google Pixel 4 that was reset. We have a File System and Advanced Logical image of the device. Does anybody know how we can determine reset date of the device?
Avatar
Does Cellebrite now understand Signal? I forget where that needle landed. I have an old Samsung phone, full extraction, and popping it open in PA it still doesn't recognise the Signal app as decodable. Are there extra steps needed?
Avatar
@CCC scroll a couple of posts up 🙂
Avatar
Avatar
Arcain
@CCC scroll a couple of posts up 🙂
Aha. Do people use the paid-for version of SQLCipher or a homebrew one?
5:01 AM
Surprised Cellebrite doesn't have the power.
Avatar
I assume the community one is enough, but you'd have to first check if you're able to recover that key from the dump you made
Avatar
I have got the key, just not sure what to do with it as I've never seen or built SQLCipher. Potentially AXIOM looks promising
Avatar
I'm not sure actually, never done it. Maybe someone who tried it already will be able to help more
Avatar
Avatar
CCC
Does Cellebrite now understand Signal? I forget where that needle landed. I have an old Samsung phone, full extraction, and popping it open in PA it still doesn't recognise the Signal app as decodable. Are there extra steps needed?
CLB-drorimon 8/5/2021 11:17 AM
Did you check whether that version of Signal is supported? You can check that on the Help menu -> Supported apps.
Avatar
Avatar
CCC
Surprised Cellebrite doesn't have the power.
CLB-drorimon 8/5/2021 11:59 AM
How's that for a clickbait? "You wouldn't believe what was @CCC's response when he discovered Cellebrite does have the power." You can decrypt encrypted SQLCipher files from the Python shell like this (SQLCipher 4 example):
    import clr
    clr.AddReference('Plugins.Common')
    from Plugins.Common import ParserCryptoTools
    # node of the encrypted database inside the loaded extraction
    enc_db_node = ds.FileSystems["FileSystemName"]["path/of/encrypted.db"]
    # sql_cipher_key holds the key recovered for this database
    plain_db_node = ParserCryptoTools.DecryptSQLCipher4(enc_db_node, sql_cipher_key)
Calling DecryptSQLCipher4 will also add the decrypted file to the filesystem, under the encrypted file, so you can inspect it manually. (edited)
👍 3
Arcain pinned a message to this channel. 8/5/2021 12:16 PM
Avatar
Avatar
CCC
Does Cellebrite now understand Signal? I forget where that needle landed. I have an old Samsung phone, full extraction, and popping it open in PA it still doesn't recognise the Signal app as decodable. Are there extra steps needed?
Currently the decoding support is only for extractions that were made via CAS (edited)
3:36 PM
@CCC We had a thread on this topic a couple of weeks ago here - we hope to enable an automated process to parse it in PA if you already have the decryption key in future versions, but it will be a partial solution (the sql cipher key is not enough for full support)
Avatar
Anyone who can explain what the dummy IMEIs are for? I have a physical of a Samsung Ktouch E50, showing two dummy IMEIs in Physical Analyser and one 'IMEI'. @Cellebrite
Avatar
@CLB-ChenK @CLB-drorimon No 7 did shock me, and now I have a secret that your doctor does not want you to know about... Thanks guys, almost sounds like it should be a topic in and of itself. Owing to the nature of CAS, I have not seen the output, nor know much about it but it did seem that if the key was a known quantity in a known place then it could be automated - I looked for a python solution but failed, but this is an exciting development. I will manually crack this if I have to. Think I have an encoded key, as per the thread.
12:27 AM
Oblig - you guys are awesome!
Avatar
Russell Abel - Bastrop County SO 8/6/2021 3:59 AM
@Cellebrite Anyone online that can help me with PA?
Avatar
Avatar
Russell Abel - Bastrop County SO
@Cellebrite Anyone online that can help me with PA?
mg_cellebrite 8/6/2021 4:00 AM
I can try me best, what is the issue?
4:00 AM
*my
Avatar
Russell Abel - Bastrop County SO 8/6/2021 4:00 AM
I just installed 7.47.0.49. Now when I try to open extractions, media categorizations is greyed out
4:00 AM
I went ahead and opened the extraction, but I still couldn't do media categorizations
Avatar
mg_cellebrite 8/6/2021 4:02 AM
Greyed out through the case open setting? Were there any issues with the installation?
Avatar
Russell Abel - Bastrop County SO 8/6/2021 4:02 AM
not that I saw.
4:03 AM
Avatar
mg_cellebrite 8/6/2021 4:03 AM
So it's not my domain. I will ask around
Avatar
Russell Abel - Bastrop County SO 8/6/2021 4:03 AM
Thank you
Avatar
mg_cellebrite 8/6/2021 4:09 AM
Can you check if the following services are running? IMAN and Openvino
Avatar
Russell Abel - Bastrop County SO 8/6/2021 4:09 AM
Ok. Give me a few minutes. I'm trying to re-install it to see if that helps
Avatar
Russell Abel - Bastrop County SO 8/6/2021 4:33 AM
Neither one of the services is running
Avatar
mg_cellebrite 8/6/2021 4:47 AM
Can you start them manually? Is it possibly a matter of permissions?
Avatar
Russell Abel - Bastrop County SO 8/6/2021 4:53 AM
I don't see them
4:56 AM
There is another computer that it's working on, but I checked the services on it, and it doesn't have either one of them either
Avatar
mg_cellebrite 8/6/2021 4:59 AM
How urgent is the issue? I can ask support to reach you (DM your email)
Avatar
Russell Abel - Bastrop County SO 8/6/2021 5:00 AM
I don't need it right at this moment, but I do need it within the next few hours
5:00 AM
if possible
Avatar
mg_cellebrite 8/6/2021 5:05 AM
5:05 AM
Those are the services..
5:05 AM
Both do not exist on the two computers?
Avatar
Russell Abel - Bastrop County SO 8/6/2021 5:07 AM
I found them. Both are running on the good computer. Neither were running on the bad computer. I started the Iman service fine, but when I tried to start the Openvino service, I got this.....
5:07 AM
Avatar
mg_cellebrite 8/6/2021 5:22 AM
I suggest re-installing with admin rights and making sure image analytics is checked "V" in the installation exe.
Avatar
Russell Abel - Bastrop County SO 8/6/2021 5:29 AM
Trying again
Avatar
Russell Abel - Bastrop County SO 8/6/2021 5:53 AM
It didn't work. I did get it working by copying the openvino folder from the working computer. There were 313 files in that folder, but only 312 in the non-working computer. Not sure which file was missing.
Avatar
mg_cellebrite 8/6/2021 6:06 AM
So I'm glad it's working. I will forward it to our PA support to understand what went wrong
Avatar
Russell Abel - Bastrop County SO 8/6/2021 6:21 AM
Thank you
Avatar
Avatar
ar1195
I have a Google Pixel 4 that was reset. We have a File System and Advanced Logical image of the device. Does anybody know how we can determine reset date of the device?
check some of the core database creation dates
Avatar
NibblesNBits 8/6/2021 12:06 PM
Has anyone worked with calllog.db on Samsung S9 phones and is familiar with the correlation between this database and mmssms.db? I believe I know enough to say the calllog.db contains snippets of conversations that exist or once existed on a phone. I found a log file by navigating the FS called filelog0 under path data/Root/user_de/0/com.android.providers.telephony/Log/FileLog0.log showing deleted messages, both SMS and their possible id or IN (guessing index?) numbers. Does anyone know if these id/IN numbers somehow correlate to the calllog.db? I am looking into it but just curious if anyone has come across this. I will probably do some testing on a wiped phone but was curious if anyone had any experience with this already. The log file contains time and date stamps and unfortunately this was a rabbit hole that doesn't pertain to the case but in the future could be used if the question was did someone delete SMS or MMS from a phone at a certain time. Added: this was from a physical using Qualcomm live. (edited)
Avatar
Good Morning, I have a Samsung A12 running Android 10 where I have a Full File System Extraction. Is there anywhere I can find out if the phone has been recently wiped / set up? Thanks in advance (edited)
Avatar
@LAmbrose how did you extract Full File System from A12? Currently I have one on my desk, it's based on MT6765 Helio P35 and there's no support for FFS from this device in 4PC and Oxygen. All I could do was logical, and APK downgrade 😦 (edited)
Avatar
Avatar
Angst
@LAmbrose how did you extract Full File System from A12? Currently I have one on my desk, it's based on MT6765 Helio P35 and there's no support for FFS from this device in 4PC and Oxygen. All I could do was logical, and APK downgrade 😦 (edited)
I used Trevor for this 🙂
Avatar
Joe Schmoe 8/9/2021 8:21 AM
Anyone know if Square credit card readers and app leave any useful info on android tablets? It looks like the app is just a shortcut to the website but I wanted to double check.
Avatar
Avatar
Joe Schmoe
Anyone know if Square credit card readers and app leave any useful info on android tablets? It looks like the app is just a shortcut to the website but I wanted to double check.
DeeFIR 🇦🇺 8/9/2021 11:40 PM
what kind of useful information? Given the nature of the app and the requirements of PCI DSS, I doubt they'd store anything remotely related to PII or similar on the device itself
Avatar
BritishBulldog 8/9/2021 11:52 PM
@Magnet Forensics KnowledgeC Activity Level (iPhones) - Activity Type appears to be between 0 and 8
11:52 PM
Does this mean the activity level is recorded on a scale of 1 to 10?
11:52 PM
0 being no activity whatsoever
11:52 PM
and 10 being heavily used?
Avatar
Avatar
DeeFIR 🇦🇺
what kind of useful information? Given the nature of the app and the requirements of PCI DSS, I doubt they'd store anything remotely related to PII or similar on the device itself
Right now I’m looking for anything. Transactions would be great but I’ll take user information.
Avatar
BritishBulldog 8/10/2021 6:53 AM
@Cellebrite I'm currently viewing Skype conversation that has 600 participants and 80k+ messages in it - is there a trick to be able to see ONLY the user's messages? To see if he has participated in the conversation at all?
Avatar
Avatar
BritishBulldog
@Cellebrite I'm currently viewing Skype conversation that has 600 participants and 80k+ messages in it - is there a trick to be able to see ONLY the user's messages? To see if he has participated in the conversation at all?
I would try to go into the DB and look that way. Should be a simple query to do
👍 1
8:36 AM
Can even leverage sql wiz
Avatar
Avatar
BritishBulldog
@Cellebrite I'm currently viewing Skype conversation that has 600 participants and 80k+ messages in it - is there a trick to be able to see ONLY the user's messages? To see if he has participated in the conversation at all?
mg_cellebrite 8/10/2021 1:23 PM
Double click the chat, switch from bubble view to table view, then filter by direction (only outgoing; sent messages will be initiated by the user), or filter by sender name
🙌 1
Avatar
BritishBulldog 8/10/2021 11:46 PM
Thanks guys!
Avatar
@MSAB Is there a way to print/export the spidergram from connections view in XAMN?
Avatar
@CCC The best that can currently be done is to check the box to Include active view when doing a PDF export to the Standard template which will include a screenshot of the currently selected view in XAMN which can be the connections view.
Avatar
Avatar
Erumaro
@CCC The best that can currently be done is to check the box to Include active view when doing a PDF export to the Standard template which will include a screenshot of the currently selected view in XAMN which can be the connections view.
Do you do feature requests? 😄
Avatar
@CCC We do, and I just checked and this has already been requested from other users 🙂 (edited)
Avatar
Thanks x 2. I would say it is a 100% standout feature for XAMN
3:20 AM
I don't even especially want the content of the connection, just the connections existing at all with number of occurrences.
Avatar
@CCC - You can also use the XAMN inbuilt screen capture to save it out as a file once you've dragged the specific area required 👍 XRY (edited)
👍 3
Avatar
forensicator 8/11/2021 11:21 AM
We are seeing a lot of requests for creating a “watchlist” for emojis that are being sent between users. Other than hashing the emojis and running the hash list against the extractions, are there any other methods? (edited)
Avatar
Anyone had any luck decoding the MMS database you get from the Alcatel 4052r running KaiOS?
Avatar
Anyone know of a tool that will parse Snapchat messages and images into threads?
Avatar
Hi everyone, having these files available: locksettings.db, password.key and device_policies.xml, is there no way to get the unlock password? (Android 5.1.1)
Avatar
Avatar
manuelevlr
Hi everyone, having these files available: locksettings.db, password.key and device_policies.xml, is there no way to get the unlock password? (Android 5.1.1)
You could brute force the code or just rename the .key file if you want to remove the screen lock if you have escalated privileges
4:39 AM
There is a write up I did from a few years ago. Should be pinned to the resources #
Avatar
Avatar
manuelevlr
Hi everyone, having these files available: locksettings.db, password.key and device_policies.xml, is there no way to get the unlock password? (Android 5.1.1)
📱 Andriller - is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. - GitHub - den4uk...
Avatar
Hi all, Does anyone know how to change the location Oxygen uses to export its files when using KeyScout? At the moment I'm defaulting to Documents :/
Avatar
Avatar
Jam1e480
Anyone had any luck decoding the MMS database you get from the Alcatel 4052r running KaiOS?
NibblesNBits 8/12/2021 7:54 AM
I can only think of one program that has worked well with KaiOS, which is Final Mobile. Any idea of the KaiOS version? I may have notes on how it was stored somewhere.
Avatar
Avatar
NibblesNBits
I can only think of one program that has worked well with KaiOS, which is Final Mobile. Any idea of the KaiOS version? I may have notes on how it was stored somewhere.
It’s kaios 2.5.2
Avatar
Avatar
RP
Anyone know of a tool that will parse Snapchat messages and images into threads?
PA or AXIOM should do the trick? Or are you looking for an open-source program?
Avatar
Avatar
Jam1e480
It’s kaios 2.5.2
NibblesNBits 8/12/2021 8:34 AM
Sorry, my notes only reference the SMS I had, not MMS. I did use this as a reference, maybe it can help; not sure how MMS are stored. I decoded several messages before someone suggested Final Mobile, which basically verified what I started https://mobileforensics.files.wordpress.com/2007/06/understanding_sms.pdf
👍 1
Avatar
Avatar
RP
Anyone know of a tool that will parse Snapchat messages and images into threads?
If it's a search warrant return from Snapchat, PA should parse it.
Avatar
Avatar
Rom
Hi all, Does anyone know how to change the location Oxygen uses to export its files when using KeyScout? At the moment I'm defaulting to Documents :/
It will store its temp file in the same directory as the .exe. Therefore, I always run it off a USB. As for the export ("Save"), it should prompt you and ask where you want to export it to.
Avatar
@callzor used PA and AXIOM, doesn't pull the media into the chat thread, just an empty message with no content.
9:49 AM
@FullTang It's an Android physical
Avatar
@RP there may not be any media files. Can you see them in the phone?
Avatar
The media is present on the device, as I can see it within the com.snapchat.android folders under com.snapchat.android\files\file_manager\Media and com.snapchat.android files\file_manager\Snap following a manual examination the content is also present on the device.
9:55 AM
The GUID of the image name within com.snapchat.android\files\file_manager\Media can be found in the core.db for a network request for the thumbnail creation, but I cannot seem to decode the Snap folder locations manually using the same method. I am a bit dumbfounded as to why these commercial tools are not able to parse the information out if it is there present on the device and extraction...
9:55 AM
@callzor a bit of an annoying one really
Avatar
@poxglass Thanks, I'll try running it from a USB tomorrow. 🙂
Avatar
i was wondering if there's a way to identify photos taken on the camera vs downloaded during an initial triage of an iphone in order to help identify 1st generation images?
Avatar
I found over 1000 of .memo files in the extraction of a Samsung Galaxy S7. They are located in a folder called /ShareMemo/ in the USERDATA partition. They contain owner created content just like memo/notes. UFED PA doesn't seem to analyze these files. Does anybody know from which app or process these files originate from?
Avatar
kroesus_kai 8/13/2021 2:40 AM
Hi there, I've got a Samsung Galaxy S9 (SM-G960F/FS) here secured with an unknown pattern lock. I was able to gain a FFS and physical dump (decrypted bootloader) via UFED Touch. Facing some inconsistency after decoding in PA I was now interested in unlocking the device and checking some content manually. Deactivating the user locksettings using UFED Touch failed due to Android version 10 (error message). In the decoded filesystem I can find a locksettings.db in the path \data\system, but no gesture.key or password.key as expected. Does anybody know a method to overcome, compute, bruteforce or set back the pattern lock? Thanks in advance, Kai.
Avatar
Avatar
kroesus_kai
Hi there, I've got a Samsung Galaxy S9 (SM-G960F/FS) here secured with an unknown pattern lock. I was able to gain a FFS and physical dump (decrypted bootloader) via UFED Touch. Facing some inconsistency after decoding in PA I was now interested in unlocking the device and checking some content manually. Deactivating the user locksettings using UFED Touch failed due to Android version 10 (error message). In the decoded filesystem I can find a locksettings.db in the path \data\system, but no gesture.key or password.key as expected. Does anybody know a method to overcome, compute, bruteforce or set back the pattern lock? Thanks in advance, Kai.
S9 uses spblob files on more recent Android versions (like devices with FBE), hence no .key files in /data/system. I read that XRY can bruteforce this passcode, but I'm not 100% sure and haven't tried it myself (edited)
Avatar
@Arcain We can brute force the secure startup code, if enabled, but not the security code at this time, I'm afraid. Brute forcing the code only works on the FBE devices currently.
Avatar
Avatar
kroesus_kai
Hi there, I've got a Samsung Galaxy S9 (SM-G960F/FS) here secured with an unknown pattern lock. I was able to gain a FFS and physical dump (decrypted bootloader) via UFED Touch. Facing some inconsistency after decoding in PA I was now interested in unlocking the device and checking some content manually. Deactivating the user locksettings using UFED Touch failed due to Android version 10 (error message). In the decoded filesystem I can find a locksettings.db in the path \data\system, but no gesture.key or password.key as expected. Does anybody know a method to overcome, compute, bruteforce or set back the pattern lock? Thanks in advance, Kai.
Do you mean you got a FFS AND a physical dump? "I was able to gain a FFS an physical dump (decrypted bootloader) via UFED Touch." If you got a full physical and are doubting PA's decoding, why not just dump that physical extraction into another tool like XRY?
Avatar
Avatar
Erumaro
@Arcain We can brute force the secure startup code, if enabled, but not the security code at this time, I'm afraid. Brute forcing the code only works on the FBE devices currently.
Thanks for clarification 🙂
Avatar
I often open physical cellebrite dumps using X-Ways as a way to verify results.
Avatar
kroesus_kai 8/13/2021 3:05 AM
This was an AND, yes.
Avatar
Avatar
AmNe5iA
Do you mean you got a FFS AND a physical dump? "I was able to gain a FFS an physical dump (decrypted bootloader) via UFED Touch." If you got a full physical and our doubting PA's decoding, why not just dump that physical extraction into another tool like XRY?
kroesus_kai 8/13/2021 3:20 AM
Unfortunately we have no XRY license. I will decode it with AXIOM additionally and compare the results. My doubts result from the fact that PA shows various installed messenger apps (among others WhatsApp, Snapchat, Wickr, FB Messenger) in the section "Installed Apps", but surprisingly content from none of them has been decoded into the section "Messages/Chats". The purpose was to verify this behaviour (empty messengers) manually on the device.
Avatar
kroesus_kai 8/13/2021 4:46 AM
@Erumaro @Arcain thanks for your replies.
Avatar
Avatar
RP
The media is present on the device, as I can see it within the com.snapchat.android folders under com.snapchat.android\files\file_manager\Media and com.snapchat.android files\file_manager\Snap following a manual examination the content is also present on the device.
Working on a Python script that's right now in an experimental phase; for now I can give you some pointers on how it works on iOS
5:31 AM
For every message in arroyo that is not "content type 1" there is sometimes a 21 char long key that links to a contentmanager.db. Don't know how it works on Android yet, but I'm guessing it's something similar
5:32 AM
The messages in the arroyo blob can be decoded with protoc.exe using the raw flag; it can be found at Google's GitHub
Avatar
Avatar
OggE
For every message in arroyo that is not "content type 1" there is sometimes a 21 char long key that links to a contentmanager.db. Don't know how it works on Android yet, but I'm guessing it's something similar
Can I please have a copy of that script when done? (edited)
Avatar
Avatar
CCC
Can I please have a copy of that script when done? (edited)
Will post on github unless bossman says no :D. Still finding bugs and stuff
Avatar
Hi people. A quick question. Do you know how to create a wordlist from an XRY extraction? To bruteforce an encrypted disc (edited)
Avatar
Avatar
MrNonoss
Hi people. A quick question. Do you know how to create a wordlist from an XRY extraction? To bruteforce an encrypted disc (edited)
I know you can do it with UFED, but not sure about XRY, sorry. Strings can always work :P
Avatar
Strings on the XRY container won't be of use, but thanks for the UFED tip 😀
Avatar
@MrNonoss Try this within XAMN 👍
👍 2
Avatar
Avatar
Firmsky
@MrNonoss Try this within XAMN 👍
Ahhhh exactly what i was looking for. Thank you 👍👍👍
👍 1
Avatar
What's the checkbox to include a copy of the noted image in reporting, when exporting a location data report in PA?
Avatar
Good morning, anyone from @MSAB available for a question regarding XAMN?
Avatar
@danielj91 Absolutely! 🙂 Shoot!
XRY 1
Avatar
https://www.forensafe.com/blogs/signal.html To use this software we need FFS and the iOS Keychain/Android Keystore. How can we get the Android keystore?
Avatar
Avatar
rico
https://www.forensafe.com/blogs/signal.html To use this software we need FFS and the iOS Keychain/Android Keystore. How can we get the Android keystore?
Collecting memory from Samsung devices to decrypt Samsung Health DB’s can uncover critical data for investigators Samsung Health is a wellness application that helps users track their physical activities. As one might expect, the application stores a lot of interesting location data that interests the forensics community and specifically law enf...
👍 1
1:44 AM
So I have a BFU extraction from an iPhone 7, made in May 2018. I need to determine user activity on the phone regarding a fatal accident. I'm still not able to get a FFS. Every help is appreciated on where to find some user activity logs in a BFU extraction. Thanks! (edited)
Arcain pinned a message to this channel. 8/16/2021 1:55 AM
Avatar
BritishBulldog 8/16/2021 3:04 AM
Got a question from counsel asking if the two entries here are a conference call:
3:04 AM
Handset is an iPhone and the calls are standard/native calls
Avatar
BritishBulldog 8/16/2021 5:25 AM
Does anyone agree that a group call took place? (forgot to hit send!) (edited)
Avatar
Looks like you have deleted records that report an outgoing call to that number on the 5/12
5:27 AM
Looks like there was multiple users so I'd say a group call
Avatar
I would personally grab a test iphone and try it so I could say in court I had done it and whether it worked or not. I Would do it now, but don't have one to hand.
Avatar
Hi! I dumped a locked Xiaomi Redmi Mi A2 Lite (M1805D1SG) Qualcomm MSM8953 with Oxygen but no keys were extracted (talked to them and there is a general problem with this specific model). Has anyone come across the same problem?
Avatar
Samsung Galaxy S9... Verizon backup files named 000001_sms_backup... Is there any tool to analyze/decode these? Apparently they are not decoded automatically in PA (edited)
FabianoQ started a thread. 8/16/2021 12:56 PM
Avatar
Avatar
Lpx
Hi! I dumped a locked Xiaomi Redmi Mi A2 Lite (M1805D1SG) Qualcomm MSM8953 with Oxygen but no keys were extracted (talked to them and there is a general problem with this specific model). Has anyone come across the same problem?
Use PC3000 Mobile for decryption on the fly… Oxygen will not allow you to extract keys from it
Avatar
Avatar
florus
So I have a BFU extraction from an iPhone 7, made in May 2018. I need to determine user activity on the phone regarding a fatal accident. I'm still not able to get a FFS. Every help is appreciated on where to find some user activity logs in a BFU extraction. Thanks! (edited)
burgers_N_bytes 8/16/2021 6:44 PM
I believe you're going to be hard pressed to find user activity logs in your BFU extraction. From a timeline perspective, is there anything happening on the phone around the time of impact?
Avatar
Does anyone have feedback on running Cellebrite reader on a virtual environment like Vmware (Horizon) ?
Avatar
Avatar
Bolo
Use PC3000 Mobile for decryption on the fly… Oxygen will not allow you to extract keys from it
We just have PC3000 Flash... Have you heard of any other solution?
Avatar
Avatar
Lpx
We just have PC3000 Flash... Have you heard of any other solution?
Sorry - no
Avatar
thanks anyway
Avatar
DeepDiveForensics 8/17/2021 3:36 AM
Hello, I have extracted a feature phone (Samsung SM-B313E) using UFED but it is not parsed by PA. Is there any open-source tool to parse that bin file?
Avatar
Hi all! I have a physical image of a Samsung Galaxy S8. The image contains an encrypted signal.db. I tried reproducing the steps on how to decrypt it using this blog post: https://rado0z.github.io/Decrypt_Android_Database . The blog post states that the key is found inside the file /data/keystore/user_0/{}_USRSKEY_SignalSecret, but I can't manage to find this file. I found a similar file named '{}_USRPKEY_SignalSecret' (usrPkey, not usrSkey). Has anyone got an idea if Signal has moved / renamed this file? The Signal version I'm working on is 5.17.3 . Thanks!
Avatar
Avatar
pexi86
Hi all! I have a physical image of a Samsung Galaxy S8. The image contains an encrypted signal.db. I tried reproducing the steps on how to decrypt it using this blog post: https://rado0z.github.io/Decrypt_Android_Database . The blog post states that the key is found inside the file /data/keystore/user_0/{}_USRSKEY_SignalSecret, but I can't manage to find this file. I found a similar file named '{}_USRPKEY_SignalSecret' (usrPkey, not usrSkey). Has anyone got an idea if Signal has moved / renamed this file? The Signal version I'm working on is 5.17.3 . Thanks!
Avatar
ah ty, didn't notice the embedded messages 🙂
Avatar
@pexi86 with the help of different users on Discord I learned you must have a RAM dump to get the key directly. But it's not reliable and only for Samsung (edited)
Avatar
Avatar
rico
@pexi86 with the help of different users on Discord I learned you must have a RAM dump to get the key directly. But it's not reliable and only for Samsung (edited)
I see... Have to check if I’m able to produce a RAM dump first thing tomorrow 👍
🙏 1
Avatar
For Cellebrite PA, under the User Dictionary category, we have a few relevant keywords and I notice it's from the Swift keyboard. There is a column named 'Frequency'; I suppose this is the number of times the user selected the word?
Avatar
Hi, Did a Kirin 710 extraction. Looking at the locations and got this information in some of the locations. Can somebody explain this please? @Erumaro @Firmsky
Avatar
@Izzy The embedded locations mean that XRY has detected a longitude and latitude in a database but not confirmed the validity or source of it. If you right click on it and select View in Source Mode it should let you know what database it's from. Feel free to DM me in case you need anything else!
XRY 2
Avatar
Has anyone done an LG L125DL flip phone with Cellebrite? I was able to do a generic Qualcomm decrypting physical on the device, but PA doesn't parse any of the data (I'm guessing since it is running AOSP?). Any thoughts on what chains I should try and load to read the data?
Avatar
Does anyone know if Browser state.db for Safari shows data synced from iCloud? Or is it all local data?
Avatar
I'll check but pretty sure there's a flag for that
Avatar
Avatar
brundon
Does anyone know if Browser state.db for Safari shows data synced from iCloud? Or is it all local data?
Browserstate is local and suspended tabs to that device. What you want is stored in the history.db, under origin where 1 = icloud, 0 = local
👍 3
Avatar
@Cellebrite Does anyone know what the 'Highlight information' means in Physical Analyser settings?
Avatar
@Cellebrite: A question about the evaluation of the healthdb ... The 998 steps - did they occur between 02:11 and 02:21 or between 02:21 and 02:31? I cannot work out which steps occurred in which time window. Thanks!
Avatar
Does someone know what action that creates "device_based_login.growth" in the database on an iPhone 7 plus? (Source: keychain.plist)
Avatar
@Ment0r I think 2:21 is the beginning for the 998 steps, but someone from @Cellebrite can confirm. You can also parse this db to confirm manually (edited)
Avatar
Avatar
florus
@Cellebrite Does anyone know what the 'Highlight information' means in Physical Analyser settings?
CLB-drorimon 8/20/2021 9:42 AM
Linkage to the bytes offset the artefacts were created from.
Avatar
Avatar
Ment0r
@Cellebrite: A question about the evaluation of the healthdb ... The 998 steps - did they occur between 02:11 and 02:21 or between 02:21 and 02:31? I cannot work out which steps occurred in which time window. Thanks!
mg_cellebrite 8/20/2021 12:03 PM
The time you see (2:21) is the start time.
Avatar
Many thanks!
Avatar
Avatar
brundon
Does anyone know if Browser state.db for Safari shows data synced from iCloud? Or is it all local data?
In cloudtabs.db -> table cloud_tabs -> column system_fields -> value device_uuid (related to table cloud_tab_devices) will give you an overview of open browser tabs on every attached device in sync. (edited)
👍 1
Avatar
Does anyone know if callhistory.storedata or callhistorytemp.storedata shows data synced from iCloud?
Avatar
Hi all! What is your take on video files found at /storage/emulated/0/Snapchat? I get it that the path is a virtual link to another path, but what I really wonder is when do the files get written to this place? Is it done automatically? In that case, when? When you send a video to someone? When you receive a video from someone? Or do you manually have to "save" the video for it to be written to this path?
Avatar
@Magnet Forensics Good morning. Can someone explain why Axiom has taken more than 2 days to process a 24.43GB GrayKey extraction of an iPhone X? The workstation has an i9 and 128GB of RAM. It is processing over a 10 gigabit network connection. I have never had a phone dump take anywhere near this long. Any help and/or suggestions would be greatly appreciated.
Avatar
cScottVance 8/23/2021 5:20 AM
DM incoming!
Avatar
Hi All, I have a FFS extraction of an iPhone running iOS 14.6. I know the user deleted the sms/mms/iMessages/call logs. I don't really care about the content of the deleted messages but rather when it was deleted. Does anyone have any thoughts?
Avatar
Mistercatapulte 8/23/2021 11:39 PM
@matto92 hi, upp iOS 12 it's dead (on the device), maybe iCloud backup?
11:41 PM
for calls it's a little bit different: after 200-250 (I can't confirm the exact number) the device deletes calls by itself, first entry first deleted (edited)
Avatar
Avatar
betacygni
Hi all! What is your take on video files found at /storage/emulated/0/Snapchat? I get it that the path is a virtual link to another path, but what I really wonder is when do the files get written to this place? Is it done automatically? In that case, when? When you send a video to someone? When you receive a video from someone? Or do you manually have to "save" the video for it to be written to this path?
there are references to this folder / files in the "media_packages" database, don't know how to link it past that though
12:15 AM
wow ok, the "media_package" row had some very nice JSON data
Avatar
@Cellebrite I'm having issues starting PA 7.47.0.49. It's stuck on 54 percent. I uninstalled PA, reinstalled, turned the machine off and on.... does someone else have the same issue or an idea what's going on...? (edited)
Avatar
@Mistercatapulte Thank you. This is an agency phone, so no iCloud enabled. What I am really looking to figure out is the time that it was deleted
Avatar
Avatar
betacygni
Hi all! What is your take on video files found at /storage/emulated/0/Snapchat? I get it that the path is a virtual link to another path, but what I really wonder is when do the files get written to this place? Is it done automatically? In that case, when? When you send a video to someone? When you receive a video from someone? Or do you manually have to "save" the video for it to be written to this path?
I too would like to know. I only discovered a single chunk (.3 sec) of the video in my investigation. I was hoping to find out if it's possible to decipher Snapchat file paths to see if the file was incoming or outgoing at the least. (edited)
Avatar
Avatar
CLB-drorimon
Linkage to the bytes offset the artefacts were created from.
Does changing the path impact the function?
Avatar
Hi, quick question - not really a mobile forensics person - but am tinkering a bit with a possible setup for UFED Reader (latest version released, for what it's worth), and am a bit curious about a message that keeps popping up in the "trace window": Failed to get data for zip entry. Anyone else noticed this, and care to enlighten me? Using a test image, and wonder if it has to do with some prerequisite, e.g. WinZip missing? Files are .db, .mp4 ++. After posting & more googling I stumbled upon this: https://www.forensicfocus.com/forums/mobile-forensics/cellebrite-reader-trace-window-error/ - makes me suspect "it's not just me" (edited)
Avatar
Avatar
mr.rookay
Does anyone know if callhistory.storedata or callhistorytemp.storedata shows data synced from iCloud?
CLB_iwhiffin 8/25/2021 5:31 PM
I believe that it’s just history for FaceTime/FaceTime audio calls that gets synced. But it may just be my test setup that makes it look that way.
Avatar
Avatar
Neptun5000
Hi, quick question - not really a mobile forensics person - but am tinkering a bit with a possible setup for UFED Reader (latest version released, for what it's worth), and am a bit curious about a message that keeps popping up in the "trace window": Failed to get data for zip entry. Anyone else noticed this, and care to enlighten me? Using a test image, and wonder if it has to do with some prerequisite, e.g. WinZip missing? Files are .db, .mp4 ++. After posting & more googling I stumbled upon this: https://www.forensicfocus.com/forums/mobile-forensics/cellebrite-reader-trace-window-error/ - makes me suspect "it's not just me" (edited)
CLB_iwhiffin 8/25/2021 5:34 PM
I think it’s just some of the metadata that is failing. I have seen this error in PA but it never caused me any issues so never looked deeply into it. I’ll see what I can find out though.
Avatar
Avatar
CLB_iwhiffin
I think it’s just some of the metadata that is failing. I have seen this error in PA but it never caused me any issues so never looked deeply into it. I’ll see what I can find out though.
Ok, great - FYI the same message appeared from a different .ufdr also - so it m i g h t be something that is a release-related issue?
Avatar
Hi All - I am trying to load a pas file into PA, on top of my ufedx file. It keeps telling me that the file can't load. Is this a PA glitch or is the file somehow corrupted? I found an older pas file from 20 minutes prior in the same parent folder that also failed to load..... has anyone had an issue like this? PA is also not allowing me to bulk tag items; it tags the first item highlighted and leaves the rest.....
Avatar
Anyone familiar with the difference inside the mmssms.db between table sms and table sms restricted?
Avatar
Looking for a cashapp parsing tool for iOS app
Avatar
So I have a Samsung Galaxy Note 8 (SM-N950U) that's been wiped. I've been trying to determine if there are any artifacts that can tell me when it was wiped. I've been using this blog as kind of a guide (https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/) and I think I found one, but I'm not sure how to interpret it compared to theirs... it's the "eRR.p" file but this one is "RR.p" and it doesn't appear as verbose in hex... There is a timestamp that LOOKS like it would be the time/date it was wiped (it makes sense) but the only thing it says after that is "|RP|"... the other stamps are all before it and say "|NP|"... does anyone know if this would indicate the time it was wiped, what it actually means, or if I'm even in the right area? Located the file at "data/system/users/service/data"
Avatar
CLB_joshhickman1 8/26/2021 2:36 PM
@Moses1617 what does the file look like in plain text?
2:37 PM
And what type of extraction do you have?
Avatar
Full File System, and it has "LOGM" at the top and just lists about 7-8 Date/Times with "|RP|" for the latest one and "|NP|" for all others
Avatar
CLB_joshhickman1 8/26/2021 2:42 PM
Look for the earliest date, chronologically, in that file. You should also have a ‘history’ file in /efs/recovery that you can also check against that date.
2:42 PM
The nice thing about Samsung is that there are several spots that you can go to to check.
Avatar
Morning all, I have an iPad 4th gen and am trying to see app usage and determine when the victim (deceased) last used the phone. The app usage in UFED has dates and times but no identifier as to what app. Looking in the KnowledgeC DB shows the same. Any help would be great
Avatar
Avatar
CLB_iwhiffin
I believe that it’s just history for FaceTime/FaceTime audio calls that gets synced. But it may just be my test setup that makes it look that way.
Well I have this case where 2 iPhones attached to the same Apple ID, with 'Allow Calls on Other Devices' enabled, synced their call history. It raised some questions. I've other data (e.g. knowledgeC.db) to which I can relate the activities, but can't find an artifact that shows if the call history was locally created or synced via iCloud/CloudKit.
Arcain pinned a message to this channel. 8/27/2021 1:48 AM
Avatar
Has anyone had Griffeye not show the thumbnails but still have the image- I haven’t hidden thumbnails or anything!
Avatar
Avatar
mr.rookay
Well I have this case where 2 iPhones attached to the same Apple ID, with 'Allow Calls on Other Devices' enabled, synced their call history. It raised some questions. I've other data (e.g. knowledgeC.db) to which I can relate the activities, but can't find an artifact that shows if the call history was locally created or synced via iCloud/CloudKit.
CLB_iwhiffin 8/27/2021 7:08 AM
I’ll take a look shortly and let you know if I find anything 🤔
Avatar
Has anyone had an issue with Cellebrite showing errors reading from zip when opening a UFDR report?
Avatar
I have two phones. One is a Google Pixel 2 (FFS extraction), the second an Apple iPhone (FFS extraction). I have SMS messages on the Apple, but do not see a matching set of messages on the Google Pixel. When I examine the mmssms.db I can't find the message in the database either. Is this common with Google Pixel devices, that deleted messages are not available?
12:57 PM
Basically can see the conversation on the Apple but don't see the conversation on the Google.
12:57 PM
It is important I determine if the Google device messages were deleted.
Avatar
I guess my question is has anyone recovered a deleted SMS from a Google Pixel 2? I don't see anything deleted in the .db but when I try to recover deleted records I get the following type of items
Avatar
Avatar
King Pepsi
Has anyone had Griffeye not show the thumbnails but still have the image- I haven’t hidden thumbnails or anything!
Make sure you don't have two instances of the same case open in Griffeye. Also make sure it's correctly pointing to wherever your carved images are. Failing that, force to reprocess it.
Avatar
Avatar
Ghosted
Anyone familiar with the difference inside the mmssms.db between table sms and table sms restricted?
I know I'm a few days late to this one, but sms_restricted isn't actually a table but a "view". A view is essentially a canned statement embedded into the database. In my example mmssms.db I have the view with the following statement: "CREATE VIEW sms_restricted AS SELECT * FROM sms WHERE type=1 OR type=2". The type in this instance is whether the SMS message has been sent or received, with 1=received and 2=sent.
Avatar
Avatar
Ghosted
It is important I determine if the Google device messages were deleted.
It might be worthwhile to perform a gap analysis on the sms table. https://dfir.pubpub.org/pub/33vkc2ul/release/1
Avatar
@Tyler_Leno great idea and I am definitely going to do this. Thanks
Avatar
Is there anyone from @Magnet Forensics ? I have a question about Wickrme
Avatar
Avatar
kawiarz
Is there anyone from @Magnet Forensics ? I have a question about Wickrme
forensicmike @Magnet 8/30/2021 7:25 AM
Hi, yes, please shoot me a DM
Avatar
In “com.apple.MobileBlueTooth.ledevices.other.db” I have a field called ”LastSeenTime”. This field contains values that are 5-7 digits long. Any idea what kind of timestamp this is? My working theory is that it’s seconds from a set value, like the time the device was booted. Any info on this would be appreciated!
12:23 AM
Avatar
being apple I would guess cocoa, but that makes it 2001 time period. I thought it would be in Unix though.
Avatar
Yeah. I’ve tried them both. The values should be in the time range of 2021-07-*.
Avatar
See your point, probably right. Would have to knock up a test device I suppose.
Avatar
@Magnet Forensics or someone else: So I'm looking at an extraction of an iPhone. KnowledgeC shows application focus at 17.24.58 com.apple.facetime. Then at 17.25.08 I have the com.apple.incallservice. Has this to do with FaceTime? I'm getting mixed results. Is this incallservice an actual FaceTime call in play or just a normal call coming in? (edited)
2:35 AM
2:36 AM
As an addition, I'm a bit confused about the usage and focus. At 172510 WhatsApp is in use. At 172511 incallservice is in use as well?! So the real question is, what does the com.apple.InCallService indicate? (edited)
Avatar
Avatar
florus
@Magnet Forensics or someone else: So I'm looking at an extraction of an iPhone. KnowledgeC shows application focus at 17.24.58 com.apple.facetime. Then at 17.25.08 I have the com.apple.incallservice. Has this to do with FaceTime? I'm getting mixed results. Is this incallservice an actual FaceTime call in play or just a normal call coming in? (edited)
This is InCallService, the user might have switched between a "normal" call and Facetime (edited)
5:01 AM
If someone could explain the exact difference between Application Usage and Application Focus that might help explain it as well 🙂
Avatar
More iOS specific questions ☺️ Healthdb_secure.sqlite —> "samples" table has the column "data_type". Does anyone have an up-to-date list of known values? I'm looking for info on values 173, 182-188. My google-fu has failed me in getting info on the mentioned values 🥶
Avatar
Hi, is there any way to check if a WhatsApp message has been delivered to the receiver? There is this "status" column in the WA Android message.db but I do not find anything similar in the iOS WA ChatStorage.sqlite
Avatar
Avatar
meganj7321
Hi All - I am trying to load a pas file into PA, on top of my ufedx file. It keeps telling me that the file can't load. Is this a PA glitch or is the file somehow corrupted? I found an older pas file from 20 minutes prior in the same parent folder that also failed to load..... has anyone had an issue like this? PA is also not allowing me to bulk tag items; it tags the first item highlighted and leaves the rest.....
I have seen corrupted pas files where the corruption happened on unexpected USB drive removal. Most of the time, the file ending is missing, so you can compare the ending lines of the failing file with a text editor (or hex editor).
6:08 AM
*compare to a good file
Avatar
Avatar
Oscar
This is InCallService, the user might have switched between a "normal" call and Facetime (edited)
Hi @Oscar, thanks for your reply. This then means I must see an outgoing or incoming call somewhere, right? In my case, I'm not seeing any outgoing or incoming calls, but I do see several InCallService registries in knowledgeC....
Avatar
Avatar
Oscar
If someone could explain the exact difference between Application Usage and Application Focus that might help explain it as well 🙂
In focus is when it's on screen.
Avatar
Avatar
CCC
In focus is when it's on screen.
Okay, does Application Usage include background usage, or what is the difference between the two?
Avatar
You can only really have one app in focus at once (edited)
Avatar
Avatar
florus
Hi @Oscar, thanks for your reply. This then means I must see an outgoing or incoming call somewhere, right? In my case, I'm not seeing any outgoing or incoming calls, but I do see several InCallService registries in knowledgeC....
You should see log entries for incoming/outgoing calls somewhere even if they are deleted. I can't remember if it is in knowledgeC or someplace else; I know PA parses it at least
Avatar
I've always searched for the "avoidkey" text to find my key to decrypt Snapchat memories. I'm met with a lot of options and they all have different keys. Any recommendations on how to find the correct one? There are also two entries for the "keyservice.persistedkey" for Snapchat My Eyes Only. (edited)
Avatar
Deleted User 8/31/2021 11:00 AM
An extraction was done on an iPhone and in the logs, while the device was in airplane mode, the Apple ID Lookup Service ran to check if a number was attached to iMessage...would that be something that happens automatically? Could it occur due to the extraction being run? It's being alleged that it was manually run, which I know was not the case
Avatar
Avatar
Oscar
Okay, does Application Usage include background usage, or what is the difference between the two?
Can @Magnet Forensics @Oxygen Forensics @Cellebrite @MSAB @Belkasoft shine their light on this? I could fire up a test device, but if it's investigated already since it's parsed... (edited)
Avatar
Avatar
Deleted User
An extraction was done on an iPhone and in the logs, while the device was in airplane mode, the Apple ID Lookup Service ran to check if a number was attached to iMessage...would that be something that happens automatically? Could it occur due to the extraction being run? It's being alleged that it was manually run, which I know was not the case
Can you provide some more information? What kind of time notation was shown? Did you check date and time settings? If the time is not noted in epoch but in date/time notation, you're looking at the printed clock time (which is the current date/time on the device).
Avatar
Deleted User 8/31/2021 12:45 PM
@mr.rookay Unfortunately I don't have the extraction, was just sent an email with a date/time many months after the device was seized
Avatar
Avatar
.karate.
More iOS specific questions ☺️ Healthdb_secure.sqlite —> "samples" table has the column "data_type". Does anyone have an up-to-date list of known values? I'm looking for info on values 173, 182-188. My google-fu has failed me in getting info on the mentioned values 🥶
CLB_iwhiffin 8/31/2021 2:08 PM
I don't have all the answers (yet) but... 173 = Headphone Audio Levels 182 = Double Support Time 183 = Six Minute Walk 184 = ??? 185 = ??? 186 = Stand Minutes 187 = Walking Speed 188 = Step Length (edited)
🙏 1
👏 1
Avatar
Avatar
florus
Can @Magnet Forensics @Oxygen Forensics @Cellebrite @MSAB @Belkasoft shine their light on this? I could fire up a test device, but if it's investigated already since it's parsed... (edited)
CLB_iwhiffin 8/31/2021 2:41 PM
Application Usage will include some background items. If Airplay is being used from device to TV for example or Fetches from messaging services such as Telegram etc. (Notifications wouldn't count as Focus as the notification is part of iOS not the app). Application Focus is when the app is visible to the user.
👍 1
Avatar
Avatar
mr.rookay
Can you provide some more information? What kind of time notation was shown? Did you check date and time settings? If the time is not noted in epoch but in date/time notation, you're looking at the printed clock time (which is the current date/time on the device).
CLB_iwhiffin 8/31/2021 2:56 PM
I put my test phone into airplane mode and killed wifi etc. and tried to send a message to a made up number. Number turned green as normal. Madrid still ran. So I'm a little confused/concerned why your device ran it at the time it did (Assuming the extractor wasn't doing anything to cause it), but not because it was in airplane mode. If that makes sense
Avatar
theapprentice0714 8/31/2021 5:39 PM
Hi everyone, does someone know where a Keybase chat database is located on iOS, and how to parse it? I tried with Axiom without success. I know the app was installed and functional on the iPhone. I have a full backup of the device, but not the iPhone; it was erased and given back to the owner…. that's a bummer ☹️ any help would help ✌️ (edited)
Avatar
Avatar
CLB_iwhiffin
I don't have all the answers (yet) but... 173 = Headphone Audio Levels 182 = Double Support Time 183 = Six Minute Walk 184 = ??? 185 = ??? 186 = Stand Minutes 187 = Walking Speed 188 = Step Length (edited)
Much appreciated. Thanks for info 🙏
Avatar
Avatar
Deleted User
An extraction was done on an iPhone and in the logs, while the device was in airplane mode, the Apple ID Lookup Service ran to check if a number was attached to iMessage...would that be something that happens automatically? Could it occur due to the extraction being run? It's being alleged that it was manually run, which I know was not the case
It does it automatically from time to time as far as I can tell
11:21 PM
Wonder if it repeats when previously unsuccessful
Avatar
Avatar
CLB_iwhiffin
I don't have all the answers (yet) but... 173 = Headphone Audio Levels 182 = Double Support Time 183 = Six Minute Walk 184 = ??? 185 = ??? 186 = Stand Minutes 187 = Walking Speed 188 = Step Length (edited)
3 = Weight 5 = Heart Rate 7 = Steps 8 = Distance (M) 9 = Resting Energy 10 = Active Energy 12 = Flights Climbed 20-40 = Nutrition 67 = Weekly Calorie Goal 70 = Watch on 75 = Stand still 76 = Activity 79 = Workout 83 = Some Workouts 173 = Headphone Audio Levels 182 = Double Support Time 183 = Six Minute Walk 184 = ??? 185 = ??? 186 = Stand Minutes 187 = Walking Speed 188 = Step Length
🙏 3
😍 1
👏 1
11:24 PM
Are there any more I don't know about?
Avatar
Avatar
florus
Can @Magnet Forensics @Oxygen Forensics @Cellebrite @MSAB @Belkasoft shine their light on this? I could fire up a test device, but if it's investigated already since it's parsed... (edited)
Oxygen Forensics 9/1/2021 1:48 AM
In our Timeline tab, in User Activity section, both background and focused use is reported. Sometimes it is pretty easy to distinguish as something with such short usage duration is most likely a background process. But otherwise it is up to the investigator's knowledge and experience to tell them apart. (edited)
Avatar
Avatar
CCC
Are there any more I don't know about?
3:15 AM
Maybe @v_katalov can provide some more data types
Avatar
Avatar
Keepo
Maybe @v_katalov can provide some more data types
I will check with developers and get back to you!
Avatar
Sounds good. I'm having a dig around a recent backup I made, hopefully I can come up with something useful PES_Happy
Avatar
Avatar
CCC
3 = Weight 5 = Heart Rate 7 = Steps 8 = Distance (M) 9 = Resting Energy 10 = Active Energy 12 = Flights Climbed 20-40 = Nutrition 67 = Weekly Calorie Goal 70 = Watch on 75 = Stand still 76 = Activity 79 = Workout 83 = Some Workouts 173 = Headphone Audio Levels 182 = Double Support Time 183 = Six Minute Walk 184 = ??? 185 = ??? 186 = Stand Minutes 187 = Walking Speed 188 = Step Length
CLB_iwhiffin 9/1/2021 6:07 AM
16 = Systolic Blood Pressure 17 = Diastolic Blood Pressure 63 = Sleep Hours 83 = I have this as Cycling? More research required maybe! 99 = Mindful Minutes 101 = Pushes ... There are just too many to list. Standby, I'll make it into a proper list...
👏 1
Avatar
Avatar
CLB_iwhiffin
16 = Systolic Blood Pressure 17 = Diastolic Blood Pressure 63 = Sleep Hours 83 = I have this as Cycling? More research required maybe! 99 = Mindful Minutes 101 = Pushes ... There are just too many to list. Standby, I'll make it into a proper list...
That would be awesome, thanks!
6:09 AM
Anyone else finding that the recent PA broke their SQL? It seems to interpret the database structure differently
Avatar
Avatar
CCC
Anyone else finding that the recent PA broke their SQL? It seems to interpret the database structure differently
CLB_iwhiffin 9/1/2021 6:14 AM
Can you give more details? Which version and what are the symptoms?
Avatar
Hang on, might be PEBCAK
Avatar
King Pepsi 9/1/2021 6:27 AM
Has anyone had experience with camerarolldomain\media\photodata\metadata\dcim\100apple
Avatar
Definitely PEBCAK.
😂 2
7:07 AM
Checks PA version, notes it down, goes to Wizard - Hoop Messenger for Android.. well, that's why it doesn't work on this iOS.
7:08 AM
Almost like they are different phones.
Avatar
@Cellebrite In PA, is there a "find similar" for media?
7:57 AM
I.e. if you have a particular image, you can find similar others based on the background etc?
Avatar
Avatar
Rob
@Cellebrite In PA, is there a "find similar" for media?
CLB_iwhiffin 9/1/2021 8:06 AM
Other than using the Media Classification and using the filters there. There is no "Find visually similar" like what you would find on Google Images.
Avatar
Avatar
CLB_iwhiffin
Other than using the Media Classification and using the filters there. There is no "Find visually similar" like what you would find on Google Images.
Thanks, assumed so but thought I'd double check. We've found the file we're looking for (found a copy in the trash and WhatsApp sent)
Avatar
Does anyone know much about the calculator vault app by anzenbokusucal ? I'm trying to see if I can get the pass code or recovery phrase from somewhere and would appreciate any pointers. The officers want to ensure we have all the data and want to look inside the vault app.
Avatar
Deleted User 9/1/2021 10:45 AM
@CCC thanks that was how I thought it worked
Avatar
Avatar
4N6Matt
Does anyone know much about the calculator vault app by anzenbokusucal ? I'm trying to see if I can get the pass code or recovery phrase from somewhere and would appreciate any pointers. The officers want to ensure we have all the data and want to look inside the vault app.
@Aero Aero might?
👌 1
👍 1
Avatar
Avatar
Rob
Thanks, assumed so but thought I'd double check. We've found the file we're looking for (found a copy in the trash and WhatsApp sent)
ScottKjr3347 9/1/2021 1:16 PM
That's a function in Pathfinder.
Avatar
Avatar
ScottKjr3347
That's a function in Pathfinder.
Interesting! We sadly don't have that but good to know!
Avatar
Avatar
CCC
Are there any more I don't know about?
CLB_iwhiffin 9/1/2021 6:14 PM
Posted at www.doubleblak.com/blog/health is the list I have at the moment with about 150 types defined. I’ll update it if I find more.
👏 6
Avatar
Avatar
CLB_iwhiffin
Posted at www.doubleblak.com/blog/health is the list I have at the moment with about 150 types defined. I’ll update it if I find more.
Superstar! Although some of those categories... how is apple measuring mucus?!
😆 4
Avatar
Avatar
CCC
Superstar! Although some of those categories... how is apple measuring mucus?!
I think Apple does not. This is actually just the "container", and the data may come from various sources (not just iPhone and Apple Watch sensors), incl. 3rd party devices and apps. (edited)
Avatar
Avatar
4N6Matt
Does anyone know much about the calculator vault app by anzenbokusucal ? I'm trying to see if I can get the pass code or recovery phrase from somewhere and would appreciate any pointers. The officers want to ensure we have all the data and want to look inside the vault app.
Sorry for the late reply. On A/L at the moment! I'm back in the office next week so am happy to take a look. Never heard of this app though! Is it iOS or Android? Also, cheers for the tag @florus 👍 (edited)
Avatar
@King Pepsi It should contain a thumbnail with the metadata from the images that are stored in the Apple Photos app.
Avatar
Avatar
CCC
Superstar! Although some of those categories... how is apple measuring mucus?!
CLB_iwhiffin 9/2/2021 4:04 AM
There is also the option to add your own data points for anything not covered by phone/watch/device/app.
Avatar
Avatar
callzor
@King Pepsi It should contain a thumbnail with the metadata from the images that are stored in the Apple Photos app.
King Pepsi 9/2/2021 6:45 AM
ahh lovely, thanks!
Avatar
ok guys, got a good one for you. Phone was seized in an AFU state on the 12th, placed into a powered locker in the basement (no GPS signal possible) the same day. Warrant to search the phone executed on the 17th. Extracted and analyzed on the 18th. Phone had no SIM and was in Airplane mode. Google Maps still reporting some movement between the 12th and 18th; however, what's interesting is that these locations are places that the phone has been before, several tens of miles away. Do iPhones try to acquire signal by trying somewhere that they have been before and cause a log entry to be written?
8:56 AM
Looking for a reference that I can point a Detective to in order to explain the movement, "the guys on the internet told me" kinda doesn't fly in court.
Avatar
Does anyone know how the "sync_deleted_messages" table inside of an iOS sms.db gets populated or have any info on this table?
Avatar
Avatar
Chris
ok guys, got a good one for you. Phone was seized in an AFU state on the 12th, placed into a powered locker in the basement (no GPS signal possible) the same day. Warrant to search the phone executed on the 17th. Extracted and analyzed on the 18th. Phone had no SIM and was in Airplane mode. Google Maps still reporting some movement between the 12th and 18th; however, what's interesting is that these locations are places that the phone has been before, several tens of miles away. Do iPhones try to acquire signal by trying somewhere that they have been before and cause a log entry to be written?
Maybe these locations were reported by a different device, connected to the same Google account?
Avatar
Avatar
v_katalov
Maybe these locations were reported by a different device connected to the same Google account?
Thought about that, but there was no data connection at the time.
Avatar
@Chris iOS 15 beta? (edited)
Avatar
Avatar
florus
@Chris iOS 15 beta? (edited)
No, would have been Nov last year.
Avatar
When you say Google Maps, is that on the device we are talking about?
3:28 PM
I have noticed that Google Maps, when you bring it up, sometimes goes to the last place you searched, presumably just to show the pin animating as it zoops to the search you want.
Avatar
Has anyone had any experience with /data/com.instagram.android/file/analytics/? Specifically, I am trying to figure out what causes file creations in that location.
Avatar
Avatar
Chris
Ok guys, got a good one for you. Phone was seized in an AFU state on the 12th, placed into a powered locker in the basement (no GPS signal possible) the same day. Warrant to search the phone executed on the 17th. Extracted and analyzed on the 18th. Phone had no SIM and was in Airplane mode. Google Maps still reporting some movement between the 12th and 18th; however, what's interesting is that these locations are places that the phone has been before, several tens of miles away. Do iPhones try to acquire signal by trying somewhere that they have been before and cause a log entry to be written?
What is the location of the artifacts? ( database etc?)
Avatar
Avatar
Chris
Ok guys, got a good one for you. Phone was seized in an AFU state on the 12th, placed into a powered locker in the basement (no GPS signal possible) the same day. Warrant to search the phone executed on the 17th. Extracted and analyzed on the 18th. Phone had no SIM and was in Airplane mode. Google Maps still reporting some movement between the 12th and 18th; however, what's interesting is that these locations are places that the phone has been before, several tens of miles away. Do iPhones try to acquire signal by trying somewhere that they have been before and cause a log entry to be written?
Wanna note that when extracting a phone that is in AFU mode, speed is CRITICAL if you want a good extraction. Like sirens-and-lights-on critical.
Avatar
@Aero I'm looking at it on Android. I may have a solution. I will find out next week.
👍 1
Avatar
ProtonMail is a full PGP end-to-end encrypted email provider who is claiming privacy, anonymity and security. As forensic examiners, we…
Thanks to .@TheKateCain for testing the #DFIR iLEAPP Proton Mail for iOS Decryption artifact on Windows. It has been added to the main project repository at https://t.co/rXGW3P3vxL ☑️ Drop the keychain in the iLEAPP/scripts/keychain directory first. ☑️ Video demo coming soon!
👌 5
👍 1
Avatar
Avatar
Chris
Ok guys, got a good one for you. Phone was seized in an AFU state on the 12th, placed into a powered locker in the basement (no GPS signal possible) the same day. Warrant to search the phone executed on the 17th. Extracted and analyzed on the 18th. Phone had no SIM and was in Airplane mode. Google Maps still reporting some movement between the 12th and 18th; however, what's interesting is that these locations are places that the phone has been before, several tens of miles away. Do iPhones try to acquire signal by trying somewhere that they have been before and cause a log entry to be written?
Deleted User 9/5/2021 1:30 PM
They should send a probe request for any WiFi APs they have connected to before. But then the WiFi radio has to be on. I've noticed an iPhone with no SIM nor connection to WiFi come out of airplane mode and get picked up by Find My iPhone right away. Beyond me how it phoned home, but I wonder if this is something similar to your case.
Avatar
I have an iPhone with Snapchat on it, and when looking at the My Eyes Only images, the most recent ones are viewable whereas the older ones are not. Any reason for this?
Avatar
@Oxygen Forensics can someone drop me a message re Oxygen viewer not opening a .ofbx file
Avatar
Avatar
Dfdan
@Oxygen Forensics can someone drop me a message re Oxygen viewer not opening a .ofbx file
Oxygen Forensics 9/6/2021 2:18 AM
Hello, DM'd 🙂
Avatar
Avatar
Artea
I have an iPhone with Snapchat on it, and when looking at the My Eyes Only images, the most recent ones are viewable whereas the older ones are not. Any reason for this?
Snapchat stores both Memories and My Eyes Only on their servers and only keeps the latest/latest viewed locally, downloading them from the server when needed. If you try to scroll Memories while in airplane mode you will see that after a while the images and videos are not viewable. If you connect the phone to the internet you should be able to view the older memories. (edited)
Avatar
Avatar
Oscar
Snapchat stores both Memories and My Eyes Only on their servers and only keeps the latest/latest viewed locally, downloading them from the server when needed. If you try to scroll Memories while in airplane mode you will see that after a while the images and videos are not viewable. If you connect the phone to the internet you should be able to view the older memories. (edited)
Thanks for the reply. So if the handset was reconnected to the network, these would be available to view again.
Avatar
Avatar
Artea
Thanks for the reply. So if the handset was reconnected to the network, these would be available to view again.
Yes
👍 1
Avatar
DeepDiveForensics 9/6/2021 3:13 AM
Hello everyone. How do I find out the date & time of a reset of an Android device?
Avatar
Avatar
DeepDiveForensics
Hello everyone. How do I find out the date & time of a reset of an Android device?
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
👍 1
3:24 AM
Might be of some help
Arcain pinned a message to this channel. 9/6/2021 4:06 AM
Avatar
Avatar
4N6Matt
@Aero I'm looking at it on Android. I may have a solution. I will find out next week.
Do you know what app version it was?
Avatar
Hello, I'm looking for feedback about signal.db decryption with the https://rado0z.github.io/Decrypt_Android_Database methods. Many thanks.
Avatar
Avatar
Bobby
Hello, I'm looking for feedback about signal.db decryption with the https://rado0z.github.io/Decrypt_Android_Database methods. Many thanks.
The method used there by @radosec requires you to have access to the decrypted KeyStore; this is not usually extracted with any tool that I know. (Please correct me if I'm wrong here.) If the device is a Samsung phone you can use Cellebrite's guide to do a RAM dump and carve for the decryption key. https://www.cellebrite.com/en/decrypting-databases-using-ram-dump-health-data/
Collecting memory from Samsung devices to decrypt Samsung Health DB’s can uncover critical data for investigators Samsung Health is a wellness application that helps users track their physical activities. As one might expect, the application stores a lot of interesting location data that interests the forensics community and specifically law enf...
Avatar
Avatar
Oscar
The method used there by @radosec requires you to have access to the decrypted KeyStore; this is not usually extracted with any tool that I know. (Please correct me if I'm wrong here.) If the device is a Samsung phone you can use Cellebrite's guide to do a RAM dump and carve for the decryption key. https://www.cellebrite.com/en/decrypting-databases-using-ram-dump-health-data/
Keystore should be extracted with physical/full file system type extractions.
Avatar
Avatar
Arcain
Keystore should be extracted with physical/full file system type extractions.
With what tool? I've tried a UFED FFS extraction of a Samsung S10; the Keystore was extracted but I didn't have all the correct keys. According to https://discord.com/channels/427876741990711298/545232743353810946/872194895002075238 an FFS extraction is not enough.
Avatar
That's a different story. The Signal decryption method from that GitHub page assumes you have the proper key in /data/keystore/user_0/10044_USRSKEY_SignalSecret
7:41 AM
And in general, this location, /data/keystore, is extracted.
Avatar
Avatar
Arcain
And in general, this location, /data/keystore, is extracted.
Okay, yes, that is correct 🙂
Avatar
Does anyone know if there is a forensic artifact that will tell me if an iPhone (latest iOS) (full file system extraction) was unlocked via facial recognition? I know Sarah Edwards had a blog post about passcode and fingerprint biometrics, but I have been looking through the dump and have not found anything regarding facial recognition. Thanks
Avatar
@San4n6 Maybe a quick events check with iLEAPP?
Avatar
Thanks for the advice but that is a negative.
Avatar
the_johanna 9/7/2021 12:26 AM
Does anyone here have good sources (webpages, dissertations, or any source) for decoding Snapchat?
Avatar
@the_johanna This is a bit old but it's a good start. http://www.carpeindicium.com/blog/gone_10-seconds/
"Snaps" may be gone in 10 seconds, but that doesn't mean relevant forensic artifacts are not left behind. Examination of iOS and Android Snapchat artifacts.
😍 2
Arcain pinned a message to this channel. 9/7/2021 12:47 AM
Avatar
Morning all, I have a load of cached images from Discord, Twitter, Reddit, MEGA. Any way of determining if these were uploaded or just viewed via these apps etc.?
Avatar
Avatar
callzor
@the_johanna This is a bit old but it's a good start. http://www.carpeindicium.com/blog/gone_10-seconds/
the_johanna 9/7/2021 2:22 AM
Thanks!
Avatar
Avatar
matto92
Does anyone know how the "sync_deleted_messages" table inside of an iOS sms.db gets populated or have any info on this table?
A few days late but there's a trigger for that table in the DB. In my experience the sync_deleted_messages table is related to the Messages in iCloud feature being enabled.
Avatar
Avatar
Rob
@Cellebrite Getting a potential parsing error for Emails in PA 7.39.1.2, just hoping someone can clarify if all is fine or not.
Hey Rob, did you find out the cause of the reporting error for emails in PA?
Avatar
I think for this one the cause couldn't be identified
2:43 AM
Sadly, I also couldn't share the download with the support folk
2:43 AM
So they only had the logs and didn't find anything
Avatar
Ok, thanks for the response. It's a strange one! 🤔
👌 1
Avatar
Why would Airplane mode have a start and end time? How should I interpret this when the time spans overlap? @Cellebrite (edited)
Avatar
Anyone have a description of what causes attachments in iOS to have a .pluginPayloadAttachment extension?
Avatar
Has anyone dealt with WhatsApp on a KaiOS 2.5.2 phone? I have an Alcatel 4052R phone with WhatsApp installed. @Cellebrite PA and @Magnet Forensics Axiom parsed the images which had been sent and received, but not the messages. The Database names are encoded like the other KaiOS file names. So I was hoping someone knew which DBs were what, and if there was a successful way to decode them either manually or with a forensic program.
Avatar
Avatar
GRIZZ
Why would Airplane mode have a start and end time? How should I interpret this when the time spans overlap? @Cellebrite (edited)
I'm wondering if it's just a misinterpretation by PA. Or maybe there isn't an actual 1/0 interpretation for on/off; it's just an event. Does the database give you any info?
Avatar
Avatar
Luminate
Anyone have a description of what causes attachments in iOS to have a .pluginPayloadAttachment extension?
Sometimes you get a txt or message that gets sent to Mail. Messages.app stores links in the SQLite attachment database as files with the ".pluginPayloadAttachment" extension. https://discussions.apple.com/thread/251031123
Avatar
Avatar
Neon
I'm wondering if it's just a misinterpretation by PA. Or maybe there isn't an actual 1/0 interpretation for on/off; it's just an event. Does the database give you any info?
This is what I see, unless I should look elsewhere.
Avatar
Avatar
GRIZZ
This is what I see, unless I should look elsewhere.
KnowledgeC would be the right place. I would manually work through the database around that offset to see the difference between the on and off interpretation. Obviously what PA is indicating is wrong, so I would go to the source hoping for the best. (Click that blue link)
👍 1
Avatar
Avatar
GRIZZ
Why would Airplane mode have a start and end time? How should I interpret this when the time spans overlap? @Cellebrite (edited)
ScottKjr3347 9/8/2021 8:54 PM
Ian Whiffin had to explain this to me a while back, so let me try... I guess this confused some, so I edited the original posting... In @GRIZZ's first screenshot, in the entry that has a start time of 9:05:47 PM and an end time of 9:53:06 PM, Airplane mode is OFF on the device. When the user turned airplane mode ON, an entry is made to indicate the end time of Airplane mode being OFF; thus Airplane mode was turned ON at 9:53:06 PM. You want to use the End Time for the indicator to determine if it is the end of airplane mode being ON or OFF. Just tested this again on my test device... At 20:59:56, the device had Airplane mode turned ON. The ZOBJECT 38356 means the end of Airplane mode being ON. This is an indicator that Airplane mode is OFF at 20:59:56, meaning I had network connectivity. At 21:09:03, the device had Airplane mode OFF. The ZOBJECT 38396 means the end of Airplane mode being OFF. This is an indicator that Airplane mode is ON at 21:09:03, meaning I did not have network connectivity. Notice the ZOBJECT entries in the ArtEx screenshots below. I know it seems backwards, but that's how the examiners I know decode how Apple iOS is documenting airplane mode. Don't take my word for it... validation via other tools or self testing... I also noticed you have a FFS. I would recommend validating what CB is decoding by using Ian Whiffin's tool ArtEx (www.doubleblak.com), Sarah Edwards' tool APOLLO, and Alexis Brignoni's tool iLEAPP. ArtEx is probably the easiest if you are not comfortable with the command line. (edited)
Avatar
ScottKjr3347 9/8/2021 9:29 PM
Arcain pinned a message to this channel. 9/9/2021 1:45 AM
Avatar
Hi, I currently have an issue regarding exporting from the timeline tab in UFED Reader. When I try to do an export (doesn't matter what format I use) I get the following error: "No records was selected No record was selected. To export select at least one." This was done on the 7.48 beta. I've tried the same operation in 7.47 with the same extraction and this works like a charm. The investigator that is doing the analysis is using the beta because her .pas file stopped working in 7.47 for some reason. Any ideas of what to do to fix this?
Avatar
Hi colleagues, is it possible to get the bank account details (bank name, account number (IBAN), etc.) linked to a PayPal account when the PayPal app is examined with PA?
Avatar
Avatar
AFK
Hi, I currently have an issue regarding exporting from the timeline tab in UFED Reader. When I try to do an export (doesn't matter what format I use) I get the following error: "No records was selected No record was selected. To export select at least one." This was done on the 7.48 beta. I've tried the same operation in 7.47 with the same extraction and this works like a charm. The investigator that is doing the analysis is using the beta because her .pas file stopped working in 7.47 for some reason. Any ideas of what to do to fix this?
ScottKjr3347 9/9/2021 5:58 AM
Being that you are using a beta, I would suggest submitting a ticket to make @Cellebrite aware of the issue. Make sure you submit your logs with the ticket. I was using the beta and encountered an error while loading. I rolled back to 7.47.
👆 1
🍸 1
Avatar
Avatar
ScottKjr3347
Ian Whiffin had to explain this to me a while back, so let me try... I guess this confused some, so I edited the original posting... In @GRIZZ's first screenshot, in the entry that has a start time of 9:05:47 PM and an end time of 9:53:06 PM, Airplane mode is OFF on the device. When the user turned airplane mode ON, an entry is made to indicate the end time of Airplane mode being OFF; thus Airplane mode was turned ON at 9:53:06 PM. You want to use the End Time for the indicator to determine if it is the end of airplane mode being ON or OFF. Just tested this again on my test device... At 20:59:56, the device had Airplane mode turned ON. The ZOBJECT 38356 means the end of Airplane mode being ON. This is an indicator that Airplane mode is OFF at 20:59:56, meaning I had network connectivity. At 21:09:03, the device had Airplane mode OFF. The ZOBJECT 38396 means the end of Airplane mode being OFF. This is an indicator that Airplane mode is ON at 21:09:03, meaning I did not have network connectivity. Notice the ZOBJECT entries in the ArtEx screenshots below. I know it seems backwards, but that's how the examiners I know decode how Apple iOS is documenting airplane mode. Don't take my word for it... validation via other tools or self testing... I also noticed you have a FFS. I would recommend validating what CB is decoding by using Ian Whiffin's tool ArtEx (www.doubleblak.com), Sarah Edwards' tool APOLLO, and Alexis Brignoni's tool iLEAPP. ArtEx is probably the easiest if you are not comfortable with the command line. (edited)
This is why I'm here, solid content, thanks for explaining
Avatar
Wondering if anyone else has come across this: Verizon Message+ has sent an old message out again without any input by the user. Group MMS that had been sent 5 months earlier. The message actually displayed the message "Received by Server 1/19/70 7:08 AM".
11:48 AM
Avatar
Samsung Galaxy S9 (SM-G960U) running Android OS 10
Avatar
Good morning, I have a little problem with my UFED PA; I think I can't see the wood for the trees 🙂 ... I would like to export a UFDR report from an extraction, but I can't click on "Generate Report", it is greyed out, and I can't save my project, this is greyed out too. I tried PA 7.48 and PA 7.47. In an older version, 7.46, I can export my reports. Anybody know of anything special? Thx
Avatar
Avatar
Morph
Good morning, I have a little problem with my UFED PA; I think I can't see the wood for the trees 🙂 ... I would like to export a UFDR report from an extraction, but I can't click on "Generate Report", it is greyed out, and I can't save my project, this is greyed out too. I tried PA 7.48 and PA 7.47. In an older version, 7.46, I can export my reports. Anybody know of anything special? Thx
Look into the trace window (via View trace window) for running processes. I think there is still a process running like 'carve locations'. (edited)
Avatar
In the trace window, the last entry is "PP.last Stage completed with ProjectID ..." but I think PA is still doing something, because my CPU is working at about 2.5% and the memory goes up and down a little bit...
Avatar
@Cellebrite You should update your min requirement for PA
😱 1
Avatar
What did you load into it? 512GB iPhone extraction?
Avatar
iphone 7 plus 32GB
3:03 AM
lol
Avatar
Yes PA is definitely one of my most memory consuming tools 😀
Avatar
Afternoon all, a colleague here has completed a Qualcomm live (ffs) acquisition using UFED4PC on a SM-A705 FN running Android 11. Acquisition completed ok but decoding it, they are only getting media. Any ideas?
👀 1
Avatar
@Artea I think I had a similar problem. Choose the advanced option, select the model and then point to a zip archive with the extraction manually.
👍 1
Avatar
@Arcain Will pass that on. Thanks
Avatar
Avatar
Arcain
@Artea I think I had a similar problem. Choose the advanced option, select the model and then point to a zip archive with the extraction manually.
Seems to have worked a treat!
👍 1
Avatar
Avatar
Angst
Yes PA is definitely one of my most memory consuming tools 😀
ScottKjr3347 9/10/2021 9:03 AM
Be patient everyone. I believe @Cellebrite has been working on a fix to that PA RAM problem and it's right around the corner. Check out the new I Beg to DFIR via their website and it might give you some insights. (edited)
Avatar
I am processing an iPhone 6s Plus, iOS 13.1.2, for possible malware. In Settings -> General -> Profile, there is an installed profile for 'Emergency Alerts'. There is an associated email account in the profile. The owner is not sure about the profile or email address. What information can be learned from a profile certification, or could this be used to monitor the user somehow? I don't see a profile on any of my test phones or other exams. Thanks in advance for any assistance.
Avatar
Avatar
Mig
I am processing an iPhone 6s Plus, iOS 13.1.2, for possible malware. In Settings -> General -> Profile, there is an installed profile for 'Emergency Alerts'. There is an associated email account in the profile. The owner is not sure about the profile or email address. What information can be learned from a profile certification, or could this be used to monitor the user somehow? I don't see a profile on any of my test phones or other exams. Thanks in advance for any assistance.
Typically a user will only have Profile listed in Settings > General if a configuration profile has been installed; otherwise, I wouldn't expect a phone to have the Profile setting. Apple has many configuration profiles that can be installed for bug reporting purposes, and configuration profiles can also be used by organizations for managed devices, etc. However, it is possible that malware can also be delivered by having a user install a malicious configuration profile. Here's a link to Apple's configuration profiles; you can install and test to see the Profile setting: https://developer.apple.com/bug-reporting/profiles-and-logs/ (edited)
Avatar
Avatar
Mig
I am processing an iPhone 6s Plus, iOS 13.1.2, for possible malware. In Settings -> General -> Profile, there is an installed profile for 'Emergency Alerts'. There is an associated email account in the profile. The owner is not sure about the profile or email address. What information can be learned from a profile certification, or could this be used to monitor the user somehow? I don't see a profile on any of my test phones or other exams. Thanks in advance for any assistance.
And a link to an article discussing malware delivered via a config profile: https://www.securemac.com/news/facebook-finds-new-ios-spyware-phenakite
The iOS spyware threat Phenakite was discovered by Facebook. In this article: What it is | How it works | What iOS users should know.
Avatar
Best tool to parse Twitter currently from an iOS extraction?
Avatar
Avatar
the_johanna
Does anyone here have good sources (webpages, dissertations, or any source) for decoding Snapchat?
Can use my script if you want 😄
1:27 AM
Have made some notes on artifacts on the wiki page (edited)
1:27 AM
snapchat parser for iOS, Android (soon) and arroyo.db - GitHub - Ogg3/CheckArroyo: snapchat parser for iOS, Android (soon) and arroyo.db
👍 2
😋 1
Arcain pinned a message to this channel. 9/12/2021 4:14 AM
Avatar
DeeFIR 🇦🇺 9/12/2021 4:42 PM
Rather than reinvent the wheel, does anyone have a simple python script to recreate a filesystem/directory listing from an iTunes backup?
4:42 PM
I don't need to parse any of the data within, just parse the manifest db and present a file/folder structure
Avatar
@DeeFIR 🇦🇺 I know this can recreate but not sure about just reading https://github.com/jfarley248/iTunes_Backup_Reader
Python 3 Script to parse out iTunes backups. Contribute to jfarley248/iTunes_Backup_Reader development by creating an account on GitHub.
👍 1
Avatar
chrisforensic 9/12/2021 10:07 PM
PA 7.48.1.3 is ready to catch 👍 cellebrite
cellebrite 2
Avatar
Avatar
chrisforensic
PA 7.48.1.3 is ready to catch 👍 cellebrite
Deleted User 9/12/2021 11:29 PM
a problem with 7.48.0.49?
Avatar
Deleted User 9/13/2021 12:03 AM
@Cellebrite
Avatar
Hi. This is a hotfix following a bug found in 7.48.0.49 🐛
👍 1
Avatar
Greetings. Can someone tell me? There is a dead Samsung SM-J600 phone. The memory is alive. I downloaded a dump from the memory, but there is no password. Is there an option to decrypt USER_GPT from the eMMC dump?
7:22 AM
Avatar
No, the J600F is factory encrypted and uses hardware-backed encryption. If the phone is dead, you'd have to swap the eMMC and CPU onto a working board so it can boot and decrypt.
👍 1
Avatar
@Arcain alas, its processor is mechanically damaged (
Avatar
Then you're out of luck on this one, I'm afraid.
Avatar
@Oxygen Forensics about for some ofbx assistance?
Avatar
Avatar
Rob
@Oxygen Forensics about for some ofbx assistance?
Oxygen Forensics 9/14/2021 12:53 AM
Of course! DM'd
Salute 1
Avatar
Hi! Is there a database that contains notification history for iOS?
Avatar
Anyone have experience with the iOS app com.enchantedcloud.photovault and finding the PIN? I only have a file system extraction. Been looking through the app's plist as it used to be stored in plain text in the past, but seemingly that's not the case anymore.
Avatar
Avatar
LM
Anyone have experience with the iOS app com.enchantedcloud.photovault and finding the PIN? I only have a file system extraction. Been looking through the app's plist as it used to be stored in plain text in the past, but seemingly that's not the case anymore.
@Aero probs is the best 😉
4:18 AM
Also, I believe v10 isn't plaintext anymore, so don't get your hopes up.
Avatar
Yeh I had a look around and it seemed they made it a fair bit more secure in recent updates. Might be unlikely without a full file system, will keep searching.
Avatar
Avatar
LM
Anyone have experience with the iOS app com.enchantedcloud.photovault and finding the PIN? I only have a file system extraction. Been looking through the app's plist as it used to be stored in plain text in the past, but seemingly that's not the case anymore.
Run your extraction through axiom if you have it
Avatar
@CCC thanks, I do. I'll give it a go.
Avatar
I ran a UFD through it and it got me data and the PIN. For funsies you can then use Andy to input that PIN using Cellebrite PA.
Avatar
Avatar
CLB_iwhiffin
Numerous things. It could be 1) a reminder, as in "hey Siri, remind me to do X when I arrive home"; 2) a store geofence, so when you get close to it, it knows. Apple Stores, for example, if you have the Apple Store app installed; 3) real-time monitoring of Frequent Locations (in particular, looking for if you leave the one you're in or enter the one it THINKS you are going to). Look in the database for the process name. (edited)
Hey, I am also looking into reminder locations atm and in the source database in the "Fences" table there is a name "RTVisitMonitor.RealtimeHighConfidenceExitFenceForCurrentVisit" with timestamp and long+lat coordinates. Any idea what this could be?
Avatar
@Cellebrite Good morning! Is there a way to merge tags created in a Reader report back into the original case in PA?
Avatar
Avatar
Erik
Hey, I am also looking into reminder locations atm and in the source database in the "Fences" table there is a name "RTVisitMonitor.RealtimeHighConfidenceExitFenceForCurrentVisit" with timestamp and long+lat coordinates. Any idea what this could be?
CLB_iwhiffin 9/14/2021 6:32 AM
Yup. You are in a frequent location geofence (or at least, it was inside one when the monitor was turned off). It will constantly monitor for when you leave that fence at which point it will be replaced with something to the effect of “RealTimeHighConfidenceEntryFence ForNextPredictedLocation” where it will guess where you are heading and monitor for when you arrive (maybe multiple guesses). Super important to know because these guesses leave artifacts that could be misinterpreted as visits when in reality it’s the device having a guess.
Avatar
Avatar
stps358
@Cellebrite Good morning! Is there a way to merge tags created in a Reader report back into the original case in PA?
Deleted User 9/14/2021 6:32 AM
Using a .pas doesn't work?
Avatar
Avatar
callzor
Hi! Is there a database that contains notification history for iOS?
CLB_iwhiffin 9/14/2021 6:33 AM
KnowledgeC contains limited data on notifications. When and which app, mainly. But not much more.
Avatar
Avatar
Deleted User
Using a .pas doesn't work?
No it did not load anything into the PA version. I'll try again though.
😭 2
Avatar
@LM @forensicmike @Magnet has also done some amazing work with PV!
👀 1
💯 1
Avatar
Hey. I've managed to decrypt the My Eyes Only folder in Cellebrite PA. All files are showing the same "file name"; is this to be expected? Is there any way I can check whether these files have been sent / received? Many thanks.
Avatar
BritishBulldog 9/15/2021 1:48 AM
@Magnet Forensics Hi guys, is it possible to determine when airplane mode was last enabled?
Avatar
@BritishBulldog yes, check the pinned thread here. Scott and Ian had some explanation about it. KnowledgeC is your needed resource.
Avatar
BritishBulldog 9/15/2021 2:07 AM
Yeah I'm currently digging through KnowledgeC
2:07 AM
Will check pinned, Thanks (edited)
Avatar
@BritishBulldog It's a mind cracker, this explanation from @ScottKjr3347, so beware 😊
2:09 AM
Off is on or on is off. Or something like that 😗😂
💯 1
Avatar
BritishBulldog 9/15/2021 2:09 AM
lol will give it a read in a second 😂
Avatar
@BritishBulldog let me know if it hurts your brain as well 😊
Avatar
BritishBulldog 9/15/2021 2:35 AM
Thanks! I've got the phone parsed through UFED, AXIOM and soon iLEAPP
2:35 AM
So gonna try and find any entries for airplane mode
2:39 AM
There's a very long story behind this so if I can't figure it out, I'll post a bigger question
Avatar
Anyone know how I can trick Cellebrite physical analyzer to also decode the 000000_sms_backup from an adb backup?
Avatar
Hi there; I have a little question about WhatsApp crypt14 decryption. I have a full file system dump from an Android and my Oxygen can decrypt WhatsApp successfully; now we need the cloud backup, but we haven't got the SIM PIN for the 2FA, so now we have the Database.Crypt14 and the key file from the device. Any suggestion to decrypt the cloud backup? Thx
Avatar
@MetaStig does it look like a copy of the mmssms.db? If so, maybe export out the full file with pathing, and process the folder separate with PA?
Avatar
Avatar
florus
Off is on or on is off. Or something like that 😗😂
CLB_iwhiffin 9/15/2021 8:35 AM
ON = airplane mode is ON = antennas are OFF. 😆
👍 2
Avatar
In @Cellebrite is there a way to group photos from an iPhone by what album they are in? There seems to be no easy way to tell what album(s) a photo belongs to. Is this artifact available somewhere?
Avatar
You can open specific photos based on the folder they’re in. Go to folder view and there’s a green arrow on the folder and it’ll open a new tab. (edited)
Avatar
There are only 17 photos in the album, but Cellebrite is showing 800+ in the "folder" and it doesn't have any actual album name.
Avatar
Can you shoot me a dm with the screenshot. Not sure I understand
Avatar
FWIW I just threw the extraction into Axiom; it fully supports parsing the photo album names.
Avatar
Avatar
FunkeDope
In @Cellebrite is there a way to group photos from an iPhone by what album they are in? There seems to be no easy way to tell what album(s) a photo belongs to. Is this artifact available somewhere?
ScottKjr3347 9/15/2021 10:16 AM
Export the Photos.sqlite and use DB Browser and run the query. Here is an article about albums: https://forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/ https://www.cellebrite.com/en/identifying-file-to-album-correlation-using-ios-photos-sqlite/ Use this link for Photos.sqlite queries: https://github.com/ScottKjr3347/Photos.Sqlite_Queries DM if you have any specific questions. (edited)
Discussing with Shafik the correlation of photo albums to pictures on iOS using Photos.sqlite.
Special guest: Shafik G. Punja, IR In this episode, Shafiq will discuss iOS Photos.sqlite in regard to file-to-album correlation and a reverse-engineering case study regarding an APT attacker. When you open up the photo’s app on an iOS device, you’ll see the default albums, non-default albums, third-party app albums, and user-created albums disp...
Here are several queries that may help with decoding some of the data stored in Photos.sqlite. These queries are based on testing and research and some community published research. - GitHub - Scot...
👍 1
Avatar
SRiedelNCPD 9/15/2021 10:19 AM
@callzor in reference to your post you may also check in the CurrentPowerlog.plsql file for push notifications
Avatar
Y'all have this sitting here since 2019 and can't implement it into UFED?? lol
Avatar
Hi all! This feels like a dumb question, but does turning off location services disable the GPS completely? Or can things like Google settings effectively override it and continue to use your location anyway? Had a look online but I can't find anything that points me towards a concrete answer.
Arcain pinned a message to this channel. 9/15/2021 11:38 AM
Avatar
compinspector 9/15/2021 3:56 PM
Need some guidance re: creating Contacts with Pics using Python in Physical Analyzer. Has anyone successfully done it? I've even used their sample scripts with sample ufed but it doesn't add the image to the contact. Help?
ScottKjr3347 started a thread. 9/15/2021 5:12 PM
Avatar
wynona's big brown beaver 9/15/2021 6:55 PM
I'm reading iOS documentation for app development. It talks about how the developer can choose the level of encryption for their application. https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files
6:55 PM
6:56 PM
I'm curious, if the device is encrypted by default, how can the file(s) be always accessible?
Avatar
Hi! Does anyone use a free alternative to UFED Cloud/XRY Cloud?
Avatar
Hello to all, I am analyzing the internet data consumption in 2016 on an iPhone 4s. I see that all these processes consume a lot of 2G/3G data. Do you know if these processes are related to Apple's services or if they are user actions? Thanks for your answers.
Avatar
Purchase Date - Can this supersede previous installations of the same app?
6:09 AM
Say, if you install MEGA and later uninstall to reinstall does the purchase date get updated
6:10 AM
I haven't sadly got a test phone to check
Avatar
CLB_iwhiffin 9/16/2021 6:13 AM
No, it will remain the first time it was purchased/installed in most cases. As an iOS user, if I go to the App Store and view an app I’ve previously had, it will show the iCloud download icon rather than “buy”. I believe this may be the same for family shared apps too.
Avatar
Interesting.
6:15 AM
Is that the same if you install it on an SD card and later install it on the phone itself?
6:16 AM
*after uninstalling from the SD card
Avatar
Avatar
wynona's big brown beaver
I'm curious, if the device is encrypted by default, how can the file(s) be always accessible?
CLB_iwhiffin 9/16/2021 6:16 AM
Device is encrypted while it’s off (which is why chip off won’t work) but upon powering on, a minimum level of encryption is removed. These would be “no protection” files such as what is needed for cellular function. When you first power the phone on, you can still receive calls for example but it doesn’t know who from because contacts is still protected. Once you log in for the first time, some more encryption is removed. Now the contacts is permanently unlocked (until reboot) so even when the device is locked, receiving a call will be able to access contacts. And so on.
Avatar
Avatar
Rob
Is that the same if you install it on an SD card and later install it on the phone itself?
CLB_iwhiffin 9/16/2021 6:17 AM
Ah. Not as confident about android. I’d need to look into it. My mind defaults to iOS apparently. 🤦‍♂️
Avatar
No worries!
6:20 AM
I have a situation where traces of Mega were found on an exhibit - Email address/media (that had an SD card) where the creation of the account is 16th Dec 19 and was suspended on the 2nd Feb 20 and the purchase date is 17th March 20. Edit - should note, the traces of mega were from the SD card and found in \MEGA\MEGA Downloads with creation dates of around end of Jan 20 (edited)
Avatar
Avatar
CLB_iwhiffin
Device is encrypted while it’s off (which is why chip off won’t work) but upon powering on, a minimum level of encryption is removed. These would be “no protection” files such as what is needed for cellular function. When you first power the phone on, you can still receive calls for example but it doesn’t know who from because contacts is still protected. Once you log in for the first time, some more encryption is removed. Now the contacts is permanently unlocked (until reboot) so even when the device is locked, receiving a call will be able to access contacts. And so on.
wynona's big brown beaver 9/16/2021 6:22 AM
Ah. thanks for the explanation (edited)
Avatar
Is anyone aware of any good write ups for the MEGA iOS app?
Avatar
Avatar
Rob
I have a situation where traces of Mega were found on an exhibit - Email address/media (that had an SD card) where the creation of the account is 16th Dec 19 and was suspended on the 2nd Feb 20 and the purchase date is 17th March 20. Edit - should note, the traces of mega were from the SD card and found in \MEGA\MEGA Downloads with creation dates of around end of Jan 20 (edited)
From recollection purchase date here is just install date
Avatar
Avatar
Joe Schmoe
Is anyone aware of any good write ups for the MEGA iOS app?
The aim of this poster is to provide a list of the most interesting files and folders “Data” and in the “Shared” folders for the most commonly used third-party apps.
Avatar
Would be yes.
Avatar
But that comes from the manifest rather than the app
Avatar
Thank you for the link. I don’t think that app is on there.
Avatar
https://github.com/northloopforensics/PEEPER I’ve made a free tool for working with screenshots. Let me know what you think.
An image analysis tool for screenshots and other images containing text. - GitHub - northloopforensics/PEEPER: An image analysis tool for screenshots and other images containing text.
👍 2
Arcain pinned a message to this channel. 9/17/2021 1:14 AM
Avatar
Mr. Eddie Vedder from Accounting 9/17/2021 6:02 AM
Anyone run into SMS.DB on iOS not being parsed? I'm trying to help another examiner out. He noticed it when looking at Cellebrite that they didn't parse. He has an unlocked iPhone and verified messages present. He also navigated to the DB in the GK extraction and could verify messages in DB Browser. I told him to run ArtEx against it and just process SMS. He said that's been running about a day. He also tried Axiom and still nothing. I had him send me the Cellebrite logs and noticed it parsed the SMS.DB in 0 seconds, and on further digging I saw the attached screenshot
Avatar
Avatar
Rob
Purchase Date - Can this supersede previous installations of the same app?
Did some further digging, turns out there's traces of MEGA that are before this purchase date suggesting that the purchase date can be superseded.
Avatar
I have a Samsung Galaxy J7 (SM-J701M/DS) that I received in an unlocked, AFU state. In the notifications, it showed Secure Folder was active and running on the phone. I tried to manually open the Secure Folder notification after a logical extraction, but was prompted for an unknown 4-digit PIN. So I have evidence of the user using Secure Folder. I shut the phone down and successfully got a physical bootloader extraction from the phone. I have loaded the extraction into both PA and Axiom, but I can't figure out where the Secure Folder data is stored to decrypt the data. Thoughts? (edited)
8:01 AM
Avatar
Wondering if anyone has experience with Facebook Messenger audio calls showing sent when they should show received. (edited)
Avatar
Avatar
FullTang
I have a Samsung Galaxy J7 (SM-J701M/DS) that I received in an unlocked, AFU state. In the notifications, it showed Secure Folder was active and running on the phone. I tried to manually open the Secure Folder notification after a logical extraction, but was prompted for an unknown 4-digit PIN. So I have evidence of the user using Secure Folder. I shut the phone down and successfully got a physical bootloader extraction from the phone. I have loaded the extraction into both PA and Axiom, but I can't figure out where the Secure Folder data is stored to decrypt the data. Thoughts? (edited)
If I remember right, on a Samsung phone using secure folder, you will need the file system to get the secure folder data.
👍 1
Avatar
Avatar
sholmes
If I remember right, on a Samsung phone using secure folder, you will need the file system to get the secure folder data.
@FullTang ill send you dm
👍 1
Avatar
Thanks for info! I'll give it a shot next week.
Avatar
Hi, where can I find movies on Snapchat on an iPhone 12? I see the movie in the app on the phone but I can't find it in the physical examiner. Thanks
Avatar
Depends on the extraction type you have. If you have a backup it will likely not be there @kfir_m (edited)
Avatar
Thanks, it's a Cellebrite UFED file system of an iPhone 12 Max Pro
Avatar
Avatar
Mr. Eddie Vedder from Accounting
Anyone run into SMS.DB on iOS not being parsed? I'm trying to help another examiner out. He noticed it when looking at Cellebrite that they didn't parse. He has an unlocked iPhone and verified messages present. He also navigated to the DB in the GK extraction and could verify messages in DB Browser. I told him to run ArtEx against it and just process SMS. He said that's been running about a day. He also tried Axiom and still nothing. I had him send me the Cellebrite logs and noticed it parsed the SMS.DB in 0 seconds, and on further digging I saw the attached screenshot
I had the same experience. I manually parsed the DB and got 500 Messages. PA showed zero! @Cellebrite you know about this?
Avatar
Avatar
kfir_m
Thanks, it's a Cellebrite UFED file system of an iPhone 12 Max Pro
DeeFIR 🇦🇺 9/20/2021 1:22 AM
If it's an iTunes backup/logical (ie not a full file system) then you won't have it.
Avatar
@Cellebrite No need in adding the keychain anymore for decoding an FFS of an iPhone?? I see that the loading wizard has changed. I don't see the "add advanced" anymore? (edited)
Avatar
And another question in general: do you all use a custom dict by default when loading a new extraction? Thought I saw @ScottKjr3347 talk about this a while ago? If yes, what dicts do you use? All 4 and 6 digit combos?
Avatar
@Cellebrite Connecting PA to a hashset (CAID), is it possible to choose certain categories to be ignored i.e. Cat 8 etc?
Avatar
Avatar
florus
@Cellebrite No need in adding the keychain anymore for decoding an FFS of an iPhone?? I see that the loading wizard has changed. I don't see the "add advanced" anymore? (edited)
This is all I see after updating to 7.48.0.49. Is this a bug or...
Avatar
Avatar
.karate.
I had the same experience. I manually parsed the DB and got 500 Messages. PA showed zero! @Cellebrite you know about this?
CLB_iwhiffin 9/20/2021 4:21 AM
I am speaking with Mr. Eddie Vedder about it and trying to get to the bottom of it. It does appear the database has some corruption. I'd be interested in hearing more about your issues too.
👍 1
Avatar
Avatar
florus
This is all I see after updating to 7.48.0.49. Is this a bug or...
CLB_iwhiffin 9/20/2021 4:25 AM
Hi Florus, I've not seen that particular issue, however there is a bug fix to v7.48.1.3 for a load issue. It may be worth upgrading and seeing if that fixes the problem.
Avatar
Is there somewhere where I can help out describing new iOS 15 artifacts? 🙂 The new focus modes in particular can be set to locations and can be useful for determining someone’s location
Avatar
@Fierry reach out to @Brigs ? He can always use help on his ileapp project?
Avatar
Will do 🙂
Avatar
Hey everyone, wanted to get some input. I'm trying to determine if Snapchat was open during a certain time. Snapchat was uninstalled from the device prior to the extraction. The KnowledgeC database was analyzed but I can't find any reference to Snapchat (com.toyopagroup.picaboo) in the database. Questions: 1. The app being uninstalled wouldn't have affected the KnowledgeC database, right? 2. Snapchat should show up in knowledgeC, right ?
Avatar
Avatar
Neon
Hey everyone, wanted to get some input. I'm trying to determine if Snapchat was open during a certain time. Snapchat was uninstalled from the device prior to the extraction. The KnowledgeC database was analyzed but I can't find any reference to Snapchat (com.toyopagroup.picaboo) in the database. Questions: 1. The app being uninstalled wouldn't have affected the KnowledgeC database, right? 2. Snapchat should show up in knowledgeC, right ?
CLB_iwhiffin 9/20/2021 11:06 AM
Yes, SnapChat would show up as AppUsage and AppFocus. iOS does sometimes delete from KnowledgeC but I find it hard to believe it removed app usage. I can test this out, just give me an hour
Avatar
@CLB_iwhiffin awesome, thank you!
Avatar
How long ago was the activity you are looking for? any idea?
Avatar
I think it was about a week but the date is still showing up. So it wasn't purged from rolling off. I must be doing something wrong
11:14 AM
Well I say that. I think I'm right which is that it's not there
Avatar
Hmmm, I will be interested to see what comes of this one. What kind of extraction did you obtain?
Avatar
Avatar
Neon
@CLB_iwhiffin awesome, thank you!
CLB_iwhiffin 9/20/2021 11:19 AM
Well, I can tell you that it is not deleted when the app is uninstalled. Not immediately anyway. It seems that KnowledgeC typically stores data for around 30 days for that type of data. I'll check it later to see if it's been purged after a reboot etc.
👍 1
Avatar
anyone familiar with this source path? Root/data/com.samsung.visionprovider/databases/visionprovider.db
11:39 AM
When searching a physical extraction with an important user name in hex it shows two hits in this location but can't figure out what this .db is for.
1:23 PM
"Camera Photo - Samsung Devices"
1:23 PM
Apparently @Ghosted
1:24 PM
sans poster agrees with that, so must be something to do with the camera photo
Avatar
@Rob makes sense I am finding. A kik username only in this location.
👍 1
Avatar
I have an AFU extraction of an iPhone. I see a lot of Apple Maps and Google Maps usage around and before the time of an incident. There are no GPS coordinates parsed by PA. Any hints, or databases I can manually look into? @CLB_iwhiffin
Avatar
Avatar
florus
I have an AFU extraction of an iPhone. I see a lot of Apple Maps and Google Maps usage around and before the time of an incident. There are no GPS coordinates parsed by PA. Any hints, or databases I can manually look into? @CLB_iwhiffin
I think protobufs? Parse them manually in ILEAPP and see if you got more luck
👍 1
Avatar
Avatar
florus
I have an AFU extraction of an iPhone. I see a lot of Apple Maps and Google Maps usage around and before the time of an incident. There are no GPS coordinates parsed by PA. Any hints, or databases I can manually look into? @CLB_iwhiffin
Check if you have cache.sqlite in apple.routined
Avatar
Avatar
florus
I have an AFU extraction of an iPhone. I see a lot of Apple Maps and Google Maps usage around and before the time of an incident. There are no GPS coordinates parsed by PA. Any hints, or databases I can manually look into? @CLB_iwhiffin
CLB_iwhiffin 9/21/2021 11:55 AM
Maria is correct. The maps database (mapssync_0.0.1) is full of locations, some in plain text and some in protobuf. There are other sources of location data on AFU such as: ThreeBars, consolidated (geofences), media locations, media analytics locations etc. Lots if you carve. But not all are reliable.
Avatar
Avatar
OggE
Check if you have cache.sqlite in apple.routined
CLB_iwhiffin 9/21/2021 11:55 AM
Sadly, everything in routined required FFS not AFU. 😢
Avatar
Avatar
CLB_iwhiffin
Sadly, everything in routined required FFS not AFU. 😢
routined is what i need 😄
11:59 AM
Neither PA, Oxygen nor Axiom is parsing any location data... I'll look at your DBs and will give iLEAPP and ArtEx a go as well 🙂
11:59 AM
Thanks for replying!
Avatar
Avatar
FullTang
I have a Samsung Galaxy J7 (SM-J701M/DS) that I received in an unlocked, AFU state. In the notifications, it showed Secure Folder was active and running on the phone. I tried to manually open the Secure Folder notification after a logical extraction, but was prompted for an unknown 4-digit PIN. So I have evidence of the user using Secure Folder. I shut the phone down and successfully got a physical bootloader extraction from the phone. I have loaded the extraction into both PA and Axiom, but I can't figure out where the Secure Folder data is stored to decrypt the data. Thoughts? (edited)
Update on this. I got an FFS and as far as I can tell it decrypted the data in the Secure Folder. The decrypted artifacts do not have a file path of XXX/150/XXX but there definitely are photos that were not there before. Thanks for the heads up all!
Avatar
Avatar
florus
routined is what i need 😄
Could use AXIOM's "look for more artifacts"
Avatar
Avatar
CLB_iwhiffin
Sadly, everything in routined required FFS not AFU. 😢
From what I've heard, the faster you extract the AFU the more data you get. Is this not true?
12:35 PM
Oh btw, there was a new version of snapchat i saw in the wild which kinda broke my script. In contentmanager, KEY is now CONTENT_KEY
Avatar
Avatar
OggE
From what I've heard, the faster you extract the AFU the more data you get. Is this not true?
CLB_iwhiffin 9/21/2021 1:04 PM
Depending on extraction method. I believe there is a higher likelihood of recovering the passcode from AFU (and therefore getting FFS) if it is within a few hours of the first time it was entered. But after a few hours of AFU, the chances of recovery drastically reduce.
👀 3
💯 1
Avatar
BritishBulldog 9/21/2021 1:39 PM
@Cellebrite I want to open a video in VLC so whenever I right click a video within PA, and select "Open with default program", it automatically opens in windows viewer. How do I change this to VLC? (edited)
1:42 PM
Found a solution - I exported the video, right click video and "Open program with" Selected to always open VLC and this worked.
👍 1
Avatar
krisc#21223 9/21/2021 2:45 PM
Good afternoon, I have a phone that has no location EXIF whatsoever on any pictures. It was mentioned to me that by enabling location on the device it could possibly recover EXIF for items on that device. Has anybody ever heard of this?
Avatar
CLB_iwhiffin 9/21/2021 5:51 PM
I can’t see how it’s going to do that unless the data is already stored somewhere else. iPhones and Androids both store the EXIF location data in the images and in the databases, but if location services is off it won’t record either. Maybe the thought process is that by turning location off it’s simply hiding all location data, regardless of whether it exists or not. But if that was the case, the data would still be accessible to forensic tools.
Avatar
Morning all, had a colleague reach out with an iOS question and I'm just trying to help out with researching ... anyone encountered or have information related to the contents of the /private/var/mobile/Library/Biome/streams/public/AppIntents/ folder? Google hasn't provided much insight yet, so I figured I'd reach out to the experts 🙂
Avatar
Avatar
pug4N6
Morning all, had a colleague reach out with an iOS question and I'm just trying to help out with researching ... anyone encountered or have information related to the contents of the /private/var/mobile/Library/Biome/streams/public/AppIntents/ folder? Google hasn't provided much insight yet, so I figured I'd reach out to the experts 🙂
CLB_iwhiffin 9/22/2021 4:55 AM
From a preliminary view, it seems similar to the intent data from knowledgeC... Certainly worth more investigation
Avatar
Hi, can I chat with someone from @Cellebrite about crypt14 for WhatsApp?
Avatar
Does anyone know what the ZPLAYCOUNT and ZVIEWCOUNT columns are within photos.sqlite? (Found within the ZADDITIONALASSETATTRIBUTES table.) I'm trying to prove a video was played/viewed by the user, but unsure whether ZPLAYCOUNT means the video was viewed from start to end, or is just a count of the number of times the play button was pressed.
Avatar
Avatar
Pacman
Does anyone know what the ZPLAYCOUNT and ZVIEWCOUNT columns are within photos.sqlite? (Found within the ZADDITIONALASSETATTRIBUTES table.) I'm trying to prove a video was played/viewed by the user, but unsure whether ZPLAYCOUNT means the video was viewed from start to end, or is just a count of the number of times the play button was pressed.
CLB_iwhiffin 9/22/2021 2:30 PM
Doesn't need to be viewed all the way through. Appears that these counts go up on some kind of schedule (daily?) as there is a "PendingViewCount" and "PendingPlayCount" that increment as expected. Appears that as soon as the video starts to play the "PendingPlayCount" increases. The "PendingViewCount" increments a second or so later; presumably because you stopped and viewed it rather than just flicking through.
👍 3
Avatar
Anyone have experience with the "com.apple.accessibility.heard.plist" file?
Avatar
anyone know of any artefacts like screen time usage, battery logs or unlock logs for Huaweis?
Avatar
equalexpert 9/23/2021 2:19 AM
Quick question for Cellebrite Reader. I have a 65GB report which will open, but as soon as I start reviewing some chats (100k+ messages) the RAM spikes to 80GB or more, causing the entire software to eventually crash. Any ideas on how to improve RAM usage in Reader?
Avatar
DeeFIR 🇦🇺 9/23/2021 3:31 AM
@equalexpert which version of Reader? I've been opening some fairly large (~100-120GB extracts) and haven't had heavy usage at all
Avatar
Avatar
DeeFIR 🇦🇺
@equalexpert which version of Reader? I've been opening some fairly large (~100-120GB extracts) and haven't had heavy usage at all
equalexpert 9/23/2021 3:34 AM
Currently I'm using 7.48.1.3. Yeah, the download opens and can work just fine. It's just when I open the Telegram chats, as there's approx 400,000 Telegram messages overall and some chats have 40,000 or more messages each
Avatar
DeeFIR 🇦🇺 9/23/2021 3:36 AM
Oh wow, I misread your original comment. I haven't loaded an extract with 400k+ Telegram messages, that's crazy 😆
Avatar
equalexpert 9/23/2021 3:38 AM
Haha yup, it's a first. If they were full of visible images I'd understand the RAM usage. But there's only a small handful of those so I can't understand why text will use so much
Avatar
Avatar
equalexpert
Currently I'm using 7.48.1.3. Yeah, the download opens and can work just fine. It's just when I open the Telegram chats, as there's approx 400,000 Telegram messages overall and some chats have 40,000 or more messages each
Same issue with previous reader version?
Avatar
I have processed a GrayKey extraction using Axiom. I have in the process entered the decoding key for Snapchat memories. I got 310 artefacts of type video and pictures, but when I click on any of the artefacts I can't see any picture or video. Any idea?
Avatar
Avatar
Bobby
Same issue with previous reader version?
equalexpert 9/23/2021 3:52 AM
Ideally I would like to try this but haven't had time to go back and re-decode it. That might be on the cards for tomorrow
Avatar
You don't have to re-decode it, should just be able to replace the CellebriteReader.exe and it'll load with the older version of Reader.
Avatar
@Magnet Forensics anyone that can help me?
Avatar
@jaikl Check the filesizes. They are probably not cached.
Avatar
Avatar
callzor
@jaikl Check the filesizes. They are probably not cached.
I just tried looking directly in the phone and I can see them there. So I guess they should be cached
Avatar
I've been asked to verify WhatsApp data from an iPhone; specifically they are interested in read receipts (to show the time difference from when the message was received and when it was read). I can see from the ZWAMessage table the time sent from columns ZMessageDate and ZSentDate (Apple Absolute Time). But I can't see any columns for received or read. It appears for items sent there is another table, ZWAMessageInfo, which has a column ZReceiptInfo. This column contains BLOB data which appears to be a binary plist. Does this mean it only records time of delivery and time read by recipients ONLY for sent messages? Thanks. The last time I looked at ChatStorage in this level of detail was some years ago and it appears to have changed quite a bit in the interim. (edited)
Avatar
@Cellebrite I made a physical extraction from a Samsung SM-G975F/DS and I want to decode it with PA. The proposed Android ADB decoding chain for the physical does not work. Do you have an idea of the string to use for the 128GB bin?
Avatar
You should try to do an FFS and not a physical, as the device is an FBE one
Avatar
I made the FFS and I wanted to compare with the binary made with XRY. Thanks @sh4ka
Avatar
OK then, I don't know how to load it in PA but I'm sure some people from the decoding team might know :) cc @CLB-drorimon @CLB_iwhiffin
Avatar
Avatar
Toff_Ibou
I made the FFS and I wanted to compare with the binary made with XRY. Thanks @sh4ka
The binary made by XRY, if you do the export, will contain encrypted data. XRY decrypts it during its decoding stage. That binary imported into PA will essentially be equal to a BFU extraction only (edited)
7:19 AM
You would have to let Xry decode it fully, then only export filesystem to an archive, but it'll be very time consuming, and essentially will give you same results (edited)
Avatar
OK thanks @Arcain
Avatar
I imaged a Droid Moto (XT1650) and was unable to get a physical using any of the methods in the profile, however I was able to get a Qualcomm live using the generic profile. Issue is, I cannot get this thing to decode in PA. I load the ufd or ufdx, and it loads all the blk bin files, however the only file it actually parses is procdata.zip, which has nothing. I tried using the Qualcomm EFS profile in PA, and it at least looks like it parses the FS, however all I get are photos, no actual data. Any ideas???
Avatar
Does anyone know what epoch is used by WhatsApp on iPhone to store read and delivered receipts? In the ZReceiptInfo column of the ZWAMessageInfo table I have a BLOB entry. part of this is 0x18abe5f1d005 and 0x20bfe5f1d005 which appear to be the delivered and read timestamps respectively. I am assuming that 0x18 part indicates a delivery receipt and the 0x20 means a read receipt timestamp. This makes sense as the next bytes 0xab and 0xbf differ by 20 (0x14) which is the number of seconds between the message being delivered and the message being read, 20 seconds. This would indicate to me that the timestamp is therefore stored little endian and 0xabe5f1d005 is the delivery receipt. But this doesn't fit with any epoch I'm aware of. Reversing the number of seconds from the date this message was delivered means that the epoch year is AD 1228. Anyone have a better insight into this? (edited)
Avatar
Avatar
AmNe5iA
Does anyone know what epoch is used by WhatsApp on iPhone to store read and delivered receipts? In the ZReceiptInfo column of the ZWAMessageInfo table I have a BLOB entry. part of this is 0x18abe5f1d005 and 0x20bfe5f1d005 which appear to be the delivered and read timestamps respectively. I am assuming that 0x18 part indicates a delivery receipt and the 0x20 means a read receipt timestamp. This makes sense as the next bytes 0xab and 0xbf differ by 20 (0x14) which is the number of seconds between the message being delivered and the message being read, 20 seconds. This would indicate to me that the timestamp is therefore stored little endian and 0xabe5f1d005 is the delivery receipt. But this doesn't fit with any epoch I'm aware of. Reversing the number of seconds from the date this message was delivered means that the epoch year is AD 1228. Anyone have a better insight into this? (edited)
I do not have any "better" insight, but my suggestion would be through the hex values into a tool like DCode or Zimmerman's time tool (or PA/Axiom if you have them) that runs a swath of time formats against it and see what the closest is. If there's nothing remotely close, it could be a novel time format.
Avatar
Avatar
coolcalmPC
I do not have any "better" insight, but my suggestion would be through the hex values into a tool like DCode or Zimmerman's time tool (or PA/Axiom if you have them) that runs a swath of time formats against it and see what the closest is. If there's nothing remotely close, it could be a novel time format.
*throw
Avatar
tried that
Avatar
As far as i can tell after 04/06/2017 ZReceiptInfo was changed from a binary PList to serialised data. And I can't seem to get my head around it. I haven't been able to find any resource online either.
Avatar
Avatar
FunkeDope
I imaged a Droid Moto (XT1650) and was unable to get a physical using any of the methods in the profile, however I was able to get a Qualcomm live using the generic profile. Issue is, I cannot get this thing to decode in PA. I load the ufd or ufdx, and it loads all the blk bin files, however the only file it actually parses is procdata.zip, which has nothing. I tried using the Qualcomm EFS profile in PA, and it at least looks like it parses the FS, however all I get are photos, no actual data. Any ideas???
CLB-drorimon 9/23/2021 3:50 PM
Worth trying the MOTXT1650_CDMA profile in PA.
Avatar
Hi anyone! How to read hihealth_003.db? I read on a great post that it contains notifications and app usages... I think it's encrypted, so how to have the key?
Avatar
Hi, does anyone know if there is a database on iOS where we can find the type of locomotion (similar to Google)? Does iPhone record and interpret the type of motion?
Avatar
Avatar
Dam
Hi, does anyone know if there is a database on iOS where we can find the type of locomotion (similar to Google)? Does iPhone record and interpret the type of motion?
It seems to me that there is this type of data in the health application but the precision is lower
Avatar
Avatar
rico
It seems to me that there is this type of data in the health application but the precision is lower
Thanks for the answer but I cannot find the type of activity for car
Avatar
Good morning all - does anyone have any experience with the "LockMyPix" application? No PIN has been given, keen to get into this. Many thanks.
👍 1
Avatar
@Pixel contact @OllieD about it
👍 1
Avatar
I'll DM
👀 1
Avatar
Thank you!
👍 1
Avatar
Avatar
florus
Neither PA, Oxygen nor Axiom is parsing any location data... I'll look at your DBs and will give iLEAPP and ArtEx a go as well 🙂
I can confirm, routined isn't available in an AFU extraction.
Avatar
Avatar
Dam
Thanks for the answer but I cannot find the type of activity for car
CLB_iwhiffin 9/24/2021 5:09 AM
If you have FFS, check the databases in the Routined folder (cache, Local, Cloud-V2). They will have recent location activity, which includes a table called ZRTLEARNEDLOCATIONOFINTERESTTRANSITIONMO that is related to the journeys between frequent locations. This includes a ZPREDOMINANTMOTIONACTIVITY field to identify walking/car etc. But it's all integers and I will need a little time to figure them out.
👍 2
Avatar
Avatar
CLB_iwhiffin
If you have FFS, check the databases in the Routined folder (cache, Local, Cloud-V2). They will have recent location activity, which includes a table called ZRTLEARNEDLOCATIONOFINTERESTTRANSITIONMO that is related to the journeys between frequent locations. This includes a ZPREDOMINANTMOTIONACTIVITY field to identify walking/car etc. But it's all integers and I will need a little time to figure them out.
Thanks for the information. I will take a look there 👍🏻
Avatar
Avatar
AmNe5iA
Does anyone know what epoch is used by WhatsApp on iPhone to store read and delivered receipts? In the ZReceiptInfo column of the ZWAMessageInfo table I have a BLOB entry. part of this is 0x18abe5f1d005 and 0x20bfe5f1d005 which appear to be the delivered and read timestamps respectively. I am assuming that 0x18 part indicates a delivery receipt and the 0x20 means a read receipt timestamp. This makes sense as the next bytes 0xab and 0xbf differ by 20 (0x14) which is the number of seconds between the message being delivered and the message being read, 20 seconds. This would indicate to me that the timestamp is therefore stored little endian and 0xabe5f1d005 is the delivery receipt. But this doesn't fit with any epoch I'm aware of. Reversing the number of seconds from the date this message was delivered means that the epoch year is AD 1228. Anyone have a better insight into this? (edited)
CLB_iwhiffin 9/24/2021 6:04 AM
It's Protobuf data which means the hex you have is a varint. Sadly more complicated than straight hex conversion.
18 AB E5 F1 D0 05
Ignore the first byte as it’s the wiretype/tag. Take each byte as binary until you hit a byte with 0 as the first bit:
AB = 10101011
E5 = 11100101
F1 = 11110001
D0 = 11010000
05 = 00000101
Now remove the first bit and reverse the order:
000101 010000 1110001 1100101 0101011
Now place into one long string:
00001011010000111000111001010101011
And convert to Int64 = 1511813803 = Mon 27 Nov 2017 20:16:43 (edited)
CLB_iwhiffin
It's Protobuf data, which means the hex you have is a varint. Sadly more complicated than straight hex conversion.
18 AB E5 F1 D0 05
Ignore the first byte as it's the wiretype/tag. Take each byte as binary until you hit a byte with 0 as the first bit:
AB = 10101011
E5 = 11100101
F1 = 11110001
D0 = 11010000
05 = 00000101
Now remove the first bit and reverse the order:
0000101 1010000 1110001 1100101 0101011
Now place into one long string:
00001011010000111000111001010101011
And convert to Int64 = 1511813803 = Mon 27 Nov 2017 20:16:43 (edited)
Thanks
CyberChef recently added protobuf support @AmNe5iA
6:27 AM
6:27 AM
Allows you to optionally supply the .proto schema if known
6:28 AM
Can also include a bit more verbosity
OllieD
CyberChef recently added protobuf support @AmNe5iA
CLB_iwhiffin 9/24/2021 6:39 AM
That's cheating 😆
I think it's great to know how to do it manually! But I'm going to be lazy every day of the week on a real device 😂
Just for my FYI, is there a header that indicates it is a protobuf?
Dam
Thanks for the answer but I cannot find the type of activity for car
ScottKjr3347 9/24/2021 9:25 AM
Have you ever wanted to know how fast a vehicle or person was traveling at a particular time? Have you considered acquiring iPhone data to answer that question? The material in this blog will help …
Anyone seen the scenario where they have multiple photographs appearing in the PhotoData/CPL/Derivatives/ that begins with primarysync. I’m trying to figure out what that means. Especially since I don’t have the original versions of the images/videos in DCIM.
Don't take this as gospel, but if I remember right the [primarysync] indicates that the images were part of the iCloud.
I saw that when I searched the forums here.
7:05 AM
But I’m stuck on why I’m not seeing them on the phone. I don’t believe the subject had another device (although possible).
If you're not seeing them in the DCIM, but are seeing them in the CPL assets directory, it could indicate that those images originated from iCloud and were simply backed up onto the device second. If that's the case, that would be why they would be missing from the DCIM.
Sorry. I’m not providing all the facts. The metadata for the photos indicate that they were taken by the device and other evidence shows that the location and time is certainly correct. (edited)
8:45 AM
Is there a way to go to the cloud first and not the device other than deletion? Oddly enough the deleted album has content but not these specific photos.
4N6Matt
Does anyone know much about the calculator vault app by anzenbokusucal ? I'm trying to see if I can get the pass code or recovery phrase from somewhere and would appreciate any pointers. The officers want to ensure we have all the data and want to look inside the vault app.
I don't know if it is a standard pass, but the one I did the pass was 1234=
CLB-dan.techcrime 9/28/2021 1:52 AM
Can anyone help to explain what Activity Log refers to here for Facebook decoded content? (edited)
CLB-dan.techcrime 9/28/2021 2:07 AM
CLB-dan.techcrime
CLB-dan.techcrime 9/28/2021 7:14 AM
Answer solved: it means that the data is not coming from Facebook's Activity Log but rather from the user's posts/comments, friends' posts/comments, messages database, etc.
wildrover5421 9/28/2021 11:39 AM
Does anyone know if an iPhone conducts the authentication process for Apple IDs on any open iMessage threads whether or not the user is actively messaging? I have a phone that was seized on 3/18/21, but according to the idstatuscache.plist there were authentication processes occurring long after that with no corresponding iMessage activity.
Does someone have an idea what the Catacomb directory may be used for? It has a few files like master.cat and user_000001f5.cat inside of it.
Hi! Got some iPhone device locations in Cellebrite PA where the device is confirmed to not have been at a specific time. According to the source file AZSpotlightStorageModel.sqlite-wal it seems to have something to do with Spotlight. Can this be caused by having the Google Maps widget on the Spotlight page, or could something else explain why this occurs? Data from extraction: Source: Google maps Source file: b8762c0177b2a94de94a350f28ef8adb31e4d32e_files_full.zip/private/var/mobile/Containers/Data/Application/51461B99-2318-4315-B62C-087277C2883B/Documents/GMSCacheStorage-AZSpotlightStorageModel/GMSCacheStorage-AZSpotlightStorageModel/AZSpotlightStorageModel.sqlite-wal : 0x1C2941 (Size: 3876952 bytes)
@Cellebrite Hitting an error when trying to export Health data out as a report "Report Generation Error - Self referencing loop detected with Property 'Owner' with type 'Data.Models.Cookie'.Path '[0].Model.Source'. This is using PA 7.48.1.3 using CTF file - Beth. Not sure if anyone has this issue.
@CCC I had something like that last week, kept happening when making a report, I just used the previous version of PA and the report generated fine
Fair enough, I updated to current for CTF
Hi all. Having a physical of a samsung J3 is not enough to decode wickr?
Where's the Frontline for news regarding Apple USB restricted mode v graykey or other BF options?
@Aero Thank you, I just encountered the same error. Strangely it doesn't seem to occur on all our systems using PA 7.48. Any idea what causes this problem @Cellebrite
Yes, same problem, it's this one
luferox
@Aero Thank you, I just encountered the same error. Strangely it doesn't seem to occur on all our systems using PA 7.48. Any idea what causes this problem @Cellebrite
@Aero @CCC this is indeed a bug that will be resolved with the coming release ( 7.49) in about two weeks. as a workaround try to disable the new crypto feature in the case wizard ( when opening the dump you can select/ unselect this option)
Cheers for the info @CLB_TarinW
Anyone come across the message "Unsuccessful voice call" when reviewing Snapchat Chat Messages in AXIOM? I've extracted an iPhone with GK and processed the dump in AXIOM. I'm curious what might've generated this message. I have timestamps of an ongoing call through Snapchat and 1 second before this call ends, I see the mentioned message in the Snapchat conversation. The call is to the same contact that the message is generated
Having issues with Andy now, it launches, but the apps don't appear - is this just me?
@Nitraz_ Did you get any success in decrypting Keepsafe files? I have the files but no App on my suspect phone. I've tried various methods in the online articles with both in working so far.
7:54 AM
Correction to the above....with nothing working so far.
I have located a source using a keyword search of a username which is very important to an investigation. The path shows /root/private/var/mobile/Containers/Data/Application/E7150D43-4733-97AA-C3D7DB28C7C6/Documents/global_scoped/global-scoped-preferences/preferences.sqlite
7:50 AM
is the alphanumeric string between application and documents significant in identifying a specific application?
E7150D43-4733-97AA-C3D7DB28C7C6 - that should be the application GUID
8:00 AM
In PA, sticking that in the keyword box normally finds some folders for you to work it out. Looks like it might be Snapchat from that file structure - https://duffy.app/snapchat
An Introduction: In case you're not familiar with Snapchat - Snapchat is a social media application consumers download on their mobile devices, mostly on the premise of... Using the 'disappearing' snaps feature where a user sends a picture/video to a friend which expires after a few seconds. Using the private messaging
8:00 AM
So check your installed apps and presumably snapchat will have the same GUID
@CCC you are right. Thank you
Great - good luck!
CCC
In PA, sticking that in the keyword box normally finds some folders for you to work it out. Looks like it might be Snapchat from that file structure - https://duffy.app/snapchat
Great article
Ghosted
is the alphanumeric string between application and documents significant in identifying a specific application?
ScottKjr3347 10/1/2021 5:29 PM
FYI, anytime you find a folder at private\var\mobile\Containers\Data\Application\GUID, in the root of that folder you should find the com.apple.mobile_container_manager.metadata.plist, which will list a MCMMetadataIdentifier: AsciiString = the application with which that data is associated.
ScottKjr3347
FYI, anytime you find a folder at private\var\mobile\Containers\Data\Application\GUID, in the root of that folder you should find the com.apple.mobile_container_manager.metadata.plist, which will list a MCMMetadataIdentifier: AsciiString = the application with which that data is associated.
iLEAPP has a report for those and the plugin kit IDs.
FabianoQ
Hi all. Having a physical of a samsung J3 is not enough to decode wickr?
To decode wickr on Android without the password you need to have two files present, kck.wic and kcd.wic. These can be missing due to the user's security settings within Wickr (edited)
Oscar
To decode wickr on Android without the password you need to have two files present, kck.wic and kcd.wic. These can be missing due to the user's security settings within Wickr (edited)
I'll check and post back. Thanks
Brigs
iLEAPP has a report for those and the plugin kit IDs.
I finally tried i/A/LEAPP - I'm very impressed! Took me long enough to get to them
Deleted User 10/4/2021 5:28 AM
Hello, everyone! I searched everywhere and couldn't find an answer to this question - how can I tell if the phone was turned off at a specific time? Is this information getting recorded and stored somewhere? Or is there a way to tell if the phone had its battery discharged? Android phones.
Hey has anyone noticed on iPhone with logical or advanced logical extractions we no longer get any snapchat data? Have noticed this over the past few months. Am I having a bad memory or didn't advanced logical used to pull this information? Using cellebrite to pull and both magnet and cellebrite LA/PA to review.
Deleted User
Hello, everyone! I searched everywhere and couldn't find an answer to this question - how can I tell if the phone was turned off at a specific time? Is this information getting recorded and stored somewhere? Or is there a way to tell if the phone had its battery discharged? Android phones.
You might find some logs under "\data\log\batterystats" or similar file path if you have a FFS.
burgers_N_bytes 10/4/2021 10:50 AM
Where can I find info on where apps get their time stamps from? Network vs device
@Cellebrite Does "location carving" need to be complete before I can export media using Project Vic? All other export options are working currently.
1:06 AM
There also appears to be numerous errors linked to WhatsApp/TAR files, is this being looked into?
LawDawg
Anybody familiar with healthdb_secure? The app that traces direction and distance.
Anyone done some research on this? I have lots of GPS coordinates originating in healthdb_secure.hfd. What triggers these registrations?
Echmyre[FORENTECH] 10/5/2021 3:05 AM
Hi guys, I'm looking for info to find a SQL db or plist that contains messages from the PlayStation Messages application on an iPhone 6s iOS 13 (FFS). I can't find anything although there are many messages. Any idea?
RobW
@Nitraz_ Did you get any success in decrypting Keepsafe files? I have the files but no App on my suspect phone. I've tried various methods in the online articles with both in working so far.
Hello @RobW. No, unfortunately; Keepsafe had been uninstalled by the user so I was unable to decipher these images. (edited)
florus
Anyone done some research on this? I have lots of GPS coordinates originating in healthdb_secure.hfd. What triggers these registrations?
The iOS Health database may be the easiest database to acquire. While other databases need physical file system dumps of the devices, this database can be accessed with an encrypted iOS backup , or possibly an iCloud acquisition . If you happen to have a file system dump these databases can be fou
Does anyone have any idea why a Samsung galaxy a10e sm-s102dl will charge but could not connect Cellebrite or Graykey
Does anyone know where to find more information on the map timeline feature on ALEAPP demoed last year in this video https://youtu.be/-VbNreAFL6I at 12:55. Did the feature ever come out? Does it just show up in the ALEAPP output? @Brigs
brundon
Does anyone know where to find more information on the map timeline feature on ALEAPP demoed last year in this video https://youtu.be/-VbNreAFL6I at 12:55. Did the feature ever come out? Does it just show up in the ALEAPP output? @Brigs
There was some licensing changes regarding the third party queries being used so they had to be removed from iLEAPP. Sorry. 😔
Bummer. Thanks for replying.
Oscar
To decode wickr on Android without the password you need to have two files present, kck.wic and kcd.wic. These can be missing due to the user's security settings within Wickr (edited)
The 2 files are deleted
Deleted User
Hello, everyone! I searched everywhere and couldn't find an answer to this question - how can I tell if the phone was turned off at a specific time? Is this infromation getting recorded and is stored somewhere? Or is there a way to tell if the phone had its battery discharged? Android phones
The stark4n6 write up for the CTF indicates these might help: Dump\data\log\power_off_reset_reason.txt Dump\data\log\power_off_reset_reason_backup.txt
FabianoQ
The 2 files are deleted
Okay, then you likely are out of luck unless you can guess the password
spoon1997
Does anyone have any idea why a Samsung galaxy a10e sm-s102dl will charge but could not connect Cellebrite or Graykey
I have this problem a lot with Samsungs. Usually there is just some pocket lint and gunk in the charging port. If you get some rubbing alcohol on tweezers you should be able to pull it out. Then the cables get a better fit and data transfer works. For some reason charging will work with a gunked-up port but not data.
Someone here has just got a binary from a blackview A80 using the Generic New MTK profile in 4pc. The binary file didn't decode anything in PA and XRY only got basic media. Any ideas?
@Artea it's android 10 go, so should be using FBE. You got non-decrypted extraction and it only decoded non-encrypted data. It's even less than what a typical BFU extraction is
1:51 AM
Don't think it's supported by any tool at the moment
Ah ok! I'll let her know what the issue is 🙂 thanks
FabianoQ
The 2 files are deleted
Is sk.wic still present?
/data\media\0\Download\ .com.google.2kwBCD\ .com.google.Chrome.2kwBcD\Videos\uploads (edited)
7:40 AM
Anyone able to give a nice clear definition of the above?
7:41 AM
So far I have found, "This is a location used by the application Google Chrome web browser for download cache"
I'm swayed towards the disagreement of the above, and just settling for a Google Chrome Cache
@MSAB @Cellebrite Hi, I tried a photon in XRY for signal and I don't have the date and time in the extraction. I can see that information on the screenshot but not in the chat (inside XAMN). I also did the chat capture for signal in UFED 4PC and when I open the extraction in PA I can only see the screenshot but no message (no OCR).
Any iOS gurus out there? iPhone 11; iOS 14.4; GrayKey extraction; location: /private/var/mobile/Library/CallHistoryTransactions/.dat**.00 files, that contain phone numbers, that none of the tools (AXIOM, PA, etc.) parsed. Does anyone have any context on how these get populated? Backups? OS research is not getting me anywhere. Thanks in advance!
Dam
@MSAB @Cellebrite Hi, I tried a photon in XRY for signal and I don't have the date and time in the extraction. I can see that information on the screenshot but not in the chat (inside XAMN). I also did the chat capture for signal in UFED 4PC and when I open the extraction in PA I can only see the screenshot but no message (no OCR).
If you could send the log to support@msab.com I can have a look tomorrow and see if there’s any explanation and see if there’s anything that can be done!
Erumaro
If you could send the log to support@msab.com I can have a look tomorrow and see if there’s any explanation and see if there’s anything that can be done!
Thanks for the reply. I’ll do that tomorrow
ChutzpahAI
Any iOS gurus out there? iPhone 11; iOS 14.4; GrayKey extraction; location: /private/var/mobile/Library/CallHistoryTransactions/.dat**.00 files, that contain phone numbers, that none of the tools (AXIOM, PA, etc.) parsed. Does anyone have any context on how these get populated? Backups? OS research is not getting me anywhere. Thanks in advance!
I just checked 4 of my phones - all GK extractions running iOS 14.4 - 14.7 - and in all devices I only show two empty files in that folder: transactions.log and transaction.log. No .dat**.00 files. I know that's not very helpful to you - but now I'm curious as to why I don't see those files across several devices.
jd1345
I just checked 4 of my phones - all GK extractions running iOS 14.4 - 14.7 - and in all devices I only show two empty files in that folder: transactions.log and transaction.log. No .dat**.00 files. I know that's not very helpful to you - but now I'm curious as to why I don't see those files across several devices.
Thanks man for the reply. Yeah, it almost looks to be a plist in a .plist, so I'm going try and parse them out.... ClassName= CHRecentCall, they have numbers, date, duration, etc....
11:07 AM
and these numbers are not popping anywhere else on the device, so def got me interested as to where they came from
ChutzpahAI
and these numbers are not popping anywhere else on the device, so def got me interested as to where they came from
If you figure it out - please repost - I'd like to know as well and learn why it may not be on every phone!
Joe 🍿🍺 10/7/2021 12:38 AM
Is there a way to easily compare two FFS iOS extractions to find (obvious) differences?
Joe 🍿🍺
Is there a way to easily compare two FFS iOS extractions to find (obvious) differences?
Deleted User 10/7/2021 1:50 AM
I am looking for the same function. I would like to compare two extractions from an iPhone. The difference is that an airtag was paired between the two extractions. (edited)
@Deleted User compare /private/var/containers/Shared/SystemGroup/<GUID>/Library/Database/com.apple.MobileBluetooth.ledevices.other.db and /private/var/containers/Shared/SystemGroup/<GUID>/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db. You can also find info in com.apple.MobileBluetooth.devices.plist
2:43 AM
Here’s how to lawfully access critical evidence from Apple devices using Bluetooth connection data. Bluetooth connections are often a factor in many investigations and can cover a wide range of case types from accident investigations to cases involving proximity to locations. Proving whether a driver was distracted before a fatal accident occurr...
So I have a Samsung galaxy fold 5G which was successfully extracted using Qualcomm live FFS. Decoding in UFED PA has brought back a lot of data... But absolutely no deleted data. Have Samsung improved the data deletion from the databases? (edited)
@Cellebrite forgot to include tag. :)
@MSAB I have a HRY-LX1T I have acquired using XRY, but the decode is only showing media files. During decode I was not asked to disconnect, short etc. Any help would be great. Thanks
@Artea Nothing I've heard but as it's a 710 reconnecting should be required, if you could pop the log over to me/support@msab.com and I can have a look and see if there's any explanation
Artea
@MSAB I have a HRY-LX1T I have acquired using XRY, but the decode is only showing media files. During decode I was not asked to disconnect, short etc. Any help would be great. Thanks
try to decode it as Kirin 710 profile, should prompt you to re-connect. If it still won't decrypt, it may also be patched with recent SPL
Pacman
@Cellebrite forgot to include tag. :)
It's file based, so already much more difficult to recover. I haven't seen a big change in recent time. So most likely it's the FBE aspect that's affecting it most.
CloudCuckooLand 10/7/2021 5:52 AM
Is there any documentation on the XRY python module? We have plenty of scripts that no longer work and it would be helpful to know what changes are needed for modern XRY.
bits_please 10/7/2021 6:45 AM
Anyone have luck decrypting signal.db on android? I have a physical extraction so I'm pretty sure I have all the proper keys needed to decrypt but I can't figure it out. I tried using this blog post: https://rado0z.github.io/Decrypt_Android_Database putting in all the proper keys but cyberchef won't decrypt and says "Unable to decrypt input with these parameters."
bits_please
Anyone have luck decrypting signal.db on android? I have a physical extraction so I'm pretty sure I have all the proper keys needed to decrypt but I can't figure it out. I tried using this blog post: https://rado0z.github.io/Decrypt_Android_Database putting in all the proper keys but cyberchef won't decrypt and says "Unable to decrypt input with these parameters."
Are you able to get a full file system? Some artifacts are only decrypted in a FFS rather than a physical due to FBE.
CloudCuckooLand
Is there any documentation on the XRY python module? We have plenty of scripts that no longer work and it would be helpful to know what changes are needed for modern XRY.
On our Customer portal, Documents section and 'Other' in the left hand menu you will find the Python documentation available.
FullTang
Are you able to get a full file system? Some artifacts are only decrypted in a FFS rather than a physical due to FBE.
bits_please 10/7/2021 6:57 AM
Possibly, I actually didn't do the extraction myself. I'll look into seeing if Cellebrite premium will get a FFS in addition to the physical
Is there a known location which keeps a list of Snapchat user accounts? For example, if a suspect is logging in with their real account, and then logging in afterwards with another account?
Ghosted
Is there a known location which keeps a list of Snapchat user accounts? For example, if a suspect is logging in with their real account, and then logging in afterwards with another account?
I believe there should be more than one user ID under .../user_scoped/... if that is the case. For iOS, not sure about Android
bits_please
Possibly, I actually didn't do the extraction myself. I'll look into seeing if Cellebrite premium will get a FFS in addition to the physical
If you have access to premium, could you not just brute-force the password and look at the contents? If you have a Samsung phone and the password you could do a RAM dump to get the decryption key.
@Oscar I only see one but this could be because it only stores the account which is logged in?
Ghosted
@Oscar I only see one but this could be because it only stores the account which is logged in?
That might be correct. I know I have seen multiple user IDs in an extraction before, but I did not dig much deeper to find out exactly why that was the case.
Oscar
If you have access to premium, could you not just brute-force the password and look at the contents? If you have a Samsung phone and the password you could do a RAM dump to get the decryption key.
bits_please 10/7/2021 9:40 AM
I don't believe bruteforcing the decryption key to signal.db is possible
bits_please
I don't believe bruteforcing the decryption key to signal.db is possible
I mean to the phone
Oscar
I mean to the phone
bits_please 10/7/2021 9:40 AM
Oh I have full access to the phone, no passcode
bits_please
Oh I have full access to the phone, no passcode
Then you should be able to use XRY Photon or OxyAgent to capture the data. Or extract the decryption key from a RAM dump (if it's a Samsung). The thing with Signal is that you need another key to decrypt attachments, according to Cellebrite.
Oscar
Then you should be able to use XRY Photon or OxyAgent to capture the data. Or extract the decryption key from a RAM dump (if it's a Samsung). The thing with Signal is that you need another key to decrypt attachments, according to Cellebrite.
bits_please 10/7/2021 9:48 AM
Not a Samsung. I've got a couple more ideas to try. Thanks for the Photon suggestion, I hadn't thought of that yet.
bits_please
Not a Samsung. I've got a couple more ideas to try. Thanks for the Photon suggestion, I hadn't thought of that yet.
Can you access the application, or is it PIN protected? If it's not PIN protected you can use Signal's backup function and then parse the backup with Axiom, Oxygen or maybe Signal back.
.karate.
Can you access the application, or is it PIN protected? If it's not PIN protected you can use Signal's backup function and then parse the backup with Axiom, Oxygen or maybe Signal back.
bits_please 10/7/2021 10:15 AM
Yeah I think the backup option is my best bet so I'm going to do that next, thanks!
Hey, I have a Samsung Galaxy S7 edge (SM-G935F). Client has the application "My Knox" installed, which is a type of secure folder, and has forgotten their password. I previously read it was possible to retrieve these files through a full file system or physical extraction using Cellebrite, however I don't seem to be able to find anything. Anyone know any methods to locate such files?
iOS routined from a FFS extraction is device specific right?
Trying to decrypt a Signal database. Usually "APPID_USRSKEY_SIGNALSECRET" contains the key. But lately I have only seen USRP (as opposed to USRS); the file is bigger, and I guess it contains a lot more info. Is it structured the same way as USRS, but with a different offset? Has anyone had the chance to do some research on the subject?
@Cellebrite Do you know if there's any issue parsing Viber chat for iOS devices in UFED PA 7.48.1.5? My processing task has been stuck for 17 hours. (edited)
Anyone else had issues running Artex2? It runs fine at home, but at work I get this:
3:19 AM
This then causes it all to fall apart.
@Oxygen Forensics Hello. Why can't Oxygen parse media files (pictures, videos etc.) when importing a Huawei backup (info.xml file) into Oxygen? All media files are encrypted and Oxygen doesn't decrypt them.
Reedsterz
For Cellebrite PA, under the User Dictionary category, we have a few relevant keywords and I notice they're from the Swift keyboard. There's a column named 'Frequency'; I suppose this is the number of times the user selected the word?
Hi! Have you figured this out
jaikl
Hi! Have you figured this out
Not yet
denyzkoo
@Oxygen Forensics Hello. Why can't Oxygen parse media files (pictures, videos etc.) when importing a Huawei backup (info.xml file) into Oxygen? All media files are encrypted and Oxygen doesn't decrypt them.
Oxygen Forensics 10/8/2021 4:35 AM
Hello! If you don't mind I would like to DM you about this issue 🙂
CCC
@Cellebrite Hitting an error when trying to export Health data out as a report "Report Generation Error - Self referencing loop detected with Property 'Owner' with type 'Data.Models.Cookie'.Path '[0].Model.Source'. This is using PA 7.48.1.3 using CTF file - Beth. Not sure if anyone has this issue.
@CLB-Paul
5:23 AM
Apparently @Aero had a similar issue and reverted back
5:24 AM
I'm just throwing myself against Artex whilst weeping at this point, but can test further if needed
I'll check and get back to you
Calling all iPhone experts: Cellebrite has decoded two Apple IDs from a single iPhone. Can I tell which Apple ID was last logged out/logged in etc.? Is it possible to have one Apple ID logged into multiple devices (both phones and computers)?
Pacman
Calling all iPhone experts: Cellebrite has decoded two Apple IDs from a single iPhone. Can I tell which Apple ID was last logged out/logged in etc.? Is it possible to have one Apple ID logged into multiple devices (both phones and computers)?
Accounts3.sqlite, ZUSERNAME where ZACCOUNTDESCRIPTION is iCloud. This should be the currently logged-in account; there are also timestamps for the entries. Yes, it is possible to use the same account for multiple devices at the same time.
Alright, another question. Is it possible to determine if a Web search (safari) was carried out on an iPhone and not on a different device which synced the web history data to the iPhone? I hope this question makes sense!
CCC
Apparently @Aero had a similar issue and reverted back
Inbound fix 7.49
CLB-Paul
Inbound fix 7.49
Getting an error with Griffeye export currently
Pacman
Alright, another question. Is it possible to determine if a Web search (safari) was carried out on an iPhone and not on a different device which synced the web history data to the iPhone? I hope this question makes sense!
Yes. History.db has a column called Origin, 0 indicates on that device, 1 is another one synched
CCC
Yes. History.db has a column called Origin, 0 indicates on that device, 1 is another one synched
That is a massive massive help.
Great, that's what we are here for, right? 😄
is it possible to be able to determine what device it was if it came from a different device?
Yes, you download them all and find the 0
7:55 AM
Sadly not such a compact answer, but does let you know if anything is outstanding
Hmmm well we don't know what other devices were used
7:56 AM
Origin is 1
7:56 AM
No way of finding a list of synced devices anywhere like Find My?
You could probably use that or just login to their icloud.
I'll see if the tokens for their icloud was extracted.
7:57 AM
Thanks for your help.
Pacman
is it possible to be able to determine what device it was if it came from a different device?
Should be able to. Photosqlite may help.
Depending where you are in the world, the login and password alone may be enough.
Rob
Should be able to. Photosqlite may help.
For a web search?
Saw the synched question part
Nuts, I was hoping you knew something cool
I've seen that file at least help identify if a photo has come from icloud etc.
Rob
I've seen that file at least help identify if a photo has come from icloud etc.
It does indeed, I wish this investigation was around photos!
8:02 AM
But it's around web history unfortunately. Thanks all.
8:03 AM
Ye, jumped into it mid way through 😅
Oscar
Accounts3.sqlite, ZUSERNAME where ZACCOUNTDESCRIPTION is iCloud. This should be the currently logged-in account; there are also timestamps for the entries. Yes, it is possible to use the same account for multiple devices at the same time.
Following up on this - I can't seem to see timestamps of when the apple ID logged in/logged out. I only see ZDATE but not sure if these are log in timestamps.
Deleted User
Hello, everyone! I searched everywhere and couldn't find an answer to this question - how can I tell if the phone was turned off at a specific time? Is this information getting recorded and stored somewhere? Or is there a way to tell if the phone had its battery discharged? Android phones.
torskepostei 10/9/2021 10:01 PM
See if you can find the newbatterystats file for the correct timeframe, that file logs the battery percentage on every line and will also log if the phone shuts down. Note that all the timestamps in that log are relative to the entry RESET-TIME, usually found at the top of the file.
Avatar
Avatar
-Kryo-
Hey, I have a Samsung Galaxy S7 edge (SM-G935F). Client has the application "My Knox" installed, which is a type of secure folder, and has forgotten their password. I previously read it was possible to retrieve these files through a full file system or physical extraction using Cellebrite, however I don't seem to be able to find anything. Anyone know any methods to locate such files?
Bumping an older question. Does anyone know any methods to extract files from the samsung "My Knox" app without the password?
Avatar
I've got a Samsung A31 with MTK6768 chipset. Looking for Lock bypass options?
Avatar
Also - at present - what are the options when I have a pool of say 30 passcodes to attempt on an IOS device (14.7 IP12) - are there any tools or processes to allow these attempts without risking the data?
Avatar
TyphoidMeredith/Case 10/10/2021 11:04 PM
I might be able to assist in some capacity
Avatar
Does anyone know where I can look in a mobile extraction of an Android if time settings are set to automatically fetch time by network? I can't look in the phone because it is cracked
Avatar
That setting is stored in the Global Settings located at /data/system/users/0/settings_global.xml In there you can look for the key 'auto_time', value 1 = auto fetch, 0 = manual. If it's an older phone, Android < 4.2, the setting can be found in System Settings. https://developer.android.com/reference/android/provider/Settings.Global#AUTO_TIME
kape 4
Avatar
Avatar
Robin Hood
That setting is stored in the Global Settings located at /data/system/users/0/settings_global.xml In there you can look for the key 'auto_time', value 1 = auto fetch, 0 = manual. If it's an older phone, Android < 4.2, the setting can be found in System Settings. https://developer.android.com/reference/android/provider/Settings.Global#AUTO_TIME
thank you so much😆
Avatar
Mistercatapulte 10/11/2021 6:19 AM
Hi guys
6:20 AM
I am looking for a script or a software allowing to parse Yahoo mail 6.16.2, not seen by PA and very moderately decoded by XRY Thank you (edited)
6:21 AM
i've sent dump to a friend who parsed it with oxygen, all is ok, but no parsing of attachment files...
Avatar
I imagine you could teach PA? If the files are there.
Avatar
Mistercatapulte 10/11/2021 12:36 PM
@CCC I checked directly on the phone in an airplane, and I only have access to very little data in the messaging system, I suppose everything is stored in IMAP.
12:37 PM
This version isn't supported by PA
Avatar
Thanks @Brigs (and who did the research) for adding protonmail decryption. Awesome. Helped me a lot in a case. (edited)
💖 1
👍 1
Avatar
In PA under Passwords I see account, Data, Label. My understanding of these is Account is the username for the application, Data is the password, and label is the application and username. Anyone know if my understanding is accurate.
7:32 AM
Just seemed odd the password is in clear text for the application
Avatar
Sometimes is
Avatar
@Cellebrite Why can I not download cellebrite reader - It gives me an activation code but no actual file...?
Avatar
Mistercatapulte 10/12/2021 9:45 AM
PA 7.49 released guys
👍 2
👀 1
Avatar
@CCC yeah seems to be a glitch. The file link is not there.
Avatar
Forensic@tor 10/12/2021 12:27 PM
I was able to download PA. The link for UFED Touch 2 is missing though
12:27 PM
@CCC I can download the reader.
Avatar
I was able to download the touch 2 and get the install hoping it will get me full file on unlocked A51
Avatar
ThatLukeGuy 10/12/2021 5:43 PM
Searched and could not find. I am looking for a tool to dump db-wal files to a csv or readable format. Any suggestions? I’m sure someone has a tool somewhere.
Avatar
Has anyone done some research regarding Mega on Android?
👍 1
Avatar
DeeFIR 🇦🇺 10/13/2021 12:04 AM
Anything you're after specifically?
Avatar
Avatar
DeeFIR 🇦🇺
Anything you're after specifically?
Anything would help really. I have a lot of files in cache subfolders that are of interest. For example some files are stored in a folder that is called MegaPreview and some under Image_cache.
Avatar
Following this guide from Magnet, https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey on step 5. "Remove the algorithm identifier to get the valid encryption key". How do I do that? No online tools at least decode the hex into a good format.
Avatar
Avatar
TwiZtah
Following this guide from Magnet, https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey on step 5. "Remove the algorithm identifier to get the valid encryption key". How do I do that? No online tools at least decode the hex into a good format.
Cyberchef?
Avatar
Avatar
TwiZtah
Following this guide from Magnet, https://support.magnetforensics.com/s/article/Decrypt-app-data-using-the-iOS-Keychain-and-GrayKey on step 5. "Remove the algorithm identifier to get the valid encryption key". How do I do that? No online tools at least decode the hex into a good format.
If it's a Snapchat example, I've yet to actually see an algo identifier and it's worked after converting base64 to hex without any further adjustments
Avatar
It seems we didn't get the entire key for some reason so I think we are out of luck. Anyone know if the key is time-based? Meaning that it only persists in memory for X amount of time?
Avatar
@Cellebrite Hello everyone. I have a question on my Samsung SM-A520F, I have an active safe folder. If I do binary extraction, will I also get the contents of this folder in UFED Pa? I don't have a password for it.
Avatar
@TwiZtah I have noticed that if the user has logged out then there is no key.
Avatar
Avatar
Zolwik_MF
@Cellebrite Hello everyone. I have a question on my Samsung SM-A520F, I have an active safe folder. If I do binary extraction, will I also get the contents of this folder in UFED Pa? I don't have a password for it.
Dm inbound
Avatar
Avatar
ThatLukeGuy
Searched and could not find. I am looking for a tool to dump db-wal files to a csv or readable format. Any suggestions? I’m sure someone has a tool somewhere.
What are you looking at them in? Cellebrite does. I would have thought any SQL browser would, but I tend to open shm, wal, db at once with DB Browser.
Avatar
ThatLukeGuy 10/13/2021 6:34 AM
PA has parsed the database. I am attempting to validate what PA has done with Axiom. Axiom failed to parse the particular wal file. This means I need to find a tool to parse the file. Opening the wal file in notepad++, I can ctrl+f to find the telegram messages, however the messages are the only readable part.
6:35 AM
@Magnet Forensics perhaps you guys have a workaround?
Avatar
Best tool is Forensic Browser from Sanderson Forensics
8:47 AM
In my opinion the hands down best option for dealing with SQLite DBs and WAL files
👍 2
Avatar
Does anyone have info on the query_predictions.db in iOS? I have an iPhone 6 (11.2.6) with this database and iLEAPP parsed it, but not the sms.db. It has messages in it, but I am not familiar with it or what it is associated with. @Brigs
Avatar
If you have Oxygen, that does a nice job of attributing records back to either the main DB or the WAL @ThatLukeGuy
Avatar
Anyone had any experience with the application Secret Calculator Version 2.8.3?
Avatar
Avatar
coolcalmPC
Does anyone have info on the query_predictions.db in iOS? I have an iPhone 6 (11.2.6) with this database and iLEAPP parsed it, but not the sms.db. It has messages in it, but I am not familiar with it or what it is associated with. @Brigs
Hi. The sms.db is not currently parsed because I was using a third party query whose license is not MIT. If you, or anyone else, sends me an MIT licensed query I will be happy to add it. The database itself is described by the SANS poster as containing traces of iOS and SMS messages. In my experience this has been the case.
Avatar
Avatar
Brigs
Hi. The sms.db is not currently parsed because I was using a third party query whose license is not MIT. If you, or anyone else, sends me an MIT licensed query I will be happy to add it. The database itself is described by the SANS poster as containing traces of iOS and SMS messages. In my experience this has been the case.
Thanks for the info! That was very helpful. Is there a rhyme or reason to these traces?
Avatar
Is there a way to use the keychain from a UFED Checkm8 extraction for protonmail decryption with iLEAPP?
Avatar
@Brigs
Avatar
Avatar
Oscar
Is there a way to use the keychain from a UFED Checkm8 extraction for protonmail decryption with iLEAPP?
Avatar
Avatar
stark4n6
check this out from @Brigs https://www.youtube.com/watch?v=r5KMEhkfouw
Thanks 🙂 Not really any clarification regarding UFED keychains but very useful nonetheless ^^
Avatar
Avatar
Oscar
Thanks 🙂 Not really any clarification regarding UFED keychains but very useful nonetheless ^^
I don't have protonmail so I can't check but UFED may autodecrypt the keychain so you might be able to drop it in and decrypt through iLEAPP
Avatar
Avatar
stark4n6
I don't have protonmail so I can't check but UFED may autodecrypt the keychain so you might be able to drop it in and decrypt through iLEAPP
The keychain is decrypted in PA and all the keys are available in the passwords section, but the data in the keychain is still encrypted if I save the keychain from within PA. Usually we run scripts that print the keys we need to the trace window when we need the keys externally, for parsing with Axiom for example. Is there a way to export a keychain file with decrypted v_Data? @Cellebrite Or if we were able to drop the keys needed directly into iLEAPP to get around the need of reading a proper keychain file. @Brigs (edited)
Avatar
@Law Enforcement [UK] Wondering if anyone can help regarding the photsqlite.db. We have records where we have capture timestamps for 1234.jpg (timestamp found in UFED) and a trash date timestamp for 1234.png (timestamp not seen within UFED). What is the relationship between the .png/.jpg versions?
9:11 AM
i.e., can it be said that the trashed date timestamp for the png can be said to be true for the jpg?
Avatar
Hmm I'm not quite sure of that - PNG are usually screenshots within iPhones
Avatar
Both the jpg and png are in CPLAssets/group493
9:13 AM
So same directory file.
9:13 AM
So we're convinced both are related to the same file
9:14 AM
But since one has a trashed timestamp and the other doesn't, we're unsure on the relationship between the two
Avatar
Has the owner possibly created the PNG as a copy, maybe not converted the way they wanted so trashed it?
Avatar
We believe the PNG is the original.
9:24 AM
The JPG is thumbnails.
Avatar
Wonder if it was trashed on a different device and synched
Avatar
There was definitely some syncing involved.
11:09 AM
But could be the reason
Avatar
FATHEAD7466 10/14/2021 2:56 PM
Talking with D.A. he asked why records show up on CDR from provider and not on the phone itself.
2:58 PM
Phone model: ZTE Z855, running 7.1.1, physical download with UFED 7.8 version.
2:58 PM
3:01 PM
top pic is the CALL LOG, the bottom is the Timeline
3:02 PM
is it possible that the data can be removed from the phone and PA is unable to pick up the deleted data and mark it on the Deleted column.
3:03 PM
incident occurred 8/5/2018 appx 2235. Provider records shows activity between suspect and accomplice, but both phones do not show this activity.
Avatar
Avatar
FATHEAD7466
incident occurred 8/5/2018 appx 2235. Provider records shows activity between suspect and accomplice, but both phones do not show this activity.
Have you tried checking the SQLite databases to see if there is any evidence of deleted entries?
Avatar
Im working on a case with the app Gallery Vault. When I restarted the phone (I think) that some Android system app is killing Gallery Vault on startup. I can't any longer see it among the rest of the apps on the phone. But when i go into Settings - Apps I can see it. But it's not running. The phone is running an older version of Android so I can't just press "Launch" on the app in settings. Any suggestions how to get the app running again?
Avatar
Avatar
Emtek
Im working on a case with the app Gallery Vault. When I restarted the phone (I think) that some Android system app is killing Gallery Vault on startup. I can't any longer see it among the rest of the apps on the phone. But when i go into Settings - Apps I can see it. But it's not running. The phone is running an older version of Android so I can't just press "Launch" on the app in settings. Any suggestions how to get the app running again?
Boot the phone into Safe Mode and try launching it from there?
Avatar
@Emtek adb shell monkey -p com.thinkyeah.galleryvault -c android.intent.category.LAUNCHER 1
Salute 1
3:36 AM
Or you can get the app's main activity with "adb shell cmd package resolve-activity -c android.intent.category.LAUNCHER com.thinkyeah.galleryvault"
3:37 AM
and then start it with am start
Avatar
Does anyone have any information or papers on the VLC application/database for android, more specifically the last played dates of which there seems to be 2 different date columns. Any info on the other tables would also be good, I do plan to do some testing but any pointers before I start would be nice. Thanks!
Avatar
Avatar
Oscar
The keychain is decrypted in PA and all the keys are available in the passwords section, but the data in the keychain is still encrypted if I save the keychain from within PA. Usually we run scripts that print the keys we need to the trace window when we need the keys externally, for parsing with Axiom for example. Is there a way to export a keychain file with decrypted v_Data? @Cellebrite Or if we were able to drop the keys needed directly into iLEAPP to get around the need of reading a proper keychain file. @Brigs (edited)
CLB-drorimon 10/15/2021 6:30 AM
PA doesn't have a built-in feature for exporting a decrypted keychain in a format suitable for iLEAPP, but as you have the data decrypted you can probably create the plist manually.
Avatar
Avatar
CLB-drorimon
PA doesn't have a built-in feature for exporting a decrypted keychain in a format suitable for iLEAPP, but as you have the data decrypted you can probably create the plist manually.
Okay, thanks 🙂
Avatar
Avatar
.karate.
@Emtek adb shell monkey -p com.thinkyeah.galleryvault -c android.intent.category.LAUNCHER 1
forensicmike @Magnet 10/15/2021 8:57 AM
@.karate. out of nowhere with the obscure yet awesome adb commands
Avatar
Avatar
forensicmike @Magnet
@.karate. out of nowhere with the obscure yet awesome adb commands
😘
Avatar
Avatar
Rob
@Law Enforcement [UK] Wondering if anyone can help regarding the photsqlite.db. We have records where we have capture timestamps for 1234.jpg (timestamp found in UFED) and a trash date timestamp for 1234.png (timestamp not seen within UFED). What is the relationship between the .png/.jpg versions?
CLB_iwhiffin 10/15/2021 10:05 AM
For the benefit of anyone else who may like to know, I did some testing. Device 1 = Took a screenshot (Lets call it 1234.PNG) Device 2 = Synced via iCloud. This was the device I examined. If Device 2 is set to "Optimize Storage" then <GUID>.JPG and a 5003.JPG are created in the CPLAssets folder. If Device 2 is set to "Download and Keep Original" then <GUID>.PNG and 5003.JPG are created in the CPSAssets folder. If Device 2 is initially set to "Optimize" and later switched to "Download and Keep Originals", then <GUID>.JPG, <GUID>.PNG and 5003.JPG are found in the CPLAssets folder. (The PNG is created at the time the settings are changed) If Device 2 is initially set to "Download and Keep Originals" and changed to "Optimize", then <GUID>.PNG and 5003.JPG are found in the CPLAssets folder. This potentially may change over time and a JPG created but it didn't during my tests.
Salute 3
💯 4
Testify 1
Avatar
Avatar
Oscar
The keychain is decrypted in PA and all the keys are available in the passwords section, but the data in the keychain is still encrypted if I save the keychain from within PA. Usually we run scripts that print the keys we need to the trace window when we need the keys externally, for parsing with Axiom for example. Is there a way to export a keychain file with decrypted v_Data? @Cellebrite Or if we were able to drop the keys needed directly into iLEAPP to get around the need of reading a proper keychain file. @Brigs (edited)
If you have a Keychain from GK you are good to go. If not you can try the decryption portion in this repo: https://github.com/xperylabhub/ios_keychain_decrypter
👍 4
Avatar
Avatar
FullTang
Have you tried checking the SQLite databases to see if there is any evidence of deleted entries?
FATHEAD7466 10/18/2021 8:45 AM
DB shows no deleted data from dump from phone, but CDR from provider shows activity during incident that occurred
Avatar
Avatar
FATHEAD7466
DB shows no deleted data from dump from phone, but CDR from provider shows activity during incident that occurred
So upon a manual inspection of the SQLite DB shows all primary keys are sequential? Forensic tools may not even indicate that data has been deleted if it can’t decode the deleted data. https://sqliteforensictoolkit.com/sms-recovered-records-and-contacts-3-ways/
In a recent forensic case involving recovered deleted SMS messages from an sms.db file on an IOS mobile device, none of the mainstream mobile phone forensic software made the link between sender and recipient for the recovered records of interest. I have been asked a few times recently about obtaining the third party of a […]
Avatar
I've got a suspect's iPad that shows the screenshot service running at the same time as the creation of two identical jpegs. I can obviously understand the creation of one jpeg, but not two. Any idea how this would occur? It was a screenshot taken of a webpage in Safari and the jpegs were created in the Safari /tmp directory. They are identical except for filenames.
Avatar
testermonkey 10/19/2021 4:30 AM
Afternoon,
Avatar
testermonkey 10/19/2021 4:41 AM
Afternoon, I've got a physical extraction of a Huawei P smart 2019 POT-LX1 using XRY and I've had no problems exporting it to a bin file but I can't import it into PA and decode it correctly. I've tried using the specific profile and android generic profile but neither have decoded the bin properly, I'd like to see more than one decode of this extraction to check some details. Cheers
Avatar
Avatar
testermonkey
Afternoon, I've got a physical extraction of a Huawei P smart 2019 POT-LX1 using XRY and I've had no problems exporting it to a bin file but I can't import it into PA and decode it correctly. I've tried using the specific profile and android generic profile but neither have decoded the bin properly, I'd like to see more than one decode of this extraction to check some details. Cheers
You can't export the bin, it'll be encrypted. You need to export filesystem from XAMN to a directory for PA to work with it (edited)
Avatar
Avatar
FullTang
So upon a manual inspection of the SQLite DB shows all primary keys are sequential? Forensic tools may not even indicate that data has been deleted if it can’t decode the deleted data. https://sqliteforensictoolkit.com/sms-recovered-records-and-contacts-3-ways/
FATHEAD7466 10/19/2021 9:40 AM
This has been very helpful and I will dive into the DB to connect the dots. Thanks very much!
👍 1
Avatar
Added in error (edited)
Avatar
Avatar
CLB_iwhiffin
For the benefit of anyone else who may like to know, I did some testing. Device 1 = Took a screenshot (Lets call it 1234.PNG) Device 2 = Synced via iCloud. This was the device I examined. If Device 2 is set to "Optimize Storage" then <GUID>.JPG and a 5003.JPG are created in the CPLAssets folder. If Device 2 is set to "Download and Keep Original" then <GUID>.PNG and 5003.JPG are created in the CPSAssets folder. If Device 2 is initially set to "Optimize" and later switched to "Download and Keep Originals", then <GUID>.JPG, <GUID>.PNG and 5003.JPG are found in the CPLAssets folder. (The PNG is created at the time the settings are changed) If Device 2 is initially set to "Download and Keep Originals" and changed to "Optimize", then <GUID>.PNG and 5003.JPG are found in the CPLAssets folder. This potentially may change over time and a JPG created but it didn't during my tests.
Had to read that back a few times to myself there haha. Good information
Avatar
Avatar
Grun M6XYT
Had to read that back a few times to myself there haha. Good information
CLB_iwhiffin 10/19/2021 12:17 PM
Thanks; it took a few goes to write it. 🤣
Avatar
Avatar
azkurken
Trying to decrypt a Signal database. Usually "APPID_USRSKEY_SIGNALSECRET" contains the key. But lately I have only seen USRP (as opposed to USRS); the file is bigger, and I guess it contains a lot more info. Is it structured the same way as USRS, but with a different offset? Has anyone had the chance to do some research on the subject?
citizencain 10/19/2021 1:06 PM
Noticed this too, and offline decryption definitely does not work for the private keys (USRP) like it does in the writeups of Signal decryption. (Has anyone seen USRSKEY exist outside of the Signal context?) I'm thinking that the longer key might indicate that it's a hardware-based encryption key, which has to be unwrapped during the acquisition of the device before it can be used.
Avatar
FYI: Use iLEAPP to decrypt ProtonMail in iOS now including attachments. Credit to @GrayShift_Matthieu for the research and code. https://twitter.com/AlexisBrignoni/status/1450265450990931968?s=20
🚨#iOS #ProtonMail decryption update! Updated blogpost by .@xpery adding how to decrypt ProtonMail attachments. As usual it worked like a charm. Implemented now in #iLEAPP as well. 🤡Memes successfully decrypted Blogpost: https://t.co/pEX0bCWY0H iLEAPP: https://t.co/hqj6SdgnfI
👍 2
Avatar
Avatar
Arcain
You can't export the bin, it'll be encrypted. You need to export filesystem from XAMN to a directory for PA to work with it (edited)
Deleted User 10/19/2021 10:47 PM
Unfortunately we can't do that directly in a TAR or a ZIP. So many problems appear.
Avatar
Avatar
Brigs
If you have a Keychain from GK you are good to go. If not you can try the decryption portion in this repo: https://github.com/xperylabhub/ios_keychain_decrypter
GrayShift_Matthieu 10/19/2021 11:05 PM
Decryptor for signalino - Midnight Sun CTF 2021 (GitHub Gist)
UFED KeychainDump Decrypter (GitHub Gist)
Avatar
Anyone who decrypted wickr recently using PA. Never done this before and looking for a good approach. I have a afu extraction of an IPhone. (edited)
Avatar
Hello everyone, WhatsApp was not acquired during parsing. This is the error. A physical copy of a OnePlus One A0001 has been made.
11:30 PM
Avatar
@MSAB Anyone about for a very quick question regarding 9.6?
Avatar
@Rob Sure thing, what's up?
Avatar
Avatar
Arcain
You can't export the bin, it'll be encrypted. You need to export filesystem from XAMN to a directory for PA to work with it (edited)
testermonkey 10/20/2021 1:08 AM
Do you mean to just Export to File instead of using elements? I completely forgot about the encryption bit, i was assuming when i sling it into PA it would give the keys across too.
Avatar
Avatar
Erumaro
@Rob Sure thing, what's up?
I note that it says support for iOS 15. Does that include capture of the keychain? I know a few others are struggling with this atm so just checking 🙂
Avatar
@Rob No just standard Logical in this case and no more advanced support at this time.
Avatar
Avatar
testermonkey
Do you mean to just Export to File instead of using elements? I completely forgot about the encryption bit, i was assuming when i sling it into PA it would give the keys across too.
You can export the file system from either Elements or XAMN Spotlight by simply exporting all the files 🙂 Let me know in case you need any further assistance or guidance!
Avatar
Avatar
Erumaro
@Rob No just standard Logical in this case and no more advanced support at this time.
Sweet, just to confirm, no keychain atm but working on it and just a "live view" style download atm?
👍 1
Avatar
Avatar
Rob
Sweet, just to confirm, no keychain atm but working on it and just a "live view" style download atm?
Correctomundo!
Avatar
Perfect thanks!
Avatar
@Cellebrite someone around for a chat about a report generation error? I'm working in a Reader. "Self referencing loop detected for property 'Owner' with type 'Data.Models.Note'. Path[0].Model.Title'. (edited)
Avatar
Avatar
testermonkey
Do you mean to just Export to File instead of using elements? I completely forgot about the encryption bit, i was assuming when i sling it into PA it would give the keys across too.
No, PA, at least at this point, wouldn't know what to do with them. It needs already decrypted stuff
Avatar
Avatar
Deleted User
Unfortunately we can't do that directly in a TAR or a ZIP. So many problems appear.
You can tell XAMN to make a .zip archive, but it'll still export filesystem to a directory, and then make an archive out of it. Very time consuming and often need to set some exclusions (like all Deleted files) for the export process to work
Avatar
Avatar
florus
@Cellebrite someone around for a chat about a report generation error? I'm working in a Reader. "Self referencing loop detected for property 'Owner' with type 'Data.Models.Note'. Path[0].Model.Title'. (edited)
have the same problem, also in reader
1:28 AM
v7.48.0.49
Avatar
Avatar
OggE
have the same problem, also in reader
Ugh, i have an open PAS with loads of tags. Any idea how to solve this? Open the newest reader?
Avatar
Don't know, I'm just gonna brute force and try to extract the files "manually"
Avatar
Avatar
Arcain
You can tell XAMN to make a .zip archive, but it'll still export filesystem to a directory, and then make an archive out of it. Very time consuming and often need to set some exclusions (like all Deleted files) for the export process to work
Deleted User 10/20/2021 1:38 AM
After long hours trying to do that correctly (with and without support) I never succeeded in doing it correctly 😭
Avatar
@Deleted User i've done that multiple times, it's annoying but does work
🗨️ 1
Avatar
@Cellebrite Iphone A1429 unlocked but display damaged. When it starts, it asks to trust, however, as the display is damaged, I can't give this permission. There will be a way to get over this.
Avatar
Avatar
florus
Anyone who decrypted wickr recently using PA. Never done this before and looking for a good approach. I have a afu extraction of an IPhone. (edited)
If the correct keys are present in the keychain file PA will decrypt Wickr automatically
Avatar
Avatar
GrayShift_Matthieu
Worked like a charm, thanks a lot! 🙂
👍 1
Avatar
Avatar
Oscar
If the correct keys are present in the keychain file PA will decrypt Wickr automatically
So what does it mean when PA ask for the password or dict file :D?
Avatar
Avatar
florus
So what does it mean when PA ask for the password or dict file :D?
Probably that the keychain value is not present
4:34 AM
Anyone aware if Wickr is secured with a digit passcode, or is it also possible to use a string?
Avatar
hi guys... anyone from @Cellebrite to dm me?
👋 1
Avatar
Avatar
r1p4t0b3
@Cellebrite Iphone A1429 unlocked but display damaged. When it starts, it asks to trust, however, as the display is damaged, I can't give this permission. There will be a way to get over this.
If you are not allowed/able to repair the screen you could try to connect a Bluetooth keyboard/mouse to the phone.
Avatar
Avatar
florus
Anyone aware if Wickr is secured with a digit passcode, or is it also possible to use a string?
As far as I am aware it is an alphanumeric password
Avatar
Avatar
manuelevlr
What can this error depend on? @Cellebrite
Avatar
Good day all. I'm wondering if there is any way to decipher the actual filename of this link in a Facebook Messenger conversation pulled from the threads_db2 database in the messages table under the attachment field "\"https://scontent.xx.fbcdn.net/v/t1.15752-9/cp0/e15/q65/p526x296/243321809_613216216514423_2593542407138268385_n.jpg?_nc_cat=105&ccb=1-5&_nc_sid=58c789&_nc_ohc=tGVWZi_aJxIAX8VjIEz&_nc_oc=AQmXVmD4cjKAFINt-StAuyMRV_9tYUTVcZYs9ftFHpErrR2PlhHrWK1L65dhKbsRf-s&_nc_ad=z-m&_nc_cid=0&_nc_ht=scontent.xx&_nc_rmd=260&oh=51762bf474e94e581ceec3036457a9b0&oe=6190E4AD\\\"}\",\"MEDIUM_PREVIEW\":\"{\\\"width\\\":700,\\\"height\\\":700,\\\"src" It's from an Android device. I know this is an image file and I know what the image is as there is luckily a screenshot of the conversation as well. It would be nice however to be able to identify the actual photo. I have located the photo on the phone but none of this matches the file name on the device. Any help is greatly appreciated.
Avatar
Avatar
azkurken
Trying to decrypt a Signal database. Usually "APPID_USRSKEY_SIGNALSECRET" contains the key. But lately I have only seen USRP (as oppose to USRS) file is bigger, and I guess it contains a lot more info. Is it structured the same way as USRS, but with different offset? Has anyone hade the chance to do some research on the subject?
Hi, no research on this, but dealing with an exhibit now and I noticed the same thing, that it was USRP not USRS. I was not able to make the method work. I am looking at another file on an extraction called SecureSMS-preferential.xml that has information in it that may be helpful to others, but to me with my limited knowledge not so helpful. Anyone looked at that file?
Avatar
Avatar
manuelevlr
What can this error depend on? @Cellebrite
Can you reach out to our support team. That’s the best route to take.
Avatar
Avatar
florus
@Cellebrite someone around for a chat about an report generation error. Im working in a reader. "Self referencing loop detected for property 'Owner' with type 'Data.Models.Note'. Path[0].Model.Title'. (edited)
CLB-drorimon 10/20/2021 4:42 PM
There was a bug in 7.48.0. It is fixed in the newer versions.
Avatar
Hello, anyone from @Cellebrite to dm me?
Avatar
Hi! Can I find data about a wickr account on an android?
Avatar
Avatar
stps358
Good day all. I'm wondering if there is any way to decipher the actual filename of this link in a Facebook Messenger conversation pulled from the threads_db2 database in the messages table under the attachment field "\"https://scontent.xx.fbcdn.net/v/t1.15752-9/cp0/e15/q65/p526x296/243321809_613216216514423_2593542407138268385_n.jpg?_nc_cat=105&ccb=1-5&_nc_sid=58c789&_nc_ohc=tGVWZi_aJxIAX8VjIEz&_nc_oc=AQmXVmD4cjKAFINt-StAuyMRV_9tYUTVcZYs9ftFHpErrR2PlhHrWK1L65dhKbsRf-s&_nc_ad=z-m&_nc_cid=0&_nc_ht=scontent.xx&_nc_rmd=260&oh=51762bf474e94e581ceec3036457a9b0&oe=6190E4AD\\\"}\",\"MEDIUM_PREVIEW\":\"{\\\"width\\\":700,\\\"height\\\":700,\\\"src" It's from an Android device. I know this is an image file and I know what the image is as there is luckily a screenshot of the conversation as well. It would be nice however to be able to identify the actual photo. I have located the photo on the phone but none of this matches the file name on the device. Any help is greatly appreciated.
CLB_iwhiffin 10/21/2021 4:25 AM
If it works the same on Android as iOS then it should be 660380798db0ecb1eca9721a419a7d95
Avatar
Avatar
callzor
Hi! Can I find data about a wickr account on an android?
There is the SANS third-party apps poster for Android
Avatar
Avatar
CLB_iwhiffin
If it works the same on Android as iOS then it should be 660380798db0ecb1eca9721a419a7d95
Thank you. However there is no filename on the with that number. Can you tell me which part you decoded to get that number?
Avatar
CLB_iwhiffin 10/21/2021 5:12 AM
I found that it works about 80% of the time... Take the URL and remove "https://scontent.xx.fbcdn.net/v" from the start. Then remove everything after the "n.jpg?" BUT keep the "ccb=1-5" So you end up with "/t1.15752-9/cp0/e15/q65/p526x296/243321809_613216216514423_2593542407138268385_n.jpg?ccb=1-5" which you then MD5. Figuring that out took help from a friend and is time I will never get back...
Hi everyone, is there anyone here well versed in Dumpsys Logs from Android? that might have a second to answer some questions? (i.e. parsing, etc) thanks in advanced!
CLB_iwhiffin
I found that it works about 80% of the time... Take the URL and remove "https://scontent.xx.fbcdn.net/v" from the start. Then remove everything after the "n.jpg?" BUT keep the "ccb=1-5" So you end up with "/t1.15752-9/cp0/e15/q65/p526x296/243321809_613216216514423_2593542407138268385_n.jpg?ccb=1-5" which you then MD5. Figuring that out took help from a friend and is time I will never get back...
Thanks a lot! I'll try it out on the other image links in the chat.
stps358
Thanks a lot! I'll try it out on the other image links in the chat.
CLB_iwhiffin 10/21/2021 8:16 AM
Again, if this is the same as iOS, there may be numerous URLs in each message for the many different versions of the image (such as different dimensions). Not all images are cached.
@Cellebrite anyone available for a chat regarding Cellebrite courses?
@Cellebrite I don't suppose there's a way to find out the password used to protect the ufdr file 😂
Rob
@Cellebrite I don't suppose there's a way to find out the password used to protect the ufdr file 😂
CLB-drorimon 10/22/2021 2:53 AM
I sure hope there isn't 😨
CLB-drorimon
I sure hope there isn't 😨
I would hope not as well, but luckily managed to find the password in the end.
Anyone from @Cellebrite about to discuss replacement ufed touches?
Rob
Anyone from @Cellebrite about to discuss replacement ufed touches?
CLB-dan.techcrime 10/22/2021 4:53 AM
Wrong channel 😉 and wrong platform... you'll have to contact Support for them to commence the RMA process
Does anyone know if android has any additional clipboard stores? I’ve found some within data/clipboard/filename Any additional info on this in general would be handy also, such as is there any time limit on storing here, any if the user clears the clipboard is any info regarding that stored anywhere? Thanks!
I have EXIF data from a picture showing a date and time, 0900 01/01/21 for example, but the image name is IMG_20210101_0941.jpg. I checked the EXIF data and can see both times, 0900 and 0941, in the EXIF data: 0941 is listed under ExifEnumDateTime and 0900 is listed under ExifEnumDateTimeOriginal. Why is this? The phone is an Android 8.1.0 Huawei phone. I am going to test the theory on my test devices but wanted to post this to see if anyone else had seen this before.
1:05 AM
I think I have answered my own question by testing it, if I crop the image it then saves the cropped image, keeps the original exif date/time but creates a new image name.
Has anyone looked into what happens when Exif data related to a photo is adjusted in the iOS 15 Photos app? See e.g. https://9to5mac.com/2021/06/28/change-photo-date-time-iphone-ios-15/. Is it possible to detect the adjustment after extraction/acquisition of the phone?
This guide with screenshots covers how to change photo date/time and location on iPhone in iOS 15 for individual or multiple images.
Anyone from @Oxygen Forensics available for a quick message?
stephenie
Anyone from @Oxygen Forensics available for a quick message?
Oxygen Forensics 10/25/2021 2:29 AM
Of course. DM'd 🙂
thms
Has anyone looked into what happens when Exif data related to a photo is adjusted in the iOS 15 Photos app? See e.g. https://9to5mac.com/2021/06/28/change-photo-date-time-iphone-ios-15/. Is it possible to detect the adjustment after extraction/acquisition of the phone?
Haven't seen anything yet, but now I'm gonna keep an eye out for something
Anyone from @MSAB lingering?
Rob
Anyone from @MSAB lingering?
Tobias is usually here, but for once I was quicker! What's up?
MSAB_Sofia
Tobias is usually here, but for once I was quicker! What's up?
If I pm a log, who'd be better at looking at it 😛
5:20 AM
Just need to get some confirmation my physical is a physical of the entire device.
You can DM me, and I'll have a look.
@Cellebrite Has anything changed with location carving? Seems to take longer nowadays.
Rob
@Cellebrite Has anything changed with location carving? Seems to take longer nowadays.
DM Please
Any1 from @MSAB in?
@Kar Sure, what's up? 🙂
thms
Has anyone looked into what happens when Exif data related to a photo is adjusted in the iOS 15 Photos app? See e.g. https://9to5mac.com/2021/06/28/change-photo-date-time-iphone-ios-15/. Is it possible to detect the adjustment after extraction/acquisition of the phone?
CLB_iwhiffin 10/25/2021 2:57 PM
It appears it just changes the database values but the EXIF remains unchanged. (This includes the EXIF in the database and the image itself). I’ll check it again tomorrow and see if it does propagate.
CLB_iwhiffin
It appears it just changes the database values but the EXIF remains unchanged. (This includes the EXIF in the database and the image itself). I’ll check it again tomorrow and see if it does propagate.
Interesting… I just took a quick look and I am seeing changes to the image metadata itself. This is from 2 images airdropped to my MacBook
Brandon E
Interesting… I just took a quick look and I am seeing changes to the image metadata itself. This is from 2 images airdropped to my MacBook
CLB_iwhiffin 10/25/2021 4:41 PM
I’ll check that and document what I find. Would be interesting if it makes changes upon being sent.
CLB_iwhiffin
I’ll check that and document what I find. Would be interesting if it makes changes upon being sent.
It looks like there may be something going on there. I am working on some video files now and am seeing some interesting things depending on file movement that I have not seen before. I don’t know how far down the rabbit hole I will go tonight but will keep you posted.
@MSAB Hi, I try to open an extraction and it says "sharing violation". The extraction is not open on any computer. I opened it yesterday and closed it, and today it says sharing violation. Any idea how to open it, or do I have to make another extraction again?
@Dam Have you tried making a copy of the file and see if the copy opens? I believe that has done the trick in the past
Erumaro
@Dam Have you tried making a copy of the file and see if the copy opens? I believe that has done the trick in the past
Well, I think there is a problem somewhere because I can't even delete it. I just did another extraction. It's a Nokia TA-1034 (only 4 MB). I did the trick to decode using Doro prim 366 👍
@Cellebrite Hi,, I have a FFS of an iPhone 12. I am looking for snapchat. PA parsed the chat but there is no picture. I can see the pictures in the phone so I presume the attachments might be somewhere in a database. Is it a problem of decoding?
azkurken
Trying to decrypt a Signal database. Usually "APPID_USRSKEY_SIGNALSECRET" contains the key. But lately I have only seen USRP (as opposed to USRS); the file is bigger, and I guess it contains a lot more info. Is it structured the same way as USRS, but with a different offset? Has anyone had the chance to do some research on the subject?
forensicmike @Magnet 10/26/2021 7:32 AM
Nancy_VPD
Hi, no research on this, but I'm dealing with an exhibit now and I noticed the same thing, that it was USRP not USRS. I was not able to make the method work. I am looking at another file on an extraction called SecureSMS-preferential.xml; it has information in it that may be helpful to others, but to me with my limited knowledge not so helpful. Has anyone looked at that file?
forensicmike @Magnet 10/26/2021 7:44 AM
On modern Android devices, files representing keystore entries are encrypted using a key that cannot be extracted and does not reside in the filesystem at all. This is why runtime keystore extraction is necessary. The keystore files you've come across likely contain not the key but ciphertext of the key. I say likely because it is still hardware dependent. An emulator, for instance, does nothing to protect the keys at rest and you can read the corresponding file at a given offset. There are some other restrictions too detailed here: https://developer.android.com/training/articles/keystore#ExtractionPrevention It's similar with iOS (and has been for a long time): there is a SQLite database containing keychain data in every full filesystem, but if you open it you'll see that most columns, including the key, are encrypted. You need to interact with (and abuse) the Apple keychain APIs if you want to decrypt them. (edited)
Brandon E
It looks like there may be something going on there. I am working on some video files now and am seeing some interesting things depending on file movement that I have not seen before. I don’t know how far down the rabbit hole I will go tonight but will keep you posted.
CLB_iwhiffin 10/26/2021 8:31 AM
It appears that the original database is updated with the changes but the original photograph EXIF remains unchanged. But sending the photo (such as via Airdrop) will send an image with the adjusted data. There's a little more to it than that. Too much to write on a discord post. I'll write it up as a blog post tonight.
CLB_iwhiffin
It appears that the original database is updated with the changes but the original photograph EXIF remains unchanged. But sending the photo (such as via Airdrop) will send an image with the adjusted data. There's a little more to it than that. Too much to write on a discord post. I'll write it up as a blog post tonight.
Cool! Looking forward to it. I hope to share some info on video files soon.
Brandon E
Cool! Looking forward to it. I hope to share some info on video files soon.
CLB_iwhiffin 10/26/2021 6:45 PM
Great write up! Thanks!
Is it possible to parse an .e01 copy using Physical Analyzer? (A physical copy of a microSD was made using FTK Imager.)
Mistercatapulte 10/27/2021 1:24 AM
@manuelevlr yes
1:26 AM
@manuelevlr
Thanks
Mistercatapulte 10/27/2021 2:16 AM
yw
Hi, does anyone know if it's possible to decode a whatsapp db with crypt12 (without the key)?
Has anyone compiled a list of ZMESSAGETYPE values from the ZWEMESSAGE table from an iOS WhatsApp DB? I have about 30 records with message type 10's and they have NULL ZTEXT values and nearly identical timestamps.
wcso_pete
Has anyone done an LG L125DL flip phone with Cellebrite? I was able to do a generic Qualcomm decrypting physical on the device, but PA doesn't parse any of the data (I'm guessing since it is running AOSP?). Any thoughts on what chains I should try and load to read the data?
Any luck with this?
Question: If i get a full file system of an iPhone will i find signal messages in the report? @Cellebrite
You need keychain if it comes out. It should. Unless there has been changes recently
NL - Jordi Strörmann 10/27/2021 11:11 PM
Has anyone done some digging into the photos.sqlite on different iPhones? I have an iPhone 8 (running 15.0) where the ZCLOUDMASTER table shows me more columns (very relevant ones containing information on which app placed the picture in the DCIM folder, like WhatsApp or Snapchat) than on an iPhone X (running 14.0.1). I checked a previous extraction of my iPhone 8 while it was still running 14.3, and the columns are also 'missing'. Might these be created when upgrading to 15.0?
Dam
@Cellebrite Hi,, I have a FFS of an iPhone 12. I am looking for snapchat. PA parsed the chat but there is no picture. I can see the pictures in the phone so I presume the attachments might be somewhere in a database. Is it a problem of decoding?
Please see DM
@Cellebrite What's the difference between "Chats/Native Messages", "Instant Messages/Nativ", "Instant Messages/Native Messages" and "Instant Messages/Phone", e.g. on an iPhone Xs? (edited)
Karlsson
@Cellebrite What's the difference between "Chats/Native Messages", "Instant Messages/Nativ", "Instant Messages/Native Messages" and "Instant Messages/Phone", e.g. on an iPhone Xs? (edited)
https://www.youtube.com/watch?v=gdU6Kz-OpqU Nice explanation of Heather 😁
Oscar
I've just encountered WeChat for the first time, in a logical extraction of an SM-N986F. PA asks me for the IMEI to decrypt the data and I've tried both of the IMEIs present in the phone without success. Is there something I am missing, or do I need an FFS to parse WeChat? @Cellebrite (edited)
Deleted User 10/28/2021 4:59 AM
Have you got any answer about that?
5:00 AM
I'm in the same case and it's not a false positive
Deleted User
Have you got any answer about that?
I believe XRY decodes it in its next update, so it should be supported now if it's the same version as me (edited)
Deleted User 10/28/2021 5:02 AM
If I import UFD in XRY ? This is what you mean?
mond4y_morNin6 10/28/2021 5:03 AM
Does anyone know if gmm_storage.db for Google Maps data on an Android device contains timestamps? I've parsed my extraction in Axiom and am getting info on Origin/Destination but no timestamps associated with them. If so, is there a tool i can use to parse just this database and get that data? It appears the data is stored in BLOB format in the db.
Been having a go at trying to decode/unlock the secure_database,db present in the new CIPHR Lite application - anyone else had any luck/ experience with it so far?
Mistercatapulte 10/28/2021 5:23 AM
Hi guys, I have an FFS from an iPhone 11 on iOS 14.1. I don't find the Signal key in the keychain, and nothing is parsed of course. Any idea?
@Oscar @Deleted User I believe they changed the encryption method a couple of months back so that they no longer use the IMEI for decryption which we resolved in the 9.5.1 micro release 🙂 (edited)
Erumaro
@Oscar @Deleted User I believe they changed the encryption method a couple of months back so that they no longer use the IMEI for decryption which we resolved in the 9.5.1 micro release 🙂 (edited)
Deleted User 10/28/2021 5:31 AM
ok ! Thanks Tobias
NL - Jordi Strörmann
Has anyone done some digging into the photos.sqlite on different iPhones? I have an iPhone 8 (running 15.0) where the ZCLOUDMASTER table shows me more columns (very relevant ones containing information on which app placed the picture in the DCIM folder, like WhatsApp or Snapchat) than on an iPhone X (running 14.0.1). I checked a previous extraction of my iPhone 8 while it was still running 14.3, and the columns are also 'missing'. Might these be created when upgrading to 15.0?
ScottKjr3347 10/28/2021 6:35 AM
I've been working on updating my iOS 14 query so that will work on iOS 15 and yes there is new data and changes to some of the column names with iOS 15.
ScottKjr3347
I've been working on updating my iOS 14 query so that will work on iOS 15 and yes there is new data and changes to some of the column names with iOS 15.
NL - Jordi Strörmann 10/28/2021 6:54 AM
Yeah they moved it from ZCREATORBUNDLEID to ZIMPORTEDBYBUNDLEIDENTIFIER.
6:57 AM
I'm just diving into these photo databases on iOS, mainly to get an answer on the question I get the most: where does this picture come from and was it taken with this phone. Anyone with some good info or readups, please let me know. I'm checking the WhatsApp and Snapchat applications now (since our 'clients' prefer these).
Me and @Cygonaut just posted a script to parse temporary Snapchat files and connect them to their conversation/message. Have fun! https://github.com/DFIR-HBG/ParseSnapchat
iOS Snapchat parser for chats and cached files. Contribute to DFIR-HBG/ParseSnapchat development by creating an account on GitHub.
Hi all! I’m an intel analyst looking at @Cellebrite extraction report for a Samsung Galaxy S7. Is the value the exact wordings that the phone user typed in/searched? What does the timestamp represent? How are these records generated? Thanks!
Nooka
Hi all! I’m an intel analyst looking at @Cellebrite extraction report for a Samsung Galaxy S7. Is the value the exact wordings that the phone user typed in/searched? What does the timestamp represent? How are these records generated? Thanks!
DeeFIR 🇦🇺 10/28/2021 2:08 PM
You might want to clarify which artefact you’re looking at, where you’ve found these values, which time stamps you’re looking at, etc.
DeeFIR 🇦🇺
You might want to clarify which artefact you’re looking at, where you’ve found these values, which time stamps you’re looking at, etc.
Thanks @DeeFIR 🇦🇺. Much appreciated. I got some assistance from @CLB_iwhiffin in DMs, and got things clarified. I wish I was a digital forensic examiner in addition to an intelligence analyst! It would make my life easier. 😅
Does anyone know what the file "log-bb-live-stats.txt" is? I found it in Axiom on an iPad Mini 4.
zero00796
Does anyone know what the file "log-bb-live-stats.txt" is? I found it in Axiom on an iPad Mini 4.
DeeFIR 🇦🇺 10/28/2021 4:54 PM
I think it's an error log/system state log
Thank you
Hans Leißner 10/28/2021 9:45 PM
Is there any possibility to import an .xry extraction (Kirin testpoint dump) into Oxygen or UFED? Both software suites can't parse the file structure of the .xry file container. Any suggestions? 😊 Thanks a lot. Edit: nevermind. Found a post here with the search function: import xry (edited)
Stevie_C
Have a look here. Similar question was posed regarding importing from XRY to PA. https://discord.com/channels/427876741990711298/427877097768222740/746313149854253187 . A read through the posts and following the links should help you out
Hans Leißner 10/28/2021 10:06 PM
👍🏻
Deleted User 10/28/2021 11:57 PM
Can someone from @Cellebrite explain why, in CLBX format, I can have that on a 128 GB device?
Deleted User
Can someone from @Cellebrite explain why, in CLBX format, I can have that on a 128 GB device?
CLB-dan.techcrime 10/29/2021 12:20 AM
From our iOS team leader: It's not a bug per se, rather, we're pretty sure, a result of copy on write. There is no simple way to handle it in clbx (or most other archives). Even when we solve the extraction size one way or the other we would still have challenges running it through PA
Deleted User 10/29/2021 12:28 AM
Ok, thanks for explaining.
After reading about the ability to 'Adjust' timestamps of pictures taken on iOS 15, I tested it out. For the most part the thing does what it says on the tin BUT I did notice changing the date on the picture in Photos on iOS 15 did change the date in the EXIF data and if I AirDrop the picture to a Mac, it reports the EXIF as being the adjusted date, which is what I would expect. However, if I connected my test iPhone X running 15.1 to my Macbook via a cable and imported the picture into Photos, the original date and time were still there! No mention of the date I had adjusted it to previously...
I haven't tested to see if PA reports both timestamps yet but will do next week. I can only imagine it is caused by the ability to revert the change so it keeps the original date/time. (edited)
Anyone ( @Cellebrite ) can share a list of graphics cards that are definitely supported by P.A. for image classification? When I run it on my workstation it says my hardware is not supported, so the procedure will take much longer. I'm willing to upgrade but would like to be sure to get a supported graphics card. Currently have an NVIDIA QUADRO K4200. Thanks.
Anyone familiar with 5005.jpg images? I know they are a smaller-sized image of the original but I would like to explain more, such as: Are they only created for screenshots? Are they displayed to the user in some form? Where can I find more metadata in cases where the original file is gone?
Andrew Rathbun 10/30/2021 1:33 PM
Can someone help me understand IPhone screenshot artifacts I obtained from an IPhone 7. I have two identical screenshots in two different file locati...
Matt
Anyone familiar with 5005.jpg images? I know they are a smaller-sized image of the original but I would like to explain more, such as: Are they only created for screenshots? Are they displayed to the user in some form? Where can I find more metadata in cases where the original file is gone?
PM
Zhaan
I haven't tested to see if PA reports both timestamps yet but will do next week. I can only imagine it is caused by the ability to revert the change so it keeps the original date/time. (edited)
CLB_iwhiffin 11/1/2021 5:19 AM
Hi Zhaan, did you see my blog post about this? PA doesn't really take advantage of the photos.db yet, so all data is pulled from the images themselves. If the photo being examined was taken on the device being examined then you will see the original, unadjusted EXIF. If it was received by the device being examined then it will be the adjusted data, as the photo EXIF data was modified on being sent.
Arcain pinned a message to this channel. 11/1/2021 5:24 AM
@CLB_iwhiffin Can you point me to your blog post about photos.db
Ghosted
@CLB_iwhiffin Can you point me to your blog post about photos.db
CLB_iwhiffin 11/1/2021 6:33 AM
MetaStig
Hello! After some slight difficulties I finally managed to use sboot_dump to dump the memory of a Samsung S9. However I am not having any luck with PA decrypting the Samsung Health DB. Grep-ing does show some keys, but while monitoring the trace window I cannot help but notice that the parser "SbootDumpPasswords" is missing/not run.. So the big question is.. Where have I messed up? Anyone been successful in running it that might share some insight? Have been following this guide: https://www.cellebrite.com/en/blog/decrypting-databases-using-ram-dump-health-data/
Hi, did you get any response on this? It seems that the SbootDumpPasswords parser has disappeared @CLB-Paul, can you help me?
mr.rookay
Hi, did you get any response on this? It seems that the SbootDumpPasswords parser has disappeared @CLB-Paul, can you help me?
So, unfortunately, it was a proof of concept from us. The GitHub repo is from 2019; I don't see that it was updated. Where was it failing?
CLB-Paul
So, unfortunately, it was a proof of concept from us. The git hub is from 2019, dont see it was updated. Where was it failing?
Well, I'm using PA 7.49 and don't see a SbootDumpPasswords parser in the trace window and plugins.
CLB-Paul
So, unfortunately, it was a proof of concept from us. The git hub is from 2019, dont see it was updated. Where was it failing?
So there seems to be a problem with my folder structure. I've created a folder 'memdump' and within that folder the folder 'memory' containing the memory files. Then changed the .ufd with Memory=memdump [Memory] Type=Folder and now the SbootDumpPasswords is working
good evening, are there any open source software that allows you to parse an instagram backup (.ab)?
@Cellebrite Hi, I tried to parse Telegram chat from an Android phone. The database cache4.db contains the messages in a readable format, but nothing appears in the chat view in PA (7.49).
Dam
@Cellebrite Hi, I tried to parse Telegram chat from an Android phone. The database cache4.db contains the messages in a readable format, but nothing appears in the chat view in PA (7.49).
What Telegram version is it?
Aero
What Telegram version is it?
8.1.2
3:04 AM
Same problem with xry
Do you have access to Oxygen? (edited)
In their newest release they state they support 8.1.2, I'm currently decoding this extraction in Oxygen for the exact same reason that you have
We definitely need oxygen
Dam
No 😥
I'll let you know if it works, you can always see if you can get a trial license or I'm sure UFED/XRY wont be too far behind with supporting it tbh
Thanks for your message 🙏🏻
Hancom is also good for Telegram
backward_future 11/2/2021 10:36 AM
I have an Apple device with a MAC that doesn't match any published OUIs from IEEE. There is no known history of repair on this device. Does anyone find this weird?
10:39 AM
maybe I'll move this to network-for
Has anyone here looked into the database MapsSync_0.0.1 from Apple Maps? I have an entry in this database in table ZHISTORYITEM with an address and GPS-coordinates of interest. There is a column in this table called ZQUERY. If this has the value of null for the address of interest, how has this been stored in the database? If you ask me, the user hasn't specifically searched for this address, considering the null value
danielj91
Has anyone here looked into the database MapsSync_0.0.1 from Apple Maps? I have an entry in this database in table ZHISTORYITEM with an address and GPS-coordinates of interest. There is a column in this table called ZQUERY. If this has the value of null for the address of interest, how has this been stored in the database? If you ask me, the user hasn't specifically searched for this address, considering the null value
It could be a default query. Say you search for a city; Apple Maps will then give you a location in that city that is determined by the app. Unsure if it's the same artifact, but this was the case for me.
Dam
@Cellebrite Hi, I tried to parse Telegram chat from an Android phone. The database cache4.db contains the messages in a readable format, but nothing appears in the chat view in PA (7.49).
Telegram 8.1.2 is parsed OK with PA 7.50(will be available early next week) see DM for more details
theAtropos4n6 11/3/2021 10:42 PM
Does anyone have some sort of script for decrypting Private Photo Vault on iOS/Android that they wouldn't mind sharing? (edited)
OggE
It could be a default query. Say you search for a city; Apple Maps will then give you a location in that city that is determined by the app. Unsure if it's the same artifact, but this was the case for me.
Hi OggE, cheers for the quick response. Yeah I can see that being the case for me too. But wouldn't there be an entry in close proximity with a value in column ZQUERY in that case? The most recent entry is a little over 24h from the entry of interest. AXIOM is categorizing the artifact as "Apple Map Searches"
danielj91
Hi OggE, cheers for the quick response. Yeah I can see that being the case for me too. But wouldn't there be an entry in close proximity with a value in column ZQUERY in that case? The most recent entry is a little over 24h from the entry of interest. AXIOM is categorizing the artifact as "Apple Map Searches"
Unsure, could be the app determined it unnecessary to store for a city query. In my case it was also an Apple Map Searches artifact, if I remember correctly.
hangulgizmo 11/4/2021 6:12 AM
Anyone else running into extended decoding times for ios full file extractions? I did not set up any additional tasks (carving, et al). It's a 60GB extr and its been parsing overnight. Just curious. (Phys Analyzer v 7.49.0.28) (edited)
CloudCuckooLand 11/4/2021 7:28 AM
My XRY decode of a Huawei physical is crashing on processing thumbnails - is there a fix or a workaround? I have video thumbnail generation disabled but there isn't an equivalent for picture thumbs.
CloudCuckooLand
My XRY decode of a Huawei physical is crashing on processing thumbnails - is there a fix or a workaround? I have video thumbnail generation disabled but there isn't an equivalent for picture thumbs.
I would advise you go to the Control Panel>Programs and Features and uninstall the WebP Codec XRY has installed, then run a redecode. We have seen a few crashes relating to this and Huawei Kirin dumps. If you are still having issues let me know!
CloudCuckooLand 11/4/2021 8:32 AM
@Erumaro Ahhh it's that problem. Not done that fix on this PC yet. Thanks.
hangulgizmo
Anyone else running into extended decoding times for ios full file extractions? I did not set up any additional tasks (carving, et al). It's a 60GB extr and its been parsing overnight. Just curious. (Phys Analyzer v 7.49.0.28) (edited)
FATHEAD7466 11/4/2021 10:04 AM
We have seen an increase in long decoding times as well. We built our own i9 ROG tower with M.2 drives,
10:05 AM
thats even with a 20GB FFS download
Anyone familiar with the biome/streams/public/appintent/local path on IOS devices?
theAtropos4n6
Does anyone have some sort of script for decrypting Private Photo Vault on iOS/Android that they wouldn't mind sharing? (edited)
magnet axiom sorted this out for me from a ufed extraction, if you have access to such things.
CCC
magnet axiom sorted this out for me from a ufed extraction, if you have access to such things.
theAtropos4n6 11/4/2021 11:26 PM
Oh thank you! I will check this out ASAP
Good morning. Can someone point me where to look for the current device timezone in Physical Analyzer? It is not reported under the extractions summary. This is a full filesystem done using Qualcomm Live. I am not sure which DB to look into to find this information. Thanks in advance!
mond4y_morNin6 11/5/2021 8:28 AM
Is there anyone from @Magnet Forensics available to discuss decoding of Google Maps destinations data from the gmm_storage.db of an android phone?
krisc#21223 11/5/2021 10:03 AM
Does anybody have a good parser for Snapchat My Data downloads directly from Snapchat.com, not a warrant return but what the user has direct access to? Tried Axiom, PA, and Griffeye with no results.
Looking for someone from @Cellebrite to clarify "Last Logged in" under Device Users from an Android Full Filesystem. What does this mean exactly? I need to articulate it in court. Thank you.
What is your source file
stps358
Good morning. Can someone point me where to look for the current device timezone in Physical Analyzer? It is not reported under the extractions summary. This is a full filesystem done using Qualcomm Live. I am not sure which DB to look into to find this information. Thanks in advance!
ScottKjr3347 11/6/2021 12:12 AM
SQLite databases are a self-contained database stored as a file system file (but may have a few supporting files that will also be needed for analysis!) Files have the magic number “SQLite format 3.” SQLite files correspond to a database that contains tables. Tables contain rows of data with corresponding columns that describe the data in the ro...
Does anyone know if there is a way to fix an MSAB XRY file saying it's truncated, or recover any data from it? Seems to have been corrupted somehow.
Doesn't seem to be an @MSAB generic?
2:30 AM
Or apparently there is.
@CCC DM! 🙂
theAtropos4n6 11/8/2021 2:53 AM
Good morning all. I have 3 iOS iTunes backups of the same device on a Windows machine. Does anyone know of, or has anyone tried, parsing them all at once with one tool in order to combine their artifacts?
Only way I know at all is via ibackupbot
If you have PA, you can chuck them into that.
CCC
Only way I know at all is via ibackupbot
theAtropos4n6 11/8/2021 3:27 AM
Thank you! So, essentially my problem is probably that these are incremental backups. For example, AXIOM parsed these backups and returned me some valuable kik chats. When investigating the source file of the artifacts, I found out that this kik's sqlite was stored within the 1st backup folder. However, when reviewed Info.plist and Manifest.plist files of each of these 3 backups, I noticed that kik was installed in the latest backup not the other two. Some type of merge takes place between the backups which I cannot determine/validate/verify.
Avatar
Avatar
Rob
If you have PA, you can chuck them into that.
theAtropos4n6 11/8/2021 3:27 AM
Thank you I will give it a try (edited)
Avatar
Avatar
Rob
If you have PA, you can chuck them into that.
I could not get it to work. What's the process?
3:37 AM
I would have thought it's add files but didn't do much
Avatar
From memory, go to advanced, select device, type itunes and it should give you an option to.
Avatar
What is your "go to" to decode Facebook lite?
Avatar
Afternoon all, does anyone know if the android version of VLC has the equivalent of the windows vlc-at-interface.ini, for recently played media? Currently struggling to find anything similar so any pointers greatly appreciated!
Avatar
A question regarding Physical Analyser - is there a way to search the extraction for a list of words and include the hits in a report, besides searching word for word and tagging them?
Avatar
@dotmatrix You can add watch lists
Avatar
@Bob Ross Check out ALEAPP. But you can see timestamps in VLC database if you wanna check manually.
Avatar
Avatar
Oscar
@dotmatrix You can add watch lists
Just what I was looking for. Thanks!
Avatar
Does anyone know anywhere in an iPhone filesystem extraction where I can see what value the display "Auto-Lock" is set to, and maybe how many fingerprints have been added to a device? I can look at the device, however I am wondering if this data can be viewed manually. - Thank You
Avatar
Avatar
LAmbrose
Does anyone know anywhere in an iPhone filesystem extraction where I can see what value the display "Auto-Lock" is set to, and maybe how many fingerprints have been added to a device? I can look at the device, however I am wondering if this data can be viewed manually. - Thank You
Forensic Question: A classmate of mine contacted me and posed a question, “Where in an iPhone extraction is the Display Auto-Lock setting stored?” Thanks, Tyler Wuestenhagen, for posing the questio…
Avatar
theAtropos4n6 11/8/2021 9:14 AM
Does anyone know how iTunes incremental iOS backups are structured within Windows? I found data files from the latest backup within the folder of the older one. In particular, Kik application was installed shortly before the latest backup but I found Kik chat db within the folder of the oldest backup. When trying to validate file names and paths from corresponding Manifest.db files, I cannot find Kik chat db in any of them (edited)
Avatar
@Cellebrite when will the new Physical Analyzer be available?
Avatar
Is anyone aware of any practicals to prepare for the Cellebrite CCME? My chain of command would like me to complete this before the end of the year but I feel like I need more practice, especially with Android phones.... Thanks! #training-education-employment, too.
Avatar
mond4y_morNin6 11/8/2021 11:35 AM
I am still looking for any information on timestamps for Google Maps Directions stored in gmm_storage.db on an Android phone. Data is being parsed out of this database by @Magnet Forensics Axiom, but no timestamps are shown. @Cellebrite doesn't appear to be parsing the data, but I can manually review the blob data in PA, whereas I cannot in Axiom. Does anyone have any more knowledge of this database?
Avatar
Avatar
mond4y_morNin6
I am still looking for any information on timestamps for Google Maps Directions stored in gmm_storage.db on an Android phone. Data is being parsed out of this database by @Magnet Forensics Axiom, but no timestamps are shown. @Cellebrite doesn't appear to be parsing the data, but I can manually review the blob data in PA, whereas I cannot in Axiom. Does anyone have any more knowledge of this database?
I don't have any Android dumps on this computer. If I can, I will look tomorrow to see if I can see anything. You've piqued my curiosity.
👍 1
Avatar
Avatar
manuelevlr
@Cellebrite when will the new Physical Analyzer be available?
The PA 7.50 is available as a Pre-Release version in MyCellebrite
Avatar
Avatar
idokal
The PA 7.50 is available as a Pre-Release version in MyCellebrite
For me there is no version 7.50 and only 7.49 that I can download.
Avatar
Deleted User 11/9/2021 12:34 AM
Same here, new date of update but no new version
Avatar
A Pre-Release version is what the Beta version used to be (a version that is distributed to users so they can share feedback; it is released a week before the official release). You need to register in order to have it available in your community page; I'll send the link in DM.
☝️ 1
Avatar
Avatar
Oscar
Me and @Cygonaut just posted a script to parse temporary Snapchat files and connect them to their conversation/message. Have fun! https://github.com/DFIR-HBG/ParseSnapchat
Is support for stuff like this in the works or already ready for upcoming releases? @Cellebrite @Magnet Forensics @MSAB (edited)
Avatar
Under Device History Location in PA there is a Precision column which has things like "Horizontal 16.5". Can someone explain this?
Avatar
Avatar
Oscar
Is support for stuff like this in the works or already ready for upcoming releases? @Cellebrite @Magnet Forensics @MSAB (edited)
it is in the works, please see DM
👍 2
Avatar
@idokal please send me DM with registration for Pre-Release too 🙂
Avatar
Avatar
idokal
A Pre-Release version is what the Beta version used to be (a version that is distributed to users so they can share feedback; it is released a week before the official release). You need to register in order to have it available in your community page; I'll send the link in DM.
Can I also get this link please?
👍 1
Avatar
@Matt - trying to use your leveldb parser on a chromebook acquisition. Pertinent folder is at \user\IndexedDB\https_docs.google.com_0.indexeddb.leveldb
8:51 AM
I know there are files in here that are needed for my investigation, I can view them live on the machine. I can find the blob of text buried deep down in ASCII, I would love to be able to parse it to a more readable format.
8:53 AM
Am I pointing your application at the wrong thing? Using `LevelDBDumper.exe -d "directory of leveldb" --csv "output directory"` I get an error about "Could not open DB".
Avatar
@whee30 Hey, so unfortunately IndexedDB uses a different LevelDB comparator, which I still need to take the time to translate from C++ to Go to implement in the tool. It's been a big source of frustration for me, but I believe that CCL have a useful resource that I've pointed others who have asked about this issue to https://github.com/cclgroupltd/ccl_chrome_indexeddb
(Sometimes partial) Python re-implementations of the technologies involved in reading IndexedDB data in Chrome-esque applications. - GitHub - cclgroupltd/ccl_chrome_indexeddb: (Sometimes partial) P...
👍 1
Avatar
Thanks! I'll go give that a shot. I wonder when the big forensic tools are going to start natively supporting these things.
Avatar
I believe that Arsenal Recon are working on something
👍 1
9:04 AM
But yeah, I need to just try and take a block of time to get IndexedDB sorted, huge pain for end users of my tool that it isn't supported
Avatar
I have a small PA decoding question regarding an iOS AFU extraction, in the Mail application. I have Gmail emails decoded. I have an incoming email from example@outlook.com to the receiving address receive@gmail.com. This all makes sense, but after the receive@gmail.com I have a name. I see "receive@gmail.com www.test.com". I haven't looked in the db yet, but hoped someone knew already. What is this www.test.com referring to? I checked the contact, it's not there. I do want to mention the phone had 6 email accounts set up on the device. @Cellebrite (ps all examples used) (edited)
Arcain pinned a message to this channel. 11/9/2021 11:21 AM
Avatar
Avatar
whee30
@Matt - trying to use your leveldb parser on a chromebook acquisition. Pertinent folder is at \user\IndexedDB\https_docs.google.com_0.indexeddb.leveldb
Check this tool out: "New Hindsight Release: Better LevelDB parsing, New Web UI View, & More!" https://dfir.blog/hindsight-better-leveldb-and-new-web-ui/amp/
Latest Hindsight version (2021.01.16) brings exciting new features: improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more!
👍 1
Avatar
Avatar
manuelevlr
@Cellebrite when will the new Physical Analyzer be available?
Hi, we already share our beta versions to our design partners. Want to join? If you have our license you may register our program here: https://community.cellebrite.com/s/design-partner to get the beta releases. We appreciate any feedback🙏🏻
Avatar
Anyone from @Cellebrite available for a PM?
Avatar
theAtropos4n6 11/11/2021 4:05 AM
Has anyone dived into viber_messages.db? I have an Android phone and I am interested in interpreting the read_message_time column within the messages table. I cannot figure out what kind of timestamp it is.
Avatar
Anyone know where I might find the settings file that dictates the default app settings on a Galaxy S6? Thanks in advance
Avatar
Avatar
theAtropos4n6
Has anyone dived into viber_messages.db? I have an Android phone and I am interested in interpreting the read_message_time column within the messages table. I cannot figure out what kind of timestamp it is.
Have you tossed it in DCode to give that a try?
Avatar
Avatar
pug4N6
Have you tossed it in DCode to give that a try?
theAtropos4n6 11/11/2021 9:45 AM
Yeap. Nothing helpful came out
Avatar
Original message was deleted or could not be loaded.
It's a 10-digit number (ex. 1899696566) from the test data I see, but it's not a UNIX timestamp (edited)
Avatar
theAtropos4n6 11/11/2021 1:16 PM
@Deleted User @stark4n6 Thank you for your time. Here is a screenshot from the db
Avatar
Avatar
theAtropos4n6
@Deleted User @stark4n6 Thank you for your time. Here is a screenshot from the db
I assume the messages with "read_message_time" = 0 were not read?
Avatar
theAtropos4n6 11/11/2021 1:20 PM
Yeap exactly
Avatar
my first thought was it was some sort of time offset after the message timestamp once it was actually read, no idea though
Avatar
theAtropos4n6 11/11/2021 1:27 PM
We are on the same page here. I thought the same. After giving it some thought and several conversion/sum etc. tests, I believe it should be microseconds/nanoseconds and not milliseconds as I initially believed. But I will need to verify it again to be sure. I will give it a try and give you a heads up. (edited)
👍 1
Avatar
Avatar
theAtropos4n6
We are on the same page here. I thought the same. After giving it some thought and several conversion/sum etc. tests, I believe it should be microseconds/nanoseconds and not milliseconds as I initially believed. But I will need to verify it again to be sure. I will give it a try and give you a heads up. (edited)
theAtropos4n6 11/11/2021 9:53 PM
As a follow-up to my previous message, this number always increments, so it should be something other than microseconds or nanoseconds.
Avatar
Has anyone got a way of getting the password for huawei file safe? I have a physical in xry
Avatar
Avatar
theAtropos4n6
As a follow-up to my previous message, this number always increments, so it should be something other than microseconds or nanoseconds.
It's rather interesting. Two of them had the same info, but other than that each was larger than the previous one. What happens if you go back and read one of the unread ones that had a 0 before?
Avatar
@theAtropos4n6 would the number make sense as a relative time stamp? I assume if this is a test image you documented when you did the various actions? For example, microseconds gives something like 300ish seconds, or 5 minutes. Maybe five minutes after sent it was read? I don’t know if it jives with your setup or not, but based on context it really only makes sense as some sort of time stamp.
Avatar
Avatar
whee30
@theAtropos4n6 would the number make sense as a relative time stamp? I assume if this is a test image you documented when you did the various actions? For example, microseconds gives something like 300ish seconds, or 5 minutes. Maybe five minutes after sent it was read? I don’t know if it jives with your setup or not, but based on context it really only makes sense as some sort of time stamp.
theAtropos4n6 11/13/2021 11:26 PM
Thank you. Well, I have tried that and indeed it was 5 minutes. I made more tests to see if this is accurate, but it was not. Some messages were opened less than 1 minute after they were sent and still this timestamp indicated that 5 minutes passed, so no, unfortunately. I agree with you, it is a relative timestamp, but I am missing the point of reference here. What the base time of these timestamps is, is what I am trying to figure out. I tested to see if it was the delivery timestamp of the first message of a thread, but still no. (edited)
Avatar
Mistercatapulte 11/14/2021 3:00 AM
Hi guys, PA does not link Snapchat conversations to discovered audio files. These files are located in the path private/var/mobile/Containers/Data/Application/D0E20CDB-A6EA-43F7-B001-9145FFB6644A/Documents/com.snap.filemanager_3 SCContent_6c416328-0db7-4567-9421-e49f1eb9379f. Is this normal? Maybe the application loses the link naturally and "forces" us to make a rough link with the files?
3:01 AM
@Cellebrite
Avatar
Avatar
Mistercatapulte
Hi guys, PA does not link Snapchat conversations to discovered audio files. These files are located in the path private/var/mobile/Containers/Data/Application/D0E20CDB-A6EA-43F7-B001-9145FFB6644A/Documents/com.snap.filemanager_3 SCContent_6c416328-0db7-4567-9421-e49f1eb9379f. Is this normal? Maybe the application loses the link naturally and "forces" us to make a rough link with the files?
We created https://github.com/DFIR-HBG/ParseSnapchat for that, PA should support it in 1-2 versions according to @idokal
iOS Snapchat parser for chats and cached files. Contribute to DFIR-HBG/ParseSnapchat development by creating an account on GitHub.
👍 6
Avatar
Mistercatapulte 11/14/2021 5:25 AM
Big thx to @Oscar
Salute 2
Avatar
@theAtropos4n6 - curious, are your new tests still exclusively going “up” in value? It would be nice to nail down what is happening!
Avatar
Avatar
whee30
@theAtropos4n6 - curious, are your new tests still exclusively going “up” in value? It would be nice to nail down what is happening!
theAtropos4n6 11/14/2021 8:32 AM
Yeap. It always goes up. It has to be a relative timestamp.
Avatar
Avatar
theAtropos4n6
Yeap. It always goes up. It has to be a relative timestamp.
Relative to db creation?
8:51 AM
Or app install?
Avatar
@pug4N6 that was my next thought: if they're trying to save space by having a shorter timestamp and making it relative to something, it's probably an anchor point like installation
9:11 AM
I wonder how much actual space saving is accomplished by making slightly shorter timestamps though? Maybe there’s another reason for it
Avatar
Avatar
whee30
@pug4N6 that was my next thought: if they're trying to save space by having a shorter timestamp and making it relative to something, it's probably an anchor point like installation
It seems totally insane, but I'm struggling to figure out what else it could be
Avatar
Does anybody know how to extract the .fseventsd from an iPhone? Got it jailbroken, tried a FFS but it doesn't come with it. Through SSH it gives permission denied and I can't open the folder
Avatar
Avatar
pug4N6
Relative to db creation?
theAtropos4n6 11/15/2021 5:08 AM
No, unfortunately not. It isn't either of these dates.
Avatar
@Magnet Forensics Looking for anyone from Magnet to discuss Picture Categorization hanging on xxx of xxxxxx for over an hour.
Avatar
Avatar
medapi😎
Does anybody know how to extract the .fseventsd from an iPhone? Got it jailbroken, tried a FFS but it doesn't come with it. Through SSH it gives permission denied and I can't open the folder
Any chance ArtEx will see it? https://doubleblak.com/software.php If you are jailbroken and SSH to the device using 3U tools, maybe it will work? :/
Avatar
Avatar
heatherDFIR
Any chance ArtEx will see it? https://doubleblak.com/software.php If you are jailbroken and SSH to the device using 3U tools, maybe it will work? :/
Thanks, gonna try it!
Avatar
Graykey Android extraction question anyone available for a DM?
Avatar
Mistercatapulte 11/15/2021 12:52 PM
@Grayshift
Avatar
Has anyone encountered a scenario in which the com.apple.mobilesms.plist has a KeepMessageForDays value of 0 while also having a KeepMessagesVersionID of 1? Typically, I see a version ID of at least 2 (swapping to 30/365 and then back to forever), but not 1.
Avatar
Does anybody know if /WiFi/connection in KnowledgeC.db is a genuine connection to the WiFi device it refers to? I feel like it is but I can't find anything in blogs or online to confirm. Thanks in advance!
Avatar
Any expert tips on ingesting a GK Android Extraction into PA? I am loading as a blank project, selecting the profile phone, but the parsing keeps crashing.
Avatar
@MSAB Any fine individuals about?
Avatar
Avatar
Rob
@MSAB Any fine individuals about?
Don't know about fine.... But I'm here 😄
😆 2
Avatar
Avatar
MSAB_Sofia
Don't know about fine.... But I'm here 😄
haha, got yet another annoying Nokia burner. TA-1203
5:21 AM
Tried the profile, get to the stage of holding the * and mid select but didn't work. Tried Generic Mediatek to no luck currently.
5:21 AM
Any ideas?
Avatar
One of my favourites.... Getting the center select button pressed entirely to the bottom can be a bit challenging. Double check; you are using the "normal" microUSB and not any of the yellow cables? It can usually take a few tries to get it working.
Avatar
Avatar
MSAB_Sofia
One of my favourites.... Getting the center select button pressed entirely to the bottom can be a bit challenging. Double check; you are using the "normal" microUSB and not any of the yellow cables? It can usually take a few tries to get it working.
Defo a normal micro
5:25 AM
Will try the profile again
5:28 AM
Worked that time, didn't quite remember when I could release the buttons but all good now!
👍 1
Avatar
Avatar
callzor
Has anyone done some research regarding Mega on Android?
Did you get any answers? I have the exact same files in cache subfolders. It's a CSA case
👍 1
Avatar
Avatar
FAB
Did you get any answers? I have the exact same files in cache subfolders. It's a CSA case
Most information seems to be encrypted. I had a small timeframe so could not do any experiments.
😭 1
Avatar
Avatar
callzor
Most information seems to be encrypted. I had a small timeframe so could not do any experiments.
Ok too bad. Thx 🙂
Avatar
Avatar
FAB
Ok too bad. Thx 🙂
Let me know if you find something. There was a folder named preview in the mega folder. Sounds like a good place to start.
Avatar
Afternoon all, are secret messages in FB messenger decoded by UFED/XRY? Someone here has some and can't seem to find them in their decodes (Samsung A21s)
Avatar
Avatar
callzor
Let me know if you find something. There was a folder named preview in the mega folder. Sounds like a good place to start.
No problem, I'll tell you if I find anything!
Avatar
Avatar
Artea
Afternoon all, are secret messages in FB messenger decoded by UFED/XRY? Someone here has some and can't seem to find them in their decodes (Samsung A21s)
There is support, DM for more details (edited)
Avatar
Is this a plist file that records whether or not Messages in iCloud is enabled? I see various sync_deleted tables in the SMS.db but would like another point of confirmation.
Avatar
Has anyone had an issue when creating reports in Cellebrite where the UFDR does not contain pictures and videos? In both the pictures and video sections, files are referenced with file path and hash value, however the file size is 0 bytes. However, in the PDF and Excel output produced at the same time, in both the pictures and videos output the files are all present and of the appropriate file size. I don't think this is a Cellebrite issue, more of a network infrastructure quirk. (edited)
Avatar
Avatar
theAtropos4n6
@Deleted User @stark4n6 Thank you for your time. Here is a screenshot from the db
Don't know if this has been answered but Unix Milliseconds Java time works... Much thanks to DCode https://www.digital-detective.net/dcode/
DCode™ is a FREE forensic tool for decoding data found during digital forensic examinations into human-readable timestamps.
Avatar
Avatar
Dfdan
Has anyone had an issue when creating reports in Cellebrite where the UFDR does not contain pictures and videos? In both the pictures and video sections, files are referenced with file path and hash value, however the file size is 0 bytes. However, in the PDF and Excel output produced at the same time, in both the pictures and videos output the files are all present and of the appropriate file size. I don't think this is a Cellebrite issue, more of a network infrastructure quirk. (edited)
What version of reader? I'm sure this was a bug a few versions ago
Avatar
Avatar
Jamey
Don't know if this has been answered but Unix Milliseconds Java time works... Much thanks to DCode https://www.digital-detective.net/dcode/
theAtropos4n6 11/17/2021 12:27 AM
Thank you Jamey. DCODE helps but not with the column of interest I was referring to (read_message_time).
Avatar
Does anyone here know where Axiom gets the timezone information from an Android extraction?
Avatar
Hi everyone, I made a Qualcomm Live acquisition of a Samsung Z Flip3. After parsing with Physical Analyzer I cannot view the Telegram messages, even though they are present in cache4.db. Telegram version 8.1.2 is installed on the device. Is it possible that PA does not correctly decode the data present in the Telegram db, as it supports up to version 7.9.3?
Avatar
@Cellebrite
Avatar
Avatar
theAtropos4n6
Thank you Jamey. DCODE helps but not with the column of interest I was referring to (read_message_time).
Sorry misunderstood the question.
👍 1
Avatar
Avatar
Aero
@Deleted User I have python scripts for both app versions [iOS and Android] (PIN and media decryption) I must also commend @forensicmike @Magnet for his awesome work and blogs in regards to this stuff. He's a massive help! (edited)
Hi could I get your python script for Android?
📬 1
Avatar
Avatar
pluizert
Does anyone here know where Axiom gets the timezone information from an Android extraction?
jonathanscott 11/17/2021 10:56 AM
adb bugreport > bugreport.zip
Avatar
Question from a newbie examiner here: I have an iPhone SE that shows call log use from 8/27/21 onward. Some other artifacts in here as well, but nothing really older than July or so. There's a specific video I'm looking for, and I can't seem to find it. While poking around in the com.apple.purplebuddy.plist, though, I see a "GuessedCountry" date of today (11/17/2021) at 6:07am; this would've been just hours before we took possession of it.
1:46 PM
Am I right to assume this phone was likely wiped? Cannot find an ".obliterated" file, it's not a FFS (advanced logical)
2:27 PM
If the SetupState is SetupUsingAssistant the GuessedCountry timestamp is good. If SetupState is RestoredFromiCloudBackup then you probably shouldn’t rely on GuessedCountry. .obliterated is only present in FFS. (edited)
2:27 PM
(If it exists)
Avatar
Awesome. It is SetupUsingAssistant
2:27 PM
So safe to say he wiped it, then pushed some old data onto it via a backup to make it look used, then
Avatar
CLB_joshhickman1 11/17/2021 2:28 PM
You have to account for Cloud syncing, too.
Avatar
Avatar
Cinco Uno
So safe to say he wiped it, then pushed some old data on it via a backup to make it look used then
CLB_joshhickman1 11/17/2021 2:30 PM
If old data was pushed from a backup, the SetupState would probably be RestoredFromBackup.
Avatar
Hmm... Okay, absent a FFS I can't really explain how there is older data on the phone then?
Avatar
CLB_joshhickman1 11/17/2021 2:55 PM
What type of old data?
Avatar
NL - Jordi Strörmann 11/18/2021 1:49 AM
Ok, so we have a suspect who claims that some files on his phone were synced and he only used the phone for like a week. However, we find multiple artifacts that are older. Now he points out 2 specific files that came from the /private/var/mobile/library/documents/com~apple~clouddocs/.trash folder. He states these were synced (which is probably correct), but can we find anywhere what time/date this was done? It's on an iPhone 5 (A1429 and iOS 10.3.3) (edited)
Avatar
Hi! I found a folder on an iOS device with the name uploadableChatMedia. The folder is connected to the Snapchat application. I have never seen it before. Does anyone know something about it?
Avatar
Is it possible to get WiFi BSSID addresses from an Android FFS (either 9 or 10)? The phone was specifically a Motorola XT1955-5. The WifiConfigStore.xml (or something like that) only had null values for the networks' BSSID
Avatar
Avatar
CLB_joshhickman1
What type of old data?
Call logs, media, some health data, that kinda stuff
Avatar
Avatar
theAtropos4n6
Has anyone dived into viber_messages.db? I have an Android phone and I am interested in interpreting the read_message_time column within the messages table. I cannot figure out what kind of timestamp it is.
theAtropos4n6 11/18/2021 4:35 AM
@pug4N6 @stark4n6 @whee30 @Jamey Everyone, as a heads up to my question, the correct interpretation of the read_message_time column was cracked by the one and only Ian @CLB_iwhiffin. This timestamp is the number of milliseconds since the device booted. New artifact that could be useful in certain cases. Thank you all for your recommendations. Cheers!
🔥 4
Salute 2
👍 1
Avatar
What a weird stat to track
Avatar
Avatar
whee30
What a weird stat to track
CLB_iwhiffin 11/18/2021 9:48 AM
100% weird. And results in numerous “time stamps” being the same and having no bearing on the time it was received. I’ll put together a blog post in the next few days to show how I found it.
👍 4
Avatar
Avatar
CLB_joshhickman1
If the SetupState is SetupUsingAssistant the GuessedCountry timestamp is good. If SetupState is RestoredFromiCloudBackup then you probably shouldn’t rely on GuessedCountry. .obliterated is only present in FFS. (edited)
Is there a reason why the GuessedCountry timestamp is not reliable if the SetupState is RestoredFromiCloudBackup?
Avatar
Are there any solutions/scripts for UFED PA to recover/carve data from the msgstore.db-wal? I found some messages using Axiom but it would be nice if I could include them in an UFDR. @Cellebrite
Avatar
Avatar
Ghosted
Any expert tips on ingesting a GK Android Extraction into PA? I am loading as a blank project, selecting the profile phone, but the parsing keeps crashing.
Did you get anywhere with this by any chance?
Avatar
Yes DM you
Avatar
@Cellebrite Hi, I have a case where the extraction summary shows me 6 ICCID numbers. I cannot figure out where this data comes from (Samsung A202F). I don't have the simcard.dat file and the checkin.xml file doesn't contain these ICCIDs.
5:47 AM
Okay, just found it. It seems to be the telephony.db, but there is no timestamp in there.
Avatar
Avatar
Tyler_Leno
Is there a reason why the GuessedCountry timestamp is not reliable if the SetupState is RestoredFromiCloudBackup?
CLB_joshhickman1 11/19/2021 6:15 AM
It could reflect an old wipe time associated with the backup.
Avatar
"Is this application currently installed?" My brain has melted over the course of the week. In the @Cellebrite "Installed Applications" section, am I right in saying that if it's present within that area it is currently installed? I don't have the exhibit to confirm manually.
8:03 AM
Related note, does "Feature for Instagram" mean Instagram is currently installed or if that's the only result within "Installed Applications", Instagram has been uninstalled?
Avatar
Avatar
CLB_joshhickman1
It could reflect an old wipe time associated with the backup.
Gotcha, could the SetupLastExit timestamp also be associated with the backup then?
Avatar
@Cellebrite @Magnet Forensics Hi, I have a full file system extract of an iPhone 11 Pro Max running FB Messenger 336.1. I am used to the messages being in the lightspeed database, however in this case they are showing up in a database titled with the user's FB user id #, for example 100011XXXXXXXX.db, under a folder titled lightspeed-userdatabases. Neither tool parsed the messages from this database. Only PA found it when I ran App Genie. I can manually view the messages from the database in PA. In Magnet I can see the files in the file system view but the contents will not display. When trying to view the db I get the error "sql logic error or missing database no such module: tam_thread_capabilities." Anyone else encounter this database naming convention for FB Messenger?
Avatar
sheepdog751 11/20/2021 6:34 AM
I am doing a manual examination of a very small Viber contacts.data database (only a couple of messages and four contacts). I am trying to connect the tables so I can sort out who sent and received those messages. I am not finding the foreign keys on the tables. I was hoping that someone can provide me with white papers or resources that detail the tables and their contents. I have not been able to find anything online. On a separate note, is there a way to put the database file into Cellebrite or Axiom and have it parsed? I tried but it imports it as a database but does not parse it.
Avatar
Avatar
digitech11
@Cellebrite @Magnet Forensics Hi, I have a full file system extract of an iPhone 11 Pro Max running FB Messenger 336.1. I am used to the messages being in the lightspeed database, however in this case they are showing up in a database titled with the user's FB user id #, for example 100011XXXXXXXX.db, under a folder titled lightspeed-userdatabases. Neither tool parsed the messages from this database. Only PA found it when I ran App Genie. I can manually view the messages from the database in PA. In Magnet I can see the files in the file system view but the contents will not display. When trying to view the db I get the error "sql logic error or missing database no such module: tam_thread_capabilities." Anyone else encounter this database naming convention for FB Messenger?
CLB_iwhiffin 11/20/2021 6:41 AM
In PA, do you have a “Social Media” node under analyzed data? I recently did a lot of work with this file and it should be there.
Avatar
Avatar
Rob
Related note, does "Feature for Instagram" mean Instagram is currently installed or if that's the only result within "Installed Applications", Instagram has been uninstalled?
CLB_iwhiffin 11/20/2021 9:06 AM
For the benefit of others; all apps ever installed will probably show up in the “installed apps” even if they have been uninstalled since. The source is important here; an installed app shows the AndroidManifest.xml file but an uninstalled app does not. You can probably also see that the com.Instagram.android folder is no longer in the /data/data folder which it would be if the app was still installed.
Salute 1
👍 2
Avatar
Has anyone had any luck carving images from an iOS Partial or FFS? I know anything is worth trying, but I’m sure it’s been attempted before by someone on here.
Avatar
Avatar
Matt
Has anyone had any luck carving images from an iOS Partial or FFS? I know anything is worth trying, but I’m sure it’s been attempted before by someone on here.
CLB_iwhiffin 11/20/2021 12:28 PM
On an FFS or similar, there is no unallocated space to carve from, they are all “live” files. I think the best you could hope for is to find images within files (such as blobs within databases) or similar. Better than nothing I guess.
Avatar
Avatar
CLB_iwhiffin
On an FFS or similar, there is no unallocated space to carve from, they are all “live” files. I think the best you could hope for is to find images within files (such as blobs within databases) or similar. Better than nothing I guess.
Ok. That’s what I was thinking. I’ll give it a go, just thought that likelihood of blobs containing data not already parsed was low. But I’m appreciating the iceberg analogy of cell phone data lately. 😉
👍 1
Avatar
Avatar
Matt
Ok. That’s what I was thinking. I’ll give it a go, just thought that likelihood of blobs containing data not already parsed was low. But I’m appreciating the iceberg analogy of cell phone data lately. 😉
Blob records are interesting, they can be small enough that they’d just carve out like normal but if I understand things correctly they can also be large enough that they’d be split across multiple pages and then you’d basically need to read the database to read the whole blob at once
Avatar
And it’s always just awesome when multiple “files” are mushed together into a single blob … like plists! Currently working on a plist database blob parser/carver, might try for an image one next
Avatar
Avatar
CLB_iwhiffin
In PA, do you have a “Social Media” node under analyzed data? I recently did a lot of work with this file and it should be there.
Yes, there is a social media node which contains facebook/user id# but all of those artifacts are the posts and comments made within the fb app and that file path shows graphstoreDb/"userid#".sqlite3. None of the fb messenger chats that were found in app genie are displaying in the social media node.
Avatar
Avatar
digitech11
Yes, there is a social media node which contains facebook/user id# but all of those artifacts are the posts and comments made within the fb app and that file path shows graphstoreDb/"userid#".sqlite3. None of the fb messenger chats that were found in app genie are displaying in the social media node.
CLB_iwhiffin 11/20/2021 2:39 PM
Interesting. I haven’t seen that file contain anything other than the posts/comments before either. I’ll take a look as soon as I can.
Avatar
Avatar
CLB_iwhiffin
Interesting. I haven’t seen that file contain anything other than the posts/comments before either. I’ll take a look as soon as I can.
Thank you. Are you saying that fb messenger chats are supposed to be displayed under the social media node now instead of the chats node?
Avatar
Avatar
digitech11
Thank you. Are you saying that fb messenger chats are supposed to be displayed under the social media node now instead of the chats node?
CLB_iwhiffin 11/21/2021 5:55 AM
No, messenger chats are still under the chats node. My thought process was that comment threads can appear like conversations, and I thought that may have been what you were looking for.
Avatar
Avatar
CLB_iwhiffin
No, messenger chats are still under the chats node. My thought process was that comment threads can appear like conversations, and I thought that may have been what you were looking for.
Gotcha. No, I am looking for the basic FB messenger messages. Wondering why native PA decoding did not parse them, but luckily App Genie did.
Avatar
Avatar
digitech11
Gotcha. No, I am looking for the basic FB messenger messages. Wondering why native PA decoding did not parse them, but luckily App Genie did.
CLB_iwhiffin 11/21/2021 7:22 AM
That is a concern. I’ll look into it first thing tomorrow.
Avatar
Avatar
digitech11
@Cellebrite @Magnet Forensics Hi, I have a full file system extract of an iPhone 11 Pro Max running fb messenger 336.1. I am used to the messages being in the lightspeed database; however, in this case they are showing up in a database titled with the user's fb user id #, for example 100011XXXXXXXX.db, under a folder titled lightspeed-userdatabases. Neither tool parsed the messages from this database. Only PA found it when I ran App Genie. I can manually view the messages from the database in PA. In Magnet I can see the files in the file system view but the contents will not display. When trying to view the db I get the error "sql logic error or missing database no such module: tam_thread_capabilities." Anyone else encounter this database naming convention for fb messenger?
Have you tried the custom Artifact Generator MCAG for AXIOM? https://www.magnetforensics.com/resources/magnet-custom-artifact-generator/
The MAGNET Custom Artifact Generator tool makes it easy to create custom artifacts for use within Magnet AXIOM
6:02 PM
Jessica Hyde talks about our newest free tool, MAGNET Custom Artifact Generator and how it will allow examiners to bring new artifacts into AXIOM.
Avatar
Anyone have experience with the gallery.encrypteddb.decrypted Snapchat DB in iOS? There is lat/lon data with snap_ids. Are those saved snaps with location data from the account owner?
Avatar
Avatar
t12346
Anyone have experience with the gallery.encrypteddb.decrypted Snapchat DB in iOS? There is lat/lon data with snap_ids. Are those saved snaps with location data from the account owner?
It contains data on Snapchat memories, location and decryption keys. More info such as timestamps can be found in scdb-27.sqlite3 (edited)
Avatar
Hi, how can I process a complete physican Rockchip Medion Lifetab extraction? Physical Analyzer only accepts this when I only process the userdata partition image
4:59 AM
*physical
Avatar
Avatar
Jamey
Have you tried the custom Artifact Generator MCAG for AXIOM? https://www.magnetforensics.com/resources/magnet-custom-artifact-generator/
I forgot about that option originally. I just ran it and it did locate the db and was able to successfully parse it. It appears the FB messenger db name and file path changed in version 336 to private/var/mobile/containers/shared/appgroup/"account id"/library/application support/lightspeed-userDatabases/"fb userid#".db. Can you have someone look into this for a future update?
magnetforensics_alt 1
Avatar
Avatar
digitech11
I forgot about that option originally. I just ran it and it did locate the db and was able to successfully parse it. It appears the FB messenger db name and file path changed in version 336 to private/var/mobile/containers/shared/appgroup/"account id"/library/application support/lightspeed-userDatabases/"fb userid#".db. Can you have someone look into this for a future update?
Have you tried iLEAPP? I think I made a parser for FB Messenger in it, but it may not be the most up to date. I can try to update it too if it doesn't
Avatar
@Cellebrite Hi, I cannot see any thumbnail for video files. Is there any option or is there a bug with PA 7.50 beta?
Avatar
Avatar
Dam
@Cellebrite Hi, I cannot see any thumbnail for video files. Is there any option or is there a bug with PA 7.50 beta?
The final version of PA 7.50 is already available for download, so you can try with this one.
Avatar
Avatar
Angst
The final version of PA 7.50 is already available for download, so you can try with this one.
Thanks. I forgot to check 🤗
Avatar
What would be the most efficient way to process a Google Takeout? I've used UFED PA and Axiom but it seems they don't process the various activity HTML files which also contain very valuable data. Is this by design? Also, would Axiom Cloud be able to process this better? It's not active on my license so I'm unable to check it out. @Magnet Forensics @Cellebrite
Avatar
Avatar
Sockmoth
What would be the most efficient way to process a Google Takeout? I've used UFED PA and Axiom but it seems they don't process the various activity HTML files which also contain very valuable data. Is this by design? Also, would Axiom Cloud be able to process this better? It's not active on my license so I'm unable to check it out. @Magnet Forensics @Cellebrite
Google Takeout should be in JSON format to process it in Axiom or PA
👍 1
Avatar
Avatar
Angst
Google Takeout should be in JSON format to process it in Axiom or PA
Agreed. Data like e-mail and location history are stored in JSON and processed, but the HTML files with user activity from Google search/YouTube aren't. I would like to include these in a report so the detectives have to deal with only one product which contains all the relevant data. FYI I'm dealing with a manually generated takeout from the Google user dashboard, not a takeout which would be supplied after a warrant.
Avatar
is there any way to decode surespot db? I used a wordlist but failed via PA
Avatar
Avatar
Sockmoth
What would be the most efficient way to process a Google Takeout? I've used UFED PA and Axiom but it seems they don't process the various activity HTML files which also contain very valuable data. Is this by design? Also, would Axiom Cloud be able to process this better? It's not active on my license so I'm unable to check it out. @Magnet Forensics @Cellebrite
As Google Takeout is part of our Cloud functionality, yes it would parse much better with Cloud activated. Right now when you parse through it, it is grabbing artifacts that meet criteria of computers as I am sure you are processing it using those artifact categories and not the cloud artifact categories. Cloud Artifacts were specifically engineered to extract data from cloud sources
Avatar
Tuesday, November 30, at 12:30 PM EST / 9:30 AM PST Duration: 1 hour Let’s be honest and agree that locations on mobile devices can be a nightmare. How do we know what we can trust? What are the ways to validate the artifact and most importantly, what if a location on the device is the … Continue reading "Episode 17: I Beg to DFIR – Was it actua...
cellebrite 1
Avatar
Is @Cellebrite PA parsing FB messenger messages on iPhone FFS extractions? 7.50 PA. I just ran a phone dump and got none, but was expecting to see them. The Keychain was loaded at the time of decoding and the Trace Windows shows Messenger was parsed during the normal processing. No messages saying it didn't parse. Any thoughts?
Avatar
Known issue, will be addressed next release. There were changes to the db.
👍 2
Avatar
Dang, I searched on here for other posts about this. I didn't check release notes though.
4:15 PM
Thanks @CLB-Paul
Avatar
ScottKjr3347 11/23/2021 10:26 PM
Updated Photos.Sqlite queries posted here: https://github.com/ScottKjr3347/Photos.Sqlite_Queries Short blog explaining the queries posted here: https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/ Queries will work for iOS 14, Big Sur, iOS 15, and Monterey.
💯 2
🔥 2
👍 1
Avatar
Avatar
ScottKjr3347
Updated Photos.Sqlite queries posted here: https://github.com/ScottKjr3347/Photos.Sqlite_Queries Short blog explaining the queries posted here: https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/ Queries will work for iOS 14, Big Sur, iOS 15, and Monterey.
1654 lines of sql-query!!!!! 😄 Awesome work. Thanks for digging into it!
👍 1
Avatar
Avatar
Sockmoth
Agreed. Data like e-mail and location history are stored in JSON and processed, but the HTML files with user activity from Google search/YouTube aren't. I would like to include these in a report so the detectives have to deal with only one product which contains all the relevant data. FYI I'm dealing with a manually generated takeout from the Google user dashboard, not a takeout which would be supplied after a warrant.
Have you tried RLEAPP from brigs?
Avatar
Hi all. Anyone know of a method to extract Telegram conversations from an iPhone where it is NOT POSSIBLE to obtain a full fs?
Avatar
Avatar
sholmes
Is @Cellebrite PA parsing FB messenger messages on iPhone FFS extractions? 7.50 PA. I just ran a phone dump and got none, but was expecting to see them. The Keychain was loaded at the time of decoding and the Trace Windows shows Messenger was parsed during the normal processing. No messages saying it didn't parse. Any thoughts?
this issue is fixed, we will include it in PA 7.51, a test version is already available in case anyone wants to check it out (edited)
👍 1
Avatar
Avatar
ScottKjr3347
Updated Photos.Sqlite queries posted here: https://github.com/ScottKjr3347/Photos.Sqlite_Queries Short blog explaining the queries posted here: https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/ Queries will work for iOS 14, Big Sur, iOS 15, and Monterey.
forensicmike @Magnet 11/24/2021 4:12 AM
Holy smokes, great job Scott!!!
👍 1
Avatar
Avatar
FabianoQ
Hi all. Anyone know of a method to extract Telegram conversations from an iPhone where it is NOT POSSIBLE to obtain a full fs?
Cellebrite conversation capture? Presuming the time to login to their account via PC has passed.
Avatar
Anyone from @Cellebrite able to dm me for a sqlite question?
Avatar
Looking for some paper or research on WhatsApp backups and how they are created, especially when they're skipped for whatever reason. I have a device that is missing some backups; some are named like 10122020 but contain data from 2 days prior, with the 09122020 backup file missing, etc.
2:12 AM
I'm looking into why this could happen, and if not enough free space, or maybe a power cut, can lead to this (edited)
Avatar
Is it still possible to chat via the Facebook app without moving over to the Messenger application? Because I found a database with messages linked to the Facebook application without the Messenger application being installed.
2:33 AM
I know it was possible early on before they forced people over to Messenger
2:34 AM
Avatar
Hi I have a picture that is stored in a knox security folder. However the Picture does not provide me with a creation date. Is there a record of this anywhere? I tried looking in knoxContentMgr.db but no luck.
Avatar
Anyone from @Cellebrite free to answer a question? 😁
Avatar
MrMacca (Allan Mc) 11/25/2021 6:08 AM
I've got an SMS conversation between 2 people. However, Physical Analyzer and Axiom are indicating the sender and recipient is the same person. However, this can't be the case. Axiom reports the recipient as local user (exhibit). I've looked into the iPhone sms.db and it doesn't list a secondary number. Can anyone explain why this is the case?
6:09 AM
And the sender is a mobile number. Which has no link to the actual handset
Avatar
Avatar
Arcain
Looking for some paper or research on WhatsApp backups and how they are created, especially when they're skipped for whatever reason. I have a device that is missing some backups; some are named like 10122020 but contain data from 2 days prior, with the 09122020 backup file missing, etc.
Possibly some backups are missing because the phone is configured to back up only when WiFi is available?
Avatar
@FabianoQ any option to verify this in physical extraction? The main, and weird thing here is that backup made on 10th, contains data from 8th, but not 9th (edited)
Avatar
Avatar
Aero
Anyone from @Cellebrite free to answer a question? 😁
CLB-drorimon 11/25/2021 6:30 AM
☝
📬 1
Avatar
There is one single text message that's crucial here, and it's only in this single backup, not in the next one, or in the regular msgstore.
Avatar
Morning all. I'm looking at a Calculator Photo Vault App on Android, com.hld.anzenbokusufake, which I think has since been released under com.hld.anzenbokusucal. Anybody had success decrypting/reverse engineering this app? Thanks in advance
Avatar
@kibaffo33 what version is it?
Avatar
Avatar
jjh2320
@kibaffo33 what version is it?
Calculator-Photo Vault hid photos and videos com.hld.anzenbokusufake version 10.0.2 on the subject device
5:08 AM
That version wouldn't work on my test device so I'm using Calculator - Photo Vault com.hld.anzenbokusucal version 10.0.1 on that, which appears to be the same but updated...
Avatar
I'm not aware of any decryption options for version 10 but if you find one let me know!
Avatar
Avatar
kibaffo33
That version wouldn't work on my test device so I'm using Calculator - Photo Vault com.hld.anzenbokusucal version 10.0.1 on that, which appears to be the same but updated...
Sent you a pm!
👍 1
Avatar
Anyone have any guidance on decoding\ deserializing the telegram db_sqlite blob data?
Avatar
@Law Enforcement [UK] Anyone ever dealt with Cell Tower related questions? Got a bunch all with the same timestamp but spread across an area (fairly close, but with places an hour's drive from each other).
8:10 AM
Source file is cache_encryptedB.db-wal
Avatar
Avatar
Rob
@Law Enforcement [UK] Anyone ever dealt with Cell Tower related questions? Got a bunch all with the same timestamp but spread across an area (fairly close, but with places an hour's drive from each other).
Someone in my office had something like this (not sure if the same) @LAmbrose
Avatar
CLB_iwhiffin 11/26/2021 8:29 AM
Cache encrypted B is a terrible source of location data. It is downloaded/harvested from Apple and doesn’t mean it was actually seen by the device at the time.
Avatar
CLB_iwhiffin 11/26/2021 8:30 AM
Sign up for this I Beg to DFIR for a location presentation next week 🙂
8:41 AM
So effectively, ignore Cache encrypted b
8:41 AM
Or well, don't rely on it.
Avatar
Avatar
Artea
Someone in my office had something like this (not sure if the same) @LAmbrose
Mine were in relation to Apple’s Significant locations GPS but feel free to DM and we can discuss further @Rob
Avatar
Will do Monday!
Avatar
CLB_iwhiffin 11/26/2021 9:49 AM
It may be useful in fringe cases, but basically the phone is downloading hundreds (if not thousands) of location records at the same time. I wrote a blog on it at www.doubleblak.com/blog/harvest
Avatar
Avatar
CLB_iwhiffin
It may be useful in fringe cases, but basically the phone is downloading hundreds (if not thousands) of location records at the same time. I wrote a blog on it at www.doubleblak.com/blog/harvest
Amazing as per usual!
Avatar
torskepostei 11/26/2021 10:39 AM
I'm decoding a phone acquisition, and PA asked for a password for a database to one of the apps. Gave it the rockyou list for starters, but I am wondering if PA will log the correct password anywhere if it succeeds? Would be great to have the password for other investigative steps later in the process.
Avatar
Avatar
CLB_iwhiffin
It may be useful in fringe cases, but basically the phone is downloading hundreds (if not thousands) of location records at the same time. I wrote a blog on it at www.doubleblak.com/blog/harvest
Hey, follow-on question. If there is a Wireless Network connection at 12:56 and then later at 15:53, and in between there's the Cell Tower information at 14:36, is it possible that either the wireless connection went down or the phone went on the move?
5:51 AM
At no other point in the day is there Cell Tower information.
5:51 AM
So that suggests to me that at 14:36 a harvest event occurred.
Avatar
Does the phone have WiFi assist turned on?
Avatar
Avatar
FullTang
Does the phone have WiFi assist turned on?
How do I see that?
Avatar
Avatar
Rob
How do I see that?
Is it an iPhone? Here is a link to the apple website about Wifi assist. https://support.apple.com/en-us/HT205296
With iOS 9 and later, you can use Wi-Fi Assist to automatically switch to cellular when you have a poor Wi-Fi connection.
Salute 1
1:34 PM
I'll look on Monday!
👍 1
Avatar
Morning all! Is there any log kept in relation to Micro SD cards that have been inserted in a phone?
Avatar
Hey @Brigs and @GrayShift_Matthieu, I know I'm a bit late to the party, but I'm using iLEAPP 1.16.9 trying to decrypt some Protonmail messages from an iPhone 7 iOS 13.6 (GrayKey FFS/Keychain extraction). Snooping around in a debugger trying to figure out why it is not working, I notice that after running keychainStore = ccl_bplist.deserialise_NsKeyedArchiver(keychainStorePlist, parse_whole_structure=True), keychainStore['root']['NS.objects'] is now just an empty list(?). Then the following code does not have much data to work with... Any reports of similar problems?
Avatar
GrayShift_Matthieu 11/29/2021 2:16 AM
Hi @jallis, is the keychainStore variable containing data?
Avatar
Can someone explain how web entries have occurred through Gmail?
2:39 AM
@Cellebrite
Avatar
Avatar
FM930
Can someone explain how web entries have occurred through Gmail?
Deleted User 11/29/2021 3:10 AM
It's a parsing of URL in the body of the mail
👍 1
Avatar
Avatar
GrayShift_Matthieu
Hi @jallis, is the keychainStore variable containing data?
Yes, it is of type ccl_bplist.NsKeyedArchiverDictionary and has ['root']['NS.objects'] - are you referring to some special data? And keychainStorePlist and keychainStorePlist1 both seem to contain "ok" data.
3:14 AM
And decryptWithMainKey() produces sane data.
3:18 AM
Seems like the data I'm looking for is not included in the encrypted data that I am successfully able to decrypt somehow? I mean, dec_val seems to be a valid bplist, so this first decryption part seems to be correct? (edited)
Avatar
It's a stupid bug. Just uncheck them
Avatar
Avatar
jallis
Seems like the data I'm looking for is not included in the encrypted data that I am successfully able to decrypt somehow? I mean, dec_val seems to be a valid bplist, so this first decryption part seems to be correct? (edited)
GrayShift_Matthieu 11/29/2021 3:30 AM
keychainStore should be something like
Avatar
Avatar
GrayShift_Matthieu
keychainStore should be something like
Yes, "I know" 🙂 What I am seeing is that keychainStore['root']['NS.objects'] == [] somehow...
Avatar
GrayShift_Matthieu 11/29/2021 3:35 AM
weird... can you see in keychainStorePlist1 raw data the "AuthCredential.Password" and "privateKeyCoderKey" values ?
Avatar
So maybe it is the decrypting the wrong enc_val somehow in my case...
Avatar
GrayShift_Matthieu 11/29/2021 3:35 AM
enc_val should come from 'group.ch.protonmail.protonmail.plist'
Avatar
Avatar
GrayShift_Matthieu
weird... can you see in keychainStorePlist1 raw data the "AuthCredential.Password" and "privateKeyCoderKey" values ?
No, they do not seem to be in there... (edited)
Avatar
Avatar
GrayShift_Matthieu
enc_val should come from 'group.ch.protonmail.protonmail.plist'
In my case it comes from enc_val = keychainVal[b'authKeychainStoreKeyProtectedWithMainKey']
4:01 AM
as enc_val = prefplist.get('authKeychainStoreKeyProtectedWithMainKey', 'empty') returns 'empty'
4:03 AM
So it seems like I end up with the wrong enc_val value somehow?
Avatar
GrayShift_Matthieu 11/29/2021 4:09 AM
If it is empty it should get it from the keychain value. But can you check the preference plist file for this value?
Avatar
Avatar
GrayShift_Matthieu
If it is empty it should get it from the keychain value. But can you check the preference plist file for this value?
You mean, check the contents of the plist, before it is loaded into prefplist? (edited)
4:17 AM
Like manually inspecting group.ch.protonmail.protonmail.plist?
Avatar
grep -i auth group.ch.protonmail.protonmail.plist returns no hits (should the string authKeychainStoreKeyProtectedWithMainKey be in cleartext in the bplist?)
Avatar
GrayShift_Matthieu 11/29/2021 4:31 AM
Yes, this string should be plaintext. Are you sure the app was configured, and an account was actually set?
Avatar
Avatar
torskepostei
I'm decoding a phone acquisition, and PA asked for a password for a database to one of the apps. Gave it the rockyou list for starters, but I am wondering if PA will log the correct password anywhere if it succeeds? Would be great to have the password for other investigative steps later in the process.
CLB-drorimon 11/29/2021 4:51 AM
It should appear under the Passwords section.
Avatar
Avatar
GrayShift_Matthieu
Yes, this string should be plaintext. Are you sure the app was configured, and an account was actually set?
All I know is that ProtonMail.sqlite is present and ZMESSAGE contains 100+ entries. Not quite sure where to look next.
5:33 AM
I haven't done a detailed analysis of this phone, I was just looking at the Protonmail part. (edited)
Avatar
Deleted User 11/29/2021 5:58 AM
Hello Everyone. Has anyone got any tool that can correctly parse Snapchat (messages, attachments etc)?
5:58 AM
version is 11.25.1.32
Avatar
Avatar
Deleted User
Hello Everyone. Has anyone got any tool that can correctly parse Snapchat (messages, attachments etc)?
CLB_iwhiffin 11/29/2021 6:07 AM
iOS or Android? That's a fairly old version of SnapChat now (around 5 months or so I think) so I would hope most tools do a decent job. What have you tried and what is the problem?
Avatar
Deleted User 11/29/2021 6:08 AM
It's on Android
6:08 AM
I extracted the phone with XRY
6:08 AM
It isn't parsed
6:09 AM
I tried to export all of com.snapchat.android and parse it in PA without success, just media files. Probably I didn't do it right?
Avatar
CLB_iwhiffin 11/29/2021 6:12 AM
I've never tried parsing just the application folder for Snapchat in PA but will give it a try. It may be worth letting PA try the entire extraction, even if that means extracting it from XRY as a folder structure and pointing PA at that. I'll fire it up on a test device and see.
👍 1
Avatar
Avatar
CLB_iwhiffin
I've never tried parsing just the application folder for Snapchat in PA but will give it a try. It may be worth letting PA try the entire extraction, even if that means extracting it from XRY as a folder structure and pointing PA at that. I'll fire it up on a test device and see.
Deleted User 11/29/2021 6:16 AM
I can try but I'm not sure I'll succeed in exporting the whole folder structure from XAMN.
Avatar
Avatar
Arcain
@FabianoQ any option to verify this in physical extraction? The main, and weird thing here is that backup made on 10th, contains data from 8th, but not 9th (edited)
Sorry for the long delay. I tried but can't seem to find where this setting is saved.
10:19 AM
I have a Samsung phone with dual WhatsApp. UFED advises about possible data loss using apk downgrade in this condition (which did happen to me in the past). Can anyone suggest a reliable method to acquire WhatsApp data in this scenario without risk of data loss? The phone is not supported for physical or full fs extraction. It's an SM-N986B unlocked phone.
Avatar
Avatar
FabianoQ
I have a Samsung phone with dual WhatsApp. UFED advises about possible data loss using apk downgrade in this condition (which did happen to me in the past). Can anyone suggest a reliable method to acquire WhatsApp data in this scenario without risk of data loss? The phone is not supported for physical or full fs extraction. It's an SM-N986B unlocked phone.
When physical extraction is not supported for Android devices, investigators can use OxyAgent to run a logical extraction to collect a plethora of valuable data. Our OxyAgent is typically used to acquire basic artifacts, like contacts, calls, calendars, and messages. With our updated OxyAgent, logical extractions using O...
Avatar
Thanks. That's what I'm going to try. I had success before with Oxy manual agent extraction, also with WhatsApp + WhatsApp Business at the same time, but never had double WhatsApp.
Avatar
@FabianoQ What is double whatsapp?
Avatar
@Angst You can have 2 WhatsApp accounts at the same time, 2 WhatsApp icons and 2 separate WhatsApp message archives. When this happens apk downgrade will, most likely, end with just one of the 2 WhatsApp instances acquired and the other one LOST (happened to me already).
Avatar
Never had this. But good to know it could happen. I will be more careful with apk downgrade 🙂 (edited)
Avatar
UFED warns you about this risk when you have this scenario.
Avatar
But sometimes I use this method in Oxygen too.
Avatar
Yes, Oxy does not warn about this risk. Don't know if the reason is that the Oxy method is safer; if manual agent acquisition will succeed I'll try. Anyway, manual agent acquisition also "sees" only 1 WhatsApp...
Avatar
@forensicmike @Magnet hello, I'm hoping to get some information about bruteforce on a Photovault PIN please. I have the AES encrypted passcode. It's on a Samsung tablet. Do you have any tips on how to find the encryption key in a full filesystem? It's a 6 digit PIN. Thank you
Avatar
Avatar
vedmore
@forensicmike @Magnet hello, I'm hoping to get some information about bruteforce on a Photovault PIN please. I have the AES encrypted passcode. It's on a Samsung tablet. Do you have any tips on how to find the encryption key in a full filesystem? It's a 6 digit PIN. Thank you
@forensicmike @Magnet sorry that should have been 4 digit PIN, not 6
Avatar
Avatar
manuelevlr
Hi everyone, I made a Qualcomm live acquisition of a Samsung Z Flip3. After parsing with Physical Analyzer I cannot view the messages on Telegram, even though they are present in the cache4.db. Telegram version 8.1.2 is installed on the device. Is it possible that PA does not correctly decode the data present in the Telegram db as it supports up to version 7.9.3?
Any news on this? Tried @Cellebrite @MSAB Adam @forensicmike @Magnet @Oxygen Forensics in the newest versions with no luck.
Avatar
Avatar
AlexBB
Any news on this? Tried @Cellebrite @MSAB Adam @forensicmike @Magnet @Oxygen Forensics in the newest versions with no luck.
Hi, we checked it in a PA pre-release version (should be available in a few days) and it works; I could send you a link for the version in DM (edited)
Avatar
Avatar
AlexBB
Any news on this? Tried @Cellebrite @MSAB Adam @forensicmike @Magnet @Oxygen Forensics in the newest versions with no luck.
Oxygen Forensics 11/30/2021 3:36 AM
Hello! Are you asking about cache4.db parsing issues? As far as I know, no issues like this are recorded for 8.1.2 Telegram parsing in 14.1 (edited)
3:43 AM
We had issues with parsing in 14.0, as far as I see they were fixed with 14.1 (edited)
Avatar
Hi, is there any information about android "data_usage.db" tables and columns?
Avatar
Hi! I'm looking into RPidentity-Friendaccount located in the iOS keychain. I can't seem to find any information about it. Can someone help me?
Avatar
Hey, does anyone know where I might find a database entry or an XML file that will tell me if a suspect phone (Android) had WhatsApp auto download enabled or not? I seem to be going round in circles and getting nowhere!!
Avatar
Avatar
blake-ee
Hey, does anyone know where I might find a database entry or an XML file that will tell me if a suspect phone (Android) had WhatsApp auto download enabled or not? I seem to be going round in circles and getting nowhere!!
No luck with these locations?
Avatar
@vedmore I have the same issue. I was speaking with @forensicmike @Magnet; he was passing it on to one of the Android dev guys at Magnet. I also was talking with @Aero who was working on something. I have the pin in my case, but in a full file system extraction of a Samsung I only get the pictures, which are encrypted. I need them unencrypted as they are CSAM.
Avatar
@Ghosted If you have the pin and cellebrite, have you tried using Andy? (edited)
Avatar
SoundCloud chat messages: does anyone know if these can be found in iOS extractions? I got an FFS where SoundCloud messages could be of importance, just don't know what database or plist these could be in.
Avatar
Can anyone confirm for me that Premium is still the only solution for a Samsung A12 (SM-A125F/DSN)?
Avatar
SPL Sept 2021
Avatar
Avatar
Brigs
No luck with these locations?
Thanks for this but I've had a look and I'm still struggling to find what I'm looking for. I'll keep digging around.
Avatar
@Cellebrite is there a way to filter on the timeline so that rather than a whole chat thread, only chats within a certain timeframe are shown?
Avatar
Could anyone share an older version of PA? 7.48/7.49/7.50 are failing to parse iOS 3 backups that we have on a live case and @Cellebrite support refuses to provide older versions for "security reasons". Unfortunately I don't know what version of PA broke the old iTunes backup support, so the older the better. (edited)
📬 1
Avatar
NibblesNBits 12/1/2021 6:42 AM
Does anyone have any information on Filelog0.log files? I have found them on two separate Samsung phones (I am curious now and tend to look for it). It seems to contain a log of when messages were received and deleted and possible conversation IDs, groups, etc. I want to know what possible tables these IDs correspond to and why they don't seem to be listed anywhere. Both phones were Qualcomm live extractions.
Avatar
Avatar
eSko
Could anyone share an older version of PA? 7.48/7.49/7.50 are failing to parse iOS 3 backups that we have on a live case and @Cellebrite support refuses to provide older versions for "security reasons". Unfortunately I don't know what version of PA broke the old iTunes backup support, so the older the better. (edited)
CLB-dan.techcrime 12/1/2021 7:23 AM
The Cellebrite Physical Analyzer – the most intrusive phone-cracking tool offered by the company – no longer supports iPhones. The company ...
Avatar
Avatar
eSko
Could anyone share an older version of PA? 7.48/7.49/7.50 are failing to parse iOS 3 backups that we have on a live case and @Cellebrite support refuses to provide older versions for "security reasons". Unfortunately I don't know what version of PA broke the old iTunes backup support, so the older the better. (edited)
CLB-dan.techcrime 12/1/2021 7:44 AM
Last week, a blog published by Signal made several assertions about Cellebrite and our solutions. We would like to address any confusion that post caused.
cellebrite 1
Avatar
@Cellebrite Hi, I have an FFS extraction from an iPhone 11 iOS 14.8.1. I cannot see the Apple voicemail; I have to manually search for them in the audio files. @MSAB I tried the same extraction with XAMN: the voicemails appear with the voicemail filter but I cannot see the sender of the audio. I can see the phone number in the database...
11:34 PM
Sorry @Cellebrite I found the voicemail 🤗
💯 1
cellebrite 1
Avatar
mond4y_morNin6 12/2/2021 7:35 AM
Can anyone from @Magnet Forensics (or anyone with knowledge on the issue) explain how cached images in the "Caches\lightspeed-imageCache" directory are tied to the FB messages/attachments themselves in the lightspeed database? This is from an iPhone FFS extraction that I've processed in Axiom. I have referenced the relevant entries in the attachments/messages/threads tables from the lightspeed db, but cannot determine what identifying information is being used for Axiom to be able to display a specific cached image as the attachment being sent in a message.
Avatar
I have a locked Motorola Moto G Stylus (XT2043-4). Any thoughts on any possible acquisition before I give up?
Avatar
That'll be qualcomm and FBE, so bruteforce would be required and no tool does this. Not sure about Premium or CAS-like solutions. Maybe they work with the phone, but AFU or BFU state may be important here (edited)
Avatar
Avatar
Arcain
That'll be qualcomm and FBE, so bruteforce would be required and no tool does this. Not sure about Premium or CAS-like solutions. Maybe they work with the phone, but AFU or BFU state may be important here (edited)
That's what I figured. It is AFU - I'll look into those. Thanks for the help!
Avatar
Avatar
sholmes
Does anyone have scripts for parsing Cash App dbs on iOS? I checked Magnet Artifact Exchange and didn't find anything. Thought I would check here. The Android dbs are much easier for Cash App.
NibblesNBits 12/2/2021 8:50 AM
By any chance do you have any insight on the android cash_money.db you can provide. I have looked through tables and columns and found information of interest but have no real experience putting it all together. I definitely need to do some training and diving into .db record parsing.
Avatar
Anyone having issues with Magnet AXIOM 5.7 not processing extractions correctly? I tried one phone and two Windows PCs. They all found almost no artifacts on the first try. The first two worked on the second try. Haven't tried the last one again yet. (edited)
Avatar
Avatar
Joe Schmoe
Anyone having issues with Magnet AXIOM 5.7 not processing extractions correctly? I tried one phone and two Windows PCs. They all found almost no artifacts on the first try. The first two worked on the second try. Haven't tried the last one again yet. (edited)
I have used it on three different cases, including a case with 15 items so far, and haven't seen that issue.
Avatar
Avatar
sholmes
I have used it on three different cases, including a case with 15 items so far, and haven't seen that issue.
Interesting. Thank you. I opened a ticket with support. It’s already a time consuming process so running it twice is tough.
👍 1
💯 1
Avatar
Avatar
NibblesNBits
By any chance do you have any insight on the android cash_money.db you can provide. I have looked through tables and columns and found information of interest but have no real experience putting it all together. I definitely need to do some training and diving into .db record parsing.
I don't have a db for that in front of me, nor do I have anything written up on what I found. I know I was able to find the transactions/amounts/contacts through the DB. I also remember if it showed the transaction was 2000, that was $20.00. Sorry I am not much help. I have a few cases pending right now, and if I find Cash.db in them I will DM you.
Avatar
NibblesNBits 12/2/2021 10:47 AM
Thank you, appreciate it. I found a table and row; the transaction information you are speaking about seems consistent. I may have enough to figure it out. If you get some free time (HA!) feel free to share.
Avatar
Anyone have a way to determine if a call was made using Bluetooth? I have been reviewing mobilebluetooth.devices.plist and it shows a last seen of a UConnect system. I am trying to dig and see if I can determine whether Bluetooth was in use on the calls which were made. It is iOS 14 and I have a full file system. Any pointers appreciated.
Avatar
Avatar
Joe Schmoe
Anyone having issues with Magnet AXIOM 5.7 not processing extractions correctly? I tried one phone and two Windows PCs. They all found almost no artifacts on the first try. The first two worked on the second try. Haven't tried the last one again yet. (edited)
I have a similar problem. I need to close Examine and start it again to see the artifacts. (edited)
Avatar
Avatar
Angst
I have a similar problem. I need to close Examine and start it again to see the artifacts. (edited)
Ahh. I’ll give that a shot. Thank you.
Avatar
Avatar
Angst
I have a similar problem. I need to close Examine and start it again to see the artifacts. (edited)
Ugh. I should have tried that before running process again. Worked like a charm.
👍 1
Avatar
Avatar
King Pepsi
@Cellebrite is there a way to filter on the timeline so that rather than a whole chat thread, only chats within a certain timeframe are shown?
I asked that question last year and was told there wasn’t. A pain in the rear for sure!
this 1
Avatar
If a device is in a locked state but is still making and receiving calls and SMS is this indicative of hands free use?
Avatar
iOS CashApp parsing in iLEAPP Here is the code / query: https://github.com/abrignoni/iLEAPP/blob/master/scripts/artifacts/cashApp.py
iOS Logs, Events, And Plist Parser. Contribute to abrignoni/iLEAPP development by creating an account on GitHub.
💯 2
Avatar
Anyone know the difference between KnowledgeC Device lock states and KnowledgeC Keybag lock states?
4:51 PM
I know lock state is the lock state of the device, but what is keybag lock state?
Avatar
Avatar
Ghosted
I know lock state is the lock state of the device, but what is keybag lock state?
ScottKjr3347 12/2/2021 6:52 PM
The keys for both file and keychain Data Protection classes are collected and managed in keybags in iOS, iPadOS, watchOS, and tvOS.
Avatar
Avatar
Ghosted
Anyone have a way to determine if a call was made using Bluetooth? I have been reviewing mobilebluetooth.devices.plist and it shows a last seen of a UConnect system. I am trying to dig and see if I can determine whether Bluetooth was in use on the calls which were made. It is iOS 14 and I have a full file system. Any pointers appreciated.
For your Bluetooth, this may help: https://www.youtube.com/watch?v=IGhXsfZXL6g IIRC, it's a mixture of interactionC and the plist, which APOLLO parses very well.
Avatar
anyone else having an issue in PA 7.50 where when selecting the "save to location" PA just freezes? (edited)
1:56 AM
I just can't click anything else within PA but other programs are fine
1:59 AM
ah, just came back to life but that was funky
Avatar
Someone around who can help me out with an encrypted Apple note, or an encrypted container? Can't figure out where the encrypted container is... I have an AFU extraction of an iPhone. Looking at the ZICLOUDSYNCINGOBJECT table I find a column that states a value of 1 'is encrypted'. If I move further I see that the column 'ZISHIDDENNOTECONTAINER' also states a value of '1'. So, what's next? (edited)
Avatar
Avatar
Rob
anyone else having an issue in PA 7.50 where when selecting the "save to location" PA just freezes? (edited)
That was a bug some versions ago and it was something to do with PA checking the licence or something; thankfully it was fixed, and now it's broken again. Good to know!
Avatar
Aha, I'll get it raised in a ticket and pray for the next version 🙏
Avatar
Deleted User 12/3/2021 5:32 AM
Can someone explain to me why on recent versions of PA I always get this kind of message? Android or iPhone.
5:32 AM
@Cellebrite
Avatar
@Deleted User From experience, a lot of those seem to be related to WhatsApp stickers.
😲 1
Avatar
Avatar
Deleted User
Can someone explain to me why on recent versions of PA I always get this kind of message? Android or iPhone.
CLB-drorimon 12/3/2021 8:02 AM
It's a bug related to extracting files from tar archives. Fixed in 7.51 (not out yet). (edited)
👍 1
Avatar
Does anyone know where you can find what apps were opened in the background aka App Switcher in iOS? I’m looking for the names of the apps and what time they were put into the app switcher and in a perfect world the actual image the user would see in the app switcher. Any ideas? I have a FFS opened in PA 7.50 and looking for a database I can go through. Thanks in advance. (edited)
Avatar
Avatar
Derek F
Does anyone know where you can find what apps were opened in the background aka App Switcher in iOS? I’m looking for the names of the apps and what time they were put into the app switcher and in a perfect world the actual image the user would see in the app switcher. Any ideas? I have a FFS opened in PA 7.50 and looking for a database I can go through. Thanks in advance. (edited)
torskepostei 12/3/2021 1:01 PM
I have found that the images reside in the data folder for the apps, usually the Library folder, stored as .ktx files. I'm not familiar with the app switcher, but I believe knowledgeC will help you find the last used apps.
Avatar
Avatar
CLB-drorimon
It's a bug related to extracting files from tar archives. Fixed in 7.51 (not out yet). (edited)
What does it mean data-wise for previous cases parsed within PA?
Avatar
Avatar
Rob
What does it mean data-wise for previous cases parsed within PA?
CLB-drorimon 12/4/2021 12:45 PM
It's related to the new support for expanding tar archive files as well (besides zip). It means that sometimes PA will not extract all files from some tar files. It has no effect on app decoding of any kind, even if that app had a tar file expanded during its decoding. The issue affects only tar files which are not connected to app decoding, so the Analyzed Data section is not affected, and you could only get fewer files than expected in the Data Files section.
👍 3
Avatar
@Magnet Forensics Anyone encountering processing issues with Axiom, using an iOS AFU extraction? Updated to the newest version 5.7, but after processing I'm getting no artifacts at all....
Avatar
@florus I had the issue with Android GK extract
Avatar
Avatar
florus
@Magnet Forensics Anyone encountering processing issues with Axiom, using an iOS AFU extraction? Updated to the newest version 5.7, but after processing I'm getting no artifacts at all....
@Ghosted I had the same issue with both an iOS AFU and an Android FFS. If you do a search (I searched for "message") or create a timeline, all the artifacts will show up. In my cases the artifacts were there, but didn't show up in the artifact view!
Avatar
@.karate. @Ghosted I noticed the same issue with Windows PC extractions. For me, closing and running Examine again solves the problem.
Avatar
Anyone experienced getting most of the discord messages from a FFS extraction but none of the media? Would advising the investigator to do a search warrant to discord produce those messages more completely with the attached media? I don't think I've done a discord SW before so no idea what data they can produce from their side.
Avatar
WhatsApp now lets you set all chats to disappear by default https://t.co/gluQ6MnrUC
Avatar
are CAS prices the same for LE and private, or is there a diff?
Avatar
FATHEAD7466 12/6/2021 11:32 AM
Has anyone had experience with a Google search warrant with an extension .pbx? If so, how do we decode it? We have seen the .gpg files with an executable on it.
Avatar
Avatar
Beefhelmet
Anyone experienced getting most of the discord messages from a FFS extraction but none of the media? Would advising the investigator to do a search warrant to discord produce those messages more completely with the attached media? I don't think I've done a discord SW before so no idea what data they can produce from their side.
Check the artifacts for Discord in RLEAPP to have an idea of what you could get. Your mileage might vary since I can only do parsers based on the data I have available. If your agency is ok with sharing the data with a US Federal LE agency in order to assist do hit me up privately. RLEAPP has tons of search warrant parsers you might want to check out like Kik and Snapchat. I just released the latest version so go to the Releases section in the repository and download the Windows executables. Use the rleappGUI.exe one for the graphical user interface version. Any questions let me know. https://twitter.com/AlexisBrignoni/status/1467270873069539339?s=20 (edited)
New RLEAPP #DFIR artifacts for Discord returns! 🤖 Direct messages 🤖 Server messages 🤖 Messages unknown 🤖 Server metadata 🤖 Friends lisT with status 👇RLEAPP 1.0.2 Win10 binary release here: https://t.co/L74tGi37z8 #Python #DigitalForensics
Avatar
Avatar
Neptun5000
Hi, quick question - not really a mobile forensics person - but I am tinkering a bit with a possible setup for UFED Reader (latest version released, for what it's worth), and am a bit curious about a message that keeps popping up in the "trace window": Failed to get data for zip entry. Anyone else noticed this, and care to enlighten me? Using a test image, and wondering if it has to do with some prerequisite, e.g. WinZip missing? Files are .db, .mp4 ++. After posting & more googling I stumbled upon this: https://www.forensicfocus.com/forums/mobile-forensics/cellebrite-reader-trace-window-error/ - makes me suspect "it's not just me" (edited)
I noticed the same issue with a UFDR created with 7.46 after complaints from a detective. The report is stored on our network storage and I have opened it from multiple machines. Of the 4 times I have opened the UFDR, 3 came back with the same results and no errors in the trace window. 1 of them has errors pointing to multiple files including a WhatsApp backup database. This UFDR shows fewer chats than the other 3, so I would say this has an actual impact on the results shown to the detective/analyst. Were you able to figure out what the cause is for this issue? My next step is to check if it's network related. @Cellebrite
Avatar
Kinsfolk> That version wouldn't work on my test device so I'm using Calculator - photo vault com.hld,anzenbokusucal Version 10.0.1 on that - which appears to be the same but updated... @kibaffo33 Kinsfolk Appreciate a few days have passed now but that should help: https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/
This week I have been looking at another Android application designed to keep files secure. ‘Calculator – hide photos’ has many features, including a vault ‘…Through t…
Salute 4
😋 1
👍 2
Avatar
Avatar
jjh2320
Kinsfolk> That version wouldn't work on my test device so I'm using Calculator - photo vault com.hld,anzenbokusucal Version 10.0.1 on that - which appears to be the same but updated... @kibaffo33 Kinsfolk Appreciate a few days have passed now but that should help: https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/
Thanks for the assistance on this one @jjh2320 - great reverse engineering skills on display here!
😍 1
Avatar
Avatar
jjh2320
Kinsfolk> That version wouldn't work on my test device so I'm using Calculator - photo vault com.hld,anzenbokusucal Version 10.0.1 on that - which appears to be the same but updated... @kibaffo33 Kinsfolk Appreciate a few days have passed now but that should help: https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/
DUDE!!!!! Amazing work. It worked like a charm on a case I am literally working on right now. This made my day. Thanks!!!! (edited)
✌️ 1
Avatar
@Cellebrite - One of our tools has produced an Android keystore file; any suggestion on what we should do with it?
Avatar
Avatar
Chris
@Cellebrite - One of our tools has produced an Android keystore file; any suggestion on what we should do with it?
CLB-dan.techcrime 12/7/2021 8:09 AM
PA will use it, if necessary, to decrypt any apps that use it (but there are very few that do) (edited)
Avatar
Guys, anyone know what happened to Oxygen's old timezone configuration? I'm on 14.1 and can't find it anywhere (edited)
8:18 AM
I remember we could pick device timezone and display timezone but in this version I can't find them
Avatar
Avatar
s.m.
Guys, anyone know what happened to Oxygen's old timezone configuration? I'm on 14.1 and can't find it anywhere (edited)
Forget about it. I just found it. It's still in the same place.
Avatar
Hi, I have a Premium FFS of a Galaxy A51 and Facebook Messenger is not parsed. Is the new version of Cellebrite PA supposed to be released soon? Is any beta version available that supports the new Messenger database? Thanks 💪 @Cellebrite
Avatar
@SPVQct3207 Hello, the PA 7.51 Pre-Release version that solves it is available for download through the design partner program. You can register here https://community.cellebrite.com/s/design-partner and download the version; let me know if you need further assistance.
👍 4
Avatar
GLU0G
Avatar
@idokal I just asked for registration, waiting to be approved. Thanks
Avatar
@Cellebrite "Could not find attachments json key" for what I suspect is Signal as it had just parsed Signal Backup and Signal Private Messenger, any idea of if this is the same within 7.51 or if there's a workaround within 7.50?
Avatar
Avatar
Rob
@Cellebrite "Could not find attachments json key" for what I suspect is Signal as it had just parsed Signal Backup and Signal Private Messenger, any idea of if this is the same within 7.51 or if there's a workaround within 7.50?
see DM
Avatar
Could anyone verify that the gPhotos0.db local_media table contains ONLY those photos taken with the cell phone's camera? Android 5.1.1 LG K330 cell phone. Need to testify that the EXIF data stating that it was taken with an LG K330 means this K330 which the photo was recovered from.
Avatar
Nullable Truth 12/9/2021 1:44 AM
Snapchat Question: Does anyone have an explanation as to how files end up in the following folder: "private/var/mobile/Containers/Data/Application/[Snapchat guid]/Persistent/SCMedia"
1:45 AM
Filenames are prefixed with "cm-chat-media-"
1:45 AM
Device is an iPhone
Avatar
@Nullable Truth Like it's written, it's from chat. If you have an FFS you can view the controller cache db, and if it's recent media you can follow the id...
Avatar
Nullable Truth 12/9/2021 2:22 AM
Cheers @rico I'll take a look. It's a graykey extraction
Avatar
Hello everyone. I have been examining a phone with physical analyzer, and in the call log, I notice this
3:40 AM
in the same timestamp I see an incoming call through viber to the phone that has been made multiple times, from the same caller (edited)
3:41 AM
Also in the same timestamp I see an incoming from another caller
3:42 AM
when I look in the messages_calls database, I confirm that all these calls have been recorded
3:43 AM
Do you think that this is a software error, or that it is something that could happen?
Avatar
Hi, I have a question related to "forwarded messages" in WhatsApp: Is it possible to find the original source from which the user has forwarded a message? The extraction is a FFS from an iPhone.
Avatar
Avatar
Prometheus
Hello everyone. I have been examining a phone with physical analyzer, and in the call log, I notice this
Group call?
Avatar
Hey everyone! I have a SUBJECT who is claiming he viewed child porn on Discord (50-60 videos and images), but never downloaded it to his iPhone 6, but believes that once he viewed the CP the application automatically downloaded it onto his phone. The phone was clean, but CP was uploaded to his iCloud account. Has anyone tested this out? I viewed several videos and images (non-CP) on other channels, but these images were not available on the extraction of my iPhone XR. Any thoughts? (edited)
Avatar
I have never had random Discord images put on my devices beyond the occasional webp from the avatars kept in the cache. Discord does not leave much on your machine as it relies on solid internet.
9:37 PM
If you have the iphone with the images then something like photos.sqlite may say where they have actually come from.
9:37 PM
Him downloading them deliberately I would imagine.
9:38 PM
I could upload a festive image now and you can see if it appears on your test machine?
Avatar
Avatar
Nullable Truth
Filenames are prefixed with "cm-chat-media-"
I looked into that a while ago. I could not fully reproduce the cm- part. Couldn't even say if they were sent or received. If you find something out, please let me know :)
Avatar
Nullable Truth 12/10/2021 2:01 AM
Hey @florus, I've done some extensive review and cross referencing between the following Snapchat databases: Primary.docobjects ContentManagementDb.db Cache_controller.db Scdb-27.sqlite3 Arroyo.db I'm able to find creation/expiration times, content size, read state etc. But I couldn't find any artefacts that directly link this file to a user or message thread.
Salute 1
2:05 AM
Axiom is reporting it as "received" but I can't see how it is able to decipher that. My last thoughts are the video came from a shared story, and then the account has unfriended them since, but the file had remained cached due to the presence of an expiration date in the database files. My guess is the cm- part is "content management"
Avatar
@florus @Nullable Truth check pinned messages, both me and @Oscar have made scripts for Snapchat. :)
Avatar
Nullable Truth 12/10/2021 6:20 AM
Thanks for the script @OggE and @Oscar Unfortunately this wasn't able to find a correlation for these particular files of interest either.
Avatar
Darn :(
Avatar
Nullable Truth 12/10/2021 9:29 AM
Thank you for the suggestion though. I'm probably going to do some testing myself to replicate what I see consistently
Avatar
Hello everyone. I have trouble with Oxygen: all extractor modules work but none of the import modules do; I get "failed" for all of them. Any idea?
Avatar
Avatar
kali_478
Hello everyone. I have trouble with Oxygen: all extractor modules work but none of the import modules do; I get "failed" for all of them. Any idea?
I found: I forgot to launch the app with admin rights 😉
Avatar
Does anyone know if there are any flags within the text message database or phone itself for an iOS FFS extraction to identify whether the subject used voice to text as opposed to typing in manually? Suspect in a luring case has a mental health competency hearing coming up saying he's illiterate; I'm not back in the office to dig through an extraction to look.
Avatar
Avatar
Solec
Does anyone know if there are any flags within the text message database or phone itself for an iOS FFS extraction to identify whether the subject used voice to text as opposed to typing in manually? Suspect in a luring case has a mental health competency hearing coming up saying he's illiterate; I'm not back in the office to dig through an extraction to look.
iPhones always notify the user if the microphone is being used, I would think it would also log that data as well, right? Maybe something in KnowledgeC? Just a thought.
Avatar
Hello all, first time attempting data recovery. Forgive me if this is simple: I have an iPhone 14.8.1 and recovered the sms.db using Cellebrite PA 7.45.0.96 I can’t find the deleted messages in table sync_deleted_messages
12:59 PM
Is there any other place I can search
Avatar
Avatar
Solec
Does anyone know if there are any flags within the text message database or phone itself for an iOS FFS extraction to identify whether the subject used voice to text as opposed to typing in manually? Suspect in a luring case has a mental health competency hearing coming up saying he's illiterate; I'm not back in the office to dig through an extraction to look.
Yes, there can be records in the Sirianalytics.db which shows signs of usage of voice dictation
💯 2
1:05 PM
Sometimes also gives then location of the speech to text(dictation
👍 1
1:06 PM
The*
1:06 PM
Depends on settings
Avatar
@FullTang @t12346 Thanks! Supposedly everything is text to speech since he says he can't read or write and everything was dictated; there should be some entries correlating in either, I'd imagine, if true. I'll check for those on Monday.
👍 1
Avatar
If you need any help feel free to PM; I have the event IDs stored somewhere to look out for.
Avatar
thaconnecter 12/10/2021 1:24 PM
Hello DFIR community, I need a topic for my master's degree research project. If you have any suggestions or situations that you have encountered regarding mobile extracted data, feel free to PM me. Have a great weekend.
Avatar
Hi, I have a question that I can't seem to find a definitive answer to. If I obtain a full FS of an iPhone (iOS 14.x) through checkm8 using UFED, will I find SIGNAL conversations in the report or not? If not, is there any other known tool/method to get these messages? Thanks in advance @Cellebrite @Oxygen Forensics @Magnet Forensics @Elcomsoft
Avatar
Avatar
FabianoQ
Hi, I have a question that I can't seem to find a definitive answer to. If I obtain a full FS of an iPhone (iOS 14.x) through checkm8 using UFED, will I find SIGNAL conversations in the report or not? If not, is there any other known tool/method to get these messages? Thanks in advance @Cellebrite @Oxygen Forensics @Magnet Forensics @Elcomsoft
CLB-drorimon 12/12/2021 6:15 AM
Yes, you should be able to decode Signal in PA out of a checkm8 UFED extraction.
Avatar
Avatar
CLB-drorimon
Yes, you should be able to decode Signal in PA out of a checkm8 UFED extraction.
Thanks
Avatar
Avatar
FabianoQ
Hi, I have a question that I can't seem to find a definitive answer to. If I obtain a full FS of an iPhone (iOS 14.x) through checkm8 using UFED, will I find SIGNAL conversations in the report or not? If not, is there any other known tool/method to get these messages? Thanks in advance @Cellebrite @Oxygen Forensics @Magnet Forensics @Elcomsoft
You should. Or something has changed.
Avatar
Avatar
FabianoQ
Hi, I have a question that I can't seem to find a definitive answer to. If I obtain a full FS of an iPhone (iOS 14.x) through checkm8 using UFED, will I find SIGNAL conversations in the report or not? If not, is there any other known tool/method to get these messages? Thanks in advance @Cellebrite @Oxygen Forensics @Magnet Forensics @Elcomsoft
Oxygen Forensics 12/13/2021 6:06 AM
Hello! With checkm8 you gain access to the keychain and you should have no issues with the data after import in OFD.
Avatar
Avatar
CCC
I have never had random Discord images put on my devices beyond the occasional webp from the avatars kept in the cache. Discord does not leave much on your machine as it relies on solid internet.
I tried to duplicate it on my end using my Discord application and viewing videos and images. I extracted my phone using Cellebrite and could not locate those images. Then again, the subject's phone was an iPhone 6 with a different version of iOS. It's not gonna be exact.
Avatar
Looking for a way to decode a ChipOff from a ZTE Z5157V (Z2 Gabb phone). The phone is not encrypted and the chipoff/image process was successful. @Magnet Forensics doesn't decode most of the user data due to Flash2Friendly. Looking for the right chains to run in @Cellebrite, because Android DD didn't get me any user data. Looking for the messages and images. Any suggestions? On phone with CB support presently, but thought I would also see what y'all thought. (edited)
Avatar
Avatar
sholmes
Looking for a way to decode a ChipOff from a ZTE Z5157V (Z2 Gabb phone). The phone is not encrypted and the chipoff/image process was successful. @Magnet Forensics doesn't decode most of the user data due to Flash2Friendly. Looking for the right chains to run in @Cellebrite, because Android DD didn't get me any user data. Looking for the messages and images. Any suggestions? On phone with CB support presently, but thought I would also see what y'all thought. (edited)
Does the user partition get identified? Or do any?
Avatar
yes I can see the partitions
11:34 AM
I can see the Userdata folder under the File System section in PA
11:38 AM
Avatar
Avatar
CLB-Paul
Does the user partition get identified? Or do any?
@CLB-Paul I just ran it as Generic Android with the exact same result
Avatar
That data folder is small.
12:14 PM
Mind you the read out is small also.
Avatar
@CLB-Paul It is a Gabb phone, so I am not expecting much data. (edited)
Avatar
@sholmes i think he pointed out that it's only 60MB in size, and other directories are nearly empty as well, like if the phone was wiped before
Avatar
@Arcain The phone wasn't wiped. I was able to manually check it prior to Chip Off. This is the full file structure from Axiom.
1:16 PM
Finally a safe cell phone for kids! A kids phone to keep them connected to family and friends. The perfect first phone for your kids and teens. The Gabb Phone Z2.
1:16 PM
It is a kid friendly phone with minimal bells/whistles.
1:16 PM
The suspect said he has deleted messages of concern, including some images
1:19 PM
I think it is encrypted
1:19 PM
@Arcain @CLB-Paul I think it is encrypted
1:21 PM
I am betting on encrypted.
Avatar
Something is really weird. The "app" folders should contain data, APKs, etc. If you open the extraction in X-Ways or FTK Imager, do you get the same result?
1:22 PM
FBE
1:22 PM
It’s FBE. And userdata is not decrypted. That’s why you get the weird results.
Avatar
Yep.
Avatar
Yea, that's FBE, without any keys loaded
Avatar
Well crap. The Gab flips are not encrypted. And I didn't see this inside the settings for the phone.
1:25 PM
Thanks for walking me through this one. Sometimes it takes someone else pushing me to get me to the right answer.
1:26 PM
Well we didn't have anything prior to the chip off, so still no loss, but I was hoping we had him.
1:26 PM
Thanks @.karate. @Arcain and @CLB-Paul for your input and suggestions. (edited)
🍀 2
Avatar
Avatar
JSyber
I tried to duplicate it on my end using my Discord application and viewing videos and images. I extracted my phone using Cellebrite and could not locate those images. Then again, the subject's phone was an iPhone 6 with a different version of iOS. It's not gonna be exact.
I'm still saying it didn't happen. The photos.sqlite might give you more of an indication.
Avatar
Hi all, I just updated my iLEAPP install and noticed the installation broke, giving me the error "ImportError: failed to find libmagic". Strange because libmagic is installed.. So I tried pip install -r requirements; all requirements were fine. The solution was: pip uninstall python-magic (0.4.24) and install python-magic-bin==0.4.14
Avatar
Anyone have a list of iOS artifacts that are dependent on the keychain file for decoding? Looking to assess whether not having a keychain file is detrimental for a few of my current cases. Specifically using @Cellebrite but also have @Magnet Forensics axiom available. I know the results should be similar would just wonder if either tool shows that an artifact exists but wasn’t decoded due to not having the keychain and if that would appear in a trace log or not. (edited)
Avatar
Avatar
snoop168
Anyone have a list of iOS artifacts that are dependent on the keychain file for decoding? Looking to assess whether not having a keychain file is detrimental for a few of my current cases. Specifically using @Cellebrite but also have @Magnet Forensics axiom available. I know the results should be similar would just wonder if either tool shows that an artifact exists but wasn’t decoded due to not having the keychain and if that would appear in a trace log or not. (edited)
I don't think it would show if it was not decoded. I have a feeling it just would not be there.
Avatar
Avatar
CLB-Paul
I don't think it would show if it was not decoded. I have a feeling it just would not be there.
That’s what I’m afraid of. It won’t be there but I don’t necessarily know what I’m missing…
Avatar
Are you in a situation where you might need it?
12:00 PM
Or more, what are you after?
Avatar
Has anyone managed to decode Snapchat from an Android device where Snapchat is signed out? Device is an Honor 8 Pro running Android 9 and I have a full file system.
1:24 AM
Decoding in the most recent physical analyzer

Hi all. Has anybody come across HadesOS? Looks like it's a modification that runs on top of Android. Essentially to serve encrypted communication apps.

@Government [UK] Anyone have a Kik Messenger file naming convention explanation? (edited)
6:21 AM
Or is it just random?

CLB-Paul
Or more, what are you after?
Not really sure. Don’t know what the user was mainly using. I’m going to open now without the keychain to see if I find anything relevant to the case that negates the need to dig any further. Was just hoping there was a way to know what the keychain was helping to parse out

Android Sgallery fake calculator app hidden media decryption now available in ALEAPP. This all comes thanks to @jjh2320 reverse engineering research. Check it out here: https://twitter.com/AlexisBrignoni/status/1470970324737011716?t=FngQ4644Nr0GeZepf9aejA
New #ALEAPP #DFIR artifacts for the #Android Sgallery 'Calculator - Hide Photos' app. 🔓 Decrypts photos, videos, & pin. 🙇 Thanks to Theincidentalchewtoy for the research & initial code. Read the blogpost: https://t.co/4VpL3QoGxp 👉 Get ALEAPP here: https://t.co/9TVEgX4s1t

theAtropos4n6 12/16/2021 2:52 AM
@Cellebrite I have an encrypted iOS iTunes backup taken with UFED. When I parse it with PA versions 7.47-7.50 I cannot get any DCIM media at all: no file and no path either. I do not know if I am doing something wrong, but it is the first time I have experienced this problem. @Magnet Forensics When I parse the encrypted backup with AXIOM, I can see all the media files. The problem is that all media files, when viewed from the Artifacts pane, show only the SHA1 value as their source and not the original path (DCIM/APPLE...). However, when navigating through the File system pane, I can see that all the paths have been successfully reconstructed for all the media files. My question is why AXIOM doesn't show the original path as well as the source of each media file?

Anyone have any suggestions of what to do when Physical Analyzer freezes when trying to export a report?
@ltrain1029 What type of report are you selecting ?

Just a normal Excel.

@ltrain1029 I would guess that's why; how big is your extraction? Might be too much data for it to handle. Try a UFED Reader version

Andrew Rathbun 12/17/2021 5:38 PM
I am happy to announce an Android 12 image with documentation is now publicly available for download. This image contains 64 third party apps, all with varying levels (none to a lot) of data gene…

Has anyone managed to find a semi-reliable time for when an iPhone is first used? It’s an iPhone 11 with iOS 13.5.1 but they’ve clearly done a cloud backup
12:53 AM
Right now I’m just going off when databases were created on the handset

Hi, @Oxygen Forensics @MSAB, sorry, we are fairly new in the DF field but we have a problem with a Vivo 1938 Y30 phone. We launched the extraction with both XAMN and Oxygen; the Android system calls and texts are retrieved fine, but we can't seem to retrieve any information about the texts and calls through applications (ex: Telegram, Zalo and Messenger). Is there any explanation for this and how to fix it? (edited)

Chim 🐗
Hi, @Oxygen Forensics @MSAB, sorry, we are fairly new in the DF field but we have a problem with a Vivo 1938 Y30 phone. We launched the extraction with both XAMN and Oxygen; the Android system calls and texts are retrieved fine, but we can't seem to retrieve any information about the texts and calls through applications (ex: Telegram, Zalo and Messenger). Is there any explanation for this and how to fix it? (edited)
Could you send me the extraction log from XRY so that I can have a look? Either if you send it by DM, or if you email it to support@msab.com.

Chim 🐗
Hi, @Oxygen Forensics @MSAB, sorry, we are fairly new in the DF field but we have a problem with a Vivo 1938 Y30 phone. We launched the extraction with both XAMN and Oxygen; the Android system calls and texts are retrieved fine, but we can't seem to retrieve any information about the texts and calls through applications (ex: Telegram, Zalo and Messenger). Is there any explanation for this and how to fix it? (edited)
Oxygen Forensics 12/19/2021 11:54 PM
Hello, If you don't mind I will DM you 🙂
MSAB_Sofia
Could you send me the extraction log from XRY so that I can have a look? Either if you send it by DM, or if you email it to support@msab.com.
Sorry, we are using the computer for other files right now (edited)
11:54 PM
I will email the log later (edited)

I'm making a homebrew Windows version of the Android triage script that Heather talked of in I Beg to DFIR - https://blog.digital-forensics.it/2021/03/triaging-modern-android-devices-aka.html and whilst it gets much less than the Linux one, this is in some ways not a bad thing for my work, and it runs on Windows, which is convenient. It's just an untidy batch file, but if anyone wants to take a look and/or assist with improving it or making it properly, then I will gladly take the help.

Chim 🐗
Hi, @Oxygen Forensics @MSAB, sorry, we are fairly new in the DF field but we have a problem with a Vivo 1938 Y30 phone. We launched the extraction with both XAMN and Oxygen; the Android system calls and texts are retrieved fine, but we can't seem to retrieve any information about the texts and calls through applications (ex: Telegram, Zalo and Messenger). Is there any explanation for this and how to fix it? (edited)
It looks like you did a logical extraction
CCC
Does anyone know if there is a way to fix an MSAB XRY file saying it's truncated, or recover any data from it? Seems to have been corrupted somehow.
Hi, what's the solution to the truncated XRY extraction? @Erumaro Thanks! (edited)

We get this so often. Is there a way to fix it manually, or at least salvage any of it?
6:31 AM
Think it's the dubious quality network causing corruption on save.

I'm trying to connect an image with location /data/user/0/com.snapchat.android/files/file_manager/memories_thumbnail/ and /data/data/com.snapchat.android/files/file_manager/memories_thumbnail/ to memories.db. I have no idea how to do it. Does anyone have an idea? AXIOM connects images from /data/data/com.snapchat.android/files/file_manager/ to memories.db. However, memories.db does not mention anything about the files' location. My guess is that it works in a similar way. Has anyone figured out how it works? (edited)

Evening all, a work colleague has an iPhone 6 acquisition open here and has found a conflicting date/time stamp for an SMS message. The acquisition was completed in 2018. We have a deleted SMS showing in PA with a date/time stamp of 2016 but also the same message showing a date/time stamp of 2021 (both pointing to SMS.db). Opening in XAMN, we see the entry but only with a 2021 date/time stamp. Any ideas what is going on here? (edited)
Has the phone been restored at all?
AugustBurnsBlue 12/20/2021 11:23 AM
I got a BFU extraction of an iPhone SE, and to my surprise, it got some Snapchat conversations. However, instead of the participant names being their Snapchat names, it is replaced with a long identifier similar to "434be080-605a-4ea0-8f1a-8c41c92hb9b1" for each participant. What is this identifier? Is it unique for that person's Snapchat account? Can it be used for legal process?
AugustBurnsBlue
I got a BFU extraction of an iPhone SE, and to my surprise, it got some Snapchat conversations. However, instead of the participant names being their Snapchat names, it is replaced with a long identifier similar to "434be080-605a-4ea0-8f1a-8c41c92hb9b1" for each participant. What is this identifier? Is it unique for that person's Snapchat account? Can it be used for legal process?
I have gotten the same thing. Try processing the extraction in Axiom, it parses it better than PA and you might get SnapChat names.
FullTang
I have gotten the same thing. Try processing the extraction in Axiom, it parses it better than PA and you might get SnapChat names.
AugustBurnsBlue 12/20/2021 11:41 AM
Excellent, I will try that. Thanks!
I am using Cellebrite's SQLite Wizard to parse a database from an unsupported chat application. I have built my query in Query builder but when I try to map my fields I am unsure how to get the field names I want. For example I have some contacts with First Name, Last Name and Phone Number. I chose the Contacts drop down but it does not have these exact fields and it does not keep the 'AS' statements I used in my query. How do I edit these fields and not display any extra empty fields?
bmac4n6
I am using Cellebrite's SQLite Wizard to parse a database from an unsupported chat application. I have built my query in Query builder but when I try to map my fields I am unsure how to get the field names I want. For example I have some contacts with First Name, Last Name and Phone Number. I chose the Contacts drop down but it does not have these exact fields and it does not keep the 'AS' statements I used in my query. How do I edit these fields and not display any extra empty fields?
You might try exporting the file and using DB Browser for SQLite. Cellebrite does a great job at making the queries more human readable, but I don't think it is as good at displaying the output as other tools. https://sqlitebrowser.org/
Thank you for the reply. I reviewed the database in DB Browser initially without issue, but was looking to have it included in the report.
Deleted User 12/21/2021 12:37 AM
Anyone have any idea what app the "N" belongs to here? Thanks folks.
Deleted User
Anyone have any idea what app the "N" belongs to here? Thanks folks.
Opera News?
Rob
Opera News?
Deleted User 12/21/2021 2:58 AM
Ah yes that’s it! Thank you Sir. Also makes sense that my target is using that app.
Hi all. Does anyone here have info on the Session private messenger app and possible ways of getting data visible?
4JSN6🇬🇧 12/22/2021 4:25 AM
Issues decoding a physical extraction of a Samsung Galaxy XCover 5 2021 (SM-G525F). Tried both XRY and Cellebrite; neither will bring back any third-party application data, even with a physical. Any suggestions? Attempted similar profiles, no luck. May try AXIOM.
@4JSN6🇬🇧 Did you run the Physical in XRY and what were the results, could you DM me the log so I can have a look and see if you faced any errors when decoding?
Erumaro
@4JSN6🇬🇧 Did you run the Physical in XRY and what were the results, could you DM me the log so I can have a look and see if you faced any errors when decoding?
4JSN6🇬🇧 12/22/2021 4:28 AM
Yes, I’ll dm
Looking for incoming airdrop data on an iPhone 11 iOS 15.1 from a GK FFS - checked /var/mobile/Downloads/com.apple.AirDrop/ but it is empty. Any suggestions? Is that data even captured in a FFS? (edited)
4JSN6🇬🇧
Issues decoding a physical extraction of a Samsung Galaxy XCover 5 2021 (SM-G525F). Tried both XRY and Cellebrite; neither will bring back any third-party application data, even with a physical. Any suggestions? Attempted similar profiles, no luck. May try AXIOM.
CLB-drorimon 12/22/2021 9:27 AM
Looks like a FBE device. Try extracting a FFS.

Hello. Does anyone know the reason PA/AXIOM can parse some messages from Snapchat but not all ("no message content to display")? I'm assuming it's the way in which Snapchat/the user stored or viewed the message, but I'm curious to know the real answer and not just have a hunch. I have some incoming and outgoing messages that may be important, but I can't view the messages with a participant at the time I need to, though a couple of hours earlier, same participant, I can see them. iPhone XR, iOS 14.4, most recent Magnet and PA 7.5. Thanks for any help.
Brandon E
Looking for incoming airdrop data on an iPhone 11 iOS 15.1 from a GK FFS - checked /var/mobile/Downloads/com.apple.AirDrop/ but it is empty. Any suggestions? Is that data even captured in a FFS? (edited)
Sarah Edwards wrote a blog post on AirDrop artifacts a few years back. Might be useful http://www.mac4n6.com/blog/2018/12/3/airdrop-analysis-of-the-udp-unsolicited-dick-pic
I saw this article “ NYC plans to make AirDropping dick pics a crime ” on Friday and it got me thinking. What exactly are the cops going to find if they do an analysis of a device, either the sender or the receiver?  I’ve already done my fair share of analysis when it comes to the Conti
Tyler_Leno
Sarah Edwards wrote a blog post on AirDrop artifacts a few years back. Might be useful http://www.mac4n6.com/blog/2018/12/3/airdrop-analysis-of-the-udp-unsolicited-dick-pic
Thank you! That is a tremendous article and really helpful. Unfortunately I am not seeing any data in the locations referenced in the article. Thinking that it is since moved (or operator error on my part). I am still banging around the FFS and sysdiagnose logs but haven’t had any luck.
Brandon E
Thank you! That is a tremendous article and really helpful. Unfortunately I am not seeing any data in the locations referenced in the article. Thinking that it is since moved (or operator error on my part). I am still banging around the FFS and sysdiagnose logs but haven’t had any luck.
I've had varying success with parsers for iOS unified logs. The benefit of the sysdiagnose generation is that it creates a logarchive bundle of the unified logs that plugs in nicely to the native terminal log commands in macOS. From there I usually dump out to a text file and search via something like glogg if I can't get it to parse via another tool. Typically unified logs retain about a month or so of data and run around 20 million records.

CCC
I'm making a homebrew Windows version of the Android triage script that Heather talked of in I Beg to DFIR - https://blog.digital-forensics.it/2021/03/triaging-modern-android-devices-aka.html and whilst it gets much less than the Linux one, this is in some ways not a bad thing for my work, and it runs on Windows, which is convenient. It's just an untidy batch file, but if anyone wants to take a look and/or assist with improving it or making it properly, then I will gladly take the help.
Do you have your script on github? If so, what is the URL?
bmac4n6
Thank you for the reply. I reviewed the database in DB Browser initially without issue, but was looking to have it included in the report.
If you process the case with Axiom you can take your output from SQLite DB Browser and make a custom artifact of the resulting text file. That way you will have all in one report.

Is there any way to know when a Samsung Galaxy S8 was installed, like there is with purplebuddy.plist on an iPhone?

Brigs
Do you have your script on github? If so, what is the URL?
Config files for my GitHub profile. Contribute to JamesFirth2020/JamesFirth2020 development by creating an account on GitHub.
5:12 AM
Although as you can tell, I have not used github before
5:12 AM
And I'm not a great coder
5:13 AM
BUT.... I can see me using certainly the short version regularly.
5:13 AM
Obligatory - the original is more powerful, but I use windows 😐

I've stopped it cloning the SD card and doing an adb backup as I have other tools; this is for the quick extra data alongside my regular checks.

Hello, a relative of mine found an old HiSuite encrypted backup on his PC and isn't 100% sure about the password. We tried the kobackupdec tool but it didn't work, so we figured he might have done it the HiSuite-generated-password way. Can anyone suggest a free (trial) tool able to deal with this feature or simply crack it? (edited)

Axen Cleaver 12/23/2021 9:01 AM
I have a really dumb question. Where can I download the basic translation pack for PA? My license has the 5 languages selected, but I can't download the pack. From inside PA, the link constantly says there's no internet connection, though there is. The search bar on community.cellebrite.com only shows discussion around the pack, but no link to download it. There's no link in the license description that I've found. I know as soon as I find it I'll feel like an idiot, but I'm out of ideas and quickly getting low on patience, mostly with myself.
Axen Cleaver
I have a really dumb question. Where can I download the basic translation pack for PA? My license has the 5 languages selected, but I can't download the pack. From inside PA, the link constantly says there's no internet connection, though there is. The search bar on community.cellebrite.com only shows discussion around the pack, but no link to download it. There's no link in the license description that I've found. I know as soon as I find it I'll feel like an idiot, but I'm out of ideas and quickly getting low on patience, mostly with myself.
This one? Product & licenses - Cellebrite Physical Analyzer Downloads - Basic translation pack 1.0
Tyler_Leno
I've had varying success with parsers for iOS unified logs. The benefit of the sysdiagnose generation is that it creates a logarchive bundle of the unified logs that plugs in nicely to the native terminal log commands in Mac OS. From there I usually dump out to a text file and search via something like Glogg if I can't get it to parse via another tool. Typically unified logs retain about a month or so of data and run around 20 million records.
Thanks for this. I was able to locate what I was looking for in the unified logs. From some online research and testing I found partial SHA-256 hashes of the sender’s email and phone number along with (what I think is) a unique identifier generated by the receiving device based on those hashes. I know it is a long shot but does anyone know if the full SHA256 hash of the email or phone number may be stored on the receiving device? (edited)
@Cellebrite Hi, do you know the problem with dictionaries? I attach my dictionary to cracking and after breaking it, it does not find the password and removes it
kawiarz
@Cellebrite Hi, do you know the problem with dictionaries? I attach my dictionary to cracking and after breaking it, it does not find the password and removes it
What do you mean? It exhausts the dictionary ?
CLB-Paul
What do you mean? It exhausts the dictionary ?
DM

For all and everyone who is doing Android application analysis/reversing, I can really recommend installing Windows Subsystem for Android. Here is a detailed instruction on how to get root (Magisk) working: https://sensepost.com/blog/2021/android-application-testing-using-windows-11-and-windows-subsystem-for-android/

New to this field. Can anyone please explain what information can be found by analyzing a SQL database off a phone dump? I've heard of a few tools used such as DB Browser. Any good references to learn up on how to use these tools? Thanks!

slid360
New to this field. Can anyone please explain what information can be found by analyzing a SQL database off a phone dump? I've heard of a few tools used such as DB Browser. Any good references to learn up on how to use these tools? Thanks!
The nutshelled version is that phones tend to store data in SQLite databases. Think of an SQLite database as an Excel 2.0 spreadsheet. When a forensic tool shows you the data from a phone in an easy-to-read format, that is because it has parsed the data out of a database or some other raw format. However, sometimes the app data is not supported by the parsing tool, but the data was still extracted. If you analyze the data directly in the SQL database, you will see the data in its raw form and can find useful evidence. (Think unsupported money transfer apps and distribution cases as one of many examples.) It is also useful to analyze the SQL database for validation purposes on key pieces of evidence to make sure the forensic tool parsed the data correctly. For a much deeper dive into deleted entries in SQL databases that also explains how they work, check out https://dfir.pubpub.org/pub/33vkc2ul/release/1

@Axen Cleaver - log into community.cellebrite.com and click the big orange arrow as if you're going to download Physical Analyzer. Next, there are expandable subdirectories on the pop-up that you typically download PA through. One of those expandable topics is the language pack download. There are other goodies in there as well.

Axen Cleaver 12/29/2021 10:28 AM
@whee30 Yep, it's always something simple and usually obvious that trips me up. Thank you!
Anyone around from @Oxygen Forensics for DM chat about Oxygen Viewer?
ScottKjr3347 12/29/2021 6:20 PM
What have you found to be the best commercial tool for decoding Snapchat warrant returns? I have used both @Cellebrite PA and @Magnet Forensics Axiom, which do a good job but both failed to parse the conversation threads, using most recent releases. RLEAPP did a great job at parsing conversations but having difficulty with displaying the attached media files within the thread...update just found out RLEAPP was updated yesterday...guess I'll update and retry. Any recommendations for other tools? (edited)
ScottKjr3347
What have you found to be the best commercial tool for decoding Snapchat warrant returns? I have used both @Cellebrite PA and @Magnet Forensics Axiom, which do a good job but both failed to parse the conversation threads, using most recent releases. RLEAPP did a great job at parsing conversations but having difficulty with displaying the attached media files within the thread...update just found out RLEAPP was updated yesterday...guess I'll update and retry. Any recommendations for other tools? (edited)
What does the data look like? Is it similar to data that is stored on a phone?
ScottKjr3347
What have you found to be the best commercial tool for decoding Snapchat warrant returns? I have used both @Cellebrite PA and @Magnet Forensics Axiom, which do a good job but both failed to parse the conversation threads, using most recent releases. RLEAPP did a great job at parsing conversations but having difficulty with displaying the attached media files within the thread...update just found out RLEAPP was updated yesterday...guess I'll update and retry. Any recommendations for other tools? (edited)
Hi, I'm Kevin Kyono. I'm a technical sales engineer with MSAB, and this is XRY and XAMN in 5. In ...

ScottKjr3347
What have you found to be the best commercial tool for decoding Snapchat warrant returns? I have used both @Cellebrite PA and @Magnet Forensics Axiom, which do a good job but both failed to parse the conversation threads, using most recent releases. RLEAPP did a great job at parsing conversations but having difficulty with displaying the attached media files within the thread...update just found out RLEAPP was updated yesterday...guess I'll update and retry. Any recommendations for other tools? (edited)
Can you give details on what the image within thread problem is? Thanks!
When looking at “significant locations” from the Local.sqlite database, is it correct to assume that the column “ZLOCATIONHORIZONTALUNCERTAINTY” is referring to the radius measured in meters regarding the accuracy of the location? I think I recall this column being named something with accuracy before.
This may be a rather basic question, but is there a way to detect the presence of malware on a mobile device? I've received a question on whether there is a way to answer someone's claim that someone had "logged onto their device and began searching the images," especially through the use of malware.
Nilandia
This may be a rather basic question, but is there a way to detect the presence of malware on a mobile device? I've received a question on whether there is a way to answer someone's claim that someone had "logged onto their device and began searching the images," especially through the use of malware.
Cellebrite has a way to scan for malware within Physical Analyzer, but I am sure there are other ways as well.
Brigs
Can you give details on what the image within thread problem is? Thanks!
ScottKjr3347 12/30/2021 3:49 PM
Had issues with my workstation. RLEAPP is working, and Snapchat conversations and media are joined as they should be. Thanks for the help!!

Is there someone from @MSAB available for a chat?
florus
Is there someone from @MSAB available for a chat?
Sure, what’s up?
Driving, so can't do text, but can do voice
Evening all, after some clarification around when thumbnail images are created. Is this when an original photo is taken, or a gallery app is opened and the device scans and creates needed thumbnails or does this depend on the handset/android version?
Artea
Evening all, after some clarification around when thumbnail images are created. Is this when an original photo is taken, or a gallery app is opened and the device scans and creates needed thumbnails or does this depend on the handset/android version?
Yes to all and it depends. Thumbnails can be app specific as well. For example VLC thumbnails are different than the native gallery thumbnails, reside in a different directory, and last time I looked they were generated when the app was pointed to a media directory. Like everything else do test and verify for your particular scenario or use case.
peteyesterday 1/2/2022 12:16 AM
@MSAB I used XRY to extract info from a Nokia 110. In the SMS/messages conversation I see an anomaly in the date of the sent messages. Incoming messages have the correct date and time; sent messages have the correct time/day/month but an incorrect year. XRY/XAMN displays the sent and incoming messages in the correct chronological order; the only problem is the incorrect year of the sent messages. Is there an explanation for it? Is it possible to DM me so I can attach redacted examples?
peteyesterday
@MSAB I used XRY to extract info from a Nokia 110. In the SMS/messages conversation I see an anomaly in the date of the sent messages. Incoming messages have the correct date and time; sent messages have the correct time/day/month but an incorrect year. XRY/XAMN displays the sent and incoming messages in the correct chronological order; the only problem is the incorrect year of the sent messages. Is there an explanation for it? Is it possible to DM me so I can attach redacted examples?
The timestamp of sent messages is based on the device's internal clock. The timestamp of incoming messages is based on the GSM network clock and it's always correct. Maybe the user didn't set the correct time and date in the device (it's very common in feature phones) and that's why there is an incorrect year in the sent messages. (edited)

Could be the battery was removed before extraction?
peteyesterday 1/2/2022 6:32 AM
My colleague @florus found the problem. It seems like XRY did not automatically convert the hex value of the date and time to decimal. We used Ufed touch to extract data from the Nokia 110 and the correct date and time were automatically displayed. Thanks for the replies!!

Hey guys, I'm new in this field and currently working on this Telegram self-destruct thing. I can't find the messages that have been destructed in cache4.db; is there any other place that I should be looking?

peteyesterday
My colleague @florus found the problem. It seems like XRY did not automatically convert the hex value of the date and time to decimal. We used Ufed touch to extract data from the Nokia 110 and the correct date and time were automatically displayed. Thanks for the replies!!
This needs some looking into from our part. Could you tell me the more exact phone model of this Nokia 110, so that we can investigate it further, to get this fixed, please?
MSAB_Sofia
This needs some looking into from our part. Could you tell me the more exact phone model of this Nokia 110, so that we can investigate it further, to get this fixed, please?
@peteyesterday

Does anyone have experience with photos getting stored in a folder named photopicker? There is a function named like that on developer.apple.com, but it's not totally clear to me when exactly I use this function and why the photos are stored in a folder named photopicker. Thanks in advance

CCC
Has the phone been restored at all?
Sorry for such a late reply, I've been off over Christmas and am only just back in. I will ask when my colleague is in the office. If it has been, how could this cause the 2021 timestamp?

Can anyone help with exporting an XRY read into a format suitable for Griffeye please?

Catherine
Can anyone help with exporting an XRY read into a format suitable for Griffeye please?
You can export the media out as VICS (with files) and import them into Griffeye for grading.

Artea
You can export the media out as VICS (with files) and import them into Griffeye for grading.
Thanks! I had a feeling it was that, but it's been a while!

ScottKjr3347
What have you found to be the best commercial tool for decoding Snapchat warrant returns? I have used both @Cellebrite PA and @Magnet Forensics Axiom, which do a good job but both failed to parse the conversation threads, using most recent releases. RLEAPP did a great job at parsing conversations but having difficulty with displaying the attached media files within the thread...update just found out RLEAPP was updated yesterday...guess I'll update and retry. Any recommendations for other tools? (edited)
Hi Scott, We are fixing it for the next PA version.
Johnie
When looking at “significant locations” from the Local.sqlite database, is it correct to assume that the column “ZLOCATIONHORIZONTALUNCERTAINTY” is referring to the radius measured in meters regarding the accuracy of the location? I think I recall this column being named something with accuracy before.
CLB_iwhiffin 1/5/2022 4:05 AM
HorizontalUncertainty is what it is called when talking about significant locations or visits. HorizontalAccuracy is what it’s called when talking about the ZRTCLLOCATIONCACHEMO. Best I can tell, the difference is basically that the CacheMO is only defining a single location whereas the significant locations is a group of CacheMO locations aggregated into one rough significant location. If that makes sense.

Has anyone else had issues with enrichment results from Cellebrite coming back with different results? I raised a ticket and was basically told it isn't to be relied upon, which makes me wonder why it is a service in the first place, as location data can be crucial in a lot of high-profile cases...

I don't see anything in the manual about its accuracy, so maybe it should have a disclaimer or similar, as a lot of people joining forensic units may be blissfully unaware.

Just on the back of that, the help article RE location data accuracy on the Cellebrite portal is a bit misleading so I've put a ticket in.
Zhaan
Has anyone else had issues with enrichment results from Cellebrite coming back with different results? I raised a ticket and was basically told it isn't to be relied upon, which makes me wonder why it is a service in the first place, as location data can be crucial in a lot of high-profile cases...
CLB_iwhiffin 1/5/2022 10:14 AM
The BSSID isn't a great artifact anyway (if speaking of iPhones). It often downloads network information for networks miles away from the device at the time. That's nothing to do with the enrichment; that's just how iOS works. If you are talking about networks that were actually connected to, that's much better. But the enrichment data is aging now. We are looking at it. There was a security concern a while ago (not specific to Cellebrite), but that had an effect on all BSSID resolution services.
Avatar
Avatar
K23
Just on the back of that, the help article RE location data accuracy on the Cellebrite portal is a bit misleading so I've put a ticket in.
CLB_iwhiffin 1/5/2022 10:14 AM
Which article are you referring to?
Avatar
Avatar
CLB_iwhiffin
The BSSID isn’t a great artifact anyway (if speaking of iPhones). It often downloads network information for networks miles away from the device at the time. That’s nothing to do with the enrichment, that’s just how iOS works. If you are talking about networks that were actually connected to, that’s much better. But the enrichment data is aging now. We are looking at it. There was a security concern a while ago (not specific to Cellebrite) but that had an effect on all BSSID resolution services.
That may be the case, but it isn’t made clear in any documentation I have seen of its reliability. It was only when I raised a ticket that I was told ‘don’t rely on it’, after submitting enrichment data for the last 2 years! We know the slightly more accurate data comes from the phone itself, but if enrichment is showing its age and the service isn’t to be relied upon, why is it running? (edited)
Avatar
Avatar
Zhaan
That may be the case, but it isn’t made clear in any documentation I have seen of its reliability. It was only when I raised a ticket that I was told ‘don’t rely on it’, after submitting enrichment data for the last 2 years! We know the slightly more accurate data comes from the phone itself, but if enrichment is showing its age and the service isn’t to be relied upon, why is it running? (edited)
CLB_iwhiffin 1/5/2022 10:37 AM
It used to be considered a decent artifact; back before it was realised that it downloads bad locations at the same time as good ones (and with no way to differentiate the two). Also, that was back when the BSSID enrichment was still as up to date as was available. Since then, research has led to better understanding of it. And at the same time, the enrichment data started to go stale. It is still running as we work out how to progress it. But in the meantime, I personally have written about it (http://doubleblak.com/blogPosts.php?id=16) and have done several presentations (including I Beg to DFIR https://www.cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/) which cover it.
In this episode, we are joined by special guests Jared Barnhart & Ian Whiffin to discuss location information as recorded by iOS and Android devices. Location data has been integral to many investigations but there are so many different types of location artifacts that are recorded by a device making it can be challenging to … Continue reading "...
Avatar
Avatar
CLB_iwhiffin
Which article are you referring to?
CLB_iwhiffin 1/5/2022 10:38 AM
Oh yeah. I found it and 100% agree with you.
👍 1
Avatar
Avatar
CLB_iwhiffin
It used to be considered a decent artifact; back before it was realised that it downloads bad locations at the same time as good ones (and with no way to differentiate the two). Also, that was back when the BSSID enrichment was still as up to date as was available. Since then, research has led to better understanding of it. And at the same time, the enrichment data started to go stale. It is still running as we work out how to progress it. But in the meantime, I personally have written about it (http://doubleblak.com/blogPosts.php?id=16) and have done several presentations (including I Beg to DFIR https://www.cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/) which cover it.
I have read a fair few of the blogs, etc., but my point is there is very little in the way of a disclaimer in the PA manual, Cellebrite courses, etc. If, as you say, it’s been like this for some time, why isn’t it documented more clearly like it used to be in the older UFDR reports?
Avatar
Avatar
Zhaan
I have read a fair few of the blogs, etc., but my point is there is very little in the way of a disclaimer in the PA manual, Cellebrite courses, etc. If, as you say, it’s been like this for some time, why isn’t it documented more clearly like it used to be in the older UFDR reports?
CLB_iwhiffin 1/5/2022 11:10 AM
I have no good answer for that. It should be clearer. We are working on it is all I can say and it will be better in the future one way or another.
Avatar
Avatar
CLB_iwhiffin
I have no good answer for that. It should be clearer. We are working on it is all I can say and it will be better in the future one way or another.
And I appreciate any answer, especially from the horse's mouth! My point is we all know, no matter what the source, that GPS/location data can be very accurate or suddenly plop you in an ocean miles away from your route, but I wish a single bold red line could be put in a PA manual or with the location data in the UFDR stating something along the lines of ‘this stuff is accurate on a good day but may be very inaccurate on a bad day, look for alternative sources to corroborate your results’…
Avatar
Avatar
CLB_iwhiffin
Oh yeah. I found it and 100% agree with you.
Yep this was the one: https://community.cellebrite.com/s/article/How-to-Identify-if-a-Certain-Location-is-Accurate-Meaning-the-Device-Was-at-the-Designated-Coordinates Support have messaged the author to discuss so hopefully that gets changed - readers taking the fact that GPS co-ordinates in a database = the handset was definitely at that location seems pretty dangerous!
Avatar
@MSAB Hi, I have trouble importing UFDR into XRY. I tried the import UFDR feature but nothing is parsed. Does it not work anymore?
Avatar
Avatar
Dam
@MSAB Hi, I have trouble importing UFDR into XRY. I tried the import UFDR feature but nothing is parsed. Does it not work anymore?
We have a public holiday in Sweden today, if you could send the log as well as what version of UFED it was created with we’ll have a look and get back to you as soon as we are able to!
👍 1
Avatar
@Cellebrite Anyone around for a chat?
📩 1
Avatar
Hi all. I asked this before Christmas but didn't get much of a reply, and a work colleague is still stumped: a work colleague has an iPhone 6 acquisition open here and has found a conflicting date/time stamp for an SMS message. The acquisition was completed in 2018. We have a deleted SMS showing in PA with a date/time stamp of 2016, but also the same message showing a date/time stamp of 2021 (both pointing to SMS.db). Opening in XAMN, we see the entry but only with a 2021 date/time stamp. Any ideas what is going on here?
5:08 AM
The older version of PA used (7.27) shows this as a "deleted message", whereas the current version doesn't show this as a message. But the 7.27 version of the data was the data supplied to CPS. (edited)
Avatar
The message has an account guid that is incomplete by one number, so our assumption is that the decode hasn't found the end of the guid and is thinking the next part is a date when it actually isn't.
Avatar
Does the 2021 timestamp match up to it being processed? i.e. re-examined?
Avatar
No, all examinations were done 2016/2018
Avatar
So the 2021 doesn't match up to any examination work?
Avatar
Avatar
Rob
So the 2021 doesn't match up to any examination work?
Nope, none at all.
Avatar
Avatar
Artea
Nope, none at all.
Anything on the phone with the same 2021 timestamp or is it the only one (nothing else 2021) (edited)
Avatar
From what I have been told, it's only that. I can double check when colleague returns from lunch
Avatar
Avatar
Artea
Hi all. I asked this before Christmas but didn't get much of a reply, and a work colleague is still stumped: a work colleague has an iPhone 6 acquisition open here and has found a conflicting date/time stamp for an SMS message. The acquisition was completed in 2018. We have a deleted SMS showing in PA with a date/time stamp of 2016, but also the same message showing a date/time stamp of 2021 (both pointing to SMS.db). Opening in XAMN, we see the entry but only with a 2021 date/time stamp. Any ideas what is going on here?
What is the OS version ?
7:20 AM
from iOS 11 there were some changes in the timestamps for imessage / sms
7:20 AM
This is going to be a series of blog posts due to the limited amount of free time I have to allocate to the proper research and writing of an all-inclusive blog post on iOS 11. More work is needed …
7:22 AM
Better to look manually in the DB
Avatar
Avatar
Artea
From what I have been told, it's only that. I can double check when colleague returns from lunch
what is the value of the incorrect timestamp in the db?
Avatar
Avatar
Dam
What is the OS version ?
OS version was 10.2
Avatar
Avatar
florus
what is the value of the incorrect timestamp in the db?
Not converted, it's "648100159"
7:40 AM
Also the "message read" time shows as 06/03/2001 20:38:33
Avatar
Friday, 16 July 2021 the timestamp?
7:42 AM
Using that, I get that 2021 timestamp
Avatar
Yeah the message received date is the one causing the issue and is 2021, there is also a message read timestamp of 2001.
Avatar
Compare the source files for the 2021 and 2016 one
Avatar
hm and the extraction was made in 2016?
Avatar
Strikes me as 2016 being accurate.
7:44 AM
And 2021 a decoding issue
Avatar
Avatar
florus
hm and the extraction was made in 2016?
Yup
Avatar
Avatar
Rob
And 2021 a decoding issue
This is our thought so far. Was just looking for clarification
Avatar
Scratch what I just said then regarding 2016.
Avatar
Avatar
Artea
This is our thought so far. Was just looking for clarification
and 2016 seems logical?
Avatar
CLB-drorimon 1/6/2022 7:57 AM
I would re-emphasize that recovered deleted data should be validated, as there might be false-positive hits.
Avatar
Really great read on the Android 12 changes to XML and the implementation of ABX, coding has already been put into ALEAPP thanks to @Brigs https://t.co/TjpPd9xG3e
On Android 12, a new challenger approaches in the form of a new file format that is replacing XML data in a number of key artefacts. In this blog, Principal Analyst Alex Caithness explains the new ‘ABX’ format, provides open-source code for reading the data and emphasises the importance of collaboration in the digital forensics community.
android3 4
😁 1
Avatar
Avatar
stark4n6
Really great read on the Android 12 changes to XML and the implementation of ABX, coding has already been put into ALEAPP thanks to @Brigs https://t.co/TjpPd9xG3e
CLB-drorimon 1/6/2022 8:13 AM
ABX support also in PA 7.52
👍 1
Avatar
Avatar
CLB-drorimon
ABX support also in PA 7.52
good to know, is there a release date for that?
Avatar
Avatar
stark4n6
good to know, is there a release date for that?
CLB-drorimon 1/6/2022 8:23 AM
Not official date yet, but it's in the oven.
🧑‍🍳 2
🍪 1
Avatar
Avatar
Artea
The older version of PA used (7.27) shows this as a "deleted message", whereas the current version doesn't show this as a message. But the 7.27 version of the data was the data supplied to CPS. (edited)
Not sure if it is related, but there was a nationally known issue with Cellebrite in relation to decoding of deleted SMS messages on iPhone 6's which was fixed in PA7.16, affecting versions prior to that. 7.16 was released back in 2019, so an older version must have been used to carry out the original extraction on your case back in 2018. I can email over the details but not sure how helpful it will be as the circumstances are slightly different.
Avatar
Hello, was wondering if anyone could help with this file path. I have videos from the tmp location of the Telegram app. From what I've been able to read, files will end up here if they've been opened in the application. Sadly we don't have the corresponding messages from the created date, but the user would have been aware of them on the date. Don't know if anyone has encountered it before.
8:38 AM
Private\var\mobile\containers\data\application\xxxxcxxxtelegramappid\tmp\xxxxxxxxfolderid\telegram_video.mp4
8:38 AM
Sorry, it's an iPhone Pro Max
Avatar
Thanks for all your input on this. I'll pass everything along tomorrow and will come back with any further questions etc. Appreciate it people.
Avatar
Axen Cleaver 1/6/2022 11:27 AM
Anyone know a particular reason that GrayKey wouldn't extract iMessages on a Full File System? iPhone 12 Pro Max, iOS 15.1.1 parsed in PA and Axiom
11:28 AM
I'm looking at the messages on the phone (Consent with PIN) but they aren't in the extraction. Not even the database.
Avatar
FYI - @Magnet Forensics is collecting info on a possible issue affecting AirDrop artifacts on iOS devices running 15.XX. If anyone is having issues with Axiom PROCESS & EXAMINE parsing AirDrop artifacts on iOS 15.XX, please DM me so I can add your specific device info to our open ticket. TY
Arcain pinned a message to this channel. 1/6/2022 11:38 AM
Avatar
Avatar
Axen Cleaver
I'm looking at the messages on the phone (Consent with PIN) but they aren't in the extraction. Not even the database.
Did you close the AXIOM extraction and open it again? There is a bug and sometimes the artifacts don’t show until you reopen it.
12:06 PM
The times I’ve noticed it, it was A LOT of artifacts missing though.
Avatar
Avatar
Joe Schmoe
Did you close the AXIOM extraction and open it again? There is a bug and sometimes the artifacts don’t show until you reopen it.
Axen Cleaver 1/6/2022 12:24 PM
I'll try that, but it's missing from both Physical Analyzer and Axiom.
Avatar
ScottKjr3347 1/6/2022 7:28 PM
Little fyi…I’ve been using @Cellebrite PA Ultra aka PA8 via design partner program & wanted to share a success. PA Ultra did a fantastic job detecting & parsing all of the iCloud Production Warrant Return to include the encrypted device backups! PA 7 took 5 hrs to decode PA Ultra took 2hrs.
👌 1
Avatar
Hope you shared the feedback in DPP 🙂
7:31 PM
For anyone interested in joining up, let me know. I'm heading up the program.
👍 1
Avatar
Avatar
CLB-Paul
For anyone interested in joining up, let me know. I'm heading up the program.
ScottKjr3347 1/6/2022 7:53 PM
Not yet, but I will. Wanted to get logs from both. Top of the list for Monday.
Salute 1
Avatar
Is there any way to know when an iPhone setup/installation finished? I can’t find the info in the purplebuddy; it doesn’t contain as much as it usually does. It’s an AFU extraction of an iPhone 12 mini.
Avatar
Avatar
Catherine
Thanks! i had a feeling it was that but its been a while!
@Catherine when you jump back into it today let me know if you need any help getting a jump start on your work in Analyze.
Avatar
Avatar
Arlakossan
Is there any way to know when an iPhone setup/installation finished? I can’t find the info in the purplebuddy; it doesn’t contain as much as it usually does. It’s an AFU extraction of an iPhone 12 mini.
CLB_iwhiffin 1/7/2022 5:10 AM
There are a few possibilities listed here: https://www.cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/ Hopefully one of them will be good for you
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
Avatar
Avatar
ccbdub
Hello, was wondering if anyone could help with this file path. I have videos from the tmp location of the Telegram app. From what I've been able to read, files will end up here if they've been opened in the application. Sadly we don't have the corresponding messages from the created date, but the user would have been aware of them on the date. Don't know if anyone has encountered it before.
Have you opened the Telegram DB and tried to recover deleted entries? A few it's and bits, but better than nothing
Avatar
@Dfdan thanks for the reply dfdan. The iPhone was examined with Axiom version 5.8, and also Cellebrite, but no messages from that time were retrieved by Axiom or Cellebrite. Axiom retrieved a little more but not what we're looking for, so bar that I haven't made any specific efforts to recover messages. Can you recommend any programs to try on the Telegram DB?
Avatar
Hello everyone! And first of all my wonderful in this new year to this great community. I am analyzing a "disposable" phone (iPhone 7 with iOS 13.3). A photo is very interesting and depending on the date (I have presumptions about this fact). I obviously analyzed Photos.sqlite. But some column titles disturb me. I read a lot of things but nothing as specific as I need. The photo is from 2017. The phone was initialized in June 2020. I have a "transaction" date (atransaction table) in July 2020. I have an import date (zcloudmaster table) and finally I have a date of last modification in September 2020. What interests me is the date of "transaction". What does this value correspond to? (last import in the cloud) I specify that the main iCloud account was filled in in July 2020.
Avatar
@Cellebrite @MSAB Hi, I have a Samsung Galaxy A515F FFS extraction. Both PA and XRY don't decode the Signal app. I have another file containing the Android Keystore (this file contains the key for Signal). Is there a way to use this key in PA or XRY?
Avatar
@Cellebrite Anyone about for an urgent PA question, or if anyone knows here: if I have an extraction on a HDD and have processed it in PA, and I pull the HDD out, will PA continue to be happy?
Avatar
CLB-drorimon 1/10/2022 1:58 AM
No
Avatar
Will it close or ask for the source to be re-inserted?
1:58 AM
I've copied the extraction locally, so hoping I can just re-point it to that ideally.
Avatar
CLB-drorimon 1/10/2022 1:59 AM
The analyzed data will remain, but you won't be able to view files or generate reports.
Avatar
Avatar
Rob
I've copied the extraction locally, so hoping I can just re-point it to that ideally.
CLB-drorimon 1/10/2022 1:59 AM
It won't work. Sorry.
👍 1
Avatar
I'll keep the HDD plugged in then ta
Avatar
Avatar
Dam
@Cellebrite @MSAB Hi, I have a Samsung Galaxy A515F FFS extraction. Both PA and XRY don't decode the Signal app. I have another file containing the Android Keystore (this file contains the key for Signal). Is there a way to use this key in PA or XRY?
PA 7.52 will support it for extractions that will be conducted with Premium ES and UFED's next version (all should be released in the next couple of weeks). DMing you to see if we can help in the meanwhile with the extraction you have in hand.
Avatar
Hello! Regarding iOS, anyone know which logs / databases keep track of when the device is turned on / off by the user? I'm not looking for a shutdown triggered by an empty battery.. 🙂
Avatar
Avatar
dpaeno
Hello! Regarding iOS, anyone know which logs / databases keep track of when the device is turned on / off by the user? I'm not looking for a shutdown triggered by an empty battery.. 🙂
did you check the knowledgeC ?
Avatar
fastest way is to use Artex against the FFS extraction of your iOS. You need FFS extraction
💯 2
Avatar
I'm looking for iPhone lockscreen and wallpaper artifacts, is anyone aware of locations other than the following of where these may be stored? iOS 14.x btw /private/var/mobile/Library/SpringBoard/HomeBackgroundThumbnail.jpg /private/var/mobile/Library/SpringBoard/LockBackgroundThumnail.jpg
Avatar
anyone from @Cellebrite available to help me on this
4:25 AM
This is from a manual Huawei backup vendor dump
Avatar
Avatar
Dam
fastest way is to use Artex against the FFS extraction of your iOS. You need FFS extraction
Thanks. Artex - open source? Do you know which database it gathers data from?
Avatar
Avatar
dpaeno
Thanks. Artex - open source? Do you know which database it gathers data from?
6:32 AM
It can parse many useful databases
Avatar
Mr. Eddie Vedder from Accounting 1/11/2022 7:47 AM
Can someone from @Magnet Forensics send me a DM.
Avatar
@Mr. Eddie Vedder from Accounting did anyone DM you if not please let me know...
Avatar
Mr. Eddie Vedder from Accounting 1/11/2022 3:57 PM
@Jamey Thanks @Tim F messaged me.
Avatar
OK thanks
Avatar
@MSAB How do I export a decrypted image of my Exynos extraction? The .bin I got from datasources doesn't seem to contain the same info compared to the XAMN case.
Avatar
I'm afraid that you can't get a decrypted binary, if this is a dump from a FBE phone. The encryption is on file level, so any deleted file will still be encrypted in the binary we get.
Avatar
Avatar
OggE
@MSAB How do I export a decrypted image of my Exynos extraction? The .bin I got from datasources doesn't seem to contain the same info compared to the XAMN case.
If you want to decode it with a different tool, you'll have to export the filesystem to a directory/archive and then parse it. Can be done, but takes a while, and may require some tweaking at times to do (edited)
XRY 1
💯 1
🤯 1
Avatar
Hello fellow forensicators, would anybody know of an updated resource for the latest developments in parsing the sysdiagnose dumps from iOS?
Avatar
Hi. I'm having a strange problem. Extracted a Samsung M31 (SM-M315F) with 4PC, obtaining a Full FS. Now analyzing with P.A., everything works as usual except that WhatsApp media (voice notes etc.) are not linked to the corresponding chat. Any idea?
Avatar
Avatar
FabianoQ
Hi. I'm having a strange problem. Extracted a Samsung M31 (SM-M315F) with 4PC, obtaining a Full FS. Now analyzing with P.A., everything works as usual except that WhatsApp media (voice notes etc.) are not linked to the corresponding chat. Any idea?
Deleted User 1/12/2022 10:59 PM
I think you can try the PA beta 7.52.
Avatar
Avatar
CLB-ChenK
PA 7.52 will support it for extractions that will be conducted with Premium ES and UFED's next version (all should be released in the next couple of weeks). DMing you to see if we can help in the meanwhile with the extraction you have in hand.
Sorry if I ask a stupid question, what is "Premium ES"?
Avatar
@Cellebrite Hi, I have two FFS extractions of two different iPhones. One called the other using WhatsApp. I can see that the outgoing call is 00:00 min and rejected, but in the other phone the incoming call is 14:00 min. I looked at the callhistory.sqlite from WhatsApp and the call is outgoing and for 14:00 min. I can also see that information in the WAL (the WAL file indicates that information in PA but as deleted, which is normal for a WAL file), but the callhistory.sqlite has a problem when parsed. The same occurred during another phone call. But for the second phone call it's the other iPhone that is outgoing and shows as 00:00 min. The database is correct. It seems to be a parsing problem...
Avatar
@Griffeye is there a known issue where Griffeye shows files in the Spotify cache even when they are not there?
Avatar
Has anyone had Griffeye products from Eurofins ? If so please dm me
Avatar
Avatar
FabianoQ
Sorry if I ask a stupid question, what is "Premium ES"?
CLB-dan.techcrime 1/13/2022 1:03 AM
Ciao @FabianoQ , Premium ES is a new solution we are rolling out that consists of a central server at the agency containing all of the sensitive assets to which multiple endpoints running a client similar to UFED can connect to allow unlocking and extraction of mobile devices
Avatar
Still LE only?
Avatar
Avatar
FabianoQ
Still LE only?
CLB-dan.techcrime 1/13/2022 1:28 AM
Correct, law enforcement only
1:29 AM
We also offer Cellebrite Mobile Elite to corporations and service providers which allows the fullest extractions possible, without unlocking features
Avatar
Avatar
King Pepsi
@Griffeye is there a known issue where Griffeye shows files in the Spotify cache even when they are not there?
Hello! What are the results of the ingestion in Analyze for this area? Are you seeing things consistent with album art in this cache location? Processing for example other music service apps have shown album cover art that can end up in Analyze processed results following an import from your favorite tool. Or are you seeing something really different?
Avatar
Avatar
CLB-dan.techcrime
We also offer Cellebrite Mobile Elite to corporations and service providers which allows the fullest extractions possible, without unlocking features
You mean this edition (Mobile Elite) offers full FS or physical extraction (given that you know unlock code) on models that 4pc can only do an advanced logical?
Avatar
I have a physical extraction from a Samsung Galaxy J1 mini prime J106F. Is there any way I could locate the passcode that was on the device from the extraction?
Avatar
@Chris look for key files in /data/system. Maybe it did not use gatekeeper yet, or it was hw-backed and can be bruteforced (edited)
Avatar
Avatar
FabianoQ
You mean this edition (Mobile Elite) offers full FS or physical extraction (given that you know unlock code) on models that 4pc can only do an advanced logical?
CLB-dan.techcrime 1/13/2022 2:19 AM
Correct... I'll DM you
Avatar
Avatar
Arcain
@Chris look for key files in /data/system. Maybe it did not use gatekeeper yet, or it was hw-backed and can be bruteforced (edited)
Thanks! Found it 😊
Avatar
Avatar
ByteSweep
Hello! What are the results of the ingestion in Analyze for this area? Are you seeing things consistent with album art in this cache location? Processing for example other music service apps have shown album cover art that can end up in Analyze processed results following an import from your favorite tool. Or are you seeing something really different?
I am seeing the child abuse in the Spotify cache, yet this is not in the Cellebrite or XRY decode - I do know that when I took this one over, Griffeye was pointed at the binary extraction of the phone, NOT vics of any other export
Avatar
Avatar
King Pepsi
I am seeing the child abuse in the Spotify cache, yet this is not in the Cellebrite or XRY decode - I do know that when I took this one over, Griffeye was pointed at the binary extraction of the phone, NOT vics of any other export
This is an interesting situation here. With the detection of the CSAM material it does provide an indicator that you are on to something. Pointing at the binary may not be providing you with the most exacting results.
Avatar
Avatar
King Pepsi
I am seeing the child abuse in the Spotify cache, yet this is not in the Cellebrite or XRY decode - I do know that when I took this one over, Griffeye was pointed at the binary extraction of the phone, NOT vics of any other export
Here is what I would do in this situation. First I would export those files to a directory to hold on to. They may not be indicating in the right area as the binary pointing is not ideal.
2:35 AM
That way you “have them” and can refer back in a new processing. Second, tag them as appropriate and store those results in your GID; your GID will hold the hash data among other things and in a new processing will point them back to you.
Avatar
Avatar
ByteSweep
Here is what I would do in this situation. First I would export those files to a directory to hold on to. They may not be indicating in the right area as the binary pointing is not ideal.
Second I would create a fresh new case. Archive the current case for safe keeping until the second one is done and you have located the material again. Being a phone extract it should not take that long. Go back to your initial processing tool and export out a VICs of the media.
Avatar
Avatar
King Pepsi
I am seeing the child abuse in the Spotify cache, yet this is not in the Cellebrite or XRY decode - I do know that when I took this one over, Griffeye was pointed at the binary extraction of the phone, NOT vics of any other export
I apologize I had a string of these messages. Let’s talk by DM here
kape 3
Avatar
@Law Enforcement [UK] Anyone got a list of all possible 6 digit pins?
5:09 AM
*just numbers
Avatar
Sorted in terms of likelihood?
5:10 AM
Or just consecutive?
Avatar
Random please
Avatar
Avatar
OllieD
Sorted in terms of likelihood?
Either works, likelihood probably would work best but I'll take any 😄 (edited)
Avatar
Can anyone explain the lock state history from iOS devices please. Just want to be sure I am correct in what I'm saying
Avatar
Avatar
OllieD
Sorted in terms of likelihood?
If you have, could I also have a copy of this? 🙂
Avatar
Avatar
Rob
@Law Enforcement [UK] Anyone got a list of all possible 6 digit pins?
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, pas...
Avatar
Avatar
stephenie
Can anyone explain the lock state history from iOS devices please. Just want to be sure I am correct in what I'm saying
CLB_iwhiffin 1/13/2022 6:34 AM
Are you referring to the record in KnowledgeC? If so: if isLocked = 0 then the device was unlocked. And if isLocked = 1 then it was locked. If you are referring to something else, can you give more detail?
Avatar
Avatar
CLB_iwhiffin
Are you referring to the record in KnowledgeC? If so: if isLocked = 0 then the device was unlocked. And if isLocked = 1 then it was locked. If you are referring to something else, can you give more detail?
That's what I thought and it is from the Knowledge C. It was more the fact it has 3 days of it being unlocked at a time which seems long I guess. Thanks @CLB_iwhiffin (edited)
Avatar
found in the UFED trace window: "Suspicious WhatsApp path" - what's suspicious mean in this context do you think?
Avatar
Avatar
Rob
@Law Enforcement [UK] Anyone got a list of all possible 6 digit pins?
If it helps here is a snippet of code to help you with that:
six_digit_range = range(1000000)
for number in six_digit_range:
    # zero-pad so that 0 is written as 000000 and every line is a six-digit PIN
    print(f"{number:06d}")
Salute 1
Avatar
Avatar
Rob
@Law Enforcement [UK] Anyone got a list of all possible 6 digit pins?
A smaller example to show the results from beginning to end would be something like:
six_digit_range = range(100)
for number in six_digit_range:
    # same zero-padding as the full run, so the output lines look like 000000 ... 000099
    print(f"{number:06d}")
You can then save out the contents of your console to get your results in a .TXT file
Avatar
Any suggestion for a good tool/utility to read and parse JTAG NAND Dumps from a Riff Box II? I have 2 very old phones in a case (HTC G1 Dream) & (Kyocera S3015 Brio). The HTC is running Android 1.6 & the Kyocera is running BREW. Can’t get Cellebrite, Oxygen, Paraben, Autopsy, etc. to parse/decode the FS . Would FinalMobile work?
Avatar
Hi guys, I am currently analyzing a few iOS devices (iPhones and iPads) in a CSAM case. I can see plenty of relevant thumbnails in two different folders on an iPhone 5 (iOS 7.0.4) and on an iPad Air (iOS 10.3.3):
  • /private/var/mobile/Media/PhotoData/Thumbnails/
  • /private/var/mobile/Media/PhotoData/Thumbnails/V2/ Examples of such files are:
/private/var/mobile/Media/PhotoData/Thumbnails/V2/DCIM/106APPLE/IMG_6866.JPEG/5005.JPG /private/var/mobile/Media/PhotoData/Thumbnails/3305.ithmb/thumb_2297.bmp On another device (iPhone 11 Pro Max with iOS 14.6) I can see an additional thumbnail folder located under:
  • /private/var/mobile/Media/PhotoData/Thumbnails/V2/PhotoData/CPLAssets/ Example of such a file is:
/private/var/mobile/Media/PhotoData/Thumbnails/V2/PhotoData/CPLAssets/group100/5061BDB6-98ED-40FE-8E2D-6B33477DF853.JPG/5005.JPG What is actually the difference between those three folders? When do thumbnails land up in "/Thumbnails/" when do they land up in "/Thumbnails/V2/" and when do they land up in "/Thumbnails/V2/PhotoData/CPLAssets/"? Has anyone already done any research on that? Thanks for any help!
Avatar
Avatar
goofycom
Hi guys, I am currently analyzing a few iOS devices (iPhones and iPads) in a CSAM case. I can see plenty of relevant thumbnails in two different folders on an iPhone 5 (iOS 7.0.4) and on an iPad Air (iOS 10.3.3):
  • /private/var/mobile/Media/PhotoData/Thumbnails/
  • /private/var/mobile/Media/PhotoData/Thumbnails/V2/ Examples of such files are:
/private/var/mobile/Media/PhotoData/Thumbnails/V2/DCIM/106APPLE/IMG_6866.JPEG/5005.JPG /private/var/mobile/Media/PhotoData/Thumbnails/3305.ithmb/thumb_2297.bmp On another device (iPhone 11 Pro Max with iOS 14.6) I can see an additional thumbnail folder located under:
  • /private/var/mobile/Media/PhotoData/Thumbnails/V2/PhotoData/CPLAssets/ Example of such a file is:
/private/var/mobile/Media/PhotoData/Thumbnails/V2/PhotoData/CPLAssets/group100/5061BDB6-98ED-40FE-8E2D-6B33477DF853.JPG/5005.JPG What is actually the difference between those three folders? When do thumbnails land up in "/Thumbnails/" when do they land up in "/Thumbnails/V2/" and when do they land up in "/Thumbnails/V2/PhotoData/CPLAssets/"? Has anyone already done any research on that? Thanks for any help!
Hello, currently I'm dealing with an iPhone on iOS 13.3.1 where I found the following location. iPhone/var/mobile/Media/PhotoData/Thumbnails/V2/Photo...
👍🏽 1
🥰 1
Avatar
Thanks to @jjh2320 for the research and code. Implemented in ALEAPP. https://twitter.com/AlexisBrignoni/status/1482814615239208964?s=20 (edited)
New #Android #DFIR artifact in #ALEAPP: Apps Lock & File Encryption — GOLD version 🔐 Access app encrypted media 🔐 Encrypted on timestamp 🔐 Playground vault bundle ID 🔐 Credit to .@4n6chewtoy & Michael Tussaud. Check the blogpost here: https://t.co/PJeV0vkutp
😍 2
Avatar
Avatar
whee30
Found in the UFED trace window: "Suspicious WhatsApp path" - what does "suspicious" mean in this context, do you think?
CLB-drorimon 1/17/2022 12:54 AM
It means it found WhatsApp related folders in an unexpected path. PA will try and decode it anyway. If you can't see any following warnings in the log, the decoding should be successful. Please DM the path, see if we can reason it out.
Avatar
Does anyone have any tips on decrypting Signal Messenger databases? I've now got a full file system following an initial userdata extraction and was hoping to find something juicy in the Android Keystore that differed to the entries seen previously in the UD extraction. AXIOM seems to suggest that the DB can be decrypted with the correct Keystore value, but it doesn't provide much detail and it's not something I've done before. Any advice would be much appreciated! Also, I have found multiple _SignalSecret entries; not certain which to use or if these are indeed what I'm after. (edited)
📫 2
Avatar
Hello! Maybe someone has some info about iPhones. I need to find out whether an iPhone was password locked or not on an exact day, and when the password was set on the iPhone. Can I find this on the iPhone? (edited)
Avatar
Hello all - looking for some advice. I've got a full filesystem extraction of a Samsung Galaxy S8. There are videos of interest from /data/knox/sdcard/150... they are all decent sizes, however none of them will play and there are no thumbnails. I've tried various pieces of software but no success. Has PA not properly decrypted the secure folder? Anything I can do to get these working? Many thanks.
📬 1
Avatar
4n6\xC0FFE3 1/17/2022 11:30 AM
Hi all, does anyone have any suggestions or solutions for extracting email content from HxStore.hxd files in an iOS extraction?
Avatar
Avatar
Pixel
Hello all - looking for some advice. I've got a full filesystem extraction of a Samsung Galaxy S8. There are videos of interest from /data/knox/sdcard/150... they are all decent sizes, however none of them will play and there are no thumbnails. I've tried various pieces of software but no success. Has PA not properly decrypted the secure folder? Anything I can do to get these working? Many thanks.
Check the entropy and header of the files. Do they look encrypted?
Avatar
Hi, I’ve been asked whether photos that are in the deleted album on an iPhone can be automatically deleted; does anyone know of any ways?
Avatar
@King Pepsi The Recently Deleted items on an iOS device are normally automatically deleted "permanently" after 30 days if memory serves me right; not sure of any other automatic deletion!
Avatar
Yeah, I thought that was the case. As to how they got there, I don’t know of any auto-deletion apps or methods. Thanks!
WatchingYou 1
Avatar
theAtropos4n6 1/18/2022 3:52 AM
@King Pepsi You can manually check the photos.sqlite database to check when these files were trashed/recently deleted. If these files have the exact same date and time of deletion, it can either indicate that such an app was used or that user marked several photos for deletion at once. Examining the deletion date will help you evaluate the deletion. If you want to skip the manual part, iLEAPP can parse this db for you. https://github.com/abrignoni/iLEAPP (edited)
iOS Logs, Events, And Plist Parser. Contribute to abrignoni/iLEAPP development by creating an account on GitHub.
Avatar
Thank you for that, I’ll have to take a look at that one!
Avatar
@Cellebrite Is there a known bug in the latest version of PA that fails to show images and videos in a standalone report? (edited)
📬 1
Avatar
@Cellebrite in the new version, is there support for Samsung Galaxy A31 (SM-A315G/DS) with MTK6768?
Avatar
Avatar
fferreira
@Cellebrite in the new version, is there support for Samsung Galaxy A31 (SM-A315G/DS) with MTK6768?
Only for logical and apk downgrade
Avatar
Avatar
bypx
Only for logical and apk downgrade
Thank you. What about the new upcoming version?
8:43 AM
UFED 7.52?
Avatar
@fferreira I think it should be supported in the next one (the one after 7.52), depending on the SPL you have on it, for FFS if unlocked
Avatar
Avatar
sh4ka
@fferreira I think it should be supported in the next one (the one after 7.52), depending on the SPL you have on it, for FFS if unlocked
It is unlocked, yes. Thank you
Avatar
Is there anyone well versed in analyzing sysdiagnose from iOS devices that I can ask a couple of questions? Please DM me!
Avatar
Avatar
ChutzpahAI
Is there anyone well versed in analyzing sysdiagnose from iOS devices that I can ask a couple of questions? Please DM me!
@Mattia Epifani
Avatar
I have a problem generating the report. I get a message that says "report generated with errors" but no reasons are given for the error. The problem also happens with the new version of Physical Analyzer.
1:47 AM
@Cellebrite
1:48 AM
Avatar
CLB-drorimon 1/20/2022 2:31 AM
Best to approach Support with the log files.
Avatar
Hello all - could anyone shed some light on the following file path, please? It is: private/var/mobile/containers/shared/appgroup/UUID/file provider storage/photospicker. Thank you.
Avatar
4JSN6🇬🇧 1/20/2022 5:48 AM
Has anyone had any issues decoding data from ‘Yubo’? Data is stored in a realm database and is viewable in PA. Won’t decode though. Tried AXIOM and XRY also. No luck. (edited)
Avatar
Avatar
manuelevlr
I have a problem generating the report. I get a message that says "report generated with errors" but no reasons are given for the error. The problem also happens with the new version of Physical Analyzer.
chrisforensic 1/20/2022 6:08 AM
Did you check if the destination path for your report is set right? I had the same problem, because a path was given that did not exist 😉 (edited)
Avatar
Avatar
chrisforensic
Did you check if the destination path for your report is set right? I had the same problem, because a path was given that did not exist 😉 (edited)
No, this is not the case. The strange thing is that the report is generated and opens regularly.
Avatar
Avatar
manuelevlr
No, this is not the case. The strange thing is that the report is generated and opens regularly.
How long is the path you're trying to save it to?
Avatar
@Cellebrite Having issues with PA. No Kik chat timestamps in the reports if the messages happened after 12/31/2021. Anyone else seeing the same? (edited)
Avatar
Avatar
Brigs
@Cellebrite Having issues with PA. No Kik chat timestamps in the reports if the messages happened after 12/31/2021. Anyone else seeing the same? (edited)
CLB-drorimon 1/20/2022 11:57 AM
Which PA version is it? PA 7.52 is just out.
Avatar
@Magnet Forensics Looking for help on how to best optimize Axiom. It took 6.5 hrs. to ingest an iPhone XR! I don't think it's the specs of my machine as it's fairly powerful. Any help would be greatly appreciated
Avatar
Avatar
CLB-drorimon
Which PA version is it? PA 7.52 is just out.
We are testing the new one right now. Waiting on results. The lack of dates is true for all the previous versions.
👍 1
Avatar
Avatar
Brigs
We are testing the new one right now. Waiting on results. The lack of dates is true for all the previous versions.
PA 7.52.0.36 parses correctly.
👍 5
Avatar
Avatar
Pixel
Hello all - could anyone shed some light on the following file path, please? It is: private/var/mobile/containers/shared/appgroup/UUID/file provider storage/photospicker. Thank you.
ScottKjr3347 1/20/2022 5:09 PM
This has moved to the top of my list to test. But here is a link to Apple developer info that talks about it. https://developer.apple.com/videos/play/wwdc2020/10652/ Basically it’s an Apple application that can be used by third party apps to access the Photos application (com.apple.mobileslideshow) so files can be shared via the third party apps. I’ve done limited testing for some other research but more work needs to be done. Appears some cache files may exist in the photopicker areas even after the files have been deleted from the Photos app. Again, just preliminary, but if anyone else has or is testing this please DM me so we can share findings.
Let people select photos and videos to use in your app without requiring full Photo Library access. Discover how the PHPicker API for iOS...
Avatar
Avatar
stps358
@Magnet Forensics Looking for help on how to best optimize Axiom. It took 6.5 hrs. to ingest an iPhone XR! I don't think it's the specs of my machine as it's fairly powerful. Any help would be greatly appreciated
sending a DM
Avatar
Avatar
Jamey
sending a DM
Would love to have any documentation on the topic as well. Thanks!
Avatar
Avatar
Jamey
sending a DM
4JSN6🇬🇧 1/21/2022 1:22 AM
Any additional information would be greatly appreciated from me too.
Avatar
I have a case with several hidden calculator vaults. The device is a Samsung Galaxy S10 and I have a FFS extraction. The apps are Photo Vault (enchantedcloud.com) and Locked Calculator (com.lkd.calculator). Axiom has identified the PIN and we can access these vaults on the device and can view on the device. In the case of the enchantedcloud vault UFED has recovered these, albeit in an encrypted state. Can anybody assist with a method for getting these in a decrypted state from the recovered files? Trying to avoid having to recover these out from the vault on the suspect device in order to recover them in a viewable format in UFED.
Avatar
Avatar
4JSN6🇬🇧
Any additional information would be greatly appreciated from me too.
here too 😁 (edited)
Avatar
@Cellebrite Anyone from Cellebrite having time for a quick question
📬 1
Avatar
Avatar
bigsi
I have a case with several hidden calculator vaults. The device is a Samsung Galaxy S10 and I have a FFS extraction. The apps are Photo Vault (enchantedcloud.com) and Locked Calculator (com.lkd.calculator). Axiom has identified the PIN and we can access these vaults on the device and can view on the device. In the case of the enchantedcloud vault UFED has recovered these, albeit in an encrypted state. Can anybody assist with a method for getting these in a decrypted state from the recovered files? Trying to avoid having to recover these out from the vault on the suspect device in order to recover them in a viewable format in UFED.
I've made some scripts that decrypt the files. But it was 2-3 years ago. At that time the key was hardcoded into the application. I can take a quick look into it.
5:25 AM
What version of Photo Vault (enchantedcloud.com) ?
Avatar
Avatar
.karate.
What version of Photo Vault (enchantedcloud.com) ?
It is 3.0.40 and the Locked app is running on 1.3.3. Thanks 👍
Avatar
@bigsi you got a PM
Avatar
Avatar
Jeezy
Does anyone have any tips on decrypting Signal Messenger databases? I've now got a full file system following an initial userdata extraction and was hoping to find something juicy in the Android Keystore that differed to the entries seen previously in the UD extraction. AXIOM seems to suggest that the DB can be decrypted with the correct Keystore value, but it doesn't provide much detail and it's not something I've done before. Any advice would be much appreciated! Also, I have found multiple _SignalSecret entries; not certain which to use or if these are indeed what I'm after. (edited)
just_deduce_it 1/21/2022 12:58 PM
In this Tips and Tricks we will show you how to look at Keychain data, such as that available with a Keychain image and use that data to decrypt a data from different artifacts.
Arcain pinned a message to this channel. 1/21/2022 1:32 PM
Avatar
Hi everyone. Question: is finding a copy of a video in the "\media\WhatsApp.Shared" WhatsApp folder PROOF that this file has been sent to someone else?
Avatar
Avatar
Jeezy
Does anyone have any tips on decrypting Signal Messenger databases? I've now got a full file system following an initial userdata extraction and was hoping to find something juicy in the Android Keystore that differed to the entries seen previously in the UD extraction. AXIOM seems to suggest that the DB can be decrypted with the correct Keystore value, but it doesn't provide much detail and it's not something I've done before. Any advice would be much appreciated! Also, I have found multiple _SignalSecret entries; not certain which to use or if these are indeed what I'm after. (edited)
Avatar
Is anyone from @MSAB available for a quick dm? Thanks in advance
Avatar
@King Pepsi Sure, what's up? 🙂
Avatar
Great help as always, thanks!
Salute 1
Avatar
Thanks, I'll give this a go later!
Avatar
Avatar
Jeezy
Thanks, I'll give this a go later!
it works for me with the android keystore 👍
Avatar
Unfortunately the device in question isn't iOS. Thanks a lot for the reply though!
Avatar
Don't know if this is the right channel for this question but here goes. An iPhone (iOS 14.2) has identified a person on a picture. Does this happen with all pictures whether they are sent to the phone or captured with the phone or does it ONLY happen when captured with the phone in question? No other EXIF data exists for the picture.
Avatar
Avatar
TwiZtah
Don't know if this is the right channel for this question but here goes. An iPhone (iOS 14.2) has identified a person on a picture. Does this happen with all pictures whether they are sent to the phone or captured with the phone or does it ONLY happen when captured with the phone in question? No other EXIF data exists for the picture.
Easy to test: it seems it needs EXIF data. If I save a picture from WhatsApp showing me, it doesn't identify a person. If I take a selfie, it does identify me as a person (iOS 14.6). You will need to do some more testing of course. (edited)
Avatar
That's what my hypothesis was, will have to lab this out. Threw out the question to see if anyone had already done tests like this. But thanks, this is an avenue that I can continue on then.
Avatar
Has anyone encountered media\sharedvideos on a huawei device? My first thought is that it’s media from the huawei nfc share feature but I can’t find anything on it, thanks!
Avatar
Avatar
TwiZtah
Don't know if this is the right channel for this question but here goes. An iPhone (iOS 14.2) has identified a person on a picture. Does this happen with all pictures whether they are sent to the phone or captured with the phone or does it ONLY happen when captured with the phone in question? No other EXIF data exists for the picture.
ScottKjr3347 1/24/2022 7:56 AM
Are you speaking about a face crop person with name or just a person UUID? (edited)
Avatar
Avatar
TwiZtah
Don't know if this is the right channel for this question but here goes. An iPhone (iOS 14.2) has identified a person on a picture. Does this happen with all pictures whether they are sent to the phone or captured with the phone or does it ONLY happen when captured with the phone in question? No other EXIF data exists for the picture.
ScottKjr3347 1/24/2022 8:09 AM
Avatar
ScottKjr3347 1/24/2022 9:22 AM
@Andrew Rathbun Here is another one
Avatar
Andrew Rathbun 1/24/2022 9:23 AM
Bah, Discord automated the deletion of like 70% of them. Cleaning up the mess now
Avatar
Avatar
TwiZtah
Don't know if this is the right channel for this question but here goes. An iPhone (iOS 14.2) has identified a person on a picture. Does this happen with all pictures whether they are sent to the phone or captured with the phone or does it ONLY happen when captured with the phone in question? No other EXIF data exists for the picture.
CLB_iwhiffin 1/24/2022 12:00 PM
The analysis will run on any image in the gallery regardless of the source. But it’s up to the user to specify who the person is. I.e. if I tag someone in my photo and send it to you, that tag won’t carry over to your device. It’s also worth noting that face detection only runs when the device is locked and plugged in. Even then, it runs when it wants and can’t be forced.
💯 2
👍 1
Avatar
Just an FYI for @Law Enforcement [UK] Technical / Quality staff, there’s a significant time stamp issue which has been addressed in the latest @Cellebrite PA update, details in the release notes. You may need to look back on previous cases conducted on phones seized within 2022 and re-process. It looks like the issue has been mentioned on here previously by @Brigs regarding 2022 timestamps on KIK in particular.
👍 4
Salute 1
Avatar
Avatar
K23
Just an FYI for @Law Enforcement [UK] Technical / Quality staff, there’s a significant time stamp issue which has been addressed in the latest @Cellebrite PA update, details in the release notes. You may need to look back on previous cases conducted on phones seized within 2022 and re-process. It looks like the issue has been mentioned on here previously by @Brigs regarding 2022 timestamps on KIK in particular.
Thanks K23 👍
Avatar
@K23 thanks
Avatar
Any indication if Responder is affected?
Avatar
Avatar
Priv
Any indication if Responder is affected?
I've put in a ticket with support to try and find out, but couldn't see any details in the Responder release notes regarding the issue
👍 1
Avatar
Thank you @K23. 7.52 has been released today with the issue in the solved section. No further detail though, which is disappointing
👍 1
📫 1
Avatar
Avatar
APetro
Hello. Does anyone know the reason PA/Axiom can parse some messages from Snapchat but not all (“no message content to display”)? I’m assuming it's the way in which Snapchat/the user stored or viewed the message, but I’m curious to know the real answer and not just have a hunch. I have some messages incoming and outgoing that may be important, but I can’t view the messages with a participant at the time I need to, while a couple of hours earlier, same participant, I can see them. iPhone XR iOS 14.4, most recent Magnet and PA 7.5. Thanks for any help.
rubberchicken 1/25/2022 9:28 AM
In my experience (with Axiom at least), when I see "No message content to display" I copy the media ID from the metadata of the chat message and paste it into the search field. The media ID corresponds to a particular picture or video.
Avatar
Avatar
Brigs
Would love to have any documentation on the topic as well. Thanks!
@4JSN6🇬🇧 here you go for "budget is not an issue and I want the most out of my configuration"
7:50 PM
Here is the "budget is somewhat an issue and I still want to get the most out of what I have."
7:51 PM
Here is the "I really don't have a budget" but I still want the best out of what I have
7:52 PM
Sorry it took so long folks, this has been a busy week so far.
7:53 PM
When processing in Magnet AXIOM Process, the CPU of the machine is a key factor in determining the speed of the processing. There is a balance between adding cores and the speed of those cores. AXIOM Process can create up to 32 threads for processing, one for each core of the machine. AXIOM will also only take advantage of one physical processing unit at a time. The more threads that Magnet AXIOM Process uses, the more the RAM of the system needs to keep up with assigning tasks to each thread. Users will notice a drastic performance increase up to 8 or 12 cores, and after 12 cores, the speed of the cores takes over in performance improvements. While adding additional cores beyond 12 will still increase performance, it will be a less noticeable amount than from 4 to 8 cores. When picking a CPU, focus on processors that have a higher clock speed versus pure number of cores. For example, an Intel i9 processor with 16 threads may perform better than a processor with more available threads but a slower speed available to each thread. For more information about increasing performance in Magnet AXIOM Process, please consult this knowledge base article on the Customer Support Portal: (https://support.magnetforensics.com/s/article/Optimize-the-performance-of-Magnet-AXIOM).
👍 1
7:54 PM
I hope all of that helps and just so you know we teach this information and much more in our AX200 AXIOM Examinations class. https://training.magnetforensics.com/w/courses/
Avatar
Avatar
Priv
Any indication if Responder is affected?
Confirmed on support ticket that this does not affect responder reports
Avatar
So maybe a stupid question. I have a Chinese Android smartphone (similar to Melrose). It's encrypted with a number lock. I've got a full physical download but due to its encryption I require a password to open the full report. When opening the Cellebrite report in PA it states I can import a text document with passwords; technically could I, for example, get a word list with all 4 digit number combinations, load that and it would open... if the password was in that file? Or would that not work 😂
Avatar
Nevermind, I think I found my answer. The report opened!
Avatar
@Chris what changed?
Avatar
Does anyone have a way to combine these darned .pas files in PA? Also, opening them in a newer Reader version is not working. I tried changing the version numbers using HxD but no luck. Does anyone know a way to do so?
Avatar
@Cellebrite anyone for license question?
📬 1
Avatar
An image located in data/data/com.google.android.apps.photos/cache has a very long alphanumeric file name; an example is 4876809bcb26f1f78fef573c737f05f63ac12ba818f1ec10157b1850f71cc180. Does anyone know if this file name can assist in locating the original file name, or any investigative value it may have?
Avatar
Or maybe a better question: are the photos found at this location from browsing URLs?
Avatar
Or maybe hahaha someone can explain the apk a bit
Avatar
Good morning! I'm hoping someone here might be able to help me. I am analyzing an iPhone extraction with focus on when the phone was restored. I have found the .obliterated file and the information in com.apple.purplebuddy.plist tells me the phone was restored from an iCloudBackup from 2020 (iOS version 13.4.1). The problem is that there is conflicting information in the file com.apple.migration.plist. The information in that file is dated before the restore date and says the phone was restored from an iCloudBackup running iOS 15.1. I have searched the web and found some guides, one from @Cellebrite , but it doesn't shed any light on what the com.apple.migration.plist file is for... Any advice would be most welcome!
Avatar
Avatar
Jeezy
Does anyone have any tips on decrypting Signal Messenger databases? I've now got a full file system following an initial userdata extraction and was hoping to find something juicy in the Android Keystore that differed to the entries seen previously in the UD extraction. AXIOM seems to suggest that the DB can be decrypted with the correct Keystore value, but it doesn't provide much detail and it's not something I've done before. Any advice would be much appreciated! Also, I have found multiple _SignalSecret entries; not certain which to use or if these are indeed what I'm after. (edited)
4JSN6🇬🇧 1/27/2022 3:34 AM
Could anyone provide me with information regarding this issue? In the same predicament.
Avatar
Avatar
4JSN6🇬🇧
Could anyone provide me with information regarding this issue? In the same predicament.
Hi, I ended up connecting a wiped USB to the device via an OTG cable and performing a backup within the settings screen of Signal. It would seem as though my keystore is hardware encrypted so options are limited. I'm told that if you can get a Qualcomm Live full file system to work in UFED that it should generate the file containing the decrypted keystore, otherwise I'm told the new version of Premium should achieve this; haven't verified either yet. Hope this helps!
Avatar
@Cellebrite anyone from Cellebrite touch base with me please. Have a decode question.
Avatar
Question for anyone familiar with iLEAPP ... Can iLEAPP accept a zipped iTunes-style extraction without having to unzip the files first?
Avatar
Avatar
J Harder
@Cellebrite anyone from Cellebrite touch base with me please. Have a decode question.
Dm inbound
Avatar
Avatar
pug4N6
Question for anyone familiar with iLEAPP ... Can iLEAPP accept a zipped iTunes-style extraction without having to unzip the files first?
@Brigs i think brigs is familiar with ileapp 😉
😆 1
Avatar
Anyone aware of any other methods to BF a Wickr password from an Android device? Hoping there is something quicker than the built-in BF in PA.
Avatar
Avatar
pug4N6
Question for anyone familiar with iLEAPP ... Can iLEAPP accept a zipped iTunes-style extraction without having to unzip the files first?
If you ever look at the contents of an iTunes extraction it's not fully readable from a folder perspective. I've had some success with using https://github.com/jfarley248/iTunes_Backup_Reader with the -r (recreate folder structure option). You can then run iLEAPP against the recreated folders (edited)
Python 3 Script to parse out iTunes backups. Contribute to jfarley248/iTunes_Backup_Reader development by creating an account on GitHub.
Avatar
Avatar
fraser
Anyone aware of any other methods to BF a Wickr password from an Android device? Hoping there is something quicker than the built-in BF in PA.
forensicmike @Magnet 1/27/2022 6:20 AM
Wickr uses scrypt, which is designed to be memory intensive. Someone like @chick3nman could probably give you an idea re: potential speed advantages for optimized GPU cracking vs pure CPU. scrypt is used as proof of work by some cryptocurrencies (e.g. Litecoin and Dogecoin), so you might be able to see what the miners are using for some hints?
Avatar
Awesome... thanks @forensicmike @Magnet
Avatar
@Cellebrite Do you have a PDF document on how to utilise tags in UFDR ? I have some investigators in need of some pointers on how to use. Thanks
Avatar
Avatar
APetro
Hello. Does anyone know the reason PA/Axiom can parse some messages from Snapchat but not all (“no message content to display”)? I’m assuming it's the way in which Snapchat/the user stored or viewed the message, but I’m curious to know the real answer and not just have a hunch. I have some messages incoming and outgoing that may be important, but I can’t view the messages with a participant at the time I need to, while a couple of hours earlier, same participant, I can see them. iPhone XR iOS 14.4, most recent Magnet and PA 7.5. Thanks for any help.
Mel_Hungate 1/27/2022 8:39 AM
Within AXIOM, if the Type is anything other than "Text" then you will see the "no message content to display". (Screenshot is just using dummy data)
Avatar
Avatar
pug4N6
Question for anyone familiar with iLEAPP ... Can iLEAPP accept a zipped iTunes-style extraction without having to unzip the files first?
I usually process the backup in Physical Analyzer and then dump the file system from there and run iLEAPP against that.
Avatar
jwatson7428 1/27/2022 12:01 PM
Does anyone know why I would get an Android ID of one value from a file system extraction and another value with an Advanced logical extraction? I thought the Android ID that is captured by Cellebrite was unique to the device. Using Cellebrite UFED Touch 2 and PA. @Cellebrite
Avatar
Avatar
jwatson7428
Does anyone know why I would get an Android ID of one value from a file system extraction and another value with an Advanced logical extraction? I thought the Android ID that is captured by Cellebrite was unique to the device. Using Cellebrite UFED Touch 2 and PA. @Cellebrite
Android IDs are not useful for identifying phones across apps from Android 8 and on. https://developer.android.com/about/versions/oreo/android-8.0-changes Maybe the advanced logical pulled an android ID from an app?
Avatar
jwatson7428 1/27/2022 2:23 PM
@FullTang Thanks for the feedback. I am curious about that also. I wonder why Cellebrite is singling that data out when they provide the “device info”. If the Android ID is tied to an app and is dynamic, then what is considered their default Android ID that they display? I also read that an Android ID can be changed by the user. @Cellebrite
Avatar
DeeFIR 🇦🇺 1/27/2022 2:59 PM
The API docs you referenced note that the value of ANDROID_ID is now scoped per app signing key, as well as per user, so that would explain why pulling a FFS (i.e. not with an application) would produce a different result to an agent-based extract (being an application which would be scoped).
this 1
Avatar
Morning All, I have a Full Filesystem extraction from a Samsung A21s running Android 11 - is it possible to find out if the device has been backed up or restored? - Thanks in advance 🙂 (edited)
Avatar
Avatar
Ghosted
An image located in data/data/com.google.android.apps.photos/cache has a very long alphanumeric file name; an example is 4876809bcb26f1f78fef573c737f05f63ac12ba818f1ec10157b1850f71cc180. Does anyone know if this file name can assist in locating the original file name, or any investigative value it may have?
I think I’ve figured out how the hash is made. It was a rough one 😂 I just need to track down the last value then I can send you a short description on how it’s made. (edited)
Avatar
Avatar
.karate.
I think I’ve figured out how the hash is made. It was a rough one 😂 I just need to track down the last value then I can send you a short description on how it’s made. (edited)
That would be great. Is there a way to track the cache back to the original image and maybe its original location at one point?
Avatar
Avatar
Ghosted
That would be great. Is there a way to track the cache back to the original image and maybe its original location at one point?
I've made some Java pseudocode (that generates the correct hash). In reality the different values came from different classes. I had to hook the java.security.MessageDigest.update function to find out what kind of values it used. Everything is heavily obfuscated in the apk.
Example file:
-rw------- 1 u0_a220 u0_a220 1798 2022-01-27 23:22 33c2615d2c3d279c8ec8e43b998764cd12cf5f1976512f8fa1fedf227c645f52
Code:
HexBinaryAdapter hex = new HexBinaryAdapter();
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update("content://media/external/images/media/82".getBytes());
md.update(hex.unmarshal("58f7c98c"));
md.update(hex.unmarshal("0000003200000032"));
md.update("com.bumptech.glide.load.resource.bitmap.FitCenter".getBytes());
md.update("com.bumptech.glide.load.resource.bitmap.VideoBitmapDecode.TargetFrame".getBytes());
md.update(hex.unmarshal("0000000000000000"));
md.update("android.graphics.Bitmap".getBytes());
System.out.println(hex.marshal(md.digest()).toLowerCase());
Line 3 is "content_uri", which you can find in the table "local_media" in "gphotos-1.db". Line 4 is "signature", which you can find in the table "local_media" in "gphotos-1.db". Lines 5 and 8 seem to always have the same values. (edited)
👀 2
Avatar
Just for reference: the above is about cache files in the Google Photos app. The names of the cache files are SHA-256 hashes of different values that are generated when the image is first loaded into the main view of the Google Photos application.
👍 1
Avatar
If anyone has a case involving deleted messages, I wrote a parser that pulls them out of “appintent” files found in iOS dumps. I’d be happy to share. It’s not published yet, still testing a bit more before I publish it. Shoot me a DM. We’ve tested on quite a few phones and are pulling out a wealth of deleted iMessages/SMS. Seems to be limited to about ~30 days worth of messages.
👍 5
Avatar
Has anyone seen CLR error 80004005 while running @Magnet Forensics Axiom? If so, were you able to do something about it? It seems Process can't stop eating memory even if there is no more to be had. Thoughts?
Avatar
Avatar
Brigs
Has anyone seen CLR error 80004005 while running @Magnet Forensics Axiom? If so, were you able to do something about it? It seems Process can't stop eating memory even if there is no more to be had. Thoughts?
Going off what @Jamey suggested yesterday, maybe for your case reduce the amount of threads available which I believe is in the settings?
4:17 PM
More threads = more ram needed from what I can tell (edited)
Avatar
Avatar
Rob
Going off what @Jamey suggested yesterday, maybe for your case reduce the amount of threads available which I believe is in the settings?
Thanks for the suggestion. Will try. I'm out of ideas. One would think that the software would regulate its own memory usage though.
Avatar
How is everyone experiencing PA 7.52? We have a lot of extractions not parsing at all: 24 hours+ with no change or crash. A ticket has been made with @Cellebrite, but it seems quite a bug if I just look at our own region.
Avatar
Avatar
Brigs
Thanks for the suggestion. Will try. I'm out of ideas. One would think that the software would regulate its own memory usage though.
You can only hope one day it will because Axiom is one thirsty application when it comes to RAM
Avatar
@Cellebrite since updating PA to 7.52 any attempt to open a new or previously working dump file is throwing up the error "Could not locate dump file". The same dump file is opening fine with 7.51 and 7.48 albeit 7.48 is pulling up more chats/images/videos than 7.51. Anyone come across this issue or ideas on what I might be missing?
Avatar
Hi All. A quick question: can you obtain the original EXIF metadata for an image after it's sent over WhatsApp or any other sharing app/platform? Any help or info would be appreciated. 😊
Avatar
Hi all, does anyone know what "com.android.chrome/app_tabs/custom_tabs" relates to? Can't find this content anywhere on handset so didn't know if it was private browsing or something more sophisticated
Avatar
Avatar
claireh
Hi all, does anyone know what "com.android.chrome/app_tabs/custom_tabs" relates to? Can't find this content anywhere on handset so didn't know if it was private browsing or something more sophisticated
Hi Claire, we noticed the same thing in the week with custom tabs and asked about it. I don't think we got a reply!
🔍 1
Avatar
Avatar
claireh
Hi all, does anyone know what "com.android.chrome/app_tabs/custom_tabs" relates to? Can't find this content anywhere on handset so didn't know if it was private browsing or something more sophisticated
CLB_joshhickman1 1/29/2022 7:56 AM
Based on some test data I have, I believe custom tabs are related to web pages that load within an app. For example, when I authenticate in Fit-To-Fit (an app used to import data from Fitbit to Google Fit) I need to authenticate to Fitbit so that Fit-To-Fit is able to access my data. The Fit-To-Fit app renders the Fitbit authentication page within itself (so it appears). I can also see some activity related to webapps. See https://android-developers.googleblog.com/2015/09/chrome-custom-tabs-smooth-transition.html (edited)
Salute 2
7:56 AM
I'd run a few tests to confirm.
Avatar
Avatar
padstar561
Hi All. A quick question: can you obtain the original EXIF metadata for an image after it's sent over WhatsApp or any other sharing app/platform? Any help or info would be appreciated. 😊
The majority of original metadata is often altered through WhatsApp transmission (and many other sites). Since metadata is embedded within the file itself it cannot be recovered once it has been changed/re-encoded. For video files we are able to use a different approach than using metadata values to identify source device in files that are transmitted through WhatsApp and similar sites. See www.medexforensics.com for details.
Avatar
Avatar
Brandon E
The majority of original metadata is often altered through WhatsApp transmission (and many other sites). Since metadata is embedded within the file itself it cannot be recovered once it has been changed/re-encoded. For video files we are able to use a different approach than using metadata values to identify source device in files that are transmitted through WhatsApp and similar sites. See www.medexforensics.com for details.
Thanks for your help
👍 1
Avatar
Avatar
LoccIE
@Cellebrite since updating PA to 7.52 any attempt to open a new or previously working dump file is throwing up the error "Could not locate dump file". The same dump file is opening fine with 7.51 and 7.48 albeit 7.48 is pulling up more chats/images/videos than 7.51. Anyone come across this issue or ideas on what I might be missing?
Can you share logs ?
Avatar
Avatar
Ghosted
An image located in data/data/com.google.android.apps.photos/cache has a very long alphanumeric file name; an example is 4876809bcb26f1f78fef573c737f05f63ac12ba818f1ec10157b1850f71cc180. Does anyone know if this file name can assist in locating the original file name, or any investigative value it may have?
Did you try a keyword search for it?
Avatar
Avatar
LoccIE
@Cellebrite since updating PA to 7.52 any attempt to open a new or previously working dump file is throwing up the error "Could not locate dump file". The same dump file is opening fine with 7.51 and 7.48 albeit 7.48 is pulling up more chats/images/videos than 7.51. Anyone come across this issue or ideas on what I might be missing?
chrisforensic 1/29/2022 9:16 PM
Hi, I didn't have the same issue with PA 7.52, but on opening an apk-downgrade (WhatsApp) - Xiaomi_M2006C3LG_DS Redmi 9A - with PA 7.52, the attachments were not linked to the chat... opening the same with 7.49 and 7.47, both could link the attachments to the right place in the chat... so what should I think about this 🧐 ??? Things that work in the previous version no longer work in the new version? This really shouldn't be happening !!! By the way, I opened the extraction in another forensic tool and attachment linking worked.... (edited)
Avatar
Just a quick one, had three different devices, three workstations all appear to get stuck when parsing WeChat since the upgrade to 7.52. has anyone else had the same issues?
📥 2
Avatar
Avatar
jw
Just a quick one, had three different devices, three workstations all appear to get stuck when parsing WeChat since the upgrade to 7.52. has anyone else had the same issues?
7.52 seems very buggy
Avatar
Avatar
florus
7.52 seems very buggy
id be curious to hear your feedback on what you mean. shoot me a dm
Avatar
Avatar
jw
Just a quick one, had three different devices, three workstations all appear to get stuck when parsing WeChat since the upgrade to 7.52. has anyone else had the same issues?
I re-processed an android image with 7.52 and it took 90 minutes to parse the Facebook app and 2 hours in total for the whole image. I was able to replicate it on another machine so I would say there's something off with this version. I've analyzed this image in the past with no issues with previous versions like 7.46.
📥 4
Avatar
I see similar issues with other parsers as well. The extraction that I'm trying to load now keeps hanging on Google Photos
7:05 AM
In the logs I see a LOT of exceptions related to "videos" : "failed to get video duration". No clue where this is coming from
Avatar
thanks for sharing, this is helpful @Jackds. we are examining the "failed to get video duration" issue. it is not related to a specific parser/app, and shouldn't affect any parsed data - only a new enriched metadata on video files.
Avatar
MrMacca (Allan Mc) 1/31/2022 12:06 PM
What's your current process for Microsoft outlook email on an iPhone? We have a gk extraction that isn't showing any emails in the latest Physical analyser as well as in Axiom. Manual examination is showing lots of emails and content. What are you guys doing to present this data?
Avatar
MrMacca (Allan Mc) 2/1/2022 3:20 AM
Will Microsoft Outlook on an iPhone be supported within Axiom or Cellebrite PA in the future?
Avatar
@Cellebrite With the release of PA 7.52 you support Android GK extractions, but we cannot add the keystore... Is it planned to support the keystore?
Avatar
@Cellebrite I'm having some issues with new version of cellebritereader (missing things in file tree, export errors). Opening in PA works fine, but not in reader.
Avatar
Avatar
chrisforensic
Hi, I didn't have the same issue with PA 7.52, but on opening an apk-downgrade (WhatsApp) - Xiaomi_M2006C3LG_DS Redmi 9A - with PA 7.52, the attachments were not linked to the chat... opening the same with 7.49 and 7.47, both could link the attachments to the right place in the chat... so what should I think about this 🧐 ??? Things that work in the previous version no longer work in the new version? This really shouldn't be happening !!! By the way, I opened the extraction in another forensic tool and attachment linking worked.... (edited)
Got this issue too. Looks like the whatsapp decoding script is looking only for media files in "/Android/media/com.whatsapp/WhatsApp/". Tested a project with this structure and worked fine.
👍 1
Avatar
@Deleted User hi Chris, I spotted your post and presently have an image in this very same folder. Any tips or advice you can offer from your past encounter would be welcome
Avatar
Avatar
Dam
@Cellebrite With the release of PA 7.52 you support Android GK extractions, but we cannot add the keystore... Is it planned to support the keystore?
Yes in the works.
Avatar
Avatar
rafael_cs
@Cellebrite I'm having some issues with new version of cellebritereader (missing things in file tree, export errors). Opening in PA works fine, but not in reader.
Can you shoot me a dm and we can take a look
Avatar
Avatar
chrisforensic
Hi, I didn't have the same issue with PA 7.52, but on opening an apk-downgrade (WhatsApp) - Xiaomi_M2006C3LG_DS Redmi 9A - with PA 7.52, the attachments were not linked to the chat... opening the same with 7.49 and 7.47, both could link the attachments to the right place in the chat... so what should I think about this 🧐 ??? Things that work in the previous version no longer work in the new version? This really shouldn't be happening !!! By the way, I opened the extraction in another forensic tool and attachment linking worked.... (edited)
Hi Chris, we checked it and it'll be fixed for the next PA update
👍 1
Avatar
Avatar
idokal
Hi Chris, we checked it and it'll be fixed for the next PA update
chrisforensic 2/2/2022 4:08 AM
thank you 😉
Avatar
rugby_tech#7130 2/2/2022 12:57 PM
Evening, I had a quick search but hadn't seen any comments regarding PA 7.52 having a bug when exporting media files via Project VIC 1.3 and 2.0. Upon examining the metadata within the JSON, it was found there was no file path reported. Therefore when imported into our grading platform, it reports 'file path unknown'. I tried XML and this exported the files and metadata correctly. A ticket is in with Cellebrite, but just as a heads up. Timestamp issue fixed, but then finding additional bugs
Avatar
Avatar
idokal
Hi Chris, we checked it and it'll be fixed for the next PA update
manuelevlr 2/2/2022 1:30 PM
Hi, but will this update be out soon? as there are several bugs.
Avatar
Joe Schmoe 2/2/2022 1:47 PM
Anyone know specifically where images from com.android.com/app_textures/ come from?
Avatar
Avatar
MrMacca (Allan Mc)
What's your current process for Microsoft outlook email on an iPhone? We have a gk extraction that isn't showing any emails in the latest Physical analyser as well as in Axiom. Manual examination is showing lots of emails and content. What are you guys doing to present this data?
I am currently facing the same issue. Did you find a work around at all?
Avatar
MrMacca (Allan Mc) 2/3/2022 5:41 AM
@Yoshi4N6 not at the moment. Axiom are working on it atm and cellebrite have also been requested by a colleague to add it to their R&D. We are potentially going down the route of a manual video recording of the emails.
Avatar
Avatar
MrMacca (Allan Mc)
@Yoshi4N6 not at the moment. Axiom are working on it atm and cellebrite have also been requested by a colleague to add it to their R&D. We are potentially going down the route of a manual video recording of the emails.
Thanks for the reply. Raised it already with Cellebrite and asked for the same - for it to be added to their R&D Hopefully at some point it will be supported! Looking into the outlook app in general its features and capabilities aren't the best. I've started the manual review, as its better than nothing. Had the same issue with Axiom, it just wasn't pulling anything from outlook, and without it, we're missing a lot of key evidence.
Avatar
@Yoshi4N6 not sure if this is still relevant: Search on ‘CDNFILES’ to get the right GUID folder. PA doesn’t list it in the installed applications section for the area it’s stored in. Within ‘Files’ there are a series of subfolders but the main folder names (there can be more than one) are EMFData. Each email is then a ‘.dat’ file. Rather than using bulk renamer I just export the ‘Files’ folder and use cmd with the following: for /R %x in (*.dat) do ren "%x" *.html This just does a recursive loop through all the files and if the file extension is ‘.dat’ it changes it to ‘.html’, the emails can then be opened in a web browser.
👍 1
Avatar
Avatar
jjh2320
@Yoshi4N6 not sure if this is still relevant: Search on ‘CDNFILES’ to get the right GUID folder. PA doesn’t list it in the installed applications section for the area it’s stored in. Within ‘Files’ there are a series of subfolders but the main folder names (there can be more than one) are EMFData. Each email is then a ‘.dat’ file. Rather than using bulk renamer I just export the ‘Files’ folder and use cmd with the following: for /R %x in (*.dat) do ren "%x" *.html This just does a recursive loop through all the files and if the file extension is ‘.dat’ it changes it to ‘.html’, the emails can then be opened in a web browser.
Thanks for the info! I'll certainly give it a try, as I have a few that are going to face the same issue. I am still relatively new to using PA, so it's always nice to know tips. The main one that I am working on at the moment is an iPhone 12 that has the Outlook app installed, but GK didn't seem to pull anything from it.
Avatar
DeepDiveForensics 2/3/2022 11:15 AM
Hello Everyone, I'm looking for an application uninstallation log from a Samsung M11 mobile phone. Is there any such type of log maintained by mobile phones?
Avatar
Avatar
CLB_joshhickman1
I'd run a few tests to confirm.
Hmmmmmm. I better go on a hunt then! Thanks Josh
Avatar
Avatar
Brigs
Has anyone seen CLR error 80004005 while running @Magnet Forensics Axiom? If so, where you able to do something about it? It seems Process can't stop eating memory even if there is no more to be had. Thoughts?
I reported this bug to Magnet Forensics on 23rd April 2021. I found that the issue occurs when Axiom Process encounters a large number of nested containers. In the ticket I opened I informed them of the following: "I have an image where Axiom has identified 48,760 nested containers (almost all of these files are of type zip). The zip files range in size from 128 KB to 660 MB. However, the vast majority are between 1 MB and 7 MB in size. In this instance the issue occurs after the application has processed approximately 4,700 archives. The error displayed is 'CLR error: 80004005. The program will now terminate.' After viewing the logs it was determined that a "System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException'" is thrown." In my case the issue still occurred if 'Max nested container depth' was set to 1. The only workaround I found was to disable 'Search Archives'. For the record, my workstation had 64 GB of RAM installed at the time the bug was reported. (edited)
Avatar
@Cellebrite Anyone else having trouble creating VICS files in PA 7.52? I don't seem to get the file path for my files
Avatar
Avatar
jaikl
@Cellebrite Anyone else having trouble creating VICS files in PA 7.52? I don't seem to get the file path for my files
An ex-colleague informed me yesterday that a bug is causing PA to generate JSON exports without any metadata. Hopefully someone from @Cellebrite is able to assist!
Avatar
Avatar
Jeezy
An ex-colleague informed me yesterday that a bug is causing PA to generate JSON exports without any metadata. Hopefully someone from @Cellebrite is able to assist!
Thanks
Avatar
Hi! Is it possible to find the Telegram encryption key if all messages are deleted and the Telegram app is reinstalled? Huawei Kirin phone.
Avatar
manuelevlr 2/4/2022 1:50 AM
Hello everyone, in PA in the "wireless networks" section there are several connections showing both the BSSID and a date/time in the "timestamp" field. Does this data mean that the device, on the date indicated in the "timestamp" field, was connected to the network with that "BSSID"? The path where this data was taken from is data/log/wifi/iwc/iwc_dump.txt (Galaxy A20e)
Avatar
Avatar
Anjo
Hi! Is it possible to find the Telegram encryption key if all messages are deleted and the Telegram app is reinstalled? Huawei Kirin phone.
I don't know about Telegram specifically, but Oxygen Forensic Detective could be an option. They usually have good support for Kirin chipsets on bootloader level.
Avatar
Avatar
BETBAMS
I don't know about Telegram specifically, but Oxygen Forensic Detective could be an option. They usually have good support for Kirin chipsets on bootloader level.
I did dump with Oxygen, but Telegram chat was deleted or App was reinstalled, just before suspect was arrested. (edited)
Avatar
A reporting error has been raised with me via a kiosk site: Nokia TA-1010 (2017), incorrect timestamps reported in the call log (2022 dates). Responder v7.49. Quite a popular burner phone, could be one to be aware of in your areas!
Avatar
Avatar
manuelevlr
Hello everyone, in PA in the "wireless networks" section there are several connections showing both the BSSID and a date/time in the "timestamp" field. Does this data mean that the device, on the date indicated in the "timestamp" field, was connected to the network with that "BSSID"? The path where this data was taken from is data/log/wifi/iwc/iwc_dump.txt (Galaxy A20e)
Yes, you can count on that and we will also make sure to parse their related position in PA 7.54
👍 1
Avatar
Out of curiosity, can an iPhone that is on without a SIM automatically switch to airplane mode after a bit of inactivity?
Avatar
Hello all, working on a plist carver/parser... my initial thought was to output the results to a database so it would be easily searchable by key, subkey, value type information, but I'm curious if folks think a different output format would be better?
Avatar
Hi all, on iOS, in which file can I see the set timezone?
Avatar
theAtropos4n6 2/7/2022 1:31 AM
@Oxygen Forensics I have created a Huawei Kirin FFS for a MAR-LX1A. After extracting the hardware keys Oxygen asks me for a password. However none is set to the device as the device was unlocked. Any suggestions?
Avatar
Avatar
theAtropos4n6
@Oxygen Forensics I have created a Huawei Kirin FFS for a MAR-LX1A. After extracting the hardware keys Oxygen asks me for a password. However none is set to the device as the device was unlocked. Any suggestions?
Oxygen Forensics 2/7/2022 1:33 AM
Hello, yes, I have some 🙂 I will DM you with some questions if you don't mind
Avatar
Avatar
Oxygen Forensics
Hello, yes, I have some 🙂 I will DM you with some questions if you don't mind
theAtropos4n6 2/7/2022 1:33 AM
Thanks
Avatar
manuelevlr 2/7/2022 3:36 AM
hello everyone, I am checking within the CurrentPowerLog.PLSQL file in the PLB AGENTE EVENT PIONT TELEPHON ACTIVITY table when the airplane mode was active. In the timestamp field there is this value "1628384274.23987". What does the value after the point mean?
Avatar
Avatar
manuelevlr
hello everyone, I am checking within the CurrentPowerLog.PLSQL file in the PLB AGENTE EVENT PIONT TELEPHON ACTIVITY table when the airplane mode was active. In the timestamp field there is this value "1628384274.23987". What does the value after the point mean?
Hi! Thats a Unix Time Stamp (https://www.unixtimestamp.com/)
Avatar
Avatar
Mr.Robot
Hi! Thats a Unix Time Stamp (https://www.unixtimestamp.com/)
manuelevlr 2/7/2022 4:42 AM
I don't understand what the numbers after the dot mean.
Avatar
Deleted User 2/7/2022 4:47 AM
It can be the decimal part, some system can log timestamp with microsecond precision.
Avatar
Avatar
manuelevlr
I don't understand what the numbers after the dot mean.
That number is a timestamp in which the time is displayed as seconds since the epoch (called UNIX time). On the website you can convert a UNIX timestamp to a human-readable time
Avatar
manuelevlr 2/7/2022 4:54 AM
thank you all 🙂
Avatar
The new version of DCode is really great, if you put a number in it then it runs against all of the variables and shows them all so you can pick the one that looks sensible
Avatar
DCode™ is a FREE forensic tool for decoding data found during digital forensic examinations into human-readable timestamps.
👍 3
Avatar
I am in a digital forensics class at the master's level. Taking the class as an elective in my CS degree because I am interested in the field. Part of my class is to do a semester-long research project with some sort of experiment or demonstration portion. I have stumbled around looking for about a week or so and I found some studies done on mobile phone vault apps. There are studies done on how well the vaults actually protect data and what tools are good and bad at finding photos in them. A study that I found used these 3 tools: Magnet Axiom, BlackBag Mobilyze, Cellebrite UFED. I was thinking about reproducing the study but with updated versions of the vaults, tools and phone OS. Was wondering where I could get some advice on this. Some of those tools have free trials, not sure if that's a good idea versus asking the school to buy it. Do not know if there are better tools or programs to use, etc. Does anyone have any suggestions on something to try and break into other than a vault app that might be fun? Open to ideas. (edited)
Avatar
manuelevlr 2/8/2022 2:04 AM
Hi all, I have a complete file system capture of an iOS 13.5.1 device. PA detects the time zone as UTC-8 (Los Angeles). The data is taken from the data_ark.plist file. However, by accessing the device in the "date and time" menu, it was set to automatic, and when disabling that, the "Rome" timezone appeared. When the device was seized it was actually in Italy. I assume the timezone shown by PA is one of the latest but not the current one. Is this possible?
Avatar
Avatar
pug4N6
Hello all, working on a plist carver/parser ... my initial though was to output the results to a database so it would be easily searchable by key, subkey, value type information, but I'm curious if folks think a different output format would be better?
I agree on database, that way ppl can build on it easier i think. Will this be available on github? 😄
Avatar
Avatar
jw
Just a quick one, had three different devices, three workstations all appear to get stuck when parsing WeChat since the upgrade to 7.52. has anyone else had the same issues?
Also having issues where 2x extractions are stuck parsing WeChat. Is there any solution for this? Thank you.
Avatar
manuelevlr 2/8/2022 7:58 AM
Hello everyone, is there the possibility of translating an entire section on the PA, for example "messages", without having to select them one at a time?
Avatar
Can anyone help me here? I see a ton of locations in Snapchat-db gallery.encrypted.decrypted (iOS FFS). The snap_id correlates with the snap_id in db scdb-27.sqlite which contains timestamps etc. The db (locations) is not parsed in PA 7.52 and Axiom 5.9. Does anyone have experience with decoding these locations?
Avatar
Avatar
bigsi
I have a case with several hidden calculator vaults. The device is a Samsung Galaxy S10 and I have a FFS extraction. The apps are Photo Vault (enchantedcloud.com) and Locked Calculator (com.lkd.calculator). Axiom has identified the PIN and we can access these vaults on the device and can view on the device. In the case of the enchantedcloud vault UFED has recovered these albeit in an encrypted state. Can anybody assist with method for getting these in a decrypted state from the recovered files? Trying to avoid having to recover these out from the vault on the suspect device in order to recover then in a viewable format in UFED.
Sorry for pulling up an older message. In case anyone else encounters the application 'com.lkd.calculator', here is a solution: https://theincidentalchewtoy.wordpress.com/2022/02/05/decrypting-locked-secret-calculator-vault/
👍 9
Avatar
Avatar
OggE
I agree on database, that way ppl can build on it easier i think. Will this be available on github? 😄
Hopefully soon ... I think I've got it mostly figured out, currently just printing results to the screen right now though. And I had to make an adjustment or two to an imported module, so not sure how it works if I want to post it with my edits
Arcain pinned a message to this channel. 2/8/2022 11:44 AM
Avatar
Avatar
manuelevlr
Hello everyone, is there the possibility of translating an entire section on the PA, for example "messages", without having to select them one at a time?
You can shift click, but that's the only quicker solution I found. But beware it can take a very long time depending on how many. Fyi the advanced translate addon they offer does not help with translations on quantity or speed, largely because at least the version I evaluated did both the basic translation that's free and then did the advanced one.
Avatar
Avatar
manuelevlr
Hello everyone, is there the possibility of translating an entire section on the PA, for example "messages", without having to select them one at a time?
You can translate an entire category, i.e. chats or messages…I’ll have to double check in the morning when I’m in front of an extraction to guide you exactly…I believe once you click into your category of interest you access the translate selection on the right side of the menu bar…
🙂 1
Avatar
Deleted User 2/8/2022 10:53 PM
Any tips to see when an iOS phone was installed?
Avatar
Hi everyone, got a question about the CallHistory database. I'm analyzing a full filesystem extraction of an iPhone 11 Pro, using Cellebrite PA and Axiom. Looking in the Call Logs I have a record of an outgoing call from Snapchat with "Call Status: Answered". However, when I look in the database manually there is a field in table ZCALLRECORD with the name ZANSWERED with a value of 0. There is also parsed information in category Snapchat Chat Messages, suggesting that the call was not answered. The call record has "Type: Unsuccessful voice call". What do you all make of this?
Avatar
Avatar
danielj91
Hi everyone, got a question about the CallHistory database. I'm analyzing a full filesystem extraction of an iPhone 11 Pro, using Cellebrite PA and Axiom. Looking in the Call Logs I have a record of an outgoing call from Snapchat with "Call Status: Answered". However, when I look in the database manually there is a field in table ZCALLRECORD with the name ZANSWERED with a value of 0. There is also parsed information in category Snapchat Chat Messages, suggesting that the call was not answered. The call record has "Type: Unsuccessful voice call". What do you all make of this?
Do both tools give the same result for this record? And is this a logical or recovered (deleted) record from the database?
Avatar
Both tools says the call has been answered, according to the call logs. I should add that the call has the same, specific call duration as well. This is a logical record from the database @Velcro (edited)
Avatar
Avatar
Deleted User
Any tips to see when an iOS phone was installed?
Are you talking when the iphone was setup? What type of iphone and do you have a FFS extraction? Look at purplebuddy.plist
2:33 AM
Here’s a related article that may help you also https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/
👍 1
Avatar
Avatar
Jshoe
Here’s a related article that may help you also https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/
Deleted User 2/9/2022 3:39 AM
Thanks, would check that out
Avatar
Avatar
manuelevlr
Hello everyone, in PA in the "wireless networks" section there are several connections showing both the BSSID and a date/time in the "timestamp" field. Does this data mean that the device, on the date indicated in the "timestamp" field, was connected to the network with that "BSSID"? The path where this data was taken from is data/log/wifi/iwc/iwc_dump.txt (Galaxy A20e)
From Cellebrite training, that is my understanding. If there is a date/time stamp, the device connected to that router/bluetooth. If not, the device may have seen the router/bluetooth beaconing.
Avatar
Avatar
Jshoe
You can translate an entire category, i.e. chats or messages…I’ll have to double check in the morning when I’m in front of an extraction to guide you exactly…I believe once you click into your category of interest you access the translate selection on the right side of the menu bar…
Just looked at an extraction…on the menu bar while in the category of interest look for Actions drop down (next to Filters) menu and select Translation Commands > Translate all
Avatar
Avatar
manuelevlr
Hello everyone, is there the possibility of translating an entire section on the PA, for example "messages", without having to select them one at a time?
Just looked at an extraction…on the menu bar while in the category of interest look for Actions drop down (next to Filters) menu and select Translation Commands > Translate all
Avatar
Thanks
Avatar
Hi Everyone. Hope you all are well. Quick question. Is there anyway to find out from a UFED extraction how many times the user has viewed videos which are located in the DCIM folder? @Cellebrite (edited)
Avatar
ZADDITIONALASSETATTRIBUTES has ZPLAYCOUNT for videos and ZVIEWCOUNT for photos. There are also ZPENDINGVIEWCOUNT and ZPENDINGPLAYCOUNT, which can also be potentially useful.
👍 1
4:39 PM
From a colleague
4:40 PM
@CLB_iwhiffin ftw. he's got more info too 🙂 (edited)
👍 2
Avatar
Anyone having problems with WhatsApp Beta databases? Downgrade worked perfectly, but the database seems different from non-beta WhatsApp. Axiom (5.5.1.26621) and Physical Analyzer (latest) didn't parse it correctly @Cellebrite @Magnet Forensics
📫 1
Avatar
Just for info, I'm not sure if anyone else has come across this, but with PA 7.52.0.36 it's not showing all of the Safari internet history. Looking at the databases, information in "BrowserState.db" and "Favicons.db" is not displayed. When running the checkm8 file from an iPhone 6 in Axiom afterwards, it's a difference of over 150 website hits and an additional 4.5k potential browser activity entries. We have noticed this with other iPhones too. @Cellebrite
Avatar
Avatar
drauglin
Anyone having problems with WhatsApp Beta databases? Downgrade worked perfectly, but the database seems different from non-beta WhatsApp. Axiom (5.5.1.26621) and Physical Analyzer (latest) didn't parse it correctly @Cellebrite @Magnet Forensics
Which AXIOM version did you downgrade from?
Avatar
Avatar
Nick
Just for info, I'm not sure if anyone else has come across this, but with PA 7.52.0.36 it's not showing all of the Safari internet history. Looking at the databases, information in "BrowserState.db" and "Favicons.db" is not displayed. When running the checkm8 file from an iPhone 6 in Axiom afterwards, it's a difference of over 150 website hits and an additional 4.5k potential browser activity entries. We have noticed this with other iPhones too. @Cellebrite
I know we are expanding / reworking some of the iOS Safari history. It's coming
Avatar
Avatar
Tim F
Which AXIOM version did you downgrade from?
Downgraded with UFED Touch. Then used Axiom on the extraction.
Avatar
Avatar
drauglin
Downgraded with UFED Touch. Then used Axiom on the extraction.
Have you tried 5.9 yet?
Avatar
No. License expired couple of months ago
Avatar
Avatar
drauglin
No. License expired couple of months ago
What's it not parsing?
Avatar
Avatar
CLB-Paul
What's it not parsing?
All chats. It only parsed the call log.
Avatar
Avatar
drauglin
No. License expired couple of months ago
We are adding your issue to one of our open tickets.
Avatar
Avatar
matto92
Hi All, I have a FFS extraction of an iPhone running iOS 14.6. I know the user deleted the sms/mms/iMessages/call logs. I don't really care about the content of the deleted messages but rather when it was deleted. Does anyone have any thoughts?
Hi, did you ever get to the bottom of this? I have the same issue at the moment and am struggling to find anything on the topic.
Avatar
Avatar
jaikl
anyone know if you can see from what device an message via imessage is sent from?
Hi, did you ever get an answer for this? I'm working on a similar investigation at the moment and am struggling to find anything to assist me in the extracted data. Thanks.
Avatar
Avatar
blake-ee
Hi, did you ever get to the bottom of this? I have the same issue at the moment and am struggling to find anything on the topic.
I wasn't able to put an exact timeframe to when they were deleted. What I did was use the iPhone recents and interactionC to show that communications had indeed occurred. The only way I could get a timeframe was just by inferring that at some point between receiving/sending the message and when I got the phone it was deleted. Also, in the sms.db in the "sqlite_sequence" table I could tell how many messages should have been on the phone by the sequence number.
Avatar
Avatar
torskepostei
I have found that the images reside in the data folder for the apps, usually the Library folder, stored as .ktx files. I'm not familiar with the app switcher, but I believe knowledgeC will help you find the last used apps.
Update and answer. The files were in fact stored as .ktx, thank you. I parsed the FFS in iLEAP and the “App Snapshots” category had a history of app snapshots (go figure!?!?), including the recent Maps screenshot I was looking for. The only issue was the modified times were displayed as the date/time I parsed the FFS in iLEAP vs the original timestamp back towards the end of November. I don’t know if that was a once off since I am new to using iLEAP (I like it so far, thank you @Brigs and team). Axiom time stamp in iOS snapshots was around the date/time of the crash for the same image. If anyone was looking to get an idea of where the files were located, below is where I found the most recent Maps screenshot: \private\var\mobile\Containers\Data\Application\54AE87B6-6DC9-4D6E-8661-XXXXXXXXXXXX\Library\SplashBoard\Snapshots\sceneID_com.apple.Maps-9447852A-C40C-4299-9728-XXXXXXXXXXXX\F9A36239-1CFE-41CB-93FB-XXXXXXXXXXXX@3x.ktx
👍 1
Avatar
Avatar
Derek F
Update and answer. The files were in fact stored as .ktx, thank you. I parsed the FFS in iLEAP and the “App Snapshots” category had a history of app snapshots (go figure!?!?), including the recent Maps screenshot I was looking for. The only issue was the modified times were displayed as the date/time I parsed the FFS in iLEAP vs the original timestamp back towards the end of November. I don’t know if that was a once off since I am new to using iLEAP (I like it so far, thank you @Brigs and team). Axiom time stamp in iOS snapshots was around the date/time of the crash for the same image. If anyone was looking to get an idea of where the files were located, below is where I found the most recent Maps screenshot: \private\var\mobile\Containers\Data\Application\54AE87B6-6DC9-4D6E-8661-XXXXXXXXXXXX\Library\SplashBoard\Snapshots\sceneID_com.apple.Maps-9447852A-C40C-4299-9728-XXXXXXXXXXXX\F9A36239-1CFE-41CB-93FB-XXXXXXXXXXXX@3x.ktx
Did you run iLEAPP by pointing it to a zip/tar container or an extraction sitting in the file system? If from a zip file I fixed it last month to show the proper date as recorded by the zip in the pertinent file metadata section. Will update the binary so the change will be reflected there.
Avatar
Avatar
drauglin
All chats. It only parsed the call log.
Ok this is odd shoot me a dm we can chat more about it
Avatar
Andrew Rathbun 2/10/2022 8:34 PM
https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Android Posting for the benefit of you mobile forensics folks. Check out the text files in this link to see all the SQLite databases in each of the images @CLB_joshhickman1 put together. Might be something new to dig into!
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access t...
👍 3
Avatar
Hi all, happy Friday, Dunno if this ought to be on the mobile-forensic-extraction channel or here... but here goes! I have a physical dump (through chip-off) of a Nokia N95 and from a Samsung Wave 3. I am having issues with decoding it on UFED PA and also on XRY. Both are carving media but I am getting no artifacts (like call records or contacts). Is there any other software you would recommend to decode Symbian and Bada OS? I would appreciate any tips!
Avatar
@spadart Happy Friday indeed! It does not seem like we have any Physical decoding support for the Bada OS but we do have a couple of Physical profiles for some Symbian devices. What profile did you use to import and can you DM me the log from the Nokia import? EDIT: Scrap that, we can only decode files on the MSAB side for the Symbian as well. Sorry about that! (edited)
Avatar
Avatar
Erumaro
@spadart Happy Friday indeed! It does not seem like we have any Physical decoding support for the Bada OS but we do have a couple of Physical profiles for some Symbian devices. What profile did you use to import and can you DM me the log from the Nokia import? EDIT: Scrap that, we can only decode files on the MSAB side for the Symbian as well. Sorry about that! (edited)
No worries thanks for the reply though!
Avatar
Avatar
Brigs
Did you run iLEAPP by pointing it to a zip/tar container or an extraction sitting in the file system? If from a zip file I fixed it last month to show the proper date as recorded by the zip in the pertinent file metadata section. Will update the binary so the change will be reflected there.
I pointed it at the GK FFS zip in the GUI version I downloaded last week. It loaded pretty quickly so I can test it when the new version is compiled if you want.
Avatar
Avatar
Derek F
I pointed it at the GK FFS zip in the GUI version I downloaded last week. It loaded pretty quickly so I can test it when the new version is compiled if you want.
Made available last night. Give it a shot. 👍
👍 1
Avatar
Hey! Has anyone managed to find in the Signal database if there is any "Linked Device" linked to the Signal account? @Cellebrite @Magnet Forensics @MSAB
Avatar
Has anyone done any work in understanding AZSpotlightStorageModel.sqlite? Have a location on a phone, but it's dated after it was seized and before it was extracted. The location comes from the wal so presuming something to do with commitment date, but not really sure about the reliability of the database.
Avatar
Avatar
sunile
Hey! Has anyone managed to find in the Signal database if there is any "Linked Device" linked to the Signal account? @Cellebrite @Magnet Forensics @MSAB
Hey @sunile We're not aware of anything definitive off hand. There is a model_OWSDevice table with a UID. Signal is open source, so examining the platform specific source code may potentially yield that info. Here's a few things for you to look over: https://github.com/signalapp/Signal-iOS
A private messenger for iOS.
Avatar
Avatar
sunile
Hey! Has anyone managed to find in the Signal database if there is any "Linked Device" linked to the Signal account? @Cellebrite @Magnet Forensics @MSAB
Interesting. I’ll take a look at this.
🙂 1
6:22 AM
Should have scrolled to the newest messages before answering 🙂
Avatar
Does anyone know what axiom uses for a default password for the extracted backup .ab file
Avatar
Ryan Merrow 2/11/2022 11:10 AM
Good afternoon all, I am looking through an iPhone 13 extraction using Cellebrite PA. In the iPhoneNetworkDataUsage, I found two log entries for apple weather. I am interested in seeing if the weather app recorded the device location for these two entries. Where might I look in to find the locations, if the device recorded it. Thanks in advance.
Avatar
As per the excellent cellebrite video blog, if you do get a weather location it will likely be quite vague.
Avatar
Deleted User 2/13/2022 11:34 PM
Hello, is someone from @Cellebrite available for a quick question about reading Snapchat information in PA?
📫 1
Avatar
Hey! Is anyone from @Cellebrite able to answer a dumb question regarding python?
Avatar
@Cellebrite I did a Huawei vendor backup extraction. opening it with PA I get several errors "Tar file is corrupted". checking in the file system section I see all these unreadable characters. what should I do ?
1:32 AM
Avatar
Avatar
Tim F
Hey @sunile We're not aware of anything definitive off hand. There is a model_OWSDevice table with a UID. Signal is open source, so examining the platform specific source code may potentially yield that info. Here's a few things for you to look over: https://github.com/signalapp/Signal-iOS
Thanks! Perfect start to start working on!
Avatar
torskepostei 2/14/2022 8:15 AM
Is there anything on Android remotely resembling the iOS photos.sqlite database?
Avatar
Avatar
manuelevlr
@Cellebrite I did a Huawei vendor backup extraction. opening it with PA I get several errors "Tar file is corrupted". checking in the file system section I see all these unreadable characters. what should I do ?
We would have to take a look at the logs to see what's up with it.
Avatar
Avatar
Brigs
Made available last night. Give it a shot. 👍
It worked perfect, the modified date issue was corrected to the correct time. Thanks!
👍 1
Avatar
Avatar
torskepostei
Is there anything on Android remotely resembling the iOS photos.sqlite database?
I would have a look at the FOR585 SANS poster and check out the Android Cheatsheet section. They mention a couple of databases related to multimedia artifacts. Hopefully that will be useful for you
👍 1
Avatar
Avatar
torskepostei
Is there anything on Android remotely resembling the iOS photos.sqlite database?
External.db and cmh.db
👍 1
Avatar
Hi! I have an iPhone 5 that may have been factory reset. However I have not found a .obliterated file. According to purplebuddy the iPhone 5 was configured in 2019, which seems odd. Any ideas?
Avatar
Avatar
Avatar
florus
External.db and cmh.db
CLB_iwhiffin 2/15/2022 5:16 AM
Also "media.db" but it maybe depends on Android version.
👍 1
Avatar
Avatar
callzor
Hi! I have an iPhone 5 that may have been factory reset. However I have not found a .obliterated file. According to purplebuddy the iPhone 5 was configured in 2019, which seems odd. Any ideas?
CLB_iwhiffin 2/15/2022 5:17 AM
Have you checked the other suggestions from the paper by Heather and me? https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/
Avatar
Avatar
CLB_iwhiffin
Have you checked the other suggestions from the paper by Heather and me? https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/
I have checked the containermanager log. The result: "Did not find last build info; we must be upgrading from pre-9.3.1 or this is an erase install." However I have not managed to find out what the containermanager log contains on a brand new phone after the configuration. I don't have access to a brand new phone to check either.
Avatar
Avatar
callzor
I have checked the containermanager log. The result: "Did not find last build info; we must be upgrading from pre-9.3.1 or this is an erase install." However I have not managed to find out what the containermanager log contains on a brand new phone after the configuration. I don't have access to a brand new phone to check either.
CLB_iwhiffin 2/15/2022 7:11 AM
This message is one of the first things written when the device boots, regardless of whether it's new from the factory or factory reset. If the device is wiped, this file is wiped too and you start fresh again when it next boots. So the record you have found is likely the erase/install or factory fresh. Of course, being an iPhone 5 it came with iOS 6, so the message about being an upgrade from pre-9.3 could be true.
Avatar
Avatar
callzor
Hi! I have an iPhone 5 that may have been factory reset. However I have not found a .obliterated file. According to purplebuddy the iPhone 5 was configured in 2019, which seems odd. Any ideas?
What type of extraction do you have?
Avatar
Avatar
Jshoe
What type of extraction do you have?
I have a FFS
Avatar
Avatar
MetaStig
Hey! Is anyone from @Cellebrite able to answer a dumb question regarding python?
CLB-drorimon 2/16/2022 4:32 AM
No dump questions, only dump answers. Please mail papython@cellebrite.com.
🤣 3
Avatar
Avatar
Nick
Just for info, I'm not sure if anyone else has come across this but with PA 7.52.0.36 it's not showing all of the Safari internet history. Looking at the databases, information in the "BrowserState.db" and "Favicons.db" is not displayed. When running the checkm8 file from an iPhone 6 in Axiom after, it's a difference of over 150 website hits, and an additional 4.5k potential browser activity. We have noticed this with other iPhones too. @Cellebrite
I'm having huge problems decoding Safari on an iOS FFS in PA 7.5x. It's not possible at all. Axiom (and XRY) did the thing though.
📫 1
Avatar
chrisforensic 2/17/2022 12:52 AM
https://cheeky4n6monkey.blogspot.com/2022/01/mike-monkey-dumpster-dive-into-samsung.html Very nice article from "Cheeky4n6Monkey" about the Samsung Gallery3d app trash... Analysing the Samsung Gallery3d app, decoding the databases, getting the original names, paths, deletion time... real cool! Would be a nice feature to get Gallery3d trash files analyzed this way in PA 😉 @Cellebrite (edited)
👍 5
Avatar
Hi all, I have a full file system extraction from a Xiaomi Mi A3 running Android 9. Been trying to decrypt the database file from Signal. Even though it's version 4.64.6, I had no luck using UFED, XRY, Axiom or Oxygen. I have used the walkthrough described on this page (though I don't know what version the author is talking about): https://rado0z.github.io/Decrypt_Android_Database I am running into a wall as the key I get from USRPKEY_SignalSecret is not accepted, and as such I cannot obtain the decrypted key. Would anyone have any pointers or resources I could look into? Thanks in advance!
Avatar
@spadart I was told that this walkthrough is likely based on devices without hardware-backed encryption. The Mi A3, as most devices are, is hardware-backed, so that key in the keystore is encrypted.
5:37 AM
Oxygen just released an update with new method for qualcomm (filesystem) that may also decrypt Signal key from keystore and use it to decode the data. (edited)
🙌 1
Avatar
Avatar
Arcain
Oxygen just released an update with new method for qualcomm (filesystem) that may also decrypt Signal key from keystore and use it to decode the data. (edited)
I didn't realise Oxygen had a new update, I will give it a go! Thanks for that!
Avatar
Let us know if it worked for you 🙂
Avatar
Avatar
spadart
Hi all, I have a full file system extraction from a Xiaomi Mi A3 running Android 9. Been trying to decrypt the database file from Signal. Even though it's version 4.64.6, I had no luck using UFED, XRY, Axiom or Oxygen. I have used the walkthrough described on this page (though I don't know what version the author is talking about): https://rado0z.github.io/Decrypt_Android_Database I am running into a wall as the key I get from USRPKEY_SignalSecret is not accepted, and as such I cannot obtain the decrypted key. Would anyone have any pointers or resources I could look into? Thanks in advance!
8:19 AM
I contacted the blog owner, he said that he used a VM which obviously didn't have hardware-backed encryption. Like Arcain said 🙂 (edited)
🙌 1
Avatar
Deleted User 2/17/2022 9:24 AM
Hi all, I have a Samsung A3 (A320FL) running Android 8.0, and I have a physical extraction. I have found cached images relevant to the investigation, but they are dated after a very relevant date. I have been asked if it is possible that the date was changed forward at the time the activity happened and then back before the phone was examined. I thought of examining cookies to look for disparities between server timestamps and local timestamps. Any pointers will be gratefully accepted!
Avatar
Did you check the timeline to see if something is happening around that timestamp? I prefer the AXIOM timeline more, since i feel like it displays a bit more activity than the one in PA. Make sure to verify the timezone by the way
Avatar
I'm reviewing the message table in an iOS sms.db. If the rowid numbers are not consecutive, is it fair to say that it suggests there were additional messages that are no longer available on the device?
Avatar
Avatar
B
Did you check the timeline to see if something is happening around that timestamp? I prefer the AXIOM timeline more, since i feel like it displays a bit more activity than the one in PA. Make sure to verify the timezone by the way
Deleted User 2/17/2022 1:02 PM
the timeline (PA) shows a number of Google maps cookies immediately before the street view images are cached to the device. Nothing in the cookies seems to be decipherable. I'll try and process the data in axiom - thanks.
Avatar
Cyb3rCowboy 2/17/2022 2:29 PM
A fellow Detective went to training recently and asked me about using Advertising ID from an Apple iPhone to get location based information on a suspect. Has anyone ever done that and would you mind helping me out with that process?
Avatar
Avatar
Cyb3rCowboy
A fellow Detective went to training recently and asked me about using Advertising ID from an Apple iPhone to get location based information on a suspect. Has anyone ever done that and would you mind helping me out with that process?
Sent you a DM
Avatar
Avatar
Joe Schmoe
I'm reviewing the message table in an iOS sms.db. If the rowid numbers are not consecutive, is it fair to say that it suggests there were additional messages that are no longer available on the device?
Ian Whiffin (doubleblak) has a nice blog on this!
Avatar
Anyone else found videos from Snapchat that end with <name>_0-128? These have a separate data file with the same <name>. Combine the two files and you are money.
Avatar
I'm trying to create a hashset from a FFS in PA and compare it to another extraction. But i'm unsuccessful in creating a hashset. Any ideas? (edited)
Avatar
Avatar
florus
Ian Whiffin (doubleblak) has a nice blog on this!
Thank you. It was exactly what I was looking for.
Avatar
Hello, I have a list of names of image files. I want to select or tag files whose names match in PA. I tried to access image files using Python with "ds.Models", but ModelsStore does not include image files. How can I access analyzed image files using Python?
Avatar
Anyone having any idea of how you could see if an app really is currently installed or not? I have an iPhone FFS in PA which says that Snapchat is installed, but when I look in the phone manually, it is not. It has been installed previously so I guess that is why PA thinks it's installed.
Avatar
Anyone from @Cellebrite awake? I wanted to make a custom hashlist to redact images. So (as a test) i grabbed a test dump, copied some of the MD5 values from some images, pasted into a text file. Imported that via Tools -> Watch list -> Hash set manager, and re-opened the test dump. Result? No images were matched / redacted. Is this broken? Or am i missing something?
Avatar
can anyone confirm for me whether or not the timestamp parsing issue in @Cellebrite PA 7.51 was for one specific application or was it potentially an issue for all communication data extracted?
cygnusx started a thread. 2/21/2022 1:46 AM
Avatar
Just for info @Cellebrite, tried to decode a WA downgrade with 7.53, it didn't work right. I was missing the media files in my chats.
📬 1
2:56 AM
Tried with 7.51 and it worked
Avatar
Avatar
Lewis
can anyone confirm for me whether or not the timestamp parsing issue in @Cellebrite PA 7.51 was for one specific application or was it potentially an issue for all communication data extracted?
CLB-drorimon 2/21/2022 3:28 AM
The issue is relevant to PA versions 7.51 and earlier, and not limited to a specific application. It affects only artefacts from 2022.
👍 3
Avatar
Avatar
jjh2320
Sorry for pulling up an older message. In case anyone else encounters the application 'com.lkd.calculator', here is a solution: https://theincidentalchewtoy.wordpress.com/2022/02/05/decrypting-locked-secret-calculator-vault/
Mobile_Digger 2/21/2022 10:51 AM
Thank you for this
Avatar
They may have just deleted the app on the phone, but not uninstalled it… could be why you're not seeing it on the handset, but you got files with the extraction. Since you have FFS w/ knowledgeC, check the Application Usage Log - see if you can find artifacts related to Snapchat being installed or uninstalled… I would also check User Accounts for their account, and also passwords to see if anything related to Snapchat is still present in the keychain. An additional thing to possibly look at via the handset would be to see if in the App Store you see the cloud w/ down arrow icon when you search Snapchat…
Avatar
ScottKjr3347 2/21/2022 10:18 PM
iOS_15_Photos.sqlite_Queries (GitHub repository by ScottKjr3347)
💯 6
👍 4
apple1 2
Avatar
@ScottKjr3347 🥰
🙌 1
Avatar
Avatar
sholmes
I have websites of interested listed in a file named "ds.docs" which is located in com.google.android.gms\files\AppDataSearch\main\cur. I have tried Google searches, but can't find what this file is. Anyone have any insight?
Hello! Wondering if you ever got any useful insights on this file? I've got some keyword hits of interest in this file on an old extraction coming up for trial soon and am looking to get some context on what exactly this file's role is and how it's populated...
Avatar
@clbell2 I never got anything which was definitive. I passed it on to @Cellebrite and @Magnet Forensics to see if they could ever make sense of what it was. It appears to be a tracking file which details activities from the phone, but I haven't had time to start with a fresh phone and actually do any testing to verify my hunch. (edited)
Avatar
Avatar
sholmes
@clbell2 I never got anything which was definitive. I passed it on to @Cellebrite and @Magnet Forensics to see if they could ever make sense of what it was. It appears to be a tracking file which details activities from the phone, but I haven't had time to start with a fresh phone and actually do any testing to verify my hunch. (edited)
Yeah, it definitely looks like some sort of user-generated terms/phrases appear throughout this file, and the file path and frequent appearance of "query" throughout the file make it seem like it could be caching search terms entered by the user, but I don't think I can test this theory, especially given the age of the device (it's a 2016 case). Neither PA or AXIOM parsed anything from this file, so I guess @Cellebrite and @Magnet Forensics haven't solved the puzzle yet either...Anyway, thanks for the quick response! Appreciate it!
Avatar
Mine actually had the user's email address, call logs, and contacts inside the file.
8:28 AM
I don't think anybody is parsing this file. That might mean they haven't really figured out its evidentiary value, if it is just caching things, but no timestamp, etc.
Avatar
I'm seeing 'content://sms/###' appearing numerous times in mine, and the subsequent content after those apparent record headers or whatever they are includes "date" and "receivedTime" but so far I'm not having much luck using the PA date search to yield reliable timestamps I can correlate to anything else...
Avatar
Did you get time/date stamps for internet history. I didn't think I found anything concrete on those. And the history wasn't on the phone, so I couldn't validate one to the other.
9:25 AM
Which is how I ended up finding the file, I searched for specific words I knew he used to find his images, and found the words in this file.
Avatar
There was web history data recovered from the phone but the content doesn't really correlate with the content of the ds.docs file
👍 1
Avatar
Hi, I am looking for feedback on an evidence exporter script for XRY. It extracts full filesystem from .xry container into a ZIP archive that can be parsed/decoded by other tools. It seems solid from my testing, but I am looking to use it on a case and would appreciate if anyone had any feedback. https://github.com/jankais3r/XRY-Evidence-Extractor Feel free to hit me up in DMs or in the forum thread linked in the repo.
Script for extracting logical file system from .XRY container (GitHub: jankais3r/XRY-Evidence-Extractor)
👍 6
Avatar
Avatar
Frizan
Just for info @Cellebrite, tried to decode a WA downgrade with 7.53, it didn't work right. I was missing the media files in my chats.
Mobile_Digger 2/22/2022 8:11 PM
having same issue in Oxygen
Avatar
forensics4fun 2/22/2022 10:48 PM
Hi all, what are some observations that you can draw here? From the path of this file can one say with certainty that an SD card was at some point used with this device? The device does not have an SD now. In addition, what does the cache say? Can I assume that the photo was at least part of the user photos at one point, meaning that was either taken with the user’s phone or that it was saved to the gallery somehow, and since the original is not there, only a cached/thumbnail version is there now? Does this make any sense? Any suggestions would be greatly appreciated. Thank you
Avatar
Avatar
forensics4fun
Hi all, what are some observations that you can draw here? From the path of this file can one say with certainty that an SD card was at some point used with this device? The device does not have an SD now. In addition, what does the cache say? Can I assume that the photo was at least part of the user photos at one point, meaning that was either taken with the user’s phone or that it was saved to the gallery somehow, and since the original is not there, only a cached/thumbnail version is there now? Does this make any sense? Any suggestions would be greatly appreciated. Thank you
Your extraction points to an actual file that resides in the path "sdcard". In that case, if no SD card was inserted during the extraction, I would say that it refers to your internal storage. At some point, a picture has been available to the Gallery app, and then the app has created a cached copy of that specific picture.
this 2
Avatar
Karl (karsil) 2/23/2022 12:16 AM
@Cellebrite: the location confidence found in PA what metric is used? Metres, percentage?
Avatar
Avatar
forensics4fun
Hi all, what are some observations that you can draw here? From the path of this file can one say with certainty that an SD card was at some point used with this device? The device does not have an SD now. In addition, what does the cache say? Can I assume that the photo was at least part of the user photos at one point, meaning that was either taken with the user’s phone or that it was saved to the gallery somehow, and since the original is not there, only a cached/thumbnail version is there now? Does this make any sense? Any suggestions would be greatly appreciated. Thank you
Have you looked in any of the media databases to find more info about the file?
Avatar
Does anyone have further suggestions than this article for indications of a wiped phone on an Android 10 device? https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/amp/ The phone is a Samsung.
Avatar
Anyone have insight on why PA doesn’t fully parse a FFS extraction acquired via Qualcomm Live? The databases are all there, just not pulled out and categorized like normal.
Avatar
Avatar
Jshoe
Anyone have insight on why PA doesn’t fully parse a FFS extraction acquired via Qualcomm Live? The databases are all there, just not pulled out and categorized like normal.
Have seen the same problem at some point, solved it by "Open (Advanced)" and pointing out the model, chain and ZIP file manually. But I do not know why it does not work automatically 🙂
Avatar
Daedalus_13 2/23/2022 7:04 AM
Hello, does anyone know if it worth trying to decrypt .asec files? If there is, is there a method to do this?
Avatar
@Cellebrite I have a problem in decoding the data of a Nokia 105 cell phone (RM-908). The file system extraction was done correctly, but once parsed with PA, in the "Calls" section I see that some timestamps are completely wrong (some indicate the year 2180). I went to see the raw data (hexadecimal) and, using DCODE to convert the hexadecimal, I saw that setting HEX (little-endian) as origin I had a more appropriate result (year 2022), while setting big-endian I had the same wrong result that PA gives me.
📥 1
Avatar
Avatar
sunile
Have seen the same problem at some point, solved it by "Open (Advanced)" and pointing out the model, chain and ZIP file manually. But I do not know why it does not work automatically 🙂
That worked, thank you for the info!
Avatar
Avatar
maddie
Does anyone have further suggestions than this article for indications of a wiped phone on an Android 10 device? https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/amp/ The phone is a Samsung.
The wipe data for Samsung devices will be parsed in PA 7.54 (the version will be available in 2 weeks). Let me know if that's something urgent and we could send you a test version.
Avatar
Avatar
clbell2
Hello! Wondering if you ever got any useful insights on this file? I've got some keyword hits of interest in this file on an old extraction coming up for trial soon and am looking to get some context on what exactly this file's role is and how it's populated...
JLindmar (83AR) 2/23/2022 1:23 PM
A quick look into "com.android.google.gms" (aka "Google Play [Services]) app data and apk, it looks like "ds.docs" (presuming ds = "data search") is part of the "App[Data]Search" and "Icing Search Library" (https://developer.android.com/guide/topics/search/appsearch#appsearch-concepts; https://android.googlesource.com/platform/external/icing/) indexing functions. "In AppSearch, a unit of data is represented as a document." (https://developer.android.com/guide/topics/search/appsearch#documents) The file works with other "ds." files present in the /data/data/com.google.android.gms/files/AppDataSearch/main/cur/ path. Utilizing @CLB_joshhickman1's Android 11 public image (http://www.mediafire.com/file/q4mjmzr8tx0vinx/Android_11_Image_with_Documentation.zip/file), some of the information in ds.docs was found in other parsed data (e.g. web history), indicating that it captures user activity occurring on or before the ds.docs file system modified timestamp. As far as "decoding" the non-plain text content (e.g timestamps) in ds.docs, I'm not (yet) sure how to proceed there without better understanding the indexing process.
👍 1
Does anyone have any experience with this app? It's on a Samsung phone. By experience I mean has anyone tried to pull the hash out and crack the code to access the application?
Sørensen
Does anyone have any experience with this app? It's on a Samsung phone. By experience I mean has anyone tried to pull the hash out and crack the code to access the application?
Morning, do the following to get the code: open the database /data/data/com.isbell.ben.safenotes/safenotesv3.db. Within the table 'Settings' copy the DeviceID. Go to the following url and paste your value in: https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'Hex','string':'859140914ec6e8ffbab4cd343b6bf5ef'%7D,%7B'option':'Hex','string':''%7D,'ECB','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D) You should then get an output of the pin, security question and answer separated by '|'. To explain, the value is encrypted using AES (ECB) with a standard key '859140914ec6e8ffbab4cd343b6bf5ef'. The same can be said for any of the other values in the database including the notes within the 'Notes' table. Let me know if you need anything else 🙂
👍 7
jjh2320
Morning, do the following to get the code: open the database /data/data/com.isbell.ben.safenotes/safenotesv3.db. Within the table 'Settings' copy the DeviceID. Go to the following url and paste your value in: https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'Hex','string':'859140914ec6e8ffbab4cd343b6bf5ef'%7D,%7B'option':'Hex','string':''%7D,'ECB','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D) You should then get an output of the pin, security question and answer separated by '|'. To explain, the value is encrypted using AES (ECB) with a standard key '859140914ec6e8ffbab4cd343b6bf5ef'. The same can be said for any of the other values in the database including the notes within the 'Notes' table. Let me know if you need anything else 🙂
Mobile_Digger 2/24/2022 1:35 AM
Thank you it's really helpful can you please help me with this application
Mobile_Digger
Thank you it's really helpful can you please help me with this application
This is the post detailing how it works etc. I am yet to post the script but should at least give you access to the application. https://theincidentalchewtoy.wordpress.com/2021/11/17/domobile-applock/ Let me know if you have any issues with it 🙂
jjh2320
This is the post detailing how it works etc. I am yet to post the script but should at least give you access to the application. https://theincidentalchewtoy.wordpress.com/2021/11/17/domobile-applock/ Let me know if you have any issues with it 🙂
Mobile_Digger 2/24/2022 1:52 AM
Thank you for sharing, but I don't have a physical extraction of this device, and when I search through all the files I can't find these files.
Knew I could count on you to dig something up, Jesse! Appreciate it!
idokal
the Wipe data for Samsung devices will be parsed in PA 7.54 (version will be available in 2 weeks), let me know if that's something urgent and we could send you a test version.
JLindmar (83AR) 2/24/2022 8:13 AM
What about adding it for iOS too? Also, what about adding in "Phone Activation Time" for iOS - and perhaps renaming the field to "Phone/User Setup Time", as the available artifacts also represent when a device user and/or user account (e.g. email) was added to a device, not necessarily when the device (sans user account) was set up. (edited)
SPVQ CT-3259 2/24/2022 8:42 AM
@Cellebrite Is there a way to enter the blackberry encryption password in physical analyzer?
SPVQ CT-3259
@Cellebrite Is there a way to enter the blackberry encryption password in physical analyzer?
CLB-dan.techcrime 2/24/2022 8:49 AM
From a backup? If so, you will need the BlackBerry ID and password set up by the owner
CLB-dan.techcrime
From a backup? If so, you will need the BlackBerry ID and password set up by the owner
SPVQ CT-3259 2/24/2022 8:50 AM
I have a bin file from a chip off, and in Physical Analyzer, in the extraction summary, there was an encryption password hash. I found the password in a rainbow table; is there something to do with this?
Anyone have any regex for Bitcoin wallet addresses?
SPVQ CT-3259
I have a bin file from a chip off, and in Physical Analyzer, in the extraction summary, there was an encryption password hash. I found the password in a rainbow table; is there something to do with this?
CLB-dan.techcrime 2/24/2022 8:57 AM
Unfortunately, you will have to put the phone back together again, boot it up, then enter the passcode on the device itself. The memory and processor need to communicate to perform the decryption. Nothing can be done offline...
CLB-dan.techcrime
Unfortunately, you will have to put the phone back together again, boot it up, then enter the passcode on the device itself. The memory and processor need to communicate to perform the decryption. Nothing can be done offline...
SPVQ CT-3259 2/24/2022 8:58 AM
thank you very much for the fast answer
CLB-dan.techcrime 2/24/2022 8:58 AM
Content Protection was enabled and would have been indicated with a tiny lock icon on the screen
Axen Cleaver 2/24/2022 11:55 AM
I have an Apple iPhone running iOS 15. The suspect visited a website that cached an image, along with every other individual image on that page. Is there a way to determine whether he actually opened the image on the site? Edit: Full File System extraction with GrayKey and parsed with Cellebrite Physical Analyzer. (edited)
Anyone know what "/event/tombstone" means in the KnowledgeC SQLite database on iOS?
OregonDFIR
Anyone know what "/event/tombstone" means in the KnowledgeC SQLite database on iOS?
They are records of deleted entries in the KnowledgeC database.
Is there any potential info to recover there?
OregonDFIR
Is there any potential info to recover there?
I've never successfully tied a tombstone back to any original entry or even metadata of an entry in the wild. I have observed in testing that if you look at KnowledgeC before and after deleting an application, after deletion certain rows associated with the app will be gone and a series of tombstones will show up in rapid succession. But I've not found any joins that produce any useful artifacts.
Awesome! That is great info thank you!
👍 1
Axen Cleaver
I have an Apple iPhone running iOS 15. The suspect visited a website that cached an image, along with every other individual image on that page. Is there a way to determine whether he actually opened the image on the site? Edit: Full File System extraction with GrayKey and parsed with Cellebrite Physical Analyzer. (edited)
Have you taken a look at the photo sqlite.db view count table
Axen Cleaver 2/24/2022 2:00 PM
I didn't think it would show up there as it's only a cache image. I'll give it a gander
Ah, I missed that part
Axen Cleaver
I didn't think it would show up there as it's only a cache image. I'll give it a gander
ScottKjr3347 2/24/2022 7:34 PM
Cached photos / videos will not be listed in photos.SQLite unless they are saved to the photos application or shared album. Example of cache usage in a case: the user was viewing Instagram and creating screenshots of the data being displayed on the screen. Used app in focus and app data usage to show the app was being used at the time. The device cached photos matching those being captured in the screenshots. The created dates and times for the cache files were within the timeframe of the app being used. In my opinion the best thing you might be able to say is that cached files are saved to the device so the website / application can use those files to quickly load previously displayed, viewed, loaded photos or videos. I am not aware of any artifacts that would indicate 100% that a cached file was viewed / displayed on the device. I believe it's very likely, but if you're looking for data that indicates a specific file was displayed on the device screen, it would be news to me and I would love to hear if someone has found that artifact. (edited)
💯 2
OggE
Anyone else found videos from Snapchat that end with <name>_0-128? These have a separate data file with the same <name>. Combine the two files and you are money
Made a quick script to combine the files, let me know it there are any issues. https://github.com/Ogg3/snapunscatter
🙌 4
😁 1
A lot of structure changes. Can now parse cachecontroller. Added a few more contenttypes and what they mean.
🙌 4
🥰 1
👍 1
ScottKjr3347
Cached photos / videos will not be listed in photos.SQLite unless they are saved to the photos application or shared album. Example of cache usage in a case: the user was viewing Instagram and creating screenshots of the data being displayed on the screen. Used app in focus and app data usage to show the app was being used at the time. The device cached photos matching those being captured in the screenshots. The created dates and times for the cache files were within the timeframe of the app being used. In my opinion the best thing you might be able to say is that cached files are saved to the device so the website / application can use those files to quickly load previously displayed, viewed, loaded photos or videos. I am not aware of any artifacts that would indicate 100% that a cached file was viewed / displayed on the device. I believe it's very likely, but if you're looking for data that indicates a specific file was displayed on the device screen, it would be news to me and I would love to hear if someone has found that artifact. (edited)
Axen Cleaver 2/25/2022 5:19 AM
Thank you!
Hi All. I had a quick question regarding Google geolocational JSON exports. Once completed and pulled into Cellebrite PA, with the report timezone settings correct for my country, will the core JSON viewer still be presenting timestamps internally as GMT? Thx in advance.
Jshoe
Anyone have insight on why PA doesn’t fully parse a FFS extraction acquired via Qualcomm Live? The databases are all there, just not pulled out and categorized like normal.
Have you tried 'Open case' -> 'open advanced' select the device/model and then select the .zip?
Hello, I'm looking for a way to retrieve a Facebook ID token from a phone's database or other. Indeed, from a phone turned on (without lock code) and which has an active Facebook session, I proceeded to a Full File System extraction with CELLEBRITE UFED 7.53.0.29 on a Blackview A80 phone. However, Physical Analyser does not decode the Facebook cloud ID token from this extraction. So, I wonder if there is another way to find it? Do you have any documentation about this please? Thanks
Mistercatapulte 2/28/2022 2:48 AM
@Ryo /data/data/com.facebook.orca/app_light_prefs/com.facebook.orca/logged_in_XXXXXX
🥰 1
2:48 AM
your token is supposed to be there
snoop168
Anyone familiar with the biome/streams/public/appintent/local path on iOS devices?
Did you get any response on this? I'm currently investigating some Snapchat-evidence and see some possible relevant files in the /biome/streams/public folder.
mr.rookay
Did you get any response on this? I'm currently investigating some Snapchat-evidence and see some possible relevant files in the /biome/streams/public folder.
I wrote a parser. Dm me your email. Anyone else interested feel free to do the same. So far I’ve found that you’re not going to find message content but dates/times and who it was from/to should be there but still needs to be validated.
thank you @Mistercatapulte except that I realize that the application used is Facebook Lite and that it has the following structure
Mistercatapulte 2/28/2022 5:38 AM
@Ryo /data/com.facebook.mlite/databases/cross_account.db maybe here
5:39 AM
In the "accounts" row I've found the token in my case
the problem is that in my tree structure I don't have a "database" folder. I have just uploaded on discord a view of my tree, do you see it ?
Mistercatapulte 2/28/2022 5:47 AM
@Ryo in my example, it's for "messenger" lite
I can't find the path in question in my file system structure. Maybe it has not been decoded yet
Mistercatapulte 2/28/2022 5:50 AM
look directly in the databases section
5:51 AM
don't have facebook lite installed in my dumps sorry
Ok I will look at all this carefully. Thanks for your help
👍 1
forensics4fun 2/28/2022 6:10 AM
Hi, does anyone know what the data_type 187 and 188 stand for in the samples table in healthdb_secure.sqlite? Thank you.
Mistercatapulte 2/28/2022 6:13 AM
@Ryo give a look here, if you have it in your file structure: /data/com.facebook.lite/shared_prefs/com.facebook.lite.xml
unfortunately I don't have it in the current structure. I will try another extraction method and I will come back to you 🙂 thanks again for the time spent helping me
forensics4fun
Hi, does anyone know what the data_type 187 and 188 stand for in the samples table in healthdb_secure.sqlite? Thank you.
ScottKjr3347 2/28/2022 7:47 AM
Check this out from @CLB_iwhiffin https://www.doubleblak.com/m/blogPosts.php?id=21
forensics4fun 2/28/2022 8:47 AM
Nice!! Thank you So much
Ryo
unfortunately I don't have it in the current structure. I will try another extraction method and I will come back to you 🙂 thanks again for the time spent helping me
Mistercatapulte 2/28/2022 9:47 AM
yw
Has anyone been able to pull any Message data from an iOS App called "Confide" - Ephemeral messaging APP ?
burgers_N_bytes 2/28/2022 8:39 PM
@Cellebrite I conducted a physical acquisition of a SM-T387AA. Acquisition seemed to go without issues, but when I attempt to open the .ufd in PA I get a dialogue that "dump file could not be located". The dump file is 29GB from a 32GB device but doesn't appear to have any data in the file when I look at it in a hex viewer. Any thoughts?
FabianoQ
Question for Cellebrite guys here. I have a physical acquisition of a Huawei phone. While analyzing it P.A. encounters Surespot and asks for the password to decrypt its message db. I used the "generate dictionary file" from P.A. and started the analysis again; this time when P.A. asked for the password I directed it to the dictionaries generated in the previous step. The attack was successful and Surespot chats are now visible in P.A., so here are my questions: 1. Where do I see which was the password? 2. Many of the messages are links like "https://cac99f5de92a9852ff22-f6bb12f58e02e75c90576a60b40444ac.ssl.cf1.rackcdn.com:443/7bcf398352e7fd7421255698c02637e3" that I assume (from the context) can be voice notes. If I paste the link into a browser it downloads a file (30k, 40k, ..) but they seem encrypted; can I do something to decrypt? Thanks.
@Cellebrite Question for Cellebrite guys: 1. Where do i see which was the password?
Ah.. The right password is located under passwords... 😅 easy.
Mobile_Digger 3/1/2022 12:48 AM
Does anyone know a way to tell which number a WhatsApp database belongs to? Almost every investigator finds some WhatsApp database on a mobile; the user might have uninstalled WhatsApp but the database is left. Is there any way to know which number the database belongs to, to decode the data? Thank you
Anyone from @Oxygen Forensics free for a DM?
Aero
Anyone from @Oxygen Forensics free for a DM?
Oxygen Forensics 3/1/2022 3:22 AM
Hello, Dm'd 🙂
👍 1
burgers_N_bytes
@Cellebrite I conducted a physical acquisition of a SM-T387AA. Acquisition seemed to go without issues, but when I attempt to open the .ufd in PA I get a dialogue that "dump file could not be located". The dump file is 29GB from a 32GB device but doesn't appear to have any data in the file when I look at it in a hex viewer. Any thoughts?
There is a bug in UFED and it doesn't write the correct path to the keys extracted for secure apps (like Signal). It occurs only in physical extractions (not FFS) and causes Signal chats not to be decrypted. Try to add this code into the UFD file:
😮 1
Am I not looking correctly or is the python menu gone in Physical Analyzer 8?
I have an iPhone FFS extraction where hundreds of screenshots are stored in /data/application/<GUID>/tmp. The GUID points to com.apple.ScreenshotServicesService. The filenames are properly named, "Screen shot <date> <time>.PNG". These files are not found anywhere else, in the gallery or photos.sqlite DB for example. Does anyone know how iOS stores screenshots? In this case it seems like the "original" screenshots are deleted or not saved by the user but still reside in some temp folder from the screenshot system-app
Hi all, does anyone know if there are any artefacts on Android 7 and 11 that detail all the backup events?
evforensics 3/2/2022 2:35 PM
Does anyone have any good reference material or research explaining all the different subfolders under PhotoData and DCIM (i.e. CPL/Storage, Mutations/DCIM, Metadata/DCIM, V2/DCIM, etc) for Apple iOS 15? I am finding a lot of interesting evidence throughout the different folders, and am just curious how and why each file ends up stored where it does. Thanks!
🤔 1
evforensics
Does anyone have any good reference material or research explaining all the different subfolders under PhotoData and DCIM (i.e. CPL/Storage, Mutations/DCIM, Metadata/DCIM, V2/DCIM, etc) for Apple iOS 15? I am finding a lot of interesting evidence throughout the different folders, and am just curious how and why each file ends up stored where it does. Thanks!
ScottKjr3347 3/2/2022 6:18 PM
DM sent and this post just added a few things to my current work in progress.
@Cellebrite and all. We have a case where a suspect has sent offensive messages. His defence is that someone must have used WhatsApp Web to send the messages without his knowledge. The messages can't be found on his device (iPhone extraction) but they can be found on the other party's iPhone extraction. When decoded by Cellebrite there is an icon in the bottom corner showing a mobile icon, indicating that it was actually sent by mobile. I initially thought this information was taken from the ZMESSAGETYPE column in the ZWAMESSAGE table of ChatStorage.sqlite, but Cellebrite seems to indicate it is actually decoded from the ZSTANZAID column. This column appears to contain text consisting of 20 hexadecimal characters. Cellebrite also indicates that this value is a message identifier, and I see examples of it being used as a message identifier when the reply function is being used. Does anyone here know how they decode that the message was sent from mobile from the ZSTANZAID value? Does anyone know what it would look like if sent from WhatsApp Web instead? I can't appear to find any examples.
@Cellebrite Is the serialised data decoder broken in PA 7.53? Trying to examine ZRECEIPTINFO in ZWAMESSAGEINFO table and I'm only being offered a hex view.
King Pepsi 3/3/2022 2:37 AM
Has anyone dealt with factory resets in Android 12?
2:38 AM
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
AmNe5iA
@Cellebrite and all. We have a case where a suspect has sent offensive messages. His defence is that someone must have used WhatsApp Web to send the messages without his knowledge. The messages can't be found on his device (iPhone extraction) but they can be found on the other party's iPhone extraction. When decoded by Cellebrite there is an icon in the bottom corner showing a mobile icon, indicating that it was actually sent by mobile. I initially thought this information was taken from the ZMESSAGETYPE column in the ZWAMESSAGE table of ChatStorage.sqlite, but Cellebrite seems to indicate it is actually decoded from the ZSTANZAID column. This column appears to contain text consisting of 20 hexadecimal characters. Cellebrite also indicates that this value is a message identifier, and I see examples of it being used as a message identifier when the reply function is being used. Does anyone here know how they decode that the message was sent from mobile from the ZSTANZAID value? Does anyone know what it would look like if sent from WhatsApp Web instead? I can't appear to find any examples.
On android the same info seems to be encoded in the same type of data in the 'key_id' column
The upcoming PA 7.54 (Pre-Release will be available on Tuesday) version will parse the Samsung factory reset data
👍 4
King Pepsi 3/3/2022 3:19 AM
Ahh wonderful, I’ll make sure we update as soon as we can then, thanks!
I'm trying to find out if an iPhone logs when the language is changed. Do you have any suggestion where to look?
Hi all, I acquired an iPhone with some privileged (LPP) material on it and the custodian has provided me keywords (emails, phone numbers etc.) that supposedly relate to the privileged material. Is it possible to use these keywords and separate them from the larger dataset in Cellebrite, Oxygen or Magnet? In short, I want to analyse the mobile data without the privileged material in it. Cheers! 😊
ScottKjr3347
DM sent and this post just added a few things to my current work in progress.
evforensics 3/3/2022 5:58 AM
Thanks!
idokal
The upcoming PA 7.54 (Pre-Release will be available on Tuesday) version will parse the Samsung factory reset data
Mobile_Digger 3/3/2022 9:01 AM
@Oxygen Forensics I hope you will also include this in the next update
Mobile_Digger
@Oxygen Forensics I hope you will also include this in the next update
Oxygen Forensics 3/3/2022 9:02 AM
I will check our plans 🙂 If it is not there I will see what can be done and will create a feature request if needed, cheers!
Oxygen Forensics
I will check our plans 🙂 If it is not there I will see what can be done and will create a feature request if needed, cheers!
Mobile_Digger 3/3/2022 9:03 AM
Thank you so much
👍 1
Hi, does anybody know a tool to decrypt WhatsApp crypt14?
@mdogilvie most forensic tools should support it but if you are looking to do it independently then have a look here: https://github.com/ElDavoo/WhatsApp-Crypt14-Crypt15-Decrypter
jjh2320
@mdogilvie most forensic tools should support it but if you are looking to do it independently then have a look here: https://github.com/ElDavoo/WhatsApp-Crypt14-Crypt15-Decrypter
Mobile_Digger 3/4/2022 12:34 AM
Does it need a key file?
jjh2320
Yes
Mobile_Digger 3/4/2022 1:05 AM
Do you have any method by which I can know which number the DB belongs to?
manuelevlr 3/4/2022 4:00 AM
Hello everyone, a question. I performed an FFS acquisition on an iPhone 8. The device is initialized to the factory settings and, checking on Physical Analyzer in the User Account section, there is a "local" user created just on the day in which the owner was stopped. Could that date indicate when the device was initialized?
Good morning! Has anyone ever had a Kazuna KAZ-N20 that they've extracted successfully? If so, what tool did you use? We have one that's vital to one of our cases and so far, CAS told me it was not supported.
manuelevlr
Hello everyone, a question. I performed an FFS acquisition on an iPhone 8. The device is initialized to the factory settings and, checking on Physical Analyzer in the User Account section, there is a "local" user created just on the day in which the owner was stopped. Could that date indicate when the device was initialized?
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
Check purplebuddy.plist and also look for the .obliterated file… the article should help guide you.
👍 1
jjh2320
@mdogilvie most forensic tools should support it but if you are looking to do it independently then have a look here: https://github.com/ElDavoo/WhatsApp-Crypt14-Crypt15-Decrypter
Thanks a lot worked very well
Hi, in a murder case I must analyse the LSC Smart Connect app (an app that controls a camera). I have an FFS and an encrypted db... Does anyone have a method to decrypt it? It's a product of Electro Cirkel Retail BV (Rotterdam). (edited)
Vaulty (com.theronrogers.vaultyfree) decoded and submitted to ALEAPP! https://kibaffo33.data.blog/2022/03/05/decoding-vaulty/
👍 7
Salute 3
💯 2
ScottKjr3347 3/5/2022 11:46 AM
Need some help from #DFIR peeps about how I include some Photos.sqlite testing data in my next blog: On average are you finding iCloud Photos is turned ON = 💯 or OFF 👎 during analysis of iPhone data? (edited)
💯 3
Where I live, most people have unlimited or very large 4G/5G data plans though. Don't know if that has an effect on people's choice to turn it on/off
snoop168
I wrote a parser. Dm me your email. Anyone else interested feel free to do the same. So far I’ve found that you’re not going to find message content but dates/times and who it was from/to should be there but still needs to be validated.
JLindmar (83AR) 3/7/2022 11:20 AM
Would definitely like to know what everyone is finding in "Biome" and their approach for parsing. I'm noting embedded binary plists, that can contain a variety of information (e.g. messaging, web-history, email, etc.), within files found in /private/var/mobile/Library/Biome/streams/public/AppIntent/local and AppLaunch/local.
JLindmar (83AR)
Would definitely like to know what everyone is finding in "Biome" and their approach for parsing. I'm noting embedded binary plists, that can contain a variety of information (e.g. messaging, web-history, email, etc.), within files found in /private/var/mobile/Library/Biome/streams/public/AppIntent/local and AppLaunch/local.
I’m working on getting a blog out about the appintent ones. Seems like a very similar format in most of the files. File names are a timestamp and you should find SEGB at offset 52
👍 2
11:24 AM
Hope to publish it today or tomorrow and if you want to give my parser a try send me a DM.
👍 2
CLB_iwhiffin
The "scrambled" messages are from the WA DB called ChatSearchV5f; this DB is holding message content for indexing, reducing the search time within the WA UI. We parse this DB as another source for potentially deleted messages (which were stored for the index while the original record was deleted). The DB in fact is scrambled and we didn't find any option to know the order of the words within the message (we have put our best WA researcher on researching it 😊). We do check if the message is available through another source (not a scrambled one) and if so we do not parse it from the chatsearch. At the end users get the scrambled message which they cannot get from any other source, so I guess it's pretty valuable compared to getting nothing; we added the "scrambled" indication so the user will know it's not necessarily the exact order of the words within the message and he should understand the context. Hope it covers it.
MikeWhiskey 3/8/2022 12:05 AM
hi there, is anybody from @Cellebrite there and could shed some more light on this? We have big problems in correlating c1contacts or c2chat to anything from the chatStorage.sqlite. Where does the PA get the names and/or chats from, to display them? (edited)
AmNe5iA
@Cellebrite and all. We have a case where a suspect has sent offensive messages. His defence is that someone must have used WhatsApp Web to send the messages without his knowledge. The messages can't be found on his device (iPhone extraction) but they can be found on the other party's iPhone extraction. When decoded by Cellebrite there is an icon in the bottom corner showing a mobile icon, indicating that it was actually sent by mobile. I initially thought this information was taken from the ZMESSAGETYPE column in the ZWAMESSAGE table of ChatStorage.sqlite, but Cellebrite seems to indicate it is actually decoded from the ZSTANZAID column. This column appears to contain text consisting of 20 hexadecimal characters. Cellebrite also indicates that this value is a message identifier, and I see examples of it being used as a message identifier when the reply function is being used. Does anyone here know how they decode that the message was sent from mobile from the ZSTANZAID value? Does anyone know what it would look like if sent from WhatsApp Web instead? I can't appear to find any examples.
Although I'm very interested in the results, this defence does rely on someone having access to a computer with whatsapp web and a device with the suspect account for them to QR code in. It is also not subtle, whatsapp is very overt about devices being connected.
poxglass
Hi all, I acquired an iPhone with some privileged (LPP) material on it and the custodian has provided me keywords (emails, phone numbers etc.) that supposedly relate to the privileged material. Is it possible to use these keywords and separate them from the larger dataset in Cellebrite, Oxygen or Magnet? In short, I want to analyse the mobile data without the privileged material in it. Cheers! 😊
I can only speak from my end that an independent legal rep would have to go through the extract and create a sub-report with what you can have.
Anyone know the best approach to extract Snapchat Memories and My Eyes Only from a checkm8 extraction? I have the password for the My Eyes Only
MikeWhiskey
hi there, is anybody from @Cellebrite there and could shed some more light on this? We have big problems in correlating c1contacts or c2chat to anything from the chatStorage.sqlite. Where does the PA get the names and/or chats from, to display them? (edited)
MikeWhiskey 3/8/2022 4:33 AM
this is pretty urgent. It's a high profile case and court date is next week.
AmNe5iA
@Cellebrite and all. We have a case where a suspect has sent offensive messages. His defence is that someone must have used WhatsApp Web to send the messages without his knowledge. The messages can't be found on his device (iPhone extraction) but they can be found on the other party's iPhone extraction. When decoded by Cellebrite there is an icon in the bottom corner showing a mobile icon, indicating that it was actually sent by mobile. I initially thought this information was taken from the ZMESSAGETYPE column in the ZWAMESSAGE table of ChatStorage.sqlite, but Cellebrite seems to indicate it is actually decoded from the ZSTANZAID column. This column appears to contain text consisting of 20 hexadecimal characters. Cellebrite also indicates that this value is a message identifier, and I see examples of it being used as a message identifier when the reply function is being used. Does anyone here know how they decode that the message was sent from mobile from the ZSTANZAID value? Does anyone know what it would look like if sent from WhatsApp Web instead? I can't appear to find any examples.
@MSAB Are you able to help with this? XAMN shows the message 'client' as either Phone or PC for each WhatsApp message. When one selects either and selects "Examine in source view" it seems to indicate that PC = 0x02005500 and Phone = 0x01005500; it lists the property details as Size = 4 Bytes, Format = XRT, Encoding = None. (What format is XRT?) Despite saying Encoding = None, as I work down the physical layers it seems to have decoded this data from the first 3 ASCII characters (or first 3 bytes) of the 'key_id' column from the messages table for Android or the 'ZSTANZAID' column in the ZWAMESSAGE table for iOS. How is it decoding 0x01005500 or 0x02005500 from those first three characters? The only pattern I can see is that if the 'key_id'/'ZSTANZAID' starts 3EB (0x334542) (and the string is only 20 characters long) then it decodes as PC (0x02005500) and everything else (though primarily starting 3AX (where X is any hexadecimal character) and only 20 characters long, but also strings 32 characters long) decodes as Phone (0x01005500).
4:38 AM
At this stage I'm beginning to believe both PA and XAMN are just using pattern matching: if 'key_id'/'ZSTANZAID' is 20 characters long and starts 3EB then mark as 'PC' (or WhatsApp Web) and everything else is marked as 'Phone'. I haven't been able to find an example marked as 'PC' that doesn't start 3EB but I have found a 32 character example that starts 3EB that is decoded as 'Phone' (0x01005500). (edited)
AmNe5iA
@MSAB Are you able to help with this? XAMN shows the message 'client' as either Phone or PC for each WhatsApp message. When one selects either and selects "Examine in source view" it seems to indicate that PC = 0x02005500 and Phone = 0x01005500; it lists the property details as Size = 4 Bytes, Format = XRT, Encoding = None. (What format is XRT?) Despite saying Encoding = None, as I work down the physical layers it seems to have decoded this data from the first 3 ASCII characters (or first 3 bytes) of the 'key_id' column from the messages table for Android or the 'ZSTANZAID' column in the ZWAMESSAGE table for iOS. How is it decoding 0x01005500 or 0x02005500 from those first three characters? The only pattern I can see is that if the 'key_id'/'ZSTANZAID' starts 3EB (0x334542) (and the string is only 20 characters long) then it decodes as PC (0x02005500) and everything else (though primarily starting 3AX (where X is any hexadecimal character) and only 20 characters long, but also strings 32 characters long) decodes as Phone (0x01005500).
You seem pretty spot on in the above. It is based on our testing, and the ZSTANZAID, where 3EB and the length indicate whether it was sent from PC or Phone. The hex is just a hex representation of the data from the ZSTANZAID. Happy to look into it further for ya in case you have any further questions or doubts! Just shoot me a DM (edited)
I need someone from Cellebrite to DM PLEASE. 4PC is the program of interest
5:57 AM
#cellebrite
Just found out that some VERY relevant Snapchat iOS media files aren't decrypted/parsed in CLB PA 7.53 and Axiom 5.9. These files are stored in the folder \private\var\mobile\Containers\Data\Application\APP_GUID\Documents\com.snap.file_manager_3_SCContent_SNAP_UID\ The files are AES256 encrypted media files. The snap_ID for the filename can be found in cache_controller.db. With the snap_id you're able to find the KEY + IV in the db gallery.encrypted.decrypted (only available in iOS FFS + keychain). This db also contains the LAT/LON. (edited)
@Cellebrite can anyone DM me?
MikeWhiskey
this is pretty urgent. It's a high profile case and court date is next week.
CLB_iwhiffin 3/8/2022 8:28 AM
I’m looking into it and will message you shortly.
Anyone from @Magnet Forensics available for a quick custom artifact question?
mr.rookay
Just found out that some VERY relevant Snapchat iOS media files aren't decrypted/parsed in CLB PA 7.53 and Axiom 5.9. These files are stored in the folder \private\var\mobile\Containers\Data\Application\APP_GUID\Documents\com.snap.file_manager_3_SCContent_SNAP_UID\ The files are AES256 encrypted media files. The snap_ID for the filename can be found in cache_controller.db. With the snap_id you're able to find the KEY + IV in the db gallery.encrypted.decrypted (only available in iOS FFS + keychain). This db also contains the LAT/LON. (edited)
JLindmar (83AR) 3/8/2022 11:53 AM
Were you able to decrypt them?
krisc#21223 3/8/2022 3:34 PM
Discord
JLindmar (83AR)
Were you able to decrypt them?
Yep, just put the file and the KEY+IV in CyberChef.
mr.rookay
Yep, just put the file and the KEY+IV in CyberChef.
JLindmar (83AR) 3/9/2022 6:26 AM
Spectacular! CBC mode?
A small write up would be very much appreciated (edited)
iOS Snapchat parser for chats and cached files. Contribute to DFIR-HBG/ParseSnapchat development by creating an account on GitHub.
CLB_iwhiffin
The "scrambled" message are from WA DB called ChatSearchV5f, this DB is holding messages content for indexing, reducing the search time within WA UI. We parse this DB as another source for potentially deleted messages (which stored for index while original record was deleted). The DB in fact is scrambled and we didn't found any option to know the order of the word within the message (we have put our best WA researcher to research it 😊). We do check if the message is available through other source (not scrambled one) and if so we do not parse it from the chatsearch. At the end users get the scrambled message which they cannot get from any other source so I guess it's pretty valuable than getting nothing, we added the "scrambled" indication so user will know it's not necessary the exact order of the words within the message and he should understand the context. Hope it covers it.
Mobile_Digger 3/9/2022 9:34 AM
Really? Is it possible to recover deleted WhatsApp messages?
AmNe5iA
@MSAB Are you able to help with this? XAMN shows the message 'client' as either Phone or PC for each WhatsApp message. When one selects either and selects "Examine in source view" it seems to indicate that PC = 0x02005500 and Phone = 0x01005500; it lists the property details as Size = 4 Bytes, Format = XRT, Encoding = None. (What format is XRT?) Despite saying Encoding = None, as I work down the physical layers it seems to have decoded this data from the first 3 ASCII characters (or first 3 bytes) of the 'key_id' column from the messages table for Android or the 'ZSTANZAID' column in the ZWAMESSAGE table for iOS. How is it decoding 0x01005500 or 0x02005500 from those first three characters? The only pattern I can see is that if the 'key_id'/'ZSTANZAID' starts 3EB (0x334542) (and the string is only 20 characters long) then it decodes as PC (0x02005500) and everything else (though primarily starting 3AX (where X is any hexadecimal character) and only 20 characters long, but also strings 32 characters long) decodes as Phone (0x01005500).
Mobile_Digger 3/9/2022 9:44 AM
Can you please give me a little tip on how I can learn hex reading?
Mobile_Digger
Really? Is it possible to recover deleted WhatsApp messages?
It's not really deleted. It's an index of messages sent, each line only containing unique words, so you can make sense of it. If the original message is deleted, then yes, it shows parts of a deleted message.
Anyone have info about decrypting the app Molly, which seems to be a fork of Signal?
Anyone had a case involving the Life360 app?
florus
It's not really deleted. It's an index of messages sent, each line only containing unique words, so you can make sense of it. If the original message is deleted, then yes, it shows parts of a deleted message.
Mobile_Digger 3/9/2022 11:17 AM
Yes, I have experienced this kind of stuff, but do you have any information about deleted or sent WhatsApp media?
Anyone know what the telegram db is called for iOS? Did a logical and advanced logical on an iPhone 12 with telegram being used. The app was not parsed automatically. I can’t find it in search either.
mcdoz
Anyone know what the telegram db is called for iOS? Did a logical and advanced logical on an iPhone 12 with telegram being used. The app was not parsed automatically. I can’t find it in search either.
CLB_iwhiffin 3/9/2022 4:20 PM
I believe it's just called "db_sqlite". It's a "fun" database as all tables are called t1, t2 and t3 etc... That's assuming it hasn't changed recently.
Mobile_Digger
Really? Is it possible to recover deleted WhatsApp messages?
CLB_iwhiffin 3/9/2022 4:36 PM
As Florus pointed out, the question was more about validating the association between the word index and the sender rather than actually recovering deleted messages. "Recovering" messages when the user archived them is no different than reading live messages but recovering messages once they have been actually deleted is not so trivial / not possible to my knowledge.
CLB_iwhiffin
As Florus pointed out, the question was more about validating the association between the word index and the sender rather than actually recovering deleted messages. "Recovering" messages when the user archived them is no different than reading live messages but recovering messages once they have been actually deleted is not so trivial / not possible to my knowledge.
Mobile_Digger 3/9/2022 6:25 PM
You're right, but if you examine the WhatsApp DB closely you may find some deleted messages and contacts
Mobile_Digger
You're right, but if you examine the WhatsApp DB closely you may find some deleted messages and contacts
In my experience, if you delete an entire chat it is possible to recover it (for an unknown time); if you delete a single message in a chat, it's gone. @CLB_iwhiffin might have more insight on that.
florus
In my experience, if you delete an entire chat it is possible to recover it (for an unknown time); if you delete a single message in a chat, it's gone. @CLB_iwhiffin might have more insight on that.
Mobile_Digger 3/10/2022 3:01 AM
Where can I find it?
Mobile_Digger
Where can I find it?
Do some testing 😊
florus
In my experience, if you delete an entire chat it is possible to recover it (for an unknown time); if you delete a single message in a chat, it's gone. @CLB_iwhiffin might have more insight on that.
CLB_iwhiffin 3/10/2022 4:32 AM
From my testing, recovery of messages can only be done if the messages are Archived (instead of deleted) OR if the app is still live. I deleted data (both single message and full chat) and was able to recover both until the app closed/minimized. At that point the database cleaned itself and left no scope for recovery. There's certainly room for additional testing, but this has been my experience consistently these last few days.
chrisforensic 3/10/2022 4:45 AM
heyho mates... just4info... PA 7.54 Beta is out.... some solved issues... some new capabilities.... 👍 cellebrite
Hello, quick message to point out that Threema4.db (Threema private message app) can be decrypted by https://github.com/wilzbach/threema-decrypt , but you need to follow the steps in the issues tab (change the decrypt.sh script with the new lines of PRAGMA parameters, and also make sure you install sqlcipher version 4; the provided command installs version 3, and updating or compiling sqlcipher version 4 or above was the tricky part). Now if someone has info on where to find or how to attack the PIN (max 8 digits) to visually access the app, or info on decoding the decrypted database (status flags of calls), please PM me 🙂
Decrypt Threema's Android SQLite database. Contribute to wilzbach/threema-decrypt development by creating an account on GitHub.
4n6_5w3
That script does not decrypt any files, it connects temporarily cached files with their chats. All encrypted files found in SCContent folders should be Memories/My Eyes Only (correct me if I'm wrong as my info is a few months old). The MEO encryption key is itself encrypted with a keychain value. You can use links found in one of the databases to download and locally decrypt all memories (as long as you are allowed to). Someone hint @Cygonaut hint should upload that script if it still works 😉
anyone having an idea how to decrypt the .decrypted files in the Snapchat gallery folder? I have a physical extraction from an Android phone
jaikl
anyone having an idea how to decrypt the .decrypted files in the Snapchat gallery folder? I have a physical extraction from an Android phone
But aren't those already decrypted?
yeah, but the images are so small that you can't see anything
Working on an iPhone 12. You can see some FB Messenger data on the phone, but can't find it in PA. File system and logical extractions were done. Any ideas where one can find the Messenger data?
beamar
Working on an iPhone 12. You can see some FB Messenger data on the phone, but can't find it in PA. File system and logical extractions were done. Any ideas where one can find the Messenger data?
Axen Cleaver 3/10/2022 7:14 AM
Going to need a Full File System to get the FB data I believe. If the resource to get it is not available but the phone is unlocked, the low-tech solution is to take pictures and video of the information on the phone then import that into PA so it will all be on one report.
A full file system was done. Still not seeing it at all. I told the detective to just get a FB SW, they weren't happy with that answer.
disregard, that is the issue. Can't do a full file system on iPhone 12. Just a logical file system was done. TY
Greetings, Reaching out to the SnapChat Gurus. I have two devices recovered from a crime scene. Suspect and victim. Suspect's device shows 7 outgoing Snapchat audio calls and 1 outgoing chat message to the victim's account. Victim's device shows 3 incoming SnapChat audio calls and 4 incoming chat messages from the suspect's account. Both devices recovered at scene are iPhones and were locked. GK used to get AFU extractions. Analyzing in Cellebrite and Axiom. SnapChat version 11.3.0.64 on both devices. Looking to explain this.
TheCos
Greetings, Reaching out to the SnapChat Gurus. I have two devices recovered from a crime scene. Suspect and victim. Suspect's device shows 7 outgoing Snapchat audio calls and 1 outgoing chat message to the victim's account. Victim's device shows 3 incoming SnapChat audio calls and 4 incoming chat messages from the suspect's account. Both devices recovered at scene are iPhones and were locked. GK used to get AFU extractions. Analyzing in Cellebrite and Axiom. SnapChat version 11.3.0.64 on both devices. Looking to explain this.
Just for clarification, were they FFS extractions or partial file system extractions?
I thought PA would accept and parse Insta chats from an Insta takeout.... I can manually ID the HTML files that contain the individual threads and ultimately read the messages but can't use search etc. to interrogate this data. Is chat parsing re Insta only in Cellebrite Cloud?
2:33 PM
Exported to JSON in zip file from Insta if it makes a difference.
@Cellebrite can anyone DM me about media classification engine?
jaikl
yeah, but the images are so small that you can't see anything
IIRC those are just tiny tiny thumbnails from database blobs for each image. The actual image isn't always on the device. If it is, it should be decrypted by Axiom, or if you're lucky and it's in the cache you can use my https://github.com/DFIR-HBG/ParseSnapchat or OggEs https://github.com/Ogg3/snapunscatter
iOS Snapchat parser for chats and cached files. Contribute to DFIR-HBG/ParseSnapchat development by creating an account on GitHub.
A python script to combine fragmented snapchat video files - GitHub - Ogg3/snapunscatter: A python script to combine fragmented snapchat video files
Hi, I have a UFDR extraction of an Android phone with Cellebrite Reader, which I never used before. I don't understand the value "Intact" which is associated with "Deleted" (screen below). Can anyone help me? Thanks in advance.
Just uploaded my and @Oscar's script to download and decrypt Snapchat Memories and MEO using the databases and keys found on iOS. The script requires you to have some way of fixing the database where the decryption keys are located. Personally I use Forensic Browser for SQLite from Sanderson, but other programs should work as well if you follow the instructions! https://github.com/DFIR-HBG/Snap_DecryptMemories Hopefully it will be of use for some of you out there!
Script to download and decrypt memories and MEO from Snapchat on IOS. Requires the keys for memories to be present in the keychain, as well as the MEO key to get the MEO content. - GitHub - DFIR-HB...
Hi all, anyone seeing issues with PA v7.53 decoding the SMS.db? We have an error within the trace window parsing 'Native Messages'. Tried the older version v7.51 and it works fine; tried on multiple machines and we get the same error.
Akko
Hi all, anyone seeing issues with PA v7.53 decoding the SMS.db? We have an error within the trace window parsing 'Native Messages'. Tried the older version v7.51 and it works fine; tried on multiple machines and we get the same error.
CLB_iwhiffin 3/11/2022 6:36 AM
I’m not aware of an issue. Is it just on one extraction or any?
MrMacca (Allan Mc) 3/11/2022 7:42 AM
We have submitted the relevant logs regarding the sms.db issue and cellebrite are currently looking in to a fix for it.
Does anyone know if Chrome on Android natively saves "offline pages", or only if the user specifically downloads the pages? data\data\com.android.chrome\cache\Offline Pages\archives\
7:50 AM
The guy had a lot of CSAM in it; guessing instead of downloading the images themselves he just downloaded the web pages containing the images to his phone? (edited)
KR-4n6
Hi, I have a UFDR extraction of an Android phone with Cellebrite Reader, which I never used before. I don't understand the value "Intact" which is associated with "Deleted" (screen below). Can anyone help me? Thanks in advance.
Anyone from @Cellebrite ?
CLB_iwhiffin 3/14/2022 5:26 AM
“Intact” just means it’s a complete, non-deleted record.
Has anyone had problems with media classification in PA 7.53? After analysis I only see images categorized while videos remain "unclassified". During the process, however, I see that PA processes the videos in the temporary folder.
Hi, is anyone from @Cellebrite available for a quick question regarding TomTom ? (edited)
FullTang
Just for clarification, were they FFS extractions or partial file system extractions?
1 is a FFS. It shows it received 4 chat messages and 3 voice calls. The second is a Partial FS- it shows it made 7 voice calls and sent one chat message.
Anyone know if Data Pilots set a default password for iOS extractions? I was given an extraction but it’s encrypted. No luck with the generics like 1234.
Has anyone managed to find a time that indicates when an Android 8 device was wiped? I have a few things but hoping there's something obvious!
Hi. Anyone had issues with decoding emails from a GK image in Axiom, please ?
3:26 AM
it creates "Apple mail" and "Apple mail fragments" but the text is in the "Summary" attribute, not in the body, so the preview does not display properly, for example
chrisforensic 3/15/2022 6:39 AM
Hi all, anyone out there who has experience in decoding data from the BOLT application? https://play.google.com/store/apps/details?id=ee.mtakso.client&hl=en&gl=US Have an FFS extraction of an SM-N975F, got the folder from the application. 4PC, XRY or Oxygen do not decode anything from it.... @Cellebrite @MSAB @Oxygen Forensics Got some info by manually looking at the databases with some nice data.. But need more details... Maybe someone can help 😉 (edited)
Bolt is a transportation app used for requesting a fast and affordable ride.
6:40 AM
King Pepsi
Has anyone managed to find a time that indicates when an anrdoid 8 was wiped? I have a few things but hoping theres something obvious!
JLindmar (83AR) 3/15/2022 6:42 AM
https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/
To start, try looking at: /data/system/users/#.xml
- # (starting at "0") indicates each unique user (i.e. Settings > System > Advanced > Multiple users)
- Additional users are numbered starting at "10" and then progressing by 1; numbers aren't reused if a user is deleted
- The file's Modified and Birth (created) timestamps should determine the most recent on or about date/time the user was added/setup, unless additional users are added or setup
- The timestamp is updated to reflect when multiple users ("Use multiple users") was enabled, and again when a new user was setup
Of course, timestamp accuracy is dependent on the accuracy of the device's system clock. (edited)
JLindmar (83AR)
https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/
To start, try looking at: /data/system/users/#.xml
- # (starting at "0") indicates each unique user (i.e. Settings > System > Advanced > Multiple users)
- Additional users are numbered starting at "10" and then progressing by 1; numbers aren't reused if a user is deleted
- The file's Modified and Birth (created) timestamps should determine the most recent on or about date/time the user was added/setup, unless additional users are added or setup
- The timestamp is updated to reflect when multiple users ("Use multiple users") was enabled, and again when a new user was setup
Of course, timestamp accuracy is dependent on the accuracy of the device's system clock. (edited)
Thanks for that, I’ve been using that one and it’s helped a lot, didn’t know if there was anything specific to Android 8!
King Pepsi
Thanks for that, I’ve been using that one and it’s helped a lot, didn’t know if there was anything specific to Android 8!
JLindmar (83AR) 3/15/2022 6:49 AM
Updated my original reply. Assuming you at least have a file system acquisition, try looking for timestamps of files that are created after reset. Like /data/system/users/#.xml, you can also try:
- /data/system_de/0/accounts_de.db
  accounts_de.db > account > last_password_entry_time_millis_epoch for type = "com.google" may indicate when the primary Google account for the user was last signed into with a password on the device and may reflect an on or about device setup date
- Search the file system for files with "setup" in the file name or path to locate files associated with device/initial-user setup
- /data[/user/#]/com.google.android.settings.intelligence/shared_prefs/setup_wizard_info.xml (also contains "suw_finished_time_ms" with a Unix milliseconds timestamp reflecting the setup date/time)
- /data[/user_de/#]/com.sec.android.app.SecSetupWizard/shared_prefs/setupwizard_pref.xml
- /data[/user_de/#]/com.sec.android.app.SecSetupWizard/shared_prefs/setupwizard.xml
- /data[/user_de/#]/com.google.android.setupwizard/shared_prefs/SetupWizardLocalPrefs.xml
- /data[/user_de/#]/com.google.android.setupwizard/shared_prefs/SetupWizardPrefs.xml (this is what PA uses to identify "Phone activation time")
The file's MB timestamps may determine the most recent on or about date/time the initial user was setup
Perfect, thank you for that- there’s a few there I hadn’t considered so that should do the job, thanks!
Tim F
FYI - @Magnet Forensics is collecting info on a possible issue affecting AirDrop artifacts on iOS devices running 15.XX. If anyone is having issues with Axiom PROCESS & EXAMINE parsing AirDrop artifacts on iOS 15.XX, please DM me so I can add your specific device info to our open ticket. TY
Does @Magnet Forensics still have issues affecting AirDrop artifacts on iOS devices running 15.XX?
chrisforensic
Click to see attachment 🖼️
hello which viewer do you use?
Quicksilver 3/15/2022 8:10 AM
Did anybody ever have to decode the Ding chat app? I have it on an iPhone and have a full file system extraction.
manuelevlr
hello which viewer do you use?
chrisforensic 3/15/2022 8:24 AM
oxyviewer
chrisforensic
oxyviewer
I guess it is paid
wabbit_season1313 3/15/2022 8:26 AM
Hi all, has anyone used the Python feature in Cellebrite PA, and what sort of things can you do with it on extractions? For example, can you use scripts to search through messages for a whole bunch of drug terms at once? I would like to create scripts for multiple types of offences. Thanks @Cellebrite
manuelevlr
I guess it is paid
chrisforensic 3/15/2022 9:25 AM
of course, the SQLite viewer comes with Oxygen Forensic Detective (edited)
wabbit_season1313
Hi all, has anyone used the Python feature in Cellebrite PA, and what sort of things can you do with it on extractions? For example, can you use scripts to search through messages for a whole bunch of drug terms at once? I would like to create scripts for multiple types of offences. Thanks @Cellebrite
Hi, did you try to use the advanced search for this scenario?
Is it possible to see when a SIM card was last inserted/ejected in an extraction of an Android device? In this case it's a Huawei logical extraction. I know I can get the information from the telecom provider but it would be easier if it was possible to read it from the phone. I've researched and didn't find anything, so I guess it's worth a shot in here
wabbit_season1313
Hi all, has anyone used the Python feature on Cellebrite PA and what sort of things can you do with it on extractions? For example can you use scripts to seach through messages for a whole bunch of drug terms at once? I would like to create scripts for multiple types of offences. Thanks @Cellebrite
CLB-drorimon 3/15/2022 11:07 AM
Did you try the Watchlist feature?
How do you remove photos that are stored in /mobile/media/PhotoData/Metadata/PhotoData/CPLAssets/group<>/ on an iPhone? I've tried deleting the corresponding photo on the phone itself and it is removed from the DCIM folder, but still remains in the CPLAssets location. I also logged into the iCloud account and verified that the photo is no longer in iCloud. (edited)
ar1195
How do you remove photos that are stored in /mobile/media/PhotoData/Metadata/PhotoData/CPLAssets/group<>/ on an iPhone? I've tried deleting the corresponding photo on the phone itself and it is removed from the DCIM folder, but still remains in the CPLAssets location. I also logged into the iCloud account and verified that the photo is no longer in iCloud. (edited)
JLindmar (83AR) 3/15/2022 12:19 PM
The device most likely needs to complete a sync with iCloud Photo Library, but I'm not sure what triggers that event, nor how long after a successful sync data for previously-existing media gets removed from "CPL" locations on the device.
Good morning, has anyone else had any luck decoding a Nokia burner phone TA-1037 (Nokia 105 1010/1034)? I've managed to get a physical on XRY, but the profile doesn't decode it. I used the Doro Primo 366 profile, which manages to decode 200 contacts without phone numbers... I exported the NOR.bin into UFED and tried various different profiles. Various issues with timestamps and contacts again.
JLindmar (83AR)
Updated my original reply. Assuming you at least have a file system acquisition, try looking for timestamps of files that are created after reset. Like /data/system/users/#.xml, you can also try:
- /data/system_de/0/accounts_de.db
  accounts_de.db > account > last_password_entry_time_millis_epoch for type = "com.google" may indicate when the primary Google account for the user was last signed into with a password on the device and may reflect an on or about device setup date
- Search the file system for files with "setup" in the file name or path to locate files associated with device/initial-user setup
- /data[/user/#]/com.google.android.settings.intelligence/shared_prefs/setup_wizard_info.xml (also contains "suw_finished_time_ms" with a Unix milliseconds timestamp reflecting the setup date/time)
- /data[/user_de/#]/com.sec.android.app.SecSetupWizard/shared_prefs/setupwizard_pref.xml
- /data[/user_de/#]/com.sec.android.app.SecSetupWizard/shared_prefs/setupwizard.xml
- /data[/user_de/#]/com.google.android.setupwizard/shared_prefs/SetupWizardLocalPrefs.xml
- /data[/user_de/#]/com.google.android.setupwizard/shared_prefs/SetupWizardPrefs.xml (this is what PA uses to identify "Phone activation time")
The file's MB timestamps may determine the most recent on or about date/time the initial user was setup
Interestingly, I've had another look at this one, in the recovery_kernal.log, and there is a bit of text in it which relates to S2mps18 (the power management IC) and has a time and date minutes before the alleged wipe. The way I'm reading it, it's like just before the wipe, it checks the time and date recorded by the battery.. time to test it out
theAtropos4n6 3/16/2022 1:48 AM
@Cellebrite anyone available for a DM?
Ah, the notorious Nokia 105! As you've probably been able to tell already, we have seen countless different variants of this device and not been able to find a one-size-fits-all solution to support them. In the next release a Nokia 105 (TA-1034) V2 profile will be added which may help and you can also try the MediaTek Generic 2 profile to see if you have any luck. If you are still seeing issues you can DM me the log and I can see if we have anything else we can suggest
ScottKjr3347
DM sent and this post just added a few things to my current work in progress.
Nemesis of Pacman 3/16/2022 4:48 AM
Hi Scooter, I was just searching for info on CMMAssets and noticed this post, would you be willing to share what you sent to evforensics?
Someone from @Cellebrite here for a decoding question?
Hi everyone, I have a question regarding decoding of tracks.sqlite and locations.sqlite from a TomTom device. I tried to use navi revelator but I cannot figure out where to put these files. I thought that this software is able to decode these databases. I was able to parse the mapsetting.tlv but not the searchlogging files. Does anyone have done this with navi revelator?
King Pepsi
Interestingly, I've had another look at this one, in the recovery_kernal.log and there is a bit of text in this which relates to S2mps18 (the power management ic) and has a time and date minutes before the alleged wipe. The way i'm reading it, it's like just before the wipe, it checks the time and date recorded by the battery.. time to test it out
JLindmar (83AR) 3/16/2022 6:53 AM
Yeah, there are a few files that should be present across the majority of Android devices (others unique to specific vendors and OS versions) that may help with this type of analysis:
- /data/system/appops.xml
- /data/system/users/service/data/eRR.p and RR.p
- /data/property/persistent_properties
- /data/data/com.google.android.apps.wellbeing/databases/app_usage
- /data/data/com.samsung.android.forest/databases/dwbCommon.db
- /data/data/com.android.providers.media/databases/internal.db | external.db
- /data/data/com.google.android.providers.media.module/databases/internal.db | external.db
- /data/user/0/com.google.android.providers.media.module/databases/internal.db | external.db
Many of these are discussed in @CLB_joshhickman1's blog post. I advise my team to look at multiple sources when trying to determine when a factory data reset, device/user setup, and/or device usage (activity timeframe) may have occurred. Typically, we identify a timeframe where it most likely occurred because it can be difficult to pinpoint an exact date/time.
Yeah agreed with you on the rough timeline as opposed to pinpoint, many thanks to yourself and @CLB_joshhickman1 !
Dam
Hi everyone, I have a question regarding decoding of tracks.sqlite and locations.sqlite from a TomTom device. I tried to use navi revelator but I cannot figure out where to put these files. I thought that this software is able to decode these databases. I was able to parse the mapsetting.tlv but not the searchlogging files. Has anyone done this with navi revelator?
Found it. I have to use MR and not VR for the TTContainer.
Regarding the iOS-app Private Photo Vault, is there any forensically good method to access the pictures stored within this app? All data is encrypted in the extraction, but is viewable within the app on the device. The app version is 12.8.
betacygni
Regarding the iOS-app Private Photo Vault, is there any forensically good method to access the pictures stored within this app? All data is encrypted in the extraction, but is viewable within the app on the device. The app version is 12.8.
@Oxygen Forensics supports it if I'm correct
Axiom maybe
Anyone good with AXIOM custom artifacts? Trying to figure out how to create one for plist data.
florus
@Oxygen Forensics supports it if I'm correct
Got it, will try. Thanks.
4n6_5w3
Axiom maybe
Will try, thanks 🙂
chrisforensic 3/17/2022 5:42 AM
pug4N6
Anyone good with AXIOM custom artifacts? Trying to figure out how to create one for plist data.
forensicmike @Magnet 3/17/2022 5:48 AM
DM'ed
dfir-rick
Does @Magnet Forensics still have issues affecting AirDrop artifacts on iOS devices running 15.XX?
Summary: This post explains how to use RLEAPP to process sysdiagnose logs extracted from an iOS device to identify the phone number used in ...
King Pepsi
Yeah agreed with you on the rough timeline as opposed to pinpoint, many thanks to yourself and @CLB_joshhickman1 !
Artifacts researched by @CLB_joshhickman1 have been added to ALEAPP here: https://github.com/abrignoni/ALEAPP
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
Brigs
Artifacts researched by @CLB_joshhickman1 have been added to ALEAPP here: https://github.com/abrignoni/ALEAPP
Oooh, a nice little tool for the team, thanks!
Sandtrollet 3/17/2022 6:57 AM
Hi, does anyone know anything about the pictures and movies found in the following path from an iOS device? private/var/mobile/containers/shared/appgroup/uuid/file provider storage/photospicker The plist under uuid is named .com.apple.mobile_container_manager.metadata.plist
Sandtrollet
Hi, does anyone know anything about the pictures and movies found in the following path from an iOS device? private/var/mobile/containers/shared/appgroup/uuid/file provider storage/photospicker The plist under uuid is named .com.apple.mobile_container_manager.metadata.plist
JLindmar (83AR) 3/17/2022 7:06 AM
Let people select photos and videos to use in your app without requiring full Photo Library access. Discover how the PHPicker API for iOS...
jwatson7428 3/17/2022 8:43 AM
Has anyone dealt with an SD-7000T unit from TMobile? Can this be forensically acquired? If so, what do you use? It states on the TMobile site that it has onboard storage. Looking for possible GPS and device connectivity.
Is there a way to import UFDR files into AXIOM ?
4:58 AM
@Magnet Forensics
MadMac07
Good morning, anyone else have any luck decoding a Nokia Burner phone TA-1037? (Nokia 105 1010/1034). I've managed to get a physical on XRY, the profile doesn't decode it. I used the Doro Primo 366 profile which manages to decode 200 contacts without phone numbers... I exported the NOR.Bin into UFED and tried various different profiles. Various issues with timestamps and contacts again.
I've had success decoding through XRY as an Alcatel 1052g
leigh4352
I've had success decoding through XRY as an Alcatel 1052g
Thanks Leigh. I've just tried that and it hasn't worked for me 😦 I've managed to carve out contacts and numbers through HEX using the BIN file. Will keep my eye on this model.
Nemesis
Is there a way to import UFDR files into AXIOM ?
Try importing it as an image.
Doesn’t show me the option. Only ufd or ufdx.
Nemesis
Is there a way to import UFDR files into AXIOM ?
JLindmar (83AR) 3/18/2022 11:05 AM
The UFDR is just a ZIP archive (go ahead, open it with 7-Zip for example) whose content Cellebrite Reader can interpret. If AXIOM can't interpret the native format, it should at least be able to process it as a ZIP archive, but I wouldn't expect it to be able to associate some of the information (e.g. MMS message and its attachment). Out of curiosity, why not just open it with Cellebrite Reader and review?
Nemesis
Is there a way to import UFDR files into AXIOM ?
As mentioned, it is basically just a zip, but the files are arranged differently than their original paths, and there’s a bunch of metadata/parsed-data stored in a report.xml of the UFDR … you could try https://github.com/DFIRScience/UFDR2DIR
A script to convert a Cellebrite UFDR to the original file structure. - GitHub - DFIRScience/UFDR2DIR: A script to convert a Cellebrite UFDR to the original file structure.
Nemesis
Is there a way to import UFDR files into AXIOM ?
Jamie McQuaid walks through how to load Cellebrite images into Magnet AXIOM for further analysis which can be quite easy, but not always straightforward
JLindmar (83AR)
The UFDR is just a ZIP archive (go ahead, open it with 7-Zip for example) whose content Cellebrite Reader can interpret. If AXIOM can't interpret the native format, it should at least be able to process it as a ZIP archive, but I wouldn't expect it to be able to associate some of the information (e.g. MMS message and its attachment). Out of curiosity, why not just open it with Cellebrite Reader and review?
Got the ufdr from another department. No original .dar or zip. Already processed it in UFED, but Snapchat usernames don’t show, only guids… I know Axiom has more success of parsing Snapchat correctly.
11:55 AM
A script to convert a Cellebrite UFDR to the original file structure. - GitHub - DFIRScience/UFDR2DIR: A script to convert a Cellebrite UFDR to the original file structure.
11:56 AM
But it’s flawed. Contacted the creator.
AugustBurnsBlue 3/18/2022 1:51 PM
Anyone have a copy of the old @Cellebrite testifying cheat sheet they could send me?
The 2014 one?
1:55 PM
Not our hosting site
1:55 PM
What happens when you press a button on Cellebrite UFED and Physical Analyzer is often a mystery to some examiners. What happens if you are questioned on what occurs when an extraction method is selected, or a check box is clicked during parsing? This on-demand webinar combined with a white paper you’ll receive following the … Continue reading "...
1:55 PM
Our freshly released one.
Arcain pinned a message to this channel. 3/19/2022 2:07 AM
Hi, does anyone know what the values in the logcat-system file in TomTom mean? There are values like vel= , t= , et= , acc= . navi revelator parses this file but I cannot find any information regarding these values.
I've come across a thumbnail picture in an iPhone that I can't figure out. Does the path say anything to anyone? root\private\var\mobile\Containers\Data\PluginKitPlugin\BB16768E-.....\SystemData\com.apple.chrono\snapshots\com.apple.mobileslideshow-PhotosReliveWidget
1:01 AM
Sorry, last "-" should be a "."
Brigs
Artifacts researched by @CLB_joshhickman1 have been added to ALEAPP here: https://github.com/abrignoni/ALEAPP
Am I correct in assuming that ALEAPP only works on a ffs extraction?
King Pepsi
Am I correct in assuming that ALEAPP only works on a ffs extraction?
The tool can parse identified artifacts from a zip, tar, and files in a folder structure. Using it via Autopsy it will parse E01s, bin, and all file system structures supported by it. Adding support for artifacts not in FFS is fairly easy if one has some basic python scripting skills. @DFIRScience has a great preview on ALEAPP here: https://dfir.science/2021/11/Is-this-the-fastest-way-to-analyze-Android.html He also has a great tutorial on how to quickly build a module for ALEAPP here: https://dfir.science/2021/11/Fast-Software-Prototyping-Python-iLEAPP-module-example
Android forensics can take a long time to process. But if you just need a quick overview of the most common artifacts, check out the Android Logs Events And Protobuf Parser (ALEAPP). We show how to get and install ALEAPP, run an Android forensic analysis in less than a minute, and give an overview of what ALEAPP can show in your investigations. ...
When adding code to a large project, like the iPhone forensic triage software iLEAPP, re-running the software over and over again to test your module can become tedious. Instead, prototype your parser in a smaller test file first. This video shows how to start prototyping a module for iLEAPP (or ALEAPP/WLEAPP), but once you have your idea and th...
Thank you for the quick response, I’ll make sure to do that. A brush up on python is definitely needed!
Hi, question regarding Chrome app database for Android devices if someone can assist please. I'm navigating the "History" database for Chrome, and located the "urls" table. Within this is a column named "hidden", against which is either the value of 0 or 1. Does this column reflect the use of incognito/private browsing? Or is it something different?
Anyone know where audio output route is stored if it is like in an iPhone? Just trying to see if Bluetooth was connected and in use during a specific phone call. Android 12 on this device
Alex Owen
Hi, question regarding Chrome app database for Android devices if someone can assist please. I'm navigating the "History" database for Chrome, and located the "urls" table. Within this is a column named "hidden", against which is either the value of 0 or 1. Does this column reflect the use of incognito/private browsing? Or is it something different?
Default is 0 but unsure what it means, will see if I can find something I've got written down.
Alex Owen
Hi, question regarding Chrome app database for Android devices if someone can assist please. I'm navigating the "History" database for Chrome, and located the "urls" table. Within this is a column named "hidden", against which is either the value of 0 or 1. Does this column reflect the use of incognito/private browsing? Or is it something different?
forensicmike @Magnet 3/21/2022 6:40 AM
Took a look at the chromium source on github and found some interesting stuff. Not saying this is the only reason (the repo is rather large and difficult to navigate) but this comment is a bit telling, suggesting those things with hidden flag set will not show up in the omnibox. (This one is from the iOS browser but comment is still helpful) ref: https://github.com/chromium/chromium/blob/9bed4e4cdfc9fb1ede9d817e5f347e4b383deff0/ios/chrome/browser/history/history_tab_helper.mm#L172 (edited)
6:42 AM
here's another under HistoryTabHelper::CreateHistoryAddPageArgs - this comment suggests it is using the flag to prevent anything but top level frame navigations from showing up in the omnibox search. ref: https://github.com/chromium/chromium/blob/9bed4e4cdfc9fb1ede9d817e5f347e4b383deff0/chrome/browser/history/history_tab_helper.cc#L129 (edited)
forensicmike @Magnet
here's another under HistoryTabHelper::CreateHistoryAddPageArgs - this comment suggests it is using the flag to prevent anything but top level frame navigations from showing up in the omnibox search. ref: https://github.com/chromium/chromium/blob/9bed4e4cdfc9fb1ede9d817e5f347e4b383deff0/chrome/browser/history/history_tab_helper.cc#L129 (edited)
Thank you so much for taking a look at that for me! Much appreciated. This presumably isn't related to incognito browsing then. Are you aware of a way of determining whether a search has been conducted using private/incognito browsing within Chrome application?
Alex Owen
Hi, question regarding Chrome app database for Android devices if someone can assist please. I'm navigating the "History" database for Chrome, and located the "urls" table. Within this is a column named "hidden", against which is either the value of 0 or 1. Does this column reflect the use of incognito/private browsing? Or is it something different?
JLindmar (83AR) 3/21/2022 10:33 AM
Although I don't have any research material specifically for Chrome to point you to, there are many blogs/papers that discuss the "hidden" field in the Firefox places.sqlite > moz_places table: https://www.sans.org/blog/firefox-3-history/#:~:text=hidden%20INTEGER%20DEFAULT%200%20NOT%20NULL%2Ceither%200%20or%201.%20if%20the%20URL%20is%20hidden%20then%20the%20user%20did%20not%20navigate%20directly%20to%20it%2C%20usually%20indicates%20an%20embedded%20page%20using%20something%20like%20an%20iframe https://www.stark4n6.com/2022/01/firefox-on-android-web-history-visits.html#:~:text=hidden,RSS%20or%20iframe There are many similarities between Mozilla and Chromium, and situations where Mozilla specifically references using Chromium code, so "hidden" in Chrome may very well function in a similar manner. The Chrome test data I have supports the notion that when hidden = 1 (True), the URL was not visited (at all or not by a user) or displayed. (edited)
Does anyone know how to crack the code of Telegram's attachment file naming convention? 1_xxxx or 4_xxxx? Is there a mob number? A timestamp? A hash? Or just random. (old job resurfaced - logical only extractions only)
@Cellebrite is anyone free to answer some questions regarding Huawei devices?
JLindmar (83AR)
Although I don't have any research material specifically for Chrome to point you to, there are many blogs/papers that discuss the "hidden" field in the Firefox places.sqlite > moz_places table: https://www.sans.org/blog/firefox-3-history/#:~:text=hidden%20INTEGER%20DEFAULT%200%20NOT%20NULL%2Ceither%200%20or%201.%20if%20the%20URL%20is%20hidden%20then%20the%20user%20did%20not%20navigate%20directly%20to%20it%2C%20usually%20indicates%20an%20embedded%20page%20using%20something%20like%20an%20iframe https://www.stark4n6.com/2022/01/firefox-on-android-web-history-visits.html#:~:text=hidden,RSS%20or%20iframe There are many similarities between Mozilla and Chromium, and situations where Mozilla specifically references using Chromium code, so "hidden" in Chrome may very well function in a similar manner. The Chrome test data I have supports the notion that when hidden = 1 (True), the URL was not visited (at all or not by a user) or displayed. (edited)
Thank you so much this has also proved hugely helpful for me in my analysis 🙏 much appreciated
I have another question in relation to Google Photos, if someone is happy to assist please? I have encountered a set of images in an extraction with a file path as follows: Google Photos (user account details redacted)/local media/ All of the images are reported by the forensic tool to be deleted, and are 0 bytes in size. Is this an indication that there were images in the Google photos local media storage, which were backed up to the cloud account and in the process deleted from the local storage?
burgers_N_bytes 3/22/2022 6:16 AM
Does Cellebrite or Axiom ingest .e3d images?
burgers_N_bytes 3/22/2022 6:28 AM
On another note, does this look like an encrypted database to anyone else?
Is it possible to find out when a charger was (dis)connected on a Pixel Android 10 device full system extraction? Also interested in power events such as reboot or power off. I did not find anything yet. \data\log unfortunately only exists on Samsung devices.
burgers_N_bytes
On another note, does this look like an encrypted database to anyone else?
CLB-drorimon 3/22/2022 6:50 AM
I would guess it's compressed, rather than encrypted.
CLB-drorimon
I would guess it's compressed, rather than encrypted.
burgers_N_bytes 3/22/2022 6:51 AM
I hadn’t thought of that! I’ll try to uncompress and update.
I have a PA report with phone locations. One of them is without timestamp and is described as: Type: Searched Source: Google Maps Source File: Pro.zip/data/data/com.google.android.apps.maps/files/new_recent_history_cache_search.cs : 0x68 (Size: 1222) How should I interpret it? (edited)
Alex Owen
I have another question in relation to Google Photos, if someone is happy to assist please? I have encountered a set of images in an extraction with a file path as follows: Google Photos (user account details redacted)/local media/ All of the images are reported by the forensic tool to be deleted, and are 0 bytes in size. Is this an indication that there were images in the Google photos local media storage, which were backed up to the cloud account and in the process deleted from the local storage?
JLindmar (83AR) 3/22/2022 7:21 AM
What type of acquisition do you have - logical, file system, physical?
JLindmar (83AR)
What type of acquisition do you have - logical, file system, physical?
It's a FFS extraction
DEVNULL
I have a PA report with phone locations. One of them is without timestamp and is described as: Type: Searched Source: Google Maps Source File: Pro.zip/data/data/com.google.android.apps.maps/files/new_recent_history_cache_search.cs : 0x68 (Size: 1222) How should I interpret it? (edited)
JLindmar (83AR) 3/22/2022 7:49 AM
How many individual locations were identified within the source file? Interpreting the file name, along with content, it looks like that file stores information related to a search for directions to a location, but doesn't necessarily mean navigation to the location took place. You might also look at "directions_as_changed_in_navigation.data.cs" and "saved_directions.data.cs" to see if their content relates to that in "new_recent_history_cache_search.cs". Also, the modified timestamp (if available) for "new_recent_history_cache_search.cs" should give you the on or about date that the most recent location in the file was searched.
FantasticAdventure 3/22/2022 7:57 AM
Anybody else having trouble decoding Telegram from an Android device? Has Telegram updated its DB and confused all the tools? Nothing will decode? (AXIOM, Oxygen, MD-RED, Cellebrite - tried on 7.53 and just installed 7.54 and still nothing) 😫
Anyone know the best tool to determine unlock mode? ie face unlock, pin, gesture ....
Alex Owen
It's a FFS extraction
JLindmar (83AR) 3/22/2022 8:55 AM
It appears PA (Cellebrite should be able to confirm) is parsing that information from the following files:
"/data/data/com.google.android.apps.photos/databases/gphotos0.db", "local_media" and "remote_media" tables
"/data/data/com.google.android.apps.photos/databases/gphotos-1.db", "local_media" and "remote_media" tables
"/data/data/com.google.android.apps.photos/databases/local_trash.db", "local" table
I would recommend analyzing them for more information, and comparing the local file paths in the databases (as available) to the actual paths in the file system to confirm what files are still present and/or recovered.
General question regarding WhatsApp… if a target deletes files from a victim's phone, are those files recoverable? From my experience, those files cease to exist and I have been unable to find deleted files in my exams in Axiom, Cellebrite, and XRY. Anybody out there find anything different? An AUSA is asking for an absolute answer. Thanks, all.
Adam Cervellone 3/22/2022 10:56 AM
When an iPhone displays that a message was sent with Siri, what exactly triggers that and is it logged in the sms.db or knowledgeC on the sender’s phone?
TCSkyKing
General question regarding WhatsApp… if a target deletes files from a victim's phone, are those files recoverable? From my experience, those files cease to exist and I have been unable to find deleted files in my exams in Axiom, Cellebrite, and XRY. Anybody out there find anything different? An AUSA is asking for an absolute answer. Thanks, all.
Deleted what? A single message in chat? An entire chat?
DEVNULL
I have a PA report with phone locations. One of them is without timestamp and is described as: Type: Searched Source: Google Maps Source File: Pro.zip/data/data/com.google.android.apps.maps/files/new_recent_history_cache_search.cs : 0x68 (Size: 1222) How should I interpret it? (edited)
Seems like a search in Google Maps? You could quickly test that?
florus
Deleted what? A single message in chat? An entire chat?
Apparently the target deleted chats from the cooperator's phone. This seems to match my extraction results because I can’t find any chats before “X” date.
Robin Hood
Is it possible to find out when a charger was (dis)connected on a Pixel Android 10 device full system extraction? Also interested in power events such as reboot or power off. I did not find anything yet. \data\log unfortunately only exists on Samsung devices.
Info on power events as well as battery charging from @stark4n6: https://www.stark4n6.com/2022/01/shutdown-checkpoints-in-android-12.html https://www.stark4n6.com/2020/12/charging-battery-with-turbo-db.html Also check @CLB_joshhickman1's blog on Android factory resets. One of the files discussed contains reboot data. https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/ Artifacts are supported in ALEAPP.
In scouring Josh Hickman's Android 12 test image, I came across a new folder that was previously found in previous test images. I can be fo...
UPDATE: Read Part 2 and Part 3 ! In an effort to continue to look for new mobile artifacts, one that I recently came across was the turbo.d...
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
Hello everyone, I am glad to be a part of such a wonderful community, but I am very new to infosec and forensic stuff. I googled for mobile forensics but failed to understand where to start; everything is very advanced. Please, can you suggest very beginner-level stuff to get my feet wet and start learning from there? It will be a great help.
Anyone had experience forensically capturing data associated with an Apple Watch?
nbh2493
Anyone had experience forensically capturing data associated with an Apple Watch?
Wouter#0195 3/23/2022 9:35 AM
@Elcomsoft has a couple of interesting blogs about this topic. https://blog.elcomsoft.com/tag/apple-watch/
«...Everything you wanted to know about password recovery, data decryption, mobile & cloud forensics...»
thanks Wouter... I will give this a good read
florus
Deleted what? A single message in chat? An entire chat?
Mobile_Digger 3/23/2022 11:04 AM
In my case the suspect deleted the whole WhatsApp Media folder plus the database, and a physical extraction of that phone is not available in XRY, Oxygen or Cellebrite. Is there any hope?
Hi! I have an Android phone with Signal. PA decrypts the database but does not parse the messages. Appgenie does not work either. Tried Axiom without any luck. Any ideas? I'm trying to create a SQL query but somehow I can't find the participant phone number/username. So if you have done any research regarding the Signal database you are most welcome to share it.
FantasticAdventure
Anybody else having trouble decoding Telegram from an Android device? Has Telegram updated its DB and confused all the tools? Nothing will decode? (AXIOM, Oxygen, MD-RED, Cellebrite - tried on 7.53 and just installed 7.54 and still nothing) 😫
Is it "data/data/org.telegram.messenger.web"? Export it and the media data "data/media/0/Telegram" to a folder. Rename "org.telegram.messenger.web" to "org.telegram.messenger" and import it in PA as a folder. (edited)
Mobile_Digger
In my case the suspect deleted the whole WhatsApp Media folder plus the database, and a physical extraction of that phone is not available in XRY, Oxygen or Cellebrite. Is there any hope?
Poeh, if file based encrypted, no hope.
florus
Poeh, if file based encrypted, no hope.
Mobile_Digger 3/24/2022 11:59 PM
It's oppo F11 running on Android 10 😞
Anyone from @Cellebrite free to talk about possible support for certain apps that currently aren't supported?
chrisforensic 3/25/2022 8:41 AM
and again latest PA has troubles to decode whatsapp.... did vendorbackup, huawei p20 lite (ane-lx1), android 9...... attachments of whatsapp are not linked correctly... nearby, I know I can do physical with xry... just wanted to do a fast backup... and PA fails.... it's just a little bit frustrating... and no, I don't want to send any log ..... have a nice weekend 🙂 (edited)
chrisforensic
and again latest PA has troubles to decode whatsapp.... did vendorbackup, huawei p20 lite (ane-lx1), android 9...... attachments of whatsapp are not linked correctly... nearby, I know I can do physical with xry... just wanted to do a fast backup... and PA fails.... it's just a little bit frustrating... and no, I don't want to send any log ..... have a nice weekend 🙂 (edited)
Mobile_Digger 3/25/2022 10:00 AM
Since WhatsApp updated its APK, all forensic tools have failed; they are trying to fix it. Even I am also sending logs over and over. Only QR extraction is working fine nowadays.
Not only WhatsApp, Signal has issues with parsing on PA as well
Would this indicate iCloud is on? it is the cloudconfigurationdetails.plist.
Anyone know if there’s a way to show if Bluetooth was used during a phone call on an Android? It’s a Samsung S21
Ghosted
Would this indicate iCloud is on? it is the cloudconfigurationdetails.plist.
ScottKjr3347 3/25/2022 12:18 PM
Blog is coming, here is a sample that might help:
• Device settings were accessed, and I turned off iCloud Photos and Shared Albums
  o Just a reminder these settings can be verified via the property list (plist) being stored at the following locations:
  o \private\var\mobile\Media\PhotoData\private\com.apple.assetsd\cloudServiceEnableLog.plist
    - Device settings accessed via Settings > Apple ID > iCloud > APPS USING ICLOUD
    • This plist will have a timestamp when iCloud Photo Library (CPL) was enabled or disabled and will be recorded with a True or False value
    • Based on testing false indicates the setting was turned off
    • This plist keeps history of the device settings
  o \private\var\mobile\Media\PhotoData\private\com.apple.accountsd\cloudServiceEnableLog.plist
    - Device settings accessed via Settings > Apple ID > iCloud > APPS USING ICLOUD > Photos
    • This plist will have a timestamp when iCloud Photo Library (CPL) and Shared Albums were enabled or disabled and will be recorded with a True or False value
    • Based on testing False indicates the setting was turned OFF
    • This plist keeps a history of the device settings (edited)
ScottKjr3347 3/25/2022 12:32 PM
For iOS does anyone know how to tell if a zoom call is a "video" call or just a voice call?
Anyone from @Magnet Forensics around for an Axiom processing question?
I'm here, feel free to DM
If anyone is interested in learning what I know on the appintent files in the biome folder on iOS I wrote a blog on it and have a parser for them. I know a few of you guys have tested it out for me, thanks for that. Looks like there’s 30 days worth of data in here including deleted iMessages. https://bluecrewforensics.com/2022/03/07/ios-app-intents/ (edited)
In this blog I will discuss my findings on the AppIntent files that are located within the Biomes folder in many iOS extractions. These files contain many forensic artifacts that may no longer appear elsewhere on the device including deleted iMessages.
chrisforensic
and again latest PA has troubles to decode whatsapp.... did vendorbackup, huawei p20 lite (ane-lx1), android 9...... attachments of whatsapp are not linked correctly... nearby, I know I can do physical with xry... just wanted to do a fast backup... and PA fails.... it's just a little bit frustrating... and no, I don't want to send any log ..... have a nice weekend 🙂 (edited)
CLB_joshhickman1 3/26/2022 8:37 AM
There's been a recent schema change to msgstore.db in WhatsApp on Android, so that could account for the lack of decoding. (edited)
Mobile_Digger 3/27/2022 2:09 AM
I have an Oppo A57; it's running Qualcomm applocker, which locks its settings, so I can't enable debugging. Can anyone help me @Cellebrite @Oxygen Forensics
Can't parse a FFS qualcomm live xiaomi note 10 pro extraction made with 4pc 7.53 using the latest PA. For example WhatsApp can't be decoded at all. Any hint? (edited)
Hope someone can shed a bit of light on this; is there a way to see if Snapchat images found in the FFS of an iPhone are taken (and sent) or received by the user of the phone? I have a FFS extraction from an iPhone 11 (iOS 14.1). PA shows lots of images in the Snapchat "com.snap.file_manager_3_SCContent.." directory with "Cache_key" names. Is there a way to see if these images are received or sent by the owner of the phone? At this moment I am using a method where you combine the "Cache_key" with the "External_Key" with the "Conversation_messages" value. But so far I had very little luck. Thanks in advance!
bypx
Can't parse a FFS qualcomm live xiaomi note 10 pro extraction made with 4pc 7.53 using the latest PA. For example WhatsApp can't be decoded at all. Any hint? (edited)
Mobile_Digger 3/27/2022 5:12 AM
Same phone it's asking for 80GB space did you put SD card ?
Mobile_Digger
Same phone it's asking for 80GB space did you put SD card ?
No, there isn't any sd card. Extraction is about 50GB
Mobile_Digger 3/27/2022 5:15 AM
I just plugged in this phone; it said not enough space in target device, needs 80 GB free space. The phone has 128 GB total space and has 32 GB available 😑
N Ogee
Hope someone can shed a bit of light on this; is there a way to see if Snapchat images found in the FFS of an iPhone are taken (and sent) or received by the user of the phone? I have a FFS extraction from an iPhone 11 (iOS 14.1). PA shows lots of images in the Snapchat "com.snap.file_manager_3_SCContent.." directory with "Cache_key" names. Is there a way to see if these images are received or sent by the owner of the phone? At this moment I am using a method where you combine the "Cache_key" with the "External_Key" with the "Conversation_messages" value. But so far I had very little luck. Thanks in advance!
Try using https://github.com/DFIR-HBG/ParseSnapchat to automate that task, that makes it easier to visualize and search through the conversations
iOS Snapchat parser for chats and cached files. Contribute to DFIR-HBG/ParseSnapchat development by creating an account on GitHub.
snoop168
If anyone is interested in learning what I know on the appintent files in the biome folder on iOS I wrote a blog on it and have a parser for them. I know a few of you guys have tested it out for me, thanks for that. Looks like there’s 30 days worth of data in here including deleted iMessages. https://bluecrewforensics.com/2022/03/07/ios-app-intents/ (edited)
It seems like some type of the same data can be found in the knowledgeC database as well -- SELECT Z_PK, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION FROM ZSTRUCTUREDMETADATA WHERE Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION IS NOT NULL -- The results have been blobs that were plist files. Inside those plist files was an entry for NS.data that is also a plist file, which appears to be a match for entries from the Biome/AppIntents files (edited)
7:53 AM
That is supposed to be 2 "_" in the field name, but Discord made it an underline (edited)
Avatar
Andrew Rathbun 3/27/2022 7:54 AM
@pug4N6 use markdown to code block that out
7:54 AM
try three backticks above and below your query
7:54 AM
SELECT test from TEST
7:54 AM
like this
7:54 AM
Avatar
Avatar
Andrew Rathbun
@pug4N6 use markdown to code block that out
Thanks
Avatar
Andrew Rathbun 3/27/2022 7:56 AM
single backticks on the front and back of text looks like this
7:56 AM
and you won't lose those underlines, etc
👍 1
Avatar
Avatar
pug4N6
It seems like some type of the same data can be found in the knowledgeC database as well -- SELECT Z_PK, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION FROM ZSTRUCTUREDMETADATA WHERE Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION IS NOT NULL -- The results have been blobs that were plist files. Inside those plist files was an entry for NS.data that is also a plist file, which appears to be a match for entries from the Biome/AppIntents files (edited)
ScottKjr3347 3/27/2022 8:57 AM
You are correct, but as detailed in the write up, the Biome files will contain data that has been removed/deleted from the knowledgeC db. Thanks to @snoop168 and @CLB_iwhiffin I was able to use the biome data in past cases to recover message content that could not be found anywhere else on the device. I am only aware of one commercial tool that parses biome data, which is AXIOM. (edited)
👍 1
Avatar
Avatar
ScottKjr3347
You are correct, but as detailed in the write up, the Biome files will contain data that has been removed/deleted from the knowledgeC db. Thanks to @snoop168 and @CLB_iwhiffin I was able to use the biome data in past cases to recover message content that could not be found anywhere else on the device. I am only aware of one commercial tool that parses biome data, which is AXIOM. (edited)
Yeah, thanks to @CLB_iwhiffin and his tool Mushy, I stopped trying to decode the Biome data via hex and decoded it as protobuf, made life MUCH easier … I haven’t checked out @snoop168’s parser yet, but the write-up is definitely useful info.
Avatar
Hey guys, I'm using the Cellebrite keyword search and I noticed that the search returns anything that contains the string you enter. For example, if I do a filter for "Tom", it would return any artefacts that contain words with a "tom" in it, e.g. "Tomorrow", "Tomahawk", "Bottom", "Stomach". Is there any way to change the settings and avoid this? Any help would be appreciated, thanks 👍👍
Avatar
Avatar
-Kryo-
Hey guys, I'm using the Cellebrite keyword search and I noticed that the search returns anything that contains the string you enter. For example, if I do a filter for "Tom", it would return any artefacts that contain words with a "tom" in it, e.g. "Tomorrow", "Tomahawk", "Bottom", "Stomach". Is there any way to change the settings and avoid this? Any help would be appreciated, thanks 👍👍
Haven’t tested but maybe add a space after if you are just looking for “Tom” but that might be a little hacky and more than likely they trim white space from the beginning and end of the search term anyway but worth a try… (edited)
😢 1
Avatar
@San4n6 @K23 Do you know of anything that has replaced query_precdictions.db in newer iOSs. Got a 14.7.1 and it no longer appears.
Avatar
Hello guys, I need to search a list of keywords in thousands of databases pulled from 32 phones. Aim would be to quickly target those containing interesting data. I can develop this but if you know an existing project I take it 👍 😉
Avatar
Avatar
Nitraz_
Hello guys, I need to search a list of keywords in thousands of databases pulled from 32 phones. Aim would be to quickly target those containing interesting data. I can develop this but if you know an existing project I take it 👍 😉
how about agent ransack on the directory the phones are in? Won't let you access the db directly for a nicer view but will give a nice indication of the keywords you are looking for
Avatar
Anyone from @Cellebrite able to help with a licence issue? Getting an unhandled exception trying to launch UFED4PC
5:30 AM
But the exception seems to create about 30 windows
Avatar
Seems like trying and trying again got further and now seems to work
Avatar
Avatar
pug4N6
Yeah, thanks to @CLB_iwhiffin and his tool Mushy, I stopped trying to decode the Biome data via hex and decoded it as protobuf, made life MUCH easier … I haven’t checked out @snoop168’s parser yet, but the write-up is definitely useful info.
forensicmike @Magnet 3/28/2022 7:05 AM
+1 on manual protobuf parsing in a hex editor being the stuff of nightmares (edited)
Avatar
Avatar
snoop168
Haven’t tested but maybe add a space after if you are just looking for “Tom” but that might be a little hacky and more than likely they trim white space from the beginning and end of the search term anyway but worth a try… (edited)
thanks for the suggestion but yea it doesn't work
1:07 PM
very surprising
Avatar
@Cellebrite Anyone know how PA decodes dynamic.lm for the User Dictionary words? I have a few words of interest, but was wondering if the words were actually used together in a sentence, or if PA just lined them up like that by happenstance.
📬 1
Avatar
Avatar
sholmes
@Cellebrite Anyone know how PA decodes dynamic.lm for the User Dictionary words? I have a few words of interest, but was wondering if the words were actually used together in a sentence, or if PA just lined them up like that by happenstance.
CLB-drorimon 3/28/2022 11:39 PM
The words are added to the file, and decoded and displayed in PA in a consecutive order, so, if you see two consecutive words it means that the later was used after the former, but you can't tell if other words that were already present in the dictionary were used between them.
👍 1
Avatar
anyone from @Cellebrite for a quick question? I made a FS dump from iPhone 11 on 15.1, missing Telegram chat, was able to parse all chats except this one, is it possible to parse it?
Avatar
Avatar
RS
anyone from @Cellebrite for a quick question? I made a FS dump from iPhone 11 on 15.1, missing Telegram chat, was able to parse all chats except this one, is it possible to parse it?
Was it a full file system or regular FS ?
Avatar
regular one
2:52 AM
no jailbreak
Avatar
I'm going to verify but I would think it likely doesn't come out in a non FFS extraction
Avatar
i had that idea but, would like to check
Avatar
@CLB-Paul if you could confirm for me that on a FS Telegram is a no go, would be good
Avatar
Give me a bit and ill get back to you
Avatar
Thank you
Avatar
You can also look through the application. I can DM you to continue on there
Avatar
Avatar
RS
Thank you
@CLB_iwhiffin just confirmed that it didn’t come out in a backup. So you would need a ffs
Avatar
Hi, we have one Sony C2004 model (Android) with screen lock set as a pattern lock. Can we unlock the same by UFED? Please guide.
Avatar
Avatar
CLB-drorimon
The words are added to the file, and decoded and displayed in PA in a consecutive order, so, if you see two consecutive words it means that the later was used after the former, but you can't tell if other words that were already present in the dictionary were used between them.
Thanks. That is what I was seeing and thought it might be as you described it. I made the mistake of ordering them by usage and lost the order of conversation. Any way to reorder them?
Avatar
@Cellebrite Is there a maximum number of images that PA will process at one time? I have a case where I am trying to use the Media Classification on 177,303 images. (It is quite a few, I know. That is why I am trying to classify them!) After loading the images it shows (177,303) next to the images, but after starting the Media Classification (and after it completes) it drops to (44,481). Thoughts?
Avatar
Avatar
JC🧐🧐
Hi, we have one Sony C2004 model (Android) with screen lock set as a pattern lock. Can we unlock the same by UFED? Please guide.
You may be able to bruteforce it via OTG
Avatar
Is anyone from @Cellebrite able to assist? I'm suddenly only able to open one instance of UFED PA. Many thanks. (edited)
Avatar
Avatar
sholmes
Thanks. That is what I was seeing and thought it might be as you described it. I made the mistake of ordering them by usage and lost the order of conversation. Any way to reorder them?
CLB-drorimon 3/29/2022 6:54 AM
You can order by the first column, or just close and reopen the tab.
👍 1
Avatar
Avatar
CLB-drorimon
You can order by the first column, or just close and reopen the tab.
The first column was the item number, and that did not appear to change the order back. If I remember correctly, this column did not change when the rest of the columns changed. Reopening the tab also did not put them back into order. I will reopen the case and double-check this and let you know.
Avatar
Thanks @CLB-drorimon You were right about column sorting. If I sort by the 2nd column it will put them back into original order! However, reopening the tab does not put them back in order. I tested this on both PA 7.54.1.7 and the immediate previous version 7.53.x.x.
Salute 1
Avatar
@Magnet Forensics I have a portable Axiom report, v5.10.0.30634, that has been reviewed by the investigator. They tagged 1169 artifacts. On the home page of the Axiom report, under the "Tags and Comments" drop down on the right, under the 'Tags Added by Reviewers', you can see Bookmark: 1169. Good so far. This is the only tag category here, and it also says there are no comments included in the case. However, next to the header "Tags and Comments", there is the number (2022). Can anyone give me a clue as to where this number is coming from?
Avatar
ScottKjr3347 3/29/2022 3:55 PM
@Cellebrite @Magnet Forensics @Oxygen Forensics and to anyone else who might have the answer, please save me before I go down the rabbit hole.🤞 iOS 15.3.2 Has anyone tested and decoded the snapchat (v11.70.0) database: scdb-27.sqlite3 ZGALLERYENTRY table and the following columns: ZENTRYSOURCE ZSOURCES Also, the differences between the multiple timestamp columns? They look pretty self-explanatory, but it’s worth a shot? It’s looking a lot like Photos.sqlite and I'm having severe anxiety 😳 (edited)
Avatar
Avatar
FullTang
@Cellebrite Is there a maximum number of images that PA will process at one time? I have a case where I am trying to use the Media Classification on 177,303 images. (It is quite a few, I know. That is why I am trying to classify them!) After loading the images it shows (177,303) next to the images, but after starting the Media Classification (and after it completes) it drops to (44,481). Thoughts?
Does it drop the total number of images or just the classified ones?
Avatar
Avatar
mcdoz
Does it drop the total number of images or just the classified ones?
All images. My total number of images in the case is now 44,481. I am also classifying with Axiom, but I wanted to use both tools if possible.
Avatar
Avatar
FullTang
All images. My total number of images in the case is now 44,481. I am also classifying with Axiom, but I wanted to use both tools if possible.
Can’t say I have ever seen that. Is it one single extraction or more? (Logical, advanced logical, physical)
Avatar
Avatar
mcdoz
Can’t say I have ever seen that. Is it one single extraction or more? (Logical, advanced logical, physical)
I think I figured it out. There are three possible reasons for PA showing a reduced number of photos: 1) Deduplication 2) NSRL lists 3) Blank/empty photos
Avatar
Hello, I have a FFS extraction done with Qualcomm Live on Samsung A715F. I found Outlook databases with acompliAcct.db for the accounts, but can't find acompli.db to retrieve mails. Anyone knows if the database name can be different? Or has it not been extracted? (edited)
Avatar
Anyone having an idea how to interpret installation and uninstallation of apps in knowledgeC.db? I'm asking because I have like 20 different posts of install and uninstall of the app Wickr on a device. Could that really be the case? Some installations and uninstallations are like 1 minute from each other.
Avatar
Avatar
jaikl
Anyone having an idea how to interpret installation and uninstallation of apps in knowledgeC.db? I'm asking because I have like 20 different posts of install and uninstall of the app Wickr on a device. Could that really be the case? Some installations and uninstallations are like 1 minute from each other.
My first thought would be app updates
Avatar
Avatar
Nutelap
Hello, I have a FFS extraction done with Qualcomm Live on Samsung A715F. I found Outlook databases with acompliAcct.db for the accounts, but can't find acompli.db to retrieve mails. Anyone knows if the database name can be different? Or has it not been extracted? (edited)
Mail cache seems stored in olmac directory
Avatar
Avatar
pug4N6
My first thought would be app updates
seems unrealistic during the same day
Avatar
Avatar
jaikl
seems unrealistic during the same day
Ah, same day, well, not sure then, sorry
Avatar
Hello! Has anyone ever dealt with the decoding of the "batterystats-daily.xml" under Android 6? Located in the file system under "/system/batterystats-daily.xml" Thanks in advance!
Avatar
Avatar
3rd1
Hello! Has anyone ever dealt with the decoding of the "batterystats-daily.xml" under Android 6? Located in the file system under "/system/batterystats-daily.xml" Thanks in advance!
Andrew Rathbun 3/30/2022 5:41 AM
Android 6??? 👀
Avatar
Avatar
Andrew Rathbun
Android 6??? 👀
6.0.1 😄
Avatar
Avatar
jaikl
Anyone having an idea how to interpret installation and uninstallation of apps in knowledgeC.db? I'm asking because I have like 20 different posts of install and uninstall of the app Wickr on a device. Could that really be the case? Some installations and uninstallations are like 1 minute from each other.
JLindmar (83AR) 3/30/2022 6:52 AM
Try corroborating the activity using the mobile_installation.log.# files in "/private/var/installd/Library/Logs/MobileInstallation".
Avatar
burgers_N_bytes 3/30/2022 7:49 AM
Anyone familiar with the log entry mDNSResponder/com.Apple.Maps in database DataUsage.SQLite?
Avatar
@Magnet Forensics Is there a way to create a portable case of all the items in the case that were NOT tagged? (edited)
Avatar
@Brigs Can you select Untagged Items only, then go up to Matching Results, and then Right Click in the Results area and create report. Under items to include, you can then select Items in the Current View, which should match the untagged items number. Might be worth a try.
Avatar
Avatar
FullTang
I think I figured it out. There are three possible reasons for PA showing a reduced number of photos: 1) Deduplication 2) NSRL lists 3) Blank/empty photos
Album artwork always gets me. Is always duplicated and, depending on the phone, will have like 4-5 images of the same music album artwork
👍 1
Avatar
Avatar
Pixel
Is anyone from @Cellebrite able to assist? I'm suddenly only able to open one instance of UFED PA. Many thanks. (edited)
CLB_iwhiffin 3/30/2022 9:56 AM
Which version of PA?
Avatar
I'm running into long file paths trying to export out to RSMF with @Oxygen Forensics . Exporting to the root of a drive and also tried exporting to a network location with a fully qualified network path, but still getting errors. Anyone encountered this and/or know a way around it?
Avatar
Avatar
Luminate
I'm running into long file paths trying to export out to RSMF with @Oxygen Forensics . Exporting to the root of a drive and also tried exporting to a network location with a fully qualified network path, but still getting errors. Anyone encountered this and/or know a way around it?
JLindmar (83AR) 3/30/2022 11:20 AM
I don't have specific guidance for you if it's an issue unique to Oxygen, but you can try enabling long paths (>260 characters, Win32): https://docs.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=cmd
Maximum path length limitation.
Avatar
Avatar
JLindmar (83AR)
I don't have specific guidance for you if it's an issue unique to Oxygen, but you can try enabling long paths (>260 characters, Win32): https://docs.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=cmd
thanks for the suggestion. We tried the normal work arounds, but seems like it's an issue with the program itself
Avatar
Avatar
Luminate
I'm running into long file paths trying to export out to RSMF with @Oxygen Forensics . Exporting to the root of a drive and also tried exporting to a network location with a fully qualified network path, but still getting errors. Anyone encountered this and/or know a way around it?
Oxygen Forensics 3/30/2022 11:55 PM
Hello! This will be addressed with our next release - 14.4
Avatar
Hey there geeks, can anyone point me to the place where Android WhatsApp records whether or not audio, images, video and documents are downloaded or not and what medium. In the lovely Apple phones they have a great PLIST full of fun crunchy stuff but I am seeing similar things in Android WhatsApp but not specifically for the download policy. I am looking as I type so may update this thread myself!
1:54 AM
I have also checked preferences.xml
1:57 AM
Or is it something that if it isn't set it doesn't feature until it is set? I have seen that in other apps before
Avatar
Hi, can anyone confirm for me whether UFED PA displays SQL databases with the WAL file having been committed? I can see that the wal file is available to view separately, I'm just getting some inconsistencies with the live data compared to the database and trying to figure out how PA is decoding this
Avatar
@Cellebrite In your watchlist feature, is there a means to exclude words such as torpedo or pedometer
5:50 AM
But still have other hits containing csam words (just trying to find a means to get rid of false positives)
Avatar
Avatar
Rob
@Cellebrite In your watchlist feature, is there a means to exclude words such as torpedo or pedometer
I had a case once where a submarine captain loved walking a lot, that would have been handy
🤣 1
Avatar
Avatar
Zhaan
Hey there geeks, can anyone point me to the place where Android WhatsApp records whether or not audio, images, video and documents are downloaded or not and what medium. In the lovely Apple phones they have a great PLIST full of fun crunchy stuff but I am seeing similar things in Android WhatsApp but not specifically for the download policy. I am looking as I type so may update this thread myself!
CLB_joshhickman1 3/31/2022 6:35 AM
The file you're after is com.whatsapp_preferences_light.xml in the sharedprefs folder. The default setting is only Photos are automatically downloaded over cellular, everything (Photos, Audio, Video, & Documents) is automatically downloaded over Wi-Fi, and nothing is automatically downloaded while roaming. If the defaults have not changed, then the xml file will not have the tags autodownload_cellular_mask, autodownload_wifi_mask, or autodownload_roaming_mask. If any of them have changed, then the respective tags will be present with a particular value. There are a bunch of different combinations you can have, but what I've observed so far is 0=nothing, 1=Photos, 3=Photos,Audio, 7=Photos,Audio,Video and 15=Photos,Audio,Video,Documents. The values are the same for Cellular, Wifi, and Roaming. (edited)
👍 4
6:35 AM
Obviously, the tags can have other values depending on what combinations are selected by the user.
6:36 AM
This is for the latest version of WhatsApp, btw (2.22.6.72)
Avatar
Avatar
CLB_joshhickman1
The file you're after is com.whatsapp_preferences_light.xml in the sharedprefs folder. The default setting is only Photos are automatically downloaded over cellular, everything (Photos, Audio, Video, & Documents) is automatically downloaded over Wi-Fi, and nothing is automatically downloaded while roaming. If the defaults have not changed, then the xml file will not have the tags autodownload_cellular_mask, autodownload_wifi_mask, or autodownload_roaming_mask. If any of them have changed, then the respective tags will be present with a particular value. There are a bunch of different combinations you can have, but what I've observed so far is 0=nothing, 1=Photos, 3=Photos,Audio, 7=Photos,Audio,Video and 15=Photos,Audio,Video,Documents. The values are the same for Cellular, Wifi, and Roaming. (edited)
Nice one, I had been sniffing round there but hadn't got my test rig to cover it yet, thank you.
Avatar
Users of Magnet Axiom may have noticed the following screen when loading iOS evidence into Axiom Process. It works with GK plist files, 'UUID_keychain.plist' but doesn't currently work with UFED ones, 'backup_keychain_v2.plist'. I found a python script on github that decrypts the UFED one but it didn't output it in the form Axiom accepted. I've modified it and so now the output is accepted by Axiom. The script can be found at https://gist.github.com/AmNe5iA/f3a35a9f686d185f178edfc55b944b10 . Useful for when loading a UFED checkm8 extraction as potentially more data will be decoded by Axiom. (edited)
UFED KeychainDump Decrypter . GitHub Gist: instantly share code, notes, and snippets.
👍 5
Salute 2
7:18 AM
The UFED plist 'backup_keychain_v2.plist' can be found in the 'KeychainDump' folder if you select the legacy DAR method. Or in the 'KeychainDump' subfolder in the 'extras' folder within the zip file if you select the newer CLBX format. Applies to Trevor plists as well.
Arcain pinned a message to this channel. 3/31/2022 7:25 AM
Avatar
Avatar
Alex Owen
Hi, can anyone confirm for me whether UFED PA displays SQL databases with the WAL file having been committed? I can see that the wal file is available to view separately, I'm just getting some inconsistencies with the live data compared to the database and trying to figure out how PA is decoding this
JLindmar (83AR) 3/31/2022 7:29 AM
My understanding from Cellebrite support years ago, as well as testing with external SQLite viewers, is that PA DOES include the contents of the WAL when viewing a database in its internal viewer. (edited)
Avatar
Avatar
Oxygen Forensics
Hello! This will be addressed with our next release - 14.4
Mobile_Digger 3/31/2022 8:05 AM
When will it be released?
Avatar
Avatar
CLB_joshhickman1
The file you're after is com.whatsapp_preferences_light.xml in the sharedprefs folder. The default setting is only Photos are automatically downloaded over cellular, everything (Photos, Audio, Video, & Documents) is automatically downloaded over Wi-Fi, and nothing is automatically downloaded while roaming. If the defaults have not changed, then the xml file will not have the tags autodownload_cellular_mask, autodownload_wifi_mask, or autodownload_roaming_mask. If any of them have changed, then the respective tags will be present with a particular value. There are a bunch of different combinations you can have, but what I've observed so far is 0=nothing, 1=Photos, 3=Photos,Audio, 7=Photos,Audio,Video and 15=Photos,Audio,Video,Documents. The values are the same for Cellular, Wifi, and Roaming. (edited)
Mobile_Digger 3/31/2022 8:09 AM
If we found just the database of WhatsApp, is it possible we can know the number?
Avatar
Avatar
Alex Owen
Hi, can anyone confirm for me whether UFED PA displays SQL databases with the WAL file having been committed? I can see that the wal file is available to view separately, I'm just getting some inconsistencies with the live data compared to the database and trying to figure out how PA is decoding this
I don't know the official answer to this, BUT they do have a button to "Include recovered records" when viewing a database file that would likely have to pull information from the WAL ... Seems many folks don't know about the button and I feel it's a FANTASTIC feature
👍 1
Avatar
Avatar
Mobile_Digger
When will it be released?
Oxygen Forensics 3/31/2022 8:21 AM
Hello, mid-April
Avatar
Avatar
Alex Owen
Hi, can anyone confirm for me whether UFED PA displays SQL databases with the WAL file having been committed? I can see that the wal file is available to view separately, I'm just getting some inconsistencies with the live data compared to the database and trying to figure out how PA is decoding this
Definitely does
Avatar
Avatar
Alex Owen
Hi, can anyone confirm for me whether UFED PA displays SQL databases with the WAL file having been committed? I can see that the wal file is available to view separately, I'm just getting some inconsistencies with the live data compared to the database and trying to figure out how PA is decoding this
ScottKjr3347 3/31/2022 8:34 AM
If you're willing to share the name of the database I'm willing to do some testing to see what I can come up with? I recently shared this on another Listserve, it appears recently CB began parsing db free pages. From my past experiences with CB PA, if you review the source path it will designate if the artifact is coming from the db or wal. Recently if something is coming from the free pages it will indicate the source is the db but will have a red X. The only way to truly know is to test that specific db. Additionally I believe in a near future release of PA they will have the db table name with the pk or row id from where the data is being parsed, which will make it easier to validate your question. I don't believe they commit the wal data during parsing. (edited)
Avatar
Avatar
ScottKjr3347
If you're willing to share the name of the database I'm willing to do some testing to see what I can come up with? I recently shared this on another Listserve, it appears recently CB began parsing db free pages. From my past experiences with CB PA, if you review the source path it will designate if the artifact is coming from the db or wal. Recently if something is coming from the free pages it will indicate the source is the db but will have a red X. The only way to truly know is to test that specific db. Additionally I believe in a near future release of PA they will have the db table name with the pk or row id from where the data is being parsed, which will make it easier to validate your question. I don't believe they commit the wal data during parsing. (edited)
The database I'm working with is History.db, associated with the Safari browser. I have some entries displaying the red X in UFED PA, suggesting deletion, however I'm looking at the raw data and can't work out where it's pulling that from. What makes it more complicated is that the live data in the device for the history is totally blank, so I can't verify what is user viewable.
Avatar
Avatar
Mobile_Digger
If we found just the database of WhatsApp, is it possible we can know the number?
CLB_joshhickman1 3/31/2022 8:46 AM
There are several databases, but I haven’t seen any of them include information about this particular setting.
Avatar
Avatar
Brigs
@Magnet Forensics Is there a way to create a portable case of all the items in the case that were NOT tagged? (edited)
Answering my own question: Axiom has a Untagged items option in the Tags and Comments menu. 1) Tag what you don't want. 2) Make a portable case of untagged items. 3) Done. (edited)
👍 4
Avatar
Avatar
JLindmar (83AR)
My understanding from Cellebrite support years ago, as well as testing with external SQLite viewers, is that PA DOES include the contents of the WAL when viewing a database in its internal viewer. (edited)
ScottKjr3347 3/31/2022 10:30 AM
Just tested the internal sqlite viewer in PA 7.54.1.7 and it does include the wal data for the db. The parsed data will be listed according to its source. (edited)
Avatar
Avatar
ScottKjr3347
Just tested the internal sqlite viewer in PA 7.54.1.7 and it does include the wal data for the db. The parsed data will be listed according to its source. (edited)
CLB_iwhiffin 3/31/2022 11:47 AM
Exactly correct.
Avatar
Avatar
Alex Owen
The database I'm working with is History.db, associated with the Safari browser. I have some entries displaying the red X in UFED PA, suggesting deletion, however I'm looking at the raw data and can't work out where it's pulling that from. What makes it more complicated is that the live data in the device for the history is totally blank, so I can't verify what is user viewable.
CLB_iwhiffin 3/31/2022 11:48 AM
It’s likely coming from a free page. Have you tried the little pickaxe icon on the SQLite viewer?
👍 1
Avatar
any idea where to get this password. I have a ffs
12:39 PM
Also have the androidkeystore however it doesn't give me anything for Signal.
Avatar
Yes this is an android. Device sorry
Avatar
Avatar
Dam
@Cellebrite With the release of PA 7.52 you support Android GK extraction but there we cannot add the keystore... Is it planned to support the keystore?
Did you get any answer on this question?
Avatar
Avatar
Ghosted
Did you get any answer on this question?
Only answer was « yes in the works » so nothing more. I didn’t try with PA 7.54
Avatar
Avatar
Ghosted
any idea where to get this password. I have a ffs
Regarding signal, did you try that : https://rado0z.github.io/Decrypt_Android_Database
👍 1
Avatar
@Dam Thanks I will review the release notes for PA 7.54 and see if there is anything.
Avatar
Avatar
Ghosted
@Dam Thanks I will review the release notes for PA 7.54 and see if there is anything.
CLB-drorimon 4/1/2022 1:58 AM
It is planned for 7.55, but not guaranteed yet.
👍 1
Salute 1
Avatar
Does anyone know if it's possible to identify if an image was taken using a self-timer on iOS 15 (edited)
Avatar
Avatar
Rob
Does anyone know if it's possible to identify if an image was taken using a self-timer on iOS 15 (edited)
there might be a flag in the photos database, @ScottKjr3347 do you know?
Avatar
Avatar
stark4n6
there might be a flag in the photos database, @ScottKjr3347 do you know?
ScottKjr3347 4/1/2022 10:51 AM
Checking on it…thought I had one already in a video, but didn’t. Looking for indicators now. (edited)
👍 1
Avatar
Thanks! (edited)
Avatar
Avatar
Rob
Does anyone know if it's possible to identify if an image was taken using a self-timer on iOS 15 (edited)
ScottKjr3347 4/1/2022 6:08 PM
Found in iOS 14.7 and iOS 15.1 for the Native Camera Application (com.apple.camera). Based on very limited testing, please verify: If the data is saved for every asset captured, it's not somewhere easy to find or determine. I haven't decoded all the values, but I would suggest checking the following in Photos.sqlite: ZCLOUDMASTERMEDIAMETADATA table, ZDATA column for the asset of interest. The content is a BLOB that contains metadata for each asset. I believe the answer is in this data but it will take some time to test and decode all of the different values.
The other plist located is com.apple.camera.plist. This plist is stored at: \private\var\mobile\Library\Preferences\com.apple.camera.plist. The plist contains a value for CAMUserPreferenceTimerDuration. I have decoded the following values but working on additional testing:
0 = OFF or no timer
1 = 3 seconds
2 = 10 seconds
Salute 1
6:09 PM
These values would be populated when the timer setting was set, asset was captured, then the camera application was suspended/sent to the background or closed while the setting was still set. Example: if the timer setting was set to 3 seconds, a photo was captured, and the app was suspended or closed, the value in the plist would be set to 1 in the plist. If I suspended or closed the camera app and then reopened the app, the previous timer setting would be cleared and the timer would be set to off or no timer, meaning the value in the plist would be set back to 0. I had to manually change the timer setting when the camera app was opened or brought back into focus. Based on limited testing, there appears to be two types of settings listed in this plist. There are some settings that were the last settings used by the camera application (like the timer) and there are other settings that are set as the defaults that are controlled via the camera application, which can be accessed on the device by navigating to Settings > Camera. Not really the answer you are looking for but the best I got right now. (edited)
👍 1
Avatar
Amazing! Gives me a place to start as got a court giving me only a few days to find out 😅
manuelevlr 4/2/2022 2:53 AM
Hello everyone, are PA or Axiom able to interpret the JSON data relating to an Instagram profile (the automatic download procedure provided by the social network itself has been carried out)?
manuelevlr
Hello everyone, are PA or Axiom able to interpret the JSON data relating to an Instagram profile (the automatic download procedure provided by the social network itself has been carried out)?
If the json is a search warrant response by the provider try this: https://github.com/abrignoni/RLEAPP (edited)
Returns Logs Events And Properties Parser.
👍 1
Hi, I have an iPhone where I try to understand some geolocation. At the same time on the same day, the cache.sqlite shows a geolocation in a particular city and the cache_encryptedB.db (wifi) shows a city 2000 km away. I understand that the cache_encryptedB is not reliable, but is it because the suspect travelled with his router? Is it something related to the BSSID?
Would someone care to give a good explanation of Native messages in Cellebrite Reader? Heather Mahalik has a video up on YT but the only explanation there is that it lacks a chat identifier. My take is that it's native due to it being sent with a built-in messaging app such as the stock SMS app.. Any takers? 🙂
RFC2324
Would someone care to give a good explanation of Native messages in Cellebrite Reader? Heather Mahalik has a video up on YT but the only explanation there is that it lacks a chat identifier. My take is that it's native due to it being sent with a built-in messaging app such as the stock SMS app.. Any takers? 🙂
I'd say you're bang on 🙂
Does anyone have any idea what the difference between data\user\0\com.sec.android.gallery3d and data\data\com.sec.android.gallery3d? (edited)
5:54 AM
Android 11
Pacman
Android 11
I'm looking at a physical for a Galaxy S7 and \data\user\0 is a symlink to \data\data so I'm guessing none.
AmNe5iA
I'm looking at a physical for a Galaxy S7 and \data\user\0 is a symlink to \data\data so I'm guessing none.
Yeah my research came to the same answer - I just wanted to see if anyone here had a better technical explanation. 😊
I had a look through some UFED FFS extractions for Samsung FBE devices and the folder \data\user\ is empty in the UFED extraction zip file. Maybe your extraction tool ignored the fact it was following a symlink and created duplicates?
Pacman
Does anyone have any idea what the difference between data\user\0\com.sec.android.gallery3d and data\data\com.sec.android.gallery3d? (edited)
AFAIK it's to do with Android 11 sandboxing applications for permission settings. but it's the same data. https://developer.android.com/about/versions/11/privacy/storage#other-apps-data (edited)
😋 1
torskepostei 4/4/2022 7:09 AM
iOS KnowledgeC question: I have a test device where I have deleted a video using the Photos app (com.apple.mobileslideshow). The video was deleted at 11:06:31. When I check knowledgeC I find that there is a row that logs this (among other values):
  • bundleId=com.apple.mobileslideshow
  • ZVALUESTRING=com.apple.assetsd.cacheDelete
  • ZSTREAMNAME=/disk/subsystemAccess
  • Start=11:06:08
  • End=11:07:08
Does anyone know what "com.apple.assetsd.cacheDelete" is? Does this mean that the Photos app simply had access to internal storage in that timeframe? Is it possible to say that it actually deleted something? (edited)
Pacman
Does anyone have any idea what the difference between data\user\0\com.sec.android.gallery3d and data\data\com.sec.android.gallery3d? (edited)
JLindmar (83AR) 4/4/2022 7:15 AM
As @AmNe5iA already said, the cause for the duplicate data has to do with symbolic links and associating the data with the correct device user profile, in this case "0". Depending on the acquisition type, using tar for example, the data will be archived to the "main" location (e.g. data/data/com.sec.android.gallery3d) as well as the associated device user profile path (e.g. data/user/0/com.sec.android.gallery3d) because of that symbolic link. It gets more interesting when there is more than one device user! (edited)
CLB-Paul
I'd say you're bang on 🙂
👍 🙂
torskepostei
iOS KnowledgeC question: I have a test device where I have deleted a video using the Photos app (com.apple.mobileslideshow). The video was deleted at 11:06:31. When I check knowledgeC I find that there is a row that logs this (among other values):
  • bundleId=com.apple.mobileslideshow
  • ZVALUESTRING=com.apple.assetsd.cacheDelete
  • ZSTREAMNAME=/disk/subsystemAccess
  • Start=11:06:08
  • End=11:07:08
Does anyone know what "com.apple.assetsd.cacheDelete" is? Does this mean that the Photos app simply had access to internal storage in that timeframe? Is it possible to say that it actually deleted something? (edited)
Andrew Rathbun 4/4/2022 9:21 AM
@ScottKjr3347 might have an idea?
👍 1
AmNe5iA
I had a look through some UFED FFS extractions for Samsung FBE devices and the folder \data\user\ is empty in the UFED extraction zip file. Maybe your extraction tool ignored the fact it was following a symlink and created duplicates?
Can you give me some more details?
9:24 AM
Shoot me a DM.
torskepostei
iOS KnowledgeC question: I have a test device where I have deleted a video using the Photos app (com.apple.mobileslideshow). The video was deleted at 11:06:31. When I check knowledgeC I find that there is a row that logs this (among other values):
  • bundleId=com.apple.mobileslideshow
  • ZVALUESTRING=com.apple.assetsd.cacheDelete
  • ZSTREAMNAME=/disk/subsystemAccess
  • Start=11:06:08
  • End=11:07:08
Does anyone know what "com.apple.assetsd.cacheDelete" is? Does this mean that the Photos app simply had access to internal storage in that timeframe? Is it possible to say that it actually deleted something? (edited)
ScottKjr3347 4/4/2022 9:28 AM
DM sent
👍 1
Dam
Hi, I have an iPhone where I try to understand some geolocation. At the same time on the same day, the cache.sqlite shows a geolocation in a particular city and the cache_encryptedB.db (wifi) shows a city 2000 km away. I understand that the cache_encryptedB is not reliable, but is it because the suspect travelled with his router? Is it something related to the BSSID?
theAtropos4n6 4/4/2022 10:30 AM
Some locations within cache_encryptedB.db are simply downloaded from Apple and have nothing to do with the user's actual location. In case you have not watched it, I highly recommend watching this "I beg to DFIR" episode. @CLB_iwhiffin and the team of Cellebrite explain a TON on which location artifacts are trustworthy. https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
In this episode, we are joined by special guests Jared Barnhart & Ian Whiffin to discuss location information as recorded by iOS and Android devices. Location data has been integral to many investigations but there are so many different types of location artifacts that are recorded by a device that it can be challenging to …
theAtropos4n6
Some locations within cache_encryptedB.db are simply downloaded from Apple and have nothing to do with the user's actual location. In case you have not watched it, I highly recommend watching this "I beg to DFIR" episode. @CLB_iwhiffin and the team of Cellebrite explain a TON on which location artifacts are trustworthy. https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
Thanks. I already watched this episode but I cannot figure out why I have this difference. The city that is 2000 km away is a city where the suspect was a few days earlier.
Dam
Thanks. I already watched this episode but I cannot figure out why I have this difference. The city that is 2000 km away is a city where the suspect was a few days earlier.
theAtropos4n6 4/4/2022 10:37 AM
Do you have time to check the 21st minute of the video again? This is where cache_encryptedB.db gets explained...
theAtropos4n6
Do you have time to check the 21st minute of the video again? This is where cache_encryptedB.db gets explained...
I will check it again. Maybe I forgot something. Thank you for the information
Dam
I will check it again. Maybe I forgot something. Thank you for the information
theAtropos4n6 4/4/2022 10:43 AM
No problem 🙂
CLB_iwhiffin 4/4/2022 11:01 AM
Think about it like this:
1) I travel to New York. It's the first time I have ever been. The cache.sqlite is populated with the locations where I am and accurate timestamps.
2) At some point, my device communicates with Apple servers and says "Hey, this device has been to New York" and Apple respond with useful information about the area including the WiFi networks (not only the ones I can connect to, but the ones that the device can use to work out where I am if GPS isn't available).
3) I return home to Canada. My device is still recording the device's actual location & timestamp in cache.sqlite.
4) Now when my device communicates with Apple, it may decide to give me updated information on New York, in case I return there.
So, cache.sqlite is always recording good locations and good timestamps (with caveats). cache_encryptedB is all information Apple think may be useful to the device, based on location history. The timestamp is the time the data is downloaded to the device, NOT the time the device was there.
👍 7
🥰 1
CLB_iwhiffin
Think about it like this:
1) I travel to New York. It's the first time I have ever been. The cache.sqlite is populated with the locations where I am and accurate timestamps.
2) At some point, my device communicates with Apple servers and says "Hey, this device has been to New York" and Apple respond with useful information about the area including the WiFi networks (not only the ones I can connect to, but the ones that the device can use to work out where I am if GPS isn't available).
3) I return home to Canada. My device is still recording the device's actual location & timestamp in cache.sqlite.
4) Now when my device communicates with Apple, it may decide to give me updated information on New York, in case I return there.
So, cache.sqlite is always recording good locations and good timestamps (with caveats). cache_encryptedB is all information Apple think may be useful to the device, based on location history. The timestamp is the time the data is downloaded to the device, NOT the time the device was there.
theAtropos4n6 4/4/2022 11:09 AM
Nailed it! Salute 👏
😀 1
CLB_iwhiffin
Think about it like this:
1) I travel to New York. It's the first time I have ever been. The cache.sqlite is populated with the locations where I am and accurate timestamps.
2) At some point, my device communicates with Apple servers and says "Hey, this device has been to New York" and Apple respond with useful information about the area including the WiFi networks (not only the ones I can connect to, but the ones that the device can use to work out where I am if GPS isn't available).
3) I return home to Canada. My device is still recording the device's actual location & timestamp in cache.sqlite.
4) Now when my device communicates with Apple, it may decide to give me updated information on New York, in case I return there.
So, cache.sqlite is always recording good locations and good timestamps (with caveats). cache_encryptedB is all information Apple think may be useful to the device, based on location history. The timestamp is the time the data is downloaded to the device, NOT the time the device was there.
That is great information. Thanks 🙏🏻 It will also help me explain to others.
Not sure if anyone else has seen this before, but manually reviewing an SMS.db from an iPhone, there are a bunch of messages in the messages table that have a handle_id of 0. There is no 0 handle in the handle table. Anyone else seen this before and know what might cause this?
CLB_iwhiffin 4/4/2022 3:51 PM
I have seen it often but can't recall the reason I came up with to explain it off the top of my head. You should still be able to work it back though (at least I can on my test device):
Take the message ID and find it in chat_message_join.
Take the chat ID and find it in chat_handle_join.
Take the handle ID and find the person in the handle table.
If I recall why it's 0 in the first place I'll update.
King Pepsi 4/5/2022 3:54 AM
Hi, does anyone know if Android stores Google account logins? I'm trying to see if a user has tried logging in to a Google account and failed. Samsung Galaxy S9, Android 8.0
3:54 AM
Thanks!
King Pepsi
Hi, does anyone know if Android stores Google account logins? I'm trying to see if a user has tried logging in to a Google account and failed. Samsung Galaxy S9, Android 8.0
theAtropos4n6 4/5/2022 6:15 AM
Failed login when setting up the phone, while using a browser like Chrome, or something else?
King Pepsi 4/5/2022 6:16 AM
Yeah when setting up the phone, I’m not sure it was through the browser though!
King Pepsi
Yeah when setting up the phone, I’m not sure it was through the browser though!
theAtropos4n6 4/5/2022 6:27 AM
In that case I cannot help. What I would suggest is going through the Android native files of interest (related to account details) and checking each one for any valuable information (timestamps, last login etc). These files are documented in more detail in the SANS FOR585 poster. It is available here: https://www.sans.org/posters/dfir-advanced-smartphone-forensics/ (edited)
Salute 1
Hi! I have an iOS FFS with Proton Mail. Is there a way to parse it? Does it work with iLEAPP?
callzor
Hi! I have an iOS FFS with Proton Mail. Is there a way to parse it? Does it work with iLEAPP?
Yes it does. Check this video out. It decrypts attachments as well. https://www.youtube.com/watch?v=r5KMEhkfouw (edited)
👍 2
I was just using @Magnet Forensics Axiom to parse a windows computer. Axiom located an iPhone 6 backup. When looking at the backup folders, I noticed a second backup on the same day. When looking at the info.plist, I noticed these were for 2 different phones (iPhone 6 and iPhone 12 Mini). Has anyone seen this before? I didn't have any failures during parsing, so not sure why it didn't parse both folders. I will contact support if nobody has seen this before.
3:09 PM
The weird part is, it lists the iOS backup from the 12 mini in iOS backups, but lists the iPhone 6 under iOS Device Information. So it did parse both, but isn't displaying all the information from each.
3:11 PM
using Axiom 5.10.0.30634
3:16 PM
Installed Applications, Application Permissions, Apple Accounts and iOS Home Screen Items only list items from the iPhone 6. (edited)
I tried to parse the Snapchat database arroyo.db with the tool from ogg3 to recover fragments of deleted messages as well as of other used accounts. Unfortunately I did not succeed. Is there any way at all to find fragments or references to deleted messages? And what if someone uses Snapchat with three or more accounts? How can I parse them, if at all? UFED only takes over the current account (Android version). Thanks, regards
sholmes
The weird part is, it lists the iOS backup from the 12 mini in iOS backups, but lists the iPhone 6 under iOS Device Information. So it did parse both, but isn't displaying all the information from each.
Perhaps the iPhone 12 backup is encrypted?
👍 1
sholmes
I was just using @Magnet Forensics Axiom to parse a windows computer. Axiom located an iPhone 6 backup. When looking at the backup folders, I noticed a second backup on the same day. When looking at the info.plist, I noticed these were for 2 different phones (iPhone 6 and iPhone 12 Mini). Has anyone seen this before? I didn't have any failures during parsing, so not sure why it didn't parse both folders. I will contact support if nobody has seen this before.
theAtropos4n6 4/6/2022 1:10 AM
+1 to what @4n6_5w3 said. It might be an encrypted iOS backup. AXIOM does a terrific job parsing iOS backups. Maybe the iOS Device Information artifact from the iPhone 6 is retrieved from Info.plist, which is not encrypted. Can you see the data within Manifest.db from the iPhone 6 backup folder or not?
👍 1
If you are using Axiom then the files from the MobileSync folders should be visible under the "Encrypted files" artifact section, if they are encrypted.. 🙂 The .plist can be brute-forced in Passware or hashcat.
👍 1
@Brigs Thanks!
Borderbingo 4/6/2022 2:54 AM
Any guidance on where I can get information on what Cellebrite can decode in regards to cryptocurrency?
Is such an amount of location data possible? It's an iPhone 7 (4PC, checkm8). Location parsing in CPA has been running for 24 hours now and is still counting. Btw, is there a command that quits location carving so that the part already acquired can be used?
theAtropos4n6
+1 to what @4n6_5w3 said. It might be an encrypted iOS backup. AXIOM does a terrific job parsing iOS backups. Maybe the iOS Device Information artifact from the iPhone 6 is retrieved from Info.plist, which is not encrypted. Can you see the data within Manifest.db from the iPhone 6 backup folder or not?
I will check that today. As we were spitballing answers around the lab last night, that is what we thought it could be. I will check them today.
👍 1
theAtropos4n6
+1 to what @4n6_5w3 said. It might be an encrypted iOS backup. AXIOM does a terrific job parsing iOS backups. Maybe the iOS Device Information artifact from the iPhone 6 is retrieved from Info.plist, which is not encrypted. Can you see the data within Manifest.db from the iPhone 6 backup folder or not?
Thanks for the manifest.db lead. iPhone 12 is not readable and iPhone 6 is.
sholmes
Thanks for the manifest.db lead. iPhone 12 is not readable and iPhone 6 is.
theAtropos4n6 4/6/2022 6:12 AM
No problem. Glad it helped. You can extract the backup folder and try Passware or other tools. Of course if you have the password you can export the folder and process it again with Axiom using the iOS->backup folder import option
👍 1
For testing purposes, I extracted the backups and ran them through Axiom alone. Axiom parsed them the same as it did when they were in the computer E01. I still wonder why it doesn't parse info.plist the same from both extractions. I would think if it was able to get info.plist information from both, which it could, it would display it the same in the artifacts sections. I understand it can't get all the data which is encrypted. But the iOS Device Information screen comes from info.plist and it only lists the iPhone 6. I will run that by them to see what they say. I am going to try and passware the backup now. (edited)
@Cellebrite Does PA parse the browserstate.db on iOS? I don't see its results anywhere but can manually see what tabs were open by viewing the db in a SQLite viewer. It's relevant because this user had her phone set to private browsing and the name of the tab is a Google search that is VERY relevant. (edited)
sholmes
For testing purposes, I extracted the backups and ran them through Axiom alone. Axiom parsed them the same as it did when they were in the computer E01. I still wonder why it doesn't parse info.plist the same from both extractions. I would think if it was able to get info.plist information from both, which it could, it would display it the same in the artifacts sections. I understand it can't get all the data which is encrypted. But the iOS Device Information screen comes from info.plist and it only lists the iPhone 6. I will run that by them to see what they say. I am going to try and passware the backup now. (edited)
theAtropos4n6 4/6/2022 7:33 AM
Well, where is iOS backup information artifact retrieved from?
The Owner Information artifact is located in Info.plist. In my case I can manually read both Info.plists, but Axiom only shows the iPhone 6 data.
7:36 AM
However, it looks like they use 2 other sources for this data, which would be encrypted on the iPhone 12 side, so if they can't get all 3 sources, they probably skip that artifact. That would make sense. Or at least makes sense in my pea brain. 🙂
sholmes
The Owner Information artifact is located in Info.plist. In my case I can manually read both Info.plists, but Axiom only shows the iPhone 6 data.
theAtropos4n6 4/6/2022 7:41 AM
Yeap, I agree with you. You can also, go through Status.plist and Manifest.plist for some extra information about the backups. You only get data from one backup because the other is encrypted as you said.
👍 1
Chris
@Cellebrite Does PA parse the browserstate.db on iOS? I don't see its results anywhere but can manually see what tabs were open by viewing the db in a SQLite viewer. It's relevant because this user had her phone set to private browsing and the name of the tab is a Google search that is VERY relevant. (edited)
CLB_iwhiffin 4/6/2022 8:24 AM
It’s coming very soon. Maybe even in the next release if I recall.
Does anyone have any information on how/why Telegram stores videos in certain directories? I have an android extraction with videos stored in the 'Telegram Video' Directory as well as a video stored in the 'Telegram Documents' Directory.
theAtropos4n6
Yeap, I agree with you. You can also, go through Status.plist and Manifest.plist for some extra information about the backups. You only get data from one backup because the other is encrypted as you said.
Thanks for all your help today. Passware was able to crack the password, and now @Magnet Forensics Axiom is processing the decrypted version of the iPhone 12.
😎 2
sholmes
Thanks for all your help today. Passware was able to crack the password, and now @Magnet Forensics Axiom is processing the decrypted version of the iPhone 12.
theAtropos4n6 4/6/2022 9:25 AM
WOW! Huge success there. I am so glad that you were able to get that image. No problem at all! Salute
💯 3
👍 2
🔥 2
CLB_iwhiffin
It’s coming very soon. Maybe even in the next release if I recall.
thanks good to hear
Andrew Rathbun 4/6/2022 12:04 PM
Nice work @theAtropos4n6 @sholmes
Salute 1
leedemozza22 4/6/2022 12:41 PM
Has anyone had experience with getting anything from Amazon echo view .... I've downloaded an iPhone 11 (advanced logical only as file system is not possible). DM me if you want
Brigs
Yes it does. Check this video out. It decrypts attachments as well. https://www.youtube.com/watch?v=r5KMEhkfouw (edited)
Do you need to know the account password for this to work?
Rob
Do you need to know the account password for this to work?
Per the video:
  • iOS Keychain
  • iOS full file system extraction. For technical details see the following article as contained in the video description:
https://xperylab.medium.com/protonmail-forensic-decryption-of-ios-app-8e9ae9f50953
ProtonMail is a full PGP end-to-end encrypted email provider who is claiming privacy, anonymity and security.
👀 1
👍 1
Thanks!
👍 1
Off the back of your hands, what's your take on this..? (If I can describe the scenario clearly enough 😄)
A number of video clips are recorded within an hour, same room and incident. Several of the video clips were found under /Android/.Trash/com.sec.android.gallery3d with numerical filenames, while one, clip 6 of 7, was saved under /DCIM/Camera with a standard timestamp filename. A few days later there are another two clips. The first has a proper timestamp filename and is placed in /Camera. The second is also placed in /Camera but is named .trashed-(10 numbers)-timestamp. None of the files have created timestamps, only modified, but looking at the files with proper filenames, the modified timestamp corresponds with the filename + length of video clip.
1: Regarding .trash/[..].gallery3d/, my theory is that the user has been filming and afterwards deleting the files from the Samsung Gallery app.
2: Regarding the .trashed- clip, I'm thinking that it could have been deleted from the camera app directly.
3: Regarding the modified timestamps, my assumption is that the modified timestamp is when the system completes the file save to storage.
I don't have access to extraction devices to test this, therefore I'm asking here for input 🙂 (Sorry for any excess commas, got big thumbs 😅)
RFC2324
Off the back of your hands, what's your take on this..? (If I can describe the scenario clearly enough 😄)
A number of video clips are recorded within an hour, same room and incident. Several of the video clips were found under /Android/.Trash/com.sec.android.gallery3d with numerical filenames, while one, clip 6 of 7, was saved under /DCIM/Camera with a standard timestamp filename. A few days later there are another two clips. The first has a proper timestamp filename and is placed in /Camera. The second is also placed in /Camera but is named .trashed-(10 numbers)-timestamp. None of the files have created timestamps, only modified, but looking at the files with proper filenames, the modified timestamp corresponds with the filename + length of video clip.
1: Regarding .trash/[..].gallery3d/, my theory is that the user has been filming and afterwards deleting the files from the Samsung Gallery app.
2: Regarding the .trashed- clip, I'm thinking that it could have been deleted from the camera app directly.
3: Regarding the modified timestamps, my assumption is that the modified timestamp is when the system completes the file save to storage.
I don't have access to extraction devices to test this, therefore I'm asking here for input 🙂 (Sorry for any excess commas, got big thumbs 😅)
Regarding .trash/[..].gallery3d, I can now confirm that pictures from /DCIM/Camera, viewed and deleted within Samsung Gallery, will end up in that directory "..gallery3d".
Someone available from @Cellebrite for a quick question about PA?
RFC2324
Off the back of your hands, what's your take on this..? (If I can describe the scenario clearly enough 😄)
A number of video clips are recorded within an hour, same room and incident. Several of the video clips were found under /Android/.Trash/com.sec.android.gallery3d with numerical filenames, while one, clip 6 of 7, was saved under /DCIM/Camera with a standard timestamp filename. A few days later there are another two clips. The first has a proper timestamp filename and is placed in /Camera. The second is also placed in /Camera but is named .trashed-(10 numbers)-timestamp. None of the files have created timestamps, only modified, but looking at the files with proper filenames, the modified timestamp corresponds with the filename + length of video clip.
1: Regarding .trash/[..].gallery3d/, my theory is that the user has been filming and afterwards deleting the files from the Samsung Gallery app.
2: Regarding the .trashed- clip, I'm thinking that it could have been deleted from the camera app directly.
3: Regarding the modified timestamps, my assumption is that the modified timestamp is when the system completes the file save to storage.
I don't have access to extraction devices to test this, therefore I'm asking here for input 🙂 (Sorry for any excess commas, got big thumbs 😅)
theAtropos4n6 4/7/2022 3:26 AM
Done some testing and just checked with my phone's Trash bin. The files within Trash have a date marker on the top that indicates how many days are left for each file before it is deleted from the trash bin. So, what I believe about the ".trashed-(10 numbers)-timestamp" is this:
- The . denotes that the file is hidden, so the user cannot see it.
- The trashed denotes that the file has been sent to the trash.
- The timestamp could potentially denote when this file was sent to the trash.
So, when a file is deleted, the actual file remains under the same dir, it is renamed so that the user cannot see it, and a symlink is created within the trash bin to point to that file and the remaining days it has before being deleted from it. Again this is a wild guess and requires further testing, but my initial thoughts are these.. As far as the modified date, yeap, that is when the user ends the video recording and the file is saved. Do not know if this helps as well: https://cheeky4n6monkey.blogspot.com/2022/01/mike-monkey-dumpster-dive-into-samsung.html (edited)
Monkey assists Mike with another dive into the Samsung Gallery3d App.
theAtropos4n6
Done some testing and just checked with my phone's Trash bin. The files within Trash have a date marker on the top that indicates how many days are left for each file before it is deleted from the trash bin. So, what I believe about the ".trashed-(10 numbers)-timestamp" is this:
- The . denotes that the file is hidden, so the user cannot see it.
- The trashed denotes that the file has been sent to the trash.
- The timestamp could potentially denote when this file was sent to the trash.
So, when a file is deleted, the actual file remains under the same dir, it is renamed so that the user cannot see it, and a symlink is created within the trash bin to point to that file and the remaining days it has before being deleted from it. Again this is a wild guess and requires further testing, but my initial thoughts are these.. As far as the modified date, yeap, that is when the user ends the video recording and the file is saved. Do not know if this helps as well: https://cheeky4n6monkey.blogspot.com/2022/01/mike-monkey-dumpster-dive-into-samsung.html (edited)
Thanks! I checked the 10 numbers; it turns out it's probably epoch. There seems to be a 29-31 day grace period before deletion, and that epoch coincides with the date it was seized.
RFC2324
Thanks! I checked the 10 numbers; it turns out it's probably epoch. There seems to be a 29-31 day grace period before deletion, and that epoch coincides with the date it was seized.
theAtropos4n6 4/7/2022 4:08 AM
This is a good lead, right? Because items within trash remain there for a period of approximately 30 days. Maybe local.db and Cheeky Monkey's scripts can supplement your results.
👍 1
AnTaL
It creates "Apple Mail" and "Apple Mail Fragments", but the text is in the "Summary" attribute, not in the body, so the preview does not display properly, for example
Mel_Hungate 4/7/2022 7:23 AM
Not sure if you got an answer here - but Apple Mail Fragment is carving, which enables us to grab more data. Whereas Apple Mail parses SQL database, which only stores the summary (no body)
@Mel_Hungate Thanks but the preview of Apple Mail is still broken in these cases
7:38 AM
I opened a ticket with Magnet for this and it seems they are already on this issue.
dfir-rick
Does @Magnet Forensics still have issues affecting AirDrop artifacts on iOS devices running 15.XX?
Mel_Hungate 4/7/2022 7:38 AM
Again, not sure if you got an answer (is there a way on Discord to see all replies to a specific thread - discord noob here 🤦‍♀️ ) but we fixed the Airdrop issue for iOS15 in 5.10
AnTaL
I opened a ticket with Magnet for this and it seems they are already on this issue.
Mel_Hungate 4/7/2022 7:46 AM
Oh shoot, ok I'll track down the ticket then. DM'ing you
NineofSeven3 4/7/2022 11:23 AM
Hello, does anyone have any information on determining when an Android (LG) device was placed into Airplane Mode? Any suggestions would be helpful!
Avatar
Deleted User 4/8/2022 12:44 AM
Hello, I'm working a case where someone was robbed of their iPhone; the suspect forced the unlock of the iPhone and iCloud account. Now the mother of the victim suddenly notices a new member in the iCloud family with an unfamiliar Gmail account. Does anyone know how this can happen (to prove this has to be the Gmail address of the suspect)? Location sharing for the family is enabled. The mother has disabled the sharing of her own device. Is there a way to force Find My iPhone for this newly added account? Any suggestions on how to further investigate iCloud family activity would be helpful!
Avatar
Hi all. A logical extraction was made on an Android phone (SFR Startrail 7) with XRY 10. No IM app was on the phone and no chat was discovered. During the analysis, I found a WhatsApp folder on the SD card with subfolders such as Backups, Database and Media, full of files (msgstore...db.crypt14) with a timestamp a few hours before the extraction. I figure that the WhatsApp app was deleted before the police investigation. Is there a way to decrypt these backup files using any other extracted WhatsApp files? Thanks
Avatar
Has anyone had an issue where a snapchat message is showing as unknown sender and has a completely incorrect time and date? How can I verify the correct time and date and any reason why the date is wrong?
Avatar
Avatar
Pixel
Has anyone had an issue where a snapchat message is showing as unknown sender and has a completely incorrect time and date? How can I verify the correct time and date and any reason why the date is wrong?
iOS?
8:22 AM
I had this with a BFU dump where I could not make sense of a timestamp. (edited)
Avatar
Avatar
Pixel
Has anyone had an issue where a snapchat message is showing as unknown sender and has a completely incorrect time and date? How can I verify the correct time and date and any reason why the date is wrong?
Did you cross-check it with different databases like primary.docobjects? See this blog: https://xperylab.medium.com/decrypting-and-extracting-juicy-data-snap-17301aa57a87
Avatar
jwatson7428 4/8/2022 2:40 PM
@Cellebrite Similar questions have been asked before, but I still would like clarification if someone could assist. I am looking at PA under the User Dictionary and was wondering how "Frequency" works. I know it isn't every time the word has been typed because looking at my current list "^" has been used over 2500 times. Who does that? Can someone explain or point me in the right direction as to how frequency is calculated? TIA.
Avatar
I know it's been talked/discussed a lot. But is there an artifact that tells me when an iPhone got set up? I have an .obliterated file in private/var/root with a creation date of 4-4-2022 at 16:58. (Wiped?) I have a purplebuddy.plist with a setuplastexit at 4- 16:19. The value of CKstartuptime is 10 milliseconds later than setup last exit. The setupstate has the value SetupUsingAssistant. So it got set up without iTunes or iCloud, but a manual walkthrough. I have two accounts in accounts3.sqlite; the first one is of the victim, the second of the suspect. What I am trying to find out: when did the suspect use account 2 to set it up? @Magnet Forensics shows owner information regarding this second account, saying it has a setup date of 4-4-2022 at 16:19. It doesn't say what the source of this piece of information is. (I'm setting up a test device as we speak, but hope someone can give me some more insight so I can make the correct conclusion) (edited)
Avatar
Avatar
florus
I know it's been talked/discussed a lot. But is there an artifact that tells me when an iPhone got set up? I have an .obliterated file in private/var/root with a creation date of 4-4-2022 at 16:58. (Wiped?) I have a purplebuddy.plist with a setuplastexit at 4- 16:19. The value of CKstartuptime is 10 milliseconds later than setup last exit. The setupstate has the value SetupUsingAssistant. So it got set up without iTunes or iCloud, but a manual walkthrough. I have two accounts in accounts3.sqlite; the first one is of the victim, the second of the suspect. What I am trying to find out: when did the suspect use account 2 to set it up? @Magnet Forensics shows owner information regarding this second account, saying it has a setup date of 4-4-2022 at 16:19. It doesn't say what the source of this piece of information is. (I'm setting up a test device as we speak, but hope someone can give me some more insight so I can make the correct conclusion) (edited)
I believe in purple buddy there’s an entry about the guessed country. Pretty sure that’s the first step in the setup process
Avatar
Avatar
snoop168
I believe in purple buddy there’s an entry about the guessed country. Pretty sure that’s the first step in the setup process
That's what I thought, but it's empty. No timestamp
Avatar
Avatar
gregb6263
Hi all. A logical extraction was made on an Android phone (SFR Startrail 7) with XRY 10. No IM app was on the phone and no chat was discovered. During the analysis, I found a WhatsApp folder on the SD card with subfolders such as Backups, Database and Media, full of files (msgstore...db.crypt14) with a timestamp a few hours before the extraction. I figure that the WhatsApp app was deleted before the police investigation. Is there a way to decrypt these backup files using any other extracted WhatsApp files? Thanks
Hi, you have only one chance. You need the SIM card, the PIN, the phone number, the last backup msgstore.db.crypt14 and the media files. You must install WhatsApp, sign in with the correct phone number (received SMS code) and import data from the backup. Now you can make an APP-Downgrade or other dump. (edited)
💯 1
Avatar
Avatar
florus
That's what I thought, but it's empty. No timestamp
Is there more information in info.plist and status.plist? The .obliterated tells you the last date when the phone was reset (in my case, the date before the last reset.), lg (edited)
Avatar
Avatar
peMo
Is there more information in info.plist and status.plist? The .obliterated tells you the last date when the phone was reset (in my case, the date before the last reset.), lg (edited)
I will check this and let you know. Will be Tuesday. Thanks for letting me know!
👍 1
Avatar
Avatar
Karlsson
Hi, you have only one chance. You need the SIM card, the PIN, the phone number, the last backup msgstore.db.crypt14 and the media files. You must install WhatsApp, sign in with the correct phone number (received SMS code) and import data from the backup. Now you can make an APP-Downgrade or other dump. (edited)
Mobile_Digger 4/10/2022 8:05 AM
Is there any way to know the WhatsApp number via the backup?
Avatar
In this case the SIM card phone number and the WhatsApp number must be identical.
👍 1
Avatar
ScottKjr3347 4/10/2022 9:11 PM
Anyone else completed any decoding of \private\var\mobile\Media\PhotoData\CPL\storage\store.cloudphotodb? Seems to store some very interesting information about CPLAssets. Found in iOS 14.7 and 15.1. DM me if you have written any queries.
Avatar
Is it currently possible to export an extraction from Xry/XAMN and import it in Cellebrite PA? Found the hint to export the extraction as .bin but PA fails to decode most of the content
Avatar
Avatar
Maddino
Is it currently possible to export an extraction from Xry/XAMN and import it in Cellebrite PA? Found the hint to export the extraction as .bin but PA fails to decode most of the content
Has to be a physical extraction I think?
Avatar
Avatar
Maddino
Is it currently possible to export an extraction from Xry/XAMN and import it in Cellebrite PA? Found the hint to export the extraction as .bin but PA fails to decode most of the content
Depends what phone it is from; if FBE encrypted then you'll likely have to export the filesystem from XAMN and not the bin, as it'll still be encrypted
Avatar
Avatar
Arcain
Depends what phone it is from; if FBE encrypted then you'll likely have to export the filesystem from XAMN and not the bin, as it'll still be encrypted
Thanks, this one was new for me! I'll take a look into XAMN and hope to find the option to export the filesystem 🙂
Avatar
Avatar
curebits
Has to be a physical extraction I think?
Yes, and it is a physical extraction, but I think Arcain pointed me towards the solution
Avatar
Avatar
Maddino
Yes, and it is a physical extraction, but I think Arcain pointed me towards the solution
That should be the best way for FBE devices, let me know in case you face any issues!
Avatar
Avatar
Erumaro
That should be the best way for FBE devices, let me know in case you face any issues!
Thanks a lot 🙂
Avatar
Avatar
Maddino
Thanks, this one was new for me! I'll take a look into XAMN and hope to find the option to export the filesystem 🙂
To do it correctly, you may need to use Report, and then the FILE option, and possibly exclude deleted files as well (edited)
5:39 AM
Otherwise you may end up with some files exported in encrypted form, especially ones that change a lot, like some database files, some pictures also
Avatar
Avatar
Arcain
Otherwise you may end up with some files exported in encrypted form, especially ones that change a lot, like some database files, some pictures also
Thank you again. Will try and report back 🙂
Avatar
Avatar
Arcain
To do it correctly, you may need to use Report, and then the FILE option, and possibly exclude deleted files as well (edited)
This was updated in XAMN so that the export will no longer fall over in case a single file can't be exported, so in theory there should not be any reason to filter out deleted data any longer. There can still be a few isolated cases where this is still needed but hopefully we squashed the majority!
Avatar
Avatar
Erumaro
This was updated in XAMN so that the export will no longer fall over in case a single file can't be exported, so in theory there should not be any reason to filter out deleted data any longer. There can still be a few isolated cases where this is still needed but hopefully we squashed the majority!
Good to know, although it wasn't that the export was failing, it's just that the wrong version of the file was exported sometimes. Granted it happened more often when exporting data from a file/directory tree in XAMN, and not so much when using report->file
Avatar
Avatar
Karlsson
Hi, you have only one chance. You need the SIM card, the PIN, the phone number, the last backup msgstore.db.crypt14 and the media files. You must install WhatsApp, sign in with the correct phone number (received SMS code) and import data from the backup. Now you can make an APP-Downgrade or other dump. (edited)
Thanks for your answer, but I no longer have access to the phone, only the whole extraction... I could duplicate the SIM, I've got the PIN, and all the backups... I could reproduce the key regeneration in a generic Android phone, but the real owner of the phone number would receive the code... not me... Any other possibility?
Avatar
Sorry, but you need the code from the owner.
Avatar
Is there any .plist or other configuration file in a FFS Extraction of an iPhone that indicates if there is a 2nd, 3rd, etc. fingerprint added?
Avatar
Has there been any changes in Wickr and Signal lately, that prevents UFED from decoding, despite having an Android FFS? (edited)
Avatar
Avatar
florus
I know it's been talked/discussed a lot. But is there an artifact that tells me when an iPhone got set up? I have an .obliterated file in private/var/root with a creation date of 4-4-2022 at 16:58. (Wiped?) I have a purplebuddy.plist with a setuplastexit at 4- 16:19. The value of CKstartuptime is 10 milliseconds later than setup last exit. The setupstate has the value SetupUsingAssistant. So it got set up without iTunes or iCloud, but a manual walkthrough. I have two accounts in accounts3.sqlite; the first one is of the victim, the second of the suspect. What I am trying to find out: when did the suspect use account 2 to set it up? @Magnet Forensics shows owner information regarding this second account, saying it has a setup date of 4-4-2022 at 16:19. It doesn't say what the source of this piece of information is. (I'm setting up a test device as we speak, but hope someone can give me some more insight so I can make the correct conclusion) (edited)
Cellebrite did a whole blog on it, I can dig it out from their website. The one that sticks in my mind is that it's the date when the contacts database is created.
Avatar
Avatar
dotmatrix
Has there been any changes in Wickr and Signal lately, that prevents UFED from decoding, despite having an Android FFS? (edited)
Mobile_Digger 4/12/2022 10:15 AM
I guess Oxygen may help you
Avatar
Avatar
florus
I know it's been talked/discussed a lot. But is there an artifact that tells me when an iPhone got set up? I have an .obliterated file in private/var/root with a creation date of 4-4-2022 at 16:58. (Wiped?) I have a purplebuddy.plist with a setuplastexit at 4- 16:19. The value of CKstartuptime is 10 milliseconds later than setup last exit. The setupstate has the value SetupUsingAssistant. So it got set up without iTunes or iCloud, but a manual walkthrough. I have two accounts in accounts3.sqlite; the first one is of the victim, the second of the suspect. What I am trying to find out: when did the suspect use account 2 to set it up? @Magnet Forensics shows owner information regarding this second account, saying it has a setup date of 4-4-2022 at 16:19. It doesn't say what the source of this piece of information is. (I'm setting up a test device as we speak, but hope someone can give me some more insight so I can make the correct conclusion) (edited)
private/var/root/library/lockdown/data_ark.plist contains the key com.apple.purplebuddy-setupstate, whose value can be RestoredFromiCloudBackup, RestoredFromiTunesBackup etc. And the key FirstPurpleBuddyCompletion, which contains the timestamp for the setup completion.
💯 1
Avatar
testermonkey 4/13/2022 3:10 AM
Hello all, could anyone point me to the right database area/method to get the PIN for Hidden Messages in Viber. My decode in PA has extracted the data from it but I would like to verify it on the phone too.
🙊 1
Avatar
Avatar
mr.rookay
private/var/root/library/lockdown/data_ark.plist contains the key com.apple.purplebuddy-setupstate, whose value can be RestoredFromiCloudBackup, RestoredFromiTunesBackup etc. And the key FirstPurpleBuddyCompletion, which contains the timestamp for the setup completion.
Thanks for replying, I'm going to look into all your input to 'tie it all together'.
Avatar
Avatar
testermonkey
Hello all, could anyone point me to the right database area/method to get the PIN for Hidden Messages in Viber. My decode in PA has extracted the data from it but I would like to verify it on the phone too.
theAtropos4n6 4/13/2022 4:37 AM
In iOS, check the Settings.data db from the Viber application. Within it you will find a key named "_hiddenChatsPINData". This is where the PIN is stored. Where in UFED do you find this listed as an artifact? (edited)
Avatar
Hi is anyone from @Cellebrite available to answer a query regarding an android device?
Avatar
Avatar
theAtropos4n6
In iOS, check the Settings.data db from the Viber application. Within it you will find a key named "_hiddenChatsPINData". This is where the PIN is stored. Where in UFED do you find this listed as an artifact? (edited)
testermonkey 4/13/2022 5:34 AM
Thanks mate, I should have said it's a Samsung, but I'll try and dig again based on the "_hiddenchatsPINdata" naming convention
👍 1
Salute 1
Avatar
Anyone able to DM me? I have questions regarding monotonic and baseband timestamps in relation to ios devices. (edited)
7:03 AM
@Magnet Forensics - forgot to ping you guys! 😂
Avatar
Avatar
mr.rookay
private/var/root/library/lockdown/data_ark.plist contains the key com.apple.purplebuddy-setupstate, whose value can be RestoredFromiCloudBackup, RestoredFromiTunesBackup etc. And the key FirstPurpleBuddyCompletion, which contains the timestamp for the setup completion.
data_ark.plist doesn't contain the key com.apple.purplebuddy-setupstate in my case...
Avatar
Avatar
Pacman
@Magnet Forensics - forgot to ping you guys! 😂
theAtropos4n6 4/13/2022 7:59 AM
If you are using AXIOM, look within Artifact Reference. As far as I remember these are explained there.
Avatar
Can anyone explain to me why Cellebrite's Physical Analyser media classification puts everything in "unclassified"? I'm using version 7.54.1 and this is regarding an iPhone image @Cellebrite
Avatar
Avatar
testermonkey
Hello all, could anyone point me to the right database area/method to get the PIN for Hidden Messages in Viber. My decode in PA has extracted the data from it but I would like to verify it on the phone too.
Morning, the database '/data/data/com.viber.voip/databases/viber_prefs' has a value 'key_hidden_chats_pin'. This is a SHA256 of the user-provided PIN and a hard-coded string in the code: 'Shawl9_Valid_Yeastv'. So it ends up looking like '1234Shawl9_Valid_Yeastv' if 1234 was the PIN. I have written a short script that will bruteforce it for you. It takes one argument, the hash from the database, and applies that concatenation of the PIN and string, hashes it and compares it to the one provided; it then prints the PIN if it is correct:

```python
import sys
from hashlib import sha256

# The only argument is the hash taken from key_hidden_chats_pin in viber_prefs
providedHash = sys.argv[1]

# Try every 4-digit PIN from 0000 to 9999
for i in range(0, 10000):
    currentPIN = ('{0:04}'.format(i)).encode('utf-8')
    ## Section of code to try the hash process and print passcode if correct
    ## Compare the current PIN SHA256 and the provided PIN hash
    if sha256(currentPIN + "Shawl9_Valid_Yeastv".encode("utf-8")).hexdigest() == providedHash:
        currentPIN = currentPIN.decode("utf-8")
        print('------------------------------------------')
        print(f'FOUND PIN:\t\t{currentPIN}')
        print('------------------------------------------')
        break
```

Let me know if it works / doesn't work.
🙌 4
👍 4
🔥 3
Avatar
Has anyone had any luck finding the factory reset time of a Huawei device? I have a Huawei pot-lx1a running Android 9. Physical extraction. Thanks!
Avatar
Avatar
theAtropos4n6
If you are using AXIOM, look within Artifact Reference. As far as I remember these are explained there.
Thanks for this - I already understand what monotonic and baseband timestamps are. It is a more technical question 😊
Avatar
chrisforensic 4/14/2022 2:20 AM
Hello @Cellebrite ... I saw the new Beta PA 8.0.7 is available... can you tell me when the final will be released? With all the functions we need 😉 (edited)
Avatar
Avatar
chrisforensic
Hello @Cellebrite ... I saw the new Beta PA 8.0.7 is available... can you tell me when the final will be released? With all the functions we need 😉 (edited)
You could check our New PA Ultra Landing page for more details https://cellebrite.com/en/pa-ultra/
Salute 1
💯 1
Avatar
chrisforensic 4/14/2022 4:00 AM
thanks @idokal 👍
Avatar
Anyone from @Cellebrite able to assist with a watchlist hash database quest of mine in relation to images associated with Kik?
Avatar
Anyone who has had any success with TeamViewer logs on a MacBook, to check for suspicious activity? I can only find when it was installed/updated, but no logs regarding connections. Happy Easter!
Avatar
Does @Magnet Forensics support translation from Chinese to English? I've never tried it before, but could be really helpful in a case I'm working right now
Avatar
Avatar
D\\uke10
Does @Magnet Forensics support translation from Chinese to English? I've never tried it before, but could be really helpful in a case I'm working right now
Mel_Hungate 4/14/2022 8:31 AM
In Examine you can change your encoding type, but we do not do translations of recovered artifacts
Avatar
Avatar
Mel_Hungate
In Examine you can change your encoding type, but we do not do translations of recovered artifacts
OK, thank you. What I was looking for was a text message conversation translation
Avatar
Avatar
D\\uke10
OK, thank you. What I was looking for was a text message conversation translation
Mel_Hungate 4/14/2022 8:37 AM
I'll put in a feature request for you!
👍 1
Avatar
Avatar
DIGIMON
Can anyone explain to me why Cellebrite's Physical Analyser media classification puts everything in "unclassified"? I'm using version 7.54.1 and this is regarding an iPhone image @Cellebrite
I know in my case this happens when you try to apply media classification but your processor is not up to Cellebrite's standards. If you look at trace window (view > trace window) when Cellebrite PA opens it may have a message along the lines of "Your processor is not good enough for media classification."
Avatar
Avatar
King Pepsi
Has anyone had any luck finding the factory reset time of a Huawei device? I have a Huawei pot-lx1a running Android 9. Physical extraction. Thanks!
@Brigs I cheated and used your tool and I can’t believe I forgot to literally just search for the term factory_reset lol, slow day for me
Avatar
Avatar
Carcino
I know in my case this happens when you try to apply media classification but your processor is not up to Cellebrite's standards. If you look at trace window (view > trace window) when Cellebrite PA opens it may have a message along the lines of "Your processor is not good enough for media classification."
Thx, but I'm not getting any sort of messages in trace view or other errors. I'm going to rollback a few more versions probably, since it has worked in the past.
Avatar
TIL that there is a file called localavengers.xml which has the names of Captain America and Iron Man inside said xml - it features as part of Hwpush on Huawei phones…
🔥 1
Avatar
Anyone from Cellebrite available for a question?
Avatar
In Physical Analyser when creating an export of notes it's giving me the error: "self referencing loop detected for preperty 'Owner' with type 'Data.Models.Note' Path '[0].Model.Title". Any ideas? @Cellebrite
📬 1
Avatar
Question for someone from MSAB. Is there a way to expand tar files within an XRY extraction (Apple Warrant Return) and add the contents to the case? I can see the tar files of interest in the case but they were not expanded initially.
Avatar
Hello all! We are a public K-12 with limited forensic capabilities. We mainly use Magnet Forensics and mostly work on desktop and laptop investigations. Recently we received a request to perform forensics on a student's iPad. Any resources that can help us would really be appreciated! I'm not entirely sure if Magnet AXIOM can perform this; if it can, we haven't gotten training on that portion yet.
Avatar
Avatar
ChrisP
Hello all! We are a public K-12 with limited forensic capabilities. We mainly use Magnet Forensics and mostly work on desktop and laptop investigations. Recently we received a request to perform forensics on a student's iPad. Any resources that can help us would really be appreciated! I'm not entirely sure if Magnet AXIOM can perform this; if it can, we haven't gotten training on that portion yet.
Magnet does a good job on iPad/iPhone extractions for sure.
Avatar
Avatar
florus
Magnet does a good job on iPad/iPhone extractions for sure.
Have you had issues where the 'Trust' prompt never shows up on the iPad and thus it is not fully connected to the PC?
Avatar
Hi all! Has anyone had much luck gaining access to the contents of Snapchat’s ‘My Eyes Only’ on a Full FileSystem extraction of an Android device? I’m using Magnet Axiom and I’m aware of the method to do this with iOS devices but I’m stuck with the android equivalent. I have already ID’d the content of memories but it’s the content of ‘My Eyes Only’ that is the main objective. Any help/tips are much appreciated
Avatar
Avatar
Frenchie
Hi all! Has anyone had much luck gaining access to the contents of Snapchat’s ‘My Eyes Only’ on a Full FileSystem extraction of an Android device? I’m using Magnet Axiom and I’m aware of the method to do this with iOS devices but I’m stuck with the android equivalent. I have already ID’d the content of memories but it’s the content of ‘My Eyes Only’ that is the main objective. Any help/tips are much appreciated
ALEAPP has a parser for this if you want to give it a try https://github.com/abrignoni/ALEAPP
Avatar
Did you try PA? I checked with our PA group and it should
9:56 AM
Or follow @stark4n6 suggestion 🙂
💯 1
Avatar
Is it possible to decrypt the PIN for Snapchat My Eyes Only? iOS (edited)
Avatar
Avatar
Pacman
Is it possible to decrypt the PIN for Snapchat My Eyes Only? iOS (edited)
that one I don't know
Avatar
Avatar
stark4n6
that one I don't know
That's fair - I can see Axiom has decoded some data from memories/FMEO - I can see there's an attachment URL. Is there a way to use this to download the videos?
Avatar
@Magnet Forensics you might be able to answer above as well
Avatar
Avatar
Pacman
Is it possible to decrypt the PIN for Snapchat My Eyes Only? iOS (edited)
Should be in the keychain from memory (the pin)
Avatar
Avatar
Rob
Should be in the keychain from memory (the pin)
Well, the keychain decrypted information relating to files stored in My Eyes Only - I can't see anything re PIN
Avatar
Avatar
Pacman
Well, the keychain decrypted information relating to files stored in My Eyes Only - I can't see anything re PIN
Within the iOS keychain there should be a base64 string that relates to the my eyes only. You can process the data within Magnet Axiom using said base64 string to get access to the data. There is a guide on how to do it on their website
Avatar
Avatar
Frenchie
Within the iOS keychain there should be a base64 string that relates to the my eyes only. You can process the data within Magnet Axiom using said base64 string to get access to the data. There is a guide on how to do it on their website
Thanks - I've completed this and got the information related to files stored within my eyes only. Just don't have the PIN unfortunately (edited)
3:53 PM
Unless it does and I've followed the instructions incorrectly?
Avatar
As far as I’m aware you won’t get the pin, just the content of my eyes only
👍 1
Avatar
Hi everyone 👋 has anybody dealt with a recent version of the "group.net.whatsapp.shared.plist" file? Older versions had a "savedrecieved" boolean which helped when trying to determine if Automatic Downloads were on or off, but now I'm looking at odd values like "st4", "ge8", etc. I can't access the device. Thanks in advance.
Avatar
@Magnet Forensics Hi , Do you know how I can import the keychain in XML format from elcomsoft into Axiom? (edited)
Avatar
Does anyone know how I can import an FFS from an iPhone, made with Oxygen, into Physical Analyser? @Cellebrite (edited)
Avatar
chrisforensic 4/20/2022 7:23 AM
@florus on keychain plist select the file xxxx.keychain, on zip archive select the file xxxxx.tar
7:24 AM
done several times without problems 👍
Avatar
Hi Chris, that's what we tried, but it doesn't decode everything, no chats etc. @chrisforensic (edited)
Avatar
chrisforensic 4/20/2022 7:31 AM
hmmmm
Avatar
Is there any way to add a manually decrypted database (Signal) to UFED, and parse it to include it in the report file?
Avatar
Avatar
chrisforensic
hmmmm
So I re-parsed it with the newest PA, and it worked. 🙄
👍 1
Avatar
I have an iPad preservation where I'm seeing PowerPoint files stored in this path: DarArchive/root/private/var/mobile/Containers/Data/Application/14D2B1E1-1665-4368-859B-D107D7007EA6/Library/Caches/SideLoading/ -- I know that 14D2B1E1-1665-4368-859B-D107D7007EA6 is the applications identifier for Microsoft PowerPoint on this iPad. Any idea what populates the Caches/SideLoading folder though? I've run some tests on another iOS device including opening a PowerPoint from Dropbox, Google Drive, and one that was downloaded to the device. Nothing populated in this folder. Any ideas?
Avatar
Axen Cleaver 4/20/2022 8:55 AM
Hello! Anyone @Cellebrite available for a DM about Trevor? Not urgent, just a few operational questions.
📬 1
Avatar
Does anyone know how to get the original file name from a picture within Viber?
Avatar
Avatar
tmibou
@Magnet Forensics Hi , Do you know how I can import the keychain in XML format from elcomsoft into Axiom? (edited)
Mel_Hungate 4/20/2022 10:51 AM
I'm about 90% sure you cannot. I'll find the feature request and +1 it
Avatar
Anyone have experience with the so called "Status" crypto wallet/IM app?
2:03 PM
Was wondering if someone figured out how to decrypt the database or find the password somehow
Avatar
Urgent. Hi, can we do data extraction of a Microsoft Surface Tablet 1866 by using UFED? Regards
Avatar
thaconnecter 4/20/2022 8:12 PM
I think you would have more chance with Paladin
Avatar
Avatar
thaconnecter
I think you would have more chance with Paladin
Thank You
12:17 AM
Hi all. In UFED, for an Android mobile, if we have done 'File System - APK Downgrade Android Backup', then do we need to go for 'File System - Android Backup' or 'Advanced Logical' extraction?
Avatar
Good morning. We have a physical extraction of a Samsung S7 running OS 8. We have images of note for a case, but they are cached images. Is there any way of finding out where the original images were stored or located? We think they were on an SD card which wasn't with the handset
Avatar
Daedalus_13 4/21/2022 2:46 AM
Hello. I have an extraction of an iPhone 8 which has moving images in a /data/PluginKitPlugin//tmp/ folder. The .mov files have a file name starting with trim.[possibly hex string].mov. Does anyone know what apps would use this syntax as a file name? (edited)
Avatar
Avatar
Daedalus_13
Hello. I have an extraction of an iPhone 8 which has moving images in a /data/PluginKitPlugin//tmp/ folder. The .mov files have a file name starting with trim.[possibly hex string].mov. Does anyone know what apps would use this syntax as a file name? (edited)
Is there a plist in the folder? It may be worth interrogating this, it may give you an idea. Possibly MobileSlideShow, Photos app etc
Avatar
Avatar
pinball
Is there a plist in the folder? It may be worth interrogating this, it may give you an idea. Possibly MobileSlideShow, Photos app etc
Daedalus_13 4/21/2022 6:34 AM
Thanks for the response. I’ll have a dig around for that.
Avatar
Avatar
Daedalus_13
Thanks for the response. I’ll have a dig around for that.
No worries, search for the GUID folder which you have noted [possibly hex string].
Avatar
I recently wrote a dissertation on the subject of Android forensics and am interested in trying to find out more to do with browser password recovery. I've tried looking myself, but Chrome and the default Samsung browser store the creds encrypted and I can't find keys or methods to decrypt. Anything I did find suggested passwords will be plaintext or viewable with a hex editor, which I haven't managed to confirm (it doesn't work). Please could someone help with what I can do?
9:13 AM
I know where the passwords are, just cannot decode them. I have tried finding out how they're encrypted but cannot find a key, nor anything on how they are encrypted. I understand well about Windows Chrome password extraction and decryption, so providing Android is the same, then I'm assuming it's AES again... just no clue on the key.
Avatar
ScottKjr3347 4/21/2022 2:07 PM
I want to start off by saying you must have multiple tools in the tool box, but I just finished reviewing some known device data with @Magnet Forensics AXIOM 6.0.0.31091 and have to say it does a GREAT JOB, congratulations 👏 Magnet team!! If you don't have AXIOM I would highly encourage you to contact sales and pick up a copy! #validation ✅
❤️ 1
Avatar
Avatar
Daedalus_13
Hello. I have an extraction of an iPhone 8 which has moving images in a /data/PluginKitPlugin//tmp/ folder. The .mov files have a file name starting with trim.[possibly hex string].mov. Does anyone know what apps would use this syntax as a file name? (edited)
ScottKjr3347 4/21/2022 2:29 PM
Did you figure it out?
Avatar
@Cellebrite I have a query about a PA parsed artifact, happy to ask here or on DM if someone is free?
📬 1
Avatar
Has anyone done any analysis on the screen recording app "Mobizen"? I have a bunch of videos in the folder /data/media/0/Mobizen/ and I'm trying to find out if it's possible to prove they were recorded with this phone.
Avatar
Avatar
ScottKjr3347
Did you figure it out?
Daedalus_13 4/22/2022 3:28 AM
Yes thanks, I’ve had some great help from people here.
Avatar
Hi, I would like your advice on how to analyze KML files. Which software could I use? I have a Google file.
Avatar
Avatar
mdogilvie
Hi, I would like your advice on how to analyze KML files. Which software could I use? I have a Google file.
Import KML map data into Google Earth
Avatar
I would like something different so I can explain it more technically.
Avatar
Avatar
ScottKjr3347
I want to start off by saying you must have multiple tools in the tool box, but I just finished reviewing some known device data with @Magnet Forensics AXIOM 6.0.0.31091 and have to say it does a GREAT JOB, congratulations 👏 Magnet team!! If you don’t have AXIOM I would highly encourage you to contact sales and pick up a copy! #validation ✅
Mel_Hungate 4/22/2022 6:19 AM
That's awesome to hear! I've passed along to the team 🥰
Avatar
Avatar
Oscar
Has anyone done any analysis on the screen recording app "Mobizen"? I have a bunch of videos in the folder /data/media/0/Mobizen/ and I'm trying to find out if it's possible to prove if they are recorded with this phone.
Mobile_Digger 4/22/2022 6:30 AM
Look for the metadata of the file & the default launcher log.
Avatar
MelissaJane 4/22/2022 7:19 AM
Can anyone help - I have a Telegram database which has been decrypted but unfortunately it's not in a readable format. Are there any profiles within Cellebrite or XRY which may be able to read this and produce it in a way which can be read?
Avatar
Avatar
MelissaJane
Can anyone help - I have a Telegram database which has been decrypted but unfortunately it's not in a readable format. Are there any profiles within Cellebrite or XRY which may be able to read this and produce it in a way which can be read?
Andrew Rathbun 4/22/2022 7:19 AM
Is it SQLite? Something else?
Avatar
Avatar
Andrew Rathbun
Is it SQLite? Something else?
MelissaJane 4/22/2022 7:20 AM
It is SQLite but there are multiple T0, T1 tables within it
Avatar
Avatar
Oscar
Has anyone done any analysis on the screen recording app "Mobizen"? I have a bunch of videos in the folder /data/media/0/Mobizen/ and I'm trying to find out if it's possible to prove if they are recorded with this phone.
I did some quick testing and can say that it appears possible to link Mobizen screen recorded video to a brand/model of device using the video files. Lot of variables at play, but it appears possible to analyze videos and be able to say that they are consistent with Mobizen screen recording on a XYZ brand XYZ model device. Feel free to DM me for more details.
Avatar
Thanks @Brandon E and @Mobile_Digger! I'll check it out when I get back to work on Monday :)
Avatar
@Magnet Forensics Using Axiom to analyze a KaiOS 2.5.2 physical extraction. I noticed Axiom located Pornography URLs (xnxx and redtube) and Parsed Search Queries from the extraction. Axiom pulled the Parsed Search Queries from YouTube, but doesn't pull the search terms from the Porn sites. I haven't paid attention to see if this is the same on an Android, but was wondering if this was unique to this extraction or KaiOS or does it do this on all OS/extractions?
Avatar
Avatar
sholmes
@Magnet Forensics Using Axiom to analyze a KaiOS 2.5.2 physical extraction. I noticed Axiom located Pornography URLs (xnxx and redtube) and Parsed Search Queries from the extraction. Axiom pulled the Parsed Search Queries from YouTube, but doesn't pull the search terms from the Porn sites. I haven't paid attention to see if this is the same on an Android, but was wondering if this was unique to this extraction or KaiOS or does it do this on all OS/extractions?
Did you find search terms in the porn site urls manually? If so look at the variable for them in the URL. Maybe it can be used for a custom artifact and/or it could be sent to Magnet as a feature request.
Avatar
@Brigs I did find them manually. I can definitely do that.
Avatar
I am having some trouble finding resources that explain how the shared folder is used by 3rd party applications on iOS. Anyone got a good resource on this?
Avatar
Avatar
Gene
I am having some trouble finding resources that explain how the shared folder is used by 3rd party applications on iOS. Anyone got a good resource on this?
ScottKjr3347 4/24/2022 8:44 PM
Shared folder or shared album? Dm me with a little bit more detail specific 3rd party app and stuff like that and I’ll try and help. (edited)
Avatar
Hi. Does anyone have an idea how to add a decrypted Signal database to the report so that it can be analyzed in the form of a report? The database comes from a dump made by PASSWARE and was in a Huawei P9 lite phone. I have @Cellebrite, @Oxygen Forensics
11:48 PM
Both programs do not support the execution of a full file system dump.
11:50 PM
As a last resort, I'll make a backup for the report, but you'll try to find out if you can do that first.
Avatar
@Zolwik_MF With some time you should be able to piece together the fields for manual database queries. Do you also have the associated attachment files?
11:54 PM
Axiom also supports it, but you didn't say you have this.
Avatar
I don't have access to Axiom.
Avatar
You can do most of these yourself in an SQLite browser easily enough.
11:59 PM
Try pointing Cellebrite's App Genie tool at the database.
12:02 AM
Unless I'm reading this wrong, it looks like you have a decrypted Signal database from the phone exported for analysis in a tool of your choosing.
Avatar
I used this tool when testing Signal backup functionality (using the phone itself, you make a backup of the current state, producing a key/password you must save, output to an SD card of your own or a location in the phone you can acquire without a full file system). https://github.com/pajowu/signal-backup-decode
Avatar
Avatar
Sha1_4n6
I used this tool when testing Signal backup functionality (using the phone itself, you make a backup of the current state, producing a key/password you must save, output to an SD card of your own or a location in the phone you can acquire without a full file system). https://github.com/pajowu/signal-backup-decode
Thank you for your help. I already have a decrypted database and I just need to include it in the report.
Avatar
Avatar
MelissaJane
It is SQLite but there are multiple T0, T1 tables within it
CLB_iwhiffin 4/25/2022 5:41 AM
Sadly, that’s just what the Telegram database is like. Some of the tables are obvious such as t2 (contacts) and t7 (messages) but putting it all together is tricky.
Avatar
Avatar
CLB_iwhiffin
Sadly, that’s just what the Telegram database is like. Some of the tables are obvious such as t2 (contacts) and t7 (messages) but putting it all together is tricky.
MelissaJane 4/25/2022 5:44 AM
No problem, thank you for letting me know 🙂
Avatar
Daedalus_13 4/25/2022 6:06 AM
Hello all. I had an issue with some files in a tmp folder with a prefix of “trim.” I had some really useful links and tips from the community. There was info found on Stack Overflow, an article by Heather Mahalik on Smarter Forensics, and a blog on the Magnet website. The short answer is that the trim. prefix is attached by iOS. Thanks
Avatar
Avatar
MelissaJane
It is SQLite but there are multiple T0, T1 tables within it
So not decrypted, that's the regular (unencrypted) Telegram db on iOS. PA and other tools support the decoding of it. Is there anything particular that you are looking for?
Avatar
Hey, does anyone know if/where Instagram search history would be stored on iOS?
Avatar
Why would some third party iOS applications choose to encrypt some db files and others not? I know if they do not encrypt they typically rely on the iOS for protection of the data. I am wondering if there is a reason to not encrypt, I am thinking there is some reason as to why this is not done consistently.
Avatar
Hello, in UFED PA chat-native messages you have the last activity column. What is the source of this timestamp? I have a chat where it shows last-activity 07.04.2021 20:12:26 but the last message in the chat has timestamp 28.10.2020 08:39:36.
Avatar
@Cellebrite
Avatar
Avatar
EFU003
Hello, in UFED PA chat-native messages you have the last activity column. What is the source of this timestamp? I have a chat where it shows last-activity 07.04.2021 20:12:26 but the last message in the chat has timestamp 28.10.2020 08:39:36.
CLB-drorimon 4/26/2022 2:03 AM
Android/iPhone? What's the source info you see?
Avatar
Avatar
CLB-drorimon
Android/iPhone? What's the source info you see?
Sorry, important info missing there. This is from an iPhone and source is sms.db
Avatar
Avatar
EFU003
Sorry, important info missing there. This is from an iPhone and source is sms.db
CLB-drorimon 4/26/2022 5:29 AM
The chat's Last Activity from iPhone's sms.db is derived only from the chat's messages themselves. If you see something different, please DM me.
Avatar
Does anyone know if SnapChat will accept a GUID as the user account requested for a search warrant? I'm having issues locating the actual username other than the GUID
7:06 AM
It's for a child trafficking case and I'm trying to identify a victim.
Avatar
Echmyre[FORENTECH] 4/26/2022 7:06 AM
Anyone of the @Elcomsoft guys free for a keychain question?
Avatar
Avatar
p0tt541
Hey, does anyone know if/where Instagram search history would be stored on iOS?
Found it if anyone is interested, there's several plists here: mobile/Containers/Data/Application/<GUID>/Library/Caches/<USER_ID>/autocomplete/blended_search_recent.plist
Avatar
Avatar
Beefhelmet
Does anyone know if SnapChat will accept a GUID as the user account requested for a search warrant? I'm having issues locating the actual username other than the GUID
You can find the username in the table snapchatter. It's not in the same directory as where arroyo.db is sitting. It's in the dir docobjects, in the db primairy.docobjects. Check the username in column P in ASCII. @snoop168 pointed me to this table a while ago. 🙏 (edited)
Avatar
Avatar
Daedalus_13
Hello. I have an extraction of an iPhone 8 which has moving images in a /data/PluginKitPlugin//tmp/ folder. The .mov files have a file name starting with trim.[possibly hex string].mov. Does anyone know what apps would use this syntax as a file name? (edited)
Mr. Eddie Vedder from Accounting 4/27/2022 1:17 PM
This folder and path is likely associated with the Photo-Picker plugin. The short version is this plugin was developed by Apple to not allow apps access to a user's entire photo gallery. The plugin will "pick" the "photo" (in my testing it's only ever video files in this location) and when a certain UI is triggered the video will be cached to the TMP folder.
1:19 PM
Once this UI is triggered and the user selects "Choose" the file is "compressed" and then added to the specific application that launched it. In the case of Kik the media does not need to be shared only "Chosen"
Avatar
Mr. Eddie Vedder from Accounting 4/27/2022 1:27 PM
https://www.youtube.com/shorts/79J30c6wcss Early on I was only ever able to get the Kik application to write to this area so I focused on that. I have since discovered that applications handle the Photo-Picker plugin in their own way. Some apps (Twitter) will write a file with the prefix Trim_.GUID after the video file has been selected and posted and will store it in the application's folder. I have also discovered that Safari and the Mail applications will write to the same location as Kik (I assume Apple is allowing the developers options on how they implement Photo-Picker.) I am in the process of writing up a blog post compiling all the research that I hope to get out this weekend. (edited)
Avatar
Excellent work @Mr. Eddie Vedder from Accounting Looking forward to the blog post.
Avatar
is the release of a new version of Physical analyzer planned?
Avatar
Avatar
manuelevlr
is the release of a new version of Physical analyzer planned?
There’s a new beta available.
Avatar
Looking to confirm what is stored in the Snapchat SCPersistentMedia folder. I have a video in there of concern. @Magnet Forensics Axiom states the video was received. Since the video is of my victim, I just need to make sure this isn't a false artifact identification of "Snapchat Received Videos." I tried doing some Google Fu and didn't come up with anything concrete as to what resides in this folder.
Avatar
Avatar
manuelevlr
is the release of a new version of Physical analyzer planned?
7.55 beta got released to the design partners to try.
Avatar
Avatar
sholmes
Looking to confirm what is stored in the Snapchat SCPersistentMedia folder. I have a video in there of concern. @Magnet Forensics Axiom states the video was received. Since the video is of my victim, I just need to make sure this isn't a false artifact identification of "Snapchat Received Videos." I tried doing some Google Fu and didn't come up with anything concrete as to what resides in this folder.
Run it with https://github.com/DFIR-HBG/ParseSnapchat (iOS) or https://github.com/Ogg3/CheckArroyo (iOS/Android) to verify with multiple tools. If I remember correctly that folder contains images/videos that are sent and saved in the chat, but that might not be entirely correct since I have not looked at it for a few months
Avatar
Thanks @Oscar
8:51 AM
I was just hoping someone had specific knowledge of the folder/activities. I will validate it through other tools.
Avatar
Avatar
sholmes
Looking to confirm what is stored in the Snapchat SCPersistentMedia folder. I have a video in there of concern. @Magnet Forensics Axiom states the video was received. Since the video is of my victim, I just need to make sure this isn't a false artifact identification of "Snapchat Received Videos." I tried doing some Google Fu and didn't come up with anything concrete as to what resides in this folder.
Mel_Hungate 4/28/2022 9:18 AM
From a brief look, it appears we're reporting anything we find in that directory as a "Received Video" - it's possible the usage of this folder has changed over versions of snapchat and this seems to be something we need to dig deeper into. I'm having a dev take a look
Avatar
Thanks @Mel_Hungate
Avatar
Avatar
Echmyre[FORENTECH]
Anyone of the @Elcomsoft guys free for a keychain question?
Sure
Avatar
Echmyre[FORENTECH] 4/28/2022 11:11 PM
Already answered by mail 👍 thanks @v_katalov
Avatar
Avatar
sholmes
Looking to confirm what is stored in the Snapchat SCPersistentMedia folder. I have a video in there of concern. @Magnet Forensics Axiom states the video was received. Since the video is of my victim, I just need to make sure this isn't a false artifact identification of "Snapchat Received Videos." I tried doing some Google Fu and didn't come up with anything concrete as to what resides in this folder.
I have seen a change in the names of the files that are stored here, it might not be as easy to tie them to a conversation as it used to be
Avatar
Avatar
OggE
I have seen a change in the names of the files that are stored here, it might not be as easy to tie them to a conversation as it used to be
Thanks
Avatar
ScottKjr3347 5/1/2022 7:42 AM
Just wanted to give everyone a heads up, @Mr. Eddie Vedder from Accounting recently posted his research for Photo-Picker. https://mr-evfa.blogspot.com/2022/04/photo-picker.html
Avatar
Mr. Eddie Vedder from Accounting 5/1/2022 8:02 AM
Thanks. If anyone has apps they would like to test just reach out to me. I know some of the research is basic I plan on continuing to add information as I find it. I wanted to get this out so people finding the trim. videos had a better idea how they got there.
Avatar
Hi all. I’m currently working a case with relevant iOS location artifacts…can anyone weigh in on if ZLOCATIONHORIZONTALUNCERTAINTY is going to be my horizontal accuracy radius, in meters, from my gps point? Thanks!
Avatar
Avatar
Jshoe
Hi all. I’m currently working a case with relevant iOS location artifacts…can anyone weigh in on if ZLOCATIONHORIZONTALUNCERTAINTY is going to be my horizontal accuracy radius, in meters, from my gps point? Thanks!
Forgot to mention my source is local.sqlite\ZRTLEARNEDLOCATIONOFINTERESTVISITMO
Avatar
Avatar
Jshoe
Hi all. I’m currently working a case with relevant iOS location artifacts…can anyone weigh in on if ZLOCATIONHORIZONTALUNCERTAINTY is going to be my horizontal accuracy radius, in meters, from my gps point? Thanks!
That is what it should be. For a really good deep dive into location data for iOS devices check out the iBeg to DFIR episode on Location Data. They do a great job of breaking it down. https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
Avatar
I have multiple pictures found in applicationID/Libary/cashes/webkit/networkCache/Version 14/records/GUID/Resource. The application in this case is Safari. The GUID differs between different files. Does anyone know what this is? (edited)
Avatar
Robin Hood 5/2/2022 3:38 AM
Has anyone researched Trust/Trust Wallet, the secure crypto app? I'm doing some research on it on iOS, but the app seems to store very little. Information like wallet addresses is available offline, so it must be stored on the device. However I'm sure it is stored encrypted.
Avatar
Hi all. Does anyone know if iOS removes any records from the ZRTCLLOCATIONMO table that are older than a specific time? Or is that a maximum number of records in this table?
5:58 AM
Reason for asking: I'm looking at a FFS extraction where I can only see the locations of approx. the last 2 weeks. I didn't find any signs of wiping/erasing the iPhone.
Avatar
Avatar
Jackds
Hi all. Does anyone know if iOS removes any records from the ZRTCLLOCATIONMO table that are older than a specific time? Or is that a maximum number of records in this table?
Robin Hood 5/2/2022 6:39 AM
According to this blog: https://doubleblak.com/BlogArticles/14/PDF2.pdf (slides 31-34), created June 2020, records do get deleted after a while. Depending on the type of location, frequent/revisited/single visit, it can be deleted between 7 days and a few months after the visit. The ZRTLEARNEDLOCATIONOFINTERESTMO table should contain a ZPLACEEXPIRATIONDATE field where you can see the expiration dates.
6:39 AM
The blog unfortunately does not contain a write-up of the research
Avatar
Anyone know how to extract the pattern lock out of Android 12? Found a few write ups but they mention gesture.key which I don’t have in this ffs. I do have a locksettings.db but one blog I found seems to infer that the process is for an alphanumeric password so not sure how a pattern would differ
Avatar
Avatar
Robin Hood
According to this blog: https://doubleblak.com/BlogArticles/14/PDF2.pdf (slides 31-34), created June 2020, records do get deleted after a while. Depending on the type of location, frequent/revisited/single visit, it can be deleted between 7 days and a few months after the visit. The ZRTLEARNEDLOCATIONOFINTERESTMO table should contain a ZPLACEEXPIRATIONDATE field where you can see the expiration dates.
Thanks. In this case it looks like the phone hasn't been used before last month, as there is almost no activity at all on it. It doesn't look like it's been wiped however. It looks more like a new phone with a partially restored backup. Can't explain it yet....
Avatar
@snoop168 IIRC they're going to be hardware backed, you won't be able to extract the pattern from a hash. I think Android 6 was around the last time you could feasibly do that. You'd have to run a client on the phone if it's supported by something like GrayKey or Premium.
Avatar
Avatar
Solec
@snoop168 IIRC they're going to be hardware backed, you won't be able to extract the pattern from a hash. I think Android 6 was around the last time you could feasibly do that. You'd have to run a client on the phone if it's supported by something like GrayKey or Premium.
Ahh ok. Damn. Looks like gk did not do it on this one.
Avatar
always have the manual brute force!
Avatar
Avatar
Mr. Eddie Vedder from Accounting
https://www.youtube.com/shorts/79J30c6wcss Early on I was only ever able to get the Kik application to write to this area so I focused on that. I have since discovered that applications handle the Photo-Picker plugin in their own way. Some apps (Twitter) will write a file with the prefix Trim_.GUID after the video file has been selected and posted and will store it in the application's folder. I have also discovered that Safari and the Mail applications will write to the same location as Kik (I assume Apple is allowing the developers options on how they implement Photo-Picker.) I am in the process of writing up a blog post compiling all the research that I hope to get out this weekend. (edited)
Daedalus_13 5/2/2022 9:13 AM
That is a brilliant thread thanks @Mr. Eddie Vedder from Accounting
Avatar
Anyone skilled in the MapsSyncParser.py from Sarah Edwards. I’m currently dealing with a “database disk image is malformed”
Avatar
ScottKjr3347 5/2/2022 1:17 PM
Photos.sqlite queries updated along with new query for store.cloudphotodb https://twitter.com/scott_kjr/status/1521221849882906625?s=21&t=7jrilu_EMsRWGT5mzFn5bw
Avatar
@ScottKjr3347 I look forward to using your work. Thank you sincerely for your sharing
Avatar
Hi @Cellebrite, indicatively, will the new version of Physical Analyzer be released this week?
Avatar
Does anyone know a script or tool that will convert a CSV file containing time/sender/receiver/text into a WhatsApp template pdf or sms styled template. Like for each entry in the CSV file produce a little text message box similar to what cellebrite/axiom produces (edited)
3:36 AM
I thought I saw a Python script that could do it before.
Avatar
SPVQct3207 5/3/2022 5:36 AM
@Cellebrite Is there an email at Cellebrite to make a suggestion in Physical Analyzer ? if not a DM maybe good 😉 thanks!
Avatar
You can email me. I think you got my email 🙂
Avatar
forensicgeek 5/3/2022 5:53 AM
Has anyone managed to decode a Nokia 3310 (TA-1022) Spreadtrum chipset? I have obtained a physical extraction however nothing seems to decode it. I had a quick search on here but not seen any success. Any help will be appreciated. Thanks.
Avatar
Anyone came across "com.apple.mt.lastLaunch.plist" before, it appears to show launch times for applications but I can't seem to find anything documented? It doesn't seem to be completely reliable either for some apps
Avatar
Has anyone done any analysis of an iPhone where Verizon Push to Talk was of interest in the case?
Avatar
@Cellebrite Any improvements for Instagram in the next version of PA? Getting a plugin error for Insta
Avatar
Hoping someone can assist me with a question about the interactionc database in a Cellebrite report. All of the dates/times are in the format of 672546597.498181. I can't figure out what format this is in. Is there a way to convert them to a readable format within Reader, or is there a way I can convert them in the exported CSV file I made?
Avatar
Avatar
wcso_pete
Hoping someone can assist me with a question about the interactionc database in a Cellebrite report. All of the dates/times are in the format of 672546597.498181. I can't figure out what format this is in. Is there a way to convert them to a readable format within Reader, or is there a way I can convert them in the exported CSV file I made?
CLB-drorimon 5/3/2022 12:13 PM
Avatar
Avatar
CLB-drorimon
Ah, thanks. I looked up epoch and UNIX time, and a google search turned me onto HFS time. Definitely missed Core time! I'm assuming there isn't an easy way to put it into a readable format for the investigator?
Avatar
Hello All - Anyone have any recommendations on proving an SD card was in a Samsung Galaxy S10 besides looking at the File Path of images/etc in File System? Are you aware of a Preferences file that may contain storage information that an Advanced Logical in Cellebrite would have grabbed?
Avatar
Avatar
NOSUSHI4U
Hello All - Anyone have any recommendations on proving an SD card was in a Samsung Galaxy S10 besides looking at the File Path of images/etc in File System? Are you aware of a Preferences file that may contain storage information that an Advanced Logical in Cellebrite would have grabbed?
Look at external.db file. It should come out in adv logical.
Avatar
manuelevlr 5/4/2022 5:05 AM
Has it ever happened that msgstore.db.crypt14 databases in the WhatsApp folder could not be deciphered while having the key? I'm also using WhatsApp Viewer but it tells me that the key is invalid.
Avatar
DFIRScience 5/4/2022 6:45 AM
From the FORMOBILE project - open access (free): Mobile Forensics - The File Format Handbook: https://link.springer.com/content/pdf/10.1007%2F978-3-030-98467-0.pdf
Avatar
Hello, I'm having some troubles with WhatsApp version 2.22.7.74 which isn't decoded correctly in @MSAB XRY and @Cellebrite PA. I was looking in msgstore.db and didn't find the messages table, which is used to store the messages. But I could find some messages in the message_ftsv2 and message_ftsv2_content tables (edited)
Avatar
@rafael_cs Sorry to hear that. Could you DM me the log from XRY. Thanks!
Avatar
rusten112000 5/4/2022 1:53 PM
Anyone run into a path similar to America/Chicago2$56B2E136-5350-4871-A1D2-981EB208BFD9 ? Its listed as a "Type" for an iOS message parsed with Axiom. @GwenD
Avatar
Hello 👋 @Cellebrite do you plan to include a .heic viewer in PA/Reader ? 👍
Avatar
Avatar
Nitraz_
Hello 👋 @Cellebrite do you plan to include a .heic viewer in PA/Reader ? 👍
CLB-dan.techcrime 5/5/2022 7:28 AM
It should have been in there already for a long time, no?
12:11 PM
I got a FFS (checkm8) iPhone 8 extraction made with Oxygen Forensic Detective. What's the best way to parse it in PA? I can easily load the .tar archive as iPhone File-System but I need to load the Keychain. Is there a way?
Avatar
Avatar
bypx
I think you can use the GrayKey option and select the keychain file there.
Avatar
Hi everyone. Does anyone know details about this path: "data/com.facebook.katana/cache/compactdisk/image/1/sessionless/storage/" ?
Avatar
Has anyone dealt with the path: WhatsApp/documents/inbox ?
Avatar
theAtropos4n6 5/5/2022 11:59 PM
@Cellebrite I have an iOS FFS extraction. I would like to ask what the artifact 'SMS Spotlight Search' refers to?
Avatar
Avatar
King Pepsi
Has anyone dealt with the path: WhatsApp/documents/inbox ?
DeeFIR 🇦🇺 5/6/2022 12:19 AM
It’s when you receive a document/attachment and not media
Avatar
Avatar
DeeFIR 🇦🇺
It’s when you receive a document/attachment and not media
Awesome, that makes sense- thanks!
Avatar
Avatar
Jackds
Hi all. Does anyone know if iOS removes any records from the ZRTCLLOCATIONMO table that are older than a specific time? Or is that a maximum number of records in this table?
In my experience, the records can be kept longer than two months, if a location of interest got 'touched'.
Avatar
Avatar
bypx
I got a FFS (checkm8) iPhone 8 extraction made with Oxygen Forensic Detective. What's the best way to parse it in PA? I can easily load the .tar archive as iPhone File-System but I need to load the Keychain. Is there a way?
chrisforensic 5/6/2022 6:30 AM
Avatar
Hi guys, I've pulled out an SD card from an S8+ and using XRY, have attempted to extract it. All goes well until it hits a "FileSafe" - I'm guessing a secure folder app? And I'm prompted for a pin/password which we don't have. Is there any way round this? Thanks. (edited)
Avatar
Avatar
Jackds
Hi all. Does anyone know if iOS removes any records from the ZRTCLLOCATIONMO table that are older than a specific time? Or is that a maximum number of records in this table?
CLB_iwhiffin 5/6/2022 6:47 AM
ZRTCLLOCATIONMO tends to hang around for 7 days now, which I believe to be time based rather than max record based. Any aggregation done lasts longer. So ZRTVISIT lasts about a month or two (has an expiration date) and LearnedLocationsOfInterest lasts even longer.
Avatar
PhrostByte 5/6/2022 8:15 AM
Hi, I am working with an iPhone Xr and Cellebrite. I am seeing a lot of messages that only have a time stamp and phone number but no other message data. These blank messages all have the file path of /mobile/Library/Recents/Recents. Does anyone know what gets saved to this file and what it is used for?
Avatar
Avatar
theAtropos4n6
@Cellebrite I have an iOS FFS extraction. I would like to ask what the artifact 'SMS Spotlight Search' refers to?
The global search on Apple products is called "Spotlight". When you swipe down from the top of the iPhone screen and type a search in, you can include SMS messages in that search. I am guessing but am not certain that there's an artifact created when those search results are clicked on, just like on macOS.
Avatar
Avatar
PhrostByte
Hi, I am working with an iPhone Xr and Cellebrite. I am seeing a lot of messages that only have a time stamp and phone number but no other message data. These blank messages all have the file path of /mobile/Library/Recents/Recents. Does anyone know what gets saved to this file and what it is used for?
CLB_iwhiffin 5/6/2022 9:07 AM
It is just a list of the recently contacted numbers, there never was any message body data there. iOS just uses it to keep track of who you contacted recently and how many times etc., most likely to help with its predictions.
Avatar
di5cordusername1. 5/6/2022 9:22 AM
Hello all, I have a locked Alcatel 1 with the MT6739 chipset and secure boot enabled, Android v8. None of the commercial forensic tools can extract any data (Oxygen, Belkasoft or CBP). I’ve been really disappointed with them TBH, and I’ve not found any suitable firmware to use with TWRP. MTKClient does extract all partitions from the device, but the user data partition is encrypted. Can anyone suggest any possible, non destructive, solutions or workarounds…? Have a great weekend
Avatar
Avatar
di5cordusername1.
Hello all, I have a locked Alcatel 1 with the MT6739 chipset and secure boot enabled, Android v8. None of the commercial forensic tools can extract any data (Oxygen, Belkasoft or CBP). I’ve been really disappointed with them TBH, and I’ve not found any suitable firmware to use with TWRP. MTKClient does extract all partitions from the device, but the user data partition is encrypted. Can anyone suggest any possible, non destructive, solutions or workarounds…? Have a great weekend
Secure boot, or secure startup (asking for a passcode before Android starts)?
Avatar
Avatar
Arcain
Secure boot, or secure startup (asking for a passcode before Android starts)?
di5cordusername1. 5/6/2022 11:00 AM
Hi Arcain, Asking for password before Android starts. (edited)
Avatar
Ok, so that's secure startup. Oxygen should actually support this chipset for bruteforce. What error are you getting with it?
Avatar
di5cordusername1. 5/6/2022 11:23 AM
Failing to detect the phone when connected and times out. Sometimes with “connection error, can’t connect to phone”. Different laptops with Oxygen tested, the most recent version of Oxygen was being used and the drivers were installed correctly (passes the test).
Avatar
that's with or without "disabled daa protection"?
11:29 AM
if without, you may need to select a different DA, possibly one of the DWSEC. If with, then you need bootrom mode - like for mtkclient. From my experience, Oxygen didn't work with many phones with "disabled daa protection" selected; with some it was required to keep the keys for bootrom mode pressed until it started the dump
11:30 AM
What's the exact model number? Maybe it's possible to find specific download agent for it
Avatar
di5cordusername1. 5/6/2022 11:39 AM
Thanks for helping Arcain. It’s the 5033x model. Tried both enabled and disabled but without any success.
Avatar
Avatar
Arcain
if without, you may need to select a different DA, possibly one of the DWSEC. If with, then you need bootrom mode - like for mtkclient. From my experience, Oxygen didn't work with many phones with "disabled daa protection" selected; with some it was required to keep the keys for bootrom mode pressed until it started the dump
di5cordusername1. 5/6/2022 11:40 AM
Haven’t tried keeping the keys pressed until it starts dumping. I’ll try that. I’ll kick myself if that’s all it is. 😆
Avatar
Looks like the 5033x requires an auth file, so in Oxygen you'll have to select "disable daa protection" and connect the phone in bootrom mode. From my experience this wasn't always working on some devices. Review the log file, and you'll probably see that it did some patching but never went further. In that case, I'd suggest contacting Oxygen. Maybe they'll have a test version or some hint on how to connect it
Avatar
Avatar
wcso_pete
Hoping someone can assist me with a question about the interactionc database in a Cellebrite report. All of the dates/times are in the format of 672546597.498181. I can't figure out what format this is in. Is there a way to convert them to a readable format within Reader, or is there a way I can convert them in the exported CSV file I made?
JLindmar (83AR) 5/6/2022 12:11 PM
You could use the SQLite Wizard in PA to create a custom output (that you can build into a report) that decodes the timestamps.
In the CSV you can use the following Excel formula to decode into a human-readable date/time (UTC):
=A1/86400+DATE(2001,1,1)
where 86400 = number of seconds per day and 2001,1,1 is the CFAbsolute (Cocoa Framework / Mac) epoch date.
Example: 672546597.498181/86400+DATE(2001,1,1) = Mon 04/25/2022 02:29.57.498 UTC
Excel is formatted for a custom number format ddd mm/dd/yyyy hh:mm.ss.000
If you want to convert it to a local time, add -TIME(hour, minute, second), e.g. A1/86400+DATE(2001,1,1)-TIME(4,0,0)
Example: 672546597.498181/86400+DATE(2001,1,1)-TIME(4,0,0) = Sun 04/24/2022 22:29.57.498 EDT
You will have to manually adjust the formula for timestamps that fall in or out of daylight savings time. (edited)
👍 1
Avatar
Avatar
Arcain
Looks like the 5033x requires an auth file, so in Oxygen you'll have to select "disable daa protection" and connect the phone in bootrom mode. From my experience this wasn't always working on some devices. Review the log file, and you'll probably see that it did some patching but never went further. In that case, I'd suggest contacting Oxygen. Maybe they'll have a test version or some hint on how to connect it
di5cordusername1. 5/6/2022 12:15 PM
Thanks Arcain. I’ll give that a try.
Avatar
Avatar
JLindmar (83AR)
You could use the SQLite Wizard in PA to create a custom output (that you can build into a report) that decodes the timestamps; in the CSV you can use the following Excel formula to decode into a human readable date/time (UTC): =A1/86400+DATE(2001,1,1) where 86400 = number of seconds per day and 2001,1,1 is the CFAbsolute (Cocoa Framework / Mac) epoch date Example: 672546597.498181/86400+DATE(2001,1,1) = Mon 04/25/2022 02:29.57.498 UTC Excel is formatted for a custom number format ddd mm/dd/yyyy hh:mm.ss.000 If you want to convert it to a local time, add -time(hour, minute, second), e.g. A1/86400+DATE(2001,1,1)-TIME(4,0,0) Example: 672546597.498181/86400+DATE(2001,1,1)-TIME(4,0,0) = Sun 04/24/2022 22:29.57.498 EDT You will have to manually adjust the formula for timestamps that fall in or out of daylight savings time. (edited)
Oh awesome. Thanks! I’ll give it a try when I’m back in my office on Monday.
Avatar
chrisforensic 5/9/2022 1:09 AM
hello @Cellebrite, am I right if I say that PA doesn't currently support decoding of TelegramX? https://play.google.com/store/apps/details?id=org.thunderdog.challegram&hl=de_AT&gl=US I have an FFS (QLive) of a Nokia 8; the TelegramX chat is not parsed/decoded with PA... Imported the 4PC extraction into another forensic tool and got TelegramX decoded 😉 (edited)
Avatar
Avatar
chrisforensic
hello @Cellebrite, am I right if I say that PA doesn't currently support decoding of TelegramX? https://play.google.com/store/apps/details?id=org.thunderdog.challegram&hl=de_AT&gl=US I have an FFS (QLive) of a Nokia 8; the TelegramX chat is not parsed/decoded with PA... Imported the 4PC extraction into another forensic tool and got TelegramX decoded 😉 (edited)
Mobile_Digger 5/9/2022 7:01 AM
Can you please tell us about the tool which successfully parsed it? It will be helpful for many
Avatar
Avatar
wcso_pete
Hoping someone can assist me with a question about the interactionc database in a Cellebrite report. All of the dates/times are in the format of 672546597.498181. I can't figure out what format this is in. Is there a way to convert them to a readable format within Reader, or is there a way I can convert them in the exported CSV file I made?
evilmonkey 5/9/2022 8:03 AM
As per previous comments, this is a ridiculously accurate Mac Absolute nano-second time-stamp. Certainly Sanderson SQLite Forensic Browser understands and decodes these without any issues
Avatar
Avatar
Mobile_Digger
Can you please tell us about the tool which successfully parsed it? It will be helpful for many
Wouter#0195 5/9/2022 8:09 AM
Looks like @Oxygen Forensics to me. oxygen
💯 2
Avatar
Avatar
holly
The global search on Apple products is called "Spotlight". When you swipe down from the top of the iPhone screen and type a search in, you can include SMS messages in that search. I am guessing but am not certain that there's an artifact created when those search results are clicked on, just like on macOS.
theAtropos4n6 5/9/2022 8:34 AM
Thank you!
👍 1
Avatar
Avatar
Mobile_Digger
Can you please tell us about the tool which successfully parsed it? It will be helpful for many
chrisforensic 5/9/2022 9:32 AM
Oxygen Forensic Detective did the job 💯 oxygen
Salute 2
👍 1
Avatar
Hi. Does anyone have a good German alphanumeric dictionary?
Avatar
I have a setuplastexit timestamp in the purplebuddy plist that matches when a user who is appealing says he recalls a software update but not a reset - is there any way a software update would modify the setuplastexit timestamp? Also - the plist notes setupusingassistant.. thx in advance.
Avatar
anyone from @MSAB for a question about XAMN ?
Avatar
Avatar
KR-4n6
anyone from @MSAB for a question about XAMN ?
Let's hear it!
Avatar
Avatar
MSAB_Sofia
Let's hear it!
Check your DM
Avatar
Avatar
Jeeper
I have a setuplastexit timestamp in the purplebuddy plist that matches when a user who is appealing says he recalls a software update but not a reset - is there any way a software update would modify the setuplastexit timestamp? Also - the plist notes setupusingassistant.. thx in advance.
Have you found other evidence indicating a reset, like does the .obliterated file have a timestamp? I've had it on a test handset that the "Apple Pay" and "Improve Siri & Dictation" set-up screens were prompted after completing an update. This has been useful to myself before: https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
Avatar
the new version of PA has parsing problems with telegram?
2:37 AM
📫 1
Avatar
I've been asked to confirm that an iPhone was locked with a PIN/passphrase. I would normally just evidence the fact that, when examining the device, it required me to put in a passphrase/PIN to unlock. Unfortunately this device wasn't examined by anyone currently employed at my organisation and it is no longer available to us. I have a GrayKey FFS extraction that has been introduced into evidence from that device. Is there an artefact within the extraction that would indicate that the device was locked with a PIN/passphrase? Like the old "/private/var/mobile/library/coreduet/coreduetd.db" that existed on iOS 9 and before. The device was running 13.2.3 when the GrayKey FFS extraction was completed. Thanks
Avatar
Avatar
AmNe5iA
I've been asked to confirm that an iPhone was locked with a PIN/passphrase. I would normally just evidence the fact that, when examining the device, it required me to put in a passphrase/PIN to unlock. Unfortunately this device wasn't examined by anyone currently employed at my organisation and it is no longer available to us. I have a GrayKey FFS extraction that has been introduced into evidence from that device. Is there an artefact within the extraction that would indicate that the device was locked with a PIN/passphrase? Like the old "/private/var/mobile/library/coreduet/coreduetd.db" that existed on iOS 9 and before. The device was running 13.2.3 when the GrayKey FFS extraction was completed. Thanks
No GK report?
Avatar
Avatar
Rob
No GK report?
Report says "Lock State: Unlocked". Unfortunately, the examiner's notes are also virtually non-existent so I can't even introduce hearsay evidence.
Avatar
Avatar
AmNe5iA
Report says "Lock State: Unlocked". Unfortunately, the examiner's notes are also virtually non-existent so I can't even introduce hearsay evidence.
From experience, means there was a PIN.
5:01 AM
Would say No passcode set
5:01 AM
otherwise
Avatar
Avatar
Jeeper
I have a setuplastexit timestamp in the purplebuddy plist that matches when a user who is appealing says he recalls a software update but not a reset - is there any way a software update would modify the setuplastexit timestamp? Also - the plist notes setupusingassistant.. thx in advance.
ScottKjr3347 5/10/2022 5:48 AM
Check out notes for figure #1.2 figure #2 and figure #3 there are some dates that you could check for both reset and software update. https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
As many of you are aware, I recently updated my Photos.sqlite queries. Since releasing the different query iterations, I have received several questions about how I was able to decode the data incl…
👍 1
Avatar
PA 7.55 released. Does anyone know if the Snapchat encrypted feature it's decoding is "My Eyes Only"? It's not very clear.
Avatar
Avatar
4N6Matt
PA 7.55 released. Does anyone know if the Snapchat encrypted feature it's decoding is "My Eyes Only"? It's not very clear.
Yes, it is supported (it was added several versions ago); you should see it under File System -> Snapchat Gallery -> My Eyes Only
Avatar
hello everyone, on an Android 9 (Huawei P Smart FIG-LX1), in which file can I see information on the battery charge?
Avatar
Hi guys, I've established that a protected folder I'm unable to access was originally created on a Huawei. The folder path is .File_SafeBox - I'm prompted for a PIN during XRY's decode, which we don't have access to. Any tools out there that can help?
Avatar
Avatar
slipd
Hi guys, I've established that a protected folder I'm unable to access was originally created on a Huawei. The folder path is .File_SafeBox - I'm prompted for a PIN during XRY's decode, which we don't have access to. Any tools out there that can help?
If you don't know the passcode - no. You can try passcodes, and even automate it, but it'll be slow
👍 1
1:39 AM
You should be able to access that vault by adding a known fingerprint on the phone, and allowing to unlock safe using fingerprint, then copy the files out of the safe
Avatar
Can anyone point me in a direction where I can read more about the Hidden function in the iOS Photos app? I can't find anything mentioned about it
Avatar
I am creating a report with PA, and there is the "include items without a timestamp" function. but if they were to select some items are not placed on the reader instead you are on PA?
2:00 AM
@Cellebrite
Avatar
Avatar
manuelevlr
I am creating a report with PA, and there is the "include items without a timestamp" function. but if they were to select some items are not placed on the reader instead you are on PA?
CLB-drorimon 5/12/2022 5:16 AM
Hi, l'm not sure I understand the issue. What seems to be wrong?
Avatar
Avatar
manuelevlr
hello everyone, on an Android 9 (Huawei P Smart FIG-LX1), in which file can I see information on the battery charge?
a database called dubai.db jumps to mind; I've found this in a couple of Huaweis to contain lots of log information similar to this, can't remember if this will be included though! There might be some sort of batterystats.bin or batterystats.xml 🙂
Avatar
Avatar
skipper
Hi. Does anyone have a good German alphanumeric dictionary?
facelessg00n 5/12/2022 6:03 AM
Join or combinator attack with German wordlist ?
Avatar
Avatar
Erik
Can anyone point me in a direction where I can read more about the Hidden function in the iOS Photos app? I can't find anything mentioned about it
ScottKjr3347 5/12/2022 8:14 AM
What information specifically are you looking for? Several mentions in the write-ups here: https://theforensicscooter.com/
👍 1
Avatar
Does somebody know what the dummy IMEI is that appears in the overview of a UFED extraction from a Samsung GT-E1205Y? We get 1 IMEI and 2 dummy IMEIs. (edited)
Avatar
Avatar
ScottKjr3347
DM sent and this post just added a few things to my current work in progress.
Any info you can share with me. I am looking at FFS of iOS paths of interest for me are: below. They are all showing a file activity "Modified Time" \private\var\mobile\media\photodata\mutations\DCIM\104APPLEIMG_4039Adjustments\ (filename: Adjustment.plist ) \private\var\mobile\media\photodata\mutations\DCIM\104APPLEIMG_4039Adjustments\ (filename: FullSizeRender.jpg) \private\var\mobile\media\photodata\Thumbnails\V2\DCIM\104APPLEIMG_4039.png (edited)
Avatar
Avatar
Ghosted
Any info you can share with me. I am looking at FFS of iOS paths of interest for me are: below. They are all showing a file activity "Modified Time" \private\var\mobile\media\photodata\mutations\DCIM\104APPLEIMG_4039Adjustments\ (filename: Adjustment.plist ) \private\var\mobile\media\photodata\mutations\DCIM\104APPLEIMG_4039Adjustments\ (filename: FullSizeRender.jpg) \private\var\mobile\media\photodata\Thumbnails\V2\DCIM\104APPLEIMG_4039.png (edited)
ScottKjr3347 5/17/2022 7:11 AM
Have you reviewed my Photos.sqlite documentation and notable artifacts write-up? There are examples of these files and file locations in the example videos. If you search the write-up for mutations or adjustments you should find what you are looking for. Specifically figures 7, 8 and 12; review those and let me know if you have any specific questions. I don't suggest holding a lot of weight in the modified timestamp. This is also addressed in the write-up. 📜⬆️ for the link to the blog to the write-up. (edited)
Avatar
I have several extractions from UFED CA which puts it in a Reader format. Is there a way to put multiple Readers into one report such as a single PDF or image report? Or all the Reader files into one Reader file? All for the same case, phones, person; just had to do CA extractions 1 at a time. Ideally I need to load it into Project VIC.
Avatar
Avatar
4N6Matt
I have several extractions from UFED CA which puts it in a Reader format. Is there a way to put multiple Readers into one report such as a single PDF or image report? Or all the Reader files into one Reader file? All for the same case, phones, person; just had to do CA extractions 1 at a time. Ideally I need to load it into Project VIC.
Open the UFDR in PA and then, when you open another, I believe you will have an option to add to the existing project. Once all are loaded, kick out a new one.
Avatar
Avatar
CLB-Paul
Look at external.db file. It should come out in adv logical.
thank you!
Avatar
Thanks. Silly me I was just double clicking them to open and didn't think to manually open them in PA
👍 1
Avatar
Andrew Rathbun 5/18/2022 6:26 AM
FYI mobile peeps, if you don't mind helping out someone prep for a mobile-focused interview here: https://discord.com/channels/427876741990711298/427982915230498826/976457974597951528
Avatar
Anyone know if it is possible to take the iOS keychain file and reverse it to the username / password? And/or if we have the username / password, could we do it then?
Avatar
Avatar
Ghosted
Anyone know if it is possible to take the iOS keychain file and reverse it to the username / password? And/or if we have the username / password, could we do it then?
I have found a hashed password in an iOS extraction for the Apple account for the phone that I was able to crack using Hashcat, but it was an older phone.
6:47 AM
If I remember correctly the email address for the account was in plain text
Avatar
@FullTang I have a username for a Twitter account; trying to see if any leads can be followed up with the keychain to show the username was on the device. Maybe there is an easier way. PA is not parsing any Twitter stuff for me.
Avatar
Avatar
Ghosted
@FullTang I have a username for a Twitter account; trying to see if any leads can be followed up with the keychain to show the username was on the device. Maybe there is an easier way. PA is not parsing any Twitter stuff for me.
Even if Twitter uses the keychain, the decrypted data won't necessarily include the username, but in general the keychain is decrypted in PA into the Password model under Analyzed Data. I would suggest using the global search for the username that you have, and for passwords that contain the name/app identifier of the relevant app (Twitter in your case)
👍 1
Avatar
Avatar
CLB-ChenK
Even if Twitter uses the keychain, the decrypted data won't necessarily include the username, but in general the keychain is decrypted in PA into the Password model under Analyzed Data. I would suggest using the global search for the username that you have, and for passwords that contain the name/app identifier of the relevant app (Twitter in your case)
If you get a password hit, it might be from the keychain, and you can further search in the decrypted data for the username (or any string) you are looking for, using the file format viewer - like in this Tip Tuesday: https://twitter.com/Cellebrite_UFED/status/1518923116432531458?t=Nqlw-a8lW1Ygp4TVO8YQ6Q&s=19
Keychain data is easily viewed in Full File System extractions when the file format viewer in Physical Analyzer is leveraged. #GettingStarted #TipTuesday
Avatar
@Cellebrite Hi, is someone available for a quick question?
Avatar
Hopefully a quick question: using @MSAB XAMN, on the Web History it has an access count of 47 along with other websites with differing 'Access Counts'. Does this mean the number of times this has been accessed on the device? Would anyone be able to confirm my thoughts on this?
Avatar
thatboy_leo 5/19/2022 10:28 AM
Any locations within Android OS to look for powered on / off information? I obtained a physical image of a LG Model LM-Q710
Avatar
We would like to say thank you to everyone who participated in the Capture the Flag event. There were many late evenings and lots of hard work put in by many people involved. The CTF annual event is Cellebrite’s way of giving back to the DFIR community and providing continuously helpful resources to upskill expertise. … Continue reading "Part 1:...
10:48 AM
They mention a few places you can look. Try /data/system/users/services/data/eRR.P or data\log\batterystats or power_off_reason.txt or power_off_resets_reason_backup.txt
10:49 AM
@thatboy_leo
Avatar
Avatar
thatboy_leo
Any locations within Android OS to look for powered on / off information? I obtained a physical image of a LG Model LM-Q710
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
🔥 1
Avatar
thatboy_leo 5/19/2022 11:10 AM
Oh perfect, thank you!
Avatar
anyone from @Magnet Forensics around? Have an issue with AXIOM Process - keeps crashing on an iPhone XR full file system. I've tried multiple workarounds on different workstations with the same result - Process just disappears, and Examine just waits patiently at the same point for more results that won't be coming...I've submitted a support ticket but just want to see if I'm overlooking anything obvious. Version is 6.0.0.31091.
Avatar
Andy Thorpe 5/19/2022 12:19 PM
@clbell2 Hi, Andy Thorpe here from Magnet Forensics. Sorry you have hit a snag processing your evidence. Good job on creating the support ticket; they should have you sorted soon. This issue will need some eyes on the log files to see what's going on under the hood. If you have not already provided them, it would be great if you could forward over the case logs for our support team to review. The most likely relevant log file is the log.txt file that will be in the case folder. That plus, if you have an AxiomProcessCrashLog.txt at the root of C:\, that would be good too. Andy.
Avatar
Avatar
clbell2
anyone from @Magnet Forensics around? Have an issue with AXIOM Process - keeps crashing on an iPhone XR full file system. I've tried multiple workarounds on different workstations with the same result - Process just disappears, and Examine just waits patiently at the same point for more results that won't be coming...I've submitted a support ticket but just want to see if I'm overlooking anything obvious. Version is 6.0.0.31091.
Are you able to pull the logs for PROCESS?
Avatar
Avatar
clbell2
anyone from @Magnet Forensics around? Have an issue with AXIOM Process - keeps crashing on an iPhone XR full file system. I've tried multiple workarounds on different workstations with the same result - Process just disappears, and Examine just waits patiently at the same point for more results that won't be coming...I've submitted a support ticket but just want to see if I'm overlooking anything obvious. Version is 6.0.0.31091.
Looks like Andy beat me to it.
magnetforensics 1
Avatar
Yeah, it's weird. Nothing was written to CrashLog in root of C: but I did attach the log.txt from the first attempt case directory.
12:33 PM
Appreciate it!
Avatar
Avatar
Dam
@Cellebrite Hi, is someone available for a quick question?
@Cellebrite It's about a thumbnail cache question in PA
Avatar
Avatar
clbell2
anyone from @Magnet Forensics around? Have an issue with AXIOM Process - keeps crashing on an iPhone XR full file system. I've tried multiple workarounds on different workstations with the same result - Process just disappears, and Examine just waits patiently at the same point for more results that won't be coming...I've submitted a support ticket but just want to see if I'm overlooking anything obvious. Version is 6.0.0.31091.
facelessg00n 5/20/2022 1:31 AM
What are your processing options set to?
Avatar
Avatar
facelessg00n
What are your processing options set to?
I've tried a number of different variations of processing options... I've excluded entire categories of artifacts (custom and media), I've changed the level of nested archives to search (eventually disabling the option to search archives altogether), I've tried different input formats... no image categorization or OCR or dynamic app finder or keyword searches or anything like that enabled on any of the attempts. Just hashing.
Avatar
Hi, I have an issue with a WhatsApp db. I decrypted it and I can see all the messages with an SQL viewer, but when I try to process it in AXIOM it only shows me 12 messages, and WhatsApp Viewer says it can't open it due to a version problem
Avatar
Hello, is there a good sqlite query or script to pull location information from the knowledgeC.db?
Avatar
Avatar
DA2388
Hello, is there a good sqlite query or script to pull location information from the knowledgeC.db?
Andrew Rathbun 5/20/2022 8:00 AM
Having access to precise and granular user and application usage can be extremely useful in a forensic investigation, some of which are listed here. I find that pattern-of-life data is some of the most useful information on a device - it really does tell the story about a user and their devices. I'v
Avatar
Avatar
DA2388
Hello, is there a good sqlite query or script to pull location information from the knowledgeC.db?
ScottKjr3347 5/20/2022 12:51 PM
Use these:
APOLLO if you are comfortable with CLI and Python: https://github.com/mac4n6/APOLLO
ArtEx for a GUI: https://www.doubleblak.com/m/
I use ArtEx a lot; it has some nice timeline and logos to represent the actions being recorded in KnowledgeC
Apple Pattern of Life Lazy Output'er. Contribute to mac4n6/APOLLO development by creating an account on GitHub.
Avatar
Anyone have experience decrypting an adb backup file? I got one pulled but the encryption password was already set before I acquired the image.
Avatar
Does anyone have a trick or script to parse sms.ib and ibphone_head.in from a Nokia manual backup?
Avatar
I thought I had seen a webinar on playing cached navigation audio at some point, like the "turn left" etc. audio. I found files of interest to a timeline in voiceservices\speechCache on an iPhone. I can't recall the lecture now, or whether it was iOS related, but has anyone run across these and got them to play? Or know what they represent?
Avatar
Avatar
warlock40
I thought I had seen a webinar on playing cached navigation audio at some point, like the "turn left" etc. audio. I found files of interest to a timeline in voiceservices\speechCache on an iPhone. I can't recall the lecture now, or whether it was iOS related, but has anyone run across these and got them to play? Or know what they represent?
Its an Android artifact, which has been added to Aleapp (github). Research done by 'kibaffo33'. https://kibaffo33.data.blog/2021/12/30/at-the-roundabout-take-the-second-exit/ (edited)
Avatar
Avatar
Joe Schmoe
Anyone know specifically where images from com.android.com/app_textures/ come from?
Hi, did you end up getting an answer to your question? I am wondering the same thing about images under the 'com.android.chrome/app_textures' file path. My very limited understanding is that they might be thumbnail images relating to tabs on the Google Chrome browser but I can't seem to replicate it again on a test phone.
Avatar
DeeFIR 🇦🇺 5/22/2022 11:54 PM
@SMc that's my understanding as well. What version of Android, and what version of Chrome is installed? (edited)
Avatar
Avatar
SMc
Hi, did you end up getting an answer to your question? I am wondering the same thing about images under the 'com.android.chrome/app_textures' file path. My very limited understanding is that they might be thumbnail images relating to tabs on the Google Chrome browser but I can't seem to replicate it again on a test phone.
facelessg00n 5/23/2022 1:46 AM
Seems to be the case. "6) Repeat the steps above for everything in /data/data/com.android.chrome/app_textures/ so that you also restore the tab thumbnail images, 7) Unfreeze chrome" https://forum.xda-developers.com/t/chrome-how-to-safely-clone-the-set-of-open-tabs-from-one-device-to-another-in-bulk.3250758/
If I get a new phone and want to make Chrome run exactly as I left it on my old phone, cloning/restoring the set of open tabs seems to be complicated. Note: Let's assume Chrome version 46 and Android 6 (Marshmallow) to be somewhat modern with...
Avatar
Avatar
facelessg00n
Seems to be the case. "6) Repeat the steps above for everything in /data/data/com.android.chrome/app_textures/ so that you also restore the tab thumbnail images, 7) Unfreeze chrome" https://forum.xda-developers.com/t/chrome-how-to-safely-clone-the-set-of-open-tabs-from-one-device-to-another-in-bulk.3250758/
Thanks for the link. That's where I got some of my info from also as there doesn't appear to be much else freely available that refers to the app_textures folder.
Avatar
Avatar
DeeFIR 🇦🇺
@SMc that's my understanding as well. What version of Android, and what version of Chrome is installed? (edited)
Thanks for your response. I was testing on a Samsung S21 Ultra 5G with Android version 11 (same version as on the exhibit phone too), I'll have to check for the Chrome version tomorrow but would be one of the most recent versions.
Avatar
DeeFIR 🇦🇺 5/23/2022 3:07 AM
You've piqued my interest. Feel free to let me know the APK version and I can do some testing with you if you'd like.
Avatar
Has anyone had a physical extraction of a FBE Samsung where it has only got media?
Tool used: XRY
Password: known
Android version: 11
Model: SM-A127F/DSN
Sec patch: 01-12-2012
Thanks!
Avatar
Avatar
SMc
Hi, did you end up getting an answer to your question? I am wondering the same thing about images under the 'com.android.chrome/app_textures' file path. My very limited understanding is that they might be thumbnail images relating to tabs on the Google Chrome browser but I can't seem to replicate it again on a test phone.
I did not. My case involved someone sharing private images on a website. I was trying to show that the images were uploaded and not downloaded from the site. I had other evidence so I moved on. The phone was a Motorola G Play. I’d have to look up the versions of Android and Chrome.
Avatar
Chris Myers 5/23/2022 6:19 AM
Hi all, I’m looking at a GK full filesystem from an iPhone and reviewing iMessages. I’m trying to definitively say if the iMessage in question was sent by the device, or sent from, for example, a MacBook logged in with the same Apple ID. Any ideas? Also, in the back and forth of the message, it shows the messages from the device being sent by the phone number and iCloud email address. When the other person in the conversation replies, it shows the reply message being sent to the device phone number and the iCloud email address. I’m guessing this is simply due to syncing with the cloud/Apple ID? (edited)
Avatar
Avatar
King Pepsi
Has anyone had a physical extraction of a FBE Samsung where it has only got media?
Tool used: XRY
Password: known
Android version: 11
Model: SM-A127F/DSN
Sec patch: 01-12-2012
Thanks!
You should extract the full file system. In a physical dump from FBE, most of the userdata is encrypted.
Avatar
I have an IMEI question as I have been reading older posts. In an iPhone 11 I have two IMEIs appearing for a specific device. The TAC (first 8) of both IMEIs is the same. The serial number (next 6) is different, as well as the check digit (last digit). Both come back to the same make and model device. Is this a prime example of dual SIM? Is it possible this is an example of one transceiver in the device sharing?
Avatar
@Joe Schmoe Thanks for your response. I’m working on a child abuse material job where I’ve got images of certain cloud-based folders and I want to know for sure they show this guy viewing or interacting with this site. You’ve given me another idea for testing though, I’ll try to replicate the file path by uploading and downloading images to a test site rather than just opening or closing tabs in chrome.
Avatar
Avatar
DeeFIR 🇦🇺
You've piqued my interest. Feel free to let me know the APK version and I can do some testing with you if you'd like.
Thanks for the offer. So I'm testing on a phone with Chrome version 87.0.4280.141 and Android version 11. I've been opening and closing tabs, and now downloading from Chrome to attempt to recreate the app_textures artefacts.
Avatar
DeeFIR 🇦🇺 5/23/2022 6:33 PM
Is that the same version as the APK on the exhibit?
Avatar
Avatar
mdogilvie
Hi, I have an issue with a WhatsApp db. I decrypted it and I can see all the messages with an SQL viewer, but when I try to process it in AXIOM it only shows me 12 messages, and WhatsApp Viewer says it can't open it due to a version problem
Hi, looks like there are changes in the WhatsApp db; I solved my problem with a program called Avila Forensics
mdogilvie
Hi, looks like there are changes in the WhatsApp db. I solved my problem with a program called Avilla Forensics.
Thx that helped 🙂
Hi, does anyone still see the contents of the Snapchat - Gallery / My Eyes Only folder in extractions? I just made 2 Android dumps of my test device one before going online with Snapchat and one after going online with Snapchat and viewing the contents of the Snapchat Gallery and My Eyes Only. The "before online dump" does not contain Snapchat gallery items, the "after online dump" does contain them. The corresponding files are visible in com.snapchat.android\files\file_manager\memories_media. There are no files there in the "before online dump". No decrypted data either. So it seems that Snapchat is retrieving these (encrypted) files from Snapchat-servers and doesn't store the files permanently locally but maybe is caching them (?!). The encryption keys themselves are in memories.db\memories_snap (media_key & media_IV). I'm curious if anyone came across this or maybe have an idea what could be going on. Snapchat version is 11.73.0.35 on a OnePlus 6 with Android 10. (edited)
mr.rookay
Hi, does anyone still see the contents of the Snapchat - Gallery / My Eyes Only folder in extractions? I just made 2 Android dumps of my test device one before going online with Snapchat and one after going online with Snapchat and viewing the contents of the Snapchat Gallery and My Eyes Only. The "before online dump" does not contain Snapchat gallery items, the "after online dump" does contain them. The corresponding files are visible in com.snapchat.android\files\file_manager\memories_media. There are no files there in the "before online dump". No decrypted data either. So it seems that Snapchat is retrieving these (encrypted) files from Snapchat-servers and doesn't store the files permanently locally but maybe is caching them (?!). The encryption keys themselves are in memories.db\memories_snap (media_key & media_IV). I'm curious if anyone came across this or maybe have an idea what could be going on. Snapchat version is 11.73.0.35 on a OnePlus 6 with Android 10. (edited)
Yes, I've encountered this and had the exact same hypothesis about local caching, perhaps in the order of 30 days? Never got to the bottom of time range, but I extracted an old handset with snapchat installed in flight mode, no memories/my eyes only
8:44 AM
Took phone off of flight mode, ran snapchat, closed the app, put it back into flight mode, performed another extraction and sure enough I got My Eyes Only files etc
mr.rookay
Hi, does anyone still see the contents of the Snapchat - Gallery / My Eyes Only folder in extractions? I just made 2 Android dumps of my test device one before going online with Snapchat and one after going online with Snapchat and viewing the contents of the Snapchat Gallery and My Eyes Only. The "before online dump" does not contain Snapchat gallery items, the "after online dump" does contain them. The corresponding files are visible in com.snapchat.android\files\file_manager\memories_media. There are no files there in the "before online dump". No decrypted data either. So it seems that Snapchat is retrieving these (encrypted) files from Snapchat-servers and doesn't store the files permanently locally but maybe is caching them (?!). The encryption keys themselves are in memories.db\memories_snap (media_key & media_IV). I'm curious if anyone came across this or maybe have an idea what could be going on. Snapchat version is 11.73.0.35 on a OnePlus 6 with Android 10. (edited)
That seems correct based on my observations as well, the download links are present in memories.db so you could just download the files and decrypt them locally if you don't want to remove flight mode or do a second dump. On iOS the cached memories are encrypted afaik but can also be decrypted with the keys stored in gallery.encrypteddb which is decrypted with a keychain entry.
DeeFIR 🇦🇺
Is that the same version as the APK on the exhibit?
The version on the exhibit phone itself is 94.0.4606.85.
mdogilvie
Hi, looks like there are changes in the WhatsApp db. I solved my problem with a program called Avilla Forensics.
chrisforensic 5/25/2022 12:35 AM
tested https://github.com/AvillaDaniel/AvillaForensics ... cool thing.... can decode latest WA-chats (@Cellebrite UFED and @MSAB XRY are not able) decode chats, just the calls... do you know, is there an english version too? my portuguese is very bad 😆 (edited)
OllieD
Took phone off of flight mode, ran snapchat, closed the app, put it back into flight mode, performed another extraction and sure enough I got My Eyes Only files etc
Well, in my case the test phone wasn't used for several weeks (phone was off), so the Snapchat Gallery and the Snapchat My Eyes Only didn't contain any files (snaps) in the 'before online dump'. After going online I opened 3 of the 4 gallery snaps and opened the only snap in My Eyes Only. In the 'after online dump' the com.snapchat.android\files\file_manager\memories_media contained 4 of the 5 items. The 1 snap I didn't open in Gallery wasn't displayed. When I looked up this snap in memories.db\memories_snap the media_key + media_iv were empty, whereas the encrypted_media_key and encrypted_media_iv had a value. In the case of the 4 snaps I did view, the media_key + media_iv had a value, but the encrypted_media_key + encrypted_media_iv were empty. So it seems that not only the contents of My Eyes Only, but also snaps in Gallery are cached for a limited time instead of stored permanently. The expiration timestamp for these files is stored in journal.db\expiration, where the value in key is also used for the file name. You can find the corresponding snap_id in core.db\DataConsumption in the column ContentObjectID where cacheKey contains the filename, minus '.media'. Expiration time seems to be 60 days.
Ah amazing, good find on the expiration time!
Chris Myers 5/25/2022 8:25 AM
Hi everyone, I'm going through an iPhone 11 dump and found a picture that is important to my case. The metadata from the picture shows it was taken by an iPhone 11 and includes a capture time. The location for the file is: private/var/mobile/Media/DCIM/102APPLE/ with a file name of IMG_XXXX.JPG. This location and naming convention seem to match the iOS default for a photo taken by the device. Would you agree with the assumption that the device I'm examining took this photo?
It could have been saved to the camera roll from just about anywhere. Someone can correct me if I'm wrong, but I think you would have to dive into the Photos.sqlite database for confirmation.
Chris Myers
Hi everyone, I'm going through an iPhone 11 dump and found a picture that is important to my case. The metadata from the picture shows it was taken by an iPhone 11 and includes a capture time. The location for the file is: private/var/mobile/Media/DCIM/102APPLE/ with a file name of IMG_XXXX.JPG. This location and naming convention seem to match the iOS default for a photo taken by the device. Would you agree with the assumption that the device I'm examining took this photo?
Or synced from devices on the same account etc. So I agree with @Joe Schmoe, check that db for answers
Chris Myers
Hi everyone, I'm going through an iPhone 11 dump and found a picture that is important to my case. The metadata from the picture shows it was taken by an iPhone 11 and includes a capture time. The location for the file is: private/var/mobile/Media/DCIM/102APPLE/ with a file name of IMG_XXXX.JPG. This location and naming convention seem to match the iOS default for a photo taken by the device. Would you agree with the assumption that the device I'm examining took this photo?
ScottKjr3347 5/25/2022 9:51 AM
You are on the right track, just might need to dig a little deeper. Like others have stated, I would encourage you to review the data from Photos.sqlite AND pattern of life files like knowledgec and power logs and even Sysdiagnose logs. EXIF, Metadata and Captured timestamps don’t always mean that’s when the original asset was captured, additional analysis is needed. After a review of those files you should be able to have a better understanding of what took place on the analyzed device at the time you believe the asset was captured. That’s my opinion until Apple starts putting IMEI’s or serial numbers into exif / metadata for capturing device. (edited)
ScottKjr3347
You are on the right track, just might need to dig a little deeper. Like others have stated, I would encourage you to review the data from Photos.sqlite AND pattern of life files like knowledgec and power logs and even Sysdiagnose logs. EXIF, Metadata and Captured timestamps don’t always mean that’s when the original asset was captured, additional analysis is needed. After a review of those files you should be able to have a better understanding of what took place on the analyzed device at the time you believe the asset was captured. That’s my opinion until Apple starts putting IMEI’s or serial numbers into exif / metadata for capturing device. (edited)
Chris Myers 5/25/2022 10:12 AM
@OllieD @Joe Schmoe Thanks for the replies. I'm digging through photos.sqlite now and it appears likely that this device took the photo. When I look through the tables, I see ZADDITIONALASSETATTRIBUTES, then ImportedByBundleIdentifier with a value of com.burbn.instagram. I'm thinking this value means the photo was taken using the camera within the Instagram app?
Features By Apple, Reached #1 in 105 App Stores. Hide it Pro can securely hide your photos and videos on your iPhone. Never worry about your secrets getting leaked. Hide it Pro features: Secure hiding of Pictures and Videos behind an impenetrable lock screen. + Create Multiple photo/video albums…
Chris Myers
@OllieD @Joe Schmoe Thanks for the replies. I'm digging through photos.sqlite now and it appears likely that this device took the photo. When I look through the tables, I see ZADDITIONALASSETATTRIBUTES, then ImportedByBundleIdentifier with a value of com.burbn.instagram. I'm thinking this value means the photo was taken using the camera within the Instagram app?
ScottKjr3347 5/25/2022 11:16 AM
The chances are good but need to look at power logs. They will tell you if the instagram app turned on the camera and have a timestamp associated with it.
Would it be possible to receive any kind of documentation or code sample related to Axiom Custom Artifacts? Unfortunately I don't have access to the Customer Portal, but I would like to try to create a script
Robin Hood
Would it be possible to receive any kind of documentation or code sample related to Axiom Custom Artifacts? Unfortunately I don't have access to the Customer Portal, but I would like to try to create a script
It's open to everyone. Just make an account. https://www.magnetforensics.com/blog/artifact-exchange-now-open/
Robin Hood
Would it be possible to receive any kind of documentation or code sample related to Axiom Custom Artifacts? Unfortunately I don't have access to the Customer Portal, but I would like to try to create a script
Just as an FYI, we also create custom artifacts using the MCAG (Magnet Custom Artifact Generator) https://www.magnetforensics.com/free-tools/ as well as cover custom artifacts in AX300. MODULE 6: CUSTOM ARTIFACTS: Building on information taught over the four-day period, learn how to use AXIOM features such as Dynamic App Finder and custom artifacts to build data that has been manually recovered into fully-functioning supported Artifacts. Learn how to extract additional data types using AXIOM's Search for Custom Files by Type feature. Gain the ability to share this data with other examiners in the community and increase their working efficiency by being able to automatically recover data after the initial building phase. Learn how to create XML-based artifacts to recover data from SQLite databases as well as advanced file carvers. The custom artifacts built in class will go back with the students and can be used to easily identify new unsupported data in future examinations. Learn how to use the Magnet Custom Artifacts Generator to generate artifacts for non-traditional data like Call Detail Records and ingest the data into AXIOM.
@Cellebrite Going through PA and have a quick question about Safari history data. Database: History.db, Table: history_visits, Source: Safari. Under Device Locations I am getting a result listed as a GPS Fix. The coordinates match the location for the search; is this actually a fix, or something that PA thinks is a fix but actually isn't?
Chris
@Cellebrite Going through PA and have a quick question about Safari history data. Database: History.db, Table: history_visits, Source: Safari. Under Device Locations I am getting a result listed as a GPS Fix. The coordinates match the location for the search; is this actually a fix, or something that PA thinks is a fix but actually isn't?
CLB-drorimon 5/26/2022 7:57 AM
From which URL is the Location created? (edited)
The URL is a www.google.com/maps return, there are long lat coords in it
Chris
The URL is a www.google.com/maps return, there are long lat coords in it
CLB-drorimon 5/26/2022 8:15 AM
Oh, so it just means the location is accurate. To know if the location is of the device or not you should look in the 'Origin' field.
All blank
8:21 AM
alright so all that PA is doing is parsing the DB and seeing coordinates at which point it throws it into "device locations" with a tag of gps fix. To be honest it's a bit of a misleading result, it's not a fix in any way shape or form, it's a set of coordinates
8:22 AM
GPS has nothing to do with it
Anyone know or have tested the possibility of a remote wipe command through Apple UWB Bluetooth from another Apple device in the proximity?
DFIR Pad1
Anyone know or have tested the possibility of a remote wipe command through Apple UWB Bluetooth from another Apple device in the proximity?
Very curious about this as well
DFIR Pad1
Anyone know or have tested the possibility of a remote wipe command through Apple UWB Bluetooth from another Apple device in the proximity?
This has been talked about and so far it's just a passive system where another Apple device is reporting the Bluetooth signal of the other device and not 2-way, from my understanding. It's more of a beacon; if you search the forum you will find more talk about this.
Would anyone know why PA would parse telegram messages but the images in question are not showing up?
dfir-rick
Would anyone know why PA would parse telegram messages but the images in question are not showing up?
Have you followed the link to the images and seen if they are in the directory and just not being parsed?
thaconnecter 5/26/2022 11:10 AM
@dfir-rick if the images are not locally saved on the device they will not show up
the messages are all showing up as having been deleted so my guess is they are all deleted and not saved on the device.
DFIR Pad1
Anyone know or have tested the possibility of a remote wipe command through Apple UWB Bluetooth from another Apple device in the proximity?
I did some testing when it came in iOS 14(?), you could only update the location through Bluetooth. You still needed internet access for the wipe start
Anyone know why secondary Notes.db as backed up on an iOS device aren't decoded with the standard notes.db? I can see the backup database and in DB Viewer the ZNOTE column has vastly more notes than the active notes.db, but PA doesn't seem to ID and parse the backup.....
Chris
alright so all that PA is doing is parsing the DB and seeing coordinates at which point it throws it into "device locations" with a tag of gps fix. To be honest it's a bit of a misleading result, it's not a fix in any way shape or form, it's a set of coordinates
CLB-drorimon 5/26/2022 10:17 PM
I stand corrected, for locations we can tell that the device was present, the Type field will state 'Visited'.
New HTML report. Can handle control files in iOS. Updated CLI output.
Anyone had problems with exporting a note as pdf, word, excel and html from PA? Half of the text is missing.
Hello, can anyone confirm if there is any database within Android that caches wifi networks that the device detects; ie wifi beacon frames sent out by a BSSID (but does not connect to)? Thanks.
Is there a limit to how many times the pin code can be attempted in my eyes only in Snapchat? Before it may lock out of something.
4N6Matt
Is there a limit to how many times the pin code can be attempted in my eyes only in Snapchat? Before it may lock out of something.
After a few attempts you need to wait 1 minute before attempting again, 3 minutes after that. Not sure how high it goes or if it locks permanently after some time. (edited)
Forgot to remove a flag I was working on, fixed now 😄
CLB_iwhiffin
The "scrambled" messages are from a WA DB called ChatSearchV5f; this DB holds message content for indexing, reducing the search time within the WA UI. We parse this DB as another source for potentially deleted messages (which are stored for the index while the original record was deleted). The DB is in fact scrambled and we didn't find any option to know the order of the words within the message (we have put our best WA researcher on it 😊). We do check if the message is available through another source (not a scrambled one) and if so we do not parse it from the chatsearch. In the end users get the scrambled message which they cannot get from any other source, so I guess it's more valuable than getting nothing; we added the "scrambled" indication so the user will know it's not necessarily the exact order of the words within the message and they should understand the context. Hope it covers it.
Hello - was this ever resolved, so basically is there merit in rerunning an old phone which has scrambled WA messages?
some of you are having trouble with the decoding of instagram in @Cellebrite ?
dfir-rick
Hide It Pro v5.1.2 - iOS: media is stored in /Data/Application/com.cmartanuj.hideitpro/Documents/.Pictures and isn't encrypted or anything. The database /Data/Application/com.cmartanuj.hideitpro/Library/Preferences/mediadb.db contains the tables of interest; "notes" for the notes, and "prefs" which has the pincode in plaintext.
Anyone have any luck decoding BOTIM chat app? Thanks
@Magnet Forensics It doesn't look like you can compare similar pictures in a portable case even if you compiled the database in Examine before creating the portable case. It looks like that is only a feature when using a licensed version of Axiom Examine. Can anyone confirm?
FullTang
@Magnet Forensics It doesn't look like you can compare similar pictures in a portable case even if you compiled the database in Examine before creating the portable case. It looks like that is only a feature when using a licensed version of Axiom Examine. Can anyone confirm?
Mel_Hungate 5/27/2022 10:54 AM
Can confirm you can't compare similar pictures in a portable case
Hi everyone, I need to figure out when a device was wiped. It's a Huawei P8 Lite with Android 6.
Mistercatapulte 5/28/2022 4:15 AM
@manuelevlr logs files
4:15 AM
search about wipe or wipedata=1 Maybe in this path : Root/recovery/last_log (edited)
Thanks
manuelevlr
Hi everyone, I need to figure out when a device was wiped. It's a Huawei P8 Lite with Android 6.
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
dfir-rick
the messages are all showing up as having been deleted so my guess is they are all deleted and not saved on the device.
Deleted User 5/29/2022 4:54 PM
how long ago were these messages deleted?
Hi. Is anyone from @Oxygen Forensics around for a quick question?
Morning all, could anyone give some advice on possible ways to decode Outlook mail on an iPhone 12 running 15.4.1.
Does anyone know what the file path is? \data\media\0\Android\data\com.sec.android.gallery3d\files.internet[FILENAME]
2:08 AM
I understand it is related to the default gallery application on android, Gallery
2:08 AM
Also it can be accessed via File manager app on the device.
2:08 AM
It's my first time encountering a folder ".internet"
Pacman
I understand it is related to the default gallery application on android, Gallery
Specifically the default Samsung gallery application (sec = Samsung Electronics Co)
2:26 AM
But no, can't say I've encountered that .internet naming
OllieD
Specifically the default Samsung gallery application (sec = Samsung Electronics Co)
Oh I didn't know re sec
2:29 AM
Good to know.
OllieD
But no, can't say I've encountered that .internet naming
Yeah, I'm not exactly sure what it is. I don't know if it's a location for cached images when a user downloads an image?
Pacman
Yeah, I'm not exactly sure what it is. I don't know if it's a location for cached images when a user downloads an image?
@bang?
Interesting, haven't seen an .Internet file before either. Just looking through some Samsung test dumps
Some more info re handset, it is a Samsung galaxy s10 running android 11
Do you know if the Samsung Gallery has been linked with OneDrive?
bang
Do you know if the Samsung Gallery has been linked with OneDrive?
Good shout, let me check.
bang
Do you know if the Samsung Gallery has been linked with OneDrive?
How do you determine if an app is linked with Gallery?
The easiest way, if you have the device, is to navigate to the Samsung Gallery app and go to settings via the cog at the bottom right.
2:56 AM
If not, it may need digging within the app itself for a configuration file. The only Internet related artefact I can think it would be is OneDrive cache
There is the option to "cloud sync"
2:57 AM
Doesn't say which cloud/app
Perhaps it hasn't identified a cloud app as the device is offline. This test device has identified OneDrive, although OneDrive hasn't been set up. I will try a few scenarios to see if I can generate that Internet folder
I don't have that top bit definitely
3:03 AM
The title where yours says "Sync with OneDrive", mine says "Cloud Sync". The rest is pretty much the same.
3:05 AM
Like this
Go to website could be key here. I will have a play
Looking at preferences file associated with Gallery3d - cloud sync is set to "false"
I think it's the website screenshots, I will try and generate some data
bang
Go to website could be key here. I will have a play
Sorry - this is my phone, I didn't crop the bottom bit out 😂😂
bang
I think it's the website screenshots, I will try and generate some data
Thanks!
Ha, no worries. It's useful to see that option
Anyone from @MSAB available for a quick DM question?
dotmatrix
Anyone from @MSAB available for a quick DM question?
Sure, let's hear it.
KeHei_MoFo
Hi. Is anyone from @Oxygen Forensics around for a quick question?
Oxygen Forensics 5/31/2022 12:04 AM
Hello! DM'd
programdata/android/language/.fr/pictures - which application is this data coming from?
shedex
programdata/android/language/.fr/pictures - which application is this data coming from?
Hide photos, videos, music, apps, notes, calls, messages on your phone
Hide It Pro App Forensics - Android Welcome to my first blog post. Following #DFIR on Twitter has convinced me it's about time I started ...
Anyone from @Cellebrite available for a quick DM question?
chrisforensic 5/31/2022 10:07 AM
hmmm... again i have some extractions (FFS or APK-Downgrade with latest WhatsApp).... and PA is still unable to decode the chats... hm, i feel betrayed 😮💨 (edited)
chrisforensic
hmmm... again i have some extractions (FFS or APK-Downgrade with latest WhatsApp).... and PA is still unable to decode the chats... hm, i feel betrayed 😮💨 (edited)
Someone here pointed me to https://github.com/AvillaDaniel/AvillaForensics It works until patches for PA, Axiom etc. are deployed
chrisforensic 6/1/2022 12:39 AM
thanks, i know this and use this 👍 but need "official" reports from PA
Does anyone know of a method to decrypt saved browser passwords from an Android device (FFS), more specifically the Samsung Browser? I've done a bit of reading and it looks like it's based on Chrome. With the Chrome browser on Windows I know you can use the DPAPI creds/Windows password to decrypt the saved password BLOBs from the Login Data db, but I'm not familiar with how it works on mobile devices... any help is much appreciated! #password-encryption-cracking
Anyone seen video files (mp4, 3gp, webm) all with the first line of the file showing b_CONSOLE in the hex? They won't open in any video player or on the phone... Some forums point to it possibly being encryption?
Spotted an issue with XAMN 7.1 and special characters. If messages contain special characters, XAMN is having issues exporting/displaying them and the content isn't always exported correctly. Ticket is in with MSAB.
5:36 AM
To recreate it, find a message with special characters, click on it and then click on something else and then back again. You will see sometimes it shows all, half, all, half, etc.
3X3
Anyone seen video files (mp4, 3gp, webm) all with the first line of the file showing b_CONSOLE in the hex? They won't open in any video player or on the phone... Some forums point to it possibly being encryption?
They're encrypted using the SD card encryption option in Android
Arcain
They're encrypted using the SD card encryption option in Android
Can always count on Arcain! 😎
Do you happen to know the menu to decrypt this on the phone?
5:39 AM
As a bonus question
FAQ for Samsung Mobile Device. Find more about 'How can I encrypt or decrypt my microSD card?' with Samsung Support.
5:41 AM
but they should work on the phone that card was encrypted on
5:41 AM
you should verify if .MetaEcfsFile (on Samsung), or .cryptsd_cfg (Huawei) exists on the card itself
Got it already, thanks again for the reading materials
I've got a Samsung S7. It has been reset to factory settings. When I use the Cellebrite Touch and load the image in PA or Axiom it will not show me an IMEI. The phone had no external stickers or numbers. Does anyone know why the image won't show me an IMEI?
Dan15
I've got a Samsung S7. It has been reset to factory settings. When I use the Cellebrite Touch and load the image in PA or Axiom it will not show me an IMEI. The phone had no external stickers or numbers. Does anyone know why the image won't show me an IMEI?
If I remember correctly, Android does not store the IMEI in a specific default location (on Samsung). However, it is often parsed due to Samsung apps that store the IMEI in their app data. So that could be the reason it won't get parsed after factory reset. That's something I vaguely remember though, please correct me if I'm wrong
10:37 AM
It can always still be extracted with adb
JLindmar (83AR) 6/1/2022 12:35 PM
Anyone have any official Android documentation on IP Multimedia Subsystem (IMS) call types (e.g. 1000, 1001, 1002)? I've found documentation from the Android Ice Cold Project (https://gerrit.aicp-rom.com/c/AICP/frameworks_base/+/57943/1/core/java/android/provider/CallLog.java#227) that lists them, but nothing within official Android code. Although, I am presuming it should be in the official code. (edited)
Dan15
I've got a Samsung S7. It has been reset to factory settings. When I use the Cellebrite Touch and load the image in PA or Axiom it will not show me an IMEI. The phone had no external stickers or numbers. Does anyone know why the image won't show me an IMEI?
DeeFIR 🇦🇺 6/1/2022 8:49 PM
What kind of extraction? Which version of Android? IIRC, the IMEI isn't available through the Android API after Android 9 or 10.
DeeFIR 🇦🇺
What kind of extraction? Which version of Android? IIRC, the IMEI isn't available through the Android API after Android 9 or 10.
It was a physical extraction. The phone had Android 7
Dan15
It was a physical extraction. The phone had Android 7
DeeFIR 🇦🇺 6/1/2022 10:21 PM
During investigations, you may occasionally find that identifiers of potential interest are not decoded by the tools. This often depends on the type of extraction you’re doing and the supported parsing for that device. This blog will teach you how to use Hex to uncover additional artifacts of interest. We’ll also demonstrate how to locate … Cont...
@Arcain So I decrypted the SD card successfully, but the files are still showing the header of b _ CONSOLE (and will not open)... any ideas why this would still be encrypted even after decryption completed? (edited)
7:13 AM
The phone now shows 'Encrypt SD Card' in settings.
7:14 AM
@Cellebrite Any ideas also?
How did you extract the data?
Can I DM you?
Sure.. just about to head out but shoot me a message, we can chat before I go
Appreciate it a lot!
Dealing with a phone with the Telegram X app. None of our lab tools can parse out the data. I exported the database from the Full File System extraction but of course it is encrypted. Does anyone know where the passphrase / decryption key would be in the extraction?
chrisforensic 6/2/2022 10:42 AM
oh, yes... new PA 7.55.2 was released.... hope the problem with decoding latest WhatsApp-chat in some cases was solved? @Cellebrite ... not mentioned in the release notes
chrisforensic
oh, yes... new PA 7.55.2 was released.... hope the problem with decoding latest WhatsApp-chat in some cases was solved? @Cellebrite ... not mentioned in the release notes
CLB-drorimon 6/2/2022 12:23 PM
Latest WhatsApp support isn't included in this release.
gt530
Dealing with a phone with the Telegram X app. None of our lab tools can parse out the data. I exported the database from the Full File System extraction but of course it is encrypted. Does anyone know where the passphrase / decryption key would be in the extraction?
Wouter#0195 6/3/2022 1:13 AM
Did you try parsing the data with Oxygen Forensic Detective? https://discord.com/channels/427876741990711298/545232743353810946/973134685641261116
Wouter#0195
Did you try parsing the data with Oxygen Forensic Detective? https://discord.com/channels/427876741990711298/545232743353810946/973134685641261116
Sadly, I don't have Oxygen Forensic in my tool kit.
gt530
Sadly, I don't have Oxygen Forensic in my tool kit.
Wouter#0195 6/3/2022 4:20 AM
Maybe @Oxygen Forensics can give you a 30 day demo license for this case, so you can prove you need Oxygen to become part of your tool kit. 😉 (edited)
Working on the same problem as Dan15 and followed this to the letter with no results. Trying to find the MEID instead now, all tips are welcome
Avatar
Anyone from @MSAB available for a quick DM question?
📨 1
Avatar
I have a Samsung Galaxy S9 running Android 10. My ADA is requesting that I verify location data using WiFi / BSSID locations. He provided an entry which has coordinates related to it and shows to be from the source file, but the report says the events in blue are not extracted from the device. What does that mean? Source file: data\logs\wifi\iwc\iwc_dump.txt When I go into the iwc_dump.txt file to the log entries related to this specific request I recognize the date/time stamps and the target BSSID (60:38:e0:e2:4e:bd), but I'm not sure how to read the rest of the entries. More importantly, I don't see anything that shows locations / coordinates related to that BSSID. On the report the ADA provided, that BSSID shows at more than one location in different entries. How is this possible? I haven't dealt with this iwc_dump.txt before, so I'm trying to determine where the location info is coming from, especially if it is not extracted from the device. If anyone can offer any help, it would be much appreciated. My partner posted this on the MDFA Google group as well, just FYI.
Avatar
@Oxygen Forensics Can I get a 30 day demo to try out the software?
👍 1
Avatar
JLindmar (83AR) 6/3/2022 11:58 AM
Can anyone from Cellebrite DM me with information regarding the difference between Physical Analyzer 7.55.1 and 7.55.2? The release information appears to be the same between the two, so I'm not quite sure what the difference is. (edited)
Avatar
Avatar
Chris Myers
Hi all, I’m looking at a GK full filesystem from an iPhone and reviewing iMessages. I’m trying to definitively say if the iMessage in question was sent by the device, or sent from, for example, a MacBook logged in with the same Apple ID. Any ideas? Also, in the back and forth of the message, it shows the messages from the device being sent by the phone number and iCloud email address. When the other person in the conversation replies, it shows the reply message being sent to the device phone number and the iCloud email address. I’m guessing this is simply due to syncing with the cloud/Apple ID? (edited)
@Chris Myers did you ever get an answer to this question?
Avatar
Is Digital Wellbeing extracted and decoded by default in Android dumps? Or do I need an extra step, mem dump etc.? I can't think clearly at the moment.
Avatar
Avatar
florus
Is Digital Wellbeing extracted and decoded by default in Android dumps? Or do I need an extra step, mem dump etc.? I can't think clearly at the moment.
CLB_joshhickman1 6/4/2022 7:18 AM
Not sure about the extraction part (depends on the tool and the type of extraction being performed), but I believe many tools do parse this. Also, ALEAPP does parse it if it is present in the extraction.
👍 2
Avatar
Avatar
JayB1rd
I have a Samsung Galaxy S9 running Android 10. My ADA is requesting that I verify location data using WiFi / BSSID locations. He provided an entry which has coordinates related to it and shows to be from the source file, but the report says the events in blue are not extracted from the device. What does that mean? Source file: data\logs\wifi\iwc\iwc_dump.txt When I go into the iwc_dump.txt file to the log entries related to this specific request I recognize the date/time stamps and the target BSSID (60:38:e0:e2:4e:bd), but I'm not sure how to read the rest of the entries. More importantly, I don't see anything that shows locations / coordinates related to that BSSID. On the report the ADA provided, that BSSID shows at more than one location in different entries. How is this possible? I haven't dealt with this iwc_dump.txt before, so I'm trying to determine where the location info is coming from, especially if it is not extracted from the device. If anyone can offer any help, it would be much appreciated. My partner posted this on the MDFA Google group as well, just FYI.
This is enriched data. We query a db that we have of locations. Any enriched data you need to take with a grain of salt.
Avatar
Avatar
CLB-Paul
This is enriched data. We query a db that we have of locations. Any enriched data you need to take with a grain of salt.
Thank you Paul. I wasn't thinking about the UFED BSSID enrichments, so that makes sense that while the BSSID MAC was seen, the location data came from an off-device DB. Thanks a million!
Avatar
If there are any location-related questions we do have a dedicated email that goes to some very smart people, @heatherDFIR @CLB_iwhiffin and others, locations@cellebrite.com
💯 1
CLB-Paul pinned a message to this channel. 6/6/2022 7:30 AM
Avatar
Anyone experiencing issues with the latest Cellebrite PA updates (7.55)? We used to be able to parse specific iCloud/iTunes backups from 2017 but the new version does not fully parse the data. Tested an older version 7.53 and it parses the data fully. Tried this on 3 different computers.
📫 1
Avatar
Avatar
CLB-Paul
If there are any location-related questions we do have a dedicated email that goes to some very smart people, @heatherDFIR @CLB_iwhiffin and others, locations@cellebrite.com
Paul, thanks!
Avatar
Avatar
Reinard
Anyone experiencing issues with the latest Cellebrite PA updates (7.55)? We used to be able to parse specific iCloud/iTunes backups from 2017 but the new version does not fully parse the data. Tested an older version 7.53 and it parses the data fully. Tried this on 3 different computers.
checking in to this
👍 1
Avatar
I have a physical extraction for an Android phone (approx 3 years old). I noticed that it appeared FB messenger messages were missing from threads. Went to the DB and located what appears to be the missing messages, CB just didn’t ‘grab’ them. I am a newbie with SQLITE and was wondering if anyone had a schema for messenger to put these threads together?
Avatar
Avatar
Reinard
Anyone experiencing issues with the latest Cellebrite PA updates (7.55)? We used to be able to parse specific iCloud/iTunes backups from 2017 but the new version does not fully parse the data. Tested an older version 7.53 and it parses the data fully. Tried this on 3 different computers.
chrisforensic 6/6/2022 12:16 PM
Unfortunately, it sometimes happens that after an update of PA, things that worked in previous versions no longer work. I've already come to terms with that (edited)
😔 1
😢 1
Avatar
hi all, we have found several occurrences where, even though we have an APK Downgrade File System, FFS extraction (qualcomm live generic) and physical extraction, PA could not parse WhatsApp Chats.. Does anyone have similar issues..? Note : -For Smartphone Oppo CPH2127 : APK Downgrade and FFS (qualcomm live generic) whatsapp version : v2.22.10.73 -For Smartphone Xiaomi Redmi 5A MCE3B/DS : Physical extraction (EDL Adb) Also happened with XRY extraction.. (edited)
Avatar
Avatar
buyzz
hi all, we have found several occurrences where, even though we have an APK Downgrade File System, FFS extraction (qualcomm live generic) and physical extraction, PA could not parse WhatsApp Chats.. Does anyone have similar issues..? Note : -For Smartphone Oppo CPH2127 : APK Downgrade and FFS (qualcomm live generic) whatsapp version : v2.22.10.73 -For Smartphone Xiaomi Redmi 5A MCE3B/DS : Physical extraction (EDL Adb) Also happened with XRY extraction.. (edited)
Latest WhatsApp version isn’t supported (yet) in PA
Avatar
Avatar
buyzz
hi all, we have found several occurrences where, even though we have an APK Downgrade File System, FFS extraction (qualcomm live generic) and physical extraction, PA could not parse WhatsApp Chats.. Does anyone have similar issues..? Note : -For Smartphone Oppo CPH2127 : APK Downgrade and FFS (qualcomm live generic) whatsapp version : v2.22.10.73 -For Smartphone Xiaomi Redmi 5A MCE3B/DS : Physical extraction (EDL Adb) Also happened with XRY extraction.. (edited)
chrisforensic 6/7/2022 1:04 AM
yes, same here... no decoding with PA or XRY at the moment
Avatar
I see.. Thank you @bypx & @chrisforensic ..👍
Avatar
Avatar
pdog
@Chris Myers did you ever get an answer to this question?
Chris Myers 6/7/2022 7:29 AM
Nope, I never did
Avatar
Hi all, has anyone done research or case work into files held on iOS devices in the following location: Media/PhotoData/CPL/Storage/filecache/XXX This relates to iOS v15.1. I wish to understand this further for some case work I am working on, so if anyone can assist me then I would be most appreciative. Thank you!
Avatar
Maybe @ScottKjr3347's blog https://theforensicscooter.com/ can help. I don't think it directly addresses it as the main topic, but it's still a great write up.
Avatar
Avatar
Alex Owen
Hi all, has anyone done research or case work into files held on iOS devices in the following location: Media/PhotoData/CPL/Storage/filecache/XXX This relates to iOS v15.1. I wish to understand this further for some case work I am working on, so if anyone can assist me then I would be most appreciative. Thank you!
ScottKjr3347 6/7/2022 12:45 PM
During my testing I was not able to create files that would be stored in this location. I checked it several times during testing but no files would be saved there. If you have a theory I would be willing to use my test devices to try and generate them. Feel free to direct message me to discuss specific details.
Avatar
Avatar
Alex Owen
Hi all, has anyone done research or case work into files held on iOS devices in the following location: Media/PhotoData/CPL/Storage/filecache/XXX This relates to iOS v15.1. I wish to understand this further for some case work I am working on, so if anyone can assist me then I would be most appreciative. Thank you!
JLindmar (83AR) 6/7/2022 1:39 PM
I'm not sure if this is applicable to iOS 15.1 without testing, but my section previously documented the following about the contents of that path:
/filecache/: This is a folder containing numerous subfolders. The subfolders are named with the prefixes for file UIDs found in "store.cloudphotodb".
"store.cloudphotodb": "clientCache" and "cloudCache" tables both contain "identifier": This is a UID or a UUID. The UID conforms to files in the /filecache/ subfolder and likely conforms to the file identifier on the iCloud servers. If a UUID, the "relatedIdentifier" field will contain the original file identifier.
"uploadQueue" contains "itemIdentifier": This contains the UID for the original recorded file. The actual copy is stored in the /filecache/ subfolder, in a secondary subfolder named for the first three characters of the UID. The remaining filename is clipped. Example: "AXFVz/IQVqS4H9Tbj6COHRuIF/g3" is file "Vz/IQVqS4H9Tbj6COHRuIF/g3.mov" in "/filecache/AXF"
🤔 1
Avatar
Need help on Apple Continuity and iMessage syncing across devices. I have an iPhone, iPad and MAC. Some iMessages sent from a user, only show up on one or two devices, but will be missing on another device. Is there a way to determine 1. Which device the message originated from 2. Why did some files not sync? Thanks!
👀 1
Avatar
Avatar
pdog
Need help on Apple Continuity and iMessage syncing across devices. I have an iPhone, iPad and MAC. Some iMessages sent from a user, only show up on one or two devices, but will be missing on another device. Is there a way to determine 1. Which device the message originated from 2. Why did some files not sync? Thanks!
CLB_iwhiffin 6/7/2022 3:35 PM
First thought is if they are definitely iMessages, as regular SMS don't sync. Second would be time; did they have the opportunity to sync? (This only really counts if it's the last messages though.) I'd be looking into the account GUIDs used to send the messages that differ and compare with the other GUIDs that are there etc. See if there is any commonality. I thought there was a way to identify the sending device, but can't see it right now.
Avatar
Avatar
chrisforensic
yes, same here... no decoding with PA or XRY at the moment
Latest version with verified decoding support for WhatsApp Android in XRY is 2.22.8.79, in XRY 10.1.1. I think that many customers aren't aware that in XRY, you can view which versions of which apps have verified decoding support, and whether there are certain conditions for when XRY can get to the data, so I'm trying my best in spreading the word of using the Device Manual for checking app support, just as well as device support.
Avatar
Avatar
MSAB_Sofia
Latest version with verified decoding support for WhatsApp Android in XRY is 2.22.8.79, in XRY 10.1.1. I think that many customers aren't aware that in XRY, you can view which versions of which apps have verified decoding support, and whether there are certain conditions for when XRY can get to the data, so I'm trying my best in spreading the word of using the Device Manual for checking app support, just as well as device support.
chrisforensic 6/8/2022 12:54 AM
thanks for info... just for enlightenment... latest WhatsApp Android 2.22.11.82 is making troubles (edited)
Avatar
Anyone know if the timestamp in iLeapp ( notifications Duet ) needs to be adjusted to the current timezone? @Brigs ? (edited)
Avatar
Avatar
.karate.
Anyone know if the timestamp in iLeapp ( notifications Duet ) needs to be adjusted to the current timezone? @Brigs ? (edited)
I will answer myself: It needs to be adjusted 🙂
👌 1
Avatar
Avatar
ScottKjr3347
During my testing I was not able to create files that would be stored in this location. I checked it several times during testing but no files would be saved there. If you have a theory I would be willing to use my test devices to try and generate them. Feel free to direct message me to discuss specific details.
Thank you for your response; I do not currently have a theory on this, however if I do then I shall message you for some testing
Avatar
Avatar
JLindmar (83AR)
I'm not sure if this is applicable to iOS 15.1 without testing, but my section previously documented the following about the contents of that path:
/filecache/: This is a folder containing numerous subfolders. The subfolders are named with the prefixes for file UIDs found in "store.cloudphotodb".
"store.cloudphotodb": "clientCache" and "cloudCache" tables both contain "identifier": This is a UID or a UUID. The UID conforms to files in the /filecache/ subfolder and likely conforms to the file identifier on the iCloud servers. If a UUID, the "relatedIdentifier" field will contain the original file identifier.
"uploadQueue" contains "itemIdentifier": This contains the UID for the original recorded file. The actual copy is stored in the /filecache/ subfolder, in a secondary subfolder named for the first three characters of the UID. The remaining filename is clipped. Example: "AXFVz/IQVqS4H9Tbj6COHRuIF/g3" is file "Vz/IQVqS4H9Tbj6COHRuIF/g3.mov" in "/filecache/AXF"
Thanks for this; that's a whole lot of information but I think I have my head around it! 😄
4:24 AM
Whilst I'm here, does anyone know what causes iOS to create a "localvideokeyframe.jpg" image for a video? In my case, I have the original file, IMG_XXXX.MP4, the thumbnail image for it, 5005.jpg, and also a "localvideokeyframe.jpg" which is in the following location: PhotoData/thumbnails/videokeyframes/DCIM/101APPLE/IMG_XXXX.MP4 What is the difference between the 5005.jpg and localvideokeyframe.jpg thumbnails? Furthermore, the creation dates for these thumbnails are largely different; the 5005.jpg thumbnail was created a month before the localvideokeyframe.jpg 🤔
Avatar
@Cellebrite Hi all, during a decode of a Huawei POT-LX1 we've noticed some trace window errors decoding NetworkStats giving the error - [ParseNetworkStatsFile] Unexpected version: 17 - Any insight as to what might cause this / any remedies? Thanks
Avatar
Hello. Is there anybody that has played with the latest Samsung Smart Switch version? By playing I mean acquiring a backup with it and trying to forensically analyze it.
Avatar
Avatar
Alex Owen
Thanks for this; that's a whole lot of information but I think I have my head around it! 😄
JLindmar (83AR) 6/8/2022 9:27 AM
Well, in the dataset I have, respective files are technically different, although visually similar. Additional testing is needed, but a "localvideokeyframe.jpg" may be a true i-frame extracted from the original video recording, whereas the "5005" files are thumbnails associated with a recording. If created from the same frame in the recording, they would be visually similar, although technically (e.g., hash value, pixel dimension, etc.) different. You'll typically find several related media files associated with a common source file and created as part of various Apple mechanisms. @ScottKjr3347 has great information on many of these artifacts on his blog. Although, if possible, having a flowchart that maps out what files are created where/when would be great!
Avatar
Avatar
JLindmar (83AR)
Well, in the dataset I have, respective files are technically different, although visually similar. Additional testing is needed, but a "localvideokeyframe.jpg" may be a true i-frame extracted from the original video recording, whereas the "5005" files are thumbnails associated with a recording. If created from the same frame in the recording, they would be visually similar, although technically (e.g., hash value, pixel dimension, etc.) different. You'll typically find several related media files associated with a common source file and created as part of various Apple mechanisms. @ScottKjr3347 has great information on many of these artifacts on his blog. Although, if possible, having a flowchart that maps out what files are created where/when would be great!
ScottKjr3347 6/8/2022 9:20 PM
These files are discussed between Figure 23 and 24 in the blog. During testing I attempted to determine if there were any specific user actions that could initiate the creation of the key frames but was not able to find anything conclusively. Full transparency with all other iOS photos stuff, I didn’t test every situation. The biggest forensic takeaway i had was that the key frames existed and were not created by a user. Here is a link to some developer information that might assist: https://developer.apple.com/documentation/avfoundation/media_reading_and_writing/creating_images_from_a_video_asset
Avatar
The rows in arroyo.db for Snapchat have been moved around. While looking for a good fix I found comments in the database describing each row.
👍 2
1:07 AM
did not know you could have comments for database rows
Avatar
Avatar
ScottKjr3347
These files are discussed between Figure 23 and 24 in the blog. During testing I attempted to determine if there were any specific user actions that could initiate the creation of the key frames but was not able to find anything conclusively. Full transparency with all other iOS photos stuff, I didn’t test every situation. The biggest forensic takeaway i had was that the key frames existed and were not created by a user. Here is a link to some developer information that might assist: https://developer.apple.com/documentation/avfoundation/media_reading_and_writing/creating_images_from_a_video_asset
As you said the key frame is auto created, but it can be changed by the user for videos and Live Photos. Not sure how that changes things when that happens.
💯 1
Avatar
dinosaurdave 6/9/2022 6:46 AM
Question regarding Android thumbnails and please correct me if I am wrong: I have always attributed thumbnail images from DCIM.thumbnails and com.sec.android.gallery3d\cache\ to the default Gallery application, but I am now wondering if anyone can actually tell me the difference between each cache? Both appear to store thumbnails of images that were once accessible for viewing through the gallery?
Avatar
Avatar
JLindmar (83AR)
Well, in the dataset I have, respective files are technically different, although visually similar. Additional testing is needed, but a "localvideokeyframe.jpg" may be a true i-frame extracted from the original video recording, whereas the "5005" files are thumbnails associated with a recording. If created from the same frame in the recording, they would be visually similar, although technically (e.g., hash value, pixel dimension, etc.) different. You'll typically find several related media files associated with a common source file and created as part of various Apple mechanisms. @ScottKjr3347 has great information on many of these artifacts on his blog. Although, if possible, having a flowchart that maps out what files are created where/when would be great!
JLindmar (83AR) 6/9/2022 9:44 AM
FYI, analyzing/extracting i-frames from a test video with a related image in the "VideoKeyFrames" folder, it doesn't appear that the picture in that folder is a "keyframe" (i-frame) when used in the context of video compression.
👍 1
Avatar
thatboy_leo 6/9/2022 10:14 AM
Is there a specified folder path for iPhone images within native photos apps for a user created folder?
Avatar
Avatar
thatboy_leo
Is there a specified folder path for iPhone images within native photos apps for a user created folder?
JLindmar (83AR) 6/9/2022 12:15 PM
I'm not sure I'm understanding your question, but I would expect pictures taken natively on the device to reside in /private/var/mobile/Media/DCIM. (edited)
Avatar
ScottKjr3347 6/9/2022 7:01 PM
Review Figure 6 information. There is also some footage of me creating multiple folders and albums to store assets and shared assets. But I can't find it right now. I'll review the material and post the specific figure number tomorrow. If you use my photos.sqlite query it will provide you with the parent folder and albums in that parent folder. The standard parent is root, which contains most albums. If a user creates separate folders to contain album(s) it will be listed as the parent in the query output. Hope that answers your question but if not, if you could be a little bit more specific we might be able to help. (edited)
Avatar
Avatar
chrisforensic
yes, same here... no decoding with PA or XRY at the moment
What about Axiom?
Avatar
Does anybody know if there's a limit to the number of call logs (voice and video) in Whatsapp on Android?
Avatar
forensicres 6/10/2022 5:23 AM
Are you aware of ways to detect that there has been a remote wipe attempt on a device (Android/iOS) without, of course, connecting the device to the internet? Thanks. (edited)
Avatar
MrMacca (Allan Mc) 6/10/2022 5:27 AM
Got a FFS of an iPhone and when reviewing the decoded data within the latest ufed and also axiom, I'm noticing that unread WhatsApp messages are nowhere to be seen in the decoded data. The WhatsApp version on the phone is 2.22.3.73. I can see the unread messages on the actual handset, but can't find them in either tool. I've seen mention of WhatsApp issues, and wondered if this is a known one currently. Cheers!
Avatar
Hello everyone, is anyone experiencing problems with the whatsapp cloud extractor, that messages are not decrypted?
6:25 AM
Oxygen cloud extractor
Avatar
Good morning all. I'm looking for someone familiar with Google Takeout location data. I'm trying to interpret one of the .json files and I'm looking for clarification on some of the information I'm seeing. Thanks. (edited)
Avatar
after verifying the whatsapp code via sms
6:26 AM
in the parsed extraction, the messages don't appear
6:26 AM
@Oxygen Forensics can u help?
Avatar
Avatar
Sherlock
@Oxygen Forensics can u help?
Oxygen Forensics 6/10/2022 6:27 AM
Hello, one second, let me DM you 🙂
Avatar
thanks
Avatar
Avatar
stps358
Good morning all. I'm looking for someone familiar with Google Takeout location data. I'm trying to interpret one of the .json files and I'm looking for clarification on some of the information I'm seeing. Thanks. (edited)
what are you trying to figure out ?
Avatar
Things like PlaceConfidence and other Candidatelocations. They seem pretty self-explanatory but I just want to confirm
Avatar
Avatar
sky
@Cellebrite Hi all, during a decode of a Huawei POT-LX1 we've noticed some trace window errors decoding NetworkStats giving the error - [ParseNetworkStatsFile] Unexpected version: 17 - Any insight as to what might cause this / any remedies? Thanks
It means that this version of netstats (Network Statistics) is not currently supported. I think this specific version is a different implementation by Huawei of how they log netstats on the disk. For more context about the feature: https://cellebrite.com/en/network-usage-cellebrite-physical-analyzer/
Avatar
Avatar
CLB-ChenK
It means that this version of netstats (Network Statistics) is not currently supported. I think this specific version is a different implementation by Huawei of how they log netstats on the disk. For more context about the feature: https://cellebrite.com/en/network-usage-cellebrite-physical-analyzer/
Thanks for the response, I did try to have a look around the filesystem to locate a possible database/logfile that it was attempting to parse but no luck. Appreciated.
Avatar
You should find it in the path /system/netstats. If you can reach Cellebrite support and share a file with a name starting with "uid", it will help us prioritize and research this version sooner 😁 And as general advice - you can find more information in the PA log files about errors you see in the trace. I think in this case you could find the specific file that PA tries to parse before reaching the unexpected version error (edited)
Avatar
Avatar
CLB-Paul
what are you trying to figure out ?
Just trying to put a timeline together of where and when this person went. It appears that I can follow him in the JSONView extension but there is a lot of information in there that could be misleading. Things like PlaceConfidence and other Candidatelocations. They seem pretty self-explanatory but I just want to confirm
Avatar
Avatar
stps358
Just trying to put a timeline together of where and when this person went. It appears that I can follow him in the JSONView extension but there is a lot of information in there that could be misleading. Things like PlaceConfidence and other Candidatelocations. They seem pretty self-explanatory but I just want to confirm
JLindmar (83AR) 6/10/2022 9:58 AM
Are you looking for a way to "query" the data or interpret it?
Avatar
Avatar
JLindmar (83AR)
Are you looking for a way to "query" the data or interpret it?
I'm just looking for information on what the fields used in the location history .json files mean. For example I have things like "locationConfidence: 92.7266" and "calibratedProbability: 81.153046". I'm guessing these numbers are out of 100 and that these two would be on the high side, but what do things like calibratedProbability refer to?
Avatar
Avatar
stps358
I'm just looking for information on what the fields used in the location history .json files mean. For example I have things like "locationConfidence: 92.7266" and "calibratedProbability: 81.153046". I'm guessing these numbers are out of 100 and that these two would be on the high side, but what do things like calibratedProbability refer to?
JLindmar (83AR) 6/10/2022 11:53 AM
I'm not aware of any official, publicly available information about this from Google, but this project may help: https://locationhistoryformat.com/ Unfortunately, Google is most likely the only source that can provide an accurate explanation of what those field names are. (edited)
Avatar
Avatar
JLindmar (83AR)
I'm not aware of any official, publicly available information about this from Google, but this project may help: https://locationhistoryformat.com/ Unfortunately, Google is most likely the only source that can provide an accurate explanation of what those field names are. (edited)
Thank you. I'll give it a read.
Avatar
Avatar
JLindmar (83AR)
I'm not aware of any official, publicly available information about this from Google, but this project may help: https://locationhistoryformat.com/ Unfortunately, Google is most likely the only source that can provide an accurate explanation of what those field names are. (edited)
This is actually quite helpful. Thanks
👍 1
Avatar
Avatar
forensicres
Are you aware of ways to detect that there has been a remote wipe attempt on a device (Android/iOS) without, of course, connecting the device to the internet? Thanks. (edited)
forensicres 6/11/2022 12:56 AM
any input on this pls? Thanks.
Avatar
Avatar
forensicres
any input on this pls? Thanks.
DeeFIR 🇦🇺 6/11/2022 2:32 AM
Most people in here are pretty active and trawl through previous messages, so if they haven't answered they either don't know or don't have time to respond. It's not like a forum where you can just bump your post to the top, it won't give you more attention or a quicker response.
💯 2
Avatar
Avatar
DeeFIR 🇦🇺
Most people in here are pretty active and trawl through previous messages, so if they haven't answered they either don't know or don't have time to respond. It's not like a forum where you can just bump your post to the top, it won't give you more attention or a quicker response.
forensicres 6/11/2022 2:33 AM
Thanks for the clarification 🙂
👍🏻 1
Avatar
Avatar
forensicres
Are you aware of ways to detect that there has been a remote wipe attempt on a device (Android/iOS) without, of course, connecting the device to the internet? Thanks. (edited)
iCloud warrant return…not sure on any others
Avatar
Hi I need help, I have iPhone 12 OS 14, Is there a way to know when an Instagram user started following me, and when a user removed the follower? Is there a record in the database? Thanks
Avatar
Someone from @MSAB to dm me?
Avatar
Avatar
Micke
Someone from @MSAB to dm me?
Sure.
Avatar
Avatar
CLB-ChenK
You should find it in the path /system/netstats. If you can reach Cellebrite support and share a file with a name starting with "uid", it will help us prioritize and research this version sooner 😁 And as general advice - you can find more information in the PA log files about errors you see in the trace. I think in this case you could find the specific file that PA tries to parse before reaching the unexpected version error (edited)
Didn't know this - thank you I shall take a look myself
Avatar
Hi, in iOS 14.6: Where is the file that contains the link between the GUID and the name of the applications? (edited)
Avatar
Avatar
rico
Hi, in iOS 14.6: Where is the file that contains the link between the GUID and the name of the applications? (edited)
JLindmar (83AR) 6/13/2022 10:03 AM
/private/var/mobile/Library/FrontBoard/applicationState.db
.application_identifier_tab = locate the "application_identifier" and "id" for the application in question
.kvs = locate the "application_identifier" where "key" = 1 ("compatibilityInfo" in .key_tab) and review the BLOB (bplist) in "value"
🥰 1
Avatar
Following research by Chris Lees, here is even more on MEGA! https://kibaffo33.data.blog/2022/06/13/even-more-mega/
Salute 4
👍 3
🔥 1
Avatar
chrisforensic 6/14/2022 1:34 AM
fu*king WhatsApp decoding 🤬 we need a solution... sooon... @Cellebrite
Avatar
Avatar
chrisforensic
fu*king WhatsApp decoding 🤬 we need a solution... sooon... @Cellebrite
Binary Hick has posted some SQLite queries that may assist you while you wait for mainline tools to support it. https://thebinaryhick.blog/2022/06/09/new-msgstore-who-dis-a-look-at-an-updated-whatsapp-on-android/
👍 1
Avatar
Avatar
chrisforensic
fu*king WhatsApp decoding 🤬 we need a solution... sooon... @Cellebrite
CLB-dan.techcrime 6/14/2022 1:56 AM
Please direct all profanities to mark.zuckerberg@meta.com
Salute 1
🤣 16
chrisforensic
fu*king WhatsApp decoding 🤬 we need a solution... sooon... @Cellebrite
@CLB_joshhickman1 @Brigs and I are working on supporting this in ALEAPP soon
🧡 5
😘 1
Salute 1
Any LE members in USA can send me a DM. Looking to get some understanding of icloud b/u
stark4n6
@CLB_joshhickman1 @Brigs and I are working on supporting this in ALEAPP soon
chrisforensic 6/14/2022 5:55 AM
p.e.r.f.e.c.t. 👍
chrisforensic
fu*king WhatsApp decoding 🤬 we need a solution... sooon... @Cellebrite
The PA 7.56 will be available tomorrow for downloading from the Design Partner Platform, fix for WhatsApp is included.
Salute 3
💯 5
👍 3
idokal
The PA 7.56 will be available tomorrow for downloading from the Design Partner Platform, fix for WhatsApp is included.
🥳
Does anyone know if there is a way within Cellebrite to provide multiple passwords to decode Apple Secure Notes? Seems to only prompt for one password, but we have two different passwords that we cracked from the extracted hashes that we need to provide that apparently work on different notes. @Cellebrite
dfa_adam
Does anyone know if there is a way within Cellebrite to provide multiple passwords to decode Apple Secure Notes? Seems to only prompt for one password, but we have two different passwords that we cracked from the extracted hashes that we need to provide that apparently work on different notes. @Cellebrite
In the "Load Evidence" (In the case wizard window when doing a new job), there's an option to import a password list, just feed those 2 into that file and import it, should attempt it whilst parsing. (edited)
👆 1
Okay, thanks. We'll give that a try. We have two passwords with two different hints, but PA's prompt only has one hint. Maybe that'll ingest for both passwords. Takes a long time to parse this extraction...
chrisforensic
p.e.r.f.e.c.t. 👍
should be working now, give it a go and let us know https://github.com/abrignoni/ALEAPP
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
👍 3
dfa_adam
Does anyone know if there is a way within Cellebrite to provide multiple passwords to decode Apple Secure Notes? Seems to only prompt for one password, but we have two different passwords that we cracked from the extracted hashes that we need to provide that apparently work on different notes. @Cellebrite
If you have a problem, you can always get the hash out of Apple Secure Notes and brute-force it fast with hashcat
R3V3R53
If you have a problem, you can always get the hash out of Apple Secure Notes and brute-force it fast with hashcat
If I'm understanding @dfa_adam correctly, they already have cracked the hashes, but need to decrypt the notes. Hashcat cannot help with the decryption step
Mistercatapulte pinned a message to this channel. 6/15/2022 2:20 AM
OllieD
If I'm understanding @dfa_adam correctly, they already have cracked the hashes, but need to decrypt the notes. Hashcat cannot help with the decryption step
Ah sorry, read it a little too fast ^^
Is there a way to decrypt Signal attachments? They seem to be audio messages that are now a plist file
OggE
Is there a way to decrypt Signal attachments? They seem to be audio messages that are now a plist file
Yes, can you give us more information about the phone and extraction type? You said Plist file so probably from iOS? If yes do you have access to the keychain?
dfa_adam
Okay, thanks. We'll give that a try. We have two passwords with two different hints, but PA's prompt only has one hint. Maybe that'll ingest for both passwords. Takes a long time to parse this extraction...
in general you should be able to load a passwords file with more than one password (even in the default flow when you get a prompt from the parser). what is the iOS version? can you see more than 1 hint in NoteStore.sqlite? we would like to make sure PA has better UX in such scenario (edited)
Bobby
Yes, can you give us more information about the phone and extraction type? You said Plist file so probably from iOS? If yes do you have access to the keychain?
iPhone FFS with keychain, have it going through AXIOM to see if it will decrypt the attachments. UFED could not.
📩 1
Axiom or Oxygen may help for sure
12:21 PM
In case of Android, you have to use options in Axiom and add manually the decryption keys (one for msg and one for attachments) (edited)
Bobby
In case of Android, you have to use options in Axiom and add manually the decryption keys (one for msg and one for attachments) (edited)
Im guessing AXIOM has instructions for where to find the keys for android? (edited)
OggE
Im guessing AXIOM has instructions for where to find the keys for android? (edited)
The keystore is different from the keychain; the content is very small. There should be keys for a few apps like Signal, ProtonMail, ... (edited)
Bobby
The keystore is different from the keychain; the content is very small. There should be keys for a few apps like Signal, ProtonMail, ... (edited)
Got it, thanks 🙂
anyone know if MyEyesOnly is included in a GK extraction and if PA can parse it? I have a dump where PA parsed "Snapchat Gallery\Snaps" under the filesystems, just not as many images as I'd hoped if it's MyEyesOnly... It's a consent phone, the pin code for MyEyes is known... Any good ways to get them out?
snoop168
anyone know if MyEyesOnly is included in a GK extraction and if PA can parse it? I have a dump where PA parsed "Snapchat Gallery\Snaps" under the filesystems, just not as many images as I'd hoped if it's MyEyesOnly... It's a consent phone, the pin code for MyEyes is known... Any good ways to get them out?
you had to open each snap while online in order for the device to cache it right?
chrisforensic
fu*king WhatsApp decoding 🤬 we need a solution... sooon... @Cellebrite
Hi, if anyone needs a link for PA 7.56 that contains fix for WhatsApp Android , please DM me your email
Salute 3
👍 1
snoop168
anyone know if MyEyesOnly is included in a GK extraction and if PA can parse it? I have a dump where PA parsed "Snapchat Gallery\Snaps" under the filesystems, just not as many images as I'd hoped if it's MyEyesOnly... It's a consent phone, the pin code for MyEyes is known... Any good ways to get them out?
If you have the MEO key in the keychain (com.snapchat.keyservice.persistedkey) you can use our script to download and decrypt the images locally. https://github.com/DFIR-HBG/Snap_DecryptMemories Just add the persistedkey as a fourth argument in cmd; I just noticed that isn't stated on the page
Script to download and decrypt memories and MEO from Snapchat on IOS. Requires the keys for memories to be present in the keychain, as well as the MEO key to get the MEO content. - GitHub - DFIR-HB...
👍 1
OggE
iPhone FFS with keychain, have it going through AXIOM to see if it will decrypt the attachments. UFED could not.
AXIOM 5.10 could not show me the audio messages
idokal
Hi, if anyone needs a link for PA 7.56 that contains fix for WhatsApp Android , please DM me your email
chrisforensic 6/16/2022 3:34 AM
thanks man, PA with fix works fine... WA and WA-Business decoded well, all available attachments linked ok ! cellebrite 💯
cellebrite 3
Oscar
If you have the MEO key in the keychain (com.snapchat.keyservice.persistedkey) you can use our script to download and decrypt the images locally. https://github.com/DFIR-HBG/Snap_DecryptMemories Just add the persistedkey as a fourth argument in cmd; I just noticed that isn't stated on the page
am i just replicating what Cellebrite PA is already doing? Or... ?
snoop168
am i just replicating what Cellebrite PA is already doing? Or... ?
PA only decrypts the files cached on the device (I don't know about UFED Cloud); this script downloads the encrypted memories from Snapchat's servers and decrypts them locally with the keys available in gallery_encrypteddb
Oscar
PA only decrypts the files cached on the device (I don't know about UFED Cloud); this script downloads the encrypted memories from Snapchat's servers and decrypts them locally with the keys available in gallery_encrypteddb
ok thats what I'm looking for... perfect..
OggE
AXIOM 5.10 could not show me the audio messages
5.10? I think last release is something like 6.2
this 1
Hi, looking for some info on the user dictionary on a Samsung. Anyone know if the user dictionary is backed up and restored from Google or Samsung account? Also, if using another device with same account will the user dictionary sync across both devices?
Hi everyone. Having a full fs extraction of an iPhone is there a way (a log or similar) to tell if the phone has been restored from a backup (local or icloud)?
FabianoQ
Hi everyone. Having a full fs extraction of an iPhone is there a way (a log or similar) to tell if the phone has been restored from a backup (local or icloud)?
Bill (VeriFi) 6/16/2022 11:43 AM
Hey Fabiano, I'd try data_ark.plist, purplebuddy.plist, com.apple.mobile.ldbackup.plist
ScottKjr3347 6/16/2022 3:18 PM
📱 apple3 iOS 15 & iOS 16 📸 Photos.sqlite queries have been updated. Research & write-ups will follow. Here are the queries when you need them. https://github.com/ScottKjr3347/iOS_Photos.sqlite_Queries/tree/main/iOS16_Photos.sqlite_Queries https://github.com/ScottKjr3347/iOS_Photos.sqlite_Queries/tree/main/iOS15_Photos.sqlite_Queries
iOS Photos.sqlite queries that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to...
🥰 4
👍 3
the_johanna 6/17/2022 3:44 AM
I have a full file system of an iPhone 13, processed in AXIOM. I have a lot of rows in knowledgeC keybag lock states. Is there any way to see if the iPhone was unlocked with face, thumb or pin code?
@Cellebrite Someone around regarding a decoding question in PA?
the_johanna
I have a full file system of an iPhone 13, processed in AXIOM. I have a lot of rows in knowledgeC keybag lock states. Is there any way to see if the iPhone was unlocked with face, thumb or pin code?
ScottKjr3347 6/17/2022 6:42 AM
I am going to mention a location and file but BIG DISCLAIMER: lots more research and validation is needed. I have been speaking with other analysts and think we are working to validate this, but use caution because it needs to be validated, which at this point it has not been. I believe that this file contains timestamp information for the last biometric unlock: /private/var/mobile/Library/Preferences/com.apple.biometrickitd.plist
the_johanna
I have a full file system of an iPhone 13, processed in AXIOM. I have a lot of rows in knowledgeC keybag lock states. Is there any way to see if the iPhone was unlocked with face, thumb or pin code?
CLB_iwhiffin 6/17/2022 6:43 AM
Scott beat me to it. 😂 If it was touchID I may be able to help. But since you have an iPhone13, I’m still working on that.
florus
@Cellebrite Someone around regarding a decoding question in PA?
CLB_iwhiffin 6/17/2022 6:43 AM
Fire me a message 🙂
I've got a photo of interest located at this filepath from a GK FFS on an iPhone XR running iOS 15.3.1. The filepath is: /private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/scopes/syndication/originals/... In looking at the folder view in PA, I see two additional folders in addition to "originals": .../resources/derivatives and .../masters. When I GTS, it appears the Syndication.photoslibrary may be all the images stored in iMessage chats. Can anyone confirm this? Also, is this where ALL images ever sent/received in iMessages are stored, or only those after the latest delete of a chat? I'm going to do some testing, but haven't yet.
snoop168
you had to open each snap while online in order for the device to cache it right?
correct!
the_johanna
I have a full file system of an iPhone 13, processed in AXIOM. I have a lot of rows in knowledgeC keybag lock states. Is there any way to see if the iPhone was unlocked with face, thumb or pin code?
👍 3
Bill (VeriFi)
Hey Fabiano, I'd try data_ark.plist, purplebuddy.plist, com.apple.mobile.ldbackup.plist
Thanks
Hey, I'm looking for some help on a mock assignment I've been given. I'm using Cellebrite Physical Analyzer and I have a .tar file.
11:25 AM
I have a whole bunch of things I need to find but I don't know where to start learning. I have to learn from home due to ill health so I feel pretty much lost
Seth
I have a whole bunch of things I need to find but I don't know where to start learning. I have to learn from home due to ill health so I feel pretty much lost
https://cellebrite.com/en/physical-analyzer-fundamentals/ There are a ton of resources for all Cellebrite products. A little Google magic and you will be set.
Aired: November 27, 2019 Join us as we go through an introductory walkthrough of Physical Analyzer. Topics will include: Loading extractions SQLite Wizard BSSID Enrichment Settings Report generation.
Brigs
https://cellebrite.com/en/physical-analyzer-fundamentals/ There are a ton of resources for all Cellebrite products. A little Google magic and you will be set.
@Seth https://github.com/abrignoni/iLEAPP some pretty kick ass stuff right there 😄
iOS Logs, Events, And Plist Parser. Contribute to abrignoni/iLEAPP development by creating an account on GitHub.
💯 1
👍 1
You are too kind my dear sir. ☺
@Cellebrite The "Selective app decoding", is this not available for GK FFS's? (If so, how can I select it because it's greyed out as an option) (edited)
Rob
@Cellebrite The "Selective app decoding", is this not available for GK FFS's? (If so, how can I select it because it's greyed out as an option) (edited)
Yes because we don’t have an installed app list pre load.
CLB-Paul
Yes because we don’t have an installed app list pre load.
Ooh makes sense! Any chance that'll be included (if possible) for future versions 😅
Rob
Ooh makes sense! Any chance that'll be included (if possible) for future versions 😅
I’ll shoot you a dm but I wouldn’t hold my breath
👍 1
Is it still possible to get web history from Firefox Focus on iOS?
You can look it up manually by finding the history database. If there is nothing in it, then you have your answer. Maybe it keeps track of opened tabs.
I can't find the history database for it. Do you know where to look?
Sure, it depends what OS you have. These cheat sheets will surely help you https://www.sans.org/posters/dfir-advanced-smartphone-forensics-interactive-poster/
Krypton
Sure, it depends what OS you have. These cheat sheets will surely help you https://www.sans.org/posters/dfir-advanced-smartphone-forensics-interactive-poster/
Those are epic thanks!
9:52 AM
I feel like I combed every Firefox Focus file and can't find anything!
9:53 AM
Btw this is a private file it's a training one
Seth
Btw this is a private file it's a training one
Some old research I did for it on Android. There are some better ways of looking at the data stores mentioned in the article if you know Python. https://abrignoni.blogspot.com/2018/04/local-storage-firefox-focus-privacy.html?m=1
Short version:  Data placed by websites in the Local Storage folder LevelDB database for the Firefox Focus Privacy Browser (FF-Focus) app ...
Hey friends, anyone work with x-ways xtensions + python? Looking to help someone out and get them set up and wondering if anyone had experience/issues (copying to computer-forensics channel as well)
Hey! I have two FFS extractions (PREMIUM & GrayKey) from a Samsung S21 and with no tool (PA, Oxygen, AXIOM) are we able to get Signal v5.12.3! We definitely need your help!
📫 1
xavor0
Hey! I have two FFS extractions (PREMIUM & GrayKey) from a Samsung S21 and with no tool (PA, Oxygen, AXIOM) are we able to get Signal v5.12.3! We definitely need your help!
Did you get the keystore in the extraction? If you know the password or can brute-force it I think Oxygen should be able to extract it with Oxyagent
👍 1
Hi, anyone know how to convert a blob to a string in an SQL query without going through Python? Preferably via DB Browser
equalexpert 6/23/2022 3:52 AM
timestamps - I have an sqlitedb from an iOS extraction for some 3rd party notes app that has a created date matching the app install date. An hour later an entry is added but the accessed/modified times don't change. I know there are some things that iOS doesn't update depending on what/when/which direction the wind is blowing, so I'm assuming the tracking of this is something set by the app developer and this one might just be lazy and didn't enable it
rico
Hi, anyone know how to convert a blob to a string in an SQL query without going through Python? Preferably via DB Browser
Would SELECT CAST(data AS TEXT) work for you?
🥰 1
In db browser and in command line... Unfortunately 😢
7:34 AM
@varbytes what's your soft that works for this function?
7:34 AM
@rico it might not work as it largely depends on the source type and data format of the blob data. In some instances, type-casting it as text gives a quick and dirty way of viewing printable characters in the blob. More often than not it tends to fail though, like in your case (edited)
👍 1
@varbytes I'm trying to decode the new telegram format (not yet supported by xry, ufed and axiom)... The goal is not to have a clean result but just to be able to query in the fields among the thousands of posts
In WhatsApp, I know chats are stored as they were sent/received in the main DB and some are scrambled in the ChatSearchV5f database. What determines which DB is used and whether the messages are displayed normally or scrambled? I can't find anything in the settings of app itself...
rico
@varbytes I'm trying to decode the new telegram format (not yet supported by xry, ufed and axiom)... The goal is not to have a clean result but just to be able to query in the fields among the thousands of posts
Ah… Hopefully someone else can chime in with their findings then as I’ve not looked at Telegram lately 🤞
@JayB1rd Since some months... years... WhatsApp changed this; db v3 was the normal one. The chatsearch was only used to find the message
7:51 AM
@varbytes thx you for your message
rico
@JayB1rd Since some months... years... WhatsApp changed this; db v3 was the normal one. The chatsearch was only used to find the message
Yeah, now the ChatSearchv5f actually stores the messages in a scrambled format. Just trying to find out the mechanism that determines whether the chat messages are stored scrambled in the V5f db or normally in the ChatStorage.sqlite db.
Anyone ever see an “invalid binary format” error in PA trace window before? Extraction seemed like it loaded fine but the error threw right at the beginning
8:34 AM
@Cellebrite - in case you’re around. I searched here and the knowledge base but haven’t found an explanation yet
We are around. What are you trying to load
@JayB1rd it's only scrambled in searchV5f. According to personal tests confirmed by other colleagues, the order is random... On short messages it can be understood but large ones...
rico
@JayB1rd it's only scrambled in searchV5f. According to personal tests confirmed by other colleagues, the order is random... On short messages it can be understood but large ones...
That's def true. I'm trying to determine WHY some go to the scrambled db and some don't
That's a good question! If you find the answer don't forget us 😉
@CLB_iwhiffin is probably someone to ask 😄
JayB1rd
That's def true. I'm trying to determine WHY some go to the scrambled db and some don't
If you only have the scrambled one it means the messages are only in the chatsearch db. So the message was deleted
👍 1
8:52 AM
If the message is still present in the main db, Cellebrite and other products will not show them (the scrambled one). @Cellebrite Am I right? (edited)
Dam
If the message is still present in the main db, Cellebrite and other products will not show them (the scrambled one). @Cellebrite Am I right? (edited)
Yep, that's the case here. The scrambled messages were deleted. THANKS! So if they're not deleted, they will show unscrambled in the ChatStorage db and NOT be in the V5F db? Or are they always in both and the scrambled messages are only shown if they are deleted and no longer in the ChatStorage?
👌🏻 1
I think it’s in both
👍 2
8:57 AM
Old version of chatstorage wasn’t scrambled
Dam
I think it’s in both
Thanks. I really do appreciate it. I thought it was a setting in the chats on the app, but this makes more sense.
JayB1rd
Thanks. I really do appreciate it. I thought it was a setting in the chats on the app, but this makes more sense.
Be aware that the chatsearch is not always created
8:59 AM
I think it’s created the first time a user uses the search function. But I’m not sure at all
👍 1
😋 1
note that the ChatSearchv5 db (the one with scrambled message records) is created because WhatsApp (like other apps - Telegram and Signal among them) uses SQLite's FTS (full text search) module. This is a feature of SQLite to enable fast search on textual content. So WhatsApp is indexing the message content (i.e. there will be a record in the main db and in the "scrambled db" once the message is created) so users can find messages with specific content faster.
Salute 2
Good afternoon, all! I'm conducting an analysis of an older Apple device (2020 case) where we were now able to obtain a full file system extraction. After looking at the data for the Bird app (scooter rental app), I noted that there was a significant amount of data saved in the mixpanel files for the app which contained timestamps and GPS location data. These mixpanel files (Mixpanel is an app analytics platform) are bplists, however, and therefore aren't as easily parsed by the usual tools. My script-fu is limited and I was hoping that someone had previously worked with these files or something similar and had a tool to recommend rather than static manual analysis. As you can see in the screenshot, this could be very valuable data for us. Thanks!
CLB-ChenK
note that the ChatSearchv5 db (the one with scrambled message records) is created because WhatsApp (like other apps - Telegram and Signal among them) uses SQLite's FTS (full text search) module. This is a feature of SQLite to enable fast search on textual content. So WhatsApp is indexing the message content (i.e. there will be a record in the main db and in the "scrambled db" once the message is created) so users can find messages with specific content faster.
Welp, that makes much more sense to me now. Thank y'all for all the help @Dam@rico @CLB-ChenK
👍 2
cellebrite 1
criley4640
Good afternoon, all! I'm conducting an analysis of an older Apple device (2020 case) where we were now able to obtain a full file system extraction. After looking at the data for the Bird app (scooter rental app), I noted that there was a significant amount of data saved in the mixpanel files for the app which contained timestamps and GPS location data. These mixpanel files (Mixpanel is an app analytics platform) are bplists, however, and therefore aren't as easily parsed by the usual tools. My script-fu is limited and I was hoping that someone had previously worked with these files or something similar and had a tool to recommend rather than static manual analysis. As you can see in the screenshot, this could be very valuable data for us. Thanks!
JLindmar (83AR) 6/23/2022 2:19 PM
You could convert them to XML or JSON with Apple's "plutil" (which may already be present on your PC), and then query the specific field/values you need with XPath or JPath respectively.
JLindmar (83AR)
You could convert them to XML or JSON with Apple's "plutil" (which may already be present on your PC), and then query the specific field/values you need with XPath or JPath respectively.
Good idea, Thanks. As it turns out, the info isn't as critical as I originally thought. But I want to try it anyway so that I have that tool in my toolbox.
Rob
@CLB_iwhiffin is probably someone to ask 😄
CLB_iwhiffin 6/23/2022 5:43 PM
Apologies; I fell behind on my discord and only just seen this. I see that Chen has already answered anyway. 🙂
💯 1
chrisforensic 6/23/2022 7:47 PM
Hello folks @Cellebrite , would you agree that we should no longer use the BSSID database in PA as it is out of date and many values may no longer be up to date or reliable?
I wouldn’t say it does not hold value. I believe it does. But need to validate it.
👍 1
@Cellebrite Can someone please confirm to me where an artefact is being pulled from? I have a PDF report of a Samsung and it has recovery events listed. Essentially, what exactly do these refer to? I don't have the UFD file to see where this is coming from.
chrisforensic
Hello folks @Cellebrite , would you agree that we should no longer use the BSSID database in PA as it is out of date and many values may no longer be up to date or reliable?
CLB_iwhiffin 6/24/2022 1:59 PM
It depends what you want to know. Some records are dated (we are working on it) but as Paul says, it may still hold value depending on what the source of the BSSID is. And again, echoing Paul, if you find anything evidential it requires validating.
Salute 1
criley4640
Good afternoon, all! I'm conducting an analysis of an older Apple device (2020 case) where we were now able to obtain a full file system extraction. After looking at the data for the Bird app (scooter rental app), I noted that there was a significant amount of data saved in the mixpanel files for the app which contained timestamps and GPS location data. These mixpanel files (Mixpanel is an app analytics platform) are bplists, however, and therefore aren't as easily parsed by the usual tools. My script-fu is limited and I was hoping that someone had previously worked with these files or something similar and had a tool to recommend rather than static manual analysis. As you can see in the screenshot, this could be very valuable data for us. Thanks!
If you can share some sample data ( and the path to the files )I can try and make an iLEAPP artifact. https://github.com/abrignoni/iLEAPP (edited)
iOS Logs, Events, And Plist Parser. Contribute to abrignoni/iLEAPP development by creating an account on GitHub.
❤️ 1
Brigs
If you can share some sample data ( and the path to the files )I can try and make an iLEAPP artifact. https://github.com/abrignoni/iLEAPP (edited)
Thanks, Brigs. I'll try to get some sent over next week. If you don't hear from me, remind me. This is some really good data that will most likely get overlooked in a lot of cases. It's also something that could very well exist in other apps depending on how they implement Mixpanel.
👍 1
Has anyone managed to extract/decrypt/decode the PIN for Calculator vault app ID com.flatfish.cal.privacy?
@chrisforensic In one of my unilog analyses of an iPhone 6 with iOS 12 I had the information from BSSID for about ten days... To see if this is still the case, if you have an FFS and if this period suits you
👍 1
hi, does anyone know how to jailbreak an iPhone 6 (I have heard that I should do it with the Pangu software but I would like some opinions on the matter) (edited)
vaghoul
hi, does anyone know how to jailbreak an iPhone 6 (I have heard that I should do it with the Pangu software but I would like some opinions on the matter) (edited)
What iOS version?
I don't know, the device has been rebooted
vaghoul
I don't know, the device has been rebooted
And you don't know the passcode? I haven't heard of any way to jailbreak an iphone without knowing the passcode
Oscar
And you don't know the passcode? I haven't heard of any way to jailbreak an iphone without knowing the passcode
Well, I know the passcode; what I do not know is the Apple ID, that's the reason I want to jailbreak it. Also, about the iOS version, I thought the program for the jailbreak could detect it
vaghoul
Well, I know the passcode; what I do not know is the Apple ID, that's the reason I want to jailbreak it. Also, about the iOS version, I thought the program for the jailbreak could detect it
You could try https://checkra.in/releases/ It's only available for Mac or Linux but you should be able to run it through a Linux VM if you only have a Windows machine (edited)
Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up
Has anyone done any research on emoji forensics? I know they can look slightly different on Android vs iOS. Is it possible to search for an emoji in a forensic tool? How does a tool like AXIOM or Cellebrite display emoji's from different platforms? I am going to do some testing this week but I'm wondering if anyone else has any information about this subject.
PhrostByte
Has anyone done any research on emoji forensics? I know they can look slightly different on Android vs iOS. Is it possible to search for an emoji in a forensic tool? How does a tool like AXIOM or Cellebrite display emoji's from different platforms? I am going to do some testing this week but I'm wondering if anyone else has any information about this subject.
You should be able to search for the Unicode equivalent of the emoji you are looking for. https://unicode.org/emoji/charts/full-emoji-list.html
👍 4
S Cote / SQ 6/27/2022 11:43 AM
Hey! I'm trying to find some infos on last factory reset date/time of an Huawei AGS-L03 tablet, running Android 7.0. I've looked into some DBs like /data/property/persistent_properties, /data/misc/bootstat, /efs/recovery/history and /data/system/users/service/data/eRR.p but I can't find this info. I think one of my first problems is I don't have a physical extraction of the device, can I have a physical extraction of this device too? (it's fully unlocked), thanks!
S Cote / SQ
Hey! I'm trying to find some infos on last factory reset date/time of an Huawei AGS-L03 tablet, running Android 7.0. I've looked into some DBs like /data/property/persistent_properties, /data/misc/bootstat, /efs/recovery/history and /data/system/users/service/data/eRR.p but I can't find this info. I think one of my first problems is I don't have a physical extraction of the device, can I have a physical extraction of this device too? (it's fully unlocked), thanks!
thatboy_leo 6/27/2022 3:06 PM
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
👍 2
@Hancom I got to analyze the MDF file containing the full file system from the iPhone X. Unfortunately I cannot analyze this file because replacing the extension with .bin does not work and no program that I have is able to open it. I tried Oxygen and UFED PA.
@Cellebrite but do we have a release date for ufed4pc and PA? :)
Morning - I'm attempting to analyse a Samsung SM-A715F, which we suspect is infected with malware in a Domestic Abuse case. I have a Filesystem and Logical, but no useful data recovered. I'm looking at dumping Sysdump logs, but have nothing to parse them with. Does anyone have any insight ?
manuelevlr
@Cellebrite but do we have a release date for ufed4pc and PA? :)
should be this week
Hello all. Has anyone had any experience with the "Blumeter" taxi fare app? Particularly looking where ride data is stored in FFS extraction. Thank you.
S Cote / SQ 6/28/2022 6:24 AM
I'll certainly take a great look at that, thanks @thatboy_leo
👍 1
What files can help indicate the first time an iPhone has been used? iOS 15.1.1 iPhone 12
CLB-Paul
should be this week
we hope well 👍
Rob
What files can help indicate the first time an iPhone has been used? iOS 15.1.1 iPhone 12
Bill (VeriFi) 6/28/2022 8:00 AM
Hey Rob, try looking at some of the creation dates on core databases, like CallHistory.storedata, SMS.db, AddressBook.sqlite, and PPSQL.Database. These give you an idea of when the phone was setup last. (edited)
👍 3
Bill (VeriFi)
Hey Rob, try looking at some of the creation dates on core databases, like CallHistory.storedata, SMS.db, AddressBook.sqlite, and PPSQL.Database. These give you an idea of when the phone was setup last. (edited)
Thanks! I'll take a look, do you know if these creation dates can be synced? The owner previously owned an iPhone 5s several years prior so trying to isolate the iPhone 12 date range.
Rob
Thanks! I'll take a look, do you know if these creation dates can be synced? The owner previously owned an iPhone 5s several years prior so trying to isolate the iPhone 12 date range.
Bill (VeriFi) 6/28/2022 8:12 AM
In my experience, I have not seen them sync. You can look in databases that typically sync (SMS or callhistory) and look at PK and date sequencing to get pretty close to when the data synced. The synced data will be jumbled and out of sequence. The local data will be in sequence. (edited)
Bill (VeriFi)
In my experience, I have not seen them sync. You can look in databases that typically sync (SMS or callhistory) and look at PK and date sequencing to get pretty close to when the data synced. The synced data will be jumbled and out of sequence. The local data will be in sequence. (edited)
Thanks, looking at those now are all matching up with a date I've been given so feeling confident I can say when the phone was purchased/setup.
8:15 AM
Checked the S/N which also gives the same date which seems to be all in order
Rob
Thanks, looking at those now are all matching up with a date I've been given so feeling confident I can say when the phone was purchased/setup.
Bill (VeriFi) 6/28/2022 8:16 AM
If you have a full file system, you can look in ContainerManager and exact time the device was first turned on.
😍 1
8:21 AM
Heather Mahalik and Ian Whiffin did a great writeup on the ContainerManager. Search for "Upgrade from Null".
👍 1
Hi all. I have a whatsapp conversations db from an android phone. I have one of these conversations that is made ONLY of the messages from the remote party without any message saying "this message was deleted ....". How do you think this can happen? (excluding that the conversation was going on on 2 channels, like the owner of the phone was writing via sms or another chat program and the remote party was responding via whatsapp).
PhrostByte
Has anyone done any research on emoji forensics? I know they can look slightly different on Android vs iOS. Is it possible to search for an emoji in a forensic tool? How does a tool like AXIOM or Cellebrite display emoji's from different platforms? I am going to do some testing this week but I'm wondering if anyone else has any information about this subject.
Emojis are everywhere - and that includes your evidence. What is an emoji? It is a small digital image or icon used to express an idea or an emotion. They are much like emoticons, but emoji are actual pictures instead of typographics. Originally meaning pictograph, the word emoji comes from Japanese (絵, "picture") + moji (文字, "character"); the...
9:32 AM
This references a presentation given at Techno Security at Myrtle Beach in 2019 which I saw being delivered
9:33 AM
One of the key takeaways was how different an emoji can appear on different platforms and how that can make interpretation very tricky for an investigator
9:34 AM
At the same event, I approached Cellebrite, MSAB and Magnet (cannot recall if I spoke to Oxygen) to discuss how they handle emoji rendering. At least one of the products renders emojis using the emojis of the host system e.g. if the forensic tool is running on Windows, the Windows emoji set was used
9:35 AM
There was some discussion around copyright and whether it would be possible to even use the proprietary emoji symbols from other platforms. All the representatives could see the value in being able to render the device specific emojis, but I have not heard anything on this since
9:36 AM
On the copyright issue, a creative suggestion from one of the vendors was that if you had a physical/FFS, perhaps you could use the device specific emoji sets when rendering reports, as they'd be artefacts from the target device in question, rather than being baked into the forensic tool
9:37 AM
It'd be great if this could be revisited by the tool vendors as a feature request...
Trying to work on a CSAM case surrounding a production video. The main video in question is highlighted in green. All other entries show a portion of the video (1 to 2 seconds) or are live photos of the video. Trying to determine if IMG_3380.MOV is the original video, to determine if I can trust the created date and time. The metadata in these entries all show created with my suspect device. Thoughts?
thatboy_leo 6/28/2022 12:27 PM
A long shot but would anyone know where within Android you can get details as to the settings of how long native messages are kept for?
thatboy_leo
A long shot but would anyone know where within Android you can get details as to the settings of how long native messages are kept for?
I would think it would depend on the "native" app of the phone. For example, a Google phone's native app is Messages, whereas Samsung's may be Samsung Messages or something named differently
👍 1
stark4n6
I would think it would depend on the "native" app of the phone. For example, a Google phone's native app is Messages, whereas Samsung's may be Samsung Messages or something named differently
thatboy_leo 6/28/2022 12:35 PM
True. I recall iPhones have it under a certain .plist file but wondered how Android would handle it
thatboy_leo
True. I recall iPhones have it under a certain .plist file but wondered how Android would handle it
I have a Google Pixel and not seeing any settings that would show a retention switch so it may be indefinitely until the user decides to delete (don't quote me on that)
stark4n6
I have a Google Pixel and not seeing any settings that would show a retention switch so it may be indefinitely until the user decides to delete (don't quote me on that)
thatboy_leo 6/28/2022 12:52 PM
Thank you for trying sir. I’ll check around a few different blogs to see what I can find
@thatboy_leo have you reviewed the message database to see how far back it goes? you may see the messages go back to when the phone use began.
Ghosted
Trying to work on a CSAM case surrounding a production video. The main video in question is highlighted in green. All other entries show a portion of the video (1 to 2 seconds) or are live photos of the video. Trying to determine if IMG_3380.MOV is the original video, to determine if I can trust the created date and time. The metadata in these entries all show created with my suspect device. Thoughts?
I interpret it as him taking three or four live photos (3376, 3377, 3378, and 3379) right before he starts recording a video (3380). (Hopefully someone with more experience and knowledge will be able to confirm or deny)
@Carcino The issue I have is those sections you reference as being before the main video seem to be of the main video.
Ghosted
Trying to work on a CSAM case surrounding a production video. The main video in question is highlighted in green. All other entries show a portion of the video (1 to 2 seconds) or are live photos of the video. Trying to determine if IMG_3380.MOV is the original video, to determine if I can trust the created date and time. The metadata in these entries all show created with my suspect device. Thoughts?
Hard to say with certainty while looking at that spreadsheet if you are looking at file or filesystem metadata. You can always look with a hex editor within the file to be absolutely sure of the created and modified time stamps. Also, if you want a trial of Medex to determine if those are camera original to that model device feel free to shoot me a DM. (edited)
@Brandon E I am leaning towards they are camera original. The metadata of them match the make and model of the device seized but still confirming.
Ghosted
@Carcino The issue I have is those sections you reference as being before the main video seem to be of the main video.
I would imagine in a situation like that photos taken seconds before a video would be very similar to the video itself. However, if they are truly from moments within the video then I do not have an answer for you. Let me know if you figure it out!
Ghosted
@Carcino The issue I have is those sections you reference as being before the main video seem to be of the main video.
I believe some phones allow you to take stills or small segments like live photos during the recording of a video
2:13 PM
This is the case on iPhones at least
Ghosted
@Brandon E I am leaning towards they are camera original. The metadata of them match the make and model of the device seized but still confirming.
DeeFIR 🇦🇺 6/28/2022 3:52 PM
What kind of extract do you have? May I suggest looking at app/network data/usage activities surrounding the files themselves? Your scope may be a bit too narrow if you're simply looking at exif/metadata and may need some more context to understand what has actually happened.
@DeeFIR 🇦🇺 there is one network logged at the time of this. I will post tomorrow morning. I have a GK FFS extraction
Ghosted
@DeeFIR 🇦🇺 there is one network logged at the time of this. I will post tomorrow morning. I have a GK FFS extraction
ScottKjr3347 6/28/2022 8:34 PM
Let me know if you want some help.
Is there a way to determine what device Chrome cookies originates from?
1:33 AM
Quick google suggests Cookies aren't supported via Google Sync (whether that's still the case or not unsure). Hoping someone can simply say that still isn't a thing!
Hi, I was just wondering if anyone has dealt with the YOLO app (com.Popshow.YOLO) on iOS or knows a tool that supports the decoding at all?
Hey, is there someone who knows something about the "Calculator - photo vault" app from "FishingNet" (com.hld.anzenbokosucal)?
@DeeFIR 🇦🇺 CFNetworkDownload_0xWxp0.tmp is created about 1 min prior to the video.
👍 2
4:05 AM
This week I have been looking at another Android application designed to keep files secure. ‘Calculator – hide photos’ has many features, including a vault ‘…Through t…
👍 1
Great, thank you very much!
Ghosted
Trying to work on a CSAM case surrounding a production video. The main video in question is highlighted in green. All other entries show a portion of the video (1 to 2 seconds) or are live photos of the video. Trying to determine if IMG_3380.MOV is the original video, to determine if I can trust the created date and time. The metadata in these entries all show created with my suspect device. Thoughts?
CLB_iwhiffin 6/29/2022 4:17 AM
Check out if there is a ZORIGINALFILENAME in the additional attributes table. If it came from somewhere else, it will say something different to IMG_3380. Also check for OriginBundle and/or imported by. Also see if the camera was in use at the time in either knowledgeC or currentpowerlog.
💯 1
S Cote / SQ 6/29/2022 8:24 AM
Found my answer in the /data/data/com.android.providers.media/databases/internal.db as an epoch date, great guide, it will help us a ton in this case. Thanks again!
👍 1
@Cellebrite Is there a known issue regarding Private Photo Vault? "The specified key is not a valid size for this algorithm"
Rob
@Cellebrite Is there a known issue regarding Private Photo Vault? "The specified key is not a valid size for this algorithm"
Supposed to be addressed in PA 7.56, released yesterday.
JayB1rd
Supposed to be addressed in PA 7.56, released yesterday.
Thanks! Didn't spot the release so will download it tomorrow and test it out
👍 1
Sorry for cross-posting this, but I am looking for any assistance with understanding field contents in a Kik messenger SQLite application database. It is older - this Kik application version was used in 2018 and its version number is 12.2.0.19562. The database is called LOGS_DB and was located in /apps/kik.android/db. There was also a journal file called LOGS_DB-journal. I exported both and opened them with a SQLite viewer, which updated the LOGS_DB with the LOGS_DB-journal contents. I have searched online for any reference material on this database, and found little to none. More specifically, I need anything to help me interpret the contents of the "log_message" field in the "logs" table within the LOGS_DB database. The contents are text-based, sometimes quite large, and each value appears like a JSON/XML type of structure, listing fields and field values in a hierarchical view. I would like to gain an understanding of what those fields mean. I'm not sure how best to test an application version that is now 4 years old, that was running on an Android phone that is now 7 years old. If it helps, I can send a "sterilized" version of the contents from one of the "log_message" entries to show what I mean. Thanks for any assistance possible.
👀 1
Google search with "ndcac kik" returns a white paper from 2018
2:21 PM
It may help answering some questions?
What are folks using to produce chat messages in a clean conversation view? I'm disappointed in the limited production options from both CB and Axiom and would honestly like a simpler PDF view that lawyers can actually read. I've tried several of the consumer solutions (iExplore, AnyTrans, iPhone Backup Extractor, etc.) and not found one that works very well. Most of these will work with an iTunes backup, but don't work with an iCloud Backup or iCloud synced download from EPPB. It looks like many of the eDiscovery shops have developed their own solutions. I appreciate any suggestions! (edited)
BSOD
What are folks using to produce chat messages in a clean conversation view? I'm disappointed in the limited production options from both CB and Axiom and would honestly like a simpler PDF view that lawyers can actually read. I've tried several of the consumer solutions (iExplore, AnyTrans, iPhone Backup Extractor, etc.) and not found one that works very well. Most of these will work with an iTunes backup, but don't work with an iCloud Backup or iCloud synced download from EPPB. It looks like many of the eDiscovery shops have developed their own solutions. I appreciate any suggestions! (edited)
You can export very clean conversations from PA if you disable source indication when exporting. I believe Axiom can do similar if you reduce some of the exported columns
Download Secret Calculator Vault - Hide Photo & Lock Videos App 1.0 for iPhone & iPad free online at AppPure. Get Secret Calculator Vault - Hide Photo & Lock Videos for iOS latest version. Are you afraid that your personal photos or videos are open on your phone?
1:12 AM
I've got the media just wanna try and find the PIN for completeness
Rob
I've got the media just wanna try and find the PIN for completeness
Snippet of Application from Android Play Store Calculator applications that store more than you think on the face value are becoming more common. Recently I assisted with a request to decrypt data …
👍 2
PA Ultra is officially publicly available now for those that needed it
💯 8
stark4n6
PA Ultra is officially publicly available now for those that needed it
Available with limitations for now, like no AppGenie, SQLite wizard, carving, ...
👍 1
😞 2
Bobby
Available with limitations for now, like no AppGenie, SQLite wizard, carving, ...
chrisforensic 6/30/2022 8:12 AM
so not worth downloading and installing for real work? ... Testify (edited)
🤷‍♂️ 1
chrisforensic
so not worth downloading and installing for real work? ... Testify (edited)
I would say it depends; the new functionalities may be a game changer? Release notes and manual are available too
@Cellebrite Was going to try out 8.1.0 but when loading I get an error "Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information."
Original message was deleted or could not be loaded.
Public as in you can download it from your license portal https://cellebrite.com/en/pa-ultra/
Physical Analyzer Ultra Series enables the ingesting, decoding, and viewing of multi-source digital evidence, and is architected to deliver more resilient and simplified processes at scale, presented in a powerful, user-friendly interface.
stark4n6
Public as in you can download it from your license portal https://cellebrite.com/en/pa-ultra/
Mobile_Digger 6/30/2022 9:29 AM
Thank you
Oscar
You can export very clean conversations from PA if you disable source indication when exporting. I believe Axiom can do similar if you reduce some of the exported columns
Thanks @Oscar, I will give that a try. Do you know of a way for CB to read data downloaded from Elcomsoft EPB synced messages (messages.db)?
BSOD
Thanks @Oscar, I will give that a try. Do you know of a way for CB to read data downloaded from Elcomsoft EPB synced messages (messages.db)?
I haven't used Elcomsoft so I don't know
Bobby
I would say it depends; the new functionalities may be a game changer? Release notes and manual are available too
@chrisforensic you still have access to DBs and other files, just not all of the features in 7 yet. Location carving is there (edited)
Bobby
It may help answering some questions?
Thanks Bobby. Found that one, but it only briefly describes the database, and doesn't get into the details that I was hoping for. It is certainly a start.
Bill (VeriFi)
Hey Rob, try looking at some of the creation dates on core databases, like CallHistory.storedata, SMS.db, AddressBook.sqlite, and PPSQL.Database. These give you an idea of when the phone was setup last. (edited)
Does looking at the creation dates determine the setup time on Android devices as well?
Has anyone ever tried to decode information from the Remote Desktop application from Microsoft on Android (com.microsoft.rdc.androidx)?
mdogilvie
Hi, looks like there are changes in the WhatsApp DB, and I solved my problem with a program called Avila forensics
chrisforensic 7/1/2022 7:15 AM
hi, just wanna inform you that a translated version (english) is online 👍 (edited)
@Magnet Forensics I got a KaiOS phone (Cricket model: U102AC). I got a physical and processed the extraction through Axiom but have a question. In the Firefox Cache Records I got a bunch of URLs with no dates. However, when I click on the source file it shows me the files the URLs are being taken from, and the files have a creation date. Is there a way to get those dates to show in the artifacts panel?
Rob
Thanks! Didn't spot the release so will download it tomorrow and test it out
Alas, didn't work @JayB1rd but thanks anyhow!
FullTang
Does looking at the creation dates determine the setup time on Android devices as well?
Bill (VeriFi) 7/1/2022 9:08 AM
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
👍 1
@Cellebrite Hi, I have a question regarding PA Ultra. I tried to add two different devices to a case but it seems that all evidence is added to the same device. Can you please tell me how to add different devices?
Dam
@Cellebrite Hi, I have a question regarding PA Ultra. I tried to add two different devices to a case but it seems that all evidence is added to the same device. Can you please tell me how to add different devices?
CLB_iwhiffin 7/4/2022 4:02 AM
Hi Dam, Adding additional devices is a feature that will be enabled in a later release. (edited)
CLB_iwhiffin
Hi Dam, Adding additional devices is a feature that will be enabled in a later release. (edited)
Thank you for your answer.
P4perTrails 7/4/2022 6:11 AM
@Cellebrite another PA Ultra question. How does one save as UFDX, or .PAS? Also, does it matter where you put "Case DB Path"? Is it better to leave at default or should it be in the case folder? And in relation to question from @Dam, when (as in ETA) do you reckon the option for additional devices will be implemented? Thank you.
CLB_iwhiffin 7/4/2022 6:52 AM
- It doesn’t matter where the DB goes. Ideally, leave it as default, but know that you have the option to specify a new location if needed (drive filling up, for example).
- PAS files are redundant now, as everything that would have been in the PAS is now in the database itself.
- The UFDX equivalent will be “replaced” with the cases/devices/extraction objects once fully implemented.
- There will be an import/export feature to allow sharing between examiners or for archiving.
- As for a timeline; I’m not 100% sure. Over the next few months you’ll see lots of older features be refreshed and reimplemented into Ultra. We have a rough timeline, but it’s flexible pending the feedback we get about which missing features are causing the most pain.
Are some of you having trouble with the decoding of Instagram in @Cellebrite?
Micke
Are some of you having trouble with the decoding of Instagram in @Cellebrite?
CLB_iwhiffin 7/4/2022 9:02 AM
Which version of PA? And what is your issue?
The last one... 7.56
CLB_iwhiffin 7/4/2022 9:22 AM
What is the issue? Not parsing at all or only partial? iOS or Android?
9:34 AM
Don't parse at all (edited)
9:34 AM
Parse*
CLB_iwhiffin 7/4/2022 9:37 AM
OK, Let me look into it... I'll be in touch
Little4n6Fox 7/5/2022 4:14 AM
@Cellebrite is it possible to import the hash DB from Analyzer version 7 into version 8?
CLB_iwhiffin
- It doesn’t matter where the DB goes. Ideally, leave it as default, but know that you have the option to specify a new location if needed (drive filling up, for example).
- PAS files are redundant now, as everything that would have been in the PAS is now in the database itself.
- The UFDX equivalent will be “replaced” with the cases/devices/extraction objects once fully implemented.
- There will be an import/export feature to allow sharing between examiners or for archiving.
- As for a timeline; I’m not 100% sure. Over the next few months you’ll see lots of older features be refreshed and reimplemented into Ultra. We have a rough timeline, but it’s flexible pending the feedback we get about which missing features are causing the most pain.
Thanks for this info. Hope to have a release soon because I have too many bugs with Ultra.
Dam
Thanks for this info. Hope to have a release soon because I have too many bugs with Ultra.
CLB_iwhiffin 7/5/2022 8:04 AM
Please send me an email with any bugs or comments (that goes for anyone here) ian.whiffin@cellebrite.com
👍 1
Little4n6Fox
@Cellebrite is it possible to import the hash DB from Analyzer version 7 into version 8?
CLB_iwhiffin 7/5/2022 8:13 AM
Good question that I'm not sure about. I will find out. What was the original source of the hash file?
Obi-Wan-IP 7/5/2022 8:40 AM
Anyone know if PA parses discord chat from a cellebrite adv logical of an iPhone?
Obi-Wan-IP
Anyone know if PA parses discord chat from a cellebrite adv logical of an iPhone?
CLB_iwhiffin 7/5/2022 8:58 AM
Yes; although discord is a bit of a funny beast because it will only give you the messages cached recently. ie. select a single conversation and view the few messages that load. These are all you will get in the extraction. Scroll the conversation to prompt more messages to load (assuming a live network connection) and you should get more messages in the extraction. View additional conversations to put them in cache and make them accessible to the extraction.
CLB_iwhiffin
Good question that I'm not sure about. I will find out. What was the original source of the hash file?
Little4n6Fox 7/5/2022 9:32 AM
In the original there were txt files and partly csv files. If I remember correctly, PA7 creates a hash.db. Importing them into PA8 would be very convenient
Little4n6Fox
In the original there were txt files and partly csv files. If I remember correctly, PA7 creates a hash.db. Importing them into PA8 would be very convenient
CLB_iwhiffin 7/5/2022 9:54 AM
There isn't currently an easy way to do this. I'll suggest it though. In the mean time, I would open the database (%appdata%\Roaming\Cellebrite Mobile Synchronization\HashSets\HashSets.DB) and copy out the hashes to a txt file for importing to Ultra (edited)
CLB_iwhiffin
Yes; although discord is a bit of a funny beast because it will only give you the messages cached recently. ie. select a single conversation and view the few messages that load. These are all you will get in the extraction. Scroll the conversation to prompt more messages to load (assuming a live network connection) and you should get more messages in the extraction. View additional conversations to put them in cache and make them accessible to the extraction.
Obi-Wan-IP 7/5/2022 9:57 AM
Good to know, thanks.
CLB_iwhiffin
There isn't currently an easy way to do this. I'll suggest it though. In the mean time, I would open the database (%appdata%\Roaming\Cellebrite Mobile Synchronization\HashSets\HashSets.DB) and copy out the hashes to a txt file for importing to Ultra (edited)
Little4n6Fox 7/5/2022 10:19 AM
Ok. Thank you very much
DFE Travis 7/5/2022 2:39 PM
When a user deletes an image from an iPod Touch 7 (I think), does the system permanently delete the image after 30 days?
DFE Travis
When a user deletes an image from an iPod Touch 7 (I think), does the system permanently delete the image after 30 days?
CLB_iwhiffin 7/5/2022 4:43 PM
I presume since it's a 7 that it's iOS12 as a minimum so yeah, I'm afraid so. If you can get a FFS there is a chance you'll find a thumbnail of it somewhere, but the actual file itself I would say is gone forever from that device.
DFE Travis 7/5/2022 5:38 PM
@CLB_iwhiffin Thanks for the confirmation, I did check thumbnails, but aside from there being missing numbers from the media sequence, there's no indication anything was there.
jessthechaosmuppet 7/5/2022 7:01 PM
Hey, I have a quick question for you all, looking to verify my own feelings on something since I’m not super familiar with mobile forensics. I was presented a situation where a security team is trying to prove that an iPhone accessed a particular website. All they have is a single DNS record of the access, but no corroborating web proxy logs. Would you take this as proof that the iPhone accessed the website, or would you want more evidence? And would there be anything short of handing the phone over and looking to see the web history?
jessthechaosmuppet
Hey, I have a quick question for you all, looking to verify my own feelings on something since I’m not super familiar with mobile forensics. I was presented a situation where a security team is trying to prove that an iPhone accessed a particular website. All they have is a single DNS record of the access, but no corroborating web proxy logs. Would you take this as proof that the iPhone accessed the website, or would you want more evidence? And would there be anything short of handing the phone over and looking to see the web history?
Deleted User 7/5/2022 9:00 PM
If the phone in question is owned by the business, take the phone. If not owned by the business, it's a gamble.
jessthechaosmuppet 7/5/2022 9:00 PM
It’s someone’s personal phone
9:00 PM
The team is trying to claim that a DNS record is sufficient to show that the phone owner accessed a website
Deleted User 7/5/2022 9:01 PM
Negative.
9:01 PM
Is the DNS tied at layer 2 to the phone? How is the IP tied in? Where are the logs, etc.?
jessthechaosmuppet 7/5/2022 9:01 PM
That’s what I thought!
Deleted User 7/5/2022 9:01 PM
I'd want MAC address correlations, etc.
jessthechaosmuppet 7/5/2022 9:02 PM
Good good good, that’s what I thought
9:02 PM
Thank you!
Deleted User 7/5/2022 9:02 PM
If you're not tracing MAC addresses for the corporate network, something is wrong in the force.
jessthechaosmuppet 7/5/2022 9:02 PM
Agreed
Deleted User 7/5/2022 9:02 PM
Also, do not allow personal on corporate lans
9:03 PM
A dedicated guest network for wifi should be available if so chosen, but do not allow non company devices on a given corporate LAN. Someone just might abuse it.
💯 2
🇧 2
🇾 2
🇴 2
🇩 2
Does anyone have any experience with temporary files for Signal being found in ows_temp folders on iOS? Is there any way to glean if the files were received or sent?
Hey, I have a quick question: using the newest PA version 8.1, I don't see the Python menu anymore. How do I use a custom Python script with this PA version?
DirTech
Hey, I have a quick question: using the newest PA version 8.1, I don't see the Python menu anymore. How do I use a custom Python script with this PA version?
There are features that are not available for now; the complete list is available in the release notes (AppGenie, SQLite Wizard, running plugins and Python shell, ...)
👍 1
I'm trying to figure out how much space is used/available on an iOS device (do not have a ffs). I'm looking at device_values.plist and see both "com.apple.disk_usage" and "com.apple.disk_usage.factory" but none of these values seem to match what is shown on the iOS device's actual settings screen. Anyone have any insight into this?
Looking for a script to decode Reddit chats. They are pretty clear in the DB, but @Magnet Forensics isn't parsing them. I am loading it up in @Cellebrite PA now to see if it does anything with them. I can do the SQL query, but if someone already has it, I don't mind borrowing it. 🙂
ScottKjr3347 7/6/2022 4:21 PM
@Brigs @stark4n6 @CLB_joshhickman1 or any other Android ninjas, any chance someone could help me understand this gap (5h19m06s – 6h24m41s) in an Android 10 newbatterystats log:
0 (20) RESET:TIME: 2021-03-15-21-00-11
….
+5h18m59s414ms (2) 100 -wifi_scan +tmpwhitelist=u0a40:"broadcast:u0a40:com.google.android.location.reporting.ACTION_WIFI_SCAN_RESULTS"
+5h19m06s425ms (2) 100 status=full
+6h24m41s024ms (43) RESET:TIME: 2021-03-16-03-24-51
+6h24m41s024ms (2) 100 status=full health=good plug=ac temp=327 volt=4274 current=0 ap_temp=32 pa_temp=32 heat=-0:"complex,common,complex" -nr_connected -wifi_ap -otg misc_event=0x0 online=3 current_event=0x40 txshare_event=0x0 charge=2845 modemRailChargemAh=0 wifiRailChargemAh=0 +running +wake_lock +mobile_radio +screen +plugged data_conn=lte phone_signal_strength=excellent brightness=dim +video +wifi +charging +ble_scan gps_signal_quality=good fg=u0a25:"com.domobile.applockwatcher"
+6h24m41s024ms (2) 100 fg=u0a356:"com.keeptruckin.android"
+6h24m41s024ms (2) 100 fg=u0a96:"com.tplink.weather"
+6h24m41s024ms (2) 100 top=u0a106:"com.sec.android.app.launcher"
First question, if you have analyzed this log in the past: are the reset time stamps in UTC or local? Based on other device data, it appears to be a local time stamp. Second, if the reset time stamps are local, I know the device was using the camera at +5h51m06s but it appears to be missing from the log. Best guess I have right now is the gap is due to the battery reaching FULL? Is this what you have seen in the past? Thoughts?? (edited)
ScottKjr3347
@Brigs @stark4n6 @CLB_joshhickman1 or any other Android ninjas, any chance someone could help me understand this gap (5h19m06s – 6h24m41s) in an Android 10 newbatterystats log: 0 (20) RESET:TIME: 2021-03-15-21-00-11 …. +5h18m59s414ms (2) 100 -wifi_scan +tmpwhitelist=u0a40:"broadcast:u0a40:com.google.android.location.reporting.ACTION_WIFI_SCAN_RESULTS" +5h19m06s425ms (2) 100 status=full +6h24m41s024ms (43) RESET:TIME: 2021-03-16-03-24-51 +6h24m41s024ms (2) 100 status=full health=good plug=ac temp=327 volt=4274 current=0 ap_temp=32 pa_temp=32 heat=-0:"complex,common,complex" -nr_connected -wifi_ap -otg misc_event=0x0 online=3 current_event=0x40 txshare_event=0x0 charge=2845 modemRailChargemAh=0 wifiRailChargemAh=0 +running +wake_lock +mobile_radio +screen +plugged data_conn=lte phone_signal_strength=excellent brightness=dim +video +wifi +charging +ble_scan gps_signal_quality=good fg=u0a25:"com.domobile.applockwatcher" +6h24m41s024ms (2) 100 fg=u0a356:"com.keeptruckin.android" +6h24m41s024ms (2) 100 fg=u0a96:"com.tplink.weather" +6h24m41s024ms (2) 100 top=u0a106:"com.sec.android.app.launcher" First question, if you have analyzed this log in the past: are the reset timestamps in UTC or local? Based on other device data, it appears to be a local timestamp. Second, if the reset timestamps are local, I know the device was using the camera at +5h51m06s but it appears to be missing from the log. Best guess I have right now is the gap is due to the battery reaching FULL? Is this what you have seen in the past? Thoughts?? (edited)
I've only looked at this on CTF images, but it's a very unexplored area with lots of information; still not sure how things get populated here either
👍 1
Anyone good at interpreting deleted SMS from an iPhone? I have multiple deleted SMS where all information except the counterpart (number) is decoded in PA. I have the number I'm almost sure it is, but I've done a hex search for that number and it can't be found. I know because we have got the information from the telecom provider
SectorZero 7/7/2022 4:39 AM
@jaikl try reprocessing and doing a deep carve with AppGenie. Was it with iMessage?
sholmes
Looking for a script to decode Reddit chats. They are pretty clear in the DB, but @Magnet Forensics isn't parsing them. I am loading it up in @Cellebrite PA now to see if it does anything with them. I can do the SQL query, but if someone already has it, I don't mind borrowing it. 🙂
Michael Paleshi 7/7/2022 5:43 AM
Good morning @sholmes - just wanted to ask a clarifying question. You're trying to decode DMs in reddit?
yes
5:43 AM
specifically chat.sqlite
sholmes
specifically chat.sqlite
Michael Paleshi 7/7/2022 5:45 AM
thanks for highlighting this. I'm going to go digging in our artifact backlog to see if this has been requested before.
No problem. It is a very straightforward DB, so it isn't an issue to decode on my end, but I was just being lazy at the end of my day yesterday. 🙂
sholmes
No problem. It is a very straightforward DB, so it isn't an issue to decode on my end, but I was just being lazy at the end of my day yesterday. 🙂
Michael Paleshi 7/7/2022 5:47 AM
I think you meant "wanted to efficiently use my time" at the end of my day yesterday 😄
🤣 1
Michael Paleshi
I think you meant "wanted to efficiently use my time" at the end of my day yesterday 😄
Yes that is exactly what I meant to type. LOLz
SectorZero 7/7/2022 6:40 AM
All, first time poster here so just want to say thanks up front. Already an outstanding resource. I have an issue where a recorded video was suspected to have been edited with an application (known app, just don't want to say here), the edited version was saved, and the original video was apparently deleted. The hex of the videos only tell me it was recorded with an iOS and which version (which matches the device). Looking in the photos.sqlite database none of the edited videos are assigned primary keys, and I don't know the original video file name or PK. KnowledgeC looks like it was overwritten with various system log files due to the time that has passed, App Usage timestamps don't match video creation dates. Any ideas how to draw the line between the edited videos found on the device and what file they came from?
SectorZero
All, first time poster here so just want to say thanks up front. Already an outstanding resource. I have an issue where a recorded video was suspected to have been edited with an application (known app, just don't want to say here), the edited version was saved, and the original video was apparently deleted. The hex of the videos only tell me it was recorded with an iOS and which version (which matches the device). Looking in the photos.sqlite database none of the edited videos are assigned primary keys, and I don't know the original video file name or PK. KnowledgeC looks like it was overwritten with various system log files due to the time that has passed, App Usage timestamps don't match video creation dates. Any ideas how to draw the line between the edited videos found on the device and what file they came from?
ScottKjr3347 7/7/2022 9:31 AM
I am happy to help if you would like. Contact me via DM to discuss details. Prior to messaging, please use my photos.sqlite query found on my GitHub. It will make question and answer a little bit easier. As it appears that you have a FFS, I would ask that you have the data processed with both Artex and iLEAPP along with any commercial tools that you might have access to.
Michael Paleshi
I think you meant "wanted to efficiently use my time" at the end of my day yesterday 😄
Do you, or anyone else from @Magnet Forensics have a second for a DM about this reddit artifact? (edited)
sholmes
Do you, or anyone else from @Magnet Forensics have a second for a DM about this reddit artifact? (edited)
Michael Paleshi 7/7/2022 9:56 AM
sure - send it my way!
FATHEAD7466 7/7/2022 10:29 AM
anyone @Cellebrite for chat? (edited)
👋 1
Looking for any assistance on determining the reasoning for the dates. This is a Cellebrite Advanced Logical/File System extraction of an iPhone. The "artwork" comes from a music file and the song was started approximately at the "created" time. What events would contribute to the "accessed" and "modified" times?
SectorZero
All, first time poster here so just want to say thanks up front. Already an outstanding resource. I have an issue where a recorded video was suspected to have been edited with an application (known app, just don't want to say here), the edited version was saved, and the original video was apparently deleted. The hex of the videos only tell me it was recorded with an iOS and which version (which matches the device). Looking in the photos.sqlite database none of the edited videos are assigned primary keys, and I don't know the original video file name or PK. KnowledgeC looks like it was overwritten with various system log files due to the time that has passed, App Usage timestamps don't match video creation dates. Any ideas how to draw the line between the edited videos found on the device and what file they came from?
JLindmar (83AR) 7/7/2022 10:56 AM
Did you conduct a keyword search across the dataset to see if there was anything responsive to the edited file's name? If not, you may find other information that is related to the edited file. Also, what about testing that version of the application to see what artifacts it creates?
JLindmar (83AR)
Did you conduct a keyword search across the dataset to see if there was anything responsive to the edited file's name? If not, you may find other information that is related to the edited file. Also, what about testing that version of the application to see what artifacts it creates?
Yes, keywords didn’t populate anything because the app renamed and prefixed it with its own naming convention. Testing is the next step but requires a step down in iOS and other stuff so if I get to that point, might be a good white paper. Thanks-
SectorZero
Yes, keywords didn’t populate anything because the app renamed and prefixed it with its own naming convention. Testing is the next step but requires a step down in iOS and other stuff so if I get to that point, might be a good white paper. Thanks-
JLindmar (83AR) 7/7/2022 11:03 AM
How did you do the keyword search? There are limitations depending on what tool was used and how it was done?
m.bates
Looking for any assistance on determining the reasoning for the dates. This is a Cellebrite Advanced Logical/File System extraction of an iPhone. The "artwork" comes from a music file and the song was started approximately at the "created" time. What events would contribute to the "accessed" and "modified" times?
JLindmar (83AR) 7/7/2022 11:58 AM
Presuming APFS, "Modified" should be the last time the file was modified, and "Accessed" the last time the file was read. See https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf In your case, something caused the file to be modified after it was created - this would be anything in the content of the file that changed. I'm in the process of looking at the ".protobuf" and ".opackCoder" files that are in my dataset to see if there is anything in them of use. You could do a timeline analysis to see what other activity occurred around that modified time? (edited)
JLindmar (83AR)
Presuming APFS, "Modified" should be the last time the file was modified, and "Accessed" the last time the file was read. See https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf In your case, something caused the file to be modified after it was created - this would be anything in the content of the file that changed. I'm in the process of looking at the ".protobuf" and ".opackCoder" files that are in my dataset to see if there is anything in them of use. You could do a timeline analysis to see what other activity occurred around that modified time? (edited)
Thanks...I will read through the APFS manual and poke around.
m.bates
Looking for any assistance on determining the reasoning for the dates. This is a Cellebrite Advanced Logical/File System extraction of an iPhone. The "artwork" comes from a music file and the song was started approximately at the "created" time. What events would contribute to the "accessed" and "modified" times?
CLB_iwhiffin 7/7/2022 1:04 PM
I just tested this for you as you have me interested. I opened Apple Music and started playing music by an artist. At that point, a new Session was created which included the Artwork file (file Creation). The image itself was related to the song that was playing. Moving to the next track changed the album art on my phone's screen. Reloading the Artwork file now showed the artwork for the second track. So I would say: Creation is the start of the session, when an Artwork is created; Modified is when a new album art was loaded due to the song change. (edited)
🔥 4
CLB_iwhiffin
I just tested this for you as you have me interested. I opened Apple Music and started playing music by an artist. At that point, a new Session was created which included the Artwork file (file Creation). The image itself was related to the song that was playing. Moving to the next track changed the album art on my phone's screen. Reloading the Artwork file now showed the artwork for the second track. So I would say: Creation is the start of the session, when an Artwork is created; Modified is when a new album art was loaded due to the song change. (edited)
Thanks for testing that, great info...that is my next step. I was concerned because there was no new "artwork" created as if a new song started playing. I am going to test to see if the screen locks while playing, then when it is unlocked...the artwork is brought up again and the Modified time change at that point.
m.bates
Thanks for testing that, great info...that is my next step. I was concerned because there was no new "artwork" created as if a new song started playing. I am going to test to see if the screen locks while playing, then when it is unlocked...the artwork is brought up again and the Modified time change at that point.
CLB_iwhiffin 7/7/2022 1:08 PM
I can test that for you while I'm at it. Give me a moment or two.
CLB_iwhiffin
I can test that for you while I'm at it. Give me a moment or two.
CLB_iwhiffin 7/7/2022 1:14 PM
Being locked makes no difference. The file is still downloaded/saved/updated as if the device is unlocked. (Assuming the player widget is on screen showing the album art) Unlocking the device makes no difference; the file timestamp was updated while the device was locked and is unchanged when unlocked.
CLB_iwhiffin
Being locked makes no difference. The file is still downloaded/saved/updated as if the device is unlocked. (Assuming the player widget is on screen showing the album art) Unlocking the device makes no difference; the file timestamp was updated while the device was locked and is unchanged when unlocked.
Okay, thanks. I will have to do some testing because the Modified Time occurs at a sensitive time for this investigation.
CLB_iwhiffin
I just tested this for you as you have me interested. I opened Apple Music and started playing music by an artist. At that point, a new Session was created which included the Artwork file (file Creation). The image itself was related to the song that was playing. Moving to the next track changed the album art on my phone's screen. Reloading the Artwork file now showed the artwork for the second track. So I would say: Creation is the start of the session, when an Artwork is created; Modified is when a new album art was loaded due to the song change. (edited)
JLindmar (83AR) 7/7/2022 1:45 PM
So does the modified time align with the creation time of the next played song and associated created artwork; or are you saying that the artwork is redownloaded (hence the updated modified time) based on certain activity? (edited)
m.bates
Thanks for testing that, great info...that is my next step. I was concerned because there was no new "artwork" created as if a new song started playing. I am going to test to see if the screen locks while playing, then when it is unlocked...the artwork is brought up again and the Modified time change at that point.
JLindmar (83AR) 7/7/2022 2:05 PM
You might take a look at /Documents/PlaybackEventStreams/Music.sqlpkg/Database if you have that in the location of the artwork. It looks to have activity events.
JLindmar (83AR)
You might take a look at /Documents/PlaybackEventStreams/Music.sqlpkg/Database if you have that in the location of the artwork. It looks to have activity events.
I will take a look. I won’t be back to the lab until tomorrow morning. Thanks for the help though.
JLindmar (83AR)
So does the modified time align with the creation time of the next played song and associated created artwork; or are you saying that the artwork is redownloaded (hence the updated modified time) based on certain activity? (edited)
CLB_iwhiffin 7/7/2022 3:29 PM
Looks like a session starts and a new “session” folder is created with a bunch of files, including a file called “artwork” which is the album art for the first track. When the next track starts, the album art for the track is downloaded and saved in place of the original artwork. The file isn’t new, hence the creation date doesn’t change, but the contents are effectively cleared and rewritten with the new data. If this is particularly useful I can document it properly tomorrow.
CLB_iwhiffin
Looks like a session starts and a new “session” folder is created with a bunch of files, including a file called “artwork” which is the album art for the first track. When the next track starts, the album art for the track is downloaded and saved in place of the original artwork. The file isn’t new, hence the creation date doesn’t change, but the contents are effectively cleared and rewritten with the new data. If this is particularly useful I can document it properly tomorrow.
I will be taking a closer look at this tomorrow now that you pointed me in the right direction. No need to waste your time documenting it at this point. Thank You very much though!
sholmes
Looking for a script to decode Reddit chats. They are pretty clear in the DB, but @Magnet Forensics isn't parsing them. I am loading it up in @Cellebrite PA now to see if it does anything with them. I can do the SQL query, but if someone already has it, I don't mind borrowing it. 🙂
If the database is like you describe it, could XAMN's manual database parser be an option to try?
Hello to all, I have a FFS extracted from an iPhone 11 Pro, iOS 14.3, and its keychain in kml version. I extracted it with Elcomsoft IOFT. I have the Wickr Me application in version 5.68.7 but I don't have the password to decode it with @Cellebrite UFED PA. I wanted to use @Magnet Forensics Axiom with the private key present in the keychain but it doesn't work (maybe I failed). Would anyone have a solution to decode the content of Wickr Me messages?
ScottKjr3347
I am happy to help if you would like. Contact me via DM to discuss details. Prior to messaging, please use my photos.sqlite query found on my GitHub. It will make question and answer a little bit easier. As it appears that you have a FFS, I would ask that you have the data processed with both Artex and iLEAPP along with any commercial tools that you might have access to.
SectorZero 7/8/2022 4:10 AM
I figured out the videos most likely never touched DCIM, so there is no entry in the sqlite or PK, so that was a few days of wasted effort. Thanks for reaching out though-
SectorZero
I figured out the videos most likely never touched DCIM, so there is no entry in the sqlite or PK, so that was a few days of wasted effort. Thanks for reaching out though-
ScottKjr3347 7/8/2022 5:44 AM
Sorry that you feel that your efforts were wasted. I’m still willing to help you test your theory if you would be willing to dm details that haven’t been shared on the public board. There is only so much we can help with by only knowing limited information. If you could provide application names and file paths for the files you are analyzing maybe someone has already analyzed the same information you are working with.
King Pepsi 7/8/2022 5:47 AM
Always a first for everything; just had my first phone where the path is com.Microsoft.emmx\cache. This is for the Microsoft Edge browser in case anyone encounters it!
👍 1
MSAB_Sofia
If the database is like you describe it, could XAMN's manual database parser be an option to try?
Thanks for your reply. It probably would, and I had not thought to try your tool. I had it loaded in @Cellebrite PA and was able to use their tool to extract everything. However, I was specifically looking at creating a @Magnet Forensics artifact since that was my main reporting tool. I could use the SQL query to see my results through Axiom, but I was having a hard time extracting the results. However, they did create an artifact for iOS Reddit which will be released to their artifact exchange soon.
Mistercatapulte 7/8/2022 6:08 AM
Hi guys, I have a Huawei Android 9 for which I made an FFS, and I would like to know the movements of the device over a given period. Over this period, referring to the HERREVAD database as well as the one contained in com.google.android.apps.maps, I find only one cell tower, the place around which the facts took place. Is there another database that references the movements on this type of device? One small precision: the facts are from 2018; the device was used until the end of 2020. Thank you in advance for your feedback. (edited)
CLB_iwhiffin
Looks like a session starts and a new “session” folder is created with a bunch of files, including a file called “artwork” which is the album art for the first track. When the next track starts, the album art for the track is downloaded and saved in place of the original artwork. The file isn’t new, hence the creation date doesn’t change, but the contents are effectively cleared and rewritten with the new data. If this is particularly useful I can document it properly tomorrow.
JLindmar (83AR) 7/8/2022 7:50 AM
Thanks. I was conflating "track" and "session" so now it makes sense to me.
Hi, anyone know how to create a logarchive file on iOS 11.3 (same as macOS 10.13) after extracting files from the diagnostic and uuidtext directories? It's the old method and I can only find the new method?
10:51 AM
@Mistercatapulte pm
thatboy_leo 7/8/2022 1:36 PM
Has anyone been able to find the option to verify hash in PA Ultra 8.1?
1:36 PM
I can see the SHA256 in PA 7.56 but same extraction just says the hash is verified but no hash value
rico
Hi, anyone know how to create a logarchive file on iOS 11.3 (same as macOS 10.13) after extracting files from the diagnostic and uuidtext directories? It's the old method and I can only find the new method?
I found this page... with problems between versions of macOS 😕 http://www.mac4n6.com/blog/tag/log
thatboy_leo
I can see the SHA256 in PA 7.56 but same extraction just says the hash is verified but no hash value
SectorZero 7/9/2022 1:05 AM
Can you open the ufd with notepad? Might show it there
Hi guys. How do I get the pattern lock from a Samsung S7 SM-G930 running Android 7 Nougat /G930FXXS1DQIM/? I can do an FFS extraction but I need to decode the pattern lock. UFED or Oxygen doesn't recover the pattern lock. Is there any option to get the user pattern lock? I have a few more pieces of evidence where I need the user pattern lock. Thank you @Cellebrite
It's hardware-backed Gatekeeper; you don't get the pattern from it 😉
Arcain
It's hardware-backed Gatekeeper; you don't get the pattern from it 😉
Is there any way to do a live brute force? UFED and Oxygen had an option to brute-force some Samsung devices.
No forensic tool supports this as far as I know; you'd have to find a way on your own
12:38 PM
UFED and Oxygen support some Samsung phones with FDE when Secure Startup is enabled
12:38 PM
but won't do the brute force if Secure Startup is off
thatboy_leo
Has anyone been able to find the option to verify hash in PA Ultra 8.1?
I thought I saw a toggle in the options. Or maybe during the step when loading an extraction?
I'm hitting my head on a wall in trying to explain the concept of mobile timestamps. I understand that Apple time stamps are the number of seconds since 1/1/2001 and if I input the hex into dcode it converts properly. What I'm trying to explain is how dcode converts the hex. I know I'm just missing a conversion somewhere. The hex value: 41C23C7333C93709 Converts to decimal: 4738416223434913545 If I input the decimal into a Cocoa Core Data converter I wind up with the nanosecond output which is wrong since it shows the date being 2051. What is Dcode doing to interpret the decimal number as seconds? Is it just dropping a decimal somewhere?
9:46 AM
9:46 AM
the top result is correct. I'm just trying to explain to a layperson how it arrives at this result
9:47 AM
the nanosecond result in dcode is correct. 4738416223434913545 converts to that in CCD
9:47 AM
just trying to explain the missing link there
I guess what I'm asking is what is the value of 41C23C7333C93709 that is the number of seconds since 1/1/2001
10:05 AM
like what is that number of seconds
10:08 AM
I know the number of seconds is: 611,903,079. So where is that found in the hex or am I wrapping my brain around the totally wrong thing
Beefhelmet
the top result is correct. I'm just trying to explain to a layperson how it arrives at this result
You know for certain that 2020-05-23 is the correct time? I ask because I tried multiple different methods of inputting the timestamp (hex and numerical interpreted in both little and big endian) and I do not know where DCode is getting that time from. (I have attached images of my results.) The only time I get 2020-05-23 is using DCode v5 with the hex value interpreted as big endian. If I convert to decimal and then manually calculate the number of years (from nanoseconds) the number you get is +150 years, giving the 2151 output. Little endian gives a consistent and reasonable answer of January 2022 for both decimal and hex.
Yes that's exactly the issue I'm running into
10:59 AM
somewhere there's some math happening because if I calculate the number of seconds between the origin date and the date of the timestamp I get a value that gives me 1/1/2001
11:00 AM
if I put that value into a Mac absolute time converter
Beefhelmet
I'm hitting my head on a wall in trying to explain the concept of mobile timestamps. I understand that Apple time stamps are the number of seconds since 1/1/2001 and if I input the hex into dcode it converts properly. What I'm trying to explain is how dcode converts the hex. I know I'm just missing a conversion somewhere. The hex value: 41C23C7333C93709 Converts to decimal: 4738416223434913545 If I input the decimal into a Cocoa Core Data converter I wind up with the nanosecond output which is wrong since it shows the date being 2051. What is Dcode doing to interpret the decimal number as seconds? Is it just dropping a decimal somewhere?
CLB_joshhickman1 7/11/2022 11:00 AM
I believe the hex value is stored as a double.
The correct date is 5/23/2020 at 0504
CLB_joshhickman1
I believe the hex value is stored as a double.
CLB_joshhickman1 7/11/2022 11:01 AM
So a double-precision floating point.
So basically it's a separate conversion. Alright, well then I don't think I'm going to have to explain all that
11:06 AM
All I have to do is state that the hex is correct as interpreted by the filesystem and the date is accurate
JLindmar (83AR) 7/11/2022 11:11 AM
@CLB_joshhickman1 is correct. Use this to calculate the hexadecimal to decimal (not rounded, double): https://babbage.cs.qc.cuny.edu/IEEE-754.old/64bit.html 41C23C7333C93709 = 611903079.57199200 Which is what DCode is doing. You can verify by inputting the decimal value into DCode as numeric. (edited)
amazing. Thanks so much.
11:27 AM
Yeah I cross checked it and it comes back correct
@CLB_joshhickman1 or @JLindmar (83AR) Out of curiosity, do you know if all timestamps stored by iOS are stored as double precision? edit: I was editing to make a comment about how it may not be iOS; fivethirty confirmed it is iOS as I was typing (edited)
Yes this is within iOS
11:37 AM
well at least my usecase is
11:44 AM
if you're interested:
11:45 AM
11:45 AM
this is the hex view of the mobilesafari.plist
11:46 AM
you can see the search term in the ASCII and the stuff highlighted in the black is the timestamp
11:47 AM
that timestamp is where my questions came from because if you look at the plain text in the file format viewer the value is all wrong and I was trying to figure out how to validate it
11:47 AM
11:48 AM
the date is right but the timestamp isn't which I was concerned would bring up a defense argument (edited)
11:48 AM
which is why I ended up trying to dig out out to validate incase a discrepancy get's brought up
11:49 AM
to confirm where cellebrite got this timestamp from:
11:49 AM
11:50 AM
anyways thanks a bunch for ya'lls help that cleared all that up for me
11:51 AM
the tool reported it accurately
Carcino
@CLB_joshhickman1 or @JLindmar (83AR) Out of curiosity, do you know if all timestamps stored by iOS are stored as double precision? edit: I was editing to make a comment about how it may not be iOS; fivethirty confirmed it is iOS as I was typing (edited)
JLindmar (83AR) 7/11/2022 12:12 PM
AFAIK not at the file system (inode) level, but I have seen them in plists and SQLite databases.
JLindmar (83AR)
AFAIK not at the file system (inode) level, but I have seen them in plists and SQLite databases.
CLB_joshhickman1 7/11/2022 12:18 PM
That’s been my experience, too.
Beefhelmet
Yes this is within iOS
JLindmar (83AR) 7/11/2022 12:29 PM
The three screenshots you posted are for two different values, correct (the strings are different)? The hex for the timestamp in the first screenshot decodes to match what is in the third, but the second screenshot is for a different string/date pair. You could always run the plist through "plutil" on PC or "Xcode" on Mac to additionally verify the content/conversions. Nice work verifying it manually! (edited)
JLindmar (83AR)
The three screenshots you posted are for two different values, correct (the strings are different)? The hex for the timestamp in the first screenshot decodes to match what is in the third, but the second screenshot is for a different string/date pair. You could always run the plist through "plutil" on PC or "Xcode" on Mac to additionally verify the content/conversions. Nice work verifying it manually! (edited)
Yeah the strings in the plist are iffy. There are multiple duplicate entries and the date/times are a bit messed up due to entries being deleted. I'm not sure where the conflicting time comes from. I'm going to run the plist like you said and try to figure out what's going on there. At the moment I'm just relying on what's in the hex to build a timeline of events based on the evidence from the phone and trying to eliminate the outliers. But I eventually have to figure out why I can say one date/time is correct and the other is not. Could just be something to do with when the dictionary was backed up/updated maybe
@Cellebrite Someone for a question with PA ?
@Cellebrite Hi, can you help me with the Google Translate app in iOS and a timestamp? I have a deleted entry that has a timestamp in PA 7.56 (doesn't exist in PA 8 btw) but I cannot figure out where the timestamp comes from. I can retrieve the text in the hex viewer but don't know where to find the related timestamp.
Nutelap
@Cellebrite Someone for a question with PA ?
CLB_iwhiffin 7/12/2022 4:21 AM
Hi, How can I help?
Dam
@Cellebrite Hi, can you help me with the Google Translate app in iOS and a timestamp? I have a deleted entry that has a timestamp in PA 7.56 (doesn't exist in PA 8 btw) but I cannot figure out where the timestamp comes from. I can retrieve the text in the hex viewer but don't know where to find the related timestamp.
CLB_iwhiffin 7/12/2022 4:38 AM
Google Translate is a relatively new parser and PA8 is currently aligned with PA7.54 (I believe) in terms of parsers. The database behind Google Translate is simple; if you are able to view it in DB View then you will see the time. Assuming that the record is carved and cannot be viewed in DB, it's the first field in the data. You should be able to find the source and target language (en and es in my image) and then work backwards 4 bytes to find the UNIX timestamp
JLindmar (83AR)
@CLB_joshhickman1 is correct. Use this to calculate the hexadecimal to decimal (not rounded, double): https://babbage.cs.qc.cuny.edu/IEEE-754.old/64bit.html 41C23C7333C93709 = 611903079.57199200 Which is what DCode is doing. You can verify by inputting the decimal value into DCode as numeric. (edited)
CLB_iwhiffin 7/12/2022 4:41 AM
A tool like HXD will also calculate the double for you, you just need to scroll down the inspector a little bit.
CLB_iwhiffin
Hi, How can I help?
I have an extraction received from CAS of an iPhone 8. The device has the Signal app; the database was in the files but the app is not detected and therefore not parsed
4:42 AM
Is there a way to show the path to PA?
Beefhelmet
well at least my usecase is
CLB_iwhiffin 7/12/2022 4:43 AM
I'll look into this...
CLB_iwhiffin
A tool like HXD will also calculate the double for you, you just need to scroll down the inspector a little bit.
JLindmar (83AR) 7/12/2022 4:48 AM
As will X-Ways, but the webpage I linked shows you how it is calculated.
CLB_iwhiffin
Google Translate is a relatively new parser and PA8 is currently aligned with PA7.54 (I believe) in terms of parsers. The database behind Google Translate is simple; if you are able to view it in DB View then you will see the time. Assuming that the record is carved and cannot be viewed in DB, it's the first field in the data. You should be able to find the source and target language (en and es in my image) and then work backwards 4 bytes to find the UNIX timestamp
GREAT!!! thanks for that info. It's exactly what I need.
JLindmar (83AR)
As will X-Ways, but the webpage I linked shows you how it is calculated.
CLB_iwhiffin 7/12/2022 4:56 AM
Which is awesome. I just thought I'd mention 🙂
Hi, I am installing UFED Physical Analyzer 8.1 and it says that I have Pathfinder and cannot install. Does anybody know why this is?
mdogilvie
Hi, I am installing UFED Physical Analyzer 8.1 and it says that I have Pathfinder and cannot install. Does anybody know why this is?
CLB_iwhiffin 7/12/2022 1:25 PM
There is a value in your registry that Ultra thinks is related to PF (but it appears it may not solely be). If you delete the node at HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cellebrite\Analytics and try again you should be good
Thanks a lot I’ll give it a try
1:27 PM
THIS SERVER RULES
CLB_iwhiffin
There is a value in your registry that Ultra thinks is related to PF (but it appears it may not solely be). If you delete the node at HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cellebrite\Analytics and try again you should be good
nachito 4n6s 7/12/2022 1:56 PM
Same thing happened here. Thank you 👍
@Nutelap @CLB_iwhiffin these DBs are encrypted. The key is in the Keychain. If you don't specify it at the beginning of your decoding, you don't have any info
rico
@Nutelap @CLB_iwhiffin these DBs are encrypted. The key is in the Keychain. If you don't specify it at the beginning of your decoding, you don't have any info
Yeah, the key is known; that's just a conversation parsing issue. The data is decrypted in another place as usual
Mistercatapulte 7/13/2022 4:08 AM
@Nutelap and remake the dump, no?
4:09 AM
if possible, i always remake the dump done from Trevor or GK
Mistercatapulte
@Nutelap and remake the dump, no?
Yes, I had tried; same results, Signal stays in native messages. It's not the best configuration for the analyst team but anyway
Mistercatapulte 7/13/2022 4:13 AM
what is the Signal version?
Quick hypothetical for our lovely application Snapchat: you get an extraction report showing a photo is located in the /dcim/snapchat folder as snapchat-0000000.jpg. This is the only data recovered with regards to Snapchat. Would only photos that are taken using the Snapchat camera be placed in the folder, or would photos you save and download to the phone be placed in there as well?
dinosaurdave 7/13/2022 6:33 AM
Photos saved from the Snapchat application would be stored there, for example exporting an image from your saved Snapchats
That's what I figured just needed a second opinion as I can't do a test atm. Thank you
Hey all, I've got a juvenile trafficking case with Mr. Pimp, Ms. Pimp, and the Victim. On our seized iPhone 12 Pro Max, there are iMsgs which have 3 entries as "From" and none as "To" or received. Two of the entries are phone numbers and one is an AppleID. I think they are using at least three separate devices signed into the same AppleID, but I'm not sure and I'm not sure how to verify that. The actual conversation in the messages is all sent (none received), but it's clear there are three different people in the thread. Any thoughts?
10:49 AM
Also, there are contacts listed which are named after MrPimp and MsPimp, but it is clear each of those contacts is being used by more than one person.
JayB1rd
Hey all, I've got a juvenile trafficking case with Mr. Pimp, Ms. Pimp, and the Victim. On our seized iPhone 12 Pro Max, there are iMsgs which have 3 entries as "From" and none as "To" or received. Two of the entries are phone numbers and one is an AppleID. I think they are using at least three separate devices signed into the same AppleID, but I'm not sure and I'm not sure how to verify that. The actual conversation in the messages is all sent (none received), but it's clear there are three different people in the thread. Any thoughts?
Could you serve a warrant to Apple requesting machine cookies or other device identifying info for all devices logged into that Apple ID?
That's one of the recs I made to the investigator. Hopefully that sheds some light on it, but I was hoping to find something helpful on the device we do have.
JayB1rd
That's one of the recs I made to the investigator. Hopefully that sheds some light on it, but I was hoping to find something helpful on the device we do have.
I just had an idea. Could you check the InteractionC and sent and received data at the times of the messages to determine (A) If the messaging app was even open or if the phone was locked or unlocked, etc. and/or (B) If the phone was sending or receiving data? The (B) option might be a bit of a stretch, but hopefully InteractionC will yield good results.
FullTang
I just had an idea. Could you check the InteractionC and sent and received data at the times of the messages to determine (A) If the messaging app was even open or if the phone was locked or unlocked, etc. and/or (B) If the phone was sending or receiving data? The (B) option might be a bit of a stretch, but hopefully InteractionC will yield good results.
Good ideas. I'll give that a try and see what I find.
@Cellebrite Getting an error which is making me unable to open Physical Analyzer 8 ever since install, anyone available?
3X3
@Cellebrite Getting an error which is making me unable to open Physical Analyzer 8 ever since install, anyone available?
CLB_iwhiffin 7/14/2022 6:15 AM
What is the error?
@Cellebrite I think there might be an issue with PA 7.56 as I’ve got a Galaxy Note 9 physical image but it’s not decoding the Edge browser databases automatically and a lot of evidential data is in there that needs to be extracted. Can you assist?
CLB_iwhiffin
What is the error?
"Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information."
Adam Cervellone 7/14/2022 6:26 AM
Good morning all! I have a general @Magnet Forensics Axiom question. Does the global date/time filter work off of UTC regardless of what timezone the case is set to? I have an iPhone GK extraction with the device set UTC-5 and all the relevant data occurs between 10AM-12PM on a particular day. I know the data is there and is logged with correct local timestamps but when using the global date/time filter none of what I am interested in is returned. When my search is 3PM - 5PM then all of a sudden the artifacts I am interested in are returned. Is this normal?
Adam Cervellone
Good morning all! I have a general @Magnet Forensics Axiom question. Does the global date/time filter work off of UTC regardless of what timezone the case is set to? I have an iPhone GK extraction with the device set UTC-5 and all the relevant data occurs between 10AM-12PM on a particular day. I know the data is there and is logged with correct local timestamps but when using the global date/time filter none of what I am interested in is returned. When my search is 3PM - 5PM then all of a sudden the artifacts I am interested in are returned. Is this normal?
cScottVance 7/14/2022 6:38 AM
Checking with our dev folks now to get the specifics and will report back when done!
cScottVance
Checking with our dev folks now to get the specifics and will report back when done!
Adam Cervellone 7/14/2022 7:11 AM
Thank you! Also is there a way that I can bookmark a specific row from one of the tables in KnowledgeC?
dinosaurdave 7/14/2022 7:24 AM
Question for @Cellebrite - a colleague found PA was not classifying .flv files as video files, and as a result they were not being exported for Griffeye Analyze. I am not in a position to test currently, but can this be fixed simply by adding *.flv to the Videos section of the Data Files options?
Yes, you can check in the settings and adjust as you need: add based on extension or even headers
dinosaurdave 7/14/2022 7:29 AM
Do I need to add in the extension and signature header, or will just the extension suffice?
Adam Cervellone
Good morning all! I have a general @Magnet Forensics Axiom question. Does the global date/time filter work off of UTC regardless of what timezone the case is set to? I have an iPhone GK extraction with the device set UTC-5 and all the relevant data occurs between 10AM-12PM on a particular day. I know the data is there and is logged with correct local timestamps but when using the global date/time filter none of what I am interested in is returned. When my search is 3PM - 5PM then all of a sudden the artifacts I am interested in are returned. Is this normal?
chriscone_ar 7/14/2022 7:35 AM
@Adam Cervellone There's not a way to tag one of the individual records in the SQLite viewer. If what you've located in KnowledgeC (or any sqlite database) is not shown in the Artifacts Explorer, what I typically do is tag that database in the File System Explorer and then add a comment to the tag indicating the table and record ID of interest so it's easy to find later. (edited)
Adam Cervellone
Thank you! Also is there a way that I can bookmark a specific row from one of the tables in KnowledgeC?
cScottVance 7/14/2022 7:53 AM
Quick question, are you using an absolute or a relative time filter for this search?
cScottVance
Quick question, are you using an absolute or a relative time filter for this search?
Adam Cervellone 7/14/2022 8:07 AM
Relative time
Adam Cervellone
Relative time
cScottVance 7/14/2022 8:16 AM
We have identified a bug with relative time filters when timezones are applied unfortunately. This is why your results are not showing up. Apologies for the issue and we're tracking a fix internally now.
Adam Cervellone 7/14/2022 8:20 AM
Great, thank you!
Has anyone had an issue with PA Ultra (8.1.0.7) not opening the 'Images' category correctly? The 'Gallery' view works but 'Table' and 'Thumbnail' views are empty.
Hello, after updating Physical Analyzer to 7.56, when I load a UFED extraction it does not show the data analysis. Has this happened to anyone?
4:24 AM
The timeline is not active. Neither does data analysis.
Sherlock
Hello, after updating Physical Analyzer to 7.56, when I load a UFED extraction it does not show the data analysis. Has this happened to anyone?
nachito 4n6s 7/15/2022 7:29 AM
Same thing happened to a coworker. Anyone from @Cellebrite available?
👋 1
Corey
Has anyone had an issue with PA Ultra (8.1.0.7) not opening the 'Images' category correctly? The 'Gallery' view works but 'Table' and 'Thumbnail' views are empty.
CLB_iwhiffin 7/15/2022 7:51 AM
Check for filters - specifically remove all filters (Including the Known Files filter)
Sherlock
Hello, after updating Physical Analyzer to 7.56, when I load a UFED extraction it does not show the data analysis. Has this happened to anyone?
CLB_iwhiffin 7/15/2022 7:52 AM
DM me as I will need some more information
CLB_iwhiffin
DM me as I will need some more information
I tested opening an old extraction with PA 7.56; no problems happened. But when I open a UFED 7.56 extraction I have this bug
Corey
Has anyone had an issue with PA Ultra (8.1.0.7) not opening the 'Images' category correctly? The 'Gallery' view works but 'Table' and 'Thumbnail' views are empty.
Had the same issue. But there is version 8.1.0.12; I think it works better
burgers_N_bytes 7/16/2022 6:36 PM
Before I start my own testing has anyone encountered activity type “com.google.GoogleMobile.Siri.search” in knowledgeC. I’m implying it obviously has something to do with a user utilizing Siri. Would the search terms be stored somewhere else? Any thoughts are helpful.
Hi, I tried to find the explanation of some media used in Telegram according to their path. My personal test was done on a Xiaomi with Android 12... and the phone analyzed is a Huawei with Android 9. I don't have time to do more tests. Therefore, can the paths and my findings be generalized? Do any of you have more information?
4:50 AM
/storage/emulated/0/Android/data/org.telegram.messenger/files/Pictures: recorded from a channel
/storage/emulated/0/Movies/Telegram: saved from a channel and the filename represents the timestamp of the download
/storage/emulated/0/Pictures/Telegram: saved from a channel and the filename represents the timestamp of the download
/storage/emulated/0/Android/media/org.telegram.messenger/Telegram/Telegram Images: sending pictures
/storage/emulated/0/Android/data/org.telegram.messenger/cache/sharing: video sent (and timestamp = date sent)
/storage/emulated/0/Android/data/org.telegram.messenger/files/Telegram/Telegram Video: cache, send, available or consulted (many possibilities, interaction not necessarily wanted)
4:53 AM
I specify that I did not have an advanced logical ... FFS impossible (edited)
@Cellebrite is there a known issue where Safari isn't properly decoded from GK iOS extractions? I'm stuck for 4 days now and tried on 7.56 and 8.x
B
@Cellebrite is there a known issue where Safari isn't properly decoded from GK iOS extractions? I'm stuck for 4 days now and tried on 7.56 and 8.x
standby checking
Just curious if anyone else is experiencing PA 7.56 crashing when you try to search a plist file using the File Format viewer?
MrMacca (Allan Mc) 7/18/2022 8:02 AM
@Magnet Forensics I'm trying to export Outlook emails from an Android extraction using the 'Export Outlook emails to PST' option. On completion of the export, it appears to lose the sender's email and only contain the sender's name. I've looked to see if there is a way to generate a custom report, but I'm not coming up with anything. Is this a limitation of that export option or is there a better method to go about it?
MrMacca (Allan Mc)
@Magnet Forensics I'm trying to export Outlook emails from an Android extraction using the 'Export Outlook emails to PST' option. On completion of the export, it appears to lose the sender's email and only contain the sender's name. I've looked to see if there is a way to generate a custom report, but I'm not coming up with anything. Is this a limitation of that export option or is there a better method to go about it?
Michael Paleshi 7/18/2022 8:27 AM
good afternoon @MrMacca (Allan Mc) - let me consult with some folks here and see if I can't get you an answer.
MrMacca (Allan Mc) 7/18/2022 8:29 AM
@Michael Paleshi Thanks a lot, much appreciated.
MrMacca (Allan Mc)
@Michael Paleshi Thanks a lot, much appreciated.
Michael Paleshi 7/18/2022 8:29 AM
my pleasure.
Little4n6Fox 7/19/2022 7:08 AM
I have a data extraction from an iPhone 7 Plus. In this extraction I can see that the suspect wears an Apple Watch. Is it possible to see if the suspect slept with the Apple Watch? Or, put another way, that he did not wear the watch while he slept? (edited)
Little4n6Fox
I have a data extraction from an iPhone 7 Plus. In this extraction I can see that the suspect wears an Apple Watch. Is it possible to see if the suspect slept with the Apple Watch? Or, put another way, that he did not wear the watch while he slept? (edited)
If you have a full file system extraction of the iPhone 7 you should have health data. If you know the suspect's sleep schedule you should be able to check to see if there is any recorded activity during that timeframe.
FullTang
If you have a full file system extraction of the iPhone 7 you should have health data. If you know the suspect's sleep schedule you should be able to check to see if there is any recorded activity during that timeframe.
Little4n6Fox 7/19/2022 10:43 PM
I do not have a Full File System. I cannot disable the lock code. If I click on disable, nothing happens. A data extraction with UFED4PC with the lock code enabled does not work in this case. I tried it a few times. Is there something that I can do better? So I need a FFS for this information?
DeeFIR 🇦🇺 7/19/2022 11:00 PM
@Little4n6Fox which version of iOS?
11:02 PM
You can pull the health database from an encrypted iTunes backup, but you should also be able to get a FFS with UFED using checkm8.
DeeFIR 🇦🇺
@Little4n6Fox which version of iOS?
Little4n6Fox 7/19/2022 11:06 PM
iOS 15.5. I get an error when trying to extract via checkm8 and UFED. Sometimes it works when I disable the passcode, but that also does not work. I do not know why. When I try to disable it, nothing happens
DeeFIR 🇦🇺 7/19/2022 11:09 PM
You need to delete the enrolled cards if you want to disable the passcode (if you're doing it offline). But why do you want to remove the passcode? (edited)
Little4n6Fox 7/19/2022 11:23 PM
Lately, all the iOS devices I try to extract with FFS do not work when the passcode is enabled. The only chance to extract data was to disable the passcode. The 4PC also gives the hint to disable it. If there is another way, please let me know.
DeeFIR 🇦🇺 7/19/2022 11:35 PM
You don't have to disable the passcode for a simple iTunes backup/logical extraction (I'm not talking about a full file system extract via checkm8). The health database is acquired when you perform an encrypted iOS/iTunes backup. Have a look at the APOLLO modules. https://www.mac4n6.com/blog/2018/12/15/on-the-second-day-of-apollo-my-true-love-gave-to-me-holiday-treats-and-a-trip-to-the-gym-a-look-at-ios-health-data
Little4n6Fox 7/19/2022 11:54 PM
Oh okay. Sorry. I misunderstood you. I thought you meant FFS. Thank you for your kind help
11:57 PM
I will take a look in my extractions. Thank you very much
Hey folks, a question for the "Snapchat analysts": we have gathered data from an iPhone with special interest in Snapchat. We have most of the transmitted videos, but since all chats are missing we have trouble connecting them to the contacts. Looking at the data path we have noticed that they seem to be different, but we have not yet identified the specific section of the data path which would link them to the chat counterpart. Does someone have any advice?
@Cellebrite we have videos that have been sent in Facebook Messenger. The chat shows that the video has been forwarded by a chat participant. PA has decoded four entities of the video. The paths are more or less identical except the last section with one saying attachment redirect. Is this linked to the video being forwarded?
Little4n6Fox
I do not have a Full File System. I cannot disable the lock code. If I click on disable, nothing happens. A data extraction with UFED4PC with the lock code enabled does not work in this case. I tried it a few times. Is there something that I can do better? So I need a FFS for this information?
As suggested above, Health data can be extracted from a usual backup (but only if it has the password set). In the meantime, we are almost done with an improvement of checkm8 for iPhone 7 running iOS 15, so you will be able to get FFS without prior removal of the passcode.
Bill (VeriFi) 7/20/2022 6:41 AM
Anyone done a deep dive into iOS CoreAudio's plists? I have an iPhone X on 15.3 that created/modified/accessed a coreaudio.plist for the headphone safety function immediately before a fatal crash. Just wondering why this plist was created at that time. The actual device does not show the Headphone Safety function turned on.
Bill (VeriFi)
Anyone done a deep dive into iOS CoreAudio's plists? I have an iPhone X on 15.3 that created/modified/accessed a coreaudio.plist for the headphone safety function immediately before a fatal crash. Just wondering why this plist was created at that time. The actual device does not show the Headphone Safety function turned on.
JLindmar (83AR) 7/20/2022 9:24 AM
Do you know if there are any headphone notifications in the health data that are around that time? Also, what does "com.apple.coreaudio.device.plist" show for "HAENFeatureMandatory"? (edited)
burgers_N_bytes
Before I start my own testing has anyone encountered activity type “com.google.GoogleMobile.Siri.search” in knowledgeC. I’m implying it obviously has something to do with a user utilizing Siri. Would the search terms be stored somewhere else? Any thoughts are helpful.
JLindmar (83AR) 7/20/2022 9:33 AM
Are/were any Google apps (e.g. Google Voice) installed that could utilize Siri? Perhaps check "private/var/mobile/Library/Biome/streams/public/AppIntent" (https://bluecrewforensics.com/2022/03/07/ios-app-intents/).
JLindmar (83AR)
Do you know if there are any headphone notifications in the health data that are around that time? Also, what does "com.apple.coreaudio.device.plist" show for "HAENFeatureMandatory"? (edited)
Bill (VeriFi) 7/20/2022 9:57 AM
HAENFeatureMandatory is "false". I just finished testing and I have figured it out. When I turn the feature on (noise reduction and notifications) a new plist is created with those attributes. When I turned it off, a new plist was created reflecting those attributes.
Bill (VeriFi)
HAENFeatureMandatory is "false". I just finished testing and I have figured it out. When I turn the feature on (noise reduction and notifications) a new plist is created with those attributes. When I turned it off, a new plist was created reflecting those attributes.
JLindmar (83AR) 7/20/2022 10:12 AM
Nice! Makes sense.
anyone notice a lack of a date in purplebuddy for the guessed country recently? 2 recent extractions I noticed this in, my most current one is iOS 15.5
We have a Forerunner 245 (garmin) with some log data that looks a bit confusing. Does anyone have a guide or a way to start cracking it? It’s a txt file, but I don’t even know if it logged in UTC or what some of the acronyms are. Any help will be appreciated 🙏🏼
trillian
We have a Forerunner 245 (garmin) with some log data that looks a bit confusing. Does anyone have a guide or a way to start cracking it? It’s a txt file, but I don’t even know if it logged in UTC or what some of the acronyms are. Any help will be appreciated 🙏🏼
JLindmar (83AR) 7/20/2022 1:46 PM
Do the files have ".fit" extension?
JLindmar (83AR)
Do the files have ".fit" extension?
Not the log one, that's a text file. That's the one I'm trying to understand. The .fit files with location data I've reviewed with Garmin Basecamp, but they're very few with random dates so I'm guessing the app wasn't synced often and rather the watch was mostly used for messages/notifications. The .fit files that I haven't been able to open with Basecamp I'm converting to .gpx with GPSBabel and then opening in Google Earth Pro.
trillian
Not the log one, that's a text file. That's the one I'm trying to understand. The .fit files with location data I've reviewed with Garmin Basecamp, but they're very few with random dates so I'm guessing the app wasn't synced often and rather the watch was mostly used for messages/notifications. The .fit files that I haven't been able to open with Basecamp I'm converting to .gpx with GPSBabel and then opening in Google Earth Pro.
JLindmar (83AR) 7/20/2022 2:19 PM
Sorry, I'm only familiar with the FIT format per the SDK. Perhaps there is something useful here to help you with the log: https://developer.garmin.com/
JLindmar (83AR)
Sorry, I'm only familiar with the FIT format per the SDK. Perhaps there is something useful here to help you with the log: https://developer.garmin.com/
Thank you! I didn’t think of that!
Bill (VeriFi)
Anyone done a deep dive into iOS CoreAudio's plists? I have an iPhone X on 15.3 that created/modified/accessed a coreaudio.plist for the headphone safety function immediately before a fatal crash. Just wondering why this plist was created at that time. The actual device does not show the Headphone Safety function turned on.
facelessg00n 7/20/2022 8:41 PM
iPhones record headphone volume and usage stats in the background; may be part of that? I just know this as mine gives me a little report every week of my volume / usage.
trillian
We have a Forerunner 245 (garmin) with some log data that looks a bit confusing. Does anyone have a guide or a way to start cracking it? It’s a txt file, but I don’t even know if it logged in UTC or what some of the acronyms are. Any help will be appreciated 🙏🏼
facelessg00n 7/20/2022 8:43 PM
It's recorded in binary FIT (https://developer.garmin.com/fit/overview). There are quite a few decoders for it on GitHub. This one seems regularly updated. https://github.com/tormoder/fit
@Cellebrite Do you have any information on creating a report in PA 8.1.0.12 from SIM cards? We all have problems, I do not understand how something like this can eventually reach end users ...
@Cellebrite Should Signal be decoded with a physical android dump and UFED PA 7.56?
@Sockmoth, had the same problem with a physical android dump. Only thing that helped me was a memory dump
facelessg00n
iPhones record headphone volume and usage stats in the background; may be part of that? I just know this as mine gives me a little report every week of my volume / usage.
Bill (VeriFi) 7/21/2022 9:53 AM
Thanks. I finally got it figured out. The plist in question controls the safety notifications and the volume auto-decrease amount.
9:54 AM
Every time you alter those settings, this plist is re-created to reflect the new settings.
Sockmoth
@Cellebrite Should Signal be decoded with a physical android dump and UFED PA 7.56?
Could you confirm that the keystore was extracted? The .ufd should mention it in order to let PA know that the keystore is there.
Are GrayKey's Android keystores importable to PA? I know there is a button to upload the keystore but wasn't sure if the format was correct or if it was actually doing something...
Bill (VeriFi)
Thanks. I finally got it figured out. The plist in question controls the safety notifications and the volume auto-decrease amount.
facelessg00n 7/21/2022 4:44 PM
Cool, nice work. One to add to the knowledge bank.
A A
Are GrayKey's Android keystores importable to PA? I know there is a button to upload the keystore but wasn't sure if the format was correct or if it was actually doing something...
It was in the works. I’ll check tomorrow where it sits.
Hello, can someone advise? I am trying to determine whether an iPad has been moved within an apartment or not. I am looking at the knowledgeC.db but it is not completely clear to me what conclusions to draw. 1) Can the screen orientation change without someone holding the device? 2) What is the meaning of the inferred/motion entries in the database? 3) Any other things to look at? Thank you 🙂
Hi everyone, I'm having a bit of an issue with WhatsApp in regards to how the ZMEDIAURLDATE column in the ZWAMEDIA table is 4 hours ahead of when the file was downloaded and created on the device. This file was received and then forwarded via WhatsApp, so I was wondering if maybe the ZMEDIAURLDATE field can be updated/overwritten. Any help in the right direction would be hugely appreciated @Law Enforcement [UK]
My interpretation would be that ZMEDIAURLDATE is when the url to the media was sent from one user to another. The media itself is not downloaded until recipient presses the URL giving you a second timestamp at a later date. If you examine the media item that was linked there may be some corresponding exif data.
https://blog.group-ib.com/whatsapp_forensic_artifacts Also have this blog post bookmarked which may be of value
anngry
Hello, can someone advise? I am trying to determine whether an iPad has been moved within an apartment or not. I am looking at the knowledgeC.db but it is not completely clear to me what conclusions to draw. 1) Can the screen orientation change without someone holding the device? 2) What is the meaning of the inferred/motion entries in the database? 3) Any other things to look at? Thank you 🙂
For orientation, ZVALUEINTEGER is portrait when 0 and landscape when 1. I have found this accurate and it is logged when the device is inactive (keybag unlocked though). Not had much success with inferred/motion. The results are not always reliable (logged sporadically). Not confident, but pretty sure 1 is 'still', 2 is 'walking'. I am less certain on 3 and 4 but I have some test data that married up with 3 being an increase or decrease in altitude (so going up or down stairs) and 4 is running. It would be great to know if anyone has better test results on this. I am planning on revisiting this stream. You could use back-light and activity streams in knowledgeC to see if the device was awake or in use at the time. I haven't got access to an extraction at the moment but it is possible to see the strength of a WiFi connection at a given time. This is in an iOS db but the name escapes me. If the device has been moved during a specific time period you may have an increasing/decreasing wifi strength value.
bang
For orientation, ZVALUEINTEGER is portrait when 0 and landscape when 1. I have found this accurate and it is logged when the device is inactive (keybag unlocked though). Not had much success with inferred/motion. The results are not always reliable (logged sporadically). Not confident, but pretty sure 1 is 'still', 2 is 'walking'. I am less certain on 3 and 4 but I have some test data that married up with 3 being an increase or decrease in altitude (so going up or down stairs) and 4 is running. It would be great to know if anyone has better test results on this. I am planning on revisiting this stream. You could use back-light and activity streams in knowledgeC to see if the device was awake or in use at the time. I haven't got access to an extraction at the moment but it is possible to see the strength of a WiFi connection at a given time. This is in an iOS db but the name escapes me. If the device has been moved during a specific time period you may have an increasing/decreasing wifi strength value.
CLB_iwhiffin 7/22/2022 4:54 AM
I concur with bang. iPhones need an app on screen that reacts to the orientation change too (such as Safari) but since you have an iPad and the entire home/lock screen changes then I expect it's recorded then too. There is also a value of 2 which I've only ever seen when the device is booting FYI. InferredMotion is a tricky one. It seems to cache the data for a while and write it in bursts which makes it difficult to test. I've never got a great definition for it but I can take a look again today. I'm working my way through the entirety of knowledgeC still and this was still on my todo list anyway.
Yes, the 'bursts' make sense, good insight. Happy to share some results with you @CLB_iwhiffin if you are interested. So much to cover and difficult to test such a huge array of scenarios
CLB-Paul
It was in the works. I’ll check tomorrow where it sits.
Thank you!
Mattia Epifani 7/22/2022 7:08 AM
Given a “Telegram Images” folder on an emulated sdcard, is there any chance to map back a file name (images or videos) to a channel/group after the app was uninstalled? I understood with some simple searches that the file name is based on “volume_id” and “local_id” but apparently without the cache4.db file there is no chance to understand the “source” for a specific file. Any experience of cases like this?
@Mattia Epifani I agree for the link between media and cache. Except for Samsung when the SD card is encrypted 😟
Mattia Epifani
Given a “Telegram Images” folder on an emulated sdcard, is there any chance to map back a file name (images or videos) to a channel/group after the app was uninstalled? I understood with some simple searches that the file name is based on “volume_id” and “local_id” but apparently without the cache4.db file there is no chance to understand the “source” for a specific file. Any experience of cases like this?
DeeFIR 🇦🇺 7/23/2022 12:36 AM
My last Telegram analysis report resulted in the same conclusion, you need the cache4.db database to definitively identify the provenance of a particular media file. Inferences can be made from its location, but not linked to specific messages/threads etc.
Hi all, hopefully someone can give me some insight about Snapchat media. I have an FFS extraction of an iPhone 7. I have the code. I reviewed the videos within DCIM and the Snapchat folder. After my research I quickly looked at the Snapchat application by hand. I manually viewed the 'media' placed in 'Snaps'. This is where I am seeing NEW videos and photos. The device is disconnected from the network, so it can't be newly cached from the server. Why am I not seeing these videos in my extraction? (edited)
Anyone from @Oxygen Forensics free by any chance? 😁
Aero
Anyone from @Oxygen Forensics free by any chance? 😁
What's up. I will try
@Cellebrite Are you aware of a decoding issue regarding Snapchat media? PA isn't decoding the 'snaps' in Snapchat. It's filled with relevant videos and photos (looked manually), but not to be found in media. (edited)
Sam Wise
My interpretation would be that ZMEDIAURLDATE is when the url to the media was sent from one user to another. The media itself is not downloaded until recipient presses the URL giving you a second timestamp at a later date. If you examine the media item that was linked there may be some corresponding exif data.
Thanks for that interpretation, but the created date is 4 hours before the URL date 🤔 I'll look more into it, thanks for your help
florus
@Cellebrite Are you aware of a decoding issue regarding Snapchat media? PA isn't decoding the 'snaps' in Snapchat. It's filled with relevant videos and photos (looked manually), but not to be found in media. (edited)
Magnet Axiom does a much better job with SnapChat AFAIK, the chats appear as they do in the app with media linked
4:07 AM
Black Bag Forensics used to support a SC parser called Snoopy, not sure if it's still around since Cellebrite acquired them
Sam Wise
Black Bag Forensics used to support a SC parser called Snoopy, not sure if it's still around since Cellebrite acquired them
CLB_iwhiffin 7/24/2022 2:13 PM
Are you speaking about Spoopy? That was my SnapChat parser for chatConversationStore.plist back before any tool supported it. Cellebrite acquired me too but I don't think Spoopy was ever brought into any of our tools.
CLB_iwhiffin
Are you speaking about Spoopy? That was my SnapChat parser for chatConversationStore.plist back before any tool supported it. Cellebrite acquired me too but I don't think Spoopy was ever brought into any of our tools.
That's the one. Was good. Seems like an obvious omission for PA
CLB_iwhiffin 7/24/2022 2:40 PM
Thanks 🙂 since then snapchat has totally changed and is now much simpler (which only goes to show what a nightmare the previous format was!)
I got a lot of credit for parsing those plists before anyone was used to seeing SC content. Snapchat was like dark magic. Genuine thanks 🙏
I have images and videos of interest in Snapchat filepath "/documents/com.snap.filemanager_3_SCContent..../" Does anyone have any info regarding this filepath? Thank you.
Does anyone know if Private Photo Vault does any special deletion of media from an iPhone?
6:24 AM
Also, if Axiom didn't decrypt all of the files (but most) is it possible there is a secondary pin that wasn't discovered to decrypt the remaining files?
Pixel
I have images and videos of interest in Snapchat filepath "/documents/com.snap.filemanager_3_SCContent..../" Does anyone have any info regarding this filepath? Thank you.
Your "..." is the UUID of the user account, so you can be sure that the files are his.
Can someone shed some light on what "pvasset/s" means? I am analyzing photos on an Apple iPhone X device and there are multiple of them. They are not linked to a text message or anything else. Some of them have a known location, but not all. If anyone has a cheat sheet link listing this information, that would be wonderful. Thank you in advance.
DFTraveler
Can someone shed some light on what "pvasset/s" means? I am analyzing photos on an Apple iPhone X device and there are multiple of them. They are not linked to a text message or anything else. Some of them have a known location, but not all. If anyone has a cheat sheet link listing this information, that would be wonderful. Thank you in advance.
JLindmar (83AR) 7/25/2022 4:10 PM
Perhaps associated with a "Photo Vault" (PV) app? The first reply to this question mentions "PVAsset": https://discussions.apple.com/thread/251730522?page=5
Bobby
Could you confirm that the keystore was extracted? The .ufd should mention it in order to let PA know that the keystore is there.
No, I don't have it. The device is a modified Honor smartphone. The bootloader is unlocked and TWRP is installed. It has a custom rom but I haven't figured out which one. The dump is created with TWRP. UFED4PC and Premium weren't able to dump the device which seems logical because of the mods.
I have a Samsung SM-G9555F in another case and created a FFS dump with the Premium. When I load the UFD in Physical Analyzer I get a notification that a dump couldn't be located. In the trace window it shows that access to path /devicenamefolder/extra/ was denied. In the folder extra is another folder called Secrets which contains the file secrets.json. I tried moving the secrets.json to the root folder which contains the other dump files and modified the UFD and pointed it directly to the json. I don't get the error now but I'm not sure if PA does anything with the file. Is this a known issue? @Cellebrite
I did the APK downgrade to Signal, but PA didn't detect anything for me. Is it because the database is encrypted?
Sockmoth
I have a Samsung SM-G9555F in another case and created a FFS dump with the Premium. When I load the UFD in Physical Analyzer I get a notification that a dump couldn't be located. In the trace window it shows that access to path /devicenamefolder/extra/ was denied. In the folder extra is another folder called Secrets which contains the file secrets.json. I tried moving the secrets.json to the root folder which contains the other dump files and modified the UFD and pointed it directly to the json. I don't get the error now but I'm not sure if PA does anything with the file. Is this a known issue? @Cellebrite
Can you share the ufd file?
CLB-Paul
Can you share the ufd file?
Sure thing, I'll DM you.
@JLindmar (83AR) That is what it was. Looks like Apple removed Photo Vault from their app store. The photos that were associated with PVAssets were all from 2018. Thank you again for the help!
Evening all. Has anyone got any reference material for siriremembers.sql. I believe I have managed to understand the database enough to comprehend Siri voice assistant logs, but is this database the definitive source? My case involves a driver on the M way who caused a fatal pile up and claims the only device interactions were Siri and BT pairing to the vehicle.
Sam Wise
Evening all. Has anyone got any reference material for siriremembers.sql. I believe I have managed to understand the database enough to comprehend Siri voice assistant logs, but is this database the definitive source? My case involves a driver on the M way who caused a fatal pile up and claims the only device interactions were Siri and BT pairing to the vehicle.
JLindmar (83AR) 7/26/2022 2:36 PM
I don't have information on "siriremembers.sqlite3" (I'm curious what you've figured out!), but, if present in your dataset, you might also take a look at:
/private/var/mobile/Library/Assistant/com.apple.siri.applications.laststate.plist
/private/var/mobile/Library/Assistant/SiriAnalytics.db
/private/var/mobile/Library/Biome/streams/public/AppIntent/local
@snoop168 has a blog post and tool that deals with AppIntent: https://bluecrewforensics.com/2022/03/07/ios-app-intents/
JLindmar (83AR)
I don't have information on "siriremembers.sqlite3" (I'm curious what you've figured out!), but, if present in your dataset, you might also take a look at:
/private/var/mobile/Library/Assistant/com.apple.siri.applications.laststate.plist
/private/var/mobile/Library/Assistant/SiriAnalytics.db
/private/var/mobile/Library/Biome/streams/public/AppIntent/local
@snoop168 has a blog post and tool that deals with AppIntent: https://bluecrewforensics.com/2022/03/07/ios-app-intents/
Great resources. Thanks I'll check out the set and see what I can deduce. Hopefully I get the lot and can give a good assessment.
Just in case folk were unaware, Snapchat audio is often finding itself in the Cellebrite PA video section. I raised a ticket with @Cellebrite who said there is nothing they or we can do but they have created a KB article on it.
rico
Your "..." is the UUID of the user account, so you can be sure that the files are his.
Thank you. There are photos of the victim in here; he is denying he knows her. Do you know if this folder stores particular snaps, i.e. received / sent?
@Pixel pm
Anyone using Apollo on iOS 15? Do you use yolo or version 14?
trillian
Anyone using Apollo on iOS 15? Do you use yolo or version 14?
I always use yolo whatever version it is. Works well
Thank you! I will give that a try.
Pixel
I have images and videos of interest in Snapchat filepath "/documents/com.snap.filemanager_3_SCContent..../" Does anyone have any info regarding this filepath? Thank you.
The folder holds all kinds of stuff; you can use cache_controller.db or contentManagerDB.db to link it to a conversation or memories entry. Try out my tool https://github.com/Ogg3/CheckArroyo. Some of the files are segmented so I made a script for that as well: https://github.com/Ogg3/snapunscatter. I can also recommend tools from https://github.com/DFIR-HBG (edited)
I have what feels like a really dumb question. In Physical Analyzer (7.56), why can't I tag items from the filesystem view? If I find a relevant file in the app container folder structure, I should be able to tag the specific file as relevant to the case. Instead, I have to switch to hex view and tag the specific hex (cumbersome) or go back to the analyzed data view and search for the same file I just found in the file system view. I just want to hit F6, tag the file as evidence, and move on with my life... @Cellebrite - any suggestions?
12:03 PM
And when I tag the hex, it doesn't matter if I select show as ASCII, the actual tag just shows up as hex. Means I have to manually translate it elsewhere.
whee30
I have what feels like a really dumb question. In Physical Analyzer (7.56), why can't I tag items from the filesystem view? If I find a relevant file in the app container folder structure, I should be able to tag the specific file as relevant to the case. Instead, I have to switch to hex view and tag the specific hex (cumbersome) or go back to the analyzed data view and search for the same file I just found in the file system view. I just want to hit F6, tag the file as evidence, and move on with my life... @Cellebrite - any suggestions?
I just end up dumping whole apps or sections of the file system, zip and hash them and then break out the stuff I want outside PA. But I feel you: if you are going to give access to a filesystem you don't directly parse, at least let me index/bookmark it as I need. (edited)
Sam Wise
Great resources. Thanks I'll check out the set and see what I can deduce. Hopefully I get the lot and can give a good assessment.
JLindmar (83AR) 7/28/2022 1:46 PM
FYI, looking at the dataset I have, I found data associated with the intents.dkevent_UUID values present in siriremembers.sqlite3 also in:
private/var/mobile/Library/Caches/CloudKit/com.apple.coreduetd/c71f032347d6cae25a3164e9ffda52413530d895/Records/pcs.db
knowledgeC.db
and the AppIntent data I mentioned previously. I'm not sure if you also have those sources, nor if they may contain useful content for your scenario.
equalexpert 7/29/2022 4:46 AM
Telegram ID - I'm looking at an extraction where a chat between 2 users takes place. I have the chat on a device and UFED shows the standard <Telegram ID> <user account>, for example 657645690 MrSmith. All good. The cloud extraction from UFED shows the same chat, same username but a different Telegram ID. There's another chat with a different user and that user's ID matches on both extractions. Ideas welcome.
Forensic@tor 7/29/2022 10:55 AM
I have an iCloud warrant return which during Cellebrite decoding prompts me to select one of 13 items (User id + blended). I would like to determine the back up date of the datasets. Does anyone have a path for where the backup date resides in the filesystem? (edited)
skhjr
Can anyone tell me when this file path is created? private\var\mobile\Library\Caches\com.apple.MobileSMS\Previews\Search\PhotoSearchSection-at_X_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.png Is this path created when someone went into the Messages application on an iPhone and searched at the top for a specific image/message? (edited)
citizencain 7/29/2022 11:48 AM
My testing shows that both those folders are created when a user clicks on a contact's info from inside the message. When the contact information comes up, you get a preview of Photos, Links, and Location. So you could potentially see three different file names: PhotoSearchSection, AttachmentSearchSection (Links/Documents), and LocationSearchSection. On the iPhoneX, I'm seeing that default loads 6 photos, 4 links, and 4 locations. But you can click to "See All". In that preview pane it shows both incoming and outgoing and there's not a way to tell the difference from what I can see. You can marry the photos back up to their original message in the sms.db. The photos are named with the attachment.guid. (edited)
whee30
I have what feels like a really dumb question. In Physical Analyzer (7.56), why can't I tag items from the filesystem view? If I find a relevant file in the app container folder structure, I should be able to tag the specific file as relevant to the case. Instead, I have to switch to hex view and tag the specific hex (cumbersome) or go back to the analyzed data view and search for the same file I just found in the file system view. I just want to hit F6, tag the file as evidence, and move on with my life... @Cellebrite - any suggestions?
CLB_iwhiffin 7/30/2022 9:48 AM
You are correct that there is no way to do it in PA7. PA Ultra has a new file browser which does allow tagging individual files.
Has anyone come across "com.apple.quicklook.extension.previewUI" before? Is it possible to tell which app the preview was generated in? I've a hunch it's iCloud as similar files exist there.
I would work backwards from the file structure/location of the previewed file as the interaction is likely to be a function of its location. A caution though, MacOS is known to precache whole folders to speed up QL on user demand.
thatboy_leo 8/1/2022 7:39 AM
Hello there 👋🏼 I have an iPhone 11 advanced logical parsed with PA 7.56. One of the texts parsed from sms.db is showing as blank with all the other data populated. Looking within sms.db, the text field is also blank. Is there anywhere else that could help me understand why the message is blank?
thatboy_leo
Hello there 👋🏼 I have an iPhone 11 advanced logical parsed with PA 7.56. One of the texts parsed from sms.db is showing as blank with all the other data populated. Looking within sms.db, the text field is also blank. Is there anywhere else that could help me understand why the message is blank?
thatboy_leo 8/1/2022 7:59 AM
There may not be available resources on this, but the item_type column for these blank messages is showing a value of '1'.
thatboy_leo
Hello there 👋🏼 I have an iPhone 11 advanced logical parsed with PA 7.56. One of the texts parsed from sms.db is showing as blank with all the other data populated. Looking within sms.db, the text field is also blank. Is there anywhere else that could help me understand why the message is blank?
CLB_iwhiffin 8/1/2022 9:11 AM
It was likely a media item that was sent. I'm writing up a document that explains that amongst other things and will forward it when done if you like. Take a look in the message_attachment_join table to see if you can find the message_id in there.
CLB_iwhiffin
It was likely a media item that was sent. I'm writing up a document that explains that amongst other things and will forward it when done if you like. Take a look in the message_attachment_join table to see if you can find the message_id in there.
CLB_iwhiffin 8/1/2022 9:40 AM
I take that back.. It's somewhat related but I'm still working on what the types all mean.
CLB_iwhiffin
I take that back.. It's somewhat related but I'm still working on what the types all mean.
thatboy_leo 8/1/2022 10:31 AM
That write up will be very nice thank you so much. I might have trouble finding the message_id from the message table. But it could very likely be an attachment as other data like dates are included in message table. Thank you!
thatboy_leo
That write up will be very nice thank you so much. I might have trouble finding the message_id from the message table. But it could very likely be an attachment as other data like dates are included in message table. Thank you!
CLB_iwhiffin 8/1/2022 11:21 AM
I was hoping to have it completed today; but will more likely be tomorrow by now. I'll be in touch.
MrMacca (Allan Mc) 8/2/2022 4:45 AM
I have a question relating to Outlook emails on extractions. At the moment, Cellebrite PA is not decoding Microsoft Outlook emails. As a result of this, the extraction (usually GK) is then processed within Axiom and then the emails exported out as a PST file so that we can ingest the information into Nuix. My question is, how do I determine the correct folder to process within Axiom, so that I do not have to process the entire phone? During some testing, once the phone has been processed fully, I can easily see the folder that the emails reside in. And then on a 2nd processing I can select only this folder within Axiom and it processes everything in 2 minutes, rather than 2 hours for the full phone. I'm therefore wanting to develop a method/system where I can quickly determine the correct filepath for the Outlook emails and eradicate the full processing. Any ideas? Kind regards (sorry if I haven't explained myself too well)
4:49 AM
Just been thinking, and maybe it's as simple as just finding the Hxstore...
CLB_iwhiffin
I take that back.. It's somewhat related but I'm still working on what the types all mean.
citizencain 8/2/2022 6:37 AM
I'm also looking at sms.db item_type. Here's what I have so far, where item_type =
0 = message
1 = member added to group
2 = group renamed (name is in group_title)
3 and group_action_type=0 is member leaves group
3 and group_action_type=1 is group photo changed (cache_has_attachments also 1)
4 = sharing/sending location data
6 = ?
Let me know if your test shows different results! (edited)
citizencain
I'm also looking at sms.db item_type. Here's what I have so far, where item_type =
0 = message
1 = member added to group
2 = group renamed (name is in group_title)
3 and group_action_type=0 is member leaves group
3 and group_action_type=1 is group photo changed (cache_has_attachments also 1)
4 = sharing/sending location data
6 = ?
Let me know if your test shows different results! (edited)
CLB_iwhiffin 8/2/2022 9:27 AM
That looks very similar to my list 🙂 I am struggling to get my test phone to show the results, but what you have matches the conclusion I came to looking at static data.
citizencain
I'm also looking at sms.db item_type. Here's what I have so far, where item_type =
0 = message
1 = member added to group
2 = group renamed (name is in group_title)
3 and group_action_type=0 is member leaves group
3 and group_action_type=1 is group photo changed (cache_has_attachments also 1)
4 = sharing/sending location data
6 = ?
Let me know if your test shows different results! (edited)
CLB_iwhiffin 8/2/2022 9:32 AM
The other_handle appears very useful for type 1 and is usually the added person. But I also have a lot of other_handle = 0.
CLB_iwhiffin
That looks very similar to my list 🙂 I am struggling to get my test phone to show the results, but what you have matches the conclusion I came to looking at static data.
citizencain 8/2/2022 9:33 AM
The handle_id seems to correlate to whoever did the thing. (where 0=device owner and the others can be matched via the chat_handle_join and handle)
citizencain
The handle_id seems to correlate to whoever did the thing. (where 0=device owner and the others can be matched via the chat_handle_join and handle)
CLB_iwhiffin 8/2/2022 9:37 AM
Look further along for other_handle. If I add user A and B for example, I’ll get two records (one for each) and the other_handle should be the handle ID of A and B respectively. (edited)
citizencain 8/2/2022 9:39 AM
Correct, so:
item_type=1, handle_id=0, other_handle=3 (Device Owner [0] adds Alice [3] to the group)
item_type=1, handle_id=3, other_handle=6 (Alice [3] adds Bob [6] to the group) (edited)
CLB_iwhiffin 8/2/2022 9:54 AM
Agreed. I still have some anomalies to sort out but I think they are related to deleted records.
Hi All, I'm looking for guidance on parsing a userdata.img file. Not super familiar with it, so any basic tools or ideas are welcome. Thanks in advance
CLB_iwhiffin
Agreed. I still have some anomalies to sort out but I think they are related to deleted records.
citizencain 8/2/2022 10:17 AM
The biggest issue I'm running up against is that all big box programs report the group as having all members from the first message to the last message. But if you look at these columns, you can see when members go in and out of the group. So my target message appears to be sent to the entire group. However, if this research is correct, then I have at least one member who removed themselves from the conversation days before the target message was posted to the group. Which changes things for that person.
citizencain
The biggest issue I'm running up against is that all big box programs report the group as having all members from the first message to the last message. But if you look at these columns, you can see when members go in and out of the group. So my target message appears to be sent to the entire group. However, if this research is correct, then I have at least one member who removed themselves from the conversation days before the target message was posted to the group. Which changes things for that person.
gadget.inspector 8/2/2022 10:21 AM
In our department, a program was developed that targets this issue for WhatsApp. The tool lists all entries and exits of a group and can tell which members were in the group at the time the message was sent. If that's of any help to you, you can message me 🙂
10:22 AM
We also submitted this as a feature request to CB well over a year ago, but 😪
gadget.inspector
We also submitted this as a feature request to CB well over a year ago, but 😪
CLB_iwhiffin 8/2/2022 10:41 AM
Rest assured it IS on the list of features. Quite when it will happen I don't know. I recall seeing it working, but it needed work to be more user friendly as having a list of a thousand names (thanks telegram) isn't very helpful.
I have a video that is labelled IMG_1234.MOV.mov. It appears to have been made using iOS 9.1 on an iPhone 5c and now currently resides on an iPhone 7 Plus.... The current movies are labelled MOV_1234.mov. Does anyone know why I would have IMG_1234.MOV.mov? Did Apple change their naming and this file just got a new extension?
11:22 AM
Extension
In a Huawei phone (full FS obtained), where should I search to prove that WhatsApp (and other apps) were uninstalled on a given date?
Jetten_007
I have a video that is labelled IMG_1234.MOV.mov. It appears to have been made using iOS 9.1 on an iPhone 5c and now currently resides on an iPhone 7 Plus.... The current movies are labelled MOV_1234.mov. Does anyone know why I would have IMG_1234.MOV.mov? Did Apple change their naming and this file just got a new extension?
CLB_iwhiffin 8/2/2022 1:48 PM
They've never used a double extension like that to my knowledge. If you look in Photos.sqlite, look for the "ImportedBy" or "CreatorBundle" fields (in the ZADDITIONALATTRIBUTES table). I'd be interested in whether it was a 3rd party app that did the saving.
Does anyone know how to get any timestamps for when an iOS device was connected to a (trusted) computer? The only references I can find are in the iTunesPrefs file which is already parsed by Cellebrite, just with no dates. Looking at the raw hex/frpd data I don't see any additional timestamps. Any ideas of other places to look? Every last tethered/backed up date I see is the day the phone was imaged.
CLB_iwhiffin
They've never used a double extension like that to my knowledge. If you look in Photos.sqlite, look for the "ImportedBy" or "CreatorBundle" fields (in the ZADDITIONALATTRIBUTES table). I'd be interested in whether it was a 3rd party app that did the saving.
Jetten_007 8/2/2022 1:56 PM
The lower case .mov are com.apple.MobileSMS and the upper case .MOV do not have a CreatorBundle.
CLB_iwhiffin 8/2/2022 1:58 PM
So the upper case were most likely taken using the camera whereas the mov ones were either received or saved via the SMS app. Still doesn't really explain why the double extension though... I'll have to do some digging.
Jetten_007 8/2/2022 1:59 PM
The file was taken on a 5c and sent to the 7 Plus with lower case .mov... then the files were forwarded to another person... wonder if that has something to do with it...
CLB_iwhiffin 8/2/2022 2:02 PM
So potentially the 7 received the video with a .MOV extension and when the user saved it, it named it to the next consecutive IMG_ number and added the .mov without realising/caring it already had an extension. It doesn't sound like that's what the plan would be, but it would explain it and wouldn't surprise me.
Jetten_007 8/2/2022 2:03 PM
And potentially the file was received on a previous iPhone or lesser iPhone and then brought over to the 7 Plus on a device upgrade... this is a 2016 case...
ScottKjr3347 8/2/2022 3:25 PM
I've never seen a double extension like that either. But I only have test data from iOS 11 and up.
@Cellebrite there is a new timestamp we're seeing in PA 8 called "Changed" along with the usual created, modified and accessed. Is there any documentation on what this changed timestamp is referring to on an iOS extraction. The usual 3 are one date and time and the changed is showing as 8 hours later.
tricky
@Cellebrite there is a new timestamp we're seeing in PA 8 called "Changed" along with the usual created, modified and accessed. Is there any documentation on what this changed timestamp is referring to on an iOS extraction. The usual 3 are one date and time and the changed is showing as 8 hours later.
Nick, can you send me some additional details? Feel free to DM.
CLB_iwhiffin
I was hoping to have it completed today; but will more likely be tomorrow by now. I'll be in touch.
Is It Done Yet? 8/3/2022 12:55 AM
Would also love a copy if you are able to share 🙂
@Cellebrite Would MTK Live extract data from both a handset and a connected SD Card?
Anyone from @Magnet Forensics who has time for support regarding a parsing question about Snapchat? 🙂
sunile
Anyone from @Magnet Forensics who has time for support regarding a parsing question about Snapchat? 🙂
chriscone_ar 8/3/2022 6:06 AM
Happy to try and help.
@Oxygen Forensics I have a FFS (checkm8) of an iPhone 8 and X, and a FFS (EDL) of an Android device. Why are attachments of emails from Gmail not available in any extraction?
Damian
@Oxygen Forensics I have a FFS (checkm8) of an iPhone 8 and X, and a FFS (EDL) of an Android device. Why are attachments of emails from Gmail not available in any extraction?
Oxygen Forensics 8/3/2022 8:40 AM
Hello, let me try troubleshooting it. I will DM you some info 🙂
I have a Motorola REVVLRY (Model: XT1952-T, Android Version: 10) which has Google Voice and Google Chat installed. I have a full file system extraction which has been processed through Axiom (6.3.0.32040) and Physical Analyzer (7.56.0.20). Does anyone know if PA or Axiom can get information from Google Voice and Google Chat? I'm only seeing the email notifications from Google Voice but none of the chat logs from either.
randomaccess 8/4/2022 3:50 AM
Hello! A client has an xamn reader and phone extraction. Can you open xamn and export to xlsx? (I only have the question, otherwise I'd test it myself)
randomaccess
Hello! A client has an xamn reader and phone extraction. Can you open xamn and export to xlsx? (I only have the question, otherwise I'd test it myself)
Yes, I could using XAMN viewer 7.0
Oscar
Yes, I could using XAMN viewer 7.0
randomaccess 8/4/2022 4:56 AM
Would that be the installed viewer, or the one that's provided as a 'portable case'?
@Magnet Forensics What is a .pack file? And is it encrypted?
claireh
@Magnet Forensics What is a .pack file? And is it encrypted?
chriscone_ar 8/4/2022 6:00 AM
Generally .pack goes with Java and is compressed, but some additional context would help. I'll DM you for some additional details.
randomaccess
Would that be the installed viewer, or the one that's provided as a 'portable case'?
Both, just click Export in the main bar, select what to export (all, or what is available in the main screen), click Next, choose the export format (Excel format for you), then Next to choose the destination folder, then Export (edited)
Bobby
Both, just click Export in the main bar, select what to export (all, or what is available in the main screen), click Next, choose the export format (Excel format for you), then Next to choose the destination folder, then Export (edited)
randomaccess 8/4/2022 12:37 PM
Thanks!
@Cellebrite what could be causing the 'translation license missing' error, when the basis translation pack and the language are visible in the license details of the dongle? (edited)
@Cellebrite Is there a way to speed up P.A. 8.1 some? We have a server with 128 Gigs of RAM and a 10 core i9. When loading say a graykey extraction, it takes a long time to load and doesn't appear to use much of the available resources.
thatboy_leo 8/5/2022 8:11 AM
Is there a file I could look at that would help explain when a certain application was accessed? Device is an iPhone 11 Pro Max | iOS 13.6.1 | Advanced Logical using UFED. Preferably the notes app but wondering if there was a file that showed all applications
beamar
@Cellebrite Is there a way to speed up P.A. 8.1 some? We have a server with 128 Gigs of RAM and a 10 core i9. When loading say a graykey extraction, it takes a long time to load and doesn't appear to use much of the available resources.
CLB_iwhiffin 8/5/2022 9:38 AM
You should notice some improvements with 8.2 when released. Where do you have the database setup? Since we moved to a database, the amount of RAM isn't as important as the speed of the hard drive. Similarly, the chip (although still super important) is irrelevant if you have a slow HDD. We are working on ways of speeding it up and utilizing more resources though, if they are available.
CLB_iwhiffin
You should notice some improvements with 8.2 when released. Where do you have the database setup? Since we moved to a database, the amount of RAM isn't as important as the speed of the hard drive. Similarly, the chip (although still super important) is irrelevant if you have a slow HDD. We are working on ways of speeding it up and utilizing more resources though, if they are available.
thatboy_leo 8/5/2022 5:47 PM
Any update on when a beta version of PA Ultra will be available? I've been having an error with the Hash database during installation.
Someone claims they popped about 4TB of Cellebrite data. DDOSecrets currently sitting on the data. https://www.hackread.com/anonymous-leaks-4tb-cellebrite-data-cyberattack/ (edited)
7:27 PM
DDOSecrets previously had all the blueleaks data from 2020 when the fusion centers got breached.
Samsung S6, Android 7. Does anyone know of a logfile/artefact where I can determine that, within the camera application, the record button was pressed?
conf1ck3r
Someone claims they popped about 4TB of Cellebrite data. DDOSecrets currently sitting on the data. https://www.hackread.com/anonymous-leaks-4tb-cellebrite-data-cyberattack/ (edited)
CLB_iwhiffin 8/6/2022 9:10 AM
Cellebrite sold Mobilogy (formerly a division of Cellebrite) to ESW Capital more than 4 years ago. We have had no business connection with them since. We confirmed that the data leakage incidents did not involve Cellebrite’s intellectual property or source code and poses no risk to our business. Cellebrite remains vigilant in monitoring for and tracking data security incidents.
thatboy_leo
Any update on when a beta version of PA Ultra will be available? I've been having an error with the Hash database during installation.
CLB_iwhiffin 8/6/2022 9:13 AM
Scheduled for sometime in the next couple of weeks. We don’t have an exact date yet as we are trying to address the issues from 8.1
Does anyone here know why on a Samsung A21s, a telegram folder with several files in it would be visible in the file browser on the device but is not visible at all in the gallery? It should be noted that telegram is not installed on the device. Any help would be appreciated.
Bassist
Does anyone here know why on a Samsung A21s, a telegram folder with several files in it would be visible in the file browser on the device but is not visible at all in the gallery? It should be noted that telegram is not installed on the device. Any help would be appreciated.
Peacekeeper 8/6/2022 2:15 PM
You mean on the device itself? Possibly because of a .nomedia file within the folder. By default in Samsung Browser app you cannot see them, but you can enable the setting to show hidden files. Once removed, the media files will be indexed and shown within the default Gallery app.
thatboy_leo
Is there a file I could look at that would help explain when a certain application was accessed? Device is an iPhone 11 Pro Max | iOS 13.6.1 | Advanced Logical using UFED. Preferably the notes app but wondering if there was a file that showed all applications
Peacekeeper 8/6/2022 2:17 PM
KnowledgeC.db amongst others shows application usage, but that only comes with a full file system extraction if I'm not mistaken. Can't think of any other file immediately off the top of my head that would be available with an adv. log.
Peacekeeper
KnowledgeC.db amongst others shows application usage, but that only comes with a full file system extraction if I'm not mistaken. Can't think of any other file immediately off the top of my head that would be available with an adv. log.
CLB_iwhiffin 8/6/2022 4:30 PM
Yes, knowledgeC is not part of an Adv. Logical. I think you are also correct that there is no source for that kind of data from anything other than a FFS/AFU level extraction.
Peacekeeper
You mean on the device itself? Possibly because of a .nomedia file within the folder. By default in Samsung Browser app you cannot see them, but you can enable the setting to show hidden files. Once removed, the media files will be indexed and shown within the default Gallery app.
Thanks, that's it. Does anyone know if .nomedia files are present in the Telegram subfolders for media by default, or would they have to have been moved in manually?
Bassist
Thanks, that's it. Does anyone know if .nomedia files are present in the Telegram subfolders for media by default, or would they have to have been moved in manually?
Peacekeeper 8/7/2022 7:39 AM
I guess, but it's only a guess, they are created by Telegram by default. I don't use Telegram myself, so I cannot verify this to be sure. It could well be that Telegram was present on the device before, but removed since, or was copied from a backup or transferred with Samsung Smart Switch. If Smart Switch was used, there are logfiles created which are accessible in, amongst others, a FFS dump.
Bassist
Thanks, that's it. Does anyone know if .nomedia files are present in the Telegram subfolders for media by default, or would they have to have been moved in manually?
DeeFIR 🇦🇺 8/7/2022 2:31 PM
Which version of telegram?
DeeFIR 🇦🇺
Which version of telegram?
Unfortunately it's not possible to say, as the app is no longer installed on the device and the app details have not been recovered in the extraction.
Hi All, I'm looking to chat to anyone with experience decoding Discord caches (store_messages_cache_vXX) files on Android devices (and guilds, channels etc, need to be able to say where the message was sent). Been doing lots of searching online and I think I'm close. If anyone has any relevant experience please get in touch. Cellebrite and Magnet aren't decoding anything unfortunately.
Anyone got experience dumping data/getting root on a DJI Mini 2 Drone? Or parsing the DJI Assistant DAT files?
@Cellebrite - Does Cellebrite support Samsung Smart Switch backups? I didn't find it in the software or in the search function.
Jay528
@Cellebrite - Does Cellebrite support Samsung Smart Switch backups? I didn't find it in the software or in the search function.
Checked internally and it doesn't look like it. Feel free to DM me and we can chat more about it.
Does anyone know of a tool for parsing ldb files? I seem to find them more and more in cases. Cellebrite, Axiom, and EnCase do not seem to parse them. Usually they are smaller files so reviewing in hex isn't horrible, but this most recent one is longer than I care to manually parse out. fcm_queued_messages.ldb is the specific file; https://www.cclsolutionsgroup.com/post/fcm-queued-messages-on-android was a great read going over the purpose of this log file. Useful too since I am looking for Snapchat information that has since been deleted, so having half the conversation is better than none.
"Life always offers you a second chance. It’s called tomorrow" (or FCM Queued Messages if you're talking to our Principal Analyst Alex Caithness). In his latest blog, Alex explains how FCM Queued Messages can lead us to Android artefacts that present a golden second opportunity to recover data that might otherwise be unrecoverable.
Palazar82
Does anyone know of a tool for parsing ldb files? I seem to find them more and more in cases. Cellebrite, Axiom, and EnCase do not seem to parse them. Usually they are smaller files so reviewing in hex isn't horrible, but this most recent one is longer than I care to manually parse out. fcm_queued_messages.ldb is the specific file; https://www.cclsolutionsgroup.com/post/fcm-queued-messages-on-android was a great read going over the purpose of this log file. Useful too since I am looking for Snapchat information that has since been deleted, so having half the conversation is better than none.
Aleapp has a parser for it. You could check the source code.
So this is my first time doing mobile forensics for a case. I’m looking for location data but cannot seem to find it anywhere. Can you guys help me figure out where some location data can be hidden? I’ve looked in the locations that Cellebrite finds on its own, but that is just put through Apple Maps, all the internet searches were done through a private browser in Safari, and I cannot find any location information from photos. Thanks for any advice!
Afeefah
So this is my first time doing mobile forensics for a case. I’m looking for location data but cannot seem to find it anywhere. Can you guys help me figure out where some location data can be hidden? I’ve looked in the locations that Cellebrite finds on its own, but that is just put through Apple Maps, all the internet searches were done through a private browser in Safari, and I cannot find any location information from photos. Thanks for any advice!
JLindmar (83AR) 8/8/2022 2:09 PM
In this episode, we are joined by special guests Jared Barnhart & Ian Whiffin to discuss location information as recorded by iOS and Android devices. Location data has been integral to many investigations, but there are so many different types of location artifacts recorded by a device that it can be challenging to …
Thank you!
Afeefah
Thank you!
JLindmar (83AR) 8/8/2022 2:15 PM
👍 Also try /private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/database/Photos.sqlite, that one isn't in the spreadsheet.
JLindmar (83AR)
👍 Also try /private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/database/Photos.sqlite, that one isn't in the spreadsheet.
Will do! Thanks again!
forensicgeek 8/9/2022 5:40 AM
Hello, I have conducted an ISP on a Lumia 535 (RM-1089) running Windows 8.1. When attempting to decode the image using UFED PA and XRY, it fails to decode anything. Seems odd that I can’t find the store.vol file either. Axiom seems to have done a better job, but I just wanted to see if I was going wrong anywhere with PA or XRY. Any suggestions on why, or any other profiles to try? Thanks in advance. (edited)
Looking for documentation on how Samsung does their folder structure. I know /150 is secured folder, but anyone have reading material on that?
dmac
Looking for documentation on how Samsung does their folder structure. I know /150 is secured folder, but anyone have reading material on that?
I'm not aware of any official documentation, just observations from testing. Other vendors like Huawei also use predictable IDs for things like privatespace
Hi. I have an iOS SMS.db question. I have an iOS full file system from an iPhone 11, running iOS v15.3. In the SMS.db, under the attachments table, I found a large quantity of attachments that don't have a matching message ID in the message_attachment_join table, therefore there is no message that goes with them. The common factor I have found in the attachments table is the historical location of the file name. All the attachments were referenced in the table as being located at /var/tmp/com.apple.messages/[random guid]/[file name of attachment]. Anyone know why this happens?
OllieD
I'm not aware of any official documentation, just observations from testing. Other vendors like Huawei also use predictable IDs for things like privatespace
I see /0 as the normal user and /150 for secure… I was asked today why that was, so I'm trying to do some research.
Not sure why Samsung picked 150. What's interesting is that if you disable and then reenable secure folder, it will then have ID 151
5:29 PM
Repeat to get 152 etc
5:29 PM
It doesn't reuse older IDs
pdog
Hi. I have an iOS SMS.db question. I have an iOS full file system from an iPhone 11, running iOS v15.3. In the SMS.db, under the attachments table, I found a large quantity of attachments that don't have a matching message ID in the message_attachment_join table, therefore there is no message that goes with them. The common factor I have found in the attachments table is the historical location of the file name. All the attachments were referenced in the table as being located at /var/tmp/com.apple.messages/[random guid]/[file name of attachment]. Anyone know why this happens?
ScottKjr3347 8/9/2022 6:23 PM
This is a bit old, but it might help. https://dfir.pubpub.org/pub/v19rksyf/release/1
Hi all, first time here... Anyone know where to find information regarding shutdowns on iOS? I've been looking through knowledgeC and currentpowerlog but can't seem to find my missing link... I have a case where airplane mode is "off" several times in a row without there being any "on"... So I am trying to figure out what causes the "off" to show multiple times in a row without the "on" in between. 🙂
j_matas
Hi all, first time here... Anyone know where to find information regarding shutdowns on iOS? I've been looking through knowledgeC and currentpowerlog but can't seem to find my missing link... I have a case where airplane mode is "off" several times in a row without there being any "on"... So I am trying to figure out what causes the "off" to show multiple times in a row without the "on" in between. 🙂
I remember @ScottKjr3347 figured this out with @CLB_iwhiffin. It has to do with the start and end time, if I'm not mistaken.
florus
I remember @ScottKjr3347 figured this out with @CLB_iwhiffin. It has to do with the start and end time, if I'm not mistaken.
thanks... @CLB_iwhiffin is also on the case and I think I am getting closer. Just missed a file containing the power info which I was looking for, so I have asked for a new extraction.
We are dealing with an iPhone 11 (iOS 15.5), and we are hoping to find some details about the use of "Mobile Hotspot". Any suggestions where we definitely need to look ?
j_matas
Hi all, first time here... Anyone know where to find information regarding shutdowns on iOS? I've been looking through knowledgeC and currentpowerlog but can't seem to find my missing link... I have a case where airplane mode is "off" several times in a row without there being any "on"... So I am trying to figure out what causes the "off" to show multiple times in a row without the "on" in between. 🙂
CLB_iwhiffin 8/10/2022 8:26 AM
Power On events can be found in "containermanager.log.0" or "containermanager.log.1" etc. Search for "containermanagerd performing first boot initialization".
Power Off events can be found in either:
KnowledgeC: ZSTREAMNAME = "/app/inFocus" and ZVALUESTRING = "SBPowerDownViewController" (though this shows that the "Swipe to Shutdown" screen was visible, it doesn't actually show that the device was shut down)
logd.0.log: search for "No userlevel firehose clients left"
pdog
Hi. I have an iOS SMS.db question. I have an iOS full file system from iPhone 11, running iOS v15.3. In the SMS.db, under the attachments table, I found a large quantity of attachments that don't have a matching message ID in the message_attachment_join table, therefore there is no message that goes with it. The common factor I have found in the attachments table is the historical location of the file name . All the attachments were referenced in the table as being located at /var/tmp/com.apple.messages/[random guid]/[file name of attachment]. Anyone know why this happens?
CLB_iwhiffin 8/10/2022 8:30 AM
I believe Apple just did a poor job of deleting the records from the attachment table when the user deletes the message (or entire thread). It's a difficult one to test because I do not see the same issue with my test phones.
Karamba
We are dealing with an iPhone 11 (iOS 15.5), and we are hoping to find some details about the use of "Mobile Hotspot". Any suggestions where we definitely need to look ?
Get a full file system and parse knowledgeC
I'm working on an iPhone 11 Pro Max (iOS 15.3.1) for a murder case and have two locations which are 1) the location the suspect parked his car, 2) where the murder occurred shortly thereafter. The Source for the locations is Apple Maps MapsSync. I reviewed a location reliability table put out by Cellebrite, which shows MapsSync location to be unreliable in location and timestamp...however, the location is dead on in this case. The time stamps are exactly the same time which is obviously not right. My question is, since the two physical locations are known and the MapsSync locations are accurate, should this data be relied upon? The filepath is iPhone/mobile/Containers/Shared/AppGroup/group.com.apple.Maps/Maps/MapsSync 0.0.1 (edited)
JayB1rd
I'm working on an iPhone 11 Pro Max (iOS 15.3.1) for a murder case and have two locations which are 1) the location the suspect parked his car, 2) where the murder occurred shortly thereafter. The Source for the locations is Apple Maps MapsSync. I reviewed a location reliability table put out by Cellebrite, which shows MapsSync location to be unreliable in location and timestamp...however, the location is dead on in this case. The time stamps are exactly the same time which is obviously not right. My question is, since the two physical locations are known and the MapsSync locations are accurate, should this data be relied upon? The filepath is iPhone/mobile/Containers/Shared/AppGroup/group.com.apple.Maps/Maps/MapsSync 0.0.1 (edited)
Can it be matched up with cctv or something as a verification?
12:26 PM
If the timestamps of those pair up, that helps you :)
Unfortunately there is none. After speaking with @CLB_iwhiffin he helped me. The investigator later told me he knew the suspect searched the location and mapped it, which would create the entries in MapsSync. Thanks for the idea though!
anyone from @MSAB for a dm ?
RS
anyone from @MSAB for a dm ?
Fex
Has anyone been able to get the password for keepsafe recently? No luck in plaintext or keychain but that could just be me!
JayB1rd
Unfortunately there is none. After speaking with @CLB_iwhiffin he helped me. The investigator later told me he knew the suspect searched the location and mapped it, which would create the entries in MapsSync. Thanks for the idea though!
As in mapped in... what do you mean exactly? Searched the location in Apple Maps (typed the address) and it got plotted on the map? (edited)
florus
As in mapped in... what do you mean exactly? Searched the location in Apple Maps (typed the address) and it got plotted on the map? (edited)
Yeah, that's correct. @CLB_iwhiffin do you mind if I post your response to me here?
JayB1rd
Yeah, that's correct. @CLB_iwhiffin do you mind if I post your response to me here?
CLB_iwhiffin 8/11/2022 8:18 AM
Not at all
@CLB_iwhiffin response RE: Apple Maps MapsSync locations reliability: As one of the authors of the presentation and research that document is based on, allow me to elaborate. This database stores the locations that the user searched for and navigated to. That is the reason we scored it as unreliable, as it doesn't mean they were actually there. Typically, the starting location of a planned route IS where the user is when they plan the route. Note though that it is possible to change the starting location of a route. The destination may be important to show what the user was doing, but just because they planned the route doesn't mean they actually followed the route and went there. Within the ZHISTORYITEM table you will see "HistoryDirectionsItems", "HistoryPlaceItem" and "HistorySearchItem". HistoryDirectionsItems is the item you want. This contains a protobuf blob with the Start and End locations. There is also a flag in the protobuf that determines if the start location is the location where the user actually is. So, out of all the records that exist in that table, only a fraction can be trusted and it takes a little extra work to find it. There is a very high noise to evidence ratio. Hence the low score. (edited)
Axen Cleaver 8/11/2022 9:04 AM
Hello! Samsung Galaxy A13 Android 11 FFS extraction. Where can I look for the Plenty of Fish application messages? They weren't parsed out by CB or Axiom. I've poked at the pof application databases on my own, but nothing is jumping out at me though I also see a lot of web history on pof.com. Does the app only store messages on the website and they're just accessed through the device? (edited)
Axen Cleaver 8/11/2022 9:15 AM
Closest I've gotten is the sns-data-tmg table. it has sections for messages, but they're all empty
Can anyone confirm that Android doesn't keep track of last access date/time for files? From what I've been able to find, this seems to be a gray area. (edited)
thatboy_leo 8/11/2022 11:53 AM
If WhatsApp is deleted from an Android phone, does the local backup folder remain on the phone? If it does, would PA be able to parse that local backup? From my understanding, WhatsApp could be backed up either from WhatsApp or Google Drive.
thatboy_leo
If WhatsApp is deleted from an Android phone, does the local backup folder remain on the phone? If it does, would PA be able to parse that local backup? From my understanding, WhatsApp could be backed up either from WhatsApp or Google Drive.
Beginning in version 2.11.431 WhatsApp began encrypting those local backups. They are encrypted with a "key" file contained in the WhatsApp installation folder, so if the app is gone you'll have to find other ways to get that key again. The Google Drive backup would contain the key file and, depending on your tooling, expose the file directly. Another method is to restore one of those local backups to a "surrogate" device where you have FFS access to pull the key file once the backup has been restored. This methodology assumes you have access to the SIM/phone number the account is registered with and you are not operating covertly, as it will sever the active device's authentication to the app (haven't tested since multi-device support was introduced). Once restored, the key should work for other rolling backups (assuming they are the same .crypt versions) and Physical Analyzer even has a plugin to apply the key file, so you can apply it back to your original acquisition.
CLB_iwhiffin
Power On events can be found in "containermanager.log.0" or "containermanager.log.1" etc. Search for "containermanagerd performing first boot initialization".
Power Off events can be found in either:
KnowledgeC: ZSTREAMNAME = "/app/inFocus" and ZVALUESTRING = "SBPowerDownViewController" (though this shows that the "Swipe to Shutdown" screen was visible, it doesn't actually show that the device was shut down)
logd.0.log: search for "No userlevel firehose clients left"
There's also likely to be corroborating entries in Unified Logs and the Shutdown.log which can be captured via Sysdiagnose.
Tyler_Leno
Beginning in version 2.11.431 WhatsApp began encrypting those local backups. They are encrypted with a "key" file contained in the WhatsApp installation folder, so if the app is gone you'll have to find other ways to get that key again. The Google Drive backup would contain the key file and, depending on your tooling, expose the file directly. Another method is to restore one of those local backups to a "surrogate" device where you have FFS access to pull the key file once the backup has been restored. This methodology assumes you have access to the SIM/phone number the account is registered with and you are not operating covertly, as it will sever the active device's authentication to the app (haven't tested since multi-device support was introduced). Once restored, the key should work for other rolling backups (assuming they are the same .crypt versions) and Physical Analyzer even has a plugin to apply the key file, so you can apply it back to your original acquisition.
Peacekeeper 8/12/2022 1:19 AM
To add to this, please note that you will have to restore said backup during the setup on the surrogate device. If you don't, a new keyfile will be created. A couple of years back, a colleague of mine and I did some research on the WhatsApp keyfile and whether it was possible to crack it using a backup. About half of the keyfile is created from parts of the old backup, and part of it is recovered from the WhatsApp server. However, our conclusion back then was that cracking it would take a lot of time. I was looking for one of the websites we found during our research, but cannot find it that quickly. That site states what parts of the keyfile come from where in your backup file (which bytes to use in your keyfile). That's also why, if you don't use a backup to restore the WhatsApp account, you won't get a valid keyfile to recover the old backups with.
King Pepsi
Has anyone been able to get the password for keepsafe recently? No luck in plaintext or keychain but that could just be me!
Turns out this was in group.com.keepsafe.keepsafe.plist under shared-pin
Peacekeeper
To add to this, please note that you will have to restore said backup during the setup on the surrogate device. If you don't, a new keyfile will be created. A couple of years back, a colleague of mine and I did some research on the WhatsApp keyfile and whether it was possible to crack it using a backup. About half of the keyfile is created from parts of the old backup, and part of it is recovered from the WhatsApp server. However, our conclusion back then was that cracking it would take a lot of time. I was looking for one of the websites we found during our research, but cannot find it that quickly. That site states what parts of the keyfile come from where in your backup file (which bytes to use in your keyfile). That's also why, if you don't use a backup to restore the WhatsApp account, you won't get a valid keyfile to recover the old backups with.
I agree - The app only presents a prompt during the initialization to restore a backup, if you don't restore a new key is created for that "instance" of data. If you happen to run across that article would love to read it.
Tyler_Leno
I agree - The app only presents a prompt during the initialization to restore a backup, if you don't restore a new key is created for that "instance" of data. If you happen to run across that article would love to read it.
Peacekeeper 8/12/2022 7:45 AM
I have asked a colleague of mine who I did the research with if he can find it. I tried googling for it, but currently am unable to find it. I know each file is built up from 158 bytes, of which a part is padding (the 00 bytes)... I'll let you know if my colleague can find the source we found back in the day.
Tyler_Leno
I agree - The app only presents a prompt during the initialization to restore a backup, if you don't restore a new key is created for that "instance" of data. If you happen to run across that article would love to read it.
Peacekeeper 8/12/2022 9:23 AM
Found at least some part of it back: https://github.com/EliteAndroidApps/WhatsApp-Key-Generator/blob/master/WhatsAppKeyGenerator.java This Git was gold back then. The only part we needed was the account seed, needed to figure out what that was, how it was built up. For the rest, this script gave us exactly what we needed. Did a lot of testing but never got to how we could figure out the account seed
Demonstrates how WhatsApp generates and recovers cipher keys from encrypted backup files on Android devices. - WhatsApp-Key-Generator/WhatsAppKeyGenerator.java at master · EliteAndroidApps/WhatsApp...
I have a question. I have an iPhone 13 Pro Max (Model: D64AP, iOS Version: 15.2) which I got a Full File System extraction on. When looking at the search terms from the Safari browser, PA gives me a mixture of terms from the "Favicons.db" and the "History.db". Axiom gets the same information but just from the History.db. PA does not give any dates for the terms from the Favicons.db, and when looking at the History.db I cannot find all of the search terms Axiom lists. Can anyone explain this to me?
1:57 PM
Another question on the same phone. The phone extraction did not get any databases from the Facebook Messenger application. When I tried to open the application on the phone there was no account logged into the application. Would that prevent the databases from getting extracted?
zero00796
Another question on the same phone. The phone extraction did not get any databases from the Facebook Messenger application. When I tried to open the application on the phone there was no account logged into the application. Would that prevent the databases from getting extracted?
I would check to see if the app was uninstalled/reinstalled (the PLApplicationAgent_EventNone_AppVersions table in the currentpowerlog.psql has a column) which I would expect to limit the ability to recover the data. Alternatively, since you have an FFS acquisition there might be info retained in FSEvents regarding deletions of the app's files.
Tyler_Leno
I would check to see if the app was uninstalled/reinstalled (the PLApplicationAgent_EventNone_AppVersions table in the currentpowerlog.psql has a column) which I would expect to limit the ability to recover the data. Alternatively, since you have an FFS acquisition there might be info retained in FSEvents regarding deletions of the app's files.
Thanks I'll need to check that out on Monday. Also Axiom did show some user notification logs (not the facebook user) which showed some messages from Messenger. Like the messages that show up on your lock screen.
Avatar
ScottKjr3347 8/13/2022 4:40 PM
I’ve noticed a few questions in the past related to iOS Photos 📸 and syndication. I’m starting to dig into it and thought I would ask if anyone else has researched it, published anything about it or has some notes they would like to share/validate. Looking for file locations that you have seen in exams. I have already found some good data in Photos.sqlite and a file path but thought I would ask to see if there was anything you might need/want related to syndication? 👀 👂
Avatar
FantasticAdventure 8/15/2022 8:00 AM
Can anybody help me get my head around some data that is not making sense. I have an iPhone 12 and I've decoded it in Physical Analyser and Oxygen (from a GK extraction) and both report about 400ish calls in the call log. However, when I go to the InteractionC (InCallService) I can see about 4000+ calls sent and received. They are not being reported as deleted in either tool, so technically live data I'm guessing, so why am I not seeing 4400+ calls in my call log history? Does the call log data only come from the CallHistory.Storedata or are the 4000+ actually deleted? (I need to prove if the call history was deleted or not and I'm currently a bit confused). Thanks.
Avatar
Avatar
ScottKjr3347
I’ve noticed a few questions in the past related to iOS Photos 📸 and syndication. I’m starting to dig into it and thought I would ask if anyone else has researched it, published anything about it or has some notes they would like to share/validate. Looking for file locations that you have seen in exams. I have already found some good data in Photos.sqlite and a file path but thought I would ask to see if there was anything you might need/want related to syndication? 👀 👂
I was going to DM ya only (still will), but maybe someone else has come across this. I posted this in the MDFA Google Group a couple of months ago: I've got a photo of interest located at this filepath from a GK FFS on an iPhone XR running iOS 15.3.1. The filepath is: /private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/scopes/syndication/originals/... In looking at the folder view in PA, I see two additional folders in addition to the "originals": .../resources/derivatives and .../masters. In searching online it appears that the Syndication.photoslibrary may be all the images stored in iMessage chats. Can anyone confirm this? Also, is this where ALL images ever sent/received in iMessage are stored, or only those after the latest delete of a chat? (edited)
👍 1
Avatar
On a Samsung SM-G870A, how do I confirm whether or not there was a passcode enabled. The phone was damaged but I was able to get a physical extraction from it. Thanks in advance!
Avatar
check device_policies.xml, key files in /data/system as well as content of locksettings.db (edited)
this 1
Avatar
Avatar
Arcain
check device_policies.xml, key files in /data/system as well as content of locksettings.db (edited)
Device_policies.xml has an entry that says "simplepassword-enabled value=true". Locksettings.db is empty. Settings.db (/data/com.android.providers.settings/databases/) has an entry that says lockscreen.disabled with a value of 0. I was leaning toward it does have a password or passcode, but the empty locksettings.db made me think twice about it.
1:38 PM
And thank you for the response!
Avatar
Avatar
FantasticAdventure
Can anybody help me get my head around some data that is not making sense. I have an iPhone 12 and I've decoded it in Physical Analyser and Oxygen (from a GK extraction) and both report about 400ish calls in the call log. However, when I go to the InteractionC (InCallService) I can see about 4000+ calls sent and received. They are not being reported as deleted in either tool, so technically live data I'm guessing, so why am I not seeing 4400+ calls in my call log history? Does the call log data only come from the CallHistory.Storedata or are the 4000+ actually deleted? (I need to prove if the call history was deleted or not and I'm currently a bit confused). Thanks.
It would be worthwhile examining the primary keys in the call history DB to see if 4000+ records were even inserted in the first place. You can run the DB through MIRF: https://github.com/sheran/mirf
👍 1
Avatar
Is the app UUID for .../Shared/AppGroup/ stored anywhere like the UUID for /Data/Application/ is stored in applicationState.db?
Avatar
@Cellebrite Anyone free for a question?
Avatar
regarding? 🙂
Avatar
where specifically the Android recovery events on reports are being populated from
12:56 AM
I have been given a pdf so can't use the useful hyperlink
12:59 AM
I think it's just the presence of a recovery/last_log file existing.
Avatar
Is It Done Yet? 8/16/2022 1:18 AM
Does anyone have a list of useful databases within for Android and iOS extractions? Trying to compile a poster to just stick up in the office to help ingrain it in my memory
Avatar
Avatar
Is It Done Yet?
Does anyone have a list of useful databases within for Android and iOS extractions? Trying to compile a poster to just stick up in the office to help ingrain it in my memory
File 420.pdf shared using Egnyte
💯 1
1:20 AM
That's the SANS Advanced Smartphone Forensics poster. The second page has a bunch of databases linked to apps.
Avatar
Is It Done Yet? 8/16/2022 1:20 AM
Of course SANS has something 😄
👍 1
Avatar
iOS/Android cheat sheet effectively
Avatar
Is It Done Yet? 8/16/2022 1:21 AM
Cheers! Saves me compiling the list myself!
Avatar
No worries! No point doing something twice eh 😄
Arcain pinned a message to this channel. 8/16/2022 1:24 AM
Avatar
When you block someone on Snapchat, do all the messages get erased?
Avatar
Mistercatapulte 8/16/2022 2:16 AM
@OggE good question 🙂
Avatar
Avatar
OggE
When you block someone on Snapchat, do all the messages get erased?
When I last had a case a while back they didn't
Avatar
Avatar
Rob
When I last had a case a while back they didn't
interesting
Avatar
Afternoon all, has anyone had any luck with the enchanted cloud app? It's an encrypted photo vault. (edited)
Avatar
MrMacca (Allan Mc) 8/16/2022 4:14 AM
@Artea is it from an iPhone? I've had that piece of software a few times. I cleaned up the password list generated and then looked for any 4 to 6 digits and tried them manually.
4:14 AM
Let me see if I can find the cases where it was present
Avatar
Hi. In my case I have a microSD card with a /galeryvault_DoNotDelete/backup folder. Is it possible to decrypt the files inside this folder, or could someone assist me?
Avatar
Avatar
skipper
Hi. In my case I have a microSD card with a /galeryvault_DoNotDelete/backup folder. Is it possible to decrypt the files inside this folder, or could someone assist me?
@bang may be able to assist : )
Avatar
Avatar
Artea
Afternoon all, has anyone had any luck with the enchanted cloud app? It's an encrypted photo vault. (edited)
What version Artea? I support from 13.8 to 14.0.1
6:36 AM
12.8*
6:38 AM
This is full decryption of the metadata and media from the extracted file system. Please DM me
Avatar
Avatar
skipper
Hi. In my case I have a microSD card with a /galeryvault_DoNotDelete/backup folder. Is it possible to decrypt the files inside this folder, or could someone assist me?
Hi Skipper, what is the developer identifier for the application
Avatar
Avatar
Artea
Afternoon all, has anyone had any luck with the enchanted cloud app? It's an encrypted photo vault. (edited)
If it's Android, we have a script here for PIN/media decryption too (all app versions). @bang may also have an Android version but unsure, so let us know! 😁
Avatar
Does anyone have a good explanation for this notification? It's locked with an unknown passcode, but I was able to get a Cellebrite full file system. The extraction has very little information, suggesting it was wiped. However, there is one email stored on the phone with the subject "[name], finish setting up your new Google Account". If the phone was remotely wiped, I wouldn't expect the email to be there.
Avatar
Avatar
Cole
Does anyone have a good explanation for this notification? It's locked with an unknown passcode, but I was able to get a Cellebrite full file system. The extraction has very little information, suggesting it was wiped. However, there is one email stored on the phone with the subject "[name], finish setting up your new Google Account". If the phone was remotely wiped, I wouldn't expect the email to be there.
Aren't the phones registered with a Gmail account? So it was prob wiped and is sitting in setup.
this 1
Avatar
Avatar
beamar
Aren't the phones registered with a Gmail account? So it was prob wiped and is sitting in setup.
Do you think they created a new Google account when setting up the phone? As in the phone is partially set up? (edited)
Avatar
I have a question being posed by a prosecutor on a murder trial going on right now. I was previously on the stand in the case and got a call a few minutes ago on something I have never tested: Would an iPhone store data about the participants of a conference call/3-way call? An add on to that is would it matter if the phone user did not add the additional participants? Lastly, would @Cellebrite Physical Analyzer parse those additional participants if the data was on the phone. Thanks in advance!
Avatar
Avatar
Cole
Do you think they created a new Google account when setting up the phone? As in the phone is partially set up? (edited)
It's possible. Try to do a warrant on the Google account
👍 1
Avatar
Avatar
Miller280
I have a question being posed by a prosecutor on a murder trial going on right now. I was previously on the stand in the case and got a call a few minutes ago on something I have never tested: Would an iPhone store data about the participants of a conference call/3-way call? An add on to that is would it matter if the phone user did not add the additional participants? Lastly, would @Cellebrite Physical Analyzer parse those additional participants if the data was on the phone. Thanks in advance!
CLB_iwhiffin 8/16/2022 5:13 PM
That's a good question. I believe it will be recorded as a second call just with overlapping times. It shouldn't make a difference (I think) who adds who. I have no idea if PA shows a different icon... I see some possible flags in the database that may be related to more easily identify. I will fire it up and test properly in the morning.
Avatar
Avatar
Cole
Does anyone have a good explanation for this notification? It's locked with an unknown passcode, but I was able to get a Cellebrite full file system. The extraction has very little information, suggesting it was wiped. However, there is one email stored on the phone with the subject "[name], finish setting up your new Google Account". If the phone was remotely wiped, I wouldn't expect the email to be there.
CLB_joshhickman1 8/16/2022 5:30 PM
This is usually indicative of a user not completing all of the setup process that Android thinks a user should. During the setup process a user can skip some non-essentials at the end. When that happens, Android will periodically ping the user (typically by notifications like the one you have).
👍 1
Avatar
Avatar
CLB_iwhiffin
That's a good question. I believe it will be recorded as a second call just with overlapping times. It shouldn't make a difference (I think) who adds who. I have no idea if PA shows a different icon... I see some possible flags in the database that may be related to more easily identify. I will fire it up and test properly in the morning.
Thank you!
Avatar
DeepDiveForensics 8/16/2022 9:27 PM
Hello, we have got the Partial File System of a Samsung device (OS v7) from UFED. Are there any artifacts available in the extraction by which we can identify the device reset/first configure date? @Cellebrite
Avatar
Avatar
DeepDiveForensics
Hello, we have got the Partial File System of a Samsung device (OS v7) from UFED. Are there any artifacts available in the extraction by which we can identify the device reset/first configure date? @Cellebrite
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
Avatar
DeepDiveForensics 8/16/2022 10:08 PM
Thanks @FullTang , but in my case I don't have root directory.
Avatar
Ah. You might be able to figure something out by examining the creation times associated with the core database files like logs.db, but I don’t have any reference for that off the top of my head.
Avatar
Avatar
FullTang
Ah. You might be able to figure something out by examining the creation times associated with the core database files like logs.db, but I don’t have any reference for that off the top of my head.
DeepDiveForensics 8/16/2022 10:24 PM
Thanks
Avatar
Anyone use iOS indoor pressure recording to establish when a door was opened or closed?
👀 4
Avatar
Hello, I have a question about whether an iPhone 6S and X were jailbroken. I only have the extraction at the moment, so I looked for "cydia" and "checkra1n". I was wondering if there are any other artifacts that could help answer?
Avatar
Avatar
uochaos
Anyone use iOS indoor pressure recording to establish when a door was opened or closed?
Peacekeeper 8/17/2022 12:56 PM
This sounds interesting. In which database and table is this info stored? Think it's interesting to take a crack at.
Avatar
Avatar
Peacekeeper
This sounds interesting. In which database and table is this info stored? Think it's interesting to take a crack at.
I don't know, but I was researching something on significant locations and discovered that verbiage... I'll post if I find out anything.
❤️ 2
Avatar
Avatar
Peacekeeper
This sounds interesting. In which database and table is this info stored? Think it's interesting to take a crack at.
A quick Google search shows all iPhones after the iPhone 6 have a barometric pressure sensor that works even when the phone is offline, so I would assume it would be stored somewhere in the weather app.
Avatar
Avatar
FullTang
A quick Google search shows all iPhones after the iPhone 6 have a barometric pressure sensor that works even when the phone is offline, so I would assume it would be stored somewhere in the weather app.
I'm going to try to find it. Unless @cScottVance knows?
Avatar
If it's going to be detecting things like doors opening or closing, it would have to be constantly logging, and I don't think that's the case unless an app is active and querying the barometric readings while an exterior door is being opened and closed, then it might detect a quick, temporal variation that could be indicative of something like that... that sounds like an interesting research project, though I'm not sure how practical it is. I think it's much more common to use barometric readings to help determine altitude (i.e. what floor of a building a person is on).
1:33 PM
But even then you have to generally be able to baseline barometric readings at any given point in time, with other sensors around the location, to account for normal day-to-day variations, in order to be more accurate.
Avatar
@Cellebrite is it possible to open an iOS dump (dar archive) with PA?
Avatar
Avatar
Nutelap
@Cellebrite is it possible to open an iOS dump (dar archive) with PA?
If the dump is made with UFED, yes. Haven't seen any other program use dar archives so you should be fine 🙂
Avatar
Avatar
Oscar
If the dump is made with UFED, yes. Haven't seen any other program use dar archives so you should be fine 🙂
The archive is made with Passware 🤔 (edited)
Avatar
Avatar
Nutelap
The archive is made with Passware 🤔 (edited)
Then I can't say anything for sure since I haven't tested that :/
Avatar
@Nutelap yes, it opens
Avatar
Avatar
Nutelap
@Cellebrite is it possible to open an iOS dump (dar archive) with PA?
Open advanced should work
Avatar
Avatar
uochaos
Anyone use iOS indoor pressure recording to establish when a door was opened or closed?
CLB_iwhiffin 8/18/2022 9:00 AM
I would find it hard to believe it will detect a change that subtle with any kind of reliability. It would require knowing where the device was in the room, if it was in a case/pocket/bag etc. So many variables that I think would have more effect than a door opening/closing. The barometric sensor I believe is mainly used to guesstimate altitude, but even then I wouldn't trust it to be more accurate than 20 or 30ft. It's an interesting idea though.
Avatar
Avatar
Sea9
If it's going to be detecting things like doors opening or closing, it would have to be constantly logging, and I don't think that's the case unless an app is active and querying the barometric readings while an exterior door is being opened and closed, then it might detect a quick, temporal variation that could be indicative of something like that... that sounds like an interesting research project, though I'm not sure how practical it is. I think it's much more common to use barometric readings to help determine altitude (i.e. what floor of a building a person is on).
CLB_iwhiffin 8/18/2022 9:02 AM
Adding to this answer, the battery temperature can be found in knowledgeC (depending on iOS version) and is measured in milligrade. That will detect the temperature changes quite reliably BUT isn't logged consistently. Would be good to show if the device was inside or outside IF you can remove all other variables from the equation.
👍 1
Avatar
Avatar
CLB_iwhiffin
I would find it hard to believe it will detect a change that subtle with any kind of reliability. It would require knowing where the device was in the room, if it was in a case/pocket/bag etc. So many variables that I think would have more effect than a door opening/closing. The barometric sensor I believe is mainly used to guesstimate altitude, but even then I wouldn't trust it to be more accurate than 20 or 30ft. It's an interesting idea though.
I haven't gone through the whole paper yet, but this paper https://www.academia.edu/28170139/Monitoring_Building_Door_Events_using_Barometer_Sensor_in_Smartphones indicates that the phone can detect opening and closing of doors anywhere in a building based on the change in pressure. I could see this being useful in many cases.
Avatar
Avatar
uochaos
I haven't gone through the whole paper yet, but this paper https://www.academia.edu/28170139/Monitoring_Building_Door_Events_using_Barometer_Sensor_in_Smartphones indicates that the phone can detect opening and closing of doors anywhere in a building based on the change in pressure. I could see this being useful in many cases.
CLB_iwhiffin 8/18/2022 9:06 AM
Interesting. I'll take a read.
👍 1
Avatar
Avatar
CLB_iwhiffin
Interesting. I'll take a read.
CLB_iwhiffin 8/18/2022 9:27 AM
That didn't take long to read and test. I installed a barometer app which registered 879.4 regardless if I was inside (door closed), inside (door open) or outside. Once it fluctuated to 879.3. It did change to 879.2 when I went upstairs. Reading the paper and doing this simple test I stand by my original thought. In the paper the circumstances are much more controlled. And even if the sensor was good enough (It may be that the app I'm using is rounding the figure and the underlying data is better) it would still require the phone to be monitoring/recording extremely frequently to be able to make use of this data. Bear in mind their experiment was sampling at 20hz. And even if it was sampling and recording that frequently, I don't think you'd be able to attribute any changes to an opening door vs someone moving the device etc.
👍 3
Avatar
I would think that the barometer data could be used in an investigation in two ways. The first would be a very rudimentary form of geolocation. You should be able to say that a phone was in a particular city on a particular date especially if there was a significant weather event on the date in question. This could be compared against statements made by the phone’s owner to debunk or confirm their testimony of their whereabouts. Just compare the data recorded by the phone against historical weather data. The second way it could be used is if there were two phones in a case. Phone A was at a known location and data from Phone A could be compared against data from Phone B to determine if it was at the same location at the same time. This could be very useful to determine if two people slept in the same room as the phones would be stationary for most of the night and the data should be very similar over several hours. Just my thoughts.
Avatar
The granularity of the data and events like a forced air heater/air conditioner turning on and off would help with the same room theory. Who wants to test it? lol
Avatar
@Cellebrite anyone for a question about ios?
Avatar
Avatar
rafael_cs
@Cellebrite anyone for a question about ios?
Andrew Rathbun 8/18/2022 1:08 PM
Just post the question and they or someone else can answer
Avatar
So, I found a mention of the installation of "kjc.loader" and a minute later a mention of an uninstall. This happens approx. 10 minutes before the timestamp of the extraction beginning in UFED. So, I searched and found that kjc.loader is related to checkra1n. Could that indicate that the examiner tried to jailbreak the phone before the extraction, or is it extraction related? (edited)
Avatar
Avatar
rafael_cs
So, I found a mention of the installation of "kjc.loader" and a minute later a mention of an uninstall. This happens approx. 10 minutes before the timestamp of the extraction beginning in UFED. So, I searched and found that kjc.loader is related to checkra1n. Could that indicate that the examiner tried to jailbreak the phone before the extraction, or is it extraction related? (edited)
Did you select the Full File System (checkm8) option in UFED to perform the extraction for the phone? (Disclaimer: I have not used the software, but if the checkm8 option was selected, then it is very likely related to extraction. There are some folks from Cellebrite here, so hopefully they can confirm). (edited)
Avatar
Avatar
Sea9
Did you select the Full File System (checkm8) option in UFED to perform the extraction for the phone? (Disclaimer: I have not used the software, but if the checkm8 option was selected, then it is very likely related to extraction. There are some folks from Cellebrite here, so hopefully they can confirm). (edited)
No, I didn't perform this extraction (it was performed two years ago). And the phone is now dead, so I can't acquire it again.
🙁 1
Avatar
I have some snaps under the path "Snapchat Gallery/snaps/xxxxxx/xxxxxx.decrypted_media". I would like to know/confirm if the Snapchat Gallery/snaps folder contains ONLY media taken with the phone (so not snaps received). Does anyone have any experience with this?
Avatar
Avatar
rafael_cs
Hello, I have a question about whether an iPhone 6S and X were jailbroken. I only have the extraction at the moment, so I looked for "cydia" and "checkra1n". I was wondering if there are any other artifacts that could help answer?
fitz_the_relentless 8/19/2022 12:21 AM
unc0ver is another artifact that gives the possibility to jailbreak iphones. It supports iOS versions up to 14.8.
Avatar
I recently did a physical extraction of an LG KG225. The problem at the moment is that I can't load this extraction in PA, that is, it doesn't return any result. Anyone from @Cellebrite around here?
Avatar
MD5/VFC_Aaron D 8/19/2022 1:02 AM
So I have a file system location I've not seen before and I was wondering if anyone is able to confirm what it is related to/used for? com.sec.android.app.sbrowser\files\images\share-images
1:03 AM
I know it's related to the Samsung native browser but not sure what the share-images folder is for? I'm currently assuming it's when a user has sent an image from the browser and the handset has cached it? The location is not accessible on the handset.
Avatar
Does anyone know the difference between com.apple.notes and com.apple.mobilesnotes? I have a number of illegal files listed as from com.apple.mobilesnotes/temporaryassetfiles; they are no longer visible in the Notes app, but data that is live is showing as from com.apple.notes.
Avatar
Similar question about an illegal file with the path /tmp/com.apple.mobilesnotes.SharingExtensions-TemporaryAssetFiles/. The text suggests a thumbnail generated by hitting the sharing option? Will need some testing but just wondered if anyone had seen it before?
Avatar
Avatar
LM
Does anyone know the difference between com.apple.notes and com.apple.mobilesnotes? I have a number of illegal files listed as from com.apple.mobilesnotes/temporaryassetfiles; they are no longer visible in the Notes app, but data that is live is showing as from com.apple.notes.
As per https://support.apple.com/en-gb/guide/deployment/depece748c41/web it looks like mobilenotes is for the iPhone/iPad Notes app. Maybe the .notes is for the default macOS Notes app?
Avatar
Thanks, and potentially: the files in .mobilenotes are no longer visible, but the files in .notes are visible within the application. The notes do appear to be backed up to iCloud, so potentially it could be that or created on the default Mac app. Unsure currently, will keep looking. Thanks for helping.
Avatar
Avatar
r1p4t0b3
I recently did a physical extraction of an LG KG225. The problem at the moment is that I can't load this extraction in PA, that is, it doesn't return any result. Anyone from @Cellebrite around here?
Forensic@tor 8/19/2022 3:02 AM
Check your trace window for red X. You may have a file that exceeds 255 characters that is preventing PA from parsing. You will need to shorten that file name to allow processing.
Avatar
Avatar
FabianoQ
In a Huawei phone (full FS obtained), where should I search to prove that WhatsApp (and other apps) were uninstalled on a given date?
Did you get any luck with this?
Avatar
Am I right in saying, the 'last_update_timestamp_ms' in localappstate.db is the latest install or update?
Avatar
Hello everyone - why do I have CMM assets in my iOS file system extraction? Thanks in advance! 🙂
👀 3
Avatar
Avatar
CLB_iwhiffin
You should notice some improvements with 8.2 when released. Where do you have the database setup? Since we moved to a database, the amount of RAM isn't as important as the speed of the hard drive. Similarly, the chip (although still super important) is irrelevant if you have a slow HDD. We are working on ways of speeding it up and utilizing more resources though, if they are available.
It's an SSD on the same computer. Had a graykey(22gigs) that sat over night, a good 18 hours, and still didn't load. Just restarted it.
Avatar
Does the CCleaner mobile app leave any artifacts of deletion? I am unsure of where to look.
Avatar
Any news on what 15.6.1 did to extractions?
Avatar
usermobiles 8/20/2022 5:15 AM
@Elise5678 @ScottKjr3347 has some information which may be useful
Avatar
Avatar
trillian
I have some snaps under the path "Snapchat Gallery/snaps/xxxxxx/xxxxxx.decrypted_media". I would like to know/confirm if the Snapchat Gallery/snaps folder contains ONLY media taken with the phone (so not snaps received). Does anyone have any experience with this?
If this was from a FFS extraction, you could check system events before and after the file created time of the file of interest for camera events
Avatar
Avatar
usermobiles
@Elise5678 @ScottKjr3347 has some information which may be useful
ScottKjr3347 8/20/2022 4:59 PM
Here is something for those who are still looking for information on Cloud Master Moment Share assets. Cloud Master Moment Share assets are items shared from iCloud via a weblink. These iCloud links can be created and shared via connected Apple devices and while logged into an iCloud account via a web browser. These links will be recorded in the Photos.sqlite database. Several artifacts can be located within the database. Here is a link to my queries for each iOS version which might assist you with parsing out the pertinent data for a CMM asset. https://github.com/ScottKjr3347/iOS_Photos.sqlite_Queries Here is a link to a blog that might also help. Search for CMM, Cloud Master Moment, and/or iCloud Link. https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ I have updated the blog to include why the terms Cloud Master Moment Share Asset and CCM Asset were used to describe iCloud Share Links in the queries. I have attached a few screenshots that might help you locate how these assets can be created via the device and web iCloud. Because this appears to be some sort of application process, examination, or school project, I will not provide all the answers I have been asked, but this should get you started. What relevance, if any, CMM assets have on artifacts is open to the user’s imagination and, I would say, the type of investigation. If you have any questions about the queries, please let me know, but ask via a public post. Hope this helps. (edited)
Avatar
Avatar
JLindmar (83AR)
👍 Also try /private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/database/Photos.sqlite, that one isn't in the spreadsheet.
ScottKjr3347 8/21/2022 8:19 AM
Have you done any work with this db?
Avatar
Avatar
ScottKjr3347
Have you done any work with this db?
JLindmar (83AR) 8/21/2022 8:30 AM
Just superficial. When I'm back in the office tomorrow I'll take a look and see what I have.
👍 1
Avatar
Within iOS, is there a last install timestamp for apps?
Avatar
Avatar
Rob
Within iOS, is there a last install timestamp for apps?
Maybe in the iTunesMetadata.plist? The file should be located in the app folder
Avatar
@Cellebrite Hi, I have a question regarding my certification in myCellebrite portal.
Avatar
Avatar
callzor
Maybe in the iTunesMetadata.plist? The file should be located in the app folder
Only saw the Purchase Date there sadly.
Avatar
On an iPhone what plist contains the information that tells you whether the setting to erase data after 10 failed passcode attempts is enabled or not
Avatar
Avatar
ar1195
On an iPhone what plist contains the information that tells you whether the setting to erase data after 10 failed passcode attempts is enabled or not
I have recently been trying to find the Face ID & Password preferences, but I could imagine that they might be encrypted somewhere since you have to enter your password to gain access to these settings, which is why I think its quite difficult to find any settings related to that "menu"?...... but that is only my view, maybe someone else can confirm or dismiss
Avatar
Hello, I have a Huawei P20 Pro and I have a copy of the complete full file system. I need to know all the movements that have been made with this device in a very specific time frame. Could you tell me the database that keeps track of this information? Is there a tool that allows you to reconstruct the path? Thanks
Avatar
Wondering if someone is able to help with an iOS related question. From my testing, when a photo is edited on an iPhone a file called FullSizeRender is created in a file path location similar to DCIM (Mutations/DCIM/122APPLE/MG_1726/Adjustments) and the original, unedited version stays within the DCIM folder. I have identified a photo of interest which is called 'FullSizeRender.jpg' within its corresponding Adjustments folder; however, when I go to the DCIM folder I am unable to see the original image in the DCIM folder. Just as a side note, the image is also available to be viewed on the device and when you go to edit the photo it offers the option to revert to original, so it must be linking back to the original somewhere. Has anyone ever come across this or have any idea why the edited version still exists but not the original, or where I may be able to locate the original photo? Thanks! (edited)
Avatar
Avatar
KM
Wondering if someone is able to help with an iOS related question. From my testing, when a photo is edited on an iPhone a file called FullSizeRender is created in a file path location similar to DCIM (Mutations/DCIM/122APPLE/MG_1726/Adjustments) and the original, unedited version stays within the DCIM folder. I have identified a photo of interest which is called 'FullSizeRender.jpg' within its corresponding Adjustments folder; however, when I go to the DCIM folder I am unable to see the original image in the DCIM folder. Just as a side note, the image is also available to be viewed on the device and when you go to edit the photo it offers the option to revert to original, so it must be linking back to the original somewhere. Has anyone ever come across this or have any idea why the edited version still exists but not the original, or where I may be able to locate the original photo? Thanks! (edited)
Is It Done Yet? 8/23/2022 3:36 AM
I had something very similar this past week, identified a file of interest in Mutations with file name of FullSizeRender. Did a bit of research and managed to locate the original file which was deleted by the suspect, they had cropped the photo. Luckily they hadn't done a very good job and I managed to locate the original with a bit of searching around with the filenames and timeline. The original was uncropped and displayed all the evidence we needed to attribute the photo to the suspect. Have you already tried doing all project search for the IMG_1726?
Is It Done Yet?
I had something very similar this past week, identified a file of interest in Mutations with file name of FullSizeRender. Did a bit of research and managed to locate the original file which was deleted by the suspect, they had cropped the photo. Luckily they hadn't done a very good job and I managed to locate the original with a bit of searching around with the filenames and timeline. The original was uncropped and displayed all the evidence we needed to attribute the photo to the suspect. Have you already tried doing all project search for the IMG_1726?
I have done a search for the file name without the extension and all it is returning is the thumbnails and mutations. The testing i've done seems to indicate that the mutations image is deleted when the original is deleted too however considering I can see the image physically on the device I have ruled out the image being deleted. The only other theory i've got is that it's something to do with the 'Optimise iPhone Storage' setting being turned on in iCloud and potentially when the original is stored in iCloud the mutations remain on the device but it's hard to test when you have to try and fill a 128GB test iPhone and only 5GB free iCloud storage. I'd have also thought there would be some reference to CPLAssets if it was stored in the cloud but can't find anything. (edited)
Hi all, anyone know a way to decode iOS application names please? I have an officer and solicitor asking
obi95
Hi all, anyone know a way to decode iOS application names please? I have an officer and solicitor asking
What do you mean by decode iOS application name? Connect the UUID to an application name?
obi95
Hi all, anyone know a way to decode iOS application names please? I have an officer and solicitor asking
Could applicationState.db help you? Maybe do a query?
j_matas
I have recently been trying to find the Face ID & Password preferences, but I could imagine that they might be encrypted somewhere since you have to enter your password to gain access to these settings, which is why I think it's quite difficult to find any settings related to that "menu"... but that is only my view, maybe someone else can confirm or dismiss.
ScottKjr3347 8/23/2022 5:33 AM
Not sure the exact preference’s / settings you are looking for but check these out to see if they are any help https://theforensicscooter.com/2021/09/05/ios-settings-display-auto-lock-require-passcode/ I have a video of this data being presented during DFRWS USA 2022, but don’t think they have been posted yet. I’ll post a link as soon as I find it. Sounds like they will be posted later this week. (edited)
KM
Wondering if someone is able to help with an iOS related question. From my testing when a photo is edited on an iphone a file called FullSizeRender is created in a file path location similar to DCIM (Mutations/DCIM/122APPLE/MG_1726/Adjustments) and that the original, unedited version stays existing within the DCIM folder. I have identified a photo of interest which is called 'FullSizeRender.jpg' within its corresponding Adjustments folder however when I go to the DCIM folder I am unable to see the original image in the DCIM folder. Just as a side note, the image is also available to be viewed on the device and when you go to edit the photo it offers the option to revert to original so it must be linking back to the original somewhere. Has anyone ever come across this or have any idea why the edited version still exists but not the original or where I may be able to locate the original photo. Thanks! (edited)
ScottKjr3347 8/23/2022 5:48 AM
I should have mentioned your testing and results are consistent with what I have found also. But I haven’t had a situation where I couldn’t locate the original asset. You can use Photos.sqlite to find the original file name for the mutation/adjusted asset. This is discussed in my blog https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ and depending on iOS version my queries on GitHub will allow you to view the data for the adjusted assets. When reading the blog adjustments are covered in the multiple sections. If you watch the videos they will show the changes in photos.sqlite after an adjustment is made. If you use a “WHERE zAsset.ZHASADJUSTMENTS = 1” it will only show you the assets that have adjustments. I will try and post a more specific query later today/tonight but for now use the general query and the where statement to get only adjusted assets. (edited)
j_matas
Could applicationState.db help you? Maybe do a query?
I managed to figure it out the annoying way of going through the download logs manually till I found it, thanks anyway though
j_matas
I have recently been trying to find the Face ID & Password preferences, but I could imagine that they might be encrypted somewhere since you have to enter your password to gain access to these settings, which is why I think it's quite difficult to find any settings related to that "menu"... but that is only my view, maybe someone else can confirm or dismiss.
I ended up finding it in the com.apple.springboard.plist file.
ScottKjr3347 8/23/2022 10:24 PM
@KM Photos.sqlite asset has adjustments query: I have created a smaller query that will provide an output of all assets listed in the database where the ZASSET table ZHASADJUSTMENTS column has a value of 1, which indicates the asset has an adjustment/mutation. The queries can be found here, in the corresponding iOS version folder: < https://github.com/ScottKjr3347/iOS_Photos.sqlite_Queries> Keep in mind if the adjusted asset was the result of an adjustment/mutation being performed on an original asset and a new asset is created, the original asset might be omitted from this targeted query. I would suggest running the targeted query that contains the "WHERE zAsset.ZHASADJUSTMENTS = 1" statement first to see if there are any assets with adjustments or mutations. Then place a hyphen hyphen (--) in front of the WHERE statement or delete the WHERE statement to see all assets in the database and analyze if you can locate the asset's original file name. NOTE: If third party applications are used to modify / alter an asset it will not be tracked within the Photos.sqlite database. The "has adjustments" column in the database will only track if adjustments or mutations are made by the Apple Camera application or other Apple system tools and functions. If you believe the asset you are viewing was modified via a third party application, review the creator bundle ID or imported by column data for the application used.
ar1195
I ended up finding it in the com.apple.springboard.plist file.
cool!... may I ask what the line was? Was looking briefly yesterday, but couldn't quite find it?
Does anyone know if the application Ome TV (omegle.tv for Android) stores relevant data? I can not discover anything relevant in the folders / databases. For example, is there any data about the activities?
Snapchat iOS question... If a given mediafile (content key) in contentmanager.db begins with 3-{name_of_the_user.PSV}~{GUID}... does anyone know if the PSV indicates something. I have been around the arroyo.db, scdb-27.sqlite3, contentmanager, cache_contoller.db, primary.docobjects...... But I am a little lost this time 😦 Need to find out whether the video was sent or received by the user
j_matas
Snapchat iOS question... If a given mediafile (content key) in contentmanager.db begins with 3-{name_of_the_user.PSV}~{GUID}... does anyone know if the PSV indicates something. I have been around the arroyo.db, scdb-27.sqlite3, contentmanager, cache_contoller.db, primary.docobjects...... But I am a little lost this time 😦 Need to find out whether the video was sent or received by the user
Try running the extraction through https://github.com/DFIR-HBG/Snapchat_Auto I'm not sure what PSV means but this script or https://github.com/Ogg3/CheckArroyo might help you connect the file and chats
Oscar
Try running the extraction through https://github.com/DFIR-HBG/Snapchat_Auto I'm not sure what PSV means but this script or https://github.com/Ogg3/CheckArroyo might help you connect the file and chats
thanks!... the entries with that file are simply missing 😦 So I think I might end it. However, the ".psv" was apparently in his Snapchat username. It just confused me when looking at the content-key.
chrisforensic 8/24/2022 6:22 AM
@Oscar thanks for the tip with the tool "Snapchat_Auto" ! just tested it on an android exynos-live-zip-file... works great! (edited)
j_matas
cool!... may I ask what the line was? Was looking briefly yesterday, but couldn't quite find it?
"SBDeviceWipeEnabled" - if it has never been turned on, that line won't appear in the plist
ScottKjr3347
I've noticed a few questions in the past related to iOS Photos 📸 and syndication. I'm starting to dig into it and thought I would ask if anyone else has researched it, published anything about it or has some notes they would like to share/validate. Looking for file locations that you have seen in exams. I have already found some good data in Photos.sqlite and a file path but thought I would ask to see if there was anything you might need / want related to syndication? 👀 👂
I just started looking into this today actually on a case... I have a photo of interest that is a duplicate of an old (2020) photo. Only the duplicate appeared after the phone was in custody, in airplane mode the night it was seized. It's not a chargeable issue, but it is an issue I need to explore and understand, why a photo would be created after a phone was in custody and removed from the network...
whee30
I just started looking into this today actually on a case... I have a photo of interest that is a duplicate of an old (2020) photo. Only the duplicate appeared after the phone was in custody, in airplane mode the night it was seized. It's not a chargeable issue, but it is an issue I need to explore and understand, why a photo would be created after a phone was in custody and removed from the network...
ScottKjr3347 8/24/2022 10:15 AM
I have a pretty good theory/ hypothesis about how that might happen and I’m working on testing and researching it. For now might be best to DM details to discuss.
whee30
I just started looking into this today actually on a case... I have a photo of interest that is a duplicate of an old (2020) photo. Only the duplicate appeared after the phone was in custody, in airplane mode the night it was seized. It's not a chargeable issue, but it is an issue I need to explore and understand, why a photo would be created after a phone was in custody and removed from the network...
@ScottKjr3347 Just a theory, but I know apple does a lot of image processing overnight so they aren't running their machine learning algorithms during use, is it possible during this process that the device is creating a copy of the photo? Quote from apple on their facial recognition in photos: "This clustering algorithm runs periodically, typically overnight during device charging, and assigns every observed person instance to a cluster." source - https://machinelearning.apple.com/research/recognizing-people-photos
Wondering if I can get some help with an iOS Snapchat related question. I found an image file path: dump/private/var/mobile/containers/data/application/snapchat guid/documents/com.snap.filemanager_3_SCContentuserssnap guid/file name (alphanumeric gobble goop). What I am having trouble with is determining whether the user of this device sent that image or received it? Added it to their story or saw it on someone else's story? Any ideas? When I search the file name in hex I do get 8 results (PA does a horrible job at raw keyword searches). As I scroll up and down in the hex to get an idea what file it may be in, I see some context about snap-rendered-lowres as well as topvideo_firstframe and FriendStorySnap Image. That last one makes me think it's a friend's story the user is viewing?
Carcino
@ScottKjr3347 Just a theory, but I know apple does a lot of image processing overnight so they aren't running their machine learning algorithms during use, is it possible during this process that the device is creating a copy of the photo? Quote from apple on their facial recognition in photos: "This clustering algorithm runs periodically, typically overnight during device charging, and assigns every observed person instance to a cluster." source - https://machinelearning.apple.com/research/recognizing-people-photos
ScottKjr3347 8/24/2022 10:59 AM
Yes, there is some processing happening when the screen is off for a certain amount of time with these Shared with You assets. This setting can be found in a plist. I'm still very early into the research of these assets and this Shared with You feature. I know examiners are encountering them during exams but it's still too early to provide everything I have learned via sporadic Discord posts. It will still take me several more weeks to finish the research and get a blog posted. Sorry I can't answer everything right now. I would be interested if anyone wants to collaborate on this research and co-author the blog or paper? Just DM me. (edited)
Palazar82
Wondering if I can get some help with an iOS Snapchat related question. I found an image file path: dump/private/var/mobile/containers/data/application/snapchat guid/documents/com.snap.filemanager_3_SCContentuserssnap guid/file name (alphanumeric gobble goop). What I am having trouble with is determining whether the user of this device sent that image or received it? Added it to their story or saw it on someone else's story? Any ideas? When I search the file name in hex I do get 8 results (PA does a horrible job at raw keyword searches). As I scroll up and down in the hex to get an idea what file it may be in, I see some context about snap-rendered-lowres as well as topvideo_firstframe and FriendStorySnap Image. That last one makes me think it's a friend's story the user is viewing?
Try running your extractions through these tools if your normal tools have not been able to connect it anywhere. https://discord.com/channels/427876741990711298/545232743353810946/1011954356842680401 Other than that, search for the filename in the cachecontroller or contentmanager database and you should be able to make out some origin (edited)
Question for a champion: I have seen NMEA references (encoded in base64) several times in smartphones, mainly Xiaomi. It is about localization but it's impossible to go further. Does anyone know the solution? (edited)
12:44 AM
example : =MI NMEA= 48sfGSxImyIDZpBsozbmdD9NQsz963geZyJANwZGEoosnyP6uFoRThMxBYG20rFyiegb7XgmwD45j/2XoKmf13Xb0tILVEze9fFroMUAOM+hLpCcvDBLd7WtriLog+qoK7zgVfWJXyJ85LIfRIAwJw==
12:46 AM
@Oscar the latest version of PA seems to decode SC better, in particular the links between media and conversations
Anyone here with knowledge of the ContextLog.db found on Android phones? Specifically the App Sub Id rows for WhatsApp, Signal, Telegram. Also, does anyone know of databases that could contain information such as 'screen off' on Android units? We are trying to determine the last use of the unit and what was done, as detailed as possible.
rico
@Oscar the latest version of PA seems to decode SC better, in particular the links between media and conversations
Yes, they seem to make improvements with every update but I've still seen cached media not parsed by PA 7.57 that is parsed by my tool.
@Kazhulu what's your brand? This log depends on the manufacturer
Samsung!
@Oscar if the link is dead it's logical
12:56 AM
@Kazhulu if you have an FFS try ALEAPP. It's easier
rico
@Kazhulu if you have an FFS try ALEAPP. It's easier
Thanks! Will the free version suffice?
ALEAPP is fully free
@Kazhulu both ALEAPP and iLEAPP are highly recommended, as well as ArtEx for iOS 🙂 Great tools
rico
@Oscar if thé link is dead it's logical
In some of my recent extractions the Snapchat parsing in PA has been very lacking; my guess as to why is that PA gathers information on cached files from contenManagerDb.db instead of cache_controller.db, where it seems more information is stored, or stored longer.
@Cellebrite When I image an Android phone with the UP it creates an FFS01 and an FFS02 folder. Why is that? They are not the same but not very different.
@Oscar I never understood the reason why we had information in one of these two files rather than the other. So I look "manually" every time
Oscar
In some of my recent extractions the Snapchat parsing in PA has been very lacking; my guess as to why is that PA gathers information on cached files from contenManagerDb.db instead of cache_controller.db, where it seems more information is stored, or stored longer.
Oxygen gathers info from the cachecontroller.db. Still, I have a file which starts with a snapusername~{guid-id} in the com.snap.filemanager_3_SCConent{userid} folder but can't find it in any messages. Would it still be represented in that folder if the user makes the snap, saves it and then decides not to send it?
j_matas
Oxygen gathers info from the cachecontroller.db. Still, I have a file which starts with a snapusername~{guid-id} in the com.snap.filemanager_3_SCConent{userid} folder but can't find it in any messages. Would it still be represented in that folder if the user makes the snap, saves it and then decides not to send it?
You could try to manually check the BLOB in arroyo>conversation_message>local_message_references if it contains the snapusername~guid-id. The Snapchat_Auto script should find it if the message is still there but you can never be 100% sure
been checking, and it's not there 😦
Working a cyber stalking case with an investigator. We found pertinent TextNow content on the subject's iPad. We believe the subject had TextNow on his iPhone, however TextNow was not installed when we extracted the data. (Subject was informed that a search warrant was being executed at their residence while they were in another state, so multiple hours passed as the subject drove back home.) After processing the iPhone we found 8 TextNow accounts linked to the subject in the KeyChain.plist file, records for TextNow in the DataUsage.sqlite database, and files related to TextNow in the path private/var/mobile/Library/Backup/Appplaceholders/com.tinginteractive.usms/Payload/TextNow.app/XXXX. Long story short... can we conclude that TextNow was installed on this device (and most likely deleted)? I feel like a lot of this information wouldn't be on this device if he wasn't using TextNow at some point.
@Cellebrite Is PA 7.57 able to find the Signal (7.46) key on an Android FFS dump? It seems to be having an issue (edited)
Dan15
@Cellebrite When I image an Android phone with the UP it creates an FFS01 and an FFS02 folder. Why is that? They are not the same but not very different.
Hey Dam. What do you mean?
@Grayshift @Cellebrite I've done a selective GK download for WhatsApp and Snapchat and the databases have been extracted, however normal GK decoding in PA is failing to extract messages from these databases! Any help appreciated
claireh
@Grayshift @Cellebrite I've done a selective GK download for WhatsApp and Snapchat and the databases have been extracted, however normal GK decoding in PA is failing to extract messages from these databases! Any help appreciated
Do you have Axiom? Just ran a GK dump through Axiom and Cellebrite... Axiom was WAY better!
Mike B.
Do you have Axiom? Just ran a GK dump through Axiom and Cellebrite... Axiom was WAY better!
Yeah, it's just that my officers are more familiar with PA
Mike B.
Do you have Axiom? Just ran a GK dump through Axiom and Cellebrite... Axiom was WAY better!
But I like PA's interface better and Axiom doesn't give a nice report of device information.
claireh
Yeah, it's just that my officers are more familiar with PA
Ours too...
Hi all. Can anyone provide any insight or point me to any research related to Text Input Messages (com.apple.TextInput.Typing.DESPlugin) parsed by iLEAPP? I'm working a case where recent messages with a number of interest are no longer present in sms.db but are being found in Text Input. BTW, working with an AFU FS extraction as the source.
Mistercatapulte 8/25/2022 9:45 AM
@Jshoe what is the exact path of your file?
Mistercatapulte
@Jshoe what is the exact path of your file?
temp\private\var\mobile\Library\DES\Records\com.apple.TextInput.TypingDESPlugin\A6BDFFD0-21B2-43E8-919C-3A06EB7A2169.desdata
Mistercatapulte 8/25/2022 10:03 AM
don't have it in my currently opened dump 😦
Mistercatapulte
@Jshoe what is the exact path of your file?
And I have two more sets of messages with the same path, just a different string at the end
Mistercatapulte 8/25/2022 10:03 AM
but it's interesting
10:03 AM
haaaaaa
10:03 AM
just understood a thing
10:04 AM
"temp" folder
10:04 AM
AFU of course
Mistercatapulte
"temp" folder
Thanks for taking a look
camdeezee.
Working a cyber stalking case with an investigator. We found pertinent TextNow content on the subject's iPad. We believe the subject had TextNow on his iPhone, however TextNow was not installed when we extracted the data. (Subject was informed that a search warrant was being executed at their residence while they were in another state, so multiple hours passed as the subject drove back home.) After processing the iPhone we found 8 TextNow accounts linked to the subject in the KeyChain.plist file, records for TextNow in the DataUsage.sqlite database, and files related to TextNow in the path private/var/mobile/Library/Backup/Appplaceholders/com.tinginteractive.usms/Payload/TextNow.app/XXXX. Long story short... can we conclude that TextNow was installed on this device (and most likely deleted)? I feel like a lot of this information wouldn't be on this device if he wasn't using TextNow at some point.
Being deleted within a few hours of collection, any luck with knowledgeC showing them deleting the app? Or another FS log?
Palazar82
Being deleted within a few hours of collection, any luck with knowledgeC showing them deleting the app? Or another FS log?
I found in the UninstalledApplications.plist file that the app was uninstalled... but months before the search warrant execution... though after his girlfriend mentioned something to him... so possibly no obstruction 😦
Damn
Mike B.
But I like PA's interface better and Axiom doesn't give a nice report of device information.
I just wish that when you searched the extraction in hex it told you what file the hit was found in. Can't tell you how many times I search globally for something I know is there and get 0 hits, search it in hex and get numerous hits, but then you are scrolling up and down in the hex looking for context clues about the file you are in so you can go look at it outside of hex.
Maybe a simple question... Can we merge .pas session files from UFED? Multiple examiners have reviewed the same UFED case and now we want all tags together
12:01 AM
@Cellebrite
Anybody know how to BF (brute-force) the PIN of the CoverMe application on Apple iPhone devices? Of course I have an FFS image.
NibblesNBits 8/26/2022 9:10 AM
After you dump the sms.db from an iOS device FFS in Cellebrite Physical Analyzer, can you then take that file and load it back into its own separate Physical Analyzer session and parse it using a plugin chain or something to that effect?
What are you trying to do... just parse the sms.db file?
NibblesNBits
After you dump the sms.db from an iOS device FFS in Cellebrite Physical Analyzer, can you then take that file and load it back into its own separate Physical Analyzer session and parse it using a plugin chain or something to that effect?
https://www.youtube.com/watch?v=r5Q6ATLnysQ You can create a minidump from the original extraction.
CLB-Paul
What are you trying to do... just parse the sms.db file?
NibblesNBits 8/26/2022 10:04 AM
Pretty much the scenario described in the YouTube video. I will give this a shot.
NibblesNBits
Pretty much the scenario described in the YouTube video. I will give this a shot.
ScottKjr3347 8/26/2022 10:31 AM
I love a good commercial tool, but for an iOS device I would recommend giving ArtEx a try. It's FREE!! It's designed specifically for this purpose. If you need a little bit more data, take the knowledgeC db and WAL and the sms.db and WAL, put them into a folder, then process just that folder. ArtEx has an advanced SQLite tool built in that will also search the free pages / blocks for old/deleted data. It's also got a timestamp tool that will decode the raw timestamps. And you can run queries from within ArtEx and sort the columns of data. If you haven't used it I strongly encourage you to give it a try. (edited)
ScottKjr3347
I love a good commercial tool, but for an iOS device I would recommend giving ArtEx a try. It's FREE!! It's designed specifically for this purpose. If you need a little bit more data, take the knowledgeC db and WAL and the sms.db and WAL, put them into a folder, then process just that folder. ArtEx has an advanced SQLite tool built in that will also search the free pages / blocks for old/deleted data. It's also got a timestamp tool that will decode the raw timestamps. And you can run queries from within ArtEx and sort the columns of data. If you haven't used it I strongly encourage you to give it a try. (edited)
NibblesNBits 8/26/2022 11:04 AM
Thx, I'm going to run this while a colleague does a minidump in Cellebrite. I had seen this before and wanted to give it a whirl.
thatboy_leo 8/26/2022 1:56 PM
If a Snapchat attachment is showing a file size of 0, could this mean the file was deleted? Extraction was of a Samsung Galaxy, 4PC physical.
thatboy_leo
If a Snapchat attachment is showing a file size of 0, could this mean the file was deleted? Extraction was of a Samsung Galaxy, 4PC physical.
thatboy_leo 8/26/2022 1:57 PM
USERDATA (ExtX)/Root/data/com.snapchat.android/files/file_manager/snap/
thatboy_leo
USERDATA (ExtX)/Root/data/com.snapchat.android/files/file_manager/snap/
thatboy_leo 8/26/2022 1:57 PM
Snapchat version is 10.56.7.0
Hi all, I have a question regarding the WickrMe app. Through UFED Physical Analyzer I was able to decode the database by entering the password that is requested when accessing the app. Why does the same password not allow decrypting the database if it is opened with DB Browser? Thank you
Are you trying just DB Browser, or are you trying the SQLCipher one that comes with it?
In relation to CloudTabs.db, table cloud_tabs: I see a RecordCtime which is an NSDate format to convert. I'm assuming, based on other artifacts (the EI timestamp in the Google search), that the C is for created, i.e. when the original search was done. My question is about RecordMtime being 4+ months later. My assumption is the M is for modified. Is that indicative of reopening that tab and viewing it? Or just that tab being refreshed in the background?
ScottKjr3347 8/28/2022 6:32 AM
iOS 15 Shared with You/syndication research is coming along faster than anticipated. Get those FFS acquisitions!! Let me know if you have any specific case examples that you would like to see tested. #DFIR #validation
whee30
Are you trying just DB Browser, or are you trying the SQLCipher one that comes with it?
I opened the database with DB Browser for SQLite and I am prompted for the password. With Physical Analyzer, during the parsing phase I am asked for the password, but at this point not for the database.
manuelevlr
I opened the database with DB Browser for SQLite and I am prompted for the password. With Physical Analyzer, during the parsing phase I am asked for the password, but at this point not for the database.
AFAIK you would need the decryption key, not the password, to be able to decrypt it using DB Browser (SQLCipher)
Oscar
AFAIK you would need the decryption key, not the password, to be able to decrypt it using DB Browser (SQLCipher)
but with Physical Analyzer I can decrypt it using the application access password, so I deduce that PA uses some particular method
Nemesis
Maybe a simple question... Can we merge .pas session files from UFED? Multiple examiners have reviewed the same UFED case and now we want all tags together
@Cellebrite @CLB-Paul any idea?
Hi, I don't really understand the difference in knowledgeC between keybag/isLocked and device/isLocked. When the passcode is entered the device is unlocked, but what about the keybag?
Nemesis
@Cellebrite @CLB-Paul any idea?
There is no way to merge both .pas files.
Dam
Hi, I don't really understand the difference in knowledgeC between keybag/isLocked and device/isLocked. When the passcode is entered the device is unlocked, but what about the keybag?
ScottKjr3347 8/29/2022 7:02 AM
Avatar
@Cellebrite any news on Media Pack 3?
7:36 AM
sitting on an XR I'd like to brute-force
Mike B.
But I like PA's interface better and Axiom doesn't give a nice report of device information.
The lack of the device information section in Axiom is one of the reasons it isn't my main tool.
I'm reviewing Android messaging records in the bugle_db.sqlite. Does anyone know where I could find what the different values represent in messages.raw_status? Most of the records have a value of 0 in this field, but there are several that have a value of 128 assigned.
Hey guys, anyone have some links where I can go to find some common hash sets to use in my processing?
Talmidim
Hey guys, anyone have some links where I can go to find some common hash sets to use in my processing?
Welcome to the National Software Reference Library (NSRL) Project Web Site.
why ty
@Cellebrite Hi, I have a big iOS dump (GrayKey extraction) that takes more than 15 hours to parse with PA 7.57 on my computer. After approximately 2 hours of parsing, PA finds some Notes that are password protected and asks for a password or a list of passwords. I started the parsing yesterday before leaving the office, only to find it this morning at the password prompt. I still have 13 hours of parsing left. I cannot sit at my computer for 15 hours waiting for password prompts. This is the 4th time I start the parsing. Every time it crashes somewhere (at parsing, at browsing data, at generating report). Is it possible to supply a list of passwords before starting the parsing? Or can't you make PA try the passwords it finds in the Keychain? Or at least please make PA continue parsing other artifacts while waiting at the password prompt! Thank you.
💯 3
Avatar
Avatar
Cip
@Cellebrite Hi, I have a big iOS dump (GrayKey extraction) that takes more than 15 hours to parse with PA 7.57 on my computer. After approximately 2 hours of parsing, PA finds some Notes that are password protected and asks for a password or a list of passwords. I started the parsing yesterday before leaving the office, only to find it this morning at the password prompt. I still have 13 hours of parsing left. I cannot sit at my computer for 15 hours waiting for password prompts. This is the 4th time I've started the parsing. Every time it crashes somewhere (at parsing, at browsing data, at generating the report). Is it possible to supply a list of passwords before starting the parsing? Or can't you make PA try the passwords it finds in the Keychain? Or at least please make PA continue parsing other artifacts while waiting at the password prompt! Thank you.
Peacekeeper 8/30/2022 2:16 AM
I don't know the details and am not fully sure about this, but someone from @Cellebrite certainly will. If you know certain passwords, these can be set in the UFD file if I'm not mistaken. But it would sure be nice if the processing would continue even if the password prompt is shown. Maybe we can make it a feature request for PA.
Avatar
Avatar
Peacekeeper
I don't know the details and am not fully sure about this, but someone from @Cellebrite certainly will. If you know certain passwords, these can be set in the UFD file if I'm not mistaken. But it would sure be nice if the processing would continue even if the password prompt is shown. Maybe we can make it a feature request for PA.
Well, it seems that PA has indeed a way to set a known list of passwords before starting the parsing. I must apologize for criticizing PA. In Case Wizard, in the "Load evidence" screen, there is a big "Add password list" button, next to the button that adds evidence. It can be used for all extraction types, including GrayKey (my case). It was my bad and now I'm paying for it. However, it would still be nice for parsing to continue behind the password prompt. You don't always have a password list to provide from the start.
Avatar
Anyone know if Samsung phones log their gyroscope activities? And if so, what db would that be?
4:09 AM
And if there is a log for notifications/push messages
Avatar
Avatar
Kazhulu
And if there is a log for notifications/push messages
Peacekeeper 8/30/2022 5:18 AM
For notifications you can see the files in /data/data/com.google.android.gms/files/fcm_queued_messages.ldb
Avatar
Avatar
Cip
Well, it seems that PA has indeed a way to set a known list of passwords before starting the parsing. I must apologize for criticizing PA. In Case Wizard, in the "Load evidence" screen, there is a big "Add password list" button, next to the button that adds evidence. It can be used for all extraction types, including GrayKey (my case). It was my bad and now I'm paying for it. However, it would still be nice for parsing to continue behind the password prompt. You don't always have a password list to provide from the start.
CLB_iwhiffin 8/30/2022 6:30 AM
I'm glad you found the answer 🙂 This is a common request and we've spoken lots about how to implement it. Hopefully one day in the not too distant future it will be there.
👍 1
Avatar
@Cellebrite Is there a way to view the PA version that a UFDR was made with? I know that you can see the UFED version under each extraction but I am not seeing the PA version anywhere. A setting maybe I am missing?
Avatar
Avatar
A A
@Cellebrite Is there a way to view the PA version that a UFDR was made with? I know that you can see the UFED version under each extraction but I am not seeing the PA version anywhere. A setting maybe I am missing?
I think this was added not too long ago.. so it might not show on older UFDRs
11:28 AM
you might be able to find something on the .xml inside it. </caseInformation> <metadata section="Additional Fields"> <item name="DeviceInfoCreationTime" systemtype="System.String"><![CDATA[08/02/2019 10:49:52]]></item> <item name="UFED_PA_Version" systemtype="System.String"><![CDATA[7.10.0.131]]></item> </metadata> (edited)
Avatar
Avatar
CLB-Paul
I think this was added not too long ago.. so it might not show on older UFDRs
Thank you! Do you know what version by chance it was added? Like the last 1 or 2?
Avatar
so we parse it now, but this snippet is from a few years ago. so the data is there inside the xml
11:30 AM
or should be *
Avatar
We are on 7.55 and not seeing it. But 7.57 should be parsing it?
Avatar
Avatar
CLB-Paul
or should be *
Also, is it automatic or is it a setting?
Avatar
Are you creating it with those version ?
Avatar
yes, currently 7.55
Avatar
Hmm, let me take it up with the team. It's there but not showing it
👍 1
Avatar
Avatar
Cip
Well, it seems that PA has indeed a way to set a known list of passwords before starting the parsing. I must apologize for criticizing PA. In Case Wizard, in the "Load evidence" screen, there is a big "Add password list" button, next to the button that adds evidence. It can be used for all extraction types, including GrayKey (my case). It was my bad and now I'm paying for it. However, it would still be nice for parsing to continue behind the password prompt. You don't always have a password list to provide from the start.
Worth mentioning, if you use this feature (even if you set an empty passwords file), PA will identify parsers that failed to decrypt using the given passwords, continue to the next parsers and re-run the failed parsers again at the end of the decoding process, this time trying all the passwords that were decoded from the extraction. (edited)
👍 1
2:45 PM
Having said that - we do understand handling prompts for passwords can be better, and plan on investing in it more in future releases
Avatar
Hopefully an easy one for someone 😁 when saving images from apps, do iPhones create thumbnails when viewed in the gallery, or are they generated automatically by the system? I will get round to doing testing for myself eventually!
Avatar
Hello all, anyone familiar with the cloudmessagebuffertable.db on android? Anytime cellebrite marks a message as deleted (red X) the message comes from this database, but not all messages from this database are marked deleted. I’m trying to figure out why @Cellebrite thinks this is a “deleted” message. Let me know if you have any leads or thoughts. Thanks (edited)
Avatar
Avatar
NibblesNBits
Pretty much the scenario described in the youtube video. I will give this a shot.
Where do you get the plugins?
Avatar
Avatar
OregonDFIR
Hello all, anyone familiar with the cloudmessagebuffertable.db on android? Anytime cellebrite marks a message as deleted (red X) the message comes from this database, but not all messages from this database are marked deleted. I’m trying to figure out why @Cellebrite thinks this is a “deleted” message. Let me know if you have any leads or thoughts. Thanks (edited)
I'm not familiar with that specific db, but have you opened it up and looked inside? It could have a flag that it's deleted, and we recover it, or it could be recovered from db carving etc. The source will show you the offset / table entry it's located at.
👍 1
Avatar
Have a windowsphone and would like to view the store.vol... Can anyone recommend a viewer/parser for it? thanks in advance
12:44 AM
free and reliable tool 🙂
Avatar
i have a folder including multiple csam files. private/var/mobile/containers/data/pluginKitplugin/UUID/tmp/com.apple.quicklook.extension.previewUI. What type of files ends up here? (edited)
Avatar
Avatar
OregonDFIR
Hello all, anyone familiar with the cloudmessagebuffertable.db on android? Anytime cellebrite marks a message as deleted (red X) the message comes from this database, but not all messages from this database are marked deleted. I’m trying to figure out why @Cellebrite thinks this is a “deleted” message. Let me know if you have any leads or thoughts. Thanks (edited)
what @CLB-Paul said, and in this specific case it might come from the "syncaction" column in the "rcsimft" or "sms" table. DMing with more info
Avatar
I have the following going on: we have a video where the ZORIGINALFILENAME in photos.sqlite is starting with "filtered-". Does anyone know what the source may be of files starting with filtered-?
Avatar
ScottKjr3347 8/31/2022 4:20 AM
Depending on the iOS version review the following: iOS 13&14 zAddAssetAttr.ZCREATORBUNDLEID iOS 14 zAddAssetAttr.ZIMPORTEDBYDISPLAYNAME iOS 15 & 16 zAddAssetAttr.ZIMPORTEDBYBUNDLEIDENTIFIER zAddAssetAttr.ZIMPORTEDBYDISPLAYNAME https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries
👍 1
Avatar
Avatar
B
I have the following going on: we have a video where the ZORIGINALFILENAME in photos.sqlite is starting with "filtered-". Does anyone know what the source may be of files starting with filtered-?
currently working on a snapchat case and a lot of the files have "filtered" in front of them 🙂 But if it is in photos.sqlite it should be "easy" to determine where it came from
👍 2
Avatar
@Cellebrite is there a method to merge segmented files together as a single file in Physical Analyzer? The specific instance I'm dealing with involves cached instagram videos from an iPhone FFS. The start of the file w/ the file signature is in a prefetch folder (App ID\Library\Caches\IGSparseVideoPrefetchCache) that allows the video to start playing but ends after a couple seconds. The file has other segments in a media cache folder above the prefetch folder (IGSpraseVideoCache) which can't be played independently. I was able to manually export them and chain them together in FEX to recreate the full video. Just wondering if there might be a faster method to do it fully within PA (edited)
🧐 2
Avatar
Avatar
j_matas
currently working on a snapchat case and a lot of the files have "filtered" in front of them 🙂 But if it is in photos.sqlite it should be "easy" to determine where it came from
Yeah the origin says public.mpeg-4. Guess I'll have to dig in further (edited)
Avatar
Avatar
Solec
@Cellebrite is there a method to merge segmented files together as a single file in Physical Analyzer? The specific instance I'm dealing with involves cached instagram videos from an iPhone FFS. The start of the file w/ the file signature is in a prefetch folder (App ID\Library\Caches\IGSparseVideoPrefetchCache) that allows the video to start playing but ends after a couple seconds. The file has other segments in a media cache folder above the prefetch folder (IGSpraseVideoCache) which can't be played independently. I was able to manually export them and chain them together in FEX to recreate the full video. Just wondering if there might be a faster method to do it fully within PA (edited)
top was in sparsevideocache, other two were in IGSparsevideoCache. Basically just loaded files into fex, copied hex w/ carving then exported segments into one file and the full video played. I believe they're associated with the owner viewing stories. Happened to get my victim recording himself with suspects walking behind him
9:52 AM
no audio though
9:53 AM
funny enough it was pulled from the suspect's girlfriend's phone 🤷‍♂️
Avatar
Avatar
Solec
@Cellebrite is there a method to merge segmented files together as a single file in Physical Analyzer? The specific instance I'm dealing with involves cached instagram videos from an iPhone FFS. The start of the file w/ the file signature is in a prefetch folder (App ID\Library\Caches\IGSparseVideoPrefetchCache) that allows the video to start playing but ends after a couple seconds. The file has other segments in a media cache folder above the prefetch folder (IGSpraseVideoCache) which can't be played independently. I was able to manually export them and chain them together in FEX to recreate the full video. Just wondering if there might be a faster method to do it fully within PA (edited)
You could probably do some modification on https://github.com/Ogg3/snapunscatter since that script does exactly the same on cached snapchat videos
A python script to combin fragmented snapchat video files - GitHub - Ogg3/snapunscatter: A python script to combin fragmented snapchat video files
Avatar
Hello everyone, is it possible to obtain the passcode to unlock passcode-protected WhatsApp? I got a physical extraction, which decrypted the WhatsApp data, but the app itself is passcode protected so I can't unlock it to verify any extracted data.
Arcain pinned a message to this channel. 9/1/2022 1:29 AM
Avatar
Has anyone had any experience with recovering the Samsung 'Internet Browser' - 'Secret Mode' password?
Avatar
Hello everyone. I did a physical extraction of a samsung s9 sm-g960f/ds device. Is there any way I can retrieve the user pattern so I can unlock the phone?
Avatar
Avatar
andreidst
Hello everyone. I did a physical extraction of a samsung s9 sm-g960f/ds device. Is there any way I can retrieve the user pattern so I can unlock the phone?
I suggest instead the "disable passcode" feature if you want to unlock the phone, it sometimes works on my cases (edited)
Avatar
No, that's hardware backed gatekeeper. You would have to bruteforce it via the phone, but no tool supports this
Avatar
@Cellebrite am I right in saying if I export data from ufed PA as reader - the reader version will be the same as PA version?
Avatar
The version of the reader app would be the same
Avatar
@Oscar thanks, I'll check that out
Avatar
Avatar
andreidst
Hello everyone. I did a physical extraction of a samsung s9 sm-g960f/ds device. Is there any way I can retrieve the user pattern so I can unlock the phone?
Peacekeeper 9/1/2022 7:28 AM
Do you only have the extraction, or still have the device available to you? Both GK and Premium should be able to bruteforce the device's passcode. If secure STARTUP 😉 would be enabled, you could possibly bruteforce it through 4PC as well, depending on the SPL. But since you have a physical dump, I would expect secure boot is not enabled, because you would need the passcode to obtain a physical from an S9 with secure STARTUP. (thanks @Arcain for the fix 😉 ) (edited)
Avatar
Avatar
Peacekeeper
Do you only have the extraction, or still have the device available to you? Both GK and Premium should be able to bruteforce the device's passcode. If secure STARTUP 😉 would be enabled, you could possibly bruteforce it through 4PC as well, depending on the SPL. But since you have a physical dump, I would expect secure boot is not enabled, because you would need the passcode to obtain a physical from an S9 with secure STARTUP. (thanks @Arcain for the fix 😉 ) (edited)
Secure Startup. Secure boot is another thing 😉
Avatar
Avatar
Arcain
Secure Startup. Secure boot is another thing 😉
Peacekeeper 9/1/2022 7:37 AM
potato potato 😉 has been a long day
Avatar
Avatar
CLB-Paul
I'm not familiar with that specific db, but have you opened it up and looked inside? It could have a flag that it's deleted, and we recover it, or it could be recovered from db carving etc. The source will show you the offset / table entry it's located at.
OregonDFIR 9/1/2022 8:52 AM
There is no deleted flag, there is a status flag, but doing a little research I found that was not it.
Avatar
Avatar
jaikl
i have a folder including multiple csam files. private/var/mobile/containers/data/pluginKitplugin/UUID/tmp/com.apple.quicklook.extension.previewUI. What type of files ends up here? (edited)
Rich Mahogany 9/1/2022 1:17 PM
Within pluginkitplugin each folder represents different plugins that applications can call. I commonly see files cached within the native gallery ‘photopicker’ plugin folder. Looking at the Apple developer information (https://developer.apple.com/documentation/quicklook) it seems quicklook allows applications to quickly preview files and media. In your case, the files have most likely been previewed in an application and cached here (testing and more research needed to verify this of course). I’d direct you to this blog post - https://mr-evfa.blogspot.com/2022/04/photo-picker.html - which is about photopicker. It goes into some detail about the plugin but the principles will be the same and it might inspire some ideas for testing. The location can be a bit of a gold mine if you can work out the user activity around the time. I’d recommend viewing your data in a timeline view if possible to try and see what apps were being used around the file creation time. It usually leads to more places to dig! Hope that helps in some way!
Photo-Picker: While digging through an iPhone one day I came across an area that grabbed my attention. Looking at the following location:...
Avatar
What plist on an iPad will tell you if iCloud Photos was turned on?
Avatar
Just a heads up: it seems that Cellebrite isn't parsing and decoding backup notes.db files, only the live one in the correct file table position. The others can be saved and set in place on any HFS system to open as usual if needed, though.
Avatar
Avatar
ar1195
What plist on an iPad will tell you if iCloud Photos was turned on?
ScottKjr3347 9/1/2022 5:48 PM
The setting is located in several plists but try: cloudServiceEnableLog.plist private\var\mobile\Media\PhotoData\private\com.apple.assetsd “iCloud and Sharing Albums turned on” section Figure #19 example video details in the following blog https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ Let me know if you want any specific help
Avatar
Has anyone ever come across deleted pictures still appearing in the DCIM folder on iOS devices? The device is an iPhone 11 running iOS 14.8.1. I've got 3 pictures which are marked as deleted in the photos.sqlite database and 2 of them are still in the DCIM folder. For reference, when manually reviewing the Photos app the photos aren't present and the Recently Deleted folder is empty on the device.
Avatar
Avatar
KM
Has anyone ever come across deleted pictures still appearing in the DCIM folder on iOS devices? The device is an iPhone 11 running iOS 14.8.1. I've got 3 pictures which are marked as deleted in the photos.sqlite database and 2 of them are still in the DCIM folder. For reference, when manually reviewing the Photos app the photos aren't present and the Recently Deleted folder is empty on the device.
ScottKjr3347 9/2/2022 3:17 AM
When assets are marked for deletion, assets will stay in their file system storage location until they are permanently deleted. They are not moved when marked as recently deleted. Is the third asset a CLP asset or does it have a different directory path than the other recently deleted assets? When you did the manual review, is it possible the time lapsed (30days*) since they were marked as recently deleted and they are now permanently deleted? You can check the delete date and calculate how many days have passed since they were marked as deleted. 🤔
Avatar
Afternoon all, I have a viewer who has stated that their tag descriptions in @Cellebrite Reader are duplicating over different tags. They have a photo of their tags from last night and this morning and some tags (one in notes, one in chats) now have the same description. Has anyone come across this or know if this is a known issue? (edited)
Avatar
Avatar
ScottKjr3347
When assets are marked for deletion, assets will stay in their file system storage location until they are permanently deleted. They are not moved when marked as recently deleted. Is the third asset a CLP asset or does it have a different directory path than the other recently deleted assets? When you did the manual review, is it possible the time lapsed (30days*) since they were marked as recently deleted and they are now permanently deleted? You can check the delete date and calculate how many days have passed since they were marked as deleted. 🤔
I will have to check this when next in the office, but the 30 day deletion was a thought I had. All 3 of them were in the DCIM folder, not CPL Assets. Would the 30 day deletion cause the image to stay in the DCIM folder, do you know?
Avatar
Avatar
KM
I will have to check this when next in the office, but the 30 day deletion was a thought I had. All 3 of them were in the DCIM folder, not CPL Assets. Would the 30 day deletion cause the image to stay in the DCIM folder, do you know?
ScottKjr3347 9/2/2022 9:29 AM
Data acquisition: When a deleted date is added to an asset, it doesn't get moved; it remains in its original directory file path storage location. So if the asset was in DCIM before a user marked it for deletion, it would stay in the DCIM folder location; only entries are changed in the photos.sqlite. On the device: After the user marked the asset for deletion it will be displayed on the device in the "Recently Deleted" utility. Within the utility there will be "## days" displayed on the asset that indicates how many days are left before the asset is permanently deleted. Once the device detects that the asset has been marked as recently deleted for a period normally ranging between 30 and 27 days, then the on-device asset will be deleted. There could be other artifacts left behind, but the primary asset will be deleted from the device. The device data acquisition will contain recently deleted assets that are no longer viewable on the device. I am not aware of any way to preserve the recently deleted assets from deletion after the acquisition unless you manually "recover" them using the on-device options, thus changing the device data. Hope that helps?
Avatar
Avatar
ScottKjr3347
Data acquisition: When a deleted date is added to an asset, it doesn't get moved; it remains in its original directory file path storage location. So if the asset was in DCIM before a user marked it for deletion, it would stay in the DCIM folder location; only entries are changed in the photos.sqlite. On the device: After the user marked the asset for deletion it will be displayed on the device in the "Recently Deleted" utility. Within the utility there will be "## days" displayed on the asset that indicates how many days are left before the asset is permanently deleted. Once the device detects that the asset has been marked as recently deleted for a period normally ranging between 30 and 27 days, then the on-device asset will be deleted. There could be other artifacts left behind, but the primary asset will be deleted from the device. The device data acquisition will contain recently deleted assets that are no longer viewable on the device. I am not aware of any way to preserve the recently deleted assets from deletion after the acquisition unless you manually "recover" them using the on-device options, thus changing the device data. Hope that helps?
Great, thanks again!
Avatar
Avatar
ScottKjr3347
The setting is located in several plists but try: cloudServiceEnableLog.plist private\var\mobile\Media\PhotoData\private\com.apple.assetsd “iCloud and Sharing Albums turned on” section Figure #19 example video details in the following blog https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ Let me know if you want any specific help
Thank you! This was very helpful
👍 1
Avatar
Would anyone be able to help direct me on where to look in an Android File system extraction for the last activity on a Samsung phone? The phone was located broken in multiple pieces however we were still able to get a full file system extraction. Trying to determine what the phone was doing before it was broken. Is there a specific db I should be looking at? (edited)
Avatar
Avatar
slid360
Would anyone be able to help direct me on where to look in an Android File system extraction for the last activity on a Samsung phone? The phone was located broken in multiple pieces however we were still able to get a full file system extraction. Trying to determine what the phone was doing before it was broken. Is there a specific db I should be looking at? (edited)
I would start by looking in the battery usage log, but someone else might have a better idea.
Avatar
Avatar
slid360
Would anyone be able to help direct me on where to look in an Android File system extraction for the last activity on a Samsung phone? The phone was located broken in multiple pieces however we were still able to get a full file system extraction. Trying to determine what the phone was doing before it was broken. Is there a specific db I should be looking at? (edited)
CLB_joshhickman1 9/2/2022 6:00 PM
What version of Android was it running?
Avatar
Avatar
slid360
Would anyone be able to help direct me on where to look in an Android File system extraction for the last activity on a Samsung phone? The phone was located broken in multiple pieces however we were still able to get a full file system extraction. Trying to determine what the phone was doing before it was broken. Is there a specific db I should be looking at? (edited)
I always find recent_tasks and recent_images very helpful (and snapshots) (edited)
this 1
💯 1
Avatar
Avatar
claireh
I always find recent_tasks and recent_images very helpful (and snapshots) (edited)
Peacekeeper 9/3/2022 6:08 AM
Exactly, viewing the recent_images for the last screens that were opened would be my first thing to look at
💯 1
Avatar
Avatar
citizencain
I'm also looking at sms.db item_type. Here's what I have so far, where item_type =
0 = message
1 = member added to group
2 = group renamed (name is in group_title)
3 and group_action_type=0 is member leaves group
3 and group_action_type=1 is group photo changed (cache_has_attachments also 1)
4 = sharing/sending location data
6 = ?
Let me know if your test shows different results! (edited)
thatboy_leo 9/4/2022 3:42 PM
would item_type 5 be an audio message?
Avatar
thatboy_leo 9/4/2022 4:07 PM
more likely saving an audio message, but can't confirm it 100%
Avatar
Avatar
slid360
Would anyone be able to help direct me on where to look in an Android File system extraction for the last activity on a Samsung phone? The phone was located broken in multiple pieces however we were still able to get a full file system extraction. Trying to determine what the phone was doing before it was broken. Is there a specific db I should be looking at? (edited)
CLB_joshhickman1 9/4/2022 5:42 PM
In addition to what others have said, I would also recommend looking at Digital Wellbeing if the phone was running Android 10 or above.
Avatar
Has anyone had any luck with latest feature re Snapchat MyEyesOnly? We have a case where the target cannot recall the pin. There is a video of interest inside the vault..
Avatar
Is there a way to adapt the carving locations settings in Physical Analyzer? Somehow PA is interpreting the timestamps (which are in generic YYYYMMDDHHMMSS format) as something weird, and I can't find any option to change it. Any ideas?
Avatar
manuelevlr 9/5/2022 3:41 AM
@Cellebrite when parsing with the latest version of PA, it crashes on "parsing Google Maps". It has been standing there for over 40 minutes.
📫 1
Avatar
I've a question for @Cellebrite or anyone else who can reply. I've to check if a smartphone was in use while driving at the moment of a car crash. I obtained a FFS using Premium (the phone is an OPPO). Analysing the timeline I can see the attached event and "Usage mode: foreground". In this case, can we tell that WhatsApp was opened and in use? (edited)
Avatar
Avatar
bypx
I've a question for @Cellebrite or anyone else who can reply. I've to check if a smartphone was in use while driving at the moment of a car crash. I obtained a FFS using Premium (the phone is an OPPO). Analysing the timeline I can see the attached event and "Usage mode: foreground". In this case, can we tell that WhatsApp was opened and in use? (edited)
I do believe that iOS apps that are in the foreground should enter either the 'not running' state (if they do not support running in the background), or either the 'background' state (if they support running in the background, and are processing) or 'suspended' state (if they support running in the background, and do not have anything to do) when the lock screen is on. This does imply that it is likely the app was active and the device was unlocked. You may be able to see transitions between these application states, which point to times when the device/app was interacted with, in the CurrentPowerLog.powerlog. For more supporting evidence, the same log also logs timestamps for when the power button was pressed, which would initialize the lock screen for the device to be unlocked (i.e. the event will be <timestamp_with_ms> [Display] active=yes; brightness=<value>%;). If not interacted with, a device which had its display activated should deactivate the display with a corresponding active=no event a short while after. Even if the device is not unlocked, having the display activated may indicate a user was checking a message preview (but hopefully that is not a major distraction). Additionally, the lock state itself may be found in that log file. That event should look like <timestamp_with_m> [SpringBoard-states] screen_state=unblanked; lock_state=unlocked; These supporting logs, if they exist, should help to provide a pretty detailed picture of how the device was used during any given time interval. Source: https://www.researchgate.net/publication/273401733_Investigating_evidence_of_mobile_phone_usage_by_drivers_in_road_traffic_accidents
PDF | The United Kingdom is witnessing some of the highest volumes of motor vehicle traffic on its roads. In addition, a large number of motor vehicle... | Find, read and cite all the research you need on ResearchGate
8:38 AM
I just noticed that it's actually an Android device - that article covers some ways to pull similar information for Android devices. (edited)
Avatar
@Cellebrite I received a warning during a logical parse for Bad Time Format. Device time and date are correct. Anyone know why this would occur?
Avatar
I am looking for some guidance. I received an iPhone which shows "iPhone Unavailable" on the screen. Need to get into the phone to image it and access the email so that I can reset the email password for my client. Phone belonged to the client's father, who passed. Sister tried to unlock it too many times, thus the msg on the screen. I do have access to the iCloud account online. Please help.
Avatar
Avatar
mxNinja17
@Cellebrite I received a warning during a logical parse for Bad Time Format. Device time and date are correct. Anyone know why this would occur?
check time zone or set everything to GMT.
Avatar
Avatar
Dolphin22
I am looking for some guidance. I received an iPhone which shows "iPhone Unavailable" on the screen. Need to get into the phone to image it and access the email so that I can reset the email password for my client. Phone belonged to the client's father, who passed. Sister tried to unlock it too many times, thus the msg on the screen. I do have access to the iCloud account online. Please help.
Only way is to reinstall iOS via iTunes. There's no other way, you're not getting into it with the data intact.
Avatar
Avatar
Rob
Only way is to reinstall iOS via iTunes. There's no other way, you're not getting into it with the data intact.
That is what I was afraid of.
Avatar
Avatar
Rob
Only way is to reinstall iOS via iTunes. There's no other way, you're not getting into it with the data intact.
thank you for confirming this.
Avatar
Typically, a wrong PIN ten times in a row risks disabling it.
3:10 PM
Disabled = no go
Avatar
Good morning all, I have a Samsung phone which has taken a snapshot and stored itself in the 'data/root/system_ce/0/snapshots' folder. From my understanding, this is system generated, and is used for the "Recents Screen". When I have tested this on another Samsung phone, the expected snapshot is being saved in 'Root/system_ce/0/recent_images' folder. From looking online, I can see other people are finding these images between these two folders too. Has Android changed where these images can be stored after a certain OS version or are these folders used interchangeably?
Avatar
Hi all, urgent request: where on Cellebrite and XRY will a Samsung's alarm settings be found? We have received a request from CPS where they need to know if the alarm was set on the device. I got a Physical download from the device
Avatar
Avatar
obi95
Hi all, urgent request, where on Cellebrite and XRY will a Samsungs alarm settings be found? We have received a request from CPS where they need to know if the alarm was set on the device. I got a Physical download from the device
Do you have \dbspace.alarmmgr.db or similar?
2:42 AM
The alarmmgr.db appears to be where alarm settings per app can be found
Avatar
I’ve got access to the following files on XRY: alarm.do, alarm.do-wal, alarm.do-shm

Anyone from @Cellebrite around for a quick question?

Rob
Anyone from @Cellebrite around for a quick question?
Hey

Hi, does anybody know how to decrypt applications in SecureDimond H1 https://blog.securegroup.com/introducing-x1-encrypted-mobile-device. I have a full dump and the user password. Maybe someone can assist me

Hello, someone from @Cellebrite for a question about CAS?

skipper
Hi, does anybody know how to decrypt applications in SecureDimond H1 https://blog.securegroup.com/introducing-x1-encrypted-mobile-device. I have a full dump and the user password. Maybe someone can assist me
Did you try mtkclient? The phone should have an MTK chipset
6:42 AM
MTK reverse engineering and flash tool (bkerler/mtkclient on GitHub).

...o know this repo, but I have a full memory dump. Every application is encrypted by a different PIN
6:46 AM
UFED, XRY or other tools can't decrypt any applications
Mobile_Digger 9/8/2022 7:53 AM
I have a Samsung SM-A22F/DS with an unknown PIN. If I export user data in .bin and try to brute force the user data, do I have any chance? @Oxygen Forensics

Mobile_Digger
I have a Samsung SM-A22F/DS with an unknown PIN. If I export user data in .bin and try to brute force the user data, do I have any chance? @Oxygen Forensics
Oxygen Forensics 9/8/2022 8:00 AM
Answered you in the extraction channel 🙂

Does anyone know the difference between /var/mobile/Media/PhotoData/Metadata/DCIM/115APPLE and /var/mobile/Media/PhotoStreamsData/1234567890/111APPLE? (edited)

@Pacman local and shared picture?

I believe that the first file path is media files stored within Apple iCloud, and the second file path is media files that have been shared via Photo Streams
11:38 AM
Not a definite answer, I'm still figuring it out

@CLB_iwhiffin not sure if you already have answers to above. 😂
I am trying to make heads or tails of an entry on the keychain. It shows the com.apple.facetime password modified; I am unaware of a password for FaceTime. Would this be a modified device PIN?
1:02 AM
The timeline for this event is what is important to me. It's a death case and it's one of the last acts the device has registered prior to suspected ToD. So trying to figure out if this is a background system function that just happens to line up or if this is a user interaction generated change and potentially worth looking further into.

Hello! Did anyone extract a Punkt MP 01, and with what software?

skipper
...o know this repo, but I have a full memory dump. Every application is encrypted by a different PIN
Is this something you can share with us? I know our R&D group would like to take a look at it. Or DM me, we can chat more about it.

Hello, I have been looking but am having no luck, thus why I am coming to you. I have an iPad which I do not have the PIN for (client's father who passed away). Is there any way to bypass this? I have his iCloud account and can ONLY answer his phone, as a family member "locked the phone" by trying too many times. All I can find is I would need to connect it to iTunes and reset, which I am not allowed to do. What I am looking for is his email password. I am open to any suggestions.

Dolphin22
Hello, I have been looking but am having no luck, thus why I am coming to you. I have an iPad which I do not have the PIN for (client's father who passed away). Is there any way to bypass this? I have his iCloud account and can ONLY answer his phone, as a family member "locked the phone" by trying too many times. All I can find is I would need to connect it to iTunes and reset, which I am not allowed to do. What I am looking for is his email password. I am open to any suggestions.
Peacekeeper 9/9/2022 1:09 PM
AFAIK you cannot bypass the PIN (or it must be a first gen iPad). You can get access to the device if you could brute force it, but I don't think you'll be able to as private sector.

River_Plate 9/9/2022 3:34 PM
Hello all, do you know if it is possible to tell from an iPhone collection if a WhatsApp chat had disappearing messages turned on?
hello, I have kind of a weird question.... if Flutter is used to create both Android and iOS apps, what are the main reasons (if any) to do mobile app assessments on both the Android APK and the iOS app? If you have the source code, could you get away with only testing one or the other?

tw0098
hello, I have kind of a weird question.... if Flutter is used to create both Android and iOS apps, what are the main reasons (if any) to do mobile app assessments on both the Android APK and the iOS app? If you have the source code, could you get away with only testing one or the other?
Might be useful to look for modifications/tampering from the baseline code, but otherwise if you're lucky enough to have the Flutter source and verify it is the same as what is being run, I can't think of many other reasons to spend as much time there.

Sea9
Might be useful to look for modifications/tampering from the baseline code, but otherwise if you're lucky enough to have the Flutter source and verify it is the same as what is being run, I can't think of many other reasons to spend as much time there.
Thanks! 👍🏼 I think testing the Android version fully and looking over the config of the iOS app is a decent approach and gives good coverage

bypx
I've a question for @Cellebrite or anyone else who can reply. I have to check if a smartphone was in use while driving at the moment of a car crash. I obtained an FFS using Premium (the phone is an OPPO). Analysing the timeline I can see the attached event and "Usage mode: foreground". In this case, can we tell WhatsApp was opened and in use? (edited)
Hi, this artifact means WhatsApp was in the foreground at some point(s) in time in the specified time range (12:00-14:01 in this case). The data is written in buckets, usually of 2 hours, and we're not sure what makes the bucket 2:01 hours in this case.
2:25 AM
Based on our testing, one can use WhatsApp in the foreground and in the background simultaneously, even for 5 minutes per foreground/background, and you can see in netstats 2 entries/buckets of WhatsApp usage in the same range of 2 hours, one for the foreground usage and one for the background, with the amount of bytes sent/received during that timeframe
Hello guys. I am new. Down to business. As part of a DFIR "test" I am asked to explain what data I would recover from a sysdiagnose.txt to help solve a traffic crime. I already have "send gesture actions", the WiFi/GPS locations and DCIM for camera usage. Are there any more I am missing? The log is 2.1m lines big. If I am in the wrong channel please let me know. Thank you for your time!!

@Cellebrite iPhone extraction, trying to open an audio file on a Windows computer. File extension is CAF. What's the best way to open this audio file?

Disregard, I got it to work with PotPlayer 64. Had to export the file then drag and drop it into the open application

Pacman
@CLB_iwhiffin not sure if you already have answers to above. 😂
CLB_iwhiffin 9/12/2022 6:28 AM
Sorry; not looked at Discord for a few days and totally missed this... I believe the stream just syncs photos between devices if it's turned on

CLB_iwhiffin
Sorry; not looked at Discord for a few days and totally missed this... I believe the stream just syncs photos between devices if it's turned on
This is what I've come to, yes. Also the other file path appears to contain thumbnails of videos stored within DCIM/100APPLE. Just FYI 🙂

Rev0lt
Hello guys. I am new. Down to business. As part of a DFIR "test" I am asked to explain what data I would recover from a sysdiagnose.txt to help solve a traffic crime. I already have "send gesture actions", the WiFi/GPS locations and DCIM for camera usage. Are there any more I am missing? The log is 2.1m lines big. If I am in the wrong channel please let me know. Thank you for your time!!
Peacekeeper 9/12/2022 6:41 AM
If you have the full sysdiagnose, you can examine the unified logs for (amongst others) touching events (Touching=1: screen is touched at that moment; Touching=0: touch is released), device orientation changes, indicating if a device was likely to be handheld, and a LOT of other details (Bluetooth connections, lock/unlock of device, if Face ID or Touch ID was used etc.)

Thank you so much!! That is enough material to work with for now 😄
I'm on an iOS device and examining Snapchat artifacts. I want to convert the USER_ID into a username. Is there a database with these conversions?

Ash4n6
I'm on an iOS device and examining Snapchat artifacts. I want to convert the USER_ID into a username. Is there a database with these conversions?
Primary.docobjects (snapchatter table) or group.snapchat.picaboo.plist (edited)

Anyone from @Cellebrite around for an urgentish question re created timestamps

Anyone have experience decrypting the "inferenceengine_logging.db" on Samsung devices? It should contain a good slice of location data

@Cellebrite I have a binary Mobiwire F2 extraction but I can't find this phone model in UFED to decode it with PA. Do you have an idea? Thanks (edited)

Ash4n6
I'm on an iOS device and examining Snapchat artifacts. I want to convert the USER_ID into a username. Is there a database with these conversions?
Primary.docobjects (snapchatter, index_snapchatterusername).

So a random AT&T SIM card was sent to a federal agent from the States to somewhere in Germany. The SIM is still intact in the card, able to be punched out. The person who sent the card does not work at the store it was sent from, and the receiver has no idea what it's for. Does anyone have any ideas, or what's the best tool to take a look at this thing?

Power
So a random AT&T SIM card was sent to a federal agent from the States to somewhere in Germany. The SIM is still intact in the card, able to be punched out. The person who sent the card does not work at the store it was sent from, and the receiver has no idea what it's for. Does anyone have any ideas, or what's the best tool to take a look at this thing?
USIM Detective by Quantaq did supply a reader which inserted and read the full 'credit card' sized holders with the chip in situ.

WhyMe?
USIM Detective by Quantaq did supply a reader which inserted and read the full 'credit card' sized holders with the chip in situ.
That's definitely a good spot to start. Thank you. (edited)

Hello, anyone had issues with "offline maps" read-only on PA? Unable to select. It worked before because I used it, but now I can't anymore. @Cellebrite, any idea please?
Can someone with knowledge about iOS powerlog please explain how this combination is possible? 🤓 My own test shows that the output category normally gives Audio/Video when an iPhone is playing a recorded voice message but also during a recording. I am trying to determine if activity ("Now Playing" + "Audio Routing") was during a recording or playback. Also, in powerlog, does anyone know the different application states (state/reason) in this table: PLApplicationAgent_EventForward_Application? 🙂
  • 8 0
  • 4 1
  • 2 0
  • 4 0
  • 1 0

Does anyone know if the App Privacy Report in iOS is just an aggregation of already known logs or a new log altogether?

Rob
Anyone from @Cellebrite around for an urgentish question re created timestamps
CLB_iwhiffin 9/13/2022 4:46 PM
Did you get a response to this?

CLB_iwhiffin
Did you get a response to this?
Alas not currently but have a ticket, will pm : ) (edited)
Hi All. I'm investigating WhatsApp on an iOS iPhone 11. ChatStorage.sqlite. Is it true that if I see that there are numbers missing from the Z_PK column of Z_WAMESSAGES, this indicates these rows (messages) are deleted? Have to investigate whether WhatsApp messages are deleted... (edited)

jimmyv
Hi All. I'm investigating WhatsApp on an iOS iPhone 11. ChatStorage.sqlite. Is it true that if I see that there are numbers missing from the Z_PK column of Z_WAMESSAGES, this indicates these rows (messages) are deleted? Have to investigate whether WhatsApp messages are deleted... (edited)
CLB_iwhiffin 9/14/2022 4:40 AM
SQLite will always number those records sequentially in the order they are created. It will not skip or reuse numbers. So if you see some missing records, they have been deleted either by the user or by the system. *Note that if you want to use the timestamps from the records above and below to estimate a time range for your missing record, you need to take into account that syncing or restoring can have a serious effect on that. For WhatsApp, they index the messages also in a different database (ChatSearchV5f.sqlite). Here, the words are not in the correct order and repeated words are missing due to indexing, but it may still be helpful. For example, the message "Hope you are treating my sister well. You crazy west coasters!" is saved in ChatSearchV5f as "my well you coasters are hope treating sister crazy west", where you will see that the capitalization and punctuation are removed, as well as the repeated use of the word "you". You cannot rebuild the original message from this (to my knowledge) but you may still find some keywords of interest in there.

CLB_iwhiffin
SQLite will always number those records sequentially in the order they are created. It will not skip or reuse numbers. So if you see some missing records, they have been deleted either by the user or by the system. *Note that if you want to use the timestamps from the records above and below to estimate a time range for your missing record, you need to take into account that syncing or restoring can have a serious effect on that. For WhatsApp, they index the messages also in a different database (ChatSearchV5f.sqlite). Here, the words are not in the correct order and repeated words are missing due to indexing, but it may still be helpful. For example, the message "Hope you are treating my sister well. You crazy west coasters!" is saved in ChatSearchV5f as "my well you coasters are hope treating sister crazy west", where you will see that the capitalization and punctuation are removed, as well as the repeated use of the word "you". You cannot rebuild the original message from this (to my knowledge) but you may still find some keywords of interest in there.
Thanks. I'll check this.

CLB_iwhiffin
SQLite will always number those records sequentially in the order they are created. It will not skip or reuse numbers. So if you see some missing records, they have been deleted either by the user or by the system. *Note that if you want to use the timestamps from the records above and below to estimate a time range for your missing record, you need to take into account that syncing or restoring can have a serious effect on that. For WhatsApp, they index the messages also in a different database (ChatSearchV5f.sqlite). Here, the words are not in the correct order and repeated words are missing due to indexing, but it may still be helpful. For example, the message "Hope you are treating my sister well. You crazy west coasters!" is saved in ChatSearchV5f as "my well you coasters are hope treating sister crazy west", where you will see that the capitalization and punctuation are removed, as well as the repeated use of the word "you". You cannot rebuild the original message from this (to my knowledge) but you may still find some keywords of interest in there.
What do you mean by syncing and restoring in your note?

florus
What do you mean by syncing and restoring in your note?
CLB_iwhiffin 9/14/2022 7:39 AM
So for example when looking at messages, if I am using two devices syncing to one account, or I restore messages from backup, it can change the order of the messages so that the numbers and the timestamp do not necessarily increase together, if that makes sense. In these cases, if you were to sort by timestamp, you would see the rowID/PK number would jump all over the place.

Is there a way in PA 7.57 to filter native messages to only show the conversation between two specific numbers? I've tried using filters; however, it includes all group discussions with other participants as well, as both the numbers are in the group. I just want direct messages. Thank you

Oscar
Primary.docobjects (snapchatter table) or group.snapchat.picaboo.plist (edited)
Thank you

uochaos
Primary.docobjects (snapchatter, index_snapchatterusername).
Thank you

CLB_iwhiffin
SQLite will always number those records sequentially in the order they are created. It will not skip or reuse numbers. So if you see some missing records, they have been deleted either by the user or by the system. *Note that if you want to use the timestamps from the records above and below to estimate a time range for your missing record, you need to take into account that syncing or restoring can have a serious effect on that. For WhatsApp, they index the messages also in a different database (ChatSearchV5f.sqlite). Here, the words are not in the correct order and repeated words are missing due to indexing, but it may still be helpful. For example, the message "Hope you are treating my sister well. You crazy west coasters!" is saved in ChatSearchV5f as "my well you coasters are hope treating sister crazy west", where you will see that the capitalization and punctuation are removed, as well as the repeated use of the word "you". You cannot rebuild the original message from this (to my knowledge) but you may still find some keywords of interest in there.
SuperLillyB 9/15/2022 6:59 AM
Thank you! Came here with a similar question and appreciate your detailed answer.
I'm doing an exam related to the Tile application on Android. Using a hex editor I can see that the file objectbox\data.mdb contains the information I need. However, it is kind of a mess to view that way as it's a database. I want to see the actual database formatted in a way that I can browse it. It seems it's NOT a Microsoft Access database... just shares the extension name. Anyone know of any way to browse or read these databases created via ObjectBox?

thatboy_leo 9/15/2022 12:28 PM
Anyone able to verify on iOS 16 devices if PA can view recently deleted images

Trying to search for a range of Mac Absolute Time (Cocoa Core) within all SQLite databases in an acquisition. The purpose of this is to identify additional artifacts not parsed by conventional forensic tools. The tool used for searching is Agent Ransack. Timestamps in the mentioned format are typically stored as integer datatypes within the databases. Therefore, matching timestamps requires a regular expression suitable to match a range of hex values. Example: 2022-09-15 21:30:00 > Absolute Time 684970200 is stored as 28D3D0D8 in the raw database file. 2022-09-15 22:30:30 > Absolute Time 684973830 is stored as 28D3DF06 in the raw database file. The need is thus a regular expression able to match all timestamps between 28D3D0D8 and 28D3DF06, preferably using Agent Ransack. Any suggestions?

Hello! Does anyone know where PA fetches Phone Activation Time and what it means? Is it the last time the phone was installed or the last time it connected to a network? The timestamp in this case under Phone Activation Time in the summary is the same as in setupwizardpref.xml

Arlakossan
Hello! Does anyone know where PA fetches Phone Activation Time and what it means? Is it the last time the phone was installed or the last time it connected to a network? The timestamp in this case under Phone Activation Time in the summary is the same as in setupwizardpref.xml
Might be the timestamp from the .obliterated file?

Rtwi
Has anyone had any luck with the latest feature re Snapchat My Eyes Only? We have a case where the target cannot recall the PIN. There is a video of interest inside the vault..
Did you ever get an answer to this? I'm stuck in the same boat at the moment.

Joe.doe
Did you ever get an answer to this? I'm stuck in the same boat at the moment.
No, nothing. I have 2 iOS FFS today that I also need My Eyes Only support for. I can see in Uploads that files were uploaded to the My Eyes Only folder; however, I cannot find where they are decoded

Rtwi
No, nothing. I have 2 iOS FFS today that I also need My Eyes Only support for. I can see in Uploads that files were uploaded to the My Eyes Only folder; however, I cannot find where they are decoded
If the correct keys are in the keychain you can use https://github.com/DFIR-HBG/Snap_DecryptMemories to download the memories and MEO files
Script to download and decrypt memories and MEO from Snapchat on iOS. Requires the keys for memories to be present in the keychain, as well as the MEO key to get the MEO content.

Oscar
If the correct keys are in the keychain you can use https://github.com/DFIR-HBG/Snap_DecryptMemories to download the memories and MEO files
Thanks!

Oscar
If the correct keys are in the keychain you can use https://github.com/DFIR-HBG/Snap_DecryptMemories to download the memories and MEO files
Is it correct that the script is downloading the MEO from the internet instead of from the device?

Mr.Robot
Is it correct that the script is downloading the MEO from the internet instead of from the device?
Yes

Oscar
Yes
Thank you 🙂
4:47 AM
Is there a way to decrypt them on the device itself?

If they are cached you should be able to decrypt them with the same keys. I haven't made a script for that though

Ah, that's clear, thanks Oscar! If you have a script, let me know 🙂

thatboy_leo
Anyone able to verify on iOS 16 devices if PA can view recently deleted images
JLindmar (83AR) 9/16/2022 6:28 AM
Per Agent Ransack (AR) online help: https://help.mythicsoft.com/agentransack/v9/en/index.html it uses Perl regular expression syntax, which uses the \xdd format to define hexadecimal values, e.g. \x28\xD3. You should be able to set up a search for that range as \x28\xD3(?:\xD0[\xD8-\xFF]|[\xD1-\xDE][\x00-\xFF]|\xDF[\x00-\x06]) Apparently, there is a regex tester built into AR - load that expression and test several hex strings in the range you listed and see if the expression works for them.
Is It Done Yet? 9/16/2022 6:59 AM
Has anyone had any success with retrieving Burn on Read messages from Wickr? Device is an iPhone, so looking at an FFS?

Is It Done Yet?
Has anyone had any success with retrieving Burn on Read messages from Wickr? Device is an iPhone, so looking at an FFS?
What do you want to know?

Mr.Robot
What do you want to know?
Is It Done Yet? 9/16/2022 7:13 AM
Whether or not they are recoverable / what artifacts can we get from an FFS / does it just show a missing row in the database?

Is It Done Yet?
Whether or not they are recoverable / what artifacts can we get from an FFS / does it just show a missing row in the database?
In a case I was working on we had an AFU. Read messages were readable in UFED (until they were deleted from the device). We didn't know how Wickr was set up because we couldn't get into the phone. But the time period we saw messages was different for each conversation

Mr.Robot
In a case I was working on we had an AFU. Read messages were readable in UFED (until they were deleted from the device). We didn't know how Wickr was set up because we couldn't get into the phone. But the time period we saw messages was different for each conversation
Is It Done Yet? 9/16/2022 7:17 AM
In the event that the read messages are set to Burn on Read, deleting them from the device, have you been able to recover them from the SQLite database?

Is It Done Yet?
In the event that the read messages are set to Burn on Read, deleting them from the device, have you been able to recover them from the SQLite database?
I'm not sure, but I can take a look into the report Monday if you want? I know for sure that I had taken a look into the database, but don't know anymore if I saw Burn messages

Is It Done Yet? 9/16/2022 7:19 AM
I am going to do some R&D today to see if they are recoverable or not with FFS - Cellebrite PA / Magnet Axiom I think

Please let me know! I know Oxygen was also very interesting to us with Wickr! (edited)
7:22 AM
I will also take a look

Mr.Robot
Please let me know! I know Oxygen was also very interesting to us with Wickr! (edited)
Is It Done Yet? 9/16/2022 10:49 AM
My current testing on an iPhone 8: I have used the most recent version of Wickr and sent a total of 6 messages to and from two test phones, and then conducted a full file system extraction using checkm8 within Cellebrite UFED on my host device. The extraction parsed a selection of messages to and from my host device within Wickr, all of which were messages sent with BOR turned off. The messages that I had sent with BOR turned on were not recovered. Within the wickrLocal.sqlite database I can identify that column Z_PK is the primary key used within the Z_WICKRMESSAGE table, which in my case of testing shows 3 records: 1, 2, and 6. This is ratified when I look back at the device itself: the messages sent with BOR turned on were messages 3, 4, and 5. So records can be identified as having been deleted... Now can we recover this data? At present, my testing says no we cannot. From viewing the SQLite file itself in hex view, vacuuming is turned on and there are no free pages identifiable. So I am kind of stumped at this point... (edited)

thatboy_leo
Anyone able to verify on iOS 16 devices if PA can view recently deleted images
ScottKjr3347 9/16/2022 11:44 AM
Use photos.sqlite to focus your search to the assets with in-trash indicators and deleted dates, then search those file names using your commercial tool.

JayB1rd
I was going to DM ya only (still will), but maybe someone else has come across this. I posted this in the MDFA Google Group a couple of months ago: I've got a photo of interest located at this filepath from a GK FFS on an iPhone XR running iOS 15.3.1. The filepath is: /private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/scopes/syndication/originals/... In looking at the folder view on PA, I see two additional folders in addition to the "originals": .../resources/derivitives .../masters In searching online it appears that the Syndication.photoslibrary may be all the images stored in iMessage chats. Can anyone confirm this? Also, is this where ALL images ever sent/received in iMessages are stored, or only those after the latest delete of a chat? (edited)
ScottKjr3347 9/16/2022 10:05 PM
Here is a link to what I have learned so far. Still a lot of work to be done, but thought I would share. I would be interested to hear if this matches what you have seen with your investigations. Shared with You Syndication Photo Library blog has been posted. 🍎 working some 🪄 to automatically save message attachments to the Local Photo Library! #iOS15 #iOS16 #FFS #DFIR https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
The Shared with You is a new feature that has been discussed within Apple Worldwide Developers Conference (WWDC) videos and other developer videos.

Hans Leißner 9/18/2022 8:54 AM
Does iOS 15.6 (iPhone 13) still save power off/on activity in its databases? I recently opened up an FFS from an iPhone 13 and couldn't find any traces.. (tried with UFED and Oxygen) 🤔 thanks in advance for infos

Hans Leißner
Does iOS 15.6 (iPhone 13) still save power off/on activity in its databases? I recently opened up an FFS from an iPhone 13 and couldn't find any traces.. (tried with UFED and Oxygen) 🤔 thanks in advance for infos
Should be in the knowledgeC.db, can you parse it with Axiom?

Hans Leißner 9/18/2022 9:42 AM
I'll give it a try with Axiom too. I'll post here if positive or negative

Hans Leißner
I'll give it a try with Axiom too. I'll post here if positive or negative
ScottKjr3347 9/18/2022 2:57 PM
I would also give ArtEx a try. It's free and does a really nice GUI timeline for pattern of life!

Is It Done Yet?
My current testing on an iPhone 8: I have used the most recent version of Wickr and sent a total of 6 messages to and from two test phones, and then conducted a full file system extraction using checkm8 within Cellebrite UFED on my host device. The extraction parsed a selection of messages to and from my host device within Wickr, all of which were messages sent with BOR turned off. The messages that I had sent with BOR turned on were not recovered. Within the wickrLocal.sqlite database I can identify that column Z_PK is the primary key used within the Z_WICKRMESSAGE table, which in my case of testing shows 3 records: 1, 2, and 6. This is ratified when I look back at the device itself: the messages sent with BOR turned on were messages 3, 4, and 5. So records can be identified as having been deleted... Now can we recover this data? At present, my testing says no we cannot. From viewing the SQLite file itself in hex view, vacuuming is turned on and there are no free pages identifiable. So I am kind of stumped at this point... (edited)
That's interesting! So you say that messages with BOR on can't be recovered because they are overwritten?
11:08 PM
Can someone say where the private keys are stored for Google Authenticator on iOS?

ScottKjr3347
I would also give ArtEx a try. It's free and does a really nice GUI timeline for pattern of life!
Hans Leißner 9/18/2022 11:59 PM
thanks! I'm on the way 🙂

Hans Leißner 9/19/2022 12:21 AM
If I import the knowledgeC.db as a single file.. there are no entries in ArtEx.. hmm

Echmyre[FORENTECH] 9/19/2022 12:21 AM
Hi, does anyone know a solution for parsing a Unisoc UMS9117 (Nokia 215 4G TA-1272) physical extraction done with a Furious Gold dongle? Already tried with XRY and some generic SPD profile and nothing. Thanks

Anyone from @Cellebrite able to answer a DM? 🙂

uochaos
Primary.docobjects (snapchatter, index_snapchatterusername).
Can I find in the database only the current account or all accounts ever connected to the phone? thx
Avatar
Mobile_Digger
Ys I have experience this kind of stuff but do you have any information about deleted or send Whatsapp media
Hi. I'd also be interested in this. I have information on some deleted WhatsApps (I should do - I created and deleted them myself 😄 ), but I cannot find any trace of them in a logical FS extraction or iTunes backup.
Avatar
Avatar
peMo
Can I find in the database only the current account or all accounts ever connected to the phone? thx
I don't know the answer to that; if I have the opportunity to test, I'll post the results.
👍 1
Avatar
Andrew Rathbun 9/19/2022 7:51 AM
For those who in the past may have looked for sample data to compare to an artifact you have on a current case, for iOS and Android (and others), what were they? I ask because I'm trying to populate the https://github.com/AndrewRathbun/DFIRArtifactMuseum with sample data and I don't touch mobile devices much anymore, so I want to make sure this resource is useful for you all. I would appreciate any guidance, and if anyone is interested in helping to feed me with tidbits here and there, DM me and we'll go from there
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access t...
🤩 2
Andrew Rathbun
For those who in the past may have looked for sample data to compare to an artifact you have on a current case, for iOS and Android (and others), what were they? I ask because I'm trying to populate the https://github.com/AndrewRathbun/DFIRArtifactMuseum with sample data and I don't touch mobile devices much anymore, so I want to make sure this resource is useful for you all. I would appreciate any guidance, and if anyone is interested in helping to feed me with tidbits here and there, DM me and we'll go from there
nem'n'nem (nemz) 9/19/2022 4:27 PM
I'm currently looking for Android malware datasets as well as non-malicious data for baselines, would that help? I've got some from ~2016 but I'm searching for more recent data, so I can let you know what I find
👍 1
Anyone available from Cellebrite regarding the TomTom export functionality in PA?
Is It Done Yet? 9/20/2022 2:13 AM
Has anyone had any experience analysing the /log/sdp_log file within Android? Or does anyone have any useful resources to help digest what all of the logs mean?
2:14 AM
I am trying to prove someone had a lockscreen in place at a set date/time
@Cellebrite anyone got any ideas as to why the 000000_sms_backup is not being decoded when I import an ADB backup?
chrisforensic 9/20/2022 6:30 AM
Hello mates @Cellebrite @MSAB_Sofia @Oxygen Forensics @Law Enforcement [India] @Law Enforcement [UK], is there someone out there who has experience in decoding/parsing this Indian chat app? https://play.google.com/store/apps/details?id=in.mohalla.sharechat&hl=en&gl=US (edited)
Hello everybody. I've got a homicide and we have managed to make a logical extraction of a Samsung Active2 watch. Looking to see if anyone knows how to decode its health log files? They seem to be encrypted CSV files. Thanks.
chrisforensic
Hello mates @Cellebrite @MSAB_Sofia @Oxygen Forensics @Law Enforcement [India] @Law Enforcement [UK], is there someone out there who has experience in decoding/parsing this Indian chat app? https://play.google.com/store/apps/details?id=in.mohalla.sharechat&hl=en&gl=US (edited)
Oxygen Forensics 9/20/2022 11:56 PM
Hello, we do not parse it yet, but it seems like a popular app. I will add it as a suggestion for the devs to add support 🙂
🫡 1
💯 1
Hopefully no one has to deal with unsent iOS 16 messages just yet but if you do or are interested, the message content seems to still be recoverable if you get an FFS: https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
With the release of iOS 16, there have been a lot of people talking about Apple's decision to allow for iMessage users to either unsend or ...
👍 4
Hi everyone! Does anyone know if UFED has the ability to extract the applications Signal and Wickr if the user has logged out from these apps on the phone?
Hi there! Quick question of the day, what artefact do you guys tend to use on Android to determine first use of a phone? Or last install/update?
Lolokidd
Hi there! Quick question of the day, what artefact do you guys tend to use on Android to determine first use of a phone? Or last install/update?
Here is a good post explaining how to determine when an Android phone was last setup.
7:45 AM
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
thanks for this! Time for some reading 🙂
Anyone from @Cellebrite for a quick DM about PA?
Is anyone having problems with Physical Analyzer on Windows 11?
manuelevlr
Is anyone having problems with Physical Analyzer on Windows 11?
CLB_iwhiffin 9/21/2022 9:46 AM
I'm not aware of any issues; what problems are you having?
abefroman
Hopefully no one has to deal with unsent iOS 16 messages just yet but if you do or are interested, the message content seems to still be recoverable if you get an FFS: https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
CLB_iwhiffin 9/21/2022 9:47 AM
Any extraction that contains sms.db is good enough to get the history from message_info_summary 🙂
CLB_iwhiffin
I'm not aware of any issues; what problems are you having?
I sent you a DM
River_Plate 9/21/2022 11:29 AM
Hello all, I have a question regarding WhatsApp for iPhone. I need to provide as much evidence as possible regarding deletions, which are at this point evident. Does anyone have any tips/articles/cheat-sheets/ideas to share?
CLB_iwhiffin
Any extraction that contains sms.db is good enough to get the history from message_info_summary 🙂
But not the contents of a message that was unsent in iOS 16, right?
abefroman
But not the contents of a message that was unsent in iOS 16, right?
CLB_iwhiffin 9/21/2022 5:46 PM
Apologies, I just reread the original message. Yes, it's only edited messages that are stored there. Unsent will require FFS and a lot of luck.
I was wondering if anyone had any experience installing the new Physical Analyzer Ultra/8 on a machine with PA 7 installed? Is this possible, or do they interfere with each other?
@Alexsaurus You can install both... however be aware that Ultra lacks features and does not parse or list the same amount of data. The difference we've had here is huge, so we are only using PA 7.XX.... Seems like Cellebrite just wanted to release the Ultra, just because. Seems like an unfinished product and hasn't been updated for quite a while
✔️ 1
Hmmm, any idea why I am getting this when I try to install? I don't see Pathfinder installed on the system.
Looks like you have to search in the registry
Alexsaurus
Hmmm, any idea why I am getting this when I try to install? I don't see Pathfinder installed on the system.
Hans Leißner 9/22/2022 12:11 AM
Delete this value (looks like a folder) from the registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cellebrite\Analytics. In my case it worked. @Cellebrite correct? (edited)
👍 2
this 1
Hi! Does anyone know if it's possible to find uniquely generated MAC addresses for hotspots in an FFS of an iPhone? Based on Apple documentation it seems that devices use a random MAC address for hotspots. Context: the victim connected his phone (Android) to the attacker's hotspot (iOS). From the victim's phone we know the random MAC address of the hotspot (and the SSID, which is a little too generic). It would be great if iOS somewhere keeps a list of MAC addresses used for the personal hotspot
Jackds
Hi! Does anyone know if it's possible to find uniquely generated MAC addresses for hotspots in an FFS of an iPhone? Based on Apple documentation it seems that devices use a random MAC address for hotspots. Context: the victim connected his phone (Android) to the attacker's hotspot (iOS). From the victim's phone we know the random MAC address of the hotspot (and the SSID, which is a little too generic). It would be great if iOS somewhere keeps a list of MAC addresses used for the personal hotspot
Syslog maybe?
Hans Leißner 9/22/2022 1:21 AM
com.apple.MobileBluetooth.devices.plist, com.apple.MobileBluetooth.ledevices.paired.db, com.apple.MobileBluetooth.ledevices.other.db. In my extraction (FFS of an iPhone 13, iOS 15.6), viewed with Oxygen Forensics, I just found these: from 1.291 saved BT connections I only see 17 of them with timestamps
1:23 AM
If I filter it by name, there is indeed more than one MAC address listed. Maybe you can find what you are looking for there
Hi, I have a question on the call log history of a XIAOMI Mi 11 5G (M2011K2G). I got some outgoing calls to a "Private Number". Does anyone have an idea how this is possible?
Hans Leißner 9/22/2022 3:21 AM
Hello everyone! Does anyone happen to know which application creates the "Now Playing" entries in knowledgeC.db (iOS 15.6, iPhone 13)? Is there any way to track this based on the database? I'm not very skilled at manually sifting through databases, unfortunately.
abefroman
Hopefully no one has to deal with unsent iOS 16 messages just yet but if you do or are interested, the message content seems to still be recoverable if you get an FFS: https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
“As a reminder, "deleted" or should I say "recently deleted" messages are still within the main database until they are either deleted a second time or hit their 30 day period to be deleted. Further testing will continue to search for these messages after they are truly purged to see if they stay in their other areas as mentioned above.” Interesting read…. Does anyone know what the blog author is referencing when he says the deleted messages are still recoverable for up to 30 days?
dcs453
“As a reminder, "deleted" or should I say "recently deleted" messages are still within the main database until they are either deleted a second time or hit their 30 day period to be deleted. Further testing will continue to search for these messages after they are truly purged to see if they stay in their other areas as mentioned above.” Interesting read…. Does anyone know what the blog author is referencing when he says the deleted messages are still recoverable for up to 30 days?
On iOS 16, when you delete a message, there is now a Recently Deleted "folder" the messages go to, kind of like how there has been a Recently Deleted for photos for several versions of iOS now
3:44 AM
You can go into Recently Deleted messages and view the full contents and details of the messages on the phone, so all that data is still in the sms.db database for 30 days-ish after it's been marked for deletion
Anyone else experiencing problems with Watchlists in @Cellebrite? We have noticed that on three machines, watchlists are not applied to Analyzed Data anymore, no matter what we try.
4:45 AM
Analyzed Data is suddenly unchecked in the watchlist editor. If we check it and click apply, the checkmark disappears and the watchlist is executed without searching Analyzed Data
Can anyone give some insight on the Uber app on iOS? It has location data, but where is that location coming from? While the app is open/searching? The timestamps range from one to 10 seconds apart. Three locations have the device as origin, the other three are about 28 km away and have addresses; I assume those are the addresses the device user has searched or entered as the ride destination.
5:21 AM
Also, location data for Reminder locations in iOS, does anyone know what the location data represents?
  • When the phone is opened?
  • When a reminder/alarm is triggered?
  • A location-based reminder?
  • Or something else? For instance, I have reminder locations that differ in location by 13-14 kilometres but not in time, down to the same second..
RFC2324
Also, location data for Reminder locations in iOS, does anyone know what the location data represents?
  • When the phone is opened?
  • When a reminder/alarm is triggered?
  • A location-based reminder?
  • Or something else? For instance, I have reminder locations that differ in location by 13-14 kilometres but not in time, down to the same second..
CLB_iwhiffin 9/22/2022 6:49 AM
Uber may also record the location of the drivers that the user is looking at, if I recall correctly. "Reminder Locations" is a bad name as it also includes other types of geofences. They may be:
  • Reminders such as "Remind me to do X when I get home" (in which case there is an entry fence around home)
  • Reminders such as "Remind me to do X when I leave" (in which case there is an exit fence around where they are)
  • Stores related to installed apps (i.e. if they have the McDonald's application installed, there is a fence around 20 local McDonald's; 20 fences per app is the limit)
  • Frequent Location Monitoring (if in a Frequent Location there is an exit fence waiting to leave), or there may be entry fences for PREDICTIONS of where the device is heading to next.
Ultimately, the timestamp is the time the fence is CREATED, which may be totally irrelevant to the location of the device at the time. In some cases, the location is totally irrelevant to where the device has ever been. Geofence locations can be useful in a limited set of circumstances and I'm happy to discuss further if required, or you can watch the webinar I did (https://cellebrite.com/en/episode-17-i-beg-to-dfir-was-it-actually-there-location-education-on-ios-and-android/)
Aired: November 30, 2021 Duration: 1 hour Download our Location Cheat Sheet here Let’s be honest and agree that locations on mobile devices can be a nightmare. How do we know what we can trust? What are the ways to validate the artifact and most importantly, what if a location on the device is the only … Continue reading "I Beg to DFIR – Was it ...
In an iPhone extraction (iOS 14.7.1), I would like to know if there's any possibility to find out when physical SIM cards have been replaced. Cellebrite shows several ICCIDs and MSISDNs of the SIM cards, and I tried to check directly in the databases, but no luck. Does anyone know?
abefroman
Hopefully no one has to deal with unsent iOS 16 messages just yet but if you do or are interested, the message content seems to still be recoverable if you get an FFS: https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
thatboy_leo 9/22/2022 8:08 AM
Thank you for sharing!
8:08 AM
Going to see if I can test it out with Ufed/pa (edited)
ScottKjr3347
Here is a link to what I have learned so far. Still a lot of work to be done but thought I would share. I would be interested to hear if this matches what you have seen with your investigations? Shared with You Syndication Photo Library blog has been posted. 🍎 working some 🪄 to automatically save message attachments to the Local Photo Library! #iOS15 #iOS16 #FFS #DFIR https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
Read it today and it came in handy with a case I’ve got. CP showed in a syndication path and to be brief, the images were in a message in the Shared with You. Really great work, Scott. I wish I had the time to do some research, but I could never reach that level anyway. Thanks for tools!
JayB1rd
Read it today and it came in handy with a case I’ve got. CP showed in a syndication path and to be brief, the images were in a message in the Shared with You. Really great work, Scott. I wish I had the time to do some research, but I could never reach that level anyway. Thanks for tools!
ScottKjr3347 9/22/2022 2:41 PM
Happy it came in handy! Would love to hear some details about what you were able to confirm or invalidate from the write up. DM when you have some free time to discuss.
👍 1
ch40s_ch4r0n 9/23/2022 2:29 AM
Does anyone else have problems with the newest Windows 10 update and Physical Analyzer 7.57? It seems that the newest Windows update is not compatible with PA at the moment. I recommend waiting on the update.
ch40s_ch4r0n
Does anyone else have problems with the newest Windows 10 update and Physical Analyzer 7.57? It seems that the newest Windows update is not compatible with PA at the moment. I recommend waiting on the update.
ch40s_ch4r0n 9/23/2022 2:37 AM
Ok, we figured out that the Windows update with the version number KB5017262 is responsible for the problem. Uninstalling that update and rebooting fixes the problem.
👍 3
Does anyone know what Cellebrite "Highlights" are?
3:42 AM
huge DB file
Is anyone from @Cellebrite available to PM me about language translation please? The license is detected, but when selecting 'Translate all' I get a 'Translation license missing' error. (edited)
Corey
Is anyone from @Cellebrite available to PM me about language translation please? The license is detected, but when selecting 'Translate all' I get a 'Translation license missing' error. (edited)
CLB_iwhiffin 9/24/2022 9:35 AM
Hi Corey, I think that may be best answered by support, as they have more access to licence details etc. to confirm all is good.
Kramnias
Hello, quick message to point out that Threema4.db (Threema private messaging app) can be decrypted by https://github.com/wilzbach/threema-decrypt, but you need to follow the steps in the issues tab (change the decrypt.sh script with the new lines of PRAGMA parameters, and also make sure you install sqlcipher version 4; the provided command installs version 3, and updating or compiling sqlcipher version 4 or above was the tricky part). Now if someone has info on where to find or how to attack the PIN (max 8 digits) to visually access the app, or info on decoding the decrypted database (status flags of calls), please PM me 🙂
Anyone around to let me know how we go about getting to sqlcipher 4?
Hi all, I am looking to set up test data and perform decoding/analysis of the data. Are there any tools/scenarios or apps people would find helpful to be written about?
ToriaT
Hi all, I am looking to set up test data and perform decoding/analysis of the data. Are there any tools/scenarios or apps people would find helpful to be written about?
I would find a popular messaging, money transfer, or "photo hiding" app that you are seeing in the wild and decode that app. Even better if it's a newer app that you can't find documentation on.
Thank you!
KR-4n6
Hi, I have a question on the call log history of a XIAOMI Mi 11 5G (M2011K2G). I got some outgoing calls to a "Private Number". Does anyone have an idea how this is possible?
Anyone?
KR-4n6
Anyone?
Never seen that. These could be the times when the user called someone with the private number setting? (edited)
Hello. One of my colleagues has a Samsung A21S. It has a large number of images which we need to explain, but none of them have a created time/date on the device. Some are in zip files, which explains them as they are within another file. Some are cached files directly on the device. The rest seem to all be in the downloads folders. We have gained a full file system to have everything we can ..... Does anyone know why there are no created dates? (edited)
4N6Matt
Hello. One of my colleagues has a Samsung A21S. It has a large number of images which we need to explain, but none of them have a created time/date on the device. Some are in zip files, which explains them as they are within another file. Some are cached files directly on the device. The rest seem to all be in the downloads folders. We have gained a full file system to have everything we can ..... Does anyone know why there are no created dates? (edited)
According to @Cellebrite support, when I contacted them about the same thing maybe a year ago, that is a "feature" of the file system that Samsung uses. Are there a lot of files with created timestamps in your extraction? (edited)
Oscar
According to @Cellebrite support, when I contacted them about the same thing maybe a year ago, that is a "feature" of the file system that Samsung uses. Are there a lot of files with created timestamps in your extraction? (edited)
We have just looked and there are only a few application files which have dates. You are right, there seem to be no Samsung-associated files with created dates. Do applications' cached files get classed as system files (Samsung) though, as these too have no dates?
Oscar
According to @Cellebrite support, when I contacted them about the same thing maybe a year ago, that is a "feature" of the file system that Samsung uses. Are there a lot of files with created timestamps in your extraction? (edited)
It looks like the external.db holds the data under the header "date added"; after converting the Unix time we were presented with the timestamps of the media. Wish PA could associate the name with the date in that, or I could do a script for it.
Rom
Afternoon all, has anyone come across Facebook Messenger's threads_db2 database and noticed the thread_key 'montage:xxxx'? Does anyone know why, or what the montage element is referring to?
I know I'm 3 years late, might be useful for someone. Haven't been able to establish a definitive answer. Same DB as you, seems to fit with the stories on Messenger.
thatboy_leo 9/26/2022 6:20 AM
Any good blogs available on how iOS photos with edited EXIF timestamps are shown in photos.sqlite?
@ScottKjr3347 is your man regarding photos.sqlite
thatboy_leo 9/26/2022 9:29 AM
How long does knowledgeC.db normally span in terms of entries?
@Cellebrite will UFED4PC pull Wickr chats from a Google Pixel 3a XL? The owner gave consent for access to the phone, but there is still the question about opening the Wickr app in a live environment. We were able to get a File System Android Backup dump, but no Wickr artifacts were present. Thanks. Additionally, would using Premium offer better results? (edited)
TCSkyKing
@Cellebrite will UFED4PC pull Wickr chats from a Google Pixel 3a XL? The owner gave consent for access to the phone, but there is still the question about opening the Wickr app in a live environment. We were able to get a File System Android Backup dump, but no Wickr artifacts were present. Thanks. Additionally, would using Premium offer better results? (edited)
You can't do FFS via UFED for this yet. Premium / CAS would give you an FFS
CLB-Paul
You can't do FFS via UFED for this yet. Premium / CAS would give you an FFS
Thanks for the reply
thatboy_leo
Any good blogs available on how iOS photos with edited EXIF timestamps are shown in photos.sqlite?
ScottKjr3347 9/26/2022 8:21 PM
Morning all, I am having trouble decoding WeChat. It's off a Huawei P10 running Android 9. The database is decrypted (EnMicroMsg.decrypted). Any ideas how I can parse this?
Hi all, I have a photo (screenshot) on iOS which is named IMG_0220.png. Shortly after it is saved on the device I see that the image is saved as "5050.jpg" in the thumbnails folder, in the folder named "IMG_0220". Isn't there something about the 5050 being because it has been sent as an MMS or something? I think I remember something about it, but can't find any info 😕 Could someone enlighten me? I can also see that there is a "SendMessage" in "Intents Activity" in Oxygen at the time
Anyone from @Cellebrite around for a trace window error I need clarification on?
Anyone have an ETA on when Cellebrite Physical Analyzer will be able to parse a GrayKey extraction again? The temporary solution of unzipping the extraction (with 7-Zip) and then parsing with PA isn't working for me. For some reason a few files won't unzip.
dcs453
Anyone have an ETA on when Cellebrite Physical Analyzer will be able to parse a GrayKey extraction again? The temporary solution of unzipping the extraction (with 7-Zip) and then parsing with PA isn't working for me. For some reason a few files won't unzip.
We have just imported one today and have never observed any problems related to your question. What PA version are you using?
j_matas
We have just imported one today and have never observed any problems related to your question. What PA version are you using?
It's a known issue caused by the way GrayKey now packages their extractions. When I open the trace window (in the current version of PA), I see a bunch of errors when loading. It still generates a report, but it's not a 'complete' report.
Oscar
According to @Cellebrite support, when I contacted them about the same thing maybe a year ago, that is a "feature" of the file system that Samsung uses. Are there a lot of files with created timestamps in your extraction? (edited)
CLB_iwhiffin 9/27/2022 4:56 AM
It's probably better to describe it as a "limitation" on newer versions of Android (that no longer use debugFS; Android 11 and upwards, I think). I did some testing on this and even on a rooted device itself I was not able to get the Created Date, as it simply wasn't there to access. The somewhat good news is that the Last Access Date is filled in at the time of creation and usually never updated, so it can be assumed, for all intents and purposes, to be the Created Date. (Though there are definitely caveats to that, and if you are going to rely on that timestamp evidentially it would be worth testing more)
👍 1
dcs453
It's a known issue caused by the way GrayKey now packages their extractions. When I open the trace window (in the current version of PA), I see a bunch of errors when loading. It still generates a report, but it's not a 'complete' report.
Aah okay, I get it then. Misunderstood the question, sorry
thatboy_leo 9/27/2022 5:38 AM
Much appreciated, I remembered seeing this blog but forgot the URL, saved now haha
tnw001
Anyone around to let me know how we go about getting to sqlcipher 4?
JLindmar (83AR) 9/27/2022 6:54 AM
dcs453
Anyone have an ETA on when Cellebrite Physical Analyzer will be able to parse a GrayKey extraction again? The temporary solution of unzipping the extraction (with 7-Zip) and then parsing with PA isn't working for me. For some reason a few files won't unzip.
CLB_iwhiffin 9/27/2022 8:05 AM
There will be a hotfix for 7.57 coming out very soon.
Mistercatapulte 9/27/2022 11:17 AM
@MSAB is it possible to identify if an app was deleted after an XRY APK downgrade, using only a device FFS done with another tool? I suspect that on an S20 FE running Android 12. Thx
I just chipped off a smart TV again. This time it is a Samsung Smart TV. I think it is running the Tizen operating system. Any suggestions on parsing this OS? @Cellebrite @Magnet Forensics @Oxygen Forensics @MSAB (edited)
👍 1
@Cellebrite and @Magnet Forensics Axiom see the partitions, but do not give file structures for the data partition.
sholmes
@Cellebrite and @Magnet Forensics Axiom see the partitions, but do not give file structures for the data partition.
Can you send me a screenshot of the partitions?
Mistercatapulte
@MSAB is it possible to identify if an app was deleted after an XRY APK downgrade, using only a device FFS done with another tool? I suspect that on an S20 FE running Android 12. Thx
I'll DM you.
sholmes
I just chipped off a smart TV again. This time it is a Samsung Smart TV. I think it is running the Tizen operating system. Any suggestions on parsing this OS? @Cellebrite @Magnet Forensics @Oxygen Forensics @MSAB (edited)
We have not looked any deeper into this operating system, I'm afraid.
👍 1
sholmes
I just chipped off a smart TV again. This time it is a Samsung Smart TV. I think it is running the Tizen operating system. Any suggestions on parsing this OS? @Cellebrite @Magnet Forensics @Oxygen Forensics @MSAB (edited)
Oxygen Forensics 9/28/2022 12:32 AM
Hello! Not supported, I am afraid. I could find this https://content.govdelivery.com/accounts/USDODDC3/bulletins/2e03832 regarding Tizen OS; maybe it will be in some way useful to you, as I can't assist here 🙂
👍 1
chrisforensic
Hello mates @Cellebrite @MSAB_Sofia @Oxygen Forensics @Law Enforcement [India] @Law Enforcement [UK], is there someone out there who has experience in decoding/parsing this Indian chat app? https://play.google.com/store/apps/details?id=in.mohalla.sharechat&hl=en&gl=US (edited)
chrisforensic 9/28/2022 12:33 AM
Hello @Cellebrite and @MSAB_Sofia ... do you have any info about decoding this app? Big thanks fly to @Oxygen Forensics for info and support 👍
oxygen 1
chrisforensic
Hello @Cellebrite and @MSAB_Sofia ... do you have any info about decoding this app? Big thanks fly to @Oxygen Forensics for info and support 👍
I'm sorry, I missed your original message. We have not yet had any look at this particular app. Depending on how complex the structure is, it is possible that you could use the App database mapper to get chat messages decoded into the .xry file.
chrisforensic 9/28/2022 12:37 AM
Hi @MSAB_Sofia, I looked at the structure of the databases and could get just some basic info out of there like username, user ID and so on ... the database is big and seems to be very complex to me (edited)
12:43 AM
I get about 10 mobile phones a week from Indian owners, almost all of them have this app installed and use it... but I can't decode this app data (edited)
Hello all! I have been digging into Snapchat a lot recently and I'm wondering if anyone else has come across the same stuff as I have.. I haven't been able to find any resources on it. I'm working with iOS, and looking at the primary.docobjects database. The table 'stories_mystoryplaybacksequence_3' appears to list the live stories made by the user. In the blob data you can see the Snap username, the external ID for the image (linking that to cache controller.db you can find the image), the retrieval address and the overlay text used over the image. This is all great, but I would really like to find a date/time for when the story was posted. Or perhaps an expiry time. I'm wondering whether it's somewhere in this blob data.. Has anyone looked into this before? Or if that information is available somewhere else I would be really interested! Thanks!
What application creates media with the filename "SVID_datedate_timetime.mp4"? On a Huawei device most likely
I assume it's from the native screen recorder app, but can't verify atm since nobody has a Huawei in 2022
Anyone from @Cellebrite around for a question?
CLB-Paul
Can you send me a screenshot of the partitions?
sending now
Artea
Anyone from @Cellebrite around for a question?
Hey
JLindmar (83AR) 9/28/2022 10:04 AM
Is anyone else seeing @Cellebrite Physical Analyzer (7.57+) issues after applying the recent .NET updates (KB5017499, KB5017915) on Windows 10? 7.57.0.51 had been working fine prior to the updates I applied yesterday; loaded an extraction today and once parsing began I got multiple error windows (see attached) where the only option is to allow the program to close. Installed 7.57.1.9 today and receive the same errors. The trace window progresses through parsing, but shows repeated session file saving, cloud communication errors, and "Object reference not set to an instance of an object" records.
JLindmar (83AR)
Is anyone else seeing @Cellebrite Physical Analyzer (7.57+) issues after applying the recent .NET updates (KB5017499, KB5017915) on Windows 10? 7.57.0.51 had been working fine prior to the updates I applied yesterday; loaded an extraction today and once parsing began I got multiple error windows (see attached) where the only option is to allow the program to close. Installed 7.57.1.9 today and receive the same errors. The trace window progresses through parsing, but shows repeated session file saving, cloud communication errors, and "Object reference not set to an instance of an object" records.
JLindmar (83AR) 9/28/2022 10:36 AM
FYI, uninstalling update KB5017262 (which looks to have superseded KB5017499) appears to have corrected the issue.
💯 1
JLindmar (83AR)
Is anyone else seeing @Cellebrite Physical Analyzer (7.57+) issues after applying the recent .NET updates (KB5017499, KB5017915) on Windows 10? 7.57.0.51 had been working fine prior to the updates I applied yesterday; loaded an extraction today and once parsing began I got multiple error windows (see attached) where the only option is to allow the program to close. Installed 7.57.1.9 today and receive the same errors. The trace window progresses through parsing, but shows repeated session file saving, cloud communication errors, and "Object reference not set to an instance of an object" records.
We're looking into this, but it seems to cause some issues for sure. The uninstall of those updates should work.
👍 2
Avatar
Hi, a question regarding the MEGA application in iOS and Android. Does anyone know why Physical Analyzer or other tools decode a Purchase Date but not an Install Date for this app? Is it safe to say that the Purchase Date is the same as the Install Date? I know users can utilize X amount of free GB space without paying, maybe it has to do with that... (edited)
Avatar
Mistercatapulte 9/29/2022 3:06 AM
@CLB-Paul I reported the tips 3 days ago for W11 to the support, solved by deleting KB5017859, KB5017915 and KB5017383. (edited)
👍 1
Avatar
Does anyone know where I can read more about the time_in_app databases found in /data/com.facebook.katana/databases? Can I trust this to be the intervals in which the user actually interacts with the application?
Avatar
Avatar
Rob
Hi, a question regarding the MEGA application in iOS and Android. Does anyone know why Physical Analyzer or other tools decode a Purchase Date but not an Install Date for this app? Is it safe to say that the Purchase Date is the same as the Install Date? I know users can utilize X amount of free GB space without paying, maybe it has to do with that... (edited)
Take a look at the source db, will typically contain Purchase Date / Latest Install (+ reason etc.)
👍 1
Avatar
@Cellebrite Hi, I was just examining a cloud extraction from Facebook Messenger, and have encountered a small trash can icon (deleted. trash). Does this mean that the message was deleted from the conversation, and if so does the time-stamp indicate when the message was sent or when it was deleted? (edited)
Avatar
Avatar
CLB-Paul
We're looking into this, but it seems to cause some issues for sure. The uninstall of those updates should work.
Does the latest hotfix include this fix?
Avatar
7.57.1 addresses the new image format for GK dumps.
👍 2
7:17 AM
That was slated to go out before the windows update issue came out.
Avatar
Understood
7:17 AM
Thanks
Avatar
Deleted User 9/29/2022 8:38 AM
Anyone here have experience with the Conversations app / XMPP clients and how their encryption works?
Avatar
@Magnet Forensics I'm looking for some advice on merging portable cases into the original case. I have a case that needed to be broken up into three portable cases (7 Hard Drives, multiple Terabytes). I/O is finished tagging them all and I want to merge them back into the original case. Portable case one merged successfully but merging the second case doesn't seem to be working properly. I select the merge option on the conflicts screen, but it will not import new tags with other names. Am I missing something here? v: 6.6.0.33061 (edited)
Avatar
I’m newer to digital forensics and am trying to determine what this source means. It was collected from an Apple iPhone. Any thoughts? “Source: Native Locations Source file: 00008030-000279D621FA802E_files_full.zip/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite: 0x118777 Table: ZRTCLLOCATIONMO; Size: 7065600”
Avatar
So, just looking at this quickly, the source of the data is the Cache SQLite database for routined locations. The Table: ZRT…. is the specific table inside the database the data was located in. I don’t want to assume, but my guess is you’re looking at an artifact with some coordinates in it?
👍 1
5:10 PM
I saved one of my favorite topics for (nearly) last. There is no question that location can play a major role in many investigations. iOS location data has changed drastically with iOS 11 from previous iOS versions. I published research on these locations in the past and parsing scripts.
Avatar
@Cellebrite please bugfix the SQL wizard from PA. Since the last versions it only makes trouble. I wanted to prepare e.g. the Web.de Mail App (popular mail app in Germany) with it but the PA always crashes. Also the function deleted content with prepare, no longer works properly (from the SQL wizard).
Avatar
Avatar
slid360
I’m newer to digital forensics and am trying to determine what this source means. It was collected from an Apple iPhone. Any thoughts? “Source: Native Locations Source file: 00008030-000279D621FA802E_files_full.zip/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite: 0x118777 Table: ZRTCLLOCATIONMO; Size: 7065600”
ScottKjr3347 9/29/2022 10:34 PM
Give Google or your preferred search engine a try using the term “zrtcllocationmo”; there are so many great blogs and resources that might help you get a better understanding of these locations. (edited)
Avatar
Is It Done Yet? 9/29/2022 11:57 PM
Team - best artifact to find when an iPhone was first activated?
11:57 PM
I am re-reviewing an old extraction (2020) - an Advanced Logical (File System) in UFED.
Avatar
Avatar
Is It Done Yet?
Team - best artifact to find when an iPhone was first activated?
You could try checking the creation times of core databases (CallHistory.storedata, SMS.db, AddressBook.sqlite, PPSQL.Database).
Avatar
Hello everyone, in which files is there an indication of the time zone set on the phone? On Android devices.
Avatar
Avatar
manuelevlr
Hello everyone, in which files is there an indication of the time zone set on the phone? On Android devices.
Depending on OS version, check: calendar.db, netpolicy.xml, persistent_properties, persist.sys.timezone
Avatar
OK. Possibly it is also indicated if the time is set to 24h?
Avatar
Avatar
FullTang
You could try checking the creation times of core databases (CallHistory.storedata, SMS.db, AddressBook.sqlite, PPSQL.Database).
Is It Done Yet? 9/30/2022 12:49 AM
Ahh copied, that makes sense
👍 1
Avatar
theAtropos4n6 9/30/2022 1:28 AM
Good morning everyone! Has anyone dealt with the Revolut application on either Android or iOS? Databases seem encrypted and I am looking for any artifacts that are there
Avatar
I'd be surprised if they're storing anything on-device for banking apps, you generally need a network connection to do anything with them
👍 1
Avatar
Avatar
Is It Done Yet?
I am re-reviewing an old extraction (2020) - an Advanced Logical (File System) in UFED.
detinator1173 9/30/2022 9:56 AM
Heya, the plist under private/var/mobile/library/preferences/com.apple.purplebuddy.plist has lots of info about activation including a key "SetupLastExit" (date) and "SetupState" (setup method). I've not had a reason to verify so if anyone else can chip in with a thumbs up or thumbs down, that would be good!
Avatar
Avatar
Is It Done Yet?
Team - best artifact to find when an iPhone was first activated?
CLB_iwhiffin 9/30/2022 11:27 AM
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
Avatar
Is there a way to open a Cellebrite extraction without having to reprocess the image every time I open it?
Avatar
Avatar
Ash4n6
Is there a way to open a Cellebrite extraction without having to reprocess the image every time I open it?
CLB_iwhiffin 9/30/2022 1:42 PM
PA Ultra is designed for exactly that purpose. A new version will be out soon which addresses many of the issues from the earlier release.
Avatar
Avatar
CLB_iwhiffin
PA Ultra is designed for exactly that purpose. A new version will be out soon which addresses many of the issues from the earlier release.
Thank you, I'll switch over to that one
Avatar
Avatar
Ash4n6
Thank you, I'll switch over to that one
I'd use normal PA as your main until all features are ported over to Ultra
🥰 1
2:06 PM
Ultra has some features that normal doesn't so would use it as a side tool
Avatar
Avatar
Rob
Ultra has some features that normal doesn't so would use it as a side tool
CLB_iwhiffin 9/30/2022 2:07 PM
Fair comment. 🙂
👌 1
Avatar
Avatar
Rob
Ultra has some features that normal doesn't so would use it as a side tool
Good Point Rob
👍 2
Avatar
You could also make a UFED Reader report of the whole extraction, but you will lose some features. Just depends on how deep of an analysis you are doing.
👍🏿 1
Avatar
Anyone from @Cellebrite around for a question?
Avatar
Avatar
ScottKjr3347
Give Google or your preferred search engine a try using the term “zrtcllocationmo”; there are so many great blogs and resources that might help you get a better understanding of these locations. (edited)
Much appreciated. Thanks!
Avatar
Avatar
MindBreak
Anyone from @Cellebrite around for a question?
Hey
Avatar
Avatar
slid360
Much appreciated. Thanks!
ScottKjr3347 10/1/2022 7:19 AM
If you have any specific questions after reading through those, please don’t hesitate to ask.
Avatar
Hello All! I was asked if there was a way to determine how a phone call ended on an iOS device - an iPhone 4 actually. Specifically if the end call button was activated. Does anyone know if this is tracked anywhere in a database? Thanks
Avatar
volvoabbaikea 10/3/2022 1:35 AM
Hello! Not 100% if it's the right channel but: in iOS User Word Dictionary I have several words of interest. Let's say the word is "potatoes". Several of these words have a weird prefix like this: "N!E_potatoes" or "N#EPotatoes". Does anyone know what that prefix means? Thanks. (edited)
Avatar
@Cellebrite Hi Cellebrite, any noted issues with dual SIM Android devices not decoding the 2nd SIM successfully in UFED PA? I can provide an example I've noted if required. Thanks
📬 1
Avatar
Avatar
stps358
@Magnet Forensics I'm looking for some advice on merging portable cases into the original case. I have a case that needed to be broken up into three portable cases (7 Hard Drives, multiple Terabytes). I/O is finished tagging them all and I want to merge them back into the original case. Portable case one merged successfully but merging the second case doesn't seem to be working properly. I select the merge option on the conflicts screen, but it will not import new tags with other names. Am I missing something here? v: 6.6.0.33061 (edited)
Michael Paleshi 10/3/2022 6:21 AM
Morning @stps358 - I went looking to see if you got an answer on this. Are you still in need of assistance?
Avatar
Avatar
Michael Paleshi
Morning @stps358 - I went looking to see if you got an answer on this. Are you still in need of assistance?
Yes I'm still having this issue.
Avatar
Avatar
stps358
Yes I'm still having this issue.
Michael Paleshi 10/3/2022 6:22 AM
Okay, let me see if I can get you an answer (don't know the answer myself).
Avatar
Avatar
Michael Paleshi
Okay, let me see if I can get you an answer (don't know the answer myself).
Thank you!
Avatar
Unsure if this is the right channel, so apologies if not. Bit of a unique one maybe. Is there a way to identify traveling speed in a car via GPS coordinates easily? Currently trying to use PA but didn't know if there's a good easy way of doing so. Thanks
Avatar
Avatar
Chris
Unsure if this is the right channel, so apologies if not. Bit of a unique one maybe. Is there a way to identify traveling speed in a car via GPS coordinates easily? Currently trying to use PA but didn't know if there's a good easy way of doing so. Thanks
Peacekeeper 10/4/2022 2:39 AM
I usually create a KML file from the GPS points. We have a program in which we can load the KML to show the route and, I guess, a pretty accurate distance in meters. I've used this several times to give an average speed for a vehicle involved in an accident.
Avatar
Has anyone ever come across the file path '\DCIM\Locked' before? It's from an SD card that was in a Samsung S21. X-Ways reads it as previously existing data not necessarily intact. It's not encrypted and there were no hidden folder type apps installed.
Avatar
Question for plists on an iPhone, specifically the com.apple.wifi-private-mac-networks.plist, but it could apply, if fitting, to all plists. Are they stored in UTC 0 or are they stored in the local time zone?
Avatar
Question for plists on an iPhone, specifically the com.apple.wifi-private-mac-networks.plist, but it could apply, if fitting, to all plists. Are they stored in UTC 0 or are they stored in the local time zone?
Avatar
Avatar
Palazar82
Question for plists on an iPhone, specifically the com.apple.wifi-private-mac-networks.plist, but it could apply, if fitting, to all plists. Are they stored in UTC 0 or are they stored in the local time zone?
ScottKjr3347 10/4/2022 8:54 AM
Looks like UTC. I’ll do a live test later today, but after reviewing some old test data lastJoined looks like UTC
👍 1
Avatar
Thank you very much.
Avatar
Axen Cleaver 10/4/2022 2:41 PM
Hello! Looking for a bit of direction decoding a physical extraction from a phone. Plum E700US, chipset MTK6276, OS is proprietary. Ran it through @Cellebrite and @Magnet Forensics Axiom and only saw a few images, however Hex searches found bits of SMS messages. Any help is appreciated! (edited)
Avatar
Avatar
ScottKjr3347
Looks like UTC. I’ll do a live test later today, but after reviewing some old test data lastJoined looks like UTC
CLB_iwhiffin 10/4/2022 8:27 PM
Plists usually have the timestamp as a DATE field which are an epoch/offset from 1st Jan 2001. These are UTC. But sometimes they may be stored as string values instead. These are typically local time and show the offset in the string.
💯 2
Avatar
Avatar
CLB_joshhickman1
Hello everybody, Query is on parsing Google Assistant cache. Located on a Samsung S9 physical/binary extraction in X-Ways. AXIOM/UFED PA could not (currently) parse this out. I had the cloud extraction of the users data to compare it against. Cached “Hey Google” & “OK Google...” queries located in: \data\com.google.android.gms\files\fcm_qued_messages.ldb\ and are a series of .db files- 00015l.db 00018.ldb Looking to see if anyone has luck on parsing the data or a plug-in that can be added to the artifacts database for AXIOM or UFED PA.
@sky4n6 I am not sure about that particular database, but there is another location you can go to get "Ok Google" queries. It depends on what version of Android the device was/is running. In Android 10 there is a database that contains all of the "Ok Google" queries (that are done via the physical phone): "opa_history." You can find it in /data/data/com.google.android.googlequicksearchbox/databases/. Not all "Ok Google" queries are here, though. If the user was using Android Auto, you will need to look in the protobuf files found in /data/data/com.google.android.googlequicksearchbox/app_sessions. The protobuf files can be parsed, but you can find the query along with the date/time of the query. For Android 9 and below, there is no database. Check out @Brigs ALEAPP tool. It has support for Google Assistant queries. https://github.com/abrignoni/ALEAPP/tree/master/scripts
(edited)
I know I'm late to the party, but is there any deleted flags or would the whole session be deleted? And are the sessions sequential or timestamp based?
Avatar
Hey, is anybody out there who has a clue what newer Samsung gallery3d paths are encoded with in the log table in local.db? According to this it's base64, but that doesn't work in my case. Strings begin with "#G$", the rest looks like base64 but ain't ... http://cheeky4n6monkey.blogspot.com/2022/01/mike-monkey-dumpster-dive-into-samsung.html?m=1 (edited)
Monkey assists Mike with another dive into the Samsung Gallery3d App It all started with a post by Michael Lacombe ( iacismikel at gmail...
Avatar
Avatar
claireh
I know I'm late to the party, but is there any deleted flags or would the whole session be deleted? And are the sessions sequential or timestamp based?
CLB_joshhickman1 10/5/2022 5:14 AM
The protobuf blobs have timestamps in them with the query (or queries if there is some back-and-forth with Assistant). opa_history also contains timestamps. As far as deletion goes, I'm not sure. I suspect it would be at the mercy of any database vacuuming that may occur. Also not aware of any flags/indicators. (edited)
👍 1
Avatar
Has anyone seen recent dumps where the Biome\AppIntent folder is empty? I just did a FFS on the GK and that folder turned up empty... It is a more lightly used phone, but there's definitely content within the last 30 days that would have generated some of those Biome AppIntent files
9:29 AM
It's iOS 15.6.1
Avatar
Has anyone come across a group text/chat where one of the numbers was spoofed? Android Phones.
Avatar
Avatar
dcs453
Has anyone come across a group text/chat where one of the numbers was spoofed? Android Phones.
I believe it is possible. In order to find the original, non-spoofed number, a CDR warrant to the victim's phone is the place to start.
Avatar
Does anyone know how to extract blob data from SQLite databases from a cell dump, or have a Python script or scripts that do similar for applications that Cellebrite may not be parsing data for?
Avatar
Hey everyone, was wondering if anyone would be able to point me in the right direction or confirm my thoughts on some data I have: Basically I have a contact that was deleted, and we are trying to confirm when it was deleted during the timeline of events. Contact was recovered in full file system extraction in the library/recents/recents-wal file. The issue is there is no time stamps associated in the wal file it appears. I’m able to see in knowledgeC that com.Apple.mobilephone was launched twice around the timeframe we are looking at (no calls were made in timeframe). I sadly can not at the moment test my suspicion but hypothetically would someone opening the phone app, and switch to the contacts tab to then long press a contact to delete the contact create those two entries in knowledgeC? (edited)
Avatar
Is there any way to virtualize an iOS device to test third party apps, or is a physical jailbroken device the only easy way? I looked at Corellium but it seems you can't install third party apps there without a separate jailbroken device
Avatar
Anyone know what "Scrambled" means in PA and WhatsApp?
Avatar
Avatar
Arlakossan
Anyone know what "Scrambled" means in PA and WhatsApp?
I'll PM you since this question has been brought up many times 🙂
Avatar
is it possible to know the pattern lock having the decrypted physical acquisition available?
Avatar
Android 9
Avatar
Can someone at @Cellebrite send me a dm?
Avatar
Avatar
Arlakossan
Anyone know what "Scrambled" means in PA and WhatsApp?
It's shuffling the words around... Not sure why, but I assume that they must store them in a way that is out of order and that the information to place them in the right order is no longer present in the extraction... Really threw me for a loop when I was translating Spanish to English using Google Translate...
Avatar
It's done for more efficient searching. From what I've read/researched the scramble db is solely used for the search feature within the app.
Avatar
Avatar
Brayniack
Does anyone know how to extract blob data from SQLite databases from a cell dump, or have a Python script or scripts that do similar for applications that Cellebrite may not be parsing data for?
JLindmar (83AR) 10/6/2022 10:33 AM
You can explore the individual BLOBs using the File Format Viewer in PA. X-Ways Forensics will export identified BLOBs as a child object of the database. SQLite Expert has an extension (https://www.sqliteexpert.com/extensions/) for exporting BLOBs en masse. There are others, but these are the ones I've used recently. (edited)
Avatar
Avatar
Brayniack
Does anyone know how to extract blob data from SQLite databases from a cell dump, or have a Python script or scripts that do similar for applications that Cellebrite may not be parsing data for?
https://github.com/pug4N6/blob_exporter … This might help with that some
A Python script to export SQLite blob data. Contribute to pug4N6/blob_exporter development by creating an account on GitHub.
Avatar
Folks, I @Law Enforcement [UK], where would I find in the Instagram DB if a user had changed the username but kept it attached to an existing account? Eg scobby (mystery@email.com) to shaggy (myster@email.com). Can I find this out? Can't find a recent user plist to check login instructions. Ta
Avatar
If I find CSAM in the Facebook.Orca, but I find no associated messages, is there a way to determine from the ORCA DB if it was incoming, outgoing, or not sent at all? Is there a Orca decoding handbook? (edited)
Avatar
burgers_N_bytes 10/7/2022 7:41 AM
KnowledgeC zstreamname “isLockedImputed”… has anyone run across this artifact and its meaning before I conduct some testing?
Avatar
Pretendigator 10/7/2022 9:29 AM
anybody had to look at Rando Chat and its DBs? -just going through the db and building a query. Thought I had it sorted until I didn't... I'm sure I've marked up my sent/received correctly, either the officer has submitted the 'pee dough' hunters device instead of the suspects without telling us its from the hunters or I've got the decoding backwards. https://play.google.com/store/apps/details?id=com.random.chat.app&hl=en_GB&gl=US
Avatar
@Cellebrite Does physical analyzer open e01 files? I made a physical e01 on a usb drive as a test with FTK imager. Thought someone said you could open e01s in PA. (edited)
Avatar
Dear community, do any of you know of a way to virtualize a smartphone extraction (Samsung J6, FFS)? If there is such a thing, this would be a good way to bypass 2FA if the original device is no longer available or broken. Many thanks for your ideas and tips. Best regards and a nice weekend! 3rd1
Avatar
Is It Done Yet? 10/8/2022 4:16 AM
I have managed to use this methodology to identify the time of setup, however, the SetupState is RestoredFromiCloudBackup, rather than SetupUsingAssistant. Could you please confirm what this means regarding the artefact?
Avatar
DeepDiveForensics 10/8/2022 7:22 AM
Hello @Oxygen Forensics I have started the load file export of a mobile dump, but after 2 days the application closed all of a sudden. When I reopen the application there is no notification within the UI. How do I check whether the export is complete or not?
oxygen 1
Avatar
@Cellebrite anyone of you guys feel the urge to answer an awfully hard question about WhatsApp decoding in PA?
Avatar
If I wanted to use @Cellebrite to perform a search for the word foot but not return the word football using Advanced search do I need to add double quotes to return just words with foot and not football?
Avatar
Avatar
MetaStig
@Cellebrite anyone of you guys feel the urge to answer an awfully hard question about WhatsApp decoding in PA?
Hey. Send me a dm I’ll see what I can help with
Avatar
Avatar
Ash4n6
If I wanted to use @Cellebrite to perform a search for the word foot but not return the word football using Advanced search do I need to add double quotes to return just words with foot and not football?
I’ll check on that. Tbh I’m not sure 🙈
Avatar
Avatar
snoop168
It's shuffling the words around... Not sure why, but I assume that they must store them in a way that is out of order and that the information to place them in the right order is no longer present in the extraction... Really threw me for a loop when I was translating Spanish to English using Google Translate...
CLB_iwhiffin 10/9/2022 10:40 AM
It's purely a feature of SQLite to index the words. You'll notice there is no uppercase, no grammar and no repeated words. PA shows the scrambled message where the intact message doesn't exist, as it may still be evidential.
Avatar
Avatar
JLindmar (83AR)
Is anyone else seeing @Cellebrite Physical Analyzer (7.57+) issues after applying recent .NET updates (KB5017499, KB5017915) on Windows 10? 7.57.0.51 had been working fine prior to the updates I applied yesterday - loaded an extraction today and once parsing began I got multiple error windows (see attached) where the only option is to allow the program to close. Installed 7.57.1.9 today and receive the same errors. Trace windows progresses through parsing, but shows repeated session file saving, cloud communication errors, and "Object reference not set to an instance of an object" records.
Any word if a hot fix will be pushed out for the windows update issue in Physical Analyzer? Uninstalling the updates is not an option for me.
Avatar
Avatar
mxNinja17
@Cellebrite Does physical analyzer open e01 files? I made a physical e01 on a usb drive as a test with FTK imager. Thought someone said you could open e01s in PA. (edited)
You can open them as Advanced: open case, choose 'Open (Advanced)', select the type of device as USB_MSD and then for Binary Extraction, click on Image and you can select E01s there. Hope that helps
🔥 1
💯 1
Avatar
Avatar
Oscar
Is there any way to virtualize an iOS device to test third party apps, or is a physical jailbroken device the only easy way? I looked at Corellium but it seems you can't install third party apps there without a separate jailbroken device
I'm afraid you're right that you'll need a jailbroken phone to get the unencrypted IPA file. However, that can then be analyzed in Corellium with much greater ease. Worth noting that there may be legal issues to navigate there, so if in doubt consult a lawyer - by not allowing app store access, Corellium can safely leave that tricky issue to the user
Avatar
Hi All, could anyone help me regarding Apple Photos and the "moment starts" / "moment ends" states? I can't figure out what the meaning of those is and in which DB they are found. It is present (in @Oxygen Forensics in the details view).... maybe a tech guy from Oxygen can help me explain 🙂 or maybe @CLB_iwhiffin or @ScottKjr3347 would have some knowledge? 🙂
Avatar
Avatar
j_matas
Hi All, could anyone help me regarding Apple Photos and the "moment starts" / "moment ends" states? I can't figure out what the meaning of those is and in which DB they are found. It is present (in @Oxygen Forensics in the details view).... maybe a tech guy from Oxygen can help me explain 🙂 or maybe @CLB_iwhiffin or @ScottKjr3347 would have some knowledge? 🙂
Oxygen Forensics 10/10/2022 2:28 AM
Hello! Let me research the question for you 🙂 I will come back to you as soon as I have anything, unless somebody beats me to it 😄
Avatar
Avatar
j_matas
Hi All, could anyone help me regarding Apple Photos and the "moment starts" / "moment ends" states? I can't figure out what the meaning of those is and in which DB they are found. It is present (in @Oxygen Forensics in the details view).... maybe a tech guy from Oxygen can help me explain 🙂 or maybe @CLB_iwhiffin or @ScottKjr3347 would have some knowledge? 🙂
Oxygen Forensics 10/10/2022 2:29 AM
But they are found in photos.sqlite
Avatar
Avatar
Oxygen Forensics
But they are found in photos.sqlite
Well, I can't find the "moment start / stop" thing in photos.sqlite. But you have it present in your detail pane when I preview an image
Avatar
Avatar
Oxygen Forensics
Hello! Let me research the question for you 🙂 I will come back to you as soon as I have anything, unless somebody beats me to it 😄
ok.. found it in the ZMOMENT table. But if anyone could explain what it actually means it would be great 😄
Avatar
@j_matas check pinned msg from Scott or his blog
Avatar
Avatar
Bobby
@j_matas check pinned msg from Scott or his blog
Pretendigator 10/10/2022 4:17 AM
Scott's pinned message is about the KnowledgeC database, not photos.sqlite I believe, or I looked at the wrong one!
Avatar
As many of you are aware, I recently updated my Photos.sqlite queries. Since releasing the different query iterations, I have received several questions about how I was able to decode the data incl…
❤️ 1
4:20 AM
Pinned msg is also about photos.sqlite
Avatar
Avatar
Bobby
Pinned msg is also about photos.sqlite
Pretendigator 10/10/2022 4:25 AM
scrolled straight past the first pinned post from him and read about the second which was also involving start/end times for aeroplane mode! Woopsie
🤭 1
Avatar
Thanks for the articles 🙂 Just surfed my own iOS device and found that the moment was probably the one found in the Photos app. And reading the great piece from @ScottKjr3347 confirmed it. Great read btw 🙂 Thanks!
4:38 AM
But what is the criteria for a photo to be included in a moment?
Avatar
Avatar
j_matas
Hi All, could anyone help me regarding Apple Photos and the "moment starts" / "moment ends" states? I can't figure out what the meaning of those is and in which DB they are found. It is present (in @Oxygen Forensics in the details view).... maybe a tech guy from Oxygen can help me explain 🙂 or maybe @CLB_iwhiffin or @ScottKjr3347 would have some knowledge? 🙂
ScottKjr3347 10/10/2022 4:58 AM
The moment start date is based on the asset (that is a part of the moment) that has the earliest created date. The moment end date is based on the asset (that is a part of the moment) that has the most recent / latest created date. These dates can change if assets are added and removed from the moment.
Salute 2
👍 1
Avatar
Avatar
j_matas
But what is the criteria for a photo to be included in a moment?
ScottKjr3347 10/10/2022 5:01 AM
This is a harder question to answer, that’s Apple's secret sauce! I’ve found location to be the easiest one to recognize. For example, if I go to a hockey game and take a bunch of photos it can make a hockey moment for that night, or the same for a concert. Check out Apple documentation for that answer.
Avatar
Avatar
ScottKjr3347
This is a harder question to answer, that’s Apple's secret sauce! I’ve found location to be the easiest one to recognize. For example, if I go to a hockey game and take a bunch of photos it can make a hockey moment for that night, or the same for a concert. Check out Apple documentation for that answer.
Pretendigator 10/10/2022 5:03 AM
Avatar
ScottKjr3347 10/10/2022 5:08 AM
Will do
Avatar
Anyone know if there is a plist with account settings in Snapchat from a full file system extraction? I want to know how the user account handles saved snaps.
Avatar
Peacekeeper 10/10/2022 6:59 AM
Question in regards to the contents of Cache.sqlite. I think I know the answer, but I guess it's better to check nonetheless. I have an iPhone where location history is crucial. The device owner will not be able to give the answer on short notice (medically induced coma). I have turned the device off to preserve the data within Cache.sqlite. If I'm not mistaken, with the device off, it'll retain the information, but I don't know for sure if it'll purge the info once the device is unlocked in a couple of weeks. I think not. Just in case, I'm currently running a supersonic bruteforce (thanks @Cellebrite!). I don't think it will, but again better safe to check: Does anyone know if this has any impact on the contents of Cache.sqlite? Thanks!
Avatar
Avatar
spadart
You can open them as Advanced: open case, choose 'Open (Advanced)', select the type of device as USB_MSD and then for Binary Extraction, click on Image and you can select E01s there. Hope that helps
Worked like a charm thank you!
👍 1
Avatar
Avatar
Peacekeeper
Question in regards to the contents of Cache.sqlite. I think I know the answer, but I guess it's better to check nonetheless. I have an iPhone where location history is crucial. The device owner will not be able to give the answer on short notice (medically induced coma). I have turned the device off to preserve the data within Cache.sqlite. If I'm not mistaken, with the device off, it'll retain the information, but I don't know for sure if it'll purge the info once the device is unlocked in a couple of weeks. I think not. Just in case, I'm currently running a supersonic bruteforce (thanks @Cellebrite!). I don't think it will, but again better safe to check: Does anyone know if this has any impact on the contents of Cache.sqlite? Thanks!
ScottKjr3347 10/10/2022 7:54 AM
If the device is OFF it will preserve the cache.sqlite zrtcllocationmo table data. In the past I have had devices that were off for weeks, then powered on and used the passcode to unlock the device and acquired FFS and had location data from the time in question. I’ve been informed by CB team members that if a device is running a BF agent these locations are also preserved. From what I know these are the best ways to preserve temporary location data, that would otherwise be overwritten if the device was left connected to a charger in the powered on state collecting location data for your lab. (edited)
❤️ 1
Peacekeeper
Question in regards to the contents of Cache.sqlite. I think I know the answer, but I guess it's better to check nonetheless. I have an iPhone where location history is crucial. The device owner will not be able to give the answer on short notice (medically induced coma). I have turned the device off to preserve the data within Cache.sqlite. If I'm not mistaken, with the device off, it'll retain the information, but I don't know for sure if it'll purge the info once the device is unlocked in a couple of weeks. I think not. Just in case I'm currently running a supersonic bruteforce (thanks @Cellebrite!). I don't think it will, but again better safe to check: Does anyone know if this has any impact on the contents of Cache.sqlite? Thanks!
Another way that should preserve data that is set for deletion is to process the phone with an unknown passcode workflow but when it gets time to bruteforce the PIN you instead enter the known PIN. You never manually unlock the phone (as the process of unlocking the phone triggers the deletion of data), but not all tools support this method of extraction. I know this works for artifacts like photos (and now text messages on iOS 16) that sit in the Recently Deleted folder for ~30 days before being actually deleted. These artifacts can be extracted after the 30 days is up using this method, I don't know if it works for location data as well.
👍 2
ScottKjr3347 10/10/2022 12:34 PM
📢 Thanks to lots of recent feedback a NEW smaller query has been posted for each iOS version (11-16) Local PL Photos.sqlite. This query is focused on the asset: 🔂UUIDs 🗂️File Names ⌚️Timestamps 📒Album Titles 🙈Hidden & 🗑️Trash status https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries Hope they help (edited)
👍 11
leedemozza22 10/11/2022 5:29 AM
Ok, so I've got an Excel doc that has been generated from an iPhone extraction. In the timeline there are entries (source is interactionC) where it's saying com.apple.InCallService: incoming call from Jon doe. Only there is no data in the call log section to say a call has occurred. Any ideas???
5:30 AM
Cellebrite was used.....
leedemozza22 10/11/2022 5:37 AM
Would this be a case of that call log being deleted from the device?
leedemozza22
Would this be a case of that call log being deleted from the device?
Bill (VeriFi) 10/11/2022 6:50 AM
I have seen this same thing when a call is deleted from the call log, but interactionC still shows the activity. I would check the callhistory.sqlite prime key sequencing to see if there are gaps in the sequence during the time of your interactionC activity.
Having a nightmare with a Nokia 105 TA-1174. We have a physical via 4PC but PA decoded 168 unrecognised files. XRY won't extract at all and tried all sorts such as import the physical, different profiles. Nothing seems to be working to get anything out of it and decode. Any suggestions?
Sorted. It seems to be an MTK chipset, not a Spreadtrum, as the tools are trying to decode it as. The generic MTK profile got it.
@Cellebrite If I open an image file in PA from an iOS FFS extraction located in /private/var/mobile/Media/DCIM/...., under "General" in the "File Info" tab is a row called "iOS classifications". Can you let me know how the data in this row is populated? Where is this data taken from? Thanks
For awareness, Axiom Examine v6.6.0.33061 presently does not display HEIC images in the Conversation View or in the Chat Preview Reports (html or PDF). They are aware of this issue.
Can multiple android applications write data to the following cache folder? 'Dump\data\data\com.google.android.apps.messaging\cache\image_manager_disk_cache\ ' subject was using Kik, a lot of CSAM thumbnails in gallery but source files appear to have been purged. (edited)
AmNe5iA
@Cellebrite If I open an image file in PA from an iOS FFS extraction located in /private/var/mobile/Media/DCIM/...., under "General" in the "File Info" tab is a row called "iOS classifications". Can you let me know how the data in this row is populated? Where is this data taken from? Thanks
CLB_iwhiffin 10/11/2022 11:07 AM
That comes from the photos.sqlite database. It's iOS's own classification of the image's subject matter.
Peacekeeper
Question in regards to the contents of Cache.sqlite. I think I know the answer, but I guess it's better to check nonetheless. I have an iPhone where location history is crucial. The device owner will not be able to give the answer on short notice (medically induced coma). I have turned the device off to preserve the data within Cache.sqlite. If I'm not mistaken, with the device off, it'll retain the information, but I don't know for sure if it'll purge the info once the device is unlocked in a couple of weeks. I think not. Just in case I'm currently running a supersonic bruteforce (thanks @Cellebrite!). I don't think it will, but again better safe to check: Does anyone know if this has any impact on the contents of Cache.sqlite? Thanks!
CLB_iwhiffin 10/11/2022 11:09 AM
Since you are using a bootloader approach, the main OS will not start and you should have the data nice and safe.
❤️ 1
CLB_iwhiffin
That comes from the photos.sqlite database. It's iOS's own classification of the image's subject matter.
I thought so but when I look at the list of databases, Photos.sqlite isn't listed as "Decoded by 'Cellebrite'" so was thrown off
CLB_iwhiffin
Since you are using a bootloader approach, the main OS will not start and you should have the data nice and safe.
CLB_iwhiffin 10/11/2022 11:10 AM
And I just realised Scooter beat me to it 🙂
AmNe5iA
I thought so but when I look at the list of databases, Photos.sqlite isn't listed as "Decoded by 'Cellebrite'" so was thrown off
CLB_iwhiffin 10/11/2022 11:11 AM
OK thanks, I'll look into that. I've heard a couple of times that we are decoding stuff but not reflecting that in that table
@Cellebrite is there any way to merge multiple pas files?
Hi, has anyone had any luck decoding/decrypting .exo files? I see I'm not the only person to have ever asked but just wondered if there were any updates that might assist with an investigation? Thanks in advance. @MSAB @Magnet Forensics @Cellebrite (edited)
Anyone from @Cellebrite for a quick dm?
📬 1
lala1234
@Cellebrite is there any way to merge multiple pas files?
Peacekeeper 10/12/2022 6:34 AM
This question has been asked before quite recently if I remember correctly. Also the answer was no, unfortunately not (if I remember correctly again)
Peacekeeper
This question has been asked before quite recently if I remember correctly. Also the answer was no, unfortunately not (if I remember correctly again)
Sorry if I missed it and thank you! 😁
Erik
Anyone know if there is a plist with account settings in Snapchat from a full file system extraction? I want to know how the user account handles saved snaps.
I assume iOS. Logged in user info is in "user.plist", also sent you a dm.
Need some assistance with decrypting telegram database v8.7.1 iOS 14.6 iPhone. Need to know where cached files came from.
OggE
Need some assistance with decrypting telegram database v8.7.1 iOS 14.6 iPhone. Need to know where cached files came from.
I can assist
7:36 AM
I have a script that can do it, DM me
Chris Myers 10/13/2022 8:39 AM
SMS question: When I look at a full filesystem dump in PA from an LG K30, I see duplicate text messages showing in conversations. They always have the exact same text, along with sent/received times. Any idea why this is?
Chris Myers
SMS question: When I look at a full filesystem dump in PA from an LG K30, I see duplicate text messages showing in conversations. They always have the exact same text, along with sent/received times. Any idea why this is?
What is the source of the messages? If I remember correctly, SMS messages are stored in several places in memory.
this 2
Chris Myers
SMS question: When I look at a full filesystem dump in PA from an LG K30, I see duplicate text messages showing in conversations. They always have the exact same text, along with sent/received times. Any idea why this is?
Android devices will most likely store the messages in the SMSMMS.db along with the specific SMS application used. (IE Samsung Messages for Samsung phones... etc) You just need to determine which application is set as the primary SMS application.
@Law Enforcement [UK] Anyone else encountering UFED reports showing 0 bytes for media? Having a few members of staff encounter this stating it's affecting them when they're creating password protected reports. Fine without a password.
Yes happened with a much earlier version of PA. Don't know what caused it but it seemed to be just failing to create the report. I had to just stick it in a zip and encrypt the zip. Sorry can't be much more help.
👍 1
Achris
Yes happened with a much earlier version of PA. Don't know what caused it but it seemed to be just failing to create the report. I had to just stick it in a zip and encrypt the zip. Sorry can't be much more help.
Do you know which version of PA?
Sorry no, but it was around June or July last year and it was the latest version at the time. I was working at a different organisation or I would try to find the file. (edited)
Rob
@Law Enforcement [UK] Anyone else encountering UFED reports showing 0 bytes for media? Having a few members of staff encounter this stating it's affecting them when they're creating password protected reports. Fine without a password.
Hiya, I am checking this out but all information is greatly appreciated!
@Cellebrite any reported issue about the following PA error "array dimensions exceeded supported range" when parsing a physical extraction? .UFD loaded into PA, same issue by selecting the phone model too
Rob
@Law Enforcement [UK] Anyone else encountering UFED reports showing 0 bytes for media? Having a few members of staff encounter this stating it's affecting them when they're creating password protected reports. Fine without a password.
Is the core data you are producing the report from networked or local? I know in the past reports from PA had all kinds of issues over a network.
8:58 AM
@Rob - @CLB-ZanR is from Cellebrite (although showing up as LE UK) so she should have a solution in time maybe. (edited)
Zhaan
Is the core data you are producing the report from networked or local? I know in the past reports from PA had all kinds of issues over a network.
Networked. Albeit from initial testing it doesn't seem to be a global issue (in our lab at least)
9:18 AM
I'm planning some deeper internal testing for Monday's problem to see if I can't find patterns between which machines are causing havoc.
Zhaan
@Rob - @CLB-ZanR is from Cellebrite (although showing up as LE UK) so she should have a solution in time maybe. (edited)
Spotted their sneaky blending in attempt 😂 If it isn't Gerard responding to tickets it's Zan. (edited)
Rob
Spotted their sneaky blending in attempt 😂 If it isn't Gerard responding to tickets it's Zan. (edited)
I'll get to changing that now!
😂 1
@Cellebrite pa 8.2.0.544 still not loading GK extraction correctly when they are in a zip.
beamar
@Cellebrite pa 8.2.0.544 still not loading GK extraction correctly when they are in a zip.
Expected. 7.57.1 does, but it will be in the next sub-release
Damn. Kk. Ty
Soon 🙂
@Cellebrite Also doesn’t seem to like when I load more than 1 GK extraction. Would be nice if I could remove a loaded extraction without deleting the whole case
questions to @Oxygen Forensics. Does keyscout support aff4 mac file dump? (edited)
chrisforensic 10/16/2022 8:21 AM
Anyone know if PA Ultra 8.2.0.544 prerelease has all features (and more of course) of PA 7.57.1, or are some features still missing? (edited)
chrisforensic
Anyone know if PA Ultra 8.2.0.544 prerelease has all features (and more of course) of PA 7.57.1, or are some features still missing? (edited)
I feel like 7.57. is still the better option, you can have both installed
👍 2
beamar
I feel like 7.57. is still the better option, you can have both installed
chrisforensic 10/16/2022 8:29 AM
so still some features of 7.57.1 missing in PA 8 ?
chrisforensic
so still some features of 7.57.1 missing in PA 8 ?
What features are you looking for? As I posted about above, we use graykey a lot also. 8.2 fails (unless unzipped) to load those extractions. I seem to have a hard time loading multiple extractions of 1 phone into 8.2 to create a single report. 8.2 indexes the phone into a database so it loads fast when re-opening, which is awesome. But if you need to make changes, such as remove an extraction, it doesn't seem to work without deleting the entire case and starting over. In my current role, I deal with extracting more than decoding the extraction. So when I create a report, I just like to provide the most information possible.
8:38 AM
I tried 8.1 a bunch and ran into issues which forced me to use 7.57 more. I was happy to see the release of 8.2. It seems odd that 5.57 has issues resolved that 8.2 doesn't. They, imo, appear to be pushing more releases of the older 7 platform. Recently ran into an issue with 8.2 that required us to un-install packages that windows update installed.
8:38 AM
I should make a report and try to compare the 2. As far as I can tell, 8 doesn't offer any more in terms of parsing data compared to 7
beamar
What features are you looking for? As I posted about above, we use graykey a lot also. 8.2 fails (unless unzipped) to load those extractions. I seem to have a hard time loading multiple extractions of 1 phone into 8.2 to create a single report. 8.2 indexes the phone into a database so it loads fast when re-opening, which is awesome. But if you need to make changes, such as remove an extraction, it doesn't seem to work without deleting the entire case and starting over. In my current role, I deal with extracting more than decoding the extraction. So when I create a report, I just like to provide the most information possible.
CLB_iwhiffin 10/16/2022 10:30 AM
The .net issue last week did sadly affect Ultra and 7.x versions of PA. Both will be fixed very soon. The GK issue of having to unzip the file first has been addressed in 7.57.1 and will be addressed in 8.2.1 along with a few other bits. It will only be a minor release so won't fix all the missing features. Features like App Genie and SQLWizard should be getting an overhaul and won't be making an appearance until early next year I imagine.
Not hating Ian, just saying I want to use ultra, just find myself back in 7 :/
skipper
questions to @Oxygen Forensics. Does keyscout support aff4 mac file dump? (edited)
Oxygen Forensics 10/17/2022 12:29 AM
Hello, currently no, but we are open to suggestions on adding support for it 🙂
Have some images stored on an iPad in com.apple-quicklook.extensions.previewUI, there are a bunch of guids. Any way to trace back to where they came from?
Anyone from @Cellebrite around for a question?
📬 1
beamar
Not hating Ian, just saying I want to use ultra, just find myself back in 7 :/
CLB_iwhiffin 10/17/2022 7:09 AM
No offence taken! I just wanted to address a couple of the points 🙂
👍 1
CLB_iwhiffin
No offence taken! I just wanted to address a couple of the points 🙂
Cool. I have to message you later, need to do 3 different warrant returns that I'm not sure are loading all that great.
Achris
Yes happened with a much earlier version of PA. Don't know what caused it but it seemed to be just failing to create the report. I had to just stick it in a zip and encrypt the zip. Sorry can't be much more help.
" I had to just stick it in a zip and encrypt the zip" ... You've got the beginnings of a 4n6 hip hop song there...lol 😎 I will now be repeating that every 2 seconds in my brain for the rest of the day 🫤 (edited)
🤣 1
JayB1rd
" I had to just stick it in a zip and encrypt the zip" ... You've got the beginnings of a 4n6 hip hop song there...lol 😎 I will now be repeating that every 2 seconds in my brain for the rest of the day 🫤 (edited)
Ha, thanks, now it's in my head too 😆
😏 1
Hi. Has anyone dealt with flags from voicemail.db on iPhone? Interested to know what the flags field means. Numbers include 67, 10 & 3. Thanks
Anyone familiar with the setting to allow XRY to export each data type to an individual spreadsheet? I'm sure I remember it existing.
7:19 AM
@MSAB
Mr Saturn
Anyone familiar with the setting to allow XRY to export each data type to an individual spreadsheet? I'm sure I remember it existing.
Not a separate spreadsheet, but each category should be exported to an individual tab in Excel. Or is it the 'Unroll groups' that you are thinking of? To split a sender into 'Name', 'Phone number' etc instead of treating all data for a sender as one artifact? That setting is available on the 'Adaptive' layout. (edited)
MSAB_Sofia
Not a separate spreadsheet, but each category should be exported to an individual tab in Excel. Or is it the 'Unroll groups' that you are thinking of? To split a sender into 'Name', 'Phone number' etc instead of treating all data for a sender as one artifact? That setting is available on the 'Adaptive' layout. (edited)
Hmm ok, I thought I recalled you could have it broken down into Contacts, Chats, media etc
Mr Saturn
Hmm ok, I thought I recalled you could have it broken down into Contacts, Chats, media etc
Not that I can remember, but it could be from before my time... 😉
Anyone tried analyzing Alibaba and Aliexpress from a FFS iPhone? Is there any data to fetch?
@Cellebrite @heatherDFIR Can anyone explain what ZLOCATION column in ZCALLRECORD means? in CallHistory.storedata
Hi, does anyone have experience with Google Takeout location history? Especially the waypoints as Place IDs?
1:02 PM
Let's just say we have a route which we see very detailed in the segmented location history as a route of 248 place IDs, which I have looked up via the Google API, and so have 248 lat/long coordinates. It's a pretty detailed car route which could be true, but I wonder if the phone actually logs all of this or if a lot of it is just estimation and guessing by Google...
belskayal
@Cellebrite @heatherDFIR Can anyone explain what ZLOCATION column in ZCALLRECORD means? in CallHistory.storedata
CLB_iwhiffin 10/18/2022 3:39 PM
Just for everyone’s benefit; this is just the approximate location of the 3rd party on the call. It may say something like “Texas” or “United Kingdom”. Afaik it’s getting the location from the area code.
cygnusx
Let's just say we have a route which we see very detailed in the segmented location history as a route of 248 place IDs, which I have looked up via the Google API, and so have 248 lat/long coordinates. It's a pretty detailed car route which could be true, but I wonder if the phone actually logs all of this or if a lot of it is just estimation and guessing by Google...
Deleted User 10/18/2022 8:40 PM
A lot of it will be estimation and guessing by Google. Where able and if possible Google will be as exact as possible. Finding said details which prove or disprove, not likely.
We've heard some rumors regarding Knowledgec in iOS 16. That it might not be present and if you are trying to acquire via Graykey with known password knowledgec might be wiped? Does anyone know something about this or knowledgec in iOS in general?
j_matas
We've heard some rumors regarding Knowledgec in iOS 16. That it might not be present and if you are trying to acquire via Graykey with known password knowledgec might be wiped? Does anyone know something about this or knowledgec in iOS in general?
CLB_iwhiffin 10/19/2022 4:29 AM
I have an iOS16.0 extraction which has knowledgeC and is full of data. I can see it changing anytime soon but who knows.
SportBilly20 10/19/2022 5:29 AM
Is anybody from Cellebrite available for a quick query?
j_matas
We've heard some rumors regarding Knowledgec in iOS 16. That it might not be present and if you are trying to acquire via Graykey with known password knowledgec might be wiped? Does anyone know something about this or knowledgec in iOS in general?
I think you are referring to the fact that several artifacts from knowledgeC changed to Biome. I read that Biome gets deleted when an iPhone gets placed in DFU for making an FFS. I haven't tested this yet. @CLB_iwhiffin (edited)
👀 1
Deleted User
A lot of it will be estimation and guessing by Google. Where able and if possible Google will be as exact as possible. Finding said details which prove or disprove, not likely.
Yeah ok, but how much guessing is it. Will it completely guess routes from a to b? Or just connect the dots a little bit?
florus
I think you are referring to the fact that several artifacts from knowledgeC changed to Biome. I read that Biome gets deleted when an iPhone gets placed in DFU for making an FFS. I haven't tested this yet. @CLB_iwhiffin (edited)
CLB_iwhiffin 10/19/2022 8:02 AM
Interesting. Good job I added a SEGB viewer recently to my tools. I'll look into this though. From the extraction I have, I still see lots of the regular type of data (device locked, backlight, notifications etc.) I also have message intent data which includes the party and body text. So little has changed from what I can see, although the dataset is limited so I can't comment about too much. (edited)
ANDROID USAGE STATS-MAGNET AXIOM I'm currently conducting an analysis on an Android Device running Android 12. The context of this analysis is centered around a pedestrian strike of a 75-year-old man… I’m stuck on trying to figure out if the events I see in Android App Usage are user created or app/system created. Specifically with the Instagram app… I've been referred to the Android Developer guide but what I've found doesn't clarify the answer I'm looking for. Looking for help from anyone familiar with these specific artifacts, which are similar in nature to the iOS knowledgeC database, just not as verbose. See attached photos
Andrew Rathbun 10/19/2022 11:39 AM
May be worth asking in #password-encryption-cracking too if you don't get an answer here
sqlite
ANDROID USAGE STATS-MAGNET AXIOM I'm currently conducting an analysis on an Android Device running Android 12. The context of this analysis is centered around a pedestrian strike of a 75-year-old man… I’m stuck on trying to figure out if the events I see in Android App Usage are user created or app/system created. Specifically with the Instagram app… I've been referred to the Android Developer guide but what I've found doesn't clarify the answer I'm looking for. Looking for help from anyone familiar with these specific artifacts, which are similar in nature to the iOS knowledgeC database, just not as verbose. See attached photos
CLB_joshhickman1 10/19/2022 11:49 AM
With that being Android 12, have you also looked at Digital Wellbeing to help (possibly) give some context around the Usage Stats?
sqlite
ANDROID USAGE STATS-MAGNET AXIOM I'm currently conducting an analysis on an Android Device running Android 12. The context of this analysis is centered around a pedestrian strike of a 75-year-old man… I’m stuck on trying to figure out if the events I see in Android App Usage are user created or app/system created. Specifically with the Instagram app… I've been referred to the Android Developer guide but what I've found doesn't clarify the answer I'm looking for. Looking for help from anyone familiar with these specific artifacts, which are similar in nature to the iOS knowledgeC database, just not as verbose. See attached photos
CLB_joshhickman1 10/19/2022 11:58 AM
As I've been testing and using Sarah Edwards' excellent APOLLO pattern of life framework for iOS I reminded myself of the great work done...
sqlite
ANDROID USAGE STATS-MAGNET AXIOM I'm currently conducting an analysis on an Android Device running Android 12. The context of this analysis is centered around a pedestrian strike of a 75-year-old man… I’m stuck on trying to figure out if the events I see in Android App Usage are user created or app/system created. Specifically with the Instagram app… I've been referred to the Android Developer guide but what I've found doesn't clarify the answer I'm looking for. Looking for help from anyone familiar with these specific artifacts, which are similar in nature to the iOS knowledgeC database, just not as verbose. See attached photos
you can try running it through ALEAPP, and checking the timeline afterwards to see if we parse out anything around it https://github.com/abrignoni/ALEAPP
CLB_iwhiffin
I have an iOS16.0 extraction which has knowledgeC and is full of data. I can see it changing anytime soon but who knows.
thanks! 🙂 Sounded weird to me as well... think it was a guy from GK who said it on a webinar
stark4n6
you can try running it through ALEAPP, and checking the timeline afterwards to see if we parse out anything around it https://github.com/abrignoni/ALEAPP
Thank you all for the suggestions i.e Android Usage Stats. Much appreciated
j_matas
thanks! 🙂 Sounded weird to me as well... think it was a guy from GK who said it on a webinar
CLB_iwhiffin 10/20/2022 10:59 AM
I did a little more digging and there is certainly less data in there (things like Keybag locked and Plugged in have now gone) but as I mentioned above, some stuff remains. I'm sure we'll get a fuller picture soon as we see more FFS extractions come along.
j_matas
thanks! 🙂 Sounded weird to me as well... think it was a guy from GK who said it on a webinar
theAtropos4n6 10/21/2022 1:39 AM
Well, maybe you should also take a look at Christopher Vance's @cScottVance research. Apparently Biome is a thing indeed. Maybe not fully applied yet but still you shouldn't skip that. Here you can find his posts: https://blog.d204n6.com/ What is more, Alexis along with some contributors have already updated iLEAPP in order to successfully parse some of them. Latest version available here: https://github.com/abrignoni/iLEAPP/releases/tag/v.1.18.0 (edited)
👍 5
Hi, Does anyone know the answer to this?
  • Is it possible to recover any deleted / expired data in the Wickr database or is this data forensically wiped ?
Beno 🇬🇧 10/21/2022 5:34 AM
Hello, Does anyone know the url to update a cellebrite sentinel hasp key using the browser ?
claireh
Does anyone know how to crack the code of Telegram's attachment file naming convention? 1_xxxx or 4_xxxx? Is there a mob number? A timestamp? A hash? Or just random. (old job resurfaced - logical only extractions only)
citizencain 10/21/2022 5:51 AM
@claireh did you ever get an answer to this? Trying to figure it out also.
anyone know where the iOS accessibility option for the flash for alerts would be stored?
p0tt541
anyone know where the iOS accessibility option for the flash for alerts would be stored?
might possibly be VisualAlertEnabed from com.apple.Accessibility.plist
Vergas
Hi, Does anyone know the answer to this?
  • Is it possible to recover any deleted / expired data in the Wickr database or is this data forensically wiped ?
Is It Done Yet? 10/21/2022 10:54 AM
I recently had a job regarding the Burn on Read feature within Wickr, not sure if that is something which is within scope of your question? Or are you just looking for specifically user deleted data?
10:56 AM
FYI - if you are after BoR messages, my testing indicates no. Wickr sends messages with different encryption keys for each message which are deleted after sending so there is no chance of recovery unfortunately. (iPhone 8 iOS 15.1)
👌 1
Is It Done Yet?
I recently had a job regarding the Burn on Read feature within Wickr, not sure if that is something which is within scope of your question? Or are you just looking for specifically user deleted data?
It's more the expiration / burn on read deletion than user deletion
Is It Done Yet?
FYI - if you are after BoR messages, my testing indicates no. Wickr sends messages with different encryption keys for each message which are deleted after sending so there is no chance of recovery unfortunately. (iPhone 8 iOS 15.1)
Thank you
Vergas
It's more the expiration / burn on read deletion than user deletion
Is It Done Yet? 10/21/2022 11:01 AM
Then no - as far as I am aware you are bang out of luck
@Cellebrite Got an iPhone 11 running iOS 16.0.0. Thrown it into PA and none of the databases etc. have been parsed. Is this a known issue?
iOS 16 is supported (up to new features that will be supported in the coming versions). If nothing is parsed it's probably related to the extraction structure in general and not specifically to iOS 16 (edited)
CLB-ChenK
iOS 16 is supported (up to new features that will be supported in the coming versions). If nothing is parsed it's probably related to the extraction structure in general and not specifically to iOS 16 (edited)
The extraction method - GK/iOS combo has been ok in PA before
What PA version are you using? It might be a modified extraction zip structure that is supported in the latest PA version
CLB-ChenK
What PA version are you using? It might be a modified extraction zip structure that is supported in the latest PA version
Latest 7.57.1.9. I've got logs if that helps : ) (edited)
Should be supported.. If it's an urgent case please share in dm, if not please open a support ticket so it is properly handled 🙏
📧 1
Anyone got any experience with Snapchat 'senderid' within a BFU extraction. Is this senderid local to the phone or can the user be determined by Snapchat with this same senderid? Happy to have a chat in DM 🙂 (edited)
Anyone from cellebrite around I could have a very quick word with?
llysa
Anyone from cellebrite around I could have a very quick word with?
Maybe ping @Cellebrite instead
Nutelap
Maybe ping @Cellebrite instead
That would make sense! 😂
6:53 AM
@Cellebrite anyone free for a quick question please.
📫 1
Peacekeeper 10/24/2022 7:13 AM
I have an FFS extraction of a OnePlus 8. We know that Lockbox is active, but we don't know if there is anything in there. Premium doesn't show the option to bruteforce the passcode of the Lockbox, unfortunately. I am searching through several databases to find clues on whether or not we got the decoded contents of the Lockbox. Anyone know where I should look? I do know that on Samsung's Secure Folder you get user 150, but in OnePlus that unfortunately is not the case. Maybe @King Pepsi, you had a similar question over a year ago, did you find your answer? Or possibly someone @Cellebrite that knows the answer to my question? Thanks a bunch!
GraemeHorsman 10/24/2022 9:25 AM
Hi everyone, bit of a random question and partly due to not being in my lab - can anyone summarise the current capability for Snapchat data recovery and what things the tools don’t get out and parse please? If possible that is - are snaps recoverable? Apologies I haven't looked at this app in anger for years
Peacekeeper
I have an FFS extraction of a OnePlus 8. We know that Lockbox is active, but we don't know if there is anything in there. Premium doesn't show the option to bruteforce the passcode of the Lockbox, unfortunately. I am searching through several databases to find clues on whether or not we got the decoded contents of the Lockbox. Anyone know where I should look? I do know that on Samsung's Secure Folder you get user 150, but in OnePlus that unfortunately is not the case. Maybe @King Pepsi, you had a similar question over a year ago, did you find your answer? Or possibly someone @Cellebrite that knows the answer to my question? Thanks a bunch!
theAtropos4n6 10/24/2022 11:34 AM
Is this the model IN2020? If so, with which tool were you able to get a FFS? I have the same model but cannot get a FFS. As for your question, I have never faced Lockbox but I have faced Huawei SafeBox. It was located under the data\media\0\ directory. Take a look there. Maybe there is a folder named Lockbox.
theAtropos4n6
Is this the model IN2020? If so, with which tool were you able to get a FFS? I have the same model but cannot get a FFS. As for your question, I have never faced Lockbox but I have faced Huawei SafeBox. It was located under the data\media\0\ directory. Take a look there. Maybe there is a folder named Lockbox.
IN2020 indeed, if memory serves correctly. I was able to bruteforce and dump the device using UFED Premium 🙌
Peacekeeper
IN2020 indeed, if memory serves correctly. I was able to bruteforce and dump the device using UFED Premium 🙌
theAtropos4n6 10/24/2022 11:37 AM
Ok, thank you. Check this path; maybe it hides something interesting.
Premium supports pretty much all OnePlus devices starting with OnePlus 3, both AFU and BF. UFED currently supports getting a FFS from most OnePlus devices with a known passcode. Some OnePlus 8 SPLs are not supported in the latest version, but will be supported in UFED 7.60.
Hi all. Is anybody from @Cellebrite around for a quick licensing question?
Paul Mastered 10/25/2022 5:59 AM
Hello everybody, can anyone help me with upload evidence? I am trying to extract image upload evidence from an Android phone, a Samsung S10E; it has 2 browsers inside, Android and Google Chrome. Thank you in advance.
Anyone had success lately with decrypting the Health database on Samsung devices? I thought the way Cellebrite describes it in their blog post should work for Android 11. I do have multiple regex hits on the SQLCipher key in a memory dump, but none of them seem to work.
Anyone from @Cellebrite able to DM me regarding PA issue?
Paul Mastered
Hello everybody, can anyone help me with upload evidence? I am trying to extract image upload evidence from an Android phone, a Samsung S10E; it has 2 browsers inside, Android and Google Chrome. Thank you in advance.
theAtropos4n6 10/25/2022 1:13 PM
Do you know where the files were uploaded to? Domain? URL?
Is there a way to see where a thumbnail had originated from for iPhones? I’m convinced photos.SQLite used to have it somewhere. Working with a ffs of an iPhone 6s running iOS 15.4.1. Thanks!
King Pepsi
Is there a way to see where a thumbnail had originated from for iPhones? I’m convinced photos.SQLite used to have it somewhere. Working with a ffs of an iPhone 6s running iOS 15.4.1. Thanks!
Is It Done Yet? 10/26/2022 12:57 AM
Do you mean see the original file or as in when/where the thumbnail was created?
Just to see where it was created/came from really
Is It Done Yet? 10/26/2022 1:14 AM
Circumstantially, you could use timeline view / look at DataUsage.sqlite, that might give an indication. Not sure if much more is really held in *.ithmb database
@OllieD I have sent you a DM regarding Lockmypix, maybe you can help me.
Wondering if anyone can give me an idea or fix. I had a successful advanced logical extraction of a Samsung Galaxy device. When I load it into PA it appears the chain is not working. I have tried to load the chain through a blank project. I thought it was a PA issue, but I have loaded the zip into Axiom and still get the same results.
Ghosted
Wondering if anyone can give me an idea or fix. I had a successful advanced logical extraction of a Samsung Galaxy device. When I load it into PA it appears the chain is not working. I have tried to load the chain through a blank project. I thought it was a PA issue, but I have loaded the zip into Axiom and still get the same results.
There are different possible causes of this issue: if you open a .ufdx or a .ufd, you could open it with a text editor or so and look at the paths that it is referencing. They might be wrong. Another issue might be that the paths are too long; you could just move the extraction to Z:. Just ask me if it doesn't work; might be that we find the issue 🙂
King Pepsi
Is there a way to see where a thumbnail had originated from for iPhones? I’m convinced photos.SQLite used to have it somewhere. Working with a ffs of an iPhone 6s running iOS 15.4.1. Thanks!
ScottKjr3347 10/26/2022 5:43 AM
What is the path of the thumb?
First one of interest was: Private\var\Mobile\Media\PhotoData\Thumbnails\V2\DCIM101Apple*original image name\ Second was photos picker which whilst I’m happy it relates to the applications asking which photos you want to allow them, I was hoping it would say which app!
King Pepsi
First one of interest was: Private\var\Mobile\Media\PhotoData\Thumbnails\V2\DCIM101Apple*original image name\ Second was photos picker which whilst I’m happy it relates to the applications asking which photos you want to allow them, I was hoping it would say which app!
@ScottKjr3347 apologies, forgot to include you in response.
King Pepsi
First one of interest was: Private\var\Mobile\Media\PhotoData\Thumbnails\V2\DCIM101Apple*original image name\ Second was photos picker which whilst I’m happy it relates to the applications asking which photos you want to allow them, I was hoping it would say which app!
ScottKjr3347 10/26/2022 6:12 AM
Can't help with the photo picker portion. You bring up a great question/test. For the V2 thumbs, if you use Photos.sqlite and the ZINTERNALRESOURCE table data, it will provide you with information about the thumbs related to the assets, including ones stored in /media/PhotoData/Thumbnails/V2/. This is something I am currently writing up and working to include in my queries. The new query will decode the internal resource table data and also show the file name, original file name and the imported app ID/app name for the asset if it exists. It will also show the original file size and the internal resource file length so they can be compared. The blog and research is focused around determining if the thumbs or files located in an iPhone acquisition are related to Optimize iPhone Storage and if the full-sized asset might be stored in iCloud Photos. More than likely, if you have a thumb in that file path and no full-sized asset, it's due to iPhone Storage Optimization. (edited)
Ahh lovely, I’ll take a look at that now. Thanks!
Anyone got anything to decrypt PhotoGuard media, the Android 'vault' app?
ScottKjr3347
Can't help with the photo picker portion. You bring up a great question/test. For the V2 thumbs, if you use Photos.sqlite and the ZINTERNALRESOURCE table data, it will provide you with information about the thumbs related to the assets, including ones stored in /media/PhotoData/Thumbnails/V2/. This is something I am currently writing up and working to include in my queries. The new query will decode the internal resource table data and also show the file name, original file name and the imported app ID/app name for the asset if it exists. It will also show the original file size and the internal resource file length so they can be compared. The blog and research is focused around determining if the thumbs or files located in an iPhone acquisition are related to Optimize iPhone Storage and if the full-sized asset might be stored in iCloud Photos. More than likely, if you have a thumb in that file path and no full-sized asset, it's due to iPhone Storage Optimization. (edited)
ScottKjr3347 10/26/2022 7:19 AM
@King Pepsi Here is an early release for iOS 15. Keep in mind I’m still working on the decoding. (edited)
theAtropos4n6
Do you know where the files were uploaded to? Domain? URL?
Paul Mastered 10/26/2022 8:01 AM
The problem is that I do not know. I only know that they have been uploaded to a portal, an aggregator of dating portals, where you make a publication and then the ad is automatically replicated on multiple portals. The evidence we are looking for is whether the photos taken with the phone have been uploaded through the system browser.
Mistercatapulte 10/26/2022 8:07 AM
hi guys, does someone know the path data/media/0/.hidex_dont_delete_me/files/h/i/d/e/x/1 and what app it's referred to? I've found a video of interest inside and I'd like to know what app it is from or why it's stored there (Samsung A50, Android 11)
8:09 AM
found the answer
8:09 AM
it's a calculator named "com.flatfish.cal.privacy"
Paul Mastered
The problem is that I do not know. I only know that they have been uploaded to a portal, an aggregator of dating portals, where you make a publication and then the ad is automatically replicated on multiple portals. The evidence we are looking for is whether the photos taken with the phone have been uploaded through the system browser.
theAtropos4n6 10/26/2022 9:34 AM
Have you searched by using keywords such as the portal's name and the word "upload"? Any results? You could also compare the EXIF data of the uploaded photos with the ones from the device.
theAtropos4n6
Have you searched by using keywords such as the portal's name and the word "upload"? Any results? You could also compare the EXIF data of the uploaded photos with the ones from the device.
Paul Mastered 10/26/2022 9:40 AM
Yes, I did research with the name of the file; unfortunately the original file is no longer present on the device, and the extraction I had is of type "file system", so you cannot do data carving. I know the name of the portal where it was uploaded, and did some research with Cellebrite Reader. I was wondering if this information was also saved in the system files, maybe in some SQLite database. Anyway, thanks for the reply 🙂
Anyone have a fix for PA when Report / Generate Report is grayed out and doesn't give you the option? I ran App Genie and malware scanning, confirmed the image hash, and it's been sitting for a while not letting me create a report. Thinking of restarting the forensic machine, but figured I'd check first so as to save the work I did.
Ghosted
Anyone have a fix for PA when Report / Generate Report is grayed out and doesn't give you the option? I ran App Genie and malware scanning, confirmed the image hash, and it's been sitting for a while not letting me create a report. Thinking of restarting the forensic machine, but figured I'd check first so as to save the work I did.
Is something running in the background? Like sorting images or location stuff? Usually I get that till it is done.
12:10 PM
or if it is hashing the images.
@beamar I waited 5 hours and still nothing. Cancelled, started over, and it just finished with no problem. Weird.
weird indeed
Hello all. I have a case where the accused used two different WhatsApp accounts. I have a Full Filesystem of their phone, but only the current WhatsApp account information is available. Is there a place somewhere in a database that may contain any of the old account conversations? I was unable to get these messages extracted from the victim's phone and was only able to export them from within WhatsApp as .txt files, and I don't think these will hold up well in court. With these .txt files I can, however, see what the conversations that I'm looking for should look like. I also know the phone number of the accused's old account. Thanks in advance.
p0tt541
Anyone got anything to decrypt PhotoGuard media, the Android 'vault' app?
insanlyfused 10/26/2022 1:22 PM
Hey, was just wondering if you ever got an answer to this. I know there is media within the application as I have the correct PIN code; I obtained a full file system extraction, and the files are listed but not decrypted. Any assistance would be greatly appreciated.
insanlyfused
Hey, was just wondering if you ever got an answer to this. I know there is media within the application as I have the correct PIN code; I obtained a full file system extraction, and the files are listed but not decrypted. Any assistance would be greatly appreciated.
I know @bang has been looking into a lot of similar apps
insanlyfused
Hey, was just wondering if you ever got an answer to this. I know there is media within the application as I have the correct PIN code; I obtained a full file system extraction, and the files are listed but not decrypted. Any assistance would be greatly appreciated.
Hi insanlyfused. What version of PhotoGuard?
bang
Hi insanlyfused. What version of PhotoGuard?
insanlyfused 10/26/2022 1:53 PM
I currently don't know; I can confirm tomorrow when I am in the office. I do know the application is installed on an Android device (Huawei). Is there a chance of decrypting the media when you know the PIN code?
Okay, PM me tomorrow when you know the version. No, the PIN is access only; the decryption requires other things!
bang
Okay, PM me tomorrow when you know the version. No, the PIN is access only; the decryption requires other things!
insanlyfused 10/26/2022 10:54 PM
I just direct messaged you the application version.
@Cellebrite extracting an iPad, Physical Analyzer uses "android decoding"; how can I force decoding for iPad?
ScottKjr3347
@King Pepsi Here is an early release for iOS 15. Keep in mind I’m still working on the decoding. (edited)
Awesome, thanks!!
I want to process a popular mail app (in Germany; it is Web.de Mail & Cloud) in Cellebrite PA with the SQLite Assistant (iOS). However, the assignment of the involved emails is solved in the table with two entries per mail. How do I set it to merge these? @Cellebrite (edited)
Anyone familiar with anything that can decrypt the app named Session - Private Messenger? It is named network.loki.messenger within an Android FFS.
Mistercatapulte 10/27/2022 5:02 AM
@fraser it's based on the Signal architecture; I'm interested too if someone has info
Great. Hopefully there is something out there, or released soon.
forensicgeek 10/27/2022 5:50 AM
Good afternoon. I have an Android device and identified the file path com.instagram.android/cache/images.stash/clean. Has anyone seen this file path before and could provide me with some information about it? Thanks in advance.
@Cellebrite I'm having an issue exporting chat messages. I performed a keyword search for chat messages. I want to export only the messages with a responsive keyword into Excel format. I tagged all the messages and then went to generate the report, choosing to export just the tagged items. I have 764 tagged items. I began the export and it was still exporting 5 hours later. Is there a way to export only the messages with the keyword and not the entire conversation thread?
@Cellebrite or @GrayKey......I am hoping someone might be able to shed some light: I'm working an investigation where an individual fired shots in a public park. I received a GrayKey image of the suspect's iPhone that was processed using both Axiom and Cellebrite PA, and PA shows two different types of created timestamps, both showing different times a specific video was created. Emergency dispatch says they received a phone call from a local at 22:46 reporting the shots fired. The suspect took a video of himself shooting a weapon in the park. The thing is that the timestamp shows the video was created at 23:09. But in the Axiom PowerLog Timezone Information it has two time references: one is a "Monotonic date/time", the other is a "Baseband date/time". They are about 8 minutes apart. Why would the video say it was created 23 minutes after 911 gets a call if the Timezone info shows the time was only off by 8 minutes? (edited)
Just a thought, what is the length of the video?
7:43 AM
Also, @ScottKjr3347 is really good with images and videos from iPhones, he might have some input.
DFTraveler
@Cellebrite or @GrayKey......I am hoping someone might be able to shed some light: I'm working an investigation where an individual fired shots in a public park. I received a GrayKey image of the suspect's iPhone that was processed using both Axiom and Cellebrite PA, and PA shows two different types of created timestamps, both showing different times a specific video was created. Emergency dispatch says they received a phone call from a local at 22:46 reporting the shots fired. The suspect took a video of himself shooting a weapon in the park. The thing is that the timestamp shows the video was created at 23:09. But in the Axiom PowerLog Timezone Information it has two time references: one is a "Monotonic date/time", the other is a "Baseband date/time". They are about 8 minutes apart. Why would the video say it was created 23 minutes after 911 gets a call if the Timezone info shows the time was only off by 8 minutes? (edited)
ScottKjr3347 10/27/2022 8:42 AM
Check this out for help with Monotonic time from @forensicmike @Magnet https://www.forensicfocus.com/webinars/time-well-spent-precision-timing-monotonic-clocks-and-the-powerlogs-database-for-ios/ As for the 8 minute difference, this might be a null issue if it is just due to Monotonic time. If you truly have an 8 minute difference between the video capture timestamp and the 911 call timestamp, I can think of a few explanations, but more information would be needed. Like @FullTang stated, one explanation could be the length of the video. Another example would be the app that was used to capture the video: was it the native camera or Snapchat? Was it captured and then saved to the LPL? A little bit more information is needed. Also, have you verified the tool decoding against what's being stored in Photos.sqlite? (edited)
DFTraveler
@Cellebrite or @GrayKey......I am hoping someone might be able to shed some light: I'm working an investigation where an individual fired shots in a public park. I received a GrayKey image of the suspect's iPhone that was processed using both Axiom and Cellebrite PA, and PA shows two different types of created timestamps, both showing different times a specific video was created. Emergency dispatch says they received a phone call from a local at 22:46 reporting the shots fired. The suspect took a video of himself shooting a weapon in the park. The thing is that the timestamp shows the video was created at 23:09. But in the Axiom PowerLog Timezone Information it has two time references: one is a "Monotonic date/time", the other is a "Baseband date/time". They are about 8 minutes apart. Why would the video say it was created 23 minutes after 911 gets a call if the Timezone info shows the time was only off by 8 minutes? (edited)
forensicmike @Magnet 10/27/2022 9:40 AM
Imagine you are standing in a modern kitchen. Chances are there will be many clocks present (oven, wall clock, IoT, etc.) and they are not exactly in sync, because that level of synchronicity would be impossible. A smartphone is actually no different: there are multiple clocks and they can drift apart from each other for a variety of reasons (a common example where a significant shift occurs is daylight savings). However, some clocks also have a way of syncing back up with whichever authority they rely on for establishing the "correct" time. Now let's go back to the kitchen example. Let's say you are tasked with being able to recall a very specific moment in time, but expressed from the point of view of ANY of the clocks in the kitchen. How would you go about this? It's not trivial, that's for sure. This becomes especially difficult when speaking about highly precise units of time, because it would actually take time to execute the code to document each of the clock values individually. Apple solves this by tracking the differences (aka "offset") between each clock and a baseline, unidirectional (aka monotonic) clock that isn't impacted at all by things like an NTP sync, DST changes, or even user manipulation. After the fact, you can precisely determine each clock's time by adding its respective offset to the monotonic time. The benefit of this is that you can generally read the date/times in chronological order in the db, even if something like a DST change or NTP sync happens. (edited)
9:45 AM
All this to say - in general, when reviewing powerlogs I would suggest paying the most attention to the display and baseband clocks, not the monotonic clock. I also concur with the direction @ScottKjr3347 and @FullTang are going in terms of what to look for next.
The video is 5 seconds in length. Not much EXIF data to go off of, Axiom didn't parse a whole lot.
DFTraveler
@Cellebrite or @GrayKey......I am hoping someone might be able to shed some light: I'm working an investigation where an individual fired shots in a public park. I received a GrayKey image of the suspect's iPhone that was processed using both Axiom and Cellebrite PA, and PA shows two different types of created timestamps, both showing different times a specific video was created. Emergency dispatch says they received a phone call from a local at 22:46 reporting the shots fired. The suspect took a video of himself shooting a weapon in the park. The thing is that the timestamp shows the video was created at 23:09. But in the Axiom PowerLog Timezone Information it has two time references: one is a "Monotonic date/time", the other is a "Baseband date/time". They are about 8 minutes apart. Why would the video say it was created 23 minutes after 911 gets a call if the Timezone info shows the time was only off by 8 minutes? (edited)
Are you looking at the filesystem metadata as reported by your tool, or the file metadata that contains the timestamp within the file? If you export the video and look at the timestamps in something like exiftool using the -v2 flag, the file metadata may become easier to visualize. Not to be a shameless plug, but Medex may also provide additional insight/data from the file. Shoot me a DM if I can help in any way.
DFTraveler
The video is 5 seconds in length. Not much EXIF data to go off of, Axiom didn't parse a whole lot.
ScottKjr3347 10/27/2022 4:15 PM
When I said additional information, I was referring to the EXIF data, file metadata (which was discussed above), file paths and information from Photos.sqlite if it exists. It's difficult to provide an explicit answer when we only have very limited information to work with. (edited)
Anyone from @Magnet Forensics free for a question?
Hello guys, I have a quick question: in a current case someone has the app Briar. I found the DB in the filesystem, but sadly I don't know how to decode it. The password is also unknown. If anyone has any experience with it, please contact me 🙂
Anyone have a reference guide for iOS file paths? - I have some weird ones I’ve not had to deal with before. Appreciate it!
Aero
Anyone from @Magnet Forensics free for a question?
chriscone_ar 10/28/2022 5:20 AM
I am, how can I help?
Gladros
Anyone have a reference guide for iOS file paths? - I have some weird ones I’ve not had to deal with before. Appreciate it!
Is It Done Yet? 10/28/2022 5:43 AM
I assume you already have the SANS iOS cheatsheet?
Is It Done Yet?
I assume you already have the SANS iOS cheatsheet?
I have the third party app iOS cheat sheet
6:11 AM
But I'm trying to understand an Apple Mail file path
richhughes#1982 10/28/2022 6:14 AM
Hi all, is anyone familiar with the database intent_blocker.db for the Samsung Internet browser? I have URLs within this database that are of relevance to my investigation; within the database's history table, the column named 'blocked' has all of these entries set to the value '0'. Any assistance in identifying the exact use of this database would be greatly appreciated, to determine if these URLs can be linked to the user's activity.
I am processing an iPhone 11 (running 15.6.1) extraction with @Cellebrite. The notes are password protected and my initial password list was unsuccessful. Now that I have gone through the extraction and generated a new keyword list, is there a way to try the new list without closing UFED and starting over from the beginning?
wcso_pete
I am processing an iPhone 11 (running 15.6.1) extraction with @Cellebrite. The notes are password protected and my initial password list was unsuccessful. Now that I have gone through the extraction and generated a new keyword list, is there a way to try the new list without closing UFED and starting over from the beginning?
CLB_4n6s_mc 10/28/2022 7:45 AM
Hi Pete, I would use hashcat to decode the notes with a dictionary, then finally put it into PA only when the password is discovered. Good luck.
wcso_pete
I am processing an iPhone 11 (running 15.6.1) extraction with @Cellebrite. The notes are password protected and my initial password list was unsuccessful. Now that I have gone through the extraction and generated a new keyword list, is there a way to try the new list without closing UFED and starting over from the beginning?
I second the hashcat approach!
wcso_pete
I am processing an iPhone 11 (running 15.6.1) extraction with @Cellebrite. The notes are password protected and my initial password list was unsuccessful. Now that I have gone through the extraction and generated a new keyword list, is there a way to try the new list without closing UFED and starting over from the beginning?
While you can attempt to run dictionaries against the password with PA, it might be better to extract the hash of the password and attack the hash with Hashcat, as it will be faster than using PA. Once the password is determined (each note can have its own password), you could use that to decrypt the notes, but you might have to reprocess the case. Here is a tutorial on how to extract the hash: https://www.youtube.com/watch?v=RcuUmnx5Jig
8:46 AM
If you need help with using Hashcat or generating wordlists feel free to reach out!
Thanks everyone. I was able to pull the hashes for the 5 notes and thankfully they all had the same password. Nothing in my list was successful, but I was able to find it using rockyou.
Mistercatapulte
hi guys, does someone know the path data/media/0/.hidex_dont_delete_me/files/h/i/d/e/x/1 and what app it's referred to? I've found a video of interest inside and I'd like to know what app it is from or why it's stored there (Samsung A50, Android 11)
Late reply, so I guess you've already figured it out - but for what it's worth, I'm fairly sure it's this app: https://apkpure.com/hidex-calculator-photo-vault-app-lock-app-hider/com.flatfish.cal.privacy/download
wcso_pete
I am processing an iPhone 11 (running 15.6.1) extraction with @Cellebrite. The notes are password protected and my initial password list was unsuccessful. Now that I have gone through the extraction and generated a new keyword list, is there a way to try the new list without closing UFED and starting over from the beginning?
Out of curiosity….. anyone know where PA gets the password hint to unlock the note file?
wcso_pete
I am processing an iPhone 11 (running 15.6.1) extraction with @Cellebrite. The notes are password protected and my initial password list was unsuccessful. Now that I have gone through the extraction and generated a new keyword list, is there a way to try the new list without closing UFED and starting over from the beginning?
Run the iPhone plugin again
7:34 AM
Might trigger the enter password section again?
@Cellebrite I've noticed in Reader (8.2.0.544) that it doesn't seem to want to load the pictures in thumbnail view. It will load them in Gallery view. Any ideas why that is?
Xenotype
Late reply, so I guess you've already figured it out - but for what it's worth, I'm fairly sure it's this app: https://apkpure.com/hidex-calculator-photo-vault-app-lock-app-hider/com.flatfish.cal.privacy/download
Mistercatapulte 10/29/2022 9:44 AM
Yeah, I validate 😉
dcs453
Out of curiosity….. anyone know where PA gets the password hint to unlock the note file?
CLB_iwhiffin 10/29/2022 3:37 PM
It's in the database in clear text.
Hi everybody. What is the most up-to-date way to load a UFED dump file into Autopsy?
theAtropos4n6 10/31/2022 1:20 AM
Heads Up @Cellebrite @Oxygen Forensics @MSAB Good morning everyone and may you have a great week. I am sure you have all noticed that already, but for the community's sake: it seems that Facebook Messenger has changed the name of certain databases on Android, including the one that contains all the messages. com.facebook.orca/databases/threads_db2 has been renamed to ssus.USER-ID.threads_db2. The string ssus.USER-ID. seems to be the prefix for other databases as well (stickers, contact ranking etc). This is the second case where I find that the tools have challenges viewing FB chats. Of course this is due to the latest updates of FB Messenger (ver. 381.0.0.17.102 and 379.1.0.23.114). If you do not see Facebook chats, verify that indeed Messenger is not installed or/and updated. FYI (edited)
theAtropos4n6
Heads Up @Cellebrite @Oxygen Forensics @MSAB Good morning everyone and may you have a great week. I am sure you have all noticed that already, but for the community's sake: it seems that Facebook Messenger has changed the name of certain databases on Android, including the one that contains all the messages. com.facebook.orca/databases/threads_db2 has been renamed to ssus.USER-ID.threads_db2. The string ssus.USER-ID. seems to be the prefix for other databases as well (stickers, contact ranking etc). This is the second case where I find that the tools have challenges viewing FB chats. Of course this is due to the latest updates of FB Messenger (ver. 381.0.0.17.102 and 379.1.0.23.114). If you do not see Facebook chats, verify that indeed Messenger is not installed or/and updated. FYI (edited)
Oxygen Forensics 10/31/2022 1:25 AM
Thank you, we will update our parsing for it in 15.2 🙂
theAtropos4n6
Heads Up @Cellebrite @Oxygen Forensics @MSAB Good morning everyone and may you have a great week. I am sure you have all noticed that already, but for the community's sake: it seems that Facebook Messenger has changed the name of certain databases on Android, including the one that contains all the messages. com.facebook.orca/databases/threads_db2 has been renamed to ssus.USER-ID.threads_db2. The string ssus.USER-ID. seems to be the prefix for other databases as well (stickers, contact ranking etc). This is the second case where I find that the tools have challenges viewing FB chats. Of course this is due to the latest updates of FB Messenger (ver. 381.0.0.17.102 and 379.1.0.23.114). If you do not see Facebook chats, verify that indeed Messenger is not installed or/and updated. FYI (edited)
Thanks for the heads up. Support for this format will come in our upcoming release of XRY 10.3.1. Please note that in the XRY Device Manual you can always check which versions of the apps we have verified decoding support for.
Anyone know, when it says zAddAssetAttrImportedby 3 (third party app) within Photos.sqlite from an iPhone, whether the photo was taken or not taken by the app name that's given?
Paul Mastered
Yes, I did research with the name of the file. Unfortunately the original file is no longer present on the device, and the extraction I had is of type "file system", so you cannot do data carving. I know the name of the portal where it was loaded, and did some research with Cellebrite Reader. I was wondering if this information was also saved somewhere in the system files, maybe in some SQLite database. Anyway, thanks for the reply 🙂
So depending on the tool there can still be some value in doing data carving using some 3rd party apps. I have had numerous files, even video files, that PA and Axiom miss, but when I toss a copy of the extraction against another tool I gain a bunch of new files. It isn't carving in the sense of looking in unallocated, but rather reviewing the extraction as a raw set of data and just looking for different headers and footers PA and Axiom sometimes miss. DC3 Advanced Carver comes to mind as having better results than PA/Axiom in the recent past.
theAtropos4n6
Heads Up @Cellebrite @Oxygen Forensics @MSAB Good morning everyone and may you have a great week. I am sure you have all noticed that already, but for the community's sake: it seems that Facebook Messenger has changed the name of certain databases on Android, including the one that contains all the messages. com.facebook.orca/databases/threads_db2 has been renamed to ssus.USER-ID.threads_db2. The string ssus.USER-ID. seems to be the prefix for other databases as well (stickers, contact ranking etc.). This is the second case where I have found that the tools have challenges viewing FB chats. Of course this is due to the latest updates of FB Messenger (ver. 381.0.0.17.102 and 379.1.0.23.114). If you do not see Facebook chats, verify that Messenger is indeed not installed and/or updated. FYI (edited)
CLB_4n6s_mc 10/31/2022 3:04 AM
Thanks for the update we are working on it to support it ASAP.
Salute 4
Does anyone have any knowledge of the 'PhotosMessagesApp' plugin on iOS? From my understanding it adds the functionality for users to attach photos to messages, but I could be wrong. The files I'm interested in are within 'private/var/mobile/Containers/Data/PluginKitPlugin/UUID/tmp' and in the plist file the identifier is 'com.apple.mobileslideshow.PhotosMessagesApp', which is obviously related to the Photos application. Any expansion upon this would be great 🙂
Arlakossan
Anyone know when it says zAddAssetAttrImportedby 3 third party app within the photos.sqlite from an iPhone if the photo was taken or not taken by the app name that's given?
ScottKjr3347 10/31/2022 5:59 AM
Long 🌬️ winded answer but: If the asset's zAddAssetAttr.ZIMPORTEDBY is Third-Party-App-3 or Third-Party-App-6, then that particular asset was imported into the Local Photo Library via the application listed in the following columns: zAddAssetAttr.ZIMPORTEDBYBUNDLEIDENTIFIER, zAddAssetAttr.ZIMPORTEDBYDISPLAYNAME. That doesn't necessarily mean it was captured with that application, it just means that it was imported by that application into the Local Photo Library. To determine if that application was used to capture the asset, further analysis would be needed. This is difficult to answer because the analysis needed is reliant upon logs that are only stored for an average of 7-30 days. So if you have an asset that is older than that you might not be able to answer that question confidently. You will want to look at KnowledgeC, CurrentPowerLog.PLSQL, now with iOS 16 biomes data, and even sysdiagnose to determine if the device camera was being used at the time of capture and creation listed in Photos.sqlite. You can also analyze exif date, creation date, and add date. If those are similar, then you might have an asset that was likely captured with the analyzed device, but you would still need the logs to determine if that device camera was on at the time of the capture. It is possible, but the ideal situation would be if the device was acquired within 7 days of the captured asset. Another area of analysis that I haven't discussed would be the analysis of the third party app's settings. The question I would hope to answer during the analysis of the 3rd party app settings would be: Do the app settings indicate automatic save to the Local Device upon captured media? Of course, this would be different for every app and I don't have the answer for where that data would be stored for each app. (edited)
🙏 4
Corey
Does anyone have any knowledge of the 'PhotosMessagesApp' plugin on iOS? From my understanding it adds the functionality for users to attach photos to messages, but I could be wrong. The files I'm interested in are within 'private/var/mobile/Containers/Data/PluginKitPlugin/UUID/tmp' and in the plist file the identifier is 'com.apple.mobileslideshow.PhotosMessagesApp', which is obviously related to the Photos application. Any expansion upon this would be great 🙂
ScottKjr3347 10/31/2022 6:41 AM
This is the application within iPhone Messages that allows access to certain cached Local Photo Library assets. This is dependent upon device settings/user options that have been previously selected. This is the application that you will have in focus prior to Photo-Picker. com.apple.mobileslideshow.PhotosMessagesApp – normally only stores a limited number of assets and are cached to the private/var/mobile/Containers/Data/PluginKitPlugin/* location for the application. If the user presses “All Photos” then the Photo-Picker application will be brought into focus and allows the user to have access to more assets. Here is a short video that might help. https://drive.google.com/file/d/1b-c-ThO_K6mYu8dauRzOOeWf7YN_GX5S/view?usp=sharing
🙏 2
Looking in Magnet Axiom to filter media if they are an attachment. I can't locate the option. Any help appreciated.
I am working a traffic accident case where the driver was using a GPS unit and was involved in a crash. The device is a Rand McNally GPS unit that I was able to image physically. I was able to find “Start” and “Destination” indicators, however the indicator calls another file labeled ***.SDL. The SDL file appears to conduct the mapping of the display on the GPS unit, showing left turns, right turns or other street indicators. Does anyone have experience with an SDL file from a GPS unit and how to decode it?
Is It Done Yet? 11/1/2022 1:59 AM
I think I am just being stupid, but hoping someone can assist - probably @ScottKjr3347 will know - victim device, they have given consent to all photos within a folder named "Evidence" on an iPhone 13 iOS 15.6.1. Advanced Logical extraction within Cellebrite obtained. Is there an easy way to filter specifically for the 40 or so images within this folder?
Is It Done Yet?
I think I am just being stupid, but hoping someone can assist - probably @ScottKjr3347 will know - victim device, they have given consent to all photos within a folder named "Evidence" on an iPhone 13 iOS 15.6.1. Advanced Logical extraction within Cellebrite obtained. Is there an easy way to filter specifically for the 40 or so images within this folder?
theAtropos4n6 11/1/2022 2:05 AM
The quickest way that I can think of, if you are using PA to view these images, is: 1) Double-click the Images artifact. This will open the Thumbnail View. 2) Write the keyword "Evidence" within the Table Search field (the filter bar with the magnifying glass symbol next to it). That should do the trick.
Salute 1
Hi ! Someone from @Magnet Forensics for a question about Signal decoding and keystore please ?
theAtropos4n6
The quickest way that I can think of, if you are using PA to view these images, is: 1) Double-click the Images artifact. This will open the Thumbnail View. 2) Write the keyword "Evidence" within the Table Search field (the filter bar with the magnifying glass symbol next to it). That should do the trick.
Is It Done Yet? 11/1/2022 4:46 AM
Doesn't bring any results back
Is It Done Yet?
I think I am just being stupid, but hoping someone can assist - probably @ScottKjr3347 will know - victim device, they have given consent to all photos within a folder named "Evidence" on an iPhone 13 iOS 15.6.1. Advanced Logical extraction within Cellebrite obtained. Is there an easy way to filter specifically for the 40 or so images within this folder?
ScottKjr3347 11/1/2022 5:07 AM
Did the victim create a “folder” or an album on their device that contains the evidence items?
ScottKjr3347
Did the victim create a “folder” or an album on their device that contains the evidence items?
Is It Done Yet? 11/1/2022 5:11 AM
I'm not sure, I don't have the device to hand as it had to be returned promptly. I'm sure I can find out, will there be significant differences in how the artefacts are stored?
Is It Done Yet?
I'm not sure, I don't have the device to hand as it had to be returned promptly. I'm sure I can find out, will there be significant differences in how the artefacts are stored?
ScottKjr3347 11/1/2022 5:12 AM
Yes I’ll dm you. For clarity and to make sure everyone has information they might need for an investigation, here is a part of a conversation that I had assisting another examiner. If you are using a forensic tool that does not parse Photos.sqlite to its fullest, it might not be parsing which album the asset is associated with. This has been discussed previously by me and others who are way smarter than I. https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/ https://cellebrite.com/en/identifying-file-to-album-correlation-using-ios-photos-sqlite/ Basically, to answer the question: If a user creates a folder, then an album within the Apple Photos Application, the folder will be the parent storing the album. If the user only creates an album, the album will be made in the default folder which is “Root.” Just FYI, when I tested this recently, using the iPhone, it would not allow me to put assets directly into a folder. I had to create a new album before moving assets into the folder that was created. If you are using my queries, you will be able to clearly see the ParentzGenAlbum-Title and the zGenAlbum-Title. They can be different. But this is only observed if you are using aliases for your table names in Photos.sqlite. If you are doing a straight query without creating aliases for both the parent folder and the albums, you might miss the parent. If they created a “folder” in the Files application, then you will have to search a totally different way for the files. If the folder was made in the Files app, here is where you might want to search: /private/var/mobile/Containers/Shared/AppGroup/<FilesAppGUID>/File Provider Storage/<folder name> (edited)
Is It Done Yet? 11/1/2022 5:12 AM
ty, legend
AnTaL
Hi ! Someone from @Magnet Forensics for a question about Signal decoding and keystore please ?
chriscone_ar 11/1/2022 5:43 AM
I'm happy to try and help.
theAtropos4n6
Heads Up @Cellebrite @Oxygen Forensics @MSAB Good morning everyone and may you have a great week. I am sure you have all noticed that already, but for the community's sake: it seems that Facebook Messenger has changed the name of certain databases on Android, including the one that contains all the messages. com.facebook.orca/databases/threads_db2 has been renamed to ssus.USER-ID.threads_db2. The string ssus.USER-ID. seems to be the prefix for other databases as well (stickers, contact ranking etc.). This is the second case where I have found that the tools have challenges viewing FB chats. Of course this is due to the latest updates of FB Messenger (ver. 381.0.0.17.102 and 379.1.0.23.114). If you do not see Facebook chats, verify that Messenger is indeed not installed and/or updated. FYI (edited)
cScottVance 11/1/2022 5:52 AM
It seems Messenger can’t make up its mind as we have found data moving BACK to the original source in the latest versions. But no matter the storage location AXIOM will parse and carve both locations.
👍 1
💯 1
SgtMoose114 11/1/2022 8:59 AM
Question on some phone logs... We have a case where there are a bunch of calls from a "-1" number that are rejected. I've never seen this before. Any ideas what it could be? See attached. Also wondering if anyone knows why the highlighted line shows unknown.
Is It Done Yet?
ty, legend
theAtropos4n6 11/1/2022 9:01 AM
Have you figured it out? (edited)
theAtropos4n6
Have you figured it out? (edited)
Is It Done Yet? 11/1/2022 9:16 AM
yep ty
👍 1
SgtMoose114
Question on some phone logs... We have a case where there are a bunch of calls from a "-1" number that are rejected. I've never seen this before. Any ideas what it could be? See attached. Also wondering if anyone knows why the highlighted line shows unknown.
Do you see any apps installed that blocks calls such as a robokiller?
10:15 AM
Has anyone found easier ways to generate a participant report from Cellebrite of only those contacts that were communicated with via text messages on an iPhone? Right now we generate an Excel of chats and instant messages and then run a formula to pull each participant to its own line. Not sure if anyone knows an easier way.
Just got an S22 Ultra which appears to be factory reset ("Welcome Screen"). Acquired a FFS just to see if there was anything. Any place to look for a factory reset date? Phone Activation shows the date and time the device powered on. Factory reset shows 1970.
Ghosted
Just got an S22 Ultra which appears to be factory reset ("Welcome Screen"). Acquired a FFS just to see if there was anything. Any place to look for a factory reset date? Phone Activation shows the date and time the device powered on. Factory reset shows 1970.
You should be able to find something, check out this blog for further.
10:53 AM
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
@FullTang thanks
👍 1
@FullTang Found what I believe to be the correct time in the last_all_history. Thanks again.
💯 1
Ghosted
@FullTang Found what I believe to be the correct time in the last_all_history. Thanks again.
Happy to hear it!
NOSUSHI4U
Do you see any apps installed that blocks calls such as a robokiller?
SgtMoose114 11/1/2022 12:25 PM
The only one I've found is com.android.providers.blockednumber, which I think is a native android app for blocking numbers
@Cellebrite Anyone available for a quick question regarding PA? (edited)
Are there any tools parsing the Bumble app for chats in Android? I see @stark4n6's write-up on iOS. @Brigs does aLEAPP parse the chats? The DB doesn't look too complex, but thought I would check here before starting to write a query.
sholmes
Are there any tools parsing the Bumble app for chats in Android? I see @stark4n6's write-up on iOS. @Brigs does aLEAPP parse the chats? The DB doesn't look too complex, but thought I would check here before starting to write a query.
I started working on one for ALEAPP months back, but never got around to finishing it. I was actually just revisiting it last week so hoping to get it pushed this week
💯 2
@stark4n6 nice!
1:00 PM
Thanks for the quick response. Sorry to call you both out directly.
sholmes
@stark4n6 nice!
It may not be the best solution but it's something at least. I vaguely remember having issues with pulling names of chat participants.
Nice write-up on the iOS version.
stark4n6
It may not be the best solution but it's something at least. I vaguely remember having issues with pulling names of chat participants.
I was looking at the structure now to figure out the participants IDs
tjgubernick 11/1/2022 3:44 PM
Have an iPhone 11 running iOS 15.5. Obtained a Full file system extraction. Anyone have an idea if the powering on and off of the device is tracked in a specific plist? If so where located. Appreciate any insight. Currently processed with Axiom v6.7
tjgubernick
Have an iPhone 11 running iOS 15.5. Obtained a Full file system extraction. Anyone have an idea if the powering on and off of the device is tracked in a specific plist? If so where located. Appreciate any insight. Currently processed with Axiom v6.7
forensicmike @Magnet 11/1/2022 4:17 PM
There are a few places where you can gather evidence on system startups, although none that come to mind are plists. This post from Ian Whiffin ( @CLB_iwhiffin ) covers containermanagerd.log http://www.doubleblak.com/m/blogPosts.php?id=9 which showed up as of iOS 13. Unsure if it's still around in iOS 15. You can also check power logs and sometimes knowledgeC (if the user powered it down manually the standard way you can find "SBPowerDownController" as the app in app focus immediately before going radio silent) (edited)
Hans Leißner 11/2/2022 12:45 AM
Hello guys. I got an FFS image of an iPhone 13. I'm examining the data with Oxygen etc. Do those entities mean that Find My iPhone is deactivated or activated? Imo this is just an activity process and does not mean that it's turned off or on, or am I wrong?
12:47 AM
tjgubernick
Have an iPhone 11 running iOS 15.5. Obtained a Full file system extraction. Anyone have an idea if the powering on and off of the device is tracked in a specific plist? If so where located. Appreciate any insight. Currently processed with Axiom v6.7
Try taking a look at the following logs 🙂 : Device Power Off: logd.0.log Device Power On: containermanagerd.log.1
Hans Leißner 11/2/2022 1:22 AM
I thought about turning off/on Find My iPhone, not the device itself, sorry 😅
1:23 AM
For example .. if the suspect did not want to get located with his findmyiphone service
Hans Leißner
I thought about turning off/on Find My iPhone, not the device itself, sorry 😅
My answer was a response to @tjgubernick 🙂
Hans Leißner 11/2/2022 1:24 AM
Oh sorry 🫡
@Cellebrite in physical analyzer, if a photo or video from the DCIM/10xAPPLE directory has the paperclip "attachment indication" on it, is there anyway to tell where it was attached or where the indication is pulled from?
tjgubernick
Have an iPhone 11 running iOS 15.5. Obtained a Full file system extraction. Anyone have an idea if the powering on and off of the device is tracked in a specific plist? If so where located. Appreciate any insight. Currently processed with Axiom v6.7
I have access to apple gsx and can get uptime and charge cycle data, but you should send me the device serial number
Solec
@Cellebrite in physical analyzer, if a photo or video from the DCIM/10xAPPLE directory has the paperclip "attachment indication" on it, is there anyway to tell where it was attached or where the indication is pulled from?
theAtropos4n6 11/2/2022 10:08 AM
Maybe try searching with the filename in the search bar; that could indicate something? (edited)
No hits for name or hash from another file in any parsed messages or anywhere on the device other than the gallery. It looks like the attachment source, when exported, just says "Location (1)". (edited)
Peacekeeper 11/3/2022 3:17 AM
I have a physical extraction of a Samsung Xcover4 (SM-G390F), the device itself has already been returned a while back. Is there anyone here that possibly knows where/what file I can find if the passcode was required to shutdown the device? Thanks in advance!
check locksettings.db if it had the passcode. On Samsung from this era, it was required to enter passcode to reboot/power off it as normal
benny | RlP 11/3/2022 4:49 AM
Hey guys, does anyone have some experience in mounting an emmcfs filesystem from Samsung? I saw a GitHub repo which I will give a try, but it seems to require an old kernel and I was wondering if there is a better/newer solution.
Anyone know anything about files located in /private/var/mobile/Media/PhotoData/PhotoCloudSharingData/Caches? @Magnet Forensics have carved out mp4 files from them but I can't find any more info on files in the Caches folder specifically
Oscar
Anyone know anything about files located in /private/var/mobile/Media/PhotoData/PhotoCloudSharingData/Caches? @Magnet Forensics have carved out mp4 files from them but I can't find any more info on files in the Caches folder specifically
I know for some cached files it's shown in the header which website it came from, might not be useful here tho.
Arcain
check locksettings.db if it had the passcode. On Samsung from this era, it was required to enter passcode to reboot/power off it as normal
Peacekeeper 11/3/2022 5:35 AM
Thanks. Unfortunately I didn't find my answer in locksettings.db. I did find my answer within settings_secure.xml (/data/system/users/0/settings_secure.xml) on the line: name="lock_function_val" value="#" package="com.android.settings" defaultValue="0" defaultSysSet="true" /> Where # equals 1 if enabled, 0 if disabled. There is also a timestamp in base64 within that file that would seem to contain the last modification date/time of some lock screen settings, but that last part I am not certain about. But settings_secure.xml contains the answer. Thanks!
Salute 1
Arcain pinned a message to this channel. 11/3/2022 5:42 AM
Hello , we have a FFS of an iPhone under iOS16. In an interesting time frame user seems to have watched iOS gallery. We have several entries from KnowledgeC with "com.apple.mobileslideshow.album" and "com.apple.mobileslideshow.oneUp". Does anyone know the difference between these two entries ?
Oscar
Anyone know anything about files located in /private/var/mobile/Media/PhotoData/PhotoCloudSharingData/Caches? @Magnet Forensics have carved out mp4 files from them but I can't find any more info on files in the Caches folder specifically
ScottKjr3347 11/3/2022 6:28 AM
What is your file name? Is it something like <GUID>.medium.MP4?
Are there any recommended arroyo.db parsers out there on GitHub?
B
Are there any recommended arroyo.db parsers out there on GitHub?
Automatic extraction and parsing of Snapchat for iOS and Android - GitHub - DFIR-HBG/Snapchat_Auto: Automatic extraction and parsing of Snapchat for iOS and Android
snapchat parser for iPhone and Android. Contribute to Ogg3/CheckArroyo development by creating an account on GitHub.
👍 3
ScottKjr3347
What is your file name? Is it something like <GUID>.medium.MP4?
The files in the Caches folder have names like "CachedMedia-53nd4A". The files contain a plist that has a FileName key that looks like what you said.
ScottKjr3347 11/3/2022 6:57 AM
I was asking, when Axiom carved them from the CachedMedia-53nd4A file, did it give them a file name? I haven't used Axiom to look at these and was curious if they related to the plist table?
Nope, no filename at all in Axiom
citizencain 11/3/2022 9:58 AM
@Cellebrite PA 7.57.1.9 has added support for Signal and now parses the system messages. However, it is incorrectly displaying EVERY single system message with "USER changed the group avatar", which is incorrect. In the attached screenshot, I checked all of these entries against the signal.sqlite and they are correct that users are joining/leaving the group. They are not correct for the 'avatar' part. None of these users ever changed the avatar; it seems like PA is just reporting that for every system message. I put a ticket in to Cellebrite but they closed it when I couldn't provide the extraction of an ongoing investigation. I was told no one else had this issue. Anyone else experiencing this and can report it to them? (**updated: still a problem in 7.58). (edited)
citizencain
@Cellebrite PA 7.57.1.9 has added support for Signal and now parses the system messages. However, it is incorrectly displaying EVERY single system message with "USER changed the group avatar", which is incorrect. In the attached screenshot, I checked all of these entries against the signal.sqlite and they are correct that users are joining/leaving the group. They are not correct for the 'avatar' part. None of these users ever changed the avatar; it seems like PA is just reporting that for every system message. I put a ticket in to Cellebrite but they closed it when I couldn't provide the extraction of an ongoing investigation. I was told no one else had this issue. Anyone else experiencing this and can report it to them? (**updated: still a problem in 7.58). (edited)
I'll take a look internally and bring it up w the team. Can you DM me your details / case #
👍🏻 2
Any Oxygen gurus on? I got a physical of a Huawei (Kirin) and am decrypting it with the keys pulled.... just trying to get an idea of what all *should* be decrypted? Thanks in advance
Solec
@Cellebrite in physical analyzer, if a photo or video from the DCIM/10xAPPLE directory has the paperclip "attachment indication" on it, is there anyway to tell where it was attached or where the indication is pulled from?
ScottKjr3347 11/3/2022 6:39 PM
Myself and others might have figured out why you might have a 📎 on an asset in @Cellebrite PA when an asset / media file is not an attachment. It appears some programming was updated and if the asset is linked to an “Event” then it will have a 📎. It appears this no longer means message attachment. Maybe someone from CB can verify this but for right now this is what i think the issue might be. I have checked with others and they agree but we would need some confirmation from CB development. (edited)
💯 2
Salute 2
Having done some reading about analysis of iPhones, I have seen some mention of a 'knowledgeC' database which I seem not to have acquired using UFED. Is it only present on older phones, or only on ones that have been jailbroken?
Alexsaurus
Having done some reading about analysis of iPhones, I have seen some mention of a 'knowledgeC' database which I seem not to have acquired using UFED. Is it only present on older phones, or only on ones that have been jailbroken?
What type of extraction are you working with?
advanced logical
6:52 PM
Is there a particular type that will get it?
Correct. I know an Advanced Logical will NOT get it, and I know a Full File System WILL get it. I think (but I am not sure and someone else can confirm) that an iTunes backup will get it.
the_johanna 11/4/2022 1:43 AM
Anyone who has any input on media from snapchat that is stored in Library/Caches/ and then named filtered-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.mp4? I have multiple of these filtered- files and would love to know if anyone has any input on how they are stored and why, when?
the_johanna
Anyone who has any input on media from snapchat that is stored in Library/Caches/ and then named filtered-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.mp4? I have multiple of these filtered- files and would love to know if anyone has any input on how they are stored and why, when?
From the test I did it seems that these files are created when a user selects to send something that is already present. For example if you choose something from the camera roll or choose to send a snap you received etc. My hunch is that filtered part of the name is a reference to that the app “filters” something that has been created before. I was not able to make these files appear without sending something in my testing but I did not feel I tried everything to make a conclusion on the matter.
Johnie
From the test I did it seems that these files are created when a user selects to send something that is already present. For example if you choose something from the camera roll or choose to send a snap you received etc. My hunch is that filtered part of the name is a reference to that the app “filters” something that has been created before. I was not able to make these files appear without sending something in my testing but I did not feel I tried everything to make a conclusion on the matter.
the_johanna 11/4/2022 2:03 AM
Thank you! Every nudge in the right direction helps! 🙂
Hi anyone from @Cellebrite that can help me please re: WhatsApp databases?
@Cellebrite Has the issue with the watchlists not working properly been fixed in the latest PA release (where Analyzed Data would not remain selected) for the search? (edited)
Good morning all…does anyone happen to know the path or file that contains the iOS message retention setting? Thanks
Jshoe
Good morning all…does anyone happen to know the path or file that contains the iOS message retention setting? Thanks
ScottKjr3347 11/4/2022 5:51 AM
ScottKjr3347
Will do, thank you sir!
How can I find out when some images, videos, audios, voice notes and other graphic data belong to a conversation in which I am analyzing to make my report? @Cellebrite ? 🙂🤙
📬 1
Jetten_007
I am working a traffic accident case where the driver was using a GPS unit and was involved in a crash. The device is a Rand McNally GPS unit that I was able to image physically. I was able to find “Start” and “Destination” indicators, however the indicator calls another file labeled ***.SDL. The SDL file appears to conduct the mapping of the display on the GPS unit, showing left turns, right turns or other street indicators. Does anyone have experience with an SDL file from a GPS unit and how to decode it?
JLindmar (83AR) 11/4/2022 10:43 AM
No direct experience, but presuming "SDL" is associated with "SmartDeviceLink", perhaps the available documentation may help with the file structure: https://smartdevicelink.com/ (edited)
SmartDeviceLink (SDL) connects in-vehicle infotainment systems to applications. The SDL ecosystem allows collaboration between developers, OEMs, and suppliers.
FullTang
Correct. I know an Advanced Logical will NOT get it, and I know a Full File System WILL get it. I think (but I am not sure and someone else can confirm) that an iTunes backup will get it.
Isn't Cellebrite's Adv Logical = iTunes Backup?
ScottKjr3347
Myself and others might have figured out why you might have a 📎 on an asset in @Cellebrite PA when an asset / media file is not an attachment. It appears some programming was updated and if the asset is linked to an “Event” then it will have a 📎. It appears this no longer means message attachment. Maybe someone from CB can verify this but for right now this is what i think the issue might be. I have checked with others and they agree but we would need some confirmation from CB development. (edited)
CLB_iwhiffin 11/5/2022 9:42 AM
"Attachment" when referring to Videos means that the video has an attached event; not that it was sent/received as an attachment (although being sent/received may be one of the events that is attached). Likewise, if there is location data, it considers the location to be an "Attached Event" and shows the attachment icon. This is not the same in Images however. If you want to see only media that was sent/received as an attachment, there is the "Direction" filter, although you can currently only select ALL / SENT / RECEIVED / UNKNOWN. ALL is the default setting and is used more to disable the other SENT/RECEIVED/UNKNOWN filter. It cannot be used to filter the entire gallery to just items sent/received if that makes sense.
👍 2
FullTang
Correct. I know an Advanced Logical will NOT get it, and I know a Full File System WILL get it. I think (but I am not sure and someone else can confirm) that an iTunes backup will get it.
CLB_iwhiffin 11/5/2022 9:44 AM
I don't think I've ever seen knowledgeC in any type of backup, certainly not unencrypted and I'm pretty sure not in encrypted either.
👍 1
chauan
Isn't Cellebrite's Adv Logical = iTunes Backup?
CLB_iwhiffin 11/5/2022 9:44 AM
Basically yes
juan21_15
How can I find out when some images, videos, audios, voice notes and other graphic data belong to a conversation in which I am analyzing to make my report? @Cellebrite ? 🙂🤙
CLB_iwhiffin 11/5/2022 9:45 AM
See my earlier reply about filtering media for direction or looking for Events
CLB_iwhiffin
I don't think I've ever seen knowledgeC in any type of backup, certainly not unencrypted and I'm pretty sure not in encrypted either.
I wasn’t sure, thanks for clarifying!
Hey I am new to the channel and in DFIR in general so I am sorry in advance if this isn't the right place to post a question. I got an Android phone to examine and look for illegal videos and pictures because of a NCMEC report from Dropbox and I've extracted the locally stored global.db from Dropbox which has many tables and one of them is shared_links. This table has file paths which lead me to folders with the same names as the videos, and in the folders there are thumbnails of the videos. Does anyone know under what conditions shared_links adds an entry? Or can anyone please give me a hint as to where I can read more about it? I've found Alexis Brignoni's blog but unfortunately it only has information about iOS with Dropbox. And I couldn't find anything about it for Android. Thank you very much
N.A
Hey I am new to the channel and in DFIR in general so I am sorry in advance if this isn't the right place to post a question. I got an Android phone to examine and look for illegal videos and pictures because of a NCMEC report from Dropbox and I've extracted the locally stored global.db from Dropbox which has many tables and one of them is shared_links. This table has file paths which lead me to folders with the same names as the videos, and in the folders there are thumbnails of the videos. Does anyone know under what conditions shared_links adds an entry? Or can anyone please give me a hint as to where I can read more about it? I've found Alexis Brignoni's blog but unfortunately it only has information about iOS with Dropbox. And I couldn't find anything about it for Android. Thank you very much
PDF | The rapid development of cloud storage technology paired with the prevalence of smartphone usage presents wide-ranging challenges for digital... | Find, read and cite all the research you need on ResearchGate
Thx for the research paper, I'll definitely look into it. I have 3 questions: 1. Does anyone know what the global.db sqlite database contains in detail (maybe there is a listing of some forensically relevant tables somewhere) 2. Does anyone know what the table shared_links in global.db contains? 3. Is there a way to see locally from my Android device which media (preferably images and videos) have been shared via Dropbox?
N.A
Thx for the research paper, I'll definitely look into it. I have 3 questions: 1. Does anyone know what the global.db sqlite database contains in detail (maybe there is a listing of some forensically relevant tables somewhere) 2. Does anyone know what the table shared_links in global.db contains? 3. Is there a way to see locally from my Android device which media (preferably images and videos) have been shared via Dropbox?
Thank you very much, that's exactly what I was looking for
Morning guys. Does anyone know the format of Telegram media files that have been sent/received please? I know it is the user and other details, but it's more whether they are unique. Feel free to message me and I can explain more 🙂
@Cellebrite anyone available to talk about PA?
Hi. Any forensic write-ups on WhatsApp iOS? Need to know if a chat is given a flag and/or time-date when it is deleted? Thanks
CLB_iwhiffin
I don't think I've ever seen knowledgeC in any type of backup, certainly not unencrypted and I'm pretty sure not in encrypted either.
forensicmike @Magnet 11/7/2022 8:07 AM
can you get it w/ sysdiagnose ?
8:07 AM
or am I thinking of powerlog 😕
Hi All, looking for any other reference or instance where WhatsApp messages have been altered/mistranscoded between sender and receiver. I have a case where a letter in a received message is different to the sent iteration. Pointers or comments welcomed.
Is there a way to recover the pattern lock set for Samsung secure folder if I have a FFS? Is it correct that secure folder contents are still encrypted in a FFS?
breezybriana 11/7/2022 4:56 PM
Hi everyone, has anyone dealt with the app Life360 in an extraction before? I've never seen the app before but it may have been tracking our suspect's location during the time of an armed robbery. In Axiom it shows a lat/long but it seems just for the general area. There's also a start/end time that includes our time frame but I can't find much else. Also, has anyone subpoenaed the company before? Thanks!
breezybriana
Hi everyone, has anyone dealt with the app Life360 in an extraction before? I've never seen the app before but it may have been tracking our suspect's location during the time of an armed robbery. In Axiom it shows a lat/long but it seems just for the general area. There's also a start/end time that includes our time frame but I can't find much else. Also, has anyone subpoenaed the company before? Thanks!
MOBILedit_Ant 11/8/2022 2:03 AM
Hi, There are a couple of previous posts about Life360, although I couldn't see any obvious answers. https://discord.com/channels/427876741990711298/545232743353810946/951191306607161424 https://discord.com/channels/427876741990711298/545232743353810946/814838486472327179 MOBILedit Forensic shows as supporting the app and GPS locations for Android. I don't know without testing if it would need root access or not. (edited)
Anyone got a script for batch decrypting AES-CBC encrypted media files? I know the Key and IV values but don't fancy manually decrypting many hundreds of media files haha. If not I guess it may be a project for myself, thanks in advance!
3X3
Anyone got a script for batch decrypting AES-CBC encrypted media files? I know the Key and IV values but don't fancy manually decrypting many hundreds of media files haha. If not I guess it may be a project for myself, thanks in advance!
@bang might be able to help 🙂
👍 1
3X3
Anyone got a script for batch decrypting AES-CBC encrypted media files? I know the Key and IV values but don't fancy manually decrypting many hundreds of media files haha. If not I guess it may be a project for myself, thanks in advance!
👍
3:55 AM
Just added you, DM me
Salute 1
Thanks both! 🙂
💪 1
chauan
Is there a way to recover the pattern lock set for Samsung secure folder if I have a FFS? Is it correct that secure folder contents are still encrypted in a FFS?
You should be able to see the files that are located in secure folder. They should exist in another user directory.
@Cellebrite I’m having an issue with UFED Ultra 8.2.0.544, and trying to export results into a report. The moment I click excel or html it freezes and doesn’t give me the export window. It doesn’t go ‘not responding’ like a typical crash. More like it thinks the export window has opened but it hasn’t. Any ideas?
Bellis
@Cellebrite I’m having an issue with UFED Ultra 8.2.0.544, and trying to export results into a report. The moment I click excel or html it freezes and doesn’t give me the export window. It doesn’t go ‘not responding’ like a typical crash. More like it thinks the export window has opened but it hasn’t. Any ideas?
CLB_4n6s_mc 11/8/2022 7:58 AM
Hi, could you first try to update your 8.2 to 8.2.1, which has some improvements, and retest it?
7:59 AM
@Bellis the version is available in the design partner program website
3X3
Anyone got a script for batch decrypting AES-CBC encrypted media files? I know the Key and IV values but don't fancy manually decrypting many hundreds of media files haha. If not I guess it may be a project for myself, thanks in advance!
If you want a python script to decipher them, DM me with the IV and key 🙂
thatboy_leo 11/8/2022 9:03 AM
Which database would track how an iPhone was unlocked (if biometrics were used)? FFS extraction conducted on an iPhone Xs
thatboy_leo
Which database would track how an iPhone was unlocked (if biometrics were used)? FFS extraction conducted on an iPhone Xs
If WhatsApp is installed, I think you should see it in one of its logs 🙂
Chris Myers 11/8/2022 10:28 AM
I've got an interesting scenario brewing in a case I'm working...in 2019, a full filesystem extraction was done on an iPhone 7+ using GrayKey. I have since been made to reimage the device and a few weeks ago obtained another full filesystem extraction from the device. The 2019 had some very important location data that is not present in the 2022 extraction. Any ideas on why that might be? I'm thinking some SQLite vacuuming, maybe?
Chris Myers
I've got an interesting scenario brewing in a case I'm working...in 2019, a full filesystem extraction was done on an iPhone 7+ using GrayKey. I have since been made to reimage the device and a few weeks ago obtained another full filesystem extraction from the device. The 2019 had some very important location data that is not present in the 2022 extraction. Any ideas on why that might be? I'm thinking some SQLite vacuuming, maybe?
forensicmike @Magnet 11/8/2022 10:43 AM
I think it depends on if it's housed in an app the user actually launches from their homescreen vs an artifact from iOS itself. If the data is from the latter, then I'm with you on your theory. If the data is from the former (even Apple branded apps like Notes) then it would depend if you opened it or not.
10:46 AM
But yeah if it's a pattern of life type datapoint then I could definitely see it being tidied up in the background.
forensicmike @Magnet
But yeah if it's a pattern of life type datapoint then I could definitely see it being tidied up in the background.
Chris Myers 11/8/2022 10:49 AM
The PDF Cellebrite report shows "Source: iOS Locations" and each datapoint appears to be several aggregated locations. Unfortunately, I no longer have access to the original FFS dump from 2019.
Chris Myers
The PDF Cellebrite report shows "Source: iOS Locations" and each datapoint appears to be several aggregated locations. Unfortunately, I no longer have access to the original FFS dump from 2019.
forensicmike @Magnet 11/8/2022 10:55 AM
aggregated is the Apple daemon responsible for writing quite a few different logs (including powerlog). From what I've seen of it, it receives the log entries via XPC messages from other processes, queues them up in memory, then eventually writes them in batches. We know for sure that powerlogs are purged after just a few days even, so I think again this is suggesting to me that your theory is probably correct
10:56 AM
however, if this is the linchpin of a case, assuming you have the time & resources, there would be no better explanatory aid & source of confidence than testing it yourself. (edited)
thatboy_leo
Which database would track how an iPhone was unlocked (if biometrics were used)? FFS extraction conducted on an iPhone Xs
theAtropos4n6 11/8/2022 11:32 AM
I am not sure there is a .db that holds this information as a whole. I would suggest reading this from @ScottKjr3347 https://theforensicscooter.com/2021/09/05/ios-settings-display-auto-lock-require-passcode/ to determine the type of passcode used. Then use knowledgeC to determine when the device was unlocked. Also powerlog might be of use to you
Forensic Question: A classmate of mine contacted me and posed a question, “Where in an iPhone extraction is the Display Auto-Lock setting stored?” Thanks, Tyler Wuestenhagen, for posing the questio…
callzor
You should be able to see the files that are located in secure folder. They should exist in another user directory.
Thank you. I found several discussions on that and will check on them!
CLB_4n6s_mc
Hi, could you first try to update your 8.2 to 8.2.1, which has some improvements, and retest it?
Thanks, I’ve updated to that version and it’s still doing it. I have tried another extraction and the report window appears, so it appears to be extraction specific. Annoyingly I have all my tags etc so I’d prefer not to reprocess the handset
does anyone know if you can see auto update time settings in an iOS AFU?
Hans Leißner 11/9/2022 2:04 AM
Hi guys! I am currently working on the forensic analysis of crypto wallets installed on smartphones. Unfortunately, I have not yet been successful in finding any documentation on this, so I wanted to ask here if there are any known sources on this. Thanks and greetings
Hi, Anyone know if there is a way of telling if a video has been played / viewed in WhatsApp? It's on an iPhone. Not saved to the camera roll and only received via WhatsApp. photos.sqlite and WA databases have been checked. I can't see anything obvious. thanks
Is anyone else noticing duplication of data including images, calls etc. from GK FFS Android dumps that are imported into PA? Is there a workaround for this? We have noticed 2-3 of the same image name, path, hash, everything. Same with calls and other artefacts.
4N6Matt
Is anyone else noticing duplication of data including images, calls etc. from GK FFS Android dumps that are imported into PA? Is there a workaround for this? We have noticed 2-3 of the same image name, path, hash, everything. Same with calls and other artefacts.
Data/data, data_mirror etc? If so, this is something introduced in Android 11 (edited)
We are getting 2 images in data/user and 2 images in data_mirror . Both pairs are identical in every way
After a bit of digging it looks like it's just embedded files that it's duplicating. The DCIM still seems to have single images. I assume it's scanning the DB twice for some reason!
peter0015498 11/9/2022 7:38 AM
Hi, is there any Cellebrite personnel here? I have questions regarding WhatsApp disappearing messages
hi there! One of my fellow DF friends is trying to find a way (on an iOS 15.5 FFS) to determine whether FaceID was activated (or even just used…). Anyone know if such a thing can be found? Maybe in the unified logs somewhere?
Hi, Anyone know how to make a dump and bruteforce the password on a Huawei Mate 10 Pro on Android 8.0.0? Oxygen and Passware do not support 8.0.0, XRY after reading the full dump does not crack the password (I tried my own dictionary, 4-6 digits, always unsuccessful), or how to update the software to Android 9 safely with data. The problem may be that when it tries to enter the code, it automatically accepts only after entering 16 digits
Anyone know of a reliable source that indicates if an iOS device has been unlocked with TouchID?
daw005
Anyone know of a reliable source that indicates if an iOS device has been unlocked with TouchID?
thatboy_leo 11/9/2022 8:56 AM
8:57 AM
Ty! @theAtropos4n6 @NoFu
4N6Matt
We are getting 2 images in data/user and 2 images in data_mirror . Both pairs are identical in every way
Oh that's odd. Just 1 extraction being added once?
netix
Hi, Anyone know how to make a dump and bruteforce the password on a Huawei Mate 10 Pro on Android 8.0.0? Oxygen and Passware do not support 8.0.0, XRY after reading the full dump does not crack the password (I tried my own dictionary, 4-6 digits, always unsuccessful), or how to update the software to Android 9 safely with data. The problem may be that when it tries to enter the code, it automatically accepts only after entering 16 digits
You can update firmware using flasher boxes like eft, octoplus huawei etc, but it's always a bit risky and unpredictable with Huawei
10:44 AM
In general, if Xry offers bruteforce and doesn't fail immediately, you might in fact have a 16-digit PIN code which is why it fails to find the code. Instead of updating the code, use the export button in the Xry bruteforce window, and try to bruteforce the code using hashcat. That should be much faster
Chris Myers
I've got an interesting scenario brewing in a case I'm working...in 2019, a full filesystem extraction was done on an iPhone 7+ using GrayKey. I have since been made to reimage the device and a few weeks ago obtained another full filesystem extraction from the device. The 2019 had some very important location data that is not present in the 2022 extraction. Any ideas on why that might be? I'm thinking some SQLite vacuuming, maybe?
Did you keep the iPhone turned off (not just in airplane mode or in a faraday bag) between acquisitions? We made several tests with our checkm8 extraction (which is completely ramdisk-based), and if the phone was not turned on (well, Recovery and DFU modes are OK), then extractions matched 100%. Also, did you use the same GrayKey version in both extractions (probably not)? Also, did you use the same software version for data analysis?
👍 1
daw005
Anyone know of a reliable source that indicates if an iOS device has been unlocked with TouchID?
CLB_iwhiffin 11/9/2022 5:04 PM
If it’s recent, you can make an educated guess by seeing if the touchID was pressed at the time of an unlock event (power log for button touch and knowledgeC for unlock)
Chris Myers
The PDF Cellebrite report shows "Source: iOS Locations" and each datapoint appears to be several aggregated locations. Unfortunately, I no longer have access to the original FFS dump from 2019.
CLB_iwhiffin 11/9/2022 5:08 PM
Sounds like it was some of the routined data, most likely cache.SQLite which is wiped after 7 days so self purging is the most likely reason. That being said, I would hope some record recovery should be possible depending on what the device has been doing in the time between extractions.
I have a timestamp question regarding installed and uninstalled app data found in knowledgeC. Guy is stalking his ex. He is installing and uninstalling the textPlus app over and over again. My guess is he is getting a new phone number each time he does this. Question: the app data shows something like this. Installed textPlus: 7am, Installed textPlus 7:01am, Uninstalled textPlus 7:01:20am, Uninstalled textPlus 7:02am. The timestamps aren’t lining up in knowledgeC. The data shows he is reinstalling the app before the previous version was finished being uninstalled. My theory is the phone is tied up using resources, the uninstall may have been completed, but it hasn’t had a chance to log it in knowledgeC just yet. Which is why the timestamps are slightly off.
Android -> Snapchat -> core.db -> SnapUserStore -> intVal -> unix UTC+0, Account creation date -> profit
peter0015498 11/10/2022 6:58 AM
Any @Cellebrite to assist?
peter0015498
Any @Cellebrite to assist?
hi.
CLB-Paul
hi.
peter0015498 11/10/2022 7:02 AM
Regarding WhatsApp disappearing messages feature. If there are some disappearing messages that are not decoded, what is the reason? Can it be found anywhere in WA database? Premium was used in this.
chrisforensic 11/10/2022 7:19 AM
hello folks @Oxygen Forensics @MSAB_Sofia ... is it planned to implement decoding of WhatsApp mods like GBWhatsApp, FMWhatsApp, OBWhatsApp and others? - PA from @Cellebrite supports decoding of these mods 😉 (edited)
7:19 AM
7:21 AM
here we very often have mobile phones (mostly from Arabic-speaking persons) that have these mods installed (edited)
peter0015498
Regarding the WhatsApp disappearing messages feature. If there are some disappearing messages that are not decoded, what is the reason? Can it be found anywhere in the WA database? Premium was used in this.
Have you looked at the database
V1i5Q3NfxewybGV5IUAjJA== V1i5Q3NfxewybGV5IUAkIw== fbairaMWK5Y=
CLB-Paul
Have you looked at the database
@peter0015498 it would flag them as deleted, if they are recovered.
Anyone able to decode those passwords for Android database, working a CSAM TC container, need all the passwords I can get
have you tried the base64 conversions to it?
ross4n6
Anyone able to decode those passwords for Android database, working a CSAM TC container, need all the passwords I can get
whats the source of the db?
chrisforensic
hello folks @Oxygen Forensics @MSAB_Sofia ... is it planned to implement decoding of WhatsApp mods like GBWhatsApp, FMWhatsApp, OBWhatsApp and others? - PA from @Cellebrite supports decoding of these mods 😉 (edited)
Oxygen Forensics 11/10/2022 8:02 AM
Hello! I can add those to our schedule 😉
💯 2
🙏 1
I have tried all base64 decoding on base64guru, I get WXCs2ley!@#$ WXCs_2ley!@$# The smaller one won't parse which makes me think the above is incorrect. The value came from an Android Parallels Client RDP app, I can see the masked passwords on the device. They are stored in a SQLite DB, under farms passwords
dcs453
I have a timestamp question regarding installed and uninstalled app data found in knowledgeC. Guy is stalking his ex. He is installing and uninstalling the textPlus app over and over again. My guess is he is getting a new phone number each time he does this. Question: the app data shows something like this. Installed textPlus: 7am, Installed textPlus 7:01am, Uninstalled textPlus 7:01:20am, Uninstalled textPlus 7:02am. The timestamps aren’t lining up in knowledgeC. The data shows he is reinstalling the app before the previous version was finished being uninstalled. My theory is the phone is tied up using resources, the uninstall may have been completed, but it hasn’t had a chance to log it in knowledgeC just yet. Which is why the timestamps are slightly off.
JLindmar (83AR) 11/10/2022 8:05 AM
Perhaps corroborating the timestamps you are finding in KnowledgeC with those that still may be present in \private\var\installd\Library\Logs\MobileInstallation\mobile_installation.log.#? (edited)
I have quite a few passwords but so far no joy on the TC container. This is the first time I'm seeing a possible keyboard run and _ but I want to make sure those are correct. He uses Marley and ! as a pattern so I'm assuming this is a decoding issue. Base64 Java?
@Cellebrite One question: what does the Reader verification function check? The PA checks the sha256 hash of the zip file with the hash reported in the ufd file but I can't find any hashes in the report.xml file of the ufdr file (edited)
CLB-Paul
@peter0015498 it would flag them as deleted, if they are recovered.
peter0015498 11/10/2022 4:44 PM
Many thanks. I have not looked at the WA db but will look through it again for any deleted messages. Thanks
CLB-Paul
@peter0015498 it would flag them as deleted, if they are recovered.
peter0015498 11/10/2022 7:11 PM
Hi Paul, one of the rows appeared to have participants showing ID:-73, while another row has ID: status:status. Is it possible to understand the meaning of this information? Pardon my ignorant question if it appears to be dumb.
chrisforensic
hello folks @Oxygen Forensics @MSAB_Sofia ... is it planned to implement decoding of WhatsApp mods like GBWhatsApp, FMWhatsApp, OBWhatsApp and others? - PA from @Cellebrite supports decoding of these mods 😉 (edited)
We did a drive some years ago and added support for a few mods, but unfortunately the versions supported are outdated by now. I can add this as a feature request to our development team. Have you tried running the manual 'App database mapper' in XAMN to see if you can get these app versions at least partially decoded?
Hi All Currently working on a Xiaomi... Is there a way to see the logs of power on/off and airplane mode? Looked for the pwer_off_reset_reason but it was not available. Thanks
found something new in Snapchat and I'm almost jumping up and down in my chair
👍 2
4:58 AM
in contentManagerDB.db, the content_definition blobs that contain a download link also contain key and iv to decrypt 😄
👀 2
Has anyone experienced issues with Axiom where the software crashes and shuts down when reviewing keyword search? Seems to happen to me on every case now. @Magnet Forensics I don't know if you are aware of this issue?
One of our detectives recently got a facebook and IG warrant return. It's in a large PDF file. Is that normal now?
beamar
One of our detectives recently got a facebook and IG warrant return. It's in a large PDF file. Is that normal now?
It was like that a few years ago
Dam
It was like that a few years ago
hmm, maybe I am thinking of another one.
OggE
in contentManagerDB.db, the content_definition blobs that contain a download link also contain key and iv to decrypt 😄
I want to join in your excitement, but I don’t fully understand. What are you decrypting?
Dam
It was like that a few years ago
On further review, the detective downloaded the wrong package. There is an archive option. lol
👌🏻 2
FullTang
I want to join in your excitement, but I don’t fully understand. What are you decrypting?
so the scenario I had was a Snapchat convo with pictures of high interest, but the files were deleted but the convo was not. However if you take the id of the conversation and filter with that in the file contentmanagerDB.db and get a hit, you look in the "content_definition" protobuffer and find 1. A download link 2. key and iv in base64. You go to the link and download an encrypted version of the chat media that can be decrypted with some easy python. To link it back to a message you just look at the key in contentmanagerDB Edit: The protobuffer also contains some timestamps, unknown what they are (edited)
💯 3
🔥 3
OggE
so the scenario I had was a Snapchat convo with pictures of high interest, but the files were deleted but the convo was not. However if you take the id of the conversation and filter with that in the file contentmanagerDB.db and get a hit, you look in the "content_definition" protobuffer and find 1. A download link 2. key and iv in base64. You go to the link and download an encrypted version of the chat media that can be decrypted with some easy python. To link it back to a message you just look at the key in contentmanagerDB Edit: The protobuffer also contains some timestamps, unknown what they are (edited)
CLB_iwhiffin 11/11/2022 6:15 PM
Awesome find; I tested and confirmed working on my extraction too 😄
🔥 2
CLB_iwhiffin
Awesome find; I tested and confirmed working on my extraction too 😄
I tried experimenting with https://thebinaryhick.blog/public_images/ but I got access denied for one of the Snapchat links in the iOS14 image nvm can still download some of the media 😮 (edited)
Below are links to my public images.  If you find a link that isn’t working, please let me know! Android Android 7 (hosted by Digital Corpora) Android 8 (hosted by Digital Corpora) Android 9 …
Made some quick code so you can test it :), https://github.com/Ogg3/SnapchatMediaDownload
A tool to download and decrypt chat media using the file contentManager.db - GitHub - Ogg3/SnapchatMediaDownload: A tool to download and decrypt chat media using the file contentManager.db
💯 4
hype, you can do the same for the message_content protobuffer in arroyo.db
is there a way, from an iOS FFS extraction, to know if the user shared his geolocation with his snapchat friends ?
Ypso
is there a way, from an iOS FFS extraction, to know if the user shared his geolocation with his snapchat friends ?
pretty sure you can see it if it was shared in a convo
Is there any method for Nokia 2.2 Android 11 logical or physical extraction or FFS with Oxygen or Cellebrite?? Because I can't find any "install via usb" option in developer options, so it pops up with an error
MSAB_Sofia
We did a drive some years ago and added support for a few mods, but unfortunately the versions supported are outdated by now. I can add this as a feature request to our development team. Have you tried running the manual 'App database mapper' in XAMN to see if you can get these app versions at least partially decoded?
hello! I got a Huawei JKM-LX1 Kirin 710 chipset extraction done with the same exact model profile; the physical phone was not encrypted, no passcode on startup, but it is unable to decrypt the data during decode, plz help, appreciated
MNS
hello! I got a Huawei JKM-LX1 Kirin 710 chipset extraction done with the same exact model profile; the physical phone was not encrypted, no passcode on startup, but it is unable to decrypt the data during decode, plz help, appreciated
that's an FBE device, and it is factory encrypted, use the full filesystem method (Kirin Live?) if you used UFED and the phone is locked
Arcain
that's an FBE device, and it is factory encrypted, use the full filesystem method (Kirin Live?) if you used UFED and the phone is locked
thanks for the quick reply, I used XRY
for XRY, it might depend on the firmware version. Not all are supported since Huawei changed encryption a few times, and Kirin 710 devices are troublesome. Try to re-dump it again using the Kirin 710 profile instead of the specific model. It used to ask you to reconnect the phone with testpoint to re-read the keys
Arcain
for XRY, it might depend on the firmware version. Not all are supported since Huawei changed encryption a few times, and Kirin 710 devices are troublesome. Try to re-dump it again using the Kirin 710 profile instead of the specific model. It used to ask you to reconnect the phone with testpoint to re-read the keys
thanks bud, will try the 710 profile, but it's not good that the actual pre-explained matched profile can't do this (edited)
it used to be an issue early this year, that should be fixed already, but that's something you can try. I suspect it has a newer encryption scheme which is not supported by Xry so far and that's why it's not decrypting correctly (edited)
Hi! I'm investigating erased web history in safari where some deleted web searches are found in source file /private/var/mobile/Library/Safari/BrowserState.db-wal using Cellebrite PA. I need to do some manual analysis of this file but it's nowhere to be found in the file system. Anyone got an idea of where/how this write-ahead-log could be found? Phone: iPhone 11 Extraction: FFS
Hello, I am looking at Telegram attachments and the paths for them, trying to figure out what conclusions to make. On the suspect's phone (Android, Telegram v.8.8.5 (2721)) there are pictures in a folder named /data/media/0/Android/data/org.telegram.messenger/files/Pictures. I did some testing on a reference phone but this folder never gets created, instead the folder is named Telegram/Telegram Images/. Is this a matter of Telegram version (my testing was done with Telegram v.9.0.2), or is there any other explanation for when the files/Pictures folder is used?
betacygni
Hi! I'm investigating erased web history in safari where some deleted web searches are found in source file /private/var/mobile/Library/Safari/BrowserState.db-wal using Cellebrite PA. I need to do some manual analysis of this file but it's nowhere to be found in the file system. Anyone got an idea of where/how this write-ahead-log could be found? Phone: iPhone 11 Extraction: FFS
If you are looking in the Cellebrite Reader filesystem tree it sometimes doesn't show the -wal files, try looking in the source material
Anyone know where I might find unlocks and/or unlock attempts information in an iPhone? I want to find out if the phone was unlocked using biometrics at a certain point to determine if the suspect unlocked the phone or if it could have been someone else
OggE
If you are looking in the Cellebrite Reader filesystem tree it sometimes doesn't show the -wal files, try looking in the source material
Thanks, I will take a look into that.
Don't suppose anyone knows where (within the cache4.db, or elsewhere) I might find out whether a Telegram Channel was private or public?
Pacman
Has anyone experienced issues with Axiom where the software crashes and shuts down when reviewing keyword search? Seems to happen to me on every cases now. @Magnet Forensics I don't know if you are aware of this issue?
chriscone_ar 11/14/2022 6:56 AM
I haven't seen this but can I DM you for some details and we'll see if we can get it sorted out?
Avatar
Avatar
chriscone_ar
I haven't seen this but can I DM you for some details and we'll see if we can get it sorted out?
Go for it!
Avatar
Avatar
Arlakossan
Anyone know where I might find unlocks and/or unlock attempts information in an iPhone? I want to find out if the phone was unlocked using biometrics at a certain point to determine if the suspect unlocked the phone or if it could have been someone else
theAtropos4n6 11/14/2022 7:34 AM
KnowledgeC.db might be worth a look. You will see unlock/lock states of the device. I am not quite sure if there is a way to track whether biometric/PIN/other method was used though. Even if a biometric lock was set, a PIN one would also be set as a backup method. Also, powerlogs might be worth a look as well (edited)
👍🏻 1
Avatar
Avatar
Arlakossan
Anyone know where I might find unlocks and/or unlock attempts information in an iPhone? I want to find out if the phone was unlocked using biometrics at a certain point to determine if the suspect unlocked the phone or if it could have been someone else
ADDataStore.sqlitedb might give you some hints
👍🏻 1
Avatar
Does anybody know whether “date/time change” event is recorded somewhere in iOS logs? Have not found it in knowledgeC…
Avatar
Avatar
OggE
hype, you can do the same for the message_content protobuffer in arroyo.db
Hi, the contentmanagerdb worked great so thanks for that! Tried it on Arroyo message content and I can see the key and IV but no link?
Avatar
Anyone familiar with any artifacts available in order to tell how many PIN tries there have been, or to detect a possible brute force? Model for investigation is a Samsung A52 (edited)
Avatar
Hello... I have a backup from Signal after I made a downgrade with UFED, but UFED PA can't parse the artifacts, and neither can App Genie. Now I want to try with Axiom to parse the chats and I have the signal.db and the org.thoughtcrime.securesms_preferences.xml. Any idea how this should be done? Thank you!
Avatar
Avatar
Bellis
Hi, the contentmanagerdb worked great so thanks for that! Tried it on Arroyo message content and I can see the key and IV but no link?
try linking it back to contentmanager with the conv id and server id
Avatar
Avatar
OggE
try linking it back to contentmanager with the conv id and server id
Thanks, think that worked. I am getting a fair lot of status 403s during the downloads though
Avatar
Hello, I have a question about tracked base stations. Is there any possibility to read out a database in which Android tracked the received base station IDs? We have some Xiaomi Android devices and we want to know whether there were any kind of strange base stations at the location. So my main question is: does Android track the last received base station (GSM/LTE), and in which database can I find it? Thanks
Avatar
Avatar
ZetLoke77
Hello... I have a backup from Signal after I made a downgrade with UFED, but UFED PA can't parse the artifacts, and neither can App Genie. Now I want to try with Axiom to parse the chats and I have the signal.db and the org.thoughtcrime.securesms_preferences.xml. Any idea how this should be done? Thank you!
what kind of extraction did you get
Avatar
Is there anything within the sms.db or somewhere on an iPhone to indicate whether autocorrect modified a draft prior to the message being sent? (FFS from the sender's phone, whose modified message was sent out) (edited)
Avatar
Avatar
Goovscoov
Anyone familiar with any artifacts available in order to tell how many PIN tries there have been, or to detect a possible brute force? Model for investigation is a Samsung A52 (edited)
Sorry for the long post. Physically on the device itself? Sure, easily through sdp_log. You can get this logfile on a FFS dump; you'll find it in /data/data/log. Alternatively, if you cannot obtain a FFS dump but have access to the device itself, you can open the dialer, enter *#9900#, then 'Run dumpstate/logcat/modem log'. This might take a while depending on the device (one, maybe two minutes at most). After this, select 'Copy to sdcard(include CP Ramdump)', or if you have placed an external SD card in the device, 'Copy to external sdcard(include CP Ramdump)'. This will create a folder in your chosen location called 'log' (if you connect the device to Windows, open either Internal or SD card). I don't know the exact line by heart, but you'll find here lines with something like 'Verify SP user 0:' followed by either success or failed. Failed of course is a failed attempt. This log goes back for a very long time, so you can also create an overview of how often the user enters an incorrect passcode, whether it's a habit or whether it is unique to that specific moment in time. Keep in mind, all lines are in device local time and change if the timezone of the device changes. This and more will be in a future blogpost. Hope this helps. If you need more info, feel free to send me a PB. (edited)
💯 2
👍 2
🥰 1
Avatar
Avatar
CLB-Paul
what kind of extraction did you get
Advanced logical plus downgrade for the chats
10:08 PM
Couldn't get a FFS for that particular phone
Avatar
MrMacca (Allan Mc) 11/16/2022 3:46 AM
Outlook email application on iPhones. What software are people using to pull the data from a GK extraction?
Avatar
Can anyone tell me more about the folder com.facebook.Facebook.MosaicGImageDiskCache?
Avatar
Avatar
ZetLoke77
Couldn't get a FFS for that particular phone
I'd recommend trying with 7.60, which went out to design partners today.
Avatar
I don't have any more updates available right now. I am stuck with 7.54 :)) We must renew the license
Avatar
Avatar
MrMacca (Allan Mc)
Outlook email application on iPhones. What software are people using to pull the data from a GK extraction?
Axiom has been pretty good for Outlook on iOS and Android
Avatar
I have a @Cellebrite Premium extraction of an Android. In device events, I can see when the device is powered on and off. Is there somewhere I can find if it was powered off intentionally or due to battery dying?
Avatar
Avatar
DFIS721
I have a @Cellebrite Premium extraction of an Android. In device events, I can see when the device is powered on and off. Is there somewhere I can find if it was powered off intentionally or due to battery dying?
CLB_4n6s_mc 11/16/2022 7:53 AM
Hi, as always Android is quite challenging depending on the Android version and the manufacturer. You could try to have a look at Batterystats (\data\data\com.google.android.gms\shared_prefs\Baterystats.xml and /system/baterystats-daily.xml) but not sure they are on the phone.
Avatar
Avatar
CLB_4n6s_mc
Hi, as always Android is quite challenging depending on the Android version and the manufacturer. You could try to have a look at Batterystats (\data\data\com.google.android.gms\shared_prefs\Baterystats.xml and /system/baterystats-daily.xml) but not sure they are on the phone.
So I found that but it’s not quite what I’m looking for. I have a specific power off event that I would like to know if it was powered off by the user or due to the battery. Any thoughts on that?
Avatar
Avatar
DFIS721
So I found that but it’s not quite what I’m looking for. I have a specific power off event that I would like to know if it was powered off by the user or due to the battery. Any thoughts on that?
CLB_4n6s_mc 11/16/2022 8:05 AM
Give more info in DM if needed (Android version, phone model, etc.). Not sure if we can find that, but at least you can try if you know the exact time you are looking for.
Avatar
Avatar
DFIS721
I have a @Cellebrite Premium extraction of an Android. In device events, I can see when the device is powered on and off. Is there somewhere I can find if it was powered off intentionally or due to battery dying?
theAtropos4n6 11/16/2022 8:43 AM
+1 what @CLB_4n6s_mc says. Maybe this post can help? Maybe give ALEAPP a try? https://www.stark4n6.com/2021/10/samsung-power-off-reset-logs.html (edited)
♥️ 3
Avatar
Avatar
theAtropos4n6
+1 what @CLB_4n6s_mc says. Maybe this post can help? Maybe give ALEAPP a try? https://www.stark4n6.com/2021/10/samsung-power-off-reset-logs.html (edited)
Will do thank you
Salute 1
Avatar
Avatar
DFIS721
Will do thank you
Depending on the phone manufacturer, they may have their own file artifact for tracking these items
Avatar
Avatar
DFIS721
I have a @Cellebrite Premium extraction of an Android. In device events, I can see when the device is powered on and off. Is there somewhere I can find if it was powered off intentionally or due to battery dying?
JLindmar (83AR) 11/16/2022 11:53 AM
In addition to the guidance you've been given, I would suggest doing a keyword search for files that contain the word "power" (and perhaps variations, e.g. "pwr", etc.) in the file name and content. You may be able to identify relevant information that way.
Avatar
Avatar
JLindmar (83AR)
In addition to the guidance you've been given, I would suggest doing a keyword search for files that contain the word "power" (and perhaps variations, e.g. "pwr", etc.) in the file name and content. You may be able to identify relevant information that way.
Tried that. I got several different results but still not quite what I'm looking for. I appreciate all the feedback and assistance.
Avatar
Hey all, I have a GK image of an iPhone on iOS 14.6. Does anyone know where the artifacts for application uninstallation time have moved to? I found a few good write-ups for older iOS versions, but they do not seem to apply in 14. Looking to find when an app was removed/uninstalled from the phone.
Avatar
Avatar
HIK213
Axiom has been pretty good for Outlook on iOS and Android
MrMacca (Allan Mc) 11/16/2022 12:32 PM
That's our current go-to, but we have an iPhone GK extraction that isn't showing any Outlook emails, even though in a manual examination of the device we can see them. Was hoping there was an alternative to look into other than Axiom.
Avatar
Avatar
MrMacca (Allan Mc)
That's our current go-to, but we have an iPhone GK extraction that isn't showing any Outlook emails, even though in a manual examination of the device we can see them. Was hoping there was an alternative to look into other than Axiom.
Don’t quote me on it but I’m pretty sure others in our office have used Oxygen as well - I’ve been pretty lucky in that Axiom has decoded Outlook on extractions I’ve had.
Avatar
MrMacca (Allan Mc) 11/16/2022 2:24 PM
Thanks. I'll obtain a trial and see how it goes. Thanks so much.
Avatar
@Cellebrite Why does PA come to a halt once it hits this stage? 3:25:35 PM PP: Starting last stage for project: 71368899-8fa6-4b58-82c8-bdfeeab3069b (593604 items)
Avatar
Avatar
beamar
@Cellebrite Why does PA come to a halt once it hits this stage? 3:25:35 PM PP: Starting last stage for project: 71368899-8fa6-4b58-82c8-bdfeeab3069b (593604 items)
Last stage can take a few hours with almost 600k items, especially when you selected media categorization and location carving.
Avatar
Avatar
Peacekeeper
Sorry for the long post. Physically on the device itself? Sure, easily through sdp_log. You can get this logfile on a FFS dump; you'll find it in /data/data/log. Alternatively, if you cannot obtain a FFS dump but have access to the device itself, you can open the dialer, enter *#9900#, then 'Run dumpstate/logcat/modem log'. This might take a while depending on the device (one, maybe two minutes at most). After this, select 'Copy to sdcard(include CP Ramdump)', or if you have placed an external SD card in the device, 'Copy to external sdcard(include CP Ramdump)'. This will create a folder in your chosen location called 'log' (if you connect the device to Windows, open either Internal or SD card). I don't know the exact line by heart, but you'll find here lines with something like 'Verify SP user 0:' followed by either success or failed. Failed of course is a failed attempt. This log goes back for a very long time, so you can also create an overview of how often the user enters an incorrect passcode, whether it's a habit or whether it is unique to that specific moment in time. Keep in mind, all lines are in device local time and change if the timezone of the device changes. This and more will be in a future blogpost. Hope this helps. If you need more info, feel free to send me a PB. (edited)
Thank you! Very helpful 🙂
Avatar
@Cellebrite Can I simply delete the temp folder from the PA (i.e. the contents), which is already 300GB in size, or will that cause problems?
Avatar
peter0015498 11/17/2022 3:09 AM
Hi, not sure if anyone has asked this question before. Can anyone explain what “phone activation time” in Cellebrite PA means? The decoded data is from a Samsung Android 12. Where can I find this raw file in the file system? Thanks
Avatar
Avatar
dcs453
“As a reminder, "deleted" or should I say "recently deleted" messages are still within the main database until they are either deleted a second time or hit their 30 day period to be deleted. Further testing will continue to search for these messages after they are truly purged to see if they stay in their other areas as mentioned above.” Interesting read… Does anyone know what the blog author is referencing when he said the deleted messages are still recoverable up to 30 days?
A question regarding the sms.db in iOS 16: I have a device with deleted SMS, currently in the "Recently Deleted" folder in the SMS app. My question is, if and how is this reflected in the SMS database? Any flag/marked-for-deletion table?
Avatar
nevermind, found it in this blog post https://www.doubleblak.com/blogPosts.php?id=27
Avatar
Avatar
Angst
Last stage can take a few hours with almost 600k items, especially when you selected media categorization and location carving.
nah, it does the media before that step (offloads it to the video card too) and it doesn't get to the location carving, I believe, till after it's all loaded.
7:18 AM
it went smooth in 8.2.1, 7 it seemed to stall
Avatar
Hello, I have a Samsung A41 (CPU MT6768) and need deleted SMS and WhatsApp messages. I have done a file system extraction and, reading it with PA, I get 4 deleted messages that are blank. Any info about this? Is this even possible on this device currently?
Avatar
Avatar
FunkeDope
Hey all, I have a GK image of an iPhone on iOS 14.6. Does anyone know where the artifacts for application uninstallation time have moved to? I found a few good write-ups for older iOS versions, but they do not seem to apply in 14. Looking to find when an app was removed/uninstalled from the phone.
Did you try the mobile installation logs?
👍 1
Avatar
Avatar
nikmar
Hello, I have a Samsung A41 (CPU MT6768) and need deleted SMS and WhatsApp messages. I have done a file system extraction and, reading it with PA, I get 4 deleted messages that are blank. Any info about this? Is this even possible on this device currently?
that's common on devices that use FBE. Looks like the database is vacuumed quickly, just like on iOS, and most of the time you get very few, none or some blank deleted texts
👍 1
Avatar
Avatar
FunkeDope
Hey all, I have a GK image of an iPhone on iOS 14.6. Does anyone know where the artifacts for application uninstallation time have moved to? I found a few good write-ups for older iOS versions, but they do not seem to apply in 14. Looking to find when an app was removed/uninstalled from the phone.
KnowledgeC and \private\var\installd\Library\Logs\MobileInstallation\mobile_installation.log.#?
Avatar
ForensicDev 11/17/2022 3:55 PM
Does anyone know of a "forensic corpus" of phone extractions that can be used for research, tool testing, and testing of custom scripts? The goal would be to use the phone extractions in instructional content as well. (edited)
Avatar
Avatar
ForensicDev
Does anyone know of a "forensic corpus" of phone extractions that can be used for research, tool testing, and testing of custom scripts? The goal would be to use the phone extractions in instructional content as well. (edited)
theAtropos4n6 11/17/2022 11:51 PM
Avatar
rugby_tech#7130 11/18/2022 1:53 AM
Hi all, I am trying to support a customer with a download for court and they have a screenshot from an Oppo CPH2195. The standard file name is "screenshot" followed by the date and time, followed by a GUID. Is that the GUID for the device?
Avatar
I have a lot of CSAM material found under data/data/com.samsung.android.messaging/cache/image_manager_disk_cache. Anyone know if it could be attached images in SMS? I've looked through all SMS in the cellphone and no conversations include these kinds of images
Avatar
Avatar
ForensicDev
Does anyone know of a "forensic corpus" of phone extractions that can be used for research, tool testing, and testing of custom scripts? The goal would be to use the phone extractions in instructional content as well. (edited)
Check out @CLB_joshhickman1's images, all hosted on Digital Corpora too, but they have documentation of steps taken to generate the data https://thebinaryhick.blog/public_images/
👍 3
Avatar
Does anyone have experience with legal requests to Fitbit? Is there something to 'get'? If yes, what? (edited)
Avatar
Avatar
ZetLoke77
Hello... I have a backup from Signal after I made a downgrade with UFED, but UFED PA can't parse the artifacts, and neither can App Genie. Now I want to try with Axiom to parse the chats and I have the signal.db and the org.thoughtcrime.securesms_preferences.xml. Any idea how this should be done? Thank you!
Ruud Schramp 11/18/2022 8:53 AM
Is the database decrypted? Absence of the db encryption key seems the first problem to tackle.
Avatar
This may be a long shot, but would the presence of two .ttf files with a cloud fonts file path appearing on an Android phone at the same time as two documents of interest indicate that said documents had been opened?
Avatar
@Magnet Forensics When loading a portable case, I get an error saying "no case was found in this location. Please select a new location"
Avatar
Avatar
Gorightoff
This may be a long shot, but would the presence of two .ttf files with a cloud fonts file path appearing on an Android phone at the same time as two documents of interest indicate that said documents had been opened?
Ruud Schramp 11/21/2022 10:25 AM
When the documents refer to the fonts, it seems like a possible scenario. Can you copy the documents to a ref phone and test? Of course other documents that refer to the same font would have the same effect... do these benign documents exist as well?
Avatar
There are other documents on there but it seemed too much of a coincidence that the two in question appeared on the handset within seconds of the two fonts files. No other documents appear on that day. Strangely, the two fonts are the same but only one of the documents is written in that particular font.
Avatar
ScottKjr3347 11/21/2022 8:11 PM
@Cellebrite @Oxygen Forensics @Elcomsoft @Magnet Forensics @Belkasoft @Grayshift @Griffeye @Semantics 21 or any others: Do you have anyone researching or parsing any data from the following: private/var/mobile/Media/PhotoData/CPL/storage/store.cloudphotodb iOS not sure if it’s in MacOS (edited)
Avatar
Hi, I played around a bit with the Secure Folder today. I have done all possible apps and entries in the Secure Folder. After the FFS extraction I see everything unencrypted in data/user/150. What I do not quite understand is that the path data/knox/ has 0 files, 0 KB. How can this be related? What in particular is stored in the path data/knox/...? Do different Android versions make the difference?
Avatar
Avatar
fitd2505
Hi, I played around a bit with the Secure Folder today. I have done all possible apps and entries in the Secure Folder. After the FFS extraction I see everything unencrypted in data/user/150. What I do not quite understand is that the path data/knox/ has 0 files, 0 KB. How can this be related? What in particular is stored in the path data/knox/...? Do different Android versions make the difference?
Peacekeeper 11/22/2022 4:36 AM
For Samsung, AFAIK, user 150 is the secure folder. I don't know if there has ever been any data in /data/knox/, but for the secure folder, you just have to filter for data from user 150.
Avatar
In a FDE physical, it will be under that path.
Avatar
@Magnet Forensics Is there a way to limit the file size to break it up into smaller chunks on a portable case?
Avatar
Avatar
ScottKjr3347
@Cellebrite @Oxygen Forensics @Elcomsoft @Magnet Forensics @Belkasoft @Grayshift @Griffeye @Semantics 21 or any others: Do you have anyone researching or parsing any data from the following: private/var/mobile/Media/PhotoData/CPL/storage/store.cloudphotodb iOS not sure if it’s in MacOS (edited)
JLindmar (83AR) 11/22/2022 7:25 AM
@ScottKjr3347 I've got some old research that might be useful (not sure how applicable it still is) - is there something specific you are looking for?
Avatar
Avatar
JLindmar (83AR)
@ScottKjr3347 I've got some old research that might be useful (not sure how applicable it still is) - is there something specific you are looking for?
ScottKjr3347 11/22/2022 7:26 AM
Just looking for what others have found in this db that was useful. I believe I know what it’s being used for, but wanted to see what others have used it for.
Avatar
Avatar
ScottKjr3347
Just looking for what others have found in this db that was useful. I believe I know what it’s being used for, but wanted to see what others have used it for.
JLindmar (83AR) 11/22/2022 7:37 AM
I don't have any current extractions loaded at the moment to check, but the "serializedRecord" field was present in a few tables (e.g. "clientCache", "cloudCache", etc.) in that DB and it contained information (filename, created timestamp, Exif, upload-device name) about original files uploaded to CPL. I found it particularly useful to identify files that were no longer present on the device, but may still be present in CPL.
👍 2
💯 1
Avatar
Avatar
ScottKjr3347
@Cellebrite @Oxygen Forensics @Elcomsoft @Magnet Forensics @Belkasoft @Grayshift @Griffeye @Semantics 21 or any others: Do you have anyone researching or parsing any data from the following: private/var/mobile/Media/PhotoData/CPL/storage/store.cloudphotodb iOS not sure if it’s in MacOS (edited)
Ruud Schramp 11/22/2022 8:24 AM
It's sqlite3; the blobs contain a binary plist, which contains base64, which contains a binary plist. The contents don't contain much identifiable information besides "keys" and timestamps. The keys are also present in Photos.sqlite. Addition: may be more interesting than I initially thought, as I missed the fnam, which is not present in all plists (edited)
👍 1
Avatar
Ruud Schramp 11/22/2022 8:32 AM
Some of the plists contain a fnam property with a filename.
Avatar
Avatar
Ruud Schramp
Some of the plists contain a fnam property with a filename.
JLindmar (83AR) 11/22/2022 8:34 AM
Yes: "serializedRecord" (BLOB > BPlist) > "fNam" (filename) > "crea" (created timestamp) > "memd" (BLOB > base64 > BPlist > Exif)
💯 1
Avatar
Avatar
JLindmar (83AR)
Yes: "serializedRecord" (BLOB > BPlist) > "fNam" (filename) > "crea" (created timestamp) > "memd" (BLOB > base64 > BPlist > Exif)
Ruud Schramp 11/22/2022 8:39 AM
Nice, even contains the GPS of the photo if it was present.
8:40 AM
Cross ref shows the same coordinate in photos.sqlite as well.
Avatar
Hello everyone, I have an F2FS physical image which I'm not able to decode because the filesystem is not recognized by any of my software. Do you know software which (really) supports F2FS physical images? If not, do you know a way to convert F2FS to another FS (ext4, exFAT, NTFS, ...) while preserving the data? (something like "fstransform" but supporting F2FS) Thanks in advance.
Avatar
TiffanyRbns 11/22/2022 9:49 AM
Does anyone know what “behaviorpostprocessorsettings.plist” is or means? @Magnet Forensics
Avatar
what kind of things are in it? what is the path? also, I don't know, just curious.
Avatar
I was searching a specific app on the phone but the source path linked to this plist. I’m wondering if it tells me the subject tried to download but was denied access OR if the apps listed aren’t whitelisted for the phone.
Avatar
Good day. Has anyone had any luck finding actionable evidence from an android dump regarding AnyDesk?
Avatar
Avatar
CLB-Paul
In a FDE physical, it will be under that path.
Thanks for the answer. I sent one more question into your DM's.
Avatar
Hans Leißner 11/23/2022 2:44 AM
Good day! In the Android file "power_off_reset_reason_backup.txt" the following entry could be found using ALEAPP.
01:48:49 2022-11-12 01:48:49+0100 | SHUTDOWN | | REASON: no power [48]
01:48:49 terminating init service start
01:48:52 terminating init service end
01:48:52 volume shutdown start
01:48:53 volume shutdown end
01:48:53 sync() before umount...
01:48:53 sync() before umount took
01:48:53 zram start
01:48:53 zram end
01:48:56 TryUmountAndFsck start
Does anyone know if this was a user shutdown or due to low battery? (edited)
2:47 AM
No power, does not necessarily mean that the battery was empty, right? When it is turned off, it logically has no more power.
Avatar
Avatar
Hans Leißner
Good day! In the Android file "power_off_reset_reason_backup.txt" the following entry could be found using ALEAPP.
01:48:49 2022-11-12 01:48:49+0100 | SHUTDOWN | | REASON: no power [48]
01:48:49 terminating init service start
01:48:52 terminating init service end
01:48:52 volume shutdown start
01:48:53 volume shutdown end
01:48:53 sync() before umount...
01:48:53 sync() before umount took
01:48:53 zram start
01:48:53 zram end
01:48:56 TryUmountAndFsck start
Does anyone know if this was a user shutdown or due to low battery? (edited)
CLB_joshhickman1 11/23/2022 4:19 AM
That’s going to be due to a depleted battery. I suggest reading @stark4n6's CTF write-up, which can be found here: https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
♥️ 1
4:21 AM
You can also check the /data/system/users/services/data/eRR.P file.
4:21 AM
Just to corroborate.
Avatar
Avatar
CLB_joshhickman1
That’s going to be due to a depleted battery. I suggest reading @stark4n6's CTF write-up, which can be found here: https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
Hans Leißner 11/23/2022 4:22 AM
Thank you! I also came across the page earlier. 😄 Thanks for the tip. I will have a look at the file right away.
4:24 AM
Found the same entry in eRR.P:
2022-11-12 01:48:49+0100 | SHUTDOWN | | REASON: no power [48]
Avatar
CLB_joshhickman1 11/23/2022 4:33 AM
In the eRR.P file user-initiated shutdowns are labeled as userrequested
👍 1
this 1
Avatar
Hey everyone, I have a Samsung Galaxy A32 which contains a "map_cache.db" belonging to Google Maps. The data in the database seems encrypted. It's 50 MB, so does anyone know how to get readable data out of it, if possible? Thanks in advance 🙂
Avatar
Does anyone have a tool to parse data from maxcom mm134 phone? The phone has an SC6531EFM processor. I think Xry does it but I don't have this software. UFED unfortunately does not give me any results.
5:03 AM
I have made a physical dump from this phone.
Avatar
Avatar
CLB_joshhickman1
In the eRR.P file user-initiated shutdowns are labeled as userrequested
Hans Leißner 11/23/2022 5:06 AM
Perfect! Thank you. That's what I was looking for. There is no entry at the questionable time of the incident.
Avatar
Avatar
TiffanyRbns
I was searching a specific app on the phone but the source path linked to this plist. I’m wondering if it tells me the subject tried to download but was denied access OR if the apps listed aren’t whitelisted for the phone.
what was the app? do you have a full path to the plist or just a file name?
Avatar
Is there a way to change time and date format in PA?
Avatar
Avatar
callzor
Is there a way to change time and date format in PA?
Do you mean how it’s displayed? YYYY/MM/DD ? I’m fairly certain it takes it from the computer settings
Avatar
Avatar
CLB-Paul
Do you mean how it’s displayed? YYYY/MM/DD ? I’m fairly certain it takes it from the computer settings
Yes. Hmm that might be correct.
Avatar
Good morning, has anybody found tracking information about cell towers / cell IDs in an Android extraction (for example eNB ID 140758 - LTE)?
Avatar
telegram
Avatar
Anyone from @Cellebrite available for a question regarding PA?
Avatar
Avatar
Arlakossan
Anyone from @Cellebrite available for a question regarding PA?
CLB_4n6s_mc 11/25/2022 6:16 AM
Hey what is your question ?
Avatar
Anyone have a good write-up on importing and using the NIST hash set in PA to help reduce report size and unneeded files?
Avatar
Avatar
beamar
Anyone have a good write-up on importing and using the NIST hash set in PA to help reduce report size and unneeded files?
JLindmar (83AR) 11/28/2022 5:56 AM
In my experience, Cellebrite's built-in "Known Files" hash set was more useful than NIST's NSRL (RDS v2) for iOS and Android; plus the process of importing and updating hash sets in PA (at least for v7, haven't tested v8) is very time consuming. I haven't had a chance to test the NSRL RDS v3 hash sets (they contain many more values) as the process for updating the deltas is time consuming and the recommended verification process is flawed.
👍 1
Avatar
Was hoping to cut a bunch of these BS files out of my reports, out of the 115k images found, only 5k known
Avatar
In my experience there is no good way to easily hide/remove whitelist hits. It's possible in some views but not in others, because "hash match - non pertinent" is not the same as "known", which can be filtered everywhere
Avatar
Avatar
beamar
Was hoping to cut a bunch of these BS files out of my reports, out of the 115k images found, only 5k known
JLindmar (83AR) 11/28/2022 7:07 AM
There are limited filtering capabilities in PA; the best you may be able to do is try to identify commonalities (e.g., file size, file path [using "Folder View" for this is helpful], etc.) in groups of files that you've confirmed are irrelevant and then exclude (after confirming irrelevant) files based on those commonalities.
Avatar
Question regarding the Image Classifications feature of @Cellebrite Physical Analyzer. Can I use an Nvidia Quadro RTX 4000 to speed up the process? It's not listed on the knowledge base but I'm not sure how dependable that article is.
Avatar
Anyone able to explain minor discrepancies in call duration and timestamp from a Cellebrite extraction vs the data from the carrier? The differences are just a few seconds, but I want to be able to explain it properly to an attorney. Thanks!
Avatar
Phone later than carrier? @Michelle
Avatar
yes
Avatar
Avatar
Michelle
Anyone able to explain minor discrepancies in call duration and timestamp from a Cellebrite extraction vs the data from the carrier? The differences are just a few seconds, but I want to be able to explain it properly to an attorney. Thanks!
I think the carrier makes a distinction between the time to connect the call (time until the other party picks up) while the phone shows the entire duration of the call.
Avatar
Avatar
FullTang
I think the carrier makes a distinction between the time to connect the call (time until the other party picks up) while the phone shows the entire duration of the call.
It's strange though because the durations from the Cellebrite extraction are shorter than what the tolls show
Avatar
Avatar
Michelle
It's strange though because the durations from the Cellebrite extraction are shorter than what the tolls show
Then maybe it’s the reverse? The carrier is counting the time it takes to connect while the time counter on the phone only starts once the call is connected. Whatever it is causing the slight difference could even be specific to the phone make/model and carrier.
👍 1
Avatar
Avatar
Sockmoth
Question regarding the Image Classifications feature of @Cellebrite Physical Analyzer. Can I use an Nvidia Quadro RTX 4000 to speed up the process? It's not listed on the knowledge base but I'm not sure how dependable that article is.
CLB_iwhiffin 11/28/2022 9:58 AM
It should be supported in 7.59 when that releases
👌 1
Avatar
Avatar
Michelle
Anyone able to explain minor discrepancies in call duration and timestamp from a Cellebrite extraction vs the data from the carrier? The differences are just a few seconds, but I want to be able to explain it properly to an attorney. Thanks!
Peacekeeper 11/29/2022 2:04 AM
What also could be the case is a minor difference in time, i.e. that the phone's clock is off by a little bit. If WhatsApp is installed on the device, you can check the WhatsApp log files (/data/data/com.whatsapp/files/log/* if I recall this correctly off the top of my head). Here you'll find multiple lines regarding "device time" and "server time"; search for either of these two and/or "time server update" and you can check the time difference compared to the WhatsApp server (assumed to be the correct time).
👌 1
Avatar
MelissaJane 11/29/2022 2:13 AM
Is anyone able to advise if there is a way of obtaining an Oxygen Reader? We have a file but no way of reading it. Thanks 🙂
Avatar
Is anyone here a Sqlwizard in Cellebrite PA? Trying to figure out how to import a db into the instant messages template. But the Attachments break..
Avatar
Parsing FFS Extraction of iPhone 13 running 16.0.2 with PA 7.58.0.66. Haven't seen this error before and just wondering if anyone else has and if there is a fix. Gonna run it through another tool but figured I would see if anyone else has seen this. (edited)
Avatar
Avatar
Ghosted
Parsing FFS Extraction of iPhone 13 running 16.0.2 with PA 7.58.0.66. Haven't seen this error before and just wondering if anyone else has and if there is a fix. Gonna run it through another tool but figured I would see if anyone else has seen this. (edited)
Have only seen that error come up once per extraction, never multiple times. At least not that I've noticed. The only AES key in Snapchat I know of that can be the wrong length would be the encrypted encryption keys for My Eyes Only files.
Avatar
Avatar
Oscar
Have only seen that error come up once per extraction, never multiple times. At least not that I've noticed. The only AES key in Snapchat I know of that can be the wrong length would be the encrypted encryption keys for My Eyes Only files.
Here is the full error
Avatar
Avatar
Ghosted
Parsing FFS Extraction of iPhone 13 running 16.0.2 with PA 7.58.0.66. Haven't seen this error before and just wondering if anyone else has and if there is a fix. Gonna run it through another tool but figured I would see if anyone else has seen this. (edited)
Is there not a PA 7.59 out? Edit: ignore me unless I saw something in beta which I can't check atm 😅 (edited)
Avatar
I have a TA-1030 successfully extracted, but I need to know the PIN code of the device, so maybe somebody can say how to find the PIN code in the image with PA?
Avatar
Avatar
Rob
Is there not a PA 7.59 out? Edit: ignore me unless I saw something in beta which I can't check atm 😅 (edited)
No, I show this as the most up to date.
Salute 1
Avatar
Avatar
Ghosted
Here is the full error
I of course can't be certain since I don't have the PA parser code but the name GalleryParser seems to be referring to gallery_encrypteddb, so either no key to decrypt the database or no/wrong key to decrypt stuff inside the database (MEO keys+iv). Check the password section for egocipher.key.avoidkeyderivation and com.snapchat.keyservice.persistedkey. You could try to run my Snapchat script to verify the issue. Also ping @Cellebrite
👍 1
Avatar
Anyone from @Cellebrite know how to export a single message? I've performed a keyword search and I've tagged my results. I want to export the responsive messages with ONLY the keyword. Is there a way to export only the keyword and not the entire message history?
Avatar
All, I am trying to get a feel for what people are doing when they encounter an eSIM in a cellphone. When seizing a cellphone, other than a faraday bag, how are you keeping the phone from communicating with the network without cutting it off?
Avatar
Anyone from MSAB free to DM?
Avatar
Avatar
p0tt541
Anyone from MSAB free to DM?
I'll DM you.
Avatar
If I have Snapchat-<numbers>.mp4, what do the numbers represent and what format is it?
5:06 AM
I've got a CreateDate within the exif
5:06 AM
Just trying to see if I can verify from the filename
Avatar
I have an Agent looking at an extraction. She advised she’s exporting the chats to an excel but the photos aren’t opening or transferring. They appear to be from WeChat and are a .PIC file. Any way to have them convert so she can see them in the exported chats?
Avatar
Avatar
Forgedmom
I have an Agent looking at an extraction. She advised she’s exporting the chats to an excel but the photos aren’t opening or transferring. They appear to be from WeChat and are a .PIC file. Any way to have them convert so she can see them in the exported chats?
Sorry - she’s using reader.
Avatar
Avatar
Sha1_4n6
What was the app? Do you have a full path to the plist or just a file name?
Sorry for the delayed response. The app is Plenty of Fish. Here’s the full path.
Avatar
Avatar
TiffanyRbns
Sorry for the delayed response. The app is Plenty of Fish. Here’s the full path.
JLindmar (83AR) 11/30/2022 11:44 AM
I'm not seeing how that plist, based on the file path, is associated with the PoF app. Based on the file path, it's associated with Apple's "PrivateFrameworks", which are frameworks intended to be used with Apple's apps, and not third-party apps. Is there data of interest in the plist that associates it with PoF?
Avatar
Avatar
JLindmar (83AR)
I'm not seeing how that plist, based on the file path, is associated with the PoF app. Based on the file path, it's associated with Apple's "PrivateFrameworks", which are frameworks intended to be used with Apple's apps, and not third-party apps. Is there data of interest in the plist that associates it with PoF?
I think they're looking at the something type which says POF, which still doesn't tell me it is actually PoF.
Avatar
Avatar
Rob
I think they're looking at the something type which says POF, which still doesn't tell me it is actually PoF.
JLindmar (83AR) 11/30/2022 12:08 PM
Oh, yes, I see the "POF" now. Can't recall offhand what that field is and, therefore, what the "POF" would indicate.
Avatar
MrMacca (Allan Mc) 12/1/2022 2:16 AM
Facebook Messenger v387.0.0.22.106 isn't being fully decoded in UFED PA 7.58. Anyone have a tool that supports this version?
Avatar
Is there any way to find out if and how a phone was unlocked? In this case a Samsung Galaxy A20, an FFS from Cellebrite.
2:25 AM
And of course when as well.
Avatar
I got a recovery event from a Galaxy S20 Ultra running Android 12 that occurred just before a suspect came in with a phone that barely has any data on it. The strange part is that the other files that usually indicate a factory reset, such as efs/recovery/history and the file factory_reset from the bootstat folder, both do not list the time as a factory reset. My hunch is that some sort of Samsung backup restoration occurred, but the history file does not provide much info. See the screenshot of two events in the history file: the first one is a wipe and the second one is the unknown event.
Avatar
Avatar
Arlakossan
Is there any way to find out if and how a phone was unlocked? In this case a Samsung Galaxy A20, an FFS from Cellebrite.
I'm pretty sure you can see this in ALEAPP, probably not HOW it was unlocked but when, under the wellbeing events.
👍🏻 1
Avatar
Hi all, Gmail emails have decoded in UFED (bigtopdatadb) but chat messages in Gmail have not. To save me a bit of time, does anyone happen to know the database name for Gmail chat messages? Salute
Avatar
@Cellebrite available for a question?
Avatar
Joe 🍿🍺 12/1/2022 8:43 AM
Anyone out there who knows if latest PA Ultra can have several devices in one case? Also, after Media classification, is there a way to extract all classified categories? Would be nice to extract to a file tree with all categories and have the corresponding files inside.
Avatar
Hey, has anyone ever investigated a phone that has actually connected to a Stingray/MITM proxy before? Wondering what kind of artifacts I could find with a GK extraction for a device that is known to have been MITM'd by a Stingray or (most likely) a newer LTE device.
Avatar
Anyone done any testing on the iAware.db app? I have a lot of rows in the "capture" table that looks like an appusage log but I don't know for sure.
Avatar
Avatar
Joe 🍿🍺
Anyone out there who knows if latest PA Ultra can have several devices in one case? Also, after Media classification, is there a way to extract all classified categories? Would be nice to extract to a file tree with all categories and have the corresponding files inside.
The multi-device part is coming in an upcoming version. I'd be curious to hear your view on the second point, in Media Classification. Feel free to DM.
Avatar
Avatar
Goovscoov
@Cellebrite available for a question?
Sure, send away
Avatar
Avatar
Joe 🍿🍺
Anyone out there who knows if latest PA Ultra can have several devices in one case? Also, after Media classification, is there a way to extract all classified categories? Would be nice to extract to a file tree with all categories and have the corresponding files inside.
CLB_iwhiffin 12/2/2022 7:38 AM
Not yet. Multiple devices in one case is coming, but no ETA just yet I'm afraid. As for the categories question... No. I'll have a look/think about it though
Avatar
Avatar
MrMacca (Allan Mc)
Facebook Messenger v387.0.0.22.106 isn't being fully decoded in UFED PA 7.58. Anyone have a tool that supports this version?
CLB_iwhiffin 12/2/2022 7:50 AM
I believe Facebook made some changes recently. I understand it should be fixed in 7.59.
Avatar
@Cellebrite I had a Kyocera flip phone with Android 9 that I got a physical extraction of. There were no .db-wal files in the physical, so I reran it with an FFS and saw that that extraction did capture the .db-wal files. Is there any reason why they wouldn't be seen in the physical extraction's file system tree but be there in the FFS's?
Avatar
Avatar
Solec
@Cellebrite I had a Kyocera flip phone with Android 9 that I got a physical extraction of. There were no .db-wal files in the physical, so I reran it with an FFS and saw that that extraction did capture the .db-wal files. Is there any reason why they wouldn't be seen in the physical extraction's file system tree but be there in the FFS's?
CLB_iwhiffin 12/2/2022 8:24 AM
Is there any data in those WAL files? I'd hazard a guess that for the physical (when the device rebooted) the WALs were committed, hence not there. But when the device was connected to do the FFS, the WALs were created. If that's the case, there shouldn't be much in there though.
Avatar
working on iOS snapchat Db trying to do what I usually do match user ID to the Username. The Index_snapchatterusername is empty. The only place i find usernames is under index_snapchatters_publicinfousername. First time I have come across this. The usernames I have (17) are not the ones I am looking for
Avatar
Avatar
Ghosted
working on iOS snapchat Db trying to do what I usually do match user ID to the Username. The Index_snapchatterusername is empty. The only place i find usernames is under index_snapchatters_publicinfousername. First time I have come across this. The usernames I have (17) are not the ones I am looking for
CLB_iwhiffin 12/2/2022 8:34 AM
Have you checked the Snapchatter table in primary.docobjects database?
Avatar
Avatar
CLB_iwhiffin
Is there any data in those WAL files? I'd hazard a guess that for the physical (when the device rebooted) the WALs were committed, hence not there. But when the device was connected to do the FFS, the WALs were created. If that's the case, there shouldn't be much in there though.
JLindmar (83AR) 12/2/2022 8:42 AM
That was my guess as well. The database was shut down cleanly and/or open connections were closed, a checkpoint was triggered and the WAL's content was written to the DB. Depending on the physical acquisition method, perhaps no connection to the database was made, so no WAL was created, but that process did occur in the file system acquisition due to the nature of how it occurs, so a WAL was present. I would also be curious if new records were present in the WAL. (edited)
Avatar
@JLindmar (83AR) @CLB_iwhiffin It makes sense now; it was probably closed out and got reopened. I did the physical via 7.60 SmartFlow, then I had a case officer stop by to return things, when he started asking about a 911 call that supposedly came from the device, which is what made me look for the WAL in the first place to see if anything was there. He opened the call logs to show me where it was supposed to be, then I redid the FFS. The WAL didn't contain any additional records that weren't in the DB. I'm assuming it was there because we did something between the extractions which ended up putting it there. (edited)
Avatar
Avatar
CLB_iwhiffin
Have you checked the Snapchatter table in primary.docobjects database?
Yes it's empty
Avatar
Avatar
Ghosted
Yes it's empty
CLB_iwhiffin 12/2/2022 10:11 AM
  • If it's an older version of snapchat; check friendsForAsyncDecode.plist?
  • Have multiple users logged in to SnapChat on that device? (Each would have their own primary.docobjects database)
Failing that... What version are you looking at?
(edited)
Avatar
Avatar
CLB_iwhiffin
  • If it's an older version of snapchat; check friendsForAsyncDecode.plist?
  • Have multiple users logged in to SnapChat on that device? (Each would have their own primary.docobjects database)
Failing that... What version are you looking at?
(edited)
Version is 12.08.0.32 (edited)
Avatar
Avatar
Rob
I've got a CreateDate within the exif
Did you ever get an answer for this? I'
Avatar
Avatar
keving3047
Did you ever get an answer for this? I'
Did a bit of testing, was using DCode and didn't get a match up with the CreateDate / filename numbers but to me, I believe the numbers have no relation to a timestamp
11:20 AM
I saved two MP4s 1 minute apart and the numbers were vastly different
11:21 AM
Within the properties you'll likely see something like "Snap Video", btw; this is an indication that the original source was the Snapchat application.
Avatar
Avatar
Rob
Within the properties you'll likely see something like "Snap Video", btw; this is an indication that the original source was the Snapchat application.
Ok thanks for the info. I won’t waste anymore time. It sucks because that would make my case much easier. I appreciate it
Avatar
Avatar
keving3047
Ok thanks for the info. I won’t waste anymore time. It sucks because that would make my case much easier. I appreciate it
Use the EXIF CreateDate 🙂
11:37 AM
My tests matched up those to when I actually downloaded two.
Avatar
Ok thanks
Avatar
No worries
Avatar
Is there an artifact that tells you that the recently deleted folder for either photo or text on an iPhone has been emptied in Cellebrite PA?
Avatar
Avatar
Ghosted
Yes it's empty
Did you prepare the image in PA? Otherwise, the username and the User_ID are linked from the Snapchat contacts.
Avatar
@MSAB Can you run regex keyword searches across XAMN reports?
Avatar
buckhunter95 12/3/2022 5:21 PM
@Cellebrite is there any way you can add a function to combine multiple PAS files in a future update?
Avatar
Avatar
buckhunter95
@Cellebrite is there any way you can add a function to combine multiple PAS files in a future update?
We are looking at different options for those for the future. (edited)
Avatar
buckhunter95 12/3/2022 5:25 PM
Thanks for getting back to me! The reason I bring it up is we often have multiple investigators tagging evidence individually. We’re trying to find a better way to make sure we’re on the same page without duplicating work.
this 1
Avatar
Can you send me an email? I'd love to chat about it further sometime.
Avatar
buckhunter95 12/3/2022 5:30 PM
Absolutely!
Avatar
Avatar
Rob
@MSAB Can you run regex keyword searches across XAMN reports?
Yes, it would require that you have a license for the 'Text Intelligence Package' which is an add on to Spotlight, Horizon and Elements though. But with this you can find the regex functionality from the 'Smart Processing' button in the Ribbon bar. (edited)
👍 1
Avatar
Avatar
MSAB_Sofia
Yes, it would require that you have a license for the 'Text Intelligence Package' which is an add on to Spotlight, Horizon and Elements though. But with this you can find the regex functionality from the 'Smart Processing' button in the Ribbon bar. (edited)
Is this something that can be done on the Kiosks as a presetup option?
Avatar
Avatar
Rob
Is this something that can be done on the Kiosks as a presetup option?
No I'm afraid that this is XAMN functionality that isn't included in XAMN Express which is what Kiosks are running.
Avatar
Avatar
MSAB_Sofia
No I'm afraid that this is XAMN functionality that isn't included in XAMN Express which is what Kiosks are running.
No worries thanks 🙂 Will explore that licence option. Do you need it for regular bulk searches as well?
11:18 PM
I.e. non-regex
Avatar
Avatar
Rob
No worries thanks 🙂 Will explore that licence option. Do you need it for regular bulk searches as well?
No, other kinds of filtering, such as hashlists, wordlists, and phone number lists are included even in XAMN Viewer, but they are not part of XAMN Express on the Kiosk, however, since XAMN Express is a very slimmed down version of XAMN with only very basic filtering options. Edited for clarification. (edited)
👍 1
Avatar
Avatar
peMo
Did you prepare the image in PA? Otherwise, the username and the User_ID are linked from the Snapchat contacts.
I ran it in Axiom, I was getting errors during parsing in PA
Avatar
Avatar
peMo
Did you prepare the image in PA? Otherwise, the username and the User_ID are linked from the Snapchat contacts.
This is the errors when I run in PA
Avatar
Avatar
buckhunter95
@Cellebrite is there any way you can add a function to combine multiple PAS files in a future update?
CLB_iwhiffin 12/5/2022 5:11 AM
Not planned; in fact, the pas file is currently not used at all in PA Ultra although we are exploring that choice again.
Avatar
Avatar
Ghosted
This is the errors when I run in PA
CLB_iwhiffin 12/5/2022 5:12 AM
This shouldn't affect the users; I'll take another look at this today.
👍 1
Avatar
Avatar
stephenie
Morning guys. Does anyone know the format of Telegram media files that have been sent/received, please? I know it is the user and other details, but it's more whether they are unique. Feel free to message me and I can explain more 🙂
citizencain 12/5/2022 5:42 AM
I'm looking at Telegram media files - has anyone been able to figure out if there is any particular naming convention?
Avatar
Avatar
CLB_iwhiffin
This shouldn't affect the users; I'll take another look at this today.
I see the same results I get in Axiom as I do in PA with this reported error.
Avatar
Avatar
Arlakossan
Hello! Does anyone know where PA fetches Phone Activation Time and what it means? Is it the last time the phone was installed or last time it connected to a network? The timestamp in this case under phone activation time in the summary is the same as in setupwizardpref.xml
I'm in the same situation where I'm trying to determine what the phone activation time in the extraction summary page in PA is linked to. Anyone figure this one out yet or have more info on it?
Avatar
Avatar
Mike_H
I'm in the same situation where I'm trying to determine what the phone activation time in the extraction summary page in PA is linked to. Anyone figure this one out yet or have more info on it?
@Cellebrite
Avatar
Avatar
Hans Leißner
If I import the knowledgeC.db as a single file, there are no entries in ArtEx.. hmm
CLB_iwhiffin 12/5/2022 4:39 PM
Hmmmm. That doesn’t sound right. Check the time period you have selected and which artifacts you have selected as it will only show what you select. Failing that, check the database itself and see what’s there. Feel free to DM me if it’s not working still.
Avatar
Avatar
Hans Leißner
Does iOS 15.6 (iPhone 13) still save power off/on activity in its databases? I recently opened up an FFS from an iPhone 13 and couldn't find any traces.. (tried with UFED and Oxygen) 🤔 Thanks in advance for info.
CLB_iwhiffin 12/5/2022 5:19 PM
Also; I meant to say; there’s little in knowledgeC about power events, potentially a “slide to shutdown” app on screen but not much more. You need containermanagerd.log.0 for power on events and logd.0.log for power down.
Avatar
PlastikPistol 12/5/2022 10:38 PM
Anyone have any handy resources (blogs, websites, books) they could point me towards? I want to learn more about how data is stored. I've been using a couple of scripts I've found on here to parse things from extractions, but I'm interested in learning. I've never really gone beyond point and click.
Avatar
SQLite is a great place to start for mobile data storage artifacts. Here is a 3 part series that may be helpful. https://cellebrite.com/en/how-to-get-started-the-right-way-with-sqlite-queries/
Avatar
Avatar
Mike_H
I'm in the same situation where I'm trying to determine what the phone activation time in the extraction summary page in PA is linked to. Anyone figure this one out yet or have more info on it?
CLB_iwhiffin 12/6/2022 6:03 AM
So this date comes from the SetupWizardPrefs.xml file. It has recently been determined to be a less accurate source and is being removed from 7.59. More info should be available in a more formal communication.
Avatar
PlastikPistol 12/6/2022 6:43 AM
@char|i3 thanks!
Avatar
Avatar
Ghosted
working on iOS snapchat Db trying to do what I usually do match user ID to the Username. The Index_snapchatterusername is empty. The only place i find usernames is under index_snapchatters_publicinfousername. First time I have come across this. The usernames I have (17) are not the ones I am looking for
not sure if it might help but was looking at interactionC.db this morning and saw the snapchat user GUIDs were in the ZINTERACTIONS Table under the ZDOMAINIDENTIFIER row. I believe the user's vanity name is observed next to it under the ZGROUPNAME row. Not as good as a username but at least might be something to contextualize who the user saw they were chatting to better than a string of characters (edited)
👍 1
Avatar
Hi everyone! I have an AFU dump of an iOS device. Does someone know if there is a place in AFU where I can see the device passcode (hashed) so I can crack it?
Avatar
Avatar
Mr.Robot
Hi everyone! I have an AFU dump of an iOS device. Does someone know if there is a place in AFU where I can see the device passcode (hashed) so I can crack it?
Nope, nothing there as far as I am aware. (edited)
Avatar
Avatar
florus
Nope, nothing there as far as I am aware. (edited)
I wasn't aware either, but I thought: if I don't ask I will not know, and maybe someone has an idea 😀
Avatar
Avatar
Mr.Robot
Hi everyone! I have an AFU dump of an iOS device. Does someone know if there is a place in AFU where I can see the device passcode (hashed) so I can crack it?
Depending on which tool you used. I'm sure GK can provide # to previous passcodes which might assist if there is a pattern
Avatar
If I recall it correctly they only give the previous passcode if you have a FFS or did you see otherwise?
Avatar
Avatar
CLB_iwhiffin
So this date comes from the SetupWizardPrefs.xml file. It has recently been determined to be a less accurate source and is being removed from 7.59. More info should be available in a more formal communication.
Interested to hear more about the reliability 👀
👍 1
Avatar
Avatar
Mr.Robot
If I recall it correctly they only give the previous passcode if you have a FFS or did you see otherwise?
It's only from ffs. I think there might be some more limitations with it on newer devices / iOS versions too so a ffs might not guarantee it
Avatar
Avatar
Rob
Interested to hear more about the reliability 👀
CLB_iwhiffin 12/6/2022 4:50 PM
I don’t know all the details myself so don’t want to say too much and misspeak. But I think it used to be a reliable artifact that is not so reliable anymore, possibly due to a change by Android. We’ve recently seen some obviously incorrect values, hence it is being removed. Once more details are known, it will be communicated properly.
👍 1
Avatar
Anyone who has been able to parse Wickr Pro messages? I have an FFS with the Wickr Pro app, without the password.
Avatar
Does anyone know of a file/database within an iPhone 11 extraction that shows history for device settings? I'm trying to find out if the device was placed in airplane mode or if location tracking was disabled for a specific 5 day range several months ago. All I can find so far is a plist that shows current state of airplane mode.
Avatar
Avatar
wcso_pete
Does anyone know of a file/database within an iPhone 11 extraction that shows history for device settings? I'm trying to find out if the device was placed in airplane mode or if location tracking was disabled for a specific 5 day range several months ago. All I can find so far is a plist that shows current state of airplane mode.
CLB_iwhiffin 12/7/2022 8:56 AM
Depending on version, Airplane mode will be stored in knowledgeC for a little while: ZSTREAMNAME = '/system/airplaneMode'. As for historical settings, I doubt it. There is no reason I can think of why Apple would care to keep that kind of historical data. (edited)
Avatar
Avatar
wcso_pete
Does anyone know of a file/database within an iPhone 11 extraction that shows history for device settings? I'm trying to find out if the device was placed in airplane mode or if location tracking was disabled for a specific 5 day range several months ago. All I can find so far is a plist that shows current state of airplane mode.
JLindmar (83AR) 12/7/2022 8:58 AM
...and @CLB_iwhiffin beat me to it! I'm not sure if this is applicable in your specific scenario, but @Sarah Edwards (SANS/BlackBag) has the following knowledgeC.db query for Airplane Mode activity as part of her APOLLO GitHub repository: https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_airplane_mode.txt (edited)
👍 1
Avatar
Thanks for the replies. Unfortunately I'm only working with an advanced logical and not a full file system, so I'm out of luck there. I had a feeling it was a longshot. We are trying to tie a robbery to an individual that was picked up on unrelated charges. I have his google searches and apple maps searches for the business as well as a journey from his street to the business. After he starts driving there is no activity on his phone for 5 days. I was hoping to show he turned it off or something along those lines.
Avatar
@wcso_pete are you able to get the syslogs? No idea if there is something to be found in there.... (edited)
Avatar
Avatar
Mr.Robot
If I recall it correctly they only give the previous passcode if you have a FFS or did you see otherwise?
If you have a GK extraction, you can recover the previous passcodes with hashcat. Everytime I try it, the last passcode was the good passcode. 😉 https://event.on24.com/wcc/r/3488335/92F18334701A902D17DEF62C008A962C
Avatar
Avatar
chpe1
If you have a GK extraction, you can recover the previous passcodes with hashcat. Everytime I try it, the last passcode was the good passcode. 😉 https://event.on24.com/wcc/r/3488335/92F18334701A902D17DEF62C008A962C
Or go search their forum for the hidden tutorial 🤣
😂 2
Avatar
Avatar
chpe1
If you have a GK extraction, you can recover the previous passcodes with hashcat. Everytime I try it, the last passcode was the good passcode. 😉 https://event.on24.com/wcc/r/3488335/92F18334701A902D17DEF62C008A962C
If there is one hash, that's likely the current passcode...
Avatar
Anyone from @Cellebrite available to troubleshoot PA Ultra 8.2.1.547, I upgraded and feel I made a mistake somehow. The pointer to my case file in the cases tab is gone but when I navigate to the database folder I still see it and still full of data. Is there a way to recreate that pointer to open it?
📫 1
Avatar
Any chance of bruteforcing a Kirin 970 Huawei CLT-L29? I've successfully dumped it and it's a 6 digit pin. Made a dump both in oxygen and xry.
Avatar
Avatar
Arlakossan
Any chance of bruteforcing a Kirin 970 Huawei CLT-L29? I've successfully dumped it and it's a 6 digit pin. Made a dump both in oxygen and xry.
It's failing with both tools?
Avatar
Avatar
Arcain
It's failing with both tools?
Yes, we have an unsupported blob with XRY and the Oxygen bruteforce does not make any progress..
Avatar
It's not supported encryption for Xry, and regarding Oxygen - contact them directly. You can try entering codes manually in the window, that'll use Oxygen to decrypt the data instead of going through Passware, but it sometimes works, sometimes doesn't but is also much more time consuming.
Avatar
Anyone had any luck with a Nokia TA-1378?
Avatar
So up until around October 2021 group ID's in whatsapp used to look like 447123456789-1234567890@g.us (in the UK at least) the first part was the telephone number of the person creating the group and the 2nd part was unix time of the creation of the group. Since October 2021 they take the form 1203630nnnnnnnnnnn@g.us where nnnnnnnnnnnnn appears to be a random 11 digit number. Does anyone know how these group id are generated?
Avatar
sheepdog751 12/8/2022 11:49 AM
hello there, I have a subpoena return from a messaging platform that lists an iOS device ID that is 66 characters long (digits and letters). To my knowledge, the device ID is 40 digit long number so I am wondering if anyone knows what kind of ID would be 66 digits long?
Avatar
Avatar
chpe1
If you have a GK extraction, you can recover the previous passcodes with hashcat. Everytime I try it, the last passcode was the good passcode. 😉 https://event.on24.com/wcc/r/3488335/92F18334701A902D17DEF62C008A962C
Do you have a recording of the webcast or any further info, the link is expired. Thanks.
Avatar
Avatar
rico
Or go search their forum for the hidden tutorial 🤣
I've got the link, let me know if you want it. Salute
Avatar
@Herodote or the New tuto of fl.... 🤣 (edited)
😅 1
Avatar
Has anyone successfully investigated messages being modified, or a message being deleted by the sender, after the message was sent?
Avatar
Avatar
Ash4n6
Has anyone successfully investigated messages being modified, or a message being deleted by the sender, after the message was sent?
You should see traces in the database if it is an iOS device. There should be a post if you search in this thread.
Avatar
thatboy_leo 12/9/2022 9:04 AM
Does iOS store past device PINs used on a device? Such as whether it was a 4-, 5-, or 6-digit one?
Avatar
Hi! Does anyone know if "regretted" Messenger messages show up in an iOS extraction?
Avatar
Anyone in law enforcement ever needed to do a filter team for privileged material and extract content from a graykey dump? I've done mbox files easy enough but now I need it done on a phone dump. I was thinking using cellebrite PA and exporting a reader file but not sure what else that would drop vs parsing the raw gk data. Wasn't sure if anyone has any better ideas.
Avatar
Avatar
Medi
Anyone in law enforcement ever needed to do a filter team for privileged material and extract content from a graykey dump? I've done mbox files easy enough but now I need it done on a phone dump. I was thinking using cellebrite PA and exporting a reader file but not sure what else that would drop vs parsing the raw gk data. Wasn't sure if anyone has any better ideas.
UFDR/Axiom/Oxygen filtered out is an option, selective App extraction is another one
👍 1
Avatar
Does anyone know if the Digital Wellbeing database in Android is there by default in an FFS? And does this get decoded automatically (e.g. in PA), or do I need a memory dump to get insight into this info?
Avatar
@Cellebrite Is it possible to get the release notes for PA 7.59 please? Link on website is broken. Also, the link to the pdf manual for PA 7.59 appears to be pointing to the version for PA 7.58.
📫 1
Avatar
Avatar
thatboy_leo
Does iOS store past device pins used on a device? Such as if it were a 4,5, or 6 digit?
Peacekeeper 12/12/2022 3:46 AM
Possibly comes with a FFS GK extraction (pchistory file). You can BF those using hashcat. I've had it once that the pchistory file contained both a 4d and 6d pin
Avatar
Avatar
florus
Does anyone know if the digital wellbeing database in android is default in an ffs? And does this get decoded automatically (example PA) or do i need a mem-dump to get insight in this info.
CLB_joshhickman1 12/12/2022 4:16 AM
It does come with a FFS. I think PA is only decoding device unlocks and power events (on/off) on Google’s. However, Samsung has their version of it and PA parsing may be slightly different. (edited)
Salute 1
Avatar
Avatar
AmNe5iA
@Cellebrite Is it possible to get the release notes for PA 7.59 please? Link on website is broken. Also, the link to the pdf manual for PA 7.59 appears to be pointing to the version for PA 7.58.
Link seems to be working now
Avatar
thanks
Avatar
Potentially dumb question. I need to recreate some scenarios for testing some artifacts found in an exam. Is there a repository with older still signed apple ios? Specifically looking for 15.4.1 for an iPhone 7 or 8.
Avatar
Does anyone know how to delete the com.sec.android.gallery3d cache from an unrooted samsung so contents from it can't be recovered?
Avatar
Joe 🍿🍺 12/13/2022 5:36 AM
Any Cellebrite expert that could assist on a question? I have an extraction with like 10 different chat apps, and also contacts for these and maybe other apps as well. How can I get the top frequent persons that the phone’s user is having contact with? The first page with extraction info shows Top 5 messaging parties, but I want some more of this. For each app would be nice? Latest Physical Analyzer… (edited)
Avatar
JLindmar (83AR) 12/13/2022 8:23 AM
@Cellebrite FYI I was parsing @CLB_joshhickman1 Android 13 image in PA 7.59.0.36 ("AndroidContent" chain) and observed the following errors in the trace window:
04:05:41 PM Parsing Google Photos_6.2.0.466466753 04:05:43 PM parsing failed with file /data/data/com.google.android.apps.photos 04:05:43 PM Message: Object reference not set to an instance of an object. Trace: at Cellebrite.DeviceReaders.Google.AndroidApps.GooglePhotosParser.ParseRemotePhotos(Database db) at Cellebrite.DeviceReaders.Google.AndroidApps.GooglePhotosParser.Parse() at DatabaseEngine.Wrappers.CSharpParserWrapper.ParseSpecific(Node node) at DatabaseEngine.Wrappers.NodesParserWrapper.SafeParseNode(Node node) Inner Exception:
04:09:42 PM Parsing Microsoft Teams 04:09:44 PM Failed to run parser: Microsoft Teams System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at Cellebrite.Affiliated.Parsers.Android.Teams.MicrosoftTeamsParser.ParseUser(IReadOnlyFileNode appDir, People people, Dictionary`2 userIds, ParserServices services) at Cellebrite.Affiliated.Parsers.Android.Teams.MicrosoftTeamsParser.Parse(ParserServices services) at Cellebrite.Decoding.ParsersRunner.Runner.RunParserSafe(Plugin plugin, IParser parser, CreateContextFunc createContext)
Avatar
@Cellebrite If I encounter Wickr and now know the password do I need to reparse everything to get to the enter password bit 😅
Avatar
Avatar
JLindmar (83AR)
@Cellebrite FYI I was parsing @CLB_joshhickman1 Android 13 image in PA 7.59.0.36 ("AndroidContent" chain) and observed the following errors in the trace window:
04:05:41 PM Parsing Google Photos_6.2.0.466466753 04:05:43 PM parsing failed with file /data/data/com.google.android.apps.photos 04:05:43 PM Message: Object reference not set to an instance of an object. Trace: at Cellebrite.DeviceReaders.Google.AndroidApps.GooglePhotosParser.ParseRemotePhotos(Database db) at Cellebrite.DeviceReaders.Google.AndroidApps.GooglePhotosParser.Parse() at DatabaseEngine.Wrappers.CSharpParserWrapper.ParseSpecific(Node node) at DatabaseEngine.Wrappers.NodesParserWrapper.SafeParseNode(Node node) Inner Exception:
04:09:42 PM Parsing Microsoft Teams 04:09:44 PM Failed to run parser: Microsoft Teams System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at Cellebrite.Affiliated.Parsers.Android.Teams.MicrosoftTeamsParser.ParseUser(IReadOnlyFileNode appDir, People people, Dictionary`2 userIds, ParserServices services) at Cellebrite.Affiliated.Parsers.Android.Teams.MicrosoftTeamsParser.Parse(ParserServices services) at Cellebrite.Decoding.ParsersRunner.Runner.RunParserSafe(Plugin plugin, IParser parser, CreateContextFunc createContext)
CLB_iwhiffin 12/13/2022 10:42 AM
I'm looking into it thank you
👍 1
Avatar
Anyone from @Cellebrite available in regards to PA 7.59?
👋 1
Avatar
Avatar
Joe 🍿🍺
Any Cellebrite expert that could assist on a question? I have an extraction with like 10 different chat apps, and also contacts for these and maybe other apps as well. How can I get the top frequent persons that the phone’s user is having contact with? The first page with extraction info shows Top 5 messaging parties, but I want some more of this. For each app would be nice? Latest Physical Analyzer… (edited)
CLB_iwhiffin 12/13/2022 10:50 AM
I presume you are referring to Ultra's Dashboard? There is not a way to get that kind of granular breakdown per app at this time. 1) You can change the selected timeframe that could help 2) You can go to the Message > App you are interested in and use the sort on Message count and/or filter by participants (which shows a count) Neither of these is that close to what you want, but may assist?
Avatar
@CLB_iwhiffin I've DM'd you
Avatar
Any @Cellebrite people able to explain what the “Precision” column is under locations? (edited)
Avatar
Avatar
greg124567
Any @Cellebrite people able to explain what the “Precision” column is under locations? (edited)
JLindmar (83AR) 12/13/2022 11:48 AM
I'm not with Cellebrite, but from page 55 of their "Supported Models and Fields" document, "Precision" is: "Radius in meters within which the device was located."
Avatar
That is super helpful, thank you!! Is that document located inside the community portal?
Avatar
I need some assistance with an ongoing case, I hope that someone could help me out! I am trying to find out whether a saved photo from Snapchat to the device is indeed taken by that device using the builtin Snapchat camera or if it was a snap shared by someone else which has been saved by the suspect. They all get assigned the IMG_**** because it is saved in the Snapchat album. Did a few reference tests but no luck unfortunately. Even the timeline does not show any clear activity regarding the Snapchat app
Avatar
Avatar
greg124567
That is super helpful, thank you!! Is that document located inside the community portal?
JLindmar (83AR) 12/13/2022 12:03 PM
It's available under the PA downloads.
Salute 1
Avatar
Question about parsing Wickr chats. I have a Full File System of a Samsung Galaxy Note 10+ (SM-N975U1) and parsed it using both Cellebrite Physical Analyzer and Magnet AXIOM. AXIOM decrypted the Wickr chats automatically with no issue. Physical Analyzer (PA) prompted me for a decryption password which I did not have, so I had to skip it and let me continue without. Once the extraction finished opening, the Wickr chats weren't in there. I got a list of the User's passwords from the extraction and tried again using those. Didn't work. Am I doing something wrong here with PA or is AXIOM just better in this regard?
Avatar
Avatar
greg124567
Any @Cellebrite people able to explain what the “Precision” column is under locations? (edited)
CLB_iwhiffin 12/13/2022 12:36 PM
Generally, it should have the value "Horizontal:" and a numeric value. That numeric value is a radius in metres horizontally around the coordinates provided. The device record indicates that the device believes itself to be somewhere inside that radius - Not necessarily at the coordinates, but somewhere in the circle
👍 1
Avatar
Avatar
CLB_iwhiffin
Generally, it should have the value "Horizontal:" and a numeric value. That numeric value is a radius in metres horizontally around the coordinates provided. The device record indicates that the device believes itself to be somewhere inside that radius - Not necessarily at the coordinates, but somewhere in the circle
CLB_iwhiffin 12/13/2022 12:37 PM
❤️ 1
Avatar
Avatar
B
I need some assistance with an ongoing case, I hope that someone could help me out! I am trying to find out whether a saved photo from Snapchat to the device is indeed taken by that device using the builtin Snapchat camera or if it was a snap shared by someone else which has been saved by the suspect. They all get assigned the IMG_**** because it is saved in the Snapchat album. Did a few reference tests but no luck unfortunately. Even the timeline does not show any clear activity regarding the Snapchat app
CLB_iwhiffin 12/13/2022 12:40 PM
If it's also in photos.sqlite, look for the OriginalName and/or the BundleID information. The bundle ID will tell you what app imported the image into the Gallery. The original name may indicate if it was taken on device or received. Check KnowledgeC (assuming it's pre-iOS16) for Application Usage at the time and CurrentPowerLog for camera usage at the time.
💯 1
Avatar
Avatar
RyanB
Question about parsing Wickr chats. I have a Full File System of a Samsung Galaxy Note 10+ (SM-N975U1) and parsed it using both Cellebrite Physical Analyzer and Magnet AXIOM. AXIOM decrypted the Wickr chats automatically with no issue. Physical Analyzer (PA) prompted me for a decryption password which I did not have, so I had to skip it and let me continue without. Once the extraction finished opening, the Wickr chats weren't in there. I got a list of the User's passwords from the extraction and tried again using those. Didn't work. Am I doing something wrong here with PA or is AXIOM just better in this regard?
CLB_iwhiffin 12/13/2022 12:42 PM
I can look into it....
Avatar
Avatar
CLB_iwhiffin
If it's also in photos.sqlite, look for the OriginalName and/or the BundleID information. The bundle ID will tell you what app imported the image into the Gallery. The original name may indicate if it was taken on device or received. Check KnowledgeC (assuming it's pre-iOS16) for Application Usage at the time and CurrentPowerLog for camera usage at the time.
Problem is that photos made using the Snapchat app (by the phone owner) and saved afterwards, are showing the same characteristics as saving photos/videos within Snap which were sent by someone else. Bundle ID is the same, original filename is not showing any difference. The only thing that differs are the photo dimensions. Checking the currentpowerlog manually, if you have more sources to let me look into let me know!
Avatar
Avatar
B
Problem is that photos made using the Snapchat app (by the phone owner) and saved afterwards, are showing the same characteristics as saving photos/videos within Snap which were sent by someone else. Bundle ID is the same, original filename is not showing any difference. The only thing that differs are the photo dimensions. Checking the currentpowerlog manually, if you have more sources to let me look into let me know!
ScottKjr3347 12/13/2022 1:06 PM
If you can share screenshots of the photos.sqlite db data we might be able to help you better. How many rows of data do you have for each asset? This might depend upon the query that you are using. (edited)
Avatar
Avatar
CLB_iwhiffin
I can look into it....
Didn't expect a response from an actual Cellebrite employee. I would appreciate that! I'm sure I'm doing something wrong.
Avatar
Avatar
ScottKjr3347
If you can share screenshots of the photos.sqlite db data we might be able to help you better. How many rows of data do you have for each asset? This might depend upon the query that you are using. (edited)
DMed you
Avatar
Does anyone have an easy method in PA8 to do things like select all, deselect all, see everything selected? In 7 you could tick/untick select all by default but that doesn't seem to work in 8.
Avatar
Avatar
B
Problem is that photos made using the Snapchat app (by the phone owner) and saved afterwards, are showing the same characteristics as saving photos/videos within Snap which were sent by someone else. Bundle ID is the same, original filename is not showing any difference. The only thing that differs are the photo dimensions. Checking the currentpowerlog manually, if you have more sources to let me look into let me know!
CLB_iwhiffin 12/13/2022 2:14 PM
Of course... BTW I concur with your findings re the height/width. I can't see anything else to distinguish user taken > saved or user received > saved. CurrentPowerLog (CameraUser) & AppUsage may be the best at the minute. Even lock state and backlight would be useful to know.
💯 1
👍 1
Avatar
Avatar
Alexsaurus
Does anyone have an easy method in PA8 to do things like select all, deselect all, see everything selected? In 7 you could tick/untick select all by default but that doesn't seem to work in 8.
CLB_iwhiffin 12/13/2022 2:16 PM
Select/Deselect All still work for everything in the on screen table, as does the View All/Only Selected/Only Deselected. The Select/Deselect All in the case option will be coming back in the near future. Or am I misunderstanding the question?
Avatar
Avatar
CLB_iwhiffin
Select/Deselect All still work for everything in the on screen table, as does the View All/Only Selected/Only Deselected. The Select/Deselect All in the case option will be coming back in the near future. Or am I misunderstanding the question?
I am asking about everything in a case not just what is on screen. I like to produce a report using everything on the device and then a second more targeted report which only includes selected items. To do this currently I need to go around deselecting every set of items one by one and I am constantly worried I missed something. Would be nice to have a button somewhere to deselect everything in the case.
Avatar
Avatar
Alexsaurus
I am asking about everything in a case not just what is on screen. I like to produce a report using everything on the device and then a second more targeted report which only includes selected items. To do this currently I need to go around deselecting every set of items one by one and I am constantly worried I missed something. Would be nice to have a button somewhere to deselect everything in the case.
CLB_iwhiffin 12/13/2022 2:23 PM
The only option at the moment that I think is relevant is within the Settings; you can decide if when you process a new case if everything will be automatically selected or deselected as a starting point. This is all I can offer until the Select/Deselect All feature is brought back.
Avatar
Avatar
RyanB
Question about parsing Wickr chats. I have a Full File System of a Samsung Galaxy Note 10+ (SM-N975U1) and parsed it using both Cellebrite Physical Analyzer and Magnet AXIOM. AXIOM decrypted the Wickr chats automatically with no issue. Physical Analyzer (PA) prompted me for a decryption password which I did not have, so I had to skip it and let me continue without. Once the extraction finished opening, the Wickr chats weren't in there. I got a list of the User's passwords from the extraction and tried again using those. Didn't work. Am I doing something wrong here with PA or is AXIOM just better in this regard?
CLB_iwhiffin 12/13/2022 2:26 PM
What kind of extraction was it? (GK or UFED)? Did you give the keystore to either tool?
Avatar
Morning all, I have an iPhone extraction and I’m trying to see if iCloud data has been setup to be synced on the device, any ideas on where I can find this information?
Avatar
Avatar
RyanB
Question about parsing Wickr chats. I have a Full File System of a Samsung Galaxy Note 10+ (SM-N975U1) and parsed it using both Cellebrite Physical Analyzer and Magnet AXIOM. AXIOM decrypted the Wickr chats automatically with no issue. Physical Analyzer (PA) prompted me for a decryption password which I did not have, so I had to skip it and let me continue without. Once the extraction finished opening, the Wickr chats weren't in there. I got a list of the User's passwords from the extraction and tried again using those. Didn't work. Am I doing something wrong here with PA or is AXIOM just better in this regard?
Was it Android 12? The Settings_ssaid.xml file is in a new format for Android 12 and I've had several cases where PA couldn't parse Android Wickr because of this, but other tools/methods could (edited)
11:28 PM
maybe fixed in the latest PA though, haven't encountered this in a while
Avatar
hello everyone, but do you know the App_GUID of the tellonym app?
Avatar
Avatar
obi95
Morning all, I have an iPhone extraction and I’m trying to see if iCloud data has been setup to be synced on the device, any ideas on where I can find this information?
JLindmar (83AR) 12/14/2022 6:02 AM
There are many source files containing iCloud-related information. Check out SANS' "FOR585: Smartphone Forensic Analysis In-Depth" poster for a good list of artifacts: https://www.sans.org/posters/dfir-advanced-smartphone-forensics/
Avatar
Hi everyone, @Cellebrite...i have a bfu extraction of an iphone 12 and there are 8,000 images in a certain file path with filenames starting with PhotosSearchSection. Does anyone know definitively what the images in this file path represent: private/var/mobile/library/caches/com.apple.mobile.sms/previews/search/PhotosSearchSection-at-0-xxxxxxxxxxxxxxx.png
Avatar
Avatar
digitech11
Hi everyone, @Cellebrite...i have a bfu extraction of an iphone 12 and there are 8,000 images in a certain file path with filenames starting with PhotosSearchSection. Does anyone know definitively what the images in this file path represent: private/var/mobile/library/caches/com.apple.mobile.sms/previews/search/PhotosSearchSection-at-0-xxxxxxxxxxxxxxx.png
JLindmar (83AR) 12/14/2022 6:47 AM
Avatar
@JLindmar (83AR) thank you so much. That was very helpful.
Salute 1
Avatar
Avatar
manuelevlr
hello everyone, but do you know the App_GUID of the tellonym app?
CLB_iwhiffin 12/14/2022 7:11 AM
The guid will be different on every phone I’m afraid. You’ll have to use the “installed apps” feature of whatever tool you're using to find it. Or do you mean the reverse domain name where it would be something like “com.callosom.tellonym”
Avatar
Avatar
CLB_iwhiffin
The guid will be different on every phone I’m afraid. You’ll have to use the “installed apps” feature of whatever tool you're using to find it. Or do you mean the reverse domain name where it would be something like “com.callosom.tellonym”
I use physical analyzer, so finding tellonym in the installed apps section does it also indicate the associated GUID? is this app supported by PA ?
Avatar
Avatar
B
Problem is that photos made using the Snapchat app (by the phone owner) and saved afterwards, are showing the same characteristics as saving photos/videos within Snap which were sent by someone else. Bundle ID is the same, original filename is not showing any difference. The only thing that differs are the photo dimensions. Checking the currentpowerlog manually, if you have more sources to let me look into let me know!
Medex is able to answer if a Snapchat video is consistent with creation on a device vs received using a novel approach to video file analysis. We may be able to apply our research to images as well. DM me if you would like help on this specific case.
Avatar
Avatar
manuelevlr
I use physical analyzer, so finding tellonym in the installed apps section does it also indicate the associated GUID? is this app supported by PA ?
CLB_iwhiffin 12/14/2022 9:31 AM
From PA's Installed Applications, go into Table View and search for Tellonym. It will show you the Reverse Domain ID (Identifier) and GUID (Application ID) which is the same as the path the app resides at. Doesn't look like we currently support that app, but that doesn't make a difference to what the Installed Apps will show. (edited)
Avatar
Avatar
CLB_iwhiffin
From PA's Installed Applications, go into Table View and search for Tellonym. It will show you the Reverse Domain ID (Identifier) and GUID (Application ID) which is the same as the path the app resides at. Doesn't look like we currently support that app, but that doesn't make a difference to what the Installed Apps will show. (edited)
thank you. Salute
Avatar
Avatar
Brandon E
Medex is able to answer if a Snapchat video is consistent with creation on a device vs received using a novel approach to video file analysis. We may be able to apply our research to images as well. DM me if you would like help on this specific case.
Dmed!
Avatar
Avatar
RyanB
Question about parsing Wickr chats. I have a Full File System of a Samsung Galaxy Note 10+ (SM-N975U1) and parsed it using both Cellebrite Physical Analyzer and Magnet AXIOM. AXIOM decrypted the Wickr chats automatically with no issue. Physical Analyzer (PA) prompted me for a decryption password which I did not have, so I had to skip it and let me continue without. Once the extraction finished opening, the Wickr chats weren't in there. I got a list of the User's passwords from the extraction and tried again using those. Didn't work. Am I doing something wrong here with PA or is AXIOM just better in this regard?
CLB_iwhiffin 12/14/2022 2:01 PM
My first test of a GalaxyS10 with Wickr and extracted FFS via UFED and read into 7.58 worked fine with no prompt for a passcode and a successful decryption of the database. I'll add some more data and test again.
Avatar
Avatar
Rob
@Cellebrite If I encounter Wickr and now know the password do I need to reparse everything to get to the enter password bit 😅
Yes. Only one shot for those password popups or reload everything. 😢
Avatar
Avatar
chauan
Yes. Only one shot for those password popups or reload everything. 😢
Re-ran the Android database plugin which eventually triggered it again. Does add duplicate data so wouldn't recommend using it as your final version again
Avatar
MrMacca (Allan Mc) 12/15/2022 1:10 AM
Anyone else experiencing random force closure of UFED PA v7.59.0.36? I've had 3 extractions that were being processed (not at the same time) and when I return to my workstation to see how it is progressing, the App is nowhere to be seen.
Avatar
Avatar
Herodote
I get the LINK, let me know if you want it Salute
I'm interested!
Avatar
Avatar
Peacekeeper
Possibly comes with a FFS GK extraction (pchistory file). You can BF those using hashcat. I've had it once that the pchistory file contained both a 4d and 6d pin
The passcode is already in the file right?
Avatar
Peacekeeper 12/15/2022 3:39 AM
A hashed version of it. You can crack it with Hashcat
Avatar
Can I dm you?
Avatar
Avatar
Mr.Robot
Can I dm you?
Peacekeeper 12/15/2022 4:58 AM
The tag was handy. Just send me a DM 🙂
Avatar
@Cellebrite where does the online map data come from for physical analyzer? I need to lock down our viewing room so I’m restricting sites that can be visited.
Avatar
Looking for a url or ip
Avatar
Avatar
Chris
@Cellebrite where does the online map data come from for physical analyzer? I need to lock down our viewing room so I’m restricting sites that can be visited.
CLB_iwhiffin 12/15/2022 7:43 AM
You can download the maps for offline use from the community portal
Avatar
Avatar
Chris
@Cellebrite where does the online map data come from for physical analyzer? I need to lock down our viewing room so I’m restricting sites that can be visited.
CLB-DannyTheModeler 12/15/2022 7:51 AM
Chris, if you want to continue to use the online maps and just want to enable them in your firewall, the base site we need access to is: http://dev.virtualearth.net/
Avatar
Avatar
MrMacca (Allan Mc)
Anyone else experiencing random force closure of UFED PA v7.59.0.36? I've had 3 extractions that were being processed (not at the same time) and when I return to my workstation to see how it is progressing, the App is nowhere to be seen.
3 times today i've loaded a file into that version, clicked on either an image or video and it's crashed!!! just loading it up again now after rebooting my machine again!!
Avatar
Avatar
sootysox
3 times today i've loaded a file into that version, clicked on either an image or video and it's crashed!!! just loading it up again now after rebooting my machine again!!
JLindmar (83AR) 12/15/2022 8:46 AM
I've observed similar behavior.
Avatar
ScottKjr3347 12/15/2022 11:36 AM
Just want to let those know who might be doing research: Successfully palera1n jailbreak of iPX A11 iOS16.1.2 & SSH Using @BlakDouble ArtEx to dive in!
👍 4
Avatar
Mr. Eddie Vedder from Accounting 12/15/2022 11:39 AM
Filza has also been updated for those wanting quick on device testing.
Avatar
Anyone know if iOS stores the source of a photo/album? I see that the bundleID associated with it is "com.apple.mobilesafari" in the ZCLOUDMASTER table
Avatar
Avatar
Murst
Anyone know if iOS stores the source of a photo/album? I see that the bundleID associated with it is "com.apple.mobilesafari" in the ZCLOUDMASTER table
ScottKjr3347 12/15/2022 12:50 PM
What iOS version
Avatar
I believe it was iOS 14
12:51 PM
(Sorry don't have that off hand)
12:56 PM
Looking at reproducing, it appears that the information is just exposed as what app saved the photo
Avatar
Avatar
Murst
Looking at reproducing, it appears that the information is just exposed as what app saved the photo
ScottKjr3347 12/15/2022 1:00 PM
Try this & feel free to post or dm if you have any questions. https://github.com/iOS14/iOS14_LPL_Phsql_IntResou-iCldPhotos.txt
Avatar
FYI that link 404's
1:02 PM
iOS Photos.sqlite queries that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to...
Avatar
Avatar
Murst
FYI that link 404's
ScottKjr3347 12/15/2022 1:18 PM
Sorry my bad and yes
Avatar
Avatar
ScottKjr3347
Sorry my bad and yes
This is a fantastic sql query you put together by the way. I would even say they should go into SQLECmd
Avatar
Avatar
Murst
This is a fantastic sql query you put together by the way. I would even say they should go into SQLECmd
ScottKjr3347 12/15/2022 1:20 PM
It’s been discussed
Avatar
Avatar
Rob
Re-ran the Android database plugin which eventually triggered it again. Does add duplicate data so wouldn't recommend using it as your final version again
Thanks for the trick. It's a pain, especially when the extraction is super big...
Avatar
Avatar
chauan
Thanks for the trick. It's a pain, especially when the extraction is super big...
No worries, would just not use it as your final version due to data duplication! (edited)
Avatar
Avatar
AU_Magneteer21
@sky4n6 Use XAMN to convert the Xry file to bin file and then you should be able to import the bin file into Axiom
Abby Normal 12/15/2022 4:12 PM
Hi, is this still the case as I have been given an xry file from another office and don't have a license to xry
Avatar
Avatar
Abby Normal
Hi, is this still the case as I have been given an xry file from another office and don't have a license to xry
You can try XAMN Viewer (free, but need your email) from MSAB. It works similarly to Cellebrite reader.
5:08 PM
Exporting .bin only works for physical extractions and you'll need the licensed version of XAMN (Element) to do it.
Avatar
Avatar
chauan
Exporting .bin only works for physical extractions and you'll need the licensed version of XAMN (Element) to do it.
Abby Normal 12/15/2022 5:45 PM
Thanks. I thought there was a way to file dump a logical but the axiom article that magnet has points to a 2018 post using xact for logical files
Avatar
Avatar
Abby Normal
Thanks. I thought there was a way to file dump a logical but the axiom article that magnet has points to a 2018 post using xact for logical files
Let's tag @MSAB_Sofia and see if she has other tricks...
👍 1
Avatar
Avatar
sootysox
3 times today i've loaded a file into that version, clicked on either an image or video and it's crashed!!! just loading it up again now after rebooting my machine again!!
I experienced the exact same thing. No rhyme or reason. It would just crash.
Avatar
Avatar
Abby Normal
Thanks. I thought there was a way to file dump a logical but the axiom article that magnet has points to a 2018 post using xact for logical files
Depending on from what phone the logical extraction comes, it may be similar to (or even exactly) a FFS. So that exporting files from XAMN with 'Reflect original path' checked could be an option. (Filter out only files, use Export/Report - output format: File) But if it is an Android phone for example, any data extracted by the Agent (calls, contacts, SMS/MMS for example) would not be exported in a way that mimics how it was saved on the phone (if the phone wasn't rooted, so that all files could be accessed, of course).
👍 1
Avatar
Morning all, anyone know the file path for Cellebrite PA logs please on Windows 11
12:42 AM
Also, can someone from @MSAB send me the release notes for XAMN 7.4 please as the download refuses to work
Avatar
Avatar
obi95
Morning all, anyone know the file path for Cellebrite PA logs please on Windows 11
I fix.
Avatar
Avatar
obi95
Morning all, anyone know the file path for Cellebrite PA logs please on Windows 11
CLB-DannyTheModeler 12/16/2022 2:09 AM
Obi, the easiest way to collect the logs is to use the Zip Log Files capability in the Help menu.
Avatar
Avatar
CLB-DannyTheModeler
Obi, the easiest way to collect the logs is to use the Zip Log Files capability in the Help menu.
Very true but alas the technician who was using that machine is off now. We think we’ve managed to get the relevant log though using WizTree
Avatar
Sometimes we get Samsung phones that are FBE and XRY gets a physical. Unfortunately it may not decode something like Snapchat so we export it to PA. What's the best way to do this? If we do a bin, most of the time PA doesn't seem to decode anything, I assume because of the FBE, but if we do a file export/import then we get what we are after but the timestamps on the media are affected by the date you exported the files, which we can't use
Avatar
Avatar
4N6Matt
Sometimes we get Samsung phones that are FBE and XRY gets a physical. Unfortunately it may not decode something like Snapchat so we export it to PA. What's the best way to do this? If we do a bin, most of the time PA doesn't seem to decode anything, I assume because of the FBE, but if we do a file export/import then we get what we are after but the timestamps on the media are affected by the date you exported the files, which we can't use
Xry decrypts the physical image using the keys it got during extraction. You'd have to export filesystem in XAMN to an archive and then parse it with PA
5:49 AM
But first, verify the database files for the apps that are missing. I don't know if it happens on Samsung, but on Huawei, sometimes some files, including databases, were not decrypted and led to incomplete results. Maybe that's also the issue here, and if so, you'd have to extract it again using a different tool to get the full filesystem.
Avatar
citizencain 12/16/2022 8:17 AM
Just an FYI - Facebook Messages has relocated the message content from the threads_db to the msys_database_facebookID. Axiom 6.9 and @Oxygen Forensics 15.2 are the only tools I'm seeing right now that will parse it. Confirmed @Cellebrite PA 7.59 does not parse it. UPDATE: changing this to just Cellebrite, since Oxy 15.2 DOES parse it. Thanks Oxy! (edited)
Avatar
Avatar
citizencain
Just an FYI - Facebook Messages has relocated the message content from the threads_db to the msys_database_facebookID. Axiom 6.9 and @Oxygen Forensics 15.2 are the only tools I'm seeing right now that will parse it. Confirmed @Cellebrite PA 7.59 does not parse it. UPDATE: changing this to just Cellebrite, since Oxy 15.2 DOES parse it. Thanks Oxy! (edited)
Oxygen Forensics 12/16/2022 8:24 AM
Hello, if you go to your Customer Portal you will see version 15.2 of Detective available, may change your mind as to what can parse the new messages location 😄
🫢 1
Avatar
Anyone have an idea on why I would show more (3) messages in CDR records than in the SMS .db?
Avatar
Avatar
Ghosted
Anyone have an idea on why I would show more (3) messages in CDR records than in the SMS .db?
Were the messages deleted from the phone? You could check the primary key in the SQLite DB to see if there are any missing entries.
Avatar
but is there any possibility to do something if Cellebrite Reader won't open due to low RAM available on the machine? @Cellebrite
Avatar
@FullTang yes I am using that db and I have 3 cdr records more than deleted entries in the phone
Avatar
Does someone have a clever/forensic description of what the folder data/user_de is for on Android phones? Thank you
Avatar
Avatar
denyzkoo
Does someone have a clever/forensic description of what the folder data/user_de is for on Android phones? Thank you
Here you can find some info about different Android folders https://github.com/RealityNet/Android-Forensics-References
Avatar
Avatar
Dam
Here you can find some info about different Android folders https://github.com/RealityNet/Android-Forensics-References
Thank you
Avatar
Hey, does anyone know which database format ICQ New utilizes for its local data? It's a scheme with files like "_idx1" and "_db6" with padded clear text inside
Avatar
And calls like /archive/mentions/get/result on file system level
Avatar
Avatar
Dam
Here you can find some info about different Android folders https://github.com/RealityNet/Android-Forensics-References
I didn't find anything.
Avatar
Hey, I'm currently dealing with a few .3ga audio files on a Samsung phone. Looking at them in Cellebrite 8 it lists one of them as having 37 chunks and the others as having only 1. By my understanding of the chunks used in the encoding of MPEG-4 this isn't correct and I was wondering where it is getting this from. It is listed under General in the file info category but looking at the files with exiftool shows nothing about chunks.
Avatar
Avatar
Alexsaurus
Hey, I'm currently dealing with a few .3ga audio files on a Samsung phone. Looking at them in Cellebrite 8 it lists one of them as having 37 chunks and the others as having only 1. By my understanding of the chunks used in the encoding of MPEG-4 this isn't correct and I was wondering where it is getting this from. It is listed under General in the file info category but looking at the files with exiftool shows nothing about chunks.
I wasn’t aware that PA, or any other file system forensic tool, would report the number of “boxes” (ISOBMFF/mp4 version of chunks). To be a playable file there should be more than 1 box encoded. To have a better chance at visualizing the structure of the file I would suggest exiftool using a -V2 or -V3 option. Depending on what your goal is with the analysis, I would caution you that exiftool may not accurately report all objects within a file. You can also manually decode in a hex editor to evaluate structure without worrying about skipped/missed boxes. I wouldn’t recommend it for video files but the 3ga file may not be complex enough to make it a real headache.
Avatar
Avatar
Brandon E
I wasn’t aware that PA, or any other file system forensic tool, would report the number of “boxes” (ISOBMFF/mp4 version of chunks). To be a playable file there should be more than 1 box encoded. To have a better chance at visualizing the structure of the file I would suggest exiftool using a -V2 or -V3 option. Depending on what your goal is with the analysis, I would caution you that exiftool may not accurately report all objects within a file. You can also manually decode in a hex editor to evaluate structure without worrying about skipped/missed boxes. I wouldn’t recommend it for video files but the 3ga file may not be complex enough to make it a real headache.
Yeah, that is why I am confused as to what Cellebrite is talking about. I have looked at the files in WinHex and it seems that there are only three chunks: the initial ftyp, then an mdat, and finally a moov. The Cellebrite chunk count is being brought up as evidence of file editing but I have no idea what that number is referring to.
Avatar
Avatar
Alexsaurus
Yeah, that is why I am confused as to what Cellebrite is talking about. I have looked at the files in WinHex and it seems that there are only three chunks: the initial ftyp, then an mdat, and finally a moov. The Cellebrite chunk count is being brought up as evidence of file editing but I have no idea what that number is referring to.
Yeah. Maybe someone at @Cellebrite could chime in there. I will say that as a tool designed for filesystem forensics I would not place a whole lot of weight on it (or similar tools) decoding multimedia files accurately. At least with WinHex you have a better visualization of the boxes where you can see them in hex. With just what you said there I wonder if there is a discrepancy between a reported box size in the file and the actual box size causing an issue. But that is really just a guess.
Avatar
When a file is named filtered-"ID-number" what does that mean?
Avatar
Avatar
Brandon E
Yeah. Maybe someone at @Cellebrite could chime in there. I will say that as a tool designed for filesystem forensics I would not place a whole lot of weight on it (or similar tools) decoding multimedia files accurately. At least with WinHex you have a better visualization of the boxes where you can see them in hex. With just what you said there I wonder if there is a discrepancy between a reported box size in the file and the actual box size causing an issue. But that is really just a guess.
CLB_iwhiffin 12/19/2022 10:42 AM
I'm looking into it, but my first thought is that we are actually talking about different definitions of chunks. For example, I have a database with a chunk count of 33 and apk's with a chunk count of 1. So I have a feeling it's more to do with the fragmentation within the filesystem, rather than the fragmentation of a media file. The fact it's grouped with the inode information too... (edited)
Avatar
ScottKjr3347 12/19/2022 11:05 AM
What is something related to iOS Photos.sqlite you would like to see detailed in a blog? Feel free to dm: Just a few ideas that I’m thinking about, let me know which might be the most useful: New Shared Photo Library Pending/current View/Play counts Snapchat Original File name attribution “Name your app” original file name attribution
Avatar
Avatar
ScottKjr3347
What is something related to iOS Photos.sqlite you would like to see detailed in a blog? Feel free to dm: Just a few ideas that I’m thinking about, let me know which might be the most useful: New Shared Photo Library Pending/current View/Play counts Snapchat Original File name attribution “Name your app” original file name attribution
Snapchat please 🙂
👍 3
Avatar
Avatar
CLB_iwhiffin
I'm looking into it, but my first thought is that we are actually talking about different definitions of chunks. For example, I have a database with a chunk count of 33 and apk's with a chunk count of 1. So I have a feeling it's more to do with the fragmentation within the filesystem, rather than the fragmentation of a media file. The fact it's grouped with the inode information too... (edited)
Ahhh. That makes sense. Thanks! Adding @Alexsaurus for visibility
👍 1
Avatar
Avatar
Brandon E
Ahhh. That makes sense. Thanks! Adding @Alexsaurus for visibility
CLB_iwhiffin 12/19/2022 12:24 PM
Great thank you. I've just had confirmation that the above explanation is correct.
Avatar
Thanks @CLB_iwhiffin, so chunk count is how fragmented the file is. This does raise the question as why one file is so fragmented when other files in the same place are not.
Avatar
Avatar
Alexsaurus
Thanks @CLB_iwhiffin, so chunk count is how fragmented the file is. This does raise the question as why one file is so fragmented when other files in the same place are not.
CLB_iwhiffin 12/19/2022 12:32 PM
That's a little more difficult to answer...
Avatar
rick.sander 12/19/2022 9:17 PM
cal
Avatar
Anyone from @Cellebrite available ?
📬 1
Avatar
Hi Guys! I have an extraction of an iOS 14.6 iPhone. The iPhone extraction is from the 2nd of December. Now I get a question from the team: when was the last SIM card inserted in the device? In the CellularUsage.db there is a table "subscriber_info" where the last update time is, but not when the SIM was inserted. In the database DataUsage.sqlite I see there is a gap between 19-11 and 30-11. We think the SIM was inserted on 30-11 but is there a database or something where that is stored? (edited)
Avatar
Avatar
Mr.Robot
Hi Guys! I have an extraction of an iOS 14.6 iPhone. The iPhone extraction is from the 2nd of December. Now I get a question from the team: when was the last SIM card inserted in the device? In the CellularUsage.db there is a table "subscriber_info" where the last update time is, but not when the SIM was inserted. In the database DataUsage.sqlite I see there is a gap between 19-11 and 30-11. We think the SIM was inserted on 30-11 but is there a database or something where that is stored? (edited)
CLB_4n6s_mc 12/20/2022 2:59 AM
Try to find the com.apple.commcenter.plist it should help.
Avatar
FYI, just decoded a Nokia TA-1174 in PA but the incoming and outgoing calls are reported the wrong way round.
Avatar
Avatar
CLB_4n6s_mc
Try to find the com.apple.commcenter.plist it should help.
In the system or private folder?
Avatar
Avatar
Mr.Robot
In the system or private folder?
CLB_4n6s_mc 12/20/2022 5:34 AM
/private/var/wireless/Library/Preferences
Avatar
Avatar
Mr.Robot
Hi Guys! I have an extraction of an iOS 14.6 iPhone. The iPhone extraction is from the 2nd of December. Now I get a question from the team: when was the last SIM card inserted in the device? In the CellularUsage.db there is a table "subscriber_info" where the last update time is, but not when the SIM was inserted. In the database DataUsage.sqlite I see there is a gap between 19-11 and 30-11. We think the SIM was inserted on 30-11 but is there a database or something where that is stored? (edited)
I think this update time is when the SIM was inserted. If I'm correct you will have three rows max in there, right? I think I have some notes on this somewhere... on our wiki. Edit: so I have a note regarding CellularUsage.db, iPhone 7 on iOS 13.x: when inserting a SIM it registers the date of insertion, showing it as "last updated". I'm unsure if it also registers it when the SIM is not unlocked using the PIN. You could easily check this of course with a test device. (edited)
Avatar
Avatar
Droptixs
FYI, just decoded a Nokia TA-1174 in PA but the incoming and outgoing calls are reported the wrong way round.
Might be useful to open a support ticket and/or tag @Cellebrite
👍 1
Avatar
Hi all, I have a Nokia Lumia (actually 2).... Which way is the best to parse the files? Most important is store.vol. Are my best options EnCase and FTK?
Avatar
Depends on Windows version. If it's 7 or 8, PA might do the job just fine. If higher, Axiom might be more helpful
Avatar
Avatar
Arcain
Depends on Windows version. If it's 7 or 8, PA might do the job just fine. If higher, Axiom might be more helpful
its 8
3:12 AM
and CB does not parse anything.... only media files
Avatar
then i'd go with Axiom if that's available for you
Avatar
will try, thanks.. found some of the SMSes in hex in the store.vol. But the content is not there, only the sender/rec 🙂
3:27 AM
or.. the content is in the hex and not readable in the tables 🙂
Avatar
Could someone help me with the Messenger db structure? I have to parse one of them manually with SQL builder. I succeeded in getting the message text, the sender id and name, and the timestamp, but I miss the receiver. When the sender is external I can deduce that the recipient is the owner of the device, but when it is the owner who sends, I cannot find the information on the destination of the message. (edited)
Avatar
Avatar
j_matas
will try, thanks.. found some of the SMSes in hex in the store.vol. But the content is not there, only the sender/rec 🙂
You can view the store.vol with an ESE database viewer. OSForensics has a quite nice tool for that, but the tables usually don't have very descriptive names, at least when you look for contacts that are also stored in store.vol (edited)
Avatar
Avatar
Arcain
You can view the store.vol with an ESE database viewer. OSForensics has a quite nice tool for that, but the tables usually don't have very descriptive names, at least when you look for contacts that are also stored in store.vol (edited)
had it in the ESE db viewer by NirSoft... But it did not show it nicely. However Axiom seems to have done a great job, thanks!
Avatar
If I have a hit for an app such as 'Vaulty' with gass.db being the source and I have no other results. Does this mean that the app was once installed? Looking at the device in question, it is definitely no longer installed (if it was ever?). (edited)
Avatar
Is it possible to find info regarding IMEI and ICCID etc in the registry of a Windows Phone 8? (the Nokia Lumia 920) If anyone has any documentation regarding artifacts etc on Windows phones let me know 🙂 can't see it covered in any of the books or SANS 585
Avatar
Avatar
florus
I think this update time is when the SIM was inserted. If I'm correct you will have three rows max in there, right? I think I have some notes on this somewhere... on our wiki. Edit: so I have a note regarding CellularUsage.db, iPhone 7 on iOS 13.x: when inserting a SIM it registers the date of insertion, showing it as "last updated". I'm unsure if it also registers it when the SIM is not unlocked using the PIN. You could easily check this of course with a test device. (edited)
I think the Last_update_Time isn't when the SIM card is inserted because it doesn't fit on the timeline
Avatar
Avatar
Mr.Robot
I think the Last_update_Time isn't when the SIM card is inserted because it doesn't fit on the timeline
Well, do a few tests please, and find out for us all 🙂 (edited)
Avatar
@Cellebrite someone available for a PA question? I got a case with uploads in web search, seemingly coming from Snapchat. I got 2 dates, "last modified" and "uploaded". They are often the same but sometimes "last modified" is before the "uploaded". Could you help me with that?
📬 1
Avatar
Avatar
Nutelap
@Cellebrite someone available for a PA question? I got a case with uploads in web search, seemingly coming from Snapchat. I got 2 dates, "last modified" and "uploaded". They are often the same but sometimes "last modified" is before the "uploaded". Could you help me with that?
Hey, this happens when a user uploaded to Snapchat gallery from an existing camera roll media, rather than taking the picture directly from Snapchat. The last modified time is when it was modified on the device, which should mean when the user took the picture/video, and the upload time is when it was uploaded to Snapchat gallery. (edited)
Avatar
Avatar
CLB - Ofri
Hey, this happens when a user uploaded to Snapchat gallery from an existing camera roll media, rather than taking the picture directly from Snapchat. The last modified time is when it was modified on the device, which should mean when the user took the picture/video, and the upload time is when it was uploaded to Snapchat gallery. (edited)
Oh well ! Thanks for the answer 🙂
Avatar
Avatar
j_matas
Is it possible to find info regarding IMEI and ICCID etc in the registry of a Windows Phone 8? (the Nokia Lumia 920) If anyone has any documentation regarding artifacts etc on Windows phones let me know 🙂 can't see it covered in any of the books or SANS 585
Showaddywaddy 12/22/2022 6:27 AM
I've got a Lumia 930 here and the IMEISV should be located under ROOT/OEM/Nokia/Variant/IMEISV. img_MainOS.bin/Windows/system32/config/SOFTWARE.
6:28 AM
930 is running 8.1 but should be exactly the same. Edit: Just checked on a Nokia 630 running Windows Phone 8 and yeah exact same location. (edited)
Avatar
Anyone know how I can manually parse voice memos from an SE Passware extraction? Not sure where they are in the file system. (edited)
Avatar
Is PA single threaded or multi-threaded?
Avatar
multi
👍 1
Salute 1
Avatar
Question....has anyone had iMessages in the sms.db with a timestamp later than the read timestamp? I'm looking at a phone that has a message received by the device at 4/14/2021 but it has a read date of 3/10/2021. Trying to make heads or tails of it.
Avatar
Avatar
charpy4n6
Question....has anyone had iMessages in the sms.db with a timestamp later than the read timestamp? I'm looking at a phone that has a message received by the device at 4/14/2021 but it has a read date of 3/10/2021. Trying to make heads or tails of it.
JLindmar (83AR) 12/22/2022 6:56 PM
Interesting. Is there any other activity of note on that date?
Avatar
Avatar
JLindmar (83AR)
Interesting. Is there any other activity of note on that date?
I'm just starting to look at it. Was hoping someone has seen it before. I'll update as I find things though 🙂
Avatar
Avatar
charpy4n6
I'm just starting to look at it. Was hoping someone has seen it before. I'll update as I find things though 🙂
JLindmar (83AR) 12/22/2022 7:03 PM
I can't say I've noticed that, but my first thought was if the message was resynced from iCloud.
Avatar
Anyone ever have luck decrypting contents of Private Photo Vault? Found a link that claims that the encryption key is stored in the ios keychain.
Avatar
Avatar
BenDrinkin
Anyone ever have luck decrypting contents of Private Photo Vault? Found a link that claims that the encryption key is stored in the ios keychain.
Password is in plain text in the keychain, which you'll need an FFS extraction to get.
12:24 PM
What version of PhotoVault are you dealing with?
Avatar
Not sure offhand, I'll be able to check on Tuesday. But from an icloud backup. Out of luck with keychain artifacts?
Avatar
Hello, I need to extract an iPhone 12 mini showing the message "Unavailable iPhone". I need to extract it without losing data/information. I now have the correct password. Any way to do this?
Avatar
chrisforensic 12/26/2022 5:15 AM
hello folks @Cellebrite ... Is there an advantage (apart from saving the ssd) if I link the PA standard path of the temp folder to a ramdisk (16 GB)?
Avatar
Avatar
chrisforensic
hello folks @Cellebrite ... Is there an advantage (apart from saving the ssd) if I link the PA standard path of the temp folder to a ramdisk (16 GB)?
CLB_4n6s_mc 12/26/2022 5:19 AM
Hi Chris, if the question is whether it is going to accelerate the decoding, the answer is not really (of course it depends on the size of the dump). (edited)
👍 1
Avatar
chrisforensic 12/26/2022 5:23 AM
ha, ok.... and viewing pictures in thumbnail view will be accelerated?
5:23 AM
Avatar
Avatar
chrisforensic
(image attachment)
Interesting question. I would also like to know how the generation of thumbnails could be sped up - speed of RAM / drive IOPS / or temp folder like what @chrisforensic mentioned
Avatar
Avatar
BenDrinkin
Anyone ever have luck decrypting contents of Private Photo Vault? Found a link that claims that the encryption key is stored in the ios keychain.
Axiom automatically decrypts it in my experience and also displays the pin for you.
Avatar
Avatar
BenDrinkin
Not sure offhand, I'll be able to check on Tuesday. But from an icloud backup. Out of luck with keychain artifacts?
You'll need the application extracted, which I'm not sure if you'll get from an iCloud backup. PPV can be decrypted without the keychain in some cases. Some tools such as PA/Oxygen/Axiom etc support decryption up to certain versions. At last look it was up to version 12.4 approx.
Avatar
Thanks for all the help! It was run through both Axiom and PA with no luck, so I'll double check the version tomorrow.
Avatar
Avatar
BenDrinkin
Thanks for all the help! It was run through both Axiom and PA with no luck, so I'll double check the version tomorrow.
@bang might be able to help if it transpires you do have the full application container. The com.enchantedcloud.photovault folder.
Avatar
Avatar
BenDrinkin
Thanks for all the help! It was run through both Axiom and PA with no luck, so I'll double check the version tomorrow.
Hi Ben, we have capability. I'll PM you
Avatar
Thanks @bang I'll keep an eye out for you. Looks like it's version 13.8. After renaming the backup files I have a folder called AppDomain-com.enchantedcloud.photovaultpro. I have no clue if that has everything or just a portion, but I'll try installing to my own device and dumping to compare.
Avatar
Looking to see if anyone has analyzed the Quora application. I have images of interest associated with the application's HTTP Cache folder. These images aren't illegal, but I think they show his intent and pattern of behavior leading up to his other issues. While digging through the databases, I don't really see any of the topics he might be following, or posts, etc. I found a NOTIFICATIONS file, which has a few strings of value relating to topics, but I don't know if these are notification he received based upon activities, topics he follows, etc. I used some Google-Fu on the intrawebs and didn't really find anything useful. So I thought I would reach out here to see if anyone had any insights.
7:05 AM
To clarify, I can see that the titles and alerts of interest in the Notifications section were all "Push Notifications." I also am aware that this is probably going to require testing to find out if someone hasn't already played with this application.
Avatar
Can anyone recommend a tool to parse a GK / Premium keychain.plist or passwords.txt file ? Is there a free tool that does this ?
Avatar
Avatar
Dfdan
Can anyone recommend a tool to parse a GK / Premium keychain.plist or passwords.txt file ? Is there a free tool that does this ?
@bang might be able to help 🙂
Avatar
Avatar
Dfdan
Can anyone recommend a tool to parse a GK / Premium keychain.plist or passwords.txt file ? Is there a free tool that does this ?
I have a scraper, I'll DM you
Avatar
Avatar
Alexsaurus
Does anyone know how to delete the com.sec.android.gallery3d cache from an unrooted samsung so contents from it can't be recovered?
SubnetterOne 12/28/2022 9:11 AM
com.android.gallery3d is the APK for the system gallery app that allows you to access, view and edit photos, videos and other media files on your Android device.
Avatar
Hi guys, do you know if there is an application database on iOS which can be used to make some comparison?
Avatar
Avatar
nicnic
Hey, is anybody out there who has a clue what newer Samsung gallery3d paths are encoded with in the log table in local.db? According to this it's Base64 but that doesn't work in my case. Strings begin with "#G$", the rest looks like Base64 but ain't ... http://cheeky4n6monkey.blogspot.com/2022/01/mike-monkey-dumpster-dive-into-samsung.html?m=1 (edited)
SubnetterOne 12/28/2022 10:33 AM
@nicnic were you ever able to get any information regarding the encoding format of newer Samsungs. currently facing the same challenge with the article.
Avatar
Avatar
SubnetterOne
@nicnic were you ever able to get any information regarding the encoding format of newer Samsungs. currently facing the same challenge with the article.
Yes, it's Base64 followed by XOR with one of 8 keys ... the key index (the first number after AFAIR $G#) is the index ... unfortunately I'm not in the office so I cannot tell you the keys but they are hardcoded and you can find them using JADX on the APK
🥳 1
10:38 AM
Just convert them from byte to decimal and you can decrypt the log lines easily using CyberChef ... or, what we did, recycle the original decompiled function in a new little Java application (edited)
Avatar
Avatar
SubnetterOne
@nicnic were you ever able to get any information regarding the encoding format of newer Samsungs. currently facing the same challenge with the article.
I only have these screenshots left
10:41 AM
i is the index from the byte array (the key number), unfortunately I only have these old screenshots
Avatar
Avatar
nicnic
I only have these screenshots left
SubnetterOne 12/28/2022 11:11 AM
Thank you so much for the fast response @nicnic... This gives me a path to go a little further for sure since I have been hitting the wall most of the day on this. Please still share the keys when you get an opportunity. Many thanks!
Avatar
Avatar
SubnetterOne
Thank you so much for the fast response @nicnic... This gives me a path to go a little further for sure since I have been hitting the wall most of the day on this. Please still share the keys when you get an opportunity. Many thanks!
No problem, wasn't that easy to find out but it was a lucky punch that JADX led me to the solution ... it will take a few days but it's much quicker to download JADX (portable, no install) and search (Ctrl + F) for "sEncV2Key" - voila, you have the keys
Avatar
Avatar
nicnic
No problem, wasn't that easy to find out but it was a lucky punch that JADX led me to the solution ... it will take a few days but it's much quicker to download JADX (portable, no install) and search (Ctrl + F) for "sEncV2Key" - voila, you have the keys
SubnetterOne 12/28/2022 1:04 PM
That sounds like a plan thank you!
Avatar
Avatar
SubnetterOne
That sounds like a plan thank you!
You're welcome! What I wanted to say is that it will take a few days until I'm back to office, so extracting the keys and converting them to binary (stackoverflow "java byte array to binary") for use with CyberChef may be much quicker
Avatar
Avatar
Rob
@bang might be able to help 🙂
ScottKjr3347 12/28/2022 8:17 PM
Avatar
Avatar
Rob
If I have a hit for an app such as 'Vaulty' with gass.db being the source and I have no other results. Does this mean that the app was once installed? Looking at the device in question, it is definitely no longer installed (if it was ever?). (edited)
Did you have an answer ?
Avatar
Avatar
JP
Did you have an answer ?
I went for the safe option, potentially previously installed but cannot confirm if it was and if so when. Possibly could be synced over data so decided to go safe. (edited)
👍 1
Avatar
Avatar
JackDFIR
Hi All, I'm looking to chat to anyone with experience decoding Discord caches (store_messages_cache_vXX) files on Android devices (and guilds, channels etc, need to be able to say where the message was sent). Been doing lots of searching online and I think I'm close. If anyone has any relevant experience please get in touch. Cellebrite and Magnet aren't decoding anything unfortunately.
Did you find answers about the Discord cache file? UFED PA decoded "store_messages_cache_v38" from an FFS Android extraction, but the messages are displayed in "native messages" instead of Chats/Discord? (edited)
Avatar
Avatar
Rob
I went for the safe option, potentially previously installed but cannot confirm if it was and if so when. Possibly could be synced over data so decided to go safe. (edited)
I have many applications that appear in "installed applications" but they are not on the phone. It is a shame that the software does not indicate whether the application is still installed or not, with a single glance.
👍 1
Avatar
Avatar
JP
I have many applications that appear in "installed applications" but they are not on the phone. It is a shame that the software does not indicate whether the application is still installed or not, with a single glance.
Maybe @Cellebrite can separate out Installed to Potentially Previous / Current?
Avatar
There is also a txt file "installedappslist.txt" with the extraction of the phone. It seems to be more in line with the apps that are actually installed on the phone. (edited)
👍 1
Avatar
Anyone dealing with Threema backup zip files - threema-backup_xxx_xxx.zip? It is an encrypted zip (filenames inside the zip are not encrypted). I can't get a hash from the zip file to use hashcat to perform a wordlist attack. zip2john or rar2john did not give me a hash. How do I get a hash for hashcat? (edited)
Avatar
Avatar
Dfdan
Can anyone recommend a tool to parse a GK / Premium keychain.plist or passwords.txt file ? Is there a free tool that does this ?
we have a tool that does this and auto cracks the password in pchistory using hashcat etc, DM if interested 😁 (edited)
Avatar
Anyone have some Wickr decoding insight for me? When PA prompts for a password to decrypt the db, does it need a digit code or an alphanumeric code? Isn't there a way to use the keychain? @Cellebrite
Avatar
Avatar
florus
Anyone have some Wickr decoding insight for me? When PA prompts for a password to decrypt the db, does it need a digit code or an alphanumeric code? Isn't there a way to use the keychain? @Cellebrite
Can be alphanumeric, as I had a case recently where it was this. I don't believe the keychain will help. @bang can help. (edited)
Avatar
Avatar
florus
Anyone have some Wickr decoding insight for me? When PA prompts for a password to decrypt the db, does it need a digit code or an alphanumeric code? Isn't there a way to use the keychain? @Cellebrite
CLB-dan.techcrime 12/31/2022 2:58 AM
Forensic Analysis of Signal, Wickr, Threema - Decrypt all databases and multimedia files - GitHub - hunjison/Messenger-Forensics: Forensic Analysis of Signal, Wickr, Threema - Decrypt all databases...
👍 2
Arcain pinned a message to this channel. 12/31/2022 4:49 AM
Avatar
AccessInvestigations 12/31/2022 3:45 PM
I am not having any luck with rooting this Amazon Fire 7 (12th generation) (using the method suggested by @DFIRScience in one of his YT videos). It says it is FireOS 8.3.1.3. I was successful at getting into Developer mode, ADB working, installed KingoRoot and BusyBox apks, but when I try to root the device with KingoRoot it fails! Anyone have any ideas or another apk that I should use? I am trying to get an image of the device so I can use a forensic tool to view the browser history for evidence of CSAM. (edited)
Avatar
Avatar
AccessInvestigations
I am not having any luck with rooting this Amazon Fire 7 (12th generation) (using the method suggested by @DFIRScience in one of his YT videos). It says it is FireOS 8.3.1.3. I was successful at getting into Developer mode, ADB working, installed KingoRoot and BusyBox apks, but when I try to root the device with KingoRoot it fails! Anyone have any ideas or another apk that I should use? I am trying to get an image of the device so I can use a forensic tool to view the browser history for evidence of CSAM. (edited)
Might try in #mobile-forensic-extractions instead of decoding?
Avatar
First time I did a physical extraction for a Xiaomi Note 8, Android 11, rooted, with UFED. The result was 5 files: blk0_mmcblk0.bin, blk32_mmcblk0rpmb.bin, log.txt, procdata.zip and a .ufd file. The userdata in the bin file is encrypted. Anyone know how to decrypt it?
Avatar
Avatar
0hasan0.
First time I did a physical extraction for a Xiaomi Note 8, Android 11, rooted, with UFED. The result was 5 files: blk0_mmcblk0.bin, blk32_mmcblk0rpmb.bin, log.txt, procdata.zip and a .ufd file. The userdata in the bin file is encrypted. Anyone know how to decrypt it?
It's FBE (file based encryption) so a physical dump is useless unless you have the proper keys and know how to use them. You should perform a full file system extraction, not physical. And the full file system is the best you can get from an FBE device. (edited)
Avatar
Avatar
Angst
It's FBE (file based encryption) so a physical dump is useless unless you have the proper keys and know how to use them. You should perform a full file system extraction, not physical. And the full file system is the best you can get from an FBE device. (edited)
ok thank you but i wonder if it's useless why on earth ufed has this option
Angst
It's FBE (file based encryption), so a physical dump is useless unless you have the proper keys and know how to use them. You should perform a full file system extraction, not physical. And the full file system is the best you can get from an FBE device. (edited)
In addition, the device got stuck in a bootloop after the extraction.
0hasan0.
OK, thank you, but I wonder: if it's useless, why on earth does UFED have this option?
They already improved it in the Smart Flow method. For FBE devices it offers only FFS, and for FDE it offers both, physical and FFS.
👍 1
0hasan0.
In addition, the device got stuck in a bootloop after the extraction.
Which extraction profile did you use, and how was the device rooted? (edited)
Magisk rooted, ADB physical root, not the Smart Flow.
florus
Might try in #mobile-forensic-extractions instead of decoding?
AccessInvestigations 1/1/2023 12:01 PM
Thank you, prior to you linking that channel it did not show on my channel list so I wasn't aware it existed. Thanks
0hasan0.
OK, thank you, but I wonder: if it's useless, why on earth does UFED have this option?
There's a known ufed issue where it's displaying both FFS / Physical as an option via Smart Flow if you're using that. Apparently it's being fixed for next version 🙂
👍 1
someone knows what tool can parse the level.db from Skype (Beklasoft not an option)
12:02 AM
belka even
chrisforensic 1/2/2023 12:34 AM
good morning @Cellebrite .. thanks for the support in decoding various whatsapp versions with your PA 👍 💯 no other tool can do that to this extent (edited)
Salute 3
12:34 AM
chrisforensic
good morning @Cellebrite .. thanks for the support in decoding various whatsapp versions with your PA 👍 💯 no other tool can do that to this extent (edited)
CLB_4n6s_mc 1/2/2023 12:37 AM
Good morning Chris and happy new year. Thanks a lot for this wonderful update and for sharing.
Salute 1
@CLB_4n6s_mc Are you supporting skype level.db? 🙂
j_matas
@CLB_4n6s_mc Are you supporting skype level.db? 🙂
CLB_4n6s_mc 1/2/2023 12:52 AM
@j_matas I need to check.
CLB_4n6s_mc
@j_matas I need to check.
thanks, have a couple of guys asking 🙂 Or if there is a script available (edited)
Mobile_Digger 1/2/2023 3:38 AM
I have an iPhone A1661; it was remote wiped. Is it possible to know when it was wiped?
Mobile_Digger
I have an iPhone A1661; it was remote wiped. Is it possible to know when it was wiped?
Cellebrite has a blog on this. Check out purplebuddy.plist and containermanagerd.log.0 .
this 1
Mobile_Digger
I have an iPhone A1661; it was remote wiped. Is it possible to know when it was wiped?
creation date of the .obliterated file
this 1
12:35 PM
One of the most common questions we’re asked is, “How do you determine when an iOS device was wiped?” Wiping is a common way to trample potential evidence on a device. Over the years, we have seen some savvy moves to try to cover up wiping efforts on devices and prevent the act from being … Continue reading "Upgrade From NULL—Detecting iOS Wipe ...
Is it possible to specify a time when a WA chat was deleted? In the db chatstorage.sqlite ZWAMESSAGE table the consecutive numbering of the Z_PK column is interrupted. The contact details of the deleted user are contained in the ZWACHATSESSION table. The chatstorage.sqlite last modified entry will refer to the entire db (I think so). The index db (ChatSearchV5f.sqlite) is not present (no FFS). Is there any approach or containment? Thanks. (https://discord.com/channels/427876741990711298/545232743353810946/1019573457513623592 👍 )
I noticed on an iPhone with iOS 15 that a lot of screenshots have a copy created several hours later with the file name "img_xxxx.large.jpg" that has EXIF data from the original screenshot. Anyone know what this is?
peMo
Is it possible to specify a time when a WA chat was deleted? In the db chatstorage.sqlite ZWAMESSAGE table the consecutive numbering of the Z_PK column is interrupted. The contact details of the deleted user are contained in the ZWACHATSESSION table. The chatstorage.sqlite last modified entry will refer to the entire db (I think so). The index db (ChatSearchV5f.sqlite) is not present (no FFS). Is there any approach or containment? Thanks. (https://discord.com/channels/427876741990711298/545232743353810946/1019573457513623592 👍 )
Peacekeeper 1/3/2023 12:56 AM
What time period are we talking about? I don't know if with adv logical WhatsApp logs are available; for iOS devices these go back for about 5 days. Here you can see exactly when a chat was deleted and the amount of messages within the chat. With a FFS you might also have a backup file you can open which might contain the deleted messages, using Elcomsoft Explorer for WhatsApp.
Peacekeeper
What time period are we talking about? I don't know if with adv logical WhatsApp logs are available; for iOS devices these go back for about 5 days. Here you can see exactly when a chat was deleted and the amount of messages within the chat. With a FFS you might also have a backup file you can open which might contain the deleted messages, using Elcomsoft Explorer for WhatsApp.
Time period is 3 days. The chat (content) was on the perpetrator's cell phone. I am just looking for the time when the chat was deleted on the other phone. Which LogFile do you mean?
Peacekeeper 1/3/2023 4:03 AM
As stated, I don't know if WA logs are available on an Advanced Logical extraction. If they are, you are looking for (on an iPhone) files called "whatsapp-202Y-MM-YY-HH-MM-SS-XYZ-WhatsApp-*.log" or something alike. These were very elaborate, but for quite a while, since apps no longer keep running in the background, WhatsApp logs are only created when WhatsApp is active. In here you can find, amongst others, if chats were deleted (I don't know the exact line you're looking for, but if you search for all items containing 'delete' in Notepad++ you should surely find it if it happened, and when). Be sure to look it up. Let me know if you find it. If you don't, I would have to look up what it is called exactly. Other interesting/useful artifacts in WhatsApp logs: app//shake (if you shake the phone while WhatsApp is active, for example to undo an action, but it can also happen if you have WhatsApp open during a car crash); "server-time-shift" to check if the device time was correct compared to the WhatsApp server. A positive value means the device was ahead of current time, a negative value means the device was behind on current time. You can also find what chat was opened, how many unread items there were and much more. On Android the WhatsApp logs are also available, but way more elaborate compared to iPhone, for about 5 days into the past, and these contain logs mostly from 0200-0159hrs the next day. (And here ScreenLockReceiver is quite interesting, for example.)
Peacekeeper
As stated, I don't know if WA logs are available on an Advanced Logical extraction. If they are, you are looking for (on an iPhone) files called "whatsapp-202Y-MM-YY-HH-MM-SS-XYZ-WhatsApp-*.log" or something alike. These were very elaborate, but for quite a while, since apps no longer keep running in the background, WhatsApp logs are only created when WhatsApp is active. In here you can find, amongst others, if chats were deleted (I don't know the exact line you're looking for, but if you search for all items containing 'delete' in Notepad++ you should surely find it if it happened, and when). Be sure to look it up. Let me know if you find it. If you don't, I would have to look up what it is called exactly. Other interesting/useful artifacts in WhatsApp logs: app//shake (if you shake the phone while WhatsApp is active, for example to undo an action, but it can also happen if you have WhatsApp open during a car crash); "server-time-shift" to check if the device time was correct compared to the WhatsApp server. A positive value means the device was ahead of current time, a negative value means the device was behind on current time. You can also find what chat was opened, how many unread items there were and much more. On Android the WhatsApp logs are also available, but way more elaborate compared to iPhone, for about 5 days into the past, and these contain logs mostly from 0200-0159hrs the next day. (And here ScreenLockReceiver is quite interesting, for example.)
First of all, thank you very much for your detailed answer. I tested it with an adv logical backup and another (different) FFS backup. The FFS has in /root/ the corresponding logs (WhatsApp-202x...), which can be searched for "deleted" in the text view (also found "server-times-shift"). I also found the db ChatSearchV5f.sqlite here. My phone in the adv log backup has no log files and also no interesting data. Also missing here is the ChatS...sqlite. Learned something again, thanks again for your help.
peMo
First of all, thank you very much for your detailed answer. I tested it with an adv logical backup and another (different) FFS backup. The FFS has in /root/ the corresponding logs (WhatsApp-202x...), which can be searched for "deleted" in the text view (also found "server-times-shift"). I also found the db ChatSearchV5f.sqlite here. My phone in the adv log backup has no log files and also no interesting data. Also missing here is the ChatS...sqlite. Learned something again, thanks again for your help.
Peacekeeper 1/3/2023 4:37 AM
No problem, and if you need more specific help, feel free to reach out through DM (that is for anyone who wants/needs it). But be sure to also tag me here so I get notified that I have a DM 😉
👍 1
Anyone from @Cellebrite or @MSAB for quick dm?
MindBreak
Anyone from @Cellebrite or @MSAB for quick dm?
MSAB_Sofia 1/3/2023 7:09 AM
I'm here for another hour.
MindBreak
Anyone from @Cellebrite or @MSAB for quick dm?
Yes
j_matas
someone knows what tool can parse the level.db from Skype (Beklasoft not an option)
Yuri Gubanov (Belkasoft) 1/3/2023 9:14 AM
Why not?
j_matas
someone knows what tool can parse the level.db from Skype (Beklasoft not an option)
JLindmar (83AR) 1/3/2023 9:23 AM
I have a WhatsApp "chatsettingsbackup.db.crypt1" database. Anyone know how I can decrypt this? I have the key file.
Erik
I noticed on an iPhone with iOS 15 that a lot of screenshots have a copy created several hours later with the file name "img_xxxx.large.jpg" that has EXIF data from the original screenshot. Anyone know what this is?
ScottKjr3347 1/3/2023 6:46 PM
These types of files are discussed in the following blog postings: https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/ https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ Quick-short answer is that they are internal resources for the full sized asset and more than likely related to optimize iPhone storage process occurring due to iCloud Photos syncing. It’s not mentioned in your question but I would guess that you found these assets in the following path: private/var/mobile/Media/PhotoData/Metadata/* The following Photos.sqlite query will be able to show you the internal resources with data that can be matched up to each internal asset based on file size and availability: https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries/blob/main/iOS15/iOS15_LPL_Phsql_IntResou-iCldPhotos.txt
Anyone know if sound messages sent in Snapchat that are saved in a chat are possible to extract, or if they get extracted with a FFS extraction, and where I might find them if so? In this case a Samsung.
thatboy_leo 1/4/2023 5:30 AM
Anyone had issues with malware scanner with PA as of lately?
Anyone know a tool to parse a database of the app Conversations (Jabber / XMPP)?
Hey all. I'm playing around with PA 8 and I'm wondering if storing the DB on a 10 gigabit network drive would be that much worse than having it on a RAID 0 processing drive? Obviously it would be slower but does the DB really matter that much in terms of the device's initial processing? (edited)
thatboy_leo
Anyone had issues with malware scanner with PA as of lately?
Yes, the malware scanner in PA stopped working after the latest update.
dcs453
Yes, the malware scanner in PA stopped working after the latest update.
Peacekeeper 1/4/2023 12:43 PM
Don't know if it is a known issue, if not, it might be useful to tag @Cellebrite 🙂 (I didn't know of the issue, but we rarely perform a malware scan on an examined device)
Sorry if this is a daft question but how does @Cellebrite link the messages in ChatSearchV5 to a contact? I'm assuming it's using column 'c1contact' in the db however it looks encoded and I can't find the link to the contact in question?
Hi, @Cellebrite or someone knows in which files i could find system events with Xiaomi Android 11 device ? PA seems found nothing 🤔 (edited)
Reedsterz
I have a WhatsApp "chatsettingsbackup.db.crypt1" database. Anyone know how I can decrypt this? I have the key file.
CLB-LoukaO 1/5/2023 3:57 AM
Physical Analyzer can decrypt it using the WhatsApp plugin
Mr.Robot
Hi Guys! I have an extraction of an iOS 14.6 iPhone. The iPhone extraction is from the 2nd of December. Now I get a question from the team: when was the last SIM card inserted in the device? In the CellularUsage.db there is a table "subscriber_info" where the last update time is, but not when the SIM was inserted. In the database DataUsage.sqlite I see there is a gap between 19-11 and 30-11. We think the SIM was inserted on 30-11, but is there a database or something where that is stored? (edited)
@CLB_4n6s_mc helped me with accessing the Unified Logs! Thank you!
Salute 1
CLB-LoukaO
Physical Analyzer can decrypt it using the WhatsApp plugin
Works fine for the crypt12 or crypt14 files. Doesn't seem to decrypt the crypt1.
@Peacekeeper @dcs453 @Cellebrite I rolled back to 7.58.0.66 of PA and my malware scanner is still not working. Wondering if a windows update is causing the issue.
Ghosted
@Peacekeeper @dcs453 @Cellebrite I rolled back to 7.58.0.66 of PA and my malware scanner is still not working. Wondering if a windows update is causing the issue.
CLB_4n6s_mc 1/6/2023 2:56 AM
@Ghosted try to uninstall Physical Analyzer completely, reboot and install it in a different directory.
Ghosted
@Peacekeeper @dcs453 @Cellebrite I rolled back to 7.58.0.66 of PA and my malware scanner is still not working. Wondering if a windows update is causing the issue.
I wonder if it could be an issue with the malware definitions? After I updated PA, I updated the malware definitions. On Monday I’ll do a fresh install of everything and see if that fixed things.
@dcs453 I did that exact same thing @CLB_4n6s_mc I am going to try that as well.
Reedsterz
Works fine for the crypt12 or crypt14 files. Doesn't seem to decrypt the crypt1.
Yuri Gubanov (Belkasoft) 1/6/2023 8:37 AM
How old is the file?
Ghosted
@Peacekeeper @dcs453 @Cellebrite I rolled back to 7.58.0.66 of PA and my malware scanner is still not working. Wondering if a windows update is causing the issue.
Bill (VeriFi) 1/6/2023 9:54 AM
I had issues with the Malware scanner also. They just uploaded a new dictionary (BitDefender). It's under AddOns in the PA download section. Fixed my problem.
👍 2
9:58 AM
Has anyone ever had a hit with the malware scanner? I had one I thought was a sure hit ..... but nope.
Bill (VeriFi)
Has anyone ever had a hit with the malware scanner? I had one I thought was a sure hit ..... but nope.
Pretty sure I have had a hit, but I never dug into it to see how the malware worked.
Bill (VeriFi)
Has anyone ever had a hit with the malware scanner? I had one I thought was a sure hit ..... but nope.
It's rare I get a hit with PA's malware scanner. I do get frequent hits with Windows Defender when compressing the report using 7zip. (edited)
Bill (VeriFi)
Has anyone ever had a hit with the malware scanner? I had one I thought was a sure hit ..... but nope.
I’ve had a few hits. I remember one was the “FBI Virus” that was dropping CSAM on phones a few years ago.
Hi, does anyone have experience with how to decrypt messages in aes_crypto.app? I have an FFS iPhone extraction. The encrypted message was sent by another application, and I have it. I need to decrypt it.
6:48 AM
iOS app for encrypting text messages http://aescrypto.com - GitHub - evgenyneu/aes-text-encryption-ios: iOS app for encrypting text messages http://aescrypto.com
dabeersboys 1/8/2023 4:41 PM
I have seen in several cases in PA and Axiom where when parsing Snapchat Messages, sometimes the usernames don't appear and you only get a GUID. Some friends were asking about this, and I wrote a query that shows the Username to the Associated GUID. Of course I don't have any active cases or previously processed cases still on my computer that have this issue and it was Friday evening when I wrote this for them to be able to test.... But I thought I would pass it along for others experiencing it. Coming from the primary.docobjects database. select snapchatter.rowid, index_snapchatterusername.rowid, snapchatter.userId, index_snapchatterusername.username from snapchatter join index_snapchatterusername on snapchatter.rowid = index_snapchatterusername.rowid (edited)
4:43 PM
I'm trying to work on a custom artifact for AXIOM which will put these together- Even if it's parsed correctly and does display usernames, this artifact / query could be helpful when taking this data and comparing it with cloud returns when also sometimes all you get is a GUID. (edited)
Salute 3
dcs453
It's rare I get a hit with PA's malware scanner. I do get frequent hits with Windows Defender when compressing the report using 7zip. (edited)
Bill (VeriFi) 1/8/2023 4:48 PM
Interesting, I’ll try that.
Bill (VeriFi)
Interesting, I’ll try that.
dabeersboys 1/8/2023 4:51 PM
Please let me know if it works for you! It still needs some testing.
Yuri Gubanov (Belkasoft)
How old is the file?
2019
Salute 1
saltyduck
Sorry if this is a daft question but how does @Cellebrite link the messages in ChatSearchV5 to a contact? I'm assuming it's using column 'c1contact' in the db however it looks encoded and I can't find the link to the contact in question?
CLB_iwhiffin 1/8/2023 10:51 PM
If I remember correctly (and I’m not 100% I do, and can’t check at the minute) it’s just base64 which results in a number as hex but you ignore the first byte. So for example; gRUWKHmSTw is 81 15 16 28 79 92 4f. Then ignore the 81 to leave 15 16 28 79 92. In this case the account number is 1 516 287 9924 (edited)
👆 1
👍 3
dabeersboys
I have seen in several cases in PA and Axiom where when parsing Snapchat Messages, sometimes the usernames don't appear and you only get a GUID. Some friends were asking about this, and I wrote a query that shows the Username to the Associated GUID. Of course I don't have any active cases or previously processed cases still on my computer that have this issue and it was Friday evening when I wrote this for them to be able to test.... But I thought I would pass it along for others experiencing it. Coming from the primary.docobjects database. select snapchatter.rowid, index_snapchatterusername.rowid, snapchatter.userId, index_snapchatterusername.username from snapchatter join index_snapchatterusername on snapchatter.rowid = index_snapchatterusername.rowid (edited)
Hi, what is the version of PA you are using? 7.58 included fixes for contacts parsing including the usernames and shouldn't have this issue. (edited)
Good Morning @Cellebrite .. anyone available?
fferreira
Good Morning @Cellebrite .. anyone available?
CLB-LoukaO 1/9/2023 2:11 AM
I can give it a try or at least redirect you to someone.
forensicgeek 1/9/2023 5:59 AM
Good Afternoon. I have attempted to recover the data from a Huawei MAR-LX1a with XRY but get the blob issue and can't brute force the unknown code. I have now switched to trying with Oxygen. Oxygen has recovered the data. However, it is still encrypted. I am prompted with a passcode required and Passware Kit Mobile when attempting to decode, and I have selected 6 digit passcode. It's been running for 30-40 mins and not attempted a single code. This is my first time using Oxygen, so if there is anything I'm missing please let me know, unless like XRY this is one that can't be bypassed due to the new encryption. Thanks in advance. (edited)
Hello, I have an iPhone with that app "WhatsAgain". It is available on the Apple App store and claims to allow users to have multiple WhatsApp accounts on a single device. Does anyone know any technical details about this app? Both Cellebrite and Axiom were unable to decode anything
From the @Magnet Forensics side, is it possible to see evidence of photo deletion from an iPhone? I believe there is evidence of this in the photos sqlite db.
Murst
From the @Magnet Forensics side, is it possible to see evidence of photo deletion from an iPhone? I believe there is evidence of this in the photos sqlite db.
@ScottKjr3347 is the photos.sqlite expert 🙂 Missing rows can indicate something. But you will need an exact date time, that you think something got deleted? (edited)
forensicgeek
Good Afternoon. I have attempted to recover the data from a Huawei MAR-LX1a with XRY but get the blob issue and can't brute force the unknown code. I have now switched to trying with Oxygen. Oxygen has recovered the data. However, it is still encrypted. I am prompted with a passcode required and Passware Kit Mobile when attempting to decode, and I have selected 6 digit passcode. It's been running for 30-40 mins and not attempted a single code. This is my first time using Oxygen, so if there is anything I'm missing please let me know, unless like XRY this is one that can't be bypassed due to the new encryption. Thanks in advance. (edited)
Oxygen Forensics 1/9/2023 8:22 AM
Hello! From the looks of it is a new encryption. We are actively working on adding support for it 🙂
florus
@ScottKjr3347 is the photos.sqlite expert 🙂 Missing rows can indicate something. But you will need an exact date time, that you think something got deleted? (edited)
Yup This is the query I was specifically looking at: https://raw.githubusercontent.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries/main/iOS15/iOS15_LPL_Phsql_RecentlyDeleted.txt just not sure if magnet exposes those records
Murst
Yup This is the query I was specifically looking at: https://raw.githubusercontent.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries/main/iOS15/iOS15_LPL_Phsql_RecentlyDeleted.txt just not sure if magnet exposes those records
cScottVance 1/9/2023 8:28 AM
We do expose those records as part of the Photo Media Information artifact.
💯 1
TY! That got me to the column I was struggling to find!
Oxygen Forensics
Hello! From the looks of it is a new encryption. We are actively working on adding support for it 🙂
forensicgeek 1/9/2023 8:38 AM
Thank you for the reply. I hope there is a breakthrough soon. Seem to be getting a fair few of them recently.
Anyone from Cellebrite for a quick question regarding "Carve locations" greyed out when importing a GK extraction? We have 3 machines and on the two of them it is not possible to select "Carve Locations". All running the latest versions. Is it a setting somewhere or what can be the issue? Thaaanks in advance
CLB_iwhiffin
If I remember correctly (and I’m not 100% I do, and can’t check at the minute) it’s just base64 which results in a number as hex but you ignore the first byte. So for example; gRUWKHmSTw is 81 15 16 28 79 92 4f. Then ignore the 81 to leave 15 16 28 79 92. In this case the account number is 1 516 287 9924 (edited)
I'll be damned. Thank you so much for helping out 🙂
Hexordia released a free tool for monitoring real-time Sysdiagnose Logs which may be helpful in testing. More info here https://www.hexordia.com/blog-1-1/introsysdiagnosemonitoringtool
A new functionality known as Sysdiagnose Logs was introduced with the 2016 release of iOS 10, Apple's premier mobile operating system. Forensic digital investigators continue to value the Sysdiagnose feature for a variety of reasons: • Log serves as one more data source to look into • Log may be a
Salute 5
👍🏻 2
🔥 3
Hello ! anyone had to deal with tempfileforshare files ?
6:31 AM
I believe it's the default name for a screenshot from an android device but don't find anything about it
Anyone had success with Wickr passwords? I have an Android full file system via 4PC of an S20. I get prompted in PA for a password and tried loads. I've looked at articles and a script and still can't get it to crack the password, as the kcd file isn't there. Any advice would be appreciated.
4N6Matt
Anyone had success with Wickr passwords? I have an Android full file system via 4PC of an S20. I get prompted in PA for a password and tried loads. I've looked at articles and a script and still can't get it to crack the password, as the kcd file isn't there. Any advice would be appreciated.
Is there any Wickr database in the FFS? PA got me confused last week, prompting for a password, thinking there was something to decrypt, but the Wickr dbs weren't even around after I took a peek. I tried all 4 5 6 7 8 digits first, before finding out lol. It was a freshly installed, never used Wickr app. (edited)
@florus I can see a wickr.db, wal and shm. They are not very big but they are there.
OK, different indeed.
Has anyone had the problem with Cellebrite PA, when doing generic carving and then generating a UFDR report, that the ufdr file becomes very big? The original file savings are about 80 GB. The ufdr increases up to 800 GB and more. A ticket at Cellebrite is still open. (edited)
tost
Has anyone had the problem with Cellebrite PA, when doing generic carving and then generating a UFDR report, that the ufdr file becomes very big? The original file savings are about 80 GB. The ufdr increases up to 800 GB and more. A ticket at Cellebrite is still open. (edited)
Had it with a pdf and it ended up being about 600gb. Support is the best bet. I think at the time we narrowed it down to the timeline data type and had to exclude that from the pdf. I normally start by generating a report with data types from left, then right, top half of which ever is still crashing then one at a time. Yes it takes a while but you can often figure out what data type is causing it. Probably an obscure character or something kicking it out.
puppetpockets 1/11/2023 5:59 PM
Locked Moto G Pure. Where is the best place to start for unlocking/extracting data from the device? Looking around and XRY physical seems like an option (is this only for law enforcement?) Any advice helps. (edited)
puppetpockets
Locked Moto G Pure. Where is the best place to start for unlocking/extracting data from the device? Looking around and XRY physical seems like an option (is this only for law enforcement?) Any advice helps. (edited)
I do not know this model, but I know Oxygen supports some MT6762 models; you could give it a try. I guess it depends on your country, but XRY is also for private experts here.
4JSN6🇬🇧 1/12/2023 2:03 AM
Hi @Cellebrite , know this may be an obvious answer but thought I’d double check. Could you give specific context around what the “Phone Activation Time” may be? Is this when the phone was originally setup, or when it was most recently setup after wiping by the user?
4N6Matt
Had it with a pdf and it ended up being about 600gb. Support is the best bet. I think at the time we narrowed it down to the timeline data type and had to exclude that from the pdf. I normally start by generating a report with data types from left, then right, top half of which ever is still crashing then one at a time. Yes it takes a while but you can often figure out what data type is causing it. Probably an obscure character or something kicking it out.
Did you have the phenomenon that documents have a size of 100 GB and more? Only documents and video files are included more. (edited)
good morning, anyone from @Cellebrite available for a quick chat about PA not processing signal
📬 1
Anyone from @Oxygen Forensics available for a lively debate and query?
Zhaan
Anyone from @Oxygen Forensics available for a lively debate and query?
Oxygen Forensics 1/12/2023 3:33 AM
Hello! Of course. I will DM you 🙂
Oxygen Forensics
Hello! Of course. I will DM you 🙂
Excellent news, prepare yourself!
😁 1
🤣 2
4N6Matt
Anyone had success with Wickr passwords? I have an Android full file system via 4PC of an S20. I get prompted in PA for a password and tried loads. I've looked at articles and a script and still can't get it to crack the password, as the kcd file isn't there. Any advice would be appreciated.
CLB_iwhiffin 1/12/2023 8:01 AM
There was recently a PA bug related to the Wickr passwords brute forcer. Should be fixed in the next release.
Salute 1
@Cellebrite is something wrong with the community portal ? got "This username does not exist." on login
RS
@Cellebrite is something wrong with the community portal ? got "This username does not exist." on login
No issues for me logging in
Original message was deleted or could not be loaded.
CLB-dan.techcrime 1/12/2023 8:26 AM
I'm assisting
Good day all. I have an iPhone 13 parsed and carved in Axiom, and I also loaded it into PA 8. I have found 7 deleted Instagram chat messages in PA but I cannot find any of them in Axiom. Has anyone come across this before? These messages might be helpful in an attempted murder case; any help would be greatly appreciated.
4JSN6🇬🇧
Hi @Cellebrite , know this may be an obvious answer but thought I’d double check. Could you give specific context around what the “Phone Activation Time” may be? Is this when the phone was originally setup, or when it was most recently setup after wiping by the user?
First activation (completing/finishing/skipping the setup wizard) after the most recent factory reset, be it fresh from factory or after a wipe by the user. (edited)
👍 3
Anyone having issues with @Cellebrite PA Media Classification being greyed out? It's happening to a colleague while mine has been fine. Trace window looks identical on start up and we're both running 7.59.1.16
HTCG_James
Anyone having issues with @Cellebrite PA Media Classification being greyed out? It's happening to a colleague while mine has been fine. Trace window looks identical on start up and we're both running 7.59.1.16
CLB_4n6s_mc 1/12/2023 3:09 PM
Hi James, he needs to check his Cellebrite services (Cellebrite Iman / Cellebrite openvino). I think one of them should not be started. If the issue is continuing, then uninstall Physical Analyzer and reinstall it.
CLB_4n6s_mc
Hi James, he needs to check his Cellebrite services (Cellebrite Iman / Cellebrite openvino). I think one of them should not be started. If the issue is continuing, then uninstall Physical Analyzer and reinstall it.
We have reinstalled PA and media classification is working again. (Cellebrite_ufed_iman / Cellebrite_ufed_openvino are both still running in task manager though). Thanks
Hello guys, I was wondering if there is better documentation for the Python interface of Cellebrite PA than the one included in Cellebrite help, because a lot of stuff is actually missing in there. Maybe @Cellebrite can help me? (edited)
Arcain
@Cellebrite any chance you'll add Huawei Notepad app parsing (com.example.android.notepad) to PA one day? It's a single SQLite db file (edited)
@Cellebrite Still no parsing for Huawei Notepad? Anyone has a good SQLite manager model for this app? Or a plugin? I built a model but I'm not pleased with it (on a previous extraction I had the table named "contents" and now I don't have it; plus that I couldn't show the attachments of the notes in the same view with the notes).
CLB-ChenK
First activation (completing/finishing or skipping the setup wizard) after the most recent factory reset, be it fresh from factory or after a wipe by the user (edited)
4JSN6🇬🇧 1/13/2023 1:41 AM
Thanks!
Hi, is it possible to get the original file path from Samsung gallery3d cache images (named like "-12345678910.0")? Can't find any link in the local.db
SubnetterOne 1/13/2023 6:28 AM
@nicnic I am on the same hunt and from everything I've researched there doesn't seem to be anything useful beyond the thumbnails themselves. The names of the thumbnails are encoded, which is what you assisted me with last week. I am still researching and will share if I do find something... please do the same (edited)
SubnetterOne
@nicnic I am on the same hunt and from everything I've researched there doesn't seem to be anything useful beyond the thumbnails themselves. The names of the thumbnails are encoded, which is what you assisted me with last week. I am still researching and will share if I do find something... please do the same (edited)
Yes, as far as I understand it's a one-way function involving the original file name (we can extract this from the db) but it also involves the "last modified" attribute (probably because outdated thumbnails are worthless for the application)... and we don't have these last modified timestamps
SubnetterOne 1/13/2023 6:37 AM
yeah... one example I read about, if a physical extraction is on hand, is to find what the default size for the pictures taken by the device camera is and then use that to carve the hex... but I have not been able to effectively achieve that from a device extraction (edited)
Good idea but my 2 cases are FBE, so no carving unfortunately
SubnetterOne 1/13/2023 6:50 AM
same here 😭
I'm working a distracted driving case and the musically app "TikTok" has records at the time of the crash: Activity Type: Siri_Suggest_Hot_Homepage. The big question is, can we tell if the person interacted with the phone verbally, manually, or not at all and it's an automatic process? @Cellebrite (edited)
GRIZZ
I'm working a distracted driving case and the musically app "TikTok" has records at the time of the crash: Activity Type: Siri_Suggest_Hot_Homepage. The big question is, can we tell if the person interacted with the phone verbally, manually, or not at all and it's an automatic process? @Cellebrite (edited)
Peacekeeper 1/14/2023 2:47 AM
Do you have an FFS extraction? And what timeframe are we talking about accident --> FFS dump? If it is quite soon after, or you have a sysdiagnose file that is shortly after, you can analyze the logfiles. Every touching event is recorded in the unified logs, but I think it's only available for 24-48 hrs (not sure). Feel free to DM me (and let me know you've sent a DM) and I can help you further with this. I've done a lot of distracted driver cases the past few years and have gotten pretty good at it (edited)
@Peacekeeper But in one of my old cases I had between 2 and 3 weeks of recording. The analysis of unified logs is difficult because it is very precise: so, excellent idea!
rico
@Peacekeeper But in one of my old cases I had between 2 and 3 weeks of recording. The analysis of unified logs is difficult because it is very precise: so, excellent idea!
Peacekeeper 1/14/2023 5:04 AM
yeah, true. But the unified logs are extremely detailed, but some parts (like the Touching events) are only stored shortly. I have had cases in which the unified logs were still present, but the touching events were already purged unfortunately. But if you are swift enough with a FFS (to rebuild a logarchive), or at least creating the sysdiagnose and exporting this afterwards, you have gold in your hands in these cases. Device orientation, bluetooth connections, touching events, display events, most likely even more. There is so much information to gather from the unified logs. In regards to the sysdiagnose: pre-iOS 16 the sysdiagnose came with a FFS dump. Since iOS 16 quite a few logs are purged by activating the developer mode.
@Peacekeeper Thank you very much for this information! I admit that you have taught me things! It's always a pleasure to chat
chrisforensic 1/14/2023 7:41 AM
heyho folks at @Cellebrite, why is the thumbnail-cache sometimes not loaded into memory even though it is set in the settings? latest PA, 128 GB RAM (edited)
chrisforensic 1/14/2023 8:11 AM
next phone... thumbnail-cache is loaded in memory
James Pedersen 1/14/2023 6:38 PM
Hi folks, does anyone know how to convert the session_data blobs in the 'tab_sessions' database of the iPhone Safari BrowserState.db into a human-readable format?
James Pedersen 1/14/2023 8:59 PM
@Peacekeeper Do you have any idea of how I could obtain the salt that the logging process uses for redaction when printing mDNSResponder logs? When the logging process is printing mDNSResponder logs to the Console, my understanding is that it takes salt+data and then hashes that and then prints the resulting hash to the Console in the form of something like: %{private, mask.hash}.P <HASH> [1] Do you know of any method for obtaining the salts (from a jailbroken iPhone) that get used for something like this? Thank you, James Pedersen Sources: [1] https://opensource.apple.com/source/mDNSResponder/mDNSResponder-1310.80.1/mDNSCore/mDNSDebug.h.auto.html
James Pedersen
@Peacekeeper Do you have any idea of how I could obtain the salt that the logging process uses for redaction when printing mDNSResponder logs? When the logging process is printing mDNSResponder logs to the Console, my understanding is that it takes salt+data and then hashes that and then prints the resulting hash to the Console in the form of something like: %{private, mask.hash}.P <HASH> [1] Do you know of any method for obtaining the salts (from a jailbroken iPhone) that get used for something like this? Thank you, James Pedersen Sources: [1] https://opensource.apple.com/source/mDNSResponder/mDNSResponder-1310.80.1/mDNSCore/mDNSDebug.h.auto.html
Peacekeeper 1/15/2023 2:09 AM
No sorry, that is beyond my knowledge. Maybe someone else here knows
Someone just released a tool on Reddit to parse iMessage conversations. I haven't yet compared it to tools like Cellebrite's or Magnet's implementation but this looks pretty promising for cleaning up some of the existing issues: https://github.com/ReagentX/imessage-exporter
Any response from @Cellebrite or MSAB on the software and documentation that’s been uploaded to DDoSecrets?
3:56 AM
Through the action of a whistleblower who remains anonymous, the organization Enlace Hacktivista publishes 1.7 TB of internal data of the Israeli company
LordUlthar
Any response from @Cellebrite or MSAB on the software and documentation that’s been uploaded to DDoSecrets?
that's just setup files + documentation you can download from customer portal for both tools, can hardly call it a leak (edited)
What else do you call information that is not usually available publicly being made public?
Not sure, but it doesn't contain any internal documentation or tools, any exploits etc., and everything important in those tools is encrypted regardless
chrisforensic
heyho folks at @Cellebrite why is the thumbnail-cache sometimes not loaded into memory even though it is set in the settings ? latest PA, 128 GB RAM (edited)
CLB-DannyTheModeler 1/16/2023 4:35 AM
Hey Chris, we limit the thumbnail cache to 300MB, if it is larger than that we don't load it to memory. We can look at fixing this in a future release by making it relative to the machine's total memory.
House Whiskey 1/16/2023 5:36 AM
Hey all, I'm dealing with a wiped iPhone and looking for signs of Twitter usage. I've found a 'TwitterFramework.axbundle' in System/Library/AccessibilityBundles/TwitterFramework.axbundle
5:37 AM
It's in there with a bunch of other system files so looks pretty out of place as a third party app. Had a little look around online but can't seem to find anything related. Anyone know what this library is used for or can point me to some reading?
@Cellebrite @Magnet Forensics in reading through here I have found a bunch of questions looking for alternative tools for .ldb files. Android specifically seems to use these file extensions for a useful bit of information, the FCM queue. Are either PA or Axiom going to have the ability to parse and present this data? It is primarily plain text scrolling through but that's just painful for reading. Microsoft Access doesn't read the ldb files from my experience.
Palazar82
@Cellebrite @Magnet Forensics in reading through here I have found a bunch of questions looking for alternative tools for .ldb files. Android specifically seems to use these file extensions for a useful bit of information, the FCM queue. Are either PA or Axiom going to have the ability to parse and present this data? It is primarily plain text scrolling through but that's just painful for reading. Microsoft Access doesn't read the ldb files from my experience.
cScottVance 1/16/2023 7:04 AM
Axiom has added a LevelDB viewer within the more recent versions to allow you to manually review and recover this information. LDB or .LevelDB files both should be recognized within the file system explorer of Axiom when selecting the file. We are also continuing to work on parsing more data from artifacts that use the storage format, such as Microsoft Teams.
I will have to reparse this, started this exam in August so have not updated to 6.9 for the exam. I will give that a go.
Anyone know of a way to take a WhatsApp export, in .txt format and get it into the standard bubble left and right chat format? I'm sure there was a script that could do it but I can't remember who wrote it. Edit. I found this https://whatsapp-chat-parser.netlify.app/ It does a really good job of parsing the .txt file but there is no export option. Print to PDF works, kind of. (edited)
I am searching a phone in PA for evidence of cheating and was wondering if anyone could point me to a keyword list for intimate language I can run as a search?
Just a quick heads up for Cellebrite Physical Analyzer users: in recent versions of PA you have been able to click around in the background while exporting data, BUT it can stop the export from completing successfully yet reports it as being successful. This has been reported to @Cellebrite and it has been escalated. I spotted it yesterday while exporting from Images in the C4All format and did a search in the images section at the same time, so I don't know if it also happens anywhere else whilst exporting is going on. DM if you need to know more!
Hello Colleagues, I am currently analyzing photos from an iPhone 11 Pro with iOS 16.0.2. There are in particular 9 photos in question. We found that these pictures were taken 15 min AFTER the actual incident. The 9 photos are named from IMG_6194.HEIC to IMG_6202.HEIC according to the iOS photo structure. The first picture before these 9 pictures is named IMG_6184.HEIC, which means that we are missing 9 pictures which have been deleted. These pictures have not been recovered, maybe because the pictures are from before March 2020. There are no thumbnails to be found either for these missing pictures. Here is my question, and maybe it is something that @ScottKjr3347 can assist with 🙏: Where in the Photos.sqlite would I be able to find traces of these missing 9 photos? I am particularly interested in date, time and locations. Also, can I see somewhere in the database when they got deleted?
ScottKjr3347 1/17/2023 5:58 AM
Unless you have acquired the device data immediately after a deletion, it's unlikely you will find data in the Photos.sqlite WAL or free space related to the deletion. Using Photos.sqlite, have you conducted a ZASSET > Z_PK analysis to make sure you are correct about missing db entries? I would check to see if any of the files captured were burst photos. This can cause the appearance that file names have been skipped. Is the device using iCloud Photos? I would attempt to acquire the iCloud Photos sync data; you might get lucky with recovering some of the deleted files. You can also check to see if there are other devices using the same Apple ID. Maybe a sync has occurred and the missing files were not removed/deleted from the other synced devices. Another area of analysis you might consider would be the Shared with You Syndication Photos.sqlite. If a user shared (via Apple Messages) a local photo library asset prior to deleting it, there might be original file name data that corresponds to the deleted/missing file name(s) you are looking for. (edited)
SubnetterOne 1/17/2023 6:06 AM
It looks like the devices only keep track of known networks, providing a last connected and a last autoconnected (if that is enabled for the network). Bluetooth on the other hand appears to keep track of all seen devices. I would like to assume that Android also works like this, but this is what I see on iOS. *I see iOS also recognized the (randomized identifiers seen). (edited)
SubnetterOne 1/17/2023 6:31 AM
That would be an interesting read, if you still have it send it my way. Back to the Guest_Access... got to remember that wifi could potentially reach 350 - 450 feet... the device may have seen it and tried connecting (if it's a known network in the past or if the user tried to connect to it) but range was way too far to accomplish the handshake. Does that entry have a "last connected" by chance? Is it Android or iOS that you are looking at? *The user could have been potentially trying to mask their IP by trying to connect to the "Guest_Access" network which was far away... if you don't have a last_connect for it: no MAC, no connection (edited)
Sørensen
Hello Colleagues, I am currently analyzing photos from an iPhone 11 Pro with iOS 16.0.2. There are in particular 9 photos in question. We found that these pictures were taken 15 min AFTER the actual incident. The 9 photos are named from IMG_6194.HEIC to IMG_6202.HEIC according to the iOS photo structure. The first picture before these 9 pictures is named IMG_6184.HEIC, which means that we are missing 9 pictures which have been deleted. These pictures have not been recovered, maybe because the pictures are from before March 2020. There are no thumbnails to be found either for these missing pictures. Here is my question, and maybe it is something that @ScottKjr3347 can assist with 🙏: Where in the Photos.sqlite would I be able to find traces of these missing 9 photos? I am particularly interested in date, time and locations. Also, can I see somewhere in the database when they got deleted?
if the accident happened less than a week ago, and iCloud Photo sync is enabled, you can get a look at iCloud Photos, as Cellebrite Cloud Analyzer can recover some deleted photos (up to a month, but rare) on Apple's servers. (edited)
@Cellebrite Hello. I'm hoping you can help me with something. I am investigating a phone where the SnapChat app has been deleted. PA has returned a number of videos/images on a global search for 'SnapChat' based on the 3rd party image classifications - one of the iOS Classifications is 'SnapChat'. The images are in the DCIM, but I'm wondering if they were saved from the SnapChat gallery prior to the app being deleted. Do you know if this iOS Classification is generated because iOS *knows* it's from SnapChat (i.e. file signature / something else it has identified), or because it *thinks* it's from SnapChat (i.e. best guess on its contents)? Thanks
GMP12251
@Cellebrite Hello. I'm hoping you can help me with something. I am investigating a phone where the SnapChat app has been deleted. PA has returned a number of videos/images on a global search for 'SnapChat' based on the 3rd party image classifications - one of the iOS Classifications is 'SnapChat'. The images are in the DCIM, but I'm wondering if they were saved from the SnapChat gallery prior to the app being deleted. Do you know if this iOS Classification is generated because iOS *knows* it's from SnapChat (i.e. file signature / something else it has identified), or because it *thinks* it's from SnapChat (i.e. best guess on its contents)? Thanks
CLB_4n6s_mc 1/17/2023 9:10 AM
Hi, I would investigate in depth in the photos.sqlite db. It should help you. You have interesting iOS SQLite info here: https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql
9:10 AM
As many of you are aware, I recently updated my Photos.sqlite queries. Since releasing the different query iterations, I have received several questions about how I was able to decode the data incl…
9:11 AM
I think you should see Albums with SNAPCHAT as the album name that should help you.
Deleted User 1/17/2023 9:28 AM
Nerd cop trying not to fall too far down the rabbit hole. - ScottKjr3347
@Cellebrite - why isn't FB Messenger parsing from iOS? Thought this was fixed in 7.60?
Anyone familiar with Dark Box (photo vault app) and decryption of it :)?
Does anyone have more info on newbatterystats? I couldn't find if ALEAPP decodes the data from there. I am interested in understanding the file a bit better, but I can't figure out where to start tbh.
Deleted User 1/18/2023 7:14 AM
aleapp has a script that parses battery usage artifacts (see the script), see if this is what you are looking for.
@Magnet Forensics I keep getting an error that causes Axiom Examine to crash while categorizing images. It happens across multiple cases. This is the error and then Examine closes. I am running v 6.9.0.24051. (edited)
FullTang
@Magnet Forensics I keep getting an error that causes Axiom Examine to crash while categorizing images. It happens across multiple cases. This is the error and then Examine closes. I am running v 6.9.0.24051. (edited)
chriscone_ar 1/18/2023 8:29 AM
Mind if I send you a DM so we can try a couple of troubleshooting steps?
chriscone_ar
Mind if I send you a DM so we can try a couple of troubleshooting steps?
Please do!
thatboy_leo 1/18/2023 9:14 AM
Anyone noticed sms.db has some messages stored in the attribute body and not the text column? Not sure if this was a change for iOS 16
thatboy_leo
Anyone noticed sms.db has some messages stored in the attribute body and not the text column? Not sure if this was a change for iOS 16
on reveal, what is a Biome message?
Heimdall4N6K 1/18/2023 10:22 AM
www.doubleblak.com https://www.doubleblak.com/m/blogPosts.php?id=27 may be useful?
beamar
on reveal, what is a Biome message?
Heimdall4N6K 1/18/2023 10:26 AM
Biome artefacts are included in iLEAPP. (edited)
Could be an edited message. Check out if you have more versions of the message in the "message_summary_info" column, or in the decoded message (in Analyzed Data) you can check if the "Go To" button leads you to another message
Has anyone decoded Antiland for iOS?
Has anyone looked into the Hidden photo album on iOS 16 at all? We have one with a FaceID lock, can this be removed? Would these be retrieved by a FFS?
Corey
Has anyone looked into the Hidden photo album on iOS 16 at all? We have one with a FaceID lock, can this be removed? Would these be retrieved by a FFS?
thatboy_leo 1/19/2023 5:36 AM
Haven’t had an issue with an advanced logical finding it with a test phone, it’s just difficult because I couldn’t filter with PA to specific album
thatboy_leo
Haven’t had an issue with an advanced logical finding it with a test phone, it’s just difficult because I couldn’t filter with PA to specific album
thatboy_leo 1/19/2023 5:37 AM
For example, I added a photo to hidden album using Face ID, ran extraction and found it located after loading to PA
5:37 AM
I’m not sure if there’s an easier way to locate the album specifically though
Ah fair enough, wasn't sure if they had started locking them down a bit more since they added the biometric locks
Hidden photos require the PIN to unlock the phone but can be set up to use FaceID instead. Therefore it would make sense to me that they would be pulled with a FFS or advanced logical but not an AFU.
thatboy_leo 1/19/2023 5:39 AM
The above also applies to Recently Deleted with Face ID enabled, no issues locating it with test data
Locked notes require a password, they don’t default to the user PIN. Those passwords can be attacked by extracting the hash and using JTR or Hashcat.
thatboy_leo 1/19/2023 5:41 AM
If anyone could test, I noticed I had some issues with locked notes using Face ID, where it did not decode inputting the devices passcode, only if it was a custom pin
5:41 AM
Not sure if that was user error but I found it strange
Has anyone had issues with PA crashing when trying to parse Snapchat from an iOS FFS extraction? Tried PA 7.59 and PA Ultra 8.1.0.1 @Cellebrite (edited)
Has anyone come across a good white paper to explain messages marked for deletion with iOS?
7:17 AM
The scenario is an iMessage convo string. GK extraction and Cellebrite parsing. My goal is to identify when the string was marked to be deleted.
7:17 AM
It is not clear yet in the .db tables where this value may be.
trying to repair this AVI file for an assignment; tried to fix the header of the file but don't quite have the experience to do it. Any tips?
Toast()
trying to repair this AVI file for an assignment; tried to fix the header of the file but don't quite have the experience to do it. Any tips?
it seems like the file index is broken. https://github.com/itsKaspar/tomato have a look at that, it's a script to mess with AVI files, probably will get you clues to clean it 😉
CLB-LoukaO
it seems like the file index is broken. https://github.com/itsKaspar/tomato have a look at that, it's a script to mess with AVI files, probably will get you clues to clean it 😉
thank you will take a look at this
11:50 AM
how did you discover that the index was broken?
just opened it in a VM with VLC.
Toast()
thank you will take a look at this
or there's always the new guy 😉
CLB-LoukaO
just opened it in a VM with VLC.
oh right and yeah that was my first port of call no luck
11:53 AM
thanks
CLB-ChenK
Could be an edited message. Check out if you have more versions of the message in the "message_summary_info" column, or in the decoded message (in Analyzed Data) you can check if the "Go To" button leads you to another message
thatboy_leo 1/19/2023 11:58 AM
Will see if I can look further, this message in particular wasn’t edited, though I noticed other messages are more often having links, other people seem to say do not disturb plays a factor. Cheers
Toast()
oh right and yeah that was my first port of call no luck
So I couldn't resist, it seems like the end-of-image markers are missing
CLB-LoukaO
So I couldn't resist, it seems like the end-of-image markers are missing
oh right, no idea what they are. I'm guessing something that states the video ends here? how did you find that?
Toast()
oh right, no idea what they are. I'm guessing something that states the video ends here? how did you find that?
checked on the file. A JPEG frame starts with FFD8 and ends with FFD9 https://github.com/corkami/formats/blob/master/image/jpeg.md
CLB-LoukaO
checked on the file. A JPEG frame starts with FFD8 and ends with FFD9 https://github.com/corkami/formats/blob/master/image/jpeg.md
ok that makes sense, got plenty of reading to do
Toast()
ok that makes sense, got plenty of reading to do
ffmpeg -i input.avi -c copy output.mp4 did the trick. not sure about the result, but you can at least compare the files and understand
12:19 PM
next time, there's a #training-education-employment channel 🙂
CLB-LoukaO
ffmpeg -i input.avi -c copy output.mp4 did the trick. not sure about the result, but you can at least compare the files and understand
strange, it doesn't seem to open still, but further than I was before. thanks for the tips
thatboy_leo
I’m not sure if there’s an easier way to locate the album specifically though
You can search for "Hidden by user" https://youtu.be/0P99JtosYXk
Oscar
Have anyone had issues with PA crashing when trying to parse Snapchat from an iOS FFS extraction? Tried PA 7.59 and PA Ultra 8.1.0.1 @Cellebrite (edited)
We have the same problem in region öst, our colleague made a case with cellebrite support
Hi! I have an iPhone with pictures in Keepsafe. Tried to parse with Axiom but got nothing. I'm thankful for any pointers that you can give me.
callzor
Hi! I have an iPhone with pictures in Keepsafe. Tried to parse with Axiom but got nothing. I'm thankful for any pointers that you can give me.
I had some devices with this app, usually pictures are not encrypted by the app. An FFS extract gives you the content (edited)
data_grizzly 1/20/2023 9:34 AM
Happy Friday! I hope this is the right area to post this - I have a referral case, client needs an audio expert to take a video created on an Android phone and enhance the audio for clarity. Some of the language is also Hebrew. If you are interested, contact Jim McCarthy at 949-683-2505 with your rate.
Hello, can anyone help me with forensically analysing a mobile app (telegram)?
Andrew
Hello, can anyone help me with forensically analysing a mobile app (telegram)?
DFIR research
Andrew
Hello, can anyone help me with forensically analysing a mobile app (telegram)?
Yuri Gubanov (Belkasoft) 1/20/2023 12:14 PM
We had a webinar on Telegram forensics at https://belkasoft.com/webinar_telegram_messenger
Can anyone help- I have a FFS from a Galaxy A32 for a homicide investigation and there is crucial evidence I need to recover from the Google Voice application. I know Cellebrite (I put in a feature request) and Axiom don't currently have a parser for Google Voice. Does anyone know of any other options for parsing this data or have any experience with it?
chrisforensic 1/20/2023 9:29 PM
@renfantino good morning... as far as I know Oxygen Forensic Detective has listed Google Voice under supported apps, but I never tried... @Oxygen Forensics
renfantino
Can anyone help- I have a FFS from a Galaxy A32 for a homicide investigation and there is crucial evidence I need to recover from the Google Voice application. I know Cellebrite (I put in a feature request) and Axiom don't currently have a parser for Google Voice. Does anyone know of any other options for parsing this data or have any experience with it?
I don’t know if it does, but have you tried ALEAPP?
renfantino
Can anyone help- I have a FFS from a Galaxy A32 for a homicide investigation and there is crucial evidence I need to recover from the Google Voice application. I know Cellebrite (I put in a feature request) and Axiom don't currently have a parser for Google Voice. Does anyone know of any other options for parsing this data or have any experience with it?
CLB_joshhickman1 1/22/2023 6:48 AM
What item(s) are you looking to recover?
6:51 AM
I do know messages are stored in protobuf blobs in LegacyMsgDbInstance.db (~/files/accounts/%ACCOUNT_NUMBER%/). You could use protoc to pull message content from the BLOBs if you're in a hurry and you only have a few to do.
renfantino
Can anyone help- I have a FFS from a Galaxy A32 for a homicide investigation and there is crucial evidence I need to recover from the Google Voice application. I know Cellebrite (I put in a feature request) and Axiom don't currently have a parser for Google Voice. Does anyone know of any other options for parsing this data or have any experience with it?
Oxygen Forensics 1/23/2023 12:10 AM
Hello! As @chrisforensic mentioned we do support this app 🙂 We haven't had a request for it since 2022.04.18.442881662, so something may not get parsed if newer version is used. If you try parsing this app with Oxygen and spot some issues, you can just shoot us a message and we will update our parsing.
Does anyone know if recent GPS records are included in an iPhone backup?
Does Android also have a db where it registers historical sim cards (imsi, iccid, phone number) (edited)
Fierry
Does anyone know if recent GPS records are included in an iPhone backup?
Depends what GPS records you are referring to, and what user activity triggers these, but in general the answer is no. Cache.sqlite only comes with an FFS.
florus
Does Android also have a db where it registers historical sim cards (imsi, iccid, phone number) (edited)
sometimes you find them in telephony.db
florus
Depends what GPS records you are referring to, and what user activity triggers these, but in general the answer is no. Cache.sqlite only comes with an FFS.
Need to determine if a specific person was at a specific place at a point in time
Fierry
Need to determine if a specific person was at a specific place at a point in time
An iTunes backup probably won't serve you well.
Anyone from @Cellebrite free for a quick DM? 😁
JLindmar (83AR) 1/23/2023 9:30 AM
Does anyone know and/or can point me to any current information that details which file system timestamps are retained when an Android and iOS device is backed up using native functions (i.e. iTunes, iCloud, Google Drive/One), as well as which timestamps are restored when a backup is restored? For example, LastModified, LastStatusChange, and Birth are recorded in the Manifest.db of an iTunes backup, but what is recorded in a current iCloud backup, or an Android/Google backup? And do these timestamps restore to a device the same as they are recorded in the backup? (edited)
JLindmar (83AR)
Does anyone know and/or can point me to any current information that details which file system timestamps are retained when an Android and iOS device is backed up using native functions (i.e. iTunes, iCloud, Google Drive/One), as well as which timestamps are restored when a backup is restored? For example, LastModified, LastStatusChange, and Birth are recorded in the Manifest.db of an iTunes backup, but what is recorded in a current iCloud backup, or an Android/Google backup? And do these timestamps restore to a device the same as they are recorded in the backup? (edited)
on iCloud Backups, each record will contain a creation date and a modification date; each of them will (most of the time) be the UTC time when the record was uploaded to the iCloud server.
JLindmar (83AR)
Does anyone know and/or can point me to any current information that details which file system timestamps are retained when an Android and iOS device is backed up using native functions (i.e. iTunes, iCloud, Google Drive/One), as well as which timestamps are restored when a backup is restored? For example, LastModified, LastStatusChange, and Birth are recorded in the Manifest.db of an iTunes backup, but what is recorded in a current iCloud backup, or an Android/Google backup? And do these timestamps restore to a device the same as they are recorded in the backup? (edited)
Feel free to contact me should you wish more info
Does anyone know where in the Telegram database I can find the unique ID for a Telegram username? @Cellebrite is showing a number, but this is the PK number where it gets the username from. (edited)
Hi all, to assist with a debate/discussion. We have a small number of IIOC within the Pictures/.thumbnails folder on a Huawei device. Through the file manager it takes around 4 presses to be able to view them on the device. Would these be classed as accessible or inaccessible, due to the .thumbnails folder being hidden by default?
ApC
Hi all, to assist with a debate/discussion. We have a small number of IIOC within the Pictures/.thumbnails folder on a Huawei device. Through the file manager it takes around 4 presses to be able to view them on the device. Would these be classed as accessible or inaccessible, due to the .thumbnails folder being hidden by default?
Previously the argument may have been that it is difficult to assess the user's expertise in matters of this type, so we have generally gone with inaccessible unless there is evidence the user would or has known how to engage or disable that feature. It is often too easy for us to simply click a switch and expect the public to know that too, BUT at the same time 30 seconds on Google could get you to that point. But that would all be a bone of contention and might split a jury. (edited)
florus
Does anyone know where in the Telegram database I can find the unique ID for a Telegram username? @Cellebrite is showing a number, but this is the PK number where it gets the username from. (edited)
I think it's in the table named "t2"
OggE
I think it's in the table named "t2"
Hi Ogge, in the t2 table I find a key column and a blob (data) where the username persists. The key value does not correspond with the unique Telegram ID (used for OSINT research)...
florus
Hi Ogge, in the t2 table I find a key column and a blob (data) where the username persists. The key value does not correspond with the unique Telegram ID (used for OSINT research)...
I would look in the log files; there is sometimes a little bit more info there
OggE
I would look in the log files; there is sometimes a little bit more info there
Which log files do you mean?
florus
Which log files do you mean?
What type of extraction do you have?
@Cellebrite Got a memory card from a Samsung that I've parsed in PA using the Generic Google profile, which ran fine, and exported the media via C4All (again ran fine), but Griffeye says the XML is corrupt.
6:45 AM
Reviewed the XML and can't see anything wrong, tried the export twice (reparsed twice) and get the same error. Edit: Project VIC 2.0 works, so \o/ (edited)
OggE
What type of extraction do you have?
FFS of an iPhone
7:11 AM
@OggE I'm quite sure that the ID shown by Cellebrite, from t2, is NOT the unique Telegram ID we are after... I wonder if it is even around. But a colleague of mine says in some cases this is the 'number' they use for OSINT research, and it does match... (edited)
florus
FFS of an iPhone
Just got home 🙂, can I get back to you tomorrow?
Of course
Borderbingo 1/24/2023 7:49 AM
After iOS 16, when a message gets recalled and altered, does it show the original message in the SQL?
@Borderbingo Ian W carried out some great research on this... https://doubleblak.com/blogPosts.php?id=27 (edited)
MSAB_Adam
@Borderbingo Ian W carried out some great research on this... https://doubleblak.com/blogPosts.php?id=27 (edited)
Borderbingo 1/24/2023 8:05 AM
Thanks
8:08 AM
Thanks exactly what I needed
James Pedersen 1/24/2023 10:35 AM
Does anyone here know how to decode the redacted data in the logs obtained by running a sysdiagnose command on a jailbroken iPhone? (edited)
Borderbingo
After iOS 16, when a message gets recalled and altered, does it show the original message in the SQL?
cScottVance 1/24/2023 1:11 PM
The text data gets purged out of the sms.db. However, if you want to find what was recalled, there are other sources you can look for. I did a write up on it here: https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
Hi, I got an Honor NTN-LX1 with Android 11 and I have a full file system. I must check the flight mode data: at which time flight mode was switched on and off. I looked in /data/com.android.connectivity.metrics/databases/, /data/com.google.android.gsf/databases/, /data/com.google.android.gms/shared_prefs/CheckIn.xml and other files. I got the sources from a cheat sheet, but the directories or files do not exist in this branded image. The CheckIn.xml seems to be a file for logging the flight-mode-on data... but is there a better way to find complete flight mode data? One database with all information, like the knowledgeC.db on an iPhone. Thx (edited)
Does anyone know if 'show hidden files' is disabled by default on the Huawei P Smart through the native Files app?
tomz
Hi, I got an Honor NTN-LX1 with Android 11 and I have a full file system. I must check the flight mode data: at which time flight mode was switched on and off. I looked in /data/com.android.connectivity.metrics/databases/, /data/com.google.android.gsf/databases/, /data/com.google.android.gms/shared_prefs/CheckIn.xml and other files. I got the sources from a cheat sheet, but the directories or files do not exist in this branded image. The CheckIn.xml seems to be a file for logging the flight-mode-on data... but is there a better way to find complete flight mode data? One database with all information, like the knowledgeC.db on an iPhone. Thx (edited)
I'm no forensic specialist, but when I encounter a situation like this, I usually download all (relevant) files and then search through all files to find what I need
Question about Kik on Android. I have a 'sns-data-tmg' database in the /kik.android/databases directory. It seems to be for storing accounts logged into on that device (I have two accounts my suspect used in a table and not much else). Anyone have better info about what it is or how it's used?
Hi all, I've received a question re Apple Maps. Can anyone tell the difference between the two types "searched" and "visited" within Cellebrite? I assume the Searched type means the user has searched the location using Apple Maps. Visited means the user physically visited this location?
Pacman
Hi all, I've received a question re Apple Maps. Can anyone tell the difference between the two types "searched" and "visited" within Cellebrite? I assume the Searched type means the user has searched the location using Apple Maps. Visited means the user physically visited this location?
Yep, that's the explanation. Visited is referenced to a point of interest Apple creates (no idea why). In my testing the visited was accurate, but this research was over a year ago.
Meaning the user has visited this location physically?
florus
Yep, that's the explanation. Visited is referenced to a point of interest Apple creates (no idea why). In my testing the visited was accurate, but this research was over a year ago.
I'm trying to find any research on this
Pacman
I'm trying to find any research on this
Which table in which database? Cache.sqlite and zrtlearnedlocationvisitmo?
Just found out it's mapssync0.0.1
Oh, then I don't know, I thought you were referring to cache.sqlite.
cScottVance
The text data gets purged out of the sms.db. However, if you want to find what was recalled, there are other sources you can look for. I did a write up on it here: https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
Borderbingo 1/25/2023 8:07 AM
Thanks
Has anyone dealt with the Wishbone app on iOS?
I am playing around with different iOS databases. I was wondering if there is an easy way to parse out the bplists within the database. Using @Cellebrite PA, I can see the bplist and then manually scroll through them with their db viewer. I was just wondering if there was an easy way to search or parse them to review the data more cleanly. @Magnet Forensics Axiom shows me it is bplist, but doesn't allow me to go through the data with their viewer. I exported the db/wal/shm and reviewed it through DB browser, but that didn't help me either. Any suggestions?
sholmes
I am playing around with different iOS databases. I was wondering if there is an easy way to parse out the bplists within the database. Using @Cellebrite PA, I can see the bplist and then manually scroll through them with their db viewer. I was just wondering if there was an easy way to search or parse them to review the data more cleanly. @Magnet Forensics Axiom shows me it is bplist, but doesn't allow me to go through the data with their viewer. I exported the db/wal/shm and reviewed it through DB browser, but that didn't help me either. Any suggestions?
I usually export the blob out of DB browser and just change the extension from bin to plist. Then you can view it with the plist viewer of your choice.
sholmes
I am playing around with different iOS databases. I was wondering if there is an easy way to parse out the bplists within the database. Using @Cellebrite PA, I can see the bplist and then manually scroll through them with their db viewer. I was just wondering if there was an easy way to search or parse them to review the data more cleanly. @Magnet Forensics Axiom shows me it is bplist, but doesn't allow me to go through the data with their viewer. I exported the db/wal/shm and reviewed it through DB browser, but that didn't help me either. Any suggestions?
Just a word of warning. Apple often embeds plists inside other plists, so you may have to repeat the second step to drill down
@chriscone_ar I hadn't used the right click on the table entry and "view as property list (plist)" feature. Thanks for that idea
sholmes
I am playing around with different iOS databases. I was wondering if there is an easy way to parse out the bplists within the database. Using @Cellebrite PA, I can see the bplist and then manually scroll through them with their db viewer. I was just wondering if there was an easy way to search or parse them to review the data more cleanly. @Magnet Forensics Axiom shows me it is bplist, but doesn't allow me to go through the data with their viewer. I exported the db/wal/shm and reviewed it through DB browser, but that didn't help me either. Any suggestions?
chriscone_ar 1/25/2023 9:02 AM
If you'd like to view them in AXIOM, locate the SQLite database you're interested in within the filesystem explorer and select it so that it is rendered in the SQLite viewer. Use the table drop-down menu and select the table of interest, find your associated record and then right-click the field with the embedded plist. There's an option in the menu to view as plist or to save as if you want to export the blob and look at it with another tool.
gh0st1933
Just a word of warning. Apple often embeds plists inside other plists, so you may have to repeat the second step to drill down
chriscone_ar 1/25/2023 9:03 AM
So true! Let's cram several bplists together with some arbitrary length of separation and make it even harder to sort out.
chriscone_ar
So true! Let's cram several bplists together with some arbitrary length of separation and make it even harder to sort out.
Yepppppp. Lol
So the simple answer is... there is no easy way to pull them out; I would need to do each entry manually.
9:04 AM
I guess you could use SQL queries to remove them all, but that would probably be above my skill level.
9:05 AM
And @gh0st1933 @chriscone_ar this DB has an embedded plist within the plist. Bless your heart, Apple
sholmes
So the simple answer is... there is no easy way to pull them out; I would need to do each entry manually.
chriscone_ar 1/25/2023 9:05 AM
You can export the blob. If the blob contains multiple bplists, there's a fun set of steps for manually carving them out using bplist00 to mark the start + the 32-byte trailer to find the end of each one. I've got a couple of custom artifacts for finding them, but it's not effective on db-embedded plists.
Thanks guys. I appreciate the input.
9:09 AM
I might just try searching the hex for the information I am looking for. If I get a hit, then I will start exporting.
sholmes
I am playing around with different iOS databases. I was wondering if there is an easy way to parse out the bplists within the database. Using @Cellebrite PA, I can see the bplist and then manually scroll through them with their db viewer. I was just wondering if there was an easy way to search or parse them to review the data more cleanly. @Magnet Forensics Axiom shows me it is bplist, but doesn't allow me to go through the data with their viewer. I exported the db/wal/shm and reviewed it through DB browser, but that didn't help me either. Any suggestions?
James Pedersen 1/25/2023 11:24 AM
@sholmes I ran into this exact problem recently. I was trying to examine .plist files which I pulled from a BrowserState.db for Safari on a jailbroken iPhone. I tried running "plutil.exe -p" on these exported .plist files on my Windows laptop, but no success. Then I looked at the files, and noticed that some of them (although not all of them) start with a byte sequence similar to NUL NUL STX NUL, and then the text "bplist". About 1/4 of the .plist files that I was trying to examine had this form. What I did was I wrote a script which transformed all of these .plist files by removing the first few bytes from them so that they all started with the text "bplist". And then magically, when I tried running "plutil.exe -p" again on the files which I had transformed this way, all of them printed in a human-readable manner, as long as my CMD.exe's current working directory was the same as the directory on my laptop in which the transformed .plist files were located. I know it's not perfect, but at least with this approach I was able to get 1/4 of the .plist files which I was examining to print in a human-readable manner. (edited)
sholmes
Thanks guys. I appreciate input.
JLindmar (83AR) 1/25/2023 12:03 PM
@sholmes X-Ways Forensics does a pretty good job at extracting BLOBs from SQLite databases, as well as further extracting data embedded in the BLOBs, making them individually viewable/searchable.
JLindmar (83AR)
@sholmes X-Ways Forensics does a pretty good job at extracting BLOBs from SQLite databases, as well as further extracting data embedded in the BLOBs, making them individually viewable/searchable.
Thanks for your response. I don't have access to X-Ways, but we might need to look into it for next year's budget
James Pedersen
@sholmes I ran into this exact problem recently. I was trying to examine .plist files which I pulled from a BrowserState.db for Safari on a jailbroken iPhone. I tried running "plutil.exe -p" on these exported .plist files on my Windows laptop, but no success. Then I looked at the files, and noticed that some of them (although not all of them) start with a byte sequence similar to NUL NUL STX NUL, and then the text "bplist". About 1/4 of the .plist files that I was trying to examine had this form. What I did was I wrote a script which transformed all of these .plist files by removing the first few bytes from them so that they all started with the text "bplist". And then magically, when I tried running "plutil.exe -p" again on the files which I had transformed this way, all of them printed in a human-readable manner, as long as my CMD.exe's current working directory was the same as the directory on my laptop in which the transformed .plist files were located. I know it's not perfect, but at least with this approach I was able to get 1/4 of the .plist files which I was examining to print in a human-readable manner. (edited)
Thanks for the response. I will have to take a look at this method. I might DM you for input, if you don't mind.
sholmes
Thanks for your response. I don't have access to X-Ways, but we might need to look into it for next year's budget
JLindmar (83AR) 1/25/2023 1:59 PM
Ok, I'll look in my software repository for recommendations for free products that will allow for the mass export of BLOBs. The ones I can initially think of will export the primary BLOB(s) in a record, but won't handle BLOBs embedded in that primary BLOB.
sholmes
Thanks for the response. I will have to take a look at this method. I might DM you for input, if you don't mind.
James Pedersen 1/25/2023 3:12 PM
I do not mind 🙂
James Pedersen 1/25/2023 5:01 PM
Hi, does anyone here have any tips for recovering, from a jailbroken iPhone, the URL or top-level-domain of a web page that was viewed on the iPhone in Safari in private browsing mode? (edited)
sholmes
I am playing around with different iOS databases. I was wondering if there is an easy way to parse out the bplists within the database. Using @Cellebrite PA, I can see the bplist and then manually scroll through them with their db viewer. I was just wondering if there was an easy way to search or parse them to review the data more cleanly. @Magnet Forensics Axiom shows me it is bplist, but doesn't allow me to go through the data with their viewer. I exported the db/wal/shm and reviewed it through DB browser, but that didn't help me either. Any suggestions?
ScottKjr3347 1/25/2023 9:15 PM
Try Artex to view the DBs. You can export the DBs & review them individually or load the entire device acquisition. @CLB_iwhiffin has built mushy into Artex, which allows easy viewing of the plists and embedded data. You will have a search capability within mushy for the plists, but I don't think you can do an "all" search; you will need to find the target blobs/plists and search them individually for your target text. As @JLindmar (83AR) suggested, you can use X-Ways to do an all search through the entire acquisition. I've used X-Ways in the past to search across an iPhone acquisition for text in DB blobs/plists. I haven't tested how far down the rabbit hole it will parse and decode to be searchable. I'm currently in the @deleted-role X-Ways course & instructor Hans has shown me so many searching options & settings. Strongly recommend the course if you need a little bit of help with learning how to use the tool to the max.
Heimdall4N6K 1/25/2023 11:53 PM
Hi, does anyone have any information about a WhatsApp DB called ChatSearchV5f.sqlite? Thx
florus
Of course
I did forget
1:15 AM
So for Telegram on iOS there are 3 folders in "private/var/mobile/Containers/Shared/AppGroup/<telegram id>/telegram-data" that I've found interesting: 1. logs, 2. share-logs, 3. notification-logs. Here you can find all sorts of goodies, like sent media, received notifications, updated messages, etc. In the logs the username and user ID are mentioned. @florus (edited)
No worries Ogge, much appreciated.
Hi guys, quick question on iOS artifacts: I am looking at the plist file com.apple.commcenter.data.plist and I see a lot of "mdn" entries with potential MSISDN numbers. What can I say about those numbers? Were those MSISDN numbers active at some point on that particular device? I have a case where I see 5 MSISDN numbers in this plist file but only two numbers show up in the CellularUsage.db database. Thanks for your help.
burgers_N_bytes 1/26/2023 5:20 AM
Is Google Maps search history stored on iPhones or in a Google account?
Cellebrite PA, parsing data: I thought that moving to a Threadripper with 24 logical processors, decoding data in PA would be much faster, with multiple cores showing in high use. Reality: it just idles on 1, maybe 2 logical processors. Am I missing something? Is there somewhere in settings to tell it how much processing power it can use?
goofycom
Hi guys, quick question on iOS artifacts: I am looking at the plist file com.apple.commcenter.data.plist and I see a lot of "mdn" entries with potential MSISDN numbers. What can I say about those numbers? Were those MSISDN numbers active at some point on that particular device? I have a case where I see 5 MSISDN numbers in this plist file but only two numbers show up in the CellularUsage.db database. Thanks for your help.
Is It Done Yet? 1/26/2023 7:41 AM
If I remember correctly, the CellularUsage.db database only stores the current SIM data + 1 or 2 SIM cards' data; everything else drops off the database into free page data, which may be recoverable. So it may be that you can identify the other 3 MSISDNs in the database that you are not able to see with normal SQLite API calls. Have you done the Cellebrite Advanced Smartphone Analysis course? I suggest this open source tool: https://github.com/mdegrazia/SQLite-Deleted-Records-Parser (edited)
Hi everyone. Having just the phone to examine is it possible to tell that a specific message was sent from WhatsApp Web?
thatboy_leo 1/26/2023 8:29 AM
anyone have any video documentation that could help a new user utilize PA sqlite wizard on the latest version of PA?
collusion11 1/26/2023 8:31 AM
Does @Cellebrite PA (7.59.1.16) detect if an iPhone has been jailbroken? Any pointers on artifacts indicating a jailbreak? I have conducted searches for alternative app stores, Cydia etc.; none identified. (edited)
FabianoQ
Hi everyone. Having just the phone to examine is it possible to tell that a specific message was sent from WhatsApp Web?
I think I can remember that it is indicated by an icon in Cellebrite PA, provided you use it. No guarantee for that; it was a while ago. (edited)
FabianoQ
Hi everyone. Having just the phone to examine is it possible to tell that a specific message was sent from WhatsApp Web?
collusion11 1/26/2023 8:40 AM
If you mean only via manual review of the device, I don't. But if you can extract the device and review the SQL DB, have a look at https://discord.com/channels/427876741990711298/545232743353810946/950734267925794836
tost
I think I can remember that it is indicated by an icon in Cellebrite PA, provided you use it. No guarantee for that; it was a while ago. (edited)
Thanks
collusion11
If you mean only via manual review of the device, I don't. But if you can extract the device and review the SQL DB, have a look at https://discord.com/channels/427876741990711298/545232743353810946/950734267925794836
Thanks sir, very useful
CLB-ChenK
Could be an edited message. Check whether you have more versions of the message in the "message_summary_info" column, or in the decoded message (in Analyzed Data) you can check whether the "Go To" button leads you to another message
thatboy_leo 1/26/2023 9:36 AM
So it seems this message is just a normal iMessage, no additional info in message_summary_info. Doesn’t decode in PA if I run a global search for the message
9:36 AM
Only found these messages occurring on iOS 16; the same device with a prior iOS hadn't had this occur
Does anyone have a reference or go-by on connecting cache images from gallery3D to the original file name or any original metadata? It's in reference to a CSAM production/molestation case. Thanks in advance!
thatboy_leo
So it seems this message is just a normal iMessage, no additional info in message_summary_info. Doesn’t decode in PA if I run a global search for the message
PA 7.60 pre-release is out, and should support this weird situation. Please let me know if it's still not decoded in the latest version (or if you don't have access and wish to get it before official release next week) 🙏
CLB-ChenK
PA 7.60 pre-release is out, and should support this weird situation. Please let me know if it's still not decoded in the latest version (or if you don't have access and wish to get it before official release next week) 🙏
thatboy_leo 1/26/2023 11:58 AM
Much appreciated, I just happened to check and can confirm the beta shows these messages. Thank you once again 👍
thatboy_leo
Much appreciated, I just happened to check and can confirm the beta shows these messages. Thank you once again 👍
Happy to hear, thanks for updating!
ScottKjr3347
Try Artex to view the DBs. You can export the DBs & review them individually or load the entire device acquisition. @CLB_iwhiffin has built mushy into Artex, which allows easy viewing of the plists and embedded data. You will have a search capability within mushy for the plists, but I don't think you can do an "all" search; you will need to find the target blobs/plists and search them individually for your target text. As @JLindmar (83AR) suggested, you can use X-Ways to do an all search through the entire acquisition. I've used X-Ways in the past to search across an iPhone acquisition for text in DB blobs/plists. I haven't tested how far down the rabbit hole it will parse and decode to be searchable. I'm currently in the @deleted-role X-Ways course & instructor Hans has shown me so many searching options & settings. Strongly recommend the course if you need a little bit of help with learning how to use the tool to the max.
Thanks for the lead. I forgot all about Artex! I will play with that tomorrow.
Is It Done Yet?
If I remember correctly, the CellularUsage.db database only stores the current SIM data + 1 or 2 SIM cards' data; everything else drops off the database into free page data, which may be recoverable. So it may be that you can identify the other 3 MSISDNs in the database that you are not able to see with normal SQLite API calls. Have you done the Cellebrite Advanced Smartphone Analysis course? I suggest this open source tool: https://github.com/mdegrazia/SQLite-Deleted-Records-Parser (edited)
Cool thanks a lot. I haven't done the Cellebrite Advanced course but I will definitely try the SQLite deleted records parser.
goofycom
Cool thanks a lot. I haven't done the Cellebrite Advanced course but I will definitely try the SQLite deleted records parser.
Is It Done Yet? 1/26/2023 11:30 PM
Cellebrite Advanced covers this exact topic in their course, recovering SIM card data from free pages. Hope you find something insightful!
Hello all, I am asked for the password to decrypt Wickr Me. I created a dictionary and await the outcome. I wanted to understand: is the password that is requested the one set by the actual user? Also, is the application "Threema" supported by Physical Analyzer?
@Cellebrite
manuelevlr
Hello all, I am asked for the password to decrypt Wickr Me. I created a dictionary and await the outcome. I wanted to understand: is the password that is requested the one set by the actual user? Also, is the application "Threema" supported by Physical Analyzer?
Re Wickr: yes, in 7.60, which is in beta, we fixed the password part, as it was broken with a previous version of Wickr. As for Threema, I'll need to check.
CLB-Paul
Re Wickr: yes, in 7.60, which is in beta, we fixed the password part, as it was broken with a previous version of Wickr. As for Threema, I'll need to check.
There is no alternative way to crack Wickr Me's DB, right, other than a dictionary attack?
Are you on Android or iOS?
Android , full file system
sholmes
Thanks for your response. I don't have access to X-ways, but we might need to look into it for next years budget
JLindmar (83AR) 1/27/2023 7:53 AM
Here are some of the other tools I've used in the past to export out BLOBs en masse: https://www.sqliteexpert.com/ with the https://www.sqliteexpert.com/extensions/ (you can modify the example query to export out any BLOB) https://mvmn.wordpress.com/2011/07/13/sqlite-blob-exporter-with-gui/ or via https://github.com/mvmn/sqlite-blob-export plus the SQLite JDBC driver https://github.com/xerial/sqlite-jdbc I would also suggest taking a look at @AlexC's RabbitHole https://www.cclsolutionsgroup.com/forensic-products/rabbithole which is spectacular at navigating/parsing embedded content.
thatboy_leo
anyone have any video documentation that could help a new user utilize PA sqlite wizard on the latest version of PA?
CLB_iwhiffin 1/27/2023 7:58 AM
SQLWizard will be in the next release (8.3) which is scheduled for early Feb
collusion11
Does @Cellebrite PA (7.59.1.16) detect if an iPhone has been jailbroken? Any pointers on artifacts indicating a jailbreak? I have conducted searches for alternative app stores, Cydia etc.; none identified. (edited)
CLB_iwhiffin 1/27/2023 7:59 AM
Yes, it should be in the Extraction Summary page.
FabianoQ
Hi everyone. Having just the phone to examine is it possible to tell that a specific message was sent from WhatsApp Web?
CLB_iwhiffin 1/27/2023 8:01 AM
There is a way... IIRC the ZSTANZAID field of ZWAMESSAGE will start with 3E B0 for messages sent via the web app.
Heimdall4N6K
hi, does anyone have any information about à whatsapp db called ChatSearchV5f.sqlite, thk
CLB_iwhiffin 1/27/2023 8:07 AM
This is an index of the messages sent/received via WhatsApp. PA parses them as "Scrambled Messages" because during the indexing process it removes grammar, removes duplicate words and reorders the words. So if I sent "I think I am almost there", the message saved in the index would be something like "am almost i there think"; there is no logic I've been able to figure out to rebuild the message, but it may still be important as it could potentially include important words. Just be careful with it, as it could change something relatively innocent to something not so... "Would I kill you?" could become "I would kill you". There is more information in the Notebook (microblog available on the Cellebrite Community Portal)
CLB_iwhiffin
SQLWizard will be in the next release (8.3) which is scheduled for early Feb
thatboy_leo 1/27/2023 8:34 AM
Possibly translations come with 8.3, or maybe in the one right after? 🤞
CLB_iwhiffin
Yes, it should be in the Extraction Summary page.
collusion11 1/27/2023 10:20 AM
Thank you. In the absence of an entry referring to jailbreak, is this reliable for it NOT being jailbroken?
Miller280
Does anyone have a reference or go-by on connecting cache images from gallery3D to the original file name or any original metadata? It's in reference to a CSAM production/molestation case. Thanks in advance!
Anybody @Cellebrite that might have some insight on this? Thanks in advance!
collusion11
Thank you. In the absence of an entry referring to jailbreak, is this reliable for it NOT being jailbroken?
CLB_iwhiffin 1/27/2023 4:39 PM
Yes that should be the case
thatboy_leo
possible translations come with 8.3 or maybe in the one right after? 🤞
CLB_iwhiffin 1/27/2023 4:40 PM
Iirc that is for 8.4. I will confirm.
👍 1
Miller280
Anybody @Cellebrite that might have some insight on this? Thanks in advance!
CLB_iwhiffin 1/27/2023 4:41 PM
I’ve done this before but will need to look into it again. Bear with me.
CLB_iwhiffin
I’ve done this before but will need to look into it again. Bear with me.
Thank you!
@Magnet Forensics, is there anyone from Magnet? I need to ask for information. Thank you
manuelevlr
@Magnet Forensics, is there anyone from Magnet? I need to ask for information. Thank you
Hello. I’ll try to answer your question
burgers_N_bytes
Is Google Maps search history stored on iPhones or in a Google account?
James Pedersen 1/28/2023 4:01 PM
I am not certain, but I suspect that if you go to the folder that contains the Application containers, and you run a find command (case insensitive) for "WebKit", you might be able to find the Container folder for the Google Maps application, and in that folder you might be able to find some data that is relevant to what the user searched for in Google Maps. I'm sorry that I'm being vague here. A while ago when I was investigating a matter on a jailbroken iPhone I thought I stumbled on an Application container folder which I suspected was the Google Maps application container folder, and I also think that in that folder I might have found some data that I thought was relevant to something that was searched for in Google Maps by the user of the iPhone. (edited)
burgers_N_bytes 1/28/2023 4:31 PM
No worries on the vagueness, that gives me some direction which is all I needed.
Anyone here who is into "Callhistory.Storedata" vs. "InteractionC.db"? I have 10 calls from the callhistory between my unit and a given number. However, when looking at the interactionc, the number is way higher?
1:32 AM
need to verify the amount of calls between the user and a given phone number 🙂
Hi, I just used iLEAPP to decode the BIOME for hardware reliability in an iPhone iOS 16.1.1. Can someone tell me if the timestamp in iLEAPP is in UTC or in local time?
j_matas
Anyone here who is into "Callhistory.Storedata" vs. "InteractionC.db"? I have 10 calls from the callhistory between my unit and a given number. However, when looking at the interactionc, the number is way higher?
Maybe it is because you can remove calls from the callhistory while the interactionC.db cannot be changed by the user. I know I have seen discrepancies between interactionC and other applications in the past where they don't match.
Johnie
Maybe it is because you can remove calls from the callhistory while the interactionC.db cannot be changed by the user. I know I have seen discrepancies between interactionC and other applications in the past where they don't match.
Thanks, could be... it's just A LOT of interactions between the two of them in a fairly short time though
j_matas
Thanks, could be... it's just A LOT of interactions between the two of them in a fairly short time though
If you have an iPhone to perform a test on, I would recommend testing some calls and removing them from the history, then looking at whether they are recorded in interactionC, or any other thesis you can think of. They should be carved from the DB in many cases, I would think though.
Dam
Hi, I just used iLEAPP to decode the BIOME for hardware reliability in an iPhone iOS 16.1.1. Can someone tell me if the timestamp in iLEAPP is in UTC or in local time?
Heimdall4N6K 1/30/2023 5:29 AM
I think UTC, as you can read in the Python script example:
5:29 AM
Heimdall4N6K
I think UTC, as you can read in the Python script example:
Great, thank you for the info.
cheeseGrater 1/30/2023 8:56 PM
Anyone know a good article explaining the Android/iOS file system structure?
cheeseGrater
Anyone know a good article explaining the Android/iOS file system structure?
j_matas
If you want a deeper dig at it, check out the file format handbook from the FORmobile project 🙂 https://www.researchgate.net/publication/360353993_2022_Book_Mobile_Forensics_-The_File_Format_Handbook/link/62720170107cae291986a4de/download
cheeseGrater 1/30/2023 10:19 PM
Thanks for the link, but it's not exactly what I'm looking for. I should have been more specific - I meant something that explains more about what is typically stored in each directory for Android and iOS. So, for example, what is stored in the /data/ directory in Android or what is the meaning of the /private/library/ directory in iOS.
@Cellebrite - I've secured / extracted an iPhone X in GK. But when generating a reader file in Physical Analyzer 7.59.1.16 or 7.58.0.66, it doesn't export the reader file. It only generates a folder with content of just a few MB, even though the process takes 30-50 minutes. I've tried to secure / extract the device several times. The hash is also correct every time. I've also tried other devices without any problem. Any suggestions?
Morning all, we have an iPhone 7 (iOS 15.5) where we are missing the last few call logs from WhatsApp. Database has been checked and they are not listed there either. Calls were made around seizure time
Forensic@tor 1/31/2023 2:50 AM
@Loqo What does the trace window say? Did you load this as an iPhone x or GK file? (edited)
Artea
Morning all, we have an iPhone 7 (iOS 15.5) where we are missing the last few call logs from WhatsApp. Database has been checked and they are not listed there either. Calls were made around seizure time
Currently analyzing the InteractionC.db, which seems to contain calls no longer stored in (or deleted from) the CallHistory.storedata. InteractionC.db also contains WhatsApp, Snapchat etc., so it might be worth a try? Currently validating my findings.
👍 1
Loqo
@Cellebrite - I've secured / extracted an iPhone X in GK. But when generating a reader file in Physical Analyzer 7.59.1.16 or 7.58.0.66, it doesn't export the reader file. It only generates a folder with content of just a few MB, even though the process takes 30-50 minutes. I've tried to secure / extract the device several times. The hash is also correct every time. I've also tried other devices without any problem. Any suggestions?
CLB_iwhiffin 1/31/2023 4:23 AM
How big is the extraction and how much free space do you have on the destination drive? It's a potentially simple solution, but worth checking.
Artea
Morning all, we have an iPhone 7 (iOS 15.5) where we are missing the last few call logs from WhatsApp. Database has been checked and they are not listed there either. Calls were made around seizure time
Worth checking the actual WhatsApp log files too
Anyone from @Cellebrite free for an urgent question?
hi @Aero (edited)
Forensic@tor
@Loqo What does the trace window say? Did you load this as an iPhone x or GK file? (edited)
I can't remember now, but it wasn't any different than others. I didn't notice anything different. If I recall correctly, it even said xml report exported (or something like that).
CLB_iwhiffin
How big is the extraction and how much free space do you have on the destination drive? It's a potentially simple solution, but worth checking.
There's definitely enough space. We have several petabytes of storage. We've even created other reader files after this issue with no problem.
Forensic@tor
@Loqo What does the trace window say? Did you load this as an iPhone x or GK file? (edited)
I loaded this as a GK iPhone file since it was a GK extraction.
CLB-Paul
hi @Aero (edited)
Already sorted thanks 😁
👍 1
House Whiskey 1/31/2023 5:31 AM
Hey all, after looking around on here I'm following Radhwan's guide for decrypting the Signal db on Android. I've gotten to the stage where I'm trying to get the cipher key by inputting the AES-GCM values in CyberChef, but it's fallen over and not been very verbose in its output error... Don't suppose anyone has gotten to this stage and conquered this issue or has a workaround?
You need to have a _USERKEY_SignalSecret from the hardware keystore. While this guide is good and will work on an emulator, it won't work directly on a normal device.
😢 1
House Whiskey 1/31/2023 5:58 AM
Ah, I understand now. That's a bummer, but thanks for the assist.
4PC doesn't get the correct Signal key from your device?
House Whiskey 1/31/2023 6:09 AM
I have a physical extraction on an S8 running Android 9 and Signal hasn't been decoded. I have the USRPKEY_SignalSecret from Root/Data/Misc/Keystore
6:10 AM
The key from this file is itself encrypted with the key that is in the hardware Keystore if I understand correctly?
House Whiskey
I have a physical extraction on an S8 running Android 9 and Signal hasn't been decoded. I have the USRPKEY_SignalSecret from Root/Data/Misc/Keystore
If you still have the device I would also get an FFS extraction. That should decrypt files that are normally encrypted in a physical extraction.
FullTang
If you still have the device I would also get an FFS extraction. That should decrypt files that are normally encrypted in a physical extraction.
House Whiskey 1/31/2023 6:15 AM
I'll give this a go, thanks for the suggestion 👍
👍 1
BigGamePlayer 1/31/2023 6:21 AM
Hi everyone, just got a little question and hoping someone on here has the answer. Is there anywhere on an iPhone that would state the phone turned off due to the battery being depleted?
FullTang
If you still have the device I would also get an FFS extraction. That should decrypt files that are normally encrypted in a physical extraction.
Correct, that would be a way to go here 🙂
cheeseGrater
Thanks for the link, but it's not exactly what I'm looking for. I should have been more specific - I meant something that explains more about what is typically stored in each directory for Android and iOS. So, for example, what is stored in the /data/ directory in Android or what is the meaning of the /private/library/ directory in iOS.
Is It Done Yet? 1/31/2023 6:45 AM
Do you have the SANS cheat sheets for iOS and Android?
House Whiskey
I'll give this a go, thanks for the suggestion 👍
To decrypt the database you'll need the keys from the KeyStore; a secrets.json should be located in an extra folder in the root of the FFS extraction that includes the decryption key for the Signal database. If you still can't see the messages parsed, make sure to still check for the decrypted database. I've seen that the database is decrypted but not parsed in PA on a few occasions, both on Android and iOS. (edited)
Hey all, I have had an iPhone 11 read open in Physical Analyzer displaying the data in a folder called PersonaVolumes? Has anyone ever encountered this? From what I can see the device is not jailbroken/altered in any way.
👀 1
Hello, I have a FFS from a Samsung SM-A04F. In the Messenger "databases" folder I have two files containing Messenger chats - "threads_db2" and "msys-database-[AccountID]". Physical Analyzer 7.59 and Oxygen 15.2 are parsing only chats from threads_db2. They completely missed chats from the second database. Only Axiom is parsing all chats from both databases (I checked the source of Axiom chats that didn't appear in the chats from PA and they point to the "msys_database[AccountID]" file). Maybe someone knows if PA can parse chats from the "msys-database-[FacebookAccountID]" database? (not only from threads_db2). Messenger version is 391.2.0.20.404. (edited)
Hey, I am analysing some files on a phone to see if any were edited and added onto the device. I am looking at the File info tab in Cellebrite and trying to understand the FAT section which includes things like Header offset. I was wondering if anyone had a good resource to explain how the storage is meant to work and what the different hex values mean.
2:13 PM
Does anyone know if there is a new subtlety with the unilog? I am trying to read the unilogs of an iOS 15 with Ventura... By creating my file with the logarchive extension from Ventura... By analyzing it on the command line (as usual) it tells me my archive is corrupt...
PierreX
Hello, I have a FFS from a Samsung SM-A04F. In the Messenger "databases" folder I have two files containing Messenger chats - "threads_db2" and "msys-database-[AccountID]". Physical Analyzer 7.59 and Oxygen 15.2 are parsing only chats from threads_db2. They completely missed chats from the second database. Only Axiom is parsing all chats from both databases (I checked the source of Axiom chats that didn't appear in the chats from PA and they point to the "msys_database[AccountID]" file). Maybe someone knows if PA can parse chats from the "msys-database-[FacebookAccountID]" database? (not only from threads_db2). Messenger version is 391.2.0.20.404. (edited)
Are you using 7.59.1.16? This version extracts the msys db messages. More FB Messenger improvements are in 7.60, which will release this week.
PierreX
Hello, I have a FFS from a Samsung SM-A04F. In the Messenger "databases" folder I have two files containing Messenger chats - "threads_db2" and "msys-database-[AccountID]". Physical Analyzer 7.59 and Oxygen 15.2 are parsing only chats from threads_db2. They completely missed chats from the second database. Only Axiom is parsing all chats from both databases (I checked the source of Axiom chats that didn't appear in the chats from PA and they point to the "msys_database[AccountID]" file). Maybe someone knows if PA can parse chats from the "msys-database-[FacebookAccountID]" database? (not only from threads_db2). Messenger version is 391.2.0.20.404. (edited)
Yuri Gubanov (Belkasoft) 2/1/2023 12:50 AM
Belkasoft X can also process both databases for Messenger, please give it a try
👍 1
@Cellebrite Hi, I have a question regarding the decoding of the com.apple.MobileBluetooth.devices.plist. The LastSeenTime seems to be stored in local time (https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/). PA shows me this time without any information about UTC, but in the timeline it shows this information as if it's UTC. So for example, in the timeline I have an entry at 09:00 and the last seen (from this plist) shows 08:30 but after the entry from 09:00. It looks like it changes the time zone in the timeline for the last seen information.
📬 1
👍 1
Arrowsmith
Hey all, I have had an iPhone 11 read open in Physical Analyzer displaying the data in a folder called PersonaVolumes? Has anyone ever encountered this? From what I can see the device is not jailbroken/altered in any way.
ForeverBrewing 2/1/2023 1:13 AM
The filepath (taken from a Premium FFS) is: private>var>PersonaVolumes>Data. Can't see any signs of device alteration whatsoever; no MDM, no evidence of jailbreaking etc. Any ideas?
chauan
Is there a way to recover the pattern lock set for Samsung secure folder if I have a FFS? Is it correct that secure folder contents are still encrypted in a FFS?
Hi buddy! Running into the same problem! Did you by any chance get a solution?
hypeman
Hi buddy! Running into the same problem! Did you by any chance get a solution?
SF could potentially be mounted as part of a FFS. To get the passcode, you can't based on the extraction. Need Premium / CAS @chauan (edited)
👍 1
Are there any artifacts or other items to look for that would indicate the user deleted/cleared internet browsing history on an iPhone? I have an FFS and entries from KnowledgeC but I am not seeing anything of note.
FullTang
Are there any artifacts or other items to look for that would indicate the user deleted/cleared internet browsing history on an iPhone? I have an FFS and entries from KnowledgeC but I am not seeing anything of note.
What iOS version? You may have done it already but parse with iLEAPP and see if you get any Safari biome artifacts or anything via Favicons.
💯 1
Heimdall4N6K 2/1/2023 9:09 AM
You can try Josh Hickman's public image of iOS 14: https://thebinaryhick.blog/public_images/
Jshoe
What iOS version? You may have done it already but parse with iLEAPP and see if you get any Safari biome artifacts or anything via Favicons.
The phone is running iOS 15.3.1. I have parsed with Axiom, parsing with PA now, I will also parse with iLEAPP. Thanks!
9:20 AM
So maybe I shouldn't parse with iLEAPP because the iOS version is too new?
9:20 AM
CLB-Tal
Are you using 7.59.1.16? This version extracts the msys db messages. More FB Messenger improvements are in 7.60, which will release this week.
Thanks for the info. I was using 7.59.0.36
BigGamePlayer
Hi everyone, just got a little question and hoping someone on here has the answer. Is there anywhere on an iPhone that would state the phone turned off due to the battery being depleted?
CLB_iwhiffin 2/1/2023 12:10 PM
Not quite, but there is a battery state log in either knowledgeC or CurrentPowerLog and (assuming it's recent) you'll see the battery level drain before the shutdown. It doesn't necessarily prove the user didn't shut it off when it was low, but if the battery is good then the chances it was a user event are high. Also, depending on iOS version, there is an AppFocus event called SBShutDownController which is the little "Swipe to turn off" screen. Again, not totally indicative, but a decent indicator of activity.
CLB-Paul
SF could potentially be mounted as part of a FFS. To get the passcode, you can't based on the extraction. Need Premium / CAS @chauan (edited)
Thanks. So Premium/CAS are the only solutions to BF the pattern/passcode for SF. Another thing to verify even if the phone is unlocked....
If you look for user accounts different from 0: generally UID 150 is SF, UID 95 is workspace
Salute 1
hypeman
Hi buddy! Running into the same problem! Did you by any chance get a solution?
It's possible to change the passcode for Secure Folder if the device has a Samsung account set up and you have the passcode for that account from the extraction already. This will require connecting the phone to the internet though.
rico
Does anyone know if there is a new subtlety with the unilog? I am trying to read the unilogs of an iOS 15 with Ventura... By creating my file with the logarchive extension from Ventura... By analyzing it on the command line (as usual) it tells me my archive is corrupt...
Peacekeeper 2/2/2023 1:22 AM
Just for the rest here as well (so nothing new for you): you can use Consolation to analyse and filter a logarchive. Filtering on time is needed since the amount of log entries is extreme. Recreating a logarchive is possible with the tool Ulbow. Therefore you have to export the /var/db/ folder from your FFS extraction. All of this is on a Mac. If you export the search results to a txt file, for example, you can analyze it on a workstation of your choosing.
👌 1
Has anyone here heard of and made investigations into the DarkBox secret photo album? We have a case where we are trying to get access to it.
General question here - Is it ever logged if a device has previously enabled secure folder/ second space/ equivalent on Android so that it can still be identified as a deleted user after-the-fact?
sky
General question here - Is it ever logged if a device has previously enabled secure folder/ second space/ equivalent on Android so that it can still be identified as a deleted user after-the-fact?
Varies between devices, but one thing I've observed before is that in users.xml (or something similar, can't remember exactly), it tracks what the next ID to be assigned is. If Secure Folder is set up with the default user ID of 150 and then deleted, the next time it's set up it will use the ID 151. The same applies to PrivateSpace on Huawei. If you can find a reference to what ID will be used next, that may be a clue.
OllieD
Varies between devices, but one thing I've observed before is that in users.xml (or something similar, can't remember exactly), it tracks what the next ID to be assigned is. If Secure Folder is set up with the default user ID of 150 and then deleted, the next time it's set up it will use the ID 151. The same applies to PrivateSpace on Huawei. If you can find a reference to what ID will be used next, that may be a clue.
User 12 from the little bit of analysis I've managed (for the OnePlus version), thanks Ollie
Good indication that it's likely been used before then 🙂
2:55 AM
But probably not enough to put before a jury!
👍 1
I have a Lumia 950XL (RM-1085, Windows 10) here, where the extraction via WPinternals failed and the device was bricked. Chip-off was successful, but the data partition is BitLocker encrypted. Is there a way to decrypt it? The device passcode is known, but Axiom says it's the wrong passcode. Does anyone know if it is possible to decrypt it?
Anyone from @Cellebrite? quick question
📬 1
Hi
🙋‍♂️ 2
m_bb.
I have a Lumia 950XL (RM-1085, Windows 10) here, where the extraction via WPinternals failed and the device was bricked. Chip-off was successful, but the data partition is BitLocker encrypted. Is there a way to decrypt it? The device passcode is known, but Axiom says it's the wrong passcode. Does anyone know if it is possible to decrypt it?
Maybe you should ask in the channels password-encryption-cracking or chip-off.
👍 1
Hello Does anyone know if it's possible to say which synced Apple device sent a message when multiple devices are logged into the same iCloud account? A defendant has said that she didn't send certain messages - these were sent by her boyfriend on a different device... However I don't have the actual device, I only have the device that messages were sent to! Anything that can help prove / disprove this? I did have a search but couldn't find anything definitive. Many thanks for any assistance 🙂
JMK
Hello Does anyone know if it's possible to say which synced Apple device sent a message when multiple devices are logged into the same iCloud account? A defendant has said that she didn't send certain messages - these were sent by her boyfriend on a different device... However I don't have the actual device, I only have the device that messages were sent to! Anything that can help prove / disprove this? I did have a search but couldn't find anything definitive. Many thanks for any assistance 🙂
Peacekeeper 2/2/2023 10:03 AM
I don't know to be honest, but for starters you'll need a device from the sending party. I don't think the receiving party would notice/the device would be able to tell.
👍 1
FullTang
So maybe I shouldn't parse with iLEAPP because the iOS version is too new?
No, I still would, and see what it parses for you… there may be things of interest to you… the iOS version difference would be in 16+, where you'll start seeing the biome data.
👍 1
FullTang
So maybe I shouldn't parse with iLEAPP because the iOS version is too new?
I just need to update the Readme. My bad. It supports iOS 16 decoding. We add things weekly it seems. 😂
💯 3
👍 1
Jshoe
No, I still would, and see what it parses for you… there may be things of interest to you… the iOS version difference would be in 16+, where you'll start seeing the biome data.
There is some biome in 15 too just not as much as in 16. iLEAPP parses a bunch of them.
Brigs
I just need to update the Readme. My bad. It supports iOS 16 decoding. We add things weekly it seems. 😂
Awesome, I'll give it a try!
Brigs
I just need to update the Readme. My bad. It supports iOS 16 decoding. We add things weekly it seems. 😂
Heimdall4N6K 2/2/2023 11:49 PM
Hope Python 3.11 support is coming soon 😉
Brigs
There is some biome in 15 too just not as much as in 16. iLEAPP parses a bunch of them.
Heimdall4N6K 2/2/2023 11:56 PM
you mean ios 16 support for all artefacts right?
Peacekeeper
I don't know to be honest, but for starters you'll need a device from the sending party. I don't think the receiving party would notice/the device would be able to tell.
Thank you, that helps in itself!
Someone from @Cellebrite available ?
📬 1
Heimdall4N6K
Hope Python 3.11 support is coming soon 😉
I think 3.10 & 3.11 are supported in all the LEAPPs with the exception of iLEAPP.
👍 1
Brigs
I think 3.10 & 3.11 are supported in all the LEAPPs with the exception of iLEAPP.
Heimdall4N6K 2/3/2023 3:54 AM
Exactly, Kevin Pagano told me to use 3.10.9 for all LEAPPs. Works fine. 👍
Does anyone know the difference between a PaneSnapshot image vs a .ktx image on iOS? I know a .ktx normally takes snapshots of active applications to show the user the open application window when switching between apps but what does PaneSnapshot do? The image in question was found in Library\Caches\GIPPersistentCache\PaneSnapshots\.
On the @Cellebrite PA main summary screen for an iPhone ffs I have "Factory Reset" time but it doesn't tell me where it is pulling this datetime from, is this from .obliterated ?
11:33 AM
It is the exact same time down to the second as the .obliterated modified time, so I assume so, but it doesn't explicitly say
FunkeDope
On the @Cellebrite PA main summary screen for an iPhone ffs I have "Factory Reset" time but it doesn't tell me where it is pulling this datetime from, is this from .obliterated ?
Yes it is. Since the current design only enables us to point to actual source file data and here the source is coming from the metadata and not some file's content, the source remained empty. Hope we will fix this limitation in the future 🙏
CLB-ChenK
Yes it is. Since the current design only enables us to point to actual source file data and here the source is coming from the metadata and not some file's content, the source remained empty. Hope we will fix this limitation in the future 🙏
appreciate it!
b8vr
Has anyone here heard of and made investigations into the DarkBox secret photo album? We have a case where we are trying to get access to it.
Hi b8vr, what is the package identifier for your DarkBox app?
James Pedersen 2/4/2023 9:05 PM
Hi, does anyone have any tips for how to recover internet history that was viewed on an iPhone in Safari in private browsing mode?
Anyone from @Elcomsoft and @Cellebrite for a ... "cross tools" question?
FabianoQ
Anyone from @Elcomsoft and @Cellebrite for a ... "cross tools" question?
I am from ElcomSoft, will be happy to help
v_katalov
I am from ElcomSoft, will be happy to help
Thanks a lot. This is the scenario (I think I'm not the only one in the world...): I'm a UFED user and use Physical Analyzer to analyze phone extractions. Not so rarely I receive extractions made by other agencies, specifically full FS extractions from iPhones made with Elcomsoft. I use P.A. against these extractions and everything works fine except for the fact that Elcomsoft's decoding of the keychain is in a format that P.A. seems not to understand. Do you know of any tool, script, magic trick, whatever, to convert the Elcomsoft keychain decoded file into a format that P.A. can ingest?
FabianoQ
Thanks a lot. This is the scenario (I think I'm not the only one in the world...): I'm a UFED user and use Physical Analyzer to analyze phone extractions. Not so rarely I receive extractions made by other agencies, specifically full FS extractions from iPhones made with Elcomsoft. I use P.A. against these extractions and everything works fine except for the fact that Elcomsoft's decoding of the keychain is in a format that P.A. seems not to understand. Do you know of any tool, script, magic trick, whatever, to convert the Elcomsoft keychain decoded file into a format that P.A. can ingest?
That’s unfortunately a known problem that some of our customers asked about. At this time, we do not have a quick solution for it, but we are thinking of adding an option to save the keychain in “Cellebrite” format. We have no access to Cellebrite software though, but will do our best. Alternatively, we will be more than happy to provide Cellebrite with details and a description of “our” keychain format (and provide them with our software if needed) so they will be able to add support for it to PA.
v_katalov
That’s unfortunately a known problem that some of our customers asked about. At this time, we do not have a quick solution for it, but we are thinking of adding an option to save the keychain in “Cellebrite” format. We have no access to Cellebrite software though, but will do our best. Alternatively, we will be more than happy to provide Cellebrite with details and a description of “our” keychain format (and provide them with our software if needed) so they will be able to add support for it to PA.
Thanks a lot sir. Very kind. This is more probably a question to ask on Cellebrite side. (edited)
MrMacca (Allan Mc) 2/6/2023 2:42 AM
Can anyone confirm whether ALEAPP uses UTC by default? Thanks.
Can I split the content of a cell in UFED with the SQLite wizard?
MrMacca (Allan Mc)
Can anyone confirm whether ALEAPP uses UTC by default? Thanks.
CLB_joshhickman1 2/6/2023 5:11 AM
It does. UTC unless otherwise stated in the respective artifacts.
👍 1
Ahhdrenaline 2/7/2023 12:48 AM
Hi all! Apologies if this is the wrong sub. Question specific to the Telegram app on iOS: I have a number of media items within the private/var/mobile/containers/Data/Application/..../tmp/ folder. It doesn't look like they're linked to any chats from the parsed databases from what I can tell, but I'm in the process of taking a deeper dive. I know Telegram uses some cloud-based systems for their application but I'm not too well versed in the app myself
Anyone from @Cellebrite about? Got a ufed reader file question
👍 1
MrMacca (Allan Mc) 2/7/2023 5:24 AM
Can anyone recommend me some Android artifacts that might contain the date/time when the application microsoft.outlook was uninstalled, taking into account that an eraser tool was used to wipe out the microsoft.outlook folder. There is the potential that other artifacts have been deleted as a result of the eraser tool. Trying to think of some alternative files to look at that might indicate when the application was no longer used. I've taken a look at the lastaccess.db and the localappstate.db, as well as processed the full filesystem extraction within Axiom and UFED PA, but nothing is jumping out at me at the moment. All ideas are welcome. Kind regards
MrMacca (Allan Mc)
Can anyone recommend me some Android artifacts that might contain the date/time when the application microsoft.outlook was uninstalled, taking into account that an eraser tool was used to wipe out the microsoft.outlook folder. There is the potential that other artifacts have been deleted as a result of the eraser tool. Trying to think of some alternative files to look at that might indicate when the application was no longer used. I've taken a look at the lastaccess.db and the localappstate.db, as well as processed the full filesystem extraction within Axiom and UFED PA, but nothing is jumping out at me at the moment. All ideas are welcome. Kind regards
Mobile phone model/brand? Any luck with Packages.xml file?
Avatar
Avatar
MrMacca (Allan Mc)
Can anyone recommend me some Android artifacts that might contain the date/time when the application microsoft.outlook was uninstalled, taking into account that an eraser tool was used to wipe out the microsoft.outlook folder? There is the potential that other artifacts have been deleted as a result of the eraser tool. Trying to think of some alternative files to look at that might indicate when the application was no longer used. I've taken a look at the lastaccess.db and the localappstate.db, as well as processed the full filesystem extraction within Axiom and UFED PA, but nothing is jumping out at me at the moment. All ideas are welcome. Kind regards
JLindmar (83AR) 2/7/2023 5:51 AM
I'd start with running a search for the app package name "com.microsoft.office.outlook" and see what is responsive. I've found many undocumented artifacts this way.
Avatar
MrMacca (Allan Mc) 2/7/2023 6:53 AM
I've got some good information from the Firebase cloud messaging LDB files. The phone is a Huawei P20 pro. Packages.xml doesn't contain anything relating to Outlook.
Avatar
Avatar
Ahhdrenaline
Hi all! Apologies if this is the wrong sub. Question specific to the Telegram app on iOS: I have a number of media items within the private/var/mobile/containers/Data/Application/..../tmp/ folder. It doesn't look like they're linked to any chats from the parsed databases from what I can tell, but I'm in the process of taking a deeper dive. I know Telegram uses some cloud-based systems for their application, but I'm not too well versed in the app myself.
What is the name of the files? I've done some digging in this folder; it's a mix of user-created and received files if I remember correctly. Telegram likes to create copies of files, so check for the hash if you haven't already. If you find one that looks like an ID you might be able to link further.
Avatar
Avatar
MrMacca (Allan Mc)
I've got some good information from the Firebase cloud messaging LDB files. The phone is a Huawei P20 pro. Packages.xml doesn't contain anything relating to Outlook.
The one stored in /data/system/, right? What about ALEAPP? Axiom is an option, but you need to index all data at processing and not only the artifacts to be able to search everywhere (Oxygen is another option).
Avatar
Avatar
Bobby
The one stored in /data/system/, right? What about ALEAPP? Axiom is an option, but you need to index all data at processing and not only the artifacts to be able to search everywhere (Oxygen is another option).
MrMacca (Allan Mc) 2/7/2023 7:30 AM
Yeah Aleapp has been a massive help so far, but it's the uninstall date that I'm now trying to either pinpoint or get an indication of when it happened.
7:31 AM
But I think the eraser tool has wiped all of that information.
Avatar
CLB_joshhickman1 2/7/2023 7:39 AM
Is the eraser tool still present?
Avatar
Avatar
CLB_joshhickman1
Is the eraser tool still present?
MrMacca (Allan Mc) 2/7/2023 7:42 AM
yeah still there
Avatar
Packages.xml should be updated at installation, update and uninstall; that's why I mentioned this xml file first. Eraser can't delete partial information in a file, so if packages.xml contains information about other apps, even old ones, Outlook should be there too. There is another file that may contain information about "stopped state applications" (like when you uninstall the app) -> packages-stopped.xml
Avatar
Avatar
Bobby
Packages.xml should be updated at installation, update and uninstall; that's why I mentioned this xml file first. Eraser can't delete partial information in a file, so if packages.xml contains information about other apps, even old ones, Outlook should be there too. There is another file that may contain information about "stopped state applications" (like when you uninstall the app) -> packages-stopped.xml
MrMacca (Allan Mc) 2/7/2023 7:50 AM
Doesn't seem to be present on this handset.
7:51 AM
The packages-stopped one
Avatar
CLB_joshhickman1 2/7/2023 7:53 AM
What version of Android is it running? I believe that phone can upgrade to 10.
Avatar
Avatar
CLB_joshhickman1
What version of Android is it running? I believe that phone can upgrade to 10.
MrMacca (Allan Mc) 2/7/2023 7:57 AM
Yeah Android 10
Avatar
CLB_joshhickman1 2/7/2023 7:59 AM
In addition to what has already been mentioned, Digital Wellbeing may be an option. I've never tested that particular phone, but if you have the package name of the eraser tool, you can always look for it in DW. It wouldn't be 100%, but it could give you some anchor points to search around to see what else was happening on the device around those times.
Avatar
MrMacca (Allan Mc) 2/7/2023 8:02 AM
I'll give that a shot then
Avatar
Avatar
CLB_joshhickman1
In addition to what has already been mentioned, Digital Wellbeing may be an option. I've never tested that particular phone, but if you have the package name of the eraser tool, you can always look for it in DW. It wouldn't be 100%, but it could give you some anchor points to search around to see what else was happening on the device around those times.
MrMacca (Allan Mc) 2/7/2023 8:15 AM
Digital wellbeing doesn't appear to be present either.
Avatar
CLB_joshhickman1 2/7/2023 8:28 AM
Interesting. Have you tried Usage Stats?
Avatar
MrMacca (Allan Mc) 2/7/2023 9:24 AM
Yeah, the usage stats are also missing any Outlook information, and show only a 5 second window where the eraser application was used. It's a very strange phone. Going to try and dig deeper into what was going on; Axiom shows file and folder openings, a few program executions, but there isn't anything in the timeline that screams at me.
9:25 AM
Due to the FCM ldb files, the phone has been in action from 2018 till 2023. So the severe lack of many aspects is interesting.
Avatar
thatboy_leo 2/7/2023 9:26 AM
What’s the go-to software to get a .bbb backup file for BlackBerry devices? I feel like it was BlackBerry Link, but the software isn’t showing on the BlackBerry site.
Avatar
@Magnet Forensics Axiom recovered a few videos of interest, but I can't get them to play. The deleted files are 1GB and 41MB. They are listed as being mp4 and mkv. I try to play them through Axiom or through an external player, and neither works. I exported them, with the same results. I exported them through FTK Imager, same results. What can I do to get these to play, if anything at all?
Avatar
Avatar
sholmes
@Magnet Forensics Axiom recovered a few videos of interest, but I can't get them to play. The deleted files are 1GB and 41MB. They are listed as being mp4 and mkv. I try to play them through Axiom or through an external player, and neither works. I exported them, with the same results. I exported them through FTK Imager, same results. What can I do to get these to play, if anything at all?
MrMacca (Allan Mc) 2/7/2023 9:31 AM
Have you tried to see if PotPlayer works with it? That's my go-to when a video doesn't play.
Avatar
I have not. I will Google that now.
Avatar
That didn't work, but it at least gave me an error message. It stated the file exists, but does not seem to have any video. I like that it gives you hex within the file.
9:38 AM
Thanks for the new player. I hadn't ever used it before.
Avatar
Avatar
sholmes
@Magnet Forensics Axiom recovered a few videos of interest, but I can't get them to play. The deleted files are 1GB and 41MB. They are listed as being mp4 and mkv. I try to play them through Axiom or through an external player, and neither works. I exported them, with the same results. I exported them through FTK Imager, same results. What can I do to get these to play, if anything at all?
forensicmike @Magnet 2/7/2023 9:44 AM
Do the file headers look normal/intact? Have you tried ffprobe? When you say recovered, are we talking carved from unallocated?
Avatar
Avatar
forensicmike @Magnet
Do the file headers look normal/intact? Have you tried ffprobe? When you say recovered, are we talking carved from unallocated?
FTK Imager and Axiom identified the files as being deleted with file attributes of Archive. They were not carved.
9:47 AM
Headers do not look normal or what I was expecting
9:47 AM
for an mp4
9:47 AM
or for mkv
Avatar
Avatar
sholmes
FTK Imager and Axiom identified the files as being deleted with file attributes of Archive. They were not carved.
JLindmar (83AR) 2/7/2023 9:49 AM
Do you know what carving signature AXIOM is using?
9:52 AM
Here is what I see in FTK Imager for the file properties, which is similar to Axiom. (edited)
Avatar
Avatar
sholmes
Here is what I see in FTK Imager for the file properties, which is similar to Axiom. (edited)
JLindmar (83AR) 2/7/2023 9:59 AM
Sorry, I just saw where you said that they were not carved. If AXIOM is flagging them as deleted, perhaps they were overwritten to some degree? What device, OS, and file system are these from?
👍 1
Avatar
FAT32 -USB drive
10:02 AM
I was thinking it could have been partially overwritten already as well, but wanted to do due diligence to see if I was missing anything obvious, or not so obvious.
Avatar
Avatar
sholmes
I was thinking it could have been partially overwritten already as well, but wanted to do due diligence to see if I was missing anything obvious, or not so obvious.
JLindmar (83AR) 2/7/2023 10:06 AM
If you have access to X-Ways Forensics, it should provide more insight on the existence state of these files, as well as allow you to see what file may be currently allocated to its previous space. I'm not sure offhand if AXIOM allows you to navigate that information easily.
👍 1
Avatar
Thanks @JLindmar (83AR). Unfortunately I don't have access to X-Ways. But this is the second time in a month someone has suggested it, so maybe we need to look into investing. 🙂
Avatar
Avatar
sholmes
Thanks @JLindmar (83AR). Unfortunately I don't have access to X-Ways. But this is the second time in a month someone has suggested it, so maybe we need to look into investing. 🙂
JLindmar (83AR) 2/7/2023 10:20 AM
You could try requesting access to DC3's "DC3 Advanced Carver" (https://www.dc3.mil/Products/DC3-Tools/). It has carving functionality specific to video recovery.
👍 1
Avatar
Is it possible to get more data than Cellebrite shows from Maps? Like the current location of the phone?
Avatar
Avatar
OggE
What is the name of the files? I've done some digging in this folder; it's a mix of user-created and received files if I remember correctly. Telegram likes to create copies of files, so check for the hash if you haven't already. If you find one that looks like an ID you might be able to link further.
Ahhdrenaline 2/7/2023 2:17 PM
Thanks OggE. There’s a mix of files with a different prefix, some have camphoto_xxx, others have long unique numbers, one set with a positive number “6894637900…” and others with a negative “-405968830…”. These ones might be an ID. As for the hash, they’re unique to this folder and don’t appear anywhere else on the handset
Avatar
Avatar
beamar
Is it possible to get more data than Cellebrite shows from Maps? Like the current location of the phone?
facelessg00n 2/7/2023 6:58 PM
How far back do you need / what type of extract is it?
Avatar
Avatar
facelessg00n
How far back do you need / what type of extract is it?
FFS, far back isn't the issue. There are a bunch of hits in the knowledgeC where this suspect was in the Maps app. I assume he was seeing his location on the map, but didn't really put in directions. Would love to see coords for each time there is a hit in the knowledgeC DB. Someone told me to check the Mapstore.sqlite, which I will do tomorrow.
Avatar
Avatar
beamar
FFS, far back isn't the issue. There are a bunch of hits in the knowledgeC where this suspect was in the Maps app. I assume he was seeing his location on the map, but didn't really put in directions. Would love to see coords for each time there is a hit in the knowledgeC DB. Someone told me to check the Mapstore.sqlite, which I will do tomorrow.
facelessg00n 2/7/2023 9:38 PM
This may help. However, there should be a good amount of more accurate location data in routineD as well, if the gap between the time of the incident and the time of download isn’t too large: https://digitalforensics.io/ios-forensics-data-hidden-within-map-cache-files/amp/
Part of my master's thesis for DFIR at Champlain College. Examining data hidden within map cache files.
Avatar
yes, I was reading that article
9:39 PM
Will check that out also tomorrow. I want to say we were able to get the phone a few weeks after the incident. Then 2 weeks to crack it.
Avatar
Avatar
Ahhdrenaline
Thanks OggE. There’s a mix of files with a different prefix, some have camphoto_xxx, others have long unique numbers, one set with a positive number “6894637900…” and others with a negative “-405968830…”. These ones might be an ID. As for the hash, they’re unique to this folder and don’t appear anywhere else on the handset
Camphoto_xxx is a picture that was taken with the camera app via Telegram, “6894637900…” is an ID and “-405968830…” is a random hash. Both the ID and the hash might still be referenced in the logs folder; do a wide string search in that folder and in the "db_sqlite" and you might find some answers.
Avatar
What evidence of deleting internet browsing history would exist on an iPhone? I have an FFS related to a high-profile case and need to see if the user deleted evidence from the phone before it was seized.
Avatar
Avatar
FullTang
What evidence of deleting internet browsing history would exist on an iPhone? I have an FFS related to a high-profile case and need to see if the user deleted evidence from the phone before it was seized.
Which kind of browsers, Safari, Chrome, etc.? I would go right to the DBs to start digging there.
Avatar
Avatar
FullTang
What evidence of deleting internet browsing history would exist on an iPhone? I have an FFS related to a high-profile case and need to see if the user deleted evidence from the phone before it was seized.
JLindmar (83AR) 2/8/2023 8:41 AM
In the absence of a clear indicator (e.g., table, flag, etc.) of deletion within the primary source file (where history records for the browsing application are expected to be stored), when applicable, I would look for gaps in any sequential record numbers and/or compare records that are not present in the primary source file, but are present in additional sources. If you are a member of the "Browser Forensics" Google Group, Jacques Boucher has a post that includes some SQLite queries for missing record detection: https://groups.google.com/g/browser-forensics/c/jqxbMFmVBhQ (edited)
Avatar
Avatar
CLB-Paul
Which kind of browsers, Safari, Chrome, etc.? I would go right to the DBs to start digging there.
I have Chrome Cache Records on the phone, but I can't seem to find the database for Chrome and it doesn't show up under installed applications. I am wondering if Chrome was deleted altogether.
Avatar
Avatar
FullTang
I have Chrome Cache Records on the phone, but I can't seem to find the database for Chrome and it doesn't show up under installed applications. I am wondering if Chrome was deleted altogether.
Might be difficult without the app. DM me and we can continue chatting
📩 1
Avatar
Avatar
JLindmar (83AR)
In the absence of a clear indicator (e.g., table, flag, etc.) of deletion within the primary source file (where history records for the browsing application are expected to be stored), when applicable, I would look for gaps in any sequential record numbers and/or compare records that are not present in the primary source file, but are present in additional sources. If you are a member of the "Browser Forensics" Google Group, Jacques Boucher has a post that includes some SQLite queries for missing record detection: https://groups.google.com/g/browser-forensics/c/jqxbMFmVBhQ (edited)
Agreed, Jacques put a lot of work into it and Damine from CPC continued to keep it updated. I'll reach out to him and see if we can add this as a resource to the Discord channel.
this 1
Avatar
Avatar
FullTang
I have Chrome Cache Records on the phone, but I can't seem to find the database for Chrome and it doesn't show up under installed applications. I am wondering if Chrome was deleted altogether.
JLindmar (83AR) 2/8/2023 9:41 AM
You could check the /private/var/installd/Library/Logs/MobileInstallation/ logs to see if there is a record of the app being uninstalled. Also, I've had good luck running NetAnalysis/HstEx (https://www.digital-detective.net/digital-forensic-software/) against mobile device datasets and finding a lot of web-browser activity outside of the traditional locations.
👍 1
Avatar
Avatar
JLindmar (83AR)
You could check the /private/var/installd/Library/Logs/MobileInstallation/ logs to see if there is a record of the app being uninstalled. Also, I've had good luck running NetAnalysis/HstEx (https://www.digital-detective.net/digital-forensic-software/) against mobile device datasets and finding a lot of web-browser activity outside of the traditional locations.
Great info, thanks! How do I get added to the Browser Forensics Google Group?
Avatar
Avatar
FullTang
Great info, thanks! How do I get added to the Browser Forensics Google Group?
JLindmar (83AR) 2/8/2023 10:02 AM
This is the main link: https://groups.google.com/g/browser-forensics. You should be able to request access via it.
Avatar
Avatar
JLindmar (83AR)
This is the main link: https://groups.google.com/g/browser-forensics. You should be able to request access via it.
It doesn't seem to be working. I also tried searching for Browser Forensics and I couldn't find anything.
Avatar
Avatar
FullTang
It doesn't seem to be working. I also tried searching for Browser Forensics and I couldn't find anything.
JLindmar (83AR) 2/8/2023 10:19 AM
Ok, I messaged the moderator and will DM you the details.
Avatar
Avatar
JLindmar (83AR)
Ok, I messaged the moderator and will DM you the details.
Perfect thanks!
Avatar
Avatar
OggE
Camphoto_xxx is a picture that was taken with the camera app via telegram, “6894637900…” is an ID and “-405968830…” is a random hash. Both of the ID and hash might still be referenced in the logs folder, do a wide string search in that folder and in the "db_sqlite" and you might find some answers.
Ahhdrenaline 2/8/2023 7:29 PM
Great, thank you!
Avatar
Hello, I am looking for a SQLite3 Wizard tool like the one in UFED PA. I am looking for a standalone version. Any ideas? (edited)
Avatar
Avatar
JP
Hello, I am looking for a SQLite3 Wizard tool like the one in UFED PA. I am looking for a standalone version. Any ideas? (edited)
For simple usage like visualizing data, table structures, some SQL queries, etc., I use DB Browser https://sqlitebrowser.org/about/ (edited)
Avatar
Morning! Possibly a question for MSAB but figured I would ask generally as well. We are looking at some extended XML exports from MSAB XAMN and there is a node in there called "location_searches_view". Within this are references to several location types, one of which is named "APP_APPLE_NETWORKS" - anyone know how these locations might be generated and/or what "APP_APPLE_NETWORKS" refers to? Thanks!
Avatar
Avatar
Nutelap
For simple usage like visualizing data, table structures, some SQL queries, etc., I use DB Browser https://sqlitebrowser.org/about/ (edited)
Yes, I like it too, but I have a problem with export. I work with an email database and I have HTML content in it. Export to CSV is broken.
Avatar
Heimdall4N6K 2/9/2023 2:26 AM
hi, has anybody already worked on analysing the comera app?
Avatar
Avatar
JP
Yes, I like it too, but I have a problem with export. I work with an email database and I have HTML content in it. Export to CSV is broken.
JLindmar (83AR) 2/9/2023 6:04 AM
https://www.sqliteexpert.com/ - Works out of the box. https://dbeaver.io/ - Requires additional dependencies depending on the database type you want to open.
this 1
Avatar
Hello, I am looking for information on how iPhones populate the location data in the database: private\var\root\Library\Application Support\com.apple.wifianalyticsd\DeviceAnalyticsModel.sqlite. If you could point me to any papers, documents or information on this database it would be appreciated.
Avatar
Arlakossan 2/9/2023 9:15 AM
Is there any way to determine how an iPhone was unlocked? If it was using fingerprint, Face ID and/or PIN/passphrase, and if so at what time. With some help from my colleagues I found out that a small "portion" of the information is stored in ADDdatastore.sqlite; however, I only found 7 unlocks, one for each day of the last week, but no timestamp, and I'm quite certain the phone has been unlocked more than once every day.
Avatar
Avatar
Arlakossan
Is there any way to determine how an iPhone was unlocked? If it was using fingerprint, Face ID and/or PIN/passphrase, and if so at what time. With some help from my colleagues I found out that a small "portion" of the information is stored in ADDdatastore.sqlite; however, I only found 7 unlocks, one for each day of the last week, but no timestamp, and I'm quite certain the phone has been unlocked more than once every day.
JLindmar (83AR) 2/9/2023 9:31 AM
Have you ever wondered how Apple can put out statistics such as “The average iPhone is unlocked 80 times a day”? How the heck do they know?
Avatar
Thank you, I've read that, and after that and some other digging came to the conclusion that it only shows one unlock for each day, the past 7 days. And in this case a 4 digit PIN; however, Touch ID is available on the phone.
Avatar
Avatar
Arlakossan
Thank you, I've read that, and after that and some other digging came to the conclusion that it only shows one unlock for each day, the past 7 days. And in this case a 4 digit PIN; however, Touch ID is available on the phone.
JLindmar (83AR) 2/9/2023 10:21 AM
Did you have "com.apple.fingerprintMain.unlock" entries?
Avatar
Anyone really good with SQLite/Python? I have an app that I'm trying to write a parser for. The messages are stored in a BLOB. What is the best way to display that kind of data in Python/SQLite?
Avatar
TheDale432 2/9/2023 3:58 PM
Has anyone had recent issues with @Cellebrite Physical Analyzer 7.59 or 7.60 crashing without warning? From Windows logs: Faulting application name: CellebritePhysicalAnalyzer.exe, version: 7.60.0.27, time stamp: 0x00000000 Faulting module name: haspdnert_x64.dll, version: 8.5.17218.60001, time stamp: 0x634f716b Exception code: 0xc0000005 Fault offset: 0x00000000001376e5 Faulting process id: 0x0x1118 Faulting application start time: 0x0x1D93CD4E59F1D1A Faulting application path: C:\Program Files\Cellebrite Mobile Synchronization\Cellebrite Physical Analyzer\CellebritePhysicalAnalyzer.exe Faulting module path: C:\Program Files\Cellebrite Mobile Synchronization\Cellebrite Physical Analyzer\haspdnert_x64.dll Report Id: 43d877c6-0f17-4ba8-abd5-280b05ba9932 Faulting package full name: Faulting package-relative application ID: Application: CellebritePhysicalAnalyzer.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.AccessViolationException at 131208028._64013957(131208032, 131208043 ByRef, IntPtr) at 131208028._64014064(System.Object) at 131208028._64014075(System.Object) at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.TimerQueueTimer.CallCallback() at System.Threading.TimerQueueTimer.Fire() at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem() at System.Threading.ThreadPoolWorkQueue.Dispatch()
Avatar
Avatar
JP
Hello, I am looking for a SQLite3 Wizard tool like the one in UFED PA. I am looking for a standalone version. Any ideas? (edited)
ScottKjr3347 2/9/2023 3:59 PM
Artifact Examiner (ArtEx) https://www.doubleblak.com Doesn’t have a visual query builder but will allow you to analyze the db
Avatar
Avatar
ltrain1029
Anyone really good with SQLite/Python? I have an app that I'm trying to write a parser for. The messages are stored in a BLOB. What is the best way to display that kind of data in Python/SQLite?
Andrew Rathbun 2/9/2023 6:00 PM
@CLB_joshhickman1 or @Brigs or @stark4n6 might know?
Avatar
Avatar
ltrain1029
Anyone really good with SQLite/Python? I have an app that I'm trying to write a parser for. The messages are stored in a BLOB. What is the best way to display that kind of data in Python/SQLite?
Usually I'd pull out the blob with SQLite and then parse whatever it is, if it's protobuf or something else.
Avatar
Avatar
stark4n6
Usually I'd pull out the blob with SQLite and then parse whatever it is, if it's protobuf or something else.
I agree with @stark4n6. What binary large object is it? Could be protobuf, JSON, gzip, an image, etc... etc... What you do with the blob will depend on what it is.
Avatar
Avatar
ltrain1029
Anyone really good with SQLite/Python? I have an app that I'm trying to write a parser for. The messages are stored in a BLOB. What is the best way to display that kind of data in Python/SQLite?
What's your app name? Maybe someone has already encountered the same problem and a parser exists
Avatar
iME. I think it’s an offshoot of Telegram. The BLOBs, from what I can tell, contain the text of the conversation. I can see the text (it’s in Arabic) but it’s surrounded by random characters, so I’m having a hard time displaying it.
Avatar
Anyone done some insights into "People" in an iOS Album?
Avatar
Is there a way to get the password/recovery key of a T2 MacBook from the iPhone keychain on the same iCloud account? (edited)
Avatar
Avatar
KingLong
Is there a way to get the password/recovery key of a T2 MacBook from the iPhone keychain on the same iCloud account? (edited)
Definitely not the password, and not even the recovery key, but a kind of "recovery token", which can be used to decrypt the disk image. Passware has this feature (to image the disk, get the token and decrypt).
Avatar
Avatar
v_katalov
Definitely not the password, and not even the recovery key, but a kind of "recovery token", which can be used to decrypt the disk image. Passware has this feature (to image the disk, get the token and decrypt).
Do we need the T2 add-on for this? And where would we find the recovery token?
Avatar
Avatar
KingLong
Do we need the T2 add-on for this? And where would we find the recovery token?
Sorry, do not know, better to check with @Passware Support !
👍 1
Avatar
Is there any reason an iPhone 13 might write iPhone SE, or is there another device out there with evidence?
Avatar
Scratch that. I called the investigator and told him I think there's a second phone that recorded the incident. "Oh you know what, there was a phone in the inventory of the vehicle".
😂 4
Avatar
Avatar
ltrain1029
iME. I think it’s an offshoot of Telegram. The BLOBs, from what I can tell, contain the text of the conversation. I can see the text (it’s in Arabic) but it’s surrounded by random characters, so I’m having a hard time displaying it.
Android or iOS? A screenshot of the blob in hex/ASCII might be useful.
Avatar
Avatar
GRIZZ
Is there any reason an iPhone 13 might write iPhone SE, or is there another device out there with evidence?
Heimdall4N6K 2/10/2023 6:22 AM
Maybe an iPhone SE iCloud backup restored on an iPhone 13?
Avatar
I dug deeper and found it was received via iMessage. I missed it at first because in iMessage the attached video was titled IMG_0065.MOV, but the file stored on the phone (..12DCECED6D6A.mov) did not display that filename in any of its properties. So when I searched iMessage for 12DCECED6D6A.mov, no messages came up. (edited)
Passware Support started a thread. 2/10/2023 7:32 AM
Avatar
Avatar
ltrain1029
iME. I think it’s an offshoot of Telegram. The BLOBs, from what I can tell, contain the text of the conversation. I can see the text (it’s in Arabic) but it’s surrounded by random characters, so I’m having a hard time displaying it.
iME Messenger? Which version? This app is supported by Oxygen and probably by PA too. But for Telegram mods there is a way to have it decoded by PA. For Android you need to export/dump the iME folder, rename or copy it into a folder named org.telegram.messenger, zip it, then load it as an ADB backup.
Avatar
Does anyone in here have any experience decoding a Pilgrim-database from the GasBuddy app?
Avatar
Avatar
Cenizas
Does anyone in here have any experience decoding a Pilgrim-database from the GasBuddy app?
JLindmar (83AR) 2/10/2023 10:35 AM
Created by Foursquare, Pilgrim SDK is an always-active, passive location detector engine. It offers contextual awareness to connected devices and apps.
Avatar
Wow, lots to look at in there. Have you worked with this database much?
Avatar
Avatar
Cenizas
Wow, lots to look at in there. Have you worked with this database much?
JLindmar (83AR) 2/10/2023 12:01 PM
No, but presuming the database is easily accessible, and the fields/values align with the info in the SDK, it shouldn't be too time consuming to figure out. Do you have any sample data, ideally free of PII, that you can share? (edited)
Avatar
Let's see if this works. . .
This is a line from the debug log table in a column labeled "data". What I'm super interested in is the speed data. It appears that the confidence level of the location is +/- 10 meters. I'm wondering if there is anything that would tell me if the speed calculation is more precise than location.
👀 1
1:32 PM
I've plotted an hour's worth of driving and it all looks spot on according to witnesses in the case, but it's going to court and I know this will be heavily scrutinized.
Avatar
Avatar
Cenizas
Let's see if this works. . .
JLindmar (83AR) 2/10/2023 1:55 PM
iOS or Android? What was the name of the table and other fields where the "data" field was found? (edited)
Avatar
Avatar
Cenizas
IOS
JLindmar (83AR) 2/10/2023 2:08 PM
Let me dig through the SDK info to see if any of it may be helpful.
Avatar
That would be awesome. I've looked through it a bit but have come up empty. I'm sure you know more than I do!
Avatar
Does someone know the file path where Telegram stores its media when it has been made by the device itself? Is this any different from downloaded media from Telegram groups etc.? (On Android) (edited)
Avatar
Avatar
florus
Does someone know the file path where Telegram stores its media when it has been made by the device itself? Is this any different from downloaded media from Telegram groups etc.? (On Android) (edited)
citizencain 2/11/2023 10:46 AM
My Android testing shows that the media I create within the app is stored in the same path as all the rest of the Telegram media. And I have not found it outside of that location. Good for security, sad for forensics.
Avatar
Avatar
citizencain
My Android testing shows that the media I create within the app is stored in the same path as all the rest of the Telegram media. And I have not found it outside of that location. Good for security, sad for forensics.
That's what I thought 😦 (edited)
Avatar
Hey everyone, just want to double check a hypothetical with you guys. I believe my answer is yes, but I just want to make sure as it’s been a while with Apple UUIDs: If I had a UUID provided to me by an application developer of a device, I would then be able to confirm that UUID is on the suspect device (FFS) for the specific application unless the device was factory reset. A follow up would be, if the application is deleted from the phone, would there be artifacts of the UUID associated with that application?
Avatar
chrisforensic 2/12/2023 12:00 AM
hello folks at @Cellebrite, can anyone tell me when the new release of Cellebrite Physical Analyzer Ultra will be available? - with the decoding features of PA 7.60 (edited)
Avatar
Avatar
chrisforensic
hello folks at @Cellebrite, can anyone tell me when the new release of Cellebrite Physical Analyzer Ultra will be available? - with the decoding features of PA 7.60 (edited)
CLB_4n6s_mc 2/12/2023 12:15 AM
@chrisforensic good morning, we are working to release 8.3 in the next few days, but it is not ready yet.
💯 3
Avatar
Avatar
CLB_4n6s_mc
@chrisforensic good morning, we are working to release 8.3 in the next few days, but it is not ready yet.
chrisforensic 2/12/2023 12:20 AM
thanks for fast info 🙂
Avatar
Avatar
houndineu
Hey everyone, just want to double check a hypothetical with you guys. I believe my answer is yes, but I just want to make sure as it's been a while with Apple UUIDs: if I had a UUID provided to me by an application developer of a device, I would then be able to confirm that UUID is on the suspect device (FFS) for the specific application unless the device was factory reset. A follow up would be: if the application is deleted from the phone, would there be artifacts of the UUID associated with that application?
Isn't UUID unique on each device?
Avatar
Avatar
houndineu
Hey everyone, just want to double check a hypothetical with you guys. I believe my answer is yes, but I just want to make sure as it's been a while with Apple UUIDs: if I had a UUID provided to me by an application developer of a device, I would then be able to confirm that UUID is on the suspect device (FFS) for the specific application unless the device was factory reset. A follow up would be: if the application is deleted from the phone, would there be artifacts of the UUID associated with that application?
Rich Mahogany 2/12/2023 7:50 AM
The UUIDs are randomly generated, unfortunately. They will vary between devices and even installation instances. You'd be better off finding the bundle name for the application in question. If it's been installed/used recently you will find usage artefacts within KnowledgeC etc. You normally don't get much more than usage records once an app is deleted, generally.
Avatar
Is there a way to tell if a keychain plist is decrypted or not? It seems to be cleartext, but no words as such when opened in Notepad++ (edited)
Avatar
Has anyone else seen a problem with @Cellebrite PA where you create an SQL Wizard script and the decoded data doesn't instantly appear in Analyzed Data or Extraction Summary, but it is there? I have a ticket in at the moment and Cellebrite cannot recreate it, but I have had it happen several times, so some backup would be handy! (edited)
5:05 AM
I have seen it happening since 7.58
Avatar
Avatar
KingLong
Is there a way to tell if a keychain plist is decrypted or not? It seems to be cleartext, but no words as such when opened in Notepad++ (edited)
If it's in a plist it's usually decrypted but base64 encoded; if it's from UFED it's encrypted, but it can be decrypted with https://gist.github.com/xperylab/e6b943bbd592eff74af36effc914d44d
UFED KeychainDump Decrypter (GitHub Gist)
👍 1
Avatar
Hi all, I have a question which I need quite a quick answer to if possible please. In KnowledgeC database, there is an entry for device events called /Device/IsLockedImputed. I am struggling to find an answer to what the "imputed" part represents, does anyone here have an idea please?
Avatar
Avatar
TheDale432
Has anyone had recent issues with @Cellebrite Physical Analyzer 7.59 or 7.60 crashing without warning? From Windows logs:
Faulting application name: CellebritePhysicalAnalyzer.exe, version: 7.60.0.27, time stamp: 0x00000000
Faulting module name: haspdnert_x64.dll, version: 8.5.17218.60001, time stamp: 0x634f716b
Exception code: 0xc0000005
Fault offset: 0x00000000001376e5
Faulting process id: 0x0x1118
Faulting application start time: 0x0x1D93CD4E59F1D1A
Faulting application path: C:\Program Files\Cellebrite Mobile Synchronization\Cellebrite Physical Analyzer\CellebritePhysicalAnalyzer.exe
Faulting module path: C:\Program Files\Cellebrite Mobile Synchronization\Cellebrite Physical Analyzer\haspdnert_x64.dll
Report Id: 43d877c6-0f17-4ba8-abd5-280b05ba9932
Faulting package full name:
Faulting package-relative application ID:
Application: CellebritePhysicalAnalyzer.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
   at 131208028._64013957(131208032, 131208043 ByRef, IntPtr)
   at 131208028._64014064(System.Object)
   at 131208028._64014075(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.TimerQueueTimer.CallCallback()
   at System.Threading.TimerQueueTimer.Fire()
   at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
7.62 fixes this issue
Avatar
DeepDiveForensics 2/13/2023 6:47 AM
Hello @Cellebrite Team, we are trying to scan an iPhone dump on UFED PA 7.59 but we got an error "Malware Scanning has failed". Can you help me out?
📬 1
Avatar
Avatar
DeepDiveForensics
Hello @Cellebrite Team, we are trying to scan an iPhone dump on UFED PA 7.59 but we got an error "Malware Scanning has failed". Can you help me out?
CLB_4n6s_mc 2/13/2023 7:12 AM
Hi, would it be possible to uninstall PA 7.59 and install PA 7.60 in a new directory? It will fix the issue. @DeepDiveForensics (edited)
Avatar
Avatar
CLB_4n6s_mc
Hi, would it be possible to uninstall PA 7.59 and install PA 7.60 in a new directory? It will fix the issue. @DeepDiveForensics (edited)
DeepDiveForensics 2/13/2023 7:13 AM
Sure, I'll try. Thanks
Avatar
Avatar
DeepDiveForensics
Sure, I'll try. Thanks
CLB_4n6s_mc 2/13/2023 7:13 AM
Please keep me updated.
Avatar
Avatar
CLB_4n6s_mc
Please keep me updated.
DeepDiveForensics 2/13/2023 7:27 AM
Sure
Avatar
Hi guys, I have a question about Facebook SECRET Messenger. I've come across a cellphone running Android 12, and I found in the hex data that there are traces of some Messenger secret conversations. Has anyone ever decoded conversations from Facebook Secret Messenger? If yes, how? At this point, I have tried parsing and carving the Facebook DB (which is a msysdatabaseID without any extension); it shows parts of the messages in a garbage table. Reading the hex data directly shows parts of the conversation, but I cannot identify the users nor the timestamps associated with the messages. Any ideas or experience with Facebook Secret Messenger that could help me? Thank you very much
Avatar
Avatar
4N6Cookie
Hi guys, I have a question about Facebook SECRET Messenger. I've come across a cellphone running Android 12, and I found in the hex data that there are traces of some Messenger secret conversations. Has anyone ever decoded conversations from Facebook Secret Messenger? If yes, how? At this point, I have tried parsing and carving the Facebook DB (which is a msysdatabaseID without any extension); it shows parts of the messages in a garbage table. Reading the hex data directly shows parts of the conversation, but I cannot identify the users nor the timestamps associated with the messages. Any ideas or experience with Facebook Secret Messenger that could help me? Thank you very much
Peacekeeper 2/13/2023 8:30 AM
Unfortunately I don't remember which tool, but there was one that was great at carving artifacts from databases... But I'm sure someone here will remind me what tool that was 🧐
Avatar
Avatar
Peacekeeper
Unfortunately I don't remember which tool, but there was one that was great at carving artifacts from databases... But I'm sure someone here will remind me what tool that was 🧐
So far, I've tried sqlparse, FQLite and the Sanderson SQLite tools.
Avatar
citizencain 2/13/2023 9:42 AM
@Oxygen Forensics In Telegram group chats, the device user account's outgoing messages have the group chat name as the 'Remote Party'. When I export this out, I'm always having to explain to the case agent that "Anytime you see the chat name, that's really your subject talking", which, as you can imagine, does not go over well in court. It's even worse when I have multiple devices in play: I have two devices, both post messages in the group MemesRFun. When I export out those chats, BOTH Device A and Device B's messages in the group are listed with the Remote Party 'MemesRFun', making it impossible to review. Am I doing something wrong here, or is this working as designed?
Avatar
Avatar
Akko
7.62 fixes this issue
As of last week, PA 7.60 was the latest release on their website, with 7.60.1 now appearing. Are you confusing PA for 4PC? I see 4PC has 7.62 released last week. Or are you running a beta of PA 7.62 that you know the crashing has been fixed in?
Avatar
Avatar
Peacekeeper
Unfortunately I don't remember which tool, but there was one that was great at carving artifacts from databases... But I'm sure someone here will remind me what tool that was 🧐
I've only ever used the free trial, but from a small amount of testing Belkasoft X did a very good job at decoding and carving from databases
Avatar
MrMacca (Allan Mc) 2/14/2023 5:11 AM
Does anybody know what the following file does, or how it is created on a Huawei device? \data\user_de\0\com.huawei.systemmanager\files\o_c_utc.dat The contents of the file are basically a list of files that are no longer present on the device, and folder structures which are no longer on the device. However, they are all folders relating to a wide variety of communication applications that we are interested in. Is it an index of files that were present on the device at the time? Any advice is greatly appreciated.
Avatar
Avatar
A A
Thank you!
I scrolled and didn't see an update (or I could have missed it). Did you get an answer for the keystore file?
Avatar
Avatar
Alex Owen
Hi all, I have a question which I need quite a quick answer to if possible please. In KnowledgeC database, there is an entry for device events called /Device/IsLockedImputed. I am struggling to find an answer to what the "imputed" part represents, does anyone here have an idea please?
CLB_iwhiffin 2/14/2023 6:07 PM
I never was able to perfectly explain this one. Seemed to occur at the same time as a regular lock event. I could not isolate exactly what caused it. I can take another look though, it’s always bugged me.
Avatar
Avatar
citizencain
@Oxygen Forensics In Telegram group chats, the device user account's outgoing messages have the group chat name as the 'Remote Party'. When I export this out, I'm always having to explain to the case agent that "Anytime you see the chat name, that's really your subject talking", which, as you can imagine, does not go over well in court. It's even worse when I have multiple devices in play: I have two devices, both post messages in the group MemesRFun. When I export out those chats, BOTH Device A and Device B's messages in the group are listed with the Remote Party 'MemesRFun', making it impossible to review. Am I doing something wrong here, or is this working as designed?
Oxygen Forensics 2/14/2023 11:39 PM
Hello! I understand your concern here, do you mind if I send you a message regarding this?
👍🏻 1
Avatar
Avatar
Alex Owen
Hi all, I have a question which I need quite a quick answer to if possible please. In KnowledgeC database, there is an entry for device events called /Device/IsLockedImputed. I am struggling to find an answer to what the "imputed" part represents, does anyone here have an idea please?
JLindmar (83AR) 2/15/2023 6:11 AM
"Imputation" is when missing data is replaced with substituted values. In my test data, "\System\Library\PrivateFrameworks\CoreDuet.framework\com.apple.coreduet.systemevents.plist" shows the following (thanks Mushy!):
<dict>
  <key>DataCollection</key>
  <bool>True</bool>
  <key>EventDescription</key>
  <string>Event capturing whether or not the screen is locked, with imputed events</string>
  <key>EventFormattedName</key>
  <string>Screen Lock State (Imputed)</string>
  <key>EventName</key>
  <string>ScreenLockStateImputed</string>
  <key>EventType</key>
  <string>BoolCategory</string>
  <key>KnowledgeBaseEventName</key>
  <string>/device/isLockedImputed</string>
  <key>MonitorClass</key>
  <string>_DKNotificationScreenLockImputedMonitor</string>
  <key>Platforms</key>
  <array>
    <string>iOS</string>
    <string>watchOS</string>
  </array>
  <key>ShouldSaveCurrentEventOnShutdown</key>
  <bool>True</bool>
  <key>TimestampPrecisionInSeconds</key>
  <integer>1</integer>
</dict>
The question is IF imputed, boolean (True/False) events can be trusted, if we presume they are relying on missing information.
Avatar
Avatar
JLindmar (83AR)
"Imputation" is when missing data is replaced with substituted values. In my test data, "\System\Library\PrivateFrameworks\CoreDuet.framework\com.apple.coreduet.systemevents.plist" shows the following (thanks Mushy!):
<dict>
  <key>DataCollection</key>
  <bool>True</bool>
  <key>EventDescription</key>
  <string>Event capturing whether or not the screen is locked, with imputed events</string>
  <key>EventFormattedName</key>
  <string>Screen Lock State (Imputed)</string>
  <key>EventName</key>
  <string>ScreenLockStateImputed</string>
  <key>EventType</key>
  <string>BoolCategory</string>
  <key>KnowledgeBaseEventName</key>
  <string>/device/isLockedImputed</string>
  <key>MonitorClass</key>
  <string>_DKNotificationScreenLockImputedMonitor</string>
  <key>Platforms</key>
  <array>
    <string>iOS</string>
    <string>watchOS</string>
  </array>
  <key>ShouldSaveCurrentEventOnShutdown</key>
  <bool>True</bool>
  <key>TimestampPrecisionInSeconds</key>
  <integer>1</integer>
</dict>
The question is IF imputed, boolean (True/False) events can be trusted, if we presume they are relying on missing information.
Thank you so much for your reply, it is much appreciated!
Avatar
Avatar
CLB_iwhiffin
I never was able to perfectly explain this one. Seemed to occur at the same time as a regular lock event. I could not isolate exactly what caused it. I can take another look though, it’s always bugged me.
I found the same, it's always at the same time as the /IsLocked event. It might be worth another look. I'm dealing with a case that is going through court where I am relying on KnowledgeC data, so if you have any research material you could share with me that would be amazing!
Avatar
I have a Moto G Pure running OS version 12. I have a Cellebrite file system extraction that is showing device events, but they only go back to Dec 31. Is there a set timeframe for logging unlock and power state events, or does it go back as far as there is data available?
Avatar
I am getting errors when trying to parse an FFS extraction from a Samsung Galaxy S22 Ultra. PA has crashed on me twice and now Axiom is also crashing. (edited)
8:05 AM
The end of the AXIOMExamine.log shows the following:
8:05 AM
Anyone from @Magnet Forensics have any ideas?
Avatar
Avatar
FullTang
Anyone from @Magnet Forensics have any ideas?
cScottVance 2/15/2023 8:08 AM
DM Incoming
👍 1
Avatar
Avatar
Alex Owen
I found the same, it's always at the same time as the /IsLocked event. It might be worth another look. I'm dealing with a case that is going through court where I am relying on KnowledgeC data, so if you have any research material you could share with me that would be amazing!
JLindmar (83AR) 2/15/2023 9:13 AM
If you have a corresponding "IsLocked" event, then I would put more weight on it than the "isLockedImputed" until more is understood about imputed events.
Avatar
Hello, I have different results with a Google Chrome Android History file. UFED PA shows "1" in visits, Axiom shows 0, and the visit_count column is 0 in the SQLite History file. Also, I have 50 links with the same timestamp to the second. Do you have an explanation?
Avatar
Mistercatapulte 2/16/2023 1:44 AM
@JP maybe private navigation? I see the hidden column incremented by 1
Avatar
@Mistercatapulte this "hidden" count is not clear. I saw discussions about this on the Discord and apparently it's not linked with private navigation
1:57 AM
the 50 links I have at the date in April are hidden = 1 and visit count = 0; all the following links, starting from July, show a visit count with a minimum of 1
Avatar
Mistercatapulte 2/16/2023 1:59 AM
@JP for me, you found the answer
Avatar
but how is it possible to have 50 links with the same timestamps in seconds ...
Avatar
Mistercatapulte 2/16/2023 2:10 AM
@JP maybe Google account sync at this timestamp?
Avatar
I looked at the History file with the NirSoft tool and it shows me results from the "visits" table and not from the "url" table. I don't know why there are 50 links with hidden = 1 in the url table, but to talk about navigation I think I must limit myself to the visits table.
Avatar
UFED PA extracts history from the "url" table, which is different!
Avatar
Avatar
JP
UFED PA extracts history from the "url" table, which is different!
What if it's just an indexed page with several x-videos, each with its own URL? So the user visited a page with several videos being offered, but they did not get clicked on?
Avatar
I also have these 6 video links in the Bookmarks file.
2:53 AM
ChatGPT's answer about the "hidden" column!
2:53 AM
Avatar
Sounds legit haha
Avatar
Avatar
TheDale432
As of last week, PA 7.60 was the latest release on their website, with 7.60.1 now appearing. Are you confusing PA for 4PC? I see 4PC has 7.62 released last week. Or are you running a beta of PA 7.62 that you know the crashing has been fixed in?
You're right, I was trying a beta, but I found that 7.60.1 did fix the issue I had, GK iOS extractions would crash without warning - now seems to be ok, sorry for the confusion.
Avatar
Anyone got any idea where to look for search history/activities for iOS youtube? I can't seem to find anything within databases or plists.
Avatar
Or any recording of user interaction such as pause, play, fast forward, rewind etc?
Avatar
Avatar
Pacman
Or any recording of user interaction such as pause, play, fast forward, rewind etc?
What iOS version? KnowledgeC or, if it's iOS 16, Biome might contain such interactions
Avatar
Hi, I know that there will be a presentation on this subject at the next Magnet Summit in March, but I wanted to ask on Discord to learn about some of your experiences... What hardware is best for mainly using Physical Analyzer and AXIOM? Xeon? Threadripper? i9? Ryzen 7000 x3d?
Avatar
Avatar
CLB-ChenK
What iOS version? KnowledgeC or, if it's iOS 16, Biome might contain such interactions
I've completed bookmarking all relevant data from knowledgeC - not much user interaction during the time frame we're interested in - just shows YouTube being in focus for an hour. We're interested in knowing if he has carried out multiple searches, or tapped the screen to pause/fast forward/rewind etc.
Avatar
Avatar
Pacman
Or any recording of user interaction such as pause, play, fast forward, rewind etc?
There is a column in KnowledgeC that gives an integer value correlating to the play, stop and pause events. But it gets tricky with video play events. For example, buffering can cause multiple pause events to be registered even though it's just the user essentially "seeking" in the video.
6:35 PM
Is there any documentation for what causes messages to be logged in the Recents db on older iOS versions? If a message shows up in recents but no longer exists on the device, are there other potential reasons it could show up in recents besides message deletion? Like if a user drafts a message but doesn’t send it?
Avatar
chrisforensic 2/16/2023 11:34 PM
good morning @Cellebrite please update decoding of the Android IMO app.... latest PA 7.60.1.9 can't decode IMO (version 2023.01.1071) ... source is a Unisoc FFS, thanks! Decoding with another tool works... (edited)
📬 1
Avatar
Avatar
gh0st1933
There is a column in KnowledgeC that gives an integer value correlating to the play, stop and pause events. But it gets tricky with video play events. For example, buffering can cause multiple pause events to be registered even though it's just the user essentially "seeking" in the video.
Thank you, do you happen to remember which table and column? I'm currently searching for this.
Avatar
Hi guys, has anyone had any experience of identifying system apps on Honor devices? I'm trying to identify file paths, looking at .Gallery2 and .1VideoMaker. Just looking for confirmation that they are system apps, I guess 🤔
Avatar
forrest7132 2/17/2023 5:25 AM
Hey, new to mobile forensics, I kinda need this info ASAP for a case: which Android DB is significant for actual cellphone (on or off) usage on an Android 8 cellphone, LG Edge H 850? Trying to specify the exact time a cellphone ran out of battery and when it was turned on again. Thx in advance
Avatar
Avatar
forrest7132
Hey, new to mobile forensics, I kinda need this info ASAP for a case: which Android DB is significant for actual cellphone (on or off) usage on an Android 8 cellphone, LG Edge H 850? Trying to specify the exact time a cellphone ran out of battery and when it was turned on again. Thx in advance
JLindmar (83AR) 2/17/2023 5:32 AM
https://github.com/RealityNet/Android-Forensics-References Several links to battery-related articles/blogs. (edited)
Avatar
forrest7132 2/17/2023 5:32 AM
Thank you!!!
Avatar
forrest7132 2/17/2023 6:39 AM
Found that one ☝️ thank you!
👍 1
Avatar
Gave an investigator a DVD with a UFED Reader Extraction. He couldn't open this so I made another and sent it. He is getting the same error which is seen in the screenshot. Any ideas? He has tried on multiple computers. I had no problem opening on mine.
Avatar
Avatar
Ghosted
Gave an investigator a DVD with a UFED Reader Extraction. He couldn't open this so I made another and sent it. He is getting the same error which is seen in the screenshot. Any ideas? He has tried on multiple computers. I had no problem opening on mine.
Is he opening straight from the DVD or copying it first to the C: drive?
Avatar
tried both
Avatar
I think the patch notes for 7.60.1.9 mentioned there was sometimes an issue opening UFDRs in 7.60.0; not sure if that might be the case
💯 2
this 1
Avatar
Avatar
CLB_4n6s_mc
Please keep me updated.
DeepDiveForensics 2/17/2023 11:48 PM
Thanks, Issue resolved by latest version.
Avatar
Avatar
JLindmar (83AR)
Ok, I messaged the moderator and will DM you the details.
Maybe a little late, but can you let me know too?
Avatar
Avatar
Mr.Robot
Maybe a little late, but can you let me know too?
JLindmar (83AR) 2/18/2023 12:22 PM
Sent you a DM.
Avatar
Hi there! Does anyone have any experience examining Xiaomi devices? Specifically the Xiaomi POCO 3, Android 12 in my case, and the Mi Gallery app?
1:04 AM
APK version 3.4.5.28-global
Avatar
@exFAT what's your pb?
Avatar
Avatar
rico
@exFAT what's your pb?
pb?
Avatar
Problem? App or user data?
Avatar
Oh sorry. I'm wondering about entries within the app's database, specifically regarding the reason codes and tags it labels files with
Avatar
@exFAT To my for I'm sorry because I've never been interested in these codes. If anyone has any other info on it, I think we're all interested ☺
Avatar
chrisforensic 2/20/2023 10:12 PM
good morning @Cellebrite ... concerning the new update PA 8.3.... FYI
1) Location of Interests: after getting the addresses online, when you close and reopen the "location of interests" the addresses are empty?
2) No detailed information for Location of Interests, just "Unknown"... have locations from WhatsApp and Snapchat here
3) Location of Interests: after getting the addresses online, the locations are NOT visible on the right pane?
4) In a WhatsApp chat (where locations are inside), locations are NOT visible in the overview (edited)
Avatar
I was just wondering if anyone has ever come across a certain file path relating to Safari: /private/var/mobile/Containers/Data/Application/<app GUID>/tmp/ The files stored in this folder are PDFs which appear to be a snapshot of web pages at a certain moment in time. The file names are in the format of a UUID, e.g. 01AFED6F-1A55-432E-9C93-D47D5F957383.pdf. I'm trying to figure out how these PDF files are created. From the timestamps they do not look like they are generated all the time. I initially thought that they might be similar to the Safari thumbnails that are in KTX format relating to the BrowserState.db, but I don't think this is the case. I haven't been able to find anything online regarding this either. If anyone has any knowledge or advice on this file path / the PDF files it would be greatly appreciated.
📬 1
Avatar
Original message was deleted or could not be loaded.
Artemisia (They / Them) 2/21/2023 4:27 AM
Is this live case data? Should probably redact the phone numbers and other sensitive information if so for data protection / GDPR purposes (edited)
Avatar
Avatar
LexiRow
I was just wondering if anyone has ever come across a certain file path relating to Safari: /private/var/mobile/Containers/Data/Application/<app GUID>/tmp/ The files stored in this folder are PDFs which appear to be a snapshot of web pages at a certain moment in time. The file names are in the format of a UUID, e.g. 01AFED6F-1A55-432E-9C93-D47D5F957383.pdf. I'm trying to figure out how these PDF files are created. From the timestamps they do not look like they are generated all the time. I initially thought that they might be similar to the Safari thumbnails that are in KTX format relating to the BrowserState.db, but I don't think this is the case. I haven't been able to find anything online regarding this either. If anyone has any knowledge or advice on this file path / the PDF files it would be greatly appreciated.
JLindmar (83AR) 2/21/2023 6:16 AM
What application does the "<app GUID>" relate to in your extraction?
Avatar
Avatar
JLindmar (83AR)
What application does the "<app GUID>" relate to in your extraction?
Sorry forgot to include that. It is Safari on an iPhone XS running iOS 13.3.1
Avatar
Avatar
LexiRow
Sorry forgot to include that. It is Safari on an iPhone XS running iOS 13.3.1
JLindmar (83AR) 2/21/2023 6:21 AM
In Safari on iPhone, mark up a webpage, highlight your favorite parts, draw and write notes, and share your document as a PDF with others.
Avatar
Is anyone familiar with the behavior of YouTube on an Android phone? Will it download .exo files in the background if you are not actively watching a video? Any articles on this? Thanks!
Avatar
Avatar
MetaStig
Hello! After some slight difficulties I finally managed to use sboot_dump to dump the memory of a Samsung S9. However, I am not having any luck with PA decrypting the Samsung Health DB. Grepping does show some keys, but while monitoring the trace window I cannot help but notice that the parser "SbootDumpPasswords" is missing/not run.. So the big question is.. Where have I messed up? Anyone been successful in running it that might share some insight? Have been following this guide: https://www.cellebrite.com/en/blog/decrypting-databases-using-ram-dump-health-data/
I've extracted some encryption keys from a memory dump of a Samsung device. Is there a way to import the raw keys into Cellebrite PA, perhaps by editing the .ufd file? Would it be possible to import the memory image? The SbootDumpPasswords parser does not seem to be there, as I don't see it running in the trace window
Avatar
Avatar
OregonDFIR
Is anyone familiar with the behavior of YouTube on an Android phone? Will it download .exo files in the background if you are not actively watching a video? Any articles on this? Thanks!
JLindmar (83AR) 2/21/2023 2:11 PM
I don't have any whitepapers, etc. to point you toward, but a quick test on my personal device showed .exo files were cached when a video in my feed autoplayed based on its position in the feed and my display.
Avatar
Avatar
wchtdev
I've extracted some encryption keys from a memory dump of a Samsung device. Is there a way to import the raw keys into Cellebrite PA, perhaps by editing the .ufd file? Would it be possible to import the memory image? The SbootDumpPasswords parser does not seem to be there, as I don't see it running in the trace window
If you can obtain an FFS extraction using UFED/Premium you should be able to load it in PA and get Samsung Health decrypted and decoded. The memory dump trick is cool and can sometimes work, but it's not bulletproof; eventually it's brute force that we didn't test since the mentioned blog about it was published back in 2020
Avatar
Avatar
chrisforensic
good morning @Cellebrite ... concerning the new update PA 8.3.... FYI
1) Location of Interests: after getting the addresses online, when you close and reopen the "location of interests" the addresses are empty?
2) No detailed information for Location of Interests, just "Unknown"... have locations from WhatsApp and Snapchat here
3) Location of Interests: after getting the addresses online, the locations are NOT visible on the right pane?
4) In a WhatsApp chat (where locations are inside), locations are NOT visible in the overview (edited)
CLB_4n6s_mc 2/22/2023 12:26 AM
@chrisforensic after discussing with the team all will be fixed in PA Ultra 8.4 (edited)
Avatar
Does anyone have any experience with merging calls on iOS, and where I might find a trace of this within a full file system etc.? Initial searches haven't brought anything more than call logs to light, no apparent reference to a call on hold or calls merged. Thanks
Avatar
Avatar
wchtdev
I've extracted some encryption keys from a memory dump of a Samsung device. Is there a way to import the raw keys into Cellebrite PA, perhaps by editing the .ufd file? Would it be possible to import the memory image? The SbootDumpPasswords parser does not seem to be there, as I don't see it running in the trace window
If you can identify the correct key, maybe you could create your own secrets.json file and add it to the extraction; you'll possibly need to edit the .ufd file for it to find the secrets file
Avatar
Avatar
CLB_4n6s_mc
@chrisforensic after discussing with the team all will be fixed in PA Ultra 8.4 (edited)
chrisforensic 2/22/2023 6:39 AM
thank you for your efforts 👍
Avatar
Avatar
CLB-ChenK
If you can obtain an FFS extraction using UFED/Premium you should be able to load it in PA and get Samsung Health decrypted and decoded. The memory dump trick is cool and can sometimes work, but it's not bulletproof; eventually it's brute force that we didn't test since the mentioned blog about it was published back in 2020
I have a decrypted file system taken with UFED. In the trace window it reports: could not find key for SecureHealthdata.db. I do have the key, and can confirm it works using DB Browser.
📪 1
Avatar
Hello! I am taking a deep dive on a timestamp from an artifact recovered in this extraction. Can you please assist with interpretation and tell me what you think? The extraction is a .zip GrayKey full file system from an Apple iPhone 12 Pro Max running iOS 15.0.2. I've used both PA and Axiom to review. There is an image taken very obviously in the daytime hours because it's light outside. The image appears to have been taken with Snapchat. I emailed Magnet support for info on this, as there are 4 other images that are exactly the same, but the other images have a timestamp in the middle of the night and different source locations. What I've surmised thus far is that the original image was taken with Snapchat in the daytime, then I suspect the user saved it to the camera roll in the middle of the night (because what else is there to do?), after which iOS made a thumbnail and other copies. My question is this: what mechanism (database?) in the device would show the user saving the image to their camera roll, which would change the timestamp to the middle of the night? Can you please lead me in the right direction for further analysis. Thank you. You're welcome to pause and play the video at your leisure.
Avatar
Avatar
freshman
Hello! I am taking a deep dive on a timestamp from an artifact recovered in this extraction. Can you please assist with interpretation and tell me what you think? The extraction is a .zip GrayKey full file system from an Apple iPhone 12 Pro Max running iOS 15.0.2. I've used both PA and Axiom to review. There is an image taken very obviously in the daytime hours because it's light outside. The image appears to have been taken with Snapchat. I emailed Magnet support for info on this, as there are 4 other images that are exactly the same, but the other images have a timestamp in the middle of the night and different source locations. What I've surmised thus far is that the original image was taken with Snapchat in the daytime, then I suspect the user saved it to the camera roll in the middle of the night (because what else is there to do?), after which iOS made a thumbnail and other copies. My question is this: what mechanism (database?) in the device would show the user saving the image to their camera roll, which would change the timestamp to the middle of the night? Can you please lead me in the right direction for further analysis. Thank you. You're welcome to pause and play the video at your leisure.
Check photos.sqlite
7:48 AM
Look under ZADDITIONALASSETATTRIBUTE table maybe find original filename, and will have the device and application which took the image
Try this: Go to photos.sqlite and check ZADDITIONALASSETATTRIBUTE table. Search ZORIGINALFILENAME column for the filename of the video. It should have a column for ZIMPORTEDBY. If there is a 3 there it means taken using a 3rd party app. Also check the column ZEXIFTIMESTAMPSTRING. Then record the value in Z_PK. Go to Table ZGENERICASSET and find the entry with the same Z_PK value. See if you see a different name under ZFILENAME and compare the ZDATECREATED value.
awesome - thanks!!
freshman
Hello! I am taking a deep dive on a timestamp from an artifact recovered in this extraction. Can you please assist with interpretation and tell me what you think? The Extraction is a .zip GreyKey full file system, from an Apple iPhone 12 Pro Max running iOS 15.0.2. I've used both PA and Axiom to review. There is an image taken very obviously in the date time hours because it's light outside. Image appears to have been taken with Snapchat. I emailed Magnet support for info on this, as there are 4 other images that are exactly the same, but the other images have a timestamp in the middle of the night and different source locations. What I've surmised thus far is that the original image was taken with Snapchat in the daytime, then I suspect the user saved it to the camera roll in the middle of the night (because what else is there to do?) - after which iOS made a thumbnail and other copies. My question is this - what mechanism (database?) in the device would show user saving the image to their camera roll? which would change the timestamp to the middle of the night? Can you please lead me in the right direction for further analysis. Thank you. You're welcome to pause and play video at your leisure.
ScottKjr3347 2/22/2023 8:13 AM
You can use this that might make it easier to analyze. https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries/blob/main/iOS15/iOS15_LPL_Phsql_IntResou-iCldPhotos.txt Sorry, that was to the raw code; try that one. (edited)
Oscar
If you can identify the correct key maybe you could create your own secrets.json file and add it to the extraction, you'll possibly need to edit the .ufd file for it to find the secrets file
That's a good idea. I'm going to look into how to add that for this app.
freshman
Hello! I am taking a deep dive on a timestamp from an artifact recovered in this extraction. Can you please assist with interpretation and tell me what you think? The Extraction is a .zip GreyKey full file system, from an Apple iPhone 12 Pro Max running iOS 15.0.2. I've used both PA and Axiom to review. There is an image taken very obviously in the date time hours because it's light outside. Image appears to have been taken with Snapchat. I emailed Magnet support for info on this, as there are 4 other images that are exactly the same, but the other images have a timestamp in the middle of the night and different source locations. What I've surmised thus far is that the original image was taken with Snapchat in the daytime, then I suspect the user saved it to the camera roll in the middle of the night (because what else is there to do?) - after which iOS made a thumbnail and other copies. My question is this - what mechanism (database?) in the device would show user saving the image to their camera roll? which would change the timestamp to the middle of the night? Can you please lead me in the right direction for further analysis. Thank you. You're welcome to pause and play video at your leisure.
Just to make sure one thing, are you accounting for UTC vs. your timezone?
8:25 AM
With Axiom I forget to adjust that all the time
Yes, I'm one of the lucky few whose TZ doesn't change. 'Tis a luxury. 😉 But I double check.... all the time.... anyway. (get it?... all the "time"..... I'm hilarious)
ScottKjr3347
You can use this that might make it easier to analyze. https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries/blob/main/iOS15/iOS15_LPL_Phsql_IntResou-iCldPhotos.txt Sorry, that was to the raw code; try that one. (edited)
That link didn't work. Have another one?
freshman
That link didn't work. Have another one?
ScottKjr3347 2/22/2023 8:50 AM
Try that one
ScottKjr3347
Try that one
Bingo. Thanks. Like magic.
Thanks @wchtdev and @ScottKjr3347. I was able to find that the image was imported to Photos.sqlite and the ZAsset-Add Date is the same as the middle-of-the-night timestamp. Can you tell me what 3-Local_Asset_No_EXIF-3 means, from the ZAddAssetAttr-Date Created Source column? 3 - I think indicates third party app, Local Asset - indicates that it is a local file, rather than cloud, and No EXIF-3 means EXIF data was stripped from the third-party app?? Sound right?
thatboy_leo 2/22/2023 10:54 AM
@Cellebrite any timeline for PA Ultra to support multiple devices per case?
freshman
Thanks @wchtdev and @ScottKjr3347. I was able to find that the image was imported to Photos.sqlite and the ZAsset-Add Date is the same as the middle-of-the-night timestamp. Can you tell me what 3-Local_Asset_No_EXIF-3 means, from the ZAddAssetAttr-Date Created Source column? 3 - I think indicates third party app, Local Asset - indicates that it is a local file, rather than cloud, and No EXIF-3 means EXIF data was stripped from the third-party app?? Sound right?
Correct. So it sounds like a download, not an upload. Like if the user uploaded the video to Instagram (that's my frame of reference, never checked this with Snapchat), what you'd get is a ZORIGINALFILENAME in table ZADDITIONALASSETATTRIBUTES with that long hash type filename and a 3 in ZIMPORTEDBY. It would have a Z_PK value of whatever (like say 1249). Then you can go over to the ZGENERICASSET table and look for that Z_PK value, and in ZFILENAME you'd have like IMG_0561.MOV or something. That would show me the video was taken with the device you're examining, and it was uploaded to Instagram. With what you're looking at, it looks more like it was taken with another device and downloaded.
freshman
Thanks @wchtdev and @ScottKjr3347 I was able to find that the image was imported to Photos.sqlite and the the ZAsset-Add Date is the same as the middle-of-the-night timestamp. Can you tell me what 3-Local_Asset_No_EXIF-3 means? from the ZAddAssetAttr-Date Created Source column? 3 - i think indicates third party app, Local Asset - indicates that it is a local file, rather than cloud, and No EXIF-3 means Exif data was stripped from the third-party app?? Sound right?
ScottKjr3347 2/22/2023 1:33 PM
No-EXIF-3 is related to the date created source, meaning that the asset doesn't have EXIF data. That's how I've decoded the original values "3" for that column so far. Asset = video or photo. If you are asking questions about other columns and the data, you will have to let me know the column name. Most of this is listed in the blogs https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ If iCloud Photos is being used, most if not all of the assets are probably in the cloud. You would have to analyze ZINTERNALRESOURCE table data to determine what assets are being stored on the device vs. which ones have been optimized for iCloud storage. All depends on device settings. If you would like some specific information or help, feel free to DM.
ScottKjr3347
No-EXIF-3 is related to the date created source, meaning that the asset doesn't have EXIF data. That's how I've decoded the original values "3" for that column so far. Asset = video or photo. If you are asking questions about other columns and the data, you will have to let me know the column name. Most of this is listed in the blogs https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ If iCloud Photos is being used, most if not all of the assets are probably in the cloud. You would have to analyze ZINTERNALRESOURCE table data to determine what assets are being stored on the device vs. which ones have been optimized for iCloud storage. All depends on device settings. If you would like some specific information or help, feel free to DM.
Thank you so much for your help so far. This is an incredible resource and I’ve only just found you people! It will take me some time to sift through the info. I will DM you if I can’t find the answer in the documentation.
Hi, does someone have a hint to get encrypted Apple Notes? I have one in clear text and one encrypted. I have the keychain, but PA or Oxygen seem to fail to automatically decrypt the encrypted note. (edited)
Hello, is it possible to find out if an app was started up at a specific time? Inside a log file or something provided by a UFED extraction?
Nutelap
Hi, does someone have a hint to get encrypted Apple Notes? I have one in clear text and one encrypted. I have the keychain, but PA or Oxygen seem to fail to automatically decrypt the encrypted note. (edited)
https://github.com/openwall/john/blob/bleeding-jumbo/run/applenotes2john.py then bruteforce the hash in hashcat with mode 16200
4n6_5w3
https://github.com/openwall/john/blob/bleeding-jumbo/run/applenotes2john.py then bruteforce the hash in hashcat with mode 16200
Thanks, I'll try it!
Deleted User 2/23/2023 4:12 AM
I have a calllog.db from a Huawei device which was acquired by using the HiSuite software which of course is encrypted with the password I set. Anybody have any insights on how I can decrypt the .db file to open in sqlitebrowser? Thank you.
Hi; I have a full file-system extraction of an Android Samsung S21; I have an app that is based on the Matrix messenger. The databases are encrypted and my PA can't read them. One database is located as matrix-sdk-auth.realm and matrix.sdk-global.realm. I found the file "im.vector.matrix.android.keys.xml"; there are some strings like "REALM_ENCRYPTED_KEY_matrix-sdk-auth : string = AAwxnKGB1hXhlPwE5pKJ5nbI7j402+2bU3DruzaY2/uipByvOr8VLv6RHfgNBcd4if2c74pomi/K 7R4FIGBcjf5Wdz/yDSgA7MrqmqExp1DBtji1vO2izI3MzXtDndsacojsnwK9hdoIbPnLXeFDQ/9w NU00OA" ... Can anybody give me a hint to decode the Realm database with these entries? THX
Morph
Hi; I have a full file-system extraction of an Android Samsung S21; I have an app that is based on the Matrix messenger. The databases are encrypted and my PA can't read them. One database is located as matrix-sdk-auth.realm and matrix.sdk-global.realm. I found the file "im.vector.matrix.android.keys.xml"; there are some strings like "REALM_ENCRYPTED_KEY_matrix-sdk-auth : string = AAwxnKGB1hXhlPwE5pKJ5nbI7j402+2bU3DruzaY2/uipByvOr8VLv6RHfgNBcd4if2c74pomi/K 7R4FIGBcjf5Wdz/yDSgA7MrqmqExp1DBtji1vO2izI3MzXtDndsacojsnwK9hdoIbPnLXeFDQ/9w NU00OA" ... Can anybody give me a hint to decode the Realm database with these entries? THX
JLindmar (83AR) 2/23/2023 6:58 AM
Did you try opening the database with Realm Studio (https://www.mongodb.com/docs/realm/studio/) to confirm that the data you seek is encrypted?
I have a drawer full of some "donor" devices that I received through my department's destruct board process. Typically I use them to harvest screens, batteries, ports as needed for other investigations. I have a few that I would love to convert to test devices, however I would need to bypass or remove FRP. Are there reliable or accepted tools out there that could accomplish this? I know that the process runs counter to most of our efforts in this forum but I figure someone has run across the problem in the past.
9:08 AM
I have enough test iPhones, looking at android devices currently.
JLindmar (83AR)
I don't have any whitepapers, etc. to point you toward, but a quick test on my personal device showed .exo files were cached when a video in my feed autoplayed based on its position in the feed and my display.
Thanks! so was YouTube up on your screen? I'm not sure what you mean by position in the feed and my display.
My reading of that suggests when you scroll and pause in the feed and the video starts silently playing to give you a "preview" of the content. I could certainly be wrong though.
Does anyone know what causes events to be logged in KnowledgeC? Specifically, I am interested in KnowledgeC Application Activities. (edited)
OregonDFIR
Thanks! so was YouTube up on your screen? I'm not sure what you mean by position in the feed and my display.
JLindmar (83AR) 2/23/2023 9:46 AM
Yes, YouTube was active (foreground) on my phone. As @whee30 stated, as I scroll through my feed on the "Home" screen of the app, when a video in my feed reaches a certain position on my display, the video "preview" will autoplay, which appears to cause the creation of .exo file(s) in /storage/emulated/0/Android/data/com.google.android.youtube/cache/exo/[#] folders on my unrooted, Android 10 device with YouTube 18.06.35. (edited)
FullTang
Does anyone know what causes events to be logged in KnowledgeC? Specifically, I am interested in KnowledgeC Application Activities. (edited)
Is there a general setting on the phone that needs to be activated to allow for the logging of events or is it a per-app permission situation?
@JLindmar (83AR) Thank you; I will try to download and open it in the Studio.
Hi! does iOS log somewhere when a SIM card is removed from the iPhone?
@JLindmar (83AR) Good morning, no, Realm Studio can't open the file; I get this message: posix_fallocate() failed: Eingabe-/Ausgabefehler
Hans Leißner 2/24/2023 4:04 AM
Hello ALEAPP experts 😄 does anyone know if you can get something useful from these records? I am interested in being able to verify when WhatsApp (the entire application) was deleted. Thanks in advance.
4:09 AM
From usageStats_0 I got some info. Last entry was 2023-02-21, 08.42.37 (source \data\system_ce\0\usagestats) (edited)
Morph
@JLindmar (83AR) Good morning, no, Realm Studio can't open the file; I get this message: posix_fallocate() failed: Eingabe-/Ausgabefehler
JLindmar (83AR) 2/24/2023 5:45 AM
Ok, sorry, I'm not sure offhand what could cause that error. My first thoughts are that the database structure isn't compatible with Realm Studio and/or it has no mechanism to handle the encryption that you suspect is being used.
collusion11 2/24/2023 11:02 AM
Is there any way to confirm when a chat has been deleted in WhatsApp? FFS iPhone 12 / iOS 15.6, WA Messenger v2.22.14.74
@whee30, for a Samsung device, I have had success with the WIFI/SIM trick to bypass FRP.
whee30
I have a drawer full of some "donor" devices that I received through my department's destruct board process. Typically I use them to harvest screens, batteries, ports as needed for other investigations. I have a few that I would love to convert to test devices, however I would need to bypass or remove FRP. Are there reliable or accepted tools out there that could accomplish this? I know that the process runs counter to most of our efforts in this forum but I figure someone has run across the problem in the past.
octoplus frp tool is quite universal and cheap, a lot can be done for free if you spend some time on youtube 😉
Hi all. We have the files TrackDB.sqlite and wrapped_key_001_001 from a Bosch AIVIP32R0 part no: 7 513 751 645 infotainment system. The TrackDB.sqlite file is encrypted and we suspect that the wrapped_key_001_001 could somehow be used to unlock it. Does anyone have any experience with this? (edited)
On WhatsApp, in the "calls" section, by selecting a contact with whom a call was made, in addition to indicating the time, a value in KB is displayed. Does it mean that the call content is saved locally on the device? If yes, where? Can forensic software decode the content?
@Pehr normally you have the solution in unified logs but it's not easy to find the line...
rico
@Pehr normally you have the solution in unified logs but it's not easy to find the line...
Thanks rico
Hi folks. Does anyone know the significance of a PDF being recovered from the Adobe Reader flattening temporary file path? This was the location of a PDF recovered from a Samsung running Android. Unfortunately I don’t have any version details to hand. Can anyone please help? (edited)
dabeersboys 2/26/2023 3:54 PM
Trying to play around with iLEAPP, and I'm running into the following issues. Anyone else experience this? I can't get ileappGUI.py to run. Win 10 Machine- Python 3.11
dabeersboys
Trying to play around with iLEAPP, and I'm running into the following issues. Anyone else experience this? I can't get ileappGUI.py to run. Win 10 Machine- Python 3.11
You have to install the required libraries before usage. You can install using pip install -r requirements.txt
dabeersboys 2/26/2023 5:06 PM
yep. I did it. No luck.
5:06 PM
Maybe I'll try a fresh install.
stark4n6
You have to install the required libraries before usage. You can install using pip install -r requirements.txt
dabeersboys 2/26/2023 5:09 PM
did it fresh, and same issue.
@dabeersboys what Python version are you on?
dabeersboys 2/26/2023 6:59 PM
3.11
dabeersboys
Trying to play around with iLEAPP, and I'm running into the following issues. Anyone else experience this? I can't get ileappGUI.py to run. Win 10 Machine- Python 3.11
What about the last release version?
Hi Everyone! Glad to be part of this group. One of my friends advised me to join this. Thanks to him :). Just to let all know that I have read all the instructions. Why am I here? I am studying digital forensics and incident response. It's really exciting and I am enjoying it so far.
Hi all, I have discovered some relevant files at the file path "/mnt/pass_through/0/emulated/0/Telegram/..." on a Samsung Galaxy S21 Ultra running Android 11. I assume this is something to do with emulated storage to make up for the loss of SD card support in later models, but I want to be sure. Can anyone point me in the direction of a good resource about this? Google is being fairly unhelpful
chms17
Hi all, I have discovered some relevant files at the file path "/mnt/pass_through/0/emulated/0/Telegram/..." on a Samsung Galaxy S21 Ultra running Android 11. I assume this is something to do with emulated storage to make up for the loss of SD card support in later models, but I want to be sure. Can anyone point me in the direction of a good resource about this? Google is being fairly unhelpful
This is the path you'll see from the File Browser in the "Telegram" folder. From Android 11 the data/data has become more restricted to the user but still present so to the user they'll see the pass_through file path in info on files. (edited)
.karate.
@chms17 can't be more official than this: https://source.android.com/docs/core/storage/fuse-passthrough
I saw this but found it a bit confusing. I need the idiot's guide 😂
Rob
This is the path you'll see from the File Browser in the "Telegram" folder. From Android 11 the data/data has become more restricted to the user but still present so to the user they'll see the pass_through file path in info on files. (edited)
So it's just saving bits in a different partition because data/data is more locked down?
Samsung A71, full file system extraction (Smartflow Universal Live). When parsing with PA, I get the indication that the key was not found for Samsung Rubin. Does it mean that there were problems with the acquisition?
chms17
So it's just saving bits in a different partition because data/data is more locked down?
Honestly no clue, but perhaps
chms17
I saw this but found it a bit confusing. I need the idiot's guide 😂
It's the way Android 11+ handles access to the artist formerly known as /sdcard =). You can read all about how it works on the link I gave earlier; check the section about scoped storage. But to make things easy, there are different mountpoints (depending on permission etc.) to access the sdcard. The one you mentioned is the base path for the pass-through process. It's declared in init.rc: https://android.googlesource.com/platform/system/core/+/refs/tags/android-11.0.0_r28/rootdir/init.rc . Small edit: Using FUSE pass_through operations on the sdcard improves performance and reduces latency. It allows the underlying file system to handle file system requests more efficiently. (edited)
dabeersboys
did it fresh, and same issue.
depending on your installation (no Python install expert here), it might not be pulling the libraries properly
stark4n6
depending on your installation (no Python install expert here), it might not be pulling the libraries properly
dabeersboys 2/27/2023 1:23 PM
That's what I'm thinking, but trying to figure out how I can grab them all. I'll let the group know when I get the solution.
dabeersboys
That's what I'm thinking, but trying to figure out how I can grab them all. I'll let the group know when I get the solution.
I typically add Python to path, and then run the pip install from the *LEAPP folder, not sure if that makes a difference
dabeersboys 2/27/2023 2:11 PM
didn't work either.
2:12 PM
I'm also going to try to modify some of the scripts to work with Magnet ACQUIRE acquisitions. but we'll see if I get around to that.
dabeersboys
Maybe I'll try a fresh install.
I had to install the Visual Studio Build Tools 2022 in order for the one requirement to compile and setup properly. After you install that rerun the pip command for the requirements.txt.
dabeersboys
Trying to play around with iLEAPP, and I'm running into the following issues. Anyone else experience this? I can't get ileappGUI.py to run. Win 10 Machine- Python 3.11
Try using a Python venv (maybe you have some incompatible modules already installed in the system installation) and don't use OneDrive folders to run scripts.
Flavius
Try using a Python venv (maybe you have some incompatible modules already installed in the system installation) and don't use OneDrive folders to run scripts.
That happened to me before. Didn't use venv and had lots of libraries mixed up.. @dabeersboys You could make a habit of using PyCharm or something for all your scripts. (edited)
florus
That happened to me before. Didn't use venv and had lots of libraries mixed up.. @dabeersboys You could make a habit of using PyCharm or something for all your scripts. (edited)
Maybe PyCharm is overkill for this kind of use if you are not going to program. I use VS Code, but yes, for the novice, PyCharm's virtual environment management is more immediate.
Hello people! What would the recommended attack be on a Huawei DUA-L22 with Mediatek MT6739 chip with unknown passcode? As I can see, it is fairly easy to unlock the bootloader. Then I can flash TWRP and bruteforce it somehow? Or is it a good idea to try to bruteforce with this https://github.com/urbanadventurer/Android-PIN-Bruteforce . Thanks for any feedback
Anyone fancy taking a stab at a question about Apple DCIM? I thought I had seen most things on Apple devices in terms of DCIM... haha
3X3
Anyone fancy taking a stab at a question about Apple DCIM? I thought I had seen most things on Apple devices in terms of DCIM... haha
JLindmar (83AR) 2/28/2023 6:13 AM
I'm curious, but @ScottKjr3347 may be the best person to ask as he has a wealth of knowledge on Apple media artifacts.
3X3
Anyone fancy taking a stab at a question about Apple DCIM? I thought I had seen most things on Apple devices in terms of DCIM... haha
iOS Photos.sqlite queries that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to...
Hello again, I am having a hard time with two S10E G970F Exynos CPU. Both came in with new SPL and logo stuck (second logo stuck where it only shows ''Samsung''). UFED and Oxy not supported with this SPL. Tried ''restore partitions'' option in Oxy. Tried to clear cache and flash new firmware with Home_CSC and also tried to swap CPU, RAM and UFS to a new tested working board, still same on both. I don't have access to premium tools. Does anyone have any idea what to try?
Premium tools wouldn't help since they need a phone to fully boot to Android. Since you already did a swap, did you also test if UFS chip is ok in external reader?
Arcain
Premium tools wouldn't help since they need a phone to fully boot to Android. Since you already did a swap, did you also test if UFS chip is ok in external reader?
Yes, even read the whole userdata and tried in Oxy maybe it decrypts, but it did no
7:12 AM
It did not*
7:16 AM
I am thinking to clone the UFS to the known working one (transfer everything to new UFS), but I am not sure if this even makes sense to try this
dabeersboys
Trying to play around with iLEAPP, and I'm running into the following issues. Anyone else experience this? I can't get ileappGUI.py to run. Win 10 Machine- Python 3.11
Did you ever get this to work?
Axen Cleaver 2/28/2023 10:41 AM
Anyone know why @Magnet Forensics and @Cellebrite decode the Google Chat application, but don't parse the chats? Ran SQLite Wizard and pulled them manually, but I was curious if this was just how it is, or if I messed something up on my end. Device is a Samsung SM-G975U1, Android 12, SPL 10/01/2022
I think it’s a decoding gap. @CLB_joshhickman1 has a query for you.
.karate.
It's the way Android 11+ handles access to the artist formerly known as /sdcard =). You can read all about how it works on the link I gave earlier; check the section about scoped storage. But to make things easy, there are different mountpoints (depending on permission etc.) to access the sdcard. The one you mentioned is the base path for the pass-through process. It's declared in init.rc: https://android.googlesource.com/platform/system/core/+/refs/tags/android-11.0.0_r28/rootdir/init.rc . Small edit: Using FUSE pass_through operations on the sdcard improves performance and reduces latency. It allows the underlying file system to handle file system requests more efficiently. (edited)
Thank you! I think it's confirming what I thought but I wanted to put it in layman's terms in an SFR 😊
dabeersboys 2/28/2023 4:59 PM
Thanks all for the suggestions! I'm going to play with a few things.
Hey @Cellebrite anyone available for a quick dm? Thanks
Anyone to enlighten me regarding the ZRTVEHICLEEVENTMO in "local-sqlite" iOS? 🙂 Only have one entry. Would that mean that the phone has arrived by car and then parked there? @CLB_iwhiffin (read through your blog) or @CLB_4n6s_mc ?
j_matas
Anyone to enlighten me regarding the ZRTVEHICLEEVENTMO in "local-sqlite" iOS? 🙂 Only have one entry. Would that mean that the phone has arrived by car and then parked there? @CLB_iwhiffin (read through your blog) or @CLB_4n6s_mc ?
CLB_4n6s_mc 3/1/2023 2:02 AM
Hi @j_matas, where does the extraction come from (which version of iOS)? Is it iOS 16 or before? Thanks a lot.
Quick question: When a Google search has no registered timestamp, is it because the user has deleted Safari history? Or can it be for any other reasons? I am working with a FFS iPhone 6s, iOS 15.7 in PA @Cellebrite , Thanks (edited)
Does anyone here have experience with cracking "Private notepad - safe notes" or "McAfee true key"? We have a case where the contents could lead to opening an encrypted container containing CSAM.
House Whiskey 3/1/2023 5:24 AM
Hey guys, is there any way to find out the related application from just the apple team ID (e.g. 40E4210C)? The related app seems to have been deleted so there isn't any reference within the extraction. (edited)
dabeersboys
Thanks all for the suggestions! I'm going to play with a few things.
5:26 AM
This was posted yesterday for the same issue.
dabeersboys 3/1/2023 5:27 AM
Thanks!!!!!
Pehr
Quick question: When a Google search has no registered timestamp, is it because the user has deleted Safari history? Or can it be for any other reasons? I am working with a FFS iPhone 6s, iOS 15.7 in PA @Cellebrite , Thanks (edited)
JLindmar (83AR) 3/1/2023 5:31 AM
I would say that it would depend on the source location where PA found the URL. Perhaps there isn't a timestamp that can be associated with the URL, or perhaps there is and PA isn't yet programmed to locate/associate it.
JLindmar (83AR)
I would say that it would depend on the source location where PA found the URL. Perhaps there isn't a timestamp that can be associated with the URL, or perhaps there is and PA isn't yet programmed to locate/associate it.
The data is from favicons.sqlite
Pehr
The data is from favicons.sqlite
JLindmar (83AR) 3/1/2023 5:39 AM
From an existing record in an existing table, or was it found elsewhere in the database?
JLindmar (83AR)
From an existing record in an existing table, or was it found elsewhere in the database?
Existing record, but in History.db from Safari the oldest record is 2022-11-10, compared to the timestamps I find in favicons.db around 2022-10-01. Is there some indicator or log I can see that the Safari history has been deleted? (edited)
Pehr
Existing record, but in History.db from Safari the oldest record is 2022-11-10, compared to the timestamps I find in favicons.db around 2022-10-01. Is there some indicator or log I can see that the Safari history has been deleted? (edited)
JLindmar (83AR) 3/1/2023 6:57 AM
Offhand I'm not aware of a log that would indicate that the history was cleared (doesn't mean one doesn't exist somewhere!), but you could look for gaps in the record ID's. The other consideration is if the user was using Private Browsing Mode (https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/16.0/ios/16.0).
JLindmar (83AR)
Offhand I'm not aware of a log that would indicate that the history was cleared (doesn't mean one doesn't exist somewhere!), but you could look for gaps in the record ID's. The other consideration is if the user was using Private Browsing Mode (https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/16.0/ios/16.0).
And History.db contains one month of URLs if I'm correct? Can you share the URL of interest in DM? There might be a timestamp embedded in the URL. (edited)
MrMacca (Allan Mc) 3/1/2023 8:41 AM
@magnet full file system extraction of an android device. Manually browsing I stumbled on 2 enc files that were stored in a WhatsApp documents folder. When exported, the enc files extensions could be renamed to zip. And then I can gain access to the contents which were 2x excel documents in 1 of the enc. In the 2nd ENC file, a winzip password had been set. However, the contents of these zips were not present within the results, and also axiom did not flag up 1 of the files as encrypted. A theory we have had is that the WhatsApp key had been deleted, and therefore axiom doesn't attempt to look at the files.
Axen Cleaver 3/1/2023 9:46 AM
Anyone had to parse out Replika? Samsung SM-G975U1, Android 12, SPL 10/01/2022
Axen Cleaver 3/1/2023 11:42 AM
What I've found about Replika today, for those interested. Prior to February 2023, the user could pay the annual subscription fee to unlock the Erotic Role Play (ERP) feature as part of the subscription package, including sexting and fantasy roleplay. News article for reference: https://www.abc.net.au/news/science/2023-03-01/replika-users-fell-in-love-with-their-ai-chatbot-companion/102028196 The forensically important part is Replika logs a lot of information on the user, including the chats the user participates in with the AI. In the case I'm currently working, the AI would actively participate in very violent sexual assault roleplay. It can cry on command when the user establishes causing pain and tears is a turn-on. This ERP feature has been disabled as of Feb 3, 2023, according to the above article, but the chat history remains and could be good to grab if you have a Full File System extraction or better. The databases on the Android device I'm working on are really easy to read, very straight-forward. REPLIKA_DB is where the goods are. I'm a SQLite amateur on a good day, and even I could figure it out.
11:42 AM
bot_profile table gives you the basic info about the bot (name, gender, mood, etc) user_profile gives you the user's name, DOB, email and last update chat_message is the big one. The "nature" column is who's posting the message (user is Customer, the AI is Robot). The available reactions to the user are under the "reactions" column for the Robot rows, and what reaction the user selects is in the "action" column. (ex, Robot sends the message "I like daisies", the action column will show the Customer's "Meaningless" reaction in the same row as the Robot's message) This could indicate what the user is looking for in the interaction. "timestamp_ms" column is the easier one to convert in SQLite queries. Replika can send images in the chat, most of which appear to be memes from the company's Amazon AWS cloud server. It apparently can (or could) send images of the AI Avatar, but I haven't figured out how to view them yet. memory_unstructured_fact table appears to be select parts of conversations the AI stores to regurgitate in later conversations, but this is unconfirmed without testing.
11:43 AM
Final bit of fun, Cellebrite parses out additional AI profiles in the User Accounts from the easysignin table of samsungpass.db, so you can see the name, gender, and personality profile of other Replika bots the user created in the past. Hope this helps!
💯 4
👍 2
Avatar
Avatar
JLindmar (83AR)
Yes, YouTube was active (foreground) on my phone. As @whee30 stated, as I scroll through my feed on the "Home" screen of the app, when a video in my feed reaches a certain position on my display, the video "preview" will autoplay, which appears to cause the creation of .exo file(s) in /storage/emulated/0/Android/data/com.google.android.youtube/cache/exo/[#] folders on my unrooted, Android 10 device with YouTube 18.06.35. (edited)
OregonDFIR 3/1/2023 3:16 PM
Thanks for the info that helps. I was curious if the YouTube continues to download those .exo files in the background if you switch to a different app, or if you just put the phone to sleep.
Avatar
Hi, I have an Android 11 FFS extraction from a Galaxy S21+ that contains the Yahoo Mail app v. 6.12.1 (localized in Romanian language). I parsed the extraction using the latest version of Physical Analyzer (7.60.1.9) but the mails from Yahoo are not parsed at all. None of them. The attachments are parsed though (in media, documents or other categories). Manually browsing the flux_database.db I can see a lot of data (more than 5000 records in MessagesBody table). There is no error in the trace window regarding Yahoo Mail app. @Cellebrite are you aware of this issue? Is there something I can do to parse those emails? Maybe an older version of PA?
📬 1
Avatar
chrisforensic 3/2/2023 5:15 AM
Heyho @Oxygen Forensics, did I ever tell you that I like the way you show the installed apps in OFD? 👍 💯 oxygen
💯 1
Avatar
Avatar
chrisforensic
Heyho @Oxygen Forensics, did I ever tell you that I like the way you show the installed apps in OFD? 👍 💯 oxygen
Oxygen Forensics 3/2/2023 5:26 AM
Hey, you didn't, but I really appreciate the feedback! 😄
😇 1
Avatar
Hi, does someone know if the flashlight activity could be found somewhere on a Samsung S9? Probably Android 9 or 10.
Avatar
@Magnet Forensics I have a .plist in mobile phone extractions that will not open in Axiom, but if I extract the .plist I can open it with other tools that can open .plists. I can open the same .plist on the evidence phone but not on the test phone. Any thoughts?
Avatar
Avatar
FullTang
@Magnet Forensics I have a .plist in mobile phone extractions that will not open in Axiom, but if I extract the .plist I can open it with other tools that can open .plists. I can open the same .plist on the evidence phone but not on the test phone. Any thoughts?
cScottVance 3/2/2023 7:20 AM
There are times the plist spec isn’t always followed by all tools (even by apple) and we have to modify our viewer. If you can share the file I’ll have our devs take a look to update the viewer as we are doing some work on it currently.
Avatar
Avatar
cScottVance
There are times the plist spec isn’t always followed by all tools (even by apple) and we have to modify our viewer. If you can share the file I’ll have our devs take a look to update the viewer as we are doing some work on it currently.
I can do that, how do I share it?
Avatar
cScottVance 3/2/2023 7:24 AM
Just send it over to christopher.vance@magnetforensics.com and I’ll get it logged. If you can include the path it came from and OS version that would be helpful too!
Avatar
Avatar
cScottVance
Just send it over to christopher.vance@magnetforensics.com and I’ll get it logged. If you can include the path it came from and OS version that would be helpful too!
Will do!
Avatar
Avatar
Cip
Hi, I have an Android 11 FFS extraction from a Galaxy S21+ that contains the Yahoo Mail app v. 6.12.1 (localized in Romanian language). I parsed the extraction using the latest version of Physical Analyzer (7.60.1.9) but the mails from Yahoo are not parsed at all. None of them. The attachments are parsed though (in media, documents or other categories). Manually browsing the flux_database.db I can see a lot of data (more than 5000 records in MessagesBody table). There is no error in the trace window regarding Yahoo Mail app. @Cellebrite are you aware of this issue? Is there something I can do to parse those emails? Maybe an older version of PA?
I found PA to not be good at parsing Yahoo e-mails last time I tried. I could see the e-mails in the DB, but they were embedded in HTML so not so easy to read through. I used Axiom in the end and that parsed them nicely.
Avatar
Avatar
Vixsta
I found PA to not be good at parsing Yahoo e-mails last time I tried. I could see the e-mails in the DB, but they were embedded in HTML so not so easy to read through. I used Axiom in the end and that parsed them nicely.
Yes, the mails are hard to read from the database file. Not to mention the attachments. I also parsed them with Axiom, but I wished they were also parsed by PA.
Avatar
Hello all, I've decoded some iOS WhatsApp data with PA and some of the deleted messages are being tagged as "Scrambled". I'm fairly new to this status and was wondering if this is a fair explanation for these messages: "Messages marked as Scrambled are messages previously stored on the device which have been deleted. These deleted messages are recovered by the forensic tool, but the order in which the sentence was constructed is unknown and, as a result, the words in the sentences come back rearranged." Also, are the timestamps related to these messages legit, or are they also "Scrambled"? Many thanks!
Avatar
Anyone from @Cellebrite ?
Avatar
Avatar
Trye
Hello all, I've decoded some iOS WhatsApp data with PA and some of the deleted messages are being tagged as "Scrambled". I'm fairly new to this status and was wondering if this is a fair explanation for these messages: "Messages marked as Scrambled are messages previously stored on the device which have been deleted. These deleted messages are recovered by the forensic tool, but the order in which the sentence was constructed is unknown and, as a result, the words in the sentences come back rearranged." Also, are the timestamps related to these messages legit, or are they also "Scrambled"? Many thanks!
I am also interested in it. You did the extraction with GrayKey, right? @Trye I think I can remember that this will only happen with GK extractions. I had an FFS extraction from UFED Premium and I had no messages with the marker "scrambled". Both extractions were from the same device. @Cellebrite Can you confirm it? (edited)
Avatar
Avatar
tost
I am also interested in it. You did the extraction with GrayKey, right? @Trye I think I can remember that this will only happen with GK extractions. I had an FFS extraction from UFED Premium and I had no messages with the marker "scrambled". Both extractions were from the same device. @Cellebrite Can you confirm it? (edited)
That's correct, GK was used on an AFU iPhone 12. That's interesting that it potentially only happens on GK extractions and not UFED Prem. I wonder what the messages would have looked like if the extraction had been initially done using UFED Prem 🤔
Avatar
Avatar
Trye
That's correct, GK was used on an AFU iPhone 12. That's interesting that it potentially only happens on GK extractions and not UFED Prem. I wonder what the messages would have looked like if the extraction had been initially done using UFED Prem 🤔
With Premium they would not be available, I think. I am only doing iOS extractions with GK because of this phenomenon. (edited)
Avatar
Avatar
tost
With Premium they would not be available, I think. I am only doing iOS extractions with GK because of this phenomenon. (edited)
ah ok thanks!
Avatar
@tost @Trye this issue pops up a lot. I'm sure it's articulated better somewhere on here if you search but essentially what it comes down to is the scrambled messages are from an indexing table in the sqlite database, not the messages table the normal decoded messages come from. It can give you an idea of what the message said if you manually put together something that makes sense. You also lose out on duplicate words, capital letters, and punctuation I think. If you get a FFS regardless of a method I don't think it should make a difference, I don't have premium but it should be easy enough to identify the source path from a GK extraction and then follow the path in the premium rip (edited)
👍 1
Avatar
Avatar
Solec
@tost @Trye this issue pops up a lot. I'm sure it's articulated better somewhere on here if you search but essentially what it comes down to is the scrambled messages are from an indexing table in the sqlite database, not the messages table the normal decoded messages come from. It can give you an idea of what the message said if you manually put together something that makes sense. You also lose out on duplicate words, capital letters, and punctuation I think. If you get a FFS regardless of a method I don't think it should make a difference, I don't have premium but it should be easy enough to identify the source path from a GK extraction and then follow the path in the premium rip (edited)
CLB_joshhickman1 3/3/2023 10:32 AM
👍 3
Avatar
Thanks for the answer. Can you say why this is not in a parsed Premium FFS extraction and only in a GK extraction, or was it a coincidence? (edited)
Avatar
chrisforensic 3/4/2023 12:00 AM
@tost In my experience, the scrambled messages are also present with an iOS FFS (checkm8), which is made with 4PC or OFD. I have no experience with Premium or GK because I have no access to them.
👍 1
Avatar
Avatar
chrisforensic
@tost In my experience, the scrambled messages are also present with an iOS FFS (checkm8), which is made with 4PC or OFD. I have no experience with Premium or GK because I have no access to them.
Chris is correct. An FFS is an FFS. Both contain the db and it will be in the same spot in the file system. If not parsed in one... that is weird. (edited)
this 1
Avatar
Peacekeeper 3/5/2023 10:36 AM
The data should be available in any FFS extraction, since it's a FULL filesystem extraction. The scrambled messages are from the chatsearch db from WhatsApp, a separate db used to index the contents of a message to make it easier/faster to search on iOS devices. Unfortunately it's not present on an Android device. If a message is deleted in WhatsApp, the deletion doesn't affect the chatsearch db, which is our luck mostly in shorter messages. Some common words, duplicate words, interpunction and capitalization (as mentioned before) are lost in this database, since these are not needed for the fast chatsearch. The DB has been present for a long while now. Firstly we parsed the db on our own; a short time after, PA implemented the parsing of this db as well. The db should be present on any iOS FFS extraction if the device had an active installation of WhatsApp.
👍 1
Avatar
Avatar
Peacekeeper
The data should be available in any FFS extraction, since it's a FULL filesystem extraction. The scrambled messages are from the chatsearch db from WhatsApp, a separate db used to index the contents of a message to make it easier/faster to search on iOS devices. Unfortunately it's not present on an Android device. If a message is deleted in WhatsApp, the deletion doesn't affect the chatsearch db, which is our luck mostly in shorter messages. Some common words, duplicate words, interpunction and capitalization (as mentioned before) are lost in this database, since these are not needed for the fast chatsearch. The DB has been present for a long while now. Firstly we parsed the db on our own; a short time after, PA implemented the parsing of this db as well. The db should be present on any iOS FFS extraction if the device had an active installation of WhatsApp.
@Peacekeeper @florus Sure, it should be. But that's what I saw. Maybe it could have been a bug in my PA installation. (edited)
Avatar
Anyone from @Cellebrite ?
📬 1
Avatar
Avatar
MindBreak
Anyone from @Cellebrite ?
CLB_4n6s_mc 3/6/2023 1:50 AM
Good morning, happy to help
Avatar
Avatar
j_matas
Anyone able to enlighten me regarding ZRTVEHICLEEVENTMO in "local-sqlite" on iOS? 🙂 I only have one entry. Would that mean that the phone arrived by car and was then parked there? @CLB_iwhiffin (read through your blog) or @CLB_4n6s_mc ?
CLB_iwhiffin 3/6/2023 4:50 AM
Hey, sorry for the late reply. Not been on Discord for the last week as I've been too busy. I'm working my way down the list now though... From the testing I did, ZRTVEHICLEEVENTMO records a record of the device's location, with good accuracy, when the device disconnects from the infotainment system in a car. This could be when the engine is shut off or when the door is opened (you may notice some cars still play radio until the door opens). There is a table that has a single record for the most recent event and a table of historic records. This is where the little "Parked Car" icon is sourced from in Apple Maps. Note: It's not always immediate. It usually requires some movement away from the car too, which you can test. If you connect to a car via Bluetooth, open Apple Maps and watch the screen as you turn off the engine, get out and walk away, it will probably take ~20m of movement before the icon appears. Although this changes depending on if you are in a rural or urban setting.
Avatar
Avatar
Pehr
The data is from favicons.sqlite
CLB_iwhiffin 3/6/2023 4:53 AM
I wrote a blog about this source a while back (http://doubleblak.com/blogPosts.php?id=13) Depending on the table within favicons, there isn't always a timestamp in the table. You may be able to pull a time from the URL in some cases though.
👍 3
Avatar
Avatar
tost
Thanks for the answer. Can you say, why that this is not in a parsed Premium FFS extraction and only from a GK extraction or was it a coincidence? (edited)
CLB_joshhickman1 3/6/2023 8:36 AM
As others have mentioned, the database will come out with a FFS regardless of tool. For example, I just ran Premium against an iOS device running 15, and the database was present in the extraction; however, PA did not parse the database b/c it was not populated with any data (the phone had recently been reset). There could be a few reasons as to why the data did not appear in PA, but without access to the extraction itself, it would be hard to theorize as to why the data did not appear as expected. So, three questions: 1. Did you confirm the database was present in the extraction? 2. If it was, was it populated with data? 3. What version(s) of PA was/were used to parse the extraction?
Avatar
usermobiles 3/6/2023 9:34 AM
I have an Oppo Find X5 lite mobile device, where within what database would I find when it had been reset? Many thanks!
Avatar
Avatar
Solec
@tost @Trye this issue pops up a lot. I'm sure it's articulated better somewhere on here if you search but essentially what it comes down to is the scrambled messages are from an indexing table in the sqlite database, not the messages table the normal decoded messages come from. It can give you an idea of what the message said if you manually put together something that makes sense. You also lose out on duplicate words, capital letters, and punctuation I think. If you get a FFS regardless of a method I don't think it should make a difference, I don't have premium but it should be easy enough to identify the source path from a GK extraction and then follow the path in the premium rip (edited)
CLB_iwhiffin 3/6/2023 9:46 AM
100% correct
Avatar
Avatar
usermobiles
I have an Oppo Find X5 lite mobile device, where within what database would I find when it had been reset? Many thanks!
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
Avatar
Borderbingo 3/6/2023 12:20 PM
Peeps anyone knows what is different between PA and logical analyzer if any?
Avatar
Avatar
Borderbingo
Peeps anyone knows what is different between PA and logical analyzer if any?
thatboy_leo 3/6/2023 2:21 PM
I think iOS extraction is not available for logical
2:22 PM
Or to rephrase, the extract tab
Avatar
testermonkey 3/7/2023 2:25 AM
Morning everyone, could anyone point me to an article or advice on what causes the iPhone's Safari app to save web pages in PDF format in this container: \private\var\mobile\Containers\Data\Application\0B8CC322-C371-4B6C-9580-AD7E898D543A\tmp\450DC57D-C4F1-479F-B1D5-2F92209012BC.pdf? Otherwise I'll be playing with a test device for a week trying to find a possible answer.
Avatar
Avatar
CLB_iwhiffin
Hey, sorry for the late reply. Not been on Discord for the last week as I've been too busy. I'm working my way down the list now though... From the testing I did, ZRTVEHICLEEVENTMO records a record of the device's location, with good accuracy, when the device disconnects from the infotainment system in a car. This could be when the engine is shut off or when the door is opened (you may notice some cars still play radio until the door opens). There is a table that has a single record for the most recent event and a table of historic records. This is where the little "Parked Car" icon is sourced from in Apple Maps. Note: It's not always immediate. It usually requires some movement away from the car too, which you can test. If you connect to a car via Bluetooth, open Apple Maps and watch the screen as you turn off the engine, get out and walk away, it will probably take ~20m of movement before the icon appears. Although this changes depending on if you are in a rural or urban setting.
thanks mate 🙂
Avatar
Anyone ever successfully reconstructed media from Gallery Vault apk (v3.19.22)? The files located in a physical extraction (data/Root/media/0/.galleryvault_DoNotDelete_1529745598/files/) are either encrypted or obfuscated. I have the PIN so can do a manual inspection, but would make my day to extract the media 🙂
Avatar
Hi everyone. I have a FFS extraction of a OnePlus 7T Pro with Private Photo Vault - Keepsafe installed. I'm looking for a way to decrypt the password for that specific app. I'm tagging @Aero and @forensicmike @Magnet since I see you have posted about solutions for this previously. But anyone with any input, feel free to chime in 🙂
Avatar
@danielj91 Not looked at it in a while but happy to when I get some time 🙂 also tagging @bang because he is awesome at this stuff too and may have already looked at it (edited)
Salute 1
Avatar
Perfect, tyvm. It is not an urgent matter
Avatar
Hey klyvern, I'm afraid I am unable to share the capability outside of the UK at this time. What version of PPV have you got, out of interest?
Avatar
It is version 11.0.1
Avatar
Hi everybody, do you know why there are no Dalvik plugins for Volatility? I'm starting out in Android forensics with a LiME dump analysis, but can't find any of the plugins mentioned in papers such as Live_Memory_Forensics_on_Android_with_Volatility.
Avatar
Avatar
danielj91
It is version 11.0.1
If I can help, I will let you know via direct message.
👍 1
Avatar
Hi everyone- does anyone here know about how document IDs work in a PDF document? Based on Adobe, the document ID is a unique ID but I have 3 pdf documents created at different dates but with the same document ID😮
Avatar
Avatar
bigben
Anyone ever successfully reconstructed media from Gallery Vault apk (v3.19.22)? The files located in a physical extraction (data/Root/media/0/.galleryvault_DoNotDelete_1529745598/files/) are either encrypted or obfuscated. I have the PIN so can do a manual inspection, but would make my day to extract the media 🙂
https://core.ac.uk/download/pdf/214330118.pdf you might have already seen this, but 5.7 mentions Gallery Vault (albeit an older version) does it not apply to the version you’re working with? I haven’t looked too much into it.
Avatar
Avatar
Fr0stByt3
https://core.ac.uk/download/pdf/214330118.pdf you might have already seen this, but 5.7 mentions Gallery Vault (albeit an older version) does it not apply to the version you’re working with? I haven’t looked too much into it.
Unfortunately the newer versions aren’t the same
Avatar
medapi😎 3/8/2023 9:44 PM
Hi all, is anyone using a new generation GPU card in combination with Physical Analyzer to speed up image recognition? @Cellebrite doesn't really indicate what is supported except for a few old cards. Wondering, before I buy a new generation card, if it will work! What is your experience?
Avatar
Hi, does anyone know how to decode the ***tts.dat files from Google Translate on Android?
12:01 AM
I have a case where the suspect used Google Translate and I cannot find anything in the database, but the tts_cache_files.xml shows some information and it's related to these tts.dat files. (edited)
Avatar
Ok, found it. It's just an MP3. It can be read as an audio file. (edited)
Avatar
Avatar
Fr0stByt3
https://core.ac.uk/download/pdf/214330118.pdf you might have already seen this, but 5.7 mentions Gallery Vault (albeit an older version) does it not apply to the version you’re working with? I haven’t looked too much into it.
Thanks yeah I did see that, unfortunately it's not the same anymore. Not convinced the files are actually encrypted still. I'm running the files through axiom to see if it carves anything.
Avatar
Anyone dealt with images related to the Samsung Honeyboard (Keyboard) application? There's no way of accessing the saved clipboard images is there? Many thanks
Avatar
Hi! I did a signal full backup extraction using UFED's Chat Capture flow. When analyzing the data in PI, I have the contacts, media and chats, but no messages. All chats are empty. Manually browsing through the database I cannot find the messages. Is this a problem of signal's backup, or is it something that I'm doing wrong in UFED/PA? In what table/column should the signal messages be located?
Avatar
Has anyone been able to parse messages from the app "Rocket.Chat" to get them in a readable format? If so, could you please share how exactly or with which tool?
Avatar
Avatar
Cip
Hi! I did a signal full backup extraction using UFED's Chat Capture flow. When analyzing the data in PI, I have the contacts, media and chats, but no messages. All chats are empty. Manually browsing through the database I cannot find the messages. Is this a problem of signal's backup, or is it something that I'm doing wrong in UFED/PA? In what table/column should the signal messages be located?
I had some issues with Signal; sometimes UFED does not decrypt it. You could try to parse it with other software like Oxygen, but if the db is empty I guess it won't work. I could suggest doing a second extraction, but selective on Signal; that worked for me.
3:17 AM
If someone has already decoded some Outlook cache on an Android device, I am looking for help with it. I have attachments and pics in the cache but have not found the body text 🤔 (edited)
Avatar
Avatar
Nutelap
I had some issues with Signal; sometimes UFED does not decrypt it. You could try to parse it with other software like Oxygen, but if the db is empty I guess it won't work. I could suggest doing a second extraction, but selective on Signal; that worked for me.
What do you mean by "selective extraction"? The screen capture flow? For full signal backup there are no options. The screen capturing flow keeps crashing every time at different stages.
Avatar
Avatar
Cip
What do you mean by "selective extraction"? The screen capture flow? For full signal backup there are no options. The screen capturing flow keeps crashing every time at different stages.
My bad, I was thinking you had an FFS. (edited)
Avatar
I have a FFS, but signal's database is encrypted, so no luck from there. I just parsed the backup file in Axiom and it contains no messages. Apparently, the backup file generated by Signal is incomplete.
Avatar
Avatar
Cip
I have a FFS, but signal's database is encrypted, so no luck from there. I just parsed the backup file in Axiom and it contains no messages. Apparently, the backup file generated by Signal is incomplete.
Then I mean, when you run the UFED extraction, try to make a selective apps extraction instead of an FFS. It worked one time in my case.
Avatar
Avatar
Cip
I have a FFS, but signal's database is encrypted, so no luck from there. I just parsed the backup file in Axiom and it contains no messages. Apparently, the backup file generated by Signal is incomplete.
Yuri Gubanov (Belkasoft) 3/9/2023 3:58 AM
Do you have keychain as well? See https://belkasoft.com/signal-decryption-with-belkasoft-x for how to decrypt Signal on iOS
Avatar
Avatar
Yuri Gubanov (Belkasoft)
Do you have keychain as well? See https://belkasoft.com/signal-decryption-with-belkasoft-x for how to decrypt Signal on iOS
No, I don't. It's a Blackberry Key2 device with Android 8
Avatar
Avatar
Nutelap
Then I mean, when you run the UFED extraction, try to make a selective apps extraction instead of an FFS. It worked one time in my case.
I'll try that
Avatar
Avatar
bigben
Thanks yeah I did see that, unfortunately it's not the same anymore. Not convinced the files are actually encrypted still. I'm running the files through axiom to see if it carves anything.
Not encrypted, at least, not the image, but the file is mangled and there is a PNG prepended to the file and the media's metadata is encrypted with DES and appended. Bizarre what some developers get up to
😆 2
Avatar
digitech11 3/9/2023 7:12 AM
Any options for decoding Signal app v 6.12.6? I have an FFS extraction from a Samsung S20 FE/SM-G781U, SPL 10/22. Tried PA 7.60 but it is not parsing, and the release notes say it supports Signal v 6.4. @Cellebrite @magnetforensics
Avatar
Avatar
digitech11
Any options for decoding Signal app v 6.12.6? I have an FFS extraction from a Samsung S20 FE/SM-G781U, SPL 10/22. Tried PA 7.60 but it is not parsing, and the release notes say it supports Signal v 6.4. @Cellebrite @magnetforensics
@digitech11 PA 7.61 will include updates and support for newer Signal versions. Currently tested and verified for Signal v6.11.7. I will make sure the fix applies to v6.12.6 and let you know.
Avatar
Avatar
CLB-Tal
@digitech11 PA 7.61 will include updates and support for newer Signal versions. Currently tested and verified for Signal v6.11.7. I will make sure the fix applies to v6.12.6 and let you know.
digitech11 3/9/2023 7:48 AM
Great. Thank you!
Avatar
digitech11 3/9/2023 7:57 AM
Is there an estimated date of release? Just to get an idea.
Avatar
End of March for the official. 7.61 pre-release in about a week or two. DM if you wish to get a version before the official. (edited)
Avatar
I have an iTunes backup that was created and parsed with Physical Analyzer. Does anyone know if it is possible to identify within the WhatsApp database to see when (date/time) the contact list was added to database?
9:13 AM
I see a column for ZAboutTimeStamp, and the record i am interested in is not populated
Avatar
Hello, I am working on a file where the messages table in the bugle_db database contains messages sent using two different numbers (PHONE_NUMBER) . The values in the SENT_TIMESTAMP for all messages sent using one of the numbers is all ‘0’s, whereas the messages sent using the other number have a proper Unix MS timestamp value assigned. Wondering if anyone can help shed some light on why all the messages sent with one of the phone numbers have SENT_TIMESTAMP value of ‘0’ assigned. Device: Nokia 2.1 OS Version: 8.1.0
Avatar
Hans Leißner 3/9/2023 11:08 PM
Hello everyone! I have a problem with ArtEx (latest version) and wanted to ask if there are problems with the map display or even if I did something wrong. In the options I have activated "draw small maps". Under locations, locations are displayed, but no map view.
11:09 PM
Avatar
Avatar
medapi😎
Hi all, is anyone using a new generation GPU card in combination with Physical Analyzer to speed up image recognition? @Cellebrite doesn't really indicate what is supported except for a few old cards. Wondering, before I buy a new generation card, if it will work! What is your experience?
Interesting question!
Avatar
Avatar
Borderbingo
Peeps anyone knows what is different between PA and logical analyzer if any?
Logical analyzer only accepts logical extractions, no FFS and physical. PA takes everything.
Avatar
Avatar
Hans Leißner
Hello everyone! I have a problem with ArtEx (latest version) and wanted to ask if there are problems with the map display or even if I did something wrong. In the options I have activated "draw small maps". Under locations, locations are displayed, but no map view.
CLB_iwhiffin 3/11/2023 6:37 AM
Oooh. That’s a new one. Let me look into it.
Avatar
Avatar
Hans Leißner
Hello everyone! I have a problem with ArtEx (latest version) and wanted to ask if there are problems with the map display or even if I did something wrong. In the options I have activated "draw small maps". Under locations, locations are displayed, but no map view.
CLB_iwhiffin 3/11/2023 6:39 AM
Also, the “draw small maps” is related to maps drawn in the timeline, not locations tab. I presume you have an internet connection?
Avatar
I'm looking at two different extractions of iPhones that have paired with each other via Bluetooth. When looking at the com.apple.MobileBluetooth.devices.plist I can see both phones in each respective plist, but the paired Bluetooth MAC address that is posted seems to be a mix of the Wi-Fi MAC address and the Bluetooth device address. Can anyone shed some light on this?
Avatar
@Magnet Forensics does Axiom support parsing of the Garmin app on an iPhone paired with a garmin watch?
Avatar
Avatar
Rugila
@Magnet Forensics does Axiom support parsing of the Garmin app on an iPhone paired with a garmin watch?
chriscone_ar 3/13/2023 11:34 AM
Doesn’t look like that is one that’s currently supported. I don’t have one available for testing, but we could possibly create a custom artifact or two.
Avatar
@Cellebrite - I'm examining an iPhone with thousands of .CAF audio files attached to SMS messages within PA 7.60.1.9. Double-clicking the audio file from within an SMS opens the .CAF file in an embedded Windows Media Player, but the file will not play. Instead I have to right click the .CAF file as displayed within the SMS message, select Go To Audio, then click the Play (default program) button on the Audio tab's toolbar in order to play the file within VLC Media Player. Is there a way to streamline this, or have an option to play audio files in the default program when double-clicking them?
Avatar
Is the true location for symbolic link of /emulated/xxx (Android) documented anywhere on a phone and I can verify it with a FFS extraction? (edited)
Avatar
Avatar
chriscone_ar
Doesn’t look like that is one that’s currently supported. I don’t have one available for testing, but we could possibly create a custom artifact or two.
Ok thank you. Once I get a ffs off the iPhone I’ll let you know what I see.
👍🏻 1
Avatar
Hey, I have a case where the SMS.db on iOS 16.2 has some messages without any timestamp. It's very difficult to estimate the date when the message was received or sent. I first thought that the first line in the DB would be the oldest message, but because some messages have a date inside of it I cannot trust this. Is it because they are old messages and so they came from a backup? Do you know why I don't have a timestamp for most of the messages that are at the top of the DB?
Avatar
does anyone know how Silent Phone encrypts its database on iOS?
Avatar
Looking to see if there is any information which I can gain from a keychain file related to a deleted application. The device had KIK installed, but it was deleted. I can see in the Password file of the keychain it has references to com.kik.chat. Any ideas would be appreciated, or if this is dead end also helpful.
Avatar
@Ghosted, that's funny... I have the same exact situation in a case I am working on. I came to the same conclusion so far. I only have traces in the keychain, which can actually be synced from another device.
👍 1
Avatar
Hi, I'm looking for a way to decrypt a Signal database from a full file system extraction of a Samsung A51; I would use this paper https://rado0z.github.io/Decrypt_Android_Database. The *.xml file was found in the app root, but I didn't find the SignalSecret in the keystore root?
7:59 AM
Does somebody know where the keystore "SignalSecret" file was saved on this Samsung phone?
Avatar
You need the decrypted key from the keystore. The one from the FFS archive won't do. Check if 4PC (I assume that's what you used) extracted the key automatically and saved it to secrects.json
Avatar
Avatar
Erik
I'm looking at two different extractions of iPhones that have paired with each other via Bluetooth. When looking at the com.apple.MobileBluetooth.devices.plist I can see both phones in each respective plist, but the paired Bluetooth MAC address that is posted seems to be a mix of the Wi-Fi MAC address and the Bluetooth device address. Can anyone shed some light on this?
Could it just be the vendor ID, the first four bytes? Or because of MAC randomization? Have you looked into the two files com.apple.MobileBluetooth.ledevices.*.db? (I also recommend this article https://dfir.pubpub.org/pub/frknihlg/release/1)
Avatar
Would files in com.twitter.android/files be accessible via the app? Can't verify using the phone as the associated account is suspended. The files start with "tmp" and have what looks like an identifier in the name.
Avatar
Borderbingo 3/14/2023 10:00 AM
Hello everyone! Has someone been able to open a bin file from Axiom in PA?
Avatar
Good morning, I am working on a homicide investigation and trying to bring meaning to Instagram web browsing history from Google Chrome. I am trying to determine if it means they simply visited a particular posting on the site or if the web page title suggested they posted something. The history is back from November 2019, so things I’m sure are different, but wondering if anyone else has had to look into this in the past. Device: Nokia 2.1 Android OS: 8.1 Thanks in advance for any help. Michael Holley Digital Evidence Specialist RCMP E Division, Digital Forensics Services michael.holley@rcmp-grc-gc.ca
Avatar
Good day! I have a strange timestamp for 5 thumbnails in the \media\0\DCIM.thumbnails\ folder of an Android device. This device was seized at 20:13 and these thumbnails all have create dates of 20:26. I was not the one to seize this device. I gained possession this morning. The device was isolated from any network connections. The seizing officer did browse the photos before seizing the device. It would make sense to me that the last accessed and last modified reflected this time, but the create date is throwing me. The original images appear to have been downloaded to the device in 2018. If the device was browsed by the seizing officer at this time, would the OS recreate these thumbnails? Thanks in advance.
Avatar
Avatar
stps358
Good day! I have a strange timestamp for 5 thumbnails in the \media\0\DCIM.thumbnails\ folder of an Android device. This device was seized at 20:13 and these thumbnails all have create dates of 20:26. I was not the one to seize this device. I gained possession this morning. The device was isolated from any network connections. The seizing officer did browse the photos before seizing the device. It would make sense to me that the last accessed and last modified reflected this time, but the create date is throwing me. The original images appear to have been downloaded to the device in 2018. If the device was browsed by the seizing officer at this time, would the OS recreate these thumbnails? Thanks in advance.
Browsing the device can always alter timestamps. Or timestamps can be altered by database reorganization. Since the odd part is that it was seized and looked through prior to your timestamp, I would try to recreate the situation with a clean phone, same model. Take some pics, then dump it. Take some pics, wait, browse, dump it. Maybe this brings some clarity (but you'll never know if the internal organisation will work exactly like it did at the time the device was seized).
Avatar
Avatar
Morph
Hi, I'm looking for a way to decrypt a Signal database from a full file system extraction of a Samsung A51; I would use this paper https://rado0z.github.io/Decrypt_Android_Database. The *.xml file was found in the app root, but I didn't find the SignalSecret in the keystore root?
citizencain 3/14/2023 8:32 PM
You can't decrypt the backup nowadays. That script is from before Signal used hardware-backed keys. Open the app and manually create a backup, and screenshot the code. From there you can decrypt it with a commercial tool or Python script. Caveat: an extraction from GK Android or Oxygen will force the backup as part of their extraction, which is why you'll occasionally see them unencrypted in the extraction.
Avatar
Avatar
CLB_iwhiffin
Also, the “draw small maps” is related to maps drawn in the timeline, not locations tab. I presume you have an internet connection?
Hans Leißner 3/14/2023 11:02 PM
Sorry for the late response! I had some free days from work :D. Yep, I have an Internet connection on this machine. (edited)
Avatar
Mornings... Does anyone have any experience with Paraben Forensics on mobile devices, compared to Oxygen, Axiom, CB etc?
Avatar
beansidebean2020 3/15/2023 2:44 AM
Morning, hoping someone can assist. I have an iPhone with four email apps that have not parsed but are important to the investigation: Proton Mail, Edison Mail, Spark, Tutanota. I have seen that iLEAPP may parse Proton Mail but I'm struggling with the others. PA unsuccessful, Axiom doesn't support these apps. Edison does not have a database associated with it and the other 3 DBs are unreadable. Anyone have any suggestions? Thanks.
Avatar
Avatar
Morph
Hi, I'm looking for a way to decrypt a Signal database from a full file system extraction of a Samsung A51; I would use this paper https://rado0z.github.io/Decrypt_Android_Database. The *.xml file was found in the app root, but I didn't find the SignalSecret in the keystore root?
Heimdall4N6K 3/15/2023 5:21 AM
Signal database acquisition and decryption. Contribute to AvillaDaniel/Signal-Forensics development by creating an account on GitHub.
Avatar
Does anyone know approximately how long received AirDrop artifacts would be obtainable from sysdiagnose? E.g. if it's been over 24 hours since someone received an AirDrop, would there still be identifiers of the sender's phone in the receiver's sysdiagnose file if generated today? (edited)
Avatar
Do you have any idea how to open these files? I have a manual Huawei backup (kobackup on a Mate 30) but neither Oxygen nor KoBackupDec decrypts these files. I also tried to merge them into one tar with copy /b from the terminal but nothing changed. @Oxygen Forensics
Avatar
backup\sdcard\DCIM.thumbnails\ and backup\sdcard\DualApp\DCIM.thumbnails\ Anyone have any insight on the DualApp path? I have some images which are the same in both locations but the DualApp seems to have a lot more.
Avatar
Avatar
Flavius
Do you have any idea how to open these files? I have a manual Huawei backup (kobackup on a Mate 30) but neither Oxygen nor KoBackupDec decrypts these files. I also tried to merge them into one tar with copy /b from the terminal but nothing changed. @Oxygen Forensics
Oxygen Forensics 3/15/2023 9:28 AM
Hello, you can import the zip of the full Huawei Backup into Oxygen using this option 🙂
9:31 AM
If you want to import just those files, maybe you can unarchive them, zip them up and import as file system (Android). I am not familiar with kobackup, so not so sure (edited)
Avatar
Hi! My colleague has acquired a full file system from an iPhone. To keep it simple, let's say the iPhone was set up on January 1st. In the database there are 100-200 SMS. We can group the SMS into groups where they have the exact same date and time, and where it differs only by some seconds between each group. The date and time stamps for when the SMS were read or sent etc. are all blank in the database. From January 2nd there are SMS etc. registered in chronological order as expected. The first event that my colleague sees in the timeline in Axiom is traces of a gz file, and then that the screen turns on and off a couple of times. My initial thought was that it is some kind of backup that has been restored onto the iPhone. Regarding the missing datetime stamps, it tells me that it probably isn't an Apple backup. It seems incompatible with the SMS database. The SMS that are grouped based on time tell me they might have been written in chunks to the database, and just used the local time settings because of incompatibility. Maybe from an Android that uses a gz file to compress data in order to transfer it. I'm not sure if Apple has native support in the setup wizard to transfer and restore data from an Android? Should we try to look for deleted apps that assist when restoring data from Android to iPhone? Has anyone seen this behaviour before or have any ideas on moving forward? (edited)
Avatar
Hi everyone. I have a full FS extraction from an Android phone with Android 10. The "/data/data/com.whatsapp" folder is missing but the folder "/data/media/0/WhatsApp" is present, and has all expected data inside, including a voice note that (by the file name and FS properties of the file) was received a couple of hours before the phone seizure. So I'm pretty confident that WhatsApp was uninstalled from the device, possibly minutes before the seizure. My question is: is there any system log or any other source that permits obtaining the exact moment of the uninstall operation?
Avatar
Is there any software to parse a Signal backup with a known passphrase? @Magnet Forensics @Cellebrite @MSAB
Avatar
Avatar
denyzkoo
Is there any software to parse a Signal backup with a known passphrase? @Magnet Forensics @Cellebrite @MSAB
CLB - Mike Joy 3/16/2023 7:39 AM
If you have the 30-digit passphrase, I have successfully used scripts to parse them. I used this one several months ago and I believe it is still supported: https://github.com/bepaald/signalbackup-tools
Tool to work with Signal Backup files. Contribute to bepaald/signalbackup-tools development by creating an account on GitHub.
Avatar
Avatar
denyzkoo
Is there any software to parse a Signal backup with a known passphrase? @Magnet Forensics @Cellebrite @MSAB
cScottVance 3/16/2023 7:52 AM
AXIOM can parse the Signal backups with the passphrase.
Avatar
Original message was deleted or could not be loaded.
cScottVance 3/16/2023 9:27 AM
You can look at the Mobile Installation Logs for most versions of iOS and then KnowledgeC or Biome data depending on if it's pre iOS 16 or not.
Avatar
Avatar
CLB - Mike Joy
If you have the 30-digit passphrase, I have successfully used scripts to parse them. I used this one several months ago and I believe it is still supported: https://github.com/bepaald/signalbackup-tools
This is the way, but you'll need to write the database queries yourself to make reports.
Avatar
PA supports Signal backup
Avatar
Avatar
CLB-ChenK
PA supports Signal backup
How do I use it, and where do I add the 30-digit passphrase? It's from an Android device.
Avatar
Deleted User 3/17/2023 4:33 AM
Has anyone here worked with Molly?
Avatar
Hi. In my case I have a Samsung A405 with MDM. I know the alphanumeric pw, but when I run it, the device asks for a second pw. Can anybody help me? The device probably has the ChatMail app installed.
Avatar
Avatar
skipper
Hi. In my case I have a Samsung A405 with MDM. I know the alphanumeric pw, but when I run it, the device asks for a second pw. Can anybody help me? The device probably has the ChatMail app installed.
What's the firmware version?
Avatar
Android 11 (a405FNXXU3CUC2)
Avatar
That's quite old; doesn't the bootloader full file system method work?
Avatar
I have an FFS, but PA, Axiom, Oxy and XRY decode nothing. When I start the device and enter the first pw, Android starts perfectly. I see this screen, and when I tap the right icon I have to enter the next pw.
6:47 AM
Looks like EncroChat
6:48 AM
I want to BF the second pw
Avatar
Avatar
skipper
Looks like EncroChat
Deleted User 3/17/2023 6:51 AM
That's not Encro
6:51 AM
That's ChatMail
Avatar
So... does anybody have experience with ChatMail?
Avatar
Avatar
skipper
So... does anybody have experience with ChatMail?
Deleted User 3/17/2023 6:55 AM
Never had one. I know it's a secure encrypted phone like Sky ECC and EncroChat; is there no support for it on UFED 4PC (for this device)?
Avatar
Can't decode (BF) the second PW; I have an FFS.
Avatar
Does anyone have any insight on how iOS calculates ZSPEED in the ZRTCLLOCATIONMO table of Cache.sqlite? We're investigating a traffic accident but the data doesn't match in any way with the reconstruction report. There's a GPS location being logged every second with pretty good accuracy, but the speed is simply too high to be true.
Avatar
Avatar
Jackds
Does anyone have any insight on how iOS calculates ZSPEED in the ZRTCLLOCATIONMO table of Cache.sqlite? We're investigating a traffic accident but the data doesn't match in any way with the reconstruction report. There's a GPS location being logged every second with pretty good accuracy, but the speed is simply too high to be true.
@ScottKjr3347 tested this, if I'm right.
Avatar
Avatar
florus
@ScottKjr3347 tested this, if I'm right.
Yep, read the blog.
Avatar
Avatar
Jackds
Yep, read the blog.
ScottKjr3347 3/20/2023 5:03 AM
Sent you a message.
Avatar
Avatar
Jackds
Does anyone have any insight on how iOS calculates ZSPEED in the ZRTCLLOCATIONMO table of Cache.sqlite? We're investigating a traffic accident but the data doesn't match in any way with the reconstruction report. There's a GPS location being logged every second with pretty good accuracy, but the speed is simply too high to be true.
ScottKjr3347 3/20/2023 5:07 AM
From apple developer documentation: “This value reflects the instantaneous speed of the device as it moves in the direction of its current heading. A negative value indicates an invalid speed. Because the actual speed can change many times between the delivery of location events, use this property for informational purposes only.” https://developer.apple.com/documentation/corelocation/cllocation/1423798-speed
Avatar
Does anyone have experience with analyzing data from the application Confide on iPhone? (edited)
Avatar
Avatar
beansidebean2020
Morning, hoping someone can assist. I have an iPhone with four email apps that have not parsed but are important to the investigation: Proton Mail, Edison Mail, Spark, Tutanota. I have seen that iLEAPP may parse Proton Mail but I'm struggling with the others. PA unsuccessful, Axiom doesn't support these apps. Edison does not have a database associated with it and the other 3 DBs are unreadable. Anyone have any suggestions? Thanks.
What kind of image do you have?
Avatar
Avatar
skipper
Can't decode (BF) the second PW; I have an FFS.
Interesting! Isn't there a database with the password that can be brute-forced?
Avatar
Avatar
skipper
I have an FFS, but PA, Axiom, Oxy and XRY decode nothing. When I start the device and enter the first pw, Android starts perfectly. I see this screen, and when I tap the right icon I have to enter the next pw.
How did you make an FFS?
Avatar
Avatar
Mr.Robot
What kind of image do you have?
beansidebean2020 3/21/2023 2:04 AM
An FFS
Avatar
Avatar
Panda
Does anyone have experience with analyzing data from the application Confide on iPhone? (edited)
iPhone users have access to literally hundreds of instant messaging apps. These apps range all the way from the built-in iMessage app to the highly secure Signal messengers, with all stops in between. Many of the messaging apps are marketed as ‘secure’ or ‘protected’ messengers, touting end-to-end e
Avatar
Is that one I’m trying to follow. But the key as mentioned in that blog is not written in ascii. So I’m struggling with the decryption
Avatar
Hello people! I have come across something like this for the first time. Working on an HTC Desire 300 chip-off. Got the dump with the UFI tool with 1-bit bus and auto clock setting. When analyzed, the photos look like this, as if they are corrupted. When opening the DCIM folder, the thumbnails are perfect (without the green corruption) for a second, then the photos look like the image here. Is it possible to regenerate the photos?
Avatar
Avatar
beansidebean2020
An FFS
It is possible to see the content of a mail application. Please send me a DM if you want.
Avatar
Picture stored under Support/Instagram/PostCreation/4987183xxxx/Store.Large/9869axxxx6f52. Can you determine from what feature in Instagram the picture was made? Story, chat, saved? Thanks in advance (edited)
Avatar
Can someone from @Cellebrite please PM me
📬 1
Avatar
Avatar
Panda
Can someone from @Cellebrite please PM me
Your user permissions don't allow it.
Avatar
Good day all. I'm looking for some clarification on this wipe. Why is the start time in 2019 and initiated local time last month? (edited)
Avatar
Avatar
stps358
Good day all. I'm looking for some clarification on this wipe. Why is the start time in 2019 and initiated local time last month? (edited)
CLB_joshhickman1 3/21/2023 10:31 AM
Which version of PA are you using?
Avatar
Avatar
CLB_joshhickman1
Which version of PA are you using?
7.60.1.9
Avatar
Avatar
stps358
Good day all. I'm looking for some clarification on this wipe. Why is the start time in 2019 and initiated local time last month? (edited)
Well why not just look at the source file and go from there?
Avatar
Avatar
cygnusx
Well why not just look at the source file and go from there?
I did look at the source file and there are multiple entries. "+ [eF | 2019/01/05 17:44:26 | G781U1UEU1ATJ5] --wipe_data --requested_time=2023/02/19 14:46:00.717 --reason=MasterClearConfirm,2020-01-01T00:00:00Z --locale=en-US" I have confirmation that the --requested line is the one that matters. I just didn't know how to interpret the 2019 date vs the 2023 date. (edited)
Avatar
@Cellebrite Hi, someone available for a question about UFED 8.3 reader?
📬 1
Avatar
House Whiskey 3/22/2023 4:41 AM
Hey guys, has anyone dealt with this file path before and know what it's associated with? File path: /data/data/com.google.android.apps.photos/cache/consumereditor_out (edited)
4:42 AM
I'm currently thinking it's cache storage for images edited in the Google Photos app, but after testing I haven't seen any edited photos appear here.
Avatar
Hello, anyone here that is good with decoding Binary plist that could have a quick chat with me on PM?
Avatar
Hello everyone, does Digital Collector have the ability to verify image hashes once the imaging is complete?
Avatar
@Cellebrite
Avatar
Avatar
ZlatanX
@Cellebrite
Standby. It's been a while since I used Collector.
Avatar
Avatar
ZlatanX
Hello everyone, does Digital Collector have the ability to verify image hashes once the imaging is complete?
Yes it is.
Avatar
Anyone know what's triggering the auth msg from Signal?
Avatar
chrisforensic 3/22/2023 11:03 AM
New beta PA 7.61.0.12 still has trouble showing locations in the WA chats overview (red square), and chat export to xlsx doesn't show the location either, hmmm @Cellebrite (edited)
📬 1
11:09 AM
Import to another tool shows the location in the overview and the Excel report!
Avatar
Does anyone know if the iOS photos.sqlite database keeps gyroscope information or accelerometer data? I believe it does not but there are quite a few tables to go through. (edited)
Avatar
Avatar
chrisforensic
New beta PA 7.61.0.12 still has trouble showing locations in the WA chats overview (red square), and chat export to xlsx doesn't show the location either, hmmm @Cellebrite (edited)
Thanks, it was brought to the attention of the decoding team.
👍 1
Avatar
Peacekeeper 3/23/2023 1:14 AM
I am trying to determine when a device was first taken into use, and I'm running into some conflicting data in my search. Hopefully someone can help me out here and knows what's going on.
Device extraction is from November 2022, physical dump. The device is a Samsung A5 (SM-A510F) running Android 7 (A510FXXS8CTI7, build date Sept 16, 2020).
SimCard.dat returns SimChangeTime with a date in October 2020. The weird thing is that all significant databases have a creation time nearly 12 hrs shy of 2 years later. In my mind that could be that the device date/time was updated then to the true local date/time, but the difference in timestamp on SimCard.dat is hard for me to explain: that it is a difference 12 hrs shy of 2 years, and seemingly not related to the build date that was present on the device, and not a 'default' date/time that is present after a factory reset or first-time boot.
Other artefacts I have looked at:
eRR.p: not present on the device
SmartSwitch logfile is present with the date in October 2022.
Google Play and Samsung databases have a creation date/time in October 2022
sdp_log starts at 2019-12-31, which seems to be the date/time for first boot/factory reset. It updates to October 2022, but four days after my expected time of setup. Most likely the user didn't set a passcode until then, and continued the rest of the setup of the device, which matches my timeline.
In regards to: https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/
/misc/bootstat is empty
There is no suggestions.xml, but there is a suggestions.db. Creation time is the expected date in October 2022
Other files and locations were either nonexistent on this device or gave the same expected date in October 2022.
Anyone else that has some valuable insights and/or an explanation why SimCard.dat and a couple of databases (for Samsung Internet Browser and the Android Music database 'WearableDataSync.db') have a different timestamp?
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
Avatar
Avatar
Peacekeeper
I am trying to determine when a device was first taken in use, and I'm running into some conflicting data in my search. Hopefully someone can help me out here and knows what's going on. Device extraction is from November 2022, physical dump. The device is a Samsung A5 (SM-A510F) running Android 7 (A510FXXS8CTI7, build date sept 16, 2020). SimCard.dat returns SimChangeTime with a date in October 2020. The weird thing is that all significant databases have a creation time nearly 12 hrs shy of 2 years later. In my mind that could be that the device date/time was updated then to the true local date/time, but the difference in timestamp on SimCard.dat is hard for me to explain, that it is a difference 12 hrs shy of 2 years, and seemingly not related to the build date that was present on the device, and not a 'default' date/time that is present after a factory reset or first time boot. Other artefacts I have looked at: eRR.p, not present on the device SmartSwitch logfile is present with the date in October 2022. Google Play and Samsung databases have a creation date/time in October 2022 sdp_log starts at 2019-12-31, which seems to be the date/time for first boot/factory reset. It updates to October 2022, but four days after my expected time of setup. Most likely the user didn't set a passcode until then, and continued the rest of the setup of the device, which matches my timeline. In regards to: https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/ /misc/bootstat is empty There is no suggestions.xml, but there is a suggestions.db. Creation time is the expected date in October 2022 Other files and locations were either nonexistent on this device or gave the same expected date in October 2022. Anyone else that has some valuable insights and/or explanation why SimCard.dat and a couple of databases (for Samsung Internet Browser and the Android Music database 'WearableDataSync.db') have a different timestamp?
Are the files netpolicy.xml, mmssms.db and telephony.db around? All contain simcard info; you might see corresponding date and time there? Does not answer your question, but might help you a step further. I think @CLB_joshhickman1 might have an idea.
Avatar
Peacekeeper 3/23/2023 2:06 AM
Thanks! netpolicy.xml is around, but timestamps are from the date of extraction (creation time) or a couple of weeks earlier (epoch timestamp lastWarningSnooze).
mmssms.db creation timestamp is around factory time. Timestamps within are from the date when possibly continuing setup.
telephony.db also around factory time.
Avatar
citizencain 3/23/2023 5:46 AM
I have a decrypted Threema database from an Android (for various reasons, I do not have the extraction - just the decrypted database). I'd like to parse it using @Cellebrite or @Magnet Forensics. I've had success parsing various other apps by simply rebuilding the file path and processing it under a generic Android profile (Cellebrite) or, in the case of Axiom, just selecting the app artifact. (Cellebrite example: throwing the Telegram database into data/data/org.telegram.messenger/files and then running the Android Databases plugin. Axiom will take it regardless of path.) But Telegram is natively stored in a decrypted state, where Threema is not. Is this possible, or are these tools programmed to only parse Threema when they can locate the encrypted db and a corresponding valid keystore?
Avatar
Avatar
citizencain
I have a decrypted Threema database from an Android (for various reasons, I do not have the extraction - just the decrypted database). I'd like to parse it using @Cellebrite or @Magnet Forensics. I've had success parsing various other apps by simply rebuilding the file path and processing it under a generic Android profile (Cellebrite) or, in the case of Axiom, just selecting the app artifact. (Cellebrite example: throwing the Telegram database into data/data/org.telegram.messenger/files and then running the Android Databases plugin. Axiom will take it regardless of path.) But Telegram is natively stored in a decrypted state, where Threema is not. Is this possible, or are these tools programmed to only parse Threema when they can locate the encrypted db and a corresponding valid keystore?
chriscone_ar 3/23/2023 6:39 AM
My disclaimer - I haven't looked at Threema in quite a while. For AXIOM, I'd say it depends on the specific app. For newer versions which are encrypted, yes - the expectation is to find an encrypted database and then use the keystore to decrypt. For apps that had prior versions which were not natively encrypted, and if the overall db schema is the same, it may just work (like you said, just point AXIOM at the database: Mobile - Android - Files & Folders - point to your db). The ability to parse application data for earlier versions doesn't get removed from AXIOM during updates - you never know which version you'll run into. However, I'm assuming from your message you've already tried and it didn't work 🙃 Dynamic App Finder or the free tool Magnet Custom Artifact Generator (MCAG) may work to build a custom artifact for the decrypted copy of the db you've got.
Avatar
Avatar
chriscone_ar
My disclaimer - I haven't looked at Threema in quite a while. For AXIOM, I'd say it depends on the specific app. For newer versions which are encrypted, yes - the expectation is to find an encrypted database and then use the keystore to decrypt. For apps that had prior versions which were not natively encrypted, and if the overall db schema is the same, it may just work (like you said, just point AXIOM at the database: Mobile - Android - Files & Folders - point to your db). The ability to parse application data for earlier versions doesn't get removed from AXIOM during updates - you never know which version you'll run into. However, I'm assuming from your message you've already tried and it didn't work 🙃 Dynamic App Finder or the free tool Magnet Custom Artifact Generator (MCAG) may work to build a custom artifact for the decrypted copy of the db you've got.
citizencain 3/23/2023 6:41 AM
Thank you, I'll look at building a custom artifact. Appreciate the response!
Avatar
Avatar
citizencain
Thank you, I'll look at building a custom artifact. Appreciate the response!
chriscone_ar 3/23/2023 6:42 AM
You're welcome! If you haven't used Dynamic App Finder or MCAG (or if you have any other issue), DM and I can walk you through it. (edited)
👍🏻 1
Avatar
Avatar
Peacekeeper
I am trying to determine when a device was first taken in use, and I'm running into some conflicting data in my search. Hopefully someone can help me out here and knows what's going on. Device extraction is from November 2022, physical dump. The device is a Samsung A5 (SM-A510F) running Android 7 (A510FXXS8CTI7, build date sept 16, 2020). SimCard.dat returns SimChangeTime with a date in October 2020. The weird thing is that all significant databases have a creation time nearly 12 hrs shy of 2 years later. In my mind that could be that the device date/time was updated then to the true local date/time, but the difference in timestamp on SimCard.dat is hard for me to explain, that it is a difference 12 hrs shy of 2 years, and seemingly not related to the build date that was present on the device, and not a 'default' date/time that is present after a factory reset or first time boot. Other artefacts I have looked at: eRR.p, not present on the device SmartSwitch logfile is present with the date in October 2022. Google Play and Samsung databases have a creation date/time in October 2022 sdp_log starts at 2019-12-31, which seems to be the date/time for first boot/factory reset. It updates to October 2022, but four days after my expected time of setup. Most likely the user didn't set a passcode until then, and continued the rest of the setup of the device, which matches my timeline. In regards to: https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/ /misc/bootstat is empty There is no suggestions.xml, but there is a suggestions.db. Creation time is the expected date in October 2022 Other files and locations were either nonexistent on this device or gave the same expected date in October 2022. Anyone else that has some valuable insights and/or explanation why SimCard.dat and a couple of databases (for Samsung Internet Browser and the Android Music database 'WearableDataSync.db') have a different timestamp?
CLB_joshhickman1 3/23/2023 7:25 AM
Are you trying to determine when the device was last wiped, or the first time the device was used after it was last wiped?
Avatar
Avatar
CLB_joshhickman1
Are you trying to determine when the device was last wiped, or the first time the device was used after it was last wiped?
Peacekeeper 3/23/2023 7:26 AM
I don't think the device was wiped at all (haven't found evidence of that yet) so I'm looking for the first activation time of the device
📬 1
Avatar
Any cellebrite reps please pm me. I have an issue/question
📬 1
Avatar
Deleted User 3/23/2023 3:13 PM
@CLB_iwhiffin hey mate.. is there a way to see what triggered the screen on and screen off events from knowledgeC? I am assuming it's notifications coming in, as the owner was deceased during these times and I have a series of on/off within seconds..
Avatar
@Cellebrite - Unfortunately, the following link is no longer available; a search in your support portal for the CLI Reference Guide was unsuccessful. Could you send me a copy of the article? https://support.cellebrite.com/hc/en-us/articles/360011151538-Physical-Analyzer-Command-Line-Interface-CLI-Reference-Guide
Avatar
Avatar
House Whiskey
Hey guys, has anyone dealt with this file path before and know what it's associated with? File path: /data/data/com.google.android.apps.photos/cache/consumereditor_out (edited)
House Whiskey 3/24/2023 3:37 AM
For future reference. I've done some more testing and can confirm that (for google pixel devices at least) if google photos is used to edit an image then a copy of the edited version is held in /data/data/com.google.android.apps.photos/cache/consumereditor_out (edited)
3:38 AM
A copy of the original is held in /data/data/com.google.android.apps.photos/files/shadowcopies (edited)
👍 4
Hi guys, are there any options for extracting and decoding the Wave - Make New Friends app on iOS? I've got a GK FFS but there's no sign of any Wave chats in my PA decode. The app is signed out now on the device.
And Meete?
Hi @Cellebrite, dm requested please when possible. Thanks
📬 1
Hans Leißner 3/27/2023 3:00 AM
Hi guys! What are your experiences with restoring Snapchat files? Are files created and sent in the application generally recoverable or is the probability close to zero? (apart from other circumstances like operating system or backup method).
Hans Leißner
Hi guys! What are your experiences with restoring Snapchat files? Are files created and sent in the application generally recoverable or is the probability close to zero? (apart from other circumstances like operating system or backup method).
The files might still be present as cache files even if the user can't see them, but if it's a new phone you can't recover the files via carving, if that's what you mean.
👍 1
Oscar
The files might still be present as cache files even if the user can't see them, but if it's a new phone you can't recover the files via carving, if that's what you mean.
Hans Leißner 3/27/2023 3:33 AM
Hi Oscar! Thanks for your message. As far as the current state of the art goes, your message matches my knowledge. You have already helped me a lot, thank you!
Hans Leißner
Hi Oscar! Thanks for your message. As far as the current state of the art goes, your message matches my knowledge. You have already helped me a lot, thank you!
Be aware of segmented video files.
👍 1
6:37 AM
@Magnet Forensics How can I create a VICS export with the data from a portable case? Portable case was made from v6.9.0
chriscone_ar 3/27/2023 6:55 AM
@OggE If a portable case user performed media categorization, I believe you'll need to merge the portable case into the parent case it was created from. During the portable case import, there is an option (enabled by default) to merge their media categorization work.
👍 1
chriscone_ar
@OggE If a portable case user performed media categorization, I believe you'll need to merge the portable case into the parent case it was created from. During the portable case import, there is an option (enabled by default) to merge their media categorization work.
The user has manually tagged media items. Currently trying to merge the data files as you said.
OggE
The user has manually tagged media items. Currently trying to merge the data files as you said.
chriscone_ar 3/27/2023 7:22 AM
When you say 'manually tagged' do you mean they created their own tags instead of using existing media categories?
chriscone_ar
When you say 'manually tagged' do you mean they created their own tags instead of using existing media categories?
They used existing tags, copied the mfdb over and it seems to have worked 😄
👍🏻 1
7:26 AM
ok nvm, i cant export as vics with that database
OggE
ok nvm, i cant export as vics with that database
chriscone_ar 3/27/2023 7:31 AM
Can you try in Examine to select File - Merge Portable case and walk through the options to merge the portable case into the original case it was created from? When that completes, from the Process menu, select Update hash sets with new media categorizations.
chriscone_ar
Can you try in Examine to select File - Merge Portable case and walk through the options to merge the portable case into the original case it was created from? When that completes, from the Process menu, select Update hash sets with new media categorizations.
Yes now that I did as you actually said it worked xD
🤣 1
7:32 AM
and i can see the tags
OggE
Yes now that I did as you actually said it worked xD
chriscone_ar 3/27/2023 7:32 AM
Perfect!
🔥 1
A more simple question here, feel like I'm having brain fog... Is there a Samsung/Android alternative to the purplebuddy.plist available on iOS for determining last setup and setup method for Samsungs/Androids? Can be multiple files. (edited)
7:45 AM
(Would bootstat have this information?)
3X3
A more simple question here, feel like I'm having brain fog... Is there a Samsung/Android alternative to the purplebuddy.plist available on iOS for determining last setup and setup method for Samsungs/Androids? Can be multiple files. (edited)
JLindmar (83AR) 3/27/2023 7:52 AM
Like the variety of "setup wizard" files?
JLindmar (83AR)
Like the variety of "setup wizard" files?
More looking for dates/times stamped into a db or file for a conclusive last setup exit, and setup method (wizard/backup from Google drive/proximity)
3X3
A more simple question here, feel like I'm having brain fog... Is there a Samsung/Android alternative to the purplebuddy.plist available on iOS for determining last setup and setup method for Samsungs/Androids? Can be multiple files. (edited)
I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for these artifacts.  DFIR truly is a team effort. They say im…
this 1
👍 1
3X3
More looking for dates/times stamped into a db or file for a conclusive last setup exit, and setup method (wizard/backup from Google drive/proximity)
JLindmar (83AR) 3/27/2023 12:12 PM
I typically start by applying a filter across all filenames that include "setup" and then pivot from there. For example, using @CLB_joshhickman1 Android 13 dataset (https://thebinaryhick.blog/public_images/) I see several files and paths that tell the story of the device setup: "com.google.android.gms" and "com.google.android.settings.intelligence" appear to have useful information.
Below are links to my public images.  If you find a link that isn’t working, please let me know! Android Android 7 (hosted by Digital Corpora) Android 8 (hosted by Digital Corpora) Android 9 …
I am wondering if anyone has any experience with fake WhatsApp screen recordings. We are currently dealing with a screen recording that has certain artefacts that we are struggling to explain. In particular because it is difficult to determine what is an anomalous artefact and what is simply due to it being a recording of an old version of WhatsApp. For example the background of the chat is the image attached, which is not what the standard background is, and I am unable to find if this is an official background or not.
Question about Android filesystem.. I have a lot of JPGs that were created that are located within the media/pictures folder in a Cellebrite report. The files are named with a timestamp.jpg like 1554740419029.jpg .... it looks like some program renamed some images and put them into this folder.. any ideas.. thanks. (edited)
Android - Is there a way to tell when a PIN was created on a phone that has been in use without one for a period of time? Claim is: there was no PIN on the phone and someone downloaded CP and then PIN locked the phone without the users consent. Thanks.
I'm looking to determine the first use date of an iPad. I know with phones you can look at the creation date of sms.db or voicemail.db, but how would I do this for an iPad? Is there a file that is created when you're setting up your iPad for the first time?
Hi @Magnet Forensics! I need help with optimizing media categorization with Magnet AI. It is very slow and it doesn't seem to efficiently use my computer resources. Right now I'm categorizing the media from two cases simultaneously and my Threadripper Pro 5965WX is used ~9%, my Nvidia Geforce RTX 3080 Ti is used ~2%. The GPU rarely spikes to ~40% for a second or two. The cases are stored on an NVMe RAID (active ~2%) and the temp folder is on another NVMe (active ~0%). The categorization speed is only about 1000 pictures/minute for one case and about 500 pictures/minute for the other case. Is this normal?
Hans Leißner 3/27/2023 11:28 PM
Good morning to the community! Have there been any changes lately regarding restoring data from "Safari private browsing"? My last status was that URL can be recovered, but without timestamp information. Research on the internet has been negative so far, unfortunately. Could only find entries from < 2015. Thanks and greetings!
Hans Leißner
Good morning to the community! Have there been any changes lately regarding restoring data from "Safari private browsing"? My last status was that URL can be recovered, but without timestamp information. Research on the internet has been negative so far, unfortunately. Could only find entries from < 2015. Thanks and greetings!
Have you looked at favicons.db? There might be entries in that, containing a URL, but not with a direct timestamp.
👍 1
florus
Have you looked at favicons.db? There might be entries in that, containing a URL, but not with a direct timestamp.
Hans Leißner 3/28/2023 12:19 AM
It's decoding atm. I'll post here if pos/neg. It's an FFS of an iPhone 13, iOS 15.5.
👍 1
Good morning everyone. Having a full fs of an iPhone 13 with ios 16.3 can you suggest where to look for proof (and time) of app uninstallation? Thanks
Alexsaurus
I am wondering if anyone has any experience with fake WhatsApp screen recordings. We are currently dealing with a screen recording that has certain artefacts that we are struggling to explain. In particular because it is difficult to determine what is an anomalous artefact and what is simply due to it being a recording of an old version of WhatsApp. For example the background of the chat is the image attached, which is not what the standard background is, and I am unable to find if this is an official background or not.
We had a similar problem - in our case it was a theme for Telegram that visually represented Telegram as WhatsApp and thus generated supposed WhatsApp chats.
Ash4n6
I'm looking to determine the first use date of an iPad. I know with phones you can look at the creation date of sms.db or voicemail.db, but how would I do this for an iPad? Is there a file that is created when you're setting up your iPad for the first time?
Purplebuddy.plist should have a date for guessed country which should be when the setup screen first got to the screen for the user to select their country. I know this is on iPhones and don’t see why it wouldn’t be in an iPad also
Cip
Hi @Magnet Forensics! I need help with optimizing media categorization with Magnet AI. It is very slow and it doesn't seem to efficiently use my computer resources. Right now I'm categorizing the media from two cases simultaneously and my Threadripper Pro 5965WX is used ~9%, my Nvidia Geforce RTX 3080 Ti is used ~2%. The GPU rarely spikes to ~40% for a second or two. The cases are stored on an NVMe RAID (active ~2%) and the temp folder is on another NVMe (active ~0%). The categorization speed is only about 1000 pictures/minute for one case and about 500 pictures/minute for the other case. Is this normal?
chriscone_ar 3/28/2023 5:17 AM
Doesn't sound normal to me. Check the driver version for your GPU; I have an RTX 3080 Ti in one system and utilization is over 90% for media categorization once I updated GPU drivers. If you still aren't seeing high GPU usage, I would try only performing categorization for one case at a time and see if that changes things.
chriscone_ar
Doesn't sound normal to me. Check the driver version for your GPU; I have an RTX 3080 Ti in one system and utilization is over 90% for media categorization once I updated GPU drivers. If you still aren't seeing high GPU usage, I would try only performing categorization for one case at a time and see if that changes things.
I have a recent version of Nvidia Game Ready Drivers (528.02 from January 2023). I'll update them to the latest version, but I don't think it will matter too much. Should I change them to Studio Drivers instead of Game Ready Drivers? I also tried categorizing a single case, but the speed is the same (slow).
Cip
I have a recent version of Nvidia Game Ready Drivers (528.02 from January 2023). I'll update them to the latest version, but I don't think it will matter too much. Should I change them to Studio Drivers instead of Game Ready Drivers? I also tried categorizing a single case, but the speed is the same (slow).
chriscone_ar 3/28/2023 5:47 AM
For what it's worth, my RTX3080 system was pretty driver sensitive - meaning it wasn't doing much work at all until getting newer drivers directly from NVIDIA. Also, do you know if the CUDA toolkit is installed on your system? There's a known issue with it interfering with Magnet.AI. (edited)
Has anyone seen Apple heart rate data after a person died before? Not sure why I see values, and it makes me question the other data as well. I do see way more data samples from when the person was still alive tho.
chriscone_ar
For what it's worth, my RTX3080 system was pretty driver sensitive - meaning it wasn't doing much work at all until getting newer drivers directly from NVIDIA. Also, do you know if the CUDA toolkit is installed on your system? There's a known issue with it interfering with Magnet.AI. (edited)
I have the driver directly from Nvidia. Right now I don't have the CUDA toolkit installed. I don't remember if I had it at some point before (I played with hashcat and maybe I had CUDA installed).
Some Cellebrite PA assistance: I have a database where the Date/Time is saved in a format of: YYYY-MM-DD hh:mm:ss. I want to map this database using the SQLite wizard. If I place the Timestamp field type in the DateTime column I get "Format has no valid results". If I use the custom format button I can enter YYYY-MM-DD hh:mm:ss in the field but "ok" will stay grayed out. Any good idea how Physical Analyzer can work with this timestamp?
To add: Some entries have milliseconds and some dont: like 2023-01-01 12:12:34.345 and 2023-01-01 12:13:33 Could that be part of the problem?
wchtdev
To add: Some entries have milliseconds and some dont: like 2023-01-01 12:12:34.345 and 2023-01-01 12:13:33 Could that be part of the problem?
JLindmar (83AR) 3/28/2023 7:13 AM
If the value is stored as text string instead of an integer perhaps try using a field type that allows for text to be passed through instead of it being decoded/formatted? (edited)
That's doable. But then it will not fit in the timeline or be able to adjust from UTC. I will probably go with doing that though if I cant find a way to format them as timestamps.
wchtdev
That's doable. But then it will not fit in the timeline or be able to adjust from UTC. I will probably go with doing that though if I cant find a way to format them as timestamps.
JLindmar (83AR) 3/28/2023 7:23 AM
Ahh, gotcha. You could use a query with the wizard instead of using the drag-and-drop fields. That should allow you to force some decoding/formatting that the wizard can't do natively. But if PA still doesn't recognize the output as a timestamp, then the Timeline and offsets still wouldn't work. (edited)
sky
Been having a go at trying to decode/unlock the secure_database.db present in the new CIPHR Lite application - anyone else had any luck/experience with it so far?
Hey, just found your comment that has gone unanswered. Have you had any luck decoding the db? I am facing this same app that I cannot access.
4N6Cookie
Hey, just found your comment that has gone unanswered. Have you had any luck decoding the db? I am facing this same app that I cannot access.
Let me check my notes - this was a while ago 😅
4N6Cookie
Hey, just found your comment that has gone unanswered. Have you had any luck decoding the db? I am facing this same app that I cannot access.
No sorry, but I'll take another look now that some time has passed and my understanding has improved somewhat
sky
No sorry, but I'll take another look now that some time has passed and my understanding has improved somewhat
Thank you, as of right now, i have found a db_key in the account.xml but i wasn't sure if it was a good start. Might be the decryption key?
no harm in inputting it
working on it since it is also encrypted
t12346
Has anyone seen Apple heart rate data after a person died before? Not sure why I see values, and it makes me question the other data as well. I do see way more data samples from when the person was still alive tho.
Dm
👍 1
Looks like it is because the difference in timestamp formats in the column. side note: this is actually a Berla Cellebrite iVE export. Berla's UI and report creation is just so absolutely hard to work with that I want to do this in PA, so using the SQLite Wizard on the ivo.db file. Berla seriously needs to improve its User interface, its really bad. Exporting and report creating are terrible, even with simple things like filtering times for search limitations.
Hello! I am currently going through the application Spotify on iOS. Does anyone know if this field in the com.spotify.client.plist means that this was the last search done by the user?
wchtdev
Looks like it is because the difference in timestamp formats in the column. side note: this is actually a Berla Cellebrite iVE export. Berla's UI and report creation is just so absolutely hard to work with that I want to do this in PA, so using the SQLite Wizard on the ivo.db file. Berla seriously needs to improve its User interface, its really bad. Exporting and report creating are terrible, even with simple things like filtering times for search limitations.
JLindmar (83AR) 3/28/2023 10:11 AM
PA can ingest iVE *.ivo files, is this how you imported the data to begin with?
JLindmar (83AR)
PA can ingest iVE *.ivo files, is this how you imported the data to begin with?
Yes. It creates a database file called export.ivo.db. You can open that with the database wizard or export it out and read it with a SQLite viewer. Helpful since Cellebrite doesn't parse a lot of the stuff in there
12:20 PM
mostly with regards to the event logs
👍 1
Hi, I have a PIN-locked LG G5, I don't know what the sub model is. How do I hack it? Thanks
Panda
Hello! I am currently going through the application Spotify on iOS. Does anyone know if this field in the com.spotify.client.plist means that this was the last search done by the user?
Hans Leißner 3/28/2023 10:51 PM
What image do you have? GrayKey? FFS? ArtEx (https://www.doubleblak.com/) does a really good job in showing Spotify occurrences. But it's limited in importing different images (edited)
Hans Leißner
What image do you have? GrayKey? FFS? ArtEx (https://www.doubleblak.com/) does a really good job in showing Spotify occurrences. But it's limited in importing different images (edited)
Advanced logical (checkm8) taken with Cellebrite
Panda
Hello! I am currently going through the application Spotify on iOS. Does anyone know if this field in the com.spotify.client.plist means that this was the last search done by the user?
Unsure about that, but assuming Spotify hasn't changed you can get the recently played songs/playlists from the file recently_played.bnk. The blog and their script to parse it are linked: https://thinkdfir.com/2019/01/11/what-did-i-listen-to-on-spotify-for-ios/ https://github.com/randomaccess3/ParseiOSSpotify/blob/master/parse_recently_played.py
I had a recent examination where I was asked what music was someone listening to at a point in time on an iOS device. Here’s what I found! (TLDR at the bottom)
Parsing the Recently Played file on the iOS Spotify app - ParseiOSSpotify/parse_recently_played.py at master · randomaccess3/ParseiOSSpotify
p0tt541
Unsure about that, but assuming Spotify hasn't changed you can get the recently played songs/playlists from the file recently_played.bnk. The blog and their script to parse it are linked: https://thinkdfir.com/2019/01/11/what-did-i-listen-to-on-spotify-for-ios/ https://github.com/randomaccess3/ParseiOSSpotify/blob/master/parse_recently_played.py
I did have a read on that blog and followed the instructions. But my extraction did not provide the recently_played.bnk file. I see that the blog post is from 2019 so I think Spotify might have changed it.
Panda
Advanced logical (checkm8) taken with Cellebrite
Hans Leißner 3/29/2023 2:09 AM
In case you have a zip file from the checkm8 extraction, you can import it into ArtEx
Hans Leißner
In case you have a zip file from the checkm8 extraction, you can import it into ArtEx
Thanks, I will have a look at that later!
👍 1
anyone from @Cellebrite for dm?
📬 2
florus
Have you looked at favicons.db? There might be entries in that, containing a URL, but not with a direct timestamp.
Hans Leißner 3/29/2023 3:14 AM
Hi! As you described, I could find in the database the visited web pages (Safari private browsing), but without timestamp. Too bad, but at least a new insight. Thanks and greetings
Hans Leißner
Hi! As you described, I could find in the database the visited web pages (Safari private browsing), but without timestamp. Too bad, but at least a new insight. Thanks and greetings
There might be a timestamp embedded in the URL?
Hans Leißner 3/29/2023 3:58 AM
unix? When I convert this I get Sat Oct 01 2022 08:36:02 GMT+0200 which might actually fit in time.
4:04 AM
I still have a search with the timestamp 1658661677128. Fortunately, I know that the converted time to this entry was actually searched outside of private browsing. Just coincidence or is the URL really storing the timestamp? @ScottKjr3347 (edited)
Hans Leißner
I still have a search with the timestamp 1658661677128. Fortunately, I know that the converted time to this entry was actually searched outside of private browsing. Just coincidence or is the URL really storing the timestamp? @ScottKjr3347 (edited)
It does seem like it, yes. Check row 4, after the ved=. That might be a timestamp as well. (edited)
👍 1
florus
It does seem like it, yes. Check row 4, after the ved=. That might be a timestamp as well. (edited)
Hans Leißner 3/29/2023 4:25 AM
ved=2ahUKEwjW7MjSzLz6AhXT_7sIHaj1BRUQ_AUoAnoECAIQAg&biw=390&bih=664&dpr=3 Either my knowledge of time stamps is decreasing here or I have bad luck here
Hans Leißner 3/29/2023 5:13 AM
Does anyone have infos about the timestamps? UTC? or are they UTC+ timezone from the device? https://dfir.blog/unfurl/
Extract and Visualized Data from URLs
Hans Leißner
Does anyone have infos about the timestamps? UTC? or are they UTC+ timezone from the device? https://dfir.blog/unfurl/
Utc+0
♥️ 1
florus
Utc+0
Hans Leißner 3/29/2023 5:30 AM
thanks!
House Whiskey 3/29/2023 5:32 AM
Hey all, does anyone know off the top of their heads if the contents of the Files by Google 'safe folder' is decoded properly by PA if collected through a FFS extraction (edited)
Can anyone from @Cellebrite DM me please? (edited)
📬 1
House Whiskey
Hey all, does anyone know off the top of their heads if the contents of the Files by Google 'safe folder' is decoded properly by PA if collected through a FFS extraction (edited)
thatboy_leo 3/29/2023 9:40 AM
I was able to find the contents of a locked secure folder on a s22 through a ffs collected by ufed
🫡 1
Cellebrite WeChat Q: For an older device seized where the user has moved on and the 'handshake' to their WeChat account is now present on their newer hardware, is there any way to decrypt and include WeChat content when completing Android Backup on their old phone? (Device is on a too new SPL for FBE). Thx in advance.
Alexsaurus
Cellebrite WeChat Q: For an older device seized where the user has moved on and the 'handshake' to their WeChat account is now present on their newer hardware, is there any way to decrypt and include WeChat content when completing Android Backup on their old phone? (Device is on a too new SPL for FBE). Thx in advance.
@Cellebrite
Can you not do a full extraction?
CLB-Paul
Can you not do a full extraction?
We got a File System Android backup as Full FBE doesn't run on the security patch level.
What is the device ? And which method did you try to use
CLB-Paul
What is the device ? And which method did you try to use
Note 10+ and we performed File System Android backup
Alexsaurus
Note 10+ and we performed File System Android backup
Did you try Smart Flow ?
CLB-Paul
Did you try Smart Flow ?
Running it now, it seems to be doing a backup again but we will see when it completes.
Smart Flow doesn't have a backup aspect to it. Feel free to send me a screenshot in DM
florus
Utc+0
Hans Leißner 3/30/2023 1:21 AM
I have loaded this URL into NetAnalysis from DigitalDetectives (Vers. 3.4). Interestingly, the decoded timestamps are displayed differently there. Maybe an idea what this could be? Not sure right now if NetAnalysis supports this at all and I should not trust this source. (edited)
1:21 AM
1:21 AM
Hans Leißner
I have loaded this URL into NetAnalysis from DigitalDetectives (Vers. 3.4). Interestingly, the decoded timestamps are displayed differently there. Maybe an idea what this could be? Not sure right now if NetAnalysis supports this at all and I should not trust this source. (edited)
Different to what?
Hans Leißner
[attachment]
Hans Leißner 3/30/2023 3:29 AM
This one, compared to the screen below (from unfurl). Absolutely different timestamps. But as I mentioned, I guess NetAnalysis is not capable of analysing those URLs correctly
Hans Leißner
This one, compared to the screen below (from unfurl). Absolutely different timestamps. But as I mentioned, I guess NetAnalysis is not capable of analysing those URLs correctly
Why dont you decode the timestamp yourself, to validate? Or do some tests with an iPhone, dump it, and compare the timestamp values.
👍 1
3:57 AM
The 166.. value seems a Unix milliseconds timestamp to me.
florus
Why dont you decode the timestamp yourself, to validate? Or do some tests with an iPhone, dump it, and compare the timestamp values.
Hans Leißner 3/30/2023 4:12 AM
I unfortunately trusted NetAnalysis to do that xD. I was just surprised, because I thought that they are known to deal with URL. Manual decoding has helped me then thankfully.
Hans Leißner
I unfortunately trusted NetAnalysis to do that xD. I was just surprised, because I thought that they are known to deal with URL. Manual decoding has helped me then thankfully.
Never trust a tool blindly 🙂 Well done validating manually!
💯 1
Hello everybody! I need some help in finding the IMEI in a physical copy of an L8Star BM70 Chinese phone.
Hans Leißner
I unfortunately trusted NetAnalysis to do that xD. I was just surprised, because I thought that they are known to deal with URL. Manual decoding has helped me then thankfully.
JLindmar (83AR) 3/30/2023 9:05 AM
Surprising to read that NA may be decoding a timestamp incorrectly considering they have a standalone program for timestamp decoding/encoding. Did you put in a support ticket? In my experience they respond very quickly to support issues.
JLindmar (83AR)
Surprising to read that NA may be decoding a timestamp incorrectly considering they have a standalone program for timestamp decoding/encoding. Did you put in a support ticket? In my experience they respond very quickly to support issues.
Hans Leißner 3/30/2023 10:00 AM
Ill take a closer look into that tomorrow 👍🏻
10:06 AM
I do not rule out a user error (me) at this point 😅 (edited)
In Axiom under Google Map Queries, there is a column that is called "Center of Map". Anyone know what this column means? Most of the locations on it seem to be totally unrelated to my case.
@Oxygen Forensics Hi, have a nice day. I have an Oppo CPH1909 (MT6765) device and I have a physical image, but the device is encrypted and I have not found the password. How can I do it? Thanks for the help
Hello all. I'm looking for some guidance with PA 8 Databases. I'm curious where the best location for this should be? Should it be on a separate drive? Is this a singular database for everything you do in PA or do you create a database for each case in its own folder? Thanks.
mutualism
@Oxygen Forensics Hi, have a nice day. I have an Oppo CPH1909 (MT6765) device and I have a physical image, but the device is encrypted and I have not found the password. How can I do it? Thanks for the help
Oxygen Forensics 3/31/2023 7:55 AM
Hello! Please let me DM you with some questions 🙂
stps358
Hello all. I'm looking for some guidance with PA 8 Databases. I'm curious where the best location for this should be? Should it be on a separate drive? Is this a singular database for everything you do in PA or do you create a database for each case in its own folder? Thanks.
@stps358 The database should be on a separate drive, and the best is when it is an SSD. It is a database for your PA8. It has a case management, but you can only add one device to a case, so far. I used PA8 for some time but I am not satisfied. Now I am only using PA 7.x because of fewer problems. That is my opinion and my experience. I will wait until there is only PA8. (edited)
Hi, I had a question about the iOS mobile_installation.log.0 file. The question is if the times are in UTC 0 or in the time zone of the phone? Thank you very much
tost
@stps358 The database should be on a separate drive, and the best is when it is an SSD. It is a database for your PA8. It has a case management, but you can only add one device to a case, so far. I used PA8 for some time but I am not satisfied. Now I am only using PA 7.x because of fewer problems. That is my opinion and my experience. I will wait until there is only PA8. (edited)
I'm aware that you can only add one device at a time. This is a huge detractor for me as I like to be able to have a case with multiple devices, as most cases have multiple devices. Thanks for the info on the database. It will be going on an SSD; I was just uncertain if I should be changing the database path on a per case basis. Just testing the waters again on 8 to check it out.
AlbertoBM
Hi, I had a question about the iOS mobile_installation.log.0 file. The question is if the times are in UTC 0 or in the time zone of the phone? Thank you very much
JLindmar (83AR) 3/31/2023 9:45 AM
Should be local time based on the system clock + settings.
stps358
I'm aware that you can only add one device at a time. This is a huge detractor for me as I like to be able to have a case with multiple devices, as most cases have multiple devices. Thanks for the info on the database. It will be going on an SSD; I was just uncertain if I should be changing the database path on a per case basis. Just testing the waters again on 8 to check it out.
You need to create a new case for each device. In the future the case management will be a nice feature with several devices per case , but now it is very annoying. In addition there are still existing bugs, which do not make the work easier and faster. In the past i created tickets at support because of some problems. This is the main reason why i am using PA 7.x now. (edited)
JLindmar (83AR)
Should be local time based on the system clock + settings.
Thank you very much! I thought it might be like that, but I didn't have anything to test. Thank you very much again!!
(replying to AlbertoBM)
JLindmar (83AR) 3/31/2023 10:43 AM
Generally speaking, most text-based system logs that don't specify timezone (e.g. "Z" = UTC) in the timestamp are presumed to be in local time unless otherwise noted.
Russell Abel - Bastrop County SO 3/31/2023 1:20 PM
If anyone here is familiar with Android extractions and SMSC, please let me know. I need to talk to someone about the meaning of some events in an extraction. (Using PA) @Cellebrite maybe? (edited)
TiffanyRbns 3/31/2023 1:24 PM
Seeing if anyone has experienced this... We have extractions of 2 phones with conversations, and one phone is missing a section of the text back and forth in the conversation. No indication the texts were deleted, per the extraction. Seems as though this person is creating incoming/outgoing spoof texts. Does anyone know of any specific apps/tools/websites that can do this? Example texts show timestamps of 1:57:00pm, 2:54:00pm, 4:30:00pm.
(replying to TiffanyRbns)
CLB-Paul: I personally handled a few investigations a few years ago where apps could do this. Check the source. My files were all Android devices and I found it in the mmsms db file.
(replying to Russell Abel - Bastrop County SO)
Can try, but that's the Short Message Service Centre.
Russell Abel - Bastrop County SO 3/31/2023 1:49 PM
Right. I have multiple messages with the SMS field populated with a phone number. I'm fairly certain that number is for the SMSC.... (edited)
1:50 PM
Many of the messages show a Folder of Unknown or Other. I'm trying to figure out what that means, and whether or not the intended recipient of the messages ever received them.
Can you send me a DM w/ a screenshot?
Russell Abel - Bastrop County SO 3/31/2023 1:51 PM
Sure
(replying to Russell Abel - Bastrop County SO)
CLB_joshhickman1 3/31/2023 1:54 PM
Message receipt indicator is not a feature of SMS. RCS has that capability, but that would be dependent on how it's implemented. (edited)
Russell Abel - Bastrop County SO 3/31/2023 2:05 PM
I know that SMS doesn't give receipt, but I could have sworn that SMSC being populated was an indicator of the message being unable to be sent from the SMSC to the recipient.
2:05 PM
Here's what I'm looking at...
2:06 PM
(replying to JLindmar (83AR))
Yes, I understand. I was comparing it with the databases that are in UTC 0. Thank you very much for this good explanation.
Heimdall4N6K 3/31/2023 11:32 PM
Hi, do you know where I can find the info on the devices that were connected to an iPhone that was used as a Wi-Fi hotspot? I can't find the info in the apple.wifi.plist. Do you know in which artifacts or plist this info is located? Thank you.
Does anyone know if there's a setting in Cellebrite PA that causes images/screenshots in the DCIM folder not to show up in the timeline? Creation/modified/access dates are all there...
jjh2320: Morning morning, is anyone from @Magnet Forensics available for a few questions re iOS processing please?
(replying to jjh2320)
cScottVance 4/3/2023 4:20 AM
Happy to try and assist!
chrisforensic 4/3/2023 4:55 AM
Hello @Cellebrite... sometimes the latest PA freezes on exporting a .ufdr report... do you know the reason? And no write activity to the SSD (Task Manager)... waited now 20 minutes at the last stage (XML report will be saved).
(replying to chrisforensic)
CLB-LoukaO 4/3/2023 4:58 AM
The fact that the disk is not being written to does not mean it's stuck. The CPU is quite active, and maybe the XML is being computed prior to writing. How big is the dump? Maybe let it run for more than 20 mins.
chrisforensic 4/3/2023 4:59 AM
It's just 12 GB.
5:00 AM
And the protocol window says that the XML was saved? (edited)
I had bigger ones and had no trouble, hm.
5:04 AM
I'm sure I'm not the only one who has this problem sometimes 🙂 (edited)
(replying to chrisforensic)
CLB-LoukaO 4/3/2023 5:31 AM
Oh yeah, I do agree. Then can you open a support case? If you redo the whole process, does it work?
chrisforensic 4/3/2023 5:35 AM
Tried several times... restarted the PC too... every time the same... tried other report destinations... always the same.
Good morning all! Hopefully someone can help. I'm looking through power logs on an iPhone 8+ on iOS 14.7.1. The phone was seized and had an AFU brute-force GrayKey extraction done 1 day after seizure. Looking through the power log at /private/var/containers/shared/systemgroup/GUID/library/batterylife/archives/… For information: the phone was seized on 12/4/21. The power logs have dates 12/1/21-12/5/21 and 6/12/2073, plus a current power log. Within these power logs from 12/2021, all of the timestamps are for 11/2021. Why the month difference?
5:40 AM
Also with the passcode I did a UFED checkm8 FFS extraction and the power logs are the same
spicy_caveman 4/3/2023 6:48 AM
Great morning! Is there anyone online who can speak to iOS containers/data/application/92B3CD6A-943F-494E-A006-34821F0526D3/Library/Caches/webkit/networkcache/version 14/records??
snoop168: Might be related to @spicy_caveman's question, but does anyone have info on files such as this sample: /private/var/mobile/Containers/Data/Application/388E2237-BAF8-415C-B97E-B406C7C53279/tmp/WKVideoUpload-doXcyMjT/IMG_9685.MOV, focusing on the WKVideoUpload-doXcyMjT folder? I assume this is a "WebKit" video upload, but any idea to where/what? I'll be searching that GUID momentarily and I'll report back with what app it's related to. (edited)
(replying to snoop168)
spicy_caveman 4/3/2023 10:07 AM
Probably the exact type. I am looking at BLOB files and whether the webkit/networkcache is human-viewable by the user on the device.
Have a case where we need to know when a user changed his Instagram bio. Anyone know where to look to find this timestamp? We have an AFU extraction from an iPhone XS running iOS 15.1.
Hi, does anyone deal with the folder paths of Telegram? Are files located in the path "Android/data/org.telegram.messenger.web/files/Telegram/Telegram Video" automatically saved or not? (edited)
Hello. Does anyone know how to decrypt files from the Huawei private safe? The password is known.
Peacekeeper 4/4/2023 4:51 AM
This is a message in WhatsApp on an iPhone. You can set whether or not you want to see media files of that chat in the device's gallery, and you can select this per chat. A colleague of mine has a question: does anyone know in what table we can see this setting per chat? We can no longer check this on the device itself since it has since been destroyed. We have a FFS extraction.
chrisforensic 4/4/2023 6:09 AM
Heyho folks! Is somebody here with the knowledge to decode the .sav files, which contain geodata from the iGO navigation app? Some years ago I had a Python script for decoding these .sav files, but I lost it...
6:10 AM
Opened in a hex editor I can see here, as an example, the address "Gudulastrasse 16, 46414 Rhede, GER" (for Germany). (edited)
James Pedersen 4/4/2023 3:34 PM
Does anyone here know how to obtain the derived AES keys (key 0x85, key 0x86, etc, see https://www.theiphonewiki.com/wiki/AES_Keys ) from a jailbroken iPhone 6? (edited)
(replying to James Pedersen)
James, one post will do 🙂
John: I'm investigating an iPhone 13 running iOS 16.0.3 and I am trying to identify whether Snapchat was installed and then removed. I am fairly certain that it's not; however, I have found this artefact which I am not familiar with. I have spoken to Oxygen support; however, they have pointed me to here to try to understand what it is. The artefact in question is the com.apple.mobilesafari - Snapchat (highlighted in blue). Any help would be appreciated.
(replying to John)
You could import the public image of Josh Hickman, to see if you can find a similarity? It's odd Safari is linked to the Snapchat app, so that's probably not it... Is "snapchat" in the zvaluestring column? Or where is this info from? Zobject table? What column? (edited)
John: It appears it is inside the Zstructuredmetadata table. I've attached a picture. Sorry if I am missing details; I am still fairly new to DF.
(replying to John)
And it's not in zobject? Where does the link to com.apple.mobilesafari show? Because this table references zobject, if I'm correct. (edited)
John: As far as I can tell it's not, while it does say it's from the source tables Zobject, Zstructuredmetadata and zsource. I have looked through all the zobject records and cannot find the reference to this snapchat record.
3:48 AM
My thinking was it may just be related to an advert or something, due to it being at exactly the same time as other artefacts relating to web history, which is also why there is another record exactly the same for Nintendo.
Hans Leißner 4/5/2023 3:57 AM
Snapchat via Browser?
John: There is only this single entry, which doesn't mean the web history hasn't been deleted. I will have to create some test data and investigate further.
(replying to John)
Hans Leißner 4/5/2023 5:22 AM
Have you been looking into favicons.db? With Unfurl from dfir you can get timestamps from those google.co.uk searches, like the one in the first line, "is snapchat encrypted". Maybe you can get additional info from that. (edited)
Zoe: Hi, has anyone had much experience with File Safebox on a Vivo S1 Pro (Vivo 1920)? It is locked with a 6-digit numeric code or fingerprint. I am looking for where the code hash is stored so I can try to crack it. Thank you.
I am looking to understand a GPS blob from Google. I have the decrypted data, but I don't have a framework to parse it against; the blob data is supposed to contain speed from using Google Maps. Can anyone assist or point me in the right direction? Thank you.
(replying to John)
Did you look in the Biome artefacts?
Bobby: Hi @Cellebrite, anyone available for a quick DM? Many thanks.
CloudCuckooLand 4/6/2023 2:44 AM
@Zoe If you have a FFS, you can get the unsalted SHA1 hash of the pattern/PIN of the Safebox from the /data/user_de/com.android.settings/ folder. I had a pattern and it was called gatekeeper.secret_pattern.key. Don't let "gatekeeper" put you off; it isn't salted, nor does it use the secure element. For patterns the grid points are the old-style 0-8 grid, not 1-9. I had to dig up the old rainbow table we had for Android 4 devices! Edit: My device is a Vivo 1919, running Android 12. (edited)
(replying to Bobby)
CLB_4n6s_mc 4/6/2023 2:54 AM
Hi, how could we help?
(replying to CloudCuckooLand)
Zoe: Thank you. Yes, I have a FFS from Cellebrite Premium. I have found a file called secret_data.xml in the folder /data/user_de/com.android.settings which contains a hash that appears to be SHA256. When running this as a brute force in Hashcat it exhausted without finding the 6-digit code. So possibly salted, but not sure where to find the salt. Device is a Vivo 1920 running Android 11 and Funtouch OS_10.5. @Cellebrite any suggestions on where I might find the salt for the File Safebox hash? Thank you.
(replying to Zoe)
CloudCuckooLand 4/6/2023 3:45 AM
My Safebox password file is from early 2020, maybe a new, more secure algorithm is used if the password is created on newer firmware.
Micke: Hi @Cellebrite, anyone available for a quick DM?
tost: Hello everyone, where can I find the information on the iPhone about an Apple Watch and AirPods which are/were connected, especially in Cellebrite PA? I need the serial numbers. (edited)
(replying to tost)
Try here: historySecureProperties.plist. This article has a few other places to look, also for watches: https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
Echmyre[FORENTECH] 4/7/2023 12:40 AM
Hi everyone, we have an iPhone 7, iOS 14.4. We dumped this device with @Cellebrite UFED / @Passware Kit Mobile and @Elcomsoft EIFT, and we always have the same problem: we extract 220 GB but we have only 50 GB of data on the device. Parsing with PA is not working. Has someone already had this problem?
(replying to Echmyre[FORENTECH])
Oxygen Forensics 4/7/2023 1:02 AM
Hello, one of our users had 3 TB 🙂 Considering that the result is reproducible, the only common denominator is at fault: a bug on Apple's side. You can see a bunch of such issues reported around Reddit and forums. Very easy to find for Voice Memos, for example: https://www.google.com/search?q=voice+memo+size+on+iphone+terabbytes&oq=voice+memo+size+on+iphone+terabbytes&aqs=chrome..69i57j33i160l3.13032j0j7&sourceid=chrome&ie=UTF-8 https://www.reddit.com/r/applehelp/comments/vs5ua7/voice_memos_app_apparently_taking_up_371_tb_on/
Echmyre[FORENTECH] 4/7/2023 1:17 AM
Thanks @Oxygen Forensics. Hmm, so FFS will be difficult... no solution seems to have been found for this bug.
(replying to Echmyre[FORENTECH])
CLB-dan.techcrime 4/7/2023 1:51 AM
Copy-on-write is also at play and causing data duplication (which we just de-duplicate in PA rather than try to outsmart it during extraction): https://mac-optimization.bestreviews.net/the-magic-behind-apfs-copy-on-write/#:~:text=The%20copy%2Don%2Dwrite%20technique,overwriting%20the%20data%20in%20place. (edited)
Lox: Hi guys, I'm currently doing a dissertation on WhatsApp forensics on Android and iOS devices, and I have come to an issue. The iPhone was done via an advanced logical extraction on Cellebrite, and the Android a full file system extraction, also on Cellebrite. The iPhone shows the chat logs on WhatsApp perfectly in the report. But the Android doesn't show any WhatsApp chats, only native messages. Is this because advanced logical is more thorough? Have I done something wrong? I'm new to Cellebrite, so any info would be greatly appreciated! Thanks 🙂
Echmyre[FORENTECH] 4/7/2023 2:04 AM
Thanks CLB-dan.techcrime. For the moment we have no solution; the tar file is corrupted and cannot be opened. We will test under Linux.
(replying to Echmyre[FORENTECH])
v_katalov: We encountered such a problem a couple of times. Usually that's a problem in the iPhone file system, when one of the files reports an incorrect size. In our acquisition agent we have an option to skip files with a size exceeding the given limit; looks like we need to add the same to checkm8 extraction.
Mistercatapulte 4/7/2023 2:24 AM
@v_katalov our problem is the device running 14.4, and your exploit is limited to 14.3 😦
(replying to Mistercatapulte)
Yes, that's why I said we need to implement such an option (to skip "corrupted" files) to checkm8, too...
Echmyre[FORENTECH] 4/7/2023 2:30 AM
It seems Ubuntu can open and decompress the corrupted tar file. 🤞
Echmyre[FORENTECH] 4/7/2023 4:55 AM
So the .tar created by EIFT was decompressed with Ubuntu (a lot of errors); impossible under Windows, WinZip, WinRAR... The extracted folder now weighs 130 GB (50 GB in the FS). PA parsed this one, with errors of course, but parsed it.
@Cellebrite so CSAM case I'm working, and I have found a BitTorrent download folder off a physical on a 32 GB SD card. I can't get any of the files to play. I've tried Media Player Classic and VLC. MP4 files. Some over a GB. Any ideas on how to get a frame from these videos or get them to play? I'm pulling the MD5 hashes for NCMEC comparison as well.
(replying to Lox)
The FFS extraction from an Android device should contain WhatsApp. Do you have only UFED, or PA for processing too? And which versions do you use? It could be that the WhatsApp version on Android is too new for processing with PA if you use an older version. If I remember correctly, the WhatsApp database was changed in the past. This could be a reason for that. Do you see the wa.db and msgstore.db in PA? (edited)
Upon further digging it appears these files might be groups of video files, like a series. But Cellebrite extracted it as one MP4 file. I have a text file describing one as containing 17 MP4 files.
(replying to Echmyre[FORENTECH])
CLB-dan.techcrime 4/7/2023 7:09 AM
Doesn't our checkm8 extract as a CLBX .zip and not .tar or .dar?
Echmyre[FORENTECH] 4/7/2023 7:13 AM
@CLB-dan.techcrime With Ubuntu I tested with Elcomsoft's extraction. I had the choice between the three vendors, but it worked with the first, so that was enough for me. With Windows it was impossible to decompress the container (whether it came from CLB, Passware or Elcomsoft).
(replying to Echmyre[FORENTECH])
Dmitry Sumin 4/7/2023 7:34 AM
It is quite common. Sometimes it is caused by Copy-On-Write feature of APFS.
Cenizas: Hi everyone, I'm looking for someone who might be willing to chat with me via phone to help me understand Android daily usage stats. I'm looking at the file in Notepad++ and have several questions about the correlation between event logs, package and config data. I've attempted to use ALEAPP but am not getting any results. This file is completely new to me but appears to have lots of data that would be valuable to my homicide case.
(replying to Cenizas)
Jshoe: What kind of extraction do you have... full file system?
(replying to Cenizas)
theAtropos4n6 4/8/2023 11:11 PM
(two link previews: a post on Sarah Edwards' APOLLO pattern-of-life framework for iOS, and a post on the Android UsageStats artifact that points to Alex Brignoni's blog explaining it)
(replying to Jshoe)
Cenizas: I do have a full file system.
Cenizas: Thanks for sending these. I found them before the post, but honestly some of it is over my head! I'll give it another shot though.
Hey guys. I have sent a similar message on the other channels and I thought about sending it here also. Could you guys please give me some good verified tutorials on MFD? I would love to learn more about these things.
(replying to Cenizas)
Brigs: Can you share the path of the files you are interested in and what Android version you are working on?
(replying to CLB-Paul)
TiffanyRbns 4/10/2023 7:45 PM
Thanks a bunch.
Hello everybody, where can I find the information about the last connection date on an iPhone with an Apple Watch?
Hello all! I did a Signal backup from an Android device with the passphrase. I have an issue with the decoding: in PA I don't have the messages, but I have the receiver/sender and dates.
2:40 AM
In Axiom I have only the last message of the conversation.
2:40 AM
Has anyone already had this behaviour? Or maybe someone from @Cellebrite @Magnet Forensics?
Update: it seems the last messages come from the "thread" table, but I have nothing in the "message" table. Tested with Signal 6.13 and 6.16; it seems the backup doesn't contain the messages anymore.
7:22 AM
(on 2 different phones)
James Pedersen 4/11/2023 9:27 AM
Hi, does anyone know if there's a way to demonstrate that NordVPN was being used on an iPhone at a given time? I have a jailbroken iPhone with NordVPN installed, and I want to have something which can confirm whether or not the device owner was using NordVPN on the iPhone at a specific time. (edited)
(replying to James Pedersen)
Network usage?
Axen Cleaver 4/11/2023 12:04 PM
Good morning/afternoon! Got a fun one today. Device: Samsung SM-S908U1, Android 13, SPL 03/01/2023. Screenshots of the device showed an inappropriate SMS conversation. Obtained an FFS extraction, loaded it into @Cellebrite PA, and didn't see the conversation. A hex search of the known verbiage revealed a fragmented version of the conversation in the smsmms.db-wal file. Using PA's Database Viewer, I wasn't able to populate the conversation. Exported the db, shm, wal, and ufd files and loaded them into DB Browser for SQLite; still didn't populate. Any thoughts on recovering the SMS conversation out of the WAL to put it into a court-presentation-friendly format?
(replying to Micke)
Hi @Cellebrite, anyone available for a quick DM?
Is there a simple explanation as to why the timestamps in interactionC (ZContacts -> zfirstincomingrecipientdate & Zlastincomingrecipientdate) don't marry up exactly with the associated timestamps in the call history (ZCallRecord -> ZDATE)? In this case my firstincomingrecipientdate is three seconds after the associated call log time, while the ZLastIncomingRecipientDate is two seconds before the associated call log.
(replying to Brigs)
Cenizas: It is running Android 9 and the path is data/root/system/usagestats/0/daily
12:42 PM
Does anyone know where I can find the advertising ID on an iPhone X? Cellebrite supposedly parsed it, but it's showing all 0s.
hbza: Hello everyone. Is anyone aware of a tool which can read and decode the databases of the Tencent QQ mailbox application on iOS? Not having any joy with Cellebrite or Axiom. I've got a FFS of the device and can see the databases available. Thanks! (edited)
Hi All. Looking to determine if there's any historical record in Android that will outline a user switching between network-derived time/date in settings vs manually entered time/date.
(replying to hbza)
chrisforensic 4/12/2023 7:56 PM
Hi, as far as I know, MD-RED from GMD should decode it... (edited)
(replying to chrisforensic)
Hans Leißner 4/13/2023 12:07 AM
OXYGEN supports it too
(replying to Hans Leißner)
chrisforensic 4/13/2023 1:37 AM
Hi, are you sure it supports QQMail and not just QQ Messenger?
(replying to chrisforensic)
Hans Leißner 4/13/2023 1:38 AM
You're absolutely right. My fault 🤫 😅
felloffthebarstool98 4/13/2023 7:41 AM
I have an Android, and in the parsed usage stats I have an entry that states "standby bucket changed", and the package name has an email address of interest. What can I derive from the usage stats type of "standby bucket change"? What causes this to happen?
(replying to Axen Cleaver)
JLindmar (83AR) 4/13/2023 9:06 AM
That's an interesting one. If you can see the conversation/messages on the device in the associated application, then one would expect to find the conversation/messages in the application's associated source file(s) within the acquired data. Unless the data isn't actively stored on the device and is being loaded in the app from its cloud storage location whilst connected to the Internet?
(replying to Axen Cleaver)
CLB-ChenK: What is the app in which you see the message on the device? Is it Samsung Messages, or maybe another app that was set as the default SMS app?
Axen Cleaver
Good morning/afternoon! Got a fun one today. Device: Samsung SM-S908U1, Android 13, SPL 03/01/2023. Screenshots of the device showed an inappropriate SMS conversation. Obtained an FFS Extraction, loaded into @Cellebrite PA, and didn't see the conversation. HEX search of the known verbiage revealed a fragmented version of the conversation in the smsmms.db-wal file. Using PA's Database Viewer, wasn't able to populate the conversation. Exported the db, shm, wal, and ufd files and loaded them into DBBrowser for SQLite, still didn't populate. Any thoughts on recovering the SMS conversation out of the wal to put it into a court-presentational friendly format?
Sanderson Forensics tools are great at this.
Brigs
Sanderson Forensics tools are great at this.
CLB_joshhickman1 4/13/2023 5:51 PM
In addition to Sanderson, FQLite is also decent at handling .WAL files.
CLB-ChenK
What is the app in which you see the message on the device? Is it Samsung Messages or maybe another app that was set as the default SMS app?
Axen Cleaver 4/14/2023 7:08 AM
This device uses Google Messages as the default SMS app. The screenshots were captured by remote software, but were not present on the device. Used the Sanderson Forensics Browser and Explorer, but still couldn't recover it. Also could be my lackluster SQLite skills, but others with more SQLite familiarity also could not recover it. I have not tried FQLite, so I can give that a try if we have it.
Did you try your luck also with the bugle.db sqlite? (Google Messages DB)
Anyone have experience with Infinity-Box Chinese Miracle? And if yes, did you manage to run it on Windows 10?
it doesn't need anything extra, just click and it'll run
7:12 AM
You might need to disable virtualization-based security, as it doesn't like VMs, and it might detect an OS with VBS as one.
okok thx
CLB-ChenK
Did you try your luck also with the bugle.db sqlite? (Google Messages DB)
Axen Cleaver 4/14/2023 7:14 AM
Not directly. I can try that and see if it's not as fragmented in that one.
spicy_caveman 4/14/2023 12:21 PM
Anyone savvy with iPhone group.snapchat.picaboo - specifically the /load_message.timestamps~b~
spicy_caveman 4/14/2023 5:16 PM
I am trying to determine, from data in a configuration file from that specific database, whether a "load_message" means that the Snap is loaded into the app by the system, or that the Snap is loaded because it was accessed.
Anyone here for a quick question regarding callHistory.storedata... reason 6 (self rejected) in ArtEx. Does that mean that the recipient rejected the call?
7:49 PM
its urgent 🙂
7:49 PM
@CLB_iwhiffin
What do self ended and self rejected mean? An incoming call can last for 150 secs and then still be self rejected....
spicy_caveman 4/16/2023 7:12 AM
@b1n2h3x morning! Is there any way I can get an iTunes backup parsed into iLEAPP?
spicy_caveman
@b1n2h3x morning! Is there any way I can get an iTunes backup parsed into iLEAPP?
Yes, if you have the folder extraction you can load that in.
spicy_caveman 4/16/2023 7:18 AM
@b1n2h3x I am having issues with this process. Are you available for DM?
spicy_caveman
@b1n2h3x I am having issues with this process. Are you available for DM?
Apologies, on a plane atm.
spicy_caveman 4/16/2023 7:19 AM
@b1n2h3x no worries- I have a little time 🙂 fly safe
spicy_caveman
@b1n2h3x morning! Is there any way I can get an iTunes backup parsed into iLEAPP?
Hans Leißner 4/16/2023 8:35 AM
iTunes backup must be non-password-encrypted (no iTunes backup password set).
Hans Leißner
iTunes backup must be non-password-encrypted (no iTunes backup password set).
spicy_caveman 4/16/2023 8:41 AM
The backup I have is non-PW; I just am not able to get it to parse no matter how I load it. I have tried zipped, tar, unzipped; not working for me, unfortunately.
spicy_caveman
@b1n2h3x morning! Is there any way I can get an iTunes backup parsed into iLEAPP?
Heimdall4N6K 4/16/2023 12:30 PM
spicy_caveman 4/16/2023 1:45 PM
Thank you very much- this solved my issue.
Morning gang, got an FFS extraction from a Huawei ELE-L29 P30 running Android 10, but the call logs are missing for the dialler. I have checked all the usual DBs, contact2, calllog, etc., but found nothing. There are calls on there, as I can see them! Anyone got a golden nugget of knowledge on this?
12:41 AM
I had 2 extractions for this phone, 1 from Trevor and the other from UFED and neither show calls. Weirdly, the UFED extraction using Kirin Live contained a lot more data and was decoded better than what Trevor chucked out...
Solved it. Advanced Logical extraction got the missing call data but didn't indicate where from, but I don't care!
1:36 AM
Please, don't send me any messages of thanks, it was my pleasure! More pay for me? No! I do this for the love of crime fighting, but thank you anyway, unless you think I need to start a GoFundMe or something?
The database files from the initial extractions existed, and you could access them manually?
What is the difference between "Android Backup" and "Android Backup APK Downgrade"? Which one is better? (Using UFED.)
2:58 AM
Looks like APK downgrade is worse, but I don't know how it works under the hood.
It's the opposite.
APK downgrade can get you some messenger apps by downgrading them to a version that allowed for ADB backup.
3:00 AM
But depending on firmware version, it's not fully safe and may, in extreme cases, lead to data loss.
CloudCuckooLand 4/17/2023 3:02 AM
Did the Android 12 downgrade problem get fixed? Or is the method prevented forever now?
Arcain
But depending on firmware version, it's not fully safe and may, in extreme cases, lead to data loss.
OK, thanks for the information.
Looking at a video that originated from Snapchat. I can see that the original filename was 'cm-chat-media-video-1:snapchatuserID:25:1:0.mov'. From experience, cm-chat-media-video refers to a video being sent or received as an attachment within a Snapchat conversation (please correct me if I'm wrong on this). UsersnapchatID: recipient user ID that the local Snapchat account is talking to. However, what are the extra numbers? 1: or :25:1:0?
Pacman
Looking at a video that originated from Snapchat. I can see that the original filename was 'cm-chat-media-video-1:snapchatuserID:25:1:0.mov'. From experience, cm-chat-media-video refers to a video being sent or received as an attachment within a Snapchat conversation (please correct me if I'm wrong on this). UsersnapchatID: recipient user ID that the local Snapchat account is talking to. However, what are the extra numbers? 1: or :25:1:0?
SnapchatuserID is usually the conversation ID, not a username. :25 is the server_message_id for that message, basically the 25th message sent by any party in that conversation. :1 should mean that it is the second file sent in that message. If only one file is sent, that should be :0. For the last :0 and first 1: I don't know; they are always that in my testing.
Oscar
SnapchatuserID is usually the conversation ID, not a username. :25 is the server_message_id for that message, basically the 25th message sent by any party in that conversation. :1 should mean that it is the second file sent in that message. If only one file is sent, that should be :0. For the last :0 and first 1: I don't know; they are always that in my testing.
Interesting!
6:07 AM
So 0: could mean either one or zero files sent?
Pacman
So 0: could mean either one or zero files sent?
Well, this is only seen as original filenames or in cachecontroller, so an image has been sent.
Hi, what is the correct way to import a DAR v9 archive (Passware extraction of iOS locked devices) in Cellebrite PA?
What does "phantom User" mean in Passware?
Also, has anyone ever had two passwords coming out of Passware?
1:00 AM
I believe it's because there are multiple users, but I'm not too sure.
emilie_
Also, has anyone ever had two passwords coming out of Passware?
More investigation on this: I had to use the second password in order to enable the developer option.
Anyone know what service/app com.apple.matd is referring to?
Oscar
Anyone know what service/app com.apple.matd is referring to?
JLindmar (83AR) 4/18/2023 5:51 AM
Perhaps "/System/Library/PrivateFrameworks/WelcomeKit.framework/matd"? Although I'm having a moment trying to find some documentation on "WelcomeKit".
JLindmar (83AR)
Perhaps "/System/Library/PrivateFrameworks/WelcomeKit.framework/matd"? Although I'm having a moment trying to find some documentation on "WelcomeKit".
After some more digging I think it might be connected to when a new/wiped phone is set up by syncing data from another phone. A Samsung device in this case, as some of the images have EXIF data that points to that device. All of the images are added to the album roughly at the same time as well.
CloudCuckooLand
Did the Android 12 downgrade problem get fixed? Or is the method prevented forever now?
Yuri Gubanov (Belkasoft) 4/18/2023 6:24 AM
I believe it is fixed; at least in our Belkasoft X it was addressed a few releases ago, and I think other vendors fixed it too.
Oscar
After some more digging I think it might be connected to when a new/wiped phone is set up by syncing data from another phone. A Samsung device in this case, as some of the images have EXIF data that points to that device. All of the images are added to the album roughly at the same time as well.
JLindmar (83AR) 4/18/2023 6:31 AM
That makes sense considering where I was seeing "matd" referenced.
Hello! I am currently finishing up my dissertation for my bachelor's degree in Digital Forensics. I am writing about the application Spotify on an iOS device. I have made a guide on what data I was able to locate. I am posting the guide here for those who want to take a look at it! I would also really appreciate getting feedback from those who take a look at it, since it will give me extra marks on my dissertation. Thanks! 🙂
Panda
Hello! I am currently finishing up my dissertation for my bachelor's degree in Digital Forensics. I am writing about the application Spotify on an iOS device. I have made a guide on what data I was able to locate. I am posting the guide here for those who want to take a look at it! I would also really appreciate getting feedback from those who take a look at it, since it will give me extra marks on my dissertation. Thanks! 🙂
Peacekeeper 4/18/2023 9:09 AM
I took a quick look (didn't read a lot, let me be honest about that). You might also try @Magnet Forensics AXIOM to analyze an image (don't know if you have access to a license or if Magnet is able to provide you with a trial), which is able to decode what song was playing at what specific time (if I remember correctly, it is within KnowledgeC.db). Might be a fun addition to your dissertation.
Peacekeeper
I took a quick look (didn't read a lot, let me be honest about that). You might also try @Magnet Forensics AXIOM to analyze an image (don't know if you have access to a license or if Magnet is able to provide you with a trial), which is able to decode what song was playing at what specific time (if I remember correctly, it is within KnowledgeC.db). Might be a fun addition to your dissertation.
The University has a license for Magnet as well. I did analyze some data in Magnet and Cellebrite, but not everything. But I will definitely try your suggestion. Thanks a lot! 🙂
Hey all, has anyone been able to accomplish a proximity search over mobile data? An example of the search I want to perform is Gun w/10 Robbery. Broken down, that means I want to see anything where the word Gun is within 10 words of Robbery. I exported the data out of Cellebrite in XML format and loaded it into Intella. Intella is great for keyword searching; however, some of my searches are coming from SQLite files and not from a text message conversation.
Hans Leißner 4/18/2023 9:32 PM
Oxygen maybe?
Good morning! I am facing the problem that I do not understand the difference between "Journeys" and "Locations" in the Google Location History data. The Physical Analyzer has at least split the Location History data into these two subsections. Does anyone know when a "Journey" is recorded and what exactly the difference is between it and "Locations"?
Hey all, anyone experiencing issues with @Cellebrite Physical Analyzer (7.60.1, 7.61) and parsing iOS FFS extractions, specifically pertaining to Native e-mail? Device is 16.1.1, and the emails are parsed properly, but the attachments are not being linked to the email when parsed; all have a generic attach.x.ext filename, all located in the directory /private/var/mobile/library/Mail/AttachmentData.
Hi folks, I have an Android file system extraction that I am reviewing in Cellebrite Reader, in which I found some screenshots of Google searches and their associated results under “com.google.android.googlequicksearchbox/files/recently”. The screenshot looked like what I see when using the Google app on android. Does anyone know how these end up in there? (I don’t have corresponding searches under searched items)
Nooka
Hi folks, I have an Android file system extraction that I am reviewing in Cellebrite Reader, in which I found some screenshots of Google searches and their associated results under “com.google.android.googlequicksearchbox/files/recently”. The screenshot looked like what I see when using the Google app on android. Does anyone know how these end up in there? (I don’t have corresponding searches under searched items)
CLB_joshhickman1 4/19/2023 3:16 PM
What version of Android?
CLB_joshhickman1
What version of Android?
Sorry, not in front of my work computer anymore, but I wanna say off the top of my head Android 11. I can confirm tomorrow.
Nooka
Sorry, not in front of my work computer anymore, but I wanna say off the top of my head Android 11. I can confirm tomorrow.
CLB_joshhickman1 4/19/2023 5:45 PM
No worries. The quicksearchbox folder seems to change often as far as what it contains. Based on my testing for Android 11, the files are the result of searches that have been conducted via the Google search bar that is on a user's home screen (red box). The last modification time of the jpg will be the time of the search. If a user clicks on a link within the search results you may also find jpg files of visited web pages (related to the search). For those files, the last modification time will be the time of the visit.
CLB_joshhickman1
No worries. The quicksearchbox folder seems to change often as far as what it contains. Based on my testing for Android 11, the files are the result of searches that have been conducted via the Google search bar that is on a user's home screen (red box). The last modification time of the jpg will be the time of the search. If a user clicks on a link within the search results you may also find jpg files of visited web pages (related to the search). For those files, the last modification time will be the time of the visit.
Thanks!
Hello people! I am working with a Galaxy S3 i9300. Unlocked the passcode, got full file system, but it has the Photo Locker and Video Locker apps. Oxy got the Video Locker app, but not Photo Locker. Anyone have an idea how to get Photo Locker data?
@nikmar I have scripts for both versions (XOR and AES) - media decryption + PIN!
is there a way to adjust the timezone being displayed in Axiom?
Sudo
is there a way to adjust the timezone being displayed in Axiom?
Timezone settings should be on the lower right side of the screen.
Sudo
is there a way to adjust the timezone being displayed in Axiom?
AFAIK tools > adjust date/time
Snapchat question: I’m working on a file where I am trying to link back several thumbnail files found in the data\com.snapchat.android\files\file_manager\memories_thumbnail folder to their associated records in the memories.db database. I’m particularly interested in the records in the memories_snap table, as it has the original capture date/time, but the records don’t refer to the entries with their associated filename; instead they have a UUID value entry in the ‘_id’ and ‘media_id’ columns. Does anyone know if either of these values is somehow generated from the associated filename, or some other way of associating them back to which media file is connected to the record? Thanks in advance for any help.
Mike_H
Snapchat question: I’m working on a file where I am trying to link back several thumbnail files found in the data\com.snapchat.android\files\file_manager\memories_thumbnail folder to their associated records in the memories.db database. I’m particularly interested in the records in the memories_snap table, as it has the original capture date/time, but the records don’t refer to the entries with their associated filename; instead they have a UUID value entry in the ‘_id’ and ‘media_id’ columns. Does anyone know if either of these values is somehow generated from the associated filename, or some other way of associating them back to which media file is connected to the record? Thanks in advance for any help.
If you are allowed to access cloud data I have a script that downloads the memories with information from memories.db, it should still work. I have not looked into cached memories on android unfortunately
Is anyone else getting a cloud service communication error after upgrading to Physical Analyzer 7.61?
6:09 AM
It comes up in the trace window as soon as I start parsing an extraction
Oscar
If you are allowed to access cloud data I have a script that downloads the memories with information from memories.db, it should still work. I have not looked into cached memories on android unfortunately
Unfortunately no cloud data access. Only have access to what is on the device. From my testing I can see the names it has assigned the thumbnail files in the 'memories_thumbnail' folder, and I can see the corresponding UUID assigned for this thumbnail in the memories_snap table in the memories.db database, but just don't know what they have done to generate and assign the UUID. An example UUID assigned to the media_id value is ebf190dc-ab60-d8d5-36fd-2122588fb8cf.
@Magnet Forensics I have an iPhone that I've processed with Axiom. I have a Google Search that says it was run at a particular time, and it appears to be coming from Safari Suspended State Tabs from the BrowserState.db-wal file. I know that Safari Suspended State Tabs means that the Last Interaction Date/Time is the time the tab was last interacted with, but I'm not seeing this search term committed to the actual Safari History.db. Axiom is saying this term was carved. Am I able to say with relative confidence (especially with dates and times) that this search term was run at this date and time and not hours later, like the owner of the device states?
Mattia Epifani 4/22/2023 12:43 AM
A curated list of iOS Forensics References, organized by folder with specific references (links to blog post, research paper, articles, and so on) for each interesting file - GitHub - RealityNet/iO...
Quick question, Apple iOS 12.4. Does anyone know if there is any direct correlation between "recents" and the interactionC databases? I have a single contact of interest in the InteractionC database (all other references having been deleted). I was wondering if its appearance was because of a call to or from the relevant contact? I would have assumed the data would also appear in the recents DB.
Aero
@nikmar I have scripts for both versions (XOR and AES) - media decryption + PIN!
I can't thank @Aero enough for decrypting the passcode from the Photo Locker and Video Locker apps! He guided me on how to get the files containing the passcode, and then he got in within one minute of my sending him the file.
Adam Cervellone 4/24/2023 8:52 AM
Does anyone know when @Cellebrite PA Ultra version 8.x will be in full release as opposed to its current prerelease status?
CIF
Hey all, anyone experiencing issues with @Cellebrite Physical Analyzer (7.60.1, 7.61) and parsing iOS FFS extractions, specifically pertaining to Native e-mail? Device is 16.1.1, and the emails are parsed properly, but the attachments are not being linked to the email when parsed; all have a generic attach.x.ext filename, all located in the directory /private/var/mobile/library/Mail/AttachmentData.
Just want to bump this, didn't hear any responses. @Cellebrite
Adam Cervellone
Does anyone know when @Cellebrite PA Ultra version 8.x will be in full release as opposed to its current prerelease status?
CLB_iwhiffin 4/24/2023 11:10 AM
We are aiming for ~end of May for version 8.5 which should be pretty much feature parity with 7. The big exception would be Python which is penciled in for later in the year.
CIF
Just want to bump this, didn't hear any responses. @Cellebrite
CLB_iwhiffin 4/24/2023 11:10 AM
I'm not aware of an issue, but will check it out. It may take a while to parse my data though so standby...
CLB_iwhiffin
I'm not aware of an issue, but will check it out. It may take a while to parse my data though so standby...
Thank you, if you can DM to confirm if you have a similar issue that'd be great. Thanks for the reply
@Cellebrite what kind of graphics card do you recommend having, especially to make image classification faster?
cygnusx
@Cellebrite what kind of graphics card do you recommend having, especially to make image classification faster?
CLB_iwhiffin 4/24/2023 12:33 PM
At the minute, it's just: NVIDIA GeForce GTX 2070\2080, NVIDIA Quadro P6000, NVIDIA RTX 4000\5000\6000, NVIDIA V100, NVIDIA Ampere (A2000, RTX A4000, RTX A4500, A2). But I believe more may be added soon.
Sooo... 2070/2080 is supported but 30xx or 40xx not?
CLB_iwhiffin 4/24/2023 12:51 PM
That's the latest information I have. I believe it's relatively up to date.
Bill (VeriFi) 4/24/2023 4:04 PM
is Briggs on here?
Bill (VeriFi)
is Briggs on here?
@Brigs ?
Bill (VeriFi)
is Briggs on here?
Yes.
Does anyone know anything about com.apple.routined cache.sqlite? Specifically what the detection timestamp is in the zrtvisitmo table? I have no data in the zrtcllocationmo table which is all I can find reference to anywhere, and I have entries of interest in zrtvisitmo, but the detection timestamp is outside the entry and exit time periods and I'm trying to understand why
chms17
Does anyone know anything about com.apple.routined cache.sqlite? Specifically what the detection timestamp is in the zrtvisitmo table? I have no data in the zrtcllocationmo table which is all I can find reference to anywhere, and I have entries of interest in zrtvisitmo, but the detection timestamp is outside the entry and exit time periods and I'm trying to understand why
I saved one of my favorite topics for (nearly) last. There is no question that location can play a major role in many investigations. iOS location data has changed drastically with iOS 11 from previous iOS versions. I published research on these locations in the past and parsing scripts.
Thanks, that doesn't answer my question but is useful anyway, going to try the tool!
Anyone from @Passware available?
chms17
Does anyone know anything about com.apple.routined cache.sqlite? Specifically what the detection timestamp is in the zrtvisitmo table? I have no data in the zrtcllocationmo table which is all I can find reference to anywhere, and I have entries of interest in zrtvisitmo, but the detection timestamp is outside the entry and exit time periods and I'm trying to understand why
CLB_joshhickman1 4/25/2023 4:19 AM
Slightly older, but may be useful: https://www.doubleblak.com/blogPosts.php?id=14
Panda
Anyone from @Passware available?
Passware Support 4/25/2023 6:10 AM
Sure, PM me
CLB_joshhickman1
Slightly older, but may be useful: https://www.doubleblak.com/blogPosts.php?id=14
Unfortunately not, but thank you!
chms17
Thanks, that doesn't answer my question but is useful anyway, going to try the tool!
Yup, that's why I said it would be a good insight. Have fun.
chms17
Does anyone know anything about com.apple.routined cache.sqlite? Specifically what the detection timestamp is in the zrtvisitmo table? I have no data in the zrtcllocationmo table which is all I can find reference to anywhere, and I have entries of interest in zrtvisitmo, but the detection timestamp is outside the entry and exit time periods and I'm trying to understand why
CLB_iwhiffin 4/25/2023 7:16 AM
Hi, the DetectionTimestamp is related to a process that runs in the background every day or two and aggregates the cached records, basically in order to group them. It can pretty much be disregarded, as it is not relevant to where the device was at the time shown, just the time the process ran, where it looks back over the last day or two of cached data.
thatboy_leo 4/25/2023 8:04 AM
How does duration work for callhistory.storedata. Is 0 signifying the call was not answered? If the duration was 14 seconds, could this be the voicemail length?
Hello, I have an Android phone with Instagram. Looks like E2EE chats are not present anymore in direct.db, but instead I could find the messages in ig_msys_database. Also, it looks like PA is not parsing this file; is any other tool already aware of and parsing these messages?
chms17
Does anyone know anything about com.apple.routined cache.sqlite? Specifically what the detection timestamp is in the zrtvisitmo table? I have no data in the zrtcllocationmo table which is all I can find reference to anywhere, and I have entries of interest in zrtvisitmo, but the detection timestamp is outside the entry and exit time periods and I'm trying to understand why
Heimdall4N6K 4/25/2023 9:24 AM
You can find something here searching the keyword routine: https://github.com/RealityNet/iOS-Forensics-References
CLB_iwhiffin
Hi, the DetectionTimestamp is related to a process that runs in the background every day or two and aggregates the cached records, basically in order to group them. It can pretty much be disregarded, as it is not relevant to where the device was at the time shown, just the time the process ran, where it looks back over the last day or two of cached data.
Omg thank you! Do you have a source for this?
Heimdall4N6K
You can find something here searching the keyword routine: https://github.com/RealityNet/iOS-Forensics-References
Thanks!
chms17
Omg thank you! Do you have a source for this?
Iwhiffin is the source 🧐
florus
Iwhiffin is the source 🧐
I can't quote a discord user in a report!
chms17
I can't quote a discord user in a report!
CLB-dan.techcrime 4/25/2023 2:13 PM
Ian Whiffin is Cellebrite Product Manager for Decoding 😊
CLB-dan.techcrime
Ian Whiffin is Cellebrite Product Manager for Decoding 😊cellebrite
Ah! I can probably quote him then!
I have a Huawei Y550 physical extraction. Any ideas how to virtualize the phone if possible?
wadde
I have a Huawei Y550 physical extraction. Any ideas how to virtualize the phone if possible?
is there a specific application you're trying to target? or a Huawei specific item?
Virtualize, no, but with such an old and unencrypted phone you could just write the userdata partition from one phone to another, matching the firmware version first, and it should boot with data just fine.
wadde
I have a Huawei Y550 physical extraction. Any ideas how to virtualize the phone if possible?
JLindmar (83AR) 4/26/2023 5:37 AM
I have some experience with this and compatible Android devices. You can use the Android Emulator (https://developer.android.com/studio/run/emulator-commandline.html) as part of Android Studio to boot a virtual device using the userdata partition from the extraction; however, not all data from the partition will load correctly. The most useful function of doing this in the past was being able to automate bruteforcing Secure Startup and device passcodes. You may have better luck virtualizing specific data by injecting it into the emulator rather than attempting to emulate the entire device. Cellebrite's Physical Analyzer software has the ability to virtualize specific application data this way. @Arcain's suggestion of writing the extraction data to the memory of a duplicate device will work well, as I've done this before with great results.
Discover command-line features that you can use with the Android Emulator.
wadde
I have a Huawei Y550 physical extraction. Any ideas how to virtualize the phone if possible?
You might be able to still use the Magnet App Simulator, I was able to get it to work two weeks ago even though it hasn't been updated in a few years https://www.magnetforensics.com/resources/visualize-mobile-apps-in-a-virtual-environment-with-the-magnet-app-simulator/
MAGNET App Simulator loads application data from Android devices into a virtual environment, enabling you to interact with data as if on a user's own device
CLB_iwhiffin 4/26/2023 6:24 AM
Does anyone have a FFS of an iOS16.3 or above device they can talk to me about? Nothing sensitive, just a quick question.
Does anyone know the password to open an Oxygen extraction? I want to unzip the .ocb.
CLB_iwhiffin
Does anyone have a FFS of an iOS16.3 or above device they can talk to me about? Nothing sensitive, just a quick question.
Heimdall4N6K 4/26/2023 6:52 AM
on this link there is an ios 16 extraction but I don't know which one exactly : https://www.magnetforensics.com/blog/announcing-the-mvs-2023-ctf-winners-and-a-new-ctf-challenge/
Jessica Hyde shares the results from the Magnet Virtual Summit 2023 Capture The Flag competition and also announces a new upcoming CTF!
Heimdall4N6K
on this link there is an ios 16 extraction but I don't know which one exactly : https://www.magnetforensics.com/blog/announcing-the-mvs-2023-ctf-winners-and-a-new-ctf-challenge/
CLB_iwhiffin 4/26/2023 7:41 AM
Thanks, but sadly that looks like an iOS15 dump
Heimdall4N6K
on this link there is an ios 16 extraction but I don't know which one exactly : https://www.magnetforensics.com/blog/announcing-the-mvs-2023-ctf-winners-and-a-new-ctf-challenge/
it's 16.1.1
@JLindmar (83AR) @stark4n6 the investigator would like to see the device as native as possible. There are some specific apps, only available in Sweden, that could be interesting. I will look into your links! Thanks! 🙏🏻
wadde
@JLindmar (83AR) @stark4n6 the investigator would like to see the device as native as possible. There are some specific apps, only available in Sweden, that could be interesting. I will look into your links! Thanks! 🙏🏻
JLindmar (83AR) 4/26/2023 8:21 AM
Honestly, if you ISP capabilities, that device has a known pinout. Creating a dump of the source device and writing it to a donor target, might be easier than troubleshooting an emulator.
JLindmar (83AR)
Honestly, if you have ISP capabilities, that device has a known pinout. Creating a dump of the source device and writing it to a donor target might be easier than troubleshooting an emulator.
I have done a physical extraction already using a paperclip to get it into EDL.
CLB_iwhiffin
Does anyone have a FFS of an iOS16.3 or above device they can talk to me about? Nothing sensitive, just a quick question.
I have an iOS 16.3.1 from an iPad Pro with GK (edited)
wadde
I have done a physical extraction already using a paperclip to get it into EDL.
JLindmar (83AR) 4/26/2023 8:25 AM
I haven't tried restoring an EDL extraction. Presuming the data mirrors what you would obtain via ISP, it should work. Worst case is you acquire the data from the phone a second time via ISP.
Hans Leißner 4/26/2023 9:00 PM
oops
9:01 PM
sry. was too fast xD write ahead pls
oxygen 1
♥️ 1
Not sure if this is possible, but has anyone had success carving deleted messages from Signal?
Does anyone have a link or a properly referenced source/testing that iPhones store safari history for 30 days?
Bellis
Does anyone have a link or a properly referenced source/testing that iPhones store safari history for 30 days?
1:47 AM
Does anyone have knowledge about when the username in index_snapchatterlegacyUsername is set and used in Snapchat db primary.docobjects? I can see this legacy username in a blob in table snapchatter together with another username (with the same userID). Tools are parsing this differently.
tost
I have an iOS 16.3.1 from an iPad Pro with GK (edited)
CLB_iwhiffin 4/27/2023 5:21 AM
Thankyou, I have my answer now. 🙂
👍 1
Maybe I am getting too old, but I can't for the life of me figure out how to remove/redact a PDF file from an iPhone extraction in Physical Analyzer before I make a Reader. @Cellebrite or anyone else here who can point me in the right direction?
BETBAMS
Maybe I am getting too old, but I can't for the life of me figure out how to remove/redact a PDF file from an iPhone extraction in Physical Analyzer before I make a Reader. @Cellebrite or anyone else here who can point me in the right direction?
Remove the check mark ✔️ for the item in your table view and it will not be included in the report.
Anyone have a resource to read up on the edge browser for iOS? Looking specifically for information on the following path: /private/var/mobile/containers/data/application/<app id>/library/application support/Microsoft/edge/default/sessions/{synthetic identifier}/snapshots/ The contents are of interest, looking for documentation. Not my case, just trying to help a friend. Plan on messing with a test phone, looking for a blog or write up for now.
BETBAMS
Maybe I am getting too old, but I can't for the life of me figure out how to remove/redact a PDF file from an iPhone extraction in Physical Analyzer before I make a Reader. @Cellebrite or anyone else here who can point me in the right direction?
If you specifically want to redact, I think it’s CTRL+f8, or in the actions drop-down. I know it works for images, not in front of my computer to test on a pdf.
I checked, you can’t “redact” documents, only images. So unchecking the box is the way.
forensics4fun 4/27/2023 11:28 AM
I am running into an issue with parsing iCloud returns. I have 2 versions of the iCloud, one with the backup encrypted and one with the backup decrypted. I believe that there might be an issue with the keyBag.txt file. I parse it with Cellebrite (it has multiple backups) and then with Axiom and I get different results; and I don't feel good about either. In Cellebrite PA if I parse the decrypted backup I don't get all the data that I got when I parse the decrypted backup, which I should. It's becoming an issue for our office. So in the encrypted backup I can get chats that I don't get when I parse the decrypted backup. Any suggestions on how to parse it and if I should remove that keyBag.txt file, or what are the steps that you guys use in parsing iCloud backups using PA and Axiom? Thank you so much. (edited)
whee30
I checked, you can’t “redact” documents, only images. So unchecking the box is the way.
@char|i3 @whee30 It seems I was just having a "PA moment" as I unchecked the box in table view and nothing seemingly happened. After closing my open tabs in PA and going back to the message containing the PDF, all of the sudden it had the "Redacted" sign written all over it. 300GB extraction, PA was a bit sluggish with it throughout. So closing your tabs and going back to check is still a thing to keep in mind. Thanks guys! (edited)
whee30
Anyone have a resource to read up on the edge browser for iOS? Looking specifically for information on the following path: /private/var/mobile/containers/data/application/<app id>/library/application support/Microsoft/edge/default/sessions/{synthetic identifier}/snapshots/ The contents are of interest, looking for documentation. Not my case, just trying to help a friend. Plan on messing with a test phone, looking for a blog or write up for now.
Test completed - the images here corresponded to thumbnails of open tabs in my edge browser.
Hans Leißner 4/27/2023 11:17 PM
@Oxygen Forensics anyone up for a dm? decoding related. thanks!
Hans Leißner
@Oxygen Forensics anyone up for a dm? decoding related. thanks!
Oxygen Support APAC 4/27/2023 11:32 PM
Hi @Hans Leißner I'll send you a DM so we can discuss this further
👍 1
Hans Leißner 4/28/2023 1:21 AM
@Brigs online? apple1 leapp related
forensicgeek 4/28/2023 6:11 AM
Good afternoon. Just wondering if anyone has issues when attempting to export reports using ArtEx? When I attempted to export the first item I see is “some report features are still in progress”. If I then just try and export a CSV or HTML I get an Unhandled exception “The system cannot find the file specified”. Has anyone else had this issue? Any help will be greatly appreciated. Thanks.
forensicgeek
Good afternoon. Just wondering if anyone has issues when attempting to export reports using ArtEx? When I attempted to export the first item I see is “some report features are still in progress”. If I then just try and export a CSV or HTML I get an Unhandled exception “The system cannot find the file specified”. Has anyone else had this issue? Any help will be greatly appreciated. Thanks.
CLB_iwhiffin 4/28/2023 6:14 AM
Sadly it’s a known issue with the version that’s out. I have a fix I’ll push out soon.
CLB_iwhiffin
Sadly it’s a known issue with the version that’s out. I have a fix I’ll push out soon.
forensicgeek 4/28/2023 6:24 AM
Thanks for your reply. Will await the fix.
thatboy_leo 4/28/2023 9:05 AM
How can I check in a FFS for iPhone if an update to iOS had occurred? I recall something of sorts being mentioned once
thatboy_leo
How can I check in a FFS for iPhone if an update to iOS had occurred? I recall something of sorts being mentioned once
CLB_iwhiffin 4/28/2023 9:53 AM
containermanagerd.log.x (replace x with 0 or 1 etc) may have it. When the device boots, an entry is created and it checks the iOS version. At this point, it will show if there is an update occurring, what from and what to etc. I've not checked recently if this still populates though. (edited)
CLB_iwhiffin
containermanagerd.log.x (replace x with 0 or 1 etc) may have it. When the device boots, an entry is created and it checks the iOS version. At this point, it will show if there is an update occurring, what from and what to etc. I've not checked recently if this still populates though. (edited)
CLB_iwhiffin 4/28/2023 9:55 AM
Still looks good
CLB_iwhiffin
Still looks good
thatboy_leo 4/28/2023 9:58 AM
niceeee, thank you sir, found it here on 14 Pro Max iOS 16.3.1 FFS if anyone else needed to confirm
👍 1
CLB_iwhiffin
Does anyone have a FFS of an iOS16.3 or above device they can talk to me about? Nothing sensitive, just a quick question.
Has anyone replied to you on this? I have one.
freshman
Has anyone replied to you on this? I have one.
disregard, I read back.
👍 1
Hans Leißner
@Brigs online? apple1 leapp related
Send dm. (edited)
@CLB_iwhiffin sent you a dm 🙂
👍 1
Hello to everyone! I have a locked S9 plus G965 on Android 10. I have got the physical dump but I would like to find the device passcode. Is it possible to find the user passcode in the decrypted file system?
No, it has to be bruteforced on, and through the phone itself
CLB_iwhiffin
Does anyone have a FFS of an iOS16.3 or above device they can talk to me about? Nothing sensitive, just a quick question.
Bill (VeriFi) 5/1/2023 3:30 PM
I just saw this. Do you still need it?
Bill (VeriFi)
I just saw this. Do you still need it?
CLB_iwhiffin 5/1/2023 4:02 PM
All good now thank you.
👍 1
Does anyone know how to decrypt BlackBerry chip-offs? Got the key from the SHA1 hash
7:00 AM
It's the old BlackBerry Curve, not Android
Could anyone shed some light on the following file path for WhatsApp from an iOS device: mobile/Containers/Shared/AppGroup/group.net.whatsapp.WhatsApp.shared/Message/Media. Is this location accessible on the device?
p0tt541
It's the old BlackBerry Curve, not Android
CLB-dan.techcrime 5/2/2023 9:23 AM
What's the model number? And did you photograph the screen before you disassembled?
CLB-dan.techcrime
What's the model number? And did you photograph the screen before you disassembled?
I'll have to wait for my colleague to get back to me for the model. yeah it was photographed with only one padlock.
9:37 AM
I do know its blackberry OS 5.0
p0tt541
I'll have to wait for my colleague to get back to me for the model. yeah it was photographed with only one padlock.
CLB-dan.techcrime 5/2/2023 9:37 AM
If no tiny padlock, then Content Protection is not enabled and PA should decode using BBGeneric chain
Thanks I'll double check in the morning!
thatboy_leo 5/2/2023 11:50 AM
Any pointers for investigations checking KnowledgeC if a phone was used by an individual after a certain time? Was thinking display on/off device events could help but was thinking this could be misleading
thatboy_leo
Any pointers for investigations checking KnowledgeC if a phone was used by an individual after a certain time? Was thinking display on/off device events could help but was thinking this could be misleading
Terry_____ 5/2/2023 5:53 PM
Display on/off logs could be generated just by the raise to wake feature if I'm not mistaken. So just holding the phone the certain way can turn the screen on. However, a display on log followed by app network usage logs or something could be reasonable to explain as user activity.
Terry_____
Display on/off logs could be generated just by the raise to wake feature if I'm not mistaken. So just holding the phone the certain way can turn the screen on. However, a display on log followed by app network usage logs or something could be reasonable to explain as user activity.
thatboy_leo 5/2/2023 6:02 PM
Thank you sir, I took a look at my device to test and it does seem while I’m asleep display turning on could be late night notifications as well possibly, good point on the network usage!
In KnowledgeC.db I have found several entries with ZSTREAMNAME = /inferred/microLocationVisit. Does anyone know what this stream name covers and if any location data is tied up to this stream name?
hsandeberg 5/3/2023 1:52 AM
Question! I have a full file extraction from an iPhone 8. There is a screenshot from the phone called IMG_0010.png; I have the file set to 2023-02-01 01:35. Two days later a jpg file with the same name was created. I don't know why the jpg was created, anyone know? I can only see that the file was created, but I don't know why.
⚡ 2
In Cellebrite certain extraction methods are listed as file system extraction methods, whereas other tools list them as logical or physical. Is there technically any difference between a logical and file system in Cellebrite, as it's still a logical read of data and not carving deleted as a physical would? Just something we are trying to iron out around quality testing.
4N6Matt
In Cellebrite certain extraction methods are listed as file system extraction methods, whereas other tools list them as logical or physical. Is there technically any difference between a logical and file system in Cellebrite, as it's still a logical read of data and not carving deleted as a physical would? Just something we are trying to iron out around quality testing.
Which specifically? Logical is generally an API extraction, whereas FS is generally a backup. We also did a breakdown of this in our Preparing for Court document https://cellebrite.com/en/what-happens-when-you-press-the-button-prepping-for-court/
👍 1
hsandeberg
Question! I have a full file extraction from an iPhone 8. There is a screenshot from the phone called IMG_0010.png; I have the file set to 2023-02-01 01:35. Two days later a jpg file with the same name was created. I don't know why the jpg was created, anyone know? I can only see that the file was created, but I don't know why.
Terry_____ 5/3/2023 6:31 AM
Wear-leveling perhaps? Or something else on that block was marked for deletion and this image was written to another, but the process hadn't finished?
CLB-Paul
Which specifically? Logical is generally an API extraction, whereas FS is generally a backup. We also did a breakdown of this in our Preparing for Court document https://cellebrite.com/en/what-happens-when-you-press-the-button-prepping-for-court/
Thank you I will watch that now
👍 1
Looking for deeper insight into the bugle_db database. Anyone know of a good reference or document that provides insight into the various tables and fields and what they represent? I am building some SQL queries and looking at some of the more obscure tables in the DB and wondering how they relate. I'm sure there are a lot of hidden nuggets in these tables. Thanks in advance.
The warrant Apple returns has two types of WhatsApp backups. One could be in the Backup folder and the other in the "iCloud Driver" folder. The problem is, after version 7.44 Cellebrite stopped parsing the ChatStorage.sqlite inside the backup folder. It is possible to verify if the database exists by analysing the file user@email.com/D_HashBackup/FileInfoList.txt. With the iCloud Driver folder, where the database is encrypted (but not the media), it has never been parsed before by Cellebrite, and it is always necessary to do another type of process. So the problem is that when we verify that the ChatStorage.sqlite exists inside the FileInfoList.txt we need to process with this older version (7.44). We've also tried to parse with AXIOM Cloud but the results are worse. AXIOM does not parse the backup folder. Help me? @Cellebrite
JBGA-BR
The warrant Apple returns has two types of WhatsApp backups. One could be in the Backup folder and the other in the "iCloud Driver" folder. The problem is, after version 7.44 Cellebrite stopped parsing the ChatStorage.sqlite inside the backup folder. It is possible to verify if the database exists by analysing the file user@email.com/D_HashBackup/FileInfoList.txt. With the iCloud Driver folder, where the database is encrypted (but not the media), it has never been parsed before by Cellebrite, and it is always necessary to do another type of process. So the problem is that when we verify that the ChatStorage.sqlite exists inside the FileInfoList.txt we need to process with this older version (7.44). We've also tried to parse with AXIOM Cloud but the results are worse. AXIOM does not parse the backup folder. Help me? @Cellebrite
CLB-dan.techcrime 5/3/2023 10:56 AM
Best to open a support ticket -- you will most likely need to share the data with us for the quickest fix, or at minimum, the full directory path tree that you have been given
Sørensen
In KnowledgeC.db I have found several entries with ZSTREAMNAME = /inferred/microLocationVisit. Does anyone know what this stream name covers and if any location data is tied up to this stream name?
CLB_iwhiffin 5/3/2023 7:42 PM
Related to MagicalMoments, I believe related to Siri making suggestions of what app to use based on location. Whatever the reason, I’ve not been able to find any usable location data there.
hsandeberg
Question! I have a full file extraction from an iPhone 8. There is a screenshot from the phone called IMG_0010.png; I have the file set to 2023-02-01 01:35. Two days later a jpg file with the same name was created. I don't know why the jpg was created, anyone know? I can only see that the file was created, but I don't know why.
CLB_iwhiffin 5/3/2023 7:43 PM
This is ringing a bell… I can’t quite put my finger on it but I saw something similar a few weeks ago. Hopefully I’ll have something for you tomorrow.
👍 1
Anyone from @Cellebrite free for a UFED PAU question?
📬 1
hsandeberg
Question! I have a full file extraction from an iPhone 8. There is a screenshot from the phone called IMG_0010.png; I have the file set to 2023-02-01 01:35. Two days later a jpg file with the same name was created. I don't know why the jpg was created, anyone know? I can only see that the file was created, but I don't know why.
What's the file path of the jpg? Could it be a thumbnail image of the png screenshot?
does anyone know a tool that decodes Facebook Messenger calls and messages from a database within the Facebook app, would be handy for those iPhone logicals: /mobile/Containers/Data/Application/com.facebook.Facebook/Documents/cask/[accountid]/FBMessagingMaiboxCaskStore/1/fb-msys-[accontid].db
hi. any suggestions on how to get data from the Skyscanner app? I have an iPhone FFS dump.
@Cellebrite I am looking at a phone extraction using PA Ultra v 8.4.0.1036 and I cannot seem to change timezone settings. Everything appears in UTC+0 no matter what changes I make in Settings and Project Settings under Tools. I used to be able to change to my current timezone. What am I missing?
📬 1
Anyone from @Cellebrite around for a DM regarding an error in PA?
📬 1
what's the state of the art for a Samsung + Qualcomm device? (edited)
6:47 AM
is there anything that can be done to retrieve a password ?
Premium solutions can support those
alright and iirc private sector can't have those
depends on the region etc, you have to ask
yeah I think my colleagues have already asked, so I'm not gonna bother them. But apart from that, there's no other solution?
none that i know of
alright thx
emilie_
yeah I think my colleagues have already asked, so I'm not gonna bother them. But apart from that, there's no other solution?
Check other devices you may have or ask owner nicely
Does anyone know if an iTunes backup made by iTunes contains a hash or plist from which I can determine (or bruteforce) the passcode at that time?
florus
Does anyone know if an iTunes backup made by iTunes contains a hash or plist from which I can determine (or bruteforce) the passcode at that time?
Passcode for the phone, no. If it's an encrypted backup you're trying to get into, there is a method to obtain a hash for the backup password
Salute 1
florus
Does anyone know if an iTunes backup made by iTunes contains a hash or plist from which I can determine (or bruteforce) the passcode at that time?
spicy_caveman 5/7/2023 11:53 AM
You can use hashcat to decrypt the backup and then parse into iLeapp.
Salute 2
Heimdall4N6K 5/7/2023 12:37 PM
if you find the password use Jack Farley's tool to decrypt: https://github.com/jfarley248/iTunes_Backup_Reader
Salute 1
12:39 PM
the encrypted password should be in the manifest plist
12:44 PM
this article is about itunes backup encrypted: https://blog.elcomsoft.com/2019/06/unusual-iphone-backups/
We've been provided with a UFDR from Cellebrite that contains chats and instant messages. Does anyone know if it is possible to load this into AXIOM and have it display chat bubbles? My client wants me to perform some searches and present the responding message threads in chat bubble format.
skipper
hi. any suggestions on how to get data from the Skyscanner app? I have an iPhone FFS dump.
Oxygen supports this app
Hey, newbie phone extractor here. Have an upcoming job to pull geolocation data from a couple of phones to verify if the client was at a location or not at the time in question. What sort of artefacts should I be looking at that would be helpful? Extraction tool will be Cellebrite. Main objective of the job for the client is to prove where he was on the days of several incidents. We have I think 5 timeframes to look at over two devices. Just trying to get a bit of a jump on what artefacts I should be looking at or approaches in Cellebrite.
Picker
Hey, newbie phone extractor here. Have an upcoming job to pull geolocation data from a couple of phones to verify if the client was at a location or not at the time in question. What sort of artefacts should I be looking at that would be helpful? Extraction tool will be Cellebrite. Main objective of the job for the client is to prove where he was on the days of several incidents. We have I think 5 timeframes to look at over two devices. Just trying to get a bit of a jump on what artefacts I should be looking at or approaches in Cellebrite.
I had a 3 day suppression hearing on the junk science of cell phone GPS data. If you are going to testify in court, I’d recommend getting a second source to verify the locations. (Traffic cameras, Wi-Fi, something).
Picker
Hey, newbie phone extractor here. Have an upcoming job to pull geolocation data from a couple of phones to verify if the client was at a location or not at the time in question. What sort of artefacts should I be looking at that would be helpful? Extraction tool will be Cellebrite. Main objective of the job for the client is to prove where he was on the days of several incidents. We have I think 5 timeframes to look at over two devices. Just trying to get a bit of a jump on what artefacts I should be looking at or approaches in Cellebrite.
Terry_____ 5/9/2023 2:35 AM
If it's an iPhone you're going to need a full file system extraction if you want any useful GPS data.
PhrostByte
We've been provided with a UFDR from Cellebrite that contains chats and instant messages. Does anyone know if it is possible to load this into AXIOM and have it display chat bubbles? My client wants me to perform some searches and present the responding message threads in chat bubble format.
Terry_____ 5/9/2023 2:41 AM
You should be able to export the specific chats you want into a different format (excel, word, html, csv I think). In Reader there will be a button on the chats view called export.
PhrostByte
We've been provided with a UFDR from Cellebrite that contains chats and instant messages. Does anyone know if it is possible to load this into AXIOM and have it display chat bubbles? My client wants me to perform some searches and present the responding message threads in chat bubble format.
JLindmar (83AR) 5/9/2023 5:57 AM
Try creating a new report with Reader, but make sure the Settings > Report Defaults > Include conversation bubbles option is checked first.
this 1
Anyone have any papers or knowledge re. redditdb<userid>?
6:32 AM
*_db
Mistercatapulte 5/9/2023 6:36 AM
@wcso_pete did you solve the cloud problem with PA?
Mistercatapulte
@wcso_pete did you solve the cloud problem with PA?
Kind of. Unfortunately I was at IACIS the last two weeks, so I wasn't able to do any troubleshooting with Cellebrite. I rolled back to PA 7.60.1 just so I could get caught up and I'll revisit the new version later.
👍🏻 1
Bill (VeriFi) 5/9/2023 1:44 PM
Is anyone else getting the PrivateCloudDataServiceError on UFED Cloud extractor? @Cellebrite
📫 1
Picker
Hey, newbie phone extractor here. Have an upcoming job to pull geolocation data from a couple of phones to verify if the client was at a location or not at the time in question. What sort of artefacts should I be looking at that would be helpful? Extraction tool will be Cellebrite. Main objective of the job for the client is to prove where he was on the days of several incidents. We have I think 5 timeframes to look at over two devices. Just trying to get a bit of a jump on what artefacts I should be looking at or approaches in Cellebrite.
CLB_iwhiffin 5/9/2023 6:24 PM
I’ve worked with location a lot and have blogs and presentations etc about it. It depends a lot on the device/settings/extraction. There is a lot of location data on a device that is recorded for numerous reasons and most is unrelated to where the device was at any given time. Some sources are more reliable, but there is still a margin of error that needs to be taken into account. Try : https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
dcs453
I had a 3 day suppression hearing on the junk science of cell phone GPS data. If you are going to testify in court, I’d recommend getting a second source to verify the locations. (Traffic cameras, Wi-Fi, something).
Not sure if we will be able to get access to 3rd party devices but will see when I get the devices in
Terry_____
If it's an iPhone you're going to need a full file system extraction if you want any useful GPS data.
Should be possible we will be provided with passwords/codes to unlock the device
CLB_iwhiffin
I’ve worked with location a lot and have blogs and presentations etc about it. It depends a lot on the device/settings/extraction. There is a lot of location data on a device that is recorded for numerous reasons and most is unrelated to where the device was at any given time. Some sources are more reliable, but there is still a margin of error that needs to be taken into account. Try : https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
That cheat sheet will be plenty handy for sifting through the noise. Thank you
Picker
That cheat sheet will be plenty handy for sifting through the noise. Thank you
CLB_iwhiffin 5/9/2023 6:44 PM
I’m working on some new research/testing that will really show how good/bad each data source can be. Still a (lot of) work in progress but hopefully in a few weeks it will be done.
👍 3
👀 2
Is It Done Yet? 5/10/2023 12:53 AM
Most practical way of installing both PA7 (currently used for active cases) & PA Ultra (for testing) on the same machine?
Is It Done Yet?
Most practical way of installing both PA7 (currently used for active cases) & PA Ultra (for testing) on the same machine?
Vm pa ultra?
Rob
Vm pa ultra?
Is It Done Yet? 5/10/2023 1:48 AM
That was my current thought - albeit, was hoping there might be a workaround to prevent having to load it into a VM
Is It Done Yet?
Most practical way of installing both PA7 (currently used for active cases) & PA Ultra (for testing) on the same machine?
CLB_iwhiffin 5/10/2023 4:24 AM
There shouldn't be any conflicts between the two if that's the concern. I've been running both for years without causing any problems. I have PA7 installed on my C drive and PAUltra on D (along with the database) but there is nothing stopping you having both on C.
Salute 2
hello, does the iTunes backup allow you to extract approximately the last 10 messages of each chat session on the Instagram application?
CLB_iwhiffin
There shouldn't be any conflicts between the two if that's the concern. I've been running both for years without causing any problems. I have PA7 installed on my C drive and PAUltra on D (along with the database) but there is nothing stopping you having both on C.
CLB_joshhickman1 5/10/2023 5:52 AM
I have both installed on the same volume and merely changed the installation path to PA 7 by appending "_7" to the path. I too have not experienced any issues. (edited)
Mistercatapulte 5/10/2023 9:22 AM
@wcso_pete help from support, and it worked. Go to Task Manager:
  • Under Services -> if the service "UFED Cloud Analyzer Monitoring Service" is terminated, please start it.
  • Under Services --> right click on "UFED Cloud Analyzer Service" -> go to details --> right click on "WebEx.Uccm.exe" -> End task
  • Go back to Services --> right click on "UFED Cloud Analyzer Service" -> Start. Please be patient as the “UFED Cloud Analyzer Service” may take some time to start.
I have a Samsung cell phone running Android 13. I am trying to verify the time zone information and can't seem to find where it is located in the file system. All the old locations don't exist anymore. Anyone with insights?
chrverm
I have a Samsung cell phone running Android 13. I am trying to verify the time zone information and can't seem to find where it is located in the file system. All the old locations don't exist anymore. Anyone with insights?
CLB_joshhickman1 5/10/2023 10:19 AM
Have you checked persistent_properties?
CLB_joshhickman1 5/10/2023 10:38 AM
The data in the file is stored as protobuf, but it should look something like this.
CLB_joshhickman1
The data in the file is stored as protobuf, but it should look something like this.
You wouldn't happen to know the path to that file?
CLB_joshhickman1 5/10/2023 11:04 AM
USERDATA/property/
That path doesn't exist. Here is the root file system
CLB_joshhickman1 5/10/2023 11:29 AM
That's the root of the device. USERDATA refers to /data. So, from your current view, it would be /data/property.
That file is empty unfortunately
📬 1
CLB_joshhickman1 5/10/2023 11:57 AM
When you expand the triangle by the “1” it’s empty? (edited)
It's just a bunch of these
chrverm
It's just a bunch of these
CLB_joshhickman1 5/10/2023 12:56 PM
You will need to find the correct key-value pair in this file. The simplest way is to type "timezone" in the search bar just above where your screenshot starts. (edited)
👍 1
CLB_joshhickman1
You will need to find the correct key-value pair in this file. The simplest way is to type "timezone" in the search bar just above where your screenshot starts. (edited)
You are a genius. Thank you for your help.
👍 1
CLB_joshhickman1 5/10/2023 1:49 PM
Any time.
Hi, I have a FFS extraction of an Oppo Find X5 pro. PA asks me for the MetaMask password (which I don't know) but there is no option to load a list of passwords. Is there any way to try to find the password with other tools? @Cellebrite
Heimdall4N6K 5/11/2023 11:21 AM
XRY has a bruteforce tool I think
@Cellebrite Am I right in saying PA doesn't SHA1 hash media files? Just want to make sure there's no hidden setting or anything?
p0tt541
@Cellebrite Am I right in saying PA doesn't SHA1 hash media files? Just want to make sure there's no hidden setting or anything?
CLB_4n6s_mc 5/12/2023 5:12 AM
Hi @p0tt541 we use MD5 for hashing media files.
Is anyone from @Magnet Forensics available to answer questions about iOS 16/iPhone 11 Significant Locations Visits? Are the Vicinity Entry and Vicinity Exit time date stamps reliable? (edited)
zero00796
Is anyone from @Magnet Forensics available to answer questions about iOS 16/iPhone 11 Significant Locations Visits? Are the Vicinity Entry and Vicinity Exit time/date stamps reliable? (edited)
CLB_iwhiffin 5/12/2023 5:00 PM
Not from Magnet, but I can help. From my testing, the timestamps are pretty close to being reliable. There may be a few minutes' tolerance either way depending on what the device was doing at the time. Also, it may be possible that the device left and returned without it being registered, but it would have to be fairly fast. I can go into more detail if required.
👍 8
Cloud service communication error with UFED 7.61, is there a fix for this? We tried restarting both computer and program. Anyone from Cellebrite know how to fix this? @Cellebrite
Johnie
Cloud service communication error with UFED 7.61, is there a fix for this? We tried restarting both computer and program. Anyone from Cellebrite know how to fix this? @Cellebrite
thatboy_leo 5/13/2023 7:58 AM
Curious if this could help. Saw someone else mention this but can't find the other message from the user. If your error matches, this is the help @wcso_pete got from support, and it's worked. Go to Task Manager:
  • Under Services -> if the service "UFED Cloud Analyzer Monitoring Service" is terminated, please start it.
  • Under Services -> right click on "UFED Cloud Analyzer Service" -> go to Details -> right click on "WebEx.Uccm.exe" -> End task
  • Go back to Services -> right click on "UFED Cloud Analyzer Service" -> Start. Please be patient as the "UFED Cloud Analyzer Service" may take some time to start.
👍🏻 1
Johnie
Cloud service communication error with UFED 7.61, is there a fix for this? We tried restarting both computer and program. Anyone from Cellebrite know how to fix this? @Cellebrite
spicy_caveman 5/13/2023 4:20 PM
I had this happen a few times. I had to uninstall and reinstall. (edited)
Johnie
Cloud service communication error with UFED 7.61, is there a fix for this? We tried restarting both computer and program. Anyone from Cellebrite know how to fix this? @Cellebrite
Check if the Visual C++ Redistributable is installed.
@Cellebrite how come PA Ultra is not using the GPU for media classification? And what are the CPU requirements? Right now I am getting a notice in the trace window that the CPU is not supported... But in PA 7.61 it is using the NVIDIA 2060 for this?
Has anyone had any success backtracking from library/cache/filtered-string? My thought is that these are sent memories. The majority of the files can also be found in meo / memories with the original stamps. Is there a way to see how they have been handled?
brnfldt
Has anyone had any success backtracking from library/cache/filtered-string? My thought is that these are sent memories. The majority of the files can also be found in meo / memories with the original stamps. Is there a way to see how they have been handled?
My small experiments with Snapchat showed that filtered-string files are basically everything that is "resent", i.e. if you send something you already have access to in Snapchat.
thatboy_leo
Curious if this could help. Saw someone else mention this but can't find the other message from the user. If your error matches, this is the help @wcso_pete got from support, and it's worked. Go to Task Manager:
  • Under Services -> if the service "UFED Cloud Analyzer Monitoring Service" is terminated, please start it.
  • Under Services -> right click on "UFED Cloud Analyzer Service" -> go to Details -> right click on "WebEx.Uccm.exe" -> End task
  • Go back to Services -> right click on "UFED Cloud Analyzer Service" -> Start. Please be patient as the "UFED Cloud Analyzer Service" may take some time to start.
This did not help in my case. Trying a reinstall now, hoping it will work.
j_matas
@Cellebrite how come PA Ultra is not using the GPU for media classification? And what are the CPU requirements? Right now I am getting a notice in the trace window that the CPU is not supported... But in PA 7.61 it is using the NVIDIA 2060 for this?
CLB_iwhiffin 5/15/2023 5:31 AM
Hi, first of all, the error message is incorrect. It is meant to say "GPU is not supported", not CPU. The supported GPUs are officially:
· NVIDIA GeForce GTX 2070\2080
· NVIDIA Quadro P6000
· NVIDIA RTX 4000\5000\6000
· NVIDIA V100
· NVIDIA Ampere (A2000, RTX A4000, RTX A4500, A2)
It should use GPU for all classifications, but it is a requirement for CSAM. (edited)
👍🏻 1
Johnie
My small experiments with Snapchat showed that filtered-string files are basically everything that is "resent", i.e. if you send something you already have access to in Snapchat.
Thank you. Also confirmed my thesis of seeing the same video, 3 different strings a few seconds apart. I think the original memory is sent to three different recipients.
brnfldt
Thank you. Also confirmed my thesis of seeing the same video, 3 different strings a few seconds apart. I think the original memory is sent to three different recipients.
Probably yes 🙂 I think the "filtered" part of the name refers to Snapchat filtering a file already created, so to speak. They are not created when you use the Snapchat camera, for example.
🥳 1
fitz_the_relentless 5/15/2023 11:07 AM
Hello, has anyone ever had the Mercedes Me application to examine on Android or iOS, and if so, were you able to decrypt the files? I would like to decrypt the vehicle_status.pb file, for example.
beansidebean2020 5/16/2023 1:29 AM
@Magnet Forensics do you have any translating ability within AXIOM?
Hi, any solution for iPhone 14 / iOS 16.4.1 with known code? Premium and GK can't get FFS.
📩 1
Hello to all! Any suggestion on a method for cracking a 10-character alphanumeric passcode from a Huawei P20 Lite? I have tried known parts of the passcode, a generated custom wordlist, and some weakpass wordlists made of 10 characters, but without any success. I am using Passware Kit Mobile and getting around 3500 passwords per second, so brute-forcing would take 100+ years.
@CLB_iwhiffin hello, iOS locations question: are you aware what the ZSignalEnvironmentType and ZType columns are in cache.SQLite? I have 2 entries that have the exact same timestamp but two different locations. The accuracy of one is larger than the other, but they don't overlap. Most of the standard locations are environment type 2 and type 1. However, the inaccurate one is environment type 0 and type 4. Also, based on the PK, I know it was created a fair few minutes after its reported timestamp. Thanks 🙂 edit: it's iOS 16.3.1 (edited)
Peacekeeper 5/16/2023 3:44 AM
Question in regards to wifigeofence.db. In a case I'm investigating I have nine networks in the wifigeofence.db with their approximate locations and timestamps. The timestamps are what my question is about. According to this PDF: https://cts-forensics.com/reports/20-5550_Web.pdf (found through Google and Mattia's reference: https://github.com/RealityNet/Android-Forensics-References) and according to FOR585 documentation, the timestamp here should represent the last connection time. However, in my case these timestamps are all exactly the same, and since they are physically so far apart, it is impossible for the device to have been connected to these networks at the same time. The timestamps differ only in microseconds, as if they were being scanned. Has anyone any idea what (else) could cause the timestamps to be updated simultaneously? Side note: the database timestamp is exactly the same as all the other timestamps, which are also present in the column. Google Maps was being used right around that moment. Thanks for any insights! (edited)
Ypso
Hi, any solution for iPhone 14 / iOS 16.4.1 with known code? Premium and GK can't get FFS.
Heimdall4N6K 5/16/2023 4:48 AM
It is possible to try the iTunes backup, which will already give you some artifacts.
Heimdall4N6K
It is possible to try the iTunes backup, which will already give you some artifacts.
It works, but no signal data within the FS.
Heimdall4N6K 5/16/2023 4:51 AM
Then use this to decrypt: https://github.com/jfarley248/iTunes_Backup_Reader and iLEAPP to read.
Team, I extracted an iPhone 13 Pro w/ passcode and obtained a FFS. Retrieved the keychain and PW list. There is an app called Private Photo Vault that didn't decode; the files are still encrypted. I'm pretty sure I know the PIN the user had set on it. Any tips on how to decrypt the data in AXIOM or manually? @Magnet Forensics https://privatephotovault.com/ (edited)
📬 1
CLB_iwhiffin
Hi, first of all, the error message is incorrect. It is meant to say "GPU is not supported", not CPU. The supported GPUs are officially:
· NVIDIA GeForce GTX 2070\2080
· NVIDIA Quadro P6000
· NVIDIA RTX 4000\5000\6000
· NVIDIA V100
· NVIDIA Ampere (A2000, RTX A4000, RTX A4500, A2)
It should use GPU for all classifications, but it is a requirement for CSAM. (edited)
Thanks... great opportunity to get some new machines 🙂
Ypso
Hi, any solution for iPhone 14 / iOS 16.4.1 with known code? Premium and GK can't get FFS.
I have the same problem. Disabling 16.4.1 and "downgrading" to 16.4 still does not work with GK either. (edited)
Have any of you ever had to decode Google Chat? I have a dynamite.db file with clear text. PA doesn't decode it. If someone knows a tool, it could save me some SQL queries 😅 (edited)
📬 1
I have an iPhone 13 extraction which has probably received an HEIC image (IMG_2566.heic) via unknown means. This file has then been sent out via iMessage the following day as IMG_3971.HEIC but still retaining the same MD5 as the 2566 one. The 2566 sits in the DCIM whilst the 3971 sits in Library\SMS. Probably overthinking this, but can anyone please explain how this can be?
Hi everyone, hopefully someone can advise me here on the following: I have a full file system extraction from a Samsung SM998W. My goal is the following: the phone was used to record a video of an attack. The attacker then got possession of the phone and deleted the video. Obviously I am not expecting to recover the video, but rather looking for any proof to show that a video was taken at this time: any log or database on the phone that would have an artifact to show that a video was recorded and maybe even deleted at this time. Please point me in the right direction, if possible. Thank you.
sootysox
I have an iPhone 13 extraction which has probably received an HEIC image (IMG_2566.heic) via unknown means. This file has then been sent out via iMessage the following day as IMG_3971.HEIC but still retaining the same MD5 as the 2566 one. The 2566 sits in the DCIM whilst the 3971 sits in Library\SMS. Probably overthinking this, but can anyone please explain how this can be?
CLB_iwhiffin 5/16/2023 3:22 PM
Is there a record for this image in photos.sqlite? If so, you should be able to see the ZCREATORBUNDLEID (it may have a slightly different name depending on iOS Version) but essentially, it should tell you the app responsible for saving it in the gallery and even the original name. Is there a 3971 in the database? It didn't get that name randomly. Ordinarily, I would say the 3971 was a received image that was saved to gallery at 2566 but it sounds like the timestamps are wrong for that. But more information would be useful. Feel free to DM me or email (ian.whiffin@cellebrite.com) if you can share any more about it.
@Cellebrite I'm trying to figure out how you are linking Instagram pictures from /data/data/com.instagram.android/cache/images with messages recovered from /data/data/com.instagram.android/databases/direct.db. Looking at the direct.db there is no reference to the image filename; for example, one is 428a2f45.clean. There is a JSON embedded in the messages table for the relevant message, but again there is no reference to the filename 428a2f45.clean. The names always seem to be 8 hex characters followed by the .clean extension. Are the first 8 characters a hash of one of the fields from the JSON? I really need to be able to verify this. Thanks
📬 2
Hi. Does anyone have any info regarding images in the "lightspeed-cache" folder? It's found on an iPad. Is it images sent/received via Messenger, or?
Peacekeeper
Question in regards to wifigeofence.db. In a case I'm investigating I have nine networks in the wifigeofence.db with their approximate locations and timestamps. The timestamps are what my question is about. According to this PDF: https://cts-forensics.com/reports/20-5550_Web.pdf (found through Google and Mattia's reference: https://github.com/RealityNet/Android-Forensics-References) and according to FOR585 documentation, the timestamp here should represent the last connection time. However, in my case these timestamps are all exactly the same, and since they are physically so far apart, it is impossible for the device to have been connected to these networks at the same time. The timestamps differ only in microseconds, as if they were being scanned. Has anyone any idea what (else) could cause the timestamps to be updated simultaneously? Side note: the database timestamp is exactly the same as all the other timestamps, which are also present in the column. Google Maps was being used right around that moment. Thanks for any insights! (edited)
Is it an iPhone? Perhaps the data was from an iCloud backup when they got a new phone?
Terry_____
Is it an iPhone? Perhaps the data was from an iCloud backup when they got a new phone?
Peacekeeper 5/17/2023 5:12 AM
Sorry, no, Samsung. This database is Samsung only.
Nutelap
Have any of you ever had to decode Google Chat? I have a dynamite.db file with clear text. PA doesn't decode it. If someone knows a tool, it could save me some SQL queries 😅 (edited)
ALEAPP should.
j_matas
Hi. Does anyone have any info regarding images in the "lightspeed-cache" folder? It's found on an iPad. Is it images sent/received via Messenger, or?
James Pedersen 5/17/2023 11:29 AM
@j_matas Looking at a filesystem extraction of my own iPhone I can see that the lightspeed-cache folder contains an image that I received via Messenger, presumably while I was using Messenger on my iPhone.
Heimdall4N6K
XRY has a brute-force tool, I think.
XRY and Oxygen don't parse MetaMask. For PA, the dictionary can be loaded before the parsing.
Hello everybody!!! Let's see if you can help me. I have a Samsung S20 on Android 12 which shows an application as installed, but the app is not visible in the UI or in the shell. I have checked the following artifacts: localappstate.db, which indicates an entry date, but the uninstall field is blank. Library.db indicates the date of first installation. Gass.db simply mentions it in a field in one of its tables. In dumpsys and logcat there is no record of the app. Can you think of any artefacts to look at? Thank you very much!
thatboy_leo 5/17/2023 12:08 PM
Anyone happen to know where KaiOS stores messages? Did a physical on a 4052Z, got everything but messages.
Anyone have experience with unsent messages in Facebook Messenger? I have both the sender's and the receiver's phones. Both ends show the message as unsent.
snoop168
Anyone have experience with unsent messages in Facebook Messenger? I have both the sender's and the receiver's phones. Both ends show the message as unsent.
James Pedersen 5/17/2023 2:10 PM
@snoop168 What operating systems are the phones using?
James Pedersen
@snoop168 What operating systems are the phones using?
Sorry, meant to put that. (Un)Sender is iOS, probably 16.x. Receiver is Android. I already found a message in a screenshot that was unsent and tried searching a few words from it in the raw data on the Android with no results. I have to load the iOS backup in PA to try that.
thatboy_leo
Anyone happen to know where KaiOS stores messages? Did a physical on a 4052Z, got everything but messages.
Absent an answer here or having a test device, you might try viewing one on the device itself for a sample and taking a set of unique-ish words and searching in hex. Guessing. If your tool didn't parse them, it could be a relatively new system/artifact?
snoop168
Sorry, meant to put that. (Un)Sender is iOS, probably 16.x. Receiver is Android. I already found a message in a screenshot that was unsent and tried searching a few words from it in the raw data on the Android with no results. I have to load the iOS backup in PA to try that.
James Pedersen 5/17/2023 2:41 PM
@snoop168 I performed a full filesystem extraction of an iPhone recently. I used https://github.com/jfarley248/iTunes_Backup_Reader to perform the extraction from an iTunes backup of the iPhone. While browsing through the extracted files I encountered a file called "lightspeed-<NUMERIC_ID>.db". I believe that Facebook Messenger on iOS stores some data in this database. When I opened this database in my sqlitebrowser.org database browser, I saw that this database has a 'messages' table with an 'is_unsent' column.
James Pedersen 5/17/2023 2:52 PM
Hi, does anyone here know where SSL Certificates are stored on the iPhone? I mean SSL Certificates from a website that was viewed on the iPhone.
I am analyzing a warrant return with location data. When I process the data with AXIOM, I see "Directions to "....Ave..." and then there is a URL that contains a Lat/Lon. I was analyzing this Lat/Lon as the starting location of the directions (aka where the device was at the time the directions started). However, when I go to the originating file "My Activity.html" and go to the same entry, it shows the same "directions to" and has "Locations: At this place..", and "this place" is a hyperlink. This hyperlink opens another map that shows a different Lat/Lon than the one shown in AXIOM. Seems that a couple I checked are halfway points? Anyone have insight on this? Which one is accurate? Are any of them accurate?
chrisforensic 5/17/2023 11:40 PM
@Cellebrite anyone online to help me to get release notes from latest beta PA 7.62? I can download beta, but not the release notes 😦 (edited)
chrisforensic
@Cellebrite anyone online to help me to get release notes from latest beta PA 7.62? I can download beta, but not the release notes 😦 (edited)
CLB_4n6s_mc 5/17/2023 11:47 PM
Thank you Chris, we are taking care of it. Just wait, I will update as soon as I have something new.
CLB_4n6s_mc
Thank you Chris, we are taking care of it. Just wait, I will update as soon as I have something new.
chrisforensic 5/17/2023 11:47 PM
thanks mate 👍
chrisforensic
thanks mate 👍
They should be back up
CLB-Paul
They should be back up
chrisforensic 5/18/2023 5:42 AM
thanks, downloaded. 👍
👍 1
burgers_N_bytes 5/18/2023 6:25 AM
@Cellebrite @Magnet Forensics does anyone have any information on the “geod” daemon in iOS?
📬 1
snoop168
Absent an answer here or having a test device, you might try viewing one on the device itself for a sample and taking a set of unique-ish words and searching in hex. Guessing. If your tool didn't parse them, it could be a relatively new system/artifact?
thatboy_leo 5/18/2023 7:30 AM
Looks like the .db uses obfuscation. [GUI]ssm.sqlite contains metadata on the messages, but no message body. Thank you! Edit: the messages are here, had to look a little closer in the blob. (edited)
James Pedersen
@snoop168 I performed a full filesystem extraction of an iPhone recently. I used https://github.com/jfarley248/iTunes_Backup_Reader to perform the extraction from an iTunes backup of the iPhone. While browsing through the extracted files I encountered a file called "lightspeed-<NUMERIC_ID>.db". I believe that Facebook Messenger on iOS stores some data in this database. When I opened this database in my sqlitebrowser.org database browser, I saw that this database has a 'messages' table with an 'is_unsent' column.
I believe I already looked in the DB on the sender's phone and did locate the is_unsent column; however, it looks like it removes the text from the message column, so it can't be seen unless it's saved elsewhere... I'll double check on the victim's phone with a hex search, maybe I'll get lucky and find it. Otherwise I'm piecing screenshots into the chat thread, which is tedious, especially not in my native language...
James Pedersen 5/18/2023 11:42 AM
Also, does anyone here have any experience examining the website data for google.com in the Caches and Cookies folders on iOS?
James Pedersen 5/18/2023 12:27 PM
On another note, can I ask about Google Adsense? Does anyone here know if website advertisements which are served with Google Adsense (https://adsense.google.com/start/) on an iPhone leave any traces or artifacts on the device?
thatboy_leo
Looks like the .db uses obfuscation. [GUI]ssm.sqlite contains metadata on the messages, but no message body. Thank you! Edit: the messages are here, had to look a little closer in the blob. (edited)
For KaiOS there are two documents linked in this post; they cover the artefact locations along with the obfuscation method: https://forensiczone.blogspot.com/2019/01/kai-os-forensics-for-money-and-profit.html
this 1
💯 1
Salute 1
p0tt541
For KaiOS there are two documents linked in this post; they cover the artefact locations along with the obfuscation method: https://forensiczone.blogspot.com/2019/01/kai-os-forensics-for-money-and-profit.html
thatboy_leo 5/19/2023 4:04 AM
This is truly excellent, thank you for sharing!!!
DeepDiveForensics 5/19/2023 4:43 AM
Hello, does @Cellebrite support exporting the chats in RSMF format?
DeepDiveForensics
Hello, does @Cellebrite support exporting the chats in RSMF format?
Relativity?
DeepDiveForensics 5/19/2023 4:57 AM
Yes
DeepDiveForensics
Hello, does @Cellebrite support exporting the chats in RSMF format?
CLB_joshhickman1 5/19/2023 5:08 AM
Yes, chats/IMs are part of the RSMF export.
CLB_joshhickman1
Yes, chats/IMs are part of the RSMF export.
DeepDiveForensics 5/19/2023 5:14 AM
Thanks, I'll check
DeepDiveForensics
Thanks, I'll check
CLB_joshhickman1 5/19/2023 5:44 AM
[image attachment]
Anyone from @Cellebrite around re: media export from PA 7.61?
📬 1
CLB_joshhickman1
[image attachment]
DeepDiveForensics 5/20/2023 12:48 AM
Is this the add-on module? I'm using PA version 7.61 but unable to find the export module.
DeepDiveForensics
Is this the add-on module? I'm using PA version 7.61 but unable to find the export module.
CLB_joshhickman1 5/20/2023 4:35 AM
After you select Generate Report, you can choose RSMF in the format field of the General screen. Exporting to RSMF is part of the Legal View add-on for licensing, so if you do not have that as part of your license it will not appear.
CLB_joshhickman1
After you select Generate Report, you can choose RSMF in the format field of the General screen. Exporting to RSMF is part of the Legal View add-on for licensing, so if you do not have that as part of your license it will not appear.
DeepDiveForensics 5/20/2023 7:09 AM
Thank You
DataR
Hi everyone, hopefully someone can advise me here on the following: I have a full file system extraction from a Samsung SM998W. My goal is the following: the phone was used to record a video of an attack. The attacker then got possession of the phone and deleted the video. Obviously I am not expecting to recover the video, but rather looking for any proof to show that a video was taken at this time: any log or database on the phone that would have an artifact to show that a video was recorded and maybe even deleted at this time. Please point me in the right direction, if possible. Thank you.
I think the Samsung Gallery cache is a good place to look; it only tells you if the video was there.
👍 1
James Pedersen 5/21/2023 9:19 PM
Hi, would someone please be so kind as to post a document or training guide for web browser forensics on the iPhone? Thank you.
Hi everyone, hoping someone can point me in the right direction. I have a FFS of an Android device; there are 2x Facebook user accounts logged in and I need to determine which user account uploaded a particular image. I can see the image sitting in the app uploads folder but can't find any indication of which account was responsible. Many thanks.
Quent1sur20 5/22/2023 6:44 AM
Hello everyone, I am faced with a Xiaomi Redmi 10 mobile phone running Android 11. Does this phone have a database that records the gyroscopic activity of the phone, similar to Apple's unified logs? Additionally, is there a database that keeps track of the phone's shutdowns, indicating whether they are voluntary user-initiated shutdowns or due to battery depletion? I don't know where to look, and I can't use ADB. I'm only searching for persistent databases. Many thanks!
Is there an easy way in Cellebrite to identify a group chat vs a 1-on-1 conversation?
Jay528
Is there an easy way in Cellebrite to identify a group chat vs a 1-on-1 conversation?
CLB-DannyTheModeler 5/22/2023 9:28 AM
You can use the participant count in the chats table view.
thanks
Jay528
Is there an easy way in Cellebrite to identify a group chat vs a 1-on-1 conversation?
Depending on the app you're examining, looking at the chat's Name field might also be helpful.
This is just regular iMessage/SMS/MMS.
10:11 AM
Thank you guys
skinnyfrenchman 5/22/2023 3:52 PM
Alright forensicators, this one has me stumped: on some iOS extractions (backups), there is a keychain file "keychain-backup.plist". Previously you could decode these with key 0x835, but those are now moved into the Secure Enclave, so some of the online "decrypting" tools don't work. Plot twist: the contents of the file are displayed "unencrypted" in Cellebrite. Any idea how this is being done? This is being done with no password/passcode provided to Cellebrite. Would probably make for a great iLEAPP plugin 😛
Hi guys, I have a FFS of an Android device that was opened in AXIOM. The phone belongs to a suspect in a double homicide. We know that one victim was killed in the AM and the other in the PM, and the suspect attempted to clean up the scene. By putting together a timeline of digital artifacts, I'm curious to see if there are gaps in user interaction on the device during the times we believe both victims were killed and while the suspect was cleaning up. I searched the entire phone for artifacts that occurred on the date of the homicide just using a relative date and time filter. Thousands of artifacts came back, many of which are from usage stats and media. This is probably a very difficult question to answer, but is there an easy way to eliminate artifacts that do not represent actual user interaction?
Hello, I've done some testing and determined that in iOS I can retrieve deleted text messages by processing the sms.db in AXIOM. The problem I'm running into is that I cannot confirm (without my knowledge of my test phone) whether the text message is deleted or not. The message.text field appears NULL in my sms.db for the message I deleted, but that doesn't seem to be reliable, as I've come across other random messages that were not deleted but still appear NULL in that field. Any thoughts here?
Hi all, I have an issue where a geolocation timestamp is 24 hrs prior to the image-taken metadata. Any ideas? Pull was done in Cellebrite, Samsung Note device.
Mags42
Hello, I've done some testing and determined that in iOS I can retrieve deleted text messages by processing the sms.db in AXIOM. The problem I'm running into is that I cannot confirm (without my knowledge of my test phone) whether the text message is deleted or not. The message.text field appears NULL in my sms.db for the message I deleted, but that doesn't seem to be reliable, as I've come across other random messages that were not deleted but still appear NULL in that field. Any thoughts here?
Take a look in the iMessage Biome; that will store some SMS/iMessage artifacts, and if they are not present in the sms.db then those have been deleted from the application. However, for those remaining in the sms.db with the 'null' value, I can't shed any further light on that.
Jeeper
Hi all, I have an issue where a geolocation timestamp is 24 hrs prior to the image-taken metadata. Any ideas? Pull was done in Cellebrite, Samsung Note device.
I would recommend watching Chris Vance from Magnet Forensics and his 'The Meaning of Messages', which you can view on their portal.
WhyMe?
Take a look in the iMessage Biome; that will store some SMS/iMessage artifacts, and if they are not present in the sms.db then those have been deleted from the application. However, for those remaining in the sms.db with the 'null' value, I can't shed any further light on that.
Is the biome only available with a full extraction? Currently, we only have the ability to essentially process from iOS backups.
Mags42
Is the biome only available with a full extraction? Currently, we only have the ability to essentially process from iOS backups.
Yes, they are available from a FFS.
WhyMe?
Yes, they are available from a FFS.
Are you aware of any open source tools to obtain a FFS from iOS? Not sure we'd be willing to get a product from a place like Grayshift at this time.
DeepDiveForensics
Hello, does @Cellebrite support exporting the chats in RSMF format?
spicy_caveman 5/23/2023 8:39 PM
Yes, you have to have the Legal View add-on. Legal View will also give you a Concordance load file export option.
spicy_caveman
Yes, you have to have the Legal View add-on. Legal View will also give you a Concordance load file export option.
DeepDiveForensics 5/24/2023 12:13 AM
That's great, thank you.
Hans Leißner 5/24/2023 12:29 AM
Good day to all. I have a question regarding WhatsApp. I am trying to know WHEN the automatically generated message "Messages and calls are end-to-end encrypted..." is generated. The following situation in a child abuse case: the perpetrator communicates with the witness via WhatsApp. Both know each other and have been writing to each other via WhatsApp for some time. During the chat, the perpetrator confesses that he abused their daughter. However, he directly deletes these individual messages again. In the msgstore.db I see missing _id entries, which are probably also the deleted messages. In the timeline I could find the message regarding end-to-end encryption. Was this automatically generated message sent to the offender because he deleted the entire chat? At least that would correspond with the deleted database entries. Thanks for the help 🙂
Hans Leißner
Good day to all. I have a question regarding WhatsApp. I am trying to know WHEN the automatically generated message "Messages and calls are end-to-end encrypted..." is generated. The following situation in a child abuse case: The perpetrator communicates with the witness via WhatsApp. Both know each other and have been writing to each other via WhatsApp for some time. During the chat, the perpetrator confesses that he abused their daughter. However, he deletes these individual messages again directly. In the msgstore.db I see missing _id entries which are probably also the deleted messages. In the timeline I could find the message regarding end-to-end encrypt. Was this automatically generated message sent to the offender because he deleted the entire chat? At least that would correspond with the deleted database entries. Thanks for the help 🙂
That sounds like an explanation. In my WhatsApp experience this 'message' only gets posted when starting a new chat, not in the middle of a chat. But I do recall the encryption gets updated from time to time, but can't recall where or when that is being shown. (edited)
Replying to florus:
Hans Leißner 5/24/2023 3:47 AM
Hi Florus, thanks for the tip! I will do some more research. If I learn more info, I'll write it here.
Replying to Hans Leißner:
spicy_caveman 5/24/2023 5:52 AM
Have you preserved all Google accounts? Have you preserved social media accounts? For these, you may expand your scope of data. Active Pedos tend to find a favorite channel to chat and corroborate with other pedos also.
Replying to Cenizas:
Hi Guys, I have an FFS of an Android device that was opened in Axiom. The phone belongs to a suspect in a double homicide. We know that one victim was killed in the AM and the other in the PM, and the suspect attempted to clean up the scene. By putting together a timeline of digital artifacts, I'm curious to see if there are gaps in user interaction on the device during the times we believe both victims were killed and while the suspect was cleaning up. I searched the entire phone for artifacts that occurred on the date of the homicide just using a relative date and time filter. Thousands of artifacts came back, many of which are from usage stats and media. This is probably a very difficult question to answer, but is there an easy way to eliminate artifacts that do not represent actual user interaction?
Do you have display on/off event logs? I'd say it's reasonable that if an event occurs after a display off, and before a display on it's probably system activity.
Avatar
anyone know anything about the com.apple.siri.inference folder, specifically 2 databases siriremember.sqlite3 and siriremembers2.sqlite3 perhaps may have some connection to AppIntents
Replying to Terry_____:
I'll look at those. Thanks for the response!
Avatar
Does anyone have experience with the Wire app on iOS? I have an FFS extraction and I want to parse the messages sent via the app
Avatar
Someone from @Griffeye available for a question ?
Replying to andreidst:
Loz📱🕵 5/25/2023 3:17 AM
I decoded it successfully in Oxygen (edited)
3:21 AM
Does anyone have any experience decoding Session app? I’ve tried 4 tools and so far no results
Replying to Loz📱🕵:
CLB_joshhickman1 5/25/2023 3:51 AM
Android or iOS?
Replying to CLB_joshhickman1:
Loz📱🕵 5/25/2023 3:52 AM
Android 12
CLB_joshhickman1 5/25/2023 3:55 AM
The latest version of PA should handle it. If it didn’t please let me know.
Avatar
Hi everyone, does anyone know where I could find data regarding Facebook Messenger pop-ups? I have looked into window artefacts, but apparently if Facebook Messenger is running in a browser then the window doesn't record pop-up metadata. Any help would be appreciated. Thank you.
Replying to Loz📱🕵:
Heimdall4N6K 5/25/2023 8:48 AM
NOTE: parts of this article describe steps by which the order of encryption methods are reversed to render encrypted data in clear-text. This was done in order to investigate the app being discusse…
Loz📱🕵 5/25/2023 8:51 AM
Thank you for this! I managed to parse the data using a different extraction method and decoding again in PA
Replying to Loz📱🕵:
Heimdall4N6K 5/25/2023 8:54 AM
No problem, many ways to the same goal…
kparlier13039 5/25/2023 5:43 PM
Hello. I have an iPhone 12 Pro Max and a Google Pixel 4A that have been communicating with one another. From both devices, there appear to be blank messages being sent to each other. Both of these devices are showing the blank messages after they send a message with multiple attachments to one another. Does anyone know why this is occurring?
Avatar
Go home PA Ultra, you're drunk...... What's with the 'Select All Entities' not selecting, nor deselecting, all.... And the on again off again decision to generate a report or just plain ignore the request. I feel like I'm trying to explain algebra to a pelican with this tool..
Avatar
Hello, someone from @Cellebrite available for a question about PA ?
Avatar
@Cellebrite Hi. I have a full FS extraction (Qualcomm live) from a Huawei phone (Android 7). The phone had no screen lock but has "File Safe" enabled, which asks for a password if tapped. Should I find the content of File Safe decoded in the report? If yes, where? Thanks
8:58 AM
Can File Safe protect spare files only (pictures and similar), or also entire apps like Telegram, for example?
CLB_4n6s_mc 5/26/2023 11:20 AM
Hi Fabiano, how was the FFS extraction made?
Avatar
Anyone know if you can import tagged items from a Cellebrite Reader file back into the original UFDR? I thought you could load the .pas file back in, but it says that it is 'from another dump'.
Avatar
I have an advanced logical extraction from a cheap Android phone. The timestamps associated with the phone calls do not match up with the CDR records. They are off by up to 27 seconds. Does anyone know why?
Replying to FullTang:
Is it a constant 27 sec? You're quite limited with what you can do with an adv logical..
Replying to FullTang:
I don't think I've ever seen device call logs and provider CDRs ever match up exactly to the very second. Kinda like a DVR's time and real time haha.
CLB - Mike Joy 5/27/2023 12:30 PM
They typically won't match exactly for two reasons: 1) Discrepancies on what time server they sync to and when they last synced. 2) The phone and the provider have different triggering conditions that set an "official" call start and end.
Replying to CSSDFO29:
Hans Leißner 5/28/2023 7:26 AM
You can only load the .pas file into the Reader that was used to create it. Whether it works if the Reader version is the same, I do not know atm. I would tag the items of interest and export them into a new UFED Reader (edited)
Replying to FullTang:
spicy_caveman 5/28/2023 10:07 AM
Time hitting the tower is rarely going to match the event times on the device, but 27 seconds is interesting?
Replying to FullTang:
Any way you can check the time setting to ensure it is or isn't network derived?
Avatar
Hello everyone! I am stuck on the LockMyPix app again. Is there any new knowledge on this? I found a Korean work on the internet, but unfortunately I cannot get it.
pykeandmorty 5/29/2023 8:18 AM
I have acquired a Huawei P20 Lite with Oxygen (Kirin dump). It is protected by an alphanumeric password. I tried over 3 billion passwords; any suggestions to decrypt the data? It is a very urgent case.
Replying to pykeandmorty:
Oxygen Forensics 5/29/2023 8:40 AM
Hello! Do you know the SPL version on the device? This can be a case of SPL being too new, or alphanumeric password being long and complex. If you don't know the SPL I can check for you, will just need some system files in a DM:)
Replying to CLB-Paul:
No, it varies between 27 sec and 10 sec. I was worried the adv logical might be an issue, I wish I had a FFS but Smart Flow was not a thing when these were originally examined.
Replying to Terry_____:
DVR time is the absolute worst!
Replying to Jeeper:
That would be a great idea for next time. The warrant has already been executed and it is too late in the game to get another warrant. It is a possibility though.
2:32 PM
Thank you everyone for your ideas! At least I can have some reasons why it could be different even if I don't have the exact reason this go around.
Replying to pykeandmorty:
I have the same phone with an alphanumeric passcode, did not manage to get it. Locate the lock_settings.db in the /data/system_de folder and there is a line called, I think, "lockscreen_characters"; mine has 10. This should be the number of characters of the passcode. I have used various word lists and used only 10 character passcodes, still no luck
Avatar
@Magnet Forensics Someone around for a decoding question on an Android device, as in what does the Application Usage - Privacy Dashboard mean?
Replying to florus:
Check out the artifact reference under help>documentation.
Avatar
Does anyone know where I can find the auto-lock setting in an Oppo Android FFS? I don't recall seeing anyone who investigated this before.
Replying to fitd2505:
A Study of the Decryption Method of LockMyPix’s Media Files for Forensic Analysis - Vault application;Vault application decryption;Android application decryption;Mobile forensics
Avatar
@Oxygen Forensics dm
Avatar
Thanks, I already have the preview and it already contains very relevant information. But unfortunately the most important information is missing. Would it be possible for someone here to get me this work? Of course I will pay for it. The websites selling this document want to use weird payment methods like Kakao Pay and Naver Pay; I tried that too but failed to verify the whole thing with a Korean phone number.
Avatar
Hi all, just a quick one regarding iOS. I've taken a picture on an iPhone 14 Pro running 16.2. The picture capture time is being reported correctly, but the creation date, access and modified times are different by a few seconds. Any idea why this is the case, as surely the capture time and creation time would be the same?
Replying to nikmar:
pykeandmorty 5/31/2023 5:22 AM
Oxygen is taking a lot of time to open the bin file. Any faster solution to try to read this db?
Replying to Oxygen Forensics:
pykeandmorty 5/31/2023 5:23 AM
DM
Replying to pykeandmorty:
Use Recovery Explorer
5:48 AM
This file often is not encrypted and can be accessed directly
5:50 AM
Also, it's not a db file, but an XML one
Replying to obi95:
Hans Leißner 5/31/2023 6:27 AM
I have no experience in this regard, but could it be that he has simply changed the data? That goes quite easily since some iOS versions. To be sure, have a look into the database itself (edited)
Replying to Hans Leißner:
I should mention that this is an in-house validation device. I checked the database photos.sqlite, but it didn't say why the creation date was different from the capture time, as it didn't show the creation date, only the capture time
Avatar
Hi! I have a Vodafone Tab Prime 7 (VFD-1400; it's afaik an Alcatel POP 4 10" 9030G). I can get an image via CB Generic Android Qualcomm, Physical, EDL (Recommended). But the DATA partition is encrypted. Tried Decrypting EDL, but after step 6 it "says": Please reconnect the device. In which state does the tablet have to be? Again EDL? Or do I have to boot it the normal way? Can't get into Bootloader Mode, because I don't know how. Recovery Mode displays: 6.0.1/MMB29M/vBEQ-0
Avatar
The help says: again into EDL mode. But I'm getting an extraction error.
Avatar
It has at least done so for CB. I now get the message: this device is locked with secured startup.
Avatar
Does anyone know if iOS or Android is better for KIK application data extraction/decoding? My thought is that data is data and it’s dependent on the application settings, but I want to see if I am missing anything before relaying my thoughts to my coworkers. Thanks. DM replies are fine.
Replying to obi95:
ScottKjr3347 5/31/2023 12:01 PM
It's a Live Photo. There is a time gap between the capture button being pressed and the files being written to the FS and photos.sqlite. The creation date is when the files are created on the FS and within photos.sqlite. Try to do some more testing with a simple non-Live Photo and a long video file. You should observe that the simple non-Live Photo's capture time and creation time will be very similar or an exact match, but a longer video will have a difference between captured time and created time. Capture time for a video will be the beginning of the video while the creation will be near the end of the video, similar to what you are seeing with a Live Photo. You can also check this by analyzing the photos.sqlite duration column data; there are different ones for videos and Live Photos. The difference in time between the capture and creation will be very close to, if not exactly, the duration of the Live Photo or video.
Avatar
What are people using for iOS 16+ for iPhones that are not supported (unlocked/consent mode) to get artifacts? Both premium services cannot download the phones. For example, iPhone 11 running 16.5 with passcode, iPhone 13 running 16.4.19 (a)? iTunes backup and parse the data? Advanced Logical and pray the artifacts you need are there?
Avatar
Anyone know if there is a log on Android 9 that keeps track of WIFI activation and deactivation? Latest PA doesn't show any device event
Avatar
@Luke79 any luck with SANS Android Cheatsheet?
Replying to Luke79:
have you checked the iwc_dump.txt at "data/log/wifi/iwc/"? (edited)
Avatar
So I'm scratching my head on this one. I'm working on videos that are in the Photos gallery app (iPhone running iOS 14). Looking at the Photos database, I'm able to determine the videos in question came from Snapchat. Original filenames is where I'm stuck on. Example (File Name - Original File Name):
Filename: IMG_0001.MP4, Original Filename: 8056C790E-FC88-5682-AA2A-A00586DD19238.mp4
Filename: IMG_002.MP4, Original Filename: recorded-15586855852586.mp4
What's the video with the original name as a GUID? How does a person save a video from Snapchat with the original filename as a GUID (and for the iOS device to rename it with Apple's default file naming convention)? (edited)
2:11 AM
I've already sorted the original name with filename recorded-xxxxxx
Replying to Pacman:
Terry_____ 6/1/2023 4:08 AM
Check to make sure there isn't more than one source. Meaning PA found the vid in 2 locations and is combining the duplicates.
Replying to Terry_____:
All the original filenames were pulled from the Photos SQLite database via script. No duplications in PA.
Avatar
The original filenames containing a GUID are from around 2021. During testing, I've noticed that when I add a filter to a Snapchat video and save it to the camera roll, the original filename is "filtered-GUID.mp4". My theory is that Snapchat has changed the file naming convention by adding the word "filtered" since 2021?
Replying to p0tt541:
does anyone know a tool that decodes Facebook Messenger calls and messages from a database within the Facebook app, would be handy for those iPhone logicals: /mobile/Containers/Data/Application/com.facebook.Facebook/Documents/cask/[accountid]/FBMessagingMaiboxCaskStore/1/fb-msys-[accontid].db
Any update on this? I'm finding a contact in this DB that otherwise wasn't parsed by PA. Wondering what these cask databases are. I have 2 folders and databases; the folder name on one of them starts with a + symbol before the account ID, the other is just the account ID. Wondering why 2. I have an important username in only one of them.
Replying to Pacman:
Which bit are you trying to understand? Why one video has a different original filename to the other?
Replying to sky:
That's what I'm trying to work out. From testing:
To create a Snapchat video and save it to the camera roll will have the original filename as recorded-123456789.mp4
To create a Snapchat video, add a filter, then save it to the camera roll will have the original filename as filtered-8056C790E-FC88-5682-AA2A-A00586DD19238.mp4
To download a Snapchat video that's sent as an attachment within a Snapchat conversation, the original filename will be "cm-chat-media-video etc etc"
Avatar
Have you pulled the data from Z_ADDITIONALASSETATTRIBUTES as well? Might contain further information to look at that could point out the difference maker
Avatar
However, in my case I'm seeing the original filename as 8056C790E-FC88-5682-AA2A-A00586DD19238.mp4. I'm not sure how this is done, but I'm wondering if this is a filtered video done on an old Snapchat version (2021) and newer Snapchat has changed by adding the word "filtered" to the filename?
Replying to sky:
Already created a script for the photos.sqlite database and pulled out a lot of useful stuff, including the table you mentioned 😊 Also using scripts created by @ScottKjr3347 for anything I've missed (edited)
5:27 AM
I'm just stumped on the filename - I'm trying to recreate that filename on my test phone and no luck so far.
Avatar
@Magnet Forensics Have you received any reported issues with the decoding of iOS Outlook emails? I'm currently looking at a large iOS FFS where Outlook has managed to decode dates and times on 1800+ emails, but the recipients are blank and the message text is still encrypted/encoded. Thanks in advance
Replying to Pacman:
probably a version difference that you won't be able to replicate easily
Replying to sky:
That's my thinking too.
Replying to sky:
chriscone_ar 6/1/2023 6:21 AM
Not aware of any issues. Mind if I DM you for some specifics?
Replying to chriscone_ar:
I'm just running a quick update, as I've had this case open for a while and it's not the most up-to-date version, but I'll let you know if it's still not correct after a re-parse
Replying to j_matas:
File not available (it’s a FFS btw). Android 9
Avatar
Sorry to bring this up again. I've been searching through the forums but can't quite get all the info I need for recovering the encrypted files on the Enchanted Photo Vault app on Android. I'm working on a CSAM case and pretty sure I know what the PIN is, just can't confirm it with what I am seeing in the shared preferences files. And the string names don't quite match the examples I've been reading on. Can someone point me in the right direction? Thank you
Replying to rfar:
Have a look at here... https://theincidentalchewtoy.wordpress.com/ I had luck with DoMobile AppLock...
He used to byte, now its just a nibble
Avatar
Hello, Does anyone have any documentation on the walletV14.sqlite database from the Metamask app ? I saw that it was partially decoded by Cellebrite PA but it contains much more data than what is put forward by the software. Thank you. (edited)
Replying to rfar:
What app version is it?
Replying to Aero:
I believe it is version 3.2.13
Replying to testermonkey:
Morning everyone, could anyone point me to an article or advice on what causes the iPhone's Safari app to save web pages in a PDF format in this container: \private\var\mobile\Containers\Data\Application\0B8CC322-C371-4B6C-9580-AD7E898D543A\tmp\450DC57D-C4F1-479F-B1D5-2F92209012BC.pdf otherwise I'll be playing with a test device for a week trying to find a possible answer
Did you ever come across anything for this? I was helping a colleague look through a phone rip from a couple of years ago and have over one hundred PDFs with CSAM embedded, all in the Safari tmp directory
Avatar
Hello, anyone know how to decode file_hash from the message_media table of WhatsApp's msgstore.db? It's supposed to be a base64-encoded SHA256, but when I try to decode the hash, it makes no sense. (edited)
Replying to chriscone_ar:
Still no luck after the update, feel free to DM whenever
Avatar
Anyone familiar with what an "InteractionC Contacts" entry refers to? "Outgoing Interaction Count" is 40, so I am assuming, for lack of more, that the device has interacted with that contact in some way (i.e. attempted to place a call)
2:15 AM
though there is no supporting call log entry
Replying to Sudo:
Had a case where the InteractionC showed way more calls than we could find in the call log as well... I think it might have something to do with the call log being flushed. You should be able to see the "groups" of the same call number as well... They have an id. Let's say the same phone number calls you twice, it gets the same group id. However, if another call comes in and then the first number calls again, it will get a new group id each time.
Avatar
Anyone from the @Magnet Forensics ready for a quick question? 🙂
Replying to sunile:
chriscone_ar 6/2/2023 6:47 AM
Happy to try and help.
Avatar
Hello everyone, does anyone know what the purpose is of files contained in the following file location? Data/data/com.android.chrome/app_textures The file path is self-explanatory; I'm just trying to figure out what the "app textures" part is. Thank you!
Camelot_46 6/5/2023 2:02 AM
Hi, does anyone know which file or files contain information about the user settings in Snapchat on an iPhone 11 with iOS 15.6.1? Need to find out if the user has saved Snaps to Memories or camera roll or both. Have looked at user.plist and scdb-27.sqlite3 but have not been able to find anything about the specified settings.
Avatar
Hi. I have an unlocked Xiaomi phone. I performed an FFS but unfortunately I was unable to access the Signal application, which may contain important data. The application is protected by a graphic pattern unknown to me. The phone does not have a password, and it is a security feature offered by Xiaomi as an additional security application. I found the access_control.key file. Has anyone had a similar problem and managed to solve it? (edited)
Replying to Camelot_46:
I think Memories are stored between the gallery_encrypted and scdb... It's been a bit, but I helped with this script which might help. This script does reach out to the internet to retrieve the Memories directly from Snapchat, so ensure whether you need legal process for that, but regardless, looking at the code might be able to help. https://github.com/snoop168/Snap_DecryptMemories
Script to download and decrypt memories and MEO from Snapchat on IOS. Requires the keys for memories to be present in the keychain, as well as the MEO key to get the MEO content. - GitHub - snoop16...
Avatar
Anyone have experience with _ATXDataStore.db in ios? Seems to be a part of the "DuetExpertCenter"
Replying to j_matas:
yeah call log was flushed on this device too
Avatar
@MSAB I am wondering how your product is decoding an IMEI from a hex value. I've used MTK Generic 3 profile on a BIN extraction of an unusual device. XAMN is highlighting the following hex value 0xC3F3077F6909D947558B in the "physical layers" but magically decodes this to IMEI 863586056771342. I can't figure out how it is decoding this? Can anyone help?
Replying to Camelot_46:
did you get an answer to this 🙂 Then I would like a DM 😉
Avatar
Is there an official way to put in a request for additional support decoding of messaging apps that aren't currently recognized? @Cellebrite
Replying to CIF:
policistic 6/6/2023 6:30 AM
Yes, you can contact cellebrite support if you want an official ticket number. I am on the product team and can relay the message too.
Avatar
Forgive me if this is the wrong channel but can anyone explain what this 0.smil file is on android sms/mms chat? It accompanies an attached photo and appears to provide display instructions for the image.
Avatar
Hello, has anyone managed to open a Signal backup file on a Windows computer?
1:19 AM
The backup file was exported from another users mobile device
Avatar
Avatar
realjh
Forgive me if this is the wrong channel but can anyone explain what this 0.smil file is on android sms/mms chat? It accompanies an attached photo and appears to provide display instructions for the image.
Terry_____ 6/7/2023 3:56 AM
That appears to be exactly what .smil files do. Tell the device how to present the image, timing for a slide show, timing for accompanying audio, associate hyperlinks with the image, and more. Basically it may be more than just a static image.
👍 1
Avatar
Q: Is a sim swap possible with e-sim devices? (edited)
Avatar
Avatar
svchost
Q: Is a sim swap possible with e-sim devices? (edited)
I would say it is possible by social engineering the service provider. The phone would still need to be programmable otherwise it would be locked to a single phone number which we know is not the case. The entity to do that would be the service provider (AT&T, Verizon, T-Mobile, etc).
Avatar
Avatar
FullTang
I would say it is possible by social engineering the service provider. The phone would still need to be programmable otherwise it would be locked to a single phone number which we know is not the case. The entity to do that would be the service provider (AT&T, Verizon, T-Mobile, etc).
Is there documentation on this?
Avatar
Avatar
svchost
Is there documentation on this?
I don't have or know of any specific documentation. My post was simply based on my understanding of the way phone numbers are assigned and the method historically used for SIM swap methods.
👍 1
Avatar
Avatar
svchost
Q: Is a sim swap possible with e-sim devices? (edited)
spicy_caveman 6/7/2023 3:45 PM
I agree with Tang- it is doable. Here's an article from 2022 about iOS 16 having a way to transfer e-sim to another iOS device. https://www.macrumors.com/2022/06/08/ios-16-iphone-esim-transfer-via-bluetooth/
iOS 16 introduces a useful new feature that allows an eSIM to be transferred between iPhones via Bluetooth while setting up cellular service. In...
👍 4
Avatar
What are people seeing as Cellebrite case load times for say later model IOS devices on purpose built forensic workstations?
Avatar
So I'm looking at an iPhone where it appears that the SIM card inserted into the phone has called itself. Anyone else had this issue? Some calls are unanswered and some are answered and have lasted for a maximum of 30 seconds. The calls are stored in CallHistory.storedata.
Avatar
jhaigh_4n6 6/8/2023 2:10 AM
@Cellebrite is there a way to submit feature requests through your support portal, or should I just submit a ticket for this? Thanks
📬 1
Avatar
Is anyone aware of the ZDisconnected_cause column from an iOS Callhistory.storedata and what the numbers relate to. E.g could 0 be ended by the local user, 6 ended by the other user etc.
Avatar
citizencain 6/8/2023 9:01 AM
I have a @Cellebrite Premium extraction that contains the usual decrypted keychain-2.db AND Cellebrite's recreated version backup_keychain_v2.plist. I want to use Passware and some other cracking tools, but all of them require a decrypted keychain plist that is structured similarly to GrayKey's - with the v_data fields (as opposed to Celle's un/wrapped keys). Does anyone know how to turn the keychain db OR Cellebrite's keychain plist into this format? Or what fields the v_data is comprised of?
📩 1
Avatar
Avatar
Jeeper
What are people seeing as Cellebrite case load times for say later model IOS devices on purpose built forensic workstations?
thatboy_leo 6/8/2023 10:01 AM
My 14 Pro Max iOS 16 range has been pretty much the same load time as my iPhone 11 dumps; advanced logicals take five or take 45 minutes on a 32 GB RAM, 2 TB Samsung SSD (don't have CPU specs with me rn)
Avatar
Avatar
Jeeper
What are people seeing as Cellebrite case load times for say later model IOS devices on purpose built forensic workstations?
spicy_caveman 6/8/2023 4:13 PM
I just had a new workstation installed with nice GPU/ RAM specs and typical PA load times for iOS devices is about 10-30 minutes max.
Avatar
Avatar
thatboy_leo
My 14 Pro Max iOS 16 range has been pretty much the same load time as my iPhone 11 dumps; advanced logicals take five or take 45 minutes on a 32 GB RAM, 2 TB Samsung SSD (don't have CPU specs with me rn)
thatboy_leo 6/8/2023 4:28 PM
Forgot to add that extraction I use is at least 192 GB
Avatar
numbersevenfan 6/8/2023 9:05 PM
Looking for some ideas for overcoming Magnet App Simulator failing to load any APK I throw at it. I export the APKs from various Android extractions I have. The emulator will start, I can see and interact with the clean VM, but it always fails at the "Installing applications to the emulator..." phase. I tried running it normally and Run as Administrator, I looked at the VM logs (but failed to notice anything telling), I made sure all of my other virtualization-capable tools were closed (Cellebrite, Android Studio, BlueStacks). I would do the ol' reliable restart of the computer, but can't just yet due to processes I need to wait on. Thank you for reading! (edited)
Avatar
Loz📱🕵 6/9/2023 5:28 AM
Hi all, I've come across some thumbnails within the .THUMBDATA4-1763508120 and .THUMBDATA4--1967290299 folders, and after some research I cannot determine what the difference is between these thumbnail containers. My initial thought was that the number string relates to a date, but it does not, as these folders are generic and the numbers never change. Does anyone know the method behind why a thumbnail may go into one over the other? Also, what determines the creation of the subfolders within?
Avatar
Avatar
Bill (VeriFi)
Is anyone else getting the PrivateCloudDataServiceError on UFED Cloud extractor? @Cellebrite
We are getting the same error message. Have you found a solution for this issue?
Avatar
What combo of Ufed/PA (versions) could do the first full file systems of iPhone 11 and 12 after the release of iOS 16?
Avatar
Avatar
goofycom
We are getting the same error message. Have you found a solution for this issue?
Bill (VeriFi) 6/11/2023 9:14 AM
Sent you a DM
Avatar
Avatar
goofycom
We are getting the same error message. Have you found a solution for this issue?
Hardstop the "UFED Cloud Analyzer Monitoring Service" (WebEx.Uccm.exe) and then restart PA - should work then. I had the same problem.
👍🏽 1
Avatar
I have an LG-H840 device with a broken connector. So far we've tried:
  • changing the connector -> did not work, the computer still can't recognise it
  • compiling dirtycow and then launching it with a terminal APK -> did not work, permission denied
  • we are currently trying to extract it through Wi-Fi, but so far our router doesn't work
Do you have any idea what we should try?
(edited)
Avatar
Hi, do you know if the chatsearch DB in WA is still available with WA 23 under iOS? I haven't seen this DB with this version.
4:57 AM
Actually I found the DB but it's empty
Avatar
Avatar
fA
Hardstop the "UFED Cloud Analyzer Monitoring Service" (WebEx.Uccm.exe) and then restart PA - should work then. I had the same problem.
Got same error, tried that but doesn't seem to be working for us :/
6:17 AM
@Cellebrite Any ideas on the above? 🙂
📬 1
Avatar
Does anyone know if Apple removed the "touching" events from the sysdiagnose logs in recent iOS versions?
7:37 AM
I'm no longer able to find any in 16.5
Avatar
So I've got multiple videos on a report from snapchat.. one of the videos is in the cache but has the users SC username in the title of the video.. why could that be? Also probably stupid Q but what is the best way to definitely say a video was recorded on SC or received by someone? I'm sure it was recorded but just wanted opinions.. thanks 😊
Avatar
Avatar
Chris
So I've got multiple videos on a report from snapchat.. one of the videos is in the cache but has the users SC username in the title of the video.. why could that be? Also probably stupid Q but what is the best way to definitely say a video was recorded on SC or received by someone? I'm sure it was recorded but just wanted opinions.. thanks 😊
I believe that when recording to "Memories", Snapchat automatically saves the location (GPS) of the phone (visible from a FFS with the keychain in Axiom if I remember correctly). This and some other metadata will not be present when that memory is sent/viewed to/by someone else. Which means that if your Memories recording has GPS, it came from the phone you extracted it from. This is at least how it used to be a while ago; not sure how SC does things now/if they changed it.
Avatar
Avatar
Chris
So I've got multiple videos on a report from snapchat.. one of the videos is in the cache but has the users SC username in the title of the video.. why could that be? Also probably stupid Q but what is the best way to definitely say a video was recorded on SC or received by someone? I'm sure it was recorded but just wanted opinions.. thanks 😊
Check the cache key in cache_controller.db, it will give you some information or ID on what the file is
Avatar
Avatar
BETBAMS
I believe that when recording to "Memories", Snapchat automatically saves the location (GPS) of the phone (visible from a FFS with the keychain in Axiom if I remember correctly). This and some other metadata will not be present when that memory is sent/viewed to/by someone else. Which means that if your Memories recording has GPS, it came from the phone you extracted it from. This is at least how it used to be a while ago; not sure how SC does things now/if they changed it.
Since you can import images/videos with GPS data from your gallery to memories, that can't be the only thing to look at. If the memory is imported that will however be recorded in scdb-27.sqlite/memories.db
👍 1
Avatar
Anyone from cellebrite on? Doing some phone extractions and for some reason the date in the timeline export to excel is going from 24/8/2022 to 8/24/2022 on the time column. I'm not in the US and it's only for [Created] artefacts. (edited)
Avatar
Avatar
Bill (VeriFi)
Is anyone else getting the PrivateCloudDataServiceError on UFED Cloud extractor? @Cellebrite
📬 1
Avatar
Does anyone know the difference between: \media\0\Pictures.thumbnails \data\com.sec.android.gallery3d\cache\
Avatar
Avatar
Dan15
Does anyone know the difference between: \media\0\Pictures.thumbnails \data\com.sec.android.gallery3d\cache\
I assume you mean \media\0\Pictures\.thumbnails. \data\com.sec.android.gallery3d\cache\ are thumbnails relating to Samsung Gallery app. \media\0\Pictures\.thumbnails\ are thumbnails to do with a different gallery type app. Possibly the one created by google? (edited)
Avatar
Avatar
Dan15
Does anyone know the difference between: \media\0\Pictures.thumbnails \data\com.sec.android.gallery3d\cache\
Hi. I think (but I'm not sure) the thumbnails that are in Pictures.thumbnails are the thumbnails for the Pictures folder. For the cache from gallery3d, it's the Samsung viewer app. The presence of images in the cache of this directory means that they were displayed on the phone screen. It is impossible to determine their origin from this application. Imagine that a user connects from his Samsung to a NAS where there are photos that he displays on his phone. The photo will be in the cache of gallery3d but nowhere else on the phone. The image could also come from private browsing on the internet where no trace is available on the medium.
Avatar
Is it me? I have been away from Axiom for a while, but now I'm using it again and the parsing of SMS/MMS is horrible, especially on Android. Am I missing something? I put it in "conversation view" but the participants are not listed by name, only phone number, which is a real pain to keep straight. Also, most of the media exchanged in a chat is not displayed. I parsed the same extractions in Cellebrite and the names and media appeared in the chat string. Anyone have any suggestions or is this just the state of Axiom these days?
Avatar
Hi, I have a video that is stored in \data\media\0\WhatsApp\Media\WhatsApp Video (Android). I understand that it's the folder for received files, but if someone received a video and doesn't play it, will this video be stored in this folder? Do you have to at least open it once for it to be stored in this path? The WhatsApp conversation containing the video is no longer available on the phone.
Avatar
If someone received a video and doesn't play it, will this video be stored in this folder? YES. Do you have to at least open it once for it to be stored in this path? NO
Avatar
Anyone know how to bruteforce BitLocker TPM?
1:51 AM
(is it even possible ?)
Avatar
Avatar
emilie_
Anyone know how to bruteforce BitLocker TPM?
What can you do with a stolen laptop? Can you get access to our internal network? That was the question a client wanted answered recently. Spoiler alert: Yes, yes you can. This post will walk you through how we took a “stolen” corporate laptop and chained several exploits together to get inside the
1:58 AM
maybe this helps
1:58 AM
no need to bf
Avatar
noice thx
Avatar
Avatar
AmNe5iA
If someone received a video and doesn't play it, will this video be stored in this folder? YES. Do you have to at least open it once for it to be stored in this path? NO
Thank you for your answer. That is very helpful
Avatar
Hi all, I am looking at cell tower data decoded in UFED PA, and am interested in two fields: Precision and Confidence. Is anyone able to tell me about the relationship between these two fields please? Precision seems self-explanatory, it's horizontal accuracy in metres (presumably), it's more the confidence field that I wish to understand more. Appears to be a percentage value.
📥 1
Avatar
Avatar
Alex Owen
Hi all, I am looking at cell tower data decoded in UFED PA, and am interested in two fields: Precision and Confidence. Is anyone able to tell me about the relationship between these two fields please? Precision seems self-explanatory, it's horizontal accuracy in metres (presumably), it's more the confidence field that I wish to understand more. Appears to be a percentage value.
thatboy_leo 6/15/2023 8:16 AM
Confidence relates to how confident the device is that it is within the given radius.
Avatar
Hi all. Anyone getting huge discrepancies when decoding with PA 7.62? It seems that there can be a difference of thousands in the same extraction opened twice.
📬 1
Avatar
@Cellebrite ^^
📬 1
Avatar
Mattia Epifani 6/16/2023 8:05 AM
Open question: What could be the reason for a missing rowID in the "messages" table in a msgstore.db of WhatsApp on Android or chatstorage.sqlite on iOS? 1) The specific single message was deleted 2) The entire chat where that message was stored was deleted or cleared. Other possible reasons, other than deletion?
Avatar
Anyone ever analyze an extraction from a leep frog device
Avatar
Avatar
Mattia Epifani
Open question: What could be the reason for a missing rowID in the "messages" table in a msgstore.db of WhatsApp on Android or chatstorage.sqlite on iOS? 1) The specific single message was deleted 2) The entire chat where that message was stored was deleted or cleared. Other possible reasons, other than deletion?
As an addition to deleting: a withdrawal of a received message by the other party, perhaps? Or a temporary setup of the auto-delete function, and then changing it back again. (edited)
Avatar
Avatar
BETBAMS
I believe that when recording to "Memories", SnapChat automatically saves the location (GPS) of the phone (visible from a FFS with the keychain in Axiom if I remember correctly). This and some other other metadata will not be present when that memory is sent/viewed to/by someone else. Which means that if your Memories-recording has GPS, it came from the phone you extracted it from. This is alteast how it used to be a while ago - not sure how SC does things now/if they changed it.
GrayShift_Matthieu 6/17/2023 2:42 PM
I am late to the party, but that data comes from galleryencrypted.db, which holds data for every snap, both sent and received. So locations are coming from these. And to be precise, they are tied to snaps and not to memories. (edited)
👍 1
Avatar
Avatar
florus
As an addition to deleting: a withdrawal of a received message by the other party, perhaps? Or a temporary setup of the auto-delete function, and then changing it back again. (edited)
Mattia Epifani 6/18/2023 12:08 AM
Yes, I agree. But as you said, it's still a "deletion". I was trying to think if there could be any other explanation other than "a message was received and then it was deleted (by the user, by the other party or by the auto-delete function)".
Avatar
I’m trying to recover a deleted video from a Motorola cell phone. I did a full file system and an SD card dump. I believe the SD card dump is where the information is coming from. PA sees the video as .pendingFILENAME.mp4 but it’s a zero byte file. The path to the file is No NAME/DCIM/Camera. The SD card dump is a physical extraction stored as a bin file. Any way to carve the data?
Avatar
Avatar
dcs453
I’m trying to recover a deleted video from a Motorola cell phone. I did a full file system and an SD card dump. I believe the SD card dump is where the information is coming from. PA sees the video as .pendingFILENAME.mp4 but it’s a zero byte file. The path to the file is No NAME/DCIM/Camera. The SD card dump is a physical extraction stored as a bin file. Any way to carve the data?
What file system is the SD card using?
Avatar
Private Derp 6/18/2023 8:21 PM
Hi all! I am trying to locate where Discord Messages / Chats would be stored on an Android 13 phone. For example, I am using the test image by Josh Hickman (https://digitalcorpora.org/corpora/cell-phones/android-13-image/) His report details there should be messages on the phone, but I am unable to locate where Discord may be storing them.
8:22 PM
I have tried all through /data/data/com.discord but still cant find them :/ any help would be greatly appreciated!
Avatar
Avatar
Private Derp
I have tried all through /data/data/com.discord but still cant find them :/ any help would be greatly appreciated!
Andrew Rathbun 6/18/2023 8:38 PM
Android 12 image, not 13, but there's 2 Discord SQLite databases here: https://github.com/AndrewRathbun/DFIRArtifactMuseum/blob/main/Android/Android12SQLiteDBs.txt#L965-L966 Maybe the 13 image is similar?
The goal of this repo is to archive artifacts from all versions of various OS&#39;s and categorizing them by type. This will help with artifact validation processes as well as increase access t...
Avatar
Private Derp 6/18/2023 9:01 PM
Bookmarked that page anyway, but still cant seem to find where the messages are being stored. The pre-identified DBs on that page are in the Android 13 extraction, they just seem to either be empty or not store the messages that were reported by Hickman.
9:01 PM
will keep playing around and report back here if I find anything
Avatar
Avatar
Mattia Epifani
Yes, I agree. But as you said, it's still a "deletion". I was trying to think if there could be any other explanation other than "a message was received and then it was deleted (by the user, by the other party or by the auto-delete function)".
Less obvious is a bug in the APK, but that is something you can't test... That's all I got 🙂 (edited)
🔥 1
Avatar
Avatar
Private Derp
I have tried all through /data/data/com.discord but still cant find them :/ any help would be greatly appreciated!
Heimdall4N6K 6/19/2023 12:20 AM
tried aleapp?
Avatar
Avatar
florus
Less obvious is a bug in the APK, but that is something you can't test... That's all I got 🙂 (edited)
Mattia Epifani 6/19/2023 12:38 AM
Thanks 😉
Avatar
Does iLEAPP work well with a partial AFU extract (GrayKey)? Or does it only work with full file system extractions? I know my image has Telegram messages, but I didn't get anything out with iLEAPP.
Avatar
Avatar
FullTang
What file system is the SD card using?
The SD Card is running FAT32 I tried the carving tool inside of PA but it didn’t get anything.
Avatar
Hi there! I'm going to have to check on two android phones whether the flashlight was turned on... At the moment all I've got is an old android 9 (note 8) for testing, is there a DB logging that on Android?
Avatar
Avatar
dcs453
The SD Card is running FAT32 I tried the carving tool inside of PA but it didn’t get anything.
Hi, give X-Ways a try. Otherwise you can always use PhotoRec (open-source); it works quite well for multimedia carving. (edited)
Avatar
Avatar
dcs453
I’m trying to recover a deleted video from a Motorola cell phone. I did a full file system and an SD card dump. I believe the SD card dump is where the information is coming from. PA sees the video as .pendingFILENAME.mp4 but it’s a zero byte file. The path to the file is No NAME/DCIM/Camera. The SD card dump is a physical extraction stored as a bin file. Any way to carve the data?
What about X-Ways, Axiom or any other tool like photorec as mentioned above
Avatar
maybe the card, or files on the card were encrypted (edited)
👍 1
Avatar
collusion11 6/19/2023 7:36 AM
Apologies (edited)
Avatar
Avatar
Arcain
maybe the card, or files on the card were encrypted (edited)
Yes, that's why a closer look to the SD Card E01 image is needed
Avatar
Avatar
CLB_joshhickman1
The latest version of PA should handle it. If it didn’t please let me know.
Does it also work with IOS and a AFU?
Avatar
Hi. I have got a physical acquisition from an Alcatel phone (unknown model, secure startup enabled). The acquisition was made with @Oxygen Forensics putting the phone into brom mode (both volume keys pressed while plugging usb cable). The phone has been recognized as an MTK "MT6580". Now pw bruteforce is in progress and in the acquisition folder there is a textual extraction log that contains this line: "[MTKExtractor::detectEncryptionType] [Value] State = PasswordEncrypted" (edited)
10:30 AM
My question is: this line means that the secure startup unlock code is an alphanumeric password?
Avatar
Avatar
trillian
Does iLEAPP work well with a partial AFU extract (GrayKey)? Or does it only work with full file system extractions? I know my image has Telegram messages, but I didn't get anything out with iLEAPP.
It depends, how's the image look?
Avatar
Does someone know if there is an article over Session and IOS?
Avatar
Avatar
stark4n6
It depends, how's the image look?
I don't understand your question, sorry. It's a zip and even the zip is named "afu_partial". It's iOS 16.3.1.
Avatar
Avatar
FabianoQ
My question is: this line means that the secure startup unlock code is an alphanumeric password?
Oxygen Forensics 6/20/2023 12:50 AM
Hello! This line refers to a part of the series of checks for the encryption type. It doesn't refer to anything specific like the password type or even FBE or FDE. It just means that the start of the Userdata partition is encrypted and we can proceed with the other checks to determine exact encryption type 🙂
Avatar
Avatar
Oxygen Forensics
Hello! This line refers to a part of the series of checks for the encryption type. It doesn't refer to anything specific like the password type or even FBE or FDE. It just means that the start of the Userdata partition is encrypted and we can proceed with the other checks to determine exact encryption type 🙂
Thanks for your explanation. Is there some other place to look for this info? By the way, I am quite sure that in this case it is a numerical PIN, because I verified that on the unlock code request screen the phone offers only the numeric pad.
📬 1
oxygen 1
Avatar
Hello! anyone know the difference between "not answered" and "missed" on UFED ?
Avatar
@Cellebrite I try to use "activate TomTom trip log" using UFED Device Adapter but when I try to either {enable | disable}, I have this error message : Communication Error, cannot initialise connection. Am I doing something wrong ?
Avatar
Avatar
trillian
I don't understand your question, sorry. It's a zip and even the zip is named "afu_partial". It's iOS 16.3.1.
I'm not familiar with partial images so how does the file/folder structure look? That will determine how iLEAPP parses it
Avatar
Avatar
BobbyD
Hello! anyone know the difference between "not answered" and "missed" on UFED ?
I would have interpreted this in my own use of 4PC as "declined' and 'missed' but I could be wrong. Declined in that the user rejected the call. Missed in that the call rang out.
👍 1
Avatar
Avatar
stark4n6
I'm not familiar with partial images so how does the file/folder structure look? That will determine how iLEAPP parses it
I can see: Applications, bin, dev, cores, private, Developer, Library, sbin, System and usr. And while iLEAPP does parse everything else (I believe), it doesn't parse Telegram. So I'd have to do it manually. Maybe I just need to change the directory to look at in the code?
Avatar
Avatar
trillian
I can see: Applications, bin, dev, cores, private, Developer, Library, sbin, System and usr. And while iLEAPP does parse everything else (I believe), it doesn't parse Telegram. So I'd have to do it manually. Maybe I just need to change the directory to look at in the code?
It could be multiple things but possible something changed with the application or the path is incorrect
Avatar
Avatar
stark4n6
It could be multiple things but possible something changed with the application or the path is incorrect
I will check that out then, thank you!
Avatar
I just noticed after some Secure Folder fiddling that the clipboard persists after uninstalling and installing a new Secure Folder on Samsung. Is this a known thing? Couldn't find it on simple googling.
Avatar
Anyone know how to load an Elcomsoft cloud extraction into @Cellebrite PA or @Magnet Forensics Axiom? Thanks!
Avatar
I would say it depends what it looks like. I haven't seen an Elcomsoft extraction in quite some time.
Avatar
Avatar
OregonDFIR
Anyone know how to load an Elcomsoft cloud extraction into @Cellebrite PA or @Magnet Forensics Axiom? Thanks!
chriscone_ar 6/21/2023 9:37 AM
I agree with @CLB-Paul on this, depends on how it's put together.
Avatar
For data parsed from an iPhone, does Axiom or PA parse the "Saved From" data? If not, does anyone know where this data is pulled from? (edited)
Avatar
Avatar
CLB-Paul
I would say it depends what it looks like. I haven't seen an Elcomsoft extraction in quite some time.
Well it's hard to describe, it's not compressed but it would take too long to describe it here. Thanks.
Avatar
Avatar
renfantino
For data parsed from an iPhone, does Axiom or PA parse the "Saved From" data? If not, does anyone know where this data is pulled from? (edited)
If you are asking about photos, maybe @ScottKjr3347 would know?
👍 1
Avatar
Avatar
FullTang
If you are asking about photos, maybe @ScottKjr3347 would know?
I'm referring to images/videos viewed in the Photos app.
Avatar
Avatar
renfantino
I'm referring to images/videos viewed in the Photos app.
Ok, he is very savvy when it comes to iOS photos. Here is a link to his blogs, you might find some answers in there. https://theforensicscooter.com/
Visit the post for more.
🥰 1
Avatar
Avatar
renfantino
For data parsed from an iPhone, does Axiom or PA parse the "Saved From" data? If not, does anyone know where this data is pulled from? (edited)
ScottKjr3347 6/21/2023 3:08 PM
Haven’t had a chance to verify this, but I’m pretty sure this is where you will find the data you are looking for: The data you are looking for isn’t getting parsed by all of the forensic tools and will require manual parsing. You might want to analyze photos.sqlite ZADDITIONALASSETATTRIBUTES table ZCREATORBUNDLEID column in iOS 14 or ZIMPORTEDBYBUNDLEIDENTIFIER column in iOS 15 and 16.
👍 1
Avatar
Avatar
OregonDFIR
Well it's hard to describe, it's not compressed but it would take too long to describe it here. Thanks.
send me a dm we can chat about it, or even schedule a call if needed
Avatar
Is there a known artifact which tells whether a password has been changed on x date on iOS?
Avatar
Is it possible to see in any plist file if "Hide my number" has been active or not in an extraction?
Avatar
So I have come across a 1st for me. . . suspected AI generated CSAM images. Looking at the metadata, it's clear that the images have been through some sampling and other enhancements. There are also parameters in the metadata that appear to be user inputs to describe what type of image the user is trying to create. Ive attached a couple images of the metadata. Does anyone have enough experience with this stuff to know if the images are 100% AI generated or if maybe an actual photo was used and then post processed?
Avatar
There is a seed given, so I wonder if there is a chance the image can be generated automatically with the same parameters to check
7:50 AM
might depend on the engine, but for example Stable Diffusion is fully deterministic
Avatar
anyone from @Cellebrite available ?
Avatar
Avatar
emilie_
anyone from @Cellebrite available ?
CLB_iwhiffin 6/22/2023 9:10 AM
Hi Isaac, how can I help?
Avatar
Avatar
B
Is there a known artifact which tells whether a password has been changed on x date on iOS?
CLB_iwhiffin 6/22/2023 11:24 AM
It used to be listed in the lockdown.log if you search for "password_changed_callback", but I haven't checked recently if it's still there. It also doesn't give you much info except that a change occurred.
Avatar
Avatar
CLB_iwhiffin
It used to be listed in the lockdown.log if you search for "password_changed_callback", but I haven't checked recently if it's still there. It also doesn't give you much info except that a change occurred.
Thanks Ian!
Avatar
Avatar
Cenizas
So I have come across a 1st for me. . . suspected AI generated CSAM images. Looking at the metadata, it's clear that the images have been through some sampling and other enhancements. There are also parameters in the metadata that appear to be user inputs to describe what type of image the user is trying to create. Ive attached a couple images of the metadata. Does anyone have enough experience with this stuff to know if the images are 100% AI generated or if maybe an actual photo was used and then post processed?
Maybe amped five software could help with this? https://ampedsoftware.com/five
Amped FIVE is the most trusted software for forensic video analysis and image enhancement for law enforcement, investigations, and intelligence.
4:26 PM
https://ampedsoftware.com/authenticate or this one. I don't have experience with it though 😄
Amped Authenticate is the most complete software for forensic image authentication, photo tampering detection, and camera identification.
Avatar
Hans Leißner 6/23/2023 1:34 AM
Have a great day everyone! I have a question regarding iOS wipe artifacts. We have an already wiped iPad in the office. Unfortunately, since this iPad has not been reactivated since the wipe (unknown time), I cannot use the sources I know. My question is: for the wiped iPad, can I determine when the wipe occurred without setting up the iPad? EDIT: just in that second I found the following article: https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html Maybe that already answered my question. But if someone knows additional info about it, please let me know (edited)
🥰 1
Avatar
Avatar
Hans Leißner
Have a great day everyone! I have a question regarding iOS wipe artifacts. We have an already wiped iPad in the office. Unfortunately, since this iPad has not been reactivated since the wipe (unknown time), I cannot use the sources I know. My question is: for the wiped iPad, can I determine when the wipe occurred without setting up the iPad? EDIT: just in that second I found the following article: https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html Maybe that already answered my question. But if someone knows additional info about it, please let me know (edited)
https://dfir.pubpub.org/pub/6i7d593n/release/1 Purplebuddy.plist can give you some insight, if you can get a BFU?
florus
https://dfir.pubpub.org/pub/6i7d593n/release/1 Purplebuddy.plist can give you some insight, if you can get a BFU?
Hans Leißner 6/23/2023 11:00 AM
Thanks Florus 😊 next week I'll dig into it. I'll post my results here (no matter what)
Hi everyone, regarding the "localappstate.db" files on Android devices, does anyone know for certain whether it only contains entries for app installations that have happened specifically on that device? As opposed to any app installations from that Google Play account across multiple devices for example? (edited)
exFAT
Hi everyone, regarding the "localappstate.db" files on Android devices, does anyone know for certain whether it only contains entries for app installations that have happened specifically on that device? As opposed to any app installations from that Google Play account across multiple devices for example? (edited)
I'm pretty sure it's specific to that device. You would need to send a search warrant to Google with the account name to get the entire purchase/download history.
Terry_____
I'm pretty sure it's specific to that device. You would need to send a search warrant to Google with the account name to get the entire purchase/download history.
Awesome that was my thought to be honest. The fact that it can contain multiple Google accounts within that database means it would make sense for it to be device specific. Thank you!
setuplastexit - what else might modify this timestamp other than exit after a reset or on setup of a brand new device?
Beno 🇬🇧 6/26/2023 1:09 AM
Morning people, does anyone have any experience of decoding the PlayStation app? Or is it cloud based?
Anyone from @Cellebrite please?
Question for the hive mind: my case agent asked me about this log entry on an iOS device from DataUsage.sqlite. He was wondering if this indicated that a payment was made to someone. There is no other data that indicates activity in the Messages app within 26 minutes of the log entry. Screenshot attached. Any idea what triggered this usage? Could it have just been a system call in the background and not actual user activity? Anyone seen this before? (Searches here and in Google don't reveal anything)
Sorry for the wall of text. I've seen mention in earlier posts about the 'changed timestamp', but can't find a clear answer. I'm examining a phone again; it's an Android Physical Extraction that was performed in 2018. Galaxy S6, Android 7.0.
11:27 AM
@Oxygen Forensics is showing me a 'Changed' timestamp on a database file, where the timestamp doesn't make sense to me. I'm not seeing much to support activity of this particular application recently before the phone was seized. I don't see the application listed in ContentLog.db, which I use to show usage sometimes. I don't see any record within the recent_images/recent_tasks files, which I use at times to show the state of recent applications used on the phone. Doing a sort on timestamps for ALL files from this application, it looks like this application hadn't been used for many weeks prior to the phone being seized when using the traditional Created/Accessed/Modified timestamps.
11:27 AM
But there are two files within this application that have 'Changed' timestamps that support a narrative from the user of the phone, who says that this application was used just prior to the phone being seized. If this changed timestamp wasn't decoded or displayed to me, I'd see nothing else to support this application having been used. I had a case not too long ago with some important 'Changed' files, but for an iOS case. For that one, I came to the conclusion that the file name may have been changed, but nothing within the file itself. There is nothing inside the database to support when anything may have been accessed or written to, no timestamps of note in the database. Axiom and Cellebrite PA (but not 8.x) did not present these Changed timestamps from this extraction.
And just to add to it, X-Ways Forensics shows the same timestamp under 'Record Changed' as Oxygen does, so two tools are reporting this timestamp, but nothing too sure yet on what causes 'Record Changed' to be affected.
Hello all, got a full filesystem iPhone extraction, phone was seized in Dec 2022. There is some data of interest in safari history.db, however the entries are showing modified dates of late Jan 2023. The device was off after seizure and not powered on for examination until May / Jun 2023. Is anyone able to shed light on what the modified dates could refer to? Thank you.
@Pixel Safari naturally is designed to retain only for 30 days I believe? You're dealing with something happening roughly 30 days after seizure. Could it be related to records purging? Were they deleted entries?
Any tips on how to find an activation date for an iPhone (model: A2275, iOS 16.2)? I have the extraction loaded into Physical Analyzer and Axiom.
zero00796
Any tips on how to find an activation date for an iPhone (model: A2275, iOS 16.2)? I have the extraction loaded into Physical Analyzer and Axiom.
Try checking the creation dates of core databases (CallHistory.storedata, SMS.db, AddressBook.sqlite, PPSQL.Database). Also, the creation time for ContainerManager should be the first time it was turned on.
FullTang
Try checking the creation dates of core databases (CallHistory.storedata, SMS.db, AddressBook.sqlite, PPSQL.Database). Also, the creation time for ContainerManager should be the first time it was turned on.
The access date is around the time I think the phone was activated. But the creation dates for these show 2018 and the phone didn't release until 2020. I feel like I'm missing something.
zero00796
The access date is around the time I think the phone was activated. But the creation dates for these show 2018 and the phone didn't release until 2020. I feel like I'm missing something.
Interesting, I wonder if data was imported from a previous phone?
There is data such as messages from before 2020. The working theory is that the data is from a backup. Would that affect the creation dates for those databases?
2:14 PM
Also thank you for the help.
zero00796
There is data such as messages from before 2020. The working theory is that the data is from a backup. Would that affect the creation dates for those databases?
I like the idea that a backup from a computer was uploaded to the phone via USB rather than downloaded from iCloud. To me it makes more sense that the creation time stamp would stay the same with the accessed time changing via a USB backup. If the phone had the data downloaded from the cloud I would think that a whole new database would be created and the creation time stamp would reflect the time it was downloaded.
but the latest Outlook versions are not processed by physical ?
(This may have been asked and answered but I could not find anything concrete. If it’s available point me in the right direction please and thank you.) I have some iChat files that were provided on a thumb drive after being copied over from a MacBook. I do not have any Mac work stations so I’m trying to figure out the best way to read those files on a windows work station. Any advice is appreciated!
zero00796
Any tips on how to find an activation date for an iPhone (model: A2275, iOS 16.2)? I have the extraction loaded into Physical Analyzer and Axiom.
Hi all, I have an odd question - not sure if I'm posting in the right place. I have an old Nokia E72 - I have a full physical dump (using UFED4PC) and PM files using a flasher box. I need to extract / decrypt the unlock code from the dump. The purpose is for other devices with perhaps the same password. Does anyone know how? Thanks (apologies if I'm posting in multiple channels).
manuelevlr
but the latest Outlook versions are not processed by physical ?
Paolo
Hi all, I have an odd question - not sure if I'm posting in the right place. I have an old Nokia E72 - I have a full physical dump (using UFED4PC) and PM files using a flasher box. I need to extract / decrypt the unlock code from the dump. The purpose is for other devices with perhaps the same password. Does anyone know how? Thanks (apologies if I'm posting in multiple channels).
I don't have information about that specific model, but it could be worth checking records 308(5) and 35(0) since these are very common places for the security code to be stored.
Hi @MSAB_Sofia, I've seen that same information posted online somewhere, but was having trouble locating those. Is there a quick rundown on how/where?
11:50 PM
I have only PA at my disposal.
If I'm looking at the PM file with Notepad, I see 308
11:58 PM
but, it only has records 0,1,3,4,6,7 & 9
Looking for help. Does anyone understand the nuts and bolts of Google Takeout location data? I'm looking for explanations of data points such as Tilt and GPS (does that indicate satellite GPS, a cell tower best guess, or a Wi-Fi access point best guess?).
Hi all, does anyone have any info on how Huawei devices store activity logs? Thanks!
Anyone know what DB/config file I'd find the bio for a WhatsApp group on iOS?
Anyone know what scenario would cause a physical SIM to give back 2 MSISDN numbers? @Cellebrite
An MSISDN on a SIM can be re-written. Can you look at the source file?
I, unfortunately, do not have the source file; I didn't do the extraction.
Vighnesh R🇮🇳 6/29/2023 12:29 PM
Hello everyone, can someone help me by telling me how to detect a mobile phone of make ZIOX and model number ZX342 as an MTP device?
12:33 PM
and also why is UFED Physical Analyzer not playing and video and audio files for me ?
12:33 PM
any video and audio*
Can PA parse WeChat or Telegram backups from a folder? The user has simply done a backup to their desktop, via both Telegram and WeChat Desktop app - I have the backups and the user is somewhat compliant in that I can likely obtain the IMEI but the device is not available. (edited)
Jeeper
Can PA parse WeChat or Telegram backups from a folder? The user has simply done a backup to their desktop, via both Telegram and WeChat Desktop app - I have the backups and the user is somewhat compliant in that I can likely obtain the IMEI but the device is not available. (edited)
Maybe this can help: https://youtu.be/IWZB0n_laSg
Hi everyone, I have an SD card image (which was used in a phone), which I can mount without any issue and navigate through in file system view, but I can't access any of the files (pictures, PDFs, ...), as if the source was missing (but the size of each individual file looks fine). The header of every file contains "..b._CONSOLE". Any idea why? It obviously looks like the SD card is encrypted, but then why can I still mount it and navigate through it? Thanks in advance for your help!
@A47199 it seems like FBE... So the files are encrypted, not the medium
2:56 AM
Hello everyone, I searched quickly but did not find concrete solutions. I have files with the evo extension containing videos but cannot play them... Is there a way to play them?
rico
@A47199 it seems like FBE... So the files are encrypted, not the medium
That's what I thought, thanks a lot for your help
FullTang
Try checking the creation dates of core databases (CallHistory.storedata, SMS.db, AddressBook.sqlite, PPSQL.Database). Also, the creation time for ContainerManager should be the first time it was turned on.
Hello! I need some information regarding the JOURNAL file located in ..../com.sec.android.gallery3d/cache/1/journal. I can see that this file has almost all the filenames of the files stored in folder 0. For each file there is a comment: CLEAN, DIRTY or READ. Can you tell me the meaning of this information? Thank you.
Peacekeeper 6/30/2023 5:54 AM
Anyone here able to help me out? Just ran into something I just cannot figure out, maybe someone here knows the answer. I have an FFS extraction of a Samsung S23, running Android 13. I have found a video file of interest located in: /data/sec/photoeditor/0/* Anyone who knows how/why media files are located/moved to this location? There are several media files in this location, but if these media files were edited through an app on the phone, I would expect them to be in either /data/media/* or in /data/data/<app>/*. It feels like sheer luck that this file is still present, since any and all other media files in regards to the crime have been deleted (only a couple of teeny tiny thumbnails are present that 'look like' the media files of interest, but since they're just 72x40px they look like anything you want them to look like quite easily...)
Peacekeeper
Anyone here able to help me out? Just ran into something I just cannot figure out, maybe someone here knows the answer. I have an FFS extraction of a Samsung S23, running Android 13. I have found a video file of interest located in: /data/sec/photoeditor/0/* Anyone who knows how/why media files are located/moved to this location? There are several media files in this location, but if these media files were edited through an app on the phone, I would expect them to be in either /data/media/* or in /data/data/<app>/*. It feels like sheer luck that this file is still present, since any and all other media files in regards to the crime have been deleted (only a couple of teeny tiny thumbnails are present that 'look like' the media files of interest, but since they're just 72x40px they look like anything you want them to look like quite easily...)
Is it possible to secure edited photos? Or add a password to them in some way?
Peacekeeper
Anyone here able to help me out? Just ran into something I just cannot figure out, maybe someone here knows the answer. I have an FFS extraction of a Samsung S23, running Android 13. I have found a video file of interest located in: /data/sec/photoeditor/0/* Anyone who knows how/why media files are located/moved to this location? There are several media files in this location, but if these media files were edited through an app on the phone, I would expect them to be in either /data/media/* or in /data/data/<app>/*. It feels like sheer luck that this file is still present, since any and all other media files in regards to the crime have been deleted (only a couple of teeny tiny thumbnails are present that 'look like' the media files of interest, but since they're just 72x40px they look like anything you want them to look like quite easily...)
Let me try and load up my personal S23 FFS image this weekend and look if I have anything in that directory, and whether it rings a bell what I did with that file that would have pushed it there
Jeeper
Can PA parse WeChat or Telegram backups from a folder? The user has simply done a backup to their desktop, via both Telegram and WeChat Desktop app - I have the backups and the user is somewhat compliant in that I can likely obtain the IMEI but the device is not available. (edited)
Sounds more like something AXIOM would be able to do but I don't have the supported artifact list open at the moment
Cip
Maybe this can help: https://youtu.be/IWZB0n_laSg
Hiya, thanks, yeah PA will bring in the content via this route, and the JSON relating to the chats is in plain English and browsable within the file format viewer, but ultimately it would be nice to process this JSON to appear as 'chats' within Analyzed Data for tagging and export of specific threads. I can't work out why there's not at least a plugin for Telegram .. (edited)
Does anyone have any tips or documentation they can share in relation to the CapCut application (ideally the iOS version)?
facelessg00n 7/3/2023 7:37 PM
@Cellebrite is there a way to filter media based on hash list hits, i.e. only show media that hasn't hit on a hash list, so we can exclude known good files without redacting them?
Jeeper
Can PA parse WeChat or Telegram backups from a folder? The user has simply done a backup to their desktop, via both Telegram and WeChat Desktop app - I have the backups and the user is somewhat compliant in that I can likely obtain the IMEI but the device is not available. (edited)
facelessg00n 7/3/2023 7:46 PM
Have a look at telegram-desktop-decrypt on GitHub. Not sure it works with the latest versions tho
facelessg00n
@Cellebrite is there a way to filter media based on hash list hits, i.e. only show media that hasn't hit on a hash list, so we can exclude known good files without redacting them?
Just throwing this out there, you'll probably need to tag all the "known good" items as "known good" then filter for untagged/not "known good"
Sha1_4n6
Just throwing this out there, you'll probably need to tag all the "known good" items as "known good" then filter for untagged/not "known good"
facelessg00n 7/3/2023 8:19 PM
I was hoping to have it all automated without that extra step. Seems a little odd I can’t filter on any hits apart from the baked in known files list
Anyone from @Magnet Forensics free for a question?
facelessg00n
@Cellebrite is there a way to filter media based on hash list hits, i.e. only show media that hasn't hit on a hash list, so we can exclude known good files without redacting them?
ScottKjr3347 7/4/2023 8:41 AM
If there is anyone else out here that would like this feature please: Submit a ticket…I’ve been asking for this filter to be added for two years.
ScottKjr3347
If there is anyone else out here that would like this feature please: Submit a ticket…I’ve been asking for this filter to be added for two years.
facelessg00n 7/4/2023 5:11 PM
I’ll make sure I submit it as well. Super frustrating not having it. The workaround is to select all from the insights menu and redact them and filter out redacted but for this job I don’t want them redacted.
Hans Leißner 7/5/2023 12:07 AM
@Cellebrite Good morning! Someone online and a little time? I have problems installing the UFED PA 8. Thanks in advance!
Excluding hash lists in XAMN when viewing media is easy FYI, funnily enough I have a MSAB Monday video coming out soon to show that capability
MSAB_Adam
Excluding hash lists in XAMN when viewing media is easy FYI, funnily enough I have a MSAB Monday video coming out soon to show that capability
Heimdall4N6K 7/5/2023 5:03 AM
and don't forget that the hash value list filter in the viewer can also be used to exclude hash values.
Hello all. I'm looking for a list of fleeting databases in iOS. I know Magnet used to have this somewhere to look at but I can't seem to find it. Any help is appreciated. Thanks.
Looking at the Samsung Digital Wellbeing database on an Android 13 device (SM-N981U) and wondering if there's any reason that the events records would end a few days before expected. It's about 4 days shy of my incident and about 7 days shy of the extraction. Is the data written somewhere else temporarily until some processing occurs?
Has anyone had any success in parsing Grindr on Android? I've an extraction which reports running Grindr version 8.2.0, where Oxygen only supports up to 8.15.1. Cellebrite and Axiom haven't had any success so far. They can see that Grindr is present, but not much else. (edited)
snoop168
Looking at the Samsung Digital Wellbeing database on an Android 13 device (SM-N981U) and wondering if there's any reason that the events records would end a few days before expected. It's about 4 days shy of my incident and about 7 days shy of the extraction. Is the data written somewhere else temporarily until some processing occurs?
I did some testing and validating recently. But that's not something I saw. It's pretty spot on. The only thing I can think of is that the phone was off or that the user changed the app permissions to none? (edited)
Nilandia
Has anyone had any success in parsing Grindr on Android? I've an extraction which reports running Grindr version 8.2.0, where Oxygen only supports up to 8.15.1. Cellebrite and Axiom haven't had any success so far. They can see that Grindr is present, but not much else. (edited)
CLB-DannyTheModeler 7/6/2023 12:09 AM
Have you tried running PA's AppGenie on the App?
Nilandia
Has anyone had any success in parsing Grindr on Android? I've an extraction which reports running Grindr version 8.2.0, where Oxygen only supports up to 8.15.1. Cellebrite and Axiom haven't had any success so far. They can see that Grindr is present, but not much else. (edited)
@Oxygen Forensics might add support for this new version if you ask them nicely 🙂
Nilandia
Has anyone had any success in parsing Grindr on Android? I've an extraction which reports running Grindr version 8.2.0, where Oxygen only supports up to 8.15.1. Cellebrite and Axiom haven't had any success so far. They can see that Grindr is present, but not much else. (edited)
Oxygen Forensics 7/6/2023 1:35 AM
Hello! I have forwarded the issue to devs and we will update parsing to the newest version 🙂
I got an investigator asking about the difference between "Missed" and "Not answered" on the regular call log in UFED Reader. Anyone from @Cellebrite, or anyone for that matter, that knows the difference?
Johnie
I got an investigator asking about the difference between "Missed" and "Not answered" on the regular call log in UFED Reader. Anyone from @Cellebrite, or anyone for that matter, that knows the difference?
CLB-DannyTheModeler 7/6/2023 4:02 AM
Check to see if you see correlation between the direction of the call and the status- Incoming calls-Missed, Outgoing- Not Answered.
CLB-DannyTheModeler
Check to see if you see correlation between the direction of the call and the status- Incoming calls-Missed, Outgoing- Not Answered.
Update: it's Facebook calls, outgoing, and they are either missed or not answered.
@Grayshift what data is typically stored in the process memory dump mem.zip for graykey?
Mr Saturn
@Grayshift what data is typically stored in the process memory dump mem.zip for graykey?
I haven’t parsed one for a while, but in the past I have recovered web page, email and internet artefacts!!
Stevie_C
I haven’t parsed one for a while, but in the past I have recovered web page, email and internet artefacts!!
Thanks Stevie, just wondered out of interest
florus
I did some testing and validating recently. But that's not something I saw. It's pretty spot on. The only thing I can think of is that the phone was off or that the user changed the app permissions to none? (edited)
Any idea where the setting would be shown in the extraction?
snoop168
Any idea where the setting would be shown in the extraction?
No clue, I see you can change the permissions in the Wellbeing app, but I never looked at it in the database/settings file.
florus
I did some testing and validating recently. But that's not something I saw. It's pretty spot on. The only thing I can think of is that the phone was off or that the user changed the app permissions to none? (edited)
I can only say the same
snoop168
Any idea where the setting would be shown in the extraction?
CLB_joshhickman1 7/6/2023 8:55 AM
You can check permissions in runtime-permissions.xml; look for the package "com.samsung.android.forest". To add to what @florus said, you can look for device power events in Digital Wellbeing (eventId 26 for power off and eventId 27 for power on). (edited)
Oxygen Forensics
Hello! I have forwarded the issue to devs and we will update parsing to the newest version 🙂
Much appreciated! Thank you!
CLB-DannyTheModeler
Have you tried running PA's AppGenie on the App?
We did, though the information obtained from it was quite limited.
GRIZZ
Anyone know what scenario would cause a physical SIM to give back 2 MSISDN numbers? @Cellebrite
Where the forensic tool has not described what the results returned from a SIM mean, always refer to the standards: GSM 11.11, ETSI TS 31.102 or 3GPP TS 31.102. The prime address source for MSISDN is found under DFTelecom 7F20:6F40 and, as the early GSM (11.11) standard describes, the EFMSISDN may contain "MSISDNs". The early day users of GSM/PCN SIMs could have more than one MSISDN (and this was particularly true for Orange customers), as the user may have had a "personal mobile number" and a "business mobile number". Can you confirm how many IMSIs are in EFIMSI (which can be done by selecting the MSISDN of relevance, which in turn should present the relevant IMSI for the MSISDN)? Within a USIM, as it contains a PhoneBook as well, the SIM OS uses ADFusim to keep track of numbering, and this can cause duplication in some USIMs' responses to external card reader commands to return EFMSISDN. The point made by CLB-Paul is also correct: it is quite possible for a user to overwrite numbers in EFMSISDN. You asked for reasons for two MSISDNs, but you didn't say whether they were identical or not? (edited)
Oxygen Forensics
Hello! I have forwarded the issue to devs and we will update parsing to the newest version 🙂
chrisforensic 7/6/2023 11:48 AM
Do you know when the next release will be online in the customer portal? 😋
forensics4fun 7/6/2023 5:19 PM
Hi, does anyone at Magnet or anyone else know what “SIM card activity” means? Does this mean that the user physically took the SIM card out? Or could it be that the device was placed in Airplane mode? I don’t have device logs to confirm the airplane mode. I am including the source of the artifact and the description. If anyone has any info on this, please reach out. Thank you so much.
Anyone aware of a means to execute an ADB command on a Huawei device within the device itself? The data line to the CPU is shorted, so the phone will charge but I cannot connect to 4PC, and ADB over WiFi/BT doesn't seem to want to work. PS: App lock is in place so I can't access anything other than settings. I've BT'd an APK disguised as a jpg and installed this, but need to run a command to allow app permissions. (edited)
Anyone from @Cellebrite around for an urgent question?
thatboy_leo 7/7/2023 6:12 AM
Have you guys ever had an internal drive disappear from Windows Explorer when using PA? I’m scared my drive is messing up: WD SN750 NVMe M.2 SSD. A reboot got it showing again, but so weird
@Cellebrite Anyone have time with a Biome research question?
Mistercatapulte 7/7/2023 7:41 AM
Hi guys, Anyone have a parser (not supported by PA, OXY or AXIOM) for Android Signal ver 6.21.3? Thx
Axen Cleaver 7/7/2023 10:49 AM
I have an SQLite conundrum and welcome any assistance. Android 13 OS. Found a Discord app database containing messages, but the content is embedded among the other metadata in a block of text under a single column. I don't know enough to know how to pull it cleanly and separate the content and metadata into separate columns.
forensics4fun
Hi, does anyone at Magnet or anyone else know what “SIM card activity” means? Does this mean that the user physically took the SIM card out? Or could it be that the device was placed in Airplane mode? I don’t have device logs to confirm the airplane mode. I am including the source of the artifact and the description. If anyone has any info on this, please reach out. Thank you so much.
Check the database cellularusage.db in a SQL viewer. It can show up to 3 rows of SIM card information. If you change the SIM card, a new row gets created with the information of the new second SIM. This also includes a timestamp. (edited)
Johnie
Update: it's Facebook calls, outgoing, and they are either missed or not answered.
CLB-DannyTheModeler 7/9/2023 1:43 AM
Not answered - the call was not established for whatever reason. Missed - the call rang and rang, but the recipient never answered, this is more specific than Not answered.
@Elcomsoft anyone available for DM ? (edited)
2:50 AM
I ran into some issues with the firewall (edited)
emilie_
@Elcomsoft anyone available for DM ? (edited)
Sure
Jeeper
Anyone aware of a means to execute an ADB command on a Huawei device within the device itself? The data line to the CPU is shorted, so the phone will charge but I cannot connect to 4PC, and ADB over WiFi/BT doesn't seem to want to work. PS: App lock is in place so I can't access anything other than settings. I've BT'd an APK disguised as a jpg and installed this, but need to run a command to allow app permissions. (edited)
If you've got access to a donor device for testing, check out https://github.com/tytydraco/ladb. You need to build the app yourself but you can also buy it from the Play Store if you want to avoid that hassle
5:51 AM
It's dependent on ADB over WiFi on the backend, so you may encounter the same issues you've been encountering so far
Anyone know how to get iPhone location data with just a logical extraction?
7:28 AM
(I have access to the unlocked device, but I can't do better than an advanced logical)
thatboy_leo
Have you guys ever had an internal drive disappear from Windows Explorer when using PA? I’m scared my drive is messing up: WD SN750 NVMe M.2 SSD. A reboot got it showing again, but so weird
Happened to me with a Dell laptop; I updated the BIOS and that stopped the problem
Do GrayKey extractions result in much reduced metadata present on images and video in iOS?
Does Apple Health consume mobile data? Anyone made any research around it?
12:00 AM
In the background without opening the app, just when it detects an activity
Morning all, not sure if this is the right thread, but hopefully it is...I've been exploring the use of MVT to scan and test devices and am getting a warning for the app "uk.co.myhermes.hermes". I'm presuming this is a false positive as Hermes is a UK-based delivery company and the app is installed, but can anyone advise just to be sure/advise how you would go about confirming either way? Thanks, Ben (edited)
Hi, I've got an FFS of an iPhone 13 mini (A2628) with iOS 16.3.1. I try to import it in MSAB XRY (10.6.0) but get an "0x80004005" error during the decoding stage (see screen below). Anyone know what can cause this error? I tried two times but always get this error. (edited)
Anyone familiar with the HideItPro application? Axiom did a great job finding the images inside the application, however I would like to show visually the application and the contents. I am thinking that to decrypt the images like Axiom did, they must have discovered the PIN set by the user to enter the program. Any chance anyone knows where I can view that PIN?
Ghosted
Anyone familiar with the HideItPro application? Axiom did a great job finding the images inside the application, however I would like to show visually the application and the contents. I am thinking that to decrypt the images like Axiom did, they must have discovered the PIN set by the user to enter the program. Any chance anyone knows where I can view that PIN?
Sounds like it's not really that encrypted. Is it Android or iOS?
@Rob android
6:59 AM
Looking more, it looks like the app was deleted; however, the files obviously are still there.
Ghosted
@Rob android
Would recommend looking at the Keystore if you have first, then the database files for it.
7:00 AM
You may find the password in plaintext
Hello all, I’m examining an Android Samsung phone, and Axiom and Cellebrite are only showing last modified times; created and accessed are set to the epoch. Can anyone point to a resource that explains why this is?
Avatar
Yeah, checked the Keystore. I'm guessing since the app was deleted, nothing was pulled from the keystore referencing the app.
Avatar
Maybe @Aero or @bang can help, but it doesn't sound like it's super encrypted, so the PIN must be in a file you have
7:01 AM
Or the salted hash etc.
Avatar
Yeah Axiom pulls the encrypted file as well as the unencrypted
Avatar
Hide photos, videos, music, apps, notes on your phone - Made in India
Avatar
Encrypted files found here: data\media\0\ProgramData\Android\Language.fr\Pictures\Swap\ The unencrypted cache files found here: data\data\com.hideitpro.chat\cache\
7:04 AM
Yes, that's it
Avatar
I'm seeing no mention of AES etc., so it looks like it's not encrypted and just hidden behind a user-set password
Avatar
Yeah, encrypted may have been a strong word.
Avatar
Hide It Pro App Forensics - Android Welcome to my first blog post. Following #DFIR on Twitter has convinced me it's about time I started ...
7:07 AM
com.hideitpro_preferences.xml looks like your file to go for
7:08 AM
If you have it, it looks like upon deletion this may also be deleted.
Avatar
Yeah, it's gone
👍 1
7:09 AM
So Axiom is probably just parsing the file header information, and that is how they are showing.
Avatar
Avatar
Ghosted
So Axiom is probably just parsing the file header information, and that is how they are showing.
@Ghosted DM'd you
Avatar
Hi all, I have an unmarked device, most likely a cheap Chinese knock-off - there are no markings, labels or model numbers, and the IMEI number points to an old Samsung Ace. Seems a bit dodgy seeing as the phone is said to be around 1 year old.
  • I'm trying to get any form of dump from it, but it has a software issue - "Unfortunately, System UI has stopped" with only an option to tap 'OK'. I can't enable dev options or do anything else.
  • The device is running a SPREADTRUM SC7731G chipset - any tools out there I can use to dump the eMMC before I go down the chip-off route? I'm not sure if it's encrypted. Some say this controller doesn't normally encrypt its contents, but I'm not too sure.
Avatar
Infinity, Pandora if it's not encrypted, Oxygen may work if it is encrypted
Avatar
If a device is rooted, is it normal to have no file system created date?
Avatar
@Cellebrite Hello, we have noticed that the application Session is not showing up as an artefact on Android devices even when PA has decrypted the database. Just wanna let you know that something is going wrong in that process. App version 1.16.9 (edited)
📬 1
Avatar
Avatar
Johnie
@Cellebrite Hello, we have noticed that the application Session is not showing up as an artefact on Android devices even when PA has decrypted the database. Just wanna let you know that something is going wrong in that process. App version 1.16.9 (edited)
CLB_iwhiffin 7/12/2023 4:25 AM
Hi Johnie, I'll look into it thank you.
👍 1
Avatar
nachito 4n6s 7/12/2023 5:57 AM
Hello, anyone from @Cellebrite around for a PA decoding question?
👍 1
Avatar
@Cellebrite is there anybody that can help with an iPhone SE 16.5 extraction question? Thank you.
📬 2
Avatar
I'm examining an iPhone 8 Plus running iOS 16.4.1 and going through the location data. One tool is reporting timestamps for location data derived from com.apple.routined/Cache.sqlite. Another tool is able to see the locations, but it's not reporting timestamps for them. How reliable would these timestamps be? Is there a way to verify the timestamp data?
Avatar
Hi all, I have just a general question around SMS messages to/from an iPhone running the latest iOS version. I have a case where an individual claims he did not send said SMS message, however a subpoena from Verizon shows otherwise. The individual still is claiming he did not send the message and is arguing to do a forensic examination of his phone to prove it. Talking with the attorney, I said that the source of truth is the Verizon log of SMS showing he sent them and doing a forensic examination of the phone would prove nothing. Further I stated that, and here is where I need folks on the forum here to weigh in, likely the user has already deleted the SMS message and, for current iOS versions at least, once deleted from the device, they are cleared out of the database on the phone. I did do a quick test on my own iPhone device and deleted an individual message and then a separate whole conversation. I backed up the device and then parsed the sms.db and do not see the deleted messages. Is this claim I am making, that any deleted SMSs from an iPhone device running the latest iOS are indeed removed from the device, accurate? (edited)
Avatar
Avatar
CyberTend
Hi all, I have just a general question around SMS messages to/from an iPhone running the latest iOS version. I have a case where an individual claims he did not send said SMS message, however a subpoena from Verizon shows otherwise. The individual still is claiming he did not send the message and is arguing to do a forensic examination of his phone to prove it. Talking with the attorney, I said that the source of truth is the Verizon log of SMS showing he sent them and doing a forensic examination of the phone would prove nothing. Further I stated that, and here is where I need folks on the forum here to weigh in, likely the user has already deleted the SMS message and, for current iOS versions at least, once deleted from the device, they are cleared out of the database on the phone. I did do a quick test on my own iPhone device and deleted an individual message and then a separate whole conversation. I backed up the device and then parsed the sms.db and do not see the deleted messages. Is this claim I am making, that any deleted SMSs from an iPhone device running the latest iOS are indeed removed from the device, accurate? (edited)
To be clear, you are talking about SMS (green) messages and not iMessages (blue) on iOS 16, correct?
Avatar
Avatar
FullTang
To be clear, you are talking about SMS (green) messages and not iMessages (blue) on iOS 16, correct?
Correct SMS messages on iOS 16
Avatar
Avatar
CyberTend
Correct SMS messages on iOS 16
Got it. I read your previous post a little closer and am understanding a bit better. You can still find evidence related to your case by examining the sms.db SQLite database, but it won’t be the content of the messages or the exact time they were sent. SQLite databases use a primary key, so you should see missing entries. You can use the timestamps of the previous and next entry to provide a time frame and number of deleted messages. Check your own sms.db to see what I am talking about and whether that would be something your attorney would be interested in.
Avatar
Avatar
Nilandia
I'm examining an iPhone 8 Plus running iOS 16.4.1 and going through the location data. One tool is reporting timestamps for location data derived from com.apple.routined/Cache.sqlite Another tool is able to see the locations, but it's not reporting timestamps for them. How reliable would these timestamps be? Is there a way to verify the timestamp data?
Cache.sqlite contains accurate GPS and timestamp data. There are a lot of blog posts to be found on the internet. Some tables are less reliable than others though.
Avatar
Avatar
Nilandia
I'm examining an iPhone 8 Plus running iOS 16.4.1 and going through the location data. One tool is reporting timestamps for location data derived from com.apple.routined/Cache.sqlite Another tool is able to see the locations, but it's not reporting timestamps for them. How reliable would these timestamps be? Is there a way to verify the timestamp data?
@CLB_iwhiffin has a few excellent blog posts on the subject, including one from last month https://www.doubleblak.com/blogPosts.php?id=28
4:42 AM
Has anyone done any analysis on Atomic Wallet for iOS? Specifically IndexedDB.sqlite3
Avatar
Does anyone have a good third-party application for re-organizing Cellebrite (Excel) extraction data, timeline visualizer, etc.?
Avatar
Hi everyone. I'm trying to figure out if documents stored in the following location will be accessible to the user through the PowerPoint application on an iPad Pro: /mobile/Containers/Data/Application/com.microsoft.Office.Powerpoint/Library/Application Support/DownloadSession/54BBC8DB-402D-4BDB-BC48-40E1C2B9464E.pptx This case involves an ex-employee who has company financial data on his personal iPad. I'm going to do some testing today, but was hoping someone else had some insight.
Avatar
Anyone else had a problem with Session in PA and Axiom? It doesn't decrypt any messages
9:13 AM
Manually I've decrypted it and looked into it in DB Browser; it's a lot of messages
Avatar
Avatar
Arlakossan
Anyone else had a problem with Session in PA and Axiom? It doesn't decrypt any messages
I asked this earlier yesterday as well, Cellebrite are looking into it. I'm guessing it's Session for Android?
Avatar
I'm looking at a FFS extraction of an Android device which has Signal 6.11.7 installed. UFED PA indicates that it's parsing it, but I don't see any results. The databases are already fully decrypted, and by looking at the SQLite database it should contain chats (edited)
3:16 AM
Are there any known issues?
Avatar
Avatar
Arlakossan
Anyone else had a problem with Session in PA and Axiom? It doesn't decrypt any messages
Can Axiom decrypt Session?
Avatar
Avatar
Ghosted
Anyone familiar with HideItPro application? Axiom did great job finding the images inside the application, however I would like to show visually the application and the contents. I am thinking to decrypt the images like Axiom did they must have discovered the PIN set by the user to enter the program. Any chance anyone knows where I can view that PIN?
spicy_caveman 7/14/2023 9:15 AM
Photo vault or hidden vault apps that are downloaded from the app store are usually not encrypted and the photos can be pulled out with a standard dump. To show the contents, group the file paths of that vault app to show what was hidden in comparison to the normal photo albums.
Avatar
Avatar
PhrostByte
Hi everyone. I'm trying to figure out if documents stored in the following location will be accessible to the user through the PowerPoint application on an iPad Pro: /mobile/Containers/Data/Application/com.microsoft.Office.Powerpoint/Library/Application Support/DownloadSession/54BBC8DB-402D-4BDB-BC48-40E1C2B9464E.pptx This case involves an ex-employee who has company financial data on his personal iPad. I'm going to do some testing today, but was hoping someone else had some insight.
spicy_caveman 7/14/2023 9:17 AM
David, I would say it is highly likely.
Avatar
I know this is probably a dumb question, but is there any way to confirm a photo was saved in the "hidden" folder from an iPhone in the Photos application? Is there a file path indicative that it was saved in the hidden section?
Avatar
Avatar
CIF
I know this is probably a dumb question, but is there any way to confirm a photo was saved in the "hidden" folder from an iPhone in the Photos application? Is there a file path indicative that it was saved in the hidden section?
iOS Photos.sqlite queries that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to...
Hello again! There has been a lot of discussion and curiosity about the recent news that iOS 16 will have an enhanced Hidden assets feature. According to the press releases, this feature will allow…
Avatar
Thanks Oscar, this was super helpful. Have you seen any commercial tool be able to parse photos.sqlite and pick out those attributes from a phone extraction?
Avatar
Avatar
CIF
Thanks Oscar, this was super helpful. Have you seen any commercial tool be able to parse photos.sqlite and pick out those attributes from a phone extraction?
I believe both Axiom and the latest PA 8/Ultra can show you if a photo is hidden, not sure if you can filter on it though
Avatar
Avatar
spicy_caveman
Photo vault or hidden vault apps that are downloaded from the app store are usually not encrypted and the photos can be pulled out with a standard dump. To show the contents, group the file paths of that vault app to show what was hidden in comparison to the normal photo albums.
A lot of them do encrypt the media though - I can name quite a few locker/vault apps available on the App Store/Play store that do encrypt their media.
👍 2
Avatar
Avatar
CIF
Thanks Oscar, this was super helpful. Have you seen any commercial tool be able to parse photos.sqlite and pick out those attributes from a phone extraction?
if you just filter on the word 'hidden' in the photos analysed section within PA, you will find them.
Avatar
Avatar
CIF
Thanks Oscar, this was super helpful. Have you seen any commercial tool be able to parse photos.sqlite and pick out those attributes from a phone extraction?
You can search for "hidden by user" in PA; this works for photos but videos too (edited)
Avatar
Avatar
CIF
Thanks Oscar, this was super helpful. Have you seen any commercial tool be able to parse photos.sqlite and pick out those attributes from a phone extraction?
Could try mift too. Might help: https://github.com/controlf/mift
mift - a mobile image forensic toolkit. Contribute to controlf/mift development by creating an account on GitHub.
Avatar
Avatar
CIF
Thanks Oscar, this was super helpful. Have you seen any commercial tool be able to parse photos.sqlite and pick out those attributes from a phone extraction?
we could code something for iLEAPP if you wanted that specifically
🔥 2
💯 1
Avatar
Avatar
Jackds
I'm looking at a FFS extraction of an Android device which has Signal 6.11.7 installed. UFED PA indicates that it's parsing it, but I don't see any results. The databases are already fully decrypted, and by looking at the SQLite database it should contain chats (edited)
Anyone from Cellebrite that is able to help with this?
Avatar
Avatar
Jackds
Anyone from Cellebrite that is able to help with this?
I've had multiple issues with PA not being able to decrypt/parse Signal and Session from Android in the last few weeks. I wrote a parser for Session last week that probably could work with Signal with minor modifications. DM if you should want to try it
Avatar
Hello. Looking for some clarification of the "PART" part of this filename: com.android.providers.telephony/app_parts/PART_1658955436158_IMG_3804.HEIC. All the EXIF data appears to be there, geolocations create date camera model etc. and I can see the entire image.
Avatar
Avatar
Oscar
I've had multiple issues with PA not being able to decrypt/parse Signal and Session from Android in the last few weeks. I wrote a parser for Session last week that probably could work with Signal with minor modifications. DM if you should want to try it
CLB_joshhickman1 7/17/2023 2:31 PM
There's been a(nother) change to Signal & Session. Upcoming release of PA 7.63 addresses both.
👍 1
Avatar
@Johnie correct. Sorry for the late answer. Had to decrypt the database and run SQLite queries while waiting for an update
Avatar
Avatar
CLB_joshhickman1
There's been a(nother) change to Signal & Session. Upcoming release of PA 7.63 addresses both.
Josh, any estimated time of release for 7.63?
👍 1
Avatar
Avatar
WhyMe?
Josh, any estimated time of release for 7.63?
CLB_joshhickman1 7/18/2023 7:37 AM
Goes to design partners tomorrow. Official release is looking like the end of this month.
👍 1
Avatar
Thanks Josh
👍 1
Avatar
Avatar
CLB_joshhickman1
Goes to design partners tomorrow. Official release is looking like the end of this month.
chrisforensic 7/18/2023 10:31 AM
Thanks for the info... do you know the release time for the next 4PC beta, too? (edited)
Avatar
I haven't tried PA Ultra in a while, has anyone been using this version on cases or anything beyond testing yet? Current shortcomings?
Avatar
I tested Ultra; it is in line with the latest PA7 without cloud features at the moment. Ultra is very fast compared to 7. Much better for opening and reopening cases. The latest release notes on the download portal detail a lot about where Ultra is up to. Certainly worth considering upgrading to very soon.
Avatar
Avatar
whee30
I haven't tried PA Ultra in a while, has anyone been using this version on cases or anything beyond testing yet? Current shortcomings?
thatboy_leo 7/18/2023 3:06 PM
It’s officially out of pre-release, 8.5 being the main release. I haven’t experienced an issue with my limited testing, but the simplicity of opening a case is saving me hours and days; I can’t go back
Avatar
That’s what I’m looking forward to, I was processing a case today, and can’t add additional devices to the case. Still figuring out the user interface, maybe it’s not there yet.
Avatar
Avatar
whee30
That’s what I’m looking forward to, I was processing a case today, and can’t add additional devices to the case. Still figuring out the user interface, maybe it’s not there yet.
chrisforensic 7/18/2023 9:44 PM
Hi, as far as I know, until now it's not possible to add additional devices (not even a SIM which was inserted in the phone) in PA 8.5 (edited)
Avatar
Avatar
whee30
I haven't tried PA Ultra in a while, has anyone been using this version on cases or anything beyond testing yet? Current shortcomings?
Biggest "miss" in ULTRA has to be the advanced search that is STILL not implemented and now moved to H2. That is a dealbreaker for us, and we therefor need to make these searches in other tools. Whats the point if you can only search in indexed artifacts 😦
👍 1
Avatar
Hi, does anyone know what the "frequency" value in the "dynamic.lm" dictionary of SwiftKey represents? It's part of the n-gram language model. Is the frequency the absolute usage of the word by a user?
Avatar
Has anyone had any luck in tying metadata such as sender and timestamps to Snapchat snaps that are stored in the com.snap.file_manager folders on iOS?
Avatar
@Dart As long as the message/row is still present in arroyo, I've had some success connecting the external key with the ID in local_message_references (edited)
Avatar
Avatar
whee30
That’s what I’m looking forward to, I was processing a case today, and can’t add additional devices to the case. Still figuring out the user interface, maybe it’s not there yet.
CLB-DannyTheModeler 7/19/2023 3:46 AM
If you want to add another extraction for the same device (SIM or other) you can do so by going to the Cases tab, clicking the 3 Dots on the specific case and clicking Edit Case. If this option is disabled, you probably have the case open, just close it and then the edit option will become enabled.
👍 1
Avatar
Avatar
Oscar
@Dart As long as the message/row is still present in arroyo, I've had some success connecting the external key with the ID in local_message_references (edited)
Great, thanks! It's already been deleted from arroyo unfortunately, so I don't think there is any luck there.
Avatar
Avatar
CLB-DannyTheModeler
If you want to add another extraction for the same device (SIM or other) you can do so by going to the Cases tab, clicking the 3 Dots on the specific case and clicking Edit Case. If this option is disabled, you probably have the case open, just close it and then the edit option will become enabled.
I tried that a few times and nothing happened, will try again today
8:40 AM
Almost certainly user error with the new interface
Avatar
Avatar
CLB_joshhickman1
Goes to design partners tomorrow. Official release is looking like the end of this month.
thatboy_leo 7/19/2023 12:42 PM
Shows on design partners page thanks Josh
Avatar
Avatar
4N6Matt
I tested Ultra; it is in line with the latest PA7 without cloud features at the moment. Ultra is very fast compared to 7. Much better for opening and reopening cases. The latest release notes on the download portal detail a lot about where Ultra is up to. Certainly worth considering upgrading to very soon.
Still lacking in Advanced Search capability, which should be a bread-and-butter feature. That's definitely lacking compared to standard PA. (edited)
Avatar
Hi all, does anyone have experience with decoding and analysis of mSpy or similar apps on Android phones?
Avatar
Avatar
BritishBulldog
@Magnet Forensics KnowledgeC Activity Level (iPhones) - Activity Type appears to be between 0 and 8
Hey, did you ever get the answer to this question? I'm looking at the same thing
Avatar
Avatar
JLindmar (83AR)
Would definitely like to know what everyone is finding in "Biome" and their approach for parsing. I'm noting embedded binary plists, that can contain a variety of information (e.g. messaging, web-history, email, etc.), within files found in /private/var/mobile/Library/Biome/streams/public/AppIntent/local and AppLaunch/local.
thatboy_leo 7/20/2023 9:35 AM
Curious if anyone can confirm whether these files are deleted when the device is placed in DFU mode
Avatar
Avatar
thatboy_leo
Curious if anyone can confirm whether these files are deleted when the device is placed in DFU mode
They're not.
👍 1
Avatar
Have you seen files in the Biome/.../AppIntent/local folder get deleted? I have an extraction with 17 files in there, and then another extraction a few days later with 1. Device was never manually unlocked. (edited)
Avatar
PlastikPistol 7/20/2023 11:33 AM
I asked this in the network channel but thought I'd ask here too: Bad guy breaks in to an area directly behind my house. We were able to make an arrest the next day and seized the bad guys phone (iOS.) The phone shows it connected to a BSSID that is exactly one digit different than one of the APs in my home (Unifi.) I'm certain it's the same but what's the explanation for the difference? i.e. The BSSID for the AP was E0:63:DA:7E:29:9B. The phone showed: E0:63:DA:7D:29:9B
Avatar
Avatar
Ellimist
Have you seen files in the Biome/.../AppIntent/local folder get deleted? I have an extraction with 17 files in there, and then another extraction a few days later with 1. Device was never manually unlocked. (edited)
thatboy_leo 7/20/2023 11:35 AM
I’ll DM
👍 1
Avatar
chrisforensic 7/20/2023 11:57 AM
Thanks @Cellebrite for beta PA 7.63... but when will beta 4PC 7.66 be available, so we can decode Private Photo Vault for Android?
Avatar
@Law Enforcement [UK] I have a device where WhatsApp chats have been deleted, albeit "scrambled messages" have been recovered. The last message at the bottom of the conversation says something along the lines of "System message: messages and calls are end to end encrypted, no one outside of this chat can read the messages". So my question is, is this system message an indicator of when a conversation has been deleted? Is the system message then sent providing the E2E keys for both parties within the conversation? (edited)
Avatar
Is there any way to do selective app parsing for GrayKey extractions in Physical Analyzer? @Cellebrite
Avatar
Avatar
CIF
Is there any way to do selective app parsing for GrayKey extractions in Physical Analyzer? @Cellebrite
CLB_4n6s_mc 7/20/2023 12:45 PM
The extraction must be made with Premium, sorry about that, because the selection happens during the extraction and not the decoding part @CIF (edited)
12:47 PM
So if GK supports it, it should work
Avatar
Avatar
chrisforensic
Thanks @Cellebrite for beta PA 7.63... but when will beta 4PC 7.66 be available, so we can decode Private Photo Vault for Android?
CLB_4n6s_mc 7/20/2023 12:49 PM
Hey @chrisforensic, be patient, it will come soon, but some tests need to be made. (edited)
👍 1
Avatar
Avatar
CLB_4n6s_mc
The extraction must be made with Premium, sorry about that, because the selection happens during the extraction and not the decoding part @CIF (edited)
Oh wait, I may've worded it badly. The option for selective app decoding doesn't populate when GK extractions are loaded
Avatar
Avatar
Dfdan
@Law Enforcement [UK] I have a device where WhatsApp chats have been deleted, albeit "scrambled messages" have been recovered. The last message at the bottom of the conversation says something along the lines of "System message: messages and calls are end to end encrypted, no one outside of this chat can read the messages". So my question is, is this system message an indicator of when a conversation has been deleted? Is the system message then sent providing the E2E keys for both parties within the conversation? (edited)
CLB_joshhickman1 7/20/2023 12:51 PM
This is a system message usually seen at the beginning of a conversation (1:1 or group). I wouldn't say it is necessarily indicative of a conversation being deleted. (edited)
Avatar
You're saying the only extractions that work are ones from Cellebrite for this feature in PA?
Avatar
Avatar
CIF
You're saying the only extractions that work are ones from Cellebrite for this feature in PA?
thatboy_leo 7/20/2023 1:02 PM
Maybe save as .ufd when loading the FFS in PA
Avatar
Avatar
CIF
Oh wait, I may've worded it badly. The option for selective app decoding doesn't populate when GK extractions are loaded
CLB_joshhickman1 7/20/2023 1:10 PM
Correct, the selective decoding option will be greyed out for GK extractions since it's not an option. (edited)
Avatar
Avatar
CLB_joshhickman1
Correct, the selective decoding option will be greyed out for GK extractions since it's not an option. (edited)
Ah gotcha, so it will never be an option for GK extractions? Only Premium?
Avatar
CLB_joshhickman1 7/20/2023 1:14 PM
Just Premium and UFED4PC.
Avatar
Noted - thank you
Avatar
Avatar
CIF
Is there any way to do selective app parsing for GrayKey extractions in Physical Analyzer? @Cellebrite
You can save a GK extraction as a .ufd file using the option in the bottom left corner after you add the extraction and keychain. If you reopen it as .ufd it should let you do selective decoding.
💯 1
3:00 PM
I did it earlier this year or late last year when I was having an issue with something in the Snapchat plugin causing PA to crash while processing my GK rip. I was able to do selective decoding and do everything except Snapchat and got it to open
Avatar
Avatar
Ellimist
Have you seen files in the Biome/.../AppIntent/local folder get deleted? I have an extraction with 17 files in there, and then another extraction a few days later with 1. Device was never manually unlocked. (edited)
I believe that system files such as those get deleted after their specified time (30 days for some) as long as the device is powered on in AFU state. Same with locations in cache.sqlite. We try to keep our phones with known passcode/BFU powered off until extraction for this reason. I have only experimented with this for cache.sqlite so someone correct me if this is not the case for Biome files (edited)
Avatar
Avatar
Oscar
I believe that system files such as those get deleted after their specified time (30 days for some) as long as the device is powered on in AFU state. Same with locations in cache.sqlite. We try to keep our phones with known passcode/BFU powered off until extraction for this reason. I have only experimented with this for cache.sqlite so someone correct me if this is not the case for Biome files (edited)
in my case it went BFU > BF for 2 months > extraction. Never spent any time in AFU state. So even if it's any powered-on state, what is happening between the first extraction and the second extraction to trigger the deletion of it? (edited)
Avatar
Hi all - have an OPPO A15 running Android 10 with an 'App Lock' and 'Private Safe' under privacy protection in settings section. 6 digit pin. Obtained FFS with CP. Anyone know whether this will have been extracted/decrypted and how I can get the pin from the dump? Thanks
Avatar
Avatar
NosyGecko
Hi all - have an OPPO A15 running Android 10 with an 'App Lock' and 'Private Safe' under privacy protection in settings section. 6 digit pin. Obtained FFS with CP. Anyone know whether this will have been extracted/decrypted and how I can get the pin from the dump? Thanks
Who performed the extraction? If BF was performed, you should have a separate folder containing a .ufd file with the password embedded, like "phone_model (001)", and the "phone_model (002)" folder is your FFS. If the extraction was performed thanks to AFU state, well, the phone password is still unknown (edited)
Avatar
Avatar
Bobby
Who performed the extraction? If BF was performed, you should have a separate folder containing a .ufd file with the password embedded, like "phone_model (001)", and the "phone_model (002)" folder is your FFS. If the extraction was performed thanks to AFU state, well, the phone password is still unknown (edited)
The phone was unlocked, so no BF required
Avatar
Avatar
NosyGecko
The phone was unlocked, so no BF required
Alright, that's another problem then. For Private Safe, you should have opened it before performing the FFS unless the content is encrypted. For App Lock, I don't know for Oppo, but generally it prevents manual access only, so the concerned "locked" app should have been extracted with the FFS (if the concerned locked app needs to be opened to retrieve the keystore, well, you need the PIN and another extraction 🙄)
Avatar
(Cellebrite, iPhone extraction) Can anyone explain ZLIVEUSAGE in the DataUsage.sqlite table and when/why logging occurs?
Avatar
Avatar
Solec
I did it earlier this year or late last year when I was having an issue with something in the Snapchat plugin causing PA to crash while processing my gk rip, was able to do selective and do everything except Snapchat and got it to open
thank you so much!!
Avatar
Avatar
trillian
Hey, did you ever get the answer to this question? I'm looking at the same thing
CLB_iwhiffin 7/21/2023 12:28 PM
From my own research, I found out very little. Value 0 seemed to mean the device was sleeping. Value 1 seemed to mean the device was awake. Value 8 seemed to mean locked, but processing in the background. I never found the answer to 4, 8, 16 or 17 and never saw the other numbers.
Avatar
Avatar
Ellimist
in my case it went BFU > BF for 2 months > extraction. Never spent any time in AFU state. So even if it's any powered-on state, what is happening between the first extraction and the second extraction to trigger the deletion of it? (edited)
ScottKjr3347 7/21/2023 1:17 PM
Comment removed to research. (edited)
Avatar
@ScottKjr3347 for iOS 16: it's easy to check if Biome and Cache.sqlite are in AFU. Except for the WAL, these files aren't in BFU. For locations, and to overcome the problem of updating data, it might be more relevant to work with the ZRTVISITMO table rather than ZRTCLLOCATIONMO, because there are entry and exit zones (even if they are of a questionable degree of precision)
💯 1
Avatar
Is it possible to get ”screen/device orientation” (landscape) via other options than FFS from an iPhone 12, iOS 15/16? Via Sysdiagnose? (Orientation seems to have been moved from KnowledgeC to Biome in iOS 16, or is it still in both?)
Avatar
Avatar
CLB_iwhiffin
From my own research, I found out very little. Value 0 seemed to mean the device was sleeping. Value 1 seemed to mean the device was awake. Value 8 seemed to mean locked, but processing in the background. I never found the answer to 4, 8, 16 or 17 and never saw the other numbers.
thank you!
Avatar
I'm looking at the timeline in a FFS of an iOS 15.3.1 device. During a period in which I suspect the device hasn't been actively used, there's an Apple Maps search artifact found in a database called MapsSync_0.0.1. Does anyone know if there's a way to tell if that particular search is synced from another device, and if so which one? (edited)
Avatar
Avatar
chrisforensic
Hello and good morning @Cellebrite, can someone please explain why PA wants to decode "WeChat", but WeChat is not installed on the mobile phone and was not acquired? Extraction: Redmi Note 9, just adv.log. and apk-downgrade... no WeChat... thanks for info 😉 (edited)
latscho_4n6 7/24/2023 3:07 AM
can someone tell me the answer to this problem?
Avatar
Avatar
latscho_4n6
can someone tell me the answer to this problem?
Because there is a folder or file in the filesystem called MicroMsg. If this is there, PA thinks WeChat is installed. You could check if this file is there; if so, then you found your answer. You can just ignore it if WeChat is not an installed application. Thanks to @chrisforensic for explaining this to me a while back.
Avatar
Avatar
florus
Because there is a folder or file in the filesystem called MicroMsg. If this is there, PA thinks WeChat is installed. You could check if this file is there; if so, then you found your answer. You can just ignore it if WeChat is not an installed application. Thanks to @chrisforensic for explaining this to me a while back.
latscho_4n6 7/24/2023 3:30 AM
Thanks for the quick reply. My evidence base definitely has WeChat installed on the device. Is there another option for this?
Avatar
Avatar
latscho_4n6
Thanks for the quick reply. My evidence base definitely has WeChat installed on the device. Is there another option for this?
I believe it'll need the IMEI?
Avatar
Currently looking at some files in com.android.tethering/netstats/ with magic bytes like "ANET", anyone know how to parse these? Linux says they are "GLS_BINARY_MSB_FIRST". Looking for info of when the device was connected to a network, already checked wificonfig.xml.
Avatar
Avatar
OggE
Currently looking at some files in com.android.tethering/netstats/ with magic bytes like "ANET", anyone know how to parse these? Linux says they are "GLS_BINARY_MSB_FIRST". Looking for info of when the device was connected to a network, already checked wificonfig.xml.
Avatar
Someone from @Cellebrite, help me with a question. I have some Android phones which I am working on; after I perform the extractions, it does not extract the conversations from the WhatsApp social network, it only brings me the calls from it.
📬 1
Avatar
facelessg00n 7/25/2023 4:51 AM
Added to this channel as well. I have a Python script (and a GUI) to extract contacts from the Cellebrite formatted excels into Flat CSV files for ingestion into other analytics tools. Recently squashed a fair few more bugs in it. https://github.com/facelessg00n/pythonForensics/tree/main/clbExtract
🙏 1
Avatar
Hello everyone, I have got an issue with Physical Analyzer 62.2.9 and Signal 6.27 on iOS locked with fingerprint. The database is decrypted by PA with the keychain, but the decrypted DB is still encrypted with what looks like an extra layer of encryption. Does anybody have a way to fully decrypt this DB? Thanks in advance!
Avatar
Avatar
Ish
Hello everyone, I have got an issue with Physical Analyzer 62.2.9 and Signal 6.27 on iOS locked with fingerprint. The database is decrypted by PA with the keychain, but the decrypted DB is still encrypted with what looks like an extra layer of encryption. Does anybody have a way to fully decrypt this DB? Thanks in advance!
Gizmononootje 7/26/2023 1:36 AM
It's a bug in PA; a new version will solve it. There is a workaround if it's urgent.
Avatar
Could you explain to me what the workaround is. In this case it's urgent.
Avatar
In case you haven't heard, there is an issue with Griffeye importing PNGs (most of the time from iPhones). There is a patch out to combat that issue and it came out yesterday.
2:50 AM
Problem version 23.2.1
2:51 AM
Patched version 23.2.3
Avatar
Avatar
Ish
Could you explain to me what the workaround is. In this case it's urgent.
Gizmononootje 7/26/2023 2:57 AM
The person who fixed it here is in a meeting now; I can ask him tomorrow and come back to you.
Avatar
Avatar
Ish
Could you explain to me what the workaround is. In this case it's urgent.
What about another tool? Like Oxygen or Axiom?
Avatar
Avatar
Bobby
What about another tool? Like Oxygen or Axiom?
Already tried. No luck
Avatar
Avatar
Gizmononootje
The person who fixed it here is in a meeting now; I can ask him tomorrow and come back to you.
Thanks, looking forward to it
Avatar
Avatar
Ish
Already tried. No luck
Hmm, do you have access to the Cellebrite beta version? I think the PA 7.63 beta solves this issue.
Avatar
Avatar
Zhaan
In case you haven't heard, there is an issue with Griffeye importing PNGs (most of the time from iPhones). There is a patch out to combat that issue and it came out yesterday.
Thanks:)
Avatar
Avatar
Bobby
Hmm, do you have access to the Cellebrite beta version? I think the PA 7.63 beta solves this issue.
Do you know how to become eligible for the beta versions?
Avatar
Avatar
Ish
Do you know how to become eligible for the beta versions?
You just have to request access, but the 7.63 beta has been available for days now, so the final release should be available soon. Maybe we can ask @Cellebrite to confirm.
Avatar
Alright thank you for the info so far 🙂
Avatar
Anyone from @Cellebrite available for a System.Drawing.Bitmap error when PA start?
📬 1
Avatar
Avatar
Bobby
You just have to request access, but the 7.63 beta has been available for days now, so the final release should be available soon. Maybe we can ask @Cellebrite to confirm.
CLB_joshhickman1 7/26/2023 9:40 AM
Correct. The public release of 7.63 is expected soon. It is currently available to design partners.
🤞 1
Avatar
Hey all, I'm looking for a CSAM video reportedly taken during a short time period on a suspect Android device. I have an FFS. I found a .mp4 file with a filename that fits the time frame. The source file starts with .pending and has a file size of 0. This file is found in the DCIM folder. Any ideas as to what this could be, or other ideas as to how to find evidence that this video was taken?
Avatar
Avatar
Ish
Thanks, looking forward to it
Gizmononootje 7/26/2023 11:10 PM
could you PM me?
Avatar
Avatar
Ish
Hello everyone, I have got an issue with Physical Analyzer 62.2.9 and Signal 6.27 on iOS locked with fingerprint. The database is decrypted by PA with the keychain, but the decrypted DB is still encrypted with what looks like an extra layer of encryption. Does anybody have a way to fully decrypt this DB? Thanks in advance!
facelessg00n 7/27/2023 1:06 AM
There is sometimes a signaldb.decrypted database next to it that isn't processed by PA, but you can pull it all out with SQL commands. Or has it failed on that one?
Avatar
Hi everyone, I have a video file of interest which originates from Snapchat - SCContent. The video file name ends with _PREFETCH. I am unsure what this means, but I can't get the video to play in UFED PA or using a different media player. Can anyone tell me about this file, and how to view it?
Avatar
Avatar
Alex Owen
Hi everyone, I have a video file of interest which originates from Snapchat - SCContent. The video file name ends with _PREFETCH. I am unsure what this means, but I can't get the video to play in UFED PA or using a different media player. Can anyone tell me about this file, and how to view it?
If I'm correct, the _prefetch is a cache / pre-loading part of Snapchat. I have no idea how to play it though. Might take a look at the file headers and footers of the file and ask @Amped Software if they recognize the format?
Avatar
Hello @Cellebrite, I'm currently extracting data from a Graykey Zip (iPhone 12) and I would like to know if it's normal that the progress bar has been stuck for 2 hours with the comment: "PP.Starting last stage for project : xxxx-xxx-xxxxx-xxx-xxxx (500000items)"?
📬 1
5:40 AM
Should I wait or abort? Thanks for any advice.
Avatar
Forensic@tor 7/27/2023 5:41 AM
@Herodote It is not uncommon if it is a large data set. I would wait. (edited)
Avatar
Avatar
florus
If I'm correct, the _prefetch is a cache / pre-loading part of Snapchat. I have no idea how to play it though. Might take a look at the file headers and footers of the file and ask @Amped Software if they recognize the format?
melissa_at_amped 7/27/2023 5:48 AM
We'd be happy to take a look! @Alex Owen I'll message you 🙂
Salute 1
Avatar
@melissa_at_amped thank you! I'll keep an eye out for your message 🙂
6:07 AM
@florus thank you for your reply, I can take a look into the headers and footers to see if there are any clues regarding the format.
Avatar
Anyone had success with sideloading a specific version of an iOS (ipa) app extracted from an FFS onto another iPhone for test purposes? (The App Store only has a way newer version.) The app crashes on launch, which seems to be a signing issue.
Avatar
Hello people! Got a logical extraction (File System) with UFED for an iPhone 13 Pro. Looking for artefacts of a deleted app, PhotoVault. Is it possible to know when the app was deleted?
Avatar
Avatar
Alex Owen
@florus thank you for your reply, I can take a look into the headers and footers to see if there are any clues regarding the format.
You must share a picture of the hex footers and headers with Amped. They are the true experts regarding video formats...
Avatar
@florus I'm currently in discussion with them, thanks 🙂
Salute 1
Avatar
I have 2x .db that sit in a OnePlus extraction which appear to be SMS/MMS, but Cellebrite hasn't/won't see them as such to auto-process into standard outputs. I'm looking for a resource to explain the process of using the query builder to process the messages and their respective metadata out of the .db's. Pointers? I know what I want, and all the pieces seem to be there, but any instance of a query I run won't produce the classic sender/receiver | timestamp | message body combo.
Avatar
anyone from @Cellebrite for dm?
📬 1
Avatar
Avatar
Gizmononootje
could you PM me?
@Gizmononootje i tried
Avatar
Avatar
Ish
@Gizmononootje i tried
Gizmononootje 7/28/2023 2:01 AM
Can't PM you, think it's your privacy settings.
Avatar
Yea same with yours
4:11 AM
Will change it
Avatar
Does anyone know the standard time metric for Cellebrite extractions before they are parsed? I am trying to convert this raw time from the Routine.bundle. Standard epoch time is not correct, I don't believe, as it gives me a date in 1992. Time: 710517055.600144 (edited)
12:00 PM
@Cellebrite
Avatar
Avatar
theshark
Does anyone know the standard time metric for Cellebrite extractions before they are parsed? I am trying to convert this raw time from the Routine.bundle. Standard epoch time is not correct, I don't believe, as it gives me a date in 1992. Time: 710517055.600144 (edited)
Mac absolute
12:10 PM
GMT: Saturday, July 8, 2023 1:50:55 PM Your time zone: Saturday, July 8, 2023 9:50:55 AM GMT-04:00
Avatar
Avatar
CLB-Paul
Mac absolute
Thank you!
Avatar
Anyone using @Oxygen Forensics MTK Physical extraction tool on FFS encrypted phones? I just did one and got the physical and it said it got the encryption key. However, I am having issues getting the data. Looking for some insight into what might be going on. Thanks
Avatar
Avatar
sholmes
Anyone using @Oxygen Forensics MTK Physical extraction tool on FFS encrypted phones? I just did one and got the physical and it said it got the encryption key. However, I am having issues getting the data. Looking for some insight into what might be going on. Thanks
Can you confirm model and SPL?
Avatar
xMobile SkyDevices X63 MTMT6739 Android 13 SPL 3/5/23
8:44 AM
The extraction was completed. It is the decryption part that might not be working. But I am not 100% sure.
8:47 AM
Oxygen states it gets the keys, listing it as successful.
8:49 AM
While it is importing the data, I get an error.
8:49 AM
Uninstalled and updated to new version. Same result
8:50 AM
Click OK and Oxygen states it was successful on import.
Avatar
OCR activated during the decoding process? We encountered the same popup error a few versions ago, and no error without OCR. About the physical extraction, you have to wait for the Oxygen guys. I would say Android 13 and SPL 05/2023 is a problem. In the meantime, maybe you can run OFD with logs activated and check the content in order to confirm what's going on.
👍 2
Avatar
Thanks for the reply! I appreciate your insight.
Avatar
@Cellebrite I need information: was it possible to BF an iPhone 7 Plus in 2019 by CAS (in general, not a specific iOS version)? (edited)
Avatar
Avatar
DEVNULL
@Cellebrite I need information: was it possible to BF an iPhone 7 Plus in 2019 by CAS (in general, not a specific iOS version)? (edited)
No BF included in UFED4PC
Avatar
@Bobby thanks
Avatar
Avatar
DEVNULL
@Bobby thanks
There is BF with CAS or Premium
Avatar
Avatar
DEVNULL
@Cellebrite I need information: was it possible to BF an iPhone 7 Plus in 2019 by CAS (in general, not a specific iOS version)? (edited)
CLB-dan.techcrime 7/30/2023 9:13 AM
Please open a support ticket and then DM me the number and I'll make sure you get the precise answer
cellebrite 1
Avatar
Avatar
CLB-dan.techcrime
Please open a support ticket and then DM me the number and I'll make sure you get the precise answer
Thanks, DM sent
Avatar
Avatar
CLB_4n6s_mc
Hey @chrisforensic, be patient, it will come soon, but some tests need to be made. (edited)
chrisforensic 7/30/2023 11:42 AM
Heyho and good evening from Austria @Cellebrite. Any news about the release date of the new beta 4PC?
11:43 AM
Avatar
Avatar
chrisforensic
Heyho and good evening from Austria @Cellebrite. Any news about the release date of the new beta 4PC?
Likely next week or the one after. So soon.
👍 1
Avatar
Avatar
sholmes
Oxygen states it gets the keys, listing it as successful.
Wouter#0195 7/30/2023 11:40 PM
I had this error before too and, instead of OCR, I believe the error was Facial Recognition related. Hence the file name of the error: fr.dll.
Avatar
Avatar
sholmes
While it is importing the data, I get an error.
Oxygen Forensics 7/30/2023 11:51 PM
Hello! I will DM you 🙂
👍 1
9:59 PM
10:00 PM
Just a timely reminder to be careful what you post on here and to report / remove suspicious members
💯 2
10:01 PM
Avatar
Avatar
facelessg00n
Just a timely reminder to be careful what you post on here and to report / remove suspicious members
Valid point, but lots of these artifacts are well known on the www, I presume. But good to keep sharp!
Avatar
Avatar
florus
Valid point, but lots of these artifacts are well known on the www, I presume. But good to keep sharp!
facelessg00n 7/31/2023 11:07 PM
Mostly well known to practitioners but not the wider community. There is quite a lot of talk about capabilities of various tools vs various phones etc
👌 1
Avatar
Morning, any friends from @Magnet Forensics able to DM me?
📬 1
Avatar
The notes application on an Honor device was not processed by Physical Analyzer. The data in the database exists and is visible. Do you know other applications that process this application? Thanks
Avatar
Avatar
manuelevlr
The notes application on an Honor device was not processed by Physical Analyzer. The data in the database exists and is visible. Do you know other applications that process this application? Thanks
PA SQLWizard to reconstruct the db
Avatar
Avatar
Bobby
PA SQLWizard to reconstruct the db
manuelevlr 8/1/2023 1:06 AM
I've never used it.
Avatar
Avatar
manuelevlr
I've never used it.
You can check the PA user manual or Cellebrite resources like https://cellebrite.com/en/live-demo-how-to-use-sqlite-wizard-to-investigate-databases/
Salute 1
Avatar
@Cellebrite someone around for a DM regarding a license error I'm getting?
📬 1
Avatar
Does anyone else find ADF terrible for mobiles? I'm trying to find one positive thing about it.
🤣 1
Avatar
In PA I am trying to make a report, but for some reason the device gets a red triangle with an exclamation point error next to the name in the left side bar, with no warning or log of what's wrong. Has anyone ever seen this? @Cellebrite
📬 1
11:07 AM
It is doing it for all my extractions and essentially I am unable to generate reports
Avatar
anyone know anything about the cloudkit_cache database in iOS?
Avatar
Avatar
snoop168
anyone know anything about the cloudkit_cache database in iOS?
JLindmar (83AR) 8/1/2023 11:39 AM
Avatar
ok thanks.
Avatar
Avatar
snoop168
ok thanks.
JLindmar (83AR) 8/1/2023 11:44 AM
I'm still working on Apple WebKit data, haven't had a chance to move on to CloudKit! Is there a particular source path or app you are looking at CloudKit data for?
Avatar
Found a filename of significance in there in relation to the app I'm already expecting it to be related to. Just trying to understand what other data is in there that can provide any more detail.
11:46 AM
I see there are manifests and snapshots. Assuming this is their way of tracking sync processes. Haven't looked too deep yet; was going to see if there was any existing research before I start from scratch.
Avatar
Avatar
theshark
In PA I am trying to make a report, but for some reason the device gets a red triangle with an exclamation point error next to the name in the left side bar, with no warning or log of what's wrong. Has anyone ever seen this? @Cellebrite
FIX: uninstall and reinstall cellebrite🤣
Avatar
Avatar
snoop168
I see there are manifests and snapshots. Assuming this is their way of tracking sync processes. Haven't looked too deep yet; was going to see if there was any existing research before I start from scratch.
JLindmar (83AR) 8/1/2023 1:57 PM
Not sure if related, but interesting at least: https://ciofecaforensics.com/2020/10/20/apple-notes-cloudkit-data/
Avatar
has anyone come across a db called local_location.db? Found in a Huawei P20 Lite / Android 9. The database has coordinates hashed. Apologies for the terrible picture (this is a test device)
Avatar
MrMacca (Allan Mc) 8/2/2023 2:50 AM
Is anyone else experiencing an issue with the latest Cellebrite PA, where the temp folder gets filled up with 2 DLL files titled xgboost and librocksdbjni? On 2 of our workstations the C:\windows\temp folder is being filled with constantly spawning new versions of these files. The issue goes away when uninstalling Cellebrite PA.
📬 2
Avatar
testermonkey 8/2/2023 3:42 AM
Morning all, is there an obvious location for the WhatsApp 2FA PIN for Android? I've got the chats extracted, but it would help for verification. (edited)
Avatar
spicy_caveman 8/2/2023 10:20 AM
Anyone @Cellebrite available for PM regarding a PA question- decoding an A2650 iPhone on 16.5.1 (edited)
📬 1
Avatar
Just a friendly reminder: review those _passwords.txt/_keychain.plist files from BFU extractions. Sometimes you get lucky... like when they reuse a passcode for something else that's unencrypted at BFU. Even from Apple. (edited)
👍 9
Avatar
Binary Cookies on an iPhone extraction. I have a job where there are cookies on an iPhone extraction and I am being asked whether they could have been created by an automatic process or whether they indicate user internet activity at the time of the cookie accessed date. I have nothing else to go off in terms of user activity (KnowledgeC etc.). Is anyone able to shed some light on the significance of the accessed date in relation to a binary cookie?
Andrew Rathbun pinned a message to this channel. 8/3/2023 3:47 AM
Avatar
Hi, I have a colleague looking at a chat.db file in @Oxygen Forensics. It's a standalone file and was imported through the Apple Filesystem Import folder process. The sqlite shows up fine, is there a way we can get Oxygen to parse this and get the messages out? (edited)
📬 2
oxygen 1
Avatar
Not really a question, but was having a conversation with @Cellebrite personnel at a meetup and I offered a feature request to have entropy testing / easier identification of encrypted files identified in a cell phone extraction while parsing it in PA. Would anyone else in the community benefit from this feature? Current analysis requires me to manually parse through documents/files in the file system and test if they are encrypted. If there was a section in PA that was something like "Encrypted Files", it'd make my life 10x easier. Wanted the community opinion as well.
💯 3
👍 3
Avatar
Is anyone able to tell me whether Cellebrite decodes the passwords which are saved on iOS devices and are accessible from within the phone's settings? If it doesn't (I can't see them), is there a way to get them without looking manually? Thanks in advance!
Avatar
Can someone help me understand why an account would have 3 ICCIDs attached to it?
8:14 AM
Also 4 Advertising ID (IDFA's)
Avatar
I have a Kyocera phone where the entire crime occurred via Kik message... how do I find these chats using Cellebrite?
Avatar
Avatar
AZHeat
I have a Kyocera phone where the entire crime occurred via Kik message... how do I find these chats using Cellebrite?
If not decoded, with PA you can try AppGenie or SQL Wizard to reconstruct Chats. Best will be to try another tool like Oxygen or Axiom
Avatar
Avatar
theshark
Can someone help me understand why an account would have 3 ICCIDs attached to it?
ICCID is not an account but related to the SIM, so 3 ICCIDs means 3 SIMs inserted into that phone.
Avatar
iOS and Android store the 3 most recent SIMs. Examining the related databases will show if others were present (based on ROWID).
11:39 AM
(SIMs as in ICCIDs)
Avatar
@Bobby @TheNomad 3 recent SIMs in that device, or historically attached to her? This phone should be out of the box pretty recently... all that was done is a mass backup.
Avatar
Avatar
theshark
@Bobby @TheNomad 3 recent SIMs in that device, or historically attached to her? This phone should be out of the box pretty recently... all that was done is a mass backup.
Please give us some more information. What are you seeing? What is the source (database/file) of these 3 ICCIDs? It's hard to give you a good answer without knowing the context 🙂 (edited)
Avatar
@florus I will have to get back to you with the source info as I just closed it for the day (I think cellular usage and one other). Thanks for trying to help; I was looking for a general understanding of when that occurs, but if it becomes more critical to the case I will be back in here asking questions. Thank you!
Salute 1
Avatar
Hi everyone, I've got a question for the @Cellebrite Premium users 🙂 Can someone suggest a good dictionary if the Cellebrite Premium dictionaries expire?
📬 2
Avatar
Avatar
BoaLysann
Hi everyone, I've got a question for the @Cellebrite Premium users 🙂 Can someone suggest a good dictionary if the Cellebrite Premium dictionaries expire?
I found a bunch on the internet, various hacker ones, Facebook, etc. Can't remember the source, but it was in the 1st page of hits. (edited)
Avatar
Avatar
BoaLysann
Hi everyone, I've got a question for the @Cellebrite Premium users 🙂 Can someone suggest a good dictionary if the Cellebrite Premium dictionaries expire?
Have a look on GitHub, there's a load there I just found, I will DM some (edited)
Avatar
Thanks a lot 😉 I will have a look.
Avatar
Avatar
BoaLysann
Hi everyone, I've got a question for the @Cellebrite Premium users 🙂 Can someone suggest a good dictionary if the Cellebrite Premium dictionaries expire?
You can check SecLists on GitHub... various wordlists for different purposes... especially pentesting... but you can find there some top 10,000 common passwords and so on... the problem is that they are based on the English language, not German.
Avatar
ForensicDev 8/7/2023 5:55 PM
Have a @Cellebrite Advanced Logical > File System from an iPad Pro (2nd. Gen) (iPadOS 16.6). After loading extraction into PA, the unread messages in "Instant Messages" have no body content. The source for them is the sms.db (table: message). What would be the reason why they are not containing any body? Is it because the content is not downloaded/present until the user actually reads the iMessage?
Avatar
Avatar
ForensicDev
Have a @Cellebrite Advanced Logical > File System from an iPad Pro (2nd. Gen) (iPadOS 16.6). After loading extraction into PA, the unread messages in "Instant Messages" have no body content. The source for them is the sms.db (table: message). What would be the reason why they are not containing any body? Is it because the content is not downloaded/present until the user actually reads the iMessage?
Can you send me a DM? Seems off.
Avatar
I have a Samsung Browser Internet Cookies question from a Physical Analyzer Qualcomm Live full file system extraction from a Samsung N950U. The attached snippet is from the extraction. Can I say forensically the user of the phone visited the website on 3/6/2020 and 3/8/2020? The extraction did not pull Samsung Browser Internet history that went back as far as the Cookie files in question. I have looked up the Cookie names (_ga, _atavc, _pk...) but can't replicate them on my test device. Any help would be greatly appreciated. Thank you. (edited)
Avatar
Hi all, I wanted to see if anyone else has been using PA Ultra over PA 7.X . I have been using it for a few weeks now but I am not sure if this is really better than regular PA or not and if anyone had some insight. Thanks!
Avatar
Hi! I have an iPhone with iOS 16.2. Have they moved power off events from logd.0.log? The log only contains error messages, "unable to get path for 4942".
Avatar
chrisforensic 8/9/2023 4:33 AM
Hello @Cellebrite ... is it known that the latest PA (7 and 8) has trouble decoding the newer version of Telegram (Android)? Have an FFS with Telegram 9.7.5 ... it's really a mess 😫
📬 1
Avatar
Anyone know if someone logs out of a Kik account is the Kik.sqlite cleared?
7:20 AM
Working off an Advanced Logical
7:20 AM
Kik still installed, I have known PIN, but no active account logged in so can't verify.
Avatar
Avatar
FEJelinek
Hi all, I wanted to see if anyone else has been using PA Ultra over PA 7.X . I have been using it for a few weeks now but I am not sure if this is really better than regular PA or not and if anyone had some insight. Thanks!
The decode-once feature and how much quicker it is to open things is much more noticeable and better. We have seen great improvements in the performance during testing. We are waiting for the next big release of a few more features before we fully migrate our entire lab over to it.
👍 1
Avatar
Avatar
chrisforensic
Hello @Cellebrite ... is it known that the latest PA (7 and 8) has trouble decoding the newer version of Telegram (Android)? Have an FFS with Telegram 9.7.5 ... it's really a mess 😫
Have you looked at the supported apps document? I had a similar problem in the past.
Avatar
Avatar
tost
Have you looked at the supported apps document? I had a similar problem in the past.
chrisforensic 8/9/2023 9:06 AM
Yes, this version seems to be not supported... made a ticket with Cellebrite support.
Avatar
DeepDiveForensics 8/9/2023 1:04 PM
@Oxygen Support APAC @Oxygen Forensics How to identify the service messages like "left the group" within the SQLite database from an iOS backup? (edited)
Avatar
@MSAB_Sofia do we have a webinar or like for XRY reporting?
Avatar
Avatar
DeepDiveForensics
@Oxygen Support APAC @Oxygen Forensics How to identify the service messages like "left the group" within the SQLite database from an iOS backup? (edited)
Oxygen Forensics 8/10/2023 12:32 AM
Hello! This will depend on the application in question. WhatsApp will have a tag "Service" on service messages like this (as for the database, they will have different ZMESSAGETYPE, ZGROUPEVENTTYPE), something like Teams will have a text of the message and then the type, like "locationsharing" (also ZMESSAGETYPE), for Telegram we will show system messages in the System message column and we will list from which parts of the db we have taken the data from as it is fragmented in the DB. In general, if an application shows server messages as parts of chats, then it will be saved to the database and shown on parsing. Everything else will depend on what and how is saved, what info we have to work with 🙂 If you have specific application in mind or you encountered an issue somewhere along the line, please DM me.
Avatar
I have some questions regarding the CurrentPowerlog.PLSQL (iPhone) database. I am reviewing these 3 tables: PLBATTERYAGENT_EVENTBACKWARD_BATTERYUI, PLBATTERYAGENT_EVENTBACKWARD_BATTERY and PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET. The first one is quite straightforward; the second and third are those used by Axiom. However, I am manually checking these tables because the timestamps in tables 1 and 2 have a few seconds/minutes difference. My questions are: 1) why does Axiom base its findings on tables 2 and 3? 2) does anyone use any of these tables as the most accurate, or any other table instead? Also, the IDs from the tables don't really match between these tables, or am I the problem? (edited)
📬 2
Avatar
Avatar
FEJelinek
Hi all, I wanted to see if anyone else has been using PA Ultra over PA 7.X . I have been using it for a few weeks now but I am not sure if this is really better than regular PA or not and if anyone had some insight. Thanks!
There is an interesting situation with PA versions in general. Some time ago I did some tests based on the same FFS from a Xiaomi phone. The tested versions are: PA_7.61.0.12, PA_7.62.0.59, PA_8.4.0.1.1036. The best results (most data, especially from communicators) were given by version PA_7.61.0.12 (see the attachments). It's strange that higher versions were not able to decode what version 7.61 did 🙂
3:42 AM
Avatar
I think there was an issue with the 7.62.0.59 release which got updated a few days after release. That might show what it was 😅 (edited)
Avatar
Avatar
Mr M
There is an interesting situation with PA versions in general. Some time ago I did some tests based on the same FFS from a Xiaomi phone. The tested versions are: PA_7.61.0.12, PA_7.62.0.59, PA_8.4.0.1.1036. The best results (most data, especially from communicators) were given by version PA_7.61.0.12 (see the attachments). It's strange that higher versions were not able to decode what version 7.61 did 🙂
Oh wow, that is good to know. Thank you for sharing this. The only reason we got 8.5 was due to PA report generation giving errors with multiple devices. Ever since moving to 8.5 I have not received this error message. My concern is exactly that though; I am worried it is not up to par and getting the best results.
Avatar
Does anyone know where the deviceid field in the knowledgeC comes from? I have 2 device IDs where the first 24 characters match and the last 8 are different. I believe these are the same device, but I'm not sure why I'm seeing two deviceIds.
📬 2
Avatar
Hey, where are the played voice message timestamps stored in WhatsApp Android? In msgstore.db > receipts? (edited)
Avatar
Hi all. I'm working with someone looking to try and recover some information on a Telegram live stream the device was used to view. They have a full file system extraction of a Google Pixel 6a on Android 13. They know the date/time of the viewing from other means but nothing is immediately visible on the extraction report. Does anyone know if something could be done to recover any of the data for this viewing? Thanks in advance for your support
📬 2
Avatar
Is there someone in here who has figured out all the type "IDs" in a decrypted signal.db extracted from an Android device? I have tried to recreate as much traffic as possible to match the type that I'm looking for, but so far I've not stumbled upon anything near the type that I need. In/outgoing messages are 10485783/10485780, for example. The one ID that I need to figure out is 2097684. Its presence looks like an empty received message.
Avatar
Avatar
Oracle
Is there someone in here who has figured out all the type "IDs" in a decrypted signal.db extracted from an Android device? I have tried to recreate as much traffic as possible to match the type that I'm looking for, but so far I've not stumbled upon anything near the type that I need. In/outgoing messages are 10485783/10485780, for example. The one ID that I need to figure out is 2097684. Its presence looks like an empty received message.
forensicmike @Magnet 8/14/2023 6:35 AM
Hello, these numbers use a multi-mask binary storage scheme described by Signal themselves in the comments of the linked file, along with the current definitions needed to parse the value. It appears that BASE_TYPE, which occupies 5 bits according to the diagram, is probably most of the answer you're looking for. https://github.com/signalapp/Signal-Android/blob/main/app/src/main/java/org/thoughtcrime/securesms/database/MessageTypes.java
Avatar
Looking at an iOS filesystem dump of an iPhone XR running 15.5. Is there any way to see logs of a self-disappearing photo or video sent to or received from someone? Only run through Physical Analyzer right now; waiting on Axiom results. Right now it just looks like there's a big gap in the conversation where photos were sent. Found some in Library\Application Support\Instagram\PostCreation, but not everything and nothing that was received.
Avatar
AugustBurnsBlue 8/14/2023 8:45 PM
Anyone having issues with @Magnet Forensics Apple Warrant Return Tool lately? I've received 2 warrant returns this month - both now give me an error with the tool. It worked flawlessly before August; I suspect Apple may have changed something. (edited)
📬 1
Avatar
My iOS phone generates some traffic on the network, and I would like to identify for selected traffic which app(s) are generating it. On an end-user device that's not possible (?). So I am looking for a service (possibly from some research project) that is continually (or on demand) running iOS apps in a sandbox and generates behavior reports for free (which could show what IPs/domains the app connects to). I have only found that Joe Sandbox did this, but they don't seem to offer it any more? Are any other such cloud services known? (Or if it is possible in something self-hosted, pointers are also welcome (Cuckoo Sandbox?).)
securityonion 8/15/2023 4:07 AM
@d3ck3rt use any sort of mitm with a cert? would be possible with burpsuite for example
securityonion
@d3ck3rt use any sort of mitm with a cert? would be possible with burpsuite for example
that wouldn't give me the name of the app? only the port, which I can see now anyway. I have also tried Proxyman. only port...
4:29 AM
Or is there an iOS app that tells me which apps send from which ports (like lsof)?
4:31 AM
the problem is not that I want to know the traffic for a known app. I want to know which app is generating some known traffic.... it is the other direction.
Has someone already tried to decrypt a .safebox folder from an Android dump of the disk?
This one looks promising: tcpdump -P on iOS gives the sending App, too (the TLS key extraction is not the point), using tcpdump like this shouldn't need a jailbreak https://andydavies.me/blog/2019/12/12/capturing-and-decrypting-https-traffic-from-ios-apps/ (edited)
iOS already supports capturing network traffic… here's how to use Frida to capture TLS keys so traffic can be decrypted too
¥SavKenpachi¥ 8/15/2023 12:33 PM
This was probably covered. But what database on an iPhone extraction shows that a certain AirTag was connected to the phone? I only was able to grab an advanced logical
¥SavKenpachi¥
This was probably covered. But what database on an iPhone extraction shows that a certain AirTag was connected to the phone? I only was able to grab an advanced logical
might be com.apple.icloud.searchpartyd & com.apple.locationd.Position that may be helpful
8:22 PM
This is the accompanying blogpost to the Magnet User Summit 2022 talk: [Air]Tag You're It! Bluetooth Low Energy and You First, a primer on ...
Hi, anyone from @Cellebrite able to answer a question about MAC address randomisation? Specifically if there is any way of being able to determine what MAC address was in use by a phone at any given time from within a UFED data extraction? Thanks in advance.
Adam Cervellone 8/16/2023 6:06 AM
@Cellebrite I'm using the new PA Ultra 8.5.x and had a quick question. Is it possible to add multiple devices per case?
Adam Cervellone
@Cellebrite I'm using the new PA Ultra 8.5.x and had a quick question. Is it possible to add multiple devices per case?
Not yet, pending.
Speaking of PA 8 is there an option to select/deselect all evidence in a case? I often find myself wanting to select all evidence to create an overall report and then deselecting it all and selecting specific parts to create sub reporting on those.
any hashcat expert who knows how to make a mask that can fit a phone number? so far I have something like that: ?d?d?d?d?d?d?d?d?d?d but it's not really efficient
8:05 AM
ideally, I'd like something like that:
    ^
    (?:(?:\+|00)33|0)      # Dialing code
    \s*[1-9]               # First number (from 1 to 9)
    (?:[\s.-]*\d{2}){4}    # End of the phone number
    $
8:05 AM
but I don't know how to do that
thank you very much
thatboy_leo 8/17/2023 12:53 PM
Is there any way to confirm if the message retention on iOS was changed recently?
emilie_
any hashcat expert who knows how to make a mask that can fit a phone number? so far I have something like that: ?d?d?d?d?d?d?d?d?d?d but it's not really efficient
I assume this got answered but if you need more help feel free to ping me
thatboy_leo
Is there any way to confirm if the message retention on iOS was changed recently?
I don't think you would have an updated time for the com.apple.mobileSMS.plist file. I'd say it likely updates the time of the file but there are too many entries in there to narrow which one was actually changed.
CLB-Paul
I don't think you would have an updated time for the com.apple.mobileSMS.plist file. I'd say it likely updates the time of the file but there are too many entries in there to narrow which one was actually changed.
thatboy_leo 8/18/2023 8:47 AM
Right on @CLB-Paul didn’t see any explicit time stamp to relate to it there, I’m hoping I can work on a test device, curious if I was to change retention from forever to 30 days, would any texts on iOS 16.6 go to recently deleted
NoFu
does anyone know the password to open a oxygen extraction? I want to unzip the .ocb
Bill (VeriFi) 8/19/2023 9:15 AM
Did you ever find the password?
Bill (VeriFi) 8/19/2023 9:35 AM
@Oxygen Forensics I was given an .OCB file. I can't unzip it because it is password protected. The other agency doesn't know the password and didn't even know it was password protected. I'm assuming it's protected by Oxygen. Is there a way to import this cloud backup into Physical Analyzer?
Bill (VeriFi)
@Oxygen Forensics I was given an .OCB file. I can't unzip it because it is password protected. The other agency doesn't know the password and didn't even know it was password protected. I'm assuming it's protected by Oxygen. Is there a way to import this cloud backup into Physical Analyzer?
Password protected by Oxygen
9:51 AM
You need Oxygen to open it
Bobby
Password protected by Oxygen
Bill (VeriFi) 8/19/2023 10:42 AM
Gotcha
Bill (VeriFi)
@Oxygen Forensics I was given an .OCB file. I can't unzip it because it is password protected. The other agency doesn't know the password and didn't even know it was password protected. I'm assuming it's protected by Oxygen. Is there a way to import this cloud backup into Physical Analyzer?
Sadly not... but didn't try to bruteforce or so 🙂 But in my opinion it is a bit weird that it is password protected...
NoFu
Sadly not... but didn't try to bruteforce or so 🙂 But in my opinion it is a bit weird that it is password protected...
Like some evidence file container it's password protected/encrypted, nothing weird. Just open it then you will be able to export content
Bobby
Like some evidence file container it's password protected/encrypted, nothing weird. Just open it then you will be able to export content
Yeah I know, just had a particular case back then when I didn't have access to Oxygen and got an Oxygen extraction from another agency, so it was a bit annoying; that's what I wanted to say
Hi folks, anyone aware of a tool that can parse the REVOLUT sqlite database? We tried with Cellebrite, Axiom and Oxygen without any success.
goofycom
Hi folks, anyone aware of a tool that can parse the REVOLUT sqlite database? We tried with Cellebrite, Axiom and Oxygen without any success.
Hi, you can check this link https://www.adfsolutions.com/news/investigate-revolut-financial-transactions it doesn't explain how but it presents a tool which does transactions on the iOS Revolut app (sorry if it is useless 😬 )
Hi all.. quick Android question. The folder "mnt/pass_through/": is it correct that this folder is only available when the device is rooted and you want to have access to the /data/ folder? So it's a kind of mirror of the data folder? If anyone could explain it.... Also, the files in the pass_through folder... are they duplicates of files in the "Data" folder? Thanks in advance
Hello, does anyone have a parser for the likee and/or zangi messenger app? Perhaps anyone knows how to export chats and more. (edited)
Someone from @Cellebrite available regarding a PA python shell question?
Good morning! We are working on an iPhone extraction and curious if anyone with @Cellebrite was available to chat about locations.
Forgedmom
Good morning! We are working on an iPhone extraction and curious if anyone with @Cellebrite was available to chat about locations.
Hi! Thank you, yes - I have seen it. We are just trying to narrow down some specifics that we can't find there.
Forgedmom
Good morning! We are working on an iPhone extraction and curious if anyone with @Cellebrite was available to chat about locations.
You can also email us the specific questions. Locations@cellebrite.com
CLB-Paul
You can also email us the specific questions. Locations@cellebrite.com
You rock! I’ll send an email over tomorrow! Thank you.
does anyone use a database viewer with a built-in search function to search the entire database? Like Oxygen's SQLite viewer?
K8pl3r
Hi, you can check this link https://www.adfsolutions.com/news/investigate-revolut-financial-transactions it doesn't explain how but it presents a tool which does transactions on the iOS Revolut app (sorry if it is useless 😬 )
Cool - will check it out. Thanks!
j_matas
does anyone use a database viewer with a built-in search function to search the entire database? Like Oxygen's SQLite viewer?
RabbitHole
3:13 AM
Does anyone know where I can find how an iOS device was unlocked? E.g. was a PIN entered or did they use a thumbprint etc
3:13 AM
Ios 15.7.1
Nanotech Norseman 8/22/2023 7:13 AM
Anyone from @Cellebrite able to help with a quick technical question?
MrMacca (Allan Mc) 8/22/2023 7:22 AM
I am also in need of someone from @Cellebrite to speak to regarding UFED PA potentially not decoding all messages of Whatsapp.
Is there any artifact on android 10 that can suggest when airplane mode has been activated?
Morning all, looking for some advice with android, I am looking at the /data/system/wifigeofence.db I see that Cellebrite has listed this as an unreliable source, I figure it's because of the "geofence" part of it. I'm looking at the actual db and I don't see a radius defined so I assume there must be a default value that google uses, anyone have any ideas on what this might be or have done any testing with this particular db
Hi. Anyone please can tell me what's the name and location of wickr database on iOS?
FabianoQ
Hi. Anyone please can tell me what's the name and location of wickr database on iOS?
You need to find what's the app's guid first and then you'll find wickr data under these 2 paths: /private/var/mobile/Containers/Data/Application/<APP_GUID> and /private/var/mobile/Containers/Shared/AppGroup/<APP_GUID>
trillian
You need to find what's the app's guid first and then you'll find wickr data under these 2 paths: /private/var/mobile/Containers/Data/Application/<APP_GUID> and /private/var/mobile/Containers/Shared/AppGroup/<APP_GUID>
Thanks
earlier this year I talked to @CLB_iwhiffin regarding the consolidated.db. I had some questions regarding the FindMyDevice.framework, and although we got around it a bit, I still have a few unanswered questions. Does anyone here have the time to help me analyze the consolidated.db and especially the geofences table? We have a location which is pretty interesting to the case, but we can't figure out what the coordinate means and where it comes from.
chms17
RabbitHole
thanks, will take a look at it 🙂
Hi everyone, I've just discovered this presentation about sysdiagnose and it could be very useful. https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Durvaux-Using-Apple-Sysdiagnose-for-Forensics-and-Integrity-Check.pdf
7:01 AM
Forensic toolkit for iOS sysdiagnose feature. Contribute to EC-DIGIT-CSIRC/sysdiagnose development by creating an account on GitHub.
7:01 AM
here is the script related to it
Has anyone ever had problems with Oxygen exports not properly labelling CDRs with the "From:" and "To:" columns? E.g. It marks the phone owner's outgoing call as "To: owner #"
3:56 PM
This is timeline view that's giving the trouble
3:57 PM
It more or less marks all calls as "From: owner #"
chms17
Does anyone know where I can find how an iOS device was unlocked? E.g. was a PIN entered or did they use a thumbprint etc
I’m also interested in this, did you find out if this is stored anywhere? Maybe @Cellebrite know?
Good morning all. I'm looking for evidence of use of FindMy on an iPhone 12 Pro Max OS 16.4.1 (20E252). I have an instant AFU of this device. I'm going through the Knowledge C databases and nothing is jumping out at me. I'm specifically looking to see if the user used FindMy to locate an "Apple Family" member or someone who shares their location with the user via FindMy. Any help is greatly appreciated.
working on a case where I think based on searches and large amount of other people's photos that my suspect was logging into other people's snapchat accounts to access their content. I have an AFU download of an iPhone. I have found the snapchat user.plist which shows my suspect's main account information. I have a com.snap.filemanager_3_SCContent<userID> folder consistent with my suspect's user ID found in the user.plist which contains their media... selfies etc. I also have five additional directories populated by other people's information. I'm looking for a log or plist somewhere that shows what user accounts were logged into and when.
8:20 AM
to avoid reinventing the wheel, is anyone aware of such a log?
8:21 AM
I need to identify the victims if they are indeed victims, I can do that with a subpoena. I'm just looking for local information to confirm or deny the activity.
whee30
working on a case where I think based on searches and large amount of other people's photos that my suspect was logging into other people's snapchat accounts to access their content. I have an AFU download of an iPhone. I have found the snapchat user.plist which shows my suspect's main account information. I have a com.snap.filemanager_3_SCContent<userID> folder consistent with my suspect's user ID found in the user.plist which contains their media... selfies etc. I also have five additional directories populated by other people's information. I'm looking for a log or plist somewhere that shows what user accounts were logged into and when.
group.snapchat.picaboo.plist or app_group_plist_storage (depending on Snapchat version) should contain keys like <userID>_appLastUsedTimestamp with timestamps for when each user was last logged in (edited)
fantastic. I've been clicking through the files but hadn't found that yet. I'll go check now
I think I clicked too many things and made PA angry... I'll update in a few hours when it loads back up!
JSB
I’m also interested in this, did you find out if this is stored anywhere? Maybe @Cellebrite know?
@chms17 have you looked at unified logs?
Dam
Hi everyone, I've just discovered this presentation about sysdiagnose and it could be very useful. https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Durvaux-Using-Apple-Sysdiagnose-for-Forensics-and-Integrity-Check.pdf
Heimdall4N6K 8/24/2023 11:57 PM
look at this hexordia tool: https://youtu.be/SvPFA-jmuX0
Heimdall4N6K
look at this hexordia tool: https://youtu.be/SvPFA-jmuX0
Already use it 😇
Heimdall4N6K
look at this hexordia tool: https://youtu.be/SvPFA-jmuX0
Sorry, it's not the one I thought. I used another one from hexordia for sysdiagnose. Just download this one. Looks great.
Heimdall4N6K 8/25/2023 2:01 AM
yes new tool
Peacekeeper 8/25/2023 2:36 AM
Anyone who knows if/where I could find a log on an iPhone if/when the flashlight was turned on or off? Timeframe of interest is approximately five days before the extraction. We have a FFS dump and the device is still available as well if need be. Thanks for any insights!
CLB-Paul
@chms17 have you looked at unified logs?
That was my next port of call!
Does anyone here have a good explanation on how or why snapchat is included in BFU extractions?
Pacman
Does anyone here have a good explanation on how or why snapchat is included in BFU extractions?
Not really an explanation but it’s always recent files I find in BFU’s. As an example, I had a video of a crime filmed that day found in a BFU extraction from Snapchat. (No idea why the phone was turned off🙄)
chms17
Does anyone know where I can find how an iOS device was unlocked? E.g. was a PIN entered or did they use a thumbprint etc
You can also find some info in the sysdiagnose regarding this information.
Peacekeeper
Anyone who knows if/where I could find a log on an iPhone if/when the flashlight was turned on or off? Timeframe of interest is approximately five days before the extraction. We have a FFS dump and the device is still available as well if need be. Thanks for any insights!
Gizmononootje 8/25/2023 4:29 AM
might try the VAR db
Pacman
Does anyone here have a good explanation on how or why snapchat is included in BFU extractions?
I believe it has something to do with the levels of security on the iphone. Only certain keys are loaded when an iPhone first powers on in a BFU state, the majority of the keys get loaded after it unlocks the first time and becomes AFU. For whatever reason, either intentionally or unintentionally, the Snapchat devs have the keys to be available in a BFU state which is why that data is available.
Peacekeeper
Anyone who knows if/where I could find a log on an iPhone if/when the flashlight was turned on or off? Timeframe of interest is approximately five days before the extraction. We have a FFS dump and the device is still available as well if need be. Thanks for any insights!
I had this information in the knowledgeC/BIOME data. You can try these files.
Solec
I believe it has something to do with the levels of security on the iphone. Only certain keys are loaded when an iPhone first powers on in a BFU state, the majority of the keys get loaded after it unlocks the first time and becomes AFU. For whatever reason, either intentionally or unintentionally, the Snapchat devs have the keys to be available in a BFU state which is why that data is available.
I agree. One reason why they may have decided to not encrypt that data is because it allows for a smoother user experience. By not encrypting everything that is normally encrypted by other apps Snapchat runs faster? That's one theory anyway.
FullTang
I agree. One reason why they may have decided to not encrypt that data is because it allows for a smoother user experience. By not encrypting everything that is normally encrypted by other apps Snapchat runs faster? That's one theory anyway.
I always kind of speculated it might allow for more notifications options in a BFU state as well (but have never done any testing to support that theory whatsoever 😅)
Dam
You can also find some info in the sysdiagnose regarding this information.
I could not find it in that anywhere! Maybe I was missing something
cupofteaandabiscuit 8/25/2023 5:26 AM
Can anyone offer me an insight into localappstate.db and in particular the tab “install_request_timestamp_ms” I am looking to see if a particular app was used after a certain date and my extraction only displays the original installation date. I think the app has been deleted, reinstalled and deleted again and the “instal request timestamp” is the most recent download but looking to confirm. Anyone @Cellebrite able to confirm?
Dam
I had this information in the knowledgeC/BIOME data. You can try these files.
Peacekeeper 8/25/2023 6:33 AM
No joy on the KnowledgeC, but I am looking for the correct biome file(s) that might contain this info. Thanks so far!
@Oxygen Forensics Please send me a DM. I have a question. (edited)
Hey has anyone successfully decrypted a WhatsApp database that was found on a Google SW return? If so what were the steps you took
James Pedersen 8/25/2023 1:44 PM
Hi, can someone please confirm that the Apple recovery partition's OS for macOS 10.13+ does not perform TRIM or the iSCSI analog of TRIM? (edited)
James Pedersen
Hi, can someone please confirm that the Apple recovery partition's OS for macOS 10.13+ does not perform TRIM or the iSCSI analog of TRIM? (edited)
Greg Kutzbach 8/25/2023 7:34 PM
What does iSCSI have to do with this?
Peacekeeper
No joy on the KnowledgeC, but I am looking for the correct biome file(s) that might contain this info. Thanks so far!
Doesn't artex from @CLB_iwhiffin parse this? (I think he gets it from knowledgeC though, but he might have updated this or have another artifact lead.) (edited)
Axen Cleaver 8/26/2023 1:58 PM
Has anyone had any instances of recovering Marco Polo video messages? I have a physical extraction from a CoolPad CS3705AS, Android 9, SPL 6-1-21
Peacekeeper
No joy on the KnowledgeC, but I am looking for the correct biome file(s) that might contain this info. Thanks so far!
Mistercatapulte 8/26/2023 11:37 PM
@Peacekeeper Hello, and with @Brigs parser nothing?
Mistercatapulte
@Peacekeeper Hello, and with @Brigs parser nothing?
Peacekeeper 8/27/2023 8:33 AM
Thanks for the hint, I'll have a look when I'm back in office. I found several powerlog databases, table PLCameraAgent_EventForward_Torch that seems to hold some info, but I have to do some testing to see if this contains the info I'm looking for
Peacekeeper
Thanks for the hint, I'll have a look when I'm back in office. I found several powerlog databases, table PLCameraAgent_EventForward_Torch that seems to hold some info, but I have to do some testing to see if this contains the info I'm looking for
Peacekeeper 8/27/2023 9:57 AM
In this regard, it looks like the info is contained in the powerlog databases, however we have days (fictive) a, b, e and current, but c and d are missing. And guess what, these are the days of interest... anyone here that has an idea how the powerlog databases could be removed/deleted, what could cause this? Thanks!
*Updated - For anyone following along at home I found the answer to my question in the 'local.db' database, trash table under a column called 'deleteTime.' This appears to be a UNIX timestamp in milliseconds. * Does anyone know where the parsed 'Deleted' time and date is derived from in Cellebrite PA in relation to a file that has been sent to the Recycle Bin on a Samsung A20 mobile phone. I have examined the Files table in the external.db database and am unable to find a field where this time and date has come from. It appears correct but would be great to know where this came from. Thanks 🙂 (edited)
Greg Kutzbach
What does iSCSI have to do with this?
James Pedersen 8/27/2023 11:47 PM
The iSCSI analog of TRIM (SATA TRIM) is UNMAP I think. I might be wrong here but I think that some USB-connected hard drives could potentially be using iSCSI rather than SATA to send data between the computer and the hard drive. (edited)
James Pedersen
The iSCSI analog of TRIM (SATA TRIM) is UNMAP I think. I might be wrong here but I think that some USB-connected hard drives could potentially be using iSCSI rather than SATA to send data between the computer and the hard drive. (edited)
Greg Kutzbach 8/28/2023 1:32 AM
I think you mean UASP/ UAS. iSCSI is specifically SCSI over IP.
Hello, anyone from @Oxygen Forensics available for a DM?
tost
Hello, anyone from @Oxygen Forensics available for a DM?
Oxygen Forensics 8/28/2023 3:35 AM
Hello, yes, of course 🙂 I have sent you a message
For future reference: here are some pointers in case somebody encounters an app called Calculator # - Vault by NewSoftwares.net. I did a search and noticed a few people asking about this app but couldn't find any follow up/solutions.
  • based on the iOS version found in a FFS dump
  • the app doesn't seem to use encryption of any kind
  • you basically don't need the passcode to view the contents, but it could be handy to browse on the phone
Other identifiers: iFolderLock, net.newsoftwares.NSVault
Filesystem location: /root/private/var/mobile/Containers/Data/Application/APP_UUID/
User content: /root/private/var/mobile/Containers/Data/Application/APP_UUID/Documents/FolderLockAdvanced
Plist that contains the passcode listed as CalculatorPin in plain text: /root/private/var/mobile/Containers/Data/Application/APP_UUID/Library/Preferences/net.newsoftwares.NSVault.plist
I'm looking for a Hex editor where I can color the data with different colors, any recommendations for good ones?
BigGamePlayer 8/29/2023 7:11 AM
Hi everyone, I am hoping someone can help me with the following location and how the media gets in this location? The location 'com.snap.file_manager_3_SCContent_bed9ba6a-863a-4225-9b40-9c8ef6d0019c'
BigGamePlayer
Hi everyone, I am hoping someone can help me with the following location and how the media gets in this location? The location 'com.snap.file_manager_3_SCContent_bed9ba6a-863a-4225-9b40-9c8ef6d0019c'
That is the cached media for that user (bed9ba6a-863a-4225-9b40-9c8ef6d0019c). If you have a file of interest, information on it can be found in cache_controller.db (edited)
All_About_FRNZX 8/29/2023 7:32 AM
any one here from @Magnet Forensics for a quick question?
Can someone help me make sense of a situation where an incoming message to the iPhone I am looking at was labeled "recalled" and no body was found. I understand how this could be the case for an outgoing message, but it is incoming. Incoming message, 'Read' by the iPhone I am looking at, in the trash folder, labeled "recalled". If you can help me make sense of it.
9:20 AM
^ this is an IOS @Cellebrite extraction and I am examining deleted instant messages.
CLB_4n6s_mc 8/29/2023 9:51 AM
It is due to Biome: thanks to Biome analysis, even if the original message has been deleted, the content can still be recovered (edited)
Hey can anyone point me in the right direction for telling if a (voice) call was placed by a paired Apple Watch or the iPhone itself?
ForensicDev 8/29/2023 1:34 PM
Does anyone have any insights/thoughts on how to obtain Signal messages from iOS 16 (iPhone 14 Pro Max)? It is my understanding that all Signal data is encrypted and there is no "offline decryption" support by @Cellebrite or other forensic tools at this time. It is a consent situation where the phone custodian is cooperative. Are there any other workflows that would provide access to decrypted Signal messages? Not necessarily in a forensic context, yet rather simply "exporting" the messages to read outside the Signal app?
ForensicDev
Does anyone have any insights/thoughts on how to obtain Signal messages from iOS 16 (iPhone 14 Pro Max)? It is my understanding that all Signal data is encrypted and there is no "offline decryption" support by @Cellebrite or other forensic tools at this time. It is a consent situation where the phone custodian is cooperative. Are there any other workflows that would provide access to decrypted Signal messages? Not necessarily in a forensic context, yet rather simply "exporting" the messages to read outside the Signal app?
Chat capture could be an option.
I've bumped into an issue: when I use the mitmproxy CA from mitm.it and insert it into the Android store via ADB, the app denies the fake CA, obviously because of the security being in place. Not so sure what exactly the security term is for this
2:38 PM
However, can the use of magisk plugin bypass this and help create fake CA certs
CLB-Paul
Chat capture could be an option.
ForensicDev 8/29/2023 5:28 PM
@CLB-Paul could you elaborate what you mean by "Chat capture"?
ForensicDev
@CLB-Paul could you elaborate what you mean by "Chat capture"?
nachito 4n6s 8/29/2023 6:59 PM
It's a feature inside UFED, it's practically automated screenshots that run automatically portraying the app you select..
ForensicDev
@CLB-Paul could you elaborate what you mean by "Chat capture"?
Thanks @nachito 4n6s I missed the iOS part. It's Android only.
CLB-Paul
Thanks @nachito 4n6s I missed the iOS part. It's Android only.
ForensicDev 8/29/2023 8:59 PM
Thanks. Good to know it exists for Android. Separately, has anyone had success with "UFED Premium" to extract/decrypt Signal messages? Speaking of which, can anyone comment on the difference between @Cellebrite Mobile Elite and UFED Ultra? Which one is replacing "UFED Premium"?
ForensicDev
Does anyone have any insights/thoughts on how to obtain Signal messages from iOS 16 (iPhone 14 Pro Max)? It is my understanding that all Signal data is encrypted and there is no "offline decryption" support by @Cellebrite or other forensic tools at this time. It is a consent situation where the phone custodian is cooperative. Are there any other workflows that would provide access to decrypted Signal messages? Not necessarily in a forensic context, yet rather simply "exporting" the messages to read outside the Signal app?
Unless Signal has changed anything in the last few weeks pretty much every major tool supports it as long as you have a FFS extraction and a keychain. (edited)
Can someone please explain the zhandle table in a call history database of an iPhone? I have a device we're attempting to prove the user deleted all call data prior to handing the device over. There are no calls in the zcallrecords table, but over 10,000 in the zhandle table. Also can someone please define the z_ent, z_opt, and ztype headings (found in zhandle). Thank you for any help you can offer!
Steve
Can someone please explain the zhandle table in a call history database of an iPhone? I have a device we're attempting to prove the user deleted all call data prior to handing the device over. There are no calls in the zcallrecords table, but over 10,000 in the zhandle table. Also can someone please define the z_ent, z_opt, and ztype headings (found in zhandle). Thank you for any help you can offer!
Andrew Rathbun 8/30/2023 1:09 PM
Awesome! Thank you!
I'm examining biome files on an iOS device. Do you guys know a good tool that can read protobuffers? (edited)
Peacekeeper
Anyone who knows if/where I could find a log on an iPhone if/when the flashlight was turned on or off? Timeframe of interest is approximately five days before the extraction. We have a FFS dump and the device is still available as well if need be. Thanks for any insights!
Peacekeeper 8/31/2023 1:09 AM
In this regard I have found the powerlogs I was looking for https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_torch_state.txt APOLLO parses the current powerlog (placed in path /Library/BatteryLife/CurrentPowerlog.PLSQL). In this instance the data is no longer in the current powerlog. There are some powerlogs available from previous dates (placed in path /Library/BatteryLife/Archives/powerlogYYYY-MM-DD(some ID).PLSQL.gz). In my instance, my date of interest was not among these. Instead the powerlog was renamed and placed in a different path: /Library/BatteryLife/Quarantine/ArchiveMaxAttemptsPowerlog_<epoch-timestamp>.<6digit>.PLSQL The database structure is (at first glance) exactly the same as the CurrentPowerlog.PLSQL, so probably an archive when the current gets too large, or at specific time interval. Rest of the info in regards to flashlight/torch use you can find in the link above. Thanks for the help and pointing me in the right direction!
Apple Pattern of Life Lazy Output'er. Contribute to mac4n6/APOLLO development by creating an account on GitHub.
Oscar
That is the cached media for that user (bed9ba6a-863a-4225-9b40-9c8ef6d0019c). If you have a file of interest, information on it can be found in cache_controller.db (edited)
BigGamePlayer 8/31/2023 1:29 AM
Thanks Oscar, would this be cached media the user has created and saved as a memory as that is what Axiom reports it as?
Is anyone up to a challenge regarding/understanding the consolidated.db? I have an actual case and want to try and understand the Geofence table... I have read @CLB_iwhiffin's blog but still have some missing bits. I can see that it looks (from the "name" column) to be from the Apple Watch. The name is "apple-watch-guid-idCLFenceHandoffTypeGeo4647". The bundleId is from LocationFenceSync.bundle and the handofftag is from FindMyDevice.framework. The monitorflags has a value of "35" on the relevant entries (there are 3); they have the same info as mentioned above, however with three different Geo4647, Geo4648, Geo4648. All three entries have the exact same timestamp. Two of the locations are related to places where the person has lived (former and present home), the third one is a location that we do not know the person's relation to. Having spent hours trying to understand this..... does anyone have some input on what this could be the result of? I guess that the person must have been in all three places, and the two home addresses make sense. But how is the third one added, and what is the connection to the Apple Watch writing the fence to the consolidated.db? Hope my question makes sense.... in some way 🙂 (edited)
do you have any idea what date format is this ?
7:44 AM
7:45 AM
oh, it looks like apple NSDate
7:47 AM
Apple Cocoa Core Data
yes thank you, do you have any tips on how to find the date format when it's not something common like unix epoch ? (edited)
usually google or just (((noticing)))
7:50 AM
on the side of that page there is a converter for a bunch of different formats, you can usually tell what something is by looking at the first 3 digits
ok thx
Has anyone come across a swapfile.db in the root of a FFS extraction? When trying to open it in a DB viewer, I get an error saying it is not a DB. Looking at the hex, it seems there is content. Any suggestions what this is and how to parse it properly?
👀 1
"swapfile" makes me think it's related to RAM
Me as well, just never seen it embedded into a filesystem of a mobile device.
emilie_
yes thank you, do you have any tips on how to find the date format when it's not something common like unix epoch ? (edited)
Try the app DCode, it usually works well for figuring it out https://www.digital-detective.net/dcode/ (edited)
DCode™ is a FREE forensic tool for decoding data found during digital forensic examinations into human-readable timestamps.
❤️ 2
callzor
I'm examining biome files in an iOS device. Do you guys know a good tool that can read protobuffers? (edited)
cScottVance 8/31/2023 12:58 PM
You can use Cyberchef but it won't convert some of the int64 values for you.
cScottVance
You can use Cyberchef but it won't convert some of the int64 values for you.
Tried using hex and then protobuf decode. But something went wrong. Did not get any output. (edited)
📬 1
ForensicDev 8/31/2023 3:46 PM
Does anyone have any insight what the "transfer_status" field in table "attachments" indicates within an iOS sms.db? I see values of 0, 5, and 6 in this field.
Learn the syntax of the +CMGL AT command and the format of the information response when the GSM/GPRS modem or mobile phone is operating in SMS PDU mode.
3:57 PM
I don't see 5 and 6; they may be used for iMessage
ForensicDev 8/31/2023 4:11 PM
Interesting. Thank you. Yes, the messages I am seeing values of 5 and 6 are for iMessages.
BigGamePlayer
Thanks Oscar, would this be cached media the user has created and saved as a memory as that is what Axiom reports it as?
Could be, Axiom is usually pretty good at parsing snapchat. You can try to use my tool to verify it if you need https://github.com/DFIR-HBG/Snapchat_Auto
Automatic extraction and parsing of Snapchat for iOS and Android - GitHub - DFIR-HBG/Snapchat_Auto: Automatic extraction and parsing of Snapchat for iOS and Android
STAY MAORI BRO 9/1/2023 10:02 AM
Anyone @Cellebrite available for DM?
📬 1
callzor
I'm examining biome files in an iOS device. Do you guys know a good tool that can read protobuffers? (edited)
Rabbit hole
Greg Kutzbach
I think you mean UASP/ UAS. iSCSI is specifically SCSI over IP.
James Pedersen 9/2/2023 1:04 AM
Right, yes, my bad, sorry
👍 1
James Pedersen
Right, yes, my bad, sorry
Greg Kutzbach 9/2/2023 6:35 PM
To answer your question, no usb connected devices are using sata to send data to the computer. They use usb bridges to the native drive interface, be it sata/ nvme/ ide/ flash/ … They’ll do this either with UASP/ UAS or native USB bulk transfer. USB bulk transfer is only useful for USB 2.0 speeds, to the best of my knowledge. So most of these USB 3.0/3.1 drives use UASP/ UAS. Then there’re thunderbolt and firewire. Two completely different animals.
facelessg00n 9/4/2023 4:32 AM
Here is an updated script for Encrypted Apple notes, can output the hash in JtR or Hashcat format, will also pull the notes file directly out of a GK extract. https://github.com/facelessg00n/pythonForensics/blob/main/applenotes2hash/applenotes2hash.py
Collection of scripts I have made. Contribute to facelessg00n/pythonForensics development by creating an account on GitHub.
💯 2
❤️ 1
volvoabbaikea 9/4/2023 6:50 AM
Does anyone know what table ZLOCATIONOFINTERESTSOURCE in Local.sqlite represents? Getting several different values
@Cellebrite Any light at the end of the tunnel to get the Select all / Deselect All functionality in PA 8X Settings... It's infuriating.
💯 1
Jeeper
@Cellebrite Any light at the end of the tunnel to get the Select all / Deselect All functionality in PA 8X Settings... It's infuriating.
In the works. Checking on timeline.
CIF
Has anyone come across a swapfile.db in the root of a FFS extraction? When trying to open it in a DB viewer, I get an error saying it is not a DB. Looking at the hex, it seems there is content. Any suggestions what this is and how to parse it properly?
Update - seems the swapfile is acting as virtual RAM. Was able to parse the file in Axiom by using its Mobile parsers, had a bunch of data pieced today.
hugogoncalves9063 9/5/2023 7:32 AM
@MSAB anyone available?
👍 1
hugogoncalves9063 9/5/2023 7:56 AM
for some reason bruteforce isn't working
it's unsupported encryption most likely
8:01 AM
scroll up and check if you see something like an unsupported blob message
hugogoncalves9063 9/5/2023 8:04 AM
blob version:341
All_About_FRNZX 9/5/2023 10:23 AM
Hi all, what is the best LevelDb parser?
All_About_FRNZX
Hi all, what is the best LevelDb parser?
I'd say AIM is doing an excellent job @Arsenal
hugogoncalves9063
blob version:341
yes, that's the one. As described here, https://discord.com/channels/427876741990711298/427877097768222740/1136626720779276378, you're out of luck for now. Even Premium tools struggle with models based on this chipset
10:54 AM
it won't hurt to try if you have the option to try with Oxygen, Passware, or a tool like UFED Premium, but it'll likely fail as well, at least at the moment
Can I get some help here? I have a Samsung full file extraction and a couple of pictures from WhatsApp, they are named like "IMG-20200923-WA0001.jpg" and I don't have any created date, only modified, and that date is 2023-06-21. Is it possible to find out the created date or what?
hsandeberg
Can I get some help here? I have a Samsung full file extraction and a couple of pictures from WhatsApp, they are named like "IMG-20200923-WA0001.jpg" and I don't have any created date, only modified, and that date is 2023-06-21. Is it possible to find out the created date or what?
I've been seeing this on a lot of Samsung devices where media/files don't have any created dates. Only modified/accessed
Aero
I've been seeing this on a lot of Samsung devices where media/files don't have any created dates. Only modified/accessed
hsandeberg 9/6/2023 3:54 AM
Hi, it looks like that, but I found it now in the external.db file, so it's there but PA doesn't present it.
I'm reaching out to see if anyone can help me pinpoint the exact scenario where the image name "iOS_image_upload.jpeg" is generated. I have tried replicating this naming convention using an iPhone under various circumstances, but I haven't been successful in recreating it. Any insights or suggestions would be greatly appreciated.
Anyone from cellebrite available for a question?
📬 1
Tim
Anyone from cellebrite available for a question?
@Cellebrite
Does anyone know what artifact in a FFS, can be used to verify that MAC randomization is turned on, on Google Pixel, Android 13? Plus, are the past randomized MACs stored anywhere on the device (i.e. log file, etc). I've been scouring the device and no luck thus far. Any help would be appreciated, thanks!
daw005
I'm reaching out to see if anyone can help me pinpoint the exact scenario where the image name "iOS_image_upload.jpeg" is generated. I have tried replicating this naming convention using an iPhone under various circumstances, but I haven't been successful in recreating it. Any insights or suggestions would be greatly appreciated.
what path are you finding that file in?
Can someone confirm my suspicion regarding app deletion on an Android? I'm trying to see if WhatsApp is still present on the phone. PA reports it in the installed applications without a deleted date. But I'm not finding any artifacts related to WhatsApp. I used ALEAPP to parse the phone and find that it shows entries in the Installed Apps (GMS, Library and Vending) but nothing under packages. When I test for example com.zhiliaoapp.musically I find its package under there, so I assume that if the app is still present on the device its corresponding package will also be? So I'm trying to conclude that it is not on the device anymore but looking to confirm thoughts.
ChutzpahAI
Does anyone know what artifact in a FFS, can be used to verify that MAC randomization is turned on, on Google Pixel, Android 13? Plus, are the past randomized MACs stored anywhere on the device (i.e. log file, etc). I've been scouring the device and no luck thus far. Any help would be appreciated, thanks!
CLB_joshhickman1 9/6/2023 3:36 PM
Look in the file WifiConfigStore.xml (/data/misc/apexdata/com.android.wifi/). You can set MAC randomization on a per-BSSID basis. Look for the BSSID you are interested in, then find the XML tag "MacRandomizationSetting" associated with that BSSID. A value of 0 indicates the setting is off. A value of 3 (default) indicates MAC randomization is enabled for that specific BSSID. I'm not aware of any file that keeps a historical record of previously used addresses.
Can someone help? Samsung Galaxy running Android 9 - Looking to find a log that tracks plugged in and unplugged status.
snoop168
Can someone confirm my suspicion regarding app deletion on an Android? I'm trying to see if WhatsApp is still present on the phone. PA reports it in the installed applications without a deleted date. But I'm not finding any artifacts related to WhatsApp. I used ALEAPP to parse the phone and find that it shows entries in the Installed Apps (GMS, Library and Vending) but nothing under packages. When I test for example com.zhiliaoapp.musically I find its package under there, so I assume that if the app is still present on the device its corresponding package will also be? So I'm trying to conclude that it is not on the device anymore but looking to confirm thoughts.
Nothing on these locations? Is there an SDcard?
Anyone from @Magnet Forensics and MSAB available for DM (or probably open discussion)? We get more and more requests from our users asking for support of our keychain format (for agent-based iOS extractions, which allow getting the keychain and FFS for iOS from 9.0 to 16.5) in the most popular forensic analysis software. Right now only @Oxygen Forensics supports it. We also have good progress talking to Cellebrite. We will be happy to provide vendors with our software (Elcomsoft iOS Forensic Toolkit, https://www.elcomsoft.com/eift.html), of course.
snoop168
what path are you finding that file in?
This remains unclear as these images are located in the download folder of an Android phone, named as "iOS_image_upload.jpeg", "iOS_image_upload.jpeg (2)", and so on. A brief online search indicates images with this naming convention on a series of shady web pages.
daw005
This remains unclear as these images are located in the download folder of an Android phone, named as "iOS_image_upload.jpeg", "iOS_image_upload.jpeg (2)", and so on. A brief online search indicates images with this naming convention on a series of shady web pages.
i would interpret that as the user downloading attachments from some chat-app or forum, not much else to say if there is no other metadata or logs with these names in them
Does anyone know what the "progress" column in the media table in vlc_media.db (on an Android) reflects? I assume it's how far through the video got before it was paused, but want to confirm this. Also, is it recorded in seconds, minutes etc? TIA
daw005
This remains unclear as these images are located in the download folder of an Android phone, named as "iOS_image_upload.jpeg", "iOS_image_upload.jpeg (2)", and so on. A brief online search indicates images with this naming convention on a series of shady web pages.
Try a raw keyword search for the filename and see if any results but yes likely just downloaded from the internet somehow and the hosting site chose that filename somehow. Guessing the file was previously uploaded by an iOS based device. Does the content of the photo provide any context to its possible source?
Hans Leißner 9/7/2023 4:57 AM
Good day, may I "bother" someone from @Cellebrite again with a question? :-)) This time it concerns the UFED Reader. Thanks!
📬 1
🙏 1
bonose4nsix 9/7/2023 9:43 AM
I’m getting inundated with Snapchat warrant returns which are returning in .csv format. I’ve tried running them through both Axiom and Cellebrite PA which only spit out the .csv files I ingested. Is anyone else facing this problem? Is there a format I can ask for from Snapchat that would parse better through commercial tools? Is there a commercial or free program that ingests these and puts them in an easier format to search?
Can anyone corroborate whether or not a missing RowID number in the message table of the SMS.db database is indicative of a user deleting messages?
cupofteaandabiscuit 9/7/2023 11:05 AM
Is anyone from @Cellebrite available for a DM in relation to an issue I am having with P/A 8 and in particular “insights” tab and CAID. Thanks
Cenizas
Can anyone corroborate whether or not a missing RowID number in the message table of the SMS.db database is indicative of a user deleting messages?
burgers_N_bytes 9/7/2023 12:13 PM
👍 1
Greg Kutzbach
To answer your question, no usb connected devices are using sata to send data to the computer. They use usb bridges to the native drive interface, be it sata/ nvme/ ide/ flash/ … They’ll do this either with UASP/ UAS or native USB bulk transfer. USB bulk transfer is only useful for USB 2.0 speeds, to the best of my knowledge. So most of these USB 3.0/3.1 drives use UASP/ UAS. Then there’re thunderbolt and firewire. Two completely different animals.
James Pedersen 9/7/2023 3:28 PM
@Greg Kutzbach Right. But what about whether or not the MacOS recovery OS can send TRIM commands though? (edited)
James Pedersen
@Greg Kutzbach Right. But what about whether or not the MacOS recovery OS can send TRIM commands though? (edited)
Greg Kutzbach 9/7/2023 3:33 PM
To the best of my knowledge, I’m going to say no. But read this for more info. If you are worried about this, I recommend using a write blocked forensic os environment and/or a write blocker. https://eclecticlight.co/2023/03/25/should-you-trim-external-ssds/
Enabling the TRIM command was once thought important to maintain good write performance on SSDs. What has happened to it? Should we still be enabling it?
bonose4nsix
I’m getting inundated with Snapchat warrant returns which are returning in .csv format. I’ve tried running them through both Axiom and Cellebrite PA which only spit out the .csv files I ingested. Is anyone else facing this problem? Is there a format I can ask for from Snapchat that would parse better through commercial tools? Is there a commercial or free program that ingests these and puts them in an easier format to search?
Returns Logs Events And Properties Parser. Contribute to abrignoni/RLEAPP development by creating an account on GitHub.
cupofteaandabiscuit
Is anyone from @Cellebrite available for a DM in relation to an issue I am having with P/A 8 and in particular “insights” tab and CAID. Thanks
Send me a dm and we can chat about it
bonose4nsix 9/7/2023 6:08 PM
@FullTang - I haven’t, but I will! Thanks!
👍 1
bonose4nsix
I’m getting inundated with Snapchat warrant returns which are returning in .csv format. I’ve tried running them through both Axiom and Cellebrite PA which only spit out the .csv files I ingested. Is anyone else facing this problem? Is there a format I can ask for from Snapchat that would parse better through commercial tools? Is there a commercial or free program that ingests these and puts them in an easier format to search?
Greg Kutzbach 9/7/2023 8:32 PM
Also, Magnet has an easy custom artifact builder. And an artifact library.
Greg Kutzbach 9/7/2023 9:02 PM
If you need help building the custom artifacts, send me a DM and we can do some professional services. Shouldn’t take more than an hour or so.
@Cellebrite Hi, is there a way to decrypt the Notes app or any other app (using the password list for example) after the decoding? It's really painful to decode the data again to try another password...
📬 1
Morning, has anyone had any joy with decoding MS Outlook email data from a FFS extraction? I have the database and AppContainer, yet tools we use in the lab don't seem to decode the data - and typically on the handset I have around 900 emails (not wanting to manually capture).
Cellebrite PA - no decoding
Axiom - decodes only a very small percentage of emails
Any tips or help greatly appreciated.
📬 1
Akko
Morning, has anyone had any joy with decoding MS Outlook email data from a FFS extraction? I have the database and AppContainer, yet tools we use in the lab don't seem to decode the data - and typically on the handset I have around 900 emails (not wanting to manually capture).
Cellebrite PA - no decoding
Axiom - decodes only a very small percentage of emails
Any tips or help greatly appreciated.
facelessg00n 9/8/2023 4:02 AM
Are the emails actually there on the device or are they in the cloud? Sometimes they will only have some headers in there
Yeah, there is email data held on the handset - open an email and see all content...
Anyone from Cellebrite for a very quick PA Ultra question? @Cellebrite
📬 1
Greg Kutzbach
To the best of my knowledge, I’m going to say no. But read this for more info. If you are worried about this, I recommend using a write blocked forensic os environment and/or a write blocker. https://eclecticlight.co/2023/03/25/should-you-trim-external-ssds/
James Pedersen 9/9/2023 5:58 PM
Perhaps you would be so kind as to recommend a write-blocker product or a write-blocked forensic environment tool? @Greg Kutzbach (edited)
James Pedersen
Perhaps you would be so kind as to recommend a write-blocker product or a write-blocked forensic environment tool? @Greg Kutzbach (edited)
Greg Kutzbach 9/9/2023 7:48 PM
Recon ITR or Tableau hardware write blockers
Hello, I am trying to find information regarding usage of the Kik Messenger application on an Android device (the application is no longer present on the device). I have run a search for kik.android against the hex data and got some results for 'PkgPredictions.db' and 'data_usage.db' but cannot find any information regarding these databases. Is anyone able to help at all please, many thanks in advance.
Akko
Morning, has anyone had any joy with decoding MS Outlook email data from a FFS extraction? I have the database and AppContainer, yet tools we use in the lab don't seem to decode the data - and typically on the handset I have around 900 emails (not wanting to manually capture).
Cellebrite PA - no decoding
Axiom - decodes only a very small percentage of emails
Any tips or help greatly appreciated.
Is this on Android or iOS? I have encountered this on Android recently and ended up doing a screen recording to capture the contents while Magnet / CLB catch up with their app support
Hi! I want to tell when a phone (a Pixel 7 and a Samsung) was first in use/initiated or last restored/reset. I have a vague memory that this was covered in the 585 SANS course but I can't find it now. Anyone who can point me in the right direction? (edited)
wadde
Hi! I want to tell when a phone (a Pixel 7 and a Samsung) was first in use/initiated or last restored/reset. I have a vague memory that this was covered in the 585 SANS course but I can't find it now. Anyone who can point me in the right direction? (edited)
doesn't Binary Hick have a blogpost about this?
OggE
doesnt binary hick have a blogpost about this?
Thx I will check it out!
does anyone have an answer to why there are entries from 2023 in knowledgeC and datausage when the extraction was made in 2022 (time gap of months)? Have checked with UFED and Axiom, and no, it's not carved or from WAL.
wadde
Hi! I want to tell when a phone (a Pixel 7 and a Samsung) was first in use/initiated or last restored/reset. I have a vague memory that this was covered in the 585 SANS course but I can't find it now. Anyone who can point me in the right direction? (edited)
https://github.com/abrignoni/ALEAPP can extract wipe, factory reset, recovery artifacts
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
👍🏻 1
💯 1
OggE
does anyone have an answer to why there are entries from 2023 in knowledgeC and datausage when the extraction was made in 2022 (time gap of months)? Have checked with UFED and Axiom, and no, it's not carved or from WAL.
are you sure about the extraction time? maybe there are some expiration time entries like cookies etc
s.m.
are you sure about the extraction time? maybe there are some expiration time entries like cookies etc
yes the time is correct. Some of the entries are that Safari has been in focus, which it hasn't.
s.m.
https://github.com/abrignoni/ALEAPP can extract wipe, factory reset, recovery artifacts
Thank you! 🙏🏻
wadde
Hi! I want to tell when a phone (a Pixel 7 and a Samsung) was first in use/initiated or last restored/reset. I have a vague memory that this was covered in the 585 SANS course but I can't find it now. Anyone who can point me in the right direction? (edited)
There is a Part II to this post, which you can find here. I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for …
I hope everyone has had a great first quarter of 2023. For me, it has been a busy one with settling into a new role at a new employer. As things continue to settle I hope to get back into a bloggin…
🙏🏻 1
testermonkey 9/12/2023 3:08 AM
Morning all, could I ask for a little help in researching the function that creates the folder "share-cache" within "com.google.android.apps.photos\cache\share-cache"? I've tried a couple of different things on a test handset but haven't been able to make this folder appear in a decode in order to explain it. In the exhibit data there aren't usage logs dating back to the creation date to give me any new ideas yet. (edited)
Someone from @Cellebrite for dm?
📬 1
hbza
Is this on Android or iOS? I have encountered this on Android recently and ended up doing a screen recording to capture the contents while Magnet / CLB catch up with their app support
Hi, this was iOS, ended up screen capturing the email data (a lot of junk email unrelated to the case brief)
JSB
I’m also interested in this, did you find out if this is stored anywhere? Maybe @Cellebrite know?
I think I found it in the unified logs but it took some digging and some interpretation I'm not 100% sure on, but it matches up with unlock times from knowledgeC etc so I'm making an educated guess...
@Cellebrite anynone?
CLB_4n6s_mc 9/13/2023 1:57 AM
Hello, how could we help?
Mr.Robot
Does someone know if there is an article on Session and iOS?
Hey there, did you find anything regarding this problem? None of our tools can decrypt the database :/
Henrik
Hey there, did you find anything regarding this problem? None of our tools can decrypt the database :/
You need Keychain/keystore, so more than a logical extraction
👍 1
testermonkey
Morning all, could I ask for a little help in researching the function that creates the folder "share-cache" within "com.google.android.apps.photos\cache\share-cache"? I've tried a couple of different things on a test handset but haven't been able to make this folder appear in a decode in order to explain it. In the exhibit data there aren't usage logs dating back to the creation date to give me any new ideas yet. (edited)
Heimdall4N6K 9/13/2023 5:19 AM
here is some info about images on Android: https://youtu.be/Rlp-h9V6FI0?si=nIU5AsJ45UcUUqVS
Good morning all. I'm looking for some assistance with clearing/deleting the call log on an iPhone XR. We have phone records from the service provider showing outgoing 911 calls from the device with a matching phone number and IMEI/ESN to my FFS. I cannot find any calls on the device from the dates provided by the service provider. My question is, is there somewhere to look to see if the call log was cleared. I have been digging through the CallHistoryDB and various other locations looking for traces of destruction but I can't find anything. Does anyone have any idea?
stps358
Good morning all. I'm looking for some assistance with clearing/deleting the call log on an iPhone XR. We have phone records from the service provider showing outgoing 911 calls from the device with a matching phone number and IMEI/ESN to my FFS. I cannot find any calls on the device from the dates provided by the service provider. My question is, is there somewhere to look to see if the call log was cleared. I have been digging through the CallHistoryDB and various other locations looking for traces of destruction but I can't find anything. Does anyone have any idea?
My understanding is that 911 calls are commonly not stored in the call history databases on the phone. It might have something to do with the phone using any and all available towers to make the call because it is an “emergency” call, but maybe someone else has more info on that. Can you check the KnowledgeC to see if there is evidence of the 911 call as recorded by the service provider?
Andrew Rathbun 9/13/2023 9:33 AM
Got a question for the braintrust. Is there any iOS artifact that shows timestamps for photos/screenshots deleted more than 30 days before the extractions? iOS 16 (edited)
FullTang
My understanding is that 911 calls are commonly not stored in the call history databases on the phone. It might have something to do with the phone using any and all available towers to make the call because it is an “emergency” call, but maybe someone else has more info on that. Can you check the KnowledgeC to see if there is evidence of the 911 call as recorded by the service provider?
Thanks for the info. I have found nothing in the KnowledgeC Application Intents, Notification Usage or Screen Backlight States. Also nothing in Interaction C Interactions for the 911 calls. I see other calls etc. but not the 911. Most of the KnowledgeC data doesn't date back far enough. I'm looking for info from June and the phone didn't get dumped until yesterday. I'm guessing some of this information has been erased due to fleeting databases etc.
Cellebrite - Is the "Deletion Date" of trash messages from iMessage a fairly new decoded value? I just noticed it today in timeline view but doesn't show in Chat view. (edited)
4JSN6🇬🇧 9/14/2023 12:23 AM
@Cellebrite Have we got a release date for 8.7 Ultra?
4JSN6🇬🇧
@Cellebrite Have we got a release date for 8.7 Ultra?
CLB_4n6s_mc 9/14/2023 12:50 AM
Still testing it in a few days but cannot be more precise
👍 1
Wouter#0195 9/14/2023 3:44 AM
Anyone from @Oxygen Forensics available?
Wouter#0195
Anyone from @Oxygen Forensics available?
Oxygen Forensics 9/14/2023 3:44 AM
Hello, sure, DM'd 🙂
Morning everyone - does anyone have any guidance for the following 2 rabbit holes I'm going down:
1. Any information on parsing the MEGA application and files that were downloaded or a log of files downloaded to a device? (Android File System)
2. Any information on finding a log of bluetooth transferred files in Android? (edited)
Andrew Rathbun
Got a question for the braintrust. Is there any iOS artifact that shows timestamps for photos/screenshots deleted more than 30 days before the extractions? iOS 16 (edited)
ScottKjr3347 9/14/2023 7:46 AM
I believe your question is asking: if a user flags media for deletion and the media remains flagged for deletion longer than 30 days and is then auto deleted, or the user manually deletes the media, can artifacts be found on device related to the deleted media? Easy answer is no, but during my iPhone research I have not found any on device artifacts that would provide deleted media insights. Other possible ways to learn more about deleted media:
- Acquiring and analyzing iCloud/iTunes backups
- Acquiring and analyzing iCloud photos sync data
- Locating other devices, that may have been synced in the past, which are now isolated from the network, thus preventing iCloud photos to sync
I am unaware of anyone and I have not conducted research in the area of Unified logs/Sysdiagnose logs for artifacts related to deleted media. It's on my todo list. (edited)
🙏 1
💯 2
CIF
Morning everyone - does anyone have any guidance for the following 2 rabbit holes I'm going down:
1. Any information on parsing the MEGA application and files that were downloaded or a log of files downloaded to a device? (Android File System)
2. Any information on finding a log of bluetooth transferred files in Android? (edited)
I had luck with ALEAPP with mega logs for a case from an Android ffs extraction which gave me all the csam file names that weren't parsed by other software. Would def try that (edited)
❤️ 1
CIF
Morning everyone - does anyone have any guidance for the following 2 rabbit holes I'm going down:
1. Any information on parsing the MEGA application and files that were downloaded or a log of files downloaded to a device? (Android File System)
2. Any information on finding a log of bluetooth transferred files in Android? (edited)
I would also get with MEGA. If it’s a CSAM case, they will help you out. MEGA will provide you with a json file that has account info, device info, access dates and times, and if there is deleted data. They can also use common identifiers to link multiple accounts. They will also provide you with an encrypted file of all of the contents of the account.
Private Derp 9/14/2023 8:50 PM
Hi all, first time using Cellebrite PA Ultra, is there any way to add multiple devices to a single Case? Or do I need to create a separate case for each device? Cheers!
Henrik
Hey there, did you find anything regarding this problem? None of our tools can decrypt the database :/
Unfortunately not, I think the decryption of Session can only happen if you have a FFS, not even with an AFU
Mr.Robot
Unfortunately not, I think the decryption of Session can only happen if you have a FFS, not even with an AFU
Makes sense, I just decrypted Session on iOS but I had FFS
Mr.Robot
Unfortunately not, I think the decryption of Session can only happen if you have a FFS, not even with an AFU
Thanks for the reply 👍
Does anyone know if Magnet Acquire 2.67 automatically encrypts the ADB backup it creates... in other words, does it encrypt the backup, and what is the generic password? @forensicmike @Magnet
Private Derp
Hi all, first time using Cellebrite PA Ultra, is there any way to add multiple devices to a single Case? Or do I need to create a separate case for each device? Cheers!
It is not possible yet. I am not using it because it is still missing some features and has some problems.
4n6_5w3
Makes sense, I just decrypted Session on iOS but I had FFS
I had an AFU with Session but can't decrypt it unfortunately
Does anyone know what kind of activity creates a vicinity entry/exit timestamp and the created timestamp?
Cenizas
Does anyone know what kind of activity creates a vicinity entry/exit timestamp and the created timestamp?
Are you talking about locations on an iOS device?
Yes sir
I'll check it out. Thanks!
Jetten_007
Does anyone know if Magnet Acquire 2.67 automatically encrypts the ADB backup it creates... in other words, does it encrypt the backup, and what is the generic password? @forensicmike @Magnet
if you didn't get an answer yet, try mag123. It seems that's the passcode Axiom uses (or used) for iTunes backups, so might as well use it for ADB backups https://discord.com/channels/427876741990711298/427877097768222740/1039280076140855316 (edited)
Arcain
if you didn't get an answer yet, try mag123. It seems that's the passcode Axiom uses (or used) for iTunes backups, so might as well use it for ADB backups https://discord.com/channels/427876741990711298/427877097768222740/1039280076140855316 (edited)
It worked... yeah.. !!!!
I am currently trying to deduce when a contact was first entered into a phone. Looking through the device I have found 3 dates in the contacts2.db, and the earliest, and so the one I am interested in, is located in the sync3 column of the raw_contacts table. My research suggests that these columns have contents determined by the account type entered or something like that. The account of interest is listed as a com.google. Ultimately I am asking what the sync3 column of the raw_contacts table of the contacts2 database means with respect to a com.google account.
chrisforensic 9/18/2023 8:11 AM
heyho folks @Cellebrite ... may I ask if a new beta PA is in preparation?
numbersevenfan
Looking for some ideas for overcoming Magnet App Simulator failing to load any APK I throw at it. I export the APKs from various Android extractions I have. The emulator will start, I can see and interact with the clean VM, but it always fails at the "Installing applications to the emulator..." phase. I tried running it normally and Run as Administrator, I looked at the VM logs (but failed to notice anything telling), I made sure all of my other virtualization-capable tools were closed (Cellebrite, Android Studio, BlueStacks). I would do the ol' reliable restart of the computer, but can't just yet due to processes I need to wait on. Thank you for reading! (edited)
Ever get this to work? I am having the same issue.
@Cellebrite Anyone around for a quick question about PA? Regarding clarification of conversion of audio files from PA. (edited)
chrisforensic
Hello @Cellebrite ... is it known that latest PA (7 and 8) has troubles decoding newer versions of Telegram (Android)? Have a FFS with Telegram 9.7.5 ... it's really a mess 😫
Were you able to get an answer about parsing Telegram within PA?
Ghosted
Were you able to get an answer about parsing Telegram within PA?
chrisforensic 9/18/2023 11:11 AM
I made a ticket, the problem was forwarded to the team, ticket was closed on 16.08.2023 (edited)
11:15 AM
It's not cool to wait a long time for a solution (update) for such a parsing problem... and it's of course an app that is used by so many people... so I would say it's important that it is parsed well (edited)
chrisforensic
It's not cool to wait a long time for a solution (update) for such a parsing problem... and it's of course an app that is used by so many people... so I would say it's important that it is parsed well (edited)
I was able to get mine to just open now, but only by adding the APK and data folder. I wanted to add the media items so they would show in the chats I am viewing but that seems to fail every time.
I am currently almost complete with my CASA certification and wanted to ask about something concerning the mobilesms.db I learned in Module 3. Within the content I was told that when the iMessage app is opened the Plist info is updated (ex. read receipts), yet wouldn't that be an important aspect to the extraction results and timing? Is anyone in the habit of opening up the Messages app prior to each extraction for this reason (to update), or am I understanding this all wrong? I'm assuming airplane mode blocks all the new updates to the table, but there can be in-between cases where the app hasn't been opened prior to airplane mode and an important metadata update afterwards would, in my head, affect some imperative metadata of the contact or message. Maybe I'm understanding the update process wrong, but it seems more important than let on. (edited)
1:53 PM
^ IOS extractions via Cellebrite
I'm currently looking at a Sony C6903 download and in particular the 'gservices.db'. I'm trying to find out if this is the initial activation of a Google account on this device, or if it is the first time it's connected to the Play Store, or something entirely different. Basically the phone apparently hadn't been used by the owner since they'd been left it by a deceased relative and it's got IIOC on it after the passing event. Any help is greatly appreciated.
Any tool at all parsing Telegram X?
Anyone available to help with iLEAPP? I have a new machine and am getting errors and I have no real experience with cmd ... or python... Just trying to see if it's the machine, the settings, or me. LMAO
Forgedmom
Anyone available to help with iLEAPP? I have a new machine and am getting errors and I have no real experience with cmd ... or python... Just trying to see if it's the machine, the settings, or me. LMAO
Have you tried putting your command line errors into ChatGPT?
Forgedmom
Anyone available to help with iLEAPP? I have a new machine and am getting errors and I have no real experience with cmd ... or python... Just trying to see if it's the machine, the settings, or me. LMAO
CLB_joshhickman1 9/19/2023 10:10 AM
@Brigs @stark4n6
It can sometimes tell you exactly what to do, or at least point you in the right direction.
Forgedmom
Anyone available to help with iLEAPP? I have a new machine and am getting errors and I have no real experience with cmd ... or python... Just trying to see if it's the machine, the settings, or me. LMAO
Hi. Thank you for trying out the scripts. Here is a step by step walkthrough on how to install iLEAPP courtesy of Hexordia. https://youtu.be/7qvVFfBM2NU
Can anyone point me to where the MSISDN is stored in the file system of an iOS device?
FullTang
Have you tried putting your command line errors into ChatGPT?
I’ve tried that in the past and it was incredibly wrong. Lol. I can save that as a last ditch! Hahaha
Hello, maybe someone knows how to get seed phrases from the Metamask app that is on an iPhone 14? I know the Metamask password and have a FFS from the phone, but I do not have the password for the phone; the phone is locked. (edited)
Ghosted
Any tool at all parsing Telegram X?
Oxygen does a really good job here.
@Cellebrite or any PA gurus: Is there a way to better integrate VLC with PA? Other than right click and open with default program? It's adding a ton of hoops to have to jump through when attempting to review multiple media files.
1:23 PM
The built in media player isn't doing much of anything
whee30
@Cellebrite or any PA gurus: Is there a way to better integrate VLC with PA? Other than right click and open with default program? It's adding a ton of hoops to have to jump through when attempting to review multiple media files.
Better just export vids and use external software that is able to view multiple files (videos/pics) at once
4:47 AM
haven't used the media plater in PA in years actually
4:47 AM
*player
I don't suppose anyone has encountered this database in the following location before, have they? I am struggling to 'define' it and understand what its actual purpose is... any knowledge would be most welcome! /data/data/com.google.android.googlequicksearchbox/app_si/state_dump_event_content_store/content_store.db
Adam Cervellone 9/20/2023 6:24 AM
I’m working on a phone where the investigator wants to know if it was being used right before a car crash. I ran across these artifacts in the Privacy Dashboard, would I be correct in saying that these are indicative of the user knowingly handling and using the camera on Snapchat? (edited)
Adam Cervellone
I’m working on a phone where the investigator wants to know if it was being used right before a car crash. I ran across these artifacts in the Privacy Dashboard, would I be correct in saying that these are indicative of the user knowingly handling and using the camera on Snapchat? (edited)
CLB_joshhickman1 9/20/2023 6:36 AM
I would corroborate what you find there with other points on the phone along with your knowledge about how the app functions. For example, was there an unlock event in Digital Wellbeing just prior to the entries in your screenshots?
6:36 AM
CLB_joshhickman1
I would corroborate what you find there with other points on the phone along with your knowledge about how the app functions. For example, was there an unlock event in Digital Wellbeing just prior to the entries in your screenshots?
Adam Cervellone 9/20/2023 7:02 AM
Thank you! I checked it and it stopped picking up any events at all about 30 hours prior to the incident. I did have my Axiom scan filtered for 48 hours before and after the incident to make sure I caught relevant information. Where would that same artifact be in PA Ultra?
7:02 AM
I have already processed it in Ultra as well and it is up on my system as we speak (edited)
CLB_joshhickman1 9/20/2023 7:15 AM
Ultra currently does not support that specific artifact.
7:16 AM
Currently under research.
7:16 AM
ALEAPP does support.
Is it possible to have the physical analyzer beta release notes?
Does anyone have a good answer on why certain apps like Instagram, WhatsApp, etc. can't be decoded by Cellebrite and sometimes have data to be manually carved, and other times don't and will pop up in Instant Messages? What makes this the case, is it the app or Cellebrite? I'm looking for just general reasoning.
12:58 PM
@Cellebrite ^?
Sam
I don't suppose anyone has encountered this database in the following location before, have they? I am struggling to 'define' it and understand what its actual purpose is... any knowledge would be most welcome! /data/data/com.google.android.googlequicksearchbox/app_si/state_dump_event_content_store/content_store.db
Hi @Sam - Researched this for you, it basically means a search was carried out via the google search bar on the home screen. I did 3 searches via it today and the blob table recorded 3 records, if you look in the database, another table (attribute_table, column 'long_attribute_value') holds the timestamp that will link to the record in the history db. The records in the db you found relate to these as the dates and times are the same, unfortunately apart from the timestamp there is nothing else of real relevance that I can find at the moment in that table apart from confirmation that the search was done via the quick google search bar on the android home screen. 👌🏻 (edited)
Sam
I don't suppose anyone has encountered this database in the following location before, have they? I am struggling to 'define' it and understand what its actual purpose is... any knowledge would be most welcome! /data/data/com.google.android.googlequicksearchbox/app_si/state_dump_event_content_store/content_store.db
Anyone from @Cellebrite here for a quick question? 🙂
MSAB_Adam
Hi @Sam - Researched this for you, it basically means a search was carried out via the google search bar on the home screen. I did 3 searches via it today and the blob table recorded 3 records, if you look in the database, another table (attribute_table, column 'long_attribute_value') holds the timestamp that will link to the record in the history db. The records in the db you found relate to these as the dates and times are the same, unfortunately apart from the timestamp there is nothing else of real relevance that I can find at the moment in that table apart from confirmation that the search was done via the quick google search bar on the android home screen. 👌🏻 (edited)
Thanks for this @MSAB_Adam! (edited)
While processing a thumb drive, a video of interest was found in Axiom. The video preview shows more than half the video, then just red X's. When playing the video, it stops about half way through. The file does not appear to have been deleted. Anyone know why the whole video was not recovered?
Cenizas
While processing a thumb drive, a video of interest was found in Axiom. The video preview shows more than half the video, then just red X's. When playing the video, it stops about half way through. The file does not appear to have been deleted. Anyone know why the whole video was not recovered?
Andrew Rathbun 9/21/2023 7:56 AM
Have you tried exporting the video and playing it outside of AXIOM in VLC or similar? Maybe the file is corrupt 🤷
Andrew Rathbun
Have you tried exporting the video and playing it outside of AXIOM in VLC or similar? Maybe the file is corrupt 🤷
Yeah, I tried that. I also suspect it's corrupt as well but just wanted other thoughts.
Adam Cervellone 9/21/2023 9:01 AM
Is there a correct way to add an Android full file system extraction (ZIP file) into Autopsy for purposes of using ALEAPP and their Android Analyzer? I added the zip as a logical file but I am not sure if that was the correct way.
Hi! Does anyone know if files that have the path data/media/0/Snapchat/Snapchat- .... are files from Snapchat memories?
Queen-L
Hi! Does anyone know if files that have the path data/media/0/Snapchat/Snapchat- .... are files from Snapchat memories?
Could be, but all files saved from Snapchat to the device are there, so it will likely contain non-memory files as well (edited)
Hey, does somebody know if Xiaomi/Redmi phones log the time and date when an app has been uninstalled?
Anyone from @Oxygen Forensics for a question ? (edited)
GregL
Anyone from @Oxygen Forensics for a question ? (edited)
Oxygen Forensics 9/22/2023 6:00 AM
Hello, sure thing 🙂
Can anyone point me in the right direction? Trying to determine how an iOS device was unlocked. Was it face, PIN, fingerprint? Would this be in the KnowledgeC.db?
Ghosted
Can anyone point me in the right direction? Trying to determine how an iOS device was unlocked. Was it face, PIN, fingerprint? Would this be in the KnowledgeC.db?
Although this does not help your case, here is more direction:
The KnowledgeC.db database on iOS devices is a repository of a wide variety of usage data. It can provide valuable insight into device usage patterns and user interactions, including when the device screen was unlocked (magnetforensics.com). However, it does not directly record the method used to unlock the device.
In the KnowledgeC.db database, there's a ZOBJECT table that provides information about whether or not the screen of the device was unlocked and potentially being used during a specific time (magnetforensics.com). This can be useful in investigations to determine if a device was in use at the time of an incident.
The KnowledgeC.db also records different types of notifications, such as Receive, Clear, Dismiss, IndirectClear, and DefaultAction (theforensicscooter.com). These notifications can help infer user interaction with the device. For example, a Receive notification type is when a notification is received and displayed on the device. Depending on user interaction and device status the notification could be viewed from the springboard, the Lock Screen and/or the Notification Center (theforensicscooter.com).
However, these methods can only provide indirect evidence. There is currently no known method to directly determine the specific unlock method (face, PIN, or fingerprint) used at a specific time on an iOS device due to Apple's strong privacy and security measures.
Sources:
https://theforensicscooter.com/2021/10/03/ios-knowledgec-db-notifications/
https://www.magnetforensics.com/blog/analysis-of-graykey-images-with-axiom-new-knowledgec-database-artifact-additions/ (edited)
SirBeringer 9/23/2023 2:35 PM
Hi, I am new to mobile forensics and I have a question regarding the Photos app. Let's say I tag a person in a picture; that info gets written to the ZPERSON table within the photos.sqlite DB. But how is this info mapped to the ZASSET table? I searched several blogs but couldn't find an answer. So if anyone could point me in the right direction, that would be great :)
In Apple's iOS, the Photos.sqlite database contains two relevant tables, ZPERSON and ZASSET. The ZPERSON table contains information about the people tagged in photos. The ZASSET table holds information about the photos themselves. The relationship between the ZPERSON and ZASSET tables is established through the ZDETECTEDFACE table. Here is how this works:
When a person is tagged in a photo, a record is created in the ZPERSON table with a unique identifier (Z_PK). In the ZDETECTEDFACE table, there is a ZPERSON field that links to the Z_PK field of the ZPERSON table. This table also contains a ZASSET field, which links to the Z_PK field of the ZASSET table. This effectively creates a many-to-many relationship between people and photos, where each photo can contain multiple people, and each person can appear in multiple photos.
To find all photos where a specific person appears, you would first find the Z_PK of that person in the ZPERSON table, then look up all records in the ZDETECTEDFACE table where ZPERSON matches that value. The ZASSET values in those records would then indicate the photos (in the ZASSET table) where that person appears.
Sources: https://theforensicscooter.com/2022/02/21/photos-sqlite-update/ (edited)
3:48 PM
-- Assets (photos) linked to a tagged person via ZDETECTEDFACE
SELECT A.*
FROM ZASSET A
JOIN ZDETECTEDFACE F ON A.Z_PK = F.ZASSET
JOIN ZPERSON P ON F.ZPERSON = P.Z_PK
-- placeholder display name; a literal apostrophe inside a SQL string must be doubled
WHERE P.ZDISPLAYNAME = 'Person''s Name';
SirBeringer
Hi, I am new to mobile forensics and I have a question regarding the Photos app. Let's say I tag a person in a picture; that info gets written to the ZPERSON table within the photos.sqlite DB. But how is this info mapped to the ZASSET table? I searched several blogs but couldn't find an answer. So if anyone could point me in the right direction, that would be great :)
ScottKjr3347 9/23/2023 3:50 PM
LEFT JOIN ZDETECTEDFACE ON ZASSET.Z_PK = ZDETECTEDFACE.ZASSET
LEFT JOIN ZPERSON ON ZPERSON.Z_PK = ZDETECTEDFACE.ZPERSON
LEFT JOIN ZDETECTEDFACEPRINT ON ZDETECTEDFACEPRINT.ZFACE = ZDETECTEDFACE.Z_PK
LEFT JOIN ZFACECROP ON ZPERSON.Z_PK = ZFACECROP.ZPERSON
As @Rock3t pointed out there are more join statements to connect to ZASSET and ZADDITIONALASSETATTRIBUTES, but those are the join statements I use for parsing the facecrop and names that have been entered. If you are using my queries use the iOS**_LPL_Phsql_Large.txt https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries/blob/main/iOS16/iOS16_LPL_Phsql_Large.txt Additional research found at http://www.mac4n6.com/blog/2020/7/19/follow-on-to-dfir-summit-talk-lucky-ios-13-time-to-press-your-bets-via-bizzybarney (edited)
ScottKjr3347
LEFT JOIN ZDETECTEDFACE ON ZASSET.Z_PK = ZDETECTEDFACE.ZASSET
LEFT JOIN ZPERSON ON ZPERSON.Z_PK = ZDETECTEDFACE.ZPERSON
LEFT JOIN ZDETECTEDFACEPRINT ON ZDETECTEDFACEPRINT.ZFACE = ZDETECTEDFACE.Z_PK
LEFT JOIN ZFACECROP ON ZPERSON.Z_PK = ZFACECROP.ZPERSON
As @Rock3t pointed out there are more join statements to connect to ZASSET and ZADDITIONALASSETATTRIBUTES, but those are the join statements I use for parsing the facecrop and names that have been entered. If you are using my queries use the iOS**_LPL_Phsql_Large.txt https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries/blob/main/iOS16/iOS16_LPL_Phsql_Large.txt Additional research found at http://www.mac4n6.com/blog/2020/7/19/follow-on-to-dfir-summit-talk-lucky-ios-13-time-to-press-your-bets-via-bizzybarney (edited)
I'm putting that down in my own resources
Hans Leißner 9/23/2023 10:54 PM
@stark4n6 hello Kevin. Is it possible to PM you? I have an unusual request 😅
SirBeringer 9/23/2023 11:58 PM
Guys - thank you so much.
@Oxygen Forensics Can you provide me info on potential updates to parsing latest version of Wire app?
Hans Leißner
@stark4n6 hello Kevin. Is it possible to PM you? I have an unusual request 😅
@Hans Leißner sure
Anyone ever get an iPhone image that just refuses to decode in Cellebrite? Tried decoding the Cellebrite image, also took an iCloud backup. Just hangs on running the iPhone Backup Parser for 2 days until Cellebrite crashes with "Sentinel Key Not Found" even though the dongle is connected. Cellebrite support said they haven't seen this before. Data is on SSD storage, 256GB of RAM. It must be some file(s) collected from the iPhone device and the iCloud backup that is causing Cellebrite to hang. Not sure how I'd be able to debug this without sending the data directly to Cellebrite. I appreciate any advice you can provide. (edited)
NOSUSHI4U
Anyone ever get an iPhone image that just refuses to decode in Cellebrite? Tried decoding the Cellebrite image, also took an iCloud backup. Just hangs on running the iPhone Backup Parser for 2 days until Cellebrite crashes with "Sentinel Key Not Found" even though the dongle is connected. Cellebrite support said they haven't seen this before. Data is on SSD storage, 256GB of RAM. It must be some file(s) collected from the iPhone device and the iCloud backup that is causing Cellebrite to hang. Not sure how I'd be able to debug this without sending the data directly to Cellebrite. I appreciate any advice you can provide. (edited)
Do you have any idea if the device was on a beta version of iOS?
Rock3t
Do you have any idea if the device was on a beta version of iOS?
I'm not sure I can most likely find out.
Also you may be able to double check if they use checkm8 or any variants like checkra1n etc. I do believe they do
I have a feeling it’s some sort of conflict in versions of iOS and supported exploits, or exploit that Cellebrite is using.
Disregard. It ended up Decoding after 24 hours!
NOSUSHI4U
Disregard. It ended up Decoding after 24 hours!
Can you confirm iOS extraction size? 2 days seems too much yes
Does anyone know what information the file 0_dumpacore_3rd_com.samsung.android.app.dialer.txt logs? I can find the suspect's phone number in the log but I don't understand what's happening.
Adam Cervellone 9/25/2023 5:19 AM
General ALEAPP/iLEAPP question - Do the HTML results pages have a preferred browser? Just now reviewing results after running it last week and noticed that my browser is struggling with it. Currently using the latest version of Microsoft Edge on Windows 11
Adam Cervellone
General ALEAPP/iLEAPP question - Do the HTML results pages have a preferred browser? Just now reviewing results after running it last week and noticed that my browser is struggling with it. Currently using the latest version of Microsoft Edge on Windows 11
@Brigs
Adam Cervellone
General ALEAPP/iLEAPP question - Do the HTML results pages have a preferred browser? Just now reviewing results after running it last week and noticed that my browser is struggling with it. Currently using the latest version of Microsoft Edge on Windows 11
If the web page is too large for the browser to handle you can start a web server in the folder the report is in with Python. It is super easy. Only a one line command. https://realpython.com/python-http-server/
Brigs
If the web page is too large for the browser to handle you can start a web server in the folder the report is in with Python. It is super easy. Only a one line command. https://realpython.com/python-http-server/
Adam Cervellone 9/25/2023 5:44 AM
Thank you! Is that http.server something I need to install into python?
Comes with it (edited)
Adam Cervellone 9/25/2023 5:56 AM
This is the error I keep getting
5:56 AM
@Brigs I’ve done it this way by starting python from within the directory I need and by starting cmd there and running python.exe (edited)
python -m http.server, not python, and then -m http.server like on your picture
Arcain
python -m http.server, not python, and then -m http.server like on your picture
Adam Cervellone 9/25/2023 6:12 AM
Okay, just ran that through CMD instead of directly in Python and it did start "Serving HTTP on :: port 8000", just waiting for it to launch some sort of browser
so you have a http server running, serving what's in your current directory on port 8000 at localhost
6:14 AM
I guess he meant that you can run this while in your ALEAPP report location, to use a web browser instead
Arcain
I guess he meant that you can run this while in your ALEAPP report location, to use a web browser instead
Adam Cervellone 9/25/2023 6:18 AM
Okay, so then do I just plug that IPv6 address into my browser and go from there?
6:19 AM
no need for ipv6 either, it just hosts it on both v4 and v6
Adam Cervellone 9/25/2023 6:20 AM
Thank you!
6:23 AM
@Arcain and @Brigs you guys helped so much! I am up and running now !
Cenizas
While processing a thumb drive, a video of interest was found in Axiom. The video preview shows more than half the video, then just red X's. When playing the video, it stops about half way through. The file does not appear to have been deleted. Anyone know why the whole video was not recovered?
It might be a carved video... Axiom should tell you the source, e.g. parsed or carved, i.e. some of the video was scraped together from the memory (outside of the active partition) and put back together by Axiom (edited)
Phineas Bunce 9/25/2023 12:47 PM
looking for a bypass on FRP for samsung phone with google account.
Phineas Bunce
looking for a bypass on FRP for samsung phone with google account.
What are you trying to accomplish ? and what device / OS is it
CLB-Paul
What are you trying to accomplish ? and what device / OS is it
Phineas Bunce 9/25/2023 1:00 PM
coolpad and samsung. did a factory reset and trying to bypass the original google account holders. cannot get OS
Phineas Bunce
coolpad and samsung. did a factory reset and trying to bypass the original google account holders. cannot get OS
Phineas Bunce 9/25/2023 1:00 PM
FRP tying it all up.
Ahh.. was thinking you were after something else. On older devices you would be able to use combo files to downgrade to pre-FRP. I'm dating myself here.. Unfortunately I don't have a solution for that
CLB-Paul
Ahh.. was thinking you were after something else. On older devices you would be able to use combo files to downgrade to pre-FRP. I'm dating myself here.. Unfortunately I don't have a solution for that
Phineas Bunce 9/25/2023 1:28 PM
thanks for responding at least
has anyone here ever worked on youtube search history ?
1:03 AM
I have an Oppo A72 phone that has the YouTube app downloaded with interesting search history, but I can't retrieve it in Physical Analyzer (edited)
emilie_
I have an Oppo A72 phone that has the YouTube app downloaded with interesting search history, but I can't retrieve it in Physical Analyzer (edited)
YouTube app searches could be mixed with Chrome browser history on some models
that's what I thought
Morning, before I dive in and start hunting, does anyone know if there is either a DB containing or DB entry of a file being airdropped, sent or received?
Chris
Morning, before I dive in and start hunting, does anyone know if there is either a DB containing or DB entry of a file being airdropped, sent or received?
Deleted User 9/26/2023 5:39 AM
AXIOM will parse the unified log for entries surrounding the use of AirDrop, which can be reviewed on computer & mobile sources.
Adam Cervellone 9/26/2023 6:08 AM
Could anyone with extensive Snapchat on android experience please send me a DM? (edited)
Hi, has anyone encountered Cellebrite showing two owners for a native message chat?
Raymond
Hi, has anyone encountered Cellebrite showing two owners for a native message chat?
Is one owner an iCloud username and the other a phone number? Are they two unique iCloud accounts, or two unique numbers?
Solec
Is one owner an iCloud username and the other a phone number? Are they two unique iCloud accounts, or two unique numbers?
completely unique, one is the actual phone owner and another is a different person.
Raymond
completely unique, one is the actual phone owner and another is a different person.
Is this a single chat thread intermixed with different reported owners, or two different accounts under chat/native messages which have their own sets of messages as the listed owner?
Solec
Is this a single chat thread intermixed with different reported owners, or two different accounts under chat/native messages which have their own sets of messages as the listed owner?
So it's several chat threads that are experiencing this, but reported owners are the same for each thread, even ones where it's more than the two participants. And we are seeing this across more than one device we've preserved. iOS 16.3.1
Raymond
So it's several chat threads that are experiencing this, but reported owners are the same for each thread, even ones where it's more than the two participants. And we are seeing this across more than one device we've preserved. iOS 16.3.1
So it shows three total participants, while two unique iCloud are both listed as owners? Which version of PA? I'd go in and check the sms.db and compare the source with what's being parsed in PA. I'm not sure of the exact table / column to check off the top of my head
Solec
So it shows three total participants, while two unique iCloud are both listed as owners? Which version of PA? I'd go in and check the sms.db and compare the source with what's being parsed in PA. I'm not sure of the exact table / column to check off the top of my head
it shows two participants as owners, but those two can be in group chats with other people and still be listed as both owners. I'll have to check what version of PA tomorrow morning. I started looking at the sms.db, but couldn't find where it's stemming from yet. we are speaking with cellebrite as well to see if there is a resolution.
Good morning. I have a bunch of images from a phone that were carved with Axiom. Is it safe to say the the "last modified date" of these images is the possible time of deletion?
stps358
Good morning. I have a bunch of images from a phone that were carved with Axiom. Is it safe to say the the "last modified date" of these images is the possible time of deletion?
Carved in Axiom does not always mean deleted, it could mean carved from a database or other container. They still might be deleted in some form or fashion, but a Moto G Power is likely to be using FBE encryption, so if that is the case the images were not carved from unallocated space.
FullTang
Carved in Axiom does not always mean deleted, it could mean carved from a database or other container. They still might be deleted in some form or fashion, but a Moto G Power is likely to be using FBE encryption, so if that is the case the images were not carved from unallocated space.
Yeah I figured that they aren't from unallocated. Would the File Offset 0 be an indicator of deletion?
stps358
Yeah I figured that they aren't from unallocated. Would the File Offset 0 be an indicator of deletion?
I think it would indicate they are carved from a database or container, because if something is deleted it tends to show the correct offset (File Offset 254836 or similar). Have you researched what the glide_cache is?
FullTang
I think it would indicate they are carved from a database or container, because if something is deleted it tends to show the correct offset (File Offset 254836 or similar). Have you researched what the glide_cache is?
I know that Glide is what is used for image loading etc. on android devices. I'm assuming that the glide_cache is just that, a cache folder.
stps358
I know that Glide is what is used for image loading etc. on android devices. I'm assuming that the glide_cache is just that, a cache folder.
Try ALEAPP, there is an image cache manager parser. Your image may be deleted and Glide may still have it in cache
👍 1
Bobby
Try ALEAPP, there is an image cache manager parser. Your image may be deleted and Glide may still have it in cache
I will give this a go thanks!
stps358
I will give this a go thanks!
Here is a video on glide and how it works on Android. https://youtu.be/Rlp-h9V6FI0?feature=shared
stps358
Good morning. I have a bunch of images from a phone that were carved with Axiom. Is it safe to say the the "last modified date" of these images is the possible time of deletion?
Does not look like deleted.
Can anyone help me understand why the title for these entries may be in chinese. It happens many times in the web search entries. This is a google takeout being parsed with @Magnet Forensics axiom (edited)
📬 1
is it possible to load a XRY extraction into PA ? Apparently it should be doable but it doesn't work on the case I'm working on
Directly, I don't think so. It was possible to export the filesystem into an archive and then load it in PA but it's quite time consuming on bigger extractions
👍🏻 1
ok, I'll look into that
Brigs
Here is a video on glide and how it works on Android. https://youtu.be/Rlp-h9V6FI0?feature=shared
Thank you so much! This was more informative than any major player webinar I have ever watched. I have always wondered how those crazy file names were created.
❤️ 1
Hi. What is the best import setting in Oxygen if I have a decrypted testpoint extraction from a Huawei that I created with Passware? I see under Import specifically only the import function for iOS devices, but no separate function for Android. @Oxygen Support APAC (edited)
oxygen 1
📬 1
Hi I'm looking to see if there is a record on the iPhone of whether a download was made or attempts to download using cellebrite Thanks
Does Signal store the duration of calls in database for android? (edited)
Outlook is not parsed by PA. Do you know where I can look to find the emails? I couldn't find anything in the database (it just looks like some repeating base64 message_id)
7:14 AM
Physical extraction, exynos live on a SM-G960F
Does anyone know if it’s possible to get data from a .xry file processed in @Magnet Forensics AXIOM?
📬 1
busted4n6
Does anyone know if it’s possible to get data from a .xry file processed in @Magnet Forensics AXIOM?
data ? like a .bin or something ?
Have a 24gb .xry file along with a small .xrycase file. I’ve just seen @Arcain answer to a similar question this morning
7:48 AM
I meant process data
yes it's possible, I was the one asking the question and I managed to export it
7:48 AM
let me find it again
Can you export a file system xry
7:49 AM
Ok
in XAMN, you have something called data source and then you can "open in hex viewer" and from then you can see your volumes on the top and right click on it and you have something called 'Export data'
Ahhh. Awesome, will give that a go
emilie_
in XAMN, you have something called data source and then you can "open in hex viewer" and from then you can see your volumes on the top and right click on it and you have something called 'Export data'
I’ve managed to export the bin but suspect it’s encrypted (kirin) so am also exporting the files. Is there a way to bring it out as a zip file to preserve meta data do@you know?
busted4n6
I’ve managed to export the bin but suspect it’s encrypted (kirin) so am also exporting the files. Is there a way to bring it out as a zip file to preserve meta data do@you know?
exporting bin from xry is useless for fbe devices, as you'll only get raw, encrypted data
1:05 PM
the way I used to do that, I was adding a filter to exclude deleted files, then used the report feature, report as file, and you can either dump the filesystem into a directory, or tell it to compress it into a .zip archive in the end
1:06 PM
not sure if that's still a thing, but back then, it was exporting files into a directory, then compressing it instead of doing this in the file, so actually just dumping the files and using 7z or zip to compress them on your own was faster
👍 1
1:07 PM
you can also export files from the file tree in xamn, but that used to cause issues with deleted files, or files that were found multiple times (like some database files that change often). XAMN often exported the wrong one, which resulted in an old, encrypted db instead of the current and decrypted one
❤️ 1
PA version 8.6.100.63 - Advanced Search not working? - at all - Anyone else striking this? @Cellebrite
📫 1
👍 1
Jeeper
PA version 8.6.100.63 - Advanced Search not working? - at all - Anyone else striking this? @Cellebrite
Hans Leißner 10/2/2023 4:41 AM
I wanted to ask the same thing right at this moment. What answer u got? cheers @Cellebrite (edited)
Has anyone pulled anything from siriremembers2.sqlite3 before? If so, do you know if "interactions" are specific to that device? Or possibly to an apple id? Seems like a good artifact but I'm not finding anything about it online.
Also @Cellebrite when are we going to see the select all / deselect all feature - There was a get around in 7 but Ultra's 'one-time decision' for an extraction rule is infuriating.
Hans Leißner
I wanted to ask the same thing right at this moment. What answer u got? cheers @Cellebrite (edited)
CLB-DannyTheModeler 10/2/2023 10:37 PM
Advanced Search has not yet been officially released in PA Ultra. We are developing it as we speak. If somebody would like to specifically test an early release version once we release PA Ultra 8.7 (coming soon) and provide feedback, please DM me.
CLB-DannyTheModeler
Advanced Search has not yet been officially released in PA Ultra. We are developing it as we speak. If somebody would like to specifically test an early release version once we release PA Ultra 8.7 (coming soon) and provide feedback, please DM me.
Hans Leißner 10/2/2023 11:22 PM
Hey Danny. Thank you for the message. I'm actually working on a murder case and needed to search in files for specific text. Is it possible to provide me with a beta (early release) of pa8?
Jeeper
Also @Cellebrite when are we going to see the select all / deselect all feature - There was a get around in 7 but Ultra's 'one-time decision' for an extraction rule is infuriating.
CLB-DannyTheModeler 10/2/2023 11:30 PM
Un/Select All has existed in PA Ultra since version 8.4 I believe. Just go to the three dots next to the device name above the analyzed data tree (similar to PA 7). See attached screenshot.
Safari - History database - the origin column: Does 0 mean local device and 1 means synced device, or is it the other way around? Also, are you able to determine which devices deleted certain web history?
I have an app called trust wallet. I have data stored in a file .realm (I hate realm). The problem is the realm file is encrypted with a 128 character hex-encoded encryption key. Where can I find this key ? I couldn't find it in the keychain.xml
my only solution could be to bruteforce 128 characters but hmmm yeah ...
1:08 AM
and I don't even know if hashcat has a realm hash mode
It's probably not a problem but can I have UFED PA 7 and Ultra installed on the same machine? I don't need them running at the same time but I'm wondering if the installation would interfere with each other.
Sockmoth
It's probably not a problem but can I have UFED PA 7 and Ultra installed on the same machine? I don't need them running at the same time but I'm wondering if the installation would interfere with each other.
it's currently my setup and I didn't notice any issues
kape 1
1:29 AM
(and you can run them at the same time)
1:29 AM
you will just have a popup when opening PA7 saying "a newer version of PA is installed on your computer" but that's pretty much the only thing I noticed (edited)
Have you ever exported the .realm database from PA and then tried to open it with realm Studio?
Crox
Have you ever exported the .realm database from PA and then tried to open it with realm Studio?
yes
Okay. I had only once the situation that a realm was displayed empty in the PA and I thought it was encrypted, but it was not after the export. Unfortunately I can't tell you how to find the key in the keychain...
the app is open source so I tried to find how they did it and they even create their own method to encrypt text in the keychain.
emilie_
I have an app called trust wallet. I have data stored in a file .realm (I hate realm). The problem is the realm file is encrypted with a 128 character hex-encoded encryption key. Where can I find this key ? I couldn't find it in the keychain.xml
what's the platform ios android?
2:16 AM
the app is coded in swift
if you have ffs check decrypted keychain
it's indeed an FFS (using elcomsoft). The keychain is already decrypted no ?
I don't know, never used it. search for com.sixdays.trust in the decrypted keychain, you will probably get the app pincode and realm db key
2:22 AM
keep in mind I've run into this almost one year before so they might have changed security, password/pin saving etc
I have something like this <item> <v_Data bin="1">XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==</v_Data> <musr bin="1"></musr> <svce></svce> <sync>X</sync> <tomb>X</tomb> <pdmn>XXX</pdmn> <sha1 bin="1">XXXXXXXXXXXX=</sha1> <persistref bin="1">XXXXXXXXXXXXXXw==</persistref> <acct>trustwalletsharedRealmKey</acct> <SecAccessControl bin="1">XXXXXXXXXXXXX</SecAccessControl> <agrp>9873B38DWV.com.sixdays.trust</agrp> <UUID>XXXXX-8666-XXXXXX-B842-6EBF5C013C3E</UUID> <TamperCheck>XXXXXX-F5E3-49C0-B504-62D14592FA72</TamperCheck> </item>
2:42 AM
@s.m. does that look like yours ?
2:43 AM
(tried my best to anonymise it)
2:43 AM
v_data >> base64 >> your hex key
2:44 AM
nice
i suggest using mac os with realm studio
2:45 AM
I couldn't even open unencrypted dbs on windows
can I DM you ?
👍 1
iPhone 7 running iPhone 14.4.1 AFU (old extraction) - Where can I find Phone Activation timestamp?
Rob
iPhone 7 running iPhone 14.4.1 AFU (old extraction) - Where can I find Phone Activation timestamp?
Hans Leißner 10/3/2023 6:07 AM
👍 1
Quick question and wondering if anyone knows the answer to this one. I’m looking at the AUTOFILL WEB DATA database associated with the Samsung Browser on Android device. The database contains a table called “CREDIT_CARD_INFO” which contains separate records for each credit card stored. For each of the records, the credit card number is stored as an encrypted value. Does anyone know how this value is encrypted? Means to decrypt it? Cellebrite PA and other tools are able to decrypt the value and represent it, just wondering by what means.
Crabbicus82 10/3/2023 12:35 PM
Does anyone know of a .plist within an iPhone that would contain when and what number call forwarding set to?
Hello Discord friends. So I came across a Signal app and some messages that I am trying to verify. I have an iPhone 8 + and acquired a FFS. PA parsed it and was able to decrypt the messages, which then became the source for the artifacts. However, Axiom was not able to parse the newer messages (only Signal messages about 2 years old). From my readings, I believe Axiom and PA should use the keychain file and automatically use the Signal password to decrypt the messages. I tried to manually parse the keychain in Axiom, then enter the keys under the 'options' tab for parsing the Signal app ... no dice. I am weak when it comes to SQL databases but tried to open the encrypted database with DB Browser Cipher, then added the keys from the above Axiom parsing of the keychain... again no dice. Any ideas? I searched for Signal in the forum and get lots of hits in the CTF portion. Perhaps this is easier than i think? (edited)
📬 1
I used Elcomsoft Phone Breaker to download iCloud sync data, I have not been able to get Cellebrite to parse the Messages. Does anyone have a solution ?
1:30 PM
I opened it the same way as iTunes backup
Crabbicus82 10/3/2023 2:05 PM
@Jay528 - You can use the Elcomsoft Phone Viewer application to parse out the messages into a CSV for viewing.
I have that option but I wanted to be consistent in having a Cellebrite report
Crabbicus82 10/3/2023 3:56 PM
Gotcha.
rfar
Hello Discord friends. So I came across a Signal app and some messages that I am trying to verify. I have an iPhone 8 + and acquired a FFS. PA parsed it and was able to decrypt the messages, which then became the source for the artifacts. However, Axiom was not able to parse the newer messages (only Signal messages about 2 years old). From my readings, I believe Axiom and PA should use the keychain file and automatically use the Signal password to decrypt the messages. I tried to manually parse the keychain in Axiom, then enter the keys under the 'options' tab for parsing the Signal app ... no dice. I am weak when it comes to SQL databases but tried to open the encrypted database with DB Browser Cipher, then added the keys from the above Axiom parsing of the keychain... again no dice. Any ideas? I searched for Signal in the forum and get lots of hits in the CTF portion. Perhaps this is easier than i think? (edited)
You are probably doing everything correctly and it's just that Axiom does not 100% support that version of Signal. Signal have been doing some major restructuring in the database for the past year or so, that might be a cause of the problems you're having. If the PA parsing is not enough and you need help with manually decrypting and parsing of the DB send me a DM and I might be able to help you
Hey, @Jay528. I have yet to find a way to parse elcomsoft’s sync data messages DB with cellebrite. There is an option for parsing iCloud data collected by other tools, but even that doesn’t work. I think the database structure for sync data is proprietary to Elcomsoft and Cellebrite just doesn’t support it.
6:10 AM
Has anyone ever received Apple Returns of iCloud backups that don’t contain the fileinfolist.txt and key bag files? Cellebrite and Axiom keep failing and saying they are not valid warrant returns but these are exactly as received by Apple after decryption. Should I be processing these another way?
gh0st1933
Hey, @Jay528. I have yet to find a way to parse elcomsoft’s sync data messages DB with cellebrite. There is an option for parsing iCloud data collected by other tools, but even that doesn’t work. I think the database structure for sync data is proprietary to Elcomsoft and Cellebrite just doesn’t support it.
Thank you
Hello all, I would appreciate any feedback on the below. I am putting together a case study to strengthen my business case on procuring a Faraday room for our Police service. I recently had a case where data appears to have been remotely wiped from a device (I am still doing the analysis myself to confirm forensically). The device in question is an iPhone 11 (iOS 14.8.1) Question 1: I will be doing some testing when I am able to grab a test device, but does anyone know if the same artifacts (found in com.apple.purplebuddylist plist, containermanagerd.log.0 etc.) are created when a device is wiped remotely using iCloud vs. when a user manually goes into the Settings and selects “Erase all content and settings”? So far the above files do not show evidence that a wipe occurred. Question 2: Is there any iOS artifact that records Control Center being disabled by the user? I believe this was the case as I was unable to access it to place the device in Airplane mode and manually disable Bluetooth. The SIM card was removed and the device placed in a Faraday bag. The device was however removed from the Faraday bag when I was contacted to help put the device in Airplane mode. Thanks.
Regarding question 1 I do not believe any artifacts differ from a remote wipe vs manual as the artifacts we normally look at regarding a wipe are created upon the reboot process. The timestamps though might give you a timeline as to when and therefore how a phone was wiped: i.e. if timestamps you view from the .obliterate, purplebuddy, and containermanagerd log, etc. all show timestamps of while the phone was in police custody, then you can infer the phone was probably remotely wiped as the user didn't have physical access to their phone at that time. With regards to question 2: was the phone locked when you attempted to place it into airplane mode? There is a setting within the Face ID and passcode settings that lets the user toggle off being able to access the control center when the phone is locked. However I'd have to go dive into a test phone to find those settings to find the specific plist that would show it but there should be. (edited)
👍 1
Firebase Cloud Messaging and Level DB in Android using ALEAPP https://youtu.be/DJ_BJ-NOi1o (edited)
🔥 4
theridlr
Hello all, I would appreciate any feedback on the below. I am putting together a case study to strengthen my business case on procuring a Faraday room for our Police service. I recently had a case where data appears to have been remotely wiped from a device (I am still doing the analysis myself to confirm forensically). The device in question is an iPhone 11 (iOS 14.8.1) Question 1: I will be doing some testing when I am able to grab a test device, but does anyone know if the same artifacts (found in com.apple.purplebuddylist plist, containermanagerd.log.0 etc.) are created when a device is wiped remotely using iCloud vs. when a user manually goes into the Settings and selects “Erase all content and settings”? So far the above files do not show evidence that a wipe occurred. Question 2: Is there any iOS artifact that records Control Center being disabled by the user? I believe this was the case as I was unable to access it to place the device in Airplane mode and manually disable Bluetooth. The SIM card was removed and the device placed in a Faraday bag. The device was however removed from the Faraday bag when I was contacted to help put the device in Airplane mode. Thanks.
The creation timestamp of native databases (sms, calls, etc.) are also a good indication of if/when a wipe has occurred. If this hasn't changed in the last few iOS updates you cannot remote wipe a device through bluetooth. Was there an e-SIM in the phone? That might have connected it since you cannot physically remove it (edited)
🔥 2
Anyone from @Cellebrite free for a quick question?
Where shall I look for artifacts to find out if Signal has been installed and removed on an iPhone 12? Any hints? AFU extraction (edited)
Is there a way to check on an iPhone the status of the icloud sync backup status ? For icloud backup, you can go under the Device Backup. Just didn’t find an option for iCloud sync data
Tilt
Where shall I look for artifacts to find out if Signal has been installed and removed on an iPhone 12? Any hints? AFU extraction (edited)
iOS Logs, Events, And Plist Parser. Contribute to abrignoni/iLEAPP development by creating an account on GitHub.
Short Version In this post I look at the applicationState.db SQLite database in detail and ask for help on testing/validating some of t...
rfar
Hello Discord friends. So I came across a Signal app and some messages that I am trying to verify. I have an iPhone 8 + and acquired a FFS. PA parsed it and was able to decrypt the messages, which then became the source for the artifacts. However, Axiom was not able to parse the newer messages (only Signal messages about 2 years old). From my readings, I believe Axiom and PA should use the keychain file and automatically use the Signal password to decrypt the messages. I tried to manually parse the keychain in Axiom, then enter the keys under the 'options' tab for parsing the Signal app ... no dice. I am weak when it comes to SQL databases but tried to open the encrypted database with DB Browser Cipher, then added the keys from the above Axiom parsing of the keychain... again no dice. Any ideas? I searched for Signal in the forum and get lots of hits in the CTF portion. Perhaps this is easier than i think? (edited)
citizencain 10/5/2023 1:19 PM
It would also depend on what gave you the FFS. If it’s Premium, Axiom can’t work with their decrypted keychain, it can only handle the GrayKey format for now. (They both store their keys in various stages of unwrapping). When I last spoke to Magnet, they were hoping to provide support for the Premium keychain soon. They do have a script on GitHub to convert the Premium keychain to the GK format. Unfortunately You won’t be able to use DB Browser/SQLcipher without unwrapping the keys, which is above my pay grade 🤪 One great feature of a Cellebrite is that when they encounter an encrypted db, they throw the DECRYPTED DB right back into the file system. So you can export out both the DB and the WAL, strip the decrypted from the file name and open in your preferred program. It’s not ideal, but you can commit the WAL, then import the single db into Axiom and custom map the fields.
Does anyone know if Cellebrite will decode "Samsung Notes" from a FFS extraction? I don't see it on the supported list but I think I've seen it decoded before. I'm testing now on my Galaxy S23 but figured I would inquire too. (edited)
citizencain
It would also depend on what gave you the FFS. If it’s Premium, Axiom can’t work with their decrypted keychain, it can only handle the GrayKey format for now. (They both store their keys in various stages of unwrapping). When I last spoke to Magnet, they were hoping to provide support for the Premium keychain soon. They do have a script on GitHub to convert the Premium keychain to the GK format. Unfortunately You won’t be able to use DB Browser/SQLcipher without unwrapping the keys, which is above my pay grade 🤪 One great feature of a Cellebrite is that when they encounter an encrypted db, they throw the DECRYPTED DB right back into the file system. So you can export out both the DB and the WAL, strip the decrypted from the file name and open in your preferred program. It’s not ideal, but you can commit the WAL, then import the single db into Axiom and custom map the fields.
Sorry for the delayed response. I have a FFS from a GK acquisition. From what I understand, both Axiom and Cellebrite would have automatically used the keychain to decrypt the database. I will try to locate the decrypted database that Cellebrite created. thank you
👍🏼 1
NOSUSHI4U
Does anyone know if Cellebrite will decode "Samsung Notes" from a FFS extraction? I don't see it on the supported list but I think I've seen it decoded before. I'm testing now on my Galaxy S23 but figured I would inquire too. (edited)
Samsung Notes is parsed by Physical Analyzer. However, even if you find them parsed in Analyzed Data, go and double check them manually in the database. It happened to me to find 11 notes in the database and only 9 of them were parsed. Don't know what was "wrong" with the other 2.
hi, but when will the new version of physical analyzer be released?
11:10 PM
@Cellebrite
manuelevlr
hi, but when will the new version of physical analyzer be released?
Should be fairly soon
Cip
Samsung Notes is parsed by Physical Analyzer. However, even if you find them parsed in Analyzed Data, go and double check them manually in the database. It happened to me to find 11 notes in the database and only 9 of them were parsed. Don't know what was "wrong" with the other 2.
Do you mind submitting the details to our support team to follow up with. It shouldn’t behave like that.
It was a few versions ago and I don't remember the details. I tried looking into the reports and the leftovers that I have, but couldn't find anything relevant. I don't even remember in which case I had this issue. I wouldn't know what to write to the support team. Sorry.
Hans Leißner 10/6/2023 3:21 AM
@Oxygen Forensics Hello! Anyone available for a question regarding Apple Health decoding? thanks 🙂
Hans Leißner
@Oxygen Forensics Hello! Anyone available for a question regarding Apple Health decoding? thanks 🙂
Oxygen Forensics 10/6/2023 3:22 AM
Hello, sure, please DM me 🙂
👍🏻 1
CLB-Paul
Should be fairly soon
hopefully next week?
Cip
Samsung Notes is parsed by Physical Analyzer. However, even if you find them parsed in Analyzed Data, go and double check them manually in the database. It happened to me to find 11 notes in the database and only 9 of them were parsed. Don't know what was "wrong" with the other 2.
Thanks for letting me know. Much appreciated 👍
CLB-Paul
Do you mind submitting the details to our support team to follow up with. It shouldn’t behave like that.
Just tested Samsung notes on my s23. I made a very long notes (few pages long) it's not parsing the whole note and it's cut off on my FFS extraction. I'll submit a support ticket.
Hans Leißner 10/9/2023 2:19 AM
@Cellebrite Good day! Does someone have time to explain something to me regarding a FFS with PaaS?
📬 1
Hans Leißner 10/9/2023 2:43 AM
Hello dear community, does anyone know how the Apple heart rates are handled within the database (healthdb_secure)? Because in a current case I have the problem that when I look at the heart rate data on the smartphone, it shows me for example the following: 03.10.2023, 21.59 - pulse 200 In the database, this data is apparently logged piece by piece and then aggregated. I hope I am reasonably correct in assuming that the data_type is actually the heart rate. Or am I on the so-called "wrong track" xD ? The following screen is from ArtEx
I have two questions about iOS devices. 1️⃣ Is it possible to recover old artifacts from a wiped iOS device? 2️⃣ Where shall I look to see if there have been multiple Apple IDs used on the device?
Tilt
I have two questions about iOS devices. 1️⃣ Is it possible to recover old artifacts from a wiped iOS device? 2️⃣ Where shall I look to see if there have been multiple Apple IDs used on the device?
Hans Leißner 10/9/2023 2:58 AM
As far as I know, and as tests have also shown: Wiped devices do not contain data of the previous user. but to be 100% sure - test it :b To the second question: I am not sure but, try the following files: Accounts3.sqlite AccountInformation.plist com.apple.accounts.exists.plist (edited)
👍 1
Hans Leißner
As far as I know, and as tests have also shown: Wiped devices do not contain data of the previous user. but to be 100% sure - test it :b To the second question: I am not sure but, try the following files: Accounts3.sqlite AccountInformation.plist com.apple.accounts.exists.plist (edited)
Thanks for the help HaLei! Salute
🫡 1
I got an extraction of an iPhone Xs Max. I have not done the extraction myself and I think it's a Logical Full read with XRY. Wickr me is installed on the phone but not parsed. I'm afraid that this limited extraction choice hasn't included the data base. I'm not familiar with Wickr Me. What databases should I look for? I guess there have to be encryption keys somewhere too? Can anyone point me in the right direction please? (edited)
wadde
I got an extraction of an iPhone Xs Max. I have not done the extraction myself and I think it's a Logical Full read with XRY. Wickr me is installed on the phone but not parsed. I'm afraid that this limited extraction choice hasn't included the data base. I'm not familiar with Wickr Me. What databases should I look for? I guess there have to be encryption keys somewhere too? Can anyone point me in the right direction please? (edited)
Hans Leißner 10/9/2023 4:36 AM
Replying to Hans Leißner:
> Hello dear community, does anyone know how the Apple heart rates are handled within the database (healthdb_secure)? Because in a current case I have the problem that when I look at the heart rate data on the smartphone, it shows me, for example, the following: 03.10.2023, 21:59 - pulse 200. In the database, this data is apparently logged piece by piece and then aggregated. I hope I am reasonably correct in assuming that the data_type is actually the heart rate. Or am I on the so-called "wrong track" xD? The following screen is from ArtEx
Datatype value 5 is (indeed) heart rate. 3 is weight, 7 steps, 8 distance, 9 resting energy, 10 active energy, 12 flights climbed, 76 activity, 79 workout. (edited)
Replying to wadde:
> I got an extraction of an iPhone Xs Max. […] What databases should I look for? […]
The database name is WickrLocal.sqlite; it is usually not included in a logical extraction. You also need keys from the keychain (only AFU/FFS) to decrypt fields in the database
Replying to houndineu:
> Regarding question 1, I do not believe any artifacts differ from a remote wipe vs. a manual one, as the artifacts we normally look at regarding a wipe are created upon the reboot process. The timestamps, though, might give you a timeline as to when and therefore how a phone was wiped: i.e., if the timestamps you view from the .obliterate, purplebuddy and containermanagerd log, etc. all show times while the phone was in police custody, then you can infer the phone was probably remotely wiped, as the user didn't have physical access to their phone at that time. With regards to question 2: was the phone locked when you attempted to place it into airplane mode? There is a setting within the Face ID and passcode settings that lets the user toggle off being able to access the control center when the phone is locked. However, I'd have to go dive into a test phone to find those settings and the specific plist that would show it, but there should be one. (edited)
Thank you for this insight @houndineu. I'll continue to dig further and validate those timestamps from a timeline perspective. I don't recall any that screamed out at me. No .obliterate file was observed on this device. I am aware of that "Face ID and passcode settings" toggle. If I come across any such plist file I will update you here. Thanks again!
Replying to Oscar:
> The creation timestamps of native databases (sms, calls, etc.) are also a good indication of if/when a wipe has occurred. If this hasn't changed in the last few iOS updates, you cannot remote wipe a device through Bluetooth. Was there an eSIM in the phone? That might have connected it, since you cannot physically remove it (edited)
Thanks for your response Oscar! I did in fact review the native databases. It was the modified/accessed timestamps that looked suspicious. The creation timestamps were dated and were nowhere near this year. I will double check whether an eSIM was ever active on the device. I had not checked that angle. Thank you @Oscar
Replying to Oscar:
> The database name is WickrLocal.sqlite; it is usually not included in a logical extraction. […]
Ok, thanks. I searched for Wickr but could not find any database. I thought so too; too bad it's not extracted properly
Folks, I've found deleted artefacts in Core2.db on an Android phone. Is there any way to confirm the date of deletion (other than the modified date) and the method of deletion (system or manual)? Bad guy has taken burst photos of IIOC; is there any way to get them back using DB analysis??
Replying to nodster:
> Folks, I've found deleted artefacts in Core2.db on an Android phone. […]
According to CB the timestamp in core2.db is unreliable.
Hans Leißner 10/10/2023 4:11 AM
@Cellebrite anyone available for a quick question regarding Apple Health (Heart rate value / units) ? Thanks PA 7.62.2.9 (edited)
Is anyone using the latest version of Physical Analyzer?
Where to look to see when an iPhone has been wiped or reset. -> https://cellebrite.com/en/upgrade-from-null-detecting-ios-wipe-artifacts/ (I'm posting this because I lost the link and forgot the name of the .obliterated file)
Has anyone who has used the latest version of Physical Analyzer found that, after generating the UFED Reader package, trying to open it in the track window produces the error “extraction was in incorrect format. Some won't be shown”?
7:40 AM
However, the UFDR Reader opens correctly.
Edit: figured them out, but for the first two, what differs? First one: anything covering the face? Second one: a face mask covering the face? Hi folks! I'm in research mood/mode and could use some help to understand these zvaluestrings from zstreamname /discoverability/signals in KnowledgeC: com.apple.faceid.any-face-covering.detected com.apple.faceid.face.covering.detected (edited)
Can @Belkasoft, in the demo version, decrypt Telegram X data from an Android (FFS)? I am running tests (not with real case data) and I keep getting an error saying that Telegram X could not be parsed, but I want to know if it's my demo version or the app itself.
Replying to trillian:
> Can @Belkasoft in the demo version decrypt Telegram X data from an Android (FFS)? […]
Yuri Gubanov (Belkasoft) 10/11/2023 2:44 AM
Yes — if it does not, we would need extended logs to our support email, please
Replying to Yuri Gubanov (Belkasoft):
> Yes — if it does not, we would need extended logs to our support email, please
Will do! Thank you for the quick response
Anyone from @MSAB available?
Does anyone have a good parser for Discord Downloaded Packages? 🙂
Replying to Oscar:
> The database name is WickrLocal.sqlite; it is usually not included in a logical extraction. […]
Hi Oscar, can I get your permission to put this info on a public app search app I just released? (https://4n6appfinder.habben.net) (edited)
4n6 App Finder is a service to the digital forensics community to let examiners identify which forensic tools will parse artifacts from an app of concern
Can anyone think of a reason why a photograph (screenshot) would be imported into photos.sqlite from Springboard?
Replying to Habben:
> Hi Oscar, can I get your permission to put this info on a public app search app I just released? […]
Sure
Replying to theridlr:
> Thank you for this insight @houndineu. […] If I come across any such plist file I will update you here. […]
@houndineu, based on my own research and testing, the primary plist file that records relevant data (including timestamps) around whether accessing Control Center from the lock screen has been enabled/disabled is MCSettingsEvents.plist (iPhone 11, iOS 14.8.1) [/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationsprofiles/Library/ConfigurationProfiles/MCSettingsEvents.plist]. There are other plist files that I found too, including EffectiveUserSettings.plist and a few others, which contain associated data related to the same activity. I was able to pull the same files through some sysdiagnose logs from a test device (iPhone 11, iOS 16.6.1) and found the timestamp where I toggled the setting from the "Face ID and Passcode Settings". I will do a write-up soon and share my findings formally. On another note, the timestamps tied to the artifacts we referenced earlier weren't helpful, unfortunately. Thanks again for your help.
Replying to theridlr:
> Thanks for your response Oscar! […] I will double check whether an eSIM was ever active on the device. […]
No evidence that an eSIM was present. The creation times on the native databases, unfortunately, were not helpful. Thanks again for your insight.
Nice work! Glad you were able to find the setting for it.
Is anyone encountering errors in cellebrite reader ?
Hello everyone, I extracted a Samsung Galaxy S20. In the dwbCommon.db (Samsung Digital Wellbeing events) I have a lot of Instagram usage artifacts. I'm trying to understand when the following artifacts are generated: com.instagram.rtc.service.OngoingCallServiceWithMic and com.instagram.rtc.activity.RtcCallActivity
Replying to Bruno R:
> Hello everyone, I extracted a Samsung Galaxy S20. In the dwbCommon.db (Samsung Digital Wellbeing events) I have a lot of Instagram usage artifacts. […]
@CLB_joshhickman1 might have an idea. I did some research on an Oppo, but didn't see any of these artifacts.
@Cellebrite Is someone able to tell me where the categorisation of apps in Cellebrite comes from? Is there a database it is comparing against, or is there an element of "judgment" by PA?
Replying to Alexsaurus:
> @Cellebrite Is someone able to tell me where the categorisation of apps in Cellebrite comes from? […]
The database?
As in does PA have a list of apps and what category they belong to and that is where the detail comes from?
Bill (VeriFi) 10/12/2023 3:26 PM
ANDROID QUESTION
3:29 PM
[images attached; not included in this export] (edited)
First image is in order of date. At item 897 it goes to 1177. Then at item 1176 it goes back to 899
3:33 PM
Second image is in order by item#. Date goes from 6/8/2021 to 3/20/2021
3:35 PM
In the first image, item# 1170 shows a date error, saying the last event date is more than the current date
3:36 PM
I do not see evidence of factory reset, but the restore logs show a restore from backup on 3/21/2021
3:37 PM
Digital Wellbeing and usagestats only show data from 3/20/2021 and 3/21/2021 (edited)
3:42 PM
However, the phone has a lot of user activity (calls, messages) past 3/20/2021 all the way to 5/2022. But that activity is not in DWB or usagestats
@Cellebrite Hi, I have an FFS extraction of an Android phone (DODGEE N40Pro). PA doesn't seem to decrypt the Signal DB (version 6.35). Do you know if a next release will decrypt and parse this version? (edited)
Replying to Dam:
> @Cellebrite Hi, I have an FFS extraction of an Android phone (DODGEE N40Pro). PA doesn't seem to decrypt the Signal DB (version 6.35). […]
Is the decryption key available in the keystore file (secrets.json)?
Replying to Oscar:
> Is the decryption key available in the keystore file (secrets.json)?
It was a live FFS
5:53 AM
I don't have the secrets.json but I should find the key somewhere
Replying to Dam:
> @Cellebrite Hi, I have an FFS extraction of an Android phone (DODGEE N40Pro). PA doesn't seem to decrypt the Signal DB (version 6.35). […]
CLB_4n6s_mc 10/13/2023 6:09 AM
Good afternoon. Signal 6.35 will be supported ASAP. Which version of PA do you have?
Replying to florus:
> @CLB_joshhickman1 might have an idea. I did some research on an Oppo, but didn't see any of these artifacts.
CLB_joshhickman1 10/13/2023 6:12 AM
On the surface, that looks to be related to in-app calling. How does the call log look on the phone?
7.63.0.126
Replying to Dam:
> It was a live FFS
CLB_joshhickman1 10/13/2023 6:12 AM
What tool was used to do the extraction? If it was UFED, what version?
Replying to CLB_joshhickman1:
> What tool was used to do the extraction? If it was UFED, what version?
UFED 4PC 7.66.1.150
Are there any scripts or applications decrypting Session Messaging? My Google-Fu shows it is, or was, based upon the Signal Messaging application. (edited)
Replying to sholmes:
> Are there any scripts or applications decrypting Session Messaging? […]
You need the keystore to decrypt Session (like Signal)
Thanks I figured you might, since it was based upon Signal. I was looking to see if anyone had any tools which are doing the decryption. I opened the app, and there isn't anything in the app, but I wasn't sure if the db would have any deleted data. I have a FFS.
PA and Oxygen are doing great with Session (Axiom probably too)
Hi forensic community -- Question about Cellebrite Reader and malware. Specifically, if a UFDR file contains a file with malware, is there a chance that Cellebrite Reader can 'activate' that malware on the machine while loading the report? I'm thinking stuff like malicious scripting in an email, word doc, or pdf file.
I have a phone examined in 2021 with Snapchat messages going back to 2017. Looking for help identifying the reason why these messages are present when others are not. I know that messages can be saved but looking for more definite answer in the form of a plist etc
Replying to Matt:
> I have a phone examined in 2021 with Snapchat messages going back to 2017. […]
Source? Is it a backup or from the main Snapchat? Could be certain chats were never deleted but others deleted after 24h etc.
Replying to Rob:
> Source? Is it a backup or from the main Snapchat? […]
Sort of a silly question, I guess. I just checked the arroyo and found that is_saved is set to 1 for all of those chats.
4:33 PM
For some reason I thought there was an old 2021 option to never delete and that’s what I was seeing. I would not have guessed he was saving chats from 2017 but I am pleased he did
Replying to Matt:
> For some reason I thought there was an old 2021 option to never delete and that's what I was seeing. […]
Sounds funky!
Replying to Alexsaurus:
> @Cellebrite Is someone able to tell me where the categorisation of apps in Cellebrite comes from? […]
CLB-DannyTheModeler 10/15/2023 1:45 AM
There is a large database that we utilize for determining the app category. If there are any specific issues you are seeing, send me a DM; happy to get any feedback.
Replying to Carl:
> Hi forensic community -- Question about Cellebrite Reader and malware. Specifically, if a UFDR file contains a file with malware, is there a chance that Cellebrite Reader can 'activate' that malware on the machine while loading the report? […]
Fundamentally a UFDR file is a zip file which contains the data the analyst put in it. When I've looked before, it's a mixture of files straight off of the device and proprietary Cellebrite files. So the UFDR file could definitely contain nasties. Some forensic software (AXIOM and FTK Imager are examples I've seen) tends to place the file into temp files or memory when you open it. I've seen examples where this has upset my antivirus software. However, simply loading data or making a temp copy doesn't cause the code to execute unless there is an exploit in one of the libraries Cellebrite Reader uses to show that file, or the user exports the file and runs it. You can guard against the latter by preventing export from being enabled (I think it's an option when creating a report), but the former is trickier. Cellebrite's software has contained vulnerable libraries in the past, which they remediate pretty quickly. You may wish to consider sandboxing Cellebrite Reader or using some of the Windows Enterprise features to prevent unknown code from executing on review devices. Also, you could consider an EDR tool.
Replying to CLB-DannyTheModeler:
> There is a large database that we utilize for determining the app category. […]
I thought as much. No issues, though I am currently working on how to identify malware and am wondering if I can ignore anything Cellebrite categorizes, treating it as benign, or if it is possible for a malicious app to imitate another app and so get categorized.
Replying to Alexsaurus:
> I thought as much. No issues, though I am currently working on how to identify malware […]
CLB-DannyTheModeler 10/16/2023 12:04 AM
This database is not something that we created, but an openly available one. While you can't exclude all categorized apps, the fact that an app is registered to an app store, especially the Apple store, increases the chances that it has been assessed and reviewed, so lowering the risk of malware. I will say, however, that software can have unplanned vulnerabilities that may make it susceptible to attacks which are not coming from the software creator, but rather from malicious parties (hackers).
@Cellebrite When performing app-selective processing in PA, Signal does not appear as an app. This makes selective processing of only Signal impossible through that workflow. This makes it so that Signal is not processed when doing app-selective to exclude some other app. Tried on PA 7.64. Anyone aware of a way to bypass this problem? I have a case where I need to exclude Telegram with 1.5 million messages to not crash PA
Hey, I have a victim's device and the suspect used the victim's device as a personal hotspot for internet. I have an FFS extraction and also the sysdiagnose file but cannot find this information in it. Do you know if we can find the MAC address or serial number of the suspect's phone in the sysdiagnose? (edited)
Hello guys! Does anyone know where it is possible to find the alarm artifacts on a Redmi Note 12, Android 13? This is the native application. Thank you.
Replying to Dam:
> Hey, I have a victim's device and the suspect used the victim's device as a personal hotspot for internet. […] Do you know if we can find the MAC address or serial number of the suspect's phone in the sysdiagnose? […]
Hans Leißner 10/16/2023 4:29 AM
I assume you want to analyze the logs on a Mac?
Replying to Hans Leißner:
> I assume you want to analyze the logs on a Mac?
Hey, no, it's on iOS.
Hans Leißner 10/16/2023 4:32 AM
That is what I have read out. Do you have access to the Cellebrite Customer Portal? Analyzing the logs on macOS is easier and more complete. Perhaps I should mention that I don't mean analyzing the logs of a Mac, but the logs of the iOS device WITH a Mac. (edited)
Replying to Hans Leißner:
> That is what I have read out. Do you have access to the Cellebrite Customer Portal? Analyzing the logs on macOS is easier and more complete. […]
My bad. I can try with a Mac, but I used different scripts I found for sysdiagnose and don't find any information regarding the connected phone
Replying to Dam:
> Hey, I have a victim's device and the suspect used the victim's device as a personal hotspot for internet. […]
With FFS and/or the sysdiagnose logs you have unified logs. I would use the FFS. The unified logs generally store for about 30-40 days. If this connection happened within this time frame you should have something in the UL to help.
numbersevenfan 10/16/2023 3:13 PM
Any idea why (seemingly), all the logs on this Android device I'm looking at are using timestamps like this: "01-01 12:01:24:396"? Namely, timestamps without... a year? Is this some kind of implied thing where it means 2023 and it will get rewritten in 2024 or something? lol (edited)
Replying to Dam:
> Hey, I have a victim's device and the suspect used the victim's device as a personal hotspot for internet. […]
There are multiple resources for analyzing UL. If you have a macOS device and the folder structure (contained in the FFS), you can build a logarchive from the correct folders and use macOS to review it with Terminal or Console. Cellebrite Inspector will process UL up to iOS 16.
Replying to Dam:
> Hey, I have a victim's device and the suspect used the victim's device as a personal hotspot for internet. […]
[Link preview] Reviewing macOS Unified Logs. We cover an overview of macOS Unified Logs and the challenges presented in using them during an investigation.
[Link preview] I've decided to spend some time revisiting analysis of Unified Logs as a blog series during this quarantine. It is the perfect topic to make bite sized and I can make it as long or as short as Coronavirus deems it so. I'm planning on doing smaller blogs at least a couple times a week on a variety of
Replying to vipnola:
> There are multiple resources for analyzing UL. If you have a macOS device and the folder structure (contained in the FFS), you can build a logarchive from the correct folders […]
Great! Thank you for the info. I'll check that
thaconnecter 10/17/2023 6:43 AM
Can I find the lock pattern in a file of an Android 5.1 phone?
6:43 AM
A physical extraction was done
Depends; look for a .key file in system on userdata
thaconnecter 10/17/2023 6:52 AM
I'll look into it, thanks
forensicgeek 10/17/2023 8:05 AM
Hi all. I have a GK extraction of an iPhone and within the file system are some images within the notes that are .png-encrypted. Is there any way of decrypting these files? They are not available within the notes on the phone itself and I believe they may contain CSAM, which will be vital for the case. Any help will be greatly appreciated. Thanks in advance.
Hello, I have an FFS extraction from an iPhone 13 and I could see Twitter files. But no accounts were parsed in PA. I was able to find the username in group.com.atebits.tweetie2.plist. Does anyone know if posts made by the user are stored on the device or only remotely?
You can decrypt notes on an iPhone; is that what is going on? https://hashcat.net/forum/thread-8945.html @forensicgeek (edited)
Replying to forensicgeek:
> Hi all. I have a GK extraction of an iPhone and within the file system are some images within the notes that are .png-encrypted. Is there any way of decrypting these files? […]
Hans Leißner 10/17/2023 11:59 AM
Any chance to use @Belkasoft? Are there any traces of that in the keychain? Maybe you can import the encryption key from the keychain manually (when it's not done by default).
digitalsleuth 10/17/2023 4:13 PM
Anyone here happen to have a sample extraction of WhatsApp from an Android phone? I'm looking to get an example of the format of the "key" file for a .crypt14 encrypted installation.
Replying to digitalsleuth:
> Anyone here happen to have a sample extraction of WhatsApp from an Android phone? I'm looking to get an example of the format of the "key" file for a .crypt14 encrypted installation.
You may find what you are looking for here: https://thebinaryhick.blog/public_images/
Below are links to my public images.  If you find a link that isn’t working, please let me know! Android Android 7 (hosted by Digital Corpora) Android 8 (hosted by Digital Corpora) Andro…
I have an iOS case where I think both @Magnet Forensics and @Cellebrite tools are incorrectly decoding WhatsApp information. The scenario is a ‘hand me down’ phone where two users have used the phone. Both tools appear to make assumptions when identifying the local user and the directionality of messages. I’ve written it up… what are people’s thoughts…
Replying to busted4n6:
> I have an iOS case where I think both @Magnet Forensics and @Cellebrite tools are incorrectly decoding WhatsApp information. […]
chriscone_ar 10/18/2023 6:07 AM
Nice write-up and interesting case. I pinged @cScottVance on this and he's already forwarded the information to the Artifact team for them to have a look.
Replying to Oscar:
> @Cellebrite When performing app-selective processing in PA, Signal does not appear as an app. […] I have a case where I need to exclude Telegram with 1.5 million messages to not crash PA
I think you can make a new Cellebrite case, add a blank project, select the chain type to decode your phone image, then select only the chain/plug-in for your app of interest. Then add your evidence to the project. If you can export the Signal database folder from an open image already, you should be able to make a blank project with just the Signal parser, for instance, too. Or you can do some joins on the Signal database tables with SQLite; it isn't too hard to figure out. You can't really exclude an app when opening an image the normal way, but you can make a blank case and select only the chains you want to run, starting with the phone type and image type, then your app of interest.
Replying to busted4n6:
> I have an iOS case where I think both @Magnet Forensics and @Cellebrite tools are incorrectly decoding WhatsApp information. […]
CLB-DannyTheModeler 10/18/2023 6:47 AM
Please try PA 7.64; it should resolve the issue.
Replying to CLB-DannyTheModeler:
> Please try PA 7.64; it should resolve the issue.
We'll give it a go
Replying to chriscone_ar:
> Nice write-up and interesting case. I pinged @cScottVance on this […]
Thanks Chris. We can't see a way to find a contemporaneous record of who the local user was (or at least what their phone number was) at the time a WhatsApp message was sent.
Hidden files. I was reading a previous thread and noted that it appears in iOS that the files aren't moved to another folder, but simply tagged as Hidden, and in this way it knows not to reveal them to a user without a passcode [link they provided: https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/ ]. But what about Android? Samsung, Google, all of them? Is anyone aware of a cheat sheet for hidden files? Or where Samsung keeps their locked folder, which is basically like a virtual Android session and can even have apps in it? Does Android store these things in a separate folder, or, like iOS, simply tag them as hidden? Thanks!
Hello again! There has been a lot of discussion and curiosity about the recent news that iOS 16 will have an enhanced Hidden assets feature. According to the press releases, this feature will allow…
Does anyone know off hand where the disappearing message durations are stored in iOS for WhatsApp? Both the default and the contact specific settings? I’ve manually parsed the databases and scrutinized the plists including the ones stored as blobs but I must just be totally missing it.
citizencain 10/18/2023 7:58 PM
Can anyone recommend an easy way to export large quantities of data from a Realm DB other than the massive, awkward JSON conversion? No tools are parsing the newest version of Grindr. Up until the last release or so, both @Cellebrite and @Oxygen Forensics would convert the Realm to a SQLite DB. You could actually throw in any Realm and it would convert it (most amazing feature ever, btw). Now both tools error out when trying to view the SQLite, prompting that it is either encrypted (it is not) or not a valid Realm (it is). But the DB opens just fine in Realm Studio v14+.
Loz📱🕵 10/19/2023 2:58 AM
Hello. Does anyone have experience interpreting Android event logs? It is to determine what the device was being used for at a specific time. I have carried out testing which hasn't given me definitive answers. (Using AXIOM and ALEAPP)
Anyone come across yesichat and know anything about how it's stored etc? (Android)
P4perTrails 10/19/2023 5:58 AM
@Cellebrite Help needed with Android Usagestats data. Following the CASA manual (2019), it shows that the file should open and have a Text File View tab. Such a tab does not exist in PA v7.64.038. Is this by design? If so, how can we open this file? Tried Notepad++ and DB Browser without success. Thank you.
@Cellebrite I've sent a disk with some Cellebrite Reader reports to a local police office. They are trying on a clean Windows 10 with an i7 12th gen and 32 GB RAM, running the Reader, but loading stops at 14% and then this appears. They have installed .NET Framework 4.8 and 3.5. Any hint? I also tried sending them the new 7.64 Reader version and it is the same.
Good morning, I’ve been comparing Call Detail Records (CDR) obtained from the mobile carrier to call log records extracted from the associated device. I’ve come across several call records that have been deleted (gaps in the _id values assigned to records in the calls table of calllog.db), but I’ve also come across several records in the calls table where the associated timestamp and call duration match an entry in the Call Detail Records, but the calling/called phone number and name associated to the records are blank. I believe these to be the matching records in comparison to the CDR as the timestamp and call duration match, but they aren’t parsed by Cellebrite PA or other tools as the called/calling party details are missing. Does anyone know why a record exists with these values blank, but timestamp and call duration are still populated? I’ve done some call testing and call log entry deletion but have been unable to replicate this behaviour. I’ve circled the missing field values in the below image. The black is simply redaction of user data that can not be shared. The device involved is a Samsung Galaxy A03 running Android OS 12. Thanks in advance for any assistance. Mike
Avatar
Avatar
Mike_H
Good morning, I’ve been comparing Call Detail Records (CDR) obtained from the mobile carrier to call log records extracted from the associated device. I’ve come across several call records that have been deleted (gaps in the _id values assigned to records in the calls table of calllog.db), but I’ve also come across several records in the calls table where the associated timestamp and call duration match an entry in the Call Detail Records, but the calling/called phone number and name associated with the records are blank. I believe these to be the matching records in comparison to the CDR, as the timestamp and call duration match, but they aren’t parsed by Cellebrite PA or other tools as the called/calling party details are missing. Does anyone know why a record exists with these values blank, but timestamp and call duration are still populated? I’ve done some call testing and call log entry deletion but have been unable to replicate this behaviour. I’ve circled the missing field values in the below image. The black is simply redaction of user data that cannot be shared. The device involved is a Samsung Galaxy A03 running Android OS 12. Thanks in advance for any assistance. Mike
Are all such values incoming? Could it be an incoming call from a hidden number?
👍 1
Avatar
Avatar
Mike_H
Good morning, I’ve been comparing Call Detail Records (CDR) obtained from the mobile carrier to call log records extracted from the associated device. I’ve come across several call records that have been deleted (gaps in the _id values assigned to records in the calls table of calllog.db), but I’ve also come across several records in the calls table where the associated timestamp and call duration match an entry in the Call Detail Records, but the calling/called phone number and name associated with the records are blank. I believe these to be the matching records in comparison to the CDR, as the timestamp and call duration match, but they aren’t parsed by Cellebrite PA or other tools as the called/calling party details are missing. Does anyone know why a record exists with these values blank, but timestamp and call duration are still populated? I’ve done some call testing and call log entry deletion but have been unable to replicate this behaviour. I’ve circled the missing field values in the below image. The black is simply redaction of user data that cannot be shared. The device involved is a Samsung Galaxy A03 running Android OS 12. Thanks in advance for any assistance. Mike
Just off the top of my head, what sunile says also came to mind. Wonder if it's a known contact and you subsequently delete that contact, whether the record of the number persists or goes away with that contact (i.e., if it was a link). It's been a while since I messed with the database; curious what this ends up being. Great question.
Avatar
Avatar
Grok
Just off the top of my head, what sunile says also came to mind. Wonder if it's a known contact and you subsequently delete that contact, whether the record of the number persists or goes away with that contact (i.e., if it was a link). It's been a while since I messed with the database; curious what this ends up being. Great question.
In the call tests that I did, I tested what results when you delete the associated contact entry for a series of call log entries. The result is that the call log entries appear in the database with only the phone number associated; the name value is stripped from the record.
👍 1
Avatar
Avatar
sunile
Are all such values incoming? Could it be an incoming call from a hidden number?
Thanks. Good point on the hidden/private number. I'll dig in and see if that's the case with the data I have. (edited)
Avatar
Avatar
sunile
Are all such values incoming? Could it be an incoming call from a hidden number?
Yup. You were right and I can see that Cellebrite PA is parsing them as a private call. Not sure why I didn't notice this before, but they are there. Thanks for your help.
👍 2
Avatar
Avatar
Mike_H
Yup. You were right and I can see that Cellebrite PA is parsing them as a private call. Not sure why I didn't notice this before, but they are there. Thanks for your help.
Thanks for giving the update.
Avatar
Avatar
citizencain
Can anyone recommend an easy way to export large quantities of data from a Realm DB other than the massive awkward JSON conversion? No tools are parsing the newest version of Grindr. Up until the last release or so, both @Cellebrite and @Oxygen Forensics would convert the Realm to a SQLite DB. You could actually throw in any Realm and it would convert it (most amazing feature ever, btw). Now both tools error out when trying to view the SQLite, prompting that it is either encrypted (it is not) or not a valid Realm (it is). But the DB opens just fine in Realm Studio v14+.
Stormphoenix 10/19/2023 1:33 PM
I've had success in the past dumping to CSV via the Realm libraries in Xcode (for iOS anyway).
👍🏼 1
Avatar
Avatar
bypx
@Cellebrite I've sent a disk with some Cellebrite Reader reports to a local police office. They are trying on a clean Windows 10 with an i7 12th gen and 32 GB RAM running the Reader, but loading stops at 14% and then this appears. They have installed .NET Framework 4.8 and 3.5. Any hint? I also tried sending them the new 7.64 Reader version and it is the same.
Problem solved. Long story short: Cellebrite sent me an older version of Reader (7.60). You need to run it once and then you're good with new versions.
Avatar
digitalsleuth 10/20/2023 4:28 AM
Did they happen to say "why" though?
4:28 AM
Just curious
4:29 AM
I tried last night running 7.64 and 7.63 from scratch in a brand new Windows VM and they worked fine. Didn't need 7.60
Avatar
Hi all, is anyone aware of any Sigma or YARA rules specific to iOS? Or any sort of malware analysis that can be done against the iTunes backup? This user claims they have some sort of malware or remote surveillance software installed on their phone. The phone is NOT jailbroken...sooo...I have doubts. This is an iPhone 11 with iOS version 16.6.1 installed. (edited)
Avatar
I hope this is the right forum. Is there an area (DB locations) in Cellebrite, via search, to find an Android phone IMEI that is not showing up in any results nor on the preliminary report pages? It looks like the phone is not active on a carrier, but the IMEI should still exist, right? Even if the subject is using the phone for Wi-Fi only?
🍖 1
Avatar
dfir_rook [CA] 10/20/2023 5:21 PM
Hi all, we have a GK FFS of an iPhone 13 max pro, iOS 16.5.1. When we analyze the extraction with Axiom and PA, neither seems to decode Gmail and Outlook data. Anywhere special we should look (DB etc.), or is the only option we have left to manually look at the phone? Investigators looked in the phone when they seized it and there should be some email in both apps. Thanks for your help.
🍖 1
Avatar
Anyone ran across the "TeleGuard" application by Hulbee Swisscows (hxxps://teleguard.com/en)?
Avatar
Avatar
bypx
@Cellebrite I've sent a disk with some Cellebrite Reader reports to a local police office. They are trying on a clean Windows 10 with an i7 12th gen and 32 GB RAM running the Reader, but loading stops at 14% and then this appears. They have installed .NET Framework 4.8 and 3.5. Any hint? I also tried sending them the new 7.64 Reader version and it is the same.
CLB_4n6s_mc 10/23/2023 5:17 AM
Please open a ticket with support; it will be the easiest way to solve it. (edited)
Avatar
Anyone from @MSAB free for a message regarding XAMN?
📬 1
Avatar
I have an Android app which uses Flutter. The developers have used an important key and generated it as a Dart file. The app is open-source, but of course they have not included the Dart file with the key in the repository. The key must be somewhere in the distributed APK file from the Play Store. I know that Flutter apps are troublesome to decompile because they serialize everything and it changes every so often. Does anyone have a trick to get access to the Dart file, or make it readable? It is just one key I am interested in. I can use Frida and such, but the calls to intercept are made within the Flutter engine and AFAIK I cannot intercept them with Frida. (edited)
Avatar
Avatar
Chris Myers
Hi all, I’m looking at a GK full filesystem from an iPhone and reviewing iMessages. I’m trying to definitively say if the iMessage in question was sent by the device, or sent from, for example, a MacBook logged in with the same Apple ID. Any ideas? Also, in the back and forth of the message, it shows the messages from the device being sent by the phone number and iCloud email address. When the other person in the conversation replies, it shows the reply message being sent to the device phone number and the iCloud email address. I’m guessing this is simply due to syncing with the cloud/Apple ID? (edited)
Hi, I'm looking into the same issue. Did you find an answer/any resources?
Avatar
Hi, in @Cellebrite PA (8.6.100.63): is it possible to re-run the initial processing without having to delete/recreate the case? Also, is it possible to add multiple devices per case, given that there's a "Devices (1)" dropdown arrow in the Case Detail tab? I can't seem to figure this out. The latter would be very beneficial for investigating cross-linked devices, given that a real-world "case" (more often than not?) will involve several devices. (edited)
Avatar
Hi, does anyone have any insight into the Sysdump utility on a Samsung mobile device? I am looking for resources to parse the logcat logs or to parse a CP RAM capture.
Avatar
I did a quick search but didn't find anything: anyone know why there isn't a "Folder View" for the analyzed media items in @Cellebrite Physical Analyzer 8 Ultra, or where it's been moved to? I can't find it anywhere and I just can't believe they'd remove such a valuable way to go through media items. It's still shown in the user manual as being there, also. TIA! (edited)
Avatar
Avatar
Xenotype
Hi, in @Cellebrite PA (8.6.100.63): is it possible to re-run the initial processing without having to delete/recreate the case? Also, is it possible to add multiple devices per case, given that there's a "Devices (1)" dropdown arrow in the Case Detail tab? I can't seem to figure this out. The latter would be very beneficial for investigating cross-linked devices, given that a real-world "case" (more often than not?) will involve several devices. (edited)
CLB_joshhickman1 10/24/2023 2:19 PM
Is there something specific you are wanting to decode? There are options, post-processing, to run location carving and media classification, but otherwise you would need to re-process. Also, no for multi-device per case...for now. (edited)
Avatar
Avatar
criley4640
I did a quick search but didn't find anything: anyone know why there isn't a "Folder View" for the analyzed media items in @Cellebrite Physical Analyzer 8 Ultra, or where it's been moved to? I can't find it anywhere and I just can't believe they'd remove such a valuable way to go through media items. It's still shown in the user manual as being there, also. TIA! (edited)
CLB_joshhickman1 10/24/2023 2:20 PM
Folder View is currently in the pipeline. No ETA.
Avatar
Avatar
CLB_joshhickman1
Folder View is currently in the pipeline. No ETA.
Not sure about others, but that is crucial to my workflow when eliminating media files that aren't part of a known file hash set. I hope it gets bumped up. PAU is essentially unusable for me as it stands now.
Avatar
Avatar
CLB_joshhickman1
Is there something specific you are wanting to decode? There are options, post-processing, to run location carving and media classification, but otherwise you would need to re-process. Also, no for multi-device per case...for now. (edited)
Thanks for the reply! There was a problem with the app detection/decoding process (UFED Advanced Logical) for one of the devices, but I managed by recreating the case. I think they both would be nice features for future versions, in terms of usability. A bit like how Autopsy does it (no comparison otherwise; Autopsy isn't remotely similarly capable. Just the workflow 🙂).
Avatar
Hans Leißner 10/25/2023 12:02 AM
@Cellebrite Good morning! Any chance to get support regarding a test license? CLB Inspector for macOS
Avatar
Avatar
Hans Leißner
@Cellebrite Good morning! Any chance to get support regarding a test license? CLB Inspector for macOS
Please contact your sales representative for that
Salute 1
Avatar
Original message was deleted or could not be loaded.
Hi, could you open a ticket with support, as we cannot handle it on Discord. Thank you.
Avatar
Avatar
CLB_4n6s_mc
Hi, could you open a ticket with support, as we cannot handle it on Discord. Thank you.
chrisforensic 10/25/2023 12:04 AM
ok, thanks
Avatar
Avatar
CLB_4n6s_mc
Please contact your sales representative for that
Inspector trial licence is available via the customer portal for a 30-day trial.
Avatar
Avatar
CLB-AndyM
Inspector trial licence is available via the customer portal for a 30-day trial.
Hans Leißner 10/25/2023 12:09 AM
Hello Andy. I already downloaded the install file on my macOS. But it doesn't prompt me to choose between Dongle/Software to generate the c2v file. I'm stuck at this point. Do I need to make changes anywhere? Or is there a different way of generating a c2v on macOS? (edited)
Avatar
Avatar
Hans Leißner
Hello Andy. I already downloaded the install file on my macOS. But it doesn't prompt me to choose between Dongle/Software to generate the c2v file. I'm stuck at this point. Do I need to make changes anywhere? Or is there a different way of generating a c2v on macOS? (edited)
Will dm
Salute 1
Avatar
I'm trying to export just the group participants from a WhatsApp thread in an iOS extraction made with XRY. Looking at the data in XAMN PRO 7.7. Does anyone know how to get the list of names/WhatsApp IDs out without all the chat context? @MSAB
Avatar
Avatar
BETBAMS
I'm trying to export just the group participants from a WhatsApp thread in an iOS extraction made with XRY. Looking at the data in XAMN PRO 7.7. Does anyone know how to get the list of names/WhatsApp IDs out without all the chat context? @MSAB
What does it look like if you filter on contacts (or possibly even 'Social groups') and WhatsApp, and export this? (edited)
Avatar
Avatar
MSAB_Sofia
What does it look like if you filter on contacts (or possibly even 'Social groups') and WhatsApp, and export this? (edited)
Thank you, this worked when exporting to PDF!
👍 2
Avatar
Hi all, I am working on a case where the user believes their iPhone 11 with iOS 16.6.1 has been compromised with malware somehow. Typically I do IP theft cases that often include mobile devices...but this one is a one-off referral I took on. Friend of a friend's personal phone that I am not charging much to look into. Backstory...the user's statements: the user claims the home screen glitches often and settings they believe they have made are then changed to something different. The glitching, per the user, is the home screen being cut in half with an installed application. As well, the user states that all their bank accounts have been compromised and shut down. I explained to the end user that these Apple devices have all sorts of security mechanisms and I am not aware of any sort of widespread vulnerability, outside of a jailbroken device or state-sponsored access. Neither of which has happened. Anyway, I am, of course, knowledgeable on the iPhone file structure, files, investigating email, messenger and other items in general related to IP theft. I am familiar with the iOS sandbox feature and its purpose to always containerize applications run. I did receive the phone and credentials for iCloud. I took an encrypted backup of the device using CopyTrans as well as a normal iTunes backup. I grabbed the iCloud data as well. Investigating, the device does have ~200 3rd party apps, mainly kid anime games and such. As well, they have very simple passwords and mostly repeats of the same passwords across the games and their bank logins. I did not observe the glitching; I only had the phone long enough to grab the data mentioned above and then sent the phone back to the user. I can neither confirm nor deny settings changing. What I believe has more likely happened is: 1) one or more of the gaming apps have bugs that could glitch; 2) password(s) likely compromised through repeated use. Any thoughts on this scenario much appreciated. (edited)
Avatar
Hans Leißner 10/25/2023 2:25 PM
5-6 years ago there was a paid service (if I remember correctly it was called ispy). Once purchased and set up with the iCloud credentials, the suspect was able to read everything, see everything. Did you watch out for devices that registered with the same iCloud? Is it possible for you to do an Apple law enforcement request regarding that data?
Avatar
citizencain 10/25/2023 2:46 PM
Like you mentioned, apps have to be signed by Apple, so a rogue app usually stands out. However, I would look at all the app icons and make sure they launch actual apps and are not placeholders that redirect the user to a website that simply appears to be an app (hiding in plain sight, if you will). The iCloud return will also contain all the apps ever purchased from the App Store, so you can cross-reference those with what you see on the device to rule out unwarranted apps. Maybe make sure they don’t have reachability turned on 😂 or other assisted touch. Accidentally turning it on can drive you crazy if you don’t know you’ve done it (so I’ve heard 🤪)
Avatar
Avatar
citizencain
Like you mentioned, apps have to be signed by Apple, so a rogue app usually stands out. However, I would look at all the app icons and make sure they launch actual apps and are not placeholders that redirect the user to a website that simply appears to be an app (hiding in plain sight, if you will). The iCloud return will also contain all the apps ever purchased from the App Store, so you can cross-reference those with what you see on the device to rule out unwarranted apps. Maybe make sure they don’t have reachability turned on 😂 or other assisted touch. Accidentally turning it on can drive you crazy if you don’t know you’ve done it (so I’ve heard 🤪)
Thanks so much for the suggestions
👍🏼 1
Avatar
Avatar
Hans Leißner
5-6 years ago there was a paid service (if I remember correctly it was called ispy). Once purchased and set up with the iCloud credentials, the suspect was able to read everything, see everything. Did you watch out for devices that registered with the same iCloud? Is it possible for you to do an Apple law enforcement request regarding that data?
Thanks so much for the recommendations...I will look into ispy...hopefully something like that would only work on a jailbroken iPhone 🤔
Avatar
Avatar
CyberTend
Thanks so much for the recommendations...I will look into ispy...hopefully something like that would only work on a jailbroken iPhone 🤔
Hans Leißner 10/25/2023 11:19 PM
🤷🏻‍♂️😅
Avatar
Hi. I have a case with an iPhone 14 (iOS 16.1.2) and I am currently looking at cache_encryptedb.db, which is located under the /private/var/root/Library/Caches/locationd/ directory. I already found that the geolocation data are not to be trusted, but I've found some interesting columns in the GaitMetricsHistory table. The columns are userWeight and userHeight. Has any of you ever validated those findings and got to know how Apple gets them?
🥸 1
Avatar
Avatar
4n6equals10
Hi. I have a case with an iPhone 14 (iOS 16.1.2) and I am currently looking at cache_encryptedb.db, which is located under the /private/var/root/Library/Caches/locationd/ directory. I already found that the geolocation data are not to be trusted, but I've found some interesting columns in the GaitMetricsHistory table. The columns are userWeight and userHeight. Has any of you ever validated those findings and got to know how Apple gets them?
Hans Leißner 10/25/2023 11:29 PM
@CLB_iwhiffin 😇
Avatar
@Cellebrite Is a minor release scheduled to solve the physical analyzer reader problem? With the latest version, an error appears in the reader.
Avatar
Avatar
manuelevlr
@Cellebrite Is a minor release scheduled to solve the physical analyzer reader problem? With the latest version, an error appears in the reader.
CLB_4n6s_mc 10/26/2023 3:56 AM
Which version of PA?
Avatar
Avatar
CLB_4n6s_mc
Which version of PA?
Yes, the last one. It is not possible to wait another month for the release of the new version which would correct the error. So Physical Analyzer is unusable.
Avatar
Avatar
Hans Leißner
🤷🏻‍♂️😅
Wow, this seems like it could be used for much more nefarious purposes...thanks so much, I am going to search for that installed application. 🧐
Avatar
Avatar
manuelevlr
@Cellebrite Is a minor release scheduled to solve the physical analyzer reader problem? With the latest version, an error appears in the reader.
CLB-DannyTheModeler 10/26/2023 6:33 AM
For everyone concerned with this issue, here is an update from R&D: there is nothing missing in the report; as I suspected, the error is a false positive. This has been fixed and will be available in the next release, but you don't need to wait for it or worry about it.
👍 1
Avatar
I have videos found at the file path private/var/mobile/containers/data/pluginkitplugin/<uuid>/tmp, where the UUID resolves to Signal, specifically "org.whispersystems.signal.shareextension". Obviously I know these videos have been sent or received via Signal, but is there any more information to be gleaned about this location? I can't find anything useful about the pluginkitplugin folder in relation to Signal. Any help would be much appreciated.
Avatar
Avatar
chms17
I have videos found at the file path private/var/mobile/containers/data/pluginkitplugin/<uuid>/tmp, where the UUID resolves to Signal, specifically "org.whispersystems.signal.shareextension". Obviously I know these videos have been sent or received via Signal, but is there any more information to be gleaned about this location? I can't find anything useful about the pluginkitplugin folder in relation to Signal. Any help would be much appreciated.
forensicmike @Magnet 10/26/2023 8:11 AM
Signal Share Extension, or SAE, appears to be a standalone xcodeproj that can be found in the Signal iOS GitHub repo; here is the Info.plist: https://github.com/signalapp/Signal-iOS/blob/784e77cea546e4751f6f3c88d9c6c283308c21cf/SignalShareExtension/Info.plist If you notice, on line 45 begins the 'NSExtension' section, and shortly after it mentions INSendMessageIntent. My speculation (not confirmed at all) is that this provides integration with iOS native features, specifically the attached screenshot, which you get to when you tap 'Signal' from the list of apps in the built-in iOS share interface from virtually any source. https://github.com/signalapp/Signal-iOS/pull/2851 is one of the earliest pull requests I found related to the SignalShareExtension code, from 2017, and you can see from the PR description it states "Shows a searchable conversation picker (via the existing SendExternalFileViewController)", which seems to corroborate this a bit. As for why a video would show up there, I think it's possible Signal requires a specific format for media being sent. If you try to share a video that is in the wrong format (which, let's face it, with Apple is likely) you'll get the little "Preparing" screen / progress bar that can take a long time if the video is long. I am guessing this might be when that file gets created. I also think, given the generic location you found the video in, that this is probably true for other apps with custom share UX like this. (edited)
Avatar
Avatar
forensicmike @Magnet
Signal Share Extension, or SAE, appears to be a standalone xcodeproj that can be found in the Signal iOS GitHub repo; here is the Info.plist: https://github.com/signalapp/Signal-iOS/blob/784e77cea546e4751f6f3c88d9c6c283308c21cf/SignalShareExtension/Info.plist If you notice, on line 45 begins the 'NSExtension' section, and shortly after it mentions INSendMessageIntent. My speculation (not confirmed at all) is that this provides integration with iOS native features, specifically the attached screenshot, which you get to when you tap 'Signal' from the list of apps in the built-in iOS share interface from virtually any source. https://github.com/signalapp/Signal-iOS/pull/2851 is one of the earliest pull requests I found related to the SignalShareExtension code, from 2017, and you can see from the PR description it states "Shows a searchable conversation picker (via the existing SendExternalFileViewController)", which seems to corroborate this a bit. As for why a video would show up there, I think it's possible Signal requires a specific format for media being sent. If you try to share a video that is in the wrong format (which, let's face it, with Apple is likely) you'll get the little "Preparing" screen / progress bar that can take a long time if the video is long. I am guessing this might be when that file gets created. I also think, given the generic location you found the video in, that this is probably true for other apps with custom share UX like this. (edited)
Thank you so much! Super helpful!
👍 1
Avatar
Any way to find out when photos in the samsung gallery have been 'hearted' / favourited? And what's the best way to find out the date when the user has setup the Samsung secure folder?
Avatar
Hi. Is there any way to decrypt these files with oxygen? The extraction is a FFS (checkm8) of an iPhone 8 made with UFED. @Oxygen Forensics (edited)
📬 1
oxygen 1
Avatar
Mistercatapulte 10/27/2023 12:43 AM
@Flaviusold backup with different key i suppose?
Avatar
has anyone ever used this https://github.com/mac4n6/APOLLO ? (edited)
3:34 AM
I have no idea how to use it, i tried to follow the usage but it doesn't work
3:38 AM
nevermind found it
Avatar
In the latest version of Physical Analyzer (7.64) I am finding that in several WhatsApp messages the owner of the phone is identified as “unknown”
4:07 AM
But in the participants the phone number and name appear correctly
Avatar
Axen Cleaver 10/27/2023 2:26 PM
@Cellebrite Hello! Another weird question. We did an extraction of an old Pantech phone running Android 2.3.5 using Touch2. Loaded it in PA and found most of the files were dated in 2014, but a few files were dated the day of the extraction, including IndexerVolumeGuid in System Volume Information. Why is this? Not imperative, but it is a curiosity.
Avatar
Hello, I'm currently faced with a situation where I need to extract emails from an extraction. While I can easily view the email content within PA and the UFDR report in a readable format, I encounter an issue with PDF and HTML files where the email content is presented as XML code, rendering it unreadable. Is there a method available to convert this source text into a readable format? It's worth noting that the email body contains certain Unicode characters for regional language text (Malayalam, a language used in Kerala, India). I have used some online EML to HTML converters but the Unicode characters don't work well.
🍖 1
Avatar
Avatar
hfactor
Hello, I'm currently faced with a situation where I need to extract emails from an extraction. While I can easily view the email content within PA and the UFDR report in a readable format, I encounter an issue with PDF and HTML files where the email content is presented as XML code, rendering it unreadable. Is there a method available to convert this source text into a readable format? It's worth noting that the email body contains certain Unicode characters for regional language text (Malayalam, a language used in Kerala, India). I have used some online EML to HTML converters but the Unicode characters don't work well.
CLB-DannyTheModeler 10/29/2023 2:00 AM
Hari, what version of PA are you using?
Avatar
@CLB-DannyTheModeler Hi, PA 7.63, if I remember correctly.
Avatar
Has the Signal backup parsing error been fixed in UFED PA 7.64?
Avatar
Hello, any tool to brute force the pattern lock on a Samsung A33? How many tries are possible before data wipe? Thanks.
Avatar
Avatar
hfactor
Hello, I'm currently faced with a situation where I need to extract emails from an extraction. While I can easily view the email content within PA and the UFDR report in a readable format, I encounter an issue with PDF and HTML files where the email content is presented as XML code, rendering it unreadable. Is there a method available to convert this source text into a readable format? It's worth noting that the email body contains certain Unicode characters for regional language text (Malayalam, a language used in Kerala, India). I have used some online EML to HTML converters but the Unicode characters don't work well.
Have you tried using grep with a regex for emails? Like, for instance, grep -r -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /path/to/files > /path/to/outputfile. Or if you're not comfortable with terminal commands, you could import into Autopsy and use its built-in keyword filter. A small number of small text files should process fast, even though generally for larger projects it could take days (sigh). (edited)
3:59 AM
------- On another note: does anyone know if the timestamps in iOS sms.db are time received or time sent? Like if a phone has been turned off or in Airplane Mode and then the former is turned on again some time later and receives a bulk of messages: will the timestamps reflect the time the messages were sent to the device? (edited)
Avatar
Avatar
Xenotype
------- On another note: does anyone know if the timestamps in iOS sms.db are time received or time sent? Like if a phone has been turned off or in Airplane Mode and then the former is turned on again some time later and receives a bulk of messages: will the timestamps reflect the time the messages were sent to the device? (edited)
I found this post from Magnet really helpful, but with encrypted backup only, many of the data sources are unfortunately not available: https://www.forensicfocus.com/webinars/cracking-the-code-of-ios-messages-a-guide-to-storage-and-analysis-techniques-for-forensic-examiners/
In this Mobile Unpacked with Chris Vance webinar, Chris will focus on the Messages app on iOS and its storage components.
💯 1
Avatar
I have come across the LockMyPix application on an Android device. I believe there are hundreds of files of CSAM within the application. All have the .6zu extension. I saw there was some discussion about this application in the past. Does anyone have any information that could help me decrypt these files?
Avatar
Avatar
EricL400
I have come across the LockMyPix application on an Android device. I believe there are hundreds of files of CSAM within the application. All have the .6zu extension. I saw there was some discussion about this application in the past. Does anyone have any information that could help me decrypt these files?
@bang
👍 1
Avatar
Does anyone know if there is a way to find out how an iOS device was unlocked, either Face ID or PIN?
🍖 1
Avatar
Avatar
EricL400
I have come across the LockMyPix application on an Android device. I believe there are hundreds of files of CSAM within the application. All have the .6zu extension. I saw there was some discussion about this application in the past. Does anyone have any information that could help me decrypt these files?
I'll DM you 🙂
❤️ 1
Avatar
Avatar
Nick_26
Does anyone know if there is a way to find out how an iOS device was unlocked, either Face ID or PIN?
Maybe in knowledgeC. It records when the device is unlocked, so there might be something about face vs PIN.
Avatar
Axen Cleaver 10/31/2023 8:22 AM
@Cellebrite @SANS Forensics Institute @Magnet Forensics Pantech P9070 Burst phone running Android 2.3.5. Physical extraction using Touch2. This phone was found in possession of an individual who claimed he hadn't used it since 2014. Dates on the phone are for 2014; however, through testing we found that the phone resets to the date August 26, 2014, 1:57pm (UTC-5) every time it power cycles, and the phone was received powered off. Here's the question: is there a log within that version of Android which shows events sequentially instead of based solely on the timestamp?
I'm working with an unlocked iPhone 12 running an iOS 17 developer beta so we can't get a FFS using GK or CP. Can I get the recently deleted photos or do I need the FFS? I don't have the Apple ID password fwiw.
Alexsaurus
Maybe in knowledgeC. It records when the device is unlocked so there might be something about face vs pin.
Gone through KnowledgeC and can't find anything obvious
Happy Halloween! I have a case involving downloads from the emload.com cloud storage service to a Samsung phone. Brave Browser was used but subsequently uninstalled from the phone.  We can't seem to find any LE contact info for the company and Search.org doesn't have anything.  Anyone else out there deal with this before and have a contact?
criley4640
Happy Halloween! I have a case involving downloads from the emload.com cloud storage service to a Samsung phone. Brave Browser was used but subsequently uninstalled from the phone.  We can't seem to find any LE contact info for the company and Search.org doesn't have anything.  Anyone else out there deal with this before and have a contact?
"Emload hereby reserves the right to take further action including but not limited to cooperation with law enforcement agencies and/or government bodies to assist them in prosecuting those involved. Please direct all your child sexual abuse content and illegal content reports to dmca@emload.com"
haven't dealt with them but their tos and privacy policy seem law enforcement friendly
s.m.
haven't dealt with them but their tos and privacy policy seem law enforcement friendly
thanks. for some reason, I couldn't find that.
Just wanted to share my latest research in case anyone can benefit. It explains how you can link cached discord attachments to their threads. ILEAPP and Artex support coming soon. https://bluecrewforensics.com/2023/10/30/connecting-discord-attachments-threads-sdwebimage-library/
Introduction I recently had a case involving Discord where the case investigator had observed images within the thread on an iPhone but they were not appearing in the threads in Cellebrite Physical Analyzer. The investigator described the images to me and I was able to locate them in a folder associated with Discord so I
snoop168
Just wanted to share my latest research in case anyone can benefit. It explains how you can link cached discord attachments to their threads. ILEAPP and Artex support coming soon. https://bluecrewforensics.com/2023/10/30/connecting-discord-attachments-threads-sdwebimage-library/
this is awesome, thanks for sharing!
P4perTrails 11/1/2023 7:07 AM
@Cellebrite I have a question in regards to PA decoding deleted WhatsApp messages. It would appear the source of the data is msgstore.db-wal, and PA decoded it as being between two parties, namely the owner of the device and a second party "1008". Further research of the databases in DB Browser, FQLite as well as Xamn does not show where "1008" is coming from. Is that something that PA assigns when it cannot find the correct contact? Or is there a different explanation for this?
P4perTrails
@Cellebrite I have a question in regards to PA decoding deleted WhatsApp messages. It would appear the source of the data is msgstore.db-wal, and PA decoded it as being between two parties, namely the owner of the device and a second party "1008". Further research of the databases in DB Browser, FQLite as well as Xamn does not show where "1008" is coming from. Is that something that PA assigns when it cannot find the correct contact? Or is there a different explanation for this?
P4perTrails 11/1/2023 7:23 AM
I think i just figured it out... It's the chat_row_id number 🤦‍♂️
I've done a full file system dump of a Samsung SM-G525F and found some APKs in \prism\preload\SER\hidden_app\ Anyone know what this location is for? The APKs found at this location don't seem to be installed, but Physical Analyzer thinks so. APKs: ru.mail.mailapp com.yandex.zen ru.yandex.searchplugin I can't find any trace of them in \data\data\ (edited)
those are pre-loaded apps by Samsung, that are installed depending on the CSC
9:00 AM
if phone had CSC set to SER (Russia), then they would get installed during initial setup. Otherwise, they're not (edited)
Arcain
those are pre-loaded apps by Samsung, that are installed depending on the CSC
Sounds logical. Thanks for the answer.
equalexpert 11/1/2023 10:29 AM
Hi all. I can't test currently as I have no devices, but does anyone know if, when you start writing a note in Apple Notes, starting the note is the creation date? Or is it only when saved? Bonus question: if you switch apps to, say, Safari, will that trigger a save?
Hi. This question has probably been asked already. Android phone unlocked, full file system acquisition obtained. 4PC and P.A. both on latest versions. On the phone there is Signal installed and when I open it there are various conversations. Question: Why is Signal missing from analyzed data? What alternative method can I use (if any) to parse Signal messages? Thanks
FabianoQ
Hi. This question has probably been asked already. Android phone unlocked, full file system acquisition obtained. 4PC and P.A. both on latest versions. On the phone there is Signal installed and when I open it there are various conversations. Question: Why is Signal missing from analyzed data? What alternative method can I use (if any) to parse Signal messages? Thanks
Are you familiar with using sqlwizard? Try finding the database and manually parse it. Signal likes to change up their database constantly. Changing the name of one column can break the automated parser.
FabianoQ
Hi. This question has probably been asked already. Android phone unlocked, full file system acquisition obtained. 4PC and P.A. both on latest versions. On the phone there is Signal installed and when I open it there are various conversations. Question: Why is Signal missing from analyzed data? What alternative method can I use (if any) to parse Signal messages? Thanks
Look at the supported apps list in PA and then compare it with the installed signal app version. Perhaps PA will not support it or PA has a bug. I had a bug in the past. (edited)
In what file can you find the time settings on a Samsung device? Like if it was automatic time settings or manually set.
Is It Done Yet? 11/2/2023 3:26 AM
@Cellebrite anyone able to pm me about a question for PA Ultra?
MrMacca (Allan Mc) 11/2/2023 6:17 AM
I've been supplied a Hancom extraction of an Oukiet WP6 Android device with the format .mdf. My issue is, I need to get the extraction into Cellebrite PA, and so far I haven't had any success. Does anyone know the best way?
MrMacca (Allan Mc)
I've been supplied a Hancom extraction of an Oukiet WP6 Android device with the format .mdf. My issue is, I need to get the extraction into Cellebrite PA, and so far I haven't had any success. Does anyone know the best way?
Have you got Oxygen?
Aero
Have you got Oxygen?
MrMacca (Allan Mc) 11/2/2023 7:53 AM
Afraid not.
MrMacca (Allan Mc)
Afraid not.
Even by requesting a trial license from Oxygen?
MrMacca (Allan Mc)
Afraid not.
Oxygen Forensics 11/2/2023 8:14 AM
Hello, we indeed support *.mdf file imports. If you will need to request a trial, please email - support@oxygenforensics.com 🙂
MrMacca (Allan Mc)
Afraid not.
I would grab the trial from Oxygen - you can process the .mdf file via Oxygen - then export the FFS/Physical as a .zip/.bin and import that into UFED PA for processing. (edited)
MrMacca (Allan Mc) 11/2/2023 9:06 AM
Thanks a lot for the info. I'll send an email now.
I have a FFS of an Android device in a CSAM case. The suspect was tipped off we were coming to get him and deleted a bunch of applications. Are there any uninstall logs retained by the Android OS?
I have a full file-system extraction that I'm working with and trying to find traces of Facebook posts/comments. The device is an Android phone. I have been combing through encoded log files under the following location: /data/user/0/com.facebook.katana/app_graph_service_cache/<facebook user-id>/. I have full text associated with some posts and comments made along with author details contained in these logs that were not parsed by Cellebrite or Axiom. Anyone ever work with content in these folders? The log files contain a whack of other stuff and I'm trying to make heads or tails of it. Going to have to do some testing, but thought I'd check the group to see if anyone else has insight to share.
Does anyone know what images end up in this folder? com.samsung.android.messaging/cache/image_manager_disk_cache/
Does youtube on iOS keep a log anywhere of search terms or videos watched?
EricL400
I have a FFS of an Android device in a CSAM case. The suspect was tipped off we were coming to get him and deleted a bunch of applications. Are there any uninstall logs retained by the Android OS?
cupofteaandabiscuit 11/3/2023 7:43 AM
I don’t think android records a deletion date, only installation. It certainly never used to last time I looked into this.
Mike_H
I have a full file-system extraction that I'm working with and trying to find traces of Facebook posts/comments. The device is an Android phone. I have been combing through encoded log files under the following location: /data/user/0/com.facebook.katana/app_graph_service_cache/<facebook user-id>/. I have full text associated with some posts and comments made along with author details contained in these logs that were not parsed by Cellebrite or Axiom. Anyone ever work with content in these folders? The log files contain a whack of other stuff and I'm trying to make heads or tails of it. Going to have to do some testing, but thought I'd check the group to see if anyone else has insight to share.
try using ALEAPP and point to the ffs. There might be some extra info to help you
Is Gbwhatsapp supported by physical analyzer ?
🇾 1
🇪 1
🇸 1
manuelevlr
Is Gbwhatsapp supported by physical analyzer ?
Hans Leißner 11/3/2023 3:14 PM
Idk atm BUT.. oxygen does (when the gbwa version matches with the supported version)
jaikl
Does anyone know what images end up in this folder? com.samsung.android.messaging/cache/image_manager_disk_cache/
NineofSeven3 11/6/2023 5:57 AM
Any thoughts on this would be helpful! I have an AirDrop and I was able to get the phone number from the AirDrop. I then got the device associated with that phone number. I have an AirDrop sent to "recipient device name" from interactionC and that matches my receiving device, and the time matches the creation of the file on the receiving device. The only issue I can't figure out is that the Sender ID on the received AirDrop does not match the AirDrop ID from the sender's phone.
Looking for information on Safari's AutoFillQuirks.plist. I wasn't able to find anything through Google and Discord searches. One post on here for someone looking for the same thing from 2021, but no resolution. I am analyzing an iPhone SE (3rd Gen) iOS 16.5.1 and @Magnet Forensics Axiom 7.6.0.37501 found websites of interest. Manually going through the plist shows these websites are under the [4] ChangePasswordURLs section. Many of these sites don't appear to be relevant to the case, so I think they are standardly listed in this file. But I don't remember them being listed in the past. Thanks for any insight into this file.
sholmes
Looking for information on Safari's AutoFillQuirks.plist. I wasn't able to find anything through Google and Discord searches. One post on here for someone looking for the same thing from 2021, but no resolution. I am analyzing an iPhone SE (3rd Gen) iOS 16.5.1 and @Magnet Forensics Axiom 7.6.0.37501 found websites of interest. Manually going through the plist shows these websites are under the [4] ChangePasswordURLs section. Many of these sites don't appear to be relevant to the case, so I think they are standardly listed in this file. But I don't remember them being listed in the past. Thanks for any insight into this file.
cScottVance 11/6/2023 11:56 AM
I did my own research into this file. It only appears after a user launches safari at least once on the device and is pre populated with URLs that have known password rules to them. Apple uses these ‘quirks’ to help customize a passcode for a user if they use the safari saved password for one of these sites.
Thanks @cScottVance!
cScottVance 11/6/2023 11:57 AM
The file itself has been in iOS for a while, but has undergone changes with different versions of Safari updates.
It seemed like it was a prepopulated file, but I didn't want to just rule it out without seeing if I could find an answer.
cScottVance 11/6/2023 11:58 AM
Yup! We have gotten several questions about it previously throwing red flags in exams.
What could cause a photo to be taken on an iPhone at a set time, and then the filesystem shows the photo as created a couple of hours later? Usually this occurs within a minute or two. This occurred for multiple photos taken at about the same time. Worth adding is that a few photos that were taken an hour after the first ones got created with normal "Created" timestamps.
Allan Tiep
What could cause a photo to be taken on an iPhone at a set time, and then the filesystem shows the photo as created a couple of hours later? Usually this occurs within a minute or two. This occurred for multiple photos taken at about the same time. Worth adding is that a few photos that were taken an hour after the first ones got created with normal "Created" timestamps.
Synced photos from a different device on the same iCloud account? That or restore from backup/icloud are some of the possibilities that I can think of (edited)
Oscar
Synced photos from a different device on the same iCloud account? That or restore from backup/icloud are some of the possibilities that I can think of (edited)
The logs show that the pictures were captured on that device. And the EXIF data matches as well :/
Hans Leißner 11/7/2023 9:23 AM
Are the seconds set to zero in timestamps?
@Oxygen Forensics Hello! Anyone able to pm for some help with a huawei P smart 2021 (PPA-LX2) extraction error ?
@Cellebrite is the zHorizontalaccuracy column in the Cache.sqlite db zRTCLoccation table in feet or meters?
Anyone have resources in decoding the reddit application on iOS? I've got the encoded username string but am trying to find the decoded version. Hoping I can do it locally and not need a subpoena for just this.
4:00 PM
iOS filepath: private/var/mobile/Containers/Data/Application/[App_ GUID]/Library/Preferences/com.reddit.Reddit.plist (edited)
whee30
Anyone have resources in decoding the reddit application on iOS? I've got the encoded username string but am trying to find the decoded version. Hoping I can do it locally and not need a subpoena for just this.
Hans Leißner 11/7/2023 9:59 PM
Reddit in general So this is probably not new to much of the readers of this blog, Reddit is kind of a big deal at this moment in its lifespan. For those who do not know though, Reddit is a social media platform that touts itself as the “Frontpage of the Internet”  What makes this […]
Hi, is anyone having problems in the "Chats" view of telegram with Oxygen 16.0.1.121? It shows me all the messages from one party and then all the messages from the other party. The "All data" view, however, is correct and the messages are shown in chronological order, so it's not a parsing problem. The problem only occurs with Telegram, other apps (including Telegram desktop) do not have this problem. Both Android and iOS FFS extracted with UFED. @Oxygen Forensics
Flavius
Hi, is anyone having problems in the "Chats" view of telegram with Oxygen 16.0.1.121? It shows me all the messages from one party and then all the messages from the other party. The "All data" view, however, is correct and the messages are shown in chronological order, so it's not a parsing problem. The problem only occurs with Telegram, other apps (including Telegram desktop) do not have this problem. Both Android and iOS FFS extracted with UFED. @Oxygen Forensics
Oxygen Forensics 11/8/2023 1:20 AM
Hello! I would like to DM you to figure it out 🙂
Anyone from @Magnet Forensics free for a quick question?
dinosaurdave 11/8/2023 3:21 AM
Anyone else having issues with Cellebrite Reader 8.7 not loading UFDR files? It shows as loading but once complete doesn’t display any data whatsoever.
Allan Tiep
What could cause a photo to be taken on an iPhone at a set time, and then the filesystem shows the photo as created a couple of hours later? Usually this occurs within a minute or two. This occurred for multiple photos taken at about the same time. Worth adding is that a few photos that were taken an hour after the first ones got created with normal "Created" timestamps.
ScottKjr3347 11/8/2023 5:33 AM
Haven’t tested this but maybe copies or duplicates of the original captured media were made then the originals were deleted? I believe the copies would have new created timestamps but would also maintain the original exif and metadata. (edited)
Terry_____
@Cellebrite is the zHorizontalaccuracy column in the Cache.sqlite db zRTCLoccation table in feet or meters?
CLB-DannyTheModeler 11/8/2023 6:39 AM
Meters
Anyone know where I can get a white paper or something verified by Google or good 3rd party source about the specificities of semantic location logging. I need all the details.
chrisforensic
heyho folks! somebody here with knowledge to decode the .sav files, which contain geodata from the iGO navigation app? some years ago I had a Python script for decoding these .sav files but I lost it ....
spicy_caveman 11/8/2023 10:09 AM
I immediately thought Strasse- and the German character is left off at the end.
Would anyone be able to shed some light about the file path: mobile\containers\data\application\net.WhatsApp.WhatsApp\Documents\inbox I have 3 video files in this location but I’m unable to say why 🤦‍♂️ if anyone could help it would be appreciated. Thanks
theshark
Anyone know where I can get a white paper or something verified by Google or good 3rd party source about the specificities of semantic location logging. I need all the details.
JLindmar (83AR) 11/8/2023 12:30 PM
Hi @Magnet Forensics anyone available for a quick question? Thanks
Is there any way of merging two .pas files from @Cellebrite ? Or just merging the tags
ScottKjr3347
Haven’t tested this but maybe copies or duplicates of the original captured media were made then the originals were deleted? I believe the copies would have new created timestamps but would also maintain the original exif and metadata. (edited)
The filename for the captured photo matches the filename of the created file by file system though. Wouldn't a copy of the original file get a completely new filename?
Anyone from @Oxygen Forensics free for a quick Q?
Aero
Anyone from @Oxygen Forensics free for a quick Q?
Oxygen Forensics 11/9/2023 8:23 AM
Hello, sure thing 🙂
dinosaurdave
Anyone else having issues with Cellebrite Reader 8.7 not loading UFDR files? It shows as loading but once complete doesn’t display any data whatsoever.
Yes, I also got this problem. @Cellebrite broke it, so I think use an older version or wait for a new one. (edited)
Allan Tiep
The logs show that the pictures were captured on that device. And the EXIF data matches as well :/
is there an option to save the original picture in the cloud and just have the thumbnails on the phone itself, and then maybe downloading the full picture later on created a new timestamp?
Allan Tiep
The logs show that the pictures were captured on that device. And the EXIF data matches as well :/
Hans Leißner 11/9/2023 9:26 PM
May I ask u again.. are the seconds in any timestamps set to zero? Did the user change those manually?
I have found some videos with filenames of the form "VID_YYYYMMDD_HHMMSS_xyz.mp4" where xyz is a number (possibly milliseconds?). The files were found on a computer, but probably originate from a Huawei phone. Does anyone recognize where these filenames come from?
Bobby
Hi @Magnet Forensics anyone available for a quick question? Thanks
@Magnet Forensics still need you 🙏
hi. anybody know how to BF the PIN in AppLock Pro? I have a Samsung device. The data is stored in: /data/data/com.ibragunduz.applockpro/ (edited)
OS randomizes MAC addresses when it connects to a wifi network but I am seeing the same randomized MAC, this makes me believe that somewhere in the phone it knows that x networks gets x MAC address, anyone ever found where that info is stored, Physical Analyzer doesn't parse for that and I haven't been able to find that info anywhere.
Chris
OS randomizes MAC addresses when it connects to a wifi network but I am seeing the same randomized MAC, this makes me believe that somewhere in the phone it knows that x networks gets x MAC address, anyone ever found where that info is stored, Physical Analyzer doesn't parse for that and I haven't been able to find that info anywhere.
Gizmononootje 11/10/2023 4:38 AM
might try opening the FFS in Encase and search for the specific MAC?
I've done several searches inside PA, however I have just been put on a lead where the info may be stored. I'll post if it works, waiting on the extraction to open.
Chris
I've done several searches inside PA, however I have just been put on a lead where the info may be stored. I'll post if it works, waiting on the extraction to open.
Gizmononootje 11/10/2023 4:47 AM
Raw search or in the indexed data?
Bobby
@Magnet Forensics still need you 🙏
Sent you a message
@OggE @Oscar Didn't one of you two find a way to find 'expired' Snapchat media in a chat and download it from the Snapchat server? (edited)
has anyone parsed out the weather app ??
12:11 PM
is there a python script for parsing out that application
Jetten_007
is there a python script for parsing out that application
Hans Leißner 11/10/2023 4:00 PM
Parse for what? Locations? The database isn't that hard to read tbh 🙂
Hans Leißner
Parse for what? Locations? The database isn't that hard to read tbh 🙂
ya.... i just did it manually
Hello everyone, for those who are using Pa ultra, have you noticed that the phone number or account relating to the application does not appear in the "chat" section? @Cellebrite
manuelevlr
Hello everyone, for those who are using Pa ultra, have you noticed that the phone number or account relating to the application does not appear in the "chat" section? @Cellebrite
Could you be more precise please, which version of PA, which app? This is coming from Ultra: (edited)
11:16 PM
May be it is a problem from the extraction
Can someone help me decode this time format: 20240730. It comes from com.lrhsoft.shiftercalendar. I've already run DCode on it and haven't found anything. I'm hoping to find something around the year 2022
found it: 20240730 referred to 2024/07/30. Sounds obvious put like that ...
@Cellebrite Anyone from Cellebrite available about PA ULTRA ?
Hans Leißner
May I ask u again.. are the seconds in any timestamps set to zero? Did the user change those manually?
No, the seconds were not set to 0 on any of the images
rfar
is there an option to save the original picture in the cloud and just have the thumbnails on the phone itself, and then maybe downloading the full picture later on created a new timestamp?
That was one of the possibilities I was considering. The Photos db didn't show the picture as downloaded from iCloud though
Allan Tiep
No, the seconds were not set to 0 on any of the images
Hans Leißner 11/13/2023 6:23 AM
Very unusual construct you have there 😅
Hans Leißner
Very unusual construct you have there 😅
Tell me about it 😄
Bill (VeriFi) 11/13/2023 7:18 AM
Is anyone else experiencing substantial lag in PA 7.64 processing times? I have a 64GB iPhone FFS parsing on a very capable machine ... for 3 hours now. It seems to hang up on the Facebook app.
Bill (VeriFi)
Is anyone else experiencing substantial lag in PA 7.64 processing times? I have a 64GB iPhone FFS parsing on a very capable machine ... for 3 hours now. It seems to hang up on the Facebook app.
Probably should update
theshark
Probably should update
Bill (VeriFi) 11/13/2023 3:55 PM
I’m running the latest version of 7.64.x.
Bill (VeriFi)
I’m running the latest version of 7.64.x.
7.8
theshark
7.8
Bill (VeriFi) 11/13/2023 7:50 PM
Ohhhhh…. PA ultra. Got it
Has anyone already worked on data from snapchat leveldb ?
I have a device that was processed with Graykey @Magnet Forensics which obtained a Partial BFU. I have a lot of images but none that appear to come from the camera roll. The only file paths I see point to the “Shared with you” folders, cached images, etc.
cScottVance 11/14/2023 7:27 AM
BFU images won't contain data from the camera roll as those files are protected at a higher level of "data protection" and only available in AFU or higher images.
Okay that makes sense. I have a question about a file path if you can help me with that real quick @cScottVance (edited)
7:30 AM
00008110-000791A2699401E _files partial-bfu.zip/private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/scopes/syndication/resources/derivatives/D/D53371E4-769D-4AEE-ADDO 196C23567F2_1_102_0.jpeg
DFIS721
00008110-000791A2699401E _files partial-bfu.zip/private/var/mobile/Library/Photos/Libraries/Syndication.photoslibrary/scopes/syndication/resources/derivatives/D/D53371E4-769D-4AEE-ADDO 196C23567F2_1_102_0.jpeg
cScottVance 11/14/2023 7:37 AM
The Shared with You is a new feature that has been discussed within Apple Worldwide Developers Conference (WWDC) videos and other developer videos. Generally, the comments made indicate that within…
Hi everyone, looking for guidance… I have a FFS obtained from prem of a galaxy fold4, the signal DB is still encrypted. I also have a chat capture extraction from UFED. I took a picture of the keys and I added those keys to axiom (with no spaces & with spaces)
cScottVance
Scott did a great blog about the files within the syndication data area here: https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
That’s what I was looking at just making sure I was on the right track. Thank you!
Original message was deleted or could not be loaded.
Andrew Rathbun 11/14/2023 8:25 PM
I can't help you re: the artifacts but if you can't find anything to answer this question it seems like an objectively reasonable thing to conclude that if the artifacts universally stop at X time and pick back up at Y time that the phone was shut off. May not be helpful but it seems that fact pattern is objectively reasonable to conclude that's what's going on, for what it's worth
Does anyone know how withheld numbers are parsed in @Cellebrite PA or @Magnet Forensics Axiom?
1:10 AM
Do they appear as empty/null or something else?
whatsapp user
hi @Rob
Does anyone know if airplane mode impacts "Find My" on an iPhone, in regards to the low-level Bluetooth network and an iPhone 13 Pro? I thought @Magnet Forensics had a webinar on this a year ago. I don't have an iPhone 12/13/14 to test with at the moment...
florus
Does anyone know if airplane mode impacts "Find My" on an iPhone, in regards to the low-level Bluetooth network and an iPhone 13 Pro? I thought @Magnet Forensics had a webinar on this a year ago. I don't have an iPhone 12/13/14 to test with at the moment...
Sumuri Andrew 11/15/2023 10:04 AM
I don't know about specific models. But I do know that in general the "find my" app will be disabled / unable to connect while the device is in airplane mode.
florus
Does anyone know if airplane mode impacts "Find My" on an iPhone, in regards to the low-level Bluetooth network and an iPhone 13 Pro? I thought @Magnet Forensics had a webinar on this a year ago. I don't have an iPhone 12/13/14 to test with at the moment...
My understanding is that as of iOS 15, I think, airplane mode doesn't turn off GPS or Bluetooth. I think on iPhone 14 and 15 it explicitly tells you on the screen that your phone is still findable.
Terry_____
My understanding is that as of iOS 15, I think, airplane mode doesn't turn off GPS or Bluetooth. I think on iPhone 14 and 15 it explicitly tells you on the screen that your phone is still findable.
that was my understanding as well, but who has tested this, not that long ago?
@Cellebrite - you should make a variable file size filter in PA.
Original message was deleted or could not be loaded.
Hans Leißner 11/16/2023 4:37 AM
Did u look at the battery % before the gap? Maybe the battery ran out. What apps were running before the gap, are there artefacts of seen Bluetooth devices? (edited)
florus
Does anyone know if airplane mode impacts "Find My" on an iPhone, in regards to the low-level Bluetooth network and an iPhone 13 Pro? I thought @Magnet Forensics had a webinar on this a year ago. I don't have an iPhone 12/13/14 to test with at the moment...
Hans Leißner 11/16/2023 4:41 AM
As I know from a test with my device last week (iPhone 13 Pro, iOS 17.x) .. if u put the device in "lost" mode via iCloud when the device is in flight mode .. it does nothing. I needed to deactivate the flight mode to get the "lost mode" activated. I had my 2nd iPhone nearby when testing (edited)
thaconnecter 11/16/2023 7:04 AM
Hey guys, do you know a way to decrypt Signal db version 6.6.5 (edited)
thaconnecter
Hey guys, do you know a way to decrypt Signal db version 6.6.5 (edited)
If you have access to a gray key you can extract the key and it’s already decrypted
thaconnecter 11/16/2023 7:15 AM
Oops, my bad, I forgot to mention that it is coming from a Samsung S7, Android 7
Ooo it’s probably not supported
7:16 AM
I’ve been trying to find out a work around besides using gray key😭
7:17 AM
Axiom gives u an option to add the keys, have u tried maybe doing the chat capture extraction in ufed?
thaconnecter 11/16/2023 7:19 AM
It's alright, I'll do a manual backup, thanks
thaconnecter
It's alright, I'll do a manual backup, thanks
You can parse the manual backup using this tool: https://github.com/bepaald/signalbackup-tools. PA does not parse the latest versions of Signal backup yet. I'm not sure about v 6.6.5 though. Also, after parsing, compare the results with the messages on the phone. I've seen a case where not everything was exported from a chat if disappearing messages were activated and deactivated several times.
Anyone from @Cellebrite free for a quick question?
Anyone having issues with PA 7.64 not parsing GK extraction?
TheNomad
Anyone having issues with PA 7.64 not parsing GK extraction?
Nothing noticed. iOS or Android extraction? Keychain file (iOS) or Keystore file (Android) existing? What issues exactly? (edited)
TheNomad
Anyone having issues with PA 7.64 not parsing GK extraction?
Hans Leißner 11/19/2023 2:08 AM
I guess you imported it as follows: File –> Open Case –> Add –> Full File System GrayKey. Choose the desired zip archive. Also add the keychain plist. Click “Next” to define examination details. It is very important to add both the zip archive file and also the keychain plist in order to properly parse and collect the most information. https://cellebrite.com/en/how-to-ingest-graykey-data-collections-into-cellebrite-physical-analyzer/ (edited)
Avatar
Avatar
Hans Leißner
I guess you imported it as follows: File –> Open Case –> Add –> Full File System GrayKey. Choose the desired zip archive. Also add the keychain plist. Click “Next” to define examination details. It is very important to add both the zip archive file and also the keychain plist in order to properly parse and collect the most information. https://cellebrite.com/en/how-to-ingest-graykey-data-collections-into-cellebrite-physical-analyzer/ (edited)
Sure did... it parses virtually nothing out of a 25 GB extraction
10:22 AM
Should have added it is for iOS. I have all necessary files so it should parse it, but it's not. No error messages...
Avatar
Avatar
TheNomad
Should have added it is for iOS. I have all necessary files so it should parse it, but it's not. No error messages...
Is it a BFU extraction?
Avatar
Avatar
TheNomad
Sure did... it parses virtually nothing out of a 25 GB extraction
Did you select the right option if Android etc.? Also the right keychain etc. if iOS
Avatar
Avatar
TheNomad
Sure did... it parses virtually nothing out of a 25 GB extraction
What about with another tool? Like Axiom, Oxygen or even ILEAPP?
Avatar
Avatar
TheNomad
Anyone having issues with PA 7.64 not parsing GK extraction?
I had a GK extraction that was not parsed at all by PA Ultra. I restarted PA Ultra and added only the GK extraction (previously I also added the SIM extractions) and then it was parsed.
Avatar
yes, BFU. Have parsed GKs in the past without issues, this one is elusive. iOS with keychain plist... can't put my finger on why it is not parsing the zip
Avatar
Avatar
TheNomad
yes, BFU. Have parsed GKs in the past without issues, this one is elusive. iOS with keychain plist... can't put my finger on why it is not parsing the zip
Basically everything in a BFU is encrypted so you shouldn't be seeing much parsed data.
Avatar
Avatar
Oscar
Basically everything in a BFU is encrypted so you shouldn't be seeing much parsed data.
While that's theoretically true, I have often seen stuff like location data and chat messages from SnapChat for example in a BFU.
Avatar
Avatar
Hans Leißner
I guess you imported it as follows: File –> Open Case –> Add –> Full File System GrayKey. Choose the desired zip archive. Also add the keychain plist. Click “Next” to define examination details. It is very important to add both the zip archive file and also the keychain plist in order to properly parse and collect the most information. https://cellebrite.com/en/how-to-ingest-graykey-data-collections-into-cellebrite-physical-analyzer/ (edited)
Is it the combined ZIP, so the real ZIP is within the ZIP, if you get me? That will cause it to decode without error. It is a setting that we turned off!
12:27 AM
You may need to extract the ZIP to get the data ZIP for decoding.
Avatar
Avatar
BETBAMS
While that's theoretically true, I have often seen stuff like location data and chat messages from SnapChat for example in a BFU.
In a BFU you will mostly get data that has come in before the phone device has been unlocked. If the databases are still encrypted the device can't write to them. That's most of the useful user data you get from a BFU. If not much data is sitting in line waiting for its db to be decrypted then you're not going to see much data. That's from Ian with Cellebrite during one of his last podcasts.
Avatar
Anyone from @Cellebrite available for a quick DM?
Avatar
Avatar
Terry_____
In a BFU you will mostly get data that has come in before the phone device has been unlocked. If the databases are still encrypted the device can't write to them. That's most of the useful user data you get from a BFU. If not much data is sitting in line waiting for its db to be decrypted then you're not going to see much data. That's from Ian with Cellebrite during one of his last podcasts.
Thanks, that makes sense. I'd still argue that a BFU attempt is worth it precisely because we can't know what comes out parsed and what doesn't.
Avatar
Avatar
BETBAMS
Thanks, that makes sense. I'd still argue that a BFU attempt is worth it precisely because we can't know what comes out parsed and what doesn't.
Completely agree. I'll always take what I can get.
Avatar
Avatar
Oscar
Basically everything in a BFU is encrypted so you shouldn't be seeing much parsed data.
Brain was foggy.. meant AFU, not BFU.
Avatar
Did someone manage to get Cellebrite Virtual Analyzer running in PA on a Win 11 machine? If yes, any tips? I get Error Code 10 after I launch VA from PA (Andy OS working outside of PA) and when I fiddle around with the versions I just get a BSOD (2 different machines, different hardware)
2:11 PM
If someone didn't review that article, just click. Great work here
Avatar
AARC TASK FORCE 11/21/2023 6:36 PM
Has anyone had any luck decoding paypal in PA?
Avatar
Can anyone advise whether historic cache files would be restored to a device, if an iPhone restored an old backup? We're trying to establish whether it is a plausible defence that cache files would end up on a device from an iCloud backup, or whether a backup would not contain such data. Can someone contact me to discuss/explain please?
Avatar
Avatar
MHE
Did someone manage to get Cellebrite Virtual Analyzer running in PA on a Win 11 machine? If yes, any tips? I get Error Code 10 after I launch VA from PA (Andy OS working outside of PA) and when I fiddle around with the versions I just get a BSOD (2 different machines, different hardware)
Go to Windows' Apps & Features (add/remove programs) and uninstall all Microsoft Visual C++ Redistributables 2015 and higher. Download and install VMware Player 15.0.0 from here: https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=PLAYER-1500&productId=800&rPId=47861
Avatar
Hans Leißner 11/22/2023 5:34 AM
Hello @Cellebrite! Any Cellebrite Data Architect online for a PA / Reader related hypothetical question? I tried to reach out to Danny but I guess he is enjoying his well-deserved days off. :,} (edited)
Avatar
Avatar
BETBAMS
Go to Windows' Apps & Features (add/remove programs) and uninstall all Microsoft Visual C++ Redistributables 2015 and higher. Download and install VMware Player 15.0.0 from here: https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=PLAYER-1500&productId=800&rPId=47861
Thanks, did that in advance, did not help. We now installed PA Ultra, VA seems to work there
Avatar
Avatar
Hans Leißner
Hello @Cellebrite! Any Cellebrite Data Architect online for a PA / Reader related hypothetical question? I tried to reach out to Danny but I guess he is enjoying his well-deserved days off. :,} (edited)
CLB-DannyTheModeler 11/22/2023 8:58 AM
Sadly no days off recently, just a glitchy Discord client that didn't send me any notifications for days, sorry to all that tried to DM me, trying to catch up now.
Avatar
@Cellebrite I also have some questions regarding some trace window errors if anyone has a moment please
Avatar
I was able to get a BFU from an Android, the password on the device is some alphanumeric one. Is there something I could check in the BFU to help figure out the password?
10:10 AM
I see a hash in the "password" under accounts
10:10 AM
like could I hashcat that hash?
Avatar
what phone is that?
Avatar
Avatar
beamar
like could I hashcat that hash?
I believe that hash you see is a password key or token for the account. I don't believe hashcat supports that
Avatar
Avatar
Arcain
what phone is that?
Samsung Galaxy S22 (edited)
10:49 AM
yeah, says userkey
Avatar
Avatar
beamar
Samsung Galaxy S22 (edited)
does it at least auto accept passcode after n characters entered, or you have to confirm it manually?
Avatar
I'm not sure what you mean?
10:55 AM
like it stops once you hit 10 letters and tries that?
Avatar
on Samsung, it's possible to enable a feature where it will automatically unlock once you enter the passcode, and this helps to figure out the length
10:56 AM
the default is that you have to enter passcode and press ok
10:57 AM
in general, this is a type of job for premium tools, and they run bf on the device itself
Avatar
I am running BF on it, no luck so far with a very large BF list
Avatar
Avatar
beamar
I am running BF on it, no luck so far with a very large BF list
what mode in hashcat are you using?
Avatar
@Cellebrite I downloaded the new version of the physical analyzer but checking the zip hash turns out to be different from the one indicated on the site
Avatar
I'm not using hashcat for the BF. It's using GK's one ATM, with a provided list
Avatar
Avatar
beamar
I'm not using hashcat for the BF. It's using GK's one ATM, with a provided list
Hans Leißner 11/22/2023 1:27 PM
Have you already tested a custom dictionary? I recently had success with a list I created myself (birth dates of children and partner). https://weakpass.com/generate (edited)
Avatar
birthday and stuff you can enter into the BF, I know it's a long PW from the girlfriend. It's not like a 4 or 6 digit PIN
Avatar
Any other devices that belong to the suspect that you have access to? Could you check his computer at his house with his girlfriend’s permission for stored Chrome passwords?
Avatar
Cellebrite PA duplicate question: If I use PA (normal version), in the Images tab I see 3 relevant numbers at the bottom: Total / Deduplication / Selected. If I want to deduplicate, I go to settings -> switch from "show all items" to "show Main items only" and the deduplication goes from "0" to "38.323" for example. If I do this in the newest PA Ultra version (same test, 2 images) the "Deduplication" stays on "0", regardless of the setting. So to say, I can't see how many duplicates there are, and if I tag a file, the duplicates (same MD5) are not tagged so I have to do this manually. I tried a clean reinstall, another machine, clearing temp folders in Windows and Cellebrite app data. Still no duplicates shown. Same on the new Cellebrite Reader which comes with PA Ultra (8.x). Any help would be welcome; overall I like PA Ultra more but I need the deduplication to work properly.
Avatar
Anyone from Cellebrite PA team available? @Cellebrite 🙂
Avatar
Hi, Anyone from @Magnet Forensics available for a question about Magnet App Simulator ?
Avatar
Hey, question for the room. Does anyone know if the application usage log and activity sensor data time stamp is stored in UTC in knowledgeC?
Avatar
Does anyone have experience with WhatsApp locked chats on Android and Cellebrite?
6:49 AM
In Cellebrite Reader I can see chats which I can't see on the suspect's phone, but there is the "locked chats" tab at the top. I'm now looking for a clear way to tell if these chats are the locked chats. I can't access them on the device because they are secured by fingerprint
6:50 AM
looking for some kind of flag in the .db files to determine which ones are locked
Avatar
OK, I got it the noob way. On the suspect's phone, you can go to WhatsApp contacts, click the contact you think is in locked chats, and WhatsApp tells you "this chat is locked". Still, it would be good to know how WA flags these chats in the database
Avatar
so has anyone had luck virtualizing an app from an iphone and using the data from the image to launch the app as if the user would see it? I would like to screen shot this to show the court what the user would have seen as if using the device itself. And perhaps 1 step further, would be to launch an app and login with the token/keys stored in the image (if they are still valid). (edited)
Avatar
I have an Android ADB filesystem extraction of an OPPO CPH2083. The device includes a directory named ".keepsafe," although the user has uninstalled the app. PA successfully decrypted the folder, allowing me to view the folder names and filenames. However, all the files, whether images or videos, cannot be opened; they appear corrupted. Do you have any ideas?
Avatar
facelessg00n 11/24/2023 1:05 AM
Maybe handy to some of you: I have been required to perform some bulk offline message translation recently and, after running into some trouble with commercial tools, I ended up building this script to pipe an Excel file of them into a local LibreTranslate server. Translation results were impressive, especially when a language was selected. https://github.com/facelessg00n/pythonForensics/tree/main/offlineTranslate
Avatar
@Cellebrite Anyone around for a question about PA?
Avatar
Avatar
ChutzpahAI
Any iOS gurus out there? iPhone 11; iOS 14.4; GrayKey extraction; Location: /private/var/mobile/Library/CallHistoryTransactions/.dat**.00 files, that contain phone numbers, that none of the tools (AXIOM, PA, etc.) parsed. Does anyone have any context as to how these get populated? Backups? OS research is not getting me anywhere. Thanks in advance!
wb_brownley 11/24/2023 5:58 AM
Hi did you ever find out about this? Thanks 🙂
Avatar
Avatar
FullTang
Any other devices that belong to the suspect that you have access to? Could you check his computer at his house with his girlfriend’s permission for stored Chrome passwords?
I asked the Detective whose case it is about a home computer, I haven't heard back. Typically where I work (ghetto), most of these guys don't have/use desktops/laptops
Avatar
Avatar
GTBOUCHA
Anyone ran across the "TeleGuard" application by Hulbee Swisscows (hxxps://teleguard.com/en)?
I did, extracted the database and made a PA XML to process it. I tested it and compared with the app and it ran OK. But test it yourself
Avatar
Hello, I have an FFS extraction of an iPhone 11. PA and XRY weren't able to parse the Telegram app. I could find db_sqlite in account-xxxxx/postbox/db/ but it looks encrypted after the SQLite header. Also, in PA and XRY I can't see the tables inside the db, looks like it's encrypted. The app opens normally on the phone, but it has a huge amount of chats. Anyone know how to decrypt it? It's a CSAM case and I was able to find thumbnails related to Telegram, so it's important to parse it.
Avatar
Avatar
rafael_cs
Hello, I have an FFS extraction of an iPhone 11. PA and XRY weren't able to parse the Telegram app. I could find db_sqlite in account-xxxxx/postbox/db/ but it looks encrypted after the SQLite header. Also, in PA and XRY I can't see the tables inside the db, looks like it's encrypted. The app opens normally on the phone, but it has a huge amount of chats. Anyone know how to decrypt it? It's a CSAM case and I was able to find thumbnails related to Telegram, so it's important to parse it.
https://belkasoft.com/signal-decryption-with-belkasoft-x or you can look for the "tempkey" file
Avatar
forensicgeek 11/24/2023 11:48 PM
Good morning all. I have an iPhone 12 extraction. The phone is no longer with us and screen was damaged so could not view anything but we are trying to obtain what the local language was set to. I am unable to find it in the device info once decoding using PA and unable to see it within data_ark.plist. Any clues on where else it could be? Thanks in advance.
Avatar
Avatar
forensicgeek
Good morning all. I have an iPhone 12 extraction. The phone is no longer with us and screen was damaged so could not view anything but we are trying to obtain what the local language was set to. I am unable to find it in the device info once decoding using PA and unable to see it within data_ark.plist. Any clues on where else it could be? Thanks in advance.
maybe here /private/var/mobile/Library/Preferences/com.apple.purplebuddy.plist
Avatar
Avatar
s.m.
maybe here /private/var/mobile/Library/Preferences/com.apple.purplebuddy.plist
forensicgeek 11/25/2023 11:28 AM
Ah thank you for the reply. I will have a look when back in the office.
Avatar
Avatar
OggE
https://belkasoft.com/signal-decryption-with-belkasoft-x or you can look for the "tempkey" file
Thank you very much. I found this file ".tempkey" and looking at GitHub (https://github.com/TelegramMessenger/Telegram-iOS) I was able to discover that the first 32 bytes are the key and the next 16 bytes are the salt. The hex key to decrypt the db is just key+salt with SQLCipher v4 parameters and a header of 32. Checked with iLEAPP and I could see the messages. (edited)
Avatar
Hi all, anyone else experiencing the following: FFS from an iPhone 13 Pro Max - Large amount of location data present and have generated a KML with locations from time of incident in PA 7.64. When importing to Google Earth it appears the latitude and longitude are imported the wrong way around, so rather than getting the location I'd expect to see I'm getting locations in the middle of the Indian Ocean! Reopened the dump in PA 8 and generated same KML file and when imported into Google Earth it's giving me the correct location data. Is this a glitch with PA 7.64 or should I be doing something different in 7.64 to get the right results? Never had an issue before with previous PA 7.XX releases.
Avatar
Avatar
LoccIE
Hi all, anyone else experiencing the following: FFS from an iPhone 13 Pro Max - Large amount of location data present and have generated a KML with locations from time of incident in PA 7.64. When importing to Google Earth it appears the latitude and longitude are imported the wrong way around, so rather than getting the location I'd expect to see I'm getting locations in the middle of the Indian Ocean! Reopened the dump in PA 8 and generated same KML file and when imported into Google Earth it's giving me the correct location data. Is this a glitch with PA 7.64 or should I be doing something different in 7.64 to get the right results? Never had an issue before with previous PA 7.XX releases.
I haven't experienced that, but is the problem when the export happens into the KML file, or is the problem when PA parses the information? Perhaps check the location artifacts between PA 8 and 7.64 to see if they match. If so, perhaps the issue is the export function to KML?
Avatar
Avatar
rfar
I haven't experienced that, but is the problem when the export happens into the KML file, or is the problem when PA parses the information? Perhaps check the location artifacts between PA 8 and 7.64 to see if they match. If so, perhaps the issue is the export function to KML?
It seems to be when the export happens into KML file - PA 7.64 is exporting the latitude as the longitude and the longitude as the latitude 😬 e.g. 52.XXXX, - 2.XXXX is being exported as 2.XXXX, 52.XXXX which obviously points to a very different location than where the device actually was!
Avatar
Avatar
LoccIE
Hi all, anyone else experiencing the following: FFS from an iPhone 13 Pro Max - Large amount of location data present and have generated a KML with locations from time of incident in PA 7.64. When importing to Google Earth it appears the latitude and longitude are imported the wrong way around, so rather than getting the location I'd expect to see I'm getting locations in the middle of the Indian Ocean! Reopened the dump in PA 8 and generated same KML file and when imported into Google Earth it's giving me the correct location data. Is this a glitch with PA 7.64 or should I be doing something different in 7.64 to get the right results? Never had an issue before with previous PA 7.XX releases.
I have seen this bug, too. After reporting it, they said it will be fixed in a future release of PA8; in PA7 it will not be fixed anymore. You should create a bug report, so they see a fix is needed sooner. A few years ago my team had already reported this bug, and I think it was already fixed. (edited)
Avatar
Avatar
DO_G
I have seen this bug, too. After reporting it, they said it will be fixed in a future release of PA8; in PA7 it will not be fixed anymore. You should create a bug report, so they see a fix is needed sooner. A few years ago my team had already reported this bug, and I think it was already fixed. (edited)
I checked an old KML I previously generated for another case in 7.63 and it's perfect so I'll for sure send a bug report when back in the office. Thank you 👍
Avatar
Avatar
LoccIE
I checked an old KML I previously generated for another case in 7.63 and it's perfect so I'll for sure send a bug report when back in the office. Thank you 👍
Btw. 7.65 is out.
Avatar
Avatar
LoccIE
Hi all, anyone else experiencing the following: FFS from an iPhone 13 Pro Max - Large amount of location data present and have generated a KML with locations from time of incident in PA 7.64. When importing to Google Earth it appears the latitude and longitude are imported the wrong way around, so rather than getting the location I'd expect to see I'm getting locations in the middle of the Indian Ocean! Reopened the dump in PA 8 and generated same KML file and when imported into Google Earth it's giving me the correct location data. Is this a glitch with PA 7.64 or should I be doing something different in 7.64 to get the right results? Never had an issue before with previous PA 7.XX releases.
I sent a ticket to cellebrite about this the other week. It'll be fixed in the next update. Google Earth is expecting to read the KML as long first then lat. PA has been generating the KML lat first then long.
Avatar
I have a calllog.db in an Oppo phone that is displaying call type as a negative number, e.g. -1 where 1 would normally be an outgoing call. It's only doing this for the specific contact I'm focused on... PA is thus displaying this value as unknown in reporting... Any ideas @Cellebrite why the db entry is a negative number and whether this can be relied on to be a 1 vs a -1? (edited)
Avatar
Avatar
LoccIE
Hi all, anyone else experiencing the following: FFS from an iPhone 13 Pro Max - Large amount of location data present and have generated a KML with locations from time of incident in PA 7.64. When importing to Google Earth it appears the latitude and longitude are imported the wrong way around, so rather than getting the location I'd expect to see I'm getting locations in the middle of the Indian Ocean! Reopened the dump in PA 8 and generated same KML file and when imported into Google Earth it's giving me the correct location data. Is this a glitch with PA 7.64 or should I be doing something different in 7.64 to get the right results? Never had an issue before with previous PA 7.XX releases.
Known bug, we put in a ticket last week.
Avatar
Hi all - has anyone here dealt with the ‘AnonChat’ application? It doesn’t get decoded in axiom/PA and wondering if anyone knew if there is any local data I can manually examine. Currently looking for a DB…
Avatar
Avatar
DO_G
Btw. 7.65 is out.
Same problem in 7.65 sadly... Easily fixed with python but annoying
Avatar
4JSN6🇬🇧 11/27/2023 7:49 AM
Can someone from @Cellebrite contact me regarding PA? (edited)
Avatar
Is there a db where I can find the usage of phone numbers in an Android OS? (Same as on iOS, where I can find 3 records of SIM cards put in)
Avatar
Avatar
LoccIE
Hi all, anyone else experiencing the following: FFS from an iPhone 13 Pro Max - Large amount of location data present and have generated a KML with locations from time of incident in PA 7.64. When importing to Google Earth it appears the latitude and longitude are imported the wrong way around, so rather than getting the location I'd expect to see I'm getting locations in the middle of the Indian Ocean! Reopened the dump in PA 8 and generated same KML file and when imported into Google Earth it's giving me the correct location data. Is this a glitch with PA 7.64 or should I be doing something different in 7.64 to get the right results? Never had an issue before with previous PA 7.XX releases.
facelessg00n 11/28/2023 1:44 AM
This will get the track log for you. Will be in an Esri compatible CSV but should still import to google earth. https://github.com/facelessg00n/gkTools (edited)
Avatar
Avatar
florus
Is there a db where I can find the usage of phone numbers in an Android OS? (Same as on iOS, where I can find 3 records of SIM cards put in)
Gizmononootje 11/28/2023 1:48 AM
you might want to get the IMEI and claim the attached 06 numbers
Avatar
@MSAB Adam @MSAB_Carl Hello all - I have a Huawei ALE-L21 that I managed to dump a physical image with XRY. The problem is that I need to find the lockscreen password but it seems that it bypassed it since it doesn't appear in the log file. Is there a way to find it in decoded data? Perhaps a specific file?
Avatar
Avatar
Flipz4n6
@MSAB Adam @MSAB_Carl Hello all - I have a Huawei ALE-L21 that I managed to dump a physical image with XRY. The problem is that I need to find the lockscreen password but it seems that it bypassed it since it doesn't appear in the log file. Is there a way to find it in decoded data? Perhaps a specific file?
Could you email the extraction log to support@msab.com (or DM it to me) so that I can have a look at what happens during extraction? Normally, when brute forcing has been successful, the passcode should be written to the log. And it should also be saved to 'Device - General information' among the categories in XAMN.
Avatar
ALE-L21 is not factory encrypted, so unless it had secure startup, no bruteforce was required (edited)
Avatar
ines.labidi 11/28/2023 4:20 AM
Hi! I’m currently analyzing an iPhone 12 with iOS 15. The investigator is looking for info on an event that happened one year before the extraction. Any ideas on iOS databases with a data retention of at least one year excluding the health database?
Avatar
powerlog archives maybe
Avatar
Avatar
citizencain
Can anyone recommend an easy way to export large quantities of data from a Realm db other than the massive awkward JSON conversion? No tools are parsing the newest version of Grindr. Up until the last release or so, both @Cellebrite and @Oxygen Forensics would convert the Realm to a SQLite db. You could actually throw in any Realm and it would convert it (most amazing feature ever, btw). Now both tools error out when trying to view the SQLite, prompting that it is either encrypted (it is not) or not a valid Realm (it is). But the db opens just fine in Realm Studio v14+.
Did you find a good method for parsing .realm databases in this case? I have an unsupported chat application in realm that I would like to open up. Cellebrite did a decent job in my case but I want to have a third party tool to verify.
Avatar
Avatar
whee30
Did you find a good method for parsing .realm databases in this case? I have an unsupported chat application in realm that I would like to open up. Cellebrite did a decent job in my case but I want to have a third party tool to verify.
citizencain 11/28/2023 6:38 AM
I was not able to get the swift code working, tho scripting is not my forte whatsoever. So nope, and I'm still waiting for the tools to do the conversion for the newer realm to sqlite.
Avatar
In XRY I found a password for a Gmail account, but I stupidly forgot where I got it from. Does anybody have an idea? I tried looking for the string etc., but I can't find it.
Avatar
Deleted User 11/28/2023 6:50 AM
Hi all - in terms of SIM cards, is there a possibility of finding out when a SIM card was first inserted and last used? And is there any guidance anywhere on last_update_time for cellularusage.db and what the time/date could indicate?
Avatar
Avatar
Scrubz
In XRY I found a password for a Gmail account, but I stupidly forgot where I got it from. Does anybody have an idea? I tried looking for the string etc., but I can't find it.
In XAMN you should find any password that has been decoded under 'Security - Accounts'. Filtering on the app Gmail perhaps narrows it down as well. (edited)
Avatar
Avatar
MSAB_Sofia
In XAMN you should find any password that has been decoded under 'Security - Accounts'. Filtering on the app Gmail perhaps narrows it down as well. (edited)
Thanks once again 😄
Avatar
strangepicasso 11/28/2023 10:24 AM
Does anyone have any literature concerning recovery of deleted files from iOS and Android devices? Specifically concerning lengths of time, processes, and why some items deleted at the same time as others could be recovered but not all can be recovered? I'm trying to completely educate myself in preparation for testimony concerning some data Cellebrite recovered from an iOS device after deletion where we know additional data was deleted at the same time.
Avatar
Avatar
strangepicasso
Does anyone have any literature concerning recovery of deleted files from iOS and Android devices? Specifically concerning lengths of time, processes, and why some items deleted at the same time as others could be recovered but not all can be recovered? I'm trying to completely educate myself in preparation for testimony concerning some data Cellebrite recovered from an iOS device after deletion where we know additional data was deleted at the same time.
There are several different ways data can be deleted. If you recovered “deleted” data from a modern iOS phone, then the data was probably queued for deletion, it was not in unallocated space. For example, when iOS deletes photos they go into the Recently Deleted folder and are permanently deleted after ~30 days, but if text messages were deleted the entries in the SQLite database are removed. You could still find evidence of the deleted text messages by examining the primary keys in the appropriate database.
2:18 PM
It all depends on if the phone is FBE or FDE, the OS version, and what type of data is being deleted.
Avatar
Does anyone know if spotlight on an iPhone would typically be able to see a .PDF within a safari tmp folder? Not sure if spotlight only sees stuff within the normal user accessible areas
Avatar
I have an FFS from an iPhone 6 processed in Cellebrite PA. I'm looking to provenance a file at the path “/library/persistent/SCMedia/chat-media-video-(series of alphanumeric characters).mov”. The application ID is Snapchat and I'm leaning towards this video having been shared within a chat. Does anyone know where I can conduct further searches? I've looked at My Eyes Only, memories, stories, and saved to Snapchat camera roll. I've reviewed a few chats on the created date and time of the media file and so far haven't found the file in a chat
Avatar
anyone from @Cellebrite for a quick technical question regarding export device events
Avatar
Avatar
SeanSugar
I have an FFS from an iPhone 6 processed in Cellebrite PA. I'm looking to provenance a file at the path “/library/persistent/SCMedia/chat-media-video-(series of alphanumeric characters).mov”. The application ID is Snapchat and I'm leaning towards this video having been shared within a chat. Does anyone know where I can conduct further searches? I've looked at My Eyes Only, memories, stories, and saved to Snapchat camera roll. I've reviewed a few chats on the created date and time of the media file and so far haven't found the file in a chat
Not sure if it will give you anything more than what Cellebrite PA has already parsed, but you could try running the data through Snapchat_Auto (Python script) available on GitHub -> https://github.com/DFIR-HBG/Snapchat_Auto. It's been a while since I've run it, but might be worth a try. (edited)
Avatar
Avatar
Mike_H
Not sure if it will give you anything more than what Cellebrite PA has already parsed, but you could try running the data through Snapchat_Auto (Python script) available on GitHub -> https://github.com/DFIR-HBG/Snapchat_Auto. It's been a while since I've run it, but might be worth a try. (edited)
Snapchat Auto will not find the media as it's in a folder I haven't seen populated before. Some saved videos are saved to /library/Caches/SCPersistentMedia/ and are named cm-chat-media-video-1-ConversationdID-server_message_ID-0-0.mp4. Your file seems similar in name and at least the folder names in the path, could the series of alphanumeric characters in your filename be the same as in my example? @SeanSugar Feel free to DM if you'd like (edited)
Avatar
@Oscar @Mike_H Thanks both. I'll be taking another look at it Friday Oscar, the series of alphanumeric characters might be similar to your example. I will check on Friday and if they are like that I'll drop you a DM to explore some options
Avatar
I am looking for someone who could tell me more about "Teleguard". It's being used in a CP case and we'd like to know if the company that owns the app is approachable. Also, has anyone done any research on the Teleguard data?
Avatar
Anyone have any experience with the “Yandex Disk” application on an iOS device? Some images/videos are viewable on the device but others require an internet connection. Is it possible to extract the data?
Avatar
I have an LG G8 Android device. I haven’t been able to find any information about this; anything would be appreciated. I have movies and images on the device saved in a folder named “Zappdownload”. A bit of digging into External.DB shows some of these files originally being associated with “appdownload”. Does anyone have knowledge of an app being associated with this? Or perhaps a deleted app adding a “Z”? Thanks in advance for any assistance.
🍖 1
Avatar
Hello all. Just curious. As far as best practice goes (if any exists for my current situation) or what you find generally works best for you, how do you currently represent info extracted from databases in a disclosure report going to the Crown? Using Cellebrite but need to pull some relevant data from gphotos0.db that is not parsed/displayed elsewhere in PA after processing.
Avatar
Avatar
theridlr
Hello all. Just curious. As far as best practice goes (if any exists for my current situation) or what you find generally works best for you, how do you currently represent info extracted from databases in a disclosure report going to the Crown? Using Cellebrite but need to pull some relevant data from gphotos0.db that is not parsed/displayed elsewhere in PA after processing.
Are you familiar with SQLite Wizard, Cellebrite's built-in database query tool? You can use it to manually parse the database and add it to the project. It will look like any other data Cellebrite auto-parsed.
Avatar
I was not familiar with it as I usually export and use other tools especially as I’m always validating what PA shows me. I pulled it up just now and ran a query. I will look and see how I can add the results returned to the project. Thanks for the prompt response @Terry_____
Avatar
Avatar
theridlr
Hello all. Just curious. As far as best practice goes (if any exists for my current situation) or what you find generally works best for you, how do you currently represent info extracted from databases in a disclosure report going to the Crown? Using Cellebrite but need to pull some relevant data from gphotos0.db that is not parsed/displayed elsewhere in PA after processing.
Best practice could be: do not rely on one tool only and/or confirm manually (like what you do directly from the source db/file).
👍 1
Avatar
Anyone from @Cellebrite free for a question regarding PA?
📬 1
Avatar
ines.labidi 11/30/2023 4:59 AM
Hello, does anyone have suggestions on where I can locate overheating logs for an Android device?
Avatar
Avatar
Terry_____
Are you familiar with SQLite Wizard, Cellebrite's built-in database query tool? You can use it to manually parse the database and add it to the project. It will look like any other data Cellebrite auto-parsed.
CLB-DannyTheModeler 11/30/2023 5:23 AM
Terry, thanks for the pro tip, I will just add that items that you parse via the SQLite Wizard will be marked accordingly as being decoded by you, the user.
Avatar
MrMacca (Allan Mc) 11/30/2023 5:56 AM
@magnet @Cellebrite just a heads up that Axiom and PA do not decode any emails from Outlook 4.27.1 on an iPhone. Admittedly, this is from an old 3-year-old phone that was only recently brute-forced.
Avatar
Hi, can anyone help with the file path Documents/com.snap.file_manager? I'm trying to establish the provenance of where the images are from and whether they are accessible; the OS is iOS. (edited)
🍖 1
Avatar
Avatar
ines.labidi
Hello, does anyone have suggestions on where I can locate overheating logs for an Android device?
Gizmononootje 11/30/2023 7:13 AM
Is it a Samsung?
Avatar
ines.labidi 11/30/2023 7:22 AM
No, it’s a Xiaomi Note with Android 12, but maybe it works the same @Gizmononootje
Avatar
Avatar
ines.labidi
No, it’s a Xiaomi Note with Android 12, but maybe it works the same @Gizmononootje
Gizmononootje 11/30/2023 7:23 AM
Afraid not; with Samsungs it's possible to generate a log file including the data you are looking for.
Avatar
ines.labidi 11/30/2023 7:41 AM
Too bad, thanks anyway! @Gizmononootje
Avatar
garfieldkhan 11/30/2023 7:45 AM
Anyone from Cellebrite here? In Physical Analyzer, what does it really mean when an item is flagged deleted with the red cross? I don’t know how to explain this in court…
Avatar
Anyone ever do analysis of a jailbroken phone?
Avatar
An iPhone specifically.
Avatar
S Cote / SQ 11/30/2023 3:30 PM
Hey! Any way to read .M4P files (audio) from an iOS 16.6.1 FFS extraction?
Avatar
Hans Leißner 11/30/2023 11:07 PM
Good morning everyone! I have a question regarding a transmitted screenshot from an iPhone. Does anyone happen to know which application this is? Unfortunately, I couldn't find any clues on the device. Thank you very much!
Avatar
Avatar
Hans Leißner
Good morning everyone! I have a question regarding a transmitted screenshot from an iPhone. Does anyone happen to know which application this is? Unfortunately, I couldn't find any clues on the device. Thank you very much!
The flaming icon at the bottom right of the picture looks like the one from the Tinder app.
WatchingYou 1
Avatar
Avatar
Hans Leißner
Good morning everyone! I have a question regarding a transmitted screenshot from an iPhone. Does anyone happen to know which application this is? Unfortunately, I couldn't find any clues on the device. Thank you very much!
For me it kinda looks like Wickr, both how the text squares look and the burn-on-read icons at the bottom.
Salute 1
Avatar
Avatar
Hans Leißner
Good morning everyone! I have a question regarding a transmitted screenshot from an iPhone. Does anyone happen to know which application this is? Unfortunately, I couldn't find any clues on the device. Thank you very much!
I'd say Wickr too
Salute 1
Avatar
Annoyingly, I'm working on a job atm that's Wickr but I don't have the phone anymore; it seems familiar though.
Avatar
Does anyone know if there is an iPhone equivalent to localappstate.db? Or any kind of log that details app install dates?
Avatar
Avatar
Hans Leißner
Good morning everyone! I have a question regarding a transmitted screenshot from an iPhone. Does anyone happen to know which application this is? Unfortunately, I couldn't find any clues on the device. Thank you very much!
The stock image on the app store for Wickr does look similar to your screenshot https://is1-ssl.mzstatic.com/image/thumb/Purple114/v4/08/54/be/0854bec4-27a4-8669-c0a9-7115fd96fc55/pr_source.jpg/560x0w.webp (edited)
this 1
Salute 1
2:57 AM
Use the link for a bigger view
Avatar
@exFAT This was covered by @Brigs - hopefully still relevant dependent on iOS version. https://dfir.pubpub.org/pub/e5xlbw88/release/2
What applications were installed on an iOS device and when?
Avatar
Avatar
MSAB_Adam
@exFAT This was covered by @Brigs - hopefully still relevant dependent on iOS version. https://dfir.pubpub.org/pub/e5xlbw88/release/2
Can't access the page due to an error on their end apparently! I did check that page before, albeit not the 'release/2' version you've linked there so I'll check that out thank you. (edited)
Avatar
Avatar
Hans Leißner
Good morning everyone! I have a question regarding a transmitted screenshot from an iPhone. Does anyone happen to know which application this is? Unfortunately, I couldn't find any clues on the device. Thank you very much!
Hans Leißner 12/1/2023 3:58 AM
Thank you all for the info! You were a great help 🙂
Avatar
River_Plate 12/2/2023 10:46 AM
Hello all, does someone know an effective method to identify/detect deleted WhatsApp chats/messages? (edited)
Avatar
Avatar
Scrubz
In XRY I found a password for a Gmail account, but I stupidly forgot where I got it from. Does anybody have an idea? I tried looking for the string etc., but I can't find it.
Hi Scrubz, guessing XAMN? You can find emails by filtering on Security Category > Accounts.
Avatar
Avatar
River_Plate
Hello all, does someone know an effective method to identify/detect deleted WhatsApp chats/messages? (edited)
When messages are deleted there would usually be missing primary key entries: https://belkasoft.com/exploring-deleted-whatsapp-messages
👍 1
Avatar
Anyone from @Cellebrite for a question regarding PA?
📫 1
Avatar
Hello! KnowledgeC.db on iOS stores notifications, but what about Android? Where can SMS and chat message notifications be found? Does Android store them? Notifications are on. (edited)
Avatar
Avatar
Anjo
Hello! KnowledgeC.db on iOS stores notifications, but what about Android? Where can SMS and chat message notifications be found? Does Android store them? Notifications are on. (edited)
Gizmononootje 12/5/2023 2:52 AM
Notification log, I thought Cellebrite supported this?
Avatar
Avatar
Anjo
Hello! KnowledgeC.db on iOS stores notifications, but what about Android? Where can SMS and chat message notifications be found? Does Android store them? Notifications are on. (edited)
LevelDB for some apps
Avatar
Android Logs Events And Protobuf Parser. Contribute to abrignoni/ALEAPP development by creating an account on GitHub.
Avatar
Avatar
Gizmononootje
Notification log, I thought Cellebrite supported this?
I see Digital Wellbeing in Cellebrite and Oxygen, but the problem is there is no "body" of the notification messages, just which software and when.
Avatar
Avatar
Anjo
I see Digital Wellbeing in Cellebrite and Oxygen, but the problem is there is no "body" of the notification messages, just which software and when.
Gizmononootje 12/5/2023 3:08 AM
Need to check it but might have a python script for PA
Avatar
Avatar
Anjo
I see Digital Wellbeing in Cellebrite and Oxygen, but the problem is there is no "body" of the notification messages, just which software and when.
Digital Wellbeing doesn't contain the body of a notification.
Avatar
Avatar
florus
Digital Wellbeing doesn't contain the body of a notification.
That's because I need to find it, if it exists somewhere. (edited)
Avatar
Avatar
Anjo
That's because I need to find it, if it exists somewhere. (edited)
Gizmononootje 12/5/2023 4:10 AM
I'll DM you
Avatar
Could someone from Cellebrite DM me? Regarding Chrome web history in PA... (edited)
📬 1
Avatar
Avatar
Gizmononootje
Need to check it but might have a python script for PA
If you have a related Python script, I'd be interested as well. Had a few files now where this same situation has come up. Thanks.
Avatar
Avatar
Mike_H
If you have a related Python script, I'd be interested as well. Had a few files now where this same situation has come up. Thanks.
Gizmononootje 12/5/2023 6:53 AM
DM me if you are interested!
Avatar
Avatar
Rob
Could someone from Cellebrite DM me? Regarding Chrome web history in PA... (edited)
spicy_caveman 12/5/2023 7:03 AM
@Cellebrite
Avatar
Maybe someone has some other parser for LevelDB ".ldb" files?
Avatar
Avatar
Anjo
Maybe someone has some other parser for LevelDB ".ldb" files?
@Arsenal Arsenal Image Mounter has one
Avatar
Avatar
Anjo
Maybe someone has some other parser for LevelDB ".ldb" files?
🔥 1
Avatar
That is interesting; we have 1 license for it, need to find it.
Salute 1
Avatar
Has anyone ever looked at gallery_sub.db and at DeletedRecord on an Android device? Trying to figure out if the time in there is when it was deleted.
Avatar
Also on the same phone as above: has anyone ever looked at gallery.db and at the cloud section? It lists GPS coordinates (long and lat) but in a format I'm not familiar with. I've tried converting to what I believe is correct but wanted to make sure. (edited)
Avatar
Avatar
florus
@Arsenal Arsenal Image Mounter has one
Bad that Recon does not decode the data; there is so much encoded data.
Avatar
Avatar
Anjo
Bad that Recon does not decode the data; there is so much encoded data.
LevelDB Recon is a maximum exploitation digital forensics tool, in the sense that it reveals as much LevelDB data from LevelDB files as possible - more than other tools and techniques we tested when we decided to build it. In other words, it gives you the best possible foundation on which to begin your analysis. LevelDB data can be essentially anything desired by application developers, so your analysis of the data exposed by LevelDB Recon will be specific in some cases not only to an application but to its particular version. LevelDB Recon does not (at least currently) do application-specific parsing for you. It is very easy to interact with the database we create of all the exposed LevelDB data however, so you could build your own modules which perform application-specific parsing. If you are interested in this, send us a DM and we will send instructions.
Avatar
Android Q: Would anyone know how long Activity stores information re app usage (active/foreground/background)? Would it be available for 8-10 months?
Avatar
Anyone have experience with UnArchiver on iOS? @Cellebrite PA just uncovered the mother lode of images from here. However, looking at the database, it has filenames/locations which might be important. I was looking to see if anyone had dealt with this app before, especially on the decoding side.
📬 1
Avatar
I have a UFD that I extracted with Endpoint. I don’t have Physical Analyzer; how can I convert it to UFDR or read it?
Avatar
Avatar
mdogilvie
I have a UFD that I extracted with Endpoint. I don’t have Physical Analyzer; how can I convert it to UFDR or read it?
UFD is a raw data extraction. You need PA to convert it to UFDR format.
Avatar
They told me that with Endpoint it will be converted to UFDR.
Avatar
Avatar
mdogilvie
They told me that with Endpoint it will be converted to UFDR.
Hmm, not too familiar with that side of the products. Let me see if I can get some info for you.
Avatar
Thanks, very helpful as always.
Avatar
Avatar
TheNomad
Android Q: Would anyone know how long Activity stores information re app usage (active/foreground/background)? Would it be available for 8-10 months?
burgers_N_bytes 12/7/2023 3:09 PM
Typically this data is overwritten every 30 days by normal device usage
Avatar
Anyone have experience getting images from BLOBs in SQLite?
Avatar
Avatar
burgers_N_bytes
Typically this data is overwritten every 30 days by normal device usage
Which makes sense - a 30-day log given the amount of data, but I had to verify it. Thanks very much.
👍 1
Avatar
Avatar
sholmes
Anyone have experience getting images from BLOBs in SQLite?
DeeFIR 🇦🇺 12/7/2023 4:26 PM
Depends on how it's structured/stored. If it's just raw data stored as a blob, you can just copy/paste/create a new file using a standard hex editor. Which application are you looking at?
Avatar
The Unarchiver app
4:48 PM
In iOS. The images show up fine in DB Viewer. PA parsed them from the DB but I need the file paths. I can do an Excel report from images in PA which will give me row information, but doing the query from DB Viewer or PA didn’t give me a row number to correspond back to the image for report purposes. DB Viewer shows images, but doesn’t allow for export. There are 167 images and videos in the BLOB, so I would prefer not to copy and paste. But obviously I’ll do what I need to make sure this is clear and convincing. @DeeFIR 🇦🇺 (edited)
Avatar
Avatar
sholmes
In iOS. The images show up fine in DB Viewer. PA parsed them from the DB but I need the file paths. I can do an Excel report from images in PA which will give me row information, but doing the query from DB Viewer or PA didn’t give me a row number to correspond back to the image for report purposes. DB Viewer shows images, but doesn’t allow for export. There are 167 images and videos in the BLOB, so I would prefer not to copy and paste. But obviously I’ll do what I need to make sure this is clear and convincing. @DeeFIR 🇦🇺 (edited)
DeeFIR 🇦🇺 12/7/2023 8:38 PM
I'm not familiar with the structure of the SQLite db for that particular app, and I don't have any test data available to test it. What about using the sqlite CLI set of tools to recursively select each blob field (within a certain table), then export it as a file using writefile, and the name of the file can match the line/key value? I did this a couple of years ago and I have notes somewhere, but it'll take a minute to find them.
Edit: I just created a database called testdb.db. It contains a single table called 'photo', and two fields called photodata (BLOB) and key (NUMERIC). I put binary data of a dog photo in key 1, and a cat in key 2. (see below)
Install sqlite3 tools. The following one-liner will read all id values from the table, echo them into writefile, then write 'export-key-$id' with a matching key ID:
`sqlite3 testdb.db "SELECT key from photo" | while read id; do echo SELECT writefile\(\'export-key-$id.jpg\', photodata\) FROM photo WHERE key = $id\;; done | sqlite3 testdb.db` (edited)
👍 3
Avatar
DeeFIR 🇦🇺 12/7/2023 9:07 PM
Avatar
Hey, anyone know where I can find the hash of the pin for the Keepsafe app in an iPhone FFS extraction? Thanks!
Avatar
Avatar
hfactor
Hey, anyone know where I can find the hash of the pin for the Keepsafe app in an iPhone FFS extraction? Thanks!
Seems like https://discord.com/channels/427876741990711298/427877097768222740/1126794180832804874 ; they had it in plaintext in PA but with an Android. Did you check it?
Avatar
Avatar
AnTaL
Seems like https://discord.com/channels/427876741990711298/427877097768222740/1126794180832804874 ; they had it in plaintext in PA but with an Android. Did you check it?
Yes. I checked PA, but the pin hash/pin is not available. In Android, the keys are saved in "com.kii.safe_preference.xml" but I have no clue on the iPhone.
Avatar
Avatar
hfactor
Yes. I checked PA, but the pin hash/pin is not available. In Android, the keys are saved in "com.kii.safe_preference.xml" but I have no clue on the iPhone.
In the keychain then, or the passwords list if you did the extraction with GK.
Avatar
Avatar
AnTaL
In the keychain then, or the passwords list if you did the extraction with GK.
I have a checkm8 FFS. I have a backup_keychain_v2.plist in the filesystem. I am not familiar with keychains. Can you please give some direction on how I should proceed?
Avatar
cupofteaandabiscuit 12/8/2023 2:53 AM
Can anyone @Cellebrite or elsewhere explain how a particular series of cached images is generated by TikTok in relation to a particular file path? The file path in question is com.zhiliaoapp.musically/files/extract_shot. Obviously it’s TikTok, but it’s the “extract_shot” aspect I am interested in. The still images are taken from a video, and I am wondering if the images I am seeing are created by some sort of user frame-selection process or similar?
Avatar
Avatar
DeeFIR 🇦🇺
I'm not familiar with the structure of the SQLite db for that particular app, and I don't have any test data available to test it. What about using the sqlite CLI set of tools to recursively select each blob field (within a certain table), then export it as a file using writefile, and the name of the file can match the line/key value? I did this a couple of years ago and I have notes somewhere, but it'll take a minute to find them.
Edit: I just created a database called testdb.db. It contains a single table called 'photo', and two fields called photodata (BLOB) and key (NUMERIC). I put binary data of a dog photo in key 1, and a cat in key 2. (see below)
Install sqlite3 tools. The following one-liner will read all id values from the table, echo them into writefile, then write 'export-key-$id' with a matching key ID:
`sqlite3 testdb.db "SELECT key from photo" | while read id; do echo SELECT writefile\(\'export-key-$id.jpg\', photodata\) FROM photo WHERE key = $id\;; done | sqlite3 testdb.db` (edited)
That is awesome! Thanks!!! I will try this out today.
Avatar
@DeeFIR 🇦🇺 I was struggling with the CLI. I played with the commands, but couldn't get results. I know it is from lack of experience. So I started playing with DB Viewer more to see what I could get from it, since it displays the images next to the file path. Lo and behold, you can just select rows and columns and copy and paste directly into a spreadsheet. So now I have a report showing the file path containing the file name next to the actual picture. I would still love to learn how to get sqlite3 working, but at least I found a workaround for the moment. Thanks again for all your assistance. If you get a chance next week, maybe I can pick your brain as to what I was doing wrong.
👍🏻 1
Avatar
Russell Abel - Bastrop County SO 12/8/2023 12:14 PM
I need some help. I have court next week and I'm trying to figure something out. The images are from phone # 512-988-3154. The Service Identifiers show 2 different numbers +16363848922 +19703769769. The number this phone was communicating with is +15129857751. The SMSC is blank. Can someone please explain what is going on?
📫 1
Avatar
Avatar
Russell Abel - Bastrop County SO
I need some help. I have court next week and I'm trying to figure something out. The images are from phone # 512-988-3154. The Service Identifiers show 2 different numbers +16363848922 +19703769769. The number this phone was communicating with is +15129857751. The SMSC is blank. Can someone please explain what is going on?
Isn't the service identifier the number used by the service provider to deliver the message?
👍🏻 1
Avatar
Russell Abel - Bastrop County SO 12/8/2023 12:55 PM
I thought that was only the SMSC.
📩 1
Avatar
Russell Abel - Bastrop County SO 12/8/2023 2:32 PM
Anyone?
Avatar
Avatar
Russell Abel - Bastrop County SO
I need some help. I have court next week and I'm trying to figure something out. The images are from phone # 512-988-3154. The Service Identifiers show 2 different numbers +16363848922 +19703769769. The number this phone was communicating with is +15129857751. The SMSC is blank. Can someone please explain what is going on?
facelessg00n 12/8/2023 5:01 PM
Has the phone been associated with more than one SIM or service?
Avatar
When analyzing iOS attachments, are pluginpayload files anything of interest from iPhones?
Avatar
Avatar
Russell Abel - Bastrop County SO
I need some help. I have court next week and I'm trying to figure something out. The images are from phone # 512-988-3154. The Service Identifiers show 2 different numbers +16363848922 +19703769769. The number this phone was communicating with is +15129857751. The SMSC is blank. Can someone please explain what is going on?
Hans Leißner 12/9/2023 12:06 AM
I would suggest opening the db "mmssms.db" in an SQLite tool. UFED has a built-in tool; you can use DB Browser for SQLite too. The table "sms" should have different columns. This should bring up the correct answer. If I remember correctly, the service provider column is different from the table with the phone number used. Keep in mind that you don't see the phone number of the device you are examining. (edited)
👍 1
Avatar
Anyone having issues with Cellebrite PA getting stuck on parsing Telegram? It's been stuck for over a week now and has not moved past this. Any advice on getting past this would be great.
Avatar
Avatar
KM
Anyone having issues with Cellebrite PA getting stuck on parsing Telegram? It's been stuck for over a week now and has not moved past this. Any advice on getting past this would be great.
Hans Leißner 12/11/2023 4:33 AM
PA Ultra or 7? What version? Have you tried to reprocess? (Stuck only one time?) (edited)
Avatar
Avatar
Hans Leißner
PA Ultra or 7? What version? Have you tried to reprocess? (Stuck only one time?) (edited)
PA 7.65.0.22. Tried it across multiple computers. Also tried just processing Telegram but it's still sticking. It processed fully and opened when excluding Telegram.
Avatar
Avatar
facelessg00n
Has the phone been associated with more than one SIM or service ?
Russell Abel - Bastrop County SO 12/11/2023 6:21 AM
Not that I know of. I did get a message from Cellebrite saying that there was an issue with the SMSC parsing, and that they are working on a fix.
Avatar
Regarding iOS Biome SEGB location data: the horizontal accuracy. Is there documentation somewhere declaring the units this value represents? My assumption is meters, but I'm looking for something more solid than an assumption.
7:36 AM
For example, "Horizontal: 3881.62315491445" to me seems a horribly loose "location" at 3.8 km or 2.4 freedom miles.
7:37 AM
But I also see some that are just 9, which is a whole lot easier to be confident in.
7:38 AM
The specific location data I am referencing was found here: /private/var/mobile/Library/DuetExpertCenter/streams/location/local/703604143453038
Avatar
Anyone else experiencing huge loading times on tagging images and loading .pasx files with image tags on PA 8.7?
Avatar
Avatar
whee30
For example, "Horizontal: 3881.62315491445" to me seems a horribly loose "location" at 3.8 km or 2.4 freedom miles.
8:47 AM
This suggests it's all meters like I had assumed.
Avatar
Avatar
whee30
Regarding iOS Biome SEGB location data: the horizontal accuracy. Is there documentation somewhere declaring the units this value represents? My assumption is meters, but I'm looking for something more solid than an assumption.
CLB_iwhiffin 12/11/2023 11:20 AM
It is meters. It's pretty much always in meters. And yes, 3.8 km is terrible, but it's likely based on a cell site in that case, so not surprising.
👍 1
Avatar
Avatar
KM
Anyone having issues with Cellebrite PA getting stuck on parsing Telegram? It's been stuck for over a week now and has not moved past this. Any advice on getting past this would be great.
CLB_iwhiffin 12/11/2023 11:22 AM
Any idea how big the Telegram database is? If you check inside the zip file for example. DM me or email ian.whiffin@cellebrite.com
Avatar
Avatar
CLB_iwhiffin
It is meters. It's pretty much always in meters. And yes, 3.8 km is terrible, but it's likely based on a cell site in that case, so not surprising.
The man himself! I’m also assuming the distance found in the database is a radius and not diameter, correct? As in whatever location it pinpoints, take a radius of the confidence and draw that circle.
🫡 1
Avatar
Avatar
KM
Anyone having issues with Cellebrite PA getting stuck on parsing Telegram? It's been stuck for over a week now and has not moved past this. Any advice on getting past this would be great.
Any luck with another tool?
Avatar
Avatar
whee30
The man himself! I’m also assuming the distance found in the database is a radius and not diameter, correct? As in whatever location it pinpoints, take a radius of the confidence and draw that circle.
Correct
Avatar
Avatar
whee30
The man himself! I’m also assuming the distance found in the database is a radius and not diameter, correct? As in whatever location it pinpoints, take a radius of the confidence and draw that circle.
CLB_iwhiffin 12/11/2023 11:57 AM
😄 Exactly right!
Avatar
Digital Dude 12/11/2023 2:49 PM
Got a Moto E with Android 10 and I’m looking at images from the following path: com.google.android.apps.nbu.files/cache. Does anyone know if this cache belongs to the Google app?
Avatar
Avatar
Digital Dude
Got a Moto E with Android 10 and I’m looking at images from the following path: com.google.android.apps.nbu.files/cache. Does anyone know if this cache belongs to the Google app?
3:24 PM
If you take your reverse-DNS package name and paste it after https://play.google.com/store/apps/details?id= then you will get the Google Play Store page for whatever app it is.
Avatar
James Pedersen 12/11/2023 5:18 PM
Hi, does anyone here know how to obtain the update (OS update) history of an iPhone from an iTunes backup file of that iPhone?
Avatar
Hi everyone, I'm trying to make an iTunes backup using 3utools with my iPhone 15 Pro with iOS 17.1. However, I am finding that Physical Analyzer does not see WhatsApp. Has anything changed with iOS 17?
Avatar
Hi! I had a Samsung smartphone that was factory reset and then initialized (it started to the home screen, so the setup wizard was somehow completed). The date of the reset taken from /efs/recovery/history was more than one year AFTER the date of the EULA acceptance taken from /data/data/com.sec.android.app.setupwizardlegalprovider/databases/swlpdb.db. Also, the phone date was not synchronized to the real time (it was a few months before the actual date). Can someone explain how this can happen? Maybe after the reset the suspect turned the phone off, the battery died at some point, the RTC reset (while the phone was off) without leaving any trace in any file, then the device was initialized (without connection to any network) and turned off again. Is this plausible? Can anybody explain how the RTC works on modern smartphones? To what date/time does it reset when it runs out of battery?
Avatar
Avatar
Cip
Hi! I had a Samsung smartphone that was factory reset and then initialized (it started to the home screen, so the setup wizard was somehow completed). The date of the reset taken from /efs/recovery/history was more than one year AFTER the date of the EULA acceptance taken from /data/data/com.sec.android.app.setupwizardlegalprovider/databases/swlpdb.db. Also, the phone date was not synchronized to the real time (it was a few months before the actual date). Can someone explain how this can happen? Maybe after the reset the suspect turned the phone off, the battery died at some point, the RTC reset (while the phone was off) without leaving any trace in any file, then the device was initialized (without connection to any network) and turned off again. Is this plausible? Can anybody explain how the RTC works on modern smartphones? To what date/time does it reset when it runs out of battery?
It would be nice if there was some official guide released by the various manufacturers that would tell you what the "start" date/time is every time the device completely discharges.
Avatar
Does anyone know a way to determine the exact time a phone disconnects from a WiFi hotspot? It's iOS 16.1.1.
Avatar
Hi, anyone know where I can find notifications such as water ingress or overheating on iPhones? I can't find them in KnowledgeC or the log files. iOS 16.5.
Avatar
Avatar
manuelevlr
Hi everyone, I'm trying to make an iTunes backup using 3utools with my iPhone 15 Pro with iOS 17.1. However, I am finding that Physical Analyzer does not see WhatsApp. Has anything changed with iOS 17?
Did you try getting an Advanced Logical with UFED 4PC?
Avatar
Avatar
Bodly
Hi, anyone know where I can find notifications such as water ingress or overheating on iPhones? I can't find them in KnowledgeC or the log files. iOS 16.5.
On iOS 16, these notifications are sometimes available in the SEGB files at this path: /private/var/mobile/Library/DuetExpertCenter/streams/userNotificationEvents/local/ (the same format is used for Biome streams). You'd need some luck because the records in these files get deleted once they reach a certain 'age', usually around a month. If you need help with viewing those files you can write me a DM.
👍 1
Avatar
Regarding Chrome cache files, the ones found here: /data/data/com.android.chrome/cache/Cache/Cache_Data/*************_0. I have an FFS extraction on a Samsung; the cache file shows a modified date/time of about 4 minutes prior to the download. The download required a reboot, I believe. Am I correct in assuming this was a product of the phone shutting down and committing cache files into the directories?
9:07 AM
I can't think of anything else that would make sense. The browser was not accessed, and there was no password available on the device, so whatever caused it was either the reboot or the download process itself.
Avatar
I was trying to find a database that tracks the cache but didn’t see one before I had to head out of the office. Will be back later to keep digging.
Avatar
Any Android dev SME available to help answer some questions about .aab files? Please DM me!
👍 1
Avatar
Avatar
GregL
Does anyone know a way to determine the exact time a phone disconnects from a WiFi hotspot? It's iOS 16.1.1.
James Pedersen 12/12/2023 1:41 PM
I think I might know a way, because I've done this analysis before on my own iPhone
James Pedersen
I think I might know a way, because I've done this analysis before on my own iPhone
James Pedersen 12/12/2023 1:47 PM
Obtaining the relevant system logs and then looking for WiFi hotspot disconnects in that log was my approach (edited)
Bodly
Hi, anyone know where I can find notifications such as water ingress or overheating on iPhones? I can't find them in knowledge c or the log files. iOs 16.5.
James Pedersen 12/12/2023 2:42 PM
For overheating, what about in the sysdiagnose output if you look in the "summaries" folder and then go to the "ThermalLogs.log" file? In that file there's a mention of a file /var/log/tgraph.csv (edited)
Does anyone have working knowledge of what the group.com.apple.FileProvider.LocalStorage does? I have files in a Downloads folder in this application. private\var\mobile\Containers\Shared\AppGroup####-####-####-#####\File Provider Storage\Downloads is where the files are. (edited)
6:39 AM
I read the .com.apple.mobile_container_manager.metadata.plist data, but that just gave me some UUIDs. The Google hits look like programmers might be able to use this to store data for their apps.
6:45 AM
I think I partially found my answer on @Magnet Forensics website. https://www.magnetforensics.com/blog/ios-tracking-bundle-ids-for-containers-shared-containers-and-plugins/ Thanks @cScottVance for a great article! However, this doesn't exactly explain the FileProvider.LocalStorage. So if anyone has insight on that, I would appreciate the insight. (edited)
In this blog, Christopher Vance looks at tracking what application is responsible for putting data in a specific place within iOS.
sholmes
I read the .com.apple.mobile_container_manager.metadata.plist data, but that just gave me some UUIDs. The Google hits look like programmers might be able to use this to store data for their apps.
cScottVance 12/13/2023 7:06 AM
Hi there! FileProvider.LocalStorage is used as part of the iOS Files application. I have some info on this as well but I never wrote it into a blog. I covered it in the two part webinar series of Mobile Unpacked but I can also send you over the slides if you'd like them which contain a bunch of info on them.
Thanks @cScottVance
Borderbingo 12/13/2023 9:40 AM
Good morning everyone? Is PA ultra out of Beta?
I have an FFS and User Data extraction from a Samsung phone. The device has a date of December 2, 2022 at 1245. However there are artifacts on the phone after that date. Can someone explain to me how that can happen?
Kattana
I have an FFS and User Data extraction from a Samsung phone. The device has a date of December 2, 2022 at 1245. However there are artifacts on the phone after that date. Can someone explain to me how that can happen?
What does the phone show happened on December 2, 2022 at 1245?
Nothing
Salutations! Has anyone succeeded in decoding a partial/incomplete dump of an Android performed by a Graykey? What is the correct procedure in PA, if at all possible?
hypeman
Salutations! Has anyone succeeded in decoding a partial/incomplete dump of an Android performed by a Graykey? What is the correct procedure in PA, if at all possible?
Open advanced? Gk android, select the keystore and zip
Rob
Open advanced? Gk android, select the keystore and zip
Thank You!! worked like a charm!
You're welcome 🙂
@Cellebrite PA question. I have a case involving Telegram. I have a lot of chat threads with only a single message (I assume they are older ones that have dropped off the device so it only gets the first message). In PA I can see them as blue chat bubbles. When I prepare a HTML or PDF for a dip sample of those messages, I don’t get the chat bubbles only a link to a txt file. I get chat bubbles where I have more than one message. I want the bubbles for pasting into a report
@Magnet Forensics Hi - can someone DM me regarding a support ticket raised back in August as I cannot currently access the customer service portal since the merge with GK - thanks
sky
@Magnet Forensics Hi - can someone DM me regarding a support ticket raised back in August as I cannot currently access the customer service portal since the merge with GK - thanks
Their new Microsoft sign in thing kicked a bunch of people out. My authentication app transferred over from GK to Magnet though, which is nice that I didn't have to re-attach that.
Hey there! We have an iPhone 13, FFS extracted and we have unified logs. In our case it is relevant to know at what time the device made contact with water. Does anyone know IF this is logged anywhere? (My gut feeling says it is not logged) The unified logs are not recent enough to contain touching events. Thanks in advance. (edited)
Peacekeeper
Hey there! We have an iPhone 13, FFS extracted and we have unified logs. In our case it is relevant to know at what time the device made contact with water. Does anyone know IF this is logged anywhere? (My gut feeling says it is not logged) The unified logs are not recent enough to contain touching events. Thanks in advance. (edited)
Gizmononootje 12/14/2023 11:19 PM
Might be a wet detection or a failing charging attempt after it? Also check the battery temp, might drop due to cold water
Gizmononootje
Might be a wet detection or a failing charging attempt after it? Also check the battery temp, might drop due to cold water
This is my first hunch as well, temperature is there somewhere. Don't recall where exactly though. Let us know if you find out 🙂
Gizmononootje
Might be a wet detection or a failing charging attempt after it? Also check the battery temp, might drop due to cold water
Yes and what about screen orientation change?
12:55 AM
Maybe close to temperature drop (or not)
Gizmononootje 12/15/2023 1:02 AM
Also try to locate the whatsapplog, might contain a “ appshake” when dropping in the water
Hans Leißner 12/15/2023 4:18 AM
Hello dear colleagues! Does anyone know of, or does anyone have, a parser for the mmssms.db, or another tip, maybe another software? It concerns the database under Android 2.3.6. Unfortunately, most tools obviously fail when parsing/decoding because the database is so old that it is no longer included in the new releases.
Tools for recovering Call Logs and SMS archives from android partition dumps - GitHub - abbot/android-restore-tools: Tools for recovering Call Logs and SMS archives from android partition dumps
5:07 AM
check if this works
Hans Leißner 12/15/2023 5:11 AM
Thank you Arcain. I'll check ASAP! @Arcain I get some module errors back in those chains. :/ Unluckily I'm not able to solve that (not the Python pro). I will search further (edited)
5:29 AM
I usually use this to convert the db, it's ancient and compiled to exe
5:30 AM
if it fails, I guess you'd be better off writing your own query for sqlite to get the data out
Arcain
if it fails, i guess you'd be better of writing your own query for sqlite to get data out
Hans Leißner 12/15/2023 6:29 AM
True that.. I have no choice but to search for the entries manually using hex. Unfortunately, the client was unable to provide either an exact date or a specific text. Sometime on 01.01.2011 and on 11.11.2014... according to the information. Thank you anyway for trying to help me!
why with hex? Can't load db into sqlite browser?
Arcain
why with hex? Can't load db into sqlite browser?
Hans Leißner 12/15/2023 6:34 AM
I have viewed the mmssms.db with the tools available to me (respective SQLite browsers). However, even with these tools I could not find the messages that I can see with my own eyes on the device. I do not check this completely myself.
Hans Leißner
I have viewed the mmssms.db with the tools available to me (respective SQLite browsers). However, even with these tools I could not find the messages that I can see with my own eyes on the device. I do not check this completely myself.
did you merge the .wal and .db together? Just put them in the same directory and Sanderson and I think DB Browser for SQLite will merge them if you open the db. (edited)
florus
did you merge the .wal and .db together? Just put them in the same directory and Sanderson and I think DB Browser for SQLite will merge them if you open the db. (edited)
Hans Leißner 12/15/2023 6:36 AM
It's an Android 2.3.6.. it has a journal file but this has no info inside. It's a physical image btw. No SD card or SIM card was inside. (edited)
6:41 AM
That's how it looks with a current version of PA. I am missing a lot of messages in readable form that I can see on the device itself. I also can't find any of them in the mmssms.db that I see on the device.
thinking out loud; 7bit-pdu?
florus
thinking out loud; 7bit-pdu?
Hans Leißner 12/15/2023 6:43 AM
I've already thought about that. But there is one big BUT
Hans Leißner
It's an Android 2.3.6.. it has a journal file but this has no info inside. It's a physical image btw. No SD card or SIM card was inside. (edited)
Have you tried other tools like XRY, Oxygen or Axiom?
Hans Leißner 12/15/2023 7:34 AM
yep
Even an old version?
Bobby
Even an old version?
Hans Leißner 12/15/2023 8:04 AM
Yes. The weird thing is.. I couldn't even do an extraction (physical) with other vendors than UFED Premium. No USB debugging worked.. booting into recovery to do a dd with TWRP wasn't possible.. no other options left. Most of the messages I search for are flying around on the NAND memory.
8:04 AM
That device breaks my head 😂😂
8:05 AM
The mmssms.db holds some messages but not all of them, which is weird too.
Bobby
Even an old version?
Hans Leißner 12/15/2023 8:06 AM
Ah now I got you. I already asked CLB to get an old PA version. They'll come back to me (ty Ian). Maybe I'll give it a try on Monday. Downloading an old version of Oxygen (edited)
Hans Leißner
Ah now I got you. I already asked CLB to get an old PA version. They'll come back to me (ty Ian). Maybe I'll give it a try on Monday. Downloading an old version of Oxygen (edited)
Wish you luck 😬
Hans Leißner 12/15/2023 10:11 AM
👨🏻💻🤷🏻‍♂️thanks!
Hans Leißner
👨🏻💻🤷🏻‍♂️thanks!
Did you try ALEAPP by chance? Also, Sanderson Forensic database browser can retrieve changes in the database and will let you know. From my understanding, DB Browser can only see what is in the current SQLite DB. If you open the DB then close it, any WAL or Journal files will be written (which may include instructions to delete). (edited)
Pop quiz - is there a way to open a @Cellebrite PA 7.63 session file in 7.65?
Can someone find out their info? I can’t seem to get a precise answer
rfar
Did you try ALEAPP by chance? Also, Sanderson Forensic database browser can retrieve changes in the database and will let you know. From my understanding, DB Browser can only see what is in the current SQLite DB. If you open the DB then close it, any WAL or Journal files will be written (which may include instructions to delete). (edited)
Hans Leißner 12/17/2023 11:56 AM
Unfortunately.. no Sanderson available. As far as I came.. the SMS I search for are already in the free pages.
Wooah... is it really true that @Cellebrite does NOT parse memo recordings from an iOS device in analyzed data?! 😮 Or is it just me?....
j_matas
Wooah... is it really true that @Cellebrite does NOT parse memo recordings from an iOS device in analyzed data?! 😮 Or is it just me?....
In one case I have found the voice memos under audio files. They are not specifically sorted in a category.
tost
In one case I have found the voice memos under audio files. They are not specifically sorted in a category.
exactly.. you have to find them there. Makes no sense that they are not sorted in a category
From an advanced logical acquisition of an iPhone 14 (iOS 16.6), is it possible to establish when an application (Whatsapp) has been uninstalled?
j_matas
exactly.. you have to find them there. Makes no sense that they are not sorted in a category
You are right, it would be much better if it sorted under the application name (messenger) like the chats.
j_matas
Wooah... is it really true that @Cellebrite does NOT parse memo recordings from an iOS device in analyzed data?! 😮 Or is it just me?....
Hey, we're aware of this and we have a fix ready. It should be available in the upcoming release.
j_matas
Wooah... is it really true that @Cellebrite does NOT parse memo recordings from an iOS device in analyzed data?! 😮 Or is it just me?....
CLB_joshhickman1 12/18/2023 1:11 PM
What type of extraction do you have, and from what iOS version?
Anyone know what timezone the cache_encryptedC.db uses? Is it the same as the phone or apple time?
CLB-ShaiS
Hey, we're aware of this and we have a fix ready. It should be available in the upcoming release.
awesome thanks 🙂
CLB_joshhickman1
What type of extraction do you have, and from what iOS version?
It's an iPhone XR, iOS 16.6.1... but you seem to be aware so that's super cool 🙂
Does information in the KnowledgeC sync between Apple products?
Hello, does anyone know what /audio/outputRoute means in the knowledgeC database? I have got a case regarding a road traffic collision and looking at device connectivity. Thanks in advance
tessallen
Hello, does anyone know what /audio/outputRoute means in the knowledgeC database? I have got a case regarding a road traffic collision and looking at device connectivity. Thanks in advance
https://belkasoft.com/knowledgec-database-forensics-with-belkasoft seems like when the device produced audio, should also see the mac address of the speakers played through
tessallen
Hello, does anyone know what /audio/outputRoute means in the knowledgeC database? I have got a case regarding a road traffic collision and looking at device connectivity. Thanks in advance
ScottKjr3347 12/19/2023 10:51 AM
zotl54321 started a thread. 12/20/2023 6:39 AM
Hi Guys, I have a ffs of an iPhone 6s with OS 15.4.1. I'm desperately looking for location data in this case. The routined cache database and wal file have dates and locations that show dates a week after the dates I'm interested in. Has anyone used any tools that might be able to rebuild or carve any location data that was lost? Or, any other ideas on acquiring other location data? CDRs were not helpful nor was geofencing.
Disregard. I think I have it figured out.
Hans Leißner 12/21/2023 12:31 AM
Hello and good morning! I have a question regarding the Vacuum function in SQLite. I am currently trying to familiarize myself with this area and based on my previous research I was of the opinion that the information on vacuuming can be found at offset 64-67: 00.. - Auto vacuum enabled, 01.. - Disabled. In the SQLite database I am working on (mmssms.db, Android 2.3.6 - so a bit older), the pragmas in DB Browser for SQLite show Auto vacuum FULL. In the hex view I can see 05... . How can I interpret this? Is there any other information about vacuuming apart from 00... and 01...? It would be great if someone could help me a little. Thanks to all 🙂
12:32 AM
12:33 AM
EDIT: Maybe I just found the correct answer: Offset 64 for 4 bytes - True (non-zero) for incremental-vacuum mode. That 5 (it is non-zero) is a true. False (zero) otherwise. I hope I did not misinterpret something (edited)
Does anyone know of a method of converting .exo files extracted from Snapchat into fully viewable videos?
Hans Leißner
Hello and good morning! I have a question regarding the Vacuum function in SQLite. I am currently trying to familiarize myself with this area and based on my previous research I was of the opinion that the information on vacuuming can be found at offset 64-67: 00.. - Auto vacuum enabled, 01.. - Disabled. In the SQLite database I am working on (mmssms.db, Android 2.3.6 - so a bit older), the pragmas in DB Browser for SQLite show Auto vacuum FULL. In the hex view I can see 05... . How can I interpret this? Is there any other information about vacuuming apart from 00... and 01...? It would be great if someone could help me a little. Thanks to all 🙂
If I'm remembering correctly ANY value other than 0 means auto vacuum is on.
Alex Owen
Does anyone know of a method of converting .exo files extracted from Snapchat into fully viewable videos?
Open it with VLC?
The file only plays the first 2 seconds of the 20 second video, the frame freezes after this
Terry_____
If I'm remembering correctly ANY value other than 0 means auto vacuum is on.
Hans Leißner 12/21/2023 4:17 AM
Hi Terry! Thanks for the reply. That confirms my assumption. I was of the opinion that you can only find 1 or 0 here. Do you happen to know how to recognize manipulated databases? xD For example, if someone exports the db itself, makes changes in the tables and re-inserts them into the device? Or does that not lead to anything? It's all pretty new to me... so I don't know any indicators for such an approach. (edited)
Hans Leißner 12/21/2023 5:46 AM
That probably doesn't help me either...
Hans Leißner
Hi Terry! Thanks for the reply. That confirms my assumption. I was of the opinion that you can only find 1 or 0 here. Do you happen to know how to recognize manipulated databases? xD For example, if someone exports the db itself, makes changes in the tables and re-inserts them into the device? Or does that not lead to anything? It's all pretty new to me... so I don't know any indicators for such an approach. (edited)
That I don't know. Hasn't been something I've had to be concerned about. Maybe start with a background on the device owner to see if he's even capable. Does he work in IT or tech, does he have DB software on other devices, that sort of thing.
Terry_____
That I don't know. Hasn't been something I've had to be concerned about. Maybe start with a background on the device owner to see if he's even capable. Does he work in IT or tech, does he have DB software on other devices, that sort of thing.
Hans Leißner 12/21/2023 6:06 AM
This is the telephone of a deceased person. He himself had no reason to manipulate the database. If he did, it was done externally by an expert after his death. At least that is the assumption of the deceased's brother. I will have to try to find clues in the device logs as to whether adb commands were carried out. Because somehow the DB had to be exported and imported again. Let's see. Thank you in any case!
Hans Leißner
Hello and good morning! I have a question regarding the Vacuum function in SQLite. I am currently trying to familiarize myself with this area and based on my previous research I was of the opinion that the information on vacuuming can be found at offset 64-67: 00.. - Auto vacuum enabled, 01.. - Disabled. In the SQLite database I am working on (mmssms.db, Android 2.3.6 - so a bit older), the pragmas in DB Browser for SQLite show Auto vacuum FULL. In the hex view I can see 05... . How can I interpret this? Is there any other information about vacuuming apart from 00... and 01...? It would be great if someone could help me a little. Thanks to all 🙂
According to my book, header byte 52 (for 4 bytes) is also Auto-Vacuum b-tree page. Anything other than zero indicates a pointer map table is present. (sorry for the limited info, I am still learning this myself) (edited)
rfar
According to my book, header byte 52 (for 4 bytes) is also Auto-Vacuum b-tree page. Anything other than zero indicates a pointer map table is present. (sorry for the limited info, I am still learning this myself) (edited)
Hans Leißner 12/21/2023 6:12 AM
no worries! thank you for the input. At 52 i got the zeros.
(KAOS) ReacherJ 12/21/2023 7:11 AM
Anyone know of any subject matter experts in Snapchat in the UK? We have a case at Crown Court that has been adjourned until March and have some questions the Judge wants answered.
Is there a way to convert or properly import an iOS keychain in XML format produced by @Elcomsoft iOS Toolkit (FFS) into @Cellebrite or @Magnet Forensics ? They both only take in the graykey .plist format for the keychain afaik.
CLB_joshhickman1 12/21/2023 9:13 AM
In PA 7, you can choose the Open (Advanced) flow, select "Select Device", and then search for Elcomsoft, select Elcomsoft FFS, and then you should be prompted for the archive plus XML file.
9:13 AM
perfect! didn't even realize they added a profile for this
9:14 AM
thanks a lot
Mistercatapulte 12/21/2023 10:16 AM
@FunkeDope in PA 8.7 or 8.8 you have the option directly on the principal board. cheers (edited)
@Magnet Forensics Hi! In Axiom I used to go to File system explorer, right click on a folder and choose "Save file / folder to ZIP". I remember that the exported files were having their original dates. I'm not sure how the carved files (the ones that did not have a created/accessed/modified date) were treated. However, now, in the latest 7.8 version of Axiom, ALL dates of all the files within the archive are the export date (when I create the zip file). Is this a known issue? Am I doing something wrong?
Hans Leißner
Hi Terry! Thanks for the reply. That confirms my assumption. I was of the opinion that you can only find 1 or 0 here. Do you happen to know how to recognize manipulated databases? xD For example, if someone exports the db itself, makes changes in the tables and re-inserts them into the device? Or does that not lead to anything? It's all pretty new to me... so I don't know any indicators for such an approach. (edited)
A simpler route may be to get a stock version of the database using the same app version and see if vacuum is implemented. It is pretty common these days. https://android.stackexchange.com/questions/14910/where-can-find-older-versions-of-apps
Is is possible to download older versions of Android applications? Is there some kind of online archive for all versions of Android apps? Like how you can find older versions of some Windows app.
char|i3
A simpler route may be to get a stock version of the database using the same app version and see if vacuum is implemented. It is pretty common these days. https://android.stackexchange.com/questions/14910/where-can-find-older-versions-of-apps
Hans Leißner 12/23/2023 4:24 AM
Oh, cool! Thanks for the info. I'll test that immediately in the next service.
4:31 AM
The date (last modification) was promising. However, someone had already tried to reconstruct the deleted sms on their own using dr.fone. -.-
Hi, I have some pdf files in 'knox/sd card/150/Downloads' which I am unable to open. Could this be because I haven't been able to unlock the secure folder and the contents of the file are still encrypted, or is there another reason? This phone has TeamWin so not sure if this might be changing stuff too
KM
Hi, I have some pdf files in 'knox/sd card/150/Downloads' which I am unable to open. Could this be because I haven't been able to unlock the secure folder and the contents of the file are still encrypted, or is there another reason? This phone has TeamWin so not sure if this might be changing stuff too
chrisforensic 12/23/2023 5:43 AM
Seems "SecureFolder" is activated on the phone and SecureFolder is closed, so the files inside are encrypted. The "150" is a hint for this 😉 (edited)
5:43 AM
chrisforensic
Seems "SecureFolder" is activated on the phone and SecureFolder is closed, so the files inside are encrypted. The "150" is a hint for this 😉 (edited)
That's great!!! Thank you!
Hi. Does Instagram Lite (252.0.0.6.119) really not save messages locally? Thanks.
Working on an iPhone XR, which has a shared Apple ID with 5 other family devices. Using @Magnet Forensics Axiom, I can see there is information in Biome Application Launch which shows the application has usage on days of interest, but they are listed as Remote. Using @cScottVance website and explanation of this phenomenon, I went to Biome's sync DB. In the DevicePeer table I find a GUID in the device_identifier column, as well as iOS version models in the "model" column. The GUID is the one which is listed in Axiom as being the REMOTE device. Is there a way to specifically link a device to the GUID? The phone I think did the action does have a matching iOS model as the version found in the DB. But I don't want to make an assumption or fall into confirmation bias here. Any suggestions or help is appreciated.
has anyone had any issues getting iLEAPP to run on python 3.12.x? I have a new machine we are loading up and we get dependency issues with wheel creation for mmh3 and pyliblzfse that only seem to exist on the 3.12.x python side.
2:29 PM
it runs fine in 3.11x
so, I'm looking at the keychain for an iOS 17 device. And I notice everything is different...
12:54 AM
instead of keys like acct and base64 data, i see a lot of <key>clas</key><integer>11</integer><key>rowid</key><integer>9</integer> stuff..
12:54 AM
anyone know what exactly the difference is in the keychain? Seems like Apple uses a whole new approach?
I am looking at the healthdb of an iOS device. With the current query (APOLLO github) I am getting a lot of NULL values for the heart rate. It seems that older entries do have values, just not recent ones. Anyone know what's up?
Tube
I am looking at the healthdb of an iOS device. With the current query (APOLLO github) I am getting a lot of NULL values for the heart rate. It seems that older entries do have values, just not recent ones. Anyone know what's up?
@Sarah Edwards (SANS/BlackBag) No idea if she is active here
Tube
I am looking at the healthdb of an iOS device. With the current query (APOLLO github) I am getting a lot of NULL values for the heart rate. It seems that older entries do have values, just not recent ones. Anyone know what's up?
Isn't the "quantity" column just samples/sec? So multiply by 60 to get beats/min . Seems to be true in these examples as well: https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
Presentation Archives for my macOS and iOS Related Research - mac4n6/Presentations
locked myself out of the CLB portal, anyone from @Cellebrite able to help me out? 😂
Looking for information about the folder "/../../../../Data/Application/<Snapchat App ID>/Library/Caches/SCPersistentMedia/" found in a Snapchat installation on iOS. Anyone know what it is commonly used for and under which specific circumstances files end up there? I've found some support (both here in the chat, and online) that it may be used for saved items. I tried to recreate it though, using a lab-phone, and saved different kinds of files in different ways in Snapchat, but none of them ended up in that folder. Any further information, or sources online, would be very appreciated!
m_l
Looking for information about the folder "/../../../../Data/Application/<Snapchat App ID>/Library/Caches/SCPersistentMedia/" found in a Snapchat installation on iOS. Anyone know what it is commonly used for and under which specific circumstances files end up there? I've found some support (both here in the chat, and online) that it may be used for saved items. I tried to recreate it though, using a lab-phone, and saved different kinds of files in different ways in Snapchat, but none of them ended up in that folder. Any further information, or sources online, would be very appreciated!
CLB_iwhiffin 1/2/2024 5:29 AM
Previously when I tested, this path was used to save media files attached to a chat. Not Snaps, but if user A attached a video from their Gallery and sent to user B, it would save in user B's SCPersistentMedia folder.
florus
@Sarah Edwards (SANS/BlackBag) No idea if she is active here
Yes correct. Thank you. The values make sense now
Jackds
Isn't the "quantity" column just samples/sec? So multiply by 60 to get beats/min . Seems to be true in these examples as well: https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
CLB_iwhiffin 1/2/2024 5:30 AM
Exactly that, they changed recently from Beats per Minute to Beats per Second because 'Apple'.
CLB_iwhiffin
Previously when I tested, this path was used to save media files attached to a chat. Not Snaps, but if user A attached a video from their Gallery and sent to user B, it would save in user B's SCPersistentMedia folder.
Thanks @CLB_iwhiffin !
@Oxygen Forensics Is anyone around for a quick question?
loo
@Oxygen Forensics Is anyone around for a quick question?
Oxygen Forensics 1/2/2024 8:19 AM
Of course, please shoot me a message 🙂
CLB_iwhiffin
Exactly that, they changed recently from Beats per Minute to Beats per Second because 'Apple'.
forensicmike @Magnet 1/2/2024 8:55 AM
at least it isn't beats per NSMutableDictionary 🫠
Anyone know what the 'bot_profile_info' table in burbn.instagram/messagingMailbox/ig-msys.db is? Just curious
Has anyone had the same problem that PA Ultra 8.8 takes very long to process? I had to process extractions and it took very long, but it had to be finished. After closing the processing and reopening it, I could see the finished processed extractions to examine. The program is installed on an SSD. @Cellebrite (edited)
tost
Has anyone had the same problem that PA Ultra 8.8 takes very long to process? I had to process extractions and it took very long, but it had to be finished. After closing the processing and reopening it, I could see the finished processed extractions to examine. The program is installed on an SSD. @Cellebrite (edited)
The last 8.7 and 8.8 versions of the software are very slow after processing; did a fresh reinstall, but still everything works very slowly and eats a lot of RAM at PC start.
Anjo
The last 8.7 and 8.8 versions of the software are very slow after processing; did a fresh reinstall, but still everything works very slowly and eats a lot of RAM at PC start.
My PC was newly installed a few weeks ago and those were the second and third extractions which were processed after that. PA Ultra is not very satisfactory yet. I hope PA7 will still be alive until the problems with Ultra are solved. 😅 (edited)
Arlakossan 1/5/2024 5:23 AM
Anyone ever had an experience with the GMS Context DB? context_username_gmail.com.db
Is there an issue in Cellebrite PA / Ultra with 2024 timestamps? @Cellebrite
Chris
Is there an issue in Cellebrite PA / Ultra with 2024 timestamps? @Cellebrite
Yes, fix should come in a few days according to the forum
Chris
Is there an issue in Cellebrite PA / Ultra with 2024 timestamps? @Cellebrite
CLB_joshhickman1 1/5/2024 5:50 AM
Correct. As Markus mentioned, more information is in the forum notes.
Thanks
Chris
Is there an issue in Cellebrite PA / Ultra with 2024 timestamps? @Cellebrite
CLB_iwhiffin 1/5/2024 6:02 AM
There is a post about it here : https://community.cellebrite.com/s/question/0D57Q00002Ghn9GSAR/physical-analyzer-765-ultra-88-timestamp-issue-2024 We should have the new 7.66 available in the next few days.
Anyone with experience analyzing iwc_dump.txt from Samsung? Which events are of interest when trying to determine if the device is connected to a certain wifi network, when it disconnects, etc.? The goal is for it to support or refute a hypothesis about where the device is located in given time frames.
Avatar
Avatar
Kazhulu
Anyone with experience analyzing iwc_dump.txt from Samsung? Which events are of interest when trying to determine if the device is connected to a certain wifi network, when it disconnects, etc.? The goal is for it to support or refute a hypothesis about where the device is located in given time frames.
CLB_iwhiffin 1/5/2024 7:05 AM
We mentioned it briefly in our locations presentation a year or 2 back. If you need specific information I am happy to try looking at it again
👍 1
Avatar
Yeah I think I found some of the mentioned material in relation to a CTF from you guys. What I would really love, is a breakdown of the different events/artifacts to sort though it. Do you know of anything like that?
Avatar
Hi guys, I am looking at the routineD cache.sqlite database in the ZRTCLLOCATIONMO table and seeing a column for ZSPEED. A value I'm currently looking at is 35.6199989318848. I know this value is meters per second. Cellebrite does not seem to parse ZSPEED from the table. Can anyone tell me how to take that value and translate it into hex?
Avatar
Avatar
Cenizas
Hi guys, I am looking at the routineD cache.sqlite database in the ZRTCLLOCATIONMO table and seeing a column for ZSPEED. A value I'm currently looking at is 35.6199989318848. I know this value is meters per second. Cellebrite does not seem to parse ZSPEED from the table. Can anyone tell me how to take that value and translate it into hex?
Terry_____ 1/5/2024 5:39 PM
Why do you want to convert it into hex code? Do you mean how to manually parse it into the report?
Avatar
Avatar
Cenizas
Hi guys, I am looking at the routineD cache.sqlite database in the ZRTCLLOCATIONMO table and seeing a column for ZSPEED. A value I'm currently looking at is 35.6199989318848. I know this value is meters per second. Cellebrite does not seem to parse ZSPEED from the table. Can anyone tell me how to take that value and translate it into hex?
Terry_____ 1/5/2024 5:43 PM
According to CyberChef that value converted to hex is 33 35 2e 36 31 39 39 39 38 39 33 31 38 38 34 38
Avatar
ScottKjr3347 1/5/2024 9:05 PM
I wanted to share some recent research for these artifacts (iOS routined cache.sqlite and device speed). The researchers are from the Netherlands Forensic Institute. The research discusses other storage locations for this type of data and some great details about the variances observed. Special thanks to Aart Spek for contacting me and making me aware of their research. https://www.researchgate.net/publication/374912713_Validity_of_iPhone_speed_loggings_under_crash_conditions (edited)
🪄 2
Avatar
Can anyone provide a simplified answer as to why a physical extraction can be performed on some devices but only a FFS on others
Avatar
Avatar
rylee25
Can anyone provide a simplified answer as to why a physical extraction can be performed on some devices but only a FFS on others
9:04 AM
FDE != FBE
👍 1
Avatar
Avatar
Arlakossan
Anyone ever had an experience with the GMS Context DB? context_username_gmail.com.db
Yes, PA decodes it but feel free to reach out in DM if you have any specific question
✉️ 1
Avatar
Hi, is there a way to search the notes field I added in Oxygen? @Oxygen Forensics
Avatar
hello everyone, is it possible to use the "minidump plugin" with PA 8? @Cellebrite
📬 1
Avatar
Avatar
Flavius
Hi, is there a way to search the notes field I added in Oxygen? @Oxygen Forensics
Oxygen Forensics 1/8/2024 12:43 AM
Hello! Sadly, not at this moment. But there should be, sounds like a good idea. I will file a suggestion request for this 🙂
👍 1
Avatar
chrisforensic 1/8/2024 12:45 AM
status: waiting for the release of PA 7.66 .... ⏲️
😅 2
👀 1
👍 1
Avatar
Avatar
Oxygen Forensics
Hello! Sadly, not at this moment. But there should be, sounds like a good idea. I will file a suggestion request for this 🙂
Ok, thank you
2:51 AM
yes
📬 1
Avatar
chrisforensic 1/8/2024 3:39 AM
heyho, someone from @Cellebrite here for short question? ... found something strange using new PA 7.66 BETA 📫
📬 2
Avatar
Avatar
PieR
hello everyone, is it possible to use the "minidump plugin" with PA 8? @Cellebrite
CLB-DannyTheModeler 1/8/2024 3:56 AM
@PieR - It's currently in development, once its available I can update you.
👍 1
Avatar
@Cellebrite Are you aware of decoding issues in Android 14 regarding call logs and sms/mms? Timestamps aren't parsed, call logs don't match with the db, etc. Anyone else seeing this? (edited)
📬 1
Avatar
Avatar
CLB_iwhiffin
We mentioned it briefly in our locations presentation a year or 2 back. If you need specific information I am happy to try looking at it again
What I would like to know more about is the difference of "Auto Disconnection Event", "Network disconnected event (intermediate)", "Connecting event" and "Network connected event(intermediate)".
3:45 AM
Also, what could lead to a several hours gap in events? I have one event that is "Good link" and the next line is "Poor link" almost 12 hours later. Both are to the same Network. There are no records of Disconnection between them.
Avatar
Avatar
Kazhulu
What I would like to know more about is the difference of "Auto Disconnection Event", "Network disconnected event (intermediate)", "Connecting event" and "Network connected event(intermediate)".
CLB_iwhiffin 1/9/2024 6:41 AM
That's deeper than we went. But I will try to take a look. Good questions.
🙏 2
Avatar
Hi guys, I've got 2x Samsung S20 FFS extractions, Prem & GK, that's presented me with readable Keepsafe (com.kii.safe) directories, I can see the contents/file names and sizes etc., but the contents (mainly media) are unreadable. I can't see the app on the device so I assume the user removed it. Is there anything I can do with the extraction data to make it readable? (edited)
Avatar
Avatar
slipd
Hi guys, I've got 2x Samsung S20 FFS extractions, Prem & GK, that's presented me with readable Keepsafe (com.kii.safe) directories, I can see the contents/file names and sizes etc., but the contents (mainly media) are unreadable. I can't see the app on the device so I assume the user removed it. Is there anything I can do with the extraction data to make it readable? (edited)
Maybe you can check with ALEAPP Image Manager Cache module and see if there is something from Keepsafe there
👍🏻 1
Avatar
Someone from @Cellebrite for short question? question about new PA 7.66 beta and release
📬 1
Avatar
Using a tool like cellebrite with a before first unlock phone, what information can you pull iPhone vs Android? What about after first unlock? I can't seem to find a good source on this.
Avatar
Avatar
silvance.
Using a tool like cellebrite with a before first unlock phone, what information can you pull iPhone vs Android? What about after first unlock? I can't seem to find a good source on this.
Terry_____ 1/9/2024 4:29 PM
BFU extractions pull data that has come into the device before the databases have been unencrypted, i.e. the phone switches to AFU. As well as some low level system stuff the device needs to function or non-user data Apple determined doesn't need to be encrypted. Essentially the device can't write to an encrypted database/file, so that new data sits unencrypted in temp caches until it can be committed to where it's trying to go. A device that is AFU has a pretty good portion of the databases unencrypted, so data can quickly be written to them. The tools can grab this unencrypted data. @CLB_iwhiffin talked about it in a webinar a couple of months ago.
Avatar
Does someone know how to determine a possible former set passcode on an Android device, like the passcode history of an iPhone? I have an unlocked Android device and an iPhone from the suspect, but the iPhone has a 6-digit unknown passcode and is locked. I have done a BFU extraction, but I have not found a reference to a passcode. (edited)
Is It Done Yet? started a thread. 1/10/2024 4:51 AM
Avatar
Avatar
Bobby
Maybe you can check with ALEAPP Image Manager Cache module and see if there is something from Keepsafe there
Tried, nothing returned unfortunately. Thanks though!
☹️ 1
Avatar
Hi! I require assistance with understanding and manually linking files in analysis of Discord in an iOS device please. Can someone with appropriate knowledge reach out to me please?
Avatar
Avatar
FabianoQ
Hi everyone. Question: finding a copy of a video in "\media\WhatsApp.Shared" whatsapp folder is a PROOF that this file has been sent to someone else?
Mistercatapulte 1/10/2024 6:39 AM
Did you find an answer? I have the same question
Avatar
No, unfortunately
Avatar
Mistercatapulte 1/10/2024 6:42 AM
@FabianoQ thx
Avatar
Avatar
slipd
Hi guys, I've got 2x Samsung S20 FFS extractions, Prem & GK, that's presented me with readable Keepsafe (com.kii.safe) directories, I can see the contents/file names and sizes etc., but the contents (mainly media) are unreadable. I can't see the app on the device so I assume the user removed it. Is there anything I can do with the extraction data to make it readable? (edited)
The Keepsafe files are encrypted on the device and also in an online folder hosted by Getkeepsafe. If you have Keepsafe still installed on the device then it may be possible to decrypt them. There are a couple of papers on how to decrypt them, including https://www.researchgate.net/figure/The-decryption-procedure-for-media-files-in-Keepsafe_fig1_318858478 If you don't have the Keepsafe App installed then as far as I know the only way to get the files is from the online storage. What may be of value to you is that the encrypted files are in their own individual folders and the folder names are the Hash value of the unencrypted version of the file (it's either MD5 or SHA1, I can't remember which)
👍🏻 1
Avatar
Avatar
slipd
Tried, nothing returned unfortunately. Thanks though!
The folders I meant are within the '.keepsafe/manifest/primary'
👍🏻 1
Avatar
Joe 🍿🍺 1/11/2024 1:45 AM
An iPhone 8 was seized and put in flight mode on the 10th of April 2021. An FFS extraction was made the same day or a few days after. But in the UFED report there are several locations with even later timestamps, and the source is: Documents/GMSCacheStorage-AZSpotlightStorageModel/GMSCacheStorageAZSpotlightStorageModel/AZSpotlightStorageModel.sqlite. Unless someone removed flight mode and it connected, how could this be explained? Could an earlier search of one of the locations show up with a later timestamp?
Avatar
Happy new year everyone!
2:16 AM
Quick Android question : Apple guys in the office can't stop working with Unified Logs, are there such logs on Android?
Avatar
Avatar
Joe 🍿🍺
An iPhone 8 was seized and put in flight mode on the 10th of April 2021. An FFS extraction was made the same day or a few days after. But in the UFED report there are several locations with even later timestamps, and the source is: Documents/GMSCacheStorage-AZSpotlightStorageModel/GMSCacheStorageAZSpotlightStorageModel/AZSpotlightStorageModel.sqlite. Unless someone removed flight mode and it connected, how could this be explained? Could an earlier search of one of the locations show up with a later timestamp?
Hard flight mode or light flight mode. Meaning :
  • hard mode, from settings
  • light mode, from quick menu
Light flight mode is not for ever but only for 24/48h
Was location service switched to off in settings too?
Avatar
Hi everyone, I am analysing Discord in an iOS device and trying to determine whether certain images had been shared in any chats or channels. Is there a database or file that may contain such data of where certain images/videos had been shared within Discord?
Avatar
Avatar
Lolokidd
Quick Android question : Apple guys in the office can't stop working with Unified Logs, are there such logs on Android?
Mattia Epifani 1/11/2024 4:11 AM
The most similar thing to unified logs in Android is generating a bug report and extracting data with dumpsys and similar commands.
this 2
Avatar
Avatar
Bobby
Hard flight mode or light flight mode. Meaning :
  • hard mode, from settings
  • light mode, from quick menu
Light flight mode is not for ever but only for 24/48h
Was location service switched to off in settings too?
Joe 🍿🍺 1/11/2024 4:38 AM
Not sure but very likely a light mode. Can the type be seen in the extraction somewhere you think? But the location seen at that time was not near our office, instead very far away but still an extremely important location to the case. But not at that time but earlier..
Avatar
Avatar
Joe 🍿🍺
Not sure but very likely a light mode. Can the type be seen in the extraction somewhere you think? But the location seen at that time was not near our office, instead very far away but still an extremely important location to the case. But not at that time but earlier..
Maybe in activity logs but i don't know if there is more than 1 kind of flight mode listed there
Avatar
Avatar
Alex Owen
Hi everyone, I am analysing Discord in an iOS device and trying to determine whether certain images had been shared in any chats or channels. Is there a database or file that may contain such data of where certain images/videos had been shared within Discord?
Introduction I recently had a case involving Discord where the case investigator had observed images within the thread on an iPhone but they were not appearing in the threads in Cellebrite Physical Analyzer. The investigator described the images to me and I was able to locate them in a folder associated with Discord so I
Avatar
Avatar
Mattia Epifani
The most similar thing to unified logs in Android is generating a bug report and extracting data with dumpsys and similar commands.
Thanks for that!!! I've had a quick look, lots of things to try there...
Avatar
Mistercatapulte 1/11/2024 6:51 AM
PA 7.66 is rlz guys
this 2
Avatar
Is there a way to tell when the retention setting was changed from say 1 year to Forever?
Avatar
Avatar
Joe 🍿🍺
Not sure but very likely a light mode. Can the type be seen in the extraction somewhere you think? But the location seen at that time was not near our office, instead very far away but still an extremely important location to the case. But not at that time but earlier..
I've also seen where Flight mode does not turn off WiFi.
this 1
Avatar
Avatar
Lolokidd
Thanks for that!!! I've had a quick look, lots of things to try there...
Mattia Epifani 1/12/2024 12:25 AM
I am planning some blog posts on this topic during the year…I just need to find a way to double my time 😂
😂 1
Avatar
Let me know if you do, I actually think I’ll try and find someone with time for research to work on it! 😅
Avatar
does anyone have any idea how to interpret netstats/uid.<timestamp> files?
1:46 AM
the only tool that has parsed them is Cellebrite but it's lumped the times together in two hour chunks and I need it more granular
1:47 AM
I need to show a suspect connected to a wifi network at a certain time and this is the only location this phone seems to have stored this information - it's a Samsung Galaxy A3 running android 7
1:47 AM
we weren't able to get a router download at the scene because no one can work out who manages the network in order to give us the password...
Avatar
Hello, does anyone know if there is a way to stop the minidump creator plugin on PA7?
Avatar
Seeing in Cellebrite PA that the decryption key for Rubin could not be found - this might be why I've noticed Rubin not being decoded for some time now. Has the decryption key been moved or removed from keystone?
7:03 AM
If it's been moved and can still be used, is there a guide to decrypt the databases? (edited)
Avatar
@Cellebrite how long should it take for PA Ultra to start? Installed version 8.8.100.46 recently. But for some reason it gets stuck at 14%... (several minutes already) Never really used it, but this isn't convincing me to switch from PA to PA Ultra..
📬 1
Avatar
Mattia Epifani 1/12/2024 11:12 AM
That’s a big issue. As you said, PA is the only tool that works on this artifact. It works great, but I don’t know if the 2-hour timeframe is a choice of how to show the parsed data or the real way in which raw data is stored in the file. It is definitely a great artifact to “geolocate” a phone, especially when connected to a WiFi network. The Android component of the source code detailing this feature should be this one https://android.googlesource.com/platform/frameworks/base/+/e098050/services/java/com/android/server/net/NetworkStatsService.java I am not aware of any free/open tool or library to parse them, so it’s worth investing some time in researching it.
💡 1
👍 1
Avatar
Question, anyone aware of a way to recover/decode Samsung Secure Folder password, after you already have the secure folder partition extracted? Kinda want the password for other containers. Not sure if it's even possible. I have physical and filesystem Samsung's dumped with secure folder decrypted and extracted. I know you would rework and brute force with advanced extraction tools but feel like this data has to be present, especially on the decrypted physical. Any ideas?
Avatar
James Pedersen 1/13/2024 4:51 PM
Hi, does anyone know of a good software tool for recovering frames out of a corrupted .mp4 video?
Avatar
Ffmpeg
5:25 PM
ffmpeg -err_detect ignore_err -i corrupted_file.mp4 -vsync 0 output_frame%03d.png
🔥 2
Avatar
Avatar
James Pedersen
Hi, does anyone know of a good software tool for recovering frames out of a corrupted .mp4 video?
For broken/corrupted files where there is data missing for playback (not a complete file with proprietary or format non-compliant data complicating playback) it depends if you have a known working file from the same camera. If it is broken/corrupted and you have a working example tools like Grau video repair or mp4 repair should do the trick. If you don’t have a working example it becomes a much more difficult and manual process. If that is the case feel free to DM me for more info.
Avatar
Avatar
chms17
the only tool that has parsed them is Cellebrite but it's lumped the times together in two hour chunks and I need it more granular
asking again in the vague hope someone who knows something might have missed this... we now have a router download but it doesn't appear to be very useful
Avatar
Avatar
chms17
asking again in the vague hope someone who knows something might have missed this... we now have a router download but it doesn't appear to be very useful
CLB_joshhickman1 1/15/2024 6:38 AM
As @Mattia Epifani alluded to, the 2-hour aggregation is a result of how Android stores the raw data, and not a design choice for PA. Typically the buckets (files) are in 2-hour chunks and store the aggregate for a UID within that two hour window.
✨ 1
Avatar
Avatar
CLB_joshhickman1
As @Mattia Epifani alluded to, the 2-hour aggregation is a result of how Android stores the raw data, and not a design choice for PA. Typically the buckets (files) are in 2-hour chunks and store the aggregate for a UID within that two hour window.
Ahh thank you, apologies I didn't realise @Mattia Epifani message was aimed at me, thank you Mattia, and thanks Josh for the tldr version!
🙂 1
Avatar
Avatar
ross4n6
Question, anyone aware of a way to recover/decode Samsung Secure Folder password, after you already have the secure folder partition extracted? Kinda want the password for other containers. Not sure if it's even possible. I have physical and filesystem Samsung's dumped with secure folder decrypted and extracted. I know you would rework and brute force with advanced extraction tools but feel like this data has to be present, especially on the decrypted physical. Any ideas?
Did you get a solution?
Avatar
Avatar
Mr.Robot
Did you get a solution?
No joy, on multiple listserv and groups
Avatar
Avatar
Brandon E
For broken/corrupted files where there is data missing for playback (not a complete file with proprietary or format non-compliant data complicating playback) it depends if you have a known working file from the same camera. If it is broken/corrupted and you have a working example tools like Grau video repair or mp4 repair should do the trick. If you don’t have a working example it becomes a much more difficult and manual process. If that is the case feel free to DM me for more info.
James Pedersen 1/15/2024 6:44 PM
In this case the corrupted video is a .mp4 screen recording video
Avatar
Avatar
Brandon E
For broken/corrupted files where there is data missing for playback (not a complete file with proprietary or format non-compliant data complicating playback) it depends if you have a known working file from the same camera. If it is broken/corrupted and you have a working example tools like Grau video repair or mp4 repair should do the trick. If you don’t have a working example it becomes a much more difficult and manual process. If that is the case feel free to DM me for more info.
James Pedersen 1/15/2024 6:47 PM
I've never heard of mp4 repair or Grau video repair. Perhaps you would be so kind as to post a link to them? I would really appreciate it.
Avatar
Grau Video Repair can be found at https://main.grauonline.de/video-repair-tool/ You will need another working mp4 using the same screen capture tool from the same device as a sample in order for Grau to work on your broken file. I can’t find mp4 repair online anymore but it was a CLI that essentially did the same thing as Grau.
Avatar
Avatar
chms17
Ahh thank you, apologies I didn't realise @Mattia Epifani message was aimed at me, thank you Mattia, and thanks Josh for the tldr version!
Mattia Epifani 1/15/2024 9:48 PM
Sorry my fault, I missed to answer in the thread. And thanks @CLB_joshhickman1 for the clarification! Really useful
👍 1
Avatar
anyone familiar with \private\var\mobile\Library\Caches\com.apple.findmy.fmipcore\Items.data on an iPhone extraction (AirTag data)? I'd like to know what the type column refers to.
Avatar
@Cellebrite Question about PA Ultra and the photo origin reasoning. What is the source for the reasoning 'Predates Backup Restore' and 'Saved Copy' @CLB_iwhiffin? Could you give me some more insight. Just want to validate it. (edited)
Avatar
Avatar
florus
@Cellebrite Question about PA Ultra and the photo origin reasoning. What is the source for the reasoning 'Predates Backup Restore' and 'Saved Copy' @CLB_iwhiffin? Could you give me some more insight. Just want to validate it. (edited)
'Predates Backup Restore' means PA decoded a timestamp for the last time a backup was loaded into the device (either from iCloud or from iTunes) and the media file has a timestamp before that time. This means the media file might be from the backup itself and not necessarily created on the extracted device. 'Saved Copy' means PA found an indication that this media file is a copy of another file. In some cases you can see the original file's path in the 'Files Info' tab, but sometimes that info is not recoverable. For example, if you save an image from WhatsApp to the gallery, the copy in the gallery (in DCIM) is a 'Saved Copy' of the image file in WhatsApp's data folder. Beware that the original file might not exist anymore (e.g., user deleted the photo from the WhatsApp chat after saving).
📩 1
👍 1
Avatar
anyone have any idea what the 'lastPrepareLaunchSentinel' date relates to in com.apple.purplebuddy.plist?
3:32 AM
it's later than the setupalastexit date which makes me think it's not the last setup date
Avatar
@Cellebrite Why are Snapchat audios in the video section of PA? This is problematic for sorting correctly, is there any way to fix this? (edited)
📫 1
Avatar
Avatar
GregL
@Cellebrite Why are Snapchat audios in the video section of PA? This is problematic for sorting correctly, is there any way to fix this? (edited)
Ya, annoying.
7:33 AM
I asked my question in the Extraction forum, but perhaps it was best asked here. "Morning - looking at a FFS extraction of an Android device, which has Facebook Messenger v438.1.0.33.115 installed (released a month ago), which isn't supported by Cellebrite/Axiom. Trying to track down the messages, but can't find the db. There's a couple msys db's, but they're for Instagram and there are no Messenger chats in there. Anyone stumbled across this yet?"
Avatar
Avatar
No_Dox
I asked my question in the Extraction forum, but perhaps it was best asked here. "Morning - looking at a FFS extraction of an Android device, which has Facebook Messenger v438.1.0.33.115 installed (released a month ago), which isn't supported by Cellebrite/Axiom. Trying to track down the messages, but can't find the db. There's a couple msys db's, but they're for Instagram and there are no Messenger chats in there. Anyone stumbled across this yet?"
CLB_joshhickman1 1/16/2024 8:27 AM
I just took a look at this under 440.0.0.30.352 (current as of today - freshly installed with a new account). I'm finding chats in ~/databases/mysys_database_LONGNUMBERHERE. Are you not seeing anything similar?
8:28 AM
Also, are you looking under Katana or Orca?
Avatar
is anyone showing a date in the purplebuddy.plist file under guessed country? My last few extractions are missing the date.
Avatar
Avatar
CLB_joshhickman1
I just took a look at this under 440.0.0.30.352 (current as of today - freshly installed with a new account). I'm finding chats in ~/databases/mysys_database_LONGNUMBERHERE. Are you not seeing anything similar?
No, and under both. The actual com.facebook.orca has no data in it. Prem has had issues with parsing some of the mysys db's, so I've been manually parsing them at times
📬 1
Avatar
Avatar
snoop168
is anyone showing a date in the purplebuddy.plist file under guessed country? My last few extractions are missing the date.
I didn't have one in mine either
Avatar
Does anyone know if I can determine what the previous Apple device was, from which the new device was restored? Context: I have several photos, with metadata, made with an iPhone X. The device I am investigating is an Apple iPhone 11 Pro. I would like to determine that the iPhone X had the same Apple ID as the iPhone 11 Pro.
Avatar
Avatar
chms17
I didn't have one in mine either
encountered that a few times, a while back.
Avatar
Avatar
snoop168
is anyone showing a date in the purplebuddy.plist file under guessed country? My last few extractions are missing the date.
CLB_joshhickman1 1/17/2024 5:41 AM
That timestamp seems to have been removed some time between iOS 15.0 and 15.3.1, and has not returned. 😦
👍 1
Avatar
Avatar
CLB_joshhickman1
That timestamp seems to have been removed some time between iOS 15.0 and 15.3.1, and has not returned. 😦
Had a feeling. Thanks for confirming! Any other good ways of seeing when an iPhone was first setup? I think I saw someone mention the created date of the address book db as one option? Just don’t know if updates could technically create a new file as part of the upgrade/migration process…
Avatar
CLB_joshhickman1 1/17/2024 5:45 AM
I'd recommend giving this a read. Minus the purplebuddy timestamp, it still holds true: https://dfir.pubpub.org/pub/6i7d593n/release/1
👍 1
Avatar
Hello! I need help with the "interactionC.db" database, which includes the "ZMECHANISM" field in the "ZINTERACTIONS" table. Do you know what codes 4, 13 and 20 correspond to and what action I should interpret? In my investigation, it seems to be linked to a message from the Signal application and an image. I'm trying to find out whether it was received or sent. Thanks!
Avatar
eightsideddie 1/17/2024 12:03 PM
Does anyone know if Android logs each time the OS is updated? I only know about the current version, and factory reset history. (edited)
Avatar
eightsideddie 1/17/2024 12:49 PM
I found "update_package" entries in "/efs/recovery/history", but it's still a bit cryptic to me. I'm going to test this on a dummy phone to make sure, but I'm feeling hopeful this is exactly what I was looking for. Partial excerpt: (edited)
Avatar
I have a temp_wav file pulled as part of an Android extraction. The inside of it looks like the excerpt below. No header or 'nuthin'... anyone have any direction to point me in to see if this might result in some form of process to pull out audio?
Avatar
Good Morning; I have a msgstore.db from WhatsApp and some voice files. Now I found in the database hashes for the files (file_hash and enc_file_hash) for my voice files. What kind of hashes are these in the database? We need to be sure that the voice files are the right ones from the database and nobody has modified them. thx.
Avatar
Avatar
Jeeper
I have a temp_wav file pulled as part of an Android extraction. The inside of it looks like the excerpt below. No header or 'nuthin'... anyone have any direction to point me in to see if this might result in some form of process to pull out audio?
do you have any idea what the max and min values of the file are?
Avatar
Avatar
eightsideddie
I found "update_package" entries in "/efs/recovery/history", but it's still a bit cryptic to me. I'm going to test this on a dummy phone to make sure, but I'm feeling hopeful this is exactly what I was looking for. Partial excerpt: (edited)
My understanding is that these are logs of when the device has completed OS software updates. fota in the filepath standing for Firmware Over The Air. https://en.wikipedia.org/wiki/Over-the-air_update. A536EXXU2AVG1: https://galaxyfirmware.org/model/SM-A536E/XSA/A536EXXU2AVG1/ A536EXXU3AVGA: https://galaxyfirmware.org/model/SM-A536E/INS/A536EXXU3AVGA/ etc. (edited)
Avatar
Avatar
AmNe5iA
My understanding is that these are logs of when the device has completed OS software updates. fota in the filepath standing for Firmware Over The Air. https://en.wikipedia.org/wiki/Over-the-air_update. A536EXXU2AVG1: https://galaxyfirmware.org/model/SM-A536E/XSA/A536EXXU2AVG1/ A536EXXU3AVGA: https://galaxyfirmware.org/model/SM-A536E/INS/A536EXXU3AVGA/ etc. (edited)
eightsideddie 1/18/2024 7:00 AM
Sweet, thank you for the reinforcement!
Avatar
I'm working on a missing person case. The phone data was extracted with Cellebrite and I've run the extraction through Axiom as well. The victim's phone was at the residence, and in the early morning hours of the last known date there are several program executions with the following: Event Name: event, Package Name: com.motorola.faceunlock, Type: by Bucket Changed. The file path was located in the .zip\Dump\data\system_ce\0\usagestats\daily folder. Can any Android or phone gurus provide some info on whether this artifact shows that our missing person did unlock the phone with face ID?
Avatar
garfieldkhan 1/18/2024 9:05 AM
In android extraction, does anyone know what is the meaning of the file “factory_reset_boot_complete” created in the “data/misc/bootstat” directory?
Avatar
Avatar
emilie_
do you have any idea what the max and min values of the file are?
0 and 15864
Avatar
Anyone know if there is a way to get the messages from an imac into Cellebrite PA? (We are talking about these ones: ~/Library/Messages/chat.db)
Avatar
Dropped two blogs on parsing data from Life360 app https://www.stark4n6.com/2024/01/analyzing-life360-on-ios.html
Life360 is the sell proclaimed "#1 family locator app". If they're not selling your location data (who am I to judge), they sure are leavi...
🔥 6
7:19 AM
We looked at the iOS version of Life360 recently and now we get a chance to look at the Android side this time. There were three database f...
🔥 8
Avatar
Original message was deleted or could not be loaded.
chrisforensic 1/22/2024 12:33 AM
sorry, all right here with "Zangi"-Messenger... was decoded with OFD without troubles 💯 @Oxygen Forensics
Salute 1
👍 1
Avatar
Avatar
CLB_iwhiffin
Power On events can be found in "containermanager.log.0" or "containermanager.log.1" etc. Search for "containermanagerd performing first boot initialization"
Power Off events can be found in either:
KnowledgeC : ZSTREAMNAME = "/app/inFocus" and ZVALUESTRING = "SBPowerDownViewController" (Though this shows that the "Swipe to Shutdown" screen was visible it doesn't actually show that the device was actually shutdown)
logd.0.log : Search for "No userlevel firehose clients left"
Does "No userlevel firehose clients left" mean it was powered off by the user themselves, or can it also be that the phone ran out of power?
Avatar
does anyone know of a way to determine when a user switched from a personal to a business facebook messenger account? like is there a log of when they switched? iOS 16.6, Facebook Messenger v424.0. Also if they were in the business account, would they get notifications from their personal account?
Avatar
@Cellebrite how long does it take for chainalysis enrichment? does it depend on the size of the dump?
Avatar
Avatar
PieR
@Cellebrite how long does it take for chainalysis enrichment? does it depend on the size of the dump?
CLB-DannyTheModeler 1/23/2024 5:37 AM
It depends on the number of Wallet Addresses that were found on the Device.
👍 1
Avatar
NibblesNBits 1/23/2024 8:47 AM
Is anyone aware of an artifact that may track when the setting for text message forwarding or messages in icloud enabled/disabled?
Avatar
Avatar
CLB-DannyTheModeler
It depends on the number of Wallet Addresses that were found on the Device.
Financial Account 1674... i wait
Avatar
Axen Cleaver 1/23/2024 12:19 PM
Good afternoon! Looking for assistance and information concerning Apple's Migration Kit. Full File System extraction from an Apple iPhone 13, iOS 17.0.2. Currently open on PA8 and Axiom. Found images with the path "private/var/mobile/Library/MigrationKit/image/1". Does this mean the images were transferred from another device (which means there's another device we need to look for) or is this an automatic process for a future transfer? (edited)
Avatar
Heimdall4N6K 1/23/2024 11:32 PM
Hi there, do you have any links to articles about blobs? thanks
Avatar
Someone from @Cellebrite about Unified Logs decoded with Inspector ?
📬 1
Avatar
Is there a way to tell when a Samsung Galaxy S phone has been wiped? The phone is not set up after the wipe. Update: I found some help here. https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/ (edited)
There is a Part II to this post, which you can find here. I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for …
👍 2
Avatar
Has anyone managed to decode the application BOTIM on iPhone?
Avatar
Avatar
Www
Has anyone managed to decode the application BOTIM on iPhone?
Following 🙂
Avatar
Hi all! I am dealing with a case where there are questions about the Significant Locations on an iOS device. I've already read the blog entry from Elcomsoft, but this does not go as far as I wanted. Looking at Cloud-V2.sqlite I noticed that on some tables where specific locations are described there is a ZPLACESOURCE column. But I don't seem to be able to figure out what this points towards. Basically I am trying to find out if an address present in this database arrived here as a result of the iOS device physically being there or maybe through different means (e.g. searching for the address). Any pointers or hints would be very much appreciated! (edited)
3:05 AM
@NibblesNBits Have you tried ArtEx2, not sure if it tells you this specifically but it can bring back a lot of log information.
Avatar
Avatar
4N6Matt
@NibblesNBits Have you tried ArtEx2, not sure if it tells you this specifically but it can bring back a lot of log information.
NibblesNBits 1/24/2024 3:10 AM
Used it in the past and it was helpful. Forgot about this gem will give it a go either way to see what info it shows.
😎 1
Avatar
@chms17 If I want to search for something that's not easy to find I tend to unpack the extracted zip file in Windows or dump the file system from the forensics tool. Then use BareGrep https://www.baremetalsoft.com/baregrep/ to search for key words such as Facebook in that folder that you just extracted everything to. The tool is very quick and easy to use. It will pick out a lot of files you were not aware of including logs, dbs...., after going through them it may detail when the business account changed or something like that. I have found so much in the past such as dates of media added to the device that hasn't decoded, when an app was installed or removed.... It doesn't take too long to sort through, maybe 20-30 mins. (edited)
Avatar
Avatar
Tilt
Is there a way to tell when a Samsung Galaxy S phone has been wiped? The phone is not set up after the wipe. Update: I found some help here. https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/ (edited)
I just did a FFS extraction on an S23 Ultra that came in looking FR - once parsed it showed me under Device Events exactly when it was FR. Even had a screenshot the USER took accidentally after doing it.
Avatar
Avatar
4N6Matt
@chms17 If I want to search for something that's not easy to find I tend to unpack the extracted zip file in Windows or dump the file system from the forensics tool. Then use BareGrep https://www.baremetalsoft.com/baregrep/ to search for key words such as Facebook in that folder that you just extracted everything to. The tool is very quick and easy to use. It will pick out a lot of files you were not aware of including logs, dbs...., after going through them it may detail when the business account changed or something like that. I have found so much in the past such as dates of media added to the device that hasn't decoded, when an app was installed or removed.... It doesn't take too long to sort through, maybe 20-30 mins. (edited)
thanks very much!
Avatar
Has someone looked into what the different MEDIA_CONTEXT_TYPE stand for in cache_controller.db in Snapchat iOS?
Avatar
@Pehr Here is a good webinar on Snapchat https://cellebrite.com/en/deep-dive-into-snapchat/ It might be a good place to start. I thought I had read the media types somewhere but couldn't put my hand on the information. Removed the rest of the information in case it was incorrect! (edited)
Avatar
Wouter#0195 1/24/2024 6:05 AM
Anyone from @Magnet Forensics available regarding an AXIOM data processing question?
📬 1
Avatar
Avatar
4N6Matt
@Pehr Here is a good webinar on Snapchat https://cellebrite.com/en/deep-dive-into-snapchat/ It might be a good place to start. I thought I had read the media types somewhere but couldn't put my hand on the information. Removed the rest of the information in case it was incorrect! (edited)
As someone who doesn't really use AI, can Bard be compelled to give non-AI sources? I would hate to rely on a hallucination
Avatar
@Pehr. I knew I'd seen it somewhere; check the Cellebrite webinar at 33:30 under the Arroyo.db, they talk about content type, that's the one I was thinking of. They don't say Media_Context_Type so not sure if it's the same thing you are looking for. (edited)
Avatar
Avatar
Brandon E
Grau Video Repair can be found at https://main.grauonline.de/video-repair-tool/ You will need another working mp4 using the same screen capture tool from the same device as a sample in order for Grau to work on your broken file. I can’t find mp4 repair online anymore but it was a CLI that essentially did the same thing as Grau.
James Pedersen 1/24/2024 3:11 PM
Thanks Brandon, this is great !
Avatar
Avatar
4N6Matt
@Pehr Here is a good webinar on Snapchat https://cellebrite.com/en/deep-dive-into-snapchat/ It might be a good place to start. I thought I had read the media types somewhere but couldn't put my hand on the information. Removed the rest of the information in case it was incorrect! (edited)
This is completely wrong and I have no idea where it could have gotten this information from. MEDIA_CONTEXT_TYPE is a column in cache_controller.db, and has little to do with arroyo.db.
2 is mostly links that I have not investigated further, customSticker files can be found here as well.
3 is where most of the "user generated" media will be found, such as Snaps and media sent in chats.
19 is Snaps and Memories, both media and overlays
26 is lowres versions of 19 @Pehr (edited)
👍 4
Avatar
Does anybody have any good resources on the GrapheneOS? I'm interested in anything from general writeups on it, or any forensics analysis.
Avatar
citizencain 1/25/2024 5:52 AM
Looking at Telegram attachments. I haven't been able to find any significance to the naming convention of attachments - just that clumps are occasionally named in sequential order. Not sure if a date is embedded in there anywhere? Also has anyone had any luck parsing the Telegram .meta files? My testing shows that the MAC times of the .meta match when the attachment was first loaded on to the device and don't change after that, but wondering if there's a timestamp embedded in there somewhere? I couldn't find one, just wondering what others found?
Avatar
Does anyone know of any site that has a list of database files you might find in an extraction and information on how to understand the database? I'm trying to get info on what "cohorts.sqlite" is in an iphone extraction, have only been able to find out somewhat unhelpful information about it. Was hoping someone in the community has created or knows of a central place that might have information on databases for investigators. Thanks!
Avatar
Has anyone been able to match the chat threads database in Telegram to the media database? Have a CSAM case where we need to tie the pictures to the chat thread. Cellebrite parses the chats but pictures are unavailable. AXIOM shows the pictures without the chat.
Avatar
Avatar
melunn
Has anyone been able to match the chat threads database in Telegram to the media database? Have a CSAM case where we need to tie the pictures to the chat thread. Cellebrite parses the chats but pictures are unavailable. AXIOM shows the pictures without the chat.
citizencain 1/25/2024 10:44 AM
Yes, ok you can do this if the database still has the entry - I've only matched it for iOS tho. Open up the chat db_sqlite. Find your attachment by name in t15. The t15 key will equal the t16 key, except the t16 key will APPEND the key with the 8-byte chat ID (most of these precede with 00 00 00). The chat ID is in BE endianness here. For instance, my chat ID is 35813183093 which is 00 00 00 08 56 A1 CE 75. Please note tho, that Telegram is NOTORIOUS for swapping endianness, so in the chat db, it's usually in LE (75 CE A1 56 08). If your chat has been deleted, you can still find the chat name in the chat db t2 table, or by searching the pure hex of the database. Search both LE/BE, tho, cause ya never know what you're gonna get. DM me if you have questions.
Salute 3
🔥 3
Avatar
Avatar
citizencain
Yes, ok you can do this if the database still has the entry - I've only matched it for iOS tho. Open up the chat db_sqlite. Find your attachment by name in t15. The t15 key will equal the t16 key, except the t16 key will APPEND the key with the 8-byte chat ID (most of these precede with 00 00 00). The chat ID is in BE endianness here. For instance, my chat ID is 35813183093 which is 00 00 00 08 56 A1 CE 75. Please note tho, that Telegram is NOTORIOUS for swapping endianness, so in the chat db, it's usually in LE (75 CE A1 56 08). If your chat has been deleted, you can still find the chat name in the chat db t2 table, or by searching the pure hex of the database. Search both LE/BE, tho, cause ya never know what you're gonna get. DM me if you have questions.
Thanks for the point. I will DM you for more info.
👍🏼 1
Avatar
If everyone could please check out my message in this channel and share your experience if it's related: https://discord.com/channels/427876741990711298/694548160533495913/1200183789561839726 It references an issue with PA missing data which I believe other forces have been experiencing. (edited)
Avatar
Avatar
citizencain
Yes, ok you can do this if the database still has the entry - I've only matched it for iOS tho. Open up the chat db_sqlite. Find your attachment by name in t15. The t15 key will equal the t16 key, except the t16 key will APPEND the key with the 8-byte chat ID (most of these precede with 00 00 00). The chat ID is in BE endianness here. For instance, my chat ID is 35813183093 which is 00 00 00 08 56 A1 CE 75. Please note tho, that Telegram is NOTORIOUS for swapping endianness, so in the chat db, it's usually in LE (75 CE A1 56 08). If your chat has been deleted, you can still find the chat name in the chat db t2 table, or by searching the pure hex of the database. Search both LE/BE, tho, cause ya never know what you're gonna get. DM me if you have questions.
DM'd you with questions.
Avatar
Avatar
Grok
Does anyone know of any site that has a list of database files you might find in an extraction and information on how to understand the database? I'm trying to get info on what "cohorts.sqlite" is in an iphone extraction, have only been able to find out somewhat unhelpful information about it. Was hoping someone in the community has created or knows of a central place that might have information on databases for investigators. Thanks!
What's the file path or associated application?
👍 1
Avatar
Avatar
whee30
What's the file path or associated application?
00008020-00023CA621D1002E_files_partial-a.zip\private\var\mobile\Library\Caches\com.apple.parsecd\Cohorts\cohorts.sqlite I looked up parsecd and got these little nuggets from reddit: "The Little Snitch Research Assistant says that parsecd is "Used for Suggestions in Spotlight, Messages, Lookup and Safari and usually connects to api.smoot.apple.com."" and "Location-Based Suggestions for Siri. At least that's how the service is described in "/System/Library/PrivateFrameworks/CoreParsec.framework/Versions/Current/Resources/Info.plist""
Avatar
I have a question for someone from @Magnet Forensics about their quick image process and the production of the agent_mmssms.db
📬 1
Avatar
Avatar
whee30
I have a question for someone from @Magnet Forensics about their quick image process and the production of the agent_mmssms.db
I just took a class from them last week where they talked about the agent_databases. Not sure if this is related to your question, but that database is one they make from (I think live) messages extracted from the phone, but it's not the original database you would find on the phone. The original database might have things left in it like deleted messages and more, but it's a decent record of the active messages that are still on the phone.
Avatar
I got an assist, watching their webinars now
Avatar
Question for @Magnet Forensics : How to import a greykey dump (XXXX_files_full.zip with keychain.plist separately), I can't find the step-by-step documentation. Thanks
12:31 AM
import into axiom
Avatar
Avatar
PieR
Question for @Magnet Forensics : How to import a greykey dump (XXXX_files_full.zip with keychain.plist separately), I can't find the step-by-step documentation. Thanks
Type Mobile phone, import .zip then Axiom will ask for keychain file
👍 1
Avatar
ok, I'll test
12:36 AM
import folder or file?
Avatar
I have a UFED iTunes backup of an iPhone 14 running 16.3.1. Does WhatsApp record whether ‘disappearing messages’ were enabled and the timer (24hr, 7d etc.)? I cannot spot anything obvious in ZWACHATSESSION. The custodian claims he did not delete the messages and cannot produce them because the other chat participant set ‘disappearing messages’ in their chat.
Avatar
Is there functionality missing in PA Ultra, not parsing location data? @Cellebrite. I have the same extraction loaded in PA and Ultra, where PA shows me significantly MORE artifacts... Edit: semi solved thanks to chrisforensics! (edited)
📬 1
👍 1
Avatar
Where should I find the parsed cache.sqlite in PA-Ultra? @Cellebrite OK, I found out what goes wrong. The 2024 timestamps aren't parsed, just as a former PA bug (that got solved in the latest update). PA Ultra 8.8.100.46 has the same issue! Can someone contact me? Or is the newest update Inseyets (version 10.x)? Quite confusing to be honest... (edited)
📬 1
Avatar
In need of establishing whether the Telegram account in use on an iOS device is the admin for a number of public channels. They're displaying as the "owner" in PA and are showing as the only participant (other than the channel itself) - any assistance very much appreciated!! Thinking table t18 may be where I need to be, but we haven't managed to decode a huge amount of the blob data yet, currently working to a rather tight deadline 😦
Avatar
Avatar
Jeezy
In need of establishing whether the Telegram account in use on an iOS device is the admin for a number of public channels. They're displaying as the "owner" in PA and are showing as the only participant (other than the channel itself) - any assistance very much appreciated!! Thinking table t18 may be where I need to be, but we haven't managed to decode a huge amount of the blob data yet, currently working to a rather tight deadline 😦
What about other tools like Oxygen or Axiom (or even iLEAPP)
👍 1
Avatar
Avatar
Bobby
What about other tools like Oxygen or Axiom (or even iLEAPP)
JeezyCreezy 1/26/2024 9:45 AM
I do generally use Oxygen for Telegram as it tends to do a more complete decode, but it doesn’t seem to shed any light on the channel admin
Avatar
Avatar
Jeezy
In need of establishing whether the Telegram account in use on an iOS device is the admin for a number of public channels. They're displaying as the "owner" in PA and are showing as the only participant (other than the channel itself) - any assistance very much appreciated!! Thinking table t18 may be where I need to be, but we haven't managed to decode a huge amount of the blob data yet, currently working to a rather tight deadline 😦
Yeah with PA they mean "owner" to refer to the owner of the account. It says the same in native messages and other chat groups so it's not meaning the owner as in the chat admin. As to where in the db you'd find that I'm not sure if I'm honest.
Avatar
Avatar
JeezyCreezy
I do generally use Oxygen for Telegram as it tends to do a more complete decode, but it doesn’t seem to shed any light on the channel admin
What about first msg of these channels saying MrX received admin rights? Or run kw search in order to identify admin rights granted to somebody?
Avatar
Avatar
Ben J Man
Yeah with PA they mean "owner" to refer to the owner of the account. It says the same in native messages and other chat groups so it's not meaning the owner as in the chat admin. As to where in the db you'd find that I'm not sure if I'm honest.
JeezyCreezy 1/26/2024 11:52 AM
Thought that may well be the case, thanks for confirming!
Avatar
Avatar
Bobby
What about first msg of these channels saying MrX received admin rights? Or run kw search in order to identify admin rights granted to somebody?
JeezyCreezy 1/26/2024 11:54 AM
My testing hasn’t shown there to be any admin rights messages generated. Unfortunately we no longer have the physical device to perform manual verification
Avatar
Count Nathan 1/26/2024 1:07 PM
I have encountered this application on an Oppo device (https://play.google.com/store/apps/details?id=com.hld.anzenbokusucal&hl=en&gl=US&pli=1), it's a hidden photo vault application. I have obtained a full file system of the device however I do not know the passcode to the application (the device passcode does not work). If anyone knows where and how the passcode is stored within the filesystem I would love to know! Thanks in advance
Photo hider and video vault hide pictures and videos to keep your privacy safe
Avatar
Avatar
Count Nathan
I have encountered this application on an Oppo device (https://play.google.com/store/apps/details?id=com.hld.anzenbokusucal&hl=en&gl=US&pli=1), it's a hidden photo vault application. I have obtained a full file system of the device however I do not know the passcode to the application (the device passcode does not work). If anyone knows where and how the passcode is stored within the filesystem I would love to know! Thanks in advance
Decrypt hidden images from Android application Calculator+ - GitHub - Magpol/decrypt-calculatorPlusApk: Decrypt hidden images from Android application Calculator+
Decrypt files from Calculator - photo vault - com.hld.anzenbokusucal - GitHub - Magpol/decryptCalculatorPhotoVault: Decrypt files from Calculator - photo vault - com.hld.anzenbokusucal
Avatar
Count Nathan 1/26/2024 1:28 PM
looking at the second article as that is the exact app, the key should be within share_privacy_safe.xml but is encrypted? fantastic! thanks!
Avatar
Avatar
Count Nathan
I have encountered this application on an Oppo device (https://play.google.com/store/apps/details?id=com.hld.anzenbokusucal&hl=en&gl=US&pli=1), it's a hidden photo vault application. I have obtained a full file system of the device however I do not know the passcode to the application (the device passcode does not work). If anyone knows where and how the passcode is stored within the filesystem I would love to know! Thanks in advance
I had a colleague the other week who had this, got an FFS on UFED and found the password as plain text in the file system so it is definitely there. I'll try to see if she remembers where she found it
Avatar
Avatar
Count Nathan
looking at the second article as that is the exact app, the key should be within share_privacy_safe.xml but is encrypted? fantastic! thanks!
it should be an MD5 hash of what the password is. So if you copy out that value then bruteforce a 4-digit PIN, you should find a match. If you use hashcat, you can try something like this: hashcat -a 3 -m 0 <put your hash here> ?d?d?d?d (edited)
Avatar
do you have any support from @Oxygen Forensics here?
2:09 AM
or @Oxygen Forensics mod , i need support
📬 1
oxygen 1
Avatar
Avatar
Isarenl
or @Oxygen Forensics mod , i need support
Yes they are here, very active. But it's the weekend...
Avatar
Avatar
Isarenl
do you have any support from @Oxygen Forensics here?
Depending on the current issue, people here may assist you but if it's more than Oxygen usage better to open service request on Oxygen support web page
Avatar
Hi guys. Any news about WhatsApp not being included in iTunes backup anymore? Have an iPhone 14 Pro Max with iOS 17.2 (so no tools at the moment able to get a full FS, not even Premium) and I have made various logical acquisitions (UFED4PC, Oxygen, Axiom, etc.) + some iTunes backups with various different tools but in the subsequent analysis phase I can't find WhatsApp data anywhere. Examining the backups with various generic iTunes backup browsers/explorers there is no trace of WhatsApp data
📬 1
Avatar
@Cellebrite Someone available to help with a query?
📬 1
Avatar
I am looking for info on <idstring>.com.google.GoogleMobile. The info on iOS is under Passwords and is a bplist - which contains some data of interest but I am trying to figure this file out. Anyone have any ideas?
Avatar
Avatar
FabianoQ
Hi guys. Any news about WhatsApp not being included in iTunes backup anymore? Have an iPhone 14 Pro Max with iOS 17.2 (so no tools at the moment able to get a full FS, not even Premium) and I have made various logical acquisitions (UFED4PC, Oxygen, Axiom, etc.) + some iTunes backups with various different tools but in the subsequent analysis phase I can't find WhatsApp data anywhere. Examining the backups with various generic iTunes backup browsers/explorers there is no trace of WhatsApp data
I'm pretty positive you need a full file system extraction to pull the whatsapp encryption keys.
Avatar
Avatar
Terry_____
I'm pretty positive you need a full file system extraction to pull the whatsapp encryption keys.
The problem was that the user had enabled the end-to-end encrypted backups option in WhatsApp. Because of this the chatstorage.sqlite db is kept in encrypted form, so even if it is included in normal iTunes backups it can't be parsed. Solution was to disable this option: WhatsApp -> Settings -> Chats -> Chat backup -> End-to-end encrypted backup. When you opt to disable it will ask you for a password; I chose "forgot password" and it asked for the screen unlock PIN code. Reboot phone, repeat the extraction and now WhatsApp data is included in the report
👍 7
Avatar
Has anyone got any reasons as to why there are no created dates for files on Android devices? I've done a full file system extraction and there is only a modified date. Is it a limitation of the file system or the extraction type?
Avatar
I'm just guessing. But I think it has to do with the Gallery app, for example Google Photos.
Avatar
@Magnet Forensics any reason why Safari Favicons aren't parsed by Axiom? When they are for other browsers - do they behave differently to favicons in Chrome for example?
📬 1
👀 1
7:28 AM
talking iOS btw
Avatar
Is anyone able to help with a weird situation... I have knowledgeC data relating to a device having the backlight on, SMS App in Focus. However, Unified Logs records 'Screen did Lock (was unlocked for x number of seconds)' during the middle of the backlight and In Focus timeframe. I'm currently wondering whether 'Screen Did Lock' doesn't necessarily mean the device has locked, just the screen somehow locked, maybe the lock screen is visible? I can't think of any way it would be possible for the device to lock whilst keeping the backlight on, but any help please 🙂 @Cellebrite @Magnet Forensics
📬 1
Avatar
Avatar
Bellis
Is anyone able to help with a weird situation... I have knowledgeC data relating to a device having the backlight on, SMS App in Focus. However, Unified Logs records 'Screen did Lock (was unlocked for x number of seconds)' during the middle of the backlight and In Focus timeframe. I'm currently wondering whether 'Screen Did Lock' doesn't necessarily mean the device has locked, just the screen somehow locked, maybe the lock screen is visible? I can't think of any way it would be possible for the device to lock whilst keeping the backlight on, but any help please 🙂 @Cellebrite @Magnet Forensics
@cScottVance
Avatar
Anyone with @Cellebrite have a minute to chat about Biome, user notifications? Pretty please?
📬 1
Avatar
@Cellebrite Need help with Inseyets, it's giving me a dongle error, that I need to register them, but they are already registered...
📬 1
Avatar
Avatar
florus
@Cellebrite Need help with Inseyets, it's giving me a dongle error, that I need to register them, but they are already registered...
Gizmononootje 1/31/2024 1:08 AM
solved
Avatar
Avatar
chms17
@Magnet Forensics any reason why Safari Favicons aren't parsed by Axiom? When they are for other browsers - do they behave differently to favicons in Chrome for example?
I had the same issue before. Neither Axiom nor Physical Analyzer were parsing very important Safari searches from the favicon db. When I manually examined it I found that the db is fairly complicated. The search term is associated with a UUID, which ties to another table with the actual icon. However, the date/timestamp is updated to the newest instance of that specific favicon showing up for every entry. So it can appear that a search made last month can have a date of yesterday if you're not careful. I think that's why neither tool auto parses it. Don't want people taking the data it would show at face value.
Avatar
Avatar
Terry_____
I had the same issue before. Neither Axiom nor Physical Analyzer were parsing very important Safari searches from the favicon db. When I manually examined it I found that the db is fairly complicated. The search term is associated with a UUID, which ties to another table with the actual icon. However, the date/timestamp is updated to the newest instance of that specific favicon showing up for every entry. So it can appear that a search made last month can have a date of yesterday if you're not careful. I think that's why neither tool auto parses it. Don't want people taking the data it would show at face value.
Hmm interesting, ok thank you. PA has parsed them as Safari history items but no dates and times associated - I assume your explanation above is why!
Avatar
Avatar
chms17
Hmm interesting, ok thank you. PA has parsed them as Safari history items but no dates and times associated - I assume your explanation above is why!
That's exactly it. If a favicon UUID is associated with only one search term, it's safe to say the associated timestamp is correct. But if the UUID is for the Google favicon that's probably going to be associated with dozens of searches and they'll all have the same date/time of the last time that favicon appeared.
Avatar
Avatar
Terry_____
That's exactly it. If a favicon UUID is associated with only one search term, it's safe to say the associated timestamp is correct. But if the UUID is for the Google favicon that's probably going to be associated with dozens of searches and they'll all have the same date/time of the last time that favicon appeared.
yeah I just searched the UUID for the URL I'm interested in in the 'page_url' table and it came back with at least 200 records with different URLs, so I think I'm going to omit this from my report - I just can't tell whether it's there from the user accessing it or just happening upon it unexpectedly!
4:25 AM
@Terry_____ thanks for your help!
Avatar
Avatar
Terry_____
That's exactly it. If a favicon UUID is associated with only one search term, it's safe to say the associated timestamp is correct. But if the UUID is for the Google favicon that's probably going to be associated with dozens of searches and they'll all have the same date/time of the last time that favicon appeared.
or is what you're saying that the URLs are pages that have been visited, but we just can't rely on the favicon timestamp as being the date they visited the URL?
4:29 AM
because these are highly relevant URLs...
Avatar
Avatar
chms17
or is what you're saying that the URLs are pages that have been visited, but we just can't rely on the favicon timestamp as being the date they visited the URL?
I believe you have to visit the site. My understanding is the favicon entry is generated when a tab or window with that favicon is opened.
Avatar
Avatar
Terry_____
I believe you have to visit the site. My understanding is the favicon entry is generated when a tab or window with that favicon is opened.
Brilliant, thank you, that's really helpful
Avatar
@chms17 Are your relevant URLs Google searches? Their URLs may contain timestamps
Avatar
Avatar
GregL
@chms17 Are your relevant URLs Google searches? Their URLs may contain timestamps
True. https://dfir.blog/unfurl/ can decode URLs and pull out timestamps and exact search terms. @chms17
Extract and Visualize Data from URLs
👍 1
Avatar
Avatar
GregL
@chms17 Are your relevant URLs Google searches? Their URLs may contain timestamps
nah unfortunately not, mostly Tumblr
😕 1
4:56 AM
never mind, it still shows interest even if I can't timestamp it
4:56 AM
thanks for all the help!
Avatar
I have a quick fire question, if someone can assist me please. Is it possible to determine whether a person has blocked a phone number in an iPhone, or do you need access to subscriber information to establish this?
5:04 AM
I don't have the extraction in front of me, just a person asking the question and I cannot recall the answer from my head. Thanks
Avatar
if it's just a regular phone contact as opposed to an app contact
5:05 AM
I think it says in Addressbook.sqlite or whatever it is (edited)
5:05 AM
the contacts database
Avatar
Thank you, that's good enough for me to go back to them with an answer. I'll probably end up having to find it for them anyway lol
Avatar
Avatar
Alex Owen
Thank you, that's good enough for me to go back to them with an answer. I'll probably end up having to find it for them anyway lol
or com.cmfsyncagent.plist has a list of blocked contacts
Avatar
Thank you, much appreciated 🙏
👍 1
Avatar
Hello, recently I received 3 iPhones with iOS 17. All are unlocked. Then I performed advanced logical acquisition in UFED. I noted that the extraction result is almost double the device's occupied storage space. So, I think it is probably duplicating a lot of media files, but the UFDR report from PA still has a high size. (edited)
Avatar
Echmyre[FORENTECH] 1/31/2024 7:30 AM
Hi, any @Oxygen Forensics support available?
📬 1
oxygen 1
Avatar
garfieldkhan 1/31/2024 11:03 AM
Anyone from @Cellebrite available?
11:07 AM
UFED Cloud not appearing as available in Physical Analyzer? Anyone know what it could be?
11:08 AM
i have both dongles PA and Cloud connected to the laptop
garfieldkhan
i have both dongles PA and Cloud connected to the laptop
ScottKjr3347 1/31/2024 12:04 PM
With the new versions of PA you can't use two dongles. Both licenses must be on one dongle. We struggled with support about this and submitted support tickets to get it corrected, but the fastest way to get it fixed was to have support join the PA and cloud licensing onto one dongle. We can thank Inseyets for this. (edited)
ScottKjr3347
With the new versions of PA you can't use two dongles. Both licenses must be on one dongle. We struggled with support about this and submitted support tickets to get it corrected, but the fastest way to get it fixed was to have support join the PA and cloud licensing onto one dongle. We can thank Inseyets for this. (edited)
garfieldkhan 1/31/2024 12:09 PM
I don't have trouble doing a cloud extraction (without tokens, knowing the credentials) with PA 7.64.0.38 (2 dongles connected) but with PA 7.66.0.9 I can't do it
garfieldkhan
I don't have trouble doing a cloud extraction (without tokens, knowing the credentials) with PA 7.64.0.38 (2 dongles connected) but with PA 7.66.0.9 I can't do it
ScottKjr3347 1/31/2024 12:10 PM
Oh I was speaking about pa 8 and pa 10. I haven’t used pa 7 in over a year.
One Potato, Two Potato 1/31/2024 12:12 PM
Anyone have any luck decrypting the Session application database on Android? I followed the guide at https://thebinaryhick.blog/2022/07/14/session-on-android-an-app-wrapped-in-signal/ but had no luck. It may be dated information
One Potato, Two Potato
Anyone have any luck decrypting the Session application database on Android? I followed the guide at https://thebinaryhick.blog/2022/07/14/session-on-android-an-app-wrapped-in-signal/ but had no luck. It may be dated information
CLB_joshhickman1 1/31/2024 12:53 PM
Does the source device use a hardware-backed keystore? And what tool(s) did you use to do the extraction? (edited)
CLB_joshhickman1
Does the source device use a hardware-backed keystore? And what tool(s) did you use to do the extraction? (edited)
One Potato, Two Potato 1/31/2024 12:55 PM
Yeah, it’s a Galaxy S-21 I believe
CLB_joshhickman1 1/31/2024 12:59 PM
The key stored in persistent.sqlite is encrypted, and the key needed to decrypt it is stored in hardware. You would need an extraction tool capable of extracting the key to decrypt the key in persistent.sqlite, and then turn around and use that key to decrypt the Session database.
1:04 PM
In the article virtualization is used to get a non-hardware backed store in order to explore the app. However, most modern devices utilize hardware backed.
MrMacca (Allan Mc) 1/31/2024 1:34 PM
Does anyone have a tool or script that can interpret a _chat.txt export from WhatsApp and generate a document that has all of the attachments in the right place? So if it's a jpeg attachment, then that is displayed; however, if it's a zip file attachment, or an audio/video file, a link is made within the document that, when clicked, opens the attachment? I've had a play around with ChatGPT to try and create something that resembles what I need, but not having much success. So I was hoping there's something already out there that can do the job. Kind regards.
One Potato, Two Potato
Anyone have any luck decrypting the Session application database on Android? I followed the guide at https://thebinaryhick.blog/2022/07/14/session-on-android-an-app-wrapped-in-signal/ but had no luck. It may be dated information
@bang
thatboy_leo
I was able to find the contents of a locked secure folder on a s22 through a ffs collected by ufed
@thatboy_leo I don't suppose you know the location of the Files by Google 'Safe Folder' in the file system? I have one which is pattern locked so just wanted to check the contents. Thanks.
Just a shout out for @ScottKjr3347: he was a BIG help regarding photos.sqlite in a case of mine. There is nobody with his knowledge regarding this db! And the fact he is a great person and always willing to help made sure I deeply understood the meaning of picture X in my investigation. Thanks again Scott!!
ClaireM
@thatboy_leo I don't suppose you know the location of the Files by Google 'Safe Folder' in the file system? I have one which is pattern locked so just wanted to check the contents. Thanks.
CLB_joshhickman1 2/1/2024 5:24 AM
com.google.android.apps.photos/files/mars_files/ Disregard. I read the string of messages incorrectly. (edited)
Anyone from @Cellebrite & @MSAB around for a quick question?
@Elcomsoft, anyone available for a question please?
Does anyone know where to look for deleted call records, for a Xiaomi redmi
mello
Does anyone know where to look for deleted call records, for a Xiaomi redmi
Gizmononootje 2/1/2024 7:03 AM
callog.db?
7:06 AM
depending on the Android version there might be different options
Gizmononootje
callog.db?
I'll have a look at it, but I presume that there won't be any records in there as the strangest analysers on the market haven't brought up any records of deleted calls. But I know for a fact that certain calls have been deleted.
Gizmononootje
depending on the Android version there might be different options
Android version is up to date
mello
Android version is up to date
Gizmononootje 2/1/2024 7:07 AM
as in which version?
mello
I'll have a look at it, but I presume that there won't be any records in there as the strangest analysers on the market haven't brought up any records of deleted calls. But I know for a fact that certain calls have been deleted.
Gizmononootje 2/1/2024 7:08 AM
if that's a fact, try raw searching the image you made with a phone number you know is deleted
Gizmononootje
as in which version?
It should be the latest one but I'll check that again.
Gizmononootje
if that's a fact, try raw searching the image you made with a phone number you know is deleted
Although I feel I am not going to have any luck with that.
mello
Although I feel I am not going to have any luck with that.
Gizmononootje 2/1/2024 7:14 AM
If it's not found with the raw search, chances are low you're going to find it in a database 🙂
Anyone from @Magnet Forensics lingering who knows automate?
ClaireM
@thatboy_leo I don't suppose you know the location of the Files by Google 'Safe Folder' in the file system? I have one which is pattern locked so just wanted to check the contents. Thanks.
thatboy_leo 2/1/2024 11:09 AM
So for my test I was able to validate from the user id which items were saved to the safe folder. Someone informed me the success of this depends on the SPL for the device (newer ones will not get SF if it exists). https://discord.com/channels/427876741990711298/545232743353810946/1070508266322399232
thatboy_leo
So for my test I was able to validate from the user id which items were saved to the safe folder. Someone informed me the success of this depends on the SPL for the device (newer ones will not get SF if it exists). https://discord.com/channels/427876741990711298/545232743353810946/1070508266322399232
thatboy_leo 2/1/2024 11:10 AM
Avatar
jjh2320
@Elcomsoft, anyone available for a question please?
Sure
ScottKjr3347 2/3/2024 8:36 PM
Anyone conducted research and testing with iPhones getting setup via the quick setup transfer files method? Specifically the files that track the devices used (ios versions, udid, files transferred, date and time of transfer). Also how this type of device setup might affect the files stored in the local photo library and data stored in photos.sqlite. Looking for a peer reviewer. (Yes I’m aware of DFRWS) but seeing if anyone else has researched this first.
ScottKjr3347
Anyone conducted research and testing with iPhones getting setup via the quick setup transfer files method? Specifically the files that track the devices used (ios versions, udid, files transferred, date and time of transfer). Also how this type of device setup might affect the files stored in the local photo library and data stored in photos.sqlite. Looking for a peer reviewer. (Yes I’m aware of DFRWS) but seeing if anyone else has researched this first.
CLB-LoukaO 2/4/2024 2:48 AM
I did research it and it’s actually doing a backup and restore. Pretty much like it.
Has anybody else had issues decoding the 'LINE' app, specifically call logs? I'm looking in XAMN 7.8.0 and can't see any of the calls made through LINE.
Phillips
Has anybody else had issues decoding the 'LINE' app, specifically call logs? I'm looking in XAMN 7.8.0 and can't see any of the calls made through LINE.
Any luck with another decoding tool?
Bobby
Any luck with another decoding tool?
PA seems to be finding them no problem, but as part of data verification I need to locate the data in a secondary tool which is a pain when they don't show up
Phillips
PA seems to be finding them no problem, but as part of data verification I need to locate the data in a secondary tool which is a pain when they don't show up
Then XRY is not supporting that Line version. Do you have access to Axiom or Oxygen?
Phillips
PA seems to be finding them no problem, but as part of data verification I need to locate the data in a secondary tool which is a pain when they don't show up
Or with ALEAPP/ILEAPP, there is a Line parser available and for free 👌
ScottKjr3347 2/5/2024 10:05 PM
Photos.sqlite decoding when Data Transfer used at setup. Main question: how did media file get there & what does the data indicate? Other topics: Data transfer timestamps Device iOS versions at time of transfer Old device UDID found in analyzed device http://tinyurl.com/5n7cajdm
forensicres 2/6/2024 2:13 AM
Are you aware of any IOS/Android artefact that stores the nearby WiFi access points that are advertised when a user is trying to connect to a network? Thanks
Mistercatapulte 2/6/2024 3:10 AM
Hi all, I've a chat application that's not parsed by PA; by the way, the app uses a REALM database. I can see data in hex but I'd like to know if a reader like dbbrowser exists?
yes and it's a pain
3:17 AM
I used realm browser on Mac (for some reason, it works better on mac)
3:18 AM
and then if you find a good way to export it, let me know, because last time I did it, it was awful
Mistercatapulte
Hi all, I've a chat application that's not parsed by PA; by the way, the app uses a REALM database. I can see data in hex but I'd like to know if a reader like dbbrowser exists?
CLB_joshhickman1 2/6/2024 6:19 AM
Changes since v14.1.1 Enhancements None Fixed Fixed main process crash, by unpacking the realm.node binary and signing it. (#1605)
Mistercatapulte 2/6/2024 6:22 AM
@CLB_joshhickman1 Hi Josh, I've tried this one without any good result... I've followed @emilie_ tips and used the app on MAC but now this one requires a 128 character key....
6:25 AM
@CLB_joshhickman1 with another file I've tested it's ok (edited)
CLB_joshhickman1 2/6/2024 6:28 AM
I do know there was a version change to Realm. When did you last try it?
Mistercatapulte 2/6/2024 6:30 AM
just today, but I took a REALM file at random in the application's folder; there I managed to determine which one is for conversations and I get everything in clear, as if I was in dbbrowser. Thanks again!
Looking for information for these Bundle IDs: "com.apple.telephonyutilities" and "com.apple.InCallService". Does anybody know what the difference is? I have tried looking around the ol' Google machine and been trying to look through SANS posters. I was curious if one had to do with FaceTime while the other had to do with the actual phone app, or if there was a way to differentiate the 2 in any way.
CLB_joshhickman1
I'd recommend giving this a read. Minus the purplebuddy timestamp, it still holds true: https://dfir.pubpub.org/pub/6i7d593n/release/1
In one iPhone 11 I encountered recently, the com.apple.purplebuddy.plist->GuessedCountry timestamp and SetupLastExit timestamp have been updated. However, the containermanagerd.log.1 indicated that this was a system upgrade rather than a wipe. I want to know if this is a common occurrence or an exceptional case. Any thoughts about this? (edited)
hi everyone, quick question: I got one susp. video file with 2 duplicates (so 3 files in total), shown in Cellebrite Reader. One of the file paths is shown as something similar to "Google Photo JsohnSmith@gmail.com/localmedia/VID_123.mp4", the other 2 paths are in a common directory. Does this mean the file is physically saved on the device just 2 times and the Google Photos file path shown is just a reference to one of these locally saved duplicates, or is the one with the Google Photos file path saved somewhere else and I don't see the "real" folder where it sits in the file tree? Just need to know if I got 3 files "existent" on the device or 2 and one "pseudo" file
Looking for guidance on calculating the number of messages associated with individual chat participants. I'm working with an iOS extraction in PA Insights. I have selected all the threads of interest, and I have that count. The report wizard provides a total message count. Is it possible to get more granular and get a per-user total message count?
luis511_
Looking for guidance on calculating the number of messages associated with individual chat participants. I'm working with an iOS extraction in PA Insights. I have selected all the threads of interest, and I have that count. The report wizard provides a total message count. Is it possible to get more granular and get a per-user total message count?
Terry_____ 2/7/2024 6:38 AM
Are you trying to figure out how many messages an individual participant sent in a given thread? You should be able to filter down to a specific thread, then filter on the sender column for a specific participant.
I have a call record that's in polling from the telco but not on the device. Am I right in thinking that a call record that's been deleted, i.e. not showing up in the PA callhistorydb of an iOS device, might still be able to be pieced together via InteractionC (ZInteraction/Zcontacts)? Question Part B: will timestamps in ZINTERACTION be UTC 0 or will they reflect the set time on the device, i.e. UTC+X? Thanks in advance (edited)
Hardie35
Looking for information for these Bundle IDs: "com.apple.telephonyutilities" and "com.apple.InCallService". Does anybody know what the difference is? I have tried looking around the ol' Google machine and been trying to look through SANS posters. I was curious if one had to do with FaceTime while the other had to do with the actual phone app, or if there was a way to differentiate the 2 in any way.
telephonyutilities should be the settings that denote another device on the same wifi and iCloud either rings 'as well' or at least stores the fact the call was made on the other device, vs InCallService, which I've always just reviewed as referencing a call taking place. https://thebinaryhick.blog/2022/12/28/relays-in-the-apple-ecosystem-passing-the-baton/ (edited)
@Cellebrite There's no way to do a regex search in all the data on PA 10? (edited)
Just done a quick comparison of group.net.whatsapp.WhatsApp.shared.plist to see if "Save to Camera Roll" is turned on/off. If the "SaveReceived" field = True then media is automatically saved to gallery, False = manually saved. Obviously this is only the current state.
Terry_____
Are you trying to figure out how many messages an individual participant sent in a given thread? You should be able to filter down to a specific thread, then filter on the sender column for a specific participant.
Hi. Yes, I’m trying to calculate that specific number. PA presents the chats by thread, with all participants together per thread. I would have to go into each thread and count - across 400 threads. Is there a way to switch PA from presenting in thread view and instead presenting all messages such that there are to-from columns? If I export the chats to excel, the individual messages are listed in the way you are mentioning (to/from)
luis511_
Hi. Yes, I’m trying to calculate that specific number. PA presents the chats by thread, with all participants together per thread. I would have to go into each thread and count - across 400 threads. Is there a way to switch PA from presenting in thread view and instead presenting all messages such that there are to-from columns? If I export the chats to excel, the individual messages are listed in the way you are mentioning (to/from)
Any other tool available? Like Oxygen?
Bobby
Any other tool available? Like Oxygen?
Axiom is the only other tool available. Having thoughts of using this need as another motivator to learn sql. I’m sure there is some query I can run to get the metric I’m looking for.
luis511_
Axiom is the only other tool available. Having thoughts of using this need as another motivator to learn sql. I’m sure there is some query I can run to get the metric I’m looking for.
Then you need to try Oxygen and make your life easier
Bobby
Then you need to try Oxygen and make your life easier
🤣
6:37 AM
Thank you for the suggestion. Funny, I’m pretty sure if I paid for Pathfinder the stat I’m looking for would be available (at least via an easier workflow compared to manual exporting and counting). Thanks again.
Jeeper
telephonyutilities should be the settings that denote another device on the same wifi and iCloud either rings 'as well' or at least stores the fact the call was made on the other device, vs InCallService, which I've always just reviewed as referencing a call taking place. https://thebinaryhick.blog/2022/12/28/relays-in-the-apple-ecosystem-passing-the-baton/ (edited)
Awesome, thanks for the info! I'll have to see if our lab can try to recreate those findings!
luis511_
Hi. Yes, I’m trying to calculate that specific number. PA presents the chats by thread, with all participants together per thread. I would have to go into each thread and count - across 400 threads. Is there a way to switch PA from presenting in thread view and instead presenting all messages such that there are to-from columns? If I export the chats to excel, the individual messages are listed in the way you are mentioning (to/from)
Terry_____ 2/8/2024 8:52 AM
Ah I see, it's in chat bubbles. Try going into the settings. I think there is an option to turn chat bubbles off. What app is it? I can write a SQL query for you. (edited)
busted4n6
Thanks Chris. We can’t see a way to find a contemporaneous record of who the local user was (or at least what their phone number was) at the time a WhatsApp message was sent.
Hi @chriscone_ar @cScottVance is the fix in 7.9 ‘Sometimes, WhatsApp artifacts were being attributed to the wrong user. -MARS-1818’ refer to this?
Phillips
Has anybody else had issues decoding the 'LINE' app, specifically call logs? I'm looking in XAMN 7.8.0 and can't see any of the calls made through LINE.
MSAB_Sofia 2/9/2024 4:50 AM
Could you send me the log from XAMN so that possibly we can see what is going on? As Bobby said, it could be a version of LINE that isn't supported for decoding, but there may also be other reasons. Do you know what version of the app is installed? A somewhat hidden feature is that the XRY Device Manual also lists all apps and what app versions are supported for decoding. (edited)
jorgen4853 2/9/2024 6:04 AM
Hello everyone, I have a quick question: Does anyone know of any scripts or programs that can decode/parse the chat application 'Wire' at the moment? Any other solutions would also be greatly appreciated! Thank you!
jorgen4853
Hello everyone, I have a quick question: Does anyone know of any scripts or programs that can decode/parse the chat application 'Wire' at the moment? Any other solutions would also be greatly appreciated! Thank you!
chrisforensic 2/9/2024 8:38 AM
Hi, Oxygen Detective supports decoding of Wire 😉 it's worth a try if newer versions of Wire will be decoded... last version is 4.5.4 I think (edited)
chrisforensic 2/11/2024 11:16 PM
Hm, installed new PA 10.1 ... I'm not satisfied.... just scrolling the pictures and PA 10.1 always hangs... smooth working the case is not possible! With PA7 there is no such problem @Cellebrite (edited)
chrisforensic 2/11/2024 11:27 PM
my specs: 13th Gen Intel(R) Core(TM) i7-13700K 3.40 GHz 128 GB DDR5 Only NVMe-Drives installed Geforce RTX 3060 Win11Pro 23H2 (edited)
Hello! I'm trying to find a software to plot coordinates with a radius from Local.sqlite. Any suggestions?
Does anyone have information on the „companion_devices.db“ from Android WhatsApp? Can anyone tell for sure if these are the linked devices like Web or other smartphones? I'm unable to find any papers discussing this database
Can anyone give me some pointers on trying to figure out where sync'd Chrome history is coming from. I am working on a Samsung Galaxy A02s (OS: Android Version 12). The file path for the source Axiom is getting the information is "data\com.android.chrome\app_chrome\Default\History." I know the last two google accounts which were sync'd and the last date they were sync'd. But I can't figure out how to determine if either of those are syncing web data or what the web history is sync'd from.
I have Enchanted Cloud Photo Vault version 14 on iOS, any decoding options? Firing up Axiom but I see that may not support that version, any thoughts gang? (edited)
Zhaan
I have Enchanted Cloud Photo Vault version 14 on iOS, any decoding options? Firing up Axiom but I see that may not support that version, any thoughts gang? (edited)
If you are UK based then try reaching out to Control-F for CFCrypt. It's currently a free tool capable of doing a lot of vault based apps. I'm not in front of it now but I'm sure it does the Photo Vault app. (edited)
4N6Matt
If you are UK based then try reaching out to Control-F for CFCrypt. It's currently a free tool capable of doing a lot of vault based apps. I'm not in front of it now but I'm sure it does the Photo Vault app. (edited)
it does indeed do it 😁
Has anyone encountered iOS pictures in var/mobile/Library/Intents/Images? I'm trying to find more information about this path to figure out where that picture came from, but can't find much about it
citizencain 2/13/2024 9:57 AM
Does anyone know what the Telegram "forbidden" column relates to? Here is a screenshot from @Oxygen Forensics showing the column in the Channel section, but it also appears in the Groups as well. None of these channels OR groups are still visible on the device itself. None of the channels content is present in the database, however some of the group content is, and is subsequently parsed. It appears that anytime "forbidden" is YES, then the joined/created date is empty. This is only parsed in Oxygen from the Android cache4, it is not parsed in Oxygen for iOS. Any ideas on what it refers to?
Looking for help with interpreting the data from the downloads.db (data/com.android.providers.downloads) file on a Samsung Galaxy A14 5G (Model SM-A146U1, Android 14). Person of interest mentioned looking at images/videos of concern on the day the phone was seized. It looks like he regularly wipes the phone. No internet history on the device, but various cached images in the Gallery and Samsung My Files applications. There is no MicroSD card in this phone. The downloads.db shows various file names of concern which contain "lastmod" hours before the phone was seized. The URI for the files all read "non-dwnldmngr-download-dont-retry2download." The mediaprovider_uri for 3 of the files shows content://media/external_primary/video/media/########## (file numbers removed for the posting). Looking to interpret columns and data from the columns. For instance, does the mediaprovider_uri indicate he was using an external drive (MicroSD/USB)? File size is in the total_bytes column, but the current_bytes is 0. If this didn't come from an external drive, does this mean he attempted to download and it failed? Any resources or assistance would be welcomed. I have processed this in @Cellebrite PA and @Magnet Forensics Axiom.
sholmes
Looking for help with interpreting the data from the downloads.db (data/com.android.providers.downloads) file on a Samsung Galaxy A14 5G (Model SM-A146U1, Android 14). Person of interest mentioned looking at images/videos of concern on the day the phone was seized. It looks like he regularly wipes the phone. No internet history on the device, but various cached images in the Gallery and Samsung My Files applications. There is no MicroSD card in this phone. The downloads.db shows various file names of concern which contain "lastmod" hours before the phone was seized. The URI for the files all read "non-dwnldmngr-download-dont-retry2download." The mediaprovider_uri for 3 of the files shows content://media/external_primary/video/media/########## (file numbers removed for the posting). Looking to interpret columns and data from the columns. For instance, does the mediaprovider_uri indicate he was using an external drive (MicroSD/USB)? File size is in the total_bytes column, but the current_bytes is 0. If this didn't come from an external drive, does this mean he attempted to download and it failed? Any resources or assistance would be welcomed. I have processed this in @Cellebrite PA and @Magnet Forensics Axiom.
Nothing in mind about that db, but did you run ALEAPP on that device extraction? If you are looking for media there is an image cache manager (aka Glide) parser in ALEAPP that may help you identify thumbnails of pictures or videos opened on that device
11:21 PM
And I'm sure there is also a parser for downloads.db that may help understand the decoded content
@sholmes For what I can see over the internet, "non-dwnldmngr-download-dont-retry2download" means = downloaded with success, and "media/external_primary/video/media" means = file accessed (downloaded) from external shared storage
citizencain
Does anyone know what the Telegram "forbidden" column relates to? Here is a screenshot from @Oxygen Forensics showing the column in the Channel section, but it also appears in the Groups as well. None of these channels OR groups are still visible on the device itself. None of the channels content is present in the database, however some of the group content is, and is subsequently parsed. It appears that anytime "forbidden" is YES, then the joined/created date is empty. This is only parsed in Oxygen from the Android cache4, it is not parsed in Oxygen for iOS. Any ideas on what it refers to?
Oxygen Forensics 2/14/2024 3:06 AM
Hello, this should be the source of the artifact 🙂
Peacekeeper 2/14/2024 4:41 AM
Hopefully a quick question: anyone here who knows if/where on an Android 13 Samsung S23U the display/screen timeout is stored? Thanks in advance!
Oxygen Forensics
Hello, this should be the source of the artifact 🙂
citizencain 2/14/2024 4:47 AM
wow, awesome, thank you!
citizencain
wow, awesome, thank you!
Oxygen Forensics 2/14/2024 4:48 AM
This also seems to generate Forbidden Yes, because the account cannot join the chat/group or view its content by itself
citizencain started a thread. 2/14/2024 5:10 AM
Does anyone have a good resource or info on photos.sqlite for iOS 17? Trying to do some digging into the DB.
CIF
Does anyone have a good resource or info on photos.sqlite for iOS 17? Trying to do some digging into the DB.
iOS Photos.sqlite queries that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to...
@Cellebrite Anyone available to field an Android dumpsys/bugreport question when it comes to parsing with PA?
ahhh let me jump in with my question now you mention dumpsys/bugreport : I generated them, still looking for traces of Flashlight use.
7:31 AM
I'm working on a test Redmi phone, and am still struggling 🙂 If anyone found such a thing in those logs, let me know 🙂 I figured I could maybe find something in there : "_name:sysui_qs_tiles pkg:com.android.systemui" ie the tiles/shortcuts to activate the torch, but I couldn't find anything. Yet ^^
Info to share and a question regarding Verizon devices such as Samsung and Motorola: in a file system extraction I found images in a folder named VZMedia. I found two of these folders one of which (the only one with files) is a subdirectory to Download/(invalid)/VZMedia. The difference is the other VZMedia isn't a subdirectory of '(invalid)'. After some research I discovered that for the past few years these Verizon devices generated the invalid folder and images from Verizon Message+ texts are stored in this invalid folder. Customers who attempt to move the images to the other folder and delete the invalid one find that the device restores the folder on its own. The question I have is do Verizon devices auto save all text message attachments here as primary storage for those specific items or is this utilized only when a user intentionally saves the files? Like long press save etc?
9:46 AM
It appears the original VZMedia folder is simply not used any more.
CIF
Does anyone have a good resource or info on photos.sqlite for iOS 17? Trying to do some digging into the DB.
ScottKjr3347 2/14/2024 12:46 PM
If you would like some help feel free to dm
I was wondering if someone at @Magnet Forensics could DM me about the Apple Warrant Return Assistant. I had some weird things happen and I'd like to troubleshoot as well as figure out if there's an easy way to use the tool with files already downloaded. Thanks.
Has anyone come across AllowList.txt in iOS? It is stored under a siri folder and I am trying to find out what it actually contains. In the case I am working there are references to wanting to kill themself and I don't know if these are things that were said to Siri or what. Any help is appreciated!
Does anyone know if gunfire in close proximity to an iPhone 11 can cause the display to come on and off? We have an incident where gunfire occurred in close proximity to the device sitting on a table in a confined area. Just wondering if anyone has done any testing or knows from their own experience if the sound or percussion can cause the phone's display to come on. Thanks.
luis511_
Hi. Yes, I’m trying to calculate that specific number. PA presents the chats by thread, with all participants together per thread. I would have to go into each thread and count - across 400 threads. Is there a way to switch PA from presenting in thread view and instead presenting all messages such that there are to-from columns? If I export the chats to excel, the individual messages are listed in the way you are mentioning (to/from)
Go into Timeline view and filter on data type "Instant Messages" that will break down each message into an individual line item.
Hello everyone, I have a FFS from Cellebrite and I found two videos related to my case, but I can't determine if the suspect made them from his device, I just have the paths: data/media/0/Movies/signal-2023-05-16-15-59-25-036.mp4 AND data/data/com.snapchat.android/files/native_content_manager/com.snap.file_manager_3_SCContent_e92f36fd-66fd-45df-aa15-608f6358c254/27669f3d8b07854021d34bce2f3280ab Thank you ! (edited)
Avatar
Avatar
135i
Hello everyone, I have a FFS from cellebrite and I found two videos related to my case, but I can't determine if the suspect made them from his device, I just have the path : data/media/0/Movies/signal-2023-05-16-15-59-25-036.mp4 AND data/data/com.snapchat.android/files/native_content_manager/com.snap.file_manager_3_SCContent_e92f36fd-66fd-45df-aa15-608f6358c254/27669f3d8b07854021d34bce2f3280ab Thank you ! (edited)
Digitalferret 2/16/2024 4:59 AM
no metadata in the files, or any comparable stills?
Avatar
Avatar
Digitalferret
no metadata in the files, or any comparable stills?
no metadata except the modification date... (edited)
Avatar
Avatar
135i
no metadata except the modification date... (edited)
Digitalferret 2/16/2024 5:12 AM
then maybe check any and all other <media> and check if the device writes metadata. I'd think that that would mean if it does, that the suspect files have been moved into the device rather than taken with the device itself?
Avatar
Avatar
Digitalferret
then maybe check any and all other <media> and check if the device writes metadata. I'd think that that would mean if it does, that the suspect files have been moved into the device rather than taken with the device itself?
thank you for your reply!
👍🏻 1
Avatar
@Cellebrite anyone for a question about ufdr report in PA7/Inseyets?
📬 1
Avatar
@Cellebrite When will the versions 317.x and up from the iOS Instagram App be supported by PA 7 or 10? (edited)
Avatar
Avatar
Mike_H
Does anyone know if gunfire in close proximity to an iPhone 11 can cause the display to come on and off? We have an incident where gunfire occurred in close proximity to the device sitting on a table in a confined area. Just wondering if anyone has done any testing or knows from their own experience if the sound or percussion can cause the phone's display to come on. Thanks.
Desk pop for scientific testing?
🤣 3
this 1
Avatar
Avatar
Mike_H
Does anyone know if gunfire in close proximity to an iPhone 11 can cause the display to come on and off? We have an incident where gunfire occurred in close proximity to the device sitting on a table in a confined area. Just wondering if anyone has done any testing or knows from their own experience if the sound or percussion can cause the phone's display to come on. Thanks.
I think it would depend on the calibre and air pressure produced when the round discharges along with distance to the device. You can activate an iPhone screen by tapping on it and just testing now it can be very light taps so get close enough and I guess it’s possible. That’s by no means fact, just an educated guess from my knowledge. (edited)
Avatar
Avatar
Mike_H
Does anyone know if gunfire in close proximity to an iPhone 11 can cause the display to come on and off? We have an incident where gunfire occurred in close proximity to the device sitting on a table in a confined area. Just wondering if anyone has done any testing or knows from their own experience if the sound or percussion can cause the phone's display to come on. Thanks.
Sounds like something to test at the next range day!
💯 1
Avatar
Hi! I'm looking for some reference material for creating decoding scripts for PA. Is there any published documentation or is everything locked to their python course?
Avatar
Avatar
callzor
Hi! I'm looking for some reference material for creating decoding scripts for PA. Is there any published documentation or is everything locked to their python course?
if you find anything, let me know !
Avatar
Mistercatapulte 2/19/2024 5:55 AM
@callzor PA only supports Python 2 fyi....
5:56 AM
Python 3 is supposed to be supported by PA Ultra/Inseyets Q2 2024, still waiting (edited)
Avatar
Count Nathan 2/19/2024 12:49 PM
Anyone know if it's possible to feed a vdi file from an emulated android from bluestacks into PA and decode?
Avatar
Avatar
callzor
Hi! I'm looking for some reference material for creating decoding scripts for PA. Is there any published documentation or is everything locked to their python course?
There's a python scripting guide built into PA, I think under the help or python menu. If it's not there then it's downloadable from the community portal. Can't say how great it is or isn't since I've never really tried to use it, just that it's there
Avatar
Has anyone heard of „twinme“ messenger or has any experiences with that? In my case, it is an iPhone. I have found the messages with PA10.1 in Biome➡️Device Notifications. But not all. I haven’t found a Chat/Message database of this app. (edited)
Avatar
Anyone from @Cellebrite for a quick PA-question?
📫 1
Avatar
forensicgeek 2/20/2024 1:35 AM
Good morning all. Just a quick question. Can anyone shed any light on what the graphstrore.sqlite3 database is? It’s found in the following location data/com.facebook.katana/cache/graph.store.cache. Thanks in advance.
Avatar
Jeff Nelson 2/20/2024 5:05 AM
Does anyone know where you can find the speed a phone was travelling? I have a full file system extraction of a Samsung SM-G998U and am looking to see if anyone knows what database may contain speed information.
Avatar
Avatar
houndineu
Desk pop for scientific testing?
Haha..... I was thinking a trip to the gun range might be in order..... 🙂
Avatar
Avatar
forensicgeek
Good morning all. Just a quick question. Can anyone shed any light on what the graphstrore.sqlite3 database is? It’s found in the following location data/com.facebook.katana/cache/graph.store.cache. Thanks in advance.
I checked a FFS extraction from an Android device on a file that I have been working that is heavily focused on Facebook posting data. The directory you mentioned exists in my extraction, but is void of any content. One thing I did find and found interesting during the course of my analysis is that the directories data\data\com.facebook.katana\app_graph_cache<facebook ID#> and \data\data\com.facebook.katana\cache\thin_client_pool_cache_model<facebook ID#> each contained a series of what appear to be Facebook application cache files which contained full fragments of Facebook posting content that wasn't parsed by either Cellebrite or Axiom. From the fragments I was able to determine their author, intended recipient, and posted content. There is also comment ID information present that can help to source the original post the comments/replies are related to. I located them while doing a simultaneous search in X-Ways Forensics as I had info regarding potential content of the posts. Just an interesting file I thought I'd share. I know it's not an answer to your question, but might help depending on what you are looking into.
Avatar
Avatar
forensicgeek
Good morning all. Just a quick question. Can anyone shed any light on what the graphstrore.sqlite3 database is? It’s found in the following location data/com.facebook.katana/cache/graph.store.cache. Thanks in advance.
Is it a SQLite with a typical layout? Does it have any JSON-like data resembling requests?
Avatar
Avatar
Mike_H
I checked a FFS extraction from an Android device on a file that I have been working that is heavily focused on Facebook posting data. The directory you mentioned exists in my extraction, but is void of any content. One thing I did find and found interesting during the course of my analysis is that the directories data\data\com.facebook.katana\app_graph_cache<facebook ID#> and \data\data\com.facebook.katana\cache\thin_client_pool_cache_model<facebook ID#> each contained a series of what appear to be Facebook application cache files which contained full fragments of Facebook posting content that wasn't parsed by either Cellebrite or Axiom. From the fragments I was able to determine their author, intended recipient, and posted content. There is also comment ID information present that can help to source the original post the comments/replies are related to. I located them while doing a simultaneous search in X-Ways Forensics as I had info regarding potential content of the posts. Just an interesting file I thought I'd share. I know it's not an answer to your question, but might help depending on what you are looking into.
The data you see are probably cached Graph API responses; take a look at this https://developers.facebook.com/docs/android/graph/
👍 1
Avatar
Avatar
tost
Has anyone heard of „twinme“ messenger or has any experiences with that? In my case, it is an iPhone. I have found the messages with PA10.1 in Biome➡️Device Notifications. But not all. I haven’t found a Chat/Message database of this app. (edited)
Supposed to be p2p https://twin.me/en/support/twinme-protect-data/ so if the user didn't wipe, search for me.twin.twinme and follow this https://www.magnetforensics.com/blog/ios-tracking-bundle-ids-for-containers-shared-containers-and-plugins/ to track down the app's DBs
👍 1
Avatar
Has anyone researched what "other party visited" means when referring to an AirTag?
Avatar
Anyone else having issues connecting to @Cellebrite
Avatar
Avatar
yeoj112689
Anyone else having issues connecting to @Cellebrite
Connecting to what part?
Avatar
Avatar
CLB-Paul
Connecting to what part?
I was unable to connect via either of my premium end points (license or resources) nor was I able to connect to the main website. Every other website worked fine at the time. This has resolved itself it seems and is working now. Was about a 20 min period of not being able to connect for some reason.
Avatar
Hmm not sure. Don’t see anything recent for us for outage. But glad it resolved itself
Avatar
Avatar
CLB-Paul
Hmm not sure. Don’t see anything recent for us for outage. But glad it resolved itself
This area is having major cellular issues as well so it could have very well been an issue on my end but it was odd that everything else was working. Either way it's working now. Thank you for the response! (edited)
Avatar
Actually now that you mention it, one of the guys on the team did mention there were huge cellular issues on the east coast.
Avatar
Can anyone help me understand the possible ways a screenshot that is no longer in DCIM (as a PNG) is now in CPLassets (as a JPEG). I understand what CPL is but trying to wrap my head around the logistics of how it happened. I assume it was deleted from device but seems like other non-deleted screenshots were never put into CPL. Any thoughts on this from someone with experience would be appreciated.
Avatar
Avatar
theshark
Can anyone help me understand the possible ways a screenshot that is no longer in DCIM (as a PNG) is now in CPLassets (as a JPEG). I understand what CPL is but trying to wrap my head around the logistics of how it happened. I assume it was deleted from device but seems like other non-deleted screenshots were never put into CPL. Any thoughts on this from someone with experience would be appreciated.
Is it now named as „5003.jpg“? Perhaps the picture is in iCloud and it must be downloaded to view, and on the device there is still a thumbnail. It sounds like a similar case I had. (edited)
Avatar
Avatar
tost
Is it now named as „5003.jpg“? Perhaps the picture is in iCloud and it must be downloaded to view, and on the device there is still a thumbnail. It sounds like a similar case I had. (edited)
Looking at the timeline, during a certain time period many photos are being created/accessed/modified at the same time over the span of an hour. Does this indicate the iCloud synchronization process? Does this happen automatically? Trying to wrap my head around that process and what it actually does.
Avatar
Avatar
theshark
Looking at the timeline, during a certain time period many photos are being created/accessed/modified at the same time over the span of an hour. Does this indicate the iCloud synchronization process? Does this happen automatically? Trying to wrap my head around that process and what it actually does.
Can you see any indicator for an iCloud backup or so on? The thing sounds like a sync, but no guarantees😅 These are my assumptions. (edited)
Avatar
Yeah I should be good now after some testing I got the solution. Thanks! @tost
Avatar
Avatar
theshark
Yeah I should be good now after some testing I got the solution. Thanks! @tost
And the solution is?
Avatar
I have a backup of Telegram created via the Desktop version of the app. I'd like to get this into PA and have it appear as 'Chat' for presentation purposes - Everything in the backup is in plain text e.g. JSON and images/videos etc ; Does anyone think this is possible? @Cellebrite ?? (edited)
Avatar
Hi Everyone, I am reviewing the DataUsage.sqlite file from an iOS 15 extraction and looking at records with only a single Timestamp from ZProcess / ZLiveusage. For records with only a single timestamp (vs start/end timestamps) with massive amounts of data used via cellular, does anyone know if the timestamp is when the connection started, or is the logged timestamp when the connection/data usage completed? Putting together my own tests to confirm with too.
Avatar
Avatar
135i
thank you for your reply!
for the snapchat path I would check the filename in cache_controller.db. It may give a hint on how it was handled
Avatar
Avatar
tost
And the solution is?
It was replaced during iCloud synchronization. “Optimize photos” was also on, replacing high quality PNGs with JPEGs. (edited)
👌 1
5:05 AM
So the accessed, modified and created dates all match the time of sync (which is random) while the original capture time is preserved.
👌 1
Avatar
Avatar
theshark
It was replaced during iCloud synchronization. “Optimize photos” was also on, replacing high quality PNGs with JPEGs. (edited)
I am glad I was able to help
Avatar
2 part question: 1) Does anyone know if the WAL / SHM files are committed to the DB when Axiom or PA processes the acquired data? In my example, the original acquisition .zip file had the favicons.db / WAL / SHM and lock files, however, when I navigate to the same area in PA filesystem, I can only see the .DB file. The reason I am looking at the favicons DB is to try and figure out the timestamp column. 2) From what I understand about this timestamp, is that it is not a reliable source since the time can be refreshed when the user goes to the website in question. In my case, a keyword search revealed an entry in the favicons db but was hoping to get more evidence around it. @Magnet Forensics @Cellebrite (edited)
Avatar
Avatar
rfar
2 part question: 1) Does anyone know if the WAL / SHM files are committed to the DB when Axiom or PA processes the acquired data? In my example, the original acquisition .zip file had the favicons.db / WAL / SHM and lock files, however, when I navigate to the same area in PA filesystem, I can only see the .DB file. The reason I am looking at the favicons DB is to try and figure out the timestamp column. 2) From what I understand about this timestamp, is that it is not a reliable source since the time can be refreshed when the user goes to the website in question. In my case, a keyword search revealed an entry in the favicons db but was hoping to get more evidence around it. @Magnet Forensics @Cellebrite (edited)
I haven't seen PA commit the wal and shm. Your part 2 is correct. The timestamp is associated with a uuid for a general url, like Google.com. So anytime the Google favicon is referenced it updates the timestamp for the associated google uuid/entry. The search term references the Google uuid, so a search actually made 3 weeks ago will reference the updated Google favicon entry.
Avatar
Avatar
Terry_____
I haven't seen PA commit the wal and shm. Your part 2 is correct. The timestamp is associated with a uuid for a general url, like Google.com. So anytime the Google favicon is referenced it updates the timestamp for the associated google uuid/entry. The search term references the Google uuid, so a search actually made 3 weeks ago will reference the updated Google favicon entry.
yes I was hoping that when I searched for the UUID across all databases, that I would see perhaps another artifact to help distinguish, but it was the general 'google.com' entry, so it corroborates what you said.
Avatar
Avatar
rfar
2 part question: 1) Does anyone know if the WAL / SHM files are committed to the DB when Axiom or PA processes the acquired data? In my example, the original acquisition .zip file had the favicons.db / WAL / SHM and lock files, however, when I navigate to the same area in PA filesystem, I can only see the .DB file. The reason I am looking at the favicons DB is to try and figure out the timestamp column. 2) From what I understand about this timestamp, is that it is not a reliable source since the time can be refreshed when the user goes to the website in question. In my case, a keyword search revealed an entry in the favicons db but was hoping to get more evidence around it. @Magnet Forensics @Cellebrite (edited)
CLB_iwhiffin 2/23/2024 9:18 AM
They are not committed in PA to the point that they would disappear from the extraction. They are taken into consideration when parsing data and when viewing in the DB Viewer, but they are never altered in the extraction or file system view.
Avatar
Avatar
CLB_iwhiffin
They are not committed in PA to the point that they would disappear from the extraction. They are taken into consideration when parsing data and when viewing in the DB Viewer, but they are never altered in the extraction or file system view.
ok thank you. interesting that I could not see them in the filesystem then ...
Avatar
Avatar
rfrye123
Hi Everyone, I am reviewing the DataUsage.sqlite file from an iOS 15 extraction and looking at records with only a single Timestamp from ZProcess / ZLiveusage. For records with only a single timestamp (vs start/end timestamps) with massive amounts of data used via cellular, does anyone know if the timestamp is when the connection started, or is the logged timestamp when the connection/data usage completed? Putting together my own tests to confirm with too.
CLB_iwhiffin 2/23/2024 9:27 AM
I've been testing this. I tested using Maps and it seems that every time I open the Maps application and use data, it gets added to the same (first) record. I ran this over a few hours, restarted the app a few times and got the results in the attachment. See the time is consistent but WANIN and OUT is ever increasing.
Avatar
Avatar
rfar
ok thank you. interesting that I could not see them in the filesystem then ...
CLB_iwhiffin 2/23/2024 9:27 AM
Yes. That is a concern. What version of PA was this?
Avatar
Avatar
CLB_iwhiffin
Yes. That is a concern. What version of PA was this?
I'll dig this info up and get back to you. Thank you (edited)
Avatar
Avatar
CLB_iwhiffin
I've been testing this. I tested using Maps and it seems that every time I open the Maps application and use data, it gets added to the same (first) record. I ran this over a few hours, restarted the app a few times and got the results in the attachment. See the time is consistent but WANIN and OUT is ever increasing.
Awesome thanks! Will confirm If i see the same!
Avatar
Avatar
theshark
It was replaced during iCloud synchronization. “Optimize photos” was also on. Replacing high quality PNGs to JPEGS. (edited)
ScottKjr3347 2/23/2024 11:18 AM
Dm sent
Avatar
Avatar
OggE
for the snapchat path I would check the filename in cache_controller.db. It may give a hint on how it was handled
Thank you, i ll check it
11:22 PM
this
Avatar
I was wondering if anyone had some sort of article talking about activity data on iPhones. In particular if there is some sort of threshold of activity needed for the phone to start registering it. I have seen several records from phones that seem to suggest that the person did not take any steps all day which I find hard to believe.
Avatar
Does anyone know why, in the Instagram app data, the file userBootstrapService.xml shows the lastFollowStatus of a user as FollowStatusUnknown, but the same user is shown as FollowStatusFollowing in the file USER_PREFERENCE.xml?
Avatar
@Cellebrite I have an iCloud Backup where I am getting two message retention settings. The plist says 30 but in the extraction summary it says 30 and Forever. What causes it to say both?
Avatar
Avatar
greg124567
@Cellebrite I have an iCloud Backup where I am getting two message retention settings. The plist says 30 but in the extraction summary it says 30 and Forever. What causes it to say both?
CLB_iwhiffin 2/26/2024 12:39 PM
There are likely two files with the same name, but one is capitalized, i.e. there will be a com.apple.mobileSMS.plist and a com.apple.MobileSMS.plist. One has the 30 days flag, one has nothing (and if it says nothing it can be taken to mean Forever). This was a bug a long time ago but was fixed. What version are you using? I'll check if we have a regression.
Avatar
Avatar
CLB_iwhiffin
There are likely two files with the same name, but one is capitalized, i.e. there will be a com.apple.mobileSMS.plist and a com.apple.MobileSMS.plist. One has the 30 days flag, one has nothing (and if it says nothing it can be taken to mean Forever). This was a bug a long time ago but was fixed. What version are you using? I'll check if we have a regression.
There is only MobileSMS.plist and it says this in 7.66.0.9 and 7.67.0.15
Avatar
Has anyone received support from @Cellebrite in relation to an updated Python scripting guide? I just need assistance with setting the chat messages direction for my unsupported app decoding.
Avatar
Does anyone know how images with file path var/mobile/library/intents/images got onto an iOS device? Any help would be great 🙂
Avatar
benny | RlP 2/27/2024 2:05 AM
Hi, does anyone know if it's possible to do a regex search over the whole device, not just in the hex view in PA?
👍 1
📬 1
Avatar
benny | RlP 2/27/2024 5:59 AM
so - when the thumbs up means it does work, would you mind telling me how 🙂
Avatar
Paul Mastered 2/27/2024 9:36 AM
instagram artifact
Avatar
Avatar
saltyduck
Does anyone know how images with file path var/mobile/library/intents/images got onto an iOS device? Any help would be great 🙂
What does photos.sqlite say about the picture?
Avatar
Can PA process a Telegram Desktop backup into 'standard' chat evidence? I have the clear text JSON and the associated folders but PA only wants to allow viewing within the JSON. Am I missing a trick to process this data set?
Avatar
Hi to all! Can I private message someone from @Cellebrite?
📬 1
Avatar
Avatar
Jeeper
Can PA process a Telegram Desktop backup into 'standard' chat evidence? I have the clear text JSON and the associated folders but PA only wants to allow viewing within the JSON. Am I missing a trick to process this data set?
CLB_joshhickman1 2/28/2024 5:29 AM
Unfortunately, we do not support this.
Avatar
Hi ! someone from @Magnet Forensics please ? I have a question on decoding of whatsapp backup
Avatar
Avatar
Jeeper
Can PA process a Telegram Desktop backup into 'standard' chat evidence? I have the clear text JSON and the associated folders but PA only wants to allow viewing within the JSON. Am I missing a trick to process this data set?
Maybe Oxygen or Axiom can do that?
Avatar
Hi, anyone available from @Oxygen Forensics for a question around processing please?
oxygen 2
📬 1
Avatar
Good Morning, working a case where when I manually review the android and go into their google photos, there are a bunch of photos and video thumbnails which are all dated correctly. However, when I parse the extraction, the photos have different file names and are in the glide google photos cache directory with the phone's reset date as the created date. There are 0kb files with the correct file names and dates as well. Does anyone know how google photos matches the two up when manually reviewing the phone? I'm trying to show that particular images were created at the dates corresponding to the 0kb files
Avatar
@Cellebrite anyone able to help me out regarding a decryption issue in PA?
📬 1
Avatar
Has anyone come across the file path Google.android.apps.photos/files/mars_files? Particularly what the mars_files relates to? Possibly multi-application-recovery-service but that’s a guess. Any suggestions welcome.
Avatar
Is it possible to find the "two step verification pin code" of WhatsApp from the xml files. Has anyone tried this?
Avatar
Avatar
ecs143
Has anyone come across the file path Google.android.apps.photos/files/mars_files? Particularly what the mars_files relates to? Possibly multi-application-recovery-service but that’s a guess. Any suggestions welcome.
ScottKjr3347 2/29/2024 10:15 AM
Google photos locked folder, from my experience. I need to verify the next bit of information but I believe it contains files stored locally on the device from the Google photos locked folder. Luckily in my case I had the device passcode and was able to confirm the items stored in mars were located in the locked folder on the device. (edited)
Avatar
Avatar
ScottKjr3347
Google photos locked folder, from my experience. I need to verify the next bit of information but I believe it contains files stored locally on the device from the Google photos locked folder. Luckily in my case I had the device passcode and was able to confirm the items stored in mars were located in the locked folder on the device. (edited)
Thank you!
Avatar
Avatar
ecs143
Thank you!
ScottKjr3347 2/29/2024 11:43 AM
But goes without saying don’t just take my word for it…always test and validate.
Avatar
Anyone from @Magnet Forensics @Grayshift for a quick GK support question?
Avatar
@Cellebrite any known issues regarding connection to a central DB for using the maps in Inseyets PA?
📫 1
Avatar
Avatar
Lpx
Anyone from @Magnet Forensics @Grayshift for a quick GK support question?
dm'ing
Avatar
Can anyone confirm the field that specifies if the “Save to Camera Roll” setting in WhatsApp is on or off. I believe the file that would store this is group.net.whatsapp.WhatsApp.shared.plist. I’m only seeing references to a “Download Policy” but unsure of the assigned values. I’m reviewing an iPhone 11 Pro running iOS 14.2. Thanks.
Avatar
@Cellebrite - I heard the new 7.67 PA added support for a recent Telegram version update. Problem is I see the DB parsing call logs, but it is not parsing or showing any message content/events. What DB would that be in so I can try to parse myself? Any update on whether this is supported yet in PA 7.67?
📬 1
Avatar
Anyone know how *_fidelius_user.db is encrypted in Snapchat?
Avatar
Is it possible to see if a Facebook messenger profile picture has been changed throughout a chat? Would it say in chat or would there be 2 urls saved in the db? Or any other way to tell? 😊
Avatar
Anyone from @Cellebrite to help with an extraction?
📬 1
Avatar
Looking for some confirmation of expected behaviour. @MSAB I acquired a file system of a phone using greykey. I’ve imported that into XRY. I only need a single WhatsApp conversation with attachments, so I selected the relevant conversation and created a subset including attachments. The whole extraction is 189GB. The subset took all day to produce and is 179GB. Examining the subset .xry file there is a single artifact “XXXXXX_files_full.zip” of 180GB Why has this been created can I get rid of it from the subset?
Avatar
MSAB_Sofia 3/6/2024 3:16 AM
It is included in the subset, since the WhatsApp conversation you are interested in is linked to (decoded from) this file. And yes - it's annoying. But if you tag the .zip with 'Unimportant' (or some other tag of your choice) and from the Ribbon bar use the 'Exclude artifact' button, and select to exclude artifacts that are tagged 'Unimportant', the link between artifacts will be broken.
Avatar
Avatar
MSAB_Sofia
It is included in the subset, since the WhatsApp conversation you are interested in is linked to (decoded from) this file. And yes - it's annoying. But if you tag the .zip with 'Unimportant' (or some other tag of your choice) and from the Ribbon bar use the 'Exclude artifact' button, and select to exclude artifacts that are tagged 'Unimportant', the link between artifacts will be broken.
I understand. Thank you. Will a subset of data always be the same size as the original extraction? Essentially I’ve attempted to whittle down the size of this to make it easier for the OIC to review and transfer, but what I’ve actually now done is just doubled the amount of space required to store the original and now the subset
Avatar
Avatar
Will-ko
I understand. Thank you. Will a subset of data always be the same size as the original extraction? Essentially I’ve attempted to whittle down the size of this to make it easier for the OIC to review and transfer, but what I’ve actually now done is just doubled the amount of space required to store the original and now the subset
MSAB_Sofia 3/6/2024 3:38 AM
Depending on what and how much data you include in the subset, it can or should become radically less in size compared to the original file size. And then of course as well, what data you select to exclude from the subset - since some data needs to actively be left out. (edited)
Avatar
Thanks again, I think this is probably because it’s a greykey import that it’s using the single source file (edited)
3:39 AM
Which is just a flat 180GB (edited)
Avatar
Avatar
Will-ko
Thanks again, I think this is probably because it’s a greykey import that it’s using the single source file (edited)
MSAB_Sofia 3/6/2024 3:40 AM
But using this 'Exclude artifacts' on the imported .zip should leave this file out of the subset, making the resulting file considerably smaller. If this isn't the case, please reach out to support@msab.com so that we can troubleshoot this further!
Avatar
Avatar
MSAB_Sofia
But using this 'Exclude artifacts' on the imported .zip should leave this file out of the subset, making the resulting file considerably smaller. If this isn't the case, please reach out to support@msab.com so that we can troubleshoot this further!
Ah I see, do that on the original! Okay I’ll try that thank you
Avatar
Avatar
MSAB_Sofia
But using this 'Exclude artifacts' on the imported .zip should leave this file out of the subset, making the resulting file considerably smaller. If this isn't the case, please reach out to support@msab.com so that we can troubleshoot this further!
This worked like a charm! Brilliant thank you!!
🥳 1
Avatar
Hello! I am looking for the source of this file path \private\var\mobile\Media\PhotoData\Caches\Neutrino. Some have said it is connected to an Instagram follower app but the iPhone extraction I am looking at doesn't seem to indicate that at all. I am currently doing a deeper search but while waiting for those results to come back, I thought I would ask you lot...
4:00 AM
There are pictures and videos in this path with the suffix mask.jpg, lexp.jpg, stab.mov
Avatar
Neutrino dilemma resolved, it is a Likes and Followers app for Instagram, stand down!
4:43 AM
Looks like the key app for this app is another app called TestFlight which you need to install to install Neutrino+ (edited)
Avatar
Avatar
AmNe5iA
I've been asked to verify WhatsApp data from an iPhone; specifically they are interested in read receipts (to show the time difference from when the message was received and when it was read). I can see from the ZWAMessage table the time sent from columns ZMessageDate and ZSentDate (Apple Absolute Time). But I can't see any columns for received or read. It appears for items sent there is another table, ZWAMessageInfo, which has a column ZReceiptInfo. This column contains BLOB data which appears to be a binary plist. Does this mean it only records time of delivery and time read by recipients ONLY for sent messages? Thanks. The last time I looked at ChatStorage in this level of detail was some years ago and it appears to have changed quite a bit in the interim. (edited)
Hi mate, I know it's an old post but did you ever figure out how to determine the read receipts date/time for WhatsApp from the db? I have a similar case to determine if the message was actually read as the device has their read receipts turned off
Avatar
Hi everyone, I keep seeing everywhere that com.apple.commcenter.plist contains 'last known ICCID and IMSI', but every time I have seen it it contains multiple ICCIDs and IMSIs; are these all ones that have been used on that phone, or are they linked to something else?
Avatar
@Dan15 @GTBOUCHA Did you guys get any intel on Teleguard? I am looking to see if anyone knows the database well enough to show me where the sent images are stored. I don't think any tool except ALeapp parse Teleguard.
Avatar
Avatar
chms17
Hi everyone, I keep seeing everywhere that com.apple.commcenter.plist contains 'last known ICCID and IMSI', but every time I have seen it it contains multiple ICCIDs and IMSIs; are these all ones that have been used on that phone, or are they linked to something else?
cf-eglendye 3/6/2024 9:00 AM
Have you attempted to verify the data you are seeing within that plist from a secondary source? e.g. CellularUsage.db - Typically it will store up to three of the latest SIM cards used in the device before dropping out of the database.
Avatar
@Ghosted Cellebrite PA supports Teleguard since the last update. You can also find the picture in the SQL database when an image has been made. They are easy to find. It all depends on the burntime.
Avatar
@Dan15 thanks I just ran a test phone and looking at the .db its pretty easy to see the sender receiver image name time. I will check PA on evidence phone. Thanks again.
Salute 1
Avatar
I have a WeChat backup handed over / compiled by an end user. The backup was created within Android and is over two folders which appears as below. The user is somewhat compliant but is offshore (as is the device). Is anyone aware of anything that will decrypt as a standalone tool? (edited)
Avatar
Avatar
cf-eglendye
Have you attempted to verify the data you are seeing within that plist from a secondary source? e.g. CellularUsage.db - Typically it will store up to three of the latest SIM cards used in the device before dropping out of the database.
Yeah, I've looked there, and in com.apple.commcenter.data.plist, the data matches, but I'm just after a bit more context as to what I'm actually looking at - there are 6 SIM details in com.apple.commcenter.plist, and the same 6 in com.apple.commcenter.data.plist, just wondering whether these have all previously been used in this device or if this is something that may sync (edited)
Avatar
Avatar
Phillips
Hi mate, I know it's an old post but did you ever figure out how to determine the read receipts date/time for WhatsApp from the db? I have a similar case to determine if the message was actually read as the device has their read receipts turned off
So it turned out the database only keeps read receipts for sent messages, not all messages, and the BLOB data was protobuf data. I think the version of PA I was using at the time had a bug but later versions correctly decoded the protobuf data. As pointed out by @OllieD , CyberChef was able to decode the protobuf data if PA and other tools were failing. I suspect that, as your device has read receipts turned off, you won't be able to determine this, as turning this setting off (according to the setting description) turns off all read receipts. So the device you have examined doesn't send read receipts to others and others no longer send read receipts to it either. (edited)
Avatar
Can't believe that was three years ago, where has the time gone...
Avatar
Hi everyone. I have a case in which it's important to know how many times the user searched a certain phrase. In history.db there are 8 entries of that phrase. However these entries are only milliseconds apart and some occurred within the same millisecond. It doesn't seem plausible that the user searched this phrase 8 times within a few milliseconds so I'm thinking maybe a refresh of the page but not sure how to corroborate that. Anyone have any ideas?
Avatar
Avatar
chms17
Yeah, I've looked there, and in com.apple.commcenter.data.plist, the data matches, but I'm just after a bit more context as to what I'm actually looking at - there are 6 SIM details in com.apple.commcenter.plist, and the same 6 in com.apple.commcenter.data.plist, just wondering whether these have all previously been used in this device or if this is something that may sync (edited)
the entries listed in the cellularusage.db are all sim cards that have been used in the device
Avatar
Avatar
rylee25
the entries listed in the cellularusage.db are all sim cards that have been used in the device
Yes, but there's more in com.apple.commcenter.plist, and it's the additional ones I'm unsure about the origin of
Avatar
Avatar
rylee25
Hi everyone. I have a case in which it's important to know how many times the user searched a certain phrase. In history.db there are 8 entries of that phrase. However these entries are only milliseconds apart and some occurred within the same millisecond. It doesn't seem plausible that the user searched this phrase 8 times within a few milliseconds so I'm thinking maybe a refresh of the page but not sure how to corroborate that. Anyone have any ideas?
Isn't there a column in history.db that says "from visit" or something? Or tells you how the session was initiated? I'm sure there's something where you can see the URL redirecting and it therefore logging as a search but in reality it's just the browser going through the motions, can't remember off the top of my head the structure of the table
Avatar
Mistercatapulte 3/9/2024 2:06 AM
Hi guys, I've an iPhone FFS, and I found a WhatsApp backup but I'm not able to find the decryption key. In my memory (or not) the manifest plist can contain this type of key, am I right?
Avatar
Avatar
Mistercatapulte
Hi guys, I've an iPhone FFS, and I found a WhatsApp backup but I'm not able to find the decryption key. In my memory (or not) the manifest plist can contain this type of key, am I right?
The key is in the keychain
11:52 AM
wa.backuo.e
Avatar
Hi. I have FFS done on iPhone 15 and I need to parse data from Usecrypt Messenger. Has anyone had this problem before and managed to solve it? The messenger on your device is password protected. The case concerns drugs. UFED PA does not analyze this messenger. (edited)
Avatar
Avatar
Zolwik_MF
Hi. I have FFS done on iPhone 15 and I need to parse data from Usecrypt Messenger. Has anyone had this problem before and managed to solve it? The messenger on your device is password protected. The case concerns drugs. UFED PA does not analyze this messenger. (edited)
@bang Might be able to help.
👍 1
Avatar
I was wondering if anyone has anything around producing Samsung logs using the menu from dialing *#9900# before performing a Cellebrite extraction. It seems like there is a lot of information in there but Cellebrite has never asked me to produce the logs before extraction. Does Cellebrite extract all of that information anyway and so it is unnecessary to produce the logs beforehand?
Avatar
Maybe of interest to some, I’ve been working on a job where we’ve needed Facebook Messenger conversations between victims and witnesses. Full consent given all along. Done traditional extraction of their phones initially to get some WhatsApp messages, but as expected no Facebook. Used supplied credentials to cloud capture the accounts. The one conversation I needed appears to now be end-to-end encrypted in Messenger and did not come across with the cloud acquisition. Fortunately I also managed to do a file system extraction on one of the devices via Cellebrite. The Facebook Messenger conversations were decoded correctly in chats, however the encrypted one was missing from this subsection. The individual messages were visible but under a Facebook Messenger heading under instant messages, though they were not linked into a conversation. Ordering the list chronologically showed the flow of conversation but this isn’t perfect (edited)
📬 2
Avatar
Additionally does anyone have any guides for understanding the logs that are produced by Samsung logcat? There is a lot of information but I am unsure what some of it exactly means.
Avatar
Avatar
Will-ko
Maybe of interest to some, I’ve been working on a job where we’ve needed Facebook Messenger conversations between victims and witnesses. Full consent given all along. Done traditional extraction of their phones initially to get some WhatsApp messages, but as expected no Facebook. Used supplied credentials to cloud capture the accounts. The one conversation I needed appears to now be end-to-end encrypted in Messenger and did not come across with the cloud acquisition. Fortunately I also managed to do a file system extraction on one of the devices via Cellebrite. The Facebook Messenger conversations were decoded correctly in chats, however the encrypted one was missing from this subsection. The individual messages were visible but under a Facebook Messenger heading under instant messages, though they were not linked into a conversation. Ordering the list chronologically showed the flow of conversation but this isn’t perfect (edited)
Meta announced they were rolling out end-to-end encryption for FB and Insta a little while ago. My understanding is you can still get message content from them from before they flipped the switch.
Avatar
Hi, does anyone know if either @Magnet Forensics or @Cellebrite have any sort of roadmap for future supported apps parsing on their respective support portals? I can't find anything.
📬 1
Avatar
Hi, @Cellebrite, I have a FFS of an iPad WiFi (J181AP) that has a CellularUsage.db which reports the usage of an ICCID. I don't understand why this exists! Does someone have an explanation for this? 🙂
Avatar
Where would I look to find the settings for Google Photos and Google Drive? Trying to see if the subject was backing up images/videos. (edited)
Avatar
Avatar
ninjapaz.
Hi, @Cellebrite, I have a FFS of an iPad WiFi (J181AP) that has a CellularUsage.db which reports the usage of an ICCID. I don't understand why this exists! Does someone have an explanation for this? 🙂
Might be a residue of a backup?
Avatar
Avatar
florus
Might be a residue of a backup?
Maybe, but the other thing is the ICCID begins with 89444... and I cannot tell where this comes from. And there is no phone number associated with it in the database.
Avatar
I am looking for some guidance regarding the encrypted app com.enchanted.photovault (Android Photo Vault). I have the password and on the physical device there are 4000 images. A FFS extraction parses the records but cannot see the media.
📬 1
Avatar
Hi all, I'm dealing with an investigation that is heavily relying on KnowledgeC. The investigating officers are concerned about data syncing. I have looked into it and found conflicting info as to whether KnowledgeC data syncs. Can anyone confirm that it is all local, or if there is a column in the database that identifies where the data came from? Thank you
Avatar
Avatar
woody38
I am looking for some guidance regarding the encrypted app com.enchanted.photovault (Android Photo Vault). I have the password and on the physical device there are 4000 images. A FFS extraction parses the records but cannot see the media.
@bang has something that can decrypt 🙂
Avatar
Avatar
Nick_26
Hi all, I'm dealing with an investigation that is heavily relying on KnowledgeC. The investigating officers are concerned about data syncing. I have looked into it and found conflicting info as to whether KnowledgeC data syncs. Can anyone confirm that it is all local, or if there is a column in the database that identifies where the data came from? Thank you
burgers_N_bytes 3/13/2024 6:48 AM
KnowledgeC is all stored locally and does not sync or back up to other devices
Avatar
anyone from @Cellebrite to help me?
Avatar
I have a question about message timestamps. I believe a phone I am looking at was powered off for a few hours, however PA interprets the phone receiving an iMessage and two discord messages during the time I believe it was off. Looking at the table, I can't figure out exactly what the timestamp refers to. Do the messages contain a timestamp of when they were sent, so that even if the phone was off the timestamp could show the correct time, or is there a second device which received the messages and timestamped them?
Avatar
JLindmar (83AR) 3/13/2024 1:44 PM
Regarding Google Maps' /data/data/com.google.android.gms/databases/context_[Google Account]_gmail.com.db, does anyone have any insight as to how the context.proto_blob value is stored? In my dataset, it isn't a straightforward protobuf, but appears additionally encoded. @Cellebrite PA Inseyets does parse it, but I want to know how so I can do it manually to verify. (edited)
Avatar
James Pedersen 3/13/2024 10:29 PM
Hi, does anyone know where in the filesystem I can find data regarding translations made in the Translate application on an iPhone?
Avatar
Hello, I have found a database with geocoordinates in a protobuf on a Xiaomi 13 (OS 14) (data/data/com.google.android.gms/databases/context<MAIL>.db). Can anyone tell me where this data comes from or how accurate or reliable it is? It is not clear from the database
Avatar
Jordasaurus 3/14/2024 4:23 AM
Hi all, Question about KnowledgeC on iPhone. Does anybody know why two call logs for the same call would have different timestamps and durations? One is being pulled from: CallHistory.storedata-wal The other is being pulled from knowledgeC.db The timestamp and durations are only a few seconds out in most cases, but I’m looking for a way to explain this.
Avatar
Iwwazwersch 3/14/2024 5:41 AM
Hello, does anyone know if the new invisible WhatsApp-Chats are listed normally in the database? https://blog.whatsapp.com/introducing-secret-code-for-chat-lock
Avatar
spicy_caveman 3/14/2024 7:46 AM
@Cellebrite anyone up for a quick UFDR question- pertains to displaying "application data" in the analyzed data section- or the lack thereof.
Avatar
Is anyone aware of the "Advanced Data Protection" feature on iCloud and its effect on Adv Logical extractions? When doing my extraction it said the backup was not encrypted but in the device info it has Is Encrypted: True (is that just for the extraction copy?) and all of the chats are unreadable. (edited)
Avatar
Avatar
Markus
Hello, I have found a database with geocoordinates in a protobuf on a Xiaomi 13 (OS 14) (data/data/com.google.android.gms/databases/context<MAIL>.db). Can anyone tell me where this data comes from or how accurate or reliable it is? It is not clear from the database
JLindmar (83AR) 3/14/2024 9:10 AM
I just posted a question about this database yesterday: https://discord.com/channels/427876741990711298/545232743353810946/1217574017267925002 It appears reliable based on the known dataset I have. Can you give me insight on how you are decoding the protobuf?
Avatar
I'm working on a CSAM case where the vic was making videos that were saved to an iPad. The vic appears to be interacting with an individual/audience but I cannot tell much about the video other than the timestamp and the content. When looking at the timeline I see the YouTube app is being accessed frequently at the same time the video was created. 1) Is it possible to discern the @username that is logged into the YouTube account via Cellebrite Analyzer (Inseyets)? 2) Is it possible to determine if the video was the result of a YouTube live stream just from the data on the phone?
Avatar
Avatar
Beefhelmet
I'm working on a CSAM case where the vic was making videos that were saved to an iPad. The vic appears to be interacting with an individual/audience but I cannot tell much about the video other than the timestamp and the content. When looking at the timeline I see the YouTube app is being accessed frequently at the same time the video was created. 1) Is it possible to discern the @username that is logged into the YouTube account via Cellebrite Analyzer (Inseyets)? 2) Is it possible to determine if the video was the result of a YouTube live stream just from the data on the phone?
spicy_caveman 3/14/2024 11:21 AM
Any and all social media, streaming services, or cloud repositories/storage should be immediately preserved and you should obtain search warrants for the content of these platforms you are seeing that are in use by your suspect. Looking at CSAM sources- when they are created- will lead you into many deep rooted areas of data. Don't pull the weed up by the flower- pull it up by the taproot brother.
Avatar
Avatar
spicy_caveman
Any and all social media, streaming services, or cloud repositories/storage should be immediately preserved and you should obtain search warrants for the content of these platforms you are seeing that are in use by your suspect. Looking at CSAM sources- when they are created- will lead you into many deep rooted areas of data. Don't pull the weed up by the flower- pull it up by the taproot brother.
Thanks. Unfortunately right now my victim is my only “suspect”.
💀 1
Avatar
Does anyone have experience parsing data from the healthdb for iOS? Trying to figure out what the tables mean.
Avatar
Avatar
Beefhelmet
I'm working on a CSAM case where the vic was making videos that were saved to an iPad. The vic appears to be interacting with an individual/audience but I cannot tell much about the video other than the timestamp and the content. When looking at the timeline I see the YouTube app is being accessed frequently at the same time the video was created. 1) Is it possible to discern the @username that is logged into the YouTube account via Cellebrite Analyzer (Inseyets)? 2) Is it possible to determine if the video was the result of a YouTube live stream just from the data on the phone?
James Pedersen 3/14/2024 9:48 PM
I have a thought here ....
Avatar
Avatar
James Pedersen
I have a thought here ....
James Pedersen 3/14/2024 9:59 PM
Actually, never mind
Avatar
Avatar
James Pedersen
Actually, never mind
James Pedersen 3/14/2024 10:05 PM
I confused this with something else
Avatar
Hey All. Have a WhatsApp on Android. Is it correct that the folder "/data/media/0/WhatsApp/Media/WhatsApp Images/" contains files received by the user? The weird thing is that in this folder is a photo of relevance we believe was taken by the user, and the phone model is the same as we are analyzing. Is this possible in some way and can we trust that only received files are in the Images root folder and the sent ones are in the "Sent" dir? Thanks in advance
Avatar
Avatar
j_matas
Hey All. Have a WhatsApp on Android. Is it correct that the folder "/data/media/0/WhatsApp/Media/WhatsApp Images/" contains files received by the user? The weird thing is that in this folder is a photo of relevance we believe was taken by the user, and the phone model is the same as we are analyzing. Is this possible in some way and can we trust that only received files are in the Images root folder and the sent ones are in the "Sent" dir? Thanks in advance
CLB_4n6s_mc 3/15/2024 2:43 AM
Could you confirm you have a Full File System extraction?
Avatar
yes we have that... Currently doing some tests
Avatar
Avatar
JLindmar (83AR)
I just posted a question about this database yesterday: https://discord.com/channels/427876741990711298/545232743353810946/1217574017267925002 It appears reliable based on the known dataset I have. Can you give me insight on how you are decoding the protobuf?
Decoding protobufs yourself is a bit complicated to explain here. I have actually only viewed the decoding via Cellebrite and have not yet verified it as a protobuf. I thought it was a protobuf purely from the optics in the hex editor. But I'll test it out over the next few days and get back to you
Avatar
Avatar
Markus
Decoding protobufs yourself is a bit complicated to explain here. I have actually only viewed the decoding via Cellebrite and have not yet verified it as a protobuf. I thought it was a protobuf purely from the optics in the hex editor. But I'll test it out over the next few days and get back to you
JLindmar (83AR) 3/15/2024 10:42 AM
Typically I'll decode protobufs in PA's File Format Viewer, CyberChef, Mushy, and/or protoc. In this specific case, PA is decoding it, but the native data appears additionally encrypted/encoded to where my other tools won't work. I'm trying to figure out what this additional layer is and how to handle it.
Avatar
Hi, is it possible to bruteforce a Samsung Secure Folder pin code from data obtained in a Physical or FFS extraction? I'm trying to find that pin so I can access other phones. Thanks!
Avatar
Avatar
Miller280
Hi, is it possible to bruteforce a Samsung Secure Folder pin code from data obtained in a Physical or FFS extraction? I'm trying to find that pin so I can access other phones. Thanks!
After the fact no.
Avatar
Avatar
CLB-Paul
After the fact no.
Ok, thanks
Avatar
Anyone have references on not being able to recover deleted messages from the newer iOS? I have a FFS and there are no messages that were recovered
Avatar
Avatar
Jay528
Anyone have references on not being able to recover deleted messages from the newer iOS? I have a FFS and there are no messages that were recovered
I'd check the compressed archive file the ffs extraction is saved in to make sure the sms.db is there (private/var/mobile/library/sms/sms.db). I've seen instances where for some reason a certain tool didn't pull it as part of the ffs and the phone had to be re-extracted.
Avatar
The SMS database is there. I forgot where I read that on the newer iOS it is not likely to recover deleted messages
6:03 PM
There is no lack of tools claiming the ability to recover lost or deleted information from the iPhone. These tools’ claims range from “Recover data lost due to water damaged, broken, deletion, device loss, etc.” to the much more reserved “Selectively recovers iPhone data from internal memory, iCloud
6:03 PM
Messages. Your text messages and iMessages are stored in a database in the SQLite format. By default, SQLite does not overwrite records immediately after they’ve been deleted. Instead, SQLite marks them as “deleted”. Deleted pages become unused, and are stored on what is called a “freelist”. If you obtain the database files (by making a backup), these records can be recovered until the moment the database is fully vacuumed and defragmented (if it is, the deletion becomes permanent). This used to be the case in iOS 8 through iOS 11. Starting with iOS 12, Apple seemingly moved to a non-standard implementation, physically wiping records almost immediately after they are deleted. As a result, deleted text messages and iMessages cannot be recovered in iOS 12, 13 and newer.
Avatar
James Pedersen 3/16/2024 9:50 AM
Although, @Beefhelmet now that I think about it, wouldn't you want to at least try to track down the login token? Isn't this the way these things work?
Avatar
Avatar
James Pedersen
Although, @Beefhelmet now that I think about it, wouldn't you want to at least try to track down the login token? Isn't this the way these things work?
James Pedersen 3/16/2024 9:55 AM
Just a thought.
Avatar
Kind of a random question. Could someone explain or send a link as to how you would manually convert Hexadecimal (big-endian) to Apple Absolute time. How does 0x 41 C3 0D 06 5F B5 DD become 639241407.420816 (just a random example from a phone I had been working on)? The conversion from the decimal value to the time is easy, I'm just not sure how the decimal number is derived from the hex. I had never paid attention to it in raw form and incorrectly presumed it was either just a straight hex to decimal conversion or stored as ascii (edited)
Avatar
Avatar
Solec
Kind of a random question. Could someone explain or send a link as to how you would manually convert Hexadecimal (big-endian) to Apple Absolute time. How does 0x 41 C3 0D 06 5F B5 DD become 639241407.420816 (just a random example from a phone I had been working on)? The conversion from the decimal value to the time is easy, I'm just not sure how the decimal number is derived from the hex. I had never paid attention to it in raw form and incorrectly presumed it was either just a straight hex to decimal conversion or stored as ascii (edited)
It's using the IEEE 754 double-precision format. https://en.wikipedia.org/wiki/Double-precision_floating-point_format There are several converters online that show a breakdown of how each bit is interpreted. For example: https://resource.heltec.cn/utils/hf
👍 2
Avatar
Avatar
CLB-ShaiS
It's using the IEEE 754 double-precision format. https://en.wikipedia.org/wiki/Double-precision_floating-point_format There are several converters online that show a breakdown of how each bit is interpreted. For example: https://resource.heltec.cn/utils/hf
Awesome, thank you!
Avatar
benny | RlP 3/18/2024 5:49 AM
Anyone from @Cellebrite available for a quick PA question?
📬 1
Avatar
Does anyone know if iMazing extractions can be parsed by Cellebrite/Axiom or another tool ?
Avatar
Avatar
Jay528
Does anyone know if iMazing extractions can be parsed by Cellebrite/Axiom or another tool ?
I believe iMazing is using the same mechanism as iTunes for its backups. If this is the case, you can try this in Cellebrite PA/Inseyets: "Common source" -> "Backup" -> "iTunes backup". But if you can, I would strongly suggest creating a "normal" iTunes backup and loading that instead.
Avatar
kroesus_kai 3/19/2024 2:50 AM
@Cellebrite Hi there. I'm missing the "manual evidence" in my recent Inseyets cases using the latest release 10.1.101.64. Pictures of the device taken with UFED Camera do not appear in the extraction. Is this a known issue or am I maybe missing a setting?
📫 1
Avatar
Avatar
CLB-ShaiS
I believe iMazing is using the same mechanism as iTunes for its backups. If this is the case, you can try this in Cellebrite PA/Inseyets: "Common source" -> "Backup" -> "iTunes backup". But if you can, I would strongly suggest creating a "normal" iTunes backup and loading that instead.
Thank you
Avatar
I have a physical and FFS extraction of an Amazon Fire tablet running Android 9, but the passcode is unknown and it is not supported for brute force. Is the passcode or the hash of the passcode stored somewhere in the extractions?
10:00 AM
I don't think it is there, but I just wanted to make sure.
Avatar
Deleted data is crucial for all digital forensic examiners. As of iOS 17.4, MSAB are now decoding more deleted data from iTunes backups.
👍🏼 1
🔥 2
👍 2
10:47 AM
In case people were not aware of the above for iOS 17.4 😁
Avatar
James Pedersen 3/19/2024 12:08 PM
Hi folks, I have a question about Safari on the iPhone. I have read this Apple support page (https://support.apple.com/en-us/102279), and I think it's the same situation as on older iOS versions when you visit a web page in Safari with a red lock with a slash through it before the URL. My question is, if someone visits such a web page in Safari, is there any marker left by Safari on the iPhone, that can be retrieved from a forensic extraction of the filesystem of the iPhone, that would indicate that such a web page was indeed flagged by Safari in this way? (edited)
Avatar
Avatar
Jay528
Does anyone know if iMazing extractions can be parsed by Cellebrite/Axiom or another tool ?
Yes. Tested on an encrypted backup parsed by AXIOM Cyber. (edited)
Avatar
@derekeiri much appreciated !
Avatar
I've got a case involving WhatsApp calls on an Android phone. The issue raised is that the logs in WhatsApp show the calls ending before they actually did; the time difference varies for each call but it goes up to 20 seconds. The phone's date and time was set to Auto and as far as we can tell it was accurate for other artefacts, such as regular call history. We can prove the times of the WhatsApp calls by other means and the discrepancy is causing some problems for the case. I may have to do some testing on this, but wondered if anyone has come across this before? (I've confirmed the times on the phone using two forensic tools and manually)
Avatar
I have a FFS extraction of an iPhone - interested in parsing Telegram. Attempted PA 7.67 and newest Axiom version, Telegram will not parse. I am able to find the database in the file structure and it's decrypted, so should have no problem seeing the data. Telegram version is 10.4. Anyone have any suggestions or had similar experience with this Telegram version?
Avatar
Avatar
CIF
I have a FFS extraction of an iPhone - interested in parsing Telegram. Attempted PA 7.67 and newest Axiom version, Telegram will not parse. I am able to find the database in the file structure and it's decrypted, so should have no problem seeing the data. Telegram version is 10.4. Anyone have any suggestions or had similar experience with this Telegram version?
Looks like in their documentation and supported apps 7.67 supports up to Telegram Version 10.5, so I assume 10.4 would be covered as well. I wonder if a ticket might be required?
Avatar
I checked that as well and thought the same, but unsure if the database schema is different from 10.4 -> 10.5. It parses call logs but no messages. Was curious if anyone else has seen similar
1:42 PM
@camdeezee.
Avatar
Avatar
CIF
I checked that as well and thought the same, but unsure if the database schema is different from 10.4 -> 10.5. It parses call logs but no messages. Was curious if anyone else has seen similar
@Cellebrite someone might be able to chime in on their thoughts...
Avatar
I extracted the memory of a SM-A032F with Oxygen, but Oxygen can't bruteforce the password. Passware doesn't seem to take it into account; can I specify more rules to Oxygen to bruteforce it nonetheless
1:57 AM
?
Avatar
@Oxygen Forensics
👍 1
2:09 AM
⬆️
Avatar
Avatar
emilie_
I extracted the memory of a SM-A032F with Oxygen, but Oxygen can't bruteforce the password. Passware doesn't seem to take it into account; can I specify more rules to Oxygen to bruteforce it nonetheless
Oxygen Forensics 3/21/2024 2:25 AM
Hello! I will DM you 🙂
👍 1
Avatar
Hey, does anyone know if a chat is deleted from WhatsApp on an Android device, whether the videos present in the chat are automatically moved to the trash or the media remains in the gallery folder?
6:16 AM
Is there also a database on Android, like 'photos.sqlite' on iOS, where we can see how many times a media file has been viewed?
6:17 AM
I presume that the media remains in the gallery and has to be moved manually to the trash, but I don't have an Android to test it yet.
Avatar
Avatar
Dam
Hey, does anyone know if a chat is deleted from WhatsApp on an Android device, whether the videos present in the chat are automatically moved to the trash or the media remains in the gallery folder?
From experience the media remains
👍🏻 1
Avatar
Mistercatapulte 3/21/2024 7:04 AM
@Dam yep, same thing for me
7:05 AM
media stay on the device (in general)
7:07 AM
@Dam for the photos, you have gphotos-1.db, after that it depends on the Android version etc.
👍🏻 1
Avatar
Avatar
Mistercatapulte
@Dam for the photos, you have gphotos-1.db, after that it depends on the Android version etc.
Thanks I will check that db.
👍🏻 1
Avatar
Mistercatapulte 3/21/2024 7:13 AM
@Dam try with ALEAPP, it can help too 🙂
👌🏻 1
Avatar
Hello, short question: I managed to decrypt the health database from Samsung Health and found the stored pedometer data in the data blob. Does anybody know in which unit the "distance" is stored? Sometimes it's a high value with not many steps, sometimes the other way round (mwalktime=105356, walkstep=167, distance=23.820004 vs. mwalktime=22678, walkstep=34, distance=55.260002)
Avatar
Russell Abel - Bastrop County SO 3/21/2024 9:56 AM
@Cellebrite I'm trying to download Inseyets and PA from the website, but I keep getting this.
Avatar
Avatar
Russell Abel - Bastrop County SO
@Cellebrite I'm trying to download Inseyets and PA from the website, but I keep getting this.
Which version? I just tried and it started the download for me.
Avatar
Russell Abel - Bastrop County SO 3/21/2024 10:00 AM
10.1
10:00 AM
and 7.67
Avatar
Sent you a DM.
Avatar
Avatar
Russell Abel - Bastrop County SO
@Cellebrite I'm trying to download Inseyets and PA from the website, but I keep getting this.
Are you using a VPN?
Avatar
Russell Abel - Bastrop County SO 3/21/2024 10:52 AM
I switched to tether with my cell phone and disabled my VPNs and was able to download.
Avatar
Anyone familiar with ios sysdiagnose logs?
Avatar
ScottKjr3347 3/21/2024 5:04 PM
Photos.sqlite is tracking assets being shared in the iCloud Shared Photo Library (SPL) & who shared the asset to the SPL. PhotoData/Photos.sqlite & Syndication.PhotoLibrary/Database/Photos.sqlite iOS 14-17 queries have been updated to include iCloud Shared Photo Library & Shared with You Syndication assets. Research and documentation coming soon. https://github.com/ScottKjr3347/PhotoData-Synd-Photos.sqlite_Queries
This is a new repository used to provide updated SQLite queries for both Photos.sqlite databases. Most of the updated queries will work on both Photos.sqlite databases (PhotoData-Photos.sqlite and ...
👍🏻 2
👏 1
Avatar
Does anyone have experience with the following: if a user uses multiple devices with the same Snapchat account, is there some Snapchat db/file that tells which message was sent from which device?
Avatar
Avatar
Markus
Hello, I have found a database with geocoordinates in a protobuf on a Xiaomi 13 (OS 14) (data/data/com.google.android.gms/databases/context<MAIL>.db). Can anyone tell me where this data comes from or how accurate or reliable it is? It is not clear from the database.
@Cellebrite I have seen that the PA 10 classifies the entries from this database (com.google.android.gms/databases/context<MAIL>.db) as visited. What causes these entries or how accurate are they?
Avatar
I'm very excited about the animated maps feature of Axiom... @Magnet Forensics !! Awesome feature, hopefully it will work as stated in your video 😄
magnetforensics 3
Avatar
Morning all, anyone know of a good shared repository for Cellebrite Python scripts? Hoping there was a community of like-minded folk that use them for special reporting or analytics.
Avatar
Avatar
Mistercatapulte
@Dam try with ALEAPP, it can help too 🙂
Husky_M00s3 3/22/2024 5:48 PM
Photos.sqlite can tell you how many times a photo was viewed? @Dam @ScottKjr3347
Avatar
Avatar
Husky_M00s3
Photos.sqlite can tell you how many times a photo was viewed? @Dam @ScottKjr3347
ScottKjr3347 3/22/2024 6:15 PM
*yes…additional testing and research is necessary. There is now a timestamp that says last viewed BUT I don’t know if or how frequently it’s cleared from the db or what actions cause the timestamp to populate. During recent testing when I viewed assets from the camera roll for both local photo library and iCld shared photo library a timestamp populated. But again I want to make clear I was not testing or researching the viewed timestamp so my actions were not being documented. As of today I have only found it in iOS 16 and 17. (edited)
👍🏻 1
Avatar
Avatar
ScottKjr3347
*yes…additional testing and research is necessary. There is now a timestamp that says last viewed BUT I don’t know if or how frequently it’s cleared from the db or what actions cause the timestamp to populate. During recent testing when I viewed assets from the camera roll for both local photo library and iCld shared photo library a timestamp populated. But again I want to make clear I was not testing or researching the viewed timestamp so my actions were not being documented. As of today I have only found it in iOS 16 and 17. (edited)
Husky_M00s3 3/22/2024 6:43 PM
Very cool.
Avatar
Avatar
Husky_M00s3
Photos.sqlite can tell you how many times a photo was viewed? @Dam @ScottKjr3347
ScottKjr3347 3/23/2024 12:22 AM
Sorry, I just reread your post and you asked about the viewed count(s), not viewed dates. Again yes, this and other counts such as played, shared, pending viewed and pending played are stored in the photos.sqlite. Based on what I have experienced during my testing and research these count values are not that reliable. During my testing I have seen where counts were recorded when I didn't view, play, or share an asset. I have also experienced instances where I viewed and played an asset and the action was not immediately recorded in the database. I am not sure if anyone else out here has tested this and is willing to share their results. The last time I looked into these counts it required an asset to be viewed and/or played. Then a pending count would be added to the appropriate field. Then, after the asset was reprocessed/analyzed by the OS, the count would be moved from the pending field to the asset viewed/played count field. I would be very careful about making definitive statements based on the counts listed in the db.
Avatar
LaunchPADMcHack 3/23/2024 12:03 PM
Hello All, I have a client who has a hearing disability. She uses captioning software on her iPhone to communicate with oral phone calls. She wants to use some captions off the phone in a case (having to do with discrimination due to her hearing). The ruling officers on the case are saying the captions are inadmissible due to 'hearsay'. I have confirmed that there is no ability for the captions to be altered by the user and they are intact the way they were created when the conversation took place. Do any of you have any experience with such issues, or perhaps even know of some precedent? Thank you
Avatar
Avatar
ScottKjr3347
Sorry, I just reread your post and you asked about the viewed count(s), not viewed dates. Again yes, this and other counts such as played, shared, pending viewed and pending played are stored in the photos.sqlite. Based on what I have experienced during my testing and research these count values are not that reliable. During my testing I have seen where counts were recorded when I didn't view, play, or share an asset. I have also experienced instances where I viewed and played an asset and the action was not immediately recorded in the database. I am not sure if anyone else out here has tested this and is willing to share their results. The last time I looked into these counts it required an asset to be viewed and/or played. Then a pending count would be added to the appropriate field. Then, after the asset was reprocessed/analyzed by the OS, the count would be moved from the pending field to the asset viewed/played count field. I would be very careful about making definitive statements based on the counts listed in the db.
Husky_M00s3 3/24/2024 11:38 AM
Thank you for the clarification.
Avatar
Avatar
LaunchPADMcHack
Hello All, I have a client who has a hearing disability. She uses captioning software on her iPhone to communicate with oral phone calls. She wants to use some captions off the phone in a case (having to do with discrimination due to her hearing). The ruling officers on the case are saying the captions are inadmissible due to 'hearsay'. I have confirmed that there is no ability for the captions to be altered by the user and they are intact the way they were created when the conversation took place. Do any of you have any experience with such issues, or perhaps even know of some precedent? Thank you
Husky_M00s3 3/24/2024 11:55 AM
I have some US criminal case law if you are interested: United States v. Lizarraga-Tirado. United States v. Moon. Evidence as self-authenticating evidence under Rule 902(13) and 902(14). FRE 901(b)(9), which permits “evidence about a process or system”. You could call a “qualified person” under FRE 902(11). IMBO, the caption software output sounds like self-authenticating, machine-generated business records. The caption software company has a business interest in accurately transcribing records. They would go out of business pretty fast if they changed the meaning of sentences. Disclaimer, I am NOT a lawyer. A lawyer with training, knowledge of local rules, and experience would be a better source. I can point you to law journals and whitepapers if you are interested. Most surround the admissibility of cryptocurrency.
Avatar
Avatar
Husky_M00s3
I have some US criminal case law if you are interested: United States v. Lizarraga-Tirado. United States v. Moon. Evidence as self-authenticating evidence under Rule 902(13) and 902(14). FRE 901(b)(9), which permits “evidence about a process or system”. You could call a “qualified person” under FRE 902(11). IMBO, the caption software output sounds like self-authenticating, machine-generated business records. The caption software company has a business interest in accurately transcribing records. They would go out of business pretty fast if they changed the meaning of sentences. Disclaimer, I am NOT a lawyer. A lawyer with training, knowledge of local rules, and experience would be a better source. I can point you to law journals and whitepapers if you are interested. Most surround the admissibility of cryptocurrency.
LaunchPADMcHack 3/24/2024 1:12 PM
Thank You, this is what I was looking for. For the record, I should be the qualified person, but it's not even making it that far.
Avatar
Avatar
LaunchPADMcHack
Thank You, this is what I was looking for. For the record, I should be the qualified person, but it's not even making it that far.
Husky_M00s3 3/24/2024 6:12 PM
Great. This sounds frustrating. Good luck. This issue built mansions in my brain today…Is it hearsay if she read it? Like no one claims hearsay when speaking about a word doc or pdf on someone’s computer. If she is testifying, you could submit it as her rule 3500 material. Just something to think about. Here is a good article: Pelker, C. A., Brown, C. B., & Tucker, R. M. (2021). Using blockchain analysis from investigation to trial. Department of Justice Journal Federal Law and Practice. 69, 59. https://www.justice.gov/media/1169626/dl?inline
Avatar
Mistercatapulte 3/25/2024 3:24 AM
Hello everyone, I am facing a case with 11500 notes present and deleted in notestore.sqlite (yes, yes, 11500). I would like to know if it is possible, just like on Android, to record voice notes, and to know if one of the tables references this type of information in notestore.sqlite. Thanks
Avatar
has anyone got an explanation/definition for telegram "y_partial" images? I have a number at the file path private\var\mobile\Containers\Shared\AppGroup<UUID>\telegram-data\account-<ID>\postbox\media\ and I'm wondering whether they would be considered accessible or not
7:26 AM
and also how I can explain 'partial' in an SFR...
Avatar
Mistercatapulte 3/25/2024 7:26 AM
@chms17 from my xp and pov, data were not downloaded to the device but only on the Telegram server
Avatar
Avatar
Mistercatapulte
@chms17 from my xp and pov, data were not downloaded to the device but only on the Telegram server
that would make sense as to why they are all named 'telegram-cloud-photo-size-4-...'
7:27 AM
just wanted to corroborate my thinking really!
7:27 AM
thanks
Avatar
Mistercatapulte 3/25/2024 7:29 AM
if someone can corroborate that too 🙂
👍 1
Avatar
Anyone have experience with a blank sms.db and modification at time of extraction? Cellebrite was only able to decode the Recents, which is junk. I need to preserve and document the user's text messages and that is about the only artifact that did not decode. Can anyone give me some insight into what may be happening here? (Also, the extraction as indicated in the summary only took < 15 mins when in reality I remember it taking longer than that, which feels off to me.) It is very likely the user set up some sort of wipe feature / encryption PRIOR but I have not been able to find anything concrete besides an AI Cleaner app. I also saw some messages live on his device at extraction so it is not the case that there was nothing there. (edited)
📬 1
Avatar
For added info: sms.db-shm and -wal created 3 days before the extraction
Avatar
Trying to see what results when a user navigates to Settings > iCloud > Apps using iCloud > Messages in the Cloud. Turns it On. And then also has Advanced Data Protection. Exploring settings they could enable.
Avatar
Avatar
theshark
Anyone have experience with a blank sms.db and modification at time of extraction? Cellebrite was only able to decode the Recents, which is junk. I need to preserve and document the user's text messages and that is about the only artifact that did not decode. Can anyone give me some insight into what may be happening here? (Also, the extraction as indicated in the summary only took < 15 mins when in reality I remember it taking longer than that, which feels off to me.) It is very likely the user set up some sort of wipe feature / encryption PRIOR but I have not been able to find anything concrete besides an AI Cleaner app. I also saw some messages live on his device at extraction so it is not the case that there was nothing there. (edited)
What is the message retention setting? What iOS version are you working with?
Avatar
House Whiskey 3/26/2024 2:12 AM
Morning all, been sent a wiped iPhone. Just checking, other than the .obb file with the timestamp are there any other artefacts up for grabs? Anything like the iCloud ID that issued the remote wipe command etc
Avatar
Mistercatapulte 3/26/2024 2:18 AM
@House Whiskey you can grab the purplebuddy file to determine it (edited)
👍🏼 1
Avatar
Avatar
Mistercatapulte
@House Whiskey you can grab the purplebuddy file to determine it (edited)
House Whiskey 3/26/2024 2:48 AM
I’ll look into it, cheers for the response 👍🏼
👍🏻 1
Avatar
benny | RlP 3/26/2024 3:30 AM
Hey there, is there a possible artifact on Android (especially Samsung) where I can see if a device was connected to a PC?
Avatar
jack dawson 3/26/2024 4:39 AM
I am working with a GK FFS extraction of an LG phone. Certain images of interest are encrypted using the content lock feature of the LG Gallery app and show up with a “.jpg.dm” file extension when I view the decoded/parsed extraction within latest versions of PA and Axiom. Does anyone have any insight into how I could decrypt these “.jpg.dm” files?
Avatar
Mistercatapulte 3/26/2024 6:01 AM
@Magnet Forensics @Cellebrite
Avatar
Avatar
EricL400
I have came across the LockMyPix application on an Android device. I believe there are hundreds of files of CSAM within the application. All have the .6zu extension. I saw there was some discussion about this application in the past. Does anyone have any information that could help me decrypt these files?
Hey, did you find a solution for that app? I have the exact same app on an Android device. (edited)
Avatar
Anyone have any luck with an LG Q Stylo 4 (LM-Q710FGN) - running Android 8.1. Premium can't access with any method
Avatar
Avatar
jack dawson
I am working with a GK FFS extraction of an LG phone. Certain images of interest are encrypted using the content lock feature of the LG Gallery app and show up with a “.jpg.dm” file extension when I view the decoded/parsed extraction within latest versions of PA and Axiom. Does anyone have any insight into how I could decrypt these “.jpg.dm” files?
mond4y_morNin6 3/26/2024 1:01 PM
I have dealt with this before and had to use the device itself to decrypt the files. I can send you more info when I get back to the office tomorrow if you would like.
Avatar
Avatar
mond4y_morNin6
I have dealt with this before and had to use the device itself to decrypt the files. I can send you more info when I get back to the office tomorrow if you would like.
jack dawson 3/26/2024 1:30 PM
Yes, please. I appreciate it.
Avatar
I have exported out the FB messaging database and can't figure out why a NULL value is there. There are also messages with nothing in the field at all.. Has anyone come across this before?
📬 1
Avatar
Avatar
benny | RlP
Hey there, is there a possible artifact on Android (especially Samsung) where I can see if a device was connected to a PC?
Husky_M00s3 3/26/2024 6:25 PM
Try running ALEAPP on it. It parsed "ADB Hosts" from \temp\data\misc\adb\adb_keys when I used it to analyze the ASUS_X00TDB image in the Belkasoft Android Forensics training.
Avatar
benny | RlP 3/27/2024 1:08 AM
Thank you @Husky_M00s3, I will give it a try
Avatar
equalexpert 3/27/2024 6:46 AM
Does anyone have any documentation on writing plugins or using the API with UFED PA? Had a (very) quick look on their site but didn't see anything. Anyone from @Cellebrite have any pointers? (edited)
Avatar
If anyone from Cellebrite can help out here: I'm using SQLite Wizard and have a timestamp format that looks like 202401130000, so year/month/day/hour/minute/second. I'm using the custom format option, but can't figure out the right format for putting it in. I've tried YYYYMMDDHHMMSS, yyyyMMddHHmmss, YYYYMMddHHmmss... could anyone save me some time?
Avatar
Mistercatapulte 3/27/2024 9:58 AM
@Cellebrite
Avatar
Avatar
Gumpoo
I have exported out the FB messaging database and can't figure out why a NULL value is there. There are also messages with nothing in the field at all.. Has anyone come across this before?
Could be those are emojis or audio recordings. Stuff like that is sometimes recorded in a different column way down the table or in a completely separate table.
Avatar
Avatar
Terry_____
Could be those are emojis or audio recordings. Stuff like that is sometimes recorded in a different column way down the table or in a completely separate table.
I think I've seen a lot of blank messages from Facebook messenger correlate with voice calls in Facebook messenger (edited)
Avatar
Does anyone know if Google Messages (Bugle.db) has a timestamp for when a message is created using the delayed send feature?
Avatar
Avatar
wchtdev
If anyone from Cellebrite can help out here: I'm using SQLite Wizard and have a timestamp format that looks like 202401130000, so year/month/day/hour/minute/second. I'm using the custom format option, but can't figure out the right format for putting it in. I've tried YYYYMMDDHHMMSS, yyyyMMddHHmmss, YYYYMMddHHmmss... could anyone save me some time?
You can add the following to the sql query you are building using SQL Wizard to get your desired output. SELECT CONVERT(VARCHAR(20), CONVERT(DATETIME, '20240327130502', 112), 120) The tool itself won’t be able to get you where you want to go. “112” is your current time format. “120” is the style code for yyyy-MM-dd hh:mm:ss.
Avatar
Morning! Has anyone discovered if the type of unlock (Face ID, Touch ID or passcode) was tracked in knowledgeC or Biome?
Avatar
Mistercatapulte 3/28/2024 3:55 AM
@No_Dox Mornin', nope, you have to analyze unified logs (edited)
Avatar
Avatar
Mistercatapulte
@No_Dox Mornin', nope, you have to analyze unified logs (edited)
Is there something you'd recommend looking out for?
Avatar
Avatar
No_Dox
Is there something you'd recommend looking out for?
Mistercatapulte 3/28/2024 4:13 AM
You need a Mac to start with. Then you need the uuid folders and a second one whose name I immediately forgot.... These folders can be retrieved from an ffs, I've never tested any other method, sorry.
4:18 AM
@No_Dox /private/var/db/diagnostics and uuidtext
Avatar
Avatar
Mistercatapulte
You need a Mac to start with. Then you need the uuid folders and a second one whose name I immediately forgot.... These folders can be retrieved from an ffs, I've never tested any other method, sorry.
Gotcha, thanks for the input!
👍🏻 1
Avatar
Mistercatapulte 3/28/2024 4:22 AM
@No_Dox after that you have to find the correct date and search terms
4:22 AM
for sure you will find more info there
4:23 AM
i have a case i'll start very soon, where i have to analyze unified logs
4:23 AM
you can ping me in private if needed
👍 1
Avatar
Avatar
char|i3
You can add the following to the sql query you are building using SQL Wizard to get your desired output. SELECT CONVERT(VARCHAR(20), CONVERT(DATETIME, '20240327130502', 112), 120) The tool itself won’t be able to get you where you want to go. “112” is your current time format. “120” is the style code for yyyy-MM-dd hh:mm:ss.
Thanks,
Avatar
Avatar
char|i3
You can add the following to the sql query you are building using SQL Wizard to get your desired output. SELECT CONVERT(VARCHAR(20), CONVERT(DATETIME, '20240327130502', 112), 120) The tool itself won’t be able to get you where you want to go. “112” is your current time format. “120” is the style code for yyyy-MM-dd hh:mm:ss.
In the past I've exported the database, reformatted the timestamp, and then imported the new database back in. Wanted to avoid that. Would recommend something for @Cellebrite with that: make the custom timestamp format in Wizard a bit more versatile (edited)
Avatar
SQL has a lot of great formatting and even basic logic baked in. Like any tool the Wizard is other people making choices about what they expect we will need. The good news is you can edit the text query in the wizard with any SQL query and it will work. I start with the Wizard typically and then tweak the query (often using ChatGPT). Filtering, Concatenation/column merging, and this kind of string formatting can only be done that way. If nothing else it’s an opportunity to learn some query syntax.
Avatar
Can anybody point me to a database that tracks the currently open apps in the background of an android Samsung tablet. (edited)
Avatar
Avatar
No_Dox
Morning! Has anyone discovered if the type of unlock (Face ID, Touch ID or passcode) was tracked in knowledgeC or Biome?
If I recall rightly, associated in the logs for homescreen management (SpringBoard), search the unified logs for the term 'SBFAuthenticationRequest'; this should be set to type 1, meaning it was accessed with a passcode, whilst type 2 means biometric access
Avatar
I have an iPhone extraction, is there somewhere that says the first day this phone was being used? I need to know when the suspect acquired this phone for the timeline. Thanks.
Avatar
Avatar
PhrostByte
I have an iPhone extraction, is there somewhere that says the first day this phone was being used? I need to know when the suspect acquired this phone for the timeline. Thanks.
Avatar
@segumarc That's great! Thanks
👍 1
Avatar
chrisforensic 3/28/2024 10:57 PM
FYI @Cellebrite FB-Messenger 441.0.0.23.113 (PA 7.67.0.15) is inadequately decoded (source is a FFS) and only listed in the "instant messages" section... unusual to view... it should be listed in the "chats" section, right? (edited)
📬 1
10:59 PM
another tool has no problems decoding and viewing all the messages @Oxygen Forensics ... imported FFS into this tool, no problem 🙂 (edited)
Salute 1
11:02 PM
both tools decode the msys_database_xxxxxx as source
Avatar
Avatar
chrisforensic
FYI @Cellebrite FB-Messenger 441.0.0.23.113 (PA 7.67.0.15) is inadequately decoded (source is a FFS) and only listed in the "instant messages" section... unusual to view... it should be listed in the "chats" section, right? (edited)
Doesn't PA differentiate native and IMs down to the associated ID or it being missing? My understanding is that Cellebrite differentiates the categories as the data is still in the WAL and not committed to the .db? Has Oxygen merged the WAL with the db to combine all of the messages from the respective app?
📬 1
1:48 PM
I still had issues, returning to it soon.
👍 1
Avatar
Greg Kutzbach 3/29/2024 3:03 PM
The Android website has added a new landing page for Google Messages that says RCS is coming to the iPhone in fall of 2024...
Avatar
Avatar
No_Dox
Morning! Has anyone discovered if the type of unlock (Face ID, Touch ID or passcode) was tracked in knowledgeC or Biome?
Lionel Notari 3/30/2024 3:17 AM
Hello No_Dox, I am documenting some interesting iOS Unified Logs on my blog if that can help: https://www.ios-unifiedlogs.com/blog Using a Mac to export a logarchive from an iPhone (I made a tool for this) is the easiest, but you can also have a look here: https://eclecticlight.co/2020/02/07/making-your-own-logarchive-from-a-backup/ And finally, as said by Mistercatapulte, you need a Mac
Explore my Blog Articles on iOS Unified Logs Investigation. Gain valuable insights into digital forensics and uncover the secrets hidden in unified logs.
Logs are normally backed up by Time Machine, but Apple provides no tool which can access those backed up logs. Here’s how to do it.
👍 2
Avatar
Avatar
WhyMe?
Doesn't PA differentiate native and IMs down to the associated ID or it being missing? My understanding is that Cellebrite differentiates the categories as the data is still in the WAL and not committed to the .db? Has Oxygen merged the WAL with the db to combine all of the messages from the respective app?
Not related to committed db or not - PA decodes sqlites in whatever state, including the WAL. Please see my message here, hope it helps explain the general reason for messages to appear under Instant Messages https://discord.com/channels/427876741990711298/427877097768222740/1223639760174846084
Avatar
I'm using Axiom Examine for the first time today, looking through a logical provided to the attorney on extremely short notice. My question is about time zones. In the evidence source details, the timezone is America/Chicago. However, in the timeline, the bottom right corner shows "time zone UTC". The relevant timeline also crosses the DST time change in October/November in an area that was UTC-5 or UTC-6 respectively, so I just want to make sure I'm understanding what's going on here. Do I need to manually change the time zone in the bottom right depending on whether I'm in the October or November dates to get the timeline to display the local time (of the person using the device)? Thanks in advance for any help. (edited)
Avatar
Avatar
Laertes
I'm using Axiom Examine for the first time today, looking through a logical provided to the attorney on extremely short notice. My question is about time zones. In the evidence source details, the timezone is America/Chicago. However, in the timeline, the bottom right corner shows "time zone UTC". The relevant timeline also crosses the DST time change in October/November in an area that was UTC-5 or UTC-6 respectively, so I just want to make sure I'm understanding what's going on here. Do I need to manually change the time zone in the bottom right depending on whether I'm in the October or November dates to get the timeline to display the local time (of the person using the device)? Thanks in advance for any help. (edited)
Time zones are a pain. For me, I change my settings so the time zone defaults to UTC because that is the default setting in most programs (Axiom included). I know it’s a pain for courts but at least you can say that all your time zones are UTC.
Avatar
Hello, I made a UFED4PC extraction of Signal from an Android phone, and now have a signal.backup (230 000 KB) file with a backupkey.txt file. When loading it into UFED PA, I got nothing in the "analyzed data" tab, and when parsing the file system, the signal.backup file still weighs 230 000 KB, but org.thoughtcrime.securesms is classified as 0 bytes (hence why I don't have any data). Any idea what I'm doing wrong? Thanks in advance for your help.
Avatar
Avatar
A47199
Hello, I made a UFED4PC extraction of Signal from an Android phone, and now have a signal.backup (230 000 KB) file with a backupkey.txt file. When loading it into UFED PA, I got nothing in the "analyzed data" tab, and when parsing the file system, the signal.backup file still weighs 230 000 KB, but org.thoughtcrime.securesms is classified as 0 bytes (hence why I don't have any data). Any idea what I'm doing wrong? Thanks in advance for your help.
Dm
Avatar
Avatar
Lionel Notari
Hello No_Dox, I am documenting some interesting iOS Unified Logs on my blog if that can help: https://www.ios-unifiedlogs.com/blog Using a Mac to export a logarchive from an iPhone (I made a tool for this) is the easiest, but you can also have a look here: https://eclecticlight.co/2020/02/07/making-your-own-logarchive-from-a-backup/ And finally, as said by Mistercatapulte, you need a Mac
This does help, thanks for that. Unfortunate that one can't just pull and analyze these directly in Axiom or Cellebrite and you need a Mac!
Avatar
Arlakossan 4/2/2024 6:40 AM
Cache_encryptedC.db: does it store the time value the same as the phone's settings or in UTC+0? Anyone know for certain? I get it as UTC+0
Avatar
Hi all, I’ve just acquired an FFS from a Galaxy A04 and it’s running an application called Blue Kik. Cellebrite PA hasn’t decoded it but has pulled out the databases. Can anyone help me link the tables so the chat body, the persons it’s to/from and the timestamp form a chat that can be read?
Avatar
Avatar
A47199
Hello, I made a UFED4PC extraction of Signal from an Android phone, and now have a signal.backup (230 000 KB) file with a backupkey.txt file. When loading it into UFED PA, I got nothing in the "analyzed data" tab, and when parsing the file system, the signal.backup file still weighs 230 000 KB, but org.thoughtcrime.securesms is classified as 0 bytes (hence why I don't have any data). Any idea what I'm doing wrong? Thanks in advance for your help.
Tool to work with Signal Backup files. Contribute to bepaald/signalbackup-tools development by creating an account on GitHub.
👍🏻 1
Avatar
Anyone able to identify this blob format from a SQLite? It's from Twitter for Android
👀 4
Avatar
Avatar
stark4n6
Anyone able to identify this blob format from a SQLite? It's from Twitter for Android
Christoffer.M 4/3/2024 2:06 AM
Looks like it could be messagepack but I haven’t verified it.
Avatar
@Bobby @Oscar Works like a charm, thanks for your help
🙏 2
Avatar
Hello, is anyone familiar with how archived messages appear in mmssms.db on Android devices? Are they placed in a special table of the db, or do they have an extra flag that is set?
Avatar
nachito 4n6s 4/3/2024 6:42 AM
Anyone from @Cellebrite available for a PA decoding question ?
📫 1
Avatar
Avatar
nachito 4n6s
Anyone from @Cellebrite available for a PA decoding question ?
heatherDFIR 4/3/2024 6:46 AM
What do you need? Happy to help if I can.
Avatar
Avatar
obi95
Hi all, I’ve just acquired an FFS from a Galaxy A04 and it’s running an application called Blue Kik. Cellebrite PA hasn’t decoded it but has pulled out the databases. Can anyone help me link the tables so the chat body, the persons it’s to/from and the timestamp form a chat that can be read?
any chance you can share the data?
Avatar
Avatar
secluding
Hello, is anyone familiar with how archived messages appear in mmssms.db on Android devices? Are they placed in a special table of the db, or do they have an extra flag that is set?
Look at the table "threads", it seems like the "Archived" flag will be set to 1 if the conversation was put in the archive (edited)
Salute 1
Avatar
Avatar
Christoffer.M
Looks like it could be messagepack but I haven’t verified it.
I tried reading it as such and it failed, so either I did it wrong or it's not messagepack
Avatar
Anyone having issues with images processing from Artifacts into @Magnet Forensics Axiom Examine timeline (from a google takeout)?
Avatar
Avatar
Jeeper
Anyone having issues with images processing from Artifacts into @Magnet Forensics Axiom Examine timeline (from a google takeout)?
Axiom version? What is the problem with your images?
Avatar
Avatar
Bobby
Axiom version? What is the problem with your images?
Images with all expected Metadata Inc Creation dates aren't showing up in timeline when processed relative to their creation (or any) date.
Avatar
But metadata is available when viewing the files in the details panel? What about Axiom version? Did you activate the option to have images copied into the case and not accessed from source?
1:00 AM
Source format is a zip right?
1:00 AM
@Jeeper
Avatar
Anyone from @Oxygen Forensics free for a quick question?
oxygen 1
📬 1
Avatar
Deleted User 4/4/2024 4:12 AM
I have an iPhone 12 using 15.5 that has a Darkbox App installed, does anyone have any info on how to identify the passcode for it?
ControlF 1
Deleted User
I have an iPhone 12 using 15.5 that has a Darkbox App installed, does anyone have any info on how to identify the passcode for it?
cf-eglendye 4/4/2024 5:23 AM
Not one that I have come across before personally, but might be able to assist. Check DM Salute
@Cellebrite Can anyone help explain what the "Times Contacted" refers to in the contacts2.db? The DB is from a Huawei device and in PA's parsed contact table for native contacts, it has a "Times Contacted" listed under the Timestamp. Does this refer to how many calls were made to that contact? how many messages were sent? etc. Thanks! (edited)
Original message was deleted or could not be loaded.
not sure what you exactly mean but maybe this can help?
Anyone from @Cellebrite free for a quick question?
📬 2
Anyone from @Cellebrite free for a quick question?
📬 1
GrannySmi1th 4/4/2024 2:43 PM
Hello @Oxygen Forensics I have obtained a Physical extraction via test point on a Motorola e13 device, however when running through Detective I am not prompted to run a brute force utilising the hardware keys? It loads as ‘successful’ however shows no user data as I presume still encrypted. Any suggestions would be much appreciated!
Alexsaurus 4/4/2024 7:37 PM
@Cellebrite I am attempting to use Advanced search in 10.1 and when I select all results it also selects all instant messages both under the Instant messages tab and the individual messages under the chats tab. This is the case even when there are no instant messages in the search results.
chrisforensic 4/4/2024 11:09 PM
Hi mates, if somebody needs them... here are the latest NIST RDS hashsets for android and ios, MD5 only, as .txt for use in Cellebrite PA, Oxygen Forensic Detective or other tools you have 😉 I converted them from sql to txt. Tested in PA and Oxygen Forensic Detective. https://pixeldrain.com/u/2B7wMayb https://pixeldrain.com/u/LG46Agqy (edited)
🔥 1
11:09 PM
🙏 2
Gizmononootje 4/4/2024 11:55 PM
Anyone from @Cellebrite available for a quick DM regarding Inseyets?
📬 1
GrannySmi1th
Hello @Oxygen Forensics I have obtained a Physical extraction via test point on a Motorola e13 device, however when running through Detective I am not prompted to run a brute force utilising the hardware keys? It loads as ‘successful’ however shows no user data as I presume still encrypted. Any suggestions would be much appreciated!
Oxygen Forensics 4/5/2024 12:14 AM
Hello, I will DM you 🙂
@Cellebrite someone around for a decoding / creating report bug? It says the license is not active, but it is. Now I can't make a 'full' report etc. I'm on 7.67.0.15 (edited)
florus
@Cellebrite someone around for a decoding / creating report bug? It says the license is not active, but it is. Now I can't make a 'full' report etc. I'm on 7.67.0.15 (edited)
CLB_4n6s_mc 4/5/2024 6:19 AM
Please contact support for that as we cannot fix it on Discord (edited)
🤞 1
CLB_4n6s_mc
Please contact support for that as we cannot fix it on Discord (edited)
Support isn't that fast unfortunately. And it's almost the weekend. This means I'm stuck till next week.
florus
Support isn't that fast unfortunately. And it's almost the weekend. This means I'm stuck till next week.
CLB_4n6s_mc 4/5/2024 6:21 AM
Please contact them, they are following the Discord flow. US is still working late on Friday
👍 1
Anyone from @Cellebrite free for a question?
What is the best way to show when a user started using an iPhone? I am using @Cellebrite PA and @Magnet Forensics Axiom to work a FFS of an iPhone 12. The phone was originally used by the suspect's sister, but when she got picked up on a case, he started using the phone. Sync data is making it hard to note start dates when looking at messages. According to Accounts3.sqlite, the Apple account for the suspect started on this device on September 12, 2023. This seems reasonable, but was hoping to find something concrete. The SIM card associated with the suspect was last updated in November 2023, which seems late based upon other pieces of evidence on this phone. Any suggestions?
forensicgeek 4/6/2024 6:26 AM
Good afternoon. I am looking for some Siri information. I was wondering if there is anywhere or any databases that contain a log of any instructions that it has been given?
forensicgeek
Good afternoon. I am looking for some Siri information. I was wondering if there is anywhere or any databases that contain a log of any instructions that it has been given?
forensicgeek 4/6/2024 2:46 PM
Good evening. Thank you for this. I will pass this on to the analyst looking into it and see if it what they are looking for. Thank you for the reply
Good morning; I have an iPhone 14 Max and I need information about lte-cell and gsm-cell and where the iPhone was in a time range; Oxygen gives me a database "cache.encrypteDB.db" where some location logs are, but for LTE there are 57 entries with an old date 01.01.2001 and for GSM there are 121 entries with one date 28.03.2024? Where can I find more details about GSM and the GPS coordinates? Thanks
📫 1
Hello @Cellebrite , anyone available for a quick dm about UFED Reader? Thanks 🙏
I have empty Snapchat messages decoded with PA. In my case, it's probably related to screenshot notifications. Is there any way to confirm this?
manuelevlr 4/8/2024 2:43 AM
@Cellebrite Is there any news regarding the new version of UFED 4PC? Furthermore, will there be a new version of Physical Analyzer that solves the problem of decoding iTunes backups on iOS 17.4?
📬 1
Anyone here who knows the exact purpose of /Documents/com.snapchat.filemanager_3_SCContent... ?
Vägis
Anyone here who knows the exact purpose of /Documents/com.snapchat.filemanager_3_SCContent... ?
Vägis
Anyone here who knows the exact purpose of /Documents/com.snapchat.filemanager_3_SCContent... ?
If that is for a newer snapchat version, I watched a great video from cellebrite. I made notes but unfortunately, I don't have access to those notes at the moment. https://cellebrite.com/en/deep-dive-into-snapchat/ @GregL (edited)
👍 1
Perfect, thx guys!
@rfar I'm actually looking for the meaning of content_type = 9 in the conversation_message table. It's not documented in this webinar. I really think it has something to do with a screenshot, I'll test it
GregL
@rfar I'm actually looking for the meaning of content_type = 9 in the conversation_message table. It's not documented in this webinar. I really think it has something to do with a screenshot, I'll test it
Ah, perhaps this is how Snapchat knows/documents a screenshot was taken and alerts the other person in the conversation?
yes, I think it's related to the notification "XXX took a screenshot of the chat".
GregL
@rfar I'm actually looking for the meaning of content_type = 9 in the conversation_message table. It's not documented in this webinar. I really think it has something to do with a screenshot, I'll test it
CLB - Ofri 4/8/2024 5:57 AM
Hey, type 9 is the system message "Saved a photo from..", that is sent when a user saves a sent image to their camera roll
👍 1
I've just checked this with a test, thanks (type 10 corresponds to notification of a screenshot if anyone's wondering)
@CLB - Ofri Do you know if it's the same content type if a video is saved?
GregL
@CLB - Ofri Do you know if it's the same content type if a video is saved?
CLB - Ofri 4/8/2024 6:44 AM
Yep, 9 is for both, the difference is in the message_content protobuf
this 1
Ok ty
In a Snapchat conversation view between two participants, I have a "System Message" where one of the participants deleted a chat. Within that chat are three pictures/videos, which may be CSAM related material. What I don't have is those images/videos being sent or received in the messages I can see prior to this date. I'm trying to understand this. The chats I can see are between 3/13 - 3/19 of this year. There is a later "System Message" which also contains possible CSAM material, and it shows as an attachment from one of them and the images are very similar in appearance. I'm just trying to understand how the first set got to the chat in the first place. Is it most likely that they were sent in messages that have since gone away in Snapchat and just not available?
forensicssteph 4/8/2024 8:50 AM
Good morning all. Does anyone know where the location for a setting preference file is for Android devices to see if Location Services were turned on/off by default?
I'm going through an iPhone full system extraction on PA... I've discovered some pretty good location data with lat/long and timestamps within the ZRTCLLOCATIONNMO database. I'm just trying to do a little more research and learn where exactly this data is coming from
I apologize in advance if this is the wrong section to post this. I was wondering if anybody has any recommendations on tools that can be used to establish a baseline to identify anomalies on a mobile device extraction. I'm not too familiar with Cellebrite PA so forgive me if I missed it. If I recall correctly, there was a tool in Windows to identify changes to a system file or registry for indicators of compromise. Is there something similar for mobile devices? (edited)
Yawndy
I apologize in advance if this is the wrong section to post this. I was wondering if anybody has any recommendations on tools that can be used to establish a baseline to identify anomalies on a mobile device extraction. I'm not too familiar with Cellebrite PA so forgive me if I missed it. If I recall correctly, there was a tool in Windows to identify changes to a system file or registry for indicators of compromise. Is there something similar for mobile devices? (edited)
Mobile Verification Toolkit Documentation
I'll read into this, thank you so much!
Alexsaurus 4/8/2024 7:30 PM
I was wondering if anyone had experience with restoring an iPhone from the extraction by Passware Kit. I managed to get the extraction with brute-forcing; however, the phone is locked up and needs to be factory reset. I was hoping I could use the Passware Kit extraction as a backup to restore to the phone.
Does anyone know what the '.links' folder in WhatsApp/Media is for? Thanks
Anyone else having issues with CLB reader files generated from PA Inseyets 10.1.101.64? - Generated with no issue and then once opened on any machine, no artifacts shown, blank case.
📫 1
Vägis
Anyone here who knows the exact purpose of /Documents/com.snapchat.filemanager_3_SCContent... ?
Hey again everyone. I've now gotten much further thanks to @Bobby & @rfar. I'm now trying to understand if the person has shared the video on MyStory or sent it to someone directly. I took a look at primary.docobjects.db and under stories_mystoryplaybacksequence_5 I saw storyID. Is there a connection between com.snap.filemanager_3_SCContent a0ac550b_... and storyID since it has the same name (a0ac550b_...)? (edited)
6:51 AM
I've heard it might be a keychain. Is that true? And if so, anyone know why stories_mystoryplaybacksequence_5 uses a keychain as storyID?
@Cellebrite I went through my settings in Physical Analyser and saw (under Report Defaults) that two points are excluded (not marked): “Include merged items” (analyzed data) and (data files). There is no info in settings. What does it affect specifically?
Gulyás
@Cellebrite I went through my settings in Physical Analyser and saw (under Report Defaults) that two points are excluded (not marked): “Include merged items” (analyzed data) and (data files). There is no info in settings. What does it affect specifically?
Duplicates
Gulyás
@Cellebrite I went through my settings in Physical Analyser and saw (under Report Defaults) that two points are excluded (not marked): “Include merged items” (analyzed data) and (data files). There is no info in settings. What does it affect specifically?
CLB-DannyTheModeler 4/9/2024 11:32 PM
As @Bobby rightfully stated, this is a checkbox to include duplicate Artifacts (Analyzed Data) and/or Duplicate Files (Data Files) to the main items that are selected for the report.
When I extract a device I do both file system and advanced logical and sometimes a downgrade. If, for instance, a picture is present, it will be presented twice, in both extractions. Is it that kind of duplicate?
Gulyás
When I extract a device I do both file system and advanced logical and sometimes a downgrade. If, for instance, a picture is present, it will be presented twice, in both extractions. Is it that kind of duplicate?
It can also be that a picture (with the same hash) is found in DCIM and some app. In that case UFED will just include one of them afaik. I pretty much always include merged items to keep as much information as possible.
💯 1
I have done that until now as well, but have got the thought that, for instance, in a case about child abuse the case investigator will wrongly count the amount of pictures/videos for possession… if you can follow me?
Gulyás
When I extract a device I do both file system and advanced logical and sometimes a downgrade. If, for instance, a picture is present, it will be presented twice, in both extractions. Is it that kind of duplicate?
CLB-DannyTheModeler 4/9/2024 11:53 PM
This is one example that will typically produce duplicates, but there are many more: a file appearing in multiple locations on the device (similar to what Oscar was saying), events that come from multiple sources, for example instant messages that come from native DBs like interactionC and 3rd party apps, contacts that appear in several places on the device or in multiple apps.
Gulyás
I have done that until now as well, but have got the thought that, for instance, in a case about child abuse the case investigator will wrongly count the amount of pictures/videos for possession… if you can follow me?
CLB-DannyTheModeler 4/9/2024 11:54 PM
In CSAM/CE cases it is very important to include duplicates if they are from the same extraction, as that may influence sentencing. (edited)
I understand, but despite that, on a simple level, not talking about apps and such, the same picture will be represented in the export of report if PA is made of both adv.logical and file system extraction. In the report it is pinned out under source to each picture.
Gulyás
I understand, but despite that, on a simple level, not talking about apps and such, the same picture will be represented in the export of report if PA is made of both adv.logical and file system extraction. In the report it is pinned out under source to each picture.
What about the option you use to manage duplicates when decoding the extraction? In the pictures table view you can use the option "show group of similar items", then you will see only 1 image, the others will be viewable under the " + "
12:18 AM
If you use Cellebrite Reader to open UFDR reports, you also have to take care of that option BEFORE opening the ufdr file
Vägis
Hey again everyone. I've now gotten much further thanks to @Bobby & @rfar. I'm now trying to understand if the person has shared the video on MyStory or sent it to someone directly. I took a look at primary.docobjects.db and under stories_mystoryplaybacksequence_5 I saw storyID. Is there a connection between com.snap.filemanager_3_SCContent a0ac550b_... and storyID since it has the same name (a0ac550b_...)? (edited)
In this case a0ac550b is just the user's Snapchat id (internal id), the name of the SCContent folder ends with that id. In the stories table, the story that has the same Id is just the "main" user's story. If you are using PA you should check under Social Media -> Snapchat to see if any of the stories have the matching media under Attachments. (edited)
Peepo_ThumbsUp 1
Bobby
What about the option you use to manage duplicates when decoding the extraction? In the pictures table view you can use the option "show group of similar items", then you will see only 1 image, the others will be viewable under the " + "
My duplicate rule is set to “show main items only”. Would it be more correct to mark “show group of similar items”?
Gulyás
My duplicate rule is set to “show main items only”. Would it be more correct to mark “show group of similar items”?
Show main item meaning, "no duplicates", then yes you need "show group of similar items" in PA
CLB - Ofri
In this case a0ac550b is just the user's Snapchat id (internal id), the name of the SCContent folder ends with that id. In the stories table, the story that has the same Id is just the "main" user's story. If you are using PA you should check under Social Media -> Snapchat to see if any of the stories have the matching media under Attachments. (edited)
Thanks for the explanation! I took a look at the Snapchat tab under Social Media in PA, but the problem is that there's only 2 days of Stories here (5th - 6th of Dec 2023) and what I'm looking for happened in July. What I have is the SCContent_aoa.../3aec..._PREFETCH/3aec..._PREFETCH.full, a video with the evidence. I'm basically trying to find any information about this video: if it was the suspect filming it, if he shared it to Stories and/or sent it directly to someone, and so on. But I'm pretty much stuck at this point. I guess because of it being prefetch it's pretty much impossible to gather any connections to this file? FeelsBadMan (edited)
📬 2
@MSAB Hi I'm trying to export a decrypted physical from a samsung A013G into a 2nd tool for comparative analysis. Whether I export from the Hex viewer or from the report window - The various media files are all given today's creation date. Is there any way to circumvent this?
sky
@MSAB Hi I'm trying to export a decrypted physical from a samsung A013G into a 2nd tool for comparative analysis. Whether I export from the Hex viewer or from the report window - The various media files are all given today's creation date. Is there any way to circumvent this?
Hello! I am assuming you are doing a file system export? Windows will give a mandatory timestamp to artifacts with no timestamp and there's no direct way to circumvent it but there is a new option we recently added that needs a special license- I will need to get more info about it and then DM you.
No_Dox
Morning! Has anyone discovered if the type of unlock (FaceiD, touchID or passcode) was tracked in knowledgeC or Biome?
Does anyone know where/if stuff like this can be found on an Android device?
Oscar
Does anyone know where/if stuff like this can be found on an Android device?
Not fingerprint but lock/unlock, screen status, .. thanks to Josh and his work on Wellbeing "App" https://thebinaryhick.blog/2020/02/22/walking-the-android-timeline-using-androids-digital-wellbeing-to-timeline-android-activity/
👍 1
Gulyás
My duplicate rule is set to “show main items only”. Would it be more correct to mark “show group of similar items”?
I prefer to see all the items individually so I can determine where the media came from myself (specifically for a CSAM case). Because what PA says is the main item, may not be the best source of the media, and you might not catch that. for example, a picture in the DCIM folder might be grouped under the 'main' item which may be the same picture but in an inaccessible file path. And in the case of exact files by hash value showing up in multiple locations, you would only see one.....
Digital Dude 4/11/2024 4:30 AM
Anyone ever see a field in a cellebrite report called Manually Entered IMEI number and know what it is?
No_Dox
Morning! Has anyone discovered if the type of unlock (FaceiD, touchID or passcode) was tracked in knowledgeC or Biome?
cScottVance 4/11/2024 5:01 AM
With AXIOM 8, you can now process the unified logs directly in the GK image. I have all the identifiers for how to locate if it was a biometric or standard unlock from there if you need them. A few things to note. 1. Unified logs are INCREDIBLY noisy. Because of this the artifact is turned off by default. I would suggest processing the image in a fresh case with just unified logs turned on. 2. This will likely be only a few days prior to seizure due to the rollover nature of unified logs. Hope this helps!
Digital Dude
Anyone ever see a field in a cellebrite report called Manually Entered IMEI number and know what it is?
Is there WeChat in your report?
Hi. Looking at an FFS extraction of a Huawei P30 running Android 10, and found some thumbnails of interest. The path to the folder is /data/media/0/Huawei/CloudDrive/.thumbnail/category/ and the file names are of the form [35 HEX digits].cache (e.g. 6b895b6e10b35867cf6cbf3d2e7d85fed79.cache). 1. Some of the thumbnails have a cloud icon in the top left corner, see the attached picture. The one on the left is in better resolution, but also cropped, compared to the one on the right. Does anyone recognize the cloud icon, and if so, what it implies? 2. Does anyone know what the existence of the CloudDrive folder implies? The user was not logged into the Huawei account on the phone at the time of seizure. I am wondering if the CloudDrive folder is created/used even if there is no synchronisation with the Huawei Cloud service. 3. Has anyone examined Huawei's photoshare.db (/data/media/0/Android/data/com.android.gallery3d/files/thumbdb/photoshare.db)? The database contains thumbnails and references to file paths. In each record there is also a ModifiedTime (UNIX timestamp) which seems to reflect when the thumbnail was created on the device. In some instances, however, the ModifiedTime converts to a date in the year 2013, long before the release of the P30. Does anyone have an explanation here?
cScottVance
With AXIOM 8, you can now process the unified logs directly in the GK image. I have all the identifiers for how to locate if it was a biometric or standard unlock from there if you need them. A few things to note. 1. Unified logs are INCREDIBLY noisy. Because of this the artifact is turned off by default. I would suggest processing the image in a fresh case with just unified logs turned on. 2. This will likely be only a few days prior to seizure due to the rollover nature of unified logs. Hope this helps!
Can you send me the info as well? I just had a similar question asked to verify if FaceID/TouchID was enabled. Thanks!
CIF
Can you send me the info as well? I just had a similar question asked to verify if FaceID/TouchID was enabled. Thanks!
cScottVance 4/11/2024 6:36 AM
I’ll send it as soon as I am back to a computer but for anyone else interested it’s all available as part of this episode of Mobile Unpacked in the meantime. https://www.magnetforensics.com/resources/mobile-unpacked-ep-14-logging-la-vida-loca-2/
📬 1
👍 1
Digital Dude
Anyone ever see a field in a cellebrite report called Manually Entered IMEI number and know what it is?
When you enter the IMEI on the password list screen to potentially decrypt WeChat Chats it puts the Manually Entered IMEI field showing that it may not necessarily be what was pulled from the phone by Cellebrite.
@Cellebrite anyone for a quick question about media classification
📬 1
CIF
Can you send me the info as well? I just had a similar question asked to verify if FaceID/TouchID was enabled. Thanks!
Lionel Notari 4/11/2024 12:18 PM
Hello, here are some Unified Logs messages that you can investigate when a phone is unlocked (logs are in italics).
Passcode: Processed authentication request (success=YES): <SBFAuthenticationRequest: 0x2802e5c80; type: 1; hasPasscode: YES>
type: 1 and hasPasscode: YES confirm that the passcode was used to unlock the phone.
Biometric: For touchID and FaceID, you can use this one: Processed authentication request (success=YES): <SBFAuthenticationRequest: 0x2802097a0; type: 2; hasPasscode: NO>
Here we have a type: 2 and a « hasPasscode NO ». You can also use these ones:
1) Base unlock behavior received biometric event: finger on
2) Base unlock behavior received biometric event: bio unlocked
3) Base unlock behavior received biometric event: finger off
If it failed, log 2) will be: Base unlock behavior received biometric event: identity match failed
FaceID: The log above ("Processed authentication ...") itself does not allow us to determine if the finger or the face was used to unlock the phone, but if it was the face, you will also have this one: PearlCamFrameReceived - isFaceDetected = 1 isBracketedCapturteFrame=0
If you swipe up to unlock your phone with FaceID but don’t show your face, you will have the message isFaceDetected = 0.
Unlock confirmation: To confirm the phone was really unlocked (the unlock process worked correctly), you should check this one: Unlock attempt succeeded: yes. If the unlock process did not work, you will have this one: Unlock attempt succeeded: no
Time: You should also investigate the apsd log, which will give you the time (in seconds) that the phone was locked before unlocking. Example: apsd: Screen did unlock (Was locked for 1.245383 seconds)
Same when the phone is locked by the user: apsd: Screen did lock (Was unlocked for 305.244956 seconds)
You can find more about iOS log investigation on my blog, where I documented some relevant ones: https://www.ios-unifiedlogs.com/blog (edited)
🔥 7
Silly question, is it possible to see if Developer Options were enabled through an Advanced Logical extraction of a Samsung S20/S21 Android device in @Cellebrite? If so, how would I go about finding this on the file system?
Yawndy
Silly question, is it possible to see if Developer Options were enabled through an Advanced Logical extraction of a Samsung S20/S21 Android device in @Cellebrite? If so, how would I go about finding this on the file system?
Wouldn't they need to be enabled to do the extraction in the first place? In the adv logical I don't think it'd be likely, would probably need a FFS (edited)
Solec
Wouldn't they need to be enabled to do the extraction in the first place? In the adv logical I don't think it'd be likely, would probably need a FFS (edited)
I totally forgot Developer options needs to be enabled for the extraction. Thank you so much!
Anyone really good with Snapchat? I’m looking at a UFED report and I don’t know what the “last activity” column means. The message was read on the 1st but the “last activity” was 15 days later.
MSAB_Ash
Hello! I am assuming you are doing a file system export? Windows will give a mandatory timestamp to artifacts with no timestamp and there's no direct way to circumvent it but there is a new option we recently added that needs a special license- I will need to get more info about it and then DM you.
Can't a zip option for the exported file simply solve the date/time issue? Is the special license another product/level (aka $$)? (edited)
this 1
ltrain1029
Anyone really good with Snapchat? I’m looking at a UFED report and I don’t know what the “last activity” column means. The message was read on the 1st but the “last activity” was 15 days later.
CLB-DannyTheModeler 4/13/2024 10:51 PM
@ltrain1029 - Just so everyone has a bit of Context, in Chats, the last activity is either the last message (may also be a system message) or the value that we found in the App DB. The reason for this is that sometimes when messages are deleted, the App DB can provide additional information that the chat was still active. The same logic applies to the Start Time field. (edited)
CLB-DannyTheModeler
@ltrain1029 - Just so everyone has a bit of Context, in Chats, the last activity is either the last message (may also be a system message) or the value that we found in the App DB. The reason for this is that sometimes when messages are deleted, the App DB can provide additional information that the chat was still active. The same logic applies to the Start Time field. (edited)
Awesome. Thanks so much for that.
EricL400
I have come across the LockMyPix application on an Android device. I believe there are hundreds of files of CSAM within the application. All have the .6zu extension. I saw there was some discussion about this application in the past. Does anyone have any information that could help me decrypt these files?
Hey, I have the same application on an android device. Did you find a way to parse that application (decrypt it)?
Dam
Hey, I have the same application on an android device. Did you find a way to parse that application (decrypt it)?
DM
Dam
Hey, I have the same application on an android device. Did you find a way to parse that application (decrypt it)?
Contact @Control-F. They used to have decryptor for those, at least few years back
They still do 🙂
2:57 AM
@bang Is your go to contact for that
Thank you everyone, @Crox already helped me. Thanks again
Salute 2
👍 1
Lionel Notari
Hello, here are some Unified Logs messages that you can investigate when a phone is unlocked (logs are in italics).
Passcode: Processed authentication request (success=YES): <SBFAuthenticationRequest: 0x2802e5c80; type: 1; hasPasscode: YES>
type: 1 and hasPasscode: YES confirm that the passcode was used to unlock the phone.
Biometric: For touchID and FaceID, you can use this one: Processed authentication request (success=YES): <SBFAuthenticationRequest: 0x2802097a0; type: 2; hasPasscode: NO>
Here we have a type: 2 and a « hasPasscode NO ». You can also use these ones:
1) Base unlock behavior received biometric event: finger on
2) Base unlock behavior received biometric event: bio unlocked
3) Base unlock behavior received biometric event: finger off
If it failed, log 2) will be: Base unlock behavior received biometric event: identity match failed
FaceID: The log above ("Processed authentication ...") itself does not allow us to determine if the finger or the face was used to unlock the phone, but if it was the face, you will also have this one: PearlCamFrameReceived - isFaceDetected = 1 isBracketedCapturteFrame=0
If you swipe up to unlock your phone with FaceID but don’t show your face, you will have the message isFaceDetected = 0.
Unlock confirmation: To confirm the phone was really unlocked (the unlock process worked correctly), you should check this one: Unlock attempt succeeded: yes. If the unlock process did not work, you will have this one: Unlock attempt succeeded: no
Time: You should also investigate the apsd log, which will give you the time (in seconds) that the phone was locked before unlocking. Example: apsd: Screen did unlock (Was locked for 1.245383 seconds)
Same when the phone is locked by the user: apsd: Screen did lock (Was unlocked for 305.244956 seconds)
You can find more about iOS log investigation on my blog, where I documented some relevant ones: https://www.ios-unifiedlogs.com/blog (edited)
Thank you so much! This is great!
chauan
Can't a zip option for the exported file simply solve the date/time issue? Is the special license another product/level (aka $$)? (edited)
Hello. The Zip option does not solve that problem, the reason is that files are written to the disk before being zipped which is what we are avoiding with the new license-locked feature.
I often see this data in the v_Data field of a decrypted key in an iOS keychain. This is the Base64 decoded (UTF-8) representation. It seems to be some kind of structure; I'd like to find out what kind of structure this is, so I can extract only the part I'm interested in (edited)
Tube
I often see this data in the v_Data field of a decrypted key in an iOS keychain. This is the Base64 decoded (UTF-8) representation. It seems to be some kind of structure; I'd like to find out what kind of structure this is, so I can extract only the part I'm interested in (edited)
https://gchq.github.io/CyberChef/ Might be a useful tool for this, at least you can dump it in and if it's all Base64 etc then you can figure the structure.
Anyone have advice on obtaining vehicle speed from an FFS extraction of an iPhone? Looking for certain dbs to explore and any data that might suggest, or make me able to calculate, the vehicle speed. DM me if you have any general advice on this please.
Anyone aware of any relatively recent writeups on the SMS/MMS databases for iOS and Android?
@Cellebrite anyone able to PM me for a PA question?
📬 1
nachito 4n6s 4/15/2024 12:17 PM
@Cellebrite anyone available for a quick Inseyets PA question too?
📬 1
theshark
Anyone have advice on obtaining vehicle speed from an FFS extraction of an iPhone? Looking for certain dbs to explore and any data that might suggest, or make me able to calculate, the vehicle speed. DM me if you have any general advice on this please.
ScottKjr3347 4/15/2024 3:36 PM
❤️ 1
I appreciate it. I’m hoping to find a generic breakdown of the databases so I have something to reference for a paper.
👍 1
Hey does anyone know what artifact to look for to gain some insight on altitude and elevation on iPhones? Particularly iOS 16.5
1:28 AM
I've looked at the health_secure.sqlite dB but didn't really find much there
1:28 AM
I was thinking the fitness tracking should have had something
fixclown
I've looked at the health_secure.sqlite dB but didn't really find much there
Gizmononootje 4/16/2024 2:15 AM
what kind of extraction is made?
Gizmononootje 4/16/2024 2:31 AM
Might want to check if 3rd party apps are available and see if locations are stored within
Gizmononootje
what kind of extraction is made?
Got a full system - had a look at 3rd party apps nothing relevant
fixclown
Got a full system - had a look at 3rd party apps nothing relevant
Gizmononootje 4/16/2024 2:52 AM
Made a unified log?
Gizmononootje
Made a unified log?
Yes but does that have anything relating to altitude or elevation
Gizmononootje 4/16/2024 2:53 AM
if you filter the log on the specific date / time you might find something interesting
2:53 AM
worth a try
fixclown
Got a full system - had a look at 3rd party apps nothing relevant
Pretty sure routined/cache.sqlite has a horizontal fix + horizontal accuracy fields in the database itself
Solec
Pretty sure routined/cache.sqlite has a horizontal fix + horizontal accuracy fields in the database itself
But that won't have any fields for altitude though right?
Gizmononootje
if you filter the log on the specific date / time you might find something interesting
Sure will give that a try thank you
Sorry I meant vertical not horizontal
Ahh fair enough
3:41 AM
Will have a look thank you
3:42 AM
I was thinking if anything tracked physical activity like trekking or something similar
👍 1
Lionel Notari 4/16/2024 4:04 AM
longitude, latitude, altitude are, unfortunately, "always" private in the iOS Unified Logs (we are never safe from an application that doesn't hide this data).
Anyone from CLB available for a quick device question?
📬 2
5:08 AM
Re: Trevor
Mistercatapulte 4/16/2024 5:30 AM
@Cellebrite
Does anyone know where I can find the certificates on a full file system for an iOS phone? Our team isn’t experienced with mobile forensics, but we want to review the certificates on the iOS phone for any untrusted applications in the system.
Yawndy
Does anyone know where I can find the certificates on a full file system for an iOS phone? Our team isn’t experienced with mobile forensics, but we want to review the certificates on the iOS phone for any untrusted applications in the system.
forensicmike @Magnet 4/16/2024 10:05 AM
There's a whole section dedicated to certificates in the keychain (aptly named cert). Tbh I've never gone looking for third-party stuff in there, but there are public developer docs & APIs to do so. Please note that almost all useful data in keychain-2.db is encrypted, so you won't be able to review much unless you have a keychain extraction of some kind. There is also nothing stopping app developers from bundling a cert in the app itself, depending on what the certificate is for. https://developer.apple.com/documentation/security/certificate_key_and_trust_services/certificates/storing_a_certificate_in_the_keychain?language=objc (edited)
👍 1
forensicmike @Magnet
There's a whole section dedicated to certificates in the keychain (aptly named cert). Tbh I've never gone looking for third-party stuff in there, but there are public developer docs & APIs to do so. Please note that almost all useful data in keychain-2.db is encrypted, so you won't be able to review much unless you have a keychain extraction of some kind. There is also nothing stopping app developers from bundling a cert in the app itself, depending on what the certificate is for. https://developer.apple.com/documentation/security/certificate_key_and_trust_services/certificates/storing_a_certificate_in_the_keychain?language=objc (edited)
Thank you very much, I’ll look into this.
👍 1
Lionel Notari
longitude, latitude, altitude are, unfortunately, "always" private in the iOS Unified Logs (we are never safe from an application that doesn't hide this data).
Ohh alright thank you for that.
tjgubernick
Anyone have any experience with “Yandex Disk” application on an iOS device? Some images/videos viewable on device but other require internet connection. Possible to extract the data?
Hi @tjgubernick did you get to the bottom of this one? I am working on a job with Yandex.Disk currently.
Anyone have an easy way to create a hash set from a set of files for using in @Cellebrite?
Alexsaurus
Anyone have an easy way to create a hash set from a set of files for using in @Cellebrite?
If you have access to X-Ways, the RVS option can MD5 hash the files. Copy the entire hash column into a text file. Then import into Cellebrite using the hashset manager. Or I might have a Python script I did up a couple of years ago. I'll try to find it (edited)
Alexsaurus
Anyone have an easy way to create a hash set from a set of files for using in @Cellebrite?
chrisforensic 4/17/2024 8:20 AM
Here is a nice small portable tool to create hashes from a bunch of files. You can import a folder with files - MD5 (and other hashes) will be created - mark all and copy them into a newly created .txt file. This .txt you can add with the hashset manager in PA to your existing hashsets. https://www.nirsoft.net/utils/hash_my_files.html (edited)
☝️ 1
forensicgeek 4/17/2024 2:33 PM
Good evening all. I have a physical extraction of a Google Pixel 5. Intelligence has identified that map searches have taken place on the device using the Google Maps application. The device has been decoded using XRY, however no searches have been recovered. Does anyone know what database the map searches are potentially located in, or anywhere else they could be? Thanks in advance.
any Snapchat (iOS) experts in here for a question related to cache_controller.db and media_context_type? 🙂
📬 1
forensicgeek
Good evening all. I have a physical extraction of a Google Pixel 5. Intelligence has identified that map searches have taken place on the device using the Google Maps application. The device has been decoded using XRY, however no searches have been recovered. Does anyone know what database the map searches are potentially located in, or anywhere else they could be? Thanks in advance.
What about results with any other decoding tool like PA, Oxygen or Axiom?
Bobby
What about results with any other decoding tool like PA, Oxygen or Axiom?
forensicgeek 4/18/2024 2:37 AM
Hi. Thanks for your reply. We have tried PA and Axiom and still no results.
forensicgeek
Good evening all. I have a physical extraction of a Google Pixel 5. Intelligence has identified that map searches have taken place on the device using the Google Maps application. The device has been decoded using XRY, however no searches have been recovered. Does anyone know what database the map searches are potentially located in, or anywhere else they could be? Thanks in advance.
cf-eglendye 4/18/2024 3:58 AM
Hello - I remember reading a blog post about this a while back, unsure if the application has changed since but here is the original article: https://thebinaryhick.blog/2023/10/17/finding-phones-with-google-maps-part-1-android/ from what you describe, you may be looking for the file "new_recent_history_cache_search.cs" which is stored as protobuf, the author indicates that commercial forensic tools did not recognise the file as protobuf. I hope this helps? (edited)
cf-eglendye 4/18/2024 4:19 AM
Furthermore, I recommend you parse the full file system with ALEAPP as you can see here it supports exactly what you are after I believe @forensicgeek : https://github.com/abrignoni/ALEAPP/blob/main/scripts/artifacts/googleMapsSearches.py (edited)
Hello all, I am investigating an iOS 17.2.1 FFS and found a ../com.apple.routined/SafetyCache.sqlite file. Does anyone have more information about this file? It has a table with the name "ZSMINITIATORLOCATIONMO" and the following rows: Z_PK Z_ENT Z_OPT ZALTITUDE ZDATE ZHUNC ZLATITUDE ZLONGITUDE ZVUNC ZIDENTIFIER. What can "UNC" in HUNC and VUNC stand for? Thanks.
ScottKjr3347 4/18/2024 6:44 AM
🤔 interesting find haven’t researched that one yet but maybe Horizontal Uncertainty - Vertical Uncertainty
👍 1
I know it's been asked before but there haven't been any responses: Anyone know how to decrypt the Samsung Rubin databases if they aren't automatically decrypted by any tool? I've pushed it through the latest versions of PA, AXIOM, and Oxygen with no decryption. I really need some data that is usually in those databases. I have the device passcode. Full Filesystem extraction with GK (with the keystore file).
criley4640
I know it's been asked before but there haven't been any responses: Anyone know how to decrypt the Samsung Rubin databases if they aren't automatically decrypted by any tool? I've pushed it through the latest versions of PA, AXIOM, and Oxygen with no decryption. I really need some data that is usually in those databases. I have the device passcode. Full Filesystem extraction with GK (with the keystore file).
Gizmononootje 4/18/2024 7:02 AM
Normally it should be available if you have the correct keystore. Can you actually see the db files within the Rubin folder?
7:03 AM
possibly dump it again but with UFED this time to see if this works?
Gizmononootje
possibly dump it again but with UFED this time to see if this works?
It's an old case being re-examined for more data and the phone is not currently available. I was hoping that one of the tool makers could chime in with their method of decrypting it just to see in the keystore where they get the key(s) so I can verify that they're not there.
criley4640
It's an old case being re-examined for more data and the phone is not currently available. I was hoping that one of the tool makers could chime in with their method of decrypting it just to see in the keystore where they get the key(s) so I can verify that they're not there.
Gizmononootje 4/18/2024 7:12 AM
Yeah, it could be that the keystore isn't complete or is incorrect. I would assume the tools will parse it if correct
Gizmononootje
Yeah, it could be that the keystore isn't complete or is incorrect. I would assume the tools will parse it if correct
I'm hoping to be able to look in the actual keystore data on the phone rather than the keystore file generated by GK.
Gizmononootje 4/18/2024 7:14 AM
you could ask @Magnet Forensics due to its a GK extraction
criley4640
I'm hoping to be able to look in the actual keystore data on the phone rather than the keystore file generated by GK.
I hope I'm wrong but I think you have to extract that mobile phone again in order to have the keystore completed 🫤
Bobby
I hope I'm wrong but I think you have to extract that mobile phone again in order to have the keystore completed 🫤
I'll look into getting ahold of the phone. It's a 2022 case.
criley4640
I know it's been asked before but there haven't been any responses: Anyone know how to decrypt the Samsung Rubin databases if they aren't automatically decrypted by any tool? I've pushed it through the latest versions of PA, AXIOM, and Oxygen with no decryption. I really need some data that is usually in those databases. I have the device passcode. Full Filesystem extraction with GK (with the keystore file).
Have you tried processing the keystore file separately with Axiom and then looking for any artifacts associated with Rubin to get the password? Then when processing the FFS, double check the Rubin app (I don't know off hand if Axiom supports it) to make sure that the correct password is used. I've had it where Axiom said it retrieved the password for the Signal app, but couldn't actually use it to decrypt the database. In this case, I manually decrypted the database with the cipher db browser. Just a thought without knowing anything about that DB. Look over the log files (edited)
Hi everyone. Is there any standalone Telegram Viewer (like WhatsApp viewer) that you know of?
ZRTCLLOCATIONMO is empty but ZRTLEARNEDLOCATIONOFINTERESTVISITMO has 43 entries in local.sqlite for an iPhone (iOS)? Is ZRTCLLOCATIONMO only saved for 30 days?
Denny
Hello all, I am investigating an iOS 17.2.1 FFS and found a ../com.apple.routined/SafetyCache.sqlite file. Does anyone have more information about this file? It has a table with the name "ZSMINITIATORLOCATIONMO" and the following rows: Z_PK Z_ENT Z_OPT ZALTITUDE ZDATE ZHUNC ZLATITUDE ZLONGITUDE ZVUNC ZIDENTIFIER. What can "UNC" in HUNC and VUNC stand for? Thanks.
jack dawson 4/19/2024 3:53 AM
I saved one of my favorite topics for (nearly) last. There is no question that location can play a major role in many investigations. iOS location data has changed drastically with iOS 11 from previous iOS versions. I published research on these locations in the past and parsing scripts.
criley4640
I know it's been asked before but there haven't been any responses: Anyone know how to decrypt the Samsung Rubin databases if they aren't automatically decrypted by any tool? I've pushed it through the latest versions of PA, AXIOM, and Oxygen with no decryption. I really need some data that is usually in those databases. I have the device passcode. Full Filesystem extraction with GK (with the keystore file).
So, I've figured out the situation: when I extracted the device back in 2022, I was using @Magnet Forensics GrayKey Applogic 3.2.0 which did not support obtaining the Rubin keys for decryption in the keystore file. However, they added that support in 3.2.7. So, I was able to get my hands on the device again and re-extract. I then used the new keystore on the old extraction data in order to ensure I was looking at the original Rubin data instead of the data that was written there yesterday. In my testing, @Cellebrite Physical Analyzer 7.68 successfully parses the Rubin database data (or at least for some of the databases) while @Magnet Forensics AXIOM 8.00.0.39753 and @Oxygen Forensics Oxygen Forensic Detective 16.1.0.172 (not sure about the most recent version - we're still awaiting purchase of our renewal license) do not decrypt the databases at all, let alone parse the artifacts. With regard to @Cellebrite PA support, it decrypts the inferenceengine_logging.db, inferenceengine_monitoring.db, and inferenceengine_analytics.db but others are not decrypted despite there being additional keys in the keystore file. However, it is the only tool in our toolset to support any of the Rubin data.
👍 2
Question about Cellebrite Physical Analyzer. I can ask P.A. to analyze an extraction for WhatsApp data using "Plug-ins->Run plugin". Is it possible to do the same thing for Telegram or Facebook Messenger and other chat programs? I can't find specific plugins for these apps, maybe it can be done in a different way?
criley4640
So, I've figured out the situation: when I extracted the device back in 2022, I was using @Magnet Forensics GrayKey Applogic 3.2.0 which did not support obtaining the Rubin keys for decryption in the keystore file. However, they added that support in 3.2.7. So, I was able to get my hands on the device again and re-extract. I then used the new keystore on the old extraction data in order to ensure I was looking at the original Rubin data instead of the data that was written there yesterday. In my testing, @Cellebrite Physical Analyzer 7.68 successfully parses the Rubin database data (or at least for some of the databases) while @Magnet Forensics AXIOM 8.00.0.39753 and @Oxygen Forensics Oxygen Forensic Detective 16.1.0.172 (not sure about the most recent version - we're still awaiting purchase of our renewal license) do not decrypt the databases at all, let alone parse the artifacts. With regard to @Cellebrite PA support, it decrypts the inferenceengine_logging.db, inferenceengine_monitoring.db, and inferenceengine_analytics.db but others are not decrypted despite there being additional keys in the keystore file. However, it is the only tool in our toolset to support any of the Rubin data.
To follow up: @Cellebrite PA parsed the following new artifacts from Rubin: Device Locations (30615 locations), Device Events (36580 events), Web History (3 visits), Devices (6 Connected Devices), and Wireless Networks (18 Wireless Networks). There may be more that I haven't seen, yet. However, it is definitely a lot more device locations and device events than I had previously.
cellebrite 1
FabianoQ
Question about Cellebrite Physical Analyzer. I can ask P.A. to analyze an extraction for WhatsApp data using "Plug-ins->Run plugin". Is it possible to do the same thing for Telegram or Facebook Messenger and other chat programs? I can't find specific plugins for these apps, maybe it can be done in a different way?
Those are usually parsed when you first open the extraction. Including WhatsApp. Are they not showing in Analyzed Data\Messages\Chats?
FabianoQ
Question about Cellebrite Physical Analyzer. I can ask P.A. to analyze an extraction for WhatsApp data using "Plug-ins->Run plugin". Is it possible to do the same thing for Telegram or Facebook Messenger and other chat programs? I can't find specific plugins for these apps, maybe it can be done in a different way?
Looks like this for me
criley4640
Those are usually parsed when you first open the extraction. Including WhatsApp. Are they not showing in Analyzed Data\Messages\Chats?
I have a downgrade extraction made with another tool and I need to merge an advanced logical made with UFED with this downgrade, which includes 5 apps. If I just give it to P.A. to analyze, it reports just media and a few other items. If I execute the WhatsApp standalone plugin then WhatsApp analysis magically appears, so I was thinking equivalent app-specific plugins could exist for other popular apps like Telegram, Facebook etc. (edited)
FabianoQ
I have a downgrade extraction made with another tool and I need to merge an advanced logical made with UFED with this downgrade, which includes 5 apps. If I just give it to P.A. to analyze, it reports just media and a few other items. If I execute the WhatsApp standalone plugin then WhatsApp analysis magically appears, so I was thinking equivalent app-specific plugins could exist for other popular apps like Telegram, Facebook etc. (edited)
Even if you add the second downgrade extraction to the original Adv Logical extraction project? Or open them together?
criley4640
Even if you add the second downgrade extraction to the original Adv Logical extraction project? Or open them together?
Tried both ways
FabianoQ
Tried both ways
Have you tried changing the chain that PA uses to parse the downgrade extraction to be the same as the advanced logical extraction? I.e. Open (Advanced)... (edited)
If I start with a blank project and ask P.A. to run the "Android Generic" chain against the downgrade, it reports data from "Facebook Messenger, Instagram and WhatsApp" while the downgrade also includes "Telegram" and "Facebook"
FabianoQ
If I start with a blank project and ask P.A. to run the "Android Generic" chain against the downgrade, it reports data from "Facebook Messenger, Instagram and WhatsApp" while the downgrade also includes "Telegram" and "Facebook"
Interesting...just looked at the Chain Manager and seeing what sub-chains and plugins run under that and other options. While it seems like it would ultimately run the same plugins, maybe use the basic "AndroidContent" on the downgrade extraction and see if skipping all the other detection chains allows it to parse the 3rd party app data. AndroidContent is a sub-chain of AndroidDD, which is itself a sub-chain of Android Generic, so one would think it would ultimately do the same thing. But I'm just trying to think outside the box.
I am looking for a way to translate 1,000s of messaging app messages from Arabic to English. I didn't see a language option in @Cellebrite PA for Arabic. I know you can use Excel to translate, but that is one cell at a time through the Review Translate feature. I can use Google Translate by pulling messages from my Excel export report, but this is a bit cumbersome. So I thought I would see what others are doing. Thanks
@FabianoQ Android Content or even just run plug-in "Android Databases" should be sufficient for any extraction input that is in the correct structure of an Android file system. When you say that other apps that are not decoded appear in the downgrade, how do you know that? Maybe folders exist but actual DBs are empty..? 🤔 (edited)
@Cellebrite Am I missing it, or is there not an equivalent to this button from PA 7 in Inseyets PA? I'd just like to be able to grab a quick copy of the totals from the extraction.
📫 1
sholmes
I am looking for a way to translate 1,000s of messaging app messages from Arabic to English. I didn't see a language option in @Cellebrite PA for Arabic. I know you can use Excel to translate, but that is one cell at a time through the Review Translate feature. I can use Google Translate by pulling messages from my Excel export report, but this is a bit cumbersome. So I thought I would see what others are doing. Thanks
You can, thanks to Oxygen, like other @Oxygen Forensics users 🤭
oxygen 1
💯 1
So oxygen will translate messages automatically from Arabic to English?
Yes, just right click on 1 or 1000 msg then translate
11:09 AM
Depending on your computer's power you may have to wait a few seconds or minutes
Thanks. I rarely use oxygen. I will update it and try it out.
Bobby
You can, thanks to Oxygen, like other @Oxygen Forensics users 🤭
chrisforensic 4/19/2024 11:24 AM
Of course, you have to install the Text-Translate addon from the customer portal too... (edited)
🙏 1
sholmes
I am looking for a way to translate 1,000s of messaging app messages from Arabic to English. I didn't see a language option in @Cellebrite PA for Arabic. I know you can use Excel to translate, but that is one cell at a time through the Review Translate feature. I can use Google Translate by pulling messages from my Excel export report, but this is a bit cumbersome. So I thought I would see what others are doing. Thanks
I believe these are included with their Premium translations for extra $$. My old group used to pay the extra for the premium languages.
👍 1
CLB-ChenK
@FabianoQ Android Content or even just run plug-in "Android Databases" should be sufficient for any extraction input that is in the correct structure of an Android file system. When you say that other apps that are not decoded appear in the downgrade, how do you know that? Maybe folders exist but actual DBs are empty..? 🤔 (edited)
There are folders and there is data inside; I'm sure about this because I see data when checking the databases manually, and because in another tool all five apps' data is correctly reported
FabianoQ
There are folders and there is data inside; I'm sure about this because I see data when checking the databases manually, and because in another tool all five apps' data is correctly reported
And e.g. is the Telegram app folder named correctly? Did you use AppGenie too?
Bobby
And e.g. Telegram app folder is named correctly? Did you used AppGenie too?
This is the content. I just updated P.A. from v.7.67 to v.7.68 and now only Telegram remains unparsed. Not tried AppGenie yet (edited)
forensicgeek
Hi. Thanks for your reply. We have tried PA and Axiom and still no results.
James Pedersen 4/19/2024 6:43 PM
@forensicgeek Are you sure it was the Google maps application? Could it have been Google maps from the browser?
FabianoQ
This is the content. I just updated P.A. from v.7.67 to v.7.68 and now only Telegram remains unparsed. Not tried AppGenie yet (edited)
I'd check the version of telegram in the supported apps.
fixclown
I was thinking if anything tracked physical activity like trekking or something similar
Husky_M00s3 4/19/2024 10:20 PM
https://dfir.pubpub.org/pub/xqvcn3hj/release/1 if you are looking for how many flights the device climbed. Its worth a read.
FabianoQ
This is the content. I just updated P.A. from v.7.67 to v.7.68 and now only Telegram remains unparsed. Not tried AppGenie yet (edited)
What about creating a zip with that Telegram folder with that exact name and loading it into PA as Android Backup?
Bobby
What about creating a zip with that Telegram folder with that exact name and loading it into PA as Android Backup?
Tried. No joy
FabianoQ
Tried. No joy
Does PA SQLWizard allow you to see some chats at least?
sholmes
I am looking for a way to translate 1,000s of messaging app messages from Arabic to English. I didn't see a language option in @Cellebrite PA for Arabic. I know you can use Excel to translate, but that is one cell at a time through the Review Translate feature. I can use Google Translate by pulling messages from my Excel export report, but this is a bit cumbersome. So I thought I would see what others are doing. Thanks
There is a Python module called deep_translate that has Google Translate's API integrated. You can use it to translate whole documents. I've never used it myself but from looking at the documentation it looks pretty straightforward.
Terry_____
There is a Python module called deep_translate that has Google Translate's API integrated. You can use it to translate whole documents. I've never used it myself but from looking at the documentation it looks pretty straightforward.
Thanks. I will take a look at it. I was trying to use Oxygen, but that has failed to load the extraction.
Terry_____
There is a Python module called deep_translate that has Google Translate's API integrated. You can use it to translate whole documents. I've never used it myself but from looking at the documentation it looks pretty straightforward.
deep_translate appears to send data out to each translation service for results and is not a locally-run service. Why not just use the web interface when PII is not a concern? The closest thing I can think of to take advantage of the cloud is to redact the PII first, then send it out for the results... still a lot of work but...
James Pedersen 4/23/2024 4:10 PM
Guys, can I ask the following question about the Apple Unified Logs on iOS? Does updating the iOS operating system on an iPhone clear the Unified Logs?
Reposting here as well. I have an examiner in the field imaging an iPhone 14 Pro Max, iOS 17.4.1; the phone was imaged with Cellebrite Inseyets version 10.2.1. The examiner was suspicious that the phone imaged in 20 min. We had them look into the custodian's Recently Deleted folder for SMS messages and noted there were 130 deleted messages present in Recently Deleted, but when the examiner looked at Chat they noticed some of the messages in Recently Deleted were not recovered by Inseyets. Has anyone noticed this before?
Ash4n6
Reposting here as well. I have an examiner in the field imaging an iPhone 14 Pro Max, iOS 17.4.1; the phone was imaged with Cellebrite Inseyets version 10.2.1. The examiner was suspicious that the phone imaged in 20 min. We had them look into the custodian's Recently Deleted folder for SMS messages and noted there were 130 deleted messages present in Recently Deleted, but when the examiner looked at Chat they noticed some of the messages in Recently Deleted were not recovered by Inseyets. Has anyone noticed this before?
Source is FFS or Advanced Logical extraction?
Carl
@Cellebrite Am I missing it, or is there not an equivalent to this button from PA 7 in Inseyets PA? I'd just like to be able to grab a quick copy of the totals from the extraction.
CLB-DannyTheModeler 4/24/2024 2:09 AM
If you want to export the Device Info Entries to CSV, you can find that capability in the dashboard in 2 places, either in the Device Info Widget on the main tab (Dashboard View), or on the Data Details View in the Device Info section (right side).
2:10 AM
Anyone from @Cellebrite able to assist with a trevor query please? (edited)
@Cellebrite Does the new inseyets PA have the fuzzy wizard built into it ? (edited)
Morning all! Quick Kik related question - is there a database that tracks whether auto-download of videos has been enabled? I’m not seeing anything in kik.defaults or the group.com.kik.chat.plist
@Magnet Forensics Hi, Magnets app simulator is asking me to check logs for errors installing an APK - Where can I find these logs? It's not specified exactly. Thanks
Dfdan
@Cellebrite Does the new inseyets PA have the fuzzy wizard built into it ? (edited)
CLB-DannyTheModeler 4/24/2024 3:58 AM
Fuzzy Model has not yet been implemented in Inseyets PA.
CLB-DannyTheModeler
Fuzzy Model has not yet been implemented in Inseyets PA.
Thanks for the reply, any workaround to index the data in the latest version of Inseyets PA, or roll over to PA to do the work?
@Cellebrite anyone available?
📫 1
Vivien Dehne 4/24/2024 6:40 AM
Does anybody know how the Griffeye Social Media Identifier works? I just read that it was innovated at the Interpol DevOps Hackathon 2019... @Magnet Forensics I'm searching for a paper or something related to this. I would be very grateful for any help!
Bobby
Source is FFS or Advanced Logical extraction?
It was Advanced Logical Extraction
Ash4n6
It was Advanced Logical Extraction
Vivien Dehne
Does anybody know how the Griffeye Social Media Identifier works? I just read that it was innovated at the Interpol DevOps Hackathon 2019... @Magnet Forensics I'm searching for a paper or something related to this. I would be very grateful for any help!
I think from experience it looks at filename and sees if it matches any known patterns as some apps name files specific ways. I always take it with a pinch of salt.
Darren55811 4/25/2024 1:18 AM
Hello all, I've an extraction from a Samsung phone and have pulled location data from Samsung Rubin. Each location has a horizontal precision value, e.g. 16.521xxxx meters. Is anyone able to advise as to the accuracy of this precision information? I.e. is the device definitely located within 16.521m of the location hit, or is there still room for error within this data?
@Magnet Forensics I have a database from an Android phone I am trying to parse and I am running into errors. It is a Facebook Messenger database (msys_database_520162933). While doing a hex search I can see messages which do not appear when I look at the database (I can look at the database through Physical Analyzer). I tried to run the database, the wal, and the shm in Axiom and it was not able to parse the messages I can see in the hex. Also every time I try to look at the database through Axiom's File System view I get an error saying "SQL logic error No such module: echo_document_map." Anyone got some tips or tricks they can share?
Does anyone have any experience in Windows Mobile 10 analysis? Maybe someone has scripts in Python?
Can anyone help me real quick with some Belkasoft filters? I have a decrypted iTunes backup that I am trying to analyze SMS messages in between the owner of the phone and one person. I've tried several different filters, and I will end up with messages from the owner of the phone to a different person that I'm not interested in. For some reason the person that I am interested in is not listed under "Recipients." However, I know the owner of the phone has sent them messages by just reading through them. It appears that all of the messages are grouped together and not in a "per group" list
Very specific question for Android (Galaxy S20): I want to find a picture from a Blink webcam that was shown in a notification, which itself was never opened before doing a restart to get a FFS. All I found was the Internet link to the picture. Does anyone know if downloaded pictures for a notification are stored anywhere?
Anyone from @Oxygen Forensics around for a troubleshooting issue?
sholmes
Anyone from @Oxygen Forensics around for a troubleshooting issue?
Oxygen Forensics 4/29/2024 8:03 AM
Hello, of course, please message me 🙂
Hello all, I have a device that was wiped and then a few months later backed up from the cloud. Is there any way to show that this wipe was done natively and not remotely?
reblac
Very specific question for Android (Galaxy S20): I want to find a picture from a Blink webcam that was shown in a notification, which itself was never opened before doing a restart to get a FFS. All I found was the Internet link to the picture. Does anyone know if downloaded pictures for a notification are stored anywhere?
Seems like the downloaded pictures are re-coded by Android to an in-memory bitmap, which is then displayed in the notification. After a restart it is gone...
Anyone come across Touchberry’s Secret Calculator App? It’s a password protected gallery where a user can hide photos. I’m also looking for any info on Apalon’s CameraCalculator. Not sure what it is, but it’s listed in the keychain.
dcs453
Anyone come across Touchberry’s Secret Calculator App? It’s a password protected gallery where a user can hide photos. I’m also looking for any info on Apalon’s CameraCalculator. Not sure what it is, but it’s listed in the keychain.
Can you tell me the exact package name of the two apps?
Crox
Can you tell me the exact package name of the two apps?
TbPhotoAlbum com.touchberry.secretcalculator com.apalonapps.cameracalculator I can't find anything on the camera calculator inside the phone extraction. Maybe a deleted or discontinued app? 🤷‍♂️
👍 1
ControlF 2
dcs453
TbPhotoAlbum com.touchberry.secretcalculator com.apalonapps.cameracalculator I can't find anything on the camera calculator inside the phone extraction. Maybe a deleted or discontinued app? 🤷‍♂️
Sorry, I'm out of the office today and won't be able to check it until tomorrow. I'm better with Android stuff though. Maybe @bang can help, he's pretty good with that stuff.
Cheers, I'll send you a DM
In a Cellebrite extraction why does it always have blank messages, especially listed as "Recent"? Why does the software even display these as messages? Are they actual messages that are blank, or is Cellebrite just creating duplicate entries for messages and leaving some of them blank? Can anyone help explain why there are always a bunch of blank messages from iOS extractions?
PhrostByte
In a Cellebrite extraction why does it always have blank messages, especially listed as "Recent"? Why does the software even display these as messages? Are they actual messages that are blank, or is Cellebrite just creating duplicate entries for messages and leaving some of them blank? Can anyone help explain why there are always a bunch of blank messages from iOS extractions?
I believe these are being pulled from a db that keeps track of recent locations, SMS, and emails. However, it does not store the body of the message, rather just that a recent event took place.
PhrostByte
In a Cellebrite extraction why does it always have blank messages, especially listed as "Recent"? Why does the software even display these as messages? Are they actual messages that are blank, or is Cellebrite just creating duplicate entries for messages and leaving some of them blank? Can anyone help explain why there are always a bunch of blank messages from iOS extractions?
Alexsaurus 5/1/2024 2:51 PM
forensicMouse 5/1/2024 4:06 PM
Anyone encountered the Enigma privacy chat app before? Wondering if commercially available tools will parse
@Cellebrite Hi, can you please explain to me the difference between Chats -> Native messages and Instant messages -> Native messages (both contain messages from the same DB and both SMS and/or iMessage, at least in some cases)
PhrostByte
In a Cellebrite extraction why does it always have blank messages, especially listed as "Recent"? Why does the software even display these as messages? Are they actual messages that are blank, or is Cellebrite just creating duplicate entries for messages and leaving some of them blank? Can anyone help explain why there are always a bunch of blank messages from iOS extractions?
CLB-DannyTheModeler 5/2/2024 1:55 AM
David, We do our best to decode as much useful data as we can. We go to numerous files and databases to decode this information, sometimes this results in duplicates, but many times, especially with deleted messages we are only able to acquire partial data. These appear as messages as that is what they are. In many cases, even partial data can be useful as knowing that a message was sent at a specific time (distracted driving as an example) or knowing that the device owner was in communication with a certain person may be very important to your case, even if you do not have the content of the message itself. The video that Alex provided explains the difference between Chats and Instant Messages in the PA UI (there's a minor mistake in the video as Heather refers to Native messages rather than Chats). (edited)
👌🏻 1
@MSAB Hey, I want to use Whisper transcribing in one case. It's a big phone with several thousand audio files, but I only need to transcribe a single chat with around 5 audio files. Is there a way to do it? My idea was to save a subset of the case with just the single chat. I saved it, but since I included the attachments, the saved subset included the complete .xry file (around 100 GB). I can only see the selected chat, but when I start a new decoding with Whisper, it starts to transcribe every single audio file, not just the ones from the single chat. So any idea how to run Whisper just for a single chat?
Introser
@MSAB Hey, I want to use Whisper transcribing in one case. It's a big phone with several thousand audio files, but I only need to transcribe a single chat with around 5 audio files. Is there a way to do it? My idea was to save a subset of the case with just the single chat. I saved it, but since I included the attachments, the saved subset included the complete .xry file (around 100 GB). I can only see the selected chat, but when I start a new decoding with Whisper, it starts to transcribe every single audio file, not just the ones from the single chat. So any idea how to run Whisper just for a single chat?
MSAB_Sofia 5/2/2024 6:00 AM
I'll DM you.
Axen Cleaver 5/2/2024 8:35 AM
Anyone know of a write-up or have a method of parsing Grindr chats? FFS pulled from an Apple 15, iOS 17.1.1, Grindr version 9.18.3. Processed through @Cellebrite Inseyets and @Magnet Forensics Axiom. Poking through the databases I believe they are stored as a blob in cache.db, however, I don't know a reliable way to convert the blob into something human readable. Confirmed the chats are present on the phone, and I could fall back on a manual exam with a camera, but only if that's the only option. (edited)
Axen Cleaver
Anyone know of a write-up or have a method of parsing Grindr chats? FFS pulled from an Apple 15, iOS 17.1.1, Grindr version 9.18.3. Processed through @Cellebrite Inseyets and @Magnet Forensics Axiom. Poking through the databases I believe they are stored as a blob in cache.db, however, I don't know a reliable way to convert the blob into something human readable. Confirmed the chats are present on the phone, and I could fall back on a manual exam with a camera, but only if that's the only option. (edited)
citizencain 5/2/2024 1:51 PM
They’re stored as a realm db. I don’t have one in front of me, but the db is called something like persistencestore.bin (misleading, I know). You’ll probably need to download Realm Studio to view, they will be plaintext and you can export them out to json. Some tools like PA and Oxy will convert the realm to sqlite and morph it into a relational database that you can query.
Axen Cleaver 5/2/2024 2:03 PM
Worked like a charm! Thank you!
👍🏼 1
Axen Cleaver 5/2/2024 2:19 PM
Looking through PA's documentation, looks like it only supports up to version 6.11 of the Grindr app, and this one is 9.18. Probably why it didn't automatically parse it out this time when it has in the past.
Axen Cleaver
Looking through PA's documentation, looks like it only supports up to version 6.11 of the Grindr app, and this one is 9.18. Probably why it didn't automatically parse it out this time when it has in the past.
I would email CellebriteAppSupport@cellebrite.com - assuming it's still live (all requests did go towards telling the PA folk what's in demand). @CLB_iwhiffin can maybe confirm the email inbox still works 🙂 (edited)
Rob
I would email CellebriteAppSupport@cellebrite.com - assuming it's still live (all requests did go towards telling the PA folk what's in demand). @CLB_iwhiffin can maybe confirm the email inbox still works 🙂 (edited)
Can confirm it's still good 🙂
👍 1
trickyricky 5/2/2024 7:16 PM
Sorry if in the wrong channel, but it's "kind of" related to phones, etc... 🙂 I've obtained the app logs from a Mac using the Unix artifact collector, which includes iMessage data/chats. I've parsed the data through @Magnet Forensics Axiom and I am only able to see the sender of the messages as "Me". How do I tie those messages to a particular phone, or tell if they were sent via the Messages app on the MacBook? Kind of a Mac/iOS forensics newbie, please excuse.
Introser
@MSAB Hey, I want to use Whisper transcribing in one case. It's a big phone with several thousand audio files, but I only need to transcribe a single chat with around 5 audio files. Is there a way to do it? My idea was to save a subset of the case with just the single chat. I saved it, but since I included the attachments, the saved subset included the complete .xry file (around 100 GB). I can only see the selected chat, but when I start a new decoding with Whisper, it starts to transcribe every single audio file, not just the ones from the single chat. So any idea how to run Whisper just for a single chat?
KeHei_MoFo 5/2/2024 8:59 PM
Hi @MSAB. I'm currently facing the exact same problem. Do you have an easy solution for this?
DeepDiveForensics 5/3/2024 12:02 AM
Hey Dear Members, just wanted to check, is there any way we can identify the reset/wipeout logs from Android v7, advanced logical extraction by UFED?
DeepDiveForensics
Hey Dear Members, just wanted to check, is there any way we can identify the reset/wipeout logs from Android v7, advanced logical extraction by UFED?
Gizmononootje 5/3/2024 12:32 AM
If you can find the persistent_properties
12:32 AM
but I'm not sure if an advanced logical will provide that.... you need system logs etc.
12:33 AM
If not available, check install dates of certain apps
Gizmononootje
If you can find the persistent_properties
DeepDiveForensics 5/3/2024 1:03 AM
Sure, let me check that
KeHei_MoFo
Hi @MSAB. I'm currently facing the exact same problem. Do you have an easy solution for this?
MSAB_Sofia 5/3/2024 1:04 AM
I'll DM you.
DeepDiveForensics 5/3/2024 1:16 AM
Sure
DeepDiveForensics
Hey Dear Members, just wanted to check, is there any way we can identify the reset/wipeout logs from Android v7, advanced logical extraction by UFED?
Axen Cleaver 5/3/2024 6:35 AM
There is a Part II to this post, which you can find here. I’d like to thank Alexis Brignoni, Heather Mahalik, and Jared Barnhart for their insight and validation, and Alexis for tooling ALEAPP for …
Killer3p0
Can anyone help me real quick with some Belkasoft filters? I have a decrypted iTunes backup that I am trying to analyze SMS messages in between the owner of the phone and one person. I've tried several different filters, and I will end up with messages from the owner of the phone to a different person that I'm not interested in. For some reason the person that I am interested in is not listed under "Recipients." However, I know the owner of the phone has sent them messages by just reading through them. It appears that all of the messages are grouped together and not in a "per group" list
Dar Belkasoft 5/3/2024 7:28 AM
Hi! Text support at support@belkasoft.com, as it is not very clear what the problem is. In general, if the contact is not in the recipients, filters will not help.
Dar Belkasoft
Hi! Text support at support@belkasoft.com, as it is not very clear what the problem is. In general, if the contact is not in the recipients, filters will not help.
Thanks for replying. I have figured out what the problem is, and have reached out to tech support
DeepDiveForensics 5/3/2024 10:26 AM
Thanks, I checked this one but I'm looking for Android v7 and I'm having an adb/logical extraction
ScottKjr3347 5/3/2024 12:38 PM
Other than “Did the phone capture the photo/video?” What are the questions you are getting related to iOS media and possible photos.sqlite data?
Hi all, can someone explain in detail the User Dictionary from Samsung devices please. Originally posted in extraction but realised just now that it was the wrong area to post in.
obi95
Hi all, can someone explain in detail the User Dictionary from Samsung devices please. Originally posted in extraction but realised just now that it was the wrong area to post in.
That's the dictionary that contains frequently typed words by the user in the keyboard. (edited)
Rob
That's the dictionary that contains frequently typed words by the user in the keyboard. (edited)
Is it only typed words that get entered into this file? Or could spoken words get added into it?
obi95
Is it only typed words that get entered into this file? Or could spoken words get added into it?
Voice as in surrounding environment or Voice to text?
Rob
Voice as in surrounding environment or Voice to text?
Voice to text.
I think it's possible, never done that level of research, but would also imagine there's no separation between the two as both are typed, albeit one via voice
SNAPCHAT question. Is there any way to find the name of a group chat? I have the ID, but can't find the database where this info could be. Any pointers?
trillian
SNAPCHAT question. Is there any way to find the name of a group chat? I have the ID, but can’t find the database where this info could be. Any pointers?
Hey, it should be in the arroyo.db database, table "feed_entry", column "conversation_title". Also if you are using PA it should appear in the Chat side panel under "Details".
👍🏻 1
CLB - Ofri
Hey, it should be in the arroyo.db database, table "feed_entry", column "conversation_title". Also if you are using PA it should appear in the Chat side panel under "Details".
Thank you. I’ll check that out!
Ghibra Mad 5/6/2024 2:25 AM
Hello everyone. I have a question about mobile devices. Do you know if it's possible, either on Android or iOS, to determine the position of a mobile device at a certain moment? For example, if at a certain time, let's say before an accident, the user lifted the phone. Maybe using some sensors logs? Thanks!
rylee25
Hello all, I have a device that was wiped and then a few months later backed up from the cloud. Is there any way to show that this wipe was done natively and not remotely?
I think your best bet is to look at VSS! Also, look in the system Hive for data extraction.
ShellBags
I think your best bet is to look at VSS! Also, look in the system Hive for data extraction.
DeeFIR 🇦🇺 5/6/2024 5:05 AM
For a mobile phone?
Ghibra Mad
Hello everyone. I have a question about mobile devices. Do you know if it's possible, either on Android or iOS, to determine the position of a mobile device at a certain moment? For example, if at a certain time, let's say before an accident, the user lifted the phone. Maybe using some sensors logs? Thanks!
Lionel Notari 5/6/2024 6:56 AM
Hello, for iOS yes, you can investigate a few iOS Unified Logs, for example:
SpringBoard: Animating backlight to state active on animated:YES source:2 (home button)
SpringBoard: Animating backlight to state active on animated:YES source:3 (lock button)
SpringBoard: Animating backlight to state active on animated:YES source:12 (notification)
SpringBoard: Animating backlight to state active on animated:YES source:20 (lift to wake)
The logs above give you the reason why the lock screen turns on; the "lift to wake" might be interesting in your case.
For the orientation of the phone, you can use the following ones:
backboardd: Effective device orientation changed to: portrait (1)
backboardd: Effective device orientation changed to: portraitUpsideDown (2)
backboardd: Effective device orientation changed to: landscapeLeft (3)
backboardd: Effective device orientation changed to: landscapeRight (4)
backboardd: Effective device orientation changed to: faceUp (5)
backboardd: Effective device orientation changed to: faceDown (6)
A few other examples to confirm the orientation:
backboardd: Received orientation. (Portrait to FaceUp)
backboardd: Received orientation. (LandscapeRight to PortraitUpsideDown)
backboardd: Received orientation. (FaceUp to FaceDown)
SpringBoard: Received active interface orientation did change from landscapeLeft (4) to portrait (1) with duration 0.3
SpringBoard: [SwitcherOrientation] outSwitcherOrientation: portrait (1), outElementsOrientations: { "sceneID:net.whatsapp.WhatsApp-default" = 1; }
The log just above gives you the application in which the orientation changed, which might be interesting.
I hope it can help, this is what I have in mind at the moment, more here: https://www.ios-unifiedlogs.com/blog
Dive into my Blog Articles focusing on iOS Unified Logs and tracev3 Investigation. Gain insights into digital forensics and uncover the secrets hidden in unified logs.
🔥 7
@DeeFIR 🇦🇺 for which os, more details so i can better assist?
Lionel Notari
Hello, for iOS yes, you can investigate a few iOS Unified Logs, for example: SpringBoard: Animating backlight to state active on animated:YES source:2 (home button) SpringBoard: Animating backlight to state active on animated:YES source:3 (lock button) SpringBoard: Animating backlight to state active on animated:YES source:12 (notification) SpringBoard: Animating backlight to state active on animated:YES source:20 (lift to wake) The logs above give you the reason why the lock screen turns on, the "lift to wake" might be interesting in your case. For the orientation of the phone, you can use the following ones: backboardd: Effective device orientation changed to: portrait (1) backboardd: Effective device orientation changed to: portraitUpsideDown (2) backboardd: Effective device orientation changed to: landscapeLeft (3) backboardd: Effective device orientation changed to: landscapeRight (4) backboardd: Effective device orientation changed to: faceUp (5) backboardd: Effective device orientation changed to: faceDown (6) A few other examples to confirm the orientation: backboardd: Received orientation. (Portrait to FaceUp) backboardd: Received orientation. (LandscapeRight to PortraitUpsideDown) backboardd: Received orientation. (FaceUp to FaceDown) SpringBoard: Received active interface orientation did change from landscapeLeft (4) to portrait (1) with duration 0.3 SpringBoard: [SwitcherOrientation] outSwitcherOrientation: portrait (1), outElementsOrientations: { "sceneID:net.whatsapp.WhatsApp-default" = 1; } The log just above gives you the application in which the orientation changed which might be interesting. I hope it can help, this is what I have in mind at the moment, more here: https://www.ios-unifiedlogs.com/blog
Thank you very much for your reply, that's really helpful!
ShellBags
@DeeFIR 🇦🇺 for which os, more details so i can better assist?
He may have mistaken your response for one to the other question, regarding mobile device location.
4:04 PM
It took me a few times to notice both questions, as they both began with a "Hello"
Can knowledgeC be cleared in some way by the user?
jaikl
Can knowledgeC be cleared in some way by the user?
Nope, not that I know of... then it should be if the user resets settings/cache etc. Haven't tested though
Has anyone here looked into the Coinbase wallet app on iOS? Is it possible to get transaction lists and chat?
Tilt
Has anyone here looked into the Coinbase wallet app on iOS? Is it possible to get transaction lists and chat?
RootBeer403 5/7/2024 5:46 AM
Just search up the wallet addresses found on a block explorer for the transactions or if you got hands on the chainalysis tool called reactor just trace it through there, not sure about the chat side of it though (edited)
👍 1
If a user has a video chat using Facebook Messenger, does anyone know if a cached copy or snippets of the video are left on the device afterwards? All I've been told is the person had a 30 minute video call and they used an iOS device. Just reaching out to see if anyone has looked into and dealt with this before.
Jason Bennett 5/7/2024 4:07 PM
I'm running into an issue with generating @Cellebrite Reader reports on one particular forensic machine, and I'm not sure why: I have Advanced Logical extraction around 100GB in size. Generating a reader report on a forensic laptop yields a UFDR file ~30GB in size, with all options (including uncategorized items) checked. I had this once before and reprocessed the case on a different machine (50GB GK BFU extraction was generating a ~4GB report), and after doing so, the report was much closer to 50GB. I've only encountered it on these two instances so I can't say for certain it's the machine. I've checked report settings and nothing is jumping out at me. Anyone run into this? (edited)
📫 1
RootBeer403
Just search up the wallet addresses found on a block explorer for the transactions or if you got hands on the chainalysis tool called reactor just trace it through there, not sure about the chat side of it though (edited)
Husky_M00s3 5/7/2024 4:17 PM
Breadcrumbs.app might be worth looking into. Maltego has plug-ins, but if you are just doing basic tracing, Breadcrumbs is your friend. @Tilt
👍 1
Count Nathan 5/8/2024 4:55 AM
Does anyone know what the "Library\Intents\Images" folder on an iPhone 12 running iOS17.4.1 refers to or contains? I have an illegal image within it and need to define that location. Thanks
Killithid the Mindslayer™ 5/8/2024 6:00 AM
Based on a quick bit of thumbing through Google and GIME books, could be an image related to a chat. If the file name looks like a GUID, maybe go through the chat.db and see if you can't find anything that corresponds. I read that and can't help but think it's related to an app intent, so I would run this query against the knowledgeC.db: https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_intents.txt Lot of conjecture on my end here, but if you have a created timestamp for that image in that library, there's a chance that there was an entry in the knowledgeC.db around that time.
Killithid the Mindslayer™
Based on a quick bit of thumbing through Google and GIME books, could be an image related to a chat. If the file name looks like a GUID, maybe go through the chat.db and see if you can't find anything that corresponds. I read that and can't help but think it's related to an app intent, so I would run this query against the knowledgeC.db: https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_intents.txt Lot of conjecture on my end here, but if you have a created timestamp for that image in that library, there's a chance that there was an entry in the knowledgeC.db around that time.
forensicmike @Magnet 5/8/2024 6:07 AM
👍 doing a +/- search on the timestamp of the event of interest. this is an approach that won't limit you to specific intents, so if you find anything you can then investigate each event type as needed.
💚 1
Hi, we have a picture that we found on the videocapture folder on an Android device (samsung). I have a question regarding the timestamp. I need to understand the difference between the modified and access date. I cannot understand why the date/time in the picture's name is the last accessed date and not the same as the exif created date.
6:42 AM
Dam
Hi, we have a picture that we found on the videocapture folder on an Android device (samsung). I have a question regarding the timestamp. I need to understand the difference between the modified and access date. I cannot understand why the date/time in the picture's name is the last accessed date and not the same as the exif created date.
Perhaps the original picture was subsequently re-saved on the android device causing the 20220803 filename? If you extract the picture out and run it against exiftool, you might get more exif details to identify the origins of the picture ?
rfar
Perhaps the original picture was subsequently re-saved on the android device causing the 20220803 filename? If you extract the picture out and run it against exiftool, you might get more exif details to identify the origins of the picture ?
Nothing more unfortunately.
Killithid the Mindslayer™ 5/8/2024 8:55 AM
Is it possible that the file was simply renamed?
It is, but knowing the suspect and the case there is almost zero chance that is the case.
Dam
Hi, we have a picture that we found on the videocapture folder on an Android device (samsung). I have a question regarding the timestamp. I need to understand the difference between the modified and access date. I cannot understand why the date/time in the picture's name is the last accessed date and not the same as the exif created date.
citizencain 5/8/2024 1:11 PM
When true EXIF data isn’t there, I’ve seen PA pull in the file system date to populate that field. It would seem your video was created March 8 and because you have your dates set to display as MM/DD/YYYY, it’s simply misrepresenting the access date as Aug 3 rather than March 8. This at least lines your timeline up better, making the filename/access before the creation/modification. Several things can stomp on these dates, including re-saving or re-opening the file from certain apps. Or even sharing the file. Synching with a cloud provider timestomps all over these as well. Were you able to find the file in the internal/external dbs?
Alexsaurus 5/9/2024 6:50 PM
@Cellebrite Is someone able to tell me what these files are and can I delete them?
Alexsaurus
@Cellebrite Is someone able to tell me what these files are and can I delete them?
Is that the filepath for your database files?
Ross
Is that the filepath for your database files?
Alexsaurus 5/9/2024 7:00 PM
Don't think so. Think that's "C:\ProgramData\Cellebrite Mobile Synchronization\Cases Data"
Hmm what's in the folders?
Ross
Hmm what's in the folders?
Alexsaurus 5/9/2024 7:04 PM
Well that problem is solved now. Fired up inseyets again and it cleared it all out. Guess it's the working case stuff and was left after it crashed.
citizencain
When true EXIF data isn’t there, I’ve seen PA pull in the file system date to populate that field. It would seem your video was created March 8 and because you have your dates set to display as MM/DD/YYYY, it’s simply misrepresenting the access date as Aug 3 rather than March 8. This at least lines your timeline up better, making the filename/access before the creation/modification. Several things can stomp on these dates, including re-saving or re-opening the file from certain apps. Or even sharing the file. Synching with a cloud provider timestomps all over these as well. Were you able to find the file in the internal/external dbs?
nothing in internal/external db
ScottKjr3347 5/11/2024 2:07 PM
iLEAPP https://github.com/abrignoni/iLEAPP now parses 📸 Photos.sqlite 🍎 iOS 11-17. If errors are encountered please DM me the error. Easier to view & search when using EZ Tools Timeline Explorer (https://ericzimmerman.github.io/#!index.md) & TSV generated reports. (edited)
💯 5
🍻 2
Hey. I have an image in the WhatsApp sent folder, but I cannot find the original image. I think the user has deleted the original image but kept the file in the WhatsApp directory. Is there any way to retrieve information about the original image, such as filename, filepath, or size? PS: I have a FFS extraction.
hfactor
Hey. I have an image in the WhatsApp sent folder, but I cannot find the original image. I think the user has deleted the original image but kept the file in the WhatsApp directory. Is there any way to retrieve information about the original image, such as filename, filepath, or size? PS: I have a FFS extraction.
Hi, try Magnet Axiom, it recovers images from thumb files for WhatsApp, not from folder files, and maybe you will be lucky. If the user deleted many messages at once or uninstalled the app, pictures can still stay in the WhatsApp folder. WhatsApp has thumbs and Axiom can show them for you. I'm not sure, but I think Oxygen F.D. also showed the image and thumb image in messages. Maybe you will see more info about an image, but you will not get it if the image was deleted some time ago and had a big size.
👍 1
Avatar
Avatar
Alexsaurus
@Cellebrite Is someone able to tell me what these files are and can I delete them?
yes you can, sometimes the temp folder fills up and needs to be deleted
Avatar
Avatar
Count Nathan
Does anyone know what the "Library\Intents\Images" folder on an iPhone 12 running iOS17.4.1 refers to or contains? I have an illegal image within it and need to define that location. Thanks
Just had the exact same thing... It can be "intents" from a lot of places where an app has shown the image. I did a couple of tests, and for example, the contact photos are also here, and that has, among other things, something to do with Shortcuts, where the images are used... So you can't exactly say where the images originated from, but you can almost be sure that they have been on the device. PM me for more if necessary.
Avatar
Not sure which channel to put it in so I'll go for here. Does anyone know an identifier that will be in every snapchat file path
8:17 AM
I have identified that com.snap.file.manager_3_SCContent is in most snapchat file paths
8:17 AM
But I want to make sure I'm not missing any
Avatar
I would like to know how to verify filesystem metadata on iOS devices. Obviously forensic software is going to tell me the created/modified times and I can test software against software, but I would like to be able to do the equivalent of going to the $MFT on a windows box and use my lock and code book to manually interpret stuff. I know iOS is using APFS, which uses B Tree structures, but beyond the words I just regurgitated I don't exactly know how those work. I have found a few links I am trying to wade through, but it isn't what I would call "easy reading". Curious if there's a better resource I'm not looking at. And finally, are these B Tree structures preserved in a FFS download? Or do we just get the result of the interpretation of those structures from whatever tool produced the FFS? https://www.infosecinstitute.com/resources/digital-forensics/ios-forensics/ https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf I have been to an embarrassing number of trainings to not know the answer to this question.
Avatar
Avatar
Gooner
Not sure which channel to put it in so I'll go for here. Does anyone know an identifier that will be in every snapchat file path
on iOS I typically just grab the app bundle guid and search for that
11:03 AM
otherwise you could grab the reverse DNS com.picaboo.whatever.itis.thismonth
Avatar
Avatar
whee30
on iOS I typically just grab the app bundle guid and search for that
I thought the guid changed depending on iOS version and iPhone model
Avatar
each phone will have a unique GUID, you just need to identify what it is for each phone and use that. If you're using PA/Ins👁️ts, I go to installed applications and click the source link to find the GUID quickly.
Avatar
Anyone know where voicemails are stored on androids, or which DB tracks? Physical from a Samsung not parsing voicemails and trying to track them down in the filesystem
Avatar
Hi all, has anyone encountered 'Deleted - Chat' and 'Deleted - Instant Message' in Inseyets PA after parsing an iOS extraction done by UFED? Both of them can contain 'Yes' (obviously deleted) and 'Trash' message. Does anyone know what the 'Trash' chat or message is? Can @Cellebrite provide more insight? (edited)
Avatar
Hi all, I am working with a full encrypted backup of an iPhone that is running iOS 17.5; the specific tool I used was 3uTools. This user is claiming that he is being somehow tracked through his mobile device. I have confirmed the device is not jailbroken. I do not have the mobile device in my possession any longer. Out of ~900 apps installed, I have 5 that are odd/stand out for further investigation. I want to investigate each application and its permissions. I currently have a commercial tool that is really focused on Windows desktop type investigations, but supports mobile. I am checking with the vendor to see if they support analyzing the application permissions. In the meantime, any suggestions on something I could use to quickly investigate each app: settings, permissions and so forth? BTW, I do know that Apple does a great job of keeping spyware type applications out of the Apple store. But an example of one of the suspect applications is: com.yourcompany.TestWithCustomTabs. No idea what this is.
Avatar
Avatar
Ian.C
Hi all, has anyone encountered 'Deleted - Chat' and 'Deleted - Instant Message' in Inseyets PA after parsing an iOS extraction done by UFED? Both of them can contain 'Yes' (obviously deleted) and 'Trash' message. Does anyone know what the 'Trash' chat or message is? Can @Cellebrite provide more insight? (edited)
Trash refers to a chat that was moved to trash bin and marked for deletion, but has not been permanently deleted yet.
Avatar
@Cellebrite I have a 440 GB FFS extraction of an iPhone that I am attempting to parse. Although it was extracted using Cellebrite, there no longer is a .ufd pointer file. From what I hear and research, the best way to parse that is uploading it as Advanced, Blank project, Zip and putting the raw dump in (and selecting the plugin chain as iPhoneFS). I did all this and ran it at 7pm last night and it has been well over 12 hours now. Task Manager has the process running and basically fully exhausting my live memory. I assume the right thing to do is keep waiting, but when do I draw the line? Please help if you have any thoughts or experience on this. (edited)
Avatar
There are a number of reasons this can happen. The first thing to remember is that the speed of parsing has more to do with the items in the extraction than the size of the total extraction. There may be some rather "dense" items in the extraction causing the delay (app databases containing a very large number of chat messages), so once PA gets past that item(s) the speed could increase. The second restriction has to do with iPhone extractions and the way that they are read. They have no regard for what you selected and will take more time than a typical Android. If it is not tying up the computer from other priorities I would let it continue.
👍 1
Avatar
yeah I also chose to recover from archives which I know makes the process longer. really hoping to see it finish under 24 hours still.
Avatar
@Cellebrite @Magnet Forensics Need help with figuring out the information in a MEGA database. I got a full file system extraction from a Samsung Galaxy A14 5G (Model: SM-S146VL, Android Version: 13), I found evidence in the cache of the MEGA application and went to dive further. Inside one of the MEGA databases (megaclient_statecache14) I found a bunch of video names and some time stamps. I can't tell what the time stamps are for (created, access, modified, etc...) and neither Axiom nor Physical Analyzer parsed this database. Does anyone know of a way to parse the database, or has anyone worked with this database before and is willing to answer some questions?
📬 1
Avatar
I think there used to be a custom artefact for mega, did you check the community pages?
Avatar
Avatar
zero00796
@Cellebrite @Magnet Forensics Need help with figuring out the information in a MEGA database. I got a full file system extraction from a Samsung Galaxy A14 5G (Model: SM-S146VL, Android Version: 13), I found evidence in the cache of the MEGA application and went to dive further. Inside one of the MEGA databases (megaclient_statecache14) I found a bunch of video names and some time stamps. I can't tell what the time stamps are for (created, access, modified, etc...) and neither Axiom nor Physical Analyzer parsed this database. Does anyone know of a way to parse the database, or has anyone worked with this database before and is willing to answer some questions?
Try ALEAPP or Oxygen. Both tools support database decryption.
Avatar
Avatar
RichardG
I think there used to be a custom artefact for mega, did you check the community pages?
I have not
Avatar
Avatar
Crox
Try ALEAPP or Oxygen. Both tools support database decryption.
I'll give those a shot
Avatar
Avatar
zero00796
@Cellebrite @Magnet Forensics Need help with figuring out the information in a MEGA database. I got a full file system extraction from a Samsung Galaxy A14 5G (Model: SM-S146VL, Android Version: 13), I found evidence in the cache of the MEGA application and went to dive further. Inside one of the MEGA databases (megaclient_statecache14) I found a bunch of video names and some time stamps. I can't tell what the time stamps are for (created, access, modified, etc...) and neither Axiom nor Physical Analyzer parsed this database. Does anyone know of a way to parse the database, or has anyone worked with this database before and is willing to answer some questions?
Last time I had media found in MEGA's cache I actually got w/e information I needed from customer support. They sent me a full explanation of how their cache worked. Can't seem to find that email right now but I'll keep looking. They are super helpful. In my case it was CP so that might've been why they helped me though. Worth a try!
Avatar
Avatar
zero00796
@Cellebrite @Magnet Forensics Need help with figuring out the information in a MEGA database. I got a full file system extraction from a Samsung Galaxy A14 5G (Model: SM-S146VL, Android Version: 13), I found evidence in the cache of the MEGA application and went to dive further. Inside one of the MEGA databases (megaclient_statecache14) I found a bunch of video names and some time stamps. I can't tell what the time stamps are for (created, access, modified, etc...) and neither Axiom nor Physical Analyzer parsed this database. Does anyone know of a way to parse the database, or has anyone worked with this database before and is willing to answer some questions?
Found it: They'll give you Intelligence_packages containing HANDLE (name of cache file), CONTENT (original filename), UserID, Email (owner of the MEGA account), Country, UnixDT, STATUS (still has it, deleted etc.), UTC time. Another file with great info that they'll give you is userhandles: USERHANDLE (account name), email, Creation Session (IP address during creation of the account), DATE, Time UTC. The third and final document we got was [user email]_[random numbers]_BSI: Useragent (all devices used with OS and OS version and the MEGA app version), Creation IP (IP address during first log in), Creation Timestamp, Last seen Timestamp, VIABLE (still able to use autologin, TRUE or FALSE), Additional IPs (other IP addresses used with the same OS, OS version and MEGA app version). (edited)
👍🏻 2
Avatar
chrisforensic 5/15/2024 3:00 AM
hey mate @Vägis can you share all the info you got from MEGA support with me please? (edited)
Avatar
Avatar
chrisforensic
hey mate @Vägis can you share all the info you got from MEGA support with me please? (edited)
I'll see if I can find our conversation. just found the documents regarding my case. I'll get back to ya!
👍 1
Avatar
Thanks for the info guys, it helps a lot
Salute 1
Avatar
Happy to help with MEGA support related info. Dealt with them a bunch in recent weeks on numerous jobs
Avatar
I've actually had good luck with Mega actively helping us gain access to an account, removing the download limit, and letting us download the suspect's entire CSAM collection
Avatar
Anyone from MSAB available for a quick question?
✉️ 1
Avatar
Anyone know if it’s possible to take a session file from @Cellebrite PA 7.6x and import to Inseyets PA 10.2 case of the same read
Avatar
MrMacca (Allan Mc) 5/16/2024 6:25 AM
Can anyone direct me to a guide on how I get a SIM card extraction from Cellebrite UFED 4PC into Axiom Process? When I click Mobile > SIM card, it appears to be looking for the SIM card as if it wasn't connected to my PC. I don't want to perform the extraction, but I want to add the already acquired extraction that is in .UFDX format. Cheers!
Avatar
equalexpert 5/16/2024 7:03 AM
Anyone have a breakdown of iCloud files on iOS? I have a zip file that just seems to be created in the middle of some health data stored in com.apple.iclouddocs. I found some stuff for older iOS versions but this is running 17.4.1.
Avatar
Avatar
MrMacca (Allan Mc)
Can anyone direct me to a guide on how I get a SIM card extraction from Cellebrite UFED 4PC into Axiom Process? When I click Mobile > SIM card, it appears to be looking for the SIM card as if it wasn't connected to my PC. I don't want to perform the extraction, but I want to add the already acquired extraction that is in .UFDX format. Cheers!
I don’t think you can, not natively anyway. If you point at the UFD for the SIM it won’t work. You would need to create a report (perhaps CSV) and bring into AXIOM that way
Avatar
Avatar
MrMacca (Allan Mc)
Can anyone direct me to a guide on how I get a SIM card extraction from Cellebrite UFED 4PC into Axiom Process? When I click Mobile > SIM card, it appears to be looking for the SIM card as if it wasn't connected to my PC. I don't want to perform the extraction, but I want to add the already acquired extraction that is in .UFDX format. Cheers!
Automate likes ufdx
Avatar
Is there a general understanding of how long KnowledgeC retains logs? I.e., does it hold logs only for the past 30 days, 60 days, etc.?
Avatar
Avatar
CIF
Is there a general understanding of how long KnowledgeC retains logs? I.e., does it hold logs only for the past 30 days, 60 days, etc.?
Killithid the Mindslayer™ 5/16/2024 9:54 AM
Avatar
forensicgeek 5/16/2024 10:32 AM
Good afternoon all. I have a question regarding dates and times recovered from the WhatsApp sent folder. First of all, a logical extraction was conducted on an Android device (triage) and a WhatsApp video WA-15122017-004 was recovered of importance (the message the media may have been with was not available). The date and time from the logical was created 09/07/2018 04:32:37. A full physical was then conducted at a later date. The same video was recovered, however it had a different date and time. It had no created time but did recover a date and time of 15/12/2017 21:05. Within the external.db it had a date added of 16/12/2017 20:30 and a modified date of 15/12/2017 (same as file name). The extractions were conducted using UFED4PC and decoded in PA. Can anyone explain why the dates and times differ between the logical and physical extraction, as we are trying to determine which is the correct one that can be relied upon? Thank you in advance.
Avatar
Got an extraction from Cellebrite I'm reviewing. Location specific investigation. I have locations from the com.apple.wifid/ThreeBars sqlite and from the com.apple.routined/Local.sqlite databases that contradict. Anyone have any insight or papers I can read regarding which is accurate? As I had to carve via Cellebrite to get the Wifid locations, I assume those are the inaccurate ones, but don't want to rely on assumptions.
Avatar
Avatar
(.df.)
Got an extraction from Cellebrite I'm reviewing. Location specific investigation. I have locations from the com.apple.wifid/ThreeBars sqlite and from the com.apple.routined/Local.sqlite databases that contradict. Anyone have any insight or papers I can read regarding which is accurate? As I had to carve via Cellebrite to get the Wifid locations, I assume those are the inaccurate ones, but don't want to rely on assumptions.
I'd check out this post from Cellebrite and reference the spreadsheet attached to it https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
1:10 PM
RoutineD/cache.sqlite will be your friend assuming you have an FFS extraction (edited)
Avatar
Avatar
Solec
RoutineD/cache.sqlite will be your friend assuming you have an FFS extraction (edited)
Appreciate it. It's looking like the Local.sqlite is the better source. It has the table referenced within the other records. Cheatsheet shows the WifiD is unreliable, which is what it seemed. 🙂 (edited)
Avatar
Avatar
Rob
Happy to help with MEGA support related info. Dealt with them a bunch in recent weeks on numerous jobs
I'll keep you in mind for my next MEGA case!
👍 1
Avatar
Avatar
forensicgeek
Good afternoon all. I have a question regarding dates and times recovered from the WhatsApp sent folder. First of all, a logical extraction was conducted on an Android device (triage) and a WhatsApp video WA-15122017-004 was recovered of importance (the message the media may have been with was not available). The date and time from the logical was created 09/07/2018 04:32:37. A full physical was then conducted at a later date. The same video was recovered, however it had a different date and time. It had no created time but did recover a date and time of 15/12/2017 21:05. Within the external.db it had a date added of 16/12/2017 20:30 and a modified date of 15/12/2017 (same as file name). The extractions were conducted using UFED4PC and decoded in PA. Can anyone explain why the dates and times differ between the logical and physical extraction, as we are trying to determine which is the correct one that can be relied upon? Thank you in advance.
Manually check the database to verify the timestamps yourself.
Avatar
@Cellebrite Hi, the media origin is greyed out in the reader. Is it a feature that is not yet available?
Avatar
Carved locations in PA don't give a UTC value, they only display date and time. Does anyone know what time zone it presents, or is it only UTC?
Avatar
Anyone know what the media_context_type "1" & "12" in Snapchat's cache_controller is? They both have an external key starting with "lens.data...". The user ID is not identified in these so I'm guessing they are received by the user and not sent. They are not present in scdb-27 either. Using PA (edited)
Avatar
Avatar
Dam
@Cellebrite Hi, the media origin is greyed out in the reader. Is it a feature that is not yet available?
Hi, media origin is a decoding feature; you should run it (enabled by default in the latest Inseyets PA) during the decoding process so the relevant data will be decoded and calculated. Once you've run it the results will be part of the UFDR and will also be shown in Reader, but as a feature it's not relevant for Reader.
Avatar
I already selected media origin in PA but I cannot filter in the reader
12:28 AM
I cannot use the media origin filter
Avatar
Avatar
Arlakossan
Carved locations in PA don't give a UTC value, they only display date and time. Does anyone know what time zone it presents, or is it only UTC?
I believe it is decoded as GMT / UTC+0, but remember that it's a carver meaning we just decode whatever fits to a possible timestamp next to possible coordinates. It might lead you to real timestamp that was written by a certain service/application in the device, but it's up to the application to decide if they keep the timestamp in a specific timestamp (but they usually store also in GMT timezone)
🙏🏼 1
Avatar
Avatar
Dam
I already selected media origin in PA but I cannot filter in the reader
Sorry, got you now. Let me check and get back to you 🙏
🤙🏻 1
Avatar
Hi everyone, we have a Google Pixel 8 Pro running Android 14 that we are trying to find network connectivity details on, specifically daily network connections, to see whether it has connected to a Wi-Fi network at certain times, to try and link it up with internet search history. Does anyone have any idea where this data might be stored? Nothing has parsed it so far.
Avatar
Anyone from @Oxygen Forensics available?
📬 1
oxygen 1
Avatar
Mistercatapulte 5/17/2024 5:30 AM
@chms17 not familiar with Pixel, but /data/misc/apexdata/com.android.wifi/WifiConfigStore.xml can be a good starting point (if it exists on Pixel ofc) (edited)
Avatar
Avatar
Mistercatapulte
@chms17 not familiar with Pixel, but /data/misc/apexdata/com.android.wifi/WifiConfigStore.xml can be a good starting point (if it exists on Pixel ofc) (edited)
unfortunately that doesn't give us associated times! but thanks anyway
👍🏻 1
Avatar
Avatar
MrMacca (Allan Mc)
Can anyone direct me to a guide on how I get a SIM card extraction from Cellebrite UFED 4PC into Axiom Process? When I click Mobile > SIM card, it appears to be looking for the SIM card as if it wasn't connected to my PC. I don't want to perform the extraction, but I want to add the already acquired extraction that is in .UFDX format. Cheers!
dannynorris 5/17/2024 12:31 PM
Load the ufdx file as a mobile image file.
Avatar
Avatar
dannynorris
Load the ufdx file as a mobile image file.
MrMacca (Allan Mc) 5/17/2024 2:42 PM
Sure I've tried that and it just says that the file is corrupt. But I will give this another try to make sure. Thanks.
Avatar
ScottKjr3347 5/18/2024 1:36 PM
New blog posted providing information about each Photos.sqlite #iLEAPP parser. iLEAPP is now my preferred method of sharing photos.sqlite parsing. Really hoping for an easy transition into #iOS18!! #dfir https://theforensicscooter.com/2024/05/18/ileapp-parsers-photos-sqlite-queries/
👍 4
🎉 2
Avatar
chrisforensic 5/19/2024 10:15 PM
Good Morning from Austria @Cellebrite ... someone here for a short question concerning the new beta PA Inseyets? (edited)
📬 1
Avatar
Hi everyone. Why is it that in the PA Report, the mobile number associated with the Telegram 'Account' is different from the number associated with the 'Owner'? Thanks
1:17 AM
Avatar
MelissaJane 5/20/2024 2:07 AM
Morning all, I have an extraction of a Samsung Galaxy A02 which has decoded fine in PA (7.68.0.25). However, when trying to create a reader, I keep getting the error 'Failed to execute physical analyzer report reader' and 'Tagged files, unknown node, decoded data'. Does anyone know how this can be resolved? @Cellebrite (edited)
Avatar
Hi! I have an iPhone 13 Pro Max (17.4.1) that had several Google sheets stored locally, I thought they were stored locally, because I could open, read, scroll and change tabs in the files even though the iPhone was in Flight mode. It was not that easy to find them as separate files in the extraction. However we did find traces and content in a cello.db file. Does anyone have any experience in parsing Google sheets? (edited)
Avatar
Filetype is application/vnd.google-apps.spreadsheet
5:17 AM
And it points to a database named cello.db
Avatar
Help @Cellebrite I have a large case open in PA 7.63. I started a report generating but realised I'd ticked the wrong thing. Cancelled, but still have the progress box (can press cancel again). Now the option to save my session is greyed out. Is there any way to force cancel the report generation? I deleted the report folder so it's not doing anything.
Avatar
Avatar
busted4n6
Help @Cellebrite I have a large case open in PA 7.63. I started a report generating but realised I'd ticked the wrong thing. Cancelled, but still have the progress box (can press cancel again). Now the option to save my session is greyed out. Is there any way to force cancel the report generation? I deleted the report folder so it's not doing anything.
Never mind it died 🥲
Avatar
Avatar
busted4n6
Never mind it died 🥲
ScottKjr3347 5/20/2024 10:13 AM
PA 7 will do that from time to time.
10:14 AM
Avatar
Avatar
ScottKjr3347
Cries in 2 hours of lost work
Avatar
Hi, I conducted tests on private browsing for my dissertation and then performed a file system extraction from a Galaxy A20s running Android 10. I discovered a directory within the browsers' profile paths containing unsolicited screenshots of the browsing session (in Chrome and Edge it's known as app_textures). Does anyone know the purpose of this directory? It appears only in the mobile versions of web browsers
Avatar
Can you see in the extraction if an iPhone was factory reset locally or remote?
Avatar
Avatar
CLB-ChenK
Sorry, got you now. Let me check and get back to you 🙏
Hey, any news regarding the media origin in the reader?
Avatar
Avatar
Dam
Hey, any news regarding the media origin in the reader?
chrisforensic 5/21/2024 4:12 AM
Oh, yes... "Media Origin" is greyed out even in Reader of latest beta PA 10.2.101.344 @Cellebrite
4:13 AM
Avatar
Avatar
chrisforensic
Oh, yes... "Media Origin" is greyed out even in Reader of latest beta PA 10.2.101.344 @Cellebrite
Thanks for the check. So it's not only me 😓
👍 1
4:16 AM
It's greyed out but the information is readable on the media (edited)
Avatar
chrisforensic 5/21/2024 4:24 AM
Yes, right... filter greyed out, but the infos in the media are there
Avatar
I'm trying to figure out when an iPhone was locked/unlocked. Looking at KnowledgeC.db I see a bunch of /device/isLocked 1/0 for over a year, but just a few days before the crime took place there are none. Instead I see /device/isBacklit and some /notification/usage/ and other misc stuff only. How is it that it just randomly didn't unlock/lock anymore? Is it possible he never unlocked the phone but only watched notifications from the lock screen for several days? (edited)
Avatar
The z double value indicates if the device was locked or unlocked between the start and end dates. If it's a 1 it means it was locked between start and end, it's 0 it's unlocked between the start and end times.
🍖 1
Avatar
Avatar
Vägis
I'm trying to figure out when an iPhone was locked/unlocked. Looking at KnowledgeC.db I see a bunch of /device/isLocked 1/0 for over a year, but just a few days before the crime took place there are none. Instead I see /device/isBacklit and some /notification/usage/ and other misc stuff only. How is it that it just randomly didn't unlock/lock anymore? Is it possible he never unlocked the phone but only watched notifications from the lock screen for several days? (edited)
Ian Whiffin did a lot of research into KnowledgeC and it can be found here https://www.doubleblak.com/blogPost.php?k=knowledgec2
Avatar
Avatar
Solec
Ian Whiffin did a lot of research into KnowledgeC and it can be found here https://www.doubleblak.com/blogPost.php?k=knowledgec2
That's amazing, thanks!
Avatar
This is all I got from the day of interest. All isBacklit are within seconds to minutes of each other. /notification/usage is the first entry after several hours. And from this day onwards the entries became unusual compared to how he used the phone earlier. I'm sure the database isn't logging every single entry, but I'd assume I could've gotten at least a lock/unlock entry or something? 🤔 (edited)
Avatar
Avatar
Vägis
This is all I got from the day of interest. All isBacklit are within seconds to minutes of each other. /notification/usage is the first entry after several hours. And from this day onwards the entries became unusual compared to how he used the phone earlier. I'm sure the database isn't logging every single entry, but I'd assume I could've gotten at least a lock/unlock entry or something? 🤔 (edited)
cf-eglendye 5/21/2024 7:31 AM
Cannot see that you have noted which iOS version you are investigating here...? Presumably, it is older than iOS 15? If not, you should really be looking at Biome instead of KnowledgeC
Avatar
Avatar
Dam
Hey, any news regarding the media origin in the reader?
@chrisforensic hey, sadly it is indeed a current limitation in Reader, we have an open ticket on it
👌🏻 1
Avatar
Avatar
Vägis
This is all I got from the day of interest. All isBacklit are within seconds to minutes of each other. /notification/usage is the first entry after several hours. And from this day onwards the entries became unusual compared to how he used the phone earlier. I'm sure the database isn't logging every single entry, but I'd assume I could've gotten at least a lock/unlock entry or something? 🤔 (edited)
I would compare to any other event that requires user interaction (for example, look at Inseyets/PA's Timeline) in the same time range and see if it makes sense that he didn't use his device. That should also cover @cf-eglendye's advice with Biome artifacts.
Avatar
Avatar
CLB-ChenK
@chrisforensic hey, sadly it is indeed a current limitation in Reader, we have an open ticket on it
chrisforensic 5/21/2024 10:36 AM
Thanks for the info 👍
Avatar
Anyone know what this icon is?
Avatar
Avatar
Alexsaurus
Anyone know what this icon is?
Digitalferret 5/21/2024 4:40 PM
any backstory / context?
Avatar
Client is concerned about its presence on their device after resetting it. I suspect it's some basic Android thing but would like the exact one to point to.
Avatar
Digitalferret 5/21/2024 4:50 PM
maybe if there's more detail, like are all the other icons a similar pink, what's the phone model, any app packs installed. I take it it isn't clickable?
4:51 PM
but yeh, after a re-install... would think it's like some included pack of icons?
Avatar
Pink is from the wallpaper
Avatar
Digitalferret 5/21/2024 4:52 PM
looks kinda xmas puddingy
4:52 PM
ah, right
4:53 PM
this seemed close
Avatar
Private Derp 5/21/2024 4:54 PM
I am pretty sure that's the System Notification that states "Your PIN code is required to access all of your data after a restart"
4:54 PM
As it's a System Notification, its icon is the Android version icon
Avatar
I thought that was the S looking symbol
Avatar
Private Derp 5/21/2024 5:04 PM
that was for a previous version
5:04 PM
the S symbol was for Android 12
5:06 PM
Avatar
Avatar
Alexsaurus
Pink is from the wallpaper
@Private Derp spot on. Older versions had different icons for FBE / BFU state
Avatar
Exploring WeChat dbs for malware, anyone have experience?
Avatar
Avatar
CLB-Paul
@Private Derp spot on., Older version had different icons for FBE / BFU state
Avatar
Avatar
theshark
Exploring WeChat dbs for malware, anyone have experience?
It's the only application that has been consistent across multiple infected devices. Communication to China to add. Just wondering if someone knew something that I can check out before the full FS extraction is done.
Avatar
Avatar
CLB-ChenK
I would compare to any other event that requires user interaction (for example, look at Inseyets/PA's Timeline) in the same time range and see if it makes sense that he didn't use his device. That should also cover @cf-eglendye's advice with Biome artifacts.
Okay, yeah, looking at the timeline it does make sense. Just looked really weird. But I guess since no other evidence suggests otherwise then this is probably the only conclusion. @cf-eglendye he's running 17.3.1 🧐 I'll look over everything once more just in case. Just thought it looked weird when the suspect clearly has his phone with him, removing notifications, later that night he plugged it in to charge, but other than that he just basically stopped using the phone like he used to. Super weird. Appreciate the help, thanks guys! (edited)
Avatar
does anyone know how a telegram-local-file is born?
Avatar
Avatar
busted4n6
Help @Cellebrite I have a large case open in PA 7.63. I started a report generating but realised I'd ticked the wrong thing. Cancelled, but still have the progress box (can press cancel again). Now the option to save my session is greyed out. Is there any way to force cancel the report generation? I deleted the report folder so it's not doing anything.
hi @Cellebrite I am having the exact same issue. I cancelled the report generation but everything is greyed out now because PA thinks it is still generating a report? Any way to solve this issue without having to close down and reprocess?
Avatar
Question for those who have used the new Cellebrite Insight, do you need to uninstall and purge the old PA? Or can you have both installed on one machine? I had horrible experience with PA Ultra so am hesitant with insights, want to test and tinker before I use it for cases and curious if I can do it on same machine.
is anyone else having problems downloading ALEAPP from https://github.com/abrignoni/ALEAPP/releases/tag/v3.2.2 - trying to download, but it keeps aborting 😕 (edited)
Palazar82
Question for those who have used the new Cellebrite Insight, do you need to uninstall and purge the old PA? Or can you have both installed on one machine? I had horrible experience with PA Ultra so am hesitant with insights, want to test and tinker before I use it for cases and curious if I can do it on same machine.
I have both installed no problemo
👍 1
Palazar82
Question for those who have used the new Cellebrite Insight, do you need to uninstall and purge the old PA? Or can you have both installed on one machine? I had horrible experience with PA Ultra so am hesitant with insights, want to test and tinker before I use it for cases and curious if I can do it on same machine.
CLB-DannyTheModeler 5/22/2024 4:38 AM
You can install both PA 7.x and Inseyets 10.x on the same machine. A lot has happened since you last tried Ultra and I am confident you will have a much better experience with Inseyets. I recommend reading the release notes and looking at the recommended deployment for the number of SSD drives that you have on your machine. If you have any questions, feel free to contact me directly, or post any further questions here. We are always happy to get constructive criticism and real world feedback, it helps us get better.
👍 3
CLB-DannyTheModeler
You can install both PA 7.x and Inseyets 10.x on the same machine. A lot has happened since you last tried Ultra and I am confident you will have a much better experience with Inseyets. I recommend reading the release notes and looking at the recommended deployment for the number of SSD drives that you have on your machine. If you have any questions, feel free to contact me directly, or post any further questions here. We are always happy to get constructive criticism and real world feedback, it helps us get better.
Thank you I am downloading it now (connection is kb/s so might be a long while) but if I have questions I will ask.
Palazar82
Thank you I am downloading it now (connection is kb/s so might be a long while) but if I have questions I will ask.
CLB-DannyTheModeler 5/22/2024 4:40 AM
Which version are you downloading?
CLB-DannyTheModeler 5/22/2024 4:41 AM
10.2.1 is available for design partners.
👍 2
Like I said might be awhile haha might need to relocate to a better connection area haha.
Hi group, anyone have experience with a SIM card that has been cloned where a criminal has someone on the inside of a subcontractor to the mobile device operators clone a SIM and therefore some messages are delivered to the victim and some to the criminal as both devices try to register on the mobile network?
CSSDFO29
Hi @Cellebrite, I am having the exact same issue. I cancelled the report generation but everything is greyed out now because PA thinks it is still generating a report. Any way to solve this issue without having to close down and reprocess?
I’ve got the same issue again. This time I have two reads open (same case), tried to create a simple table listing Telegram chats. After spending 45 minutes generating a folder full of attachments (which I didn’t even want) it starts on the second case (which I didn’t generate a report for) and is now just saying generating report. Annoyingly I don’t even have the report for the first phone. And I dare not cancel. I really hate the fact I’ve done weeks of tagging and review and have no way to export it 😅
Hi all, just a quick one. I’ve got a download of a suspects phone and I can see in the log entries that MEGA was used but only for the wan in wan out. I’ve got intel saying when that phone connected to the MEGA account but the dates on the intel don’t match that on the phone. In that it’s almost 6 months out. Any idea why this might be? I’ve considered there might be another account but that wouldn’t match that seen on the intel.
obi95
Hi all, just a quick one. I’ve got a download of a suspects phone and I can see in the log entries that MEGA was used but only for the wan in wan out. I’ve got intel saying when that phone connected to the MEGA account but the dates on the intel don’t match that on the phone. In that it’s almost 6 months out. Any idea why this might be? I’ve considered there might be another account but that wouldn’t match that seen on the intel.
Dm'd
Mistercatapulte 5/23/2024 12:44 AM
Hi guys, Do anyone know what is "restoredfromdevice" mean in purplebuddy.plist? (IOS 17.2.1)
obi95
Hi all, just a quick one. I’ve got a download of a suspects phone and I can see in the log entries that MEGA was used but only for the wan in wan out. I’ve got intel saying when that phone connected to the MEGA account but the dates on the intel don’t match that on the phone. In that it’s almost 6 months out. Any idea why this might be? I’ve considered there might be another account but that wouldn’t match that seen on the intel.
Drop me a dm if needs be. But if it’s a referral the date may not be the date of upload/suspect adding the file from another mega user. The oic should have a spreadsheet which shows the actual upload. However if the intel is what I think it is, it can’t be used and shouldn’t be referred to in any sfr etc
Mistercatapulte
Hi guys, Do anyone know what is "restoredfromdevice" mean in purplebuddy.plist? (IOS 17.2.1)
cf-eglendye 5/23/2024 2:24 AM
https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html https://support.apple.com/en-gb/HT210216 Believe it is relating to Quick Start - although I haven't tested this. Suggest you use a test device for that version of iOS to verify.
💯 2
Mistercatapulte 5/23/2024 2:28 AM
@cf-eglendye Thx, those are all the combinations I know, but it's the first time I see restoredfromdevice. For sure the data on the device is from 08/2023, and it's confirmed with the line PASAnalyticsUUIDDateKey : date = 06/08/2023 17:06:17 coupled with data analysis. Maybe it's the new name for iCloud restoration, need to confirm that when I have time. Thx for your reply (edited)
Hey @Oxygen Forensics, is anyone available for a quick question?
📬 1
oxygen 1
Good morning. How does one create a @Cellebrite preliminary device report for an Android phone, and include the content pane from the extraction summary in the resulting report? Is this possible without selecting every category in the report wizard? I’m using Insights 10.2.
Mistercatapulte
@cf-eglendye Thx, those are all the combinations I know, but it's the first time I see restoredfromdevice. For sure the data on the device is from 08/2023, and it's confirmed with the line PASAnalyticsUUIDDateKey : date = 06/08/2023 17:06:17 coupled with data analysis. Maybe it's the new name for iCloud restoration, need to confirm that when I have time. Thx for your reply (edited)
ScottKjr3347 5/23/2024 6:30 AM
ControlF 1
Mistercatapulte 5/23/2024 6:30 AM
@ScottKjr3347 thx Scott
Mistercatapulte
@ScottKjr3347 thx Scott
ScottKjr3347 5/23/2024 6:32 AM
Majority of the blog pertains to what happens to photos.sqlite after quick start, but I think the data you are looking for is at the end of the blog.
Mistercatapulte 5/23/2024 6:32 AM
@ScottKjr3347 Found yes 😉 one more time thx !
6:33 AM
the chronicle part is exactly what I thought too
6:33 AM
good point too
checkrain86 5/23/2024 7:00 AM
Hello, I'm using PA to analyse an iPhone on 17.4.1. It shows that WhatsApp has been decoded by Cellebrite but it's not showing; tried to re-image again but it's the same thing. Anyone facing the same? It's not the first time with this iOS number. Any help is much appreciated 🙂 .
📫 1
Mistercatapulte 5/23/2024 7:07 AM
@Cellebrite and open ticket support in the same time 🙂
Hi all, anyone know where the user dictionary is on iOS 15.6.1 ? I can’t find the dynamic-text.dat on the extraction.
wcso_pete
Hoping someone can assist me with a question about the interactionc database in a Cellebrite report. All of the dates/times are in the format of 672546597.498181. I can't figure out what format this is in. Is there a way to convert them to a readable format within Reader, or is there a way I can convert them in the exported CSV file I made?
Was searching for questions on interactionc and this came up. I know I'm late to the party, by about 2 years here, but in case it wasn't answered already or in case anyone else has a similar question, this is Apple Time (or, I think more fully, "Apple Cocoa Core Data timestamp") format. Some algorithms recognize it as Unix Time, and if it does that just add exactly 30 years to it and you'll get Apple Time. Apple Time= Unix Time + 30 Years, that's why algorithms recognize it as Unix Time algorithm but beginning 01/01/2001 rather than 01/01/1971 like UNIX time.
Good afternoon! I have a Physical extraction (using UFED4PC) of an older Android and would like to parse it in ALEAPP. It is in a .bin format, but ALEAPP doesn't appear to ingest .bin files. Does anyone know of a way to get ALEAPP to parse the data from the .bin file?
@luis511_ you can’t, I have a ticket in with Cellebrite for it already. For some reason they removed the option to select device info from a tagged report, so you end up having to do a preliminary report and then a tagged / category report ☹
🍖 1
MDilmore
Good afternoon! I have a Physical extraction (using UFED4PC) of an older Android and would like to parse it in ALEAPP. It is in a .bin format, but ALEAPP doesn't appear to ingest .bin files. Does anyone know of a way to get ALEAPP to parse the data from the .bin file?
in PA you can Export the FS and import it that way.
Mistercatapulte
Hi guys, Do anyone know what is "restoredfromdevice" mean in purplebuddy.plist? (IOS 17.2.1)
CLB_iwhiffin 5/23/2024 3:43 PM
You can do a peer to peer backup/restore between devices without involving cloud or a computer. 🙂
👍🏻 2
Mistercatapulte 5/23/2024 10:36 PM
@CLB_iwhiffin yep, it's confirmed and it's the first time I have this type of restore 😉
RichardG
@luis511_ you can’t, I have a ticket in with Cellebrite for it already. For some reason they removed the option to select device info from a tagged report, so you end up having to do a preliminary report and then a tagged / category report ☹
Thank you! I noticed that in version 7.68, the content pane in the extraction summary tab has the three dots to export to csv. I ultimately did it this way.
Does anyone have experience with verifying deleted facebook messages? PA parsed out deleted fb messages but they are only found within the hex. They are not in the db. (edited)
Mistercatapulte 5/24/2024 8:49 AM
@rylee25 messages stored in freepages maybe?
Hi, I have a UFED extraction (v.7.69.0.1397) I did yesterday of an iPhone 13 Pro Max running iOS 17.5.1. I’ve been trying to parse it in @Cellebrite PA 7.68.0.25 and in PA 10.2.100.248. In the trace window it just gets stuck at “Running plugin iPhone Backup Parser over Decoding scope (debug=False)” for hours and has gone nowhere since.
Hi all, I have a client who I am 95% sure has had her SIM card cloned and has service with Verizon Business. This is a real thing that is possible if you check out this link; pretty much every box has been checked so far as the way the mobile phone is acting: https://www.certosoftware.com/insights/how-to-tell-if-your-sim-has-been-cloned-or-hacked/ Anyway, I called Verizon fraud and all that the fraud folks said they could do is investigate unauthorized users accessing her online VZB account or having unauthorized numbers on her account. The fraud department could not answer how to investigate a possible SIM card clone beyond getting a subpoena submitted. Anyone here have experience with this? Please PM me or post here. (edited)
📬 1
🍖 1
Good morning. Have an iPhone AFU extraction and looking at the CellularUsage.db database and specifically the 'bundle_info' table. A large number of the records have a 'flags' value of '48' set. My understanding is a value of '0' means no cellular data usage allowed and '1' means cellular usage is allowed for the 'bundle_id'. So what does '48' mean? Does this simply mean the value has not been defined either way?
Mike_H
Good morning. Have an iPhone AFU extraction and looking at the CellularUsage.db database and specifically the 'bundle_info' table. A large number of the records have a 'flags' value of '48' set. My understanding is a value of '0' means no cellular data usage allowed and '1' means cellular usage is allowed for the 'bundle_id'. So what does '48' mean? Does this simply mean the value has not been defined either way?
forensicmike @Magnet 5/28/2024 4:39 AM
I don't know this db specifically but in general, bitwise flags work with each flag being a power of 2, e.g.: 1, 2, 4, 8, 16, 32, 64, .... So when you have a value like 48, this can indicate the combination of the flag for 16 and the flag for 32. So if you have any given number you just need to figure out what power-of-2 values need to be combined to obtain that value.
4:40 AM
It also makes a lot of sense if you look at it in binary, as the bit for each consecutive flag slides to the left by one position as the number grows (0001, 0010, 0100, 1000), which makes it easy & efficient to check flags programmatically without any math
citizencain 5/28/2024 5:57 AM
@Oxygen Forensics is duplicating every text message - the Source file/table are the same, so for the parsed fields, these messages are identical. Does anyone know of any way to remove the duplicates? Trying to take 150k messages down to 75k.
citizencain
@Oxygen Forensics is duplicating every text message - the Source file/table are the same, so for the parsed fields, these messages are identical. Does anyone know of any way to remove the duplicates? Trying to take 150k messages down to 75k.
Oxygen Forensics 5/28/2024 5:59 AM
Hello, this should do it:) DM me if you run into any issues
👍🏼 1
Oxygen Forensics
Hello, this should do it:) DM me if you run into any issues
citizencain 5/28/2024 6:11 AM
This worked (yay!!!!), but you have to choose 'show deduplicated data' to make it work. Thank you so much! (edited)
forensicmike @Magnet
I don't know this db specifically but in general, bitwise flags work with each flag being a power of 2, e.g.: 1, 2, 4, 8, 16, 32, 64, .... So when you have a value like 48, this can indicate the combination of the flag for 16 and the flag for 32. So if you have any given number you just need to figure out what power-of-2 values need to be combined to obtain that value.
Thanks. Appreciated.
👍 1
Anyone have a problem making portable cases with Axiom. I can't seem to get one to work. Getting the error. No case found in location. Please select a new location. I browse to the mfdb and select it and get same error. Created the case twice and got same results.
Ghosted
Anyone have a problem making portable cases with Axiom. I can't seem to get one to work. Getting the error. No case found in location. Please select a new location. I browse to the mfdb and select it and get same error. Created the case twice and got same results.
Digitalferret 5/29/2024 2:41 AM
@Magnet Forensics ^
Anyone from @Cellebrite for a question about Facebook / Facebook Messenger in PA ? (edited)
📬 1
equalexpert 5/29/2024 7:09 AM
Anyone getting issues with @Cellebrite Insights (I refuse to use inseyets) hanging at the end? I have a download approx 130GB. In PA 7 it opens in about an hour or so. In Insights the decoding seems done but it's been stuck on 'starting last stage of project' now for 5 hours. This is in 10.2.100.248 after the previous version did the same but hung all bank holiday weekend (3 days).
📫 1
😂 2
How reliable is PA for finding Spyware with the Malware Scan?
visor
How reliable is PA for finding Spyware with the Malware Scan?
CLB-DannyTheModeler 5/29/2024 7:47 AM
Like any security related software, it's more reliable if you update the malware DB periodically.
of course with updated DB
equalexpert
Anyone getting issues with @Cellebrite Insights (I refuse to use inseyets) hanging at the end? I have a download approx 130GB. In PA 7 it opens in about an hour or so. In Insights the decoding seems done but it's been stuck on 'starting last stage of project' now for 5 hours. This is in 10.2.100.248 after the previous version did the same but hung all bank holiday weekend (3 days).
Same here. Terrible name to be honest :p. Hopefully no hard feelings Clb 🙏 (edited)
florus
Same here. Terrible name to be honest :p. Hopefully no hard feelings Clb 🙏 (edited)
CLB-DannyTheModeler 5/29/2024 9:08 AM
That's the marketing department, no offence taken. 🤣
😂 5
Is there any way to export just the metadata from tagged chat threads in PA and not the threads itself?
4:28 AM
Looking to subscribe the participants and the reports I'm generating are bogging it down with the conversations being included
4:28 AM
@Cellebrite
Just Scott
Is there any way to export just the metadata from tagged chat threads in PA and not the threads itself?
Simplest way would likely be via excel
Any tips on filtering watchlist keyword hits by date?
Hi all, we have a photo that has been taken with an iPhone that shows a timestamp from the columns (zAsset.ZADDEDDATE, zAsset.ZDATECREATED, zCldMast.ZCREATIONDATE) of 10:49:09 (UTC+0) in the photos.sqlite. When we check the photo in a Cellebrite or Axiom report they show a created timestamp of 10:51:07 (UTC+0). Can anyone explain the difference? Phone has iCloud enabled and the picture has been synced with the cloud.
Hello. I have a device where, after some digging in PA, Snapchat appeared to be present but was uninstalled by the user. I’ve located quite a few potential Snapchat user Bitmoji PNGs. I would like to confirm through looking at HEX whether they are Bitmojis from Snapchat. I have found a potential identifier, however has anyone else done this for Snapchat and have any insights? Thank you. (edited)
forensicgeek 5/31/2024 2:42 AM
Good Morning. I am currently looking at Siri artefacts and have identified a SNLUOverride which seems to have Siri artefacts within it under ZINPUTTEXT, then another called ZUSERPARSES. Does anyone know if the items found are system or user created? It looks like a lot are potentially encrypted but some are in plain text within the hex. Any help would be appreciated. Thank you.
Greengrimm
Hi all, we have a photo that has been taken with an iPhone that shows a timestamp from the columns (zAsset.ZADDEDDATE, zAsset.ZDATECREATED, zCldMast.ZCREATIONDATE) of 10:49:09 (UTC+0) in the photos.sqlite. When we check the photo in a Cellebrite or Axiom report they show a created timestamp of 10:51:07 (UTC+0). Can anyone explain the difference? Phone has iCloud enabled and the picture has been synced with the cloud.
My first question is what is the source of Cellebrite and Axiom? Are they also getting the information from the photos.sqlite database? Could it be that 10:49 is the EXIF taken/created date, and then 10:51 is the OS created date?
Greengrimm
Hi all, we have a photo that has been taken with an iPhone that shows a timestamp from the columns (zAsset.ZADDEDDATE, zAsset.ZDATECREATED, zCldMast.ZCREATIONDATE) of 10:49:09 (UTC+0) in the photos.sqlite. When we check the photo in a Cellebrite or Axiom report they show a created timestamp of 10:51:07 (UTC+0). Can anyone explain the difference? Phone has iCloud enabled and the picture has been synced with the cloud.
ScottKjr3347 5/31/2024 6:31 AM
Very curious about your time differences in the DF tools from photos.sqlite. CB doesn’t provide the z_PK with the decoded asset data but Axiom does, so I would make sure the zpk you are looking at in photos.sqlite matches the zpk displayed in Axiom. This will ensure you are analyzing the same asset data both in the tools and during your manual exam/validation. If you are using only the file name I would make sure that you are reviewing the data from the ZINTERNALRESOURCE table to ensure you have and are analyzing the full size file from the device, or whether the asset has been optimized and you only have a reduced size file for analysis. Feel free to dm if you think it would help. I have recently added an iLEAPP parser that will allow you to isolate the records from photos.sqlite where ZASSET.ZDATECREATED is not equal to ZADDITIONALASSETATTRIBUTES.ZEXIFSTRING. The parser is titled Ph70UserAdjustDateTimezoneLocation.py. It might help you review some of the additional data for those records. (edited)
👍🏼 1
ScottKjr3347
Very curious about your time differences in the DF tools from photos.sqlite. CB doesn’t provide the z_PK with the decoded asset data but Axiom does, so I would make sure the zpk you are looking at in photos.sqlite matches the zpk displayed in Axiom. This will ensure you are analyzing the same asset data both in the tools and during your manual exam/validation. If you are using only the file name I would make sure that you are reviewing the data from the ZINTERNALRESOURCE table to ensure you have and are analyzing the full size file from the device, or whether the asset has been optimized and you only have a reduced size file for analysis. Feel free to dm if you think it would help. I have recently added an iLEAPP parser that will allow you to isolate the records from photos.sqlite where ZASSET.ZDATECREATED is not equal to ZADDITIONALASSETATTRIBUTES.ZEXIFSTRING. The parser is titled Ph70UserAdjustDateTimezoneLocation.py. It might help you review some of the additional data for those records. (edited)
If I'm correct, this is something that I had a while ago. Let me check my notes for what my conclusion was back then.
rfar
My first question is what is the source of Cellebrite and Axiom? Are they also getting the information from the photos.sqlite database? Could it be that 10:49 is the EXIF taken/created date, and then 10:51 is the OS created date?
citizencain 5/31/2024 9:58 AM
You’re correct. Cellebrite doesn’t take anything from the photos.sqlite except for the cloud asset id, which might actually be from the cpl db. All of their dates are strictly EXIF, and when there is no EXIF, they’ll just show file system timestamps. Axiom takes some data from the db but creation dates are also EXIF. For funsies, try reviewing a phone that has been factory reset and had the photos restored back to the device. You won’t find the dates you’re looking for in any tool … @ScottKjr3347 is the go-to source for accurate parsing. 👍🏼
Thanks all for the answers and suggestions and many thanks to you @ScottKjr3347, we were indeed looking at the wrong photo within the reports. We found the correct one based on the primary key and it showed the timestamp correlating with the timestamp of the photos.sqlite. It indeed looks like the other files with the same filename within Axiom and Cellebrite are showing the filesystem timestamp @citizencain. For now I am back to researching and reading your blogs @ScottKjr3347.
👍🏼 3
ScottKjr3347 5/31/2024 11:49 AM
iLEAPP will make it a lot easier to analyze the Photos.sqlite db. Also just a reminder that the .exe found under releases can be a bit behind the current supported tool. I always recommend using the “code” “download zip” option and using the most recent version. https://github.com/abrignoni/iLEAPP
👍🏻 1
Is there a function/service on an iOS that tracks speed of travel?
💯 1
Wiley CaT
Is there a function/service on an iOS that tracks speed of travel?
ScottKjr3347 5/31/2024 12:52 PM
But I couldn’t stop myself from adding a bit of laughter on a Friday. Thanks @Brigs
💯 3
Wiley CaT
Is there a function/service on an iOS that tracks speed of travel?
CLB_iwhiffin 5/31/2024 1:09 PM
I sensed there was a location question on discord somewhere.... Check this out: There is a video half way down the page comparing my actual speed to the speed recorded by my phone. https://doubleblak.com/blogPost.php?k=LocationAccuracy
👀 1
CLB_iwhiffin
I sensed there was a location question on discord somewhere.... Check this out: There is a video half way down the page comparing my actual speed to the speed recorded by my phone. https://doubleblak.com/blogPost.php?k=LocationAccuracy
It's something I've been thinking about for a while. Has any of your research identified how the iPhone generates the horizontal accuracy score in tables associated with routined/cache.sqlite? Is there some iOS proprietary algorithm combining cell towers, GPS, WiFi, and Bluetooth in the background of the phone? (edited)
hey y'all, is there a way to tell if a note entry in the iPhone 'Notes' app contains media (attached photos/videos directly in the note) or has been shared with other people so they can contribute? We are looking at various notes in Cellebrite PA and AXIOM. Also, would the .sqlite file for the Notes app be able to tell us this if the programs can't?
👀 1
chrisforensic 6/1/2024 1:56 AM
Heyho @Cellebrite ... when will the next update for PA 7 be released ? (edited)
1:58 AM
ScottKjr3347
But I couldn’t stop myself from adding a bit of laughter on a Friday. Thanks @Brigs
LOL, yes you have to have a little fun.
ScottKjr3347 6/1/2024 7:40 PM
Has anyone had any cases where iOS stickers were 🔑 artifacts or derived from the smoking 🔫 & required in-depth forensic analysis?
CLB_iwhiffin
I sensed there was a location question on discord somewhere.... Check this out: There is a video half way down the page comparing my actual speed to the speed recorded by my phone. https://doubleblak.com/blogPost.php?k=LocationAccuracy
Your forensic senses tingling, LOL. Thank you for sharing! Do you have information on how the coordinates found on the device are not the location of the device but the center of the radius that is drawn using accuracy information? I am still wrapping my head around what combination of accuracy information is used to draw a radius and how the device decides which signal to use over another for the radius.
Anyone recognize these icons? They were restored to an iPhone so all I have is the icons and an app group ID that goes nowhere.
Can @Cellebrite determine if a device is or was in the past jailbroken?
11:15 AM
mostly concerned about iPhone, but if Android has a history of rooting somewhere would be curious about that too.
MBRETON
Anyone recognize these icons? They were restored to an iPhone so all I have is the icons and an app group ID that goes nowhere.
My guess is discord pack.
🤎 1
MBRETON
Anyone recognize these icons? They were restored to an iPhone so all I have is the icons and an app group ID that goes nowhere.
⭐ 1
Thanks @theshark That looks right. I was hoping it was a specific messenger app, oh well.
👍 1
Has anyone encountered an encrypted Telegram database? I have an iOS FFS with Telegram 10.8 and most of the sqlite files are readable, but the main one in .../telegram-data/account-.../postbox/db/db_sqlite only starts with "SQLite format 3" and then it's 22 MB of random stuff. When trying to open with DB Browser (SQLCipher), it asks for a password.
If a picture is taken with the iOS Telegram App and sent, does it get saved to the camera roll? In addition to this, I have an artifact in a plist that indicates a device restore was conducted in Feb 2023 from an iTunes backup. But I have device events / logs starting in June 2023, nothing in between. I have content historically and even from Feb - June, but it's just weird that device events are only showing in June 2023 and not right after the device was restored. Any ideas?
torskepostei 6/4/2024 2:33 AM
Looking into Snapchat on iOS, arroyo.db, where the feed_entry table has a column named feedItemCreator. The column has a user ID, but I'm not sure what this means. Is it the creator of the entire thread, the last poster in the thread, or something completely different? @Oscar: have you looked into this one?
torskepostei
Looking into Snapchat on iOS, arroyo.db, where the feed_entry table has a column named feedItemCreator. The column has a user ID, but I'm not sure what this means. Is it the creator of the entire thread, the last poster in the thread, or something completely different? @Oscar: have you looked into this one?
torskepostei 6/4/2024 2:38 AM
Got a tip now from a colleague that this is the UUID of the group creator.
Hello, I'm looking through an Android phone parsed using Cellebrite PA 10. I found an image that is notable, that's located at this path - Path: Google Photos "Actual account name"/local media/.trashed-#####.jpg , Original File Path - /store/emulated/0/DCIM/camera/.trashed#####.jpg. I've been using PA 7 for a while and just switched to Inseyets here and there to see new features. I'm trying to determine if that photograph is physically on the device, or in the "cloud", as there's legal process involved here. Did the subject take the photograph with his phone, it uploaded to Google Photos, and then he deleted it from the actual device but it stayed in the cloud? The photo is no longer in the /dcim/camera path
Blue56
Hello, I'm looking through an Android phone parsed using Cellebrite PA 10. I found an image that is notable, that's located at this path - Path: Google Photos "Actual account name"/local media/.trashed-#####.jpg , Original File Path - /store/emulated/0/DCIM/camera/.trashed#####.jpg. I've been using PA 7 for a while and just switched to Inseyets here and there to see new features. I'm trying to determine if that photograph is physically on the device, or in the "cloud", as there's legal process involved here. Did the subject take the photograph with his phone, it uploaded to Google Photos, and then he deleted it from the actual device but it stayed in the cloud? The photo is no longer in the /dcim/camera path
I also found the same image in /media/0/DCIM/Camera/.trashed##########.jpg. I'm not as familiar with Android as I am with iOS, but is it possible that the user deleted the photo from his device, but failed to delete it from the "trash" in his photos app?
Blue56
Hello, I'm looking through an Android phone parsed using Cellebrite PA 10. I found an image that is notable, that's located at this path - Path: Google Photos "Actual account name"/local media/.trashed-#####.jpg , Original File Path - /store/emulated/0/DCIM/camera/.trashed#####.jpg. I've been using PA 7 for a while and just switched to Inseyets here and there to see new features. I'm trying to determine if that photograph is physically on the device, or in the "cloud", as there's legal process involved here. Did the subject take the photograph with his phone, it uploaded to Google Photos, and then he deleted it from the actual device but it stayed in the cloud? The photo is no longer in the /dcim/camera path
CLB-DannyTheModeler 6/4/2024 6:20 AM
Hello, first of all it is highly recommended to tag @Cellebrite otherwise we can miss these messages. In Inseyets there is a feature called Media Origin that may help you determine if the image was captured on the device. This feature needs to be enabled when processing the device. If you did enable it there is a Filter in the Thumbnail View as well as two columns "Capturing Device" and "Capturing Origin Reasoning" in the Table View. If you need more help, or want to hop on a quick Zoom call, DM me.
Replying to CLB-DannyTheModeler:
I enabled it when I processed the device, this worked great, thanks!
👍 2
Any ideas on why the data in the from / to section is different than in the participant section? I can see this being an issue as it says in the blue conversation bubble From: Big P followed by green conversation bubble To: Big P. Kind of like the person is talking to themselves.
📫 1
Replying to Blue56:
happy to hear that you've found Media Origin helpful. worth also opening the file and looking at the File Info tab, and in some cases we can also add to the file info if the file was deleted and when it was deleted (and in general whenever we decode some info on the file that doesn't have a dedicated UI representation yet, it might appear in the File Info)
Hey all and @Cellebrite! I recently did a File System extraction on a Motorola Moto G 5G 2023 using Premium on an unlocked phone. I successfully got the extraction and received a message saying there was a password protected Vault on the phone it called UID 10. I initiated a tetherless brute force attempt after going through the phone extraction and case info to create a dictionary file that will hopefully help. I've learned UID 10 is likely a unique identifier assigned to the vault app at the time of installation. It seems reasonable there should be a list somewhere of what the UIDs are for each app so I can identify what application I'm attempting to brute force. Does anyone know of any specific databases on the phone or other locations to check? So far I've got nothing going through the extraction. Looking through the apps I don't see anything that jumps out, but there's roughly 600 of them and half of them aren't readily identifiable as they're system applications. Any ideas?
Hope someone can give me a clue on this.. Got a file called "filtered-XXXX-XXXXXXX-XXXX-XXX.mp4". I'm trying to figure out where it came from, since the only place where I find this file is in Snapchat's "Caches" folder and there's nothing that I can connect it with inside scdb-27 or cache_controller. I'm guessing the file most likely was received from another user? Or am I thinking backwards?
Replying to Vägis:
CLB - Ofri 6/5/2024 4:30 AM
This is a temporary file the Snapchat app saves when the user uploads a video from their phone's gallery to either send in chat or upload to their story. This means the video wasn't taken inside the Snapchat app so it should also appear in the native gallery.
🔥 1
Replying to CLB - Ofri:
Thank you!! That's perfect. Hm, it does not appear in his gallery. Could it be deleted pretty recently and snapchat just didn't update the cache?
Replying to Vägis:
CLB - Ofri 6/5/2024 4:59 AM
Yep that's possible, I've seen cases where the files there weren't cleared for several days (edited)
👍 1
Replying to CLB - Ofri:
filtered- files can also be where a user sends a saved memory to a Snapchat contact. It does not have to come from the gallery @Vägis The files I think Ofri is referring to are located in .../Shared/AppGroup/<AppID>/Library/Caches/Share Extension Store/ The filtered-/recorded-/UID files @Vägis is referring to are located in .../Data/Application/<AppID>/Library/Caches/ (edited)
Replying to torskepostei:
Looking into Snapchat on iOS, arroyo.db, where the feed_entry table has a column named feedItemCreator. The column has a user ID, but I'm not sure what this means. Is it the creator of the entire thread, the last poster in the thread, or something completely different? @Oscar: have you looked into this one?
feedItemCreator refers to the creator of the arrow/box that you can see below the chat thread in the app (see image). This is not necessarily the last poster as it will still show that you have received something even if you sent something after. I have not dug much deeper but message_type and viewed also seems to be connected to what type of icon is shown in the app. (edited)
Replying to Oscar:
CLB - Ofri 6/5/2024 6:23 AM
No I was referring to the ones in Library/Caches, but you are right. What I meant to say was it's not necessarily taken inside the app so it could be something from the gallery and thus we can't know if it was taken by the user, but yes it could also originate from the snapchat memories, though in that case he should find a matching item in the scdb-27 db (though the ids will not be the same). (edited)
Replying to Oscar:
Ah okay. The video was found on the suspect's phone but it's someone else recording him. Could of course still be his phone but something to keep in mind I suppose. But as @CLB - Ofri said, I can't see any reference to scdb-27 so it would make sense if it originated from elsewhere(?). I'll keep digging. So far I haven't even found any snap-media or messages that were sent nor received within 5+ hours of the cache-file's creation time. I don't know if that says anything since cached files don't have to appear at the same time. However, 5+ hours seems too long if it's been sent/received? And if it is from memories, could I somehow see that file in any of the databases? I have well over 50.000 entries in scdb-27 and looking at them 1 by 1 would take a bit too long 😅 (edited)
Replying to Vägis:
CLB - Ofri 6/5/2024 6:59 AM
If it was uploaded from the camera roll and sent as a message, and the message was seen and disappeared, you wouldn't see any other related evidence, so that sounds possible. For going over memories, I would suggest using PA and going over Search & Web -> Uploads -> Snapchat, with filtering File Type for "video_". This way at least you only look at videos and you can see the media on the right pane. (edited)
🔥 2
Replying to CLB - Ofri:
It does sound like he uploaded it from gallery since I (so far) haven't found anything related to it. I'll double-check by going through Snapchat uploads the way you suggested. I'll keep you updated if I find anything else. Appreciate the help @CLB - Ofri @Oscar !!! (edited)
👍 1
Replying to Vägis:
Another tip I can suggest is looking for a similar video or picture across the case. I have had scenarios where the investigator tags the picture/video in the general Android cache folder, and when I do the comparison, I find what I believe the source of the file came from. Since I don't know which app was used, I find this method helps. Do you have a tool that can visually compare the file (such as Griffeye or Axiom) ? I don't believe PA can do that yet...
Hey all you smarter people than me: iPhone 13 iOS 17.4. CapMurder case where both physical and eSIM in use. Another examiner thinks the suspect was using the physical SIM AND the eSIM and trying to make the eSIM appear to be a "second phone" of the victim. The number is listed in his contacts as the victim. In looking at the CellularUsage.db there are two records consisting of the two ICCIDs, their associated phone numbers, and a date/time column labeled Last Update Time. Can anyone tell me specifically what this entry means? Is it the activation or the last time the SIM/eSIM was used? Or is it just the last time the carrier settings were updated which seems rather obvious, but...? The commcenter.plist entries associate the ICCIDs, phone numbers, and IMEIs, but have no dates. Any guidance is greatly appreciated. Thanks in advance!
Just done a physical with 4PC on an OPPO CPH1851 which has decoded fine. However the log file reports a Bad sector at mmcblk0rpmb which displays (in hex) DE AD DE AD etc for the whole block. I've never come across a bad sector before on a phone so not sure what this means and wondered if anyone out there had come across this before? Any help is greatly appreciated. Tks in advance.
Replying to wadde:
Hi! I have an iPhone 13 Pro Max (17.4.1) that had several Google sheets stored locally, I thought they were stored locally, because I could open, read, scroll and change tabs in the files even though the iPhone was in Flight mode. It was not that easy to find them as separate files in the extraction. However we did find traces and content in a cello.db file. Does anyone have any experience in parsing Google sheets? (edited)
Beardy_Dude 6/6/2024 5:27 AM
Hi. I'm currently in the same boat as you. I found multiple sqlite databases which contain information from within the google sheet files. I found those under the following path (GOOGLESHEETS_APP_ID, GOOGLE_USERID and CRYPTICNAME will be different for you) /private/var/mobile/Containers/Data/Application/GOOGLESHEETS_APP_ID/Documents/GOOGLE_USERID/localStore/documents/CRYPTICNAME/CRYPTICNAME.db You will find the related original file name in cello.db where you can compare the CRYPTICNAME. Inside the CRYPTICNAME.db there's a table called "document_commands" with a column named "serialized commands". The different entries are in some kind of JSON format and contain data from the google sheets I was able to view directly on the phone. I'm currently trying to figure out how I can interpret that data. JSON to CSV tools don't work here...by the way: if by any chance someone thinks I'm totally wrong in my analysis, I'd be happy if someone would message me directly so I don't waste more time than needed.
Mistercatapulte 6/6/2024 5:59 AM
@sootysox this literally indicates that the block cannot be read and that it is dead in read/write mode; the extraction software skips this block and continues the dump (edited)
Replying to Mistercatapulte:
many thanks for the reply to this one. Appreciated.
👍🏻 1
Replying to sootysox:
Mistercatapulte 6/6/2024 6:05 AM
yw
Are time-read timestamps usually reliable in iOS sms.db, or are there other ways to trigger a read message other than opening the conversation in the Messages app? Working on a fatal crash case for device manipulation; according to Biomes the device is showing Google Maps being utilized from 4:44pm-4:48pm and then transitions to Messages at 4:48pm. However, the read message timestamp is 4:46:53pm. Not sure the best avenue to explain, but essentially the crash happens right around the same time, if not right before, the read timestamp (edited)
Replying to JayB1rd:
Husky_M00s3 6/6/2024 2:32 PM
Sorry. I don’t have the answers you seek. Approaching it a different way… could you get subscriber / CDR for both numbers? That way you could check the IMSI and IMEI and compare them to what you got in the extraction? That might help. Maybe what you find might help you get PC for cell site. If the dual SIM hypothesis is correct, the two TNs should use the same towers.
Replying to rfar:
Great tip, I'll make sure to do that as well. Got both but I'm more used to Axiom so I'll start there. Thank you!
Replying to Ghosted:
Little4n6Fox 6/7/2024 3:25 AM
We had the same issue. It is only a mistake in the report. In the Analyzer it is okay. We tried some Analyzer versions of 10 (Inseyets) and built reports, but all had the same mistake. Our solution was AXIOM.
Has anyone used Cellebrite or Axiom to parse Elcomsoft message sync downloads? Or any other tool other than elcomsoft phone viewer?
Anyone from @MSAB free for a quick DM?
📬 1
Replying to Husky_M00s3:
Yeah, that was my first suggestion to the investigator and other examiner, but not sure if they are going to go that route. I appreciate the reply and I, like you, tend to think that would answer the questions. Thanks!
🔥 1
Are there any specific profiles that are best for purely logical Android decoding? Newer device of course, but it's app data I need, using XRY only
5:09 AM
Not yet officially supported I should say
Replying to TetsuoAR:
Logical extractions often rely on API / backups through that vendor software. The data does not “need” decoding in the normal meaning. Think of it this way. In a logical extraction, we ask the phone:
Logical extraction app: Please give me your call logs
Phone: Ok here they are
Logical extraction app: Can I have your media
Phone: Ok, only what I can have from user land
Etc. Outside of “backups” there is much decoding to be had.
1:28 PM
Missed the XRY part :). I’ll let the guys at @MSAB reply 🙂
Replying to CLB-Paul:
Thanks for the explanation of it all, unfortunately our scope is currently only logical and finding it annoying that manual capture is necessary as decoding doesn’t work consistently, some profiles work and others don’t so I was just curious if there was a trick I was missing
Hans Leißner 6/9/2024 9:33 PM
Good morning! Has anyone come across the messenger "Simplex" so far? chat.simplex.app https://play.google.com/store/apps/details?id=chat.simplex.app&hl=de&pli=1 (edited)
Private & e2e-encrypted messenger without user identifiers - private by design!
Replying to TetsuoAR:
Decoding is not profile specific, once the data has been extracted - the decoders look for all supported data and extracts what's there. Extraction of data is more of an "it depends" question, and we would need more details about device, to be able to advise on best possible extraction method.
Replying to TetsuoAR:
If you could send us a few examples of extraction logs, where data you expect hasn't been extracted/decoded - I can have a look, and possibly advise on what could have been done differently to get a better result. You can either DM them to me here, or email them to support@msab.com.
Replying to CLB-Paul:
Thanks for the ping! 🙂
Morning all, one of my staff has encountered an issue with Griffeye when processing mobile data from Cellebrite’s C4All format. It gets to 74.6% and then the entire program crashes for no reason and doesn’t provide any error message. We’re on version 24.1.2. Has anyone else encountered this recently?
12:39 AM
@Magnet Forensics
Replying to MSAB_Sofia:
Sent a PM regarding this thank you
Hello all. Working on an iPhone 13 Pro FFS extraction. Does anyone know the purpose of the application ZIP files that exist in the private/var/root/Library/Caches/Backup/placeholders/ folder? Did some testing by deleting an application on a test iPhone that had an application installed and signed in with a test account, but nothing was placed into this folder when the app was deleted from the device. The .zip files that exist in this folder for my evidence item seem to contain basic information about applications that were on the phone at one point, but no longer. My initial theory was that when an application was deleted from the device or uninstalled when deemed an Unused App, a .zip was created in this folder with basic config details for the application in the event it is re-installed at a later date, but in my testing it did not create a file in here when I deleted a configured application. Does anyone have experience with or explanation for how this folder works and its purpose?
Replying to Mike_H:
Migrating users and their data to a new iPhone or iPad is a common workflow in many organisations. This migration often involves a mobile device management (MDM) solution.
11:50 PM
Assuming this? If the backup contains managed app data or enterprise books, this data is restored as well. If the Managed App isn’t present on the device but the backup includes the Managed App data, a placeholder may be shown for the app. App placeholders aren’t shown when restoring devices using Apple Configurator.
I have a physical and FFS of an LG LM-G820... I am looking for evidence regarding the battery levels (i.e. charging vs. not charging) as well as any evidence of talk to text (if possible)
Hello. I'm wondering if anyone can tell my anything about this app package "com.google.android.apps.photosgo". And how it differs from "com.google.android.apps.photos" the Google Photos app?
Does anyone have any experience with the Session messaging app on iOS? I've never run into it before and was trying to figure out if messages are stored locally on the device.
Anyone have any insight on com.samsung.android.smartsuggestions/databases/GIUrldatabase.db I have a spoofing case and both my spoofed numbers are showing up in this database.
12:15 PM
I don't get any results in PA on the numbers, but a hex search gives me all my hits in that .db
@Cellebrite Someone about Google Takeout with PA ?
📬 1
Replying to Mike:
Can't remember about iOS but should work as Session for Android, then chats stored locally in encrypted db (edited)
Replying to Mike:
forensicmike @Magnet 6/12/2024 5:42 AM
Session is based on a fork of Signal. It is open source and the code can be reviewed here: https://github.com/oxen-io/session-ios
Is there a way of knowing if multiple devices have logged in to the same Snapchat account? Suspect tells us that there are several people that use the same account and that he hasn't sent the messages that we've asked about. Maybe @Oscar @CLB - Ofri can help me once again? Edit: I've looked at the UserID but suspect it's just the ID for the account itself and not connected to the device itself. Can't see any coordinates either. (edited)
📨 1
Replying to forensicmike @Magnet:
Speaking of Session, any possibility for you to add parsing of Session on desktop in Axiom?
Hi folks, can anyone point me in the correct direction for info about com.google.android.photos\mars_files? Came across this path in an IIOC case and have never seen it before. Tried a Google search and it is talking about secure folders, however somewhere else said that it was connected to Google Photos uploading. TIA (edited)
Replying to Oscar:
forensicmike @Magnet 6/12/2024 7:39 AM
Don't see a ticket for it yet but I will create one for you!
👍 1
Does anyone know of any writeup for the artifact /root/Library/Application Support/com.apple.wifianalyticsd/WiFiNetworkStoreModel.sqlite? I see iLEAPP has a plugin for it, but I don't see any writeup about how the database is populated, etc. Any help would be appreciated.
Michael Littrell 6/12/2024 10:10 AM
Oh well of knowledge….I have data from a Snapchat return, specifically a list of chats, and media for a specified time period. However, I do not have a key telling me anything about the files. I do not have an extraction of a device. The file in question: memories2021-09-07-02-34-12UTC~username_123~main-CCDE328E-FAC5-4981-AEBD-B11140FA9921~V4 Now, my question is about the date: Is it the capture date/time? Is it the saved-to-memories date/time? Or some other time because, you know, stuff and things. Thanks in advance for the assistance. I’ve tried searching the Discord, listserv, etc. No luck. Stay Safe!
ScottKjr3347 6/12/2024 7:50 PM
Anyone, maybe someone who has done some Apple app building want to take a shot at what “sleet” means or is referencing in relation to iOS 18 Apple Photos? Here are some of the fields: zAddAssetAttr.SLEETISREVERSIBLE ZASSET.CURRENTSLEETCAST And others These are in Photos.sqlite and haven’t been able to get data in these new fields.
@Cellebrite anyone available?
Replying to MindBreak:
CLB-DannyTheModeler 6/13/2024 12:21 AM
Whats the topic of your question @MindBreak ?
Inseyets decoding problems
📩 1
Replying to Vägis:
I'm not familiar with anything on the extraction but I can try looking it up. However I know this information does appear in Snapchat's "Takeout" or My Data request if that is an option (We do support it in PA but you can see the information in a simple html too). https://help.snapchat.com/hc/en-us/articles/7012305371156-How-do-I-download-my-data-from-Snapchat
Has anyone any experience with the „skred“ messenger app either on iOS or Android? I am looking for a way to decrypt the SQLite cipher database.
Replying to goofycom:
Myself and @bang have looked into this in the past, where @bang focused on the iOS version and I focused on the Android version; he may be able to help 😁 From memory, I believe they both used the same encryption method but obviously the keys were stored in different places (keystore/keychain) (edited)
👍🏽 1
Anyone with experience with a shared encrypted iOS note? Context: I have a WhatsApp chat. In this chat there is an iCloud note being shared WITH the password after. The shared note has a file extension .pluginPayloadAttachment. The file is 43224 bytes in size. If I open this file on a MacBook it gives me an error: There is no new note been made. Go to System Preferences and turn iCloud for Notes on if you want to make a note by dragging attachments. If iCloud already is turned on for Notes, it can be that Notes has to be updated. Opening the file in a text viewer gives me gibberish. Question? If I turn iCloud on, does it fetch a shared iCloud note from the www, or is the file offline? Who knows how to get insight into the note (attachment), and decrypt it (edited)
Replying to CLB - Ofri:
That will work perfectly fine. I tried finding information on the phone connecting him. I found two things in his profile settings: connected phone number and his birthday, they are both his, making it a bit easier to prove. I’ll contact Snapchat too. Feel like that information will be more than sufficient to prove it’s him! Thank you once again @CLB - Ofri 😊 (edited)
👍 2
Replying to Aero:
Hello, yes, have a solution for both Android and iOS 🙂
Salute 1
Original message was deleted or could not be loaded.
CLB-DannyTheModeler 6/13/2024 2:57 AM
I think you should post this in the #mobile-forensic-extractions channel.
bang
Hello, yes, have a solution for both Android and iOS 🙂
Nice! Would you mind giving me a little help? I have the SKRED app on both devices (Samsung and iPhone). For both devices I have a full file system extraction.
goofycom
Nice! Would you mind to give me a little help? I have the SKRED app on both devices (Samsung and iPhone). For both devices I have a full file system extraction.
If you have a FFS, XRY should be able to decrypt and decode Skred (possibly depending on version of the app.)
MSAB_Sofia
If you have a FFS, XRY should be able to decrypt and decode Skred (possibly depending on version of the app.)
I tried that. It recognized the SKRED app but couldn't parse the messages.
goofycom
I tried that. It recognized the SKRED app but couldn't parse the messages.
Ah, that's too bad! Do you know what version of Skred was installed? (It should be possible to tell from Device - Installed apps.) Could you send me (or email support) the extraction log, so that we can investigate?
MSAB_Sofia
Ah, that's too bad! Do you know what version of Skred was installed? (It should be possible to tell from Device - Installed apps) Could you send me (or email support) the etraction log, so that we can investigate?
It says version 12.5. Unfortunately I am not allowed to send out any extraction logs.
goofycom
It says version 12.5. Unfortunately I am not allowed to send out any extraction logs.
We aim to keep the logs anonymous, just so that they should be possible to send. But we verified decoding support for version 10.4 - so it is very possible that the app has changed too much in between, and that explains why it wasn't decrypted/decoded then 😦
sword4nsics 6/13/2024 6:36 AM
Anyone come across the SQLite database on iOS 16 com.apple.replayd as it relates to photos.sqlite and MP4s? The question is: what is this database? I have a video file and the database shows "importedbybundleidentifier" com.apple.replayd as well as a view count column with the original file name and the saved filename on the device.
sword4nsics
Anyone come across the sqlite database on iOS 16 com.apple.replayd as it relates to photos.sqlite and mp4's? The question is what is this database? I have a video file and the database shows "importedbybundleidenifier" com.apple.replayd as well as a view count column with original file name and the saved filename on the device.
As far as I know, com.apple.replayd is the bundle identifier used for video screen recordings. But I haven't seen this db yet. (edited)
Hey folks. Trying to extract a video from the TP-Link Tapo app on an iPhone 13 Pro (iOS 17.4.1) with known passcode, with no success. Anyone have a clue if the video is stored somewhere locally on the phone or if it's completely cloud-based? Could it be that our programs aren't able to decode the app? We've only tried with @Cellebrite Premium and then over to PA/Inseyets at the moment. Edit: to clarify, we can't find the app in the extraction. Only some TP-Link related files that aren't telling us anything.
Vägis
Hey folks. Trying to extract a video from the TP-Link Tapo app on an iPhone 13 Pro (iOS 17.4.1) with known passcode with no success. Anyone have a clue if the video is stored somewhere locally on the phone or if its completely cloud-based? Could it be that our programs aren't able to decode the app? We've only tried with @Cellebrite Premium and then over to PA/Inseyets at the moment. Edit: to clarify. We cant find the app on the extraction. Only some tplink related files that isn't telling us anything. (edited)
Regarding the cloud part: does it play on the phone while in airplane mode?
Lazza
Regarding the cloud part: does it play on the phone while in airplane mode?
Ah, no it doesn't. So it's cloud-based. However, I can see that the app has taken random pictures in a separate tab and saved them locally in the app. Guess the only way is for us to download the footage(?).
Vägis
Ah, no it doesn't. So it's cloud based.. However I can see that the program has taken random pictures in a separate tab and saved them locally on the app.. Guess the only way is for us to download the footage(?). (edited)
I suppose so, but I don't have specific knowledge regarding that app
Lazza
I suppose so, but I don't have specific knowledge regarding that app
Appreciate the help 👍 We'll try some different programs just in case there are any logs or DBs that never made it into the extraction.
Anyone have issues with Cellebrite PA and 2 DLL files (xgboost and librocksdbjni) filling up almost 100GB in the windows\temp folder?
dstam
Anyone have issues with Cellebrite PA and 2 DLL files (xgboost and librocksdbjni) filling up almost 100GB in the windows\temp folder?
This is likely due to our media categorization engine running. It should empty out once completed. There was a fix that did go out for it in new(er) version.
CLB-Paul
This is likely due to our media categorization engine running. It should empty out once completed. There was a fix that did go out for it in new(er) version.
Ah okay, maybe it's just the first time I'm noticing it. I have the latest version (10.2.101.352).
@Law Enforcement [UK] Sorry to disturb at the weekend! Dealing with Element messenger on iOS - anyone have any top tips for me? 😫
Jeezy
@Law Enforcement [UK] Sorry to disturb at the weekend! Dealing with Element messenger on iOS - anyone have any top tips for me? 😫
Not off the top of my head, I’ve not done mobiles specifically in a bit. It used to be called Riot and Vector, and I know there’s some white papers on them, worth a look?
daco1992
Not off the top of my head, I’ve not done mobiles specifically in a bit. It used to be called Riot and Vector, and I know there’s some white papers on them, worth a look?
Okay thanks, I'll take a look at those
panicpants. 6/15/2024 11:21 AM
Hi all. I have a FFS of an Oppo phone. I found CSAM in the data\media\0\Download folder. I can see when it was downloaded as the downloads are in the Chrome and Opera history dbs. The problem is that the URLs for the files are .onion links. Is there a way that Chrome and Opera can access .onion links on Android?
Never tried it on mobile, but I know Chrome has extensions in their extension store for a Tor Browser extension; presumably this would be offered on the mobile version as well? Don't have my test phone to try but can test it tonight (EST) and report back.
Extensions may only be available for desktop and not mobile. Are there other browsers installed on the device, and what are the associated events happening on the device prior to/after the download?
chauan
Extensions may only be available for Desktop and not mobile. Are there other browsers installed on the device and what are the associated events happening ont he deivce prior/after the download?
panicpants. 6/16/2024 12:18 PM
I need to have a better look at it tomorrow and get more info. I only had a quick look before leaving on Friday
@panicpants. It would be worth checking the history for clearnet redirectors like onion.to and browser.lol, which can get you to an onion address through Chrome etc. Otherwise it's likely to be an extension.
panicpants.
I need to have a better look at it tomorrow and get more info. I only had a quick look before leaving on Friday
Chrome syncs a bunch of data; have you looked at the possibility that he used another device with the same Google account? If it's the Tor extension it should tell you either through the extension or in History as @RichardG mentioned. Weird redirects are probably the first thing you should look for.
Does anyone have a simple graphic or wording they use in reports to explain the differences between FFS and Adv Logical on iOS? I recall seeing one in a Magnet course and it was really simple to visually show the lack of apple health data etc
Rob
Assuming this? If the backup contains managed app data or enterprise books, this data is restored as well. If the Managed App isn’t present on the device but the backup includes the Managed App data, a placeholder may be shown for the app. App placeholders aren’t shown when restoring devices using Apple Configurator.
Thanks for the reply, but the device I'm dealing with isn't a corporate/managed device so I don't think this applies in my situation. Again, thanks for the suggested article and replying.
RichardG
Does anyone have a simple graphic or wording they use in reports to explain the differences between FFS and Adv Logical on iOS? I recall seeing one in a Magnet course and it was really simple to visually show the lack of apple health data etc
they have it on the Magnet support website
Ellimist
they have it on the Magnet support website
Cheers I’ll go look 😀
RichardG
@panicpants. It would be worth checking the history for clearnet redirectors like onion.to and browser.lol which can get you to onion address through chrome etc. otherwise it’s likely to be an extension (edited)
panicpants. 6/17/2024 12:18 PM
I found traces of an app called Orbot, which is a VPN that allows any browser to access onion links. It's not installed anymore, so it wasn't obvious what was happening.
panicpants.
I found traces of an app called Orbot which is a VPN that allows any browser to access onion links. It’s not installed anymore so wasn’t obvious what was happening
Perfect, one to add to the list for the future, but we don't really do much CSAM; we send it all your way 😀 I take it CP/Axiom didn't recognise it in the decode? Had to go manual?
RichardG
Perfect, one to add to the list for future but we don’t really do much csam, we send it all your way 😀 I take it CP / Axiom didn’t recognise it in the decode? Had to go manual?
panicpants. 6/17/2024 3:13 PM
Seems like he had the VPN on permanently, as there was no unusual activity showing on the timeline in Axiom. He would regularly go to https://check.torproject.org to make sure he was on Tor, so I knew there had to be something there. A bit of research led me to Orbot, and a search for that in Axiom confirmed that he had searched for it and installed it months ago. 👍 Where are you working at?
Hans Leißner 6/17/2024 11:47 PM
Short question about PA 10.x: I got the error message 'failed to load data, check the connectivity of the dump file source'. A long time ago I was able to solve that, but nowadays I cannot remember how I managed it 😅 Any hint? Thanks a lot!! Never mind, just closing it from the Cases tab and reopening solved it.
Hans Leißner 6/18/2024 1:00 AM
Anyone familiar with iOS Logs? Especially sysdiagnose 🫨
Mistercatapulte 6/18/2024 1:37 AM
@Lionel Notari can help you if he is ok 🙂
Lionel Notari 6/18/2024 1:41 AM
Hello, always happy to help! 🙂 Thanks for the mention @Mistercatapulte. @Hans Leißner, don't hesitate to have a look there and let me know if you have any questions: https://www.ios-unifiedlogs.com/blog
Lionel Notari
Hello, always happy to help ! 🙂 Thanks for the mention @Mistercatapulte @Hans Leißner don't hesitate to have look there and let me know if you have any questions: https://www.ios-unifiedlogs.com/blog
Hans Leißner 6/18/2024 1:56 AM
I remembered posts on LinkedIn but couldn't remember that it was you. Thank you! 🙂
Hello, does anyone have some resources concerning Snapchat on iOS, especially the contents of the "SCContent" folder? I am having a hard time finding recent forensic research about Snapchat. The forensic software I tried does find the content of the folder but cannot associate the media with messages, stories, memories, etc.
Jaclo
Hello, has anyone some resources concerning Snapchat on iOS, especially the contents of the "SCContent" folder. I am having hard times finding recent forensic research about Snapchat. The forensic software I tried do find the content of the folder but cannot associate the media to messages, stories, memories, etc... (edited)
@Oscar @OggE
Jaclo
Hello, has anyone some resources concerning Snapchat on iOS, especially the contents of the "SCContent" folder. I am having hard times finding recent forensic research about Snapchat. The forensic software I tried do find the content of the folder but cannot associate the media to messages, stories, memories, etc... (edited)
I don't have anything written and published, but feel free to DM and I can try to point you in the right direction 🙂
@panicpants. Sorry, didn't see your reply; tried to DM but not accepted. Drop me a line sometime, it's always useful to keep local contacts, even if on 'opposite' sides 😉
Jaclo
Hello, has anyone some resources concerning Snapchat on iOS, especially the contents of the "SCContent" folder. I am having hard times finding recent forensic research about Snapchat. The forensic software I tried do find the content of the folder but cannot associate the media to messages, stories, memories, etc... (edited)
panicpants. 6/18/2024 2:45 PM
Mornings! Does anyone know what the "Recommended" in "AddReason" is in the com.apple.wifi.plist? Most of the entries have either cloudsync or wifisettings, but others have "recommended" and some haven't got any at all. Haven't come across this before.
Anyone from @Cellebrite free for a quick Q?
Anyone from @Cellebrite ?
Anyone from @Magnet Forensics for an AXIOM question?
Daniel Rotchell 6/20/2024 7:16 AM
Does anyone know the difference between the columns "zAsset - Trashed State/LocallyAssetRecently" and "zIntResou - Trash State" within the photos.sqlite database for the Photos App
Daniel Rotchell
Does anyone know the difference between the columns "zAsset - Trashed State/LocallyAssetRecently" and "zIntResou - Trash State" within the photos.sqlite database for the Photos App
@ScottKjr3347 knows for sure 🙂
Daniel Rotchell
Does anyone know the difference between the columns "zAsset - Trashed State/LocallyAssetRecently" and "zIntResou - Trash State" within the photos.sqlite database for the Photos App
ScottKjr3347 6/20/2024 7:38 AM
This is a follow-up based on the email @Daniel Rotchell sent, so that everyone can review. Based on my testing and research this is normal. I have attached a screenshot illustrating that this is normal behavior. I have attempted, but have never been successful in getting, the ZINTERNALRESOURCE table ZTRASHEDSTATE to have a value other than "0", even when the ZASSET table ZTRASHEDSTATE had a value of "1". I would like to mention that you are using older queries; if possible, use the parsers and queries built into iLEAPP. https://github.com/abrignoni/iLEAPP When reviewing data from the ZINTERNALRESOURCE table I would suggest using Ph50AssetIntResouData.py. This parser and embedded query will provide you the necessary data from both the zAsset and zInternalResource tables to see how there are other files referenced in the internal resource table that are not referenced in the zAsset table.
ScottKjr3347 6/20/2024 8:17 AM
Daniel Rotchell 6/20/2024 8:29 AM
Thank you! @ScottKjr3347 I mainly do computer forensics but was able to get hold of the newer mobile data for this case. I did try to run iLEAPP for the macOS photos.sqlite but it didn't like the path? I'm assuming I would need to recreate it to be the phone path? Thank you! I will give that parser a go.
Thank you! @ScottKjr3347 I mainly do computer forensics but was able to get hold of the newer mobile data for this case. I did try and run iLEAPP for the macos photos.sqlite but it didnt like the path? im assuming i would need to recreate it to be the phone path? Thank you! I will give that parser ago
ScottKjr3347 6/20/2024 8:54 AM
Email over the screen output error and I'll take a look and reply via email about iLEAPP.
Hello, anyone from @MSAB please ?
Digitalferret 6/21/2024 2:16 AM
Just a heads up for any/all software and support vendors out there. You are all probably aware of 'cracked software' vendors, but it has come to our attention that those services are pointing their clients and forensic wannabes to our Discord for info/advice/help. It has been suggested that support staff might want to check proof of license before offering such help. As per the capture, one can see they already have "eyes" in here.
AnTaL
Hello, anyone from @MSAB please ?
Hello!
Someone from @Cellebrite about UFED ?
Where do some of the device identifiers get pulled from for android extractions in the Device Info portion of Physical Analyzer? (ex: IMEI, IMSI, Model) There is no source listed for it. @Cellebrite
Having some issues with iCloud backup. I've been using Elcomsoft Phone Breaker for about 2 years and loved how simple downloading iCloud backups is. I recommended this tool to a colleague who needed to pull down an iCloud backup. He noticed when he downloaded the data that there were no text messages. He then tried Belkasoft and then Cellebrite to download the backups. None of the tools were able to pull down the messages. He confirmed that messages were being backed up. Well, I jump in and try my phone, which I've done numerous times without issue. I get an error when trying to use Elcomsoft to download the iCloud backup. Has anyone noticed this same issue, or is there a known issue that I'm not aware of?
Digitalferret 6/21/2024 4:36 PM
@Elcomsoft ^
ScottKjr3347 6/22/2024 9:38 AM
Hey DF examiners out there keep your 👀 open 🍎 Final Cut Pro now on iOS!! New video capabilities including multiple device recording. Also, screen recording streams directly to apps!! iOS 17-18 (edited)
ScottKjr3347
Hey DF examiners out there keep your 👀 open 🍎 Final Cut Pro now on iOS!! New video capabilities including multiple device recording. Also, screen recording streams directly to apps!! iOS 17-18 (edited)
Damn, I thought this was just a photo editing app! Have you had any cases where devices have had their screens streamed? Seems like it would definitely be an issue pre-submission to a digital forensics unit if seizing officers didn't know to disconnect it from all network access, or power off if PIN/pattern is known.
Ben J Man
Damn I thought this was just a photo editing app! You had any cases where devices have had their screens streamed. Seems like it would definitely be an issue pre-submission to a digital forensics unit if seizing officers didn’t know to disconnect it from all network access or power off if PIN/pattern known.
ScottKjr3347 6/22/2024 4:34 PM
Not yet; it's a brand new feature and appears not fully implemented yet. But it's definitely something to keep our eyes on.
Hi, anyone know if I can open an iCloud collection captured in Axiom in Cellebrite? Thanks!
chrisforensic 6/24/2024 9:10 AM
Any beta-update on PA 7 in the oven? @Cellebrite
Hi @Oxygen Forensics, is anyone around for a quick question?
Hello. iPhone 14, standard Mail app. Suspect has two emails which I believe to have been set up to send later, as they were sent at 20:00:00 exactly. Would anyone know how I would prove this? There are two entries beforehand which are blank and live in the 'Recents' WAL. I believe these to be from when the suspect set up the delayed emails. Honestly I'm stumped when it comes to proving this. Any ideas? Thanks
SammyD
Hello. Iphone 14 Standard email app. Suspect has two emails which I believe to have been setup to send later, as they were sent at 20:00:00 exactly. Would anyone know how I would prove this? There are two entries beforehand which are blank, and live in the 'Recents`wal. I believe these to be when the suspect setup the delayed emails. Honestly I'm stumped when it comes to priloving this. Any ideas? Thanks
Husky_M00s3 6/25/2024 6:10 PM
Other sources. 🤷‍♂️ What state was the phone in at 20:00:00? Locked? Back light on? Etc? Lack of activity during that time period.
Hans Leißner 6/25/2024 10:53 PM
@Cellebrite Good morning! I have a question regarding the Extraction Summary in PA 10.2.101.352. The imported file is a GK extraction. However, the dashboard is missing information such as extraction start and end date/time and the hash for verification. Is this usual, or can this be added in the next version?
Private Derp 6/25/2024 11:22 PM
@Hans Leißner I think that information is in the GrayKey Progress Report; it does not carry over to the decoding side, as what is pulled from the GrayKey is just the acquisition.
11:23 PM
While Cellebrite extractions have the .ufd file, which contains this kind of information.
Private Derp
While Cellebrite extracts have the .ufd file which contains this kind of information
Hans Leißner 6/25/2024 11:35 PM
Would make sense, of course. If this is not supported, an upload button for the GK report could possibly be added in the next release.
Hans Leißner 6/26/2024 12:04 AM
@CLB-DannyTheModeler Or does it make a difference if I specify the folder instead of the zip file when importing? Saw you typing, haha.
Hans Leißner
Would make sense, of course. If this is not supported, an upload button for the GK report could possibly be added in the next release
CLB-DannyTheModeler 6/26/2024 12:05 AM
You can add the PDF as an external file in PA today, no need to wait for the next release. If there is an expectation that we parse the PDF file and extract information from it, some would argue that PDF is not a good format for structured data.
CLB-DannyTheModeler
You can add the PDF as an external file in PA today, no need to wait for the next release. If there is an expectation that we parse the PDF file and extract information from it, some would argue that PDF is not a good format for structured data.
Hans Leißner 6/26/2024 12:05 AM
And the hash verification?
Hans Leißner
and the hash-verification?
CLB-DannyTheModeler 6/26/2024 12:11 AM
We have a backlog item to allow you to manually enter it, but it is not yet assigned to a future release.
Hans Leißner 6/26/2024 12:12 AM
Alright! Thank you 🙂
Hi. I got a FFS from an iPhone X using Cellebrite Premium. On the phone there's the "nicegram" app, an alternative app for accessing the Telegram service. PA Ultra is not able to decode the messages. Any hint?
bypx
Hi. I got a FFS from an iPhone X using Cellebrite Premium. On the phone there’s “nicegram” app, an alternative app for accessing telegram service. PA Ultra is not able to decode the messages. Any hint?
Hans Leißner 6/26/2024 6:29 AM
As long as the app databases aren't encrypted, you can take a look at the SQLite database itself to get some information. Analyzed data -> Databases -> search term 'nicegram' or something that points to the database of interest. I don't know of any parsers yet. Maybe another tool supports it?
Hans Leißner 6/26/2024 6:43 AM
@Magnet Forensics greetings! Does the latest software version of AXIOM have problems processing GK images? Today I tried to open an image (extraction date 09.2022) in AXIOM to test the new feature (Apple unified logs), or rather I wanted to use it on this case. AXIOM has been searching for over 1 hour now and is not even at 1%. A previous attempt was completed, but only 1 artifact was found. The image file is not corrupted, as I had processed it in an older version of AXIOM and other tools can also process the extraction. I'm a bit at a loss as to what else I could try. Thanks and regards
bypx
Hi. I got a FFS from an iPhone X using Cellebrite Premium. On the phone there’s “nicegram” app, an alternative app for accessing telegram service. PA Ultra is not able to decode the messages. Any hint?
CLB-DannyTheModeler 6/26/2024 7:01 AM
Did you try using the App Genie in PA?
Hans Leißner
@Magnet Forensics greetings! Does the latest software version of AXIOM have problems processing GK images? Today I tried to open an image (extraction date 09.2022) in Axiom to test the new feature (Apple unified logs) or I wanted to use it on this case. AXIOM has been searching for over 1 hour now and is not even at 1%... A previous attempt was completed, but only 1 artifact was found. The image file is not corrupted as I had prepared it in an older version in Axiom and other tools can also process the extraction. I'm a bit at a loss as to what else I could try. Thanks and regards
cScottVance 6/26/2024 7:24 AM
Depending on the amount of Unified Logs present, it can certainly take a long time. Those are likely going to be one of the first-hit artifacts due to their location in the file system. I would say refresh your Examine view to see if it's adding new records, to make sure it's not frozen on something, because UAL can add tens of millions or more records to the case. If it's not, feel free to DM me the logs and I can take a look at what's going on.
cScottVance
Depending on the amount of Unified Logs present it can certainly take a long time. Those are likely going to be one of the first hit artifacts due to their location in the file system. I would say refresh your Examine to see if it's adding new records to make sure it's not frozen on something, because UAL can add 10s of millions+ of records to the case. If it's not, feel free to DM me the logs and I can take a look at what's going on.
Hans Leißner 6/26/2024 7:25 AM
Thank you!
S1
Hi, anyone know if I can open an iCloud collection captured in Axiom in Cellebrite? Thanks!
I believe AXIOM has an add-on for analyzing cloud data. You need to purchase the extra cloud license.
Hans Leißner
@Magnet Forensics greetings! Does the latest software version of AXIOM have problems processing GK images? Today I tried to open an image (extraction date 09.2022) in Axiom to test the new feature (Apple unified logs) or I wanted to use it on this case. AXIOM has been searching for over 1 hour now and is not even at 1%... A previous attempt was completed, but only 1 artifact was found. The image file is not corrupted as I had prepared it in an older version in Axiom and other tools can also process the extraction. I'm a bit at a loss as to what else I could try. Thanks and regards
Lionel Notari 6/27/2024 9:42 AM
How is it going ?
Hans Leißner 6/27/2024 9:46 AM
I obviously had serious network problems. I found this out when I had problems with App Genie in UFED PA 10. @CLB-DannyTheModeler thankfully supported me and found in the logs that the network drive on which the extractions are stored was causing problems. I was finally able to process the GK extraction in AXIOM. However, it is not yet finished with the unified logs. Friendly reminder: keep at least one copy of the extractions locally to avoid errors like the one above. 😄
Another Random Swede 6/27/2024 11:18 AM
Hello, I recently tried following these instructions in order to retrieve the database, attachments and logs decryption key for Signal: https://thebinaryhick.blog/2022/07/14/session-on-android-an-app-wrapped-in-signal/ The phone is running Android 13, a Motorola E13 (XT2345-3), and I achieved a FFS extraction using Cellebrite. The passcode is known. However, when dumping "persistent.sqlite" and looking at the blob(s) for "SignalSecret", I don't see that the blob(s) start with "pKMblob". I checked a Samsung Galaxy S22 which is rooted and has Signal, and there the blob(s) for SignalSecret in its persistent.sqlite do indeed begin with "pKMblob". I received a "secrets.json" file with the extraction, and using the key there makes AXIOM decode Signal. I am just wondering why the blob(s) don't start with "pKMblob" (and by extension what I believe is the cause of my not being able to follow the steps and decrypt the database, attachments and logs manually). Thank you for your time in advance.
Does anyone know what determines if a website gets recorded in the webkit "observations.db" database for the Chrome app on iOS? I may have to test it at some point but for now I was just wondering if anyone else has looked into this. The file path for this database is /private/var/mobile/Containers/Data/Application/(Chrome App UUID)/Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db. Cheers
I would like to extract specific app containers from an iOS extraction. The ones I mean are located in private/var/mobile/Containers/Data/Application. I want to do this programmatically. Let's say I am looking for the app WhatsApp. In each folder there is a metadata.plist, with the app name, but I don't find this a very efficient method since I have to iterate through every folder. Is there a more efficient way to link app-id with app-names in case of an iOS extraction? e.g a list containing all installed apps with their corresponding app-id?
Tube
I would like to extract specific app containers from an iOS extraction. The ones I mean are located in private/var/mobile/Containers/Data/Application. I want to do this programmatically. Let's say I am looking for the app WhatsApp. In each folder there is a metadata.plist, with the app name, but I don't find this a very efficient method since I have to iterate through every folder. Is there a more efficient way to link app-id with app-names in case of an iOS extraction? e.g a list containing all installed apps with their corresponding app-id?
cf-eglendye 7/1/2024 1:02 AM
Yes - this is well documented and there are several open source Python scripts/modules relating to this exact scenario (such as iLEAPP and iosapt). If you are looking to do this yourself, you should consider the "applicationState.db", located in /private/var/mobile/Library/FrontBoard/. You should consider that the path you list above is where the application should be storing data; however, with iOS extractions you will commonly see data being stored in /private/var/mobile/Containers/Shared/AppGroup/. In the case of WhatsApp, the majority of the user data you would be after (e.g. contacts, calls, and messaging) is stored in /Shared/ rather than /Data/.
Arlakossan 7/1/2024 2:30 AM
Is there any analyzing tool out there that decodes ChatIw and Teleguard
Arlakossan
Is there any analyzing tool out there that decodes ChatIw and Teleguard
cf-eglendye 7/1/2024 2:32 AM
iLEAPP / ALEAPP both have support for Teleguard
Arlakossan
Is there any analyzing tool out there that decodes ChatIw and Teleguard
Teleguard Android is supported in Inseyets 10.2.1. Teleguard iOS will be included in Inseyets 10.3.
cf-eglendye
Yes - This is well documented and there are several open source Python scripts / modules relating to this exact scenario (such as iLEAPP and iosapt)... if you are looking to do this yourself, you should consider the "applicationState.db", located in /private/var/mobile/Library/FrontBoard/. You should consider that the path you list above is where the application should be storing data, however, with iOS extractions you will commonly see data being stored in: /private/var/mobile/Containers/Shared/AppGroup/ - for the case of WhatsApp, the majority of the user data you would be after (e.g. contacts, calls, and messaging) is stored in /Shared/ rather than /Data/. (edited)
Thank you. Exactly the answer I was looking for
ControlF 1
Avatar
How reliable is a .ktx thumbnail creation on a Safari saved state tab? Essentially, I have a saved state Safari artifact with 6 item history. Item #3 in that tab history has a thumbnail of the webpage accessed. I know it's not 100% accurate based on my testing, may be off by some times, but can I use that as a very rough estimate of typical time usage for the tab? Database has this as row 66 out of 350+ so the original date is long gone and I know there was a large amount of activity on the device afterwards. For context, the activity occurred approximately 1 year prior to the extraction (FFS).
Avatar
chrisforensic 7/1/2024 11:29 PM
It is still not possible to view media files at a reasonable speed. Inseyets PA is slow and often hangs, compared to PA7. And I'm sure I'm not the only one.... and... my specs are good, so there is no excuse for bad specs, as already mentioned many times. I am frustrated when working with PA Inseyets (edited)
📬 1
👍 1
Avatar
Avatar
chrisforensic
It is still not possible to view media files at a reasonable speed. Inseyets PA is slow and often hangs, compared to PA7. And I'm sure I'm not the only one.... and... my specs are good, so there is no excuse for bad specs, as already mentioned many times. I am frustrated when working with PA Inseyets (edited)
If it's something specific to look for I sometimes use iLeapp or ALeapp
Avatar
Avatar
Dfdan
If it's something specific to look for I sometimes use iLeapp or ALeapp
Husky_M00s3 7/2/2024 6:33 AM
A VLC Playlist and some hotkeys can speed up a review if you are running through a set of videos. Media classification / filter, tag, export, VLC playlist. @chrisforensic (edited)
Avatar
Avatar
Husky_M00s3
A VLC Playlist and some hotkeys can speed up a review if you are running through a set of videos. Media classification / filter, tag, export, VLC playlist. @chrisforensic (edited)
chrisforensic 7/2/2024 7:06 AM
Thanks, I mean the "basic" review of thousands of photos
Avatar
liv360
Avatar
sabrina_he 7/2/2024 8:27 AM
Hello everyone, I'm currently analyzing the Google Maps application and came across the file Odelay_cache.cs. There are various geo coordinates in it. Does anyone know whether these are locations that have been visited or whether they are just search queries or something similar?
Avatar
Avatar
sabrina_he
Hello everyone, I'm currently analyzing the Google Maps application and came across the file Odelay_cache.cs. There are various geo coordinates in it. Does anyone know whether these are locations that have been visited or whether they are just search queries or something similar?
Odelay_cache.cs in Google Maps has the geographic coordinates saved for different locations as a cache. Normally such coordinates are stored for commonly visited or searched for places to improve performance and easily retrieve location information. These coordinates appear to be for locations that have been either visited or searched in the app.
🥇 1
👍 1
Avatar
Filenames showing up different in Cellebrite vs Axiom and Oxygen. I am working on some image artifacts for validation and came across some weirdness. In Cellebrite PA and Inseyets the image filename is being reported as: _P_1_AYLjaLhPoY8QHcJ2GNRai6wOFTaB_imgfile In Axiom and Oxygen the same image filename is being reported as: :P:1:AYLjaLhPoY8QHcJ2GNRai6wOFTaB:imgfile The underscores have been replaced with colons in the filename. It's not just one file either, it's a whole directory of files where this has occurred with the filenames. Anyone seen this before? I am just dumping the extract into X-Ways to see what it shows. UPDATE: X-Ways reports the filename with colons and I manually opened the GrayKey extraction zip and it's colons that are being used in the filename. I'm just opening the extraction using Cellebrite PA (non-Inseyets edition) to see if it reports the filename using colons.... Email sent -> Cellebrite Support (edited)
Avatar
Avatar
Mike_H
Filenames showing up different in Cellebrite vs Axiom and Oxygen. I am working on some image artifacts for validation and came across some weirdness. In Cellebrite PA and Inseyets the image filename is being reported as: _P_1_AYLjaLhPoY8QHcJ2GNRai6wOFTaB_imgfile In Axiom and Oxygen the same image filename is being reported as: :P:1:AYLjaLhPoY8QHcJ2GNRai6wOFTaB:imgfile The underscores have been replaced with colons in the filename. It's not just one file either, it's a whole directory of files where this has occurred with the filenames. Anyone seen this before? I am just dumping the extract into X-Ways to see what it shows. UPDATE: X-Ways reports the filename with colons and I manually opened the GrayKey extraction zip and it's colons that are being used in the filename. I'm just opening the extraction using Cellebrite PA (non-Inseyets edition) to see if it reports the filename using colons.... Email sent -> Cellebrite Support (edited)
Images from specific app or for all images in the case? iOS or Android?
Avatar
Avatar
Mike_H
Filenames showing up different in Cellebrite vs Axiom and Oxygen. I am working on some image artifacts for validation and came across some weirdness. In Cellebrite PA and Inseyets the image filename is being reported as: _P_1_AYLjaLhPoY8QHcJ2GNRai6wOFTaB_imgfile In Axiom and Oxygen the same image filename is being reported as: :P:1:AYLjaLhPoY8QHcJ2GNRai6wOFTaB:imgfile The underscores have been replaced with colons in the filename. It's not just one file either, it's a whole directory of files where this has occurred with the filenames. Anyone seen this before? I am just dumping the extract into X-Ways to see what it shows. UPDATE: X-Ways reports the filename with colons and I manually opened the GrayKey extraction zip and it's colons that are being used in the filename. I'm just opening the extraction using Cellebrite PA (non-Inseyets edition) to see if it reports the filename using colons.... Email sent -> Cellebrite Support (edited)
I would say it is your computer regional settings causing the difference in Cellebrite. (edited)
Avatar
@Cellebrite anyone available for a quick dm about sqlwizard ?
Avatar
Does anyone know a quick way to get the total number of Telegram messages in @Cellebrite PA? I want the total of all of the ‘Number of messages’ column in the Chats window. Exporting a report and looking at the number of rows takes over a day for some reason on this phone
3:41 AM
My hack is to screenshot and use ocr but not ideal as it needs a manual check for ocr oopsies
Avatar
Avatar
busted4n6
My hack is to screenshot and use ocr but not ideal as it needs a manual check for ocr oopsies
Export as Excel/csv and auto sum the messages column (edited)
Avatar
Yeah - takes hours to do lol - hundreds of thousands of messages. I really wish there was a way to just do a report of the screen you see in chats
4:43 AM
I’d use another tool but they don’t agree on numbers due to recovered bits etc
4:43 AM
Even pa versions don’t agree 🤦‍♂️
Avatar
Avatar
busted4n6
Does anyone know a quick way to get the total number of Telegram messages in @Cellebrite PA? I want the total of all of the ‘Number of messages’ column in the Chats window. Exporting a report and looking at the number of rows takes over a day for some reason on this phone
It should say on the analysed data tab?
😅 4
😆 1
Avatar
Avatar
p0tt541
It should say on the analysed data tab?
Fml i knew I’d done it easily before hahah. Thanks!
👍 1
Avatar
Avatar
Bobby
Images from specific app or for all images in the case? iOS or Android?
It's not images from any specific app; in this case they are from Apple's News Widget application. We were round-tabling it further at the office and wonder if it's something Cellebrite chose to do in order to allow exporting of the files, as a colon is an illegal character in Windows filenames, but an underscore is allowed.
Avatar
Avatar
Mike_H
Filenames showing up different in Cellebrite vs Axiom and Oxygen. I am working on some image artifacts for validation and came across some weirdness. In Cellebrite PA and Inseyets the image filename is being reported as: _P_1_AYLjaLhPoY8QHcJ2GNRai6wOFTaB_imgfile In Axiom and Oxygen the same image filename is being reported as: :P:1:AYLjaLhPoY8QHcJ2GNRai6wOFTaB:imgfile The underscores have been replaced with colons in the filename. It's not just one file either, it's a whole directory of files where this has occurred with the filenames. Anyone seen this before? I am just dumping the extract into X-Ways to see what it shows. UPDATE: X-Ways reports the filename with colons and I manually opened the GrayKey extraction zip and it's colons that are being used in the filename. I'm just opening the extraction using Cellebrite PA (non-Inseyets edition) to see if it reports the filename using colons.... Email sent -> Cellebrite Support (edited)
ScottKjr3347 7/4/2024 10:39 AM
Another examiner pointed this out to me during their research. The above is CB and the bottom is sqlite query output.
Avatar
Hey all, does anyone have a good standalone tool that can convert iMessage/SMS messages from Cellebrite to RSMF format? I found Message Crawler but wouldn't mind hearing thoughts around Message Crawler or any other tool. Thanks in advance.
Avatar
I am searching for a person with an iPhone. I have the iPhone of his wife. They use the same Apple account. While seizing the iPhone, we checked the "Where is" app and could see the location of the other iPhone. We then activated airplane mode and I extracted a FFS with GK from the seized iPhone. My question is: Can I find the right token/whatever on the iPhone, so I can use the "Where is" app in the browser and see the other iPhone, without removing the airplane mode?
Avatar
Avatar
Introser
I am searching for a person with an iPhone. I have the iPhone of his wife. They use the same Apple account. While seizing the iPhone, we checked the "Where is" app and could see the location of the other iPhone. We then activated airplane mode and I extracted a FFS with GK from the seized iPhone. My question is: Can I find the right token/whatever on the iPhone, so I can use the "Where is" app in the browser and see the other iPhone, without removing the airplane mode?
Husky_M00s3 7/6/2024 11:57 AM
Does the other phone have a SIM card in it? Have you tried locating the phone through the cell phone provider? All this work is going to give you historical location info. Since you're law enforcement, I imagine you can request a live ping. Can you give us the bundle ID of the app?
Avatar
Avatar
Husky_M00s3
Does the other phone have a SIM card in it? Have you tried locating the phone through the cell phone provider? All this work is going to give you historical location info. Since you're law enforcement, I imagine you can request a live ping. Can you give us the bundle ID of the app?
Live pinging would do another agency, it is possible, but an "own" way would be nice to have. I can check for the ID after the weekend
👍 1
Avatar
Avatar
Introser
Live pinging would do another agency, it is possible, but an "own" way would be nice to have. I can check for the ID after the weekend
Husky_M00s3 7/7/2024 4:41 PM
If they share an AppleID, can't you just have the wife log into iCloud for you? From there, you can use "Find My" to locate the other phone? I do not think you need to find the password in the phone. Unless the husband is the only person who knows the password.
Avatar
Looking at the Cellebrite Reader file trying to break down Telegram contacts. Has anyone made an overview of what the different Interaction Statuses are? Like "ChatParticipant", "AppContact", "Group". My current understanding is that all members of a Group chat or similar are logged as ChatParticipant, which means you will get a lot of contacts in the database if the user account was a member of many big groups. Many of these might be vaguely or not linked to the suspect at all.
Avatar
Hi, does anyone know how to identify original filenames for files in the Gallery 3D cache of a Samsung A3 phone? I don't have the original versions. I need to find the original filenames and paths and then look on the device for activity with the files, as they are 1st generation CSAM. The Gallery is version 12.1.09.1. I've looked at a Cheeky Monkey blog about part of this for version 10, but that process doesn't seem to work on newer versions.
Avatar
Quick question regarding Tor on an iPhone. is .../containers/data/application/[id]/library/TorBrowserDataStore/torBrowser.json where bookmarks are saved? I can see urls and titles to websites, nothing else. Looking at Torprojects guide on making a backup of bookmarks seems to match what I'm seeing. (edited)
Avatar
Anyone know a way to redecode an XRY case without losing the tags? I want to run media classification for all images but don't want to lose the current tags. @MSAB (edited)
Avatar
Avatar
Kazhulu
Looking at the Cellebrite Reader file trying to break down Telegram contacts. Has anyone made an overview of what the different Interaction Statuses are? Like "ChatParticipant", "AppContact", "Group". My current understanding is that all members of a Group chat or similar are logged as ChatParticipant, which means you will get a lot of contacts in the database if the user account was a member of many big groups. Many of these might be vaguely or not linked to the suspect at all.
@Cellebrite
Avatar
Avatar
Introser
Anyone know a way to redecode an XRY case without losing the tags? I want to run media classification for all images but don't want to lose the current tags. @MSAB (edited)
Make a copy and redecode only the copy?
8:34 AM
Then if redecoding doesn't give you more data your tags will be safe.
Avatar
Avatar
Kazhulu
@Cellebrite
CLB_4n6s_mc 7/8/2024 8:44 AM
@Kazhulu please have a look at our webinar about Telegram ; I think you will understand better : https://cellebrite.com/en/deep-dive-into-telegram/
👍 1
Avatar
Avatar
Bobby
Make a copy and redecode only the copy?
That definitely. But one case with both tags and media classification would be handy
Avatar
Does anyone know where TikTok's recent searches are stored on Android (the ones that appear when you click on the search bar)?
Avatar
Avatar
Introser
Anyone know a way to redecode an XRY case without losing the tags? I want to run media classification for all images but don't want to lose the current tags. @MSAB (edited)
A redecode will remove the tags unfortunately. But could a workaround (as an alternative to Bobby's suggestion) be to export the media files out of the .xry file, do a folder import of that export and run Image recognition (or am I misinterpreting 'media classification'?) on those files. Adding this .xry file to the .xrycase will of course give you duplicates of all these files, but XAMN will show you both classifications, and have kept the tags in the original file.
👍 1
Avatar
Hi, someone got a parser script for the databases of the App "LIKEE" (iOS) need to get those chats in a good readable format
Avatar
Avatar
MHE
Hi, someone got a parser script for the databases of the App "LIKEE" (iOS) need to get those chats in a good readable format
Haven't had the opportunity to try this one out yet so I'm not sure it is what you're after but it is something I wanted to try out: https://github.com/Caff1982/LikeeScraper One command that I thought might be what you're after is this: Get the comments for a video: LikeeScraper video_comments -vu <video-url> -l 50
A command-line application written in Python that can be used for getting information from Likee. - Caff1982/LikeeScraper
Salute 2
Avatar
facelessg00n 7/9/2024 5:17 AM
Hi. I have made some updates to my translation script. Takes in Cellebrite or Axiom formatted excels (can feed it others if you rename a column ) and runs them through an on prems libre translate server. Results are similar to google translate and it doesn’t have to leave your environment. Good for triaging bulk messages. https://github.com/facelessg00n/pythonForensics/tree/main/offlineTranslate
Assorted Python. Contribute to facelessg00n/pythonForensics development by creating an account on GitHub.
👌 1
❤️ 2
Avatar
Avatar
Vägis
Haven't had the opportunity to try this one out yet so I'm not sure it is what you're after but it is something I wanted to try out: https://github.com/Caff1982/LikeeScraper One command that I thought might be what you're after is this: Get the comments for a video: LikeeScraper video_comments -vu <video-url> -l 50
thanks, I need the sent and received private messages from the internal 1:1 private chats, if possible including the attachments (if saved locally). I didn't get into the app at all, but I need to these days. At least, this is a starting point, thanks man 👍
Avatar
hi guys, not sure if this is the right chat but need some advice. On a OnePlus phone we have an encrypted folder (which we think is the OnePlus 'secret folder'). Does anyone have any ideas how to get into this?
ControlF 1
Avatar
Avatar
Jimbo
hi guys, not sure if this is the right chat but need some advice. On a OnePlus phone we have an encrypted folder (which we think is the OnePlus 'secret folder'). Does anyone have any ideas how to get into this?
Did you obtain a FFS? Did GK or Premium not extract it?
Avatar
I'm not sure to be completely honest, but when the extraction was done, I know it didn't unlock it
Avatar
Hi all, one of my investigators asked me a question which I'm struggling with. He's doing an SFR and the last modified dates/times are post seizure of the exhibit. Some are cache files but 2 files, if I remember, are in the trash. My question is this: how does Android record these dates/times? Does it update them whenever the device is powered on? As we can't figure out why this would be
Avatar
citizencain 7/10/2024 11:43 AM
Anyone know of a way to factory reset an iPhone without entering the Apple password? I have the device code, but it needs to be wiped before returning it to the owner (standard industry practice when returning devices with sensitive/CSAM content). This used to not be an issue, because all you needed was the PIN code (which I have). But now it's also prompting for password AND Face ID (Stolen Device Protection is on). (edited)
Avatar
Avatar
citizencain
Anyone know of a way to factory reset an iPhone without entering the Apple password? I have the device code, but it needs to be wiped before returning it to the owner (standard industry practice when returning devices with sensitive/CSAM content). This used to not be an issue, because all you needed was the PIN code (which I have). But now it's also prompting for password AND Face ID (Stolen Device Protection is on). (edited)
ask the owner for it. I'm sure he will divulge that information if he wants the phone back. Easy to articulate why you are asking... or does it need to be connected to the internet for that to work? (edited)
Avatar
Avatar
rfar
ask the owner for it. I'm sure he will divulge that information if he wants the phone back. Easy to articulate why you are asking... or does it need to be connected to the internet for that to work? (edited)
citizencain 7/10/2024 12:27 PM
Well we ended up getting the device passcode, parental controls password, and Apple password from the owner, and we're now just stuck on the Face ID. Apparently a four-step authentication process is standard now.
Avatar
Avatar
citizencain
Well we ended up getting the device passcode, parental controls password, and Apple password from the owner, and we're now just stuck on the Face ID. Apparently a four-step authentication process is standard now.
Oh wow. That's some good stolen protection
😫 1
😭 1
Avatar
I'm going through an iOS extraction and came across a few artifacts of interest in the /Library/Intents/Images/XXX.png. I can't for the life of me figure out exactly where these pngs came from but one png in particular potentially places bad guy on scene. Any hints? I've tried Googling and doing my own research but can't figure it out
Avatar
Avatar
Blue56
I'm going through an iOS extraction and came across a few artifacts of interest in the /Library/Intents/Images/XXX.png. I can't for the life of me figure out exactly where these pngs came from but one png in particular potentially places bad guy on scene. Any hints? I've tried Googling and doing my own research but can't figure it out
CLB_iwhiffin 7/10/2024 2:32 PM
Whenever I've looked at this, they are just small images/profile pictures from various apps that utilize the intents. Like WhatsApp, Snapchat, Telegram etc. I'd be interested to know if you have a big image in there. Mine are always mostly 90x90 (But it does depend on the app) (edited)
Avatar
Avatar
CLB_iwhiffin
Whenever I've looked at this, they are just small images/profile pictures from various apps that utilize the intents. Like WhatsApp, Snapchat, Telegram etc. I'd be interested to know if you have a big image in there. Mine are always mostly 90x90 (But it does depend on the app) (edited)
No its a small image for me too
Avatar
Avatar
citizencain
Anyone know of a way to factory reset an iPhone without entering the Apple password? I have the device code, but it needs to be wiped before returning it to the owner (standard industry practice when returning devices with sensitive/CSAM content). This used to not be an issue, because all you needed was the PIN code (which I have). But now it's also prompting for password AND Face ID (Stolen Device Protection is on). (edited)
Hans Leißner 7/10/2024 8:50 PM
I would use an Apple Mac. Place the device in DFU and connect it to your Mac. You should be able to factory reset the device then. It could work on Windows too but for me, Mac was more stable. Let us know if this worked (edited)
Avatar
Anyone from @Cellebrite available for a quick chat?
📬 1
Avatar
Question about Android Gallery3d databases. Does someone know how to get the connection from the thumb to the original file? I got thumbnails of files of interest, but the original files don't exist on the phone anymore. I managed to pull a list of path/filenames of files moved to trash including timestamps from local.db, but I miss the connection to those thumbs
Avatar
Avatar
Hans Leißner
I would use an Apple Mac. Place the device in DFU and connect it to your Mac. You should be able to factory reset the device then. It could work on Windows too but for me, Mac was more stable. Let us know if this worked (edited)
citizencain 7/11/2024 5:21 AM
I tried this on both the SE and 12 Pro, and while the device appears in Finder, there is no prompt indicating it was indeed in DFU. You used to get a DFU mode notification through iTunes, but since it isn't technically an app anymore, I'm not sure how to proceed. Do you use a legacy machine for this?
Avatar
Avatar
citizencain
I tried this on both the SE and 12 Pro, and while the device appears in Finder, there is no prompt indicating it was indeed in DFU. You used to get a DFU mode notification through iTunes, but since it isn't technically an app anymore, I'm not sure how to proceed. Do you use a legacy machine for this?
Hans Leißner 7/11/2024 5:35 AM
👍🏻 1
Avatar
Hello guys, has anyone here already used the Life360 app? Hit me up if so, got some questions 🙂
Avatar
Avatar
Herodote
Hello guys, has anyone here already used the Life360 app? Hit me up if so, got some questions 🙂
This app should be supported by ALEAPP / iLEAPP
Avatar
Thanks! I'm wondering if this app also holds the data of friends that share their locations. And if so, how can we find them?
Avatar
Avatar
Herodote
Thanks! I'm wondering if this app also holds the data of friends that share their locations. And if so, how can we find them?
@stark4n6 should be able to help
🫡 1
Avatar
Avatar
Herodote
Thanks! I'm wondering if this app also holds the data of friends that share their locations. And if so, how can we find them?
_blackbeardactual_ 7/11/2024 5:35 PM
Life360 is the sell proclaimed "#1 family locator app". If they're not selling your location data (who am I to judge), they sure are leavi...
Avatar
Hi friends. Working a CSAM case and came across something unusual regarding the Kik application on an Android OS phone. I tracked CSAM media to the data\media\0\DCIM\Kik\ folder, but neither Axiom nor PA reported any Kik artifacts in their respective cases. I noted the version of the Kik app installed is 15.50.1.27996, which appears to be in between supported versions (at least according to the PA matrix). I then thought perhaps I can manually browse through the SQLite DBs, so I checked paths associated with Kik (according to the SANS posters) but cannot find such paths. A global search for 'kik' reveals only the path above. What am I missing? Any thoughts? @Cellebrite @Magnet Forensics (edited)
Avatar
Avatar
rfar
Hi friends. Working a CSAM case and came across something unusual regarding the Kik application on an Android OS phone. I tracked CSAM media to the data\media\0\DCIM\Kik\ folder, but neither Axiom nor PA reported any Kik artifacts in their respective cases. I noted the version of the Kik app installed is 15.50.1.27996, which appears to be in between supported versions (at least according to the PA matrix). I then thought perhaps I can manually browse through the SQLite DBs, so I checked paths associated with Kik (according to the SANS posters) but cannot find such paths. A global search for 'kik' reveals only the path above. What am I missing? Any thoughts? @Cellebrite @Magnet Forensics (edited)
It may be possible that the user deleted app data from Kik (data in the DCIM folder is not part of an application's data and does not get deleted if you clear data for one app)
this 1
Avatar
Anyone know how to tell when a WhatsApp conversation was deleted in PA from Android? It says deleted but doesn’t state when
Avatar
Avatar
obi95
Anyone know how to tell when a WhatsApp conversation was deleted in PA from Android? It says deleted but doesn’t state when
As far as I remember, there is no deletion date for messages. If in doubt, check out the database tables directly
Avatar
Hans Leißner 7/12/2024 2:28 PM
If someone deletes an entire chat and then starts a new chat with the chat partner, you should see a WA system message in the timeline stating that the chat is encrypted end-to-end. Perhaps the timing matches an assumption/assertion. As the colleague before me wrote, there will probably be no deletion date.
Avatar
Avatar
obi95
Anyone know how to tell when a WhatsApp conversation was deleted in PA from Android? It says deleted but doesn’t state when
_blackbeardactual_ 7/12/2024 5:22 PM
You may be able to work out a period of time based on commits from the wal if you are familiar with that process
Avatar
Avatar
_blackbeardactual_
You may be able to work out a period of time based on commits from the wal if you are familiar with that process
That sounds very time consuming 😅 Any good resource to share? 🙏
4:23 AM
Paul Sanderson has a SQLite forensics book too which is pretty good.
4:24 AM
This is presuming the database used WAL and not journal but WAL is more common I believe.
4:24 AM
It also requires there to be a WAL in the extraction which is not always the case.
🙏 2
Avatar
Avatar
_blackbeardactual_
It also requires there to be a WAL in the extraction which is not always the case.
Hans Leißner 7/13/2024 10:11 AM
Full Filesystem 💡 The last device I saw with journal instead of WAL was a Galaxy GT-I9000, Android 2.3.6 😅 (edited)
🤣 2
Avatar
Avatar
_blackbeardactual_
It also requires there to be a WAL in the extraction which is not always the case.
I confirm that WhatsApp uses WAL / SHM files, which is a bit annoying when you are manipulating the messages to alter evidence (anti-forensics and so on), but it can be fixed quickly
Avatar
Has anyone had any issues with Cellebrite PA opening previously visited Windows Explorer locations when selecting extractions, keychain plists etc? I.e. if you selected a plist on your last job, when you come to select a plist on your next job it will open the folder location of the previous job? It provides an opportunity to accidentally load the wrong plist. Anyone got a solution? There don't seem to be any related PA settings.
Avatar
Avatar
Achris
Has anyone had any issues with Cellebrite PA opening previously visited Windows Explorer locations when selecting extractions, keychain plists etc? I.e. if you selected a plist on your last job, when you come to select a plist on your next job it will open the folder location of the previous job? It provides an opportunity to accidentally load the wrong plist. Anyone got a solution? There don't seem to be any related PA settings.
This seems to be standard as I've always had this happen to me.
Avatar
Avatar
Vägis
This seems to be standard as I've always had this happen to me.
Yeah it's annoying, been trying to find something in the registry that we can tweak in the build as a preventative measure but no luck.
Avatar
Yeah, I've had some close calls because of it. Might have to report it to @Cellebrite 👀
Avatar
Avatar
Achris
Has anyone had any issues with Cellebrite PA opening previously visited Windows Explorer locations when selecting extractions, keychain plists etc? I.e. if you selected a plist on your last job, when you come to select a plist on your next job it will open the folder location of the previous job? It provides an opportunity to accidentally load the wrong plist. Anyone got a solution? There don't seem to be any related PA settings.
CLB-DannyTheModeler 7/15/2024 1:33 AM
I understand the issue, but when we do not open the same folder, people complain that it's annoying because they are working a case with multiple extractions, or devices and it saves them time to go back to the last folder. When we do that we get these types of complaints. I guess everybody is right, so maybe the best approach would be to add a setting that you choose to use the current behavior, or a fixed path that you determine. Thoughts? (edited)
👍 3
Avatar
Avatar
CLB-DannyTheModeler
I understand the issue, but when we do not open the same folder, people complain that it's annoying because they are working a case with multiple extractions, or devices and it saves them time to go back to the last folder. When we do that we get these types of complaints. I guess everybody is right, so maybe the best approach would be to add a setting that you choose to use the current behavior, or a fixed path that you determine. Thoughts? (edited)
That makes sense. I would prefer our investigators are a little annoyed over selecting the wrong keyfile and missing evidence. So yeah, the option makes sense; the fixed location wouldn't work for us as our save location changes drive letter for each case (though I am sure it would be welcome for some labs), but an option to revert to the Windows default would be fantastic.
Avatar
I'd say a setting that goes either current or previous
Avatar
Morning all, I figured you’d all need to be aware of this as Cellebrite PA currently has a bug affecting the decoding of Safari from iOS 14 through 16. I’ve tested a device running 15.6.1 and it goes as far back as PA 7.61. Currently Cellebrite are looking into this but as of yet no specific reason has been found/communicated to me. From my tests as well, the issue appears to be random but Cellebrite might come back with more information soon. They have stated it is fixed in the new version coming out soon though
🔥 1
Avatar
Avatar
CLB-DannyTheModeler
I understand the issue, but when we do not open the same folder, people complain that it's annoying because they are working a case with multiple extractions, or devices and it saves them time to go back to the last folder. When we do that we get these types of complaints. I guess everybody is right, so maybe the best approach would be to add a setting that you choose to use the current behavior, or a fixed path that you determine. Thoughts? (edited)
ScottKjr3347 7/15/2024 5:31 AM
I believe the current behavior is best. It’s a trust but verify behavior. Trust your tool is pointing you to the right area, but it’s the examiners job to verify they are loading the appropriate files. Having a setting that allows a user to choose a default location that opens each time the windows explorer opens would be a nice addition but personally I wouldn’t use it. It would more than likely require more navigation.
this 1
Avatar
Can anyone offer some insight on how to flag messages for the groups a specific contact exists in using Oxygen?
Avatar
Avatar
Jason
Can anyone offer some insight on how to flag messages for the groups a specific contact exists in using Oxygen?
Create tag? Add to key evidence?
Avatar
Avatar
CLB-DannyTheModeler
I understand the issue, but when we do not open the same folder, people complain that it's annoying because they are working a case with multiple extractions, or devices and it saves them time to go back to the last folder. When we do that we get these types of complaints. I guess everybody is right, so maybe the best approach would be to add a setting that you choose to use the current behavior, or a fixed path that you determine. Thoughts? (edited)
Slightly off the topic but if you could add the option to choose a directory when generating the preliminary device reports that would be nice!
Avatar
Avatar
obi95
Morning all, I figured you’d all need to be aware of this as Cellebrite PA currently has a bug affecting the decoding of Safari from iOS 14 through 16. I’ve tested a device running 15.6.1 and it goes as far back as PA 7.61. Currently Cellebrite are looking into this but as of yet no specific reason has been found/communicated to me. From my tests as well, the issue appears to be random but Cellebrite might come back with more information soon. They have stated it is fixed in the new version coming out soon though
Can you please elaborate on the actual bug? How does this manifest itself? Have you compared this with other tools to confirm it is not a Safari iOS data deletion issue rather than just a Cellebrite PA issue? Sorry for all the questions 🙂
📫 1
Avatar
Avatar
Jimbo
I'm not sure to be completely honest, but when the extraction was done, I know it didn't unlock it
DM'd you
Avatar
Avatar
Solec
Slightly off the topic but if you could add the option to choose a directory when generating the preliminary device reports that would be nice!
ScottKjr3347 7/15/2024 1:43 PM
You can do it in PA 10.2.101.352: settings > Export Folder
1:43 PM
Avatar
Avatar
ScottKjr3347
You can do it in PA 10.2.101.352: settings > Export Folder
Guess it's one more reason to update. Waiting for some SSDs to come in to upgrade machines before making the move, but the PO keeps disappearing after making it to admin 🙃
👍 1
Avatar
Is the Private folder in WhatsApp Video where the user manually saves media inside a "private" folder inside the app? I know that the WhatsApp Video folder is for received media but never looked into the Private folder. Filenames are still VID-[DATE]-WAXXXXX data/media/0/Android/media/com.whatsapp/Whatsapp/Media/WhatsApp Video/Private/
Avatar
Cellebrite Reader/PA question: Is there any way to add a hotkey to open videos with the default player? Or is it intended to "right-click -> Open with default program" every single video?
12:44 AM
Like in X-Ways "shift + F11"
Avatar
Hi! I have a question regarding web activity (Safari) on iPhone. Is there a way to see a difference between a website having been visited actively and a website just having been refreshed from being open as a tab? If multiple tabs are open in the web browser and you close the application and then open it again, will it look like you visited that website again even though you don't go into the tab actively?
Avatar
WoodenMango 7/16/2024 1:01 AM
Hi, question regarding iOS extraction data - specifically iOS14. If there are two devices on an iCloud account, is there any way to tell what artefacts came from the device itself, and what artefacts came from the other device, but were synced? I need to try and tie down some data to the specific device if possible.
Avatar
I want to find out when the Android phone was set up the last time. Found some different ways and different timestamps for that on the Android phone. They differ by up to a few months. What's your way to go? For example I checked the data/misc/bootstat folder. There is a file called "factory_reset" with last modified time from 20th Nov. 23, while the factory_reset_current_time is from 26th Sept 23. So a total of almost 2 months difference. Any advice?
Avatar
Anyone have insight on the "sync deleted messages" table from the SMS database on an iPhone? The data contains a ROWID and a GUID. Neither of those two seems to correlate with any other table. I am trying to determine if the listed rows in this table indicate an actual deleted message
👀 1
Avatar
Avatar
Bobby
That sounds very time consuming 😅 Any good resource to share? 🙏
I've recently been looking into the WAL structure, a tool to assist is greatly appreciated... not a straightforward process. Here's a link for the structure the WAL is saved in. This doesn't address the SQLite structure/tables, just the WAL structure. https://www.sqlite.org/fileformat2.html#walformat
🙏 1
Avatar
Avatar
Achris
Has anyone had any issues with Cellebrite PA opening previously visited Windows Explorer locations when selecting extractions, keychain plists etc.? I.e. if you selected a plist on your last job, when you come to select a plist on your next job it will open the folder location of the previous job? It provides an opportunity to accidentally load the wrong plist. Anyone got a solution? There don't seem to be any related PA settings.
Yes - I've put in a ticket/feature request for this a while back. It would be nice if when loading a GK iOS acquisition, for example, that after you navigate to a folder for the keychain, the bin/zip window would start from the same location. If you do lots of GK iOS, the current setup could lead to opening a download with the wrong keychain... something I definitely have not done ever before.
Avatar
Avatar
obi95
Morning all, I figured you’d all need to be aware of this as Cellebrite PA currently has a bug affecting the decoding of Safari from iOS 14 through 16. I’ve tested a device running 15.6.1 and it goes as far back as PA 7.61. Currently Cellebrite are looking into this but as of yet no specific reason has been found/communicated to me. From my tests as well, the issue appears to be random but Cellebrite might come back with more information soon. They have stated it is fixed in the new version coming out soon though
Is there a reason it can't be posted publicly? Would love to know what it's doing incorrectly
Avatar
Avatar
Www
Hi! I have a question regarding web activity (Safari) on iPhone. Is there a way to see a difference if a website have been visited actively or if the website just been refreshed from being open as a tab? If multiple tabs are open in the web browser and you close the application and then open it again, will it look like you visited that web site again even though you don’t go in to the tab actively?
Hans Leißner 7/16/2024 10:13 AM
Browserstate.db? 😩
👍 1
Avatar
Avatar
ScottKjr3347
Click to see attachment 🖼️
CLB-DannyTheModeler 7/16/2024 10:17 AM
Actually, that is not the right setting. The default folder for the Preliminary Device Report is the "Default folder" in the Report Defaults tab of the settings. The setting that Scott mentions is the default folder for exported cases, which can later be used to import into another instance of PA and will restore all the decoded data and tags, marked for report, as well as highlights.
👍 1
Avatar
Avatar
whee30
Is there a reason it can't be posted publicly? Would love to know what it's doing incorrectly
I’m not sure why, but I suspect they are looking into it to find out how extensive the bug actually is. My guess is that an RCA should be published once they’ve figured it out but who knows
Avatar
Hopefully!
Avatar
Avatar
CLB-DannyTheModeler
Actually, that is not the right setting. The default folder for the Preliminary Device Report is the "Default folder" in the Report Defaults tab of the settings. The setting that Scott mentions is the default folder for exported cases, which can later be used to import into another instance of PA and will restore all the decoded data and tags, marked for report, as well as highlights.
Then to follow up, it would still be nice to choose a directory in lieu of the default. Not really that big of a deal, I usually just cut and paste it when choosing the reader directory
Avatar
Hey, everyone- I've been out of mobile forensics for a couple of years now, and I'm curious about chip-offs on newer devices. When we were doing them, we had hit a roadblock regarding encryption- newer Android and Apple devices weren't good candidates for chip-off because all you would get was the encrypted data and that's all but useless. Are the advanced extraction capabilities now able to reasonably attack or bypass that encryption, or are there other ways that chip-off is still useable on newer devices?
Avatar
Chip off is still used on vehicle infotainments and IoT devices, I have not heard of any method for chip off for newer phones, encryption really prevents that method from being effective like you said.
Avatar
That's what I thought. I was just curious if there had been any developments or changes there since I left LE in 2020
Avatar
Has anyone tried the latest GUI version of iLEAPP? I've tried it on several computers but nothing happens...
Avatar
Avatar
Crox
Has anyone tried the latest GUI version of iLEAPP? I've tried it on several computers but nothing happens...
Yes, working great. Did you download the last release or did you build it yourself?
Avatar
I have downloaded the version from Git
Avatar
Avatar
Crox
I have downloaded the version from Git
Then, something is wrong on your side. Antivirus issue or GPO restrictions?
Avatar
Yes, Anti Virus could actually be. I'll test it with other different settings, thanks
👍 1
Avatar
chrisforensic 7/17/2024 1:52 AM
@Crox , @Bobby ... same here with both tools... iLEAPP and aLEAPP... both recent guiversion-exe downloaded from github... after start parsing only empty window... hmmm (edited)
Avatar
Avatar
chrisforensic
@Crox , @Bobby ... same here with both tools... iLEAPP and aLEAPP... both recent guiversion-exe downloaded from github... after start parsing only empty window... hmmm (edited)
Alright, release version is broken. I thought the problem was opening it. I just built the GUI version from the Git source code and it's working fine (edited)
Avatar
@chrisforensic @Crox
2:26 AM
I'm able to parse an FFS with the version built manually (edited)
👍 1
Avatar
Thanks for testing. Unfortunately I can't build the exe in my environment. I have to use the finished GUI.exe. Do you know who I should contact to get the bug fixed?
Avatar
Avatar
Crox
Thanks for testing. Unfortunately I can't build the exe in my environment. I have to use the finished GUI.exe. Do you know who I should contact to get the bug fixed?
You can download source code and launch the GUI with python
Avatar
Avatar
Crox
Thanks for testing. Unfortunately I can't build the exe in my environment. I have to use the finished GUI.exe. Do you know who I should contact to get the bug fixed?
@Brigs is the guy 👌
Avatar
NibblesNBits 7/17/2024 6:36 AM
Is anyone aware if there is a way in PA, after running media classification and looking through unclassified images, to place an image into the media classification? I am going to tag it, but I feel like sometimes only items in the classification are what's looked at. They will surely look at a tag, I'm just wondering. A way to add it to the group as classified manually or something similar. (edited)
Avatar
Hello, has anyone come across "HideU: Calculator Lock" https://play.google.com/store/apps/details?id=com.calculator.hideu&hl=en_GB ? I've come across the application on an Android device which I've performed a FFS extraction on. I've had a look over the file system in Cellebrite PA and there doesn't appear to be any files stored within the application. However I could not find the PIN for the application so can't verify this on the device. Does anyone know where the PIN is stored, or know of any software that can decode the application?
Keep Phone Safe and Hide Photos & Videos behind Calculator! APP locker & hider.
📬 2
Avatar
Trying to find a match on a value buried within a binary plist field of a SQLite DB table. Anyone know of or use a good tool that decodes the binary plist field and allows you to do a DB or table-wide search for a specific value within the bplists? I know tools like Cellebrite and others allow you to view and drilldown into the individual bplists, but when you perform a table or project wide search they don't go through the plists as part of the search... When you are viewing the individual bplists, you can search for a value, but the problem I have is that I have a table of ~5000 records, each record contains a bplist field and I'm trying to see if one of those binary plists contains a particular value. Hopefully that makes.... Thanks in advance for any help.
Avatar
Avatar
Mike_H
Trying to find a match on a value buried within a binary plist field of a SQLite DB table. Anyone know of or use a good tool that decodes the binary plist field and allows you to do a DB or table-wide search for a specific value within the bplists? I know tools like Cellebrite and others allow you to view and drilldown into the individual bplists, but when you perform a table or project wide search they don't go through the plists as part of the search... When you are viewing the individual bplists, you can search for a value, but the problem I have is that I have a table of ~5000 records, each record contains a bplist field and I'm trying to see if one of those binary plists contains a particular value. Hopefully that makes.... Thanks in advance for any help.
Mushy?
Avatar
Avatar
Bobby
I'm able to parse an FFS with the version built manually (edited)
chrisforensic 7/17/2024 9:15 AM
Yes, built aleapp_gui.exe right from gitsource, too... running fine 😉 (edited)
Avatar
anyone know the difference between the AwemeContactsV4 V5 and V6 tables found in tiktok?
Avatar
Avatar
Mike_H
Trying to find a match on a value buried within a binary plist field of a SQLite DB table. Anyone know of or use a good tool that decodes the binary plist field and allows you to do a DB or table-wide search for a specific value within the bplists? I know tools like Cellebrite and others allow you to view and drilldown into the individual bplists, but when you perform a table or project wide search they don't go through the plists as part of the search... When you are viewing the individual bplists, you can search for a value, but the problem I have is that I have a table of ~5000 records, each record contains a bplist field and I'm trying to see if one of those binary plists contains a particular value. Hopefully that makes.... Thanks in advance for any help.
Can you toggle the binary search option within PA DB Viewer?
Avatar
Avatar
Bobby
Mushy?
Thanks for the reply. I do use Mushy for viewing individual bplists, but unfortunately it doesn't help in this case as the bplists I am dealing with are embedded as a table value within a SQLite DB....
Avatar
Avatar
snoop168
Can you toggle the binary search option within PA DB Viewer?
Thanks. I enabled the option 'enable searching in binary blobs', then performed a database wide search for a value I know exists within one of the Binary Plists for sure, but no hits. Is there something else I need to enable or do?
Avatar
Avatar
Mike_H
Thanks. I enabled the option 'enable searching in binary blobs', then performed a database wide search for a value I know exists within one of the Binary Plists for sure, but no hits. Is there something else I need to enable or do?
what app is this related to? Want to see if I can pull up the same DB in a test extraction to try to understand.
Avatar
Avatar
Mike_H
Thanks for the reply. I do use Mushy for viewing individual bplists, but unfortunately it doesn't help in this case as the bplists I am dealing with are embedded as a table value within a SQLite DB....
I thought you were able to extract bplist from db. Hum what about Oxygen db viewer? As snoop said which app are we talking about
Avatar
NibblesNBits 7/17/2024 1:47 PM
Does anyone know what exists to verify an eSIM was active.
Avatar
Avatar
Crox
Thanks for testing. Unfortunately I can't build the exe in my environment. I have to use the finished GUI.exe. Do you know who I should contact to get the bug fixed?
It should be fixed now. Please try again.
Avatar
Avatar
chrisforensic
@Crox , @Bobby ... same here with both tools... iLEAPP and aLEAPP... both recent guiversion-exe downloaded from github... after start parsing only empty window... hmmm (edited)
should be fixed now. Please test.
🔥 1
💯 1
Avatar
Avatar
Bobby
I thought you were able to extract bplist from db. Hum what about Oxygen db viewer? As snoop said which app are we talking about
It's the Binary Plists in the arroyo.db for Snapchat in the 'conversation_message' table contained in the 'message_content' field. There are some 'key' values stored in the plists that I am looking to search for, but would like to be able to search them all at once and not one at a time. I haven't tried Oxygen yet, I will take a look at that shortly.
Avatar
Avatar
Mike_H
Trying to find a match on a value buried within a binary plist field of a SQLite DB table. Anyone know of or use a good tool that decodes the binary plist field and allows you to do a DB or table-wide search for a specific value within the bplists? I know tools like Cellebrite and others allow you to view and drilldown into the individual bplists, but when you perform a table or project wide search they don't go through the plists as part of the search... When you are viewing the individual bplists, you can search for a value, but the problem I have is that I have a table of ~5000 records, each record contains a bplist field and I'm trying to see if one of those binary plists contains a particular value. Hopefully that makes.... Thanks in advance for any help.
ScottKjr3347 7/17/2024 7:27 PM
Try x-Ways
Avatar
Avatar
Brigs
should be fixed now. Please test.
chrisforensic 7/17/2024 10:18 PM
Good Morning... tested new gui-versions-exe..... now working fine, thanks Salute
🔥 2
❤️ 1
Avatar
Avatar
Mike_H
It's the Binary Plists in the arroyo.db for Snapchat in the 'conversation_message' table contained in the 'message_content' field. There are some 'key' values stored in the plists that I am looking to search for, but would like to be able to search them all at once and not one at a time. I haven't tried Oxygen yet, I will take a look at that shortly.
The message_content BLOBs should be protobufs, not a bplist. You could write a quite small script to parse and search through the contents and print the rows/write them to a new DB
Avatar
Avatar
Mike_H
Trying to find a match on a value buried within a binary plist field of a SQLite DB table. Anyone know of or use a good tool that decodes the binary plist field and allows you to do a DB or table-wide search for a specific value within the bplists? I know tools like Cellebrite and others allow you to view and drilldown into the individual bplists, but when you perform a table or project wide search they don't go through the plists as part of the search... When you are viewing the individual bplists, you can search for a value, but the problem I have is that I have a table of ~5000 records, each record contains a bplist field and I'm trying to see if one of those binary plists contains a particular value. Hopefully that makes.... Thanks in advance for any help.
Hey, if you click this button here in the database view, it will search inside blobs. Edit: I see you already tried that and it didn't work, but do note this is not database wide but table wide, so you need to be in the relevant table. (edited)
this 2
Avatar
Does anyone know if the coordinates found in com.apple.wifi.known-passwords.plist are reliable? It seems to record a location every time you connect to a new BSSID for a known network. There are therefore a lot of locations when connected to another iPhone since they randomize the BSSID all the time. (edited)
Avatar
@Magnet Forensics anyone available?
Avatar
SuperSleuth 7/18/2024 12:03 PM
Looking for anyone familiar with Cellebrite Premium/Inseyets vs. Verakey. Have not yet used Verakey but thinking about replacing CB because of limitations they put on FFS extractions for certain types of cases in the private sector.
Avatar
Avatar
NibblesNBits
Is anyone aware if there is a way in PA after running media classification and looking through unclassified images to place an image into the media classification. I am going to tag it but i feel like sometimes only items in the classification are whats looked at. They will surely look at a tag im just wondering. A way to add it to the group as classified manually or something similar. (edited)
Media Classification is based on the model and it can not learn new things from your feedback. The training has to be done by Cellebrite, I think. But I heard that Pathfinder can learn from a picture and find you similar ones.
Avatar
Avatar
chauan
Media Classification is based on the model and it can not learn new things from your feedback. The training has to be done by Cellebrite, I think. But I heard that Pathfinder can learn from a picture and find you similar ones.
Axiom can search for similar images
Avatar
Loz📱🕵 7/19/2024 7:10 AM
Hi everyone, I have an important romance fraud job that I'm working on (iPhone SE). The victim was wrongfully advised to delete the chat applications where all of this took place over the last few years. Apps in question are Signal, WhatsApp and Facebook Messenger. Screenshots of the evidence were also deleted back in January; the handset was only just submitted for examination. My understanding and research says this data is gone for good. Before I close the case, does anyone have any other suggestions? Was hoping some hidden databases might hold some residual data but nothing so far 😦
Avatar
Avatar
Loz📱🕵
Hi everyone, I have an important romance fraud job that I'm working on (iPhone SE). The victim was wrongfully advised to delete the chat applications where all of this took place over the last few years. Apps in question are Signal, WhatsApp and Facebook Messenger. Screenshots of the evidence were also deleted back in January; the handset was only just submitted for examination. My understanding and research says this data is gone for good. Before I close the case, does anyone have any other suggestions? Was hoping some hidden databases might hold some residual data but nothing so far 😦
If the phone hasn't been in use since the deletion of the screenshots, shouldn't there still be some crumbs left from the deleted files? Cached copies? Thumbnails? The databases holding conversations for all of the apps mentioned get removed when the app is deleted. Did he just delete the apps or delete the chats AND the apps? There's a small chance it could be synced by re-downloading the apps.
7:29 AM
Signal won't sync tho
Avatar
Avatar
Vägis
If the phone hasn't been in use since the deletion of the screenshots, shouldn't there still be some crumbs left from the deleted files? Cached copies? Thumbnails? The databases holding conversations for all of the apps mentioned get removed when the app is deleted. Did he just delete the apps or delete the chats AND the apps? There's a small chance it could be synced by re-downloading the apps.
Loz📱🕵 7/19/2024 7:31 AM
unfortunately it has been in use since January, only surrendered to the officer in May, they deleted all the apps in Jan on the advice of the visiting officer so that they wouldn't receive any further comms from the suspect.
🥲 3
Avatar
Avatar
Loz📱🕵
unfortunately it has been in use since January, only surrendered to the officer in May, they deleted all the apps in Jan on the advice of the visiting officer so that they wouldn't receive any further comms from the suspect.
Hans Leißner 7/19/2024 7:55 AM
Short version Collection of scripts that assist with parsing iOS snapshot bplists in the applicationState.db data store. Snapshot images s...
👍 1
Avatar
Avatar
Vägis
If the phone hasn't been in use since the deletion of the screenshots, shouldn't there still be some crumbs left from the deleted files? Cached copies? Thumbnails? The databases holding conversations for all of the apps mentioned get removed when the app is deleted. Did he just delete the apps or delete the chats AND the apps? There's a small chance it could be synced by re-downloading the apps.
Deleted files cannot be recovered on iOS, unless they are found inside some iTunes backup etc
💯 1
Avatar
Avatar
Loz📱🕵
Hi everyone, I have an important romance fraud job that I'm working on (iPhone SE). The victim was wrongfully advised to delete the chat applications where all of this took place over the last few years. Apps in question are Signal, WhatsApp and Facebook Messenger. Screenshots of the evidence were also deleted back in January; the handset was only just submitted for examination. My understanding and research says this data is gone for good. Before I close the case, does anyone have any other suggestions? Was hoping some hidden databases might hold some residual data but nothing so far 😦
Re: Facebook messenger, the communications should still be available inside the Facebook account
Avatar
Avatar
Lazza
Re: Facebook messenger, the communications should still be available inside the Facebook account
Loz📱🕵 7/19/2024 9:35 AM
Yes I was thinking this, I’m planning to give back to the officer with the advice to see if the victim can re-download both messenger and WhatsApp to see if the messages are within the back-up then hopefully export the chats themselves
👍 1
Avatar
Hans Leißner 7/20/2024 6:04 AM
Hi everyone :} Anyone familiar with the iOS 15 database /Library/Database/com.apple.MobileBluetooth.ledevices.other.db ? The database was inside a FFS extraction from Sept. 2022. Table 'OtherDevices', column 'LastSeenTime'. The rows make no sense to me. I have used several time converters in the meantime and can't get a result that makes sense. Here is an example: 20069048 The only conversion that could be approximately correct is seconds from UTC 2001 (iPhone). The problem is... all 1010 Bluetooth devices in this database were last seen in the year xx.xx.2001 when using the mentioned time. I had expected data from at least the year 2022. I had hoped that I could somehow find a device that was close to the device at a time under investigation. Apparently this time has a different meaning... Or does it mean 'lastseentime' since.... idk, I just don't know what xD Anyone have any idea? (edited)
Avatar
Avatar
Hans Leißner
Hi everyone :} Anyone familiar with the iOS 15 database /Library/Database/com.apple.MobileBluetooth.ledevices.other.db ? The database was inside a FFS extraction from Sept. 2022. Table 'OtherDevices', column 'LastSeenTime'. The rows make no sense to me. I have used several time converters in the meantime and can't get a result that makes sense. Here is an example: 20069048 The only conversion that could be approximately correct is seconds from UTC 2001 (iPhone). The problem is... all 1010 Bluetooth devices in this database were last seen in the year xx.xx.2001 when using the mentioned time. I had expected data from at least the year 2022. I had hoped that I could somehow find a device that was close to the device at a time under investigation. Apparently this time has a different meaning... Or does it mean 'lastseentime' since.... idk, I just don't know what xD Anyone have any idea? (edited)
10:49 AM
There are details about the db you are investigating
Avatar
Avatar
Bobby
There are details about the db you are investigating
Hans Leißner 7/20/2024 11:00 AM
Thank you. This report did not go into detail about the ledevices.other database... unfortunately. At least I don't see anything about it. I was aware of the article
Avatar
What about other db in that article, are they available?
Avatar
Avatar
Bobby
What about other db in that article, are they available?
Hans Leißner 7/20/2024 11:02 AM
Yes, but they don't help me any further. I'm trying to find out if an unknown device was in the vicinity of the iPhone at a certain time. Not one that it was paired with
11:03 AM
I even plowed through the unified logs...unfortunately negative.
11:04 AM
thats a rlly tricky one..
Avatar
Avatar
Hans Leißner
Yes, but they don't help me any further. I'm trying to find out if an unknown device was in the vicinity of the iPhone at a certain time. Not one that it was paired with
Did you try iLEAPP? The Bluetooth parser should support xx.other.db
11:18 AM
With luck the timestamp could be in the correct format
😅 1
Avatar
Avatar
Bobby
With luck the timestamp could be in the correct format
Hans Leißner 7/20/2024 11:19 AM
I'm glad you mentioned it again... I already opened the FFS with Aleapp and wondered why it didn't work.... I had the GUI of A... open instead of ILeapp xD
🤣 1
11:22 AM
That's what happens when you want to process several extractions at once...
Avatar
Avatar
Bobby
Did you try iLEAPP? The Bluetooth parser should support xx.other.db
Hans Leißner 7/20/2024 10:20 PM
iLeapp did parse the db but without Timestamps. Unfortunately, the secret behind the time 'LastSeenTime' could not be solved (edited)
🤦 1
Avatar
Avatar
Hans Leißner
Hi everyone :} Anyone familiar with the iOS 15 database /Library/Database/com.apple.MobileBluetooth.ledevices.other.db ? The database was inside a FFS extraction from Sept. 2022. Table 'OtherDevices', column 'LastSeenTime'. The rows make no sense to me. I have used several time converters in the meantime and can't get a result that makes sense. Here is an example: 20069048 The only conversion that could be approximately correct is seconds from UTC 2001 (iPhone). The problem is... all 1010 Bluetooth devices in this database were last seen in the year xx.xx.2001 when using the mentioned time. I had expected data from at least the year 2022. I had hoped that I could somehow find a device that was close to the device at a time under investigation. Apparently this time has a different meaning... Or does it mean 'lastseentime' since.... idk, I just don't know what xD Anyone have any idea? (edited)
Many iOS databases use Cocoa time which starts at 01.01.2001.
2:33 AM
So the timestamp would only show the time after the creation of the database.
💡 1
2:34 AM
Maybe you can check the birthtime of the file and add the time difference.
Avatar
Avatar
prosch
Maybe you can check the birthtime of the file and add the time difference.
Hans Leißner 7/21/2024 3:35 AM
I give that a try! Thanks :}
Avatar
Avatar
MHE
Hi everyone, quick question: I got one suspect video file with 2 duplicates (so 3 files in total), shown in Cellebrite Reader. One of the file paths is shown as something similar to "Google Photo JsohnSmith@gmail.com/localmedia/VID_123.mp4", the other 2 paths are in a common directory. Does this mean the file is physically saved on the device just 2 times and the Google Photos file path shown is just a reference to one of these locally saved duplicates, or is the one with the Google Photos file path saved somewhere and I don't see the "real" folder where it sits in the file tree? Just need to know if I got 3 files "existent" on the device or 2 and one "pseudo" file
I am wrestling with the same question. Did you find out more?
Avatar
Avatar
Rob
com.google.android.apps.photos/files/shadowcopies and com.google.android.apps.photos/files/trash_files. Would these be classed as inaccessible (i.e. require a forensic tool or advanced knowledge to recover the files)
I have the same question. Did you find an answer?
Avatar
Hi All. Does anyone have experience with the Signal application - Specifically the file paths of the media sent through Signal? I have hundreds of media with file path 'data\org.thoughtcrime.securems\app_parts', and need to determine if 'app_parts' is an accessible media location. Thanks in advance.
Avatar
Hey. Can anyone help me out? What exactly does the Network Usage Stats indicate within a UFED PA report? I have numerous app names showing, all with the same or very similar timestamps within the network stats tab but I cannot see any correlation between these and actual user activity. Could these simply be background app activity? @Cellebrite (edited)
Phillips
Hi All. Does anyone have experience with the Signal application - Specifically the file paths of the media sent through Signal? I have hundreds of media with file path 'data\org.thoughtcrime.securems\app_parts', and need to determine if 'app_parts' is an accessible media location. Thanks in advance.
this path is indeed where signal media is stored, but the files there are encrypted. PA does support decrypting these files and attaching them to the relevant message.
Mistercatapulte 7/23/2024 7:57 AM
iOS question: a lawyer asks for details concerning a specific time slot concerning data consumption, the telephone operator having indicated data consumption. I have looked through datausage, knowledgeC, Biome, I have nothing conclusive (I specify that I do not have the unified logs, the phone was extracted 6 months after its seizure.) Thanks in advance friends (edited)
Random question. We had a Vivint Smart Hub come into the lab. Investigators want activity logs from the device. Does anyone have any experience with this and know if it's even possible?
Mike
Random question. We had a Vivint Smart Hub come into the lab. Investigators want activity logs from the device. Does anyone have any experience with this and know if it's even possible?
Hans Leißner 7/23/2024 8:38 AM
#iot-forensics
Hans Leißner
#iot-forensics
Thanks, my fault...forgot what channel I was in
🤗 1
Mistercatapulte
iOS question: a lawyer asks for details concerning a specific time slot concerning data consumption, the telephone operator having indicated data consumption. I have looked through datausage, knowledgeC, Biome, I have nothing conclusive (I specify that I do not have the unified logs, the phone was extracted 6 months after its seizure.) Thanks in advance friends (edited)
Hans Leißner 7/23/2024 8:39 AM
Did u analyze for malware? 👀 (edited)
Mistercatapulte 7/23/2024 8:47 AM
@Hans Leißner look at your DM
CLB - Ofri
this path is indeed where signal media is stored, but the files there are encrypted. PA does support decrypting these files and attaching them to the relevant message.
Great, thank you. Yes these files have been decrypted through PA and I have been able to review them. It was more a question of whether I could define these media artefacts as accessible themselves. As they're multimedia artefacts sent through the chat, these theoretically are accessible to the user. The artefacts in this location are encrypted, but as the user is logged in they are able to see and access these images through their device - right?
Hi everyone, I have a Samsung device (Android 13) and am trying to establish if the device was on speakerphone when a selection of calls were made. Does anyone have any idea if I can find this/where? Thanks!
📬 1
Phillips
Great, thank you. Yes these files have been decrypted through PA and I have been able to review them. It was more a question of whether I could define these media artefacts as accessible themselves. As they're multimedia artefacts sent through the chat, these theoretically are accessible to the user. The artefacts in this location are encrypted, but as the user is logged in they are able to see and access these images through their device - right?
I would say generally yes, but it's hard to say for sure if none of them are cached media that is no longer accessible for some reason. I think it would be best to check if the file is attached to a message (you can see it in the Media view in PA), if it isn't then I wouldn't say it is for sure accessible.
👍 1
AHF
Hi everyone, I have a Samsung device (Android 13) and am trying to establish if the device was on speakerphone when a selection of calls were made. Does anyone have any idea if I can find this/where? Thanks!
I see you received an answer via private message, but IMHO it would be interesting for all if you could share the answer here as well
Morning all, quick question on a decode (sorry I’m a computer man not mobiles and my analyst is away). Looking at a decode of a Samsung Device and it shows WhatsApp (com.whatsapp.conversation) with a “BringToFocus” event at a particular time. Does that mean the device was physically in use at that time? Accessing WhatsApp? Again this is just for my own knowledge, my examiner will be the ‘expert’ when back 😀. Thanks
1:21 AM
There’s a second event logged 10 seconds later with a “SendToBackground” so I assume that’s when they stopped looking at it?
chrisforensic
Oh, yes... "Media Origin" is greyed out even in Reader of latest beta PA 10.2.101.344 @Cellebrite
Hi, @Cellebrite It seems that the problem is still there in 10.3 (edited)
Anyone know how I can find out the user GUID for a Wire user on an iPhone? I've got an FFS extraction and the passcode for the device
Arlakossan
Anyone know how I can find out the user GUID for a Wire user on an iPhone? I've got an FFS extraction and the passcode for the device
cf-eglendye 7/24/2024 2:32 AM
There are multiple places you can find the user GUID for Wire Messenger: 1. On iOS, Wire Messenger stores its data in \\private\var\mobile\Containers\Shared\AppGroup\, not in \\private\var\mobile\Containers\Data\Application\... Within the AppGroup directory you will find the UUID for the application group. Within this folder Wire has a folder called "AccountData", within which is a folder named using the user GUID. 2. If you are examining the store.wiredatabase SQLite database, you will find that there is a table called ZUSER; this contains a column called ZREMOTEIDENTIFIER_DATA which is of BLOB type, containing the hex values of the user GUID.
Dam
Hi, @Cellebrite It seems that the problem is still there in 10.3 (edited)
CLB-DannyTheModeler 7/24/2024 4:47 AM
This issue has been fixed in 10.4, but as a temporary workaround in Reader 10.3, you can go to the Table View and filter based on the relevant columns. If you have any questions, feel free to DM me.
CLB-DannyTheModeler
This issue has been fixed in 10.4, but as a temporary workaround in Reader 10.3, you can go to the Table View and filter based on the relevant columns. If you have any questions, feel free to DM me.
Thank you for your answer. I didn't check in 10.3 but in 10.2 the search bar didn't search in the metadata column. (edited)
Question regarding iMessages involving a blocked contact. I have iMessages between two parties. All of the messages from the device owner's side have the threadid "0", placing them in the instant messages section of PA. All of the messages from the other participant have a threadid that corresponds to the chat participant. So I end up with a conversation that has one side parsed in native messages and the other parsed in instant messages. From the time and context of the messages it's clear they are talking to one another. Both messages are present in the SMS.db and the WAL file. The participant is a blocked contact, so until I do more testing, my thought is that the "blocking" of a user removes the threadid from the device owner. Curious to hear other people's thoughts and/or suggestions.
CLB - Ofri
I would say generally yes, but it's hard to say for sure if none of them are cached media that is no longer accessible for some reason. I think it would be best to check if the file is attached to a message (you can see it in the Media view in PA), if it isn't then I wouldn't say it is for sure accessible.
Thanks for your help. Reviewed the message threads and was able to tie specific media to the messages, so I'm happy to say it's accessible media
👍 1
SuperSleuth 7/24/2024 12:16 PM
I have an extraction from an Android Samsung S21 that shows an image with a file location of (image name)_files_full.zip/data/data/com.sec.android.gallery3d/cache/12/..... There is no creation date. The accessed and modified date are the exact same date and time. Does this mean the original image file was deleted? And, is there anyway to determine the original image creation date or the date it was deleted?
Any idea why PA might show a Keychains folder as having a large size but then show no files in it? iPhone 13 Advanced logical
On iOS, does anyone know if Signal records a call duration in its database? I have several call related records I'm looking at in the Signal DB and the only thing I'm not seeing is duration. I know in Signal, a user can enable an option under settings to have Signal calls appear under Recents, which will then enable the recording of Signal call details in the callhistory.storedata DB, which should have an associated call duration. But if the user doesn't enable this setting, the call details don't get recorded in this database and I'm thinking no duration is recorded anywhere..... Just wondering if anyone else has more info on this.
Alexsaurus
Any idea why PA might show a Keychains folder as having a large size but then show no files in it? iPhone 13 Advanced logical
Hans Leißner 7/24/2024 8:33 PM
What PA Version r u using?
10.3
Hans Leißner 7/24/2024 9:35 PM
Nothing is displayed in the new 'Learning hub' either, although I watched a video yesterday. After restarting PA, however, it worked again. Solution: Ticket will be opened (edited)
📫 1
Hans Leißner
Nothing is displayed in the new 'Learning hub' either, although I watched a video yesterday. After restarting PA, however, it worked again. Solution: Ticket will be opened (edited)
CLB-DannyTheModeler 7/25/2024 1:22 AM
It seems that when your session token expires after 8 hours of inactivity, we don't pop-up the login window. We will open a bug and fix this for the next version, thanks for reporting this Hans. Please create a ticket with support so that we can update you when it's officially fixed. (edited)
🫡 1
Mike_H
On iOS, does anyone know if Signal records a call duration in its database? I have several call related records I'm looking at in the Signal DB and the only thing I'm not seeing is duration. I know in Signal, a user can enable an option under settings to have Signal calls appear under Recents, which will then enable the recording of Signal call details in the callhistory.storedata DB, which should have an associated call duration. But if the user doesn't enable this setting, the call details don't get recorded in this database and I'm thinking no duration is recorded anywhere..... Just wondering if anyone else has more info on this.
I believe Signal indeed does not record any info on the call durations
👍 1
Mistercatapulte 7/25/2024 2:52 AM
@CLB - Ofri correct, only Signal calls stored in the callhistory/calllog db have a timestamp (edited)
💡 1
👍 1
chrisforensic 7/25/2024 5:16 AM
Hello folks @Cellebrite .... I just want to mention that I'm currently working with the latest release Inseyets PA 10.3. I'm really happy with the speed and features. This is how a good program should work. Well done. Salute
🍻 4
🙏 3
Every time I compare Inseyets to the PA version, I'm still missing a lot from it. Every time I try, I say I won't try it again. I want to like/use it, but it just ain't working for me. I compared the same extraction just a few days before the latest update and was again let down. FWIW
Anyone from @Cellebrite available for a question re decoding support please?
📬 1
glennard
Every time I compare Inseyets to the PA version, I'm still missing a lot from it. Every time I try, I say I won't try it again. I want to like/use it, but it just ain't working for me. I compared the same extraction just a few days before the latest update and was again let down. FWIW
chrisforensic 7/25/2024 7:13 AM
I had the same problem as you, but now try the latest version. You will notice the difference.
tampatrouble 7/25/2024 7:16 AM
Does anyone happen to know anything about the "currentpendinglogevents" sqlite for Facebook? I have a hacking case that contains critical information, but I don't know anything about this artifact. Any help would be appreciated.
glennard
Every time I compare Inseyets to the PA version, I'm still missing a lot from it. Every time I try, I say I won't try it again. I want to like/use it, but it just ain't working for me. I compared the same extraction just a few days before the latest update and was again let down. FWIW
There was a white paper released recently that details why you may be getting different results. You have to ensure the same settings/options are set when opening each version. The testing we did produced exactly the same
This is common in Samsung devices and I raised it with a supplier some time ago. The created timestamps are in a DB. I can't remember if it is the internal or external DB or something like that. If I can find the email about it I will post more details on its location.
4N6Matt
There was a white paper released recently that details why you may be getting different results. You have to ensure the same settings/options are set when opening each version. The testing we did produced exactly the same
It didn't even parse out messages. What different setting would cause that?
CLB_joshhickman1 7/25/2024 9:46 AM
That could be a different issue(s) all together. I'll send you a DM in a second to follow-up.
nachito 4n6s 7/25/2024 1:53 PM
Someone from @Cellebrite available for a quick Cloud access question?
Is anyone from @Cellebrite @Cellebrite Moderator available for a quick question about a PAS file?
nachito 4n6s
Someone from @Cellebrite available for a quick Cloud access question?
Hans Leißner 7/25/2024 8:39 PM
@CLB-ChenK
👍 2
Two questions: 1) Do I have any log entries (on iOS and Android) if "personal hotspot" was active at a certain time? 2) Where can I find evidence on iOS and Android what devices have connected to my personal hotspot? Is that information somewhere stored?
Why might a text message from 2014 only appear in the journal file for sms.db, but not the main Android sms.db? Message was sent to the device owner, flagged as "read", but not deleted, and there has been text message activity since this time in the main db file (edited)
TripleA
Why might a text message from 2014 only appear in the journal file for sms.db, but not the main Android sms.db? Message was sent to the device owner, flagged as "read", but not deleted, and there has been text message activity since this time in the main db file (edited)
Could it be that the sms has been sent via the google messaging service rather than the standard application? It might have also been backed up to the cloud and restored down to that device. I could be wrong though on both
TripleA
Why might a text message from 2014 only appear in the journal file for sms.db, but not the main Android sms.db? Message was sent to the device owner, flagged as "read", but not deleted, and there has been text message activity since this time in the main db file (edited)
JLindmar (83AR) 7/26/2024 2:37 PM
Where does the record id # of that message fall in relation to other messages? That is, is the id # higher than messages with a later date or lower than messages with an earlier date, or does it appear sequential? Depending on that, it could suggest the older message was written (e.g., sync, restore, etc.) to the journal at a time other than when it was sent/received and it hasn't yet been committed to the main DB.
Does anyone have any experience with decoding Proton Drive?
Saea
Good evening. A short question: I have an iPhone with 2 different Face IDs and I made a Full File extraction with GrayKey. Can I see in PA which Face ID unlocked the phone on which date and time, and where is that in PA? Thank you for your answer.
Hi, did you ever get to the bottom of this? I have the same issue at the moment. TIA.
Hi. I know this question has been asked before but I wonder if anyone has uncovered the answer. I am being asked to look into an iPhone with potentially 2 different Face IDs. I have a Full File System extraction and have decoded with both AXIOM and UFED PA. I can see when the phone was unlocked but I'm struggling to see which Face ID was used to unlock the phone. Does anyone know where I might find this info? I assume KnowledgeC but I seem to be going round in circles. TIA @Magnet Forensics @Cellebrite (edited)
Can anyone tell me what this file path is referring to (iOS)? I am assuming it's some sort of cache location for iCloud... \mobile\library\caches\CloudKit\com.apple.CloudDocs.MobileDocumentsFileProvider\
shuttered3880 7/29/2024 11:15 PM
Hey everyone! SM-G973F/DS Android 12 --> BFU extraction with UFED 4PC possible? (edited)
⛔ 1
blake-ee
Hi. I know this question has been asked before but I wonder if anyone has uncovered the answer. I am being asked to look into an iPhone with potentially 2 different Face IDs. I have a Full File System extraction and have decoded with both AXIOM and UFED PA. I can see when the phone was unlocked but I'm struggling to see which Face ID was used to unlock the phone. Does anyone know where I might find this info? I assume KnowledgeC but I seem to be going round in circles. TIA @Magnet Forensics @Cellebrite (edited)
Maybe Unified Logs, @Lionel Notari might be able to help you (https://www.ios-unifiedlogs.com/post/ios-unified-logs-unlock)
Morning, looking for some advice re WeChat on iOS (version 8.0.50). Have an FFS but not seeing things like MM.sqlite present. Have the '…xin.plist' and wc005_008.db, but that is empty. In this case I don't have access to the physical handset so just wondering if this is in line with an account that's not set up, or if it's moved to some funky location?
shuttered3880
Hey everyone! SM-G973F/DS Android 12 --> BFU extraction with UFED 4PC possible? (edited)
that depends, if it has firmware from 02.2022 or older - yes
@Cellebrite morning. Quick query on Google Pay decode in 10.1. PA obtains details of the date/time, participants etc but when it comes to the Transfer Amount it says "Unknown_ISO. Unknown-sign5". I assume the euro sign is throwing it off? Also nowhere does PA show which database it pulls this data from (source reads Google Pay with no link off) so I can't manually go check if the amount is recorded. Any ideas?
RichardG
@Cellebrite morning. Quick query on Google Pay decode in 10.1. PA obtains details of the date/time, participants etc but when it comes to the Transfer Amount it says "Unknown_ISO. Unknown-sign5". I assume the euro sign is throwing it off? Also nowhere does PA show which database it pulls this data from (source reads Google Pay with no link off) so I can't manually go check if the amount is recorded. Any ideas?
CLB_4n6s_mc 7/30/2024 2:00 AM
Please open a ticket to support; It could also be the Bitcoin symbol and please update your Inseyets PA to 10.3 thanks @RichardG (edited)
Greg
Maybe Unified Logs, @Lionel Notari might be able to help you (https://www.ios-unifiedlogs.com/post/ios-unified-logs-unlock)
Thanks I'll take a look. @Lionel Notari Just wondered if you might be able to help me out here? (edited)
CLB_4n6s_mc
Please open a ticket to support; It could also be the Bitcoin symbol and please update your Inseyets PA to 10.3 thanks @RichardG (edited)
Will do, just thought you might know the correct database off the top of your head 😀. Thanks we are on 10.3 now this is just an old decode. Will rerun it later just in case before submitting a ticket.
RichardG
Will do, just thought you might know the correct database off the top of your head 😀. Thanks we are on 10.3 now this is just an old decode. Will rerun it later just in case before submitting a ticket.
CLB_4n6s_mc 7/30/2024 2:05 AM
It is not necessarily a database / It could come from other sources, especially for payments, so it could come from an encrypted file based on data in the keychain/keydump, depending on the phone. (edited)
CLB_4n6s_mc
It is not necessarily a database / It could come from other sources, especially for payments, so it could come from an encrypted file based on data in the keychain/keydump, depending on the phone. (edited)
Ah, thanks. It will need manually verifying anyways as important to the case, best I find out where you got it 😀. I’ll drop a ticket in thanks
RichardG
Will do, just thought you might know the correct database off the top of your head 😀. Thanks we are on 10.3 now this is just an old decode. Will rerun it later just in case before submitting a ticket.
Hey, the relevant database is located at data/data/com.google.android.gms/databases/pay in the table GpfeTransactions. It should show up in the Source file field, I'm not really sure why it doesn't.
Arcain
that depends, if it has firmware from 02.2022 or older - yes
shuttered3880 7/30/2024 2:19 AM
Thank you, unfortunately 2023-03-08...
CLB - Ofri
Hey, the relevant database is located at data/data/com.google.android.gms/databases/pay in the table GpfeTransactions. It should show up in the Source file field, I'm not really sure why it doesn't.
Thanks, strangely if you do an advanced find that database shows up in the search results there as the source, even though it doesn't on the main transfer page. Didn't help much though as it must link off somewhere else, as there's no details of the vendor etc, just a transaction id and date / time. I've got a ticket in but something to chase down for the day 😀
RichardG
Thanks, strangely if you do an advanced find that database shows up in the search results there as the source, even though it doesn't on the main transfer page. Didn't help much though as it must link off somewhere else, as there's no details of the vendor etc, just a transaction id and date / time. I've got a ticket in but something to chase down for the day 😀
If by vendor you mean the recipient of the transfer, it should be decoded in the "To" field. All data should be in the table I mentioned, the recipient is decoded from the transaction_proto column which is a protobuf. if you can't find it feel free to send me a DM.
@CLB - Ofri thanks, I'll DM but it won't let me as we don't share a server apparently
Hans Leißner
I'll give that a try! Thanks :}
I'm running into the same issue with the ledevices.other database. Have you found anything about the timestamp format? The Cocoa time didn't work for me
Hans Leißner 7/30/2024 5:59 AM
Unfortunately not! :/
👍 1
Hans Leißner
Unfortunately not! :/
thx, I'll keep you informed if I find anything (edited)
🫡 1
blake-ee
Thanks I'll take a look. @Lionel Notari Just wondered if you might be able to help me out here? (edited)
Lionel Notari 7/30/2024 12:09 PM
Hello, really sorry for the delay. Unfortunately, I don't have a quick answer, I will have to make some tests. I tested it for the fingerprint in the past and I hadn't had any promising results ... I will probably run some tests over the weekend and keep you updated if it's ok for you
I parsed a return in PA v 10.3.0.3169 and am trying to get the language translation feature to work. I have enabled the right languages for my dongle, but it doesn't seem to be working as under Actions > Translation Commands it is grayed out. @Cellebrite
FullTang
I parsed a return in PA v 10.3.0.3169 and am trying to get the language translation feature to work. I have enabled the right languages for my dongle, but it doesn't seem to be working as under Actions > Translation Commands it is grayed out. @Cellebrite
PA 10.x supports the advanced SDL languages, and does not support the basic languages.
Lionel Notari
Hello, really sorry for the delay. Unfortunately, I don't have a quick answer, I will have to make some tests. I tested it for the fingerprint in the past and I hadn't had any promising results ... I will probably run some tests over the weekend and keep you updated if it's ok for you
That's amazing thank you. Just a little extra context... The phone has a single user account secured by a passcode however that passcode is known by another person who has added a second Face-ID to the one account. I've done some testing myself, registering one passcode and two separate Face-IDs but I am struggling to see anywhere in the data that it can be determined which Face-ID was responsible for unlocking the handset. (edited)
👍 1
I mainly do cellphone forensics these days, and it's time for a new computer. One of the bids/invoices is quoted as providing "Intel Xeon W5-2465X 3.1 GHz (4.7 GHz Max Turbo) 16-Core LGA 4677 Processor". Has anybody done any recent testing with AMD Ryzen™ Threadripper™ processors in a head to head test? The main software I focus on is Cellebrite and Axiom for day-to-day use. A while back someone posted that the Threadripper parsed the data way faster than the Intel. Thanks for any insight.
goofycom
Two questions: 1) Do I have any log entries (on iOS and Android) if "personal hotspot" was active at a certain time? 2) Where can I find evidence on iOS and Android what devices have connected to my personal hotspot? Is that information somewhere stored?
Lionel Notari 7/30/2024 2:11 PM
Hello @goofycom , I can answer for the iOS Unified Logs part. First of all, the "Hotspot" is often referenced by "MobileInternetSharing" on iOS: for example you have the subsystem called "com.apple.MobileInternetSharing" and the process "misd", this is a good starting point for your hotspot investigation in the Mac Console. The personal hotspot has different states: OFF, Not Discoverable, Discoverable, Connections. The easiest way to handle the hotspot is either from the Control Center or from the Settings. From the CC, you can switch from ND to Discoverable (and vice-versa) and from Connections to OFF. I have never been able to switch from Discoverable to OFF in the CC for example. In the Settings, you can easily switch it to OFF and to Discoverable/Connections but you can't put it in ND. A first check you can do is the process SpringBoard that generates the following logs:
1) Updated hotspot state [ inoperative: 0 available: 0 enabled: 0 discoverable: 0 connections: 0 ] - OFF
2) Updated hotspot state [ inoperative: 0 available: 1 enabled: 0 discoverable: 0 connections: 0 ] - Not Discoverable
3) Updated hotspot state [ inoperative: 0 available: 1 enabled: 1 discoverable: 0 connections: 0 ] - Discoverable
4) Updated hotspot state [ inoperative: 0 available: 1 enabled: 1 discoverable: 1 connections: 0 ] - Active Connection(s)
Most of the time when the status of the hotspot changes in the CC, SpringBoard will save two logs at approximately the same time: the previous state and the new one. For example if it changes from ND to D, you will have the log 2) followed by log 3).
OFF
When the user switches the hotspot to OFF, you can have the following logs (+ log 1) above):
misd: set state: state ON(1023)->OFF(1022), reason: NO_ERROR(0)->NO_ERROR(0), errnum 0->0
misd: netrb state is OFF
Preferences: MIS state change: 1023 -> 1022, reason: 0 -> 0
wifid: Disable MIS Discoverability requested by "Preferences" with immediateDisable=1 hidden=0 Force2.4GHz Channel=0
Discoverable
The user can switch from OFF to Discoverable or from ND to D.
misd: set state: state OFF(1022)->ON(1023), reason: NO_ERROR(0)->NO_ERROR(0), errnum 45->45
Wifid: MIS Discovery is Enabled
misd: netrb state is ON
SpringBoard: Starting hotspot service (followed by the next one and the log 3))
SpringBoard: Starting hotspot discoverability
SpringBoard: Hotspot discoverability changed to 1
Wifid: Enable MIS Discoverability requested by "SpringBoard" with immediateDisable=0 hidden=0 Force2.4GHz Channel=0
ND
Here the hotspot is still active, so you will still have this log for example:
misd: netrb state is ON
but you will also have these ones (and the log 2) above):
SpringBoard: Hotspot discoverability changed to 0
SpringBoard: Shutting down hotspot discoverability immediately (when the user deactivates it manually)
SpringBoard: Stopping hotspot discoverability after delay (auto deactivation after a period of time)
Wifid: Disable MIS Discoverability requested by "SpringBoard" with immediateDisable=0 hidden=0 Force2.4GHz Channel=0
Connections
Does not generate a lot of Unified Logs unfortunately, so you can search for the log 4) above and also this one:
symptomsd: Update of value 0 to value 1 for keypath softAPClientCount of object <PersonalHotspotRelay: 0xb689252a0>
-------------------------------------------------
2:12 PM
-------------------------------------------------
Once we have the connection, we have to find the name of the connected device and we can do it (sometimes). For this, we will have to check the hostapd process (host access point daemon). This process will save different Unified Logs when the iPhone tries to establish a connection with another device, for example:
hostapd: STA 5c:1b:f4:8d:b3:96 associated
hostapd: STA 5c:1b:f4:8d:b3:96 start authentication
hostapd: STA 5c:1b:f4:8d:b3:96 AUTHORIZED.
hostapd: STA 5c:1b:f4:8d:b3:96 pairwise key handshake completed (RSN)
These logs confirm a hotspot connection. Now if I search "5c:1b:f4:8d:b3:96" in my Unified Logs, I can find the following one:
Wifid: WiFiDeviceManagerGetInterfaceDataUsage: DHCP client hostnames: { "0:d4:9e:85:3b:44" = "5c:1b:f4:8d:b3:96" = "Mini-de-Lionel"; "5c:c5:d4:a1:67:f1" = "7e:8f:c0:f1:f1:11" = "e6:2b:34:6:3:9e" = "f0:18:98:86:a2:72" = }
Please note that I am not always able to find the corresponding name, but if you have a full file system extraction you might be able to find it somewhere else by searching for "5c:1b:f4:8d:b3:96". Sorry for the length of the message, I hope it was not too much ... You can find more on WiFi iOS Unified Logs here if needed: https://www.ios-unifiedlogs.com/post/ios-unified-logs-wifi-and-airplane-mode
🔥 3
👍🏽 1
SuperSleuth
I have an extraction from an Android Samsung S21 that shows an image with a file location of (image name)_files_full.zip/data/data/com.sec.android.gallery3d/cache/12/..... There is no creation date. The accessed and modified date are the exact same date and time. Does this mean the original image file was deleted? And, is there anyway to determine the original image creation date or the date it was deleted?
Hi. I asked the practitioner involved if he could remember, and there is a column in one of the databases detailed as date_added. We still can't recall the DB. The way we found it was to unzip the file system to a location, then use bare grep, point it at that location and search for an image name. It will scan the hex for the matching names, including in DBs.... Then just take a look at that file in your preferred forensics tool by navigating to the file of interest. I find so much extra data this way that tools don't get, such as messages and all sorts.....
Hi all, hopefully someone can assist. I'm looking at file paths and accessibility of images etc, 90% stored in the Android Samsung Secure Folder. I've got \mnt\pass_through\150\emulated\150\Downloads... etc.. But then I've also got \mnt\pass_through\0\emulated\150\Downloads... etc.. And then pass_through\150\emulated\0. Just wanted to know the difference between these? Any assistance would be greatly appreciated
Hans Leißner 7/31/2024 7:36 AM
Different users? 👀 (edited)
7:37 AM
Did u check if there are other profiles?
it's all symlinks to the actual location (/data/media/150) (edited)
loo
Can anyone tell me what this file path is referring to (iOS)? I am assuming it's some sort of cache location for iCloud... \mobile\library\caches\CloudKit\com.apple.CloudDocs.MobileDocumentsFileProvider\
Just bumping my post from the other day, I'm a complete iOS noob and have an iPad with CSAM in this location. I've kept my explanation brief in that it is related to iCloud/CloudKit and is some sort of cache, but just wondering if anyone can provide any further info about this filepath please 👍 (edited)
In this month’s GMDSOFT Tech Letter, we delve deep into the technical aspects of Telegram’s message storage. Our comprehensive guide offers a blend of practical application, illustrated through real-world case studies and examples.
Anyone happen to have a link to this "Tech Letter" GMDSoft is talking about? All I see is a low-quality blog post generated by ChatGPT which is supposed to "introduce" the actual letter, but no link is provided: https://www.gmdsoft.com/blog/gmdsoft-tech-letter_telegram-messages-on-device-missing-in-analysis-results/ (edited)
Hello, did someone come across an iOS database called SNLUOverride.sqlite in the past? I can't find any information about it but it seems to contain relevant data in regards to CSAM. Cheers
Anyone know why a Cellebrite session file (PAS) would just hang on "Loading Session" and never actually load my previous progress? Is the file potentially corrupted?
MrMacca (Allan Mc) 8/1/2024 4:07 PM
@oreo Is it something to do with Siri Natural Language Understanding, maybe it is keywords set by SIRI to flag up if they are used.
👍 1
4:08 PM
Might be worthwhile seeing if it was created by the Apple system, as I've seen similar things in Google files, that control banned words.
4:09 PM
Maybe compare the file to a different extraction, and see if the file hashes match to rule it out
Nitraz_
Hello, I'm on iOS FFS, I've some interesting files located in DarArchive/root/private/var/mobile/Containers/Data/Application/$ID/Caches/com.facebook.Facebook.MosaicIGImageDiskCache/ ($ID = 90CE98E51-CC04-etc). Filenames in this dir are FBImageDownloader-$id . Does anyone know its meaning? (Other than Facebook app cache). Thanks 👍 😉 (edited)
been a while since this post haha but did you ever have any luck? I am trying to establish the same thing.
Anyone had the issue whereby opening Cellebrite Reader 8 (older extraction) is showing "System.Exception: Can not start PostgreSQL server"?
3X3
Anyone had the issue whereby opening Cellebrite Reader 8 (older extraction) is showing "System.Exception: Can not start PostgreSQL server"?
Hans Leißner 8/2/2024 5:12 AM
Did u reopen it? Sometimes that solves the problem (worked for me one time)
Yeah, I got it to work this time by moving its location which is odd.
🫡 1
Trying to find the best solution for translation. UFED4PC v 7.69.0.10 does not seem to be working as the option is grayed out.
Anyone @Cellebrite available for a quick question on PA or PA Inseyets re: Malware Scanning - Cheers
📫 1
Joe Schmoe 8/2/2024 4:25 PM
In case anyone is interested, I did some digging into what happens when iOS users change the timestamps and location of media in the gallery. www.nibblesnbitz.com (edited)
👀 2
👍 1
Joe Schmoe
In case anyone is interested, I did some digging into what happens when iOS users change the timestamps and location of media in the gallery. www.nibblesnbitz.com (edited)
Hans Leißner 8/3/2024 12:06 AM
U now get reviewed by Scott 😳😄 (edited)
DCSO
I mainly do cellphone forensics these days, and it's time for a new computer. One of the bids/invoices is quoted as providing "Intel Xeon W5-2465X 3.1 GHz (4.7 GHz Max Turbo) 16-Core LGA 4677 Processor". Has anybody done any recent testing with AMD Ryzen™ Threadripper™ Processors in a head to head test? The main software I focus on is Cellebrite and Axiom for day-to-day use. A while back someone posted that the Threadripper parsed that data way faster than the Intel. Thanks for any insight.
That would depend on which threadripper they have.
DeepDiveForensics 8/3/2024 10:12 AM
Hi everyone, I have an advanced logical extraction from a device and need to determine which media files were played on it and when. Are there any specific artifacts I should look into for this information?
Hans Leißner
U now get reviewed by Scott 😳😄 (edited)
He helped with my first post. I’m all for constructive criticism. I’m just trying to avoid getting in a rut of spitting out UFDR reports. It gets harder and harder to do as the backlog grows.
💡 1
💯 1
Joe Schmoe
He helped with my first post. I’m all for constructive criticism. I’m just trying to avoid getting in a rut of spitting out UFDR reports. It gets harder and harder to do as the backlog grows.
Hans Leißner 8/3/2024 10:15 AM
Yep. Im with u 😄 mindset on point
DeepDiveForensics
Hi everyone, I have an advanced logical extraction from a device and need to determine which media files were played on it and when. Are there any specific artifacts I should look into for this information?
Hans Leißner 8/3/2024 10:16 AM
What OS? What Version?
DeepDiveForensics 8/3/2024 11:08 AM
Android OS v14
Hans Leißner 8/3/2024 11:28 AM
Do you mean video files within a specific app? Are you investigating a traffic accident or why do you need this information?
DeepDiveForensics 8/3/2024 11:29 AM
Video files stored in gallery and we are investigating a hit and run
DeepDiveForensics
Video files stored in gallery and we are investigating a hit and run
Hans Leißner 8/3/2024 11:33 AM
Did u give ALeapp a try? Digital Wellbeing / App usage (edited)
DeepDiveForensics 8/3/2024 11:34 AM
Not yet, I have parsed the data in UFED Inseyets
Hans Leißner
Did u give ALeapp a try? Digital Wellbeing / App usage (edited)
DeepDiveForensics 8/3/2024 11:34 AM
Let me parse in ALEAPP
DeepDiveForensics
Let me parse in ALEAPP
Hans Leißner 8/3/2024 11:39 AM
Hold on.. u wrote u have an adv logical? Im afraid that digital wellbeing is just inside a full filesystem
11:42 AM
Searching for thumbnails at the time of the crime could be helpful.
Hans Leißner
Hold on.. u wrote u have an adv logical? Im afraid that digital wellbeing is just inside a full filesystem
DeepDiveForensics 8/3/2024 11:49 AM
Yeah, I have an adv logical extraction. Sure, I'll look for thumbnails (edited)
Can someone from @MSAB throw me a DM?
📬 1
Lionel Notari
Hello @goofycom, I can answer for the iOS Unified Logs part. First of all, the "Hotspot" is often referenced as "MobileInternetSharing" on iOS: for example you have the subsystem called "com.apple.MobileInternetSharing" and the process "misd"; this is a good starting point for your hotspot investigation in the Mac Console. The personal hotspot has different states: OFF, Not Discoverable, Discoverable, Connections. The easiest way to handle the hotspot is either from the Control Center or from the Settings. From the CC, you can switch from ND to Discoverable (and vice-versa) and from Connections to OFF. I have never been able to switch from Discoverable to OFF in the CC, for example. In the Settings, you can easily switch it to OFF and to Discoverable/Connections but you can't put it in ND.
A first check you can do is the process SpringBoard that generates the following logs:
1) Updated hotspot state [ inoperative: 0 available: o enabled: 0 discoverable: 0 connections: 0 ] - OFF
2) Updated hotspot state [ inoperative: 0 available: 1 enabled: 0 discoverable: 0 connections: 0 ] - Not Discoverable
3) Updated hotspot state [ inoperative: 0 available: 1 enabled: 1 discoverable: 0 connections: 0 ] - Discoverable
4) Updated hotspot state [ inoperative: 0 available: 1 enabled: 1 discoverable: 1 connections: 0 ] - Active Connection(s)
Most of the time when the status of the hotspot changes in the CC, SpringBoard will save two logs at approximately the same time: the previous state and the new one. For example if it changes from ND to D, you will have log 2) followed by log 3).
OFF: When the user switches the hotspot to OFF, you can have the following logs (+ log 1) above):
misd: set state: state ON(1023)->OFF(1022), reason: NO_ERROR(0)->NO_ERROR(0), errnum 0->0
misd: netrb state is OFF
Preferences: MIS state change: 1023 -> 1022, reason: 0 -> 0
wifid: Disable MIS Discoverability requested by "Preferences" with immediateDisable=1 hidden=0 Force2.4GHz Channel=0
Discoverable: The user can switch from OFF to Discoverable or from ND to D.
misd: set state: state OFF(1022)->ON(1023), reason: NO_ERROR(0)->NO_ERROR(0), errnum 45->45
Wifid: MIS Discovery is Enabled
misd: netrb state is ON
SpringBoard: Starting hotspot service (followed by the next one and log 3))
SpringBoard: Starting hotspot discoverability
SpringBoard: Hotspot discoverability changed to 1
Wifid: Enable MIS Discoverability requested by "SpringBoard" with immediateDisable=0 hidden=0 Force2.4GHz Channel=0
ND: Here the hotspot is still active, so you will still have this log, for example:
misd: netrb state is ON
but you will also have these ones (and log 2) above):
SpringBoard: Hotspot discoverability changed to 0
SpringBoard: Shutting down hotspot discoverability immediately (when the user deactivates it manually)
SpringBoard: Stopping hotspot discoverability after delay (auto deactivation after a period of time)
Wifid: Disable MIS Discoverability requested by "SpringBoard" with immediateDisable=0 hidden=0 Force2.4GHz Channel=0
Connections: Does not generate a lot of Unified Logs unfortunately, so you can search for log 4) above and also this one:
symptomsd: Update of value 0 to value 1 for keypath softAPClientCount of object <PersonalHotspotRelay: 0xb689252a0>
Thanks a lot @Lionel Notari Great help. I will give it a try the next couple of days and see what I can dig out.
3X3
Anyone had the issue whereby opening Cellebrite Reader 8 (older extraction) is showing "System.Exception: Can not start PostgreSQL server"?
CLB-DannyTheModeler 8/5/2024 1:00 AM
If Reader encounters any issues and is not able to extract all the files it needs to run the PostgreSQL DB, it will clean up the temp folder; then when you relaunch it everything should be ok.
Hi everyone, looking at com.android.vending/install_queue.db, in the install+_requests table there's a 'reason' column; most reasons are fairly self-explanatory, however there's one 'ec_choice_install' - does anyone have any idea what that means? I googled it and literally nothing comes up 😂
1:39 AM
Also there's a 'state' column - does anyone have any idea what the states refer to? for reference, the 'ec_choice_install' row has a 'state' of 2
1:40 AM
The corresponding row in localappstate.db has the install reason listed as 'unknown' which is super unhelpful
chms17
Hi everyone, looking at com.android.vending/install_queue.db, in the install+_requests table there's a 'reason' column; most reasons are fairly self-explanatory, however there's one 'ec_choice_install' - does anyone have any idea what that means? I googled it and literally nothing comes up 😂
cf-eglendye 8/5/2024 2:27 AM
I was intrigued..."literally nothing". This is by far a long shot and complete guess... so please do not take this as accurate, but hopefully might provoke some thought...and research. It may be that someone else has a more accurate answer for you! That said, the link below MAY be of relevance? Is the application of interest a browser? Or have a built in browser? https://www.android.com/choicescreen/dma/ (edited)
The Android choice screen lets users select their search provider and browser during setup. Learn how to include your service or browser in the choice screen.
2:29 AM
"(i) set the search provider in a home screen search box to the selected provider, (ii) set the default search provider in Chrome (if installed) to the selected provider, and (iii) install the search app of the selected provider (if not already installed)." it is point (iii) that I think you may be encountering here?
2:31 AM
Could it be possible "ec" refers to "European Commission"
2:31 AM
Just typing out loud...
cf-eglendye
I was intrigued..."literally nothing". This is by far a long shot and complete guess... so please do not take this as accurate, but hopefully might provoke some thought...and research. It may be that someone else has a more accurate answer for you! That said, the link below MAY be of relevance? Is the application of interest a browser? Or have a built in browser? https://www.android.com/choicescreen/dma/ (edited)
that's actually super helpful, the app in question is com.duckduckgo.mobile.android, and the associated timestamps correlate with device setup time, so that may well be the case. Thank you so much! How did you find that?
chms17
that's actually super helpful, the app in question is com.duckduckgo.mobile.android, and the associated timestamps correlate with device setup time, so that may well be the case. Thank you so much! How did you find that?
cf-eglendye 8/5/2024 4:16 AM
Glad I could be of help, obviously I would suggest trying to replicate to assist in verification of the data. But that would be my best guess, especially given that your timestamps correlate with setup time. Essentially, when the device is being set up it is being asked what web browser to use, the user has to select an option, at which point if it is not already installed as part of that OS then it installs it. Hence, the ec_choice_install. Google - "android choice"
4:17 AM
less is more, sometimes...
😂 1
cf-eglendye
Glad I could be of help, obviously I would suggest trying to replicate to assist in verification of the data. But that would be my best guess, especially given that your timestamps correlate with setup time. Essentially, when the device is being set up it is being asked what web browser to use, the user has to select an option, at which point if it is not already installed as part of that OS then it installs it. Hence, the ec_choice_install. Google - "android choice"
testing now! Will update you...
ControlF 1
off the back of this - anyone know a reputable source to download firmware from that I don't have to pay for... Specifically G960FXXS7CTA2
This site seems to have it, at least clicking on "Download on browser" something seems to download https://samfw.com/firmware/SM-G960F/SER/G960FXXS7CTA2
this 1
👍 1
Husky_M00s3 8/5/2024 10:37 AM
I am looking at WhatsApp on an iphone 12 Pro (iOS 17) Does anyone know what the zMEDIAORIGIN column in ZWAMEDIAITEM signifies? I am looking to determine whether a video was taken with the device.
Google Chrome artifact on an Android Smartphone. Cached Video file located within the com.android.chrome/cache/Cache/Cache_Data/ folders. There's no date/time stamps within the media file, is there a way to determine their download date? Phone is not available, Ultra FFS may be, but I am working off a limited PDF/UFDR. (edited)
Alexsaurus 8/5/2024 2:54 PM
Hmmmm. I rebooted my machine and opened Insights PA and now all the cases are gone. @Cellebrite any ideas? I went to import the cases but it is asking for a .clbe file and I don't have any of those.
Lazza
This site seems to have it, at least clicking on "Download on browser" something seems to download https://samfw.com/firmware/SM-G960F/SER/G960FXXS7CTA2
Alexsaurus 8/5/2024 3:01 PM
This is the site I use and has worked for me
Alexsaurus
Hmmmm. I rebooted my machine and opened Insights PA and now all the cases are gone. @Cellebrite any ideas? I went to import the cases but it is asking for a .clbe file and I don't have any of those.
Alexsaurus 8/5/2024 6:07 PM
Huh, and suddenly they are back. Didn't even touch the machine. Odd.
WoodenMango 8/6/2024 1:12 AM
Has anyone come across the Xiaomi Privacy Protection Password before? I’ve got a FFS from Premium so hoping it’s grabbed anything that’s protected but not sure how to confirm this? I know of the 150 file path for Samsung Secure Folder but just wondering if there’s something similar I can look at for this? It’s a Redmi Note 10.
Lazza
This site seems to have it, at least clicking on "Download on browser" something seems to download https://samfw.com/firmware/SM-G960F/SER/G960FXXS7CTA2
thank you 🙂
WoodenMango
Has anyone come across the Xiaomi Privacy Protection Password before? I’ve got a FFS from Premium so hoping it’s grabbed anything that’s protected but not sure how to confirm this? I know of the 150 file path for Samsung Secure Folder but just wondering if there’s something similar I can look at for this? It’s a Redmi Note 10.
if that's the one i'm thinking about, locate the .key file and bf it like old Android passcodes, using Andriller for example
Husky_M00s3
I am looking at WhatsApp on an iphone 12 Pro (iOS 17) Does anyone know what the zMEDIAORIGIN column in ZWAMEDIAITEM signifies? I am looking to determine whether a video was taken with the device.
https://www.group-ib.com/blog/whatsapp-forensic-artifacts/ ZMEDIAORIGIN Unknown, usually has value ‘0’ (edited)
🔥 1
WoodenMango
Has anyone come across the Xiaomi Privacy Protection Password before? I’ve got a FFS from Premium so hoping it’s grabbed anything that’s protected but not sure how to confirm this? I know of the 150 file path for Samsung Secure Folder but just wondering if there’s something similar I can look at for this? It’s a Redmi Note 10.
🙏 1
tost
Hello, has anyone a parser for the likee and/or zangi messenger app? Perhaps anyone knows how to export chats and more. (edited)
Hi Tost, did you have any luck with the mentioned App (zangi)
WoodenMango
Has anyone come across the Xiaomi Privacy Protection Password before? I’ve got a FFS from Premium so hoping it’s grabbed anything that’s protected but not sure how to confirm this? I know of the 150 file path for Samsung Secure Folder but just wondering if there’s something similar I can look at for this? It’s a Redmi Note 10.
Is this different from the Secure Safe?
hypeman
Hi Tost, did you have any luck with the mentioned App (zangi)
CLB - Ofri 8/6/2024 1:52 AM
Hey, PA latest versions support decoding of Zangi
😀 1
Aero
Is this different from the Secure Safe?
WoodenMango 8/6/2024 2:01 AM
Yes appears so - Secure Safe isn’t activated but this is
hypeman
Hi Tost, did you have any luck with the mentioned App (zangi)
Yes, our higher authority has programmed a tool. Oxygen supported it at that time, but we have not Oxygen. And now Cellebrite supports the app like @CLB - Ofri mentioned.
WatchingYou 1
WoodenMango 8/6/2024 2:12 AM
Amazing, this has worked great with Andriller. The .key file was privacy_password_setting.key rather than access_control but worked great all the same. Thanks so much! (edited)
Salute 1
chms17
https://www.group-ib.com/blog/whatsapp-forensic-artifacts/ ZMEDIAORIGIN Unknown, usually has value ‘0’ (edited)
Husky_M00s3 8/6/2024 4:31 AM
Thank you, @chms17 ! I saw 4, 1, 0 in my dataset. I plan to do some testing to see if I can make sense of it / test my current working hypothesis…. Unless someone smarter than me replies. At a quick glance, 4 was a gif, 1 was opus, 0 was a picture.
👍 1
Husky_M00s3
Thank you, @chms17 ! I saw 4, 1, 0 in my dataset. I plan to do some testing to see if I can make sense of it / test my current working hypothesis…. Unless someone smarter than me replies. At a quick glance, 4 was a gif, 1 was opus, 0 was a picture.
I wasn't able to find anything other than that, but do update us if you can figure it out!
👍 1
randomaccess 8/6/2024 4:35 AM
Has anyone pulled apart the Snapchat app? A coworker has a case where Snapchat was recorded as making phone calls on an iPhone on one phone but not on the other. They have questions (I haven't got all of them) if anyone has seen something similar with using Snapchat to make phone calls
randomaccess
Has anyone pulled apart the Snapchat app? A coworker has a case where Snapchat was recorded as making phone calls on an iPhone on one phone but not on the other. They have questions (I haven't got all of them) if anyone has seen something similar with using Snapchat to make phone calls
going to need more context - what type of extraction did you get? is this just what the tool decoded, or did you look in to the databases?
Husky_M00s3
Thank you, @chms17 ! I saw 4, 1, 0 in my dataset. I plan to do some testing to see if I can make sense of it / test my current working hypothesis…. Unless someone smarter than me replies. At a quick glance, 4 was a gif, 1 was opus, 0 was a picture.
If you figure it out, please consider publishing a Github or a blog post 🙏
chms17
going to need more context - what type of extraction did you get? is this just what the tool decoded, or did you look in to the databases?
randomaccess 8/6/2024 6:28 AM
My coworker's case so I only have some details. ADV logical on one, FFS on the other. Phones aren't available any more. I think she looked at the call log directly but may have just been Cellebrite output. More wondering whether Snapchat populates the call log and if it does, does it clear its records. Mostly because she has both devices that should have corresponding data and they don't.
iPhone Full File System extraction through GrayKey. Specifically a question into Apple Voice-memo Application. Victim recorded multiple sexual assaults while using this application. I'm able to authenticate the original recordings (totaling 11 recordings). The original recordings are about a year old, and one of them has a duplicated file with a file path of composition/fragments/**. I ran my own test and found each recording I made also had a duplicated audio file with the "composition/fragments/" path extension (m4a files). Can anyone think of a reason as to why the other 10 audio files didn't have this duplication? I'm thinking the file path extension might represent a movement to the iCloud? Can anyone explain the purpose for the duplicated files with the "composition/fragments" extension/duplication? Thanks!
randomaccess
My coworker's case so I only have some details. ADV logical on one, FFS on the other. Phones aren't available any more. I think she looked at the call log directly but may have just been Cellebrite output. More wondering whether Snapchat populates the call log and if it does, does it clear its records. Mostly because she has both devices that should have corresponding data and they don't.
Husky_M00s3 8/6/2024 12:14 PM
It’s been awhile… I might need to rewatch this, but remember it having good info: https://cellebrite.com/en/deep-dive-into-snapchat/
Hi ! Someone from @Magnet Forensics please ? Found a bug in decoding for Axiom 8.3.1. Thanks
randomaccess
My coworker's case so I only have some details. ADV logical on one, FFS on the other. Phones aren't available any more. I think she looked at the call log directly but may have just been Cellebrite output. More wondering whether Snapchat populates the call log and if it does, does it clear its records. Mostly because she has both devices that should have corresponding data and they don't.
Are they both iPhones? If so the call log should be populated on both iPhones. Was the call answered?
AnTaL
Hi ! Someone from @Magnet Forensics please ? Found a bug in decoding for Axiom 8.3.1. Thanks
I know they do fix bugs but I’ve never gotten any I reported fixed (well who knows, maybe it was eventually but I never got notified!) Hopefully they can sort it though 🙂
forensic vizsla 8/7/2024 6:55 AM
Hi all I am dealing with a OnePlus Nord2 5G DN2103 Android 12. It contains forbidden images in the OnePlus gallery imgcache.0 file. In addition, there is the private safe in the gallery app, to which I unfortunately don't have the pin to access it. I was hoping to discover more evidence there and was wondering whether there is a way to bypass the pin dialog or that the files are stored somewhere at an easily accessible location (and maybe only encoded and not encrypted).
forensic vizsla
Hi all I am dealing with a OnePlus Nord2 5G DN2103 Android 12. It contains forbidden images in the OnePlus gallery imgcache.0 file. In addition, there is the private safe in the gallery app, to which I unfortunately don't have the pin to access it. I was hoping to discover more evidence there and was wondering whether there is a way to bypass the pin dialog or that the files are stored somewhere at an easily accessible location (and maybe only encoded and not encrypted).
Hans Leißner 8/7/2024 11:41 AM
What kind of extraction do you have?
Hans Leißner
What kind of extraction do you have?
forensic vizsla 8/7/2024 11:27 PM
A Cellebrite Premium extraction
I found an issue with exporting media from PA: while exporting, don't click around in PA (I found if I clicked Filters then Hide Redacted that would cause the issue, but I don't know if it does it in other areas too), otherwise the export of pictures/videos may stop before completing but PA reports it as successful. We double check by seeing how many items are selected in PA for export and check to see how many are in the export folder. This bug was around a while ago but looks like it's back.
1:11 AM
A ticket is in and CB are aware...
busted4n6
I know they do fix bugs but I’ve never gotten any I reported fixed (well who knows, maybe it was eventually but I never got notified!) Hopefully they can sort it though 🙂
Ahah. Yep but this one was regression. Anyway I know how you feel. This idea to close your ticket because one other is created to the development team, you never know what is really happening 🤨
Anyone had issues when reinstalling offline maps saying the TileServer doesn't have correct privileges? Any idea how to sort this? Thanks.
📫 1
5:50 AM
Haven't had this issue before, usually installed just fine in PA 10.
Anyone have any luck or tips decoding Private Photo Vault v 4.6.6 on Android - either cracking PIN/Passcode or decrypting payload?
jb3139
Anyone have any luck or tips decoding Private Photo Vault v 4.6.6 on Android - either cracking PIN/Passcode or decrypting payload?
Try to decode and parse your FFS extraction with AXIOM. The password should then be there in plain text.
Crox
Try to decode and parse your FFS extraction with AXIOM. The password should then be there in plain text.
I've had it in CB, Oxygen and Magnet. Magnet at least parses out the data from the app, but I have looked in every XML/JSON file in data/data/com.enchantedcloud.photovault directory and subdirectory and I see no password in the clear anywhere. It's only pulling the file list and album information from the ppv.sqlite DB file. I also don't see anything in the Keystore that might be useful. (edited)
jb3139
I've had it in CB, Oxygen and Magnet. Magnet at least parses out the data from the app, but I have looked in every XML/JSON file in data/data/com.enchantedcloud.photovault directory and subdirectory and I see no password in the clear anywhere. It's only pulling the file list and album information from the ppv.sqlite DB file. I also don't see anything in the Keystore that might be useful. (edited)
Hmm okay then maybe the version for decrypting the password or code is not supported but as far as I remember it is in the media PPV tab of Magnet AXIOM and there next to the album is the password in plain text. But of course it is possible that this version is not supported.
Crox
Hmm okay then maybe the version for decrypting the password or code is not supported but as far as I remember it is in the media PPV tab of Magnet AXIOM and there next to the album is the password in plain text. But of course it is possible that this version is not supported.
There are two columns for Password and PIN but no data in them. This version must not be supported. Anyone from @Magnet Forensics able to weigh in on possible support now or coming?
jb3139
There are two columns for Password and PIN but no data in them. This version must not be supported. Anyone from @Magnet Forensics able to weigh in on possible support now or coming?
Maybe @bang can help you out
jb3139
There are two columns for Password and PIN but no data in them. This version must not be supported. Anyone from @Magnet Forensics able to weigh in on possible support now or coming?
forensicmike @Magnet 8/8/2024 1:11 PM
iirc those are for album passwords- they don't affect cryptography. they are a UI level permission check.
👍 1
1:12 PM
i'm much more versed on the ios side so let me double check on your question
I have a file where I have a series of image artifacts located in data/data/com.instagram.android/cache/images.stash/clean/. I know this directory is a cache location used by Instagram for images, but does anyone know why there is a 'clean' and 'dirty' folder in the images.stash folder? The clean folder has several hundred cached images, whereas the 'dirty' folder is empty. Thanks in advance for any assistance.
Anyone from Cellebrite available to assist with a PA 10 query... hoping there's a simple explanation for this, otherwise it's a fairly critical bug. @Cellebrite Thanks
📬 1
👋 I have a SEGB (BIOME) file from the Devices.Wireless.WiFi directory from an iPhone Dump. Can someone help me understand what the timestamps mean? Are they the timestamps from when the phone connected to the wireless access point? I'm trying to understand what these timestamps mean. 🤔
sumit_kumar24 8/10/2024 10:18 AM
Hi anyone providing course or consultancy services on mobile unlocking phone Solution or training? For Mobile Forensics
m1gr@n3
👋 I have a SEGB (BIOME) file from the Devices.Wireless.WiFi directory from an iPhone Dump. Can someone help me understand what the timestamps mean? Are they the timestamps from when the phone connected to the wireless access point? I'm trying to understand what these timestamps mean. 🤔
You have both connection and disconnection events in this file. The timestamps alone are not indicative enough; you need to parse the data inside as a protobuf. Then you'll see 2 fields: the SSID and a boolean which is either set to 0 (disconnected) or 1 (connected). Also, the first record in your screenshot is deleted (the data is zeroed). Obviously parsing that one as a protobuf won't work. (edited)
Does anyone know which tool decodes GMX mail under iOS? Or does anyone have a functioning sqlite script for GMX Mail under iOS which I can import into the Physical Analyzer SQLite Assistant?
pixel
Does anyone know which tool decodes GMX mail under iOS? Or does anyone have a functioning sqlite script for GMX Mail under iOS which I can import into the Physical Analyzer SQLite Assistant?
Last job I did with gmx, we had the credentials. Upgraded the gmx acc and then download via Axiom
BourbonBuckeyeGuy 8/12/2024 9:40 AM
Hey all - I have an iPhone 13 Pro Max with 17.5.1 and a FFS extraction. Physical Analyzer indicates deleted iMessages, where I can only see what the phone user sent and what was received from the other half, with nothing identifying who is on the other half of the conversation. SMS.db has 0 for deleted_messages. Identifying the other half of the conversation would be great, but at a minimum I’d love to get a time of deletion. Any help would be greatly appreciated. Thanks!
BourbonBuckeyeGuy
Hey all - I have an iPhone 13 Pro Max with 17.5.1 and a FFS extraction. Physical Analyzer indicates deleted iMessages, where I can only see the what the phone user sent and what was received from the other half, with nothing identifying who is on the other half of the conversation. SMS.db has 0 for deleted_messages. Identifying the other half of the conversation would be great, but at a minimum I’d love to get a time of deletion. Any help would be greatly appreciated. Thanks!
Messaging apps do not record when a row is deleted; that would not serve any purpose.
👍 1
Avatar
I have an iCloud backup that I've parsed with Oxy. For this user the named contacts (phonebook) aren't tied to the phone # or iMessages. Anyone seen this before? Cause? Solution?
Avatar
Anyone heard of a home cctv app called EZ View? Seems to have some local storage within the app, will run it through CP / Axiom tomorrow but any experience would be gratefully received. Thanks
11:17 AM
Android Oppo
Avatar
Avatar
CLB-ShaiS
You have both connection and disconnection events in this file. The timestamps alone are not indicative enough, You need to parse the data inside as a protobuf. Then you'll see 2 fields: the SSID and a boolean which is either set to 0 (disconnected) or 1 (connected). Also, the first record in your screenshot is deleted (the data is zeroed). Obviously parsing that one as a protobuf won't work. (edited)
Thanks for responding! I appreciate you answering my question. I think I'm tracking what you are saying. So if I'm understanding you correctly, in my analyzed wireless networks in Physical Analyzer, the marker named "Timestamp" is the time "Pine_test" was joined, and then the "End Time" marker is the timestamp when it was disconnected/lost connection? Is there any documentation that shows what the 0 and the 1 mean?
Avatar
Avatar
m1gr@n3
Thanks for responding! I appreciate you answering my question. I think I'm tracking what you are saying. So if I'm understanding you correctly, in my analyzed wireless networks in Physical Analyzer, the marker named "Timestamp" is the time "Pine_test" was joined, and then the "End Time" marker is the timestamp when it was disconnected/lost connection? Is there any documentation that shows what the 0 and the 1 mean?
Yes, that's right. You see both timestamps in PA because we combined 2 SEGB entries, the connection event and the disconnection event, into a single event. There isn't official documentation by Apple for the formats and values used in SEGB payloads. Testing with your own test device (*multiple times in various settings) can give you confidence regarding which value matches which action.
Avatar
Avatar
CLB-ShaiS
Yes, that's right. You see both timestamps in PA because we combined 2 SEGB entries, the connection event and the disconnection event, into a single event. There isn't official documentation by Apple for the formats and values used in SEGB payloads. Testing with your own test device (*multiple times in various settings) can give you confidence regarding which value matches which action.
Thanks for explaining! So when looking at this table I can understand it better now. The "Last Connected" timestamp value from the "Known-networks" plist would be the time that the user manually joined the network. The "Last auto connected" time (which matches the connected timestamp from the Biome file) is the timestamp that the system automatically connected to the access point. But then the "Timestamp" marker from the known-network (highlighted in blue) shows the time that the pine_test network was added as a known network. I think the "TimeStamp" marker was throwing me off because the date was a year before. I understand it better. Thanks for your help. (edited)
🙏 1
Avatar
Avatar
pixel
Does anyone know which tool decodes GMX mail under iOS? Or does anyone have a functioning SQLite script for GMX Mail under iOS which I can import into the Physical Analyzer SQLite Assistant?
Cellebrite PA does the job. If not, you can DM me.
Avatar
Anyone around from @Oxygen Forensics for a question around X/Twitter ?
Avatar
Avatar
HIK213
Anyone around from @Oxygen Forensics for a question around X/Twitter ?
Oxygen Forensics 8/13/2024 7:19 AM
Hello, will DM you 🙂
👍 1
Avatar
Any way to determine when or if a passcode got removed in a FFS of an iPhone?
Avatar
@Cellebrite Is anyone around for a question please?
📫 1
Avatar
Hans Leißner 8/14/2024 5:32 AM
@florus I am not aware of any db / plist or similar (but this does not rule out that there is one). Perhaps a different approach. When the code is removed, some data such as Apple Pay transactions, downloaded Exchange-based emails and various app tokens are lost. Maybe you can narrow down the time period. Is it also conceivable that something can be found in the unified logs? Changing the protection level to Class D, for example. Maybe @Lionel Notari is able to help. (edited)
Avatar
Avatar
FullTang
I have a physical and FFS extraction of an Amazon Fire tablet running Android 9, but the passcode is unknown and it is not supported for brute force. Is the passcode or the hash of the passcode stored somewhere in the extractions?
Did you ever get any traction on this? I have physicals on two fire tablets and am hoping to find some way to crack a PIN for other devices in the case.
Avatar
The tablet was AFU running Android 9, so my best guess is it was not extracted and I was only able to get the data because it was FBE FDE and AFU. If someone is able to prove me wrong I would be happy to know where to find the PIN in the extractions. (edited)
Avatar
I've got physicals on both of the devices, I'm just not finding anything compelling on where to look exactly. For some reason I think because it's a Fire tablet my bias says it should be less secure, but it is running Android 11 so probably not.
Avatar
Avatar
whee30
I've got physicals on both of the devices, I'm just not finding anything compelling on where to look exactly. For some reason I think because it's a Fire tablet my bias says it should be less secure, but it is running Android 11 so probably not.
I believe the last time you could get a hash of a passcode from a physical would be on Android 5.
👍 1
Avatar
Avatar
whee30
I've got physicals on both of the devices, I'm just not finidng anything compelling on where to look exactly. For some reason I think because it's a fire tablet my bias says it should be less secure but it is running android 11 so probably not
How was @Cellebrite able to get a physical extraction from an Android 11 device? I was under the impression Android 11 was required to be FBE. My (apparently limited) understanding of the relationship between encryption and the Android version is as follows:
Android 4.4 - 6.0.1: FDE optional
Android 7 - 9: Encryption required, can be FDE or FBE. (Huawei started using FBE with 7, Samsung started using FBE with 9, not sure about other models)
Android 10: FBE required, except in very unique circumstances when upgrading from older versions.
Android 11+: FBE
Maybe the exception for 10 can also apply to 11? I haven't heard of that before.
👍 1
Avatar
Based on model number, (KFQUWI) the Android 11 device I have a physical of is an Amazon Fire 7 2022, 12th gen. https://developer.amazon.com/docs/fire-tablets/ft-device-specifications-fire-models.html?v=fire7_2022
8:04 PM
It says Android 11 but also says "Fire OS", so maybe Amazon makes their own rules/flavor of Android to skirt the FBE requirement?
8:06 PM
The Fire tablets are one of the few devices that aren't encrypted by default. What are the theoretical and practical risks of physical attacks on these devices? Encryption seems to have a noticeable performance hit when enabled on these devices, and...
Avatar
That would make sense. The Android specifications say FBE is required on 10 and above. https://source.android.com/docs/security/features/encryption/file-based
8:17 PM
FireOS does not mention FDE or FBE, but I guess if you create your own flavor of OS then you can do what you want. https://developer.amazon.com/docs/fire-tablets/fire-os-8.html#android-11-updates
Fire OS 8 incorporates updates from Android 10 (API 29) and Android 11 (API 30). Below are some of the important changes you should consider while building apps for Fire OS 8 (F...
👍 1
Avatar
Avatar
FullTang
How was @Cellebrite able to get a physical extraction from an Android 11 device? I was under the impression Android 11 was required to be FBE. My (apparently limited) understanding of the relationship between encryption and the Android version is as follows:
Android 4.4 - 6.0.1: FDE optional
Android 7 - 9: Encryption required, can be FDE or FBE. (Huawei started using FBE with 7, Samsung started using FBE with 9, not sure about other models)
Android 10: FBE required, except in very unique circumstances when upgrading from older versions.
Android 11+: FBE
Maybe the exception for 10 can also apply to 11? I haven't heard of that before.
Christoffer.M 8/14/2024 8:41 PM
FBE isn’t an issue for decrypting and decoding a physical extraction. I guess most tools of today can handle it. At least XRY does.
Avatar
Avatar
Christoffer.M
FBE isn’t an issue for decrypting and decoding a physical extraction. I guess most tools of today can handle it. At least XRY does.
True. I just have never seen Cellebrite give the option for a physical extraction on an FBE device.
👍 1
Avatar
Avatar
Christoffer.M
FBE isn’t an issue for decrypting and decoding a physical extraction. I guess most tools of today can handle it. At least XRY does.
Hans Leißner 8/14/2024 9:29 PM
As long as the keystore file can be extracted too. Not always the case 😅 (edited)
Avatar
Avatar
Hans Leißner
As long as the keystore file can be extracted too. Not always the case 😅 (edited)
Christoffer.M 8/14/2024 11:19 PM
True. I can only speak for XRY but we always strive to get all the necessary keys.
this 1
Avatar
Avatar
FullTang
True. I just have never seen Cellebrite give the option for a physical extraction on an FBE device.
Cellebrite were always really focused on using the device to decrypt the data, exploit it, and just pull already decrypted stuff (for both FDE and FBE). This is somewhat safer since you get the files exactly as the device sees them. Other solutions, like XRY and Oxygen, can sometimes use an exploit to dump the physical images and some keys (either derive them themselves, or use a way to leak them from the phone itself during decryption) and then decrypt the physical dump offline using their own implementation of the encryption used on those devices.
👍🏻 5
Avatar
Interesting. Any idea how an FDE device was running Android 11? Or is it not really running Android 11 and it is actually FireOS "pretending" to be Android 11?
Avatar
chrisforensic 8/15/2024 10:11 PM
Heyho mates @Cellebrite ! Someone here to shine a light on me 😉 - what does this mean, GPS Tracker? AirTag? What is the real source (hardware) of this location? How can I explain this entry to the investigator? (edited)
Avatar
Avatar
chrisforensic
Heyho mates @Cellebrite ! Someone here to shine a light on me 😉 - what does this mean, GPS Tracker? AirTag? What is the real source (hardware) of this location? How can I explain this entry to the investigator? (edited)
This is anti-stalking software on Android/iOS regarding AirTags etc. If your phone detects an AirTag not belonging to your Apple ID, it will give you a popup message and sometimes a route up to a few days, where it detected this.
👍🏻 1
Avatar
Avatar
florus
This is anti-stalking software on Android/iOS regarding AirTags etc. If your phone detects an AirTag not belonging to your Apple ID, it will give you a popup message and sometimes a route up to a few days, where it detected this.
chrisforensic 8/15/2024 11:05 PM
Thanks... so this sort of location can be ignored, because there is no exact location and time? Or can we say the mobile phone was exactly at this location at this time? (edited)
11:09 PM
Hm, another phone and again deleted entries of AirTags.. hm, at the border area between Ukraine and Poland.
11:10 PM
11:11 PM
So what happens on this place? What signal was received by the phone?
Avatar
Avatar
chrisforensic
Thanks... so this sort of location can be ignored, because there is no exact location and time? Or can we say the mobile phone was exactly at this location at this time? (edited)
In my testing these locations are quite accurate. I tested this with a colleague half a year ago (my AirTag, he had a Samsung). The route was spot on. The question is: can you validate the values in the database/WAL file etc.? (edited)
Avatar
Avatar
florus
In my testing these locations are quite accurate. I tested this with a colleague half a year ago (my AirTag, he had a Samsung). The route was spot on. The question is: can you validate the values in the database/WAL file etc.? (edited)
chrisforensic 8/15/2024 11:16 PM
Thanks so far mate, will dig deeper into this 😉
👍 1
Avatar
chrisforensic 8/15/2024 11:53 PM
@florus found really detailed info on Joshua's blog 🙂 https://thebinaryhick.blog/2023/08/13/android-airtags-part-ii/ (edited)
🙌 1
Avatar
Someone from @Cellebrite around regarding a WhatsApp decoding question? I have a FFS from an iPhone. In WhatsApp the owner (John Doe) has a number ending in 112. His phone, an iPhone X, got extracted FFS. John Doe has a WhatsApp chat with Karen, number ending in 555. On the 28th March 2024 there is a WhatsApp call initiated by Karen (I see this in the chat) and the call log. I'm seeing some strange things in the decoded part: 1. Call logs show a missed incoming call from Karen (555) on the 28th March 2024 19:44:17. The other participant is Donald Duck with a number ending in 409. It's not showing the number from John Doe. 2. In Chats, I see a historic chat between John Doe and Karen. The missed call is visible in this chat. A system message is saying: "status = missed, type = video call, duration = 00:00:00, 2 joined = Karen (555@s.whatsapp.net) + Donald Duck (408@s.whatsapp.net)" with the additional timestamp 19:44:17. My theory is that Karen started a video call with John Doe, and added Donald Duck, and that John Doe didn't answer it. Still, quite confusing how Cellebrite displays this, right? Edit: did some testing; theory is right. Regardless of whether John Doe was the first caller, or added later on: if party 2 and 3 answered the call, this gets displayed as described. (edited)
Avatar
Avatar
FullTang
Interesting. Any idea how an FDE device was running Android 11? Or is it not really running Android 11 and it is actually FireOS "pretending" to be Android 11?
Amazon doesn't really follow the security guidelines for regular Android. After all, they kept their devices unencrypted for a long time before, making some jobs easier.
👍 1
Avatar
Avatar
Christoffer.M
FBE isn’t an issue for decrypting and decoding a physical extraction. I guess most tools of today can handle it. At least XRY does.
What about the free space / deleted data? If only files are decrypted, I would call that a full file system acquisition, not a physical extraction... I know each vendor seems to provide a different definition of "physical extraction", so I'm just checking if I understood correctly.
Avatar
Avatar
Lazza
What about the free space / deleted data? If only files are decrypted, I would call that a full file system acquisition, not a physical extraction... I know each vendor seems to provide a different definition of "physical extraction", so I'm just checking if I understood correctly.
It acquires the whole memory (physical extraction) but decrypts only the files (results). Can it be called a FFS, sure.....I think this is more just on the terms.
Avatar
Avatar
chauan
It acquires the whole memory (physical extraction) but decrypts only the files (results). Can it be called a FFS, sure.....I think this is more just on the terms.
I am not sure I agree it's just terms... According to this definition, I can get a physical extraction of any Apple Silicon device using DD, I just cannot decrypt its contents. If I can only extract the allocated files, without any way to read or extract the deleted data, it's not a physical extraction to me. It is definitely a full file system extraction. I hope what I am trying to say makes sense 😅
Avatar
I think the extraction is just the method to get data without worrying about the usefulness of data at the time. You can do a physical of a SD with all zero, and it's as useful as acquiring an encrypted one. Physical gets all blocks from the card, which the process does. FFS are all about the file system but the exploit here goes above and beyond, even the unallocated space is not useful.
5:59 AM
I don't want to see another new term for sure...like FFS+ or Physical Lite😂
Avatar
Avatar
chauan
I think the extraction is just the method to get data without worrying about the usefulness of data at the time. You can do a physical of a SD with all zero, and it's as useful as acquiring an encrypted one. Physical gets all blocks from the card, which the process does. FFS are all about the file system but the exploit here goes above and beyond, even the unallocated space is not useful.
Yeah, and "Advanced Logical" vs "Logical", etc... FFS is definitely an exclamation one says out loud with all this terminology confusion 🤪
Avatar
Avatar
Lazza
I am not sure I agree it's just terms... According to this definition, I can get a physical extraction of any Apple Silicon device using DD, I just cannot decrypt its contents. If I can only extract the allocated files, without any way to read or extract the deleted data, it's not a physical extraction to me. It is definitely a full file system extraction. I hope what I am trying to say makes sense 😅
there's no need for another term. It's a full filesystem extraction, obtained from a physical image and decrypted outside the device, using valid encryption keys
7:05 AM
It still won't really get you any deleted files back, because there's no way to derive the valid key for those missing files. (edited)
Avatar
Anyone that has a good resource regarding AirDroid forensics?
Avatar
volvoabbaikea 8/19/2024 11:00 PM
Hello, anyone from Cellebrite available? Regarding PA/Inseyets carving + parsing -wal files.
📫 1
Avatar
Mistercatapulte 8/20/2024 1:25 AM
@Cellebrite
Avatar
Hi everyone! I had a look at UsageStats on an Android Phone (Oppo A53s) to determine what was going on on the phone at a precise time. I'd like to track more detailed logs, to be able to tell what action was taken on the phone (tap, swipe etc...) Logcat might have some info, but I fear the info I'm looking for will be long gone (I'm testing on a test phone). Anyone know of a log with such info? Thanks 🙂
Avatar
@Cellebrite What does the Capture Origin Reasoning: "Saved Copy" mean exactly? (edited)
Avatar
We have a document explaining the Media Origins classifications.
Avatar
Ah, where do I find that?
Avatar
It's on the portal / 101.. I can share via DM also.
💯 1
Avatar
Avatar
florus
@Cellebrite What does the Capture Origin Reasoning: "Saved Copy" mean exactly? (edited)
CLB-DannyTheModeler 8/20/2024 7:32 AM
The Saved Copy indicates that the image was taken via an app, in your case Snapchat, and then copied to the Gallery. The fact that the image resides in the Photos.sqlite but originates from another app is an indication of that. (edited)
Avatar
Original message was deleted or could not be loaded.
I can see the s there? Do you mean /data/data/com.whatsapp/databases... (the s is there in the pictures you've posted)
this 2
Avatar
Avatar
busted4n6
I can see the s there? Do you mean /data/data/com.whatsapp/databases... (the s is there in the pictures you've posted)
Hans Leißner 8/20/2024 8:35 PM
👀 argh.. What the hell 😂 I think I have a kink in my optics. Sorry... but yes, now I see it "again". I think I gawked at the box for too long yesterday.
😅 2
Avatar
Anyone from @Cellebrite available for quick question regarding PA?
📬 1
Avatar
Anyone have experience of Cellebrite failing to brute force after running their entire dictionary? It was shown as a complex numeric - I thought their dictionary had every possible combination??
Avatar
Huawei Y6 2019. Android 9. Comes up with a 6 character pin lock on boot. Tried the full complex dictionary on Premium (took 31 days!) and it didn’t find the code. Tried a custom 6 digit only dictionary (ie all 6 digit combinations) and still didn’t get it?!?
Avatar
Avatar
RichardG
Huawei Y6 2019. Android 9. Comes up with a 6 character pin lock on boot. Tried the full complex dictionary on Premium (took 31 days!) and it didn’t find the code. Tried a custom 6 digit only dictionary (ie all 6 digit combinations) and still didn’t get it?!?
Wasn't there a problem with BF on Huawei and CLB temporarily made BF unsupported? I've gotten that message a few times recently. But your device is an older one so that should work normally.. perhaps
Avatar
I think the issue was with autonomous BF, in that it wouldn’t reconnect after the disconnect. That’s been fixed now it seems as phone is connecting first time. I’m wondering if the fault lies in the access method. If i try to connect to the device after boot then BF fails to start (I can get a BFU extraction so the connection is good). However if I boot the device in the recovery screen / EMUI (wipe cache, reset screen - vol up and power) then BF will connect and install the CLB as usual. Perhaps BF doesn’t work from the recovery area?? (edited)
Avatar
Avatar
RichardG
Huawei Y6 2019. Android 9. Comes up with a 6 character pin lock on boot. Tried the full complex dictionary on Premium (took 31 days!) and it didn’t find the code. Tried a custom 6 digit only dictionary (ie all 6 digit combinations) and still didn’t get it?!?
Dmitry Sumin 8/21/2024 1:53 AM
You can try Passware if you have a license
this 1
Avatar
@Dmitry Sumin I’ve never tried passware for mobile devices. We just have the usual graykey and Cellebrite premium. Is it any good? I see it supports the y6 according to their website - and they have a trial license for 5 extractions as well!
📫 1
Avatar
Hi, Anyone from MSAB available for a question about SMS / RCS messages on Android Devices ?
Avatar
Digitalferret 8/21/2024 4:44 AM
@MSAB ^
Avatar
Avatar
KR-4n6
Hi, Anyone from MSAB available for a question about SMS / RCS messages on Android Devices ?
What seems to be the issue?
Avatar
Avatar
Digitalferret
@MSAB ^
Thanks!
👍🏻 1
Avatar
Avatar
RichardG
Anyone have experience of Cellebrite failing to brute force after running their entire dictionary? It was shown as a complex numeric - I thought their dictionary had every possible combination??
It doesn't contain everything. Reach out to support for what it has, and what it doesn't. Then make your own dict.
Avatar
Avatar
4n6_5w3
Wasn't there a problem with BF on Huawei and CLB temporarily made BF unsupported? I've gotten that message a few times recently. But your device is an older one so that should work normally.. perhaps
This issue is for Kirin-based Huaweis.
Avatar
Avatar
RichardG
Huawei Y6 2019. Android 9. Comes up with a 6 character pin lock on boot. Tried the full complex dictionary on Premium (took 31 days!) and it didn’t find the code. Tried a custom 6 digit only dictionary (ie all 6 digit combinations) and still didn’t get it?!?
Try XRY, it can BF it and give you the PIN, then you can use any tool to extract the FFS.
Avatar
Avatar
RichardG
@Dmitry Sumin I’ve never tried passware for mobile devices. We just have the usual graykey and Cellebrite premium. Is it any good? I see it supports the y6 according to their website - and they have a trial license for 5 extractions as well!
Dmitry Sumin 8/21/2024 6:55 AM
I'm from Passware, and I hope it is good 🙂 According to our users, it is
Avatar
😆 that will teach me to check tags lol. Thanks I’ll find some funding to buy the trial license and see.
Avatar
Avatar
RichardG
😆 that will teach me to check tags lol. Thanks I’ll find some funding to buy the trial license and see.
Passware is the tool you need to BF Huawei device 👌
Avatar
Avatar
nicnic
Hi, does anyone know what the "frequency" value in the "dynamic.lm" dictionary of SwiftKey represents? It's part of the n-gram language model. Is the frequency the absolute usage of the word by a user?
Hi! Did you find an answer to this question about the frequency value from dynamic.lm?
Avatar
Nullable Truth 8/22/2024 3:20 AM
Cellebrite Inseyets Physical Analyser 10.3.0.3169: After running a hash database, it has tagged items which are now visible within the Insights tab on the left. Is there a way to delete the hash set hits?
3:23 AM
@CLB or anyone who has found the magic button.
📫 1
Avatar
Avatar
Nullable Truth
Cellebrite Inseyets Physical Analyser 10.3.0.3169: After running a hash database, it has tagged items which are now visible within the Insights tab on the left. Is there a way to delete the hash set hits?
@Cellebrite
👍 3
Avatar
Hey everyone. Did look in the CellularUsage.db and saw 3 ICCIDs. When looking in the com.apple.commcenter.plist saw in the Personal wallet dictionary 6 ICCIDs and some of them had in the info section a TS value which is clearly a timestamp. Does anyone know why there are multiple ones in the last plist and what that ts value represents more exactly? Like the timestamp of SIM activation or last use or registration etc.? (edited)
Avatar
Avatar
ZetLoke77
Hey everyone. Did look in the CellularUsage.db and saw 3 ICCIDs. When looking in the com.apple.commcenter.plist saw in the Personal wallet dictionary 6 ICCIDs and some of them had in the info section a TS value which is clearly a timestamp. Does anyone know why there are multiple ones in the last plist and what that ts value represents more exactly? Like the timestamp of SIM activation or last use or registration etc.? (edited)
CellularUsage.db contains only the last 3 ICCIDs used. You won't find more than 3, no matter how many SIM cards you use. Be aware of the fact that most forensic software displays SIM information from this database. The com.apple.commcenter.plist file contains ALL ICCIDs used in the phone, not just the last 3. You might find this information in here even after wiping the device, but not if it's a recent version of iOS (not sure at what version they started clearing this plist). You can get this file in a BFU extraction. I'm not sure what the ts timestamp represents (maybe when the SIM was last active, as the info found in CellularUsage.db?).
Avatar
Avatar
Cip
CellularUsage.db contains only the last 3 ICCIDs used. You won't find more than 3, no matter how many SIM cards you use. Be aware of the fact that most forensic software displays SIM information from this database. The com.apple.commcenter.plist file contains ALL ICCIDs used in the phone, not just the last 3. You might find this information in here even after wiping the device, but not if it's a recent version of iOS (not sure at what version they started clearing this plist). You can get this file in a BFU extraction. I'm not sure what the ts timestamp represents (maybe when the SIM was last active, as the info found in CellularUsage.db?).
Seen that the last update time in CellularUsage.db starts with 69, so obviously it is Cocoa time. The TS value from com.apple.commcenter.plist starts with 1669 and it is weird, seems like UNIX epoch time. Is it possible to have 2 timestamps in 2 different formats on the iPhone?
5:13 AM
Btw thanks for the answer!!
5:14 AM
If I convert these 2 timestamps, one as Cocoa and the second one as UNIX, they give me almost the exact same time. 15 minutes difference.
Avatar
Avatar
ZetLoke77
If I convert these 2 timestamps, one as Cocoa and the second one as UNIX, they give me almost the exact same time. 15 minutes difference.
ts might represent the last significant communication event for each ICCID (like a successful connection to a cellular network, or when the device updated its settings related to communication, or the last time network-related information was logged or changed).
Avatar
Hi! Does anybody have some insights on the user dictionary "dynamic.lm" of Microsoft SwiftKey Keyboard (found in /data/data/com.touchtype.swiftkey/files/language_models/user/)? Is there any other app that can decode that info besides Cellebrite's PA? Is there more info in that file that PA doesn't display? What does the "frequency" column represent (and why can it be 0)? Why aren't the words unique? What is the source of the words? I've done some tests, but I cannot draw definite conclusions. It seems to me that the words come from every text edit box that the keyboard encounters (even if the words from the box were not typed by the user) and the frequency is the count of appearances of the word, not the typed count (i.e. opening the same text file that contains a certain word 3 times increments the count 3 times for that word; however, some appearances seem to be ignored).
Avatar
Avatar
CLB-Paul
It's on the portal / 101.. I can share via DM also.
Can you dm me please. Thanks
Avatar
Avatar
Dmitry Sumin
I'm from Passware, and I hope it is good 🙂 According to our users, it is
Can you tell me if the BF that Passware does is on the phone or can we utilize a GPU to speed it up?
Avatar
Avatar
DCSO
Can you tell me if the BF that Passware does is on the phone or can we utilize a GPU to speed it up?
Dmitry Sumin 8/23/2024 9:31 PM
That depends on the device: GPU for some Android phones, on the phone for Apple devices.
Avatar
I did a logical extraction for SMS, MMS, and IM in an iPhone 13 Pro Max using the newest version of @Cellebrite UFED touch 2. However, when opening the extraction in Physical Analyzer, I noticed the attachments were throwing an error (file does not exist) when attempting to open, but I checked the ZIP extraction and I can see the attachments were exported. Is there any reason why I’m encountering this issue?
Avatar
I have an FFS of an iPhone. Where can i find the used Discord Servers?
Avatar
@Dmitry Sumin thank you for the assist. Passware Mobile Kit took 50 mins to extract the 25 GB user data from the Y6 2019 and brute forced the 6 digit PIN in under 8 mins on my rig. Been working on breaking this PIN since June with Cellebrite Premium and multiple dictionaries getting exhausted after 27 days of running. Obviously a bug somewhere, in case anyone else is struggling with a MRD-LX1 / Huawei Y6 2019.
Salute 1
👍 3
🎉 1
12:19 AM
Only fiddly bit was putting it into BROM mode via the test point - cases on the Y6 are very brittle! (edited)
Avatar
Has anyone performed gap analysis of sms.db of an iOS device? I performed an Advanced Logical extraction of an iPhone. I parsed the image with Cellebrite and I can see there is about a three year gap in time from where one conversation starts and another conversation starts. I'd like to pull the sms.db and wanted to see if someone has created an SQL script that would highlight large gaps of time?
Avatar
Avatar
Ash4n6
Has anyone performed gap analysis of sms.db of an iOS device? I performed an Advanced Logical extraction of an iPhone. I parsed the image with Cellebrite and I can see there is about a three year gap in time from where one conversation starts and another conversation starts. I'd like to pull the sms.db and wanted to see if someone has created an SQL script that would highlight large gaps of time?
iOS version?
Avatar
Potentially dumb question, appreciate the tap to my forward assist here. Doing a review of a Samsung S22 running Android 13. I was able to obtain a FFS extraction. However, going to look for my normal artifacts, some file paths are confusing me. The data/user/0 folder is straight up empty, nothing there. 150 has a decent amount of files but I'm not seeing what I'm used to finding in 0. There is a user_de/0 that has about the same amount of data as the user/150, with user_de/150 being significantly smaller. Has it just been too long since I have done Android or is this abnormal?
Avatar
Separate question. I know 150 is the Secure Folder, and the amount of data I am seeing in here shows that even though I do not know the swipe pattern, my tool decrypted and pulled the Secure Folder contents in the FFS (assumption I'm working under). Question: my tool gave me the device PIN, right, but the Secure Folder uses a different PIN. How do I determine the Secure Folder's PIN? For use on other items seized with unknown PINs.
Avatar
Avatar
Bobby
iOS version?
iOS ver 16
Avatar
Avatar
Ash4n6
iOS ver 16
Then not related to iOS 17 and logical extraction. Have you loaded your extraction in another tool to confirm this issue? Which version of Cellebrite?
Avatar
return2zero 8/26/2024 5:11 PM
Does anyone know if @Cellebrite or other tools parse emoji reactions to WhatsApp messages?
Avatar
Avatar
return2zero
Does anyone know if @Cellebrite or other tools parse emoji reactions to WhatsApp messages?
Is this in tool or the report ?
Avatar
return2zero 8/26/2024 6:04 PM
Both, the report format required will be a UFDR. My understanding after doing some reading and speaking to other consultants, is that they aren't decoded for WhatsApp on iOS, it is decoded for WhatsApp on Android. Oxygen does decode and export the reactions in reports. (edited)
Avatar
Shotty_2_Hotty 8/26/2024 6:24 PM
I have a locked Samsung SM-J120W with a smashed screen. However, when I plug it into the Cellebrite Premium Turbo Link adapter, I hear a chime. I tried to gain access, but it failed. Is there something else I need to do?
Avatar
Avatar
Shotty_2_Hotty
I have a locked Samsung SM-J120W with a smashed screen. However, when I plug it into the Cellebrite Premium Turbo Link adapter, I hear a chime. I tried to gain access, but it failed. Is there something else I need to do?
Is it booting or can you even tell? You can look at some UFED methods that don’t require the same access methods as Premium
Avatar
Shotty_2_Hotty 8/26/2024 6:34 PM
I can't tell if it's booting, but I hear a chime when I plug it in.
6:35 PM
Premium does detect it, but it fails. I'm not sure if there's even a passcode or not.
📬 1
6:36 PM
Tried both lock/unlock profiles. Obviously can't enable ADB when I can't see the screen
Avatar
Avatar
Bobby
Then not related to iOS 17 and logical extraction. Have you loaded your extraction in another tool to confirm this issue? Which version of Cellebrite?
When I did the extraction I was on UFED4PC version 7.60. I’ve processed the image in two different tools but I’m going to dig into it deeper tomorrow.
Avatar
I am using Dynamic App Finder in Magnet Axiom in some of my cases and get good results. But somehow those (custom) artifacts are not searchable in Magnet Examine. Is there a way to re-index them to make those artifacts searchable as well?
Avatar
Morning all. Anyone familiar with the "lockbox" / "Safebox" in the OnePlus file manager? I can see a hash under the program path */.safe/passwd, but have been unable to identify the hash type. I don't see any encrypted files under the files folder, but I was informed by a colleague that sometimes files, such as those in a Secure Folder, may not be extracted.
ControlF 1
Avatar
Avatar
Shotty_2_Hotty
I have a locked Samsung SM-J120W with a smashed screen. However, when I plug it into the Cellebrite Premium Turbo Link adapter, I hear a chime. I tried to gain access, but it failed. Is there something else I need to do?
nachito 4n6s 8/27/2024 2:22 AM
You should try a physical dump with regular 4PC
Avatar
Hey, anyone know where in the Reddit database files you'll typically find Reddit private messages? I've got the following: Account.db, ContentService.db, observations.db, RedditUsersStore.db, RedditUsersService.db, then a lot of Cache.db. Not sure if my extraction has not pulled it or the decoding tool hasn't. Using Physical Analyser. Got the extraction from an iPhone 15 Pro using GrayKey.
Avatar
Good morning everyone. Can anyone suggest a method to use a phone extraction to estimate the average speed of the car in which the phone was found in a given time frame?
Avatar
Hello everyone. I've been doing some analysis on the RevolutRetailCore.sqlite db and saw that in different tables, such as ZBALANCE, the balance, either in crypto or cash, does not have a comma separator. I can't figure out if it is 500.00 or 50000, for example, since I don't have any separator. Does anyone know what scale might apply in this db, or does it depend on the currency or crypto used?
Avatar
Avatar
Butters
Morning all. Anyone familiar with the "lockbox" / "Safebox" in the OnePlus file manager? I can see a hash under the program path */.safe/passwd, but have been unable to identify the hash type. I don't see any encrypted files under the files folder, but I was informed by a colleague that sometimes files, such as those in a Secure Folder, may not be extracted.
cf-eglendye 8/27/2024 3:25 AM
Sent you a DM Salute
👌 1
Avatar
Hi there, does anybody know how to decode or read a log file from a Samsung (SM-G780G) smartphone, esp. the ewlog0 or ewlog2 files in the folder /data/log? The battery logs are all plaintext, but the ewlog files have a special (?) format. Thx
Avatar
Avatar
FabianoQ
Good morning everyone. Can anyone suggest a method to use a phone extraction to estimate the average speed of the car in which the phone was found in a given time frame?
For Android phones, often times these things are done by getting a Google Takeout and looking at maps or location data (edited)
Avatar
Avatar
Morph
Hi there, does anybody know how to decode or read a log file from a Samsung (SM-G780G) smartphone, esp. the ewlog0 or ewlog2 files in the folder /data/log? The battery logs are all plaintext, but the ewlog files have a special (?) format. Thx
Did you check if ALEAPP could already parse it?
Avatar
Avatar
Lolokidd
Did you check if ALEAPP could already parse it?
@Morph I don't believe I've seen that before but if it's something that can be supported in ALEAPP, we can try to make a parser. Test data would be helpful for that.
👍 1
Avatar
Hi guys. Having a full file system extraction from an Android phone, can I be sure that ANY possible system log is included? Or are there logs that need to be requested/generated before acquiring the phone, like on iPhone?
👀 2
Avatar
MSAB XAMN Python Scripting Question: How can I get the datetime out of a xry.property object? Only way I see is calling str() and then casting it back to a datetime, but that feels wrong and surely can't be the only way. @MSAB (edited)
Avatar
Avatar
Lolokidd
Did you check if ALEAPP could already parse it?
Hi Lolokidd, I checked ALEAPP, but it couldn't parse these logs; the right parser is missing 😦
Avatar
Avatar
stark4n6
@Morph I don't believe I've seen that before but if it's something that can be supported in ALEAPP, we can try to make a parser. Test data would be helpful for that.
Hi there, I think all Samsung SM-G780 and near/above the S23 have these logs; the source is /data/log/ewlogd ..... I checked another S23 file system, and there is the same directory /data/log/ewlogs .. so it seems that all Samsung S2x have these logs (edited)
Avatar
Are there people who have experience with locked and hidden (with secret code) WhatsApp chats? My own forensic analysis has determined that locked (with Face ID and passcode) WhatsApp chats are included in a GrayKey extraction of an iPhone 14 Pro Max. I performed my analysis in Magnet Axiom 8.4, so I don't know if these chats are included in a UFED Analyzer / Reader extraction. I also don't find anything in the iPhone extraction, blog posts, or the Discord forensics group related to locked hidden WhatsApp chats. So if anyone has encountered this, it would be nice to share this knowledge. I also would like to test and experiment with this, but I don't have the forensic tools at my disposal to perform this. This is another point of attention for when we are executing live forensics on a phone or when we are analyzing the data in our forensic tools. This also adds another layer of protection that makes our work harder: you can have a passcode for a phone, an application passcode, a WhatsApp 2FA passcode and now a secret code to lock and hide chats.. https://faq.whatsapp.com/764072925284841/?cms_platform=iphone&helpref=platform_switcher (edited)
Avatar
Is anyone experiencing an issue where @Cellebrite UFED errors during an advanced logical of an iPhone running 17.4.1? UFED allows the user to abort or skip; I chose to skip, and the extraction completed. A UFD file was created. The backup was encrypted with UFED. I tried parsing with PA 10.3 and it looks like the data is not decrypted, even when I use a password file with the standard 1234.
📬 1
Avatar
Avatar
kevindm
Are there people who have experience with locked and hidden (with secret code) WhatsApp chats? My own forensic analysis has determined that locked (with Face ID and passcode) WhatsApp chats are included in a GrayKey extraction of an iPhone 14 Pro Max. I performed my analysis in Magnet Axiom 8.4, so I don't know if these chats are included in a UFED Analyzer / Reader extraction. I also don't find anything in the iPhone extraction, blog posts, or the Discord forensics group related to locked hidden WhatsApp chats. So if anyone has encountered this, it would be nice to share this knowledge. I also would like to test and experiment with this, but I don't have the forensic tools at my disposal to perform this. This is another point of attention for when we are executing live forensics on a phone or when we are analyzing the data in our forensic tools. This also adds another layer of protection that makes our work harder: you can have a passcode for a phone, an application passcode, a WhatsApp 2FA passcode and now a secret code to lock and hide chats.. https://faq.whatsapp.com/764072925284841/?cms_platform=iphone&helpref=platform_switcher (edited)
It should only lock access from the app; the chats are in the same database if I'm right, then extracted as usual and decoded (edited)
👍 1
Avatar
Anyone know of a good mobile phone virtualization software? I'm thinking of how in Windows exams, for courtroom products, I'll toss the E01 into a VM and grab some screen recordings to show where the contraband was located, or how when you open a browser the favorite tabs are to illegal content; it just seems to really send it home better than me trying to explain file paths and nerd reasons why clearly the subject was aware, type stuff. On mobile phones I don't have the knowledge on how to do this. A lot of tools like PA and Axiom will allow you to port out messages and give ya the pretty bubbles to help the audience follow it. But I'm not aware of being able to toss a phone extraction into VirtualBox or whatever to see the device as the user saw it. Further thinking, that could be useful since tools will decrypt, say, the secure folder but not provide you the PIN/swipe/whatever. So to try and view it as the subject would view it, you could mount the decrypted extraction and view it as they did; might be handy.
Avatar
Avatar
Palazar82
Anyone know of a good mobile phone virtualization software? I'm thinking of how in Windows exams, for courtroom products, I'll toss the E01 into a VM and grab some screen recordings to show where the contraband was located, or how when you open a browser the favorite tabs are to illegal content; it just seems to really send it home better than me trying to explain file paths and nerd reasons why clearly the subject was aware, type stuff. On mobile phones I don't have the knowledge on how to do this. A lot of tools like PA and Axiom will allow you to port out messages and give ya the pretty bubbles to help the audience follow it. But I'm not aware of being able to toss a phone extraction into VirtualBox or whatever to see the device as the user saw it. Further thinking, that could be useful since tools will decrypt, say, the secure folder but not provide you the PIN/swipe/whatever. So to try and view it as the subject would view it, you could mount the decrypted extraction and view it as they did; might be handy.
There is Corellium, mainly used for security research; moreover you can run Android Virtual Devices (AVD) in Android Studio, Genymotion and the like... BUT do not expect to be able to simply boot a forensic image, as many of those are full file system (or logical), and for physical images you don't simply add them to the virtual device like you would with a VM. Surely you may be able to restore the data folder for Android in a (rooted) AVD and that may give a "similar" view to the original device (not identical), or you can restore an iTunes backup on a different iOS device. Not exactly what you are dreaming of, though.
🤔 1
Avatar
Nope but could still be useful to try and tinker with.
👍 1
4:35 PM
Thank you
Avatar
Yes, rooted AVDs are very nice also for artifact research and similar stuff. Or for saving customers' bacon when they are trying to recover WhatsApp messages and they only have an encrypted msgstore backup, sometimes stored on Google Drive 😅
Avatar
Avatar
Nefarious
Hey, Anyone know where in the Reddit database files you’ll typically find Reddit private messages? I’ve gotten the following: Account.db ContentService.db observations.db RedditUsersStore.db RedditUsersService.db Then a lot of Cache.db Not sure if my extraction has not pulled it or the decoding tool hasn’t. Using Physical Analyser. Got the extraction from a iphone 15 pro using Graykey.
Sans poster has these as locations for iOS: (edited)
Avatar
Avatar
Nefarious
Hey, Anyone know where in the Reddit database files you’ll typically find Reddit private messages? I’ve gotten the following: Account.db ContentService.db observations.db RedditUsersStore.db RedditUsersService.db Then a lot of Cache.db Not sure if my extraction has not pulled it or the decoding tool hasn’t. Using Physical Analyser. Got the extraction from a iphone 15 pro using Graykey.
Avatar
Avatar
135i
Hello everyone, I have an FFS from Cellebrite and I found two videos related to my case, but I can't determine if the suspect made them from his device; I just have the paths: data/media/0/Movies/signal-2023-05-16-15-59-25-036.mp4 AND data/data/com.snapchat.android/files/native_content_manager/com.snap.file_manager_3_SCContent_e92f36fd-66fd-45df-aa15-608f6358c254/27669f3d8b07854021d34bce2f3280ab Thank you! (edited)
Did you ever figure out anything more re the video file you found in ....native_content_manager/com.snap.file_manager_3_SCContent_e92f36fd-66fd-45df-aa15-608f6358c254/...? I know files in this location are generally attributed to being cache-related, but in the case I'm working right now I have a video located in this folder with a similar alphanumeric name like yours. The part that is stumping me is that the video has Exif data associated with it; created and modified dates are embedded in the Exif data. Based on the video content I believe the video was recorded using this device as well. I've dug for other copies of the video in and around the Exif creation date and can't find anything. It would appear the only copy of the video is the one contained in the above-mentioned directory. I find it odd that if the user recorded the video using this device, the only copy of the video would be stored in Snapchat cache-related folders. I've found other images and videos created by the user using Snapchat, which are all located in data/media/0/DCIM/Snapchat/. Any help would be appreciated. Thanks.
Avatar
Avatar
Mike_H
Did you ever figure out anything more re the video file you found in ....native_content_manager/com.snap.file_manager_3_SCContent_e92f36fd-66fd-45df-aa15-608f6358c254/...? I know files in this location are generally attributed to being cache-related, but in the case I'm working right now I have a video located in this folder with a similar alphanumeric name like yours. The part that is stumping me is that the video has Exif data associated with it; created and modified dates are embedded in the Exif data. Based on the video content I believe the video was recorded using this device as well. I've dug for other copies of the video in and around the Exif creation date and can't find anything. It would appear the only copy of the video is the one contained in the above-mentioned directory. I find it odd that if the user recorded the video using this device, the only copy of the video would be stored in Snapchat cache-related folders. I've found other images and videos created by the user using Snapchat, which are all located in data/media/0/DCIM/Snapchat/. Any help would be appreciated. Thanks.
Don't have any clue, but could it be a video recorded by the user with Snapchat but not sent (due to Exif data being available)? What about a Snapchat cloud extraction? Maybe you will find more intel related to it.
👍 1
Avatar
Avatar
kevindm
Are there people who have experience with locked and hidden (with secret code) WhatsApp chats? My own forensic analysis has determined that locked (with Face ID and passcode) WhatsApp chats are included in a GrayKey extraction of an iPhone 14 Pro Max. I performed my analysis in Magnet Axiom 8.4, so I don't know if these chats are included in a UFED Analyzer / Reader extraction. I also don't find anything in the iPhone extraction, blog posts, or the Discord forensics group related to locked hidden WhatsApp chats. So if anyone has encountered this, it would be nice to share this knowledge. I also would like to test and experiment with this, but I don't have the forensic tools at my disposal to perform this. This is another point of attention for when we are executing live forensics on a phone or when we are analyzing the data in our forensic tools. This also adds another layer of protection that makes our work harder: you can have a passcode for a phone, an application passcode, a WhatsApp 2FA passcode and now a secret code to lock and hide chats.. https://faq.whatsapp.com/764072925284841/?cms_platform=iphone&helpref=platform_switcher (edited)
In my experience this type of "lock" is only for the GUI. They don't protect the data in the filesystem. So if you can perform an FFS you get the data and every standard tool can parse it. PA can do it for sure. I have made a few tests on this topic. (edited)
Avatar
Avatar
rfar
Click to see attachment 🖼️
Thank you. I found it in the accounts table! What is Sans poster?
Avatar
Avatar
Nefarious
Thank you. I found it in the accounts table! What is Sans poster?
cf-eglendye 8/29/2024 1:55 AM
👍 1
Avatar
Avatar
Bobby
Don't have any clue, but could it be a video recorded by the user with Snapchat but not sent (due to Exif data being available)? What about a Snapchat cloud extraction? Maybe you will find more intel related to it.
Thanks for the response. Unfortunately the investigators do not have authorization for a cloud extraction. The fact the video is stored in the cache area is what is stumping me, especially with it having Exif data. If the user recorded it using Snapchat I would have expected it to have gone into media/0/DCIM/Snapchat, where the other media files I have found are. I would think that if the user recorded it and didn't send it, I would just find the copy in DCIM/Snapchat as the only one. When the user has recorded and sent images or videos, that's where I have found <filename>.media.0 copies stored within the data/com.snapchat.android/files/file_manager/ directory structure.
Avatar
Avatar
RichardG
Morning all, quick question on a decode (sorry, I'm a computer man, not mobiles, and my analyst is away). Looking at a decode of a Samsung device and it shows WhatsApp (com.whatsapp.conversation) with a "BringToFocus" event at a particular time. Does that mean the device was physically in use at that time, accessing WhatsApp? Again, this is just for my own knowledge; my examiner will be the 'expert' when back 😀. Thanks
Was this ever answered? I have the same question
Avatar
Avatar
Mike_H
Thanks for the response. Unfortunately the investigators do not have authorization for a cloud extraction. The fact the video is stored in the cache area is what is stumping me, especially with it having Exif data. If the user recorded it using Snapchat I would have expected it to have gone into media/0/DCIM/Snapchat, where the other media files I have found are. I would think that if the user recorded it and didn't send it, I would just find the copy in DCIM/Snapchat as the only one. When the user has recorded and sent images or videos, that's where I have found <filename>.media.0 copies stored within the data/com.snapchat.android/files/file_manager/ directory structure.
There are a lot of different scenarios where a file is saved in the content manager folder. First, if you are using PA you could look in the Media section for the file and make sure it's not attached to any message/post/upload. If you look in the cache_controller.db CACHE_FILE_CLAIM table for the file name you should find a relevant record with a MEDIA_CONTEXT_TYPE value; this can provide more info, for example if the value is 3 this means it was sent through chat. If it has a different value or you need further help, shoot me a DM
👍🏻 2
💪 1
Avatar
Avatar
tydras
Was this ever answered? I have the same question
Not here it wasn't; my examiner says it needs testing, but in principle yes, similar to Apple's InFocus from Biome
Avatar
Avatar
BBECK
In my experience this type of "lock" is only for the GUI. They don't protect the data in the filesystem. So if you can perform an FFS you get the data and every standard tool can parse it. PA can do it for sure. I have made a few tests on this topic. (edited)
Thank you for the clarification
Avatar
Avatar
Lennart
MSAB XAMN Python Scripting Question: How can I get the datetime out of a xry.property object? Only way I see is calling str() and then casting it back to a datetime, but that feels wrong and surely can't be the only way. @MSAB (edited)
You should be able to use xry.data_fmt_mgr.get_prop_datetime and then get individual date and time components, like year and month from that.
Avatar
Avatar
MSAB_John
You should be able to use xry.data_fmt_mgr.get_prop_datetime and then get individual date and time components, like year and month from that.
Thanks
Avatar
Got a physical from a P20 Pro but the user partition wasn't supported by decryption with the tool (XRY). I've pulled the BIN and tried to run it through Passware with no luck. Anyone have any ideas if it's possible to bruteforce? (edited)
Avatar
Oxygen fails on data extraction, but I did run it to return hardware keys, which has seemingly succeeded, so I have an encrypted bin and keys.json (edited)
Avatar
You should be able to load the bin in Oxygen and provide the keys.json
Avatar
Yeah, I thought I should be able to do that. I'm not overly familiar with Oxygen; I've attempted the import backup option and given it the BIN, but I don't know where to provide the JSON, there is just a password option. If I continue the process it just starts importing the data in its encrypted state
📬 1
oxygen 1
Avatar
Oxygen creates its own description file about the backup and the keys. Creating or adjusting such a file could work in your case. I'm sure someone at @Oxygen Forensics can help you with this.
👍 2
Avatar
Avatar
LM
Got a physical from a P20 Pro but the user partition wasn't supported by decryption with the tool (XRY). I've pulled the BIN and tried to run it through Passware with no luck. Anyone have any ideas if it's possible to bruteforce? (edited)
Dmitry Sumin 8/31/2024 10:57 AM
Another option would be to extract again using Passware Kit Mobile
this 1
Salute 1
Avatar
Avatar
Dmitry Sumin
Another option would be to extract again using Passware Kit Mobile
Thanks for the suggestion. Yeah, when I did a little research I saw Passware Kit Mobile being mentioned; sadly I only have Passware Kit Forensics (edited)
📫 1
Avatar
SuperSleuth 9/1/2024 11:41 AM
Need urgent assistance with Inseyets 10.3. Running a watchlist on an FFS, and when I click apply it tells me that it is applying changes for the watchlist and will take a few minutes. My list is 60 words but nothing seems to be happening: no progress bar, no circle, and I can click the apply button again because it is not grayed out. Tried it once and let it sit for several hours and no change. Is there something I am missing? Thanks so much! I have an urgent deadline ASAP. Yes, on a holiday weekend!
Avatar
Avatar
SuperSleuth
Need urgent assistance with Inseyets 10.3. Running a watchlist on an FFS, and when I click apply it tells me that it is applying changes for the watchlist and will take a few minutes. My list is 60 words but nothing seems to be happening: no progress bar, no circle, and I can click the apply button again because it is not grayed out. Tried it once and let it sit for several hours and no change. Is there something I am missing? Thanks so much! I have an urgent deadline ASAP. Yes, on a holiday weekend!
CLB-DannyTheModeler 9/1/2024 1:51 PM
Your watchlist is running, look for the Notification Bubble (Bottom Right corner), or check the Notification Center (Bell in the Top Right corner) to see when it is done. (edited)
👍 1
Avatar
Avatar
JLindmar (83AR)
Yes, YouTube was active (foreground) on my phone. As @whee30 stated, as I scroll through my feed on the "Home" screen of the app, when a video in my feed reaches a certain position on my display, the video "preview" will autoplay, which appears to cause the creation of .exo file(s) in /storage/emulated/0/Android/data/com.google.android.youtube/cache/exo/[#] folders on my unrooted, Android 10 device with YouTube 18.06.35. (edited)
Just following up on your post from about 1.5 years ago, so it might take a bit of time to clean the dust off this thread... 😀 I am working a file where I have a series of .exo files contained in the .../files/streaming/ directories of the Snapchat application folder on an Android device. There are a couple of .exo files that have embedded video files that Cellebrite has decoded. One of these files says that it's 54 seconds long, but only plays 7 seconds of video before the video frame freezes and stops, while the audio continues in the background, though not for the full 54 seconds. One of my theories that I haven't had time to test yet is whether these 7 seconds of encoded video are the amount of video played on the device's screen before the user possibly swiped past it and on to other content... Does this sound possible from what you recall in your testing?
Avatar
Hi all. Looking for the pref. plist which says if Photos is activated on sync. I did this earlier using the "cloudServiceEnableLog.plist", but the file does not exist on my current device, an iPhone 11, iOS 17.5.1. Can anyone help me find the file which holds the "cloud sync settings"?
Avatar
Hi all, got a hidden calculator app com.hld.anzenbokusucal. Does anyone know how to find out the code to access the hidden files?
Avatar
Avatar
j_matas
Hi all. Looking for the pref. plist which says if Photos is activated on sync. I did this earlier using the "cloudServiceEnableLog.plist", but the file does not exist on my current device, an iPhone 11, iOS 17.5.1. Can anyone help me find the file which holds the "cloud sync settings"?
ScottKjr3347 9/2/2024 7:40 AM
Have you checked the following: /private/var/mobile/Media/PhotoData/CPL/syncstatus.plist Key/node: cloudAssetCountPerType Key/node: iCloudLibraryExists Key/node: lastSyncDate
Avatar
Avatar
obi95
Hi all, got a hidden calculator app com.hld.anzenbokusucal. Does anyone know how to find out the code to access the hidden files?
This week I have been looking at another Android application designed to keep files secure. ‘Calculator – hide photos’ has many features, including a vault ‘…Through t…
Decrypt files from Calculator - photo vault - com.hld.anzenbokusucal - Magpol/decryptCalculatorPhotoVault
Avatar
Each file can be decrypted in this way. There is no correlation between the pattern and the encryption key. Regardless of the pattern lock the Key and IV are the same in each instance of the application.
ROTFL 🤣
Avatar
Avatar
CLB-DannyTheModeler
Your watchlist is running, look for the Notification Bubble (Bottom Right corner), or check the Notification Center (Bell in the Top Right corner) to see when it is done. (edited)
SuperSleuth 9/2/2024 9:08 AM
Thank you!
9:09 AM
Anyone having trouble with a CB Reader report produced from Inseyets not being downloadable due to the client's virus protection?
Avatar
Tried that before but it didn't work, as they've changed the encryption method from what I can tell.
📬 1
Salute 1
Avatar
Avatar
SuperSleuth
Anyone having trouble with a CB Reader report produced from Inseyets not being downloadable due to the client's virus protection?
Zip it?
Avatar
SuperSleuth 9/2/2024 10:00 AM
Will give that a try! Thanks!
Avatar
Avatar
SuperSleuth
Will give that a try! Thanks!
Probably nothing about Reader but about the .exe file (you can try a password-protected zip + file listing disabled if a standard zip isn't working)
Avatar
Avatar
obi95
Hi all, got a hidden calculator app com.hld.anzenbokusucal. Does anyone know how to find out the code to access the hidden files?
@bang is pretty good with these (assuming its actually encrypted etc)
Avatar
Another Random Swede 9/2/2024 1:10 PM
Does anyone have suggestions for a mobile forensic software that can parse Revolut for iOS? Only seen "ADF" when searching for it online.
Avatar
Avatar
ScottKjr3347
Have you checked the following: /private/var/mobile/Media/PhotoData/CPL/syncstatus.plist Key/node: cloudAssetCountPerType Key/node: iCloudLibraryExists Key/node: lastSyncDate
Thanks.. I had opened the file 100 times (almost) but was not quite sure if it was it, because the last time I had a case with this question, it was so obvious in the cloudserviceenablelog.plist. Thanks so much for clarifying. So if iCloudLibraryExists is true and the last sync date is rather new, one can trust that it is syncing photos to iCloud
Avatar
Avatar
Rob
@bang is pretty good with these (assuming its actually encrypted etc)
Definitely think it's encrypted. I did use the default decryption key provided in the article on the media database, which spat out the original file paths, names, encrypted names and their new location within that app, but I think they've changed it to 128 characters from the original 32 characters. Managed to get the recovery password after digging around but not sure how to get to that point in the app where I can enter it.
Avatar
Avatar
obi95
Definitely think it's encrypted. I did use the default decryption key provided in the article on the media database, which spat out the original file paths, names, encrypted names and their new location within that app, but I think they've changed it to 128 characters from the original 32 characters. Managed to get the recovery password after digging around but not sure how to get to that point in the app where I can enter it.
DM
Avatar
Avatar
j_matas
Thanks.. I had opened the file 100 times (almost) but was not quite sure if it was it, because the last time I had a case with this question, it was so obvious in the cloudserviceenablelog.plist. Thanks so much for clarifying. So if iCloudLibraryExists is true and the last sync date is rather new, one can trust that it is syncing photos to iCloud
ScottKjr3347 9/3/2024 4:55 AM
I would recommend reading https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ There is mention of what was observed when I turned off iCloud Photos. I always encourage people to test and verify for themselves.
Avatar
More of a general question. Has anyone had a chance to extract a phone with the iOS 18 beta and the lock app feature enabled on an app? I'm curious if the locked app feature actually encrypts the app database until unlocked too, or if it is just launching the app that is locked. (edited)
Avatar
Avatar
SuperSleuth
Anyone having trouble with a CB Reader report produced from Inseyets not being downloadable due to the client's virus protection?
We have a similar issue. Sophie blocks the CEFSharp component used by Inseyets as a virus
Avatar
Is anyone aware of a scenario where a 5005.JPG thumbnail file persists on an iPhone, but the original image and its record in the photos.sqlite database are gone? I completed testing on an iOS 16 device, and permanently deleting the photo from the local device and then, in another test, permanently deleting from the iCloud account both resulted in the 5005.jpg being removed as well as the photos.sqlite record and the original image.
Avatar
Avatar
jabaj@y
Is anyone aware of a scenario where a 5005.JPG thumbnail file persists on an iPhone, but the original image and its record in the photos.sqlite database are gone? I completed testing on an iOS 16 device, and permanently deleting the photo from the local device and then, in another test, permanently deleting from the iCloud account both resulted in the 5005.jpg being removed as well as the photos.sqlite record and the original image.
The default naming convention for IOS is IMG_XXXX.JPG and when this number reaches IMG_9999.JPG it resets to IMG_0001.JPG (or HEIC). Performing timeline analysis may assist in determining if this has occurred on the device you are analysing. Use the thumbnail metadata to correlate.
jabaj@y
Is anyone aware of a scenario where a 5005.JPG thumbnail file persists on an iPhone, but the original image and its record in the photos.sqlite database is gone? I completed testing on an iOS16 device and permanently deleting the photo from the local device and then, in another test, permanently deleting from the iCloud account both resulted in the 5005.jpg being removed as well as the photos.sqlite record and the original image.
Have you tried sending the photo and then deleting it?
GrannySmi1th 9/3/2024 9:54 PM
Hello all, I am wondering if anyone might be able to share some insight on an explanation for why you might see two of the same Biome/knowledgeC entries consecutively without the opposing value. My current instance for example is two ‘AirplaneModeOff’ entries seen consecutively without an ‘AirplaneModeOn’ entry. I have checked in the database and it shows the same. (edited)
Need some help with a Telegram database on iOS. I have a suspect who used a Telegram group between 2019 and 2021 on an iPhone. I think the group has changed names several times and people have come and gone. @Cellebrite PA decodes a single chat with a single chat ID from 2019 to 2021 and gives it the latest group name. @Magnet Forensics AXIOM decodes the chat in two groups - 1) 2019-2020 with old group name and a chat ID that is the same as Cellebrite and 2) 2020-2021 with new group name and a completely different chat ID. Clearly I need to figure this out in the DB but it’s a complete mess, any good resources or blogs or tools to sort it out?
busted4n6
Need some help with a Telegram database on iOS. I have a suspect who used a Telegram group between 2019 and 2021 on an iPhone. I think the group has changed names several times and people have come and gone. @Cellebrite PA decodes a single chat with a single chat ID from 2019 to 2021 and gives it the latest group name. @Magnet Forensics AXIOM decodes the chat in two groups - 1) 2019-2020 with old group name and a chat ID that is the same as Cellebrite and 2) 2020-2021 with new group name and a completely different chat ID. Clearly I need to figure this out in the DB but it’s a complete mess, any good resources or blogs or tools to sort it out?
CLB_4n6s_mc 9/4/2024 4:36 AM
@busted4n6 I would look at this webinar first : https://cellebrite.com/en/deep-dive-into-telegram/ then if you have questions contact Cellebrite Support, who will escalate if needed.
👍 1
It’s a mess. I understand what has happened contextually - two groups of people have merged their group chat (I don’t know if you can do that in TG literally) but I don’t understand forensically why different tools are reporting different group names
4:38 AM
Cellebrite appears to report the current group name, AXIOM appears to split the chat
busted4n6
It’s a mess. I understand what has happened contextually - two groups of people have merged their group chat (I don’t know if you can do that in TG literally) but I don’t understand forensically why different tools are reporting different group names
CLB_4n6s_mc 9/4/2024 4:38 AM
Checking the source is the only way to understand it, and using Cloud Analyzer should also help (edited)
Yes I’ll have to watch video as it looks like a mess of encrypted and encoded nonsense haha
PhrostByte 9/4/2024 7:27 AM
Hi, a law firm sent me some phone extractions made with Wondershare. I'm about to try and open them with Cellebrite and AXIOM, is there anything I need to know? Is this even possible?
Mistercatapulte 9/4/2024 8:55 AM
Good day all, I have the Wizz app on an iPhone, not able to parse it with the usual forensic tools. Anyone have an idea or script for this one? Thx (edited)
PhrostByte
Hi, a law firm sent me some phone extractions made with Wondershare. I'm about to try and open them with Cellebrite and AXIOM, is there anything I need to know? Is this even possible?
chrisforensic 9/4/2024 10:29 AM
Hi, if you have access to Oxygen Forensic Detective, you can give a try... should be possible to import
Salute 1
Has anyone integrated any form of recording application when conducting the decode and analysis? A way of showing exactly what was done in the image - for example capturing within PA what screens and images or search terms were used? I was surprised there is no forensic logging method like in amped image analysis? I was thinking of using something like the windows steps program that captures each screen whenever the mouse is clicked within a program?
Mobiledit does screenshots of user interaction and bundles this with the report.
RichardG
Has anyone integrated any form of recording application when conducting the decode and analysis? A way of showing exactly what was done in the image - for example capturing within PA what screens and images or search terms were used? I was surprised there is no forensic logging method like in amped image analysis? I was thinking of using something like the windows steps program that captures each screen whenever the mouse is clicked within a program?
JLindmar (83AR) 9/4/2024 12:04 PM
Steps Recorder is being deprecated (https://prod.support.services.microsoft.com/en-us/windows/steps-recorder-deprecation-a64888d7-8482-4965-8ce3-25fb004e975f). I currently use the Xbox Game Bar (Windows + Alt + Print Screen) to grab screenshots of software settings, etc. when documenting my examinations. I like that the Game Bar names the screenshots with the name of the active window + timestamp and automatically saves them to a folder. X-Ways Forensics (XWF) can also take a screenshot of every settings screen that you click "Ok" on if you configure your XWF case to do so. (edited)
FullTang
Have you tried sending the photo and then deleting it?
As in sending the photo in a messaging application? I figured that would just create a different thumbnail and image within the messaging app container, but I haven't tested that yet so will give it a go. Thank you!
👍 1
RichardG
Has anyone integrated any form of recording application when conducting the decode and analysis? A way of showing exactly what was done in the image - for example capturing within PA what screens and images or search terms were used? I was surprised there is no forensic logging method like in amped image analysis? I was thinking of using something like the windows steps program that captures each screen whenever the mouse is clicked within a program?
IMHO that would not make sense. Once the forensic acquisition is done, the data is hashed and other analysts can replicate the findings if needed... Moreover the analysis process includes a lot of trial and error, sometimes dead ends, and so on. Things that are useless or you might not want to include in a "log" as they would pollute it. Taking screenshots manually may be useful though, but I would argue against logging every step taken in analyzing the forensic copy after that one is done. (edited)
nullbytes
Morning all, anyone know if a good shared repository for Cellebrite python scripts? Hoping there was a community of likeminded folk that use them for special reporting or analytics.
equalexpert 9/5/2024 1:14 AM
Morning, did you manage to come accross any? Im after some as a starting point for my own
chrisforensic 9/5/2024 2:13 AM
heyho folks @Cellebrite ... Bitdefender updates are only available via online update in PA? Because I see just an old definition on the customer portal. I need an offline update file for an (offline) workstation where one of our investigators works. Is it possible to get the offline update somewhere? Thanks (edited)
chrisforensic
heyho folks @Cellebrite ... Bitdefender updates are only available via online update in PA? Because I see just an old definition on the customer portal. I need an offline update file for an (offline) workstation where one of our investigators works. Is it possible to get the offline update somewhere? Thanks (edited)
CLB_4n6s_mc 9/5/2024 2:14 AM
@chrisforensic please open ticket to support and we will handle it thanks
👍 1
CLB_4n6s_mc
@chrisforensic please open ticket to support and we will handle it thanks
chrisforensic 9/5/2024 2:20 AM
Hm, did you understand me? On the customer portal there is just an old update from 2023 and not a current one... (edited)
equalexpert
Morning, did you manage to come accross any? Im after some as a starting point for my own
Unfortunately no responses that I saw
Mistercatapulte 9/5/2024 6:57 AM
@chrisforensic tips: go to C:\Program Files\Cellebrite Mobile Synchronization\Ultra Physical Analyzer, copy the bitdefenderupdate folder and copy it onto the offline station to update
6:58 AM
make the update by using this folder
chrisforensic
Hm, did you understand me? On the customer portal there is just an old update from 2023 and not a current one... (edited)
I'm guessing they are saying to open a ticket to prompt them to update the virus definition. It will get to the right person eventually.
Lazza
IMHO that would not make sense. Once the forensic acquisition is done, the data is hashed and other analysts can replicate the findings if needed... Moreover the analysis process includes a lot of trial and error, sometimes dead ends, and so on. Things that are useless or you might not want to include in a "log" as they would pollute it. Taking screenshots manually may be useful though, but I would argue against logging every step taken in analyzing the forensic copy after that one is done. (edited)
The log would be to show the level of collateral intrusion. For example our warrant covers recovery of data from one specific date; how do you prove to the Court you didn’t go ‘fishing’ through the other data on the device? Or where you are authorised to view the images but you go looking through messages instead. If the program logged every access / view then you could stand over it in court easily
RichardG
The log would be to show the level of collateral intrusion. For example our warrant covers recovery of data from one specific date; how do you prove to the Court you didn’t go ‘fishing’ through the other data on the device? Or where you are authorised to view the images but you go looking through messages instead. If the program logged every access / view then you could stand over it in court easily
Nothing stops you from making two clones of the same forensic acquisition, go fishing on one and submit the other one (with pristine logs) to the court...
Mistercatapulte
make the update by using this folder
chrisforensic 9/5/2024 9:36 AM
Oh, thanks for the tip 👍 seems to be easy 😉 will test on weekend when at work
Mistercatapulte 9/5/2024 9:37 AM
@chrisforensic let me know if it works 🙂
Lazza
Nothing stops you from making two clones of the same forensic acquisition, go fishing on one and submit the other one (with pristine logs) to the court...
Sssh. lol
Once you have established when the original image was created (was it created in the current batch of 9999 photos, or a previous batch) you can then further analyse what happened after this photo was created, because you have a time reference to work from. i.e. what happened to the photo after this creation date? Was a screenshot taken of the photo, was it sent as an attachment via a messaging app and finally was it deleted.
Lazza
Nothing stops you from making two clones of the same forensic acquisition, go fishing on one and submit the other one (with pristine logs) to the court...
Turns out XRY has an audit log function so someone’s thought about it 😀
👍 1
Has someone else the same problems in @Cellebrite PA 10.3? --In Telegram chats the owner number is not labeled, the chats are arranged among each other without the owner messages being arranged on the right and are not highlighted in a different color --Exports of Zangi chats contain the whole chat three times. No matter if PDF, HTML or Word export.
📫 1
Any guidance on best way to review Google Drive items? I see PA 7.69 parses drive, but I don't see a section in Analyzed data for it. Any tips are appreciated.
tost
Has someone else the same problems in @Cellebrite PA 10.3? --In Telegram chats the owner number is not labeled, the chats are arranged among each other without the owner messages being arranged on the right and are not highlighted in a different color --Exports of Zangi chats contain the whole chat three times. No matter if PDF, HTML or Word export.
For the Telegram point, most likely the Telegram version isn't supported fully / version is too new. Check the installed version on device vs supported version on PA. Telegram version can be checked in "Installed Apps" section (edited)
chrisforensic 9/6/2024 11:32 AM
@Mistercatapulte @4N6Matt hi mates, found an easy solution for the PA Bitdefender Offline Updates 😉 I just use the Malware Definitions Downloader to download the latest definitions, the file will be downloaded in the same folder... I gave the file to the examiner who updated directly in PA and all is good 🙂 (edited)
😉 1
11:32 AM
chrisforensic
@Mistercatapulte @4N6Matt hi mates, found an easy solution for the PA Bitdefender Offline Updates 😉 I just use the Malware Definitions Downloader to download the latest definitions, the file will be downloaded in the same folder... I gave the file to the examiner who updated directly in PA and all is good 🙂 (edited)
Mistercatapulte 9/6/2024 1:26 PM
Path and folder are a bit different between PA and PA Inseyets, but it's the same result
👍 1
RichardG
We have a similar issue. Sophos blocks the CEFSharp component used by Inseyets as a virus
SuperSleuth 9/7/2024 11:25 AM
I spoke with CB support yesterday and they told me that Windows Defender is the only antivirus that can be used and apparently does not block any Inseyets files.
CIF
Any guidance on best way to review Google Drive items? I see PA 7.69 parses drive, but I don't see a section in Analyzed data for it. Any tips are appreciated.
CLB - Ofri 9/8/2024 8:48 AM
Hey, Google Drive folders should appear under File System in PA
CLB - Ofri
There are a lot of different scenarios where a file is saved in the content manager folder, first if you are using PA you could look in the Media section for the file and make sure it's not attached to any message/post/upload. If you look in the cache_controller.db CACHE_FILE_CLAIM table for the file name you should find a relevant record with MEDIA_CONTEXT_TYPE value, this can provide more info, for example if the value is 3 this means it was sent through chat. If it has a different value or you need further help shoot me a DM
do you know any other media context types? particularly 19...
Mike_H
Trying to find a match on a value buried within a binary plist field of a SQLite DB table. Anyone know of or use a good tool that decodes the binary plist field and allows you to do a DB or table-wide search for a specific value within the bplists? I know tools like Cellebrite and others allow you to view and drill down into the individual bplists, but when you perform a table or project wide search they don't go through the plists as part of the search... When you are viewing the individual bplists, you can search for a value, but the problem I have is that I have a table of ~5000 records, each record contains a bplist field and I'm trying to see if one of those binary plists contains a particular value. Hopefully that makes sense.... Thanks in advance for any help.
don't know if you ever had a response to this (just searched for 'snapchat' and it came up), but RabbitHole will search plists
👍 1
📬 1
5:35 AM
does anyone know how to determine which participant saved a message in a Snapchat chat (iOS)? I can see the 'is_saved' column, but nothing that jumps out that tells me which user saved it (edited)
chms17
do you know any other media context types? particularly 19...
CLB - Ofri 9/9/2024 5:36 AM
19 is memories snap, should be either My Eyes Only or normal memories
👍 1
CLB - Ofri
19 is memories snap, should be either My Eyes Only or normal memories
I thought this, I can see 'snap-media-<GUID>' and 'g-media-<GUID>' in the external_key column related to 19s, do you know what the difference between these is?
📬 1
5:40 AM
Also is there any way to determine how something ended up in memories? for example looking at my own snapchat account I have old posts that have appeared there by me actually posting them on snapchat (I believe to my stories), and I have other stuff that appears in there from my camera roll that has definitely never been shared on Snapchat. is there a way to determine whether stuff has been shared or just ended up there via the camera roll being linked? I have checked photos.sqlite to see if the stuff was filmed using the device camera, looks like it was filmed using Snapchat, but I can't see that it has actually been distributed at all
5:40 AM
I have tried matching external/cache keys with messages to no avail, but that may just be that the messages have expired...
CLB - Ofri
Hey, Google Drive folders should appear under File System in PA
Awesome - thanks! I see google photos under the file system tree, but no google drive. I'm 100% sure that there is a bunch of google drive data on the device.
SuperSleuth 9/9/2024 10:49 AM
@Oxygen Forensics - making sure I am not missing anything to help with activity at the time of an auto accident. Not terribly familiar with Oxygen. I have Chrome webpages with dates and can’t locate any times associated with the page visits. Phone is a LG Stylo 5. Extraction says (MOA). What does MOA stand for and would I expect to see times from an Android Agent Extraction? Thanks!
📬 1
oxygen 1
I'm working with a FFS extraction of a Google Pixel 3 and looking into Snapchat artifacts. I have image and video files stored under data/0/media/DCIM/Snapchat/ and was under the impression these files are getting stored here when the device user captures photos or videos using the device's built-in camera. I have come across two files in DCIM/Snapchat/ using the naming Snapchat-########.jpg that contain the same image (matching content and matching hash values) but have different file names, eg. Snapchat-324534643.jpg and Snapchat-12344512.jpg, along with modified dates that differ by approximately a day. I am still looking into what's up with these two files, but I was under the impression that only content captured with the device's camera was getting placed in this folder. Just one last note on this, I have checked time-lining and around the modified timestamp associated with each of the images, a Snapchat Memories posting of the respective image files shows as being created. Any advice on this would be appreciated. Just to add to my post, I’ve noticed in the external.db on Android in the files table, none of the image (.jpg) files associated with Snapchat have a DATETAKEN value, whereas all of the video (.mp4) files associated with Snapchat have DATETAKEN populated. Does anyone know why this is? The Snapchat images have nothing really for EXIF data, whereas the videos have associated EXIF data. (edited)
Does anyone have any particular understanding of Biome remote app launches? I have records of Snapchat being launched on a different device, but the associated GUID doesn't show up in the DevicePeer table in sync.db. Is there any other way to identify this device? Is that an indication the other device is no longer syncing with iCloud? Any advice would be much appreciated
Hello. Has someone knowledge about the app "element messenger" on an iPhone?
@CPZ end to end encrypted messenging app.
Has anyone troubleshot an issue relating to the final step in parsing a backup via the new Inseyets? It seems stuck on "Finishing Extraction Info" but information seems populated in analyzed data and does not seem to be updating. Worried it's just held up when it's actually finished for some reason. It's been 1+ hour on this stage.
Bring up the trace window and see what it’s doing there (edited)
RichardG
Bring up the trace window and see what it’s doing there (edited)
Yeah its stuck on the last phase, I just said that.
Whatsapp decoding in @Cellebrite UFED: If I pull the wider Whatsapp database and look at thumbnails it clearly identifies the number these thumbnails are associated with however UFED makes no attempt to insert these into the message thread or ID the associated number in the images section. Is this UFED missing a trick or is it generally accepted that manual interrogation of third party databases has to happen above and beyond push button processing to ensure all bases are covered?
CPZ
Hello. Has someone knowledge about the app "element messenger" on an iPhone?
What knowledge are you after? I had a case relating to Element, full file system pulled the data but it was encrypted. It did however pull the images, which is what led me to look at it more in the first place. I just ended up doing a manual review and taking pictures of the chats
theshark
Yeah its stuck on the last phase, I just said that.
Ah sorry. I recalled the trace showing much more detail than that, with the actual running module name etc. I’ll check when in later today. Is it 10.3?
Hello ! anyone from @Cellebrite for a question on Inseyets please ?
📫 1
Anyone have any suggestions on how to decrypt / bypass the hardware backed keystore on a pixel 7 when decoding session data? I’ve found a guide which uses virtualisation, bypassing the hardware backed state of the original device, but we don’t currently have any software which will facilitate this. Any suggestions appreciated, thanks
Jeeper
Whatsapp decoding in @Cellebrite UFED: If I pull the wider Whatsapp database and look at thumbnails it clearly identifies the number these thumbnails are associated with however UFED makes no attempt to insert these into the message thread or ID the associated number in the images section. Is this UFED missing a trick or is it generally accepted that manual interrogation of third party databases has to happen above and beyond push button processing to ensure all bases are covered?
I am not sure I am following the question. Do you mean that UFED is ignoring / not showing the thumbnails in the chat view, if the full size picture is not available?
Another Random Swede 9/11/2024 3:47 AM
Hello, I am trying to manually decrypt a Signal database on a Samsung Galaxy S6 running Android 7. I was able to retrieve a physical extraction using CB which at first didn't get the decryption key, but after disabling the screen lock and opening Signal it did. However PA says it's unable to find the decryption key for Signal. Exporting /userdata/misc/keystore/user_0/<appid>_USRSKEY_SignalSecret and trying to use the offset from 2D to 3C doesn't work. The example below of how his "SignalSecret" looks and another example I found both show that preceding the offset there is a "-" followed by zeroes (".") and the offset neatly fits the value before a lot of zeroes. When I open my SignalSecret in a hex viewer it doesn't look anything like the example below or the other example. Following these instructions: https://rado0z.github.io/Decrypt_Android_Database
keystore on Android is encrypted. That instruction is valid, but only if you can get decrypted keystore. Otherwise SignalSecret is not the correct one
4:20 AM
try running smart flow, and do extract tokens. It should automatically get you the correct key for signal
Arcain
keystore on Android is encrypted. That instruction is valid, but only if you can get decrypted keystore. Otherwise SignalSecret is not the correct one
Another Random Swede 9/11/2024 4:37 AM
Thanks! Will try it
If I am looking at “keepMessagesVersionID : integer = 5” within mobileSMS.plist. Does this mean the setting was changed 3 times on the device or on the iCloud account?
6:22 AM
UPDATE: Device only (edited)
RichardG
Ah sorry. I recalled the trace showing much more detail than that, with the actual running module name etc. I’ll check when in later today. Is it 10.3?
All good it finished up!
chms17
does anyone know how to determine which participant saved a message in a Snapchat chat (iOS)? I can see the 'is_saved' column, but nothing that jumps out that tells me which user saved it (edited)
It's usually buried at the end of the message_content protobuf, i can dm exactly where and how to parse it tomorrow
👍 1
chms17
Also is there any way to determine how something ended up in memories? for example looking at my own snapchat account I have old posts that have appeared there by me actually posting them on snapchat (I believe to my stories), and I have other stuff that appears in there from my camera roll that has definitely never been shared on Snapchat. is there a way to determine whether stuff has been shared or just ended up there via the camera roll being linked? I have checked photos.sqlite to see if the stuff was filmed using the device camera, looks like it was filmed using Snapchat, but I can't see that it has actually been distributed at all
Yes, you can usually find enough info to be pretty certain where a memory originates from in the scdb-27 database. It's not very straightforward though... Can try to guide you via DM if you need it
👍 1
Hi, I have a Samsung phone that I check using Cellebrite. Is there a way to know the history of when the user opened / watched a movie?
DrZ
DrZ
Hi, I have a Samsung phone that I check using Cellebrite. Is there a way to know the history of when the user opened / watched a movie?
burgers_N_bytes 9/11/2024 12:01 PM
Do you have a FFS or logical acquisition
Anyone got good explanation of "SuspendTime" in mobileSMS.plist?
Lazza
I am not sure I am following the question. Do you mean that UFED is ignoring / not showing the thumbnails in the chat view, if the full size picture is not available?
Hi - Sorry - Time Zone difference: Yes, the images when viewed in an external database viewer clearly show the associated number they are related to, but Cellebrite within Inseyets makes no such correlation.
Jeeper
Hi - Sorry - Time Zone difference: Yes, the images when viewed in an external database viewer clearly show the associated number they are related to, but Cellebrite within Inseyets makes no such correlation.
I see, so it's like a parsing problem. Do you have other tools to try for the parsing?
Lazza
I see, so it's like a parsing problem. Do you have other tools to try for the parsing?
Yes, we can use a DB explorer to manually compile this evidence but it would be nice to see this done by Cellebrite.
chrisforensic 9/11/2024 11:46 PM
Heyho folks @Oxygen Forensics ... short question... is it possible to calculate MD5-hashes for an extraction "after" importing an extraction, or do I have to import the extraction again with activated MD5 hashing?
11:51 PM
To exclude the known files i need the MD5-hashes...
chrisforensic
Heyho folks @Oxygen Forensics ... short question... is it possible to calculate MD5-hashes for an extraction "after" importing an extraction, or do I have to import the extraction again with activated MD5 hashing?
Oxygen Forensics 9/11/2024 11:52 PM
Hello, not at the moment, no. You will need to run re-import😔
Oxygen Forensics
Hello, not at the moment, no. You will need to run re-import😔
chrisforensic 9/11/2024 11:53 PM
Ok, thanks for info 👍
Jeeper
Yes, we can use a DB explorer to manually compile this evidence but it would be nice to see this done by Cellebrite.
I was thinking more like Mobiledit or other options... I don't remember if aLeapp does WhatsApp, probably Avilla Forensics does it, as well But I see your point
What is the best way to export chatbubbles only from a reader report? Feels like whatever we try it does not include this even when the checkbox has been checked.
📫 1
Hello. Just got a FFS with Cellebrite on a Xiaomi Redmi Note 11 PRO, OS version 12 and found in there a signal backup. Is there any way I can get the passphrase out of this extraction?
Johnie
What is the best way to export chatbubbles only from a reader report? Feels like whatever we try it does not include this even when the checkbox has been checked.
CLB-DannyTheModeler 9/12/2024 2:08 AM
You need to make sure that you're not asking Reader to generate the Tags Table Only, otherwise, it will do exactly as you ask. 😃
👌 1
Is there any artifact for calls made with Siri? Besides the usual timelining around the call and looking related artifacts, is this stored anywhere in callhistory.storedata?
burgers_N_bytes
Do you have a FFS or logical acquisition
I have a FFS
Can anyone confirm this account - XXXX number is the number associated with the logged in user
11:59 AM
Trying to tie this number to an account name
Can anyone help me fully grasp "Source: Recents". I have old phones / extractions that have more Recent junk than real native messages when they are parsed. Is this an iCloud staging area for messages that are meant to go to the cloud? I know many people blame it on Cellebrite older parsing versions but I feel like there is more to it. (edited)
theshark
Can anyone help me fully grasp "Source: Recents". I have old phones / extractions that have more Recent junk than real native messages when they are parsed. Is this an iCloud staging area for messages that are meant to go to the cloud? I know many people blame it on Cellebrite older parsing versions but I feel like there is more to it. (edited)
if I recall correctly Recents is parsing the recents database showing metadata of interactions, not the content of it. Say the user deleted the text messages and said they never spoke or sent a message to the second party, Recents might still show there was an interaction between the parties (edited)
👍 2
Hello, do you know if there is a way to determine the creation date of a Snapchat account (on iOS), knowing that this account was not created on the analyzed phone?
Greg
Hello, do you know if there is a way to determine the creation date of a Snapchat account (on iOS), knowing that this account was not created on the analyzed phone?
what sort of extraction do you have?
Greg
FFS
If it's the currently logged in account physical analyser should decode it
4:49 AM
it's from primary.docobjects I think but I can't remember which row in the userinfo_coreuserdata table it is
🙏 1
Hello👋 I successfully read the phone with Passware Kit Mobile 2024 v3. Passware has successfully decrypted the Signal app file "signal.db". However, I don't know which program could parse this file, to make it human readable. I tried to do this with AXIOM and UFED but without success; the programs do not see messages from the "signal.db" file. Using SQLite I can see the text of the messages.
arforensic
arforensic
Hello👋 I successfully read the phone with Passware Kit Mobile 2024 v3. Passware has successfully decrypted the Signal app file "signal.db". However, I don't know which program could parse this file, to make it human readable. I tried to do this with AXIOM and UFED but without success; the programs do not see messages from the "signal.db" file. Using SQLite I can see the text of the messages.
rabbithole
5:27 AM
Developed by CCL’s R&D Centre of Excellence, RabbitHole sets a new standard in forensic data exploration tools.
Avatar
In general, all of the tools should handle it, but they may expect it encrypted, with a key, or just placed in the correct spot
5:30 AM
what happens if you "plant" decrypted db in its usual location, and try to decode it then?
Avatar
Avatar
Greg
Hello, do you know if there is a way to determine the creation date of a Snapchat account (on iOS), knowing that this account was not created on the analyzed phone?
Snap Takeout
Avatar
Avatar
Arcain
In general, all of the tools should handle it, but they may expect it encrypted, with a key, or just placed in the correct spot
If I replace the encrypted .db with an unencrypted one, the programs do not parse the messages. When I load the entire file system (.zip), which contains the original .db (encrypted), the messages are also not parsed.😕
Avatar
Avatar
chms17
rabbithole
Thank you🙏, as I understand it is possible to try it for 30 days for free?🧐 Does it analyze Signal.db automatically or do I need to connect the data manually? (edited)
Avatar
Avatar
arforensic
Thank you🙏, as I understand it is possible to try it for 30 days for free?🧐 Does it analyze Signal.db automatically or do I need to connect the data manually? (edited)
Yeah, 30 days free. You'll need to give it the SQL databases; it's just a database reader, but if they're encoded in some way you can reparse them etc.
👍 1
Avatar
Question for those much smarter than me, about the favorite app Snapchat. I have a case where we will say John and Jill are snapping back and forth; some videos/images are still inside the messages, others show as expired, yet there are thousands of cached images and videos, some of which appear to be cached around some of the messages. Is there a way to tie these cached images to what was sent/received? The unique naming convention of these files makes me think there has to be some rhyme or reason. Anyone know how to reverse tie these? I remember there being a way to do this with iOS DCIM cached images but not for Snapchat.
11:37 AM
I am reviewing a FFS of an iPhone 14 running iOS 17.5.1, snapchat version 13.1.0
Avatar
Hello all. Wish to ask if there is any way to read/bypass the pattern lock on a Redmi 13c. Thanks
Avatar
Mistercatapulte 9/14/2024 3:19 AM
@Aikon Hi, yes it's possible with commercial tools like GK or Premium to bruteforce it (you can't bypass the password on an FBE device) (edited)
❤️ 1
Avatar
@Mistercatapulte Thanks!
Avatar
@Mistercatapulte the latest OFD does not support it then.
Avatar
Mistercatapulte 9/14/2024 9:32 AM
@Aikon idk 😦
Avatar
@Mistercatapulte pity law enforcement is not like Judge Dredd. Imagine how much hassles in unlocking we could avoid.
😉 1
Avatar
Hi all. For an iPhone with iOS 17.5.1 we would like to check the unified logs, but the usual method of reconstructing a logarchive file (from the directories uuidtext, timesync, HighVolume, Signpost...) gives us the error message "log: Could not open log archive: The log archive is corrupt or incomplete and cannot be read." on Sonoma macOS. Does someone have an idea, or better, the solution?
Avatar
You can pull the logs directly from the device using UFADE or Lionel Notari's iOS Unified Logs acquisition tool
👍🏻 2
❤️ 1
👍 1
Avatar
Avatar
rico
Hi all. For an iPhone with iOS 17.5.1 we would like to check the unified logs, but the usual method of reconstructing a logarchive file (from the directories uuidtext, timesync, HighVolume, Signpost...) gives us the error message "log: Could not open log archive: The log archive is corrupt or incomplete and cannot be read." on Sonoma macOS. Does someone have an idea, or better, the solution?
Lionel Notari 9/15/2024 3:43 AM
@rico Hello, it’s not the first time I see this issue when "manually" reconstructing the Logarchive. @prosch said it all (thanks !), you can extract the logarchive directly from the phone with the tools he mentioned. Finally, (self advertisement part), I've documented on my blog some Unified Logs that can be interesting to investigate: https://www.ios-unifiedlogs.com/blog Have a nice Sunday ! ☀
Dive into my Blog Articles focusing on iOS Unified Logs and tracev3 Investigation. Gain insights into digital forensics and uncover the secrets hidden in unified logs.
👍 1
Avatar
Thanks for your help. I have already read this great site (and learned many details). I would have liked to use this method, but we are more than 5 days from the facts. The extraction was not managed with this special manipulation, and as you know, over time the data is erased. That is why I use the reconstruction of the logarchive file. I don't know UFADE, so I will read its GitHub. They both seem like good tools.
Avatar
I am currently working on analysis of several devices (mostly Android) for a file involving Snapchat. I am really struggling trying to determine if a video was captured using Snapchat or simply saved from a chat or elsewhere using Snapchat on the device. For example, I have a "Snapchat-######.mp4" video artifact found in data/media/0/DCIM/Snapchat/ along with copies of this video stored in the Snapchat directory structure ending in .media.0 that all relate to a video being uploaded to Snapchat Memories. There are also related entries for the "Snapchat-#####.mp4" file in the external.db database with creation/modified/date taken values that all line up. I see in the memories.db database, memories_snap table, that the details for the snap again correspond to the device I am examining (it mentions the model number of the device in the SNAP_CREATE_USER_AGENT value). I guess what I am trying to say is: how do I know a Snapchat video has been recorded using the device camera it's found on with absolute certainty? Or is it a situation where I can only say, given all of the pieces lining up, that it was likely recorded using the device? It's just throwing things off for me with the ability to save photos and video as well as capture them through Snapchat. Thanks in advance for any assistance.
Avatar
Avatar
Mike_H
I am currently working on analysis of several devices (mostly Android) for a file involving Snapchat. I am really struggling trying to determine if a video was captured using Snapchat or simply saved from a chat or elsewhere using Snapchat on the device. For example, I have a "Snapchat-######.mp4" video artifact found in data/media/0/DCIM/Snapchat/ along with copies of this video stored in the Snapchat directory structure ending in .media.0 that all relate to a video being uploaded to Snapchat Memories. There are also related entries for the "Snapchat-#####.mp4" file in the external.db database with creation/modified/date taken values that all line up. I see in the memories.db database, memories_snap table, that the details for the snap again correspond to the device I am examining (it mentions the model number of the device in the SNAP_CREATE_USER_AGENT value). I guess what I am trying to say is: how do I know a Snapchat video has been recorded using the device camera it's found on with absolute certainty? Or is it a situation where I can only say, given all of the pieces lining up, that it was likely recorded using the device? It's just throwing things off for me with the ability to save photos and video as well as capture them through Snapchat. Thanks in advance for any assistance.
You can check the features Table in data\data\com.snapchat.android\databases\UUID/clientsearch.db
👍 1
7:49 AM
With luck there will be the capture artifacts (with the city of the geo-location)
7:54 AM
For video in the Snapchat directory of DCIM, the resolution isn't the same between recorded and captured video (but you can copy-paste into this directory however you want)
Avatar
Avatar
Mike_H
I am currently working on analysis of several devices (mostly Android) for a file involving Snapchat. I am really struggling trying to determine if a video was captured using Snapchat or simply saved from a chat or elsewhere using Snapchat on the device. For example, I have a "Snapchat-######.mp4" video artifact found in data/media/0/DCIM/Snapchat/ along with copies of this video stored in the Snapchat directory structure ending in .media.0 that all relate to a video being uploaded to Snapchat Memories. There are also related entries for the "Snapchat-#####.mp4" file in the external.db database with creation/modified/date taken values that all line up. I see in the memories.db database, memories_snap table, that the details for the snap again correspond to the device I am examining (it mentions the model number of the device in the SNAP_CREATE_USER_AGENT value). I guess what I am trying to say is: how do I know a Snapchat video has been recorded using the device camera it's found on with absolute certainty? Or is it a situation where I can only say, given all of the pieces lining up, that it was likely recorded using the device? It's just throwing things off for me with the ability to save photos and video as well as capture them through Snapchat. Thanks in advance for any assistance.
SNAP_CREATE_USER_AGENT always shows the current device regardless of what device created the memory, so be careful with that. That's how it has worked in the past few years at least; it's been some months since I tested it.
👍🏻 2
♥️ 1
Avatar
Hello, I got a list from Apple for a device registration for an IMEI: "iOS device activation data". It has a total of 35 entries. The first 3 entries have different timestamps. These could be activation dates. But then I have 32 entries with the exact same timestamp and same IMEI. Anyone know what that is? (edited)
Avatar
Team, reviewing an Android handset full file system extraction. We have located ProtonMail on the device and are trying to locate the PGP public key to attribute to the suspect. I have located some .db files which have nothing in them. Is anyone aware of other artifacts?
Avatar
Avatar
Oscar
SNAP_CREATE_USER_AGENT always shows the current device regardless of what device created the memory, so be careful with that. That's how it has worked in the past few years at least; it's been some months since I tested it.
Thanks for the response. With Snapchat, is there anything in particular that acts as a good indicator that a picture or video artifact saved on the device or posted to Snap Memories has been recorded using the device it's found on? Or is it a situation where none of the media found in Snapchat can reliably be said to have been captured using the device it's found on...
Avatar
Avatar
Mike_H
Thanks for the response. With Snapchat, is there anything in particular that acts as a good indicator that a picture or video artifact saved on the device or posted to Snap Memories has been recorded using the device it's found on? Or is it a situation where none of the media found in Snapchat can reliably be said to have been captured using the device it's found on...
On Android I haven't been able to find anything that's reliable enough to determine that. But on iOS the data in scdb-27.sqlite can be pretty good at determining that. But as I've heard you can now use your account on multiple devices (not just web) at once, that is sure to spice it all up again... (edited)
👍 1
Avatar
Avatar
Oscar
SNAP_CREATE_USER_AGENT always shows the current device regardless of what device created the memory, so be careful with that. That's how it has worked in the past few years at least; it's been some months since I tested it.
I did this exercise last week and confirmed it's still the same behavior for Android on the latest Snapchat update. Selecting an existing media file from the gallery or creating one directly in Snapchat will log the same value for this field in the db.
👍 1
Avatar
For several of the Snapchat Memories artifacts, they have the usual media file associated with them that has the .media.0 extension stored in the \data\data\com.snapchat.android\files\file_manager\memories_media\ folder, but some also have a Snapchat-#########.mp4 copy associated with them that is stored in the data\media\0\snapchat\ folder. Does the presence of this additional copy in the media path help lend to the belief that the image may have been captured using the device, or could it simply be a copy saved from a snap to the device's camera roll? As I am typing this reply, I am thinking that both explanations are possible and it is likely difficult to determine which occurred. Sorry for the ramble; Snapchat is simply driving me crazy on this file.
Avatar
Does the Samsung keyboard have any screenshot function and if so does it save it in com.samsung.honeyboard?
Avatar
Joe 🍿🍺 9/18/2024 1:33 AM
A OnePlus extracted with UFED shows network usage in 2hr intervals. We can see the phone was connected to different SSIDs sometime during 10pm - 12am, but it would help to know more exact times or at least in which order they were connected to. Any ideas what to look for?
Avatar
Wouter#0195 9/18/2024 4:13 AM
Anyone around for a question about OFD v17? @Oxygen Forensics
Avatar
Avatar
Wouter#0195
Anyone around for a question about OFD v17? @Oxygen Forensics
Oxygen Forensics 9/18/2024 4:14 AM
Hello, of course. DM'd 🙂
Avatar
Avatar
Mike_H
For several of the Snapchat Memories artifacts, they have the usual media file associated with them that has the .media.0 extension stored in the \data\data\com.snapchat.android\files\file_manager\memories_media\ folder, but some also have a Snapchat-#########.mp4 copy associated with them that is stored in the data\media\0\snapchat\ folder. Does the presence of this additional copy in the media path help lend to the belief that the image may have been captured using the device, or could it simply be a copy saved from a snap to the device's camera roll? As I am typing this reply, I am thinking that both explanations are possible and it is likely difficult to determine which occurred. Sorry for the ramble; Snapchat is simply driving me crazy on this file.
To help determine if the device was used to take the pictures, any chance there are indications the camera was engaged in a timeline just before Snapchat was used? For example, on a Motorola:
  • Prediction.db – \data_mirror\data_ce\null\0\com.motorola.moto\databases\Prediction.db. Table AppDataSet has headers timestamp, package, battery level.
  • memorypredict.db – \data_mirror\data_ce\null\0\com.motorola.moto\databases\memorypredict.db. Has app duration timestamps.
(edited)
Avatar
How are people producing reports from Physical Analyzer? The default reports are pretty bad; does anyone have a script or anything to produce something a bit better?
Avatar
Has anyone messed with iOS 18 yet? Do full file system extractions pull the apps in hidden folders?
Avatar
JLindmar (83AR) 9/19/2024 8:05 AM
Speaking of apps, we were given the ability to protect apps by using our lockscreen password to open them. This is more of a top-level UX based protection as it doesn’t seem to change the ability for our forensic tools to gain access to the data once a file system image has been acquired. Users have two options: the ability to hide the application from the home screen AND password protect it, or just password protect it.
https://www.magnetforensics.com/blog/a-look-into-ios-18s-changes/#:~:text=Speaking%20of%20apps,password%20protect%20it.
Discover key iOS 18 new features for forensic analysis, including app protections, RCS messaging, and scheduled iMessages for investigators.
👍 1
Avatar
Hidden is only a springboard option. It's not hidden in the filesystem.
Avatar
Avatar
JLindmar (83AR)
Speaking of apps, we were given the ability to protect apps by using our lockscreen password to open them. This is more of a top-level UX based protection as it doesn’t seem to change the ability for our forensic tools to gain access to the data once a file system image has been acquired. Users have two options: the ability to hide the application from the home screen AND password protect it, or just password protect it.
https://www.magnetforensics.com/blog/a-look-into-ios-18s-changes/#:~:text=Speaking%20of%20apps,password%20protect%20it.
I was looking for something like that. Thanks!
Avatar
@Elcomsoft @Cellebrite I have an iCloud Sync collection from Elcomsoft and it doesn't seem to be loading into Cellebrite Physical Analyzer properly. I've tried loading the iCloud Sync as an iTunes backup, but it's only displaying the media that was collected. I manually checked and confirmed there are messages in the sms.db, as well as other databases that were pulled, but they're not being decoded/parsed in Cellebrite. Are there any recommended steps to get this data loaded in?
📫 1
Avatar
Hey all, bit of a random question. Where exactly does iOS store cellular plan labels and other user-determined cellular and dual SIM-related settings? I know a user with dual SIMs can assign either predefined or custom labels like "personal" or "business" to each plan. They can specify a "default voice line" by designating a phone number as either "primary", "secondary," etc. They can also assign a preferred cellular plan for each contact. Does anyone know where records of these settings and assignments are stored? Update: looks like com.apple.commcenter.device_specific_nobackup.plist may hold some information? Also possibly remoteplandb.sqlite and com.apple.commcenter.transferdeviceplaninfo.plist? I don't currently have access to a good environment or devices with esim to do proper testing though. (edited)
Avatar
Avatar
Yawndy
@Elcomsoft @Cellebrite I have an iCloud Sync collection from Elcomsoft and it doesn't seem to be loading into Cellebrite Physical Analyzer properly. I've tried loading the iCloud Sync as an iTunes backup, but it's only displaying the media that was collected. I manually checked and confirmed there are messages in the sms.db, as well as other databases that were pulled, but they're not being decoded/parsed in Cellebrite. Are there any recommended steps to get this data loaded in?
Are you talking about an iCloud Backup download? Care to send me in PM the hierarchy of the dump?
👍 1
Avatar
Hi! Does anyone know when / how media from Snapchat is stored in the path /data/media/0/DCIM/Snapchat? e.g., EXTRACTION_FFS.zip/data/media/0/DCIM/Snapchat/Snapchat-70172190.mp4
Avatar
Avatar
Ment0r
Hi! Does anyone know when / how media from Snapchat is stored in the path /data/media/0/DCIM/Snapchat? e.g., EXTRACTION_FFS.zip/data/media/0/DCIM/Snapchat/Snapchat-70172190.mp4
The .mp4 videos get saved in the /media/0/DCIM/Snapchat/ folder when the user saves the videos to their camera roll. The problem is it's not just videos they take that can be saved there; basically any video within Snapchat can be saved in this location. If the user saves it to their camera roll, the video will get placed in there. So if they are in a chat and receive a video from someone and save it in their chat, they can then save that video to their camera roll. I'm just working on a file right now, and when dealing with Snapchat on Android it's difficult to determine if a video was actually captured on the device it was found on. If I've found associated Snapchat Memories that were uploaded, I can say this occurred, but I find it a stretch to actually be able to say the video was captured using the device. Hopefully this helps. And if I am wrong on anything, anyone please correct me...... Salute
Avatar
Hello everyone, I’m working on a case where the allegation is that someone accessed and viewed a photo on a phone without permission after they were given the device. I’m planning to conduct a forensic analysis using Cellebrite and would like to know if there’s a way to determine when a specific photo was viewed, and if there are any logs or metadata that could help indicate this. Additionally, I viewed the photo myself after receiving the phone, so I’m trying to distinguish between my actions and those of the previous user. Main questions: 1. Can Cellebrite provide any evidence of when a particular photo was viewed on the device? 2. What types of system logs or app data might be useful to confirm if a photo was accessed? 3. How can I differentiate my own actions from the previous user’s to establish when the photo was accessed before I received the phone? Any insights, examples, or advice from similar cases would be greatly appreciated. Thanks in advance!
Avatar
Avatar
DrZ
Hello everyone, I’m working on a case where the allegation is that someone accessed and viewed a photo on a phone without permission after they were given the device. I’m planning to conduct a forensic analysis using Cellebrite and would like to know if there’s a way to determine when a specific photo was viewed, and if there are any logs or metadata that could help indicate this. Additionally, I viewed the photo myself after receiving the phone, so I’m trying to distinguish between my actions and those of the previous user. Main questions: 1. Can Cellebrite provide any evidence of when a particular photo was viewed on the device? 2. What types of system logs or app data might be useful to confirm if a photo was accessed? 3. How can I differentiate my own actions from the previous user’s to establish when the photo was accessed before I received the phone? Any insights, examples, or advice from similar cases would be greatly appreciated. Thanks in advance!
iOS , Android?
this 1
Avatar
Avatar
DrZ
Hello everyone, I’m working on a case where the allegation is that someone accessed and viewed a photo on a phone without permission after they were given the device. I’m planning to conduct a forensic analysis using Cellebrite and would like to know if there’s a way to determine when a specific photo was viewed, and if there are any logs or metadata that could help indicate this. Additionally, I viewed the photo myself after receiving the phone, so I’m trying to distinguish between my actions and those of the previous user. Main questions: 1. Can Cellebrite provide any evidence of when a particular photo was viewed on the device? 2. What types of system logs or app data might be useful to confirm if a photo was accessed? 3. How can I differentiate my own actions from the previous user’s to establish when the photo was accessed before I received the phone? Any insights, examples, or advice from similar cases would be greatly appreciated. Thanks in advance!
Lionel Notari 9/21/2024 12:24 PM
Hello @DrZ. On iOS each photo has a UUID. Investigating the Unified Logs, it's possible to show which UUID has been accessed by the user. Then, as Cellebrite displays the UUID of each photo, it's quite easy to map the photo of interest to its UUID and show when the photo has been accessed. However, there's maybe an easier solution than the Unified Logs. If you are on Android, I can't help. (edited)
Avatar
How can I differentiate my own actions from the previous user’s
Usually the date is a pretty clear indicator. Say you get the device on January 1st 2024. Anything in 2023 would not be your action; anything after would be your action. Make sure you document when you get the device and note down when you power it on / start using it.
Avatar
Avatar
florus
iOS , Android?
Android
Avatar
Does anyone know where Snapchat on iOS stores attachment details for each message? I'm working on a file right now where I have disagreement between Axiom, Cellebrite, and Oxygen as to how many attachments and what type (video/photo) are associated with a particular chat received. I literally have one tool telling me 1 attachment, the other show 3 attachments, and the last showing 2 attachments. 😭 I manually went into the arroyo.db -> conversation_message table and browsed through the serialized data in the message_content field, but couldn't make out anything that spoke to the attachments. Guessing it is stored somewhere else..... Any help would be appreciated.
Avatar
Avatar
Mike_H
Does anyone know where Snapchat on iOS stores attachment details for each message? I'm working on a file right now where I have disagreement between Axiom, Cellebrite, and Oxygen as to how many attachments and what type (video/photo) are associated with a particular chat received. I literally have one tool telling me 1 attachment, the other show 3 attachments, and the last showing 2 attachments. 😭 I manually went into the arroyo.db -> conversation_message table and browsed through the serialized data in the message_content field, but couldn't make out anything that spoke to the attachments. Guessing it is stored somewhere else..... Any help would be appreciated.
The attachment information is in the message_content protobuf; the exact path depends on the type of attachment. It could be that some tools also attach the thumbnail or overlay as an attachment; I would look at the images/videos to see if they are connected. Also you can look at the field remote_media_count, but this can also count extra media; for example in a story reply this also counts the story media.
👍 1
Avatar
Anyone from cellebrite available for a quick question regarding iphone FFS? @Cellebrite
Avatar
Hi all, we’ve got some locations of interest from an extraction. I’m lacking detail as this is third-hand information as I’m not in the office. I’ve been told that @Cellebrite PA has decoded some Google Maps locations with the type column showing "Saved." Has anyone confirmed that locations with that type are actually saved locations, and not ones previously visited? (edited)
Avatar
Avatar
ApC
Hi all, we’ve got some locations of interest from an extraction. I’m lacking detail as this is third-hand information as I’m not in the office. I’ve been told that @Cellebrite PA has decoded some Google Maps locations with the type column showing "Saved." Has anyone confirmed that locations with that type are actually saved locations, and not ones previously visited? (edited)
CLB-DannyTheModeler 9/22/2024 2:42 PM
If you look at the Locations in Inseyets PA 10.x, we provide a clearer differentiation between the different location semantics. We distinguish between User Specified (Favorites, Saved Locations, Home, Work, School etc.) and Significant Locations, which are locations that the device or platform has deemed significant for the device owner based on repeated visits etc. But as we always say, you have to trust but verify. I hope this helps.
👍 2
Avatar
Avatar
CLB-DannyTheModeler
If you look at the Locations in Inseyets PA 10.x, we provide a clearer differentiation between the different location semantics. We distinguish between User Specified (Favorites, Saved Locations, Home, Work, School etc.) and Significant Locations, which are locations that the device or platform has deemed significant for the device owner based on repeated visits etc. But as we always say, you have to trust but verify. I hope this helps.
Thank you. We are unable to verify at the moment as it was an AFU extraction.
Avatar
LeatherCouch 9/23/2024 12:07 PM
Anyone having problems on Cellebrite PA getting hung up on “Running plugin (ProjectProcessorFinisher) ?
Avatar
Avatar
LeatherCouch
Anyone having problems on Cellebrite PA getting hung up on “Running plugin (ProjectProcessorFinisher) ?
Yes, iOS mainly
Avatar
Avatar
florus
Yes, iOS mainly
LeatherCouch 9/24/2024 4:30 AM
It’s been happening to me a lot lately. Most recently with an iPhone 12 and Galaxy Z Fold …
Avatar
Does someone have contact with @Ryan Benson? Need to get in touch regarding Unfurl 🙂. I'm trying to validate a gclid value that Unfurl decodes. The only explanation I'm getting is from base64 as protobuf, but no idea how to decode it using CyberChef, for example. (edited)
Avatar
Avatar
Yawndy
@Elcomsoft @Cellebrite I have an iCloud Sync collection from Elcomsoft and it doesn’t seem to be loading into Cellebrite Physical Analyzer properly. I’ve tried loading the iCloud Sync as a iTunes backup, but it’s only displaying the media that was collected. I manually checked and confirmed there are messages in the sms.db, as well as other databases that were pulled, but it’s not being decoded/parsed in Cellebrite. Are there any recommended steps to get this data loaded in?
Load in Oxygen
👍 1
Avatar
chrisforensic 9/24/2024 11:15 PM
Heyho @Cellebrite, is someone here for some clarification concerning the new beta PA 10.4 and a serious problem?
📬 1
Avatar
Hi all. I'm looking for some guidance with the CellularUsage.db in iOS. When looking at the subscriber_info table there is a column named slot_id and it has a value of 2. Could this possibly mean it is an eSIM?
Avatar
Possible. If you query SIM information from the lockdown service, kOne refers to the SIM and kTwo to the eSIM.
Avatar
Avatar
stps358
Hi all. I'm looking for some guidance with the CellularUsage.db in iOS. When looking at the subscriber_info table there is a column named slot_id and it has a value of 2. Could this possibly mean it is an eSIM?
Check com.apple.commcenter.data.plist or com.apple.commcenter.plist, because you can see the ICCID and there is an "eSIM" key of either True or False.
👍 6
Avatar
Avatar
CLB-Paul
Check com.apple.commcenter.data.plist or com.apple.commcenter.plist, because you can see the ICCID and there is an "eSIM" key of either True or False.
Found it. Thank you!
🇨🇦 1
Avatar
Hans Leißner 9/26/2024 4:00 AM
If the eSIM is deleted or removed from the device, is the data also lost or does this only affect various system databases?
Avatar
Hi, I have a question: can Cellebrite parse pst, mbox, zip, rar files? Thanks (edited)
Avatar
Hello, I'm looking for the meaning of the values that we can find in the column ZPREDOMINANTMOTIONACTIVITYTYPE in the table ZRTLEARNEDLOCATIONOFINTERESTMO in the local.sqlite database. Where can I find the description of those values?
Avatar
Avatar
SD
Hello, I'm looking for the meaning of the values that we can find in the column ZPREDOMINANTMOTIONACTIVITYTYPE in the table ZRTLEARNEDLOCATIONOFINTERESTMO in the local.sqlite database. Where can I find the description of those values?
JLindmar (83AR) 9/26/2024 7:44 AM
What values are you seeing?
Avatar
Avatar
JLindmar (83AR)
What values are you seeing?
4 and 6
Avatar
Avatar
SD
4 and 6
JLindmar (83AR) 9/26/2024 8:28 AM
Sorry, I don't have anything on the integer values. Perhaps they are related to these motion types: https://developer.apple.com/documentation/coremotion/cmmotionactivity
Avatar
Avatar
JLindmar (83AR)
Sorry, I don't have anything on the integer values. Perhaps they are related to these motion types: https://developer.apple.com/documentation/coremotion/cmmotionactivity
Thank you for your time and for the link 👍
Avatar
Anyone know where I can find in an iPhone Advanced Logical image if/when a Google account was added and set to sync with the address book? Not seeing it in the Accounts database that is decoded by Cellebrite (edited)
Avatar
Are there any indicators a user was Private Browsing in Safari, aside from blank page titles in History.db and favicon db entries (which we don't have) for visited sites? Advanced logical of an iPhone 14 Plus, iOS 18. Would appreciate anyone's previous experience.
Avatar
Mistercatapulte 9/26/2024 10:38 AM
@Zverev take a look at browserstate.db
10:38 AM
private browsing is stored in this db (edited)
Avatar
Thank you @Mistercatapulte
👍🏻 1
Avatar
Avatar
NOSUSHI4U
Anyone know where I can find in an iPhone Advanced Logical image if/when a Google account was added and set to sync with the address book? Not seeing it in the Accounts database that is decoded by Cellebrite (edited)
Disregard. With the help of my colleague we found it in the Address Book DB in ABPerson. Will put in a feature request with Cellebrite to add this to the view.
Avatar
Avatar
SD
Hello, I'm looking for the meaning of the values that we can find in the column ZPREDOMINANTMOTIONACTIVITYTYPE in the table ZRTLEARNEDLOCATIONOFINTERESTMO in the local.sqlite database. Where can I find the description of those values?
ScottKjr3347 9/26/2024 9:18 PM
👍 1
Avatar
Hi @Cellebrite, is someone available to help with decoding the iOS Private Photo Vault please?
🖐️ 1
Avatar
Anyone from @Cellebrite around for a question about JSON export?
Avatar
Avatar
CLB-Paul
We have a document explaining the Media Origins classifications.
Can someone point me to @Cellebrite Media Origins document, my searching came up empty.
📬 1
Avatar
Any reason why a Nord OnePlus would have text messages on the device but not show up on a Cellebrite Premium dump?
8:37 AM
The user was having cell signal issues, messages that showed up were green but the blue bubble messages didn’t appear in cellebrite
8:38 AM
@Cellebrite
Avatar
Hi. I'm looking for some help with the sms.db from an iPhone. In the Attachment table there is a heading for "transfer_state". When using DB Browser it indicates that the data type is an Integer and the default state is 0. I have a value of 5 in my artifact of interest. Can anyone shed some light on the significance of this value, if any?
Avatar
Anyone know if there is documentation that explains some of the iLEAPP artifacts? I'm specifically interested in items from the "Cellular Wireless report" (kLastUploadTimestamp and kNextCarrierBundleUpdateCheck) appreciate any help. @Brigs appreciate if you can point me in the right direction on this. (edited)
Avatar
Avatar
NOSUSHI4U
Anyone know if there is documentation that explains some of the iLEAPP artifacts? I'm specifically interested in items from the "Cellular Wireless report" (kLastUploadTimestamp and kNextCarrierBundleUpdateCheck) appreciate any help. @Brigs appreciate if you can point me in the right direction on this. (edited)
Maybe you can ask to @Brigs
👍 1
Avatar
Avatar
NOSUSHI4U
Anyone know if there is documentation that explains some of the iLEAPP artifacts? I'm specifically interested in items from the "Cellular Wireless report" (kLastUploadTimestamp and kNextCarrierBundleUpdateCheck) appreciate any help. @Brigs appreciate if you can point me in the right direction on this. (edited)
The artifact is just pulling the keys and values found in com.apple.commcenter.plist
2:11 PM
Of these values I put the Phone number, ICCID, IMEI and MEID in the Device Details tab in the main report page. (edited)
2:11 PM
I have no special insight into any of the other keys and values.
Avatar
Avatar
Brigs
The artifact is just pulling the keys and values found in com.apple.commcenter.plist
Ok thanks, I wasn't sure if that update timestamp would mean the phone still had active service from the carrier.
2:13 PM
I was trying to confirm date of carrier active service. Appreciate your response
Avatar
Avatar
AnTaL
Hi @Cellebrite, someone to help on decoding the iOS Private Photo Vault please ?
Hi. If someone from @Cellebrite is available, please? Had nobody atm. Thanks!
📬 1
Avatar
Hi, I have an extraction and am trying to figure out the Instagram artifacts if vanish mode is enabled. Any DB I can look in to see the messages, or are they gone from the device? If gone, will they be obtained with legal process?
Avatar
Android noob here - any reason why accessible media files found in the location 'data\media\0\DCIM\Kik' do not have created dates? Exif created date and modified dates are there but no created date 🤔 (edited)
Avatar
@Oxygen Forensics anyone available for a question?
oxygen 1
📬 1
Avatar
SuperSleuth 9/30/2024 12:39 PM
Anyone know if there is an option for more tags in @Cellebrite? I have used all available shown in the list and have more search terms.
Avatar
Has anyone done any work around LineageOS and the artefacts relating to this?
Avatar
Anyone had any luck decrypting the content of Private Photo Vault v14.9?
1:12 AM
The main forensic players can't decrypt it, although they all extract the passcode for the vault, so the content is viewable but not extractable.
Avatar
Avatar
Zhaan
The main forensic players can't decrypt it, although they all extract the passcode for the vault, so the content is viewable but not extractable.
What extraction did you get and from what device? As I’ve had Cellebrite PA decode it a couple of times, but other times only recovered the cache
3:56 AM
It should be in a folder path with PPV in it I believe
Avatar
FFS, usually not an issue but this one version is the Achilles heel of them all
4:04 AM
The content is there but not decrypted.
Avatar
@bang might be able to assist here as he’s pretty good with these types of apps from what I’ve heard on here before
Avatar
Avatar
obi95
@bang might be able to assist here as he’s pretty good with these types of apps from what I’ve heard on here before
If you are referring to the knight in shining armour I think you are referring to, this one knocked him off the horse sadly. (edited)
Avatar
Avatar
Zhaan
If you are referring to the knight in shining armour I think you are referring to, this one knocked him off the horse sadly. (edited)
Have you tried CFCrypt?
Avatar
Avatar
bang
Have you tried CFCrypt?
Yes
4:13 AM
I spoke with you a while back about it
Avatar
Yes, sorry, I think I remember, there are so many enquiries for this app. Yeah it was unusual, I think it was upgraded from a really early version of the app (and therefore still using the older encryption mechanisms). I cannot find a binary for the older version it was upgraded from, which was, I think v7 or v8. Perhaps someone else has a solution for these old versions?
Avatar
I may have one, is it for Android or iOS @Zhaan ?
Avatar
Avatar
Aero
I may have one, is it for Android or iOS @Zhaan ?
iOS
Avatar
Avatar
Zhaan
Anyone had any luck decrypting the content of Private Photo Vault v14.9?
Hi, don't know about this specific version but PA does support versions very close before and after this one, so it should be supported too. Did you check the files under Library/PPV_Pics to see if they have any decrypted embedded file? Edit: I see that this might be data left from an older version so it's possible that it is not supported, although we do support different older versions. (edited)
Avatar
Avatar
CLB - Ofri
Hi, don't know about this specific version but PA does support versions very close before and after this one, so it should be supported too. Did you check the files under Library/PPV_Pics to see if they have any decrypted embedded file? Edit: I see that this might be data left from an older version so it's possible that it is not supported, although we do support different older versions. (edited)
No, the data was extracted but PA didn’t decode it on the latest version of PA or earlier versions. Usually it does but not this version.
Avatar
Avatar
Zhaan
No, the data was extracted but PA didn’t decode it on the latest version of PA or earlier versions. Usually it does but not this version.
Not sure what was already tried, but if you are able to share the data I could try to take a look
Avatar
Avatar
CLB - Ofri
Not sure what was already tried, but if you are able to share the data I could try to take a look
Thank you but unfortunately it isn’t shareable due to the type of case
👍 1
Avatar
Hans Leißner 10/1/2024 12:06 PM
Hello! I remember that it was once written here that you cannot restore data such as a pdf from an FBE device once it has been deleted. Is that correct? Or is it still possible under special conditions? If not, what is the reason? Thx for the answers
Avatar
Question for the big brains. I have an iPhone where the Purple Buddy plist gives me mostly what I am looking for: it shows the guessed country with a 4 Aug 2020 date, and the SetupLastExit also matches the same 4 Aug 2020. My question is, what is this lastPrepareLaunchSentinel? It happens to be the day before my phone was imaged, 31 Mar 21. Went and checked a few other dumps and see routinely this lastPrepareLaunchSentinel is different than the SetupLastExit, and am curious what this indicates?
Avatar
Avatar
Palazar82
Question for the big brains. I have an iPhone where the Purple Buddy plist gives me mostly what I am looking for: it shows the guessed country with a 4 Aug 2020 date, and the SetupLastExit also matches the same 4 Aug 2020. My question is, what is this lastPrepareLaunchSentinel? It happens to be the day before my phone was imaged, 31 Mar 21. Went and checked a few other dumps and see routinely this lastPrepareLaunchSentinel is different than the SetupLastExit, and am curious what this indicates?
Hans Leißner 10/1/2024 12:10 PM
Backup, restore or update dates?
Avatar
"lastPrepareLaunchSentinel" The date happens to be the same day or 24 hours prior to the extractions I am seeing.
12:15 PM
One of the timestamps on one of my dumps it happens to be 10 seconds prior to the phone rip so not an update to the phone OS I would suspect.
Avatar
Avatar
Palazar82
One of the timestamps on one of my dumps it happens to be 10 seconds prior to the phone rip so not an update to the phone OS I would suspect.
Hans Leißner 10/1/2024 12:16 PM
Some kind of automatic system process. Nobody had access to the device, did they? Have all network interfaces been deactivated? When did this take place?
Avatar
Avatar
Hans Leißner
Hello! I remember that it was once written here that you cannot restore data such as a pdf from an FBE device once it has been deleted. Is that correct? Or is it still possible under special conditions? If not, what is the reason? Thx for the answers
In FBE, files are encrypted with a unique key; when you delete a file, Android just forgets the key. So if you delete a PDF file from the "Download" folder, good luck identifying an encrypted PDF located in an encrypted area. But if the PDF was an attachment stored inside a database, like in a chat application, then it could be possible to recover it.
❤️ 1
👍 1
1:55 PM
(correct me if i'm wrong)
Avatar
Avatar
Mistercatapulte
Good day all, I have the Wizz app on an iPhone and am not able to parse it with the usual forensics tools. Anyone have an idea or script for this one? Thx (edited)
Looking for remnants of this one on a phone right now. What's the reverse DNS on it? I know it was here based on an interview, it has since been uninstalled. Working on some byte-level searching to find remnants for a username.
3:57 PM
android play store trick says "info.wizzapp"
4:04 PM
I'm seeing com.vlbapps.wizz in the iPhone, though (edited)
Avatar
Avatar
Bobby
In FBE, files are encrypted with a unique key; when you delete a file, Android just forgets the key. So if you delete a PDF file from the "Download" folder, good luck identifying an encrypted PDF located in an encrypted area. But if the PDF was an attachment stored inside a database, like in a chat application, then it could be possible to recover it.
Hans Leißner 10/1/2024 8:48 PM
Thank you for the explanation. 👍🏻 In theory.. it sounds possible 🤣 but only in theory
🙏 1
Avatar
Avatar
whee30
I'm seeing com.vlbapps.wizz in the iPhone, though (edited)
Mistercatapulte 10/2/2024 1:40 AM
i DM u soon
Avatar
Avatar
whee30
I'm seeing com.vlbapps.wizz in the iPhone, though (edited)
It's not rare to have different app identifiers on different platforms
Avatar
Anyone had any issues with PA Inseyets 10.3.0 failing to import cases? There's nothing particularly tricky about this import, and it continuously is failing. Thanks in advance. @Cellebrite
📫 1
Avatar
Avatar
Pehr
Can you see in the extraction if an iPhone was factory reset locally or remote?
Did you ever get an answer to this?
Avatar
Axen Cleaver 10/2/2024 7:45 AM
Does anyone know of, or have, information on decoding the Audible application? Looking for search history and how the global_library.db is populated
Avatar
Avatar
stps358
Did you ever get an answer to this?
Dm
Avatar
Hi, I have a Unihertz Jelly Pro locked with a passcode. CB Premium will not work. XRY Pro has a profile but cannot obtain an extraction using this profile due to the passcode. I have used a MTK generic Android profile which has obtained 10GB of data but does not decode correctly and lists all data as databases. I have tried to ingest this into PA but it doesn't seem to like it due to the XRY format. Anyone got any ideas how I could parse this data?
Avatar
I have two devices, an iPhone and an Android. Both seized by police in 2014. I get my hands on them in 2024 and use Cellebrite to get FFS. There's data on the devices from 2017…. Looking at the messages database and converting the times, it still shows 2017… Is there any way this is reporting incorrectly?
Avatar
"Real" data? Like a message with a timestamp? Some times may be certificate expiry dates or something like that.
Avatar
Yeah I have text messages and web history and emails. Some of the emails even have dates in the body that confirm 2017. This is just a situation that obviously should not happen with evidence. And even though there may be an obvious answer. I’m trying to cover my bases x100
Avatar
Avatar
coastal4n6
Yeah I have text messages and web history and emails. Some of the emails even have dates in the body that confirm 2017. This is just a situation that obviously should not happen with evidence. And even though there may be an obvious answer. I’m trying to cover my bases x100
Could it be synchronized data if the device was not isolated from the network and turned on while in evidence?
this 4
Avatar
Hey everyone. Quick question regarding kik. If a user has Auto Download Video - Enabled. Is the user required to interact with the video in any way for it to download? Like open Kik, open the convo, click to open the file? Found lots of CP in the /tmp/ directory. And just a few files in other directories. The cache is completely empty.
12:00 AM
kik.defaults tells me auto download is enabled.
Avatar
Avatar
FullTang
Could it be synchronized data if the device was not isolated from the network and turned on while in evidence?
I’m not ruling anything out at this stage. But with the factory reset in 2017 along with two separate operating systems showing the same data, I don’t believe that to be the case
Avatar
Morning - I have a physical and FFS extraction of a Samsung J3 (SM-J327A). Signal is installed, version 6.46.7. Using PA 7.69, signal doesn't get parsed. DB still seems encrypted while looking at it in PA. I know the key still exists on the device, I'm able to navigate Signal on the device no problem. Any idea why PA isn't decrypting / parsing the contents from a physical or FFS?
Avatar
Anyone from @Oxygen Forensics available to help me troubleshoot a KeyDiver password recovery on encrypted Apple Notes that keeps failing? Problem appears to be a token length exception for the hash, but that's coming directly out of Oxygen Forensic Detective.
Avatar
Avatar
coastal4n6
I’m not ruling anything out at this stage. But with the factory reset in 2017 along with two separate operating systems showing the same data, I don’t believe that to be the case
So the device shows it was factory reset 3 years after being seized by police and while still in their custody? Then there is data present with timestamps placing it after the factory reset? Just confirming the chronology of events here.
Avatar
Avatar
jb3139
Anyone from @Oxygen Forensics available to help me troubleshoot a KeyDiver password recovery on encrypted Apple Notes that keeps failing? Problem appears to be a token length exception for the hash, but that's coming directly out of Oxygen Forensic Detective.
Oxygen Forensics 10/3/2024 7:34 AM
Hello, sure, let me DM you 🙂
👍 1
Avatar
Avatar
Mike_H
So the device shows it was factory reset 3 years after being seized by police and while still in their custody? Then there is data present with timestamps placing it after the factory reset? Just confirming the chronology of events here.
So during my consult on the project with my associate, a key point was pointed out. One of the devices wasn’t even released in the year it was allegedly seized. So we have some very fishy business going on
👀 1
😮 1
Avatar
Avatar
coastal4n6
So during my consult on the project with my associate, a key point was pointed out. One of the devices wasn’t even released in the year it was allegedly seized. So we have some very fishy business going on
Hmmmmmm..... Maybe your data from 2017 is legit then......
Avatar
Avatar
CIF
Morning - I have a physical and FFS extraction of a Samsung J3 (SM-J327A). Signal is installed, version 6.46.7. Using PA 7.69, signal doesn't get parsed. DB still seems encrypted while looking at it in PA. I know the key still exists on the device, I'm able to navigate Signal on the device no problem. Any idea why PA isn't decrypting / parsing the contents from a physical or FFS?
Could you check if keystore was extracted? And if yes, is there any signal decryption key?
Avatar
Anyone have an idea on what reader to use for UP828 or Serida? The ones we are using don't seem to match the BGA. Chip is from a Nokia N139DL
Avatar
looks like BGA221
Avatar
Has anyone ever heard of utils.db in reference to Apple forensics? Ran the location carver in PA (7.69); one of the places it is finding location data is this DB located at DUMP>private>var>mobile>library>CoreAS>utils.db. When I look in here I can find the same lat and long, but nowhere in the DB am I seeing recorded timestamps, yet PA in the carved locations is associating timestamps with it. Any ideas how to validate this finding? The duplicate place this identical DB seems to be found is DUMP>System>Library>CoreAS>Utils.db, the same exact DB and records as best I can tell. The only 2 tables are astr (which has less than 300 records), its only columns being id/lat/lon/zip, and ziplathon (33k records), whose columns are id/geoid/aland_sqmi/awater_sqmi/lat/lon.
Avatar
Avatar
Bobby
Could you check if keystore was extracted? And if yes, is there any signal decryption key?
/misc/keystore has approx 500 files. What would the signal decryption key be?
Avatar
Avatar
CIF
/misc/keystore has approx 500 files. What would the signal decryption key be?
No keystore extracted during FFS or Physical; is there any mention of keystore in the .ufd files?
Avatar
Avatar
Bobby
No keystore extracted during FFS or Physical; is there any mention of keystore in the .ufd files?
Doesn't seem it. Method to extract the Physical / FFS was a decrypted boot loader via UFED4PC. FFS zip doesn't have the usual "secrets" json given during Smartflow or live acquisition.
Avatar
Avatar
Bobby
Could you check if keystore was extracted? And if yes, is there any signal decryption key?
You need the decrypted keystore, or the decrypted key from the keystore. I think UFED doesn't automatically try to obtain keys when using physical (mainly because on devices like the one you mentioned, you're not fully booted to the OS), so you should follow up with Smart Flow on a fully booted device, and this should also allow you to get proper keys from those apps to decrypt them. Would be good to also obtain a full filesystem while you're at it, since decrypting those apps with data from secrets.json doesn't happen when decoding a physical dump in PA, at least as far as I remember.
Avatar
Avatar
Mike_H
Hmmmmmm..... Maybe your data from 2017 is legit then......
Sure is! From a different case lol
Avatar
Avatar
Vägis
Hey everyone. Quick question regarding kik. If a user has Auto Download Video - Enabled. Is the user required to interact with the video in any way for it to download? Like open Kik, open the convo, click to open the file? Found lots of CP in the /tmp/ directory. And just a few files in other directories. The cache is completely empty.
If I remember correctly, Kik downloads all content of all channels if the app is opened. But double check that
11:44 PM
Anyone have experience with the short video app "Likee"? I need to know if the iOS folder /Library/Image_im/ is a cache folder or if the pictures of interest in there are "known" to the user. Sadly, I can't access the app on the iPhone because the account is not logged in.
Avatar
Avatar
MHE
If I remember correctly, Kik downloads all content of all channels if the app is opened. But double check that
Appreciate the answer, I’ll take a look. Thanks!🔥
Salute 1
Avatar
MSAB team… trying to open a xry extraction and it’s saying invalid header. Any reason or ways to view data? @MSAB_Carl (edited)
Avatar
Avatar
claireh
MSAB team… trying to open a xry extraction and it’s saying invalid header. Any reason or ways to view data? @MSAB_Carl (edited)
Unfortunately this sounds like a corrupt file. It has in some way become damaged, so that XAMN can't interpret the contents.
Salute 1
Avatar
Swedishburger 10/4/2024 5:56 AM
Hello everyone, I was wondering if anyone has done some research into the Local.sqlite database on iOS. In the table ZRTLEARNEDLOCATIONOFINTERESTVISITMO there's the column ZLOCATIONHORIZONTALUNCERTAINTY. Are the values in this column to be interpreted as horizontal uncertainty in meters? Similar to ZHORIZONTALACCURACY in ZRTCLLOCATIONMO in cache.sqlite? I have looked into the cache.sqlite database, which under the ZRTCLLOCATIONMO table has a ZHORIZONTALACCURACY column that stores horizontal accuracy expressed in meters from the coordinates as per the CLB webinars (I Beg to DFIR). But since this is a separate database I wanted to investigate further. Thanks in advance and have a great weekend!
Avatar
Looking at */mobile_installation.log files on iOS, trying to find documentation on if these time out and if so at what point?
8:19 AM
I have an installation log showing an app on August 31st, however I have other information suggesting it was on the device a week prior. I have no logs prior to Aug 31st, which makes me think these logs are potentially timed out after a while?
Avatar
Looking at some other iOS downloads, looks like I get just over a week's worth of data. So likely a rotating cache of logs, too bad it isn't longer lived.
Avatar
Avatar
Arcain
You need the decrypted keystore, or the decrypted key from the keystore. I think UFED doesn't automatically try to obtain keys when using physical (mainly because on devices like the one you mentioned, you're not fully booted to the OS), so you should follow up with Smart Flow on a fully booted device, and this should also allow you to get proper keys from those apps to decrypt them. Would be good to also obtain a full filesystem while you're at it, since decrypting those apps with data from secrets.json doesn't happen when decoding a physical dump in PA, at least as far as I remember.
@Bobby @Arcain Thank you both for the help. It does seem the bootloader methods do not grab the decrypted keystore. I was successful in using Smart Flow to get a physical + FFS and it was able to grab the keystore while device was on like usual. Parsed it out and PA was able to decrypt it with the key. Thanks for the help and insight, much appreciated (edited)
🙏 1
Salute 1
Avatar
Hi all, was wondering if anyone has come across the chat app SimpleX and if they have had any success in decoding it using PA / Oxygen / Axiom / XRY / MD-RED ?
⛔ 1
Avatar
Hi guys. Anyone can give some advice about this private chat app for iPhone?: https://www.klineapp.com/
Experience encrypted phone security in your online communications with KLine Messenger, the paramount choice for maintaining business connections. Where conventional apps falter, KLine excels by providing not just simplicity and reliability in messaging and calling, but also fortified encryption technologies.
Avatar
Avatar
3X3
Anyone had any issues with PA Inseyets 10.3.0 failing to import cases? There's nothing particularly tricky about this import, and it continuously is failing. Thanks in advance. @Cellebrite
CLB-DannyTheModeler 10/5/2024 10:58 PM
2 Questions: 1) Did you try importing it into 10.4 (available to design partners)? 2) Did you contact support? (edited)
Avatar
Hi, I am looking for information on this path: data/root/data/com.sec.android.app.sbrowser/cache. What does it contain and what is stored in it? I would appreciate your help, thanks
Avatar
Avatar
DrZ
Hi, I am looking for information on this path: data/root/data/com.sec.android.app.sbrowser/cache. What does it contain and what is stored in it? I would appreciate your help, thanks
com.sec.android.app.sbrowser is Samsung Internet Browser, the default browser for Samsung devices. Specifically, the cache folder doesn't store the important information like browsing history, but it does store cached HTML files for visited pages.
👍 2
Avatar
Hello, I have a Samsung Android 13 FFS dump from a phone, so is there any place where I can find the phone specification, i.e. how big its storage (built-in memory, GB) is? From GSMArena it can be 64 or 128GB; can I get it exactly? (edited)
Avatar
You could check the IMEI online. You should get the model with the storage size.
Avatar
Avatar
prosch
You could check the IMEI online. You should get the model with the storage size.
I also got info about 64/128GB.
Avatar
Sometimes you find a partition table in the recovery.
Avatar
Hello everyone, does anyone know where the messages from the Google Voice application are stored for a Galaxy S23 device? In an iOS device, I located them via private/var/mobile/containers/shared/Appgroups. I've searched just about every database that I can think of with no luck.
Avatar
Would anyone know the best tool for decoding a blackberry backup (bbb) with the aim to verify chats. I have tried MSAB and Cellebrite with no luck. Thank you.
Avatar
Xiaomi Redmi 13C, Mediatek MT6769Z Helio G85, Android 13. Anyone know how to set it to BROM mode (key combo, test point, whatever...)?
Avatar
bootrom on redmi 13s is permanently disabled
9:07 AM
best you can get is preloader mode
Avatar
Avatar
Arcain
bootrom on redmi 13s is permanently disabled
Thanks sir
10:36 AM
Tecno Spark 20 mt6769z: test points required for MTK-based extraction.
Avatar
Avatar
lala1234
Would anyone know the best tool for decoding a blackberry backup (bbb) with the aim to verify chats. I have tried MSAB and Cellebrite with no luck. Thank you.
Open and extract BlackBerry contacts, emails, memos, call history, SMS, MMS, BBM and more from .BBB and .IPD backups.
Avatar
Avatar
lala1234
Would anyone know the best tool for decoding a blackberry backup (bbb) with the aim to verify chats. I have tried MSAB and Cellebrite with no luck. Thank you.
Analyze legacy BlackBerry OS backups produced with BlackBerry Desktop Software.
Avatar
Avatar
lala1234
Would anyone know the best tool for decoding a blackberry backup (bbb) with the aim to verify chats. I have tried MSAB and Cellebrite with no luck. Thank you.
I'm sorry to hear this! Could you email the extraction log from your attempt to support@msab.com so that we can have a look at what happens?
Avatar
Thank you! Will give it a go. 😊
Avatar
Hi everyone! I've used ALEAPP to analyse UsageStats, and I realize that in Axiom I get different results (they don't point to the same app, which is really disturbing). Would anyone be able to help me on this, and help me parse just one protobuf/usagestat file?
ControlF 1
Avatar
GM all, I have a questions about the iOS TCC database “auth_reason” values. What is the difference between value 3 = User set and 4 = System set? Thank you (edited)
Avatar
Good day all, anyone have an easy way to determine if an iphone has an esim. I've found the following. but just looking for another point of verification. In the file com.apple.commcenter.data.plist under one of the ICCIDs I have the value: esim : boolean = True
Exported 21,311 message(s)
Timezone: UTC-8