On the digital forensic analysis of the Firefox browser via recovery of SQLite artifacts from unallocated space

A technique and supporting tool for the recovery of browsing activity (both stored and deleted) from current and recent versions of the Firefox web-browser is presented. The generality of the technique is discussed: It is applicable to any software that uses the popular SQLite embedded database engine such as the Apple Safari web-browser and many Android apps

A Digital Forensic View of Windows 10 Notifications

Windows Push Notifications (WPN) is a relevant part of Windows 10 interaction with the user. It is comprised of badges, tiles and toasts. Important and meaningful data can be conveyed by notifications, namely by so-called toasts that can popup with information regarding a new incoming email or a recent message from a social network. In this paper, we analyze the Windows 10 Notification systems from a digital forensic perspective, focusing on the main forensic artifacts conveyed by WPN. We also briefly analyze Windows 11 first release’s WPN system, observing that internal data structures are practically identical to Windows 10. We provide an open source Python 3 command line application to parse and extract data from the Windows Push Notification SQLite3 database, and a Jython module that allows the well-known Autopsy digital forensic software to interact with the application and thus to also parse and process Windows Push Notifications forensic artifacts. From our study, we observe that forensic data provided by WPN are scarce, although they still need to be considered, namely if traditional Windows forensic artifacts are not available. Furthermore, toasts are clearly WPN’s most relevant source of forensic data.info:eu-repo/semantics/publishedVersio

IOS Device Forensics

Many people today have an iPhone, iPad or iPod. Not many would realize that valuable information is stored on these devices. When a crime occurs, an iOS Device could hold key information to help solve said crime that criminals are not aware are present on the device. This can include GPS information as well as application history on the device itself. The project I wish to do and complete is to create a class where students can learn the about iOS Forensics. Student will be able to learn the basics of an iDevice, as well as how to work with forensics tools to acquire the information in an efficient manner. The class will also introduce forensic tools that can be used with iOS Devices. These tools can include Open Source and Commercial forensic tools. This class will be offered to both Graduates and Undergraduates at Governors State University. It will act as a beginner’s class, for individuals who want to learn more and have an interest in iOS Forensics

Making the Invisible Visible – Techniques for Recovering Deleted SQLite Data Records

Forensic analysis and evidence collection for web browser activity is a recurring problem in digital investigation. It is not unusual for a suspect to cover his traces. Accordingly, the recovery of previously deleted data such as web cookies and browser history are important. Fortunately, many browsers and thousands of apps used the same database system to store their data: SQLite. Reason enough to take a closer look at this product. In this article, we follow the question of how deleted content can be made visible again in an SQLite-database. For this purpose, the technical background of the problem will be examined first. Techniques are presented with which it is possible to carve and recover deleted data records from a database on a binary level. A novel software solution called FQLite is presented that implements the proposed algorithms. The search quality, as well as the performance of the program, is tested using the standard forensic corpus. The results of a performance study are discussed, as well. The article ends with a summary and identifies further research questions

DIGITAL FORENSIC ARTIFACTS OF SQLITE-BASED WINDOWS 1 0 APPLICATIONS

O Windows 10 é um dos Operating System (OS) mais populares e utilizado. Contém vários serviços, como o Windows Push Notification Services (WNS) e o Timeline, que usam bases de dados SQLite. O Windows 10 tem também uma plataforma, Universal Windows Platform (UWP), para suportar o desenvolvimento de aplicações. As aplicações desta plataforma podem guardar os seus dados em bases de dados SQLite, como o Photos da Microsoft e o Messenger do Facebook. Esta dissertação estuda, numa perspetiva de análise digital forense, dois componentes do Windows 10, o ambiente Your Phone, e o WNS. O primeiro consiste de uma aplicação Android, Your Phone Companion (YPC), e uma aplicação UWP, Your Phone. O último é um sistema do Windows 10 que disponibiliza o serviço de notificações. No âmbito desta dissertação foram desenvolvidos scripts para analisar esses componentes, extraindo-se os artefactos forenses considerados mais relevantes. As soluções desenvolvidas estão integradas com o conhecido software de análise forense Autopsy. Para ajudar a desenvolver e manter estas soluções de forense digital que analisam artefactos produzidos por aplicações UWP, foi desenvolvido o UWP scanner. Tratase de um analisador de aplicações focado na deteção de alterações ao nível das bases de dados SQLite empregue por aplicações UWP. Esta ferramenta ajuda a manter um histórico da evolução das bases de dados utilizadas por certas aplicações UWP

Mobile Forensics – The File Format Handbook

This open access book summarizes knowledge about several file systems and file formats commonly used in mobile devices. In addition to the fundamental description of the formats, there are hints about the forensic value of possible artefacts, along with an outline of tools that can decode the relevant data. The book is organized into two distinct parts: Part I describes several different file systems that are commonly used in mobile devices. · APFS is the file system that is used in all modern Apple devices including iPhones, iPads, and even Apple Computers, like the MacBook series. · Ext4 is very common in Android devices and is the successor of the Ext2 and Ext3 file systems that were commonly used on Linux-based computers. · The Flash-Friendly File System (F2FS) is a Linux system designed explicitly for NAND Flash memory, common in removable storage devices and mobile devices, which Samsung Electronics developed in 2012. · The QNX6 file system is present in Smartphones delivered by Blackberry (e.g. devices that are using Blackberry 10) and modern vehicle infotainment systems that use QNX as their operating system. Part II describes five different file formats that are commonly used on mobile devices. · SQLite is nearly omnipresent in mobile devices with an overwhelming majority of all mobile applications storing their data in such databases. · The second leading file format in the mobile world are Property Lists, which are predominantly found on Apple devices. · Java Serialization is a popular technique for storing object states in the Java programming language. Mobile application (app) developers very often resort to this technique to make their application state persistent. · The Realm database format has emerged over recent years as a possible successor to the now ageing SQLite format and has begun to appear as part of some modern applications on mobile devices. · Protocol Buffers provide a format for taking compiled data and serializing it by turning it into bytes represented in decimal values, which is a technique commonly used in mobile devices. The aim of this book is to act as a knowledge base and reference guide for digital forensic practitioners who need knowledge about a specific file system or file format. It is also hoped to provide useful insight and knowledge for students or other aspiring professionals who want to work within the field of digital forensics. The book is written with the assumption that the reader will have some existing knowledge and understanding about computers, mobile devices, file systems and file formats

Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones

We present the forensic analysis of the artifacts generated on Android smartphones by ChatSecure, a secure Instant Messaging application that provides strong encryption for transmitted and locally-stored data to ensure the privacy of its users. We show that ChatSecure stores local copies of both exchanged messages and files into two distinct, AES-256 encrypted databases, and we devise a technique able to decrypt them when the secret passphrase, chosen by the user as the initial step of the encryption process, is known. Furthermore, we show how this passphrase can be identified and extracted from the volatile memory of the device, where it persists for the entire execution of ChatSecure after having been entered by the user, thus allowing one to carry out decryption even if the passphrase is not revealed by the user. Finally, we discuss how to analyze and correlate the data stored in the databases used by ChatSecure to identify the IM accounts used by the user and his/her buddies to communicate, as well as to reconstruct the chronology and contents of the messages and files that have been exchanged among them. For our study we devise and use an experimental methodology, based on the use of emulated devices, that provides a very high degree of reproducibility of the results, and we validate the results it yields against those obtained from real smartphones

Mobile Forensics – The File Format Handbook

This open access book summarizes knowledge about several file systems and file formats commonly used in mobile devices. In addition to the fundamental description of the formats, there are hints about the forensic value of possible artefacts, along with an outline of tools that can decode the relevant data. The book is organized into two distinct parts: Part I describes several different file systems that are commonly used in mobile devices. · APFS is the file system that is used in all modern Apple devices including iPhones, iPads, and even Apple Computers, like the MacBook series. · Ext4 is very common in Android devices and is the successor of the Ext2 and Ext3 file systems that were commonly used on Linux-based computers. · The Flash-Friendly File System (F2FS) is a Linux system designed explicitly for NAND Flash memory, common in removable storage devices and mobile devices, which Samsung Electronics developed in 2012. · The QNX6 file system is present in Smartphones delivered by Blackberry (e.g. devices that are using Blackberry 10) and modern vehicle infotainment systems that use QNX as their operating system. Part II describes five different file formats that are commonly used on mobile devices. · SQLite is nearly omnipresent in mobile devices with an overwhelming majority of all mobile applications storing their data in such databases. · The second leading file format in the mobile world are Property Lists, which are predominantly found on Apple devices. · Java Serialization is a popular technique for storing object states in the Java programming language. Mobile application (app) developers very often resort to this technique to make their application state persistent. · The Realm database format has emerged over recent years as a possible successor to the now ageing SQLite format and has begun to appear as part of some modern applications on mobile devices. · Protocol Buffers provide a format for taking compiled data and serializing it by turning it into bytes represented in decimal values, which is a technique commonly used in mobile devices. The aim of this book is to act as a knowledge base and reference guide for digital forensic practitioners who need knowledge about a specific file system or file format. It is also hoped to provide useful insight and knowledge for students or other aspiring professionals who want to work within the field of digital forensics. The book is written with the assumption that the reader will have some existing knowledge and understanding about computers, mobile devices, file systems and file formats

Forensics Analysis of Privacy of Portable Web Browsers

Web browser vendors offer a portable web browser option which is considered as one of the features that provides user privacy. Portable web browser is a browser that can be launched from a USB flash drive without the need for its installation on the host machine. Most popular web browsers have portable versions of their browsers as well. Portable web browsing poses a great challenge to computer forensic investigators who try to reconstruct the past browsing history, in case of any computer incidence. This research examines various sources in the host machine such as physical memory, temporary, recent, event files, Windows Registry, and Cache.dll files for the evidential information regarding portable browsing session. The portable browsers under this study include Firefox, Chrome, Safari, and Opera. Results of this experiment show that portable web browsers do not provide user-privacy as they are expected to do. Keywords: computer forensics tools, RAM forensics, volatile memory, forensics artifacts, Registr