Posts

The Duck Hunters Guide - Blog #6 - Fireproof Sites (Android)

In this post I want to talk about fireproof sites in the Android version of the DuckDuckGo web browser and what information is immune to the fire button when a site is fireproofed. The concept of Fireproofing a site is a little misleading, and when I searched online there was not much chatter about what this feature in the browser actually does. One would think that fireproofing a site would make browsing-related artifacts immune to the fire button, but this is not true. As part of my research process, I fireproofed a site and then examined what data remained after clearing browsing data using the Fire Button. What I found is that the Fireproof feature preserves cookies for the selected site so users don't need to log in again after clearing data (session cookies remain intact). However, browsing history, cache, and other site data are still cleared, even for fireproofed sites. We will start with determining what sites the user has fireproofed. This information can be foun...

The Duck Hunters Guide - Android Cheat Sheet

This cheat sheet contains the locations of forensic artifacts associated with the DuckDuckGo Android Browser. It will be periodically updated as research is conducted.

History.db
Location: data\data\com.duckduckgo.mobile.android\databases\
Artifacts: Browsing History

App.db
Location: data\data\com.duckduckgo.mobile.android\databases\
Artifacts: Open Tabs, Bookmarks/Favorites, Fireproof Sites

Cookies
Location: data\data\com.duckduckgo.mobile.android\app_webview\default
Artifacts: Cookies

com.duckduckgo.app.settings_activity.settings.xml
Location: data\data\com.duckduckgo.mobile.android\shared_prefs\
Artifacts: Automatic Clearing Settings

com.duckduckgo.app.fire.unsentpixels.settings.xml
Location: data\data\com.duckduckgo.mobile.android\shared_prefs\
Artifacts: Datetime when data was last cleared

tabPreviews Cache Folder
Location: data\data\com.duckduckgo.mobile.android\cache\
Artifacts: Open Tab Preview Files Clo...

SQBite Beta Release

On Friday 28th March I uploaded the Beta Code for SQBite to the Spyder Forensics GitHub. This version was a major update from the Alpha code that I released earlier this year, with new features and a completely different output format which is a lot easier to work with. Note: In the initial release there were a few bugs that were identified, which I fixed in Beta 2, a few more in Beta 3 and another in Beta 4. Just a reminder: The purpose of this tool is not to reinvent the wheel for forensics on SQLite databases, but to be used for validation, and as an educational tool for my Advanced Applied Database Forensics class that I teach at Spyder Forensics (my employer). There is a lot more information about the records in the output than you would typically see in your main forensic tools. For example, the first 7 columns for a record in the output are not the record content but information about the record and where it is physically located. The latest version of the tool can be downloaded fro...

The Duck Hunters Guide - Blog #5 - Bookmarks & Favorites (Android)

In this installment of the Duck Hunters Guide I am going to talk about the artifacts associated with Bookmarks and Favorites in the Android version of the DuckDuckGo web browser. Favorite sites are bookmarks that the user has favorited. The favicon for a favorited site will show on a tile on a new browser tab to enable quick navigation to the URL. The main artifact for Bookmarks and Favorites is the app.db SQLite database.

app.db location: data\data\com.duckduckgo.mobile.android\databases\

This database has a lot of tables, including tables called bookmarks, bookmark folders and favorites. One would think that these tables would contain all the information about Bookmarks and Favorites; however, they are empty. In actual fact the Bookmark and Favorite information goes into the entities table and the relations table.

Entities Table

The entities table contains the core information for Bookmarks and Folders.

entityId - Type 4 UUID (Random) unique identifier
title - Title for the Bo...

The Duck Hunters Guide - Blog #4 - DuckDuckGo Closed Tab Information (Android)

In my last Duck Hunters Guide post I discussed forensic artifacts associated with Tabs that are open in the Android DuckDuckGo Browser; now I will move on to residual artifacts that are left behind when the user closes a tab or clears their tab data. I will be talking about the same artifacts as previously, so if you haven't read my previous post, here it is: The Duck Hunters Guide - Blog #3 - DuckDuckGo Open Tab Information (Android)

Tab information!

As I have determined already, browser Tab information goes into the Tabs and Tab_selection tables in the app.db SQLite database. When a user closes a tab, the associated information is deleted from the table. If I query the Tabs table, I currently have 3 open tabs.

app.db location: data\data\com.duckduckgo.mobile.android\databases\
Query location: Android - DuckDuckGo Open Tabs.sql

As this is an SQLite database, there are options for us to potentially recover closed tab information. The app.db utilizes a Rollback Journal i...