Posts

The Realm Files - Vol 2 - Physical Structure Overview

In this second installment of the Realm Files, we will move into the physical structure of a Realm Database and discuss how it is conceptually laid out on disk. At the physical level, a Realm database is organized as a hierarchy of arrays arranged in a B-tree-like structure. At the top of this hierarchy is the Group, the top-level node that serves as the root of the database. The Group contains references to Tables, each representing a class within the Realm schema. Each Table maintains a Cluster Tree, which is Realm's implementation of a B+ tree that organizes object data into Clusters at the leaf level. These Clusters store the actual object data for the database records, making them the end points of the structure and the primary source of evidentiary content. The challenge, forensically speaking, is linking the Clusters back to their corresponding Tables (Classes) and Columns (Properties) within those tables. To accomplish this, we must traverse the hierarchy beginning a...

Inside Proton’s Vault: Uncovering Android Proton Drive Artifacts

Proton Drive is Proton's answer to secure, privacy-first cloud storage, and its Android app extends that same protection to mobile users. Proton is well known for its encrypted ecosystem: Proton Mail delivers end-to-end encrypted email, while Proton VPN provides anonymous, protected internet access. Proton Drive fits seamlessly into this suite of privacy-focused services, enabling users to upload, sync, and share files, with all data encrypted both in transit and at rest, ensuring that sensitive information remains under the user's control. When approaching Proton Drive from a forensic perspective, just like other cloud storage apps, the first questions are often the simplest: what is the user account information, and what data is actually being stored? These questions are what I am going to focus on. Of course, Proton's well-advertised model of end-to-end encryption and encryption of data at rest causes some challenges that are not as common with more mainst...

The Realm Files - Vol 1 - Intro to RealmDB

In this new blog series, "The Realm Files", I'll be digging into the physical structure of RealmDB. The goal is to give examiners a deeper understanding of how Realm actually works, so they can validate what their tools parse (if supported) and have a clear methodology to extract the data when the tool does not support it. Unlike other database formats such as SQLite or LevelDB, the file structure of RealmDB is not well documented in the public domain. While a few academic papers touch on specific applications that utilize Realm databases, and one mobile forensics book includes a chapter on the subject, there are still significant gaps. What is missing is detailed guidance on how to interpret the payload of an array and rebuild the database. This process is not as straightforward as it might first appear. Below is the link to the Realm Forensics Chapter in Mobile Forensics - The File Format Handbook, which has a great introduction to RealmDB. Realm Forensics Chapter: Mobile...

The Duck Hunters Guide - Blog #8 - DuckDuckGo Downloads (Android)

In this post I want to talk about downloaded files in the Android version of the DuckDuckGo web browser. Like all modern browsers, the DuckDuckGo web browser allows users to download files. All downloaded files are stored in the Android standard location: /storage/emulated/0/Download/

The information about files downloaded is stored in the downloads.db SQLite database.
downloads.db location: data\data\com.duckduckgo.mobile.android\databases\

This database is very simple, with only the downloads table containing user data:
Id - Unique ID for each tab
downloadId - A 64-bit signed integer that is a unique identifier assigned to each download request.
downloadStatus - The status of the download. Values I have been able to figure out so far: 0 = Started, 1 = Completed
filename - Name of the file downloaded
contentLength - The size of the file in bytes
filepath - The download location
createdAt - The datetime when the download process was initiated. This is a text timestamp stored as ...

The Duck Hunters Guide - Blog #7 - Duck AI Chat (Android)

This week I am going to write about Duck AI in the Android version of the DuckDuckGo web browser. This is a feature in the DuckDuckGo Browser that allows users to interact anonymously with third-party AI chat models. As of this writing, users can access the following AI models:
GPT-4o Mini - OpenAI
Llama 3.3 - Meta
Claude 3 Haiku - Anthropic
o3-Mini - OpenAI
Mistral Small 3 - Mistral AI

To anonymize users, the traffic going to these models goes through the DuckDuckGo servers, which remove identifiable information such as the IP address before forwarding the prompt to the LLM. Furthermore, the DuckDuckGo servers do not store or record chats, and the conversations are not used to train the models. Link: Duck AI Privacy Info

Even though the DuckDuckGo servers do not store the chats, the browser does store the last 30 conversations locally (not just in the DuckDuckGo Browser). This local save option can be disabled, and the conversations will be cleared each time the browsing data is c...