Posts

The Duck Hunters Guide - Blog #5 - Bookmarks & Favorites (Android)

By -
Image
In this installment of the Duck Hunters Guide I am going to talk about the artifacts associated with Bookmarks and Favorites in the Android version of the DuckDuckGo web browser. Favorite sites are bookmarks that user has favorited. The favicon for a favorited site will show on a tile on a new browser tab to enable quick navigation to the URL. The main artifact for Bookmarks and Favorites is the app.db sqlite database. app.db location:  data\data\com.duckduckgo.mobile.android\databases\ This database has a lot of tables, including tables called bookmarks, bookmark folders and favorites. One would think that these tables would contain all the information about Bookmarks and Favorites; however, they are empty.  In actual fact the Bookmark and Favorite information goes into the entities table and the relations table. Entities Table The entities table contains the core information for Bookmarks and Folders. entityId - Type 4 UUID (Random) unique identifier title - Title for the Bo...
Post a Comment
Read more

The Duck Hunters Guide - Blog #4 - DuckDuckGo Closed Tab Information (Android)

By -
Image
In my last Duck Hunters Guide post I discussed forensic artifacts associated with Tabs that are open in the Android DuckDuckGo Browser, now I will move onto residual artifacts that are left behind when the user closes a tab or clears their tab data. I will be talking about the same artifacts as previously so if you haven't read my previous post here it is:  The Duck Hunters Guide - Blog #3 - DuckDuckGo Open Tab Information (Android)  Tab information! As I have determined already, browser Tab information goes into the Tabs and Tab_selection tables in the app.db SQLite database. When a user closes a tab, the associated information is deleted from the table. If I query the Tabs table, I currently have 3 open tabs. app.db location: data\data\com.duckduckgo.mobile.android\databases\ Query location:   Android - DuckDuckGo Open Tabs.sql As this is an SQLite database, there are options for us to potentially recover closed tab information. The app.db utilizes a Rollback Journal i...
Post a Comment
Read more

ROWID Reuse in SQLite Databases

By -
Image
Recently on one of the list-serves I'm on; a question was raised about whether ID's can be reused in an SQLite database. Whilst the database in question does not reuse ID's, it does bring up the question of does SQLite ever reuse ID's? The short answer is under certain circumstances  YES they can! and the long answer requires an understanding of how rowid's work in SQLite, so let's get into that. ROWID's Explained For faster sorting and searching, SQLite implemented a special field called rowid that uniquely identifies a record in a table. This unique identifier is considered the true primary key and is what is actually used by the underlying B-tree storage mechanism to look up records in a table. The only exception to this is what they call a WITHOUT ROWID table, which uses the declared primary key as the identifier. When a table has an integer primary key declared, then this field becomes an alias of the rowid, so both fields will contain the same value. ...
Post a Comment
Read more

The Duck Hunters Guide - Blog #3 - DuckDuckGo Open Tab Information (Android)

By -
Image
In my last blog post I talked about DuckDuckGo browsing history on Android, and along that same theme, in this post I am going to breakdown the information that is stored for opened tabs. I initially planned to do open tabs and closed tabs in the same post, but it was getting really long so I will do another post for that in the coming days. The DuckDuckGo app will store various pieces of information about a user's tabs to populate certain areas of the app and restore a browsing session if the application is closed and reopened. Note: The Fire button will clear this information!  Thus far I have found the following Tab Information: URLs for open tabs Which is the currently active tab Screenshot of current webpage in open tabs Favicons for current webpage in open tabs This information is split between the app.db and the browser cache, and we can tie it all together. app.db Location:  data\data\com.duckduckgo.mobile.android\databases\ I will start out by talking about open tab i...
Post a Comment
Read more