Posts

A Forensic Look at the Grok Android App

In this post, I’ll be taking a closer look at some of the core artifacts associated with the Grok application on Android devices. Grok is an AI assistant developed by xAI and integrated into the X platform, designed to provide real-time, interactive AI capabilities. Users can interact with Grok using text, voice, or images to generate responses ranging from explanations and summaries to written content, code assistance, and AI-generated images or video. From a forensic perspective, these interactions can provide valuable insight into user intent, content creation activity, and AI-assisted communications. The on-device application artifacts are notably limited compared to those of other AI applications I have looked at, because Grok operates primarily as a cloud-centric AI service. During testing and research, I was able to identify user account information, artifacts associated with the built-in ExoPlayer framework, and remnants of content generation prompts. What I have not...

The Realm Files - Vol 3 - The Realm Header

In the previous installment of The Realm Files, I discussed how a Realm database maintains two top nodes as a direct result of its copy-on-write architecture. To start decoding these two distinct nodes, we need a reliable anchor point, and that anchor is the file header. The file header occupies the first 24 bytes of a Realm database file and contains seven informational entries, as shown in the table below.

Note: All integer values in the header are stored in little-endian byte order.

Offset  Size (bytes)  Description
0       8             Top Reference 0 – offset to top-level node
8       8             Top Reference 1 – offset to top-level node
16      4             Mnemonic (file signature) – 54 2D 44 42 ("T-DB")
20      1             File format version (Top Ref 0)
21      1             File format version (Top Ref 1)
22      1             Reserved byte (currently not used)
23      1             Flag – selects which root node is currently active

The first 16 bytes of the Realm file header consist of two 8-byte integers known as Top Reference 0 and Top Reference 1. Each value points to the file offset of ea...
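The header layout above maps directly onto a fixed-size little-endian struct, so it is worth having a small decoder on hand when triaging a Realm file. The following is an added example written for this post, not code from the original article or from Realm itself. It packs a constructed 24-byte header (not taken from a real device), checks the "T-DB" mnemonic, and uses the flag byte to pick the active top reference; treating bit 0 of the flag byte as the selector matches Realm core's select bit but is an assumption relative to the page, which only says the flag determines the active root. The optional file-size bounds check is also my addition.

```python
import struct
from typing import Optional

HEADER_SIZE = 24                          # the header is the first 24 bytes of the file
REALM_MNEMONIC = b"T-DB"                  # bytes 54 2D 44 42 at offset 16
HEADER_STRUCT = struct.Struct("<QQ4sBBBB")  # little-endian: 8 + 8 + 4 + 1 + 1 + 1 + 1 = 24
SELECT_BIT = 0x01                         # assumption: bit 0 of the flag byte selects the active top ref


def parse_realm_header(data: bytes, file_size: Optional[int] = None) -> dict:
    """Decode the 24-byte Realm header and report which top reference is active.

    Raises ValueError if the buffer is too short, the mnemonic is wrong, or the
    active top reference points past the end of the file (when file_size is given).
    """
    if len(data) < HEADER_SIZE:
        raise ValueError(f"need {HEADER_SIZE} header bytes, got {len(data)}")

    top_ref0, top_ref1, mnemonic, fmt0, fmt1, reserved, flags = HEADER_STRUCT.unpack(
        data[:HEADER_SIZE]
    )
    if mnemonic != REALM_MNEMONIC:
        raise ValueError(
            f"not a Realm file: mnemonic {mnemonic.hex()} != {REALM_MNEMONIC.hex()}"
        )

    top_refs = (top_ref0, top_ref1)
    formats = (fmt0, fmt1)
    active_slot = 1 if flags & SELECT_BIT else 0  # which of the two root nodes is live
    active_top_ref = top_refs[active_slot]

    if file_size is not None and active_top_ref >= file_size:
        raise ValueError(
            f"active top ref 0x{active_top_ref:x} lies beyond file size 0x{file_size:x}"
        )

    return {
        "top_refs": top_refs,
        "formats": formats,
        "reserved": reserved,
        "flags": flags,
        "active_slot": active_slot,
        "active_top_ref": active_top_ref,
        "active_format": formats[active_slot],
    }


def build_sample_header(flags: int = 0x01) -> bytes:
    """Constructed sample header for demonstration only (not from a real database).

    Top Reference 0 -> 0x18, Top Reference 1 -> 0x1000, both slots at format 22.
    """
    return HEADER_STRUCT.pack(0x18, 0x1000, REALM_MNEMONIC, 22, 22, 0, flags)


def describe_header(data: bytes, file_size: Optional[int] = None) -> str:
    """Render the parsed header as the kind of summary you'd drop in a case note."""
    h = parse_realm_header(data, file_size)
    return (
        f"top_ref0=0x{h['top_refs'][0]:x} top_ref1=0x{h['top_refs'][1]:x} "
        f"flags=0x{h['flags']:02x} active=slot{h['active_slot']} "
        f"(0x{h['active_top_ref']:x}, format {h['active_format']})"
    )


if __name__ == "__main__":
    # Usage against a real file: parse_realm_header(open(path, "rb").read(24), os.path.getsize(path))
    print(describe_header(build_sample_header(flags=0x01), file_size=0x2000))
```

Run it against a real file by reading the first 24 bytes and passing the on-disk size as `file_size`; a mnemonic mismatch or an out-of-range top reference is a quick sign that the file is encrypted, truncated, or not a Realm database at all.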

The Realm Files - Vol 2 - Physical Structure Overview

In this second installment of the Realm Files, we will move into the physical structure of a Realm database and discuss how it is conceptually laid out on disk. At the physical level, a Realm database is organized as a hierarchy of arrays arranged in a B-tree-like structure. At the top of this hierarchy is the Group, the top-level node that serves as the root of the database. The Group contains references to Tables, each representing a class within the Realm schema. Each Table maintains a Cluster Tree, which is Realm’s implementation of a B+ tree that organizes object data into Clusters at the leaf level. These Clusters store the actual object data for the database records, making them the end points of the structure and the primary source of evidentiary content. The challenge, forensically speaking, is linking the Clusters back to their corresponding Tables (classes) and Columns (properties) within those tables. To accomplish this, we must traverse the hierarchy beginning a...

Inside Proton’s Vault: Uncovering Android Proton Drive Artifacts

Proton Drive is Proton’s answer to secure, privacy-first cloud storage, and its Android app extends that same protection to mobile users. Proton is well known for its encrypted ecosystem: Proton Mail delivers end-to-end encrypted email, while Proton VPN provides anonymous, protected internet access. Proton Drive fits seamlessly into this suite of privacy-focused services, enabling users to upload, sync, and share files with all data encrypted both in transit and at rest, ensuring that sensitive information remains under the user’s control. When approaching Proton Drive from a forensic perspective, just like other cloud storage apps, the first questions are often the simplest: what is the user account information, and what data is actually being stored? Those are the questions I am going to focus on. Of course, Proton’s well-advertised model of end-to-end encryption and encryption of data at rest causes some challenges that are not as common with more mainst...