Digital Forensics with Damien

Over the past few days, I started combing through the Android version of DuckDuckGo. The version I have been testing is the latest version (5.222.0). In this blog post I want to talk specifically about the history.db. This SQLite database stores all the browsing history. This includes back/forward navigations in tabs similar to other web browsers that we see during examinations.  I will start by talking about the structure of the database and its contents and then discuss how the history clearing options and its impact on this database. The History.db is a very basic database, just 2 tables of interest with very minimal information about the URL's being visited. History.db Location: data\data\com.duckduckgo.mobile.android\databases\ As it is an SQLite database, I first get information about the database settings: Page Size: 4096 Journal_Mode: WAL Auto_Vacuum: On   The useful information this gives me is primarily for record recovery purposes. The database uses Write-Ahead ...

One of my passions in Digital Forensics is ripping apart applications and trying to figure out how they work and how they store data. Over the past 5 years as part of my job, I have had what some may call an "unhealthy" obsession with Dark Web applications. I have looked into Tor, I2P, Hyphanet (Formerly Freenet) and ZeroNet on multiple platforms, examining the features as new updates come out, in an attempt to uncover usage artifacts.  So, for a new research project (in my personal time) and for my first blog series I will be following a similar methodology to track down user artifacts associated with the DuckDuckGo privacy browser. This project has been on my research list for some time, and what sparked my interest was a blog I read in early 2024 that compares the application decoding capabilities of forensics tools.  Link:   iOS 15 Image Forensics Analysis and Tools Comparison - Browsers, Mail Clients, and Productivity apps I wasn't entirely shocked about the differe...

A few days ago, I released the Alpha code for a new python tool I have been working on that extracts records from an SQLite database. Whilst I understand how SQLite Databases and their corresponding journal files work and have a solid understanding of the physical structured of the files, I am fairly new to Python (less than a year) and some of the functions I wrote provided me some challenges but I eventually figured out.  Over my digital forensics career, I have used many tools (both paid and open-source) to look at SQLite Databases at a forensic level and whilst many do an "OKAY" job with parsing records I have found that many miss a lot of data (or just not providing it the examiner) that could be critical evidence during an examination. The purpose of this tool is not to reinvent the wheel for forensics on SQLite databases, but to be used for validation, and as an educational tool for  my Advanced Applied Database Forensics class that I teach at Spyder Forensics (My empl...