The Duck Hunters Guide - Blog #3 - DuckDuckGo Open Tab Information (Android)

By -
In my last blog post I talked about DuckDuckGo browsing history on Android, and along that same theme, in this post I am going to breakdown the information that is stored for opened tabs. I initially planned to do open tabs and closed tabs in the same post, but it was getting really long so I will do another post for that in the coming days.

The DuckDuckGo app will store various pieces of information about a user's tabs to populate certain areas of the app and restore a browsing session if the application is closed and reopened.

Note: The Fire button will clear this information! 

Thus far I have found the following Tab Information:

  • URLs for open tabs
  • Which is the currently active tab
  • Screenshot of current webpage in open tabs
  • Favicons for current webpage in open tabs
This information is split between the app.db and the browser cache, and we can tie it all together.

app.db Location: data\data\com.duckduckgo.mobile.android\databases\

I will start out by talking about open tab information found in the app.db SQLite database.

This is an interesting database and stores a lot of information about other browser artifacts that I plan on covering in future post. For our purposes today we want to look at the tabs table and the tab_selection table.

Tabs Table

This table stores all the information about the currently open tabs

  • tabId - Unique ID for each tab
  • url - The current url being visited 
  • title - Title of the web page
  • position - The tab position in the browser
  • tabPreviewFile - Name of the preview file in the browser cache
  • lastAcessTime - The last time the tab was accessed (Local Time). This is the last time the user selected the tab and does not update when a user navigates to different URLs.

I have some theories about the skipHome, viewed, sourceTabId and deletable columns, but I still need to research further to figure those out with 100% certainty. I will do an update post on those.


Tab_Selection Table

All that's stored in this table is the tabID for currently selected tab.





Bringing it Together

We can pull all this information together to get a full picture of the users open tabs

SELECT

    tabs.tabid AS 'Tab ID',

    CASE 

        WHEN tab_selection.tabid IS NOT NULL THEN 'Yes'

        ELSE 'No'

    END AS 'Current Tab',

    tabs.url AS 'URL',

    tabs.title AS 'Title',

    tabs.position AS 'Tab Position',

    tabs.tabPreviewFile AS 'Cached Tab Filename',

    tabs.lastAccessTime AS 'Tab Last Accessed (Local)'    

FROM tabs

LEFT JOIN tab_selection ON tabs.tabid = tab_selection.tabid;


As mentioned, the tabPreviewFile column stores the filename for the tab preview file in the browser cache. Before I go into the cache, lets first talk about the filename itself. This is a Unix milliseconds timestamp for when the preview file was created. we can use a tool like DCode to translate the datetime stamp or we can get a little creative with the SQLite functions to remove the file extension and translate the date into local time.

Note: After a lot of scenario testing, I found that the tab preview file is not regenerated for each URL visit, but when a user changes tabs.

SELECT
    tabs.tabid AS 'Tab ID',
    tabs.tabPreviewFile AS 'Cached Tab Preview Filename',
    DATETIME(RTRIM(tabs.tabPreviewFile, '.jpg') / 1000, 'unixepoch','localtime') AS 'Cached Tab Preview Time (Local)'
FROM tabs



tabPreviews Cache Folder

The tab preview file is stored in the tabPreviews folder in the application cache.

tabPreviews Location: data\data\com.duckduckgo.mobile.android\cache\

Within the tabPreviews folder there will be a folder for each tab that has been opened. The name of the folder corresponds to the Tab ID so we can quickly identifier the preview files associated with each tab.



Inside the folder there will be one JPG file that has the filename referenced in the app.db.


From an application perspective this jpg is used to populate the tabs screen, but from a forensic perspective we have a snapshot of the web page at a point in time.


faviconsTemp Cache Folder 

Another cache folder we can tie back to a specific tab is the faviconsTemp folder. 

faviconsTemp Location: data\data\com.duckduckgo.mobile.android\cache\

This folder stores the favicon for a tab. For those that don't know what a favicon is, they are small icons that serve as branding for a website which is often the website/company logo. In the context DuckDuckGo the favicons are displayed in browser tabs and the Bookmarks menu.

Note: Bookmark favicons are stored in another cache location.

Just like the tabPreviews cache folder, there will be a folder for each tab that has been opened, with the name of the folder corresponding to the Tab ID.







Inside the folder there will be the current tab favicon as png file. In testing, the favicon is updated when a user navigates to a different website.


There we have it, all the open tab information that I have been able to find thus far on the Android version of the DuckDuckGo browser. In the next post I will cover what information we can find for closed tabs and what happens if the user has the Tab clearing option enabled.

As always, I hope you found this information useful! Happy Hunting 🍻

Comments

Post a Comment

Popular posts from this blog

Introducing SQBite (Alpha) - Python Tool for Extracting Records from SQLite Databases

By -
Image
A few days ago, I released the Alpha code for a new python tool I have been working on that extracts records from an SQLite database. Whilst I understand how SQLite Databases and their corresponding journal files work and have a solid understanding of the physical structured of the files, I am fairly new to Python (less than a year) and some of the functions I wrote provided me some challenges but I eventually figured out.  Over my digital forensics career, I have used many tools (both paid and open-source) to look at SQLite Databases at a forensic level and whilst many do an "OKAY" job with parsing records I have found that many miss a lot of data (or just not providing it the examiner) that could be critical evidence during an examination. The purpose of this tool is not to reinvent the wheel for forensics on SQLite databases, but to be used for validation, and as an educational tool for  my Advanced Applied Database Forensics class that I teach at Spyder Forensics (My empl...
Read more

The Duck Hunters Guide - Blog #2 - DuckDuckGo Browsing History (Android)

By -
Image
Over the past few days, I started combing through the Android version of DuckDuckGo. The version I have been testing is the latest version (5.222.0). In this blog post I want to talk specifically about the history.db. This SQLite database stores all the browsing history. This includes back/forward navigations in tabs similar to other web browsers that we see during examinations.  I will start by talking about the structure of the database and its contents and then discuss how the history clearing options and its impact on this database. The History.db is a very basic database, just 2 tables of interest with very minimal information about the URL's being visited. History.db Location: data\data\com.duckduckgo.mobile.android\databases\ As it is an SQLite database, I first get information about the database settings: Page Size: 4096 Journal_Mode: WAL Auto_Vacuum: On   The useful information this gives me is primarily for record recovery purposes. The database uses Write-Ahead ...
Read more