Posts

Showing posts from January, 2026

A Forensic Look at the Grok Android App

In this post, I’ll be taking a closer look at some of the core artifacts associated with the Grok application on Android devices. Grok is an AI assistant developed by xAI and integrated into the X platform, designed to provide real-time, interactive AI capabilities. Users can interact with Grok using text, voice, or images to generate responses ranging from explanations and summaries to written content, code assistance, and AI-generated images or video. From a forensic perspective, these interactions can provide valuable insight into user intent, content creation activity, and AI-assisted communications. The on-device application artifacts are notably limited compared to those of other AI applications I have looked at, because Grok operates primarily as a cloud-centric AI service. During testing and research, I was able to identify user account information, artifacts associated with the built-in ExoPlayer framework, and remnants of content generation prompts. What I have not...

The Realm Files - Vol 3 - The Realm Header

In the previous installment of The Realm Files, I discussed how a Realm database maintains two top nodes as a direct result of its copy-on-write architecture. To start decoding these two distinct nodes, we need a reliable anchor point, and that anchor is the file header. The file header occupies the first 24 bytes of a Realm database file and contains seven informational entries, as shown in the table below.

Note: All integer values in the header are stored in little-endian byte order.

Offset  Size (Bytes)  Description
0       8             Top Reference 0 – Offset to Top-Level Node
8       8             Top Reference 1 – Offset to Top-Level Node
16      4             Mnemonic (File Signature) – 54 2D 44 42 ("T-DB")
20      1             File Format (Top Ref 0)
21      1             File Format (Top Ref 1)
22      1             Reserved Byte (Currently Not Used)
23      1             Flag – Determines which Root Node is currently active

The first 16 bytes of the Realm file header consist of two 8-byte integers known as Top Reference 0 and Top Reference 1. Each value points to the file offset of ea...