Unboxing the Artifacts
Now that we understand what the key artifacts are and where they live, let's locate each one in the evidence and unbox it to find the information it contains. The evidence is provided in the Desktop\Evidence\suspicious_device folder, as shown below:

SMS / MMS
SMS and MMS databases store the text and multimedia messages handled by the default messaging app. They are crucial evidence of who the suspect communicated with, when, and what was said, and they establish the communication patterns on the device.
Let's examine the mmssms.db file located in C:\Users\Administrator\Desktop\Evidence\suspicious_device\data\data\com.android.providers.telephony\databases, as shown below:

Open the terminal, and run the following command to open the mmssms.db in sqlite3, as shown below:
Command: sqlite3 mmssms.db

Once the database is loaded in sqlite3, the .tables command lists the tables it contains, as shown above.
Now we can retrieve the content of the sms table by running the SQL query select * from sms; (SQLite table names are case-insensitive, so SMS works as well), as shown below. Note that the date and date_sent columns hold milliseconds since the Unix epoch, and the type column distinguishes received (1) from sent (2) messages, so both need decoding before the rows are interpreted:

We can also use the .mode command to change the output format; giving it an unrecognized argument such as .mode ? prints the available modes: ascii, box, column, csv, html, insert, json, line, list, markdown, qbox, quote, table, tabs, and tcl. Here we have used .mode line to display each column on a separate line, as shown below:

Let's use another display option .mode box to get the output in a visually neat table format, as shown below:

Call Logs
Call logs act like a digital footprint of someone's phone conversations. They show who was contacted, when, and how often, offering valuable insight into connections, routines, or sudden spikes in suspicious activity. Let's now examine the call logs in the calllog.db database located in C:\Users\Administrator\Desktop\Evidence\suspicious_device\data\data\com.android.providers.contacts\databases, as shown below:

Open the terminal and run the following command to open the calllog.db into the sqlite3 tool:
Command: sqlite3 calllog.db

Review the Tables
Run the command .tables to display the tables within the database. Once we know the table's name, we can write an SQL query to read its content, SELECT * from calls; as shown below. As with SMS, the date column is in milliseconds since the Unix epoch, duration is in seconds, and type encodes the call direction (1 incoming, 2 outgoing, 3 missed):

Now that we have retrieved the call records, let's examine the suspect's communication and see if we can find something suspicious.
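The two queries above return raw rows with epoch timestamps and numeric type codes. The following added example (not code from the original walkthrough) shows how an examiner would merge the sms table of mmssms.db and the calls table of calllog.db into one decoded, chronological communication timeline. It stands in for the evidence files with a constructed in-memory SQLite database holding only the columns the queries need; the column names and type codes follow the Android Telephony.Sms and CallLog.Calls contracts, and the sample rows are invented.

```python
"""Added example: one decoded timeline from the `sms` and `calls` tables.

The evidence databases are replaced by a constructed in-memory database
with the relevant columns, so the script runs offline. `date` in both
tables is milliseconds since the Unix epoch (UTC)."""
import sqlite3

# Android constants: Telephony.Sms.MESSAGE_TYPE_* and CallLog.Calls.*_TYPE
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed", 4: "voicemail", 5: "rejected", 6: "blocked"}

# Constructed sample rows (not taken from the evidence image).
SAMPLE_SMS = [
    # (_id, address, date_ms, type, body)
    (1, "+15551230001", 1700000000000, 1, "Meet at the usual place at 9"),
    (2, "+15551230001", 1700000300000, 2, "On my way"),
    (3, "+15559990002", 1700003600000, 1, "Payment received"),
]
SAMPLE_CALLS = [
    # (_id, number, date_ms, duration_s, type)
    (1, "+15551230001", 1700000600000, 95, 2),
    (2, "+15559990002", 1700001800000, 0, 3),
]


def open_sample_db():
    """Build the stand-in for mmssms.db + calllog.db in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sms   (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, type INTEGER, body TEXT);
        CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, date INTEGER, duration INTEGER, type INTEGER);
    """)
    con.executemany("INSERT INTO sms VALUES (?,?,?,?,?)", SAMPLE_SMS)
    con.executemany("INSERT INTO calls VALUES (?,?,?,?,?)", SAMPLE_CALLS)
    return con


# The same SQL can be typed into the sqlite3 shell after ATTACHing both files.
# date/1000 is integer division, turning milliseconds into whole seconds.
TIMELINE_SQL = """
SELECT date, datetime(date/1000, 'unixepoch') AS when_utc, 'sms' AS kind,
       address AS counterpart, type, body AS detail
FROM sms
UNION ALL
SELECT date, datetime(date/1000, 'unixepoch'), 'call',
       number, type, 'duration ' || duration || 's'
FROM calls
ORDER BY date
"""


def build_timeline(con):
    """Return [(utc_time, kind, counterpart, decoded_type, detail), ...] oldest first."""
    rows = []
    for _, when_utc, kind, counterpart, type_code, detail in con.execute(TIMELINE_SQL):
        table = SMS_TYPES if kind == "sms" else CALL_TYPES
        decoded = table.get(type_code, f"unknown({type_code})")  # never silently drop odd codes
        rows.append((when_utc, kind, counterpart, decoded, detail))
    return rows


def contact_frequency(con):
    """Contacts per counterpart across both tables; spikes point at key relationships."""
    sql = """
    SELECT counterpart, COUNT(*) AS n FROM (
        SELECT address AS counterpart FROM sms
        UNION ALL
        SELECT number FROM calls
    ) GROUP BY counterpart ORDER BY n DESC, counterpart
    """
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for row in build_timeline(db):
        print(" | ".join(str(c) for c in row))
    print(contact_frequency(db))
```

Against the real evidence, open mmssms.db in sqlite3, ATTACH calllog.db, and run TIMELINE_SQL as-is; the decoding dictionaries are what turns a type value of 3 into "missed" rather than a number the reader has to look up.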
Contacts and Address Book
This artifact holds structured information about saved contacts, including names, phone numbers, and email addresses, which is critical from a forensic point of view because it puts names to the numbers seen in the SMS and call records.
Let's load the contacts2.db database located in C:\Users\Administrator\Desktop\Evidence\suspicious_device\data\data\com.android.providers.contacts\databases\ using the command sqlite3 contacts2.db and examine the contact details, as shown below:

As shown above, we can run the .tables command to list the tables in contacts2.db. Let's now run the query select * from data; to retrieve the contact details stored in the database, as shown below. The data table keeps every kind of contact field (name, number, email) in generic data1..data15 columns; the mimetype_id column, resolved through the mimetypes table, tells us which kind each row is, and raw_contact_id links it to the owning entry in raw_contacts:

Now that we have retrieved the contact list, let's examine it and see if we can find suspicious contact details stored on the device.
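Because the data table is generic, select * from data; is hard to read until it is joined with mimetypes and raw_contacts. The added example below (not the walkthrough's own code) performs that join and then uses the result to resolve a phone number from the SMS or call records back to a saved name. A constructed in-memory database stands in for contacts2.db; the table and column names match AOSP's ContactsProvider schema and the MIME strings are the public ContactsContract values, while the contact rows themselves are invented.

```python
"""Added example: decode contacts2.db's `data` table via `mimetypes` and
`raw_contacts`, and resolve numbers to names.

The in-memory database below is a constructed stand-in with the columns the
queries need; the rows are invented."""
import sqlite3

# ContactsContract.CommonDataKinds MIME types as stored in mimetypes.mimetype
MIME_NAME = "vnd.android.cursor.item/name"
MIME_PHONE = "vnd.android.cursor.item/phone_v2"
MIME_EMAIL = "vnd.android.cursor.item/email_v2"


def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE mimetypes    (_id INTEGER PRIMARY KEY, mimetype TEXT);
        CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, display_name TEXT, deleted INTEGER DEFAULT 0);
        CREATE TABLE data (_id INTEGER PRIMARY KEY, raw_contact_id INTEGER, mimetype_id INTEGER,
                           data1 TEXT, data2 TEXT, data3 TEXT);
    """)
    con.executemany("INSERT INTO mimetypes VALUES (?,?)",
                    [(1, MIME_NAME), (2, MIME_PHONE), (3, MIME_EMAIL)])
    # Constructed contacts; the third is flagged deleted but its rows still exist.
    con.executemany("INSERT INTO raw_contacts VALUES (?,?,?)",
                    [(1, "Alex Carter", 0), (2, "Courier", 0), (3, "Old Boss", 1)])
    # For a phone row data1 is the number and data2 the type (2 = mobile);
    # for a name row data2/data3 are the given and family names.
    con.executemany("INSERT INTO data VALUES (?,?,?,?,?,?)", [
        (1, 1, 1, "Alex Carter", "Alex", "Carter"),
        (2, 1, 2, "+15551230001", "2", None),
        (3, 1, 3, "alex.carter@example.com", "1", None),
        (4, 2, 1, "Courier", "Courier", None),
        (5, 2, 2, "+15559990002", "2", None),
        (6, 3, 2, "+15550000003", "2", None),
    ])
    return con


# Usable verbatim in the sqlite3 shell against the real contacts2.db.
DECODE_SQL = """
SELECT rc._id, rc.display_name, m.mimetype, d.data1, rc.deleted
FROM data d
JOIN mimetypes    m  ON m._id  = d.mimetype_id
JOIN raw_contacts rc ON rc._id = d.raw_contact_id
WHERE m.mimetype IN (?, ?)
ORDER BY rc._id, m.mimetype
"""


def list_identifiers(con, include_deleted=False):
    """Return [(display_name, 'phone'|'email', value), ...].

    Contacts the user deleted are only flagged (raw_contacts.deleted = 1) and
    their data rows can linger until the provider purges them, so they are
    worth reviewing explicitly rather than being dropped by accident."""
    out = []
    for _, name, mime, value, deleted in con.execute(DECODE_SQL, (MIME_PHONE, MIME_EMAIL)):
        if deleted and not include_deleted:
            continue
        out.append((name, "phone" if mime == MIME_PHONE else "email", value))
    return out


def resolve_number(con, number):
    """Map a number seen in sms/calls to a saved display name, or None if unsaved."""
    row = con.execute("""
        SELECT rc.display_name
        FROM data d
        JOIN mimetypes    m  ON m._id  = d.mimetype_id
        JOIN raw_contacts rc ON rc._id = d.raw_contact_id
        WHERE m.mimetype = ? AND d.data1 = ?
        LIMIT 1""", (MIME_PHONE, number)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_sample_db()
    for entry in list_identifiers(db, include_deleted=True):
        print(entry)
    print(resolve_number(db, "+15559990002"))
```

Real exports normalise numbers into a separate phone_lookup table as well; matching on data1 as done here works when the number is stored exactly as it appears in the message or call record.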
Browser History
Browser history logs track visited websites, search terms, and access timestamps. They offer valuable insight into a user's online behavior, research patterns, and intent, and sometimes reveal incriminating searches or traces of deleted history. In the captured evidence, we only find data for the Chrome browser, as shown below, which suggests that Chrome was the only browser in use on the device.

Let's navigate to C:\Users\Administrator\Desktop\Evidence\suspicious_device\data\data\com.android.chrome\app_chrome\Default. There we find the History file (a SQLite database stored without an extension) containing the browsing activity, as shown below:

Let's open the History file in sqlite3 using the command sqlite3 History, and run the .tables command to list the tables present in the database, as shown below:

It looks like we have two tables in the History database. Let's run the query SELECT * from urls; to retrieve the content of the urls table, as shown below:

Now that we have retrieved the URLs from the Chrome history database, we can examine them and try to identify suspicious sites visited by the suspect that could reveal his intentions. Note that Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (the WebKit epoch), not as Unix time, so it must be converted before it is compared with the SMS and call timestamps.
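The WebKit epoch trips up many first-time examiners, so the added example below (not code from the original walkthrough) shows the conversion both in SQL, ready for the sqlite3 shell, and in Python, and lists the individual visits of a URL from the visits table. A constructed in-memory database with the relevant columns of Chrome's urls and visits tables stands in for the evidence file; the rows are invented.

```python
"""Added example: read Chrome History with human-readable timestamps.

urls.last_visit_time and visits.visit_time count microseconds since
1601-01-01 UTC; 11644473600 seconds separate that epoch from 1970-01-01.
The in-memory database below is a constructed stand-in for the History file."""
import sqlite3

WEBKIT_TO_UNIX_SECONDS = 11644473600  # 1601-01-01 -> 1970-01-01


def webkit_to_unix(webkit_us):
    """Microseconds since 1601 -> whole seconds since 1970; 0 ('never visited') stays 0."""
    if not webkit_us:
        return 0
    return webkit_us // 1_000_000 - WEBKIT_TO_UNIX_SECONDS


def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    # Constructed rows. 13344473600000000 us == 2023-11-14 22:13:20 UTC.
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/maps?q=warehouse+district", "Map search", 2, 1, 13344473600000000, 0),
        (2, "https://example.com/how-to-wipe-a-phone", "How to wipe a phone", 1, 0, 13344477200000000, 0),
        (3, "https://example.com/never", "Placeholder", 0, 0, 0, 1),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, 13344470000000000, 0, 0),
        (2, 1, 13344473600000000, 1, 0),
        (3, 2, 13344477200000000, 0, 0),
    ])
    return con


# The conversion expressed in SQL, so it can be typed straight into sqlite3.
URLS_SQL = """
SELECT id, url, title, visit_count,
       CASE WHEN last_visit_time = 0 THEN 'never'
            ELSE datetime(last_visit_time/1000000 - 11644473600, 'unixepoch')
       END AS last_visit_utc
FROM urls
ORDER BY last_visit_time DESC
"""


def recent_urls(con):
    """urls rows, most recently visited first, with a readable UTC timestamp."""
    return con.execute(URLS_SQL).fetchall()


def visit_history(con, url_id):
    """Every recorded visit of one URL as 'YYYY-MM-DD HH:MM:SS' UTC, oldest first.

    last_visit_time only keeps the latest visit; the visits table keeps them all."""
    times = [t for (t,) in con.execute(
        "SELECT visit_time FROM visits WHERE url = ? ORDER BY visit_time", (url_id,))]
    return [con.execute("SELECT datetime(?, 'unixepoch')", (webkit_to_unix(t),)).fetchone()[0]
            for t in times]


if __name__ == "__main__":
    db = open_sample_db()
    for row in recent_urls(db):
        print(row)
    print(visit_history(db, 1))
```

A quick sanity check when working on a real History file: a converted date decades in the future or before 1970 means the offset was skipped or applied twice.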
Bluetooth Information
Bluetooth configuration reveals which devices the phone has paired with in the past. From a forensic perspective, the stored device names and addresses can identify a headset, a car, or another phone that leads back to the suspect or to someone the suspect met.
Go to C:\Users\Administrator\Desktop\Evidence\suspicious_device\data\misc\bluedroid, as shown below. The configuration file there is plain text, so we can open it directly or pull out specific fields (device names and addresses) with a search command such as find or grep.

We can review the information about the paired Bluetooth devices and look for ones that could be linked to the suspect's activities.
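Searching the file by hand works for a handful of entries, but a small parser scales better and decodes the fields an examiner cares about. The added example below (not the walkthrough's own code) parses the INI-style layout Bluedroid uses for bt_config.conf: an [Adapter] section for the local radio and one section per remote device, keyed by its MAC address. The sample text is constructed; the key names mirror what Bluedroid writes, the values are invented, and the link key is redacted. The Class of Device decoding uses the major-class bits defined in the Bluetooth Assigned Numbers.

```python
"""Added example: list paired devices from a bt_config.conf-style file.

SAMPLE_BT_CONFIG is constructed, not the evidence file. Keys that are
absent are reported as None rather than guessed."""
import configparser
import datetime as dt
import re

SAMPLE_BT_CONFIG = """\
[Info]
FileSource = Empty
TimeCreated = 2023-11-14 22:10:00

[Adapter]
Address = 00:11:22:33:44:55
ScanMode = 0

[aa:bb:cc:dd:ee:f1]
Timestamp = 1700000000
Name = Pixel Buds
DevClass = 2360324
DevType = 1
LinkKeyType = 4
LinkKey = REDACTED

[aa:bb:cc:dd:ee:f2]
Timestamp = 1700003600
Name = Burner Phone
DevClass = 5898764
DevType = 1
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Major device class (bits 8-12 of the Class of Device), Bluetooth Assigned Numbers.
MAJOR_CLASSES = {1: "computer", 2: "phone", 3: "LAN/NAP", 4: "audio/video",
                 5: "peripheral", 6: "imaging", 7: "wearable", 8: "toy", 9: "health"}


def parse_bt_config(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (Name, DevClass, ...) instead of lowercasing
    cp.read_string(text)
    return cp


def major_device_class(dev_class):
    return MAJOR_CLASSES.get((dev_class >> 8) & 0x1F, "uncategorized")


def paired_devices(text):
    """One dict per remote device section: address, name, class, pairing time, key present."""
    cp = parse_bt_config(text)
    devices = []
    for section in cp.sections():
        if not MAC_RE.match(section):
            continue  # [Info], [Adapter] and similar are not remote devices
        sec = cp[section]
        ts = int(sec["Timestamp"]) if "Timestamp" in sec else None
        paired_at = (dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
                     if ts else None)
        devices.append({
            "address": section.lower(),
            "name": sec.get("Name"),
            "class": major_device_class(int(sec["DevClass"])) if "DevClass" in sec else None,
            "paired_at_utc": paired_at,
            "has_link_key": "LinkKey" in sec,  # a stored key means pairing completed
        })
    return devices


def local_adapter_address(text):
    """The phone's own Bluetooth address, useful for matching it in other devices' logs."""
    cp = parse_bt_config(text)
    return cp["Adapter"].get("Address") if cp.has_section("Adapter") else None


if __name__ == "__main__":
    print("adapter:", local_adapter_address(SAMPLE_BT_CONFIG))
    for dev in paired_devices(SAMPLE_BT_CONFIG):
        print(dev)
```

Link keys are pairing secrets; the parser reports only their presence so that a report can state that pairing completed without copying the key itself.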
WiFi Information
Like the Bluetooth configuration, the Wi-Fi configuration stores information about the Wi-Fi adapter and the networks the device connected to in the past. These saved networks can show where someone has been, such as a home, a workplace, or a location the suspect would rather keep hidden.
Let's explore the Wi-Fi information in the configuration file located in C:\Users\Administrator\Desktop\Evidence\suspicious_device\data\misc\wifi, as shown below:

We can now review the saved Wi-Fi networks and hunt for ones that could be connected to the suspect's activities.
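As with the Bluetooth file, a parser gives a cleaner view than scrolling. The added example below (not code from the original walkthrough) extracts the remembered networks from a wpa_supplicant.conf-style file, the format older Android releases keep under /data/misc/wifi/; newer releases store the same information in WifiConfigStore.xml, which this parser does not handle. The sample text is constructed, the keys inside each network={...} block follow the wpa_supplicant format, and stored credentials are reported only as present or absent.

```python
"""Added example: list saved Wi-Fi networks from a wpa_supplicant.conf-style file.

SAMPLE_WPA_CONF is constructed, not the evidence file."""
import re

SAMPLE_WPA_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
\tssid="HomeNet"
\tpsk="correct horse battery staple"
\tkey_mgmt=WPA-PSK
\tpriority=5
}

network={
\tssid="CoffeeShop_Free"
\tkey_mgmt=NONE
\tpriority=2
}

network={
\tssid="WAREHOUSE-5G"
\tbssid=aa:bb:cc:dd:ee:ff
\tpsk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
\tkey_mgmt=WPA-PSK
\tpriority=9
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)          # one block per saved network
KV_RE = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.M)            # key=value lines inside a block


def _unquote(value):
    """ssid and passphrase psk are quoted strings; raw hex PSKs and bssid are not."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def saved_networks(text):
    """One dict per remembered network, highest join priority first.

    has_credential is True when either a passphrase or a 64-hex PSK is stored;
    the secret itself is deliberately not copied into the result."""
    nets = []
    for block in BLOCK_RE.finditer(text):
        fields = {k: _unquote(v) for k, v in KV_RE.findall(block.group(1))}
        nets.append({
            "ssid": fields.get("ssid"),
            "key_mgmt": fields.get("key_mgmt", "WPA-PSK"),  # wpa_supplicant's default
            "bssid": fields.get("bssid"),                   # set only when pinned to one AP
            "priority": int(fields.get("priority", 0)),
            "has_credential": "psk" in fields,
        })
    return sorted(nets, key=lambda n: n["priority"], reverse=True)


def open_networks(text):
    """SSIDs saved without authentication (key_mgmt=NONE): typically public hotspots."""
    return [n["ssid"] for n in saved_networks(text) if n["key_mgmt"] == "NONE"]


if __name__ == "__main__":
    for net in saved_networks(SAMPLE_WPA_CONF):
        print(net)
    print("open:", open_networks(SAMPLE_WPA_CONF))
```

A pinned bssid is worth noting separately: it ties the profile to one specific access point rather than to any network broadcasting that name.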
Summary
In this task, we explored only a handful of the artifacts, identified their locations, unboxed them individually, and examined the footprints of the suspect's activities to find something suspicious. It is also important to note that reviewing the artifacts manually and separately takes a lot of time, which hurts an investigation that must be concluded within a limited window. In the next task, we will address this shortcoming in detail.