Third-Party Applications And Data Storage
Understanding the way that each platform stores data leads to better, more thorough examinations.
First, a short overview of how Android and iOS store application data.
1. iOS And Data Storage
- The iOS platform uses both .plist files and SQLite database files to store user-related content for each application.
- The iOS file system layout stores each of the native iOS applications under the Library folder: /private/var/mobile/Library
- Once an app is installed on an iOS device, the App Bundle is installed in a subfolder of /private/var/containers/Bundle, and the app stores its data under /private/var/mobile/Containers/Data/Application/. Each application's Data folder contains 4 main directories: Documents, Library, SystemData and tmp.
- The easiest way to track down an iOS application's Data folder is to analyze /private/var/mobile/Library/FrontBoard/applicationstate.db, as described in a blog post by Alexis Brignoni.
- Another common location for third-party application data is Mobile/Applications/.
2. Android And Data Storage
- Similar to iOS devices, Android makes extensive use of SQLite databases for application data storage.
- Each application is stored in its own sub-folder on the root of the device and that application sub-folder may contain other supporting application files, such as .xml files.
- Most often, a folder labeled /Databases contains the bulk of the user data in an SQLite database.
- Once an app is installed on an Android device, the app's APK is stored in the USERDATA partition in a subfolder of the /app folder.
- App Data folder uses the package name (e.g., “com.whatsapp,” “com.facebook.katana,” “org.telegram.messenger”).
- App Data is stored in the USERDATA partition in a subfolder of the /data folder.
- Once installed, an app can request permissions to read and write data in the /media folder of the USERDATA partition.
Types of Application Storage
1- Databases (SQLite, Realm)
1.1 SQLite
- SQLite is the storage mechanism of choice for the major mobile operating systems in the smartphone market today. It is a standalone database that does not operate under the traditional client-server model, which is one reason it is so desirable for mobile devices: there is no need to install and configure a database server separately. Instead, SQLite is integrated into the application itself, typically as a library that the application links to.
- SQLite databases make use of some additional files, notably WAL and SHM files, as temporary memory locations to make SQLite more efficient.
- One feature of SQLite that has proven to be a hidden gem for mobile forensic examinations is that ACTIVE SQLite database files can contain DELETED content: when user data is deleted from within an application, that data is often simply "marked for deletion" in the SQLite database.
- The big commercial vendors began recovering deleted content from those databases, but they cannot support every application from every app store on the market, so application databases of interest to the examination should always be reviewed for deleted content in a hex viewer or with a tool that can access deleted SQLite records.
Quick Demo 👨🏫
As mentioned above, applicationstate.db contains the folder paths for each application's data. As a quick summary of Alexis Brignoni's blog post, this database contains 3 tables of interest:
- application_identifier_tab: contains the application_identifier for each application and a unique id.
- kvs: contains application_identifier (which equals id in the application_identifier_tab table), value (blob data) and key.
- key_tab: contains the description of each key in the kvs table.
Where key == 1, the blob value tells you the location of the data path.
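Putting the three tables together in one query, as an added example that is not part of the original notes: the script below builds a constructed in-memory stand-in for applicationstate.db (the column names and the plist layout of the value blob are assumptions), joins kvs to application_identifier_tab on the key == 1 rows, decodes each blob with plistlib and pulls out the Data folder path. A row whose blob is not a valid plist is skipped rather than aborting the run.

```python
import plistlib
import sqlite3

DATA_ROOT = "/private/var/mobile/Containers/Data/Application/"

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for applicationstate.db (column names assumed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE application_identifier_tab(id INTEGER PRIMARY KEY, application_identifier TEXT);
        CREATE TABLE key_tab(id INTEGER PRIMARY KEY, key TEXT);
        CREATE TABLE kvs(application_identifier INTEGER, key INTEGER, value BLOB);
        INSERT INTO application_identifier_tab VALUES (1, 'com.example.chat'), (2, 'com.example.damaged');
        INSERT INTO key_tab VALUES (1, 'compatibilityInfo');
    """)
    # The value blob is a binary plist; the dict layout below is constructed for this example.
    path = DATA_ROOT + "1B2C3D4E-0000-4000-8000-000000000000"
    blob = plistlib.dumps({"sandboxPath": path}, fmt=plistlib.FMT_BINARY)
    con.executemany("INSERT INTO kvs VALUES (?, 1, ?)", [(1, blob), (2, b"not a plist")])
    return con

def _find_paths(obj):
    """Walk a decoded plist and yield every string that looks like an app Data path."""
    if isinstance(obj, str) and obj.startswith(DATA_ROOT):
        yield obj
    elif isinstance(obj, (dict, list, tuple)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _find_paths(v)

def app_data_paths(con: sqlite3.Connection) -> dict:
    """Map each application_identifier to its Data folder, using the key == 1 rows of kvs."""
    rows = con.execute("""
        SELECT a.application_identifier, kvs.value
        FROM kvs JOIN application_identifier_tab a ON a.id = kvs.application_identifier
        WHERE kvs.key = 1
    """).fetchall()
    result = {}
    for app_id, blob in rows:
        try:
            decoded = plistlib.loads(blob)
        except Exception:          # not a plist (or damaged): skip this row, keep going
            continue
        paths = list(_find_paths(decoded))
        if paths:
            result[app_id] = paths[0]
    return result
```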
WAL and SHM:
- WAL (Write-Ahead Logging):
  - The original content of the database is preserved in the database file, and changes are appended into a separate WAL file.
  - A COMMIT occurs when a special record indicating a commit is appended to the WAL.
    COMMIT is a transaction control statement in SQL that lets a user permanently save all the changes made in a transaction on a database or table.
  - Transferring all the transactions appended to the WAL file back into the original database is called checkpointing.
  - By default, SQLite does a checkpoint automatically when the WAL file reaches a threshold size of 1000 pages.
  - Checkpointing is done with the use of the -shm file, which is the WAL-index file.
- SHM (Shared Memory File):
  - Is not actually used as a file. Rather, individual database clients mmap the shm file and use it as shared memory for coordinating access to the database and as a cache for quickly locating frames within the WAL file.
These files can be viewed within a hex editor, carved for strings, or parsed by creating Python scripts that target application content.
Demo
containers.sqlite3 is a database that contains the installed applications on iOS, so when we load containers.sqlite3-wal into HxD we can grep for strings to see applications that were installed or deleted, in case we don't find them in the original database.
This shows that com.reddit.Reddit.stickers is installed; if we don't find it in the original database, it may be that the user deleted this application, so the WAL is a place to check whether applications were deleted.
1.2 Realm
- While nowhere near as common as SQLite, you may come across mobile applications that use Realm databases as a means to store user data.
- Realm Studio can be downloaded for free for stand-alone analysis of databases on Mac OS, Linux, or Windows.
- Demo: the Cargurus.realm database is located in data_ce\null\0\com.cargurus.mobileApp\files, which appears to be a car application where you can look for or sell a car.
2- JSON Files
JSON (JavaScript Object Notation) files can be another file type that contains valuable app-related content.
3- PLIST Files (iOS only)
- A PLIST file is a special text file that contains data in the Property List format.
- Its format looks similar to an XML file and is not always easy to read unless you use a plist editor/viewer.
- You can use a plist editor to view plist files in XML view or list view.
4- Protobufs Files
- Protocol buffers or protobufs were created by Google as a way to serialize structured data for communication between systems, and they are starting to pop up all over our mobile device images.
- They are a more efficient equivalent to XML and JSON, and they are operating system and language neutral, which means we will likely see them on any of the operating systems we encounter.
- Every application that utilizes protobufs, native or third-party, will have its own way to structure the data, and therefore what works to interpret the residual data will vary from one application to the next.
- The structure is stored in a .proto file.
- The protoc binary can be used to decode raw protobuf files (protoc --decode_raw, which needs no .proto file) and make them slightly easier to interpret.
- To learn more about protobufs you can check Yogesh Khatri's forensic blog, which has good material on the topic.
- This is a good blog post about protobuf files and how to decode them [here].
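A schema-less decoder of the protobuf wire format, added here as an example and not taken from either blog, does what protoc --decode_raw does when no .proto file is available: it splits the bytes into (field number, wire type, value) triples and, for length-delimited fields, tries printable text first and a nested message second. The sample record is hand-encoded and constructed for this example.

```python
import struct
# Constructed sample, hand-encoded (not from a real app): 1=varint 150, 2="org.telegram.messenger", 3=nested{1: varint 1700000000, 2: fixed32 42}
SAMPLE = (b"\x08\x96\x01" + b"\x12\x16org.telegram.messenger"
          + b"\x1a\x0b\x08\x80\xe2\xcf\xaa\x06\x15\x2a\x00\x00\x00")

def varint_decode(buf: bytes, pos: int):
    """Decode one base-128 varint at pos; return (value, new_pos). Rejects truncated/over-long input."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or over-long varint")
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def decode_raw(buf: bytes, depth: int = 0) -> list:
    """Schema-less decode in the spirit of `protoc --decode_raw`: [(field_number, wire_type, value), ...]."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = varint_decode(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if field == 0 or wtype in (3, 4, 6, 7):      # field 0 is illegal; groups/reserved types unsupported
            raise ValueError(f"bad tag {tag} before offset {pos}")
        if wtype == 0:                               # varint
            value, pos = varint_decode(buf, pos)
        elif wtype in (1, 5):                        # 64-bit / 32-bit fixed, little-endian
            fmt, size = ("<Q", 8) if wtype == 1 else ("<I", 4)
            (value,), pos = struct.unpack_from(fmt, buf, pos), pos + size
        else:                                        # wire type 2: length-delimited
            length, pos = varint_decode(buf, pos)
            chunk, pos = buf[pos:pos + length], pos + length
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            value = _interpret(chunk, depth)
        fields.append((field, wtype, value))
    return fields

def _interpret(chunk: bytes, depth: int):
    """Length-delimited payload: printable UTF-8 -> str; else try a nested message; else raw bytes."""
    text = chunk.decode("utf-8", errors="replace")
    if "\ufffd" not in text and text.isprintable():
        return text
    if depth < 8:                                    # bounded recursion for pathological inputs
        try:
            return decode_raw(chunk, depth + 1)
        except (ValueError, struct.error):
            pass
    return chunk
```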
References
- https://byjus.com/gate/difference-between-commit-and-rollback-in-sql/#:~:text=COMMIT is a transaction control,previous state in any case.
- https://www.sqlite.org/wal.html
- https://www.swiftforensics.com/2020/01/usagestats-on-android-10-q.html
- https://www.sans.org/posters/ios-third-party-apps-forensics-reference-guide-poster/