Troy 4N6 (Troy Schnack's Blog). Post: Try to Be More Sensitive, published 2023-03-26.<h1 style="text-align: left;">Discovering Insensitivity</h1><div style="text-align: left;">While running through the steps of an exercise during the <a href="https://academy.cyber5w.com/collections/live-training-hexordia" target="_blank">Mobile Forensic Analysis</a> course from <a href="https://www.hexordia.com/" target="_blank">Hexordia</a>, I ran into an interesting case-sensitivity issue. For me, unsolved issues like this are not acceptable. I'm sure that if you are a forensicator like me, the same standard applies to you. Let's walk through my testing and the solution I discovered.</div><div class="separator" style="clear: both; text-align: center;"><br /></div><h1 style="text-align: left;"><span style="font-size: x-large;">The Problem with Insensitivity</span></h1><p>I was dealing with Apple File System (APFS) data from an iOS image in ZIP format. Although many tools can parse the ZIP file as is, others may require the file to be extracted. You may also want to manually browse through the files and folders. When performing the ZIP extraction on a Windows computer, you are likely to run into a problem, and that problem will cause you to miss possibly vital information.</p><p>The problem I speak of stems from the file system's case-insensitive handling of file names: by default, NTFS and exFAT on Windows treat two names that differ only in letter case as the same name. In the screenshot below, you will note that the extraction was attempting to put two files with the same name into the same folder, the only difference being that one name had a capital letter and the other did not.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxGC5yVtIhc9K_OlN3tJAyQaDT2Zb4q38omyw1Be4K7FhCA4-tL-3ue5HLmIDv-r0LhDA7AQumuCjjWzsMIJ0Ud0nOKE9acghm9hk1kEKccTzN3o4cMSm_hDIUU0w13W-oufWKDGZSj6lC5L3vVqdMw8VDYj7vg0puTB6H6ZseVzbi466w8cGKtw/s1200/Screenshot%20iOS%20Unzip%20Error.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="307" data-original-width="1200" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxGC5yVtIhc9K_OlN3tJAyQaDT2Zb4q38omyw1Be4K7FhCA4-tL-3ue5HLmIDv-r0LhDA7AQumuCjjWzsMIJ0Ud0nOKE9acghm9hk1kEKccTzN3o4cMSm_hDIUU0w13W-oufWKDGZSj6lC5L3vVqdMw8VDYj7vg0puTB6H6ZseVzbi466w8cGKtw/w625-h160/Screenshot%20iOS%20Unzip%20Error.png" width="625" /></a></div><p>Whether you choose to overwrite or skip this file, the answer is still wrong. We need <b>both</b> files to allow a complete view of the data from the iOS extraction.</p><p>This issue first presented itself when attempting to extract the ZIP file to an NTFS volume. I next tried the extraction to an external exFAT-formatted thumb drive and found the same problem.</p><p>Maxim Suhanov has a more detailed blog post on case sensitivity in Windows file systems <a href="https://dfir.ru/2021/07/15/playing-with-case-insensitive-file-names/" target="_blank">here</a>.</p><h1 style="text-align: left;"><span style="font-size: x-large;">Mac OS exFAT Sensitivity Testing</span></h1><p>Some websites suggested that exFAT was case sensitive, even though my testing on Windows 11 (22H2) showed this to be false. It was time to open a MacBook Pro laptop and test the theory. I inserted a thumb drive and formatted it from the Mac as exFAT. 
I first created a folder named "Test", capitalizing the first letter. I then attempted to create a second folder with the same name but without the capital letter. That also failed.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoHLjvbr37XsDJ8vFfUys7dJK7wJAfnRcXOHlv_TmQHTnyM3ydTS5fe9B_qjsRCSwKMM_PHNhOP-8nZwNk5mwyTr8aXoG4_0EidgdV4vngngEYnZm2Nm6STQBhcfX5avo6Gg-qwpMDkfFX1icBHlXqdbTZ02eibBLURTYKP5G6JWCYDuGyDiE2yQ/s3024/MacOS%20exFAT%20Test%20small.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2053" data-original-width="3024" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoHLjvbr37XsDJ8vFfUys7dJK7wJAfnRcXOHlv_TmQHTnyM3ydTS5fe9B_qjsRCSwKMM_PHNhOP-8nZwNk5mwyTr8aXoG4_0EidgdV4vngngEYnZm2Nm6STQBhcfX5avo6Gg-qwpMDkfFX1icBHlXqdbTZ02eibBLURTYKP5G6JWCYDuGyDiE2yQ/w546-h370/MacOS%20exFAT%20Test%20small.JPG" width="546" /></a></div><div><br /></div><br /><h1 style="text-align: left;"><span style="font-size: x-large;">Acquiring Sensitivity</span></h1><p>This looks like we have hit a dead end. However, I'm not fond of giving up 😉. After some research using a popular search engine, I located the answer in a Microsoft article <a href="https://learn.microsoft.com/en-us/windows/wsl/case-sensitivity" target="_blank">here</a>. 
It details how to enable case sensitivity on a specific folder of an NTFS volume.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWoEXh8vAa60HL4kmObEF4jfA-ZooyItjt85Fy21CLI1ZJrpuuHGY-45XIC-M1gMXxaG95vrw1FAzheHTbYyshlfkpJbL_cXPaeJz8VH0CuvsS-5BWLMyeMGUSKIT5MsDPZF7N9Rsz7cdfEgupYGJelwlTJKbnI1ORvCCfK9rF5WMoHPSjlFubAA/s928/Screenshot%20NTFS%20fsutil%20example.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="471" data-original-width="928" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWoEXh8vAa60HL4kmObEF4jfA-ZooyItjt85Fy21CLI1ZJrpuuHGY-45XIC-M1gMXxaG95vrw1FAzheHTbYyshlfkpJbL_cXPaeJz8VH0CuvsS-5BWLMyeMGUSKIT5MsDPZF7N9Rsz7cdfEgupYGJelwlTJKbnI1ORvCCfK9rF5WMoHPSjlFubAA/w523-h265/Screenshot%20NTFS%20fsutil%20example.png" width="523" /></a></div><p><b><span style="color: #2b00fe;">TIP</span></b>:<i> Create a new <u>empty</u> folder before applying the <span style="font-family: courier;">fsutil </span>command; it will not work if the folder is not empty.</i></p><p>After following the directions in the section "Changing the case sensitivity of files and directories", I extracted the iOS full file system image to my Windows 11 computer without errors or loss of data.</p><h1 style="text-align: left;"><span style="font-size: x-large;">Be Sensitive to the Data's Needs</span></h1><p>The next time you need to extract, on Windows, an image taken from iOS, Linux or another case-sensitive file system, use an NTFS volume and configure an empty folder with the <span style="font-family: courier;">fsutil </span>command. 
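</p>
<p>As an added example that is not part of the original post, the Python script below checks an iOS full-file-system ZIP for exactly the clash shown in the screenshot above before anything is extracted: it groups entry names (and every folder prefix) that differ only in letter case, so you know up front whether the target folder must be made case sensitive. The <span style="font-family: courier;">enable_case_sensitivity</span> helper wraps the Microsoft-documented <span style="font-family: courier;">fsutil file setCaseSensitiveInfo &lt;folder&gt; enable</span> and <span style="font-family: courier;">queryCaseSensitiveInfo</span> commands and only runs on Windows. The sample ZIP and its path names are constructed for the demonstration and are not taken from a real image.</p>

```python
"""Added example (not from the original post): find entries in an iOS
full-file-system ZIP that collide on a case-insensitive file system, so you
know before extracting on Windows whether a case-sensitive NTFS folder is
needed.  The fsutil helper wraps the command the post relies on."""
import io
import subprocess
import sys
import zipfile
from collections import defaultdict


def case_collisions(names):
    """Group ZIP entry paths that differ only by case.

    Whole paths and every directory prefix are checked, because on a
    case-insensitive volume 'Library/' and 'library/' would be merged into
    one folder and their contents mixed.  Returns a sorted list of groups,
    each group being the sorted list of distinct original spellings.
    """
    groups = defaultdict(set)
    for name in names:
        parts = name.rstrip("/").split("/")
        # Register every prefix (a, a/b, a/b/c) so folder clashes are caught too.
        for depth in range(1, len(parts) + 1):
            prefix = "/".join(parts[:depth])
            groups[prefix.casefold()].add(prefix)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def zip_case_collisions(zip_path_or_bytes):
    """Run case_collisions over the entry names of a ZIP path or ZIP bytes."""
    if isinstance(zip_path_or_bytes, (bytes, bytearray)):
        source = io.BytesIO(zip_path_or_bytes)
    else:
        source = zip_path_or_bytes
    with zipfile.ZipFile(source) as zf:
        return case_collisions(zf.namelist())


def enable_case_sensitivity(directory):
    """Enable per-directory case sensitivity on NTFS with the fsutil command
    the post uses.  The directory must already exist and be empty (the
    post's TIP).  Returns True when the follow-up query reports 'enabled';
    on non-Windows hosts it raises instead of trying."""
    if sys.platform != "win32":
        raise OSError("fsutil setCaseSensitiveInfo is only available on Windows NTFS")
    subprocess.run(["fsutil", "file", "setCaseSensitiveInfo", directory, "enable"],
                   check=True)
    out = subprocess.run(["fsutil", "file", "queryCaseSensitiveInfo", directory],
                         capture_output=True, text=True, check=True).stdout
    return "enabled" in out.lower()


def build_sample_zip():
    """Constructed sample ZIP (not a real iOS image) reproducing the clash in
    the post's screenshot: two files whose names differ only in case, plus a
    folder-level clash and an unrelated file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("private/var/mobile/Library/Caches/Snapshots/Keys.plist", "a")
        zf.writestr("private/var/mobile/Library/Caches/Snapshots/keys.plist", "b")
        zf.writestr("private/var/mobile/Media/DCIM/IMG_0001.JPG", "c")
        zf.writestr("private/var/mobile/media/readme.txt", "d")
    return buf.getvalue()


if __name__ == "__main__":
    for group in zip_case_collisions(build_sample_zip()):
        print("collision:", " <-> ".join(group))
```

<p>Run the collision check against the ZIP first. If it reports any group, create a new empty folder on an NTFS volume, call <span style="font-family: courier;">enable_case_sensitivity</span> on it (it must still be empty, as the TIP above says), and extract into that folder; the query command lets you confirm the flag is set before the extraction starts, and the post's own result shows that setting it on the one empty folder is enough for the whole extracted tree.</p>
<p>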
The most important thing to remember is that it can be done!</p>Post: Android Video Thumbnail Files ".lvl", published 2019-10-07.<h2>
Video Thumbnails ".lvl" Found on Android Devices</h2>
Video files with the <span style="font-family: 'courier new', 'courier', monospace;">.lvl</span> extension were located on an Android phone in the hidden “<span style="font-family: 'courier new', 'courier', monospace;">.thumbnails</span>” folder. The Android device tested is a Samsung Galaxy SGH-M919. The device model number appears in the full path where the <span style="font-family: 'courier new', 'courier', monospace;">.lvl</span> video thumbnails are stored.<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">Root/media/0/.thumbnails/<span style="background-color: yellow;">M919</span>UVSFQA1_4.4.4/<i>movie_xx/section.0000.lvl</i></span><br />
<br />
I conducted a test to see which actions trigger the creation of the video thumbnails.<br />
<br />
<br />
<h3>
Download Video Testing</h3>
A Samsung Galaxy SGH-M919 was used for the test. The phone had been cleared and reset to factory defaults. I installed a video download app to obtain a video from the Internet and store it on the mobile device. The app Video Downloader was installed from the Google App Store.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQAjhwuA_3Cn-Uy4Oh4VERfGundsQ8aYLCW2lj_sWQtuHE0ZCUjFNQWP1W4LOaA8UDiHsokbjtSLOub3W20W7wzzRyFtYc5eC2W6GjyHRC2ti9jUhWeGjt95wKwtfE2qts7_pL_2iO/s1600/App_Download.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="271" data-original-width="781" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQAjhwuA_3Cn-Uy4Oh4VERfGundsQ8aYLCW2lj_sWQtuHE0ZCUjFNQWP1W4LOaA8UDiHsokbjtSLOub3W20W7wzzRyFtYc5eC2W6GjyHRC2ti9jUhWeGjt95wKwtfE2qts7_pL_2iO/s320/App_Download.png" width="320" /></a></div>
<br />
<br />
Using the Video Downloader browser, I accessed the Internet Archive movie library and downloaded “Night of the Living Dead”.<br />
<br />
<span style="color: orange;"><b>It is October after all - Happy Halloween!!</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZtrcc61aEwovsKa5jPe7bfUddyXjOMJBu2tD6BOxum1NeawprYYHBLNjTkf-4j4cdkPCEy9AkgefBYPD7wc0hb7cnJtHTV5dkGIf5C_x1v6UO2NXn4OYVcJxUf0izLL6nrFKKbfOw/s1600/Screenshot_2019-10-04-16-18-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZtrcc61aEwovsKa5jPe7bfUddyXjOMJBu2tD6BOxum1NeawprYYHBLNjTkf-4j4cdkPCEy9AkgefBYPD7wc0hb7cnJtHTV5dkGIf5C_x1v6UO2NXn4OYVcJxUf0izLL6nrFKKbfOw/s320/Screenshot_2019-10-04-16-18-03.png" width="180" /></a></div>
<br />
<br />
The video download completed. The video was never opened or viewed on the device.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf_oUfpkIaAGeWS9BuPs8jHiH_lrIezhBvVDNB95EAM9QsC4FjxbVnOqwOOzqF0F-G0unR_0G85SB-LxkCGy3fOlsd7y_sExiCTCAwG9cdQomZ5pG4sik3rxs3XaHfavUsJxMatC3n/s1600/Screenshot_2019-10-04-16-18-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf_oUfpkIaAGeWS9BuPs8jHiH_lrIezhBvVDNB95EAM9QsC4FjxbVnOqwOOzqF0F-G0unR_0G85SB-LxkCGy3fOlsd7y_sExiCTCAwG9cdQomZ5pG4sik3rxs3XaHfavUsJxMatC3n/s320/Screenshot_2019-10-04-16-18-12.png" width="180" /></a></div>
<br />
<br />
I used the built-in file browser “My Files” app to view folders and files on the phone.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7W1m0VEQnqI6uy1AJ9R9AMkzDw1FmrYkWZDbl0Q3gH5upZr52rpN4B8NUL8Z6TozrN79-ycZIy8_vaxsy1hENXbj4nGv3Qnr5ZYyZIvgdI9vuywTX14s88PuagPXfgiB9iwIGfaSR/s1600/Screenshot_2019-10-04-16-18-53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7W1m0VEQnqI6uy1AJ9R9AMkzDw1FmrYkWZDbl0Q3gH5upZr52rpN4B8NUL8Z6TozrN79-ycZIy8_vaxsy1hENXbj4nGv3Qnr5ZYyZIvgdI9vuywTX14s88PuagPXfgiB9iwIGfaSR/s320/Screenshot_2019-10-04-16-18-53.png" width="180" /></a></div>
<br />
<br />
Opening the “VideoDownloader” folder.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO7zc8EH9LX5TY4OHBvR6OIQQiHmSfx7IPUpEYVxFbU2uerkNN9pCxTjAWDIkL0bPtsDi1wR8HMcpA6fNHzc11QjJoJmCPC12nk8mjFqSHkKy0O4bGOsGjNnBV8t55865smr_VRNAu/s1600/Screenshot_2019-10-04-16-19-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO7zc8EH9LX5TY4OHBvR6OIQQiHmSfx7IPUpEYVxFbU2uerkNN9pCxTjAWDIkL0bPtsDi1wR8HMcpA6fNHzc11QjJoJmCPC12nk8mjFqSHkKy0O4bGOsGjNnBV8t55865smr_VRNAu/s320/Screenshot_2019-10-04-16-19-02.png" width="180" /></a></div>
<br />
Opening the “<span style="font-family: 'courier new', 'courier', monospace;">Download</span>” folder. This showed the “<span style="font-family: 'courier new', 'courier', monospace;">night of the living dead.mp4</span>” video filename and thumbnail image. The video file was never opened or viewed.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDYU385qyZuhkzy7U1nNfYNFJkhGp1SuZF3FY2erWmyYDiaNNWFu_uc5nV-9nhzltvJvY0c74EvG3mLT4rBnH1KGSUWxVEqbKdJRmo2lraekEu4_Hhvz4CLYgJ7zt-GSOIKzwCLh4a/s1600/Screenshot_2019-10-04-16-19-09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDYU385qyZuhkzy7U1nNfYNFJkhGp1SuZF3FY2erWmyYDiaNNWFu_uc5nV-9nhzltvJvY0c74EvG3mLT4rBnH1KGSUWxVEqbKdJRmo2lraekEu4_Hhvz4CLYgJ7zt-GSOIKzwCLh4a/s320/Screenshot_2019-10-04-16-19-09.png" width="180" /></a></div>
<br />
Using “My Files” app, I changed the settings to allow hidden files to be visible.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3kX-LOs-FrQWaltyvIeWZGNXzUUIS4aKaQfE1e6A7C1w9UjdUfxGaBLQyGt58KmNijLhC1fxnHmSSBicdYxHiTIilc9rUtTfAgl0gNMO_N_QD1M89eoI8CSQ0-gTW0WP1Y12wemIg/s1600/Screenshot_2019-10-04-16-19-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3kX-LOs-FrQWaltyvIeWZGNXzUUIS4aKaQfE1e6A7C1w9UjdUfxGaBLQyGt58KmNijLhC1fxnHmSSBicdYxHiTIilc9rUtTfAgl0gNMO_N_QD1M89eoI8CSQ0-gTW0WP1Y12wemIg/s320/Screenshot_2019-10-04-16-19-21.png" width="180" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEcwx1dL7cXcMicvM34FfQ4z4eOzaQzHJ-oWFuBadDXiVXNkN02iH3bu6eavwtAHq7YgZMqSkZOwL6wNNLZlv7uTaJJJj0MR9wLKoqxRrEsVBvmkOpms0mvypx_2RsvXvOtMsMt7VN/s1600/Screenshot_2019-10-04-16-19-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEcwx1dL7cXcMicvM34FfQ4z4eOzaQzHJ-oWFuBadDXiVXNkN02iH3bu6eavwtAHq7YgZMqSkZOwL6wNNLZlv7uTaJJJj0MR9wLKoqxRrEsVBvmkOpms0mvypx_2RsvXvOtMsMt7VN/s320/Screenshot_2019-10-04-16-19-26.png" width="180" /></a></div>
<br />
With hidden files now visible, I opened the “<span style="font-family: 'courier new', 'courier', monospace;">.thumbnails</span>” folder.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTqG6qfGFQ2WO2Zs5ldSZb7JdeSq5M0xl56_L0f4Aq3cdUvCHfhWSx-Q5sj0rPcA3YLMWeaAqGYpDBF-ZYwRIfW8qCGD0a-v_VQ-szkJsbd1-ebNwFndc8xIzqm3oVSEYv-IqlQmzc/s1600/Screenshot_2019-10-04-16-19-33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTqG6qfGFQ2WO2Zs5ldSZb7JdeSq5M0xl56_L0f4Aq3cdUvCHfhWSx-Q5sj0rPcA3YLMWeaAqGYpDBF-ZYwRIfW8qCGD0a-v_VQ-szkJsbd1-ebNwFndc8xIzqm3oVSEYv-IqlQmzc/s320/Screenshot_2019-10-04-16-19-33.png" width="180" /></a></div>
<br />
Inside “<span style="font-family: 'courier new', 'courier', monospace;">.thumbnails</span>” was a folder similar to the one found on the client’s phone, named with the model number.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEMRJNFybkjhnLtCYlmcMF4SVxDej2cjluB58YZJmDx-ZdeJxzgTab4dKo6jGjqWNL4DyLVAwSW7naWSIXYKlU5IxdA6xp9rCnrFg9oTVkz2E2p9NX5SjrCp_pPOb041f2fTxBB66o/s1600/Screenshot_2019-10-04-16-19-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEMRJNFybkjhnLtCYlmcMF4SVxDej2cjluB58YZJmDx-ZdeJxzgTab4dKo6jGjqWNL4DyLVAwSW7naWSIXYKlU5IxdA6xp9rCnrFg9oTVkz2E2p9NX5SjrCp_pPOb041f2fTxBB66o/s320/Screenshot_2019-10-04-16-19-39.png" width="180" /></a></div>
<br />
Opening the folder named with the device’s model number again revealed a folder structure similar to the client phone’s (movie_xx).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOyYQxbWRISCHX8xYKy7E5chDLIy0OlCHNLxMzHx74UM6ATqyG7A99w0mpUsSj_Vtv2W_EJ8sYFlyJRhadThJYNMsLmNfv02OLfPWpu6zIlUrBThdbHa4SQSzDzXGz9riZxehx5PBs/s1600/Screenshot_2019-10-04-16-19-44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOyYQxbWRISCHX8xYKy7E5chDLIy0OlCHNLxMzHx74UM6ATqyG7A99w0mpUsSj_Vtv2W_EJ8sYFlyJRhadThJYNMsLmNfv02OLfPWpu6zIlUrBThdbHa4SQSzDzXGz9riZxehx5PBs/s320/Screenshot_2019-10-04-16-19-44.png" width="180" /></a></div>
<br />
The “<span style="font-family: 'courier new', 'courier', monospace;">movie_27</span>” folder contained the video thumbnails with “<span style="font-family: 'courier new', 'courier', monospace;">.lvl</span>” extensions.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyg_kCcHDTuTwQbrTt-LnLjh-Uw4C7Wl4QvL3uJ5MgHUo3dsWDF-kXxL_tDRgdlMzvRfQn2d4V79vVQtBjBFLMc5j5YSxDE-olF0rmFxGmm5Xm2xIgfiO7Pe_w2XNg0DnZ3nESM6lk/s1600/Screenshot_2019-10-04-16-19-51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyg_kCcHDTuTwQbrTt-LnLjh-Uw4C7Wl4QvL3uJ5MgHUo3dsWDF-kXxL_tDRgdlMzvRfQn2d4V79vVQtBjBFLMc5j5YSxDE-olF0rmFxGmm5Xm2xIgfiO7Pe_w2XNg0DnZ3nESM6lk/s320/Screenshot_2019-10-04-16-19-51.png" width="180" /></a></div>
<br />
<h3>
Recorded Video Testing</h3>
I created several videos with the built-in camera app. These videos were stored in the “<span style="font-family: 'courier new', 'courier', monospace;">DCIM</span>” folder, separately from the downloaded videos. They also received their own folder and “<span style="font-family: 'courier new', 'courier', monospace;">.lvl</span>” video thumbnails under the same root “<span style="font-family: 'courier new', 'courier', monospace;">.thumbnails</span>” folder path.<br />
<br />
<h3>
LVL File Format</h3>
The “<span style="font-family: 'courier new', 'courier', monospace;">.lvl</span>” files are actually 3GP-format video clips taken from the original video file saved to the device. The header information viewed in <a href="https://ericzimmerman.github.io/#!index.md" target="_blank">Eric Zimmerman’s</a> EZViewer is shown below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSvv_FeyxGujWLhi3cwf9jBf8PimXO0alnaJ5RF81c0-xHrmIXY3Fj9bpq_1OBEUh2oyLTarTOuTxSziXyzy1ZQEi2bjP5nBAgPNGjV9Jd2dFF-tRInkSx1Hg8KPLNEVaxGYy_ye9F/s1600/LVL+3GP+Hex.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="162" data-original-width="799" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSvv_FeyxGujWLhi3cwf9jBf8PimXO0alnaJ5RF81c0-xHrmIXY3Fj9bpq_1OBEUh2oyLTarTOuTxSziXyzy1ZQEi2bjP5nBAgPNGjV9Jd2dFF-tRInkSx1Hg8KPLNEVaxGYy_ye9F/s640/LVL+3GP+Hex.jpg" width="640" /></a></div>
<br />
<h3>
Results</h3>
My testing shows that Android photo or video viewing apps trigger the operating system’s automatic creation of these files. The video thumbnails are not created until the video file’s preview is viewed as a motion thumbnail in an app. The apps use these “<span style="font-family: 'courier new', 'courier', monospace;">.lvl</span>” video clips to show a preview of the videos in thumbnail form.<br />
<br />
The “<span style="font-family: 'courier new', 'courier', monospace;">.lvl</span>” files are actual 3GP video clips of sections of the full movie and can be viewed with specific file viewers and forensic tools. Renaming the <span style="font-family: 'courier new', 'courier', monospace;">xxx.lvl</span> file to <span style="font-family: 'courier new', 'courier', monospace;">xxx.3gp</span> will allow the video thumbnail to be viewed in a standard media player.<br />
<br />
I also tested deleting the videos and observed that the “<span style="font-family: 'courier new', 'courier', monospace;">.lvl</span>” thumbnails remained on the phone for a period of time. The phone eventually deleted the “<span style="font-family: 'courier new', 'courier', monospace;">.lvl</span>” files and folders related to the original deleted video file.<br />
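As an added example that is not part of the original post, the Python below does the check you would want before renaming a “.lvl” file to “.3gp”: it parses the ISO-BMFF “ftyp” box that a 3GP clip begins with and reports the brand, and it splits a “.thumbnails” path like the one quoted above into the model folder, movie folder and section number. The header bytes are constructed to match the 3GP container layout and the brand list comes from the 3GPP registrations; neither is copied from the device in the post, and the path layout is assumed from the single example path shown above.<br />

```python
"""Added example (not part of the original post): confirm that a ".lvl"
thumbnail is a 3GP clip by parsing the 'ftyp' box at the start of the file,
and break a .thumbnails path into the fields the post points out."""
import re
import struct

# Registered 3GPP brands; any of them marks the container as 3GP.
THREE_GP_BRANDS = {"3gp4", "3gp5", "3gp6", "3gp7", "3gp8", "3gp9",
                   "3ge6", "3ge7", "3gg6"}

# Assumed layout, taken from the one example path in the post:
# .thumbnails/<model folder>/movie_NN/section.NNNN.lvl
LVL_PATH_RE = re.compile(
    r"\.thumbnails/(?P<model>[^/]+)/(?P<movie>movie_\d+)/section\.(?P<section>\d+)\.lvl$")


def parse_ftyp(data):
    """Parse the leading 'ftyp' box of an ISO-BMFF / 3GP file.

    Returns {'major_brand', 'minor_version', 'compatible_brands'} or None
    when the bytes do not begin with a well-formed ftyp box (wrong box type,
    size below the 16-byte minimum, size past the end of the data, or a size
    that is not a multiple of the 4-byte brand fields).
    """
    if len(data) < 16:
        return None
    size, box_type = struct.unpack(">I4s", data[:8])
    if box_type != b"ftyp" or size < 16 or size > len(data) or size % 4:
        return None
    major = data[8:12].decode("latin-1")
    minor = struct.unpack(">I", data[12:16])[0]
    compat = [data[i:i + 4].decode("latin-1") for i in range(16, size, 4)]
    return {"major_brand": major, "minor_version": minor,
            "compatible_brands": compat}


def is_3gp(data):
    """True when the major brand or any compatible brand is a 3GP brand."""
    info = parse_ftyp(data)
    if info is None:
        return False
    brands = {info["major_brand"]} | set(info["compatible_brands"])
    return bool(brands & THREE_GP_BRANDS)


def describe_lvl_path(path):
    """Split a .thumbnails/<model>/movie_NN/section.NNNN.lvl path into its
    fields; returns None for paths that do not follow that layout."""
    m = LVL_PATH_RE.search(path.replace("\\", "/"))
    if not m:
        return None
    return {"model_folder": m.group("model"),
            "movie_folder": m.group("movie"),
            "section": int(m.group("section"))}


def check_lvl_file(path):
    """Read the start of a file on disk and report path fields and ftyp result.
    256 bytes covers any realistic ftyp box; a longer one is reported as None."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    return {"path_fields": describe_lvl_path(path),
            "ftyp": parse_ftyp(head), "is_3gp": is_3gp(head)}


# Constructed 24-byte header in the shape a 3GP clip begins with:
# size 24, 'ftyp', major brand 3gp4, minor version 0, compatible isom + 3gp4.
SAMPLE_LVL_HEADER = b"\x00\x00\x00\x18ftyp3gp4\x00\x00\x00\x00isom3gp4"
# Constructed non-video header (PNG signature, padded) for the negative case.
SAMPLE_PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(parse_ftyp(SAMPLE_LVL_HEADER), is_3gp(SAMPLE_LVL_HEADER))
    print(describe_lvl_path(
        "Root/media/0/.thumbnails/M919UVSFQA1_4.4.4/movie_27/section.0000.lvl"))
```

Point <span style="font-family: 'courier new', 'courier', monospace;">check_lvl_file</span> at an exported “.lvl” file: a result with <span style="font-family: 'courier new', 'courier', monospace;">is_3gp</span> true confirms the rename-to-.3gp trick will work, while a missing or different brand tells you the file is something else and should be examined in a hex viewer instead.<br />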
<div>
<br /></div>
Post: ChatHour Chat/Messaging - Android, published 2019-02-26.<h2>
Artifacts for ChatHour (Android)</h2>
<div>
I'm working on an Android tablet case and slowly scrolling through the application folders. The usual thousands of com.android.<i>blah_blah</i> ... just keep scrolling. Then I saw it: a name I've not seen before. Even more important, this is a case involving "messaging".<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;"><b>com.chathour.android</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<b><span style="color: #b45f06;">The game's afoot!</span></b><br />
<br />
<h3>
Browse For Data</h3>
<div>
The next step in my process is to browse the files and folders for recognizable data names. The fun is just beginning when you see the familiar <b>db</b> folder with file(s) inside carrying the <b>.db</b> extension. </div>
<div>
<br /></div>
<div>
<span style="font-family: 'courier new', 'courier', monospace;"><b>com.chathour.android/db/chathour.db</b></span></div>
<div>
<span style="font-family: 'courier new', 'courier', monospace;"><b><br /></b></span></div>
<div>
But don't stop there. It's always a good choice to check all the other files and folders, because you just never know. Sure enough, another folder, <b>sp</b>, contained <b>.xml</b> files with more useful information.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'courier new', 'courier', monospace;"><b>com.chathour.android/sp/admob.xml</b></span><br />
<b style="font-family: 'Courier New', Courier, monospace;">com.chathour.android/sp/</b><span style="font-family: 'courier new', 'courier', monospace;"><b>chathour_pref</b></span><b style="font-family: 'Courier New', Courier, monospace;">.xml</b></div>
</div>
<div>
<span style="font-family: 'courier new', 'courier', monospace;"><b><br /></b></span></div>
<div>
<i>When dealing with an app that you've never seen before, don't stop at the first sign of data. Keep digging. </i></div>
<div>
<br /></div>
<h3>
Research the User Interface</h3>
<div>
It feels like I keep writing this in every blog post, but it really is important to understand how the app works, looks and feels to the end user. Without this general understanding, you could easily misinterpret the parsed data.</div>
<h4>
Review of <span style="font-family: inherit;">ChatHour</span> Computer and Mobile App</h4>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb8jdJ_f3OiZYYN9GzAk72DKGJz4szhfmyiac8Rvh4xEa8zfxWD2w3z0SON6a0JkEu1pHulzzt4arJm-2nFAEmzhWqYEMmIpvs9g5FoL0rqyobliWhCvLRp9Vi5hhw5bkTVMRB7vWr/s1600/chat-hour-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="1600" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb8jdJ_f3OiZYYN9GzAk72DKGJz4szhfmyiac8Rvh4xEa8zfxWD2w3z0SON6a0JkEu1pHulzzt4arJm-2nFAEmzhWqYEMmIpvs9g5FoL0rqyobliWhCvLRp9Vi5hhw5bkTVMRB7vWr/s400/chat-hour-logo.png" width="400" /></a></div>
<div>
<br /></div>
<div>
This site shows screenshots from the actual web and mobile app and describes how it functions for the end user.</div>
<div>
<br /></div>
<div>
<a href="https://www.datingscout.com/chathour/review">https://www.datingscout.com/chathour/review</a></div>
<div>
<br /></div>
<h3>
The Easier Stuff First (XML)</h3>
<div>
XML files are easily viewed in most browsers or text editors. I've become a big fan of Code Writer from the MS Store. The point is, these files can be exported from your forensic tool of choice and opened for review.</div>
<div>
<br /></div>
<h3>
ADMOB XML File Data</h3>
<div>
The <b>admob.xml</b> file contains a few date/time-related values and other general settings for the app.</div>
<div>
<br /></div>
<div>
<pre><span style="color: blue;"><?</span><span style="color: magenta;">xml version='1.0' encoding='utf-8' standalone='yes' </span><span style="color: blue;">?></span>
<span style="color: blue;"><</span><span style="color: maroon;">map</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">long</span> <span style="color: red;">name</span><span style="color: blue;">="first_ad_req_time_ms"</span> <span style="color: red;">value</span><span style="color: blue;">="1510851364197"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">int</span> <span style="color: red;">name</span><span style="color: blue;">="request_in_session_count"</span> <span style="color: red;">value</span><span style="color: blue;">="0"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">long</span> <span style="color: red;">name</span><span style="color: blue;">="app_settings_last_update_ms"</span> <span style="color: red;">value</span><span style="color: blue;">="<span style="background-color: yellow;">1485436274422</span>"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="auto_collect_location"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="content_url_opted_out"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="use_https"</span> <span style="color: red;">value</span><span style="color: blue;">="false"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="app_settings_json"</span><span style="color: blue;">></span>{<span style="color: red;">&quot;</span>status<span style="color: red;">&quot;</span>:1,<span style="color: red;">&quot;</span>app_id<span style="color: red;">&quot;</span>:<span style="color: red;">&quot;</span>ca-app-pub-8857310711809123~7339277565<span style="color: red;">&quot;</span>,<span style="color: red;">&quot;</span>auto_collect_location<span style="color: red;">&quot;</span>:false,<span style="color: red;">&quot;</span>ad_unit_id_settings<span style="color: red;">&quot;</span>:[{<span style="color: red;">&quot;</span>ad_unit_id<span style="color: red;">&quot;</span>:<span style="color: red;">&quot;</span>ca-app-pub-8857310711809123/8816010767<span style="color: red;">&quot;</span>,<span style="color: red;">&quot;</span>format<span style="color: red;">&quot;</span>:<span style="color: red;">&quot;</span>banner<span style="color: red;">&quot;</span>}]}<span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">long</span> <span style="color: red;">name</span><span style="color: blue;">="app_last_background_time_ms"</span> <span style="color: red;">value</span><span style="color: blue;">="1510851497240"</span> <span style="color: blue;">/></span>
<span style="color: blue;"></</span><span style="color: maroon;">map</span><span style="color: blue;">></span></pre>
<span style="font-family: inherit;"><b>A few things I noticed:</b> </span><br />
<span style="font-family: inherit;">"use_https" is </span><u style="font-family: inherit;">false</u><br />
<span style="font-family: inherit;">"auto_collect_location" is </span><u style="font-family: inherit;">true</u><br />
<u style="font-family: inherit;"><br /></u>
<i>I could not find any location information in the XMLs or SQLite databases.</i><br />
<u style="font-family: inherit;"><br /></u>
<br />
<h4>
<span style="font-family: inherit;">Date Values</span></h4>
<span style="font-family: inherit;">The date/time values are all in UNIX milliseconds. A program like <b><a href="https://www.digital-detective.net/dcode/" target="_blank">DCode</a></b> can be used to convert them to human readable form. To report on the the last time the application settings were update, convert </span><span style="font-family: "courier new" , "courier" , monospace;">1485436274422</span> to local date and time.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivLBiMCcwYXZQD5q-kGgZV6pW3PY8VIpopjZ7emuGZjZlG_lZp9IrYXTs-SwO2FyVvNyNm0UwwSv4C_A1ccxfQEka9WLCka5Mn47qNoGxXQod8uSFlY6bXQBmYVUaxDPMlUaKvRqsV/s1600/dcodejpg.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="1222" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivLBiMCcwYXZQD5q-kGgZV6pW3PY8VIpopjZ7emuGZjZlG_lZp9IrYXTs-SwO2FyVvNyNm0UwwSv4C_A1ccxfQEka9WLCka5Mn47qNoGxXQod8uSFlY6bXQBmYVUaxDPMlUaKvRqsV/s640/dcodejpg.jpg" width="640" /></a></div>
<br />
<span style="font-family: inherit;">The remaining dates and times can be converted in the same manner.</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<h3>
<span style="font-family: inherit;">CHATHOUR XML File Data</span></h3>
<span style="font-family: inherit;">The </span><b style="font-family: inherit;">chathour_pref.xml</b><span style="font-family: inherit;"> file contains a number of app settings and user preferences. The very important data field that is ONLY found here - </span><b style="font-family: inherit;">UserName</b><span style="font-family: inherit;">.</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<pre><span style="color: blue;"><?</span><span style="color: magenta;">xml version='1.0' encoding='utf-8' standalone='yes' </span><span style="color: blue;">?></span>
<span style="color: blue;"><</span><span style="color: maroon;">map</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="m_code"</span><span style="color: blue;">></span><i>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</i><span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="ringtone_on"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="ringtone"</span><span style="color: blue;">></span>content://settings/system/ringtone<span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="active_ringtone"</span><span style="color: blue;">></span>content://settings/system/ringtone<span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="alert_mode"</span><span style="color: blue;">></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="active_ringtone_on"</span> <span style="color: red;">value</span><span style="color: blue;">="false"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="led"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="list_display_mode"</span><span style="color: blue;">></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="reminder_tone"</span> <span style="color: red;">value</span><span style="color: blue;">="false"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="notification"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="username"</span><span style="color: blue;">></span><b style="background-color: yellow;">TheBaldJedi</b><span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">int</span> <span style="color: red;">name</span><span style="color: blue;">="saved_messages"</span> <span style="color: red;">value</span><span style="color: blue;">="1000"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="lockscreen_alert"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="deletion_threshold"</span><span style="color: blue;">></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="vibrate"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="photo_grid_size"</span><span style="color: blue;">></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"></</span><span style="color: maroon;">map</span><span style="color: blue;">></span>
</pre>
<h3>
<span style="font-family: inherit;">SQLite Data</span></h3>
</div>
<div>
<span style="font-family: inherit;">The </span><b><span style="font-family: "courier new" , "courier" , monospace;">chathour.db</span></b><span style="font-family: inherit;"> file contains several tables. I used <a href="https://sqlitebrowser.org/" target="_blank">DB Browser for SQLite</a> to browse the tables and determine which contained useful information. </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBgCXfZQjec27duCz7KIMTIFyV0kNg0X57i0FLyXkKvxjeiCTa7Xor9_phRjNWMmeYmEnusC7SBMLSq0ZoKRYRpCQ771VZCbw-c49-QGrt8tnLCfEf5_PsSjI9D0phfs-KIHaIoqTB/s1600/db_tables.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="662" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBgCXfZQjec27duCz7KIMTIFyV0kNg0X57i0FLyXkKvxjeiCTa7Xor9_phRjNWMmeYmEnusC7SBMLSq0ZoKRYRpCQ771VZCbw-c49-QGrt8tnLCfEf5_PsSjI9D0phfs-KIHaIoqTB/s400/db_tables.jpg" width="400" /></a></div>
<div>
<ul>
<li>favorites - <i>favorite contacts</i></li>
<li>im_partners - <i>usernames and userIDs used for JOIN SQL statements </i></li>
<li>ims - <i>all stored messages including userID, message, date/time and sent/received</i></li>
<li>recent_views - <i>includes userID and date/time of last viewed</i></li>
</ul>
<div style="text-align: center;">
<u>The times in all the date/time columns are UNIX milliseconds</u></div>
</div>
<div>
<br /></div>
<div>
By joining the <b>ims</b> and <b>im_partners</b> tables, a single SQL statement produces a list of all messages with the other party's username, the direction (sent/received) and the date/time.</div>
<div>
<br /></div>
<div>
<pre><span style="color: blue;">SELECT</span>
im_partners.username,
ims.message,
ims.creation_time,
<span style="color: magenta;">CASE</span> ims.sender
<span style="color: blue;">WHEN</span> <span style="color: maroon; font-weight: bold;">0</span> <span style="color: blue;">THEN</span> <span style="color: red;">'Received'</span>
<span style="color: blue;">WHEN</span> <span style="color: maroon; font-weight: bold;">1</span> <span style="color: blue;">THEN</span> <span style="color: red;">'Sent'</span>
<span style="color: blue;">ELSE</span> <span style="color: red;">'Unknown'</span>
<span style="color: blue;">END</span> <span style="color: blue;">AS</span> sent_recv
<span style="color: blue;">FROM</span> ims
<span style="color: grey;">JOIN</span> im_partners
<span style="color: blue;">ON</span> im_partners.<span style="color: magenta;">user_id</span> <span style="color: grey;">=</span> ims.partner_id</pre>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfsJSHYeS84g3j34jJ6qLediMsowIywj1cJ8eUMiSoSqovVDmNFGn3EMEU1Hwbum_QL_J8TS83sEvyuVMz7DTDfvZyei3cQcrNkVOsd5X0KElm5hLU7Q0m3Di0xA2UUoeqefVx1997/s1600/sql.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="1502" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfsJSHYeS84g3j34jJ6qLediMsowIywj1cJ8eUMiSoSqovVDmNFGn3EMEU1Hwbum_QL_J8TS83sEvyuVMz7DTDfvZyei3cQcrNkVOsd5X0KElm5hLU7Q0m3Di0xA2UUoeqefVx1997/s640/sql.jpg" width="640" /></a></div>
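<p>As an added example (my code, not code from the original post or from the ChatHour app), the Python below performs the three steps described in this post offline: it converts UNIX-millisecond timestamps such as the settings-update value above, pulls the typed settings, including <b>username</b>, out of a SharedPreferences XML file, and runs the JOIN from the post against a constructed in-memory copy of the two tables. The database schema is an assumption that models only the columns the query touches, every row in it is constructed, and the XML sample is trimmed from the excerpt shown earlier with <b>m_code</b> left masked.</p>

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ms_to_iso(ms, tz=timezone.utc):
    """Convert a UNIX-millisecond timestamp to ISO 8601 in the zone tz.

    Integer timedelta arithmetic keeps the millisecond part exact; pass a
    zoneinfo.ZoneInfo object as tz to report in the device's local time.
    """
    return (EPOCH + timedelta(milliseconds=int(ms))).astimezone(tz).isoformat(timespec="milliseconds")


# Trimmed from the chathour_pref.xml excerpt in the post; m_code stays masked.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="m_code">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</string>
    <boolean name="ringtone_on" value="true" />
    <string name="username">TheBaldJedi</string>
    <int name="saved_messages" value="1000" />
    <string name="deletion_threshold"></string>
</map>
"""


def parse_shared_prefs(xml_text):
    """Parse an Android SharedPreferences <map> into a dict of typed values.

    <string> keeps its value as element text; boolean/int/long/float keep it
    in the value attribute, so each tag needs its own conversion.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    prefs = {}
    for elem in ET.fromstring(xml_text):
        name = elem.get("name")
        if elem.tag == "string":
            prefs[name] = elem.text or ""
        elif elem.tag == "boolean":
            prefs[name] = elem.get("value") == "true"
        elif elem.tag in ("int", "long"):
            prefs[name] = int(elem.get("value"))
        elif elem.tag == "float":
            prefs[name] = float(elem.get("value"))
        else:  # <set> and anything unexpected: keep the raw element text
            prefs[name] = elem.text
    return prefs


def build_sample_db():
    """In-memory stand-in for chathour.db (assumption: only the columns the
    JOIN uses are modelled, and every row is constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE im_partners (user_id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE ims (id INTEGER PRIMARY KEY, partner_id INTEGER,
                          message TEXT, creation_time INTEGER, sender INTEGER);
    """)
    conn.executemany("INSERT INTO im_partners VALUES (?, ?)",
                     [(101, "alice_c"), (102, "bob_c")])
    conn.executemany(
        "INSERT INTO ims (partner_id, message, creation_time, sender) VALUES (?, ?, ?, ?)",
        [(101, "hey there", 1485436274422, 0),
         (101, "hi back", 1485436300000, 1),
         (102, "late one", 1485500000000, 7)])  # unexpected sender code -> 'Unknown'
    return conn


# The JOIN from the post, plus an ORDER BY so the result reads as a timeline.
MESSAGE_QUERY = """
SELECT im_partners.username,
       ims.message,
       ims.creation_time,
       CASE ims.sender WHEN 0 THEN 'Received'
                       WHEN 1 THEN 'Sent'
                       ELSE 'Unknown' END AS sent_recv
FROM ims
JOIN im_partners ON im_partners.user_id = ims.partner_id
ORDER BY ims.creation_time
"""


def list_messages(conn, tz=timezone.utc):
    """Run MESSAGE_QUERY and convert each creation_time for the report."""
    return [{"partner": username, "message": message,
             "created": ms_to_iso(created_ms, tz), "direction": direction}
            for username, message, created_ms, direction in conn.execute(MESSAGE_QUERY)]


if __name__ == "__main__":
    print("settings updated:", ms_to_iso(1485436274422))
    print("username:", parse_shared_prefs(SAMPLE_PREFS_XML)["username"])
    for row in list_messages(build_sample_db()):
        print(row)
```

<p>Against a real extraction, point <code>sqlite3.connect()</code> at a read-only copy of <code>chathour.db</code> and feed <code>parse_shared_prefs()</code> the bytes of <code>chathour_pref.xml</code>; the conversion is done in Python rather than in SQL so that the same function serves the XML timestamps, the SQLite columns and the report.</p>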
<h2>
AXIOM Custom Artifact <span style="font-weight: normal;"><i><span style="color: #e69138;">(coming soon)</span></i></span></h2>
</div>
<div>
Taking all this information, I have created and submitted a custom artifact to Magnet's website. It links all the table information and converts date/times to human format for sorting and reporting.</div>
<div>
<br /></div>
<div>
Once the artifact is approved, I'll post a link to it here in the blog. For now, you will have to do all the work manually.</div>
<h1>Text Based Treasure: qBittorrent Log File</h1>
<p><i>Published 2019-02-19</i></p>
<h2>
qBittorrent Data</h2>
<div>
It has been a few months since my last forensic (4N6) blog post. I had a slight heart issue in July 2018. I'm so excited to be back into the 4N6 work and finding new information to share!</div>
<div>
<br /></div>
<div>
I've noticed that many of the criminal P2P sharing cases involved the qBittorrent application. For some reason, over the last year, it has become the "go-to" P2P application. There are plenty of digital forensic resources available on uTorrent, the BitTorrent protocol and the great, free BEncode Editor tool for looking at .torrent and .dat files.</div>
<div>
<br /></div>
<div>
<a href="https://sites.google.com/site/ultimasites/bencode-editor" target="_blank">BEncode Editor Link</a></div>
<div>
<br /></div>
<div>
I did not find much data specific to the qBittorrent application. The obvious next step was to download it and start playing ... I mean testing. Understanding how the program works from a user perspective is important. The application interface is very similar to that of uTorrent and is just as easy to use. The Internet Archive has numerous free classic movies available for download via torrent, which makes it a good place to find legal data for testing BitTorrent clients. I chose the "Monster of Frankenstein" torrent.</div>
<div>
<br /></div>
<div>
Here's the link if you are interested: <a href="https://archive.org/details/MonsterOfFrankenstein1981TVSpecialEnglishDubbed" target="_blank">Internet Archive Movie Link</a></div>
<div>
<br /></div>
<h3>
BEncode of Torrent File</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLWZ5Tg8ZMONfGIjEYncRZ2XlcSAlN76IQriwLr107SNNdXzKFwj5we2By21yJaOD1W8EfQ0Ntb22BQ0ObruCX8IiWGBma_JvGvEyQEMtwteIdutw6r7B4aphuHPHF7WkOdHH_bnNL/s1600/bencode_info.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1422" data-original-width="1302" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLWZ5Tg8ZMONfGIjEYncRZ2XlcSAlN76IQriwLr107SNNdXzKFwj5we2By21yJaOD1W8EfQ0Ntb22BQ0ObruCX8IiWGBma_JvGvEyQEMtwteIdutw6r7B4aphuHPHF7WkOdHH_bnNL/s400/bencode_info.jpg" width="365" /></a></div>
<div>
<br /></div>
<h3>
qBittorrent Download Progress Screen</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6oaTChYNjAfvkDBEjg8v8VExdQLI_D3DFBVhTrcN_mOBejUY5c_Wt9onqG0l172mQTzD2y1GgaoxoltIsRnjpO4Izgf7eUd_Nxt8xSxMLniWVj3calCV3KzkO1F7AOth2FGEKKYky/s1600/qb1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1021" data-original-width="1600" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6oaTChYNjAfvkDBEjg8v8VExdQLI_D3DFBVhTrcN_mOBejUY5c_Wt9onqG0l172mQTzD2y1GgaoxoltIsRnjpO4Izgf7eUd_Nxt8xSxMLniWVj3calCV3KzkO1F7AOth2FGEKKYky/s640/qb1.jpg" width="640" /></a></div>
<div>
<br /></div>
<h4>
The Log File</h4>
The next step was to search for data files related to the qBittorrent application. What I found was that qBittorrent stores six months of detailed logs that are extremely easy to read. According to my testing and the application documentation, logging is enabled by default. Many of the questions that can arise from either the prosecution or the defense can be answered with the log alone, or with the log in conjunction with other digital artifacts like the Windows SRUM database. The log is stored in plain text and can be viewed easily.<br />
<br />
<i>Notice that a separate log file is created for each user on Windows systems.</i><br />
<br />
Log File Path: <span style="font-family: "courier new" , "courier" , monospace;"><b>x:\Users\<i>username</i>\AppData\Local\qBittorrent\Logs\qbittorrent.log</b></span><br />
<br />
<h4>
Log Treasure</h4>
<div>
The dates/times in the log file are stored in the system's local time zone. This can be validated by comparing the log file's first or last entries to the log file's creation or modified date/time. Remember that NTFS stores those file system timestamps in UTC and your forensic tool displays them in whatever time zone it is configured for, so make sure both sides of the comparison are shown in the same zone.</div>
<div>
<br /></div>
<h3>
Useful Log Entries</h3>
<div>
<ul>
<li>Each time the program is started and exited<br /><i>This includes the last time used</i></li>
<li>Application version noted<br /><i>Useful for tracking upgrades over time</i></li>
<li>External IP Address<br /><i>This is the public IP, which can be compared to the reporting agent's notes</i></li>
<li>Download activity</li>
<ul>
<li>Download started</li>
<li>Resume download started</li>
<li>Removed from transfer list</li>
<li>Removed from hard disk</li>
</ul>
</ul>
<div>
<br /></div>
<h3>
Log File Sample</h3>
A sample of what the log file looks like is shown below.</div>
<div>
<br />
<pre>(N) 2019-02-19T17:48:13 - qBittorrent v3.3.12 started
(I) 2019-02-19T17:48:25 - qBittorrent is trying to listen on any interface port: 8999
(N) 2019-02-19T17:48:25 - HTTP User-Agent is 'qBittorrent/3.3.12'
(I) 2019-02-19T17:48:25 - DHT support [ON]
(I) 2019-02-19T17:48:25 - Local Peer Discovery support [ON]
(I) 2019-02-19T17:48:25 - PeX support [ON]
(I) 2019-02-19T17:48:25 - Anonymous mode [OFF]
(I) 2019-02-19T17:48:25 - Encryption support [ON]
(I) 2019-02-19T17:48:25 - Embedded Tracker [OFF]
(I) 2019-02-19T17:48:25 - UPnP / NAT-PMP support [ON]
(I) 2019-02-19T17:48:30 - External IP: <i>xxx.xxx.xxx.xxx</i>
(I) 2019-02-19T17:48:33 - Python found in 'C:\Python34\'
(I) 2019-02-19T17:48:33 - Python version: 3.4.3
(N) 2019-02-19T17:52:14 - '<i>sample filename</i>' added to download list.
(N) 2019-02-19T17:52:37 - '<i>sample filename</i>' was removed from transfer list and hard disk.</pre>
</div>
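<p>As an added example, not code from this post or from the qBittorrent project, the Python below parses the log format shown above into timestamped events and answers the questions in the "Useful Log Entries" list: first and last start, versions seen, public IPs, and what was added or removed. The sample input is constructed from the post's excerpt, with a documentation-range public IP and the post's test torrent standing in for the masked values and two extra lines for a second session; the level letters W and C, and the wording variants accepted by the removal pattern, are assumptions beyond what the excerpt shows.</p>

```python
import re
from datetime import datetime

# Constructed from the excerpt in the post: the public IP and torrent name are
# stand-ins for the masked values, and the last two lines (a second session on
# a newer version, and a removal that kept the files) are not in the excerpt.
SAMPLE_LOG = """\
(N) 2019-02-19T17:48:13 - qBittorrent v3.3.12 started
(I) 2019-02-19T17:48:25 - qBittorrent is trying to listen on any interface port: 8999
(N) 2019-02-19T17:48:25 - HTTP User-Agent is 'qBittorrent/3.3.12'
(I) 2019-02-19T17:48:25 - DHT support [ON]
(I) 2019-02-19T17:48:25 - Anonymous mode [OFF]
(I) 2019-02-19T17:48:30 - External IP: 203.0.113.7
(N) 2019-02-19T17:52:14 - 'Monster of Frankenstein' added to download list.
(N) 2019-02-19T17:52:37 - 'Monster of Frankenstein' was removed from transfer list and hard disk.
(N) 2019-02-20T09:01:02 - qBittorrent v3.3.13 started
(N) 2019-02-20T09:03:45 - 'Monster of Frankenstein' was removed from transfer list.
"""

# (level) ISO-local-timestamp - message
LINE_RE = re.compile(r"^\((?P<level>[A-Z])\) (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) - (?P<msg>.*)$")
# N and I appear in the excerpt; W (warning) and C (critical) are assumed.
LEVELS = {"N": "normal", "I": "info", "W": "warning", "C": "critical"}

# The first three patterns match the excerpt verbatim; the optional "the" and
# the optional " and hard disk" in the removal pattern are assumptions.
EVENT_PATTERNS = [
    ("started", re.compile(r"^qBittorrent v(?P<version>\S+) started$")),
    ("external_ip", re.compile(r"^External IP: (?P<ip>\S+)$")),
    ("added", re.compile(r"^'(?P<name>.+)' added to download list\.$")),
    ("removed", re.compile(r"^'(?P<name>.+)' was removed from (?:the )?transfer list"
                           r"(?P<with_files> and hard disk)?\.$")),
]


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a log record."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = {
        "level": LEVELS.get(m["level"], m["level"]),
        # naive datetime on purpose: the post notes these are system local time
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "message": m["msg"],
        "event": "other",
    }
    for name, pattern in EVENT_PATTERNS:
        em = pattern.match(m["msg"])
        if em:
            entry["event"] = name
            entry.update({k: v for k, v in em.groupdict().items() if k != "with_files"})
            if name == "removed":
                entry["files_deleted"] = em["with_files"] is not None
            break
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize(entries):
    """The questions the post lists: when run, which versions, which public IPs, what came and went."""
    starts = [e["time"] for e in entries if e["event"] == "started"]
    return {
        "first_start": min(starts) if starts else None,
        "last_start": max(starts) if starts else None,
        "versions": sorted({e["version"] for e in entries if e["event"] == "started"}),
        "external_ips": sorted({e["ip"] for e in entries if e["event"] == "external_ip"}),
        "added": [(e["time"], e["name"]) for e in entries if e["event"] == "added"],
        "removed": [(e["time"], e["name"], e["files_deleted"]) for e in entries if e["event"] == "removed"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print("%-13s %s" % (key, value))
```

<p>Unrecognised messages are kept as <code>other</code> rather than dropped, so nothing in the log is silently lost; the "Resume download started" entries from the list above will land there until their exact wording is confirmed against the version in the case and added to <code>EVENT_PATTERNS</code>.</p>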
<div>
<br />
<br />
<h4>
Incomplete Download Storage</h4>
</div>
<div>
qBittorrent also keeps a folder with current incomplete .torrent downloads and "fast resume" data. These files are also Windows user specific and can be found at:</div>
<div>
<br /></div>
<div>
<b style="font-family: "courier new", courier, monospace;">x:\Users\<i>username</i>\AppData\Local\qBittorrent\BT_Backup</b></div>
<div>
<br /></div>
Remember that the .torrent files can be decoded using the BEncode tool.<br />
<br />
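<p>An added example (mine, not from the post or from the BEncode Editor): a minimal bencode decoder and encoder in Python, used to pull the fields an examiner usually reports from a .torrent file, including the infohash, which BEP 3 defines as the SHA-1 of the raw bencoded <code>info</code> dictionary. The .torrent below is constructed inside the block, so no real torrent is embedded; the tracker URL and the creation date are made up. The same decoder applies to the .fastresume files in BT_Backup, which are bencoded dictionaries as well.</p>

```python
import hashlib
from datetime import datetime, timezone


def _decode_at(data, i):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                  # list: l<item>...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode_at(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                  # dict: d<key><value>...e, keys are byte strings
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode_at(data, i)
            result[key], i = _decode_at(data, i)
        return result, i + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        length = int(data[i:colon])
        return data[start:start + length], start + length
    raise ValueError("invalid bencode at offset %d" % i)


def bdecode(data):
    value, end = _decode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(obj):
    """Encode bytes/int/list/dict; dict keys must be bytes and are written sorted, as the format requires."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, (bytes, bytearray)):
        return b"%d:" % len(obj) + bytes(obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("cannot bencode %s" % type(obj).__name__)


def raw_info_bytes(data):
    """Exact bytes of the top-level 'info' value. The infohash is computed over
    these original bytes, never over a re-encoding of the parsed dictionary."""
    i = 1                                          # skip the outer 'd'
    while data[i:i + 1] != b"e":
        key, i = _decode_at(data, i)
        start = i
        _, i = _decode_at(data, i)
        if key == b"info":
            return data[start:i]
    raise KeyError("no info dictionary")


def torrent_summary(data):
    """Fields an examiner usually reports from a .torrent file."""
    meta = bdecode(data)
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    files = info.get(b"files")                     # multi-file torrents only
    created = meta.get(b"creation date")           # UNIX seconds, optional
    return {
        "name": name,
        "infohash": hashlib.sha1(raw_info_bytes(data)).hexdigest(),
        "announce": meta.get(b"announce", b"").decode("utf-8", "replace"),
        "created": datetime.fromtimestamp(created, tz=timezone.utc).isoformat() if created is not None else None,
        "piece_length": info.get(b"piece length"),
        "piece_count": len(info.get(b"pieces", b"")) // 20,     # one 20-byte SHA-1 per piece
        "files": [b"/".join(f[b"path"]).decode("utf-8", "replace") for f in files] if files else [name],
        "total_size": sum(f[b"length"] for f in files) if files else info.get(b"length"),
    }


# Constructed metainfo (no real torrent is embedded); 1550598000 is 2019-02-19T17:40:00Z.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.invalid/announce",
    b"creation date": 1550598000,
    b"info": {
        b"name": b"Monster of Frankenstein",
        b"piece length": 262144,
        b"pieces": b"\x00" * 40,                   # two placeholder piece hashes
        b"files": [
            {b"length": 300000, b"path": [b"movie.mp4"]},
            {b"length": 2000, b"path": [b"extras", b"notes.txt"]},
        ],
    },
})

if __name__ == "__main__":
    for key, value in torrent_summary(SAMPLE_TORRENT).items():
        print("%-13s %s" % (key, value))
```

<p>For a file from BT_Backup, call <code>torrent_summary(open(path, "rb").read())</code>. The infohash is the value that ties a .torrent on the suspect's disk to the hash recorded by the investigating agency's monitoring tool, so it is hashed over the original bytes rather than a re-encoding; a non-canonical encoder would otherwise produce a different hash for the same content.</p>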
<h4>
Program Settings (INI)</h4>
<div>
Additional program settings for qBittorrent are located in an INI file. Once again, this is Windows user specific. The commonly referenced data from the INI is the <b>save path history</b>. This stores the paths used when downloading content with qBittorrent.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><b>[TorrentAdditionDlg]</b></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><b>save_path_history=<i>x:/Users/username/Downloads</i></b></span></div>
</div>
<div>
<br /></div>
<div>
The INI file can be found at:</div>
<div>
<br /></div>
<div>
<div>
<b style="font-family: "courier new", courier, monospace;">x:\Users\<i>username</i>\AppData\Roaming\qBittorrent\qBittorrent.ini</b></div>
</div>
<div>
<b style="font-family: "courier new", courier, monospace;"><br /></b></div>
<h3>
How to Explain Deleted Data<br /><i>For Attorneys, Clients, Juries and More</i></h3>
<p><i>Published 2018-06-18</i></p>
<div class="MsoNormal">
I was recently asked by a colleague for an analogy to help
them explain how it was possible to recover data that a user had deleted and
emptied from the Recycle Bin. The question reminded me that it’s easy to slip
into the belief that everyone inherently knows how stuff works. Attending
forensic training and conferences, we sometimes forget that what appears to us
to be basic and simple can sound like Star Trek: The Next Generation’s well-known
technobabble, e.g. “Increase the neutrino stream to the warp engine transducers”.
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Completing reviews of digital data and finding new artifacts
can be exhilarating for a forensic investigator. The feeling of accomplishment
at finding the truth from the data is euphoric. That is the fun part. The truly
difficult part comes when we have to explain the information verbally and in
written form so that it is useful to those that need it most. The recipients
can include management, clients, attorneys, judges, juries and more. These
individuals may make life altering decisions based on their understanding of
our work product.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A few of my own ideas came to mind, but it occurred to me
that they were getting old and not very relatable. Many adults today have never
used a library with a card catalog, let alone a cassette tape or a phone book.
It was time to go to the #DFIR community for some fresh ideas. The community
responded!<span style="mso-spacerun: yes;"> </span><o:p></o:p></div>
<div class="MsoNormal">
<span style="mso-spacerun: yes;"><br /></span></div>
<div class="MsoNormal">
(<i style="mso-bidi-font-style: normal;">If you don’t follow
#DFIR on Twitter, you are missing out on outstanding information sharing from
some amazingly talented people in the industry</i>)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
There were some great ideas. For reference, I’ve listed all
the suggestions and sources at the end of the blog. Among the comments was a critique
that “The analogies are just as complicated as the technical explanation.” That
is partly my concern as well. However, when people have an innate fear or
resistance to technology, many times they can relate equally complex ideas from
a world/experience they do understand.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
@DFIRTraining had a very logical suggestion: “Choose the
analogy that fits the audience. Someone who cooks can relate to a stovetop
being RAM. The more burners (RAM) you have, the more you can cook (run) at the
same time.”<span style="color: blue;"><b> This is the idea that
should drive your choice as to how you plan to explain a highly technical
artifact to your audience.</b></span> With this concept in mind, I chose the table of contents
and a book. My intended recipient is an attorney. Attorneys are very familiar with
books, tables of contents and indexes.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The Table of Contents (TOC) idea can be used in a simple or
more in depth explanation. In simple terms, a book’s TOC can have an entry
removed while the pages that it references including the text can remain. A
reader could scour the book for the undocumented chapter and read the contents.<o:p></o:p></div>
<div class="MsoNormal">
Sometimes the case is more intricate. It may include digital
artifacts from slack space or the original file metadata can be intact but the
data has been partially or completely overwritten. I can still rely on this
analogy. <i style="mso-bidi-font-style: normal;">This can work for most any
analogy that you choose. Just take some time to use your imagination and tailor
it to your audience.</i><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I made a sample TOC and a slide containing data “pages”. I
can show the TOC entry <i style="mso-bidi-font-style: normal;">marked</i> for
deletion and explain that, at print time, it’s hidden from the viewer. All the while,
the actual chapter and pages remain in the book. This demonstrates how the file’s
metadata can be recovered. The next step would be to show that the TOC entry is
needed for a new chapter in the book and is overwritten. <o:p></o:p></div>
<div class="MsoNormal">
In another scenario, I could show how a replacement chapter
overwrites part or all of a chapter no longer needed. This keeps the book the
same number of pages just like a drive volume size, but demonstrates how the
partial data could be found and that the original “deleted” TOC entry’s
metadata could be found.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
This starts to sound pretty complex, but when shown as a
slide or multiple slides, a picture makes it much easier.<o:p></o:p></div>
<div class="MsoNormal">
<o:p><br /></o:p></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnJqL9cfoSAIBiVClmMd8h2UFVgEG-IJtfIzCaE0sF_C1FF5D2TIO4UWIr6mVAX5e75gM1buRySyxU6h9WNjSAYQb6fChN35048BQEfDRtNBqC-x36hLTWty_E1dj4dssa64NdqGg9/s1600/Slide1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnJqL9cfoSAIBiVClmMd8h2UFVgEG-IJtfIzCaE0sF_C1FF5D2TIO4UWIr6mVAX5e75gM1buRySyxU6h9WNjSAYQb6fChN35048BQEfDRtNBqC-x36hLTWty_E1dj4dssa64NdqGg9/s640/Slide1.PNG" width="640" /></a></div>
<div class="MsoNormal">
<o:p><br /></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigBs3NLxT_HyNzLKT6uiiYIA_4HQTwZPWXI3iP1ghHJRf2hzPJJ2ukBAw-OxrGmW5_E07dk_4ynJax6K7vaOQZy0-EpRFhcS4nPeRPrKWDBPc9jy_Pd2dRCwY1K8i2CqmRlPR8ByY5/s1600/Slide2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigBs3NLxT_HyNzLKT6uiiYIA_4HQTwZPWXI3iP1ghHJRf2hzPJJ2ukBAw-OxrGmW5_E07dk_4ynJax6K7vaOQZy0-EpRFhcS4nPeRPrKWDBPc9jy_Pd2dRCwY1K8i2CqmRlPR8ByY5/s640/Slide2.PNG" width="640" /></a></div>
<div class="MsoNormal">
<o:p><br /></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzsaAi2jk7jayv9rUoB3GItxbNE06DNA-tlcTx_PDGJ_sPsHTeChFwzylnJ2XHjFbmvWztsA1ta3_OkQitWJ9QPC-_DKXvyJe3GcdJpoSdJEyZ9isGs3Q-Czt7_2ffCdkyNha1HexD/s1600/Slide3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzsaAi2jk7jayv9rUoB3GItxbNE06DNA-tlcTx_PDGJ_sPsHTeChFwzylnJ2XHjFbmvWztsA1ta3_OkQitWJ9QPC-_DKXvyJe3GcdJpoSdJEyZ9isGs3Q-Czt7_2ffCdkyNha1HexD/s640/Slide3.PNG" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<h3>
The Point</h3>
<div class="MsoNormal">
The overall takeaway is that, like most things in digital
forensics, the answer is “it depends”. Know your audience, understand their
perceptions and tailor your explanation and reports to them.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<h2>
Sources:</h2>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Stacey (@4n6woman) <o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Throwing things into the trash can. As the bag fills up,
it’s harder to pull the item out. Recovery can vary based on if the bag is
empty, full, in your kitchen, in the dumpster by the road, taken by the garbage
collector, or sitting at the landfill.<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Also varies based on what goes on top of the item in the
bag. If it’s all paper, relatively simple recovery. If it’s paper and then you
cover it with spaghetti sauce, little more difficult. If burned trash, not
recoverable.<o:p></o:p></div>
<div class="MsoNormal">
Scott (@scottforensics)<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
My go-to is using the comparison of a hard drive and a book
with a table of contents.<span style="mso-spacerun: yes;"> </span>I can expand
on that if needed...<o:p></o:p><br />
<br />
So... when a file is created, it tells the table of contents, I need ten pages for this file. The TOC gives the system ten pages. When the file is deleted, the TOC deletes the file name but the ten pages containing that file remain intact and can still
be read if you flip to those pages, even though there is no record in the TOC.
Once the TOC needs those ten pages for a new file, the TOC grants some or all
of the pages to the new file.</div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
…<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
I think I heard it on @ovie ‘s CyberSpeak forensic podcast.
It resonated with me & I’ve used it ever since. If it wasn’t him, it was
definitely someone else on a podcast ~7 or 8 years ago.<o:p></o:p></div>
<div class="MsoNormal" style="margin-right: 1.0in;">
Santiago Ayala (@darthsaac)<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
For a Windows environment I have used a diary and an index. The index is the MFT, the files are pages. If you write page 2, you add an index. The deletion process only removes the index entry and allows the page to be overwritten. The new paragraph may not completely overwrite the old one. In that case, you can explain slack space also.<br />
<br /></div>
<div class="MsoNormal">
@DFIRTraining<br />
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Choose the analogy that fits the audience. Someone who cooks
can relate to a stovetop being RAM. The more burners (RAM) you have, the more
you can cook (run) at the same time.</div>
<div class="MsoNormal">
Vern (@malanalysis)<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Neighborhoods: If you just take the address numbers off all
the houses, the houses are still there and can be found and readdressed. If you
destroy the houses they cannot be recovered.<o:p></o:p></div>
<div class="MsoNormal">
Richard Harman (@xabean)<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Hard drives are dry-erase boards, with stuck-on dry-erase
marker that doesn't completely come off when you erase it.<span style="mso-spacerun: yes;"> </span>You can write over-top of it though!<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
It's a bit oversimplified, but I think it *begins* the
discussion to get into the technical details.<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Alternatively to describe the importance of a
MFT/FAT/TOC/whatever: mentally visualize a jigsaw puzzle. The box it comes in
shows what order the pieces are in, right? Now viz the same puzzle, no box
showing what it's SUPPOSED to be, and all the pieces are perfect squares.<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Puzzle can be reassembled in any order to show
anything.<span style="mso-spacerun: yes;"> </span>Or you can mix in a
*completely different* puzzle's pieces (showing interleaving of data).<o:p></o:p></div>
<div class="MsoNormal">
Andrew Hay (@andrewsmhay)<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
Paper shredders. Strip-Cut vs. Cross-Cut vs. Micro-Cut<o:p></o:p></div>
<div class="MsoNormal" style="margin-right: 1.0in;">
Madeye Moddy (@madeye_c3t)<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
You can checkout of a hotel room but still be in the room
until the next guest arrives.<o:p></o:p></div>
<div class="MsoNormal">
Troy Schnack (@troyschnack)<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 8.0pt; margin-left: 1.0in; margin-right: 1.0in; margin-top: 0in;">
The computer stores data similar to a grid of PO Boxes like at Mail Boxes Etc. What happens if you cancel your box rental while there is mail still in the box? The box has no name or association with an address or person, but the boxes can be manually inventoried and the mail found. Or, to more closely compare to a computer, the mail isn't removed until the PO Box number is used for a new rental customer or "filename".</div>
<div class="MsoNormal">
<br /></div>
<br /></div>
<h1>Reviewing PDFs: Reports &amp; Discovery</h1>
<p><i>Published 2018-06-05</i></p>
<h4>
Quick Tip on Reviewing Report/Discovery PDFs</h4>
<b><br /></b>
<b>
Acrobat Document Scrolling Settings:</b><br />
<i>
Changing Acrobat so that documents are automatically set to Single Page
Scrolling view as default</i><br />
<div class="MsoNormal">
<o:p><br /></o:p>
<o:p>This isn't my typical forensics blog, but I'm sure I'm not the only one that reviews numerous pages of reports/discovery before performing a forensic examination. If you are not reviewing reports prior to an exam, how do you know what you are looking for?</o:p></div>
<div class="MsoNormal">
<o:p><br /></o:p></div>
<div class="MsoNormal">
I've always been annoyed by the default view in Acrobat: scrolling through a PDF, it jumps to the next page while I'm still reading the bottom of the previous one. I kept wasting time changing the Page Display setting under View to continuous scrolling. Continuous scrolling not only makes a document easier to read, it also makes scrolling through an OCR'd PDF faster. This is especially true when scrolling with a wheel mouse, a touchpad or a touchscreen computer.</div>
<div class="MsoNormal">
1.<span style="mso-tab-count: 1;"> </span>Open
Adobe Acrobat<o:p></o:p></div>
<div class="MsoNormal">
2.<span style="mso-tab-count: 1;"> </span>Go to
Edit | Preferences<o:p></o:p></div>
<br />
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUbyT8QCNQwl1geXdx23NkUiJCgjzVWBRsTLdDVwe38gzYyLcERQxeRmZrSu8UQ3KHr8uaunDYI_AAIHuonjEsWGZgBuXsjB961NlsGNo2ld4PeH1dDVIPmsPhd4av-VcPol8PzG-c/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1393" data-original-width="689" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUbyT8QCNQwl1geXdx23NkUiJCgjzVWBRsTLdDVwe38gzYyLcERQxeRmZrSu8UQ3KHr8uaunDYI_AAIHuonjEsWGZgBuXsjB961NlsGNo2ld4PeH1dDVIPmsPhd4av-VcPol8PzG-c/s400/2.jpg" width="197" /></a></div>
<br /></div>
<div class="MsoNormal">
3.<span style="mso-tab-count: 1;"> </span>Select
Page Display in the left column and change <b style="mso-bidi-font-weight: normal;">Page
Layout</b> to <u>Automatic</u><o:p></o:p></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFA6YGdZC7OBneUf3jzuBUQOzyBqcRfz-Z_K2fQ6tXRY7dNeTHuq9QLw7sDkCb3mfYL0rucqLtW_ABTzBFsX-Z4Fz_9r0shOEHkO2VIgZnCH-GeZ66wzyclfZrklFRpMpB9kJnTsD7/s1600/3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="411" data-original-width="1600" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFA6YGdZC7OBneUf3jzuBUQOzyBqcRfz-Z_K2fQ6tXRY7dNeTHuq9QLw7sDkCb3mfYL0rucqLtW_ABTzBFsX-Z4Fz_9r0shOEHkO2VIgZnCH-GeZ66wzyclfZrklFRpMpB9kJnTsD7/s400/3.jpg" width="400" /></a></div>
<div class="MsoNormal">
4.<span style="mso-tab-count: 1;"> </span>Select
Accessibility in the left column and change <b style="mso-bidi-font-weight: normal;">Always use Page Layout Style</b> to <u>Single Page Continuous</u><o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO46NxjHhgCnXpYE-0LAqc47vIo_ruyPnHusF7cxaE8dkjpAxIUXXverrB-EmK896VNxKbSA3Yhlb0UXAbIo5_uRZ5pfjciiPlkUduApLTsHX4kBsjV42KNzwtrFbuA3D_y4SCTasv/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="491" data-original-width="1408" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO46NxjHhgCnXpYE-0LAqc47vIo_ruyPnHusF7cxaE8dkjpAxIUXXverrB-EmK896VNxKbSA3Yhlb0UXAbIo5_uRZ5pfjciiPlkUduApLTsHX4kBsjV42KNzwtrFbuA3D_y4SCTasv/s400/4.jpg" width="400" /></a></div>
<br />Troy Schnack's Bloghttp://www.blogger.com/profile/18412052156846845412noreply@blogger.com0tag:blogger.com,1999:blog-7949038911539153192.post-4209641479953374182018-04-12T03:33:00.001-07:002018-04-12T03:41:49.399-07:00FB Messenger App (Android) Media Files Share Tracking<span style="font-size: x-large;">Facebook Messenger (Android) App</span><br />
<span style="font-size: large;">Media Files Share Tracking</span><br />
<span style="font-size: large;"><br /></span>
In past blog posts, I've stressed the importance of testing and validating information. This post is no different. It's imperative that as a digital forensic investigator, we test apps from the user's perspective and then analyze what happens to the data behind the scenes.<br />
<br />
I recently had a case which featured a specific media file artifact located in the "fb_temp" folder of the Facebook Messenger app. At first glance, the assumption would be that the user must have sent this media to someone using the app. But we all know what happens when we assume.<br />
<br />
Below is the testing I conducted and the information I found that can help you track whether files or media were actually shared in the app and when.<br />
<br />
<h4>
<b>FACEBOOK MESSENGER TESTING METHODOLOGY</b></h4>
A video was located in the Facebook Messenger app’s fb_temp folder on an Android phone. Since “temp” denotes a temporary folder, it was necessary to test Facebook Messenger (FBM) on an Android device to ascertain what user actions create these files.<br />
<b><br /></b>
<b>
STEP 1</b><br />
This first step tested whether a file was created and remained in the fb_temp folder if a video was recorded but not sent.<br />
<br />
FBM was opened on an Android phone and signed into the Federal Public Defender Facebook account. A video recording was started on the device of a Star Wars poster. Once finished, the video was saved to the phone’s movies folder. The FBM video recording screen was then exited and never sent as a message.<br />
<br />
This video test from FBM was completed on 3/19/2018 @ 1:35 pm (13:35).<br />
<br />
<b>
STEP 2</b><br />
The second step tested creating a video in FBM and sending it as a message.<br />
<br />
FBM was opened on the same Android phone and signed into the same account as Step 1. A video recording was started on the device of a red Star Wars calendar. The video was then sent to a staff member’s Facebook account through FBM. This was completed on 3/19/2017 @ 2:55 pm (14:55).<br />
<br />
The video was not saved to the phone’s movies folder.<br />
<b><br /></b>
<b>
TESTING NOTE</b><br />
During Step 2 testing, an attempt was made to send the previously made video in Step 1. FBM did not show that the previously unsent video existed. This indicates that if a user were to create a video or photo and not share it, all subsequent messages would not have access to send or share the video or photo. When a user creates a video and doesn’t share it, they will not be able to share or access that video any time in the future.<br />
<br />
<h4>
TESTING / VALIDATION FORENSIC ANALYSIS</h4>
The Android phone was then placed in Airplane Mode to disable all communications. Cellebrite’s UFED was used to perform a physical forensic image of the device. The forensic image was then analyzed using two separate tools to validate the data: Cellebrite’s Physical Analyzer and Magnet Forensics AXIOM.<br />
<b><br /></b>
<b>
VIDEO CREATION ANALYSIS</b><br />
Both the video created but not shared and the video that was shared were found in FBM’s fb_temp folder. Each video file had the date/time it was created. There was no difference in the filename syntax or file location between the video that was shared and the video that was not shared.<br />
Additionally, a second copy of Step 1’s video was found in the phone’s movies folder. This was expected since Step 1 included saving the video to the phone.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1HawMvNbFgtqu6P7BGTnbknFCNEml541C-0wje3nRC-Hiazgi3Q9jXWWnvwKiAfjWvZFlwrHVej7Z1jpI1VnS806fB4iNkIB0mpKXMe8AVGqcqTmdRL4OSHiItaYCEN5d_DVe3zt6/s1600/VideoArtifacts.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="770" data-original-width="1231" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1HawMvNbFgtqu6P7BGTnbknFCNEml541C-0wje3nRC-Hiazgi3Q9jXWWnvwKiAfjWvZFlwrHVej7Z1jpI1VnS806fB4iNkIB0mpKXMe8AVGqcqTmdRL4OSHiItaYCEN5d_DVe3zt6/s400/VideoArtifacts.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
This testing demonstrates that the mere presence of a video or photo digital artifact found in FBM’s fb_temp folder is not an indication that the file was sent or shared.<br />
<br />
<b>
FACEBOOK MESSENGER CONVERSATION DATABASE ANALYSIS</b><br />
FBM also keeps a log of messages or conversations in a database. This digital artifact can be used to view past conversations including sending or receiving attachments. It also includes the date/time of each message.<br />
<br />
The conversation on the test phone used to send the video from Step 2 was extracted and reviewed. It does indeed show that a video was sent during the FBM chat. It does not show the creation or other evidence of the video created in Step 1 since that video was never shared.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX3AhJCnHy-01RW4d9HPO1qUin1Odqi6ZgPXSFfp5B9mh4PbEirFCo1d9GhrA06ZQJM84A4mMdS3VMZY-039l0K454NtUlRBoJVO61fZ5o4PMfQDuhvUHtyWY4glVBC_MaUniiC6sC/s1600/ChatArtifacts.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="930" data-original-width="722" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX3AhJCnHy-01RW4d9HPO1qUin1Odqi6ZgPXSFfp5B9mh4PbEirFCo1d9GhrA06ZQJM84A4mMdS3VMZY-039l0K454NtUlRBoJVO61fZ5o4PMfQDuhvUHtyWY4glVBC_MaUniiC6sC/s400/ChatArtifacts.png" width="310" /></a></div>
<br />
<br />
<h3>
CONCLUSION</h3>
This testing demonstrates that to verify if a video or photo was shared using FBM, the conversation data must be extracted and analyzed.<br />
<div>
<br /></div>
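The cross-check this post arrives at, written out as an added example that is not the post's own code: an fb_temp file is reported as shared only when an outgoing attachment record in the conversation database backs it up. The messages table, its column names and the sample rows are constructed stand-ins for the real FBM schema, which the post does not document, so the queries must be adapted to the actual table.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Added example, not code from the post. A media file in FBM's fb_temp folder
# counts as "shared" only when the conversation DB holds a matching OUTGOING
# attachment record. The messages table below is a CONSTRUCTED stand-in for
# the real FBM schema, which the post does not document.


def to_ms(dt: datetime) -> int:
    """Epoch milliseconds (UTC), the usual storage form for app message times."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1000)


def from_ms(ms: int) -> datetime:
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).replace(tzinfo=None)


@dataclass
class TempMedia:
    path: str          # path under the app's fb_temp folder
    created: datetime  # file creation DT from the extraction


@dataclass
class ShareResult:
    path: str
    shared: bool
    evidence: Optional[str]  # thread, message DT and the matching rule, or None


def load_sample_db() -> sqlite3.Connection:
    """Constructed conversation DB mirroring the post's Step 1 / Step 2 test."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE messages (
        msg_id INTEGER PRIMARY KEY, thread_key TEXT, direction TEXT,
        sent_ms INTEGER, attachment_type TEXT, attachment_name TEXT)""")
    rows = [
        # plain text message, no attachment
        (1, "thread:staff", "out", to_ms(datetime(2018, 3, 19, 14, 50, 0)), None, None),
        # Step 2: video sent to a staff member at 14:55
        (2, "thread:staff", "out", to_ms(datetime(2018, 3, 19, 14, 55, 12)),
         "video", "video-1521496512.mp4"),
        # an INCOMING video must never count as a share by the handset's user
        (3, "thread:staff", "in", to_ms(datetime(2018, 3, 19, 15, 2, 0)),
         "video", "reply.mp4"),
    ]
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def classify(conn: sqlite3.Connection, media: List[TempMedia],
             window: timedelta = timedelta(minutes=30)) -> List[ShareResult]:
    """Decide, per fb_temp file, whether the conversation DB shows it was sent."""
    results = []
    for item in media:
        name = item.path.replace("\\", "/").rsplit("/", 1)[-1]
        # Rule 1 (strong): an outgoing message carries this exact attachment name.
        row = conn.execute(
            "SELECT thread_key, sent_ms FROM messages "
            "WHERE direction = 'out' AND attachment_name = ?", (name,)).fetchone()
        rule = "attachment name match"
        if row is None:
            # Rule 2 (weaker, review manually): an outgoing photo/video was sent
            # shortly after the temp file was created.
            lo, hi = to_ms(item.created), to_ms(item.created + window)
            row = conn.execute(
                "SELECT thread_key, sent_ms FROM messages "
                "WHERE direction = 'out' AND attachment_type IN ('video', 'photo') "
                "AND sent_ms BETWEEN ? AND ? ORDER BY sent_ms LIMIT 1", (lo, hi)).fetchone()
            rule = f"outgoing media within {window} of file creation"
        if row is None:
            results.append(ShareResult(item.path, False, None))
        else:
            results.append(ShareResult(item.path, True,
                                       f"{row[0]} at {from_ms(row[1])} ({rule})"))
    return results


# Constructed fb_temp listing matching the post's two test videos.
SAMPLE_FB_TEMP = [
    TempMedia("fb_temp/video-1521491700.mp4", datetime(2018, 3, 19, 13, 35, 0)),  # Step 1, never sent
    TempMedia("fb_temp/video-1521496512.mp4", datetime(2018, 3, 19, 14, 54, 40)),  # Step 2, sent
]

if __name__ == "__main__":
    for r in classify(load_sample_db(), SAMPLE_FB_TEMP):
        print(r.path, "SHARED" if r.shared else "not shared", r.evidence or "")
```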
Troy Schnack's Bloghttp://www.blogger.com/profile/18412052156846845412noreply@blogger.com1tag:blogger.com,1999:blog-7949038911539153192.post-58972041775818019702018-03-11T12:48:00.000-07:002018-03-11T12:48:45.582-07:00Timelines in P2P Forensic Cases<br />
<h2>
<span style="font-family: "georgia" , "times new roman" , serif;">Timelines in P2P Forensic Cases</span></h2>
<div class="MsoTitle">
<span style="font-family: "georgia" , "times new roman" , serif;">2018-03-11</span></div>
<div class="MsoTitle">
<span style="font-family: "georgia" , "times new roman" , serif;">Troy Schnack</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">Creating a timeline of activity in a digital forensic (4n6)
case can be vitally important to the ultimate goal of placing a person at the
scene. In criminal 4n6 cases, the investigator, whether law enforcement or
defense, is assigned the task to put a “butt in the seat”. This blog is
intended to help avoid the many misconceptions seen regarding dates / times
(DT) on reports from both sides. We’ve all spent countless hours gathering
various artifacts and combining the data into a timeline. I’ve used my past
mistakes and testing to help you avoid the same errors.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">The sole intent of this blog is to help find the truth.
Information and technology are continually changing. Please feel free to
identify any incorrect conclusions or other errors on my part as I’m always
excited to learn. Brett Shavers (<a href="http://brettshavers.cc/index.php/brettsblog/entry/placing-the-suspect-behind-the-keyboard-online-course" target="_blank">Blog</a>)
and others have written about our innate need to solve problems and the
processes we can employ. 4n6 investigators use information gathered from not
only the digital device’s data, but from interviews, cell location, field investigator
reports and other sources to achieve this goal.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">The reason for identification of the “butt in the seat” for
law enforcement is clear. The same need also applies to the defense. If the
evidence shows that the defendant was at the keyboard, it is important that the
client is made aware of the evidence against them. Taking a plea rather than
risking an enhanced sentence by going to trial could be the best result for the
defendant. There is also always the possibility that the defendant was not responsible.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">Peer-to-Peer (P2P) programs are not as prevalent as they once
were. Ares, eMule, Gigatribe, BitTorrent and others still show up in cases from
time to time. There has been a vast resource of white papers, blogs and
presentations on many of these programs and how to find and decode their
respective artifacts. These resources are too plentiful to list here, but can
be found easily with a Google search. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">The examples, concepts and information in this blog will
focus mainly on Ares P2P artifacts since it is fresh in my mind from a recent
case. However, the concepts are applicable to most other P2P investigations and
downloads.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">The number one confusion I have seen in reports and that I
myself have fallen into is the DT the P2P download was initiated. This specific
artifact is critical when building a timeline of activity to compare with other
activity found on the device. The Holy Grail is seeing a contraband download
started near a person checking their personal webmail or using an identifiable
login name into social media, shopping or other web site.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">The problem, in my opinion, is the labeling used by most
forensic tools when listing information carved from the P2P program’s database
(DB). For example, when viewing Ares download artifacts, there will be a column
labeled “Downloaded Date/Time”. It is similarly named in multiple tools, from IEF/AXIOM and the
EnCase Ares EnScript to other Ares DAT file descriptors. The label can be misleading
to investigators who have not tested Ares or other P2P programs.<o:p></o:p></span></div>
<div class="MsoNormal">
<i style="mso-bidi-font-style: normal;"><span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></i></div>
<div class="MsoNormal">
<i style="mso-bidi-font-style: normal;"><span style="font-family: "georgia" , "times new roman" , serif;">NOTE: This reinforces
the mantra heard at every forensic training class I’ve ever attended. TEST YOUR
RESULTS. You don’t have to be the world’s leading expert on NTFS or other file
systems to perform simple DT testing.<o:p></o:p></span></i></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">The download DT in these DBs is actually when the download <b style="mso-bidi-font-weight: normal;">completed</b>. The P2P programs record this
information once the download has finished. Completed DTs are not useful for
building timelines of activity for multiple reasons. P2P networks are notorious
for being slow based on the availability of the file from multiple sources, the
source’s bandwidth availability and most importantly if the source remains
online. All these factors can cause a small MP3 file to take hours or days to
complete. As seen in many cases, some files remain “incomplete” because the
download source never reappeared.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">The only reliable way
to determine when the file download was initiated is the file’s
Creation DT. To easily test this, go to the Internet and download
a file. Once it’s finished, check its Creation vs Modified dates from the file
system. You will immediately note that the difference between the two is
the time it took your system to complete the download. This same file
system DT recording applies to P2P downloads as well.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><b>Example Download using Chrome</b><o:p></o:p></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivc3v93k82KkzNGaYuJMybFN0kPKqhzQyHwOpi6mmdevWSh22qn4nUXLiGz4gKVD3YAsxTARpNGCgyNC5uxqy-qswPJNi4QKRLVPrUOu6ZCUEHwrSbfO9IE5zSxsKhnirIh_Hnrtzt/s1600/Axiom+Download.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="1567" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivc3v93k82KkzNGaYuJMybFN0kPKqhzQyHwOpi6mmdevWSh22qn4nUXLiGz4gKVD3YAsxTARpNGCgyNC5uxqy-qswPJNi4QKRLVPrUOu6ZCUEHwrSbfO9IE5zSxsKhnirIh_Hnrtzt/s640/Axiom+Download.jpg" width="640" /></a></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><b>The downloaded file’s Created and Modified DT, showing it took
11 minutes to complete</b><o:p></o:p></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTGonMl7YUVaFj-RqgeDahiqYOIC5SrEaWavdX7k8RPXp_Eaa-z10aHWprA7KF7EE4WYaSA7-St2BOmIWNRgKK4qos0FejQZmMaDOaibs3FOprlpsESIzl2NJWBGNfRibp78OuzQkJ/s1600/Axiom+Info.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="147" data-original-width="1600" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTGonMl7YUVaFj-RqgeDahiqYOIC5SrEaWavdX7k8RPXp_Eaa-z10aHWprA7KF7EE4WYaSA7-St2BOmIWNRgKK4qos0FejQZmMaDOaibs3FOprlpsESIzl2NJWBGNfRibp78OuzQkJ/s640/Axiom+Info.jpg" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">Once you understand this relationship, the next thing that
will become apparent is that the modified DT from the file system will match
the “Downloaded Date / Time” from Ares DB. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">This then means that the actual file downloaded will need to
be located on the file system to obtain the creation DT to record the specific
DT the file download was started. Don’t just look in the shared folder. The
Recycle Bin is a great place to find these files as well. The Recycle Bin file artifacts
will keep the original creation DT from the file when it was “deleted” by the
user.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<h2>
<span style="font-family: "georgia" , "times new roman" , serif;">Example File from Recycle Bin Creation DT</span></h2>
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 0px;">
<tbody>
<tr style="height: 14.35pt; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td nowrap="" style="background: #4472C4; border-bottom: solid windowtext 1.0pt; border-left: none; border-right: none; border-top: solid windowtext 1.0pt; height: 14.35pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.0pt;" valign="bottom" width="400"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<b><span style="color: white; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;"><span style="font-family: "georgia" , "times new roman" , serif;">Filename<o:p></o:p></span></span></b></div>
</td>
<td nowrap="" style="background: #4472C4; border-bottom: solid windowtext 1.0pt; border-left: none; border-right: none; border-top: solid windowtext 1.0pt; height: 14.35pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 159.0pt;" valign="bottom" width="212"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<b><span style="color: white; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;"><span style="font-family: "georgia" , "times new roman" , serif;">File Created<o:p></o:p></span></span></b></div>
</td>
</tr>
<tr style="height: 14.35pt; mso-yfti-irow: 1; mso-yfti-lastrow: yes;">
<td nowrap="" style="background: #D9D9D9; height: 14.35pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.0pt;" valign="bottom" width="400"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: black; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;"><span style="font-family: "georgia" , "times new roman" , serif;">21 jump street 2012 dvdrip latino xvid.avi<o:p></o:p></span></span></div>
</td>
<td nowrap="" style="background: #D9D9D9; height: 14.35pt; padding: 0in 5.4pt 0in 5.4pt; width: 159.0pt;" valign="bottom" width="212"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: black; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: "Times New Roman"; mso-hansi-font-family: Calibri;"><span style="font-family: "georgia" , "times new roman" , serif;">11/23/2012<span style="mso-spacerun: yes;"> </span>11:43:10 AM<o:p></o:p></span></span></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<h2>
<span style="font-family: "georgia" , "times new roman" , serif;">Sample Ares DB Record </span></h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivVmzwp_uQIdMa3DMeNAz0BYV8CTKexeP7Z8mKzylrL-bfpTZp-B9sBDTqlIV-WDtVPQG8yLf-uUiLf5LfK-wTYcLXfqsvWalG-iHBI59N6s0qgD8l27xnPhayzV3bD9PRQo_KSryr/s1600/Axiom+Artifact.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="195" data-original-width="1105" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivVmzwp_uQIdMa3DMeNAz0BYV8CTKexeP7Z8mKzylrL-bfpTZp-B9sBDTqlIV-WDtVPQG8yLf-uUiLf5LfK-wTYcLXfqsvWalG-iHBI59N6s0qgD8l27xnPhayzV3bD9PRQo_KSryr/s640/Axiom+Artifact.jpg" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">As you can see, the video download took Ares over 10 hours
to complete. That’s a big difference in time and can have a dramatic effect
when building an activity timeline and comparing it to other user activity on the
system. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">What if the downloaded file no longer exists? There are
still some possibilities to at least narrow down the time the download was
initiated. I had a case recently where a download was completed 30 minutes
after Ares was installed. This would indicate that the download was started sometime
between the Ares install and the downloaded file’s completion. If there is no other
information, all that can be determined is that sometime between the install of
the P2P program and the file’s “Downloaded Date / Time”, the download process
was started.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "georgia" , "times new roman" , serif;">Another option is the incomplete download mentioned earlier.
Ares and other P2P programs also track these files. The difference is that, for
incomplete files, they record the DT the download was started rather than when it completed.<o:p></o:p></span></div>
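The post's rules for pinning down a download start DT, as an added example that is not the post's own code: use the file system Created DT when the file (or its Recycle Bin copy) still exists, the started DT that the P2P DB keeps for incomplete downloads, and otherwise bracket the start between the P2P program's install DT and the completion DT. The record layout and every timestamp marked constructed are assumptions for the demo; only the Recycle Bin filename and its Created DT come from the post's table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Added example (not the post's own code). The tool column "Downloaded
# Date/Time" is the COMPLETION time, so the start of a download comes from the
# file system Created DT, from the started DT kept only for incomplete
# downloads, or is bracketed between P2P install DT and completion DT.
# Timestamps marked "constructed" are sample values, not from a real case.


@dataclass
class DownloadRecord:
    filename: str
    completed: Optional[datetime] = None      # "Downloaded Date/Time" in the P2P DB
    fs_created: Optional[datetime] = None     # Created DT of the file (or Recycle Bin copy)
    fs_modified: Optional[datetime] = None    # Modified DT of the file
    started: Optional[datetime] = None        # start DT, kept only for incomplete downloads
    p2p_installed: Optional[datetime] = None  # install DT of the P2P program (fallback)


@dataclass
class StartWindow:
    earliest: datetime
    latest: datetime
    basis: str  # the artifact the window rests on

    @property
    def exact(self) -> bool:
        return self.earliest == self.latest


def download_start_window(rec: DownloadRecord) -> Optional[StartWindow]:
    """When the download was initiated, as a window, or None if unknowable."""
    if rec.fs_created is not None:
        # Best evidence: the file exists, so its Created DT is when the download began.
        return StartWindow(rec.fs_created, rec.fs_created, "file system Created DT")
    if rec.started is not None:
        # Incomplete downloads: the P2P DB records the start DT directly.
        return StartWindow(rec.started, rec.started, "P2P DB started DT (incomplete download)")
    if rec.completed is not None and rec.p2p_installed is not None:
        # File gone: it started after install and before the recorded completion.
        return StartWindow(rec.p2p_installed, rec.completed,
                           "between P2P install and Downloaded Date/Time")
    return None


def download_duration(rec: DownloadRecord) -> Optional[timedelta]:
    """Completion minus Created DT: how long the transfer actually ran."""
    end = rec.completed or rec.fs_modified
    if rec.fs_created is None or end is None:
        return None
    return end - rec.fs_created


def modified_matches_completed(rec: DownloadRecord,
                               tolerance: timedelta = timedelta(seconds=2)) -> Optional[bool]:
    """Consistency check from the post: Modified DT should equal the DB completion DT."""
    if rec.fs_modified is None or rec.completed is None:
        return None
    return abs(rec.fs_modified - rec.completed) <= tolerance


def timeline_events(records: List[DownloadRecord]) -> list:
    """(DT, label) pairs to merge with other user activity; a window yields both bounds."""
    events = []
    for rec in records:
        win = download_start_window(rec)
        if win is not None and win.exact:
            events.append((win.earliest, f"{rec.filename}: download started ({win.basis})"))
        elif win is not None:
            events.append((win.earliest, f"{rec.filename}: started no earlier ({win.basis})"))
            events.append((win.latest, f"{rec.filename}: started no later ({win.basis})"))
        if rec.completed is not None:
            events.append((rec.completed, f"{rec.filename}: download completed"))
    return sorted(events)


# Recycle Bin example from the post: Created 11/23/2012 11:43:10 AM. The
# completion/Modified DT is constructed so the transfer runs just over 10 hours.
ARES_AVI = DownloadRecord(
    filename="21 jump street 2012 dvdrip latino xvid.avi",
    fs_created=datetime(2012, 11, 23, 11, 43, 10),
    fs_modified=datetime(2012, 11, 23, 21, 58, 4),  # constructed
    completed=datetime(2012, 11, 23, 21, 58, 4),    # constructed
)
# File deleted and gone; only install and completion DTs survive (constructed).
MISSING_FILE = DownloadRecord(filename="missing.mp3",
                              completed=datetime(2012, 11, 20, 9, 30, 0),
                              p2p_installed=datetime(2012, 11, 20, 9, 0, 0))
# Incomplete download: the P2P DB kept the started DT (constructed).
INCOMPLETE = DownloadRecord(filename="partial.mp3", started=datetime(2012, 11, 21, 18, 5, 0))

if __name__ == "__main__":
    for when, what in timeline_events([ARES_AVI, MISSING_FILE, INCOMPLETE]):
        print(when.isoformat(sep=" "), what)
```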
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "georgia" , "times new roman" , serif;"><br /></span></b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "georgia" , "times new roman" , serif;">The important thing
to remember is to interpret the data correctly when reporting on the evidence.
No one enjoys having their findings called into question. However, I’ve found
learning from mistakes is sometimes how I learn best.<o:p></o:p></span></b></div>
<div class="MsoNormal">
<br /></div>
<br />Troy Schnack's Bloghttp://www.blogger.com/profile/18412052156846845412noreply@blogger.com0tag:blogger.com,1999:blog-7949038911539153192.post-49751247630780708932017-11-10T09:40:00.005-08:002017-11-10T12:18:49.677-08:00One is Silver and the other Gold<div class="MsoNormal">
While working cases this last week, an old song that we sang as
kids at summer camp has been on my mind. </div>
<div class="MsoNormal">
The lyrics were something like this:</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Make new
friends, but keep the old<br />
One is silver and the other
gold<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
This same sentiment should be applied to the forensic world as
well. Rephrasing to:<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Find new
artifacts, but keep the old<br />
One is silver and the other
gold<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The recent cases I’ve worked have included new mobile tech
we all need to know and learn. The thing is, it almost always also includes
PCs as well. Many times it also includes some kind of P2P program from Ares and eMule
to BitTorrent. Without fail, I continue to lean on the basic forensic knowledge
I learned all those years ago from my first forensic training course in 2002.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Basic metadata like OS file dates/times cannot be properly interpreted
without knowing the version of Windows running on the system (e.g. Last
Accessed after Windows XP). Foundational information like this, gathered from the
Windows Registry, is paramount. Just
about every forensic tool on the market can parse and produce this information.
The important thing to remember is that as forensic analysts we use this
type of Gold artifact to make sure our conclusions are correct and have the
proper foundation.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We’ve all learned a lot about Shell Bags and Jump Lists.
These are fantastic new resources to use during investigations. I would
consider these the Silver artifacts that are so important in our industry to
continue to learn about as systems change and evolve. What we don’t want to
forget are the Gold artifacts that can be used to verify our findings. A great
example that’s been around for years is the Internet Explorer (IE) history.
Remember that IE tracks file and folder browsing as part of its history
database. Even in Windows 10, filtering for “file:///” can give you not only
files and folders opened, but also last accessed dates/times and number of
times viewed. All while giving this information per user on the system. Just
another Gold artifact I learned many years ago that continues to provide me great information.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It's important to keep in mind that Silver is also rare and
desired. The sharing of new information and artifacts MUST continue
and is VERY valuable to the community. Please keep that information coming! For
all of us, new and veteran, it’s important not to forget the Gold artifacts
that can be the foundation that you build your case on. When writing reports
and explaining your findings, it’s important to educate your audience on these
foundational artifacts and how they verify the more ancillary data that all the
new scripts and tools provide.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Keep learning, keep sharing and go get that data!</b><o:p></o:p></div>
Troy Schnack's Bloghttp://www.blogger.com/profile/18412052156846845412noreply@blogger.com1tag:blogger.com,1999:blog-7949038911539153192.post-46634322327424460022017-10-18T18:11:00.000-07:002017-10-18T19:49:20.116-07:00Hide It Pro App Forensics - Android<h2>
Hide It Pro App Forensics - Android</h2>
<div>
Welcome to my first blog post. Following #DFIR on Twitter has convinced me it's about time I started sharing some information with the community. Luckily, I ran across some good info during a recent investigation. I hope the data below saves someone else a lot of time if you run across this app during your own investigations.</div>
<div>
<br /></div>
<div>
I came across some questionable images on an Android phone. The problem was, they were located in a folder that I wasn't familiar with. </div>
<div>
<br /></div>
<span style="font-family: "courier new" , "courier" , monospace;">ProgramData\Android\Language\.fr\Pictures</span><br />
<br />
<div>
Like many forensicators, not knowing is maddening. Using the all-powerful Google, I found a clue as to their app origin. Thanks to <a href="https://plus.google.com/105188903650729622132" rel="author" style="background-color: #f9f9f9; color: #33aaff; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 14.4px; text-decoration-line: none;" title="author profile"><span itemprop="name">Shubham Chaudhary</span> </a> and his <a href="http://sunny1001.blogspot.com/2012/12/view-files-hidden-by-hide-it-pro.html?m=1">post</a>, I found out the odd folder was created by the Google Play app Hide It Pro. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyQKOgnBaIuCJleEcyp7WQ9p9qfwgy5q7W241lqJlSnsDCp8Mmzr5uXviJHUfqCT9wryRmmlbi2DQ92tjEtdCH14RbFxR4hIZD_h8lt-pDxC-GY5J5sqFrtX_b0JGfL7Sm3jMRUPb8/s1600/DMDcZYVUEAAyCP_.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="650" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyQKOgnBaIuCJleEcyp7WQ9p9qfwgy5q7W241lqJlSnsDCp8Mmzr5uXviJHUfqCT9wryRmmlbi2DQ92tjEtdCH14RbFxR4hIZD_h8lt-pDxC-GY5J5sqFrtX_b0JGfL7Sm3jMRUPb8/s320/DMDcZYVUEAAyCP_.jpg" width="173" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>It is very important to understand how an app works and is viewed by a user before digging into the bits behind the curtain. If you don't understand how an app functions for a user, the underlying data can be misinterpreted. </b><br />
<br />
The path to Language\.fr has NO bearing on the phone's language choice. This folder is used for obfuscation. In all testing, the installation used this specific folder to store the data.<br />
<br />
<br /></div>
<div>
The Hide It Pro app camouflages itself when installed as Audio Manager.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFNCwSjA01KWK4hw0YjRBi-gFVmglSqWTMiQ_iPYuDc-z_XWbVsbS7FQsUhUu3ZuCtwE5x2owyvfSu8DZs3wYfMOENT9tTQ7P5Eu5q_bFzmEUmTXpf9oFcRCgQm3NPCPsX56mjBKst/s1600/Screenshot_20171013-184656.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="678" data-original-width="562" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFNCwSjA01KWK4hw0YjRBi-gFVmglSqWTMiQ_iPYuDc-z_XWbVsbS7FQsUhUu3ZuCtwE5x2owyvfSu8DZs3wYfMOENT9tTQ7P5Eu5q_bFzmEUmTXpf9oFcRCgQm3NPCPsX56mjBKst/s200/Screenshot_20171013-184656.png" width="165" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
NOTE: The underlying folder structure shown later, including the SQLite DB files and the sub-folders for Pictures, Videos, etc., does NOT get created upon the app's installation. Only after the app is first opened and configured are these folders created.</div>
<div>
<br /></div>
<div>
When the user opens the app initially, it displays a prompt on how to access the <i>hidden</i> data. It then requests a PIN or password to be entered, followed by a recovery e-mail address. I've included screenshots of this process, including the PIN and e-mail address I used, for reference later when analyzing the data stored on the device.</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUQq0WBgWCUS62AH6i1WPFdRv6G-LyuG1T2vFMcD7iLRuKcieRSXGGkz1hIHEBHdKXSwlCFfhEgt8Jb0TN11GPYn6ooFonk8CB56LDNP0sbNqQD9qY6Rdtk42PaSOKyUeSiFxeK_uK/s1600/Screenshot_20171015-165253.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="779" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUQq0WBgWCUS62AH6i1WPFdRv6G-LyuG1T2vFMcD7iLRuKcieRSXGGkz1hIHEBHdKXSwlCFfhEgt8Jb0TN11GPYn6ooFonk8CB56LDNP0sbNqQD9qY6Rdtk42PaSOKyUeSiFxeK_uK/s200/Screenshot_20171015-165253.png" width="96" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCmJFLmgMgCLM4nBX0tBN28Reunv5_4LUqLhYDGifhdqc6CjlcDbgyEB9NlwNmNQHoWYBpUWJvjtwIZ5SSz39QMM4gsjTZzq2DtBsFbuf6M7N1095ZJ7YrQUPvsdT2QpUmRd_I5Agy/s1600/Screenshot_20171015-165300.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="779" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCmJFLmgMgCLM4nBX0tBN28Reunv5_4LUqLhYDGifhdqc6CjlcDbgyEB9NlwNmNQHoWYBpUWJvjtwIZ5SSz39QMM4gsjTZzq2DtBsFbuf6M7N1095ZJ7YrQUPvsdT2QpUmRd_I5Agy/s200/Screenshot_20171015-165300.png" width="96" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNAA9o36wQ4zS9o-5DmRDoajWR39_rQCHz4V5DH-QeDt3Gcf5bo8m4IfauVXaGBf4NIsqrICJ51KFsQsa22e9UAxpUgdss3g91SQgwOU_5ptpI1a6QeshCWcB51qmgmcP4PjS8Jhjt/s1600/Screenshot_20171015-165313.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="779" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNAA9o36wQ4zS9o-5DmRDoajWR39_rQCHz4V5DH-QeDt3Gcf5bo8m4IfauVXaGBf4NIsqrICJ51KFsQsa22e9UAxpUgdss3g91SQgwOU_5ptpI1a6QeshCWcB51qmgmcP4PjS8Jhjt/s200/Screenshot_20171015-165313.png" width="96" /></a><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHU1CaTimQbU_ZMHXtthhYPLKG3vuC7GoKMQ8iI3urM7lHfvT9jzwuua7aQM788_SaC_gVhEPdxiDMztHSoF_ouScdvPucMmcBuL9mnBcf113RSl26wL2ojd0DUq21lbzA_BV3jVo0/s1600/Screenshot_20171015-165330.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="779" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHU1CaTimQbU_ZMHXtthhYPLKG3vuC7GoKMQ8iI3urM7lHfvT9jzwuua7aQM788_SaC_gVhEPdxiDMztHSoF_ouScdvPucMmcBuL9mnBcf113RSl26wL2ojd0DUq21lbzA_BV3jVo0/s200/Screenshot_20171015-165330.png" width="96" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Once set up, the user holds down the "Audio Manager" logo, enters their PIN/password and the true app is revealed.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpM-tCea0Jw32FO6_xVIYRZsv3Xkyqj8Fdk_7NEb0GDn04sXWomTZrsDXRcYzT78oinSkmeV-VI8zaolXZY1Uexp-_FyOnxYlMx7kciAzb-Z3FpD_nf8K87iWhW6Hep3agpurM1EAI/s1600/Screenshot_20171015-165354.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="779" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpM-tCea0Jw32FO6_xVIYRZsv3Xkyqj8Fdk_7NEb0GDn04sXWomTZrsDXRcYzT78oinSkmeV-VI8zaolXZY1Uexp-_FyOnxYlMx7kciAzb-Z3FpD_nf8K87iWhW6Hep3agpurM1EAI/s320/Screenshot_20171015-165354.png" width="155" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The app allows the user to add photos, video and audio from the phone's gallery into its folders. SMS texting is also available with an add-on app, which allows the user to create a hidden contact list and communicate via SMS without the data being seen by the device's default texting app. Notes can also be kept here, away from prying eyes.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's now look at how to view all this data from a forensic examination. All the data reviewed below can be accessed via a logical image of the phone. A physical image isn't necessary to investigate this app. I tested this using Magnet Acquire to obtain a logical ADB backup of the test device.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The first artifact to look for is the file <span style="font-family: "courier new" , "courier" , monospace;">com.hideitpro_preferences.xml</span>, located in the <span style="font-family: "courier new" , "courier" , monospace;">apps/com.hideitpro/sp/</span> folder. The XML contains either the PIN or the password set by the user, in plain text. It also includes the recovery e-mail address. The XML from my test device is shown below.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<pre><span style="color: blue;"><?</span><span style="color: magenta;">xml version='1.0' encoding='utf-8' standalone='yes' </span><span style="color: blue;">?></span>
<span style="color: blue;"><</span><span style="color: maroon;">map</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="lockType"</span><span style="color: blue;">></span>pin<span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="pin"</span><span style="color: blue;">></span>1234<span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="setupCompleted"</span> <span style="color: red;">value</span><span style="color: blue;">="true"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="fingerprint"</span> <span style="color: red;">value</span><span style="color: blue;">="false"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">int</span> <span style="color: red;">name</span><span style="color: blue;">="locktype"</span> <span style="color: red;">value</span><span style="color: blue;">="5"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">boolean</span> <span style="color: red;">name</span><span style="color: blue;">="lsup"</span> <span style="color: red;">value</span><span style="color: blue;">="false"</span> <span style="color: blue;">/></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="ve"</span><span style="color: blue;">></span>0!true:1!true:2!true:3!true:4!true:5!true:6!true:7!true:8!true:9!true:10!true:11!true:<span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">string</span> <span style="color: red;">name</span><span style="color: blue;">="recoveryEmail"</span><span style="color: blue;">></span>troyschnack@gmail.com<span style="color: blue;"></</span><span style="color: maroon;">string</span><span style="color: blue;">></span>
<span style="color: blue;"><</span><span style="color: maroon;">int</span> <span style="color: red;">name</span><span style="color: blue;">="launchCount"</span> <span style="color: red;">value</span><span style="color: blue;">="1"</span> <span style="color: blue;">/></span>
<span style="color: blue;"></</span><span style="color: maroon;">map</span><span style="color: blue;">></span>
</pre>
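<div>An added example, not code from the original post or from the app: a small Python parser for this preferences file. The layout above (a <span style="font-family: "courier new" , "courier" , monospace;">map</span> of <span style="font-family: "courier new" , "courier" , monospace;">string</span>, <span style="font-family: "courier new" , "courier" , monospace;">boolean</span> and <span style="font-family: "courier new" , "courier" , monospace;">int</span> entries keyed by <span style="font-family: "courier new" , "courier" , monospace;">name</span>) is the standard Android SharedPreferences XML format, so the same parser works on any app's shared_prefs file; the Hide It Pro key names are the ones visible in the file above. The sample file embedded in the script is constructed for the example, and the idea that a password-mode secret sits under a "password" key is an assumption the post does not confirm.</div>

```python
"""Parse Hide It Pro's com.hideitpro_preferences.xml (Android SharedPreferences XML).

Added example, not code from the original post or from the app. The element
layout (<map> holding <string>/<boolean>/<int> entries keyed by "name") is the
standard Android SharedPreferences format; the Hide It Pro key names are the
ones shown in the post's sample file.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the file shown in the post (test values only).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="lockType">pin</string>
    <string name="pin">1234</string>
    <boolean name="setupCompleted" value="true" />
    <boolean name="fingerprint" value="false" />
    <int name="locktype" value="5" />
    <boolean name="lsup" value="false" />
    <string name="recoveryEmail">examiner@example.invalid</string>
    <int name="launchCount" value="1" />
</map>
"""


def parse_shared_prefs(xml_data) -> dict:
    """Return a {name: value} dict from SharedPreferences XML (str or bytes).

    <string> entries carry their value as element text; <boolean>, <int>,
    <long> and <float> entries carry it in a "value" attribute.
    """
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")  # keep the encoding declaration valid
    root = ET.fromstring(xml_data)
    if root.tag != "map":
        raise ValueError(f"not a SharedPreferences file (root is <{root.tag}>)")
    prefs = {}
    for entry in root:
        name = entry.get("name")
        if name is None:
            continue
        if entry.tag == "string":
            prefs[name] = entry.text or ""
        elif entry.tag == "boolean":
            prefs[name] = entry.get("value") == "true"
        elif entry.tag in ("int", "long"):
            prefs[name] = int(entry.get("value", "0"))
        elif entry.tag == "float":
            prefs[name] = float(entry.get("value", "0"))
        else:
            prefs[name] = entry.get("value")
    return prefs


def load_shared_prefs(path: str) -> dict:
    """Parse a shared_prefs XML file exported from the device image."""
    with open(path, "rb") as fh:
        return parse_shared_prefs(fh.read())


def hideitpro_summary(prefs: dict) -> dict:
    """Pull out the fields an examiner reports on: lock type, stored secret, recovery e-mail."""
    lock_type = prefs.get("lockType", "unknown")
    # In the post the secret is stored under a key named after the lock type ("pin").
    # Assumption for this example: password mode would use a "password" key.
    secret = prefs.get(lock_type)
    return {
        "lock_type": lock_type,
        "secret": secret,
        "recovery_email": prefs.get("recoveryEmail"),
        "setup_completed": prefs.get("setupCompleted", False),
        "launch_count": prefs.get("launchCount", 0),
    }


if __name__ == "__main__":
    summary = hideitpro_summary(parse_shared_prefs(SAMPLE_PREFS))
    for key, value in summary.items():
        print(f"{key:16} {value}")
```

<div>Point <span style="font-family: "courier new" , "courier" , monospace;">load_shared_prefs()</span> at the exported <span style="font-family: "courier new" , "courier" , monospace;">com.hideitpro_preferences.xml</span> to run it against a real extraction; note that both <span style="font-family: "courier new" , "courier" , monospace;">lockType</span> and <span style="font-family: "courier new" , "courier" , monospace;">locktype</span> exist as separate keys, so the parser keeps key case intact.</div>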
<span style="font-family: inherit; white-space: normal;">The remaining artifacts are located in the </span><span style="font-family: "courier new" , "courier" , monospace;">ProgramData\Android\Language\.fr\</span><span style="font-family: inherit;"> folder. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLq391UEwisBXBZSYPPR1FUfJitqRO8e2T7qBzsxT9DwkMKr4fbO1H0y-6picSPwlRP6V-m8rs-WzurWB0fWG_EIb4NmY2NWXeCe1ViCSeucB_5aovHAvsv7ZxcPba9zAMz3nmvAS7/s1600/folder+structure.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="587" data-original-width="335" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLq391UEwisBXBZSYPPR1FUfJitqRO8e2T7qBzsxT9DwkMKr4fbO1H0y-6picSPwlRP6V-m8rs-WzurWB0fWG_EIb4NmY2NWXeCe1ViCSeucB_5aovHAvsv7ZxcPba9zAMz3nmvAS7/s320/folder+structure.JPG" width="182" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Exploring the Audio, Pictures and Videos folders will reveal their contents. However, we want to know when and where the data came from. For that information, the SQLite DB files are the key. I used Sanderson Forensics SQLite Browser for the analysis. Photos added to the app are simply copied from their current location; if the user does not delete the original photo, it will remain. Photos with no path indicate that the photo was copied from the phone's default photo storage rather than a subfolder.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
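<div>An added example, not code from the original post: a Python script that queries the <b>sys</b> table for when and where each hidden file came from. It uses the column names of the sys table listed in this post, builds an in-memory stand-in with rows modelled on the post's data (the <span style="font-family: "courier new" , "courier" , monospace;">originalPath</span> value on the third row is constructed), and assumes the <span style="font-family: "courier new" , "courier" , monospace;">added</span> and <span style="font-family: "courier new" , "courier" , monospace;">dateTaken</span> columns hold milliseconds since the Unix epoch; that storage format is an assumption for the example, not something the post states, so verify it against the raw column before relying on the converted times.</div>

```python
"""Report when and where Hide It Pro's hidden files came from, using the "sys" SQLite DB.

Added example, not code from the original post. Column names follow the sys
table shown in the post. Sample rows are constructed for this example, and the
epoch-millisecond storage of "added"/"dateTaken" is an assumption to verify
against the real database.
"""
import sqlite3
from datetime import datetime, timezone

SYS_COLUMNS = ("id", "album", "title", "filename", "originalPath", "added",
               "dateTaken", "size", "type", "duration", "rot", "ord",
               "latitude", "longitude")

# Constructed sample rows (epoch ms): two with an empty originalPath, one with a
# constructed subfolder path to show the other case.
SAMPLE_ROWS = [
    (1, "New Album", "Screenshot_2017-10-17-06-15-22.png", "Screenshot_2017-10-17-06-15-22.png",
     "", 1508238925000, None, 1173568, 1, None, None, None, None, None),
    (2, "New Album", "stanza-art-fortuna.jpg", "stanza-art-fortuna.jpg",
     "", 1508238884000, None, 139139, 1, None, None, None, None, None),
    (3, "Messages", "Screenshot_2017-02-16-14-46-28.png", "Screenshot_2017-02-16-14-46-28.png",
     "/storage/emulated/0/Download", 1508238460000, None, 77911, 1, None, None, None, None, None),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for the sys DB with the post's column layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE sys ({', '.join(SYS_COLUMNS)})")
    placeholders = ", ".join("?" * len(SYS_COLUMNS))
    conn.executemany(f"INSERT INTO sys VALUES ({placeholders})", SAMPLE_ROWS)
    conn.commit()
    return conn


def epoch_ms_to_iso(value):
    """Render an assumed epoch-millisecond timestamp in UTC; NULL/empty stays None."""
    if value in (None, ""):
        return None
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).isoformat()


def hidden_items(conn: sqlite3.Connection) -> list:
    """One dict per hidden file: album, filename, origin, added/taken times, size."""
    conn.row_factory = sqlite3.Row
    query = ("SELECT album, title, filename, originalPath, added, dateTaken, size, type "
             "FROM sys ORDER BY added")
    items = []
    for row in conn.execute(query):
        original = row["originalPath"]
        items.append({
            "album": row["album"],
            "filename": row["filename"],
            # Per the post: an empty originalPath means the file was copied from
            # the phone's default photo storage rather than a subfolder.
            "origin": original if original else "<default photo storage>",
            "added_utc": epoch_ms_to_iso(row["added"]),
            "taken_utc": epoch_ms_to_iso(row["dateTaken"]),
            "size": row["size"],
        })
    return items


if __name__ == "__main__":
    # Replace build_sample_db() with sqlite3.connect("sys") on a copy of the extracted DB.
    for item in hidden_items(build_sample_db()):
        print(f'{item["added_utc"]}  {item["album"]:10}  {item["filename"]:40}  from {item["origin"]}')
```

<div>The query orders by <span style="font-family: "courier new" , "courier" , monospace;">added</span> so the output doubles as a timeline of when the user hid each file; an <span style="font-family: "courier new" , "courier" , monospace;">originalPath</span> that is present tells you where to go looking for the original copy if the user never deleted it.</div>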
<div class="separator" style="clear: both; text-align: left;">
The first DB file to review is <b>sys</b>. The <b>sys</b> DB contains the following fields:</div>
<table bgcolor="#FFFFFF" border="0" cellspacing="0" style="border-collapse: collapse; table-layout: fixed; width: 1172px;"><tbody>
<tr height="19px"><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
id</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
album</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
title</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
filename</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
originalPath</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
added</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
dateTaken</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
size</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
type</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
duration</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
rot</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
ord</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
latitude</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
longitude</div>
</td></tr>
<tr height="19px"><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
New Album</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
Screenshot_2017-10-17-06-15-22.png</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
Screenshot_2017-10-17-06-15-22.png</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:15:25 AM</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
1173568</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
1</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
</div>
</td></tr>
<tr height="19px"><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
2</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
New Album</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
stanza-art-fortuna.jpg</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
stanza-art-fortuna.jpg</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:14:44 AM</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
139139</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
1</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
</div>
</td></tr>
<tr height="19px"><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
3</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
New Album</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
Screenshot_2017-10-17-06-15-05.png</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
Screenshot_2017-10-17-06-15-05.png</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:15:08 AM</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
2350615</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
1</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
</div>
</td></tr>
<tr height="19px"><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
4</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
Messages</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
Screenshot_2017-02-16-14-46-28.png</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
Screenshot_2017-02-16-14-46-28.png</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:07:40 AM</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
77911</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
1</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
</div>
</td></tr>
<tr height="19px"><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
5</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
New Album</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
Screenshot_2017-10-17-06-15-22</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTIyLnBuZw==~</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
Pictures/Screenshots</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:16:30 AM</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:15:25 AM</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
1173568</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
1</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
0</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
0</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
0</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
0</div>
</td></tr>
<tr height="19px"><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
6</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
New Album</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
stanza-art-fortuna</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
c3RhbnphLWFydC1mb3J0dW5hLmpwZw==~</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
Download</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:16:30 AM</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:14:45 AM</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
139139</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
1</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
0</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
0</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
0</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
0</div>
</td></tr>
<tr height="19px"><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
7</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
New Album</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
Screenshot_2017-10-17-06-15-05</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTA1LnBuZw==~</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
Pictures/Screenshots</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:16:30 AM</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:15:08 AM</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
2350615</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
1</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
0</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
0</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
0</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
0</div>
</td></tr>
<tr height="19px"><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
8</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 58.6667px;">
New Album</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 191.333px;">
20171017_062143</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 313.333px;">
20171017_062143.mp4</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 106px;">
DCIM/Camera</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:22:28 AM</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:21:53 AM</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 53.3333px;">
18006499</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
2</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 45.3333px;">
8640</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 19.3333px;">
0</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 21.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 41.3333px;">
0</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
The "added" column is a Unix epoch timestamp in milliseconds, while "datetaken" is a Unix epoch timestamp in seconds, so the two need different conversions (divide "added" by 1000 first) or one of them decodes to a nonsense date. If the file was copied from a folder on the phone, that folder (e.g. Pictures, Download) is recorded in this table.<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: inherit;">The <b>aqua</b> DB is only present if the user sent SMS texts, made a call or created a contact; all three tables live inside the <b>aqua</b> DB. The same goes for <b>notes.db</b>, which only exists if the user created notes.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><b>aqua</b> SMS table structure - added Unix mSecs</span><br />
<table bgcolor="#FFFFFF" border="0" cellspacing="0" style="border-collapse: collapse; table-layout: fixed; width: 326px;"><tbody>
<tr height="19px"><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
id</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
uid</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 64px;">
sms_subject</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 54px;">
sms_body</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
type</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 28px;">
seen</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
added</div>
</td></tr>
<tr height="19px"><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
1</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 64px;">
</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 54px;">
test sms 1</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
8</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 28px;">
1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:06:53 AM</div>
</td></tr>
<tr height="19px"><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
2</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
1</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 64px;">
</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 54px;">
test sms 2</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
8</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 28px;">
1</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:07:03 AM</div>
</td></tr>
</tbody></table>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><b>aqua</b> Blacklist (contacts) table structure - added Unix mSecs</span><br />
<table bgcolor="#FFFFFF" border="0" cellspacing="0" style="border-collapse: collapse; table-layout: fixed; width: 969px;"><tbody>
<tr height="19px"><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 86px;">
phoneFormatted</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
id</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 65.3333px;">
phone</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 62px;">
name</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
hide_sms</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 66px;">
hide_call_log</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 102px;">
block_incoming_calls</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 103.333px;">
block_outgoing_calls</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 104px;">
showSMSNotification</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 101.333px;">
showCallNotification</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 93.3333px;">
last_sms_received</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
added</div>
</td></tr>
<tr height="19px"><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 86px;">
816-200-<i>xxxx</i></div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
1</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 65.3333px;">
816200<i>xxxx</i></div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 62px;">
Test Person</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 49.3333px;">
1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 66px;">
0</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 102px;">
0</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 103.333px;">
0</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 104px;">
1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 101.333px;">
0</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 93.3333px;">
0</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:06:39 AM</div>
</td></tr>
</tbody></table>
<span style="font-family: inherit;"><i>Sorry, I'm not sharing my cell number :-)</i></span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><b>notes.db </b>table structure - created and updated Unix mSecs</span><br />
<table bgcolor="#FFFFFF" border="0" cellspacing="0" style="border-collapse: collapse; table-layout: fixed; width: 423px;"><tbody>
<tr height="19px"><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
id</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 60px;">
title</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 65.3333px;">
text</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 29.3333px;">
meta</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
type</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
created</div>
</td><td class="CellStyle_3" style="background-color: #f0f0f0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
updated</div>
</td></tr>
<tr height="19px"><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 60px;">
Test note 1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 65.3333px;">
Test note 1</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 29.3333px;">
</div>
</td><td class="CellStyle_4" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
0</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:02:30 AM</div>
</td><td class="CellStyle_5" style="background-color: #c0dcc0; border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:02:30 AM</div>
</td></tr>
<tr height="44px"><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 20px;">
2</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 60px;">
Test note 2</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 65.3333px;">
Test note 2<br />
<br />
This is a test</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 29.3333px;">
</div>
</td><td class="CellStyle_6" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; text-align: right; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 27.3333px;">
0</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:02:49 AM</div>
</td><td class="CellStyle_7" style="border-color: rgb(160, 160, 160); border-style: solid; border-width: 1px; font-family: Tahoma; font-size: 8pt; overflow: hidden; padding: 0px; vertical-align: middle;"><div class="cell" style="overflow: hidden; position: relative; width: 108px;">
10/17/2017 11:02:49 AM</div>
</td></tr>
</tbody></table>
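<span style="font-family: inherit;">As an added example (not code from the original post), the script below reads the Blacklist and notes layouts shown above from a SQLite database and converts the added/created/updated Unix millisecond values to UTC. Table and column names come from the headers above; the sample rows, phone numbers and timestamps are constructed placeholders built in memory.</span><br />

```python
"""Parse Hide It Pro's Blacklist (contacts) and notes tables and convert their
Unix-millisecond timestamps. Added example: builds an in-memory SQLite DB with
constructed rows; for a real case, connect to the app's own DB file instead."""
import sqlite3
from datetime import datetime, timezone

# Column names copied from the post's table headers; added/created/updated
# hold Unix epoch milliseconds.
BLACKLIST_DDL = """CREATE TABLE Blacklist (
    phoneFormatted TEXT, id INTEGER, phone TEXT, name TEXT, hide_sms INTEGER,
    hide_call_log INTEGER, block_incoming_calls INTEGER,
    block_outgoing_calls INTEGER, showSMSNotification INTEGER,
    showCallNotification INTEGER, last_sms_received INTEGER, added INTEGER)"""
NOTES_DDL = """CREATE TABLE notes (id INTEGER, title TEXT, text TEXT,
    meta TEXT, type INTEGER, created INTEGER, updated INTEGER)"""

# Constructed sample rows (placeholder phone numbers, not real data).
SAMPLE_BLACKLIST = [
    ("555-010-1234", 1, "5550101234", "Test Person", 1, 0, 0, 0, 1, 0, 0,
     1508256399000),  # 2017-10-17 16:06:39 UTC
]
SAMPLE_NOTES = [
    (1, "Test note 1", "Test note 1", None, 0, 1508256150000, 1508256150000),
    (2, "Test note 2", "Test note 2\n\nThis is a test", None, 0,
     1508256169000, 1508256169000),
]

def ms_to_utc(ms):
    """Unix epoch milliseconds -> 'YYYY-MM-DD HH:MM:SS UTC'; 0 or NULL -> ''."""
    if not ms:
        return ""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")

def build_sample_db():
    """Return an in-memory connection populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(BLACKLIST_DDL)
    conn.execute(NOTES_DDL)
    conn.executemany("INSERT INTO Blacklist VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                     SAMPLE_BLACKLIST)
    conn.executemany("INSERT INTO notes VALUES (?,?,?,?,?,?,?)", SAMPLE_NOTES)
    return conn

def parse_blacklist(conn):
    """Hidden contacts with the set flags listed and timestamps converted."""
    rows = []
    for r in conn.execute("SELECT * FROM Blacklist ORDER BY id"):
        flags = [c for c in ("hide_sms", "hide_call_log", "block_incoming_calls",
                             "block_outgoing_calls") if r[c]]
        rows.append({"id": r["id"], "name": r["name"], "phone": r["phone"],
                     "hidden": flags, "added": ms_to_utc(r["added"]),
                     "last_sms_received": ms_to_utc(r["last_sms_received"])})
    return rows

def parse_notes(conn):
    """Notes with created/updated converted; raw ms kept for the report."""
    return [{"id": r["id"], "title": r["title"], "text": r["text"],
             "created": ms_to_utc(r["created"]),
             "updated": ms_to_utc(r["updated"]), "created_ms": r["created"]}
            for r in conn.execute("SELECT * FROM notes ORDER BY id")]

if __name__ == "__main__":
    db = build_sample_db()
    for row in parse_blacklist(db) + parse_notes(db):
        print(row)
```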
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The encrypted folder does indeed encrypt files. I will let someone else with more time and capabilities figure out the encryption method used. The majority of users will not use this folder. Most store their photos in the Pictures folder, assuming that the hidden app is secure enough. Only files in the <b>encrypted</b> folder are encrypted. The rest are easily viewed in your forensic tool of choice.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: #cc0000; font-family: inherit;"><b>One other important note</b></span><br />
<span style="font-family: inherit;">If the user deleted the Hide It Pro app from their device, the app and the XML will not be available. However, the </span><span style="font-family: "courier new" , "courier" , monospace;">Language\.fr</span><span style="font-family: inherit;"> folder remains with all the files, folders and DBs.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">I hope this information is helpful in one of your cases. </span><span style="font-family: inherit;">I will be creating a custom artifact for Magnet's Axiom in the near future.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">If you have any suggestions, comments or questions, feel free to post them. As this is my first blog post, be kind.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Thanks!!</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>