
Posts

ChatHour Chat/Messaging - Android

Artifacts for ChatHour (Android)
I'm working on an Android tablet case and slowly scrolling through the application folders. The usual thousands of com.android.blah_blah ... just keep scrolling. Then I saw it, a name I've not seen before. Even more important, this is a case involving "messaging".

com.chathour.android

The game's afoot!

Browse For Data
The next step in my process is to start browsing files and folders for recognizable data names. The fun is just beginning when you see the familiar db folder and file(s) inside with the .db extension.
com.chathour.android/db/chathour.db
But don't stop there. It's always a good choice to check all the other files and folders because you just never know. Sure enough, another folder sp contained .xml files with more useful information.
com.chathour.android/sp/admob.xml
com.chathour.android/sp/chathour_pref.xml
When dealing with an app that you've never seen before, don't stop at the first sign of data. Keep …
Recent posts

Text Based Treasure: qBittorrent Log File

qBittorrent Data
It has been a few months since my last forensic (4N6) blog post. I had a slight heart issue in July 2018. I'm so excited to be back into the 4N6 work and finding new information to share!
I've noticed that many of the criminal P2P sharing cases involved the qBittorrent application. For some reason, over the last year, it has become the "go to" P2P application. There are plenty of Digital Forensic resources available on uTorrent, the BitTorrent protocol and the great, free, BENcode tool for looking at .torrent and .dat files.
BEncode Editor Link
I did not find much data specific to the qBittorrent application. The obvious next step was to download it and start playing ... I mean testing. Understanding how the program worked from a user perspective is important. The application interface is very similar to that of uTorrent and is as easy to use. The Internet Archive has numerous free classic movies available for download via Torrent. This is a good pla…

How to Explain Deleted Data: For Attorneys, Clients, Juries and More

How to Explain Deleted Data
For Attorneys, Clients, Juries and More
I was recently asked by a colleague for an analogy to help them explain how it was possible to recover data that a user had deleted and emptied from the Recycle Bin. The question reminded me that it’s easy to slip into the belief that everyone inherently knows how stuff works. Attending forensic training and conferences, we sometimes forget that what appears to us to be basic and simple can sound like Star Trek: The Next Generation’s well-known technobabble, e.g. “Increase the neutrino stream to the warp engine transducers”.
Completing reviews of digital data and finding new artifacts can be exhilarating for a forensic investigator. The feeling of accomplishment at finding the truth from the data is euphoric. That is the fun part. The truly difficult part comes when we have to explain the information verbally and in written form so that it is useful to those that need it most. The recipients can include management, clients,…

Reviewing PDFs: Reports & Discovery

Quick Tip on Reviewing Report/Discovery PDFs
Acrobat Document Scrolling Settings:
Changing Acrobat so that documents are automatically set to Single Page Scrolling view as default

This isn't my typical forensics blog, but I'm sure I'm not the only one that reviews numerous pages of reports/discovery before performing a forensic examination. If you are not reviewing reports prior to an exam, how do you know what you are looking for?
I've always been annoyed by the default view in Acrobat. Trying to scroll through a PDF and having it jump to the next page when I'm still reading the previous page at the bottom. I seemed to waste time changing the Page Display setting under View for continuous scrolling. Not only does this make it easier to read, but it also makes scrolling through an OCR'd PDF faster. This is especially true when scrolling with a wheel-mouse, touchpad or on touchscreen computers. 
1. Open Adobe Acrobat
2. Go to Edit | Preferences
3. Select Page Displa…

FB Messenger App (Android) Media Files Share Tracking

Facebook Messenger (Android) App
Media Files Share Tracking

In past blog posts, I've stressed the importance of testing and validating information. This post is no different. It's imperative that as a digital forensic investigator, we test apps from the user's perspective and then analyze what happens to the data behind the scenes.

I recently had a case which featured a specific media file artifact located in the "fb_temp" folder of the Facebook Messenger app. At first glance, the assumption would be that the user must have sent this media to someone using the app. But we all know what happens when we assume.

Below is the testing I conducted and the information I found that can help you track whether files or media were actually shared in the app and when.

FACEBOOK MESSENGER TESTING METHODOLOGY
A video was located in the Facebook Messenger app’s fb_temp folder on an Android phone. Since “temp” denotes a temporary folder, it was necessary to test Facebook Messenger …

Timelines in P2P Forensic Cases

Timelines in P2P Forensic Cases (2018-03-11, Troy Schnack)
Creating a timeline of activity in a digital forensic (4n6) case can be vitally important to the ultimate goal of placing a person at the scene. In criminal 4n6 cases, the investigator, whether law enforcement or defense, is assigned the task to put a “butt in the seat”. This blog is intended to help avoid the many misconceptions seen regarding dates / times (DT) on reports from both sides. We’ve all spent countless hours gathering various artifacts and combining the data into a timeline. I’ve used my past mistakes and testing to help you avoid the same errors.
The sole intent of this blog is to help find the truth. Information and technology are continually changing. Please feel free to identify any incorrect conclusions or other errors on my part, as I’m always excited to learn. Brett Shavers (Blog) and others have written about our innate need to solve problems and the processes we can employ. 4n6 investigators use information ga…

One is Silver and the other Gold

Working cases this last week, an old song that we sang as kids at summer camp has been on my mind. The lyrics were something like this:
              Make new friends, but keep the old
              One is silver and the other gold
This same sentiment should be applied to the forensic world as well. Rephrasing to:
              Find new artifacts, but keep the old
              One is silver and the other gold
The recent cases I’ve worked have included new mobile tech we all need to know and learn. The thing is, it almost always also includes PCs as well. Many times it also includes some kind of P2P program from Ares and eMule to BitTorrent. Without fail, I continue to lean on the basic forensic knowledge I learned all those years ago from my first forensic training course in 2002.
Basic metadata like OS file dates/times cannot be properly interpreted without knowing the version of Windows running on the system. (i.e. Last Accessed post Windows XP) Foundational information like this …

Hide It Pro App Forensics - Android

Hide It Pro App Forensics - Android
Welcome to my first blog post. Following #DFIR on Twitter has convinced me it's about time I started sharing some information with the community. Luckily, I ran across some good info during a recent investigation. Using the data below, I hope it helps save someone else a lot of time if you run across this app during your own investigations.
I came across some questionable images on an Android phone. The problem was, they were located in a folder that I wasn't familiar with. 
ProgramData\Android\Language\.fr\Pictures

Like many forensicators, not knowing is maddening. Using the all-powerful Google, I found a clue as to the app's origins. Thanks to  and his post , I found out the odd folder was created by the Google Play app Hide It Pro.


It is very important to understand how an app works and is viewed by a user before digging into the bits behind the curtain. If you don't understand how an app functions for a user, the …