Skip to main content

Hide It Pro App Forensics - Android

Hide It Pro App Forensics - Android

Welcome to my first blog post. Following #DFIR on Twitter has convinced me it's about time I started sharing some information with the community. Luckily, I ran across some good info during a recent investigation. Using the data below, I hope it helps save someone else a lot of time if you run across this app during your own investigations.

I came across some questionable images on an Android phone. The problem was, they were located in a folder that I wasn't familiar with. 

ProgramData\Android\Language\.fr\Pictures

Like many forensicators, not knowing is maddening. Using the all powerful Google, I found a clue to as to their app origins. Thanks to  and his post , I found out the odd folder was created by the Google Play app Hide It Pro. 



It is very important to understand how an app works and is viewed by a user before digging into the bits behind the curtain. If you don't understand how an app functions for a user, the underlying data can be misinterpreted. 

The path to Language\.fr has NO bearing on the phone's language choice. This folder is used for obfuscation. In all testing, the installation used this specific folder to store the data.


The Hide It Pro app camouflages itself when installed as Audio Manager.



NOTE: The underlying folder structure shown later including SQLite DB files, sub-folders for Pictures, Videos and etc DO NOT get created upon the app's installation. Only after the app is first opened and configured do these folders get created.

When the user opens the app initially, it displays a prompt on how to access the hidden data. It then requests a PIN or password to be entered, followed by a recovery e-mail address. I've included screenshots of this process including the PIN and e-mail address I used for reference later when analyzing the data stored on the device.
Once setup, the user holds down the "Audio Manager" logo, enters their PIN/password and the true app is revealed.
The app allows the user to add photos, video, audio into the folders from the phone's gallery. SMS texting is also available with an add-on app which allows the user to create a hidden contact list and communicate via SMS without having the data be seen by the device's default texting app. Notes can also be made here away from prying eyes.

Let's now look at how to view all this data from a forensic examination. All the data reviewed below can be accessed via a logical image of the phone. A physical image isn't necessary to investigate this app. I tested this using Magnet's Aquire to obtain a logical ADB backup of the test device.

The first artifact to look for is the file com.hideitpro_preferences.xml located in apps/com.hideitpro/sp/ folder. The XML contains either the PIN or password set by the user in plain text. It also includes the recovery e-mail address. The XML from my test device is shown below.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="lockType">pin</string>
    <string name="pin">1234</string>
    <boolean name="setupCompleted" value="true" />
    <boolean name="fingerprint" value="false" />
    <int name="locktype" value="5" />
    <boolean name="lsup" value="false" />
    <string name="ve">0!true:1!true:2!true:3!true:4!true:5!true:6!true:7!true:8!true:9!true:10!true:11!true:</string>
    <string name="recoveryEmail">troyschnack@gmail.com</string>
    <int name="launchCount" value="1" />
</map>
The remaining artifacts are located in the ProgramData\Android\Language\.fr\ folder. 
Exploring the Audio, Pictures and Videos folder will reveal their contents. However, we want to know when and where the data came from. For that information, the SQLite DB files are the key. I used Sanderson Forensics SQLite Browser for the analysis. Photos added to the app are simply copied from their current location. If the user does not delete the original photo, it will remain. Photos with no path indicate that the photo was copied from the phones default photos storage rather than a subfolder.

The first DB file to review is sys. The sys DB contains the following fields
id
album
title
filename
originalPath
added
dateTaken
size
type
duration
rot
ord
latitude
longitude
1
New Album
Screenshot_2017-10-17-06-15-22.png
Screenshot_2017-10-17-06-15-22.png
10/17/2017 11:15:25 AM
1173568
1
2
New Album
stanza-art-fortuna.jpg
stanza-art-fortuna.jpg
10/17/2017 11:14:44 AM
139139
1
3
New Album
Screenshot_2017-10-17-06-15-05.png
Screenshot_2017-10-17-06-15-05.png
10/17/2017 11:15:08 AM
2350615
1
4
Messages
Screenshot_2017-02-16-14-46-28.png
Screenshot_2017-02-16-14-46-28.png
10/17/2017 11:07:40 AM
77911
1
5
New Album
Screenshot_2017-10-17-06-15-22
U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTIyLnBuZw==~
Pictures/Screenshots
10/17/2017 11:16:30 AM
10/17/2017 11:15:25 AM
1173568
1
0
0
0
0
6
New Album
stanza-art-fortuna
c3RhbnphLWFydC1mb3J0dW5hLmpwZw==~
Download
10/17/2017 11:16:30 AM
10/17/2017 11:14:45 AM
139139
1
0
0
0
0
7
New Album
Screenshot_2017-10-17-06-15-05
U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTA1LnBuZw==~
Pictures/Screenshots
10/17/2017 11:16:30 AM
10/17/2017 11:15:08 AM
2350615
1
0
0
0
0
8
New Album
20171017_062143
20171017_062143.mp4
DCIM/Camera
10/17/2017 11:22:28 AM
10/17/2017 11:21:53 AM
18006499
2
8640
0
0



The date "added" uses Unix mSecs while the "datetaken" uses Unix Secs format. If the file was copied from a folder on the phone, it will be populated in this table. (i.e. Pictures, Downloads etc)

The aqua DB will only be present if the user sent SMS texts, made a call or created a contact. All three tables exist inside the aqua DB. The same goes for the notes.db which will only exist if the user created notes.

 aqua SMS table structure - added Unix mSecs
id
uid
sms_subject
sms_body
type
seen
added
1
1
test sms 1
8
1
10/17/2017 11:06:53 AM
2
1
test sms 2
8
1
10/17/2017 11:07:03 AM

 aqua Blacklist (contacts) table structure - added Unix mSecs
phoneFormatted
id
phone
name
hide_sms
hide_call_log
block_incoming_calls
block_outgoing_calls
showSMSNotification
showCallNotification
last_sms_received
added
816-200-xxxx
1
816200xxxx
Test Person
1
0
0
0
1
0
0
10/17/2017 11:06:39 AM
Sorry, I'm not sharing my cell number :-)

 notes.db table structure - created and updated Unix mSecs
id
title
text
meta
type
created
updated
1
Test note 1
Test note 1
0
10/17/2017 11:02:30 AM
10/17/2017 11:02:30 AM
2
Test note 2
Test note 2

This is a test
0
10/17/2017 11:02:49 AM
10/17/2017 11:02:49 AM

 The encrypted folder does indeed encrypt files. I will let someone else with more time and capabilities figure out the encryption method used. The majority of users will not use this folder. Most store their photos in the Pictures assuming that the hidden app is secure enough. Only files in the encrypted folder are encrypted. The rest are easily viewed in your forensic tool of choice.

 One other important note
If the user deleted the Hide It Pro app from their device, the app and the XML will not be available. However, the Language\.fr folder remains will all the files, folders and DBs.

 I hope this information is helpful in one of your cases. I will be creating a custom artifact for Magnet's Axiom in the near future.

 If you have any suggestions, comments or questions, feel free to post them. As this is my first blog post, be kind.

 Thanks!!

Comments

  1. Troy Schnack's BlogNovember 2, 2017 at 3:41 AM

    The custom AXIOM artifact is now posted on Magnet's Artifact Exchange

    ReplyDelete

Post a Comment