There may also be groups under -groups.įigure 6 - AppGroup information in Entitlements section (in plist) If this App creates a shared AppGroup, then it will show up under -groups. The Entitlements dictionary has a lot of information in it. In figure below, you can see the extensions for the app.įigure 5 - Plist (for - cs_info_id 456) from 'code_signing_data.data' The child_bundles table lists extensions and their owner Apps. The database structure is simple with just 3 main tables (and an sqlite_sequence one).įigure 2 - containers.sqlite database tables This database is listed in the SANS smartphone forensics poster, but I couldn't find any details on it elsewhere.
It does not have information about UUIDs. As far as I can tell, this is the only place where this information is stored (apart from caches and logs). It precisely lists all Apps, their extensions, AppGroups and Entitlements. It is located at /private/var/root/Library/MobileContainerManager/containers.sqlite3 The shared containers are identified by AppGroups.įigure 1 - iOS App, Extension, container relationships - Source: Solutionįortunately, there is a database that tracks container information on iOS. The diagram below does a good job of summarizing this. Before we proceed further, its important to understand the relationships between extensions, apps and shared containers. Hence we search for something with a more direct reference connecting Shared Containers to their Apps. A program cannot know that corresponds to. The Problemįor automated analysis, this approach does not work, as each app follows its own convention on naming for ids. For example, the Notes app has bundle_id and one of its shared groups (where the actual Notes db is stored!) has the id.
FORENSIC HEX EDITOR FOR MAC OSX MANUAL
For manual analysis, this works out great, as you can visually make out the app name from the group name. /private/var/mobile/Containers/Data/PluginKitPlugin/ UUID/Īs noted by Scott, the iLEAPP tool does this too, reading all the plists and listing out the path and its group name./private/var/mobile/Containers/Data/InternalDaemon/ UUID/./private/var/mobile/Containers/Shared/AppGroup/ UUID/./private/var/containers/Shared/SystemGroup/ UUID/._container_ file under each of the UUID folders: The suggested method by Scott Vance here, and recommended by few others too is to look for the.
However locating the sandbox folder for its AppGroups (and Extensions) is not so straight-forward. One simply needs to look at the applicationState.db sqlite database located under /private/var/mobile/Library/FrontBoard/ This is well known. Tracking down an iOS application's Data folder, aka, SandboxPath in iOS is fairly easy. Of these, useful data can be found in trainingcache2.db, trainingcache3.db and trainingcachev2.db. In different versions of the app, the database formats and names have changed a bit. These are the files that contain the caches.įigure 1 - Contents of Gboard's databases folder (v 10.70508) Here you might see a number of databases that start with trainingcache*. LocationGboard's app data (sandbox) folder is located here: The specific versions of Gboard databases studied were:
FORENSIC HEX EDITOR FOR MAC OSX ANDROID
Josh Hickman's Android 10 Pixel 3 image was also used, and Josh was able to verify that Telegram and WhatsApp sent messages were present here. This was also verified on other earlier taken images.
All testing was on a Pixel 3 running latest Android 11 using the default keyboard, and default settings. Note - The Signal app wasn't specifically tested to see if data from that app is retained, but based on what we can see here, it seems likely those messages would end up here too. Also for some apps that don't track when a particular item was created/modified, this could be useful. From a DFIR perspective, that is GOLD. For a forensic examiner, this can possibly show you data that was typed by the user on an app that is now deleted, or show messages typed that were then deleted, or messages from apps that have the disappearing message feature turned on! Or data entered into fields on web pages/online apps (that wouldn't be stored locally at all). This is at least seen from the version from Jan 2020 (v 8.3.x). Since the last few versions, it also retains a lot of data (ie, user keystrokes!) in its cache. Gboard - the Google Keyboard, is the default keyboard on Pixel devices, and overall has been installed over a billion times according to the Play Store.Īlthough not the default on most non-Google brands, it is a popular app installed by foreign language users because of its good support and convenience of use particularly with dozens of Asian and Indian languages.Īs a keyboard app, it monitors and analyzes your keystrokes, offering suggestions and corrections for spelling and grammar, sentence completion and even emoji suggestions.
0 kommentar(er)
