Last week we hosted a webinar, “Using Geolocation Artifacts and Timeline Analysis to Solve the Case: A Digital Forensics Case Study”, where we presented a fictional case study and looked at the resulting artifacts from a PC and an Android phone. Thank you to everyone who joined us and for all the great questions asked! This blog post features some of the questions that were asked, including one that we didn’t have time to answer during the webinar.
Without any further ado, here are the questions and answers:
Q: “If using a VPN can you still get Internet history information?”
A: Yes, even when using a VPN the web browser will save history records (on a PC or mobile device) unless the browser settings have been set so that saving browsing history has been specifically turned off. Even in those cases, traces of web browser usage/URLs can be found, as we’ve detailed in previous blog posts.
Q: “With Google now using HTTPS for all search results, will this change the data stored in the Android browser2.db file?”
A: No, the data stored in the web browser history file, browser2.db, will not change. The use of HTTPS for search results just means that the content of the search results that Google serves up will be encrypted for anyone capturing packets on the wire/wirelessly. It doesn’t change how the URLs are formed, so they will continue to contain the search terms unless Google starts to encode the URLs in some way. Additionally, the web page title data stored in the browser2.db SQLite file provides an indication of what the search terms were as well (e.g. “who is buddy the elf – Google Search”).
Q: “Is there a way to ensure the collected messages were not spoofed? (my understanding is that with a rooted phone, one could hypothetically plant any data in the DB)”
A: That is correct, with a rooted or jailbroken phone, the user can access the databases behind various 3rd party applications (or native apps) and could potentially change the data in the databases for nefarious reasons. There are a number of ways to detect this activity. If you only have the single device to work with, you can check the last modified time of the database and compare that with timestamps in records within the database to see if there are any obvious discrepancies. Within the database, you can find inconsistencies that would point to tampering with the data. For example, for the Google searches in our case study, there are timestamps stored in the URLs along with the timestamps stored by the browser for each record. If someone only changed the timestamp for the record but didn’t realize there was a timestamp in the URL data itself, they may miss that and therefore leave a clue behind. Finally, if you have both devices, you’re in a good spot since you can cross-validate data between the two devices. While you can tamper with the data on your own device, you can’t tamper with the remote data (unless you’re somehow able to remotely get root access to that device as well, in which case all bets are off).
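The two answers above (recovering search terms from browser2.db URLs and titles, and checking a history database for tampering) can be put into a single script. The following is an added example written for this post, not code from the webinar or from Magnet Forensics. It assumes a browser2.db-style `history` table with `url`, `title` and `date` (milliseconds since the epoch) columns, which is an assumption to confirm against the real schema, and it uses a hypothetical `ts` query parameter to stand in for the timestamp embedded in the search URL; the real parameter name and encoding are not given here. All rows are constructed sample data.

```python
import os
import sqlite3
import tempfile
from urllib.parse import parse_qs, urlparse

# Constructed sample rows in the shape of a browser2.db "history" table.
# Schema assumption: (url, title, date in ms since the epoch). The "ts"
# parameter is a hypothetical stand-in for the URL-embedded timestamp the
# answer mentions; verify the real parameter on the device under examination.
SAMPLE_ROWS = [
    ("https://www.google.com/search?q=who+is+buddy+the+elf&ts=1386691200",
     "who is buddy the elf - Google Search", 1386691205000),
    ("https://www.google.com/search?q=north+pole+directions&ts=1386694800",
     "north pole directions - Google Search", 1386694810000),
    # URL carries no q= parameter, so only the page title reveals the search.
    ("https://www.google.com/search?hl=en",
     "elf costume - Google Search", 1386695000000),
    # Stored record date rolled back about eight days; URL timestamp untouched.
    ("https://www.google.com/search?q=cover+story&ts=1386698400",
     "cover story - Google Search", 1386000000000),
    ("https://example.org/about", "About us", 1386700000000),
]

GOOGLE_TITLE_SUFFIX = " - Google Search"


def build_sample_db(path):
    """Create a browser2.db-style history table holding the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE history (url TEXT, title TEXT, date INTEGER)")
    conn.executemany("INSERT INTO history VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()
    return path


def search_terms(url, title):
    """Recover the query from the q= parameter, falling back to the page title."""
    params = parse_qs(urlparse(url).query)  # decodes '+' and %XX escapes
    if "q" in params:
        return params["q"][0]
    if title and title.endswith(GOOGLE_TITLE_SUFFIX):
        return title[: -len(GOOGLE_TITLE_SUFFIX)]
    return None


def list_searches(db_path):
    """Return (search terms, record date) for every row that looks like a search."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT url, title, date FROM history ORDER BY date").fetchall()
    conn.close()
    found = [(search_terms(u, t), d) for u, t, d in rows]
    return [(terms, d) for terms, d in found if terms]


def url_vs_record_discrepancies(db_path, tolerance_s=300):
    """Flag rows whose URL-embedded timestamp disagrees with the stored record date."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT url, date FROM history").fetchall()
    conn.close()
    flagged = []
    for url, date_ms in rows:
        params = parse_qs(urlparse(url).query)
        if "ts" not in params:
            continue
        drift = date_ms / 1000 - int(params["ts"][0])  # seconds, record minus URL
        if abs(drift) > tolerance_s:
            flagged.append((url, round(drift)))
    return flagged


def mtime_vs_newest_record(db_path):
    """A file last modified before its newest record was written is suspicious."""
    conn = sqlite3.connect(db_path)
    (newest_ms,) = conn.execute("SELECT MAX(date) FROM history").fetchone()
    conn.close()
    mtime = os.path.getmtime(db_path)
    newest = newest_ms / 1000
    return {"mtime": mtime, "newest_record": newest, "suspicious": mtime < newest}


def demo():
    """Build the sample database in a temp dir and run all three checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = build_sample_db(os.path.join(tmp, "browser2.db"))
        result = {
            "searches": list_searches(db),
            "discrepancies": url_vs_record_discrepancies(db),
            "mtime_ok": not mtime_vs_newest_record(db)["suspicious"],
        }
        # Simulate a file whose mtime predates its newest row (clock rollback or backdating).
        os.utime(db, (1386000000, 1386000000))
        result["backdated_suspicious"] = mtime_vs_newest_record(db)["suspicious"]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The tolerance in `url_vs_record_discrepancies` allows for the few seconds between the server stamping the URL and the browser committing the history row; a drift of hours or days is what points at an edited record. None of these checks proves tampering on their own, but together with the cross-device comparison described in the answer they give a defensible basis for questioning a record.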
Q: “If a fake Facebook page is created and later on removed how can you determine the identity of the person who made the page?”
A: If you have a device that accessed the page while it still existed, you may be able to find artifacts that identify the page. For example, you might be able to find the username or user ID for the profile page, or a group ID, or a URL for the page that was accessed while the page still existed. Once you have one or more of these items, you can request more data from Facebook directly by submitting a request in accordance with their legal process guidelines.
(Please note: Some of the above questions may have been edited for brevity or clarity.)
Again, I’d like to thank everyone who attended the webinar or watched the recording. We hope you found it valuable and look forward to producing more informative webinars. If you have any suggestions for future webinars, please don’t hesitate to contact us with your ideas. You can always reach me by email with any questions, suggestions, or requests at jad(at)magnetforensics(dot)com.
All the best,
Jad and the Magnet Team
