
Investigators need the ability to gather evidence insights across a variety of data sources. This can include location data, chat messages and email stored on the device and deleted content. Yet the tools designed to extract their data are in a constant race against app updates, which can lead to evidence getting missed.
Uncovering the most amount of device data in digital investigations is often critical to finding the evidence needed for successful prosecutions. Text messages and conversations on third-party apps are a goldmine for examiners to tap into.
How apps are creating forensic tool blind spots
Application developers are creating, developing and altering apps as quickly as possible with no concern for the forensic aspect. Every update can introduce differences in storage formats and database structures, making it harder for investigators to find evidence or parse what is left in an ignored state by the tools. The tools cannot parse what they don’t support. Tools updates are not released as quickly as apps are.
In some cases, it could be as simple as a new column or table added to a database that can cause inefficiencies in the tools. In certain brands of phones, for example, Safari initially stored search history in a plist, and then switched over to a database, which change the file type.
If tools are designed to look for information in a specific location and it no longer exists, they get tunnel vision. Once the search for what the tools know is exhausted, data is simply not parsed for examiners.
It’s a constant loop of validation where an app comes in, you research it and build it into the tool. Then every so often, you look back on that app to make sure nothing has changed and you begin again by researching and updating the tool. It’s a constant life cycle.
Application research is necessary to prevent tools from missing data. The apps are constantly changing which continues to make forensic analysis hard, but this is where strong examination skills come into play and the art of creating test data and validation dives beyond what tools can offer.
The forensic upside of app updates
When apps update and the file responsible for storing user data changes, data can remain behind in older formats. This means even if the user tries to delete evidence, it can still be present in one file format while appearing non-existent in the next because the app will focus on the current format that it is using. Essentially, apps get tunnel vision too. They focus on the file storing the current data and overlook old files or tables. Photos.sqlite, the database responsible for tracking media files on iOS devices updated a table several iOS versions ago. Just because the table changed to ZASSET didn’t remove media information from ZGENERICASSET, the former table. Thus, if the tool parses metadata for media files only from ZASSET, thousands of files would be missed.
Whichever file the app is currently relying upon, that’s what information is being parsed rather than looking back at older data. This works in the investigator's favor as data may be preserved in legacy files containing data that the user and the system also believe no longer exists.
Knowing where to find the applications in the file system matters. If an examiner digs into the source directory or file, they will uncover the tables and files that contain user artifacts. There are so many methods of locating application data and one of the easiest is knowing how to keyword search in your tools. A keyword search will lead you to the path you need to be traveling to uncover potentially missing data.
The skills that tools can’t replace
Investigative skills such as SQLite queries, vendor keyword searching, and community resources like public device images that remain even as tech and apps update are key to digital investigations on third-party apps. There is a good chance you will need to examine an app that is old and you cannot create test data. Lean into the CTF and public images provided for to examine older applications or to simply compare to your case.
When searching for third-party applications, investigators should keyword search for not only the name of the application, but also the vendor who created it. If you look for the App Store, it may be that applications are listed under a different word, which should be searched for instead.
The two keywords of the app and the vendor are the strongest starting points. From here, it should take the investigator towards the directory where the application information is stored, and the databases should be examined.
This is where SQLite skills come in.
If a tool is not parsing the data, having foundational knowledge in SQLite analysis comes in extremely handy. Following proper investigative steps, such as keyword searching, database analysis, and SQLite querying, leads to the answers.
The evolution of third-party apps is a challenge to investigators, but it is also the reality of modern digital forensics and apps will only continue to develop. The same changes that hinder investigations are also the changes that preserve hidden evidence. The same gaps that create blind spots also create opportunities for skilled investigators.