Wednesday, November 20, 2019

Realm database storage primer for digital forensic examiners

Realm databases are non-relational storage structures that are being used in place of the traditional SQLite stores in many newer/updated mobile apps. As examiners we are faced with locating and parsing these newer data stores. As expected there is always a lag between newer technological applications and commercial forensic third party support. The purpose of this small primer is to enable you to find these Realm databases and access their contents.

Analysis Tools


What is a Realm database?

Some time ago I was made aware of a popular app that all of a sudden was not being properly supported by our usual forensic tools. When one of my colleagues told me that the data was contained within a Realm database I had no idea what he was talking about. A quick Google search led me to the developer's webpage, realm.io.

Alternative to SQLite. Interesting...
Realm is an alternative to the relational SQLite databases we are used to. In this model, called NoSQL, data is saved as objects. Imagine a database cell where you can store and manipulate not only a value but a list of values. The way Realm databases access these values makes apps that use this model faster than traditional SQLite stores. For a more detailed explanation of Realm capabilities, like zero copy, live objects, MVCC, and ACID, see here. Like all things in life there are pros and cons to each approach. I leave the reader to Google search why a developer would decide to build an app's data store on Realm or SQLite if interested. For our purposes we just want to find these databases and be able to see their contents.

Sample app that uses a Realm database

Usually I work on apps from the Google Play store to illustrate the extraction and parsing of data. In this case I used a simple Android project whose only purpose is to illustrate the input and output of data from a Realm database. Sadly the generation and extraction of sample data using a fully working app takes time and effort that I currently don't have. Using this simple project and an Android virtual machine I could do the generation and extraction of data in minutes for illustration purposes.

The Android project was made by Dheeraj Andra and it is a simple app that takes as input a name and age. These values are shown to the user on screen after being saved in the Realm database. Links to the project are included above. To generate the APK needed to run the app in my Genymotion virtual machine I used Android Studio. With the APK in hand I ran it on my virtual machine. The following is an image of the app in use:

Sample Realm app
At the top the user enters values and these are shown back at the bottom part of the app.

Storage location

As with any Android app, the data of relevance is contained within the application directory. With SQLite databases the data is usually contained in the databases directory. By contrast this Realm app, as well as others I have come across lately, has no databases directory.

Where is the databases folder?
The data we seek resides in the files folder, and the files we need to extract are the ones that end in the .realm extension.

Get the .realm file!
As explained in some of the links above Realm databases have no need for write ahead logs or rollback journal files. In this example extracting the default.realm file has all the data we seek.

How to view Realm database contents

What do we do with the file after it is extracted? The database developers have a free tool called Realm Studio. Open the .realm file with Realm Studio and you will be able to browse the contents.

Values
As an app has more classes and more data it can be useful to export the contents in JSON format for further analysis. It goes without saying that when an examiner transforms the data for parsing and analysis great care has to be taken to validate every single piece of resulting data. The farther we move away from the original format the more important it is to keep direct links back to it.

In the previous image the bottom part of the screen shows the contents of the sample realm database while the upper part is the same data in JSON format.

Recently (November 19, 2019) Cellebrite announced that their Database viewer tool product had Realm database support.
I expect other vendors in the space to follow suit. This is important because I foresee Realm databases, as well as JSON and protobuf, becoming common in the near future as mobile app data stores.

Last but not least remember that having multiple ways of looking at a data set is important for validation purposes.
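As an added illustration (my own helper, not code from the original post, the sample project or Realm Studio), the following Python script performs the workflow above on an extracted app directory: it locates and hashes every .realm file under the files folder, summarizes a JSON export by class, and cross-checks the export's string values against the raw bytes of the original file as one independent way of looking at the same data. The export layout (a JSON object keyed by class name) and the assumption that an unencrypted .realm file stores strings as plain UTF-8 are mine, not something the post states.

```python
import hashlib
import json
from pathlib import Path


def find_realm_files(app_dir):
    """Locate *.realm files under an extracted Android app directory.

    Realm-backed apps keep their store under files/ (e.g. files/default.realm)
    rather than in the databases/ directory used by SQLite-backed apps. A
    SHA-256 is recorded per file so later exports can be tied back to it.
    Returns {relative_posix_path: sha256_hex}.
    """
    app_dir = Path(app_dir)
    return {
        p.relative_to(app_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(app_dir.rglob("*.realm"))
    }


def summarize_export(export_json):
    """Summarize a JSON export as {class: {"count": n, "fields": [...]}}.

    Assumed layout (constructed for this example): a JSON object keyed by Realm
    class name, each value a list of objects holding field/value pairs.
    """
    summary = {}
    for cls, objects in json.loads(export_json).items():
        fields = sorted({k for obj in objects for k in obj})
        summary[cls] = {"count": len(objects), "fields": fields}
    return summary


def cross_check_strings(realm_path, export_json):
    """Heuristic validation of an export against the original .realm bytes.

    Assumes an unencrypted file in which string values are stored as plain
    UTF-8. Every string value in the export is searched for in the raw file;
    values not found are returned as (class, field, value) for manual review.
    Absence is a prompt to look closer, not proof that the export is wrong.
    """
    raw = Path(realm_path).read_bytes()
    missing = []
    for cls, objects in json.loads(export_json).items():
        for obj in objects:
            for field, value in obj.items():
                if isinstance(value, str) and value.encode("utf-8") not in raw:
                    missing.append((cls, field, value))
    return missing
```

Run it against the extracted application directory first, record the hashes in your notes, and only then open the file in Realm Studio and export; the cross-check is meant to flag export values worth verifying by hand, not to replace that verification.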

As always I can be reached on twitter @AlexisBrignoni and via email 4n6[at]abrignoni[dot]com.