New parser for Uber app in iOS using iLEAPP
🗜 Data contained in LevelDB data structures
⏳ Timestamps
📍 GPS coordinates + horizontal accuracy
🚘 Speed
🗺 Active trip information
🔗 Get it here: https://github.com/abrignoni/iLEAPP
Thanks to CCL Solutions & Alex Caithness for the LevelDB libraries used in this artifact.
Libraries are located here: https://github.com/cclgroupltd/ccl_chrome_indexeddb
#DFIR #FLOSS #FOSS #MobileForensics #DigitalForensics
Last week the awesome Heather Charpentier (my co-host on the Digital Forensics Now Podcast) and myself were working on building a parser for Google Chats in iOS. As we were looking for the location where images were share via the chat we came across a SQLite database called cacheV0.db in the /private/var/mobile/Data/Application/GUID/Library/Caches/com.google.Dynamite/ImageFetcherCache/ directory.
 |
| The cacheV0.db file in context. |
Even though we found the images tied to the chats somewhere else in the application directory, this database had a smaller resolution copy of all the files that were sent via the chats to include user avatars that were not shared via user attributable action. The database also contained images that were from deleted chats that did not remain in the folder where the chat images are kept.
It seems this database is similar in function to the Glide Image Manager Cache functionality found in some Android apps where this functionality generates and keeps a thumbnail of every image that has been rendered by the app's interface. In this context rendering means showing the image to the user within the interface of the application. You can watch a video detailing the Glide Image Manager Cache functionality and forensic significance here: https://youtu.be/Rlp-h9V6FI0
The cacheV0.db is comprised of only one table called cache that contains only two fields called id and data. The id field is of integer type and it is sequentially incremented starting at number one. The data field is of blob type and contains the thumbnail like images mentioned previously.
 |
| The cache table. |
Some details about how the database is implemented per our observations:
In summary it seems this database:
If anyone comes across additional implementations of this database do share your findings.
In order to automate the parsing of these databases in iOS I have created the Image CacheV0 parser in iLEAPP.
 |
| iLEAPP parser for cacheV0.db |
For questions or comments find me on all social media here: https://linqapp.com/abrignoni
Have you heard about binary JSON in SQLite? I hadn't. Today I was made aware of it by digital forensics examiner and software developer extraordinaire Alex Caithness.
Why would this data need to be in binary format? Per the jsonb specification there will be a reduction in data size as well as faster processing speed.
After downloading SQLite 3.45 on a Windows VM, I generated some synthetic plain text JSON data.
After importing the data I encoded the blob by using the following query:
UPDATE data set jsonblobdata = jsonb(jsonblobdata);
After the UPDATE query I ran a SELECT query to see how the data would look.
 |
| JSON binary blob |
Here is the blob field view with hex.
 |
| JSON binary blob with hex |
One of the issues with binary data structures is that text searching an extraction will be less and less productive. SQLite binary JSON does not seem to compress data that much but I can foresee a future where it will just like LevelDB or other formats. Being aware of compressed binary data, and the need to access it in clear text format, will be a key function for digital examiners today and into the future.
In order to present the blob data in clear text I used the following query:
SELECT keyf, json(jsonblobdata) from data;
The json() function does all the work for you.
 |
| Clear-text JSON |
After that one can deal with the JSON data as one usually does.
For questions or comments find me on all social media here: https://linqapp.com/abrignoni