When processing an Apple device, check the files located in /private/var/mobile/Library/WebKit/Databases.
The Databases.db file is a SQLite Database file that contains a listing of databases. This file can include (https) Google Mail and Yahoo Mail. The corresponding file name is listed for each database entry.
The individual files are located in /private/var/mobile/Library/WebKit/Databases/https_mail.google.com_0/ with filenames similar to 0000000000000001.db. This SQLite database contains a full listing of the mail, including messages and full information about each message (to / from / subject / attachments / status (draft/deleted/trash/unread etc.)).
Information relating to Facebook and YouTube activities also can be found in these databases.
This can be a gold mine that is overlooked by many investigators.
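As an added example that is not from the original post or any of the tools mentioned: a small Python triage script that walks a Databases.db listing and resolves each entry to its per-origin file, flagging entries whose file is missing. It builds its own constructed sample tree and assumes the Databases table layout from WebKit's DatabaseTracker (origin, name, displayName, estimatedSize, path), which the post does not state.

```python
import os
import sqlite3
import tempfile

# Column layout assumed from WebKit's DatabaseTracker schema; the post does not state it.
DATABASES_SQL = ("CREATE TABLE Databases (guid INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "origin TEXT, name TEXT, displayName TEXT, estimatedSize INTEGER, path TEXT)")

def build_sample(root):
    """Constructed stand-in for a device's WebKit/Databases directory (not real evidence)."""
    origin = "https_mail.google.com_0"
    os.makedirs(os.path.join(root, origin), exist_ok=True)
    with sqlite3.connect(os.path.join(root, "Databases.db")) as con:
        con.execute(DATABASES_SQL)
        con.executemany("INSERT INTO Databases(origin, name, displayName, estimatedSize, path) "
                        "VALUES (?, ?, ?, ?, ?)",
                        [(origin, "mail", "Gmail", 1024, "0000000000000001.db"),
                         ("https_mail.yahoo.com_0", "ymail", "Yahoo Mail", 512, "0000000000000002.db")])
    # Only the first listed file is created: the Yahoo entry is a dangling reference
    with sqlite3.connect(os.path.join(root, origin, "0000000000000001.db")) as con:
        con.execute("CREATE TABLE messages (id INTEGER, subject TEXT, status TEXT)")
        con.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                        [(1, "Meeting notes", "unread"), (2, "Invoice", "deleted")])

def list_databases(root):
    """Resolve every Databases.db entry to <root>/<origin>/<path> and note whether it exists."""
    with sqlite3.connect(os.path.join(root, "Databases.db")) as con:
        rows = con.execute("SELECT origin, name, displayName, path FROM Databases ORDER BY guid").fetchall()
    return [{"origin": o, "name": n, "displayName": d,
             "path": os.path.join(root, o, p), "exists": os.path.isfile(os.path.join(root, o, p))}
            for o, n, d, p in rows]

def summarize_db(path):
    """Open a resolved database read-only and return {table: row_count} for quick triage."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in tables}
    con.close()
    return counts

def run_demo():
    """Build the sample tree in a temp dir, enumerate it, and summarise each existing file."""
    root = tempfile.mkdtemp()
    build_sample(root)
    entries = list_databases(root)
    summaries = {e["origin"]: summarize_db(e["path"]) for e in entries if e["exists"]}
    return entries, summaries
```

On a real extraction, point `list_databases` at the copied Databases directory instead of calling `build_sample`, and open files read-only as `summarize_db` does so the evidence is not modified.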
Yep, it is a great file. Some tools like OFS can easily open it in a table view to view data in a more convenient way.
Old news, but it would be nice to tell people how that gets populated as well. Simply, if one does not use an app and uses the Safari browser to go to Gmail, Google Voice, Yahoo, etc., it's basically using HTML5. The databases are then populated. There is a lot of information to be gathered. But you won't get the complete message. You will get subject lines and snippets.
Hmm, no news or old news, I am sure there is someone out there that thanks BruceD for his post and information... Um, there is... Me! THANKS Bruce for the information, I know it will help many people out there and keep up the GREAT work!
Excellent comments. The purpose of the post is to encourage examiners to look beyond what is handed to them by automated tools. Although this is old to some, it is new to others. There are many new examiners entering the field. Thanks to Sean, Lee and OFS.