I am back from Dagobah

Not that I have neglected anyone, but working on the 2nd Edition of my book, Mobile Forensic Investigations, as well as working to help grow Oxygen Forensics, Inc., I have been a bit busy. Furthermore, the travel is part of my world so that also makes it rather difficult to concentrate on getting things out, but I cannot contain myself…

As I sat on the plane I started to watch a webinar that had been sent to me a bit ago to watch since it related to SQLite databases. So, since the WiFi was not working and there was no personal entertainment I felt it was time to watch! This particular webinar was about a new feature in a commercial mobile forensic tool that allowed for the building of queries to support applications that are not auto parsed by said application. This is particularly intriguing since I actually wrote a C# tool called SQLQuery Builder a few years back and I happen to really enjoy SQLite. What could go wrong… I found out a lot.

As it started, and I was introduced to the new feature SQL Query Builder (yes, I am not kidding, the name was familiar), my mind started to spin. More to the point, as the presenter picked out the com.android.providers.media package I actually went into spasms of delight because that is my favorite app to talk about within an Android. In fact I talked about that app in my Mobile Forensic Minute episode 109 that aired February 2017. I also talk a lot about this in the book released in 2015 (2nd edition soon!) and my presentations because it is a great file that is created by the built-in media scanner for Android. Alas, this built-in function was not mentioned by the moderator, nor was the very unique naming convention of the file (HINT – it's a serial number) (Figure 1).

Figure 1: Directory of com.android.providers.media

I was on the edge of my seat to see just what this moderator knew about this file, but I was disappointed to say the least. Well, it just got worse when the method was shown on how to convert the seconds-since column to a regular date. The conversion worked but the outcome caught the moderator off guard. I immediately cringed when it was not explained why the added date was BEFORE the modified date. Humm, how..wait…what? Luckily people were on mute and could not ask, as the presenter quickly went by and just said more research was needed as to why that was the case (Figure 2).

Figure 2: date_added table and date_modified
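To show what that seconds-to-date conversion looks like when done deliberately, here is an added example (not code from the webinar, the vendor tool, or this post) that runs the same kind of SQLite query against a constructed in-memory stand-in for the media provider's files table. It assumes MediaStore's documented column units (date_added and date_modified in seconds since the Unix epoch, datetaken in milliseconds); the paths, timestamps and helper names are made up for the illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed rows modelled on the files table of the media provider database.
# Paths and timestamps are made up; date_added / date_modified are seconds
# since the Unix epoch, datetaken is milliseconds (MediaStore's documented units).
SAMPLE_ROWS = [
    ("/sdcard/DCIM/Camera/IMG_0001.jpg", 1486000000, 1485900000, 1485900000000),
    ("/sdcard/Download/report.pdf", 1486100000, 1486200000, None),
    ("/sdcard/Music/track.mp3", 1486300000, 1486300000, None),
]

def build_db():
    """In-memory stand-in for the files table, loaded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE files (_id INTEGER PRIMARY KEY, _data TEXT, "
                "date_added INTEGER, date_modified INTEGER, datetaken INTEGER)")
    con.executemany("INSERT INTO files (_data, date_added, date_modified, datetaken) "
                    "VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def epoch_to_utc(value):
    """Render an epoch value as UTC; anything beyond a plausible seconds range
    is treated as milliseconds (the datetaken pitfall)."""
    if value is None:
        return None
    if value > 10**11:  # a seconds value will not reach this until the year 5138
        value = value / 1000
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def file_timeline(con):
    """Convert in SQL with datetime(..., 'unixepoch') and note how date_added
    relates to date_modified so the order is reviewed, not a surprise."""
    sql = """
        SELECT _data,
               datetime(date_added, 'unixepoch') AS added_utc,
               datetime(date_modified, 'unixepoch') AS modified_utc,
               CASE WHEN datetaken IS NULL THEN NULL
                    ELSE datetime(datetaken / 1000, 'unixepoch') END AS taken_utc,
               CASE WHEN date_added < date_modified THEN 'added before modified'
                    WHEN date_added > date_modified THEN 'modified before added'
                    ELSE 'same second' END AS note
        FROM files
        ORDER BY date_added
    """
    keys = ("path", "added", "modified", "taken", "note")
    return [dict(zip(keys, row)) for row in con.execute(sql)]
```

Pointing build_db at a real external database instead of the in-memory copy is a one-line change, but the unit assumptions above should be confirmed against the schema of the actual file first.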

As the presentation moved to the Query Builder I was really fascinated because, as I had previously mentioned, I wrote the SQLQuery Builder. So, the presenter mentioned the primary key and foreign key relationships (although using other names) and as he added tables he showed the SQL command was automatically building in another window. Wow, just like the SQLQuery Builder I had written back in 2015 and blogged about in Not Your Ordinary App (Part 2)! It was like déjà vu! Alas, mine along with Oxygen's SQL Viewer will do multiple db files, which this tool might do as well; I just did not see this demoed.

Don't get me wrong, I think having tools that can support applications not supported is not only cool, but a necessity. So, if you know me at all, or have read any of my materials for the last 15 years, you know I preach against the push button mentality. My only recommendation/advice to those selling/teaching this tech: know what you are talking about before you present it to the world and give credit to those that do.


About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department