Posts

Glow & Behold

Glow & Behold: Flashlight Artifacts in Apple’s Unified Logs

This blog is the work of my sister, Holly Charpentier, who did all the flashlight testing and artifact hunting 🔦. She’s the one who scrolled through endless Unified Logs, captured all the brightness level changes, and got way too excited about AVFlashlight entries. Basically, if there were a forensic merit badge for nerdy persistence, she’d earn it twice. Proud to share her work here — certified DFIR nerd and log whisperer!

Flashlight toggles may seem minor at first glance, but they can provide valuable context when reconstructing user behavior or validating key moments in a timeline. Whether you’re checking device usage during a critical timeframe or comparing activity to a statement, flashlight events can serve as corroborative details. Examples include:

- Was the phone actively in use at a specific time?
- Was the flashlight turned on at a location or time relevant to the case?
- Did device interactio...

LogTimeWarp

LogTimeWarp: Tracking Date & Time Changes in Apple’s Unified Logs

From suspicious user activity to malware behavior or post-event tampering, a sudden change to a device’s system time can be a red flag. It may signal attempts to obscure file timestamps, alter log coherence, or reset application timers. Forensic validation often hinges on accurate time interpretation. When the system time is altered, even legitimate logs may appear misleading. That’s where the Unified Logs come in.

Date & time changes can be made by a device user by navigating to Settings > General > Date & Time. By toggling off Set Automatically, the date and time can be changed manually by the user.

The first step is extracting the Unified Logs. See Alexis Brignoni’s post on Extraction, Processing, & Querying Apple Unified Logs from an iOS Device here: https://abrignoni.blogspot.com/2025/05/extraction-processing-querying-apple.html

Once the Unified Logs are obtained the hu...

Snapchat Artifacts

iOS Snapchat

-user.plist-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****/Documents/user.plist
- Holds data about the local user such as username and user id.

-primary.docobjects database-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****/Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39ad94/DocObjects/primary.docobjects
- Snapchat contacts can be found in this database.

-Arroyo.db-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****/Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39ad94/arroyo/arroyo.db
  - The message content is stored in the conversation_message table.
  - Each conversation has a client_conversation_id.
  - The message is located in the message_content column.
  ...

Samsung Android Gallery-Deleted Photos

Samsung Android Deleted Gallery

- Starting in Android 9, the user has the capability to restore deleted media files.
- When a user deletes a media file, the media file is not immediately deleted.
- It goes into the trash and remains there for 30 days.
- The filename is changed upon deletion.
- During this time the user can choose to permanently delete the file or restore it to its original location.
- The deleted file, specific to a Samsung device, will be parsed by forensic tools from: data\media\0\Android\data\com.sec.android.gallery3d\files\.Trash
- Data about the file can be located in: data\data\com.sec.android.gallery3d\databases\local.db
- Within local.db, the trash table specifically contains information about the deleted media file.
- The following columns contain data about the deleted files:
  _absPath – The current path of the deleted file.
  _Title – The current title of the deleted f...

Google Keep Notes

Google Keep Notes

While working on a case recently, I came across the Google Keep Notes application installed and utilized on an Android mobile device. Both of the commercial parsing tools that I was using to analyze the data displayed the timestamps of the notes and the titles of the notes, but no note body was present in the parsed data.

So, I just check-marked everything in the case, created a Reader/Portable Case, and sent the data out. Because if the tool doesn’t parse it, it doesn’t exist, right? Wrong.

I followed the source file, which is a SQLite database named keep.db. Inside the database is a ton of additional data, including the body of those notes!

How Google Keep Notes Work:

Google Keep lets users add notes, lists, and photos. Users can also record a voice memo, and Keep will transcribe it so you can find it later. The Google Keep notes are share...