Snapchat Artifacts







iOS Snapchat

-user.plist-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****
/Documents/user.plist

-holds data about the local user such as username and user id.




-primary.docobjects database-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****
/Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39
ad94/DocObjects/primary.docobjects

-Snapchat contacts can be found in this database



-Arroyo.db
-fs-full.zip/private/var/mobile/Containers/Data/Application//****Snapchat application ID****
/Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39
ad94/arroyo/arroyo.db
        -The message content is stored in the conversation_message table.
        -Each conversation has a client_conversation_id.
        -The message is located in the message_content column.
        -The “friend” that the device user is communicating with can be found in
          group.snapchat.picaboo.plist.
        -Searching the client_conversation_id in the plist will reveal the username and user id of
          the “friend”.


-Images and Videos-Encrypted Snapchat Gallery
-Will need a tool that can utilize the keychain to decrypt the encrypted database.
(gallery.encrypteddb)

-Snapchat related videos and images can often be found with
com.snap.file_manager_3_SCContent as part of their path.

-We know they are related to the Snapchat application but are not sure exactly how.

-There are databases that we can use to learn more information about these files.

-Steps to determine more about a video or image related to Snapchat:
1. Take the filename of the image or video and search it in the CACHE_FILE_CLAIM table
of the cache_controller.db. This will give you an EXTERNAL_KEY related to the image
or video.


2. Once you have the EXTERNAL_KEY, you can search that key across the entire image to
reveal where (which databases) the key is showing up in.





3. The EXTERNAL_KEY may hit in the scdb-27.sqlite3. If so, in the ZGALLERYENTRY
table you will find created times, capture times, the saver user id, a ZENTRYID (which is
the EXTERNAL_KEY) and more.

4. Also in the scdb-27.sqlite3 is the ZGALLERYSNAP table. In this table you will find
information about the media file such as whether or not it has a location, create time,
capture time, media format, and a ZMEDIAID and ZSNAPID (which is the
EXTERNAL_KEY) that matches the ZENTRYID in the previous table.



5. The EXTERNAL_KEY may also hit in the memories_asset_repository.sqlite database.
This indicates that the video or image was saved and is stored in the user’s memories for
Snapchat.



6. In the scdb-27.sqlite3 database if there was an indication that the video has a location you
may be able to find the latitude and longitude for the video in the gallery.encrypteddb (if
you have the capability to decrypt it). In the snap_location_table, the snap_id is the
EXTERNAL_KEY. The corresponding latitude and longitude are stored here.





Popular posts from this blog

Samsung Android Gallery-Deleted Photos

Image
 Samsung Android Deleted Gallery -Starting in Android 9, the user has the capability to restore deleted media files. -When a user deletes a media file, the media file is not immediately deleted. -It goes into trash and remains in the trash for 30 days. -The filename is changed upon deletion. -During this time the user can choose to permanently delete the file or restore it to its original location. -The deleted file specific to a Samsung device, will be parsed with forensic tools from: data\media\0\Android\data\com.sec.android.gallery3d\files\.Trash -Data about the file can be located in: data\data\com.sec.android.gallery3d\databases\local.db. -Looking in the local.db specifically, the trash table, contains information about the deleted media file. -The following columns contain data about the deleted files:            _absPath – The current path of the deleted file.            _Title – The current title of the deleted f...
Read more

Google Keep Notes

Image
___________Google Keep Notes_______________________________________ While working on a case recently, I came across the Google Keep Notes application installed and utilized on an Android mobile device. Both of the commercial parsing tools that I was using to analyze the data displayed the timestamps of the notes and the title of the notes but no note body was present in the parsed data.   So, I just check marked everything in the case created a Reader/Portable Case, and sent the data out. Because if the tool doesn’t parse it, it doesn’t exist, right? Wrong.   I followed the source file which is a SQLite database named keep.db. Inside of the database is a ton of additional data including the body of those notes!   How Google Keep Notes Work: Google Keep boasts the capability to add notes lists and photos to Google Keep. They have the capability to record a voice memo and Keep will transcribe it so you can find it later. The Google Keep notes are share...
Read more