Results of Magnet Acquire imaging / Forensic Explorer (FEX)

UnallocatedClusters
(@unallocatedclusters)
Senior Member

Hello,

I used Magnet Acquire to create a .RAW image file of my personal LG G3 (Android 5.0.1), resulting in a 31GB .RAW image file.

I then used Forensic Explorer ("FEX") to index the .RAW image file, which has resulted so far in some interesting findings (FEX has a built-in SQLite database viewer, which is key).

1) "accounts.db" stores my "com.Android.exchange" company email user name and password (UNENCRYPTED 😯 😯 😯 ) plus all of my other user accounts located at image.raw\userdata (EFI 44)\system\users\0\

2) "mmssms.db" contains all of my text messages (senders, recipients, dates, times, etc.) and is located here image.raw\userdata (EFI 44)\data\com.android.providers.telephony\databases\

3) "[email protected]" contains all my Gmail content (senders, recipients, body of email, dates, etc.) located at image.raw\userdata (EFI 44)\data\com.google.android.gm\databases\

4) "EMAIL.db" contains my Microsoft Exchange email content and can be found at image.raw\userdata (EFI 44)\data\com.lge.email\data\

5) Multiple carved .MP3 files, which all turned out to be recordings of the nice Google lady's voice providing turn-by-turn directions. It appears that Google Maps is sending directions to my phone as temporary .MP3 files, which are then deleted by Maps.

6) EML email files in the following folder path image.raw\userdata (EFI 44)\data\com.lge.email\data\Messaging\EML\

7) "calendar.db", with all of my calendar entries found in file path image.raw\userdata (EFI 44)\data\com.android.providers.calendar\databases\

8) "contacts2.db" with all of my contacts in the "raw_contacts" table. Includes entries for "deleted" contacts as well as normal contacts. Found in file path image.raw\userdata (EFI 44)\data\com.android.providers.calendar\databases\

9) "profile.db" contains my Google ID email address located at image.raw\userdata (EFI 44)\data\com.android.providers.contacts\databases\

10) "fidelity.db" contains my Fidelity Financial user account email address and recent trades!!!! Located at image.raw\userdata (EFI 44)\data\com.fidelity.android\databases\

11) "babel1.db" contains Google Hangout session information and can be located at \data\com.google.android.talk\databases\

I have not identified the "Call Records" database file yet - not sure what file format call records are stored in, so more digging ahead.

Posted : 11/06/2015 5:38 am
DCS1094
(@dcs1094)
Active Member

SQLite Database logs.db

File Path data/com.sec.android.provider.logsprovider/databases

Posted : 11/06/2015 2:10 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Thanks DCS -

My phone does not have a "logs.db" at all and there is no folder path exactly like or similar to "data/com.sec.android.provider.logsprovider/databases".

Still digging…

Posted : 11/06/2015 10:53 pm
agolding
(@agolding)
Junior Member

The calls should be in contacts2 on an LG, logs.db on a Samsung.

Posted : 12/06/2015 8:04 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Thanks AGolding-

Within the Contacts2.db file, I did in fact identify a "Calls" table that contains call records including date, duration, etc.

Cheers!

Posted : 12/06/2015 9:36 pm
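
The thread ends with call records turning up in a "Calls" table of one database on an LG and in a different file on a Samsung. As an added example (not from any poster and not part of FEX or Magnet Acquire), this Python sketch searches an exported userdata tree for every SQLite file that holds a given table, trusting the file header rather than the file name; the sample tree, its paths and its schemas are constructed for the demonstration.

```python
import sqlite3, tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def list_tables(path):
    """Table names of a SQLite file, opened read-only; [] if not SQLite or corrupt."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:   # trust the header, not the extension
            return []
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        return sorted(r[0] for r in rows)
    except sqlite3.DatabaseError:         # header matched but file is damaged
        return []
    finally:
        con.close()

def find_table(root, wanted):
    """Map relative path -> table list for each database under root holding `wanted`."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        tables = list_tables(p) if p.is_file() else []
        if wanted.lower() in (t.lower() for t in tables):  # "Calls" vs "calls"
            hits[p.relative_to(root).as_posix()] = tables
    return hits

def build_sample(root):
    """Constructed stand-in for an exported userdata tree; schemas are illustrative."""
    layout = {
        "data/com.android.providers.contacts/databases/contacts2.db":
            "CREATE TABLE raw_contacts (_id INTEGER, deleted INTEGER);"
            "CREATE TABLE calls (number TEXT, date INTEGER, duration INTEGER)",
        "data/com.android.providers.telephony/databases/mmssms.db":
            "CREATE TABLE sms (address TEXT, date INTEGER, body TEXT)",
    }
    for rel, ddl in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        con = sqlite3.connect(str(path))
        con.executescript(ddl)
        con.close()
    Path(root, "data", "notes.db").write_bytes(b"not a database")  # wrong header

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return find_table(root, "calls")
```

Run `find_table` against a working copy of the exported folder, never the original image, and pass whichever table name is of interest.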