My blog posts tend to be long. I will admit it. I like to include some background, a little history, and then as much detail as I can cram into the post about whatever it is I am writing about. My intention is to help readers fully understand the subject matter with the hopes the knowledge can help them when they need it (i.e. during an exam, an investigation, or in the courtroom).
This post will be different. While it will be much shorter, it will cover an important subject in our discipline: corroboration. Being able to take multiple artifacts found in different locations on a device, use their contents to confirm findings in other artifacts, and combine everything to understand user activity on the device is a simple yet powerful concept.
Last night I caught an email string on the IACIS listserv discussing Android snapshots. If you are not familiar with Android snapshots, take a look at Alexis Brignoni’s blog post on them, and Jessica Hyde’s 2018 SANS DFIR Summit presentation. To summarize, snapshots can be used to determine what was displayed on the device screen the last time an app was used; you also get a timestamp. This can really be useful when timeline-ing user activity on an Android device, and, sometimes, you can capture data that was on the device screen that is not captured elsewhere on the device (e.g. a database full of chats).
Since snapshots can be used to aid in the timeline-ing of user activity, I thought it might be a good idea to use another timeline-y artifact to corroborate the data presented by the snapshots: Digital Wellbeing. You can read about Digital Wellbeing here, but just know that it can also be used to timeline user activity on an Android device.
Attack of the Protobufs
The email string was discussing what was eventually determined to be a protobuf file that accompanied a jpeg file in the /data/system_ce/0/snapshots folder, which is not something I recalled seeing previously. However, when I re-watched Jessica’s Summit presentation on Android artifacts, her screenshot of the snapshots folder had protobuf files in it. Lesson: don’t get tunnel vision or you are likely to miss something.
Figure 1 shows the /data/system_ce/0/snapshots/ folder in my public Android 11 image.
WARNING: from this point forward, I am going to assume you have read Alexis’ blog post and/or watched Jessica’s presentation, and looked at my Digital Wellbeing blog post. If you haven’t done so, the rest of this post may not make sense to you.
For this exercise, I chose snapshot 454, which involved 454.jpg, 454.proto, and 454_tasks.xml from the /data/system_ce/0/recent_tasks/ folder, all of which can be seen in Figure 1.
Let’s take a look at the jpg first. Figure 2 shows the contents of 454.jpg, which depicts the messaging portion of Snapchat.
Figure 3 shows the contents of 454.proto after being decoded using Google’s protoc.
Field tag 10 refers to the package that created the jpg (red arrow), which here is com.snapchat.android, and there is a Unix Epoch timestamp just below that in field tag 12 (blue arrow), which, when decoded, is 2020-10-04 at 20:51:22 UTC.
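To show what protoc is doing when it decodes a snapshot .proto file without a schema, here is a small schema-less wire-format decoder, added as an example and not code from the original post. The byte string is constructed to mirror the two fields discussed above (field 10 as a length-delimited package name, field 12 as a varint epoch timestamp); treating field 12 as milliseconds is an assumption.

```python
import struct
from datetime import datetime, timezone

def read_varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def decode_raw(buf):
    """Schema-less decode of protobuf wire format, like `protoc --decode_raw`.
    Returns {field_number: [values]}; length-delimited values stay as bytes."""
    pos, fields = 0, {}
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x07
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                     # fixed 64-bit
            value = struct.unpack_from("<Q", buf, pos)[0]; pos += 8
        elif wire_type == 2:                     # string / bytes / sub-message
            length, pos = read_varint(buf, pos)
            value = bytes(buf[pos:pos + length]); pos += length
        elif wire_type == 5:                     # fixed 32-bit
            value = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        fields.setdefault(field, []).append(value)
    return fields

def encode_varint(value):
    """Encode a non-negative int as a varint (used only to build the sample)."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

# Constructed stand-in for 454.proto: field 1 (varint) = task id 454,
# field 10 (len-delimited) = package, field 12 (varint) = epoch ms (assumed unit).
SAMPLE_PROTO = (bytes([0x08]) + encode_varint(454)
                + bytes([0x52, 0x14]) + b"com.snapchat.android"
                + bytes([0x60]) + encode_varint(1601844682000))

def snapshot_info(buf):
    """Return (package, UTC timestamp string) from a snapshot proto blob."""
    fields = decode_raw(buf)
    package = fields[10][0].decode("utf-8")
    ts = datetime.fromtimestamp(fields[12][0] / 1000, tz=timezone.utc)
    return package, ts.strftime("%Y-%m-%d %H:%M:%S UTC")
```

Run `snapshot_info(open("454.proto", "rb").read())` against a real file to get the package and timestamp without needing the .proto schema; unknown fields are simply kept under their numbers.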
Figure 4 shows the contents of 454_tasks.xml.
There are two interesting things to note here. First, the real_activity value (purple box) contains the same value as field tag 10 in Figure 3. Second, there is another timestamp in the last_time_moved value (red box), which, when decoded, is 2020-10-04 20:42:45 UTC. This is just under nine minutes before the timestamp in 454.proto.
So, we have two timestamps and a jpeg file. What do these things represent? Enter Digital Wellbeing, which we can use to understand user activity on the device. Running a query against the database helps us understand what was happening on the device at a particular point in time. Let’s address the earlier timestamp first. See Figure 5.
I have highlighted the actual timestamp in the red box. You can see Snapchat was paused at that time. But look at what was happening around that time…the context, if you will. In the blue box you can see the device had been unlocked at 20:41:51, and then Snapchat was brought into the foreground, and there was some activity (green box) leading up to the 20:42:45 UTC timestamp, at which Snapchat was “paused” and com.google.android.permissioncontroller was “resumed.” What was going on??? Let’s have a look at the tape. See Figure 6.
Figure 6 is an excerpt of the documentation from my public Android 11 image; the timestamps are in local time, which was UTC -0400 at the time. In the red box you can see there were audio and video calls made, with the first starting at 16:43 EDT (UTC -0400). This was approximately one minute (or less) after the 20:42:45 UTC timestamp. Based on data from Digital Wellbeing, we know Snapchat was paused, and com.google.android.permissioncontroller was resumed, but why? See Figure 7.
Before an audio or video call can be made in Snapchat, it needs permission from the user to manage phone calls. Snapchat was paused so com.google.android.permissioncontroller could ask for permission to manage phone calls. So, the 2020-10-04 20:42:45 UTC timestamp seen in 454_tasks.xml represents when Snapchat was moved to the background. This makes sense: I needed to grant Snapchat permission to manage phone calls, and the permission prompt pushed Snapchat to the background. After I granted the permission I then started the Snapchat audio call at 16:43 EDT (UTC -0400), which is denoted in the area below the red box in Figure 5 (Snapchat “resumed” at 20:42:57 UTC).
Let’s address the second timestamp: 2020-10-04 at 20:51:22 UTC, which, as a reminder, was found in 454.proto. See Figure 8.
As seen, we didn’t have to scroll down very far in Digital Wellbeing. The first timestamp, from 454_tasks.xml, is still seen in the red box, and the second timestamp, from 454.proto, is in the blue box. At 20:51:22 UTC Snapchat was paused again, and then stopped a second later (i.e. it was no longer visible in the UI – Type 23 in the green box). You will also notice that com.google.android.apps.nexuslauncher resumed at 20:51:22 UTC, which is, in essence, the device home screen. If you refer back to Figure 6, there was an incoming video call at 16:49 EDT (UTC -0400) that lasted approximately 1 minute and 20 seconds (Snapchat doesn’t keep a call timer). Once the video call was completed, I exited Snapchat and went back to the home screen.
Now, recall that the jpeg files in /data/system_ce/0/snapshots depict what was displayed on the device screen the last time an app was used. The last time Snapchat was used was when the video call was received (based on the image documentation), which was received on the Snapchat messaging screen. Using the timestamp in 454.proto file along with the entry in Digital Wellbeing, we know that once the Snapchat call was completed, I exited Snapchat and went back to the home screen. Thus, the timestamp in 454.proto represents the last time Snapchat was used, and the picture depicted in 454.jpg represents what was displayed on the screen by Snapchat at that time. Additionally, if there was a question about which app generated the snapshot, an examiner could refer to the data in the protobuf file, the xml file from recent_tasks, or Digital Wellbeing.
Taking seemingly disparate artifacts, confirming the analysis of their contents using other artifacts, and connecting all of the information to paint a picture of user activity is a skill all of us should have and hone, regardless of what platform or device we examine. The best way to master this skill is to research, learn and understand the artifacts we analyze. And the best way to understand is to research and learn. It’s a vicious cycle, but a necessary one.