Thursday, March 13, 2014

Progress Report



Before any analysis of the device could be made I first had to generate the necessary data. The first step was to download the application onto my Android device, an LG Optimus F7 LG870 running Android version 4.1.2. Once I opened the application I was able to log in using the fake profile I set up for the purpose of this project, complete with Gmail and Facebook accounts as well. Here is what my home “pheed” looked like after I finished setting it up, complete with custom profile picture and background banner.

In order to give you a better understanding of the artifacts I found, I will first go into more detail about what you can do on Pheed. There are four different forms of media you can personally post and share with whoever is subscribed to you: users are given the option to post audio, text, video, or picture pheeds. Once these are posted, those subscribed to you can perform various actions on your pheeds.

The heart and broken heart give users the option to “love” or “not love” your pheed. The star marks a pheed as a “keeper”, which allows the user to store the pheed to view later. The flag is used to report a pheed if a user feels it is inappropriate, spam, abusive, etc. The remix button allows users to share the pheed on their personal page so their own subscribers can view it. The share button allows users to share the pheed to their Twitter, Facebook, or Tumblr account. Finally, the text button at the bottom allows users to comment on your pheed, leaving “pheedback” as the application calls it.


I posted one of each pheed type, followed by subscribing to five different types of pheeds and accepting a subscriber request. I also performed each of the interactions available on other pheeds and received one of each back on my own pheeds. Once this was done I used UFED Cellebrite version 2.2.5.4 to image the phone. I ran into issues while imaging, as the device I had was not one supported by Cellebrite for physical or logical imaging, so I had to resort to a file system dump of the device, which finally worked. Then, using the UFED Physical Analyzer program version 3.9.2.4, I was able to view the extracted file system and begin my analysis.


Because I was forced to do a file system extraction, I was only able to find pertinent application, audio, database, image, and video files. The evidence was found in a handful of locations, but most of it was located in the /data/data volume. All timestamps were extracted in UTC but converted to EST for this blog.

Application Data
/data/app/com.pheed.android-1.apk  
/data/dalvik-cache/data@app@com.pheed.android-1.apk@classes.dex
The .dex file is the compiled Android application code that is packaged inside the .apk file used to install the application. Both of these had a modified time of 2/2/14 at 6:18:34 PM, which matches perfectly the time at which the application finished downloading.

Audio Data
Only one audio pheed was made, and the timestamp I got from the report matches the one I recorded while creating it. Below is the path where I found the mp3 file.
/data/media/Pheed/Pheed Audio/1391386499118.mp3

Database Data
The three databases below were found to have been created during the install of the application on 2/2/2014 at 6:18:26 PM.
/data/data/com.google.android.apps.books/files/accounts/kfpheed.kf@gmail.com/books2.db
/data/data/com.google.android.gm/databases/internal.kfpheed.kf@gmail.com.db
/data/data/com.google.android.gm/databases/mailstore.kfpheed.kf@gmail.com.db

Then I found the first database file below at 6:25:02 PM, and at 7:32:02 PM I found the second one. I have reason to believe this is simply a storage location for cookies, as 6:25 was approximately the time of my first login.
/data/data/com.pheed.android/databases/webviewCookiesChromiumPrivate.db
/data/data/com.pheed.android/databases/webviewCookiesChromium.db

The database file below, associated with Pheed, was created directly after I linked the Pheed account to a Twitter account at 2/2/2014 7:32:02 PM.
/data/data/com.pheed.android/databases/webview.db

The final database file I found was created very close to the final seconds of my data creation for this research, at 2/3/2014 7:34:22 PM.
/data/data/com.pheed.android/databases/google_analytics_v2.db

Image Files
The first major volume I looked at was the one listed below.
/data/data/com.pheed.android/cache/picasso-cache/
Here is where I found all of the cached images that were viewed on Pheed. Some of them were simply images that were scrolled past quickly, and others were the ones I interacted with. From this volume there was no way to distinguish the images the user interacted with from those they did not.

The next volume appears to be another location of cached image files that were viewed on the device.
/data/data/com.pheed.android/cache/webviewCacheChromium/

The next volume I found artifacts in was also a cache volume, but this one held the images for the profile pictures as well as the background pictures, both before and after the user changed them.
/data/media/Android/data/com.pheed.android/cache/
cached background picture

The next volume is interesting as it holds thumbnails of two videos that were taken to be uploaded to the Pheed. One was a failed video, while the other was in fact uploaded to the Pheed.
/data/media/DCIM/.thumbnails/

Video thumbnail
The final location for images I found held all the images that were uploaded to the Pheed, whether a thumbnail from a video or an image such as the background picture. One of these was an attempted profile picture that was never actually used for the pheed. It should also be noted that the background and profile images were saved as background.jpg and profile.jpg.
/data/media/Pheed/Pheed Images/

Image Pheed that was uploaded
attempted profile image

Text Data
I was unable to find any text files with true value, only a handful of .xml files.
/data/data/com.pheed.android/shared_prefs/

Video Data
This volume was very interesting because not only did it contain the video I posted to the Pheed, but it also held videos that I recorded in the Pheed application and never uploaded to the profile. I posted the video that was uploaded to the Pheed below.
/data/media/DCIM/100LGDSC/
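The findings above boil down to a repeatable triage of the dump: walk the extracted file system, keep the Pheed-related paths, sort them by modified time, convert the UTC timestamps to EST as this post does, and hash each file so later extractions (the validation pass mentioned below) can be compared against this one. The script below is an added example and not the tooling used for this report; it builds a small constructed dump tree that mirrors the paths listed above (file contents, the DCIM video filename, the cookie table schema and the mtimes for the image and video files are made up for the demo) and then triages it. The `1391386499118` in the audio filename is assumed to be a millisecond epoch, which is how the constructed mtime for that file was chosen.

```python
"""Triage a Pheed file-system dump: category, EST mtime and SHA-256 per artifact.

Added example, not the author's tooling. Paths mirror the post; the dump tree,
file contents and mtimes built by build_sample_dump() are constructed for the demo.
"""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Path substrings that mark a file as Pheed-related in the post's findings.
PHEED_MARKERS = ("com.pheed.android", "Pheed/", "DCIM/")

# Extension -> category, following the post's section headings.
CATEGORIES = {".apk": "Application", ".dex": "Application", ".mp3": "Audio",
              ".db": "Database", ".jpg": "Image", ".png": "Image",
              ".xml": "Text", ".mp4": "Video", ".3gp": "Video"}

# The post reports EST; early February has no DST, so a fixed UTC-5 offset is correct.
EST = timezone(timedelta(hours=-5))


def to_est(epoch_utc):
    """Render a UTC epoch (seconds) the way the post prints times, e.g. 02/02/2014 06:18:34 PM."""
    utc = datetime.fromtimestamp(epoch_utc, tz=timezone.utc)
    return utc.astimezone(EST).strftime("%m/%d/%Y %I:%M:%S %p")


def classify(path):
    """Map a file to one of the post's artifact categories by its extension."""
    return CATEGORIES.get(Path(path).suffix.lower(), "Other")


def sha256_of(path):
    """Hash the file so a second extraction can be checked against this one."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sqlite_tables(path):
    """Return the table names in a SQLite file, or [] if the header says it is not SQLite."""
    with open(path, "rb") as f:
        if f.read(16) != b"SQLite format 3\x00":
            return []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never modify evidence
    try:
        return sorted(r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'"))
    finally:
        con.close()


def triage(root):
    """Walk the dump, keep Pheed-related files, return findings sorted by mtime."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(marker in rel for marker in PHEED_MARKERS):
                continue
            mtime = int(os.stat(full).st_mtime)
            findings.append({
                "path": rel,
                "category": classify(rel),
                "mtime_utc": mtime,
                "mtime_est": to_est(mtime),
                "sha256": sha256_of(full),
                "tables": sqlite_tables(full) if rel.endswith(".db") else [],
            })
    findings.sort(key=lambda f: f["mtime_utc"])
    return findings


def build_sample_dump():
    """Create a constructed dump tree using the post's paths; returns its root directory."""
    root = Path(tempfile.mkdtemp(prefix="pheed_dump_"))
    # (relative path, bytes or None for a SQLite file, UTC epoch mtime).
    # Epochs are chosen so to_est() reproduces the EST times quoted in the post.
    samples = [
        ("data/app/com.pheed.android-1.apk", b"PK\x03\x04 constructed apk", 1391383114),  # 6:18:34 PM
        ("data/data/com.pheed.android/databases/webviewCookiesChromiumPrivate.db", None, 1391383502),  # 6:25:02 PM
        ("data/media/Pheed/Pheed Audio/1391386499118.mp3", b"ID3 constructed mp3", 1391386499),  # from filename
        ("data/data/com.pheed.android/databases/webview.db", None, 1391387522),  # 7:32:02 PM
        ("data/media/Pheed/Pheed Images/background.jpg", b"\xff\xd8\xff constructed jpeg", 1391387600),
        ("data/media/DCIM/100LGDSC/VIDEO_0001.mp4", b"constructed mp4", 1391387700),  # filename constructed
        ("data/app/some.other.app-1.apk", b"unrelated app, filtered out by the markers", 1391383000),
    ]
    for rel, content, mtime in samples:
        full = root / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        if content is None:  # write a tiny real SQLite file so the table listing has something to show
            con = sqlite3.connect(str(full))
            con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT)")  # constructed schema
            con.commit()
            con.close()
        else:
            full.write_bytes(content)
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    for f in triage(build_sample_dump()):
        extra = f"  tables={f['tables']}" if f["tables"] else ""
        print(f"{f['mtime_est']}  {f['category']:<11} {f['sha256'][:12]}  {f['path']}{extra}")
```

Run it as-is to see the constructed tree triaged in timeline order; pointing `triage()` at the root of a real file system extraction instead of `build_sample_dump()` gives the same report for the actual dump. The database connection is opened read-only on purpose, since the whole point of working from an image is that the evidence is never altered by the analysis.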

Moving Forward
As I move forward with my research I am going to try using a different tool for extraction, in hopes that I can find more data and further validate my first results. My hope is that I will be able to view more artifacts, such as which pheeds the user interacted with. If this does not yield any new results I will try rooting the phone, in hopes that it will allow me to locate more of the artifacts I am looking for that have been unattainable thus far in my research.