Cyber Security Academy · Lesson

Apps, Artifacts and Reporting

Parsing app data and presenting findings.

App Artifacts: The Big Picture

Third-party apps generate the richest evidence in most cases. Each app stores data its own way, but patterns recur.

  • SQLite databases for messages, history, and metadata.
  • Property lists (plist) on iOS and XML shared_prefs on Android for settings/state.
  • Protobuf / JSON blobs embedded inside DB columns.
  • Cache and media folders for thumbnails and attachments.

Your job is to parse these consistently, attribute them to a user and time, and present them defensibly.

Messaging App Artifacts

Messaging apps are frequent evidence sources. Each keeps a primary message store plus contact and group tables.

  • WhatsApp (Android): msgstore.db (messages), wa.db (contacts).
  • Signal: encrypted SQLCipher DB; the key lives in the keystore/keychain.
  • Telegram: cache4.db with protobuf-encoded content.

Reconstruct a WhatsApp conversation from the message store:

sqlite3 -readonly msgstore.db
sqlite> SELECT datetime(timestamp/1000,'unixepoch') ts,
   ...>        key_remote_jid, key_from_me, data
   ...> FROM messages
   ...> WHERE key_remote_jid LIKE '%@s.whatsapp.net'
   ...> ORDER BY timestamp;
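The same reconstruction in Python, as an added example that is not code from the lesson: it builds a constructed in-memory table mirroring the four msgstore.db columns the query above uses, converts the millisecond timestamps to UTC, attributes direction from key_from_me, and renders a per-chat listing suitable for a report. On a real store, open the file read-only (a `file:...?mode=ro` URI) instead of `:memory:`.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows with the same column layout the lesson's query relies on
# (timestamp in ms, key_remote_jid, key_from_me, data). Not real WhatsApp data.
SAMPLE_ROWS = [
    (1700000000000, "15551234567@s.whatsapp.net", 0, "hi"),
    (1700000060000, "15551234567@s.whatsapp.net", 1, "hello"),
    (1700000120000, "120363000000000000@g.us", 0, "group post"),  # group chat: excluded by the filter
    (1700000030000, "15559876543@s.whatsapp.net", 0, None),        # media-only row: no text in data
]

def build_sample_db():
    """Create an in-memory DB shaped like the messages table. For a real acquisition use
    sqlite3.connect('file:msgstore.db?mode=ro', uri=True) so the evidence is never written."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages(timestamp INTEGER, key_remote_jid TEXT, "
                "key_from_me INTEGER, data TEXT)")
    con.executemany("INSERT INTO messages VALUES (?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    return con

def ms_to_utc(ms):
    """WhatsApp stores epoch milliseconds; report in explicit UTC, never device-local time."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def extract_conversations(con):
    """Return {jid: [(ts_utc, direction, text), ...]} for 1:1 chats, ordered by timestamp."""
    rows = con.execute(
        "SELECT timestamp, key_remote_jid, key_from_me, data FROM messages "
        "WHERE key_remote_jid LIKE '%@s.whatsapp.net' ORDER BY timestamp")
    convs = {}
    for ts, jid, from_me, data in rows:
        direction = "sent" if from_me else "received"   # key_from_me=1 means device owner sent it
        text = data if data is not None else "[no text / media]"  # keep the row, flag the gap
        convs.setdefault(jid, []).append((ms_to_utc(ts), direction, text))
    return convs

def render_report(convs):
    """Plain-text listing, one block per remote party, for inclusion in a findings report."""
    lines = []
    for jid, msgs in sorted(convs.items()):
        lines.append(f"== Chat with {jid} ({len(msgs)} messages) ==")
        for ts, direction, text in msgs:
            lines.append(f"{ts} UTC  {direction:8}  {text}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(extract_conversations(build_sample_db())))
```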
