I played around with Google Goggles today and was quite impressed. Like any good forensic geek, I wanted to understand better what happened behind the scenes. Below are some observations from the data the app persisted on the NAND:
- Application data is stored in /data/data/com.google.android.apps.unveil
- Following directories exist: cache, databases, files, lib, shared_prefs
- Last picture I took was stored in ./files/lastimage.jpeg (see bottom of post for the image…which found Barbara’s Books site immediately)
- I have not had time to see if I could carve or otherwise extract previous images from the YAFFS2 data partition
- ./cache/webviewCache contained 2 files (referenced in the webviewCache.db database); one was a jpg (122eefe1) and the other a png (f0277abc). The jpg contained a logo from a previous Goggles search I did, so there was some residual data there
- ./databases contained 2 databases, webviewCache.db and webview.db
- webviewCache.db contained references to the 2 cached files mentioned above. It at least tells us the order (although file system date/time can do the same). It also tells you when the content expires so you could probably calculate a decent time from that through testing…or at least get the general idea.
- webview.db looked more like the android browser database but was unpopulated except for a cookie entry for .google.com
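The webviewCache.db review described above (entry order, expiry times, and matching rows to the files in ./cache/webviewCache) can be scripted. This is an added example, not code from the original post. The table name `cache`, its column names, and `expires` being epoch milliseconds are assumptions about the WebView cache schema, and the URLs, timestamps, and the extra file `deadbeef` are constructed sample data.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed layout of the WebView "cache" table (not given in the post); only the
# columns used here are created. 'expires' is assumed to be epoch milliseconds.
SCHEMA = """CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT,
            expires INTEGER, mimetype TEXT, contentlength INTEGER)"""

def open_readonly(path):
    """Open an extracted copy of the database without modifying it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def cache_timeline(conn, files_on_disk):
    """Return (rows, orphans): DB entries in insertion order, plus on-disk
    cache files that no DB row references."""
    rows = []
    query = ("SELECT _id, url, filepath, expires, mimetype, contentlength "
             "FROM cache ORDER BY _id")
    for rid, url, fp, exp, mime, size in conn.execute(query):
        # A zero or NULL expiry carries no timing information.
        expires_utc = (datetime.fromtimestamp(exp / 1000, tz=timezone.utc).isoformat()
                       if exp else None)
        rows.append({"id": rid, "url": url, "file": fp, "mime": mime, "size": size,
                     "expires_utc": expires_utc, "on_disk": fp in files_on_disk})
    referenced = {r["file"] for r in rows}
    orphans = sorted(set(files_on_disk) - referenced)
    return rows, orphans

def build_sample():
    """Constructed sample data standing in for an extracted webviewCache.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO cache VALUES (?,?,?,?,?,?)", [
        (1, "http://example.invalid/logo.jpg", "122eefe1", 1262304000000, "image/jpeg", 4096),
        (2, "http://example.invalid/icon.png", "f0277abc", 0, "image/png", 512),
    ])
    return conn

if __name__ == "__main__":
    rows, orphans = cache_timeline(build_sample(), {"122eefe1", "f0277abc", "deadbeef"})
    for r in rows:
        print(r)
    print("unreferenced files:", orphans)
```

For a real image, pass the extracted database path to `open_readonly` and the set of file names found in the cache directory as `files_on_disk`.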
Not quite as revealing as Google Maps Navigation (see my previous post) but still insightful. Oh, and it’s a really, really cool app. I’ll use it more and report back at some point.
lastimage.jpg


