±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 35514
New Yesterday: 4 Visitors: 200

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Embedded.cache on Android

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

4Rensics
Senior Member
 

Embedded.cache on Android

Post Posted: Nov 22, 16 13:49

Hi,

This is either a simple or difficult question.

I know what 'cache' is. But is there anything specific I should know about "embedded.cache_1" images from an Android device. Is there anything specific or unique about it or is it just a name its been given.

I fear this is something I may be asked soon in court and I can't seem to find any information anywhere.

Any help much appreciated.

4R  
 
  

giuseppem
Member
 

Re: Embedded.cache on Android

Post Posted: Sep 17, 17 09:33

Hi 4Rensics.
I have the same question and some more doubt to clarify. Unfortunately I see that, despite of the long time lasted, nobody answered. I raise the question and moreover I would like to know the following, related with "embedded_1.jpg" files. I found three of these kind of files in two different directory of an Android smartphone, starting from this path, userdata (ExtX)/Root/data:

- com.google.android.googlequicksearchbox/cache/
/org.chromium.android_webview
(the above path is all together)

- com.android.chrome/cache/Cache

The public prosecutor wants some more details, as follow:
1) Have these files been opened and viewed?
2) How long have been there, in the phone?
3) Have been they downloaded accidentally during web browsing?
Premise that I have performed the physical extraction with Ufed Touch and I created the report with UFED Physical Analyzer, I have no metadata of these 3 files!!
To answer to the 1) question, If it was an hard disk image of Windows system, I would have used autopsy or something similar to create the timeline and to see what application was launched corresponding to accessed time in image metadata. To answer to the 2) question I need metadata too.
The 3) question seems simply to be answered because the files are in the cache so they have been downloaded accidentally, in some way.
I'm looking for some more ideas to answer, above all, question 1) and 2).

Thanks in advance  

Last edited by giuseppem on Sep 18, 17 08:12; edited 4 times in total
 
  

passcodeunlock
Senior Member
 

Re: Embedded.cache on Android

Post Posted: Sep 17, 17 18:23

Just a hint:: embed files cached from documents or applications. Please trial and error, but that is what the name suggests...
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 

Page 1 of 1