herrevad database

SamBrown
(@sambrown)
Posts: 97
Trusted Member
Topic starter
 

Hello,

I have a physical dump from a Samsung Android 4.1.2 device. In this dump we have the database com.google.android.gms/databases/herrevad. The database stores several entries which contain information about connected wifi networks such as a timestamp, SSID, MAC address. Can anybody tell me when such an entry is generated? My guess is that it might occur when the device connects to a wifi network, but that's just a guess right now. Does anybody have more information on this database?

 
Posted : 19/01/2017 4:32 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Hello Sam,

This database contains the WiFi connections history of preinstalled Google apps in Android OS devices. These can be WiFi connections of Google Play, Google Maps, YouTube, etc. We've added parsing of this database in Oxygen Forensic Detective 9.1.1.

Here is a screenshot of how it may look: http://www.oxygen-forensic.com/images/whatsnew/911/WiFiHistory.png

 
Posted : 19/01/2017 7:10 pm
(@trewmte)
Posts: 1877
Noble Member
 

Just out of interest which one is Oxygen Forensic Detective 9.1.1 displaying and what is the difference in the packages?

http://www.oxygen-forensic.com/images/whatsnew/911/WiFiHistory.png

com.google.android.gmx/databases/herrevad

com.google.android.gms/databases/herrevad

 
Posted : 19/01/2017 9:35 pm
SamBrown
(@sambrown)
Posts: 97
Trusted Member
Topic starter
 

But what exactly does an entry mean? That the user used for example Google maps AND was connected to a certain wifi network at some point of time?
When is an entry generated? That's what I would like to know…

Sorry, it is GMS (google mobile services). It has nothing to do with the GMX app.

 
Posted : 20/01/2017 11:18 am
(@trewmte)
Posts: 1877
Noble Member
 

Sorry, it is GMS (google mobile services). It has nothing to do with the GMX app.

No worries, I thought perhaps you had found something new.

The Oxygen .png reports what was recorded in the database HERREVAD.

I find there are

'/data/data/com.google.android.gms/shared_prefs/herrevad.xml'
'/data/data/com.google.android.gms/databases/herrevad'
'/data/data/com.google.android.gms/databases/herrevad-journal'

But what exactly does an entry mean?

By itself, you have evidence of the 'fact' that the data are recorded there. It means the recording was made due to sensor activity showing the device had detected and decoded the WLAN networks, including SSID and BSSID (MAC address) info, as well as timestamps; thus it has proximity to the source. So there is a connection, but it doesn't necessarily tell us what is happening beyond that.

Now the Oxygen .png shows a consistent connection to the same network on various dates and times. It is possible to draw an inference from that of regular proximity to this network, thus a 'distance' (in space and time) to a location could be investigated.

That the user used for example Google maps

Not necessarily, as data may originate from the activity of third party plugins. It could be recorded via an app that had passed info to the database.

see examples
Gaming
Apps download
Weather
Travel
Leisure (running etc)
and so on

Connie Bell in her partial MSc thesis states

'PROVIDING CONTEXT TO THE CLUES: RECOVERY AND RELIABILITY OF LOCATION DATA FROM ANDROID DEVICES'

"However, during a review of the databases’ contents, it became clear that the database did not capture all of the instances in which the devices were connected to WLAN networks, based on test session activity."

"From these examinations, it seems clear that connectivity-related log artifacts may be quite useful in ruling out the possibility that the WLAN sensor was disabled at a particular time. However, it may be more difficult to affirm that the sensor was indeed enabled at a particular time, since these logs seem to only document when the device is actually connected to a network.

"A device may have the WLAN functionality enabled but be out of range or not connected due to wireless network security, for example. In situations like these, it seems the log files would not indicate that the device WLAN feature was active, since the device would then default to cellular data services"

AND was connected to a certain wifi network at some point of time?

Are you making a distinction here that connection means download, web usage, etc.?

When is an entry generated?

Sometimes they are not. Following is part of a logcat dump. This log could be because, due to the device's sensor proximity to the network or surrounding noise, there was insufficient data to complete sending a HERREVAD record entry, or because the third party plugin failed for other reasons.

(com.estrongs.android.pop) from content://downloads/my_downloads/6 format 2
12-26 19:31:01.741 536 536 I installd free_cache(6186696) avail 33903247360
12-26 19:31:01.764 4260 4260 V Herrevad NQAS connected
12-26 19:31:01.776 1016 2567 D WifiService New client listening to asynchronous messages
12-26 19:31:01.796 4678 4678 I ConfigService onCreate
12-26 19:31:01.927 4260 7615 I ReportNQOperation [202] g.a Not enough data to save wifi report to local db
com.google.android.gms.herrevad.g.s@nnnnnn

I have included a download link to a .pdf I have prepared for you regarding a complete logcat dump: https://www.dropbox.com/s/ds89ulvcgezcgsy/Pandora%20Herrevad.pdf

Some search terms you may wish to consider when analysing your image and the 32-page logcat dump

Connie Bell suggests

select local_reports.network_type, local_reports.ssid,
local_reports.security_type, local_reports.bssid,
local_reports.timestamp_millis,
datetime((local_reports.timestamp_millis)/1000,'unixepoch')
as "Converted timestamp (UTC)"
from local_reports
order by local_reports.timestamp_millis asc

I suggest the following to get you started

HERREVAD
BSSID
SSID
LocationFilter
WiFiInfo
WiFi
MAC
RSSI
download or downloaded
com.google.android.gms.persistent
com.google.android.gms.herrevad.services.LightweightNetworkQualityAndroidService
com.google.android.gms.herrevad.h.g.a
com.google.android.gms.herrevad.h.l.f

Timestamps may require conversion, so here are a couple of sites that might assist you:

http://www.epochconverter.com/
http://www.unixtimestamp.com/

If this helps and you complete your work, please come back to FF and, without revealing case details, let us know what you found and the methods you used to achieve it.

cheers

 
Posted : 22/01/2017 5:01 pm
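An added example, not code from the thread or from Connie Bell's thesis (though it runs her quoted query verbatim): it builds a constructed SQLite stand-in for the herrevad local_reports table, runs the query, cross-checks the timestamp_millis conversion against an independent UTC conversion, and summarises repeated records per BSSID, the basis for the "regular proximity" inference above. The table schema, column types and row values are assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows using only the columns named in the thesis query;
# the real herrevad schema (types, other columns) is not reproduced here.
SAMPLE_ROWS = [
    ("WIFI", "HomeNet", "WPA2", "aa:bb:cc:dd:ee:01", 1482780661741),
    ("WIFI", "CoffeeShop", "OPEN", "aa:bb:cc:dd:ee:02", 1482800000000),
    ("WIFI", "HomeNet", "WPA2", "aa:bb:cc:dd:ee:01", 1482867061000),
    ("WIFI", "HomeNet", "WPA2", "aa:bb:cc:dd:ee:01", 1482953461000),
]

# The query quoted from Connie Bell's thesis, unchanged.
BELL_QUERY = """
select local_reports.network_type, local_reports.ssid,
local_reports.security_type, local_reports.bssid,
local_reports.timestamp_millis,
datetime((local_reports.timestamp_millis)/1000,'unixepoch')
as "Converted timestamp (UTC)"
from local_reports
order by local_reports.timestamp_millis asc
"""

def open_sample_db():
    """Build an in-memory stand-in (assumed schema) for local_reports."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table local_reports (network_type text, ssid text, "
                 "security_type text, bssid text, timestamp_millis integer)")
    conn.executemany("insert into local_reports values (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def run_bell_query(conn):
    """Rows oldest first; index 4 is timestamp_millis, index 5 the UTC string."""
    return conn.execute(BELL_QUERY).fetchall()

def millis_to_utc(ms):
    """Independent epoch-milliseconds to UTC conversion (what the epoch
    converter sites in the thread would show) for cross-checking the query."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def sightings_per_bssid(conn):
    """Count records per BSSID with first/last seen (UTC), to support or
    weaken a 'regular proximity to this network' inference."""
    rows = conn.execute(
        "select bssid, ssid, count(*), "
        "datetime(min(timestamp_millis)/1000,'unixepoch'), "
        "datetime(max(timestamp_millis)/1000,'unixepoch') "
        "from local_reports group by bssid, ssid").fetchall()
    return {b: (s, n, first, last) for b, s, n, first, last in rows}
```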
(@trewmte)
Posts: 1877
Noble Member
 

Update - HERREVAD Databases Geo Location Artefacts - http://trewmte.blogspot.com/2018/07/update-herrevad-databases-geo-location.html

 
Posted : 07/07/2018 8:30 am
(@thomass30)
Posts: 110
Estimable Member
 

Is there a way to get the demo or trial version of Oxygen Forensic Detective?

 
Posted : 10/07/2018 7:32 am
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Thomass30, sure, you can request a fully-functional demo license by contacting us directly at support@oxygen-forensic.com.

 
Posted : 10/07/2018 10:10 am
(@thomass30)
Posts: 110
Estimable Member
 

Thanks, I will write soon directly to the posted e-mail.

 
Posted : 10/07/2018 1:36 pm