Investigating Android Google Keep
11/10/2024 Friday
Google Keep is one of the free services provided by the Google Docs Editors suite. It offers note-taking features such as adding text, images, and audio, and allows users to create reminders, collaborate on notes with others, and organize content using labels and color codes. This service is available as a web application, and Google also makes it accessible on all major mobile operating systems, ensuring seamless synchronization through the user’s Google account across all his/her devices. Android Google Keep is the Android version of the app, allowing Android users to take full advantage of this service.
Digital Forensics Value of Android Google Keep
Android Google Keep is of significant value in digital forensics, as the app can provide a wealth of data that helps investigators in various ways. First, retrieving the content of notes may reveal important information related to the user's activities, intentions, or communications. Second, since Google Keep allows users to share notes with others, these shared notes can reveal interactions and collaborations, enabling investigators to trace connections between individuals. Lastly, each note in Google Keep is associated with creation and modification timestamps. This allows forensic analysts to establish a timeline of when specific notes were created, accessed, or edited, helping to reconstruct events.
Location of Android Google Keep Artifacts
Android Google Keep artifacts can be found at the following location:
*/com.google.android.keep/databases/keep.db
Analyzing Android Google Keep Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Android Google Keep artifact from Android devoces' files and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Google Keep artifact parsers:
×
Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Google Keep artifact in ArtiFast.
Android Google Keep Notes
- Created Date/Time: The created date/time of this note.
- Last Modified Date/Time: The last modified date/time of this note.
- Is Deleted: Indicates whether this note has been deleted from the user's device or not.
- Owner Email: The email of this note owner.
- Note Title: The title of this note.
- Note Content: The content of this note.
- Synced Content: The synced content of this note.
- Last Modifier Email: The email of the last person who modified this note.
Android Google Keep Shared Notes
- Sharing Date/Time: The sharing date/time of this note.
- Is Deleted: Indicates whether this note has been deleted from the user's device or not.
- Owner Email: The email of this note owner.
- Sharing Email: The email used to share this note.
- Note Title: The title of this note.
- Note Content: The content of this note.
- Is Synced: Indicates whether this note is synchronized or not.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com
