Investigating Android Google Photos
24/05/2024 Friday
Android Google Photos is an application that provides users with cloud-based images hosting and storage services. It features synchronization services that make uploaded images immediately available across all of the user's synchronized devices. Additionally, Google Photos allows users to easily share their uploaded images with friends and offers editing tools for enhancing images and creating albums.
Digital Forensics Value of Android Google Photos
Photos are always a rich source of information in digital forensics, providing examiners with strong photographic evidence to prove events and construct timelines. Google Photos' artifacts are especially beneficial, as they store the photos taken by the user’s Android device as well as the images shared or synchronized from other people and devices. This comprehensive access to visual data enhances the ability of forensic analysts to uncover detailed insights, verify user activities, and gather crucial evidence for investigations.
Location of Android Google Photos Artifacts
Android Google Photos artifacts can be found at the following locations:
*/com.google.android.apps.photos/databases/disk_cache
*/com.google.android.apps.photos/databases/gphotos*.db
Analyzing Android Google Photos Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Android Google Photos artifact from Android devices' files and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Google Photos artifact parsers:
×
Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Google Photos artifact in ArtiFast.
Android Google Photos Cache
- Created Date/Time: The created date/time of this screenshot file.
- Last Modified Date/Time: The last modified date/time of this screenshot file.
- Size: The size of this screenshot file in bytes.
- File Path: The file path of this screenshot file.
- File Name: The file name of this screenshot file.
- Is Pending Delete: Indicates whether this file is pending delete or not.
Android Google Photos Local Media
- Duration: Video Duration (in seconds) if applicable.
- File Name: The name and extension of the file.
- File Path: The path where this file is stored on this device.
- Size: The size of the file in bytes.
- Folder Name: The parent folder name.
- Mime Type: The mime type of this file.
- Width: This media file width in pixels.
- Height: This media file height in pixels.
- Latitude: The Latitude associated with the location where this media file has been taken/recorded.
- Longitude: The Longitude associated with the location where this media file has been taken/recorded.
- Taken Date/Time: The date/time when this media file has been taken/recorded.
- Trashing Date/Time: The date/time when this media file has been moved to the trash if applicable.
- Purging Date/Time: The date/time when this media file has been purged if applicable.
- Media ID: The Unique identifier associated with this media file.
Android Google Photos Shared Media
- Duration: Video Duration (in seconds) if applicable.
- File Name: The name and extension of the file.
- Remote URL: The URL where this file is stored on the server.
- Size: The size of the file in bytes.
- Mime Type: The mime type of this file.
- Width: This media file width in pixels.
- Height: This media file height in pixels.
- Latitude: The Latitude associated with the location where this media file has been taken/recorded.
- Longitude: The Longitude associated with the location where this media file has been taken/recorded.
- Taken Date/Time: The date/time when this media file has been taken/recorded.
- Upload Percentage: The percentage of the uploading process that has been finished.
Android Google Photos Remote Media
- Duration: Video Duration (in seconds) if applicable.
- File Name: The name and extension of the file.
- Remote URL: The URL where this file is stored on the server.
- Size: The size of the file in bytes.
- Mime Type: The mime type of this file.
- Width: This media file width in pixels.
- Height: This media file height in pixels.
- Latitude: The Latitude associated with the location where this media file has been taken/recorded.
- Longitude: The Longitude associated with the location where this media file has been taken/recorded.
- Taken Date/Time: The date/time when this media file has been taken/recorded.
- Upload Percentage: The percentage of the uploading process that has been finished.
- Inferred Latitude: The Latitude associated with the location where this media file has been taken/recorded.
- Inferred Longitude: The Longitude associated with the location where this media file has been taken/recorded.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com
