Google Messages is a messaging application used on Android devices for
text messages, multimedia messages, and conversation-related data.
Message content, sender details, conversation information, timestamps,
message status values, and attachment details may be stored by the
application.
Similar to other applications that provide messaging features, Android
Google Messages can be a valuable source of communication evidence in
mobile investigations. The artifacts left by the application may contain
message content, sender information, participant or conversation names,
sent and received timestamps, message direction, read or seen status,
MIME type, and attachment references. These elements can be used to
reconstruct communication timelines, identify involved contacts, verify
whether messages were sent or received, and correlate messaging activity
with other device events.
Android Google Messages artifacts can be found at the following
location:
Dump/data/data/com.google.android.apps.messaging/databases/bugle_db
The bugle_db database is used by Google Messages to store message
records and related application data.
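As an added illustration (not ArtiFast's parser and not code from the original article), the following Python script joins the fields listed above into a timeline from a working copy of bugle_db. The table and column names, and the rule that message_status values of 100 and above mark incoming messages, are assumptions to confirm against the database under examination; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed subset of the bugle_db schema; confirm against the database in the dump.
SCHEMA = """
CREATE TABLE conversations(_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE participants(_id INTEGER PRIMARY KEY, display_destination TEXT);
CREATE TABLE messages(_id INTEGER PRIMARY KEY, conversation_id INT, sender_id INT,
  sent_timestamp INT, received_timestamp INT, message_status INT, read INT);
CREATE TABLE parts(_id INTEGER PRIMARY KEY, message_id INT, text TEXT,
  uri TEXT, content_type TEXT);"""
QUERY = """
SELECT m.received_timestamp, m.sent_timestamp, m.message_status, m.read,
       c.name, p.display_destination, pt.content_type, pt.text, pt.uri
FROM messages m JOIN conversations c ON c._id = m.conversation_id
LEFT JOIN participants p ON p._id = m.sender_id
LEFT JOIN parts pt ON pt.message_id = m._id
ORDER BY m.received_timestamp, m._id, pt._id"""

def open_evidence(path):
    # Read-only URI so analysis cannot modify the extracted working copy.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def to_utc(ms):
    # Millisecond epoch to ISO 8601 UTC; 0 or NULL means no time was recorded.
    return datetime.fromtimestamp(ms / 1000, timezone.utc).isoformat() if ms else None

def build_timeline(conn):
    return [{
        "received_utc": to_utc(recv), "sent_utc": to_utc(sent),
        # Assumption: message_status >= 100 means incoming.
        "direction": "incoming" if (status or 0) >= 100 else "outgoing",
        "read": bool(read), "conversation": conv, "sender": sender,
        "mime": mime, "text": text, "attachment_uri": uri,
    } for recv, sent, status, read, conv, sender, mime, text, uri in conn.execute(QUERY)]

def sample_db():
    # Constructed rows for illustration; not taken from a real device.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO conversations VALUES (1, 'Alex Example')")
    conn.executemany("INSERT INTO participants VALUES (?, ?)", [(1, "Me"), (2, "+15550100")])
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?,?)", [
        (1, 1, 2, 1700000000000, 1700000001000, 100, 1),
        (2, 1, 1, 1700000060000, 1700000060000, 1, 1)])
    conn.executemany("INSERT INTO parts VALUES (?,?,?,?,?)", [
        (1, 1, "On my way", None, "text/plain"),
        (2, 2, None, "content://constructed/photo.jpg", "image/jpeg")])
    return conn
```

For real evidence, pass the connection from open_evidence() to build_timeline() in place of sample_db(), working on a hashed copy of the file rather than the original.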
This section discusses how to use ArtiFast to extract Android Google
Messages artifacts from Android device files and what kind of digital
forensics insights can be gained from them.
After a case has been created and evidence has been added for the
investigation, at the Artifact Selection phase, the Android Google
Messages artifact parser can be selected:
Once the ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via Artifact View or Timeline View, with indexing, filtering, and searching capabilities. Below is a detailed description of the Android Google Messages artifact in ArtiFast.
Android Google Messages
For more information or suggestions please contact: enes.cihan@forensafe.com