OMGboard

Android and iOS users can install custom keyboards on their device. Alternative keyboards may offer various features to enhance the user experience.

Forensic artefacts from a third party keyboard have potential to offer insightful evidence which may corroborate other activity on a device.

One such keyboard application is GBoard, from Google.

GBoard on the Google Play Store

Yohesh Khatri (@SwiftForensics) has already provided some detailed research into the Gboard which is well worth reading. I don’t intend to reinvent the wheel here. I just have one thing to add… session data!

Where it’s at!

Data for the GBoard can be found at the below file path.

/data/data/com.google.android.inputmethod.latin

The databases folder on the test device I used contained the contents pictured below.

GBoard databases

Session Data

Session data was found in the session table of the trainingcachev3.db database.

trainingcachev3.db

The below video shows user activity on the test device, overlayed with the contents of the session table at the bottom right.

To get the session data, the below SQL was executed on trainingcachev3.db.

SELECT
    session._session_id AS Session,
    datetime(session._session_id / 1000, 'unixepoch') AS Start,
    datetime(session._timestamp_ / 1000, 'unixepoch') AS Finish,
    session.package_name AS Application 
FROM 
    session

ALEAPP

As always, this artefact has submitted to Alexis‘s ALEAPP.

One response to “OMGboard”

Week 24 – 2022 – This Week In 4n6 says:

June 12, 2022 at 12:59 pm

[…] Kibaffo33OMGboard […]

LikeLike

Leave a Reply Cancel reply

Enter your comment here…

Please log in using one of these methods to post your comment:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s