OMGboard


Android and iOS users can install custom keyboards on their device. Alternative keyboards may offer various features to enhance the user experience.

Forensic artefacts from a third party keyboard have potential to offer insightful evidence which may corroborate other activity on a device.

One such keyboard application is GBoard, from Google.

GBoard on the Google Play Store

Yohesh Khatri (@SwiftForensics) has already provided some detailed research into the Gboard which is well worth reading. I don’t intend to reinvent the wheel here. I just have one thing to add… session data!

Where it’s at!

Data for the GBoard can be found at the below file path.

/data/data/com.google.android.inputmethod.latin

The databases folder on the test device I used contained the contents pictured below.

GBoard databases

Session Data

Session data was found in the session table of the trainingcachev3.db database.

trainingcachev3.db

The below video shows user activity on the test device, overlayed with the contents of the session table at the bottom right.

To get the session data, the below SQL was executed on trainingcachev3.db.

SELECT
    session._session_id AS Session,
    datetime(session._session_id / 1000, 'unixepoch') AS Start,
    datetime(session._timestamp_ / 1000, 'unixepoch') AS Finish,
    session.package_name AS Application 
FROM 
    session

ALEAPP

As always, this artefact has submitted to Alexis‘s ALEAPP.


One response to “OMGboard”

Leave a Reply to Week 24 – 2022 – This Week In 4n6 Cancel reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create your website with WordPress.com
Get started
%d bloggers like this: