Google Plus is the Google-based social network. It allows the sharing of text/videos/images, adding friends, following people, and messaging. Google Plus may also, depending on the user's settings, automatically upload all pictures taken on the user's device.
Package name: com.google.android.apps.plus
Files of interest:
- /databases/es0.db
Es0.db contains all the information an examiner would expect to find from a social media account:
|
Table |
Description |
|
all_photos |
Contains a URL to download images shared by and with the user, as well as the creation date/time in Linux epoch format |
|
activities |
Data displayed in the user's stream (that is, their news feed). The created and modified time for each post is, once again, stored in Linux epoch time. The title and comment columns will contain the post title and at least some of the comments from it. The permalink column contains a URL that can be followed to view the post, if it was shared publicly. If the post is shared privately, the content can still be recovered from the embed table. The related table contains the hashtags automatically generated for the post by Google, this will also populate even if the post is private. |
|
activity_contacts |
Contains a list of names for people whose posts are in the activities table. |
|
all_photos |
Contains a list of ALL photos the user has backed up to Google Plus, whether they were shared or not. image_url can be used to download any of the user's photos, and is publicly available. Removing the -d on the end of the URL will allow you to view the image without downloading. The timestamp column is the date/time the image was taken, based on the image metadata; it does not indicate when the image was uploaded. |
|
all_tiles |
Contains an unknown subset of all_photos, but also includes images shared with the user. |
|
circle_contact |
Contains a list of people the user has added to their circles. Does not include names, but some of the link_person_id values include email addresses. The link_circle_id value can be correlated with the circles table to identify the name of each circle. link_person_id can then be correlated with the contacts table to identify which user is in which circle. |
|
circles |
Has all circles the user has created, as well as a count of the number of users in each one. |
|
contacts |
A list of all contacts in the user's circles. |
|
events |
A listing of all events the user has been invited to, whether they attended or not. The name column is the title of the event. creator_gaia_id can be correlated with the gaia_id column in the contacts table to identify the event creator. The start_time and end_time columns are the time of the event, in Linux epoch format. The event_data column has the description of the event entered by the creator, as well as information about the location if added. It also lists all other users who were invited to the event. |
|
squares |
A list of groups the user has joined. |