Encoding versus encryption

The terms encoding and encryption are used so frequently when discussing applications and smartphone data that they are often confused. Encoding is essentially the process of obfuscating a message or piece of information to appear as raw code. In some cases, the goal of encoding is to make the data unrecognizable to the computer or the user. In reality, the primary goal of encoding is to transform the input into a different format using a publicly available scheme. In other words, anyone can easily decode an encoded value. Encryption, however, transforms the data using a key to keep its content confidential. So, encrypted text can only be reversed if you have the key.

Most applications claim that they encrypt data or that the data is never saved to disk. While this is true for some, most simply encode the data. Encoding options can vary, but the most common option for smartphone data is Base64. Messaging apps often rely on Base64 encoding to make the data appear to be hidden or safe. A common artifact of Base64 is the padding of the data with = when the number of bytes being encoded is not divisible by three.
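The following Python sketch is an added example, not code from the book or from any forensic tool. It shows how an examiner could triage message cells pulled from an app database: it checks the Base64 alphabet and padding, decodes the candidates, and rejects plain words that merely fit the alphabet. The function names and sample rows are constructed for illustration.

```python
import base64
import binascii
import re

# Standard alphabet, length a multiple of four, at most two '=' at the very end.
B64_RE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")

def expected_padding(raw_len):
    """Number of '=' characters Base64 appends for raw_len input bytes."""
    return (3 - raw_len % 3) % 3

def try_decode(value, min_len=8):
    """Return the decoded text if value is Base64-wrapped text, else None."""
    value = value.strip()
    if len(value) < min_len or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Ordinary words can fit the alphabet too; keep only output that reads as text.
    if all(ch.isprintable() or ch.isspace() for ch in text):
        return text
    return None

def triage(rows):
    """Map row id -> decoded text for each cell that decodes cleanly."""
    hits = {}
    for row_id, cell in rows:
        decoded = try_decode(cell)
        if decoded is not None:
            hits[row_id] = decoded
    return hits

# Constructed sample cells (not real application data).
SAMPLE_ROWS = [
    (1, base64.b64encode(b"Meet at 9").decode()),      # 9 bytes, no padding
    (2, base64.b64encode(b"Call me now").decode()),    # 11 bytes, one '='
    (3, base64.b64encode(b"Bring the bag").decode()),  # 13 bytes, two '='
    (4, "see you tomorrow"),  # spaces are outside the alphabet
    (5, "password"),          # fits the alphabet, decodes to non-text bytes
]

if __name__ == "__main__":
    for row_id, cell in SAMPLE_ROWS:
        print(row_id, cell, "->", try_decode(cell))
```

A cell that passes the alphabet check but fails to decode to readable text may still be Base64 wrapped around binary or encrypted content, so treat a None result as "not plain text", not as "not encoded".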

A few years ago, Oxygen Forensics and Autopsy were two of the few tools that supported the decoding of Base64 payloads from smartphone applications. For these tools to parse the data, they must support the application that uses the encoding. Currently, MSAB, UFED Physical Analyzer, and Magnet IEF provide Base64 decoding support.

An example of Base64-encoded messages is shown in the following screenshot. This data is from the Tango chat application:

Base64-encoded Tango messages

Encryption is a bit more difficult as the app itself may not even provide access to the encrypted data. For example, you may find that the database directory or the cells containing the encrypted data are simply empty. Occasionally, you will have access to the encrypted blobs within the databases, but this data cannot always be decrypted. Again, when you face encrypted data, look elsewhere. Have you examined the journal and write-ahead logs? Have you examined the cache and media directories? Have you examined the SD card? These are common questions you will often have to ask yourself to ensure that you are not relying on your forensic tools too much and that you are covering your bases to ensure nothing is overlooked. As we've explained, start with what you know. We know that the cache and database directories store user data, so this is a great place to start your manual examination, as you can see in the following screenshot:

Data storage locations for applications

In the following sections, we will cover how applications store their data within the device and the significance of various types of storage options. 
