So, for this special Halloween installment of “My Favorite Artifacts,” let’s head down to Camp Crystal Lake and take a look at all the goodies that can be gleaned from .json files.
For those of you who might not be familiar with JSON, here’s a quick overview:
Put simply, JSON is an open-standard and language-independent text file format with notation designed to be “easy for humans to read and write” and “easy for machines to parse and generate.” In layman’s terms, JSON is designed to make it easy for humans to help machines do things for them quickly and with little effort.
JSON is very commonly used to communicate changes between mobile devices (or other computers) and servers. Because if you think about it, a really common task for smartphone applications is to query a server for some type of information, process that information, and then present it to the user. All of the changes made on the phone have to get back to the app’s server somehow, and JSON is a great way to make that happen.
If you look at a .json file, you won’t see anything complex. In fact, even if you’ve never heard of JSON schema or syntax before you started reading this article, you’ll find it startlingly easy to understand! That’s the beauty of it. JSON files contain metadata in a simply-laid-out text format.
Most programming languages understand and process JSON natively since it uses many of the same conventions in its syntax. As you might imagine, it’s a handy data-interchange format for programmers, especially mobile app developers.
Using JSON, a mobile or desktop app can very efficiently consume data from other sources, such as Google Maps, Facebook, Facebook Messenger, Twitter, YouTube, WordPress, SQL databases, or any other external source it needs to function. Sweet! Right?
As you can imagine, JSON has quite a lot of utility for programmers. In my experience though, it tends to be overlooked by forensic investigators. Most mobile forensics tools won’t seek it out or parse it, which means you’ll have to be proactive in your investigation if you want to reap its benefits. Here are some of the ways .json files can help in your iOS- or Android-based mobile investigations if you take the time to seek them out.
One very common use of the .json file in mobile forensics is to communicate information about errors, crashes, and failures of the app back to the server. If you need to determine whether an app was in use at a particular date or time, or whether there were problems with the application, these crash-related .json files can be of great investigative value.
During a mobile forensic examination, when you need to answer questions about application settings or how a user has configured the application, you might naturally look to SQLite, .db, .xml, or .plist files for answers.
But don’t overlook .json Files! Information including account numbers, usernames, passwords (sometimes in plain text!), email addresses, and other sweet treats can be found in .json files, as well!
In the example below from the Amazon app on a mobile phone, we can see just how easy user configuration information is to find… if, that is, we’re looking for it.
Mobile forensic tools have gotten a lot better at identifying and parsing location-based data from various mobile applications.
Oftentimes, though, they can still miss a plethora of location treats that are nestled inside .json files. Our .json example on the left comes from the Uber app.
If geolocation data is important to your case, be sure to dig into the application folder for any app that might store location-based information, and don’t overlook those .json files!
If you’re looking to recreate user in-app activities, .json files may hold the specific answers you’re looking for.
Once you’ve searched through SQLite database files and other data sources on the device, if you’re still looking for answers, check those .json files!
Our example here comes from the Nordstrom shopping app, but many other applications use .json files for storing historical information about the user’s browsing activity.
By reviewing the various entries within the “recentlyViewed.json” file, you can recreate each specific item the phone’s user viewed.
When you look for JSON, you start seeing it everywhere. Some applications are extremely JSON dependent, to the point that almost all of the data stored by the app is stored as .json files. One example of this is the extremely popular productivity application “Wunderlist.”
In Wunderlist mobile, nearly all user-created entries, including contacts, notes, lists, etc., are stored in .json files within the application. If your forensic tool doesn’t see and parse this user data dressed up in .json costume, you might be missing a whole lot of important information!
JSON is often used to manage communications that are initiated from within an app. If you dig into .json files, you may find the content of entire messages depending on how the app handles this data. But .json files can contain some other important clues to communications, too.
For instance, if a phone’s user makes a phone call or video call from within Facebook Messenger to another Facebook contact, that activity often won’t show up in the call history database.
Instead, it will be documented within a .json file with a file name that starts with “batch-1540930891” (where “1540930891” is the date and time of the communication in Unix timestamp notation).
The .json files used within the Facebook app are often a little more complex in their data formatting. They will include references back to various SQLite database tables and entries also stored within the app’s directory.
But if you take the time to work through the JSON notation within these .json files, you will be rewarded with a step-by-step record of the in-app activities. Invariably, the level of detail you are able to glean through this kind of examination gives a great deal more information than what is automatically parsed by mobile forensic tools.
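As an added example (not code from the original post or from any of the apps named in it), here is a small Python triage script that applies the ideas from the settings, location, and Facebook Messenger sections above: it reads a set of .json files as you might carve them from an app folder, flags watch-listed keys such as passwords and coordinates, decodes the Unix timestamp in a “batch-<timestamp>” file name, and tolerates empty or cleaned-up files instead of crashing on them. The key watchlist and the sample files are constructed for this example.

```python
import json
import re
from datetime import datetime, timezone
# Constructed watchlist of key names worth flagging during triage; extend per case.
WATCH_KEYS = {"username", "email", "password", "latitude", "longitude"}
# Messenger call/video records arrive as "batch-<unix timestamp>..." files.
BATCH_RE = re.compile(r"^batch-(\d{9,10})")

def batch_timestamp(filename):
    """Decode the Unix timestamp in a batch-<ts> file name to UTC ISO 8601, else None."""
    m = BATCH_RE.match(filename)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).isoformat()

def find_keys(obj, path=""):
    """Recursively yield (json_path, value) for every watch-listed key, at any depth."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if k.lower() in WATCH_KEYS:
                yield here, v
            yield from find_keys(v, here)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_keys(v, f"{path}[{i}]")

def triage(files):
    """files maps file name -> raw text. Returns {file name: summary dict}."""
    report = {}
    for name, raw in files.items():
        summary = {"timestamp": batch_timestamp(name), "parsed": True, "hits": []}
        try:
            summary["hits"] = list(find_keys(json.loads(raw)))
        except json.JSONDecodeError:
            summary["parsed"] = False  # empty or half-cleaned files are expected
        report[name] = summary
    return report

# Constructed sample files (not real app data), one per artifact type discussed.
SAMPLE_FILES = {
    "user_config.json": '{"account": {"username": "camper13", "email": "camper13@example.com", "password": "s3cret-placeholder"}}',
    "last_trip.json": '{"pickup": {"latitude": 44.39, "longitude": -72.57}, "dropoff": {"latitude": 44.41, "longitude": -72.60}}',
    "batch-1540930891-0.json": '{"calls": [{"peer_ref": "contacts.id=PLACEHOLDER", "kind": "video"}]}',
    "pending_sync.json": "",
}
if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FILES), indent=1))
```

The timestamp in the sample “batch-” name decodes to 2018-10-30 20:21:31 UTC; the flagged JSON paths (for example `account.password` or `pickup.latitude`) tell you exactly where in the file to look when writing up the finding.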
If you’ve read this blog post and are all psyched up to dig into JSON in your next forensic examination, here are a few words of caution: You may see a whole lot of empty and deleted .json files and feel upset because they no longer contain the sweet data goodies I’ve mentioned in this post.
This is because application developers like to do nice, neat work. Once the .json file has done its work of communicating the change in the state of the app back to the server, the .json file can be cleaned up and may just *poof!* disappear.
Artifacts left by JSON can be ephemeral (even ghostly) in nature, so don’t be surprised if these sweet treats aren’t consistent in how and when they make an appearance in your evidence. In my personal experience though, if a phone is broken or damaged during use you will tend to see more .json files that haven’t had a chance to be cleaned up before disaster struck.
As you can now see, the potential for .json files to provide data you won’t find elsewhere in your Android and iOS forensics investigations shouldn’t be overlooked. Remember, just like when you’re out trick-or-treating, the house you skip might just be the one that gives you the biggest candy bars.
Stay tuned for the next installment of “My Favorite Artifacts.” Next month’s subject will definitely be one you’ll be thankful for!