Forensics of Google Now Cards
I'm doing some forensics research on Google Now on Android devices,
specifically looking for traces of Google Now cards. I've found some
interesting looking MD5 hash filenames in
/data/data/com.google.android.googlequicksearchbox/cache/http:
ec3e155cd9468332b96f281f391698d2.0
ec3e155cd9468332b96f281f391698d2.1
f557c74614fff426f32fd1235c1a0aaf.0
f557c74614fff426f32fd1235c1a0aaf.1
It looks like the files ending in .0 contain links to the graphics used on
the cards. Can someone explain what the .1 files contain? Looks like
either encrypted or binary data when I open them in a text editor. Do the
.1 files contain the rest of the Google Now card content and can they be
viewed somehow?
Thanks, Justin
No comments:
Post a Comment