GMDSOFT Tech Letter Vol 22.Quick Share History Analysis Amid Expanding Device and OS Support

Quick Share is a wireless file transfer feature from Samsung and Google that allows users to quickly share files between devices via Wi-Fi and Bluetooth. First introduced as a Samsung-exclusive feature with the Galaxy S20, it was integrated with Google’s Nearby Share in January 2024 and has since become the standard sharing solution across the Android ecosystem, supporting not only Samsung devices but also other Android devices, Windows PCs, and Chromebooks.

Quick Share is also compatible with Apple’s AirDrop. Starting with the Pixel 10 series in November 2025, Google began rolling out two-way AirDrop compatibility to Android devices, and Samsung followed in March 2026 by officially adding AirDrop support to the Galaxy S26 series running One UI 8.5, beginning in South Korea.

As Quick Share expands its support across a wider range of devices and operating systems, its importance from a digital forensic perspective is increasing. Quick Share records are more than just a history of file transfers—they can act as key artifacts revealing a user’s send/receive activity and the connections between devices. Information on shared files, connected devices, and the use of the ‘Private Sharing’ feature can be particularly valuable for identifying data leaks, the movement of evidence, or the transfer of materials between accomplices.

This article explains how to share data with iOS and Android devices using the Quick Share feature, and the information that can be collected from an Android device after sending or receiving content via Quick Share. The findings are based on data extracted from an Android 16 device via MD-NEXT v2.2.14 and analyzed via MD-RED v4.0.12.

 

Table of Contents


How to Use Quick Share

To share content using Quick Share, both the sending and receiving devices must have Wi-Fi and Bluetooth enabled, and devices must be located within nearby range. To share content with Galaxy devices, you must be signed into a Samsung account. To share content with non-Galaxy devices, a Google account sign-in is required.

Sharing with Nearby Devices

Sending Content

  1. Select the content to share, then tap the Share button.
  2. Tap the Quick Share button.
  3. Select the user or device to share the content with. The available sharing targets may vary depending on the receiving device’s Nearby Sharing settings.
Quick Share – Sharing with Nearby Devices (Sending Device)

 

Receiving Content

When a Quick Share request is received, a sharing notification appears on the receiving device. The recipient can preview the type of content being shared and choose whether to ‘Accept’ or ‘Decline’ the request.

Quick Share – Sharing with Nearby Devices (Receiving Device: iPhone)

Quick Share – Sharing with Nearby Devices (Receiving Device: Galaxy)

Private Share

Private Share is a secure sharing mode available between Galaxy devices. It allows the sender to set an expiration time for shared files. By default, the expiration period is set to 2 days, and it can be extended up to 6 days, 23 hours, and 59 minutes. Recipients cannot take screenshots, save, or reshare the shared content, and the files are automatically deleted after expiration.

Sending Content

  1. Select the content to share, then tap [Turn on Private Sharing].
  2. Set the expiration date, then select the user to share the content with. The available sharing targets may vary depending on the receiving device’s Nearby Sharing settings.
Quick Share – Private Share Method (Sending Device)

 

Receiving Content

When a Private Share request is received, a notification appears on the receiving device. The recipient can preview the type of content being shared and choose whether to ‘Accept’ or ‘Decline’ the request.

Quick Share – Private Share Method (Receiving Device)

Available Information from Mobile Devices

The linkShare.db file stores records of files sent and received through Quick Share, the target devices involved in sharing, and the sharing timestamps. The privacy_library_database.db file stores records of content sent and received through the ‘Private Share’ feature.

The table below summarizes the information above.

DB Table Available Information
linkShare.db devices Connected device name, timestamp
transfer_file List of sent files
receiving_file List of received files
privacy_library_database.db FileLogCard Records of files sent or received through Private Share

Summary

  1. Quick Share is a wireless file transfer feature jointly provided by Samsung and Google. It enables users to share data not only between Android devices, but also with devices running other operating systems, including Windows, iOS, and macOS. Support for iOS and macOS transfers is currently limited to certain devices and OS versions, but is gradually expanding.
  2. Quick Share supports both Nearby Device Sharing and Private Share. Records of these sharing activities are stored in linkShare.db and the Private Share-specific privacy_library_database.db. Analyzing these records can reveal details about sent and received content, target devices, and sharing timestamps.

Appendix

Quick Share Receiving Settings

The available sharing targets may vary depending on the receiving device’s Quick Share settings.

  • No one: No one can share content with the device.
  • Contacts: Only users saved in Contacts through a Samsung account can share content with the device.
  • Everyone: Anyone nearby can share content with the device.

For more information, please refer to https://www.samsung.com/us/support/answer/ANS10007268/.

Supported File Types by Sharing Method

Quick Share supports different file types depending on the sharing method.

  • Sharing with nearby devices: No restrictions on shareable file types
  • Sharing using QR code or contacts: Some file types are not supported, such as exe, com, bat, cmd, vbs, reg, msi, etc.
  • Sharing using Private Share: The following file types are supported.
    • Image: jpeg, jpg, png, gif, bmp, webp, heic, dng
    • Video: webm, mp4, 3gp, 3g2, mkv
    • Audio: mp3, wav, ogg, m4a
    • Document: txt, pdf

File Transfer Limits by Sharing Method

Quick Share has different file count and size limits depending on the sharing method.

  • Nearby device sharing: No restrictions on file count or total transfer size.
  • QR code and contact sharing: Up to 1,000 files per transfer, with size limits of 10 GB per file and 10 GB per day.
  • Private Sharing: Up to 20 files and 200 MB per transfer.

 

 

GMDSOFT Tech Letter Vol 21.ChatGPT Q&A: 10 Key Questions

An OpenAI and NBER study found that nearly 80% of ChatGPT usage is centered on practical guidance, information seeking, and writing, with information seeking functioning much like web search. As search behavior shifts from keyword-based search to conversational AI, ChatGPT is becoming increasingly relevant in digital investigations. Because these interactions develop through natural-language dialogue, conversation histories can reveal not just what was searched, but how the user’s intent evolved, making them a valuable source of investigative insight.

This article focuses on ChatGPT as a leading generative AI application and addresses practical questions in a Q&A format. This article is based on findings extracted with MD-NEXT v2.2.13 from devices running Android 14, using Full Filesystem with MD-PLUG and Android Live extraction methods and analyzed via MD-RED v4.0.10.

Table of Contents

 

App Data Storage Structure and Extraction

This section examines how ChatGPT app data is stored on Android device and available information for extraction.  

1. Can I extract data through mobile forensics even though it is stored on the server?

Yes. ChatGPT conversation records can be analysis through mobile forensic examination. When chat history is synchronized, the corresponding data is stored on the device, making the synchronized data recoverable through mobile forensic analysis.  

2. Do the available analysis results vary depending on the extraction method?

Yes. The available artifacts vary by the extraction method. The available results can be summarized as follows:

Extraction Method Available Information
Backup
  • ChatGPT account
  • Chat List
  • Text conversation records within chatrooms
Full Filesystem
  • All 3 items available for extraction via the Backup extraction method
  • Image files within chatrooms

 

3. How is the data stored?

The data is stored in DB format under /data/com.openai.chatgpt/databases.

Note: ChatGPT Data Storage Format on iOS On iOS, ChatGPT data is stored in JSON format. The corresponding JSON files are located at /var/mobile/Applications/com.openai.chat/Library/Application Support/conversations-v3{device UUID}.

 

4. Can user-generated images or attached files be identified?

User-generated images are retained as cache files, which are stored at /data/com.openai.chatgpt/cache/coil3_disk_cache.

The filenames of attached files, including .pdf, .xml, and .doc, can be identified; however, the actual files cannot be analyzed.

 

Artifact Analysis by User Behavior

This section examines the data that can be identified based on ChatGPT usage scenarios.

 

5. Can I find conversation records created without logging in?

Yes. Conversation records will be stored on the device even without logging in. Because conversation records are stored in an SQLite database, chats conducted while not logged in are available for analysis.

 

6. Are all conversations synchronized after login?

No. Logging in automatically synchronizes only the 20 most recent conversations, and the contents are not synchronized unless each one is opened individually. To synchronize older chats, you must scroll through the chat list to trigger additional synchronization.

Note: iOS Chat Synchronization Scope On iOS devices, the 18 most recent conversations are synchronized after login. Unlike Android, contents are saved in bulk as JSON files even if the user does not open each chatroom. To synchronize additional conversations beyond the 18 most recent chatroom, scroll through the chat list.
Chat List

 

7. What range of data is stored when entering each chatroom?

When you enter a chatroom, the full text content is synchronized at once, and the entire conversation is recorded in the database. No additional scrolling is required after entering the chatroom to synchronize the data.

For image files, if the image has not been loaded on the device, the original file is not stored and therefore cannot be analyzed. If the image has been loaded properly, a cache file (coil3_disk_cache) is created, allowing the image to be analyzed.  

Image not loading

 

8. If a chatroom is deleted, can I still recover the data?

Yes, but only under limited conditions. When a chatroom is deleted, the related database records are marked as deleted. If those deleted records have not yet been cleaned up, the data may still be identified. However, once the deleted records have been cleaned up, data cannot be recovered.

Note: Deletion of Chatroom on iOS On iOS devices, deleting a chatroom immediately removes the related JSON files, and the data cannot be recovered.

 

9. If the user logs out from the device, does the data disappear?

Yes. When the user logs out, all conversation data (.db) stored on the device is deleted.

 

10. Can I find conversations from ‘Temporary Chat’?

No. Temporary chat conversations cannot be examined because they are not stored locally on the device and are not synchronized.

Temporary Chat Temporary Chat is a separate conversation mode in ChatGPT that does not appear in chat history, does not create memories, and is not used for model training. Conversations conducted in this mode are neither saved in chat history nor stored locally on the device in DB or JSON format. In addition, they are not synchronized between PC and mobile devices, which significantly limits extraction.
Temporary Chat

 

How MD-PCM Tackles Large-Scale Digital Evidence

80 workstations. 1,600+ Viber accounts.

One investigation team. Zero room for error. 

When a joint operation dismantled a Cambodia-based scam syndicate, investigators uncovered the operation’s engine room: 80+ workstations running over 1,600 Viber accounts — each one a tool for cross-border fraud. What threatened to bury the case entirely was not the suspects, but the sheer scale of digital evidence left behind. 

This is how MD-PCM turned an operationally unfeasible challenge into actionable intelligence. 

 

The Growing Bottleneck in Transnational Cybercrime Investigations 

Modern organized crime syndicates operate across jurisdictions by design. Fragmented infrastructure, encrypted messaging, and multiple identities per device are no longer edge cases — they are standard operating procedure for today’s threat actors. 

For law enforcement agencies (LEAs), this creates a dual burden: 

• Scale: Dozens to hundreds of seized devices requiring simultaneous triage 

• Complexity: Encrypted messenger applications with multiple accounts per workstation, each requiring individual credential extraction 

In international operations, time is evidence. Delays don’t just slow investigations — they allow syndicates to destroy remaining assets, warn co-conspirators, and render leads obsolete. 

 

Case Highlight: The Viber Account Labyrinth 

During a high-stakes international criminal investigation, investigators seized 80+ workstations from a Cambodia-based scam syndicate — each terminal running upwards of 20 distinct Viber accounts, totaling over 1,600 communication channels weaponized to orchestrate fraud across borders. 

Manual processing was operationally unfeasible. The investigation demanded a solution that could deliver rapid triage without compromising forensic soundness — because in international cases, evidentiary admissibility is non-negotiable. 

 

Strategic Deployment: MD-PCM & MD-RED 

The investigative team deployed MD-PCM (PC Messenger Extraction Tool), delivering three critical capabilities that transformed the trajectory of the case. 

 

1.Forensic Soundness via Portable Execution

MD-PCM runs directly from an external SSD — no installation required. By minimizing changes to the host system’s registry and file system, it preserves the integrity of the source device from the first interaction. In high-profile international cases where chain of custody is scrutinized at every stage, this isn’t a convenience feature. It’s a requirement. 

*Supported environments: Windows, macOS and forensic images (E01, DD, and more) 

 

2.Auto-Detection of Multi-Accounts and Multi-Messengers

Manually searching for numerous accounts across different messengers on a single PC is a primary cause of investigative delay. MD-PCM automatically detects installed messenger applications, user IDs, and credentials. This automation slashes extraction time and eliminates the risk of human error in identifying hidden profiles. 

3.Precision Triage:EliminatingNon-Probative Data 

In high-volume cases, indiscriminate data collection is its own liability. MD-PCM targets specific messenger artifacts and decryption, filtering out non-probative data before it ever reaches the analyst. The resulting curated dataset was seamlessly ingested into MD-RED, enabling investigators to decrypt communications, visualize network hierarchies, and map the syndicate’s operational structure — in hours, not weeks. 

 

Outcome: From Digital Mountain to Dismantled Syndicate 

By compressing the time-to-evidence from weeks to hours, MD-PCM allowed the task force to act while intelligence was still operationally relevant. The case stands as a direct example of how purpose-built forensic tooling — not general-purpose solutions — determines outcomes in large-scale international crime investigation. 

 

Is Your Team Facing a High-Volume Evidence Challenge? 

Whether you’re managing a single complex case or coordinating across multiple jurisdictions, the MD-Series is engineered to ensure that investigative complexity never becomes an obstruction to justice. 

Explore MD-PCM

 

GMDSOFT Tech Letter Vol20.Health App Data Analysis

From iOS 8 and later versions, Apple has provided a built-in Health app that automatically tracks and stores a wide range of physical activities, including step count, distance traveled, heart rate, flights climbed, and workout records. Health app data is aggregated across all devices linked to the same Apple Account, including iPhone and Apple Watch. The physical activity and health data recorded in the Health app can serve as evidence to verify subject statements and reconstruct behavioral timelines during an investigation.

This article aims to introduce Apple’s Health app and the available information in the app. The findings are based on data extracted from iOS 26 device and watchOS 26 via MD-NEXT v2.2.13 and analyzed via MD-RED v4.0.10.

Table of Contents


1.iOS Health App Overview

1.1. Types of Recorded Health Data

Data from all devices connected to the same Apple Account is aggregated in the Health app. When an Apple Watch is paired with an iPhone, step count and distance data are automatically recorded in the iOS Health app, without additional configuration. Tap the    icon in the bottom right corner of the app to see the categories of data that can be recorded in the Health app. For more details, refer to https://support.apple.com/guide/iphone/view-your-health-data-iphe3d379c32/26/ios/26

The table below summarizes the key data that may be recorded in iPhone and Apple Watch, and how they serve during investigation.

Category Key Data Examples Data on iPhone Data on Apple Watch Investigative Application
Activity Steps, distance traveled, flights climbed O O Verify movement during a specific timeframe; estimate whether stairs were used indoors
Heart Heart rate, HRV, ECG O Estimate physical exertion or stress from sudden heart rate spike; identify abnormal physiological responses
Respiratory Respiratory rate O Reference for sleep state and physiological responses
Sleep Sleep duration O
(based on schedule)
O Verify whether the subject was actually asleep during the timeframe in question
Mobility Gait stability, walking speed O O Cross-check claims of physical injury
Hearing Environmental noise exposure O Indirectly infer surrounding environment (e.g., high-noise locations)
Cycle Tracking Menstrual cycle, ovulation records O O Supplementary reference for statements regarding physical condition

Data Recording Method

Health app data can be collected automatically through the sensors built into iPhone and Apple Watch, or input manually by the user. To manually input the data, follow the steps below.

  1. Open the Health app and tap Steps.

  2. Then tap the icon to manually input the data.
  3. When finished, tap    icon to save.

Manual Input of Health Data

Health Data Sharing

The health data sharing feature has been available since iOS 15 and watchOS 8. Sharing is limited to users who have added each other as contacts, and shared data is continuously synchronized.

Follow the steps below to share the health data. For more details, refer to the Apple support page https://support.apple.com/guide/iphone/view-your-health-data-iphe3d379c32/26/ios/26

1.In the Health app, go to the ‘Sharing’ tab.

2.Tap [Share with Someone].

3.Search for and select a person from the contacts list.

4.Select the health data categories to share, then tap [Share].

Health Data Sharing

2.Available Information

2.1. Device Information & Data Entry Method

The healthdb.sqlite contains the device information, initial Health app setup timestamp, and manual and automatic data entry flag. Any manually input records may suggest potential data manipulation.

Table Available Information
sources Device name
source_devices
  • Model name
  • OS version
  • Initial Health app pairing timestamp
  • Value indicating whether data was input manually or automatically

2.2 User Profile & Health Records

The healthdb_secure.sqlite file contains the user’s personal information, the start and end timestamps of health data recording, health data entries, and location records.

Table Available Information
samples
  • User name, gender, date of birth, and other user information
  • Data type
  • Recording start/end timestamps
quantity_samples
  • Health data value

2.3 Shared Health Data from Other Users

Health data shared by another user is stored in /private/var/mobile/Library/Health/Profiles/{SharedAccoundInternalID}/.

The healthdb.sqlite and healthdb_secure.sqlite files at this path follow the same structure as the primary Health database. Records of health data sharing requests are stored in /private/var/mobile/Library/Health/Client/HealthApp.sqlite.

Path File Available Information
/private/var/mobile/Library/Health/Profiles/{Shared Account Internal ID}/
  • healthdb.sqlite
  • healthdb_secure.sqlite
Health data shared by other users
/private/var/mobile/Library/Health/Client/ HealthApp.sqlite
  • Account information of the sharing requester and the target recipient
  • Timestamp of the sharing request and acceptance
  • Current health data sharing status

 

3.Summary

    1. The Apple Health app tracks users’ physical activity and biometric data. Data is collected automatically or entered manually via iPhone and Apple Watch, and the recorded data can be used to verify statements made by subjects under investigation and to reconstruct behavioral timelines.

    2. Apple Health app data is stored in the healthdb.sqlite and healthdb_secure.sqlite files located under /private/var/mobile/Library/Health/.

    3. The healthdb.sqlite file contains the device information associated with recorded entries, the timestamp of the initial Health app setup, the manual/automatic data entry flag, and more.

    4. The healthdb_secure.sqlite file stores the user’s personal information, the type and actual values of recorded health data, and the start and end timestamps of each recorded entry.

    5. Health data shared by other users is stored in the healthdb.sqlite and healthdb_secure.sqlite files under /private/var/mobile/Library/Health/Profiles/{Shared Account Internal ID}/, while records of sharing requests are logged in the HealthApp.sqlite file located under /private/var/mobile/Library/Health/Client/.

 

 

GMDSOFT Tech Letter Vol19.App Artifact Analysis: Text Input Records

Text entered on a mobile device can be stored and managed by keyboard apps to improve features such as auto-completion and data learning. Therefore, not only messenger apps that contain large volumes of messages, but also keyboard apps that store keyboard text artifacts are forensically significant sources of evidence during investigations.

Text input methods on mobile devices vary by language. Some languages, such as English, allow direct text entry without conversion, while others require a conversion process before finalizing the input. Japanese is a prime example of the latter. Japanese users typically input text in romaji (Latin alphabet) or hiragana, then convert it to hiragana, katakana, or kanji and confirm their final input. For languages with conversion processes like Japanese, keyboard apps can retain various text input records, including initial input, suggested conversions, and final confirmed text.

This article aims to explore the available information from keyboard apps from Android and iOS, focusing primarily on Japanese input records. The findings are based on data extracted from Android 12.0 and iOS 16.7 devices via MD-NEXT v2.2.12 and analyzed via MD-RED v4.0.8.

Table of Contents


1.Keyboard Input Process

Japanese uses three writing systems, hiragana, katakana, and kanji. It is characterized by multiple kanji characters that share the same pronunciation but convey different meanings, as well as individual kanji that can be read in multiple ways. Because of these complexities, Japanese input requires users to first enter text in romaji or hiragana, then select from suggested words (to hiragana, katakana, or kanji) presented by the keyboard app to determine the final text.

General Japanese Input Process for Typing “kyo”

2.Available Information by Keyboard App

2.1 Android

Gboard

Gboard is a keyboard app developed by Google that supports multiple languages and integrates features such as Google Translate and Google Search.

The input text records and the timestamp of entry are stored in the history.db file located under the /.mozc directory. Within this file, both the input text and the corresponding input timestamp are stored in an encrypted Protocol Buffer format.

Input Records Available in Gboard

Wnn Keyboard Lab

Wnn Keyboard Lab is a keyboard app installed on many Android devices manufactured by Japanese vendors. It stores input records using the OpenWnn structure, an open-source input framework developed by Japanese manufacturer Omron.

Text input records are stored in njuserl.a and njuserw.a files under the /files/discet/master directory.

OpenWnn

OpenWnn is an open-source Japanese input method editor developed by Omron. It provides core functions required for Japanese text input, including romaji input, kana conversion, kanji candidate prediction, and user dictionary-based learning.

 

Samsung Keyboard

Samsung Keyboard is the default keyboard app preinstalled on Samsung mobile devices. Similar to Wnn Keyboard Lab, Samsung Keyboard uses the OpenWnn structure, resulting in a similar data storage format. Japanese text input records are stored in njuserl.a and njuserl_uniq.a files under the /app_omrondb/dicset/master directory.

Simeji Keyboard

Simeji Keyboard is a third-party keyboard app that supports a wide range of emojis and theme customization features. Text input records are stored in the following locations.

  • /database

  • /file/dat

Text input content and the timestamp of the last input can be identified in the SimejiProvider.db file located under the /database directory.

SimejiProvider.db

In addition, plaintext records of input text and the package name of the application in which the text was entered are stored in the fcloud.dat file under the /files/dat directory. The dad_info.dat file, stored in the same path, records the time at which a text input field was displayed. These records may be created even when no text is entered, as long as a keyboard appears on the screen.

fcloud.dat

dad_info.dat

The following table summarizes the information above.

File path File Available Information
/databases SimejiProvider.db
  • Text input records
  • Timestamp of last input
/files/dat fcloud.dat
  • Text input records and suggested words
  • App package name where the text was entered
dad_info.dat
  • Timestamp when the keyboard was displayed on the screen
  • (Recorded even without actual user input)

2.1 iOS

Default Keyboard

For the default keyboard built into the iPhone, keyboard input records are stored in plaintext in the following files under the /private/var/Mobile/Library/Keyboard directory.

  • LexicalLearning_ja_JP.db

  • DynamicPhraseLexicon_ja_JP.db

LexicalLearning_ja_JP.db & DynamicBigramPhraseLexicon_ja_JP.db

Biome

The Biome directory is known to store system logs such as user activity data, device usage information, application execution records, and Siri-related events. Text input records on iOS devices are also stored under the /private/var/mobile/Library/Biome.

Under the /restricted/Keyboard.TokenFrequency/local directory, numerically named file contains records saved by session. These data are serialized and stored in SEGB format.

Under the /public/TextInputSession/local directory, numerically named file stores keyboard usage logs, and the application package name. These data are serialized in SEGB format.

SEGB

SEGB is a proprietary binary storage format used by iOS to record user actions and system events. This format is primarily observed within the Biome directories on iOS devices.

Records by language

Input records for other languages are also stored in separate databases organized by language in the private/var/Mobile/Library/Keyboard directory. These databases contain word input records and last converted timestamp. The internal database structure remains consistent across all languages.

2.3 Available Information by Keyboard App

App Save Path File Available Information
Android Gboard /.mozc history.db
  • Text input records
  • Timestamp of the last text input
Wnn Keyboard Lab /files/dicset/master • njuserl.a
• njuserw.a
  • Text input records
  • Suggested words
Samsung Keyboard /app_omrondb/dicset/master • njuserl.a
• njuserl_uniq.a
  • Text input records
Simeji Keyboard /database SimejiProvider.db
  • Text input records
  • Timestamp of the last text input
/files/dat fcloud.dat
  • Text input records
  • Suggested words
  • Package name of the app…
dad_info.dat
  • Timestamp when the keyboard was displayed…
  • (Recorded even when no text is entered)
iOS Default Keyboard /private/var/Mobile/Library/Keyboard • LexicalLearning_ja_JP.db
• DynamicPhraseLexicon_ja_JP.db
  • Text input records
Biome /restricted/Keyboard.TokenFrequency/loca Numerically named file
  • Text input records
/public/TextInputSession/local Numerically named file
  • Keyboard usage logs
  • Package name of the app…

3.Summary

    1. Text entered on a mobile device can be stored and managed by keyboard apps to improve features such as auto-completion and data learning.

    2. Japanese users typically input romaji or hiragana first, then convert it to katakana or kanji to finalize their text entry.

    3. The Android Gboard app stores text input records and the timestamp of the last text entry in the history.db file located at /.mozc.

    4. The Android Wnn Keyboard Lab app stores text input records using the OpenWnn structure. These records are saved in the njuserl.a and njuserw.a files at /files/dicset/master.

    5. The Android Samsung Keyboard app stores text input records in the njuserl.a and njuserl_uniq.a files at /app_omrondb/dicset/master.

    6. The Android Simeji Keyboard app stores text input records and the timestamp of the last text entry in the SimejiProvider.db file at /database. Additionally, the fcloud.dat and dad_info.dat files in /files/dat store text input records, suggested words, the package names of apps in which text was entered, and the timestamp when the keyboard was displayed on screen.

    7. The iOS default keyboard app stores text input records at /private/var/Mobile/Library/Keyboard.

    8. The iOS default keyboard app stores text input history, keyboard usage logs, and the package names of apps where text was entered at /private/var/mobile/Library/Biome.

 

Bridging the Gap in UAV Investigations: The Case for a 360-Degree Drone Forensics Curriculum

The Escalating Complexity of Drone Forensics 

As Unmanned Aerial Vehicles (UAVs) become more integrated into critical infrastructure and daily life, their role in criminal activities—from unauthorized surveillance to smuggling—has surged. For digital forensic practitioners, this presents a multi-layered challenge. Unlike traditional mobile devices, drones are subject to extreme physical stress, proprietary encryption, and volatile data environments. 

Standard software-based extraction often fails when a drone is severely damaged or when the firmware is locked. To build a solid case, investigators need more than just a tool; they need a comprehensive methodological approach. 

 

Beyond Software: A Holistic Training Ecosystem 

GMDSOFT is proud to offer the industry’s most advanced Drone Forensics Training Course. We believe that true proficiency in UAV forensics cannot be achieved in a classroom alone. It requires a seamless integration of field operations, hardware engineering, and sophisticated data analysis. 

 

1.Real-World Field Intelligence

Our training begins at our dedicated flight range. By operating a diverse fleet of drones in a controlled environment, investigators generate live telemetry data, GPS logs, and multimedia files. This “Field-to-Lab” approach ensures that trainees understand the operational behavior of the aircraft before they ever attempt to analyze the data. 

 

2.Advanced Hardware Recovery & Chip-off Mastery

When a drone is recovered from a crash site or intentionally destroyed, the logic board is often the only remaining source of truth. We provide specialized training in Chip-off forensics, teaching investigators how to physically desolder flash memory chips and extract raw data directly from the hardware—a critical skill when standard interfaces are non-functional. 

 

3. Advanced Decryption Lab: Mastering High-Priority Models

In an era of rapid manufacturer updates, staying current is not optional—it is a requirement. Our curriculum provides hands-on practice with the latest physical extraction and decryption methodologies specifically designed for high-priority DJI models. 

Participants will engage in deep-dive labs focused on: 

• Phantom 4 Series: Advanced, Pro, Pro V2.0, and RTK 

• Matrice Series: Matrice 600 Pro 

• Mini 3 Pro 

• Flight controllers: MateksysSpeedyBeeHolybro 

Rather than just running a tool, you will learn the underlying decryption logic and extraction workflows that ensure access to critical flight logs and media, even when standard forensic methods fail. 

 

4. AI-Driven Analysis: Precision Intelligence at Scale

Modern drone investigations often involve overwhelming amounts of data. This training introduces investigators to AI-based analytical deep dives within MD-DRONE. You will learn how to: 

• Pinpoint critical evidence, such as deleted flight paths or unauthorized communication logs, with forensic precision. 

• Accelerate the investigation timeline without compromising the integrity of the evidence. 

 

Tailored to Your Mission 

We recognize that a “one-size-fits-all” approach does not work for specialized law enforcement units. Whether your focus is on counter-terrorism, narcotics, or border security, GMDSOFT provides fully customizable training schedules. We align our curriculum with your team’s specific mission requirements and technical proficiency levels. 

 

Conclusion: Future-Proofing Your Unit 

The gap between drone technology and forensic capability is widening. GMDSOFT is the only global provider that closes this gap by combining real-world piloting, deep-tier hardware forensics, and industry-leading software analysis into one cohesive program. 

Equip your team with the expertise to turn complex aerial data into courtroom-ready evidence. 

   

 

Advancing Forensic Science: Transforming Video Evidence with Precision Speed Estimation

In the realm of digital forensics and crime or accident reconstruction, the difference between a conviction and an acquittal often hinges on the ability to quantify the “unquantifiable.” For years, investigators have relied on subjective witness testimonies or rime-intensive manual frame-analysis to estimate vehicle speeds. However, in modern litigation, “fast” is merely an opinion—speed is a factual necessity.

 

With the latest update to MD-VIDEO AI, we are proud to introduce our Speed Estimation feature. This feature is designed to move beyond visual observation, providing investigators with a scientifically grounded methodology to extract velocity from standard CCTV, dashcam, and surveillance footage.

 

Bridging the Gap Between Visuals and Actionable Data

Forensic video analysis often suffers from low frame rates, poor lighting, and extreme motion blur. These factors make manual speed calculation not only time-consuming but also prone to human error. MD-VIDEO AI’s Speed Estimation addresses these challenges through Ground-Plane Speed Mapping, allowing for precise velocity calculation of any object moving across a fixed surface.

Critical Investigative Scenarios:

• Crime/Accident Reconstruction & Braking Analysis: Determining the exact speed at the moment of impact is vital. Our tool allows investigators to calculate velocity changes and braking points, providing a clear picture of the events leading to a collision.

• Pedestrian Safety & Negligence Determination: In pedestrian-involved incidents, the “avoidability” of the accident is a primary legal question. By analyzing speed data, forensic experts can determine if a driver was adhering to speed limits and whether they had sufficient time to react.

• Hit-and-Run Investigations & Establishing Intent: One of the most challenging aspects of a hit-and-run is proving “intent to flee.” By quantifying a suspect’s acceleration immediately following an impact, MD-VIDEO AI helps investigators provide evidence of deliberate evasion.

A Comprehensive Video Forensic Ecosystem: Supporting Global Identification

While speed provides the context of a crime, identification provides the subject. MD-VIDEO AI goes beyond quantification. Our industry-leading Number Plate Restoration engine works alongside our analytical tools to resolve high-speed motion blur that typically renders identifiers unreadable.

We are proud to announce that our AI models are currently supporting all 50 U.S. state number plate designs. Furthermore, our commitment to global justice means we provide comprehensive coverage for over 50 countries in Europe, Asia, Latin America and Africa with specialized vehicle classes, including motorcycles.

Conclusion: The Future of Evidence is Precise

The introduction of Speed Estimation marks a significant leap forward in video forensics. By integrating automated velocity calculation with high-fidelity number plate restoration, MD-VIDEO AI provides a unified environment where investigators can build cases based on hard data rather than estimates.

When every mile per hour—and every pixel—matters to the truth, trust the precision and integrity of MD-VIDEO AI.

Interested in integrating MD-VIDEO AI into your investigation workflow? Contact our Global Sales Team to schedule a technical briefing or request a trial license.

 

2025 MD-Series Q4 Release Note Highlights

In the fast-paced world of digital forensics, the challenge isn’t just about collecting data—it’s about the speed of insight and the integrity of evidence. Investigators are constantly battling increasing encryption, massive data volumes, and the urgent need for real-time field decisions. 

 

At GMDSOFT, we understand that every minute saved in the lab or the field is a step closer to justice. Our Q4 2025 updates are designed to alleviate these pressures by enhancing global compatibility and introducing groundbreaking field-triage capabilities. 

 

Key Highlights of the Q4 Release: 

📱 MD-NEXT: Expanded Mobile Coverage 

• Broad Compatibility: Now supporting 200 new models from 27 different manufacturers. 

• Security Bypass: Enhanced iOS backup password removal to streamline data extraction. 

 

📈 MD-RED: Advanced App Analysis 

• Social Media Intelligence: Added support for 12 Android and 6 iOS apps, including deep analysis of WhatsApp read receipts and timestamps. 

• Modern Assets: Improved NFT log analysis and recovery of deleted files. 

• Global Reach: Optimized WeChat decryption for iOS backup data. 

 

🔍 MD-LIVE & MD-CLOUD 

• Precision Search: Support for alphabetic ligatures and compatible character searches. 

• Workflow Automation: New Auto Scroll Capture for Android. 

• Compliance: Clear guidance for iCloud accounts that haven’t accepted updated Terms of Service. 

 

🎥 MD-VIDEO AI: Global Plate Restoration 

• AI Speed Estimation: A crucial tool for accident reconstruction and incident analysis. 

• Global Expansion: Massive expansion of number plate restoration capabilities covering regions across the US (Delaware, D.C., Wyoming, etc.), Europe, and Asia-Pacific. We won’t stop until we provide seamless restoration support for every plate in the world. 

 

The Power of Real-Time Decision Making: Block Hash 

While our Q4 release brings immediate power to your lab, we are excited to share a glimpse of what’s coming next to the front lines. We are currently developing the ‘Block Hash’ feature—a strategic addition designed for the high-pressure environment of on-site investigations. 

We recognize that field investigators often need to make split-second decisions regarding the seizure of devices. This powerful feature will allow for rapid scanning and immediate determination of evidentiary value. This upcoming innovation will ensure that your critical resources are focused exactly where they need to be, significantly reducing the time spent on non-relevant data during the initial triage phase. Stay tuned for this game-changing update in our upcoming feature. 

 

Elevate Your Investigative Capabilities 

The landscape of digital crime is evolving. Your tools should evolve faster. These updates are more than just features; they are a commitment to your mission of uncovering the truth. 

 Ready to streamline your investigations? Explore the full release note and see how these updates can transform your workflow. 

 

GMDSOFT Tech Letter Vol18.Analyzing Recent App Traces: Task Snapshots

The ‘Recent Apps’ feature allows users to conveniently browse and relaunch recently used apps, and it has been available since Android 5.0 and later versions. Starting with Android 8.0, a new internal infrastructure called ‘task snapshots’ was introduced to store app screen captures and metadata displayed in the ‘Recent Apps’.

This article aims to introduce the ‘’Recent Apps’’ feature available on Android devices, and explain the concept of task snapshots, which save its traces. The findings are based on data extracted from the device with Android 11 using MD-NEXT v2.2.8, and analyzed with MD-RED v4.0.5

Table of Contents


1.Recent Apps

Tap at the bottom-left of the home screen to access the ‘Recent Apps’. Swipe left or right to browse through the apps running in the background. You can reopen a specific app or swipe it upward to remove it from the ‘Recent Apps’. Up to 50 apps can be open in the background, and when the limit is exceeded, the oldest apps will be removed from the ‘Recent Apps’.

Learn more

Background Apps

An application that is still running and active on the device, even though it is not currently visible on the screen.

 

1.1 Take Snapshot

A task snapshot is an internal Android infrastructure used to store the screen displayed in the ‘Recent Apps’ feature. It refers to the app screen when it is switched to the background. The app screen is saved in both high-resolution and low-resolution.

Learn more

2.Available Information

Under /system_ce/{User ID}/snapshots/, Android stores a set of three files for each screen displayed in the ‘Recent Apps’ list. If a user swipes an app away from the ‘Recent Apps’, the corresponding files are also deleted.

• {Task ID}. jpg

• {Task ID}_reduced.jpg

• {Task ID}.proto

The name of each file is assigned a unique numerical Task ID, and this ID increases sequentially according to the order in which apps transition to the background. Even if an app already shown in ‘Recent Apps’ is launched again and then switched back to the background, its previously assigned Task ID does not change.

Task snapshot file list

Although Task IDs generally increase as apps transition to the background, the numbers may not appear in consecutive order. This can occur when a user swipes an app away from the ‘Recent Apps’, or when Task IDs are assigned to background apps that do not appear in the ‘Recent Apps’ list.

 

2.1 Last Screen of the Recent App

You can identify the last screen displayed in a recent app from the two snapshot image files: {Task ID}.jpg and {Task ID}_reduced.jpg. The {Task ID}_reduced.jpg file is a lower-resolution version and has a smaller file size compared to {Task ID}.jpg

2.2 Timestamp of Background Transition

You can identify the timestamp of an app’s transition to the background in the {Task ID}.proto file, which stores the snapshot’s metadata. The modified, accessed, and changed timestamps (MAC Times) of the {Task ID}.proto file also reflect the moment when the app was switched to the background.

Decoded protocol buffer (.proto) file

MAC Times of the protocol buffer (.proto) file

The modified and changed timestamp of {Task ID}.jpg and {Task ID}_reduced.jpg represent the timestamp when the app transitioned to the background. These timestamps are updated each time the app is switched to the background. The accessed timestamp of these files indicates the first time the app was transitioned to the background.

MAC Times of JPG file

 

Protocol Buffer File

A protocol buffer file is a file format developed by Google for efficiently storing and transmitting structured data.

2.3 Others

The /system_ce/{User ID}/snapshots/ directory may also contain screens, such as alarm screens, Galaxy default app searches, network list screens, and others.

Other Screens

Meanwhile, the {Task ID}.xml files stored under /system_ce/{User ID}/recent_tasks/ provide a record of app usage history that complements the snapshot artifacts.

 

2.4 Summary of Available Information

Item Description
{Task ID}.jpg
  • Last screen displayed in the ‘Recent Apps’
  • The modified and changed timestamps represent the moment the app transitioned to the background.
{Task ID}_reduced.jpg
  • Low-resolution version of the last screen displayed in the ‘Recent Apps’
  • The modified and changed timestamps represent the moment the app transitioned to the background.
{Task ID}.proto • File containing metadata and state information for the task snapshot.
Others
  • Screens such as alarm views, default app search screens, and network list screens may also be stored under /system_ce/{User ID}/snapshots/.
  • App usage history is recorded in the {Task ID}_task.xml file stored under /system_ce/{User ID}/recent_tasks/.

3.Summary

  1. Android devices provide a ‘Recent Apps’ feature that allows users to view recently used apps and relaunch them easily.

  2. Task snapshots serve as Android’s internal infrastructure for storing the screens and metadata of recently used apps.

  3. For each screen shown in the ‘Recent Apps’, a set of three files, {task ID}.jpg, {task ID}_reduced.jpg, and {task ID}.proto, is stored under /system_ce/{User ID}/snapshots/.

  4. The {task ID}.jpg and {task ID}_reduced.jpg files contain the last displayed screen of the app. The modified and changed timestamps indicate the moment the app transitioned to the background, while the accessed time reflects the first time the app transitioned to the background.

  5. The {Task ID}.proto file records metadata, including the timestamp of the background transition. Its modified, accessed, and changed timestamps also correspond to the time the app was transitioned to the background.

  6. In addition to recent app screens, this directory may also contain images such as alarm screens or other system-generated snapshots. App usage history can be found in the {Task ID}.xml file stored under /system_ce/{User ID}/recent_tasks/.

 

 

GMDSOFT Tech Letter Vol17.Detecting Hotspot Connection Evidence on Suspect Devices

There is suspicion that the subject participated in criminal activity through a hotspot connection. Is it possible to verify the device’s hotspot connection activity through mobile forensic analysis?

Hotspot connections represent more than simple network activity. They can serve as evidence that two devices were in close physical proximity.

iOS hotspot feature requires manual authentication for the initial connection, but automatically reconnects when the same device comes within range thereafter. This means the presence of automatic connection records indicates that the user previously entered the password manually, and suggests the possibility that both devices were used together in the same location at the time of an incident.

This article aims to explain how to connect to a personal hotspot on iOS devices and provide key information available to identify the connection history. The findings are based on the data extracted from iOS 16.7 device using MD-NEXT v2.2.8 and analyzed via MD-RED v4.0.4.

A hotspot allows a mobile device to share its cellular data connection with another device, providing internet access when Wi-Fi is unavailable.

For a hotspot connection, both the providing device and the receiving device must be within approximately 10 meters of each other.

Table of Contents


1.How to Set Up a Personal Hotspot

When a Wi-Fi network is unavailable, you can share your iPhone’s cellular data connection by enabling a Personal Hotspot. To enable a hotspot, configure devices as follows.

Learn more


1.1 Hotspot Providing Device

Go to ‘Settings’ > ‘Personal Hotspot’ or ‘Settings’ > ‘Cellular’ > ‘Personal Hotspot’ and enable ‘Allow Others to Join’ option. To use this hotspot, other users must enter the password set in the providing device.

 

1.2 Hotspot Receiving Device

Go to ‘Settings’ > ‘Wi-Fi’ and select a personal hotspot of Device B. A personal hotspot is displayed with the icon next to it. If a personal hotspot is successfully connected, the icon is displayed on the top-right corner of the device screen.


2.Hotspot Connection History on Receiving Device (A)

The hotspot connection history on the receiving device is stored in the following source files:

• /private/var/preferences/com.apple.wifi.known-networks.plist

• /private/var/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist

• /var/mobile/Library/Preferences/com.apple.networkserviceproxy.plist

The following information is available in the fils : 

• Start timestamp of initial connection

• Start timestamp of automatic an manual hotspot connection

• Start timestamp of the nth connection

• Start/end timestamp of the last connection

The following sections describe typical scenarios in which this information can be identified and analyzed. Device A refers to the device that received the hotspot connection, and Device B refers to the device that provided it.

The name of the hotspot used by the receiving device is also available for analysis. IF the device name is changed, the name of the providing device may differ from the name it had when the hotspot connection was made.

 

2.1 Case 1 : Device A Connects to Device B’s hotspot (1st session)

This scenario is when Device A connects to Device B’s personal hotspot. If it is the initial connection, the password set on the providing Device B is required to enable the connection.

The following information is available :

• The AddedAt key in the com.apple.wifi.known-networks.plist file and the AddedAt key in the com.apple.wifi-private-mac-networks.plist file record the timestamp when the hotspot was initially connected.

• The NSPServiceStatusMAnagerInfo key in the com.apple.networkserviceproxy.plist file contains blob-processed Plist data with detailed hotspot connection information. In each NS.time key, under PrivacyProxyNetworkStatusTimeNetworkStartTime andPrivacyProxyNetworkStatusTimeNetworkEndTime keys, you cna find the timestamp the hotspot was connected and disconnected. The timestamp is recorded in CFAbsoluteTime format.

CFAbsoluteTime (Core Foundation Absolute Time) is Apple’s timestamp format, which uses January 1, 2001, 00:00:00 UTC as its reference point. By converting a CFAbsoluteTime value to Gregorian date, you can determine the corresponding year, month, day, and hour.

 

The following table summarizes the information above.

Source File Key Description
/var/mobile/Library/Preferences/com.apple.networkserviceproxy.plist
  • NSPServiceStatusManagerInfo
  • PrivacyProxyNetworkStatusTimeNetworkEndTime
  • NS.time
End timestamp of connection

 

/private/var/preferences/com.apple.wifi.known-networks.plist

 

/private/var/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist

 

/var/mobile/Library/Preferences/com.apple.networkserviceproxy.plist

 

2.2 Case 2 : Device A Connects from the hotspot (1st session)

In this case, Device A loses its connection to Device B’s hotpot. Hotspot connections can be lost when :

• The user manually disconnects from the hotspot.

• The device switches to a different Wi-Fi network.

• The device moves too far from the hotspot providing device.

• The hotspot provider changes the hotspot password.

When a connection is terminated, the end timestamp can be found in the com.apple.networkserviceproxy.plist file.

Source File Key Description
com.apple.wifi.known-networks.plist JoinedBySystemAt Start timestamp of automatic connection
JoinedByUserAt Start timestamp of manual connection
com.apple.wifi-private-mac-networks.plist lastJoined Starttimestamp of the most recent connection

 

/var/mobile/Library/Preferences/com.apple.networkserviceproxy.plist

2.3 Case 3 : Device A Connects to Device B’s hotspot (2nd session)

In this case, Device A temporarily loses connection and then reconnects to Device B’s hotspot. There are two possible reconnection scenarios.

• Automatic connection: The device automatically reconnects when it comes within range of the hotspot. For this condition, the providing device must not have changed the password, and the ‘Allow Others to Join’ option must be enabled.

• Manual connection: The user actively selects and reconnects to the hotspot. Since the password was saved during the first connection, re-authentication is not required.

The JoinedBySystemAt key within the com.apple.wifi.known-networks.plist file records the start timestamp of the automatic connection. Upon manual reconnection, the JoinedByUserAt key is updated with the corresponding start timestmap of connection.

The lastJoined key in the com.apple.wifi-private-mac-networks.plist file records the start timestamp of the last connection, updating with each session (2nd, 3rd, nth session).

The table below summarizes the information above.

Source File Key Description
com.apple.wifi.known-networks.plist JoinedBySystemAt Start timestamp of automatic connection
com.apple.wifi.known-networks.plist JoinedByUserAt Start timestamp of manual connection
com.apple.wifi-private-mac-networks.plist lastJoined Starttimestamp of the most recent connection

 

JoinedBySystemAt and JoinedByUserAt keys in com.apple.wifi.known-networks.plist

lastJoined key in com.apple.wifi-private-mac-networks.plist

2.4 Case 4 : Device A disconnects from the hotspot (2nd session)

In this case, the device disconnects from the hotspot after having successfully reconnected. To determine when the hotspot connection was terminated, refer to UpdatedAt key in com.apple.wifi.known-networks.plist file and lastUpdated key in com.apple.sifi-private-mac-networks.plist file.

These timestmaps may update after actual disconnection occurs. They do not represent precise disconnection timestamps and should be used only as reference data for hotspot network logs.

2.5 Case 5 : Device A disconnects from the hotspot (multiple times)

In this case, the device repeatedly connects to and disconnects from the hotspot. In each session, the same information described in Case 3: Device A reconnects to Device B’s hotspot (2nd session) can be found.

When hotspot connections and disconnections occur two or more times, the start and end timestamps for all sessions except the last one are recorded in the NS.timekey under the
PrivacyProxyNetworkStatusTimeNetworkStartTime and PrivacyProxyNetworkStatusTimeNetworkEndTime keys in the com.apple.networkserviceproxy.plist file.

For example, if four sessions occurred, the start and end timestmaps for sessions 1 through 3 can be identified in the source file. While the las (4th) session’s connection start and end timestmaps cannot be verified, you can refer to the recording of previous connection and disconnection timestamps to trace hotspot connection history.

A session refers to a single connection unit from the moment a hotspot connection is initiated until it is terminated.

The table below summarized the information above.

Source File Key Description
com.apple.networkserviceproxy.plist
  • PrivacyProxyNetworkStatusTimeNetworkStartTime
  • PrivacyProxyNetworkStatusTimeNetworkEndTime
NS.time
  • Start timestamp of $n^{th}$ session
  • End timestamp of $n^{th}$ session
*When a connection is established and terminated more than twice, start and end timestamp of the last connection are not recorded.

/var/mobile/Library/Preferences/com.apple.networkserviceproxy.plist

3. Summary of Available Information

Source File Key Description
/private/var/preferences/com.apple.wifi.known-networks.plist
  • AddedAt
  • UpdatedAt
  • JoinedBySystemAt
  • JoinedByUserAt
  • Start timestamp of initial connection
  • End timestampof connection (may be updated later)
  • Start timestampof automatic reconnection
  • Start timestamp of manual reconnection
/private/var/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist
  • addedAt
  • lastUpdatedAt
  • lastJoined
  • Start timestamp of initial connection
  • End timestamp of connection (may be updated later)
  • Start timestamp of last connection
/var/mobile/Library/Preferences/com.apple.networkserviceproxy.plist
  • PrivacyProxyNetworkStatusTimeNetworkStartTime
  • PrivacyProxyNetworkStatusTimeNetworkEndTime
  • Start timestamp of nth connection
  • End timestamp of nth connection
*When a connection is established and terminated more than twice, start and end timestamp of the last connection are not recorded.

4.Appendix: Information Available on Providing Device (B)

The device that provided the hotspot also stores records of hotspot connection activity.If deleted records are present in the ZTIMESTMAP key of the ZPROCESS table in the /private/var/wireless/Library/Databases/DataUsage.sqlite file, it suggest that the hotspot provider enabled the ‘Allow Others to Join’ option.

/private/var/wireless/Library/Databases/DataUsage.sqlite

Records are not always created every time the hotspot is enabled.
However, when records are present, the timestamp indicates when the hotspot was enabled and can be used as reference data.

5.Summary

  • • Hotspot connection records suggest the physical proximity of the providing and receiving devices.
  • • Connecting to a hotspot requires entering the hotspot password on the initial connection. If a device automatically connects to a specific hotspot, it suggests a prior connection between the two devices.

  • • On the receiving device, hotspot connection records are found in the following source files
    •   ◦ com.apple.wifi.known-networks.plist

    •   ◦ com.apple.wifi-private-mac-networks.plist

    •   ◦ com.apple.networkserviceproxy.plist

  • • On the providing device, if deleted records of the ZTIMESTMAP key in the ZPROCESS table of the DataUsage.sqlite file exist, it indicates that a hotspot connection occurred.