DataChain – A Simple Data Parsing Tool for Mobile Backups

DataChain is a tool designed to make sense of the chaotic data found in iOS and Android backups. When a mobile device is backed up, the resulting file structure can be overwhelming, with various database files storing contacts, messages, call logs, app activity, and media metadata. Instead of manually navigating these files, DataChain uses a technique called chain parsing to quickly locate and organise relevant information.

What is Chain Parsing?

Chain parsing involves extracting specific types of data from known database files, focusing on the relevant records while ignoring unrelated data. This process is essential in digital forensics, particularly when working with mobile devices. As discussed by Quick and Choo (2014) in their work on forensic collection of app data from Android and iOS, database formats such as SQLite hold most app and system data on mobile devices, including user messages, contact lists, and even location history. Targeting these databases with specialised parsing techniques allows analysts to retrieve key information efficiently.

Using chain parsing, DataChain can recognise and extract data from these structured databases, simplifying the process of locating valuable data within a mobile backup. This method is modular, so new parsers can be added or customised to support additional data sources, making DataChain flexible for different data types and applications.

How DataChain Works

  1. Import Backup: The user uploads an iTunes or Android backup.
  2. Run Chain Parsers: DataChain automatically runs parsers to detect and extract data from recognised files, such as contacts and messages.
  3. Organise Data: Data is displayed by type (Contacts, Messages, Calls), allowing easy navigation.
  4. Export and Reporting: Users can export the data to formats like CSV or PDF for further analysis or reporting.

Example of Chain Parsers in Action

Each chain parser targets a specific data type:

  • Contacts Parser: Extracts contacts from files like contacts.db.
  • Messages Parser: Pulls text messages from sms.db.
  • Call Logs: Retrieves call history from call log databases.
  • Location Data: Extracts GPS data from location history files or media metadata.
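
The sketch below shows how a parser chain of this kind could be wired up. It is an added example, not DataChain's own code: the PARSERS registry, the function names, and the table and column names are assumptions, and the sample backup is constructed. It opens each recognised database read-only and records files that fail to parse instead of aborting the run.

```python
import os
import sqlite3
from contextlib import closing
from pathlib import Path

# Hypothetical parser registry: file name -> (data type, query). Table and
# column names are assumptions for this example, not a real device schema.
PARSERS = {
    "contacts.db": ("Contacts", "SELECT name, number FROM contacts ORDER BY name"),
    "sms.db": ("Messages", "SELECT address, body FROM message ORDER BY rowid"),
}

def run_chain(backup_dir):
    """Run the matching parser on every recognised file under backup_dir."""
    results = {dtype: [] for dtype, _query in PARSERS.values()}
    skipped = []  # (path, error) for recognised files that could not be parsed
    for root, dirs, files in os.walk(backup_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            if name not in PARSERS:
                continue  # unrelated file, ignored by design
            dtype, query = PARSERS[name]
            path = Path(root, name).resolve()
            # Open read-only so the parser can never modify the evidence file.
            uri = path.as_uri() + "?mode=ro"
            try:
                with closing(sqlite3.connect(uri, uri=True)) as con:
                    results[dtype].extend(con.execute(query).fetchall())
            except sqlite3.DatabaseError as exc:
                skipped.append((str(path), str(exc)))
    return results, skipped

def build_sample_backup(base):
    """Constructed sample data: a small fake backup tree, not a real backup."""
    os.makedirs(os.path.join(base, "apps"))
    os.makedirs(os.path.join(base, "old"))
    samples = [
        ("contacts.db", "contacts (name TEXT, number TEXT)",
         [("Alice", "+10000000001"), ("Bob", "+10000000002")]),
        (os.path.join("apps", "sms.db"), "message (address TEXT, body TEXT)",
         [("+10000000001", "constructed test message")]),
    ]
    for rel, schema, rows in samples:
        with closing(sqlite3.connect(os.path.join(base, rel))) as con:
            con.execute("CREATE TABLE " + schema)
            con.executemany("INSERT INTO " + schema.split()[0] + " VALUES (?, ?)", rows)
            con.commit()
    Path(base, "apps", "cache.bin").write_bytes(b"\x00" * 64)      # unrelated
    Path(base, "old", "sms.db").write_bytes(b"not sqlite " * 500)  # corrupt
```

Calling build_sample_backup on an empty directory and then run_chain on it returns the contacts and messages grouped by type, plus one skipped entry for the corrupt old/sms.db.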

Proof of Concept

DataChain is currently a proof of concept rather than a complete tool. It demonstrates how chain parsing can help organise mobile backup data, making it easier for users and analysts to locate important information without sifting through unstructured files. As Quick and Choo (2014) highlight, the ability to focus on specific types of data within mobile databases is crucial for efficient forensic analysis, a principle DataChain applies directly.

Source

Quick, D., & Choo, K. K. R. (2014). “Forensic collection and analysis of app data from Android and iOS mobile devices.” IEEE Transactions on Mobile Computing, 13(9), 2242–2255. This paper examines forensic techniques for collecting and analysing structured data in mobile databases, highlighting methods like chain parsing for targeted extraction of user data from app and system files.