Yahoo India Web Search

Search results

  1. View Alex Caithness’ profile on LinkedIn, a professional community of 1 billion members. Principal Digital Analyst (Research and Development) at CCL Group Ltd. · Experience: Cranfield...

    • 500+
    • Cranfield University
    • Alcester Grammar School
  2. Alex Caithness (BA Hons.) Alex is an experienced programmer, with C# and Python being his primary languages; he is also proficient in a number of others. He has designed and developed several digital forensics tools, both for internal use in CCL and for commercial usage.

    • Primitive Data Encoding
    • Varints
    • BigIntegers
    • The Database Structure
    • Key Prefix Structure
    • StringWithLength
    • Global Metadata
    • Database Metadata
    • Object Store Metadata
    • Reading Records

    Within keys and values the usual encoding format for integers and floating-point numbers, IEEE 754 double precision, will be encountered; integers should be stored in little-endian byte order, floating point numbers will use the host system’s endianness (little-endian more often than not on desktops). Text is variously encoded using ASCII (although...

    In addition to the usual suspects, many integer values are stored using a variable length integer format (henceforth “varint”). Varints, which are found in a number of Google data formats (as well as SQLite), are integer representations which expand to occupy as many bytes as are needed to represent their value. For example: the number “54” is smal...

    JavaScript can store arbitrarily large (or, at least very, very big) integer values. The BigInt datatype in IndexedDB can be decoded thus: Read a varint; the least significant bit gives you the sign of the number (1 for negative). Bit-shift the value left 4 bits; this shifted value tells you how many unsigned integers to read – 32-bit integers on 3...

    In order to read through the objects in the IndexedDB LevelDB database in a meaningful way we need to understand the structure of the IndexedDB: how many object stores there are; how to identify them; and so on. We can achieve this by identifying records in the LevelDB backing store with specially constructed metadata keys. The following understand...

    The keys of the records relating to IndexedDB data and metadata all have a common prefix format which indicates what aspect of IndexedDB each record refers to. Strictly speaking, this prefix is of a variable length, but unless there are more than 255 IndexedDB databases, more than 255 object stores in a single database, or more than 255 indexes for...

    Most text fields in the database metadata will be stored as “StringWithLength” structures. This structure comprises a varint value giving the length of the string in characters, followed by the string encoded using UTF-16; as UTF-16 is made up of two-byte units, you need to multiply the length value by 2 to get the length in bytes.

    Global metadata does not pertain to any particular database, object store or index, so in the key prefix those values will all be zero, therefore a global metadata record can be identified by the key prefix: 0x 00 00 00 00. The next byte will define the type of metadata being defined, the structure of the remainder of the key (if any) and the struc...

    For database metadata records, the key prefix will contain the database ID for the database in question, then zero for both the object store ID and the index ID. The key prefix for these records will therefore be: 0x 00 yy 00 00, where yy is the database ID. The next byte will define the type of metadata being defined. Of particular interest to us:...

    The key prefix format for object store metadata is a little surprising – as with the database metadata only the database ID field is set, with the object store and index ID both still set to zero (this is because when the object ID is set to a value, the records contain record data or metadata referring to records rather than the object store itsel...

    Once we understand the “shape” of the IndexedDB database, we can start to consider how to identify and read the actual records in the object stores.

  3. Nov 12, 2020 · It’s called tomorrow" (or FCM Queued Messages if you're talking to our Principal Analyst Alex Caithness). In his latest blog, Alex explains how FCM Queued Messages can lead us to Android artefacts that present a golden second opportunity to recover data that might otherwise be unrecoverable.

  4. 📣 Digital Forensics Essentials – New episode heads-up The latest in the Digital Forensics Essentials series will land next week with Principal Analyst Alex Caithness set to unpack the subject...

  5. Jan 6, 2022 · In this blog, Principal Analyst Alex Caithness explains the new ‘ABX’ format, provides open-source code for reading the data and emphasises the importance of collaboration in the digital forensics community.

  6. Alex Caithness is the module leader on the Programming for Digital Forensics module and teaches on the Techniques and Traces and Internet Based Investigations modules.