Often in digital forensics, an investigation turns up odd Apps that you need to review but that your tool does not support. In this quick review, we will look at the App Calculator Photo Vault and the data that can be found from unsupported Apps.
Calculator+ Photo Vault v.8.8.0 by FishingNet
When we reviewed this App, we did so on a device on which we had root-level access.
As a result, when the device was reviewed in the E3 Platform, we were able to obtain databases from it. However, the images and other files from this app (see Calc_Android.png in attachments) were not found in the database, except for the files that were cached when I was browsing images to add in Calculator (see Calc_browse.png in attachments). See images below.
This led me to believe that Calculator+ Photo Vault for Android encrypts all images and other files with its own encryption. This creates a barrier to your forensic tools' ability to find this data. Because the encryption is proprietary, a large amount of time would need to be spent trying to decrypt this App's data.
When we looked at the same style of App on iOS, Fake Calculator v.1.2 by Secret Calculator+ Photo Lock, we found very different results. The application does not encrypt images and other files. It also offers a built-in Browser that can navigate to some websites. Although the intent of this App to encrypt the data was the same, the results on iOS were vastly different from what we saw with Android. When we processed it with the E3 Platform, we obtained files from this application for iOS with a logical image (see image below). With that image, we could see the images from the App in plain view, unlike what we saw with Android.
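One way to check that difference on an extracted app data folder, as an added example that is not part of the original review or of the E3 Platform: classify each file by its image header, then by byte entropy. Near-random content with no recognizable header is consistent with encryption but does not prove it; the 7.5 bits/byte threshold, the 4096-byte minimum and the sample file names are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

MAGIC = {  # leading signatures of common image formats
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, threshold: float = 7.5) -> str:
    """Return a known image type, 'high-entropy', or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # Header check runs first (compressed media is high-entropy too); tiny files are skipped.
    if len(data) >= 4096 and shannon_entropy(data) >= threshold:
        return "high-entropy"
    return "unknown"

def triage(root: str) -> dict:
    """Classify every file under an extracted app data directory."""
    return {
        str(p.relative_to(root)): classify(p.read_bytes())
        for p in sorted(Path(root).rglob("*")) if p.is_file()
    }

def demo() -> dict:
    """Run triage over constructed sample files (not real app data)."""
    samples = {
        "plain.jpg": b"\xff\xd8\xff\xe0" + os.urandom(8192),  # image header intact
        "vault_0001": os.urandom(8192),  # stands in for an encrypted vault file
        "notes.txt": b"constructed sample text\n" * 200,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            Path(root, name).write_bytes(blob)
        return triage(root)

if __name__ == "__main__":
    for path, label in demo().items():
        print(f"{label:13} {path}")
```

Files labelled `high-entropy` are the ones to set aside for closer analysis; files with an intact image header can be carved and viewed directly.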
In conclusion, this is a quick reminder to pay attention to the odd Apps on devices during investigations; what they can offer you may change with each type of device.