App Review of Calculator Photo Vault

Written by Amber Schroader

June 5, 2019

Often in digital forensics, you end up with odd Apps that your tool does not support but that you still need to review as part of your investigation. In this quick review, we will look at the App Calculator Photo Vault and the data that can be found from unsupported Apps.

Calculator+ Photo Vault v.8.8.0 by FishingNet

When we did the review of this App, we reviewed it on a device to which we had root-level access.

As a result, when the device was reviewed in the E3 Platform, we were able to obtain databases from it. However, the images and other files from this app (see Calc_Android.png in attachments) were not found in the database, except for the files that were cached when I was browsing images to add in Calculator (see Calc_browse.png in attachments). See images below.

This led me to believe that the Calculator+ Photo Vault for Android encrypts all images and other files with its own encryption. This creates a barrier for your forensic tools in their ability to find this data. Since the encryption is proprietary, a large amount of time would need to be spent trying to decrypt this App's data.

When we looked at the same style of App on iOS, Fake Calculator v.1.2 by Secret Calculator+ Photo Lock, we discovered very different results. The application does not encrypt images and other files. There is also the ability to open a built-in Browser and navigate to some websites. Although the intent of this App to encrypt the data was the same, the results on iOS were vastly different from what we saw with Android. When we processed it with the E3 Platform, we obtained files from this application for iOS with a logical image (see image below). With that image, we could see in plain view the images from the App, unlike what we saw with Android.
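One way to triage an extracted folder from an unsupported App and tell plainly stored images (the iOS result above) from files that may be encrypted (the Android result) is to ignore file extensions and check headers and entropy. This is an added example, not the E3 Platform's method or the author's; the 7.5 bits-per-byte cut-off, the label strings and the sample file names are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading bytes of formats an examiner expects inside a photo-vault app.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF8": "gif", b"SQLite format 3\x00": "sqlite"}
# Assumed cut-off (bits per byte); compressed data can also exceed it.
ENTROPY_THRESHOLD = 7.5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(path: str, sample_size: int = 65536):
    """Label a file by its header, falling back to entropy of the first bytes."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    entropy = shannon_entropy(sample)
    for magic, label in MAGIC.items():
        if sample.startswith(magic):
            return label, entropy
    if entropy >= ENTROPY_THRESHOLD:
        return "possibly-encrypted", entropy
    return "unknown", entropy

def triage(root: str) -> dict:
    """Classify every file under an extracted app folder, ignoring extensions."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results

if __name__ == "__main__":
    # Constructed sample files standing in for an extracted app data folder.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"a.bin": b"\xff\xd8\xff\xe0" + bytes(64), "b.bin": blob}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        for rel, (label, ent) in sorted(triage(root).items()):
            print(f"{rel}: {label} ({ent:.2f} bits/byte)")
```

A "possibly-encrypted" label is only a lead for manual review, since archives and other compressed formats without a listed header score just as high.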

In conclusion, this is a quick reminder to pay attention to the odd Apps on devices during investigations, and that what they can offer you may change with each type of device.
