Mobile Forensics — Analyzing Snapseed on Android
Short Version
The Android Snapseed application stores its pictures in the following directory: /shared/0/Snapseed/. Information about the application and installation is stored in the following directory: /apps/com.niksoftware.snapseed/k/.
The pictures taken on the Android device that I used are stored in /shared/0/DCIM/Camera. The filenames are formatted as IMG_YYYYMMDD_XXXXXXXXX.jpg where YYYY is the year, MM is the month, DD is the day when the picture was taken, and XXXXXXXXX is a 9-digit numeric sequence. An example would be IMG_20220509_5146678912.jpg.
Snapseed changes the filename by adding a -01 at the end and replaces the extension from .jpg to .jpeg. An example would be IMG_20220509_514667912–01.jpeg.
The detailed process to populate test data, acquire the forensic image and analysis are provided below.
Long Version
The objective of this research was to see how a photo editing application called Snapseed would make changes to a data set of pictures taken on an Android device along with any other changes in the file system.
Snapseed is an application by Google which allows a user to upload pictures and edit them. Pictures can’t be taken from within the application itself, but there are 11 filters and 28 editing features to choose from. More information about Snapseed can be found here.
I used Snapseed version 2.19.1.303051424 and a Motorola Moto G6 smartphone running on Android Version 9.0. The following are the model and hardware specifications of the Moto G6:
- Serial Number: ZY323CWZQJ
- Hardware version: PVT2
- Model Number (SKU): ZT1925–6
- RAM: 3.00 GB
- Storage: 32.00 GB
- Display: 2160 x 1080
- Camera: Front 8MP / Rear 12MP + 5 MP
This blog post goes through the process that I followed and presents the outcomes of my research. The timestamps referenced in this post reflect Eastern Daylight Time (UTC -4:00).
Testing
I used the following device and tools for analysis:
- Lenovo ThinkPad with Windows 11 Operating System
- Magnet ACQUIRE version 2.31.0.22469
- AXIOM Process version 5.10.0.30634
- AXIOM Examine version 5.10.0.30634
- Sleuth Kit Autopsy version 14.19.1
Before extracting a forensic image, I created my test data. Using the Moto G6, I took pictures of 12 different objects one by one on 03/28/2022 between 3:57 pm — 4:12 pm. I then edited 11 out of the 12 pictures in Snapseed one by one between 4:15 pm — 4:45 pm. I did not make any edits to the first picture in order to keep it as the control for this test data. I made sure to leave at least one minute in between taking pictures, and at least two minutes in between editing the pictures to ensure the data was properly captured. Figure 2 below shows the time the pictures were taken on the left, and the time the pictures were edited on the right.
Acquisition
I first entered Developer Mode and then enabled USB Debugging Mode on the Moto G6. More information and steps on how to enable these options can be found here.
One blocker that I ran into for obtaining a full file system image was that my Original Equipment Manufacturer (OEM) of my device was locked by my carrier. Therefore, I wasn’t able to root my device using Team Win Recovery Project (TWRP), which is needed to acquire a full file system image. The instructions and the TWRP image file for the Moto G6 that I used can be found here. However, please note that using this custom recovery will factory reset your mobile device.
Figure 3 below shows the command prompt window with the last line displaying “<waiting for any device>” and the Moto G6 with the second to last line displaying “oem_locked” when the command “fastboot flash recovery twrp.img” was run.
I was able to obtain a quick file system image using Magnet Acquire. This produced an adb-data.tar file and I was able to view Snapseed’s application files and artifacts after loading it into Autopsy and AXIOM Process / Examine.
Analysis
I present the following analysis with screen captures from Autopsy only because both AXIOM Examine and Autopsy resulted in similar findings. The important artifacts that I found during my analysis are located in the following three directories:
- /apps/com.niksoftware.snapseed/k/
- /shared/0/DCIM/Camera
- /shared/0/Snapseed
The first directory, /apps/com.niksoftware.snapseed/k/ contains information about the Snapseed application and it’s installation package as shown in Figure 5 below.
In Figures 6 and 7 below, the hex and associated plaintext for the _manifest file is displayed. The _manifest file contains important information about the application that the Android operating system must read before being able to run the application’s code.
From Figure 7, the com.android.vending text represents a verification signature that the app is downloaded from the Google Play Store and not from a third party vendor. Under the com.niksoftware.snapseed.data file from Figure 5, the following hex is found along with its associated plaintext in Figures 8 and 9 respectively.
The xml file in Figure 9 contains Snapseed’s setting preferences including the export configuration being a .jpg file at 100% quality, and the application appearance having a dark theme. Figure 10 below shows the settings page in the Snapseed application that reflects the xml file in Figure 9.
In the second directory, /shared/0/DCIM/Camera, I was able to find the 12 original pictures taken with the Moto G6. Figure 11 displays the exported .csv file from Autopsy of the original pictures.
In the third directory, /shared/0/Snapseed, I was able to find the 11 pictures that were edited in Snapseed. Figure 12 displays the exported .csv file from Autopsy of the edited pictures.
From Figure 11, we can see that the Moto G6 uses a naming convention of IMG_YYYYMMDD_XXXXXXXXX.jpg where YYYY is the year, MM is the month, and DD is the day when the picture was taken. Afterwards, we see a 9-digit number followed by the extension of .jpg. I was unable to determine what this 9-digit number is.
In Figure 12, once edited via Snapseed, a -01 is added to the end of IMG_YYYYMMDD_XXXXXXXXX, the XXXXXXXXX is different from the original picture, and the extension is changed from .jpg to .jpeg. The difference between .jpg and .jpeg (joint photographic exports group) is that earlier versions of operating systems required a three-character extension, while newer versions of operating systems allow extensions that are longer than three-characters.
Furthermore, looking at the Modified, Access, and Created (MAC) timestamps in Figures 11 and 12, we see that only the last modified timestamp is recorded in both the /Camera and /Snapseed directories. These last modified timestamps match with the timestamps of when the images were taken and edited as shown in Figure 2.
From analyzing the data between the original pictures and the edited pictures, I found that the indicators of modification are the change in the file name, change in extension, reduction in file size, and reduction in file dimensions. In Figure 13, the crop edit has been applied to Object 4, headphones. The following are the changes that can be observed between the original picture and the edited picture:
- Name: IMG_20220328_160203637.jpg changed to IMG_20220328_160203637-01.jpeg
- File Size: 3.0 megabytes (mb) reduced to 2.1 megabytes (mb)
- File Dimensions: 3072 x 4096 reduced to 3024 X 3187
In Figures 14 and 15, we take a look at another picture from the data set, which is Object 10, journal. This picture was taken at 4:08 pm, and the Healing edit was applied at 4:39 pm. The Healing edit allows you to remove an item from the picture. The modification made to the image was the removal of the blue and silver thumb drive.
The original picture in Figure 14 has a name of IMG_20220328_160835194.jpg, a timestamp of 2022–03–28 16:08:36 EDT (4:08:36 pm), and file size of 2.8 mb. The edited picture in Figure 15 has a name of IMG_20220328_160835194-01.jpeg, a timestamp of 2022–03–28 16:39:44 EDT (4:39:44 pm), and file size of 2.6 mb.
One interesting discovery I made is that when looking at the pictures on the Moto G6 itself, using the Google Photos application, timestamps in both the Camera and Snapseed folders display the timestamp of when the picture was taken. Figure 13 shows Object 12, the Rubiks cube from the dataset. The original picture of the Rubiks cube is on the left and the picture with the Lens Blur edit is on the right, but both show the timestamp of Mar 28, 2022, 4:12 pm.
Conclusion
The Snapseed application on Android stores it’s information and installation data in /apps/com.niksoftware.snapseed/k/ and it’s pictures are stored in /shared/0/Snapseed/. The discoveries from my analysis show that the Snapseed application modifies attributes of the pictures in the following ways:
- adding a -01 at the end of the file name
- replacing the original extension with .jpeg
- reducing the size of the file
- reducing the dimensions of the file (for the crop feature)
Today, there is a wide range of photo and video editing applications that are available for personal and professional use. I believe that it is important to have an understanding what type of information applications store and what type of modifications they make in order to identify what normal behavior is versus what is not during forensic investigations.
References
Snapseed on the Google Play Store
https://play.google.com/store/apps/details?id=com.niksoftware.snapseed&gl=US
How to Enable USB Debugging on Motorola Moto G
https://www.syncios.com/android/how-to-enable-usb-debugging-on-moto-g.html
TWRP for Motorola Moto G6
https://twrp.me/motorola/motorolamotog6.html
JPG vs JPEG: Understanding the Most Common Image File Format
https://kinsta.com/blog/jpg-vs-jpeg/
Thank you to Jessica Hyde for providing the knowledge and guidance that helped me with this forensic analysis.