.json Files - My Favorite Artifacts, Part Three

President of Tetra Defense, Cindy Murphy, shares her insights:

This month, I’m taking a stab at JSON (not to be confused with another seasonally-appropriate Jason). As a subset of JavaScript, JSON doesn’t quite qualify as an artifact in the same way that the other artifacts like MobileSMS.plist and user dictionary files do, but it leaves behind a whole slew of artifacts that mobile forensics tools often miss.

So, for this special Halloween installment of “My Favorite Artifacts,” let’s head down to Camp Crystal Lake and take a look at all the goodies that can be gleaned from .json files.

What Is JSON?

For those of you who might not be familiar with JSON, here’s a quick overview:

JSON is the central antagonist of the Friday the 13th horror movie franchise from the second film onward, most notable for wearing a hockey mask and slaughtering teenagers; and also an acronym for JavaScript Object Notation. (JavaScript, as we all know, is an unusually-bloodthirsty high-level programming language.)

Put simply, JSON is an open-standard and language-independent text file format with notation designed to be “easy for humans to read and write” and “easy for machines to parse and generate.” In layman’s terms, JSON is designed to make it easy for humans to help machines do things for them quickly and with little effort.

JSON is very commonly used to communicate changes between mobile devices (or other computers) and servers. If you think about it, a really common task for smartphone applications is to query a server for some type of information, process that information, and then present it to the user. All of the changes made on the phone have to get back to the app’s server somehow, and JSON is a great way to make that happen.

If you look at a .json file, you won’t see anything complex. In fact, even if you’ve never heard of JSON schema or syntax before you started reading this article, you’ll find it startlingly easy to understand! That’s the beauty of it. JSON files hold structured data, often metadata, in a simply laid-out text format.

Most programming languages understand and process JSON natively since it uses many of the same conventions in its syntax. As you might imagine, it’s a handy data-interchange format for programmers, especially mobile app developers.

Using JSON schema, a mobile or desktop app can very efficiently comprehend data from other sources, such as Google Maps, Facebook, Facebook Messenger, Twitter, YouTube, WordPress, SQL databases, or any other external source it needs to function. Sweet! Right?

How is JSON Useful in Mobile Forensics?

As you can imagine, JSON has quite a lot of utility for programmers. In my experience though, it tends to be overlooked by forensic investigators. Most mobile forensics tools won’t seek it out or parse it, which means you’ll have to be proactive in your investigation if you want to reap its benefits.  Here are some of the ways .json files can help in your iOS- or Android-based mobile investigations if you take the time to seek them out.

Errors, Crashes, and Failures:

One very common use of the .json file in mobile forensics is to communicate information about errors, crashes, and failures of the app back to the server.  If you need to determine whether an app was in use at a particular date or time or whether there were problems with the application, these “crash” related .json files can be of great investigative value.

Configuration Files and Settings:

During a mobile forensic examination, when you need to answer questions about application settings or how a user has configured the application, you might naturally look to SQLite, .db, .xml, or .plist files for answers.

But don’t overlook .json files! Information including account numbers, usernames, passwords (sometimes in plain text!), email addresses, and other sweet treats can be found in .json files, as well!

In the example below from the Amazon app on a mobile phone, we can see just how easy user configuration information is to find… if, that is, we’re looking for it.

“account_information_json” file from the Amazon mobile app.
“GeoJSON” file from the Uber app.

Geolocation Information:

Mobile forensic tools have gotten a lot better at identifying and parsing location based data from various mobile applications.

Oftentimes, though, they can still miss a plethora of location treats that are nestled inside .json files. Our .json example on the left comes from the Uber app.

If geolocation data is important to your case, be sure to dig into the application folder for any app that might store location based information, and don’t overlook those .json files!

User-Generated Information:

If you’re looking to recreate user in-app activities, .json files may hold the specific answers you’re looking for.

Once you’ve searched through SQLite database files and other data sources on the device, if you’re still looking for answers, check those .json files!

Our example here comes from the Nordstrom shopping app, but many other applications use .json files for storing historical information about the user’s browsing activity.

By reviewing the various entries within the “recentlyViewed.json” file, you can recreate each specific item the phone’s user viewed.

When you look for JSON, you start seeing it everywhere.  Some applications are extremely JSON dependent, to the point that almost all of the data stored by the app is stored as .json files.  One example of this is the extremely popular productivity application “Wunderlist.”

In Wunderlist mobile, nearly all user-created entries, including contacts, notes, lists, etc., are stored in .json files within the application. If your forensic tool doesn’t see and parse this user data dressed up in .json costume, you might be missing a whole lot of important information!

“recentlyViewed.json” file from the Nordstrom shopping app.
A screenshot showing just some of the many, many .json files hiding in the Wunderlist Mobile app.
“note-##########.json” file from the Wunderlist Mobile app.

In-App Interactions and Communications:

JSON is often used to manage communications that are initiated from within an app. If you dig into .json files, you may find the content of entire messages depending on how the app handles this data.  But .json files can contain some other important clues to communications, too.

For instance, if a phone’s user makes a phone call or video call from within Facebook Messenger to another Facebook contact, that activity often won’t show up in the call history database.

Instead, it will be documented within a .json file with a file name that starts with “batch-1540930891” (where “1540930891” is the date and time of the communication as a Unix timestamp).

The .json files used within the Facebook app are often a little more complex in their data formatting.  They will include references back to various SQLite database tables and entries also stored within the app’s directory.

But if you take the time to work through the JSON notation within these .json files, you will be rewarded with a step-by-step record of the in-app activities. Invariably, the level of detail you are able to glean through this kind of examination gives a great deal more information than what is automatically parsed by mobile forensic tools.

Now You See Them… Now You Don’t:

If you’ve read this blog post and are all psyched up to dig into JSON in your next forensic examination, here are a few words of caution: You may see a whole lot of empty and deleted .json files and feel upset because they no longer contain the sweet data goodies I’ve mentioned in this post.

This is because application developers like to do nice, neat work.  Once the .json file has done its work of communicating the change in the state of the app back to the server, the .json file can be cleaned up and may just *poof!* disappear.

Artifacts left by JSON can be ephemeral (even ghostly) in nature, so don’t be surprised if these sweet treats aren’t consistent in how and when they make an appearance in your evidence. In my personal experience though, if a phone is broken or damaged during use you will tend to see more .json files that haven’t had a chance to be cleaned up before disaster struck.
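As an added example (not the post’s or Tetra Defense’s own tooling), here is a small Python triage script that does by machine what the sections above suggest doing by hand: it walks an extracted app directory, parses every .json file, pulls Unix timestamps out of file names such as batch-1540930891.json and out of values, flags account and credential keys, picks up GeoJSON Point coordinates, and reports emptied or truncated files rather than crashing on them. The key names, file names and directory contents are constructed samples, not real app data.

```python
import json, os, re, tempfile
from datetime import datetime, timezone

EPOCH_RE = re.compile(r"(?<!\d)(1[0-9]{9})(?!\d)")  # 10-digit Unix seconds (2001..2286)
SENSITIVE = ("username", "password", "email", "account", "token")  # assumed key fragments

def epoch_to_iso(ts):
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()

def walk(node, path, out):
    """Recursively scan a parsed JSON tree for timestamps, credentials and coordinates."""
    if isinstance(node, dict):
        if node.get("type") == "Point" and isinstance(node.get("coordinates"), list):
            # GeoJSON order is [longitude, latitude]; report as (lat, lon)
            out["locations"].append((path, node["coordinates"][1], node["coordinates"][0]))
        for k, v in node.items():
            if any(s in k.lower() for s in SENSITIVE) and isinstance(v, (str, int)):
                out["sensitive"].append((f"{path}/{k}", v))
            walk(v, f"{path}/{k}", out)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            walk(v, f"{path}[{i}]", out)
    elif isinstance(node, int) and EPOCH_RE.fullmatch(str(node)):
        out["timestamps"].append((path, epoch_to_iso(node)))

def triage(root):
    out = {"timestamps": [], "sensitive": [], "locations": [], "unreadable": []}
    for d, _, files in os.walk(root):
        for name in sorted(f for f in files if f.lower().endswith(".json")):
            full = os.path.join(d, name)
            for ts in EPOCH_RE.findall(name):           # e.g. batch-1540930891.json
                out["timestamps"].append((full, epoch_to_iso(ts)))
            try:
                with open(full, encoding="utf-8") as fh:
                    walk(json.load(fh), full, out)
            except (json.JSONDecodeError, UnicodeDecodeError) as e:
                out["unreadable"].append((full, type(e).__name__))  # emptied or truncated file
    return out

def build_sample_dir():
    """Write a constructed sample app directory (not real app data) and return its path."""
    root = tempfile.mkdtemp()
    samples = {
        "account_information.json": '{"username": "shopper42", "email": "s@example.com", "last_login": 1540930891}',
        "geo.json": '{"type": "Feature", "geometry": {"type": "Point", "coordinates": [-89.4, 43.07]}}',
        "batch-1540930891.json": '[{"event": "video_call", "duration_s": 42}]',
        "cleaned.json": "",                             # file emptied after sync
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point triage() at an app’s extracted data directory; the "unreadable" list is where the cleaned-up files described above show up.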

As you can now see, the potential for .json files to provide data you won’t find elsewhere in your Android and iOS forensics investigations shouldn’t be overlooked. Remember, just like when you’re out trick-or-treating, the house you skip might just be the one that gives you the biggest candy bars.

Stay tuned for the next installment of “My Favorite Artifacts.” Next month’s subject will definitely be one you’ll be thankful for!
