Protocol buffers, or protobufs, were created by Google as a way to serialize structured data for communication between systems, and they are starting to pop up all over our mobile device images [1]. They are a more efficient equivalent to XML and JSON, and they are operating system and language neutral, which means we will likely see them on any of the operating systems we encounter.
When it comes to parsing these files, it’s hit or miss: some of the important artifacts, like the GeoHistory.mapsdata plist file from an iOS device, were correctly interpreted, but many others in this format are not. Forensic utilities are increasingly adding support file by file, but every application that uses protobufs, native or third-party, has its own way of structuring the data, so what works to interpret the residual data will vary from one application to the next. The structure is defined in a .proto file, but unfortunately that file does not get stored on the device, so interpreting the structure becomes a manual process.
While it is possible to carve the ASCII strings from a protobuf file, Google’s protobuf compiler, the protoc binary, can be used to decode raw protobuf files without a .proto file and make them slightly easier to interpret [2]. Two examples are shown above, one from an Android device and another from an iOS device.
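To show what protoc is doing when it decodes a raw file, here is an added example (not from the original page, and not protoc’s own code) that walks the protobuf wire format without a .proto file: it reads each field key, splits it into field number and wire type, and, like protoc, guesses whether a length-delimited field is a nested message, text, or raw bytes. The sample bytes are hand-constructed, not taken from a device.

```python
def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + n], pos + n

def decode_raw(buf):
    """Walk the wire format without a .proto file: [(field, wire_type, value)].
    Length-delimited fields are tried as a nested message, then UTF-8 text, then
    raw bytes; as with protoc --decode_raw this is a guess, not ground truth."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wtype = key >> 3, key & 0x07       # key = (field << 3) | wire_type
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == 0:                                  # varint
            value, pos = read_varint(buf, pos)
        elif wtype in (1, 5):                           # fixed64 / fixed32
            raw, pos = take(buf, pos, 8 if wtype == 1 else 4)
            value = int.from_bytes(raw, "little")
        elif wtype == 2:                                # length-delimited
            length, pos = read_varint(buf, pos)
            chunk, pos = take(buf, pos, length)
            try:
                value = decode_raw(chunk)
            except ValueError:
                try:
                    value = chunk.decode("utf-8")
                except UnicodeDecodeError:
                    value = chunk
        else:                                           # groups and reserved types
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((field, wtype, value))
    return fields

# Constructed sample (hand-encoded, not from a device): 1: varint 150, 2: "Cafe", 3: {1: 7, 2: "NYC"}
SAMPLE = bytes.fromhex("08 96 01 12 04 43 61 66 65 1a 07 08 07 12 03 4e 59 43")
```

Because field names and types live only in the missing .proto file, the output shows field numbers and wire types; mapping them to meaning (timestamp, coordinate, label) is the manual step the text describes.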
References:
[1] https://for585.com/protobuf
[2] https://for585.com/protobufparse