What is Samsung Rubin?

Samsung Rubin is the customization service available on newer Samsung devices. It can log valuable data that can be lawfully accessed using a mobile device forensic tool during a digital investigation. There are many ways to activate this service. The primary way to enable customization is to go to Settings > General Management > Customization Services. Other ways to enable the service may include enabling it during the creation of a Samsung account on the device by going into Privacy settings or the Digital Wellbeing settings. A user can select the customizations they want to include. You may find that some users enable these customization services by accident and are not aware of the logs keeping tabs on the device. Keep in mind that these settings will impact what Physical Analyzer can parse, assuming the proper full file system extraction has been leveraged.

Why would a user enable customization?

The following are the benefits of customization a user will see on their device:
  • Personalized content based on device usage
  • Direct marketing based on your interests
  • Customized ads
  • The ability to locate your device should it go offline
While some of the above may seem insignificant, customized ads increase the quality of engagement for many users. Many of us want more relevant, targeted ads so that we can shop efficiently. The last bullet above is generally important to many users and can ease the process of locating their device if it is lost or stolen. The ability to locate a device via the Samsung account is likely tied to the “Find my Mobile” function and may encourage a user to enable further customizations.

Data that can be collected when this service is enabled:
  • Device Connectivity, such as WiFi
  • Samsung Browser searches
  • Samsung Browser history
  • Location information
  • And more

How can this data be leveraged using an Android Mobile Device Forensic Tool?

For the digital examiner, the data collected from a Samsung customized service can produce a wealth of evidence from charging states to application usage data. For those familiar with iOS forensic examinations, Samsung Rubin is the closest thing that we have to the KnowledgeC database, acting as the tracker of truth. Questions that could be answered include:
  • What was the user doing in Samsung browser?
  • Was the device on or off?
  • Was WiFi in use?
  • Where was the device when an activity occurred?
Location information on an Android device can be challenging to interpret during a digital investigation. Heather exposed these challenges and unpacked the appropriate investigative solutions in the Cellebrite community series I Beg to DFIR, Episode 15, where Android device locations were discussed. Keep in mind that this webinar was conducted before Samsung Rubin locations were supported for parsing, so they are not explored in it.

Before we dig into the data, let's talk about how to get access to it. The application itself, com.samsung.rubin, does get extracted as part of a Full File System extraction or Physical extraction. It does NOT get extracted in an advanced logical extraction or a backup.

Diving into Samsung Rubin Digital Artifacts

There are two key files of interest discussed in this blog. The first is /data/data/com.samsung.rubin.app/databases/inferenceengine_logging.db. View the screenshots below for reference:
  • Application usage
  • Charging state
  • Device events
    • Location services on/off
    • Ringer state
    • Display on/off
    • Many more
  • Location data
  • Media Categorizations (Samsung Native)
    • Details are in the File Info – showing the categories
  • Motion log
    • Vehicle moving/stationary
  • Samsung browser search query
  • WiFi connections
  • Bluetooth Connections – from the all_bluetooth_log table
The second file is located at: /data/data/com.samsung.rubin.app/databases/inferenceengine_monitoring.db. The table analyzed_place_monitor displays the user’s main frequented locations (home, work, etc.) and their coordinates in terms of latitude/longitude. The value inside the place_id column is then used in other tables in the inferenceengine_logging.db to identify the coordinates. For instance, the wifi_log table contains additional artifacts.
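The place_id lookup described above, as an added example that is not from the original post or from any Cellebrite tool: it attaches working copies of both databases read-only and resolves each wifi_log row to coordinates from analyzed_place_monitor. Only the file names, the two table names and place_id come from the article; every other column name and all sample rows are constructed assumptions, so the code checks the schema before running the join.

```python
import sqlite3
import tempfile
from pathlib import Path

def build_sample(folder):
    """Constructed stand-ins for the two databases. Only the file names, table
    names and place_id come from the article; other columns are assumptions."""
    log, mon = (Path(folder) / f"inferenceengine_{n}.db" for n in ("logging", "monitoring"))
    db = sqlite3.connect(mon)
    db.execute("CREATE TABLE analyzed_place_monitor"
               " (place_id INTEGER, category TEXT, latitude REAL, longitude REAL)")
    db.executemany("INSERT INTO analyzed_place_monitor VALUES (?,?,?,?)",
                   [(1, "HOME", 40.0, -75.0), (2, "WORK", 40.1, -75.2)])
    db.commit(); db.close()
    db = sqlite3.connect(log)
    db.execute("CREATE TABLE wifi_log (timestamp INTEGER, ssid TEXT, place_id INTEGER)")
    db.executemany("INSERT INTO wifi_log VALUES (?,?,?)",
                   [(1700000000000, "HomeNet", 1), (1700030000000, "OfficeNet", 2),
                    (1700050000000, "CafeNet", 9)])  # place_id 9 has no place row
    db.commit(); db.close()
    return log, mon

def resolve_wifi_places(log_path, mon_path):
    """Attach both working copies read-only and resolve wifi_log.place_id to coordinates."""
    ro = lambda p: Path(p).resolve().as_uri() + "?mode=ro"
    db = sqlite3.connect(ro(log_path), uri=True)
    try:
        db.execute("ATTACH DATABASE ? AS mon", (ro(mon_path),))
        # Check the assumed columns exist before trusting the join.
        cols = {r[1] for r in db.execute("PRAGMA mon.table_info(analyzed_place_monitor)")}
        missing = {"place_id", "latitude", "longitude"} - cols
        if missing:
            raise ValueError(f"unexpected schema, missing columns: {sorted(missing)}")
        # LEFT JOIN keeps Wi-Fi events whose place_id has no analyzed place.
        return db.execute(
            "SELECT w.timestamp, w.ssid, w.place_id, p.category, p.latitude, p.longitude"
            " FROM wifi_log AS w"
            " LEFT JOIN mon.analyzed_place_monitor AS p ON p.place_id = w.place_id"
            " ORDER BY w.timestamp").fetchall()
    finally:
        db.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in resolve_wifi_places(*build_sample(tmp)):
            print(row)
```

Rows that come back with empty coordinates are Wi-Fi events whose place_id has no entry in analyzed_place_monitor; they are kept in the output rather than silently dropped.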

Top things to remember about Samsung Rubin:

  1. The data will not exist forever – The data in the database will typically last for only 30 days.
  2. Location artifacts from Samsung Rubin are locations the device visited.
  3. A Full File System or Physical extraction is required to parse Samsung Rubin.
As you can see there is a lot of relevant data that can be used to accelerate your digital investigations. This is just the start of the forensics research into this topic. We will continue to provide updates as they become available. Look for it in the Notebook and in future webinars. As always, our goal is to educate you on digital artifacts and how to parse them to make your digital forensics examination experience more efficient with better results.

Additional Resources:

Tip Tues – https://cellebrite.com/en/how-to-use-samsung-rubin-in-cellebrite-physical-analyzer-for-mobile-device-forensics/
Blog – https://cellebrite.com/en/physical-analyzer-7-58-updated-android-artifacts-and-support/