What forensic techniques and artifacts reveal which sites a user has Fireproofed in the DuckDuckGo mobile app?

1. Where to look: on‑device directories and known files

A practical starting point in Android examinations is the DuckDuckGo application data directory — typically /data/data/com.duckduckgo.mobile.android — which contains subdirectories and an SQLite database (databases/app.db) recording bookmarks, tabs, sites visited and app usage useful to investigators ^[1]. In addition, the app’s WebView storage holds a Chromium-style Cookies database at app_webview/Default/Cookies that persists cookie records ^{[2] [1]}. DuckDuckGo Help confirms that Fireproofing preserves some first‑party cookies and storage that the Fire Button would otherwise remove, pointing examiners toward cookie and storage artifacts as the likely evidence ^[3].

2. Which artifacts actually indicate a site was fireproofed

Public technical testing shows that cookies are the primary artifact left intact for Fireproof Sites: investigators can find cookie rows with domain names, creation and last‑access timestamps and values in the Cookies SQLite file, and these entries are expected for fireproofed domains because DuckDuckGo deliberately preserves first‑party cookies for those sites ^{[2] [3]}. The app.db tables for sites visited, tabs and bookmarks can corroborate that the user interacted with a domain around the same times cookies were created or accessed, strengthening the inference that an entry was fireproofed rather than transient ^[1].

3. Forensic techniques: extraction, parsing and correlation

Typical methods are physical or logical acquisition of the /data/data/com.duckduckgo.mobile.android tree (emulator testing often used in research) followed by parsing of app.db with SQLite tools and carving the WebView Cookies DB with Chromium cookie parsers to extract timestamps and domain names ^[1]. Correlation is crucial: match cookie domain entries and their last access/creation times against the app.db's sites‑visited or tabs tables to infer persistence across Fire Button events; forensic scripts or parsers (for example, community tools referenced in research) can automate extraction and timeline building ^{[1] [2]}.

4. Limits, ambiguities and alternative explanations

The available reporting does not document a single explicit "fireproof sites" table or JSON file exposed in the app’s storage, so any assertion that a domain was explicitly fireproofed depends on indirect evidence — persistent first‑party cookies plus corroborating app metadata — not on a labeled flag recoverable in every case ^{[2] [1]}. DuckDuckGo’s privacy posture and the Fire Button’s design intentionally minimize traces, so examiners must weigh alternative explanations (cookies left by other browsers or services, synchronized backups, or sites that simply set long‑lived cookies) and consider device‑level artifacts and sync settings before concluding a site was fireproofed ^{[3] [4]}.

5. Practical guidance for examiners and caveats about interpretation

Examiners should capture the app filesystem, export databases/app.db and app_webview/Default/Cookies, parse cookie metadata (creation and last access times), and correlate those with app.db site/tabs entries and system timestamps to build a timeline; use emulator tests to reproduce app behavior under controlled Fire Button and Fireproof workflows to validate inferences ^{[1] [2]}. Report findings with caution: publicly available analyses indicate cookies are the strongest direct artifact for fireproof sites, but there is no definitive public evidence of a dedicated labeled fireproof list in storage, so conclusions must be framed as probabilistic and supported by multi‑artifact correlation ^{[2] [3]}.