Summer 2022
by Alexia Bowie
Introduction
During the summer of 2022, the Mobile Forensics team at the Leahy Center for Digital Investigations & Cybersecurity (LCDI) decided to choose three different phone applications to investigate with the aim of analyzing any artifacts that could possibly be extracted from Android devices. In a virtual working environment provided by the LCDI, our team used various forensic tools such as DB Browser for SQLite, Android Studio, and Android Debug Bridge to help with the investigation of the selected applications.
Initial Research
Before starting my part of the project, I was tasked with looking over an excellent academic paper (Forensic Analysis of the Bumble Dating App for Android) in order to begin our team’s research into the topic. In this paper, I observed that the investigators used various forensic tools and procedures to obtain information about possible artifacts that can be useful to forensic analysts. From this, I had an idea of how to go about my own research and how to report it. I was also responsible for familiarizing myself with SQLite, the database file format in which the artifacts I would be investigating are stored and which is queried with SQL.
Prep
To prepare for our project, we needed to choose Android applications to base our investigation on. Each team member chose a different app, mine being Kik Messenger, and started to brainstorm questions we wanted answers to: “What kind of information does Kik store in its databases about its users? What can be seen from an investigative stance about Kik’s users?” These are the questions I wanted answers to, and I began my investigation based on them.
My supervisor introduced me to some of the applications I would need to use for the project: Android Studio, DB Browser for SQLite and the Android Debug Bridge (ADB). Android Studio is the development environment for Android applications; it can also create and run virtual Android systems called Android Virtual Devices (AVDs). ADB is a command-line tool for communicating between a computer and an Android device, in my case the AVD. Lastly, DB Browser for SQLite is an open-source tool for viewing, creating, and editing SQLite database files.
Getting Started
As stated before, I decided to investigate Kik Messenger. Kik Messenger is a mobile messaging app where users can talk to people around the world for free. It allows users to send photos and audio messages, join public messaging groups, and more. Kik requires new users to create an account using their email address, first and last name, and date of birth. Optionally, users can set a profile photo and link their phone number to the account they created.
The goal was to understand how databases store user data and what information can be useful to forensic investigators.
To begin, I opened Android Studio to create a virtual smartphone in the virtual environment (also called a virtual machine). The phone I created was an LG Nexus 4 running Android 9.0 (Pie), API level 28. I configured the Nexus 4 AVD to simulate a rooted phone so that I would have extended privileges over its contents, including app data directories that are normally inaccessible. I had trouble getting virtualization started, but with help from the Leahy Center support team this was resolved.
Conduction
After the rocky start, I used the ADB command-line tool to install an Android application onto my virtual machine. I started with a notepad application to test the machine’s responsiveness, and it took less than ten minutes to download and install. I then assumed Kik Messenger would also be a swift install, but it oddly took over 20 minutes.
Once the application was on my virtual smartphone, I opened the app and logged into my prior-made Kik account. I did some basic data-generation, such as starting a conversation with a person on the app’s contact list, as well as attempting to join community groups.
This data generation was enough to give DB Browser something to pull from the Kik databases. I used Android Studio to extract files from Kik’s data directory and opened them in DB Browser to view the content. I extracted 17 different databases from Kik, though after viewing them, only a handful seemed relevant to the project’s goals. In one of the databases, I saw all of the user’s (my own) contacts. This contact list showed information such as whether the user had blocked or muted another user, the unique user identifier that Kik uses internally in its databases, and the username of each profile.
In other database files, I found the usernames of the people that I, the user, had come in contact with and conversed with, as well as the searches the user had made.
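The pull-then-inspect workflow above, as an added Python example that is not part of the LCDI project’s own tooling: it hashes the pulled file, opens it read-only, enumerates tables with row counts, and keyword-searches every column, which is how an analyst triages a database whose schema is unknown. The app package path and the sample contacts schema are assumptions (constructed for illustration, not Kik’s actual layout).

```python
"""Triage a SQLite database pulled from an Android app's data directory.
Added example, not the LCDI team's tooling: assumes the DB was already pulled
(e.g. adb root; adb pull /data/data/<app.package>/databases/ ./pulled/, with
<app.package> a placeholder) and uses a CONSTRUCTED schema, not Kik's real one."""
import hashlib
import os
import sqlite3

RO = "file:{}?mode=ro"  # read-only URI: inspecting evidence must never modify it

def build_sample_db(path):
    """Write a constructed contacts-style DB resembling what the write-up describes."""
    if os.path.exists(path): os.remove(path)
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE contacts (uid TEXT, username TEXT, blocked INTEGER, muted INTEGER);
        INSERT INTO contacts VALUES ('u_0001', 'alice_example', 0, 1),
                                    ('u_0002', 'bob_example', 1, 0);
        CREATE TABLE searches (query TEXT, ts INTEGER);
        INSERT INTO searches VALUES ('bob_example', 1656000000);""")
    con.commit()
    con.close()

def sha256_of(path):
    """Hash the evidence file before opening it so its integrity can be documented."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def list_tables(path):
    """Return {table_name: row_count} for every user table (skips sqlite_* internals)."""
    con = sqlite3.connect(RO.format(path), uri=True)
    names = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    counts = {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    con.close()
    return counts

def find_text(path, needle):
    """Search every column of every table for needle; returns (table, column, value).
    Useful when the schema is unknown. SQLite LIKE is ASCII case-insensitive."""
    con = sqlite3.connect(RO.format(path), uri=True)
    hits = []
    for table in list_tables(path):
        for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
            rows = con.execute(f'SELECT "{col}" FROM "{table}" '
                               f'WHERE CAST("{col}" AS TEXT) LIKE ?', (f"%{needle}%",))
            hits += [(table, col, str(r[0])) for r in rows]
    con.close()
    return hits
```

Run `build_sample_db("sample.db")` once, then `list_tables` and `find_text` on the same path; against a real pulled database, skip the build step and record the hash first.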
Conclusion
From this project, I’ve concluded that Kik doesn’t store any messages between users. Rather, it stores unique identifiers for its media. Although it doesn’t store particularly vital information for investigators, it does store whether the user blocked another user, came in contact with another user, and what public groups the user was interested in joining, all of which could conceivably be used in a creative way to be admissible in court.
Written by Alexia Bowie // Mobile Forensics Assistant