Mobile Device Apps forensics
Updates and Moving Forward:
In the second semester of Mobile Device Apps Forensics we are planning on adding two new apps to our research: Kik and GroupMe. In addition to these two new apps, we would still like to research WhatsApp and dig deeper into our research on Cyber Dust & Wickr.
kik: A first Look
We have already started our research into kik and have been able to find some great artifacts. We generated data on both Android and iOS and then imaged the devices using Cellebrite UFED Touch. During data generation, we sent messages back and forth between the two devices and used some kik specific messaging features like memes and sketches.
iOS Artifacts:
A lot of the relevant information that we found from kik was within: Com.kik.chat\kik.sqlite . We loaded kik.sqlite into SqliteBrowser and went into the “ZKIKMESSAGE” table. In that table we found relevant information like the time messages were sent, the time they were received and what the messages said:
The message timestamps are stored in EPOCH. There are also some messages that have “[]”, these “[]” are stored in place of an emoji. There are also some message fields that are blank, this is because no text was actually ever sent, and instead it was a picture message. For some reason, one of the messages above says “c4df6a8f-e180-4d99-a4ed-f8a45ddda87b” which was a picture that was received and wasn’t an actual text message. We aren’t sure why this message is different than the others, but we have a possible explanation. The reason this field had “c4df6a8f-e180-4d99-a4ed-f8a45ddda87b” instead of being blank is because this picture message was sent by using the camera app on the phone, whereas the other pictures were sent directly through kik using their built in meme and sketch functions.
Although the fields may be blank, it is still possible to find what images were sent. iOS stores the attachments sent through kik in: Com.kik.chat\Documents\attachments within that folder files are created:
These files are the memes and sketches sent and received within kik that aren’t represented in “ZKIKMESSAGE”.
Android:
A lot of the relevant information that we found from kik was within: Kik.android\db\kikDatabase.db We loaded kikDatabase.db into SqliteBrowser and went into the “messagesTable” table. In that table we found relevant information like the time messages were sent, what the messages said, and who sent them:
The Android database file is a bit different than iOS. In Android we were able to see who sent what message, but other than that, the same information is represented. As with iOS, the picture messages are not represented in the database file. However, the pictures sent through kik can still be found by going to Kik.android\f\staging\thumbs:
Conclusion:
We have been able to find some nice artifacts with kik thus far, however there are still a few more things that we would like to look into before moving on. After kik we are going to focus on the app WhatsApp.