Welcome to Scribd. Sign in or start your free trial to enjoy unlimited e-books, audiobooks & documents.Find out more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Artefacts of Kik Messenger on iOS

Artefacts of Kik Messenger on iOS



|Views: 4,924|Likes:
Published by bridgeythegeek
*WORK IN PROGRESS* This document describes some of the key artefacts of Kik Messenger when used on iOS. It aims to identify artefacts not extracted by commonly used commercial tools.
*WORK IN PROGRESS* This document describes some of the key artefacts of Kik Messenger when used on iOS. It aims to identify artefacts not extracted by commonly used commercial tools.

More info:

Categories:Types, Research
Published by: bridgeythegeek on Jun 02, 2013
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as ODT, PDF, TXT or read online from Scribd
See more
See less





Artefacts of Kik Messenger on iOS
Saturday, 25
May 2013Bridgey the Geek <forensicgeekinthecorner@gmail.com>
This document describes some of the key artefacts of Kik Messenger when used on iOS. It aims to identify artefactsnot extracted by commonly used commercial tools. I have tried hard to make it error-free, but the odd one may havecrept in. Please feel free to email me corrections.
Thank You
A big thank you to my colleague BW who brought this interesting topic to my attention (and politely allowed me takeover), and to my colleague SC who provided much needed assistance on the effective use of XRY.
Tools Used
Windows was the OS of choice as it is required for the commercial tools used, specifically I used Windows 7Professional 64-bit. As always, please respect their licences.
Commercial Tools
Tool Available From
Open-Source and/or Free Tools
Tool Available From
BlueStacks App Playerhttp://www.bluestacks.com/ SQLite Expert Personalhttp://www.sqliteexpert.com/ SQLite Pre-compiled Binary for Windowshttp://www.sqlite.org/
The Scenario
BW was investigating a case where image files had been sent from one Kik user to another Kik user as part of aconversation. He had the device used by one of the parties and wanted to identify the other party. The device he wasinvestigating was an iPod Touch 4G (model A1367) running iOS 6.1 (10B144), with a capacity of 16GB, and not jailbroken.BW had tried to acquire a physical dump of the device using UFED Physical Analyzer, but at the time, this model wasnot supported. He had also tried using XRY to take a physical dump and a logical dump using a RAM disk: these alsofailed, the errors indicate that the device wasn't supported by this product either. He was able to use XRY to take abackup of the device. XRY didn't parse any Kik Messenger data out, that is, no data was identified as being chat,contacts, etc.
Exploring the iPod Backup
Using XRY, from the 'Export' ribbon, I chose 'File' and extracted 'All Views' ensuring I had checked 'Reflect originalpath' and 'Use common root'. This gave me a local working copy of the iPod file system, maintaining the folderstructure.
General Preferences
It's work taking a quick look at
. It's a binary plist file that contains a few App-wide settings, mostnotably the username, password (in plain text), first name, last name, phone number, email address, and install date(which is 31 years behind, more on that later).
The TCC Database
When exploring an app on iOS it's always worth a quick check of the TCC database. Located at
, this database is used to control what permissions apps have.(Some more info here: http://macops.ca/modifying-the-tcc-db/.)
C:\tools>sqlite.exe TCC.dbsqlite> .tablesaccess access_overrides access_times adminsqlite> .headers ONsqlite> SELECT * FROM access;
This tells us that the client com.kik.chat is allowed to access to the address book service and the photos service.
Further testing has shown that the TCC folder and therefore the TCC.db file don't seem to be created until theuser is asked to grant (or deny) permissions to an app.
The AddressBook and Photos Services
If you didn't already know, you could probably guess that an app with permission to access the Address Book can dowhatever it likes with the local Address Book: create, edit, and registering to be notified of changes made externally.(More info:http://developer.apple.com/library/ios/#documentation/AddressBook/Reference/ABAddressBookRef_iPhoneOS/Reference/reference.html)Similarly, permission to access the Photos service allows an app to take pictures or movies, or select them via themedia browser. (More info:https://developer.apple.com/LIBRARY/IOS/#documentation/AudioVideo/Conceptual/CameraAndPhotoLib_TopicsForIOS/Introduction/Introduction.html)It is perfectly logical that Kik would want these permissions: it wants to know which contacts you might be talkingwith and it wants to allow you to send photos or videos.But back to the tables...
service client client_type allowed prompt_count
kTCCServiceTwitter com.apple.mobileslideshow 0 0 1kTCCServicePhotos com.facebook.Facebook 0 1 0kTCCServiceAddressBook com.skype.skype 0 1 0kTCCServicePhotos com.burbn.instagram 0 1 0kTCCServiceAddressBook com.flexilis.security 0 1 0kTCCServicePhotos com.tumblr.tumblr 0 1 0
kTCCServiceAddressBook com.kik.chat 0 1 0kTCCServicePhotos com.kik.chat 0 1 0kTCCServicePhotos com.atebits.Tweetie2 0 1 0kTCCServicePhotos com.skype.skype 0 1 0kTCCServicePhotos com.microsoft.wlx 0 1 0kTCCServicePhotos com.cardinalblue.PicCollage 0 1 0kTCCServicePhotos co.uk.barterbooks.keepcalmandcarryon 0 1 0kTCCServiceTwitter com.atebits.Tweetie2 0 0 1kTCCServicePhotos com.jollydream.camwow 0 1 0
sqlite>SELECT * FROM access_times;
I added the human_time column!I'm sure you spotted that last_used_time is just a Unix timestamp. This tells us thelast time that Kik made use of the address book and photos services.For completeness, the access_overrides table was empty and the admin table just contained a key/value pair: version= 4.
The Big Horde
As one might expect, the significant data for the app is located in the Applications folder, specifically
. The folder structure of this folder looks like this:Essentially the data for the app is contained within a serious of plist and xml files and one SQLite file. The SQLitefile contains the data which combines everything together and can be found at:
service client client_type last_used_time human_time
kTCCServicePhotos com.globaldelight.Camera-Plus 0 1349543933 06/10/12 17:18:53kTCCServiceAddressBook com.flexilis.security 0 1356472631 25/12/12 21:57:11kTCCServiceAddressBook com.kik.chat 0 1356904665 30/12/12 21:57:45kTCCServicePhotos com.microsoft.wlx 0 1357001154 01/01/13 00:45:54kTCCServicePhotos co.uk.barterbooks.keepcalmandcarryon 0 1357087473 02/01/13 00:44:33kTCCServicePhotos com.burbn.instagram 0 1357167404 02/01/13 22:56:44kTCCServicePhotos com.cardinalblue.PicCollage 0 1357521613 07/01/13 01:20:13kTCCServicePhotos com.atebits.Tweetie2 0 1357936407 11/01/13 20:33:27kTCCServicePhotos com.jollydream.camwow 0 1360791755 13/02/13 21:42:35kTCCServicePhotos com.apptao.retinawallpapers 0 1360958014 15/02/13 19:53:34kTCCServicePhotos IncredibleApp.Wallpapers 0 1361280894 19/02/13 13:34:54kTCCServicePhotos com.ticktockapps.wallhd-10000 0 1361281000 19/02/13 13:36:40kTCCServicePhotos com.bootstlab.PhotoEditorFX 0 1361306949 19/02/13 20:49:09kTCCServicePhotos com.kik.chat 0 1361636603 23/02/13 16:23:23kTCCServicePhotos com.tumblr.tumblr 0 1361743413 24/02/13 22:03:33kTCCServicePhotos com.skype.skype 0 1361746592 24/02/13 22:56:32kTCCServiceAddressBook com.skype.skype 0 1361814217 25/02/13 17:43:37kTCCServicePhotos com.facebook.Facebook 0 1361814714 25/02/13 17:51:54

Activity (3)

You've already reviewed this. Edit your review.
scott maffioli liked this
1 thousand reads
1 hundred reads

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->