Artifacts for ChatHour (Android)
I'm working on an Android tablet case and slowly scrolling through the application folders. The usual thousands of com.android.blah_blah ... just keep scrolling. Then I saw it: a name I'd not seen before. Even more important, this is a case involving "messaging".
com.chathour.android
The game's afoot!
Browse For Data
The next step in my process is to start browsing files and folders for recognizable data names. The fun is just beginning when you see the familiar db folder and file(s) inside with the .db extension.
com.chathour.android/db/chathour.db
But don't stop there. It's always a good choice to check all the other files and folders because you just never know. Sure enough, another folder sp contained .xml files with more useful information.
com.chathour.android/sp/admob.xml
com.chathour.android/sp/chathour_pref.xml
When dealing with an app that you've never seen before, don't stop at the first sign of data. Keep digging.
Research the User Interface
It feels like I keep writing this in every blog, but it really is important to understand how the app works, looks and feels to the end user. Without this general understanding, you could easily misinterpret the parsed data.
Review of ChatHour Computer and Mobile App
This site shows screenshots from the actual web and mobile app and describes how it functions for the end user.
The Easier Stuff First (XML)
XML files are easily viewed in most browsers or text editors. I've become a big fan of Code Writer from the MS Store. The point is, these files can be exported from your forensic tool of choice and opened for review.
ADMOB XML File Data
The admob.xml file contains a few date/time related and other general settings for the app.
    <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <map>
        <long name="first_ad_req_time_ms" value="1510851364197" />
        <int name="request_in_session_count" value="0" />
        <long name="app_settings_last_update_ms" value="1485436274422" />
        <boolean name="auto_collect_location" value="true" />
        <boolean name="content_url_opted_out" value="true" />
        <boolean name="use_https" value="false" />
        <string name="app_settings_json">{"status":1,"app_id":"ca-app-pub-8857310711809123~7339277565","auto_collect_location":false,"ad_unit_id_settings":[{"ad_unit_id":"ca-app-pub-8857310711809123/8816010767","format":"banner"}]}</string>
        <long name="app_last_background_time_ms" value="1510851497240" />
    </map>
A few things I noticed:
"use_https" is false
"auto_collect_location" is true (the boolean in the map), while the app_settings_json string in the same file carries "auto_collect_location":false. The two values disagree, so record both rather than reporting a single "location collection" setting for the app.
I could not find any location information in the XMLs or SQLite databases.
Date Values
The date/time values are all in UNIX milliseconds (the "_ms" suffix on the names confirms it). A program like DCode can be used to convert them to human readable form. To report on the last time the application settings were updated, convert 1485436274422 to local date and time; that value is 2017-01-26 13:11:14 UTC, and the local time depends on the time zone you apply. The remaining dates and times can be converted in the same manner.
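The same conversion can be scripted instead of pasted into DCode one value at a time. The block below is an added example, not code from the original post; it parses a shared_prefs XML file with the layout shown above (the sample is the admob.xml content copied from the post, embedded so the script runs offline), converts every "_ms" long to UTC with integer arithmetic so no millisecond is lost to float rounding, decodes the embedded JSON string, and flags the auto_collect_location disagreement between the map boolean and the JSON. The function names are mine.

```python
"""Parse an Android shared_prefs XML file and convert its UNIX-ms values.

Added example for the post above, not ChatHour's or the author's code.
Sample input is the admob.xml content reproduced from the post.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample: admob.xml exactly as shown in the post.
ADMOB_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<long name="first_ad_req_time_ms" value="1510851364197" />
<int name="request_in_session_count" value="0" />
<long name="app_settings_last_update_ms" value="1485436274422" />
<boolean name="auto_collect_location" value="true" />
<boolean name="content_url_opted_out" value="true" />
<boolean name="use_https" value="false" />
<string name="app_settings_json">{"status":1,"app_id":"ca-app-pub-8857310711809123~7339277565","auto_collect_location":false,"ad_unit_id_settings":[{"ad_unit_id":"ca-app-pub-8857310711809123/8816010767","format":"banner"}]}</string>
<long name="app_last_background_time_ms" value="1510851497240" />
</map>"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ms_to_utc(ms):
    """UNIX milliseconds -> 'YYYY-MM-DD HH:MM:SS.mmm UTC'.

    timedelta keeps the milliseconds exact; dividing by 1000.0 and using
    fromtimestamp() can produce .421999 style artefacts in reports.
    """
    stamp = EPOCH + timedelta(milliseconds=int(ms))
    return stamp.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + " UTC"


def parse_shared_prefs(xml_text):
    """Return {name: typed value} for a shared_prefs <map>.

    long/int -> int, float -> float, boolean -> bool, string -> str,
    except that a string holding a JSON object/array is decoded.
    """
    prefs = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag in ("long", "int"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "string":
            text = el.text or ""
            if text.lstrip().startswith(("{", "[")):
                try:
                    prefs[name] = json.loads(text)
                    continue
                except ValueError:
                    pass  # not JSON after all; keep the raw string
            prefs[name] = text
    return prefs


def timestamp_report(prefs):
    """All keys ending in '_ms', as (name, raw_ms, utc_string) tuples."""
    return [(k, v, ms_to_utc(v)) for k, v in prefs.items()
            if k.endswith("_ms") and isinstance(v, int)]


def location_flags(prefs):
    """(map boolean, JSON value) for auto_collect_location, to surface a mismatch."""
    json_val = prefs.get("app_settings_json", {})
    json_flag = json_val.get("auto_collect_location") if isinstance(json_val, dict) else None
    return prefs.get("auto_collect_location"), json_flag


if __name__ == "__main__":
    p = parse_shared_prefs(ADMOB_XML)
    for name, raw, utc in timestamp_report(p):
        print(f"{name:32} {raw}  {utc}")
    print("auto_collect_location (map, json):", location_flags(p))
```

Run it against an exported chathour_pref.xml as well: the username string will come back as a plain str and the file has no "_ms" keys, so the report is empty for it, which is itself useful to note in the write-up.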
CHATHOUR XML File Data
The chathour_pref.xml file contains a number of app settings and user preferences. The very important data field that is ONLY found here (not in the database) is the username.
    <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <map>
        <string name="m_code">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</string>
        <boolean name="ringtone_on" value="true" />
        <string name="ringtone">content://settings/system/ringtone</string>
        <string name="active_ringtone">content://settings/system/ringtone</string>
        <string name="alert_mode"></string>
        <boolean name="active_ringtone_on" value="false" />
        <boolean name="led" value="true" />
        <string name="list_display_mode"></string>
        <boolean name="reminder_tone" value="false" />
        <boolean name="notification" value="true" />
        <string name="username">TheBaldJedi</string>
        <int name="saved_messages" value="1000" />
        <boolean name="lockscreen_alert" value="true" />
        <string name="deletion_threshold"></string>
        <boolean name="vibrate" value="true" />
        <string name="photo_grid_size"></string>
    </map>
SQLite Data
The chathour.db file contains several tables. I used DB Browser for SQLite to browse the tables and determine which contained useful information.
- favorites - favorite contacts
- im_partners - usernames and userIDs used for JOIN SQL statements
- ims - all stored messages including userID, message, date/time and sent/received
- recent_views - includes userID and date/time of last viewed
The times in all the date/time columns are UNIX milliseconds, the same format as the XML values above.
By using specific SQL statements and joining the ims and im_partners tables, a list can be created of all messages, sent/received, date/time with the other username.
SELECT im_partners.username, ims.message, ims.creation_time, CASE ims.sender WHEN 0 THEN 'Received' WHEN 1 THEN 'Sent' ELSE 'Unknown' END AS sent_recv FROM ims JOIN im_partners ON im_partners.user_id = ims.partner_id
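To check the query before building an artifact around it, the block below is an added example (not the post's or ChatHour's code) that recreates the two tables in an in-memory SQLite database with made-up rows and runs the same join. The column names are the ones the post's query uses; the column types, the sender encoding (0 received, 1 sent, anything else unknown) and the row contents are my assumptions. Two practitioner changes are built in: creation_time is converted in SQL with datetime(.../1000, 'unixepoch'), and the join is a LEFT JOIN so a message whose partner_id has no row in im_partners is still listed instead of silently dropped.

```python
"""Run the ims / im_partners join from the post against a constructed copy.

Added example, not code from the post or from ChatHour. Schema column names
follow the post's query; types, sender codes and all rows are assumptions.
"""
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for chathour.db with the two tables the query needs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE im_partners (
            user_id  INTEGER PRIMARY KEY,
            username TEXT
        );
        CREATE TABLE ims (
            id            INTEGER PRIMARY KEY,
            partner_id    INTEGER,
            sender        INTEGER,   -- assumed: 0 = received, 1 = sent
            message       TEXT,
            creation_time INTEGER    -- UNIX milliseconds, as the post states
        );
    """)
    con.executemany("INSERT INTO im_partners VALUES (?, ?)",
                    [(101, "alice_ch"), (102, "bob_ch")])
    con.executemany("INSERT INTO ims VALUES (?, ?, ?, ?, ?)", [
        (1, 101, 0, "hey, you there?",                 1510851364197),
        (2, 101, 1, "yep, what's up",                  1510851400000),
        (3, 102, 1, "sending you the photo",           1510851497240),
        (4, 102, 7, "odd sender code",                 1510851500000),
        (5, 999, 0, "partner missing from im_partners", 1510851600000),
    ])
    con.commit()
    return con


# The post's query with three additions: table aliases, SQL-side timestamp
# conversion, and LEFT JOIN plus COALESCE so orphaned messages still appear.
MESSAGE_QUERY = """
SELECT COALESCE(p.username, '<unknown user_id ' || i.partner_id || '>') AS username,
       i.message,
       i.creation_time,
       datetime(i.creation_time / 1000, 'unixepoch') AS creation_utc,
       CASE i.sender WHEN 0 THEN 'Received'
                     WHEN 1 THEN 'Sent'
                     ELSE 'Unknown' END AS sent_recv
FROM ims AS i
LEFT JOIN im_partners AS p ON p.user_id = i.partner_id
ORDER BY i.creation_time
"""


def list_messages(con):
    """Return (username, message, creation_time_ms, creation_utc, sent_recv) rows, oldest first."""
    return con.execute(MESSAGE_QUERY).fetchall()


def orphaned_messages(con):
    """Messages whose partner_id has no im_partners row; an inner JOIN would hide these."""
    return con.execute("""
        SELECT i.id, i.partner_id FROM ims AS i
        LEFT JOIN im_partners AS p ON p.user_id = i.partner_id
        WHERE p.user_id IS NULL
    """).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in list_messages(db):
        print(row)
    print("orphaned:", orphaned_messages(db))
```

On a real extraction replace build_sample_db() with sqlite3.connect("chathour.db") on a working copy; the integer division in creation_time / 1000 is what makes datetime() accept millisecond values, and the orphan check is worth running once per case so you know whether the inner-join version of the query undercounts.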
AXIOM Custom Artifact (coming soon)
Taking all this information, I have created and submitted a custom artifact to Magnet's website. It links all the table information and converts date/times to human format for sorting and reporting.
Once the artifact is approved, I'll post a link to it here in the blog. For now, you will have to do all the work manually.