Skip to main content

ChatHour Chat/Messaging - Android

Artifacts for ChatHour (Android)

I'm working on an Android tablet case and slowly scrolling through the application folders. The usual thousands of ... just keep scrolling. Then I saw it, a name I've not seen before. Even more important, this is a case involving "messaging".

The game's afoot!

Browse For Data

The next step in my process is to start browsing files and folders for recognizable data names. The fun is just beginning when you see the familiar db folder and file(s) inside with the .db extension.

But don't stop there. It's always a good choice to check all the other files and folders because you just never know. Sure enough, another folder sp contained .xml files with more useful information.

When dealing with an app that you've never seen before, don't stop at the first sign of data. Keep digging. 

Research the User Interface

It feels like I keep writing this in every blog, but it really is important to understand how the app works, looks and feels to the end user. Without this general understanding, you could easily misinterpret the parsed data.

Review of ChatHour Computer and Mobile App

This site shows screenshots from the actual web and mobile app. Plus describes how it functions for the end user.

The Easier Stuff First (XML)

XML files are easily viewed in most browsers or text editors. I've become a big fan of Code Writer from the MS Store. The point is, these files can be exported from your forensic tool of choice and opened for review.


The admob.xml file contains a few date/time related and other general settings for the app.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <long name="first_ad_req_time_ms" value="1510851364197" />
    <int name="request_in_session_count" value="0" />
    <long name="app_settings_last_update_ms" value="1485436274422" />
    <boolean name="auto_collect_location" value="true" />
    <boolean name="content_url_opted_out" value="true" />
    <boolean name="use_https" value="false" />
    <string name="app_settings_json">{&quot;status&quot;:1,&quot;app_id&quot;:&quot;ca-app-pub-8857310711809123~7339277565&quot;,&quot;auto_collect_location&quot;:false,&quot;ad_unit_id_settings&quot;:[{&quot;ad_unit_id&quot;:&quot;ca-app-pub-8857310711809123/8816010767&quot;,&quot;format&quot;:&quot;banner&quot;}]}</string>
    <long name="app_last_background_time_ms" value="1510851497240" />

A few things I noticed: 
"use_https" is false
"auto_collect_location" is true

I could not find any location information in the XMLs or SQLite databases.

Date Values

The date/time values are all in UNIX milliseconds. A program like DCode can be used to convert them to human readable form. To report on the the last time the application settings were update, convert 1485436274422 to local date and time.

The remaining dates and times can be converted in the same manner.


The chathour_pref.xml file contains a number of app settings and user preferences. The very important data field that is ONLY found here - UserName.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <string name="m_code">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</string>
    <boolean name="ringtone_on" value="true" />
    <string name="ringtone">content://settings/system/ringtone</string>
    <string name="active_ringtone">content://settings/system/ringtone</string>
    <string name="alert_mode"></string>
    <boolean name="active_ringtone_on" value="false" />
    <boolean name="led" value="true" />
    <string name="list_display_mode"></string>
    <boolean name="reminder_tone" value="false" />
    <boolean name="notification" value="true" />
    <string name="username">TheBaldJedi</string>
    <int name="saved_messages" value="1000" />
    <boolean name="lockscreen_alert" value="true" />
    <string name="deletion_threshold"></string>
    <boolean name="vibrate" value="true" />
    <string name="photo_grid_size"></string>

SQLite Data

The chathour.db file contains several tables. I used DB Broswer (SQLite) to browse the tables and determine which contained useful information. 
  • favorites - favorite contacts
  • im_partners - usernames and userIDs used for JOIN SQL statements 
  • ims - all stored messages including userID, message, date/time and sent/received
  • recent_views - includes userID and date/time of last viewed
The times in all the date/time columns are UNIX milliseconds

By using specific SQL statements and joining the ims and im_partners tables, a list can be created of all messages, sent/received, date/time with the other username.

  CASE ims.sender
   WHEN 0 THEN 'Received'
   WHEN 1 THEN 'Sent'
   ELSE 'Unknown'
  END AS sent_recv
  FROM ims
        JOIN im_partners
        ON im_partners.user_id = ims.partner_id

AXIOM Custom Artifact (coming soon)

Taking all this information, I have created and submitted a custom artifact to Magnet's website. It links all the table information and converts date/times to human format for sorting and reporting.

Once the artifact is approved, I'll post a link to it here in the blog. For now, you will have to do all the work manually.


  1. Thank you so much for the inclusion nice article and very informative.
    BIGO LIVE is a cross-platform application, which has the ability to work on all sort of modern platforms.Here you have much freedom to share anything as like as you share on your smartphone.
    Click Here:
    Bigo Live Connector
    Bigo Live Login
    bigo live pc connector
    BIGO LIVE PC Download
    Bigo Live Login
    Bigo live Android App
    bigo live for pc

  2. Thats really amazing to get this on my website for the chat app chatib


  3. Thanks for Sharing an Information to us. Kindly visit our store for EHS Software and Health and Safety Management Softwares.
    Safety Software | Health and Safety Software


Post a Comment