There is always room for improvement to parsers of the past. That was the case when I asked to look into some Kik Messenger artifacts. There has already been support for Kik in iLEAPP for months but you can always squeeze out more information. Starting with the basics we can open up Josh Hickman’s well documented test image of an iPhone SE. We can look at the main sqlite database file found at the following path:
private\var\mobile\Containers\Shared\AppGroup\<APP_GUID>\cores\private\<USER_ID>\kik.sqlite
Don't forget the -wal file! I still hate the naming conventions iOS uses for sqlite tables but I digress. Here is what the Tables look like:
Figure 1: kik.sqlite Tables
The main focus will be surrounding the following:
- ZKIKMESSAGE - A list of all messages
- ZKIKUSER - A list of user info, including user names
- ZKIKATTACHMENT - Attachment information including file name that can be correlated to a message
Since Alexis already had the main pieces of the ZKIKMESSAGE table done in the initial parser, I decided to whip up a quick SQLite query to add more user information.
One thing missing from the original parser was attachments. In the ZKIKATTACHMENT table we see a column called ZCONTENT with a GUID:
Figure 2: ZKIKATTACHMENT table, ZCONTENT column
After trolling through the folder structure looking for a reference to this GUID, I came across the following folder:
private\var\mobile\Containers\Shared\AppGroup\<APP_GUID>\cores\private\<USER_ID>\content_manager\data_cache
Easily enough, we get extension-less files with the same names as seen in the ZCONTENT column in the kik.sqlite database. One thing I've learned from creating other parsers in Python for ALEAPP & iLEAPP is that these can be embedded quickly into their reports. With some quick updates we can now see better results into Kik Messenger conversations including sent and received images.
Figure 3: iLEAPP Report for Kik Messages
You have to love the great content shared in Josh Hickman's test images. Next up, we are going to look at the following folder:
private\var\mobile\Containers\Shared\AppGroup\<APP_GUID>\cores\private\<USER_ID>\attachments
Inside we get a little more context on the attachments we saw prior. The files found here are extension-less bplists. In collaboration with Alexis and a colleague who shall remain anonymous, we were able to discover what these bplists were all about. One of the first metadata items we get are the hashes of the attachments.
Figure 4: Attachments bplist Hashes
From testing I found out that the SHA1-Scaled hash directly matches the file we previously found in the "data_cache" folder. My assumption is that when files are uploaded to Kik they are compressed down for sending. The next grouping of keys we can see some app information as well as file attachment info.
Figure 5: Attachments bplist app and file info
What I can comprehend here is that we show that the attachment is a photo and came from the Gallery. We also can see the file size is available as well as a temporary file name (note, seemed like all temp names were the same). We also once again see the file name GUID of the file which also matches the bplist here.
Figure 6: Attachments bplist snippet of thumbnail
The full image bytes can be found here, albeit encoded with Base64. After all is said and done, we get another parser for the Kik metadata into iLEAPP, thanks for the coding Alexis! Some things to note, the bplists may still reside after an attachment or if the chat is deleted. More testing needs to be done to see if this is true but we had one case instance where it was. It also appears that the bplists are found in an Advanced Logical dump in Cellebrite so we may get this information out of an iTunes backup as well.
Figure 7: Kik Bplist metadata in iLEAPP
The last artifact of interest that I found during exploring the app folder was Pending Uploads. Basically we can find another extension-less file at the following path:
private\var\mobile\Containers\Shared\AppGroup\<APP_GUID>\cores\private\<USER_ID>\chunked_upload_storage\pending_uploads
It is an XML file that is pretty straight forward.
Figure 8: pending_uploads file
Contained is a list of metadata related to file attachments that are naturally pending to be uploaded. We can see we get application ID information, a content ID which is the file name, as well as progress percentage, retries and an upload start time. I'm not quite sure what the "state" key is used for at this time. Any pending picture uploads can be found at the following folder path:
private\var\mobile\Containers\Shared\AppGroup\<APP_GUID>\cores\private\<USER_ID>\chunked_upload_storage\data_cache
iLEAPP now has a parser for one as well, hope this helps people in their investigations.
