I never did finish this post, because it became a scribd document:
A colleague recently had to do some work with Kik Messenger. Ideally he was looking to identify which users had sent which pictures to one another. The device in question was an iPod Touch 4G. It turned out that it wasn't easy to find a lot of information on the inner workings of Kik Messenger, so, as is my weakness, I had to have a play.
What was crucial was that I'd never seen Kik Messenger in action. To get some context I decided I'd install it and have a play. I thought using my own iPod Touch would be sensible as this would be close to the target device. But no joy. My iPod Touch is a 2G and so can't run iOS 4.3, which is the minimum requirement for Kik. So instead I had to try it on my trusty Samsung Galaxy S.
Via Google Play, I installed Kik Messenger version 6.3.1 which was available from 11-Apr-2013. The install was painless and I had to create an account. I created a username of ForensicGeekAdrd and a display name of Forensic Geek. I received an email from firstname.lastname@example.org with a subject of Welcome to Kik Messenger! Confirm your details inside... asking me to confirm my email address, but I haven't done that yet. (The only difference this seems to make is that in the settings of Kik it has a little message saying 'Email is Unconfirmed'.)
Without doing anything further with Kik I used Micro Systemation's XRY (v6.5.1) to take a physical dump of my phone. XRY clearly identified some Kik artefacts. It identified my account:
Application: Kik
Password: <SHA-1 of password here>
Name: Forensic Geek
Account Name: ForensicGeekAdrd
Kik ID: email@example.com
This was all as expected except the _75c appended to my Kik ID... there can't already be 0x75B users called forensicgeekadrd, can there?! The user Kik Team had also been added to my contacts. XRY also parsed a Kik chat message to me from Kik Team, a typical welcome message:
Application: Kik
Time: 23/04/2013 17:18:57 UTC (Device)
Text: Welcome to Kik, the super fast smartphone messenger! If you have any questions, let me know. I'll do my best :)
From Kik ID: firstname.lastname@example.org
To Kik ID: email@example.com
Another artefact was that a picture, the profile picture for Kik Team, had been stored on my phone:
Size: 2.60 KB
File Format: Jpeg
First Cluster: 12668
Created: 23/04/2013 18:19:01
Modified: 23/04/2013 18:19:00
What I really wanted to know was how messages, including attachments, worked, so I needed to send and receive some. But I didn't have another device with which to communicate. After some Googling I discovered BlueStacks App Player. It's an application for Windows and Mac that provides a virtual Android device. You set it up just like an ordinary Android device, that is, with a Gmail account, and then you can install apps! Awesome! It just worked. I set it up and installed Kik Messenger on it, this time with a username of ForensicGeekBstk.
I then had a lovely conversation with myself. Below is a screen capture from my Android device:
According to Kik they represent Received, Delivered and Sent. What I was especially interested in was how the different statuses of these messages would be reflected in the back end. How would a forensic examiner know without actually opening the app?
--- SNIP ---
Our usual tool for grabbing data from iPods, iPads and iPhones is Micro Systemation's XRY. The ideal is to grab a physical dump, but this currently isn't supported by the tool for this device. We tried a RAM disk logical dump, but this didn't play ball either. In the end, we managed a "normal" backup of the device. This simulates a backup that iTunes would take. For completeness we did try a physical dump using Cellebrite's UFED Physical Analyzer too, but this model of iPod isn't currently supported by this tool either.
We opened the XRY acquisition up in XRY Reader, but nothing Kik related had been automatically parsed. The search function in XRY is pretty nice, so a simple search for kik seemed a sensible place to start. It returned 356 matches.
The first thing to notice was the folder structure. The image below shows com.kik.chat which is located at /private/var/mobile/Applications/com.kik.chat.
Some of these folders are fairly self-explanatory...
As its name implies, the pictures in this folder are the profile pictures of Kik users.
Two versions of the profile picture seem to be stored:
firstname.lastname@example.org
As you would expect, the thumb is simply a resized version of the original. Note that there is no file extension, but in all 31 instances in this folder, the images were jpgs. You may have spotted that 31 is an odd number. If there's an original and a thumbnail, why is there an odd number of pictures? Well, firstly, well spotted, and secondly, in this particular case there are only 11 originals, but 20 thumbnails. Every original has a corresponding thumbnail, but obviously therefore, not every thumbnail has a corresponding original.
Again, as its name implies, pictures in this folder seem to show thumbnails of pictures that have been attached to a conversation. A user can choose to send a picture to another user. They can do this by directly accessing the camera app or by selecting a pre-existing image from the device. When the picture is sent it is attached to the conversation. Even though a user can accompany the picture with some text, the text and the picture are actually sent as two separate messages - as we'll see later.
The thumbnails are named simply as a GUID, again, no file extension, for example:
This folder seems to contain the original pictures attached to a conversation.
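Two of the observations above (extensionless profile pictures where every original has a thumbnail but not every thumbnail has an original, and attachment thumbnails named only by a GUID) are the kind of thing worth checking with a script rather than by eye. The Python below is an added example written for this post, not code from the original or from Kik: it identifies file types by their leading bytes, pairs originals with thumbnails, and flags files in the attachment-thumbnail folder whose names are not GUIDs. The thumbnail suffix "_thumb" is an assumption (the post does not give Kik's real naming scheme), and the sample sandbox it builds is constructed test data.

```python
import os
import re
import tempfile
from collections import Counter

# Assumed naming convention for thumbnails; the real Kik scheme is not given on the page.
THUMB_SUFFIX = "_thumb"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def sniff_image_type(path):
    """Classify an extensionless file by its magic number rather than its name."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return "unknown"


def audit_profile_pics(folder):
    """Count file types, pair originals with thumbnails, and list the orphans."""
    names = sorted(os.listdir(folder))
    types = Counter(sniff_image_type(os.path.join(folder, n)) for n in names)
    originals = {n for n in names if not n.endswith(THUMB_SUFFIX)}
    thumbs = {n[:-len(THUMB_SUFFIX)] for n in names if n.endswith(THUMB_SUFFIX)}
    return {
        "total": len(names),
        "types": dict(types),
        "originals": len(originals),
        "thumbnails": len(thumbs),
        "originals_missing_thumb": sorted(originals - thumbs),
        "thumbs_missing_original": sorted(thumbs - originals),
    }


def audit_attachment_thumbs(folder):
    """Report how many files are GUID-named and which ones are not (worth a closer look)."""
    names = sorted(os.listdir(folder))
    guid_named = [n for n in names if GUID_RE.match(n)]
    non_guid = [n for n in names if not GUID_RE.match(n)]
    return {"guid_named": len(guid_named), "non_guid": non_guid}


def build_sample_sandbox():
    """Constructed sample data: a fake app sandbox with extensionless JPEG-like files."""
    root = tempfile.mkdtemp(prefix="kik_sample_")
    pics = os.path.join(root, "profilepics")
    attach = os.path.join(root, "attachment_thumbs")
    os.makedirs(pics)
    os.makedirs(attach)
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # JFIF-style header, no real image data
    # Two users with original + thumbnail, one user with a thumbnail only.
    for user in ("alice", "bob"):
        for suffix in ("", THUMB_SUFFIX):
            with open(os.path.join(pics, user + suffix), "wb") as fh:
                fh.write(jpeg_head)
    with open(os.path.join(pics, "carol" + THUMB_SUFFIX), "wb") as fh:
        fh.write(jpeg_head)
    # One GUID-named attachment thumbnail and one oddly named file.
    for name in ("0a1b2c3d-0000-4000-8000-0123456789ab", "not-a-guid"):
        with open(os.path.join(attach, name), "wb") as fh:
            fh.write(jpeg_head)
    return root


def demo():
    """Build the constructed sandbox and run both audits on it."""
    root = build_sample_sandbox()
    return (
        audit_profile_pics(os.path.join(root, "profilepics")),
        audit_attachment_thumbs(os.path.join(root, "attachment_thumbs")),
    )


if __name__ == "__main__":
    profile_report, attachment_report = demo()
    print(profile_report)
    print(attachment_report)
```

Against a real acquisition you would point audit_profile_pics and audit_attachment_thumbs at the exported folders instead of the constructed sandbox; the magic-number check is what tells you the extensionless files are JPEGs, and the orphan list is the 11-versus-20 discrepancy made explicit.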