The inconsistent case of the messaging app

I never did finish this post, because it became a scribd document:
http://www.scribd.com/doc/145278610/Artefacts-of-Kik-Messenger-on-iOS

A colleague recently had to do some work with Kik Messenger. Ideally he was looking to identify which users had sent which pictures to one another. The device in question was an iPod Touch 4G. It turned out that it wasn't easy to find a lot of information on the inner workings of Kik Messenger, so, as is my weakness, I had to have a play.

What was crucial was that I'd never seen Kik Messenger in action. To get some context I decided I'd install it and have a play. I thought using my own iPod Touch would be sensible as this would be close to the target device. But no joy. My iPod Touch is a 2G and so can't run iOS 4.3, which is the minimum requirement for Kik. So instead I had to try it on my trusty Samsung Galaxy S.

Via Google Play, I installed Kik Messenger version 6.3.1 which was available from 11-Apr-2013. The install was painless and I had to create an account. I created a username of ForensicGeekAdrd and a display name of Forensic Geek. I received an email from no-reply@kik.com with a subject of Welcome to Kik Messenger! Confirm your details inside... asking me to confirm my email address, but I haven't done that yet. (The only difference this seems to make is that in the settings of Kik it has a little message saying 'Email is Unconfirmed'.)

Without doing anything further with Kik I used Micro Systemation's XRY (v6.5.1) to take a physical dump of my phone. XRY clearly identified some Kik artefacts. It identified my account:
Application: Kik
Password: <SHA-1 of password here>
Name: Forensic Geek
Email: forensicgeekinthecorner@gmail.com
Account Name: ForensicGeekAdrd
Kik ID: forensicgeekadrd_75c@talk.kik.com
This was all as expected except the _75c appended to my Kik ID... there can't already be 0x75B users called forensicgeekadrd, can there?! The user Kik Team had also been added to my contacts. XRY also parsed a Kik chat message to me from Kik Team, a typical welcome message:
Application: Kik
Storage: Device
Time: 23/04/2013 17:18:57 UTC (Device)
Text: Welcome to Kik, the super fast smartphone messenger! If you have any questions, let me know. I'll do my best :)
Direction: Incoming
From Kik ID: kikteam@talk.kik.com
To Kik ID: forensicgeekadrd_75c@talk.kik.com
Another artefact was a picture, the profile picture for Kik Team, which had been stored on my phone:

Name: kikteam@talk.kik.com000000027c23efa4
Size: 2.60 KB
File Format: Jpeg
First Cluster: 12668
Created: 23/04/2013 18:19:01
Modified: 23/04/2013 18:19:00
Accessed: 23/04/2013
Path: \data\kik.android\cache\profpics\

What I really wanted to know was how messages, including attachments, worked, so I needed to send and receive some. But I didn't have another device with which to communicate. After some Googling I discovered BlueStacks App Player. It's an application for Windows and Mac that provides a virtual Android device. You set it up just like an ordinary Android device, that is, with a Gmail account, and then you can install apps! Awesome! It just worked. I set it up and installed Kik Messenger on it, this time with a username of ForensicGeekBstk.

I then had a lovely conversation with myself. Below is a screen capture from my Android device:

As you can see, there's nothing complicated about this messaging app. The messages received are shown in the grey bubble on the left-hand side and the sent messages are shown in the green bubble on the right-hand side. You will notice that each of the sent messages has a 'message status'. According to Kik they represent Received, Delivered and Sent. What I was especially interested in was how the different statuses of these messages would be reflected in the back end. How would a forensic examiner know without actually opening the app?

--- SNIP ---

Our usual tool for grabbing data from iPods, iPads and iPhones is Micro Systemation's XRY. The ideal is to grab a physical dump, but this currently isn't supported by the tool for this device. We tried a RAM disk logical dump, but this didn't play ball either. In the end, we managed a "normal" backup of the device. This simulates a backup that iTunes would take. For completeness we did try a physical dump using Cellebrite's UFED Physical Analyzer too, but this model of iPod isn't currently supported by this tool either.

We opened the XRY acquisition up in XRY Reader, but nothing Kik related had been automatically parsed. The search function in XRY is pretty nice, so a simple search for kik seemed a sensible place to start. It returned 356 matches.

The first thing to notice was the folder structure. The image below shows com.kik.chat which is located at /private/var/mobile/Applications/com.kik.chat.

Some of these folders are fairly self-explanatory...

/private/var/mobile/Applications/com.kik.chat/Documents/profpix
As its name implies, the pictures in this folder are the profile pictures of Kik users.
Two versions of the profile picture seem to be stored:
orig_kikusername@talk.kik.com
thumb_kikusername@talk.kik.com
As you would expect, the thumb is simply a resized version of the original. Note that there is no file extension, but in all 31 instances in this folder, the images were jpgs. You may have spotted that 31 is an odd number. If there's an original and a thumbnail, why is there an odd number of pictures? Well, firstly, well spotted, and secondly, in this particular case there are only 11 originals, but 20 thumbnails. Every original has a corresponding thumbnail, but obviously therefore, not every thumbnail has a corresponding original.

/private/var/mobile/Applications/com.kik.chat/Documents/convothumbs
Again, as its name implies, pictures in this folder seem to be thumbnails of pictures that have been attached to a conversation. A user can choose to send a picture to another user. They can do this by directly accessing the camera app or by selecting a pre-existing image from the device. When the picture is sent it is attached to the conversation. Even though a user can accompany the picture with some text, the text and the picture are actually sent as two separate messages - as we'll see later.

The thumbnails are named simply as a GUID, again with no file extension, for example:
ca285186-e652-43b3-bac2-b62a0cdc4501

/private/var/mobile/Applications/com.kik.chat/Documents/content_manager/data_cache
This folder seems to contain the original pictures attached to a conversation.
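To put the profpix and convothumbs observations above to work, here is a small triage script (an added example, not code from the post or from Kik) that pairs orig_/thumb_ profile pictures by Kik ID, reports thumbnails that have no original, identifies the extension-less files as JPEGs by their magic bytes, and checks that convothumbs names are GUIDs. It assumes the Documents layout exactly as described above; the sample tree it builds is constructed for the example, and the second Kik ID in it is made up.

```python
import os
import re
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"  # files have no extension, so identify JPEGs by magic bytes
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def is_jpeg(path):
    with open(path, "rb") as f:
        return f.read(3) == JPEG_MAGIC


def triage_profpix(profpix_dir):
    """Pair orig_/thumb_ profile pictures by Kik ID and flag unpaired or non-JPEG files."""
    names = os.listdir(profpix_dir)
    origs = {n[len("orig_"):] for n in names if n.startswith("orig_")}
    thumbs = {n[len("thumb_"):] for n in names if n.startswith("thumb_")}
    return {
        "originals": len(origs),
        "thumbnails": len(thumbs),
        "thumb_only": sorted(thumbs - origs),  # thumbnails with no original on the device
        "orig_only": sorted(origs - thumbs),   # would contradict the post's observation
        "non_jpeg": sorted(n for n in names if not is_jpeg(os.path.join(profpix_dir, n))),
    }


def triage_convothumbs(convothumbs_dir):
    """Split conversation thumbnails into GUID-named files and anything unexpected."""
    names = os.listdir(convothumbs_dir)
    return {"guids": sorted(n for n in names if GUID_RE.match(n)),
            "unexpected": sorted(n for n in names if not GUID_RE.match(n))}


def build_sample_tree():
    """Constructed sample tree mirroring the post's layout (not real extracted data)."""
    root = tempfile.mkdtemp()
    profpix = os.path.join(root, "profpix")
    convothumbs = os.path.join(root, "convothumbs")
    os.makedirs(profpix)
    os.makedirs(convothumbs)
    sample_jpeg = JPEG_MAGIC + b"\xe0\x00\x10JFIF"  # minimal constructed JPEG header
    for name in ("orig_kikusername@talk.kik.com", "thumb_kikusername@talk.kik.com",
                 "thumb_someoneelse@talk.kik.com"):  # second Kik ID is made up
        with open(os.path.join(profpix, name), "wb") as f:
            f.write(sample_jpeg)
    with open(os.path.join(convothumbs, "ca285186-e652-43b3-bac2-b62a0cdc4501"), "wb") as f:
        f.write(sample_jpeg)
    return profpix, convothumbs
```

Point triage_profpix and triage_convothumbs at the real extracted folders to reproduce the 11-original / 20-thumbnail count from the case above; the "orig_only" list should stay empty if the post's observation holds.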


Comments

  1. Where can we find deleted or old Kik chat history? Couldn't find the path.... I accidentally reset my Kik and all my chat history is gone..... I was hoping to retrieve those because Kik said messages are stored locally in the device..

  2. Hi, the honest answer is: it depends. Resetting your Kik has likely deleted and created a new kik.sqlite, or maybe flushed the tables of the existing one. Either way, it could get very tricky to get your messages back. It might help if you can share what device you're using Kik on and what software/hardware you're using to view the file system?

  3. I was hoping I could retrieve some deleted Kik messages from a Kindle FireHDX.

    I am completely new to the world of digital forensics and was hoping you could point me in a (cheap) and right direction.

    Any help is appreciated.
    Thanks,
    Julian
    luke1720 [at] gmail

    Replies
    1. Hi Julian, the answer is probably. I'll send you an email - see what we can do.

  4. Hi. Would you know what the chances are of getting chat messages back on a Samsung Note 2? Thanks so much.

    Replies
    1. Hi, as always, the answer is: it depends. It depends on how the messages got deleted and how much you've been using the device since. Can you get to the kik.sqlite file as described in the scribd link referenced at the top of the blog entry? Especially the section on the last page titled 'A Note on Testing'.

  5. Hi. In the file Attachments - list view - image - point the + you see also older images from Kik, also a picture of the first second of a movie is sent with kikvideo.
    Is there a possibility to restore that movie?
    I use iBackupBot.
    Thanks in advance

  6. Is it possible to back up all contacts and conversations (with the images, etc.) from chatting and not chatting (new chat)? This is on Android (not rooted). Thanks.

  7. If you deleted a Kik message on the app, and then backed up that phone to iTunes, would the deleted data be backed up to iTunes?
