KIK Messenger Forensics

Alessia Manon | Modified: July 21st, 2015 | SQLite Forensics

KIK Messenger is a widely used free messaging app that covers almost all mobile platforms, such as iOS, Android, and Windows Phone. It has millions of users, most of whom are young adults and teenagers, which makes it a forensically important messenger app. Digital forensic investigation has reached the point where mobile applications and the data associated with them have proved to be a key source of evidence. KIK Messenger forensics is essential from an investigator's perspective because the stored databases can contain hidden evidence.

Locations for Kik Messenger Databases

KIK artifacts for both iOS and Android are kept in SQLite databases. These databases are stored in the phone storage in an encrypted manner. During KIK Messenger forensics, they can be found in the locations mentioned below:

Android:

kik1

iOS:

kik2

These databases store information such as contacts, messages, and attachments. Both platforms hold almost the same information, but the structure of the database is quite different.

iOS Preferences:

On the iOS platform, General Preferences can also be examined at the location mentioned below:

kik3

This .plist is a binary file that contains application settings such as username, password (in plain text), first/last name, phone number, email ID, and the installation date. It also contains the settings files of the Kik Messenger application.

iOS TCC Database:

While investigating Kik Messenger on iOS, it is always recommended to check the TCC database as well. This database holds information about which permissions apps, including Kik Messenger, have. However, the TCC database is only created when the user is asked to grant permissions to an app. This database is located at the location mentioned below:

kik4

Resourceful Elements for Kik Messenger Forensics

Contacts: Kik Messenger stores the user contacts in SQLite databases, which can be easily extracted and viewed using SQLite DB Browser or the pre-compiled binaries available for SQLite on SQLite.org. The contacts are stored in a table known as KIKcontactsTable (Android) or ZKIKUSER (iOS). These tables contain important information about the user's contacts.

The database contains the user name, which is a unique identifier for Kik, and the display name for the contact. The user name can be checked against the JID column, where the identifier appears in email-address form as username_xyz@talk.kik.com, where xyz is a randomly generated string value. Tables for Kik contacts can also contain the profile picture, which can be very important evidence, along with links, timestamps, block lists, and groups.

Messages: Messages are undoubtedly the most important and crucial source of evidence. Messages are located in messagesTable on Android and in the ZKIKMESSAGE table on iOS. All messages are stored together, so if multiple conversations took place during the same time period, it becomes difficult to examine the messages. On the Android platform, investigators can refer to partner_jid, which helps identify the persons with whom the conversation took place.

Which party sent or received the message can be determined from was_me. Moreover, the read_state column shows the unread (400)/read (500) status of the message. The iOS platform saves the other-end partner in the ZUSER column, and sender/receiver information is saved in the ZTYPE column.
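The following added example (not from the original article) shows one way to split the interleaved rows of the Android messagesTable into per-contact threads using the partner_jid, was_me and read_state columns described above. The body and timestamp column names, the reading of was_me = 1 as "sent by the device owner", and all sample rows are assumptions constructed for illustration.

```python
import sqlite3
from collections import defaultdict
from pathlib import Path

READ_STATE = {400: "unread", 500: "read"}  # values given in the article

def open_evidence(path):
    """Open a working copy read-only so queries cannot modify the file."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def jid_username(jid):
    """username_xyz@talk.kik.com -> username (drop domain and random suffix)."""
    local = jid.split("@", 1)[0]
    return local.rsplit("_", 1)[0] if "_" in local else local

def build_sample_db():
    """Constructed sample rows; the body and timestamp columns are assumed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messagesTable (body TEXT, partner_jid TEXT, "
                "was_me INTEGER, read_state INTEGER, timestamp INTEGER)")
    con.executemany("INSERT INTO messagesTable VALUES (?,?,?,?,?)", [
        ("hi", "alice_a1b@talk.kik.com", 0, 500, 1001),
        ("hello", "bob_smith_x9z@talk.kik.com", 0, 400, 1002),
        ("hey alice", "alice_a1b@talk.kik.com", 1, 500, 1003),
        ("you there?", "bob_smith_x9z@talk.kik.com", 0, 400, 1004),
    ])
    return con

def conversations(con):
    """Group interleaved rows into per-partner threads, ordered by time."""
    threads = defaultdict(list)
    cur = con.execute("SELECT partner_jid, was_me, read_state, timestamp, body "
                      "FROM messagesTable ORDER BY timestamp")
    for jid, was_me, state, ts, body in cur:
        threads[jid_username(jid)].append({
            # Assumption: was_me = 1 marks a message sent by the device owner.
            "direction": "sent" if was_me else "received",
            # Unknown codes are surfaced rather than silently mapped.
            "status": READ_STATE.get(state, f"unknown({state})"),
            "timestamp": ts,
            "body": body,
        })
    return dict(threads)

if __name__ == "__main__":
    for user, msgs in conversations(build_sample_db()).items():
        print(user)
        for m in msgs:
            print(f"  {m['timestamp']} {m['direction']:8} {m['status']:7} {m['body']}")
```

On a real case, pass a working copy of the extracted database to open_evidence() instead of build_sample_db(), and confirm the column names against the actual schema first.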

Attachments: Attachments are another highly useful source of evidence in Kik Messenger forensics. These attachments can be images sent from the gallery or photos taken with the camera. Files are identified by a GUID and listed in the attachment table. Messages are also forwarded as attachments, so these attachments can contain some messages as well.

While examining Kik Messenger, many SQLite databases can be analyzed to carve out details about the artifacts stored in them. These artifacts can provide information about timestamps, senders, receivers, and so on. A thorough analysis can uncover hidden facts from the messenger.