Initialization vectors. Digital Forensics and Incident Reaction. All things InfoSec

Initialization vectors. Digital Forensics and Incident Reaction. All things InfoSec

Finding Badoo chats in Android os utilizing SQL inquiries as well as the MAGNET App Simulator

The Badoo complimentary talk and Dating software keeps user created chats into the following SQLite database:

The after questions can be utilized as templates to draw out chats through the Badoo database:

  • Communications
    • Sender name, receiver name, chat message, create time, modified time, host status, payload.
  • Consumer information
    • Consumer ID, username, sex, age, individual image url, photo url, max messages that are unanswered delivering multimedia enabled, user deleted.

The Badoo application is just a chat and dating platform for Android os and iOS. The software site claims a to have over 425,000,000 users and counting.

The application appear to be fairly popular into the Bing Enjoy store with more than 4 million reviews.

The after analysis came become because of a demand from an electronic forensics examiner perhaps perhaps maybe not having the ability to parse the application information making use of commercial mobile forensic tools. We procured permission from my colleague to make use of the data sets when you look at the development regarding the questions and associated article. With that said i am going to obscure usernames and talk content within the data sets simply because that they’re in French, which i actually do perhaps not talk, and I also wish to avoid posting something with no knowledge of just what it states.

Analysis via SQL questions

The information is held into the SQLite ChatComDatabase file located when you look at the directory. Inside the database you will find 2 tables containing information of great interest.

Conversation_info This table offers the user IDs, sex, individual names, age and profile photo URLs for the users that chatted with all the Badoo app that is local individual. It’s of observe that the neighborhood software individual info is perhaps maybe perhaps not included in this particular dining table. To spot your local individual information we emulated the software utilizing the Magnet App Simulator ( more on that later) and surely could start to see the title and chronilogical age of the user that is local.

With this home elevators hand we processed the software directory with Autopsy and did a text look for the consumer title which had a winner when you look at the after course and filename:

Note the base64 formatted filename. Making use of Cyberchef it absolutely was simple to transform the base64 filename to ASCII as present in the next image.

By taking a look at the articles of this settings file with Autopsy the next information can be had about the neighborhood individual:

  • Username
  • Birth date
  • Phone figures
  • Body body body Weight & height
  • Physique
  • Workplace
  • Intimate orientation
  • Governmental orientation

It really is of keep in mind that this user created information undoubtedly would differ based exactly how much the user increases their profile. Further screening could be needed to verify.

Concerning the individual information of people that exchanged messages utilizing the neighborhood user the consumer information question could be used to have the after line values as noticed in the next image.

Communications This dining dining dining table offers the user IDs, timestamps, and messages that are chat. The talk communications are found in an industry defined as payload that holds them in JSON structure. It really is very easy to draw out them utilizing SQLiteis the json_extract function. For an illustration on just how to utilize the json_extract function start to see the after post on Slack app messages parsing:

Considering that the communications are referenced by their user IDs a select that is join of messages and conversation_info tables must be utilized to determine the sender and receiver names. For this the query that is select to consider that the neighborhood individual information had not been discovered in the conversation_info dining dining dining table. This particular fact managed to make it tough to get in on the tables by user_ids because the many user that is importantthe neighborhood individual) didn’t have individual title information to participate. To conquer that barrier we utilized two split question conditions.

  1. Left join conversation facts about sender_id = user_idThis condition provided me all sender individual names to add null rows which had information but no matching individual name (i.e. the rows when asiame.com it comes to communications delivered by your local individual.)
  2. Kept join conversation info recipient_id = user_idThis condition gave me all recipient user names to add null rows which had information but no matching individual title (i.e. the rows when it comes to communications gotten because of the regional individual.)

Its of observe that We have added the payload data field with all the current JSON content inside it. This is essential since a few of the JSON content is probably not a chat message but information regarding a provided image. If the chat_text industry is null into the question results the examiner can merely go right to the articles for the payload industry to ascertain extra information like upload ID, termination timestamp therefore the Address regarding the image it self. Into the preceding image notice the way the chat_text null field rows state “type”:”permanent_image” within the payload industry.

I want to have these inquiries presented into the MAGNET Artifact Exchange Portal quickly.