This is the start of a series of blog posts about recovering forensics artifacts from mobile applications for your digital forensics investigations.
This series will be my tribute to LookOut Security for all the help they rendered, all the people there are very nice to me, especially Tim Strazzere, Marc Rogers, tamakikusu and Caleb Fenton. Thanks a lot.
Today, i’ll be talking about Viber Forensic Artifacts – Android Edition.
Viber (version 126.96.36.199 is the version which i did my testing on) is a cross-platform application that allows users to do voice call, send messages and share images with their contacts using Windows, iOS, Android, Blackberry, Symbian and Windows Phone devices.
[ Tool Used ]
Cerbero Profiler – http://cerbero.io/profiler/
[ Why are Viber Artifacts Important to Your Mobile Forensics Investigations? ]
Currently, smartphones are used worldwide by billions of people to communicate and keep updated with the latest news.
Smartphone users spend the majority of their time on their devices sending emails, surfing the web, updating their social network status and/or chatting with others using various applications.
As such, it’s getting important for people working in the field of #DFIR to investigate mobile applications such as the likes of Viber as part of the source for evidence, and the ability to recover data from this application will potentially become important to their investigations since Viber is widely used as shown by the numbers of installs indicated in Google Play Store.
Image 0 : Screenshot of stats
For Android, most Viber artifacts relevant to forensic investigations are stored within SQLite databases, similar to other smartphone chat applications.
In order to gain access to the more important Viber artifacts, investigators must root or get a physical acquisition of the Android device.
Some of the more important Viber artifacts in Android can be found at:
These databases store details on the Viber user’s contacts, messages and attachments sent and received through the Viber application.
[ The Artifacts About The Viber User ]
Often in times during forensics investigation, we want to gather as much information about the user as possible. Information such as email used, phonenumber, contacts, activated SIM serial.
Viber stores information about:
/data/data/com.viber.voip/files/preferences/activated_sim_serial - This file contain the SIM card serial number.
/data/data/com.viber.voip/files/preferences/device_hardware_key - This file contain the make and mode of the smartphone of the Viber user.
/data/data/com.viber.voip/files/preferences/display_name - This file contain the "username" of the Viber user.
/data/data/com.viber.voip/files/preferences/pref_wifi_policy - This file contain information about the WiFi Sleep Policy. The options available is either "Always Connected" or "Use Device's Settings". "Always Connected" option will have Viber keeping the WiFi constantly on. Whereas "Use Device's Settings" will use the device's WiFi sleep policy.
/data/data/com.viber.voip/files/preferences/reg_viber_country_code - This file contain the country code of the Viber user when he/she first registered the Viber account.
/data/data/com.viber.voip/files/preferences/reg_viber_phone_num - This file contain the phone number that was used to register for the Viber account. One thing to take note is that you can receive the SMS with another phone number and install the Viber application in a separate smartphone. Thus, it might give you more clues the user if he/she did it this way.
/data/data/com.viber.voip/files/preferences/selected_account - This file contain the email address of the associated with the smartphone that Viber was installed on. This means we know what is the Google account that was used to download the Viber application.
We can cross verify some of the information with the .userdata file found in the location below.
/storage/sdcard0/viber/.userdata - This file contain the "username" and the "phonenumber" associated with the Viber user.
[ The Key Artifacts That Need to Be Found When Investigating Viber ]
While doing mobile forensics, there are some key artifacts that we need to find in order to gain more insight about the Viber user.
1) Viber Contacts
Viber stores user contacts within the “viber_data“, SQLite database.
There are several tables in the SQLite database such as the following:
In a table called “phonebookcontact“, this list contains valuable information for all the Viber user’s contacts.
The table contains the following columns for each contact in the table.
_id, native_id, display_name, phonetic_name, phone_label, low_display_name, starred, viber, viber_out, contact_lookup_key, contact_hash_version, has_number, has_name, native_photo_id, recently_joined_date, joined_date, numbers_name, deleted, flags.
Image 1 : Screenshot of viber_data SQLite DB
Right now, i have not determine how “contact_lookup_key” and “contact_hash” are generated and what is the purpose of these columns.
Another interesting table, “calls“, is useful for investigators to know whether that Viber user made or receive any calls. The calls are not limited to Viber to Viber users. It also contain information on Viber Out.
The table consists of these columns:
id, call_id, aggregate_hash, number, canonized_number, viber_call, viber_call_type, date, duration, type, end_reason, start_reason, token, looked
Some of the findings i made are:
- The values in “duration” is measured in seconds
- The timestamp in all the tables are in Epoch timestamp.
- The values in “viber_call_type” means the following:
* 1 – viber user to viber user call type
* 2 – viber out call type
2) Viber Messages
Given that Viber is a IM with call capability, it’s likely that the most valuable evidence will be found in the conversation(s).
Earlier on, we mentioned that there is another SQLite database, viber_messages.
This DB comprises of the following tables:
android_metadata, conversations, group_conversations_extras, kvdata, messages, messages_calls, participants, participants_info, public_messages_extras, purchase, sqlite_sequence, stickers, stickers_packages
The particular table(s) which we are more interested in are “conversations“, “messages“, “participants“, “participants_info”
All messages appear together in the “messages” table, which can be a uphill and challenging task if we were to sift through several conversations that could have occurred simultaneously.
To analyze these conversations, we need to always refer to “conversation_id” and “group_id“, which will help us in identify who the conversation was with
Additionally, if want to know whether the Viber user has read a given message (a value of 0 means read while 1 means unread) in the “read” column.
In the “participants_info” table, we can gather information on who are the friends of this Viber user and possibly the Geo-location if they had enabled that.
3) Viber Attachments
Viber also supports the transfer of photos. Photos – sent from either the camera or gallery – are stored on the mobile device.
It is also worth noting an attachment can include a “description” entered by the sender of the attachment. The “description” might or might not contain important information.
Image 2 : Screenshot of attachments location in Viber
[ Recovering Clear Message History ]
There is a “Clear Message History” in Viber for users to delete all the messages.
While this may appear true if you use SQLite Browser to view the SQLite DB as shown here.
Image 3 : Screenshot of deleted messages in Viber
Image 4 : Screenshot of “deleted messages” which are not “deleted” in Viber
As you can see, we managed to get back the supposedly “Deleted Messages”. 😀
While this might not be those super advanced articles. I do hope this “Super Funday Mini-Series” will be sufficient for others to pick up and learn more stuff about mobile forensics.