[ Super Funday Mini Series : Viber Forensic Artifacts – Android Edition ]

This is the start of a series of blog posts about recovering forensic artifacts from mobile applications for your digital forensics investigations.
This series will be my tribute to LookOut Security for all the help they rendered, all the people there are very nice to me, especially Tim Strazzere, Marc Rogers, tamakikusu and Caleb Fenton. Thanks a lot.

Today, I’ll be talking about Viber Forensic Artifacts – Android Edition.
Viber (I did my testing on version 5.0.2.12) is a cross-platform application that allows users to make voice calls, send messages and share images with their contacts from Windows, iOS, Android, Blackberry, Symbian and Windows Phone devices.

[ Tool Used ]

[ Why are Viber Artifacts Important to Your Mobile Forensics Investigations? ]
Currently, smartphones are used worldwide by billions of people to communicate and keep updated with the latest news.
Smartphone users spend the majority of their time on their devices sending emails, surfing the web, updating their social network status and/or chatting with others using various applications.

As such, it is becoming important for people working in the field of #DFIR to treat mobile applications such as Viber as a source of evidence. The ability to recover data from this application will potentially matter to their investigations, since Viber is widely used, as shown by the number of installs indicated in the Google Play Store.
Image 0 : Screenshot of stats

For Android, most Viber artifacts relevant to forensic investigations are stored within SQLite databases, similar to other smartphone chat applications.
In order to gain access to the more important Viber artifacts, investigators must root or get a physical acquisition of the Android device.

Some of the more important Viber artifacts in Android can be found at:

These databases store details on the Viber user’s contacts, messages and attachments sent and received through the Viber application.

[ The Artifacts About The Viber User ]
Often during a forensics investigation, we want to gather as much information about the user as possible: the email address used, phone number, contacts, activated SIM serial and so on.
Viber stores information about:

We can cross verify some of the information with the .userdata file found in the location below.

[ The Key Artifacts That Need to Be Found When Investigating Viber ]
While doing mobile forensics, there are some key artifacts that we need to find in order to gain more insight about the Viber user.

1) Viber Contacts

Viber stores user contacts within the “viber_data“ SQLite database.

There are several tables in the SQLite database such as the following:

The “phonebookcontact“ table contains valuable information about all of the Viber user’s contacts.
The table has the following columns for each contact:
_id, native_id, display_name, phonetic_name, phone_label, low_display_name, starred, viber, viber_out, contact_lookup_key, contact_hash_version, has_number, has_name, native_photo_id, recently_joined_date, joined_date, numbers_name, deleted, flags.
Image 1 : Screenshot of viber_data SQLite DB

Right now, I have not determined how “contact_lookup_key” and “contact_hash” are generated, or what the purpose of these columns is.

Another interesting table, “calls“, is useful for investigators to find out whether the Viber user made or received any calls. The calls are not limited to Viber-to-Viber calls; the table also contains information on Viber Out calls.

The table consists of these columns:

Some of the findings i made are:

  • The values in “duration” are measured in seconds.
  • The timestamps in all the tables are Epoch timestamps.
  • The values in “viber_call_type” mean the following:
    * 1 – viber user to viber user call type
    * 2 – viber out call type

2) Viber Messages

Given that Viber is an IM application with call capability, it’s likely that the most valuable evidence will be found in the conversation(s).
Earlier on, we mentioned that there is another SQLite database, viber_messages.
This DB comprises the following tables:
android_metadata, conversations, group_conversations_extras, kvdata, messages, messages_calls, participants, participants_info, public_messages_extras, purchase, sqlite_sequence, stickers, stickers_packages

The particular tables which we are more interested in are “conversations“, “messages“, “participants“ and “participants_info“.

All messages appear together in the “messages” table, which makes it an uphill and challenging task to sift through several conversations that could have occurred simultaneously.
To analyze these conversations, we always need to refer to “conversation_id” and “group_id“, which help us identify who the conversation was with.
Additionally, the “read” column tells us whether the Viber user has read a given message (a value of 0 means read while 1 means unread).

In the “participants_info” table, we can gather information on who the friends of this Viber user are, and possibly their geolocation if they had enabled it.

3) Viber Attachments

Viber also supports the transfer of photos. Photos – sent from either the camera or gallery – are stored on the mobile device.
It is also worth noting that an attachment can include a “description” entered by the sender of the attachment. The “description” might or might not contain important information.

We can find out the exact location of all these photos in the “extra_uri” column in the “messages” table.
Image 2 : Screenshot of attachments location in Viber
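To show how the “calls” findings, the conversation columns and the “extra_uri” column fit together in practice, here is an added example (my own, not code from the original post or from Viber) that builds a constructed mini copy of the “calls” and “messages” tables with Python’s sqlite3 module and runs the triage queries an examiner would run against a copy of the real databases. Only the columns named in the post (“duration”, “viber_call_type”, “conversation_id”, “group_id”, “read”, “extra_uri”) are taken from it; the other column names (“number”, “date”, “body”), the sample rows and the placeholder attachment path are assumptions for the example, and so is the treatment of 13-digit Epoch values as milliseconds.

```python
import sqlite3
from datetime import datetime, timezone

# Meaning of the viber_call_type values documented in the post.
VIBER_CALL_TYPES = {1: "viber user to viber user", 2: "viber out"}

# Schema: the columns the post names are duration, viber_call_type,
# conversation_id, group_id, read and extra_uri. The remaining column names
# (number, date, body) are assumptions made for this example and must be
# checked against the real schema (.schema) of a viber_data / viber_messages copy.
SCHEMA = """
CREATE TABLE calls (
    _id INTEGER PRIMARY KEY,
    number TEXT,
    date INTEGER,
    duration INTEGER,
    viber_call_type INTEGER
);
CREATE TABLE messages (
    _id INTEGER PRIMARY KEY,
    conversation_id INTEGER,
    group_id INTEGER,
    date INTEGER,
    body TEXT,
    read INTEGER,
    extra_uri TEXT
);
"""

# Constructed sample rows; every value here is made up for the example.
SAMPLE_CALLS = [
    (1, "+6591234567", 1412345678000, 95, 1),   # Viber-to-Viber call, 95 s long
    (2, "+14155550100", 1412349999000, 0, 2),   # Viber Out call, duration 0
    (3, "+6591234567", 1412355555000, 12, 7),   # type not in the post: keep it, don't crash
]
SAMPLE_MESSAGES = [
    (1, 10, 0, 1412345000000, "see you at 9", 0, None),
    (2, 10, 0, 1412345060000, "ok", 1, None),
    (3, 11, 0, 1412346000000, "photo", 1, "file:///PLACEHOLDER/attachment1.jpg"),
]


def open_sample_db():
    """Build the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO calls VALUES (?, ?, ?, ?, ?)", SAMPLE_CALLS)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def epoch_to_utc(value):
    """Render an Epoch timestamp as a UTC string.

    The post only says the columns hold Epoch timestamps. Treating values above
    10**11 as milliseconds (the usual Android convention) and smaller ones as
    seconds is an assumption; confirm it against a known event on the device.
    """
    seconds = value / 1000 if value > 10**11 else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def call_log(conn):
    """Calls in chronological order with the viber_call_type value decoded."""
    rows = conn.execute(
        "SELECT number, date, duration, viber_call_type FROM calls ORDER BY date")
    return [
        {
            "number": number,
            "time": epoch_to_utc(date),
            "duration_s": duration,            # post: duration is measured in seconds
            "type": VIBER_CALL_TYPES.get(call_type, f"unknown ({call_type})"),
        }
        for number, date, duration, call_type in rows
    ]


def conversation_threads(conn):
    """Split the flat messages table into per-conversation threads.

    Keyed by (conversation_id, group_id) as the post advises; read == 0 means
    read and 1 means unread.
    """
    threads = {}
    rows = conn.execute(
        "SELECT conversation_id, group_id, date, body, read FROM messages "
        "ORDER BY conversation_id, group_id, date")
    for conv_id, group_id, date, body, read in rows:
        status = "read" if read == 0 else "unread"
        threads.setdefault((conv_id, group_id), []).append((epoch_to_utc(date), body, status))
    return threads


def attachments(conn):
    """Messages that carry a file reference in extra_uri."""
    rows = conn.execute(
        "SELECT conversation_id, extra_uri FROM messages "
        "WHERE extra_uri IS NOT NULL ORDER BY _id")
    return list(rows)


if __name__ == "__main__":
    db = open_sample_db()
    for entry in call_log(db):
        print(entry)
    for key, msgs in conversation_threads(db).items():
        print("conversation", key)
        for when, body, status in msgs:
            print("   ", when, repr(body), status)
    print("attachments:", attachments(db))
```

To use this on a real acquisition, replace open_sample_db() with sqlite3.connect() on a working copy of the database (never the original evidence file) and verify the assumed column names and the seconds-versus-milliseconds question against the actual schema and a known event before trusting the timestamps.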

[ Recovering Clear Message History ]
There is a “Clear Message History” option in Viber for users to delete all their messages.
This may appear to have worked if you use SQLite Browser to view the SQLite DB, as shown here.
Image 3 : Screenshot of deleted messages in Viber

However, if you were to open the SQLite DB with Notepad++ or any other hex editor, you may see this instead.
Image 4 : Screenshot of “deleted messages” which are not “deleted” in Viber

As you can see, we managed to get back the supposedly “Deleted Messages”. 😀
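The residue visible in the hex editor is a property of SQLite rather than of Viber: a DELETE only marks the cells as free and leaves their bytes in the page unless secure_delete is on or the file is later vacuumed. The following added example (mine, not from the post or from Viber) reproduces the effect with Python’s sqlite3 module on a constructed messages table, carves the message bodies back out of the raw file the way a hex editor would show them, and then shows the two conditions under which the residue disappears. It assumes that “Clear Message History” amounts to a plain DELETE, which is consistent with the screenshots but not verified against Viber’s code.

```python
import os
import sqlite3
import tempfile

# Constructed message bodies; these are the strings we later carve for.
SAMPLE_BODIES = ["meet at the usual place", "bring the documents", "done"]


def make_message_db(path, secure_delete=False):
    """Create a small messages table, then clear it the way a "Clear Message
    History" feature would if it is a plain DELETE (an assumption).

    secure_delete=False reproduces what the post observed; with True, SQLite
    zero-fills freed cells as they are deleted, which is the mitigation.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO messages (body) VALUES (?)",
                     [(body,) for body in SAMPLE_BODIES])
    conn.commit()
    conn.execute("DELETE FROM messages")
    conn.commit()
    conn.close()


def live_rows(path):
    """What SQLite Browser shows: the rows the engine still considers live."""
    conn = sqlite3.connect(path)
    count = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    conn.close()
    return count


def carve_strings(path, needles):
    """What the hex editor shows: search the raw file bytes, ignoring the
    b-tree structure entirely, and report which bodies are still present."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return [text for text in needles if text.encode("utf-8") in raw]


def vacuum(path):
    """Rebuild the file from its live content only; freed cells do not survive."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()


def demo(secure_delete=False):
    """Return (bodies recoverable after DELETE, bodies recoverable after VACUUM)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "viber_messages")   # constructed file, not Viber's
        make_message_db(path, secure_delete)
        assert live_rows(path) == 0                  # the engine reports an empty table
        after_delete = carve_strings(path, SAMPLE_BODIES)
        vacuum(path)
        after_vacuum = carve_strings(path, SAMPLE_BODIES)
        return after_delete, after_vacuum


if __name__ == "__main__":
    print("secure_delete OFF:", demo(secure_delete=False))  # bodies present, then none
    print("secure_delete ON: ", demo(secure_delete=True))   # nothing recoverable at all
```

The same carving idea applies to a working copy of a real database: read the file as bytes and search for known strings, since the example keeps to exact-string matching to stay short. From the application side, secure_delete=ON or a VACUUM after clearing history is what stops this kind of recovery, so its absence is exactly what the hex editor screenshot above reflects.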
While this might not be one of those super advanced articles, I do hope this “Super Funday Mini-Series” will be sufficient for others to pick up and learn more about mobile forensics.

Happy Reversing,
Jacob Soo
