[ Super Funday Mini Series : LINE Forensic Artifacts – Android Edition ]

This is the 2nd article in the “Super Funday Mini Series” about recovering forensics artifacts from mobile applications for your digital forensics investigations.

Today, I’ll be covering LINE Forensic Artifacts – Android Edition.
However, as I was writing this, I think lots more information could be uncovered if I were to reverse the application.
LINE (version 4.7.1 is the version on which I did my testing) is a cross-platform application that allows users to make voice calls, send messages and share images with their contacts using Windows, iOS, Android, Blackberry, Nokia Asha, Mac OS X and Windows Phone devices.

[ Tool Used ]

[ Why are LINE Artifacts Important to Your Mobile Forensics Investigations? ]
Much like other IM (Instant Messaging) applications, LINE contacts, messages, and attachments are valuable to forensics investigators who are looking to recover evidence for a variety of different investigation types. Whether you’re analyzing the mobile device of a suspect or a victim, these chat artifacts can contain valuable information to help solve a case.

In order to gain access to the more important LINE artifacts, forensics investigators must root or get a physical acquisition of the Android device.
Some of the more important LINE artifacts in Android can be found at:

The “naver_line” file is a relatively simple SQLite database with 25 tables:

Inside the “contacts” table, each contact is given a unique identifier, “m_id”.
This table includes the contact’s name in the address book, message status, timestamps, and other details.
Chat history in LINE is kept in the “chat_history” table. This table contains the messages along with timestamps and other relevant data.
Included in this table are the message content, timestamps for sent and received messages, status, state (whether the message has been delivered, read, etc.) and attachments (if applicable).

If you start a “Private Chat”, it will also be stored unencrypted in “chat_history” like the image shown below.

Image 0 : Screenshot of “Private Chat” entry in LINE’s “naver_line” DB

However, the “Private Chat” entry will reside in that table for 1 minute after the receiver reads the message before it is removed.
In my experiment, I noticed that the timer to remove the message ends a few seconds earlier than the timer on the sender’s end.
So what this means is that after the receiver starts reading the message, it will sync back to LINE’s server. LINE’s server will inform the sender and the timer will begin.

What is interesting is that it is not deleted after 1 minute. The entry is removed, but not permanently until some time later.
I extracted the DB and still managed to recover the “Private Chat” message, as shown below:

Image 1 : Screenshot of “deleted messages” which are not “deleted” immediately in LINE

The deletion of the “Private Chat” is controlled by the “Parameter” column in the “chat_history” table.

If you view the “naver_line” DB, you will also notice that a typical private message is easily identified by searching for a user’s ID followed by “+private”, as shown below:
+private
or in my case
ua7e104955a98f119841feb96da47a0ef+private
followed by “1415376903”, which is the timestamp of the message as an Epoch timestamp.

All messages appear together in the “chat_history” table, which can be challenging to sift through if multiple conversations occurred at the same time. To analyze these conversations properly, forensics investigators need to refer to both chat_id, which identifies who the conversation was with, and from_mid, which indicates which party sent or received the message. Additionally, the “read_count” and “sent_count” columns indicate how many people were given the message and how many had read the message.

The “naver_line_private_chat” SQLite database contains the following 3 tables:

A typical entry will look like this.

Image 2 : Screenshot of “naver_line_private_chat” in LINE

Another interesting DB is “line_general_key_value”, which has a “key_value_blob” table containing “PRIVATE_CHAT_PRIVATE_KEY” and “PRIVATE_CHAT_PUBLIC_KEY”.
I probably need to fully reverse this application to see where they are used.

Even though there is an option to remove all the chat messages under
“Settings” -> “Privacy” -> “Clear Chat Messages”,
it seems that it does not “Vacuum” the SQLite database as required. Thus forensics investigators are still able to retrieve some valuable information from the databases.
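
The behaviour described above (a removed “Private Chat” row that is still recoverable, and a clear operation that does not vacuum) can be reproduced on a constructed database. This is an added example, not code from the original post or from LINE: the table layout is an assumption (only chat_id and from_mid are column names taken from the article), and the contact ID is made up.

```python
import os
import re
import sqlite3
import tempfile

# Shape of the private-chat chat_id shown in the article: 'u' + 32 hex + "+private".
PRIVATE_ID = re.compile(rb"u[0-9a-f]{32}\+private")
MID = "u" + "0123456789abcdef" * 2          # constructed contact ID, not a real one


def carve_private_ids(db_path):
    """Search the raw file bytes, bypassing SQLite, for private-chat IDs."""
    with open(db_path, "rb") as fh:
        return sorted({m.group().decode() for m in PRIVATE_ID.finditer(fh.read())})


def snapshot(con, db_path):
    """Return (rows SQLite still returns, IDs still present in the file bytes)."""
    live = con.execute(
        "SELECT COUNT(*) FROM chat_history WHERE chat_id LIKE '%+private'"
    ).fetchone()[0]
    return live, carve_private_ids(db_path)


def demo():
    db_path = os.path.join(tempfile.mkdtemp(), "naver_line_constructed.db")
    con = sqlite3.connect(db_path, isolation_level=None)   # autocommit
    con.execute("PRAGMA secure_delete = OFF")   # deleted cells are not zeroed
    # Assumed schema: only chat_id and from_mid are column names from the article.
    con.execute("CREATE TABLE chat_history (id INTEGER PRIMARY KEY, chat_id TEXT,"
                " from_mid TEXT, content TEXT, created_time TEXT)")
    con.executemany(
        "INSERT INTO chat_history (chat_id, from_mid, content, created_time)"
        " VALUES (?, ?, ?, ?)",
        [(MID, MID, "normal message", "1415376800"),
         (MID + "+private", MID, "private message", "1415376903"),
         (MID, MID, "another normal message", "1415376950")])
    stages = {"before_delete": snapshot(con, db_path)}
    con.execute("DELETE FROM chat_history WHERE chat_id LIKE '%+private'")
    stages["after_delete"] = snapshot(con, db_path)
    con.execute("VACUUM")                   # rebuilds the file without free space
    stages["after_vacuum"] = snapshot(con, db_path)
    con.close()
    return stages


if __name__ == "__main__":
    for stage, (live, carved) in demo().items():
        print(f"{stage:14} live_rows={live} carved_from_file={carved}")
```

carve_private_ids reads the file bytes only and never opens the database through SQLite, so it can be pointed at a working copy of an extracted “naver_line” file.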

[ Timeline of LINE’s user ]
Another interesting artifact could be found under the following location:
/storage/sdcard0/Android/data/jp.naver.line.android/storage/obse/post/
Inside this folder, there are many files with random filenames.
These files contain the “messages” that a LINE user wrote under “Timeline”.
I have not reversed the application yet to fully understand what the struct will look like.

While this week’s blog post may not seem too comprehensive, I do hope this “Super Funday Mini-Series” will be sufficient for others to pick up and further expand on the information that I’ve shared today.
Hopefully, I will find time to reverse this application and “find out the truth” on other parts which I didn’t cover today.

Happy Reversing,
Jacob Soo
