Channel: Magnet Forensics

Recovering Kik Messenger Forensic Artifacts


This is the second blog post in a series of five about recovering third-party mobile chat applications for your digital forensics investigations.

With over 150 million users worldwide, Kik Messenger has exploded in popularity because of its cross-platform functionality and zero-dollar price tag. Kik allows users to send messages and files to contacts using iOS, Android, and Windows Phone devices.

Why are Kik Messenger Artifacts Important to Your Mobile Forensics Investigations?

In today’s world where mobile phones are the technology of choice used by millions to communicate, chat applications like Kik Messenger are often used in the commission of crimes like online harassment, or to plan or facilitate crimes like drug trafficking, robbery or murder. More and more digital forensics examiners are seeing the need to investigate Kik Messenger as a vital source of evidence, and the ability to recover data from this app is becoming critical to their investigations.

For both iOS and Android, most Kik artifacts relevant to forensic investigations are stored within SQLite databases, similarly to other mobile chat applications.

For iOS, Kik artifacts can be found at:

/root/var/mobile/Applications/com.kik.chat/Documents/kik.sqlite

For Android, Kik artifacts can be found at:

/data/data/kik.android/databases/kikdatabase.db

These databases store details on the Kik user’s contacts, messages and attachments sent and received through the Kik Messenger application; however, they are structured very differently.

The Key Artifacts That Need to Be Found When Investigating Kik Messenger

1) Kik Contacts

Kik stores user contacts within the SQLite database, in a table called KIKcontactsTable (Android) or ZKIKUSER (iOS). This list contains valuable information for all the user’s contacts, and its contents vary depending on whether the Android or iOS application is used.

The database for both Android and iOS contains a user name and display name for each contact. The user name is a unique identifier for every Kik user. The display name, on the other hand, is the name shown in the user’s chat window, which can be modified by the user at any time. The user name can also be verified with the JID column – a unique identifier appearing in an email address format, ending in an underscore, a 3 character string, and a “@talk.kik.com” domain. For example, if my user name was jmcquaid, my JID would be “jmcquaid_rbs@talk.kik.com” where “rbs” could be a different string value used internally by Kik. In our testing, we have found multiple string values in the JID and while many of them are common across users, we cannot determine their meaning. They are likely used to categorize users internally within the Kik servers.

[Image1]

The Kik contacts tables can also contain profile picture links and timestamps, as well as group and block lists (depending on which application is used).

2) Kik Messages

Given that Kik is a messaging application, it’s likely that the most valuable evidence will be found in the messages themselves. Messages are stored in the messagesTable (Android) or the ZKIKMESSAGE table (iOS).

All messages appear together in the messages table, which can be challenging to sift through if multiple conversations occurred at the same time. To analyze these conversations on Android, investigators need to refer to partner_jid, which identifies who the conversation was with, and was_me, which indicates which party sent or received the message. Additionally, the read_state column indicates whether or not the user has read a given message (a value of 500 means read while 400 means unread). On iOS, the ZUSER column refers to the conversation partner, while the ZTYPE column identifies the sender and receiver.

[Image 2]

While both applications have similar features, the artifacts recovered from each operating system will differ slightly as a result of their respective SQLite database structures.

3) Kik Attachments

Kik Messenger also supports the transfer of photos or attachments. Photos – sent from either the camera or gallery – are stored on the mobile device as a JPG with no file extension. These files are named with a GUID and referenced in the attachment table of the SQLite database.

[Image 3]

It is also worth noting an attachment can include a message; however, the messages and attachments are sent separately in the Kik database. The attachments are represented in the message table as a (null) message but will link to a GUID in the attachments table.
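To show how the Android columns described above (partner_jid, was_me, read_state with its 500/400 values, the JID naming scheme, and null-body rows standing in for attachments) fit together, here is an added example that reconstructs per-contact threads from a constructed in-memory copy of the database; it is not Magnet Forensics code. The column names body, timestamp and content_id, and the sample rows, are assumptions made for the example.

```python
import re
import sqlite3

# JID format from the post: <user name>_<3-char tag>@talk.kik.com
JID_RE = re.compile(r"^(?P<user>.+)_(?P<tag>[A-Za-z0-9]{3})@talk\.kik\.com$")
READ_STATE = {500: "read", 400: "unread"}  # read_state values given in the post


def jid_username(jid):
    """User name embedded in a Kik JID, or None if the string does not fit the format."""
    m = JID_RE.match(jid or "")
    return m.group("user") if m else None


def build_sample_db():
    """Constructed in-memory stand-in for kikdatabase.db (columns beyond the post are assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE KIKcontactsTable(jid TEXT, user_name TEXT, display_name TEXT);
        CREATE TABLE messagesTable(partner_jid TEXT, was_me INTEGER, read_state INTEGER,
                                   body TEXT, timestamp INTEGER, content_id TEXT);""")
    db.executemany("INSERT INTO KIKcontactsTable VALUES (?,?,?)", [
        ("alice_abc@talk.kik.com", "alice", "Alice"),
        ("mallory_q1w@talk.kik.com", "mallory2", "Mallory"),  # user_name disagrees with JID
    ])
    db.executemany("INSERT INTO messagesTable VALUES (?,?,?,?,?,?)", [
        ("alice_abc@talk.kik.com", 1, 500, "hi", 1000, None),
        ("alice_abc@talk.kik.com", 0, 400, "hello", 1001, None),
        ("alice_abc@talk.kik.com", 0, 500, None, 1002, "CONSTRUCTED-GUID-0001"),  # attachment
        ("mallory_q1w@talk.kik.com", 0, 500, "hey", 1003, None),
    ])
    return db


def reconstruct(db):
    """Split messagesTable into per-partner threads; decode direction, read state and attachment GUID."""
    contacts = {jid: (user, disp) for jid, user, disp in
                db.execute("SELECT jid, user_name, display_name FROM KIKcontactsTable")}
    threads = {}
    for partner, was_me, state, body, ts, cid in db.execute(
            "SELECT partner_jid, was_me, read_state, body, timestamp, content_id "
            "FROM messagesTable ORDER BY timestamp"):
        user, disp = contacts.get(partner, (jid_username(partner), None))
        threads.setdefault(partner, []).append({
            "direction": "sent" if was_me else "received",
            "partner": disp or user,
            "jid_consistent": jid_username(partner) == user,  # cross-check described in the post
            "state": READ_STATE.get(state, "unknown(%s)" % state),
            "timestamp": ts,
            "body": body,
            "attachment": cid if body is None else None,  # null body + GUID = attachment
        })
    return threads
```

Running reconstruct(build_sample_db()) yields one thread per partner JID, with the attachment row carrying the GUID that names the extensionless JPG on disk and the contact whose user_name does not match its JID flagged with jid_consistent False.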

Making Kik Messenger Analysis Easier with Internet Evidence Finder (IEF)

Internet Evidence Finder (IEF) is able to recover Kik contacts, messages, and attachments from iOS and Android devices with the use of our Mobile Artifacts Module. It will parse the SQLite database for the artifacts listed above to identify details such as sender, receiver, message, attachment, timestamps, as well as several other values found in the database. IEF will also try to carve this data from unallocated space in the event that some of the data has been deleted, potentially providing investigators with additional messages and artifacts that aren’t found in the SQLite database tables.

Here’s a screenshot of Kik artifacts recovered by IEF:

[Image 4]


  1. Shows whether the message was sent or received by the user
  2. Unique identifier for the other Kik user in conversation.
  3. Shows the message status
  4. Contents of the message (this message was an attachment so there is no body)
  5. Timestamp details
  6. Attachment thumbnail

The ability to recover Kik Messenger artifacts has proven valuable for IEF users. We will continue to update and add additional artifacts as new features are included in the application.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Here are some related resources you might also be interested in:

    1. Read the next blog in our series: Recovering Whatsapp Forensic Artifacts
    2. See what IEF is all about: Attend a Demo
    3. Try IEF for Free:

Jamie McQuaid
Forensics Consultant, Magnet Forensics
