Technology has quickly become the most important way we stay connected throughout the world. As such, there are many widely used mobile chat applications, and which ones you encounter may vary depending on your location across the globe. In this blog, we’re going to focus on a few of the less talked about chat applications that you might use or may come across in your mobile examinations.
The processing and parsing of artifacts from Telegram, WeChat, KakaoTalk, and LINE are all supported in AXIOM as of version 4.8, so let’s take a look at these chat applications, specifically for Android devices.
Telegram is a cloud-based messenger application that allows chats, photos, and other files to sync between different devices. In AXIOM Examine, you’ll see artifacts for up to Telegram version 7.3.1 showing chats, contacts, and users from a SQLite database named cache4.db from an Android device. The results in AXIOM will be parsed as seen below:
The application WeChat is another chat platform that is common in some regions around the world. AXIOM will parse WeChat artifacts up to version 7.0.13 on an Android evidence source from a database named EnMicroMsg.db. The output of WeChat Friends and Messages will appear as follows, allowing for a simplified analysis of the data.
On an Android device, the artifacts from the messaging app KakaoTalk up to version 9.1.7 are parsed from two SQLite databases named KakaoTalk.db and KakaoTalk2.db. Not only will you see Calls, Chat Room, Friends, and Messages, but KakaoTalk also has an in-app browser whose history is stored and will be parsed as well.
LINE is a communication platform that allows for chat messaging as well as video and voice calls. The database that holds LINE’s data on an Android mobile device is also in SQLite format, and you will be able to parse artifacts for chats, contacts, and messages in AXIOM up to LINE’s version 10.7.1 as seen below.
AXIOM will hopefully make it easier to analyze these chat applications and get the data you need, so be sure to select them for processing during your mobile device examinations! But, as mobile applications are constantly being updated and new ones introduced, there is always a chance that you may come across an app that AXIOM does not support. Luckily, Magnet Forensics has a FREE tool that can help called the Magnet Custom Artifact Generator (MCAG). Using MCAG, you are able to process SQLite databases and CSV/delimited files to generate custom artifacts to load directly into AXIOM for easy analysis! Read more about MCAG here.
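Before deciding what to build a custom artifact from, it helps to survey the databases named above in an extracted Android file system. The following is an added example, not Magnet Forensics code and not part of AXIOM or MCAG: it hashes each file, checks the SQLite header, and lists tables with row counts through a read-only connection. The `survey` and `build_demo` names and the demo table are hypothetical and constructed for illustration.

```python
import hashlib
import os
import sqlite3
from pathlib import Path

# File names as given in the article; LINE's database name is not stated there.
TARGETS = {"cache4.db": "Telegram", "EnMicroMsg.db": "WeChat",
           "KakaoTalk.db": "KakaoTalk", "KakaoTalk2.db": "KakaoTalk"}
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of a plain SQLite file


def survey(root):
    """Find the named databases under root; hash each, list tables and row counts."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name not in TARGETS:
                continue
            path = Path(dirpath, name).resolve()
            data = path.read_bytes()
            entry = {"app": TARGETS[name], "path": str(path),
                     "sha256": hashlib.sha256(data).hexdigest(),
                     "plain_sqlite": data[:16] == SQLITE_MAGIC, "tables": {}}
            if entry["plain_sqlite"]:
                # mode=ro + immutable=1: SQLite takes no locks and writes nothing
                con = sqlite3.connect(path.as_uri() + "?mode=ro&immutable=1", uri=True)
                try:
                    names = [r[0] for r in con.execute(
                        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
                    for t in names:
                        quoted = '"' + t.replace('"', '""') + '"'
                        entry["tables"][t] = con.execute(
                            f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
                finally:
                    con.close()
            results.append(entry)
    return results


def build_demo(root):
    """Constructed sample data: one real SQLite file and one file without the header."""
    db_dir = os.path.join(root, "databases")
    os.makedirs(db_dir, exist_ok=True)
    con = sqlite3.connect(os.path.join(db_dir, "KakaoTalk.db"))
    con.execute("CREATE TABLE demo_messages (id INTEGER, body TEXT)")  # constructed table
    con.executemany("INSERT INTO demo_messages VALUES (?, ?)", [(1, "hi"), (2, "bye")])
    con.commit()
    con.close()
    Path(db_dir, "EnMicroMsg.db").write_bytes(b"\x00" * 32)  # constructed, not SQLite
```

Because the connection is opened with `immutable=1`, records still sitting in a `-wal` file beside the database are not counted. A file that fails the header check (for example an encrypted or damaged one) is reported with its hash but not opened.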