TikTok Forensics – Method to Get Messages from TikTok Database in iOS
This article explains the steps to retrieve messages from the TikTok app's database on iOS. Users and forensic examiners can find chats and media in the SQLite database the app creates.
Recently, one of the most downloaded iPhone applications in the world was banned because of inadequate privacy settings. The ban followed investigations by cybersecurity experts who found that even small children were exposing their identities publicly on the platform. There were other privacy concerns as well, and as a result the TikTok application is banned and users cannot download it from the App Store or Play Store.
This presents forensic examiners with a challenge: how can they examine the communication users carried out through the app? In this article we discuss the steps to retrieve TikTok messages from an iOS device using its SQLite database.
Steps for TikTok Data Acquisition
The following section of the article describes the steps to get user data from the TikTok application on iOS.
Step 1 – First, locate the Bundle ID, which is unique for every Apple application.
Step 2 – Go to /private/var/mobile/Library/FrontBoard/ to access the applicationState.db file.
This database file provides the connection between the bundle ID and the UUID of the application directory. Open it in an SQLite database viewer; the same viewer is used later to read the TikTok chats and messages. Find the bundle name in the application_identifier_tab table and note the corresponding id number.
Step 3 – Now find that id in the “kvs” table, in the “application_identifier” column, and export the blob in the value field. The exported data is a bplist that maps all the UUIDs to the bundle ID or application name.
Step 4 – After identifying the right application directory, move it to the forensic workstation.
Method to Recover Chat & Media from TikTok in iOS
The chats and messages of the TikTok application are accessed by combining the contents of two tables in two separate databases: the TIMMessageORM table in db.sqlite and the awemecontacts table in AwemeIM.db. They are located at Support/ChatFiles/User-ID/db.sqlite and /private/var/mobile/Containers/Data/Application/UU-ID/Documents/AwemeIM.db respectively.
Running the message query from the DFIR SQL Query Repo gives the following result:
The columns in that table have the following meanings:
- sender – The numeric user ID of the sender. This value is used to join the two tables so that usernames can be resolved.
- profilepicURL – The link to the user’s profile picture.
- customID – The username of the account.
- nickname – The nickname of the account.
- Local_create_time – The device time of the message.
- servercreatedat – The server time of a sent message. If it is 0, the message never left the device.
- message – The content of the message.
- localresponse – Additional information about the message. For a message that did not leave the device, it holds diagnostic information.
- links_display_name – If the user replied with an image or a GIF, the display name of that file.
- links_gif_url – The URL of the shared image or GIF. It can be accessed without any authentication.
The user data query in the DFIR SQL Query Repo produces the following output:
The columns in that table denote the following:
- uid – The numeric user ID.
- CustomID – The account username.
- nickname – The nickname of the account.
- latestchattimestamp – The timestamp of the last chat with this user.
- url1 – The link to the user’s profile picture.
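The cross-database join described above (messages in db.sqlite resolved against usernames in AwemeIM.db on sender = uid) as an added example, not code from the article or the DFIR SQL Query Repo. The table layouts and sample rows are constructed from the column names the article lists; the real TikTok schemas are wider and change between app versions, so the SELECT would need adjusting against an actual extraction.

```python
import os
import sqlite3
import tempfile
# Constructed sample schemas: column names follow the article's query output;
# the real TikTok tables are wider and change between app versions.
CHAT_SCHEMA = """CREATE TABLE TIMMessageORM (sender INTEGER, local_create_time INTEGER,
    servercreatedat INTEGER, message TEXT, localresponse TEXT, links_display_name TEXT,
    links_gif_url TEXT)"""
CONTACT_SCHEMA = """CREATE TABLE awemecontacts (uid INTEGER PRIMARY KEY, customid TEXT,
    nickname TEXT, latestchattimestamp INTEGER, url1 TEXT)"""
SAMPLE_CHATS = [  # constructed rows; servercreatedat = 0 marks a message that never left the device
    (1001, 1594000000, 1594000002, "hi there", None, None, None),
    (1002, 1594000100, 0, "never sent", "send failed", None, None),
    (1001, 1594000200, 1594000205, "", None, "funny.gif", "https://example.invalid/funny.gif")]
SAMPLE_CONTACTS = [(1001, "alice_ex", "Alice", 1594000200, "https://example.invalid/alice.jpg"),
                   (1002, "bob_ex", "Bob", 1594000100, "https://example.invalid/bob.jpg")]
# Messages in db.sqlite joined to usernames in the attached AwemeIM.db on sender = uid.
JOIN_SQL = """SELECT m.sender, c.url1 AS profilepicURL, c.customid AS customID, c.nickname,
       m.local_create_time, m.servercreatedat, m.message, m.localresponse,
       m.links_display_name, m.links_gif_url
FROM TIMMessageORM AS m LEFT JOIN contacts.awemecontacts AS c ON c.uid = m.sender
ORDER BY m.local_create_time"""

def build_sample_dbs(workdir):
    """Write the two constructed SQLite files an examiner would copy off the device."""
    chat_path, contact_path = os.path.join(workdir, "db.sqlite"), os.path.join(workdir, "AwemeIM.db")
    for path, schema, table, rows in ((chat_path, CHAT_SCHEMA, "TIMMessageORM", SAMPLE_CHATS),
                                      (contact_path, CONTACT_SCHEMA, "awemecontacts", SAMPLE_CONTACTS)):
        con = sqlite3.connect(path)
        con.execute(schema)
        con.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
        con.commit()
        con.close()
    return chat_path, contact_path

def extract_messages(chat_path, contact_path):
    """Open db.sqlite read-only, ATTACH AwemeIM.db, run the join, flag unsent messages."""
    con = sqlite3.connect(f"file:{chat_path}?mode=ro", uri=True)  # never write to evidence
    con.row_factory = sqlite3.Row
    con.execute("ATTACH DATABASE ? AS contacts", (contact_path,))
    rows = [dict(r) for r in con.execute(JOIN_SQL)]
    con.close()
    for r in rows:  # servercreatedat of 0 means the message never reached the server
        r["left_device"] = r["servercreatedat"] != 0
    return rows

def demo():
    """Build the sample files in a temp dir and return the joined rows."""
    with tempfile.TemporaryDirectory() as workdir:
        return extract_messages(*build_sample_dbs(workdir))
```

Point `extract_messages` at the two files copied from the device to run the same join against a real extraction; a sender with no row in awemecontacts comes back with empty username fields because of the LEFT JOIN.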
The UID number can also be used to open the user's public profile in a browser, which shows all the videos shared publicly on that profile. The URL below does this:
https://m.tiktok.com/h5/share/usr/(insert username ID number from DB).html
Moreover, videos created in the TikTok application can be found in .mp4 format in the following directory:
/private/var/mobile/Containers/Data/Application/UU-ID/temp/
Conclusion
Because the TikTok application was banned a few days ago, forensic examiners may run into difficulties retrieving messages from the TikTok app on iOS. This article presents a way to find messages from the application using the database it creates on iOS. That DB file can be opened with an SQLite database viewer tool.