Monday, August 13, 2018

Finding Discord chats in iOS

Short version:

Discord for iOS keeps chat data in the following directories and files:
  • /private/var/mobile/Containers/Data/Application/*UUID*/Library/Caches/com.hammerandchisel.discord/fsCachedData/
    • The UUID formatted directory name in the path maps to the bundle id of the app. 
    • Chat and media files found in the fsCachedData directory. 
    • All chat content in JSON format.
  • /private/var/mobile/Library/FrontBoard/applicationState.db
    • SQLite database.
    • Contains a bplist that establishes the relationship between the bundle id (com.hammerandchisel.discord), app id (Discord.app) and the UUID folder name in the Applications folder.
    • Look for app name in 'application_identifier_tab' table. Take id number. Use id to extract blob field in the 'kvs' table. Open blob to map UUID to application name.
    • A more direct way to determine the application folder where the data resides is to open each UUID folder one by one and look for the bundle id in the path, or to use commercial tools that make the association for you.
  • /private/var/mobile/Containers/Data/Application/*UUID*/Documents/RCTAsyncLocalStorage_V1/manifest.json
    • Key value pairs in JSON format. 
    • Contains items like 'LAST_VIEWED_PATH', 'first_run_date_key', and 'Emoji UsageHistory.'
Long version:

This post is a continuation of the Discord digital forensic analysis on all platforms on which it is available. The main purpose is to determine where user generated items, like chats and related multimedia files, are located. Discord is supported on browsers and multiple operating systems.

Supported platforms
So far I have reviewed Discord on the following platforms:

Testing Platform

For analysis I am using the following device and equipment:
  • iPhone SE - A1662
  • iOS 11.2.1
  • Jailbroken - Electra
  • Discord app installed and logged in to test account with test data.
  • Forensic workstation with Windows 10 and SANS SIFT in VMware Pro
Acquisition

My first attempt to extract Discord data from the device involved using Magnet Forensics Acquire and Cellebrite Physical Analyzer. None of the available extraction methods provided user generated Discord data. An iTunes backup was also not aggregating any Discord files. The only solution was to try jailbreaking the device in order to access the file system. The instructions I followed for the jailbreak came from the ElcomSoft blog here. It worked.

It is of note that even though the device was jailbroken the extraction/imaging tools at my disposal did not recognize the device as such. My assumption is that the current version of the Apple File Conduit is not compatible with the jailbreak being used. Thankfully it was fairly easy to extract the file system data via SSH connection from the iPhone to the forensic workstation SIFT virtual machine. Sarah Edwards in her 'Getting Saucy with APFS' presentation explains how to make a tarball of the iPhone file system via SSH. It worked like a charm. All done in a single line.
ssh root@iphoneip -p 22 'tar -cf - /private/var' > data.tar
Page 8 of the presentation slides PDF.
Worth watching the whole presentation.
After decompressing the tar bundle, the logical files were processed with Autopsy and Cellebrite Physical Analyzer. No user generated Discord artifacts were present in the tools' parsed artifacts sections.

Analysis

There are multiple ways of navigating the acquired logical files in order to find Discord data. The most basic one is to do an index/text/keyword search for the term 'Discord.' 

Another option is to navigate to the
/private/var/mobile/Containers/Data/Application 
directory and look through the UUID named folders for the one that corresponds to the Discord app.

Commercial tools can establish this association for you.

Cellebrite Physical Analyzer
See the application id, identifier, and source file fields for these values in Physical Analyzer. Since one of the plists with the required information resides in the very directory we are trying to identify to begin with, this method did not seem to be the fastest way to go when a manual examination is being done or when using an open source tool like Autopsy.

My approach:

I looked up the Discord app bundle id and searched for that specific term within the data. There are various ways to obtain this bundle id. For this analysis I searched for the bundle id in a lookup web page here. For the Discord app the bundle id is 'com.hammerandchisel.discord'.

https://offcornerdev.com/bundleid.html

The bundle id keyword search in Autopsy led me to the 'applicationState.db' file located at
/private/var/mobile/Library/FrontBoard/ 
This SQLite database provided the connection between the bundle id and the UUID numbers in the 'Application' directory.

Open the SQLite database with a SQLite browser. Look for the bundle id name in the 'application_identifier_tab' table. Take note of the corresponding id number. In this instance it is 101.

Look at the id field with the 101 value.

Use the 101 id and look for it in the 'kvs' table in the 'application_identifier' field. Export the blob in the value field for that id. The exported data is a bplist that maps all pertinent UUID numbers to the application name and/or bundle id. The data can also be seen in the preview pane in binary mode without the need to export the blob content.

Blob as binary data
If the bplist is exported, a viewer such as Sanderson Forensics BPlister can be used to see the relationship between the UUID and the application we are looking for.

These are the UUIDs we are looking for.
Items of interest, including the chats, were located in the matching UUID directories.
The user data Discord directory per the bplist in my test device was the following:

/private/var/mobile/Containers/Data/Application/97E2A29D-B465-451B-B045-4D480FC7AFE2/
Be aware that the UUID folder name assigned on my device will be different from the one on another device for the same app. In some instances this UUID can also change on the same device, for example if the app is uninstalled and installed again.
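The bundle id to UUID lookup described in the short version and walked through above can be scripted so it runs the same way on every device. The following is an added example written for this post, not the author's code or any tool's API: it queries the 'application_identifier_tab' and 'kvs' tables named above, parses each blob as a bplist, and collects every data-container UUID found in the strings inside it. The sample database it builds is constructed test data, and the assumption that the blob carries the sandbox path as a string inside an NSKeyedArchiver-style '$objects' list is mine; the UUID used is the one quoted in the post.

```python
import plistlib
import re
import sqlite3
import sys

# Constructed sample values for this example. The UUID is the one quoted in the post;
# the table and column names are the ones the post references in applicationState.db.
BUNDLE_ID = "com.hammerandchisel.discord"
SAMPLE_UUID = "97E2A29D-B465-451B-B045-4D480FC7AFE2"
DATA_PATH_PATTERN = r"/private/var/mobile/Containers/Data/Application/([0-9A-Fa-f-]{36})"
STR_RE = re.compile(DATA_PATH_PATTERN)
BYTES_RE = re.compile(DATA_PATH_PATTERN.encode())


def build_sample_db():
    """Build an in-memory stand-in for applicationState.db (constructed test data).

    The kvs blob is a constructed NSKeyedArchiver-style bplist whose $objects list
    carries the app's sandbox path; that layout is an assumption about the real blob.
    A second, non-plist blob is included to show the fallback path.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE application_identifier_tab (id INTEGER PRIMARY KEY, application_identifier TEXT);
        CREATE TABLE key_tab (id INTEGER PRIMARY KEY, key TEXT);
        CREATE TABLE kvs (application_identifier INTEGER, key INTEGER, value BLOB);
        """
    )
    blob = plistlib.dumps(
        {
            "$version": 100000,
            "$archiver": "NSKeyedArchiver",
            "$objects": [
                "$null",
                "/private/var/mobile/Containers/Data/Application/" + SAMPLE_UUID,
                # Bundle container path (constructed); deliberately not a data container.
                "/private/var/containers/Bundle/Application/0E4C1A2B-0000-4000-8000-000000000001/Discord.app",
            ],
        },
        fmt=plistlib.FMT_BINARY,
    )
    con.execute("INSERT INTO application_identifier_tab VALUES (101, ?)", (BUNDLE_ID,))
    con.execute("INSERT INTO key_tab VALUES (1, 'compatibilityInfo')")
    con.execute("INSERT INTO kvs VALUES (101, 1, ?)", (blob,))
    con.execute("INSERT INTO kvs VALUES (101, 2, ?)", (b"not a plist",))
    con.commit()
    return con


def _strings(obj):
    """Yield every string nested anywhere in a parsed plist."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from _strings(value)


def find_app_uuids(con, bundle_id):
    """Return (app id, set of data-container UUIDs) for a bundle id, or (None, set()).

    Step 1 mirrors the post: bundle id -> id in application_identifier_tab.
    Step 2 pulls every kvs blob for that id and looks for sandbox paths inside.
    """
    row = con.execute(
        "SELECT id FROM application_identifier_tab WHERE application_identifier = ?",
        (bundle_id,),
    ).fetchone()
    if row is None:
        return None, set()
    app_id = row[0]
    uuids = set()
    for (blob,) in con.execute(
        "SELECT value FROM kvs WHERE application_identifier = ?", (app_id,)
    ):
        if not blob:
            continue
        try:
            parsed = plistlib.loads(blob)
        except Exception:
            # Not a plist we can parse: scan the raw bytes instead, which still
            # catches ASCII paths embedded in the blob.
            uuids.update(m.group(1).decode().upper() for m in BYTES_RE.finditer(blob))
            continue
        for text in _strings(parsed):
            uuids.update(m.group(1).upper() for m in STR_RE.finditer(text))
    return app_id, uuids


if __name__ == "__main__":
    # Usage: python find_discord_container.py [/path/to/applicationState.db]
    # A real database is opened read-only so the evidence file is never modified.
    if len(sys.argv) > 1:
        con = sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
    else:
        con = build_sample_db()
    app_id, uuids = find_app_uuids(con, BUNDLE_ID)
    print(f"{BUNDLE_ID}: id={app_id} data container UUIDs={sorted(uuids)}")
```

Run it with no arguments to see it work on the constructed database, or pass the path of an exported applicationState.db. The regex only matches the Containers/Data/Application prefix, so bundle container paths that may also be present in the blob are ignored, which is why the sample deliberately includes one.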

After finding the proper UUID named folder for Discord, here is the file structure for it:

Notice 'fsCachedData' right under 'com.hammerandchisel.discord'

Chats and media

The chats were located in the following directory:
/private/var/mobile/Containers/Data/Application/*UUID*/Library/Caches/com.hammerandchisel.discord/fsCachedData/
The chats are in the expected JSON format.

Chat data in JSON
In order to make the chats more human readable I made a simple Python script that gives the option to convert the JSON data into HTML or XLS format.

JSON to HTML/XLS conversion
The script can be found here:
https://github.com/abrignoni/Discord-JSON-chat-conversions
Here is a sample of how the JSON chat looks in HTML format:

Truncated for better viewing
The fields are pretty self explanatory. If the analyst has an urgent interest in the content field in particular and wants to see quickly how the chat flows, then the XLS format is ideal. The XLS format compacts some of the metadata fields in order to show the chat content line by line chronologically, most recent content at the top.
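The conversion step above can be illustrated with a small script of the same kind. This is an added example written for this post; it is not the script linked on GitHub above. It assumes the cached JSON is an array of Discord message objects with the documented 'id', 'author', 'content', 'timestamp' and 'attachments' fields, orders them most recent first like the XLS view, and renders an HTML table. Every cell passes through html.escape, because the chat content in these files was written by third parties and an examiner opening an unescaped report in a browser would otherwise render whatever markup they typed. The sample messages are constructed.

```python
import html
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of a Discord message array. The third message
# carries a script tag on purpose to show why the report must escape content.
SAMPLE_JSON = json.dumps([
    {"id": "1", "author": {"username": "alice", "id": "10"}, "content": "hi there",
     "timestamp": "2018-08-10T14:03:21.123000+00:00", "attachments": []},
    {"id": "3", "author": {"username": "bob", "id": "11"},
     "content": "<script>alert(1)</script>",
     "timestamp": "2018-08-10T14:05:02.000000+00:00",
     "attachments": [{"filename": "pen.jpg", "url": "https://cdn.example.invalid/pen.jpg"}]},
    {"id": "2", "author": {"username": "alice", "id": "10"}, "content": "thumbs up \U0001F44D",
     "timestamp": "2018-08-10T14:04:00.000000+00:00", "attachments": []},
])

COLUMNS = ("timestamp", "author", "content", "attachments", "message_id")


def parse_timestamp(value):
    """Discord timestamps are ISO 8601; normalise a trailing Z and return an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def load_messages(text):
    """Parse a cached chat JSON array and order it most recent first, like the XLS view."""
    messages = json.loads(text)
    if isinstance(messages, dict):
        messages = [messages]  # a cache file holding a single message object
    return sorted(messages, key=lambda m: parse_timestamp(m["timestamp"]), reverse=True)


def to_rows(messages):
    """Flatten each message to the handful of fields an examiner reads line by line."""
    rows = []
    for m in messages:
        author = m.get("author", {})
        rows.append({
            "timestamp": parse_timestamp(m["timestamp"]).isoformat(),
            "author": f"{author.get('username', '?')} ({author.get('id', '?')})",
            "content": m.get("content", ""),
            "attachments": ", ".join(
                a.get("filename", a.get("url", "?")) for a in m.get("attachments", [])
            ),
            "message_id": m.get("id", ""),
        })
    return rows


def to_html(messages):
    """Render the rows as an HTML table. Every cell is escaped so chat text written
    by a third party cannot become markup in the examiner's browser."""
    out = ["<table>",
           "<tr>" + "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS) + "</tr>"]
    for row in to_rows(messages):
        out.append("<tr>" + "".join(f"<td>{html.escape(str(row[c]))}</td>" for c in COLUMNS) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python discord_json_to_html.py [chat.json] > report.html
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_JSON
    print(to_html(load_messages(source)))
```

The emoji in the second sample message survives the conversion untouched, as in the post's XLS output; only characters with a meaning in HTML are rewritten.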

Easy to see the content quickly. Even emojis!!!!
The 'fsCachedData' directory also contains media shared in the chat. In the next image the item line in yellow is the JSON chat file while the item line in blue is a picture of a pen that was shared in chat.

We got media too. UUID like names.
An additional Discord JSON file was located here:
/private/var/mobile/Containers/Data/Application/*UUID*/Documents/RCTAsyncLocalStorage_V1/manifest.json
The UUID in the path above is the same as the one for the location of the chats. It contains multiple items of interest like 'LAST_VIEWED_PATH', 'first_run_date_key', and even 'Emoji UsageHistory.' Here is how it looks after being converted to HTML.

Image truncated for visibility.
Conclusion

Be it via a jailbroken phone or alternate extractions that provide access to the iOS file system, knowing how and where to look for pertinent artifacts can be just as important as the extraction of the file system itself. Hopefully the paths, files and methodology here can speed up Discord artifact examinations.

I plan on taking a look at Discord for Linux soon. This will close out all platform analysis for the Discord service.

As always I can be reached on twitter @alexisbrignoni and email 4n6[at]abrignoni[dot]com.

Thanks!
