What is this post about?
In my latest examinations of devices I had several contacts with Tox or, to be more clear, apps that use the Tox Protocol to communicate. I had never heart of it before so I needed to look it up.
In short, it is an Open Source Project to build a free and secure (E2E-encrypted without a centralized infrastructure) instand messaging and video calling protocol.
You can find more infos about Tox under https://tox.chat/
Because in the cases I had worked on I really needed to see what and to whom the person has communicated with over Tox I started analysing it more deeply.
There are different clients for different operating systems. This post will start with the analysis of Antox, one client for the Androoid OS. The client qtox, for Windows and Linux, will follow in another post.
Btw, this post does not go into the technical detail of the used encryption, anonymisation and authentication mechanisms used within Tox and its clients. Everything is Open Source, so one can look this up in the documentation and in the source code.
Okay, let's start.
Overview of the app
Name: Antox
Current Version on Google Play: 0.25.515 (also the tested version)
Path (TOXPATH): /data/data/chat/tox/antox
Databases of interest
Chat History
The database with the chat history in it is located under:
TOXPATH/databases/[tox_username]
So, for a tox username like "4n6" the database would be named and located like:
TOXPATH/databases/4n6
In this database are four tables, the structure is really simple to understand, awesome clear design.
1. Table contacts:
Like the name says the contact list is stored in here.
2. Table friend_requests:
The open received friend requests are stored in here
3. Table group_invites:
The open group invites are stored in here.
4. Table messages:
The sent and received messages are in here including media messages and calls. The media itself is stored separately (more later). The timestamps are in UTC.
I have created two sql statements to get data out of the database. One for the contacts and one for the messages.
You can find both of them in my Github. https://github.com/kalink0/useful_scripts/tree/master/sql/Android/Antox
User Account
There is also a database with information about the used tox accounts.
TOXPATH/databases/userdb
This database contains all used accounts. Also the ones that were deleted. But only the username is stored, not the tox_id which is the real identifier in tox.
Files of interest
The Tox-File
The tox file stores the account information.
TOXPATH/files/[tox_username]
If the account is created with a passphrase than the content is encrypted.
But with Antox itself it is not possible to create an encrypted tox file, you can just open them.
Tox-Files can than be copied from one device to another to use the account. E.g. a tox file created with a passphrase in qtox can be copied on an Android device and used their with the passphrase.
But the protocol is not build to use the same account on different devices at the same time.
Preferences Files
The preferences of the app are stored in the following file:
TOXPATH/shared_prefs/chat.tox.antox_preferences
It is a XML file. It contains information about teh settings. e,g, The used proxy address, if autostart is enabled, if notifications are allowed and much more.
Also very interesting in this file is e.g.:
1. The (last) active account including the tox id
2. If auto accept of files and media is enabled
Media files
Okay so what happens when sending/receiving media files?
1. Both communication partners need to be online the moment one wants to send media via Antox.
2. Default: The receiver of the media needs to accept the file actively. THe receiver cannot see the content of the file (no thumb) before it is completely received.
3. The sender of the media cannot see if the receiver has accepted and downloaded the media. But in the database of the user, table "messages" one has a column "successfully_sent". If the value is "1" the receiver has fully downloaded the file.
4. Sent media is not stored separately. In the database the original file name is stored. SO one can search for this file name. If it is still there and if it is not changed one can determine which file was sent.
5. Received filed are stored in /media/Downloads/Tox Received Files
6. In the folder /media/Antox there are the QR-Codes of the Accounts saved. They can be used to make it simple adding a new contact.
Messages
Okay, now normal text messages, how does this work?
1. One can send a message even if the communication partner is offline.
2. Deleting messages (also media) on sender side only affects the sender side.
3. Deleting messages (also media) on receiver side only affects the receiver side.
4. Deletion of files seems to zero out the content in the database. I was not able to recover data (I tested it with the sql parse script from Maria deGrazia. My old friend, the hex editor, only saw zeroes and I could not find the strings that were in the message. A WAL-File is not used by the database.
I will test the database with the Oxygen Forensics SQLite-Tool to see if it can recover anything. But because I cannot find anything with the Hex-Editor I don't think it will work.
5. When disabling the option "Keep Chat History on Logout" in the profile all messages are deleted in the database when logging out. Same we under number 4, I could not find any data left.
Some important findings
1. One needs to use the password of a tox account the first time one imports the tox file. But after this no password is needed.
2. The database with the messages in it is always unencrypted. Even if a passphrase is used.
3. If a account is deleted the whole database is deleted in the filesystem. But the info about the account is still in the userdb database and also the tox file of the deleted account still exists.Conclusion
When finding Antox on an Android device you can have a really good chance to find valuable information because their is no encryption at the moment of the data in on the device.
Also, even if an account was deleted after its usage there is still information that this account was used on the device.
My analysis of qtox on WIndows and Linux will follow here on my blog. Just a short forecast -> The desktop app makes it more difficult to get data.