With this post I will give an overview of the app "Nandbox messenger" for Android.
Information on the app is available from https://nandbox.com/en/messenger/
I've used Android 6 and Nandbox 1.6.485 for my analysis.
To use the messenger you need to register via mail or phone number. Only one is possible.
Path
The path of the application data is:
/data/data/com.nandbox.nandbox
Used Account
The used account can be found in the following file (sqlite-database):
database/courgette
Table: Profile
The earliest entry is the account used in the app.
You can get the username, the MSISDN (for this app, either the mail address or the phone number), and the time the account was created (Unix epoch in ms, UTC).
You can also find the ACCOUNT_ID. This is the primary key in the table and is used as an identifier, e.g. for messages.
In addition to the way above, you can get the MSISDN in use from another file:
shared_prefs/RegisterLevels
It is an XML file. The key "msisdn" holds the value.
Contacts
The contacts can also be found in the main database:
database/courgette
Table: Profile
All entries except the earliest one.
Messages
All messages are stored in the main database:
database/courgette
Table: Message
Timestamps are in Unix Epoch (ms) UTC.
In the table you can also find the path to the media files sent/received (column LOCAL_PATH).
Media Files
Images
The sent/received images are stored at:
/data/media/0/nandbox/nandbox_Image
The name is unique and can be mapped to the message in the database "courgette".
Additionally the images are stored in the cache folder:
/data/data/com.nandbox.nandbox/cache/Image
Here the images have the name [LID]_base64.jpg. LID is the id of the message in the database "courgette".
Audio Files
Audio files are called Voice Notes in this app. They are stored at:
/data/data/com.nandbox.nandbox/cache/Voice_Note
The files have unique names and are m4a files. The names can be mapped to the messages in the database "courgette".
What happens when deleting messages?
Additionally, I've tested what happens if a user deletes a message. One of the features of this app is the recall of messages, even on the device of the communication partner.
I tested both sides: what happens on the side of the user who deletes, and what happens on the device of the communication partner.
Local device
When a message is deleted on one's own device, the message is removed from the database. One can see that a message is missing because a LID is missing. I've not tested the recovery of the entry via carving.
If there was a media file in the message, this file would be deleted in the file system's media folder. For an image this was
/data/media/0/nandbox/nandbox_Image
But the image is still available in the cache folder:
/data/data/com.nandbox.nandbox/cache/Image
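The local-device behaviour above can be checked by correlating the Message table with a listing of the cache folder. The following is an added example, not code from the original post; it assumes LID is an integer column of the Message table and that cache images are literally named `<LID>_base64.jpg`, and all rows and file names in it are constructed.

```python
import re
import sqlite3

# Assumed from the post: table "Message" with columns LID (integer message id)
# and LOCAL_PATH; cache images named "<LID>_base64.jpg". All rows are constructed.
CACHE_NAME = re.compile(r"^(\d+)_base64\.jpg$")


def build_sample_db():
    """Constructed stand-in for database/courgette (the real schema has more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Message (LID INTEGER PRIMARY KEY, LOCAL_PATH TEXT)")
    rows = [
        (1, None),
        (2, "/data/media/0/nandbox/nandbox_Image/IMG_constructed_a.jpg"),
        # LIDs 3 and 4 were deleted by the user, so no rows exist for them
        (5, None),
        (6, "/data/media/0/nandbox/nandbox_Image/IMG_constructed_b.jpg"),
    ]
    conn.executemany("INSERT INTO Message VALUES (?, ?)", rows)
    return conn


def missing_lids(conn):
    """Return LIDs absent between the lowest and highest LID present."""
    present = {row[0] for row in conn.execute("SELECT LID FROM Message")}
    if not present:
        return []
    return [lid for lid in range(min(present), max(present) + 1) if lid not in present]


def orphaned_cache_images(conn, cache_filenames):
    """Return (LID, filename) for cache images whose Message row is gone."""
    present = {row[0] for row in conn.execute("SELECT LID FROM Message")}
    orphans = []
    for name in cache_filenames:
        match = CACHE_NAME.match(name)
        if match and int(match.group(1)) not in present:
            orphans.append((int(match.group(1)), name))
    return sorted(orphans)


if __name__ == "__main__":
    db = build_sample_db()
    cache_listing = ["2_base64.jpg", "4_base64.jpg", "6_base64.jpg", "thumbs.tmp"]
    print("missing LIDs:", missing_lids(db))
    print("orphaned cache images:", orphaned_cache_images(db, cache_listing))
```

A message deleted after the highest surviving LID leaves no gap, so the cache comparison can surface deletions that the gap check alone misses.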
Remote Device
On the remote device you will see a message with the text "**message has been recalled**".
This is also the content in the database.
But: for media files the data is still available in the entry of the database. The path to the image/audio file is in there. And the files themselves are also still in the filesystem.
Finally, when the user on the remote device now deletes the message with the content "**message has been recalled**" the entry is deleted in the database. But a media file would not be removed from the file system.
Conclusion
Nandbox, in the version used, doesn't use any encryption, which makes the analysis simple. And the cache is a goldmine for media files sent or received.
I have not tested the group feature and also not tested the multiple profile feature. So a bit more testing can be done.
Hope you had a fun and informative read.