Google Hangouts analysis

Hangouts is a chat/SMS application provided by Google. Hangouts is the default SMS client on Android devices.

Package name: com.google.android.talk

Files of interest:

  • /cache/volleyCache/
  • /databases/babel#.db (our device had babel0.db and babel1.db)
  • /shared_prefs/accounts.xml

The cache directory contains .0 files, as discussed in the Google Maps example. The files contain a URL to fetch the profile pictures of contacts, as well as a JPG embedded within the file. Visiting the URL or carving the JPG from the file will recover the contact's picture.

The babel#.db file contains all messaging data. On our test device, babel0.db was blank and babel1.db had all of the data for the active account. There are many tables within this database worth looking at:

| Table | Description |
|---|---|
| conversations | Contains conversation data. There is a unique conversation_id for each chat. latest_message_timestamp is the time of the most recent chat, in Linux epoch format. The generated_name column has a list of all participants in the chat, minus the account on the device. The snippet_text column is the content of the most recent message; like Gmail, the entire chat is not stored on the device. The latest_message_author_full_name and latest_message_author_first_name columns identify the author of the snippet_text column. The inviter_full_name and inviter_first_name columns identify which person initiated the conversation. |
| dismissed_contacts | Has a list of names of former contacts that had been messaged. These are labelled as a Hidden Contact within the app. |
| messages | As expected, contains a detailed message history for each conversation. Text contains the content of the message, and the timestamp column is the date/time in Linux epoch format. The remote_url column is, once again, a URL to retrieve images shared in the message. Again, it can be accessed publicly. author_chat_id is a value that can be correlated with the participants table to identify the author of each message. |
| participants | Contains a list of people chatted with. Includes full names, profile picture URLs, and a chat_id to identify the person in the messages table. |
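The correlation between messages.author_chat_id and participants.chat_id described above can be scripted into a message timeline. The following is an added example, not code from the book or from Hangouts: the full_name column in participants and the conversation_id column in messages are assumed names, the sample rows are constructed, and the epoch unit (seconds, milliseconds or microseconds) is inferred from the value's magnitude as an assumption.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def epoch_to_utc(value):
    # Assumption: the unit (s, ms or us) is inferred from the magnitude.
    v = int(value)
    per_second = 1_000_000 if v >= 10**14 else 1_000 if v >= 10**11 else 1
    return EPOCH + timedelta(microseconds=v * (1_000_000 // per_second))

def message_timeline(con):
    """Messages in time order, each author resolved through participants."""
    # LEFT JOIN keeps messages whose author has no participants row;
    # GROUP BY stops repeated chat_id rows from duplicating messages.
    sql = """
        SELECT m.conversation_id, m.timestamp, m.author_chat_id,
               p.full_name, m.text, m.remote_url
        FROM messages m
        LEFT JOIN (SELECT chat_id, MIN(full_name) AS full_name
                   FROM participants GROUP BY chat_id) p
               ON p.chat_id = m.author_chat_id
        ORDER BY m.timestamp"""
    return [{"conversation": conv, "utc": epoch_to_utc(ts).isoformat(),
             "author": name or f"unresolved:{chat_id}",
             "text": text, "remote_url": url}
            for conv, ts, chat_id, name, text, url in con.execute(sql)]

def build_sample_db():
    # Constructed sample data, not taken from a real device.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE participants (chat_id TEXT, full_name TEXT);
        CREATE TABLE messages (conversation_id TEXT, author_chat_id TEXT,
                               text TEXT, timestamp INTEGER, remote_url TEXT);
        INSERT INTO participants VALUES ('1001', 'Alice Example');
        INSERT INTO participants VALUES ('1001', 'Alice Example');
        INSERT INTO messages VALUES
          ('c1', '1002', 'on my way', 1400000060000000, NULL),
          ('c1', '1001', 'see photo', 1400000000000000,
           'https://example.invalid/img.jpg');
    """)
    return con

if __name__ == "__main__":
    # For evidence, open a working copy read-only instead:
    # sqlite3.connect("file:babel1.db?mode=ro", uri=True)
    for row in message_timeline(build_sample_db()):
        print(row)
```

Authors reported as unresolved have no matching participants row and are worth checking against dismissed_contacts by hand.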

 

The accounts.xml file has a phone_verification field that contains the phone number associated with the Google account when Hangouts is configured to send SMS. This could be highly useful, because it is frequently difficult to obtain the device's phone number as it is often not stored on the device.
