Tango for Android

[hmahalik]

Description of problem:

Need parsing support for the Tango app. Would also like to use Timesketch for timelining.

Queries are below.
Android based app v 4.4.4 - 5+

Tango_Android.zip

Messages (Base64 encoded) /data/data/com.sgiggle.production/files/tc.db
SELECT
messages.msg_id, 
messages.payload, -- Base64 encoded
messages.type,
datetime(messages.create_time/1000,'UNIXEPOCH','localtime') AS "Created Time",
datetime(messages.send_time/1000,'UNIXEPOCH','localtime') AS "Sent Time",
messages.direction AS "1=Incoming, 2=Outgoing",
likes.msg_id
FROM messages
left join likes on messages.msg_id = likes.msg_id;

Conversations  /data/data/com.sgiggle.production/files/profilecache.db (Base64 encoded)
SELECT 
conversations.conv_id,
conversations.payload --Base64 encoded
FROM conversations

Contacts (Base64 encoded) -/data/data/com.sgiggle.production/files/profilecache.db
SELECT
itemFirstName, -- Base64 encoded
itemLastName, -- Base64 encoded
itemBirthday,
itemGender,
itemStatus, -- Base64 encoded
datetime(itemLastActiveTime/1000,'UNIXEPOCH','localtime') AS "Last Activity",
datetime(itemLastLocalAccessTime/1000,'UNIXEPOCH','localtime') AS "Last Accessed",
itemDistance,
itemIsFriend AS "Is Friend (1=Yes, 0=No)",
itemFriendRequestType,
datetime(itemFriendRequestTime/1000,'UNIXEPOCH','localtime') AS "Friend Request Date",
itemFriendRequestMessage-- Base64 encoded
FROM profiletable

[Onager]

@bethlogic is on it.

[bethlogic]

Heather - I'm working on this one and have a question. With the
information in the database, how do you know who the conversation with? I
don't see any connection between TC.db and profilecache.db.

Unless that is just a problem/limitation of the tango dB's. I might have
blocked that out.

Would you also want the sms table in Tc.db extracted? The example doesn't
have any entries, but I can imagine some.

Elizabeth

On Wed, May 25, 2016, 2:55 PM Daniel White notifications@github.com wrote:

@bethlogic https://github.com/bethlogic is on it.

—
You are receiving this because you were mentioned.

Reply to this email directly or view it on GitHub
#712 (comment)

[hmahalik]

I'm on vacation but will take a closer look when I can. I would love SMS to
be parsed as well. If possible.

On Friday, May 27, 2016, bethlogic notifications@github.com wrote:

Heather - I'm working on this one and have a question. With the
information in the database, how do you know who the conversation with? I
don't see any connection between TC.db and profilecache.db.

Unless that is just a problem/limitation of the tango dB's. I might have
blocked that out.

Would you also want the sms table in Tc.db extracted? The example doesn't
have any entries, but I can imagine some.

Elizabeth

On Wed, May 25, 2016, 2:55 PM Daniel White <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');> wrote:

@bethlogic https://github.com/bethlogic is on it.

—
You are receiving this because you were mentioned.

Reply to this email directly or view it on GitHub
<#712 (comment)

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#712 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ARxRh2Y0ulAbH61ZOmvq4deWW6a9CU43ks5qFymmgaJpZM4IjfOM
.

Heather Mahalik
smarterforensics.com

[hmahalik]

Sorry! Just got back into town. I was pulled on a work trip. I will take a
look at this hopefully today or this weekend.

On Sun, May 29, 2016 at 9:10 AM, Heather Mahalik hmahalik@gmail.com wrote:

I'm on vacation but will take a closer look when I can. I would love SMS
to be parsed as well. If possible.

On Friday, May 27, 2016, bethlogic notifications@github.com wrote:

Heather - I'm working on this one and have a question. With the
information in the database, how do you know who the conversation with? I
don't see any connection between TC.db and profilecache.db.

Unless that is just a problem/limitation of the tango dB's. I might have
blocked that out.

Would you also want the sms table in Tc.db extracted? The example doesn't
have any entries, but I can imagine some.

Elizabeth

On Wed, May 25, 2016, 2:55 PM Daniel White notifications@github.com
wrote:

@bethlogic https://github.com/bethlogic is on it.

—
You are receiving this because you were mentioned.

Reply to this email directly or view it on GitHub
<
https://github.com/log2timeline/plaso/issues/712#issuecomment-221688020>

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#712 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ARxRh2Y0ulAbH61ZOmvq4deWW6a9CU43ks5qFymmgaJpZM4IjfOM
.

Heather Mahalik
smarterforensics.com

Heather Mahalik
smarterforensics.com

[hmahalik]

Ok. I finally had time to dig into this. If it doesn't make sense, let me
know.

The conv_id from messages and conversations in the tc.db need to be
associated to the profilecache.db. In the profilecache.db the profiletable
contains the itemUserid, which is the same as the conv_id. The
itemFirstName and itemLastName are base64 encoded.

Hope that helps,
Heather

On Fri, Jun 10, 2016 at 9:08 AM, Heather Mahalik hmahalik@gmail.com wrote:

Sorry! Just got back into town. I was pulled on a work trip. I will take a
look at this hopefully today or this weekend.

On Sun, May 29, 2016 at 9:10 AM, Heather Mahalik hmahalik@gmail.com
wrote:

I'm on vacation but will take a closer look when I can. I would love SMS
to be parsed as well. If possible.

On Friday, May 27, 2016, bethlogic notifications@github.com wrote:

Heather - I'm working on this one and have a question. With the
information in the database, how do you know who the conversation with? I
don't see any connection between TC.db and profilecache.db.

Unless that is just a problem/limitation of the tango dB's. I might have
blocked that out.

Would you also want the sms table in Tc.db extracted? The example doesn't
have any entries, but I can imagine some.

Elizabeth

On Wed, May 25, 2016, 2:55 PM Daniel White notifications@github.com
wrote:

@bethlogic https://github.com/bethlogic is on it.

—
You are receiving this because you were mentioned.

Reply to this email directly or view it on GitHub
<
https://github.com/log2timeline/plaso/issues/712#issuecomment-221688020>

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#712 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ARxRh2Y0ulAbH61ZOmvq4deWW6a9CU43ks5qFymmgaJpZM4IjfOM
.

Heather Mahalik
smarterforensics.com

Heather Mahalik
smarterforensics.com

Heather Mahalik
smarterforensics.com