Investigating Android Viber
01/12/2023 Friday
Viber is a cross-platform voice-over-IP (VoIP) and instant messaging (IM) service from the Japanese corporation Rakuten. Android Viber allows users to send any kind of message, such as text, video, contact info, and audio, and to exchange and share data with other users. Viber is available on Windows, macOS, Linux, Android, and iOS devices.
Digital Forensics Value of Android Viber
Android Viber artifacts provide information about phone/video calls, messages, and the application configuration data. Viber stores chats on its members' devices. New chat messages are stored in the Viber cloud and can be retrieved from there. This information is critical during the forensic analysis process as it helps us understand the types of artifacts that are likely to remain for digital forensics investigators.
Location and Structure of Android Viber Artifacts
Android Viber artifact records are stored in a database in SQLite format, which can be found at the following location:
data/user/0/com.viber.voip/databases/viber_messages
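To cross-check a tool's output against the raw file, an extracted copy of the database can be inspected read-only. The following is an added example, not code from ArtiFast or from the original post: it hashes the file, confirms the SQLite header, opens it without locking or writing, and lists each table with its columns and row count. The `sample_messages` table and its columns are constructed stand-ins for illustration and are not Viber's schema.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def inspect_db(db_path: Path) -> dict:
    """Summarise an extracted SQLite artifact without writing to it."""
    if db_path.read_bytes()[:16] != SQLITE_MAGIC:
        raise ValueError(f"{db_path} is not a SQLite 3 database")
    before = sha256_file(db_path)
    # Sidecar files can hold records not yet merged into the main file,
    # so report any that were extracted alongside the database.
    sidecars = [s for s in ("-wal", "-shm", "-journal")
                if Path(str(db_path) + s).exists()]
    # mode=ro + immutable=1: open without locking or writing to the evidence copy.
    uri = db_path.resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = {}
        for (name,) in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall():
            cols = [c[1] for c in con.execute(f'PRAGMA table_info("{name}")')]
            rows = con.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
            tables[name] = {"columns": cols, "rows": rows}
    finally:
        con.close()
    # Re-hash to show the inspection left the file byte-for-byte identical.
    return {"sha256": before, "unchanged": sha256_file(db_path) == before,
            "sidecars": sidecars, "tables": tables}

def build_sample(folder: Path) -> Path:
    """Constructed stand-in database; its table and columns are invented."""
    path = folder / "viber_messages"
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sample_messages (id INTEGER, body TEXT, deleted INTEGER)")
    con.executemany("INSERT INTO sample_messages VALUES (?, ?, ?)",
                    [(1, "hello", 0), (2, "removed", 1)])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inspect_db(build_sample(Path(tmp))))
```

Run it against a working copy of the extracted file, never the original evidence, and record the reported hash in the case notes.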
Analyzing Android Viber Artifacts with ArtiFast
This section discusses how to use ArtiFast to extract the Android Viber artifact from an Android device's files and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for the investigation, you can select the Android Viber artifact at the Artifact Selection phase.
Once the ArtiFast parser plugins finish processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Android Viber artifact in ArtiFast.
Android Viber Messages
- Message Date/Time: The date and time when the message was received.
- Read Message Time: The date and time when the message was read.
- Opened: Indicates whether the message was opened.
- Conversation ID: Conversation ID.
- Location Latitude: Location Latitude.
- Read: Indicates whether the message was read or not.
- Recipient Name: Message recipient name.
- Location Longitude: Location Longitude.
- Sender Name: Message sender name.
- Conversation Type: Conversation type.
- Unread: Indicates whether the message was unread.
- Description: Description.
- Participant ID: Participant ID.
- Body: Message body.
- Deleted: Indicates whether the message was deleted.
- Type: Message type.
Android Viber Conversations
- Time: Creation date and time.
- Mute Notification: Indicates whether the conversation is muted or not.
- Message Draft: Message draft.
- Creator Participant ID: Conversation creator ID.
- Favorite Conversation: Indicates whether the conversation is favorite or not.
- Participant ID 1: Conversation first participant’s ID.
- Participant ID 2: Conversation second participant’s ID.
- Participant ID 3: Conversation third participant’s ID.
- Participant ID 4: Conversation fourth participant’s ID.
- Deleted: Indicates whether the conversation was deleted or not.
- Group ID: Group ID.
- Name: Conversation name.
- Conversation Type: Conversation type.
Android Viber Contacts
- Time: The joined date if this contact has a Viber account.
- Display Name: The contact’s name.
- Phone Number: The contact’s phone number.
- Has Viber: Indicates whether the contact has Viber or not.
Android Viber Calls
- Time: Date and time of the call.
- Caller/Callee Name: Username of the Caller or Callee.
- Duration: Call duration in milliseconds.
- Call Direction: Indicates whether the call is incoming or outgoing.
- Viber Call Type: Indicates whether the call was Audio or Video.
- Conversation ID: Conversation ID.
- Message ID: Message ID.
- Canonized Number: User’s phone number.
- Seen: Indicates whether the call was seen or not.
For more information or suggestions please contact: ekrma.elnour@forensafe.com