Blog >> Android Wickr

Investigating Android Wickr

03/01/2025 Friday

Wickr is an instant messaging app that allows users to send and receive messages in real-time over the internet. It is designed as a multi-platform application, supporting iOS, Android, macOS, Windows, and Linux operating systems. Wickr protects user privacy by providing end-to-end encryption and content-expiring messages. Beyond basic messaging, Wickr also supports sharing multimedia files, voice memos, and conducting encrypted voice and video calls.

Digital Forensics Values of Android Wickr

The encryption service provided by the Wickr app significantly enhances its digital forensic value. Since the app emphasizes privacy, its artifacts are stored in an encrypted format. For this reason, criminals may trust it more than other apps and send messages that revealing their illicit intentions. Consequently, decrypting these artifacts and extracting the information stored within them can be valuable to forensic examiners.

Location of Android Wickr

Android Wickr artifact can be found at the following location:
data/data/*.wickr.*/databases/wickr_db

The information in the following files can be used to extract the Android Wickr database decryption key:
data/data/*.wickr.*/files/kcd.wic
data/data/*.wickr.*/files/kck.wic
*/system/users/*/settings_ssaid.xml

Analyzing Android Wickr Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Android Wickr artifacts from Android machines’ files and what kind of digital forensics insights we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Wickr artifact parser:

Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Wickr artifacts in ArtiFast.

Android Wickr Contacts

• Last Activity Date/Time: Date and time when this account user performed his/her last activity.
• User Alias: This account user alias.
• User Name: This account user name.
• User ID: This account user ID.
• Is Hidden: Indicates whether this user account is hidden or not.
• Is Starred: Indicates whether this user account is starred or not.
• Is Blocked: Indicates whether this user account is blocked or not.
• Is Bot Account: Indicates whether this user account is a bot account or not.
• Is Active: Indicates whether this user account is active or not.

Android Wickr Text Messages

• Message Content: The content of this message.
• Message Sent Date/Time: Message sending date/time.
• Sender Alias: Alias of the message sender.
• Receiver Alias: Alias of the message receiver.
• Message ID: ID of the message.
• Message Direction: Indicates whether this is an outgoing or incoming message.
• Is Read: Indicates whether the message was read or not.
• Conversation Type: Indicates whether this chat is a room or an individual conversation.

Android Wickr Conversations

• Last Sync Date/Time: Date and time when this conversation has been lastly synchronized.
• Last Message Date/Time: Date and time when the last message has been sent/received on this conversation.
• Conversation ID: This chat conversation ID.
• Members: The members of this conversation.
• Conversation Type: Indicates whether this chat is a room or an individual conversation.
• Conversation Title: The title of this conversation.

Android Wickr Locations

• Message Sent Date/Time: Message sending date/time.
• Sender Alias: Alias of the message sender.
• Receiver Alias: Alias of the message receiver.
• Message ID: ID of the message.
• Location Latitude: Sent location latitude.
• Location Longitude: Sent location longitude.
• Message Direction: Indicates whether this is an outgoing or incoming message.
• Is Read: Indicates whether the message was read or not.
• Conversation Type: Indicates whether this chat is a room or an individual conversation.

Android Wickr Calls

• Call Date/Time: Message sending date/time.
• Caller Alias: Alias of the message sender.
• Receiver Alias: Alias of the message receiver.
• Call ID: ID of the message.
• Call Direction: Indicates whether this is an outgoing or incoming message.
• Call Duration: Duration of the call.
• Is Read: Indicates whether the message was read or not.
• Conversation Type: Indicates whether this chat is a room or an individual conversation.

Android Wickr Attachments

• Message Sent Date/Time: Message sending date/time.
• Sender Alias: Alias of the message sender.
• Receiver Alias: Alias of the message receiver.
• Message ID: ID of the message.
• Message Direction: Indicates whether this is an outgoing or incoming message.
• Is Read: Indicates whether the message was read or not.
• Conversation Type: Indicates whether this chat is a room or an individual conversation.
• Attachment URL: Attachment URL.
• Attachment Name: Attachment name.
• Attachment Type: Attachment type.

Android Wickr System Messages

• Message Content: The content of this message.
• Message Sent Date/Time: Message sending date/time.
• Sender Alias: Alias of the message sender.
• Receiver Alias: Alias of the message receiver.
• Message ID: ID of the message.
• Message Direction: Indicates whether this is an outgoing or incoming message.
• Is Read: Indicates whether the message was read or not.
• Conversation Type: Indicates whether this chat is a room or an individual conversation.

For more information or suggestions please contact: kalthoum.karkazan@forensafe.com