
The Forensic Investigation of Hike Messenger and Imo Application on Android Devices

Swasti Bhushan Deb, Kolkata, India, swastik.bhushan@gmail.com
Sudhir Misra, Kolkata, India, misra.sudhir@gmail.com

Abstract: Instant Messenger (IM) applications (apps) have always been a vital area of research for forensic examiners. Digital forensic examiners often come across forensic analysis of IM apps for Android devices. After considering the existing research work in this field, this paper focuses on conducting forensic analysis of two popular IMs for Android devices: hike messenger and imo. Tests were conducted on three Android devices. The tests consisted of installing the IM application on each Android device, conducting common user activities through the apps, acquiring the physical image of each device and performing manual forensic analysis of each acquired logical image. The forensic analysis was aimed at determining whether user activities performed through Android based hike and imo IM apps are stored on the Android devices and, if so, what and where the evidentiary artifacts are that hike messenger and imo leave behind on Android devices, and how these artifacts can be gathered for analysis to serve as forensic evidence. The test results show that a significant amount of user data is stored on the internal memory of the Android devices that can be examined and used by forensic examiners.

Keywords: Android forensics; evidentiary artifacts; forensic investigations; hike messenger; imo; instant messenger applications; mobile device forensics.

I. INTRODUCTION

In recent years, IM apps have proven to be a low cost alternative to operator centered messaging services. Paired with social media components and fueled by the growth in mobile internet, these apps offer real time data transmission over the internet. Instant text messaging, group chats, sharing of photos and videos, video and audio calls etc. are common features of IM apps nowadays.

Criminals have also leveraged IM apps for illegal activities. Phishers, fraudsters, child predators, terrorist groups and organized cyber criminals also use IM apps to their advantage [1][2][3]. IM applications such as Hike, imo etc. can also be used as a tool in the commission of crimes like cyber stalking, sextortion, drug trafficking etc. This probably brands IM apps as a rich data source for forensic examiners in terms of investigative leads and evidence, and at the same time underscores the significance of forensic research in this area.

With the increase in cybercrime, digital evidence is becoming an integral part of the judicial system. Digital evidence is to be found everywhere, from computers to mobile phones, ATMs and surveillance cameras, and it is hard to imagine a crime that does not contain any element of digital evidence [4]. According to the National Institute of Standards and Technology (NIST), mobile device forensics is an evolving specialty in the field of digital forensics. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Forensic examination of mobile devices has always been challenging to forensic examiners. Unlike the data acquisition approach for computer environments, where data can usually be extracted in the same state it was found and is preserved from the time of its seizure, extraction of data from mobile devices typically requires intervening on the device [5]. Furthermore, every few months new Android IM apps emerge, and there are numerous ways an Android app can store or obfuscate its data. The way in which data is stored and obfuscated depends on the app developer. Hence keeping pace with the various techniques for app data storage is also a daunting task for forensic examiners.

Despite the popularity of the Android based hike messenger and imo apps, there has been limited published research focused on identifying and analyzing forensic artifacts related to these apps. This paper aims to conclude whether user activities piloted through the Android based hike messenger and imo apps can be located and analyzed for aiding criminal investigations.

The paper is structured as follows: in section 2, related work from the digital forensics community is discussed. Section 3 concentrates on the outline of the research methodology and procedure adopted, followed by the test results in section 4 and discussion of the findings in section 5. Section 6 summarizes concluding remarks and future work. Finally the paper ends with the related references.

II. RELATED WORK

This section details related work.

A. Android Device Forensics

Initial research in this field focused on acquiring the physical image of Android devices using multiple methods and analyzed various forensic artifacts such as call logs, contact list, SMS/MMS etc. [6]. Recent forensic research has focused on specific types of mobile devices. In 2012, C. Racioppo et al. researched how to forensically analyze an Android device, focusing on the HTC Incredible phone [7].
In 2013, a research paper [8] focused on the design and implementation of an Android app that automates the collection of useful data for internal investigations, including policy violations, intellectual property theft, misuse, embezzlement, sabotage, and espionage.

It would also be vital to recognize the work in Andrew Hoog's book Android Forensics: Investigation, Analysis, and Mobile Security for Google Android [9] along with [10]. Android 2.2.x, 2.3.x G and 4.0.x have the vulnerability of generating self-modified fake SMS from any fake number, name, text and time-stamp. So, in [11] the authors presented a way to ascertain application based self-modified and self-generated incoming SMS which can be faked in Android devices.

B. Android IM Forensic Artifacts

Forensic analysis of IM artifacts in Android devices has been the focus of many researchers to date. Noora Al Mutawa et al. [12] made significant efforts to study Facebook, Twitter, and MySpace app artifacts and pointed out that iPhones and Android phones store a significant amount of user data that could be recovered and used by forensic investigators. Forensic analysis of the popular VoIP app Skype demonstrates that Skype call patterns and chat messages not only can be found in both the RAM and NAND flash memories but also can stick there for a long time [13]. A forensic examination showed that ChatON, the IM app preloaded in several Samsung mobiles, leaves behind evidentiary artifacts in Android and iOS devices [14]. The authors were able to identify the location of the files sent during conversations and the timestamp of when they were sent.

Nhien-An Le-Khac et al. [15] forensically acquired and analyzed Tango VoIP for both iOS and Android platforms. Aditya Mahajan et al. [16] discussed in their work that it is possible to locate and analyze WhatsApp and Viber artifacts in Android devices. In [17], the authors concluded that in Android devices it is possible to retrieve partial evidence related to the Viber app via the RAM. Lastly, researchers [18] analyzed 20 IM apps for Android and showed that some IM apps were poor at adopting security and privacy measures, which can be used positively for collecting evidentiary artifacts. To discuss all the research literature on Android IM artifacts is outside the paper's scope, as the objective of this paper is to locate and analyze Hike and imo artifacts in Android devices.

Hence, from the above cited related work, it is clear that there exists no research work to determine the evidentiary artifacts of the hike messenger and imo IM apps for Android devices. Furthermore, from the above mentioned related works, it can be inferred that activities performed through the Android based Hike and imo IM apps may be stored in the internal memory of Android devices and may be located and reconstructed for convicting a criminal involved in a criminal investigation. If so, further research and experimentation focusing on locating and analyzing forensic artifacts of these IM apps are required.

This work complements the existing digital forensic research literature by answering the question whether activities performed through the hike messenger and imo IM apps are stored on Android devices and whether the same can be reconstructed for forensic purposes.

III. RESEARCH METHODOLOGY

The experiments were conducted in a forensically sound manner. To ensure the quality of the testing methods along with the reliability and validity of the results, the test and examination procedures were derived from the Computer Forensics Tool Testing program guidelines issued by the National Institute of Standards and Technology (NIST) [19]. In order to address the objectives of this paper, an experiment was designed. Manual forensic analysis was performed on the Android based IM apps hike messenger and imo. The experiments were conducted on three Android devices.

This section of the paper provides a detailed description of the test environment required for this research in addition to the requirements to create such an environment.

A. Test Environment and other Requirements

Prior to initiating the experiments, it was required to set up a forensic workstation configured with all the tools. Following is the list of hardware and software used in performing the experiment.

TABLE I. DEVICES AND TOOLS USED FOR TESTING.

| Hardware/Software | Details and Use |
|---|---|
| Laptop Lenovo Z51 | Windows 8.1, as forensic workstation. |
| Samsung Galaxy Tab 3.8 | Running on Android 4.2.2, as test subject. |
| Samsung Galaxy Grand 2 | Running on Android 4.1, as test subject. |
| LG P698 | Running on Android 2.3.4, as test subject. |
| Magnet Acquire Community Edition | Used for acquisition of the Android devices. |
| Autopsy 3.1.3 | Physical/logical image viewer and analyzer. |
| Oxygen Forensic SQLite Viewer v.2.2 | To view and recover deleted SQLite records. |
| SQLite Manager | For viewing the database schema of SQLite/DB files. |
| Micro USB cable | For connecting the Android devices to the forensic workstation. |

TABLE II. IM APPS TESTED AND THEIR FEATURES.

| App | Details and Features |
|---|---|
| hike messenger version 4.0.6.8.1 | 10 million downloads on Google Play; free hike SMS within India; sharing documents and files; free HD hike-to-hike audio calling; attachments up to 100 MB in size. |
| imo version 9.4.1 | 100 million downloads on Google Play; unlimited text messages; free video and voice calls; group chat; photo and video sharing. |
B. Test Procedure

This section details the test procedure used in this research.

The test procedure adopted in this work consisted of three stages. Stage one: performing user activities via the IM apps on each Android device. Stage two: acquiring the internal memory of the Android devices. Stage three: analyzing the acquired images of the three Android devices.

1) User Activity: This stage consisted of performing user activities that would be of interest to a forensic examiner. All the features (refer Table 1) of the apps were utilized for almost a week on all three Android devices. Prior to performing user activity, the IM apps hike messenger and imo were downloaded from the Google Play Store and installed on each device. Some of the activities performed were also deleted after some time.

2) Acquisition: Device drivers for each Android phone were installed on the forensic workstation prior to acquisition. The acquisition of the Android devices was performed using the Community edition of Magnet Acquire [20]. Magnet ACQUIRE is a mobile forensic imaging application that extracts as much evidence as possible from mobile devices. It was installed on the forensic workstation. A micro USB cable was used to connect the Android devices to the forensic workstation. The Full Image option was selected while acquiring the physical image of each device. The physical images were saved in .raw format.

3) Forensic Examination and Analysis: The objective of this stage is to locate, identify and analyze the artifacts of hike messenger and imo. After acquiring the physical image of each device, the .raw images were imported into Autopsy for identifying the location of traces of user activity performed via the hike messenger and imo apps. First we attempted to identify the Android packages related to the said IM apps. The following Android packages were found to contain evidentiary artifacts.

TABLE III. HIKE MESSENGER AND IMO PACKAGES AND THEIR LOCATION

| App | Package name | Location |
|---|---|---|
| Hike messenger | com.bsb.hike | /data/data/ |
| imo | com.imo.android.imoim | /data/data/ |

These packages were identified and extracted from the image for further analysis. While analyzing the packages, it was noted that the majority of the files were database files. Significant traces of user activity were found in the database files of each package. We utilized SQLite Manager for analyzing the database files. The findings were then corroborated with a live examination of the apps on the Android devices by viewing the activities performed using each app.

IV. RESULTS

We were able to locate and analyze the evidentiary artifacts of hike messenger and imo. Using SQLite Manager we examined a number of database files. The artifacts from each app are detailed below.

A. Hike Messenger Artifacts

The database schemas were analyzed thoroughly and it was found that the user activities performed via the hike messenger app were stored in these databases. The location /data/data/com.bsb.hike/db/databases/ housed the most relevant evidentiary artifacts: two database files that contained traces of user activities.

chats database: The schema of this database revealed individual as well as group chat conversations, chat/audio calls, their participants, file transfers and related timestamps. The contents of the inbox of the mobile device are also found to be associated with the messages table of the chats database. The unreadCount column of the conversations table can be used to identify unread messages. Furthermore, hike messenger can also be used to send a free hike SMS or a regular SMS. Each chat conversation using hike messenger can be related back to the contacts using the msisdn and the onhike column of the conversations table.

hikeusers database: This database contained all the contacts that were either on hike or normal contacts existing on the mobile device. All the contacts that have a hike messenger account are automatically added to the hike friend list.

TABLE IV. HIKE MESSENGER ARTIFACTS.

Artifact location: /data/data/com.bsb.hike/db/databases/

| Evidence description | Artifacts found | Database name | Table name | Timestamp found |
|---|---|---|---|---|
| History of chat logs | Text messages in plain text; status of messages, i.e. seen/unseen; contacts with/without hike messenger. | chats | messages | Yes |
| | Text messages in plain text; MSISDN of contacts; group chat participants. | chats | conversations | Yes |
| Details of chat groups | Group name, group owner, group ID. | chats | groupinfo | No |
| | Group ID, name, MSISDN of each group member. | chats | groupMembers | |
| Contact list details | MSISDN of favorite contacts. | hikeusers | favoritesTable | No |
| | MSISDN of blocked contacts. | hikeusers | blocked | No |
| | Name, MSISDN; last messaged timestamps; timestamps of invitations sent. | hikeusers | users | Yes |
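The hike databases described above can be worked through in code. The following Python script is an added example written for this page; it is not code from the paper or from the hike app. It constructs a small in-memory copy of the two databases using the table and column names the paper documents (conversations.msisdn, onhike, unreadCount, isHikeMessage and msgStatus; users.msisdn, onhike and hikeJoinTime; the blocked table), fills them with invented rows, and runs the examiner queries the text describes: relating each conversation back to a contact through msisdn and onhike, flagging unread conversations with unreadCount, converting the Unix epoch hikeJoinTime with SQLite's datetime() function, and labelling each row with the isHikeMessage/msgStatus meanings the paper gives in Table V below. The message and timestamp column names, the name column in users, and the use of epoch seconds rather than milliseconds are assumptions, not facts from the paper.

```python
"""Constructed hike-style SQLite databases and examiner queries (added example)."""
import sqlite3
from typing import Dict, List, Tuple

# (isHikeMessage, msgStatus) -> meaning, as the paper documents in Table V.
MSG_TYPES: Dict[Tuple[int, int], str] = {
    (1, 6): "incoming hike chat message/sticker",
    (0, 6): "device inbox SMS",
    (1, 5): "incoming message from hike service (team hike)",
    (0, 5): "incoming operator SMS",
    (1, 4): "outgoing hike chat message",
}


def build_constructed_image() -> sqlite3.Connection:
    """Return one connection holding a constructed 'chats' main database with a
    constructed 'hikeusers' database ATTACHed, mirroring the table and column
    names the paper reports. All rows are invented sample data, not an excerpt
    from any real device image."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS hikeusers")
    con.executescript("""
        CREATE TABLE conversations (
            msisdn        TEXT,     -- phone number of the other party (paper)
            onhike        INTEGER,  -- 1 = party has a hike account (paper)
            unreadCount   INTEGER,  -- > 0 marks unread messages (paper)
            isHikeMessage INTEGER,  -- see Table V (paper)
            msgStatus     INTEGER,  -- see Table V (paper)
            message       TEXT,     -- assumed name for the plain-text body
            timestamp     INTEGER   -- assumed name; Unix epoch seconds assumed
        );
        CREATE TABLE hikeusers.users (
            msisdn       TEXT,
            name         TEXT,      -- assumed name for the contact's display name
            onhike       INTEGER,   -- 1 = on hike, 0 = not on hike (paper)
            hikeJoinTime INTEGER    -- Unix epoch (paper); seconds assumed here
        );
        CREATE TABLE hikeusers.blocked (msisdn TEXT);
    """)
    con.executemany("INSERT INTO hikeusers.users VALUES (?,?,?,?)", [
        ("+910000000001", "Alice (constructed)", 1, 1451606400),  # 2016-01-01 00:00:00 UTC
        ("+910000000002", "Bob (constructed)",   0, 0),           # never joined hike
        ("+910000000003", "Carol (constructed)", 1, 1456790400),  # 2016-03-01 00:00:00 UTC
    ])
    con.execute("INSERT INTO hikeusers.blocked VALUES (?)", ("+910000000003",))
    con.executemany("INSERT INTO conversations VALUES (?,?,?,?,?,?,?)", [
        ("+910000000001", 1, 2, 1, 6, "hi, are you there?",   1460000000),
        ("+910000000001", 1, 2, 1, 4, "yes, call me",          1460000060),
        ("+910000000002", 0, 0, 0, 6, "your OTP is 123456",    1460000120),
        ("+910000000002", 0, 0, 0, 5, "operator balance alert", 1460000180),
        ("+910000000003", 1, 0, 1, 5, "welcome to hike!",      1460000240),
    ])
    return con


def reconstruct_conversations(con: sqlite3.Connection) -> List[dict]:
    """Join chats.conversations to hikeusers.users on msisdn (the link the paper
    describes), convert epoch values with datetime(), classify each row with
    Table V and flag parties that appear in the blocked table."""
    sql = """
        SELECT c.msisdn,
               COALESCE(u.name, '<not in device contacts>')         AS party,
               c.onhike, c.unreadCount, c.isHikeMessage, c.msgStatus, c.message,
               datetime(c.timestamp, 'unixepoch')                    AS sent_utc,
               CASE WHEN u.onhike = 1
                    THEN datetime(u.hikeJoinTime, 'unixepoch') END  AS joined_utc,
               EXISTS (SELECT 1 FROM hikeusers.blocked b
                       WHERE b.msisdn = c.msisdn)                    AS party_blocked
        FROM conversations AS c
        LEFT JOIN hikeusers.users AS u ON u.msisdn = c.msisdn
        ORDER BY c.timestamp
    """
    rows = []
    for msisdn, party, onhike, unread, is_hike, status, body, sent, joined, blocked in con.execute(sql):
        rows.append({
            "msisdn": msisdn, "party": party, "onhike": onhike,
            "unread": unread > 0,
            "kind": MSG_TYPES.get((is_hike, status), f"undocumented pair ({is_hike}, {status})"),
            "message": body, "sent_utc": sent,
            "party_joined_hike_utc": joined, "party_blocked": bool(blocked),
        })
    return rows


def print_report(con: sqlite3.Connection) -> None:
    """Print the reconstructed timeline in examiner-friendly form."""
    for r in reconstruct_conversations(con):
        flags = ("UNREAD " if r["unread"] else "") + ("BLOCKED" if r["party_blocked"] else "")
        print(f"{r['sent_utc']}  {r['party']:<22} {r['kind']:<46} {r['message']!r} {flags}")


if __name__ == "__main__":
    print_report(build_constructed_image())
```

Run it directly to print the reconstructed timeline. The query uses datetime(..., 'unixepoch'), which yields UTC; adding the 'localtime' modifier, as the paper did, converts to the workstation's time zone, so the examiner should record which zone the report uses. If an image turns out to store milliseconds, divide the column by 1000 before passing it to datetime(), otherwise every converted date lands far in the future.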
The contents of the users table are also found to be associated with the device contacts. Using the hikeUsers database, a forensic examiner can also identify the mobile phone contacts and their name, phone number etc.

The onhike column of the users table indicates whether a particular user is on hike messenger or not. A value of 1 indicates users having an account on hike messenger. A value of 0 indicates users not using hike messenger. The hikeJoinTime column indicates the date and timestamp a particular user joined hike. These timestamps are in Unix Epoch format and we used the datetime function in SQL to convert the timestamps to local time. The onhike column of the conversations table of the chats database was found to be similar to the onhike column of the users table of the hikeusers database. The findings are detailed in the table above. Database tables that were of no forensic significance were omitted from the findings.

Figure 1. An excerpt from the chats database. This figure shows the text message conversation between hike messenger participants with related timestamps in local time. Tool used: SQLite Manager.

Figure 2. An excerpt from the chats database. The figure illustrates the incoming SMS that are available in the inbox of the mobile device as well as on hike messenger. Tool used: SQLite Manager.

1) Significance of the msgStatus column: In the chats database, the msgStatus column of the conversations table defines the type of communication. The details are illustrated in the table below:

TABLE V. VALUES OF THE isHikeMessage AND msgStatus COLUMNS AND THEIR SIGNIFICANCE.

Artifact location: /data/data/com.bsb.hike/db/databases/chats

| isHikeMessage value | msgStatus value | Significance |
|---|---|---|
| 1 | 6 | Incoming text messages and stickers sent by users using hike messenger. It indicates live chat communication between participants. |
| 0 | 6 | Inbox SMSs. |
| 1 | 5 | Incoming text messages and stickers from the hike messenger service provider (sender named as team hike). |
| 0 | 5 | Incoming text messages from the operator based SMS service. |
| 1 | 4 | Outgoing text messages sent via hike messenger. |

Figure 3. Illustration of the corroboration of the findings from manual analysis of the chats database against the actual chat logs on hike messenger. The results were obtained for a msgStatus column value of 4 and an isHikeMessage column value of 1. Tool used: SQLite Manager.

B. Imo Artifacts

Examination of the database files found in the location /data/data/com.imo.android.imoim/databases/ revealed traces of user activity performed via imo. The following database files were found to be forensically significant.
imo: imo user account details.

imofriends.db: The friends and phone_numbers tables of the imofriends.db database can be utilized by forensic examiners to relate the names of imo friends to their mobile numbers. The names of imo friends are associated with the names in the contact list existing on the mobile device.

sms_invites: SMS invites sent by the imo user.

TABLE VI. IMO ARTIFACTS

Artifact location: /data/data/com.imo.android.imoim/databases/

| Evidence description | Artifacts found | Database name | Table name | Timestamp found |
|---|---|---|---|---|
| imo contact list | Full name of imo contacts; blocked imo contacts; alias names. | imofriends.db | friends | No |
| | Chat contents and type: text messages or incoming/outgoing video calls. | imofriends.db | chats | Yes |
| SMS invites sent via imo | Name and phone numbers of the contact; number of times sent. | sms_invites.db | sms_invites | Yes |
| imo contact list | Phone numbers of imo contacts. | imophonebook.db | favoritesTable | No |
| imo account details | imo UID; alias name in plain text. | imo | accounts | No |

Figure 4. An excerpt from the chats table of the imofriends.db database. The figure illustrates incoming and outgoing calls, names of participants and related timestamps. Tool used: SQLite Manager.

Imo facilitates both audio and video calls. The forensic examiner can use the chats table of the imofriends.db database to reconstruct the particulars of audio as well as video calls. Table 7 details the chat_type column values and their significance.

TABLE VII. CHAT_TYPE COLUMN VALUES AND THEIR SIGNIFICANCE.

| chat_type column value | Significance |
|---|---|
| outgoing_video_call | Outgoing video calls |
| missed_video_call | Missed video calls |
| chat | Text chat |

The imo database can be used by the examiner to enumerate account information of the imo user. Figure 5 illustrates the same. However, the password column value was found to be null. The name associated with the imo account could be determined.

Figure 5. An excerpt from the accounts table of the imo database. Tool used: SQLite Manager.

V. FINDINGS AND DISCUSSION

In section 4, the artifacts were located and analyzed. The results were presented which address the research objectives of this paper. The key finding is that activities performed through the Android based hike and imo IM apps are stored in the internal memory of Android devices and may be located and reconstructed for convicting a criminal involved in a criminal investigation. The analysis performed on three Android devices yielded the same results. This makes evident that forensic examiners can reconstruct user activities performed via the hike messenger and imo apps on Android devices. The table below details the findings of this paper.

TABLE VIII. HIKE MESSENGER AND IMO ARTIFACTS THAT CAN BE RECONSTRUCTED.

| Artifacts | hike messenger | imo |
|---|---|---|
| Individual and group chats | Yes | Yes |
| Deleted chat logs, videos etc. | Yes | Yes |
| Encrypted conversation | No | No |
| Audio calls with timestamps | Yes | Yes |
| Video calls with timestamps | No (feature not available) | Yes |
| Participants' names and mobile numbers | Yes | Yes |
| Document files sent/received | Yes (path included) | No such feature |
| Conversation timestamps | Yes | Yes |
| Audio files sent/received | Yes (path included) | Yes |
| Video files sent/received | Yes (path included) | Yes |

It is worth mentioning that hike messenger can be used to share photos from the gallery, audio and video files, .doc and pdf files up to 100MB, geographical location and contacts as well. On the other hand, the imo app does not facilitate attachments like pdf, document files etc., and hence the presence of such artifacts could not be established.

In case of evidence reconstruction in the absence of intermediate evidence (for e.g. intentional deletion of chat history, call records, pictures/videos etc.), the rollback journal files of the SQLite databases can provide the best possible source for recovering deleted records. Each of the SQLite databases in
the hike and imo database folders was found to be associated with rollback journal files that maintain a history of the input and output records plus the changes that have been made to the database. For recovering deleted activities, Oxygen Forensic SQLite Viewer v.2.2 [21] was used to recover deleted traces of evidence from the respective packages of both messengers.

Figure 6 demonstrates a sample recovery of a deleted text chat record of hike messenger. The chats database of hike messenger was imported into Oxygen Forensic SQLite Viewer to recover the deleted chat records. Similar results were obtained from the imofriends.db database of imo, which leads to the conclusion that deleted traces of activities can also be reconstructed for the Android based hike and imo applications.

Figure 6. An excerpt of the chats database of hike messenger. The figure illustrates the recovery of deleted text messages from the conversations table of the chats database (annotated: deleted mobile number of the sender; text of the deleted text message). Tool used: Oxygen Forensic SQLite Viewer v.2.2.

VI. CONCLUSION AND FUTURE WORK

This work aimed to determine whether user activities performed via hike messenger and imo are stored in the internal memory of Android devices. It explored the forensic acquisition and manual analysis of the physical images of three Android devices. The results of this research are a decent indication of what is to be expected and what is not to be expected from the forensic examination of hike messenger and imo on Android devices. The results show that both IM apps record user activities such as text communication, incoming/outgoing calls etc. in database files. The data locations and the database names can be utilized to locate and reconstruct user activities performed via the said apps. Future work can be conducted to enumerate forensic artifacts of the hike messenger and imo apps, particularly by using logical acquisition of Android devices, the results of which can also be compared with the results achieved in this paper.

This paper has documented the type, location and significance of user activities that are stored in the internal memory of Android devices. The authors hope that this research can serve as a ready reference for forensic examiners and law enforcement officers while investigating hike messenger and imo on Android devices.

REFERENCES

[1] North Brookfield Man Charged with Child Enticement Offenses [Online]. Available: https://www.fbi.gov/boston/press-releases/2015/north-brookfield-man-charged-with-child-enticement-offenses/
[2] Drug dealer gave schoolgirl cocaine and ketamine after grooming her through 'Kik' instant messenger app [Online]. Available: http://www.mirror.co.uk/news/uk-news/drug-dealer-gave-schoolgirl-cocaine-5697798
[3] Angela Orebaugh and Dr. Jeremy Allnutt, "Data mining instant messaging communications to perform author identification for cybercrime investigations," in Digital Forensics and Cyber Crime, vol. 31, Sanjay Goel, Ed., Springer Berlin Heidelberg, 2010, pp. 99-110.
[4] Richard de Beer, Adrie Stander and Jean-Paul Van Belle, "Anti-forensics: A practitioner perspective," International Journal of Cyber-Security and Digital Forensics, vol. 4, no. 2, 2015.
[5] Andre Morum de L. Simao, Fabio Caus Sicoli, Laerte Peotta de Melo and Rafael Timoteo de Sousa Junior, "Acquisition of digital evidence in Android smartphones," in 9th Australian Digital Forensics Conference, Edith Cowan University, Perth, Western Australia, 2011, pp. 116-124.
[6] Jeff Lessard and Gary C. Kessler, "Android Forensics: Simplifying Cell Phone Examinations," Small Scale Digital Device Forensics Journal, vol. 4, no. 1, 2010.
[7] C. Racioppo and N. Murthy, "Android forensics: A Case Study of the HTC Incredible Phone," in Proceedings of Student-Faculty Research Day, White Plains, New York, 2012, pp. B6.1-B6.8.
[8] Justin Grover, "Android forensics: Automated data collection and reporting from a mobile device," Digital Investigation, vol. 10, pp. S12-S20, Aug. 2013.
[9] Android Forensics: Investigation, Analysis, and Mobile Security for Google Android, 1st ed., Syngress, Waltham, pp. 195-364.
[10] Learning Android Forensics, 1st ed., Packt Publishing Ltd, 35 Livery Street, Birmingham B3 2PB, UK, 2015, pp. 191-247.
[11] Aditya Mahajan, Laxmikant Gudipaty and Dr. M. S. Dahiya, "Identification of Fake SMS generated using Android Applications in Android Devices," International Journal of Scientific & Engineering Research, vol. 4, no. 9, Sep. 2013.
[12] Justin Grover, "Forensic analysis of social networking applications on mobile devices," Digital Investigation, vol. 9, pp. S24-S33, Aug. 2012.
[13] Mohammed I. Al-Saleh and Yahya A. Forihat, "Skype Forensics in Android Devices," International Journal of Computer Applications, vol. 78, no. 7, Sep. 2013.
[14] Asif Iqbal et al., "Forensic artifacts of the ChatON Instant Messaging application," in 8th International Workshop on Systematic Approaches to Digital Forensics Engineering, 2013, IEEE. doi: 10.1109/SADFE.2013.6911538
[15] Nhien-An Le-Khac, Christos Sgaras, and M-Tahar Kechadi, "Forensic Acquisition and Analysis of Tango VoIP," in International Conference on Challenges in IT, Engineering and Technology (ICCIET 2014), Phuket, Thailand, 2014, pp. 07-18.
[16] Aditya Mahajan, M. S. Dahiya and H. P. Sanghvi, "Forensic Analysis of Instant Messenger Applications on Android Devices," International Journal of Computer Applications, vol. 68, no. 8, April 2013.
[17] Hai-Cheng, Szu-Wei Yang, Shiuh-Jeng Wang and Jong Hyuk Park, "The Partial Digital Evidence Disclosure in Respect to the Instant Messaging Embedded in Viber Application Regarding an Android Smart Phone," in Information Technology Convergence, Secure and Trust Computing, and Data Management, vol. 180, Netherlands: Springer, 2012, pp. 171-178.
[18] Daniel Walnycky, Ibrahim Baggili, Andrew Marrington, Jason Moore and Frank Breitinger, "Network and device forensic analysis of Android social-messaging applications," Digital Investigation, vol. 14, pp. S77-S84, Aug. 2015.
[19] General Test Methodology for Computer Forensic Tools [Online]. Available: http://www.cftt.nist.gov/documents.htm
[20] Magnet ACQUIRE - Community Edition [Online]. Available: https://www.magnetforensics.com/magnet-acquire/
[21] Oxygen Forensics [Online]. Available: http://www.oxygen-forensic.com/en/
