Thursday, 3 January 2019

CACHE4.DB FILE OF TELEGRAM FOR ANDROID (PART 2)


Maksym Boiko, mboiko25@gmail.com, Kyiv, 2018

CACHE4.DB FILE OF TELEGRAM FOR ANDROID (PART 1)

2. CERTAIN DIFFERENCES BETWEEN TELEGRAM VERSIONS


Different Telegram versions use different directory structures for message-related data and messenger settings. The internal structure of the "cache4.db" database has also changed. The most characteristic changes in the "cache4.db" file are the following:
- adding new tables (such as sharing_locations, android_metadata, channel_admins, bot_cache);
- renaming and updating the content of other tables (instead of the User_contacts_v6 and User_phones_v6 tables, the User_contacts_v7 and User_phones_v7 tables with a partially changed structure appeared);
- changing the structure of the information stored in the "data" fields (for instance, the initial four bytes of the "data" fields of the messages table were changed).
For comparison, the typical structure of the cache4.db file for Telegram 3.12.0 (8421) is shown in figure 6 below [1].
In general, however, the structure, principles and organization of data storage in the main database file remained unchanged.

Figure 6 Typical structure of the "cache4.db" file (Telegram 3.12.0)



3. MAIN FEATURES OF THE "CACHE4.DB" FILE TABLES


In terms of information value, the most important data are stored in the following tables [1,2]:
- Messages - data on text, media, voice messages, audio calls;
- Enc_chats - data on secret chat details;
- Chats - data on group and channel details;
- Users - information on user name and unique contact ID;
- Media_v2 - information on messages with non-text data;
- User_contacts_v7 - user contact data;
- User_phones_v7 - data on phone numbers of contacts.

The tables mentioned above can be conventionally divided into three groups:
- the Messages and Media_v2 tables - these tables provide detailed information on message texts, call details and sent files. The data field contains information that is important from a criminological point of view;
- the Enc_chats, Chats and Users tables - data on regular and secret chats, groups, channels, sent/received files, names and unique contact identifiers. This group complements the data from the Messages and Media_v2 tables and allows us to identify interlocutors and the names of the transmitted files;
- the User_contacts_v7 and User_phones_v7 tables - an independent and self-contained group of interrelated tables that contain information on user names and their phone numbers.

3.1. MESSAGES AND MEDIA_V2 TABLES


The typical structures of the Messages and Media_v2 tables are shown in figures 7 and 8 below. When the media field of the messages table is "0", the rowid, mid, uid, date and data fields from the messages table are duplicated in the "media_v2" table.

Figure 7 Structure of the Messages table

Figure 8 Structure of the "Media_v2" table

The description of the fields of the Messages table (the media_v2 table is similar):
- mid - message id, unique for each message. This field links the Messages and Media_v2 tables;
- uid - a unique user ID or chat ID, although some mathematical conversion may be required in some cases. This field links the Messages table to the Enc_chats, Chats and Users tables. Depending on the value of the uid field, further information on the interlocutors is taken from one of the Enc_chats, Chats or Users tables;
- date - UNIX timestamp of the message;
- data - one of the main fields; besides the message body, it contains additional information about the message id, sender and addressee identifiers, and timestamp. This field actually duplicates the data from the mid, uid and date fields. Also, the first 4 bytes of this field allow us to identify the chat type (normal or secret) and voice calls;
- out - message direction, 0 - incoming, 1 - outgoing;
- media - if the field value is 0, then the message contains a media component and the rowid, mid, uid, date and data fields from the messages table are duplicated in the "media_v2" table. When a file is sent using the explorer, the "media" field is not equal to "0", but rows are still recorded in both tables;
- read_state, send_state, ttl, replydata, imp, mention - other properties of the message.


3.2. ENC_CHATS, CHATS AND USERS TABLES



 Figure 9 Structure of the Chats table


Figure 10 Structure of the Enc_chats table

Figure 11 Structure of the Users table

The typical structures of the Enc_chats, Chats and Users tables are shown in figures 9, 10 and 11 above.
The description of some fields of the Chats table:
- uid - a unique chat identification number. This field links the Messages and Users tables;
- name - chat name.
The description of some fields of the Enc_chats table:
- uid - unique secret chat identification number. This field links the Messages and Enc_chats tables;
- name - contact's name;
- admin_id - unique identification number of a chat administrator.
The description of some fields of the Users table:
- uid - unique user ID. This field links the Messages and Users tables;
- name - contact's name;
- data - contains a contact's phone number.
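
An added example (not part of the original article) of following the links described in sections 3.1 and 3.2 with Python's sqlite3: it joins messages to media_v2 on mid and uid, converts the date field, and resolves uid against the Users, Chats or Enc_chats table. The sample database is constructed with only the columns named in the text and invented rows; the uid conversion in resolve() is an assumption, since the article does not spell it out, and must be checked against the Telegram version under examination.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: only the columns named in the text, invented rows.
SAMPLE = """
CREATE TABLE messages(mid INTEGER, uid INTEGER, date INTEGER, data BLOB, out INTEGER, media INTEGER);
CREATE TABLE media_v2(mid INTEGER, uid INTEGER, date INTEGER, data BLOB);
CREATE TABLE users(uid INTEGER, name TEXT, data BLOB);
CREATE TABLE chats(uid INTEGER, name TEXT);
CREATE TABLE enc_chats(uid INTEGER, name TEXT, admin_id INTEGER);
INSERT INTO users VALUES (1001, 'Alice', x'00');
INSERT INTO chats VALUES (2002, 'Project group');
INSERT INTO enc_chats VALUES (7, 'Bob', 1001);
INSERT INTO messages VALUES (1, 1001, 1546300800, x'00', 0, 1),
  (2, -2002, 1546304400, x'00', 1, 0), (3, 30064771072, 1546308000, x'00', 0, 1),
  (4, 1001, 1546311600, x'00', 1, 5);
INSERT INTO media_v2 VALUES (2, -2002, 1546304400, x'00'), (4, 1001, 1546311600, x'00');
"""

def build_sample():
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE)
    return con

def resolve(con, uid):
    # ASSUMPTION (not stated in the article): low 32 bits > 0 -> user id,
    # < 0 -> negated chat id, == 0 -> secret chat id held in the high 32 bits.
    low = uid & 0xFFFFFFFF
    if low >= 0x80000000:
        low -= 1 << 32  # reinterpret the low half as a signed 32-bit value
    if low > 0:
        table, key = "users", low
    elif low < 0:
        table, key = "chats", -low
    else:
        table, key = "enc_chats", uid >> 32
    row = con.execute(f"SELECT name FROM {table} WHERE uid = ?", (key,)).fetchone()
    return table, (row[0] if row else None)

def timeline(con):
    # LEFT JOIN keeps every message and flags those duplicated in media_v2.
    rows = con.execute(
        "SELECT m.mid, m.uid, m.date, m.out, m.media, v.mid IS NOT NULL "
        "FROM messages m LEFT JOIN media_v2 v ON v.mid = m.mid AND v.uid = m.uid "
        "ORDER BY m.date, m.mid").fetchall()
    result = []
    for mid, uid, date, out, media, dup in rows:
        table, name = resolve(con, uid)
        result.append({"mid": mid, "peer_table": table, "peer": name,
            "when": datetime.fromtimestamp(date, timezone.utc).isoformat(),
            "direction": "outgoing" if out == 1 else "incoming",
            "media": media, "in_media_v2": bool(dup)})
    return result
```

On a working copy of a real database, open it read-only with `sqlite3.connect("file:cache4.db?mode=ro", uri=True)` and pass the connection to `timeline()`. Message 4 in the sample reproduces the case noted above where the media field is not 0 but a row still exists in media_v2.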


3.3. USER_CONTACTS_V7 AND USER_PHONES_V7 TABLES

 Figure 12 Structure of the User_contacts_v7 table

Figure 13 Structure of the User_phones_v7 table

The typical structures of the User_contacts_v7 and User_phones_v7 tables are shown in figures 12 and 13 above.
The User_contacts_v7 and User_phones_v7 tables are interrelated by the rowid and key fields. The "fname" and "sname" fields of the User_contacts_v7 table contain contacts' names; the "phone" and "sphone" fields of the User_phones_v7 table show information on contacts' phone numbers.