2. CERTAIN DIFFERENCES BETWEEN TELEGRAM VERSIONS
2. CERTAIN DIFFERENCES BETWEEN TELEGRAM VERSIONS
There was able to observe various directory structures with message-related data and messenger settings in the different Telegram versions. Also the internal structure of the “cache4.db” database was changed. There are the following most characteristic changes in the “cache.db” file:
- adding new tables (such as “sharing_locations”, “android_metadata”, “channel_admins”, “bot_cache”);
- renaming and updating the content of another ones (instead of the “User_contacts_v6” and “User_phones_v6” tables, the “User_contacts_v7” and “User_phones_v7” tables with partially changed structure appeared);
- changing the structure of storing information in the "data" fields (for instance, the initial four bytes of the “data” fields of the “messages” table were changed).
For comparison, the typical structure of the “cache4.db” file that was relevant to Telegram 3.12.0 (8421) is shown in the following figure 6 [1].
However, it should be noted that in general, the structure, principles and organization of data storage in the main database file remained unchanged.
Figure 6 Typical structure of the “cache4.db” file (Telegram 3.12.0)
3. MAIN FEATURES OF THE "CACHE4.DB" FILE TABLES
From the point of view of informativeness the most important data are stored in the following tables [1,2]:
- Messages - data on text, media, voice messages, audio calls;
- Enc_chats - data on secret chats details;
- Chats – data on group and channel details;
- Users - information on user name and unique contact ID;
- Media_v2 – information on messages with non-text data;
- User_contacts_v7 - user contact data;
- User_phones_v7 - data on phone numbers of contacts.
The mentioned earlier tables could be conventionally divided into three groups:
- the “Messages” and “Media_v2” tables - these tables provide detailed information on the texts of messages, callings details and sent files. The “data” field contains an information that is important from criminological point of view;
- the “Enc_chats”, “Chats” and “Users” tables - data on regular and secret chats, groups, channels, sent/received files, names and unique contact identifiers. This group complements the data from the “Messages” and “Media_v2” tables and allows us to specify interlocutors and names of the transmitted files;
- the “User_contacts_v7” and “User_phones_v7” tables are independent and self-contained group of interrelated tables that contain information on user names and their phone numbers.
3.1. MESSAGES AND MEDIA_V2 TABLES
The typical structures of the “Messages” and “Media_v2” tables are shown in the following figures 7, 8. In case of the “media” field of the “messages” table is "0", the fields “rowid”, “mid”, “uid”, “date”, “data” fields from the “messages” table are duplicated in the “media_v2” table.
Figure 7 Structure of the “Messages” table
Figure 8 Structure of the “Media_v2” table
The description of the fields of the “Messages” table (similar to the “media_v2” table):
- mid – message id, unique for each message. This field links the “Messages” and “Media_v2” tables;
- uid – a unique user ID or chat ID, but it could be required some mathematical conversions in some cases. This field links the “Messages” table and “Enc_chats”, “Chats”, “Users” ones. Depending on the value of the “uid” field, further information on the interlocutors is taken from one of the “Enc_chats”, “Chats” or “Users” tables.
- date – UNIX timestamp of the message;
- data – one of the main fields that besides the message body contains additional information about message id, sender and addressee identifiers, timestamp. This field actual duplicates data from the “mid”, “uid”, “date” fields. Also, the first 4 bytes of this field allow us to specify the chat type (normal or secret) and voice calls.
- out - message direction, “0” - incoming, “1” - outgoing;
- media – if the field value is “0”, then the message contains a media component and there are duplicate “rowid”, “mid”, “uid”, “date”, “data” fields from the “messages” table in the "media_v2" one. In case of sending a file using the explorer, the “media” field is not equal “0” but rows are also recorded in both tables;
- read_state, send_state, ttl, replydata, imp, mention - other properties of the message.
3.2. ENC_CHATS, CHATS AND USERS TABLES
Figure 9 Structure of the “Chats” table
Figure 10 Structure of the “Enc_chats” table
Figure 11 Structure of the “Users” table
The typical structures of the “Enc_chats”, “Chats” and “Users” tables are shown in the previously figures 9, 10, 11.
The description of some fields of the “Chats” table:
- uid – a unique chat identification number. This field links the “Messages” and “Users” tables;
- name – chat name.
The description of some fields of the “Enc_chats” table:
- uid – unique secret chat identification number. This field links the “Messages” and “Enc_chats” tables;
- name – contact’s name;
- admin_id – unique identification number of a chat administartor.
The description of some fields of the “Users” table:
- uid - unique user ID. This field links the “Messages” and “Users” tables;
- name – contact’s name;
- data – contains a contact’s phone number.
3.3. USER_CONTACTS_V7 AND USER_PHONES_V7 TABLES
Figure 12 Structure of the “User_contacts_v7” table
Figure 13 Structure of the “User_phones_v7” table
The typical structure of the “User_contacts_v7” and “User_phones_v7” tables are shown in the previously figures 12, 13.
The “User_contacts_v7” and “User_phones_v7” tables are interrelated by the “rowid” and “key” fields. The "fname", "sname" fields of the “User_contacts_v7” table contain contacts’ names; the “phone”, “sphone” fields of the “User_phones_v7” table show information on contacts’ phone numbers.
