Forensic Analysis of Jami for Android,
a Peer-to-Peer Messaging Application

By: Darren Lim
May 1, 2023

CONCEPT:

I did a forensic analysis of Jami to find artifacts that the application stored in the device.  In this blog, I will describe my test data, the acquisition method, and point out artifacts found during my analysis.  

OVERVIEW:

Jami is a messaging application that sends text messages, makes audio/video calls, and shares pictures/files. 

It is a fully distributed network of encrypted peer-to-peer communication that does not use servers for relaying messages or storing information.

TESTING:

Devices

Two devices were used for the test:

  • Motorola Moto G Pure
  • Samsung Galaxy S10 

Jami was installed and Jami profiles were created on both devices.  Potsticker was created on the Motorola device and pbandjay and smaghetti were created on the Samsung device.  The two profiles on the Samsung device were created to help distinguish artifacts.  

Device Specifications:

  • Motorola Moto G Pure
  • Android Version 12
  • Rooted with Magisk (v 25.2)
  • Physical Device

Jami Profile:

  • Device:  Motorola Moto G Pure
  • Jami Name:  potsticker
  • Jami Identity Number: 8049868ca99c6b38744fb360eaaae6935058c55f
  • Jami Version:  20230310-01

Device Specifications:

  • Samsung Galaxy S10
  • Android Version 9.0
  • Not Rooted
  • BlueStacks Emulator (v 5.11.1.1002)

Jami Profile 1:

  • Device:  Samsung Galaxy S10
  • Jami Name:  pbandjay
  • Jami Identity Number: c4abb30be53230d100a676d02324ded3b43b64f0
  • Jami Version:  20230310-01

 

Jami Profile 2:

  • Device:  Samsung Galaxy S10
  • Jami Name:  smaghetti
  • Jami Identity Number: db36a8083908ec8841416103af7c598a7374ddc4
  • Jami Version:  20230310-01

Traffic

Text messages, which included images, were sent between potsticker (Blue Text Box) and pbandjay (Gray Text Box) on:

  • Friday March 17, 2023, between 4:35 pm and 4:42 pm
  • Saturday April 8, 2023, between 2:11 pm and 2:33 pm

 

Text messages, which included images, were sent between potsticker (Blue Text Box) and smaghetti (Gray Text Box) on:

  • Sunday April 16, 2023, between 9:38 pm and 9:50 pm

ACQUISITION:

A file system image was acquired from the Motorola Moto G Pure using Magnet ACQUIRE (v 2.61.0.33597).

ANALYSIS:

The tools used during analysis were:

  • Autopsy v4.15.0
  • Magnet ACQUIRE Output (File System)  v 2.61.0.33597
  • Notepad++ v8.4.8
  • Epoch Converter

 

Package Name

Identifying Jami’s package name helps locate the application in the file system.  The package name is in the Google Play Store’s application URL path.  

Jami’s package name is cx.ring.  It is cx.ring because Jami was previously called GNU Ring.

Installation

One place to validate whether Jami (cx.ring) was installed on the device is the library database (.db) located in:

/data/com.android.vending/databases/library.db

This screenshot shows that Jami (cx.ring) was installed.  Converting the “purchase_time (epoch time)” will display the date and time the application was installed (standard time).
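The lookup described above can be scripted against an exported copy of library.db. This is an added example, not part of the original analysis; it assumes an `ownership` table with `account`, `doc_id` and `purchase_time` (epoch milliseconds) columns, a layout the page does not show, and the account and timestamp in the sample row are constructed.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def installed_apps(db_path, package):
    """Return (doc_id, account, install time in UTC) rows for one package."""
    # mode=ro + immutable=1: SQLite neither writes to the evidence copy
    # nor creates -wal/-shm/journal files beside it.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT doc_id, account, purchase_time FROM ownership "  # assumed schema
            "WHERE doc_id = ? ORDER BY purchase_time", (package,)).fetchall()
    finally:
        con.close()
    out = []
    for doc_id, account, ms in rows:
        # purchase_time is treated as epoch milliseconds; 0/NULL means no timestamp
        when = datetime.fromtimestamp(ms / 1000, timezone.utc).isoformat() if ms else None
        out.append((doc_id, account, when))
    return out

def demo_library():
    """Build a constructed library.db in a temp dir and query it read-only."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "library.db")
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE ownership (account TEXT, doc_id TEXT, purchase_time INTEGER)")
        con.executemany("INSERT INTO ownership VALUES (?, ?, ?)", [
            ("constructed@example.invalid", "cx.ring", 1700000000000),
            ("constructed@example.invalid", "com.example.other", 0),
        ])
        con.commit()
        con.close()
        return installed_apps(db, "cx.ring")

if __name__ == "__main__":
    for row in demo_library():
        print(row)
```

The result is in UTC; apply the device's time zone separately when correlating with what the handset displayed.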

Cryptographic Key

When registering for a Jami account, the user does not need to be connected to the internet.  A file is created that contains the user’s cryptographic key and the user sends the key to whoever they want to communicate with.  The key was found in: 

/data/user/0/cx.ring/files/cb7a5205b179e976

Name Cache

Jami creates a file that lists the usernames that potsticker interacts with.  The file was found in:

/data/user/0/cx.ring/cache/namecache

Along with identifying the three known test subjects (potsticker, pbandjay, and smaghetti), you’ll see another Jami account (grilled cheese) it had interacted with.

 

Message Artifact – Conversations

Creating two Jami profiles allowed me to identify conversation ID folders.  Each folder held the conversation with a specific user.  These were located in:

/data/user/0/cx.ring/files/cb7a5205b179e976/conversations/


Conversation ID:  77917e8d8a09079cc401df9d0a7f79e1ec5f50d9

  • potsticker and pbandjay

Conversation ID:  9c422558f851f54bf2386e42a14c3bdb2f34db63

  • potsticker and smaghetti


Further down into the directory were the conversations:

/data/user/0/cx.ring/files/cb7a5205b179e976/conversations/<conversation ID>/.git/objects

Every text and image sent by potsticker was stored in its respective folder location.  Below are screenshots of four of the conversation artifacts potsticker had with pbandjay and smaghetti. 

In the image below, the artifact revealed the message in plain text and the epoch time.  After converting the epoch time to local time, I was able to correlate the information with the actual message on the device.

  • potsticker (Blue Text Box) and pbandjay (Gray Text Box)

In the image below, the artifact showed the image name.  A search of the image name in the file system revealed the image.  In addition, the artifact showed the epoch time.  After converting the epoch time to local time, I was able to correlate the information with the actual message on the device.

  • potsticker (Blue Text Box) and pbandjay (Gray Text Box)

In the image below, the artifact revealed the message in clear text and the epoch time.  After converting the epoch time to local time, I was able to correlate the information with the actual message on the device.

  • potsticker (Blue Text Box) and smaghetti (Gray Text Box)

In the image below, the artifact showed the image name.  A search of the image name in the file system revealed the image.  In addition, the artifact showed the epoch time.  After converting the epoch time to local time, I was able to correlate the information with the actual message on the device.

  • potsticker (Blue Text Box) and smaghetti (Gray Text Box)
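Because the conversation artifacts sit under .git/objects, they can be read as standard Git loose objects: a zlib stream holding `<type> <size>\0` followed by the body, where a commit's author line carries the epoch time and the writer's UTC offset. The parser below is an added example, not part of the original analysis; the sample commit, its author identity, its timestamp and offset, and the JSON shape of the message are all constructed assumptions.

```python
import json, os, re, tempfile, zlib
from datetime import datetime, timedelta, timezone
from pathlib import Path

# "author <name> <email> 1679096100 -0700": epoch seconds, then the writer's UTC offset
AUTHOR = re.compile(rb"^author .* (\d+) ([+-])(\d\d)(\d\d)$", re.M)

def parse_loose_object(path):
    """Inflate one loose object; return a dict for commits, None for anything else."""
    try:
        raw = zlib.decompress(Path(path).read_bytes())
    except zlib.error:
        return None                                   # not a zlib stream / damaged file
    header, _, body = raw.partition(b"\x00")          # header is b"<type> <size>"
    kind, _, size = header.partition(b" ")
    if kind != b"commit" or int(size) != len(body):
        return None
    head, _, message = body.partition(b"\n\n")        # blank line ends the commit headers
    rec = {"message": message.decode("utf-8", "replace").strip(), "json": None}
    m = AUTHOR.search(head)
    if m:
        offset = timedelta(hours=int(m[3]), minutes=int(m[4])) * (1 if m[2] == b"+" else -1)
        rec["epoch"] = int(m[1])
        rec["local_time"] = datetime.fromtimestamp(rec["epoch"], timezone(offset)).isoformat()
    try:
        rec["json"] = json.loads(rec["message"])      # assumption: message may be JSON
    except ValueError:
        pass                                          # keep the raw text only
    return rec

def walk_objects(objects_dir):
    """Yield parsed commits from <objects_dir>/<2 hex>/<remaining hex> files."""
    for sub in sorted(os.listdir(objects_dir)):
        if re.fullmatch(r"[0-9a-f]{2}", sub):         # skips pack/ and info/
            for name in sorted(os.listdir(os.path.join(objects_dir, sub))):
                rec = parse_loose_object(os.path.join(objects_dir, sub, name))
                if rec:
                    yield rec

def demo_objects():
    """Write one constructed commit object to a temp dir and parse it back."""
    body = (b"tree " + b"0" * 40 + b"\nauthor potsticker <x@example.invalid> 1679096100 -0700\n"
            b"committer potsticker <x@example.invalid> 1679096100 -0700\n\n"
            b'{"body":"constructed test message","type":"text/plain"}\n')
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "ab"))
        Path(tmp, "ab", "c" * 38).write_bytes(zlib.compress(b"commit %d\x00" % len(body) + body))
        return list(walk_objects(tmp))
```

Objects stored in pack files under objects/pack are not covered by this walker and need a Git client or pack parser run against a working copy of the exported folder.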

Message Artifact – Images

In addition to the full conversations that included the texts and images, the images alone were in:

/data/data/cx.ring/files/conversation_data/cb7a5205b179e976/<conversation ID>/

Conversation ID:  77917e8d8a09079cc401df9d0a7f79e1ec5f50d9

  • potsticker and pbandjay
  • Some of the images were named with the LOCAL date and time (YYYYMMDD_HHMMSS) of when the images were sent/received

Conversation ID:  9c422558f851f54bf2386e42a14c3bdb2f34db63

  • potsticker and smaghetti


In the images below, the artifacts revealed the images that were sent by potsticker.  I was able to correlate the images in the artifacts with the actual images on the device.

  • potsticker (Blue Text Box) and pbandjay (Gray Text Box)

In the images below, the artifacts revealed the images that were sent by potsticker.  I was able to correlate the images in the artifacts with the actual images on the device.

  • potsticker (Blue Text Box) and smaghetti (Gray Text Box)

 

CONCLUSION:

Further work could include the testing of audio/video calls, but my current analysis of Jami revealed that the application left valuable artifacts on the device while sending text messages.

The cryptographic key, which users share with whomever they want to communicate with, was in /data/user/0/cx.ring/files/cb7a5205b179e976.

The list of Jami usernames that the user had interacted with was in /data/user/0/cx.ring/cache/namecache.

The conversations, which included the texts and associated images, were in /data/user/0/cx.ring/files/cb7a5205b179e976/conversations/<conversation ID>/.git/objects.

In relation to the conversations, Jami stored them in separate folders identified by conversation IDs.  Furthermore, the conversations were stored in plain text. 

Lastly, the images alone were in /data/data/cx.ring/files/conversation_data/cb7a5205b179e976/<conversation ID>/.