Reddit in general
So this is probably not new to much of the readers of this blog, Reddit is kind of a big deal at this moment in its lifespan. For those who do not know though, Reddit is a social media platform that touts itself as the “Frontpage of the Internet”
What makes this social media platform so much different than say Facebook or Twitter — is the platform is designed around mini sub forums where like minded folks can get together to discuss current event topics or other random thoughts. And just how many are there? And why is this little internet space considered a hot-topic for your investigations?
As far as how many members are currently on the site is quite arbitrary from what I could find. But it appears the consensus is there is roughly 250 Million active users on the site at any given time.
Okay, so how does it work?
For the longest time, Reddit did not require you to register with an email address. The thought and theory most likely behind this was 2-fold I’m sure, even if this subliminally only thought of it. The first, is if they ever were breached there was minimal exposure of the user-base towards directed attacks towards them based on posts/topics being attributed to a specific person. This came to light 4 days ago when Reddit finally announced they had been breached and data from a 2007 dump was lost to the attacker(s).
The second was to keep the site anonymous if the user chose to, without fear of being exposed. The goal has always seemed to be for Reddit to maintain that Privacy Advocacy, as seen with recent movements with EFF, ACLU and directed lobbying attempts at issues such as Net Neutrality.
But now when you try to sign up….
You are greeted with this. So, now your user-base is required to use an email address to gain access to the site. What this means for investigative significance is tracking down all those emails that someone may be using. But what if the user never uses a computer? We, as a global society, are moving much more towards mobile convenience than being controlled by our desktop computer overlords. Additionally, there is nothing stopping any person from making multiple accounts and using them on different machines as well. And Hence…we have an App for that!
It probably goes without saying. If you are talking about a forum where like minded individuals can get together to discuss current topics within a realm of comfort, you are going to get a better understanding of their psyche potentially during a specific moment in time. This may be something that is extremely relevant when profiling an individual on the Who, What, Why and How moments in the latter parts of your investigation. While Reddit has done a terrific job of trying to tame the beast that is over 1M subreddits with a user base that would put it in the Top 5 countries in the world…some things are going to fall through the cracks.
Applications – iOS
For the longest time, Reddit did not have its own dedicated app for download through either iTunes or through itself. This left a massive window of opportunity for would-be developers to build something that could be used to traverse Reddit and build up its own user-base. With the departure of one particular dev from the Alien Blue project, things started to go into motion that Reddit was finally building its own official app. And while there are still dozens of other 3rd party apps out there, Reddit having its own to endorse and push updates to makes it a game changer for those users who either:
1. Only use 1st Party Apps
2. Don’t know about the 3rd Party Apps being available
3. Trust Reddit to secure their data over 3rd party
So with this being said, I decided I wanted to look at the official Reddit app and see just how it is storing data. This project came to be via curiosity more so than anything. It was also incredibly alarming that one of the largest social media platforms out there right now has effectively ZERO support from 3 of the top mobile device forensic vendors out there. Let me say that again…ZERO. Meaning the only way you’re going to find this data while using these tools is with a Search Function that is scouring these files. Most likely the reasoning behind this, became hilarious to me as I was looking at the files. When we think of files for apps that will maintain data for an app, the first thing we think of are SQLite databases. But you’d be wrong if you thought that with these ones!
That is right! We are looking at plist files!
So Lets Break this down
We definitely need to break this thing down! You’re going to see two different sets of files within the app: plist and sqlite. The SQLite’s to my knowledge do not appear to really bare anything fruitful within them. My take is they are not being actively used by the app to do anything with potentially use later on? My reasoning behind that hypothesis is much of the other information that is user-related (e.g. subreddits subscribed to) are maintained within the plist files.
When you do an advanced logical acquisition of the phone and then dump out the “com.reddit.Reddit” folder, you’ll be greeted with two subfolders: Documents and Library. The Library folder maintains the Crash Analytics of the application, along with Twitter/IO folders that appear to have merely the database’s columns and rows, but really nothing of relevance within them.
An interesting folder within the Library is /Library/com.apple.UserManagedAssets folder. This subfolder held a video file that I had saved through the app in the “offline” mode. The video was saved as a ftypisom file with header 20 66 74 79 70. First time I had seen one like that!
Inside /Library/Cookies/Cookies.binarycookies is a plaintext view of websites that appear to have been visited by the user through clicking on hyperlinks within a specific thread of discussion.
Outside of these two subfolders within Library, I do not see much more than artifacts relating specifically to the Reddit app and not to the user.
Onto the Meat and Potatoes
This is where it will get a little more juicy. The /Documents folder is where the user data resides for all user accounts that have been logged into within the application. So I’m going to work backwards here, purely because of how much data there is in here.
This is the location of a plist file that will show what videos have been saved into the cache of the app. So it is tying directly back to the UserManagedAsset folder we saw in the /Library folder. Within there, you’ll uncover the filename of the files that have been saved. There is one little nugget, I wanted to share a screenshot of:
That time is what you would guess! Mach Absolute Time. Which, yes that roughly is around when I recalled playing that video for someone while at SANSFIRE in Washington DC.
These appear to be events related to Reddit that a user would have clicked on to view. Within it, at about Line 578, you will hit the Reddit Username that was logged into the event. Curiously enough, my epoch time for one specific event was 1349812312000, which decodes to 9 October 2012. This is when Malala Yousafzai was shot 3 times in Pakistan, and was certainly an event I was monitoring. Strangely this would have been long before the official Reddit App was released. My own conclusion is this is information that is tied to your account and when you move to different devices is used to correlate to those events if you so choose to review them again.
The moment we’ve all been waiting for. The accounts location. Within this folder you’ll see all accounts that have been used on the device, to include an anonymous account. This anonymous account appears to be created so a user can traverse reddit without being logged into an account. The other will appear in an hex number, so I’m not including it as I’m not sure if this will be the same for everyone. However, this is where all the user preference settings are stored, to include when the account was created. If also lists if an email address has been supplied or if the person is even an employee of Reddit.
Line 75 is when we will start getting into the user information. This will provide the user ID.
Line 78 contains a mach absolute time of when the account was created
Other intriguing information pertains to things like NSFW banner popups and other restrictive content being blocked. While these may or may not be relevant to your matter, they are still of interest if you are investigating an individual who is suspected of creating a hostile work environment.
This is an area of probably the most interesting within the userid folder. This is the location of all the subreddits that a user has gone to through the application. The most intriguing aspect in my opinion is it provides a cached view of what was in the sidebar area of the subreddit. Key areas of interest may be Line 42/43 where the NSFW boolean is located. Line 153 is where the string is located for what the subreddit is called along with its description.
This is a location of what appears to be actual threads opened by the user. Within the plist file is the subreddit information and title of the thread. There also appears to be a string underneath within this that is a reference point for what is termed cross-posts. Other intriguing information in here are file locations to what a user may be viewing from within the actual thread itself. There are also NSFW boolean locations within this as well to for if the thread has been deemed as potentially offensive.
As far as the Reddit app itself goes, it is what you think it is going to be. Much of this information is within plaintext and plist files as opposed to SQLite. The only benefit for culling through a plist rather than sqlite is we are not needing to create SQL queries in order to compile the data together. You get what you get in these files. My amateur developing guess is, they found this to be the best way to create and maintain a stable application when they first designed it. If it ain’t broke, why fix it? The good news is, I cannot find the password at all in here so happy to report (as of now) that you cannot get the user password through the app at least.
While this is not an overly encompassing look at the app itself, it is merely to point out there can be some very relevant information within this that your tools may not be catching. Things like UserID’s, creation of the account, varying posts/thread traversals are all there to help an investigator understand the person they may be looking into. This is also there to reaffirm the need to always validate your tools to what you are looking for within the data. All 3 of the major tools out there that I use do am immensely powerful job at culling through data and putting it in a friendly format that you can read and interpret. But there are so many apps out there, that you cannot expect them to hit it all. Doing searches through the data may come up with information, but if you do not know what you’re looking for — can you really count on it to lead you down the right path as well? Only YOU are in control what and how you investigate.