TikTok Smartphone Evidence

Written by Amber Schroader


June 16, 2021

We have been using the windows of our smartphones for many years to explore the world of social media. One of the most popular areas for exploration over the last few years has been in the newer social media platform of TikTok. TikTok currently has over 2 billion downloads worldwide and is growing every day, so if you have missed this fad, it is time to take a look.

Formally known as Musical.ly, this China-based app has had a lot of controversy regarding security and the forensic data that can be collected. As with all social media, it is important to know there is always risk involved. Which means you use it and you are at risk. As much as we would love to believe our data is secure and safe, the process of sharing it with a group guarantees that you are opening your window to a large party of everyone who wants to see inside to see your post.

Let’s start with how TikTok works. TikTok does short video posts about a LARGE variety of topics that compel you to like and follow the poster. With people becoming “TikTok Famous” for simple tips and tricks or their Buy List from popular retailers like Amazon, it is a world of information in the TikTok universe. The Hetherington Group wrote an excellent blog on the structure of TikTok from the perspective of who is in charge of this multi-verse of data. However, we need to take a look at what data we can get from an investigative perspective.

Here is the simple data breakdown when it comes to TikTok. Keep in mind this is constantly changing, as we saw in this review of new permissions with the app regarding biometric data. Don’t forget the basics of data already collected from SIM Cards, GPS location, and IP Addresses as part of your content.

There are a few considerations before we look at the data.

  • TikTok allows you to have multiple accounts.

This multi-account option will affect the data. Make sure the data you are looking for is in the active account so it can be collected with the most common acquisition methods.

  • Conversations

When you get into the conversations, you have a few tips to remember. They only happen when one user follows another. There are two main identifiers, which are the nicknames and the user ID. Nicknames can get truncated, so rely on the user ID to track who is talking to whom.

If you are using E3 for your TikTok investigation, data will show up from multiple accounts. The case will contain conversation data from all user accounts in the corresponding User ID folders.  Each User ID folder also includes a list of conversations referring to the definite user account. To switch to the particular conversation, you can just click the link in the Conversation List grid if there are multiple accounts present.

  • Video Recordings

As a video-centric app, you would expect to see a lot of content in this area. However, the videos are only available for a limited time, and the multiple accounts will affect how much of that potential data you will be able to recover. Most of the recovered data for videos is related to what is published in the app.  

Paraben’s E3 parses data from the TikTok app during a physical acquisition of iOS devices, a logical acquisition of an iOS device with the encrypted backup, and during the import of the encrypted iOS backups.

Paraben’s E3 allows acquiring and parsing the following TikTok data:

  • Direct messages from multiple user accounts
  • User activity timeline
  • Published video records

The Activity Timeline grid displays a list of actions performed by the user in chronological order.

The video records are available in a separate folder and can be viewed via external tools through an export command.

Conversation List grid: contains additional data about the conversations and link to them

  • Conversation ID
  • Participants
  • Last Updated
  • Unread Count
  • Is on Top (conversation status)
  • Is Favorite (conversation status)
  • Is Muted (conversation status)
  • Link

Conversation ID grid: contains the messages and additional data about them

  • Time (Local)
  • Sender ID
  • Text Preview
  • Full Text
  • Time (Server)
  • Message ID
  • Is Deleted (message status)
  • Is Read (message status)
  • Attachment URL

Activity Timeline grid: contains the user activities data

  • Time
  • Activity

Published Videos folder: contains video files published by the user.


Whether you are a TikTok user or just investigating it, understanding the details of what is available and how this popular app works can provide you with valuable insight into how your potential suspect is spending their time.

If you are looking to try a new tool when it comes to smartphone forensics and App investigations reach out to us and we will setup a trial. Trial@paraben.com

Forensic-Impact Articles

Different Android Flavors and Forensic Processing

Different Android Flavors and Forensic Processing

Android, developed by Google, is one of the most popular mobile operating systems worldwide, powering millions of devices. What you might not realize is that there are different tiers of Android OS that are available for millions of devices. We will explore the three...

Small Businesses: Don’t Make These 7 Common Cybersecurity Mistakes

Small Businesses: Don’t Make These 7 Common Cybersecurity Mistakes

Guest Blog Post: Lance Cody-ValdezHackers are going after SMBs with a vengeance – 43 percent of all cyberattacks are directed toward these smaller companies, according to a Hacked report.  SMBs make for “soft” targets, as many don’t have basic cybersecurity safeguards...

Why is Triage a good step in Digital Forensics?

Why is Triage a good step in Digital Forensics?

Many people discount the value of triage. Investigators try to obtain all the data at once, which can be costly and unproductive. With the data gap gone between mobile and computer-related data, you can analyze terabytes now without breaking a sweat. Triage and...