Potato Chat 🥔💬

Last updated 04/24/2025:

I recently became aware of the “Potato Chat” application, which my tools weren’t supporting. I decided I would take a stab at parsing the unsupported elements from the various databases and log files involved. I’ll give a rundown of the app and then we will dive into the artifacts you can find within the application files. 

By setting up three devices with potato accounts and joining my own three-person group chat, I was able to simulate specific activities and document the effects. I plan on treating this post as a “living document” so that I can add new information or change older information should my research be corrected or added to.

Potato Chat boasts 200 million users worldwide and advertises its platform as a secure and private application. A feature called “secret chats” advertises end-to-end encryption; however, there are many other features outside of “secret chats”. I will detail some of the features that were relevant to me and demanded testing. There is more to the app than this post will cover, but I have not seen any other sources of information on this app, so I wanted to share what I’ve learned.

Channels

Channels are publicly searchable “groups” that a user can keyword search for and join. Channels are a one-way communication stream: the channel owner can broadcast to visitors. It operates like a public bulletin board, the most frequent use of which I have observed is unlicensed pharmaceutical salespersons… It’s a very entrepreneurial community. Channels can contain text as well as media.

When creating a channel, the admin user can dictate whether the channel is private or public and is prompted to enter a custom URL, which other users can follow to join the channel. Multiple domains have been observed, one of which was “https://ptdl159.org/”.

Messaging

Users can participate in one-on-one chats with other users. This should not be confused with “secret chats”, that is a different service. For a user to find another user to chat with, they can search for other users in the “chats” tab. The search results will begin to auto-complete after five characters have been entered and show users, public groups, available AI chat bots, and channels that match the search string entered up to that point. Each entered character will recalculate the auto-complete results without having to submit the query.

These auto-completed usernames appeared in a database (tgdata.db / users_v32) without the device user ever having interacted with them. It is important to remember to separate the noise from the signal, so to speak.

Groups

Users can join groups either by publicly searching for them or by being invited via a specially formatted link. When creating a group, the admin user will be prompted to invite contacts and recent chat participants. Groups can be geographically locked, only allowing participants from particular areas. Groups can also have “labels” applied, with several pre-established options like “Love”, “Photography”, “Brain Hole” (what?), and many others. The group admin also gets to decide on an “Auto-Delete Messages” setting with the options “Close” or a span from 1 day to 5 months. By default, the setting was “Close” on iOS. After creating the group, an invite link is generated so that other individuals can be invited to the group. Several domains have been observed, one example of which is “https://ptdl159.org”. The end of the link is a generated GUID; custom URLs are not available.

Within the group chat itself, messages can be sent; GIFs can be searched for and sent; images, videos, audio and files can be sent; and all of the above can be replied to, similar to many other group chat applications. Crypto transfers are also claimed to be supported; however, this functionality has not been tested. The group admin is able to invite chat bots in addition to other users. The group admin is also able to remove specific users and shut down the group entirely. A group image can be set, which appears next to the group name as a custom icon. Potato advertises that these “super groups” can have up to 200,000 users.

Contacts

A contacts list is available on the device, offering a “Groups” category and a “Channels” category. If the user has no established contacts, a contacts category is not generated. Once a user adds one or more contacts, a “Contacts” category will be added.

The application also contains some untested categories; my particular need on this app did not include these categories, so they were not initially tested. Those categories include “Game”, “Discover” and “Wallet”. The app advertises the capability of cryptocurrency transfers and app purchases from its own “App Market”.

Relevant file paths:

When the application is parsed from a full file system (FFS) acquisition, there is relevant data in both of the following directory paths:

/private/var/mobile/containers/Data/Application/<App GUID>/
/private/var/mobile/containers/Shared/AppGroup/<App GUID>/

The lion’s share of the data was found in the “Shared” location. The iOS package is identified as “group.org.potatochat.PotatoEnterprise”. Perhaps the most immediately valuable artifacts found in the directories were image and video files. Numerous cached versions of images were found in the following directory:

~/Shared/AppGroup/<App GUID>/Caches/

I have not yet determined a connection between the cached versions and their full-size or thumbnail counterparts. Full-sized images can be found in the following directory:

  ~/Shared/AppGroup/<App GUID>/Documents/files/

Within this directory, there are folders which contain full-sized images as well as thumbnails. The directories are named in the following manner:

Images: ~/image-remote-<image ID>/
Videos: ~/video-remote-<video ID>/
        ~/video-local-<video ID>/
        ~/<video ID>/
Animated GIFs: ~/<image ID>/
Files: ~/<file ID>/
Audio: ~/<file ID>/

Video folders found here do not actually contain videos, but rather thumbnails for the videos. The “video-local” folders appear when the video was uploaded by the device. Interestingly, videos that were uploaded by the device also received a ~/<video ID>/ folder containing a thumbnail simply called “thumbnail”. The IDs between the “video-local” and the ID-only folder *are not the same*. The distinction between the IDs is not currently known and both were generated at the same time, without further user interaction.

GIF folders include a version of the GIF with a .mov extension as well as a .gif extension. This was the same for files searched for within the app as it was for files uploaded from the device.

Audio files are saved within a folder as described above and named simply “file” with no extension. Once the audio file has been played through the app, another file is produced in this directory entitled “file.mp3”, which appears to simply be a link to the file itself.

Files can also be sent through the chats and are stored within a simple ID folder. The file within was simply the same file that was uploaded, with the same filename it had when it was uploaded (in this case, a copy of the iOS-3rd-Party-Apps-Poster.pdf by SANS. It felt appropriate).

Image files are found within the directories here as well; the folders can contain one or more thumbnails. In all cases, a full-sized image named “image.jpg” was observed. Multiple versions of the images can be found, and certain versions can be attributed to specific user actions. For example, when I sent an image to the chat from the iPad, the relevant folder had a version of the image named “image-origin.jpg”. No other files were observed with “origin” in the filename.

Another apparently user-action related thumbnail is generated when a user views media from a chat in the “gallery” mode. In this mode, a grid of square images or videos or gifs (depending on user selection) is presented to the user. If an image was in the chat at the time the in-app gallery was opened, the associated file’s folder was shown to now contain a thumbnail named in the following manner (the pixel dimensions were not consistent across files, but the presence of the pixel dimensions was new):

thumbnail-90x90-135x90.jpg

In addition to the directories described above, there are images saved directly in the ~/files/ directory named in the following manner:

image-remote-<image ID>image-gallery-<pixel resolution>.jpg

These “gallery” images are significant in that they are representative of images contained within like-named directories (shared image ID). The “gallery” images are not present until the device user interacts with an image in a chat such as looking at an image full-size by pressing on it. It doesn’t necessarily mean that the user interacted with *that* image, as “gallery” images are generated both for the viewed image as well as one image above and one below as arranged in the chat. For example, three images were sent showing the letters “A”, “B”, and “C”, in that order. Gallery images did not exist after receiving all three images, however after pressing on and viewing the “B” image full-size, a “gallery” image was produced for each of the letters with no known indication of which was viewed.

In the case of the video folders from the ~/Documents/files/ directory, the original video was not included within those folders, just the thumbnails for the videos. The video files from the chats were found within the following directory:

~/Shared/AppGroup/<App GUID>/Documents/video/

Within this directory, videos were located with the following filename pattern:

remote<video ID>.mov
local<video ID>.mov

Remember the device-uploaded videos mentioned earlier, which have two different IDs in the ~/Documents/files/ directory? Well, here they are again! The “local” file is simply a link to its “remote” counterpart; the “remote” file is the actual video file.
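To make the naming conventions from the ~/Documents/files/ and ~/Documents/video/ sections concrete, here is an added triage script (my own example, not code from the post or from Potato Chat) that walks both directories and reports, per media ID, what the folder names, loose “gallery” images, dimensioned thumbnails, “image-origin.jpg” and the local/remote .mov pairing reveal. It assumes IDs are alphanumeric, that the “local” .mov is a symlink to its “remote” twin, and it runs against a constructed sample tree rather than a real acquisition.

```python
import os, re, tempfile
from pathlib import Path
# Naming patterns the post reports under Documents/files/ and Documents/video/
FOLDER_RE = re.compile(r"^(image-remote|video-remote|video-local)-(\w+)$")
GALLERY_RE = re.compile(r"^image-remote-(\w+)image-gallery-(\d+x\d+)\.jpg$")
DIM_THUMB_RE = re.compile(r"^thumbnail-\d+x\d+-\d+x\d+\.jpg$")
MOV_RE = re.compile(r"^(remote|local)(\w+)\.mov$")

def classify_bare_folder(names):
    """Bare-ID folder: video thumbnail (device upload), GIF, audio, or an uploaded file."""
    if "thumbnail" in names:
        return "video-thumbnail"
    if any(n.endswith(".gif") for n in names):
        return "gif"
    return ("audio-played" if "file.mp3" in names else "audio") if "file" in names else "file"

def triage_files_dir(files_dir):
    """Map each media ID under files/ to what its folder and loose gallery images show."""
    recs = {}
    for entry in sorted(Path(files_dir).iterdir()):
        if entry.is_dir():
            names = {p.name for p in entry.iterdir()}
            m = FOLDER_RE.match(entry.name)
            rec = recs.setdefault(m.group(2) if m else entry.name, {"gallery": []})
            rec["kind"] = m.group(1) if m else classify_bare_folder(names)
            rec["device_origin"] = "image-origin.jpg" in names  # image sent from this device
            rec["gallery_mode"] = any(DIM_THUMB_RE.match(n) for n in names)  # in-app gallery opened
        elif g := GALLERY_RE.match(entry.name):  # loose gallery image, tied to its folder by shared ID
            recs.setdefault(g.group(1), {"gallery": []})["gallery"].append(g.group(2))
    return recs

def triage_video_dir(video_dir):
    """List video/ entries; a 'local' .mov is expected to be a link to its 'remote' twin."""
    return {e.name: {"id": m.group(2), "kind": m.group(1),
                     "link_to": os.readlink(e) if e.is_symlink() else None}
            for e in sorted(Path(video_dir).iterdir()) if (m := MOV_RE.match(e.name))}

SAMPLE = {  # constructed layout relative to the Documents/ root, not real app data
    "files/image-remote-AAA": ["image.jpg", "image-origin.jpg", "thumbnail-90x90-135x90.jpg"],
    "files/V2": ["thumbnail"], "files/F1": ["file", "file.mp3"],
    "files": ["image-remote-AAAimage-gallery-320x240.jpg"], "video": ["remoteV1.mov"]}

def demo():  # build the constructed tree in a temp dir and triage both directories
    root = Path(tempfile.mkdtemp())
    for d, names in SAMPLE.items():
        (root / d).mkdir(parents=True, exist_ok=True)
        for n in names:
            (root / d / n).write_bytes(b"x")
    (root / "video" / "localV1.mov").symlink_to(root / "video" / "remoteV1.mov")  # local -> remote
    return triage_files_dir(root / "files"), triage_video_dir(root / "video")
```

Point `triage_files_dir` and `triage_video_dir` at the real ~/Documents/files/ and ~/Documents/video/ paths from an acquisition to get the same per-ID summary for actual data.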

Of particular note regarding videos, if you are lucky enough to find a .ktx image file of the app within the following directory, there may be significance to what you see: 

~/Data/Application/<App GUID>/Library/SplashBoard/Snapshots/

Pay close attention to the content of the images. If your .ktx file shows an active chat window that happens to feature a video, whether or not that video appears “blurred” is significant. When a video is sent to a group chat, by default the thumbnail is blurred out on iOS. Android was not observed to blur video files. Once a user watches a specific video on iOS, that specific video thumbnail will no longer be blurred in the chat. An artifact to reflect “watched” status has not yet been identified; however, this specific circumstance was observed directly.

When a user joins a group chat, it was observed that historical messages and media files were visible to the new user. It is unknown if this is limited in some way or if the history is infinite. 

A follow-up to this post is forthcoming, detailing findings from two of the databases as well as some .plist information. If you have experience with this app or would like to participate in the decoding of the data found within it, please reach out. In particular the tgdata.db database contains what appear to be protobufs which are not being parsed by the available tools at the moment. Some progress has been made, but there is always plenty more to do!

Application Logs

Within the ~/Shared/AppGroup/<App GUID>/Documents/ directory, there is a rolling cache of up to 31 application logs. The logs are named in the following manner: application-<#>.log, where # is an integer from 0-30. The lower the number, the more recent the log; hence, application-0.log will be the most recent log of activity. The logs appear to be segmented by app launch. It’s possible there is a maximum size for a log; however, the nature of the testing thus far has produced numerous short sessions. Observed file sizes for the logs ran from ~25KB up to 1.1MB. These logs will be examined in more technical detail in the next post.

Current known areas of need:

Secret Chats
Financial Transactions
App Market


Digital Forensics and general nerdery. Learning bit by bit (heh) and fighting off imposter syndrome. Learning python, adapting it to my work and overcomplicating simple processes most of the time.