Copyright © 2017 Moses Ashawa et al. This is an open-access article

distributed under the terms of the Creative Commons Attribution License 4.0,

which permits unrestricted use, distribution, and reproduction in any medium,

provided the original author and source are credited.

Circulation in Computer Science

Vol.2, No.11, pp: (8-16), December 2017

https://doi.org/10.22632/ccs-2017-252-67

Forensic Data Extraction and Analysis of Left

Artifacts on emulated Android Phones: A Case Study

of Instant Messaging Applications

Moses Ashawa Federal Ministry of Communication Technology

Phase 1, Annex III Shehu Shagari Way,

Abuja, Nigeria

Innocent Ogwuche Benue State University

P.M.B 102119 Makurdi

Benue State, Nigeria

ABSTRACT

The fast-growing nature of instant messaging applications

usage on Android mobile devices brought about a

proportional increase on the number of cyber-attack vectors

that could be perpetrated on them. Android mobile phones

store significant amount of information in the various memory

partitions when Instant Messaging (IM) applications

(WhatsApp, Skype, and Facebook) are executed on them. As

a result of the enormous crimes committed using instant

messaging applications, and the amount of electronic based

traces of evidence that can be retrieved from the suspect’s

device where an investigation could convict or refute a person

in the court of law and as such, mobile phones have become a

vulnerable ground for digital evidence mining. This paper

aims at using forensic tools to extract and analyse left

artefacts digital evidence from IM applications on Android

phones using android studio as the virtual machine. Digital

forensic investigation methodology by Bill Nelson was

applied during this research. Some of the key results obtained

showed how digital forensic evidence such as call logs,

contacts numbers, sent/retrieved messages, and images can be

mined from simulated android phones when running these

applications. These artefacts can be used in the court of law as

evidence during cybercrime investigation.

Keywords

Emulated Android phones, IM Applications, Artefacts,

Mobile forensics, Forensic tools.

1. INTRODUCTION As the use of instant messaging applications on mobile

devices continues to explode, so does the number of digital

crime scenes associated with these messaging applications

such as threatening, phishing, sexual harassment, hate

utterance, fraud, social engineering, identity theft, intellectual

property theft, and drug trafficking that need to be

investigated [11].

The escalated expansion of these social media applications on

mobile phones have provided a potential quarry site for

mining digital evidence which are deposited on the devices

for forensic investigation and examination using forensic tools

and techniques [6]. Though social networks were designed

purposely for socialization and relevant information

altercation between friends, families, groups, organizations,

and relatives; these services have been abused and became a

vulnerable ground for cybercrime perpetuation. The explosion

of Instant Messengers (IM) on mobile phones has also

constituted an essential fraction in human day-to-day

activities and as a result, mobile phones are susceptible to

enhancing illegal acts. For a typical crime investigation such

as homicide, sexual assaults, or drug dealing, the leading

types of data on mobile messaging apps are call logs, digital

photographs, Geo-locations, and videos. All these data types

can be extracted using some special mobile digital forensics

tools by following forensics data acquisition, collection, and

analysis and preservation procedures. Essential investigatory

questions related to information stowed on mobile phones can

aid in unveiling contacts and communication made between a

suspect and the victim.

The research of [25] asserted that, mobile devices are not just

media for performing cybercrimes but that they are also

corporate tools for forensic investigation for both private

sectors and law enforcement agencies. There corporation in

investigation could be seen in their usage to commit crime and

the deposits of data left on them after the crime. Because of

the enormous crimes committed using messaging applications

and the amount of electronic based traces of evidence that can

be retrieved from the suspect’s device when an investigation

could convict or refute a person in the court of law, has

elevated the field of mobile forensics. Investigators in the

field of mobile forensics tackle incriminating issues through

data stockpiled on the applications used in the phones by

recovering erased data [13]. In as much as these evidences can

be retrieved using forensic tools and techniques, there is still a

great challenge in the field of mobile forensics. There is no

single mobile forensic framework that could be used to

investigate different cases on different mobile platforms and

the procedures used on one case or device may not be

applicable on others [26, 21]. Most of these events which

occurred while using IM are recorded on different paths or

specific locations of the device which could be hard drive

ROM, RAM, SIM card, memory card, and even cloud, based

on the device settings and the security preferences of the

user.The research of [14]on how digital evidence is stored on

specific locations of the used device agrees with that of

[7]which affirmed that data recovery from smartphones in the

21st century is an emerging field of computer and digital

forensics which helps tremendously in felonious prosecution

of cases in the court. This data ranges from users’ contact

details like name, phone number, emails, call history, sent and

received messages, browsers from where the IM application

was downloaded and installed, time stamp, geophysical

locations, conversation data such as video, images, audio and

other useful files.

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

9

Mobile forensics is now becoming an emerging area of study.

It can be defined as “the art of recovering prospective

electronic proof from mobile devices using similar procedures

as for forensic investigations” [17]. Mobile forensics is a

discipline which involves the recapture of digital evidences

from mobile devices. It deals with investigation and

acquisition of digital evidence stored on mobile devices in a

forensically sound way which ensures that the recovered

evidence is justifiably unmodified or damaged [4, 16, 5]. Due

to frequent emergence of different mobile platforms in the

market today, it is very challenging not to alter mobile

evidence originality. The research of [16] asserted that the

assurance for mobile evidence originality is difficult due to

the fact that communication vector between certain forensics

tools and mobile devices is needed which may involve

removal or installation of the mobile bootloader chips or

changing mobile configurations before data extraction. From

the above assertion, it can be inferred that appropriate

procedures and methodologies must be critically followed to

obtain valuable evidences for without which extracted data

could result to evidence loss or inadmissibility. Basically,

there are three processes in carrying out investigation in

mobile forensics which are seizure, acquisition and analysis

[19, 16].

Seizure is the process of getting hold of or having access to a

suspect’s mobile device for further investigation. It is the first

stage in mobile forensics investigation where the mobile

phone to be seized is identified and got hold of. The forensic

investigator must follow the ACPO digital evidence collection

guidelines [20] to ensure that the collected data to be counted

on in the court of law (magistrate court, crown court, high

court, federal court, Supreme Court) is not tempered with.

Further, digital media seizure procedures are subject to

decrees of a particular locality. The challenging decision

among mobile investigators is whether the battery should be

removed before placing the device in faraday bag to avoid

phone’s connection to network if in case it suddenly switched

off. Removing the battery will alter some volatile data in the

phone memory since digital evidence is volatile [28]. The best

approach according to [19] is to leave the battery on but then

disconnect the phone from network connections such as WIFI

and Bluetooth by powering the flight mode before inserting

the phone in the bag. Another issue to consider during seizure

is what if the phone screen is locked by a password or

Personal Identification Number (PIN) or encrypted, then, get

the logical image of the phone’s memory [16].

Acquisition of digital evidence is the most fragile process in

mobile forensics due to the delicate nature of mobile evidence

which needs proper handling to avoid evidence contamination

or destruction. According to [20] evidence acquisition in

mobile device has to follow some critical acquisition steps

such as: Approach and observe the smartphone,

documentation of the phone’s software and hardware

configurations, Image the phone, fill chain of custody form

and transport and store evidence in a secure environment to

avoid evidence contamination. Evidence acquisition could be

dead or live acquisition.

Extraction of evidence from the source could be physical or

logical [20, 18, 24]. The physical extraction gathers data

stored at the device physical layer. This process of extraction

does not have regards to the operating system (OS) or the file

system of the device and may take the form of file carving to

table partition of the drive to determine and account for the

hard drive. The logical extraction of digital evidence on

mobile device however, is more of dealing with data present

on the mobile file system which may include deleted files,

time stamps, file name and location, file content, unallocated

space, file header, and file slack. The study of [18] outlined

processes involved in evidence extraction as ranging from

evidence intake, identification, preparation, isolation,

processing, verification, documentation/reporting, and

presentation to evidence archiving. The significance of any

legal case in the court of law related to mobile devices is

dependent on how relevant the extracted evidence is

interpreted using mobile forensics tools [12]. Digital evidence

can be analysed based on the time of event’s occurrence

which in other words known as timeframe analysis.

Timeframe analysis of digital evidence gives details of when a

file was created, accessed, modified and deleted based on the

metadata held in the file system of the mobile device.

Analysis can also be done on hidden data which is very

significant to unveil the suspect’s intent. Attackers sometimes

run malicious codes to encrypt files and prevent those files

from detection which makes reverse engineering very difficult

[2]. The connection between a hidden file header and its

extension gives an overview of the suspect’s intention for

encrypting or compressing a file. Application and file analysis

is the last layer of examination in mobile forensic. Application

analysis seeks to examine the file names and their contents,

links installed programs to the files, type of operating system

used by mobile phones, correlates cache files to browsing

history, compare suspect’s emails to their respective

attachments.

2. RELATED WORK A lot of researchers carried out studies in the field of mobile

forensics particularly in the extraction of digital evidence

from Instant Messaging (IM) Applications such as WhatsApp,

Skype and social media applications such as Facebook and

host of others. This study highlighted some of those related

works as applied in the research. The research of [22]

performed a forensic investigation on two prominent IM

applications namely, WhatsApp and Facebook. They

examined the historical invention of IM applications looking

at the communication patterns and the implicative effects of

IM activities on network traffic by providing a comparative

analysis of their features to SMS. The research however could

not extract any evidence from those IM applications, and in

addition, could not provide a subjective evaluation on how IM

application activities can be applied to forensic investigations.

The research of [27] took a different approach and studied

how to extract remnant artefacts from Skype and Facebook

IM applications looking at transferred files and contact lists as

potential evidence with credence to RAM and network traffic

as major sources of evidence trace. However, this research

was limited to RAM and network traffic storage media

analysis and failed to consider other useful Android mobile

file structures such as caches, boot, user data and sdcard

which hold potential forensic evidential information.[15]

investigated on Viber and WhatsApp IM applications using

three different but closely related versions of Android OS

(version 2.2, 2.3.x and 4.0.x). The research focused on folder

and timestamp analysis by making a live acquisition of the

phones’ internal memory with a conclusion that potential

evidence such as message logs and video files could remain

after using those applications. However, the research did not

give a critical security analysis of the different versions of the

Android phones used because the Android OS were so closely

related that no much relevant security comparison could be

made on them.

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

10

The study of [8] performed a forensic investigation and

acquisition research on Tango VoIP IM across two OS

platforms namely, Android and iOS respectively. The

research findings produced artefact taxonomy structure of the

target devices and marginal sites of quarrying digital evidence

such as communication interception and session cloning. The

research additionally provided a forensic comparative

examination of the application with Viber and WhatsApp

IMs. Both researches affirmatively concluded that, only

Tango stores data in an encoded layout as at 2014 [23] using

cryptographic techniques demonstrated an adapted adversary

forensics model for evidence collection from WhatsApp

application IM. The research was able to retrieve valid

evidence like profile pictures and databases. [1] performed

acquisition of data on rooted and non-rooted Android phone

using WhatsApp and Orweb browser. The research found that

rooting mobile phones during investigation changes device

partitions thereby modifying the evidence. The research

established that rooting is only needed if the imaging of the

mobile RAM for evidence acquisition is required. Unlike [1],

this research avoided rooting and jail breaking of the Android

devices to circumvent security breaches and enhance privacy

integrity.

This research is similar to the one conducted by [29] where

Snapchat social media application was simulated on android

and IOS devices to see how digital evidence such as videos,

images and folders can be extracted and analysed using XML

records. The research found that there is an imperative

correlation between XML records and the digital evidence.

The correlation between those artefacts (images, videos) has a

great acceleration when carrying out investigation. The result

of the study demonstrated whether or not Snapchat contents

uploaded are permanently deleted. The research however

extracted limited artifacts (images and videos) and vast

amount of digital evidence in the device memory were not

captured.

There are so many researches that are carried out on

extracting evidence deposited by Instant Messaging (IM)

Applications on physical android devices but none of those

researches has paid attention to doing same on emulated

android phones which is one of the fast-growing ways black

hackers are deploying for cyber-attacks. The research

therefore seeks to simulate android phones and extract digital

evidence that are deposited by IM applications. The result

from this research will help cyber security analyst and

forensic investigators to know how digital evidence can be

extracted from simulated android devices during forensic

investigation. The remaining parts of this paper are organised

as follows: Section 2 reviewed some of the previous work

used for the literature review. Section 3 contained the

methodology that was followed to achieve the required

results. Section 4 discussed artefacts extractions while section

5 investigates the security of the emulated systems and

conclusion of the paper.

2.1 Mobile Applications and Cybercrime

Investigation Although Instant Messaging (IM) applications were designed

majorly for socialization and relevant information transfer

between friends, groups, organizations and relatives, these

services today however have been abused and are now

vulnerable grounds for cybercrime perpetuation. The

explosion of IM on mobile phones has constituted an essential

fraction in human day-to-day activities and as a result, mobile

phones are susceptible to enhancingillegal acts [31]. For a

typical crime investigation such as homicide, sexual assaults

or drug dealing, the leading types of data are mobile

messaging applications content files such as call logs, photos

and videos [30, 32].

2.2 Android Mobile Devices To be able to carry out a successful digital forensic

investigation process on any device, the hardware and

software architectural build-up of such a device must be

comprehensively studied and understood so as to be able to

identify where the digital evidence related information could

be sourced [33]. As an approach to investigating android

phone, the knowledge of the structure and composition of

android OS is inevitable. Android smartphones are mobile

devices whose operating system (OS) are same but with

diverse producers [34]. It is an Open-source Linux kernel

based OS developed to enable and enhance software binding

and compatibility within the context of different prototypes of

smartphone devices. Android OS platform services for mobile

devices such as smartphone and tablets were incepted in 2008

by Andy Rubin and today has become the utmost prevalent

Operating System for mobile devices [33, 34, 35, 36).

3. METHODOLOGY AND SYSTEM

SETUP This research was conducted with reference to the

comprehensive Digital forensic investigation methodological

guidelines published by [19] as illustrated in figure 1 below.

Figure 1: Digital forensic investigation process [19]

VMWare Linux based OS virtual machine running Android

studio on an 8GB RAM was built. Three emulated phones

with varying specifications such as memory capacity, density,

resolution, CPU/ABI were created with different Android

versions. The three phones where Nexus phone1 with Android

version 7.1.1 (Nougat), Galaxy Nexus with Android version

4.1 (Jelly Bean), and Nexus 5 with Android version 2.3.3

(Gingerbread) respectively. Each of them used Android SDK

as the major dependency. WhatsApp, Facebook and Skype IM

applications were installed on each of the devices. Chatting

activities like sending and receiving of text, images, emotions,

video, calls and audio were performed. Mobile Forensic tools

such as Autopsy [10], Encase [3] and FTK Imager were then

deployed to extract evidence on those virtual phones

3.1 Experimental Design In the experimental design of this research, IM applications

were downloaded and installed on each of the phones during

the research. Users’ activities such as sending of text

messages, WhatsApp calls and chats, skype calls and chats,

Facebooking and so on where performed on each of the three

mobile phones. For WhatsApp, a group communication

platform called ‘WHITE HACKERS’ was created. Members

of the group were actively involved in the chat. Forensic

phones imaging was taken using Autopsy, FTK Imager and

Encase. A copy of each was exported for memory content

extraction process. The system setup was divided into network

setup and data extraction phase. To control the artefacts

extraction process, bit-by-bit extraction procedure was

deployed by imaging each phone separately. The network

setup for the designed systems was basically built using three

network adaptors as shown below.

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

11

3.1.1 Ethernet adaptor VMware Network

Adaptor (VMnet1) VMnet1 adaptor was configured to be used by the host

machine for network bridging which through the network card

communication with the emulated phones can be made easily

via gateway provisioning which the NAT network offers.

Figure 2 captures the VMnet1 network adaptor configuration.

Figure 2: VMnet1 network adaptor configuration

3.1.2 Ethernet adapter VMware Network

Adapter (VMnet8) VMnet8 adaptor was setup for IP address remapping of the

Network Address Translation (NAT) so that information that

shall be transferred in the internet through network address

modification will be properly routed with the packet headers.

This network adaptor was included in the operating system

configuration of the virtual machine to enhance the

performance of the host system. This is illustrated by figure 2.

Figure 3: VMnet 8network adaptor configuration

3.1.3 Wireless Adapter Wi-Fi The wireless adaptor was enabled. This was to allow the

devices get connection to the wireless network signals used by

the physical machine. This is illusted by figure 4.

Figure 4: Wi-Fi Adaptor configuration

The forensic investigation setup for evidence extraction from

the emulated mobile devices was designed as shown below in

figure 5.

Figure 5: System setup for data extraction process

The figure above demonstrates the system set-up designed for

extracting the necessary artefacts. The emulated phones where

both built on API protocols with different android versions

and API levels respectively. The devices were connected to

the workstation via web interface where the investigator could

perform data extraction process. The workstation is where

forensic tools were installed.

3.2 Acquisition Techniques The first step was to set-up an investigation environment for

all the three devices and IM applications respectively.

Following the setup of the environment and the definition of

the list of target artefacts, the next steps were devoted to the

whole investigation itself; from phones seizure to evidence

extraction. The overall acquisition approach has two main

phases. In the first phase, session cloning technique was used

and in the second, forensic analysis was performed on the

data. Session cloning technique was deployed as an alternative

approach for communication interception of IM applications,

since intercepting communication traffic through Instant

Messaging vendor or ISP might be technically difficult or

impossible. Another problem encountered during the research

is that the researcher has no control over automatic update

from android repository and dependencies.

4. RESULTS In locating the artefacts, the extraction process was based on

each IM applications installed on each of the android mobile

devices.

4.1 Evidence extraction from WhatsApp

IM Application Here, a detailed description of “WhatsApp” Instant Messaging

application artefacts obtained through examination of each

phone is presented.

4.1.1 Evidence of installed and deleted IM Userdata-qemu component shows the location of the three IM

applications installed on this device with a common (. dex)

extension. This is captured shown as figure 6 below.

Figure 6: Userdata-qemu contents in the dalvik-cache

Autopsy used for the imaging extracted the data content of

both the installed and the deleted applications as shown in the

figure above. The deleted skype application with the dalvik-

cache data@app@com.skype.raider-2.apk@classes.dex was

the first version of Skype installed which was not compatible

with this very version of the Android. The details of the

WhatsApp content (msgstore.db) and contacts (wa.db) was

further examined in the userdata-qemu which contained the

contacts, messages and call logs. Important evidence such as

downloaded files were observed. This was captured as figure

7.

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

12

Figure 7: Extracted contents of the sdcard memory

partition

Artefacts from WhatsApp were extracted using WhatsApp DB

Key extractor [9] Win-UFO v6.0and WhatsApp Viewer.

WhatsApp message contents stored in the message database

(msgstore.da) are in an encrypted format which requires an

extraction key during backup to be able to have access to the

application database. To have access to the readable content of

the database, a WhatsApp key database extractor version 2.1

was installed. An 8-character backup key was created during

the backup operation which helped to extract the msgstore.db,

wa.db, axolotl.db and chatsetting.db databases respectively as

shown in figure 8 below.

Figure 8: WhatsApp key DB extractor

Contacts extraction was executed using Autopsy on the

contact database (wa.db) and message (msgstore.db) of the

Android userdata-qemu table name as shown below. The

outcome of the experiment extracted the contacts, call logs

and messages sent as shown in Figure 5.

4.1.2 WhatsApp message artefacts WhatsApp exchanged messages were also extracted with

timestamp, flag and contents and contacts respectively as

shown in figure 9..

Figure 9: WhatsApp messages artefacts (with personal

information hidden)

4.1.3 WhatsApp Image artefacts Apart from the artefacts above, others such as image and

audio evidence were also extracted from WhatsApp IM

application using other forensic tools for further investigation.

The WhatsApp image file was found in the source file

img_sdcard.img/WhatsApp/media/WhatsApp/Images/IMG-

20161212-WA0000.jpg with an MD5 hash. This zis captioned

as figure 10.

Figure 10: WhatsApp image artefact extracted from the

sdcard

The picture image also showed the unchanged evidence which

has the same creation time with the modification timestamp

thus, suitable for court case. The metadata revealed that the

image is a WhatsApp image file with image extension

WAoooo.jpg. For security purposes, the face is masked in order to hide the person’s identity

4.1.4 WhatsApp Audio artefacts A total of 9 audio files where identified in the /img_userdata-

qemu.img/app/vmdof the tmp/reserve/raw/ phone partition.

These were the audio files exchanged during chatting. Figure 11 the audio artefacts extracted from userdata-qemu.

Figure 11: Audio artefactsextracted from userdata-qemu

4.1.5 WhatsApp call logs and contact artefacts There are two SQLite database files that are created in

Whatsapp: msgstore.db and wa.db. The msgstore.db file

embraced the conversation details between a user and their

contacts whereas wa.db stores information of users’ contacts.

The location of both the files were respectively:

i. /data/data/com.whatsapp/databases/msgstore.db

ii, /data/data/com.whatsapp/databases/wa.db.

The disk image of the emulated userdata-qemu.img of the

devices was found to have contained evidence (WhatsApp

contacts and call logs). Further investigation provided the

details of the call logs and the contact number with the

timestamp and call direction. Contacts evidences were masked

for privacy and security purposes. Digital evidence extracted

from WhatsApp contacts and call logs are shown below as

figure 12.

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

13

Figure 12: WhatsApp Contacts and call logs artefacts

4.2 Artefacts from Skype IM application Digital evidence such as record number, action type and time,

username, Chat message and ID between users where

extracted using Skype LogView. Figure 13 shows the Skype

logs artefacts

Figure 13:Skype logs artefacts

Although the above figure extracted the content of the Chat

Message, however, the extraction of chat identity of the

participants was unsuccessful. The forensic tool called Skype

log viewer[22] was then deployed to extract the ChatID as

shown with green mask in the figure 14.

Figure 14: Skype ChatID artefacts shown with green mask

Digital evidence such as record number, action type,

timestamp, message content and the chat ID’s of the respect

parties were also extracted. The research reveals that Skype

IM application provides a variety of features for user’s

identity including, video calling, voice calls and file transfers

much like MSN Messenger.

4.3 Artefacts from Facebook Application Some of the digital evidence extracted from the social media

(Facebook) are vital for this research and digital investigation.

4.3.1 Facebook User id and location artefacts During the experiment, a Facebook username ‘Ipoko Iduku’

was created. Activities were conducted during system

implementation. Facebook Forensics Toolkit was used to

extract communication contents as displayed in figure 15.

Figure 15: Facebook logs artefacts showing userid,

username and location

The Facebook indexed text of the account metadata revealed

the user id ‘100014492072263’, username ‘Ipoko Iduku’ and

country of location GB ‘Great Britain’. The tool however

failed to extract other information about the account such as

likes, friends, photos and messages.

4.3.2 Facebook message artefacts Further analysis was done on the userdata-qemu of the phone

NAND using Encase to get the message content of the

communicating ids. The result shows the artefacts in labeled

figure 16.

Figure 16: Facebook message contents artefacts

The communication contents were found in the userdata-

qemu.img/data/app/vmd-1485149232.tmpMETA

INFO/FACEBOOK.COM/ipoko.iduku directory unlocated

cluster at PS 11982396 of the phone’s disk. The

communication content was extracted from the cluster region

(\”msg\). {\text\”: “do u like fun?” =} to the message table

sorter which extracted the reply from the user’s numeric id

\”1000000555” \ with the message (\”msg\). {\text\”: “lol I

love facebook, it’s also awesome. Chatting is fun! \”}. The

experimental target retrieved Facebook artefacts between two

Facebook users Sharon and ipoko (both names are fictitious).

4.4 Security analysis of the research The security analysis shows that the latest version of Android

(nougat) has better security parameters imbedded in it more

than the earlier versions. However, it is observed that all

versions of the OS provide frequent updates which add more

features and amend their security flows. Also, all the versions

provide licence verification for security scanning during

applications downloads and installations. The latest version of

android proved that the hardware backed is enhanced greatly

with advanced HMAC and AES cryptographic primitives

which cannot be easily broken by an attacker. Tabulated

below are the security issues observed during the research

work on the three versions of the Android devices. A Security

comparison of the three-emulated android mobile devices is

summarized in table 1.

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

14

5. DISCUSSION Instant Messaging applications are commonly used by people

in the society today for legitimate work such as business

discussions, educational work, and others; yet they have been

used for criminal activities as mentioned above. These

applications could however leave potential information on the

memory. The research extracted artefacts left by the IM

applications (WhatsApp, Skype and Facebook) on virtual

Android mobile phones that are of evidential importance

when forensically analysed. The research outcome showed

that access to the databases of the IM applications for viewing

private chats is possible without necessarily compromising the

security policies of the OS such as rooting and jail breaking of

Android mobile devices. Further, it is observed that though

from all Android versions, evidence where extracted but

Android 7.1.1 has more security restrictions and precedence

over the others which cannot be easily exploited by hackers.

Digital evidence such as call logs, contact numbers,

timestamps, media files and so on were obtained. The

research has found that, all the artefacts extracted from

WhatsApp IM application where basically stored in the

userdata-

Table 1. Security comparison of the three-emulated

android mobile devices

Security

Features

Nexus 5

Android

2.3.3

Galaxy

Nexus

Android 4.1

Nexus PHONE1

Android 7.1.1

Encryptio

n

No disk encryption

Partial disk encryption

Supports full disk encryption and file

based encryption

Authentic

ation

Gatekeeper

authenticati

on

Gatekeeper

authentication

Both Gatekeeper

authentication and

fingerprint

authentication

SELinux No

enforcement Partial enforcement

Full enforcement of SELinux

Keystone Provides

simple crypto

services

such keymaster

Provides

simple crypto services such

keymaster

The hardware

backed is enhanced greatly with

advanced HMAC

and AES cryptographic

primitives

qemu.img/data/com.whatsapp/databases and sdcard-

qemu.img/data/com.whatsapp/databases of the simulated

devices memory partition. Artifacts like Chat history,

messages, received and sent images, audio files, userdata,

contact lists, call details were found in these memory

partitions which can help forensic investigators in any cyber

investigation.

Similar to the research conducted by Nelson et al. (2014)

which highlighted key challenges facing mobile forensic

investigation, this research encountered similar problems

during the investigation. Some of which are:

Continuous application updates. Updates are ceaselessly released by the developers of the

applications and OS installed in the phone which makes it

hard for forensic examiners to understand every updated

feature and to be ready to deal with new methods of forensic

examination with available old tools only. This makes

presenting and proving of evidence integrity in the court of

law by forensic investigators very challenging. In addition,

there was no absolute control over the updates of the android

phones since the research has no control over them.

Selection of Appropriate Mobile Forensic Extraction Tool.

Effective extraction of digital evidence from smartphone is

very much sophisticated than when dealing with computer

forensics. There is no recommendation on any specific tool

for a specific mobile investigatory case. Mobile investigators

have to apply different forensic tools and techniques for

different cases and OS which is time consuming and requires

expert knowledge on all mobile forensic available tools which

is not possible.

Hardware Difference The frequent emergence of different hardware models of

mobile phones flooding the market daily with different

chipsets size and features by diverse manufacturers makes

forensic investigation of mobile phones quite challenging.

Recurrent daily landscape modification of mobile phones has

placed a critical task for mobile examinations to keep an up to

date knowledge of all the techniques deployed for mobile

investigation.

Mobile Accidental Reset Digital evidence is lost when mobile phones are reset. During

examination, there is always tendency to accidentally apply

the reset features imbedded in the mobile phone. Other

challenges that might encounter during forensic investigation

include passcode recovery, mobile alteration, communication

shielding, evidence dynamism, legal issues and malicious

programs on the mobile phone.

Mobile Anti-Forensics Activities Anti-forensic activities of criminals are another challenging

factor to forensic examiners during mobile investigation. As a

result, wrong conclusions are often made by mobile forensic

examiners due to anti-forensics tactics deployed by attackers

to damage electronic evidence. Some of the anti-forensic

approaches include: mobile data contraception, mobile data

hiding, mobile data misdirection, mobile logs swiping and

mobile data destruction.

6. CONCLUSION The study was focused on extracting and analysing the

artifacts which were live on the Android phone’s memory.

Forensic tools were able to provide the Artifacts related to

“IM” apps by providing folder by folder Analysis of the

Extracted data all possible artifacts related to “WhatsApp”

and “Skype” applications were found along with timestamps.

Artifacts extracted included Chat history, messages, received

and sent images and video file locations in sdcard, cache,

userdata, contact lists, call details, etc. These artifacts can help

forensic investigators and security agencies in cyber

investigation. The experiments and results showed that heavy

amount of potential evidences can be found on simulated

Android phones which is another area criminals are exploiting

to perform cyber-attacks.It is also worth noting that extracted

artefacts from IM applications can assist in checking terrorist

activities of a society as could be seen in the case of a 24 old

Tunisian named Amri who was found on Saturday 24

December 2016 by the US communication agency to have

involved in a communication chat with a terrorist group called

ISIS where he pledged his allegiance to the group for suicide

attacks when his mobile Telegram messaging application was

examined. The researcher recommended the following

security measures for android communities:

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

15

i. Security modifications of mobile settings such as

jailbreaking or rooting should be highly discouraged

when investigating IM applications on smartphones.

ii. Side loading of IM applications from untrusted sites

outside android application store should be avoided

to reduce mobile malware infection.

iii. Users of android phones should upgrade from using

older versions (Gingerbread) to newer versions of

the OS to avoid been exploited.

In conclusion, no one could doubt the fact that cybercriminals

are making extra efforts to hide attacks through anti-forensic

tactics such as logs clearing. Most of these deeds are moving

from physical realm of attacks to virtuality which calls for in-

depth understanding of virtually based applications and

devices in order to have a successful forensic investigation

that is virtually based. The experiments and results showed

that heavy amount of potential evidences and valuable data

can be found on emulated Android mobile phones. Future

work can be done on extracting similar IM applications based

digital evidence using other virtual OS mobile platforms such

as iOS, blackberry and window phones.

7. REFERENCES [1] Al Barghouthy, N. and Marrington, A. (2014). A

Comparison of Forensic Acquisition Techniques for

Android Devices. International journal of New

Technologies, Mobility and Security, vol. 7, No. 4, pp. 1-

4.

[2] Amari, K. (2009). Techniques and tools for recovering

and analysing data from volatile memory. Available at:

https://www.sans.org/reading-

room/whitepapers/forensics/techniques-tools-recovering-

analyzing-data-volatile-memory-33049. (Accessed: 28th

October 2017).

[3] Andrikopoulos, V. and Di Nitto, E. (2014). Message

from the EnCASE 2014 Workshop Chairs. International

Enterprise Distributed Object Computing Conference

Workshops and Demonstrations, pp. 152-153.

[4] Ayers, R., Brothers, S. and Jansen, W. (2013).

Guidelines on Mobile Device Forensics (Draft). NIST

Special Publication, vol. 8, No. 5, p.101.

[5] Casey, E. (2011). Digital evidence and computer crime:

Forensic science, computers, and the internet. Academic

press.

[6] Dibb, P. and Hammoudeh, M. (2013). Forensic Data

Recovery from Android OS Devices: An Open Source

Toolkit. In Intelligence and Security Informatics

Conference (EISIC). pp. 226-226.

[7] Do Q., Martini, B. and Choo, K.K.R. (2015). A Cloud-

Focused Mobile Forensics Methodology. Journal of

digital forensics investigation, vol. 2, No. 4, pp. 60-65.

[8] Faheem, M., Le-Khac, N.A., Lit, K.P., Kui, S., Fanry, L.,

& Kechadi, T. (2014). Smartphone Forensic Analysis: A

Case Study for Obtaining Root Access of an Android

Samsung S3 Device and Analyse the Image without an

Expensive Commercial Tool. Journal of Information

Security, vol. 5, No. 3, pp. 78-83.

[9] Gudipaty, L.P. and Jhala, K.Y. (2015). WhatsApp

Forensics: Decryption of Encrypted WhatsApp

Databases on Non-Rooted Android Devices. Journal of

Information Technology & Software Engineering, vol. 5,

No. 14, pp.216-786.

[10] Inglot, B. and Liu, L. (2014). Enhanced timeline analysis

for digital forensic investigations: A Global Perspective.

Journal of Information Security, vol. 23, No. 2, pp. 32-

44.

[11] Iqbal, A., Marrington, A. and Baggili, I. (2013). Forensic

artifacts of the ChatON Instant Messaging application. In

Systematic Approaches to Digital Forensic Engineering

(SADFE), IEEE Eighth International Workshop, pp. 1-6.

[12] Kalaimannan, E. (2015). Smart Device Forensics-

Acquisition, Analysis and Interpretation of Digital

Evidences. 2015 IEEE International Conference on

Computational Science and Computational Intelligence

(CSCI). pp. 837-838.

[13] Kausar, F. (2014). New Research Directions in the area

of Smart Phone Forensic Analysis. International Journal

of Computer Networks & Communications, vol. 6, No. 4,

pp. 99.

[14] Khan, S., Gani, A., Wahab, A.W.A., Bagiwa, M.A.,

Shiraz, M., Khan, S.U., Buyya, R. and Zomaya, A.Y.

(2016). Cloud Log Forensics: Foundations, State of the

Art, and Future Directions. ACM International Journal of

Computing Security, vol. 4, No. 9, pp. 7-11.

[15] Mahajan, A., Dahiya, M.S. and Sanghvi, H.P. (2013).

Forensic analysis of instant messenger applications on

Android devices Auckland, New Zealand.

[16] Mahalik, H. (2014). Introduction to Mobile Forensics.

Packt Publishing Ltd.

[17] Mumba, E.R. and Venter, H.S. (2014). Mobile forensics

using the harmonised digital forensic investigation

process. Information Security for South Africa, pp. 1-10.

[18] Murphy, C. (2011). Cellular Phone Evidence Data

Extraction and Documentation. Available at:

https://mobileforensics.files.wordpress.com/2010/07/cell

-phone-evidence-extraction-process-development-1-1-

8.pdf. (Accessed: 28th October 2017).

[19] Nelson, B., Phillips, A. and Stuart, C. (2014). Guide to

computer forensics and investigations. United Kingdom:

Cengage Learning.

[20] Owen, P. and Thomas, P. (2011). An analysis of digital

forensic examinations: Mobile devices versus hard disk

drives utilising ACPO & NIST guidelines. Digital

Investigation, 8(2), pp.135-140.

[21] Santos, M., Alves, T., Neto, R. (2016). Forensic

Simplified Methodology for Android Data Extraction.

International Journal of Innovative Research in

Computer and Communication Engineering, vol. 4, No.

4, pp. 1111-1119.

[22] Seufert, M., Hoýfeld, T., Schwind, A., Rayto, K., Burger,

V. and Tran-Gia, P. (2016). Group-based communication

in WhatsApp. In IFIP Networking Conference (IFIP

Networking) and Workshops, pp. 536-541.

[23] Shortall, A. and Azhar, M.H.B. (2015). Forensic

acquisitions of WhatsApp data on popular mobile

platforms. IEEE Sixth International Conference on

Emerging Security Technologies (EST), pp. 13-17.

[24] Tajuddin, T.B. and Manaf, A.A. (2015). Forensic

investigation and analysis on digital evidence discovery

through physical acquisition on smartphone. In 2015

World Congress on Internet Security, pp. 132-138.

Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017

www.ccsarchive.org

16

[25] Thakur, R., Chourasia, K. and Singh, B. (2012). Cellular

Phone Forensics. International Journal of Scientific and

Research Publications, vol. 2, No. 8), pp. 456-532.

[26] Witteman, R., Meijer, A., Kechadi, M.T. and Le-Khac,

N.A. (2016). Toward a new tool to extract the Evidence

from a Memory Card of Mobile phones. In IEEE 2016

4th International Symposium on Digital Forensic and

Security (ISDFS), pp. 143-147.

[27] Yang, T.Y., Dehghantanha, A., Choo, K.K.R. and Muda,

Z. (2016). Windows instant messaging app forensics:

Facebook and Skype as case studies. International

Journal of Digital Forensics, vol. 11, No.3, pp. 150-185.

[28] National Institute of Standards and Technology (NIST)

and United States of America (2004). Forensic

Examination of Digital Evidence. A Guide for Law

Enforcement. Available at:

https://www.ncjrs.gov/pdffiles1/nij/199408.pdf.

(Accessed: 27 October. 2017).

[29] Aji, M. P., Riadi, I., & Lutfhi, A. (2017). The Digital

Forensic Analysis of Snapchat Application Using Xml

Records. Journal of Theoretical & Applied Information

Technology, vol. 95, No. 19, pp.

[30] Ab Rahman, N.H., Kessler, G.C. and Choo, K.K. (2017).

Implications of Emerging Technologies to Incident

Handling and Digital Forensic Strategies: A Routine

Activity Theory. In Contemporary Digital Forensic

Investigations of Cloud and Mobile Applications, pp.

131-146.

[31] Holt, T.J., Fitzgerald, S., Bossler, A.M., Chee, G. and

Ng, E. (2016). Assessing the risk factors of cyber and

mobile phone bullying victimization in a nationally

representative sample of Singapore youth. International

journal of offender therapy and comparative

criminology, vol. 60, No. 5, pp.598-615.

[32] Mishra, M., Maske, D. and Deshpande, N. (2016).

Remote Desktop Monitoring Using Android Mobile

Phones. International Journal of Research, vol. 3, No. 3,

pp.599-601.

[33] Quick, D. and Alzaabi, M. (2011). Forensic Analysis of

the Android File System yaffs2. Available at:

http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1100&c

ontext=adf. (Accessed: 6th November 2016).

[34] Omeleze, S. and Venter, H.S. (2013). Testing the

harmonised digital forensic investigation process model-

using an Android mobile phone. IEEE 2013 Information

Security for South Africa, pp. 1-8.

[35] Albano, P., Castiglione, A., Cattaneo, G. and De Santis,

A. (2011). A novel anti-forensics technique for the

android OS. In Broadband and Wireless Computing,

Communication and Applications (BWCCA)

International Conference, pp. 380-385.

[36] Immanuel, F., Martini, B. and Choo, K.K.R. (2015).

Android cache taxonomy and forensic process. In

Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, No. 5, pp.

1094-1101.

CCS | 2017 | ISSN 2456-3692

Published by: CSL Press, USA