forensic data extraction and analysis of left artifacts on ... · the logical image of the...
TRANSCRIPT
Copyright © 2017 Moses Ashawa et al. This is an open-access article
distributed under the terms of the Creative Commons Attribution License 4.0,
which permits unrestricted use, distribution, and reproduction in any medium,
provided the original author and source are credited.
Circulation in Computer Science
Vol.2, No.11, pp: (8-16), December 2017
https://doi.org/10.22632/ccs-2017-252-67
Forensic Data Extraction and Analysis of Left
Artifacts on emulated Android Phones: A Case Study
of Instant Messaging Applications
Moses Ashawa Federal Ministry of Communication Technology
Phase 1, Annex III Shehu Shagari Way,
Abuja, Nigeria
Innocent Ogwuche Benue State University
P.M.B 102119 Makurdi
Benue State, Nigeria
ABSTRACT
The fast-growing nature of instant messaging applications
usage on Android mobile devices brought about a
proportional increase on the number of cyber-attack vectors
that could be perpetrated on them. Android mobile phones
store significant amount of information in the various memory
partitions when Instant Messaging (IM) applications
(WhatsApp, Skype, and Facebook) are executed on them. As
a result of the enormous crimes committed using instant
messaging applications, and the amount of electronic based
traces of evidence that can be retrieved from the suspect’s
device where an investigation could convict or refute a person
in the court of law and as such, mobile phones have become a
vulnerable ground for digital evidence mining. This paper
aims at using forensic tools to extract and analyse left
artefacts digital evidence from IM applications on Android
phones using android studio as the virtual machine. Digital
forensic investigation methodology by Bill Nelson was
applied during this research. Some of the key results obtained
showed how digital forensic evidence such as call logs,
contacts numbers, sent/retrieved messages, and images can be
mined from simulated android phones when running these
applications. These artefacts can be used in the court of law as
evidence during cybercrime investigation.
Keywords
Emulated Android phones, IM Applications, Artefacts,
Mobile forensics, Forensic tools.
1. INTRODUCTION As the use of instant messaging applications on mobile
devices continues to explode, so does the number of digital
crime scenes associated with these messaging applications
such as threatening, phishing, sexual harassment, hate
utterance, fraud, social engineering, identity theft, intellectual
property theft, and drug trafficking that need to be
investigated [11].
The escalated expansion of these social media applications on
mobile phones have provided a potential quarry site for
mining digital evidence which are deposited on the devices
for forensic investigation and examination using forensic tools
and techniques [6]. Though social networks were designed
purposely for socialization and relevant information
altercation between friends, families, groups, organizations,
and relatives; these services have been abused and became a
vulnerable ground for cybercrime perpetuation. The explosion
of Instant Messengers (IM) on mobile phones has also
constituted an essential fraction in human day-to-day
activities and as a result, mobile phones are susceptible to
enhancing illegal acts. For a typical crime investigation such
as homicide, sexual assaults, or drug dealing, the leading
types of data on mobile messaging apps are call logs, digital
photographs, Geo-locations, and videos. All these data types
can be extracted using some special mobile digital forensics
tools by following forensics data acquisition, collection, and
analysis and preservation procedures. Essential investigatory
questions related to information stowed on mobile phones can
aid in unveiling contacts and communication made between a
suspect and the victim.
The research of [25] asserted that, mobile devices are not just
media for performing cybercrimes but that they are also
corporate tools for forensic investigation for both private
sectors and law enforcement agencies. There corporation in
investigation could be seen in their usage to commit crime and
the deposits of data left on them after the crime. Because of
the enormous crimes committed using messaging applications
and the amount of electronic based traces of evidence that can
be retrieved from the suspect’s device when an investigation
could convict or refute a person in the court of law, has
elevated the field of mobile forensics. Investigators in the
field of mobile forensics tackle incriminating issues through
data stockpiled on the applications used in the phones by
recovering erased data [13]. In as much as these evidences can
be retrieved using forensic tools and techniques, there is still a
great challenge in the field of mobile forensics. There is no
single mobile forensic framework that could be used to
investigate different cases on different mobile platforms and
the procedures used on one case or device may not be
applicable on others [26, 21]. Most of these events which
occurred while using IM are recorded on different paths or
specific locations of the device which could be hard drive
ROM, RAM, SIM card, memory card, and even cloud, based
on the device settings and the security preferences of the
user.The research of [14]on how digital evidence is stored on
specific locations of the used device agrees with that of
[7]which affirmed that data recovery from smartphones in the
21st century is an emerging field of computer and digital
forensics which helps tremendously in felonious prosecution
of cases in the court. This data ranges from users’ contact
details like name, phone number, emails, call history, sent and
received messages, browsers from where the IM application
was downloaded and installed, time stamp, geophysical
locations, conversation data such as video, images, audio and
other useful files.
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
9
Mobile forensics is now becoming an emerging area of study.
It can be defined as “the art of recovering prospective
electronic proof from mobile devices using similar procedures
as for forensic investigations” [17]. Mobile forensics is a
discipline which involves the recapture of digital evidences
from mobile devices. It deals with investigation and
acquisition of digital evidence stored on mobile devices in a
forensically sound way which ensures that the recovered
evidence is justifiably unmodified or damaged [4, 16, 5]. Due
to frequent emergence of different mobile platforms in the
market today, it is very challenging not to alter mobile
evidence originality. The research of [16] asserted that the
assurance for mobile evidence originality is difficult due to
the fact that communication vector between certain forensics
tools and mobile devices is needed which may involve
removal or installation of the mobile bootloader chips or
changing mobile configurations before data extraction. From
the above assertion, it can be inferred that appropriate
procedures and methodologies must be critically followed to
obtain valuable evidences for without which extracted data
could result to evidence loss or inadmissibility. Basically,
there are three processes in carrying out investigation in
mobile forensics which are seizure, acquisition and analysis
[19, 16].
Seizure is the process of getting hold of or having access to a
suspect’s mobile device for further investigation. It is the first
stage in mobile forensics investigation where the mobile
phone to be seized is identified and got hold of. The forensic
investigator must follow the ACPO digital evidence collection
guidelines [20] to ensure that the collected data to be counted
on in the court of law (magistrate court, crown court, high
court, federal court, Supreme Court) is not tempered with.
Further, digital media seizure procedures are subject to
decrees of a particular locality. The challenging decision
among mobile investigators is whether the battery should be
removed before placing the device in faraday bag to avoid
phone’s connection to network if in case it suddenly switched
off. Removing the battery will alter some volatile data in the
phone memory since digital evidence is volatile [28]. The best
approach according to [19] is to leave the battery on but then
disconnect the phone from network connections such as WIFI
and Bluetooth by powering the flight mode before inserting
the phone in the bag. Another issue to consider during seizure
is what if the phone screen is locked by a password or
Personal Identification Number (PIN) or encrypted, then, get
the logical image of the phone’s memory [16].
Acquisition of digital evidence is the most fragile process in
mobile forensics due to the delicate nature of mobile evidence
which needs proper handling to avoid evidence contamination
or destruction. According to [20] evidence acquisition in
mobile device has to follow some critical acquisition steps
such as: Approach and observe the smartphone,
documentation of the phone’s software and hardware
configurations, Image the phone, fill chain of custody form
and transport and store evidence in a secure environment to
avoid evidence contamination. Evidence acquisition could be
dead or live acquisition.
Extraction of evidence from the source could be physical or
logical [20, 18, 24]. The physical extraction gathers data
stored at the device physical layer. This process of extraction
does not have regards to the operating system (OS) or the file
system of the device and may take the form of file carving to
table partition of the drive to determine and account for the
hard drive. The logical extraction of digital evidence on
mobile device however, is more of dealing with data present
on the mobile file system which may include deleted files,
time stamps, file name and location, file content, unallocated
space, file header, and file slack. The study of [18] outlined
processes involved in evidence extraction as ranging from
evidence intake, identification, preparation, isolation,
processing, verification, documentation/reporting, and
presentation to evidence archiving. The significance of any
legal case in the court of law related to mobile devices is
dependent on how relevant the extracted evidence is
interpreted using mobile forensics tools [12]. Digital evidence
can be analysed based on the time of event’s occurrence
which in other words known as timeframe analysis.
Timeframe analysis of digital evidence gives details of when a
file was created, accessed, modified and deleted based on the
metadata held in the file system of the mobile device.
Analysis can also be done on hidden data which is very
significant to unveil the suspect’s intent. Attackers sometimes
run malicious codes to encrypt files and prevent those files
from detection which makes reverse engineering very difficult
[2]. The connection between a hidden file header and its
extension gives an overview of the suspect’s intention for
encrypting or compressing a file. Application and file analysis
is the last layer of examination in mobile forensic. Application
analysis seeks to examine the file names and their contents,
links installed programs to the files, type of operating system
used by mobile phones, correlates cache files to browsing
history, compare suspect’s emails to their respective
attachments.
2. RELATED WORK A lot of researchers carried out studies in the field of mobile
forensics particularly in the extraction of digital evidence
from Instant Messaging (IM) Applications such as WhatsApp,
Skype and social media applications such as Facebook and
host of others. This study highlighted some of those related
works as applied in the research. The research of [22]
performed a forensic investigation on two prominent IM
applications namely, WhatsApp and Facebook. They
examined the historical invention of IM applications looking
at the communication patterns and the implicative effects of
IM activities on network traffic by providing a comparative
analysis of their features to SMS. The research however could
not extract any evidence from those IM applications, and in
addition, could not provide a subjective evaluation on how IM
application activities can be applied to forensic investigations.
The research of [27] took a different approach and studied
how to extract remnant artefacts from Skype and Facebook
IM applications looking at transferred files and contact lists as
potential evidence with credence to RAM and network traffic
as major sources of evidence trace. However, this research
was limited to RAM and network traffic storage media
analysis and failed to consider other useful Android mobile
file structures such as caches, boot, user data and sdcard
which hold potential forensic evidential information.[15]
investigated on Viber and WhatsApp IM applications using
three different but closely related versions of Android OS
(version 2.2, 2.3.x and 4.0.x). The research focused on folder
and timestamp analysis by making a live acquisition of the
phones’ internal memory with a conclusion that potential
evidence such as message logs and video files could remain
after using those applications. However, the research did not
give a critical security analysis of the different versions of the
Android phones used because the Android OS were so closely
related that no much relevant security comparison could be
made on them.
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
10
The study of [8] performed a forensic investigation and
acquisition research on Tango VoIP IM across two OS
platforms namely, Android and iOS respectively. The
research findings produced artefact taxonomy structure of the
target devices and marginal sites of quarrying digital evidence
such as communication interception and session cloning. The
research additionally provided a forensic comparative
examination of the application with Viber and WhatsApp
IMs. Both researches affirmatively concluded that, only
Tango stores data in an encoded layout as at 2014 [23] using
cryptographic techniques demonstrated an adapted adversary
forensics model for evidence collection from WhatsApp
application IM. The research was able to retrieve valid
evidence like profile pictures and databases. [1] performed
acquisition of data on rooted and non-rooted Android phone
using WhatsApp and Orweb browser. The research found that
rooting mobile phones during investigation changes device
partitions thereby modifying the evidence. The research
established that rooting is only needed if the imaging of the
mobile RAM for evidence acquisition is required. Unlike [1],
this research avoided rooting and jail breaking of the Android
devices to circumvent security breaches and enhance privacy
integrity.
This research is similar to the one conducted by [29] where
Snapchat social media application was simulated on android
and IOS devices to see how digital evidence such as videos,
images and folders can be extracted and analysed using XML
records. The research found that there is an imperative
correlation between XML records and the digital evidence.
The correlation between those artefacts (images, videos) has a
great acceleration when carrying out investigation. The result
of the study demonstrated whether or not Snapchat contents
uploaded are permanently deleted. The research however
extracted limited artifacts (images and videos) and vast
amount of digital evidence in the device memory were not
captured.
There are so many researches that are carried out on
extracting evidence deposited by Instant Messaging (IM)
Applications on physical android devices but none of those
researches has paid attention to doing same on emulated
android phones which is one of the fast-growing ways black
hackers are deploying for cyber-attacks. The research
therefore seeks to simulate android phones and extract digital
evidence that are deposited by IM applications. The result
from this research will help cyber security analyst and
forensic investigators to know how digital evidence can be
extracted from simulated android devices during forensic
investigation. The remaining parts of this paper are organised
as follows: Section 2 reviewed some of the previous work
used for the literature review. Section 3 contained the
methodology that was followed to achieve the required
results. Section 4 discussed artefacts extractions while section
5 investigates the security of the emulated systems and
conclusion of the paper.
2.1 Mobile Applications and Cybercrime
Investigation Although Instant Messaging (IM) applications were designed
majorly for socialization and relevant information transfer
between friends, groups, organizations and relatives, these
services today however have been abused and are now
vulnerable grounds for cybercrime perpetuation. The
explosion of IM on mobile phones has constituted an essential
fraction in human day-to-day activities and as a result, mobile
phones are susceptible to enhancingillegal acts [31]. For a
typical crime investigation such as homicide, sexual assaults
or drug dealing, the leading types of data are mobile
messaging applications content files such as call logs, photos
and videos [30, 32].
2.2 Android Mobile Devices To be able to carry out a successful digital forensic
investigation process on any device, the hardware and
software architectural build-up of such a device must be
comprehensively studied and understood so as to be able to
identify where the digital evidence related information could
be sourced [33]. As an approach to investigating android
phone, the knowledge of the structure and composition of
android OS is inevitable. Android smartphones are mobile
devices whose operating system (OS) are same but with
diverse producers [34]. It is an Open-source Linux kernel
based OS developed to enable and enhance software binding
and compatibility within the context of different prototypes of
smartphone devices. Android OS platform services for mobile
devices such as smartphone and tablets were incepted in 2008
by Andy Rubin and today has become the utmost prevalent
Operating System for mobile devices [33, 34, 35, 36).
3. METHODOLOGY AND SYSTEM
SETUP This research was conducted with reference to the
comprehensive Digital forensic investigation methodological
guidelines published by [19] as illustrated in figure 1 below.
Figure 1: Digital forensic investigation process [19]
VMWare Linux based OS virtual machine running Android
studio on an 8GB RAM was built. Three emulated phones
with varying specifications such as memory capacity, density,
resolution, CPU/ABI were created with different Android
versions. The three phones where Nexus phone1 with Android
version 7.1.1 (Nougat), Galaxy Nexus with Android version
4.1 (Jelly Bean), and Nexus 5 with Android version 2.3.3
(Gingerbread) respectively. Each of them used Android SDK
as the major dependency. WhatsApp, Facebook and Skype IM
applications were installed on each of the devices. Chatting
activities like sending and receiving of text, images, emotions,
video, calls and audio were performed. Mobile Forensic tools
such as Autopsy [10], Encase [3] and FTK Imager were then
deployed to extract evidence on those virtual phones
3.1 Experimental Design In the experimental design of this research, IM applications
were downloaded and installed on each of the phones during
the research. Users’ activities such as sending of text
messages, WhatsApp calls and chats, skype calls and chats,
Facebooking and so on where performed on each of the three
mobile phones. For WhatsApp, a group communication
platform called ‘WHITE HACKERS’ was created. Members
of the group were actively involved in the chat. Forensic
phones imaging was taken using Autopsy, FTK Imager and
Encase. A copy of each was exported for memory content
extraction process. The system setup was divided into network
setup and data extraction phase. To control the artefacts
extraction process, bit-by-bit extraction procedure was
deployed by imaging each phone separately. The network
setup for the designed systems was basically built using three
network adaptors as shown below.
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
11
3.1.1 Ethernet adaptor VMware Network
Adaptor (VMnet1) VMnet1 adaptor was configured to be used by the host
machine for network bridging which through the network card
communication with the emulated phones can be made easily
via gateway provisioning which the NAT network offers.
Figure 2 captures the VMnet1 network adaptor configuration.
Figure 2: VMnet1 network adaptor configuration
3.1.2 Ethernet adapter VMware Network
Adapter (VMnet8) VMnet8 adaptor was setup for IP address remapping of the
Network Address Translation (NAT) so that information that
shall be transferred in the internet through network address
modification will be properly routed with the packet headers.
This network adaptor was included in the operating system
configuration of the virtual machine to enhance the
performance of the host system. This is illustrated by figure 2.
Figure 3: VMnet 8network adaptor configuration
3.1.3 Wireless Adapter Wi-Fi The wireless adaptor was enabled. This was to allow the
devices get connection to the wireless network signals used by
the physical machine. This is illusted by figure 4.
Figure 4: Wi-Fi Adaptor configuration
The forensic investigation setup for evidence extraction from
the emulated mobile devices was designed as shown below in
figure 5.
Figure 5: System setup for data extraction process
The figure above demonstrates the system set-up designed for
extracting the necessary artefacts. The emulated phones where
both built on API protocols with different android versions
and API levels respectively. The devices were connected to
the workstation via web interface where the investigator could
perform data extraction process. The workstation is where
forensic tools were installed.
3.2 Acquisition Techniques The first step was to set-up an investigation environment for
all the three devices and IM applications respectively.
Following the setup of the environment and the definition of
the list of target artefacts, the next steps were devoted to the
whole investigation itself; from phones seizure to evidence
extraction. The overall acquisition approach has two main
phases. In the first phase, session cloning technique was used
and in the second, forensic analysis was performed on the
data. Session cloning technique was deployed as an alternative
approach for communication interception of IM applications,
since intercepting communication traffic through Instant
Messaging vendor or ISP might be technically difficult or
impossible. Another problem encountered during the research
is that the researcher has no control over automatic update
from android repository and dependencies.
4. RESULTS In locating the artefacts, the extraction process was based on
each IM applications installed on each of the android mobile
devices.
4.1 Evidence extraction from WhatsApp
IM Application Here, a detailed description of “WhatsApp” Instant Messaging
application artefacts obtained through examination of each
phone is presented.
4.1.1 Evidence of installed and deleted IM Userdata-qemu component shows the location of the three IM
applications installed on this device with a common (. dex)
extension. This is captured shown as figure 6 below.
Figure 6: Userdata-qemu contents in the dalvik-cache
Autopsy used for the imaging extracted the data content of
both the installed and the deleted applications as shown in the
figure above. The deleted skype application with the dalvik-
cache data@[email protected]@classes.dex was
the first version of Skype installed which was not compatible
with this very version of the Android. The details of the
WhatsApp content (msgstore.db) and contacts (wa.db) was
further examined in the userdata-qemu which contained the
contacts, messages and call logs. Important evidence such as
downloaded files were observed. This was captured as figure
7.
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
12
Figure 7: Extracted contents of the sdcard memory
partition
Artefacts from WhatsApp were extracted using WhatsApp DB
Key extractor [9] Win-UFO v6.0and WhatsApp Viewer.
WhatsApp message contents stored in the message database
(msgstore.da) are in an encrypted format which requires an
extraction key during backup to be able to have access to the
application database. To have access to the readable content of
the database, a WhatsApp key database extractor version 2.1
was installed. An 8-character backup key was created during
the backup operation which helped to extract the msgstore.db,
wa.db, axolotl.db and chatsetting.db databases respectively as
shown in figure 8 below.
Figure 8: WhatsApp key DB extractor
Contacts extraction was executed using Autopsy on the
contact database (wa.db) and message (msgstore.db) of the
Android userdata-qemu table name as shown below. The
outcome of the experiment extracted the contacts, call logs
and messages sent as shown in Figure 5.
4.1.2 WhatsApp message artefacts WhatsApp exchanged messages were also extracted with
timestamp, flag and contents and contacts respectively as
shown in figure 9..
Figure 9: WhatsApp messages artefacts (with personal
information hidden)
4.1.3 WhatsApp Image artefacts Apart from the artefacts above, others such as image and
audio evidence were also extracted from WhatsApp IM
application using other forensic tools for further investigation.
The WhatsApp image file was found in the source file
img_sdcard.img/WhatsApp/media/WhatsApp/Images/IMG-
20161212-WA0000.jpg with an MD5 hash. This zis captioned
as figure 10.
Figure 10: WhatsApp image artefact extracted from the
sdcard
The picture image also showed the unchanged evidence which
has the same creation time with the modification timestamp
thus, suitable for court case. The metadata revealed that the
image is a WhatsApp image file with image extension
WAoooo.jpg. For security purposes, the face is masked in order to hide the person’s identity
4.1.4 WhatsApp Audio artefacts A total of 9 audio files where identified in the /img_userdata-
qemu.img/app/vmdof the tmp/reserve/raw/ phone partition.
These were the audio files exchanged during chatting. Figure 11 the audio artefacts extracted from userdata-qemu.
Figure 11: Audio artefactsextracted from userdata-qemu
4.1.5 WhatsApp call logs and contact artefacts There are two SQLite database files that are created in
Whatsapp: msgstore.db and wa.db. The msgstore.db file
embraced the conversation details between a user and their
contacts whereas wa.db stores information of users’ contacts.
The location of both the files were respectively:
i. /data/data/com.whatsapp/databases/msgstore.db
ii, /data/data/com.whatsapp/databases/wa.db.
The disk image of the emulated userdata-qemu.img of the
devices was found to have contained evidence (WhatsApp
contacts and call logs). Further investigation provided the
details of the call logs and the contact number with the
timestamp and call direction. Contacts evidences were masked
for privacy and security purposes. Digital evidence extracted
from WhatsApp contacts and call logs are shown below as
figure 12.
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
13
Figure 12: WhatsApp Contacts and call logs artefacts
4.2 Artefacts from Skype IM application Digital evidence such as record number, action type and time,
username, Chat message and ID between users where
extracted using Skype LogView. Figure 13 shows the Skype
logs artefacts
Figure 13:Skype logs artefacts
Although the above figure extracted the content of the Chat
Message, however, the extraction of chat identity of the
participants was unsuccessful. The forensic tool called Skype
log viewer[22] was then deployed to extract the ChatID as
shown with green mask in the figure 14.
Figure 14: Skype ChatID artefacts shown with green mask
Digital evidence such as record number, action type,
timestamp, message content and the chat ID’s of the respect
parties were also extracted. The research reveals that Skype
IM application provides a variety of features for user’s
identity including, video calling, voice calls and file transfers
much like MSN Messenger.
4.3 Artefacts from Facebook Application Some of the digital evidence extracted from the social media
(Facebook) are vital for this research and digital investigation.
4.3.1 Facebook User id and location artefacts During the experiment, a Facebook username ‘Ipoko Iduku’
was created. Activities were conducted during system
implementation. Facebook Forensics Toolkit was used to
extract communication contents as displayed in figure 15.
Figure 15: Facebook logs artefacts showing userid,
username and location
The Facebook indexed text of the account metadata revealed
the user id ‘100014492072263’, username ‘Ipoko Iduku’ and
country of location GB ‘Great Britain’. The tool however
failed to extract other information about the account such as
likes, friends, photos and messages.
4.3.2 Facebook message artefacts Further analysis was done on the userdata-qemu of the phone
NAND using Encase to get the message content of the
communicating ids. The result shows the artefacts in labeled
figure 16.
Figure 16: Facebook message contents artefacts
The communication contents were found in the userdata-
qemu.img/data/app/vmd-1485149232.tmpMETA
INFO/FACEBOOK.COM/ipoko.iduku directory unlocated
cluster at PS 11982396 of the phone’s disk. The
communication content was extracted from the cluster region
(\”msg\). {\text\”: “do u like fun?” =} to the message table
sorter which extracted the reply from the user’s numeric id
\”1000000555” \ with the message (\”msg\). {\text\”: “lol I
love facebook, it’s also awesome. Chatting is fun! \”}. The
experimental target retrieved Facebook artefacts between two
Facebook users Sharon and ipoko (both names are fictitious).
4.4 Security analysis of the research The security analysis shows that the latest version of Android
(nougat) has better security parameters imbedded in it more
than the earlier versions. However, it is observed that all
versions of the OS provide frequent updates which add more
features and amend their security flows. Also, all the versions
provide licence verification for security scanning during
applications downloads and installations. The latest version of
android proved that the hardware backed is enhanced greatly
with advanced HMAC and AES cryptographic primitives
which cannot be easily broken by an attacker. Tabulated
below are the security issues observed during the research
work on the three versions of the Android devices. A Security
comparison of the three-emulated android mobile devices is
summarized in table 1.
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
14
5. DISCUSSION Instant Messaging applications are commonly used by people
in the society today for legitimate work such as business
discussions, educational work, and others; yet they have been
used for criminal activities as mentioned above. These
applications could however leave potential information on the
memory. The research extracted artefacts left by the IM
applications (WhatsApp, Skype and Facebook) on virtual
Android mobile phones that are of evidential importance
when forensically analysed. The research outcome showed
that access to the databases of the IM applications for viewing
private chats is possible without necessarily compromising the
security policies of the OS such as rooting and jail breaking of
Android mobile devices. Further, it is observed that though
from all Android versions, evidence where extracted but
Android 7.1.1 has more security restrictions and precedence
over the others which cannot be easily exploited by hackers.
Digital evidence such as call logs, contact numbers,
timestamps, media files and so on were obtained. The
research has found that, all the artefacts extracted from
WhatsApp IM application where basically stored in the
userdata-
Table 1. Security comparison of the three-emulated
android mobile devices
Security
Features
Nexus 5
Android
2.3.3
Galaxy
Nexus
Android 4.1
Nexus PHONE1
Android 7.1.1
Encryptio
n
No disk encryption
Partial disk encryption
Supports full disk encryption and file
based encryption
Authentic
ation
Gatekeeper
authenticati
on
Gatekeeper
authentication
Both Gatekeeper
authentication and
fingerprint
authentication
SELinux No
enforcement Partial enforcement
Full enforcement of SELinux
Keystone Provides
simple crypto
services
such keymaster
Provides
simple crypto services such
keymaster
The hardware
backed is enhanced greatly with
advanced HMAC
and AES cryptographic
primitives
qemu.img/data/com.whatsapp/databases and sdcard-
qemu.img/data/com.whatsapp/databases of the simulated
devices memory partition. Artifacts like Chat history,
messages, received and sent images, audio files, userdata,
contact lists, call details were found in these memory
partitions which can help forensic investigators in any cyber
investigation.
Similar to the research conducted by Nelson et al. (2014)
which highlighted key challenges facing mobile forensic
investigation, this research encountered similar problems
during the investigation. Some of which are:
Continuous application updates. Updates are ceaselessly released by the developers of the
applications and OS installed in the phone which makes it
hard for forensic examiners to understand every updated
feature and to be ready to deal with new methods of forensic
examination with available old tools only. This makes
presenting and proving of evidence integrity in the court of
law by forensic investigators very challenging. In addition,
there was no absolute control over the updates of the android
phones since the research has no control over them.
Selection of Appropriate Mobile Forensic Extraction Tool.
Effective extraction of digital evidence from smartphone is
very much sophisticated than when dealing with computer
forensics. There is no recommendation on any specific tool
for a specific mobile investigatory case. Mobile investigators
have to apply different forensic tools and techniques for
different cases and OS which is time consuming and requires
expert knowledge on all mobile forensic available tools which
is not possible.
Hardware Difference The frequent emergence of different hardware models of
mobile phones flooding the market daily with different
chipsets size and features by diverse manufacturers makes
forensic investigation of mobile phones quite challenging.
Recurrent daily landscape modification of mobile phones has
placed a critical task for mobile examinations to keep an up to
date knowledge of all the techniques deployed for mobile
investigation.
Mobile Accidental Reset Digital evidence is lost when mobile phones are reset. During
examination, there is always tendency to accidentally apply
the reset features imbedded in the mobile phone. Other
challenges that might encounter during forensic investigation
include passcode recovery, mobile alteration, communication
shielding, evidence dynamism, legal issues and malicious
programs on the mobile phone.
Mobile Anti-Forensics Activities Anti-forensic activities of criminals are another challenging
factor to forensic examiners during mobile investigation. As a
result, wrong conclusions are often made by mobile forensic
examiners due to anti-forensics tactics deployed by attackers
to damage electronic evidence. Some of the anti-forensic
approaches include: mobile data contraception, mobile data
hiding, mobile data misdirection, mobile logs swiping and
mobile data destruction.
6. CONCLUSION The study was focused on extracting and analysing the
artifacts which were live on the Android phone’s memory.
Forensic tools were able to provide the Artifacts related to
“IM” apps by providing folder by folder Analysis of the
Extracted data all possible artifacts related to “WhatsApp”
and “Skype” applications were found along with timestamps.
Artifacts extracted included Chat history, messages, received
and sent images and video file locations in sdcard, cache,
userdata, contact lists, call details, etc. These artifacts can help
forensic investigators and security agencies in cyber
investigation. The experiments and results showed that heavy
amount of potential evidences can be found on simulated
Android phones which is another area criminals are exploiting
to perform cyber-attacks.It is also worth noting that extracted
artefacts from IM applications can assist in checking terrorist
activities of a society as could be seen in the case of a 24 old
Tunisian named Amri who was found on Saturday 24
December 2016 by the US communication agency to have
involved in a communication chat with a terrorist group called
ISIS where he pledged his allegiance to the group for suicide
attacks when his mobile Telegram messaging application was
examined. The researcher recommended the following
security measures for android communities:
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
15
i. Security modifications of mobile settings such as
jailbreaking or rooting should be highly discouraged
when investigating IM applications on smartphones.
ii. Side loading of IM applications from untrusted sites
outside android application store should be avoided
to reduce mobile malware infection.
iii. Users of android phones should upgrade from using
older versions (Gingerbread) to newer versions of
the OS to avoid been exploited.
In conclusion, no one could doubt the fact that cybercriminals
are making extra efforts to hide attacks through anti-forensic
tactics such as logs clearing. Most of these deeds are moving
from physical realm of attacks to virtuality which calls for in-
depth understanding of virtually based applications and
devices in order to have a successful forensic investigation
that is virtually based. The experiments and results showed
that heavy amount of potential evidences and valuable data
can be found on emulated Android mobile phones. Future
work can be done on extracting similar IM applications based
digital evidence using other virtual OS mobile platforms such
as iOS, blackberry and window phones.
7. REFERENCES [1] Al Barghouthy, N. and Marrington, A. (2014). A
Comparison of Forensic Acquisition Techniques for
Android Devices. International journal of New
Technologies, Mobility and Security, vol. 7, No. 4, pp. 1-
4.
[2] Amari, K. (2009). Techniques and tools for recovering
and analysing data from volatile memory. Available at:
https://www.sans.org/reading-
room/whitepapers/forensics/techniques-tools-recovering-
analyzing-data-volatile-memory-33049. (Accessed: 28th
October 2017).
[3] Andrikopoulos, V. and Di Nitto, E. (2014). Message
from the EnCASE 2014 Workshop Chairs. International
Enterprise Distributed Object Computing Conference
Workshops and Demonstrations, pp. 152-153.
[4] Ayers, R., Brothers, S. and Jansen, W. (2013).
Guidelines on Mobile Device Forensics (Draft). NIST
Special Publication, vol. 8, No. 5, p.101.
[5] Casey, E. (2011). Digital evidence and computer crime:
Forensic science, computers, and the internet. Academic
press.
[6] Dibb, P. and Hammoudeh, M. (2013). Forensic Data
Recovery from Android OS Devices: An Open Source
Toolkit. In Intelligence and Security Informatics
Conference (EISIC). pp. 226-226.
[7] Do Q., Martini, B. and Choo, K.K.R. (2015). A Cloud-
Focused Mobile Forensics Methodology. Journal of
digital forensics investigation, vol. 2, No. 4, pp. 60-65.
[8] Faheem, M., Le-Khac, N.A., Lit, K.P., Kui, S., Fanry, L.,
& Kechadi, T. (2014). Smartphone Forensic Analysis: A
Case Study for Obtaining Root Access of an Android
Samsung S3 Device and Analyse the Image without an
Expensive Commercial Tool. Journal of Information
Security, vol. 5, No. 3, pp. 78-83.
[9] Gudipaty, L.P. and Jhala, K.Y. (2015). WhatsApp
Forensics: Decryption of Encrypted WhatsApp
Databases on Non-Rooted Android Devices. Journal of
Information Technology & Software Engineering, vol. 5,
No. 14, pp.216-786.
[10] Inglot, B. and Liu, L. (2014). Enhanced timeline analysis
for digital forensic investigations: A Global Perspective.
Journal of Information Security, vol. 23, No. 2, pp. 32-
44.
[11] Iqbal, A., Marrington, A. and Baggili, I. (2013). Forensic
artifacts of the ChatON Instant Messaging application. In
Systematic Approaches to Digital Forensic Engineering
(SADFE), IEEE Eighth International Workshop, pp. 1-6.
[12] Kalaimannan, E. (2015). Smart Device Forensics-
Acquisition, Analysis and Interpretation of Digital
Evidences. 2015 IEEE International Conference on
Computational Science and Computational Intelligence
(CSCI). pp. 837-838.
[13] Kausar, F. (2014). New Research Directions in the area
of Smart Phone Forensic Analysis. International Journal
of Computer Networks & Communications, vol. 6, No. 4,
pp. 99.
[14] Khan, S., Gani, A., Wahab, A.W.A., Bagiwa, M.A.,
Shiraz, M., Khan, S.U., Buyya, R. and Zomaya, A.Y.
(2016). Cloud Log Forensics: Foundations, State of the
Art, and Future Directions. ACM International Journal of
Computing Security, vol. 4, No. 9, pp. 7-11.
[15] Mahajan, A., Dahiya, M.S. and Sanghvi, H.P. (2013).
Forensic analysis of instant messenger applications on
Android devices Auckland, New Zealand.
[16] Mahalik, H. (2014). Introduction to Mobile Forensics.
Packt Publishing Ltd.
[17] Mumba, E.R. and Venter, H.S. (2014). Mobile forensics
using the harmonised digital forensic investigation
process. Information Security for South Africa, pp. 1-10.
[18] Murphy, C. (2011). Cellular Phone Evidence Data
Extraction and Documentation. Available at:
https://mobileforensics.files.wordpress.com/2010/07/cell
-phone-evidence-extraction-process-development-1-1-
8.pdf. (Accessed: 28th October 2017).
[19] Nelson, B., Phillips, A. and Stuart, C. (2014). Guide to
computer forensics and investigations. United Kingdom:
Cengage Learning.
[20] Owen, P. and Thomas, P. (2011). An analysis of digital
forensic examinations: Mobile devices versus hard disk
drives utilising ACPO & NIST guidelines. Digital
Investigation, 8(2), pp.135-140.
[21] Santos, M., Alves, T., Neto, R. (2016). Forensic
Simplified Methodology for Android Data Extraction.
International Journal of Innovative Research in
Computer and Communication Engineering, vol. 4, No.
4, pp. 1111-1119.
[22] Seufert, M., Hoýfeld, T., Schwind, A., Rayto, K., Burger,
V. and Tran-Gia, P. (2016). Group-based communication
in WhatsApp. In IFIP Networking Conference (IFIP
Networking) and Workshops, pp. 536-541.
[23] Shortall, A. and Azhar, M.H.B. (2015). Forensic
acquisitions of WhatsApp data on popular mobile
platforms. IEEE Sixth International Conference on
Emerging Security Technologies (EST), pp. 13-17.
[24] Tajuddin, T.B. and Manaf, A.A. (2015). Forensic
investigation and analysis on digital evidence discovery
through physical acquisition on smartphone. In 2015
World Congress on Internet Security, pp. 132-138.
Circulation in Computer Science, Vol.2, No.11, pp: (8-16), December 2017
www.ccsarchive.org
16
[25] Thakur, R., Chourasia, K. and Singh, B. (2012). Cellular
Phone Forensics. International Journal of Scientific and
Research Publications, vol. 2, No. 8), pp. 456-532.
[26] Witteman, R., Meijer, A., Kechadi, M.T. and Le-Khac,
N.A. (2016). Toward a new tool to extract the Evidence
from a Memory Card of Mobile phones. In IEEE 2016
4th International Symposium on Digital Forensic and
Security (ISDFS), pp. 143-147.
[27] Yang, T.Y., Dehghantanha, A., Choo, K.K.R. and Muda,
Z. (2016). Windows instant messaging app forensics:
Facebook and Skype as case studies. International
Journal of Digital Forensics, vol. 11, No.3, pp. 150-185.
[28] National Institute of Standards and Technology (NIST)
and United States of America (2004). Forensic
Examination of Digital Evidence. A Guide for Law
Enforcement. Available at:
https://www.ncjrs.gov/pdffiles1/nij/199408.pdf.
(Accessed: 27 October. 2017).
[29] Aji, M. P., Riadi, I., & Lutfhi, A. (2017). The Digital
Forensic Analysis of Snapchat Application Using Xml
Records. Journal of Theoretical & Applied Information
Technology, vol. 95, No. 19, pp.
[30] Ab Rahman, N.H., Kessler, G.C. and Choo, K.K. (2017).
Implications of Emerging Technologies to Incident
Handling and Digital Forensic Strategies: A Routine
Activity Theory. In Contemporary Digital Forensic
Investigations of Cloud and Mobile Applications, pp.
131-146.
[31] Holt, T.J., Fitzgerald, S., Bossler, A.M., Chee, G. and
Ng, E. (2016). Assessing the risk factors of cyber and
mobile phone bullying victimization in a nationally
representative sample of Singapore youth. International
journal of offender therapy and comparative
criminology, vol. 60, No. 5, pp.598-615.
[32] Mishra, M., Maske, D. and Deshpande, N. (2016).
Remote Desktop Monitoring Using Android Mobile
Phones. International Journal of Research, vol. 3, No. 3,
pp.599-601.
[33] Quick, D. and Alzaabi, M. (2011). Forensic Analysis of
the Android File System yaffs2. Available at:
http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1100&c
ontext=adf. (Accessed: 6th November 2016).
[34] Omeleze, S. and Venter, H.S. (2013). Testing the
harmonised digital forensic investigation process model-
using an Android mobile phone. IEEE 2013 Information
Security for South Africa, pp. 1-8.
[35] Albano, P., Castiglione, A., Cattaneo, G. and De Santis,
A. (2011). A novel anti-forensics technique for the
android OS. In Broadband and Wireless Computing,
Communication and Applications (BWCCA)
International Conference, pp. 380-385.
[36] Immanuel, F., Martini, B. and Choo, K.K.R. (2015).
Android cache taxonomy and forensic process. In
Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, No. 5, pp.
1094-1101.
CCS | 2017 | ISSN 2456-3692
Published by: CSL Press, USA