Professional Documents
Culture Documents
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
In recent years, we have witnessed a rapid increase Application Google Play Download
in the use of Voice over IP (VoIP) as the new form Skype 100,000,000 - 500,000,000
of online communication in mobile devices. downloads
Smartphones have taken up the market so well that WhatsApp 500,000,000 - 1,000,000,000
nearly every adult in the world today owns at least Messenger downloads
one Smartphone which aids interaction, Viber 100,000,000 - 500,000,000
socialization and information sharing at a very low downloads
cost compared to the traditional communication
techniques. Unfortunately and regrettably,
smartphones have become a source of Table 1 shows each application download rate on
communication in certain cyber terrorism or cyber Google Play store while Table 2 shows different
crime conspiracies as well. Therefore, the features of the mVoIP. This paper is aimed to
acquisition of digital probative is an indispensible conduct a forensic examination of three widely
and imminent task for digital forensic investigators used mVoIP applications used on Android
119
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
devices. The analysis is aimed on data and 2. RELATED WORKS
information stored by each of the application on
the phone and the forensic data extraction According to [6], while this technological
techniques. diversity and unending constant innovation maybe
good for end-users, it makes it more challenging
Table 2. Features of mVoIP Applications for forensics experts to keep up on track. In [7],
the future trends in digital investigation was
Features Skype WhatsApp Viber investigated and detected mobile-phone forensics
Textchat ! ! ! as one of the fastest growing fields. There have
Send image & ! ! ! been many works in forensic field which focuses
Receive image on acquisition techniques and general forensics
Send video & ! ! ! analyses of smartphones. The forensic
Receive video examination on BlackBerry was conducted in [8],
Send audio & ! ! ! and it described few methods of examination
Receive audio which include using forensic tools while [9]
Incoming call ! ! ! proposed a framework for investigation of
& Outgoing call Samsung Phones. Several researchers have
Group Call ! proposed various framework for the investigation
Group Chat ! ! of Nokia mobile devices and for Firefox OS [10],
Sharing V-Cards ! [11]. The research carried out in [12] shows that
& Contacts artifact such as SMS, logs, MMS, photos, videos,
calendar notes, emails, browser history and web
bookmarks can be extracted from the internal
The aim of this paper work is to determine storage of any mobile device.
potential artifacts of activities identified in Table
4.It is intended that artifacts like timestamps, IP The comparison of forensic evidence recovery
address, phone number and pictures would not techniques for a Windows Mobile smartphone was
only provide a summary of what is relevant for presented in [13]. The comparison demonstrates
mobile forensics practitioners but save forensic that there are different techniques to acquire and
practitioners' resources and time during future decode information of potential forensic interest in
investigation in similar cases. Windows Mobile smart phone. Several tests on
Nokia mobile phones were conducted using
The paper is organized as follows. Section 2 forensically sound tools like MOBILedit, Oxygen
reviews the related work in the area of mobile Phone Manager, TULP 2G, MOBILedit, Seizure
forensics investigation, mVoIP forensics, and and Paraban Cell. The state-of-the-art SIM
social network application forensics and also forensic tools was evaluated in order to understand
describes the various tools used in smartphones limitations and capacities in their data acquiring,
examination in terms of mobile applications and examination and analyses. The evaluated tools
logical image acquisition. Section 3 describes the include MOBILedit, ForensicSIM, GSM.XRY
methodology and tools used throughout the Cell Seizure, SIMCon, Forensic Card Reader,
project. It also defines the proposed framework, SIMIS and TULP. The results show that most
classifies, enumerates and analyzes the stages information such as SMS/EMS and IMSI could be
involved in the project by providing the necessary found using these tools [14]. Furthermore, A
background knowledge. Section 4 reports the forensic examination on Windows Mobile device
results from the forensic analysis of the mVoIP database (the pim.vol) file was carried out in [15],
applications. And finally, Section 5 concludes the the result of the examination confirmed that
paper based on the result of the research and also pim.vol contains information related to contacts,
proposes future work. call history, speed-dial settings, appointments, and
tasks.
120
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
A critical review of seven years of mobile device these applications. Studies in [27], [28] did a
forensics was conducted and the review showed similar work by forensically analyzing of
that many publications in the area of Android WhatsApp Messenger on Android platforms.
device forensics have been done. However, there
are very few research works that supports the 3. ENVIRONMENTAL SETUP
varying levels of Android memory investigation
The tools used in this experiment is chosen based
[16]. A research project published in DFRWS
on the standards established by the National
2010 Annual Conference discussed technical
Institute of Standards and Technology (NIST) to
issues faced during capturing Android physical
ensure the reliability, quality and validity of results
memory [17]. Also, a volatilitux project by
(National Institute of Standards and Technology,
Girault [18] provided a limited analysis on the
2001). A rooted Android phone was used to
running processes enumeration, memory maps and
conduct the experiment.
open files. Android-based smartphones like
Samsung Galaxy's logical image can be acquired Before conducting the experiments, the necessary
using either a logical method or a physical work stations have been properly set up and well
method. The physical acquisition technique configured (i.e. needed tools both software and
consists of obtaining a binary image of the hardware). Table 3 shows the supported platform
device’s memory and it requires root access of the and authentication methods used by the mVoIP
device [19]. applications.
More so, an acquisition methodology based on The tools listed below were used for the research.
overwriting the “Recovery” partition on the
Android device’s SD card with specialized • Android platform phone (Samsung S3 GT-
forensic acquisition software was discussed in i9300 Firmware version 3.0.31)
[20]. Indicators to measure performance of mobile • mVoIP applications (Skype, WhatsApp
forensic data acquisition techniques in Firefox OS and Viber (Table 3))
were developed in [21] while a unified framework • Access Data FTK Imager (v 3.1.4.6): This
for investigation of different types of smartphone tool was used to explore the logical
devices was developed in [22]. acquired image (internal memory) of the
Samsung S3.
The vast interest of digital investigators in instant • SQLite Database Browser 2.0b1: This
messaging artifacts has been reflected in the visual tool was used to explore the
stream of research in the area of digital forensics. database extracted from each application
Authors in [23] claimed to be the first to carry out after identifying the folders using Access
a forensic analysis of Skype on Android platform. Data FTK Imager
They investigated both the NAND and RAM flash
• Internet Evidence Finder Timeline (IEF
memories in different scenarios. The results show
v6.3) : This tool provides a view of each
that chat and call patterns can be found in both of
artifact on a visual timeline without any
NAND ad flash memories of mobile devices
need to convert artifacts like timestamps
regardless of whether the Skype account being
• USB data cables
signed out, signed in or even after deleting the call
history. In addition, authors in [24], [25] • Root-Kit ( Frameware CF-Auto-Root- m0
conducted a VoIP applications digital evidences m0xx-gti9300): This frameware was used
recovering in computer systems and show that to root the device.
Skype information is recoverable from the • Odin3 (version 3.07): This tool enables the
physical memory. A forensic analysis of several uploading of the root-kit frameware to the
instant messaging applications including (Skype Android device.
and WhatsApp) was carried out in [26] but • Laptop with Backtrack 5r3 OS
focused more on encryption algorithms used by
121
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
• Epoch & Unix Timestamp Converter: This Table 4. Activities Performed on the mVoIP Applications
tool was used to convert the timestamp
Activities Skype WhatsApp Viber
found in hex format.
Textchat ! ! !
• WiFi network is used as the
Send image ! ! !
communication channel.
Receive image ! ! !
Send video ! ! !
Table 3. Supported Platforms and Authentication Receive video ! ! !
Methods of the mVoIP Applications Send audio ! ! !
Receive audio ! ! !
Incoming call ! !
Authentication
Outgoing call ! !
Applications
Platforms
Version
mobile
Size
4. RESULTS AND DISCUSSION Figure 2 contains the avatar icon of each contact in
the WhatsApp application while Table 5 shows all
This section describes the uniqueness of each the artifacts found.
mVoIP application’s directory path and the
123
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
Table 5. Artifacts Analysis of the Avatars Figure 3 shows the content of the wa.db database
which are phone numbers, names and status. The
Application Features Artifact Found blue area is the status while the red underlined is
WhatApp Profile Image Found with the contact names; the phone numbers are grayed
Messenger timestamp out for privacy. These artifacts can be of great
MD5 Hash Found with value to actually track down suspects (For
timestamp instance, if a criminal updated his/her WhatsApp
SHA1 Hash Found with status to “Gunshot in Bank XYZ”) and in few days
timestamp time a robbery took place in Bank XYZ. With
artifacts like this, a digital forensic specialist
would know how to relate the status to the actual
Avatar pictures shown in Figure 2 have
incident and back it up with other artifacts.
evidentiary value as shown in Table 5 in the sense
that they can be directly linked to a particular
WhatsApp account and identify the person using
the account. Alongside the avatar pictures, the
user's name and phone number are also valuable to
forensic specialists.
124
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
125
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
126
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
caller’s timestamp
number
Send Images File Path found
with timestamp
Receive File Path found
Images with timestamp
GPS Found with
coordinates timestamp
Performed
Artifact
127
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
128
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
Table 10. Artifacts Analysis of /SkypeID/main.db recovered. In mobile devices, evidential data that
contains data indentified in Table 10 can be
recovered and can prove fruitful for an
Application
Performed
Activity investigation. To illustrate this, assuming a
Artifact
Found
particular user is involved in a cyber crime and the
user's phone is being investigated. Table 10
identifies and equally provides a rich source of
Skype Skype # Skype name evidence when investigating crimes related to
contact # Full Name Skype. Artifacts in both Figure 13 and Figure 14
lists # Birthday show the incoming and outgoing call, the
# Gender timestamp associated with a particular call is
# Country captured along with the call duration. With this
# Mobile evidence, a suspect cannot deny initiating or
number engaging in such a call. This would give forensic
# Email examiners a stronger convincing power in court of
address law when handling the case. However, Figure 15
# Registered clearly shows that the full contact detail (full
date name, date of birth, phone number(if any) , date of
timestamp Skype creation and email) of the Skype owner can
Textchat # Text message be obtained too, which makes it easy for forensic
# Message type practitioner to be able to track down the suspect in
# Status question. Figure 17 shows that the IP address
# Chat ID reflects the “externally visible” IP address of the
# Recipient ID device where Skype is running, i.e. the IP address
Calls # Local user of the outermost NAT gateway connecting the
details device to the Internet. The IP address plays a
# Remote user significant role in terms of geographical location
details of parties involved in the crime. This artifact can
# Call duration be useful for attribution as it indicates the IP
# Calltype address the device used to connecting to the
(incoming/outgoing Internet. This may help tie a subject to a particular
File # Timestamp IP address and activity originating from that
Transfer # File address. Having found artifacts like name, email,
(Images/ Size(Bytes) mobile number, date of birth, gender and country,
Video/ # Status it would be easily for a forensic investigator to
Video) further carry out the investigation based on what
Voicemail # Caller’s ID has been found and it would be easy to
# Voicemail geographically point where they reside.
size
# Status 5. CONCLUSION AND FUTURE WORK
IP # UserID Table 11summarizes the result acquired from the
Location # IP Address forensic analysis of WhatsApp Messenger, Viber
# Timestamp
and Skype. Both WhatsApp Messenger and Viber
share almost the same potential evidentiary
artifacts but in WhatsApp Messenger, no call
Most people or even suspect actually think that
duration nor GPS coordination due to the feature
physically deleting or clearing chat histories
of the application. Skype has more interesting
destroys the Skype logs and believes that the data
artifacts like both local and private IP addresses;
associated with a particular account cannot be
129
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
which are good enough to further investigation on There are varieties of Smartphone’s lock screen
a particular case. Artifacts listed in Table 11 are apps, app lock, SMS and picture locks; some of
vital evidence that open up a case or provides a these "locks" encrypt the data stored on the mobile
host of line in further investigation when dealing device when locked and it also locks the device
with crime related to mobile devices and mobile interface. This could be an issue for digital
application. forensic specialist when examining such a device.
A comprehensive research in this area on different
Table 11. Summary of Potential Evidentiary Artifacts Found
mobile operating system platforms would really be
MVoIP Potential Evidentiary Artifacts of vital information to digital forensic
Application investigation.
WhatsApp Messages, contact names, phone
Messenger numbers, images, video, audio
and timestamps. REFERENCES
Viber Messages, contact names, phone
numbers, images, videos, audios, 1. H. Chu, S. Yang, S. Wang and J. Park, 'The Partial
timestamps, gps coordinates, Digital Evidence Disclosure in Respect to the Instant
Messaging Embedded in Viber Application Regarding
blocked numbers and call an Android Smart Phone', Springer, pp. 171--178,
durations 2012.
Skype Messages, voicemail, file
transfer, contact details, emails, 2. M. Al-Zarouni, 'Mobile handset forensic evidence: a
challenge for law enforcement', School of Computer
phone number, images, videos, and Information Science, Edith Cowan University,
audios and IP Addresses Perth, Western Australia, 2006.
Few research works have explored and addressed 3. M. Husain and R. Sridhar, 'iForensics: forensic analysis
of instant messaging on smart phones', Springer, pp. 9-
the forensic recovery and analysis of activities -18, 2010.
carried out on social network and instant
messaging applications on smartphones. However, 4. Eweek.com, 'Android Ships 33M Smartphones to Lead
World: Canalys', 2014. Online.. Available:
these researches have limited information in terms
http://www.eweek.com/c/a/Mobile-and-
of logical acquisition and artifacts recovery. In this Wireless/Android-Ships-33M-Smartphones-to-Lead-
paper, the research examined the legal forensic World-Canalys-162803. Accessed: 12- Aug- 2014..
aspect of mVoIP applications misuse on
5. S. Perez, 'IDC: Android Market Share Reached 75%
smartphones. The study explored the forensic
Worldwide In Q3 2012 | TechCrunch',TechCrunch,
acquisition, examination and analysis of the 2012. Online.. Available:
logical image of a smartphone. The experiment http://techcrunch.com/2012/11/02/idc-android-market-
consists of three top-rated mVoIP applications share-reached-75-worldwide-in-q3-2012. Accessed:
installation, conducting usual user activities on 12- Aug- 2014..
each of the applications, acquiring the logical 6. J. Gonzalez, J. Hung and S. Friedberg LLC, 'Mobile
image in a forensically sound approach, and then Device Forensics: A Brave New World? | STROZ
perform a manual forensic analysis on each of the FRIEDBERG', Strozfriedberg.com, 2011. Online..
installed mVoIP application. Available:
http://www.strozfriedberg.com/mediaevents/publicatio
ns/jason-gonzalez-and-james-hung-of-stroz-friedberg-
This paper successfully creates a forensic co-authored-mobile-device-forensics-a-brave-new-
framework for forensic analysis and the discussed world-featured-in-bloomberg-law-reports-technology-
result indicated that potential evidentiary artifacts law. Accessed: 12- Aug- 2014..
can be found on Android devices and such 7. F. Dezfoli, A. Dehghantanha, R. Mahmoud, N. Sani
evidence can be presented in the court of law by a and F. Daryabar, 'Digital Forensic Trends and
forensic investigator when handling a case related Future',International Journal of Cyber-Security and
to cyber terrorism or cybercrime conspiracies.
130
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 119-131
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
Digital Forensics (IJCSDF), vol 2, iss 2, pp. 48--76, 19. J. Lessard and G. Kessler, 'Android Forensics:
2013. Simplifying Cell Phone Examinations.', Purdue
University, 2010.
8. M. Burnette, COMPUTER FORENSICS, 2002.
Online.. Available: 20. T. Vidas, C. Zhang and N. Christin, 'Toward a general
http://www.mandarino70.it/Documents/Blackberry%20 collection methodology for Android devices',digital
Forensics.pdf. Accessed: 12- Aug- 2014.. investigation, vol 8, pp. 14--24, 2011.
10. S. Mohtasebi, A. Dehghantanha and H. Broujerdi, 22. S. Mohtasebi and A. Dehghantanha, 'Towards a
'Smartphone Forensics: A Case Study with Nokia E5- Unified Forensic Investigation Framework of
00 Mobile Phone', International Journal of Digital Smartphones.', International Journal of Computer
Information and Wireless Communications (IJDIWC), Theory \& Engineering, vol 5, iss 2, 2013.
vol 1, iss 3, pp. 651--655, 2011.
23. M. I.Al-Saleh and Y. A. Forihat, 'Skype Forensics in
11. S. Mohtasebi and A. Dehghantanha, 'Towards a Android Devices', International Journal of Computer
Unified Forensic Investigation Framework of Applications, vol 78, iss 7, pp. 38-44, 2013.
Smartphones.', International Journal of Computer
Theory \& Engineering, vol 5, iss 2, 2013. 24. J. Slay and M. Simon, 'Voice over IP forensics',
Proceedings of the 1st international conference on
12. S. Punja and R. Mislan, 'Mobile device analysis', Small Forensic applications and techniques in
Scale Digital Device Forensics Journal, vol 2, iss 1, telecommunications, information, and multimedia and
pp. 1--16, 2008. workshop, January 21-23, 2008, Adelaide, Australia, p.
10, 2008.
13. G. Grispos, T. Storer and W. Glisson, 'A comparison of
forensic evidence recovery techniques for a windows 25. M. Simon and J. Slay, 'Recovery of Skype Application
mobile smart phone', Digital Investigation, vol 8, iss 1, Activity Data from Physical Memory', 2010
pp. 23--36, 2011. International Conference on Availability, Reliability
and Security, Krakow, Poland, pp. 283 - 288, 2010..
14. B. Williamson, P. Apeldoorn, B. Cheam and M.
Mcdonald, 'Forensic analysis of the contents of Nokia 26. N. Al Barghuthi and H. Said, 'Social Networks IM
mobile phones', 4th Australian Digital Forensics Forensics: Encryption Analysis.', Journal of
Conference, Edith Cowan University, p. 36, 2006 Communications, vol 8, iss 11, 2013.
15. M. Kaart, C. Klaver and R. van Baar, 'Forensic access 27. A. Mahajan, M. S. Dahiya and H. P. Sanghvi, 'Forensic
to Windows Mobile< i> pim. vol</i> and other Analysis of Instant Messenger Applications on
Embedded Database (EDB) volumes', Digital Android Devices', International Journal of Computer
Investigation, vol 9, iss 3, pp. 170--192, 2013. Applications, vol 68, iss 8, pp. 38-44, 2013.
16. K. Barmpatsalou, D. Damopoulos, G. Kambourakis 28. Thakur, Neha S., "Forensic Analysis of WhatsApp on
and V. Katos, 'A critical review of 7 years of Mobile Android Smartphones" University of New Orleans
Device Forensics', Digital Investigation, vol 10, iss 4, Theses and Dissertations. Paper 1706, (2013).
pp. 323--349, 2013.
29. K. Kumar, S. Sofat, S. Jain and N. Aggarwal,
17. V. Thing, K. Ng and E. Chang, 'Live memory forensics 'International Journal of Engineering Research and
of mobile phones', digital investigation, vol 7, pp. 74-- Development', Significance of Hash Value Generation
82, 2010. in Digital Forensic: A Case Study, vol 2, iss 5, pp. 64-
70, 2014.
18. E. Girault, 'Volatilitux : Physical memory analysis of
Linux systems | Segmentation
fault',Segmentationfault.fr, 2010. Online.. Available:
http://www.segmentationfault.fr/projets/volatilitux-
physical-memory-analysis-linux-systems/. Accessed:
15- Aug- 2014..
131