Digital forensics on facebook messenger application in an android smartphone based on NIST SP 800-101 R1 to reveal digital crime cases

Conference Paper in Procedia Computer Science · January 2023


DOI: 10.1016/j.procs.2022.12.123


All content following this page was uploaded by Samsul Arifin on 10 January 2023.

Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 216 (2023) 161–167
www.elsevier.com/locate/procedia

7th International Conference on Computer Science and Computational Intelligence 2022

Bagus Pribadi a, Sri Rosdiana a,*, Samsul Arifin b

a Politeknik Siber dan Sandi Negara, Jl. Raya H. Usa, Putat Nutug, Kec. Ciseeng, Bogor, Jawa Barat, 16120, Indonesia
b Statistics Department, School of Computer Science, Bina Nusantara University, Jakarta, 11480, Indonesia

Abstract

Android is the world's most popular operating system. In the Android system, communication applications can be installed, for example, Facebook Messenger, which is one of the most popular communication applications with 988 million active users. As a medium for communication and data exchange, the Facebook Messenger application may be misused by unauthorized parties for cybercrime. This action is usually done to obtain a one-sided profit for unauthorized parties. After committing cybercrime, cybercriminals will delete all of the data to remove digital evidence. Digital forensics serves the challenge of uncovering evidence in investigations. Digital forensics on the Facebook Messenger application is needed to help the authorities organize digital evidence when the disclosure process is performed. The data revealed through the digital forensics process can reinforce existing evidence in a court. In this research, digital forensics on the Facebook Messenger application was conducted with data deletion scenarios and application uninstall scenarios. The results are digital evidence in the form of Facebook Messenger application information, photo, and video sent by the cybercriminal. The conversation and audio evidence could not be located because there was no rooting process, or the smartphone was in an unrooted state. When the uninstall process was carried out, the smartphone automatically deleted all the data including thumbnails. However, the digital forensics process in an unrooted state on the Facebook Messenger application can still produce digital evidence that can be used in the court.

© 2023 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the 7th International Conference on Computer Science and Computational Intelligence 2022

Keywords: digital forensic; facebook messenger; NIST SP 800-101 R1

* Corresponding author. Tel.: +622518541742, E-mail address: sri.rosdiana@poltekssn.ac.id

1877-0509 © 2023 The Authors. Published by Elsevier B.V.

1. Introduction

The process of identifying, collecting, examining, and analyzing data while maintaining its integrity is known as
digital forensics [1]. The forensic process will produce digital evidence used by cybercriminals [2], which is helpful
for law enforcement in court [3]. The most widely used mobile operating system worldwide, Android, is capable of
supporting digital forensics [4].
Applications for communication can be installed on an Android system, such as Facebook Messenger, one of the
most popular options with 988 million active users [5]. The ease of technology does not rule out the existence of
digital criminality [6]. Cybercrime or digital crime can occur, including pornography, violence, intimidation, hoax,
and illegal transactions [7].
Every digital crime must leave traces or pieces of evidence that can be used as investigation material [8].
However, cybercriminals can remove those traces by deleting the digital evidence stored on the electronic device [9].
Therefore, it is necessary to carry out digital forensics to find digital evidence after a digital crime has occurred
[10]. The case selected in this study is drug trafficking through digital media. Narcotics are substances
or drugs derived from plants or non-plants, both synthetic and semi-synthetic, which can cause a decrease or change
in consciousness, loss of taste, reduce or eliminate pain, and can cause dependence, and which are divided into groups
as referred to in UU Number 35 Year 2009 [11]. This study aims to find evidence of conversations in which drug sellers
offer drugs to buyers, of deals on drug prices, and of the location of the transaction. In addition, this study also aims
to obtain digital evidence in the form of photos (for example, photos of drugs and photos of places where sellers and
buyers met), audio (voice notes sent by sellers and buyers), and videos (videos of where transactions were occurring)
that support the transaction process. Mobile forensics is the area of digital forensic science that searches for and
examines digital crime on smartphones or other mobile devices [12]. According to Article 5 of Law Number 11 of
2008 Concerning Electronic Information and Transactions (UU ITE), electronic information and electronic
documents are extensions of legal evidence in Indonesia [13]. This means that digital evidence in criminal court can
be legally accounted for.
The analysis of the Facebook Messenger application utilizing NIST [14] and NIJ [15] techniques was part of a
study on digital forensics in the search for digital evidence. In addition, a study [16] had already analyzed an instant
messenger application based on Android. A study on the deletion of data from instant messaging applications had
also been conducted on Facebook Messenger, and the findings were supported by digital proof in the form of texts,
photographs, and videos [17]. The next study [7] discussed smartphone forensics after using the unsend
message feature of social media applications. The results showed that artifacts could only be found by UFED on
Instagram, WhatsApp, Facebook Messenger, Skype, Viber, and Telegram, but could not be found on Line and Snapchat.
The next study [18] obtained results from the MOBILedit tool with more specific data, especially in the contact
information evidence. Another study, Forensic Analysis of Instant Messenger [19], conducted digital forensics on the
WhatsApp and Viber applications and discovered instant messenger data and information in the device's internal
memory. Of all these studies, there has never been any research related to Facebook Messenger when the
application has been uninstalled and the digital forensics process is in an unrooted state.
From the explanation above, it is possible to conduct additional digital forensics research on the Facebook
Messenger application, with a particular emphasis on digital forensics when the Facebook Messenger application has
been uninstalled and the device is in an unrooted state. Because Android makes up 90.66% of all mobile operating
systems in Indonesia, this study will be carried out using an Android-based smartphone throughout the period of April
2021 to April 2022 [20]. The digital forensics method employed in this study is called Dead Forensics, a method that
is used when an electronic device is unrooted and in a dead condition [21]. The guideline and procedure used in this
study is the National Institute of Standards and Technology Special Publication 800-101 Revision 1 (NIST SP 800-101
R1) [22]. This guideline and procedure can help when performing digital forensics on the Facebook Messenger
application on an Android-based smartphone, so that the authorities can use it as a model when gathering digital
artifacts that are used as digital evidence [13].

2. Research Method

NIST SP 800-101 R1 is the procedure and guideline that provides the base information about mobile forensics
tools and forensics analysis procedures of digital evidence in smartphones. NIST SP 800-101 R1 contains conditions
that must be considered during the investigation. Several necessary processes include Preservation, Acquisition,
Examination and Analysis, and Reporting [22]:
a. Preservation is the process of securing the device against data changes. The preservation process covers
searching, documenting, and collecting digital evidence.
b. Acquisition is the process of duplicating or copying digital evidence.
c. Examination and Analysis. Digital evidence, including intentionally deleted or hidden evidence, is
disclosed during the examination process. Investigators or forensic analysts analyze the results of the
examination process to be used as supporting evidence at court.
d. Reporting is the process of summarizing the outcomes of each stage that has been completed. In the
reporting stage, the final report must be consistent with the data presented.
The NIST SP 800-101 R1 manual can simplify the analysis process of digital forensics on the Facebook Messenger
application. It is required because a guide is needed to carry out analytical procedures in an investigation that
needs a digital forensics process.

3. Results and Discussion

The results were retrieved from the smartphone using the MOBILedit Forensic Express PRO 7.2.0.17975 tool.
Then, using the NIST SP 800-101 R1 methods, analysis was done and information was gleaned from the evidence.
The hardware utilized in this study is described in Table 1 in detail.

Table 1. Smartphone Specifications.


No.  Specification     Information
1.   Device Type       POCO X3 (unrooted)
2.   Android Version   10
3.   RAM               6GB
4.   Internal Storage  64GB
5.   External Storage  64GB

3.1 Preservation

A POCO X3 running Android version 10 was used in the preservation process. Fig. 1 depicts the smartphone used in
this study, which in the scenario belonged to a cybercriminal. Fig. 1 shows the smartphone information: the name
of the device, 02-18 baguspribadi; 64 GB of internal storage with 35.1 GB used storage; the MIUI version (for
smartphones with the POCO brand), MIUI Global 12.0.7 Stable 12.0.7.0 (QJGIDXM); Android 10 version
QKQ1.200512.002; and Android security patch level 2021-05-01. The overall specifications can also be viewed by
clicking the Overall specifications tab. The additional information obtained is 6 GB RAM, CPU Octa-core Max
2.30GHz, Model M2007J20CG, and baseband version MPSS.AT.4.4.c6-00020-RENNELL_GEN_PACK-1.

3.2 Acquisition

The acquisition was carried out to extract data that may still be stored on the device. It was performed on an
unrooted Android device to reduce the risk of changes to the digital data [23]. The technique used in the digital
forensic process in this study is the Dead Forensics technique, a digital forensic technique that is carried
out when the digital evidence is dead and is not accessed as root [21]. This study uses physical
acquisition with Software-based Acquisition techniques, namely, techniques that use software to obtain digital
evidence without moving hardware components, to avoid damage to the device [23]. The process was carried
out both before and after uninstalling the Facebook Messenger application, so this study produces two
different results. The acquisition process used MOBILedit Forensic Express PRO 7.2.0.17975, which produces
information in a PDF file that is used for the next process, examination and analysis.

Fig. 1. Cybercriminal smartphone

3.3.1 Examination

The MOBILedit Forensic Express PRO 7.2.0.17975 tool was used in the examination to conduct a digital
forensics process on the Facebook Messenger application on the smartphone used by the cybercriminal. The first
result, depicted in Fig. 2, is information about the Facebook Messenger application. Fig. 2 shows that the Facebook
Messenger application, which the offender used to commit a digital crime, has been installed. The version of
Facebook Messenger utilized is 369.0.0.7.111.

Fig. 2. Facebook messenger application information

The second result was a photo (drugs), which corresponded to the message a cybercriminal would have given to
the potential drug buyer. The digital evidence was found at
phone/raw3/Pictures/.thumbnails/1945.jpg. Complete details can be seen in Fig. 3.

Fig. 3. Photo sent by the cybercriminal

The third result was a video depicting where the transaction would be conducted. The digital evidence was
discovered in its original place, phone/raw3/DCIM/Camera/VID 20220717 100118.mp4. The image is shown
in Fig. 4.

Fig. 4. Video sent by the cybercriminal

3.3.2 Analysis

The MOBILedit Forensic Express PRO 7.2.0.17975 program was used in the preceding procedure to gather
digital evidence in the form of Facebook Messenger application information, photo, and video sent by the
cybercriminal. However, no audio or chat sent by the cybercriminal via the Facebook Messenger application was
found in the digital forensics process that was carried out. This is because not all of the data can
be dumped when the smartphone is not rooted at the time the digital forensics process is performed. This
results in the absence of any text (chat) or audio digital evidence.

3.4 Reporting

Data from the analysis process are presented in the reporting process. Table 2 displays the outcomes of
processing the data from the evidence.

Table 2. Evidence of data


Data          Findings of evidence
              Before uninstall   After uninstall
Conversation  Not                Not
Picture       Yes                Not
Audio         Not                Not
Video         Yes                Not

Table 2 shows that digital evidence in the form of photos and videos could be obtained when the
Facebook Messenger application was not uninstalled, but when the Facebook Messenger application was
uninstalled, none were found. When the uninstall process was carried out, the smartphone automatically deleted all
the data including thumbnails. The digital forensics procedure on the Facebook Messenger application in an unrooted
condition can still generate digital evidence that can be utilized in court.
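
An added example, not part of the original paper and not MOBILedit's own logic: the examination and reporting steps above, reproduced in Python over two extracted file trees (before and after uninstall), identifying pictures and videos by magic bytes, hashing them, and deriving the Picture and Video rows of Table 2. The sample trees and file contents are constructed, the paths mirror the ones reported above, and all function names are hypothetical.

```python
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Camera-style names carry the capture time, e.g. VID_20220717_100118.mp4;
# the report quoted above prints the same kind of name with spaces.
NAME_TS = re.compile(r"(?:VID|IMG)[_ ](\d{8})[_ ](\d{6})")

def sniff_kind(head: bytes) -> str:
    """Classify by magic bytes, so a renamed extension does not hide media."""
    if head[:3] == b"\xff\xd8\xff":      # JPEG start-of-image marker
        return "picture"
    if head[4:8] == b"ftyp":             # ISO base media container (MP4/3GP)
        return "video"
    return "other"

def name_timestamp(name: str):
    m = NAME_TS.search(name)
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S") if m else None

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:          # stream in blocks, videos can be large
        while block := fh.read(1 << 20):
            digest.update(block)
    return digest.hexdigest()

def inventory(root: Path) -> dict:
    """Relative path -> record for each picture/video under an extraction root."""
    found = {}
    for p in sorted(root.rglob("*")):    # rglob also descends into .thumbnails
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            kind = sniff_kind(fh.read(12))
        if kind != "other":
            found[p.relative_to(root).as_posix()] = {
                "kind": kind, "sha256": sha256_file(p),
                "size": p.stat().st_size, "name_time": name_timestamp(p.name)}
    return found

def compare(before: dict, after: dict) -> dict:
    """Per evidence kind: found before/after uninstall, and which paths vanished."""
    table = {}
    for kind in ("picture", "video"):
        b = {k for k, v in before.items() if v["kind"] == kind}
        a = {k for k, v in after.items() if v["kind"] == kind}
        table[kind] = {"before": bool(b), "after": bool(a), "lost": sorted(b - a)}
    return table

def build_sample(root: Path, with_media: bool) -> Path:
    """Constructed sample tree; file contents are placeholders, not real evidence."""
    (root / "Pictures/.thumbnails").mkdir(parents=True)
    (root / "DCIM/Camera").mkdir(parents=True)
    (root / "DCIM/Camera/notes.txt").write_text("not media")
    if with_media:
        (root / "Pictures/.thumbnails/1945.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 32)
        (root / "DCIM/Camera/VID 20220717 100118.mp4").write_bytes(
            b"\0\0\0\x18ftypmp42" + b"\0" * 32)
    return root

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        before = inventory(build_sample(Path(tmp) / "before/phone/raw3", True))
        after = inventory(build_sample(Path(tmp) / "after/phone/raw3", False))
    return {"before": before, "after": after, "table": compare(before, after)}

if __name__ == "__main__":
    for path, rec in demo()["before"].items():
        print(rec["kind"], path, rec["sha256"][:16], rec["name_time"])
```

Recording the SHA-256 of each artifact at examination time lets the report show that the file presented in court is the one that was extracted.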

4. Conclusion and Future Work

Based on the findings, an investigation was conducted into a scenario involving the use of a smartphone, the
POCO X3 (unrooted), the installation of the Facebook Messenger application, the creation of a short message, the
application of the deletion and uninstalling scenario, the performance of digital forensics using the MOBILedit
Forensic Express PRO 7.2.0.17975 tool, and the analysis of data that will be reported as evidence. Information was
obtained and analyzed using the NIST SP 800-101 R1 technique. The results were a video and a photo sent by the
cybercriminal, and information about the Facebook Messenger application. Because the rooting procedure was not
completed, or the smartphone was in an unrooted condition, no chat or audio evidence could be found. This study
successfully found digital evidence without rooting (the device was in an unrooted state), but the researchers could
not find any result when the Facebook Messenger application was uninstalled. The digital forensics procedure on the
Facebook Messenger application in an unrooted condition can still produce digital evidence that can be utilized in
court. Comparing the tools and techniques used to examine and discover the data on the evidence is suggested as
a direction for future research. Finding extra digital evidence can also be accomplished by rooting the smartphone to
gain additional access. Additional scenarios that cybercriminals might use can also be studied.

References

[1] Kent K, Chevalier S, Grance T, Dang H. Guide to Integrating Forensic Techniques into Incident Response. 2006.
[2] Riadi I, Umar R, Firdonsyah A. Identification Of Digital Evidence On Android's Blackberry Messenger Using NIST Mobile Forensics
Method. International Journal of Computer Science and Information Security. 2017; 15(5).
[3] Haryanto MKT, Riadi I, Prayudi Y. Forensics Acquisition and Analysis Method of IMO Messenger. International Journal of Computer
Applications. 2018; 179(47).
[4] Curry D. Business of Apps. [Online]. 2022 [cited 2022 May 22]. Available from: https://www.businessofapps.com/data/android-statistics/.
[5] Statista. Most popular global mobile messenger apps as of January 2022. [Online]. 2022 [cited 2022 May 22]. Available from:
https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/.
[6] Yudhana A, Riadi I, Anshori I. Acquisition of Digital Evidence on Android -Based Instagram Messenger Using the NIJ Method. Informatics
and Information Systems Engineering. 2018; 4(2).
[7] Hermawan T, Suryanto Y. Android Forensic Tools Analysis for Unsend Chat on Social Media. 3rd International Seminar on Research of
Information Technology and Intelligent Systems (ISRITI). 2020.
[8] Afif MF. Storage Clustering Method for Digital Evidence Storage Using Software Defined Storage. [Online].; 2019. Available from:
https://dspace.uii.ac.id/handle/123456789/18258.
[9] Mahalik H, Tamma R, Bommisetty S. Practical Mobile Forensics Second Edition. 2016.
[10] Faiz MN, Umar R, Yudhana A. Analysis of Live Forensics for Comparison of Email Security on Propriertary Operating Systems. ILKOM
Scientific Journal. 2016; 8(3).
[11] Indonesia PR. Undang-Undang Republik Indonesia Nomor 35 Tahun 2009 tentang Narkotika; 2009.
[12] Hikmatyar FG, Sugiantoro B. Digital Forensic Analysis on Android Smartphones For Handling Cybercrime Cases. (IJID) International
Journal on Informatics for Development. 2018; 7(2).
[13] PR Indonesia. Law of the Republic of Indonesia Number 11 of 2008 concerning Information and Electronic Transactions. 2008.
[14] Yudhana A, Riadi I, Anshori I. Analysis of Digital Evidence for Facebook Messenger Using the Nist Method. IT Journal Research and
Development. 2018; 3(1).
[15] Anshori I, Putri KES, Ghoni U. Analysis of Digital Evidence for Facebook Messenger Applications on Android Smartphones Using the
NIJ Method. IT Journal Research and Development (ITJRD). 2021; 5(2).
[16] Asyaky MS, Widiyasono N, Gunawan R. Analysis and Comparison of Digital Evidence for Instant Messenger Applications on Android.
SyncrOn Journal & Research on Informatics Engineering Instant Messenger Applications on Android. 2018; 3(1).
[17] Dasmen RN, Kurniawan F. Digital Forensic Deleted Cyber Crime Evidence on Social Media Instant Messaging. Techno.COM. 2021;
20(4).
[18] Riadi I, Fadlil A, Fauzan A. Evidence Gathering and Identification of LINE Messenger on Android Device. International Journal of
Computer Science and Information Security (IJCSIS). 2018 May; 16(5).
[19] Mahajan A, Dahiya MS, Sanghvi HP. Forensic Analysis of Instant Messenger Applications on Android Devices. International Journal of
Computer Applications. 2013 April; 68(8).
[20] StatCounter. StatCounter. [Online]. [cited 2022 May 22]. Available from: https://gs.statcounter.com/os-market-share/mobile/indonesia.
[21] Htun NL, Thwin MMS, San CC. Evidence Data Collection with ANDROSICS Tool for Android Forensics. International Conference on
Information Technology and Electrical Engineering (ICITEE). 2018.
[22] Ayers R, Brothers S, Jansen W. Guidelines on Mobile Device Forensics. National Institute of Standards and Technology. 2014.
[23] Sathe SC, Dongre NM. Data Acquisition Techniques in Mobile Forensics. In International Conference on Inventive Systems and Control
(ICISC 2018); 2018.
