316 research outputs found

    Forensic Analysis of WhatsApp Messenger on Android Smartphones

    We present the forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system. We provide a complete description of all the artifacts generated by WhatsApp Messenger, we discuss the decoding and the interpretation of each one of them, and we show how they can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation. By using the results discussed in this paper, an analyst will be able to reconstruct the list of contacts and the chronology of the messages that have been exchanged by users. Furthermore, thanks to the correlation of multiple artifacts, (s)he will be able to infer information like when a specific contact has been added, to recover deleted contacts and their time of deletion, to determine which messages have been deleted, when these messages have been exchanged, and the users that exchanged them. Comment: (c)2014. This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0

    Forensic Authentication of WhatsApp Messenger Using the Information Retrieval Approach

    The development of telecommunications has increased very rapidly since the internet-based instant messaging service has spread rapidly to Indonesia. WhatsApp is the most popular instant messaging application compared to other instant messaging services. According to the Statista website, users of WhatsApp services in 2018 showed significant growth by gathering 1.5 billion monthly active users (MAU). That number increased 14 percent compared to MAU WhatsApp in July 2017, which amounted to 1.3 billion. Daily active users, aka DAU, are in the range of one billion. WhatsApp handles more than 60 billion message exchanges between users around the world. This growth is predicted to continue to increase, along with the wider internet penetration. Along with WhatsApp updates with various features embedded in this application, including Web-based WhatsApp for computers, this feature makes it easier for users to share data and can be synchronized with their smartphone or user's computer. Besides the positive side found in the application, WhatsApp also provides a security gap for user privacy, one of which is tapping conversations involving both smartphone and computer devices. The handling of crimes involving digital devices needs to be emphasized so that they can help the judicial process of the effects they have caused. Mobile Forensics Investigation also took part in suppressing the misuse of WhatsApp's instant messaging service features, including investigating the handling of cases of WhatsApp conversations through a series of standard steps according to digital forensics procedures. Exploration of evidence (digital evidence) WhatsApp conversations will be a reference to the crime of telecommunication tapping which will then be carried out forensic investigation report involving evidence of the smartphone and computer of the victim. Keywords: Authentication, Mobile Forensics, Instant Messenger, and WhatsApp Messenger

    Forensic Tools Performance Analysis on Android-based Blackberry Messenger using NIST Measurements

    Blackberry Messenger is one of the popularly used instant messaging applications on Android, with a number of users that increases significantly each year. The increase of Blackberry Messenger users might lead to application misuse, such as for committing digital crimes. To conduct investigation involving smartphone devices, the investigators need to use forensic tools. Therefore, a research on current forensic tools' performance in order to handle digital crime cases involving Android smartphones and Blackberry Messenger in particular needs to be done. This research focuses on evaluating and comparing three forensic tools to obtain digital evidence from Blackberry Messenger on Android smartphones using parameters from the National Institute of Standard Technology and Blackberry Messenger's acquired digital evidence. The result shows that from the comparative analysis conducted, Andriller gives 25% performance value, Oxygen Forensic Suite gives 100% performance value, and Autopsy 4.1.1 gives 0% performance value. Related to the National Institute of Standard Technology parameter criteria, Andriller has a performance value of 47.61%. Oxygen Forensic Suite has a performance value of 61.90%. Autopsy 4.1.1 has a performance value of 9.52%.

    Forensic Analysis of WhatsApp SQLite Databases on the Unrooted Android Phones

    WhatsApp is the most popular instant messaging mobile application all over the world. Originally designed for simple and fast communication, however, its privacy features, such as end-to-end encryption, eased private and unobserved communication for criminals aiming to commit illegal acts. In this paper, a forensic analysis of the artefacts left by the encrypted WhatsApp SQLite databases on unrooted Android devices is presented. In order to provide a complete interpretation of the artefacts, a set of controlled experiments to generate these artefacts were performed. Once generated, their storage location and database structure on the device were identified. Since the data is stored in an encrypted SQLite database, its decryption is first discussed. Then, the methods of analyzing the artefacts are revealed, aiming to understand how they can be correlated to cover all the possible evidence. In the results obtained, it is shown how to reconstruct the list of contacts, the history of exchanged textual and non-textual messages, as well as the details of their contents. Furthermore, this paper shows how to determine the properties of both the broadcast and the group communications in which the user has been involved, as well as how to reconstruct the logs of the voice and video calls. Doi: 10.28991/HIJ-2022-03-02-06

    Multimedia Distribution Process Tracking for Android and iOS

    The crime of illegally filming and distributing images or videos worldwide is increasing day by day. With the increasing penetration rate of smartphones, there has been a rise in crimes involving secretly taking pictures of people's bodies and distributing them through messengers. However, little research has been done on these related issues. The crime of distributing media using the world's popular messengers, WhatsApp and Telegram, is continuously increasing. It is also common to see criminals distributing illegal footage through various messengers to avoid being caught in the investigation network. As these crimes increase, there will continue to be a need for professional investigative personnel, and the time required for criminal investigations will continue to increase. In this paper, we propose a multimedia forensic method for tracking footprints by checking the media information that changes when images and videos shot with a smartphone are transmitted through instant messengers. We have selected 11 of the world's most popular instant messengers and two secure messengers. In addition, we selected the most widely used Android and iOS operating systems for smartphones. Through this study, we were able to confirm that it is possible to trace footprints related to the distribution of instant messengers by analyzing transmitted images and videos. Thus, it was possible to determine which messengers were used to distribute the video when it was transmitted through multiple messengers. Comment: 10 page

    Mobile Forensic of Vaccine Hoaxes on Signal Messenger using DFRWS Framework

    The COVID-19 pandemic is one of the factors that has increased the use of social media. One of the negative impacts of using social media is the occurrence of cybercrime. The possibility of cybercrime can also happen on one of the social media platforms, such as the Signal Messenger application. In the investigation process, law enforcement needs mobile forensic methods and appropriate forensic tools so that the digital evidence found on the perpetrator's smartphone can be accepted by the court. This research aims to get digital evidence from cases of spreading the COVID-19 vaccine hoaxes. The method used in this research is a mobile forensics method based on the Digital Forensic Research Workshop (DFRWS) framework. The DFRWS framework consists of identification, preservation, collection, examination, analysis, and preservation. The results showed that the MOBILedit tool could reveal digital evidence in the form of application information and contact information with a performance value of 22.22%. Meanwhile, Magnet AXIOM cannot reveal digital evidence at all. The research results were obtained following the expected research objectives

    You can run but you cannot hide from memory: Extracting IM evidence of Android apps

    Smartphones have become a vital part of our business and everyday life, as they constitute the primary communication vector. Android dominates the smartphone market (86.2%) and has become pervasive, running in 'smart' devices such as tablets, TV, watches, etc. Nowadays, instant messaging applications have become popular amongst smartphone users and since 2016 are the main way of messaging communication. Consequently, their inclusion in any forensics analysis is necessary as they constitute a source of valuable data, which might be used as (admissible) evidence. Often, their examination involves the extraction and analysis of the applications' databases that reside in the device's internal or external memory. The downfall of this method is the fact that databases can be tampered or erased, therefore the evidence might be accidentally or maliciously modified. In this paper, a methodology for retrieving instant messaging data from the volatile memory of Android smartphones is proposed, instead of the traditional database retrieval. The methodology is demonstrated with the use of a case study of four experiments, which provide insights regarding the behavior of such data in memory. Our experimental results show that a large amount of data can be retrieved from the memory, even if the device's battery is removed for a short time. In addition, the retrieved data are not only recent messages, but also messages sent a few months before data acquisition.

    Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones

    We present the forensic analysis of the artifacts generated on Android smartphones by ChatSecure, a secure Instant Messaging application that provides strong encryption for transmitted and locally-stored data to ensure the privacy of its users. We show that ChatSecure stores local copies of both exchanged messages and files into two distinct, AES-256 encrypted databases, and we devise a technique able to decrypt them when the secret passphrase, chosen by the user as the initial step of the encryption process, is known. Furthermore, we show how this passphrase can be identified and extracted from the volatile memory of the device, where it persists for the entire execution of ChatSecure after having been entered by the user, thus allowing one to carry out decryption even if the passphrase is not revealed by the user. Finally, we discuss how to analyze and correlate the data stored in the databases used by ChatSecure to identify the IM accounts used by the user and his/her buddies to communicate, as well as to reconstruct the chronology and contents of the messages and files that have been exchanged among them. For our study we devise and use an experimental methodology, based on the use of emulated devices, that provides a very high degree of reproducibility of the results, and we validate the results it yields against those obtained from real smartphones

    Digital Forensic Tools & Cloud-Based Machine Learning for Analyzing Crime Data

    Digital forensics is a branch of forensic science in which we can recreate past events using forensic tools for legal measure. Also, the increase in the availability of mobile devices has led to their use in criminal activities. Moreover, the rate at which data is being generated has been on the increase, which has led to big data problems. With cloud computing, data can now be stored, processed and analyzed as they are generated. This thesis document consists of three studies related to data analysis. The first study involves analyzing data from an Android smartphone while making a comparison between two forensic tools: Paraben E3: DS and Autopsy. At the end of the study, it was concluded that most of the activities performed on a rooted Android device can be found in its internal memory. In the second study, the Snapchat application was analyzed on a rooted Android device to see how well it handles privacy issues. The result of the study shows that some of the predefined activities performed on the Snapchat application as well as user information can be retrieved using the Paraben E3: DS forensic tool. In the third study, machine learning services on Microsoft Azure and IBM Watson were used in performing predictive analysis to uncover their performance. At the end of the experiments, the Azure machine learning studio was seen to be more user friendly and builds models faster compared to the SPSS Modeler in the IBM Watson Studio. This research is important as data needs to be analyzed in order to generate insights that can aid organizations or police departments in making the best decisions when analyzing crime data.