10 research outputs found

    Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones

    We present the forensic analysis of the artifacts generated on Android smartphones by ChatSecure, a secure Instant Messaging application that provides strong encryption for transmitted and locally-stored data to ensure the privacy of its users. We show that ChatSecure stores local copies of both exchanged messages and files into two distinct, AES-256 encrypted databases, and we devise a technique able to decrypt them when the secret passphrase, chosen by the user as the initial step of the encryption process, is known. Furthermore, we show how this passphrase can be identified and extracted from the volatile memory of the device, where it persists for the entire execution of ChatSecure after having been entered by the user, thus allowing one to carry out decryption even if the passphrase is not revealed by the user. Finally, we discuss how to analyze and correlate the data stored in the databases used by ChatSecure to identify the IM accounts used by the user and his/her buddies to communicate, as well as to reconstruct the chronology and contents of the messages and files that have been exchanged among them. For our study we devise and use an experimental methodology, based on the use of emulated devices, that provides a very high degree of reproducibility of the results, and we validate the results it yields against those obtained from real smartphones

    UML class diagrams supporting formalism definition in the Draw-Net Modeling System

    The Draw-Net Modeling System (DMS) is a customizable framework supporting the design and the solution of models expressed in any graph-based formalism, thanks to an open architecture. Over the years, many formalisms (Petri Nets, Bayesian Networks, Fault Trees, etc.) have been included in DMS. A formalism defines all the primitives that can be used in a model (nodes, arcs, properties, etc.) and is stored in XML files. The paper describes a new way to manage formalisms: the user can create a new formalism by drawing a UML Class Diagram (CD); then the corresponding XML files are automatically generated. If instead the user intends to edit an existing formalism, a "reverse engineering" function generates the CD from the XML files. The CD can be handled inside DMS, and acts as an intuitive and graphical "meta-model" to represent the formalism. An application example is presented

    Forensic Analysis of WhatsApp SQLite Databases on the Unrooted Android Phones

    WhatsApp is the most popular instant messaging mobile application all over the world. It was originally designed for simple and fast communication; however, its privacy features, such as end-to-end encryption, eased private and unobserved communication for criminals aiming to commit illegal acts. In this paper, a forensic analysis of the artefacts left by the encrypted WhatsApp SQLite databases on unrooted Android devices is presented. In order to provide a complete interpretation of the artefacts, a set of controlled experiments to generate these artefacts was performed. Once generated, their storage location and database structure on the device were identified. Since the data is stored in an encrypted SQLite database, its decryption is first discussed. Then, the methods of analyzing the artefacts are revealed, aiming to understand how they can be correlated to cover all the possible evidence. In the results obtained, it is shown how to reconstruct the list of contacts, the history of exchanged textual and non-textual messages, as well as the details of their contents. Furthermore, this paper shows how to determine the properties of both the broadcast and the group communications in which the user has been involved, as well as how to reconstruct the logs of the voice and video calls. DOI: 10.28991/HIJ-2022-03-02-06

    Challenges and opportunities for wearable IoT forensics: TomTom Spark 3 as a case study

    Wearable IoT devices like fitness trackers and smartwatches continue to create opportunities and challenges for forensic investigators in the acquisition and analysis of evidential artefacts in scenarios where such devices are a witness to a crime. However, current commercial and traditional forensic tools available to forensic investigators fall short of conducting device extraction and analysis of forensic artefacts from many IoT devices due to their heterogeneous nature. In this paper, we conduct a comprehensive forensic analysis and show artefacts of forensic value from the physical TomTom Spark 3 GPS fitness smartwatch, its companion app installed on an Android smartphone, and Bluetooth event logs located in the app’s metadata. Our forensic methodology and analysis involved the combination and use of a non-forensic tool, a commercial forensic tool, and a non-forensic manufacturer-independent analysis platform tool specifically designed for endurance athletes to identify, extract, analyze, and reconstruct user activity data in an investigative scenario. We show forensic metadata associated with the device information, past user activities, and audio files from the physical smartwatch. We recovered data associated with past user activities stored in proprietary activity files and databases maintained by the app on an Android smartphone. From the event logs, we show when user activity was synced with the app and uploaded to the device cloud storage. The results from our work provide vital references for forensic investigators to aid criminal investigations, highlight limitations of current forensic tools, and for developers of forensic tools an incentive into developing forensic software applications and tools that can decode all relevant data generated by wearable IoT devices

    Virtual reality forensics: forensic analysis of Meta Quest 2

    The Meta Quest 2 is one of the most popular Virtual Reality (VR) entertainment headsets to date. The headset, developed by Meta Platforms Inc., immerses the user in a completely simulated environment. Some VR environments can be shared over the Internet to allow users to communicate and interact with one another and share their experiences. Unfortunately, the safety of these VR environments cannot always be guaranteed, generating a risk that users may be exposed to illicit online behaviour in the form of online harassment, grooming, and cyberbullying. Therefore, forensic examiners must be able to conduct sound forensic analysis of VR headsets to investigate these criminal investigations. In this study, we conduct digital forensic acquisition and analysis of the Meta Quest 2 VR headset. Analysis of the forensic image exemplified that there were several digital artefacts relating to user activities, device information and stored digital artefacts that can be extracted in a forensically sound manner. The main contributions of this study include a detailed description of the forensic acquisition process, identification of internal file storage locations, and recovery and analysis of digital artefacts that can be used to aid VR forensic investigations

    Forensic analysis of open-source XMPP/Jabber multi-client instant messaging apps on Android smartphones

    In the quest for a panacea to ensure digital privacy, many users have switched to using decentralized open-source Extensible Messaging and Presence Protocol multi-client instant messaging (IM) apps for secure end-to-end communication. In this paper, we present a forensic analysis of the artefacts generated on Android smartphones by Conversations and Xabber apps. We identified databases maintained by each app and external Secure Digital card directories that store local copies of user metadata. We analysed each app’s storage locations for forensic artefacts and how they can be used in a forensic investigation. The results in this paper show a detailed analysis of forensic files of interest which can be correlated to identify the local user’s multiple IM accounts and contact list, contents of messages exchanged with contacts, deleted files, time, and dates in the order of their occurrence. The contributions of this research include a comprehensive description of artefacts, which are of forensic interest, for each app analysed

    Virtual reality forensics: Forensic analysis of Meta Quest 2

    The Meta Quest 2 is one of the most popular Virtual Reality (VR) entertainment headsets to date. The headset, developed by Meta Platforms Inc., immerses the user in a completely simulated environment. Some VR environments can be shared over the Internet to allow users to communicate and interact with one another and share their experiences. Unfortunately, the safety of these VR environments cannot always be guaranteed, generating a risk that users may be exposed to illicit online behaviour in the form of online harassment, grooming, and cyberbullying. Therefore, forensic examiners must be able to conduct sound forensic analysis of VR headsets to investigate these criminal investigations. In this study, we conduct digital forensic acquisition and analysis of the Meta Quest 2 VR headset. Analysis of the forensic image exemplified that there were several digital artefacts relating to user activities, device information and stored digital artefacts that can be extracted in a forensically sound manner. The main contributions of this study include a detailed description of the forensic acquisition process, identification of internal file storage locations, and recovery and analysis of digital artefacts that can be used to aid VR forensic investigations

    Forensic analysis of open-source XMPP multi-client social networking apps on iOS devices

    In this paper, we present forensic analysis of Monal and Siskin IM, two decentralized open-source XMPP multi-client social networking apps on iOS devices that provide anonymity and privacy using OMEMO end-to-end encryption. We identified databases maintained by each app and storage locations within the iOS file system that stores the local copies of user information and metadata. We analyzed the databases and storage locations for evidential data of forensic value. The results in this paper show a detailed analysis and correlation of data stored in each app's database to identify the local user's multiple IM accounts and contact list, contents of messages exchanged with contacts, and chronology of conversations. The focus and main contributions of this study include a detailed description of artifacts of forensic interest that can be used to aid mobile forensic investigations

    Contributions to the forensic analysis of digital evidence from instant messaging applications (Contribuciones al análisis forense de evidencias digitales procedentes de aplicaciones de mensajería instantánea)

    The continuous evolution of Information and Communication Technologies (ICT) means that we increasingly find ourselves in a more interconnected society, allowing the immediate exchange of digital information from almost anywhere on the planet. From the point of view of forensic science, as the science that studies the elements collected at a crime scene, the birth and rapid evolution of ICT means that forensic science must continually adapt to this evolution, researching new scientific methods of analysis that allow criminal acts to be solved through digital means. The specific use made of information-exchange applications in the commission of criminal acts means that they must be subjected to a thorough forensic analysis, from which to identify, recover and extract all information related to the act under investigation, while preserving its evidentiary value at all times. The thesis entitled CONTRIBUTIONS TO THE FORENSIC ANALYSIS OF DIGITAL EVIDENCE FROM INSTANT MESSAGING APPLICATIONS investigates the evolution of instant messaging applications and their impact on the field of forensic science. The research aims to outline the transformation of this type of application in terms of the different access methods and the countless features offered to their users. It also seeks to contribute directly to the scientific methods used in the forensic analysis carried out on instant messaging applications, a principal means of evidence in many judicial proceedings. This thesis will set out the current state of the processes used both in the acquisition and in the analysis of instant messaging applications, as well as the various problems faced by the digital forensic specialist in the forensic analysis of this type of application. A specific methodology for the forensic analysis of instant messaging applications will be developed, combining several methods of study, which will make it possible to identify, decode and interpret the information generated by this type of application regardless of the electronic device, operating system or application analysed. Based on the three methods of study included in the proposed methodology, the aim is to verify and validate the integrity of the extracted information beyond the widespread use of commercial forensic solutions. Finally, the results and conclusions obtained from applying the forensic analysis methodology proposed in this research to some of the clients of the main instant messaging applications that exist today will be presented

    Introductory Computer Forensics

    INTERPOL (International Police) built cybercrime programs to keep up with emerging cyber threats, and aims to coordinate and assist international operations for fighting crimes involving computers. Although significant international efforts are being made in dealing with cybercrime and cyber-terrorism, finding effective, cooperative, and collaborative ways to deal with complicated cases that span multiple jurisdictions has proven difficult in practice