144 research outputs found

    Multimedia Distribution Process Tracking for Android and iOS

    The crime of illegally filming and distributing images or videos worldwide is increasing day by day. With the increasing penetration rate of smartphones, there has been a rise in crimes involving secretly taking pictures of people's bodies and distributing them through messengers. However, little research has been done on these related issues. The crime of distributing media using the world's popular messengers, WhatsApp and Telegram, is continuously increasing. It is also common to see criminals distributing illegal footage through various messengers to avoid being caught in the investigation network. As these crimes increase, there will continue to be a need for professional investigative personnel, and the time required for criminal investigations will continue to increase. In this paper, we propose a multimedia forensic method for tracking footprints by checking the media information that changes when images and videos shot with a smartphone are transmitted through instant messengers. We have selected 11 of the world's most popular instant messengers and two secure messengers. In addition, we selected the most widely used Android and iOS operating systems for smartphones. Through this study, we were able to confirm that it is possible to trace footprints related to the distribution of instant messengers by analyzing transmitted images and videos. Thus, it was possible to determine which messengers were used to distribute the video when it was transmitted through multiple messengers. Comment: 10 pages

    Digital Forensic Analysis of Telegram Messenger App in Android Virtual Environment

    The paper provides an in-depth analysis of the artifacts generated by the Telegram Messenger application on Android OS, which provides secure communications between individuals, groups, and channels. Over the past few years, the application has gone through major changes and updates, and the latest version’s artifacts vary from the previous ones. Our methodology is based on a set of experiments designed to generate the artifacts from various use cases in a virtualized environment. The acquired artifacts, such as messages, their location, their data structure, and how they relate to one another, were studied and then compared to the older versions. Correlating the artifacts of the newer version with the older ones shows how the application has been upgraded behind the scenes, and incorporating those results can give investigators better understanding and insight into the evidence in a potential cybercrime case.

    Forensic Tools Performance Analysis on Android-based Blackberry Messenger using NIST Measurements

    Blackberry Messenger is one of the most popular instant messaging applications on Android, with a number of users that increases significantly each year. The increase of Blackberry Messenger users might lead to application misuse, such as for committing digital crimes. To conduct investigations involving smartphone devices, the investigators need to use forensic tools. Therefore, research on current forensic tools’ performance in handling digital crime cases involving Android smartphones, and Blackberry Messenger in particular, needs to be done. This research focuses on evaluating and comparing three forensic tools to obtain digital evidence from Blackberry Messenger on Android smartphones using parameters from National Institute of Standard Technology and Blackberry Messenger’s acquired digital evidence. The result shows that, from the comparative analysis conducted, Andriller gives 25% performance value, Oxygen Forensic Suite gives 100% performance value, and Autopsy 4.1.1 gives 0% performance value. Related to National Institute of Standard Technology parameter criteria, Andriller has a performance value of 47.61%, Oxygen Forensic Suite has a performance value of 61.90%, and Autopsy 4.1.1 has a performance value of 9.52%.

    Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones

    We present the forensic analysis of the artifacts generated on Android smartphones by ChatSecure, a secure Instant Messaging application that provides strong encryption for transmitted and locally-stored data to ensure the privacy of its users. We show that ChatSecure stores local copies of both exchanged messages and files into two distinct, AES-256 encrypted databases, and we devise a technique able to decrypt them when the secret passphrase, chosen by the user as the initial step of the encryption process, is known. Furthermore, we show how this passphrase can be identified and extracted from the volatile memory of the device, where it persists for the entire execution of ChatSecure after having been entered by the user, thus allowing one to carry out decryption even if the passphrase is not revealed by the user. Finally, we discuss how to analyze and correlate the data stored in the databases used by ChatSecure to identify the IM accounts used by the user and his/her buddies to communicate, as well as to reconstruct the chronology and contents of the messages and files that have been exchanged among them. For our study we devise and use an experimental methodology, based on the use of emulated devices, that provides a very high degree of reproducibility of the results, and we validate the results it yields against those obtained from real smartphones

    Forensic Analysis of WhatsApp SQLite Databases on the Unrooted Android Phones

    WhatsApp is the most popular instant messaging mobile application all over the world. Although originally designed for simple and fast communication, its privacy features, such as end-to-end encryption, eased private and unobserved communication for criminals aiming to commit illegal acts. In this paper, a forensic analysis of the artefacts left by the encrypted WhatsApp SQLite databases on unrooted Android devices is presented. In order to provide a complete interpretation of the artefacts, a set of controlled experiments to generate these artefacts were performed. Once generated, their storage location and database structure on the device were identified. Since the data is stored in an encrypted SQLite database, its decryption is first discussed. Then, the methods of analyzing the artefacts are revealed, aiming to understand how they can be correlated to cover all the possible evidence. In the results obtained, it is shown how to reconstruct the list of contacts, the history of exchanged textual and non-textual messages, as well as the details of their contents. Furthermore, this paper shows how to determine the properties of both the broadcast and the group communications in which the user has been involved, as well as how to reconstruct the logs of the voice and video calls. DOI: 10.28991/HIJ-2022-03-02-06

    Comparative Analysis of Forensic Software on Android-based Blackberry Messenger using NIJ Framework

    Instant messaging is the most widely used type of application all over the world. Blackberry Messenger is a multiplatform instant messaging application with lots of features that can be a magnet for many people to use Blackberry Messenger for committing digital crimes. In the process of investigating digital crime cases, digital evidence is required. To obtain digital evidence, a set of forensic tools is needed to conduct the forensic process on physical evidence. The topic of this research is to describe the forensic process and to compare the current forensic tools used, based on acquired digital evidence, by using a method that refers to mobile device forensic guidelines made by the National Institute of Justice (NIJ). The forensic tools used in this research are Magnet AXIOM, Belkasoft Evidence Center, and MOBILedit Forensic Express. The outcome shows that Magnet AXIOM has the highest capability to obtain digital evidence, Belkasoft Evidence Center has superiority in terms of data text acquisition, and MOBILedit Forensic Express has superiority in physical evidence preserving and cloning.

    Disappearing Messages: Privacy or Piracy?

    Disappearing messages is an optional feature available in popular applications for more privacy. The Telegram instant messenger application is a rival and alternative to the popular messaging application WhatsApp, with both applications citing end-to-end encryption for both messages and calls as a key offering. While Telegram doesn’t officially have a ‘disappearing message’ feature like WhatsApp it still is possible to send disappearing messages using the secret chat functionality. In this paper, we analyse and evaluate ‘disappearing messages’ across Telegram and Snapchat to see whether they can be forensically preserved and/or recovered across Apple and Android operating systems. As these messages could be vital to investigations, with potential evidence and intelligence stored on them, not to mention the limited timeframe in which they are ‘viewable’ to the user, it is a great opportunity for digital forensic analysts to understand how they are stored, managed, and ‘deleted’ compared to traditional messages on the same platforms/applications

    Forensic Authentication of WhatsApp Messenger Using the Information Retrieval Approach

    The development of telecommunications has increased very rapidly since internet-based instant messaging services spread rapidly to Indonesia. WhatsApp is the most popular instant messaging application compared to other instant messaging services. According to the Statista website, users of WhatsApp services in 2018 showed significant growth, gathering 1.5 billion monthly active users (MAU). That number increased 14 percent compared to the WhatsApp MAU in July 2017, which amounted to 1.3 billion. Daily active users (DAU) are in the range of one billion. WhatsApp handles more than 60 billion message exchanges between users around the world. This growth is predicted to continue to increase, along with wider internet penetration. WhatsApp updates have embedded various features in this application, including Web-based WhatsApp for computers; this feature makes it easier for users to share data, which can be synchronized with their smartphone or the user's computer. Besides the positive side found in the application, WhatsApp also provides a security gap for user privacy, one of which is tapping conversations involving both smartphone and computer devices. The handling of crimes involving digital devices needs to be emphasized so that it can help the judicial process of the effects they have caused. Mobile Forensics Investigation also took part in suppressing the misuse of WhatsApp's instant messaging service features, including investigating the handling of cases of WhatsApp conversations through a series of standard steps according to digital forensics procedures. Exploration of evidence (digital evidence) of WhatsApp conversations will be a reference to the crime of telecommunication tapping, after which a forensic investigation report will be carried out involving evidence of the smartphone and computer of the victim. Keywords: Authentication, Mobile Forensics, Instant Messenger, and WhatsApp Messenger

    Post-mortem digital forensic artifacts of TikTok Android App

    TikTok is a social network known mostly for the creation and sharing of short videos and for its popularity among those under 30 years old. Although it only appeared as Android and iOS apps in 2017, it has gathered a large user base, being one of the most downloaded and used apps. In this paper, we study the digital forensic artifacts of TikTok’s app that can be recovered with a post mortem analysis of an Android phone, detailing the databases and XML with data that might be relevant for a digital forensic practitioner. We also provide the module tiktok.py to extract several forensic artifacts of TikTok in a digital forensic analysis of an Android phone. The module runs under Autopsy’s Android Analyzer environment. Although TikTok offers a rich set of features, it is very internet-dependent, with a large amount of its inner data kept on the cloud, and thus not easily accessible in a post mortem analysis. Nonetheless, we were able to recover messages exchanged through the app communications channels, the list of TikTok users that have interacted with the TikTok account used at the smartphone, photos linked to the app and, in some circumstances, TikTok’s videos watched by the smartphone’s user.