A Forensic Analysis of Video Streaming Activities on Android Applications

Mobile applications of video streaming platforms store a lot of information on mobile devices which can have both positive and negative impacts. Positive, in the sense that it could assist law enforcement agencies in solving crime, and the negative impact is that it could be accessed by malicious actors. In this study, we forensically investigate the Netflix, Amazon Prime Video, and iFlix android applications. The major focus is on identifying stored artifacts on the mobile devices left behind by the android video streaming applications. It will give law enforcement agencies and forensic investigators a clear direction when it comes to extracting evidence to solve a crime. On the other hand, it will notify the mobile application developers on how to further improve the security of their mobile applications.

Forensic analysis of open-source XMPP/Jabber multi-client instant messaging apps on Android smartphones

In the quest for a panacea to ensure digital privacy, many users have switched to using decentralized open-source Extensible Messaging and Presence Protocol multi-client instant messaging (IM) apps for secure end-to-end communication. In this paper, we present a forensic analysis of the artefacts generated on Android smartphones by Conversations and Xabber apps. We identified databases maintained by each app and external Secure Digital card directories that store local copies of user metadata. We analysed each app’s storage locations for forensic artefacts and how they can be used in a forensic investigation. The results in this paper show a detailed analysis of forensic files of interest which can be correlated to identify the local user’s multiple IM accounts and contact list, contents of messages exchanged with contacts, deleted files, time, and dates in the order of their occurrence. The contributions of this research include a comprehensive description of artefacts, which are of forensic interest, for each app analysed

Digital forensic analysis of the private mode of browsers on Android

The smartphone has become an essential electronic device in our daily lives. We carry our most precious and important data on it, from family videos of the last few years to credit card information so that we can pay with our phones. In addition, in recent years, mobile devices have become the preferred device for surfing the web, already representing more than 50% of Internet traffic. As one of the devices we spend the most time with throughout the day, it is not surprising that we are increasingly demanding a higher level of privacy. One of the measures introduced to help us protect our data by isolating certain activities on the Internet is the private mode integrated in most modern browsers. Of course, this feature is not new, and has been available on desktop platforms for more than a decade. Reviewing the literature, one can find several studies that test the correct functioning of the private mode on the desktop. However, the number of studies conducted on mobile devices is incredibly small. And not only is it small, but also most of them perform the tests using various emulators or virtual machines running obsolete versions of Android. Therefore, in this paper we apply the methodology we presented in a previous work to Google Chrome, Brave, Mozilla Firefox, and Tor Browser running on a tablet with Android 13 and on two virtual devices created with Android Emulator. The results confirm that these browsers do not store information about the browsing performed in private mode in the file system. However, the analysis of the volatile memory made it possible to recover the username and password used to log in to a website or the keywords typed in a search engine, even after the devices had been rebootedThis work has received financial support from the Consellería de Cultura, Educación e Ordenación Universitaria of the Xunta de Galicia (accreditation 2019- 2022 ED431G-2019/04, reference competitive group 2022-2024, ED431C 2022/16) and the European Regional Development Fund (ERDF), which acknowledges the CiTIUS-Research Center in Intelligent Technologies of the University of Santiago de Compostela as a Research Center of the Galician University System. This work was also supported by the Ministry of Economy and Competitiveness, Government of Spain (Grant No. PID2019-104834 GB-I00). X. Fernández-Fuentes is supported by the Ministerio de Universidades, Spain under the FPU national plan (FPU18/04605)S

Forensic analysis of open-source XMPP multi-client social networking apps on iOS devices

In this paper, we present forensic analysis of Monal and Siskin IM, two decentralized open-source XMPP multi-client social networking apps on iOS devices that provide anonymity and privacy using OMEMO end-to-end encryption. We identified databases maintained by each app and storage locations within the iOS file system that stores the local copies of user information and metadata. We analyzed the databases and storage locations for evidential data of forensic value. The results in this paper show a detailed analysis and correlation of data stored in each app's database to identify the local user's multiple IM accounts and contact list, contents of messages exchanged with contacts, and chronology of conversations. The focus and main contributions of this study include a detailed description of artifacts of forensic interest that can be used to aid mobile forensic investigations

Forensics study of IMO call and chat app.

Smart phones often leave behind a wealth of information that can be used as an evidence during an investigation. There are thus many smart phone applications that employ encryption to store and/or transmit data, and this can add a layer of complexity for an investigator. IMO is a popular application which employs encryption for both call and chat activities. This paper explores important artifacts from both the device and from the network traffic. This was generated for both Android and iOS platforms. The novel aspect of the work is the extensive analysis of encrypted network traffic generated by IMO. Along with this the paper defines a new method of using a firewall to explore the obscured options of connectivity, and in a way which is independent of the protocol used by the IMO client and server. Our results outline that we can correctly detect IMO traffic flows and classify different events of its chat and call related activities. We have also compared IMO network traffic of Android and iOS platforms to report the subtle differences. The results are valid for IMO 9.8.00 on Android and 7.0.55 on iOS

Contribuciones al análisis forense de evidencias digitales procedentes de aplicaciones de mensajería instantánea

La continua evolución de las Tecnologías de la Información y Comunicaciones está propiciando que cada vez más, nos encontremos ante una sociedad más interconectada, permitiendo el intercambio inmediato de información digital desde casi cualquier lugar del planeta. Desde el punto de vista de las ciencias forenses, como ciencia que estudia los elementos recolectados en la escena de un crimen, el nacimiento y la rápida evolución de las TICs implica que las ciencias forenses deban adaptarse continuamente a esta evolución, investigando nuevos métodos científicos de análisis que permitan la resolución de los hechos delictivos a través de medios digitales. El uso que se realiza en concreto de las aplicaciones de intercambio de información en la comisión de hechos delictivos implica que éstas deban ser objeto de un análisis forense minucioso, a partir del cual identificar, recuperar y extraer toda aquella información relativa con el hecho investigado, manteniendo en todo momento el valor probatorio de la misma. La Tesis con el título La Tesis con el título CONTRIBUCIONES AL ANÁLISIS FORENSE DE EVIDENCIAS DIGITALES PROCEDENTES DE APLICACIONES DE MENSAJERÍA INSTANTÁNEA lleva a cabo la investigación de la evolución de las aplicaciones de mensajería instantánea y su impacto en el ámbito de las ciencias forenses. La investigación realizada pretende reseñar la transformación de este tipo de aplicaciones en cuando a los diferentes métodos de acceso e infinidad de funcionalidades ofrecidas a sus usuarios. Así mismo se persigue contribuir de forma directa en los métodos científicos utilizados en el análisis forense que se vienen realizando sobre las aplicaciones de mensajería instantánea, medio de prueba principal en multitud de procesos judiciales. Esta Tesis expondrá el estado actual de los procesos utilizados tanto en el proceso de adquisición como en el proceso de análisis de las aplicaciones de mensajería instantánea, así como las diferentes problemáticas a las que se enfrenta el especialista forense digital en el análisis forense de este tipo de aplicaciones. Se desarrollará una metodología específica para el análisis forense de las aplicaciones de mensajería instantánea, suma de diversos métodos de estudios, la cual permitirá identificar, decodificar e interpretar la información generada por este tipo de aplicaciones con independencia del dispositivo electrónico, sistema operativo o aplicación analizada. A partir de los tres métodos de estudio incluidos en la metodología propuesta, se pretende verificar y validar la integridad de la información extraída más allá del uso generalizado de soluciones forenses comerciales. Por último, se expondrán los resultados y conclusiones obtenidas de aplicar la metodología de análisis forense propuesta en esta investigación sobre alguno de los clientes de las principales aplicaciones de mensajería instantánea que existen en la actualidad