LiFE (Logical iOS Forensics Examiner): An Open Source iOS Backup Forensics Examination Tool
In this paper, we present LiFE (Logical iOS Forensics Examiner), an open source iOS backup forensics examination tool. This tool helps both researchers and practitioners alike in understanding the backup structures of iOS devices and in forensically examining iOS backups. The tool is currently capable of parsing device information, call history, voice messages, GPS locations, conversations, notes, images, address books, calendar entries, SMS messages, Aux locations, Facebook data and e-mails. The tool consists of both a manual interface (where the user is able to manually examine the backup structures) and an automated examination interface (where the tool pulls out evidence from known files). Additionally, LiFE is designed so that the evidence located in files retains its integrity. It is important to note that most of the evidence examined by LiFE is parsed from SQLite databases that are backed up by iTunes. LiFE also offers an extensibility option to the user, where an examiner can add new evidence SQLite files to the application that can be automatically parsed; these known files are then automatically populated in the automated GUI's toolbar with an icon chosen to the investigator's liking.
Keywords: iOS forensics, Small Scale Digital Devices, iPhone forensics, iPad forensics, SQLite, Open source tools, iTunes backup, Extensible forensics software, File identification, LiFE
Forensic Analysis of WhatsApp Messenger on Android Smartphones
We present the forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system. We provide a complete description of all the artifacts generated by WhatsApp Messenger, we discuss the decoding and the interpretation of each one of them, and we show how they can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation.
By using the results discussed in this paper, an analyst will be able to reconstruct the list of contacts and the chronology of the messages that have been exchanged by users. Furthermore, thanks to the correlation of multiple artifacts, (s)he will be able to infer information like when a specific contact has been added, to recover deleted contacts and their time of deletion, to determine which messages have been deleted, when these messages have been exchanged, and the users that exchanged them.
Comment: (c)2014. This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0
Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones
We present the forensic analysis of the artifacts generated on Android smartphones by ChatSecure, a secure Instant Messaging application that provides strong encryption for transmitted and locally-stored data to ensure the privacy of its users.
We show that ChatSecure stores local copies of both exchanged messages and files into two distinct, AES-256 encrypted databases, and we devise a technique able to decrypt them when the secret passphrase, chosen by the user as the initial step of the encryption process, is known.
Furthermore, we show how this passphrase can be identified and extracted from the volatile memory of the device, where it persists for the entire execution of ChatSecure after having been entered by the user, thus allowing one to carry out decryption even if the passphrase is not revealed by the user.
Finally, we discuss how to analyze and correlate the data stored in the databases used by ChatSecure to identify the IM accounts used by the user and his/her buddies to communicate, as well as to reconstruct the chronology and contents of the messages and files that have been exchanged among them.
For our study we devise and use an experimental methodology, based on the use of emulated devices, that provides a very high degree of reproducibility of the results, and we validate the results it yields against those obtained from real smartphones.
Find Me If You Can: Mobile GPS Mapping Applications Forensic Analysis & SNAVP the Open Source, Modular, Extensible Parser
The use of smartphones as navigation devices has become more prevalent. The ubiquity of hand-held navigation devices such as Garmins or TomToms has been falling, whereas the ownership of smartphones and their adoption as GPS devices is growing. This work provides a comprehensive study of the most popular smartphone mapping applications, namely Google Maps, Apple Maps, Waze, MapQuest, Bing, and Scout, on both Android and iOS. It details what data was found, where it was found, and how it was acquired for each application. Based on the findings, the work allowed for the construction of a tool capable of parsing the data from all of the aforementioned applications as well as creating maps of the locations attained. It was discovered that much data relating to the user's navigation history, be it addresses, latitude/longitude points, etc., was stored on the user's device. It was also found that in almost all cases, discerning whether the user had actually traveled to a destination from the mapping application data was not possible.
Advances of mobile forensic procedures in Firefox OS
The advancement of smartphone technology has attracted many companies to developing mobile operating systems (OS). Mozilla Corporation recently released a Linux-based open source mobile OS, named Firefox OS. The emergence of Firefox OS has created new challenges, concentrations and opportunities for digital investigators. In general, Firefox OS is designed to allow smartphones to communicate directly with HTML5 applications using JavaScript and the newly introduced WebAPI. However, the use of JavaScript in HTML5 applications, combined with the absence of OS-level restrictions, might lead to security issues and potential exploits. Therefore, forensic analysis for Firefox OS is urgently needed in order to investigate any criminal intentions. This paper will present an overview and methodology of mobile forensic procedures, in a forensically sound manner, for Firefox OS.