Forensic investigations of popular ephemeral messaging applications on Android and iOS platforms
Ephemeral messaging applications are growing increasingly popular on the digital mobile market. However, they are not always used with good intentions. Criminals may see a gateway into private communication with each other through this transient application data. This could negatively impact criminal court cases for evidence, or civil matters. To find out if messages from such applications can indeed be recovered or not, a forensic examination of the device would be required by the law enforcement authority. This paper reports mobile forensic investigations of ephemeral data from a wide
range of applications using both proprietary and freeware forensic tools. Both Android and iOS platforms were used in the investigation.
The results from the investigation uncovered various artefacts from the iOS device including account information, contacts, and evidence of communication between users. The Android device uncovered evidence of communications, and several media files assumed to be deleted within a storage cache in the Android file system. The forensic tools used within the investigations were evaluated using parameters from the National Institute of Standards and Technology’s (NIST) mobile tool test assertions and test plan.
KeywordsMobile forensics; Digital forensics; NIST measurements; Oxygen Forensics; Ephemeral messaging apps; EMAsYear2020JournalInternational Journal on Advances in SecurityJournal citation13 (1 & 2), pp. 41 - 53PublisherIARIAISSN1942-2636Official URLhttp://www.iariajournals.org/security/sec_v13_n12_2020_paged.pdfPublication datesPrint02 Jul 2020Publication process datesAccepted04 May 2020Deposited06 Jul 2020Accepted author manuscript[1] A. Chamberlain and M.A.H.B. Azhar, “Comparisons of
Forensic Tools to Recover Ephemeral Data from iOS Apps
Used for Cyberbullying”, The Fourth International Conference
on Cyber-Technologies and Cyber-Systems, CYBER 2019,
Porto, Portugal.
[2] R. Graham, “How Terrorists Use Encryption”, Combating
Terrorism Center at West Point. Available from:
https://ctc.usma.edu/how-terrorists-use-encryption/ [Accessed:
01- June- 2020].
[3] C. Cotta, A.J. Fernandez-Lelva, F. Fernandez de Vega and F.
Chavez, “Application Areas of Ephemeral Computing: A
Survey”, in Transactions on Computational Collective
Intelligence: David Camacho, University of Malaga, pp. 155-
157, 2016.
[4] I. Barker, “Cyber criminals turn to messaging apps following
dark web crackdown”, Betanews, 2017. [Online]. Available
from: https://betanews.com/2017/10/25/criminals-turn-tomessaging/ [Accessed: 01- June- 2020].
[5] T. Alyaha and F. Kausar, “Snapchat Analysis to Discover
Digital Forensic Artefacts on Android Smartphone”, in 8th
International Conference on Ambient Systems, Networks and
Technologies, ANT-2017 and the 7th International Conference
on Sustainable Energy Information Technology, SEIT 2017,
16-19 May 2017, Madeira, Portugal, pp. 1035-1040, 2017.
[6] GSMA, “Number of Mobile Subscribers Worldwide Hits 5
Billion”, [Online]. Available from:
https://www.gsma.com/newsroom/press-release/numbermobile-subscribers... [Accessed: 01-
June- 2020].
[7] D. L. Fisher, M.J. Hamilton and J.K. Southwick, “When
Electronic Records Disappear But Legal Issues Linger”,
Law360, Portfolio Media, Inc., Available from:
https://www.pepperlaw.com/publications/when-electronicrecords-disapp...
[Accessed: 01- June- 2020].
[8] J. Graham, “WhatsApp, Wickr Seen by Justice Dept. as Tools
to Erase Evidence”, Available from:
https://biglawbusiness.com/whatsapp-wickr-seen-by-justicedept-as-too... [Accessed: 01- June- 2020].
[9] J. Constine, “Snapchat revives growth in Q1 beat with 190M
users”, Available from:
https://techcrunch.com/2019/04/23/snapchat-q1-2019-
earnings/ [Accessed: 01- June- 2020].
[10] D. Noyes, “The Top 20 Valuable Facebook Statistics”,
Available from: https://zephoria.com/top-15-valuablefacebook-statistics/ [Accessed: 01- June- 2020].
[11] National Institute of Standards and Technology, “Mobile
Device Tool Test Assertions and Test Plan”, 2016. [Online].
Available from:
https://www.nist.gov/system/files/documents/2017/05/09/mob
ile_device_tool_test_assertions_and_test_plan_v2.0.pdf
[Accessed: 01- June- 2020].
[12] K. M. Ovens and G. Morison, “Forensic analysis of kik
messenger on ios devices”, Digital Investigation, vol. 17, pp.
40-52, 2016.
[13] S. C. Sathe and N. M. Dongre, “Data acquisition techniques in
mobile forensics”, in 2018 2nd International Conference on
Inventive Systems and Control (ICISC), pp. 280–286. doi:
10.1109/ICISC.2018.8399079.
[14] M. A. H. B. Azhar and T. Barton, “Forensic Analysis of Secure
Ephemeral Messaging Applications on Android Platforms”,
Jan. 2017, doi: 10.1007/978-3-319-51064-4.
[15] M. Al-Hadadi and A. AlShidhani, “Smartphone Forensics
Analysis: A Case Study”, International Journal of Computer
and Electrical Engineering, vol. 5, pp. 577-579, 2013.
[16] R. Umar, I. Riadi and G. Zamroni, “Mobile Forensic Tools
Evaluation for Digital Crime Investigation”, International
Journal on Advanced Science, Engineering and Information
Technology, vol. 8, pp. 949-955, 2018.
[17] P. Naughton and M. A. H. B. Azhar, “An Investigation on
Forensic Opportunities to Recover Evidential Data from
Mobile Phones and Personal Computers. The Second
International Conference on Cyber-Technologies and CyberSystems”, CYBER 2017, Barcelona, Spain.
[18] ACPO, “ACPO Good Practice Guide for Digital Evidence”,
2012. [Online]. Available from: https://www.digitaldetective.net/digital-forensics
documents/ACPO_Good_Practice_Guide_for_Digital_Eviden
ce_v5.pdf [Accessed: 01- June- 2020].
[19] iPhone 6s, “Wikipedia for iPhone 6s”, [Online]. Available
from: https://en.wikipedia.org/wiki/IPhone_6S [Accessed: 01-
June- 2020].
[20] Vodafone VF695, “User manual of Vodafone VF695”,
[Online]. Available from:
https://www.vodafone.com/content/dam/vodcom/devices/sma
rt-first/User%20Manual%20-%20English.pdf [Accessed: 01-
June- 2020].
[21] Jkielty, “Android v iOS market share”, 2019, DeviceAtlas,
[Online]. Available at: https://deviceatlas.com/blog/android-vios-market-share [Accessed: 01- June- 2020].
[22] Snapchat, “Snapchat APP for mobile”, [Online]. Available
from: https://www.snapchat.com/l/en-gb/ [Accessed: 01- June2020].
[23] Dust, “The APP that protects your assests”, [Online].
Available from: https://usedust.com/ [Accessed: 01- June2020].
[24] Confide, “Your Confidential Messenger”, [Online]. Available
from: https://getconfide.com/ [Accessed: 01- June- 2020].
[25] Facebook Messenger, “Wikipedia for Facebook Messenger”,
[Online]. Available
https://en.wikipedia.org/wiki/Facebook_Messenger
[Accessed: 01- June- 2020].
[26] Signal Messenger, “Wikipedia for Signal Messenger”,
[Online]. Available
https://en.wikipedia.org/wiki/Signal_Messenger [Accessed:
01- June- 2020].
[27] Wire App, “Wikipedia for Wire App”, [Online]. Available
https://en.wikipedia.org/wiki/Wire_(software) [Accessed: 01-
June- 2020].
[28] Omnicore , “Snapchat by the Numbers: Stats, Demographics &
Fun Facts”, 2020. [Online]. Available from:
https://www.omnicoreagency.com/snapchat-statistics/
[Accessed: 01- June- 2020].
[29] Messenger, “Messenger - Android Apps on Google Play”,
[Online], Available at:
https://play.google.com/store/apps/details?id=com.facebook.o
rca [Accessed: 01- June- 2020].
[30] J. Evans, “WhatsApp Partners With Open WhisperSystems To
End-To-End Encrypt Billions Of Messages A Day.” [Online].
Available from https://techcrunch.com/2014/11/18/end-toend-for-everyone/ [Accessed: 01- June- 2020].
[31] Oxygen Forensics, Oxygen Forensic Detective Enterprise,
[Online]. Available from: https://www.oxygenforensic.com/en/products/oxygen-forensic-detective... [Accessed: 01- June- 2020].
[32] MOBILedit Forensic, MOBILedit Forensic Express, [Online].
Available from: https://www.mobiledit.com/onlinestore/forensic-express [Accessed: 01- June- 2020].
[33] Andriller, Android Forensic Tools, [Online]. Available from:
https://www.andriller.com/ [Accessed: 01- June- 2020].
[34] FTK Imager, AccessData. [Oniline], Available from:
https://accessdata.com/product-download [Accessed: 01-
June- 2020].
[35] Autopsy. [Online], Available from:
https://www.sleuthkit.org/autopsy/ [Accessed: 01- June2020].
[36] Andrioid Tools, “Android Forensics: imaging android
filesystem using ADB and DD”, [Online], Available from:
https://www.andreafortuna.org/2018/12/03/android-forensicsimaging-an... [Accessed:
01- June- 2020].
[37] M. Lohrum, “Live imaging an Android device”, [Online]
Available from:http://freeandroidforensics.blogspot.com/2014/08/liveimaging-android... [Accessed: 01- June- 2020].
[38] FireBase Messaging, “Firebase Cloud Messaging”, [Online].
Available from: https://firebase.google.com/docs/cloudmessaging [Accessed: 01- June- 2020].
