Abstract

Smartphone users spend a substantial amount of time browsing, emailing, and messaging through different social networking apps. The use of social networking apps on smartphones has become a dominant part of daily life. This heavy usage has also resulted in a sharp rise in cybercrimes such as social harassment, abusive messages, vicious threats, broadcasting of suicidal actions, and live coverage of violent attacks. Many such crimes are carried out through social networking apps; therefore, the forensic analysis of digital devices allegedly involved in crime scenes, and of the social apps installed on them, can help resolve criminal investigations. This research performs a forensic investigation of five social networking apps, i.e., Instagram, LINE, Whisper, WeChat, and Wickr, on Android smartphones. The essential motivation behind the examination and tests is to find out whether data remains within the internal storage of the device after these social networking apps have been used. Data extraction and analysis are carried out using three tools, i.e., Magnet AXIOM, XRY, and Autopsy. From the results of these experiments, a considerable amount of essential data was successfully extracted from the examined smartphone. This useful data can be recovered by forensic analysts for the examination of a crime situation. Finally, we analyzed the tools on the basis of their ability to extract digital evidence from the device, and their performance is examined with respect to NIST standards.

1. Introduction

Smartphones have gone through a progressive advancement over the last two decades. From being a prized possession, they have become an outright need as they are used for a lot more than just calls and messages. Smartphones enable users to enjoy a comfortable internet experience by browsing, emailing, and staying connected through different social media apps. The use of social media apps has witnessed a momentous surge, and they are being used by people of all age groups, by businesses, academia, media, hacktivists, law enforcement agencies (LEAs), and even terrorist organizations for a wide variety of purposes [1]. During the last 12 months, the use of social media has continuously increased by 1 million every day [2]. According to the Digital 2020 Global Overview, the usage of social media has increased by 12 percent from 2019 and 99 percent of that surge was due to smartphone apps [2].

For most teenagers, the most popular use of mobile phones is socializing. These online interactions are mostly productive; however, they have also resulted in an increase in bullying, threatening, and humiliating others [3]. It is estimated that 73% of students feel that they have been harassed in their lives and 44% say they have been harassed during the last 30 days [4]. Easy access to social media platforms opens the door to a new type of bullying.

Social networking apps (SNAs) allow users to create a profile, upload personal information such as pictures, videos, and location, and share that information through private messaging or public posts. This gives criminals an open opportunity to misuse the user’s personal information, giving rise to cybercrimes via SNAs [5]. These apps can also be exploited for cyberbullying, stalking, sexual harassment, and insults [6, 7]. Since all information about user activities is stored within the phone’s internal memory, smartphones have become an important source of evidence and artifacts during crime investigations linked to these SNAs. The gathered artifacts enable users and investigators to find the PII (personally identifiable information) [8] stored in the device, which is useful for presentation in a court of law.

The increase in cybercrimes using smartphones and SNAs [9] has created an opportunity to use forensic tools and techniques to investigate these criminal activities. The forensic analyst requires an up-to-date understanding of what kind of artifacts can possibly be recovered so that they can be presented in a court of law. Moreover, the increased demand for more and more advanced smartphones has created fierce competition among equipment manufacturers. New smartphones are continuously launched in the market, which has led users to change mobile phones frequently based on factors such as a better OS, file structure, data storage, user experience, and many more [10]. Therefore, forensic examiners are struggling to keep up with new procedures and tools.

Many studies have been conducted on Facebook and WhatsApp forensics and on other well-known apps, as mentioned in the literature, so there is a need for forensic analysis of other social media apps (Instagram, LINE, WeChat, Whisper, and Wickr) which are getting popular these days. With the expanded use of smartphones for social networking, as highlighted in Figure 1, a large number of forensic artifacts depicting user behaviour are generated through these social networking apps [2] and stored within the phones. Several incidents might occur that end up in court, and forensic investigators can use those recorded activities as evidence when investigating such incidents.

Keeping this scenario in mind, we have focused on inspecting the phone forensically and looking for the artifacts generated and stored in different locations in the phone, via the forensic tools. Such artifact findings are capable of tying the perpetrator to the incident; thus, forensic examination of these apps can provide a ready reckoner to the digital forensic investigator of Android phone analysis.

Thus, focusing on this requirement, our research aims at performing the following actions:
(i) Identification, extraction, and analysis of the artifacts recovered from the popular social networking apps on an Android smartphone in a way that can be presented in a court of law
(ii) Analysis of each app using three different tools, i.e., Magnet AXIOM, Autopsy, and XRY
(iii) Presentation of the analysis of the tools to showcase their ability to extract digital evidence from the device, with their performance examined with respect to NIST standards

We have used three forensic tools to perform experiments on five popular social media apps including Instagram [11], LINE [12], Whisper [13], WeChat [14], and Wickr [15]. Data from these apps is acquired and analyzed during three stages (before data deletion, after data deletion, and after app uninstall) using Magnet AXIOM [16], Autopsy [17], and XRY [18]. Furthermore, we have also categorized the tools on the basis of total artifacts recovered and NIST standards on smartphone extraction tools [19]. We have also devised some additional parameters that can be used for forensic analysis. The artifacts suggested by our study can be helpful in forensic investigation of cybercrimes on SNAs.

The rest of the paper is organized in 6 sections. Section 2 presents the preliminary concepts and definitions used in this paper. Section 3 presents the literature related to mobile app forensics on different operating systems (OSs). In Section 4, the methodology of the research is explained. Section 5 covers the artifacts recovered from all five apps using Magnet AXIOM, Autopsy, and XRY. Section 6 discusses the results gathered from the three tools and evaluates the tools according to total artifacts recovered, NIST parameters [19, 20], and additional parameters derived during this research to judge the tools’ capabilities. Conclusions and future work are presented in Section 7.

2. Preliminary Concepts

This section presents a brief overview of preliminary concepts that are going to be used/referred throughout this article.

2.1. Android Operating System

Currently, Android OS is the most commonly used OS in mobile phones, with an 88% share of the worldwide smartphone industry. It is therefore essential to explore Android using various methodologies and methods [21]. For forensic investigators, the folder structure of an Android phone is an extremely interesting area, so they should understand where the information/evidence can be found. It is therefore helpful to understand the structure of data storage [22].

A unique ID (UID) is assigned to each app in Android. Each app runs in a separate process so that no application can access the data of another app. The unique app ID for a specific app is stored in the app package. Apps can store their data in many ways [23]. Through app forensic analysis, an investigator can comprehend the usage of the app and find the user data. App analysis is important because nearly all apps use typical functions, i.e., messages, calls, contacts, and internet browsing [24]. This data can tell a lot about the user, such as when they were in a specific location, to whom they have communicated, their future plans, etc.

2.2. Digital Evidence and Forensic Process

In 2006, Carrier and Spafford [25] defined digital evidence as data that supports or refutes a hypothesis about digital events. A forensic investigation is carried out by collecting, preserving, and analyzing the evidence for presentation in a court of law. Mobile phones continuously transmit data through Wi-Fi, Bluetooth, etc. It is very difficult to preserve data without altering it, so it is important to record and document every single detail during the whole process.

According to the National Institute of Standards and Technology (NIST), the forensic process [26] includes a 4-step procedure, i.e., preservation, acquisition, analysis, and presentation. Figure 2 describes the NIST forensic process.

2.2.1. NIST Standards on Smartphone Extraction Tools

NIST releases parameters and methods for measuring the performance of forensic tools based on the outcomes of the assessment plan conducted by NIST. Every assertion produces at least one experiment comprising a test protocol and the expected test outcomes. The test protocol specifies point-by-point techniques for setting up the test, executing the test, and measuring the test outcomes [19]. NIST notes that the growing number of cell phone models every year creates problems in forensic cases; hence, a method is required to quantify the capability of the available forensic tools. NIST offers 42 parameters and methods based on the results of each test plan to assess the performance of forensic tools.

The objective of the computer forensic tool testing (CFTT) project at NIST is to build up an approach for testing forensic tools. This is done by establishing unique and common rules governing the requirements of the tools. NIST records the measurement parameters of the forensic tools in two reports entitled “smartphone tool specification” [19] and “smartphone tool test assertions and test plan” [20]. The measurement parameters are partitioned into two parts: core and optional. Smartphone tool core requirements ([SPT-CR-01] to [SPT-CR-06]) are the requirements that shall be met by all acquisition tools. Smartphone tool optional requirements ([SPT-RO-01] to [SPT-RO-15]) apply to the optional features a tool offers: a tool shall comply with the requirements for each stated feature or option it supports. Test assertions are developed from these requirements. A test assertion is defined as a general statement of a condition that can be checked after a test has been carried out.

2.3. Digital Investigation Tools

There are tools designed to acquire and analyze digital images from mobile devices. The competency of these tools in forensic acquisition and analysis can differ from one another, so it is important for the analyst to know the expertise level of each tool. Comparing and verifying the output of the tools can help the examiner choose the tool needed for a case. We have used the following three tools in our analysis.

2.3.1. Magnet AXIOM

AXIOM is a complete digital investigation tool developed by Magnet Forensics. It is used to recover digital evidence from different sources, i.e., computers, smartphones, third-party images, and the cloud. This platform contains two apps to acquire and analyze data: AXIOM Process acquires and processes the data from the smartphone, and AXIOM Examine performs the examination and analysis of the acquired data. For the purpose of this research, we have used the fully functional trial version [16].

2.3.2. Autopsy

Autopsy is an open source digital investigation platform that is commonly used by law enforcement and forensic examiners to analyze a digital image in order to obtain evidence from it. In this research, we use Autopsy as a second analysis tool to cross-check all the evidence recovered from the acquired images [17].

2.3.3. XRY

XRY is a digital investigation platform. It is an intuitive and competent software application that runs on the Windows OS. It allows an examiner to extract high-quality data securely from different digital devices and platforms. Both acquisition and analysis can be performed through this tool, and it allows an examiner to extract logical or physical data according to the case [18].

2.4. Root for Physical Acquisition

Forensic examination requires a detailed recovery of artifacts for thorough analysis, even though rooting is not needed for physical acquisition in some cases where a patch is offered by the acquisition tool, such as XRY, Cellebrite, and Magnet AXIOM. On the other hand, rooting the device helps eliminate the limitations that cell carriers or device OEMs have imposed. A rooted device offers effective user data extraction and access to its internal directories; the partitions and system folders are hidden and inaccessible on a nonrooted phone. Many Android smartphone manufacturers permit users to legally root their devices [27]. Moreover, the integrity of user data from rooted Android devices during data acquisition is a main concern, as forensic analysts extract valuable data from Android phones by rooting [27]. Furthermore, the authors in [28] argue that rooting of Android devices has legal validity and that the evidence extracted as a result of the rooting process is effective and credible evidence for conviction in criminal proceedings.

3. Related Work

Some research work has been done in the field of mobile application forensics. Some of the analyses focus on general device activities, event logs, and device logs [29, 30], whereas others emphasize the applications installed on the device. Andriotis et al. [31] related the usage of smartphones with numerous crimes such as sharing confidential information on public mediums, uploading images to the cloud, and child pornography [32]. Information was collected from phone log files, Wi-Fi logs, event logs, Bluetooth logs, and databases containing the browsing history. Snapchat was analyzed in [33] by Infosecurity Group and by Aji et al. [34] on two smartphones running Android and iOS. They acquired the data from the smartphone’s internal memory through three extraction techniques: physical, logical, and file system. Extraction was performed with UFED Cellebrite. Chat files, images, and videos were detected from XML records found on the iOS smartphone; on the Android device, the data was not permanently deleted but hidden with a .nomedia extension.

In [35], Mehrotra et al. aimed to verify the founder’s claim that the Android application Wickr enables the user to exchange self-destructing messages and files. They examined both rooted and nonrooted Android phone data acquired through the Titanium Backup Android app v6.1.1 and the Helium Backup Android app. No artifacts or trace of data exchange was found. Mahajan et al. [36] analyzed the artifacts of two apps, WhatsApp and Viber. Data was extracted through UFED from 3 versions of Android OS. Both apps were examined through UFED Analyzer. The chat list, chat messages, and sessions along with timestamps were found in the WhatsApp “msgstore.db” file, and contact information was found in the “wa.db” file. For Viber, all information, including sent and received messages, contact lists, and timestamps, was found through manual search. Mathavan and Meeran [37] performed forensic analysis on WhatsApp. The internal memory of an Android phone was analyzed to find artifacts such as sent/received messages, images, videos, logs, and contact information. Walnycky et al. [38] selected 20 social messaging apps based on the number of downloads and keyword results from Google Play Store. Network traffic was captured and saved using Wireshark and examined through NetworkMiner and NetWitness Investigator. This research concluded that four apps, i.e., Snapchat, Tinder, Wickr, and BBM, are secure as they encrypt network traffic through HTTPS using an SSL certificate.

Anglano et al. [39] analyzed ChatSecure on Android phones. UFED Physical Analyzer was used to analyze the data. The ChatSecure database was decrypted through LiME. Messages and media shared during conversations were recovered, whereas deleted data was not recovered. Adebayo et al. [40] analyzed the Kik app installed on three Android mobile devices. The device backup was created with Titanium Backup, and the SQLite DB browser was used to analyze the recovered databases. In another study, Instagram was analyzed by Ryu et al. [41] on an iPhone 6s using EditPlus3 Plist, iBackupBot iPhone Backup Extractor, iBackup Viewer, and iPhone Tracker DB. User information, activity history, and application settings were recovered from the iPhone backup file. Umar et al. [42] analyzed WhatsApp for digital evidence. The application was installed on a Samsung Galaxy S4 GT-I9500 running Android version 5.0.1, and acquisition was done through ADB. For analysis, two tools were used: WhatsApp Key/DB Extractor and Belkasoft Evidence. Text messages, images, videos, and documents were recovered. From the results generated by the tools, Belkasoft was concluded to be the better of the two. The Telegram app was analyzed in [43, 44] on different versions of Android phones and on Windows phones [45]. Android yielded messages and cache information after exploring the DBs. No package related to the app was found on the Windows phone.

In a few other studies [44, 46], KakaoTalk was analyzed on Android phones. In these studies, the Kakao encrypted database was decrypted to gain access to messages and contact information. Facebook, Skype, Viber, Windows Live Messenger, and WhatsApp were analyzed in [50] on iPhone. The backup contains all the information related to these apps even after uninstallation. In [51], Facebook, WhatsApp, Hike, Viber, and Imo were analyzed on an Android phone, and the locations of artifacts were discussed. In [52], the security mechanisms of WhatsApp, Viber, Tango, Voupi, Forfone, HeyTell, EasyTalk, and WowTalk were discussed when they were installed on Android v2.3 and iOS v2.3. In [53–55], LINE Messenger, BlackBerry Messenger, and IMO Messenger were analyzed, respectively, on Android phones and iPhone. The content shared between two parties through private conversation was discussed. Twitter, POF Dating, Snapchat, Fling, and Pinterest were analyzed in [56] installed on Android v5. Message content and account information were discussed. Forensic analysis of Snapchat and Burner was done in [57] on both iOS and Android smartphones. Table 1 summarizes some previous studies on forensic analysis of mobile apps.

4. Methodology

The overall methodology adopted in this research comprises four steps. These steps are illustrated in Figure 3.

4.1. Scenario Building

In the first stage, investigation scenarios are set up by performing common user activities on apps. Apps are installed on the phone from Google Play Store. Accounts are created for each app and activities, i.e., pictures/videos uploaded, comments, scrolling over newsfeed, stories uploaded, messages (text/audio/video/images) sent or received, and video calling (LINE), are performed for the application according to their capabilities. The scenario followed in this research is explained in Figure 4.

4.2. Acquisition

Data from phone memory is acquired through two different tools, Magnet AXIOM (Process) and XRY. Data from phone memory is acquired in three stages.
(i) Application is installed and working
(ii) Application is installed and data has been deleted
(iii) Application and data both have been deleted

In the first stage, all the data remains on the phone as the app is working. In the next stage, some data is deleted by the analyst, and in the last stage, all data is deleted and the app is uninstalled from the phone. Data is acquired from the device in a controlled environment in order to ensure the integrity of the data. In order to get maximum data from the internal memory of the device, data is acquired through the physical acquisition of the device after rooting.

4.3. Analysis

In the analysis phase, every app is analyzed through the content of the app folder located in the data/data directory. The analysis generally involves, but is not limited to, data found in the specific app’s files folder and databases folder. Another folder found under data/data/app_folder, named “shared_prefs” (Shared Preferences), contains .xml files holding app-related data. The same information is recovered by all three tools. The cache stores all the activity information and the images/videos seen by the user while using the app, and is recovered by all three tools.
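The following script is an added example, not part of the original paper or of any of the tools it evaluates. It shows the triage step described above as code: walking an app's data/data/<package> folder, identifying SQLite databases by their 16-byte file header rather than by file name, flattening the shared_prefs XML files, and listing the cache and files folders. The package name, file names, and contents are constructed for the demo and are not taken from any real app.

```python
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Every SQLite 3 file starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_app_dir(root, package):
    """Construct a tiny /data/data/<package> tree (constructed demo data, not a real app)."""
    base = os.path.join(root, package)
    for sub in ("databases", "shared_prefs", "cache", "files"):
        os.makedirs(os.path.join(base, sub))
    con = sqlite3.connect(os.path.join(base, "databases", "chat.db"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.execute("INSERT INTO messages(sender, body) VALUES ('alice', 'hello')")
    con.commit()
    con.close()
    with open(os.path.join(base, "shared_prefs", "settings.xml"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '    <string name="user_id">u-12345</string>\n'
                 '    <boolean name="logged_in" value="true" />\n</map>\n')
    with open(os.path.join(base, "cache", "thumb_001.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG SOI marker plus padding
    with open(os.path.join(base, "files", "blob.bin"), "wb") as fh:
        fh.write(b"opaque application data")
    return base


def is_sqlite(path):
    """Identify databases by header, not by extension: app DBs are often named without .db."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def list_tables(path):
    """Open the database read-only (never modify evidence) and return its table names."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return sorted(r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"))
    finally:
        con.close()


def parse_shared_prefs(path):
    """Flatten an Android shared_prefs XML file into a dict of name -> value."""
    prefs = {}
    for el in ET.parse(path).getroot():
        prefs[el.get("name")] = el.text if el.tag == "string" else el.get("value")
    return prefs


def triage_app_dir(base):
    """Walk an app's data directory and bucket its files by where the evidence lives."""
    report = {"databases": {}, "shared_prefs": {}, "cache": [], "files": [], "other": []}
    for dirpath, _, filenames in os.walk(base):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, base).replace(os.sep, "/")
            top = rel.split("/")[0]
            if is_sqlite(path):
                report["databases"][rel] = list_tables(path)
            elif top == "shared_prefs" and fn.endswith(".xml"):
                report["shared_prefs"][rel] = parse_shared_prefs(path)
            elif top == "cache":
                report["cache"].append(rel)
            elif top == "files":
                report["files"].append(rel)
            else:
                report["other"].append(rel)
    return report


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    base = build_sample_app_dir(tempfile.mkdtemp(), "com.example.chatapp")
    return triage_app_dir(base)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real image the same walk would be pointed at the extracted data/data/<package> directory; the read-only URI open matters there because opening an evidence database read-write can create journal files and alter hashes.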

4.4. Tool Evaluation

Tools are evaluated on the basis of their capability to recover digital artifacts from every said app, NIST standards on smartphone extraction tools [19] and some additional parameters from the investigator after conducting research. The result of this research can be used as a recommendation to investigators to handle the cases associated with these apps.

In order to analyze the data generated by these apps (Figure 4), the internal storage of the smartphone is examined after every experiment. The information generated by apps is stored in the inner phone memory that is ordinarily out of reach to users. Therefore, appropriate tools and techniques should be adopted so as to obtain and access this part of the memory. The hardware used in the research is a Samsung smartphone, USB cable, and computer for the retrieval and analysis of data. The description of experimental tools is provided in Table 2. Forensic tools that are used during the experiments are described in Table 3.

The artifacts recovered have been categorized into six fields in this research. The main categories are DB (databases), media/text exchange, timeline, account/user information, calls, and timestamps. The DB category contains the artifacts recovered from the databases present in the app folder. Artifacts related to the exchange of media (images/video/audio/emoji/GIFs) and text between two parties reside in the media/text exchange category. The timeline category has artifacts related to the user’s timeline, i.e., their stories/posts/likes/replies/statuses. Artifacts for the user’s account (profile picture/DoB/email address/ID/name/phone numbers/app activity) reside in the account/user information category. The calls category contains the artifacts related to audio/video calls made or received by the user. The timestamps category comprises the artifacts related to the timing of different activities performed by the user. The categories are summarized in Table 4.

5. Forensic Analysis

In order to execute the forensic analysis, the apps are downloaded from Google Play Store and a set of activities is performed on them, following certain test cases that any user might perform on these apps. Figure 4 states the activities performed on each app. Physical data of the device is acquired through two proprietary tools, i.e., Magnet AXIOM and XRY. Before starting the acquisition, the phone is rooted by installing TWRP Recovery and flashing SuperSU in recovery mode. After obtaining superuser privileges, full image extraction is performed through Magnet AXIOM and physical acquisition is done by XRY.

The findings for the apps from the acquired image are described in this section. All the activities performed in the apps and the relevant data stored in the internal memory of the phone are examined. The examination is done by viewing the acquired image through the tools (Magnet AXIOM and XRY), and the image is analyzed against the defined cases of all the SNAs one by one in detail.

5.1. Forensic Analysis of Apps through Magnet AXIOM

This section discusses the artifacts recovered from the applications using Magnet AXIOM.

5.1.1. Instagram

The artifacts recovered from Instagram through Magnet AXIOM are described in Figure 5 under three conditions: before data deletion, after deleting some data, and after app uninstallation. Firstly, the app is analyzed while no data has been deleted from the device. Figure 5(a) shows that the messages sent and received are recovered with message time, type, sender, and receiver information. Figure 5(b) shows that the stories uploaded by the user to their Instagram account are recovered. An image is taken again after deleting some data, i.e., images, text messages, and images/video uploaded to the Instagram account. Figure 5(c) shows that 80 percent of text messages are successfully recovered, and only textual information about images and video calls is recovered, such as the name of the other party and timestamps. After app uninstallation, no data related to the Instagram app is recovered by Magnet AXIOM.

5.1.2. LINE

As we examined naver_line.db, we found 32 tables, of which only 6 are of interest from the forensic point of view. The contact table is related to call_history.db, as the user who made a call can only be recognized through the contact table: the ID of the caller is matched against the m_id column in the contact table, so the caller can be verified. LINE provides end-to-end encryption for data. The public key for every contact is stored in e2ee.db in an encrypted format. After deletion, some messages and media shared through private messages were not recovered, and only a few contacts were recovered. No data related to the LINE application was recovered after app uninstallation. The detailed analysis of LINE is shown in Figure 6. Figure 6(a) shows that LINE contacts, m_ids (unique IDs for every contact), messages, and calls shared between both parties with timestamps are recovered from the database (naver_line.db) stored in the app package. Messages recovered with the sender/receiver and message type with timestamps are shown in Figure 6(b). Figures 6(c) and 6(d) show the recovery of media files (videos) and audio/image files, respectively, transferred during the chat session with timestamps.
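The caller resolution described above, the join between the call records and the contact table on m_id, as an added example that is not part of the original paper. The schema is a hypothetical, heavily simplified stand-in: only the existence of an m_id column in the contact table is taken from the analysis above; the call_history column names, the millisecond timestamps, and all the records are assumptions constructed for the demo. The LEFT JOIN keeps calls whose caller is no longer in the contact table, which is exactly the case an examiner must not silently drop.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_dbs():
    """Constructed stand-ins for naver_line.db (main) and call_history.db (attached)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        ATTACH DATABASE ':memory:' AS calls;
        CREATE TABLE contact(m_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE calls.call_history(
            id INTEGER PRIMARY KEY, caller_mid TEXT, call_type TEXT,
            start_ts INTEGER, duration_sec INTEGER);
        INSERT INTO contact VALUES ('u0a1', 'Alice'), ('u0b2', 'Bob');
        INSERT INTO calls.call_history(caller_mid, call_type, start_ts, duration_sec) VALUES
            ('u0a1', 'video', 1600000000000, 95),
            ('u0c3', 'audio', 1600000500000, 12),   -- caller missing from the contact table
            ('u0b2', 'audio', 1600001000000, 240);
    """)
    return con


def resolve_calls(con):
    """Join call records to contacts on m_id; keep unresolved callers rather than dropping them."""
    rows = con.execute("""
        SELECT h.id, h.caller_mid, c.name, h.call_type, h.start_ts, h.duration_sec
        FROM calls.call_history AS h
        LEFT JOIN contact AS c ON c.m_id = h.caller_mid
        ORDER BY h.start_ts
    """).fetchall()
    resolved = []
    for call_id, mid, name, call_type, ts_ms, seconds in rows:
        # Timestamps are assumed to be milliseconds since the Unix epoch; report them in UTC.
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        resolved.append({
            "id": call_id,
            "m_id": mid,
            "name": name if name is not None else "<unresolved>",
            "type": call_type,
            "start_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "seconds": seconds,
        })
    return resolved


if __name__ == "__main__":
    for call in resolve_calls(build_sample_dbs()):
        print(call)
```

An unresolved caller in the output is itself a finding: it means a contact was removed (or never synced) after the call, and the m_id should be carried forward to other sources rather than discarded.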

5.1.3. Whisper

The forensic analysis of Whisper resulted in some data being retrieved. The retrieved data contains information about user accounts, content created or liked by the user, groups he/she follows, private messages shared with friends, location information, and other activities. After deletion, all the text messages were recovered, and a textual preview of media shared through private messages was recovered. After app uninstallation, no data related to the Whisper app was recovered. The detailed analysis of Whisper is shown in Figure 7. Figure 7(a) shows the retrieved text messages shared between the user and their friends, with timestamps and location information. Textual information about images received by the user is recovered, as shown in Figure 7(b). Figure 7(c) shows the retrieved information about the posts uploaded or replied to by the user, with timestamps, hearts, and location information. Figure 7(d) shows the posts shared while the user was online, with timestamps, Whisper content, and location information.

5.1.4. WeChat

WeChat data files are stored within the parent company Tencent’s [59] directory MicroMsg folder. WeChat’s database EnMicroMsg.db is encrypted using SqlCipher [60]. Some information was retrieved from the index file named FTS5IndexMicroMsg.db, as shown in Figure 8(a). After data deletion, some messages/media files were recovered in a textual format as shown in Figure 8(b). After app uninstallation, only textual information of media files, i.e., video files as shown in Figure 8(c) and audio files (as shown in Figure 8(d)), was recovered from the smartphone. The detailed analysis of WeChat is shown in Figure 8.

5.1.5. Wickr

Wickr is known as an antiforensic app. It is highly encrypted and claims that no data can be recovered from a device or from network analysis for forensic investigation. All conversations are stored in a highly encrypted database. Wickr does not store any other data within the internal memory of the phone. The detailed analysis of Wickr is shown in Figure 9. The base.apk file was extracted with a .zip archive extractor, and the classes.dex and classes2.dex files inside it were decompiled with a Java decompiler; some artifacts were recovered from these files. It was found that the database wickr_db.db is encrypted with SQLCipher [60], as shown in Figure 9(a). Figure 9(b) shows the WickrDBAdapter file, which reveals the wickr.db schema containing account information, contact info, messages sent/received, timestamps, and keys. Figure 9(c) shows that the files folder contains some .wic files that are encrypted. By exploring base.apk, it was found that the ds.wic file is used to store cache data and passwords. Figure 9(d) shows the WickrDBKey.class, from which it was found that sk.wic contains the key for the database. kck.wic and kcd.wic are also encrypted files that must have contained the videos/audio sent by the user, because these files were deleted after the video and audio sent by the user were deleted (shown in Figure 9(e)). Figure 9(f) shows that the video sent by the user is recovered from the cache folder.

5.2. Forensic Analysis of the App through Autopsy

This section discusses the artifacts recovered from the apps using Autopsy.

5.2.1. Instagram

Autopsy recovered almost the same data as AXIOM. AXIOM gives the text thread detail with the text/media shared; this is not the case in Autopsy, which gives the text content and information shared in DMs through the database (the database has to be saved and opened in an SQLite browser). The user’s activity has been recorded in the cache folder and recovered with timestamps. Parts of videos are also recovered as JPEG images. After the cache is cleared, stories and cache data were not recovered. 50 percent of text messages were recovered after deletion from direct.db with date and time information. Images shared during the chat were not recovered. Textual information about media sent or video calls made by the user is recovered after data deletion. No data was recovered after app uninstallation. The detailed analysis is shown in Figure 10. Figure 10(a) shows that messages sent through DM are recovered. Figure 10(b) shows that images sent through DM are recovered. Figure 10(c) shows the stories recovered as pending media. Figure 10(d) shows that the images uploaded as a story are recovered after deletion.
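Both the Magnet AXIOM result (80 percent of Instagram messages recovered after deletion) and the Autopsy result above (50 percent recovered from direct.db) rest on the same mechanism: an SQLite DELETE normally only marks the cell's space as free and does not erase its bytes, so deleted message bodies stay in the database file until the space is reused. The script below is an added example, not code from the paper or from any of the tools; it builds a constructed message database, deletes one row, and then compares what a normal query returns with what a raw byte search of the file finds, once with SQLite's usual default (secure_delete OFF) and once with secure_delete ON, the setting that zeroes freed cells and defeats this kind of recovery.

```python
import os
import sqlite3
import tempfile

# Constructed message bodies with distinctive markers that can be searched for in the raw file.
LIVE_BODY = "meet at the cafe at six LIVE-MARKER-4f2c"
DELETED_BODY = "delete this after reading DELETED-MARKER-9e7b"


def make_chat_db(path, secure_delete):
    """Create a small direct-message database (constructed demo data), then delete one row."""
    con = sqlite3.connect(path)
    # secure_delete=OFF is SQLite's usual default: freed cells keep their old bytes.
    con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages(sender, body, ts) VALUES (?, ?, ?)", [
        ("alice", LIVE_BODY, 1600000000),
        ("bob", DELETED_BODY, 1600000060),
        ("alice", "ok", 1600000120),
    ])
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")   # the message 'deleted by the user'
    con.commit()
    con.close()


def live_message_ids(path):
    """What a normal SQL query (the view the app itself has) returns after the deletion."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return [r[0] for r in con.execute("SELECT id FROM messages ORDER BY id")]
    finally:
        con.close()


def carve_marker(path, marker):
    """Search the raw database file, ignoring SQL structure, for a known string."""
    with open(path, "rb") as fh:
        return marker.encode("utf-8") in fh.read()


def demo(secure_delete=False):
    """Build the database in a temp dir and report live rows versus carvable content."""
    path = os.path.join(tempfile.mkdtemp(), "direct.db")
    make_chat_db(path, secure_delete)
    return {
        "live_ids": live_message_ids(path),
        "live_found": carve_marker(path, LIVE_BODY),
        "deleted_found": carve_marker(path, DELETED_BODY),
    }


if __name__ == "__main__":
    print("secure_delete OFF:", demo(False))
    print("secure_delete ON: ", demo(True))
```

The partial recovery rates reported in the paper are consistent with this: a freed cell survives only until SQLite reuses or defragments that page space, so messages deleted shortly before acquisition are more likely to be carvable than older ones. The same applies to the -journal or -wal files beside a database, which can hold copies of pages from before the deletion.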

5.2.2. LINE

naver_line.db contains the text messages shared during private chats, the chat history, chat members, and contacts. Autopsy did not recover any text messages after deletion. Images deleted from the timeline have been recovered. Voice message details are recovered after deletion. No data was recovered after app uninstallation. The detailed analysis is shown in Figure 11. Figure 11(a) shows the recovered chat history with timestamps and contact information. Figure 11(b) shows that Autopsy recovered a post hidden from the timeline with the “Hide posts” option. Backup data of a chat, including text messages, the type of media shared, and call (audio, video) information, is recovered as shown in Figure 11(c). Profile pictures of all the friends have also been recovered, as shown in Figure 11(d). Figure 11(e) shows that voice messages were recovered with timestamps. The video shared through chat was recovered in .jpeg image format, as shown in Figure 11(f).

5.2.3. Whisper

The artifacts recovered from the c table of the c.db database are the user's private conversations. After deletion, the following are still recovered: images received during private chats; Whisper posts; event information with the sender name, location, age, gender, and the content that was sent; and some messages with sender and receiver ids and timestamps. No artifact was recovered after app uninstallation. The detailed analysis is shown in Figure 12. Figure 12(a) shows the list of every stored conversation with its timestamp. The column titled pid holds the receiver's user id and the column sid holds the sender's user id. Figure 12(b) shows that whispers posted on the timeline were recovered. Figure 12(c) shows that whispers posted by other people while the user was active are recovered with timestamps and locations. Figure 12(d) shows that images received during chat are recovered.

5.2.4. WeChat

The WeChat artifacts recovered through Autopsy are stated in this section. The detailed analysis is shown in Figure 13. Figure 13(a) shows the messages recovered from the FTS5IndexMessage_content table when it was opened in the SQLite browser. Figure 13(b) shows that the audio messages shared during private chat are recovered with timestamps. Figure 13(c) shows that the images received during chat are recovered. Figure 13(d) shows that the phone number against which the account was created is recovered in plain text. Textual information about the shared video is recovered after deletion as shown in Figure 13(e). Figure 13(f) shows that images received through private chat are recovered after deletion. Figure 13(g) shows that textual information about videos is recovered after app uninstallation. Figure 13(h) shows that images shared and uploaded by the user are recovered after app uninstallation.

5.2.5. Wickr

From the analysis of the image in Autopsy, only the textual information of a video file is recovered from the cache folder. The Wickr database is encrypted, and all the files in the folder are encrypted. No information regarding communication has been recovered from Wickr.

5.3. Forensic Analysis of Applications through XRY

This section discusses the artifacts recovered from the applications using XRY.

5.3.1. Instagram

The image was also acquired with XRY for all the said cases. After the app was uninstalled, the app name was recovered from the data/data folder together with the date and time at which the app was deleted. The detailed analysis is shown in Figure 14. Figure 14(a) shows that the database direct.db contains the messages and sent images. Figure 14(b) shows that the thread information of the DM chat is recovered. Figure 14(c) shows the cache data stored in the cache folder of the app package. Figure 14(d) shows that cache images are recovered by XRY after the cache is cleared. After deletion, XRY recovered the messages deleted within 24 hrs with text/media information (type, timestamps) as shown in Figure 14(e). Remnants of the video uploaded to the account are recovered after deletion as shown in Figure 14(f).

5.3.2. LINE

The LINE package was analyzed with XRY before any data was deleted. After LINE is uninstalled, proof of the app's existence remains in data/data, which contains the application name jp.naver.line.android and the date and time of app deletion. The detailed analysis is shown in Figure 15. Figure 15(a) shows that the files shared through private chat have been recovered. Contact details, chat records, and the information shared between two parties, including text messages, media, and call info with timestamps, were recovered from naver_line.db as shown in Figure 15(b). Figure 15(c) shows that e2ee.db stores private and public keys encrypted with a unique id and timestamp. Images uploaded by the user to LINE's timeline were also recovered as shown in Figure 15(d). The profile pictures of friends were recovered as shown in Figure 15(e). The video uploaded to the timeline by the user was recovered as shown in Figure 15(f). Deleted messages, with their content information (text, video, and audio), sender and receiver ids, and timestamps, are recovered as shown in Figure 15(g). Figure 15(h) shows that call history details were recovered from call_history.db after deletion; images and videos that were uploaded by the user to the timeline are also recovered after deletion.

5.3.3. Whisper

The Whisper app analyzed with XRY yielded the following artifacts for all cases. The detailed analysis is shown in Figure 16. Figure 16(a) shows c.db, which contains all the messages transmitted between the user and other users with their ids and timestamps. w.db contains the list of all those people who posted while the user was connected and the groups the user joined, as shown in Figure 16(b). Posts uploaded by the user are recovered as shown in Figure 16(c). Images sent by the user were recovered as shown in Figure 16(d). Figure 16(e) shows the cache folder containing the posts viewed by the user with timestamps. Deleted chats are recovered from c.db with the sender and receiver names and timestamps as shown in Figure 16(f). The deleted group's information was recovered. The images sent by the user and then deleted are recovered. A file named whisper is recovered after app uninstallation.

5.3.4. WeChat

The artifacts recovered from WeChat through XRY are stated below. The first analysis was done before data deletion. No message information was recovered, as all the databases are encrypted. The detailed analysis is shown in Figure 17. After the deletion of some data, no text messages were recovered, but uploaded images and videos were recovered. After app uninstallation, all the media files and their information were recovered, while the encrypted databases and cache files were not. The profile picture and the images and videos uploaded and shared through private chats are all recovered.

5.3.5. Wickr

No data could be recovered from Wickr except the metadata from the base.apk file. After app uninstallation, the location data/data contains the filename com.mywickr.wickr2 with the deleted status set to yes.

Detailed information on the artifacts recovered in the three scenarios is given in Table 5. The (✓) symbol indicates that the artifact is recovered by the tool, (●) indicates textual information only or audio/video that is not playable, and (▲) indicates partially recovered. Table 6 describes the artifacts recovered from the SNAs before data deletion, after data deletion, and after app uninstallation according to the categories proposed in Table 4. The details of the recovered artifacts and their locations are presented in Tables 7–13. Tables 7–9 state the artifacts recovered from the apps and their locations before any data is deleted. Similarly, Tables 10–12 show the artifact information recovered after data deletion and after app uninstallation from every app using all three tools.

6. Results Analysis and Tool Evaluation

This section presents an analysis and discussion on the output of forensic analysis of five SNAs. A comparison of tools on the basis of their capabilities is also presented.

6.1. Analysis of Apps
6.1.1. Instagram

During the investigation of the Android phone's internal storage for Instagram app data, many artifacts that can help an investigation were recovered. The database folder, which contains all the messages (text messages, video, audio, emojis, or links to online media) transferred to or from the user, is recovered unencrypted with date and time information. The posts uploaded to the account and the stories are also recovered with date/time information. The cache folder stores all the online activity of the user: every post, picture, story, or video seen by the user gets recorded in the cache folder. The shared preference folder contains an .xml file that stores the user's account information in plain text. The number of accounts logged into the app during a specific time period is recovered through their login nonces. The information stored in these files includes the live sessions attended, the last search made, etc. After messages and posts are deleted, the data is removed from the database, but some of the messages are recovered from the .db journal file. The posts have also been recovered after deletion. After the app is uninstalled, only the pictures that had been uploaded by the user are recovered. If the phone's cache is cleared, photos, videos, and Instagram stories cannot be recovered.
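The two observations about Instagram's chat store (in Section 5.2.1, that the database has to be saved and opened in a SQLite browser, and above, that deleted messages survive in the database and its journal file) can be reproduced on a constructed database. The Python example below is added here and is not the paper's code; it invents a chat table and sample messages, deletes rows, then carves the raw .db and -journal files for the deleted text, contrasting SQLite's usual default with PRAGMA secure_delete=ON, the setting that removes this residue.

```python
"""Residue of deleted rows in an app's SQLite store and its rollback journal.

Added example: the schema, file name, and messages are constructed for the
demo and are not taken from Instagram or from the paper.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample chat rows: (thread, sender, body, ts)
ROWS = [
    ("t1", "alice", "DELETED-1 see you at the pier at nine", 1600000001),
    ("t1", "bob", "KEPT-2 ok sounds good", 1600000002),
    ("t2", "carol", "DELETED-3 send me the photo again", 1600000003),
    ("t2", "alice", "KEPT-4 uploaded it just now", 1600000004),
]
DELETED = sorted(r[2] for r in ROWS if r[2].startswith("DELETED"))


def build_db(path, secure_delete, journal_mode):
    """Create a chat table, insert ROWS, delete the DELETED-* rows; return live count."""
    con = sqlite3.connect(path)
    # PERSIST keeps the rollback journal on disk after commit (header zeroed,
    # old page images left in place); DELETE, the default, unlinks it.
    con.execute("PRAGMA journal_mode=%s" % journal_mode)
    # With secure_delete OFF (the usual default) freed cell bytes are not zeroed.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, thread TEXT, "
                "sender TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages(thread, sender, body, ts) "
                    "VALUES (?, ?, ?, ?)", ROWS)
    con.commit()
    con.execute("DELETE FROM messages WHERE body LIKE 'DELETED%'")
    con.commit()
    live = con.execute("SELECT count(*) FROM messages").fetchone()[0]
    con.close()
    return live


def carve_strings(path, min_len=8):
    """Printable ASCII runs in a raw file, the way a strings/carving pass sees it."""
    if not os.path.exists(path):
        return []
    with open(path, "rb") as f:
        blob = f.read()
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def deleted_residue(db_path):
    """Deleted bodies still readable from the .db file and from its -journal."""
    result = {}
    for label, path in (("db", db_path), ("journal", db_path + "-journal")):
        runs = carve_strings(path)
        result[label] = [b for b in DELETED if any(b in r for r in runs)]
    return result


def run_case(secure_delete, journal_mode):
    """Return (live row count, residue dict, whether a -journal file is on disk)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "chat.db")
        live = build_db(db, secure_delete, journal_mode)
        return live, deleted_residue(db), os.path.exists(db + "-journal")


if __name__ == "__main__":
    for sd, jm in ((False, "PERSIST"), (True, "DELETE")):
        live, residue, journal = run_case(sd, jm)
        print("secure_delete=%s journal_mode=%s: %d live rows, journal on disk=%s"
              % (sd, jm, live, journal))
        print("  deleted text carved from db:      ", residue["db"])
        print("  deleted text carved from -journal:", residue["journal"])
```

The live row count is 2 in both cases; what differs is what a raw read of the files still yields.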

6.1.2. LINE

Different artifacts are recovered from the LINE app. The main focus of our research is on four folders stored in the local memory of the smartphone. By examining the internal memory of the smartphone, it was determined that the app stores artifacts at different locations within its app folder, and these artifacts reflect its activity. From the database folder, we can understand the DB schema and recover the critical information about LINE app activity. Note that the importance and the location of these artifacts can be examined during any criminal investigation. It was discovered that LINE manages the directories within its app folder itself, and stores the cache for transferred, downloaded, and uploaded files in the app cache. From the examination of the local memory and the app's databases, we can recover the information (messages/media transferred, cache copies) from the DB tables in plain text, with the exception of the password. All the contacts are recovered from the database folder even after deletion. The fact that app data is stored in different locations and in different forms can be of interest in a forensic investigation.

6.1.3. Whisper

A Whisper post is originally a message sent publicly by a user, and it includes the name of the sender, the message, the date/time when it was posted, the link to the image, the location, the likes (hearts) it received, and the replies to the post. The username is not a unique identifier in Whisper; the same username can be used by different users and can also be changed at any time by the user. The phone does not store the images of posts in the app, but these images are cached by the phone and stored on the device. Links to posts are also stored on the phone, but not all the images are available at these links. Post location information can also be determined on Android with the longitude and latitude of each post. The heart and reply counters keep track of the likes on a post. Whisper messages are sent or received privately by the user. All the messages, with timestamps, media type, and other-party information, are recovered even after the deletion of some messages or of the whole thread. As with Whisper posts, the username in Whisper messages is not a unique identifier, so it becomes difficult to confirm the exact identity of the other party. There is no way to confirm whether the message has been received or read by the other person. Whisper stores its information against the MAC address of the phone. No email id, password, or phone number is needed to register on the platform; however, an email registration option is present in newer versions of the app. The user only needs to install the app and can start posting and messaging; a username is assigned by the app. All the whispers can be seen, and with location turned on the user can see all the whispers posted by people near their location. If the user uninstalls the app and reinstalls it, the app recovers the user's own account and all the data and activity carried out on that account. But if the user uninstalls the app, restarts the phone, and reinstalls the app, the account is gone forever: the user is registered under another name and gets a new account.

6.1.4. WeChat

From the analysis of the phone's internal memory, it was revealed that WeChat [14] creates the directory Tencent [59] to store its data in the internal memory. The Tencent directory contains all the files, including databases, caches, and media information that has been shared or uploaded to the timeline by the user. WeChat [14] cares about privacy more than most social networking apps because of some critical features, i.e., payments. EnMicroMsg.db is an encrypted database within this directory; it is encrypted with SQLCipher [60]. All previous research on WeChat describes EnMicroMsg.db as containing the user's messaging information and describes the method to decrypt this database: a script [61] needs to be run with SQLCipher. That method is successful on previous Android versions. For WeChat version 6 or later running on Android version 6.0.x or higher, the database EnMicroMsg.db is not decrypted by the methods described in [61, 62]. Since lower versions of WeChat cannot be installed on Android versions higher than 5, the information within this database cannot be recovered. In [62], previous versions of WeChat were installed on Android 4.4.2 and decrypted successfully using the same methods described in [63, 64]. So, it was determined that the encryption in the latest version of WeChat on Android 6.0.1 or higher is different from the previous version, and it is not possible to recover data from it. An index file named FTS5IndexMicroMsg.db contains the contact information and plain text messages. Its Meta_messages table contains the unique ids of the user and the talker with a timestamp, and its message_content table contains the content of the messages. The main issue is that we cannot tell who sent which message to whom and when. This database is also encrypted in later versions of WeChat. Media that has been shared through messages and uploaded by the user to the timeline is recovered from the com.tencent/media/0/MicroMsg folder. It contains the jpeg images, mp4 videos, and audio files transferred during chats. After data deletion, these files are still stored at this location. The shared preference folder contains critical information, i.e., the username and the phone number through which the account was created. If the phone cache is cleared, it was discovered that the user is automatically logged out of the account and needs to log in again with the username and password.

6.1.5. Wickr

Wickr secures its internal information by encrypting the local storage. Wickr's sensitive information, i.e., id keys, account data, and messages, is stored in an encrypted storage container on the phone. This information in the storage container is decrypted only when the user is logged into the account and can then be used for any activity. When a user logs off, the container is encrypted again with Klds and expelled from persistent memory. Klds is stored in an encrypted form so that it can be recovered upon the next user login. The key used to encrypt and decrypt Klds is derived from the user's passphrase using a script [65]. A successful login in this scheme is equivalent to being able to decrypt Klds and thereby access the encrypted container material. Users who wish to remain persistently signed in to Wickr simply store the password-derived key in platform-provided secure storage. In this way, sensitive material is always encrypted when the Wickr application is not active [66]. The metadata about how and where the Wickr app stores its information was identified by exploring the base.apk file. By exploring the files within the .apk, it was determined that the information related to messages, with timestamps and media type, is stored in a database named wickr_db. The key with which wickr_db is encrypted is itself encrypted and stored on the phone. The database can be decrypted only if the user logs into the account with the username and password: these, together with a random number, decrypt the key, and the key decrypts the database. It was also discovered that the database is encrypted through SQLCipher by the SQL helper class present in the WickrDbAdapter.class file. Two files, sk.wic and ds.wic, are also encrypted. By analyzing the files in the .apk of the Wickr app, it was discovered that ds.wic contains Wickr's cache data and sk.wic contains the key of the database, which is also encrypted.

6.2. Tools Evaluation

Three tools are used in this research—Magnet AXIOM, Autopsy, and XRY. Magnet AXIOM and XRY have the capability to extract data from the smartphone and present the artifacts in a human-understandable format. Autopsy only analyzes an already-extracted image. The tools are evaluated on the basis of three factors:
(i) Number of artifacts recovered by the tool
(ii) NIST standard tool assessment document [19, 20]
(iii) Additional parameters

The result of this research can be used as recommendations to investigators to handle the cases associated with these apps. The overall ranking of tools according to digital artifacts recovery is presented in Table 14.

6.2.1. Number of Artifacts Recovered by a Tool

All three tools are analyzed on the basis of their capability to recover digital artifacts from the five SNAs. These numbers validate the performance of the tools. Details of the number of artifacts recovered from every app using these tools are shown in Table 13. The tools are ranked according to their capability to recover artifacts. The index number has been calculated according to the formula stated in (1) as follows: where is the percentage of useful extractions, is the number of recovered artifacts, and is the total number of artifacts.

The index number for every application is calculated according to equation (1). The Magnet AXIOM index is calculated by dividing the number of artifacts recovered () from all five applications through Magnet AXIOM by the total number of artifacts () sent, times 100; the resulting index is 76 percent. The indexes of Autopsy and XRY are calculated in the same way. Autopsy is ranked second as an image analysis tool with an index of 71.7 percent, and XRY is ranked third with an index of 65.7 percent.

6.2.2. NIST Standard Tool Assessment Document

NIST published an assessment plan to measure the performance of a tool [19, 20]. It is important to develop a method that can standardize a tool according to its capabilities. NIST releases factors and methods to calculate the performance of a forensic tool based on the outcomes of the assessment plan it conducts. In Table 15, the tools are compared against the core requirements, optional requirements, core assertions, and optional assertions for smartphone examination tools, where the (✓) symbol indicates that the tool supports the factor, (●) indicates partial support, (X) indicates no support, and (▲) indicates that the factor does not apply to a specific tool. According to the NIST parameters for smartphone examination tools, Magnet AXIOM fulfilled most of the requirements.

6.2.3. Additional Parameters

Finally, the performance of the tools is evaluated on the basis of some parameters that were defined during this research; tool performance capability can be judged by these parameters. These six parameters are
(i) Processing time
(ii) User friendliness
(iii) Compatibility
(iv) Artifacts recovery
(v) Keyword search option
(vi) Accuracy

Table 16 gives a detailed comparison of the tools according to these parameters, where the (✓) symbol indicates that the tool supports the factor, (●) indicates partial support, (X) indicates no support, and (▲) indicates not applicable for a specific tool. According to the combined results of the defined tool evaluation factors (number of artifacts a tool recovers, NIST parameters for smartphone analysis tools, and the additional parameters) and on the basis of overall performance, Magnet AXIOM is number one, followed by XRY and Autopsy.

7. Conclusions and Future Work

Various commercial and proprietary tools are available through which data acquisition and forensic analysis can be done. In this research, Magnet AXIOM and XRY are used to acquire data from five social networking apps in three different scenarios: before any data is deleted from the app, after some data is deleted, and after app uninstallation. The outcomes of the research show that a large number of artifacts of Instagram, LINE, Whisper, and WeChat are recovered from the smartphone's internal memory. Wickr, on the other hand, discloses very little information. Potential artifacts have been categorized so that they can be used to create a report. The tools are analyzed with respect to their capabilities, the NIST standards for smartphone analysis tools, and a few additional parameters defined during this study. The results of this analysis report that among the three tools, Magnet AXIOM is ranked no. 1 with an index no. of 76.0%, followed by Autopsy at 71.5% and XRY at rank 3 with an index of 65.5%. According to the NIST parameters for smartphone analysis tools and the additional parameters, on the basis of overall performance, Magnet AXIOM is number one, followed by XRY and Autopsy. In the future, new versions of Android smartphones can be analyzed for application forensics, as almost every 3 months a new version or software update is released for Android. This leaves a lot of room for further research on the apps on the latest version and for analyzing their security flaws. New apps like Omegle, Periscope, and Azar, which are becoming popular among teenagers, need some attention from forensic investigators. Every tool has some weaknesses, and for better and more accurate results, forensic investigators can use a combination of different tools in their investigations to get more reliable results by using the unique capability of each tool.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors of this paper are extremely thankful to the Department of Information Security, National University of Sciences and Technology (NUST), Islamabad, Pakistan, for its support in the research.