Abdullah Azfar,Kim-Kwang Raymond Choo,Lin Liu

DOI: https://doi.org/10.48550/arXiv.1505.02905

2015-05-12

Abstract:Mobile health applications (or mHealth apps, as they are commonly known) are increasingly popular with both individual end users and user groups such as physicians. Due to their ability to access, store and transmit personally identifiable and sensitive information (e.g. geolocation information and personal details), they are potentially an important source of evidentiary materials in digital investigations. In this paper, we examine 40 popular Android mHealth apps. Based on our findings, we propose a taxonomy incorporating artefacts of forensic interest to facilitate the timely collection and analysis of evidentiary materials from mobile devices involving the use of such apps. Artefacts of forensic interest recovered include user details and email addresses, chronology of user locations and food habits. We are also able to recover user credentials (e.g. user password and four-digit app login PIN number), locate user profile pictures and identify timestamp associated with the location of a user.

Computers and Society

Michael Fröwis,Thilo Gottschalk,Bernhard Haslhofer,Christian Rückert,Paulina Pesch

DOI: https://doi.org/10.1016/j.fsidi.2019.200902

2020-06-01

Abstract:Analyzing cryptocurrency payment flows has become a key forensic method in law enforcement and is nowadays used to investigate a wide spectrum of criminal activities. However, despite its widespread adoption, the evidential value of obtained findings in court is still largely unclear. In this paper, we focus on the key ingredients of modern cryptocurrency analytics techniques, which are clustering heuristics and attribution tags. We identify internationally accepted standards and rules for substantiating suspicions and providing evidence in court and project them onto current cryptocurrency forensics practices. By providing an empirical analysis of CoinJoin transactions, we illustrate possible sources of misinterpretation in algorithmic clustering heuristics. Eventually, we derive a set of legal key requirements and translate them into a technical data sharing framework that fosters compliance with existing legal and technical standards in the realm of cryptocurrency forensics. Integrating the proposed framework in modern cryptocurrency analytics tools could allow more efficient and effective investigations, while safeguarding the evidential value of the analysis and the fundamental rights of affected persons.

computer science, information systems, interdisciplinary applications

Nghi Hoang Khoa,Phan The Duy,Hien Do Hoang,Do Thi Thu Hien,Van-Hau Pham

DOI: https://doi.org/10.1109/rivf48685.2020.9140739

2020-10-01

Abstract:Emerging with highlight features as a global phenomenon, TikTok - the international version of Douyin application in China market, is a social media video app for creating and sharing short lip-syncing. This social video platform has seen astounding growth by reaching 1.5 billion users in 2019 by capturing the cultural zeitgeist among teenage smartphone owners in unprecedented fashion. However, criminals have been paid attention to this platform where young users become the target of abusers or predators. In this paper, we introduce the forensic analysis of the artifacts left on Android phones by TikTok application. In more detail, we indicate a complete description of all the artifacts obtained in TikTok. Furthermore, by using the results discussed in the paper, an investigator can rebuild the list of followers, searching keywords, favorites, messages that have been exchanged by users. It is helpful to examine and determine which artifacts could be considered as evidence for criminal investigation on popular social networking application.

Ben Martini,Quang Do,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00015-X

2015-06-18

Abstract:Using the evidence collection and analysis methodology for Android devices proposed by Martini, Do and Choo, we examined and analyzed seven popular Android cloud-based apps. Firstly, we analyzed each app in order to see what information could be obtained from their private app storage and SD card directories. We collated the information and used it to aid our investigation of each app database files and AccountManager data. To complete our understanding of the forensic artefacts stored by apps we analyzed, we performed further analysis on the apps to determine if the user authentication credentials could be collected for each app based on the information gained in the initial analysis stages. The contributions of this research include a detailed description of artefacts, which are of general forensic interest, for each app analyzed.

Computers and Society,Cryptography and Security

Wei Q. Yan,Jarrett Chambers

DOI: https://doi.org/10.1109/ISCAS.2013.6572507

2013-01-01

Circuits and Systems

Abstract:The banknote manufacturing industry is shrouded in secrecy, fundamental mechanics of security components are closely guarded trade secrets. Currency forensics is the application of systematic methods to determine authenticity of questioned currency. However, forensic analysis is a difficult task requiring specially trained examiners, the most important challenge is automating the analysis process reducing human error and time. In this study, an empirical approach for automated currency forensics is formulated and a prototype is developed. A two parts feature vector is defined comprised of color features and texture features. Finally the note in question is classified by a Feedforward Neural Network (FNN) and a measurement of the similarity between template and suspect note is output.

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00016-1

2015-06-07

Abstract:There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centres around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artefacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones.

Cryptography and Security

Tooska Dargahi,Ali Dehghantanha,Mauro Conti

DOI: https://doi.org/10.1016/B978-0-12-805303-4.00002-2

2017-09-16

Abstract:Voice over Internet Protocol (VoIP) applications (apps) provide convenient and low cost means for users to communicate and share information with each other in real-time. Day by day, the popularity of such apps is increasing, and people produce and share a huge amount of data, including their personal and sensitive information. This might lead to several privacy issues, such as revealing user contacts, private messages or personal photos. Therefore, having an up-to-date forensic understanding of these apps is necessary. This chapter presents analysis of forensically valuable remnants of three popular Mobile VoIP (mVoIP) apps on Google Play store, namely: Viber, Skype, and WhatsApp Messenger, in order to figure out to what extent these apps reveal forensically valuable information about the users activities. We performed a thorough investigative study of these three mVoIP apps on smartphone devices. Our experimental results show that several artefacts, such as messages, contact details, phone numbers, images, and video files, are recoverable from the smartphone device that is equipped with these mVoIP apps.

Cryptography and Security

Nishchal Soni,Manpreet Kaur,Vishwas Bhardwaj

DOI: https://doi.org/10.1016/j.fsidi.2024.301695

IF: 1.805

2024-02-08

Forensic Science International Digital Investigation

Abstract:This study delves into a forensic analysis of the AnyDesk Remote Access application, focusing prominently on disk forensic acquisitions. We aim to assess the security and privacy features of AnyDesk, uncovering insights vital for forensic investigators and potential adversaries. The recovery of artifacts from Android Mobile and Window-based PC devices, employing acquisition techniques, plays a pivotal role in forensic analysis. The study underscores the significance of log files, housing crucial details like user IDs, dates, transfer times, and file movements. Manual scrutiny of the extracted data establishes user connections and reveals user-centric information, encompassing wallpapers, chat logs, AnyDesk-IDs, and transferred files. As the data lacks encryption, artifacts are easily comprehensible and interlinked. AnyDesk-related files, including session recordings, media files, and documents, undergo successful extraction via forensic methods. Root permissions on the Android phone emerge as a critical asset, facilitating the identification of more reliable and concealed data. In contrast, on the PC, all files related to AnyDesk were identified through a combination of automatic and manual examination. In essence, this study provides profound insights into AnyDesk's security and privacy features, underscored by the instrumental role of forensic acquisitions in pinpointing and extracting pertinent data.

computer science, information systems, interdisciplinary applications

Muhammad Faheem,M-Tahar Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1611.09566

2016-11-29

Cryptography and Security

Abstract:Smartphones have become popular in recent days due to the accessibility of a wide range of applications. These sophisticated applications demand more computing resources in a resource constraint smartphone. Cloud computing is the motivating factor for the progress of these applications. The emerging mobile cloud computing introduces a new architecture to offload smartphone and utilize cloud computing technology to solve resource requirements. The popularity of mobile cloud computing is an opportunity for misuse and unlawful activities. Therefore, it is a challenging platform for digital forensic investigations due to the non-availability of methodologies, tools and techniques. The aim of this work is to analyze the forensic tools and methodologies for crime investigation in a mobile cloud platform as it poses challenges in proving the evidence. The advancement of forensic tools and methodologies are much slower than the current technology development in mobile cloud computing. Thus, forces the available tools, and techniques become increasingly obsolete. Therefore, it opens up the door for the new forensic tools and techniques to cope up with recent developments. Hence, this work presents a detailed survey of forensic methodology and corresponding issues in a mobile device, cloud environment, and mobile cloud applications. It mainly focuses on digital forensic issues related to mobile cloud applications and also analyze the scope, challenges and opportunities. Finally, this work reviewed the forensic procedures of two cloud storage services used for mobile cloud applications such as Dropbox and SkyDrive.

Min-Hao Wu,Ting-Cheng Chang,Yi Li-Min

DOI: https://doi.org/10.13052/jwe1540-9589.20310

2021-06-09

Journal of Web Engineering

Abstract:With the rapid development of the Internet era, cell phones play an essential and indispensable role in nowadays life. Smartphones have profoundly influenced our social relationships and our daily lives. Generally speaking, the most common tools we hear about in our daily lives are QQ, WeChat, and other Internet communication services that allow users to send text messages, pictures, and documents, providing a more convenient and faster medium for people to communicate and chat. The popularity and convenience of mobile technology have changed people’s habits of communication. People no longer need to rely on computers to communicate, and computers cannot communicate anytime and anywhere. In the kernel of Linux and Windows, as long as the Message Hooker will install, it can monitor the messages of other programs, including WeChat and QQ, in this research. We can provide relevant law enforcement officers with effective evidence collection so that criminals will not be able to hide. The suspects often delete their WeChat or QQ records after committing the crime. It impossible for our law enforcement agencies to obtain evidence directly from the cell phone and the crime facts. Our research hopes to use some technology to help law enforcement units effectively obtain strong evidence in the iPhone not to hide the crime facts.

computer science, theory & methods, software engineering

Rob Witteman,Arjen Meijer,M-T. Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1609.02953

2016-09-09

Cryptography and Security

Abstract:Today, a mobile phone is not just a phone but it is a computer that you can also use for calling someone. Besides, in criminal investigations the importance of evidence from the mobile phone is increasing as more and more phones are seized at the Digital Forensic Department of the police. Indeed, the amount of memory cards of these mobile phones that need to be investigated separately is also increasing. Possible reasons are that the mobile phone investigation software does not support the specific mobile phone or the specific, for that investigation, artefacts. Sometimes the software investigates just the internal memory of the mobile phone and not the data which is written on the memory card. Fact is also that although the mobile phone was investigated by the dedicated software, the possibility that the associated memory card contains additional important information is evident. The current procedure to get all of the usable information from a memory card of a mobile phone is very time-consuming process and not user friendly. In this paper, we present a new single tool to simplify the investigation of a memory card from a mobile phone. We also test our tool with WhatsApp application installed on the memory card from different mobile phones.

George Grispos,William Bradley Glisson,Peter Cooper

DOI: https://doi.org/10.48550/arXiv.1901.03724

2019-01-11

Cryptography and Security

Abstract:The integration of medical devices in everyday life prompts the idea that these devices will increasingly have evidential value in civil and criminal proceedings. However, the investigation of these devices presents new challenges for the digital forensics community. Previous research has shown that mobile devices provide investigators with a wealth of information. Hence, mobile devices that are used within medical environments potentially provide an avenue for investigating and analyzing digital evidence from such devices. The research contribution of this paper is twofold. First, it provides an empirical analysis of the viability of using information from smartphone applications developed to complement a medical device, as digital evidence. Second, it includes documentation on the artifacts that are potentially useful in a digital forensics investigation of smartphone applications that interact with medical devices.

Muhammad Faraz Hyder,Saadia Arshad,Tasbiha Fatima

DOI: https://doi.org/10.1002/cpe.8074

2024-03-08

Concurrency and Computation Practice and Experience

Abstract:Summary Social media usage in mobile phones has increased substantially in recent times, and they are a critically important source of a forensics investigation. In this paper, we have developed Python‐based forensic analyzers that are integrated with the open‐source tool Autopsy. The proposed analyzers find forensic artifacts from the three most widely used social media messaging applications, that is, WhatsApp, Instagram, and Facebook Messenger. This research focuses on finding forensic artifacts stored by these social media applications on an iOS device. These analyzers extract data critical for a forensic investigation such as text messages, media attachments, sender and receiver details, timestamps, contact information, and other related forensics data from the full file system image of iOS devices. These Python‐based plugins extract the required data from the social media applications' databases and present the evidential artifacts in a human‐readable format. We integrated these analyzers into the Autopsy Forensics tool and showcased the gathered evidence so that investigators are capable to analyze the extracted information effortlessly. The data integrity is maintained by converting it into readable form without permanently altering the database format. The results prove that the proposed analyzers can successfully extract and analyze forensics data at a low computational overhead.

computer science, theory & methods, software engineering

Jennifer Newman,Li Lin,Wenhao Chen,Stephanie Reinders,Yangxiao Wang,Min Wu,Yong Guan

DOI: https://doi.org/10.48550/arXiv.1904.09360

2019-04-20

Abstract:In this paper, we present a new reference dataset simulating digital evidence for image steganography. Steganography detection is a digital image forensic topic that is relatively unknown in practical forensics, although stego app use in the wild is on the rise. This paper introduces the first database consisting of mobile phone photographs and stego images produced from mobile stego apps, including a rich set of side information, offering simulated digital evidence. StegoAppDB, a steganography apps forensics image database, contains over 810,000 innocent and stego images using a minimum of 10 different phone models from 24 distinct devices, with detailed provenanced data comprising a wide range of ISO and exposure settings, EXIF data, message information, embedding rates, etc. We develop a camera app, Cameraw, specifically for data acquisition, with multiple images per scene, saving simultaneously in both DNG and high-quality JPEG formats. Stego images are created from these original images using selected mobile stego apps through a careful process of reverse engineering. StegoAppDB contains cover-stego image pairs including for apps that resize the stego dimensions. We retainthe original devices and continue to enlarge the database, and encourage the image forensics community to use StegoAppDB. While designed for steganography, we discuss uses of this publicly available database to other digital image forensic topics.

Image and Video Processing,Multimedia

Vincent F. Taylor,Riccardo Spolaor,Mauro Conti,Ivan Martinovic

DOI: https://doi.org/10.1109/tifs.2017.2737970

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The apps installed on a smartphone can reveal much information about a user, such as their medical conditions, sexual orientation, or religious beliefs. In addition, the presence or absence of particular apps on a smartphone can inform an adversary, who is intent on attacking the device. In this paper, we show that a passive eavesdropper can feasibly identify smartphone apps by fingerprinting the network traffic that they send. Although SSL/TLS hides the payload of packets, side-channel data, such as packet size and direction is still leaked from encrypted connections. We use machine learning techniques to identify smartphone apps from this side-channel data. In addition to merely fingerprinting and identifying smartphone apps, we investigate how app fingerprints change over time, across devices, and across different versions of apps. In addition, we introduce strategies that enable our app classification system to identify and mitigate the effect of ambiguous traffic, i.e., traffic in common among apps, such as advertisement traffic. We fully implemented a framework to fingerprint apps and ran a thorough set of experiments to assess its performance. We fingerprinted 110 of the most popular apps in the Google Play Store and were able to identify them six months later with up to 96% accuracy. Additionally, we show that app fingerprints persist to varying extents across devices and app versions.

computer science, theory & methods,engineering, electrical & electronic

Raffaele Cuomo,Davide D'Agostino,Mario Ianulardo

DOI: https://doi.org/10.3390/s22187096

2022-09-19

Abstract:This paper presents several scenarios where digital evidence can be collected from mobile devices, their legal value keeping untouched. The paper describes a robust methodology for mobile forensics developed through on-field experiences directly gained by the authors over the last 10 years and many real court cases. The results show that mobile forensics, digital analysis of smartphone Android or iOS can be obtained in two ways: on the one hand, data extraction must follow the best practice of the repeatability procedure; on the other hand, the extraction of the data must follow the best practice of the non-repeatability procedure. The laboratory study of the two methods for extracting digital data from mobile phones, for use as evidence in court trials, has shown that the same evidence can be obtained even when the procedure of unavailability of file mining activities has been adopted. Indeed, thanks to laboratory tests, the existence of multiple files frequently and continuously subjected to changes generated by the presence of several hashes found at forensic extractions conducted in very short moments of time (sometimes not exceeding 15 min) has been proven. If, on the other hand, the examination of a device is entrusted to a judicial police officer in order to conduct a forensic analysis to acquire data produced and managed by the user (such as images, audio, video, documents, SMS, MMS, chat conversations, address book content, etc.) we have sufficient grounds to believe that such examination can be organized according to the system of repeatable technical assessments.

Julian Geus,Jenny Ottmann,Felix Freiling

2024-04-19

Abstract:Due to the increasing security standards of modern smartphones, forensic data acquisition from such devices is a growing challenge. One rather generic way to access data on smartphones in practice is to use the local backup mechanism offered by the mobile operating systems. We study the suitability of such mechanisms for forensic data acquisition by performing a thorough evaluation of iOS's and Android's local backup mechanisms on two mobile devices. Based on a systematic and generic evaluation procedure comparing the contents of local backup to the original storage, we show that in our exemplary practical evaluations, in most cases (but not all) local backup actually yields a correct copy of the original data from storage. Our study also highlights corner cases, such as database files with pending changes, that need to be considered when assessing the integrity and authenticity of evidence acquired through local backup.

Cryptography and Security

Khushi Gupta,Phani Lanka,Cihan Varol

DOI: https://doi.org/10.1111/1556-4029.15548

2024-05-30

Journal of Forensic Sciences

Abstract:In the last decade, the market share and user base of social media applications have witnessed significant growth. However, this surge in popularity has inadvertently drawn the attention of criminals aiming to exploit these platforms for illicit activities. The forensic examination of these applications emerges as a pivotal avenue for uncovering valuable insights into criminal behavior and identifying suspects. Discord, a social media platform, has become a significant focal point for such illicit activities. In this paper, we examine the remnants of Discord on both Windows and Linux operating systems, employing storage, memory, and network analysis techniques to review the remnants of Discord. Our investigation reveals a range of crucial artifacts that have been successfully recovered across all three areas of analysis, including login and payment details, chat history, account information, and much more. Collectively, these artifacts constitute a valuable resource for forensic investigations, allowing the reconstruction of most of the user's activity.

medicine, legal

Soojin Kang,Giyoon Kim,Uk Hur,Jongsung Kim

DOI: https://doi.org/10.3390/electronics13071325

IF: 2.9

2024-04-02

Electronics

Abstract:This study focuses on digital forensic investigations of the databases used in an instant messenger application. Instant messengers store and manage user data in databases, which can be encrypted for privacy protection. We proposed a method to identify and decrypt an SQLite version 3.40.0 database encrypted using wxSQLite3 version 4.9.1, and then we examined the LINE instant messenger application to validate the proposed method. As a result, we successfully acquired the wxSQLite3 passphrase, which was used to decrypt the database of the LINE messenger application. We also performed artifact analysis to enumerate the data from a digital forensics perspective. To the best of our knowledge, this study is the first to propose a method to identify and decrypt of wxSQLite3-encrypted database and its applications.

engineering, electrical & electronic,computer science, information systems,physics, applied

Farkhund Iqbal,Aasia Jaffri,Zainab Khalid,Aine MacDermott,Qazi Ejaz Ali,Patrick C. K. Hung

DOI: https://doi.org/10.3389/frcmn.2023.1212743

2023-07-26

Frontiers in Communications and Networks

Abstract:Small-scale digital devices like smartphones, smart toys, drones, gaming consoles, tablets, and other personal data assistants have now become ingrained constituents in our daily lives. These devices store massive amounts of data related to individual traits of users, their routine operations, medical histories, and financial information. At the same time, with continuously evolving technology, the diversity in operating systems, client storage localities, remote/cloud storages and backups, and encryption practices renders the forensic analysis task multi-faceted. This makes forensic investigators having to deal with an array of novel challenges. This study reviews the forensic frameworks and procedures used in investigating small-scale digital devices. While highlighting the challenges faced by digital forensics, we explore how cutting-edge technologies like Blockchain, Artificial Intelligence, Machine Learning, and Data Science may play a role in remedying concerns. The review aims to accumulate state-of-the-art and identify a futuristic approach for investigating SSDDs.