Zainab Khalid,Farkhund Iqbal,Faouzi Kamoun,Liaqat Ali Khan,Babar Shah

DOI: https://doi.org/10.1007/s12243-022-00919-6

Abstract:Digital forensic analysis of videoconferencing applications has received considerable attention recently, owing to the wider adoption and diffusion of such applications following the recent COVID-19 pandemic. In this contribution, we present a detailed forensic analysis of Cisco WebEx which is among the top three videoconferencing applications available today. More precisely, we present the results of the forensic investigation of Cisco WebEx desktop client, web, and Android smartphone applications. We focus on three digital forensic areas, namely memory, disk space, and network forensics. From the extracted artifacts, it is evident that valuable user data can be retrieved from different data localities. These include user credentials, emails, user IDs, profile photos, chat messages, shared media, meeting information including meeting passwords, contacts, Advanced Encryption Standard (AES) keys, keyword searches, timestamps, and call logs. We develop a memory parsing tool for Cisco WebEx based on the extracted artifacts. Additionally, we identify anti-forensic artifacts such as deleted chat messages. Although network communications are encrypted, we successfully retrieve useful artifacts such as IPs of server domains and host devices along with message/event timestamps.

Muhammad Faraz Hyder,Saadia Arshad,Tasbiha Fatima

DOI: https://doi.org/10.1002/cpe.8074

2024-03-08

Concurrency and Computation Practice and Experience

Abstract:Summary Social media usage in mobile phones has increased substantially in recent times, and they are a critically important source of a forensics investigation. In this paper, we have developed Python‐based forensic analyzers that are integrated with the open‐source tool Autopsy. The proposed analyzers find forensic artifacts from the three most widely used social media messaging applications, that is, WhatsApp, Instagram, and Facebook Messenger. This research focuses on finding forensic artifacts stored by these social media applications on an iOS device. These analyzers extract data critical for a forensic investigation such as text messages, media attachments, sender and receiver details, timestamps, contact information, and other related forensics data from the full file system image of iOS devices. These Python‐based plugins extract the required data from the social media applications' databases and present the evidential artifacts in a human‐readable format. We integrated these analyzers into the Autopsy Forensics tool and showcased the gathered evidence so that investigators are capable to analyze the extracted information effortlessly. The data integrity is maintained by converting it into readable form without permanently altering the database format. The results prove that the proposed analyzers can successfully extract and analyze forensics data at a low computational overhead.

computer science, theory & methods, software engineering

Muhammad Faheem,M-Tahar Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1611.09566

2016-11-29

Cryptography and Security

Abstract:Smartphones have become popular in recent days due to the accessibility of a wide range of applications. These sophisticated applications demand more computing resources in a resource constraint smartphone. Cloud computing is the motivating factor for the progress of these applications. The emerging mobile cloud computing introduces a new architecture to offload smartphone and utilize cloud computing technology to solve resource requirements. The popularity of mobile cloud computing is an opportunity for misuse and unlawful activities. Therefore, it is a challenging platform for digital forensic investigations due to the non-availability of methodologies, tools and techniques. The aim of this work is to analyze the forensic tools and methodologies for crime investigation in a mobile cloud platform as it poses challenges in proving the evidence. The advancement of forensic tools and methodologies are much slower than the current technology development in mobile cloud computing. Thus, forces the available tools, and techniques become increasingly obsolete. Therefore, it opens up the door for the new forensic tools and techniques to cope up with recent developments. Hence, this work presents a detailed survey of forensic methodology and corresponding issues in a mobile device, cloud environment, and mobile cloud applications. It mainly focuses on digital forensic issues related to mobile cloud applications and also analyze the scope, challenges and opportunities. Finally, this work reviewed the forensic procedures of two cloud storage services used for mobile cloud applications such as Dropbox and SkyDrive.

Gilbert Gilibrays Ocen,Ocident Bongomin,Gilbert Barasa Mugeni,Mutua Stephen Makau,Twaibu Semwogerere

DOI: https://doi.org/10.48550/arXiv.2203.13258

2022-03-24

Abstract:The increasing need for the examination of evidence from mobile and portable gadgets increases the essential need to establish dependable measures for the investigation of these gadgets. Many differences exist while detailing the requirement for the examination of each gadget, to help detectives and examiners in guaranteeing that of any kind piece of evidence extracted/ collected from any mobile devices is well documented and the outcomes can be repeatable, a reliable and well-documented investigation process must be implemented if the results of the examination are to be repeatable and defensible in courts of law. In this paper we developed a generic process flow model for the extraction of digital evidence in mobile devices running on android, Windows, iOs and Blackberry operating system. The research adopted survey approach and extensive literature review a s means to collect data. The models developed were validate through expert opinion. Results of this work can guide solution developers in ensuring standardization of evidence extraction tools for mobile devices.

Cryptography and Security

Min-Hao Wu,Ting-Cheng Chang,Yi Li-Min

DOI: https://doi.org/10.13052/jwe1540-9589.20310

2021-06-09

Journal of Web Engineering

Abstract:With the rapid development of the Internet era, cell phones play an essential and indispensable role in nowadays life. Smartphones have profoundly influenced our social relationships and our daily lives. Generally speaking, the most common tools we hear about in our daily lives are QQ, WeChat, and other Internet communication services that allow users to send text messages, pictures, and documents, providing a more convenient and faster medium for people to communicate and chat. The popularity and convenience of mobile technology have changed people’s habits of communication. People no longer need to rely on computers to communicate, and computers cannot communicate anytime and anywhere. In the kernel of Linux and Windows, as long as the Message Hooker will install, it can monitor the messages of other programs, including WeChat and QQ, in this research. We can provide relevant law enforcement officers with effective evidence collection so that criminals will not be able to hide. The suspects often delete their WeChat or QQ records after committing the crime. It impossible for our law enforcement agencies to obtain evidence directly from the cell phone and the crime facts. Our research hopes to use some technology to help law enforcement units effectively obtain strong evidence in the iPhone not to hide the crime facts.

computer science, theory & methods, software engineering

Nishchal Soni,Manpreet Kaur,Vishwas Bhardwaj

DOI: https://doi.org/10.1016/j.fsidi.2024.301695

IF: 1.805

2024-02-08

Forensic Science International Digital Investigation

Abstract:This study delves into a forensic analysis of the AnyDesk Remote Access application, focusing prominently on disk forensic acquisitions. We aim to assess the security and privacy features of AnyDesk, uncovering insights vital for forensic investigators and potential adversaries. The recovery of artifacts from Android Mobile and Window-based PC devices, employing acquisition techniques, plays a pivotal role in forensic analysis. The study underscores the significance of log files, housing crucial details like user IDs, dates, transfer times, and file movements. Manual scrutiny of the extracted data establishes user connections and reveals user-centric information, encompassing wallpapers, chat logs, AnyDesk-IDs, and transferred files. As the data lacks encryption, artifacts are easily comprehensible and interlinked. AnyDesk-related files, including session recordings, media files, and documents, undergo successful extraction via forensic methods. Root permissions on the Android phone emerge as a critical asset, facilitating the identification of more reliable and concealed data. In contrast, on the PC, all files related to AnyDesk were identified through a combination of automatic and manual examination. In essence, this study provides profound insights into AnyDesk's security and privacy features, underscored by the instrumental role of forensic acquisitions in pinpointing and extracting pertinent data.

computer science, information systems, interdisciplinary applications

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00016-1

2015-06-07

Abstract:There is a growing demand for cloud storage services such as Dropbox, Box, Syncplicity and SugarSync. These public cloud storage services can store gigabytes of corporate and personal data in remote data centres around the world, which can then be synchronized to multiple devices. This creates an environment which is potentially conducive to security incidents, data breaches and other malicious activities. The forensic investigation of public cloud environments presents a number of new challenges for the digital forensics community. However, it is anticipated that end-devices such as smartphones, will retain data from these cloud storage services. This research investigates how forensic tools that are currently available to practitioners can be used to provide a practical solution for the problems related to investigating cloud storage environments. The research contribution is threefold. First, the findings from this research support the idea that end-devices which have been used to access cloud storage services can be used to provide a partial view of the evidence stored in the cloud service. Second, the research provides a comparison of the number of files which can be recovered from different versions of cloud storage applications. In doing so, it also supports the idea that amalgamating the files recovered from more than one device can result in the recovery of a more complete dataset. Third, the chapter contributes to the documentation and evidentiary discussion of the artefacts created from specific cloud storage applications and different versions of these applications on iOS and Android smartphones.

Cryptography and Security

Khushi Gupta,Phani Lanka,Cihan Varol

DOI: https://doi.org/10.1111/1556-4029.15548

2024-05-30

Journal of Forensic Sciences

Abstract:In the last decade, the market share and user base of social media applications have witnessed significant growth. However, this surge in popularity has inadvertently drawn the attention of criminals aiming to exploit these platforms for illicit activities. The forensic examination of these applications emerges as a pivotal avenue for uncovering valuable insights into criminal behavior and identifying suspects. Discord, a social media platform, has become a significant focal point for such illicit activities. In this paper, we examine the remnants of Discord on both Windows and Linux operating systems, employing storage, memory, and network analysis techniques to review the remnants of Discord. Our investigation reveals a range of crucial artifacts that have been successfully recovered across all three areas of analysis, including login and payment details, chat history, account information, and much more. Collectively, these artifacts constitute a valuable resource for forensic investigations, allowing the reconstruction of most of the user's activity.

medicine, legal

Xabiel G. Pañeda,David Melendi,Víctor Corcoba,Alejandro G. Pañeda,Roberto García,Dan García

DOI: https://doi.org/10.3390/electronics13081429

IF: 2.9

2024-04-11

Electronics

Abstract:The use of remote desktop applications has increased greatly in recent years, mainly because of the generalization of telecommuting due to the COVID-19 pandemic. This process has been carried out in a very controlled manner in some companies, but in other organizations it has been introduced in a more anarchic way. The direct use of on-premises company computers and resources from the internet without the necessary protection mechanisms, including VPNs, has increased the risk of data exfiltration. Apart from other types of data exfiltration, there are cases in which employees transfer files using encrypted communications, consciously or unconsciously, producing a leak of information undetected by data loss prevention systems. In this paper we analyse the question of whether a forensic investigation may answer questions about data exfiltrations; questions such as those regarding the when, what and who (or to whom) and the use of application logs and other available tools. The answers to these questions may form the basis of solid digital evidence for legal purposes, though they may only deliver a partial response to said questions. Other complementary sources are necessary to build a complete answer and accurate digital evidence. Nevertheless, we have identified and analysed several use cases that may help to raise an early alarm that can offer warning about certain behaviours in encrypted traffic that may be detected via network monitoring.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiaodong Lin,Ting Chen,Tong Zhu,Kun Yang,Fengguo Wei

DOI: https://doi.org/10.1016/j.diin.2018.04.012

2018-01-01

Digital Investigation

Abstract:It is not uncommon that mobile phones are involved in criminal activities, e.g., the surreptitious collection of credit card information. Forensic analysis of mobile applications plays a crucial part in order to gather evidences against criminals. However, traditional forensic approaches, which are based on manual investigation, are not scalable to the large number of mobile applications. On the other hand, dynamic analysis is hard to automate due to the burden of setting up the proper runtime environment to accommodate OS differences and dependent libraries and activate all feasible program paths. We propose a fully automated tool, Fordroid for the forensic analysis of mobile applications on Android. Fordroid conducts inter-component static analysis on Android APKs and builds control flow and data dependency graphs. Furthermore, Fordroid identifies what and where information written in local storage with taint analysis. Data is located by traversing the graphs. This addresses several technique challenges, which include inter-component string propagation, string operations (e.g., append) and API invocations. Also, Fordroid identifies how the information is stored by parsing SQL commands, i.e., the structure of database tables. Finally, we selected 100 random Android applications consisting of 2841 components from four categories for evaluation. Analysis of all apps took 64 h. Fordroid discovered 469 paths in 36 applications that wrote sensitive information (e.g., GPS) to local storage. Furthermore, Fordroid successfully located where the information was written for 458 (98%) paths and identified the structure of all (22) database tables.

Xuejiao Wan,Jingsha He,Gongzheng Liu,Na Huang,Xingye Zhu,Bin Zhao,Yonghao Mai

DOI: https://doi.org/10.4018/ijdcf.2015010101

2015-01-01

International Journal of Digital Crime and Forensics

Abstract:During the rapid development of mobile wireless technologies and applications, the Android operating system, due to its open-source characteristics, has become the most popular development platform in the smartphone market. Meanwhile, as Android-based intelligent mobiles devices experience a rapid increase in numbers, high-tech crimes involving such devices have become more versatile, affecting an ever increasing amount of data, thus making digital evidence an indispensable part of the evidence that needs to be seriously dealt with during crime investigations. Consequently, understanding the internal structure of Android and the various data operations in the file systems becomes necessary in Android-based digital forensics. In this paper, we survey the state-of-the-art of technologies in Android-based digital forensics and some popular tools in the aspects of data recovery and acquisition, file system analysis and data analysis. We also discuss some technical challenges and point out future research directions in Android-based digital forensics.

Hai-Cheng Chu,Gai-Ge Wang,Der-Jiunn Deng

DOI: https://doi.org/10.1002/sec.1729

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Digital forensics-related investigations have been a relative competitive research area by the computer specialists or law enforcement agency officers to confirm or refuse the assumptions with respect to the cybercrime scenes. WeChat is one of the most popular instant messaging application programs in contemporary age. While applying WeChat, there is precious information deposited in the computing devices that could be supportive evidences in a court of law. Hence, this research is focusing on the application of WeChat on the desktop PC under Windows 7 by means of the acquisition of volatile digital evidences in order to provide supporting information for some cybercrime cases. This paper provides generic investigation methods conducting forensic sound analysis on WeChat from the aspect of data volatility of the computing devices. By means of the proposed methodologies, the digital forensics specialists should be able to gather critical digital traces to confirm the previous actions of a WeChat user or even to reconstruct the crime scene to prove the suspect is guilty or innocent in a court of law. Copyright (C) 2017 John Wiley & Sons, Ltd.

Zlatan Morić,Vedran Dakić,Ana Kapulica,Damir Regvart

DOI: https://doi.org/10.3390/electronics13224546

IF: 2.9

2024-11-27

Electronics

Abstract:This article delves into Microsoft Azure's cyber forensic capabilities, focusing on the unique challenges in cloud security incident investigation. Cloud services are growing in popularity, and Azure's shared responsibility model, multi-tenant nature, and dynamically scalable resources offer unique advantages and complexities for digital forensics. These factors complicate forensic evidence collection, preservation, and analysis. Data collection, logging, and virtual machine analysis are covered, considering physical infrastructure restrictions and cloud data transience. It evaluates Azure-native and third-party forensic tools and recommends methods that ensure effective investigations while adhering to legal and regulatory standards. It also describes how AI and machine learning automate data analysis in forensic investigations, improving speed and accuracy. This integration advances cyber forensic methods and sets new standards for future innovations. Unified Audit Logs (UALs) in Azure are examined, focusing on how Azure Data Explorer and Kusto Query Language (KQL) can effectively parse and query large datasets and unstructured data to detect sophisticated cyber threats. The findings provide a framework for other organizations to improve forensic analysis, advancing cloud cyber forensics while bridging theoretical practices and practical applications, enhancing organizations' ability to combat increasingly sophisticated cybercrime.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jason Bays,Umit Karabiyik

DOI: https://doi.org/10.48550/arXiv.1907.00074

2019-06-29

Abstract:Location sharing applications are becoming increasingly common. These applications allow users to share their own locations and view contacts' current locations on a map. Location applications are commonly used by friends and family members to view Global Positioning System (GPS) location of an individual, but valuable forensic evidence may exist in this data when stored locally on smartphones. This paper aims to discover forensic artifacts from two popular third-party location sharing applications on iOS and Android devices. Industry standard mobile forensic suites are utilized to discover if any locally stored data could be used to assist investigations reliant on knowing the past location of a suspect. Security issues raised regarding the artifacts found during our analysis is also discussed.

Cryptography and Security

Raffaele Cuomo,Davide D'Agostino,Mario Ianulardo

DOI: https://doi.org/10.3390/s22187096

2022-09-19

Abstract:This paper presents several scenarios where digital evidence can be collected from mobile devices, their legal value keeping untouched. The paper describes a robust methodology for mobile forensics developed through on-field experiences directly gained by the authors over the last 10 years and many real court cases. The results show that mobile forensics, digital analysis of smartphone Android or iOS can be obtained in two ways: on the one hand, data extraction must follow the best practice of the repeatability procedure; on the other hand, the extraction of the data must follow the best practice of the non-repeatability procedure. The laboratory study of the two methods for extracting digital data from mobile phones, for use as evidence in court trials, has shown that the same evidence can be obtained even when the procedure of unavailability of file mining activities has been adopted. Indeed, thanks to laboratory tests, the existence of multiple files frequently and continuously subjected to changes generated by the presence of several hashes found at forensic extractions conducted in very short moments of time (sometimes not exceeding 15 min) has been proven. If, on the other hand, the examination of a device is entrusted to a judicial police officer in order to conduct a forensic analysis to acquire data produced and managed by the user (such as images, audio, video, documents, SMS, MMS, chat conversations, address book content, etc.) we have sufficient grounds to believe that such examination can be organized according to the system of repeatable technical assessments.

SeyedHossein Mohtasebi,Ali Dehghantanha,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.48550/arXiv.1706.08042

2017-06-25

Abstract:STorage as a Service (STaaS) cloud platforms benefits such as getting access to data anywhere, anytime, on a wide range of devices made them very popular among businesses and individuals. As such forensics investigators are increasingly facing cases that involve investigation of STaaS platforms. Therefore, it is essential for cyber investigators to know how to collect, preserve, and analyse evidences of these platforms. In this paper, we describe investigation of three STaaS platforms namely SpiderOak, JustCloud, and pCloud on Windows 8.1 and iOS 8.1.1 devices. Moreover, possible changes on uploaded and downloaded files metadata on these platforms would be tracked and their forensics value would be investigated.

Cryptography and Security

Shiwen Song,Xuanyu Liu,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom46510.2021.9685748

2021-01-01

Abstract:With the widespread use of Android devices, research on their security has attracted increasing attention. However, at present, digital forensics for investigating attacks, such as social engineering attacks and phishing that target Android users, remains a challenging and time-consuming task. To help discover the existence of an attack and conduct effective investigations, we propose a top-down digital forensic tool for Android applications to reconstruct attack scenarios by considering both high-level user interface (UI) elements and low-level system events. Thus, we can explain the nature of an attack from a visual and global perspective. The tested evaluation results show that our tool can successfully reconstruct scenarios on Android devices for phishing attacks.

Farkhund Iqbal,Joseph Williams,Áine MacDermott,Kellyann Stamp

DOI: https://doi.org/10.1109/SPW53761.2021.00052

2021-05-01

Abstract:Fitbit Versa is the most popular of its predecessors and successors in the Fitbit faction. Increasingly data stored on these smart fitness devices, their linked applications and cloud datacenters are being used for criminal convictions. There is limited research for investigators on wearable devices and specifically exploring evidence identification and methods of extraction. In this paper we present our analysis of Fitbit Versa using Cellebrite UFED and MSAB XRY. We present a clear scope for investigation and data significance based on the findings from our experiments. The data recovery will include logical and physical extractions using devices running Android 9 and iOS 12, comparing between Cellebrite and XRY capabilities. This paper discusses databases and datatypes that can be recovered using different extraction and analysis techniques, providing a robust outlook of data availability. We also discuss the accuracy of recorded data compared to planned test instances, verifying the accuracy of individual data types. The verifiable accuracy of some datatypes could prove useful if such data was required during the evidentiary processes of a forensic investigation.

Computer Science,Law

Teing Yee Yang,Ali Dehghantanha,Kim-Kwang Raymond Choo,Zaiton Muda

DOI: https://doi.org/10.48550/arXiv.1706.08879

2017-06-25

Cryptography and Security

Abstract:Instant messaging applications (apps) are one potential source of evidence in a criminal investigation or a civil litigation. To ensure the most effective collection of evidence, it is vital for forensic practitioners to possess an up-to-date knowledge about artefacts of forensic interest from various instant messaging apps. Hence, in this chapter, we study America Online Instant Messenger (version 7.14.5.8) with the aims of contributing to an in-depth understanding of the types of terrestrial artefacts that are likely to remain after the use of instant messaging services and app on Windows 8.1 devices. Potential artefacts identified during the research include data relating to the installation or uninstallation, log-in and log-off information, contact lists, conversations, and transferred files.

Juanru Li,Dawu Gu,Yuhao Luo

DOI: https://doi.org/10.1109/ICDCSW.2012.33

2012-01-01

Abstract:Smart mobile devices have been widely used and the contained sensitive information is endangered by malwares. The malicious events caused by malwares are crucial evidences for digital forensic analysis, and the main task of mobile forensic analysis is to reconstruct these events. However, the reconstruction heavily relies on the code analysis of the malware. The difficulties and challenges include how to quickly identify the suspicious programs, how to defeat the anti-forensics tricks of malicious code, and how to deduce the malicious behaviors according to the code. To address this issue, we propose systematic procedures of analyzing typical malware behaviors on the popular mobile operating system Android. Based on the procedures we discuss the deduction of Android malicious events. We also give a real malware forensic case as a reference.