Abdullah Azfar,Kim-Kwang Raymond Choo,Lin Liu

DOI: https://doi.org/10.48550/arXiv.1505.02905

2015-05-12

Abstract:Mobile health applications (or mHealth apps, as they are commonly known) are increasingly popular with both individual end users and user groups such as physicians. Due to their ability to access, store and transmit personally identifiable and sensitive information (e.g. geolocation information and personal details), they are potentially an important source of evidentiary materials in digital investigations. In this paper, we examine 40 popular Android mHealth apps. Based on our findings, we propose a taxonomy incorporating artefacts of forensic interest to facilitate the timely collection and analysis of evidentiary materials from mobile devices involving the use of such apps. Artefacts of forensic interest recovered include user details and email addresses, chronology of user locations and food habits. We are also able to recover user credentials (e.g. user password and four-digit app login PIN number), locate user profile pictures and identify timestamp associated with the location of a user.

Computers and Society

Muhammad Faraz Hyder,Saadia Arshad,Tasbiha Fatima

DOI: https://doi.org/10.1002/cpe.8074

2024-03-08

Concurrency and Computation Practice and Experience

Abstract:Summary Social media usage in mobile phones has increased substantially in recent times, and they are a critically important source of a forensics investigation. In this paper, we have developed Python‐based forensic analyzers that are integrated with the open‐source tool Autopsy. The proposed analyzers find forensic artifacts from the three most widely used social media messaging applications, that is, WhatsApp, Instagram, and Facebook Messenger. This research focuses on finding forensic artifacts stored by these social media applications on an iOS device. These analyzers extract data critical for a forensic investigation such as text messages, media attachments, sender and receiver details, timestamps, contact information, and other related forensics data from the full file system image of iOS devices. These Python‐based plugins extract the required data from the social media applications' databases and present the evidential artifacts in a human‐readable format. We integrated these analyzers into the Autopsy Forensics tool and showcased the gathered evidence so that investigators are capable to analyze the extracted information effortlessly. The data integrity is maintained by converting it into readable form without permanently altering the database format. The results prove that the proposed analyzers can successfully extract and analyze forensics data at a low computational overhead.

computer science, theory & methods, software engineering

Ben Martini,Quang Do,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/B978-0-12-801595-7.00015-X

2015-06-18

Abstract:Using the evidence collection and analysis methodology for Android devices proposed by Martini, Do and Choo, we examined and analyzed seven popular Android cloud-based apps. Firstly, we analyzed each app in order to see what information could be obtained from their private app storage and SD card directories. We collated the information and used it to aid our investigation of each app database files and AccountManager data. To complete our understanding of the forensic artefacts stored by apps we analyzed, we performed further analysis on the apps to determine if the user authentication credentials could be collected for each app based on the information gained in the initial analysis stages. The contributions of this research include a detailed description of artefacts, which are of general forensic interest, for each app analyzed.

Computers and Society,Cryptography and Security

Xiaodong Lin,Ting Chen,Tong Zhu,Kun Yang,Fengguo Wei

DOI: https://doi.org/10.1016/j.diin.2018.04.012

2018-01-01

Digital Investigation

Abstract:It is not uncommon that mobile phones are involved in criminal activities, e.g., the surreptitious collection of credit card information. Forensic analysis of mobile applications plays a crucial part in order to gather evidences against criminals. However, traditional forensic approaches, which are based on manual investigation, are not scalable to the large number of mobile applications. On the other hand, dynamic analysis is hard to automate due to the burden of setting up the proper runtime environment to accommodate OS differences and dependent libraries and activate all feasible program paths. We propose a fully automated tool, Fordroid for the forensic analysis of mobile applications on Android. Fordroid conducts inter-component static analysis on Android APKs and builds control flow and data dependency graphs. Furthermore, Fordroid identifies what and where information written in local storage with taint analysis. Data is located by traversing the graphs. This addresses several technique challenges, which include inter-component string propagation, string operations (e.g., append) and API invocations. Also, Fordroid identifies how the information is stored by parsing SQL commands, i.e., the structure of database tables. Finally, we selected 100 random Android applications consisting of 2841 components from four categories for evaluation. Analysis of all apps took 64 h. Fordroid discovered 469 paths in 36 applications that wrote sensitive information (e.g., GPS) to local storage. Furthermore, Fordroid successfully located where the information was written for 458 (98%) paths and identified the structure of all (22) database tables.

Shiwen Song,Xuanyu Liu,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom46510.2021.9685748

2021-01-01

Abstract:With the widespread use of Android devices, research on their security has attracted increasing attention. However, at present, digital forensics for investigating attacks, such as social engineering attacks and phishing that target Android users, remains a challenging and time-consuming task. To help discover the existence of an attack and conduct effective investigations, we propose a top-down digital forensic tool for Android applications to reconstruct attack scenarios by considering both high-level user interface (UI) elements and low-level system events. Thus, we can explain the nature of an attack from a visual and global perspective. The tested evaluation results show that our tool can successfully reconstruct scenarios on Android devices for phishing attacks.

Tooska Dargahi,Ali Dehghantanha,Mauro Conti

DOI: https://doi.org/10.1016/B978-0-12-805303-4.00002-2

2017-09-16

Abstract:Voice over Internet Protocol (VoIP) applications (apps) provide convenient and low cost means for users to communicate and share information with each other in real-time. Day by day, the popularity of such apps is increasing, and people produce and share a huge amount of data, including their personal and sensitive information. This might lead to several privacy issues, such as revealing user contacts, private messages or personal photos. Therefore, having an up-to-date forensic understanding of these apps is necessary. This chapter presents analysis of forensically valuable remnants of three popular Mobile VoIP (mVoIP) apps on Google Play store, namely: Viber, Skype, and WhatsApp Messenger, in order to figure out to what extent these apps reveal forensically valuable information about the users activities. We performed a thorough investigative study of these three mVoIP apps on smartphone devices. Our experimental results show that several artefacts, such as messages, contact details, phone numbers, images, and video files, are recoverable from the smartphone device that is equipped with these mVoIP apps.

Cryptography and Security

Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Min-Hao Wu,Ting-Cheng Chang,Yi Li-Min

DOI: https://doi.org/10.13052/jwe1540-9589.20310

2021-06-09

Journal of Web Engineering

Abstract:With the rapid development of the Internet era, cell phones play an essential and indispensable role in nowadays life. Smartphones have profoundly influenced our social relationships and our daily lives. Generally speaking, the most common tools we hear about in our daily lives are QQ, WeChat, and other Internet communication services that allow users to send text messages, pictures, and documents, providing a more convenient and faster medium for people to communicate and chat. The popularity and convenience of mobile technology have changed people’s habits of communication. People no longer need to rely on computers to communicate, and computers cannot communicate anytime and anywhere. In the kernel of Linux and Windows, as long as the Message Hooker will install, it can monitor the messages of other programs, including WeChat and QQ, in this research. We can provide relevant law enforcement officers with effective evidence collection so that criminals will not be able to hide. The suspects often delete their WeChat or QQ records after committing the crime. It impossible for our law enforcement agencies to obtain evidence directly from the cell phone and the crime facts. Our research hopes to use some technology to help law enforcement units effectively obtain strong evidence in the iPhone not to hide the crime facts.

computer science, theory & methods, software engineering

Juanru Li,Dawu Gu,Yuhao Luo

DOI: https://doi.org/10.1109/ICDCSW.2012.33

2012-01-01

Abstract:Smart mobile devices have been widely used and the contained sensitive information is endangered by malwares. The malicious events caused by malwares are crucial evidences for digital forensic analysis, and the main task of mobile forensic analysis is to reconstruct these events. However, the reconstruction heavily relies on the code analysis of the malware. The difficulties and challenges include how to quickly identify the suspicious programs, how to defeat the anti-forensics tricks of malicious code, and how to deduce the malicious behaviors according to the code. To address this issue, we propose systematic procedures of analyzing typical malware behaviors on the popular mobile operating system Android. Based on the procedures we discuss the deduction of Android malicious events. We also give a real malware forensic case as a reference.

Nurul Adhlina Hani Roslee,Nurul Hidayah bt Ab Rahman,Nurul Hidayah Bt Ab Rahman

DOI: https://doi.org/10.30630/joiv.2.3-2.137

2018-06-06

Abstract:This study aims to design and develop an interactive system that can visualize evidence collected from Android smartphone data. This project is developing to support forensic investigator in investigating the security incidents particularly involving Android smartphone forensic data. The used of smartphone in crime was widely recognized. Several types of personnel information are stored in their smartphones. When the investigator analyses the image data of the smartphone, the investigator can know the behaviour of the smartphone’s owner and his social relationship with other people. The analysis of smartphone forensic data is cover in mobile device forensic. Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence from a mobile device under forensically sound condition. The digital investigation model used in this project is the model proposed by United States National Institute of Justice (NIJ) which consists four phases, which are collection phase, examination phase, analysis phase and presentation phase. This project related with analysis phase and presentation phase only. This paper introduces Visroid, a new tool that provides a suite of visualization for Android smartphone data.

Songyang Wu,Xiong Xiong,Yong Zhang,Yang Tang,Bo Jin

DOI: https://doi.org/10.1109/icct.2017.8359976

2017-01-01

Abstract:Public reports show that crimes linked to Smartphones have increased sharply in past years. Because of the largest market share of Android, forensics on Android device had become a focus in the field of digital forensics. Data acquisition is a key aspect for smartphones forensics. In this paper, we proposed an improved approach of acquiring data image using special modes of Qualcomm processors, which almost taken more than half of market share of mobile smartphones' CPU. Evaluation experiments confirmed that proposed methods are practicability and the data integrity of extracted partition images is preserved. This work is intended to provide vital references for the investigators and researchers working on the digital forensics.

Jason Bays,Umit Karabiyik

DOI: https://doi.org/10.48550/arXiv.1907.00074

2019-06-29

Abstract:Location sharing applications are becoming increasingly common. These applications allow users to share their own locations and view contacts' current locations on a map. Location applications are commonly used by friends and family members to view Global Positioning System (GPS) location of an individual, but valuable forensic evidence may exist in this data when stored locally on smartphones. This paper aims to discover forensic artifacts from two popular third-party location sharing applications on iOS and Android devices. Industry standard mobile forensic suites are utilized to discover if any locally stored data could be used to assist investigations reliant on knowing the past location of a suspect. Security issues raised regarding the artifacts found during our analysis is also discussed.

Cryptography and Security

Adil Ahmad,Mehdi Hussain

DOI: https://doi.org/10.12928/mf.v4i1.5762

2022-03-31

Mobile and Forensics

Abstract:Mobile applications of video streaming platforms store a lot of information on mobile devices which can have both positive and negative impacts. Positive, in the sense that it could assist law enforcement agencies in solving crime, and the negative impact is that it could be accessed by malicious actors. In this study, we forensically investigate the Netflix, Amazon Prime Video, and iFlix android applications. The major focus is on identifying stored artifacts on the mobile devices left behind by the android video streaming applications. It will give law enforcement agencies and forensic investigators a clear direction when it comes to extracting evidence to solve a crime. On the other hand, it will notify the mobile application developers on how to further improve the security of their mobile applications.

Jiamin Zheng,Yu-An Tan,Xiaosong Zhang,Chen Liang,Changyou Zhang,Jun Zheng

DOI: https://doi.org/10.1109/cse-euc.2017.45

2017-01-01

Abstract:Mobile device forensics is an interdisciplinary field consisting of techniques applied to a wide range of computing devices. Android devices are among the most disruptive technologies of the last years, gaining even more diffusion and success in the daily life of a wide range of people categories. Android devices became even more important in the forensic field due to the rich amount of personal information they store. However, the forensics tools are often used to acquire privacy information by attackers. This papar presents an anti-forensics approach for Android devices which protects AES keys from being acquired by forensics tools. The keys are stored in the special memory space where the data will be covered when android reboots, thus attackers can not steal the privacy information.

Bo JIN,Songyang WU,Xiong XIONG,Yong ZHANG

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.03.004

2016-01-01

Abstract:As the widespread application of mobile Internet, smart devices such as smartphones and pads also increas-ingly play an important roles in a wide variety of criminal activities. It has been proven that the extracted data from smartphone of suspects often critical clues and evidence of digital investigation. However, the improved security design of smartphones in recent years seriously hinders the evidence acquisition for mobile phone forensics and brings us new chal-lenges. This paper analyzed current security mechanisms of popular mobile devices of iOS, Android and Windows Phone, studied the major crack technologies of smartphones and their application in digital investigation. This paper also dis-cussed research directions of smartphone forensics technologies in the future.

Milda Petraityte,Ali Dehghantanha,Gregory Epiphaniou

DOI: https://doi.org/10.48550/arXiv.1706.08048

2017-06-25

Abstract:This paper uses a scenario-based role-play experiment based on the usage of QR codes to detect how mobile users respond to social engineering attacks conducted via mobile devices. The results of this experiment outline a guided mobile phone forensics investigation method which could facilitate the work of digital forensics investigators while analysing the data from mobile devices. The behavioural response of users could be impacted by several aspects, such as impulsivity, smartphone usage and security or simply awareness that QR codes could contain malware. The findings indicate that the impulsivity of users is one of the key areas that determine the common mistakes of mobile device users. As a result, an investigative framework for mobile phone forensics is proposed based on the impulsivity and common mistakes of mobile device users. As a result, an investigative framework for mobile phone forensics is proposed based on the impulsivity and common mistakes of mobile device users. It could help the forensics investigators by potentially shortening the time spent on investigation of possible breach scenarios.

Cryptography and Security

Weiming Guo,Shunxiang Wu,Dengyou Wang

DOI: https://doi.org/10.1109/iccse.2017.8085543

2017-01-01

Abstract:Nowadays, Android devices become more and more popular, which attracts the attention of the forensics workers. As Android devices have a perfect security mechanism, the root privileges of Android devices are required to obtain electronic evidence effectively. The existing methods of obtaining the root privileges in Android devices mainly based on the third-party tool. Although the methods are widely used, the drawback of this root method based on the third-party tools is uncontrollable. In this article, a temporary root method is presented. It is based on the vulnerabilities of the Android system. Moreover, this root method is applied to the acquisition of the physical images for Android devices. This root method utilizes an appropriate strategy and the vulnerabilities of the Android system to acquire the root privileges effectively. In the course of practice, this root method has the advantages of completely controllable and convenient.

Nghi Hoang Khoa,Phan The Duy,Hien Do Hoang,Do Thi Thu Hien,Van-Hau Pham

DOI: https://doi.org/10.1109/rivf48685.2020.9140739

2020-10-01

Abstract:Emerging with highlight features as a global phenomenon, TikTok - the international version of Douyin application in China market, is a social media video app for creating and sharing short lip-syncing. This social video platform has seen astounding growth by reaching 1.5 billion users in 2019 by capturing the cultural zeitgeist among teenage smartphone owners in unprecedented fashion. However, criminals have been paid attention to this platform where young users become the target of abusers or predators. In this paper, we introduce the forensic analysis of the artifacts left on Android phones by TikTok application. In more detail, we indicate a complete description of all the artifacts obtained in TikTok. Furthermore, by using the results discussed in the paper, an investigator can rebuild the list of followers, searching keywords, favorites, messages that have been exchanged by users. It is helpful to examine and determine which artifacts could be considered as evidence for criminal investigation on popular social networking application.

Vincent F. Taylor,Riccardo Spolaor,Mauro Conti,Ivan Martinovic

DOI: https://doi.org/10.1109/tifs.2017.2737970

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The apps installed on a smartphone can reveal much information about a user, such as their medical conditions, sexual orientation, or religious beliefs. In addition, the presence or absence of particular apps on a smartphone can inform an adversary, who is intent on attacking the device. In this paper, we show that a passive eavesdropper can feasibly identify smartphone apps by fingerprinting the network traffic that they send. Although SSL/TLS hides the payload of packets, side-channel data, such as packet size and direction is still leaked from encrypted connections. We use machine learning techniques to identify smartphone apps from this side-channel data. In addition to merely fingerprinting and identifying smartphone apps, we investigate how app fingerprints change over time, across devices, and across different versions of apps. In addition, we introduce strategies that enable our app classification system to identify and mitigate the effect of ambiguous traffic, i.e., traffic in common among apps, such as advertisement traffic. We fully implemented a framework to fingerprint apps and ran a thorough set of experiments to assess its performance. We fingerprinted 110 of the most popular apps in the Google Play Store and were able to identify them six months later with up to 96% accuracy. Additionally, we show that app fingerprints persist to varying extents across devices and app versions.

computer science, theory & methods,engineering, electrical & electronic

Mohd Najwadi Yusoff,Ali Dehghantanha,Ramlan Mahmod

DOI: https://doi.org/10.48550/arXiv.1706.08062

2017-06-25

Abstract:Mobile devices are increasingly utilized to access social media and instant messaging services, which allow users to communicate with others easily and quickly. However, the misuse of social media and instant messaging services facilitated conducting different cybercrimes such as cyber stalking, cyber bullying, slander spreading and sexual harassment. Therefore, mobile devices are an important evidentiary piece in digital investigation. In this chapter, we report the results of our investigation and analysis of social media and instant messaging services in Firefox OS. We examined three social media services (Facebook, Twitter and Google+) as well as three instant messaging services (Telegram, OpenWapp and Line). Our analysis may pave the way for future forensic investigators to trace and examine residual remnants of forensics value in FireFox OS.

Cryptography and Security