Forensic analysis of Telegram Messenger for Windows Phone

This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, while focusing particularly on how the information is structured and the user, chat and conversation data generated by the application are organised, with the goal of extracting related data from the information. The application has several other features (e.g. games, bots, stickers) besides those of an instant messaging application (e.g. messages, images, videos, files). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and establish the relation of different types of user, chat and conversation.     

Forensic analysis of WeChat on Android smartphones

WeChat is one of the most popular instant-messaging smartphone applications in the world. At the end of 2015, WeChat had 697 million monthly active users from over 200 countries. Although WeChat was designed originally for communication between relatives and friends, its abundant social functions are now also used by criminals for communication, and even for the organization and coordination of criminal acts. Therefore, communication records of social networking services like WeChat extracted from the smartphones of criminals are always the vital digital evidences for the investigation and prosecution of criminal cases. At present, only a few literatures focused on WeChat forensics. This paper describes several common questions that arise in forensic examinations of Android WeChat and provides corresponding technical methods that are useful to address these questions. This paper is intended to provide vital references for the investigators and researchers working on the digital forensics.     

Forensic acquisition and analysis of palm webOS on mobile devices

The emergence of webOS on Palm devices has created new challenges and opportunities for digital investigators. With the purchase of Palm by Hewlett Packard, there are plans to use webOS on an increasing number and variety of computer systems. These devices can store substantial amounts of information relevant to an investigation, including digital photographs, videos, call logs, SMS/MMS messages, e-mail, remnants of Web browsing and much more. Although some files can be obtained from such devices with relative ease, the majority of information of forensic interest is stored in databases on a system partition that many mobile forensic tools do not acquire. This paper provides a methodology for acquiring and examining forensic duplicates of user and system partitions from a device running webOS. The primary sources of digital evidence on these devices are covered with illustrative examples. In addition, the recovery of deleted items from various areas on webOS devices is discussed.     

An Android Communication App Forensic Taxonomy

Due to the popularity of Android devices and applications (apps), Android forensics is one of the most studied topics within mobile forensics. Communication apps, such as instant messaging and Voice over IP (VoIP), are one popular app category used by mobile device users, including criminals. Therefore, a taxonomy outlining artifacts of forensic interest involving the use of Android communication apps will facilitate the timely collection and analysis of evidentiary materials from such apps. In this paper, 30 popular Android communication apps were examined, where a logical extraction of the Android phone images was collected using XRY, a widely used mobile forensic tool. Various information of forensic interest, such as contact lists and chronology of messages, was recovered. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the communication apps is proposed, with the app categories in one dimension and the classes of artifacts in the other dimension. Finally, the artifacts identified in the study of the 30 communication apps are summarized using the taxonomy. It is expected that the proposed taxonomy and the forensic findings in this paper will assist forensic investigations involving Android communication apps.     

Automated identification of installed malicious Android applications

Increasingly, Android smartphones are becoming more pervasive within the government and industry, despite the limited ways to detect malicious applications installed to these phones' operating systems. Although enterprise security mechanisms are being developed for use on Android devices, these methods cannot detect previously unknown malicious applications. As more sensitive enterprise information becomes available and accessible on these smartphones, the risk of data loss inherently increases. A malicious application's actions could potentially leave sensitive data exposed with little recourse. Without an effective corporate monitoring solution in place for these mobile devices, organizations will continue to lack the ability to determine when a compromise has occurred. This paper presents research that applies traditional digital forensic techniques to remotely monitor and audit Android smartphones. The smartphone sends changed file system data to a remote server, allowing for expensive forensic processing and the offline application of traditional tools and techniques rarely applied to the mobile environment. The research aims at ascertaining new ways of identifying malicious Android applications and ultimately attempts to improve the state of enterprise smartphone monitoring. An on-phone client, server, database, and analysis framework was developed and tested using real mobile malware. The results are promising that the developed detection techniques identify changes to important system partitions; recognize file system changes, including file deletions; and find persistence and triggering mechanisms in newly installed applications. It is believed that these detection techniques should be performed by enterprises to identify malicious applications affecting their phone infrastructure.     

Forensic Taxonomy of Android Social Apps

An Android social app taxonomy incorporating artifacts that are of forensic interest will enable users and forensic investigators to identify the personally identifiable information (PII) stored by the apps. In this study, 30 popular Android social apps were examined. Artifacts of forensic interest (e.g., contacts lists, chronology of messages, and timestamp of an added contact) were recovered. In addition, images were located, and Facebook token strings used to tie account identities and gain access to information entered into Facebook by a user were identified. Based on the findings, a two‐dimensional taxonomy of the forensic artifacts of the social apps is proposed. A comparative summary of existing forensic taxonomies of different categories of Android apps, designed to facilitate timely collection and analysis of evidentiary materials from Android devices, is presented.     

A study of user data integrity during acquisition of Android devices

At the time of this writing, Android devices are widely used, and many studies considering methods of forensic acquisition of data from Android devices have been conducted. Similarly, a diverse collection of smartphone forensic tools has also been introduced. However, studies conducted thus far do not normally guarantee data integrity required for digital forensic investigations. Therefore, this work uses a previously proposed method of Android device acquisition utilizing ‘Recovery Mode’. This work evaluates Android Recovery Mode variables that potentially compromise data integrity at the time of data acquisition. Based on the conducted analysis, an Android data acquisition tool that ensures the integrity of acquired data is developed, which is demonstrated in a case study to test tool's ability to preserve data integrity.     

We are meeting on Microsoft Teams: Forensic analysis in Windows,Android, and iOS operating systems

Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.     

APK Auditor: Permission-based Android malware detection system

Android operating system has the highest market share in 2014; making it the most widely used mobile operating system in the world. This fact makes Android users the biggest target group for malware developers. Trend analyses show large increase in mobile malware targeting the Android platform. Android's security mechanism is based on an instrument that informs users about which permissions the application needs to be granted before installing them. This permission system provides an overview of the application and may help gain awareness about the risks. However, we do not have enough information to conclude that standard users read or digital investigators understand these permissions and their implications. Digital investigators need to be on the alert for the presence of malware when examining Android devices, and can benefit from supporting tools that help them understand the capabilities of such malicious code. This paper presents a permission-based Android malware detection system, APK Auditor that uses static analysis to characterize and classify Android applications as benign or malicious. APK Auditor consists of three components: (1) A signature database to store extracted information about applications and analysis results, (2) an Android client which is used by end-users to grant application analysis requests, and (3) a central server responsible for communicating with both signature database and smartphone client and managing whole analysis process. To test system performance, 8762 applications in total, 1853 benign applications from Google's Play Store and 6909 malicious applications from different sources were collected and analyzed by the system developed. The results show that APK Auditor is able to detect most well-known malwares and highlights the ones with a potential in approximately 88% accuracy with a 0.925 specificity.     

Forensic analysis of video file formats

Video file format standards define only a limited number of mandatory features and leave room for interpretation. Design decisions of device manufacturers and software vendors are thus a fruitful resource for forensic video authentication. This paper explores AVI and MP4-like video streams of mobile phones and digital cameras in detail. We use customized parsers to extract all file format structures of videos from overall 19 digital camera models, 14 mobile phone models, and 6 video editing toolboxes. We report considerable differences in the choice of container formats, audio and video compression algorithms, acquisition parameters, and internal file structure. In combination, such characteristics can help to authenticate digital video files in forensic settings by distinguishing between original and post-processed videos, verifying the purported source of a file, or identifying the true acquisition device model or the processing software used for video processing.     

电子邮件真伪鉴定初探

电子邮件作为网络沟通常见的形式之一，应用十分广泛，但涉及电子邮件的相关纠纷与犯罪问题也日益突出。很多案件由于无法判明电子邮件证据真实性，而导致诉讼无法正常进行、无奈拖延或者失败。为确定电子邮件证据真实性，对其进行科学鉴定显得十分重要，但电子邮件不同传统的物证、书证鉴定，其本身十分复杂，对其鉴定研究，必须分析常见的伪造形式，以及如何伪造，并在此基础上探讨鉴定的主要思路。     

Android forensics: Automated data collection and reporting from a mobile device

In this research, a prototype enterprise monitoring system for Android smartphones was developed to continuously collect many data sets of interest to incident responders, security auditors, proactive security monitors, and forensic investigators. Many of the data sets covered were not found in other available enterprise monitoring tools. The prototype system neither requires root privileges nor the exploiting of the Android architecture for proper operation, thereby increasing interoperability among Android devices and avoiding a spyware classification for the system. An anti-forensics analysis on the system was performed to identify and further strengthen areas vulnerable to tampering. The contributions of this research include the release of the first open-source Android enterprise monitoring solution of its kind, a comprehensive guide of data sets available for collection without elevated privileges, and the introduction of a novel design strategy implementing various Android application components useful for monitoring on the Android platform.     

Android智能手机的取证

作为一种新兴的智能手机,Android手机发展势头极为迅猛,并越来越多的受到人们的关注。通过对Android智能手机的取证研究,在介绍了Android手机的基本工作原理后,详细描述了取证方式。通过Android SDK工具对手机内外置存储进行镜像备份,逻辑分析利用文件系统分析,查找每个应用程序自带的数据库文件来获得有价值信息,物理分析通过对内存镜像进行数据恢复以寻找删除的文件,两者互相结合。结果表明,能够从Android手机中有效寻找到潜在证据。     

Forensic Investigation of Cooperative Storage Cloud Service: Symform as a Case Study

Researchers envisioned Storage as a Service (StaaS) as an effective solution to the distributed management of digital data. Cooperative storage cloud forensic is relatively new and is an under‐explored area of research. Using Symform as a case study, we seek to determine the data remnants from the use of cooperative cloud storage services. In particular, we consider both mobile devices and personal computers running various popular operating systems, namely Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4. Potential artefacts recovered during the research include data relating to the installation and uninstallation of the cloud applications, log‐in to and log‐out from Symform account using the client application, file synchronization as well as their time stamp information. This research contributes to an in‐depth understanding of the types of terrestrial artifacts that are likely to remain after the use of cooperative storage cloud on client devices.     

Forensic investigation of cross platform massively multiplayer online games: Minecraft as a case study

Minecraft, a Massively Multiplayer Online Game (MMOG), has reportedly millions of players from different age groups worldwide. With Minecraft being so popular, particularly with younger audiences, it is no surprise that the interactive nature of Minecraft has facilitated the commission of criminal activities such as denial of service attacks against gamers, cyberbullying, swatting, sexual communication, and online child grooming. In this research, there is a simulated scenario of a typical Minecraft setting, using a Linux Ubuntu 16.04.3 machine (acting as the MMOG server) and Windows client devices running Minecraft. Server and client devices are then examined to reveal the type and extent of evidential artefacts that can be extracted.     

Forensic analysis of smart TV: A current issue and call to arms

A number of new entertainment systems have appeared on the market that have embedded computing capabilities. Smart Televisions have the ability to connect to networks, browse the web, purchase applications and play games. Early versions were based on proprietary operating systems; newer versions released from 2012 are based on existing operating systems such as Linux and Android. The question arises as to what sort of challenges and opportunities they present to the forensics examiner. Are these new platforms or simply new varieties of existing forms of devices? What data do they retain and how easy is it to access this data? This paper explores this as a future forensic need and asks if we are missing potential sources of forensic data and to what degree we are ready to process these systems as part of an investigation.     

In‐Depth Analysis of Computer Memory Acquisition Software for Forensic Purposes

The comparison studies on random access memory (RAM) acquisition tools are either limited in metrics or the selected tools were designed to be executed in older operating systems. Therefore, this study evaluates widely used seven shareware or freeware/open source RAM acquisition forensic tools that are compatible to work with the latest 64‐bit Windows operating systems. These tools' user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs, modified registry keys, and invoked files during processing were compared. We observed that Windows Memory Reader and Belkasoft's Live Ram Capturer leaves the least fingerprints in memory when loaded. On the other hand, ProDiscover and FTK Imager perform poor in memory usage, processing time, DLL usage, and not‐wanted artifacts introduced to the system. While Belkasoft's Live Ram Capturer is the fastest to obtain an image of the memory, Pro Discover takes the longest time to do the same job.     

网络电子证据取证技术与反取证技术研究

随着网络技术的发展,计算机网络犯罪现象日趋严重。为了有效地打击网络犯罪行为,完善网络电子证据立法基础,取证技术专家不仅要研究网络取证相关技术,同时还必须对网络反取证技术充分进行研究。通过研究反取证技术来促进取证技术的提高,这样才能在网络取证过程中拓宽思路,提高获取有效证据的效率。     

巧用MTP协议破解Android智能手机屏幕锁密码

本文介绍了基于Android平台的智能手机应用MTP协议[1]在PC机构建的一个虚拟文件系统[2]中进行案件检验的实例。涉案手机因设置了手机防盗锁且USB调试未打开,现有的手机取证工具无法对其数据进行提取。通过查询手机生产日期推断该手机版本支持MTP协议,并尝试利用MTP协议查看和拷贝手机内的文件,最终找到QQ文件夹下保存的解锁密码,解除屏幕锁后利用现有手机取证工具成功提取到涉案手机中的短信息、即时通讯记录等与案件相关的信息,为手机检验中破解第三方软件设置的屏幕锁解锁提供了一种新的方法。