SlideShare a Scribd company logo
1 of 18
Download to read offline
SOCIAL MEDIA FORENSICS
ON
MOBILE DEVICES
YALÇIN ÇAKMAK
Why This Topic
• 22% of total world population use social media via mobile
devices (2014 September by We Are Social agency)
• 2% of social media cases refer mobile devices as a source
(by X1 Social Discovery from 2010 and 2011 in USA)
• Sharing personal data such as age, location, education, job,
religion and some preferences
• Electronic crimes like identity theft, drug dealing,phishing and
fraud.
• E-mails, text messages, photos, passwords, credit card numbers
and internet history left behind
INTRODUCTION
• Determination of the artifacts and potential evidences
• Difference between applications and operating systems
• Facebook, Twitter, Google+, Instagram, WhatsApp and LinkedIn
are chosen
• Android and iOS dominates the market
• Samsung GT-i9500 Galaxy S IV (Android) and Apple iPhone 5S
(iOS) are chosen
INTRODUCTION
Market shares of mobile operating systems
• Digital Forensics
• Social Media and Social Networks
• Mobile Forensics
 Operating Systems: Android and iOS
 Evidence Extraction
 Methods: Manuel, Logical and Physical
 Tools: XRY, Cellebtite, Oxygen and Open Source Tools
 Types of Evidences: Address Book, Call History, Messages, E-mails, Multimedia, Web History, Geolocation data and
Application data
 Challenges
• Social Media Forensics on Mobile Devices
 Related Work
 Sample Cases
LITERATURE REVIEW
Extraction Methods
• Windows 7 Professional 64-bit operating system with 8
GB RAM
• Samsung GT-i9500 Galaxy S IV ( 16 GB capacity and
Android 4.4.2)
• Apple iPhone 5S (A1457 chip, 32 GB capacity and iOS 8.1)
• Mobile applications of Facebook, Twitter, Google+,
Instagram, WhatsApp and LinkedIn for iOS and Android
• XRY v6.11.1
• AccessData FTK Imager v3.0.0.1443
• Android SDK
• VMware workstation 9.0.1
• SANS Investigative Forensic Toolkit (SIFT) 2.13 Linux
Workstation
• Pangu v1.2.1 for jailbreak
• Odin3 v3.09 and CF-Root Package for rooting
• Putty v0.63
• WinSCP v 5.5.6
• HFSExplorer 0.21
• WinHex 15.9
• Plist Editor Pro v2.0
• SQLite Database Browser v3.4.0
• Micro USB cable for Samsung phone
• Lightning to USB Cable for iPhone 5S
• 16 GB Micro SD card
• 2 Avea SIM Cards
RESEARCH METHODOLOGY
Test Environment and Requirements
• Mobile operating systems
Only iOS and Android are tested
• Social network apps
Only 6 apps are tested
• commercial software for forensic imaging
Only XRY v6.11.1 is used as a commercial software for forensic imaging
RESEARCH METHODOLOGY
Limitations of Research
• Rooting is gaining root access to a device
• Jailbreaking is removing limitations on device and enables to install and use
various applications like SSH
• The goal of rooting and jailbreaking is the same in this research
• The main purpose of these low level modifications is acquiring physical images
of devices
• Admissibility of these mobile devices is also indispensable
• Most of the countries do not have laws including rooting and jailbreaking
• Widely used commercial tools may also have a support for rooting
• All possible acquisition methods had to be applied before low level
modifications
• Most of the previous researches are based on non-modified devices and logical
acquisition methods
RESEARCH METHODOLOGY
Rooting and Jailbreaking
Rooting Android device with Odin3 v3.09
Pangu software screen after iOS Jailbreak
Application
Version
Activity
iOS Android
Facebook 18.0 21.0.0.23.12
Account creation
Profile update
Comment posting
Comment Editing
Location sharing
Photo upload
Facebook Messenger 15.1 16.0.0.16.15
Sending a text message
Receiving a text message
Deleting a message
Sending a photo
Deleting a photo
Twitter 6.17 5.34.0
Account creation
Profile update
Follow some accounts
Unfollow some accounts
Comment posting
Private message sending to a friend
Location sharing
Photo upload
Sample search
Google+ 4.7.4 4.2.4
Account creation
Profile update
Follow some accounts
Unfollow some accounts
Comment posting
Location sharing
Photo upload
Application
Version
Activity
iOS Android
Instagram 6.2.0 6.10.1
Account creation
Profile update
Follow some accounts
Unfollow some accounts
Photo sharing
Deleting a photo
WhatsApp Messenger 2.11.12 2.11.432
Account creation with phone number
Profile update
Adding a friend
Sending and receiving a text message
Sending and receiving a photo
Location sharing
Deleting any content
LınkedIn 8.1.58 3.4.3
Account creation
Profile update
Searching a friend
RESEARCH METHODOLOGY
Scenarios
• Acquisition phase is most challenging part of this research
• Both physical and logical images of each devices are acquired
• Logical images are acquired with XRY v6.11.1
• Physical images are acquired with open source UNIX “dd”
command line tool
RESEARCH METHODOLOGY
Acquisition
İmaging raw disk partitions of iOS deviceImaging raw disk partitions of Android device
Logical imaging with XRY
• The last and detailed phase of this research
• Both commercial and open source tools are used
• The main tool is XRY v6.11.1. It decodes and parses the files to present in a comprehensible format
• AccessData FTK Imager is for Android images and HFSExplorer is for iOS images. For mounting and file export.
• SQLite Browser and Plist editör.
• R-Studio and foremost
• WinHex and some commands like “xxd” and “strings”
RESEARCH METHODOLOGY
Analysis
iOS
• Orca2.db file: friends’ names, Facebook IDs, chat messages with timestamps
and geographic coordinates, profile picture URLs and threads.
• fbsyncstore.db file: Emails, phone numbers, friends’ names, searched
people, Facebook IDs and profile picture URLs
• 100004158494721.session.plist file: profile information like high
school, work, education and city. It also stores longitude and latitude of some shared
locations s
• Multimedia files are in LibraryCaches directory.
EXAMINATION AND ANALYSIS
Facebook Artifacts
Android
• Contacts_db2 file: number of contacts, contact IDs, phone numbers,
names and surnames, picture URLs
• threads_db2 file: chat messages with time stamps, group conversations,
various unique IDs, phone numbers, coordinates and last seen time
• cookies.db: cookie name, creation time, its value, expiration time and last
access time
• notifications_db: notification ID, recipient ID, cache ID, notification
message and profile picture URLs
Sample message format with metadata information for Facebook applicationSample deleted Facebook message with metadata information retrieved from orca2.db file
iOS
• autocomplete4.sqlite3 file: hashtags with ID, priority, description and
timestamp
• twitter.db file: text messages with timestamps and user IDs, retweets, retweet
counts, following accounts, status messages, location information, URLs and
descriptions
• app.acct.JoeJoeblackst-437908224.detail.10.log file:
text messages, profile information and URLs
• Multimedia files are in LibraryCaches directory.
EXAMINATION AND ANALYSIS
Twitter Artifacts
Android
• 2880712150-17.db file: Twitter conversations with time stamps,
unique IDs, URLs, searches, hashtags and followers
• Global.db file: account name, user ID, tweet and mention count
• 0-scribe.db file: logs and IDs in scribe table
• Multimedia files are in media0Androiddatacom.twitter.android
cache directory
Sample posted tweet format with metadata information for Twitter applicationSample posted tweet format with metadata information for Twitter application
iOS
• Profile.plist file: profile information such as name, E-mail, gender, picture
URL and unique ID
• com.google.PlusCore.PersonCacheCollection.1116138
86622229336085.plist file: various profile information about user and
user’s friends
• Multimedia files are in LibraryCaches directory.
• Some of the old (deleted and changed) profile entries
such as E-mail can be found but some of them cannot.
• Deleted posts cannot be found in logical image.
• Google+ application do not use SQLite database files
in iOS.
EXAMINATION AND ANALYSIS
Google+ Artifacts
Android
• es0.db, es1.db and es2.db database files: contacts, user
names, unique IDs, time stamps, URLs, activities, comments, searches and
locations
• Accounts.xml file: account names, emails, unique IDs, URLs and so on
• iu_settings.xm: emails, time stamps and some more settings about
Google+ application
• notifications_db: notification ID, recipient ID, cache ID, notification
message and profile picture URLs
Sample posted message format with metadata information for Google+ application
iOS
• lastentries.coded.log file: profile information and incoming posts with
picture urls
• recent-users.coded.log file: various profile information and following
people
• Multimedia files are in LibraryCaches directory.
• Instagram application do not use SQLite database files
in iOS. Log, plist and xml files store evidentiary
contents. These files do not contain deleted data.
Consequently, deleted artifacts and old profile
information cannot be found in logical image of the
phone.
EXAMINATION AND ANALYSIS
Instagram Artifacts
Android
• 1564603320_USER_PREFERENCES.xml file: geotag
enabled or disabled, recent user searches, contacts count, inbox new share count
• 1564603320_video_view.xml file: watched videos and
watching times
• Multimedia files are in datacom.instagram.androidcache ,
datacom.instagram.androidfiles , media0PicturesInstagram ,
media0Androiddatacom.instagram.androidcachevideo
• Instagram application do not use SQLite database
files. Profile information is stored in xml files. Old
profile information cannot be found in both xml
files and raw image of data partition
iOS
• ChatStorage.sqlite file: user names, phone numbers, text messages, time
stamps, unique IDs and used words list
• Contacts.sqlite file: user names, phone numbers, time stamps and status
messages
• ChatSearch.sqlite file: chat messages, phone numbers and time stamps
• net.whatsapp.WhatsApp.plist file: user name, status message,
login count, payment information and number of received and sent messages
• whatsapp-2014-11-17-16-27-09.763.1.log file: time stamps
for messages, phone numbers, IP addresses, device information, carrier name
• Multimedia files are in LibraryCaches and LibraryMedia directories
EXAMINATION AND ANALYSIS
WhatsApp Artifacts
Android
• msgstore.db file: chat messages with time stamps, phone numbers,
pictures as raw data and user IDs
• wa.db file: contact people with names, phone numbers, status messages
and time stamps
• Axolotl.db file: some encrypted keys and unique IDs
• com.whatsapp_preferences.xml file: phone number, time
stamps, program version and some more preferences
• Whatsapp.log file: various log information about WhatsApp application
• Multimedia files are in media0WhatsAppMediaWhatsApp Images
and datacom.whatsappfilesAvatars directories
Sample message format with metadata information for WhatsApp applicationComparison of WhatsApp deleted messages in ChatSeach.sqlite file
iOS
• com.linkedin.LinkedIn.plist file: basic profile information such as
name, E-mail, headline, picture URL and user ID number
• cacheInfo.plist file: file names that contain accessed URLs, file sizes and
time stamps
• liv2profile385087501.xml file: user ID and profile information such
as name, location, E-mail, phone number, address, education, job, website and picture
URL
• notificaions_data_center_key.xml file: Information about who
viewed the profile
• LinkedIn profile update was performed. Some
information such as phone number, address,
university, occupation and profile picture were
changed and tried to recover old information. Only
university and occupation can be found in the logical
image. Some of the old profile information cannot be
found.
EXAMINATION AND ANALYSIS
LinkedIn Artifacts
Android
• linkedin.db file: profile information, time stamps, search results,
notifications, companies and recommended people
• auth_library_prefs.xml file: user name, member ID and E-mail
• LinkedInPrefs.xml file: user name, E-mail, member ID and profile
picture URL.
• Multimedia files are in media0Androiddatacom.linkedin.android
cacheli_images directory
Deleted LinkedIn profile information retrieved from linkedin.db file
• Mobile social media applications generally create database files, log files, xml files and plist files to store most of the
private and evidentiary data
• User names and user IDs, contacts, chat messages, pictures, time stamps, location coordinates and some more
private information were retrieved even after they have been deleted
• Deleting a record just removes the reference to it, but leaves the actual data in the file.
• These kind of examinations are the most time-consuming because of manual methods
• Platforms have similarities and differences about stored data contents, time stamp formats, picture formats, unique
IDs and logs.
• The entire file system is encrypted in iOS devices with hardware level encryption. User data partition could be
imaged but file contents could not be seen. iOS seems more secure than Android in this respect
• To avoid using SQLite database system makes Instagram more secure than others
RESEARCH FINDINGS
• Several future researches are needed inevitably in social media forensics on mobile devices
• Renewed operating system versions and new social media applications will require new researches
• Better forensically sound methods can be performed for physical imaging of the nonvolatile memory of mobile devices.
• Further research in this area may be performed on acquiring and analyzing the volatile memory (RAM).
• Encryption and secure erasing of private social media data may be accomplished in any future research.
FUTURE WORK

More Related Content

What's hot

File system in iOS
File system in iOSFile system in iOS
File system in iOSPurvik Rana
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)Vince Verbeke
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown Tom Eston
 
Android vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspectiveAndroid vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspectiveRaj Pratim Bhattacharya
 
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...hlittle
 
Recover iPhone data with ease
Recover iPhone data with easeRecover iPhone data with ease
Recover iPhone data with easejenkerry
 
Ios operating system
Ios operating systemIos operating system
Ios operating systemTIB Academy
 
I phone programming project report
I phone programming project reportI phone programming project report
I phone programming project reportDhara Shah
 
What is Application Software?
What is Application Software?What is Application Software?
What is Application Software?DaisyJeffenYRios
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4   introductionTech savvy seniors term 4   introduction
Tech savvy seniors term 4 introductionMarni3Bridges
 
Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_sameSkyler Lewis
 

What's hot (20)

File system in iOS
File system in iOSFile system in iOS
File system in iOS
 
Icloud
IcloudIcloud
Icloud
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 
Apple iOS
Apple iOSApple iOS
Apple iOS
 
How... Do you know?
How... Do you know?How... Do you know?
How... Do you know?
 
Android vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspectiveAndroid vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspective
 
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
Which Mobile OS is the Most Secure; Apple, Android or Windows? [Updated 2016-...
 
Recover iPhone data with ease
Recover iPhone data with easeRecover iPhone data with ease
Recover iPhone data with ease
 
iOS platform
iOS platformiOS platform
iOS platform
 
Ios operating system
Ios operating systemIos operating system
Ios operating system
 
Android App
Android AppAndroid App
Android App
 
iOS App Architecture
iOS App ArchitectureiOS App Architecture
iOS App Architecture
 
Introduction to ios
Introduction to iosIntroduction to ios
Introduction to ios
 
iOS Basics
iOS BasicsiOS Basics
iOS Basics
 
I phone programming project report
I phone programming project reportI phone programming project report
I phone programming project report
 
What is Application Software?
What is Application Software?What is Application Software?
What is Application Software?
 
Tech savvy seniors term 4 introduction
Tech savvy seniors term 4   introductionTech savvy seniors term 4   introduction
Tech savvy seniors term 4 introduction
 
Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_same
 
18th android intro
18th android intro18th android intro
18th android intro
 

Viewers also liked

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
July132000
July132000July132000
July132000CTIN
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The DayCTIN
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public InvestigationsCTIN
 
Nra
NraNra
NraCTIN
 
Introduction to memory forensics
Introduction to memory forensicsIntroduction to memory forensics
Introduction to memory forensicsMarco Alamanni
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...Mark Matienzo
 
Social Media for Investigations Tools
Social Media for Investigations ToolsSocial Media for Investigations Tools
Social Media for Investigations ToolsMandy Jenkins
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)Shuvo Sarker
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Mark Matienzo
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7RIAH ENCARNACION
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007CTIN
 

Viewers also liked (20)

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
July132000
July132000July132000
July132000
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The Day
 
Digital forensic upload
Digital forensic uploadDigital forensic upload
Digital forensic upload
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public Investigations
 
Nra
NraNra
Nra
 
Introduction to memory forensics
Introduction to memory forensicsIntroduction to memory forensics
Introduction to memory forensics
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...Using and Developing with Open Source Digital Forensics Software in Digital A...
Using and Developing with Open Source Digital Forensics Software in Digital A...
 
Social Media for Investigations Tools
Social Media for Investigations ToolsSocial Media for Investigations Tools
Social Media for Investigations Tools
 
Capturing forensics image
Capturing forensics imageCapturing forensics image
Capturing forensics image
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics
 
Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)Facebook Forensics Toolkit(FFT)
Facebook Forensics Toolkit(FFT)
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
 
Files and Folders in Windows 7
Files and Folders in Windows 7Files and Folders in Windows 7
Files and Folders in Windows 7
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
 
Windows 7-cheat-sheet
Windows 7-cheat-sheetWindows 7-cheat-sheet
Windows 7-cheat-sheet
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007
 

Similar to [OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Forensics

Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsSloan Carne
 
A Comparison Study of Android Mobile Forensics for Retrieving Files System
A Comparison Study of Android Mobile Forensics for Retrieving Files SystemA Comparison Study of Android Mobile Forensics for Retrieving Files System
A Comparison Study of Android Mobile Forensics for Retrieving Files SystemCSCJournals
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
Social Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadSocial Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadTom Eston
 
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...Cellebrite
 
Android app development
Android app developmentAndroid app development
Android app developmentTechizzaa
 
Forensics_1st_Presentation.pptx
Forensics_1st_Presentation.pptxForensics_1st_Presentation.pptx
Forensics_1st_Presentation.pptxFatemaAkter78
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
OSINT x UCCU Workshop on Open Source Intelligence
OSINT x UCCU Workshop on Open Source IntelligenceOSINT x UCCU Workshop on Open Source Intelligence
OSINT x UCCU Workshop on Open Source IntelligencePhilippe Lin
 
Cloudlytics - Analyze S3 & CloudFront Logs
Cloudlytics - Analyze S3 & CloudFront LogsCloudlytics - Analyze S3 & CloudFront Logs
Cloudlytics - Analyze S3 & CloudFront LogsCloudlytics
 
Android Application Development GDSC DCE Darbhanga.pptx
Android Application Development GDSC DCE Darbhanga.pptxAndroid Application Development GDSC DCE Darbhanga.pptx
Android Application Development GDSC DCE Darbhanga.pptxDCETechnicalClub
 
#mytweet via Instagram: Exploring User Behaviour Across Multiple Social Networks
#mytweet via Instagram: Exploring User Behaviour Across Multiple Social Networks#mytweet via Instagram: Exploring User Behaviour Across Multiple Social Networks
#mytweet via Instagram: Exploring User Behaviour Across Multiple Social NetworksBang Hui Lim
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowWinston & Strawn LLP
 
Breaking Down Walls in Enterprise with Social Semantics
Breaking Down Walls in Enterprise with Social SemanticsBreaking Down Walls in Enterprise with Social Semantics
Breaking Down Walls in Enterprise with Social SemanticsJohn Breslin
 

Similar to [OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Forensics (20)

Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU Investigators
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
A Comparison Study of Android Mobile Forensics for Retrieving Files System
A Comparison Study of Android Mobile Forensics for Retrieving Files SystemA Comparison Study of Android Mobile Forensics for Retrieving Files System
A Comparison Study of Android Mobile Forensics for Retrieving Files System
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
 
Social Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadSocial Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile Dead
 
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
 
Android app development
Android app developmentAndroid app development
Android app development
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp Forensic
 
Forensics_1st_Presentation.pptx
Forensics_1st_Presentation.pptxForensics_1st_Presentation.pptx
Forensics_1st_Presentation.pptx
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
OSINT x UCCU Workshop on Open Source Intelligence
OSINT x UCCU Workshop on Open Source IntelligenceOSINT x UCCU Workshop on Open Source Intelligence
OSINT x UCCU Workshop on Open Source Intelligence
 
Android
AndroidAndroid
Android
 
Cloudlytics - Analyze S3 & CloudFront Logs
Cloudlytics - Analyze S3 & CloudFront LogsCloudlytics - Analyze S3 & CloudFront Logs
Cloudlytics - Analyze S3 & CloudFront Logs
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Android Application Development GDSC DCE Darbhanga.pptx
Android Application Development GDSC DCE Darbhanga.pptxAndroid Application Development GDSC DCE Darbhanga.pptx
Android Application Development GDSC DCE Darbhanga.pptx
 
#mytweet via Instagram: Exploring User Behaviour Across Multiple Social Networks
#mytweet via Instagram: Exploring User Behaviour Across Multiple Social Networks#mytweet via Instagram: Exploring User Behaviour Across Multiple Social Networks
#mytweet via Instagram: Exploring User Behaviour Across Multiple Social Networks
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to Know
 
Breaking Down Walls in Enterprise with Social Semantics
Breaking Down Walls in Enterprise with Social SemanticsBreaking Down Walls in Enterprise with Social Semantics
Breaking Down Walls in Enterprise with Social Semantics
 

More from OWASP Turkiye

[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve Güvenlik
[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve Güvenlik[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve Güvenlik
[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve GüvenlikOWASP Turkiye
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...OWASP Turkiye
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...OWASP Turkiye
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...
[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...
[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...OWASP Turkiye
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...OWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...OWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...OWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...OWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...OWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...OWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...OWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki Hırsız
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki Hırsız[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki Hırsız
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki HırsızOWASP Turkiye
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...OWASP Turkiye
 

More from OWASP Turkiye (13)

[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve Güvenlik
[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve Güvenlik[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve Güvenlik
[OWASP-TR Uygulama Güvenliği Günü 2016] Özgür Alp - HTTP/2 ve Güvenlik
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Özkan Boztaş - SSL Protokolüne Karşı ...
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Gökmen Güreşçi - Web Uygulamalarında ...
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...
[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...
[OWASP-TR Uygulama Güvenliği Günü 2016] Muhammet Dilmaç - Ruby on Rails Web F...
 
[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...
[OWASP-TR Uygulama Güvenliği Günü 2016] Emre Kısa - HTTP Güvenlik Başlıkları ...
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ömer Faruk Acar - Mobil Uygulamalar ...
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bahtiyar Bircan - PwnPhone: Cepteki ...
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Oğuzhan Topgül - iOS'da Zararlı Yazı...
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Mehmet Sabır Kiraz & Osmanbey Uzunko...
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Sertel Şıracı - Mobil Uygulama Güven...
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Ahmet Can Kan - Attacking Mobile App...
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki Hırsız
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki Hırsız[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki Hırsız
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Bakır Emre - Cebinizdeki Hırsız
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Fatih Emiral - Android Uygulamalara ...
 

[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Forensics

  • 1. SOCIAL MEDIA FORENSICS ON MOBILE DEVICES YALÇIN ÇAKMAK
  • 2. Why This Topic • 22% of total world population use social media via mobile devices (2014 September by We Are Social agency) • 2% of social media cases refer mobile devices as a source (by X1 Social Discovery from 2010 and 2011 in USA) • Sharing personal data such as age, location, education, job, religion and some preferences • Electronic crimes like identity theft, drug dealing,phishing and fraud. • E-mails, text messages, photos, passwords, credit card numbers and internet history left behind INTRODUCTION
  • 3. • Determination of the artifacts and potential evidences • Difference between applications and operating systems • Facebook, Twitter, Google+, Instagram, WhatsApp and LinkedIn are chosen • Android and iOS dominates the market • Samsung GT-i9500 Galaxy S IV (Android) and Apple iPhone 5S (iOS) are chosen INTRODUCTION Market shares of mobile operating systems
  • 4. • Digital Forensics • Social Media and Social Networks • Mobile Forensics  Operating Systems: Android and iOS  Evidence Extraction  Methods: Manuel, Logical and Physical  Tools: XRY, Cellebtite, Oxygen and Open Source Tools  Types of Evidences: Address Book, Call History, Messages, E-mails, Multimedia, Web History, Geolocation data and Application data  Challenges • Social Media Forensics on Mobile Devices  Related Work  Sample Cases LITERATURE REVIEW Extraction Methods
  • 5. • Windows 7 Professional 64-bit operating system with 8 GB RAM • Samsung GT-i9500 Galaxy S IV ( 16 GB capacity and Android 4.4.2) • Apple iPhone 5S (A1457 chip, 32 GB capacity and iOS 8.1) • Mobile applications of Facebook, Twitter, Google+, Instagram, WhatsApp and LinkedIn for iOS and Android • XRY v6.11.1 • AccessData FTK Imager v3.0.0.1443 • Android SDK • VMware workstation 9.0.1 • SANS Investigative Forensic Toolkit (SIFT) 2.13 Linux Workstation • Pangu v1.2.1 for jailbreak • Odin3 v3.09 and CF-Root Package for rooting • Putty v0.63 • WinSCP v 5.5.6 • HFSExplorer 0.21 • WinHex 15.9 • Plist Editor Pro v2.0 • SQLite Database Browser v3.4.0 • Micro USB cable for Samsung phone • Lightning to USB Cable for iPhone 5S • 16 GB Micro SD card • 2 Avea SIM Cards RESEARCH METHODOLOGY Test Environment and Requirements
  • 6. • Mobile operating systems Only iOS and Android are tested • Social network apps Only 6 apps are tested • commercial software for forensic imaging Only XRY v6.11.1 is used as a commercial software for forensic imaging RESEARCH METHODOLOGY Limitations of Research
  • 7. • Rooting is gaining root access to a device • Jailbreaking is removing limitations on device and enables to install and use various applications like SSH • The goal of rooting and jailbreaking is the same in this research • The main purpose of these low level modifications is acquiring physical images of devices • Admissibility of these mobile devices is also indispensable • Most of the countries do not have laws including rooting and jailbreaking • Widely used commercial tools may also have a support for rooting • All possible acquisition methods had to be applied before low level modifications • Most of the previous researches are based on non-modified devices and logical acquisition methods RESEARCH METHODOLOGY Rooting and Jailbreaking Rooting Android device with Odin3 v3.09 Pangu software screen after iOS Jailbreak
  • 8. Application Version Activity iOS Android Facebook 18.0 21.0.0.23.12 Account creation Profile update Comment posting Comment Editing Location sharing Photo upload Facebook Messenger 15.1 16.0.0.16.15 Sending a text message Receiving a text message Deleting a message Sending a photo Deleting a photo Twitter 6.17 5.34.0 Account creation Profile update Follow some accounts Unfollow some accounts Comment posting Private message sending to a friend Location sharing Photo upload Sample search Google+ 4.7.4 4.2.4 Account creation Profile update Follow some accounts Unfollow some accounts Comment posting Location sharing Photo upload Application Version Activity iOS Android Instagram 6.2.0 6.10.1 Account creation Profile update Follow some accounts Unfollow some accounts Photo sharing Deleting a photo WhatsApp Messenger 2.11.12 2.11.432 Account creation with phone number Profile update Adding a friend Sending and receiving a text message Sending and receiving a photo Location sharing Deleting any content LınkedIn 8.1.58 3.4.3 Account creation Profile update Searching a friend RESEARCH METHODOLOGY Scenarios
  • 9. • Acquisition phase is most challenging part of this research • Both physical and logical images of each devices are acquired • Logical images are acquired with XRY v6.11.1 • Physical images are acquired with open source UNIX “dd” command line tool RESEARCH METHODOLOGY Acquisition İmaging raw disk partitions of iOS deviceImaging raw disk partitions of Android device Logical imaging with XRY
  • 10. • The last and detailed phase of this research • Both commercial and open source tools are used • The main tool is XRY v6.11.1. It decodes and parses the files to present in a comprehensible format • AccessData FTK Imager is for Android images and HFSExplorer is for iOS images. For mounting and file export. • SQLite Browser and Plist editör. • R-Studio and foremost • WinHex and some commands like “xxd” and “strings” RESEARCH METHODOLOGY Analysis
  • 11. iOS • Orca2.db file: friends’ names, Facebook IDs, chat messages with timestamps and geographic coordinates, profile picture URLs and threads. • fbsyncstore.db file: Emails, phone numbers, friends’ names, searched people, Facebook IDs and profile picture URLs • 100004158494721.session.plist file: profile information like high school, work, education and city. It also stores longitude and latitude of some shared locations s • Multimedia files are in LibraryCaches directory. EXAMINATION AND ANALYSIS Facebook Artifacts Android • Contacts_db2 file: number of contacts, contact IDs, phone numbers, names and surnames, picture URLs • threads_db2 file: chat messages with time stamps, group conversations, various unique IDs, phone numbers, coordinates and last seen time • cookies.db: cookie name, creation time, its value, expiration time and last access time • notifications_db: notification ID, recipient ID, cache ID, notification message and profile picture URLs Sample message format with metadata information for Facebook applicationSample deleted Facebook message with metadata information retrieved from orca2.db file
  • 12. iOS • autocomplete4.sqlite3 file: hashtags with ID, priority, description and timestamp • twitter.db file: text messages with timestamps and user IDs, retweets, retweet counts, following accounts, status messages, location information, URLs and descriptions • app.acct.JoeJoeblackst-437908224.detail.10.log file: text messages, profile information and URLs • Multimedia files are in LibraryCaches directory. EXAMINATION AND ANALYSIS Twitter Artifacts Android • 2880712150-17.db file: Twitter conversations with time stamps, unique IDs, URLs, searches, hashtags and followers • Global.db file: account name, user ID, tweet and mention count • 0-scribe.db file: logs and IDs in scribe table • Multimedia files are in media0Androiddatacom.twitter.android cache directory Sample posted tweet format with metadata information for Twitter applicationSample posted tweet format with metadata information for Twitter application
  • 13. iOS • Profile.plist file: profile information such as name, E-mail, gender, picture URL and unique ID • com.google.PlusCore.PersonCacheCollection.1116138 86622229336085.plist file: various profile information about user and user’s friends • Multimedia files are in LibraryCaches directory. • Some of the old (deleted and changed) profile entries such as E-mail can be found but some of them cannot. • Deleted posts cannot be found in logical image. • Google+ application do not use SQLite database files in iOS. EXAMINATION AND ANALYSIS Google+ Artifacts Android • es0.db, es1.db and es2.db database files: contacts, user names, unique IDs, time stamps, URLs, activities, comments, searches and locations • Accounts.xml file: account names, emails, unique IDs, URLs and so on • iu_settings.xm: emails, time stamps and some more settings about Google+ application • notifications_db: notification ID, recipient ID, cache ID, notification message and profile picture URLs Sample posted message format with metadata information for Google+ application
  • 14. iOS • lastentries.coded.log file: profile information and incoming posts with picture urls • recent-users.coded.log file: various profile information and following people • Multimedia files are in LibraryCaches directory. • Instagram application do not use SQLite database files in iOS. Log, plist and xml files store evidentiary contents. These files do not contain deleted data. Consequently, deleted artifacts and old profile information cannot be found in logical image of the phone. EXAMINATION AND ANALYSIS Instagram Artifacts Android • 1564603320_USER_PREFERENCES.xml file: geotag enabled or disabled, recent user searches, contacts count, inbox new share count • 1564603320_video_view.xml file: watched videos and watching times • Multimedia files are in datacom.instagram.androidcache , datacom.instagram.androidfiles , media0PicturesInstagram , media0Androiddatacom.instagram.androidcachevideo • Instagram application do not use SQLite database files. Profile information is stored in xml files. Old profile information cannot be found in both xml files and raw image of data partition
  • 15. iOS • ChatStorage.sqlite file: user names, phone numbers, text messages, time stamps, unique IDs and used words list • Contacts.sqlite file: user names, phone numbers, time stamps and status messages • ChatSearch.sqlite file: chat messages, phone numbers and time stamps • net.whatsapp.WhatsApp.plist file: user name, status message, login count, payment information and number of received and sent messages • whatsapp-2014-11-17-16-27-09.763.1.log file: time stamps for messages, phone numbers, IP addresses, device information, carrier name • Multimedia files are in LibraryCaches and LibraryMedia directories EXAMINATION AND ANALYSIS WhatsApp Artifacts Android • msgstore.db file: chat messages with time stamps, phone numbers, pictures as raw data and user IDs • wa.db file: contact people with names, phone numbers, status messages and time stamps • Axolotl.db file: some encrypted keys and unique IDs • com.whatsapp_preferences.xml file: phone number, time stamps, program version and some more preferences • Whatsapp.log file: various log information about WhatsApp application • Multimedia files are in media0WhatsAppMediaWhatsApp Images and datacom.whatsappfilesAvatars directories Sample message format with metadata information for WhatsApp applicationComparison of WhatsApp deleted messages in ChatSeach.sqlite file
  • 16. iOS • com.linkedin.LinkedIn.plist file: basic profile information such as name, E-mail, headline, picture URL and user ID number • cacheInfo.plist file: file names that contain accessed URLs, file sizes and time stamps • liv2profile385087501.xml file: user ID and profile information such as name, location, E-mail, phone number, address, education, job, website and picture URL • notificaions_data_center_key.xml file: Information about who viewed the profile • LinkedIn profile update was performed. Some information such as phone number, address, university, occupation and profile picture were changed and tried to recover old information. Only university and occupation can be found in the logical image. Some of the old profile information cannot be found. EXAMINATION AND ANALYSIS LinkedIn Artifacts Android • linkedin.db file: profile information, time stamps, search results, notifications, companies and recommended people • auth_library_prefs.xml file: user name, member ID and E-mail • LinkedInPrefs.xml file: user name, E-mail, member ID and profile picture URL. • Multimedia files are in media0Androiddatacom.linkedin.android cacheli_images directory Deleted LinkedIn profile information retrieved from linkedin.db file
  • 17. • Mobile social media applications generally create database files, log files, xml files and plist files to store most of the private and evidentiary data • User names and user IDs, contacts, chat messages, pictures, time stamps, location coordinates and some more private information were retrieved even after they have been deleted • Deleting a record just removes the reference to it, but leaves the actual data in the file. • These kind of examinations are the most time-consuming because of manual methods • Platforms have similarities and differences about stored data contents, time stamp formats, picture formats, unique IDs and logs. • The entire file system is encrypted in iOS devices with hardware level encryption. User data partition could be imaged but file contents could not be seen. iOS seems more secure than Android in this respect • To avoid using SQLite database system makes Instagram more secure than others RESEARCH FINDINGS
  • 18. • Several future researches are needed inevitably in social media forensics on mobile devices • Renewed operating system versions and new social media applications will require new researches • Better forensically sound methods can be performed for physical imaging of the nonvolatile memory of mobile devices. • Further research in this area may be performed on acquiring and analyzing the volatile memory (RAM). • Encryption and secure erasing of private social media data may be accomplished in any future research. FUTURE WORK