Contemporary Digital Forensic Investigations of Cloud and Mobile Applications

(CyberSec)."

Chapter 1

Contemporary Digital Forensics Investigations of Cloud and Mobile Applications

K.-K.R. Choo*,†; A. Dehghantanha‡    * University of Texas at San Antonio, San Antonio, TX, United States

† University of South Australia, Adelaide, SA, Australia

‡ University of Salford, Salford, United Kingdom

Abstract

Digital forensics is a relatively new and fast growing field of research that is focused on the development of forensically sound methods for the collection, preservation, and analysis of digital evidence. However, the fast pace of development in IT and digital technologies has made it difficult for the forensic research community to react in a timely manner and develop tools, techniques, and procedures for handling digital evidence. The wide adoption of cloud platforms and mobile devices has made them an important resource for digital forensics. The identification, collection, preservation, and analysis of evidence from mobile and cloud platforms has proven to be a challenge. This chapter provides an overview of the existing research gaps in the cloud and mobile forensic fields.

Keywords

Digital investigation; Cyber forensics; Mobile forensics; Cloud forensics; Instant messaging application forensics

The US government defined cyberspace as the interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, embedded processors, and controllers in critical industries [1]. The increasing number and role of cyber elements in both civil and military infrastructures and applications have attracted the attention of cybercriminals (including state-sponsored actors) [2]. As observed by Choo, Smith, and McCusker, there are a number of attack vectors, ranging from syntactic—exploiting technical vulnerabilities (e.g., use of malware [3])—to semantic—exploiting social vulnerabilities to blended approaches compromising both social and technical exploitations [4].

Cybercrime can be loosely defined as an unlawful activity involving computers, as the subject, object, or tools of a crime [5]. Increasingly popularity has also resulted in the importance of digital forensics (also known as cyber forensics, computer forensics and network forensics) [6,7]. While there are a number of definitions for digital forensics, it can be broadly defined to be the identification, collection, preservation, analysis, and reporting of digital evidences [8]. While conducting a forensic investigation, it is important to ensure that one is familiar with the local and relevant laws and regulations for handling digital evidence [9–11], data privacy regulation [12–16], and the relevant technical guidelines (e.g., guidelines for computer forensics [8,17–19], Internet forensics [20], and mobile forensics [10,21–25]), as well as maintaining up-to-date technical proficiency in investigating a broad range of attacks [26], malware [3,27–29], and popular consumer technologies such as cloud [11,20,30] and internet of things [31,32].

Any new consumer technology created and deployed will at some point come under scrutiny in the course of an investigation, criminal or civil. Cloud computing, for example, has seen massive growth in recent years. Although cloud computing are often being credited for enabling promising and cost-competitive solutions, it is subject to potential abuse. Identification, collection, preservation, and analysis of evidence in a cloud environment can be cloudy [33,34], as data of interest are likely stored in a cloud server outside the jurisdiction of the investigators. Mobile devices are, however, a potential evidential source as such devices are commonly used to access cloud services. Thus, it is not surprising that cloud and mobile forensics are emerging as popular forensic research focuses [2,35,36].

The first (and one of the most widely cited) cloud forensic framework(s) was proposed by Martini and Choo [20,37], which was derived from the McKemmish investigation framework [38] and the NIST mobile forensics guideline [39]. This framework had been used in a number of cloud forensic studies investigating ownCloud [20], Amazon EC2 [40], XtreemFS [41], SkyDrive [42], Dropbox [43], Google Drive [44–47], SugarSync [48], MEGA [49], hubiC [50], and Ubuntu One [51]. Chung et al. [52] proposed another methodology for cloud forensics and utilized it to investigate Amazon S3, Google Docs, and Evernote. Other studies have demonstrated that it is possible to partially retrieve residual evidences of cloud platforms such as synchronizing history and synchronized files from unstructured datasets [53]. Developing tools and techniques to acquire evidence from different cloud platforms [54–57] analyzing the effectiveness of data acquisition functions of existing cloud forensics tools [58,59] are also topics of ongoing research interest. A number of researchers have also pointed out potential complications in preserving cloud data remnants [45,60].

Cloud computing is not the only consumer technology of forensic importance [20,43,44,49–51,55,61–66]. Instant messaging mobile applications such as American Online Messenger [67–69], MSN Messenger [67,70], Yahoo Messenger [71,72], Facebook Messenger [19,73], Skype [74–76] and even Trillian [77], and Pidgin [78] have been the subject of forensic examinations. In addition to mobile (and cloud) app forensics, a number of researchers have also focused on mobile device forensics, such as Blackberry [79,80], Nokia [81,82], and Samsung [83].

Suffice it to say that the need for digital forensics is unlikely to fade away in the foreseeable future, and in fact with the increasing digitalization of our society, the importance of digital forensics will be more important than ever.

This book seeks to provide both digital forensic practitioners and researchers an up-to-date and advanced knowledge in collecting, preserving, and analyzing digital evidence from different cloud services such as platform as a service, infrastructure as a service, and storage as a service.

The structure of the remaining of this book is as follows.

Chapter 2: Forensics Analysis of Skype, Viber, and WhatsApp on Android Platform

Chapter 3: Investigating America Online Instant Messaging Application: Data Remnants on Windows 8.1 Client Machine

Chapter 4: Forensic Investigation of Social Media and Instant Messaging Services in Firefox OS: Facebook, Twitter, Google +, Telegram, OpenWapp, and Line as Case Studies

Chapter 5: Network Traffic Forensics on Firefox Mobile OS: Facebook, Twitter, and Telegram as Case Studies

Chapter 6: Mobile Phone Forensics: An Investigative Framework Based on User Impulsivity and Secure Collaboration Errors

Chapter 7: Performance of Android Forensics Data Recovery Tools

Chapter 8: Honeypots for Employee Information, Security Awareness, and Education Training: A Conceptual EASY Training Model

Chapter 9: Implications of Emerging Technologies to Incident Handling and Digital Forensic Strategies: A Routine Activity Theory

Chapter 10: Forensic Readiness: A Case Study on Digital CCTV Systems Anti-Forensics

Chapter 11: Forensic Visualization: Survey and Future Research Directions

Chapter 12: Investigating Storage as a Service Cloud Platform: pCloud as a Case Study

Chapter 13: Cloud Storage Forensics: Analysis of Data Remnants on SpiderOak, JustCloud, and pCloud

Chapter 14: Residual Cloud Forensics: CloudMe and 360Yunpan as Case Studies

Chapter 15: An Android Cloud Storage Apps Forensic Taxonomy

References

[1] Ganji M., Dehghantanha A., Izuraudzir N., Damshenas M. Cyber warfare trends and future. Adv. Inf. Sci. Serv. Sci. 2013;5:1–10.

[2] Choo K.-K.R. Organised crime groups in cyberspace: a typology. Trends Organ. Crime. 2008;11(3):270–295.

[3] Damshenas M., Dehghantanha A., Mahmoud R. A survey on malware propagation, analysis and detection. Int. J. Cyber-Security Digit. Forensics. 2013;2(4):10–29.

[4] Choo K.-K.R., McCusker R., Smith R.G. Future Directions in Technology-Enabled Crime: 2007–09. Australian Institute of Criminology; 2007. http://www.aic.gov.au/media_library/publications/rpp/78/rpp078.pdf.

[5] Mercuri R. Criminal defense challenges in computer forensics. In: 1st Int. Conf. Digit. Forensics Cyber Crime, ICDF2C 2009, vol. 31 LNICST; 2010:132–138.

[6] Choo K.-K.R. The cyber threat landscape: challenges and future research directions. Comput. Secur. 2011;30(8):719–731.

[7] M.K. Rogers, K.C. Seigfried-Spellar (Eds.) Digital Forensics and Cyber Crime, 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25–26, 2012.

[8] Kessler G.C. Advancing the science of digital forensics. Computer (Long. Beach. Calif.). 2012;45(12):25–27.

[9] Martini B., Do Q., Choo K.-K.R. Conceptual evidence collection and analysis methodology for Android devices. In: Ko R., Choo K.-K.R., eds. Cloud Secur. Ecosyst. Cambridge, MA: Syngress; 2015:285–307. doi:10.1016/B978-0-12-801595-7.00014-8.

[10] Aminnezhad A., Dehghantanha A., Abdullah M.T., Damshenas M. Cloud forensics issues and opportunities. Int. J. Inf. Process. Manag. 2013;4(4):76–85.

[11] Choo K.-K.R., Smith R.G. Criminal exploitation of online systems by organised crime groups. Asian J. Criminol. 2007;3(1):37–59.

[12] Daryabar F., Dehghantanha A., Udzir N.I., Fazlida N. A survey on privacy impacts of digital investigation. J. Next Gener. Inf. Technol. 2013;4(8):57–68.

[13] Ho V., Dehghantanha A., Shanmugam K. A guideline to enforce data protection and privacy digital laws in Malaysia. In: 2010 Second International Conference on Computer Research and Development; 2010:3–6.

[14] Aminnezhad A., Ali Dehghantanha M.T.A. A survey on privacy issues in digital forensics. Int. J. Cyber-Security Digit. Forensics. 2012;1(4):311–323.

[15] Dehghantanha A., Franke K. Privacy-respecting digital investigation. In: 2014 Twelfth Annual International Conference on Privacy, Security and Trust; 2014:129–138.

[16] Choo K.-K.R., Sarre R. Balancing privacy with legitimate surveillance and lawful data access. IEEE Cloud Comput. 2015;2(4):8–13.

[17] Bennett D. The challenges facing computer forensics investigators in obtaining information from mobile devices for use in criminal investigations. Inf. Secur. J. A Glob. Perspect. 2012;21(3):159–168.

[18] Wang W. Steal This Computer Book 4.0: What They Won’t Tell You About the Internet. fourth ed. San Francisco, CA: No Starch Press; 2006.

[19] Yang T.Y., Dehghantanha A., Choo K.-K.R., Muda Z. Windows instant messaging app forensics: Facebook and Skype as case studies. PLoS ONE. 2016;11(3):e0150300.

[20] Quick D., Martini B., Choo K.-K.R. Cloud Storage Forensics. Elsevier; 2013.

[21] Do Q., Martini B., Choo K.-K.R. A forensically sound adversary model for mobile devices. PLoS ONE. 2015;10(9):e0138449.

[22] Mumba E.R., Venter H.S. Mobile forensics using the harmonised digital forensic investigation process. In: 2014 Information Security for South Africa; 2014:1–10.

[23] Lessard J., Kessler G. Android Forensics: Simplifying Cell Phone Examinations. ECU Publications Pre. 2011; 2010.

[24] Norouzizadeh Dezfouli F., Dehghantanha A., Eterovic-Soric B., Choo K.-K.R. Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google + artefacts on Android and iOS platforms. Aust. J. Forensic Sci. 2016;46(4):469–488.

[25] Yusoff M., Mahmod R., Dehghantanha A., Abdullah M. Advances of mobile forensic procedures in Firefox OS. Int. J. Cyber-Security Digit. Forensics (IJCSDF). 2014;3(4) Society of Digital Information and Wireless Communications (SDIWC).

[26] Kessler G., Browning D. Bluetooth Hacking: A Case Study. ECU Publications Pre. 2011; 2009.

[27] Damshenas M., Dehghantanha A., Choo K.K.R., Mahmud R. M0Droid: an Android behavioral-based malware detection model. J. Inf. Priv. Secur. 2015;11(3):141–157.

[28] Kondakci S. A concise cost analysis of Internet malware. Comput. Secur. 2009;28(7):648–659.

[29] Shaerpour K., Dehghantanha A., Mahmod R. Trends in Android malware detection. J. Digit. Forensic Secur. Law. 2013;8(3):21–40.

[30] Do Q., Martini B., Choo K.K.R. A cloud-focused mobile forensics methodology. IEEE Cloud Comput. 2015;2(4):60–65.

[31] Oriwoh E., Jazani D., Epiphaniou G., Sant P. Internet of things forensics: challenges and approaches. In: Proceedings of the 9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing; 2013:608–615.

[32] O’Neill M. The internet of things: do more devices mean more risks? Comput. Fraud Secur. 2014;2014(1):16–17.

[33] Daryabar F., Dehghantanha A. A review on impacts of cloud computing and digital forensics. Int. J. Cyber-Security Digit. Forensics (IJCSDF). 2014;3(4):183–199 Society of Digital Information and Wireless Communications (SDIWC).

[34] Farid Daryabar S.B.S., Dehghantanha A., Izura Udzir N., Mohd Sani N.F. A survey about impacts of cloud computing on digital forensics. Int. J. Cyber-Security Digit. Forensics. 2013;2(2):77–94.

[35] Ab Rahman N.H., Choo K.-K.R. A survey of information security incident handling in the cloud. Comput. Secur. 2015;49:45–69.

[36] Osanaiye O., Cai H., Choo K.-K.R., Dehghantanha A., Xu Z., Dlodlo M. Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing. EURASIP J. Wirel. Commun. Netw. (1):2016;130.

[37] Martini B., Choo K.-K.R. An integrated conceptual digital forensic framework for cloud computing. Digit. Investig. 2012;9(2):71–80.

[38] McKemmish R. What is forensic computing? Canberra: Australian Institute of Criminology; 1999.

[39] Ayers R., Jansen W., Brothers S. Guidelines on mobile device forensics (NIST Special Publication 800-101 Revision 1). 2014;1:85.

[40] Bagh C. Amazon EC2 helps researcher to crack WiFi password in 20 minutes. 2011.

[41] Martini B., Choo K.-K.R. Distributed filesystem forensics: XtreemFS as a case study. Digit. Investig. 2014;11(4):295–313.

[42] Quick D., Choo K.-K.R. Digital droplets: Microsoft SkyDrive forensic data remnants. Futur. Gener. Comput. Syst. 2013;29(6):1378–1394.

[43] Daryabar F., Dehghantanha A., Eterovic-Soric B., Choo K.-K.R. Forensic investigation of OneDrive, Box, GoogleDrive and Dropbox applications on Android and iOS devices. Aust. J. Forensic Sci. 2016;1–28. doi:10.1080/00450618.2015.1110620.

[44] Quick D., Choo K.-K.R. Google drive: forensic analysis of data remnants. J. Netw. Comput. Appl. 2014;40:179–193.

[45] Quick D., Choo K.-K.R. Forensic collection of cloud storage data: does the act of collection result in changes to the data or its metadata? Digit. Investig. 2013;10(3):266–277.

[46] Federici C. Cloud data imager: a unified answer to remote acquisition of cloud storage areas. Digit. Investig. 2014;11(1):30–42.

[47] Ab Rahman N.H., Cahyani N.D.W., Choo K.-K.R. Cloud incident handling and forensic-by-design: cloud storage as a case study. Concurr. Comput. Pract. 2016;doi:10.1002/cpe.3868/.

[48] Shariati M., Dehghantanha A., Choo K.-K.R. SugarSync forensic analysis. Aust. J. Forensic Sci. 2015;48(1):95–117.

[49] Daryabar F., Dehghantanha A., Choo K.-K.R. Cloud storage forensics: MEGA as a case study. Aust. J. Forensic Sci. 2016;1–14. doi:10.1080/00450618.2016.1153714.

[50] Blakeley B., Cooney C., Dehghantanha A., Aspin R. Cloud Storage Forensic: hubiC as a case-study. In: 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom); 2015:536–541.

[51] Shariati M., Dehghantanha A., Martini B., Choo K.-K.R. Chapter 19—Ubuntu One investigation: detecting evidences on client machines. In: Choo R.K.-K.R., ed. The Cloud Security Ecosystem. Boston: Syngress; 2015:429–446.

[52] Chung H., Park J., Lee S., Kang C. Digital forensic investigation of cloud storage services. Digit. Investig. 2012;9(2):81–95.

[53] Quick D., Choo K.-K.R. Digital droplets: Microsoft SkyDrive forensic data remnants. Futur. Gener. Comput. Syst. 2013;29(6):1378–1394.

[54] Quick D., Choo K.-K.R. Big forensic data reduction: digital forensic images and electronic evidence. Clust. Comput. 2016;19(2):723–740.

[55] Scanlon M., Farina J., Le Khac N.A., Kechadi T. Leveraging Decentralization to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync. 2014 arXiv:1409.8486 [cs].

[56] Dykstra J., Sherman A.T. Understanding issues in cloud forensics: two hypothetical case studies. In: Proceedings of the 2011 ADSFL Conference on Digital Forensics, Security, and Law; 2011:45–54.

[57] Gebhardt T., Reiser H.P. Network forensics for cloud computing. In: Dowling J., Taïani F., eds. Distributed applications and interoperable systems, no. 7891. Berlin, Heidelberg: Springer; 2013:29–42.

[58] Dykstra J., Sherman A.T. Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digit. Investig. 2012;9:S90–S98.

[59] Thethi N., Keane A. Digital forensics investigations in the cloud. In: Proc. Int’l Advance Computing Conf. (IACC 14); 2014:1475–1480.

[60] Dykstra J., Sherman A.T. Design and implementation of FROST: digital forensic tools for the OpenStack cloud computing platform. Digit. Investig. 2013;10:S87–S95.

[61] Quick D., Choo K.-K.R. Dropbox analysis: data remnants on user machines. Digit. Investig. 2013;10(1):3–18.

[62] Mehreen S., Aslam B. Windows 8 cloud storage analysis: Dropbox forensics. In: 2015 12th International Bhurban Conference on Applied Sciences and Technology (IBCAST); 2015:312–317.

[63] Martini B., Do Q., Choo K.-K.R. Chapter 15—mobile cloud forensics: an analysis of seven popular Android apps. The Cloud Security Ecosystem. 2015.309–345.

[64] Grispos G., Glisson W.B., Storer T. Chapter 16—Recovering residual forensic data from smartphone interactions with cloud storage providers. Cloud Secur. Ecosyst. 2015.347–382.

[65] Grispos G., Glisson W.B., Storer T. Using smartphones as a proxy for forensic evidence contained in cloud storage services. In: 2013 46th Hawaii International Conference on System Sciences; 2013:4910–4919.

[66] Shariati M., Dehghantanha A., Choo K.-K.R. SugarSync forensic analysis. Aust. J. Forensic Sci. 2016;48(1):95–117.

[67] Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit. Investig. 2006;3(2):79–83.

[68] Reust J. Case study: AOL instant messenger trace evidence. Digit. Investig. 2006;3(4):238–243.

[69] Kiley M., Dankner S., Rogers M. Forensic analysis of volatile instant messaging. In: Ray I., Shenoi S., eds. Advances in Digital Forensics IV, no. 285. US: Springer; 2008.

[70] van Dongen W.S. Forensic artefacts left by Windows Live Messenger 8.0. Digit. Investig. 2007;4(2):73–87.

[71] Dickson M. An examination into Yahoo Messenger 7.0 contact identification. Digit. Investig. 2006;3(3):159–165.

[72] Levendoski M., Datar T., Rogers M. Yahoo! Messenger forensics on Windows vista and Windows 7. In: Gladyshev P., Rogers M.K., eds. Digital Forensics and Cyber Crime, no. 88. Berlin Heidelberg: Springer; 2012:172–179.

[73] Al Mutawa N., Al Awadhi I., Baggili I., Marrington A. Forensic artifacts of Facebook’s instant messaging service. In: 2011 International Conference for Internet Technology and Secured Transactions ICITST; 2011:771–776.

[74] Yang T.Y., Dehghantanha A., Choo K.R., Muda Z. Windows instant messaging app forensics: Facebook and Skype as case studies. PLoS ONE. 2016.

[75] Simon M., Slay J. Recovery of Skype application activity data from physical memory. In: ARES’10 International Conference on Availability, Reliability, and Security, 2010; 2010:283–288.

[76] McQuaid J. Skype Forensics: Analyzing Call and Chat Data From Computers and Mobile. Magnet Forensics; 2012.

[77] Dickson M. An examination into Trillian basic 3.x contact identification. Digit. Investig. 2007;4(1):36–45.

[78] van Dongen W.S. Forensic artefacts left by Pidgin Messenger 2.0. Digit. Investig. 2007;4(3–4):138–145.

[79] Al Marzougy M., Baggili I., Marrington A. BlackBerry playbook backup forensic analysis. Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng.—Digit. Forensics Cyber Crime. 2013;114:239–252.

[80] Al Mutawa N., Baggili I., Marrington A. Forensic analysis of social networking applications on mobile devices. Digit. Investig. 2012;9(Suppl.):S24–S33.

[81] Mohtasebi S., Ali Dehghantanha H.G.B. Smartphone forensics: a case study with Nokia E5-00 Mobile Phone. Int. J. Digit. Inf. Wirel. Commun. 2011;1(3):651–655.

[82] Cahyani N.D.W., Martini B., Choo K.-K.R., Al-Azhar A.M.N. Forensic data acquisition from cloud-of-things devices: windows Smartphones as a case study. Concurr. Comput. Pract. 2016.

[83] Parvez S., Dehghantanha A., Broujerdi H.G. Framework of digital forensics for the Samsung Star Series phone. In: 2011 3rd International Conference on Electronics Computer Technology; 264–267. 2011;vol. 2.

Chapter 2

Forensics Analysis of Android Mobile VoIP Apps

T. Dargahi*; A. Dehghantanha†; M. Conti‡    * Islamic Azad University, Tehran, Iran

† University of Salford, Salford, United Kingdom

‡ University of Padua, Padua, Italy

Abstract

Voice over Internet Protocol (VoIP) applications (apps) provide convenient and low-cost means for users to communicate and share information with each other in real-time. Day by day, the popularity of such apps is increasing, and people produce and share a huge amount of data, including their personal and sensitive information. This might lead to several privacy issues, such as revealing user contacts, private messages, or personal photos. Therefore, having an up-to-date forensic understanding of these apps is necessary.

This chapter presents analysis of forensically valuable remnants of three popular Mobile VoIP (mVoIP) apps on Google Play store, namely: Viber, Skype, and WhatsApp Messenger, in order to figure out to what extent these apps reveal forensically valuable information about the users activities. We performed a thorough investigative study of these three mVoIP apps on smartphone devices. Our experimental results show that several artifacts, such as messages, contact details, phone numbers, images, and video files, are recoverable from the smartphone device that is equipped with these mVoIP apps.

Keywords

Android forensics; mVoIP; Viber; Skype; WhatsApp Messenger; Digital forensics

1 Introduction

In recent years, we have witnessed a rapid increase in the use of Voice over Internet Protocol (VoIP) services as an online communication method on mobile devices. This is not surprising due to the increasing proliferation of smartphones: it has been predicted that by 2019 the number of smartphone users will be more than 2.6 billion [1]. These days people use their smartphone devices not only for making voice calls and exchanging SMS, but also for obtaining several services that are offered due to the ubiquitous access to Internet, such as mobile banking, and location-based services. Meantime, the use of VoIP applications, which could be delivered easily through mobile VoIP applications (mVoIP apps), would enable people to interact, share information, and become socialized at a very low cost compared to most of the traditional communication techniques. However, such applications could also be exploited by criminals or be targeted by cybercriminals (e.g., with malware infection to steal financial data) [2, 3]. For these reasons, mobile devices (including smartphones) attracted a lot of attention from the security research community [4], in particular from the perspective of malware [5–12], security enforcement [13–16], and authentication mechanisms [17–19].

Smartphones are a common source of evidence in both criminal investigations and civil litigations [20–25]. However, the constant evolution and nature (e.g., closed source operating system and diverse range of proprietary hardware) of mobile devices and mobile apps complicates forensic investigations [26]. Among the existing smartphone operating systems in the market, Android dominated the market with more than 80% of the total market share in 2015 Q2 [27, 28]. Therefore Android popularity attracted several researchers to focus on investigating several different security aspects of Android, ranging from user identification [29, 30], feasibility of encryption methods on Android [31], cloud storage apps forensics [32], and social networking apps forensics [3]. Due to the increasing use of mVoIP apps for malicious activities on different platforms including Android, forensic investigation of such apps needs an extensive coverage [33, 34], and therefore in this chapter, we provide an investigative study of the three popular VoIP apps for Android on Google Play (see Table 1), namely: Viber [35], Skype [36], and WhatsApp [37]. The features of these VoIP apps are summarized in Table 2. In particular, we aim to answer the following question: What artifacts of forensic value can be recovered from the use of Viber, Skype, and WhatsApp Android apps?

Table 1

Number of Installations for Each Application [35–37]

Table 2

Features of mVoIP Applications

2 Related Work

These days, several trusted and untrusted providers launch various categories of applications for mobile devices. This has led to the ever increasing trend in using mobile devices in order to benefit from the services offered by these applications. This tendency motivated the forensic community to concentrate on forensic investigation of the mobile devices. In this regard Dezfoli et al. [26] perused the future trends in digital investigation and determined that mobile phone forensics is receiving more and more attention by the community and is one of the fastest growing fields. In [38], the authors provided a comprehensive discussion on the nature of digital evidence on mobile devices, along with a complete guide on forensic techniques to handle, preserve, extract, and analyze evidence from mobile devices. Moreover, they presented examples of commercial forensic tools that can be used to obtain data from mobile phones, such as Access Data Forensic Toolkit (FTK), Cellebrite Physical, XACT, along with the case example of the adopted Digital Forensic Framework (DDF) plug-in. In the same line of study, Mohtasebi and Dehghantanha [39] presented a unified framework for investigating different types of smartphone devices. Parvez et al. [40] proposed a forensics framework for investigating Samsung phones. Several researchers have proposed various frameworks for the investigation of Nokia mobile devices and Firefox OS [25, 41].

A comparison of forensic evidence recovery techniques for a Windows Mobile smartphone demonstrates that there are different techniques to acquire and decode information of potential forensic interest from a Windows Mobile smartphone [42]. Furthermore, forensic examination of the Windows Mobile device database (the pim.vol) file confirmed that pim.vol contains information related to contacts, call history, speed-dial settings, appointments, and tasks [43]. Moreover, in [44], the authors provided a number of possible methods of acquiring and examining data on Windows Mobile devices, as well as the locations of potentially useful data, such as text messages, multimedia, email, Web browsing artifacts, and Registry entries. They also used MobileSpy monitoring software as a case example to highlight the importance of forensic analysis. They showed that the existence of such a malicious monitoring software on a Windows phone could be detectable on the device being investigated by forensics analyst. In another recent study, Yang et al. [45] carried out an investigative study on two popular Windows instant messaging apps, i.e., Facebook and Skype. The authors showed that several artifacts are recoverable, such as contact lists, conversations, and transferred