Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
()
About this ebook
Contemporary Digital Forensic Investigations of Cloud and Mobile Applications comprehensively discusses the implications of cloud (storage) services and mobile applications on digital forensic investigations. The book provides both digital forensic practitioners and researchers with an up-to-date and advanced knowledge of collecting and preserving electronic evidence from different types of cloud services, such as digital remnants of cloud applications accessed through mobile devices.
This is the first book that covers the investigation of a wide range of cloud services. Dr. Kim-Kwang Raymond Choo and Dr. Ali Dehghantanha are leading researchers in cloud and mobile security and forensics, having organized research, led research, and been published widely in the field. Users will gain a deep overview of seminal research in the field while also identifying prospective future research topics and open challenges.
- Presents the most current, leading edge research on cloud and mobile application forensics, featuring a panel of top experts in the field
- Introduces the first book to provide an in-depth overview of the issues surrounding digital forensic investigations in cloud and associated mobile apps
- Covers key technical topics and provides readers with a complete understanding of the most current research findings
- Includes discussions on future research directions and challenges
Related to Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
Related ebooks
Managing Information Security Rating: 0 out of 5 stars0 ratingsDigital Forensics: Threatscape and Best Practices Rating: 0 out of 5 stars0 ratingsProfessional Penetration Testing: Volume 1: Creating and Learning in a Hacking Lab Rating: 4 out of 5 stars4/5Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility Rating: 3 out of 5 stars3/5Cloud Storage Forensics Rating: 4 out of 5 stars4/5Mobile Malware Infringement and Detection Rating: 0 out of 5 stars0 ratingsDigital Forensics with Open Source Tools Rating: 3 out of 5 stars3/5Kali Linux CTF Blueprints Rating: 0 out of 5 stars0 ratingsAutomated Security Analysis of Android and iOS Applications with Mobile Security Framework Rating: 1 out of 5 stars1/5Malware Forensics: Investigating and Analyzing Malicious Code Rating: 5 out of 5 stars5/5Practical Mobile Forensics - Second Edition Rating: 0 out of 5 stars0 ratingsMobile Device Forensics A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsComputer Forensics: A Pocket Guide Rating: 4 out of 5 stars4/5Mobile Malware Attacks and Defense Rating: 5 out of 5 stars5/5Mastering Mobile Forensics Rating: 0 out of 5 stars0 ratingsSecurity Assessment: Case Studies for Implementing the NSA IAM Rating: 3 out of 5 stars3/5Certified Cyber Forensics Professional The Ultimate Step-By-Step Guide Rating: 0 out of 5 stars0 ratingsBlackhatonomics: An Inside Look at the Economics of Cybercrime Rating: 3 out of 5 stars3/5Cuckoo Malware Analysis Rating: 0 out of 5 stars0 ratingsMalware Sandbox A Clear and Concise Reference Rating: 0 out of 5 stars0 ratingsMalware Forensics Field Guide for Windows Systems: Digital Forensics Field Guides Rating: 4 out of 5 stars4/5Learning Android Forensics Rating: 4 out of 5 stars4/5Cyber Security Risk Management A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratingsDigital Forensics A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsHacking a Terror Network: The Silent Threat of Covert Channels: The Silent Threat of Covert Channels Rating: 5 out of 5 stars5/5Practical Mobile Forensics Rating: 4 out of 5 stars4/5The Hacker's Guide to OS X: Exploiting OS X from the Root Up Rating: 0 out of 5 stars0 ratingsImplementing Digital Forensic Readiness: From Reactive to Proactive Process Rating: 0 out of 5 stars0 ratingsPenetration Tester's Open Source Toolkit Rating: 0 out of 5 stars0 ratingsLow Tech Hacking: Street Smarts for Security Professionals Rating: 4 out of 5 stars4/5
Computers For You
Mastering ChatGPT: 21 Prompts Templates for Effortless Writing Rating: 5 out of 5 stars5/5Creating Online Courses with ChatGPT | A Step-by-Step Guide with Prompt Templates Rating: 4 out of 5 stars4/5Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5The ChatGPT Millionaire Handbook: Make Money Online With the Power of AI Technology Rating: 0 out of 5 stars0 ratingsPeople Skills for Analytical Thinkers Rating: 5 out of 5 stars5/5Master Builder Roblox: The Essential Guide Rating: 4 out of 5 stars4/5How to Create Cpn Numbers the Right way: A Step by Step Guide to Creating cpn Numbers Legally Rating: 4 out of 5 stars4/5Procreate for Beginners: Introduction to Procreate for Drawing and Illustrating on the iPad Rating: 0 out of 5 stars0 ratingsChatGPT Ultimate User Guide - How to Make Money Online Faster and More Precise Using AI Technology Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide Rating: 5 out of 5 stars5/5SQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5101 Awesome Builds: Minecraft® Secrets from the World's Greatest Crafters Rating: 4 out of 5 stars4/5Deep Search: How to Explore the Internet More Effectively Rating: 5 out of 5 stars5/5CompTIA IT Fundamentals (ITF+) Study Guide: Exam FC0-U61 Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Practice Questions Rating: 2 out of 5 stars2/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5Ultimate Guide to Mastering Command Blocks!: Minecraft Keys to Unlocking Secret Commands Rating: 5 out of 5 stars5/5Artificial Intelligence: The Complete Beginner’s Guide to the Future of A.I. Rating: 4 out of 5 stars4/5AWS Certified Cloud Practitioner All-in-One Exam Guide (Exam CLF-C01) Rating: 5 out of 5 stars5/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5The Professional Voiceover Handbook: Voiceover training, #1 Rating: 5 out of 5 stars5/5The New Email Revolution: Save Time, Make Money, and Write Emails People Actually Want to Read! Rating: 5 out of 5 stars5/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5Slenderman: Online Obsession, Mental Illness, and the Violent Crime of Two Midwestern Girls Rating: 4 out of 5 stars4/5
Reviews for Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
0 ratings0 reviews
Book preview
Contemporary Digital Forensic Investigations of Cloud and Mobile Applications - Kim-Kwang Raymond Choo
(CyberSec)."
Chapter 1
Contemporary Digital Forensics Investigations of Cloud and Mobile Applications
K.-K.R. Choo*,†; A. Dehghantanha‡ * University of Texas at San Antonio, San Antonio, TX, United States
† University of South Australia, Adelaide, SA, Australia
‡ University of Salford, Salford, United Kingdom
Abstract
Digital forensics is a relatively new and fast growing field of research that is focused on the development of forensically sound methods for the collection, preservation, and analysis of digital evidence. However, the fast pace of development in IT and digital technologies has made it difficult for the forensic research community to react in a timely manner and develop tools, techniques, and procedures for handling digital evidence. The wide adoption of cloud platforms and mobile devices has made them an important resource for digital forensics. The identification, collection, preservation, and analysis of evidence from mobile and cloud platforms has proven to be a challenge. This chapter provides an overview of the existing research gaps in the cloud and mobile forensic fields.
Keywords
Digital investigation; Cyber forensics; Mobile forensics; Cloud forensics; Instant messaging application forensics
The US government defined cyberspace as the interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, embedded processors, and controllers in critical industries
[1]. The increasing number and role of cyber elements in both civil and military infrastructures and applications have attracted the attention of cybercriminals (including state-sponsored actors) [2]. As observed by Choo, Smith, and McCusker, there are a number of attack vectors, ranging from syntactic—exploiting technical vulnerabilities (e.g., use of malware [3])—to semantic—exploiting social vulnerabilities to blended approaches compromising both social and technical exploitations [4].
Cybercrime can be loosely defined as an unlawful activity involving computers, as the subject, object, or tools of a crime [5]. Increasingly popularity has also resulted in the importance of digital forensics (also known as cyber forensics, computer forensics and network forensics) [6,7]. While there are a number of definitions for digital forensics, it can be broadly defined to be the identification, collection, preservation, analysis, and reporting of digital evidences [8]. While conducting a forensic investigation, it is important to ensure that one is familiar with the local and relevant laws and regulations for handling digital evidence [9–11], data privacy regulation [12–16], and the relevant technical guidelines (e.g., guidelines for computer forensics [8,17–19], Internet forensics [20], and mobile forensics [10,21–25]), as well as maintaining up-to-date technical proficiency in investigating a broad range of attacks [26], malware [3,27–29], and popular consumer technologies such as cloud [11,20,30] and internet of things [31,32].
Any new consumer technology created and deployed will at some point come under scrutiny in the course of an investigation, criminal or civil. Cloud computing, for example, has seen massive growth in recent years. Although cloud computing are often being credited for enabling promising and cost-competitive solutions, it is subject to potential abuse. Identification, collection, preservation, and analysis of evidence in a cloud environment can be cloudy
[33,34], as data of interest are likely stored in a cloud server outside the jurisdiction of the investigators. Mobile devices are, however, a potential evidential source as such devices are commonly used to access cloud services. Thus, it is not surprising that cloud and mobile forensics are emerging as popular forensic research focuses [2,35,36].
The first (and one of the most widely cited) cloud forensic framework(s) was proposed by Martini and Choo [20,37], which was derived from the McKemmish investigation framework [38] and the NIST mobile forensics guideline [39]. This framework had been used in a number of cloud forensic studies investigating ownCloud [20], Amazon EC2 [40], XtreemFS [41], SkyDrive [42], Dropbox [43], Google Drive [44–47], SugarSync [48], MEGA [49], hubiC [50], and Ubuntu One [51]. Chung et al. [52] proposed another methodology for cloud forensics and utilized it to investigate Amazon S3, Google Docs, and Evernote. Other studies have demonstrated that it is possible to partially retrieve residual evidences of cloud platforms such as synchronizing history and synchronized files from unstructured datasets [53]. Developing tools and techniques to acquire evidence from different cloud platforms [54–57] analyzing the effectiveness of data acquisition functions of existing cloud forensics tools [58,59] are also topics of ongoing research interest. A number of researchers have also pointed out potential complications in preserving cloud data remnants [45,60].
Cloud computing is not the only consumer technology of forensic importance [20,43,44,49–51,55,61–66]. Instant messaging mobile applications such as American Online Messenger [67–69], MSN Messenger [67,70], Yahoo Messenger [71,72], Facebook Messenger [19,73], Skype [74–76] and even Trillian [77], and Pidgin [78] have been the subject of forensic examinations. In addition to mobile (and cloud) app forensics, a number of researchers have also focused on mobile device forensics, such as Blackberry [79,80], Nokia [81,82], and Samsung [83].
Suffice it to say that the need for digital forensics is unlikely to fade away in the foreseeable future, and in fact with the increasing digitalization of our society, the importance of digital forensics will be more important than ever.
This book seeks to provide both digital forensic practitioners and researchers an up-to-date and advanced knowledge in collecting, preserving, and analyzing digital evidence from different cloud services such as platform as a service, infrastructure as a service, and storage as a service.
The structure of the remaining of this book is as follows.
Chapter 2: Forensics Analysis of Skype, Viber, and WhatsApp on Android Platform
Chapter 3: Investigating America Online Instant Messaging Application: Data Remnants on Windows 8.1 Client Machine
Chapter 4: Forensic Investigation of Social Media and Instant Messaging Services in Firefox OS: Facebook, Twitter, Google +, Telegram, OpenWapp, and Line as Case Studies
Chapter 5: Network Traffic Forensics on Firefox Mobile OS: Facebook, Twitter, and Telegram as Case Studies
Chapter 6: Mobile Phone Forensics: An Investigative Framework Based on User Impulsivity and Secure Collaboration Errors
Chapter 7: Performance of Android Forensics Data Recovery Tools
Chapter 8: Honeypots for Employee Information, Security Awareness, and Education Training: A Conceptual EASY Training Model
Chapter 9: Implications of Emerging Technologies to Incident Handling and Digital Forensic Strategies: A Routine Activity Theory
Chapter 10: Forensic Readiness: A Case Study on Digital CCTV Systems Anti-Forensics
Chapter 11: Forensic Visualization: Survey and Future Research Directions
Chapter 12: Investigating Storage as a Service Cloud Platform: pCloud as a Case Study
Chapter 13: Cloud Storage Forensics: Analysis of Data Remnants on SpiderOak, JustCloud, and pCloud
Chapter 14: Residual Cloud Forensics: CloudMe and 360Yunpan as Case Studies
Chapter 15: An Android Cloud Storage Apps Forensic Taxonomy
References
[1] Ganji M., Dehghantanha A., Izuraudzir N., Damshenas M. Cyber warfare trends and future. Adv. Inf. Sci. Serv. Sci. 2013;5:1–10.
[2] Choo K.-K.R. Organised crime groups in cyberspace: a typology. Trends Organ. Crime. 2008;11(3):270–295.
[3] Damshenas M., Dehghantanha A., Mahmoud R. A survey on malware propagation, analysis and detection. Int. J. Cyber-Security Digit. Forensics. 2013;2(4):10–29.
[4] Choo K.-K.R., McCusker R., Smith R.G. Future Directions in Technology-Enabled Crime: 2007–09. Australian Institute of Criminology; 2007. http://www.aic.gov.au/media_library/publications/rpp/78/rpp078.pdf.
[5] Mercuri R. Criminal defense challenges in computer forensics. In: 1st Int. Conf. Digit. Forensics Cyber Crime, ICDF2C 2009, vol. 31 LNICST; 2010:132–138.
[6] Choo K.-K.R. The cyber threat landscape: challenges and future research directions. Comput. Secur. 2011;30(8):719–731.
[7] M.K. Rogers, K.C. Seigfried-Spellar (Eds.) Digital Forensics and Cyber Crime, 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25–26, 2012.
[8] Kessler G.C. Advancing the science of digital forensics. Computer (Long. Beach. Calif.). 2012;45(12):25–27.
[9] Martini B., Do Q., Choo K.-K.R. Conceptual evidence collection and analysis methodology for Android devices. In: Ko R., Choo K.-K.R., eds. Cloud Secur. Ecosyst. Cambridge, MA: Syngress; 2015:285–307. doi:10.1016/B978-0-12-801595-7.00014-8.
[10] Aminnezhad A., Dehghantanha A., Abdullah M.T., Damshenas M. Cloud forensics issues and opportunities. Int. J. Inf. Process. Manag. 2013;4(4):76–85.
[11] Choo K.-K.R., Smith R.G. Criminal exploitation of online systems by organised crime groups. Asian J. Criminol. 2007;3(1):37–59.
[12] Daryabar F., Dehghantanha A., Udzir N.I., Fazlida N. A survey on privacy impacts of digital investigation. J. Next Gener. Inf. Technol. 2013;4(8):57–68.
[13] Ho V., Dehghantanha A., Shanmugam K. A guideline to enforce data protection and privacy digital laws in Malaysia. In: 2010 Second International Conference on Computer Research and Development; 2010:3–6.
[14] Aminnezhad A., Ali Dehghantanha M.T.A. A survey on privacy issues in digital forensics. Int. J. Cyber-Security Digit. Forensics. 2012;1(4):311–323.
[15] Dehghantanha A., Franke K. Privacy-respecting digital investigation. In: 2014 Twelfth Annual International Conference on Privacy, Security and Trust; 2014:129–138.
[16] Choo K.-K.R., Sarre R. Balancing privacy with legitimate surveillance and lawful data access. IEEE Cloud Comput. 2015;2(4):8–13.
[17] Bennett D. The challenges facing computer forensics investigators in obtaining information from mobile devices for use in criminal investigations. Inf. Secur. J. A Glob. Perspect. 2012;21(3):159–168.
[18] Wang W. Steal This Computer Book 4.0: What They Won’t Tell You About the Internet. fourth ed. San Francisco, CA: No Starch Press; 2006.
[19] Yang T.Y., Dehghantanha A., Choo K.-K.R., Muda Z. Windows instant messaging app forensics: Facebook and Skype as case studies. PLoS ONE. 2016;11(3):e0150300.
[20] Quick D., Martini B., Choo K.-K.R. Cloud Storage Forensics. Elsevier; 2013.
[21] Do Q., Martini B., Choo K.-K.R. A forensically sound adversary model for mobile devices. PLoS ONE. 2015;10(9):e0138449.
[22] Mumba E.R., Venter H.S. Mobile forensics using the harmonised digital forensic investigation process. In: 2014 Information Security for South Africa; 2014:1–10.
[23] Lessard J., Kessler G. Android Forensics: Simplifying Cell Phone Examinations. ECU Publications Pre. 2011; 2010.
[24] Norouzizadeh Dezfouli F., Dehghantanha A., Eterovic-Soric B., Choo K.-K.R. Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google + artefacts on Android and iOS platforms. Aust. J. Forensic Sci. 2016;46(4):469–488.
[25] Yusoff M., Mahmod R., Dehghantanha A., Abdullah M. Advances of mobile forensic procedures in Firefox OS. Int. J. Cyber-Security Digit. Forensics (IJCSDF). 2014;3(4) Society of Digital Information and Wireless Communications (SDIWC).
[26] Kessler G., Browning D. Bluetooth Hacking: A Case Study. ECU Publications Pre. 2011; 2009.
[27] Damshenas M., Dehghantanha A., Choo K.K.R., Mahmud R. M0Droid: an Android behavioral-based malware detection model. J. Inf. Priv. Secur. 2015;11(3):141–157.
[28] Kondakci S. A concise cost analysis of Internet malware. Comput. Secur. 2009;28(7):648–659.
[29] Shaerpour K., Dehghantanha A., Mahmod R. Trends in Android malware detection. J. Digit. Forensic Secur. Law. 2013;8(3):21–40.
[30] Do Q., Martini B., Choo K.K.R. A cloud-focused mobile forensics methodology. IEEE Cloud Comput. 2015;2(4):60–65.
[31] Oriwoh E., Jazani D., Epiphaniou G., Sant P. Internet of things forensics: challenges and approaches. In: Proceedings of the 9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing; 2013:608–615.
[32] O’Neill M. The internet of things: do more devices mean more risks? Comput. Fraud Secur. 2014;2014(1):16–17.
[33] Daryabar F., Dehghantanha A. A review on impacts of cloud computing and digital forensics. Int. J. Cyber-Security Digit. Forensics (IJCSDF). 2014;3(4):183–199 Society of Digital Information and Wireless Communications (SDIWC).
[34] Farid Daryabar S.B.S., Dehghantanha A., Izura Udzir N., Mohd Sani N.F. A survey about impacts of cloud computing on digital forensics. Int. J. Cyber-Security Digit. Forensics. 2013;2(2):77–94.
[35] Ab Rahman N.H., Choo K.-K.R. A survey of information security incident handling in the cloud. Comput. Secur. 2015;49:45–69.
[36] Osanaiye O., Cai H., Choo K.-K.R., Dehghantanha A., Xu Z., Dlodlo M. Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing. EURASIP J. Wirel. Commun. Netw. (1):2016;130.
[37] Martini B., Choo K.-K.R. An integrated conceptual digital forensic framework for cloud computing. Digit. Investig. 2012;9(2):71–80.
[38] McKemmish R. What is forensic computing? Canberra: Australian Institute of Criminology; 1999.
[39] Ayers R., Jansen W., Brothers S. Guidelines on mobile device forensics (NIST Special Publication 800-101 Revision 1). 2014;1:85.
[40] Bagh C. Amazon EC2 helps researcher to crack WiFi password in 20 minutes. 2011.
[41] Martini B., Choo K.-K.R. Distributed filesystem forensics: XtreemFS as a case study. Digit. Investig. 2014;11(4):295–313.
[42] Quick D., Choo K.-K.R. Digital droplets: Microsoft SkyDrive forensic data remnants. Futur. Gener. Comput. Syst. 2013;29(6):1378–1394.
[43] Daryabar F., Dehghantanha A., Eterovic-Soric B., Choo K.-K.R. Forensic investigation of OneDrive, Box, GoogleDrive and Dropbox applications on Android and iOS devices. Aust. J. Forensic Sci. 2016;1–28. doi:10.1080/00450618.2015.1110620.
[44] Quick D., Choo K.-K.R. Google drive: forensic analysis of data remnants. J. Netw. Comput. Appl. 2014;40:179–193.
[45] Quick D., Choo K.-K.R. Forensic collection of cloud storage data: does the act of collection result in changes to the data or its metadata? Digit. Investig. 2013;10(3):266–277.
[46] Federici C. Cloud data imager: a unified answer to remote acquisition of cloud storage areas. Digit. Investig. 2014;11(1):30–42.
[47] Ab Rahman N.H., Cahyani N.D.W., Choo K.-K.R. Cloud incident handling and forensic-by-design: cloud storage as a case study. Concurr. Comput. Pract. 2016;doi:10.1002/cpe.3868/.
[48] Shariati M., Dehghantanha A., Choo K.-K.R. SugarSync forensic analysis. Aust. J. Forensic Sci. 2015;48(1):95–117.
[49] Daryabar F., Dehghantanha A., Choo K.-K.R. Cloud storage forensics: MEGA as a case study. Aust. J. Forensic Sci. 2016;1–14. doi:10.1080/00450618.2016.1153714.
[50] Blakeley B., Cooney C., Dehghantanha A., Aspin R. Cloud Storage Forensic: hubiC as a case-study. In: 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom); 2015:536–541.
[51] Shariati M., Dehghantanha A., Martini B., Choo K.-K.R. Chapter 19—Ubuntu One investigation: detecting evidences on client machines. In: Choo R.K.-K.R., ed. The Cloud Security Ecosystem. Boston: Syngress; 2015:429–446.
[52] Chung H., Park J., Lee S., Kang C. Digital forensic investigation of cloud storage services. Digit. Investig. 2012;9(2):81–95.
[53] Quick D., Choo K.-K.R. Digital droplets: Microsoft SkyDrive forensic data remnants. Futur. Gener. Comput. Syst. 2013;29(6):1378–1394.
[54] Quick D., Choo K.-K.R. Big forensic data reduction: digital forensic images and electronic evidence. Clust. Comput. 2016;19(2):723–740.
[55] Scanlon M., Farina J., Le Khac N.A., Kechadi T. Leveraging Decentralization to Extend the Digital Evidence Acquisition Window: Case Study on BitTorrent Sync. 2014 arXiv:1409.8486 [cs].
[56] Dykstra J., Sherman A.T. Understanding issues in cloud forensics: two hypothetical case studies. In: Proceedings of the 2011 ADSFL Conference on Digital Forensics, Security, and Law; 2011:45–54.
[57] Gebhardt T., Reiser H.P. Network forensics for cloud computing. In: Dowling J., Taïani F., eds. Distributed applications and interoperable systems, no. 7891. Berlin, Heidelberg: Springer; 2013:29–42.
[58] Dykstra J., Sherman A.T. Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Digit. Investig. 2012;9:S90–S98.
[59] Thethi N., Keane A. Digital forensics investigations in the cloud. In: Proc. Int’l Advance Computing Conf. (IACC 14); 2014:1475–1480.
[60] Dykstra J., Sherman A.T. Design and implementation of FROST: digital forensic tools for the OpenStack cloud computing platform. Digit. Investig. 2013;10:S87–S95.
[61] Quick D., Choo K.-K.R. Dropbox analysis: data remnants on user machines. Digit. Investig. 2013;10(1):3–18.
[62] Mehreen S., Aslam B. Windows 8 cloud storage analysis: Dropbox forensics. In: 2015 12th International Bhurban Conference on Applied Sciences and Technology (IBCAST); 2015:312–317.
[63] Martini B., Do Q., Choo K.-K.R. Chapter 15—mobile cloud forensics: an analysis of seven popular Android apps. The Cloud Security Ecosystem. 2015.309–345.
[64] Grispos G., Glisson W.B., Storer T. Chapter 16—Recovering residual forensic data from smartphone interactions with cloud storage providers. Cloud Secur. Ecosyst. 2015.347–382.
[65] Grispos G., Glisson W.B., Storer T. Using smartphones as a proxy for forensic evidence contained in cloud storage services. In: 2013 46th Hawaii International Conference on System Sciences; 2013:4910–4919.
[66] Shariati M., Dehghantanha A., Choo K.-K.R. SugarSync forensic analysis. Aust. J. Forensic Sci. 2016;48(1):95–117.
[67] Dickson M. An examination into MSN Messenger 7.5 contact identification. Digit. Investig. 2006;3(2):79–83.
[68] Reust J. Case study: AOL instant messenger trace evidence. Digit. Investig. 2006;3(4):238–243.
[69] Kiley M., Dankner S., Rogers M. Forensic analysis of volatile instant messaging. In: Ray I., Shenoi S., eds. Advances in Digital Forensics IV, no. 285. US: Springer; 2008.
[70] van Dongen W.S. Forensic artefacts left by Windows Live Messenger 8.0. Digit. Investig. 2007;4(2):73–87.
[71] Dickson M. An examination into Yahoo Messenger 7.0 contact identification. Digit. Investig. 2006;3(3):159–165.
[72] Levendoski M., Datar T., Rogers M. Yahoo! Messenger forensics on Windows vista and Windows 7. In: Gladyshev P., Rogers M.K., eds. Digital Forensics and Cyber Crime, no. 88. Berlin Heidelberg: Springer; 2012:172–179.
[73] Al Mutawa N., Al Awadhi I., Baggili I., Marrington A. Forensic artifacts of Facebook’s instant messaging service. In: 2011 International Conference for Internet Technology and Secured Transactions ICITST; 2011:771–776.
[74] Yang T.Y., Dehghantanha A., Choo K.R., Muda Z. Windows instant messaging app forensics: Facebook and Skype as case studies. PLoS ONE. 2016.
[75] Simon M., Slay J. Recovery of Skype application activity data from physical memory. In: ARES’10 International Conference on Availability, Reliability, and Security, 2010; 2010:283–288.
[76] McQuaid J. Skype Forensics: Analyzing Call and Chat Data From Computers and Mobile. Magnet Forensics; 2012.
[77] Dickson M. An examination into Trillian basic 3.x contact identification. Digit. Investig. 2007;4(1):36–45.
[78] van Dongen W.S. Forensic artefacts left by Pidgin Messenger 2.0. Digit. Investig. 2007;4(3–4):138–145.
[79] Al Marzougy M., Baggili I., Marrington A. BlackBerry playbook backup forensic analysis. Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng.—Digit. Forensics Cyber Crime. 2013;114:239–252.
[80] Al Mutawa N., Baggili I., Marrington A. Forensic analysis of social networking applications on mobile devices. Digit. Investig. 2012;9(Suppl.):S24–S33.
[81] Mohtasebi S., Ali Dehghantanha H.G.B. Smartphone forensics: a case study with Nokia E5-00 Mobile Phone. Int. J. Digit. Inf. Wirel. Commun. 2011;1(3):651–655.
[82] Cahyani N.D.W., Martini B., Choo K.-K.R., Al-Azhar A.M.N. Forensic data acquisition from cloud-of-things devices: windows Smartphones as a case study. Concurr. Comput. Pract. 2016.
[83] Parvez S., Dehghantanha A., Broujerdi H.G. Framework of digital forensics for the Samsung Star Series phone. In: 2011 3rd International Conference on Electronics Computer Technology; 264–267. 2011;vol. 2.
Chapter 2
Forensics Analysis of Android Mobile VoIP Apps
T. Dargahi*; A. Dehghantanha†; M. Conti‡ * Islamic Azad University, Tehran, Iran
† University of Salford, Salford, United Kingdom
‡ University of Padua, Padua, Italy
Abstract
Voice over Internet Protocol (VoIP) applications (apps) provide convenient and low-cost means for users to communicate and share information with each other in real-time. Day by day, the popularity of such apps is increasing, and people produce and share a huge amount of data, including their personal and sensitive information. This might lead to several privacy issues, such as revealing user contacts, private messages, or personal photos. Therefore, having an up-to-date forensic understanding of these apps is necessary.
This chapter presents analysis of forensically valuable remnants of three popular Mobile VoIP (mVoIP) apps on Google Play store, namely: Viber, Skype, and WhatsApp Messenger, in order to figure out to what extent these apps reveal forensically valuable information about the users activities. We performed a thorough investigative study of these three mVoIP apps on smartphone devices. Our experimental results show that several artifacts, such as messages, contact details, phone numbers, images, and video files, are recoverable from the smartphone device that is equipped with these mVoIP apps.
Keywords
Android forensics; mVoIP; Viber; Skype; WhatsApp Messenger; Digital forensics
1 Introduction
In recent years, we have witnessed a rapid increase in the use of Voice over Internet Protocol (VoIP) services as an online communication method on mobile devices. This is not surprising due to the increasing proliferation of smartphones: it has been predicted that by 2019 the number of smartphone users will be more than 2.6 billion [1]. These days people use their smartphone devices not only for making voice calls and exchanging SMS, but also for obtaining several services that are offered due to the ubiquitous access to Internet, such as mobile banking, and location-based services. Meantime, the use of VoIP applications, which could be delivered easily through mobile VoIP applications (mVoIP apps), would enable people to interact, share information, and become socialized at a very low cost compared to most of the traditional communication techniques. However, such applications could also be exploited by criminals or be targeted by cybercriminals (e.g., with malware infection to steal financial data) [2, 3]. For these reasons, mobile devices (including smartphones) attracted a lot of attention from the security research community [4], in particular from the perspective of malware [5–12], security enforcement [13–16], and authentication mechanisms [17–19].
Smartphones are a common source of evidence in both criminal investigations and civil litigations [20–25]. However, the constant evolution and nature (e.g., closed source operating system and diverse range of proprietary hardware) of mobile devices and mobile apps complicates forensic investigations [26]. Among the existing smartphone operating systems in the market, Android dominated the market with more than 80% of the total market share in 2015 Q2 [27, 28]. Therefore Android popularity attracted several researchers to focus on investigating several different security aspects of Android, ranging from user identification [29, 30], feasibility of encryption methods on Android [31], cloud storage apps forensics [32], and social networking apps forensics [3]. Due to the increasing use of mVoIP apps for malicious activities on different platforms including Android, forensic investigation of such apps needs an extensive coverage [33, 34], and therefore in this chapter, we provide an investigative study of the three popular VoIP apps for Android on Google Play (see Table 1), namely: Viber [35], Skype [36], and WhatsApp [37]. The features of these VoIP apps are summarized in Table 2. In particular, we aim to answer the following question: What artifacts of forensic value can be recovered from the use of Viber, Skype, and WhatsApp Android apps?
Table 1
Number of Installations for Each Application [35–37]
Table 2
Features of mVoIP Applications
2 Related Work
These days, several trusted and untrusted providers launch various categories of applications for mobile devices. This has led to the ever increasing trend in using mobile devices in order to benefit from the services offered by these applications. This tendency motivated the forensic community to concentrate on forensic investigation of the mobile devices. In this regard Dezfoli et al. [26] perused the future trends in digital investigation and determined that mobile phone forensics is receiving more and more attention by the community and is one of the fastest growing fields. In [38], the authors provided a comprehensive discussion on the nature of digital evidence on mobile devices, along with a complete guide on forensic techniques to handle, preserve, extract, and analyze evidence from mobile devices. Moreover, they presented examples of commercial forensic tools that can be used to obtain data from mobile phones, such as Access Data Forensic Toolkit (FTK), Cellebrite Physical, XACT, along with the case example of the adopted Digital Forensic Framework (DDF) plug-in. In the same line of study, Mohtasebi and Dehghantanha [39] presented a unified framework for investigating different types of smartphone devices. Parvez et al. [40] proposed a forensics framework for investigating Samsung phones. Several researchers have proposed various frameworks for the investigation of Nokia mobile devices and Firefox OS [25, 41].
A comparison of forensic evidence recovery techniques for a Windows Mobile smartphone demonstrates that there are different techniques to acquire and decode information of potential forensic interest from a Windows Mobile smartphone [42]. Furthermore, forensic examination of the Windows Mobile device database (the pim.vol) file confirmed that pim.vol contains information related to contacts, call history, speed-dial settings, appointments, and tasks [43]. Moreover, in [44], the authors provided a number of possible methods of acquiring and examining data on Windows Mobile devices, as well as the locations of potentially useful data, such as text messages, multimedia, email, Web browsing artifacts, and Registry entries. They also used MobileSpy monitoring software as a case example to highlight the importance of forensic analysis. They showed that the existence of such a malicious monitoring software on a Windows phone could be detectable on the device being investigated by forensics analyst. In another recent study, Yang et al. [45] carried out an investigative study on two popular Windows instant messaging apps, i.e., Facebook and Skype. The authors showed that several artifacts are recoverable, such as contact lists, conversations, and transferred