© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
M. Moreb, Practical Forensic Analysis of Artifacts on iOS and Android Devices, https://doi.org/10.1007/978-1-4842-8026-3_14

14. Mobile Forensics for iOS and Android Platforms: Chrome App Artifacts Depending on SQLite

Mohammed Moreb
Palestine Hebron Halhul, Palestine, State of

This chapter starts by comparing and contrasting the architectures of Android and iOS that are discussed in the first chapter. We then implement and utilize mobile forensics methodology to analyze SQLite files from the applications installed on the mobile device, discuss some of the techniques and tools used to extract information, and present a case study of the Chrome application. In terms of forensic analysis, the chapter also emphasizes the necessity of examining all SQLite files that belong to an app in order to extract as much digital evidence as feasible. We investigated practical forensic analysis for the Chrome app for iOS and Android, and forensic procedures were carried out using the three-phase (seizure, acquisition, examination & analysis) methodology. This chapter aims to extract artifacts from Chrome applications using many tools such as iBackup, iExplorer, iTunes, Belkasoft, and FINALMobile software for iOS. We use ADB, Belkasoft, AXIOM, FINALMobile, and MOBILedit for Android. SQLiteStudio is used to view SQLite database files extracted from both Android and iOS.

In this chapter, we will cover the following topics:
  • Introduction to iOS Chrome App Forensics Using SQLite

  • SQLite Acquisition Phase

  • SQLite Forensic Tools

  • SQLite Experimental Design

  • Acquisition SQLite by iTunes and Belkasoft

  • Android Chrome App Forensics Using SQLite

  • Examination and Analysis Phase for Chrome App iOS and Android

  • Comparison between Tools Used for iOS

iOS Chrome App Forensics Using SQLite

“SQLite is an in-process library that implements a self-contained, zero-configuration, serverless, transactional SQL database engine” (Bhosale et al., 2015). SQLite’s evolution has made it one of the world’s most commonly used database management systems, as well as a storage engine for browsers and mobile apps.

Seizure Phase

The digital equipment is seized before the beginning of the inspection process. Seizure is carried out by law enforcement officers who have the required competence and training to preserve evidence, ensuring that the confiscated equipment is maintained in its original state. When seizing a phone, it is critical to switch it to airplane mode. A seizure must be based on a valid search warrant issued in line with the rules governing seizure processes and purposes (Manendra Sai et al., 2015). In this study, work will be done based on the Palestinian Cybercrime Law No. 10 of 2018, especially Article 32.
  I. Agency: including institutions that conduct the forensics analysis and examination.

  II. Case identifier: case number and some other details for the case such as date and time.

  III. Forensic investigator: information about the forensics examiner including name, institution, qualification, and experience.

  IV. Identity of the submitter: details about the submitter and how to hand it over to the examiner; there can be pictures documenting the condition of the device when it is handed over.

  V. Date of evidence receipt: the date of delivery of the devices to the forensic analysis department.

  VI. Details of the device seized for examination: including serial number, make, and model. In this chapter, we will use Samsung Galaxy A7 with Android 7.0, and Apple iPhone 6 with iOS 12.5.2. Device specifications are shown in Table 14-1.

Table 14-1. Suspected iPhone and Android Mobile Specifications

iPhone Mobile Specifications

| Specification | Value |
|---|---|
| Make | iPhone 6 |
| Model no. | MG482AA/A |
| IMEI | 3592830694**29 |
| Color | Silver |
| Jailbroken | No |
| Network | JAWWAL |
| Capacity | 16 GB |
| Passcode | Provided (111111) |
| iOS version | 12.5.2 |
| Serial no. | C8QPM2RTG5MP |
| Mobile power | On |
| MEID | 35928306947829 |
| Airplane mode | On |
| Wi-Fi add. | D8:1D:72:E9:6F:0B |
| Bluetooth | D8:1D:72:E9:6F:0C |
| ICCID | 89970281433296612949 |
| Modem firmware | 7.80.04 |
| SIM no. | 0594-4444*** |

Suspect Android Mobile Specifications

| Specification | Value |
|---|---|
| Make | Samsung Galaxy A7 2016 |
| Model no. | SM-A710FD |
| IMEI (slot 1) | 3581680770892** |
| Color | Black |
| Root | No |
| Network | JAWWAL-Ps |
| Capacity | 16 GB |
| Passcode | Provided (123456) |
| Android version | 7.0 |
| Serial no. | RF8J72EJ*0R |
| Mobile power | On |
| Build no. | NRD90M.A710FXXS2CTJ1 |
| Airplane mode | On |
| Wi-Fi add. | 94:7B:E7:27:12:BC |
| Bluetooth | Unavailable |
| SIM no. | 0593-333*** |

Acquisition Phase

Forensic Tools

The workstation and software used in this experiment to make acquisitions for iOS and Android mobiles are shown in Table 14-2.
Table 14-2. Experiment Tools and Devices

| No. | Tools/Devices | Description |
|---|---|---|
| 1 | iTunes, version 12.11.3.17 | Used to get a backup for iPhone |
| 2 | Belkasoft Evidence center 9.9 Build 4662 x64 | Forensic software used for acquisition and analysis |
| 3 | FINALMobile Forensics user version. The file version is 2020.04.22. CDF version is 2020.04.22. | Forensic tool: used for extraction and analysis |
| 4 | SQLiteStudio v3.3.3 | Open and view SQLite |
| 5 | AXIOM | Forensics SW used for acquisition and analysis |
| 6 | Odin3 | SW used to root Android |
| 7 | HP ZBook, Windows 10, 64 bit, 24 GB RAM, Intel(R) Core™ i7-7700HQ 2.81 GHz | Workstation |
| 8 | Original USB cable | Media to connect the smartphone with workstation |
| 9 | iPhone 6 | Suspect smartphone X |
| 10 | Samsung Galaxy A7 2016 | Suspect smartphone Y |

Experimental Design

The experiment was prepared in terms of (a) activating mobile airplane mode to isolate receiving and transmission signals, (b) connecting the mobile device through a USB cable with the workstation, which is not connected to the Internet and free of malware, (c) selecting trust computer, (d) connecting iTunes for backup, (e) running Belkasoft to get backup and to load iTunes backup for analysis and comparison, and (f) running FINALMobile software to get another backup and later for analysis.

Acquisition by iTunes and Belkasoft

  • iTunes backup: Create iPhone backup as shown in Figure 14-1. This backup will be analyzed forensically using Belkasoft. The backup data is stored in the following path: C:\Users\hp\AppData\Roaming\Apple Computer\MobileSync\Backup

Figure 14-1. iTunes backup

  • Acquisition by Belkasoft: When doing acquisition for Apple mobile, Belkasoft offers three acquisition methods: iTunes backup; full logical backup, which requires a jailbreak; and agent backup, which is not supported for current iOS (12.5.3 for suspected iPhone). Figure 14-2 shows selecting acquire Apple mobile. In Figure 14-2 Belkasoft recognizes the iPhone after connecting the iPhone with the workstation. Figure 14-3 shows the starting backup process.

Figure 14-2. Selecting acquire Apple mobile

In Figure 14-2, mobile forensics examiners are required to choose whether to add an existing data source or to acquire and analyze. As shown in Figure 14-3, acquisition for mobile was selected and Apple mobile was chosen.
Figure 14-3. Belkasoft recognizing mobile phone

Figure 14-4 shows that the examiner should choose to trust this computer so that the mobile connection is activated and the mobile is recognized by Belkasoft.
Figure 14-4. Backup process

Belkasoft cannot obtain a logical image of the targeted smartphone without a jailbreak, as shown in Figure 14-5.
Figure 14-5. Logical image required jailbreak

As shown in Figure 14-8, when choosing full logical backup, it is required for the mobile to be jailbroken.

Examination/Analysis Phase

1. Using Belkasoft

The iTunes backup, which was taken by Belkasoft, is opened for analysis in Belkasoft as shown in Figure 14-6.
Figure 14-6. Using Belkasoft to analyze iTunes backup

The results show that about 107 files that were opened by the Chrome application were shown in the overview. No other information was provided in the overview, so for more details, it is important to look up the Chrome SQLite database. To do that, we need to move to File System, where we can locate related SQLite files as shown in Figure 14-7.
Figure 14-7. Belkasoft file system

As shown in Figure 14-8, all Chrome app SQLite database files are located under the path AppDomain-com.google.chrome.os. Walk through this path looking for SQLite database files. To open any SQLite files, we can use the integrated SQLite viewer in Belkasoft as shown in Figure 14-9.
Figure 14-8. Belkasoft SQLite Viewer

Viewing the data stored in SQLite gives more details and artifacts. SQLite files may have the extension .db or .sqlite3, and some files have no extension, so it is important to know that any SQLite file can be recognized by its file header, as shown in Figure 14-9. A lot of SQLite files were found under the Chrome path. These files are a mine of data that can be used to get artifacts. For example, the history SQLite database file provides the history for the Chrome application and shows the number of times each site was visited. It also provides the keywords searched via the Chrome application and many other details.
Figure 14-9. SQLite header

As shown in Figure 14-10, SQLite signature offset is zero and size is 16 bytes. Another example is the “Login data” SQLite database file, which is saved by Belkasoft and viewed by SQLiteStudio as shown in Figure 14-10. This table gives other artifacts about logins signed through the Chrome application.
Figure 14-10. Login data file through SQLiteStudio

2. Using FINALMobile

iTunes backup was taken by iTunes and opened by the FINALMobile forensics tool, as shown in Figure 14-11.
Figure 14-11. FINALMobile interface

It is clear at first glance that the program’s workspace directly displays some of the contents of the Chrome application; the display is done by the Chrome_WebHistory tab, and all its contents are read directly from the history SQLite file. This tool also gives us the ability to search all files manually through File Explorer as shown in Figure 14-12. We can use this feature to look for all SQLite database files.
Figure 14-12. File Explorer in FINALMobile

As mentioned before, because forensic tools do not display all SQLite database files directly, searching all files by navigating the path of the desired application is extremely important to obtain the largest possible number of artifacts. Like Belkasoft, FINALMobile supports this search and can also export SQLite database files to be opened later by any tool such as SQLiteStudio, or we can open them directly without exporting as shown in Figure 14-13.
Figure 14-13. View SQLite directly in FINALMobile

3. Using iBackUp

iBackup will automatically find the iTunes backup as shown in Figure 14-17, or we can simply open the backup from the desired path. After that, it is easy to view all mobile content as shown in Figure 14-14. This tool also gives us the ability to export any file, including SQLite database files. In this practical case, however, the iBackup tool cannot recognize SQLite files, as it doesn’t support hex dump to view the file header.
Figure 14-14. Export files using iBackup

4. Using iExplorer

iExplorer is used to view the iTunes backup and gather related SQLite files. This tool gives us the ability to export any file, including SQLite database files, as shown in Figure 14-15. In this tool, it is not possible to recognize SQLite files that have no extension unless the examiner has previous experience. In other words, it doesn’t support hex dump to view the file header.
Figure 14-15. Export files using iExplorer

Android Chrome App Forensics Using SQLite

The experiment design was prepared in terms of (a) activating mobile airplane mode to isolate receiving and transmission signals, (b) connecting the mobile device through a USB cable with a workstation that is not connected to the Internet and is free of malware, (c) selecting the trust computer, (d) using ADB command to get backup, (e) running Belkasoft to get ADB backup and physical image (also used for analysis and comparison), (f) running FINALMobile software to get another backup and later for analysis, (g) using AXIOM to get the full image and later for analysis, and (h) using MOBILedit to get backup and analysis.

First, for the acquisition phase, developer mode must be enabled to get a backup or any other type of acquisition. To enable developer mode for Samsung A7 2016: (1) go to Settings, (2) About phone, (3) Software information, and (4) click Build number seven times to enable developer mode, as shown in Figure 14-16.
Figure 14-16. Enable developer mode

Next, USB debugging must be enabled. To root the Android mobile, we must also enable OEM unlock, as shown in Figure 14-17.
Figure 14-17. Enable USB debugging mode

Before Rooting

Using ADB Command

Everything you need is in the Software Development Kit (SDK), which includes an integrated development environment (IDE) and is required for investigative tools like ADB and quick boot. Figure 14-18 shows the adb command to get a backup with -shared -all, which is used to get a backup from external memory on the mobile.
Figure 14-18. ADB command to get backup from Android mobile

The backup will be saved in .ab format. To put this backup into a universal format that can be opened with different automated forensics tools, it must be converted to .tar format. For that, it is essential to install the Java development kit (JDK), and then copy abe.jar to the platform-tools folder. Later we can use the command shown in Figure 14-19 to convert the .ab format to .tar format. The backup.ab and backup.tar will be stored in the platform-tools folder.
Figure 14-19. Convert .ab to .tar
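
The conversion above works because an .ab file is four text lines (magic, format version, compression flag, encryption name) followed by a tar payload. The following is an added example, not the chapter's abe.jar command: it reads that header, unpacks an unencrypted backup in memory, and lists which packages the backup actually contains. The sample backup and the package name com.example.notes are constructed for illustration.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Read the four newline-terminated header lines of an .ab file.

    Returns (header, payload_offset). Raises ValueError on a bad or
    truncated header.
    """
    lines, pos = [], 0
    for _ in range(4):
        end = data.index(b"\n", pos)  # ValueError if the header is cut short
        lines.append(data[pos:end])
        pos = end + 1
    if lines[0] != AB_MAGIC:
        raise ValueError("not an Android backup: bad magic")
    header = {
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode("ascii"),
    }
    return header, pos


def ab_to_tar_bytes(data):
    """Return the tar payload of an unencrypted backup."""
    header, offset = parse_ab_header(data)
    if header["encryption"] != "none":
        # Encrypted backups carry key material after the header and need
        # the backup password; this example stops here.
        raise ValueError("encrypted backup: " + header["encryption"])
    payload = data[offset:]
    return zlib.decompress(payload) if header["compressed"] else payload


def packages_in_backup(tar_bytes):
    """List package names found under apps/ without extracting any file."""
    packages = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) >= 2 and parts[0] == "apps":
                packages.add(parts[1])
    return sorted(packages)


def build_sample_ab():
    """Constructed sample: a compressed, unencrypted backup with two entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in [
            ("apps/com.example.notes/db/notes.db", b"SQLite format 3\x00"),
            ("shared/0/DCIM/note.txt", b"constructed"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = build_sample_ab()
    header, _ = parse_ab_header(sample)
    packages = packages_in_backup(ab_to_tar_bytes(sample))
    print(header)
    print("packages:", packages)
    print("Chrome present:", "com.android.chrome" in packages)
```

Listing the packages before loading backup.tar into an analysis tool shows immediately whether an application such as Chrome was included in the backup at all.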

Using AXIOM

Two options are available when acquiring evidence using AXIOM as shown in Figure 14-20.
Figure 14-20. AXIOM acquisition method

ADB (Unlocked) is used when you have the passcode or pattern for the device and you can unlock it. Advanced (Lock Bypass) is used to bypass the lock screen. Figure 14-21 shows the progress when choosing the ADB (Unlocked) option, which is used to acquire a quick or full image as shown in Figure 14-5; the full image requires the device to be rooted, and the quick image is stored in .zip format.
Figure 14-21. ADB progress to acquire the quick image

Figure 14-22 shows the progress of preparing the device including disconnecting and reconnecting the mobile to the workstation, installing the mobile driver, and attempting to bypass the device if it is locked. AXIOM provides two types of images: a full image, which means whole contents of the device, and a quick image.
Figure 14-22. Quick image

Using Belkasoft

We can get backup using Belkasoft by:
  a. Choosing “Mobile” from Acquire and analyze, and then selecting Android as shown in Figure 14-23.

Figure 14-23. Select mobile

  b. Selecting the acquisition method as shown in Figure 14-24.

Figure 14-24. Acquisition methods

Using FINALMobile

FINALMobile Forensics supports different platforms as shown in Figure 14-25.
Figure 14-25. Mobile platforms supported by FINALMobile

To get a backup of Android using FINALMobile, we have to select the Android platform, then choose the make and model as shown in Figure 14-26.
Figure 14-26. The make and model

There are two acquisition methods as shown in Figure 14-27. Both produce a logical image.
Figure 14-27. Acquisition methods in FINALMobile

Rooting

Odin3 software as shown in Figure 14-28 was used to root the mobile.
Figure 14-28. Odin3 interface

To root the mobile device using Odin3, first, we have to enable OEM unlock as shown in Figure 14-17, turn off the mobile, and then enter download mode by pressing and holding power + volume down + home together until the warning screen appears, then pressing volume up. After that, run Odin3 as administrator and connect the mobile device to the PC via USB cable; the Odin3 software will confirm the connection by showing “Added” as shown in Figure 14-29. If there is no confirmation, then there is a problem with the mobile driver and it is recommended to install the correct driver for the mobile.

Once the connection is confirmed, locate the root file, which can be downloaded from samsungsfour.com [15] depending on the version and model, add it to Odin3 by clicking AP and selecting the root file, which is in .tar.md5 format, and then choose to start rooting the device as shown in Figure 14-28.

After successfully rooting the mobile, we can get superuser (SU) privileges and access the data folder on the Android, which was limited to SU before rooting; we can do anything, such as removing files that contain passcodes or patterns, and we can get physical acquisition.

Use ADB to enter the shell and then get SU privileges after rooting the mobile as shown in Figure 14-29.
Figure 14-29. SU privileges

Now, let us remove the password and pattern from the mobile using SU privileges. The files containing the password and pattern are found under /data/system; look for gatekeeper.password.key and gatekeeper.pattern.key. After removing these two files, as shown in Figure 14-30, there will be no passcode or pattern on the mobile.
Figure 14-30. Bypass passcode and pattern in Samsung A7 2016

After Rooting

To get a physical copy using Belkasoft, we need to select DD backup and verify root status to continue as shown in Figure 14-31, then select a partition or all partitions to get a physical backup in which the images are logical, and then click Next to start the process of physical imaging.
Figure 14-31. Physical copy

After rooting the mobile, the full image option becomes available in AXIOM as shown in Figure 14-32.
Figure 14-32. AXIOM full image

Examination and Analysis Phase for Android

1. Before Rooting

The manual backup taken by the adb command is analyzed manually by extracting backup.tar and looking for SQLite files. Then we use SQLiteStudio to open these files. adb doesn’t back up all installed applications, and the Chrome app is one of the applications that isn’t backed up in this case. Even when automated forensics tools such as Belkasoft, AXIOM, or FINALMobile are used to analyze backup.tar, the result is the same as with the ADB backup: there is no data related to the Chrome app. The artifacts that were retrieved are shown in Figure 14-33.
Figure 14-33. Analyze ADB backup using Belkasoft

Figure 14-34 shows the results of analyzing, with FINALMobile, the logical image that was taken as “Samsung backup”, focusing on the Chrome results.
Figure 14-34. Analyzing results showing Chrome artifacts

If we are looking for more artifacts, it will be necessary to look for every single SQLite file located under Chrome. To achieve that, we navigate to the File Explorer as shown in Figure 14-35.
Figure 14-35. File Explorer

One more thing: it is important to look at all SQLite files depending on file signature instead of looking at file extensions, as some SQLite files have no extension. Figure 14-36 shows the SQLite signature.
Figure 14-36. SQLite file signature
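
Both this passage and the earlier iOS discussion of the file header rely on the same check: the 16-byte signature at offset 0. The added example below (not from the chapter or from any of the tools it names) walks an extracted backup, finds SQLite files by signature regardless of extension, hashes each one, and counts its tables through a read-only connection. The sample tree and its contents are constructed.

```python
import hashlib
import os
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte signature at offset 0


def is_sqlite(path):
    """True if the first 16 bytes match the SQLite 3 signature."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def sha256_of(path):
    """Hash the file in chunks so the value can be recorded in the case notes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def count_tables(path):
    """Count tables without modifying the evidence copy.

    mode=ro refuses writes; immutable=1 also stops SQLite from taking
    locks or touching journal files next to the database.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    try:
        con = sqlite3.connect(uri, uri=True)
        try:
            row = con.execute(
                "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
            ).fetchone()
            return row[0]
        finally:
            con.close()
    except sqlite3.DatabaseError:
        return None  # valid signature but damaged or truncated body


def scan(root):
    """Report every file under root that carries the SQLite signature."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if not is_sqlite(full):
                continue
            hits.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "has_extension": bool(os.path.splitext(name)[1]),
                "sha256": sha256_of(full),
                "tables": count_tables(full),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root):
    """Constructed sample data: two extensionless databases and one decoy."""
    base = os.path.join(root, "Default")
    os.makedirs(base)
    samples = [
        ("History", ["CREATE TABLE urls(id INTEGER, url TEXT)",
                     "CREATE TABLE visits(id INTEGER, url INTEGER)"]),
        ("Login Data", ["CREATE TABLE logins(origin_url TEXT)"]),
    ]
    for name, statements in samples:
        con = sqlite3.connect(os.path.join(base, name))
        for stmt in statements:
            con.execute(stmt)
        con.commit()
        con.close()
    # A .db extension does not make a file a database.
    with open(os.path.join(base, "notes.db"), "w") as fh:
        fh.write("plain text, not SQLite")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in scan(tmp):
            print(hit["path"], hit["tables"], hit["sha256"][:16])
```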

To analyze the quick image using AXIOM, we first open the image in the AXIOM process and wait until it finishes analyzing the evidence. Figure 14-37 shows the artifacts. No artifacts related to Chrome apps were found.
Figure 14-37. Case overview

2. After Rooting

We try to find artifacts using Belkasoft and results show that no artifacts were acquired. By loading the image to the AXIOM process, and waiting until it finishes analyzing, Figure 14-38 shows artifact statistics for the full image after rooting.
Figure 14-38. Artifacts for full image after rooting

As shown in Figure 14-39, analyzing full images retrieves data related to Chrome apps.
Figure 14-39. Extract Chrome app data from full image

Results and Discussion

iOS

The Chrome application used in iPhone mobiles is like any other application where many artifacts can be extracted. In the conducted experiment, acquisition of SQLite manually without jailbreaking the mobile is possible if the mobile is open (no passcode or pattern is given) using iTunes, iBackup, and iExplorer to get iTunes backup. We can easily export an SQLite file and then open it with any SQLite viewer such as SQLiteStudio. Or we can use Belkasoft and FINALMobile as forensics tools to get iTunes backup and do forensics analysis using tools features or export SQLite files to be opened by SQLiteStudio.

There are many SQLite database files under the Chrome path, such as history, login data, top sites, affiliation database, cookies, favicons, shortcuts, web data, and more. For example, the history file contains information about all browsing such as downloads, keyword_searched_items, URL, and so on. As shown in Figure 14-41, the login data file contains information about all user logins, such as origin_url, password_element, username_element, and so on, as shown in Figure 14-40. The top sites file contains the most visited sites through the Chrome application, as shown in Figure 14-40.
Figure 14-40. History SQLite file

All tables inside the History SQLite database files include login details through the Chrome app, and information about the top sites visited using Chrome app web browser, as shown in Figure 14-41.
Figure 14-41. SQLite database files for the Chrome app
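
The History artifacts described above (visit counts and searched keywords) can be pulled from an exported copy with a few read-only queries. This is an added example, not code from the chapter or its tools: the table and column names (urls, keyword_search_terms, last_visit_time) follow Chrome's commonly documented History schema and are assumptions here, since the chapter shows the tables only in figures, and the sample database is constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(value):
    """Chrome stores times as microseconds since 1601-01-01 UTC; 0 means unset."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def open_readonly(path):
    """Open the exported copy read-only so analysis cannot alter it."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    return con


def table_names(con):
    rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {r["name"] for r in rows}


def top_visited(path, limit=10):
    """Most visited URLs with the last visit converted to UTC."""
    con = open_readonly(path)
    try:
        if "urls" not in table_names(con):  # schema differs between versions
            return []
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls "
            "ORDER BY visit_count DESC, id LIMIT ?", (limit,)).fetchall()
        return [{"url": r["url"], "title": r["title"],
                 "visits": r["visit_count"],
                 "last_visit_utc": webkit_to_utc(r["last_visit_time"])}
                for r in rows]
    finally:
        con.close()


def search_terms(path):
    """Keywords typed into the browser, joined to the URL they produced."""
    con = open_readonly(path)
    try:
        if not {"urls", "keyword_search_terms"} <= table_names(con):
            return []
        rows = con.execute(
            "SELECT k.term, u.url, u.last_visit_time "
            "FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id "
            "ORDER BY u.last_visit_time").fetchall()
        return [(r["term"], r["url"], webkit_to_utc(r["last_visit_time"]))
                for r in rows]
    finally:
        con.close()


def build_sample_history(path):
    """Constructed sample data laid out like the tables queried above."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, "
                "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
    con.execute("CREATE TABLE keyword_search_terms(keyword_id INTEGER, "
                "url_id INTEGER, term TEXT)")
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.com/login", "Example login", 7, 13269787200000000),
        (2, "https://www.google.com/search?q=forensic+tools",
         "forensic tools - Search", 2, 13269783600000000),
        (3, "https://example.org/", "Example", 1, 0),
    ])
    con.execute("INSERT INTO keyword_search_terms VALUES (2, 2, 'forensic tools')")
    con.commit()
    con.close()


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "History")
        build_sample_history(sample)
        for row in top_visited(sample):
            print(row["visits"], row["last_visit_utc"], row["url"])
        print(search_terms(sample))
```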

Android

Many applications exist for a specific purpose; for example, the purpose of the email application is to open the email, the purpose of the Facebook application is to open Facebook, and so on. Regardless of these applications that are designed for specific purposes, Internet browsers are still used to search and open an email, Facebook, and so on. The most used Internet browser is the Chrome app. Therefore, it is always recommended to check the artifacts in Chrome and the rest of the Internet browsers, if any. Like any mobile platform, Chrome is used in Android. Using Chrome can provide a lot of artifacts. And once more, if we are looking for more artifacts, it is required to look for all SQLite database files.

There are many methods to do acquisition for Android platforms. ADB manual extraction doesn’t back up everything; for example, ADB didn’t acquire Chrome data. To get Chrome data, we have to do logical acquisition by automated tools such as FINALMobile, AXIOM, and so on. There is no need to root Android mobile for the logical image. Logical images will never provide deleted files. After analyzing the logical image with FINALMobile as shown in Figure 14-42, we get 27 artifacts.
Figure 14-42. Chrome app artifacts

But if we go deeper and look for SQLite files by navigating File Explorer, we can find more artifacts. There are 22 SQLite files located under the Chrome app, as shown in Table 14-3.
Table 14-3. SQLite Files Located under Chrome App

| No | SQLite file | No. of Tables | Description |
|---|---|---|---|
| 1 | Account Web Data | 22 | app\com.android.chrome\app_chrome\default |
| 2 | Affiliation Database | 3 | app\com.android.chrome\app_chrome\default |
| 3 | Cookies | 2 | app\com.android.chrome\app_chrome\default |
| 4 | Favicons | 4 | app\com.android.chrome\app_chrome\default |
| 5 | Heavy_ad_intervention_opt_out.db | 2 | app\com.android.chrome\app_chrome\default |
| 6 | History | 12 | app\com.android.chrome\app_chrome\default |
| 7 | Lite_video_opt_out.db | 2 | app\com.android.chrome\app_chrome\default |
| 8 | Login Data | 6 | app\com.android.chrome\app_chrome\default |
| 9 | Media History | 6 | app\com.android.chrome\app_chrome\default |
| 10 | Network Action Predictor | 4 | app\com.android.chrome\app_chrome\default |
| 11 | Origin Bound Certs | 2 | app\com.android.chrome\app_chrome\default |
| 12 | QuotaManager | 4 | app\com.android.chrome\app_chrome\default |
| 13 | Reporting and NEL | 4 | app\com.android.chrome\app_chrome\default |
| 14 | Shortcuts | 2 | app\com.android.chrome\app_chrome\default |
| 15 | Top Sites | 2 | app\com.android.chrome\app_chrome\default |
| 16 | Trust Tokens | 3 | app\com.android.chrome\app_chrome\default |
| 17 | Web Data | 27 | app\com.android.chrome\app_chrome\default |
| 18 | Databases | 2 | app\com.android.chrome\app_chrome\default\databases |
| 19 | OfflinePages.db | 3 | com.android.chrome\app_chrome\default\offline Pages\metadata |
| 20 | RequestQueue.db | 1 | com.android.chrome\app_chrome\default\offline Pages\request_queue |
| 21 | SyncData.sqlite3 | 5 | com.android.chrome\app_chrome\default\Sync Data |
| 22 | Safe Browsing Cookies | 2 | app\com.android.chrome\app_chrome |

Rooting the Android platform gives SU privileges to do whatever we want. Android physical acquisition requires the device to be rooted. After rooting the device, we can get a physical image. After doing a full image acquisition using AXIOM, we can do analysis for the full image using Belkasoft, because the image won’t open with AXIOM. Since Belkasoft can deal with corrupted images, we will use Belkasoft to analyze the full image taken by AXIOM, as shown in Figure 14-43. A total of 204 Chrome artifacts were retrieved after rooting.
Figure 14-43. Analyzing full image using Belkasoft

Moreover, we still can navigate to the Chrome SQLite files as shown in Figure 14-44.
Figure 14-44. Locating SQLite DB files for Chrome app

After rooting Android, one more experiment was done with the Chrome app disabled. To disable the Chrome app, go to Settings > App > Chrome > Disable. After disabling Chrome, one more full image was taken by AXIOM. Analysis of this image returns nothing related to the Chrome app.

Comparison between Tools Used for iOS

In summary, comparing data acquisition from iOS devices and iOS backups, we mainly used three tools for data acquisition from the iOS device: iTunes, Belkasoft, and FINALMobile. No differences were found between the acquired data for the case study. All copies of the backup contain the same SQLite files; it is easy to export files and later view all data using SQLiteStudio or the SQLite viewer that is included in Belkasoft and FINALMobile. Automated forensics tools give different artifacts because each tool reads artifacts directly from some SQLite database files; for example, FINALMobile extracts data from devices in a different way from Belkasoft. If we are looking for more artifacts, it is very important to dig into the SQLite database files, because forensics tools will never show you all the artifacts that the logical image stores in SQLite files. It is also important to use more than one tool, because of the differences in mobile platforms, equipment, architecture, OS, make, and so on. Knowing mobile features will help the digital forensics specialist select which tool will be effective in different cases. Table 14-4 shows the basic features available in each tool for the previous experiments.

Table 14-4. Used Tool Features for iOS

Table 14-5 summarizes the comparison between tools used for Android in the acquisition phase.

Table 14-5. Comparison between Tools Used for Android in Terms of the Acquisition

Summary

In this chapter, we have investigated practical forensic analysis for the Chrome app on iOS V.12 and Android v7.0, and forensic procedures were carried out using the three phases (seizure, acquisition, examination/analysis) methodology. This study aimed to extract artifacts from Chrome applications. iBackup, iExplorer, iTunes, Belkasoft, and FINALMobile software were used for iOS V.12.5.2. ADB, Belkasoft, AXIOM, FINALMobile and MOBILedit were used for Android V 7.0. SQLiteStudio is used to view SQLite database files extracted from both Android and iOS. The results of the experiment have been presented, including artifacts such as websites visited, top sites, login data, the email that was used, the words searched, and so on. These artifacts help forensic investigators and law enforcement agencies in the investigation and can be used as evidence in court. Different tools provide different results, so it is recommended to use more tools to do forensics analysis. These differences relate to the differences in extraction evidence from different SQLite database files. It is also recommended to view all SQLite database files located under any application such as the Chrome app. Previous studies show some SQLite database files, while in this study, all SQLite database files located under the Chrome application are extracted.

References

[1] Al-Hadadi, M., & AlShidhani, A. (2013). Smartphone Forensics Analysis: A Case Study. International Journal of Computer and Electrical Engineering, 5(6), 576–580. https://doi.org/10.7763/ijcee.2013.v5.776

[2] Al-Sabaawi, A., & Foo, E. (2019). A Comparison Study of Android Mobile Forensics for Retrieving Files System. Ernest Foo International Journal of Computer Science and Security (IJCSS), 13, 2019–2148.

[3] Aleem, F. (2019). Layered Architecture Used by iOS and Its Performance & Portability. July, 0–19. https://doi.org/10.13140/RG.2.2.22845.20968

[4]

[5] Ashawa, M., & Ogwuche, I. (2017). Forensic Data Extraction and Analysis of Left Artifacts on Emulated Android Phones: A Case Study of Instant Messaging Applications. Circulation in Computer Science, 2(11), 8–16. https://doi.org/10.22632/ccs-2017-252-67

[6] Azfar, A., Choo, K. K. R., & Liu, L. (2016). An Android Social App Forensics Adversary Model. Proceedings of the Annual Hawaii International Conference on System Sciences, 2016-March, 5597–5606. https://doi.org/10.1109/HICSS.2016.693

[7] Bhardwaj, D. (2021). Download Odin Flash Tool for Samsung Galaxy Devices (All Versions). https://www.thecustomdroid.com/download-odin-flash-tool/

[8] Bhosale, S. T., Patil, T., & Patil, P. (2015). SQLite: Light Database System. International Journal of Computer Science and Mobile Computing, 44(4), 882–885.

[9] Castro, K. (2018). How Are iOS and Android Similar? How Are They Different? https://www.tutorialspoint.com/how-are-ios-and-android-similar-how-are-they-different

[10] Chernyshev, M., Zeadally, S., Baig, Z., & Woodward, A. (2017). Mobile Forensics: Advances, Challenges, and Research Opportunities. IEEE Security and Privacy, 15(6), 42–51. https://doi.org/10.1109/MSP.2017.4251107

[11] Domingues, P., Frade, M., Andrade, L. M., & Silva, J. V. (2019). Digital Forensic Artifacts of the Your Phone Application in Windows 10. Digital Investigation, 30(June), 32–42. https://doi.org/10.1016/j.diin.2019.06.003

[12] Faheem, M., Kechadi, T., & Le-Khac, N. A. (2015). The State of the Art Forensic Techniques in Mobile Cloud Environment: A Survey, Challenges and Current Trends. Web-Based Services: Concepts, Methodologies, Tools, and Applications, 2324–2344. https://doi.org/10.4018/978-14.4666-9466-8.ch103

[13] Hamid, A., Ahmad, F., Ram, K., & Khalique, A. (2015). Implementation of Forensic Analysis Procedures for WhatsApp and Viber Android Applications. International Journal of Computer Applications, 128(12), 26–33. https://doi.org/10.5120/ijca2015906683

[14] Hayes, D., Snow, C., & Altuwayjiri, S. (2017). Geolocation Tracking and Privacy Issues Associated with the Uber Mobile Application. Proceedings of the Conference on Information Systems Applied Research, 10(4511), 1–11.

[15] Thomas, A., 2022. How To Root Samsung Galaxy A7 (2016) On Android Nougat 7.0? All Models. [online] Samsungsfour.com. Available at: <www.samsungsfour.com/tutorials/how-to-root-samsung-galaxy-a7-2016-on-android-nougat-7-0-all-models.html> [Accessed 26 March 2022].

[16] Khan, J., & Shahzad, S. (2016). Android Architecture and Related Security Risks. Asian Journal of Technology & Management Research, 5(March), 2249–2892.

[17] Kitsaki, T. I., Angelogianni, A., Ntantogian, C., & Xenakis, C. (2018). A Forensic Investigation of Android Mobile Applications. ACM International Conference Proceeding Series, December, 58–63. https://doi.org/10.1145/3291533.3291573

[18] Lessad, J., & Kessler, G. C. (2013). Android Forensics: Simplifying Cell Phone Examinations. Small Scale Digital Device Forensics Journal, 4(1), 1–12.

[19] Liu, S. (2020). Market Share Held by Leading Mobile Internet Browsers Worldwide from January 2012 to September 2020. Statista. https://www.statista.com/statistics/263517/market-share-held-by-mobile-internet-browsers-worldwide/

[20] Liu, S. (2021). Global Market Share Held by Mobile Internet Browsers 2012-2021. https://www.statista.com/statistics/263517/market-share-held-by-mobile-internet-browsers-worldwide/

[21] Manendra Sai, D., G K Prasad, N. R., & Dekka, S. (2015). The Forensic Process Analysis of Mobile Device. International Journal of Computer Science and Information Technologies, 6(5), 4847–4850. www.ijcsit.com

[22] MOBILedit. (n.d.). Retrieved July 3, 2021, from https://en.wikipedia.org/wiki/MOBILedit

[23] Nemetz, S., Schmitt, S., & Freiling, F. (2018). A Standardized Corpus for SQLite Database Forensics. DFRWS 2018 EU - Proceedings of the 5th Annual DFRWS Europe, 24, S121–S130. https://doi.org/10.1016/j.diin.2018.01.015

[24] Rathod, D. (2017). Web Browser Forensics: Google Chrome Available Online at www.ijarcs.info. International Journal of Advanced Research in Computer Science, 8(December), 5–9. https://doi.org/10.26483/ijarcs.v8i7.4433

[25] Umar, R., Riadi, I., & Zamroni, G. M. (2018). Mobile Forensic Tools Evaluation for Digital Crime Investigation. International Journal on Advanced Science, Engineering and Information Technology, 8(3), 949–955. https://doi.org/10.18517/ijaseit.8.3.3591