This chapter starts by comparing and contrasting the architectures of Android and iOS discussed in the first chapter. Building on that, we implement a mobile forensics methodology to analyze the SQLite files of applications installed on a mobile device, discuss some of the techniques and tools used to extract information, and present a case study of the Chrome application. In terms of forensic analysis, the chapter also emphasizes the need to examine every SQLite file belonging to an app in order to extract as much digital evidence as possible. We investigated practical forensic analysis of the Chrome app for iOS and Android, and forensic procedures were carried out using the three-phase (seizure, acquisition, examination and analysis) methodology. This chapter aims to extract artifacts from the Chrome application using tools such as iBackup, iExplorer, iTunes, Belkasoft, and FINALMobile for iOS, and ADB, Belkasoft, AXIOM, FINALMobile, and MOBILedit for Android. SQLiteStudio is used to view the SQLite database files extracted from both Android and iOS.
Introduction to iOS Chrome App Forensics Using SQLite
SQLite Acquisition Phase
SQLite Forensic Tools
SQLite Experimental Design
Acquisition SQLite by iTunes and Belkasoft
Android Chrome App Forensics Using SQLite
Examination and Analysis Phase for Chrome App iOS and Android
Comparison between Tools Used for iOS
iOS Chrome App Forensics Using SQLite
“SQLite is an in-process library that implements a self-contained, zero-configuration, serverless, transactional SQL database engine” (Bhosale et al., 2015). SQLite’s evolution has made it one of the world’s most commonly used database management systems, as well as a storage engine for browsers and mobile apps.
Seizure Phase
- I. Agency: including institutions that conduct the forensics analysis and examination.
- II. Case identifier: case number and some other details for the case such as date and time.
- III. Forensic investigator: information about the forensics examiner including name, institution, qualification, and experience.
- IV. Identity of the submitter: details about the submitter and how it is handed over to the examiner; there can be pictures documenting the condition of the device when it is handed over.
- V. Date of evidence receipt: the date of delivery of the devices to the forensic analysis department.
- VI. Details of the device seized for examination: including serial number, make, and model. In this chapter, we will use a Samsung Galaxy A7 with Android 7.0 and an Apple iPhone 6 with iOS 12.5.2. Device specifications are shown in Table 14-1.
Table 14-1. Suspected iPhone and Android Mobile Specifications

iPhone Mobile Specifications

Item | Value | Item | Value |
---|---|---|---|
Make | iPhone 6 | Model no. | MG482AA/A |
IMEI | 3592830694**29 | Color | Silver |
Jailbroken | No | Network | JAWWAL |
Capacity | 16 GB | Passcode | Provided (111111) |
iOS version | 12.5.2 | Serial no. | C8QPM2RTG5MP |
Mobile power | On | MEID | 35928306947829 |
Airplane mode | On | Wi-Fi add. | D8:1D:72:E9:6F:0B |
Bluetooth | D8:1D:72:E9:6F:0C | ICCID | 89970281433296612949 |
Modem firmware | 7.80.04 | SIM no. | 0594-4444*** |

Suspect Android Mobile Specifications

Item | Value | Item | Value |
---|---|---|---|
Make | Samsung Galaxy A7 2016 | Model no. | SM-A710FD |
IMEI (slot 1) | 3581680770892** | Color | Black |
Root | No | Network | JAWWAL-Ps |
Capacity | 16 GB | Passcode | Provided (123456) |
Android version | 7.0 | Serial no. | RF8J72EJ*0R |
Mobile power | On | Build no. | NRD90M.A710FXXS2CTJ1 |
Airplane mode | On | Wi-Fi add. | 94:7B:E7:27:12:BC |
Bluetooth | Unavailable | SIM no. | 0593-333*** |
Acquisition Phase
Forensic Tools
Experiment Tools and Devices
No. | Tools/Devices | Description |
---|---|---|
1 | iTunes, version 12.11.3.17 | Used to get a backup for iPhone |
2 | Belkasoft Evidence Center 9.9 Build 4662 x64 | Forensic software used for acquisition and analysis |
3 | FINALMobile Forensics, user version; file version 2020.04.22, CDF version 2020.04.22 | Forensic tool used for extraction and analysis |
4 | SQLiteStudio v3.3.3 | Open and view SQLite |
5 | AXIOM | Forensics SW used for acquisition and analysis |
6 | Odin3 | SW used for root Android |
7 | HP ZBook, Windows 10, 64-bit, 24 GB RAM, Intel(R) Core™ i7-7700HQ CPU, 2.81 GHz | Workstation |
8 | Original USB cable | Media to connect the smartphone with workstation |
9 | iPhone 6 | Suspect smartphone X |
10 | Samsung Galaxy A7 2016 | Suspect smartphone Y |
Experimental Design
The experiment was prepared by (a) activating airplane mode on the mobile to isolate it from receiving and transmitting signals, (b) connecting the mobile device through a USB cable to a workstation that is not connected to the Internet and is free of malware, (c) selecting "trust computer" on the device, (d) connecting to iTunes for backup, (e) running Belkasoft to take a backup and to load the iTunes backup for analysis and comparison, and (f) running FINALMobile to take another backup and later use it for analysis.
Acquisition by iTunes and Belkasoft
iTunes backup: Create an iPhone backup as shown in Figure 14-1. This backup will be analyzed forensically using Belkasoft. The backup data is stored in the following path: C:\Users\hp\AppData\Roaming\Apple Computer\MobileSync\Backup
Acquisition by Belkasoft: When acquiring an Apple mobile device, Belkasoft offers three acquisition methods: iTunes backup; full logical backup, which requires a jailbreak; and agent backup, which is not supported for the current iOS (12.5.3 for the suspected iPhone). Figure 14-2 shows selecting Acquire Apple mobile; in the same figure, Belkasoft recognizes the iPhone once it is connected to the workstation. Figure 14-3 shows the start of the backup process.
As shown in Figure 14-8, when choosing full logical backup, it is required for the mobile to be jailbroken.
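An iTunes backup does not store files under their original names, so exporting a Chrome database from the backup folder named above means resolving it through the backup's own Manifest.db. The following is an added example (not the chapter's or any vendor's code) that does this resolution and cross-checks each entry; it assumes an unencrypted iOS 10+ backup layout, and the bundle id, paths and records it builds are constructed for the demo.

```python
"""Locate Chrome for iOS SQLite files inside an unencrypted iTunes backup.
Added example (not the chapter's or any vendor's code). Assumed iOS 10+ layout:
Manifest.db table Files(fileID, domain, relativePath, flags: 1=file 2=dir) and
each file stored as <backup>/<fileID[:2]>/<fileID>, where fileID =
SHA-1("<domain>-<relativePath>"). Bundle id and all records are constructed."""
import hashlib
import os
import sqlite3
import tempfile

CHROME_DOMAIN = "AppDomain-com.google.chrome.ios"   # assumed bundle-id domain
DB_SUFFIXES = (".db", ".sqlite", ".sqlite3")


def file_id(domain: str, relative_path: str) -> str:
    """Backup file name: hex SHA-1 over 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def find_chrome_sqlite(backup_dir: str) -> list:
    """Return (relativePath, on-disk path, present) for every regular Chrome
    file that is a database by suffix or lives in the Default/ profile.
    'present' also requires the stored fileID to equal the recomputed hash."""
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    rows = con.execute(
        "SELECT fileID, relativePath FROM Files "
        "WHERE domain = ? AND flags = 1 ORDER BY relativePath",
        (CHROME_DOMAIN,)).fetchall()
    con.close()
    hits = []
    for fid, rel in rows:
        if not (rel.endswith(DB_SUFFIXES) or "/Default/" in rel):
            continue
        on_disk = os.path.join(backup_dir, fid[:2], fid)
        ok = fid == file_id(CHROME_DOMAIN, rel) and os.path.isfile(on_disk)
        hits.append((rel, on_disk, ok))
    return hits


def build_sample_backup() -> str:
    """Constructed backup: Manifest.db plus one materialised History file."""
    root = tempfile.mkdtemp(prefix="itunes_demo_")
    con = sqlite3.connect(os.path.join(root, "Manifest.db"))
    con.execute("CREATE TABLE Files(fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    profile = "Library/Application Support/Google/Chrome/Default"
    entries = [(profile, 2), (profile + "/History", 1), (profile + "/Cookies", 1),
               ("Library/Caches/com.google.chrome.ios/Cache.db", 1)]
    for rel, flags in entries:
        con.execute("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
                    (file_id(CHROME_DOMAIN, rel), CHROME_DOMAIN, rel, flags))
    con.commit()
    con.close()
    fid = file_id(CHROME_DOMAIN, profile + "/History")  # only History is present
    os.makedirs(os.path.join(root, fid[:2]), exist_ok=True)
    with open(os.path.join(root, fid[:2], fid), "wb") as f:
        f.write(b"SQLite format 3\x00")  # header only; enough for the check
    return root
```

Entries whose hash or on-disk copy is missing are reported with present=False rather than silently dropped, which is what an examiner wants when a backup is partial.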
Examination/Analysis Phase
1. Using Belkasoft
2. Using FINALMobile
3. Using iBackUp
4. Using iExplorer
Android Chrome App Forensics Using SQLite
The experiment design was prepared by (a) activating airplane mode on the mobile to isolate it from receiving and transmitting signals, (b) connecting the mobile device through a USB cable to a workstation that is not connected to the Internet and is free of malware, (c) selecting "trust computer" on the device, (d) using the ADB command to take a backup, (e) running Belkasoft to take an ADB backup and a physical image (also used for analysis and comparison), (f) running FINALMobile to take another backup and later use it for analysis, (g) using AXIOM to take a full image and later use it for analysis, and (h) using MOBILedit for backup and analysis.
Before Rooting
Using ADB Command
Using AXIOM
Using Belkasoft
- a. Choosing "Mobile" under Acquire and analyze, then selecting Android as shown in Figure 14-23.
- b. Selecting the acquisition method as shown in Figure 14-24.
Using FINALMobile
Rooting
To root the mobile device using Odin3, first enable OEM unlock as shown in Figure 14-17, turn off the mobile, and then enter download mode by pressing and holding power + volume down + home together until the warning screen appears, then press volume up. After that, run Odin3 as administrator and connect the mobile device to the PC via USB cable; Odin3 confirms the connection by showing "Added" as shown in Figure 14-29. If there is no confirmation, there is a problem with the mobile driver, and it is recommended to install the correct driver for the mobile.
Once the connection is confirmed, locate the root file, which can be downloaded from samsungsfour.com [15] depending on the version and model, add it to Odin3 by clicking AP and selecting the root file (in .tar.md5 format), and then start rooting the device as shown in Figure 14-28.
After successfully rooting the mobile, we obtain superuser (SU) privileges and can access the data folder on Android, which was restricted to SU before rooting; we can do anything, such as removing the files that contain passcodes or patterns, and we can perform a physical acquisition.
After Rooting
Examination and Analysis Phase for Android
1. Before Rooting
2. After Rooting
Results and Discussion
iOS
The Chrome application on iPhone is like any other application in that many artifacts can be extracted from it. In the conducted experiment, manual acquisition of SQLite files without jailbreaking the mobile is possible if the mobile is open (no passcode or pattern is set), by using iTunes, iBackup, or iExplorer to obtain an iTunes backup. We can then easily export an SQLite file and open it with any SQLite viewer, such as SQLiteStudio. Alternatively, we can use Belkasoft and FINALMobile as forensic tools to obtain the iTunes backup and perform the forensic analysis with the tools' own features, or export the SQLite files to be opened in SQLiteStudio.
Android
Many applications exist for a specific purpose; for example, the purpose of the email application is to open email, the purpose of the Facebook application is to open Facebook, and so on. Even though these applications are designed for specific purposes, Internet browsers are still used to search for and open email, Facebook, and so on. The most used Internet browser is the Chrome app. Therefore, it is always recommended to check the artifacts in Chrome and in any other Internet browsers that are present. As on any mobile platform, Chrome is used on Android, and using Chrome can leave a lot of artifacts. Once more, if we are looking for more artifacts, it is necessary to look through all SQLite database files.
SQLite Files Located under Chrome App
No | SQLite file | No. of Tables | Location |
---|---|---|---|
1 | Account Web Data | 22 | app\com.android.chrome\app_chrome\default |
2 | Affiliation Database | 3 | app\com.android.chrome\app_chrome\default |
3 | Cookies | 2 | app\com.android.chrome\app_chrome\default |
4 | Favicons | 4 | app\com.android.chrome\app_chrome\default |
5 | Heavy_ad_intervention_opt_out.db | 2 | app\com.android.chrome\app_chrome\default |
6 | History | 12 | app\com.android.chrome\app_chrome\default |
7 | Lite_video_opt_out.db | 2 | app\com.android.chrome\app_chrome\default |
8 | Login Data | 6 | app\com.android.chrome\app_chrome\default |
9 | Media History | 6 | app\com.android.chrome\app_chrome\default |
10 | Network Action Predictor | 4 | app\com.android.chrome\app_chrome\default |
11 | Origin Bound Certs | 2 | app\com.android.chrome\app_chrome\default |
12 | QuotaManager | 4 | app\com.android.chrome\app_chrome\default |
13 | Reporting and NEL | 4 | app\com.android.chrome\app_chrome\default |
14 | Shortcuts | 2 | app\com.android.chrome\app_chrome\default |
15 | Top Sites | 2 | app\com.android.chrome\app_chrome\default |
16 | Trust Tokens | 3 | app\com.android.chrome\app_chrome\default |
17 | Web Data | 27 | app\com.android.chrome\app_chrome\default |
18 | Databases | 2 | app\com.android.chrome\app_chrome\default\databases |
19 | OfflinePages.db | 3 | com.android.chrome\app_chrome\default\Offline Pages\metadata |
20 | RequestQueue.db | 1 | com.android.chrome\app_chrome\default\Offline Pages\request_queue |
21 | SyncData.sqlite3 | 5 | com.android.chrome\app_chrome\default\Sync Data |
22 | Safe Browsing Cookies | 2 | app\com.android.chrome\app_chrome |
After rooting Android, one more experiment was done by disabling the Chrome app. To disable the Chrome app, go to Settings ➤ App ➤ Chrome ➤ Disable. After disabling Chrome, one more full image was taken with AXIOM; analysis of this image returned nothing related to the Chrome app.
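Most of the files in the table above carry no extension, so an examiner who wants to be sure every Chrome database is covered identifies them by content rather than by name. The following added example (not the chapter's or any tool's code) walks an extracted profile, recognises SQLite files by their header, counts their tables like the "No. of Tables" column, and decodes the History timestamps; the profile it builds is constructed for the demo, and the WebKit epoch conversion is an assumption stated in the code.

```python
"""Inventory every SQLite database under an extracted Chrome profile and
decode History timestamps. Added example (not the chapter's or any tool's
code). Assumes databases are recognised by the 16-byte header "SQLite format
3\\0" and urls.last_visit_time is WebKit time (microseconds since 1601-01-01 UTC)."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(micros: int) -> str:
    """Chrome/WebKit timestamp (us since 1601-01-01) -> ISO-8601 UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=micros)).isoformat()


def open_ro(path: str) -> sqlite3.Connection:
    """Open read-only via URI so the evidence copy is never modified."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def inventory(profile_dir: str) -> dict:
    """Map each SQLite file (path relative to the profile) to its table count,
    walking sub-directories so databases\\ and Offline Pages\\ are not missed."""
    found = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                if f.read(16) != SQLITE_MAGIC:
                    continue  # e.g. Preferences (JSON) is skipped by content
            con = open_ro(path)
            n = con.execute("SELECT count(*) FROM sqlite_master "
                            "WHERE type = 'table'").fetchone()[0]
            con.close()
            found[os.path.relpath(path, profile_dir)] = n
    return found


def history_visits(profile_dir: str) -> list:
    """(url, title, visit_count, last_visit ISO) rows from <profile>/History."""
    con = open_ro(os.path.join(profile_dir, "History"))
    rows = con.execute("SELECT url, title, visit_count, last_visit_time "
                       "FROM urls ORDER BY last_visit_time").fetchall()
    con.close()
    return [(u, t, c, webkit_to_iso(ts)) for u, t, c, ts in rows]


def build_sample_profile() -> str:
    """Constructed profile: History, Cookies and a JSON Preferences file."""
    root = tempfile.mkdtemp(prefix="chrome_demo_")
    con = sqlite3.connect(os.path.join(root, "History"))
    con.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
                " visit_count INTEGER, last_visit_time INTEGER)")
    con.execute("INSERT INTO urls VALUES (1, 'https://example.org/', 'Example',"
                " 3, 13300000000000000)")  # constructed WebKit timestamp
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(root, "Cookies"))
    con.execute("CREATE TABLE cookies(host_key TEXT, name TEXT, expires_utc INTEGER)")
    con.commit()
    con.close()
    with open(os.path.join(root, "Preferences"), "w") as f:
        f.write('{"profile": {}}')
    return root
```

Run against a real extracted profile, the inventory is the checklist to compare with what an automated tool actually parsed.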
Comparison between Tools Used for iOS
In summary, comparing data acquisition from iOS devices and iOS backups, we mainly used three tools to acquire data from the iOS device: iTunes, Belkasoft, and FINALMobile. No differences were found between the acquired data for the case study. All copies of the backup contain the same SQLite files; it is easy to export the files and later view all data using SQLiteStudio or the SQLite viewer included in Belkasoft and FINALMobile. Using automated forensic tools gives different artifacts because each tool reads artifacts directly from only some of the SQLite database files; for example, FINALMobile extracts data from devices in a different way from Belkasoft. If we are looking for more artifacts, it is very important to dig deeply into the SQLite database files, because forensic tools will never show all the artifacts that are stored in the SQLite files of the logical image. It is also important to use more than one tool, because of the differences in mobile platforms, equipment, architecture, OS, make, and so on. Knowing the mobile's features makes it easier for the digital forensics specialist to select which tool will be effective in different cases. Table 14-4 shows the basic features available in each tool for the previous experiments.
Table 14-4. Used Tool Features for iOS
Table 14-5 summarizes the comparison between tools used for Android in the acquisition phase.
Summary
In this chapter, we have investigated practical forensic analysis for the Chrome app on iOS v12 and Android v7.0, and forensic procedures were carried out using the three-phase (seizure, acquisition, examination/analysis) methodology. This study aimed to extract artifacts from the Chrome application. iBackup, iExplorer, iTunes, Belkasoft, and FINALMobile software were used for iOS v12.5.2. ADB, Belkasoft, AXIOM, FINALMobile, and MOBILedit were used for Android v7.0. SQLiteStudio was used to view the SQLite database files extracted from both Android and iOS. The results of the experiment have been presented, including artifacts such as websites visited, top sites, login data, the email address that was used, the words searched, and so on. These artifacts help forensic investigators and law enforcement agencies in an investigation and can be used as evidence in court. Different tools provide different results, so it is recommended to use more than one tool for forensic analysis; these differences come from the tools extracting evidence from different SQLite database files. It is also recommended to view all SQLite database files located under any application, such as the Chrome app. Previous studies show only some SQLite database files, whereas in this study all SQLite database files located under the Chrome application are extracted.
References
- [1]. Al-Hadadi, M., & AlShidhani, A. (2013). Smartphone Forensics Analysis: A Case Study. International Journal of Computer and Electrical Engineering, 5(6), 576–580. https://doi.org/10.7763/ijcee.2013.v5.776
- [2]. Al-Sabaawi, A., & Foo, E. (2019). A Comparison Study of Android Mobile Forensics for Retrieving Files System. International Journal of Computer Science and Security (IJCSS), 13, 2019–2148.
- [3]. Aleem, F. (2019). Layered Architecture Used by iOS and Its Performance & Portability. July, 0–19. https://doi.org/10.13140/RG.2.2.22845.20968
- [4]. Android Architecture. (2019). https://androidframework.com/2019/04/27/android-architecture/
- [5]. Ashawa, M., & Ogwuche, I. (2017). Forensic Data Extraction and Analysis of Left Artifacts on Emulated Android Phones: A Case Study of Instant Messaging Applications. Circulation in Computer Science, 2(11), 8–16. https://doi.org/10.22632/ccs-2017-252-67
- [6]. Azfar, A., Choo, K. K. R., & Liu, L. (2016). An Android Social App Forensics Adversary Model. Proceedings of the Annual Hawaii International Conference on System Sciences, 2016-March, 5597–5606. https://doi.org/10.1109/HICSS.2016.693
- [7]. Bhardwaj, D. (2021). Download Odin Flash Tool for Samsung Galaxy Devices (All Versions). https://www.thecustomdroid.com/download-odin-flash-tool/
- [8]. Bhosale, S. T., Patil, T., & Patil, P. (2015). SQLite: Light Database System. International Journal of Computer Science and Mobile Computing, 44(4), 882–885.
- [9]. Castro, K. (2018). How Are iOS and Android Similar? How Are They Different? https://www.tutorialspoint.com/how-are-ios-and-android-similar-how-are-they-different
- [10]. Chernyshev, M., Zeadally, S., Baig, Z., & Woodward, A. (2017). Mobile Forensics: Advances, Challenges, and Research Opportunities. IEEE Security and Privacy, 15(6), 42–51. https://doi.org/10.1109/MSP.2017.4251107
- [11]. Domingues, P., Frade, M., Andrade, L. M., & Silva, J. V. (2019). Digital Forensic Artifacts of the Your Phone Application in Windows 10. Digital Investigation, 30(June), 32–42. https://doi.org/10.1016/j.diin.2019.06.003
- [12]. Faheem, M., Kechadi, T., & Le-Khac, N. A. (2015). The State of the Art Forensic Techniques in Mobile Cloud Environment: A Survey, Challenges and Current Trends. Web-Based Services: Concepts, Methodologies, Tools, and Applications, 2324–2344. https://doi.org/10.4018/978-14.4666-9466-8.ch103
- [13]. Hamid, A., Ahmad, F., Ram, K., & Khalique, A. (2015). Implementation of Forensic Analysis Procedures for WhatsApp and Viber Android Applications. International Journal of Computer Applications, 128(12), 26–33. https://doi.org/10.5120/ijca2015906683
- [14]. Hayes, D., Snow, C., & Altuwayjiri, S. (2017). Geolocation Tracking and Privacy Issues Associated with the Uber Mobile Application. Proceedings of the Conference on Information Systems Applied Research, 10(4511), 1–11.
- [15]. Thomas, A. (2022). How To Root Samsung Galaxy A7 (2016) On Android Nougat 7.0? All Models. Samsungsfour.com. www.samsungsfour.com/tutorials/how-to-root-samsung-galaxy-a7-2016-on-android-nougat-7-0-all-models.html (Accessed 26 March 2022).
- [16]. Khan, J., & Shahzad, S. (2016). Android Architecture and Related Security Risks. Asian Journal of Technology & Management Research, 5(March), 2249–2892.
- [17]. Kitsaki, T. I., Angelogianni, A., Ntantogian, C., & Xenakis, C. (2018). A Forensic Investigation of Android Mobile Applications. ACM International Conference Proceeding Series, December, 58–63. https://doi.org/10.1145/3291533.3291573
- [18]. Lessad, J., & Kessler, G. C. (2013). Android Forensics: Simplifying Cell Phone Examinations. Small Scale Digital Device Forensics Journal, 4(1), 1–12.
- [19]. Liu, S. (2020). Market Share Held by Leading Mobile Internet Browsers Worldwide from January 2012 to September 2020. Statista. https://www.statista.com/statistics/263517/market-share-held-by-mobile-internet-browsers-worldwide/
- [20]. Liu, S. (2021). Global Market Share Held by Mobile Internet Browsers 2012-2021. https://www.statista.com/statistics/263517/market-share-held-by-mobile-internet-browsers-worldwide/
- [21]. Manendra Sai, D., G K Prasad, N. R., & Dekka, S. (2015). The Forensic Process Analysis of Mobile Device. International Journal of Computer Science and Information Technologies, 6(5), 4847–4850. www.ijcsit.com
- [22]. MOBILedit. (n.d.). Retrieved July 3, 2021, from https://en.wikipedia.org/wiki/MOBILedit
- [23]. Nemetz, S., Schmitt, S., & Freiling, F. (2018). A Standardized Corpus for SQLite Database Forensics. DFRWS 2018 EU - Proceedings of the 5th Annual DFRWS Europe, 24, S121–S130. https://doi.org/10.1016/j.diin.2018.01.015
- [24]. Rathod, D. (2017). Web Browser Forensics: Google Chrome. International Journal of Advanced Research in Computer Science, 8(December), 5–9. https://doi.org/10.26483/ijarcs.v8i7.4433
- [25]. Umar, R., Riadi, I., & Zamroni, G. M. (2018). Mobile Forensic Tools Evaluation for Digital Crime Investigation. International Journal on Advanced Science, Engineering and Information Technology, 8(3), 949–955. https://doi.org/10.18517/ijaseit.8.3.3591