Facebook Messenger (FBM) is one of the most widely used mobile messaging applications. Besides everyday communication, it appears in criminal cases, and following a scientific mobile forensic process is what keeps the evidence it holds admissible. This study follows the NIST mobile forensic process to retrieve data from FBM. It presents techniques for device identification, data acquisition, and analysis of FBM data on both Android and iOS devices. Acquisition used Libimobiledevice, iTunes, Belkasoft, AXIOM, and ADB; analysis used AXIOM Examine, Belkasoft, and DB Browser for SQLite. The results show that AXIOM was the most suitable tool for analyzing the encrypted iTunes image of the iOS device, while Belkasoft performed better on the ADB image of the Android device; on Android, extracting FBM data required a rooted device.
Introduction to FBM Application
Introduction to Mobile Messenger Application
Experiment Tools
Evidence and Scene Security
Evidence Isolation
Data Acquisition
FBM Data Analysis Using Magnet AXIOM Examine
FBM Data Analysis Using Belkasoft
FBM Data Analysis Using DB Browser for SQLite
Recovering Deleted Evidence from SQLite Property Lists
Summary
Introduction to FBM Application
Internet access has grown dramatically over the last two decades; more than 60% of the global population can access the Internet today, and 92.6% of them do so via mobile devices [1]. The availability of Internet services over mobile operators' networks (3G, 4G, and 5G) was an essential factor in this growth. With it, mobile messaging has evolved from plain text exchange, its original core feature, into voice and video communication with the ability to exchange pictures and files. Instant messaging became a chat platform offering real-time text messaging over the Internet, and this evolution created competition between social network platforms to provide smooth, fast messaging apps. The most popular mobile messaging platform is Facebook: as shown in Figure 13-1, the most popular messaging application is WhatsApp followed by FBM, and Facebook owns both [2].
Facebook has become an important part of daily life and has a greater impact than other social networking sites, because it is used by all age groups and brings together a huge number of people. In many cases, conversations now take place on the FBM application. Because the app is so effective and feature-rich, it has also had a clear share in the rise of electronic crime.
Messaging apps are not limited to legitimate use; criminals use them to contact each other or to commit crimes, and FBM is one of the apps involved in digital crimes. It can be used to plan crimes such as drug dealing, theft, murder, or terrorism, or to commit crimes directly through the app, such as extortion, harassment, or fraud. Using FBM leaves traces that can help investigators in court, but such traces are admissible as evidence only if they are retrieved following a specific procedure. The forensic analysis here is therefore based on mobile forensics principles, a branch of digital forensics.
FBM is a leading social media messaging platform and is expected to become more popular as it gains new features: it is planned to chat directly with other messaging platforms, and it already offers many customizations and services, including money transfer. For this reason, it is expected to appear more often in criminal investigations. On iOS, FBM spans the top application layer, the media layer, and some components of the core services layer. The growing number of FBM artifacts is a consequence of its continuous development by Facebook.
In this chapter, Android and iOS forensic examination techniques are presented together with the architecture of both mobile operating systems. The preparations needed for data extraction from Android and iOS devices are discussed, the data extraction techniques and their different approaches are presented, and the analysis of FBM data is presented in detail.
Introduction to Mobile Messenger Application
The identification of digital evidence for the FBM app [3] was performed on an Android device using the Magnet AXIOM and Oxygen Forensics tools. The researchers were able to view the device details and recover the evidence with both tools, and scored each tool with an index calculated from the NIST method parameters: AXIOM scored 75% whereas Oxygen scored 79%. They used only an Android device, with no iOS device for comparison, and only AXIOM and Oxygen as forensic tools.
In a mobile forensic study of Android-based IMO messenger services using the Digital Forensic Research Workshop (DFRWS) method [4], the researchers followed a three-phase methodology of identification, preservation, and collection. They compared data extraction from rooted and unrooted devices with IMO installed, using MOBILedit, DB Browser for SQLite, FTK Imager, and Belkasoft as forensic tools. All IMO data could be retrieved from the rooted device, but nothing was retrieved from the unrooted one. Another experiment [7] analyzed LINE Messenger on virtual Android machines: the researchers ran BlueStacks with LINE Messenger installed inside VMware Workstation, suspended the virtual machine, acquired the files holding its volatile and nonvolatile memory, and analyzed them with WinHex, EnCase, and Root Explorer, identifying the LINE Messenger artifacts and their data locations.
Instagram forensic analysis [8] was performed on Android virtual devices using Genymotion, DB Browser for SQLite, Android Studio Device File Explorer, and Sqliteparser. The researchers were able to identify and access the application's datastores under /data/data; whether the device was rooted is not mentioned. Similar research forensically analyzed the TikTok app [9] on Android; the researchers separated the identified artifacts into two categories, the first accessible without root privileges on the smartphone and the second available only on a rooted device.
In the next sections, we follow four stages. The first is seizing the device and securing its related digital evidence to prevent changes to the data or manipulation of the evidence. Then comes acquisition, that is, obtaining evidential information from the device or its related media. The examination and analysis stage then searches for and reveals hidden or deleted evidence by working on an identical copy of the acquired image with different toolkits. The last stage described in detail is reporting, which depends on precise records of the information gathered during the previous stages; all the information and the conclusions drawn from the investigation are presented in a report to the court or the legal parties according to well-understood procedures.
Experiment Tools and Devices
Experiment Devices
Device | OS | Model Name | Model Number |
---|---|---|---|
Apple iPhone | iOS 14.6 | iPhone 6s | A1688 |
Huawei Mobile | Android | Y3 2017 | CRO-U00 |
HP Laptop | Windows 10 | ProBook 640 G1 | |
Experiment Forensic Tools
Tool Name | Version | Note |
---|---|---|
iTunes | 12.11.3.17 | Apple app for Windows |
Libimobiledevice | 18/05/2020 | Windows compiled |
Belkasoft Evidence Center | 9.9 | For Windows |
Magnet AXIOM Process | 4.6 | For Windows |
Magnet AXIOM Examine | 4.6 | For Windows |
DB Browser for SQLite | 3.12.2 | For Windows |
ADB Android toolkit | 1.0.41 | For Windows |
iOS Device Identification
Device Identification Using Libimobiledevice
- 1.
Use the command idevice_id to learn the UDID of the device, which identifies the iTunes backup folder belonging to that device:
idevice_id.exe -l
Output: 53e291a4587a7e9572dd729f02c534ca4772c53f
- 2.
Use the command ideviceinfo, which prints a large set of forensically useful identifiers for the device, including information that other forensic tools do not show:
ideviceinfo.exe
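The ideviceinfo output is plain "Key: Value" text, which is easy to capture into the case file. The script below is an added example, not code from the chapter: it parses that output into a dictionary and pulls out the identifiers an examiner records at this stage (UDID, IMEI, serial, model, iOS version, passcode state). SAMPLE_IDEVICEINFO is a constructed stand-in for the tool's stdout; the key names are the ones ideviceinfo prints, the values are invented except for the UDID, which is the one shown by idevice_id above.

```python
"""Parse the key/value output of ideviceinfo into a device-identification record.

Added example; not code from the original chapter. SAMPLE_IDEVICEINFO is a
constructed stand-in for real tool output. Call run_ideviceinfo() against the
seized device to use the real thing.
"""
import re
import subprocess

# Constructed sample of ideviceinfo stdout (values invented, UDID from the text).
SAMPLE_IDEVICEINFO = """\
ActivationState: Activated
BuildVersion: 18F72
DeviceClass: iPhone
DeviceName: iPhone
InternationalMobileEquipmentIdentity: 353290070000000
PasswordProtected: false
ProductType: iPhone8,1
ProductVersion: 14.6
SerialNumber: F17QX000000X
UniqueDeviceID: 53e291a4587a7e9572dd729f02c534ca4772c53f
WiFiAddress: 00:11:22:33:44:55
NonVolatileRAM:
 backlight-level: 1234
 boot-args:
"""

# ideviceinfo key -> label used on the identification form
IDENT_FIELDS = {
    "UniqueDeviceID": "UDID (names the iTunes backup folder)",
    "InternationalMobileEquipmentIdentity": "IMEI",
    "SerialNumber": "serial number",
    "ProductType": "hardware model",
    "ProductVersion": "iOS version",
    "BuildVersion": "iOS build",
    "PasswordProtected": "passcode set",
}

_LINE = re.compile(r"^(\s*)([^:]+):\s?(.*)$")


def parse_ideviceinfo(text):
    """Return {key: value} for every 'Key: Value' line.

    Nested sections (ideviceinfo indents their children by one space) are
    flattened to 'Parent/child' so nothing is silently dropped.
    """
    info, parent = {}, None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        key, value = key.strip(), value.strip()
        if indent and parent:
            info[f"{parent}/{key}"] = value
        else:
            parent = key
            info[key] = value
    return info


def identification_record(info):
    """Pick the identification fields; a missing key yields None instead of an
    exception, so a partial pairing still produces a record to file."""
    return {label: info.get(key) for key, label in IDENT_FIELDS.items()}


def run_ideviceinfo(exe="ideviceinfo"):
    """Run the real tool (ideviceinfo.exe on Windows) and parse its output."""
    out = subprocess.run([exe], capture_output=True, text=True, check=True).stdout
    return identification_record(parse_ideviceinfo(out))


if __name__ == "__main__":
    for label, value in identification_record(parse_ideviceinfo(SAMPLE_IDEVICEINFO)).items():
        print(f"{label:40} {value}")
```

The UDID value is what to look for as the folder name under the iTunes backup location later in the chapter; the IMEI is the field AXIOM reports instead.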
Device Identification Using Belkasoft Evidence Center
Device Identification Using Magnet AXIOM
From the preceding simple comparison, different forensic tools provide different device information details. For example, AXIOM did not show the UDID but provided IMEI.
Device Identification via IMEI Number
Android Device Connection Setup
The device identification process for Android devices is very important for forensic data acquisition, since the manufacturer, model, and Android version determine the tools needed. The manufacturer can be read from the label, usually on the back of the device. Under Menu ➤ Settings ➤ About phone, the model number can be identified along with other useful information, including the kernel version and the build number, which is needed to enable developer mode. Tools can also help identify the device once it is connected to a forensic lab computer. The device used in this case study is a Huawei Y3 (2017) running Android 6.0 with kernel version 3.18.19.
Connecting the device to a computer requires a data cable, and the connector type depends on the device model: mini-USB, micro-USB, or USB Type-C, with other types such as coaxial or D-subminiature cables appearing in rare cases. The device drivers must be installed on the computer for a successful connection. Recent Windows versions install them automatically, but in some cases the drivers must be downloaded from the manufacturer's site and installed manually.
The next step is to enable data transfer once the device is connected to the computer: pull down the notification area and set the USB connection type to data transfer (on older devices, Turn on USB storage). To use the forensic tools on an Android device, it must be in USB debugging mode. USB debugging is enabled from Settings ➤ About phone by tapping the build number several times in a row; a countdown is shown until the developer options are enabled. Then, from Settings ➤ Developer options, enable USB debugging. In some cases, the device administration settings should also be checked: a mobile device management application installed on the device, such as Family Link, can block access over USB debugging even when the option is enabled on the device but disabled in the Family Link policy.
Using Automated Tools
Gaining Root Access
From a forensic point of view, rooting an Android device is needed to access application data and to obtain more data when acquiring the device. Rooting, described in detail in Chapter 7, grants the highest privileges at the OS level to perform actions and access partitions that are not allowed to normal users. Rooting makes irreversible changes to the evidence device, so it must be documented and justified in the case record. It also grants privileges that expose the device to vulnerabilities, malicious apps, and user misuse. For these reasons rooting voids the device warranty, and there is a risk of damaging the device during the process.
- 1.
Download the TWRP file from [20]. It contains an image of a modified recovery partition that will be written over the device's recovery partition.
- 2.
Enable the USB debugging option from the developer options and connect the device to the forensic computer.
- 3.
Use ADB to list the device (adb.exe devices) and confirm that it appears with the state "device".
- 4.
Using the ADB tool, reboot the device into fastboot mode with the command adb.exe reboot bootloader; the device reboots into the bootloader.
- 5.
To make sure the device is connected in fastboot mode, run fastboot.exe devices, which should list the device.
- 6.
Extract recovery.img from the downloaded TWRP archive into the ADB folder.
- 7.
Write the image to the device with the command fastboot flash recovery recovery.img. As shown in Figure 13-7, this writes the image onto the recovery partition of the target device.
- 8.
Download the SuperSU zip file, copy it to an SD card, power off the device, and insert the card into the device.
- 9.
Power on the device in recovery mode by holding Volume Up + Power.
- 10.
In TWRP, choose Backup to back up the existing data first, then choose Install and select the SuperSU zip from the SD card.
- 11.
Swipe the slider at the bottom of the screen to confirm the flash.
- 12.
Reboot the device from the menu.
- 13.
Verify root by installing the Root Checker app.
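Step 7 is the point of no return, and two mistakes there are hard to undo: flashing a handset other than the evidence device, and flashing a recovery.img that is not the file whose hash was recorded when it was downloaded from [20]. The script below is an added example, not part of the chapter's procedure or of any tool: it parses the device listings that adb and fastboot print, refuses to flash unless exactly one device with the expected serial is attached in fastboot state, and compares the image's SHA-256 with the recorded digest before invoking fastboot. The serial, the listings and the digest in the demo are constructed; the fastboot call is injectable so the demo never touches a real device.

```python
"""Pre-flight checks before `fastboot flash recovery recovery.img`.

Added example; not the chapter's code. SERIAL and the listings in demo() are
constructed; with a real device, call flash_recovery() with the serial shown
by `adb devices` and the SHA-256 recorded at download time.
"""
import hashlib
import os
import subprocess
import tempfile

SERIAL = "CRO0U00DEMO01"  # constructed serial for the demo


def parse_device_list(output):
    """'<serial>\\t<state>' lines from `adb devices` / `fastboot devices` -> {serial: state}.
    The 'List of devices attached' header and blank lines are skipped."""
    devices = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] != "List":
            devices[parts[0]] = parts[1]
    return devices


def check_single_device(output, expected_serial, expected_state):
    """Return (ok, reason). Refuse when zero or several devices are listed, when
    the serial differs, or when the state is not the wanted one
    ('device' for adb, 'fastboot' for fastboot)."""
    devices = parse_device_list(output)
    if len(devices) != 1:
        return False, f"{len(devices)} devices listed, expected exactly one"
    (serial, state), = devices.items()
    if serial != expected_serial:
        return False, f"unexpected device {serial}"
    if state != expected_state:
        return False, f"device state is {state!r}, expected {expected_state!r}"
    return True, "ok"


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()


def flash_recovery(serial, image_path, expected_sha256, fastboot="fastboot", run=subprocess.run):
    """Flash only after both checks pass; `run` is injectable for the demo."""
    listing = run([fastboot, "devices"], capture_output=True, text=True, check=True).stdout
    ok, reason = check_single_device(listing, serial, "fastboot")
    if not ok:
        raise RuntimeError(f"refusing to flash: {reason}")
    actual = sha256_file(image_path)
    if actual != expected_sha256:
        raise RuntimeError(f"refusing to flash: recovery.img digest {actual} != {expected_sha256}")
    run([fastboot, "-s", serial, "flash", "recovery", image_path], check=True)
    return True


def demo():
    """Wrong device rejected; good image flashed (with a stub); tampered image rejected."""
    fd, img = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    with open(img, "wb") as fh:
        fh.write(b"\x00" * 1024)  # stand-in recovery image
    good = sha256_file(img)
    calls = []

    def fake_run(cmd, **kwargs):  # stub fastboot: records the command, lists SERIAL
        calls.append(cmd)
        out = f"{SERIAL}\tfastboot\n" if "devices" in cmd else ""
        return subprocess.CompletedProcess(cmd, 0, stdout=out, stderr="")

    try:
        wrong = check_single_device("List of devices attached\nOTHER123\tdevice\n", SERIAL, "device")
        flashed = flash_recovery(SERIAL, img, good, run=fake_run)
        try:
            flash_recovery(SERIAL, img, "0" * 64, run=fake_run)
            tampered = False
        except RuntimeError:
            tampered = True
    finally:
        os.remove(img)
    return wrong[0], flashed, tampered, calls[1][:5]


if __name__ == "__main__":
    print(demo())
```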
Android Data Extraction Techniques
The following subsections discuss the three extraction techniques, manual, logical, and physical, as applied in this case study of FBM data.
Manual Data Extraction
This technique involves accessing the device as a normal user and browsing the data directly, documenting each step with screenshots. Its disadvantages are limited data access and evidence changes: only what the regular user interface exposes is visible, and opening unread messages or triggering any other action may alter or lose data. Depending on the case, this may be the fastest extraction technique with minimal preparation. Even so, it should not be considered unless the case is urgent (life or death) or the goal is to verify data obtained with the other techniques.
In our case study, since the device is unlocked, we were able to open the Messenger app and browse the conversations directly.
Logical Data Extraction
This technique, which involves using forensic acquisition tools to extract data and the file system from the device, works on most devices. The amount of data retrieved depends on the access level on the device. This means limited data will be retrieved for unrooted devices.
Physical Data Extraction
This technique involves obtaining the exact binary image of the device’s memory or external storage. This is done bit by bit for the entire memory. This technique is different from logical data extraction. With physical imaging, deleted files can be recovered in some cases. Additionally, hidden file leftovers can be retrieved from the slack space or unallocated space.
- 1.
Connect the device to the computer and check the connection with the command adb devices; make sure the device is listed.
- 2.
Use a new, empty SD card of adequate size to store the image, and attach it to the device.
- 3.
Use the mount command to list the partitions under /dev that hold the Android file system, together with their mount points.
- 4.
Execute the dd command on the partitions of interest. The /data partition is a block device under /dev/block/<block number>; the mount output shows /data as the mount point next to that block device. In the dd command, the input file (if=) is the target block device and the output file (of=) is a file on the SD card partition.
Alternatively, pipe the dd output through netcat to the forensic computer instead of writing it to the SD card; this is the method most forensic tools use internally.
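The workstation side of that netcat transfer, as an added example that is not part of the original chapter. It assumes the handset side is something like dd if=/dev/block/<block number> | nc -l -p 8888 behind adb forward tcp:8888 tcp:8888 (the exact netcat flags depend on the busybox or toybox build on the device), and it adds the check an examiner needs afterwards: the image is hashed as it streams in and re-hashed from disk, so the digest can be compared with a checksum computed on the same block device on the handset (for example with busybox sha256sum). The demo serves constructed bytes over a loopback socket instead of a phone.

```python
"""Receive a dd image streamed over netcat and hash it as it arrives.

Added example; not the chapter's code. The handset command, port and checksum
tool named in the lead-in are assumptions; demo() uses a loopback socket and
constructed bytes instead of a device.
"""
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 1 << 16


def receive_image(host, port, out_path):
    """Connect to host:port (the adb-forwarded netcat listener), store the
    stream in out_path, and return (bytes_received, sha256_hex)."""
    digest = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port)) as sock, open(out_path, "wb") as out:
        while True:
            data = sock.recv(CHUNK)
            if not data:          # listener closed: dd finished
                break
            out.write(data)
            digest.update(data)
            total += len(data)
    return total, digest.hexdigest()


def verify_image(out_path, device_digest):
    """Re-hash the file on disk and compare with the digest computed on the device."""
    digest = hashlib.sha256()
    with open(out_path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest() == device_digest


def _serve_once(payload, port_holder, ready):
    """Stand-in for `dd | nc -l`: serve payload to the first client, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(payload)
    srv.close()


def demo():
    """Stream a constructed 300 KiB 'partition' over loopback and verify it."""
    payload = bytes(range(256)) * 1200           # constructed block-device content
    expected = hashlib.sha256(payload).hexdigest()  # what the device-side checksum would give
    port_holder, ready = [], threading.Event()
    t = threading.Thread(target=_serve_once, args=(payload, port_holder, ready))
    t.start()
    ready.wait()
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        size, received = receive_image("127.0.0.1", port_holder[0], path)
        ok = verify_image(path, expected)
    finally:
        os.remove(path)
    t.join()
    return size == len(payload) and received == expected and ok


if __name__ == "__main__":
    print("image received and verified:", demo())
```

Record both digests (device side and workstation side) in the acquisition notes; a mismatch means the transfer was truncated or the block device changed while dd was reading it.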
Practical Logical Data Extraction for iOS Devices
This experiment performs logical acquisition using iTunes backup, the Libimobiledevice tool, Belkasoft Evidence Center, and Magnet AXIOM Process.
Logical Data Extraction Using iTunes
In our case, the iTunes backup is located at C:\Users\<User name>\Apple\MobileSync\Backup. The Backup folder contains a subfolder named with the UDID of the iOS device; each backed-up device has its own UDID-named folder.
Logical Data Extraction Using Libimobiledevice Library
Two steps are required: enabling the encrypted backup option and taking the logical image. Encryption is enabled with the command idevicebackup2.exe encryption on <Backup_Password>. Record the password in the case notes, since the analysis tools need it to decrypt the image.
After confirmation that encryption is enabled, the following command takes the backup: idevicebackup2.exe backup --full <Image_Path>. The image is written to the destination path inside a folder named with the device UDID.
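Before handing the backup to AXIOM or Belkasoft, it is worth confirming mechanically that the folder really is an encrypted backup of the seized device and that it contains the Messenger app. The script below is an added example, not the chapter's code: it reads the backup's Manifest.plist with plistlib (that file stays a plain plist even when the backup is encrypted; the file catalogue Manifest.db, by contrast, is itself encrypted in an encrypted backup, which is why the DB viewer step later in the chapter needs a tool that decrypts with the backup password). The folder built by make_sample_backup() is a constructed stand-in; the Messenger bundle identifier is an assumption to confirm against the real Manifest.plist.

```python
"""Inspect an iTunes / idevicebackup2 backup folder before analysis.

Added example; not the chapter's code. make_sample_backup() writes a
constructed Manifest.plist so the example runs offline; point
inspect_backup() at C:\\Users\\<User name>\\Apple\\MobileSync\\Backup\\<UDID>
(or the idevicebackup2 destination folder) for a real backup.
"""
import plistlib
import tempfile
from pathlib import Path

UDID = "53e291a4587a7e9572dd729f02c534ca4772c53f"   # from idevice_id -l above
FBM_BUNDLE = "com.facebook.Messenger"               # assumed bundle ID; verify in Manifest.plist


def make_sample_backup(root):
    """Write a minimal constructed Manifest.plist under <root>/<UDID>."""
    folder = Path(root) / UDID
    folder.mkdir()
    manifest = {
        "IsEncrypted": True,
        "Version": "10.0",
        "Lockdown": {
            "ProductType": "iPhone8,1",
            "ProductVersion": "14.6",
            "UniqueDeviceID": UDID,
            "SerialNumber": "F17QX000000X",   # invented
        },
        "Applications": {FBM_BUNDLE: {"CFBundleIdentifier": FBM_BUNDLE}},
    }
    with open(folder / "Manifest.plist", "wb") as fh:
        plistlib.dump(manifest, fh)
    return folder


def inspect_backup(folder):
    """Summarize what the examiner needs to know before processing the backup."""
    folder = Path(folder)
    with open(folder / "Manifest.plist", "rb") as fh:
        manifest = plistlib.load(fh)
    lockdown = manifest.get("Lockdown", {})
    udid = lockdown.get("UniqueDeviceID")
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "udid": udid,
        "folder_matches_udid": udid == folder.name,   # catches a backup of the wrong phone
        "ios_version": lockdown.get("ProductVersion"),
        "has_messenger": FBM_BUNDLE in manifest.get("Applications", {}),
        "has_manifest_db": (folder / "Manifest.db").exists(),
    }


def demo():
    with tempfile.TemporaryDirectory() as root:
        return inspect_backup(make_sample_backup(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

If encrypted is False, repeat the encryption on step and take the backup again; an unencrypted backup omits data the encrypted one includes, and the chapter's AXIOM results were obtained from the encrypted image.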
Logical Acquisition Using Belkasoft
Logical Acquisition Using Magnet AXIOM Process
Data Analyzing for FBM
Revealing the evidence is the main purpose of examination and analysis. The relevant evidence has to be retrieved from the hundreds or thousands of files in the acquired image, either with a forensic tool or by manual extraction. Some artifacts that tools do not recover can be found by manual analysis, and manual extraction is sometimes required to validate tool results. The information the investigator provides to the forensic examiner sets the direction of the examination: the examiner can start with forensic tools that have built-in filters for the application of interest, then prepare the list of files and databases to analyze.
FBM Data Analysis for Android
FBM Source of Information in Android
Internal Path | File Name | File Type |
---|---|---|
/app_light_prefs/ | logged_in_<User_ID> | JSON |
/cache/audio/ | * | Various |
/cache/fb_temp/ | * | Various |
/cache/image/ | * | Various |
/databases/ | call_logs_db | SQLite |
/databases/ | contacts_db2 | SQLite |
/databases/ | omnistore_<User_ID>_v01.db | SQLite |
/databases/ | prefs_db | SQLite |
/databases/ | threads_db2 | SQLite |
/databases/ | tican_db_<User_ID> | SQLite |
/files/image/ | * | JPG |
/files/ExoPlayerCacheDir/ | * | Various |
/shared_prefs/ | com.facebook.orca_preferences.xml | XML |
FBM Data Analysis Using Magnet AXIOM for iOS
After the evidence source is added to the case, click "Go to processing details". In this section the analysis can be tuned and categorized by technique. Click "Go to artifact details"; here artifacts can be filtered by category and application, an important feature for complying with the case requirements and keeping the evidence extraction admissible in court. We clear the selection from all categories, search for the FBM app, and select it. The last step is clicking "Analyze" in the Analyze Evidence section. The decryption process starts, and AXIOM Examine is launched. In our case, artifact analysis took 28 seconds and decryption took 52 seconds.
By copying the URL AXIOM provides for each message and opening it in a browser, we retrieved all picture, emoji, audio, and video messages successfully, and all deleted messages appeared as "unsent messages". We also analyzed the data with Belkasoft, which recovered FBM data, but its results did not contain the data related to our case. For that reason, we recommend verifying the results with direct SQLite analysis.
FBM Data Analysis Using DB Browser for SQLite
Additionally, SQLite data analysis helps in recovering deleted data in some cases as explained in the following section.
Recovering Deleted Evidence from SQLite Property Lists
Depending on the iOS version, the amount of defragmentation and database clean-up varies, and some user settings and device specifications also affect it. Data records can be restored from SQLite tables if they have not been overwritten or cleared: a deleted record is unlinked from the table, but its bytes stay in the page's free space or on a freelist page until that space is reused. Using some forensic tools or manual extraction, such records can be recovered. For example, the call history database has a limited size; when it is almost full, the oldest records are removed to make room for new ones, and if the freed space has not been overwritten yet, they can be recovered. This applies to most SQLite tables, such as messages, notes, emails, and contacts, which contain valuable evidence that a criminal may deliberately delete. From this, we conclude that it is not always possible for AXIOM or Belkasoft to recover deleted records from SQLite databases.
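The two manual steps described for the Android databases listed above and in this section, querying the live rows and looking for deleted rows that still sit in the file's free space, as one added example that is not the chapter's code. The real threads_db2 schema is not reproduced: the threads and messages tables below are a constructed, simplified stand-in with the kinds of columns an examiner looks for (thread key, sender, text, epoch-millisecond timestamp), so the SELECT in list_messages() has to be adapted to the real column names once the database is copied out of the app's /databases/ directory. keyword_hits() works on any SQLite file: a keyword found in the raw bytes but in no live row is a deleted record that has not been overwritten yet.

```python
"""Query a Messenger-style SQLite database and test for deleted rows whose
bytes still sit in the file's free space.

Added example; not the chapter's code. The schema is a constructed stand-in,
not the real threads_db2 layout.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def build_sample_db(path):
    """Create the constructed database with three messages in one thread."""
    con = sqlite3.connect(path)
    # Stock SQLite default: freed cell bytes are left in place. A build or app
    # that turns secure_delete ON zeroes them, and nothing below would be found.
    con.execute("PRAGMA secure_delete = OFF")
    con.executescript("""
        CREATE TABLE threads (thread_key TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE messages (msg_id TEXT PRIMARY KEY, thread_key TEXT,
                               sender_id INTEGER, text TEXT, timestamp_ms INTEGER);
        INSERT INTO threads VALUES ('ONE_TO_ONE:1001', 'Sample Contact');
        INSERT INTO messages VALUES
          ('m1', 'ONE_TO_ONE:1001', 1001, 'Meet at the usual place', 1620000000000),
          ('m2', 'ONE_TO_ONE:1001', 2002, 'Bring the package tonight', 1620000060000),
          ('m3', 'ONE_TO_ONE:1001', 1001, 'OK', 1620000120000);
    """)
    con.commit()
    con.close()


def list_messages(path):
    """Live messages joined to their thread, epoch-ms timestamps rendered as UTC."""
    con = sqlite3.connect(path)
    rows = con.execute("""
        SELECT m.msg_id, t.name, m.sender_id, m.text, m.timestamp_ms
        FROM messages m JOIN threads t ON t.thread_key = m.thread_key
        ORDER BY m.timestamp_ms""").fetchall()
    con.close()

    def fmt(ms):
        return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

    return [(mid, name, sender, text, fmt(ts)) for mid, name, sender, text, ts in rows]


def delete_message(path, msg_id):
    """Simulate the suspect deleting a message; the app does not VACUUM afterwards."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("DELETE FROM messages WHERE msg_id = ?", (msg_id,))
    con.commit()
    con.close()


def keyword_hits(path, keyword):
    """Is `keyword` in any live row (via SQL) and/or anywhere in the raw file?
    raw-but-not-live means the text survives only in freed space."""
    con = sqlite3.connect(path)
    live = False
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        where = " OR ".join(f'"{c}" LIKE ?' for c in cols)
        if con.execute(f'SELECT 1 FROM "{table}" WHERE {where} LIMIT 1',
                       [f"%{keyword}%"] * len(cols)).fetchone():
            live = True
            break
    con.close()
    with open(path, "rb") as fh:
        raw = keyword.encode("utf-8") in fh.read()
    return {"live": live, "raw": raw, "deleted_remnant": raw and not live}


def demo():
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        before = list_messages(path)
        delete_message(path, "m2")
        after = list_messages(path)
        hits = {kw: keyword_hits(path, kw) for kw in ("package", "usual place")}
    finally:
        os.remove(path)
    return before, after, hits


if __name__ == "__main__":
    before, after, hits = demo()
    print("live after delete:", [m[0] for m in after])
    print("keyword hits:", hits)
```

Run keyword_hits() on the database copied from the image, never on the original; and remember that a later VACUUM, a secure_delete setting, or simple reuse of the page can remove the remnant, which is the reason the tools cannot promise to recover every deleted record.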
Reporting
Reporting involves providing a summary of all the steps taken and conclusions reached as part of the examination process for FBM on iOS and Android devices. Details about all important actions performed in this case study should be mentioned, including common information like investigator name, reporting agency, and case identifier. The reporting agency is the agency officially authorized by the judicial authorities to investigate the seized devices for a specific investigation. It should have forensic experts and the tools needed to issue an examination report. The agency should issue a report that is admissible, authentic, complete, reliable, and believable. The case identifier is the submission number of the case. It is unique and makes it easy to reference the case.
Summary
Security enhancements to mobile operating systems make it harder for forensic investigators to retrieve data. Devices now ship with full-disk encryption (FDE), which makes it almost impossible to retrieve data without the unlock key. Jailbreaking or rooting is necessary to extract data in some cases: most Android application data, including FBM's, is stored in partitions that require root privileges to access. Rooting the Huawei Y3 is not as simple as it looks; several factors affect the process, including the binary image, the forensic computer, the cables, and the device firmware, and applying different rooting techniques may damage the device. For iOS, there was no need to jailbreak the device, as we were able to extract the FBM data without it.
This case study showed the techniques required to forensically examine an Apple iPhone 6s and a Huawei Y3 for FBM artifacts. It started by explaining the Android and iOS architectures, then demonstrated the preparations needed for the data extraction phase, and finally explained the data extraction techniques and the analysis of FBM data.
References
- [1].
Statista, “Digital Population.” https://www.statista.com/statistics/617136/digital-population-worldwide/ (accessed May 01, 2021).
- [2].
Statista, “Most Popular Global Mobile Messenger Apps.” https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/ (accessed Apr. 29, 2021).
- [3].
A. Yudhana, I. Riadi, and I. Anshori, “Identification of Digital Evidence Facebook Messenger on Mobile Phone with National Institute of Standards Technology (NIST) Method,” Kursor, vol. 9, no. 3, Jan. 2019, doi: 10.28961/kursor.v9i3.152.
- [4].
A. N. Ichsan and I. Riadi, “Mobile Forensic on Android-Based IMO Messenger Services Using Digital Forensic Research Workshop (DFRWS) Method,” International Journal of Computer Applications, vol. 174, no. 18, Feb. 2021, doi: 10.5120/ijca2021921076.
- [5].
Amer Shakir, Muhammad Hammad, and Muhammad Kamran, “Comparative Analysis & Study of Android/iOS Mobile Forensics Tools,” 2021.
- [6].
A. Akinbi and E. Ojie, “Forensic Analysis of Open-Source XMPP Multi-client Social Networking Apps on iOS Devices,” Forensic Science International: Digital Investigation, vol. 36, Mar. 2021, doi: 10.1016/j.fsidi.2021.301122.
- [7].
M. S. Chang and C. Y. Chang, “Forensic Analysis of LINE Messenger on Android,” Journal of Computers (Taiwan), vol. 29, no. 1, 2018, doi: 10.3966/199115992018012901002.
- [8].
C. Alisabeth and Y. R. Pramadi, “Forensic Analysis of Instagram on Android,” in IOP Conference Series: Materials Science and Engineering, 2020, vol. 1007, no. 1. doi: 10.1088/1757-899X/1007/1/012116.
- [9].
P. Domingues, R. Nogueira, J. C. Francisco, and M. Frade, “Post-mortem Digital Forensic Artifacts of TikTok Android App,” 2020. doi: 10.1145/3407023.3409203.
- [10].
T. Alyahya and F. Kausar, “Snapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone,” in Procedia Computer Science, 2017, vol. 109. doi: 10.1016/j.procs.2017.05.421.
- [11].
M. Kukuh, I. Riadi, and Y. Prayudi, “Forensics Acquisition and Analysis Method of IMO Messenger,” International Journal of Computer Applications, vol. 179, no. 47, 2018, doi: 10.5120/ijca2018917222.
- [12].
V. Jain, R. Sahu, and D. Singh Tomar, “Evidence Gathering of Line Messenger on iPhones,” 2015. [Online]. Available: www.gtia.co.in
- [13].
Google Developer, “Android Architecture.” https://developer.android.com/guide/platform (accessed Jul. 15, 2021).
- [14].
Android Authority, “Phone Storage Folders Explained.” https://www.androidauthority.com/phone-storage-folders-explained-744100/ (accessed Jul. 15, 2021).
- [15].
Android Tutorials, “Android Filesystems.” https://android.tutorials.how/android-file-system/ (accessed Jul. 16, 2021).
- [16].
Rohit Tamma, Oleg Skulkin, Heather Mahalik, and Satish Bommisetty, Practical Mobile Forensics, Fourth edition. Birmingham: Packt Publishing Ltd., 2020.
- [17].
S. Chauhan, “Understanding Xamarin iOS - Build Native iOS App.” https://www.dotnettricks.com/learn/xamarin/understanding-xamarin-ios-build-native-ios-app (accessed May 30, 2021).
- [18].
R. Ayers, S. Brothers, and W. Jansen, “Guidelines on Mobile Device Forensics,” Gaithersburg, MD, May 2014. doi: 10.6028/NIST.SP.800-101r1.
- [19].
Apple, “HT208200.” https://support.apple.com/en-us/HT208200 (accessed Apr. 30, 2021).
- [20].
androidgroup.net, “root-huawei-y3-2017-cro-u00.” https://www.androidgroup.net/2019/03/root-huawei-y3-2017-cro-u00.html (accessed Jul. 16, 2021).
- [21].
Apple, “Apple Guide.” https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web (accessed Jun. 14, 2021).
- [22].
cheeky4n6monkey, “Facebook Messenger Android App.” http://cheeky4n6monkey.blogspot.com/2014/01/facebook-facebook-messenger-android-app.html (accessed Jul. 18, 2021).
- [23].
freeandroidforensics, “Facebook for Android Artifacts.” http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html (accessed Jul. 18, 2021).