© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
M. Moreb, Practical Forensic Analysis of Artifacts on iOS and Android Devices, https://doi.org/10.1007/978-1-4842-8026-3_13

13. Evidence Identification Methods for Android and iOS Mobile Devices with Facebook Messenger

Mohammed Moreb (1)
(1) Halhul, Hebron, State of Palestine

Facebook Messenger (FBM) is widely used by most mobile users. FBM is used for everyday communication, but it is also involved in criminal cases. Following a scientific mobile forensic analysis approach keeps the evidence admissible. This study follows the NIST mobile forensic process to retrieve data from FBM. It provides several techniques for device identification, data acquisition, and analysis of FBM data from both Android and iOS devices. Several tools were used for acquisition, including Libimobiledevice, iTunes, Belkasoft, AXIOM, and ADB. Additionally, several tools were used for data analysis, including AXIOM Examine, Belkasoft, and DB Browser for SQLite. Based on the results, AXIOM was the appropriate forensic tool for analyzing encrypted iTunes images from iOS, while Belkasoft performed better on ADB images from Android; extracting FBM data from Android requires the device to be rooted.

In this chapter, we will cover the following topics:
  • Introduction to FBM Application

  • Introduction to Mobile Messenger Application

  • Experiment Tools

  • Evidence and Scene Security

  • Evidence Isolation

  • Data Acquisition

  • FBM Data Analysis Using Magnet AXIOM Examine

  • FBM Data Analysis Using Belkasoft

  • FBM Data Analysis Using DB Browser for SQLite

  • Recovering Deleted Evidence from SQLite Property Lists

  • Summary

Introduction to FBM Application

Internet access has dramatically increased during the last two decades; more than 60% of the global population can access the Internet these days. Among those who can access the Internet, 92.6% did so via mobile devices [1]. The availability of Internet services over mobile operators’ networks, such as 5G, 4G, and 3G, was an essential factor in the increased Internet access via mobile devices. With the huge growth of Internet access via mobile devices, messaging evolved from text exchange only, which was the main feature of mobile messaging, into voice and video communications, with the ability to exchange pictures and files. This introduced instant messaging as a chatting platform offering real-time text messaging over the Internet, and this evolution created competition between several social network platforms to provide smooth and fast messaging apps. The most popular mobile messaging platform is Facebook. As shown in Figure 13-1, the most popular messaging mobile application is WhatsApp, followed by FBM; Facebook owns both WhatsApp and FBM.

Facebook has become an important part of all of our lives and has a greater impact on life than other social networking sites, due to its multiple use by all ages and because it brings together a huge number of people. In many cases, the conversation has come to take place on the FBM application. Since it is one of the most effective applications due to its many advantages, it has also had a clear impact on the increase in the rate of electronic crimes.

People spend most of their time on the smartphone; the phone has become an integral part of every person’s life, regardless of age or use, and for this reason, cybercrimes of all kinds have increased, including blackmail, impersonation, and spreading lies and rumors, as the smartphone has an effective and clear effect on the social, political, security, international, and economic aspects of life. Smartphones have had a clear role in many countries’ coups against their governmental systems, and this is also a reason for the use of social media sites. The average time spent daily by social media platform users has increased in recent years, reaching a total of above 1 hour in 2021.
Figure 13-1

Most popular mobile messenger apps - January 2021- monthly active users [2]

The use of messaging apps is not limited to normal good usage only; these apps can be used by criminals to contact each other or to perform crimes. FBM is one of the apps that can be used by criminals in digital crimes. The application can be used to plan for several types of crimes such as drug dealing, theft, murder, or terrorism, or to carry out direct crimes through the app such as extortion, harassment, fraud, or others. Using FBM will keep traces that can be used to help investigators in court. The trace or evidence cannot be accepted at court unless it is retrieved based on a specific procedure. Therefore, forensics analysis will be based on mobile forensics principles, which is a branch of digital forensics science.

FBM is a leading social media messaging platform, and it is expected to become more popular as it develops and gains new features. It will be able to chat directly with other messaging platforms, and it already includes many customizations and services, including money transfer. For these reasons, it is expected to be involved more often in crime investigations. On iOS devices, FBM works from the top application layer, through the media layer, down to some components in the core services layer. The growing number of FBM artifacts is related to its continuous development by Facebook.

In this chapter, Android and iOS forensic examination techniques are presented and introduced with mobile operating systems architecture. What is needed to prepare for data extraction from Android and iOS devices is discussed. Data extraction techniques are presented with their different approaches. Data analysis of FBM is presented with details.

Introduction to Mobile Messenger Application

The identification of digital evidence for the FBM app [3] was performed on retrieving evidence from an Android device using Magnet AXIOM and Oxygen Forensics tools. The researchers were able to view the device details and recover the evidence in both tools. They used indexed calculation numbers to get the performance of each forensic tool. Based on NIST method parameters, they found that the AXIOM result is 75% whereas Oxygen got 79%. The researchers used only an Android device. They did not use iOS devices for comparison. Additionally, they used only AXIOM and Oxygen as forensic tools.

In performing mobile forensics on Android-based IMO messenger services using the Digital Forensic Research Workshop (DFRWS) method [4], researchers followed a three-phase methodology involving identification, preservation, and collection. They compared data extraction from rooted and unrooted devices with the IMO app installed, using MOBILedit, DB Browser for SQLite, FTK Imager, and Belkasoft as forensic tools. All IMO data could be retrieved from the rooted device, but nothing was retrieved from the unrooted one. An experiment was conducted [7] to analyze LINE Messenger on virtual Android machines. The researchers used VMware Workstation with BlueStacks and LINE Messenger installed on the machines. To extract the data, they suspended the virtual machine and acquired the files related to volatile and nonvolatile memory, using WinHex, EnCase, and Root Explorer to analyze the database. The researchers were able to identify the related artifacts and data locations in LINE Messenger.

Instagram forensic analysis [8] was performed on Android virtual devices using Genymotion, DB Browser for SQLite, Android Studio Device File Explorer, and Sqliteparser. The researchers were able to identify and access the application's datastores under /data/data; there was no mention of whether the user device was rooted or not. Similar research was conducted to forensically analyze the TikTok app [9] on Android; the researchers separated the identified artifacts into two categories. The first category is accessible without root privileges on the smartphone, and the second category includes artifacts that are only available on a rooted device.

This practical case methodology is guided by NIST’s special publication of guidelines on mobile devices forensics [18] utilizing the mobile forensics process to recover the evidence in forensically sound conditions. As depicted in Figure 13-2 (and as seen in Chapter 9 and Chapter 10), the process has four stages, and each stage has its rules to keep the evidence admissible. The main purpose is to protect the evidence from changes during the process.
Figure 13-2

Four stages for Mobile forensics process

In the next section, we follow the four stages of seizing the device and taking care of its related digital evidence in secure conditions to prevent changes on the data or manipulation of the evidence. Then comes acquisition (i.e., getting evidential information from the device or its related media), and then the examination and analysis stage to search for and reveal hidden or deleted evidence by working on an identical copy of the acquired image in the first phase using different toolkits during the investigation. The last phase we describe in detail is the reporting stage, which depends on the precise records of information taken during the previous stages; all the information and the conclusions made based on the results of the investigation are presented in the report, which is made to the court or the legal parties according to well-understood procedures.

Experiment Tools and Devices

For the experiment in this case study, the following tools and devices were selected: one iOS device, one Android device, and four forensic tools. The following subsections present the details of the devices and tools. The following devices will be used in this experiment as shown in Table 13-1.
Table 13-1  Experiment Devices

  Device          OS           Model Name        Model Number
  Apple iPhone    iOS 14.6     iPhone 6s         A1688
  Huawei Mobile   Android      Y3 2017           CRO-U00
  HP Laptop       Windows 10   ProBook 640 G1
The following forensic toolkits will be used in this experiment as shown in Table 13-2.
Table 13-2  Experiment Forensic Tools

  Tool Name                   Version       Note
  iTunes                      12.11.3.17    Apple app for Windows
  Libimobiledevice            18/05/2020    Windows compiled
  Belkasoft Evidence Center   9.9           For Windows
  Magnet AXIOM Process        4.6           For Windows
  Magnet AXIOM Examine        4.6           For Windows
  DB Browser for SQLite       3.12.2        For Windows
  ADB Android toolkit         1.0.41        For Windows

iOS Device Identification

Device Identification Using Libimobiledevice

Using Libimobiledevice forensic tools, we can show device information and characteristics by connecting to the workstation. This tool is used to identify the device in this experiment. In this case, you can follow these steps to get device identification:
  1. Use the idevice_id command to learn the UDID of the device, which identifies the device-related iTunes backup:

     idevice_id.exe -l
     Output: 53e291a4587a7e9572dd729f02c534ca4772c53f

  2. The ideviceinfo command shows a large number of forensically useful identifiers for the device, including information that other forensic tools cannot show:

     ideviceinfo.exe

Device Identification Using Belkasoft Evidence Center

Forensic tools can show device information before acquisition to choose which device to image. In Belkasoft, when adding a data source to the case, selecting the device brand will show the connected device info as shown in Figure 13-3. In some cases, if investigators need more details related to iOS such as hardware internal identification details, we recommend using the Libimobiledevice tool as described previously.
Figure 13-3

Device information in Belkasoft Evidence Center

Device Identification Using Magnet AXIOM

The same can be applied to Magnet AXIOM when adding evidence sources on the AXIOM Process as shown in Figure 13-4.
Figure 13-4

Device information on Magnet AXIOM

From the preceding simple comparison, different forensic tools provide different device information details. For example, AXIOM did not show the UDID but provided IMEI.

Device Identification via IMEI Number

The International Mobile Equipment Identifier or IMEI number is 15 or 16 digits containing device information. The information includes the device serial number, the origin of the device, and the model number. The IMEI number can be found inside the device under the battery; additionally, it can be retrieved by dialing *#06# if the device is on. Using the IMEI can provide all manufacturer information through several websites. For this case, we use www.imei.info to show the device specifications using its IMEI as in Figure 13-5. Basic device information is shown in the table provided on the website. Additionally, more detailed information can be provided if you click the More Details button.
Figure 13-5

Device type by IMEI

Android Device Connection Setup

The device identification process for Android devices is very important for forensic data acquisition: manufacturer, model, and Android version all determine the tools needed. The manufacturer can be identified from the labels on the device, usually on its back. From Menu > Settings > About phone, the device model number can be identified, along with several other useful pieces of information, including the kernel version. The build number is also located here; it is needed to enable developer mode. There are tools to help identify the device after connecting it to a digital forensic lab computer. The device used in this case study is a Huawei Y3 (2017) with Android version 6.0 and kernel version 3.18.19.

To connect the device to a computer, a data cable is needed. The required cable type can vary based on the device model. It can be a mini-USB, micro-USB, or USB type C. Other types may appear in rare cases like coaxial or D subminiature cables. For a successful connection to a computer, the device drivers should be installed on that computer. On Windows’ new operating system, this process is done automatically by the OS. In some cases, drivers must be downloaded from the manufacturer’s site and installed manually on the computer.

The next step is to enable data transfer on the Android device once it is connected to the computer. Pull down the notification area and choose Turn On USB storage under the USB connection type option, which should be set to data transfer. To use forensic tools on an Android device, it should be in USB debugging mode. USB debugging is enabled from Settings > About phone by tapping the build number several times in a row; a counter counts down until developer options are enabled. Then, from Settings > Developer options, enable USB debugging. In some cases, the device administration settings should be checked; these will be active if a mobile device management application is installed on the device. Applications like Family Link may block access to the device over USB debugging even when it is enabled on the device but disabled in Family Link.

Using Automated Tools

You can use any of the tools used in previous chapters, such as the practical case in Chapter 3, to bypass the password or unlock Android devices. You can use free tools that utilize ADB and fastboot to automate the unlock process, such as HalabTech (halabtech.com), which is supported by a variety of digital forensic solutions and customized tools. Most commercial tools require the device to be in USB debugging mode. UFED user lock code recovery is one of the professional tools that require special connection cables, as shown in Figure 13-6.
Figure 13-6

Unlock Android device with HalabTech

Gaining Root Access

From a forensic point of view, rooting Android devices is needed to access applications’ data and to get more data when acquiring the rooted device. Rooting, as described in detail in Chapter 7, is granting access with the highest privileges on the OS level to perform actions and access partitions that are not allowed for normal users. Rooting makes unrecoverable changes to the evidence. It grants privileges that put the device at risk of vulnerabilities, malicious apps, and user misuse. For these reasons, rooting voids the warranty of the device, taking into consideration the risk of damaging the device during the process.

In this practical case, we need to get access to the FBM data partition in data that is protected by the OS and is not accessible in the unrooted mode. There is a forensic need to root the device to access FBM data. The following steps should be applied to the device in this case study, which is with Huawei Y3 [20].
  1. Download the TWRP file from [20]. This file contains the image of the modified recovery partition to be written over the recovery partition on the device.

  2. Prepare the device for connection and use ADB to list the device.

  3. Enable the USB debugging option from the developer options.

  4. Using the ADB tool, reboot the device into fastboot mode with the command adb.exe reboot bootloader, which will cause the device to reboot.

  5. To make sure that the device is connected in fastboot mode, use the command fastboot.exe devices, which should show the device in the list.

  6. Extract recovery.img from the downloaded TWRP file into the ADB folder.

  7. Write the image to the device using the command fastboot flash recovery recovery.img. The result, as shown in Figure 13-7, is that the image is written to the recovery partition of the targeted device.

Figure 13-7

Writing recovery image

  8. Download the SuperSU file, copy it to an SD card, power off the device, and then insert the card into the device.

  9. Power on the device in recovery mode by holding volume up + power button.

  10. Choose backup data and then choose Install.

  11. Swipe the slider at the bottom of the screen.

  12. Reboot the device from the menu.

  13. Verify root by installing the app Root Checker.

Android Data Extraction Techniques

These techniques are discussed in the context of this case study of investigating FBM data. The following subsections discuss the three extraction techniques: manual, logical, and physical.

Manual Data Extraction

This technique involves accessing the device as a normal user and browsing the data directly with documentation of each step with screenshots. The disadvantage of this technique includes limited data access and evidence changes. Limited data access is due to using the interface as a normal user and seeing what is accessible to the regular user. Evidence changes happen when opening unread messages or triggering any action that may result in data loss. Based on the investigation case, this may be the fastest data extraction technique with minimal preparation. Even so, this method should not be considered unless it is an urgent life or death case or for data verification for the other techniques.

In our case study, since the device is unlocked, we were able to open the Messenger app and browse the conversations directly.

Logical Data Extraction

This technique, which involves using forensic acquisition tools to extract data and the file system from the device, works on most devices. The amount of data retrieved depends on the access level on the device. This means limited data will be retrieved for unrooted devices.

Several forensic applications support this technique: data can be acquired from an unrooted device by using Axiom, Belkasoft, and ADB command line. They all depend on using ADB backup. Normal user and system data can be retrieved but FBM data is located in /data, which is not accessible without root permission. The analysis and data extraction process may take a long time depending on the device specification as shown in Figure 13-8.
Figure 13-8

Logical data extraction using AXIOM

After finishing the logical ADB acquisition, we can browse the system and apps files, as shown in Figure 13-9.
Figure 13-9

File system browsing using Belkasoft

Direct ADB data extraction is not allowed on the /data partitions, as it requires root access as shown in Figure 13-10; from that, we conclude that FBM data is not accessible without rooting the Android device.
Figure 13-10

ADB - data access denied

Physical Data Extraction

This technique involves obtaining the exact binary image of the device’s memory or external storage. This is done bit by bit for the entire memory. This technique is different from logical data extraction. With physical imaging, deleted files can be recovered in some cases. Additionally, hidden file leftovers can be retrieved from the slack space or unallocated space.

Most forensic software and imaging tools use the ADB command to perform the physical imaging process. This command requires a rooted device. Unrooted devices will not accept the ADB command due to the need for root permissions. Rooting a device in an investigation may change data for the evidence, and data may be lost. Figure 13-11 shows the physical imaging options provided by Belkasoft. The software checks if the device is rooted first to proceed.
Figure 13-11

Physical data extraction using Belkasoft

For our case, the technique can be applied from the ADB tool using the following steps:
  1. Connect the device to the computer and check the connection using the command adb devices; make sure the device is listed.

  2. Use a new, empty SD card of appropriate size to store the image, and attach it to the device.

  3. Use the mount command to list the partitions inside /dev that make up the Android file system.

  4. Execute the dd command against the partitions of interest. The /data partition is located under /dev/block/<block number>; in the mount output, the /data mount point appears next to its block device. In the command, the input file is the targeted block and the output file is the SD card partition, as in the following:

     dd if=/dev/block/<block number> of=/sdcard/imagename.img

To write the output image to the forensic computer, use the netcat command. This is the method used by most forensic tools.
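The checks behind steps 1, 3, and 4 can be scripted on the forensic workstation. The following Python helpers are an added example, not part of the book or of any tool it uses: they parse constructed samples of the output of adb devices and mount (the serial number and the MediaTek-style partition paths are made up), confirm that the device is in the authorized "device" state rather than "unauthorized" or "offline", locate the block device mounted at /data, and compose the dd command of step 4.

```python
"""Helpers for the ADB physical-acquisition steps (added example)."""
import re
import shlex

# Constructed sample of `adb devices` output (the serial is made up).
ADB_DEVICES_SAMPLE = """List of devices attached
0123456789ABCDEF\tdevice
"""

# Constructed sample of Android 6 `mount` output in /proc/mounts form:
# "<device> <mount point> <fs type> <options> 0 0".
MOUNT_SAMPLE = """rootfs / rootfs ro,seclabel 0 0
/dev/block/platform/mtk-msdc.0/by-name/system /system ext4 ro,seclabel,noatime,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/fuse /mnt/runtime/default/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023 0 0
"""


def connected_devices(adb_output):
    """Return {serial: state} parsed from `adb devices` output.

    State "device" means ADB is authorized; "unauthorized" means the
    USB-debugging prompt on the phone has not been accepted; "offline"
    means the link is not usable yet.
    """
    devices = {}
    for line in adb_output.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def find_block_device(mount_output, mount_point="/data"):
    """Return the block device mounted at mount_point, or None.

    Accepts both the /proc/mounts form ("dev mnt type opts 0 0") and the
    "dev on mnt type fs (opts)" form printed by newer toolboxes.
    """
    for line in mount_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "on":  # "dev on mnt ..."
            dev, mnt = parts[0], parts[2]
        elif len(parts) >= 2:
            dev, mnt = parts[0], parts[1]
        else:
            continue
        if mnt == mount_point and dev.startswith("/dev/block/"):
            return dev
    return None


def dd_command(block_device, image_name):
    """Build the on-device dd command of step 4, writing to the SD card."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+\.img", image_name):
        raise ValueError("image name must be a simple file name ending in .img")
    return "dd if=%s of=/sdcard/%s" % (shlex.quote(block_device), image_name)


def acquisition_plan(adb_output, mount_output, image_name="data.img"):
    """Run the checks in order and return the dd command, or raise the reason."""
    states = connected_devices(adb_output)
    if not states:
        raise RuntimeError("no device listed by adb devices")
    serial, state = next(iter(states.items()))
    if state != "device":
        raise RuntimeError("device %s is in state %r; fix authorization first" % (serial, state))
    dev = find_block_device(mount_output)
    if dev is None:
        raise RuntimeError("/data is not mounted from a block device")
    return dd_command(dev, image_name)


if __name__ == "__main__":
    print(acquisition_plan(ADB_DEVICES_SAMPLE, MOUNT_SAMPLE))
```

On a real device the two samples are replaced by the output of adb devices and adb shell mount; the dd command itself still has to run in a root shell on the phone, as the text explains.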

Practical Logical Data Extraction for iOS Devices

This experiment performs logical acquisition using iTunes backup, the Libimobiledevice tool, Belkasoft Evidence Center, and Magnet AXIOM Process.

Logical Data Extraction Using iTunes

iTunes backup is a type of logical acquisition for iOS devices. It is accessed simply from the mobile summary tab on iTunes. After connecting the mobile to iTunes, select This Computer from the Backups section and make sure to select Encrypted local backup. Encrypted iTunes backups include more artifacts. Click the Back Up Now button to start the process as shown in Figure 13-12.
Figure 13-12

iTunes backup

In our current case, the iTunes backup image is located at C:\Users\<User name>\Apple\MobileSync\Backup. The Backup folder contains a folder named with the UDID of the iOS device; each backed-up device has its own UDID backup folder.

Logical Data Extraction Using Libimobiledevice Library

Two steps are required: enabling the encrypted backup option, and taking the logical image. Encryption is enabled with the following command: idevicebackup2.exe encryption on <Backup_Password>

After getting confirmation that encryption is enabled, the following command takes the backup: idevicebackup2.exe backup --full <Image_Path>. The backed-up image will be ready in the destination image path, inside a folder named with the UDID.

Logical Acquisition Using Belkasoft

After creating a new case, add a data source and select the Apple device. Select the connected iOS device with its details shown. Select iTunes backup and browse the path location to store the image as shown in Figure 13-13.
Figure 13-13

Logical acquisition using Belkasoft

Logical Acquisition Using Magnet AXIOM Process

After creating a new case, select Mobile from the Evidence Sources tab, then iOS, and select Acquire evidence. Select the connected device as shown in Figure 13-14 and click Next. Select the type of image; for this case Quick is selected, whereas Full requires a jailbroken device.
Figure 13-14

Magnet AXIOM acquisition

Data Analyzing for FBM

Revealing the evidence is the main purpose of the examination and analysis. The relevant evidence must be retrieved from the hundreds or thousands of files in the acquired image. This can be done using a forensic tool or by manual extraction. Some artifacts that tools fail to recover can be found by manual analysis, and manual extraction is sometimes required to validate tool results. The information the investigator provides to the forensic examiner sets the direction of the examination. The examiner can begin with forensic tools that have built-in filters for the required application, and then prepare the list of files and databases to analyze.

FBM Data Analysis for Android

App data are stored in the /data partition, with each app treated as a separate user with permissions to its own directory inside /data. Analyzing the db files in the FBM subfolders reveals the related data; the filenames indicate the contents of each db file. The db files have no extension, but they open normally in the SQLite browser. The data is structured in BSON format as key/value pairs. Additionally, a JSON file is found that contains the logged-in user information. The main location of FBM data is /data/data/com.facebook.orca/. Pictures can be found in /media/pictures/messages/. Even though most FBM forensic investigations deal with the messages in threads_db2 and the contacts in contacts_db2, Table 13-3 lists other sources of information in FBM [22], [23].
Table 13-3  FBM Source of Information in Android

  Internal Path               File Name                            File Type
  /app_light_prefs/           logged_in_<User_ID>                  JSON
  /cache/audio/               *                                    Various
  /cache/fb_temp/             *                                    Various
  /cache/image/               *                                    Various
  /databases/                 call_logs_db                         SQLite
  /databases/                 contacts_db2                         SQLite
  /databases/                 omnistore_<User_ID>_v01.db           SQLite
  /databases/                 prefs_db                             SQLite
  /databases/                 threads_db2                          SQLite
  /databases/                 tican_db_<User_ID>                   SQLite
  /files/image/               *                                    JPG
  /files/ExoPlayerCacheDir/   *                                    Various
  /shared_prefs/              com.facebook.orca_preferences.xml    XML

FBM Data Analysis Using Magnet AXIOM for iOS

We examine the acquired iTunes image. After selecting the image folder (backed up previously), the backup encryption password is required. After providing the password, click “CHECK” and then “OKAY” as shown in Figure 13-15.
Figure 13-15

AXIOM backup encryption password request

After the evidence source is added to the case, click “Go to processing details”. In this section, the analysis can be tuned and categorized into several techniques. Click “Go to artifact details”; from this section, artifacts can be filtered based on category and application. This is an important examination feature to comply with case requirements and keep the evidence extraction process admissible in court. From this section, we clear the selection from all categories, search for the FBM app, and select it. The last step is clicking “Analyze” in the Analyze Evidence section. The decryption process starts, and AXIOM Examine is launched. The artifact analysis duration was 28 seconds, and the decryption process took 52 seconds for our case.

On AXIOM Examine, selecting the chat category shows all FBM messages. Edit the time zone settings to modify the time parsing. Figure 13-16 shows the results of the analysis.
Figure 13-16

AXIOM Examine FBM analysis results

By copying the URL provided for each message and opening it in a browser, we retrieved all pictures, emojis, audio, and video messages successfully, and all deleted messages were located as “unsent messages”. For our case, we also used Belkasoft for data analysis; it recovered FBM data, but the results show that we could not retrieve the data related to our case. For that reason, we recommend verifying the data using SQLite analysis.

FBM Data Analysis Using DB Browser for SQLite

Most mobile internal and third-party applications utilize SQLite databases in their structure. Based on this, knowing the database location of the required app will provide access capability to data stored in its tables. For this FBM analysis case, DB Browser for SQLite was used. FBM message artifacts are located in the “messages” table from the database “4b6f02493291c174257c570cadf3b96d73c1a59f” inside the “4b” folder of the decrypted iTunes backup. Browsing this table provided the required messages, as shown in Figure 13-17.
Figure 13-17

Browsing messages table using DB Viewer for SQLite

Additionally, SQLite data analysis helps in recovering deleted data in some cases as explained in the following section.

Recovering Deleted Evidence from SQLite Property Lists

Depending on the iOS version, the amount of defragmentation and database clean-up varies; some user settings and device specifications may also affect it. Data records can be restored from SQLite tables if they have not been overwritten or cleared: a deleted record is only marked as deleted, while its content remains stored in the database file. Using some forensic tools or manual extraction, we can recover such records. For example, the call history database has a limited size; when it is almost full, some of the oldest records are removed to make space for new ones. If the freed space has not yet been overwritten, those records can be recovered. This applies to most SQLite tables, such as messages, notes, emails, and contacts, which contain valuable evidence that a criminal might intentionally delete. From this, we conclude that it is not always possible for AXIOM or Belkasoft to recover deleted records from SQLite databases.
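The following Python script is an added example, not part of the book or of AXIOM or Belkasoft: it creates a small constructed messages table (not FBM's real schema), deletes one record, and shows that the record's text remains in the raw database file while SQLite's secure_delete setting is off, but is gone once secure_delete is on or the database has been vacuumed, which is exactly when the tools above cannot recover it.

```python
"""Why deleted SQLite rows can sometimes be recovered, and when they cannot.

Added example (not from the book, AXIOM, or Belkasoft). The table and its
rows are constructed here and do not follow FBM's real schema.
"""
import os
import sqlite3
import tempfile

# Marker embedded in the record that will be deleted (constructed value).
DELETED_MARKER = b"DELETED-MSG-TOKEN-7f3a"


def _connect(path, secure_delete):
    con = sqlite3.connect(path)
    # secure_delete is a per-connection setting: ON makes SQLite overwrite
    # freed cell bytes with zeros; OFF (the usual default) leaves them in the
    # page until the space is reused, which is what record carving relies on.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    return con


def _populate(path, secure_delete):
    con = _connect(path, secure_delete)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    rows = [(i, "user%d" % i, "ordinary message %d " % i + "x" * 60) for i in range(1, 11)]
    # Row 5 carries the marker well past the cell header, where a freed
    # cell's first bytes are reused for the freeblock pointer and size.
    rows[4] = (5, "user5", "hidden " + DELETED_MARKER.decode() + " " + "y" * 60)
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()


def _file_contains(path, marker):
    with open(path, "rb") as fh:
        return marker in fh.read()


def deleted_row_remnant(secure_delete=False, vacuum=False):
    """Delete row 5 and compare the logical view with the raw file bytes.

    Returns {"live_rows": n, "marker_in_file": bool}. The deleted row is
    invisible to SQL, but its text stays in the file unless secure_delete
    was ON when it was deleted or the database has since been vacuumed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        _populate(path, secure_delete)
        con = _connect(path, secure_delete)
        con.execute("DELETE FROM messages WHERE id = 5")
        con.commit()
        if vacuum:
            con.execute("VACUUM")  # rebuilds the file from live rows only
        live_rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        con.close()
        return {"live_rows": live_rows,
                "marker_in_file": _file_contains(path, DELETED_MARKER)}


if __name__ == "__main__":
    for sd, vac in ((False, False), (True, False), (False, True)):
        r = deleted_row_remnant(secure_delete=sd, vacuum=vac)
        print("secure_delete=%-5s vacuum=%-5s live_rows=%d marker_in_file=%s"
              % (sd, vac, r["live_rows"], r["marker_in_file"]))
```

The same check, a byte search of the database file for known content, is a quick way to verify a tool's claim that a record is unrecoverable.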

Reporting

Reporting involves providing a summary of all the steps taken and conclusions reached as part of the examination process for FBM on iOS and Android devices. Details about all important actions performed in this case study should be mentioned, including common information like investigator name, reporting agency, and case identifier. The reporting agency is the agency officially authorized by the judicial authorities to investigate the seized devices for a specific investigation. It should have forensic experts and the tools needed to issue an examination report. The agency should issue a report that is admissible, authentic, complete, reliable, and believable. The case identifier is the submission number of the case. It is unique and makes it easy to reference the case.

Summary

Security enhancements to mobile operating systems make it harder for forensic investigators to retrieve data. Devices now have full disk encryption (FDE) features, which make it almost impossible to retrieve the data without knowing the unlock key. Jailbreaking and rooting devices are necessary to extract data in some cases. Most Android application data, including the FBM data stored in protected partitions, requires root-level permissions to be accessed. Rooting a Huawei Y3 device is not as simple as it looks; several factors may affect the rooting process, including the binary image, the forensic computer, the cables, and the device firmware, and applying different rooting techniques to the device may damage it. For iOS, there was no need to jailbreak the device, as we were able to extract FBM data without it.

This case study focused on showing techniques required to forensically examine Apple iPhone 6 and Huawei Y3 devices for FBM artifacts. This study started by explaining Android and iOS architecture, then demonstrated the need for preparations for the data extraction phase, and finally explained the data extraction techniques and data analysis for FBM.

References

1. Statista, “Digital Population.” https://www.statista.com/statistics/617136/digital-population-worldwide/ (accessed May 01, 2021).

2. Statista, “Most Popular Global Mobile Messenger Apps.” https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/ (accessed Apr. 29, 2021).

3. A. Yudhana, I. Riadi, and I. Anshori, “Identification of Digital Evidence Facebook Messenger on Mobile Phone with National Institute of Standards Technology (NIST) Method,” Kursor, vol. 9, no. 3, Jan. 2019, doi: 10.28961/kursor.v9i3.152.

4. A. N. Ichsan and I. Riadi, “Mobile Forensic on Android-Based IMO Messenger Services Using Digital Forensic Research Workshop (DFRWS) Method,” International Journal of Computer Applications, vol. 174, no. 18, Feb. 2021, doi: 10.5120/ijca2021921076.

5. A. Shakir, M. Hammad, and M. Kamran, “Comparative Analysis & Study of Android/iOS Mobile Forensics Tools,” 2021.

6. A. Akinbi and E. Ojie, “Forensic Analysis of Open-Source XMPP Multi-client Social Networking Apps on iOS Devices,” Forensic Science International: Digital Investigation, vol. 36, Mar. 2021, doi: 10.1016/j.fsidi.2021.301122.

7. M. S. Chang and C. Y. Chang, “Forensic Analysis of LINE Messenger on Android,” Journal of Computers (Taiwan), vol. 29, no. 1, 2018, doi: 10.3966/199115992018012901002.

8. C. Alisabeth and Y. R. Pramadi, “Forensic Analysis of Instagram on Android,” in IOP Conference Series: Materials Science and Engineering, 2020, vol. 1007, no. 1, doi: 10.1088/1757-899X/1007/1/012116.

9. P. Domingues, R. Nogueira, J. C. Francisco, and M. Frade, “Post-mortem Digital Forensic Artifacts of TikTok Android App,” 2020, doi: 10.1145/3407023.3409203.

10. T. Alyahya and F. Kausar, “Snapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone,” in Procedia Computer Science, 2017, vol. 109, doi: 10.1016/j.procs.2017.05.421.

11. M. Kukuh, I. Riadi, and Y. Prayudi, “Forensics Acquisition and Analysis Method of IMO Messenger,” International Journal of Computer Applications, vol. 179, no. 47, 2018, doi: 10.5120/ijca2018917222.

12. V. Jain, R. Sahu, and D. Singh Tomar, “Evidence Gathering of Line Messenger on iPhones,” 2015. [Online]. Available: www.gtia.co.in

13. Google Developer, “Android Architecture.” https://developer.android.com/guide/platform (accessed Jul. 15, 2021).

14. Android Authority, “Phone Storage Folders Explained.” https://www.androidauthority.com/phone-storage-folders-explained-744100/ (accessed Jul. 15, 2021).

15. Android Tutorials, “Android Filesystems.” https://android.tutorials.how/android-file-system/ (accessed Jul. 16, 2021).

16. R. Tamma, O. Skulkin, H. Mahalik, and S. Bommisetty, Practical Mobile Forensics, Fourth edition. Birmingham: Packt Publishing Ltd., 2020.

17. S. Chauhan, “Understanding Xamarin iOS - Build Native iOS App.” https://www.dotnettricks.com/learn/xamarin/understanding-xamarin-ios-build-native-ios-app (accessed May 30, 2021).

18. R. Ayers, S. Brothers, and W. Jansen, “Guidelines on Mobile Device Forensics,” Gaithersburg, MD, May 2014, doi: 10.6028/NIST.SP.800-101r1.

19. Apple, “HT208200.” https://support.apple.com/en-us/HT208200 (accessed Apr. 30, 2021).

20. androidgroup.net, “root-huawei-y3-2017-cro-u00.” https://www.androidgroup.net/2019/03/root-huawei-y3-2017-cro-u00.html (accessed Jul. 16, 2021).

21. Apple, “Apple Guide.” https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web (accessed Jun. 14, 2021).

22. cheeky4n6monkey, “Facebook Messenger Android App.” http://cheeky4n6monkey.blogspot.com/2014/01/facebook-facebook-messenger-android-app.html (accessed Jul. 18, 2021).

23. freeandroidforensics, “Facebook for Android Artifacts.” http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html (accessed Jul. 18, 2021).