Extracting Data of the Activities of the Instant Artifacts

In previous chapters, we introduced the Android and iOS architecture. The iOS architecture includes an intermediate layer between the programs and the hardware such that they do not communicate directly. Also, the lowest levels provide fundamental services, while the upper layers give the user interface and advanced visuals. The Android architecture incorporates a variety of components to support the demands of any Android device. Android software has an open source Linux kernel that includes a collection of C/C++ libraries that are accessed via application framework services.

This chapter is divided to three sections: the first section introduces the process of extracting the data remaining from instant messaging and other applications on an Android and iOS platforms. The second section extracts data from Gmail application artifacts using both the recent iPhone operating system and Android 10, and describes the proliferation of mobile phone industries, which caused an increase in the opportunities for the intruder’s chance to do their activities beyond the challenges of the new techniques. The third section explains how to analyze evidence from Google Drive by applying a mobile forensic method on an Android smartphone on which the Google Drive application is installed.

Implementation and Examination Details

This study uses two smartphones with an installation of Facebook Messenger, WhatsApp, and so on. It focuses on extracting the data remaining from instant messaging and other applications on Android and iOS platforms. This chapter studies the user’s behavior, including logging on to these applications, uploading images, exchanging information, and so on. All the experiments are conducted on real systems and iTunes backup files. It performs on OPPO Reno5 F under the Android operating environment and on IPhone7 under the iOS platform; instant messaging applications are already installed in all cases.

We try to collect and gathered data such as call logs, deleted items, images, Internet connection logs, lock codes, memos, MMS, phonebooks, SMS, system files, video clips, and voice files; all the specifications of the tools that used are listed in Table 4-1.

• Details of the reporting agency: Dr. Mohammed Moreb

• Case identifier: 741994

• Date of evidence receipt: 24th April 2021

• Identity of the submitter: PalMobileCenterTest

• Forensic investigator: Rawan Samara

The first step is to find the details about the device seized for examination like brand name, model, serial number, IMEI number, and so on. There are two methods. Firstly, searching the phone for labels that contain some information like IMEI number will be very useful because there are many websites that can show all the details about the seized device like https://www.imei.info/. Secondly, use the tools that are introduced in Chapter 2. We used Libimobiledevice for iPhone 7 and HalabTech tool for OPPO Reno5 F, as shown in Figure 4-1.

Then, we create an image file for the physical memory of the smartphones and use forensic tools to extract and analyze the data extracted from the image files. After that, extract data and create image files from physical memory by connecting the mobile phone with the computer by using the phone cable after enabling developer options and allowing connection via USB (introduced in Chapter 2). Following that, when the two devices are connected, we use forensic tools and continue with the device connection, user settings, acquisition, examination, analysis, and reporting. During the acquisition for the iPhone7, there were some additional difficulties over what was seen during the acquisition for the OPPO mobile, namely, requesting the iTunes program to be open in the PC, needing the iTunes backup password, and being locked out of the iPhone multiple times.

Acquisition for Android Device - OPPO Reno5 F

• Logical acquisition (Nonrooted device): We used this method on OPPO Reno5 F using many challenges as follows:

• Mobiledit: Unfortunately, no data was extracted from any application in the device. The only information we got is the permissions that the device granted for every application.

• FINALMobile: This program was one of the best when dealing with Android without rooting. It extracted a good amount of data like Messenger, Twitter, and Instagram chats. Also, it detected the true caller, which was a bonus.

• Belkasoft: We used another version of Belkasoft with Android (the crack version of Belkasoft evidence center), which is not as good as Belkasoft X. Also, the fact that the device is unrooted reduces the amount of data extracted. This version extracted only the image, audio, video, document, location, and device information.

• Axiom Magnet: It was the worst in extracting data. There was a problem with the application when it was installed on a nonfunctional phone which does not run, and I think the agent that uses it is not compatible with OPPO devices.

• DB Browser (SQLite): The SQLite database is a free and open source database engine that is used as an in-process systematic library to deploy transactional SQL databases. The SQLite database is a full database that has multiple tables, programmable triggers, and data views in a single platform file. Because SQLite is a dependable, portable, and lightweight database format, it is the most often used database format in many mobile environments. Several attempts to root the phone (Redmi Note 7) were made using XRY, TWRB, MI Flash, and other tools as shown in Figure 4-2, but there was a problem when the app (find device) couldn’t activate the SIM card that associated with the MI account, which meant that we couldn’t unlock the bootloader to continue rooting. We also tried recovery boot and a variety of other approaches, but none of them worked. More research and study are needed on this subject to complete, as we explain in the next chapters. For the screen lock bypassing technique, there’s a Halab Tech tool that can remove the lock screen, but the device must be rooted.

Gmail Application Artifacts

This section will introduce the process of Gmail investigation artifacts on both operating systems: iOS and Android. The revolution of the development of smartphones in the last few years, especially the variation in developed applications, has made life easier, and such applications are fast enough to handle such problems in real life. The statistics show that the number of smartphones running worldwide is 3.6 million in 2020, and the expectation in 2023 to be 4.3 million (Statista, 2021).

Here is a brief introduction to a famous artifact on mobile devices that may help make the overall picture of mobile investigations more easily understood. A mobile web browser is an application used to access the Internet. Using a web browser, a user can search information, communicate with others using social networks, send/receive emails, and so on. The forensic artifacts that are left by a web browser like Google Chrome as a session ends are not only website visits, downloads, and cookies, but other artifacts like time of access and some keywords. Web browsers store a large amount of data on the user’s hard disk, and either Safari or Google Chrome stored data about the user such as usernames, emails, downloads, temp files, and cache in a database of SQLite at the user’s side. Investigations on mobile web browsers are also known as mobile forensics, which is divided into two techniques: live and static (Sariboz, E., & Varol, C., 2018).

A technique that allows investigators to restore deleted files is relying on the journaling file system in iOS. The forensic analysis to confirm the suggested technique (A. Ariffin, C. D’Orazio, K. R. Choo, and J. Slay, 2013). In addition to that, there are multiple methods for collecting data and extracting evidence, as well as corresponding policies. However, combined with rapidly changing technology, many challenges in the forensic investigation process. In iTunes backup utility the data of forensic value like email messages, text, and messages, calendar, browsing history, call history, and others may be found using iPhone capture dump. Despite their research professionalism they did not mention live data forensics (Bader, M., Baggili, I., 2010). Android forensic for extracting Gmail data from mobile device has received recent attention: researchers have successfully found extracted data from the database of the Gmail application under /data/data/com.google.android.gm directory. The one thing that has not been solved is how to find the encrypted files residing in the database directories for Gmail (Kim, D., & Lee, S., 2020).

International cooperation in cybersecurity law is taking place in constituencies to bring international support to cybercrime issues. International Telecom Union (ITU) in 2014 in WASIS initiated an initiative in cybercrime cooperation in five regions worldwide (ITU Cybersecurity Activities, 2020).

On May 25, 2018, the European Union (EU) launched the General Data Protection Regulation (GDPR), which is security and privacy law (What is GDPR, 2019). On the other hand, in June 2017 the Republic of China approved the cybersecurity law addressing most features of security, but there is not one single word regarding mobile security (Translation: Cybersecurity Law of the People’s Republic of China, 2017), which is a weakness in this law. The Budapest Convention against Cybercrimes, the first convention related to digital crimes, took place in the Hungarian capital Budapest on November 23, 2001. It highlights the cooperation and international solidarity in combating cybercrime. The signing of that international convention is the first step in the field of building international solidarity against those crimes that take place through the Internet (Budapest Convention and Related Standards, n.d.).

In this section, the main goal is to achieve the best practice method in investigating the Gmail application, which runs on both iOS iPad 10.5 version 14.4 and Android 10. The analysis will be on both OS for seizure, acquisition, analysis, and reporting as shown in Figure 4-3.

In this section, experiments with both iOS and Android will take place with all stages of the forensic life cycle as described next.

iOS Seizure Device Information

In this section, we will obtain all information about the iOS device, which is the iPad; Table 4-1 describes all information about the iPad’s status to emphasize the health of the device before the case investigation.

Table 4-1

iPad Obtained

Color	Gold
Scratches	No scratches found
Wallpaper	Default Apple wallpaper
Accessories	Just cover
External storage	Not found
SIM card	No

1. [1].

   Isolation: Before starting acquisition, and because we did not have a box for isolation such as a Faraday box, we did isolation for the device from other external connections, putting the device in Flight mode to disconnect it from Wi-Fi, Bluetooth access, or cabling. This operation is done on all devices in both iOS and Android.

    
2. [2].

   Acquisition To acquire mobile phones, there are three types of extractions used: manual, logical, and physical extractions.

    
3. [3].

   Manual Acquisition: This method of extraction is used to verify the accuracy after the physical extractions for both iOS and Android OS. It is done simply to view the data on the mobile directly from its touch screen in a human way. Here the error tolerance for the data is based on human error.

    
4. [4].

   Logical Acquisition: In this case, we did a logical acquisition. The iOS device connected the USB-Lighting cable to the computer; then we connected the iPad to the iTunes software, and we got specific information about the device as shown in Figure 4-4.

    

In our case, logical extraction for Android OS was done mainly using mobiledit; using this tool while the device is not rooted only extracts the application without its data. Rooted devices will be described in the following sections. After a successful acquisition was finished, the Android file structure was listed as shown in Figure 4-5.

From our practical case, we can summarize the comparisons between logical backup and device backup; the iOS logical acquisition is fast and compatible with all iOS versions running on Apple devices using iTunes. Also, it gets shared application information but not all data files and databases of the iOS. In device backup, which is bit by bit, the backup will include all file systems with database and SQLite files, and deleted files also will be there. Android devices using ADB backup may get logical backup, since the device is not rooted, but if we have a rooted device, we can get physical backup reaching a low level of the file system with all database files.

1. [5].

   Analysis: In this section, we will analyze the data acquired from iOS and Android OS, also comparing the acquisition tools used. The acquisition proceedings were conducted according to the iPad device while it’s unlocked, and we used the logical acquisition because the physical acquisition did not occur while the iPad was not jailbroken. We moved over the backup files that iTunes generated from the device on the preceding path, and then we browsed the “Manifest.db” database SQLite using the DB SQLite viewer as shown in Figure 4-11.

    
2. [6].

   Verification: After the acquisition, we did a verification on the backup file that matches the real device data by comparing the data in the backup file with device data. Also, we took the hash value of the file to make sure that there were no changes in data. The hash file was taken using PowerShell in Windows. Figure 4-6 shows the process of calculating the hash file, also in text representation as SHA256:

   00D32E16FE52AE6E69F5448778338344E12FC30FF46D2FDE4D0C5CC282F29F4F

    

1. [7].
   Analysis and Findings: Finally, we had the backup file for iPad as shown in Figure 4-7. The system gives a name for the backup as unique identifier c3929606ab580d10ee494d31528706f879f34915, and has the following files:

   • info.plist

   • manifest.plist

   • status.plist

   • manifest.db

    

info.plist:

Inside this folder, as seen in Figure 4-8, is the screenshot for info.plist view. We will take a look at major features staring from info.plist. This file has the following information:

• Applications: All applications installed on iPad

• Build version: iOS build version: 18D52

• Device name and display name: Device owner name: Zain’s iPad

• Globally Unique Identifier (GUID): 1FE45D6A5076661CD28000DCC71C30D7

• Last backup date: 2021-05-30T22:51:54Z

• Serial Number: F9FXK5PYJMVR

manifest.plist:

This file also describes the content of the backup file as shown in Figure 4-9, including the manifest view and the following information included inside it:

• Backup keybag: Key backup

• Version: Backup version 10.0

• Date: Last backup or updated 2021-05-23T21:38:56

• WasPasscodeSet: To find whether a passcode was set or was not. NO

• Lockdown: Holds iPad details, and other information.

• Applications: All third-party applications installed.

• Is Encrypted: To find whether backup taken in with encryption or not: False.

status.plist:

This file stores details about backup status. Basically, it has the following information as shown in Figure 4-10.

• IsFullBackup: False.

• UUID: E79B08BF-FD8E-41F5-9247-7E45474410D5

• Date: 2021-05-30T22:51:43Z

• BackupState: New

• SnapshotState: Has the backup process finished successfully: Finished.

manifest.db:

It is an SQLite database that holds a list of all the files and folders extracted from the iPad, showing the table schema and data in the manifest database as shown in Figure 4-11.

To extract data from backup, we used many tools, in addition to the iBackup software and DB SQLite tools used previously. The following extraction, done using iExplorer software when connected to the mobile device, will display all information about the iPad backup. In addition to that, a new commercial tool is used known as Belkasoft as shown in Figure 4-12.

Also, we used the reincubate iPhone extractor to extract evidence from the backup we took for the iPad; we found that a lot of data can be accessed easily and quickly. We did extract all of contacts, SMS, and mail SQLite database. After loading the case into the application, we searched on the Gmail application. We found truly little data. Figure 4-13 illustrates Gmail artifacts.

Also, we found the contact detail from the same interface; Figure 4-14 shows the data extracted.

Figure 4-15 shows the SMS extracted from the same software.

Using the Belkasoft tools, we found an artifact related to our search topic, which is Gmail artifact. In Figure 4-16 we found messages between two parties as sender and receiver; this data was extracted from a hex dump file analysis.

After extracting the backup file using elcomsoft, go to the home domain under the directory path C:UsershpcDesktopelcomsoftwaseemHomeDomainLibrarySafari. We found all directories needed in our investigation. We will look at the following:

Form home domain/account as shown in Figure 4-17, then after performing the following command, select * from ZACCOUNTTYPE where ZACCOUNTTYPEDESCRIPTION like ‘Gmail’.

Also, from the same directory, we can get the bookmark for the Safari web browser as shown in Figure 4-18.

Android OS

Our case will use two Android mobile devices (real devices) and one virtual machine simulator as follows:

1. 1.

   Tecno Spark 6GO.

    
2. 2.

   Xiaomi Mi 8 lite (Figure 4-19 shows the Xaiomi mobile information)

    
3. 3.

   Nox virtual machine mobile.

    

Physical extraction can apply only on rooted devices’ bit-by-bit copies, including deleted files and nonallocated space of memory; the tool used to dump all data from the mobile is the “dd” command to copy bit-by-bit data, while its rooted mobile is as illustrated in Figure 4-20, which shows the process of physical backup in the shell command then using one of two methods to transfer the file to the Windows machine: either “ADB pull” or the NC command.

It is important to know that all acquisition methods will not take a full backup if the device does not root state. Otherwise, it will be a logical backup.

The rooting process is driven to get administrative privileges on the device allowing the investigators to extract data from the application at the root level. The root shell user called a superuser writes down as # sign when logged in. We installed a virtual mobile machine on Mi Note 8 successfully after many rooting tries failed on the Chinese one (TECNO SPART 6 GO) because the CPU architecture did not support the 64-bit application and virtualizations. However, we did successfully install the NOX emulator on the Windows computer to go in my experiment. After doing root configuration on the NOX emulator, finally, we connected to the shell as shown in Figure 4-21.

Using Mobiledit and FINALMobile Forensic Software

Again Figure 4-22 shows the acquisition stage using ADB logical backup. Since the data is found under the path /data/data/com.google.android.gm, the directories have only XML files about the emails with no data.

In the FINALMobile software, there was data extracted from the (.emf) file but it was only cache data, as shown in Figure 4-23.

Rooted Device

In this section, we will do our investigation using root privileges; many tools are available to root the Android device, and we use ADB Shell by connecting the mobile device through USB cable, then navigating to the Platform-Tools to view the device information and whether it’s connected or not, as shown in Figure 4-24.

The NOX device platform now has root privileges, and we can access the device as a superuser as shown in Figure 4-25. Here we connect the device to the Windows machine using the adb.exe command. We find the serial for the mobile and we obviously see the # sign, which is root privileges.

Using the “ls -l” command, we see the list of all files and directories inside the Android as shown in Figure 4-26.

To navigate the desired data, we must go under the path data/data/com.google.android.gm as shown in Figure 4-27, which includes the database of the Gmail email application.

Getting the database dump using shell command is the easiest way for us, and the second easiest is moving the database outside the mobile device using the commands in Table 4-2 and as shown in Figure 4-28.

Table 4-2

List of Commands Used

Tar -cvf new.tar /database/	Compress database directory to new.tar
Mv new.tar /sdcard	Moving archived file to sdcard in order to pull it to our machine
Adb pull /sdcard/new.tar c: emp	Copy new.tar to temp directory in C drive

By using Linux command, the extracted data is obtained easily rather than the next one using GUI of SQLite, because the encrypted file is not manipulated in GUI but it is easy to decode it in Linux scripting shell as shown in Table 4-2.

Under the path of the data file for Gmail, which is /data/data/com.google.android.gm/databases, listing all files in this directory as in Figure 4-29.

We found that a file with extension (.db) is easy to browse its content either by command or by GUI as described in later sections. For example, if we want to browse the data inside accounts.notifications.db, the following command is used as in Figure 4-30.

And this could be opened on SQLite software. But when trying to open a Write Ahead Log (WAL) file, this could not be opened in GUI as SQLite because this software did not support the extension of this file.

What we did to open the file and extract the messaging from the file itself. We used Linux shell command “cat” concatenated with “grep” as (cat * | grep test); here the term “test” is used for analysis and how the file is written inside. After deep analysis of the result of the preceding command. Finally, we found all things we were searching for, and the following are some hints that help investigators to read the data shown in Figure 4-31.

• Line starting with (↔thread-a) means it is a sent message and has subject and body.

• Line starting with (sg-a) means sender email address.

• Line starting with (∟thread-f) means it is an inbox message and has subject and body.

• Line starting with (deleted email) means it is a deleted email and found in a trash folder.

• Line starting with (▲thread-a:) means it is a draft message.

• Attachment and time creations found in the next section.

SQLite Viewer

In Figure 4-32, we see a pulled directory that contains all data base files; the figure also shows the associated account, which is [email protected].

In addition to that, we decode the time of the first_registration_version from epoch time to human-readable time to see when this account is created. The time equal to 1626337812193112 is shown in Figure 4-33.

Also, we fetch the attachments uploaded in email as shown in Figure 4-34 and easily find the real attachment from its name and time from FINALMobile tool.

Mobile Forensics for Google Drive

Cloud computing is a form of Internet-based computing that allows computers and other devices to access shared information-processing resources and data on demand. Because of the rapid technological evolution related to mobile devices and cloud computing, users could access their resources from any place and at any time. Nowadays, the use of cloud storage media is very popular among Internet users, especially with the Google Drive cloud storage media on smartphones. Google Drive is a file storage and sharing platform that provides storing and synchronizing many types of users’ files, which can be accessed via their Google accounts. Google Drive applications can be installed on Apple and Android smartphones, so viewing, editing, uploading, sharing, and synchronizing documents are available on these devices.

This section’s case is an exercise in analyzing evidence by applying a mobile forensic method on an Android smartphone, on which the Google Drive application is already installed. To analyze the evidence, a crime situation has been created in which the user saves a photo of drugs on the smartphone’s Google Drive. Many forensic software programs were used to acquire the Google Drive data. Firstly, the Belkasoft Evidence center was used but it gives an error “Operation completed with errors” and not all the data required could be opened. Another one is the Mobiledit Forensic Express; the data was acquired but hashed.

Evidence collection is the first step in securing evidence discovered by police or investigators is preservation. In this case, the prosecutor received proof from the owner in the form of a Xiaomi Redmi Note 8 Pro smartphone with the operating system Android 9.0 Pie, 4GB RAM, and the Google Drive application installed on it. The isolation process is required to avoid changing data on the smartphone by triggering the Airplane mode feature. This feature is allowed to disable all data access that might compromise the smartphone’s data integrity. This procedure is followed in order to ensure data integrity. Data integrity is achieved by imaging files from the physical evidence using Mobiledit Forensic Express. The phone image was created but hashed.

According to Android architecture, the Google Drive app is in the system app layer where the system application and the user applications are found. The Google Drive used in our case was the standard application: version 2.18, as described in Figure 4-35.

Rooting is a term used in mobile forensics that refers to granting the mobile user an access to their devices to perform activities that are not allowed normally. In the selected case, when acquiring the unrooted device, a restricted scope of data was acquired, but in case of rooting, the data folder could be accessed and more evidence was collected. The owner of the app (email address) was shown, and the deleted data was also displayed in the summary report as shown in Figure 4-36.

A Samsung mobile device with root access was used with the following specifications: model: G7102 Galaxy Grand 2 (SM-G7102), IMEI: 359907052716647, SN: 271644, Android version: 4.4.2, built-in memory: 8 GB. it was rooted using Odin 3.31 as shown in Figure 4-37.

ADB commands were used for displaying the connected device, and ADB was used to back up the data. Then, the image was converted to a .tar file using the Java -jar command, and the image was copied to a local workstation, as shown in Figure 4-38.

Belkasoft was used to acquire the device but it gives “operation completed with errors”; Mobiledit Forensic Express was used to acquire evidence from this device, and it gave a detailed report about the mobile data including all the content of Google Drive like contacts, photos, and files. According to database files, there was a database file in the backup file related to Google Drive, and DB Browser was used to open this file, as seen in Figure 4-39.

Cloud Storage Services Artifacts

Summary

Gmail is the only email that has come with default Android application in the last couple of years, and it is used to create accounts and define private (non-Gmail) accounts on it, which makes it easy for the users to handle their emails via Android mobiles.

Nowadays, the data forensic since is used for white and black purposes; we as students at Arab American University achieved the goal of the mobile forensics course, which is how to do successful mobile forensics in order to extract data from mobiles. My experiment shows that there is no way to extract Gmail data by logical acquisition nor by manuals unless you have an authorized access, and the only way to bring the application data from the device is if physical acquisitions are there. But physical acquisition will not be valid without root permission on Android devices or jailbreak on iOS.

Recently, iOS devices have been able to extract data information about the account and sender receiver subject of the email, but no data is given about the email body itself because of the nonjailbreak device; that is why we did not access superuser privileges.

The Android version had no vulnerability to do root easily, and the developers had hardened their codes to be increasingly robust and secure. In our experiment on both devices, Xiaomi Mi 8 lite and Techno Spark with Android 10 QKQ the rooting failed, but we succeeded to root on virtual mobile Galaxy Note 10 successfully.

Lastly, we got all the information in Gmail including accounts, creation date of accounts, sent email, inbox, draft, and deleted files.

References