
Hindawi

Wireless Communications and Mobile Computing


Volume 2021, Article ID 5567592, 36 pages
https://doi.org/10.1155/2021/5567592

Research Article
Forensic Analysis of Social Networking Applications on an Android Smartphone

Anoshia Menahil (1), Waseem Iqbal (1), Mohsin Iftikhar (2), Waleed Bin Shahid (1), Khwaja Mansoor (3), and Saddaf Rubab (1)

(1) Department of Information Security, National University of Sciences and Technology (NUST), Islamabad 44000, Pakistan
(2) School of Computing and Mathematics, Charles Sturt University, Australia
(3) Faculty of Computing and AI, Department of Cyber Security, Air University, Islamabad 44000, Pakistan

Correspondence should be addressed to Waseem Iqbal; [email protected]

Received 20 February 2021; Revised 15 March 2021; Accepted 1 July 2021; Published 23 July 2021

Academic Editor: Ernestina Cianca

Copyright © 2021 Anoshia Menahil et al. This is an open access article distributed under the Creative Commons Attribution
License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is
properly cited.

Smartphone users spend a substantial amount of time browsing, emailing, and messaging through different social networking apps. The use of social networking apps on smartphones has become a dominating part of daily life. This momentous usage has also resulted in a huge spike in cybercrimes such as social harassment, abusive messages, vicious threats, broadcasting of suicidal actions, and live coverage of violent attacks. Many such crimes are carried out through social networking apps; therefore, the forensic analysis of digital devices allegedly involved in crime scenes and of the social apps installed on them can be helpful in resolving criminal investigations. This research is aimed at performing a forensic investigation of five social networking apps, i.e., Instagram, LINE, Whisper, WeChat, and Wickr, on Android smartphones. The essential motivation behind the examination and tests is to find out whether data resides within the internal storage of the device after using these social networking apps. Data extraction and analysis are carried out using three tools, i.e., Magnet AXIOM, XRY, and Autopsy. From the results of these experiments, a considerable amount of essential data was successfully extracted from the examined smartphone. This useful data can easily be recovered by forensic analysts for future examination of any crime situation. Finally, we analyzed the tools on the basis of their ability to extract digital evidence from the device, and their performance is examined with respect to NIST standards.

1. Introduction

Smartphones have gone through a progressive advancement over the last two decades. From being a prized possession, they have become an outright need as they are used for a lot more than just calls and messages. Smartphones enable users to enjoy a comfortable internet experience by browsing, emailing, and staying connected through different social media apps. The use of social media apps has witnessed a momentous surge, and they are being used by people of all age groups, by businesses, academia, media, hacktivists, law enforcement agencies (LEAs), and even terrorist organizations for a wide variety of purposes [1]. During the last 12 months, the use of social media has continuously increased by 1 million every day [2]. According to the Digital 2020 Global Overview, the usage of social media has increased by 12 percent from 2019 and 99 percent of that surge was due to smartphone apps [2].

For most teenagers, the most popular usage of mobile phone is socializing. These online interactions are mostly productive; however, the online interactions have resulted in increased number of bullying, threatening, and humiliating others as well [3]. It is estimated that 73% of students feel that they have been harassed in their lives and 44% say they have been harassed during the last 30 days [4]. Easy access to social media platforms opens a door for a new type of bullying.

Social networking apps (SNAs) allow users to create a profile, upload personal information such as pictures, videos, and location, and share that information through private messaging or public posts. This phenomenon gives criminals

Figure 1: Statistics of the usage of the Internet and social media (bar chart titled "Annual digital growth 2020" with bars for Internet users, mobile users, active social media users, and use of social media through mobile phone; the plotted values are 53%, 60%, 67%, and 99%).

an open opportunity to influence the user's personal information, thus giving rise to cybercrimes via SNAs [5]. These apps can also be exploited for cyber bullying, stalking, sexual harassment, and insults [6, 7]. Since all information about user activities is stored within the phone's internal memory, these smartphones have become an important source of evidence and artifacts during crime investigations linked to these SNAs. These gathered artifacts enable users and investigators to find out the PII (personally identifiable information) [8] that is stored in the device and is useful to be presented in the court of law.

The increase in cybercrimes using smartphones and SNAs [9] has created an opportunity to use forensic tools and techniques to investigate these criminal activities. The forensic analyst requires an up-to-date understanding of what kind of artifacts can possibly be recovered so that they can be presented in the court of law. Moreover, the increased demand for more and more advanced smartphones has created fierce competition among equipment manufacturers. New smartphones are continuously launched in the market, which has resulted in a frequent change of mobile phones by users based on factors such as better OS, file structure, data storage, user experience, and many more [10]. Therefore, forensic examiners are struggling to keep up with new procedures and tools.

Many studies have been conducted on Facebook and WhatsApp forensics and other well-renowned apps as mentioned in the literature, so there is a need for forensic analysis of other social media apps (Instagram, LINE, WeChat, Whisper, and Wickr) which are getting popular these days. With the expanded use of smartphones for social networking as highlighted in Figure 1, a lot of knowledge on forensic artifacts depicting user behaviour is generated through these social networking apps [2] and is stored within the phones. Several situations involving significant incidents might occur that may end up in court. Forensic investigators can use those activities as evidence in investigating such incidents.

Keeping this scenario in mind, we have focused on inspecting the phone forensically and looking for the artifacts generated and stored in different locations in the phone, via the forensic tools. Such artifact findings are capable of tying the perpetrator to the incident; thus, forensic examination of these apps can provide a ready reckoner to the digital forensic investigator of Android phone analysis.

Figure 2: NIST forensic analysis process (flow: preservation/acquisition, analysis, reporting).

Thus, focusing on this requirement, our research aims at performing the following actions:

(i) Identification, extraction, and analysis of the artifacts recovered from the popular social networking apps on an Android smartphone in a way that can be presented in the court of law
(ii) Analysis of each app using three different tools, i.e., Magnet AXIOM, Autopsy, and XRY
(iii) Presentation of the analysis of the tools to showcase their ability to extract digital evidence from the device; their performance is examined with respect to NIST standards

We have used three forensic tools to perform experiments on five popular social media apps including Instagram [11], LINE [12], Whisper [13], WeChat [14], and Wickr [15]. Data from these apps is acquired and analyzed during three stages (before data deletion, after data deletion, and after app uninstall) using Magnet AXIOM [16], Autopsy [17], and XRY [18]. Furthermore, we have also categorized the tools on the basis of total artifacts recovered and NIST standards on smartphone extraction tools [19]. We have also devised some additional parameters that can be used

Table 1: Literature study of forensic investigation on mobile applications.

App | Platform used | Artifacts | Remarks
Snapchat [34] | iOS and Android | iOS images and videos are fully detected. Android images and videos not fully detected | No correlation found between file on XML record and recovered video.
Wickr [35] | Android | No artifacts found | After analyzing app on rooted and nonrooted devices, Wickr was proved as an antiforensic app
WhatsApp, Viber [36] | Froyo v2.2, GingerBread v2.3.x, and IceCreamSandwich v4.0.x | WhatsApp: message, timestamps, and names of files sent and received. Viber: no file found through the analyzer | Research does not focus on the artifact discovery when data was deleted
WhatsApp [37] | Android | Phone numbers, messages, media files, contact cards, and profile pictures | They successfully developed a tool to acquire data from phone
20 applications [38] | Android v4.4.2, iOS 7.1.2 | Snapchat, Tinder, Wickr, and BBM: data not recovered | Main focus was on the network traffic analysis
ChatSecure [39] | Android | Recovered messages, video, and audio that have been shared. No deleted data recovered | Artifact extraction done only from the volatile memory. An algorithm was designed to decrypt the encrypted ChatSecure database
Kik Messenger [40] | Android v4.4, 5.0 | Chat messages (sent/received), contacts, and media that have been exchanged are recovered | Device backup was created through the logical acquisition
Instagram [41] | iPhone 6s (iOS 10.3.0) | User information, activity history, and application settings recovered from the iPhone backup file | Backup created through logical acquisition. Only the file folder was considered for the artifacts
WhatsApp [42] | Android v5.0.1 | Text messages, images, video, and documents recovered | Calculate and compare the Belkasoft Evidence (trial version) and WhatsApp Key/DB Extractor tools on the basis of artifacts recovered from WhatsApp
Telegram [43–45] | Android, Windows | Android gives messages and cache info after exploring databases. App package was not recovered in Windows phone | Analysis was done on 5 scenarios that were divided into 17 smaller scenarios, but these scenarios were not discussed properly. Reference [44] did not analyze the whole file system (part analysis has been done). Reference [45] claimed that commercial tools like Internet Evidence Finder, UFED Physical Analyzer, and Oxygen Forensic Analysis did not have the capability to acquire artifacts from Telegram Messenger for the Windows phone but did not discuss the clear experimental evidence
KaKaoTalk [44, 46] | Android | Kakao encrypted database was decrypted to gain access to messages and contact information | Reference [41] discussed the security measures against password guessing attack to protect the encrypted databases. Reference [44] did not analyze the whole file system (part analysis has been done)
Instagram and Path [47] | iPhone 5s | Followers, hashtags, and some account information recovered from Instagram. Path did not disclose any important data of user activities | Discussed and proved the importance of write blocker while acquiring data from a device
Cubby, IDrive [48] | Android v5 | Recovered register id and password, timestamps, uploaded files with timestamps, and downloaded files with timestamps, and recovered encryption technique | Some locations were identified that were vulnerable to attacks
Facebook, Twitter, Myspace [49] | Android, iPhone, and Blackberry | Recovered some information from iPhone and Android. Nothing recovered from Blackberry | Logical backup copies of three smartphones. No artifacts from internal memory were discussed
Snapchat [33] | Android | Unexpired and expired recoverable | Scenario-based discussion. Scenarios are difficult to implement because of high cost

for forensic analysis. The artifacts suggested by our study can be helpful in forensic investigation of cybercrimes on SNAs.

The rest of the paper is organized in 6 sections. Section 1 presents the preliminary concepts and definitions used in this paper. Section 2 presents the literature related to mobile app forensics on different operating systems (OSs). In Section 3, the methodology of the research is explained. Section 4 covers the artifacts recovered from all five apps using Magnet AXIOM, Autopsy, and XRY. Section 5 discusses the results gathered from the three tools and evaluates the tools according to total artifacts recovered, NIST parameters [19, 20], and additional parameters derived during this research to judge the tools' capabilities. Conclusions and future work are presented in Section 6.

2. Preliminary Concepts

This section presents a brief overview of the preliminary concepts that are used or referred to throughout this article.

2.1. Android Operating System. Currently, Android OS is the most commonly used OS in mobile phones with an 88% share in the worldwide smartphone industry. It is therefore essential to explore Android using various methodologies and methods [21]. For forensic investigators, the folder structure of an Android phone can be an extremely interesting region, so they should understand where the information/evidence can be found. It is therefore helpful to understand the structure of data storage [22].

A unique Id (Uid) is assigned to each app in Android. Each app runs in a separate process so that no application can access the data of another app. A unique app id for a specific app is stored in the app package. A phone application can store app data in many ways [23]. Through app forensic analysis, an investigator can comprehend the usage of the app and find the user data. App analysis is important because nearly all apps use typical functions, i.e., messages, calls, contacts, and internet surfing [24]. This data can tell a lot about the user, such as when they were in a specific location, whom they have communicated with, their future plans, etc.

2.2. Digital Evidence and Forensic Process. In 2006, Carrier and Spafford [25] defined digital evidence as data that supports or refutes a hypothesis made about digital events. Forensic investigation is done by collecting, preserving, and analyzing the evidence to present it in the court of law. Mobile phones continuously transmit data through wifi, Bluetooth, etc. It is very difficult to preserve data without altering it, so it is important to record and document every single detail during the whole process.

According to the National Institute of Standards and Technology (NIST), the forensic process [26] includes a 4-step procedure, i.e., preservation, acquisition, analysis, and presentation. Figure 2 describes the NIST forensic process.

2.2.1. NIST Standards on Smartphone Extraction Tools. NIST releases parameters and methods to calculate the performance of forensic tools based on the outcomes of the assessment plan conducted by NIST. Every assertion creates at least one experiment comprising a test convention and the expected test outcomes. The test convention indicates point-by-point techniques for setting up the test, executing the test, and estimating the test outcomes [19]. NIST claims that in forensic cases, the expanding quantity of cell phones every year creates problems. Hence, a method is required to quantify the capability of the available forensic tools. NIST offers 42 parameters and methods based on the results of each test plan to assess the performance of forensic devices.

The objective of the computer forensic tool testing (CFTT) venture at NIST is to build up an approach for testing forensic tools. This is done by establishing unique and common rules governing the requirements of the tools. NIST records the estimation parameters of the forensic tools in two reports entitled "smartphone tool specification" [19] and "smartphone tool test assertions and test plan" [20]. The estimation parameters are partitioned into two parts: core and optional. Specifications for smartphone devices are in two parts. Smartphone tool core requirements ([SPT-CR-01] to [SPT-CR-06]) are the requirements that will be met by all acquisition tools. Smartphone tool optional requirements ([SPT-RO-01] to [SPT-RO-15]) require that a tool comply with the requirements for the optional features or choices that the tool offers. Test assertions are developed using these requirements. Test assertions are defined as general statements of conditions that can be tested after a test has been carried out.

2.3. Digital Investigation Tools. There are tools that are designed to acquire and analyze the digital image from mobile devices. The competency of the forensic acquisition and analysis of these tools can differ from one another, so it is important for the analyst to have knowledge of the different tools' expertise levels. The output comparison and verification between tools can help the examiner choose the tool to use for the case. We have used the following three tools in our analysis.

Figure 3: Research methodology: a detailed flow chart of actions performed during forensic analysis. The chart reads: Start; apps downloaded and installed; scenario building (standard app-specific activities performed on apps: upload pictures/videos/stories, exchange text messages, exchange media (image/video/audio), calls (video, audio)); "Phone rooted?" (No: root the phone by flashing SuperSU after installing TWRP recovery in recovery mode to gain SU access; Yes: continue); acquisition (physical) with Magnet AXIOM and XRY, repeated for app uninstallation, data deleted, and data extracted from internal storage; analysis with Magnet AXIOM, Autopsy, and XRY; tool evaluation against NIST standards and research parameters defined by the researcher; End.

2.3.1. Magnet AXIOM. AXIOM is a complete digital investigation tool developed by Magnet Forensics. It is used to recover digital evidence from different sources, i.e., computers, smartphones, third-party images, and cloud. This platform contains two apps to acquire and analyze data. AXIOM Process is used to acquire and process the data acquired from the smartphone, and AXIOM Examine performs the examination and analysis of the acquired data. For the purpose of this research, we have used the fully functional trial version [16].

2.3.2. Autopsy. Autopsy is an open source digital investigation platform that is commonly used by law enforcement and forensic examiners to analyze the digital image in order to get the evidence from it. In this research, we are using Autopsy as a second analyzing tool to make certain of all the evidence recovered from the acquired images [17].

2.3.3. XRY. XRY is a digital investigation platform. It is an intuitive and competent software app that runs on the Windows OS. It allows an examiner to extract high-quality

Figure 4: Application scenario (one list of activities per app).

(i) Create an account
(ii) Upload some pictures on the account
(iii) Follow friends and be followed by some friends
(iv) Follow pages and hashtags
(v) Perform searches on the search bar
(vi) Upload stories (video, picture, text)
(vii) Scroll news feed and user explorer
(viii) DM pictures, videos, messages sent and received

(i) Create an account with phone number
(ii) Add friends
(iii) Make a profile and upload pictures
(iv) Scroll newsfeed
(v) Send and receive messages (audio/video/images)
(vi) Perform video/audio calling

(i) Create an account
(ii) Join groups
(iii) Scroll down the public whispers
(iv) Post a whisper a couple of times
(v) Search whispers by location
(vi) Give hearts and comments over whispers
(vii) Put password over the messages (user section)
(viii) Start private chat
(ix) Send and receive messages (audio, video, text)

(i) Create an account
(ii) Set up profile
(iii) Add friends
(iv) Upload status and pictures
(v) Like and comment on friends' statuses
(vi) Send and receive messages (audio/video/text/stickers)
(vii) Video calling

(i) Create an account
(ii) Set up profile
(iii) Add friends
(iv) Send and receive messages (audio/video/text/stickers)

Table 2: Experimental tools (SNA stands for social networking app).

Sr. | Experimental tools and software | Description
1 | Samsung Galaxy J7 | Android 8.0.1
2 | Workstation | Windows 10, 64 Bit, Intel i5
3 | USB cable | Connect the mobile phone to the workstation
4 | SQL DB browser [58] | Version 3.11.0
5 | Instagram [11] | SNA v87.0.0.18.99
6 | LINE [12] | SNA v9.4.5
7 | Whisper [13] | SNA v7.28.6
8 | WeChat [14] | SNA v7.0.3
9 | Wickr [15] | SNA v5.10.2

data securely from different digital devices and platforms. Acquisition and analysis can be performed through this tool. It allows an examiner to extract logical or physical data according to the case [18].

Table 3: Forensic tool description.

Sr. | Forensic tools | Version | Description
1 | Magnet AXIOM | 4.0 | Proprietary
2 | Autopsy | 4.14.0 | Open source
3 | XRY | 8.2 | Proprietary

Table 4: Proposed categories for artifacts.

Categories | Artifacts
DB | Databases recovered
Media/text exchanged | Text messages; images incoming; images outgoing; videos incoming; videos outgoing; audio incoming; audio outgoing; GIFs/emojis incoming; GIFs/emojis outgoing
Timeline | Stories, posts uploaded; posts liked/reply; group information; timing of posts/status; friend list
Account/user information | Profile picture, date of birth; email address; ID; location; name; phone number; profile images; phone app activity
Calls | Audio calls, video calls
Timestamps | Private chats; stories/posts/statuses upload; friends added

2.4. Root for Physical Acquisition. Forensic examination requires a detailed recovery of artifacts for thorough analysis, even though rooting is not needed for physical acquisition in some cases where a patch is offered by the acquisition tool, such as XRY, Cellebrite, and Magnet AXIOM. On the other hand, rooting the device helps in eliminating the limitations that the cell carriers or system OEMs have imposed. A rooted interface offers effective user data extraction and access to the internal directories of the device. The partitions and system folders are kept hidden with no access on a nonrooted phone. However, many Android smartphone manufacturers permit users to legally root their devices [27]. Moreover, the integrity of user data from rooted Android devices during data acquisition is a main concern, as forensic analysts extract valuable data from Android phones by rooting [27]. Furthermore, the authors in [28] prove that rooting of Android devices has legal validity and that the evidence extracted as a result of the rooting process is effective and credible evidence of conviction in criminal proceedings.

3. Related Work: Application Forensics

Some research work has been done in the field of mobile application forensics. Some of the analysis is done on the device's general activities, event logs, and device logs [29, 30], whereas other work emphasized the applications installed on the device. Andriotis et al. [31] related the usage of smartphones with numerous crimes like confidential information sharing on public mediums, uploading images over the cloud, and child pornography, etc. [32]. Information was collected from phone log files, wifi logs, event logs, Bluetooth logs, and databases containing the browsing history. Snapchat was analyzed in [33] by Infosecurity Group and by Aji et al. [34] on two smartphones using Android and iOS. They acquired the data from the smartphone's internal memory through 3 extraction techniques: physical, logical, and file system. Extraction was performed with UFED Cellebrite. Chat files, images, and videos were detected from XML records found on the iOS smartphone; however, the Android device data was not permanently deleted but hidden with the .nomedia extension.

In [35], Mehrotra et al. aimed to verify the founder's claim that the Android application Wickr enables the user to exchange self-destructing messages and files. They examined both rooted and nonrooted Android phone data acquired through the Titanium Backup Android app v6.1.1 and the Helium Backup Android app. No artifacts or trace of data exchange was found. Mahajan et al. [36] analyzed the artifacts of two apps, WhatsApp and Viber. Data was extracted through UFED from 3 versions of Android OS. Both apps were examined through UFED Analyzer. The chat list, chat messages, and sessions along with timestamps were found in the WhatsApp "msgstore.db" file, and contact information was found in the "wa.db" file. For Viber, all information that includes sent and received messages, contact lists, and timestamps was found through manual search. Mathavan and Meeran [37] performed forensic analysis on WhatsApp. The internal memory of an Android phone was analyzed to find artifacts such as sent/received messages, images, videos, logs, and contact information. Walnycky et al. [38] selected 20 social messaging apps based on the number of downloads and keyword results from Google Play Store. Network traffic was captured and saved using Wireshark and examined through NetworkMiner and NetWitness Investigator. This research concluded that four apps, i.e., Snapchat, Tinder, Wickr, and BBM, are secure as they encrypt network traffic through HTTPS using an SSL certificate. Anglano et al. [39] analyzed ChatSecure on Android phones. UFED Physical Analyzer was used to analyze the data. The ChatSecure database was decrypted through LiME. Messages and media shared during conversation were recovered, whereas the deleted data was not recovered. Adebayo et al. [40] analyzed the Kik app installed on three Android mobile devices. The device backup was created with Titanium
Figure 5: Artifacts retrieved from Instagram using Magnet AXIOM (panels (a) to (d); images not reproduced).

Backup, and the SQLite DB browser was used to analyze the recovered databases. In another study, Instagram was analyzed by Ryu et al. [41] on iPhone 6s using EditPlus3 Plist, iBackupBot iPhone Backup Extractor, iBackup Viewer, and iPhone Tracker DB. User information, activity history, and application settings were recovered from the iPhone backup file. Umar et al. [42] analyzed WhatsApp for digital evidence. The application was installed on a Samsung Galaxy S4 GT-I9500 with Android version 5.0.1, and acquisition was done through ADB. For analysis, two tools were used: WhatsApp key/DB Extractor and Belkasoft Evidence. Text messages, images, videos, and documents were recovered. From the results generated by the tools, Belkasoft was concluded to be the better of the two. The Telegram app was analyzed in [43, 44] on different versions of Android phones and on Windows phones [45]. Android gave messages and cache info after exploring DBs. No package related to the app was found on the Windows phone.

In a few other studies [44, 46], KaKaoTalk was analyzed on Android phones. The Kakao encrypted database was decrypted to gain access to messages and contact information in these studies. Facebook, Skype, Viber, Windows Live Messenger, and WhatsApp were analyzed in [50] on iPhone. The backup contains all the information related to these apps even after uninstallation. In [51], Facebook, WhatsApp, Hike, Viber, and Imo were analyzed on an Android phone. Locations of artifacts were discussed in this research. In [52], the security mechanisms of WhatsApp, Viber, Tango, Voupi, Forfone, HeyTell, EasyTalk, and WowTalk were discussed when they were installed on Android v2.3 and iOS v2.3. In [53–55], LINE Messenger, BlackBerry Messenger, and the IMO Messenger app were analyzed respectively on Android phones and iPhone. The content shared between two parties through private conversation was discussed. Twitter, POF Dating, Snapchat, Fling, and Pinterest were analyzed in [56] installed on Android v5. Message content and account information were discussed. Forensic analysis of Snapchat and Burner was done in [57] on both iOS and Android smartphones. Table 1 summarizes some previous studies on forensic analysis of mobile apps.

4. Methodology

The overall methodology adopted in this research comprises four steps. These steps are illustrated in Figure 3.

4.1. Scenario Building. In the first stage, investigation scenarios are set up by performing common user activities on the apps. Apps are installed on the phone from Google Play Store. Accounts are created for each app and activities, i.e., pictures/videos uploaded, comments, scrolling over newsfeed, stories uploaded, messages (text/audio/video/images) sent
Figure 6: Artifacts retrieved from LINE using Magnet AXIOM (panels (a) to (d); images not reproduced).

or received, and video calling (LINE), are performed for each application according to its capabilities. The scenario followed in this research is explained in Figure 4.

4.2. Acquisition. Data from phone memory is acquired through two different tools, Magnet AXIOM (Process) and XRY. Data from phone memory is acquired in three stages.

(i) Application is installed and working
(ii) Application is installed and data has been deleted
(iii) Application and data both have been deleted

In the first stage, all the data remains on the phone as the app is working. In the next stage, some data is deleted by the analyst, and in the last stage, all data is deleted and the app is uninstalled from the phone. Data is acquired from the device in a controlled environment in order to ensure the integrity of the data. In order to get maximum data from the internal memory of the device, data is acquired through physical acquisition of the device after rooting.

4.3. Analysis. In the analysis phase, every app is analyzed by the content of the app folder located in the data/data directory. The analysis generally involves data found in the specific app's file folder and database folder but is not limited to them. Another folder found in data/data/app_folder, named "Shared Preference", contains some .xml files holding app-related data. The same information is recovered by all three tools. The cache stores all the activity information and images/videos seen by the user while using the app and is recovered by all three tools.

4.4. Tool Evaluation. Tools are evaluated on the basis of their capability to recover digital artifacts from every said app, NIST standards on smartphone extraction tools [19], and some additional parameters defined by the investigator after conducting the research. The result of this research can be used as a recommendation to investigators to handle the cases associated with these apps.

In order to analyze the data generated by these apps (Figure 4), the internal storage of the smartphone is examined after every experiment. The information generated by apps is stored in the inner phone memory that is ordinarily out of reach of users. Therefore, appropriate tools and techniques should be adopted so as to obtain and access this part of the memory. The hardware used in the research is a Samsung smartphone, a USB cable, and a computer for the retrieval and analysis of data. The description of the experimental tools is provided in Table 2. The forensic tools used during the experiments are described in Table 3.

Recovered artifacts have been categorized into six fields in this research. The main categories are DB (databases), media/text exchange, timeline, account/user information, calls, and timestamps. The DB category contains the artifacts recovered from the databases present in the app folder. The
Figure 7: Artifacts retrieved from Whisper using Magnet AXIOM (panels (a) to (d)).

Figure 8: Artifacts retrieved from WeChat using Magnet AXIOM (panels (a) to (d)).

Figure 9: Artifacts retrieved from Wickr using Magnet AXIOM (panels (a) to (f)).
artifacts recovered are related to the exchange of media (images/video/audio/emoji/GIFs) and text between two parties, which reside in the media/text exchange category. The timeline category has artifacts related to the information on the user's timeline, i.e., stories/posts/likes/replies/statuses. Artifacts for the user's account (profile picture/DoB/email address/ID/name/phone numbers/app activity) reside in the account/user information category. The calls category contains the artifacts related to audio/video calls made or received by the user. The timestamps category comprises the artifacts related to the timings of different activities performed by the user. The summary of categories is stated in Table 4.

5. Forensic Analysis

In order to execute the forensic analysis, apps are downloaded from Google Play Store and a set of activities is performed on the apps following certain test cases that any user might perform on these apps. Figure 4 states the activities performed on each app. Physical data of the device is acquired through two proprietary tools, i.e., Magnet AXIOM and XRY. Before starting the acquisition, the phone is rooted through the installation of TWRP Recovery and flashing SuperSU in recovery mode. After getting superuser privileges, full image extraction is performed through Magnet AXIOM and physical acquisition is done by XRY.

The findings for the apps from the acquired image are described in this section. All the activities performed by the apps and the relevant data stored in the internal memory of the phone are examined. The examination is done by viewing the acquired image through the tools (Magnet AXIOM and XRY), and the image is analyzed against the defined cases for all the SNAs one by one in detail.

5.1. Forensic Analysis of Apps through Magnet AXIOM. This section discusses the artifacts recovered from the applications using Magnet AXIOM.
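The analysis step of Section 4.3 (inspecting the databases, shared_prefs and cache folders under data/data and sorting what is found into the categories of Section 4.4) can be scripted so that every file is fingerprinted by its header rather than its name and hashed for the report. The Python triage helper below is an added example written for this article, not code from the authors or from any of the tools they evaluate; the folder layout, file names and contents it builds are constructed stand-ins for an app package, and the 7.5 bits/byte entropy threshold used to flag a likely SQLCipher-encrypted database is an assumption.

```python
"""Triage of an app folder under data/data/<package> into the artifact
categories of Section 4: databases (plain SQLite, journals, encrypted
databases), shared_prefs XML and cached media.  Added example; the
directory, file names and contents below are constructed stand-ins."""
import hashlib
import math
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"
JPEG_MAGIC = b"\xff\xd8\xff"
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off for ciphertext-like files


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for SQLCipher pages, well below for plain SQLite."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path: str) -> dict:
    """Fingerprint one file by header, not extension, and hash it so the
    finding can be tied back to the acquired image."""
    with open(path, "rb") as fh:
        data = fh.read()
    rec = {"name": os.path.basename(path), "path": path,
           "sha256": hashlib.sha256(data).hexdigest(), "kind": "other"}
    if data.startswith(SQLITE_MAGIC):
        rec["kind"] = "sqlite"
        # Read-only URI so the evidence copy is never modified.
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        rec["tables"] = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        con.close()
    elif rec["name"].endswith(("-journal", "-wal")):
        rec["kind"] = "sqlite-journal"  # may still hold rows deleted from the main db
    elif rec["name"].endswith(".xml"):
        rec["kind"] = "shared_prefs"
        rec["keys"] = [e.get("name") for e in ET.fromstring(data)]
    elif data.startswith(JPEG_MAGIC):
        rec["kind"] = "jpeg"
    elif rec["name"].endswith(".db") and shannon_entropy(data) > ENTROPY_THRESHOLD:
        rec["kind"] = "encrypted-db"  # no SQLite header and ciphertext-like bytes
    return rec


def triage_app_folder(app_dir: str) -> dict:
    """Group findings by the subfolders Section 4.3 examines."""
    out = {"databases": [], "shared_prefs": [], "cache": [], "files": []}
    for sub in out:
        d = os.path.join(app_dir, sub)
        if not os.path.isdir(d):
            continue
        for root, _, names in os.walk(d):
            for n in sorted(names):
                out[sub].append(classify_file(os.path.join(root, n)))
    return out


def build_sample_app_folder() -> str:
    """Constructed stand-in for data/data/<package>; not a real app image."""
    base = tempfile.mkdtemp()
    for sub in ("databases", "shared_prefs", "cache"):
        os.makedirs(os.path.join(base, sub))
    con = sqlite3.connect(os.path.join(base, "databases", "messages.db"))
    con.execute("CREATE TABLE messages(id INTEGER, sender TEXT, body TEXT, ts INTEGER)")
    con.execute("INSERT INTO messages VALUES (1, 'alice', 'hi', 1553000000000)")
    con.commit()
    con.close()
    with open(os.path.join(base, "databases", "messages.db-journal"), "wb") as fh:
        fh.write(b"\x00" * 64)
    with open(os.path.join(base, "databases", "secret.db"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)  # uniform bytes stand in for SQLCipher output
    with open(os.path.join(base, "shared_prefs", "token_store.xml"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?><map>'
                 '<string name="auth_token">SAMPLE-TOKEN</string>'
                 '<long name="last_login" value="1553000000"/></map>')
    with open(os.path.join(base, "cache", "img1"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
    return base


if __name__ == "__main__":
    for folder, recs in triage_app_folder(build_sample_app_folder()).items():
        for r in recs:
            print(folder, r["name"], r["kind"], r["sha256"][:12])
```

Opening every SQLite file through a `mode=ro` URI matters for the integrity requirement of Section 4.2: a normal connection can rewrite the journal or WAL on open, and the journal is exactly where the deleted rows reported later in this article tend to survive.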
Figure 10: Artifacts retrieved from Instagram using Autopsy (panels (a) to (d)).
5.1.1. Instagram. The artifacts recovered from Instagram through Magnet AXIOM are described in Figure 5 under three conditions: before data deletion, after deleting some data, and after app uninstallation. Firstly, the app is analyzed while no data has been deleted from the device. Figure 5(a) shows that the messages sent and received are recovered with message time, type, sender, and receiver information. Figure 5(b) shows that the stories uploaded by the user on their Instagram account are recovered. An image is taken again after deleting some data, i.e., images, text messages, and images/videos uploaded on the Instagram account. Figure 5(c) shows that 80 percent of text messages are successfully recovered and only textual information of images and video calls is recovered, such as the name of the other party and timestamps. After app uninstallation, no data related to the Instagram app is recovered by Magnet AXIOM.

5.1.2. LINE. As we examined naver_line.db, there are 32 tables, of which only 6 are of interest from the forensic point of view. The contact table has a relation with call_history.db, as the user that was making the call can only be recognized through the contact table: the id of the caller is matched against the m_id in the contact table, so the caller can be verified. LINE provides end-to-end encryption for data. The public key for every contact is stored in e2ee.db in an encrypted format. After deletion, some messages and media shared through private messages were not recovered, and only a few contacts were recovered. No data related to the LINE application was recovered after app uninstallation. The detailed analysis of LINE is shown in Figure 6. Figure 6(a) shows that LINE contacts, m_ids (unique IDs for every contact), messages, and calls shared between both parties with timestamps are recovered from the database (naver_line.db) stored in the app package. Messages recovered with the sender/receiver and message type with timestamps are shown in Figure 6(b). Figures 6(c) and 6(d) show the recovery of media files (videos) and audio, respectively, transferred during the chat session with timestamps.

5.1.3. Whisper. The forensic analysis of Whisper resulted in some data being retrieved. The retrieved data contains
Figure 11: Artifacts retrieved from LINE using Autopsy (panels (a) to (f)).

Figure 12: Artifacts retrieved from Whisper using Autopsy (panels (a) to (d)).
information of user accounts, content created or liked by the user, groups he/she follows, private messages shared with friends, location information, and other activities. After deletion, all the text messages were recovered, and a textual preview of media shared through private messages was recovered. After app uninstallation, no data related to the Whisper app was recovered. The detailed analysis of Whisper is shown in Figure 7. Figure 7(a) shows the retrieved text messages shared between the user and their friends with timestamps and location information. Textual information of images received by the user is recovered, as shown in Figure 7(b). Figure 7(c) shows the retrieved information about the posts uploaded or replied to by the user with timestamps, hearts, and location information. Figure 7(d) shows
Figure 13: Artifacts retrieved from WeChat using Autopsy (panels (a) to (h)).
the posts shared while the user was online with timestamps, Whisper content, and location information.

5.1.4. WeChat. WeChat data files are stored within the parent company Tencent's [59] directory in the MicroMsg folder. WeChat's database EnMicroMsg.db is encrypted using SQLCipher [60]. Some information was retrieved from the index file named FTS5IndexMicroMsg.db, as shown in Figure 8(a). After data deletion, some messages/media files were recovered in textual format, as shown in Figure 8(b). After app uninstallation, only textual information of media files, i.e., video files as shown in Figure 8(c) and audio files as shown in Figure 8(d), was recovered from the smartphone. The detailed analysis of WeChat is shown in Figure 8.

5.1.5. Wickr. Wickr is known as an antiforensic app. It is highly encrypted and claims that no data can be recovered from a device or from network analysis for forensic investigation. All conversations are stored in a highly encrypted database. Wickr does not store any other data within the internal memory of the phone. The detailed analysis of Wickr is shown in Figure 9. By exploring the base.apk file (the base.apk file was extracted through a .zip archive extractor; in this file, some artifacts have been recovered from the classes.dex and classes2.dex files, which were decompiled through Java Decompiler), it was found that the database wickr_db.db is encrypted with SQLCipher [60], as shown in Figure 9(a). Figure 9(b) shows the WickrDBAdapter file, from which the wickr.db schema is recovered; it contains account information, contact info, messages sent/received, timestamps, and keys. Figure 9(c) shows that the files folder contains some .wic files that are encrypted. By exploring base.apk, it was found that the ds.wic file is used to store cache data and passwords. Figure 9(d) shows WickrDBKey.class, where it was found that sk.wic contains the key for the database. Kck.wic and kcd.wic are also encrypted files that must have contained videos/audio sent by the user, because these files were deleted after the video and audio sent by the user were deleted (shown in Figure 9(e)). Figure 9(f) shows that the video sent by the user is recovered from the cache folder.

5.2. Forensic Analysis of the Apps through Autopsy. This section discusses the artifacts recovered from the apps using Autopsy.

5.2.1. Instagram. Autopsy recovered almost the same data as AXIOM. AXIOM gives the text thread detail with the text/media shared; this is not the case in Autopsy. Autopsy gives the text content and information in the database (the database has to be saved and opened in SQLite browser) shared in DM. The user's activity has been recorded in the cache folder and recovered with timestamps. Parts of videos are also recovered in the form of jpeg images. After the cache clears, stories and cache data were not recovered. 50 percent of text messages were recovered after deletion from direct.db with date and time information. Images shared during the chat were not recovered. Textual information of media that has been sent or video calls made by the user is recovered after data deletion. No data was recovered after app uninstallation. The detailed analysis is shown in Figure 10. Figure 10(a) shows that messages sent through DM are recovered. Figure 10(b) shows that images sent through DM are recovered. Figure 10(c) shows the stories recovered as pending media. Figure 10(d) shows that the images uploaded as the story are recovered after deletion.

5.2.2. LINE. naver_line.db contains the information of text messages shared during private chat, chat history, chat members, and contacts. Autopsy did not recover any text messages after deletion. Deleted images from the timeline have been recovered. Voice message details are recovered after deletion. No data was recovered after app uninstall. The detailed analysis is shown in Figure 11. Figure 11(a) shows the recovered chat history with timestamps and contact information. Figure 11(b) shows that Autopsy recovered the post hidden from the timeline with the option "Hide posts." Backup data of a chat including text messages, media type shared, and call (audio, video) information are recovered as shown in
Figure 14: Artifacts retrieved from Instagram using XRY (panels (a) to (f)).
Figure 11(c). Profile pictures of all the friends have also been recovered, as shown in Figure 11(d). Figure 11(e) shows that voice messages were recovered with timestamps. The video shared through chat was recovered in .jpeg image format, as shown in Figure 11(f).

5.2.3. Whisper. Artifacts recovered from the c.db database's c table are the information of the user's private conversations. After deletion, images received while privately chatting; Whisper posts; event information recovered with the sender name, location, age, gender, and content that has been sent; and some messages with sender and receiver ids and timestamps are recovered. No artifact was recovered after app uninstallation. The detailed analysis is shown in Figure 12. Figure 12(a) shows the list of every conversation with the timestamp being stored. The column titled pid has the receiver user id and the column sid contains the user id of the sender. Figure 12(b) shows that Whispers posted on the timeline were recovered. Figure 12(c) shows that Whispers posted by other people while the user was active are recovered with timestamps and locations. Figure 12(d) shows that images received during chat are recovered.

5.2.4. WeChat. WeChat artifacts recovered through Autopsy are stated in this section. The detailed analysis is shown in Figure 13. Figure 13(a) shows the messages recovered from the FTS5IndexMessage_content table when it was opened in the SQLite browser. Figure 13(b) shows that the audio messages shared during private chat are recovered with timestamps. Figure 13(c) shows that the images received during
Figure 15: Artifacts retrieved from LINE using XRY (panels (a) to (h)).

Figure 16: Artifacts retrieved from Whisper using XRY (panels (a) to (h)).

Figure 17: Artifacts retrieved from WeChat using XRY (panels (a) to (h)).
chat are recovered. Figure 13(d) shows that the phone number against which the account was created is recovered in plain text. Textual information of the video shared is recovered after deletion, as shown in Figure 13(e). Figure 13(f) shows that images received through private chat are recovered after deletion. Figure 13(g) shows that textual information of videos is recovered after app uninstallation. Figure 13(h) shows that images shared and uploaded by the user are recovered after app uninstall.

5.2.5. Wickr. From analyzing the image in Autopsy, the textual information of the video file is recovered from the

Table 5: Comparison of tools on the basis of digital artifacts recovered from SNAs. The (✓) symbol defines that artifact is recovered from the
tool, (●) is the symbol for textual information/audio-video not playable, and (▲) defines partially recovered.

AXIOM Autopsy XRY


Applications Digital artifacts Not Data App Not Data App Not Data App
deleted deleted uninstallation deleted deleted uninstallation deleted deleted uninstallation
Images outgoing (✓) (●) (✓) (●) (✓)
Images incoming
Videos outgoing (✓)
Videos incoming
Audio outgoing (✓) (✓) (✓) (✓)
Instagram
Audio incoming
App/account information (✓) (✓) (✓) (✓) (✓) (✓) (▲)
Timeline image recovery (✓)
Timeline video recovery (✓) (✓) (✓) (▲) (✓) (✓)
Text messages (✓) (▲) (✓) (▲) (▲) (✓)
Images outgoing (✓) (✓) (✓) (✓)
Images incoming (●) (●)
Videos outgoing (✓) (✓) (●) (●)
Videos incoming (●) (●) (✓) (●) (●) (●)
Audio outgoing (✓) (●) (●)
LINE
Audio incoming
Account information (✓) (✓) (✓) (✓) (✓) (✓) (▲)
Timeline image recovery (✓) (✓) (✓) (✓)
Timeline video recovery (✓) (✓) (✓) (✓) (✓) (✓)
Text messages (✓) (✓) (✓) (▲)
Images outgoing (✓) (✓) (✓) (✓) (✓)
Images incoming (✓) (✓)
Videos outgoing
Videos incoming
Audio outgoing
Whisper
Audio incoming
Account information (✓) (✓) (✓) (✓) (✓) (✓) (▲)
Timeline image recovery (✓) (✓) (✓) (✓)
Timeline video recovery
Text messages (✓) (▲) (✓) (▲) (✓) (▲)
Images outgoing (✓) (✓) (✓) (✓) (✓) (✓) (✓) (✓)
Images incoming (✓) (✓)
Videos outgoing (●)
Videos incoming
Audio outgoing (✓) (✓) (✓) (✓) (✓) (✓) (✓) (✓) (✓)
WeChat
Audio incoming
Account information (▲) (▲) (▲) (▲) (▲) (▲)
Timeline image recovery (✓) (✓) (✓)
Timeline video recovery (✓) (✓) (✓)
Text messages (✓) (▲) (✓) (✓)
Images outgoing (●)
Images incoming (●)
Videos outgoing (✓)
Videos incoming
Audio outgoing
Wickr
Audio incoming
Account information (▲) (▲)
Timeline image recovery
Timeline video recovery
Text messages

Table 6: Artifacts recovered from SNAs according to proposed categories.

Before data deletion After data deletion After app uninstallation


Category Artifacts
Instagram LINE Whisper WeChat Wickr Instagram LINE Whisper WeChat Wickr Instagram LINE Whisper WeChat Wickr
DB Databases ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Chat history ✓ ✓ ✓ ✓ ✓
Text messages ✓ ✓ ✓ ✓ ✓ ✓ ✓
Images incoming ✓ ✓ ✓ ✓ ✓
Images outgoing ✓ ✓ ✓ ✓ ✓ ✓ ✓
Video incoming ✓
Media text exchange
Video outgoing ✓ ✓ ✓ ✓ ✓
Audio outgoing ✓ ✓ ✓ ✓
Audio incoming ✓
GIFs/emoji incoming ✓
GIFs/emoji outgoing ✓ ✓ ✓ ✓ ✓ ✓ ✓
Stories ✓ ✓
Posts uploaded ✓ ✓ ✓ ✓ ✓ ✓
Timeline Posts liked/reply ✓ ✓
Group information ✓ ✓ ✓ ✓
Timing of post status ✓ ✓ ✓ ✓ ✓
Friend list ✓ ✓ ✓ ✓ ✓ ✓
User profile picture
User date of birth ✓ ✓ ✓ ✓ ✓
User email address ✓ ✓ ✓
Account/user User id ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
information User location ✓ ✓
Username ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Phone no. ✓ ✓ ✓
Profile images ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
App activity ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Audio call ✓ ✓
Video call ✓ ✓ ✓ ✓ ✓
Private chat ✓ ✓ ✓ ✓ ✓
Call timestamps Stories/posts/status
✓ ✓ ✓ ✓ ✓
upload
Friends added ✓ ✓ ✓ ✓ ✓
Audio/video calls ✓ ✓ ✓ ✓ ✓

Table 7: Location and artifacts recovered from Instagram before data deletion.

Location | Artifacts recovered | AXIOM | Autopsy | XRY
/data/com.instagram.android/databases/direct.db | Text messages and sender id with timestamps | (✓) | (✓) | (✓)
/data/com.instagram.android/databases/direct.db | Text messages received with receiver_id with time stamp | (✓) | (✓) | (✓)
/data/com.instagram.android/databases/direct.db | http link to the accounts recovered | (●) | (●) | (●)
/data/com.instagram.android/databases/direct.db-journal | Messages from other accounts previously logged in | (✓) | X | X
/data/com.instagram.android/databases/direct.db/thread | Every thread info, thread id, sender/receiver ids, account info, messages seen/pending, and type of message | (✓) | (✓) | (●)
/data/com.instagram.android/databases/direct.db/messages | All the information of message sender, receiver ids, name, type, and content | (✓) | (●) | (✓)
/data/com.instagram.android/databases/direct.db-journal | Sent images recovered with date & time and sender/receiver name | (✓) | (●) | (✓)
/data/com.instagram.android/databases/direct.db-journal | Information of received media recovered (type, date, time) | (✓) | (●) | (●)
/data/com.instagram.android/databases/direct.db-journal | Link of media shared from newsfeed/explorer through DM | (✓) | (✓) | (✓)
/data/com.instagram.android/databases/video.db | Videos and jpeg thumbnails watched by user on news feed with time/date | (✓) | (✓) | (●)
/data/com.instagram.android/databases/video.db | Videos and jpeg thumbnails watched by user on explorer with time/date | (✓) | (✓) | (●)
media/0/Android/data/com.instagram.android/files/videos/VID_20190319_182811_473_session_0 | Video shot through Instagram cam and uploaded by the user | (✓) | (●) | (✓)
/data/com.instagram.android/files/ | Text stories | (✓) | (✓) | X
/data/com.instagram.android/files/ | Video stories (playable) | (✓) | (●) | X
media/0/Android/data/com.instagram.android/files/rendered_videos | Video shot through Instagram cam is segmented into audio and video files | (✓) | (✓) | (✓)
/data/com.instagram.android/cache/images | Images viewed by the user on newsfeed with date and time | (✓) | (●) | (✓)
/data/com.instagram.android/cache/images | Images viewed by the user on explorer with date and time | (✓) | (●) | (●)
media/0/Android/data/com.instagram.android/cache/ExoPlayerCacheDir/videocache | Video information watched by users is recovered | (✓) | (✓) | (✓)
/data/com.instagram.android/cache/ | Stories viewed by a user with date and time | (✓) | (●) | (✓)
/data/com.instagram.android/cache/orignal_images | Images shared through DM | (●) | (●) | (●)
/data/com.instagram.android/shared_prefs/tokent_store.xml | Token key recovered | (✓) | (✓) | (✓)
data/com.instagram.android/shared_prefs/2138581153_insta_video_call_notifications.xml | Live session info of user's followers/following | (✓) | (✓) | (✓)
/data/com.instagram.android/shared_prefs/rti.mqtt.ids.xml | Connection key | (✓) | (✓) | (✓)
/data/com.instagram.android/shared_prefs/rti.mqtt.ids.xml | Device key | (✓) | (✓) | (✓)
/data/com.instagram.android/shared_prefs/com.instagram.android_preferences.xml | Last login_nonce recovered | (✓) | (✓) | (✓)
/data/com.instagram.android/shared_prefs/2138581153_USER_PREFERENCS.xml | Recent user searches recovered | (✓) | (✓) | (✓)
/data/com.instagram.android/shared_prefs/2138581153_usersBootstrapServices.xml | List of the follower and following accounts recovered with timestamps | (✓) | (✓) | (✓)
/media/0/Pictures/Instagram/ | Contains all pictures uploaded by the user | (✓) | (✓) | (✓)
/media/0/Movies/Instagram/ | Video uploaded by the user | (✓) | (●) | (●)

cache folder. wickr_db is an encrypted database and the whole files folder is encrypted. No information regarding communication has been recovered from Wickr.

5.3. Forensic Analysis of Applications through XRY. This section discusses the artifacts recovered from the applications using XRY.

5.3.1. Instagram. The image has also been taken with XRY for all the said cases. After the app is uninstalled, the app name was recovered in the data/data folder together with the time and date at which the app was deleted. The detailed analysis is shown in Figure 14. Figure 14(a) shows that the database direct.db contains the messages and sent images. Figure 14(b) shows that the thread information of the chat through DM is recovered. Figure 14(c) shows the cache data stored in the cache folder of the app package. Figure 14(d) shows that cache images are recovered in XRY after a cache clear. After deletion, XRY recovered the messages deleted within 24 hrs with text/media information (type, timestamps), as shown in Figure 14(e). Remnants of the video uploaded on the account are recovered after deletion, as shown in Figure 14(f).

5.3.2. LINE. The LINE package is analyzed before any data was deleted using XRY. After LINE uninstallation, proof of the app's existence is present in location data/data, which contains the application name jp.naver.line.android and the date and time of app deletion. The detailed analysis is shown in Figure 15. Figure 15(a) shows that the files shared through private chat have been recovered. Contact details, chat record, and information shared between two parties including text messages, media, and call info with timestamps were recovered from naver_line.db, as shown in Figure 15(b). Figure 15(c) shows that e2ee.db stores private and public keys encrypted with a unique id and timestamp. Images uploaded by the user on LINE's timeline were also recovered, as shown in Figure 15(d). The profile pictures of friends were recovered, as shown in Figure 15(e). The video uploaded on the timeline by the user was recovered, as shown in Figure 15(f). Messages that have been deleted, with their content information (text, video, and audio), sender and receiver ids, and timestamps, are recovered as shown in Figure 15(g). Figure 15(h) shows that call history details were recovered after deletion from call_history.db; images and videos that were uploaded by a user on the timeline are also recovered after deletion.

5.3.3. Whisper. The Whisper app analyzed by XRY recovered the stated artifacts for all cases. The detailed analysis is shown in Figure 16. Figure 16(a) shows c.db, which contains all the messages transmitted between the user and the other users with their ids and timestamps. w.db contains the list of all those people that have posted at the time of the user's connectivity and the groups the user joined, as shown in Figure 16(b). Posts uploaded by the user are recovered, as shown in Figure 16(c). Images sent by the user were recovered, as shown in Figure 16(d). Figure 16(e) shows the cache folder containing the posts viewed by a user with timestamps. Deleted chats are recovered from c.db with the sender and receiver names and timestamps, as shown in Figure 16(f). The deleted group's information was recovered. The images sent by the user and then deleted are recovered. The file with the name whisper is recovered after app uninstallation.

5.3.4. WeChat. Artifacts recovered from WeChat through XRY are stated below. The first analysis has been done before
Table 8: Location and artifacts recovered from LINE and Whisper before data deletion.

Location | Artifacts recovered | AXIOM | Autopsy | XRY
/data/jp.naver.line.android/databases/naver_line.db/contact | Contact data recovered with timestamps (m_id, contact_id, name, and status) | (✓) | (✓) | (✓)
/data/jp.naver.line.android/databases/naver_line.db/group_home | group_id and members_id are recovered | (✓) | (✓) | (✓)
/data/jp.naver.line.android/databases/naver_line.db/group | Group name against their ids is recovered | (✓) | (✓) | (✓)
/data/jp.naver.line.android/databases/naver_line.db/members | 0,1 indicates whether the requested user accepts to be a member or not | (✓) | (✓) | X
/data/jp.naver.line.android/databases/naver_line.db/chat | Chat_id, message content, and timestamp recovered | (✓) | (✓) | (✓)
/data/jp.naver.line.android/databases/naver_line.db/chat_history | Sender/receiver id, message content, date, time, message type recovered (audio, video, text, doc, and location) | (●) | (✓) | (✓)
/data/jp.naver.line.android/databases/naver_line.db/chat_notification | Chat_id | (✓) | (✓) | (✓)
data/media/0/Android/data/jp.naver.line.android/storage/toyboxing/line | User email recovered | X | X | (✓)
/data/jp.naver.line.android/databases/naver_line_myhome | Post information uploaded by the user on LINE timelines | (●) | (✓) | (✓)
/data/jp.naver.line.android/databases/call_history.db | caller_id, time, date, and duration of call (audio, video) recovered | (✓) | (✓) | (✓)
data/jp.naver.line.android/databases/e2ee.db | LINE has end-to-end encryption. e2ee.db stores public keys | (✓) | (✓) | (✓)
data/media/0/Android/data/jp.naver.line.android/storage/mo | Images transferred during chat recovered with timestamp | (●) | (●) | (✓)
data/media/0/Android/data/jp.naver.line.android/storage/mo | Videos transferred during chat recovered with timestamp | (✓) | (●) | (●)
data/media/0/Android/data/jp.naver.line.android/storage/mo | Audio messages transferred during chat recovered with timestamp | (●) | (●) | (●)
data/media/0/Android/data/jp.naver.line.android/storage/write | Images uploaded by the user on LINE timeline recovered with timestamps | (✓) | (✓) | (✓)
/data/media/0/Android/data/jp.naver.line.android/storage/write | Hidden post recovered | X | (✓) | X
/media/0/Android/data/jp.naver.line.android/cache/mm | The video viewed by the user on LINE timeline recovered | (✓) | (●) | (✓)
/data/jp.naver.line.android/shared_prefs/Extended_My_Profile.xml | User's date of birth recovered | (✓) | (✓) | (✓)
/data/jp.naver.line.android/shared_prefs/ServiceInfoManager.xml | Server key for the profile and encryption standard | (✓) | (✓) | (✓)
data/com.whisper.andrid/database/c.db | Private conversation details recovered with timestamps | (✓) | (✓) | (✓)
data/com.whisper.andrid/database/c.db/m | Text messages with timestamps and member_id recovered | (✓) | (✓) | (✓)
data/com.whisper.andrid/database/w.db | Information about the groups joined by the user with time/date and URL | (✓) | (✓) | (✓)
data/com.whisper.andrid/database/w.db/n | Notifications received by the user (hearts to whisper/reply to whisper) | (✓) | (✓) | (✓)
data/com.whisper.andrid/database/w.db/w | Whispers posted by people nearby with timestamps | (✓) | (●) | (●)
/data/sh.whisper/files/me/ | Whispers that have been posted by the user (textual preview) recovered | (✓) | X | (●)
/data/sh.whisper/files/whisper-chat/ | Files sent/received by the user to other people recovered | (●) | (●) | (●)
/data/sh.whisper/cache/picasso-cache | All the whispers that have been seen by the user | (✓) | (●) | (✓)
/data/sh.whisper/shared_prefs/com.mixpanel.android.mpmetrics.MixpanelAPI_c39eea2c9ad72a79d1688ca82c50cb94.xml | Whisper app installation date, time, Uid, user location, gender, and date of birth. List of groups that have been joined by the user | (✓) | (✓) | (✓)

Table 9: Location and artifacts recovered from WeChat and Wickr before data deletion.

Location | Artifacts recovered | AXIOM | Autopsy | XRY
data/com.tencent.mm/MicroMsg/71a0c06fe86c4efd9b0b6e1112d906/EnMicroMsg.db | Encrypted database. Did not reveal any information | (✓) | (✓) | (✓)
/data/com.tencent.mm/shared_prefs/com.tencent.mm_preferences.xml | u_id, device info, username, and login mobile number are recovered | (✓) | (✓) | (✓)
/data/com.tencent.mm/MicroMsg/71a0c06fe86c4efd9b0b6e1112d906/FTS5IndexMicroMsg.db/FTS5MetaMessage | Messages between U_id of contacts and talkers (receivers of user's messages) with timestamps | (✓) | (✓) | (✓)
/data/com.tencent.mm/MicroMsg/71a0c06fe86c4efd9b0b6e1112d906/FTS5IndexMicroMsg.db/FTS5IndexMessagecontant | Text messages recovered | (✓) | (✓) | (✓)
/media/0/tencent/MicroMsg/71a0c06fe86c4efd9b0b6e1112d906/voice2/0b/50/msg_01000602111819a6b51aaa6106.amr | Audio sent by the user is recovered | (✓) | (●) | (✓)
/media/0/tencent/MicroMsg/71a0c06fe86c4efd9b0b6e1112d906/video/videoCompressTmp | Video sent by the user is recovered | (●) | (✓) | (✓)
/data/app/com.mywickr.wickr2-1/base.apk/classes.dex/WickrDBadapter.class | This file revealed that wickr_db is encrypted by SQLite Cipher (AES-256 full database encryption) | (✓) | (✓) | (✓)
/data/app/com.mywickr.wickr2-1/base.apk/classes.dex/WickrDBadapter.class | Recovered from WickrDBadapter.class. DB saves account information, contact info, messages with timestamps, and keys | (✓) | (✓) | (✓)
/data/com.mywickr.wickr2/files | Encrypted .wic files "ds.wic," "sk.wic," Kck.wic, and kcd.wic recovered | (✓) | (✓) | (✓)
/data/app/com.mywickr.wickr2-1/base.apk/classes.dex/WickrDBKey.class | WickrDBKey.class described that "sk.wic" stores the encrypted key of the database | (✓) | (✓) | (✓)
/data/com.mywickr.wickr2/files | Kck.wic and kcd.wic must have contained media files (images, video, and audio) because these files were deleted automatically after Wickr media were deleted | (✓) | (✓) | (●)

Table 10: Artifacts recovered from Magnet AXIOM after data deletion and app uninstallation.

After data deletion:
Instagram: 80% of text messages deleted; textual information of shared media; account information; uploaded pictures recovered
LINE: call history; group member detail; textual preview of video uploaded after deletion; textual preview of images
Whisper: text messages (sent/received) recovered; hearts and reply notification; group data; image sent; posts by the user
WeChat: 50% of text messages; image uploaded on the timeline; video uploaded on the timeline; video shared during the chat; images sent during the chat
Wickr: encrypted database; video from the cache folder

After app uninstallation:
Instagram: -
LINE: an empty folder named LINE
Whisper: -
WeChat: video uploaded; image uploaded; image sent during the chat
Wickr: -

Table 11: Artifacts Recovered from Autopsy after Data Deletion and App Uninstall.

Instagram LINE Whisper WeChat Wickr


50 % of Text messages Hidden/deleted image Text messages Encrypted
SSID of chat parties
deleted recovered recovered database
Heart and replay Image uploaded on Video from the
Account information Call history
notification the timeline cache folder
Video uploaded on
— Group member detail Group data —
After Data Deletion the timeline
Textual preview of the video Video shared during
— Image send —
uploaded after deletion the chat
Images shared
— Textual preview of images Posts by user —
during the chat
Image captured by
— — — —
WeChat
A filename with
— — Profile picture —
deletion date/time
— — — Video uploaded —
After app uninstallation — — — Image uploaded —
— — — Private chat image —
Image sent during
— — — —
the chat

data deletion. No message information has been recovered, as all the databases are encrypted. The detailed analysis is shown in Figure 17. After the deletion of some data, no text messages were recovered. Images and videos uploaded were recovered after deletion. After app uninstallation, all the media files and their information were recovered. Encrypted databases and cache files were not recovered. The profile picture, images, and videos uploaded and shared through private chats are all recovered.

5.3.5. Wickr. No data recovery from Wickr could be managed except for the metadata from the base.apk file. After app uninstallation, the location data/data contains the filename com.mywickr.wickr2 with the deleted status being yes.

Detailed information on the artifacts that were recovered after the three scenarios is given in Table 5. The (✓) symbol defines that the artifact is recovered by the tool, (●) is the symbol for textual information/audio-video not playable, and (▲) defines partially recovered. Table 6 describes the artifacts recovered from SNAs before data deletion, after data deletion, and after app uninstallation according to the categories proposed in Table 4. The details of artifacts recovered and their location are presented in Tables 7–13. Tables 7–9 state the artifacts recovered from apps and their locations before any data is deleted from the apps. Similarly, Tables 10–12 show the artifact information recovered after data deletion and after app uninstallation from every app using all three tools.

6. Results Analysis and Tool Evaluation

This section presents an analysis and discussion on the output of the forensic analysis of five SNAs. A comparison of tools on the basis of their capabilities is also presented.
28 Wireless Communications and Mobile Computing
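The recovery of "deleted" text messages reported in Tables 10–12 for the apps with unencrypted databases, and the Instagram messages recovered from the .db journal in Section 6.1.1, rest on how SQLite frees space: a DELETE unlinks a record but, unless secure_delete is on, leaves its bytes inside the page until the space is reused. The following Python script is an added illustration and is not code from the paper or from any of the tools it evaluates. It builds a constructed chat database, deletes one row, and contrasts raw-byte carving with a SQL query, with a secure_delete database, and with the file after VACUUM. The table layout, the message texts and the MSG-DELETED- marker are all made up for the demo.

```python
import os
import re
import sqlite3
import tempfile

# Runs of printable ASCII (8+ bytes): the crude carving that turns up "deleted"
# chat text in unencrypted SQLite files and their journals.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# Constructed sample conversation; the MSG-DELETED- marker tags the row we delete.
SAMPLE_ROWS = [
    ("alice", "MSG-KEEP-0001 see you at five", 1600000000),
    ("bob", "MSG-DELETED-0002 meet me at the old pier", 1600000060),
    ("alice", "MSG-KEEP-0003 ok", 1600000120),
]


def make_chat_db(path, secure_delete=False):
    """Create a chat-style table, insert three rows, then delete row 2."""
    con = sqlite3.connect(path)
    # secure_delete decides whether a freed cell is zeroed or merely unlinked.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("PRAGMA journal_mode = DELETE")  # rollback journal is removed on commit
    con.execute(
        "CREATE TABLE messages("
        "id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)"
    )
    con.executemany(
        "INSERT INTO messages(sender, body, ts) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()


def live_bodies(path):
    """What the application, or a tool that only runs SQL, still sees."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows


def carve_strings(path):
    """Raw-byte string carving over the whole file, ignoring the SQLite schema."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def deleted_residue(path, marker="MSG-DELETED-"):
    """Carved strings that belong to the deleted row."""
    return [s for s in carve_strings(path) if marker in s]


def vacuum(path):
    """Rebuild the file from live rows only.  secure_delete is switched on for the
    rebuild so that the unused part of every rewritten page is zero-filled."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = ON")
    con.execute("VACUUM")
    con.close()


def demo():
    """Run all three scenarios in a temporary directory and return the findings."""
    work = tempfile.mkdtemp()
    plain = os.path.join(work, "plain.db")
    secure = os.path.join(work, "secure.db")
    make_chat_db(plain, secure_delete=False)
    make_chat_db(secure, secure_delete=True)
    result = {
        "live": live_bodies(plain),                 # deleted row is gone for SQL
        "residue_plain": deleted_residue(plain),    # but its text is still in the file
        "residue_secure": deleted_residue(secure),  # zeroed when secure_delete is ON
    }
    vacuum(plain)
    result["residue_after_vacuum"] = deleted_residue(plain)  # rebuild discards it
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same carving applies to a rollback journal or WAL file when one is left on disk, which is where the Instagram messages of Section 6.1.1 came from. It yields nothing against a SQLCipher-encrypted file such as WeChat's EnMicroMsg.db or Wickr's wickr_db, matching the empty results for those apps in Sections 5.3.4 and 5.3.5.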

Table 12: Artifacts recovered from XRY after data deletion and app uninstallation.

After data deletion: Text messages deleted within 24 hrs recovered; Group member detail; Text messages recovered; Image uploaded on the timeline; Textual info of the image; Account information; Call history; Heart and reply notification; Video uploaded on the timeline; Textual preview of the shared image; Video uploaded after deletion; Group data; Video shared during the chat; Textual preview of images; Image sent; Images shared during the chat; Posts by the user; Images received in private chat; Image captured by WeChat.
After app uninstallation: Filename with deletion date/time (Instagram and LINE); Filename (Whisper); Profile picture, Video uploaded, Image uploaded, Private chat image, Encrypted database info, App filename, Image sent (WeChat); The app filename recovered, Image sent (Wickr).

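For Wickr, Section 5.3.5 reports that the only recoverable information came from metadata in base.apk, and Section 6.1.5 describes what that inspection yielded: a database named wickr_db, SQLCipher use in WickrDbAdapter.class, and the encrypted files sk.wic and ds.wic. The script below is an added example, not the authors' tooling. It shows the kind of static triage an examiner runs over a package: listing the zip entries, pulling database names and encryption hints out of the dex string pool, and computing the entropy of bundled assets to flag opaque (likely encrypted) files. The APK it scans is constructed in a temporary directory with synthetic contents modelled on those names; the indicator lists are assumptions, not anything taken from the real Wickr package.

```python
import math
import os
import re
import tempfile
import zipfile

# Runs of printable ASCII long enough to be identifiers, paths or SQL fragments.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Identifiers that look like SQLite database names (e.g. wickr_db, EnMicroMsg.db).
DB_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.db|_db)$")
# Substrings that point at database encryption in the code (assumed indicator list).
CRYPTO_INDICATORS = ("net/sqlcipher", "SQLCipher", "PRAGMA key", "javax/crypto")


def shannon_entropy(data):
    """Bits per byte; values close to 8.0 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_apk(path):
    """Write a constructed, APK-shaped zip.  The dex blob is synthetic: it only
    carries string constants modelled on the names reported in Sections 5.3.5 and
    6.1.5 (wickr_db, WickrDbAdapter, sk.wic, ds.wic) plus SQLCipher descriptors."""
    dex_strings = [
        b"dex\n035", b"Lnet/sqlcipher/database/SQLiteDatabase;", b"wickr_db",
        b"WickrDbAdapter", b"sk.wic", b"ds.wic", b"PRAGMA key = ?",
        b"Landroid/content/SharedPreferences;",
    ]
    fake_dex = b"\x00".join(dex_strings) + b"\x00"
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b'<manifest package="example.app"/>')
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/config.json", b'{"region": "eu", "retry": 3, "telemetry": false}')
        z.writestr("assets/ds.wic", os.urandom(4096))  # stand-in for an encrypted blob
        z.writestr("assets/sk.wic", os.urandom(256))   # stand-in for a wrapped key


def scan_apk(path):
    """Static triage of an APK: entry list, database names and crypto hints in the
    dex string pool, and per-asset entropy to spot opaque (likely encrypted) files."""
    report = {"entries": [], "database_names": set(), "crypto_indicators": set(),
              "asset_entropy": {}}
    with zipfile.ZipFile(path) as z:
        for info in z.infolist():
            name = info.filename
            report["entries"].append(name)
            if name.endswith(".dex"):
                for m in PRINTABLE_RUN.finditer(z.read(info)):
                    s = m.group().decode("ascii")
                    if DB_NAME_RE.match(s):
                        report["database_names"].add(s)
                    for hint in CRYPTO_INDICATORS:
                        if hint in s:
                            report["crypto_indicators"].add(hint)
            elif name.startswith("assets/"):
                report["asset_entropy"][name] = round(shannon_entropy(z.read(info)), 2)
    report["database_names"] = sorted(report["database_names"])
    report["crypto_indicators"] = sorted(report["crypto_indicators"])
    return report


def apk_demo():
    """Build the constructed package in a temporary directory and scan it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    build_sample_apk(path)
    return scan_apk(path)


if __name__ == "__main__":
    for key, value in apk_demo().items():
        print(key, value)
```

On a real package the dex string pool is far larger, so in practice the hit lists are reviewed by hand; the entropy column is what separates a genuinely encrypted asset from plain configuration text, and it is the reason a file like ds.wic is reported as "encrypted" rather than merely unreadable.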
6.1. Analysis of Apps

6.1.1. Instagram. During investigation of the internal storage of the Android phone for Instagram app data, many artifacts were recovered that can help an investigation. The database folder, which contains all the messages (text messages, video, audio, emojis, or links to online media) transferred to or from the user, is recovered unencrypted together with date and time information. The posts uploaded on the account and the stories are also recovered with date/time information. The cache folder records all the online activity of the user: every post, picture, story, or video seen by the user is recorded there. The shared preference folder contains an .xml file that stores the user's account information in plain text. The number of accounts logged in to the app during a specific time period is recovered through their login nonces, and these files also record the live sessions attended, the last search made, etc. After messages and posts are deleted, the data is removed from the database, but some of the messages are still recovered from the .db journal file, and the posts have also been recovered after deletion. After the uninstallation of the app, only the pictures that had been uploaded by the user are recovered. If the phone cache is cleared, photos, videos, and Instagram stories cannot be recovered.

6.1.2. LINE. Different artifacts are recovered from the LINE app. The main focus of our research is on four folders stored inside the local memory of the smartphone. By examining the internal memory of the smartphone, it was determined that the app stores artifacts in different locations within its app folder; these artifacts relate to its activity within the internal memory. By understanding the DB schema, the critical information about LINE app activity can be recovered from the database folder. Note that both the importance and the location of the artifacts can be examined during any criminal investigation. It was discovered that LINE manages the directories within its app folder, and stores the cache for transferred, downloaded, and uploaded files in the app cache. From the examination of the local memory and databases of the app, the information (messages/media transferred, cache copies) can be recovered from the DB tables in plain text, with the exception of the password. All the contacts are recovered from the database folder even after deletion. App data stored in different locations and in different forms can be of interest in a forensic investigation.

6.1.3. Whisper. A Whisper post is originally a message sent publicly by a user; it includes the name of the sender, the message, the date/time when it was posted, the link of the image, the location, the likes (hearts) it received, and the replies to the post. The name of the user is not a unique identifier in Whisper: the same username can be used by different users and can be changed at any time by the user. The user's phone does not store the images of the posts in the app, but these images are cached by the phone and stored on the device. Links of posts are also stored on the phone, but not all the images are available at these links. Post location information can also be determined on Android, with longitude and latitude for each post. The heart and reply counter keeps the information on likes of a post. Whisper messages are sent or received privately by the user. All the messages, with timestamps, media type, and other-party information, are recovered even after the deletion of some messages or of the whole thread. As with Whisper posts, the username in Whisper messages is not a unique identifier, so it is difficult to confirm the exact identity of the other party, and there is no way to confirm whether the message has been received or read by the other person. Whisper stores its information against the MAC address of the phone. It does
Table 13: Comparison between tools on the basis of the number of artifacts recovered (S = sent/received, R = recovered).

Magnet AXIOM
                          Instagram   LINE      Whisper   WeChat    Wickr
Artifact                  S     R     S    R    S    R    S    R    S    R
Text messages, incoming   10    12    10   7    20   20   10   8    5    0
Text messages, outgoing   10    10    10   8    20   20   10   8    5    0
Images, incoming           5     0     5   0     2    2    4   1    2    0
Images, outgoing           5     5     2   0     2    2    1   1    2    0
Images, stories            1     1     –   –     –    –    –   –    –    –
Images, uploaded           4     4     4   4     5    5    2   2    –    –
Videos, incoming           –     –     1   0     –    –    1   0    1    0
Videos, outgoing           –     –     1   1     –    –    1   1    1    1
Videos, stories            1     1     –   –     –    –    –   –    –    –
Videos, uploaded           1     1     1   1     –    –    1   1    –    –
Audio calls, incoming      –     –     1   1     –    –    1   1    –    –
Audio calls, outgoing      –     –     1   1     –    –    1   1    –    –
Video calls, incoming      1     1     1   1     –    –    1   1    –    –
Video calls, outgoing      1     1     1   1     –    –    1   1    –    –
Audio, incoming            1     0     1   0     –    –    1   0    1    0
Audio, outgoing            1     1     1   1     –    –    1   1    1    0

Autopsy
                          Instagram   LINE      Whisper   WeChat    Wickr
Artifact                  S     R     S    R    S    R    S    R    S    R
Text messages, incoming   10     8    10   8    20   20   10   8    5    0
Text messages, outgoing   10     7    10   6    20   20   10   8    5    0
Images, incoming           5     0     5   0     2    2    4   2    2    0
Images, outgoing           5     3     2   0     2    2    1   0    2    0
Images, stories            1     1     –   –     –    –    –   –    –    –
Images, uploaded           4     4     4   5     5    5    2   2    –    –
Videos, incoming           –     –     1   0     –    –    1   1    1    0
Videos, outgoing           –     –     1   1     –    –    1   1    1    1
Videos, stories            1     1     –   –     –    –    –   –    –    –
Videos, uploaded           1     1     1   1     –    –    1   1    –    –
Audio calls, incoming      –     –     1   1     –    –    1   1    –    –
Audio calls, outgoing      –     –     1   1     –    –    1   1    –    –
Video calls, incoming      1     1     1   1     –    –    1   1    –    –
Video calls, outgoing      1     1     1   1     –    –    1   1    –    –
Audio, incoming            1     0     1   0     –    –    1   0    1    0
Audio, outgoing            1     1     1   1     –    –    1   1    1    0

XRY
                          Instagram   LINE      Whisper   WeChat    Wickr
Artifact                  S     R     S    R    S    R    S    R    S    R
Text messages, incoming   10     8    10   7    20   18   10   8    5    0
Text messages, outgoing   10     8    10   8    20   18   10   8    5    0
Images, incoming           5     0     3   0     2    0    2   2    2    0
Images, outgoing           5     0     3   0     2    2    4   4    2    0
Images, stories            1     0     –   –     –    –    –   –    –    –
Images, uploaded           4     4     3   3     5    5    1   1    –    –
Videos, incoming           –     –     2   0     –    –    1   0    1    0
Videos, outgoing           –     –     2   0     –    –    1   1    1    0
Videos, stories            1     0     –   –     –    –
Videos, uploaded           1     1     1   1     –    –    1   1    –    –
Audio calls, incoming      –     –     1   1     –    –    1   1    –    –
Audio calls, outgoing      –     –     1   1     –    –    1   1    –    –
Video calls, incoming      1     1     1   1     –    –    1   1    –    –
Video calls, outgoing      1     1     1   1     –    –    1   1    –    –
Audio, incoming            1     0     1   0     –    –    1   0    1    0
Audio, outgoing            1     1     1   1     –    –    1   1    1    0

Table 14: Ranking of tools according to digital artifact recovery (T = total artifacts, R = recovered artifacts).

              Instagram   LINE      Whisper   WeChat    Wickr     Total recovered   Index        Ranking
Tool          T     R     T    R    T    R    T    R    T    R    artifacts         calculated
Magnet AXIOM  41    37    40   26   49   49   36   27   18   1    140               76.00 %      1
Autopsy       41    28    40   26   49   49   36   28   18   1    132               71.70 %      2
XRY           41    24    40   24   49   43   36   30   18   0    121               65.70 %      3


not require any email id, password, or phone number to register on the platform, although an email registration option is present in newer versions of the app. The user only needs to install the app and can start posting and messaging; a username is assigned by the app. All the whispers can be seen, and with location turned on the user can see all the whispers posted by people near that location. If the user uninstalls the app and reinstalls it, the app recovers the user's own account and all the data and activities carried out on that account. But if the user uninstalls the app, restarts the phone, and reinstalls the app, the account is gone forever: the user is registered under another name and gets a new account.

6.1.4. WeChat. From the analysis of the internal memory of the phone, it was revealed that WeChat [14] creates the directory Tencent [59] to store its data in the internal memory. The Tencent directory contains all the files, including databases, caches, and the media shared or uploaded on the timeline by the user. WeChat [14] cares about privacy more than most social networking apps because of some critical features, i.e., payments. EnMicroMsg.db is an encrypted database within this directory; it uses SQLCipher [60] for encryption. All previous research on WeChat describes EnMicroMsg.db as containing the messaging information of the user and describes the method to decrypt this database: a script [61] needs to be run with SQLCipher. That method is successful on previous versions of Android. For WeChat version 6 or later running on Android version 6.0.x or higher, the database EnMicroMsg.db is not decrypted by the methods described in [61, 62]. Since lower versions of WeChat cannot be installed on Android versions higher than 5, the information within this database cannot be recovered. In [62], previous versions of WeChat were installed on Android 4.4.2 and decrypted successfully using the same methods described in [63, 64]. It was therefore determined that the encryption in the latest version of WeChat on Android 6.0.1 or higher differs from the previous version and that it is not possible to recover data from it. An index file named FTS5IndexMicroMsg.db contains the information about the contacts and plain text messages. The Meta_messages table contains the unique ids of the user and the talker with a timestamp, and the message_content table contains the content of the messages. The main issue is that we cannot tell who sent which message to whom, and when. This database is also encrypted in a later version of WeChat. Media shared through messages and uploaded by the user on the timeline is recovered from the com.tencent/media/0/MicroMsg folder, which contains the jpeg images, mp4 videos, and audio files transferred during the chat. After data deletion, this folder still holds these files in this location. The shared preference folder contains critical information, i.e., the username and the phone number with which the account was created. It was discovered that if the phone cache is cleared, the user is automatically logged out of the account and needs to log in again with the username and password.

6.1.5. Wickr. Wickr secures the internal information by encrypting the local storage. Wickr's sensitive information, i.e., id keys, account data, and messages, is stored in an encrypted storage container on the phone. This information in the storage container is decrypted only when the user is logged in to the account and can be used for any activity. When a user logs off, the container is encrypted again with Klds and expelled from the persistent memory. Klds is stored in an encrypted form so that it can be recovered on the next user login. The key used to encrypt and decrypt Klds is derived from the user's passphrase using a script [65]. Successful login for this

Table 15: Comparison of tools according to NIST standards.

Type                    Feature      Magnet AXIOM   XRY    Autopsy
Core requirements       SPT-CR-01    (✓)            (✓)    (▲)
                        SPT-CR-02    (✓)            (X)    (▲)
                        SPT-CR-03    (✓)            (X)    (▲)
                        SPT-CR-04    (✓)            (✓)    (✓)
Optional requirements   SPT-RO-05    (✓)            (✓)    (✓)
                        SPT-RO-06    (✓)            (✓)    (✓)
                        SPT-RO-08    (✓)            (✓)    (✓)
                        SPT-RO-09    (✓)            (✓)    (▲)
                        SPT-RO-13    (✓)            (✓)    (▲)
                        SPT-RO-14    (✓)            (✓)    (X)
Core assertions         SPT-CA-01    (✓)            (✓)    (X)
                        SPT-CA-02    (✓)            (✓)    (▲)
                        SPT-CA-03    (✓)            (X)    (▲)
                        SPT-CA-04    (✓)            (✓)    (✓)
                        SPT-CA-05    (✓)            (✓)    (✓)
                        SPT-CA-06    (✓)            (✓)    (✓)
                        SPT-CA-07    (✓)            (✓)    (✓)
                        SPT-CA-24    (✓)            (✓)    (✓)
                        SPT-CA-25    (✓)            (✓)    (✓)
                        SPT-CA-26    (✓)            (✓)    (●)
                        SPT-CA-27    (✓)            (●)    (●)
                        SPT-CA-29    (✓)            (✓)    (▲)
                        SPT-CA-30    (✓)            (✓)    (▲)
                        SPT-CA-31    (✓)            (X)    (▲)
Optional assertions     SPT-AO-25    (✓)            (✓)    (✓)
                        SPT-AO-26    (✓)            (✓)    (✓)
                        SPT-AO-27    (X)            (●)    (●)
                        SPT-AO-31    (✓)            (✓)    (●)
                        SPT-AO-37    (✓)            (●)    (✓)
                        SPT-AO-38    (✓)            (●)    (✓)
                        SPT-AO-39    (●)            (●)    (●)

Table 16: Comparison of tools according to additional parameters.

Additional parameter                                     Magnet AXIOM   Autopsy   XRY
Processing time (physical acquisition + processing), one tool per band:
    4–8 hrs (fast): (✓)
    8–12 hrs (medium): (✓)
    12–16 hrs (slow): (✓)
User friendly
    Portable case file                                   (✓)            X         X
    GUI                                                  (✓)            (✓)       (✓)
    Artifact connectivity                                (✓)            X         X
    Categorization                                       (✓)            (✓)       X
Artifacts
    DB                                                   (✓)            (✓)       (✓)
    Media/text exchanged                                 (✓)            (✓)       (●)
    Timeline                                             (✓)            (●)       (●)
    Account/user information                             (✓)            (●)       (✓)
    Calls                                                (✓)            (✓)       (✓)
    Timestamps                                           (✓)            (✓)       (✓)
Keyword search option                                    (✓)            (✓)       (✓)
Accuracy                                                 (✓)            (✓)       (●)

situation is equivalent to being able to decrypt Klds and access the material in the encrypted container. Users who wish to stay permanently signed in to Wickr simply store the password-derived key in platform-provided secure storage. In this way, sensitive material is always encrypted when the Wickr application is not active [66]. The metadata about how and where the Wickr app stores its information was identified by exploring the base.apk file. By exploring the files stored within the .apk file, it was determined that the information related to messages, with timestamps and media type, is stored in a database named wickr_db. The key with which wickr_db is encrypted is itself encrypted and stored within the phone. The database can be decrypted only if the user logs in to the account with the username and password: these phrases, together with a random number, decrypt the key, and the key decrypts the database. It was also discovered that the database is encrypted through SQLCipher by the SQL helper class present in the WickrDbAdapter.class file. Two files, sk.wic and ds.wic, are also encrypted. By analyzing the files in the .apk of the Wickr app, it was discovered that ds.wic contains the cache data of Wickr and sk.wic contains the key of the database, which is also encrypted.

6.2. Tools Evaluation. Three tools are used in this research: Magnet AXIOM, Autopsy, and XRY. Magnet AXIOM and XRY can extract the data from the smartphone and present the artifacts in a human-understandable format; Autopsy only analyzes an already-extracted image. The tools are evaluated on the basis of three factors:

(i) Number of artifacts recovered by the tool
(ii) NIST standard tool assessment document [19, 20]
(iii) Additional parameters

The results of this research can be used as recommendations for investigators handling cases associated with these apps. The overall ranking of the tools according to digital artifact recovery is presented in Table 14.

6.2.1. Number of Artifacts Recovered by a Tool. All three tools are analyzed on the basis of their capability to recover digital artifacts from the five SNAs; these numbers validate the performance of the tools. Details of the number of artifacts recovered from every app using these tools are shown in Table 13. Tools are ranked according to the number of artifacts they are able to recover. The index number has been calculated according to the formula stated in (1):

$P = \frac{\sum N_r}{N_t} \times 100$, (1)

where $P$ is the percentage of useful extractions, $N_r$ is the number of recovered artifacts, and $N_t$ is the total number of artifacts. The index number for every application is calculated according to equation (1). The Magnet AXIOM index is calculated by dividing the number of artifacts recovered (R) from all five applications through Magnet AXIOM by the total number of artifacts (T) sent, times 100; the resulting index is 76 percent. The indexes of Autopsy and XRY are calculated in the same way: Autopsy, as an image analysis tool, is ranked second with an index of 71.7 percent, and XRY is ranked third with an index of 65.7 percent.

6.2.2. NIST Standard Tool Assessment Document. NIST published an assessment plan to measure the performance of a tool [19, 20]. It is important to develop a method that can standardize a tool according to its capabilities. NIST released factors and methods to calculate the performance of a forensic tool based on the outcomes of the assessment plan conducted by NIST. In Table 15, the tools are compared against the core requirements, optional requirements, core assertions, and optional assertions of

smartphone examination tools, where the (✓) symbol indicates that the tool supports the factor, (●) partial support, (X) no support, and (▲) that the factor does not apply to the specific tool. According to the NIST parameters for smartphone examination tools, Magnet AXIOM fulfilled most of the requirements.

6.2.3. Additional Parameters. Finally, the performance of the tools is evaluated on the basis of some parameters that were defined during this research, by which tool performance capability can be judged. These six parameters are

(i) Processing time
(ii) User friendliness
(iii) Compatibility
(iv) Artifacts recovery
(v) Keyword search option
(vi) Accuracy

Table 16 gives a detailed comparison of the tools according to these parameters, where the (✓) symbol indicates that the tool supports the factor, (●) partial support, (X) no support, and (▲) that the factor does not apply to the specific tool. According to the combined results of the defined tool evaluation factors (number of artifacts a tool recovers, NIST parameters for smartphone analysis tools, and additional parameters), and on the basis of overall performance, Magnet AXIOM is number one, followed by XRY and Autopsy.

7. Conclusions and Future Work

Various commercial and proprietary tools are available through which data acquisition and forensic analysis can be done. In this research, Magnet AXIOM and XRY are used to acquire data from five social networking apps in three different scenarios: before any data is deleted from the app, after some data is deleted, and after app uninstallation. The outcomes of the research show that a large number of artifacts of Instagram, LINE, Whisper, and WeChat are recovered from the smartphone's internal memory. Wickr, on the other hand, discloses very little information. Potential artifacts have been categorized so that they can be used to create a report. The tools are analyzed with respect to their capabilities, the NIST standards for smartphone analysis tools, and a few additional parameters defined during this study. The results of this analysis report that, among the three tools, Magnet AXIOM is ranked no. 1 with an index of 76.0%, followed by Autopsy at 71.5% and XRY at rank 3 with an index of 65.5%. According to the NIST parameters for smartphone analysis tools and the additional parameters, on the basis of overall performance, Magnet AXIOM is number one, followed by XRY and Autopsy. In the future, new versions of Android smartphones can be analyzed for application forensics, as almost every 3 months a new version or software update is released for Android. This leaves a lot of areas for further research on the apps on the latest version and for analysis of their security flaws. New apps like Omegle, Periscope, and Azar, which are becoming popular among teenagers, need attention from forensic investigators. Every tool has some weaknesses, and for better and more accurate results forensic investigators can use a combination of different tools in an investigation, exploiting the unique capability of each tool.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors of this paper are extremely thankful to the Department of Information Security, National University of Sciences and Technology (NUST), Islamabad, Pakistan, for its support in the research.

References

[1] Global social media research summary, September 2019, https://www.smartinsights.com/social-media-marketing/social-media-strategy/new-global-social-media-research/.
[2] DataReportal – Global Digital Insights, 2021, March 2021, https://datareportal.com/reports/digital-2020-october-global-statshot.
[3] "51 critical cyberbullying statistics in 2020," https://www.broadbandsearch.net/blog/cyber-bullying-statistics.
[4] "The-Annual-Bullying-Survey-2017-1.pdf," December 2019, https://www.ditchthelabel.org/wp-content/uploads/2017/07/The-Annual-Bullying-Survey-2017-1.pdf.
[5] N. Jain and V. Shrivastava, "Cyber crime changing everything – an empirical study," International Journal of Computer Application, vol. 1, no. 4, 2014.
[6] M. Sharma and S. Kaur, "Cyber crimes becoming threat to cyber security," IASR Xournals, vol. 2, no. 1, 2019, https://www.academia.edu/39618017/Cyber_Crimes_Becoming_Threat_to_Cyber_Security.
[7] U. Sharma, S. Ghisingh, and E. Ramdinmawii, "A study on the cyber, crime and cyber criminals a global problem," International Journal of Web Technology, vol. 3, pp. 172–179, 2014.
[8] R. A. Grimes, What Is Personally Identifiable Information (PII)? How to Protect It under GDPR, CSO Online, August 2019, https://www.csoonline.com/article/3215864/how-to-protect-personally-identifiable-information-pii-under-gdpr.html.
[9] H. Saini, Y. S. Rao, and T. C. Panda, "Cyber-crimes and their impacts: a review," International Journal of Engineering Research and Applications, vol. 2, no. 2, pp. 202–209, 2012.
[10] H. Mahalik, R. Tamma, and S. Bommisetty, Practical Mobile Forensics, Packt Publishing Ltd, 2016.
[11] Instagram, App Store, 2010, August 2019, https://apps.apple.com/us/app/instagram/id389801252.
[12] LINE Free Calls, Messages – Apps on Google Play, Google.com, August 2019, https://play.google.com/store/apps/details.
[13] Whisper – Apps on Google Play, Google.com, August 2019, https://play.google.com/store/apps/details.
[14] WeChat – Apps on Google Play, Google.com, August 2019, https://play.google.com/store/apps/details.
[15] Wickr Me Private Messenger – Apps on Google Play, Google.com, August 2019, https://play.google.com/store/apps/details.
[16] Magnet AXIOM Digital Investigation Platform | Magnet Forensics, Magnet Forensics, August 2019, https://www.magnetforensics.com/products/magnet-axiom/.
[17] Autopsy, Sleuthkit.org, August 2019, https://www.sleuthkit.org/autopsy/.
[18] MSAB, MSAB The Pioneers of Mobile Forensics, MSAB, August 2019, https://www.msab.com/.
[19] R. P. Ayers, Smart Phone Tool Specification | NIST, Computer Forensic Tool Testing, 2017, August 2019, https://www.nist.gov/publications/smart-phone-tool-specification.
[20] NIST, Smart Phone Tool Test Assertions and Test Plan, NIST, US Department of Commerce, 2010.
[21] Android (Operating System), Wikipedia, 2019.
[22] A. Hoog, Android Forensics: Investigation, Syngress, 2011.
[23] "Application sandbox | Android Open Source Project," 2019, September 2019, https://source.android.com/security/app-sandbox.
[24] B. Reaves, J. Bowers, S. A. Gorski III et al., "∗droid: assessment and evaluation of android application analysis tools," ACM Computing Surveys (CSUR), vol. 49, no. 3, pp. 1–30.
[25] B. D. Carrier and E. H. Spafford, "Categories of digital investigation analysis techniques based on the computer history model," Digital Investigation, vol. 3, pp. 121–130, 2006.
[26] R. Ayers, S. Brothers, and W. Jansen, NIST Special Publication 800-101 Guidelines on Mobile Device, Obtenido de National Institute of Standards and Technology, 2014, http://nvlpubs.
[27] A. Verma, "What is rooting? Is rooting my android smartphone illegal? Fossbytes," November 2017, https://fossbytes.com/what-is-rooting-meaning-android-legal.
[28] T. Almehmadi and O. Batarfi, Impact of Android Phone Rooting on User Data Integrity in Mobile Forensics, IEEE, 2021.
[29] S. Park, S. Park, and K. Ma, "An automatic user activity analysis method for discovering latent requirements: usability issue detection on mobile applications," Sensors, vol. 18, no. 9, p. 2963, 2018.
[30] F. Rebhi, Development of a Tool for Analysis and Visualization of Android Logs, Ecole Nationale des Sciences de l'Informatique (ENSI), Tunisie, 2013, https://hal.inria.fr/hal-00922034.
[31] P. Andriotis, G. Oikonomou, and T. Tryfonas, "Forensic analysis of wireless networking evidence of android smartphones," in 2012 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 109–114, IEEE, 2012.
[32] P. Stephenson, "A comprehensive approach to digital incident investigation," Information Security Technical Report, vol. 8, no. 2, pp. 42–54, 2003.
[33] C. G. Nolte, Privacy in Social Networks – Economic Options for Regulation, ResearchGate, 2017, https://www.researchgate.net/publication/324517531_Privacy_in_social_networks_-_economic_options_for_regulation.
[34] M. P. Aji, I. Riadi, and A. Lutfhi, "The digital forensic analysis of Snapchat application using XML records," Journal of Theoretical & Applied Information Technology, vol. 95, no. 19, 2017.
[35] T. Mehrotra and B. Mehtre, "Forensic analysis of Wickr application on android devices," in 2013 IEEE International Conference on Computational Intelligence and Computing Research, pp. 1–6, IEEE, 2013.
[36] A. Mahajan, M. Dahiya, and H. Sanghvi, "Forensic analysis of instant messenger applications on android devices," 2013, http://arxiv.org/abs/13044915.
[37] T. Mathavan and M. A. Nagoor, "Acquisition and analysis of artifacts from instant messenger on android device," International Journal of Engineering Research & Technology, pp. 1210–1212, 2014.
[38] D. Walnycky, I. Baggili, A. Marrington, J. Moore, and F. Breitinger, "Network and device forensic analysis of Android social-messaging applications," Digital Investigation, vol. 14, pp. S77–S84, 2015.
[39] C. Anglano, M. Canonico, and M. Guazzone, "Forensic analysis of the ChatSecure instant messaging application on android smartphones," Digital Investigation, vol. 19, pp. 44–59, 2016.
[40] O. S. Adebayo, S. A. Sulaiman, O. Osho, J. Alhassan, and S. Abdul-hamid, Forensic Analysis of Kik Messenger on Android Devices, ResearchGate, 2017, https://www.researchgate.net/publication/321268908_Forensic_Analysis_of_Kik_Messenger_on_Android_Devices.
[41] J. H. Ryu, N. Y. Kim, B. W. Kwon, S. K. Suk, J. H. Park, and J. H. Park, "Analysis of a third-party application for mobile forensic investigation," Journal of Information Processing Systems, vol. 14, no. 3, 2018.
[42] R. Umar, I. Riadi, and G. M. Zamroni, "Mobile forensic tools evaluation for digital crime investigation," International Journal on Advanced Science, Engineering and Information Technology, vol. 8, no. 3, pp. 949–955, 2018.
[43] G. B. Satrya, P. T. Daely, and M. A. Nugroho, "Digital forensic analysis of Telegram Messenger on Android devices," in 2016 International Conference on Information & Communication Technology and Systems (ICTS), pp. 1–7, IEEE, 2016.
[44] G. B. Satrya, P. Daely, and S. Y. Shin, "Android forensics analysis: private chat on social messenger," in 2016 Eighth International Conference on Ubiquitous and Future Networks (ICUFN), pp. 430–435, IEEE, 2016.
[45] J. Gregorio, A. Gardel, and B. Alarcos, "Forensic analysis of Telegram Messenger for Windows Phone," Digital Investigation, vol. 22, pp. 88–106, 2017.
[46] J. Choi, J. Park, and H. Kim, "Forensic analysis of the backup database file in KakaoTalk messenger," in 2017 IEEE International Conference on Big Data and Smart Computing (BigComp), pp. 156–161, IEEE, 2017.
[47] R. Al Mushcab and P. Gladyshev, "Forensic analysis of Instagram and Path on an iPhone 5s mobile device," in 2015 IEEE Symposium on Computers and Communication (ISCC), pp. 146–151, IEEE, 2015.
[48] A. A. Abbasi, S. Saleem, and R. Zulqarnain, "Forensic investigation of smartphone cloud storage applications," NUST Journal of Engineering Sciences, vol. 10, no. 1, pp. 30–36, 2017.
[49] N. Al Mutawa, I. Baggili, and A. Marrington, "Forensic analysis of social networking applications on mobile devices," Digital Investigation, vol. 9, pp. S24–S33, 2012.
[50] Y. C. Tso, S. J. Wang, C. T. Huang, and W. J. Wang, "iPhone social networking for evidence investigations using iTunes forensics," in Proceedings of the 6th International Conference on Ubiquitous Information Management and Communication, ACM, p. 62, 2012.
[51] V. V. Rao and A. Chakravarthy, "Forensic analysis of android mobile devices," in 2016 International Conference on Recent Advances and Innovations in Engineering (ICRAIE), pp. 1–6, IEEE, 2016.
[52] S. Schrittwieser, P. Frühwirt, P. Kieseberg et al., Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications, NDSS, Citeseer, 2012.
[53] V. Jain, D. R. Sahu, and D. S. Tomar, "Evidence gathering of LINE messenger on iPhones," International Journal For Innovative Engineering and Management, vol. 4, no. 2, pp. 1–9, 2015.
[54] I. Riadi, Sunardi, and A. Firdonsyah, "Forensic investigation technique on Android's BlackBerry Messenger using NIST framework," International Journal of Cyber-Security and Digital Forensics, vol. 6, no. 4, pp. 198–205, 2017.
[55] M. K. Tri, I. Riadi, and Y. Prayudi, "Forensics acquisition and analysis method of IMO messenger," International Journal of Computer Applications, vol. 179, pp. 9–14, 2018.
[56] A. Azfar, K. K. R. Choo, and L. Liu, "An Android social app forensics adversary model," in 2016 49th Hawaii International Conference on System Sciences (HICSS), pp. 5597–5606, IEEE, 2016.
[57] C. Wu, C. Vance, R. Boggs, and T. Fenger, Forensic Analysis of Data Transience Applications in iOS and Android, Marshall Forensic Science, 2013.
[58] DB Browser for SQLite, sqlitebrowser.org, August 2019, https://sqlitebrowser.org/.
[59] Tencent, tencent.com, August 2019, https://www.tencent.com/en-us/.
[60] "SQLCipher – Zetetic," August 2019, https://www.zetetic.net/sqlcipher/.
[61] ppwwyyxx, "wechat-dump," 2018, September 2019, https://github.com/ppwwyyxx/wechat-dump.
[62] F. Darus, How to Decrypt WeChat EnMicroMsg.db Database?, Forensic Focus, 2014, https://www.forensicfocus.com/articles/decrypt-wechat-enmicromsgdb-database/.
[63] S. Wu, Y. Zhang, X. Wang, X. Xiong, and L. Du, "Forensic analysis of WeChat on Android smartphones," Digital Investigation, vol. 21, pp. 3–10, 2017.
[64] Z. Dai, Sufatrio, T. W. Chua, D. K. Balakrishnan, and V. L. Thing, Chat-App Decryption Key Extraction through Information Flow Analysis, IOS Press, 2017.
[65] H. Md and M. Warnier, Cyber Crime in Privately Held Information Systems: Personal Data at Stake, IEEE, 2014.
[66] Z. Whittaker, Wickr Technical White Paper, 2019, September 2019, https://www.documentcloud.org/documents/3461863-Wickrtechnical-white-paper.html.