Smartphone Forensics - Recovering Evidence from 3rd Party Apps
Applications on smartphones such as Skype, Viber, and Whatsapp enable users to communicate over the Internet in much the same way as standard phone calls and text messages. However, the traces of these communications on smartphones are not extracted by some forensic tools, and some data is encrypted, requiring additional effort to recover.
Skype and Viber Artifacts
Skype can be used to make voice and video calls, send messages and send digital pictures securely over an encrypted network connection. Viber is an application similar to Skype for sending messages and making free calls over the Internet (VoIP). Although Skype is designed to protect the privacy of users on the Internet, it can leave substantial traces of user activities on a smartphone. For instance, on an iOS device, the majority of Skype traces are stored under the Application Support folder in SQLite databases as shown here.
Inspecting these databases and reconstructing communications between parties can be a time consuming process. To assist digital investigators, specialized smartphone forensics tools such as Cellebrite Physical Analyzer can parse these databases and ultimately display the contacts, calls, and chat logs as shown here.
Smartphone forensic tools can also parse and display information about calls and messages sent and received using Viber. Messages sent using Viber can have pictures and other media attachments, and can have the current geolocation of the device attached to the message. None of this information is encrypted on the smartphone.
Decrypting Whatsapp Databases
Whatsapp is a popular application used for messaging on smartphones, including Android, Blackberry and iOS. The main Whatsapp database on Android and iOS devices is in plaintext, with information about communications, including date-time stamps and content of messages. Backups of the Whatsapp database may be found on the SDCard from a smartphone, but the contents are encrypted as shown here with the file "msgstore.db.crypt" recovered from an Android SDCard.
Analysis of the Whatsapp application and encryption can reveal the AES key needed to decrypt the contents (see WhatsApp Database Encryption Project Report). As a result, some Whatsapp databases can be decrypted and parsed using freely available utilities such as including Whatsapp Extract.
> whatsapp_xtract.py msgstore.db.crypt -o msgstore.plain.db Python Version 2.x Android mode! trying to repair android database... trying to decrypt android database... decrypted database written to C:\Whatsapp_Xtract\msgstore.plain.db printing output to C:\Whatsapp_Xtract\msgstore.db.html ... done!
The resulting information that is decrypted and parsed from the Whatsapp backup database is displayed in HTML as shown here.
However, encrypted Whatsapp databases on Blackberry devices (named messageStore.db) cannot currently be decrypted using available forensic tools. These files are encrypted using a key stored on the actual device and have the REMF file header associated with Blackberry encryption as shown here.
One approach to accessing the contents of these encrypted Whatsapp databases from a Blackberry is to restore them onto a clean SDCard and open them on the actual device. This approach assumes that the original Blackberry is accessible and that the encryption key is still stored on the device. As an example, taking a Blackberry that had Whatsapp deleted but still had copies of encrypted databases on the SDCard, it was possible to restore the messageStore.db file onto a clean SDCard, insert it into the original device, reinstall Whatsapp, and view the decrypted messages as shown below. This approach provides access to chat sessions and exchanged pictures just as the user would have seen them, sometimes requiring the selection of “View earlier messages” – although not all metadata is displayed (e.g., year of date-time stamps).
The increasing use of smartphones to communicate and share files over the Internet using a variety of 3rd party applications creates challenges for digital investigators. Fortunately, developers of forensic tools are working hard to recover this information and make it available in a form that is useful for digital investigators. These and many other advanced aspects of smartphone forensics are covered in the new Advanced Smartphone & Mobile Forensics course developed by Eoghan Casey, Heather Mahalik and Terrance Maguire being offered in 2013.
Digital Evidence and Computer Crime
After six years of work, the expanded and updated third edition of Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet is now complete. The 800 printed pages and one online chapter cover the methods and tools relevant to incident responders, forensic analysts, police and lawyers.