Forensic Benchmarking for Android Messenger Applications

International Journal of Mechanical Engineering and Technology (IJMET), Volume 10, Issue 01, January 2019, pp. 926–934, Article ID: IJMET_10_01_095
Available online at http://www.iaeme.com/ijmet/issues.asp?JType=IJMET&VType=10&IType=01
ISSN Print: 0976-6340 and ISSN Online: 0976-6359
© IAEME Publication, Scopus Indexed

A Karahoca, Professor, Bahcesehir University, Software Engineering Department, Turkey
D Karahoca, Assistant Professor, Bahcesehir University, Health Management Department, Turkey
Selman Kasim Bağirici, Bahcesehir University

ABSTRACT

Technology has reshaped the way we interact with the world and access information with the advent of smartphones. Accordingly, the needs we have and the solutions for our needs have also changed along with the evolving technology. One of the matters most affected by technology is communication. With their various options and capabilities, instant messaging applications have come into use for communication, which is one of the biggest needs of human beings. We can send text messages, video messages and voice recordings and share locations using these applications. Even further, we no longer need cell phone calls through GSM operators and instead prefer these applications for instant calls, as well as for sharing private information, not only in personal daily life but also for business needs. On the other hand, along with their many benefits, these applications bring risks. One of them is privacy. As users, we do not want these applications to store our personal data. How do these applications keep our data in practice? Do they give the necessary attention to privacy? Another fact is that these applications can be used by criminals to communicate and execute a secret plan. If a criminal gets caught, what can be obtained as evidence from these messaging applications? In that case we need to know what can be extracted from the mobile device.

This research focuses on forensics analysis of instant messaging applications on the Android platform.

Keywords: Mobile Forensics, Android Forensics, Instant Messaging

Cite this Article: A Karahoca, D Karahoca and Selman Kasim Bağirici, Forensic Benchmarking for Android Messenger Applications, International Journal of Mechanical Engineering and Technology, 10(01), 2019, pp. 926–934. http://iaeme.com/Home/issue/IJMET?Volume=10&Issue=1

1. INTRODUCTION

Technology has reshaped the way we interact with the world and access information with the advent of smartphones. Accordingly, the needs we have and the solutions for our needs have also changed along with the evolving technology. Also, the rate of change is increasing exponentially with the technology. A report published by a research company about the use of media devices showed that 3 hours and 14 minutes was the average time spent using mobile devices by a US adult in 2017 [1]. By the end of the 20th century, hardware-based inventions such as computers and mobile phones were the leading products in the world, whereas in the first quarter of the 21st century the application revolution has dominated the market and affected our daily life. When we consider the last twenty years, we have acquired new skills and found new ways of communicating with people due to evolving technology. Even further, we have abandoned some of those skills and gained new ones with what technology provides. We started to use mobile phones in our daily life at the end of the 20th century, and at first we used to send Short Message Service (SMS) messages. However, the use of SMS decreased to 15.5 percent in 2017 and is expected to decrease even further to 5.9 percent in 2021 [2].
With their various options and capabilities, we have started using instant messaging applications to communicate with our family and friends. We send text messages, video messages and voice recordings and share locations using these applications. The number of users of these applications was 1.58 billion worldwide in 2016 and is expected to reach 2.48 billion in 2021 [3]. Research on forensics analysis of instant messaging applications requires continuity and consistency, because the applications change with each update as new features are added. The purpose of this paper is to provide answers to common questions related to the forensics analysis of instant messaging applications.

2. LITERATURE

Digital forensics is recovering, investigating and identifying data to prove the existence of evidence. Mobile forensics is a sub-branch of digital forensics. It is not possible to apply entirely the same procedure in every domain, because the investigations in each domain are unique. However, the steps can be listed as follows: a) identification and investigation, b) acquisition, c) analysis.

2.1. Identify and Investigate

Mobile forensics depends on many different factors: the mobile phone manufacturer, the phone model, the operating system type and the operating system version. Therefore, the investigator must prepare a proper method for each scenario [27].

2.2. Acquisition

The acquisition phase refers to the extraction of data from the device. Due to the inherent security features of mobile devices, extracting data is not always straightforward. The extraction method is determined based on the operating system, make and model of the device. There are three types of acquisition method:

Manual acquisition: This acquisition method requires the least technical qualification. It is based on the user interface of the device, and no tool is needed. The disadvantage of manual acquisition is that the examiner can detect only artifacts which are visible in the user interface.

Logical acquisition: Logical acquisition is based on extracting the accessible data on the file system. The disadvantage of logical acquisition is that the examiner can only extract data which is identified by the operating system; deleted data is not extracted, except inside some files such as database files. Database files can still contain deleted data [4-25]. If root access to the mobile phone is available, the examiner can detect more artifacts on the phone.

Physical acquisition: Physical acquisition is extracting data from the hardware (storage) bit by bit. There are various methods for physical acquisition, such as hex dumping, JTAG, chip-off and micro read. The JTAG method extracts a complete physical image of a mobile phone if the JTAG port of the phone is connected to a computer using a JTAG emulator. The extracted physical image can be analyzed using WinHex or any other software which can analyze binary files. Another physical acquisition method is the dd command, a Linux command-line utility which by definition converts and copies files but is frequently used in forensics to create bit-by-bit images of entire drives [5]. Most commercial forensics tools use the dd command for physical acquisition. Physical acquisition requires the most technical qualification. Its advantage is that it is possible to recover deleted files.

2.3. Analysis

In the analysis part, private data is collected from the disk image. Various software tools help to extract the data from the image which was stored in the acquisition part. There is no single tool that can be used in all cases. This part requires know-how and knowledge of the operating system and of file types such as database files, XML files etc.

2.4. Forensics Tools

There are many commercial (paid) and free tools developed for forensics analysis purposes, to extract data from a memory image or to analyze the artifacts. Even though their major aim is extracting or analyzing data, each of them has many additional features which differ from one another. The following mobile forensics tools are the most common ones in mobile forensics research, and this study focuses on their major purposes instead of side features. The Department of Homeland Security examines mobile device acquisition tools and publishes reports for the public's awareness. Also, Homeland Security and the National Institute of Standards and Technology (NIST) support a program called the Computer Forensics Tool Testing Program (CFTT). The goal of the CFTT project is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets and test hardware [6].

MSAB's (a software company) solution called the XRY Extract family is one of the most frequently used and useful forensics tools. It has two major versions to extract data. XRY Logical is designed to extract and recover data by communicating with the operating system (logical acquisition). XRY Physical is designed to extract and recover raw data directly from the device memory (physical acquisition). MSAB has the XAMN Analyze family, which analyzes the output of XRY Logical and XRY Physical. There is no technical document related to how XRY examines the mobile phone.

Another commercial tool is Oxygen Forensic Detective. The tool offers three methods of data acquisition: Android backup, physical dump via device rooting and logical extraction. In the case of logical extraction, the OxyAgent application (developed by Oxygen Forensic) is installed on the device [7].

Magnet ACQUIRE is another commercial forensics tool which is widely used by examiners. Magnet Acquire has two options for image types. The first one is named "Full", which extracts the entire contents and requires a rooted device. This method is a type of physical acquisition and is based on the Linux dd command.
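As an added illustration of the point in section 2.2 that a database file can still contain deleted data (example code written for this page, not the paper's or any tool's): it builds a constructed messenger-style SQLite file, deletes one message through the normal SQL API, and compares what a logical export reports with what a raw-file string carve finds, with SQLite's secure_delete setting off (the usual state, where the record survives) and on (the mitigation on the privacy side). The table name, messages and file name are constructed for the example.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample chat (not from the paper); the message with id 2 is deleted by the "user".
SAMPLE_MESSAGES = [("alice", "meet at the cafe at 9"),
                   ("bob", "bring the blue folder"),
                   ("alice", "ok see you there")]
DELETED_BODY = "bring the blue folder"

def build_chat_db(path, secure_delete):
    """Create a messenger-style SQLite DB, then delete one row through the SQL API."""
    conn = sqlite3.connect(path)
    # secure_delete decides whether SQLite zeroes freed cells; it is commonly OFF on Android.
    conn.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    conn.execute("PRAGMA journal_mode=DELETE")  # committed pages live in the main .db file
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = 2")
    conn.commit()
    conn.close()

def live_bodies(path):
    """Logical view: only the rows the engine still reports (what an app-level export sees)."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return rows

def carve_strings(path, min_len=8):
    """Raw view: every printable ASCII run in the file, whether allocated or freed."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]

def deleted_body_recoverable(secure_delete):
    """True if the deleted message can still be carved from the raw database file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "msgstore.db")
        build_chat_db(path, secure_delete)
        assert DELETED_BODY not in live_bodies(path)  # gone from the logical view either way
        return any(DELETED_BODY in s for s in carve_strings(path))

if __name__ == "__main__":
    print("secure_delete=OFF -> deleted row carved:", deleted_body_recoverable(False))
    print("secure_delete=ON  -> deleted row carved:", deleted_body_recoverable(True))
```

The same carve applied to a dd image rather than a single file is what lets a physical acquisition recover records that a logical export never reports.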
