FORENSIC ANALYSIS OF SOCIAL NETWORKING APPLICATIONS ON MOBILE DEVICES

Diploma

ABSTRACT

The increased use of social networking applications on smartphones makes these devices a goldmine for forensic investigators. Potential evidence can be held on these devices and recovered with the right tools and examination methods. This paper focuses on conducting forensic analyses on three widely used social networking applications on smartphones: Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphones: BlackBerrys, iPhones, and Android phones. The tests consisted of installing the social networking applications on each device, conducting common user activities through each application, acquiring a forensically sound logical image of each device, and performing manual forensic analysis on each acquired logical image. The forensic analyses were aimed at determining whether activities conducted through these applications were stored on the device’s internal memory. If so, the extent, significance, and location of the data that could be found and retrieved from the logical image of each device were determined. The results show that no traces could be recovered from BlackBerry devices. However, iPhones and Android phones store a significant amount of valuable data that could be recovered and used by forensic investigators.


Introduction

The last several years have witnessed the rapid evolution of a new form of online communication known as social networking. By joining websites that offer these services, users can interact and socialize, share information and ideas, post comments and updates, participate in activities and events, upload files and photos, and engage in real-time instant messaging and conversations. These websites attract millions of people from all over the world. A study estimated that the number of unique users of online social networks worldwide was about 830 million at the end of 2009 (International Telecommunications Union, 2010).

Despite being primarily used to communicate and socialize with friends, the diverse and anonymous nature of social networking websites makes them highly vulnerable to cybercrimes. Phishers, fraudsters, child predators, and other cyber criminals can register for these services with fake identities, hiding their malicious intentions behind innocent-appearing profiles. Social networks also encourage the publication of personal data, such as age, gender, habits, whereabouts, and schedules. The wealth of personal information uploaded to these websites makes it possible for cyber criminals to manipulate this information to their advantage and use it to commit criminal acts. Other abusive activities that can be committed on these websites include uploading illegal or inappropriate material, defaming, and stalking (de Paula, 2009). The large number of criminal acts that can be performed through social networks raises the importance of digital forensics in this area. Electronic evidence retrieved from social networking activities on a suspect’s machine can be of great assistance in investigating a criminal case by incriminating or proving the innocence of a suspect.

Besides accessing social networking sites via desktop computers and laptops, subscribers can use their smartphones to tap into these services. A survey conducted by Ruder Finn (a PR agency) showed that “91% of smartphone users go online to socialize compared to only 79% of traditional desktop users”. It also showed that 43% of smartphone users use them to communicate with people on social networking sites (Finn, 2012). Approximately half of Facebook’s users access Facebook through a mobile device, such as a smartphone or tablet. According to Facebook, these users are twice as active as users who do not access Facebook through a mobile device (Facebook, 2011). Given that millions of users access social networks through smartphones and that smartphones provide 24/7 access to these services, there is a high risk that users with malicious intentions will abuse these services. Therefore, when a forensic examination is performed on a suspect’s smartphone, there is a chance of finding evidence that supports criminal prosecution.

Forensic examination of smartphones is challenging. First, smartphones are always active and are constantly updating data, which can cause faster loss of evidentiary data. Second, the operating systems (OS) of smartphones are generally closed source, with the notable exception of Linux-based smartphones, and this makes creating custom tools to retrieve evidence a difficult task for forensic examiners. In addition, smartphone vendors tend to release OS updates very often, making it hard for forensic examiners to keep up with the examination methods and tools required to forensically examine each release. The variety of proprietary hardware of smartphones is another issue faced by forensic examiners (Al Zarouni, 2006).

This paper focuses on conducting forensic analyses on three widely used social networking applications on smartphones: Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphones: BlackBerry Torch 9800, iPhone 4, and the Android-based Samsung Galaxy S, and consisted of installing the social networking applications on each device, conducting common user activities through each application, acquiring a forensically sound logical image of each device, and performing a manual forensic analysis on each acquired image. The purpose of our analysis was to determine whether activities conducted through these applications were stored on the device’s internal memory. If so, the amount, significance, and locations of data that could be found and retrieved from the logical image of each device were determined.