by Nor Zarina Binti Zainal Abidin
Forensic analysis of mobile phones’ third party applications is a new area that needs to be explored. There are a lot of third party applications available in App store.
Mobile forensic software tools basically extracted typical mobile phone data such as contact numbers, text messages and call logs. These tools overlook information saved in third-party apps. Many third-party applications installed in Apple mobile devices leave forensically relevant evidence or information available for investigation. Potential evidence can be held on these devices. This information can be made readily available to law enforcement through simple and easy-to-use techniques. This paper focuses on conducting forensic analysis on Instagram which is a widely used social networking application on smartphones. The tests were conducted on the most popular smartphones: iPhones.
1.1 Apple Device
iPhone is the most favored Apple product since it was launched in 2007. Apple is the pioneer in Smartphones as they reinvented the mobile phone into what it is today. iPhone uses Apple’s iOS as an operating system. The iOS architecture is layered and consists of four abstraction layers. The functions of all applications that have been installed in iPhone will be determined by these layers. iPhones have their own default applications installed in the phone but users also can select third party applications of their choice and install them on the device. The applications can be downloaded from the App Store using the user’s Apple ID.
Instagram is one of the social networking applications that are available for almost all smartphone platforms and operating systems. It is a widely used and universal application.
Instagram is available for free in the App Store. Users can upload photographs and short videos, follow other users’ feeds and geotag images with longitude and latitude coordinates, or the name of a location. The users can either share their Instagram account to public or keep it as private. Users can connect their Instagram account to other social networking sites, enabling them to share uploaded photos to sites such as Facebook, Twitter, Tumblr and Flickr.
The main purpose of this research is to identify various data security issues in social networking applications on the iOS platform which aid in forensic investigations. Information is stored in different formats at varied locations on the phone. Our aim is to summarize a general methodology to gather valuable information, so a standard investigation process can be followed for all similar applications.
The main purpose of this research is to determine whether activities performed through smartphone social networking applications are stored on the internal memory of the device and what kind of data that can be extracted or recovered from the device. Prior to conducting the experiments, the device needs to be connected to the internet.
All activities were done and recorded. When the activities were done, we disabled the Wi-fi connection and a forensic workstation was set up and configured. Once the forensic workstation was ready, the device was switched on with flight mode to isolate any signal from the device. Then, all data were extracted using forensic tools. The following is a list of device, software and tools used for this forensic examination:
• iPhone 5s
• Model: A1530
• iOS 7.1.1
• Non-jailbroken phone
• Installed with Instagram version 6.9.2
• XRY version 6.13.1
|No.||Performed Activities||Description / Findings|
|1.||Login to Instagram with|
|• Found username ‘zarinazainal_’ with|
Instagram’s ID number in ‘recent-users’
plist file• No login logs were found
|2.||Enter Instagram password||• No records of Instagram password|
|3.||Choose picture to be uploaded||• N/A|
|4.||Edit the picture using one of|
|• The edited pictures will be saved in|
Instagram folder inside iPhone Photos
Album• The post could not be found
|5.||Create caption and hashtag for|
the edited picture
|• No Instagram caption was found in the|
exhibit• Recent visited and used hashtag can be
found under ‘visited hashtag’ in the plist
|6.||Linked the picture to Facebook|
| • Found facebook_user_info key|
(encrypted) with Facebook user ID and
Instagram’s account name that has been
used to upload the picture in
‘com.burbn.instagram’ plist file
|7.||Post the picture|| • The date when the pictures were uploaded|
is the same as the creation date• Hash value for the pictures is different
from the original pictures
• Software used (Instagram) will be shown
• The original created date (including
• Date and time is based on device time
• Other metadata (location, coordinates)
|8.||Follow other Instagram|
|• Found the username and Instagram’s ID|
number for Instagram accounts that have
been followed by ‘zarinazainal_’ in
‘recent-users’ plist file
|9.||Invite followers||• Found the username and Instagram’s ID|
number for Instagram account that has
followed ‘zarinazainal_’ Instagram
account in ‘recent-users’ plist file
|10.||Make comments on other|
|• No comment made by user was found|
unless the comments were made to the
latest status, as XRY extracts the 10 latest
pictures with comments (if any) under
‘Status Update’ tab• Instagram stores the cache files of the
|11.|| Followers’ comments on your|
|• No comment made by the followers was|
found unless the comments were made to
the latest status as XRY extracts the 10 latest
pictures with comments (if any) under
‘Status Update’ tab
|12.||Delete pictures that have been|
|• If the pictures have been deleted from the|
Instagram, the edited pictures will remain
in the Instagram folder inside iPhone
Photos Album• No indication or records of deleted post
|13.||Upload another picture|
|• No evidence or trace that the picture has|
been uploaded to Instagram• The post could not be found
4. Future Work
• Extract data from another platform or operating system such as Android, Blackberry and Windows.
• Need to extract data from jailbroken iPhone or rooted Android phone, to identify what kind of data that can be extracted
There is no strong evidence to show that the exhibit has been used to post or upload pictures to Instagram. From the analysis, the Instagram account found in the phone could not be proven that it has been used to login as administrator. No registration details such as email and password were found in the device.
Nor Zarina Binti Zainal Abidin is a senior analyst at CyberSecurity Malaysia, an agency that encourages digital forensics professionals to work together to harness the power of information networks.