by Nor Zarina Binti Zainal Abidin
Abstract
Forensic analysis of mobile phones’ third party applications is a new area that needs to be explored. There are a lot of third party applications available in App store.
Mobile forensic software tools basically extracted typical mobile phone data such as contact numbers, text messages and call logs. These tools overlook information saved in third-party apps. Many third-party applications installed in Apple mobile devices leave forensically relevant evidence or information available for investigation. Potential evidence can be held on these devices. This information can be made readily available to law enforcement through simple and easy-to-use techniques. This paper focuses on conducting forensic analysis on Instagram which is a widely used social networking application on smartphones. The tests were conducted on the most popular smartphones: iPhones.
1. Introduction
1.1 Apple Device
iPhone is the most favored Apple product since it was launched in 2007. Apple is the pioneer in Smartphones as they reinvented the mobile phone into what it is today. iPhone uses Apple’s iOS as an operating system. The iOS architecture is layered and consists of four abstraction layers. The functions of all applications that have been installed in iPhone will be determined by these layers. iPhones have their own default applications installed in the phone but users also can select third party applications of their choice and install them on the device. The applications can be downloaded from the App Store using the user’s Apple ID.
1.2 Instagram
Instagram is one of the social networking applications that are available for almost all smartphone platforms and operating systems. It is a widely used and universal application.
Instagram is available for free in the App Store. Users can upload photographs and short videos, follow other users’ feeds and geotag images with longitude and latitude coordinates, or the name of a location. The users can either share their Instagram account to public or keep it as private. Users can connect their Instagram account to other social networking sites, enabling them to share uploaded photos to sites such as Facebook, Twitter, Tumblr and Flickr.
The main purpose of this research is to identify various data security issues in social networking applications on the iOS platform which aid in forensic investigations. Information is stored in different formats at varied locations on the phone. Our aim is to summarize a general methodology to gather valuable information, so a standard investigation process can be followed for all similar applications.
2. Methodology
The main purpose of this research is to determine whether activities performed through smartphone social networking applications are stored on the internal memory of the device and what kind of data that can be extracted or recovered from the device. Prior to conducting the experiments, the device needs to be connected to the internet.
All activities were done and recorded. When the activities were done, we disabled the Wi-fi connection and a forensic workstation was set up and configured. Once the forensic workstation was ready, the device was switched on with flight mode to isolate any signal from the device. Then, all data were extracted using forensic tools. The following is a list of device, software and tools used for this forensic examination:
• iPhone 5s
• Model: A1530
• iOS 7.1.1
• Non-jailbroken phone
• Installed with Instagram version 6.9.2
• XRY version 6.13.1
3. Result
No. | Performed Activities | Description / Findings |
---|---|---|
1. | Login to Instagram with username zarinazainal_ |
• Found username ‘zarinazainal_’ with Instagram’s ID number in ‘recent-users’ plist file• No login logs were found |
2. | Enter Instagram password | • No records of Instagram password |
3. | Choose picture to be uploaded | • N/A |
4. | Edit the picture using one of Instagram’s filters |
• The edited pictures will be saved in Instagram folder inside iPhone Photos Album• The post could not be found |
5. | Create caption and hashtag for the edited picture |
• No Instagram caption was found in the exhibit• Recent visited and used hashtag can be found under ‘visited hashtag’ in the plist file |
6. | Linked the picture to Facebook account |
• Found facebook_user_info key (encrypted) with Facebook user ID and Instagram’s account name that has been used to upload the picture in ‘com.burbn.instagram’ plist file |
7. | Post the picture | • The date when the pictures were uploaded is the same as the creation date• Hash value for the pictures is different from the original pictures • Software used (Instagram) will be shown • The original created date (including • Date and time is based on device time • Other metadata (location, coordinates) |
8. | Follow other Instagram accounts |
• Found the username and Instagram’s ID number for Instagram accounts that have been followed by ‘zarinazainal_’ in ‘recent-users’ plist file |
9. | Invite followers | • Found the username and Instagram’s ID number for Instagram account that has followed ‘zarinazainal_’ Instagram account in ‘recent-users’ plist file |
10. | Make comments on other pictures/post |
• No comment made by user was found unless the comments were made to the latest status, as XRY extracts the 10 latest pictures with comments (if any) under ‘Status Update’ tab• Instagram stores the cache files of the pictures seen |
11. | Followers’ comments on your pictures |
• No comment made by the followers was found unless the comments were made to the latest status as XRY extracts the 10 latest pictures with comments (if any) under ‘Status Update’ tab |
12. | Delete pictures that have been posted |
• If the pictures have been deleted from the Instagram, the edited pictures will remain in the Instagram folder inside iPhone Photos Album• No indication or records of deleted post found |
13. | Upload another picture without editing |
• No evidence or trace that the picture has been uploaded to Instagram• The post could not be found |
4. Future Work
• Extract data from another platform or operating system such as Android, Blackberry and Windows.
• Need to extract data from jailbroken iPhone or rooted Android phone, to identify what kind of data that can be extracted
5. Conclusion
There is no strong evidence to show that the exhibit has been used to post or upload pictures to Instagram. From the analysis, the Instagram account found in the phone could not be proven that it has been used to login as administrator. No registration details such as email and password were found in the device.
Nor Zarina Binti Zainal Abidin is a senior analyst at CyberSecurity Malaysia, an agency that encourages digital forensics professionals to work together to harness the power of information networks.