Forensic Analysis Of Third Party Applications: Instagram

by Nor Zarina Binti Zainal Abidin


Forensic analysis of mobile phones’ third party applications is a new area that needs to be explored. There are a lot of third party applications available in App store.

Mobile forensic software tools basically extracted typical mobile phone data such as contact numbers, text messages and call logs. These tools overlook information saved in third-party apps. Many third-party applications installed in Apple mobile devices leave forensically relevant evidence or information available for investigation. Potential evidence can be held on these devices. This information can be made readily available to law enforcement through simple and easy-to-use techniques. This paper focuses on conducting forensic analysis on Instagram which is a widely used social networking application on smartphones. The tests were conducted on the most popular smartphones: iPhones.

1. Introduction

1.1 Apple Device

iPhone is the most favored Apple product since it was launched in 2007. Apple is the pioneer in Smartphones as they reinvented the mobile phone into what it is today. iPhone uses Apple’s iOS as an operating system. The iOS architecture is layered and consists of four abstraction layers. The functions of all applications that have been installed in iPhone will be determined by these layers. iPhones have their own default applications installed in the phone but users also can select third party applications of their choice and install them on the device. The applications can be downloaded from the App Store using the user’s Apple ID.

1.2 Instagram

Instagram is one of the social networking applications that are available for almost all smartphone platforms and operating systems. It is a widely used and universal application.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Instagram is available for free in the App Store. Users can upload photographs and short videos, follow other users’ feeds and geotag images with longitude and latitude coordinates, or the name of a location. The users can either share their Instagram account to public or keep it as private. Users can connect their Instagram account to other social networking sites, enabling them to share uploaded photos to sites such as Facebook, Twitter, Tumblr and Flickr.

The main purpose of this research is to identify various data security issues in social networking applications on the iOS platform which aid in forensic investigations. Information is stored in different formats at varied locations on the phone. Our aim is to summarize a general methodology to gather valuable information, so a standard investigation process can be followed for all similar applications.

2. Methodology

The main purpose of this research is to determine whether activities performed through smartphone social networking applications are stored on the internal memory of the device and what kind of data that can be extracted or recovered from the device. Prior to conducting the experiments, the device needs to be connected to the internet.

All activities were done and recorded. When the activities were done, we disabled the Wi-fi connection and a forensic workstation was set up and configured. Once the forensic workstation was ready, the device was switched on with flight mode to isolate any signal from the device. Then, all data were extracted using forensic tools. The following is a list of device, software and tools used for this forensic examination:

• iPhone 5s
• Model: A1530
• iOS 7.1.1
• Non-jailbroken phone
• Installed with Instagram version 6.9.2
• XRY version 6.13.1

Forensic Analysis on third party application Instagram.pdf

3. Result


 No. Performed Activities Description / Findings
 1. Login to Instagram with
username zarinazainal_
• Found username ‘zarinazainal_’ with
Instagram’s ID number in ‘recent-users’
plist file• No login logs were found
 2.  Enter Instagram password  • No records of Instagram password
 3. Choose picture to be uploaded  • N/A
4. Edit the picture using one of
Instagram’s filters
• The edited pictures will be saved in
Instagram folder inside iPhone Photos
Album• The post could not be found
 5. Create caption and hashtag for
the edited picture
• No Instagram caption was found in the
exhibit• Recent visited and used hashtag can be
found under ‘visited hashtag’ in the plist
6. Linked the picture to Facebook
 • Found facebook_user_info key
(encrypted) with Facebook user ID and
Instagram’s account name that has been
used to upload the picture in
‘com.burbn.instagram’ plist file
 7. Post the picture  • The date when the pictures were uploaded
is the same as the creation date• Hash value for the pictures is different
from the original pictures

• Software used (Instagram) will be shown
in the metadata

• The original created date (including
modified & accessed) remains in the

• Date and time is based on device time

• Other metadata (location, coordinates)

 8. Follow other Instagram
• Found the username and Instagram’s ID
number for Instagram accounts that have
been followed by ‘zarinazainal_’ in
‘recent-users’ plist file
 9. Invite followers • Found the username and Instagram’s ID
number for Instagram account that has
followed ‘zarinazainal_’ Instagram
account in ‘recent-users’ plist file
 10. Make comments on other
• No comment made by user was found
unless the comments were made to the
latest status, as XRY extracts the 10 latest
pictures with comments (if any) under
‘Status Update’ tab• Instagram stores the cache files of the
pictures seen
 11.  Followers’ comments on your
• No comment made by the followers was
found unless the comments were made to
the latest status as XRY extracts the 10 latest
pictures with comments (if any) under
‘Status Update’ tab
 12. Delete pictures that have been
• If the pictures have been deleted from the
Instagram, the edited pictures will remain
in the Instagram folder inside iPhone
Photos Album• No indication or records of deleted post
 13. Upload another picture
without editing
• No evidence or trace that the picture has
been uploaded to Instagram• The post could not be found

4. Future Work

• Extract data from another platform or operating system such as Android, Blackberry and Windows.
• Need to extract data from jailbroken iPhone or rooted Android phone, to identify what kind of data that can be extracted

5. Conclusion

There is no strong evidence to show that the exhibit has been used to post or upload pictures to Instagram. From the analysis, the Instagram account found in the phone could not be proven that it has been used to login as administrator. No registration details such as email and password were found in the device.

Nor Zarina Binti Zainal Abidin is a senior analyst at CyberSecurity Malaysia, an agency that encourages digital forensics professionals to work together to harness the power of information networks.

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:46 pm

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:14 pm

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles