Review: Network and Device Forensic Analysis of Android Social-Messaging Applications

Emily C. Lennert

Category: Digital

Keywords: social media, instant messaging, Android, network, mobile, Facebook, messaging, messenger, Kik, Instagram, Snapchat, ooVoo, Tango, Nimbuzz, textPlus

Article to be reviewed:

  1. Walnycky, D.; Baggili, I.; Marrington, A.; Moore, J.; Breitinger, F. Network and device forensic analysis of Android social-messaging applications. Digital Investigation. 2015.

Disclaimer: The opinions expressed in this review are an interpretation of the research presented in the article. These opinions are those of the summation author and do not necessarily represent the position of the University of Central Florida or of the authors of the original article.

Summary: Instant messaging applications (apps) on mobile devices may be involved in several types of crime, including child pornography, fraud, theft, and more. Digital evidence from smartphones and associated messaging apps may be very valuable to investigations and court proceedings. The above research article investigated the availability of digital evidence from 20 common messaging apps on a mobile device running an Android operating system.

An Android platform device, the HTC One, and an Apple iPad were used to exchange messages on each of the messaging apps. The iPad was arbitrarily selected to exchange messages with the HTC One. The HTC One was selected for analysis due to its Android operating system. Messages were exchanged on a wireless network that was set up using an examination computer to create a wireless access point, which generated the Wi-Fi signal that the mobile devices connected to. Messages of varying content were exchanged, including text, photos, and videos. The study relied on two phases of data recovery: network analysis and application data storage analysis.

The first phase was network analysis, in which network traffic and activity were tracked in real time on the examination computer. Network traffic was captured and saved using Wireshark. The second phase involved examining the messaging apps’ data storage on the HTC One mobile device. The phone was imaged using Micro Systemation’s XRY.

The study found that, of the 20 apps examined, four apps encrypted their network traffic using HTTPS, which is the traditional Hypertext Transfer Protocol with an added security layer that, in this case, provides encryption. The paper states that network traffic, device storage, and server storage were all encrypted for Snapchat, Tinder, Wickr, and BBM. Overcoming encryption was not in the scope of this study, so the authors concluded that data from those four messaging apps could not be retrieved. The remaining 16 messaging apps had unencrypted network traffic and/or data storage.
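As an added illustration of the network-analysis phase (not code from the paper or from this review), the following reads a capture saved in classic pcap format and labels each TCP flow as TLS or cleartext HTTP from its first payload bytes. The function names, addresses, ports and the embedded sample capture are constructed assumptions, and the labelling is a heuristic.

```python
import socket
import struct

def classify_payload(data):
    """Label the first payload bytes of a TCP flow (heuristic)."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    # Cleartext HTTP starts with a request method or a status line.
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD") or data.startswith(b"HTTP/1."):
        return "cleartext-http"
    return "unknown"

def triage_pcap(blob):
    """Map each TCP flow in a little-endian Ethernet pcap to a label."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    flows, off = {}, 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack_from("<I", blob, off + 8)[0]
        frame = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only IPv4 (EtherType 0x0800, version 4) carrying TCP (protocol 6).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4 or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack_from("!H", frame, 16)[0]]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        key = (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport)
        if payload and key not in flows:  # the first data segment decides the label
            flows[key] = classify_payload(payload)
    return flows

def _record(src, dst, sport, dport, payload):
    """Build one constructed Ethernet/IPv4/TCP frame as a pcap record."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: one cleartext image request and one TLS handshake.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record("192.168.2.10", "203.0.113.5", 40000, 80, b"GET /img/1.jpg HTTP/1.1\r\n\r\n")
               + _record("192.168.2.10", "203.0.113.9", 40001, 443, b"\x16\x03\x01\x00\x05hello"))
print(triage_pcap(SAMPLE_PCAP))
```

Flows labelled cleartext-http are the ones whose content can be read straight from the capture; flows labelled tls correspond to the encrypted case the study treated as out of scope.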

The study focused on what data could be recovered from the remaining messaging apps.

  • Text messages were recovered in four messaging apps. In one app, OkCupid, only sent messages were recovered. However, sent and received messages were recovered for MessageMe, MeetMe, and ooVoo.
  • Photos and videos were also recovered for several messaging apps. The study reports reconstructing images from Instagram, ooVoo, Tango, Nimbuzz, MessageMe, textPlus, TextMe, Viber, HeyWire, Grindr, and Facebook Messenger. Some messaging apps contained a sketching feature, which allowed a user to send an on-screen drawing. Received sketches were recovered for Viber and MessageMe, and sent sketches were recovered for Kik.
  • Additionally, some messaging apps allowed for recovery of location-tagged images, if the location was sent by the app user.
  • A final observation is that the textPlus messaging app stored screenshots of the user’s activity to the device’s storage, which were recovered. Table 5 within the paper summarizes the recovery results and source (network traffic, data storage, or server storage) for each messaging app. For complete results, refer to the study.

Scientific Highlights:

  • Many messaging applications do not use encryption when transmitting data over networks.
  • Many messaging applications store unencrypted passwords, chat logs, images, videos, text messages, and location information on local device storage that can be recovered at a later date.

Relevance: Messaging applications on mobile devices may provide valuable digital forensic evidence that can be easily accessed due to lack of encryption.

Potential conclusions:

  • Mobile messaging apps are not a secure means of communication.
  • Messaging apps may provide easily accessible digital evidence.