Mobile Apps Forensics Update


Intro

Since our last blog post, we’ve worked on two more Mobile Apps: Private Photo (Calculator%) and Snapchat. We are still in the process of analyzing the image for the Nexus 7 Snapchat analysis; however, we have completed the analysis for Private Photo (Calculator%) and the iPhone analysis for Snapchat. We plan to have the final analysis for the Nexus 7 done soon and we will include that in our final report.

Analysis

Private Photo (Calculator%)

Since Private Photo (Calculator%) is only available on the Apple App Store, our findings for this application pertain only to the iPhone. We found that within the .sqlite database for Private Photo, we were able to see how many albums and photos existed within the application – even after deletion. Each album that gets created within the application is assigned a number, which you can view under the ZAlbum tab in the .sqlite file.

  • We noticed that there was no album listed with the numbers 3 or 6, so we consulted our data generation sheet. The album “Random” was created after an album called “Funny Images”. Our inference is that “Funny Images” was assigned the number 3 and “Random” was assigned the number 4. Even though “Funny Images” was deleted, “Random” still kept its original number. A similar sequence of events would explain why album 6 does not appear in the list either.
  • The tab ZPHOTO contains information about each image such as its file type, size and the time it was created, as well as any provided caption description or name.
  • All we were able to determine from our findings was whether or not a filter was applied to an image, as well as any previous names of renamed folders, and deleted folders.
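The gap reasoning in the first bullet can be automated. The following is an added example, not code from the original post or from LCDI: it lists the numbers with no surviving row and shows the surviving albums on either side of each gap for comparison with a data generation sheet. The column names Z_PK and ZNAME, the optional high_water value, and every album name except "Random" are assumptions or constructed sample data.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for the app database; not data from the real image."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZALBUM (Z_PK INTEGER PRIMARY KEY, ZNAME TEXT)")
    # Albums 3 and 6 are absent; every name except "Random" is made up.
    conn.executemany("INSERT INTO ZALBUM VALUES (?, ?)",
                     [(1, "Vacation"), (2, "Family"), (4, "Random"),
                      (5, "Pets"), (7, "Work")])
    return conn

def _ident(name):
    """Table/column names cannot be bound as parameters, so validate them."""
    if not name.replace("_", "").isalnum():
        raise ValueError(f"unexpected identifier: {name!r}")
    return f'"{name}"'

def missing_numbers(conn, table, pk="Z_PK", high_water=None):
    """Numbers in 1..top with no surviving row (candidate deleted records).

    high_water (assumed input): highest number known to have been assigned,
    if the examiner has one from another source.
    """
    rows = conn.execute(f"SELECT {_ident(pk)} FROM {_ident(table)}")
    present = {r[0] for r in rows}
    top = max(present | {high_water or 0})
    return [n for n in range(1, top + 1) if n not in present]

def neighbours(conn, table, gap, pk="Z_PK", name="ZNAME"):
    """Surviving rows just before and after a gap, for matching against
    case notes such as a data generation sheet."""
    t, p, n = _ident(table), _ident(pk), _ident(name)
    before = conn.execute(f"SELECT {p}, {n} FROM {t} WHERE {p} < ? "
                          f"ORDER BY {p} DESC LIMIT 1", (gap,)).fetchone()
    after = conn.execute(f"SELECT {p}, {n} FROM {t} WHERE {p} > ? "
                         f"ORDER BY {p} ASC LIMIT 1", (gap,)).fetchone()
    return before, after

if __name__ == "__main__":
    # For a real extraction, open a working copy read-only:
    #   sqlite3.connect("file:copy.sqlite?mode=ro", uri=True)
    db = build_sample_db()
    for gap in missing_numbers(db, "ZALBUM"):
        print(gap, neighbours(db, "ZALBUM", gap))
```

A gap only shows that a number has no surviving row; which album held it still has to come from other records, as the data generation sheet did here.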

Snapchat

Analysis of the iPhone image showed that the file defaultChats.plist allowed us to see the names of people we’ve chatted with, who we’ve added as friends and snapchats we’ve opened. DownloadConsumptionLogger.plist contains a list of the advertisement companies on the Discovery page. Geofilters were recoverable, regardless of whether any were used in recent snapchats, within locationServicesDataStore.plist. When users create snapchat stories, these are assigned a unique ID number. Another interesting finding was that we were able to see the user’s friends list, how they were added and their relationship to the user’s account (i.e. the explanation of the emoji that users see next to their friends in Snapchat).

Conclusion

Both Snapchat and Private Photo (Calculator%) turned out to provide a lot of useful information that would be beneficial to digital forensic investigators. Moving forward, we will finish up the analysis of the Nexus 7 and include that in our final report. So be on the lookout for our final Mobile Apps report! If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at lcdi@champlain.edu.
