The Mobile Application Forensics team is wrapping up analysis on Signal by Open Whisper Systems, and is starting data generation on the new mobile dating app, Bumble. The iOS team, unfortunately, did not find many artifacts left by Signal. The Android team had better luck, and found some interesting artifacts as seen below.
During the research phase, the iOS team found that there had been previous research completed on Signal. The research reports published stated that when looking for artifacts created by Signal on iOS devices, digital investigators would find little to no evidence left on a device. The team felt it was worth a try, to see if the newer versions of Signal would leave anything on the iOS device.
During the analysis phase, the iOS team examined Signal’s file directory stored on the device. The only file that was found was a property list file (plist), seen below.
The info.plist file contained information on the version of Signal installed on the device, the number of times the app was used, the last version of the app that was used, and the date the app was first used.
Earlier in the research phase, the Mobile App Forensics team discovered that Signal was ciphering text in its databases with Base64. After attempting to decipher the text, a team member hypothesised that Signal was using a custom alphabet instead of the standard alphabet used in Base64.
In the analysis phase, the Android team reverse engineered Signal, and was able to find three 64 bit strings that resembled Base64 alphabets. We found one standard Base64 alphabet, and two custom ones titled “Ordered Base64 Alphabet” and “URL Safe Base64 Alphabet.” The URL Safe Base64 Alphabet can be seen below.
URL Safe Base64 Alphabet
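One way an examiner could test a recovered field against each of the three alphabets described above. This is an added example, not code from the team or from Signal: the standard and URL-safe alphabets are the RFC 4648 ones, `ORDERED` is assumed to be the variant from Robert Harder's public-domain Base64 class, and the sample string is constructed.

```python
import base64

# Standard and URL-safe alphabets as defined in RFC 4648.
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
URL_SAFE = STANDARD[:62] + "-_"
# Assumption: the "ordered" variant from Robert Harder's public-domain Base64
# class, whose symbols are in ASCII order. The page does not show this string.
ORDERED = "-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
ALPHABETS = {"standard": STANDARD, "url_safe": URL_SAFE, "ordered": ORDERED}


def decode_with(alphabet, text):
    """Decode text written in a 64-symbol alphabet; None if it cannot fit."""
    body = text.strip().rstrip("=")  # padding carries no data
    if not body or len(body) % 4 == 1 or any(c not in alphabet for c in body):
        return None
    # Each symbol is a 6-bit index into the alphabet; regroup the bits as bytes.
    bits = "".join(format(alphabet.index(c), "06b") for c in body)
    usable = len(bits) - len(bits) % 8  # drop the leftover filler bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def encode_with(alphabet, data):
    """Encode bytes in a 64-symbol alphabet (used here to build the sample)."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STANDARD, alphabet))


def candidates(text):
    """Return {alphabet name: decoded bytes} for every alphabet the text fits."""
    hits = {}
    for name, alphabet in ALPHABETS.items():
        decoded = decode_with(alphabet, text)
        if decoded is not None:
            hits[name] = decoded
    return hits


# Constructed sample field, not data from the team's extraction.
SAMPLE = encode_with(URL_SAFE, b"\xfb\xefmeet at 9?>")

if __name__ == "__main__":
    print("field:", SAMPLE)
    for name, raw in candidates(SAMPLE).items():
        print(f"{name:9} -> {raw!r}")
```

A field that fits more than one alphabet, as the sample does, decodes to different bytes under each, so the alphabet has to be confirmed from the code path that wrote the field rather than from the characters alone.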
Once data generation was complete, the Android team used UFED to do a physical extraction of the Nexus 5x, and used UFED along with EnCase to analyze the data. Below are our findings.
Earlier on, we knew that Signal encrypted messages sent and received on the user’s phone. Through using UFED, we were able to see all the messages inside Signal’s messages.db database, including data regarding MMS messages (Multimedia Messaging Service), correct timestamp information, and sender/receiver information. Below is an image of what we found through UFED’s timeline tool.
Ciphered messages found in messages.db in plain text via UFED
Regarding MMS messages, the messages.db database did not store the images we sent themselves, but rather referenced where the pictures were located on the phone or in its cache. Signal stores messages it sent or received in the image_manager_disk_cache, which is located inside the Root/data folder: (Root/data/org.thoughtcrime.securesms/cache/image_manager_disk_cache). Here is an image of one of the images we received on the Nexus 5x via Signal, along with the path showing that it was found in the image_manager_disk_cache.
Image sent to Nexus 5x via Signal stored inside image_manager_disk_cache
Contact list and information:
Signal stores information regarding who the user recently contacted in its canonical_address.db database. Through the canonical_addresses.db database, UFED was able to detect SMS messages (Short Message Service) sent from the Nexus 5x that were later imported into Signal, and was able to recreate that chat. Below is an image of what we were able to see via UFED’s chat window.
SMS messages imported from Nexus's default messaging app to Signal
The iOS team was not able to find important artifacts on the phone with respect to Signal. The Android team, however, was able to find artifacts pertaining to Signal which we believe are of importance. Our analysis concluded that Signal is a secure app unless the investigator has access to UFED or other mobile forensic software that can decode the encrypted data stored on the device.
The Mobile Application Forensics team will continue to do their analysis on Signal, and will start moving their attention towards a new mobile dating app, Bumble. With the team more experienced, and with a new app ready for analysis, we hope to post an update on our next blog on our results for Bumble. Stay tuned!