Mobile Device Forensics Update 2

Introduction

So far, the team has analyzed six applications on two operating systems. Originally, we planned on including a Windows phone in our analysis. However, without Cellebrite’s in-house system, we had very limited access to that file system. The first set of apps we focused on were Viber, Telegram, and LINE; all messenger applications used to chat with other users.

The second set of apps that we analyzed were Rabbit, Twitch, and Expedia. Rabbit is a streaming application generally used by friends to watch content together. Twitch is used to watch others play video games and chat with streamers live. Both could contain sensitive personal information. Expedia, meanwhile, is a location-based app. It logs hotels you’ve stayed in, flights you’ve taken, cars you’ve rented, locales you’ve visited, and more, any of which could potentially be exploited or raise privacy concerns.

The First Set of Applications

Viber

On Viber, the full contact list is accessible. We also found names, IDs, and phone numbers for everybody that a user had chatted with.  

Viber Application Data

In addition, there were chat logs of all interactions, with timestamps included. We did not delete messages in our data generation. Even so, there was a database titled “ZDELETEDVIBERMESSAGE”, indicating that deleted messages are recoverable.

We did not manage to gain access to most of the Windows file system. However, we did find an image sent through Viber on the Windows phone, meaning that any images sent over Viber are saved to your phone.

Viber Data

Telegram

We learned that Telegram is a cloud-based service. This means most of the data associated with and utilized by the application is stored remotely on Telegram’s own cloud services. Without going into the cloud data, we found contacts added through Telegram on the Android phone. We also found location data showing where we used the device.

Telegram Map

LINE

While our analysis of LINE on the Android phone revealed little, the iPhone picked up multiple artifacts. These included chat logs and basic user information, as well as a friend’s user ID, their name, picture URL, and their status message. 

LINE Data

The Second Set of Applications

Rabbit

Rabbit contained the least amount of data of the applications. On iOS, we didn’t find many artifacts. We only found an incomplete database containing cookies, evidence of timestamps, and user/device information. We found the former in a database in the application folder, but the latter had to be manually searched for.

Rabbit Data

On the Android phone, we found even less data. The only artifact of interest was an XML file containing data on the user. This included full name and display name, as well as the user’s email.

Rabbit Data

Twitch

Twitch did not reveal much on the Android device. The only artifact found was the email, in plain text, used to sign up for the associated account. However, on the iPhone, we found cookies containing each account’s user ID, their name, picture URL, and their status message. The iPhone also contained login information, such as the last login date.

Twitch Data

Expedia

In comparison to the other two applications in this set, Expedia revealed a bevy of information. Much of the information we found was related to locations the user previously looked at and the trip criteria that were searched for. On iOS we found the locations searched for, the results on a map, and account information. It seems as though the application logs the location of every place you search for.

Expedia Data

Analysis on Android led to similar results. We found images of the locations the user looked at and their place on a map. Far more interesting is an XML file containing a list of the various criteria previously entered while searching for a trip. Interestingly enough, this file is saved online, not locally. Anyone with the URL could access your trip details. This alone raises another privacy concern.

Conclusion

Both sprints revealed some interesting artifacts from their applications. We also learned a few other important facts to keep in mind for the future. For example, you can hunt through hex to find artifacts that Cellebrite can’t pick up quite as well. Also, Cellebrite only has limited access to Windows Phones. It’s also good to know that, despite claims of being encrypted and impenetrable, an app will always leave behind something readable, whether that be good or bad.
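The manual hex hunt mentioned above can be partly scripted. The following is an added example, not LCDI's tooling: it carves plaintext e-mail addresses (like the sign-up address found for Twitch) out of raw bytes in both ASCII and UTF-16LE and reports the offset an examiner would cite. The function names and the sample bytes are constructed for illustration.

```python
import re

# Byte-level patterns: a plain text search for ASCII misses strings stored
# as UTF-16LE, where every character is followed by a 0x00 byte.
EMAIL_ASCII = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EMAIL_UTF16 = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9.-]\x00)+\.\x00(?:[A-Za-z]\x00){2,}"
)

def carve_emails(blob: bytes):
    """Return sorted (offset, encoding, address) hits found in raw bytes."""
    hits = []
    for m in EMAIL_ASCII.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in EMAIL_UTF16.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)

def hex_row(blob: bytes, offset: int, width: int = 16) -> str:
    """Render the hex-editor row that contains `offset`, for report notes."""
    start = offset - offset % width
    chunk = blob[start:start + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}  {hexpart:<{width * 3}} {text}"

# Constructed sample: an XML preference fragment, some binary filler, and a
# UTF-16LE string, standing in for a file pulled from an extraction.
SAMPLE = (
    b'<map><string name="email">examiner@example.com</string></map>'
    + b"\x00\xff\x10\x02"
    + "test.user@example.org".encode("utf-16-le")
    + b"\x00\x00\x7f"
)

if __name__ == "__main__":
    for offset, encoding, address in carve_emails(SAMPLE):
        print(f"0x{offset:08x} {encoding:9} {address}")
        print("   ", hex_row(SAMPLE, offset))
```

Run against a file from an extraction by reading it in binary mode and passing the bytes to `carve_emails`; the reported offsets can then be verified by hand in a hex viewer.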

Post any feedback, questions, or general comments in the comment section below! Interested in our research? Follow the Leahy Center for Digital Investigation (LCDI) on Twitter @ChampForensics, Instagram @ChampForensics and Facebook @ChamplainLCDI.