
Digital Investigation 9 (2012) S24–S33
journal homepage: www.elsevier.com/locate/diin

Forensic analysis of social networking applications on mobile devices

Noora Al Mutawa, Ibrahim Baggili, Andrew Marrington*
Advanced Cyber Forensics Research Laboratory, Zayed University, PO Box 19282, Dubai, United Arab Emirates

Keywords: Mobile device forensics; Social networking; iPhone; Android; BlackBerry

Abstract

The increased use of social networking applications on smartphones makes these devices a goldmine for forensic investigators. Potential evidence can be held on these devices and recovered with the right tools and examination methods. This paper focuses on conducting forensic analyses of three widely used social networking applications on smartphones: Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphones: BlackBerrys, iPhones, and Android phones. The tests consisted of installing the social networking applications on each device, conducting common user activities through each application, acquiring a forensically sound logical image of each device, and performing manual forensic analysis on each acquired logical image. The forensic analyses were aimed at determining whether activities conducted through these applications were stored in the device's internal memory. If so, the extent, significance, and location of the data that could be found and retrieved from the logical image of each device were determined. The results show that no traces could be recovered from BlackBerry devices. However, iPhones and Android phones store a significant amount of valuable data that could be recovered and used by forensic investigators.

© 2012 A. Marrington, N. Al Mutawa & I. Baggili. Published by Elsevier Ltd. All rights reserved.

* Corresponding author. Tel.: +971 4 402 1199; fax: +971 4 402 1017. E-mail address: andrew.marrington@zu.ac.ae (A. Marrington).
ISSN 1742-2876. doi:10.1016/j.diin.2012.05.007

1. Introduction

The last several years have witnessed the rapid evolution of a new form of online communication known as social networking. By joining websites that offer these services, users can interact and socialize, share information and ideas, post comments and updates, participate in activities and events, upload files and photos, and engage in real-time instant messaging and conversations. These websites attract millions of people from all over the world. A study estimated that the number of unique users of online social networks worldwide was about 830 million at the end of 2009 (International Telecommunications Union, 2010).

Despite being primarily used to communicate and socialize with friends, the diverse and anonymous nature of social networking websites makes them highly vulnerable to cybercrime. Phishers, fraudsters, child predators, and other cyber criminals can register with these services under fake identities, hiding their malicious intentions behind innocent-looking profiles. Social networks also encourage the publication of personal data, such as age, gender, habits, whereabouts, and schedules. The wealth of personal information uploaded to these websites makes it possible for cyber criminals to manipulate this information to their advantage and use it to commit criminal acts. Other abusive activities that can be committed on these websites include uploading illegal or inappropriate material, defamation, and stalking (de Paula, 2009). The large number of criminal acts that can be performed through social networks raises the importance of digital forensics in this area. Electronic evidence retrieved from social networking activities on a suspect's machine can be of great assistance in investigating a criminal case, whether by incriminating the suspect or by proving their innocence.

Besides accessing social networking sites via desktop computers and laptops, subscribers can use their smartphones to tap into these services. A survey conducted by Ruder Finn (a PR agency) showed that "91% of smartphone

users go online to socialize compared to only 79% of traditional desktop users". It also showed that 43% of smartphone users use them to communicate with people on social networking sites (Finn, 2012). Approximately half of Facebook's users access Facebook through a mobile device, such as a smartphone or tablet. According to Facebook, these users are twice as active as users who do not access Facebook through a mobile device (Facebook, 2011). Given that millions of users access social networks through smartphones and that smartphones provide 24/7 access to these services, there is a high risk of abuse of these services by users with malicious intentions. Therefore, when a forensic examination is performed on a suspect's smartphone, there is a chance of finding evidence that supports criminal prosecution.

Forensic examination of smartphones is challenging. First, smartphones are always active and are constantly updating data, which can cause faster loss of evidentiary data. Second, the operating systems (OS) of smartphones are generally closed source, with the notable exception of Linux-based smartphones, which makes creating custom tools to retrieve evidence a difficult task for forensic examiners. In addition, smartphone vendors tend to release OS updates very often, making it hard for forensic examiners to keep up with the examination methods and tools required to forensically examine each release. The variety of proprietary smartphone hardware is another issue faced by forensic examiners (Al Zarouni, 2006).

This paper focuses on conducting forensic analyses of three widely used social networking applications on smartphones: Facebook, Twitter, and MySpace. The tests were conducted on three popular smartphones: the BlackBerry Torch 9800, the iPhone 4, and the Android-based Samsung Galaxy S. They consisted of installing the social networking applications on each device, conducting common user activities through each application, acquiring a forensically sound logical image of each device, and performing a manual forensic analysis on each acquired image. The purpose of our analysis was to determine whether activities conducted through these applications were stored in the device's internal memory. If so, the amount, significance, and locations of data that could be found and retrieved from the logical image of each device were determined.

2. Related work

2.1. Mobile device forensics

Initial work in this field focused on acquisition techniques and general forensic analyses of smart devices. Burnette discussed the forensic examination of older versions of the BlackBerry and covered the hardware and software used for acquisition (Burnette, 2002). He also described several methods of examination, including the use of hex editors and emulators. Later research provided foundational concepts for forensic analyses of the newer generations of smartphones (e.g., BlackBerry and iPhone). It outlined the technologies used, the handling procedures, and the common evidence storage locations for each device. The data that could be extracted from the internal memory of these devices included call logs, SMS, MMS, emails, webpage bookmarks, photos, videos, and calendar notes (Punja and Mislan, 2008).

Recent research has focused on individual types of smartphones, investigating the methods that could be used to acquire and analyze the internal memory of the device and the data that could be extracted from it. iPhone data can be acquired by either a physical or a logical method. The physical method requires jailbreaking the system, which causes a slight modification to the system's data (Kubasiak et al., 2009). However, the latest technique developed by Zdziarski acquires a physical-logical image of an iPhone without jailbreaking the phone (Zdziarski, 2010). It is considered the best forensic method for acquiring an iPhone and has been evaluated by the National Institute of Standards and Technology (NIST) (National Institute of Standards and Technology, 2010). Similar to iPhones, Android-based smartphones can also be acquired using either a physical or a logical method. The physical technique consists of obtaining a dd image of the phone's memory and requires root access to the device (Lessard and Kessler, 2010). Vidas et al. discuss an acquisition methodology based on overwriting the "Recovery" partition on the Android device's SD card with specialized forensic acquisition software (Vidas et al., 2011).

2.2. Social networking forensic artifacts

Research has also investigated the artifacts left by social networking sites on computer systems and the tools that assist in extracting these artifacts. Zellers examined the unique data tags created in different MySpace source-code pages and used these tags to create focused artifact keyword searches (Zellers, 2008). Other research discussed the process of recovering and reconstructing Facebook chat artifacts from a computer's hard disk (Al Mutawa et al., 2011).

Because many social networking applications are integrated into new smartphones, forensic examiners may be able to find relevant evidence on a suspect's smartphone in cases involving social networks. A forensic examination of the iPhone 3GS (via a logical acquisition) showed that a database related to the Facebook application is stored in the phone's memory. The database stores data for each friend in the list, including their names, ID numbers, and phone numbers (Bader and Baggili, 2010). Two other directories related to the Twitter application were also found. These directories store Twitter account data, attachments sent with tweets, user names, and tweets with date and time values (Morrissey, 2010). A forensic examination of an Android phone's logical image showed that basic Facebook friend information is stored in the contacts database (contacts.db), as the device "synchronizes contact's Facebook status updates with the phone book" (Lessard and Kessler, 2010). It also showed that the device stores Twitter passwords and Twitter updates performed through the Twitter application in plain text (Lessard and Kessler, 2010). Forensic research papers on BlackBerry phones and Windows smartphones, however, did not mention finding or recovering any data related to the use of social networking applications.

Similar to computers, smartphones store data that can help determine how the device has been used or misused.

Therefore, activities performed through social networking applications may be stored on smartphones. However, previous research has been limited to the recovery of very basic information related to the use of social networking applications. Further experiments focusing on the recovery of artifacts related to the use of social networking applications are required to determine whether activities performed through these applications are stored on, and can be recovered from, smartphones.

3. Methodology

The main purpose of this research is to determine whether activities performed through smartphone social networking applications are stored in the internal memory of these devices and whether these data can be recovered. Such data can be of high evidentiary value and can assist in the investigation of criminal, civil, or other types of cases. The goal of this study was achieved by conducting experiments on a number of smartphones. Manual forensic examinations and analyses were performed on three commonly used social networking applications on smartphones: Facebook, Twitter, and MySpace. The experiments were conducted on three popular smartphones: BlackBerrys, iPhones, and Android phones.

In a real investigation, law enforcement agencies may have access to data from the social networking providers. Depending on the nature of the investigation, jurisdictional issues, and the degree to which the social networking provider cooperates with law enforcement, the provider may prove to be a more convenient source of digital evidence about social networking use than the smartphone. However, investigating the smartphone has two-fold value. It is often useful to corroborate evidence from different sources, such as from the provider and then from the smartphone. Moreover, especially in an era of ubiquitous mobile Internet connections, many traditional telephony services (such as text messaging) are provided via social networking sites through their smartphone apps. It may be crucial to the reconstruction of a crime to know whether particular social networking activities (already reflected in data from the service provider) took place on a particular smartphone.

The experiments were conducted using forensically sound approaches and under forensically acceptable conditions to fulfill a crucial rule in digital forensics: to preserve the integrity of the original data and to prevent any contamination that would interfere with its acceptance in court. The test and examination procedure was derived from the Computer Forensics Tool Testing program guidelines established by the National Institute of Standards and Technology (NIST) to ensure the quality of the testing methods and the reliability and validity of the results (National Institute of Standards and Technology, 2001).

The research aimed to work with realistic data similar to that found in an actual investigation. In a real investigation, suspects may use different social networking applications on smartphones and conduct different activities through each of them. They may also use jailbroken iPhones or rooted Android devices. The experiments were designed accordingly.

3.1. Test environment and requirements

Prior to conducting the experiments, a forensic workstation was set up and configured. Once the forensic workstation was ready, it was isolated from the lab's network. The following is a list of the hardware and software used to conduct the experiment:

- Two BlackBerry Torch 9800 phones (software version: 6.0 Bundle 862).
- Two iPhone 4 devices, 32GB (iOS version 4.3.3, build 8J2).
- One Android phone (Samsung GT-i9000 Galaxy S, firmware version 2.3.3).
- Facebook, Twitter, and MySpace applications for each tested phone.
- BlackBerry Desktop Software (version 6.1.0 B34).
- Apple iTunes application (version 10.4.0.80).
- TextPad (version 4.5.2).
- Plist Editor for Windows (version 1.0.1).
- SQLite Database Browser (version 1.3).
- DCode (version 4.02a).
- EnCase (version 6.5).
- A software USB write-blocker (Thumbscrew).
- USB data cables.
- A Micro SD card.
- A Micro SD card reader.
- Odin3 (version 1.3), a tool to flash a rooting package to the Android device.
- MyBackup by Rerware, LLC (version 2.7.7).

The configurations of the smartphones were not altered. Temporary storage cache sizes, for instance, were not modified from factory defaults. Changing the default cache size would likely affect the volume of recoverable digital evidence found on the smartphone.

3.2. Test procedure

The test procedure consisted of three stages: scenarios, logical acquisition, and analysis. The following sections describe each stage in detail.

3.2.1. Scenarios

This stage involved conducting common user activities on social networking applications on the smartphones. The Facebook, Twitter, and MySpace applications were installed on each device if they were not already integrated with the device. These applications were chosen simply because of their availability as stand-alone applications for each platform. For the purpose of the experiments, fictional accounts with fictional users were created on each social networking website and were logged into and used through the smartphones' applications. For each device, a predefined set of activities was conducted using each application. The activities were chosen to represent common activities, such as uploading photos, posting

comments, sending emails within the application, and chatting.

3.2.2. Logical acquisition

The second stage involved acquiring a logical image of the internal memory of each device. The acquisitions were performed in a controlled environment using forensically sound techniques to ensure the integrity of the acquired data and its potential admissibility in court. As is always the case with logical acquisitions, data remnants of inactive (deleted) files may be missed in the course of such an acquisition. In computer forensics, for example, a logical acquisition may miss data stored in slack space. The same issue exists with all logical acquisition techniques for smartphones.

As the tested phones had three different operating systems, specific tools and configurations were required to manually acquire a logical image of each device. Detailed methods of acquisition are presented later in the paper.

3.2.3. Analysis

The third stage involved performing forensic examinations of the acquired logical image of each device to determine whether the activities conducted through these applications were stored in the device's internal memory. If so, the amount, location, and significance of the data that could be found and retrieved from the logical image of each device were determined. The examinations were conducted manually using a number of tools to view the acquired images, determine the unique headers or signatures of each structure, search for data related to the social networking applications, and determine how these data were stored on each device.

4. Implementation and analysis

The first stage of the experiment involved installing the social networking applications and conducting the predefined activities on each device. This stage was straightforward and the same for all of the tested devices. For the two BlackBerry Torch phones, the Facebook, Twitter, and MySpace applications were already preinstalled by the manufacturer. For the two iPhones, Facebook (version 3.4.4), Twitter (version 3.3.5), and MySpace (version 2.0.7) were downloaded from the App Store and installed on the devices. For the Android phone, Facebook (version 1.6.3), Twitter (version 2.1.2), and MySpaceDroid (version 1.0.7) were downloaded from the Android Market and installed on the device. All of the tested applications were produced by the official social networking companies except for MySpaceDroid (the official MySpace application could not be installed on the tested Android phone).

Once the applications were installed on the devices, the predefined activities were conducted on each device. The activities represented common user activities and activities that would be of interest to the forensic examiner. These activities included uploading photos, posting comments, sending emails, and chatting. Table 1 lists all activities that were performed on each application of each tested device.

Similar activities were conducted on each tested phone; however, unique data were used on each application for each phone to reduce redundant data and simplify the analysis phase. After conducting the social networking activities on the tested phones, a logical image of the internal memory of each device was acquired and analyzed for evidence of the conducted activities. Table 2 lists the keywords used to search for traces of each social networking application's usage. The following sections describe the procedures used for the acquisition and analysis of each tested smartphone.

4.1. BlackBerry forensic examination

This section describes the process of the logical acquisition and forensic analysis of the two tested BlackBerry phones. The processes for both phones were identical, and the analysis results were similar.

Table 1
Activities performed on each application of each tested device.

Application  Performed activities                                      Comments
Facebook     Login with user name infected.mushroom2011@hotmail.com   –
             and password mushroom77
             Post in news feed                                         –
             Upload photos + captions                                  –
             Send email messages                                       –
             Post on friend's wall                                     –
             Instant messaging (chat)                                  –
             View profiles of friends                                  –
Twitter      Login with user name infected.mushroom2011@hotmail.com   –
             and password mushroom246
             Follow people                                             –
             Post tweets                                               –
             Upload photos                                             –
MySpace      Login with user name infected.mushroom2011@hotmail.com   –
             and password mushroom888
             Upload pictures                                           Did not function for Android
             Add friends                                               –
             Change status                                             –
             Check emails                                              –
             Send emails                                               –
             Post comments                                             –
             View profiles                                             –
             Instant messaging (chat)                                  Did not function for Android

Table 2
Keywords used to search for social networking activity.

Application  Keywords
All          infected.mushroom2011@hotmail.com
MySpace      mushroom888, infected mushroom, gloomy, hello myspace
Twitter      mushroom246, ForensicFocus, Jzdiarski, jonathan zdziarski, Sctan, Mushrooom2011, "Amazing how time runs fast!!", "so hot and humid!!"
Facebook     mushroom77, "craving for shake shack!!", "hello cheza", "lets go to the mall", "hellooooo", "hey im here", "what time shall we go?", "9pm?", "ok see u later", Infected, Cheza
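The analysis stage of Section 3.2.3 (identify each structure by its header, then search it for the keywords in Table 2) can be automated rather than done file by file in a text editor. The Python script below is an added example, not code from the paper or its authors. It classifies every file in a backup directory by its leading bytes using the three signatures the paper reports (the "Inter@ctive Pager Backup/Restore File" header of BlackBerry IPD backups, "bplist00" for binary plists and "SQLite format 3" for SQLite databases), extracts searchable text according to the detected type, runs a case-insensitive keyword search over it, and decodes the two timestamp encodings the paper meets in the iPhone artifacts (UNIX epoch seconds in the Facebook database, Apple absolute time counted from 1 January 2001 in the MySpace database). The backup directory it builds is constructed for illustration only; its file names, table name and plist key are made up and do not correspond to the paper's artifacts.

```python
"""Added example (not code from the paper): header-based triage and keyword
search over a logical backup directory, plus decoding of the two timestamp
epochs found in the iPhone artifacts.  The sample backup is constructed."""
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Header signatures reported in the paper: BlackBerry IPD backups,
# binary property lists and SQLite databases.
SIGNATURES = {
    b"Inter@ctive Pager Backup/Restore File": "ipd",
    b"bplist00": "bplist",
    b"SQLite format 3\x00": "sqlite",
}


def classify(path):
    """Return the file type implied by the first bytes of the file."""
    with open(path, "rb") as f:
        head = f.read(64)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def _plist_strings(obj):
    """Yield every string value reachable inside a decoded plist object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _plist_strings(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _plist_strings(v)


def searchable_text(path, kind):
    """Extract the text to search, decoding the file according to its type."""
    if kind == "sqlite":
        # Open read-only so the search itself cannot alter the evidence copy.
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            names = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            cells = []
            for t in names:
                for row in con.execute(f'SELECT * FROM "{t}"'):
                    cells.extend(str(v) for v in row if v is not None)
            return "\n".join(cells)
        finally:
            con.close()
    if kind == "bplist":
        with open(path, "rb") as f:
            return "\n".join(_plist_strings(plistlib.load(f)))
    # IPD and unknown files: search the raw bytes, lossily decoded.
    with open(path, "rb") as f:
        return f.read().decode("latin-1")


def keyword_hits(path, keywords):
    """Case-insensitive search of one file; returns (type, matched keywords)."""
    kind = classify(path)
    text = searchable_text(path, kind).lower()
    return kind, sorted(k for k in keywords if k.lower() in text)


def triage(backup_dir, keywords):
    """Map every file name in the backup directory to (type, matches)."""
    return {name: keyword_hits(os.path.join(backup_dir, name), keywords)
            for name in sorted(os.listdir(backup_dir))
            if os.path.isfile(os.path.join(backup_dir, name))}


def unix_time(seconds):
    """Facebook database timestamps: seconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def apple_absolute_time(seconds):
    """MySpace database timestamps: Apple absolute time, seconds since 2001-01-01 UTC."""
    return datetime(2001, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def build_sample_backup():
    """Construct a tiny fake backup directory (illustration only, made-up names)."""
    d = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(d, "friends.sqlite"))
    con.execute("CREATE TABLE friends(uid INTEGER, first TEXT, last TEXT, email TEXT)")
    con.execute("INSERT INTO friends VALUES (1, 'Cheza', 'Example', 'cheza@example.invalid')")
    con.commit(); con.close()
    with open(os.path.join(d, "account.plist"), "wb") as f:
        plistlib.dump({"LastLoginEmail": "infected.mushroom2011@hotmail.com"},
                      f, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(d, "torch.ipd"), "wb") as f:
        f.write(b"Inter@ctive Pager Backup/Restore File\x00SMS: hello from the torch")
    with open(os.path.join(d, "noise.bin"), "wb") as f:
        f.write(bytes(range(32)))
    return d


if __name__ == "__main__":
    sample = build_sample_backup()
    keywords = ["infected.mushroom2011@hotmail.com", "Cheza", "gloomy"]
    for name, (kind, hits) in triage(sample, keywords).items():
        print(f"{name}: {kind} {hits}")
```

SQLite files are opened read-only through a URI so that the search cannot write to the evidence copy. Note the limitation this inherits from the logical acquisition caveat in Section 3.2.2: a SELECT only returns live rows, so a keyword that survives only in deleted records or free pages of the database will not be found by this pass and needs a raw-bytes search of the file.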

4.1.1. Logical acquisition

The logical acquisition of the BlackBerry phones was performed using BlackBerry Desktop Software (BDS). BDS is a management application that is freely available on the official BlackBerry website. It is designed to synchronize data, applications, and media files between the BlackBerry device and the host computer. It is also used to create backup copies of data from the BlackBerry phone and save them on the host computer. BDS is not designed for forensic acquisition. However, there are several advantages to using it to acquire a logical copy of a BlackBerry device. First, it is produced by the same company that produces the device; thus, more data may be obtained using BDS than with some forensic tools produced by companies with less familiarity with BlackBerry. Second, backup files acquired through BDS can be inspected using a BlackBerry emulator.

A rule of thumb in the field of digital forensics is not to alter the original data acquired from the subject's device. By default, BDS is set to synchronize the phone's date and time with those of the host computer. If this option is not deactivated, it can strongly affect the validity of evidence in a criminal investigation by changing the original dates and times on the subject phone, contaminating the evidence. Therefore, this option must be explicitly disabled before attempting to attach and back up the subject's phone.

After configuring BDS not to synchronize the BlackBerry phone with the host computer, a logical image of the test device was created using the "Backup" option from the Device menu. (This backup is a logical copy of the device's databases, not a bit-by-bit physical image of its memory.) The logical image was created manually by performing a full backup of the device. Once the backup process was completed, the device was disconnected from the forensic workstation.

4.1.2. Examination and analysis

Acquiring a logical image of the BlackBerry phones resulted in the creation of a single proprietary IPD file for each phone. The files were stored within the default backup directory and by default had the naming style "BlackBerry model (current date).ipd" (e.g., BlackBerry Torch 9800 (July 30, 2011).ipd). Viewing the IPD file in a text editor showed that it had a unique header that starts with "Inter@ctive Pager Backup/Restore File". The file contained databases of user data and configuration. Examining the contents of the files revealed that they contained user data, such as contacts, SMS messages, MMS messages, and call logs. However, no traces of the social networking activities performed during the test were found.

4.2. iPhone forensic examination

This section describes the process of the logical acquisition and forensic analysis of the two iPhones. The acquisition processes for both phones were identical, and the analysis results were similar.

4.2.1. Logical acquisition

The logical acquisitions of the iPhone 4 devices were performed using the Apple iTunes application (version 10.4.0.80). Similar to BDS, iTunes is a synchronization and management application and is freely available on the official Apple website. It is designed to synchronize data, applications, and media files between Apple devices (e.g., iPhone, iPad, and iPod) and the host computer. It is also used to create backup copies of data from the Apple device and save them on the host computer. iTunes is not designed for forensic acquisition. However, it is an option that forensic practitioners can use to obtain a logical image (backup file) of an Apple device. Backup files may also exist on the suspect's computer if the suspect had previously performed a sync operation or a software update, or restored their device to its factory settings.

It is critical for a forensic examiner to ensure the integrity of the acquired evidence. Therefore, the iPhone logical acquisitions were conducted in a forensically sound environment. Before attaching each iPhone to the forensic workstation, it was critical to disable the automatic synchronization option in the iTunes application. By default, iTunes automatically syncs the device to the host computer once the device is connected.

Disabling automatic synchronization preserves the integrity of the iPhone's data, as it prevents the user's data from being exchanged between the iPhone and the host computer. Once iTunes was configured, the iPhone was attached to the forensic workstation through a USB data cable. After it was detected by the iTunes application, a logical acquisition was manually initiated by right-clicking on the device name and selecting "backup". iTunes created a backup copy of the iPhone and, by default, placed the backup files in the following directory: C:\Users\[user]\AppData\Roaming\Apple Computer\MobileSync\Backup\[unique identifier]. Once the backup process was completed, the iPhone was disconnected from the forensic workstation.

4.2.2. Examination and analysis

Acquiring a logical image of the iPhones using iTunes resulted in the creation of a folder with a unique alphanumeric name (a hash value) for each iPhone, which contained the backed-up logical files. Both folders included three plist files, one mbdb file, one mbdx file (Info.plist, Manifest.plist, Status.plist, Manifest.mbdb and Manifest.mbdx), and a number of backup files with no apparent extensions. Each of the backup files was distinguished by a unique alphanumeric identifier of 40 characters (the SHA-1 hash of the file's backup domain and relative path, as recorded in the mbdb file).

Viewing and examining the backup files in a text editor showed that these files are in binary or plain-text format and may contain encapsulated images, SQLite database files, or other plist files. To examine the contents of each file, they had to be decoded and viewed using the appropriate tools. Each file type was determined by the header contained within the file. Files starting with the header "bplist00" contained binary plist data, and files starting with the header "SQLite format 3" contained SQLite databases. A number of tools were used to manually examine the contents of the backup files according to their type. Plist Editor for Windows (version 1.0.1) was used to read and examine backup files that contained plist data, and SQLite Database Browser (version 1.3) was used to read and examine backup files that contained SQLite databases.

Manual examination of the backup files showed that they contained a vast amount of user data, including sent and received SMS, calendar events, call history, and address book entries. However, the main focus of this research was

to determine whether footprints of social networking applications were stored within these backup files. A command-line utility was used to manually search the files within the backup directory for keywords that relate to the social networking activities conducted during the experiment. Files containing the keywords were then decoded using the appropriate tools (e.g., Plist Editor and SQLite Database Browser), and their contents were thoroughly examined for traces of the activities that were conducted earlier in the experiment.

4.2.2.1. Facebook artifacts. Examination and analysis of the backup files revealed a number of SQLite and plist files related to the tested social networking applications. Many files contained the strings "Facebook", "Twitter", and "MySpace"; however, only a few contained data of interest to the forensic examiner. Three files contained data related to the iPhone Facebook application. The first two files were SQLite databases with the hashed names 6639cb6a02f32e0203851f25465ffb89ca8ae3fa and 9f2140d8e87b45a9bb5dfc813fd2299c02851e6b. Viewing the first file using the SQLite Database Browser showed that it contained a table that stored Facebook friend data. The table stored the friends' profile IDs, first and last names, URLs pointing to their profile pictures on Facebook, phone numbers, and email addresses.

The second file contained traces of the user's previous activities of uploading photos and posting comments through the Facebook application. It stored data such as the user's name, profile ID, the nature of the activity performed (e.g., uploading photos), and timestamps of the performed activities. The timestamps were stored as UNIX numeric values (seconds since 1 January 1970 UTC). Comparing the decoded dates and times to the dates and times of the activities performed on the actual Facebook webpage showed that the pictures were uploaded and the comments were posted within the same period of time. Fig. 1 shows the actual activities as they were presented on the Facebook website. Fig. 2 shows the traces of activities stored in the SQLite database.

The third file that contained data related to the iPhone Facebook application was a plist file with the hashed name 384eb9e62ba50d7f3a21d9224123db62879ef423. The file stored details about the user, including the last email address used to log into the Facebook account, the unique identifier (ID) that identified the user's profile and user name, and a URL pointing to the user's profile picture on Facebook.

Further examination of the plist file 384eb9e62ba50d7f3a21d9224123db62879ef423 yielded more interesting results. In addition to the details of the last logged-in user, the plist file contained other information that could be significant to the forensic examiner. It stored a record of all users that had previously logged into their Facebook accounts using the Facebook application. This information

4.2.2.2. Twitter artifacts. The iPhone Twitter application had two plist files that contained data that may be of significance to the forensic examiner: eb8899d553cf563080453f9a366600de1dcf6286 and f77282c60c3cee3ffce4a8bba2760fd954d4921f. The first file held the Twitter application's user information, including the user name, a URL pointing to the user's profile picture, tweets posted by the user, and the timestamps of the posted tweets. The second file contained the user's details plus some other information. It held records of people followed by the user, their user names, detailed information taken from their profile pages, URLs pointing to their profile pictures, tweets posted by them, and the timestamps of their posted tweets. Fig. 3 shows the details of a tweet posted by the user of the iPhone Twitter application, recovered from the first file, and the corresponding tweet extracted from the Twitter website.

4.2.2.3. MySpace artifacts. The iPhone MySpace application had two files that contained data that may be of significance to the forensic examiner: a SQLite file, 48598f280bb577d1e68aaddadccba35c54acbb48, and a plist file, e5cb579c7bdf12b996bd865ecf6290ab94374abd. The SQLite file contained the user name of the iPhone MySpace application, plus comments that the user had posted in the stream, with timestamps encoded as Apple absolute time (seconds since 1 January 2001, a different epoch from the UNIX timestamps in the Facebook database, so the two must not be decoded with the same converter). Table 3 shows a record of one of the posted comments and its timestamp.

4.2.2.4. Dynamic dictionary. Another file that held data of interest to this study was 0b68edc697a550c9b977b77cd012fa9a0557dfcb. Examining the contents of the file in a text editor showed that it started with the header "DynamicDictionary-4" and stored snippets of text that had been typed using the iPhone's keyboard. Tests on the contents of this file showed that it stores user keyboard input to applications on the iPhone, including social networking applications. Parts of the comments, emails, and chat messages that were entered during the experiment, and that were not stored elsewhere in the backup files, were found in this file.

4.3. Android forensic examination

This section describes the process of the logical acquisition and forensic analysis of the Android phone (Samsung GT-i9000 Galaxy S, firmware version 2.3.3). Unlike the other smartphones, unless the Android phone is rooted, many data files cannot be accessed or backed up by backup programs. Therefore, the tested Android phone was first rooted using Odin3 (version 1.3) to flash the CF-Root XW rooting kernel (a package that grants root access, not a rootkit in the malware sense).

Installing this package allows the user to gain privileged control over the Android OS (root access), allowing them to bypass some of the limitations that the manufacturers put on the
included user names, profile IDs, and URL addresses pointing device. Having a rooted Android phone also allows the user
to their profile pictures on Facebook. Furthermore, the plist to access protected directories on the system that hold user
file stored the details of the friends who had an active chat data (e.g., /data/data directory) and backup all of the files in
session with the Facebook user. The details included the user these directories. These data files can hold a significant
names of the friends, their profile ID, URL addresses pointing amount of data that may support an ongoing investigation.
to their profile pictures on Facebook, and a timestamp of The process is not uncontroversial in the forensics litera-
when the chat session was initiated. ture (see for example, the discussion in Vidas et al. (2011)),
S30 N. Al Mutawa et al. / Digital Investigation 9 (2012) S24–S33

Fig. 1. The actual photos and comments as presented on the Facebook website.

and ideally, a thorough method of logical acquisition which creation of a backup directory on the external Micro SD
does not require rooting or other modification of the soft- card. The Directory had the default path \rerware\MyBack-
ware running on the Android device will be identified in up\AllAppsBackups\[AppsMedia_yyyy_mm_dd]\Apps. The
future research. directory contained three archive (ZIP) files, one for each
tested app:
4.3.1. Logical acquisition
Unlike Blackberrys and iPhones, Android phones do not  com.facebook.katana_4130.zip
have a unified management and backup solution. Various  com.kozmo.kspace_4.zip
companies have released different backup tools which give  com.twitter.android_134.zip
the user the option of backing up the device on either the
phone’s SD Card or the company’s server. One such appli-
cations is MyBackup. 4.3.2.1. Facebook artifacts. The three backed up files were
To acquire a logical backup of the Android phone, copied to the forensic workstation, where each was
MyBackup (v2.7.7) was installed on the test Android phone. A extracted and thoroughly examined for traces of the social
new Micro SD external card was placed into the test phone. networking activities performed during the tests. The first
The Micro SD card was selected as the location to store the file com.facebook.katana_4130.zip was associated with the
backup files. All three tested social networking applications Facebook application. It contained three subdirectories:
were selected, and the associated data files were backed up to databases, files, and lib, which contained a number of files.
the external Micro SD card. Once the backup process was The two directories that held relevant data for this study
completed, the Micro SD external card was removed from the were databases and files.
test phone and attached to the forensic workstation to The databases folder held three SQLite files: fb.db,
examine the backup files and perform the forensic analysis. webview.db, and webviewCache.db. Viewing each file
through the SQLite Database Browser and examining its
4.3.2. Examination and analysis content yielded interesting results. The first file fb.db con-
Acquiring a logical backup of the data files associated tained tables that held records of activities performed by
with the Facebook, Twitter, and MySpace applications on the Android Facebook application user, including created
the Android phone using MyBackup resulted in the albums, chat messages, list of friends, friend data, mailbox
N. Al Mutawa et al. / Digital Investigation 9 (2012) S24–S33
Fig. 2. Traces of uploading photos and posting comments using the iPhone Facebook application.

S31
S32 N. Al Mutawa et al. / Digital Investigation 9 (2012) S24–S33

Table 3
Record of a posted comment in MySpace.

ZTIMESTAMP ZMESSAGE Decoded timestamp


338556819.798738 The weather Saturday, 24 September
is getting better 2011 15:33:40 þ0400
The plist file contained the user name and password in clear text.
For example:
<dict>
<key>password</key>
<string>mushroom888</string>
<key>user name</key>
<string>infected.mushroom2011@hotmail.com</string>
</dict>

messages, and uploaded photos. The records included


significant information for the forensic investigator, such as
Fig. 3. The record of a “tweet” from the iPhone file, and the corresponding tweet on the Twitter website.

the users’ IDs, contents of exchanged messages, URL links of


uploaded pictures, and timestamps of performed activities.
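The two timestamp encodings met in this section (UNIX values in the iPhone Facebook database, and the Apple absolute value in the MySpace ZTIMESTAMP column of Table 3, which counts seconds from 2001-01-01 UTC) decoded by an added example that is not code from the paper. The UTC+04:00 device offset is taken from Table 3; the UNIX value 1316864019 is constructed to fall on the same instant so the two decoders can be cross-checked the way the authors compared records against the website.

```python
from datetime import datetime, timedelta, timezone

# Epochs of the two encodings (both count seconds).
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
APPLE_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Core Data / NSDate reference date

# Device offset shown in Table 3 (+0400); assumption for the test phones.
DEVICE_TZ = timezone(timedelta(hours=4))


def decode_unix(value, tz=DEVICE_TZ):
    """UNIX numeric value (seconds since 1970-01-01 UTC), as in the iPhone Facebook SQLite file."""
    return (UNIX_EPOCH + timedelta(seconds=float(value))).astimezone(tz)


def decode_apple_absolute(value, tz=DEVICE_TZ):
    """Apple absolute value (seconds since 2001-01-01 UTC), as in the MySpace ZTIMESTAMP column."""
    return (APPLE_ABSOLUTE_EPOCH + timedelta(seconds=float(value))).astimezone(tz)


def fmt(dt):
    """Render in the layout used by Table 3; the table rounds .798738 s up to :40."""
    return dt.strftime("%A, %d %B %Y %H:%M:%S %z")


def same_period(dt_a, dt_b, tolerance_s=300):
    """The examiner's cross-check: do two decoded timestamps fall within tolerance_s seconds?"""
    return abs((dt_a - dt_b).total_seconds()) <= tolerance_s


if __name__ == "__main__":
    myspace_ts = decode_apple_absolute(338556819.798738)   # value from Table 3
    facebook_ts = decode_unix(1316864019)                  # constructed UNIX value, same instant
    print("ZTIMESTAMP 338556819.798738 ->", fmt(myspace_ts))
    print("UNIX 1316864019            ->", fmt(facebook_ts))
    print("same period:", same_period(myspace_ts, facebook_ts))
```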
The files folder contained a number of files with names
that consisted of seemingly random letters and numbers
and that did not have any extensions. Viewing the files in a text editor and examining their headers showed the JFIF marker segment, indicating that these files were JPEG image files. Using Windows Photo Viewer to open the files
showed the actual image contained within each file. Images
contained within these files were either pictures that the
user had viewed from within the Android Facebook appli-
cation or pictures that he uploaded from within the
application. Files of uploaded pictures had their names
preceded with the word “upload”.
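The header check described above, as an added example (not the paper’s code): extension-less files from the Facebook files folder are classified by their JFIF marker, with the “upload” name prefix noted separately. The sample headers are constructed, not real artifacts.

```python
import os

SOI = b"\xff\xd8\xff"      # JPEG Start-Of-Image marker plus the first segment marker byte
JFIF_ID = b"JFIF\x00"      # identifier at bytes 6..10 of the APP0 segment of a JFIF file


def classify_blob(name, header):
    """Return (kind, uploaded) for one cache file given its name and leading bytes.

    kind: 'jpeg' when the JFIF APP0 identifier is present, 'jpeg-raw' when only the
    SOI marker matches (e.g. an Exif JPEG), else 'unknown'.
    uploaded: True when the name starts with 'upload', the naming convention reported above.
    """
    if header.startswith(SOI) and header[6:11] == JFIF_ID:
        kind = "jpeg"
    elif header.startswith(SOI):
        kind = "jpeg-raw"
    else:
        kind = "unknown"
    return kind, os.path.basename(name).startswith("upload")


def triage_files_dir(directory):
    """Walk an extracted 'files' directory and classify every extension-less file by header."""
    results = {}
    for root, _dirs, names in os.walk(directory):
        for name in names:
            if os.path.splitext(name)[1]:
                continue  # only the extension-less cache files are of interest here
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                results[os.path.relpath(path, directory)] = classify_blob(name, fh.read(16))
    return results


# Constructed sample headers used when run stand-alone (hypothetical file names).
SAMPLE = {
    "upload3f9c": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "a7c1e0": b"\xff\xd8\xff\xe1\x12\x34Exif\x00\x00MM\x00\x2a",
    "9b0d": b"SQLite format 3\x00",
}

if __name__ == "__main__":
    for sample_name, hdr in SAMPLE.items():
        print(sample_name, classify_blob(sample_name, hdr))
```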

4.3.2.2. Twitter artifacts. The second archive file, com.twitter.android_134.zip, was associated with the Android Twitter
application. It contained a folder called databases, which
contained three SQLite files. One of the files, 342525691.db,
stored interesting data. It contained tables that stored
records of posted tweets, photos, friends, users, and other
data associated with activities performed through the
Android Twitter application. Besides storing the author IDs,
timestamps, and contents of the posted tweets, the records
also stored data about the source of the posted tweets, e.g.,
posting through the website, an iPhone application, or an
Android phone application.

4.3.2.3. MySpace artifacts. The third archive file, com.kozmo.kspace_4.zip, was associated with the Android MySpace
application. It contained a folder called databases, which
contained three SQLite files. As mentioned earlier, the
tested MySpace application was not the official application
created by the MySpace company but a web-based appli-
cation created by another group. Examining the three
SQLite files showed that they stored cookies and cache files
associated with navigating the MySpace website. It also
showed that the file webview.db stored the user name and
the password of the MySpace application in plain text.
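An added SQLite triage of the kind this section performs by hand in the SQLite Database Browser (not code from the paper): it enumerates each table’s columns and flags columns whose names suggest stored credentials, which is how a plain-text password such as the one in webview.db would surface. The database is built in memory with table and column names assumed for illustration, not taken from the real artifacts.

```python
import re
import sqlite3

# Column names that suggest credentials or session material (a triage heuristic, not exhaustive).
SENSITIVE = re.compile(r"pass|pwd|secret|token|cookie|session|auth", re.IGNORECASE)


def list_tables(conn):
    """First step of the manual examination: map every table to its column names."""
    schema = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"):
        schema[table] = [row[1] for row in conn.execute("PRAGMA table_info([{}])".format(table))]
    return schema


def find_sensitive_columns(conn):
    """Return [(table, column, populated_rows)] for columns whose names match SENSITIVE."""
    hits = []
    for table, cols in list_tables(conn).items():
        for col in cols:
            if SENSITIVE.search(col):
                query = "SELECT COUNT(*) FROM [{0}] WHERE [{1}] IS NOT NULL AND [{1}] != ''".format(table, col)
                hits.append((table, col, conn.execute(query).fetchone()[0]))
    return hits


def build_sample_db():
    """Constructed stand-in for a WebView database; schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT);
        CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT);
        INSERT INTO cookies (name, value, domain, path)
            VALUES ('SESSIONID', 'constructed-value', '.example.test', '/');
        INSERT INTO password (host, username, password)
            VALUES ('https://m.example.test', 'examiner@example.test', 'constructed-password');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table, cols in list_tables(db).items():
        print(table, cols)
    for hit in find_sensitive_columns(db):
        print("sensitive column:", hit)
```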

4.4. Results summary

Table 4 summarizes the results of our analysis for each application on each device examined.
Table 4
The significant social networking data that could be recovered from the logical image of each smartphone.

Smartphone   Application   Description
BlackBerry   Facebook      Not found
BlackBerry   Twitter       Not found
BlackBerry   MySpace       Not found
iPhone       Facebook      User and friend data incl. contact details and profile picture URLs; photo uploads; comments posted; timestamps; all previously logged-in users; friends with active chat sessions
iPhone       Twitter       For user and people followed: user names and profile picture URLs; tweets posted; timestamps
iPhone       MySpace       User name/password; posted comments; timestamps
Android      Facebook      User and friend data incl. contact details and profile; photo uploads; created albums; pictures viewed with app; mailbox/chat messages
Android      Twitter       For user and people followed: user names; posted tweets and photos; other activity information (e.g., device used to tweet)
Android      MySpace       User name/password; cookies & cache files

5. Future work

There are several major items of future work leading directly from this study. First, more experimental cases are required to examine a greater variety of smartphones and social networking applications alike. Second, different smartphones employ a variety of techniques to “lock” the device’s interface and encrypt the data stored on the phone while the device is locked, and these privacy measures also serve as anti-forensics techniques to be overcome. Research into this issue would likely require different techniques for each smartphone platform.

6. Conclusions

Few studies have addressed the forensic analysis and recovery of activities performed through social networking applications on smartphones. These studies have also been limited to the recovery of very basic information related to the use of social networking applications. This study focused on the recovery of artifacts and traces related to the use of social networking applications on a variety of smartphones using different operating systems. It aimed to determine whether activities performed through these applications are stored on, and can be recovered from, the internal memory of these smartphones. The tested social networking applications were Facebook, Twitter, and MySpace, which were used on BlackBerry, iPhone, and Android. The study explored the forensic acquisition, analysis and examination of the logical backup copies of the three smartphones. The tests consisted of installing the social networking applications on each device, conducting common user activities through each application, acquiring a forensically sound logical image of each device, and performing manual forensic analysis on each acquired logical image. The forensic analysis determined the amount, significance, and location of social networking data that could be found and retrieved from the logical image of each device.

The results showed that no traces of social networking activities could be recovered from BlackBerry devices. However, iPhones and Android phones stored a significant amount of valuable data that could be recovered and used by the forensic investigator. The paper documented the nature of the social networking data that could be recovered from each device and their locations within the backup files. We hope that the paper can inspire the creation of digital forensics tools to extract and reconstruct social networking data from a variety of modern smartphones.

References

Al Mutawa N, Al Awadhi I, Baggili I, Marrington A. Forensic artifacts of Facebook’s instant messaging service. In: Proceedings of the 2011 International Conference for Internet Technology and Secured Transactions (ICITST); 2011. p. 771–6. Abu Dhabi, UAE.
Al Zarouni M. Mobile handset forensic evidence: a challenge for law enforcement. In: Proceedings of the 4th Australian Digital Forensics Conference; 2006. Perth, Australia.
Bader M, Baggili I. iPhone 3GS forensics: logical analysis using Apple iTunes backup utility. Small Scale Digital Device Forensics Journal September 2010;4(1).
Burnette MW. Forensic examination of a RIM (BlackBerry) wireless device. Retrieved on 18 February 2012 from: http://www.mandarino70.it/Documents/Blackberry%20Forensics.pdf; 2002.
de Paula AMG. Security aspects and future trends of social networks. In: Proceedings of the Fourth International Conference of Forensic Computer Science; 2009. p. 66–77. Natal City, Brazil.
Facebook. Statistics. Retrieved on 26 May 2011 from: http://www.facebook.com/press/info.php?statistics; 2011.
Finn Ruder. New study shows ‘intent’ behind mobile Internet use. Retrieved on 18 February 2012 from: http://www.prnewswire.com/news-releases/new-study-shows-intent-behind-mobile-internet-use-84016487.html; 2012.
International Telecommunications Union. The rise of social networking. Retrieved on 18 February 2012 from: http://www.itu.int/net/itunews/issues/2010/06/35.aspx; 2010.
Kubasiak R, Morrissey S, Varsalone J. Macintosh OS X, iPod, and iPhone forensic analysis DVD toolkit. Burlington, MA: Syngress; 2009.
Lessard J, Kessler GC. Android forensics: simplifying cell phone examinations. Small Scale Digital Device Forensics Journal September 2010;4(1).
Morrissey S. iOS forensic analysis for iPhone, iPad, and iPod touch. New York: Apress; 2010.
National Institute of Standards and Technology. General test methodology for computer forensic tools. Retrieved on 18 February 2012 from: http://www.cftt.nist.gov/documents.htm; 2001.
National Institute of Standards and Technology. Test results for mobile device acquisition tool. Zdziarski’s Method; 2010.
Punja SG, Mislan RP. Mobile device analysis. Small Scale Digital Device Forensics Journal June 2008;2(1).
Vidas T, Zhang C, Maloof M. Toward a general collection methodology for Android devices. In: Proceedings of the Eleventh Annual DFRWS Conference, vol. 8S; 2011. p. S14–23. New Orleans, USA, published in Digital Investigation.
Zdziarski J. iPhone forensics: recovering evidence, personal data, and corporate assets. Sebastopol, CA: O’Reilly; 2010.
Zellers F. MySpace.com forensic artifacts keyword searches. Retrieved on 18 February 2012 from: http://www.inlanddirect.com/CEIC-2008.pdf; 2008.