Gupta, K.; Oladimeji, D.; Varol, C.; Rasheed, A.; Shahshidhar, N. Artifact Recovery from Social Media Platforms. Encyclopedia. Available online: https://encyclopedia.pub/entry/52329 (accessed on 16 May 2024).
Gupta, K., Oladimeji, D., Varol, C., Rasheed, A., & Shahshidhar, N. (2023, December 04). Artifact Recovery from Social Media Platforms. In Encyclopedia. https://encyclopedia.pub/entry/52329
Artifact Recovery from Social Media Platforms

Social media applications have become ubiquitous in modern society, and their usage has grown exponentially over the years. With the widespread adoption of these platforms, social media has evolved into a significant source of digital evidence in the domain of digital forensics.

Keywords: artifact analysis; digital forensics; disk forensics; memory forensics

1. Introduction

The term “Social Media” refers to a variety of interactive online platforms, chat rooms, and internet forums. They all have their own unique features and purposes that encourage seamless user connectivity, interactive information exchange, and data transfer via internet-mediated communications. Social media is becoming a vital aspect of modern civilization as a result of the broad adoption of new technology and the internet’s pervasiveness in the lives of billions of people globally [1]. Some of the most popular social media applications include WhatsApp, Facebook, and Instagram. The COVID-19 outbreak and the resulting lockdowns further allowed deeper penetration of social media applications into users’ daily lives. This made the growth of social media applications like TikTok even more prominent. Statistics for January 2023 state that 59% of the world’s population uses social media for an average of 2 h and 31 min per day [2].
As a result of the extensive communication and widespread user engagement facilitated by social media applications, they have emerged as a new avenue for criminal activities known as social media-mediated crimes. These crimes are becoming advanced in nature, owing to the vast information exchange that takes place between millions of devices across the globe [3][4][5][6]. Social media applications give cybercriminals a platform to manipulate personal data and use it to perpetrate crimes [7]. Some of the crimes committed through social media platforms include spam (unwanted messages embedded with harmful links that lure users into giving personal information) [8], online identity theft (involves taking someone’s identity without their consent with the motive of committing fraud or financial theft) [9], cyberbullying (harassing, humiliating, or threatening another through the internet) [10], sexual exploitation (using someone’s sexuality for personal or financial gain, often through coercion or manipulation), and many other crimes.
Digital forensics is the process of identifying, acquiring, processing, analyzing, and reporting on data stored electronically [11]. The combination of social media and digital forensics has given rise to a new field called Social Media Forensics (SMF) [12]. SMF is the process of collecting, analyzing, and preserving digital evidence from social media platforms. Over the last ten years, it has been acknowledged as a distinct branch of digital forensics. In legal cases concerning cyber crime where the perpetrator, victim, or witnesses may have used social media platforms, social media artifacts are essential as evidence [7][13]. Social media artifacts in the context of digital forensic investigations refer to the digital traces, remnants, or pieces of data left behind by using social media platforms. Common social media artifacts include chats, posts, geolocation, timestamps, deleted chats, and much more.
These artifacts can be valuable sources of evidence in various types of investigations. Trials involving the use of evidence from social media are continuously increasing. In 2016, in the United States alone, 14,000 decisions were observed, out of which 9500 heavily relied on evidence from social media [13], which is twice as high as the number in 2015. Because cases in which social media content was used but no decision was made are excluded, it should be noted that these numbers are significantly lower than the actual number of investigations. They do, however, emphasize the undeniable significance of social media data.
One positive aspect of social media crimes is that criminals often leave digital footprints of their deeds, which is where social media forensics comes into play. Among various types of cybercrimes taking place, cybercrimes executed via social media platforms, also called online social network (OSN) crimes, have recently accelerated in number. Thus, there is a critical need for forensic analysis of digital platforms operating social media applications, as these platforms can be used for criminal activity, terrorism, and other unlawful actions. When properly explored for its potential, social media content can prove to be an outstanding source of digital evidence for digital forensics investigators. The information available about potential victims and suspects on social media is endless. It offers a dynamic dataset of user-generated information, such as posts, friend lists, images, geographical information, videos, demographics, and more.

2. Memory Analysis Focus

Memory forensics is a branch of digital forensics that focuses on the analysis and extraction of digital evidence from a computer’s volatile memory, also known as RAM. Volatile memory stores data temporarily while a computer is powered on and actively running [14]. Some of the data stored by the RAM include:
  • program data (data related to currently running applications);
  • process data (data related to currently running processes such as open files and data for execution);
  • user data (data generated or modified by the users);
  • network data (network connections);
  • graphics data (video and graphics data including contents of the screen and graphics used in applications);
  • user sessions (information about user sessions, including user login credentials, active user profiles, and session-related data);
  • browser data (data related to open tabs, history, cookies, and cached web content).
With a treasure trove of user and system information stored in RAM, memory forensics is indispensable for investigating social media applications. Owing to its ability to capture a wide range of data, different researchers analyze the volatile memory of digital devices for various research purposes. The majority of the research is carried out to uncover what kinds of evidentiary artifacts related to social media applications can be found in memory [15][16][17][18][19][20], whereas other researchers look for specific kinds of artifacts such as deleted chats [21] or encryption keys [22]. Other research goals behind examining volatile memory for social media evidence include decrypting databases [23] and creating tools for the analysis of memory artifacts from social media applications [24][25].

2.1. Memory Acquisition

The memory forensics process typically involves two main phases: memory acquisition and memory analysis. Some of the most common tools used for memory acquisition in the literature include DumpIt [17][22][26] and LiME (Linux Memory Extractor) [27][28][29][30], while other acquisition tools include FTK Imager [31], Android Debug Bridge [29][32][33], and Belkasoft RAM Capturer [31]. From the review of the existing literature, it is seen that DumpIt is the most common choice for memory acquisition on Windows machines. It is a command-line memory tool that specializes in acquiring the contents of physical RAM primarily from Windows systems. The acquired memory (memory dump) is then output in a raw format, which can then be further analyzed using memory analysis tools. However, one of the tool’s limitations is that it leaves a digital footprint in memory [22], which can taint the memory dump acquired.
While DumpIt is the most prominent tool used for memory acquisition on Windows platforms, LiME is the most prominent memory acquisition tool for Linux kernels and Linux-based devices such as Android. It is an open-source tool that can perform full memory captures. LiME supports two memory acquisition methods, one over the network via the Transmission Control Protocol (TCP) and the other via local storage, such as SD cards [28]. It is noteworthy that LiME requires that the device be rooted to perform the acquisition [30]. This is because LiME needs access to the kernel’s memory space, which contains critical system information and data from running processes. Additionally, LiME functions by loading a kernel module into the running kernel to create a memory snapshot. The access levels to perform all these functions are protected for security reasons. Thus, root access needs to be granted to capture memory using LiME.
While some researchers prefer conducting experiments on physical devices, others use virtualization. Virtualization allows Windows systems to be configured on VMware and Android Virtual Devices (AVDs) to be configured using platforms such as Android Mobile Device Emulator. When researchers use virtual devices, the process of acquiring a memory dump becomes streamlined. In the case of Windows systems, researchers can capture the memory by creating a snapshot, such as a .vmem file, while using VMware, as performed by Chang et al. [16]. In the context of AVDs, researchers can bypass the need for device rooting since the virtual device can be preconfigured to grant root access to users within the virtual environment, as performed by Anglano et al. [30].

2.2. Memory Analysis

After acquiring a memory dump, memory analysis is the next phase. It is the process of examining the contents of the volatile memory to extract valuable information and evidence for investigative purposes. The most common tool for memory analysis is Volatility [21][22][28][30][34][35]. Volatility is a versatile open-source memory forensics tool. It provides a wide range of plugins to analyze memory dumps from various operating systems, such as Windows, Linux, and macOS. Volatility can be used to extract information about running processes, network connections, registry keys, and much more. However, one of the major drawbacks of Volatility is the limited support for Linux and Mac operating systems. Analysis of these operating systems may require the researcher to create specific profiles for the particular operating system version in use.
Other than Volatility, many research methodologies prefer using hex editors to analyze memory dumps [16][17][22][24][27][28][31][35][36]. Hex editors are widely used for memory analysis for several important reasons. They provide a low-level representation of data, allowing investigators the opportunity to inspect the contents of the memory byte by byte. This level of granularity is required to identify data patterns needed to extract evidence. Another important reason for using hex editors is the ability to search for specific strings or patterns within the memory dump, which is one of the most employed methods used by researchers to look for evidence in the memory [16][19][22][28][31][37].
Along the same lines, “Strings” is another popular tool for extracting sequences of characters. A string of text is usually passed to it to search throughout the memory dump. The lines of the dump containing the matching text strings are then extracted. This is a traditional method used to analyze volatile memory [38]. Strings is commonly employed for this task as it supports large raw files, hexadecimal, ASCII, Unicode, and regular expressions. Other tools used to conduct memory analysis in the literature include FTK toolkit [19][27][39] and EnCase [16][36].
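The string and pattern search described in the two paragraphs above, as an added example (not code from the cited studies or from the Strings tool): it extracts printable ASCII and UTF-16LE runs from a raw dump, filters them by case keywords, and renders a hex-editor-style view around a hit. The sample dump, the keywords, and all function names are constructed for illustration.

```python
"""Keyword search over a raw memory dump with hex context (added example)."""
import mmap
import re
from typing import Iterator, List, NamedTuple

MIN_LEN = 6  # shortest run of printable characters treated as a string

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each character followed by a 0x00 byte), as Windows software often does.
PATTERNS = {
    "ascii": re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN),
    "utf-16le": re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN),
}


class Hit(NamedTuple):
    offset: int    # byte offset of the string inside the dump
    encoding: str  # "ascii" or "utf-16le"
    text: str      # decoded string


def open_dump(path: str) -> mmap.mmap:
    """Map a raw dump read-only so multi-gigabyte images are not loaded into RAM."""
    with open(path, "rb") as handle:
        return mmap.mmap(handle.fileno(), 0, access=mmap.ACCESS_READ)


def extract_strings(image) -> Iterator[Hit]:
    """Yield every printable run in a bytes-like image (bytes or mmap)."""
    for encoding, pattern in PATTERNS.items():
        for match in pattern.finditer(image):
            yield Hit(match.start(), encoding, match.group().decode(encoding))


def search(image, keywords: List[str]) -> List[Hit]:
    """Return strings containing any keyword (case-insensitive), ordered by offset."""
    wanted = [k.lower() for k in keywords]
    hits = [h for h in extract_strings(image)
            if any(k in h.text.lower() for k in wanted)]
    return sorted(hits, key=lambda h: h.offset)


def hex_context(image, offset: int, before: int = 16, length: int = 48) -> str:
    """Render 16-byte rows around an offset, the way a hex editor shows them."""
    start = max(0, offset - before) & ~0xF  # align to a 16-byte row
    rows = []
    for row in range(start, min(len(image), start + length), 16):
        chunk = bytes(image[row:row + 16])
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append(f"{row:08x}  {hexpart:<47}  {text}")
    return "\n".join(rows)


# Constructed sample "dump": non-printable filler around three embedded strings.
FILLER = bytes([0x00, 0x01, 0x02, 0xFF]) * 8
SAMPLE_DUMP = (
    FILLER
    + b'{"chat_id":"c-1001","from":"alice_example","body":"meet at noon"}'
    + FILLER
    + "display_name=Bob Example".encode("utf-16le")
    + FILLER
    + b"GET /static/app.js HTTP/1.1"
    + FILLER
)

if __name__ == "__main__":
    for hit in search(SAMPLE_DUMP, ["alice_example", "bob example"]):
        print(f"{hit.offset:#010x} [{hit.encoding}] {hit.text}")
        print(hex_context(SAMPLE_DUMP, hit.offset))
```

For a real image, pass `open_dump(path)` to `search` in place of `SAMPLE_DUMP`.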
In an effort to conduct a thorough examination of the remnants left by the LINE application on a Windows 10 system, Chang et al. [16] carry out investigations with different configurations of the environment. One of the configurations included conducting anti-forensic activities, such as deleting the application using CCleaner. This approach yielded a noteworthy discovery, revealing trace evidence of LINE activity, encompassing chats, usernames, and user files persisting in the system’s RAM. Despite the relatively limited number of artifacts, the recoverability of artifacts remains intact.
While most of the memory analysis conducted on platforms is aimed at recovering evidence from social media applications locally downloaded on the device, some researchers have tackled memory forensics to recover evidence from browsers running social media web applications [27][40][41][42][43][44][45][46][47]. As seen in Table 1, the most targeted browser researchers use is Google Chrome because it is one of the most widely used web browsers globally, with a significant market share [48]. Its popularity makes it a prime target for forensic researchers because it represents a large portion of users’ online activities. One of the most common research objectives related to browsers was to compare the artifacts uncovered from using social media web applications across different browsers [42][43][44]. The findings from these research experiments reveal that using different browsers can yield a discrepancy in recovered artifacts. This is due to variations in their architecture, data storage mechanisms, and how they manage user information. Hence, it is important to consider the browser’s characteristics in any forensic investigation.
Table 1. Memory analysis on browser.

2.3. Artifact Recovery from Memory

Most of the existing literature in the domain of memory analysis for social media evidence exists for the purpose of determining and exploring what artifacts can be uncovered upon analysis. Researchers have illustrated the existing literature in Table 2. Upon surveying the literature, it is seen that many artifacts can be gathered from analyzing the memory. Some of these artifacts include chats [15][21][22][26][31][33][35][37][49], contacts [17][18][25][34][37], media (URLs to photos, videos, images) [17][26][31][34], deleted chats [16], passwords [17][18][20][24][25], user profile information [22], geolocation data [26][31], and timestamps [16][21][26][37].
The chat feature is one of the most popular features in social media applications. It has become a central component of social media applications, contributing to user engagement. Chat features provide a convenient way to engage with other users in real time with options for multimedia sharing. Recovering chat artifacts is paramount in social media forensics due to the wealth of crucial evidence they contain. These chat records provide evidence of online interactions, offering invaluable insights into user behavior, relationships, intents, and activities on social media platforms. By examining chat artifacts, investigators can uncover evidence of cybercrimes, harassment, fraud, impersonation, and much more. Furthermore, these artifacts aid in verifying user identities and establishing a contextual understanding of events.
Passwords and encryption keys are crucial pieces of evidence that can be recovered from the forensic analysis of RAM (Random Access Memory). This is due to how computer systems handle sensitive data during their operation. When a user logs into a system or an application, their password or encryption key is temporarily loaded into RAM to facilitate authentication or data decryption. Even after the user logs out or the application is closed, fragments or residues of this sensitive information may persist in RAM for a certain duration. Modern operating systems and applications also use caching mechanisms to enhance performance, temporarily storing credentials in RAM. Moreover, when data are being actively used or processed, encryption keys must be loaded into RAM to decrypt those data on the fly, making them potentially accessible through RAM analysis.
Passwords hold the key to unlocking valuable evidence. They not only grant access to a user’s social media profiles but also provide insights into their online activities, connections, and potentially illicit actions. In cases involving cybercrimes, cyberbullying, or online harassment, gaining access to a suspect’s social media accounts can reveal critical evidence, including private messages, deleted content, and interactions with victims. This information is indispensable for investigations, as it can help establish motives, uncover hidden activities, and facilitate the identification of culprits.
Table 2. Existing literature on artifact recovery from memory.

3. Network Analysis Focus

The continually surging popularity of online services compels security experts and law enforcement agencies to seek innovative approaches for investigating cybercrimes and obtaining court-admissible evidence. There are a few researchers who have conducted forensic analysis on the disk in an effort to investigate encrypted databases of secured social media applications [52][53], but such approaches fall short when it comes to investigating end-to-end encrypted data. In such a case, network forensics comes in handy. Network forensics is a specialized branch of digital forensics that focuses on the collection, analysis, and interpretation of network traffic and data to uncover evidence related to cybercrimes and security incidents. It involves systematically examining network logs, packet captures, configuration files, and other network-related data sources to reconstruct events and recover network traffic artifacts [54][55]. Network traffic analysis is of paramount importance in the field of SMF.
Social media applications facilitate the transfer of substantial data volumes across communication networks, encompassing various formats, with network packets being the most prevalent. Network packets hold useful data about users’ online activity. When effectively captured, stored, and processed, they can yield valuable assets in forensic investigations and provide admissible evidence [56]. The de facto format for captured network packets is pcap, the file format of the libpcap library. The Pcap Next-Generation Capture File Format (pcapng) has succeeded the traditional pcap format. The information extracted from these network packets can be used as evidence either directly or indirectly. For example, some information contained in the packets, including the sender and receiver IP addresses, port numbers, etc., along with the transferred data, can be used directly as evidence. In contrast, indirect information derived from multiple packets can also be used as evidence. This includes streams of packets sent from a particular host to another one in a certain pattern, which might indicate a specific user activity.
Many social media applications offer end-to-end encryption. These applications have attracted significant attention from users, driven by escalating concerns regarding their privacy. Notable social media applications, including Signal, WhatsApp, Facebook Messenger, and WeChat, have incorporated robust end-to-end encryption techniques during data transmission to safeguard user data’s security and privacy. Signal, for instance, asserts the use of the highly secure Signal Protocol for communication. However, it is important to acknowledge that malicious actors also capitalize on the protective attributes of end-to-end encryption in these apps. Consequently, the presence of these security features presents an attractive medium for digital crime and fraudulent activities.

3.1. Common Research Aims for Network Forensics

Traffic characterization aims to identify user activities through the network traffic. The classification of user activities is performed by finding certain fixed patterns in network traffic. As most of the social media applications are secure and traffic flows are HTTPS-encapsulated, gaining access to the actual contents of information being exchanged between an app client and the servers is difficult. However, identification of a particular app and its user’s activities is made possible by establishing behavior analysis of the traffic. This is performed by finding out a number of fixed patterns that are considered useful to identify the application over the network and to classify user activities.
The decryption of network traffic involves transforming encrypted data into their original, human-readable form. When data are transmitted over a network, they are often encrypted to protect their confidentiality and security. Decryption, therefore, serves as the means to unveil the content of these encrypted communications, making it comprehensible for analysis and investigation. To extract artifacts from network traffic, researchers establish a controlled network environment. Within this controlled setting, they simulate a sequence of user interactions within the application under examination. Subsequently, they capture the network traffic that results from these actions, meticulously dissecting and reconstructing evidentiary traces of potentially suspect data. This process allows for a comprehensive examination of digital footprints and potential forensic evidence within the network traffic, shedding light on user activities.
Many researchers have also incorporated the idea of using firewalls into the network forensic investigation [57][58][59][60]. Deploying a firewall within the investigation network enhances the ability to effectively monitor app behavior. Firewall rules are employed to verify the app’s default behavior, enabling the imposition of restrictions and the identification of any hidden or alternative app behaviors. Additionally, this approach facilitates the observation of client–server connectivity design patterns, ports, and server ranges.
Using a firewall helps in understanding connectivity patterns by regulating traffic through different rule sets. A firewall can be used to restrict client traffic and compel the exposure of the client to alternate connectivity methods. Azab et al. [57][58] configured firewall rule sets to block out TCP ports that the application would regularly communicate on to understand the changes in network connectivity patterns. Moreover, firewalls can also be used to filter out traffic not concerning the experiment so that the researchers can focus on traffic corresponding to the experiment, as performed in [58][59]. Another use case of employing a firewall includes blocking server IP addresses, as performed in [59], which would result in reduced functionality of the application.

3.2. Common Network Forensics Tools

Network packet analysis relies on packet capture and analysis tools. One of the packet capture and analysis tools most used by researchers in the field is Wireshark [57][58][61][62][63][64]. In 1998, Gerald Combs introduced Ethereal, a packet analyzer that was later rebranded as Wireshark in 2006 [65]. Wireshark is a versatile open-source network protocol analyzer that can capture and analyze a vast array of protocols and traffic types. It can analyze protocols from simple HTTP/HTTPS protocols to complex protocols such as TCP, DNS, UDP, ICMP, etc. It has an exceedingly user-friendly graphical user interface (GUI) tailored for packet analysis [66]. This GUI features a packet browser capable of simultaneously displaying a list of packets, along with detailed information and packet bytes of the currently selected packet.
Other than Wireshark, NetworkMiner and Charles Proxy are other common network packet analysis tools. NetworkMiner is a network analysis tool designed for passive network packet capturing and forensic analysis. Its primary function is to extract valuable information and artifacts from captured network traffic. NetworkMiner can dissect and analyze network packets to reveal insights such as IP addresses, domain names, usernames, file transfers, etc. It aids in reconstructing network conversations, allowing forensic analysts to piece together the chronology of network events. Additionally, the Charles Web Debugging Proxy, developed by Karl von Randow in 2002, is a versatile web debugging proxy tool that primarily serves the function of monitoring and intercepting network traffic between a user’s device and the internet. Its core purpose is to provide detailed insights into the HTTP and HTTPS traffic generated by web browsers or mobile applications. Charles Proxy allows users to inspect, analyze, and manipulate this traffic in real time.

3.3. Network Forensics Artifacts

Artifacts from network analysis primarily stem from monitoring and examining network traffic. These artifacts encompass data packets, communication logs, metadata detailing network interactions, and information related to IP addresses, ports, and protocols. IP addresses are fundamental to network forensic analysis. They help identify the source and destination of network traffic. However, researchers cannot solely depend on IP addresses for the investigation due to their dynamic nature. IP addresses often cannot be directly linked to a person [67] or a specific geolocation [68]. Some other prominent artifacts that can be gathered during a network forensic analysis include port numbers [57][69], protocols [61][70][71][72], domain names [61], certificates used [69], and timestamps [61][69][70].
Port numbers help differentiate services and applications on a network, while protocols specify the rules and format of the network communication. They determine how data are structured, transmitted, and interpreted and help investigators understand the nature of network traffic. Certificates, specifically SSL/TLS certificates, are critical for securing web communications by encrypting data transmitted over HTTPS connections. They include details about the website’s identity, encryption algorithms, and validity. Another common artifact retrieved is timestamps. They provide chronological information about network events.
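The artifacts named above (IP addresses, ports, protocols, timestamps) and the direct versus indirect evidence distinction from Section 3, as an added example that is not code from any cited study: a reader for the classic pcap layout that lists per-packet fields and groups them into directional flows with packet counts, byte totals, and first and last timestamps. The capture is constructed inline with documentation-range addresses, and all function names are illustrative.

```python
"""Recover flow-level artifacts from a classic pcap capture (added example)."""
import ipaddress
import struct
from datetime import datetime, timezone

# pcap magic as stored on disk -> (struct byte order, timestamp fraction divisor)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),  # microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9),  # nanoseconds
}
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def decode_frame(frame):
    """Return (src, sport, dst, dport, proto) for an Ethernet/IPv4 TCP or UDP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                        # IPv4 header length in bytes
    proto = PROTO_NAMES.get(frame[23])
    l4 = 14 + ihl                                       # start of the TCP/UDP header
    if ihl < 20 or proto is None or len(frame) < l4 + 4:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, sport, dst, dport, proto


def parse_pcap(data):
    """Yield (timestamp, src, sport, dst, dport, proto, wire_length) per packet."""
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng capture: this reader handles classic pcap only")
    if data[:4] not in MAGICS or len(data) < 24:
        raise ValueError("not a pcap capture")
    endian, divisor = MAGICS[data[:4]]
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are decoded here")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < incl_len:  # capture file cut off mid-record
            break
        decoded = decode_frame(frame)
        if decoded:
            yield (ts_sec + ts_frac / divisor, *decoded, orig_len)


def summarize_flows(packets):
    """Group packets by directional 5-tuple: count, bytes, first and last timestamp."""
    flows = {}
    for ts, src, sport, dst, dport, proto, length in packets:
        flow = flows.setdefault((src, sport, dst, dport, proto),
                                {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        flow["packets"] += 1
        flow["bytes"] += length
        flow["first"], flow["last"] = min(flow["first"], ts), max(flow["last"], ts)
    return flows


def utc(ts):
    """Format a capture timestamp as an ISO 8601 UTC string for reporting."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def make_frame(src, dst, sport, dport, proto, payload):
    """Build a constructed Ethernet/IPv4 frame (zero checksums) for the sample."""
    l4 = struct.pack("!HH", sport, dport)
    l4 += (struct.pack("!IIBBHHH", 0, 0, 5 << 4, 0x18, 65535, 0, 0) if proto == 6
           else struct.pack("!HH", 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + l4 + payload


def build_sample_pcap():
    """Constructed capture: one DNS-like UDP packet and a three-packet TCP/443 exchange."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [
        (1700000000, 0, make_frame("192.0.2.10", "203.0.113.53", 50000, 53, 17, b"\x00" * 30)),
        (1700000000, 250000, make_frame("192.0.2.10", "198.51.100.20", 50001, 443, 6, b"\x00" * 100)),
        (1700000000, 500000, make_frame("198.51.100.20", "192.0.2.10", 443, 50001, 6, b"\x00" * 1200)),
        (1700000001, 0, make_frame("192.0.2.10", "198.51.100.20", 50001, 443, 6, b"\x00" * 100)),
    ]
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    for key, flow in summarize_flows(parse_pcap(SAMPLE_PCAP)).items():
        print(key, flow["packets"], "pkts", flow["bytes"], "bytes",
              utc(flow["first"]), "->", utc(flow["last"]))
```

The per-packet tuples are the direct artifacts; the flow summary is the kind of derived pattern (who talked to whom, how much, and when) that remains available when the payload is encrypted.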
Most of the authors of the existing literature focus on the artifacts from user activities related to chats [64] and calls [58][63][72]. This is because the most common user activities performed on social media applications are communication, such as chatting and calling. In light of this aim, Cents et al. [64] identified sent and received WhatsApp chat messages between a phone and the WhatsApp servers by detecting patterns in wiretap data. Wiretap data are utilized since it is difficult to trace any signs of network traffic monitoring by the suspect. Furthermore, Karpisek et al. [63] focused on decrypting WhatsApp network traffic to uncover information related to a call, while Azab et al. and Nicoletti et al. [58][72] examined the Skype application to characterize network traffic and retrieve artifacts related to calls, respectively. Some of the most prominent artifacts recovered from the above are audio codecs [58][63][72], call establishment and termination [58][63], call duration [63], and phone numbers [63][72].

References

  1. Ma, B.; Tao, Z.; Ma, R.; Wang, C.; Li, J.; Li, X. A High-Performance Robust Reversible Data Hiding Algorithm Based on Polar Harmonic Fourier Moments. IEEE Trans. Circuits Syst. Video Technol. 2023; early access.
  2. Chaffey, D. Global Social Media Statistics Research Summary 2022. 2023. Available online: https://www.smartinsights.com/social-media-marketing/social-media-strategy/new-global-social-media-research/ (accessed on 12 May 2023).
  3. Alqatawna, J.; Madain, A.; Al-Zoubi, A.; Al-Sayyed, R. Online social networks security: Threats, attacks, and future directions. In Social Media Shaping e-Publishing and Academia; Springer: Berlin/Heidelberg, Germany, 2017; pp. 121–132.
  4. Rathore, S.; Sharma, P.K.; Loia, V.; Jeong, Y.S.; Park, J.H. Social network security: Issues, challenges, threats, and solutions. Inf. Sci. 2017, 421, 43–69.
  5. Fire, M.; Goldschmidt, R.; Elovici, Y. Online social networks: Threats and solutions. IEEE Commun. Surv. Tutor. 2014, 16, 2019–2036.
  6. Patel, P.; Kannoorpatti, K.; Shanmugam, B.; Azam, S.; Yeo, K.C. A theoretical review of social media usage by cyber-criminals. In Proceedings of the 2017 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 5–7 January 2017; pp. 1–6.
  7. Al Mutawa, N.; Baggili, I.; Marrington, A. Forensic analysis of social networking applications on mobile devices. Digit. Investig. 2012, 9, S24–S33.
  8. Luo, W.; Liu, J.; Liu, J.; Fan, C. An analysis of security in social networks. In Proceedings of the 2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing, Chengdu, China, 12–14 December 2009; pp. 648–651.
  9. Norden, S. How the Internet Has Changed the Face of Crime. 2013. Available online: https://scholarscommons.fgcu.edu/esploro/outputs/doctoral/How-the-Internet-has-Changed-the/99383341581306570 (accessed on 12 May 2023).
  10. Dredge, R.; Gleeson, J.; De la Piedad Garcia, X. Cyberbullying in social networking sites: An adolescent victim’s perspective. Comput. Hum. Behav. 2014, 36, 13–20.
  11. Garfinkel, S.L. Digital forensics research: The next 10 years. Digit. Investig. 2010, 7, S64–S73.
  12. Basumatary, B.; Kalita, H.K. Social media forensics—A holistic review. In Proceedings of the 2022 9th International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 23–25 March 2022; pp. 590–597.
  13. Reddy, S.T.; Mothe, R.; Sunil, G.; Harshavardhan, A.; Korra, S.N. Collecting the evidences and forensic analysis on social networks: Disputes and trends in research. Stud. Rosenthal. J. Study Res. 2019, XII, 183–192.
  14. Inoue, H.; Adelstein, F.; Joyce, R.A. Visualization in testing a volatile memory forensic tool. Digit. Investig. 2011, 8, S42–S51.
  15. Yasin, M.; Kausar, F.; Aleisa, E.; Kim, J. Correlating messages from multiple IM networks to identify digital forensic artifacts. Electron. Commer. Res. 2014, 14, 369–387.
  16. Chang, M.S.; Chang, C.Y. Line messenger forensics on windows 10. J. Comput. 2019, 30, 114–125.
  17. Bashir, S.; Abbas, H.; Shafqat, N.; Iqbal, W.; Saleem, K. Forensic Analysis of LinkedIn’s Desktop Application on Windows 10 OS. In Proceedings of the 16th International Conference on Information Technology-New Generations (ITNG 2019); Springer: Berlin/Heidelberg, Germany, 2019; pp. 57–62.
  18. Simon, M.; Slay, J. Recovery of skype application activity data from physical memory. In Proceedings of the 2010 International Conference on Availability, Reliability and Security, Krakow, Poland, 15–18 February 2010; pp. 283–288.
  19. Chu, H.C.; Yang, S.W.; Wang, S.J.; Park, J.H. The partial digital evidence disclosure in respect to the instant messaging embedded in viber application regarding an android smart phone. In Information Technology Convergence, Secure and Trust Computing, and Data Management; Springer: Berlin/Heidelberg, Germany, 2012; pp. 171–178.
  20. Ghafarian, A.; Fredy, J. Investigating Instagram Privacy Through Memory Forensics. In Proceedings of the Science and Information Conference; Springer: Berlin/Heidelberg, Germany, 2023; pp. 1263–1273.
  21. Ababneh, A.; Awwad, M.A.; Al-Saleh, M.I. IMO forensics in android and windows systems. In Proceedings of the 2017 8th International Conference on Information, Intelligence, Systems & Applications (IISA), Larnaca, Cyprus, 27–30 August 2017; pp. 1–6.
  22. Kazim, A.; Almaeeni, F.; Al Ali, S.; Iqbal, F.; Al-Hussaeni, K. Memory forensics: Recovering chat messages and encryption master key. In Proceedings of the 2019 10th International Conference on Information and Communication Systems (ICICS), Irbid, Jordan, 11–13 June 2019; pp. 58–64.
  23. Kim, G.; Park, M.; Lee, S.; Park, Y.; Lee, I.; Kim, J. A study on the decryption methods of telegram X and BBM-Enterprise databases in mobile and PC. Forensic Sci. Int. Digit. Investig. 2020, 35, 300998.
  24. Yasin, M.; Abulaish, M. DigLA—A Digsby log analysis tool to identify forensic artifacts. Digit. Investig. 2013, 9, 222–234.
  25. Fernández-Álvarez, P.; Rodríguez, R.J. Extraction and analysis of retrievable memory artifacts from Windows Telegram Desktop application. Forensic Sci. Int. Digit. Investig. 2022, 40, 301342.
  26. Thantilage, R.D.; Le Khac, N.A. Framework for the retrieval of social media and instant messaging evidence from volatile memory. In Proceedings of the 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), Rotorua, New Zealand, 5–8 August 2019; pp. 476–482.
  27. Yusoff, M.N.; Dehghantanha, A.; Mahmod, R. Forensic investigation of social media and instant messaging services in Firefox OS: Facebook, Twitter, Google+, Telegram, OpenWapp, and Line as case studies. In Contemporary Digital Forensic Investigations of Cloud and Mobile Applications; Elsevier: Amsterdam, The Netherlands, 2017; pp. 41–62.
  28. Zhou, F.; Yang, Y.; Ding, Z.; Sun, G. Dump and analysis of android volatile memory on wechat. In Proceedings of the 2015 IEEE International Conference on Communications (ICC), London, UK, 8–12 June 2015; pp. 7151–7156.
  29. Nisioti, A.; Mylonas, A.; Katos, V.; Yoo, P.D.; Chryssanthou, A. You can run but you cannot hide from memory: Extracting IM evidence of Android apps. In Proceedings of the 2017 IEEE Symposium on Computers and Communications (ISCC), Heraklion, Crete, Greece, 3–6 July 2017; pp. 457–464.
  30. Anglano, C.; Canonico, M.; Guazzone, M. Forensic analysis of the ChatSecure instant messaging application on android smartphones. Digit. Investig. 2016, 19, 44–59.
  31. Riadi, I.; Sunardi, S.; Rauli, M.E. Live forensics analysis of line app on proprietary operating system. Kinetik Game Technol. Inf. Syst. Comput. Netw. Comput. Electron. Control 2019, 4, 305–314.
  32. Al-Saleh, M.I.; Forihat, Y.A. Skype forensics in android devices. Int. J. Comput. Appl. 2013, 78, 38–44.
  33. Al-Rawashdeh, A.M.; Al-Sharif, Z.A.; Al-Saleh, M.I.; Shatnawi, A.S. A post-mortem forensic approach for the kik messenger on android. In Proceedings of the 2020 11th International Conference on Information and Communication Systems (ICICS), Irbid, Jordan, 7–9 April 2020; pp. 079–084.
  34. Thakur, N.S. Forensic Analysis of WhatsApp on Android Smartphones. 2013. Available online: https://scholarworks.uno.edu/td/1706/ (accessed on 12 May 2023).
  35. Davis, M.; McInnes, B.; Ahmed, I. Forensic investigation of instant messaging services on linux OS: Discord and Slack as case studies. Forensic Sci. Int. Digit. Investig. 2022, 42, 301401.
  36. Chang, M.S.; Chang, C.Y. Forensic analysis of LINE messenger on android. J. Comput. 2018, 29, 11–20.
  37. Chu, H.C.; Deng, D.J.; Park, J.H. Live data mining concerning social networking forensics based on a facebook session through aggregation of social data. IEEE J. Sel. Areas Commun. 2011, 29, 1368–1376.
  38. Garcia, G.L. Forensic physical memory analysis: An overview of tools and techniques. In Proceedings of the TKK T-110.5290 Seminar on Network Security, TKK, Helsinki, Finland, 11–12 October 2007; Volume 207, pp. 305–320.
  39. Chu, H.C.; Lo, C.H.; Chao, H.C. The disclosure of an Android smartphone’s digital footprint respecting the Instant Messaging utilizing Skype and MSN. Electron. Commer. Res. 2013, 13, 399–410.
  40. Chang, M.; Chang, C.Y. Twitter social network forensics on Windows 10. Int. J. Innov. Sci. Eng. Technol. 2016, 3, 55–60.
  41. Chang, M.S.; Yen, C.P. LinkedIn Social Media Forensics on Windows 10. Int. J. Netw. Secur. 2020, 22, 321–330.
  42. Cusack, B.; Alshaifi, S. Mining Social Networking Sites for Digital Evidence. In Proceedings of the 13th Australian Digital Forensics Conference, Perth, WA, Australia, 30 November–2 December 2015; pp. 15–21.
  43. Chang, M.S. Evidence gathering of instagram on windows 10. Int. J. Innov. Sci. Eng. Technol. 2016, 3.
  44. Chang, M.S.; Yen, C.P. Forensic Analysis of Social Networks Based on Instagram. Int. J. Netw. Secur. 2019, 21, 850–860.
  45. Al-Duwairi, B.; Shatnawi, A.S.; Jaradat, H.; Al-Musa, A.; Al-Awadat, H. On the Digital Forensics of Social Networking Web-based Applications. In Proceedings of the 2022 10th International Symposium on Digital Forensics and Security (ISDFS), Istanbul, Turkey, 6–7 June 2022; pp. 1–6.
  46. Iqbal, F.; Khalid, Z.; Marrington, A.; Shah, B.; Hung, P.C. Forensic investigation of Google Meet for memory and browser artifacts. Forensic Sci. Int. Digit. Investig. 2022, 43, 301448.
  47. Barradas, D.; Brito, T.; Duarte, D.; Santos, N.; Rodrigues, L. Forensic analysis of communication records of messaging applications from physical memory. Comput. Secur. 2019, 86, 484–497.
  48. Oberlo. Most Popular Web Browsers in 2022. Oberlo. 2022. Available online: https://www.oberlo.com/statistics/browser-market-share (accessed on 11 September 2022).
  49. Azhar, M.; Barton, T.E.A. Forensic analysis of secure ephemeral messaging applications on android platforms. In Proceedings of the International Conference on Global Security, Safety, and Sustainability; Springer: Berlin/Heidelberg, Germany, 2017; pp. 27–41.
  50. Barton, T.; Azhar, M. Forensic analysis of the recovery of Wickr’s ephemeral data on Android platforms. In Proceedings of the First International Conference on Cyber-Technologies and Cyber-Systems, IARIA, Venice, Italy, 9–13 October 2016; pp. 35–40.
  51. Kim, G.; Kim, S.; Park, M.; Park, Y.; Lee, I.; Kim, J. Forensic analysis of instant messaging apps: Decrypting Wickr and private text messaging data. Forensic Sci. Int. Digit. Investig. 2021, 37, 301138.
  52. Rathi, K.; Karabiyik, U.; Aderibigbe, T.; Chi, H. Forensic analysis of encrypted instant messaging applications on Android. In Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), Antalya, Turkey, 22–25 March 2018; pp. 1–6.
  53. Choi, J.; Yu, J.; Hyun, S.; Kim, H. Digital forensic analysis of encrypted database files in instant messaging applications on Windows operating systems: Case study with KakaoTalk, NateOn and QQ messenger. Digit. Investig. 2019, 28, S50–S59.
  54. Sikos, L.F. Packet analysis for network forensics: A comprehensive survey. Forensic Sci. Int. Digit. Investig. 2020, 32, 200892.
  55. Montasari, R.; Hill, R.; Carpenter, V.; Montaseri, F. Digital forensic investigation of social media, acquisition and analysis of digital evidence. Int. J. Strateg. Eng. (IJoSE) 2019, 2, 52–60.
  56. Nikkel, B.J. Generalizing sources of live network evidence. Digit. Investig. 2005, 2, 193–200.
  57. Sudozai, M.; Saleem, S.; Buchanan, W.J.; Habib, N.; Zia, H. Forensics study of IMO call and chat app. Digit. Investig. 2018, 25, 5–23.
  58. Azab, A.; Watters, P.; Layton, R. Characterising network traffic for skype forensics. In Proceedings of the 2012 Third Cybercrime and Trustworthy Computing Workshop, Ballarat, Australia, 29–30 October 2012; pp. 19–27.
  59. Afzal, A.; Hussain, M.; Saleem, S.; Shahzad, M.K.; Ho, A.T.; Jung, K.H. Encrypted Network Traffic Analysis of Secure Instant Messaging Application: A Case Study of Signal Messenger App. Appl. Sci. 2021, 11, 7789.
  60. Umrani, A.; Javed, Y.; Iftikhar, M. Network forensic analysis of Twitter application on Android OS. In Proceedings of the 2022 International Conference on Frontiers of Information Technology (FIT), Islamabad, Pakistan, 12–13 December 2022; pp. 249–254.
  61. Norouzizadeh Dezfouli, F.; Dehghantanha, A.; Eterovic-Soric, B.; Choo, K.K.R. Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+ artefacts on Android and iOS platforms. Aust. J. Forensic Sci. 2016, 48, 469–488.
  62. Walnycky, D.; Baggili, I.; Marrington, A.; Moore, J.; Breitinger, F. Network and device forensic analysis of android social-messaging applications. Digit. Investig. 2015, 14, S77–S84.
  63. Karpisek, F.; Baggili, I.; Breitinger, F. WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages. Digit. Investig. 2015, 15, 110–118.
  64. Cents, R.; Le-Khac, N.A. Towards a New Approach to Identify WhatsApp Messages. In Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China, 29 December–1 January 2020; pp. 1895–1902.
  65. Beale, J.; Orebaugh, A.; Ramirez, G. Wireshark & Ethereal Network Protocol Analyzer Toolkit; Elsevier: Amsterdam, The Netherlands, 2006.
  66. Sanders, C. Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems; No Starch Press: San Francisco, CA, USA, 2017.
  67. Clarke, N.; Li, F.; Furnell, S. A novel privacy preserving user identification approach for network traffic. Comput. Secur. 2017, 70, 335–350.
  68. Afanasyev, M.; Kohno, T.; Ma, J.; Murphy, N.; Savage, S.; Snoeren, A.C.; Voelker, G.M. Privacy-preserving network forensics. Commun. ACM 2011, 54, 78–87.
  69. Yusoff, M.N.; Dehghantanha, A.; Mahmod, R. Network Traffic Forensics on Firefox Mobile OS: Facebook, Twitter, and Telegram as Case Studies. In Contemporary Digital Forensic Investigations of Cloud and Mobile Applications; Elsevier: Amsterdam, The Netherlands, 2017; pp. 63–78.
  70. Satrya, G.B.; Daely, P.T.; Shin, S.Y. Android forensics analysis: Private chat on social messenger. In Proceedings of the 2016 Eighth International Conference on Ubiquitous and Future Networks (ICUFN), Vienna, Austria, 5–8 July 2016; pp. 430–435.
  71. Satrya, G.B.; Nugroho, M.A. Digital forensics study of internet messenger: Line artifact analysis in Android OS. In Proceedings of the 2016 International Conference on Control, Electronics, Renewable Energy and Communications (ICCEREC), Bandung, Indonesia, 13–15 September 2016; pp. 23–29.
  72. Nicoletti, M.; Bernaschi, M. Forensic analysis of Microsoft Skype for Business. Digit. Investig. 2019, 29, 159–179.
Revisions: 2 times (View History)
Update Date: 05 Dec 2023