Analysis of Autopsy Mobile Forensic Tools against Unsent Messages on WhatsApp Messaging Application

Fahdiaz Alief, Y. Suryanto, Linda Rosselina, T. Hermawan
Published in: 2020 7th International Conference on Electrical Engineering, Computer Sciences and Informatics (EECSI), volume 101 1, pages 26-30. Publication date: 2020-10-01. DOI: 10.23919/EECSI50503.2020.9251876 (https://doi.org/10.23919/EECSI50503.2020.9251876)
Citations: 2

Abstract

This paper discusses a new feature implemented in most social media messaging applications: the unsent feature, where the sender can delete a message he sent on both the sender's and the recipient's devices. This feature poses a new challenge in mobile forensics, as it could potentially delete sent messages that could be used as evidence, without any means of retrieving them. This paper aims to analyze how well the open-source mobile forensics tool Autopsy extracts and identifies deleted messages, both sent and received. The device used in this paper is a Redmi Xiaomi Note 4, whose userdata block was extracted using a Linux command, and the application used is WhatsApp. Autopsy analyzes the extracted image to see what information can be extracted from the unsent messages. From the results of our experiment, Autopsy is capable of obtaining substantial information, but because each vendor and mobile OS stores files and databases differently, only WhatsApp data can be extracted from the device. Based on the WhatsApp data analysis, Autopsy is not capable of retrieving the deleted messages. However, it can detect traces of deleted data sent from the device. Using the sqlite3 database browser, the author can find remnants of received deleted messages in the files extracted by Autopsy.