Windows Instant Messaging App Forensics: Facebook and Skype as Case Studies
- Teing Yee Yang,
- Ali Dehghantanha,
- Kim-Kwang Raymond Choo,
- Zaiton Muda
- Published: March 16, 2016
- https://doi.org/10.1371/journal.pone.0150300
Abstract
Instant messaging (IM) has changed the way people communicate with each other. However, the interactive and instant nature of these applications (apps) has made them an attractive choice for malicious cyber activities such as phishing. The forensic examination of IM apps for modern Windows 8.1 (or later) has been largely unexplored, as the platform is relatively new. In this paper, we seek to determine the data remnants from the use of two popular Windows Store application software for instant messaging, namely Facebook and Skype, on a Windows 8.1 client machine. This research contributes to an in-depth understanding of the types of terrestrial artefacts that are likely to remain after the use of instant messaging services and application software on a contemporary Windows operating system. Potential artefacts detected during the research include data relating to the installation or uninstallation of the instant messaging application software, log-in and log-off information, contact lists, conversations, and transferred files.
Citation: Yang TY, Dehghantanha A, Choo K-KR, Muda Z (2016) Windows Instant Messaging App Forensics: Facebook and Skype as Case Studies. PLoS ONE 11(3): e0150300. https://doi.org/10.1371/journal.pone.0150300
Editor: Muhammad Khurram Khan, King Saud University, Saudi Arabia
Received: December 29, 2015; Accepted: February 11, 2016; Published: March 16, 2016
Copyright: © 2016 Yang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the paper.
Funding: The authors have no support or funding to report.
Competing interests: The authors have declared that no competing interests exist.
1. Introduction
Instant messaging (IM) is popular with both traditional computing device users (i.e., personal computers and laptops) and mobile device users, allowing them to exchange data with peers in real time using text messaging, voice messaging, and file sharing. According to the report of the Radicati Group [1], the number of worldwide IM accounts (with the exception of mobile messaging) in 2015 amounted to over 3.2 billion, which is expected to rise above 3.8 billion by the end of 2019.
Similar to other popular consumer technologies, IM services have also been exploited to commit frauds and scams [2–4], disseminate malware [5], groom children online with the purpose of sexual exploitation [6–9], etc. The chat logs can provide a great deal of information of evidential value to investigators [10, 11], which may often comprise a suspect's physical location, true identity, transactional information, incriminating conversations, and other personal information, i.e., email address and bank account number [12].
Due to the increased user privacy requirements [13] and demands for data redundancy, it is increasingly challenging to collect evidential data from the IM service provider (ISP). The data are frequently protected by proprietary protocols, encryption, etc., making it virtually impossible for forensic practitioners to collect meaningful information from the external network [14]. Moreover, collecting data from a multi-tenancy environment may breach the data privacy policies of the ISPs [15]. Even if the artefacts could be identified, the challenges are compounded by cross-jurisdictional investigations that may prohibit cross-border transfer of information [16–18]. In the worst-case scenario, the ISPs may not even log the incriminating conversations, in order to reduce traffic to the messaging servers [19].
Depending on the IM application in use, the client device can often provide alternative methods for recovery of the IM artefacts [20–22]. In addition to addressing the possible issues in relation to evidence acquisition from the ISPs, the terrestrial artefacts can be useful in establishing whether a suspect has a direct connection to a crime, as the suspect may otherwise claim that he/she is a victim of identity theft. While a practitioner should be cognisant of digital forensic techniques, it is just as important to maintain an up-to-date understanding of the potential artefacts that are recoverable from different types of IM products. Hence, in this paper, we seek to identify potential terrestrial artefacts that may remain after the use of the popular Facebook and Skype Windows Store application software (henceforth the Store app) on a Windows 8.1 client machine. Similar to the approaches of Quick and Choo [23–25], we attempt to answer the following questions in this research:
- What data remains on a Windows 8.1 device, and in which locations on a hard drive, after a user has used Facebook app version 1.4.0.9 and Skype app version 3.1.0.1007?
- What data remains in Random Access Memory (RAM) after a user has used the above IM services or apps on a Windows 8.1 device?
- What data can be seen in network traffic?
Findings from this research will contribute to the forensic community's understanding of the types of terrestrial artefacts that are likely to remain after the use of IM services and apps on devices running the newer Windows operating system.
The structure of this paper is as follows. Section 2 discusses the background and related work. Section 3 outlines the research methodology and the experiment environment and setup. In Sections 4 to 6, we present and discuss the findings from the IM apps. We then conclude the paper and outline potential future research areas in the last section.
2. Literature Review
A Windows Store app (formerly known as a Metro app) mimics the touch-screen-friendly mobile apps, while retaining the traditional mouse and keyboard inputs [26]. The installation is handled exclusively by the Windows Store, which bypasses the execution of executable files [27]. The Store apps are licensed to a Microsoft account, giving the users the right to install the same app on up to 81 different Windows 8 (or newer) desktop clients under the same login [28]. The concept also enables the users to roam the app credentials (stored inside the Credential Locker) between the corresponding devices [29].
The Store apps are predominantly built on Windows Runtime. In addition to offering the developers a multi-language programming environment, the architecture isolates the apps from the file system for security and stability [26]. The app itself is a package (.APPX file) that incorporates the app's code, resources, libraries, and a manifest up to a combined limit of 8GB [26]. Each Store app is represented by a package ID, which is often denoted by the package name followed by its build version, the target platform, and the alphanumeric publisher identification (ID). The installation and application folders can generally be located in %Program Files%\WindowsApps\[Package ID] and %localappdata%\packages\[Package ID] respectively [30, 31].
The application data, corresponding to the app states [26], are stored in three (3) categories: local, roaming, and temp states, each of which creates a subfolder in the application folder. The 'LocalState' folder holds device-specific information typically loaded to support the app functionality, such as temporary files and caches, recently viewed items, and other behavioural settings. The 'RoamingState' folder stores information shared between the same app running on multiple Windows devices under the same login. The data may include account configurations, favourites, game scores and progress, important URIs, etc. Meanwhile, the 'TempState' folder houses data temporarily suspended or terminated from memory for restoration purposes, such as page navigation history, unsaved form data, etc. The application data persist throughout the lifetime of a Store app, with the exception of the temp data, which may be subject to disk clean-up [26].
The application cache/data can be stored using caching mechanisms like HTML5 local storage and IndexedDB (for Store apps written in HTML and JavaScript) as well as other third-party database options like SQLite [32]. In the absence of an encryption mechanism, the data can assist in the reconstruction of user events such as cloud storage [28], emails [30], web browsing history [33], conversations [34], and other user-specific events [35], depending on the Store app in use.
Instant messaging has been the subject of numerous digital forensic studies since the mid-2000s. In a series of early works, Dickson identified that artefacts of the client-based American Online Messenger version 5.5 (AIM) [16], MSN Messenger version 7.5 [36], Yahoo Messenger version 7.0 [37], and Trillian version 3.1 [38] could be recovered from the registry, user settings, and other application-specific files on the hard drive of a Windows XP machine. By applying keyword searches, the author was able to recover portions of the conversation history from unstructured datasets such as memory dumps, slack space, free space, and swap files in plain text, even in the absence of chat logging. The findings were echoed by several other studies with respect to Digsby [39–41], Windows Live Messenger 8.0 [42], and Pidgin 2.0 [43]. However, Levendoski et al. [44] concluded that artefacts of the Yahoo Messenger client produced a different directory structure on Windows Vista/7. Kiley et al. [19] investigated web-based IM apps (i.e., AIM Express, Google Talk, Meebo, and E-Buddy) and found that artefacts of the contact lists, conversations, and approximate time of the last chat could only be recovered from the memory dump and the hard disk's free space, although references to the URLs, last access times, and view count information could be recovered from the web browsing history.
Wong et al. [45] and Al Mutawa et al. [46] demonstrated that artefacts of the Facebook web application could be recovered from memory dumps and the web browsing cache in JavaScript Object Notation (JSON) and Hypertext Markup Language (HTML) formats. Al Mutawa et al. [46] also described a methodology for investigating Arabic string artefacts on a computer device. In another study, Al Mutawa et al. [47] investigated artefacts of Facebook and several other IM applications on the iPhone 4, BlackBerry Torch 9800, and Samsung GT-i9000 Galaxy S. The authors were able to extract records of the contact list and conversations from the logical images, with the exception of the BlackBerry devices.
Said et al. [48] investigated Facebook and other IM applications for the iPhone 3G and 3GS, BlackBerry Bold 7000 and 900, Samsung Omnia II i8000, Nokia E71, and Ericsson G900. Of all the mobile devices investigated, it was determined that only the BlackBerry Bold 9700 and iPhone 3G/3GS provided evidence of Facebook use unencrypted. The study also revealed that artefacts of the Facebook applications were unique to the mobile devices investigated (i.e., the iPhone 3GS and iPhone 3G had the same version of Facebook v3.4.2 but maintained different files in the application folders). Walnycky et al. [49] added that artefacts of Facebook Messenger could vary depending on user settings, OS version, and manufacturer. Levinson et al. [50] demonstrated that records of recent Facebook chats stored in the property list of Facebook Messenger for iOS can assist forensic practitioners with timeline analysis.
Examining iTunes backups rather than disk images, Norouzizadeh et al. [10] and Tso et al. [51] concluded that it is possible to extract users' personal data, messages, contact lists and posts of the Facebook app from the iTunes backup of the iPhone 4 and iPhone 5s, respectively. Chu et al. [52] focused on live data acquisition from the desktop personal computer (PC) and were able to identify distinct strings that will assist forensic practitioners with the reconstruction of previous Facebook sessions. Wongyai and Charoenwatana [53] determined that objects recovered from a network analysis of the Facebook homepage can be broadly categorised into 24 types based on properties such as file type, naming pattern, IP address, and location or section on the page.
Sgaras et al. [54] analysed Skype and several other VoIP applications for the iOS and Android platforms. Although footprints of the installations, user profiles, conversations, contact lists, and network traffic could be located for all the VoIP applications investigated, it was concluded that the Android apps store far fewer artefacts than the iOS apps. Simon and Slay [55] found that remnants of Skype communication, communication history, contacts, passwords, and encryption keys could be recovered from a physical memory dump. However, Teng and Lin [56] demonstrated that, using SQLite editor tools, one could easily modify Skype log files. Unsurprisingly, other studies have suggested that the network traffic behaviour varies among different versions [57, 58].
In the only article on Windows Store apps for instant messaging (at the time of this research), Lee and Chung [34] studied the third-party Viber and Line apps and identified that the package identifications (IDs) could be discerned from '2414F_C7A.ViberFreePhoneCallsText_p61zvh252yqyr' and 'NA_VER.LINEwin8_8ptj331gd3tyt' respectively. By analysing the app caches, the authors managed to locate records of account logins, contacts, chats, and transferred files unencrypted. However, the study is limited to dead analysis of the hard disk. Hence, there is a need to develop a further understanding of the implications of the Windows Store apps for IM forensics, a gap that this paper aims to contribute to.
3. Research Methodology
The examination process in this research is adapted from the four-phase digital forensic framework of McKemmish [59], namely: identification of digital evidence, preservation of digital evidence, analysis, and presentation. The purpose is to enable the acquisition of realistic data similar to that found in real world investigations. This paper mainly focuses on the analysis stage, although we also briefly discuss evidence source identification, preservation, and presentation to demonstrate how the framework could be applied in practice.
The first step of the experiment involved the creation of eight (8) fictional accounts to play the roles of suspects and victims in this research (see Table 1). The IM accounts were assigned a unique 'display icon' and username which were not used within the respective IM apps and Windows operating system. This eases identification of the user roles. Next was to create the test environments for the suspects and the victims, which consisted of two (2) control base VMware Workstation virtual machines (VMs) version 9.0.0 build 812388 running Windows 8.1 Professional (Service Pack 1, 64 bit, build 9600). As explained by Quick and Choo [23–25], using physical hardware to undertake setup, erasing, copying, and re-installing would have been an onerous exercise. Moreover, a virtual machine allows room for error by enabling the test environment to be reverted to a restore point should the results be unfavourable. The workstations were configured with minimal space (2GB of physical memory and 20GB hard drive space) in order to reduce the time required to analyse the considerable number of snapshots in the latter stage.
In the third step, we conducted a predefined set of activities to simulate various real world scenarios of using the apps on each workstation/test environment. The base assumptions are that the practitioner encounters a live system running Microsoft Windows 8.1 in a typical home environment. Similar to the approaches of Quick and Choo [23–25], the 3111th email message of the University of California (UC) Berkeley Enron email dataset (downloaded from http://bailando.sims.berkeley.edu/enron_email.html on 24th September 2014) was used to create the sample files, saved as SuspectToVictim.rtf, SuspectToVictim.txt, SuspectToVictim.docx, SuspectToVictim.zip, SuspectToVictim.jpg (printscreen), VictimToSuspect.rtf, VictimToSuspect.txt, VictimToSuspect.docx, VictimToSuspect.jpg (printscreen), and VictimToSuspect.zip, to simulate the transferring and receiving of files of different formats using the IM apps. As the filenames suggest, the 'SuspectToVictim' (and 'VictimToSuspect') files were placed on the suspect's workstation (and victims' workstations respectively) and later transferred to the victims' workstations (and suspect's workstation respectively).
The experiments were predominantly undertaken in a NATed (where NAT stands for Network Address Translation) network environment and without firewall outbound restriction to represent a typical IM situation. Wireshark was deployed on the host machine to capture the network traffic from the suspect's workstation for each scenario. After each experiment was carried out, we saved a copy of the network capture file in .PCAP format, and created a bit-stream (dd) image of the virtual memory (.VMEM) file prior to shutdown. We then took a snapshot of each workstation after shutdown and made a forensic copy of the virtual disk (.VMDK) file in Encase Evidence (E01) format. This resulted in the creation of fifteen (15) snapshots (for each environment) as highlighted in Table 2, and Figs 1 and 2. The decision to instantiate the physical memory dumps and hard disks with the virtual disk and memory files was to prevent the datasets from being modified by the use of memory/image acquisition tools [23, 25].
The final step of this research was to analyse the datasets using a range of forensically recognised tools (as highlighted in Table 3) and present the findings. Both indexed and non-indexed as well as Unicode and non-Unicode string searches were included as part of the evidence searches. The experiments were repeated at least thrice (on different dates) to ensure consistency of findings.
4. Analysis of the Facebook App
Facebook (Messenger) is an IM service offered by Facebook, one of the most popular social network platforms with more than one billion daily active users on average [60]. The Store app was officially released on 17th October 2013 in conjunction with the launch of Windows 8.1 [61]. It allows users to view status updates and news feeds, send and receive text and voice messages, as well as features such as file transfer and image sharing. In this section, we present artefacts of installation, uninstallation, logins, contact lists, conversations, transferred files, and notifications of the Facebook app (version 1.4.0.9) on Windows 8.1.
4.1 Installation of the Facebook App
Examination of the directory listings showed that the package ID (for the Facebook app) can be discerned from 'Facebook.Facebook_1.4.0.9_x64__8xx8rvfyw5nnt'. A closer examination of the registry entries created during the installation showed that the installation time could be identified from the 'InstallTime' entry within the HKEY_USERS\<SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Facebook.Facebook_8xx8rvfyw5nnt\Facebook.Facebook_1.4.0.9_x64__8xx8rvfyw5nnt branch, stored as a 64-bit FILETIME hex value in big endian format.
A search for the package ID 'Facebook.Facebook_1.4.0.9_x64__8xx8rvfyw5nnt' in the Windows Store logs (residing at %AppData%\Local\Temp\winstore.log and %AppData%\Local\Packages\winstore_cw5n1h2txyewy\Ac\Temp\winstore.log) located supporting timestamp information such as the dates when the app was first launched and updated. Moreover, analysis of the prefetch files revealed the last run time and the number of times the app has been loaded in 'FACEBOOK.EXE.pf'. As for event logs, there was additional timestamp information which indicated the access times in 'Application.evtx', 'Microsoft-WS-Licensing%4Admin.evtx', 'Microsoft-Windows-AppModel-Runtime%4Admin.evtx', 'Microsoft-Windows-AppXDeploymentServer%4Operational.evtx', 'Microsoft-Windows-Audio%4PlaybackManager.evtx', 'Microsoft-Windows-CoreApplication%4Operational.evtx', 'Microsoft-Windows-PushNotification-Platform%4Operational.evtx', 'Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx', 'Microsoft-Windows-SettingSync%4Debug.evtx', 'Microsoft-Windows-Shell-Core%4Operational.evtx', 'Microsoft-Windows-TWinUI%4Operational.evtx', 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx', and 'System.evtx'.
Examination of the running processes using the 'pslist' function of Volatility determined that the process name could be discerned from 'Facebook.exe'. Fig 3 illustrates that the 'pslist' output also included the process identifier (PID), parent process identifier (PPID), and the process initiation and termination times. The PID could prove useful for correlating data associated with the app during further analysis of the RAM (i.e., contextualising a string using the 'Yarascan' function of Volatility).
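Turning the raw 'InstallTime' value described above into a readable date requires only the FILETIME epoch. The following Python is an added example, not code from the paper: it decodes a 64-bit FILETIME into a UTC datetime. The byte order is a parameter because registry binary values are normally stored little-endian while the paper reports the value as big-endian hex; the sample value used in the comments is the well-known Unix-epoch FILETIME constant, not a value taken from the authors' registry hives.

```python
"""Decode a Windows FILETIME (e.g. the 'InstallTime' registry entry) to UTC.

Added example; not the paper's code. No value here comes from the authors'
evidence; the test value is the standard FILETIME of 1970-01-01 00:00:00 UTC."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value: int) -> datetime:
    """Convert a raw FILETIME integer to a timezone-aware UTC datetime."""
    if value < 0 or value >= 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    # 100 ns ticks // 10 gives microseconds; timedelta accepts large counts.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_filetime_bytes(raw: bytes, byteorder: str = "little") -> datetime:
    """Decode an 8-byte FILETIME blob.

    Registry REG_BINARY/REG_QWORD data is normally little-endian; the paper
    reports 'InstallTime' as a big-endian hex value, so the order is a
    parameter rather than a built-in assumption."""
    if len(raw) != 8:
        raise ValueError("FILETIME blob must be exactly 8 bytes")
    if byteorder not in ("little", "big"):
        raise ValueError("byteorder must be 'little' or 'big'")
    fmt = "<Q" if byteorder == "little" else ">Q"
    return filetime_to_datetime(struct.unpack(fmt, raw)[0])


def decode_filetime_hex(hex_string: str, byteorder: str = "big") -> datetime:
    """Decode a FILETIME written out as hex text (the form a registry viewer shows)."""
    cleaned = hex_string.replace(" ", "").replace("-", "")
    return decode_filetime_bytes(bytes.fromhex(cleaned), byteorder)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, useful for cross-checking a decoded timestamp."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


if __name__ == "__main__":
    # 0x019DB1DED53E8000 is the FILETIME of the Unix epoch (constructed check value).
    print(decode_filetime_hex("01 9D B1 DE D5 3E 80 00", "big"))       # 1970-01-01 00:00:00+00:00
    print(decode_filetime_bytes(bytes.fromhex("00803ed5deb19d01"), "little"))
```

When reading the value from an exported hive rather than from the paper's hex dump, try the little-endian interpretation first and sanity-check the result against the Store log and prefetch timestamps the text describes; a decode that lands centuries away from those is almost always a byte-order mistake.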
4.2 Logins
In our experiments, it was observed that Facebook maintains a wealth of cache data for the Store app in a number of SQLite databases located in %AppData%\Local\Packages\Facebook.Facebook_1.4.0.9_x64__8xx8rvfyw5nnt\LocalState\<User specific Facebook ID>\DB\, such as Analytics.sqlite, FriendRequests.sqlite, Friends.sqlite, Messages.sqlite, Notifications.sqlite, and Stories.sqlite. However, it is noteworthy that these databases will only appear when the user is logged in from the app. The database of interest for the logins is Analytics.sqlite, which contains records of the login time in Unix epoch format. The records can be discerned from the 'name' and 'module' table columns, which reference 'login' and 'login_events' in the 'analytics_logs' table, respectively (see Fig 4). Within %AppData%\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\Ac\InetCache\<Cache ID>\ and %AppData%\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\AC\.local_cache\ there were copies of profile and cover pictures of the user and the contacts, as well as other pictures which appeared on the Facebook timelines. The pictures may provide invaluable leads that lay the groundwork for follow-up via traditional investigative techniques.
A search for the login password produced no matches in the forensic image and memory dump. An examination of the network traffic revealed that the host first established a session with the Symantec Certification Authority (i.e., IP address 23.58.43.27) for certificate authentication. Subsequently, the host accessed the nearest Akamai content delivery servers (i.e., IP addresses 23.62.109.*) and Facebook servers from different countries (i.e., IP addresses 31.13.*.* and 115.164.13.* in our research) on port 443 (hence HTTPS), which we theorised was to retrieve the profile and timeline information. Although the network traffic was encrypted and the login credentials were not recovered, we were able to correlate the IP addresses with the timestamp information to determine when the app was started up and the duration of Facebook use in our research.
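The login records in Analytics.sqlite are a plain SQL query once the schema is known. As an added example (not the paper's code), the Python below builds a constructed in-memory copy of the 'analytics_logs' table and pulls out login events by the 'name'/'module' pairing the paper identifies, converting the Unix epoch values to ISO 8601 UTC. The table and the 'name' and 'module' columns come from the paper; the timestamp column name (TS_COLUMN) and every sample row are assumptions made for this demonstration, and the helper also covers the 'chat_turned_on' and 'file_downloaded' event names the paper mentions later so one block serves both passages.

```python
"""Extract login and other events from a Facebook Store app Analytics.sqlite cache.

Added example, not the paper's code. 'analytics_logs', 'name' and 'module' are
from the paper; TS_COLUMN and the sample rows are constructed assumptions."""
import sqlite3
from datetime import datetime, timezone

TS_COLUMN = "timestamp"  # ASSUMED column name; confirm against the real schema first
assert TS_COLUMN.isidentifier()  # the name is interpolated into SQL, so keep it a bare identifier


def open_evidence_copy(path: str) -> sqlite3.Connection:
    """Open a working copy read-only so the examination cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database mimicking the layout the paper describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE analytics_logs (id INTEGER PRIMARY KEY, name TEXT, module TEXT, {TS_COLUMN} INTEGER)"
    )
    conn.executemany(
        f"INSERT INTO analytics_logs (name, module, {TS_COLUMN}) VALUES (?, ?, ?)",
        [
            ("app_launch", "app", 1411516800),        # 2014-09-24 00:00:00 UTC (constructed)
            ("login", "login_events", 1411516860),    # 2014-09-24 00:01:00 UTC
            ("chat_turned_on", "chat", 1411517000),
            ("file_downloaded", "chat", 1411518000),
            ("login", "login_events", 1411603260),    # one day later
        ],
    )
    conn.commit()
    return conn


def epoch_to_iso(ts: int) -> str:
    """Unix epoch seconds -> ISO 8601 string in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def extract_events(conn: sqlite3.Connection, names=None):
    """Return (iso_time, module, name) tuples oldest first, optionally filtered by event name."""
    sql = f"SELECT {TS_COLUMN}, module, name FROM analytics_logs"
    params = ()
    if names:
        sql += " WHERE name IN (%s)" % ",".join("?" * len(names))
        params = tuple(names)
    sql += f" ORDER BY {TS_COLUMN}"
    return [(epoch_to_iso(ts), module, name) for ts, module, name in conn.execute(sql, params)]


def login_times(conn: sqlite3.Connection):
    """Login timestamps: rows with name='login' and module='login_events', per the paper."""
    return [t for t, module, name in extract_events(conn, ["login"]) if module == "login_events"]


if __name__ == "__main__":
    db = build_sample_db()
    for row in extract_events(db):
        print(*row)
    print("logins:", login_times(db))
```

For a real examination, swap build_sample_db() for open_evidence_copy() on a copy of the database; the read-only URI keeps the SQLite engine from creating journal files beside the evidence.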
4.3 Friend Lists
Contact (or 'friend' in the context of Facebook) lists can be a useful reference point for a suspect's social network. A search for the suspect's profile name in the directory listing determined that artefacts of the contact lists can only be located in the Friends.sqlite database. The table of particular interest is the 'friends' table, which holds a list of user identifications (UIDs), full names, first names, middle names, last names, email addresses, phone numbers, profile links, communication rank (frequency of communication), and birth dates associated with the friends added by the user, as shown in Fig 5. Moreover, the 'profiles' table provides supplementary information relating to the profiles viewed by the user, such as the profile type (personal profile or page), description (if any), URLs to the profiles, cover photo metadata (i.e., photo IDs, sizes, URLs, titles, and creation times for the cover photos), number of common friends associated with the profiles (if any), whether a friend request can be sent to the profiles, and whether the user has liked the page or is a subscriber.
4.4 Conversations and Transferred Files
Facebook allows users to transfer files up to 15MB. When a file is uploaded using the chat window, it will be attached alongside the line of chat messages (if any) and appear as a download link. The sender is allowed to abort a transfer part way through the process. The downloaded files were saved under %Downloads%\ by default, all of which were given an Alternate Data Stream (ADS) ZoneTransfer marker (ZoneID) reading 'ZoneID = 3', indicating that the files were downloaded from an Internet zone [62]. This also suggests that when a user downloads a file using the Facebook app, there will be records remaining in Windows system files such as $LogFile, $MFT, and $UsnJrnl to indicate the filenames, directory paths, and timestamps for the downloaded files; an extract of the $LogFile entries (recovered from the suspect's workstation) is shown in Fig 6. Analysis of the thumbnail caches stored within %AppData%\Local\Packages\Package ID\AC\INetCache\<Cache ID>\ and %AppData%\Local\Microsoft\Windows\Explorer\ (henceforth thumbcache) determined that copies of the transferred or downloaded files can be recovered. This creates potential for alternative methods for recovery of the deleted files, but the results may not be definitive.
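The 'ZoneID = 3' marker above lives in a small INI-style stream named Zone.Identifier attached to the downloaded file. The following Python is an added example, not code from the paper or from Facebook: it parses that stream, maps the zone number to its Windows security zone name, and flags which files in a set carry the Internet-zone marker. The stream texts in SAMPLE_STREAMS are constructed; the ReferrerUrl/HostUrl fields are optional values that newer Windows builds may write and are simply passed through if present.

```python
"""Parse NTFS Zone.Identifier streams (the 'ZoneTransfer' marker on downloaded files).

Added example, not the paper's code. SAMPLE_STREAMS below is constructed."""
import configparser

# Windows URL security zones (URLZONE values); 3 is the Internet zone.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Return the fields of a [ZoneTransfer] block with ZoneId as an int and the zone name resolved."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(stream_text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("stream has no [ZoneTransfer] section")
    section = parser["ZoneTransfer"]  # option names are matched case-insensitively
    zone_id = int(section.get("ZoneId", "-1"))
    info = {"ZoneId": zone_id, "Zone": ZONE_NAMES.get(zone_id, "Unknown")}
    # Newer Windows builds may also record where the file came from; keep them if present.
    for key in ("ReferrerUrl", "HostUrl"):
        if key in section:
            info[key] = section[key]
    return info


def read_zone_identifier(path: str) -> dict:
    """On an NTFS volume the stream is opened as '<path>:Zone.Identifier'."""
    with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
        return parse_zone_identifier(fh.read())


def internet_downloads(streams: dict) -> list:
    """Given {filename: stream_text}, list the files marked as coming from the Internet zone."""
    return sorted(name for name, text in streams.items() if parse_zone_identifier(text)["ZoneId"] == 3)


SAMPLE_STREAMS = {  # constructed sample streams, not evidence from the paper
    "SuspectToVictim.docx": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "notes.txt": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "report.pdf": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/report.pdf\r\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_STREAMS.items():
        print(name, parse_zone_identifier(text))
    print("Internet-zone downloads:", internet_downloads(SAMPLE_STREAMS))
```

Because the stream is removed when a user "unblocks" the file and is not copied to non-NTFS media, its absence proves nothing; its presence, however, corroborates the $MFT/$UsnJrnl entries the paper describes and gives the zone the file was fetched from.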
Examination of the cache databases determined that artefacts of the conversations could be recovered from the Analytics.sqlite and Messages.sqlite databases. Within the 'analytics_logs' table of the former there were timestamp records which reflected the times when the chat tab was turned on, when conversations were initiated by the user, as well as when files were downloaded; these entries could be discerned from the 'name' table column, which referenced 'chat_turned_on', 'message_sent_attempt' or 'message_send_state', and 'file_downloaded' respectively. Meanwhile, details about the conversations and file transfers were recovered from the 'messages' table in the latter. Each thread created an entry which comprised the thread ID, chat texts (if any), UID and username of the sender and the receiver, a count of the number of times the message was sent, file attachment metadata (i.e., sender's username and ID as well as filename, file size, and format references for the files transferred, as shown in Fig 7), and other relevant information as shown in Fig 8. Additionally, the 'users' table (of the Messages.sqlite database) could provide additional information pertaining to the correspondents, including the UIDs, email addresses, Facebook names, last active times and other information as detailed in Fig 9.
Undertaking data carving of the memory captures and unallocated space only produced matches to the transferred/downloaded sample files. By searching for terms unique to the app cache databases (i.e., table column names), it was possible to recover complete/partial fragments of the databases in plain text (similar to other IM scenarios). However, there was no common footer information to indicate the file structure. Fig 10 illustrates that records of conversations from the 'messages' table (of the Messages.sqlite database) can be located using the table column name 'm_mid'. Moreover, we were also able to locate copies of Asynchronous JavaScript and XML (AJAX) objects for the Facebook conversations in the memory captures. The artefacts could provide a clear indication of contact times in Unix epoch format, Facebook usernames and UIDs of the correspondents, and conversation texts, as depicted in Fig 11. The JSON coding could be a suitable search keyword for future searches. The presence of the remnants in the memory space of 'Facebook.exe' confirmed that the texts were associated with the Facebook app.
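The keyword-then-carve approach described above (find a distinctive field name, then recover the JSON object around it) can be scripted against a memory capture. The Python below is an added example, not the paper's code: it scans a byte buffer for a keyword, walks outwards to the enclosing balanced {...} object, skips fragments that do not parse (truncated records), and summarises the survivors with their epoch timestamps converted to UTC. SAMPLE_DUMP and the JSON field names ("timestamp", "author", "body") are constructed for the demonstration; the real objects in Fig 11 will have their own field names, which is exactly why the keyword is a parameter.

```python
"""Carve JSON records from a memory capture by keyword, then summarise them.

Added example, not the paper's code. SAMPLE_DUMP and the field names inside it
are constructed; substitute the keyword seen in the real capture."""
import json
import re
from datetime import datetime, timezone


def _enclosing_object(buf: bytes, pos: int):
    """Return (start, end) of the smallest {...} enclosing buf[pos], or None if unbalanced.

    The backward scan ignores string contents, so a brace inside a string before the
    keyword can mislead it; the forward scan tracks strings and escapes properly and
    json.loads() is the final arbiter of whether the span is a real record."""
    depth = 0
    start = -1
    for i in range(pos, -1, -1):
        c = buf[i:i + 1]
        if c == b"}":
            depth += 1
        elif c == b"{":
            if depth == 0:
                start = i
                break
            depth -= 1
    if start < 0:
        return None
    depth = 0
    in_str = esc = False
    for j in range(start, len(buf)):
        c = buf[j:j + 1]
        if in_str:
            if esc:
                esc = False
            elif c == b"\\":
                esc = True
            elif c == b'"':
                in_str = False
            continue
        if c == b'"':
            in_str = True
        elif c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return start, j + 1
    return None  # ran off the end: truncated record


def carve_json_records(buf: bytes, keyword: bytes) -> list:
    """Every distinct, parseable JSON object in buf that contains keyword."""
    records, seen = [], set()
    for m in re.finditer(re.escape(keyword), buf):
        span = _enclosing_object(buf, m.start())
        if span is None or span in seen:
            continue
        seen.add(span)
        try:
            records.append(json.loads(buf[span[0]:span[1]].decode("utf-8", "replace")))
        except json.JSONDecodeError:
            continue  # keyword hit inside non-JSON data
    return records


def summarise(records: list) -> list:
    """(iso_time, author, body) per record, oldest first; epoch field assumed to be 'timestamp'."""
    rows = [r for r in records if isinstance(r.get("timestamp"), int)]
    rows.sort(key=lambda r: r["timestamp"])
    return [
        (datetime.fromtimestamp(r["timestamp"], tz=timezone.utc).isoformat(), r.get("author"), r.get("body"))
        for r in rows
    ]


SAMPLE_DUMP = (  # constructed stand-in for a memory capture
    b"\x00\x00\x00PAD\xff\xfe"
    b'{"timestamp":1411516920,"author":"fbid:100000000000002","body":"hi, file sent"}'
    b"\x00garbage\x00"
    b'{"timestamp":14115'  # truncated record: must be skipped
    b"\x00\x00"
    b'{"timestamp":1411516860,"author":"fbid:100000000000001","body":"hello"}'
    b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for row in summarise(carve_json_records(SAMPLE_DUMP, b'"timestamp"')):
        print(*row)
```

Running the same carver over the memory capture with the column name 'm_mid' as the keyword locates the SQLite 'messages' rows the paper mentions, although those will fail json.loads and should be handled as raw spans instead; the function deliberately keeps JSON parsing and span discovery separate so that step can be swapped.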
Inspecting the network traffic, it was observed that the transferred files were uploaded to IP addresses 31.13.70.*, 31.13.67.*, and 31.13.67.* with URLs referencing 'upload.facebook.com'. The downloaded files were seen from IP addresses 31.13.70.*, and the URLs were prefixed with 'cdn.fbsdx.com'. Meanwhile, the IP addresses 31.13.79.* and 31.13.76.102 were observed in relation to the conversations, with URLs referencing 'v-edge-chat.facebook.com' (see Table 4 for details). Although the contents were completely encrypted, the IP addresses and URLs highlighted as part of our research may assist a practitioner in scoping the Facebook activities undertaken by a suspect in future investigations. Additionally, the IP addresses can be correlated with the 'netscan' output (of Volatility) to obtain information regarding the running process (i.e., PID, process creation time, and socket states) as detailed in Fig 12.
4.5 Real-time Notifications
Facebook notifications prompt users in real-time when activities such as messages and comments are posted on their walls, or wall post tagging takes place. Analysis of the directory listings only revealed records of the notifications in the 'notifications' table of the Notifications.sqlite database. The records contained the senders' UIDs, notification texts, URLs, update and creation times, whether a notification has been read by the user ('1' for read and '0' for unread), and other options useful to aid timeline analysis (see Fig 13).
4.6 Uninstallation of the Facebook App
Uninstallation of the Facebook app did not create uninstallation files. When the uninstallation took place, only the installation folder remained, but it was moved to %Program Files%\WindowsApps\Deleted. Other footprints such as remnants in RAM, unallocated space, and system files such as pagefile.sys, shortcuts, event logs, prefetch files, $LogFile, $MFT, as well as $UsnJrnl were not affected by the uninstallation process. The uninstallation also created additional references to the directory paths and timestamp information for the files removed during the uninstallation in $LogFile, $MFT, as well as $UsnJrnl.
5. Analysis of the Skype App
Skype is a popular IM and Voice over Internet Protocol (VoIP) application that provides free IM services, and audio and video calls between computers and other mobile devices [63]. With the recent launch of Windows 8.1, Skype is now an integrated Windows service. The most recent version of Skype uses the Super Wideband Audio Codec (SILK) [64]. The overlay peer-to-peer network consists of a combination of ordinary nodes and supernodes [57]. An ordinary node is a typical Skype application that provides the users the ability to place calls and send text messages. The supernode serves as a proxy to relay data between nodes with firewall restrictions and as an intermediary to handle authentication and user lookups during logins [57].
In this section, we present the results of our investigation of artefacts left behind after the use of the Skype (Windows Store) app version 3.1.0.1007 on Windows 8.1, such as installation directory paths, usernames, passwords, text of conversations, transferred or downloaded files, records of video and voice calls, and the associated timestamps.
5.1 Installation of the Skype App
Analysis of the directory listing identified that the package ID could be discerned from 'Microsoft.SkypeApp_kzf8qxf38zg5c'. The package ID was then used to correlate the 'InstallTime' registry entry, Windows Store logs, and event logs to determine the installation and accessed times. An inspection of the prefetch files determined that the process name (for the Skype app) was masqueraded with 'WWAHost.exe', the process name for Store apps written in JavaScript [35]. As the same process name was located for more than one app of the same type, it was not possible to determine exactly which prefetch file was associated with the Skype app.
5.2 Logins
The crucial artefacts were predominantly located in the user-specific %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\main.db database (unless otherwise stated, all tables will henceforth be referred to this database). Of particular interest with respect to the logins is the 'Accounts' table, which maintains a list of details about the Skype accounts logged in from the computer under investigation. The details contain the account registration times in Unix epoch format, Microsoft Live usernames, Skype names, users' full names, birth dates, gender, registered locations, phone numbers, email addresses, homepage URLs (if any), mood texts and their creation times, time zones, and other data useful for user profiling. To recover the avatars used by the users, the practitioner can access %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\avatars\.
Analysis of the Internet Explorer web browsing history identified two URLs associated with the logins, namely 'login.skype.com/login?message=signin_continue&return_url=…' and 'login.skype.com/login/sso?nonce=…'. The web browsing history can provide an estimate of the number of times a suspect had accessed Skype as well as the corresponding login times on the computer under investigation.
Examination of the %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\shared.xml file indicated the Skype name and node ID of the user in the 'Default' and 'NodeID' tags, respectively. The Skype name can prove useful for correlating events initiated by the user during further analysis. Meanwhile, it was observed that the 'HostCache' tag maintains a string of the supernode IP address and port pairs that Skype builds and refreshes regularly [57]. Each of these is recorded as a twelve-character hexadecimal string prefixed with '0400050041050200' [65]. The shared.xml file also held records of the last used external IP address, port number, and last connected supernode IP address and port pair in the 'LastIP', 'ListeningPort', and 'Supernode' tags in decimal format, respectively (see Fig 14); these are useful to support network analysis.
Although the process name was masqueraded with 'WWAHost.exe', we could correlate the supernode IP addresses (obtained from the shared.xml file) with the 'netscan' output (of Volatility) to determine the PID. For instance, when we mapped the supernode IP address of '111.221.77.148' with the 'netscan' output recovered from our research (see Fig 15), we obtained the PID '656'. The PID could then be used to map the 'pslist' output (of Volatility) to obtain additional information such as the PPID and process creation time as shown in Fig 16. Further analysis of the unstructured datasets identified that the config.xml and shared.xml files can potentially be carved from the memory dump and unallocated space using the header and footer values of "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 … 3C 2F 55 49 3E 0D 0A 3C 2F 63 6F 6E 66 69 67 3E 0D 0A" and "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 … 3C 2F 4C 69 62 3E 0D 0A 3C 2F 63 6F 6E 66 69 67 3E 0D 0A" respectively, but the findings may be subject to software updates.
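The carving and correlation workflow of Section 5.2, as an added Python example that is not part of the paper or of Skype's own code: it carves config.xml and shared.xml from a constructed byte blob using the header and footer values above, decodes the HostCache entries (the split of each twelve-character entry into a 4-byte IPv4 address and a 2-byte big-endian port is an assumption of this example), and matches the supernode addresses against constructed Volatility 'netscan' lines to recover the PID. All sample XML, addresses and netscan rows below are constructed; the shared.xml tag nesting is assumed.

```python
import re
import struct
import xml.etree.ElementTree as ET

# Header and footer byte sequences quoted in Section 5.2 for carving:
# '<?xml version="' ... '</UI>\r\n</config>\r\n'  (config.xml)
# '<?xml version="' ... '</Lib>\r\n</config>\r\n' (shared.xml)
XML_HEADER = b'<?xml version="'
CONFIG_FOOTER = b"</UI>\r\n</config>\r\n"
SHARED_FOOTER = b"</Lib>\r\n</config>\r\n"
# Marker preceding every HostCache entry (Section 5.2, citing [65]).
HOSTCACHE_PREFIX = "0400050041050200"


def carve_xml(blob: bytes, footer: bytes) -> list:
    """Return each header..footer region of blob as text. A header whose matching
    footer lies beyond the next header belongs to a different file type and is skipped."""
    found, pos = [], 0
    while True:
        start = blob.find(XML_HEADER, pos)
        if start < 0:
            break
        end = blob.find(footer, start)
        if end < 0:
            break
        next_header = blob.find(XML_HEADER, start + 1)
        if next_header != -1 and next_header < end:
            pos = next_header  # the footer belongs to a later file; retry from there
            continue
        end += len(footer)
        found.append(blob[start:end].decode("utf-8", errors="replace"))
        pos = end
    return found


def int_to_ip(value: int) -> str:
    """'LastIP' and 'Supernode' hold the address as a decimal integer (Section 5.2)."""
    return ".".join(str(b) for b in struct.pack(">I", value))


def parse_hostcache(hostcache_hex: str) -> list:
    """Decode HostCache entries into (ip, port) tuples. Assumed layout per entry:
    marker + 4-byte IPv4 + 2-byte big-endian port (twelve hex characters)."""
    pairs = []
    for m in re.finditer(HOSTCACHE_PREFIX + r"([0-9a-fA-F]{12})", hostcache_hex):
        raw = bytes.fromhex(m.group(1))
        pairs.append((".".join(str(b) for b in raw[:4]), struct.unpack(">H", raw[4:])[0]))
    return pairs


def parse_shared_xml(text: str) -> dict:
    """Extract the login-related tags the paper names from a carved shared.xml."""
    root = ET.fromstring(text)

    def first(tag):
        el = next(root.iter(tag), None)
        return el.text.strip() if el is not None and el.text else None

    return {
        "skype_name": first("Default"),
        "node_id": first("NodeID"),
        "last_ip": int_to_ip(int(first("LastIP"))),
        "listening_port": int(first("ListeningPort")),
        "last_supernode": int_to_ip(int(first("Supernode"))),
        "supernodes": parse_hostcache(first("HostCache") or ""),
    }


def pids_for_supernodes(netscan_lines, supernodes) -> dict:
    """Map each supernode IP seen as a foreign address in 'netscan' output to the owning
    PID (TCP rows: offset, proto, local, foreign, state, pid, owner, created)."""
    wanted = {ip for ip, _ in supernodes}
    hits = {}
    for line in netscan_lines:
        parts = line.split()
        if len(parts) < 6 or not parts[1].startswith("TCP"):
            continue
        foreign_ip = parts[3].rsplit(":", 1)[0]
        if foreign_ip in wanted:
            hits[foreign_ip] = int(parts[5])
    return hits


# Constructed sample data (not the paper's evidence). HostCache holds two entries:
# 111.221.77.148:33033 (the IP and port quoted in Section 5.2) and 203.0.113.9:12345.
SAMPLE_SHARED_XML = (
    '<?xml version="1.0"?>\r\n<config version="1.0">\r\n<Lib>\r\n'
    "<Account><Default>alice.example</Default><NodeID>123456789</NodeID></Account>\r\n"
    "<Connection><HostCache>04000500410502006fdd4d948109"
    "0400050041050200cb0071093039</HostCache>\r\n"
    "<LastIP>3221225985</LastIP><ListeningPort>33033</ListeningPort>\r\n"
    "<Supernode>3405803781</Supernode></Connection>\r\n"
    "</Lib>\r\n</config>\r\n"
)
SAMPLE_CONFIG_XML = (
    '<?xml version="1.0"?>\r\n<config>\r\n<UI>\r\n'
    "<General><LastUsed>alice.example</LastUsed></General>\r\n</UI>\r\n</config>\r\n"
)
SAMPLE_BLOB = (b"\x00" * 24 + SAMPLE_CONFIG_XML.encode() + b"\xff" * 16
               + SAMPLE_SHARED_XML.encode() + b"\x00" * 24)
NETSCAN_SAMPLE = [  # constructed lines in Volatility netscan layout
    "Offset(P) Proto Local Address Foreign Address State Pid Owner Created",
    "0x7d8a2f50 TCPv4 192.168.56.101:49352 111.221.77.148:40022 ESTABLISHED 656 WWAHost.exe 2015-12-01 10:15:22 UTC+0000",
    "0x7d8b1010 TCPv4 192.168.56.101:49360 65.55.246.85:443 ESTABLISHED 656 WWAHost.exe 2015-12-01 10:15:25 UTC+0000",
    "0x7d8c2220 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 784 svchost.exe 2015-12-01 10:01:03 UTC+0000",
    "0x7d8d3330 UDPv4 0.0.0.0:5353 *:* 1204 chrome.exe 2015-12-01 10:02:44 UTC+0000",
]

if __name__ == "__main__":
    for text in carve_xml(SAMPLE_BLOB, SHARED_FOOTER):
        info = parse_shared_xml(text)
        print(info)
        print(pids_for_supernodes(NETSCAN_SAMPLE, info["supernodes"]))
```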
Upon launching the app, it was observed that the host first established a session with EdgeCast Networks to download Microsoft's certificate revocation list (CRL) on port 80. The next session was established with the Akamai servers to retrieve the contact (i.e., IP address 23.58.236.138) and advertising data (i.e., IP address 23.58.154.154) on port 443. Then, a session was established with the Microsoft servers (i.e., IP addresses 168.63.212.78 and 137.116.32.77 on port 443) for the traffic management service. When the logins occurred, the host first established several TCP sessions with random supernodes, which we hypothesised were for user lookups [57]. Similar to the observation of Azab et al. [57], the IP addresses were associated with a combination of random and destined (33033) port numbers. The next servers accessed were the Windows Live Messenger server (i.e., IP address 65.54.184.60), Windows Live servers (i.e., IP addresses 65.55.246.*), as well as the Hotmail server (i.e., IP address 65.55.68.104) on port 443 for login authentication and buddy list retrieval. Sessions were subsequently seen with random IP addresses on random UDP ports. Also observed were many connections to the IP addresses 91.190.216.* (referencing 'rstwh.skype-cr.akadns.net' and '1007.0.1.3.9.rst15.r.skype.net') on random TCP port numbers, but we were unable to identify the actual functions of the IP addresses due to lack of information from the URLs as well as the encrypted traffic (see Table 5 for details of the captured network traffic). Rebuilding the network files using Netminer, we only recovered certificates that were used to authenticate the HTTPS sites as well as HTML documents and image files from the HTTP sites. Since the network traffic was encrypted (HTTPS), no credential information was recovered from the network captures.
5.3 Contacts
Artefacts of the contacts were located in the 'Contacts' table. The artefacts comprised the Skype names, full names, birth dates, gender details, languages, registered locations, contact numbers, email addresses, homepage URLs (if any), mood texts, time zones, last online times, display names, last accessed times, and other information as depicted in Fig 17. Examination of the %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\config.xml file revealed the user ID for the contact with whom the user last communicated as well as the last accessed time. Each contact formed an opening and closing subtag in the 'u' tag as shown in Fig 18.
When the Skype account was synced with the Microsoft account, additional profile information was recovered for the contacts in the address book located at %Appdata%\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\6e4f9dff0b76dd9b\1207120049\People\AddressBook\26000001_bef42d234ebd42.appcontent-ms. Each contact formed an opening and closing 'properties' tag to house the search properties such as search keywords, full names, home addresses, birth dates, phone numbers, and other information as detailed in Fig 19, which may be of value for user profiling. Additionally, similar information could be located for the user in the %Appdata%\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\6e4f9dff0b76dd9b\120712-0049\People\Me\24000001_7b20c4c2b2382.appcontent-ms file.
5.4 IM Conversations and Transferred Files
Examination of the directory listings determined that downloaded files were saved in %Downloads%\Microsoft.SkypeApp_kzf8qxf38zg5c!App\ and %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\ReceiveStorage\ by default; each of these was given an ADS ZoneID reading 'ZoneID = 3'. Meanwhile, copies of the transferred files were located in %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\SendingStorage\. The files retained the original filenames and extensions. In addition to the file download or transfer directory paths, we were able to recover copies of thumbnail images for the transferred or downloaded files inside the Windows thumbcache.
An inspection of the registry entries observed that each transferred or downloaded file created a Globally Unique Identifier (GUID) key in HKEY_USERS\<SID>\Software\Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SkypeApp_kzf8qxf38zg5c\PersistedStorageItemTable\ManagedByApp\. The entries of particular interest within the key are 'FilePath' and 'LastUpdatedTime', which hold the directory path and last modified time for the file. When the sample files were opened, references were found for the directory paths and last accessed times in the 'RecentDocs' registry key and the 'DLLHOST.EXE.pf' prefetch file.
An inspection of the main.db database located further details regarding the file transfer or download in the 'Transfers' table. The details included the senders' names, transfer types (where 1 indicates receiving and 2 indicates transferring), reasons for transfer failure (if any), storage paths, the times when the transfers were accepted, started and finished, as well as other file transfer data as shown in Fig 20. Records specific to the conversation or file transfer threads were located in the 'Messages' table, which encompassed the senders' Skype names (authors), whether the correspondents were the user's permanent contacts, the times when the threads were sent in Unix epoch format, the message sending status and types (as indicated in Table 6), reasons for message sending failure (if any), and other information as shown in Fig 21. A group chat could be discerned from the 'participant_count' table column having a value higher than 2. Moreover, it was also possible to recover the chat texts and metadata associated with the downloaded or transferred files in the 'body_xml' table column (of the 'Messages' table). As can be seen in Fig 22, each downloaded or transferred file forms an opening and closing XML subtag (in the 'files' tag) to record its file size, transfer index, transfer ID, and filename in the 'body_xml' table column.
Another file of forensic interest that will potentially allow a practitioner to recover the conversation history is the 'Chatsync' file located in %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\Chatsync\. The 'Chatsync' file is stored in the format <Random 16 character string>.DAT and is mainly used to facilitate chat log synchronisation between devices [67]. The 'Chatsync' file is conversation-session-specific in the sense that a chatsync file is generally created for each chat session. Fig 23 illustrates that the 'Chatsync' files may provide the chat texts and timestamp data for the chat sessions associated with the Skype user.
Unsurprisingly, a manual search for terms unique to the Enron sample files (i.e., 'pensive' and 'parakeet') as well as table column names of the main.db database produced matches to the plain text copies of the transferred/downloaded files and the main.db database in the unstructured datasets, respectively. However, there was no common footer information that could enable future carving of the main.db database. We also located fragments of the payloads for the conversation threads in the memory dump, which held the conversation times, senders' and receivers' Skype names, and conversation texts as highlighted in Fig 24. When file transfers occurred, additional entries were observed for the filenames, file sizes, and file transfer IDs in the payload. The header fields could be suitable search terms for the remnants; a Yarascan search would attribute the remnants to the Skype process.
Examination of the network traffic observed that the host established a direct UDP connection with the correspondents during conversations and file transfers, and hence the IP addresses could be detected. However, there was no definitive port number or URL which could enable future identification of the traffic. Further analysis of the network packets determined that the data were fully encrypted, but we were able to estimate when the conversations took place from the respective timestamp information.
5.5 Voice and Video Calls
Skype allows users to perform voice calls via free Skype to Skype calls, and in the premium version users can make Skype to mobile or landline calls using Skype credit. To enhance the user's interactive experience, Skype allows users to share free video calls with anyone who has Skype and a webcam or compatible smartphone.
Examination of the directory listings determined that the Skype app does not save the voice and video calls. However, we were able to recover a wealth of caches relating to the voice and video calls in the main.db database. Recalling the 'Messages' table, it was observed that entries of the voice or video calls could be differentiated from the 'type' table column given the value 30, 39, or 67 (see Table 6). Details of the voice or video calls were recovered from the 'Calls' table, which comprised the callers' Skype names, the times when the calls were started, the call durations in seconds, and whether the calls were incoming calls, conference calls, or put on hold (see Fig 25). Additionally, the 'CallMembers' table provided additional information associated with the contacts with whom the user had voice or video calls, such as the Skype names, full names, call charges, reasons for call failures (if any), graphical user IDs (represented as '<User's Skype name>-<Correspondent's Skype name>-<Call name>'), external IP addresses of the correspondents, call statuses, the times when the calls were started, the call durations, and whether the calls were incoming or outgoing, conference calls, and from permanent contacts.
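Reconstruction of the 'Messages' and 'Transfers' tables as described in Sections 5.4 and 5.5, as an added Python example that is neither the paper's nor Skype's code: it builds a constructed in-memory stand-in for main.db, converts the Unix epoch timestamps, separates call entries (type 30, 39 or 67), file-transfer entries (a 'files' tag in body_xml) and plain chat, flags group chats via participant_count, and decodes transfer direction. Only the column names the paper quotes are taken from it; the remaining column names, the body_xml attribute names (size, index, tid) and every row value are assumptions for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Message 'type' values the paper lists (Table 6) as voice or video call entries.
CALL_MESSAGE_TYPES = {30, 39, 67}
# 'Transfers.type': 1 = receiving, 2 = transferring (Section 5.4).
TRANSFER_DIRECTION = {1: "received", 2: "sent"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for main.db. Columns the paper names ('author',
    'timestamp', 'type', 'participant_count', 'body_xml') are used as given; the other
    column names and all row values are assumed for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Messages (
            id INTEGER PRIMARY KEY, chatname TEXT, author TEXT, from_dispname TEXT,
            timestamp INTEGER, type INTEGER, participant_count INTEGER, body_xml TEXT);
        CREATE TABLE Transfers (
            id INTEGER PRIMARY KEY, partner_handle TEXT, type INTEGER, status INTEGER,
            filename TEXT, filepath TEXT, filesize TEXT,
            accepttime INTEGER, starttime INTEGER, finishtime INTEGER);
    """)
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?,?,?,?)", [
        (1, "#alice/$bob;1a2b", "alice", "Alice", 1449052800, 61, 2,
         "the parakeet is pensive"),
        (2, "#alice/$bob;1a2b", "bob", "Bob", 1449052860, 68, 2,
         '<files alt=""><file size="20480" index="0" tid="1234567890">'
         "report.docx</file></files>"),
        (3, "#alice/$bob;1a2b", "alice", "Alice", 1449053000, 30, 2,
         '<partlist type="ended" alt=""/>'),
        (4, "#alice/$team;9f8e", "carol", "Carol", 1449053100, 61, 3,
         "group chat text"),
    ])
    conn.executemany("INSERT INTO Transfers VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, "bob", 1, 8, "report.docx",
         r"C:\Users\alice\Downloads\Microsoft.SkypeApp_kzf8qxf38zg5c!App\report.docx",
         "20480", 1449052861, 1449052862, 1449052870),
    ])
    return conn


def epoch_to_iso(ts: int) -> str:
    """main.db stores times as Unix epoch seconds (Sections 5.2 and 5.4)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def files_from_body_xml(body_xml: str) -> list:
    """Extract the per-file metadata recorded inside the 'files' tag (Fig 22).
    Returns [] for plain chat text or unparsable payloads."""
    if not body_xml or "<files" not in body_xml:
        return []
    try:
        root = ET.fromstring(body_xml)
    except ET.ParseError:
        return []
    return [{"filename": (f.text or "").strip(), "size": int(f.get("size", 0)),
             "index": int(f.get("index", 0)), "tid": f.get("tid")}
            for f in root.iter("file")]


def reconstruct_messages(conn: sqlite3.Connection) -> list:
    """Timeline of the 'Messages' table: calls by 'type', file rows by body_xml,
    group chats by participant_count > 2."""
    rows = conn.execute(
        "SELECT chatname, author, from_dispname, timestamp, type, participant_count, "
        "body_xml FROM Messages ORDER BY timestamp").fetchall()
    timeline = []
    for chatname, author, disp, ts, mtype, pcount, body in rows:
        files = files_from_body_xml(body)
        kind = "call" if mtype in CALL_MESSAGE_TYPES else ("file_transfer" if files else "chat")
        timeline.append({"chat": chatname, "author": author, "display_name": disp,
                         "time": epoch_to_iso(ts), "type": mtype, "kind": kind,
                         "group_chat": (pcount or 0) > 2, "files": files,
                         "text": body if kind == "chat" else None})
    return timeline


def reconstruct_transfers(conn: sqlite3.Connection) -> list:
    """Rows of the 'Transfers' table with direction and the three times decoded."""
    rows = conn.execute(
        "SELECT partner_handle, type, filename, filepath, filesize, accepttime, "
        "starttime, finishtime FROM Transfers ORDER BY starttime").fetchall()
    return [{"partner": p, "direction": TRANSFER_DIRECTION.get(t, "unknown(%s)" % t),
             "filename": fn, "filepath": fp, "filesize": int(fs),
             "accepted": epoch_to_iso(a), "started": epoch_to_iso(s),
             "finished": epoch_to_iso(f)} for p, t, fn, fp, fs, a, s, f in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for entry in reconstruct_messages(db):
        print(entry)
    for transfer in reconstruct_transfers(db):
        print(transfer)
```

Against a real main.db, replace build_sample_db() with sqlite3.connect() on a copy of the file and keep the queries.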
Examination of the network traffic of the voice and video calls observed that the app established a session with the CloudFlare (GlobalSign) server for Online Certificate Status Protocol (OCSP) stapling and with the Verisign server for certificate authentication. When the calls occurred, the IP addresses were allocated to the supernodes (on random TCP ports) and then to the Windows Live server (i.e., IP address 65.55.246.85) on port 443, which we theorised were for user lookups and authentication. The network traffic was subsequently seen with random IP addresses and UDP ports, which were hypothesised to be from supernodes responsible for bridging the VoIP, but the contents were completely encrypted.
5.6 Video Messages
Skype allows users to share video messages (video recordings) with other online and offline users. The video messages are sent as a link in Skype version 6.5 or older, which requires a secret code to access.
When sending a video message, it was observed that the Skype app stored a copy of the video message in %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\media\ of the sender's device by default. The video message also created a thumbnail image in %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\thumbnails\.
Analysis of the main.db database revealed that the Skype app cached notifications of the video messages in the 'body_xml' table column of the 'Messages' table, and these entries could be discerned from the XML tag 'videomessage'. The notification records provided the video message IDs, public links, and secret codes (sent from Skype application version 6.5 or older) for the video messages sent or received by the user as highlighted in Fig 26. Meanwhile, details of the video messages sent/received could be located in the 'VideoMessages' table, which included the directory paths, public links, titles, descriptions (if any), author names, creation times, and transferring or receiving times as illustrated in Fig 27.
5.7 Uninstallation of the Skype App
Uninstallation of the Skype app did not remove the installation folders, as was presented for the Facebook app. However, the application folder was removed from the file system completely. Analysis of the unallocated space, RAM, as well as a variety of Windows system files (i.e., $LogFile, $MFT, $UsnJrnl, pagefile.sys, shortcuts, event logs, prefetch files, and thumbcache files) resulted in the recovery of artefacts created prior to uninstallation of the app, with additional references to the directory paths and timestamp information for the files removed during the uninstallation in $LogFile, $MFT, and $UsnJrnl.
6. Discussion
In this research, we identified artefacts common to investigating the Windows Store apps for IM. Previous studies only addressed dead analysis of the IM apps, while we focus on both the volatile and non-volatile artefacts. Our experiments showed that the Facebook and Skype apps maintain a wealth of caches of forensic interest inside the 'localstate' application folder in unencrypted SQLite databases, which seems to agree with the findings of Lee and Chung [34]. This indicates that when a user has used a Windows Store app for IM, there will be records remaining in the application folder to support reconstruction of the logins, contact lists, conversations, file transfers, and other relevant IM activities, assuming that the app is not removed.
Although several registry keys new to the Windows Store apps could be recovered, it was determined that the Windows Store apps record significantly less data of interest to IM forensics in comparison to traditional desktop client applications. While artefacts of the user profiles, contact lists and recent communications could potentially be recovered from the registry of the older Windows IM client applications [16, 21, 36–38, 42, 43], only installation metadata (i.e., install paths and times) could be recovered for the Windows Store apps, albeit records of the transferred files could be recovered in some cases. This likely resulted from the adoption of the app caches. Similar to any other Windows client applications, our examinations of the system files such as $LogFile, $MFT, $UsnJrnl, shortcuts, event logs, thumbnail cache, as well as the 'recentdocs' registry key revealed that additional timestamp information could be recovered to support evidence found in all scenarios, but results may not be definitive.
It should be noted, however, that the significance, amount, and location of artefacts could vary in accordance with the Windows Store apps under investigation. For instance, in our research, it was determined that:
- both the Facebook and Skype apps maintain a different directory structure in the application folders;
- the apps hold different database schemas for the application caches;
- caches of the Facebook app appear only when the user is logged in from the app, while caches of the Skype app remain resident throughout the lifetime of the app;
- the Skype app caches copies of the transferred and downloaded files in the application folder but this is not the case with the Facebook app;
- only the Skype app holds records of the transferred or downloaded files in HKEY_USERS\<SID>\Software\Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\<Package ID>\PersistedStorageItemTable\ManagedByApp\.
The findings suggest that while a method can be generally defined to guide the investigation of the Windows Store apps, a different procedure may be necessary for investigating different IM apps.
Our examinations of the physical memory captures indicated that the memory dumps can provide a potential alternative method for recovery of the application caches in plain text, with the exception of the login password. The fact that there was no clear text password in the hard drives and memory dumps should perhaps be unsurprising since the credential data is securely encrypted in the Credential Locker [29]. Nevertheless, a practitioner must keep in mind that memory changes frequently according to users' activities and will be wiped as soon as the system is shut down.
In some cases, remnants of the caches could be located in the swap file (pagefile.sys) and unallocated space. The most probable explanation for the remnants is that the system swapped inactive memory pages containing the application caches out of memory to the hard disk during the system's normal operation. As the remnants were recovered with a minimal space configuration in our research, we believe there will be a greater chance of remnants on a typically larger system. Although the network traffic was encrypted, sufficient IP address and URL references could be located for scoping the user activities as well as requesting assistance from counterparts overseas (i.e., via Interpol). Hence, we recommend that physical memory and network captures should be undertaken wherever practical. Table 7 summarises the key artefacts located as part of our research.
7. Conclusion and Future Work
Instant messaging (IM) apps, such as VoIP apps, are increasingly popular among individuals and business organisations [68], including criminals. To ensure the most effective collection of evidence of relevance, it is important that a practitioner possesses an up-to-date understanding of different technologies [69–77]. This paper presented the findings from our forensic examination (acquisition and reconstruction of the terrestrial artefacts left by the use) of two popular Windows Store IM apps, namely Facebook and Skype. The study covered installation, uninstallation, logins, conversations, transferred files, and other IM activities specific to the apps investigated.
The results indicated that use of the Windows Store IM apps can leave behind incriminating evidential material useful or critical to an investigation on the hard drive, in memory dumps, and in network captures. The artefacts located as part of our experiments are likely to be common to other Windows Store IM apps as well as newer Windows OS (i.e., Windows 10), since the apps share a common feature set. While the implementation may vary between different IM apps, we contend that practitioners could use the artefacts identified in this research as a basis for their investigation of the client as a potential evidence source.
Future work would include:
- Extending this study to new (versions of) apps, including apps popular in other countries (i.e., WeChat and LINE), to have an up-to-date forensic understanding of these technologies that can be used to inform investigations.
- Proposing a method for analysing new (as yet) unknown apps with similar functionality(ies). If such a method can be developed, evaluation might demonstrate that it can be applied to a new app, or even implemented in a tool.
Author Contributions
Conceived and designed the experiments: TYY AD KKRC. Performed the experiments: TYY. Analyzed the data: TYY. Contributed reagents/materials/analysis tools: TYY AD KKRC. Wrote the paper: TYY AD KKRC ZM.
References
- one. The Radicati Group Releases "Instant Messaging Statistics Report, 2015–2019. California: Radicati Group; 2015 March 16. Available: http://www.radicati.com/?p=13001. Accessed 18 June 2015.
- two. Online dating fraud up past 33% final twelvemonth. London: City of London Police force; 2015 [2015 February 13] Available: https://www.cityoflondon.police.u.k./advice-and-support/fraud-and-economic-crime/nfib/nfib-news/Pages/online-dating-fraud.aspx. Accessed 29 May 2015
- 3. Meyers SL. Special Study, Role i: "Diploma factory" scams continue to plague Milwaukee's adult students. Washington: Milwaukee Neighborhood News Service; 2014 May 21. Bachelor: http://milwaukeenns.org/2014/05/21/special-written report-diploma-manufactory-scams-continue-to-plague-milwaukees-adult-students/. Accessed 24 May 2015
- 4. Timoney N. Consumer Contact: Task Advertising Fraud. Bangor: WABI TV5; 2014 May 12. Available: http://wabi.idiot box/2014/05/12/consumer-contact-chore-advertising-fraud/. Accessed 24 May 2015
- 5. Instant messaging Trojan spreads through the UK. [Identify unknown]: Help Net Security. 2014 May 27. Available: http://www.net-security.org/malware_news.php?id=2773. Accessed 24 May 2015
- half dozen. Barnes T. Margate pedophile jailed for five years. U.K: Thanet Gazette; 2014 April vii. Available: http://www.thanetgazette.co.united kingdom of great britain and northern ireland/Margate-paedophile-jailed-years/story-20922860-particular/story.html. Accessed 24 May 2015
- 7. Godfrey M. Pedophiles coercing kids using phone app. Sydney: Sydney Morn Herald; 2014. Bachelor: http://news.smh.com.au/breaking-news-national/pedophiles-coercing-kids-using-phone-app-20130327-2gu3a.html. Accessed 24 May 2015
- eight. McCallum N. Pedophile posed every bit Bieber to lure victims. Australia: Mi9;2013. Available: http://world wide web.9news.com.au/world/2013/09/17/10/30/pedophile-posed-as-bieber-to-lure-victims. Accessed 24 May 2015
- ix. Jacksonville Man Sentenced in Child Pornography Case. Raleigh: The Federation Bureau of Investigation (FBI); 2015. Available: http://www.fbi.gov/charlotte/press-releases/2015/jacksonville-man-sentenced-in-child-pornography-example. Accessed xx May 2015.
- x. Norouzizadeh Dezfouli F, Dehghantanha A, Eterovic-Soric B, Choo M-KR. Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+ artefacts on Android and iOS platforms. Australian Journal of Forensic Sciences. 2015 Aug 7;i–twenty.
- View Article
- Google Scholar
- 11. Ali D. Mining the Social Web: Data Mining Facebook, Twitter, LinkedIn, Google+, Github, and More. Journal of Information Privacy and Security. 2015 Apr iii;11(2):137–8.
- View Article
- Google Scholar
- 12. Investigative Uses of Technology: Devices, Tools, and Techniques. U.S: National Criminal Justice Reference Service (NCJRS); 2007 Oct 3. Available: https://www.ncjrs.gov/pdffiles1/nij/213030.pdf. Accessed 4 May 2015.
- 13. Barghuthi NBA, Said H. Social Networks IM Forensics: Encryption Assay. Periodical of Communications. 2013; 8: 708–715.
- View Article
- Google Scholar
- 14. Golden TW, Skalak SL, Clayton MM. A Guide to Forensic Accounting Investigation. 2 edition. Hoboken, Northward.J: Wiley; 2011.
- 15. Procure Secure: A guide to monitoring of security service levels in cloud contracts—ENISA. Europe: European Marriage Agency for Network and Data Security (ENISA); 2012 April ii. Bachelor: https://www.enisa.europa.eu/activities/Resilience-and-CIIP/deject-computing/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts. Accessed 10 Dec 2015.
- 16. Dickson M. An examination into AOL Instant Messenger 5.v contact identification. Digital Investigation. 2006; iii: 227–237.
- View Article
- Google Scholar
- 17. Martini B, Choo M-KR. An integrated conceptual digital forensic framework for cloud computing. Digital Investigation. 2012; 9: 71–80.
- View Article
- Google Scholar
- 18. Quick D, Martini B, Choo R. Cloud Storage Forensics. Syngress; 2013.
- View Commodity
- Google Scholar
- 19. Kiley M, Dankner S, Rogers M. Forensic Analysis of Volatile Instant Messaging. In: Ray I, Shenoi Southward, editors. Advances in Digital Forensics 4. Springer US; 2008. p. 129–38. Available: http://link.springer.com/chapter/10.1007/978-0-387-84927-0_11. Accessed 11 June 2015.
- xx. Forensic Investigation of Instant Messenger Histories. [Place unknown]: Forensic Focus; [Date unknown]. Available: http://www.forensicfocus.com/forensic-investigation-of-instant-messenger-histories. Accessed 24 May 2015.
- 21. Reust J. Case study: AOL instant messenger trace prove. Digital Investigation. 2006; iii: 238–243.
- View Article
- Google Scholar
- 22. Carvey H. Instant messaging investigations on a live Windows XP system. Digital Investigation. 2004 Dec;1(4):256–sixty.
- View Article
- Google Scholar
- 23. Quick D, Choo K-KR. Dropbox assay: Data remnants on user machines. Digital Investigation. 2013;10: 3–18.
- View Article
- Google Scholar
- 24. Quick D, Choo Grand-KR. Google Drive: Forensic Analysis of Data Remnants. Journal of Network Computing and Application. 2014;twoscore: 179–193.
- View Commodity
- Google Scholar
- 25. Quick D, Choo K-KR. Digital droplets: Microsoft SkyDrive forensic information remnants. Future Generation Computer Systems. 2013;29: 1378–1394.
- View Article
- Google Scholar
- 26. Brockschmidt K. Programming Windows Store Apps with HTML, CSS, and JavaScript. Microsoft Press; 2014
- 27. Mehreen S, Aslam B. Windows 8 deject storage analysis: Dropbox forensics. In IEEE; 2015. p. 312–7. Bachelor: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=7058522. Accessed 6 April 2015.
- 28. Fleming R. How many devices can yous install a Windows 8 app on?. U.S: Microsoft Corporation; 2013 October i. Available: http://blogs.msdn.com/b/educational activity/archive/2013/10/01/how-many-devices-tin-you-install-a-windows-viii-app-on.aspx. Accessed 28 March 2015
- 29. How to shop user credentials (XAML). U.S: Microsoft; [Date unknown]. Available: https://msdn.microsoft.com/en-u.s./library/windows/apps/xaml/Hh465069(five=win.x).aspx. Accessed 24 May 2015.
- 30. Sanna P, Wright A. Windows eight.ane Absolute Beginner's Guide. Que Publishing; 2013.
- 31. Thomson A. Windows viii Forensic Guide. Washington; The George Washington University; 2012. Available: http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-viii-forensic-guide2.pdf. Accessed 13 May 2015.
- 32. Rasmussen B, High-Performance Windows Store Apps. Microsoft Press; 2014.
- 33. Iqbal A, Al Obaidli H, Marrington A, Jones A. Windows Surface RT tablet forensics. Digital Investigation. 2014 May;11, Supplement 1: S87–S93.
- View Article
- Google Scholar
- 34. Lee C, Chung M. Digital Forensic Analysis on Window8 Fashion UI Instant Messenger Applications. In: Park JJ (Jong H, Stojmenovic I, Jeong HY, Yi Grand, editors. Reckoner Scientific discipline and its Applications. Springer Berlin Heidelberg; 2015. p. 1037–42. Available: http://link.springer.com/chapter/10.1007/978-3-662-45402-2_147. Accessed 22 March 2015.
- 35. Carvey H. Windows Forensic Assay Toolkit: Advanced Analysis Techniques for Windows 8. Elsevier; 2014.
- 36. Dickson M. An examination into MSN Messenger 7.5 contact identification. Digital Investigation. 2006 Jun; 3(ii):79–83.
- View Article
- Google Scholar
- 37. Dickson M. An examination into Yahoo Messenger vii.0 contact identification. Digital Investigation. 2006 Sep; iii(3):159–65
- View Article
- Google Scholar
- 38. Dickson M. An examination into Trillian basic 3.10 contact identification. Digital Investigation. 2007 Mar; iv(1):36–45.
- View Article
- Google Scholar
- 39. Yasin M, Abulaish M. DigLA–A Digsby log analysis tool to identify forensic artifacts. Digital Investigation. 2013 Feb; 9(three–iv):222–34.
- View Article
- Google Scholar
- xl. Yasin M, Kausar F, Aleisa East, Kim J. Correlating messages from multiple IM networks to identify digital forensic artifacts. Electron Commer Res. 2014 Sep 18; 14(3):369–87
- View Commodity
- Google Scholar
- 41. Yasin M, Abulaish M, Elmogy MNN. Forensic Assay of Digsby Log Information to Trace Suspected User Activities. In: Park JH (James), Kim J, Zou D, Lee YS, editors. Information Technology Convergence, Secure and Trust Calculating, and Information Management. Springer Netherlands; 2012. p. 119–26. Available: http://link.springer.com/chapter/10.1007/978-94-007-5083-8_16. Accessed 1 April 2015.
- 42. Van Dongen WS. Forensic artefacts left by Windows Alive Messenger 8.0. Digital Investigation. 2007 Jun; 4(2):73–87.
- 43. Van Dongen WS. Forensic artefacts left by Pidgin Messenger 2.0. Digital Investigation. 2007 Sep; 4(3–4):138–45.
- 44. Levendoski G, Datar T, Rogers M. Yahoo! Messenger Forensics on Windows Vista and Windows 7. In: Gladyshev P, Rogers MK, editors. Digital Forensics and Cyber Crime. Berlin, Heidelberg: Springer Berlin Heidelberg; 2012. p. 172–9. Available: http://link.springer.com/10.1007/978-3-642-35515-8_14. Accessed 6 Apr 2015.
- 45. Wong K, Lai ACT, Yeung JCK, Lee WL, Chan PH. Facebook Forensics. Singapore: Valkyrie-X Security Research Group; 2011 July. Available: www.fbiic.gov/public/2011/jul/Facebook_Forensics-Finalized.pdf. Accessed 12 May 2015.
- 46. Al Mutawa N, Al Awadhi I, Baggili I, Marrington A. Forensic artifacts of Facebook's instant messaging service. Internet Technology and Secured Transactions (ICITST), 2011 International Conference for. 2011. pp. 771–776.
- 47. Al Mutawa N, Baggili I, Marrington A. Forensic analysis of social networking applications on mobile devices. Digital Investigation. 2012 Aug;9, Supplement: S24–S33.
- 48. Said H, Yousif A, Humaid H. IPhone forensics techniques and crime investigation. In IEEE; 2011. p. 120–5. Available: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6107946. Accessed 4 July 2015.
- 49. Walnycky D, Baggili I, Marrington A, Moore J, Breitinger F. Network and device forensic analysis of Android social-messaging applications. Digital Investigation. 2015 Aug;14, Supplement 1: S77–84.
- 50. Levinson A, Stackpole B, Johnson D. Third Party Application Forensics on Apple Mobile Devices. In: 2011 44th Hawaii International Conference on System Sciences (HICSS). 2011. p. 1–9.
- 51. Tso Y-C, Wang S-J, Huang C-T, Wang W-J. iPhone Social Networking for Evidence Investigations Using iTunes Forensics. In: Proceedings of the 6th International Conference on Ubiquitous Information Management and Communication. New York, NY, USA: ACM; 2012. p. 62:1–62:7. Available: http://doi.acm.org/10.1145/2184751.2184827. Accessed 8 December 2015.
- 52. Chu H-C, Deng D-J, Park JH. Live Data Mining Concerning Social Networking Forensics Based on a Facebook Session Through Aggregation of Social Data. IEEE Journal on Selected Areas in Communications. 2011 Aug;29(7):1368–76.
- 53. Wongyai W, Charoenwatana L. Examining the network traffic of facebook homepage retrieval: An end user perspective. 2012 International Joint Conference on Computer Science and Software Engineering (JCSSE). 2012. pp. 77–81. 10.1109/JCSSE.2012.6261929.
- 54. Sgaras C, Kechadi M-T, Le-Khac N-A. Forensics Acquisition and Analysis of Instant Messaging and VoIP Applications. In: Garain U, Shafait F, editors. Computational Forensics. Springer International Publishing; 2015. p. 188–99. Available: http://link.springer.com/chapter/10.1007/978-3-319-20125-2_16. Accessed 11 Oct 2015.
- 55. Simon M, Slay J. Recovery of Skype Application Activity Data from Physical Memory. ARES '10 International Conference on Availability, Reliability, and Security, 2010. 2010. pp. 283–288. 10.1109/ARES.2010.73.
- 56. Teng S-Y, Lin Y-L. Skype Chat Data Forgery Detection. In: Kim T, Ko D, Vasilakos T, Stoica A, Abawajy J, editors. Computer Applications for Communication, Networking, and Digital Contents. Springer Berlin Heidelberg; 2012. pp. 108–114. Available: http://link.springer.com/chapter/10.1007/978-3-642-35594-3_15.
- 57. Baset SA, Schulzrinne HG. An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol. INFOCOM 2006 25th IEEE International Conference on Computer Communications Proceedings. 2006. pp. 1–11. 10.1109/INFOCOM.2006.312.
- 58. Azab A, Watters P, Layton R. Characterising Network Traffic for Skype Forensics. Cybercrime and Trustworthy Computing Workshop (CTC), 2012 Third. 2012. pp. 19–27. 10.1109/CTC.2012.14.
- 59. McKemmish R. What is forensic computing? Canberra: Australian Institute of Criminology; 1999 June. Available: http://www.aic.gov.au/media_library/publications/tandi_pdf/tandi118.pdf. Accessed 20 May 2015.
- 60. Company Info. U.S: Facebook; [Date unknown]. Available: https://newsroom.fb.com/company-info/. Accessed 24 May 2015.
- 61. Reisinger D. Windows 8.1 app updates: Facebook, Netflix, and more. U.S: CNET; 2013 October 17. Available: http://www.cnet.com/news/windows-8-1-app-updates-facebook-netflix-and-more/. Accessed 4 May 2015.
- 62. About URL Security Zones (Windows). U.S: Microsoft; [Date unknown]. Available: https://msdn.microsoft.com/en-us/library/ms537183.aspx#internet. Accessed 24 May 2015.
- 63. Microsoft to Acquire Skype. U.S: Microsoft; 2011. Available: http://news.microsoft.com/2011/05/10/microsoft-to-acquire-skype/. Accessed 24 May 2015.
- 64. Wurm K. Skype and a New Audio Codec. U.S: Skype; 2012 September 12. Available: http://blogs.skype.com/2012/09/12/skype-and-a-new-audio-codec/. Accessed 24 May 2015.
- 65. Skype Forensics. U.S: InfoSec Institute; [Date unknown]. Available: http://resources.infosecinstitute.com/skype-forensics-2/. Accessed 24 May 2015.
- 66. Kuhlee L, Völzow V. Computer-Forensik Hacks. O'Reilly Germany; 2012.
- 67. McQuaid J. Skype Forensics: Analyzing Call and Chat Data From Computers and Mobile. U.S: Magnet Forensics; 2012. Available: http://www.magnetforensics.com/wp-content/uploads/2014/04/Skype-Forensics-Analyzing-Call-and-Chat-Data-From-Computers-and-Mobile-Magnet-Forensics.pdf. Accessed 12 May 2015.
- 68. Azfar A, Choo K-KR, Liu L. Android mobile VoIP apps: A survey and examination of their security and privacy. Electronic Commerce Research. 2016.
- 69. Azfar A, Choo K-KR, Liu L. An Android Social App Forensics Adversary Model. In Proceedings of Annual Hawaii International Conference on System Sciences (HICSS 2016). 2016. [In press].
- 70. Azfar A, Choo K-KR, Liu L. An Android Communication App Forensic Taxonomy. Journal of Forensic Sciences. 2016 [In press].
- 71. Azfar A, Choo K-KR, Liu L. Forensic Taxonomy of Popular Android mHealth Apps. In Proceedings of Americas Briefing on Information Systems (AMCIS 2015). 2015. http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1217&context=amcis2015.
- 72. Do Q, Martini B, Choo K-KR. 2015. A Forensically Sound Adversary Model for Mobile Devices. PLOS ONE 10(9): e0138449. pmid:26393812
- 73. Farnden J, Martini B, Choo K-KR. Privacy Risks in Mobile Dating Apps. In Proceedings of Americas Conference on Information Systems (AMCIS 2015). 2015. http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1427&context=amcis2015.
- 74. Immanuel F, Martini B, Choo K-KR. Android cache taxonomy and forensic procedure. In Proceedings of IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2015). 2015: 1094–1101. 10.1109/Trustcom-BigDataSe-ISPA.2015.488.
- 75. Leom MD, D'Orazio C, Deegan M, Choo K-KR. Forensic Collection and Analysis of Thumbnails in Android. In Proceedings of IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2015). 2015: 1059–1066. 10.1109/Trustcom-BigDataSe-ISPA.2015.483.
- 76. Ganji M, Dehghantanha A, Udzir NI, Damshenas M. Cyber warfare trends and future. Advances in Information Sciences and Service Sciences. 2013 Aug; 5(13): 1–10.
- 77. Mohtasebi S, Dehghantanha A, Broujerdi HG. Smartphone Forensics: A Case Study with Nokia E5-00 Mobile Phone. International Journal of Digital Information and Wireless Communications (IJDIWC). 2011; 1(3): 651–5.
Source: https://journals.plos.org/plosone/article?id=10.1371%2Fjournal.pone.0150300