Abstract: Instant Messenger (IM) applications (apps) have always been a vital area of research for forensic examiners. Digital forensic examiners often come across forensic analysis of IM apps for Android devices. After considering the existing research work in this field, this paper focuses on conducting forensic analysis of two popular IM apps for Android devices: hike messenger and imo. Tests were conducted on three Android devices. The tests consisted of installing each IM app on each Android device, conducting common user activities through the apps, acquiring the physical image of each device, and performing manual forensic analysis of each acquired image. The forensic analysis was aimed at determining whether user activities performed through the Android-based hike and imo IM apps are stored on the Android devices and, if so, what and where the evidentiary artifacts are that hike messenger and imo leave behind on Android devices, and how these artifacts can be gathered for analysis to serve as forensic evidence. The test results show that a significant amount of user data is stored in the internal memory of the Android devices and can be examined and used by forensic examiners.

Keywords: android forensics; evidentiary artifacts; forensic investigations; hike messenger; imo; instant messenger applications; mobile device forensics.

I. INTRODUCTION

In recent years, IM apps have proven to be a low-cost alternative to operator-centered messaging services. Paired with social media components and fueled by the growth in mobile internet, these apps offer real-time data transmission over the internet. Instant text messaging, group chats, sharing of photos and videos, and video and audio calls are common features of IM apps nowadays.

hard to imagine a crime that does not contain any element of digital evidence [4]. According to the National Institute of Standards and Technology (NIST), mobile device forensics is an evolving specialty in the field of digital forensics. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Forensic examination of mobile devices has always been challenging for forensic examiners. Unlike the data acquisition approach for computer environments, where data can usually be extracted in the same state in which it was found and is preserved from the time of its seizure, extraction of data from mobile devices typically requires intervening on the device [5]. Furthermore, every few months new Android IM apps emerge, and there are numerous ways an Android app can store or obfuscate its data. The way in which data is stored and obfuscated depends on the app developer. Hence keeping pace with the various techniques for app data storage is also a daunting task for forensic examiners.

Despite the popularity of the Android-based hike messenger and imo apps, there has been limited published research focused on identifying and analyzing forensic artifacts related to these apps. This paper aims to determine whether user activities performed through the Android-based hike messenger and imo apps can be located and analyzed to aid criminal investigations.

The paper is structured as follows: in Section 2, related work from the digital forensics community is discussed. Section 3 outlines the research methodology and the procedure adopted, followed by the test results in Section 4 and a discussion of the findings in Section 5. Section 6 summarizes the concluding remarks and future work. Finally, the paper ends with the related references.
Nhien-An Le-Khac et al. [15] forensically acquired and analyzed Tango VoIP for both the iOS and Android platforms.

Aditya Mahajan et al. [16] showed in their work that it is possible to locate and analyze WhatsApp and Viber artifacts on Android devices.

In [17], the authors concluded that on Android devices it is possible to retrieve partial evidence related to the Viber app from RAM.

Lastly, researchers [18] analyzed 20 IM apps for Android and showed that some IM apps were poor at adopting security and privacy measures, which can be turned to advantage when collecting evidentiary artifacts. Discussing all the research literature on Android IM artifacts is outside the scope of this paper, as its objective is to locate and analyze hike and imo artifacts on Android devices.

Hence, from the related work cited above, it is clear that no existing research work determines the evidentiary artifacts of the hike messenger and imo IM apps for Android devices. Furthermore, from the related works mentioned above, it can be inferred that activities performed through the Android-based hike and imo IM apps may be stored in the internal memory of Android devices, and that these may be located and reconstructed for convicting a criminal involved in a criminal

TABLE I.

Hardware/Software | Details and Use
Laptop Lenovo Z51, Windows 8.1 | Forensic workstation.
Samsung Galaxy Tab 3.8 | Running Android 4.2.2; test subject.
Samsung Galaxy Grand 2 | Running Android 4.1; test subject.
LG P698 | Running Android 2.3.4; test subject.
Magnet Acquire Community Edition | Used for acquisition of the Android devices.
Autopsy 3.1.3 | Physical/logical image viewer and analyzer.
Oxygen Forensic SQLite Viewer v.2.2 | To view and recover deleted SQLite records.
SQLite Manager | For viewing the database schema of SQLite/DB files.
Micro USB cable | For connecting the Android devices to the forensic workstation.

TABLE II. IM APPS TESTED AND THEIR FEATURES.

App | Details and Features
hike messenger version 4.0.6.8.1 | 10 million downloads on Google Play. Free hike SMS within India; free HD hike-to-hike audio calling; sharing documents and files; attachments up to 100 MB in size.
imo version 9.4.1 | 100 million downloads on Google Play. Unlimited text messages; free video and voice calls; group chat; photo and video sharing.
B. Test Procedure

This section details the test procedure used in this research. The procedure consisted of three stages. Stage one: performing user activities via the IM apps on each Android device. Stage two: acquiring the internal memory of the Android devices. Stage three: analyzing the acquired images of the three Android devices.

1) User Activity: This stage consisted of performing user activities that would be of interest to a forensic examiner. All the features of the apps (refer to Table II) were exercised for almost a week on all three Android devices. Prior to performing user activity, the IM apps hike messenger and imo were downloaded from the Google Play Store and installed on each device. Some of the activities performed were also deleted after some time.

2) Acquisition: Device drivers for each Android phone were installed on the forensic workstation prior to acquisition. The acquisition of the Android devices was performed using the Community Edition of Magnet Acquire [20]. Magnet ACQUIRE is a mobile forensic imaging application that extracts as much evidence as possible from mobile devices. It was installed on the forensic workstation, and a micro USB cable was used to connect each Android device to it. The Full Image option was selected while acquiring the physical image of each device. The physical images were saved in .raw format.

3) Forensic Examination and Analysis: The objective of this stage is to locate, identify and analyze the artifacts of hike messenger and imo. After acquiring the physical image of each device, the .raw images were imported into Autopsy to identify the location of traces of user activity performed via the hike messenger and imo apps. First we attempted to identify the Android packages related to the said IM apps. The following Android packages were found to contain evidentiary artifacts.

TABLE III. HIKE MESSENGER AND IMO PACKAGES AND THEIR LOCATION

App | Package name | Location
Hike messenger | com.bsb.hike | /data/data/
imo | imo.android.imoim | /data/data/

These packages were identified and extracted from the image for further analysis. While analyzing the packages, it was noted that the majority of the files were database files. Significant traces of user activity were found in the database files of each package. We used SQLite Manager to analyze the database files. The findings were then corroborated by live examination of the apps on the Android devices, viewing the activities performed using each app.

IV. RESULTS

We were able to locate and analyze the evidentiary artifacts of hike messenger and imo. Using SQLite Manager we examined a number of database files. The artifacts from each app are detailed below.

A. Hike Messenger Artifacts

The database schemas were analyzed thoroughly and it was found that the user activities performed via the hike messenger app were stored in these databases. The location /data/data/com.bsb.hike/db/databases/ housed the most relevant evidentiary artifacts: two database files that contained traces of user activities.

chats database: The schema of this database revealed individual as well as group chat conversations, chat/audio calls, their participants, file transfers and related timestamps. The contents of the inbox of the mobile device are also found to be associated with the messages table of the chats database. The unreadCount column of the conversations table can be used to identify unread messages. Furthermore, hike messenger can also be used to send a free hike SMS or a regular SMS. Each chat conversation using hike messenger can be related back to the contacts using the msisdn and onhike columns of the conversations table.

hikeusers database: This database contained all the contacts that were either on hike or were normal contacts existing on the mobile device. All the contacts that have a hike messenger account are automatically added to the hike friend list.

TABLE IV. HIKE MESSENGER ARTIFACTS.

Artifact location: /data/data/com.bsb.hike/db/databases/

Evidence description | Artifacts found | Database name | Table name | Timestamp found
History of chat logs | Text messages in plain text; status of messages, i.e. seen/unseen; contacts with/without hike messenger. | chats | messages | Yes
History of chat logs | Text messages in plain text; MSISDN of contacts; group chat participants. | chats | conversations | Yes
Details of chat groups | Group name, group owner, group ID. | chats | groupinfo | No
Details of chat groups | Group ID and name; MSISDN of each group member. | chats | groupMembers |
Contact list details | MSISDN of favorite contacts. | hikeusers | favoritesTable | No
Contact list details | MSISDN of blocked contacts. | hikeusers | blocked | No
Contact list details | Name and MSISDN; last messaged timestamps; timestamps of invitations sent. | hikeusers | users | Yes
The contents of the users table are also found to be associated with the device contacts. Using the hikeusers database, a forensic examiner can also identify the mobile phone contacts and their name, phone number, etc.

The onhike column of the users table indicates whether a particular user is on hike messenger or not. A value of 1 indicates users having an account on hike messenger; a value of 0 indicates users not using hike messenger. The hikeJoinTime column indicates the date and time a particular user joined hike. These timestamps are in Unix epoch format, and we used the datetime function in SQL to convert the timestamps to local time. The onhike column of the conversations table of the chats database was found to be similar to the onhike column of the users table of the hikeusers database. The findings are detailed in Table IV above. Database tables that were of no forensic significance were omitted from the findings.

Figure 2. An excerpt from the chats database. The figure illustrates the incoming SMS that are available in the inbox of the mobile device as well as in hike messenger. Tool used: SQLite Manager.
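The database triage described in Section III.B.3 (identifying the database files inside the extracted package) and the reconstruction of hike artifacts from the chats and hikeusers databases described above, as an added, runnable example that is not part of the paper and not the authors' tooling. It assumes an extracted /data/data/com.bsb.hike tree on disk. The table and column names it relies on (conversations.msisdn, conversations.onhike, conversations.unreadCount, the messages table, users.onhike, users.hikeJoinTime) are those named in the paper; every other column, the sample rows, the file names chats and hikeusers inside db/databases/, and the helper names (find_sqlite_files, list_tables, epoch_to_utc, reconstruct_hike_chats, build_sample_package, run_demo) are constructed assumptions for demonstration. Because the paper states only that the timestamps are Unix epoch values, the example also normalizes seconds versus milliseconds; that is an added caveat, not a finding from the paper.

```python
"""Triage of an extracted Android IM package: find SQLite files by header and
reconstruct chat artifacts. Added example; every column beyond those the paper
names, the sample rows and the file layout are constructed assumptions."""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of every SQLite 3 file


def find_sqlite_files(root):
    """Walk an extracted /data/data/<pkg> tree and return SQLite databases found
    by header, not by extension (a developer may store a DB under any name)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if fh.read(16) == SQLITE_MAGIC:
                    found.append(path)
    return sorted(found)


def list_tables(db_path):
    """Enumerate table names: the first thing to read before opening a schema."""
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    con.close()
    return [r[0] for r in rows]


def epoch_to_utc(ts):
    """Unix epoch to 'YYYY-MM-DD HH:MM:SS' UTC. Assumption: values above 1e11
    are milliseconds (Android apps commonly store ms), smaller ones seconds."""
    if ts > 10**11:
        ts = ts / 1000.0
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def reconstruct_hike_chats(chats_db, users_db):
    """Relate each conversation back to the contact via msisdn/onhike, pull its
    messages and unread count, and normalise the timestamps."""
    con = sqlite3.connect(chats_db)
    con.execute("ATTACH DATABASE ? AS hu", (users_db,))
    rows = con.execute("""
        SELECT c.msisdn, u.name, c.onhike, c.unreadCount, u.hikeJoinTime,
               m.message, m.timestamp
        FROM conversations c
        JOIN messages m ON m.msisdn = c.msisdn
        LEFT JOIN hu.users u ON u.msisdn = c.msisdn
        ORDER BY m.timestamp""").fetchall()
    con.close()
    return [{
        "msisdn": msisdn, "name": name, "on_hike": bool(onhike), "unread": unread,
        "joined_utc": epoch_to_utc(joined) if joined else None,  # 0 = never joined
        "message": text, "sent_utc": epoch_to_utc(ts),
    } for msisdn, name, onhike, unread, joined, text, ts in rows]


def build_sample_package(root):
    """Constructed stand-in for an extracted com.bsb.hike package (not real data)."""
    dbdir = os.path.join(root, "db", "databases")
    os.makedirs(dbdir)
    chats, users = os.path.join(dbdir, "chats"), os.path.join(dbdir, "hikeusers")
    con = sqlite3.connect(chats)
    con.executescript("""
        CREATE TABLE conversations(msisdn TEXT, onhike INTEGER, unreadCount INTEGER);
        CREATE TABLE messages(msisdn TEXT, message TEXT, timestamp INTEGER);
        INSERT INTO conversations VALUES ('+919800000001', 1, 2);
        INSERT INTO conversations VALUES ('+919800000002', 0, 0);
        INSERT INTO messages VALUES ('+919800000001', 'meet at 9', 1451606400000);
        INSERT INTO messages VALUES ('+919800000002', 'sent as regular sms', 1451610000000);
    """)
    con.close()
    con = sqlite3.connect(users)
    con.executescript("""
        CREATE TABLE users(msisdn TEXT, name TEXT, onhike INTEGER, hikeJoinTime INTEGER);
        INSERT INTO users VALUES ('+919800000001', 'Alice', 1, 1420070400);
        INSERT INTO users VALUES ('+919800000002', 'Bob', 0, 0);
    """)
    con.close()
    with open(os.path.join(dbdir, "prefs.db"), "wb") as fh:  # decoy: .db name, not SQLite
        fh.write(b"not a database\n")
    return root


def run_demo():
    root = build_sample_package(tempfile.mkdtemp(prefix="com.bsb.hike_"))
    dbs = find_sqlite_files(root)
    chats = next(p for p in dbs if os.path.basename(p) == "chats")
    users = next(p for p in dbs if os.path.basename(p) == "hikeusers")
    return ([os.path.basename(p) for p in dbs], list_tables(chats),
            reconstruct_hike_chats(chats, users))


if __name__ == "__main__":
    for part in run_demo():
        print(part)
```

Identifying databases by the 16-byte SQLite header rather than by file name matters because the app developer decides how data is stored; in the constructed sample the real databases carry no .db suffix while the decoy prefs.db is not a database at all. In SQLite Manager the same timestamp conversion is written as datetime(hikeJoinTime, 'unixepoch', 'localtime') for seconds, or datetime(timestamp/1000, 'unixepoch', 'localtime') when a column stores milliseconds; check the magnitude of the values before choosing, since a millisecond value passed as seconds yields a date far in the future. Deleted records, such as the activities the test procedure removed, are not returned by these queries; they have to be carved from free pages, rollback journals or WAL files with a tool such as the Oxygen Forensic SQLite Viewer listed in Table I.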
TABLE VIII. HIKE MESSENGER AND IMO ARTIFACTS THAT CAN BE RECONSTRUCTED.