Main Body

Chapter 6: Apps

With mobile devices being viewed as an extension of the human, we next look at the applications that are resident on the devices we wish to examine and understand what they do, why the user installed them and whether they have any capacity to advance our investigation. The application (app) itself may not hold much data within, but there are avenues of investigation, including examining the device it is resident upon and the services it connects to, which is generally a remote cloud computing account.

Apps are a feature of people’s daily lives as much as the mobile devices they carry with them. There is a large commercial market for developing apps, having them for sale on the app stores, and being downloaded and operated by individuals. Apps are very active in accumulating data, and many will seek data from the device it is resident upon.

An app may be preinstalled on a mobile device or downloaded from a store such as Apple iTunes or Google Play. An app is downloaded and installed by the user for a specific purpose, and it is a deliberate action by this person, meaning it has some relevance to them. As an investigator, it may be essential to determine the relevance, such as when a series of encrypted communication apps are found – why is the app there, what does it do, what can it tell us, and how does it fit into the investigation? Also, there will be circumstances when you may want to understand what else was happening in the device owner’s life at the time that made them think the installation of an encryption app was worthwhile. 

We have observed users often go directly to the app of most interest to them once they open their mobile device. The app may be a social media site like Facebook or an encrypted messaging service from a different provider, such as Signal. The first app accessed tells us the value of that app to the user (located through Screen time in Settings), and the time spent indicates how often they use it and for how long (found through the battery usage setting).

This chapter seeks to identify the data from a series of popular downloaded apps using a forensic examination of the device. The best evidence when reviewing this data originates when the digital examiner physically controls the device by accessing credentials and the online account passcode of the app. It is imperative to receive the device owner’s consent or legal authority before examining any online account, as these can be stored in foreign legal jurisdictions.[1]

The Operating System (OS) that the app resides on stores volumes of data. As there are many popular apps to cover in this chapter, ask your digital forensic examiner if there is a particular app you want to focus on to see what data the app has written to the OS host and what has been recorded.

The data in this chapter has been sourced from a series of researchers and will include data reviews from digital examiners who have extracted the app data. We include an interpretation of the data and provide examples of how it can be incorporated into an investigation. In many instances, the evidence value is clear and requires no explanation.

The main built-in apps are discussed in the chapter on mobile phones. In this chapter, we will look at examples of the apps found in app stores where users decide to download them onto their mobile devices.

When reviewing the apps, be aware that the capacity may exist to log into the user account from a desktop or laptop computer, and users can use the device as they would on their phone. Common examples include Facebook and Dropbox. Suppose you have access details and legal authority – in that case, it may be beneficial to see if an app has a linked website to log into, conduct a forensic examination through the device and see what data can be obtained. Ensure you have the correct legal authority and that the examination you undertake in your jurisdiction is permitted, as cloud accounts reside in many legal jurisdictions, not just in the jurisdiction where you are conducting the remote examination.[2]

One example that investigators will find helpful is gaining lawful authority to access a person’s online Facebook account and downloading all the data that Facebook has accumulated on them. The ‘Social Media and Open-Source Data’ chapter will discuss Facebook accounts, and the Facebook app, which is resident on the mobile device, will be examined later in this chapter.

Downloaded apps are important to the investigator as it says the functionality is important enough for the user to download onto their device. As we discuss in the mobile phone chapter, examination of the battery will tell you how important the app is to the user and indicate how often they use it, when and for how long. The first app the person accesses shows it is of specific interest to the device owner and the investigator.

This chapter provides a guide to the amount of information generated and located on apps. As particular apps in the constantly evolving landscape of apps become popular, they are replaced by other apps. In addition, as app developers make changes to their products, what evidence may have been available today is unavailable tomorrow or if a new app version is released.

Each section in the chapter refers to artefacts or traces of evidence located using apps, with the data recovery being large or small. Many digital forensic variances will affect the recovered data, and each case will be unique. Changes to the operating systems that the apps are resident on can affect the data obtained, so whilst this chapter identifies examples of artefacts, they cannot be guaranteed to remain due to the constant evolution of technology. The same applies to the app and the amount of data written to the device, whether encrypted or in plain text.

Researchers’ methodologies differ from Apple and Android mobile devices, and the digital examiner will be aware of their nuances. Researchers regularly use a jailbreaking method to allow access to the administrator level of the mobile device. Jailbreaking allows a deep examination of the infrastructure to locate the evidence of the app’s artefacts using the support of information technicians, with methodologies to access this data. To the investigator, the knowledge that this evidence may exist and is accessible is why obtaining credentials to access the mobile device is essential.

As operating systems and apps evolve, there is no guarantee the data listed in this chapter will always be accessible. As digital forensic examiners have many investigations to attend, it is helpful to know that significant data of value stored on the device is worth the investment of time and effort to locate and examine.

An AI generated image of a mobile phone surrounded by apps
Mobile phone with apps. Image created by author using DALL-E 2 AI.

Dropbox

Dropbox is an established cloud storage solution that many individuals and businesses use.  As with all cloud storage services, investigators must be mindful of the legality of accessing the data, including identifying the legal jurisdiction the data resides within should they consider using remote digital forensic services to download evidence.[3] Access to evidence may be through the device or having account access and using a web browser. Not only is the data stored in a cloud service – Dropbox also stores folders and files, easily accessible on the app’s mobile device.

A digital forensic study by Gandeva Satrya of Telkom University, Indonesia, identified significant evidence from a mobile device located through a digital examination of a Dropbox application.

The evidence included:[4]

      • Copy files.
      • Deletion of files
      • Downloaded file metadata.
      • Files created.
      • Files stored in the cloud computing service.
      • Folders created.
      • Installation date.
      • Login data.
      • Logout data.
      • Movement of files.
      • Renaming of files.
      • Signup data.
      • Uninstallation date.
      • Uploaded file metadata.

The content data of Dropbox may not be able to be located through a digital examination of the device. However, the evidence obtained from the digital forensic device may provide investigative assistance or valuable support in seeking a search warrant or other related court orders to try and access the content data. Relevant to an Intellectual Property theft investigation would be a file identified by the examiner on an employee’s device. The examiner could apply to the court for a search warrant to be served on Dropbox.

As with all apps, having lawful direct access to the account can present the most accurate evidence of the content data and personal account information, such as the account creation date, the account name, and the email address.

For the investigator seeking deleted evidence, valuable information to know is that Dropbox business has a 180-day rewind facility to recover deleted data.[5]

Facebook

Facebook is the most well-established social media network, with just under 3 billion daily users. To many, Facebook is an integral part of their life, where they connect, share and organise their information through the company’s products and services. With lawful and ethical authority, it provides the investigator with the opportunity to examine this large volume of data. Statista identifies Facebook has approximately 3 billion active users per month.[6] 

Facebook is advertised as a social media company that collects and processes user data as a part of its business model. It may also be argued that it is a data company that uses the website facebook.com or m.facebook.com to collect user data for profit through lawful activities such as advertising. Data collected and its use is subject to the user agreeing to the End User Licensing Agreement (EULA).

Social media sites facebook.com and m.facebook.com (Mobile), are free products that users are constantly encouraged to engage with.  Facebook users also invite their friends, family and associates onto the site to freely access its services.  Offering a product at no cost to anyone and everyone with unlimited use is not a typical business model, as the cost of operating Facebook would run into many billions of dollars per annum, considering the number of active users, and the need to make a profit for their shareholders.

One way Facebook makes its money is by knowing as much as possible about its clients and using this data to generate income from lawful sources such as advertising. Advertisers are attracted to Facebook as they can target their adverts to people they know are likely to be interested in their products and services. This saves the advertisers money by not spending limited advertising dollars targeting people who were never going to have an interest in their products or services.

To achieve this, Facebook must update the profile of their Facebook clients as much as possible by collecting as much information about them as users generate new data. The authority to do this originates from the End User Licence Agreement the user agrees to when setting up an account.

To the investigators, a business such as Facebook contains much information used to advance an investigation. When a detective may want to gain background on a suspect, missing person or other people of interest, Facebook contains information beyond what is on the individual’s page. As Facebook exists to collect user data, the detective with a valid reason to seek data and lawful authority should consider Facebook as a source of intelligence and evidence.

Examiners can access Facebook through a desktop/laptop web browser (facebook.com), a mobile device (m.facebook.com), or a mobile device app. All locations may provide information through a digital forensic analysis; however, lawful access to the account will be the best evidence. Facebook data collection is examined in more detail in Chapter 7.

A digital forensic examination of the device the app is resident on provides artefacts of evidence. Several researchers conducting a forensic examination on the Facebook app’s device located the following artefacts of data:[7],[8]

Facebook - Types of evidence

A-C C-D D-F F-L L-U
Accessed times Comments made Downloaded files deleted metadata Friends full names Likes
App installation time Cover image of contacts Duration of session Friends phone numbers Number of times the app has been loaded
Chat logs artefacts and metadata Cover image of user File transfers including metadata Friends profile links Profile image of contacts
Chat logs downloaded metadata Date and time the app was launched Friends Date of Birth Friend requests sent Profile image of user
Chat log time stamps metadata Date and time the app was updated Friends email address Friends User Identification Number (UID) Profiles viewed
Chat participant identifiers metadata Date and time the app was last used Friends frequency of communication Last runtime Uninstallation data

It is worth repeating that the volume of data obtained in each of these instances is variable and, in some instances, there will be only metadata meaning logs or other data identifying chat communication, and not the communication contents itself.

As with other apps mentioned in this chapter, an investigator may find the data generated by the Facebook app has the potential to divulge much about the account holder and their behaviour.

Kik

Kik is an instant messenger and social media service accessed through the Kik app. It is very popular as it combines anonymity and privacy, not requiring users to verify their identity as in the case of other social media providers such as Facebook.

When signing up to Kik, a user creates an identity and they are then able to access the app’s functionality such as messenger, videos, emojis, photos, webpages and personal sketches.

Users can choose topics of personal interest to start conversations with people and these cover a wide range of topics as you would expect across many legitimate online platforms. Messages can be sent in the same format as a text, but a feature is the sender can see when the recipient has received and read the message.

A person can be invited into a Kik group, or they can join a public group.

The Kik Law Enforcement Guide states the username is unique to the individual, cannot be replicated and cannot be changed. A law enforcement request requires the username as a phone number, email address or name cannot locate the correct account.[9]

Kik advises they may be able to access images and video content for up to 30 days before they are deleted. They also note some content data logs may be accessible longer. Chat conversations are stored on the user device and Kik has no access to this data.[10]

The Kik law enforcement guide provides specific details on what evidence may be accessible with a formal legal request. As with all online social media accounts, it relies on the data provided by the user as being accurate, however, it is worth obtaining as even fake information provided may be of value in the circumstances.[11]

Non-content data

This provides the basic subscriber data including the following:[12]

      • Birthdate.
      • Current identification photograph.
      • Date of the creation of the account.
      • Email address provided by the user at registration.
      • First and last name.
      • Information provided on the device the user has been using to access the account.
      • Internet Protocol addresses used to access the account.
      • The version of Kik operating at the time.

This is all valuable data even allowing for the possibility a user has provided false information to Kik when creating the account. Of note, the Internet Protocol addresses may be of interest to the investigator even allowing for the possibility a Virtual Private Network (VPN) was used and the device data may be relevant in the circumstances. Whilst a VPN may be a barrier at first look, occasionally a VPN will drop out and the true IP connection address will be revealed.

Content user data

Content data refers to data generated by the user. Examples of content data Kik may be able to provide include the following:[13]

      • Abuse reports submitted including metadata.
      • Chat platform log includes logs of all the media files a user has sent and received. Important metadata includes the Jabber Identifier (JID), username/receiver name or group, Internet Protocol (IP) address of the sender and the identifier of the content. JID is an abbreviation for a Jabber ID being a code assigned to a user in chat conversations.
      • Email logs.
      • Internet Protocol (IP) address associated with the registration of the account.
      • Log of usernames added and deleted by the account user and when the event occurred.
      • Media images.
      • Transactional chat log which includes metadata such as the IP address of the sender, log of all messages a user has sent and received, sender username, receiver username or receiver group JID, timestamps and IP address of the sender.

Group data content

Details about when the group was created and by whom as well as the following content:[14]

      • Group abuse reports including metadata.
      • Group information log contains metadata including the group JID, name, type of group it is as well as the status of the group.
      • Media logs including metadata.
      • Message logs including metadata.
      • Record of users including when they joined and left the group.

Having access to the device the user accesses Kik with will provide further evidence including message content to which Kik does not have access as well as possible deleted messages.[15] As with any open-source platform, there is the potential for the amount of evidence to change at any time and it is worth reviewing the Kik Law Enforcement Guide at the time when you are considering seeking evidence from them.

A digital forensic examination may locate evidence of value without making a formal request from Kik. As with all the apps discussed in this chapter, evidence collection may not be a complete representation of the activity of the device, however, any artifacts of activity located may be of benefit to the investigator.

Researchers have conducted forensic examinations on the Kik app and the OS it is resident upon and located artefacts of the following evidence:[16],[17]

Kik -Types of evidence

A-D D-I J-M M-V
Account registration details Deleted messages Jabber Id Messages sent but not delivered from a blocked contact
Attachments from blocked contacts Deleted videos List of friends with the order of how they have chatted with the user Profile pictures including meta
Automatic messages including those from automated bots Display name Media received including metadata Public groups even if there has been no communication
Blocked contacts Friends including timestamps of when they became friends Media sent including metadata URL of location of contact’s profile image
Contacts list including metadata Friend suggestions Messages and contact details Username
Conversations with a blocked user before they were blocked Groups including metadata Messages exchanged including timestamps and metadata User data and preferences
Deleted contacts including groups and their messages Groups that have left Messages from deleted contacts and groups Videos received
Deleted groups Images received Messages received including metadata Videos sent
Deleted images Images sent Messages sent including metadata

As shown by this research, there is the potential for a lot of data to be recovered and this may provide the investigator assistance that may be able to provide direction to the investigation whilst a data request from Kik is being processed.

Skype

Skype is an online communications application that can be operated through an app on a mobile device or used through a laptop or desktop computer. Communication can be by video camera or be text based.

The feature exists to allow recorded conversations in text or video format. Skype can be used for services such as group meetings, and users can share screens through the call.

Multiple researchers have conducted detailed digital forensic examinations on a Skype account and identified artifacts in which the following data may be located:[18],[19],[20],[21]

Skype - Types of evidence

A-D D-I I-R R-U U-V
Audio received Downloaded files Internet Protocol addresses including chat Remnants of chat User's full name
Audio sent Email addresses Language configuration Secret codes User identifier
Avatars used File transfer details Messages SMS Usernames
Call/chat history Gender Microsoft Live usernames Skype account details User profile data
Call participants Group chat Mood texts Skype names and identifiers Video message identifiers
Contacts schedule Homepage URL Outgoing calls Sounds used Video messages details
Conversations schedule Images sent Phone numbers Text chat Video received
Chat/image/video content data Images received Profile picture of all Skype contacts Thumbnail images of files transferred or downloaded Video sent
Contact database Incoming calls Profile status Times of communication with others Voicemails
Creation times Install time and date Public links Time zones Voicemails sent to the user
Date of Birth Instant messaging members Registered locations Uninstallation of the Skype app Video calls schedule

Snapchat

Snapchat is an application that allows users to communicate with others through instant messenger, and transfer images and stories. A video or picture sent is called a snap and can be sent to multiple accounts at once.

One unique characteristic is the snap sent deletes after viewing by the recipient, providing the sender a perceived level of security that the snap they sent is not going to be stored, shared or posted online. The exception being if the snap is added to a person’s story, and then it can reside for 24 hours. A Snapchat story presents the images, including videos that the recipient wants to share with their friends.

A series of academic studies has attempted to identify the data that can be recovered from a device hosting a Snapchat application. The examiners used different devices and forensic tools and identified there are significant artifacts of evidence that may be available to the investigator. It is to be noted the researchers tested different methodologies and versions of the application, therefore the results were expected to be different across the researchers’ reports which they were. However, they all found there was a significant artifact of evidence that may be of assistance to the investigator rather than complete datasets.

Researchers have identified that after conducting an examination of mobile devices, they were able to locate evidence of Snapchat use.[22],[23],[24]

Snapchat - Types of evidence

A-F F-L P-S S cont. S-U
Call logs Friends list Participants in a communication Sent and deleted data Start time
Chat messages artefacts Images and videos Phone number of account owner Sent snaps Stories
Contacts Installed applications Received image snaps Sent video artifacts Timestamps
Event logs artefacts Last activity Received video snaps SMS messages User account details including username and phone number
Files Log entries Snapchat images artefacts Snaps User profile

TikTok

TikTok is a platform for the sharing of short videos. It is very popular in the youth market with the TikTok app being one of the most popular downloads on the Apple and Google stores.

A digital forensic analysis of the TikTok app finds artifacts of digital evidence that may be of value to an investigator. As per previous, this evidence is often artifacts only and not complete records of data or communications, however, they may provide leads to new areas of inquiry or confirm existing ones. A lot of TikTok data is located on the app’s cloud services.

When examining the digital forensic output, be aware the app can contain the accounts of different users although only one user can operate the app at a time.[25] This may mean other users operate the mobile device and TikTok app or the user has multiple accounts which may be valuable information in its own right.

Domingues et al have identified the forms of data that may be able to be located on a device relating to TikTok should the digital forensic examiner have administrator access to the device.[26]

      • Blocked accounts including whether they are blocked themselves.
      • DOB.
      • Email account registered to the account.
      • Gender.
      • Location.
      • Nickname.
      • Text messages, images, videos, hashtags and audio.
      • Timestamp of account creation.
      • Unique ID.
      • URL to avatar.
      • User ID.

Viber

Viber is an application that allows users to make calls, and send messages, images and videos to other Viber users. Viber can be used on a mobile device or accessed through a desktop computer or laptop.

As per previous apps, researchers have conducted forensic examinations on the Viber application and managed to locate artifacts of evidence from the device the application is resident on. The tests were conducted using different methodologies and versions of the application, and the output was similar to the Snapchat research where artefacts of evidence were located.

The digital artefacts located were as follows:[27].[28]

      • Attachments exchanged.
      • Call duration.
      • Call history.
      • Chat history.
      • Chat/image content data.
      • Contacts.
      • Contact number and Id.
      • Conversation.
      • GPS coordinates.
      • Installation history.
      • Lat and longitude of each message with location service enabled.
      • Messages exchanged.
      • Messages but they were encrypted.
      • Phone numbers.
      • Pictures shared along with the path for the thumbnails stored for these pictures.
      • Profile pictures.
      • Recent calls and their duration.
      • Sender’s number.
      • Stickers and photos exchanged.
      • Total number of messages exchanged.

WeChat

WeChat is an application that provides users with a variety of services from communication to operating as a financial services platform. It is a comprehensive application that incorporates the following services:[29]

      • Business transactions.
      • Currency transactions.
      • Gift exchanges.
      • Images.
      • Text messages.
      • Voice messages.
      • Video.

A study of the digital evidence available through WeChat by Wu and colleagues from China identified the following evidence they were able to locate on an Android device.[30]

      • Image message.
      • Moments.
      • Username, create time.
      • Text messages.
      • Video message.
      • Voice message.

WhatsApp

WhatsApp is a messaging application that supports voice and text messaging. Communication can be received or sent to an individual or group. It can be used from a mobile or desktop/laptop computer.

As with the other applications, academic researchers have attempted to recover digital evidence from the device WhatsApp is resident upon and located artifacts of data that may be of value to the investigator. Also, as with the other applications, the researchers used different strategies and test methodologies to locate the data and used different versions of the application, thereby obtaining different results in several instances.[31],[32],[33],[34]

      • Audio received.
      • Audio sent.
      • Chat history content data.
      • Chat/image.
      • Contacts shared.
      • File metadata.
      • Images received.
      • Images sent.
      • Installation date.
      • Media files exchanged.
      • Messages received.
      • Messages sent.
      • Thumbnail images of profile pictures.
      • Videos received.
      • Videos sent.

What can the evidence tell you?

As you can see all the apps generate a large quantity of evidence that is recorded either in the user account or on the device being used. Devices may be mobile or a laptop/desktop with applications such as Facebook or Dropbox.

The services are created for functionality, and as activity occurs, data files capture this and record it. Across the many instances of evidence identified, some information such as account usernames, phone names and email addresses may lead to new avenues of inquiry including seeking evidence where this data appears elsewhere in the investigation or on other social media accounts.

Contact lists and details of communication have their own value and may be used to link or exclude a person from an inquiry. Each case you investigate will be unique, and whatever evidence that can be obtained from apps will contribute to the resolution of the case.

Whilst you will often find only artefacts of evidence, small pieces of data such as identifying who the user has been in communication with may be of value depending upon the circumstances of your investigation.

Key Takeaways

Key Takeaways

  • Device examination can identify which apps are of the most importance to a person.
  • Examination of apps on mobile devices provides valuable insights into a person and their life.
  • Data may be recovered through device apps that are connected to Cloud Service Providers and used as evidence.
  • App versions are changing regularly and offer new features. What you may be able to access today, cannot be accessed tomorrow and vice versa. Unless you make the inquiries, you will not know.

Scenario

The case study shows Alex and Sledge communicate through the WhatsApp application which they both have on their phones. This is a secure communication channel that requires password access details. As this chapter states, the best evidence involving apps originates from having password access to the app. Also, the evidence obtained from the device’s Operating System is often only artefacts, meaning only parts of communications are available and not necessarily the full conversation.

Apps provide information on other services such as maps, online storage and banking. These lead to separate lines of inquiry which can produce new evidence or corroborate/negate other evidence and suspected methodologies. An app such as “Find my Friends” is valuable in identifying relationships between people. In the scenario, the applications identified include WhatsApp and a ride-share app on Sledge’s phone. Alex also has the WhatsApp social media application and a banking app. Although the scenario does not specifically mention it, both phones may also include links to online storage accounts.

Examples of app-based evidence that can be found on both Alex’s and Sledge’s devices include:

  • Audio files transferred.
  • Chat history
  • Contacts
  • Email
  • GPS location details
  • Health data including pulse and heart rate.
  • Message history
  • Images and/or videos exchanged.
  • Media files transferred (audio/video)
  • Payment method for the rideshare application.
  • Phone number
  • Photos
  • Profile image
  • Rideshare information from Sledge travelling to Alex’s home.

The most valuable evidence would be the conversations between Alex and Sledge involving the poor-quality cocaine and the heated arguments that follow. To investigators, this provides details of events leading up to the confrontation that led to Alex’s death including the motivation for Sledge to turn up unexpectedly at Alex’s home.

Timing of conversations is valuable and establishes a timeline of events which is corroborated against other evidence found on the computer and smart devices.

Sledge caught a ride share to the home of Alex. This will be valuable evidence as it further confirms Sledge being present at Alex’s home at the relevant time. It also confirms Sledge did not order a ride share away from the address.

  1. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey, USA.
  2. Ibid.
  3. Ibid.
  4. Satrya, G.B. (2019) Digital forensic study of a cloud storage client: A Dropbox artifact analysis. CommIT (Communication and Information technology) Journal 13(2), 57-66, 2019.
  5. Dropbox Business. www.dropbox.com/business/plans-comparison
  6. Dixon, S. J. (2023, September 21). Number of monthly active Facebook users worldwide as of 2nd quarter 2023  Statista. https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/
  7. Josephine, B.M., Shekar, K.V., Meghana, G. Rama Rao, K.V.S.N & Rajesh, Ch. (2019) Forensic analysis of Social media apps. International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Vol. 9 (1) November 2019.
  8. Yang, T.Y., Dehghantanha, A., Choo, K. & Muda, Z. (2016). Windows Instant Messaging app forensic: Facebook and Skype as case studies. PLoS ONE 11(3): e0150300 doi:10.1371/journal.pone0150300.
  9. Kik Law Enforcement Guide (2021) Retrieved 10 July 2023. Located at https://kikhelpcenter.zendesk.com/hc/en-us/articles/4402394292507-Does-Kik-have-a-guide-for-Law-Enforcement?
  10. Ibid.
  11. Ibid.
  12. Ibid.
  13. Ibid.
  14. Ibid.
  15. Ovens & Morison (2015). Forensic analysis of Kik messenger on IoT devices.
  16. Ibid.
  17. Adebayo, Sulaiman, Osho, Abdulhamid & Alhassan (2017). Forensic analysis of Kik messenger on Android devices.
  18. Onovakpuri, P.E. (2018). Forensics analysis of Skype, Viber and WhatsApp messenger on Android platform. International Journal of Cyber-security and Digital Forensics 7(2): 119-131
  19. Makura, S. (2013) University of Pretoria. Digital forensics report: A focus on the Skype application in Linux.
  20. Yang, T. Y., Dehghantanha, A., Choo, K.-K. R., & Muda, Z. (2016). Windows Instant Messaging App Forensics: Facebook and Skype as Case Studies. PLOS ONE, 11(3), e0150300. https://doi.org/10.1371/journal.pone.0150300
  21. Sgaras, C. Kechadi, M-T. & le-Khac, N. (2016) Forensic acquisition of instant messaging and VOIP applications. School of Computer Science & Informatics, University College Dublin, Belfield, Dublin, Ireland. Arvix.org/pdf/1612.00204.pdf
  22. Aji, M.P., Riadi, I. & Lutfhi, A. (2017) The digital analysis of Snapchat application using XML records. Journal of Theoretical and Applied Information Technology Vol. 95. No 19. October 2017.
  23. Alyahya, T., & Kausar, F. (2017). Snapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone. Procedia Computer Science, 109, 1035–1040. https://doi.org/10.1016/j.procs.2017.05.421
  24. Reedy, P. (2020) Interpol review of digital evidence 2016-2019. Forensic Science International: Synergy, https://pubmed.ncbi.nlm.nih.gov/33385144/
  25. Domingues, P., Francisco,J.C., Nogueira,R. & Frade, M. 2020. Post-mortem digital forensic artifacts on TikTok Android app. Association for Computer Machinery ARES Virtual Event Ireland August 2020.
  26. Ibid.
  27. Sgaras, C. Kechadi, M-T. & le-Khac, N. (2016) Forensic acquisition of instant messaging and VOIP applications. School of Computer Science & Informatics, University College Dublin, Belfield, Dublin, Ireland. Arvix.org/pdf/1612.00204.pdf
  28. Majeed, A., Zia, H, Imram, R. & Saleem, S. (2015). Forensic analysis of 3 social media apps in Windows 10.
  29. Reedy, P. (2020) Interpol review of digital evidence 2016-2019. Forensic Science International: Synergy, https://pubmed.ncbi.nlm.nih.gov/33385144/
  30. Wu, S., Zhang, Y., Wang, X., Xiong, X & Du, L. (2016). Forensic analysis of WeChat on Android smartphones. Digital Investigation 21(2017) 3-10.
  31. Josephine, B.M., Shekar, K.V., Meghana, G. Rama Rao, K.V.S.N & Rajesh, Ch. (2019) Forensic analysis of Social media apps. International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Vol. 9 (1) November 2019.
  32. Onovakpuri, P.E. (2018). Forensics analysis of Skype, Viber and WhatsApp messenger on Android platform. International Journal of Cyber-security and Digital Forensics 7(2): 119-131
  33. Sgaras, C. Kechadi, M-T. & le-Khac, N. (2016) Forensic acquisition of instant messaging and VOIP applications. School of Computer Science & Informatics, University College Dublin, Belfield, Dublin, Ireland. Arvix.org/pdf/1612.00204.pdf
  34. Astorian & Riadi (2018). Forensic investigation on WhatsApp web using framework integrated digital investigation framework version 2.
definition

Licence

Icon for the Creative Commons Attribution-NonCommercial 4.0 International License

Digital Evidence Manual Copyright © 2024 by Graeme Edwards is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.

Share This Book