International Journal of Mechanical Engineering and Technology (IJMET)
Volume 10, Issue 01, January 2019, pp. 926–934, Article ID: IJMET_10_01_095
Available online at http://www.iaeme.com/ijmet/issues.asp?JType=IJMET&VType=10&IType=01
ISSN Print: 0976-6340 and ISSN Online: 0976-6359
© IAEME Publication
Scopus Indexed
FORENSIC BENCHMARKING FOR ANDROID
MESSENGER APPLICATIONS
A Karahoca
Professor, Bahcesehir University, Software Engineering Department, Turkey
D Karahoca
Assistant Professor, Bahcesehir University, Health Management Department, Turkey
Selman Kasim Bağirici
Bahcesehir University
ABSTRACT
Technology has reshaped the way we interact with the world and access information
with the advent of smartphones. Accordingly, the needs we have and the solutions for our
needs have also changed along with the evolving technology. One of the most affected
matters from technology is communication. With the various options and capabilities,
instant messaging applications have been started to use for communication purpose
which is one of the biggest needs of human being. We can send text messages, video
messages, voice recordings and share locations using these applications. Even further,
we no longer need cell phone calls by GSM operators, and instead prefer these
applications for instant calls, as well as sharing private information with these
applications, not only for personal daily life, also for business need. On the other hand,
these applications bring risks with many benefits. One of them is privacy. We do not want
that these applications can store our personal data as its user. How do our best practices
keep our data? Do they give the necessary attention for privacy? Another fact is that these
applications can be used by criminals to communicate and execute a secret plan. If a
criminal gets caught, what can be obtained as evidence from these messaging
applications? This time we need to know what can be extracted from the mobile device.
This research focuses on forensics analysis of the instant messaging applications on the
Android platform.
Keyword head: Mobile Forensics, Android Forensics, Instant Messaging
Cite this Article: A Karahoca, D Karahoca and Selman Kasim Bağirici Forensic
Benchmarking for Android Messenger Applications, International Journal of Mechanical
Engineering and Technology, 10(01), 2019, pp.926–934
http://www.iaeme.com/IJMET/issues.asp?JType=IJMET&VType=10&Type=01
http://www.iaeme.com/IJMET/index.asp
926
editor@iaeme.com
A Karahoca, D Karahoca and Selman Kasim Bağirici
1. INTRODUCTION
Technology has reshaped the way we interact with the world and access information with the
advent of smartphones. Accordingly, the needs we have and the solutions for our needs have also
changed along with the evolving technology. Also, the rate of change is increasing exponentially
depending on the technology. A report published by a research company about the use of media
devices showed that 3 hours and 14 minutes is the average time spent using mobile devices by a
US adult in 2017 [1]. By the end of the 20th century, hardware-based inventions such as
computers, mobile phones were the leading production in the world; whereas in the first quarter
of 21st century, the application revolution has dominated the market and it affected our daily life.
When we consider the last twenty years, we have acquired new skills, and found new ways of
communicating with people due to evolving technology. Even further, we have quitted some of
those skills and gained new ones with what technology provides. We started to use mobile phones
in our daily life at the end of the 20th century and we used to send Short Message Service (SMS)
messages first. However, the use of the SMS decreased to 15.5 percent in 2017 and expected to
decrease even more to 5.9 percent on 2021 [2]. With the various options and capabilities, we’ve
started using instant messaging applications for communication purpose with our family and
friends. We send text messages, video messages, voice recordings and share locations using these
applications. Number of users of these applications is 1.58 billion in 2016 worldwide and it is
expected to hit 2.48 billion in 2021 [3]. The research about forensics analysis of the instant
messaging applications requires continuity and consistency because applications change with
each update as a new feature is added. The purpose of this paper is to provide answers for common
questions related to the forensics analysis of instant messaging applications.
2. LITERATURE
Digital Forensics is recovering, investigating and identifying the data to prove the existence of
evidence. Mobile forensics is a sub-branch of the digital forensics. It is not possible to apply same
procedure entirely because of uniqueness of the investigations on each domain. However, we can
list the steps as follows: a) identification and investigation, b) acquisition, c) analysis.
2.1. Identify and Investigate
Mobile forensics has a lot of different factors which depend on mobile phone manufacturer,
phone model, operating system type, operating system version. Therefore, the investor must
prepare a proper method for each scenario [27].
2.2. Acquisition
The acquisition phase refers to the extraction of data from the device. Due to the inherent security
features of mobile devices, extracting data is not always straight forward. The extraction method
is determined based on the operating system, make, and model of the device. There are three type
of acquisition method:
Manual acquisition: This acquisition method requires the least technical qualification. It is
based on the user interface of the device. No need for any tool for manual acquisition.
Disadvantage of the manual acquisition is that the examiner can detect only artifacts which are
visible from user interface.
Logical acquisition: Logical acquisition based on extracting accessible data on the file system.
Disadvantage of the logical acquisition is that the examiner can extract the data which is identified
by operating system, not deleted data except some files such as database files. Database files can
still contain deleted data [4-25]. If the root access of the mobile phone is provided, the examiner
can detect more artifacts from mobile phone.
http://www.iaeme.com/IJMET/index.asp
927
editor@iaeme.com
Forensic Benchmarking for Android Messenger Applications
Physical acquisition: Physical acquisition is extracting data from hardware (storage) bit-bybit. There are various methods for physical acquisition such as hex dumping, JTAG, chip-off,
micro read. The JTAG method extracts complete physical image of a mobile phone, if the JTAG
port of the mobile phone is connected to a computer using a JTAG emulator. The extracted
physical image can be analyzed by using WinHex or any other software which can analyze binary
files. Another physical acquisition method is using dd command which is a Linux command-line
utility used by definition to convert and copy files, but is frequently used in forensics to create
bit-by-bit images of entire drives [5]. Most of the commercial forensics tool uses dd command
for physical acquisition method. The physical acquisition requires the most technical
qualification. Advantage of the physical acquisition is it is possible to recover deleted files.
2.3. Analysis
In analysis part, private data from the disk image is collected. Various software tools help to
extract the data from the image which was stored in acquisition part. There is no single tool that
can be used in all cases. This part needs the know-how and knowledge of the operating system
and file types such as databases files, xml files etc.
2.4. Forensics Tools
There are a lot of commercial (paid) and free tools developed for forensics analysis purposes to
extract data from image of memory or to analyze the artifacts. Even so, their major aim is
extracting the data or analyzing, each of them has lots of additional features which are different
from each other. The following mobile forensics tools are the most common ones in the mobile
forensics research, and this study focuses on their major purposes instead of side effects.
The Department of Homeland Security examines Mobile Device Acquisition tools and
publishes reports for the public’s awareness. Also, Homeland Security and National Institute of
Standards and Technology (NIST) supports a program called Computer Forensics Tool Testing
Program (CFTT). The goal of the CFTT project is to establish a methodology for testing computer
forensic software tools by development of general tool specifications, test procedures, test
criteria, test sets, and test hardware [6].
MSAB's (a software company) solution called XRY Extract family is one of the most
frequently used and useful forensics tool. It has two major versions to extract data. XRY logical
is designed to extract and recover data communicating with the operating system (Logical
Acquisition). XRY physical is designed to extract and recover raw data directly from the device
memory (physical acquisition). MSAB has the XAMN Analyze family which analyzes the output
of the XRY logical and XRY physical. There is no technical document related with how XRY
examines the mobile phone.
Another commercial tool is Oxygen Forensic Detective. The tool offers 3 methods of data
acquisition: Android backup, Physical dump via device rooting and logical extraction. In case of
logical extraction OxyAgent application (developed by Oxygen Forensic) is installed in the
device [7].
Magnet ACQIRE is another commercial forensics tool which widely used by examiners.
Magnet Acquire has two options for image types. First one is named “Full” which extracts entire
contents and requires a rooted device. This method is a type physical acquisition and based on
Linux dd command. Second one named “Quick” and this method uses adb backup command for
Android version 4+. Quick mode is a type of logical acquisition. Android Debug Bridge (ADB)
on a workstation allows it to access the system partitions if the USB debugging mode is enabled
on an Android phone [4].
http://www.iaeme.com/IJMET/index.asp
928
editor@iaeme.com
A Karahoca, D Karahoca and Selman Kasim Bağirici
ViaExtract is a logical and physical extraction tool based on Santoku Linux distribution.
Logical acquisitions version is free, but physical acquisitions are paid. It is freely distributed
inside of a virtual machine running [5].
The SIFT (SANS Investigate Forensic Toolkit) Workstation is free Linux based operating
system which has different open-source forensics tools such as Autospy, SleuthKit, log2timeline.
It can match any current incident response and forensic tool suite. SIFT demonstrates that
advanced incident response capabilities and deep dive digital forensic techniques to intrusions
can be accomplished using cutting-edge open-source tools that are freely available and frequently
updated [8].
It is important to note that forensic tools have the potential to contain some degree of error in
their operation. For example, the implementation of the tool may have a programming error; the
specification of a file structure used by the tool to translate bits into data comprehensible by the
examiner may be inaccurate or out of date; or the file structure generated by another program as
input may be incorrect, causing the tool to function improperly [9]. In addition, developers are
creating new versions of applications often. If we consider the count of applications and their
updated versions, it becomes a big issue to support all applications and especially the latest
versions. Another problem is that there are a lot of different models made in Asia which has no
mark means.
3. DATA AND METHOD
Various types of mobile phones with many different brands, models, operating systems and
versions are used nowadays. When we consider this expansive variation, we have noticed that it
is not possible to apply the same analysis methods or use the same commercial tools for all
possible combinations. Thus, a lot of statistic reports were examined and these reports helped to
determine the test platform to be used. As a result, Samsung Galaxy Note 5 (SM-N920C) with
Android Marshmallow Operating System is chosen as the main test platform. Android is preferred
as the test platform because of having the highest number of users. 85.9% of all smartphones sold
to customers were Android phones in 2017. Samsung has the largest percentage of market share
with 20.9 percent among the mobile phone vendors [10]. Marshmallow (Android version 6) is
chosen as the lab environment since it is the most used Android version with 32,2% in September
2017 [11]. Also, virtual Android device platforms on Android Studio and ZTE Nubia Z5s mobile
phone with Android 4.4.2 version were used to verify or test some of the cases. The virtual
machines are working on macOS High Sierra (10.13) operating system.
Android is an open source operating system; thus, it is possible to modify the source code
when vendors are designing mobile phones with some limitations. Rooting the operating system
process is widely applied to have more authorization on mobile phones. Having a rooted Android
phone allows the user to access protected, restricted directories on the system that has private
user data (e.g., /data/data directory), backups, system files and more [12]. The test platform of
this study is rooted to be able to see all artifacts on the device. Logical acquisition method is
applied to extract data from the device. We can see only the data which operating system permits
via the logical acquisition method. Thus, the device is rooted to increase visibility of the data. On
the other hand, physical acquisition method was applied via dd command of Linux too and rooting
was a requirement to apply dd command.
DB browser for SQLite application is installed on macOS to read database files extracted
from mobile phone.
Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with
a device and it is one of the most used command in this study. The adb command facilitates a
variety of device actions, such as installing, debugging apps. It provides access to a Unix shell
that you can use to run a variety of commands on a device [13]. ADB is one of the most effective
http://www.iaeme.com/IJMET/index.asp
929
editor@iaeme.com
Forensic Benchmarking for Android Messenger Applications
tool for forensic analysis. It requires USB debugging option enabled to work and after enabling
the USB debugging option, the device executes the adb daemon (adbd) in the background to
detect USB connections. It is not possible to access to internal application data on non-rooted
Android devices. If the device is rooted, adbd runs under the root account and thus it is possible
to access to the entire data [14]. Below adb commands were used often in this study: a)adb
devices: This command is used to see whether the device is connected or not. b)adb install *.apk:
This command is used for installing application to Android device via a computer.c) adb pull
[path] [path]: This command is used to copy a file or folder to/from Android device d) adb shell:
This command is used to access command line of Android device.
On Android site; ES File Explorer (Version 1.0.7), File Manager +(Version 1.8.0) and Total
Commander (Version 2.90) applications are used as file manager. Different tools are chosen to
compare results each other to decrease the error or missing to minimum. Also, each application
has different talents. Terminal and Termux (version 0.60) applications are used to access
command line of the Android device. SqlitePrime (Version 1.3.0) is used to read database files
directly on the Android device. Root Checker Basic (Version 6.2.6) is used to ensure root access
to Android device. OS monitoring application was used to identify package name and process id
numbers of the applications.
Criteria such as number of downloads, number of users, popularity were regarded in the stage
of selection phases of the messenger applications. This research covers below instant messaging
applications.
Each of the steps is repeated for every application. If the tested application has different
feature from common mobile messaging applications, it is explicitly indicated in the findings part
of the study. For example, WhatsApp and WeChat has live location feature to share location of
sender but instantly along the specified time.
Install the application to Android Device (A)
Create an account
Exchange Data between A and B
Send and receive text messages
Send and receive image
Send and receive video
Send and receive location
Send and receive a contact
Voice call
Video call
Share an image on story (A)
Apply below scenarios;
Delete one of the text message from
A
Delete one of the text message from B
Delete the application from A
Extracting the data from the mobile phone is not always successful with same method. Based
on the vendor, phone model, operating system, the methods are adapted. Thus, examining with
one of the previously explained forensics tools is not enough. There are two main acquisition
methods: logical and physical acquisition. Logical acquisition method is applied by using adb
tool manually in this study. Adb tool takes an active role to get data from android device to
macOS. Adb pull command is used for extraction. Also, physical acquisition method is applied
via dd command in this study. The dd command is a Linux command-line utility used by
definition to convert and copy files, but is frequently used in forensics to create bit-by-bit images
of entire drives [14].
The study performed by considering two problems which are mentioned in Introduction
section: privacy and forensic analysis. Thus, different images belong to different state of the
device were taken to compare with each other. Taken images are a) cleanstate.img, b)
apps_installed.img c) apps_deleted.img.
http://www.iaeme.com/IJMET/index.asp
930
editor@iaeme.com
A Karahoca, D Karahoca and Selman Kasim Bağirici
Two images that apps_installed.img and apps_deleted.img are compared for answering the
question of what if the applications were deleted after committing a crime. Clean state of the
device (the state which test applications are not installed) named cleanstate.img is compared with
the apps_installed.img to increase visibility of detecting artifacts.
The /data/data partition is one of the most critical locations for forensic examiners.
Applications stores their data such as databases, caches, custom libraries, xml files under this
directory [14]. Related folder of application that is located under /data/data directory was
determined. Applications stores user data such as images, video and voice messages, profile
photos under /sdcard and folder of the tested application under /sdcard is determined. Whole disk
of the phone is scanned because of possibility of having another folder of the tested application.
After determining folders created by the applications on the mobile phone are extracted to
investigate by using file manager applications and adb pull command. Md5 hash of files
compared to each other to confirm integrity.
4. FINDINGS
This research is motivated to investigate the privacy concerns and forensics of the popular instant
messaging applications’ latest versions on the most commonly used version of Android platform.
It is not useful to examine all types of applications with the same method or same commercial
tools when we consider different phone vendors, different operating systems and their versions,
various applications. Thus, we examined the applications manually by considering NIST mobile
device forensics framework [15]. In addition to aforementioned artifacts, this study proposes a
classification method for different applications’ latest version’s artifacts to make the forensics
research easier. Also, the test platform of these applications during the investigation is the up to
date version of Android.
The answers of the below questions were investigated in this study:
• How does an application store data? New files of instant messaging applications were
investigated and elaborated in Findings section based on their file type, e.g., database, xml, text,
image, video or audio file. MD5 hashes of the files were calculated for two cases: (1) before
copying the files to PC (on Android device) and (2) after copying the files to PC (on PC). Then,
MD5 hashed compared with each other to verify integrity of files.
• Is the stored data time stamped/encrypted? Artefacts were categorized depending on their
file type and investigated whether they are encrypted or plaintext and if they were time-stamped.
• Does the application store personal information of the users? It was found that profile
information of a user such as age, name and last name, contact list of a user existed on the files;
account details such as phone number, username, profile photo, Facebook token were stored by
applications in database files and xml files in most of the cases.
WhatsApp is a messenger application ranking the second most active users (over 1.5 billion
monthly) in 2018 [16]. Thus, it is a widely analyzed application in terms of forensics. However,
a detailed analysis of WhatsApp has not been conducted so far, and this study is an attempt to
elaborate all parts of the application and provide as much information as possible. On the other
hand, the latest version of WhatsApp (at this time of the research) which is 2.18.79 (released on
9 March 2018) is analyzed in this study on the Android version 6.0.1. It is determined while
preparing literature review that analyzed latest version of 2.12.5x (released in April 2015) [17].
Version 2.12.5x does not have end-to-end encryption and live location.
Even though Tango has 390 million registered users, it has not been thoroughly investigated
and there is no enough research related to Tango. Sgaras et al. analyzed Tango on Android 2.3.5
and iOS operating systems. They declared that all of the Tango database files that contained
encrypted content and artifacts were specified as N/A in the table of android logical extraction
analysis. The version of the application could not be found in the research [42]. Walnycky et al.
http://www.iaeme.com/IJMET/index.asp
931
editor@iaeme.com
Forensic Benchmarking for Android Messenger Applications
analyzed Tango in terms of network analysis [24]. It could not find any detailed information
about how the analysis is done in forensic concept. In this study, it was identified that artifacts
such as text messages, locations can be extracted from database files by decoding Base64 format.
One of the possible reasons of obtaining artifacts is the root access to the Android devices. This
method was applied by Tamma and Tindall for Tango version 3.13.128111 (release date 09
January 2015) [14].
Walnycky et al. mentioned about forensic analysis of Instagram Direct feature (version 6.3.1)
in their study and could not find any data storage trace [24]. Another study that involves
Instagram Direct was not found in literature review phase. The research in this paper can be
regarded as one of the detailed analysis about Instagram Direct. Instagram version 37.0.0.21.97
was analyzed in this study. The focus of the study was messaging feature of the Instagram
application called Instagram Direct, feed features were not examined. Exchanged text messages,
videos and images, contacts’ details, Facebook token were extracted. Related artifacts were not
encrypted.
Viber Messenger has been studied commonly by forensics folks because of its large number
of users. Viber released and developed end-to-end encryption with version 6 and security and
privacy are emphasized especially after the version 6. Viber Messenger claims that Viber's
security technology creates an environment where two devices communicate using a secret code
instead of plain, understandable text. Only the sender and receiver devices have the key to
decipher the code. Not even Viber can read and understand this code, and anyone who tries to
hack or spy on this communication will not be able to understand it. Viber Messenger does not
store any chat information on Viber’s servers once it has been delivered to the recipient [19]. It
is determined that latest studies analysing the Viber Messenger application are covering previous
versions. Dargahi et al. analysed Viber 4.3.3 version released in 2014 [17]. Azfar et al. analysed
the version 5.0.2 released in 2015 [20]. Cahyani et al. analysed 6.0.1.13, but there has been found
only limited information related to the artefacts [21]. Our study includes a comprehensive
analysis of the data structure of the Viber Messenger with the version 7.9.6.30 released at the end
of 2017.
With distinctive features such as payment and official accounts, WeChat is one of the trend
applications of forensics researchers to examine because of the effect of usage numbers of the
application. Studies showed that WeChat application care the privacy more than most of the
mobile messaging application. It is using Sqlcipher to encrypt its critical database files such as
EnMicroMsg.db. Some proven methods on previous versions of WeChat applications installed
previous version of Android were examined and applied but it is found that database files of
WeChat 6.6.2 version on Android 6.0.1 are not possible to decrypt. New test platform was
prepared to find out the root cause. First earlier version (6.2.2) of WeChat was installed, but
WeChat did not permit to login without latest version. Then, latest version of WeChat (version
6.6.2) was installed on earlier version of Android (4.4.2). Same method applied and database file
was decrypted successfully. It is showed that the encryption method of WeChat version 6.6.2 on
Android Marshmallow is not same with previous version of Android.
BiP Messenger is a newer instant messaging application compared to the other applications
analyzed in this study. BiP Messenger has different features in addition to what traditional instant
messaging applications provides such as sending secret messages, free SMS and MMS (even to
a device that does not have BiP Messenger installed) and making translations between languages.
It has been commonly used by Turkish users. Any research including BiP Messenger was not
found on literature to the knowledge of the authors. Data structure and artifacts of BiP Messenger
were shown in Findings Section. Artifacts of secret messages (feature to address privacy concerns
includes that messages are being deleted after a certain amount of time) could not be found on
the Android device.
http://www.iaeme.com/IJMET/index.asp
932
editor@iaeme.com
A Karahoca, D Karahoca and Selman Kasim Bağirici
5. CONCLUSION
Privacy and security of users are taken into account more seriously day by day with the new laws
being passed such as The General Data Protection Regulation (GDPR). It is a regulation in EU
law on data protection and privacy for all individuals within the European Union Developers
Applications [22]. It is a hot topic at the time of this study that Facebook has sold the data of its
1.5bn users [23]. These types of events are triggering the developers of the applications to design
more secure applications. They are designing encrypted data structures, certificated based
network traffics, restricted access to personal information etc. On the other hand, if the mobile
phone was used as a criminal tool via installed messaging application, then it is a requirement to
access data to solve and address the crime. This paper focused on both privacy and forensic
analysis of the instant messaging applications. Future works would include a discussion of how
an instant message application store the data while being secure enough and also allowing
forensic analysis for criminal cases. A study about forensics analysis for the instant messaging
applications requires continuity and consistency due to the fact that applications get updated each
time a new feature is added. Hence, future works will include new versions of instant messaging
applications.
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
eMarketer, 2017. http://www.emarketer.com/Chart/Average-Time-Spent-per-Day-withMajor-Media-by-US-Adults-2017-hrsmins/206481.
Statista, 2017. https://www.statista.com/statistics/483287/change-of-mobile-messagingusers-worldwide/.
Statista, 2016. https://www.statista.com/statistics/483255/number-of-mobile-messagingusers-worldwide/.
Hoog, A., Android Forensics: Investigation, Analysis, and Mobile Security for Google
Android, Waltham: Elsevier, 2011.
Tamma, R. and Tindall, D. Learning Android Forensics, BIRMINGHAM: Packt Publishing
Ltd., 2015, pp. 249-253.
Nist, 08 05 2017. . Available: https://www.nist.gov/itl/ssd/software-quality-group/computerforensics-tool-testing-program-cftt.
Oxygen-Forensic,
"Oxygen-Forensic,"
2017.
https://www.oxygenforensic.com/download/articles/Oxygen_Forensic_DetectiveHow_to_connect_Android_devices.pdf.
SANS, "SANS," 2015. https://digital-forensics.sans.org/community/downloads.
Ayers, R., W. Jansen, and S. Brothers. "Guidelines on mobile device forensics (NIST Special
Publication 800-101 Revision 1), 1, 85." (2014).
Gartner, "Gartner," 2017. https://www.gartner.com/newsroom/id/3859963. [Accessed 2018].
Fossbytes, "Fossbytes," 2017. . Available: https://fossbytes.com/most-popular-androidversions-always-updated/.
Mutawa, N. A. Baggili, I. and Marringto, A. "Forensic analysis of social networking
applications on mobile devices," Digital Investigation, vol. 9, pp. 24-33, 2012.
Developer.Android,
"Developer.Android,"
2017.
.
Available:
https://developer.android.com/studio/command-line/adb.html.
Tamma, R. and Tindall, D. Learning Android Forensics, BIRMINGHAM: Packt Publishing
Ltd., 2015, p. 78.
Kent, K. Chevalier, S. Grance, T. and Da, H. "Guide to Integrating Forensic Techniques into
Incident Response," NIST, Gaithersburg, 2006.
http://www.iaeme.com/IJMET/index.asp
933
editor@iaeme.com
Forensic Benchmarking for Android Messenger Applications
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
Molla, R. "Recode," https://www.recode.net/2018/2/1/16959804/whatsapp-facebookbiggest-messenger-instagram-users.
Dargahi, T. Dehghantanhab, A. and Con, M. "Forensics Analysis of Android Mobile VoIP
Apps," Cornell University Library, 2017.
Sgaras, C. Kechadi, M.-T. and Le-Khac, N.-A. "Forensics Acquisition and Analysis of instant
messaging and VoIP applications," 2016.
Viber, "Viber," 2018. https://support.viber.com/customer/portal/articles/2017401-vibersecurity-faq.
Azfar, A., Choo, K.-K. R. and Liu, L. "An Android Communication App Forensic
Taxonomy," Journal of Forensic Sciences, vol. 61, no. 5, 2016.
Cahyani, N. D. W., Rahman, N. H. A. Glisson, W. B. and Choo, K.-K. R. "The Role of Mobile
Forensics in Terrorism Investigations Involving the Use of Cloud Storage Service and
Communication Apps," Springer, New York, 2016.
General_Data_Protection_Regulation,Wikipedia,2018.https://en.wikipedia.org/wiki/General
_Data_Protection_Regulation.
Hern,A."Theguardian,"19042018.https://www.theguardian.com/technology/2018/apr/19/fac
ebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law.
Walnycky, D., Baggili, I., Marrington, A., Moore, J. and Breitinger, F. "Network and device
forensic analysis of Android social-messaging applications," vol. 14, pp. 77-84, 2015.
Vara Prasad, P.V., Sowmya, N., Rajasekhar Reddy, K. and Bala,P.J. Introduction to Dynamic
Malware Analysis for Cyber Intelligence and Forensics, International Journal of Mechanical
Engineering and Technology 9(1), 2018, pp. 10–21.
Gyamfi, N.K., Nyamadi,M., Appiah,P. Katsriku, F. and Abdulai, J-D, A Brief Survey of
Mobile Forensics Analysis on Social Networking Application. International Journal of
Computer Engineering and Technology, 7(4), 2016, pp. 81–86.
http://www.iaeme.com/IJMET/index.asp
934
editor@iaeme.com