International Journal of Mechanical Engineering and Technology (IJMET) Volume 10, Issue 01, January 2019, pp. 926–934, Article ID: IJMET_10_01_095 Available online at http://www.iaeme.com/ijmet/issues.asp?JType=IJMET&VType=10&IType=01 ISSN Print: 0976-6340 and ISSN Online: 0976-6359 © IAEME Publication Scopus Indexed FORENSIC BENCHMARKING FOR ANDROID MESSENGER APPLICATIONS A Karahoca Professor, Bahcesehir University, Software Engineering Department, Turkey D Karahoca Assistant Professor, Bahcesehir University, Health Management Department, Turkey Selman Kasim Bağirici Bahcesehir University ABSTRACT Technology has reshaped the way we interact with the world and access information with the advent of smartphones. Accordingly, the needs we have and the solutions for our needs have also changed along with the evolving technology. One of the most affected matters from technology is communication. With the various options and capabilities, instant messaging applications have been started to use for communication purpose which is one of the biggest needs of human being. We can send text messages, video messages, voice recordings and share locations using these applications. Even further, we no longer need cell phone calls by GSM operators, and instead prefer these applications for instant calls, as well as sharing private information with these applications, not only for personal daily life, also for business need. On the other hand, these applications bring risks with many benefits. One of them is privacy. We do not want that these applications can store our personal data as its user. How do our best practices keep our data? Do they give the necessary attention for privacy? Another fact is that these applications can be used by criminals to communicate and execute a secret plan. If a criminal gets caught, what can be obtained as evidence from these messaging applications? This time we need to know what can be extracted from the mobile device. This research focuses on forensics analysis of the instant messaging applications on the Android platform. Keyword head: Mobile Forensics, Android Forensics, Instant Messaging Cite this Article: A Karahoca, D Karahoca and Selman Kasim Bağirici Forensic Benchmarking for Android Messenger Applications, International Journal of Mechanical Engineering and Technology, 10(01), 2019, pp.926–934 http://www.iaeme.com/IJMET/issues.asp?JType=IJMET&VType=10&Type=01 http://www.iaeme.com/IJMET/index.asp 926 editor@iaeme.com A Karahoca, D Karahoca and Selman Kasim Bağirici 1. INTRODUCTION Technology has reshaped the way we interact with the world and access information with the advent of smartphones. Accordingly, the needs we have and the solutions for our needs have also changed along with the evolving technology. Also, the rate of change is increasing exponentially depending on the technology. A report published by a research company about the use of media devices showed that 3 hours and 14 minutes is the average time spent using mobile devices by a US adult in 2017 [1]. By the end of the 20th century, hardware-based inventions such as computers, mobile phones were the leading production in the world; whereas in the first quarter of 21st century, the application revolution has dominated the market and it affected our daily life. When we consider the last twenty years, we have acquired new skills, and found new ways of communicating with people due to evolving technology. Even further, we have quitted some of those skills and gained new ones with what technology provides. We started to use mobile phones in our daily life at the end of the 20th century and we used to send Short Message Service (SMS) messages first. However, the use of the SMS decreased to 15.5 percent in 2017 and expected to decrease even more to 5.9 percent on 2021 [2]. With the various options and capabilities, we’ve started using instant messaging applications for communication purpose with our family and friends. We send text messages, video messages, voice recordings and share locations using these applications. Number of users of these applications is 1.58 billion in 2016 worldwide and it is expected to hit 2.48 billion in 2021 [3]. The research about forensics analysis of the instant messaging applications requires continuity and consistency because applications change with each update as a new feature is added. The purpose of this paper is to provide answers for common questions related to the forensics analysis of instant messaging applications. 2. LITERATURE Digital Forensics is recovering, investigating and identifying the data to prove the existence of evidence. Mobile forensics is a sub-branch of the digital forensics. It is not possible to apply same procedure entirely because of uniqueness of the investigations on each domain. However, we can list the steps as follows: a) identification and investigation, b) acquisition, c) analysis. 2.1. Identify and Investigate Mobile forensics has a lot of different factors which depend on mobile phone manufacturer, phone model, operating system type, operating system version. Therefore, the investor must prepare a proper method for each scenario [27]. 2.2. Acquisition The acquisition phase refers to the extraction of data from the device. Due to the inherent security features of mobile devices, extracting data is not always straight forward. The extraction method is determined based on the operating system, make, and model of the device. There are three type of acquisition method: Manual acquisition: This acquisition method requires the least technical qualification. It is based on the user interface of the device. No need for any tool for manual acquisition. Disadvantage of the manual acquisition is that the examiner can detect only artifacts which are visible from user interface. Logical acquisition: Logical acquisition based on extracting accessible data on the file system. Disadvantage of the logical acquisition is that the examiner can extract the data which is identified by operating system, not deleted data except some files such as database files. Database files can still contain deleted data [4-25]. If the root access of the mobile phone is provided, the examiner can detect more artifacts from mobile phone. http://www.iaeme.com/IJMET/index.asp 927 editor@iaeme.com Forensic Benchmarking for Android Messenger Applications Physical acquisition: Physical acquisition is extracting data from hardware (storage) bit-bybit. There are various methods for physical acquisition such as hex dumping, JTAG, chip-off, micro read. The JTAG method extracts complete physical image of a mobile phone, if the JTAG port of the mobile phone is connected to a computer using a JTAG emulator. The extracted physical image can be analyzed by using WinHex or any other software which can analyze binary files. Another physical acquisition method is using dd command which is a Linux command-line utility used by definition to convert and copy files, but is frequently used in forensics to create bit-by-bit images of entire drives [5]. Most of the commercial forensics tool uses dd command for physical acquisition method. The physical acquisition requires the most technical qualification. Advantage of the physical acquisition is it is possible to recover deleted files. 2.3. Analysis In analysis part, private data from the disk image is collected. Various software tools help to extract the data from the image which was stored in acquisition part. There is no single tool that can be used in all cases. This part needs the know-how and knowledge of the operating system and file types such as databases files, xml files etc. 2.4. Forensics Tools There are a lot of commercial (paid) and free tools developed for forensics analysis purposes to extract data from image of memory or to analyze the artifacts. Even so, their major aim is extracting the data or analyzing, each of them has lots of additional features which are different from each other. The following mobile forensics tools are the most common ones in the mobile forensics research, and this study focuses on their major purposes instead of side effects. The Department of Homeland Security examines Mobile Device Acquisition tools and publishes reports for the public’s awareness. Also, Homeland Security and National Institute of Standards and Technology (NIST) supports a program called Computer Forensics Tool Testing Program (CFTT). The goal of the CFTT project is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware [6]. MSAB's (a software company) solution called XRY Extract family is one of the most frequently used and useful forensics tool. It has two major versions to extract data. XRY logical is designed to extract and recover data communicating with the operating system (Logical Acquisition). XRY physical is designed to extract and recover raw data directly from the device memory (physical acquisition). MSAB has the XAMN Analyze family which analyzes the output of the XRY logical and XRY physical. There is no technical document related with how XRY examines the mobile phone. Another commercial tool is Oxygen Forensic Detective. The tool offers 3 methods of data acquisition: Android backup, Physical dump via device rooting and logical extraction. In case of logical extraction OxyAgent application (developed by Oxygen Forensic) is installed in the device [7]. Magnet ACQIRE is another commercial forensics tool which widely used by examiners. Magnet Acquire has two options for image types. First one is named “Full” which extracts entire contents and requires a rooted device. This method is a type physical acquisition and based on Linux dd command. Second one named “Quick” and this method uses adb backup command for Android version 4+. Quick mode is a type of logical acquisition. Android Debug Bridge (ADB) on a workstation allows it to access the system partitions if the USB debugging mode is enabled on an Android phone [4]. http://www.iaeme.com/IJMET/index.asp 928 editor@iaeme.com A Karahoca, D Karahoca and Selman Kasim Bağirici ViaExtract is a logical and physical extraction tool based on Santoku Linux distribution. Logical acquisitions version is free, but physical acquisitions are paid. It is freely distributed inside of a virtual machine running [5]. The SIFT (SANS Investigate Forensic Toolkit) Workstation is free Linux based operating system which has different open-source forensics tools such as Autospy, SleuthKit, log2timeline. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated [8]. It is important to note that forensic tools have the potential to contain some degree of error in their operation. For example, the implementation of the tool may have a programming error; the specification of a file structure used by the tool to translate bits into data comprehensible by the examiner may be inaccurate or out of date; or the file structure generated by another program as input may be incorrect, causing the tool to function improperly [9]. In addition, developers are creating new versions of applications often. If we consider the count of applications and their updated versions, it becomes a big issue to support all applications and especially the latest versions. Another problem is that there are a lot of different models made in Asia which has no mark means. 3. DATA AND METHOD Various types of mobile phones with many different brands, models, operating systems and versions are used nowadays. When we consider this expansive variation, we have noticed that it is not possible to apply the same analysis methods or use the same commercial tools for all possible combinations. Thus, a lot of statistic reports were examined and these reports helped to determine the test platform to be used. As a result, Samsung Galaxy Note 5 (SM-N920C) with Android Marshmallow Operating System is chosen as the main test platform. Android is preferred as the test platform because of having the highest number of users. 85.9% of all smartphones sold to customers were Android phones in 2017. Samsung has the largest percentage of market share with 20.9 percent among the mobile phone vendors [10]. Marshmallow (Android version 6) is chosen as the lab environment since it is the most used Android version with 32,2% in September 2017 [11]. Also, virtual Android device platforms on Android Studio and ZTE Nubia Z5s mobile phone with Android 4.4.2 version were used to verify or test some of the cases. The virtual machines are working on macOS High Sierra (10.13) operating system. Android is an open source operating system; thus, it is possible to modify the source code when vendors are designing mobile phones with some limitations. Rooting the operating system process is widely applied to have more authorization on mobile phones. Having a rooted Android phone allows the user to access protected, restricted directories on the system that has private user data (e.g., /data/data directory), backups, system files and more [12]. The test platform of this study is rooted to be able to see all artifacts on the device. Logical acquisition method is applied to extract data from the device. We can see only the data which operating system permits via the logical acquisition method. Thus, the device is rooted to increase visibility of the data. On the other hand, physical acquisition method was applied via dd command of Linux too and rooting was a requirement to apply dd command. DB browser for SQLite application is installed on macOS to read database files extracted from mobile phone. Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device and it is one of the most used command in this study. The adb command facilitates a variety of device actions, such as installing, debugging apps. It provides access to a Unix shell that you can use to run a variety of commands on a device [13]. ADB is one of the most effective http://www.iaeme.com/IJMET/index.asp 929 editor@iaeme.com Forensic Benchmarking for Android Messenger Applications tool for forensic analysis. It requires USB debugging option enabled to work and after enabling the USB debugging option, the device executes the adb daemon (adbd) in the background to detect USB connections. It is not possible to access to internal application data on non-rooted Android devices. If the device is rooted, adbd runs under the root account and thus it is possible to access to the entire data [14]. Below adb commands were used often in this study: a)adb devices: This command is used to see whether the device is connected or not. b)adb install *.apk: This command is used for installing application to Android device via a computer.c) adb pull [path] [path]: This command is used to copy a file or folder to/from Android device d) adb shell: This command is used to access command line of Android device. On Android site; ES File Explorer (Version 1.0.7), File Manager +(Version 1.8.0) and Total Commander (Version 2.90) applications are used as file manager. Different tools are chosen to compare results each other to decrease the error or missing to minimum. Also, each application has different talents. Terminal and Termux (version 0.60) applications are used to access command line of the Android device. SqlitePrime (Version 1.3.0) is used to read database files directly on the Android device. Root Checker Basic (Version 6.2.6) is used to ensure root access to Android device. OS monitoring application was used to identify package name and process id numbers of the applications. Criteria such as number of downloads, number of users, popularity were regarded in the stage of selection phases of the messenger applications. This research covers below instant messaging applications. Each of the steps is repeated for every application. If the tested application has different feature from common mobile messaging applications, it is explicitly indicated in the findings part of the study. For example, WhatsApp and WeChat has live location feature to share location of sender but instantly along the specified time. Install the application to Android Device (A) Create an account Exchange Data between A and B Send and receive text messages Send and receive image Send and receive video Send and receive location Send and receive a contact Voice call Video call Share an image on story (A) Apply below scenarios; Delete one of the text message from A Delete one of the text message from B Delete the application from A Extracting the data from the mobile phone is not always successful with same method. Based on the vendor, phone model, operating system, the methods are adapted. Thus, examining with one of the previously explained forensics tools is not enough. There are two main acquisition methods: logical and physical acquisition. Logical acquisition method is applied by using adb tool manually in this study. Adb tool takes an active role to get data from android device to macOS. Adb pull command is used for extraction. Also, physical acquisition method is applied via dd command in this study. The dd command is a Linux command-line utility used by definition to convert and copy files, but is frequently used in forensics to create bit-by-bit images of entire drives [14]. The study performed by considering two problems which are mentioned in Introduction section: privacy and forensic analysis. Thus, different images belong to different state of the device were taken to compare with each other. Taken images are a) cleanstate.img, b) apps_installed.img c) apps_deleted.img. http://www.iaeme.com/IJMET/index.asp 930 editor@iaeme.com A Karahoca, D Karahoca and Selman Kasim Bağirici Two images that apps_installed.img and apps_deleted.img are compared for answering the question of what if the applications were deleted after committing a crime. Clean state of the device (the state which test applications are not installed) named cleanstate.img is compared with the apps_installed.img to increase visibility of detecting artifacts. The /data/data partition is one of the most critical locations for forensic examiners. Applications stores their data such as databases, caches, custom libraries, xml files under this directory [14]. Related folder of application that is located under /data/data directory was determined. Applications stores user data such as images, video and voice messages, profile photos under /sdcard and folder of the tested application under /sdcard is determined. Whole disk of the phone is scanned because of possibility of having another folder of the tested application. After determining folders created by the applications on the mobile phone are extracted to investigate by using file manager applications and adb pull command. Md5 hash of files compared to each other to confirm integrity. 4. FINDINGS This research is motivated to investigate the privacy concerns and forensics of the popular instant messaging applications’ latest versions on the most commonly used version of Android platform. It is not useful to examine all types of applications with the same method or same commercial tools when we consider different phone vendors, different operating systems and their versions, various applications. Thus, we examined the applications manually by considering NIST mobile device forensics framework [15]. In addition to aforementioned artifacts, this study proposes a classification method for different applications’ latest version’s artifacts to make the forensics research easier. Also, the test platform of these applications during the investigation is the up to date version of Android. The answers of the below questions were investigated in this study: • How does an application store data? New files of instant messaging applications were investigated and elaborated in Findings section based on their file type, e.g., database, xml, text, image, video or audio file. MD5 hashes of the files were calculated for two cases: (1) before copying the files to PC (on Android device) and (2) after copying the files to PC (on PC). Then, MD5 hashed compared with each other to verify integrity of files. • Is the stored data time stamped/encrypted? Artefacts were categorized depending on their file type and investigated whether they are encrypted or plaintext and if they were time-stamped. • Does the application store personal information of the users? It was found that profile information of a user such as age, name and last name, contact list of a user existed on the files; account details such as phone number, username, profile photo, Facebook token were stored by applications in database files and xml files in most of the cases. WhatsApp is a messenger application ranking the second most active users (over 1.5 billion monthly) in 2018 [16]. Thus, it is a widely analyzed application in terms of forensics. However, a detailed analysis of WhatsApp has not been conducted so far, and this study is an attempt to elaborate all parts of the application and provide as much information as possible. On the other hand, the latest version of WhatsApp (at this time of the research) which is 2.18.79 (released on 9 March 2018) is analyzed in this study on the Android version 6.0.1. It is determined while preparing literature review that analyzed latest version of 2.12.5x (released in April 2015) [17]. Version 2.12.5x does not have end-to-end encryption and live location. Even though Tango has 390 million registered users, it has not been thoroughly investigated and there is no enough research related to Tango. Sgaras et al. analyzed Tango on Android 2.3.5 and iOS operating systems. They declared that all of the Tango database files that contained encrypted content and artifacts were specified as N/A in the table of android logical extraction analysis. The version of the application could not be found in the research [42]. Walnycky et al. http://www.iaeme.com/IJMET/index.asp 931 editor@iaeme.com Forensic Benchmarking for Android Messenger Applications analyzed Tango in terms of network analysis [24]. It could not find any detailed information about how the analysis is done in forensic concept. In this study, it was identified that artifacts such as text messages, locations can be extracted from database files by decoding Base64 format. One of the possible reasons of obtaining artifacts is the root access to the Android devices. This method was applied by Tamma and Tindall for Tango version 3.13.128111 (release date 09 January 2015) [14]. Walnycky et al. mentioned about forensic analysis of Instagram Direct feature (version 6.3.1) in their study and could not find any data storage trace [24]. Another study that involves Instagram Direct was not found in literature review phase. The research in this paper can be regarded as one of the detailed analysis about Instagram Direct. Instagram version 37.0.0.21.97 was analyzed in this study. The focus of the study was messaging feature of the Instagram application called Instagram Direct, feed features were not examined. Exchanged text messages, videos and images, contacts’ details, Facebook token were extracted. Related artifacts were not encrypted. Viber Messenger has been studied commonly by forensics folks because of its large number of users. Viber released and developed end-to-end encryption with version 6 and security and privacy are emphasized especially after the version 6. Viber Messenger claims that Viber's security technology creates an environment where two devices communicate using a secret code instead of plain, understandable text. Only the sender and receiver devices have the key to decipher the code. Not even Viber can read and understand this code, and anyone who tries to hack or spy on this communication will not be able to understand it. Viber Messenger does not store any chat information on Viber’s servers once it has been delivered to the recipient [19]. It is determined that latest studies analysing the Viber Messenger application are covering previous versions. Dargahi et al. analysed Viber 4.3.3 version released in 2014 [17]. Azfar et al. analysed the version 5.0.2 released in 2015 [20]. Cahyani et al. analysed 6.0.1.13, but there has been found only limited information related to the artefacts [21]. Our study includes a comprehensive analysis of the data structure of the Viber Messenger with the version 7.9.6.30 released at the end of 2017. With distinctive features such as payment and official accounts, WeChat is one of the trend applications of forensics researchers to examine because of the effect of usage numbers of the application. Studies showed that WeChat application care the privacy more than most of the mobile messaging application. It is using Sqlcipher to encrypt its critical database files such as EnMicroMsg.db. Some proven methods on previous versions of WeChat applications installed previous version of Android were examined and applied but it is found that database files of WeChat 6.6.2 version on Android 6.0.1 are not possible to decrypt. New test platform was prepared to find out the root cause. First earlier version (6.2.2) of WeChat was installed, but WeChat did not permit to login without latest version. Then, latest version of WeChat (version 6.6.2) was installed on earlier version of Android (4.4.2). Same method applied and database file was decrypted successfully. It is showed that the encryption method of WeChat version 6.6.2 on Android Marshmallow is not same with previous version of Android. BiP Messenger is a newer instant messaging application compared to the other applications analyzed in this study. BiP Messenger has different features in addition to what traditional instant messaging applications provides such as sending secret messages, free SMS and MMS (even to a device that does not have BiP Messenger installed) and making translations between languages. It has been commonly used by Turkish users. Any research including BiP Messenger was not found on literature to the knowledge of the authors. Data structure and artifacts of BiP Messenger were shown in Findings Section. Artifacts of secret messages (feature to address privacy concerns includes that messages are being deleted after a certain amount of time) could not be found on the Android device. http://www.iaeme.com/IJMET/index.asp 932 editor@iaeme.com A Karahoca, D Karahoca and Selman Kasim Bağirici 5. CONCLUSION Privacy and security of users are taken into account more seriously day by day with the new laws being passed such as The General Data Protection Regulation (GDPR). It is a regulation in EU law on data protection and privacy for all individuals within the European Union Developers Applications [22]. It is a hot topic at the time of this study that Facebook has sold the data of its 1.5bn users [23]. These types of events are triggering the developers of the applications to design more secure applications. They are designing encrypted data structures, certificated based network traffics, restricted access to personal information etc. On the other hand, if the mobile phone was used as a criminal tool via installed messaging application, then it is a requirement to access data to solve and address the crime. This paper focused on both privacy and forensic analysis of the instant messaging applications. Future works would include a discussion of how an instant message application store the data while being secure enough and also allowing forensic analysis for criminal cases. A study about forensics analysis for the instant messaging applications requires continuity and consistency due to the fact that applications get updated each time a new feature is added. Hence, future works will include new versions of instant messaging applications. REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] eMarketer, 2017. http://www.emarketer.com/Chart/Average-Time-Spent-per-Day-withMajor-Media-by-US-Adults-2017-hrsmins/206481. Statista, 2017. https://www.statista.com/statistics/483287/change-of-mobile-messagingusers-worldwide/. Statista, 2016. https://www.statista.com/statistics/483255/number-of-mobile-messagingusers-worldwide/. Hoog, A., Android Forensics: Investigation, Analysis, and Mobile Security for Google Android, Waltham: Elsevier, 2011. Tamma, R. and Tindall, D. Learning Android Forensics, BIRMINGHAM: Packt Publishing Ltd., 2015, pp. 249-253. Nist, 08 05 2017. . Available: https://www.nist.gov/itl/ssd/software-quality-group/computerforensics-tool-testing-program-cftt. Oxygen-Forensic, "Oxygen-Forensic," 2017. https://www.oxygenforensic.com/download/articles/Oxygen_Forensic_DetectiveHow_to_connect_Android_devices.pdf. SANS, "SANS," 2015. https://digital-forensics.sans.org/community/downloads. Ayers, R., W. Jansen, and S. Brothers. "Guidelines on mobile device forensics (NIST Special Publication 800-101 Revision 1), 1, 85." (2014). Gartner, "Gartner," 2017. https://www.gartner.com/newsroom/id/3859963. [Accessed 2018]. Fossbytes, "Fossbytes," 2017. . Available: https://fossbytes.com/most-popular-androidversions-always-updated/. Mutawa, N. A. Baggili, I. and Marringto, A. "Forensic analysis of social networking applications on mobile devices," Digital Investigation, vol. 9, pp. 24-33, 2012. Developer.Android, "Developer.Android," 2017. . Available: https://developer.android.com/studio/command-line/adb.html. Tamma, R. and Tindall, D. Learning Android Forensics, BIRMINGHAM: Packt Publishing Ltd., 2015, p. 78. Kent, K. Chevalier, S. Grance, T. and Da, H. "Guide to Integrating Forensic Techniques into Incident Response," NIST, Gaithersburg, 2006. http://www.iaeme.com/IJMET/index.asp 933 editor@iaeme.com Forensic Benchmarking for Android Messenger Applications [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] Molla, R. "Recode," https://www.recode.net/2018/2/1/16959804/whatsapp-facebookbiggest-messenger-instagram-users. Dargahi, T. Dehghantanhab, A. and Con, M. "Forensics Analysis of Android Mobile VoIP Apps," Cornell University Library, 2017. Sgaras, C. Kechadi, M.-T. and Le-Khac, N.-A. "Forensics Acquisition and Analysis of instant messaging and VoIP applications," 2016. Viber, "Viber," 2018. https://support.viber.com/customer/portal/articles/2017401-vibersecurity-faq. Azfar, A., Choo, K.-K. R. and Liu, L. "An Android Communication App Forensic Taxonomy," Journal of Forensic Sciences, vol. 61, no. 5, 2016. Cahyani, N. D. W., Rahman, N. H. A. Glisson, W. B. and Choo, K.-K. R. "The Role of Mobile Forensics in Terrorism Investigations Involving the Use of Cloud Storage Service and Communication Apps," Springer, New York, 2016. General_Data_Protection_Regulation,Wikipedia,2018.https://en.wikipedia.org/wiki/General _Data_Protection_Regulation. Hern,A."Theguardian,"19042018.https://www.theguardian.com/technology/2018/apr/19/fac ebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law. Walnycky, D., Baggili, I., Marrington, A., Moore, J. and Breitinger, F. "Network and device forensic analysis of Android social-messaging applications," vol. 14, pp. 77-84, 2015. Vara Prasad, P.V., Sowmya, N., Rajasekhar Reddy, K. and Bala,P.J. Introduction to Dynamic Malware Analysis for Cyber Intelligence and Forensics, International Journal of Mechanical Engineering and Technology 9(1), 2018, pp. 10–21. Gyamfi, N.K., Nyamadi,M., Appiah,P. Katsriku, F. and Abdulai, J-D, A Brief Survey of Mobile Forensics Analysis on Social Networking Application. International Journal of Computer Engineering and Technology, 7(4), 2016, pp. 81–86. http://www.iaeme.com/IJMET/index.asp 934 editor@iaeme.com