Toward social media forensics through development of iOS analyzers for evidence collection and analysis

Summary

Social media usage in mobile phones has increased substantially in recent times, and they are a critically important source of a forensics investigation. In this paper, we have developed Python‐based forensic analyzers that are integrated with the open‐source tool Autopsy. The proposed analyzers find forensic artifacts from the three most widely used social media messaging applications, that is, WhatsApp, Instagram, and Facebook Messenger. This research focuses on finding forensic artifacts stored by these social media applications on an iOS device. These analyzers extract data critical for a forensic investigation such as text messages, media attachments, sender and receiver details, timestamps, contact information, and other related forensics data from the full file system image of iOS devices. These Python‐based plugins extract the required data from the social media applications' databases and present the evidential artifacts in a human‐readable format. We integrated these analyzers into the Autopsy Forensics tool and showcased the gathered evidence so that investigators are capable to analyze the extracted information effortlessly. The data integrity is maintained by converting it into readable form without permanently altering the database format. The results prove that the proposed analyzers can successfully extract and analyze forensics data at a low computational overhead.