Mobile Devices

Forensic Analysis Of Third Party Applications: Instagram

by Nor Zarina Binti Zainal Abidin

Abstract

Forensic analysis of mobile phones’ third party applications is a new area that needs to be explored. There are a lot of third party applications available in App store.

Mobile forensic software tools basically extracted typical mobile phone data such as contact numbers, text messages and call logs. These tools overlook information saved in third-party apps. Many third-party applications installed in Apple mobile devices leave forensically relevant evidence or information available for investigation. Potential evidence can be held on these devices. This information can be made readily available to law enforcement through simple and easy-to-use techniques. This paper focuses on conducting forensic analysis on Instagram which is a widely used social networking application on smartphones. The tests were conducted on the most popular smartphones: iPhones.

1. Introduction

1.1 Apple Device

iPhone is the most favored Apple product since it was launched in 2007. Apple is the pioneer in Smartphones as they reinvented the mobile phone into what it is today. iPhone uses Apple’s iOS as an operating system. The iOS architecture is layered and consists of four abstraction layers. The functions of all applications that have been installed in iPhone will be determined by these layers. iPhones have their own default applications installed in the phone but users also can select third party applications of their choice and install them on the device. The applications can be downloaded from the App Store using the user’s Apple ID.

1.2 Instagram

Instagram is one of the social networking applications that are available for almost all smartphone platforms and operating systems. It is a widely used and universal application.

Instagram is available for free in the App Store. Users can upload photographs and short videos, follow other users’ feeds and geotag images with longitude and latitude coordinates, or the name of a location. The users can either share their Instagram account to public or keep it as private. Users can connect their Instagram account to other social networking sites, enabling them to share uploaded photos to sites such as Facebook, Twitter, Tumblr and Flickr.

The main purpose of this research is to identify various data security issues in social networking applications on the iOS platform which aid in forensic investigations. Information is stored in different formats at varied locations on the phone. Our aim is to summarize a general methodology to gather valuable information, so a standard investigation process can be followed for all similar applications.

2. Methodology

The main purpose of this research is to determine whether activities performed through smartphone social networking applications are stored on the internal memory of the device and what kind of data that can be extracted or recovered from the device. Prior to conducting the experiments, the device needs to be connected to the internet.

All activities were done and recorded. When the activities were done, we disabled the Wi-fi connection and a forensic workstation was set up and configured. Once the forensic workstation was ready, the device was switched on with flight mode to isolate any signal from the device. Then, all data were extracted using forensic tools. The following is a list of device, software and tools used for this forensic examination:

• iPhone 5s
• Model: A1530
• iOS 7.1.1
• Non-jailbroken phone
• Installed with Instagram version 6.9.2
• XRY version 6.13.1

Forensic Analysis on third party application Instagram.pdf

3. Result

 

 No. Performed Activities Description / Findings
 1. Login to Instagram with
username zarinazainal_
• Found username ‘zarinazainal_’ with
Instagram’s ID number in ‘recent-users’
plist file• No login logs were found
 2.  Enter Instagram password  • No records of Instagram password
 3. Choose picture to be uploaded  • N/A
4. Edit the picture using one of
Instagram’s filters
• The edited pictures will be saved in
Instagram folder inside iPhone Photos
Album• The post could not be found
 5. Create caption and hashtag for
the edited picture
• No Instagram caption was found in the
exhibit• Recent visited and used hashtag can be
found under ‘visited hashtag’ in the plist
file
6. Linked the picture to Facebook
account
 • Found facebook_user_info key
(encrypted) with Facebook user ID and
Instagram’s account name that has been
used to upload the picture in
‘com.burbn.instagram’ plist file
 7. Post the picture  • The date when the pictures were uploaded
is the same as the creation date• Hash value for the pictures is different
from the original pictures

• Software used (Instagram) will be shown
in the metadata

• The original created date (including
modified & accessed) remains in the
metadata

• Date and time is based on device time

• Other metadata (location, coordinates)
remains

 8. Follow other Instagram
accounts
• Found the username and Instagram’s ID
number for Instagram accounts that have
been followed by ‘zarinazainal_’ in
‘recent-users’ plist file
 9. Invite followers • Found the username and Instagram’s ID
number for Instagram account that has
followed ‘zarinazainal_’ Instagram
account in ‘recent-users’ plist file
 10. Make comments on other
pictures/post
• No comment made by user was found
unless the comments were made to the
latest status, as XRY extracts the 10 latest
pictures with comments (if any) under
‘Status Update’ tab• Instagram stores the cache files of the
pictures seen
 11.  Followers’ comments on your
pictures
• No comment made by the followers was
found unless the comments were made to
the latest status as XRY extracts the 10 latest
pictures with comments (if any) under
‘Status Update’ tab
 12. Delete pictures that have been
posted
• If the pictures have been deleted from the
Instagram, the edited pictures will remain
in the Instagram folder inside iPhone
Photos Album• No indication or records of deleted post
found
 13. Upload another picture
without editing
• No evidence or trace that the picture has
been uploaded to Instagram• The post could not be found

4. Future Work

• Extract data from another platform or operating system such as Android, Blackberry and Windows.
• Need to extract data from jailbroken iPhone or rooted Android phone, to identify what kind of data that can be extracted

5. Conclusion

There is no strong evidence to show that the exhibit has been used to post or upload pictures to Instagram. From the analysis, the Instagram account found in the phone could not be proven that it has been used to login as administrator. No registration details such as email and password were found in the device.

Nor Zarina Binti Zainal Abidin is a senior analyst at CyberSecurity Malaysia, an agency that encourages digital forensics professionals to work together to harness the power of information networks.

About scar

Scar de Courcier is an assistant editor at Forensic Focus.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 995 other followers

%d bloggers like this: