unit 5

This chapter discusses the examination of Internet browsers, e-mails, messaging systems, and mobile phones as sources of digital evidence. It covers the processes of locating and recovering digital evidence from personal communications and browsing records, emphasizing the importance of these records in forensic investigations. Key topics include the recovery of browsing artifacts, e-mail analysis, and the challenges of mobile phone forensics.

Uploaded by akshu2k01
Copyright © All Rights Reserved
Chapter 8
Examining Browsers, E-mails, Messaging Systems, and Mobile Phones

This chapter looks at Internet browsers, e-mail and messaging systems, and mobile phones and other handheld devices, often considered to be rich sources of digital evidence. The processes of locating and recovering digital evidence relating to records of personal communications, including e-mails and browsing records stored on computer devices and telephonic communications stored on mobile phones, are described. You will appreciate the value of locating, extracting, and examining records of communications between persons of interest stored on computers and mobile phones, which are often a rich source of evidence. The chapter will provide you with a basic understanding of the following concepts:

+ The recovery of Internet browsing and search records and other messaging systems, including Skype and virtual private networks
+ E-mail analysis and the processing of large e-mail databases
+ Mobile phone forensics and the growing challenge of evidence acquisition from personal computing devices, including tablet and GPS devices

A range of Internet browsers are available for desktop and laptop devices as well as for tablets and other handheld devices, including Mozilla Firefox, Google Chrome, Microsoft Internet Explorer and, more recently, Microsoft Edge, Safari, and a range of others. The value of data stored as a result of using browsers is outlined in the next section and in the The growing challenge of evidence recovery from mobile phones and handheld devices section.

Locating evidence from Internet browsing

Information relating to the web-browsing activities of a user is often found stored as cookies, cache files, URL history, search terms, histories, and other files on the computer.
This forms an important part of many forensic examinations, as it can help reconstruct a suspect's online browsing behavior in relation to cases such as infringements of intellectual property, cybercrime, child pornography, and other serious crimes. The following subsections describe some of the basic features of web-browsing events that assist in crime reconstruction. They also outline the recovery of evidence from browser data, which may be done from unallocated space as well, providing the practitioner with an insight into private browsing activities.

Typical web-browsing behavior

Typical browsing activities involve searches for specific topics stored on websites, such as a person, event, organization, or e-mail or messaging account: virtually anything that the searcher is looking for. During the process of visiting or linking to a remote site there is, as per Locard's exchange principle, some exchange of data: traces are left behind and some are transferred to another device. The remote website may record some details of user visits to a varying extent. Web-based e-mail servers such as Hotmail and Yahoo! log account holders and often record their IP addresses at the point of accessing their accounts. This information is useful in reconstructing transgressions, even more so if it correlates with the device used by the account holder to sign in to an account. Gmail, for example, stores e-mail messages on its cloud server and not on local machines, so it is unlikely that much e-mail evidence will be recovered from these accounts, other than what may be in the transient RAM state. However, such e-mail accounts can now be synchronized and backed up into a Post Office Protocol (POP) client, a standard protocol to retrieve and manage messages from remote servers over an Internet connection. This results in messages being downloaded and stored on the local machine.
Windows 10 e-mail messaging similarly caches these messages on the local drive, thereby potentially assisting forensic recovery.

Browsing records are often cached on the user's local machine. For example, the default browser setting will record browsing activities in a number of different forms, most notably:

+ Cached folders storing HTML and multimedia files of webpages visited
+ History databases of webpages visited and, to some extent, the date and time of a range of occasions on which an individual webpage was visited
+ A database record of searches made using applications such as Google and Bing
+ Cookie stores that record websites visited and the timestamps of each visit
+ Records of online accounts visited by users
+ E-commerce activities, including e-banking records and accounts

Forensic tools process common file types that could contain useful evidential material. Many of these small database files require deconstruction, including history databases and image thumbnail database .db files, index.dat and other such files that record Internet history, and so forth.

The following table shows a collection of image and Shockwave files recovered from the Firefox default cache and a default temporary folder located on a suspect's laptop. This information formed part of the evidence to bring charges against the suspect and helped establish browsing activities during a relevant period relating to the main charge. The table shows recovered image and media files from the browser cache and the default temp folder.
Name | Type | Path | Created | Modified | Accessed
[unreadable] | jpg | \Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\7yyxpi99\Cache | 17/07/2015 5:54 | 17/07/2015 5:54 | [unreadable]
[unreadable] | jpg | \Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\7yyxpi99\Cache | 17/07/2015 5:49 | [unreadable] | [unreadable]
[unreadable] | [unreadable] | \Documents and Settings\User\Local Settings\Temp\ | [unreadable] | [unreadable] | [unreadable]

In the following table, the first image file, which had been deleted, has been recovered from a cache folder. Its previous location is unknown, but the file does provide some potentially useful timestamps. The remaining deleted files have no location or timestamps, but they do have a hashed filename and signature that may be used for comparison with other files recovered on the device. The file-carving process recovered these files from sectors, which could be examined in more detail to attempt to discover more about their antecedents. Without some form of corroboration, the evidentiary weight of this evidence is weakened. The table shows the deleted files recovered from unallocated space, recording the filename and, on one occasion, timestamps:

Name | Type | Path | Created | Modified | Accessed
[hashed name unreadable].jpg | jpg | \Path unknown\Cache | 23/08/2014 (time unreadable) | 23/08/2014 (time unreadable) | 23/08/2014 (time unreadable)
00045.jpg | jpg | \Path unknown\Carved files | | |
00676.jpg | jpg | \Path unknown\Carved files | | |
00352.jpg | jpg | \Path unknown\Carved files | | |
00873.jpg | jpg | \Path unknown\Carved files | | |
00700.jpg | jpg | \Path unknown\Carved files | | |
01452.jpg | jpg | \Path unknown\Carved files | | |
(four further carved .jpg files, names unreadable in the scan) | jpg | \Path unknown\Carved files | | |

The following table shows some .db database files holding traces of images that existed in a folder at an unknown location on the device. There are no timestamps, although the naming convention of the files suggests two dates in August 2015 when they may have been created or accessed.
The reliability of this data obtained by the X-Ways Forensics tool is probably insufficient for this evidence to be considered admissible without some other sound corroboration.

Name | Type | Path | Created | Modified | Accessed
Thumbnail.jpg | jpg | \Path unknown\Carved files\[prefix unreadable] 2015-08-13 02:15:03.jpg | | |
Thumbnail.jpg | jpg | \Path unknown\Carved files\[prefix unreadable] 2015-08-22 05:22:04.jpg | | |

The following screenshot shows URLs and keyword search history files recovered from a laptop computer. This information was used to reconstruct the suspect's browsing activities and the nature of the search terms used as part of online crime activity. The spreadsheets extracted from the database provided timestamps, details of websites visited, and search terms used as part of the commissioning of the offense:

[Screenshot: Recovered spreadsheets deconstructed from the browser database showing a range of browsing activities]

Recovering browsing artifacts from slack and unallocated space

Using ILookIX's indexing of unallocated sectors will index the raw sector contents of each sector not assigned to a file or folder. The following screenshot shows the result of a search for the term tightvnc in an attempt to explore the possibility that this remote-access program may have been used to compromise the desktop computer.
116 hits in the file slack were recovered, with a further 423 file hits being recorded, thereby shedding much more light on a remote attack against the device:

[Screenshot: Search hits recovered in files and file slack sectors]

A sample of recovered sectors containing traces of the search terms, or hits, is shown in the following screenshot. Note that there are no timestamps for this data, and what is shown is the date the practitioner extracted the traces after free and unallocated space on the forensic image was indexed. In many instances, not all of the data is readable, even using the inbuilt hex editor; there is often an absence of timestamps and of the original file location. In this instance, BitTorrent activity was recovered, providing details suggesting the suspect used the BitTorrent peer-to-peer protocol to download media from other torrent users. In this example, the timestamps of some of the activity are clearly visible, as well as the nature of the media being downloaded:

[Screenshot: Search hits recovered in files and file slack sectors]

In this example, data was recovered from file slack sectors using the term search terms. One of the hits shown in the following screenshot provided details of the drive sector and contiguous sectors where the record was held. Data carving of the sectors may provide a partial reconstruction of the data, but unless some timestamp is included in the body of the information, analysis of temporal data would be guesswork at best:

[Screenshot: Properties of recovered Internet browsing from slack space]

By opening this data, it was possible to glean some important information. The following screenshot highlights a website visited to delete a Skype account.
This information was commensurate with the suspect's presumed attempt to delete the account to prevent future investigation of illegal activities involving communication with organized crime personalities:

[Screenshot: recovered sector data including a google.com.au search for "delete skype" and the page title "skype - Google Search"]
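Both sources contrasted in this section, the browser's history database and keyword hits in unallocated or slack sectors, can be worked through in code. The following Python is an added example, not code from the chapter or from ILookIX or X-Ways Forensics. It builds a constructed Firefox-style history database (the moz_places/moz_historyvisits tables and PRTime microsecond timestamps follow Firefox's layout; the URLs and visit times are invented), converts the timestamps and pulls search terms out of Google and Bing query strings, then runs a keyword search over a constructed 64-sector raw image with an assumed 512-byte sector size and allocation map, separating file hits from unallocated hits and recording that carved hits carry no timestamp of their own.

```python
import re
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

SECTOR = 512                          # assumed sector size for the sample image
SEARCH_HOSTS = ("google.", "bing.")   # engines whose ?q= parameter is a search term


def prtime(dt):
    """Firefox stores visit_date as PRTime: microseconds since the Unix epoch (UTC)."""
    return int(dt.timestamp() * 1_000_000)


def build_sample_history():
    """Constructed places.sqlite-style database; rows are invented, not case data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (place_id INTEGER, visit_date INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://www.google.com/search?q=tightvnc+download",
         "tightvnc download - Google Search"),
        (2, "https://www.bing.com/search?q=delete+skype+account",
         "delete skype account - Bing"),
        (3, "https://login.skype.com/delete-account", "Skype - Close your account"),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?)", [
        (1, prtime(datetime(2015, 8, 13, 2, 15, 3, tzinfo=timezone.utc))),
        (2, prtime(datetime(2015, 8, 22, 5, 22, 4, tzinfo=timezone.utc))),
        (3, prtime(datetime(2015, 8, 22, 5, 23, 40, tzinfo=timezone.utc))),
    ])
    return conn


def search_term(url):
    """The q= parameter for known search engines, else None."""
    parts = urlparse(url)
    if any(host in parts.netloc for host in SEARCH_HOSTS):
        return parse_qs(parts.query).get("q", [None])[0]
    return None


def extract_history(conn):
    """Visits in time order, with PRTime converted to ISO 8601 UTC."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date""")
    out = []
    for visit_date, url, title in rows:
        when = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
        out.append({"visited_utc": when.isoformat(), "url": url,
                    "title": title, "search_term": search_term(url)})
    return out


def _put(img, pos, data):
    """Overwrite bytes in place without changing the bytearray's length."""
    img[pos:pos + len(data)] = data


def build_sample_image():
    """Constructed 64-sector raw image and the set of sectors allocated to files."""
    img = bytearray(SECTOR * 64)
    _put(img, 2 * SECTOR, b"readme: TightVNC server installed last year")   # live file
    _put(img, 20 * SECTOR + 100, b"https://www.google.com/search?q=tightvnc+portable")
    _put(img, 41 * SECTOR - 6, "tightvnc".encode("utf-16-le"))  # straddles sectors 40/41
    return bytes(img), {2, 3, 4, 5}


def search_image(image, allocated, term):
    """Keyword hits split into file hits and unallocated/slack hits, the way an
    indexer of unallocated sectors reports them. Carved hits have no timestamp."""
    hits = {"file": [], "unallocated": []}
    for enc in ("ascii", "utf-16-le"):
        for m in re.finditer(re.escape(term.encode(enc)), image, re.IGNORECASE):
            first, last = m.start() // SECTOR, (m.end() - 1) // SECTOR
            bucket = "file" if first in allocated else "unallocated"
            hits[bucket].append({"sector": first, "offset": m.start() % SECTOR,
                                 "encoding": enc, "spans_boundary": last != first,
                                 "timestamp": None})
    for bucket in hits.values():
        bucket.sort(key=lambda h: (h["sector"], h["offset"]))
    return hits


if __name__ == "__main__":
    for row in extract_history(build_sample_history()):
        print(row)
    print(search_image(*build_sample_image(), "tightvnc"))
```

The search reports hits that straddle a sector boundary and strings stored as UTF-16LE (the form many Windows artifacts take), which is why a plain ASCII read of the hex view can undercount; and every unallocated hit carries timestamp None, matching the caveat above that only the history database, not carved sectors, dates the activity.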

[Screenshot: Email property sheet]

Attachments to e-mail messages can be viewed by displaying the messages in the E-Mail List and then selecting the File List. Each message will have an icon associated with it in the leftmost column by default. This icon is either an envelope, to denote an e-mail message with no attachment, or a paper clip, to denote a message with a file attachment, as shown here:

[Screenshot: Checking e-mail attachment status]

This will show all the files attached to the messages and allow the practitioner to work with them as a group, but it does not show the specific source of each attachment. By selecting the E-Mail List, the practitioner has more options for viewing attachments in the context of the messages to which they were originally attached:

[Screenshot: Viewing e-mail attachments]

In addition, the attachment column shows the number of attachments for each individual message:

[Screenshot: Headers, attachments, and e-mail body]

ILookIX can also group and filter messages in the E-Mail List. Grouping allows the practitioner to take all messages displayed and group them by a single column. This can save time and enhance the cataloging of relevant evidence as the practitioner works through evidence selection:
[Screenshot: Cataloging e-mail evidence of potential relevance]

E-mail messages can be included in the same categories as files or in separate categories specifically created for correspondence, as determined by the practitioner. Whole e-mail stores or subfolders therein can be added to categories by selecting the store or folder in the e-mail explorer and selecting Save Messages to My Categories:

[Screenshot: Categorizing e-mails of potential relevance]

The categorized file(s) may be viewed in the Category Explorer, where they are collated for convenient access:

[Screenshot: Good housekeeping by cataloging evidence of value during the selection process]

Recovering and analyzing e-mails from larger datasets

As outlined in Chapter 5, The Need for Enhanced Forensic Tools, the ISeekDiscovery automaton is a distributed collection tool that captures electronically stored information (ESI) from unlimited populations of computers and digital storage. Unlike other tools, it harnesses its patented technology to use each targeted machine for processing with minimum impact on the user of that computer.
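The attachment count, the envelope/paper-clip status and the group-by-column view described for the E-Mail List above can be reproduced outside the tool with the Python standard library, which is useful when checking a tool's output against the raw messages. The following is an added example, not ILookIX code; the three messages, their senders, dates and attachment names are constructed for the demonstration.

```python
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage


def _build(sender, subject, date, body, attachments=()):
    """Construct one RFC 5322 message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"       # constructed address
    msg["Subject"] = subject
    msg["Date"] = date
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def sample_messages():
    """Three constructed messages with zero, one and two attachments."""
    return [
        _build("john.richards@example.invalid", "Meeting",
               "Sun, 04 Mar 2012 07:07:31 +0800", "Are we meeting?"),
        _build("r.smith@example.invalid", "Figures",
               "Sun, 27 May 2012 06:54:08 +0800", "Attached.",
               [("figures.xlsx", b"PK\x03\x04 constructed placeholder")]),
        _build("john.richards@example.invalid", "Scans",
               "Mon, 28 May 2012 09:12:00 +0800", "Two scans.",
               [("scan1.pdf", b"%PDF-1.4 constructed"),
                ("scan2.pdf", b"%PDF-1.4 constructed")]),
    ]


def summarize(raw_messages):
    """One row per message, like the E-Mail List: headers, attachment names,
    attachment count and the icon the count implies."""
    rows = []
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        # iter_attachments() skips the body part(s) and yields the attachments.
        names = [part.get_filename() for part in msg.iter_attachments()]
        rows.append({"from": str(msg["From"]), "subject": str(msg["Subject"]),
                     "date": str(msg["Date"]), "attachments": names,
                     "count": len(names),
                     "icon": "paper clip" if names else "envelope"})
    return rows


def group_by(rows, column):
    """Group the displayed rows by a single column (e.g. 'from')."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[column]].append(row)
    return dict(groups)


def all_attachments(raw_messages):
    """The File List view: every attachment as a flat list, which is convenient
    for bulk work but loses the message each file came from."""
    return [name for row in summarize(raw_messages) for name in row["attachments"]]


if __name__ == "__main__":
    for row in summarize(sample_messages()):
        print(row["icon"], row["count"], row["from"], row["subject"])
    print(group_by(summarize(sample_messages()), "from").keys())
```

Keeping the per-message rows (summarize) alongside the flat list (all_attachments) is the point of the two views above: the flat list is what you hash and triage as a group, the rows are what let you attribute each file to a sender, subject and date.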
ISeekDiscovery greatly improves ESI collection and has been enhanced for use by forensic examiners to enable live acquisition of data that traditional digital forensic tools would be unable to capture remotely in large-scale networks (including RAM and Windows Registry data).

To reiterate, the automaton only requires access to the device and appropriate design of the configuration file; it collects only the evidence needed, thereby making endpoint analysis less daunting because of the smaller size of the dataset, which enhances filtering and searching for evidence. However, the extracted data may still be large and require substantial post-recovery processing.

The 32-bit and 64-bit APIs provided by XtremeForensics allow users to make use of companies' servers to extract large datasets from an ISeek evidence container file. This is a relatively simple process of opening the application and logging on to our server, which then allows ISeekExtractor to commence the operation. The extraction process provides a number of extraction style options:

+ Original folders and filenames, discarding metadata
+ Original folders and filenames, adding .xml metadata
+ Numbered files with metadata in a .xml index

The API can be initialized in minutes using Dynamic Link Library (DLL) files and guided to facilitate the expeditious and secure transport of all captured data in an ISeekExplorer container into:

+ Any database or review system intended for a basic review platform in current use
+ Another file format suitable for import to any other system

This is especially time-saving when large sets of data have been captured from extensive network servers.

Searching for scanned files

Searching for scanned images may be done using the Portable Scanned Images tool provided by ILookIX, shown in the following screenshot.
Locating scanned objects can be helpful in identifying those documents that cannot be indexed and searched because, during the scanning process, they were not converted using optical character recognition (OCR) to allow them to be indexed as text documents. These files may contain relevant information and so they may require manual viewing, or conversion through OCR processes if the number is too large. The process is also useful for determining the provenance and authenticity of documents relating to forgeries and deception:

[Screenshot: Recovered scanned files ready for manual inspection]

The growing challenge of evidence recovery from mobile phones and handheld devices

Digital evidence may come from a range of devices, including mobile phones, GPS navigation devices, printers, digital cameras and video recorders, voice recorders, Kindles, home security devices, motor vehicle computers, Xbox and Wii players, black-box flight recorders, and digital watches. Mobile phones and other handheld devices store users' personal information, including call history, Internet browsing records, file downloads and uploads, geographical locations, text messages, e-mails, multimedia files, contact lists, calendar events, and private information. They also record the position of users if they have the positioning setting activated: all in all, a considerable amount of data that may assist an investigation. For example, stored information may reveal details of the user's contacts and details of their communications relating to some transgression, as well as an insight into their motivation and mindset.
The following screenshot shows a report of items and deleted items regarding the activity of the phone user, including messages, calls, locations, and browsing activities:

[Screenshot: A general forensic report of mobile phone accounts and files]

However, mobile phones pose challenges to the forensic practitioner, especially with the rapid development of new phone types and operating systems with increased reliance on protection and encryption that effectively challenges evidence recovery. The rapid growth of mobile phones using different hardware and operating systems has made it difficult to develop a single process or tool to address all eventualities. In addition to a growing variety of smartphones and platforms, including Android, BlackBerry, Apple iPhone, and Windows Mobile, there is a staggering range of inexpensive phones using legacy systems. The following section provides an outline of evidence recovery from mobile phones.

Extracting data from mobile devices

Evidence of different types of files is stored in mobile phones and may be found in several locations, including device memory, detachable memory such as SD cards, and removable SIM cards. Each mobile phone is provided with a usually unique identifier known as the International Mobile Station Equipment Identity (IMEI) to uniquely identify a broad range of mobile phones. The unique number is normally printed inside the battery compartment or on the outside casing of the phone. It is also stored inside the embedded memory of the phone and, from there, may be displayed on the screen and recovered using forensic tools. The IMEI identifies and validates the phone hardware to a GSM network to prevent stolen phones from accessing that network. The IMEI is an important record of a phone's use and identity.
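Because the IMEI is recorded in several places (the label in the battery compartment, the phone's own memory, the tool's report), a practitioner will want to confirm that a transcribed value is well formed and that the copies agree before relying on it. The following Python is an added example, not part of the chapter or of any forensic tool: it checks the 15-digit length and the Luhn check digit that the IMEI format carries, splits out the type allocation code (TAC) and serial, and compares two transcriptions. The IMEI values used are constructed samples, not real devices.

```python
import re


def luhn_valid(digits):
    """Luhn check over a digit string: double every second digit from the right,
    subtract 9 from any doubled value above 9, and require a sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """The single digit that makes payload + digit pass the Luhn check."""
    return next(d for d in range(10) if luhn_valid(payload + str(d)))


def parse_imei(value):
    """Normalise a transcribed IMEI (spaces and dashes dropped), then verify
    its length and check digit and split it into its fields:
    TAC (8 digits), serial number (6 digits), check digit (1 digit)."""
    digits = re.sub(r"[\s-]", "", value)
    if not re.fullmatch(r"\d{15}", digits):
        return {"input": value, "valid": False, "reason": "IMEI must be 15 digits"}
    expected = luhn_check_digit(digits[:14])
    ok = int(digits[14]) == expected
    return {"input": value, "imei": digits, "valid": ok,
            "tac": digits[:8], "serial": digits[8:14], "check_digit": digits[14],
            "expected_check_digit": str(expected),
            "reason": None if ok else
            "check digit mismatch (transcription error or altered label)"}


def same_device(first, second):
    """True only when both transcriptions are valid IMEIs and identical."""
    a, b = parse_imei(first), parse_imei(second)
    return a["valid"] and b["valid"] and a["imei"] == b["imei"]


if __name__ == "__main__":
    # Constructed sample values, not real handsets.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imei("490154203237519"))
    print(same_device("49-015420-323751-8", "490154203237518"))
```

A check-digit failure does not by itself prove tampering: a misread label is the usual cause, which is why the result reports the expected digit so the practitioner can go back to the physical device or the tool report and re-read the number.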
In the following screenshot, the XRY Micro Systemation forensic tool has extracted general information about an iPhone 4, including its IMEI number. The SIM identification number is recorded at the bottom of the report:

[Screenshot: Forensic report of an iPhone 4 showing the basic device settings]

Subscribers are identified by another unique identifier, the IMSI number stored on the SIM card, which identifies and authenticates GSM subscribers. This assists a practitioner liaising with the telephone network to obtain billing information, locations of calls, and contacts, all potential evidence.

Among practitioners, it is considered best practice to document the manual and technical processes used to access and recover evidence from mobile phones and to minimize any loss of or changes to data. Android and Apple phones, and a host of others, store a significant amount of user information in SQLite databases, information which sometimes remains on the device after other information has been deleted. This can be a useful source of information, and forensic tools often recover a broad range of file types, including databases. In the following screenshot, the mobile forensic tool NowSecure Mobile Forensics was used to recover information from an Android mobile phone. These new-generation tools organize the examination into a project so that all the recovered data is cataloged and may be analyzed with simple-to-use graphic interfaces:

[Screenshot: Creating a forensic case in NowSecure Mobile Forensics]

The device under examination is a late-model Android and cannot be rooted to extract a physical dump, as shown in the following screenshot:
[Screenshot: Options available to recover data from an Android phone]

A logical extraction or backup of the device is available for analysis, and in this instance, a backup of the device was selected:

[Screenshot: Preparing the forensic examination and inserting case details; the extraction type selected is an Android backup (adb backup of the target device), with the evidence time zone set to Australia/Perth (+0800) and a warning that extractions from high-capacity devices can take up to a few hours]

Once the extraction is complete, the practitioner may select from a range of recovered categories of items, as shown here:

[Screenshot: Directory in NowSecure Mobile Forensics of recovered data from an Android phone, listing categories including audio, calendars and calendar events, call log, downloads, e-mail accounts, files, image thumbnails, images, logs, videos, installed packages, Wi-Fi details, browser bookmarks, browser history, carved data, and a filesystem browser]

In the following instance, an array of Internet browsing activity showing the title of the webpage, URLs, and timestamps is available to the practitioner:
[Screenshot: Recovered webpages, including titles, URLs, and timestamps]

In the following screenshot, a list of downloaded files and the originating websites is shown with the associated timestamps:

[Screenshot: Downloaded files, their originating websites, and timestamps]

In the next screenshot, the tool has recovered video and music files located on the external SD card housed in the phone:

[Screenshot: View of data recovered from an attached SD card]

A range of different applications were installed on the phone, and some of those can be seen in the following screenshot:

[Screenshot: Details of applications installed on an Android phone and the dates of their installation]

In the following crime simulation, XRY Micro Systemation has recovered some chat messages of an incriminating nature:

[Screenshot: Record of SMS conversations, which can be traced back to caller and sender phones]

E-mail may also be recovered from mobile phones, and the following simulation shows some communications between the suspect and his wife:

[Screenshot: Record of e-mail and content recovered from an Android phone]

General information about the suspect's iPhone 5 was recovered and reveals the IMEI and International Mobile Subscriber Identity (IMSI) numbers and general information about the phone:

[Screenshot: General information obtained from an iPhone 5]

In the following screenshot is a Google Map extraction, showing the specific location of the mobile phone on 23/12/2012. In this simulation, it was possible to track the phone at its location in Western Australia and then to another destination in Victoria on the eastern Australian seaboard.
These records can be triangulated, with telco information being recorded of the location of the device as it passes each cell tower while it is active. Records of its location when making and receiving calls can also be obtained:

[Screenshot: Recovered map showing the location of the phone]

In the following screenshot, a new location has been recorded, showing the position of the phone approaching a major road intersection:

[Screenshot: Recovered map showing the location of the phone during transit]

The following table is an extract of chat messages recorded on a phone that was used to rebut an allegation of rape by the spouse. It served as a record of conversation between the two parties showing a greater degree of friendliness and empathy than the victim had previously disclosed. The case was dismissed in a lower court:

Message | Status | Folder
Hey | Read | Inbox
Wup for a phone call | Sent | Sentbox
I'm home now doing ok | Read | Inbox
How far away r u now? | Sent | Sentbox
Yes but will be coming straight back | Sent | Sentbox
Wat do u have 2 go back to moro? | Read | Inbox
Dont know probably could do tha couple days rest | Sent | Sentbox
(The table also carries a Time column of 2011 dates with UTC times and a Deleted column; both are unreadable in the scan.)

Chat messages between spouses used as alibi evidence

In the following extract from a civil case over a disputed will, one chat message between the deceased and her spouse and a number of voicemail notifications recorded on the Nokia mobile phone were recovered. Regrettably, the phone did not provide any further information to assist either party to the dispute:

Message | Time | Direction
hope racing's fine, well just letting u no [remainder unreadable] | 19/08/2010 3:27 PM (+08:00) | Incoming
New voice message(s). | 19/08/2010 5:31:57 PM (+08:00) | Incoming
[prefix unreadable] New voice message(s). | 5/08/2010 11:00:25 AM (+08:00) | Incoming
[prefix unreadable] New voice message(s). | 30/07/2010 3:32 PM (+08:00) | Incoming
(The remaining columns, including message type and deletion status, are unreadable in the scan.)

Chat messages and voicemail notifications relating to a civil dispute over the deceased's will
