Forensic Analysis of Bip
To cite this article: Erhan Akbal, Ibrahim Baloglu, Turker Tuncer & Sengul Dogan (2019): Forensic
analysis of BiP Messenger on android smartphones, Australian Journal of Forensic Sciences, DOI:
10.1080/00450618.2019.1610064
1. Introduction
Nowadays, instant messaging applications are the most preferred communication tools
for mobile users worldwide.1-3 The most important reason for this is that they can transmit
not only text but also multimedia messages, for instance image, audio and video
content, at the same time. No matter the distance, people can share multimedia
messages and video chat with contacts free of charge via phones that have internet access by
using instant messaging applications.2-4 Instant messaging applications are also
utilized as criminal tools because of their widespread usage and because identifying
the actual identity of the user has become very difficult compared to conventional tools
of communication.5 Therefore, the analysis of instant messaging programs has become
a very important research area for mobile forensics.
The BM application was developed by Lifecell Ventures Cooperative U.A and was
launched on 20 June 2016. All Turkcell subscribers can use it. According
to the statistics for 2017, its 10 million users sent more than 100 million
messages a day on average.6 BM contains various features such as sending captures,
sending vibrations, time-set messages, video chatting and sending money. In addition,
features such as self-destructive messaging in particular have
attracted the attention of criminals and led researchers to carry out various studies
in this field.7-9 The data obtained from BM are very important in many investigations, as
is the case with similar messaging applications.10,11
BM stores a large amount of encrypted and unencrypted data in the storage area of the mobile
device. Because Android devices are widely used, law enforcement often encounters
BM on an Android device. There is no study about mobile forensic analysis of
BM in the literature. Hence, it is necessary to determine what kind of effects and
information are left in the application by users. Many studies about mobile forensics have
been proposed in the literature. A few selected state-of-the-art works on mobile
forensics for instant messaging applications are as follows. The ChatSecure instant
messaging application was analysed on Android smartphones by Anglano et al.12 In this study,
the artefacts of ChatSecure were presented in terms of database/table location, folder/table
structure and contact lists. An analysis of WeChat on Android smartphones was presented by
Wu et al.13 They presented the WeChat encrypted messages database, data tables, data
acquisition paths, communication methods and user information for different versions.
Telegram Messenger, an instant messaging application, was analysed by Gregorio
et al.14 The Telegram Messenger analysis was given in terms of digital forensics for Windows
Phone. In their study, open knowledge, analysis of artefacts and source code were used
for this analysis. By using open knowledge, the explanation and meaning of the databases
and messages were extracted, and artefacts were obtained using this knowledge. Also,
they analysed this app using source code and reverse engineering. Kik Messenger
(v9.6.0) was analysed by Ovens and Morison.15 The obtained artefacts were elaborated in
terms of database/table content and data structure on iOS platforms. Anglano16 presented a
WhatsApp Messenger analysis. Forensic acquisition of the artefacts was given on Android
platforms for contact information (blocked, deleted), messages, chat history, settings and
preferences, and group information. Norouzizadeh Dezfouli et al.17 investigated forensic
analysis of the Facebook, Twitter, Google+ and LinkedIn social networking applications.
Forensic analysis was performed on iOS and Android devices and the obtained artefacts
were compared for these devices. Forensic artefacts were given for login information,
user profile information, uploading posts, messaging and uploading comments on Android
and iOS platforms.
The main objectives of the proposed BM forensic analysis methodology are as
follows. The first objective is to display all of the data. The second is to construct
cases and an analysis methodology. The third is to obtain the correlation of the results.
The characteristics and contributions of this study are: (1) We present a methodology
for how to do a forensic analysis of the application running on the Android operating
system. (2) The completeness and integrity of the BiP data are checked using the
presented analysis methodology. (3) The proposed forensic analysis methodology
extracts all artefacts of BM from a mobile device. (4) The relationships between the storage
format, communication protocols, extracted data and databases are obtained. (5) BiP is
an Android messaging application and, as far as we know from the literature, this study is
the first article about digital forensic analysis of this application.
AUSTRALIAN JOURNAL OF FORENSIC SCIENCES 3
In this paper, a mobile forensics methodology for BM is presented. The rest of the
paper is organized as follows. In Section 2, the methodology and the tools used are shown for BM.
In Section 3, the analysis process of BM in terms of digital forensics is performed. Results
and evaluation are presented in Section 4.
Figure 1. The block diagram of the proposed mobile forensics analysis methodology.
4 E. AKBAL ET AL.
mobile forensics software, for instance Oxygen Forensic, XRY and Paraben, doesn’t support
BM. Even if some tools can be used at the examination stage, they don’t share any
information about how their processes are carried out and they don’t offer any content that
correlates the different pieces of evidence with each other. Hence, it is not possible for
examiners to assess the completeness and correctness of the results. In this study, it will
be possible to evaluate the accuracy of the examinations by revealing all behaviours of
BM on an Android device.
BM offers a variety of communication formats to users. These are sending messages,
audio communication, video calls, geographical data sharing, multimedia sharing,
sending money via credit card, location tracking and business card sharing.1,2,18
The steps of the proposed analysis methodology are summarized as follows. Firstly,
BM data are extracted from the Android device. Then, the communication protocol
information is extracted to decrypt the encrypted chat messages database and to determine
how the time-set messages are stored. Also, reverse engineering is utilized for permissions.
BM stores its databases in the root directory, unlike other widely used instant
messaging applications, for instance WhatsApp. The databases of BM do not hold
encrypted data, and this is demonstrated using mobile forensic examinations. In
the 3rd step, the permissions of BM are obtained; information about users is retrieved
from BM in the 4th step. Contact information is obtained in the 5th step. The information
of the extracted messages is obtained and these messages are analysed in the 6th step.
Finally, the log analysis of BM is performed in the 7th step.1,2,19
isn’t possible to access the databases which store the user chat and activities. When the
root directory on the rooted device is examined, it is seen that the BM is stored under
the ‘data/data/com.turkcell.BiP’ directory and has the structure shown in Figure 4.
In order to access the hidden areas, “View hidden files” option should be enabled in
the phone’s options. Otherwise, hidden files cannot be displayed. The directory contents
tree of the BM is also shown in Figure 4.
As shown in Figure 4, communication and activities between users are stored in the
‘tims.db’ database located under ‘data/data/com.turkcell.BiP/databases’ directory. The
database files of the BM appear to be stored without using any encryption method.
Unlike other instant messaging applications like WhatsApp, chat backups aren’t stored.
Because BM performs the user backup through the cloud storage system, it doesn’t
allow a backup file to be created on the device.
In order to examine the file structure of BM, a rooting process was
performed on the Android phone. Rooting an Android system allows the
user to access the system files and modify them. In this way, the user has as many
privileges on the phone as the manufacturing company.
After the rooting process, the subfolders inside the ‘data/data/com.turkcell.BiP’
directory are shown in Figure 5.
The database files are located under the ‘data/data/com.turkcell.BiP/databases’
directory. When this directory is examined, a database file named ‘tims.db’ is seen,
as shown in Figure 6.
(5) The sent message is temporarily stored in the ‘tims.db-journal’ database under
the ‘data/data/com.turkcell.BiP/directory’ on the sender’s phone. Then, it is
saved permanently in the ‘tims.db’ database located under
‘data/data/com.turkcell.BiP/directory’. The main aim of the temporary storage is to
prevent possible loss.
(6) If the receiver’s internet connection is not active, the message will continue to be
sent repeatedly until it is transmitted to the receiver.
(7) When the recipient turns on the internet, the message sent by the sender is
forwarded to the receiver as a notification with Push Notification feature.
(8) When the transmission is performed, the server sends information to the sender
that the message has been transmitted. The application interprets this incoming
information and displays it with ✔✔ double ticks, indicating that the message
has been sent.
(9) Once the message is transmitted, it is first stored in the ‘tims.db-journal’ file
under the ‘data/data/com.turkcell.BiP/’ directory and then stored in the ‘tims.db’
database under ‘data/data/com.turkcell.BiP/’ on the receiver’s phone.
(10) The receiver and the sender communicate instantly with each other through
these processes.
When the application is running on the mobile device, BM creates a unique ID number
for each user and places the relevant personal data folder under the path “/data/data/
com.turkcell.BiP”. The personal data folder is named using the MD5 value calculated by
the application.
● Phone call
● Network location
● Read Contacts
● Write/delete contacts
● Voice recording
● Read SMS
● Read MMS
● Write/delete search history
● Phone status
● Camera
● GPS location
● Bluetooth pairing
Permissions are kept in .xml files. Permissions of the BM can be seen in the
‘AndroidManifest.xml’ file. The file contents are shown in Figure 8.
Figure 8. The content of the AndroidManifest.xml file inside the BiP apk file and permission
information.
When the file is examined, it is seen that a great deal of information about the mobile
device is obtained. The contents of the fields in the file and their explanations are listed in
Table 3.
Message activities of the users are stored in the ‘messages’, ‘groups’, ‘conversations’,
‘delivery_status’ and ‘group_participants’ tables of the ‘tims.db’ database. The messages table
stores all data about the message communications, while the conversations table stores the last
message with contacts, the date and time of the message and contact information. Hence, the
messages of the users are obtained by examining these two tables. When a user gets
involved in a chat group, information about the group is found in the ‘groups’ and
‘group_participants’ tables. In addition, the delivery date and time information of the messages
sent and received by the user are found in the ‘delivery_status’ table. Therefore, it is important
to analyse the specified tables in order to obtain all the details of communication.
about recent chat are accessed by examining. Figure 14 shows a screenshot of a conversation
table during the mobile forensic examination of BM.
Application users can join various groups. The group information is extracted using
the proposed mobile forensics examination methodology together with the conversation
table. A sample of the groups table is shown in Figure 15, and the explanations of the
groups table are listed in Table 7.
The ‘group_jid’ in the last column of the messages table is correlated to the ‘group_jid’
in the second column of the groups table.
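The group_jid correlation described above can be checked with a short query over a working copy of tims.db. This is an added example, not code from the paper: the table names and group_jid come from the text, while the _id, body and name columns, the sample rows and the helper names are assumptions.

```python
import sqlite3
from pathlib import Path

# Tables the paper names as holding message activity in tims.db.
EXPECTED_TABLES = {"messages", "groups", "conversations",
                   "delivery_status", "group_participants"}

def open_read_only(path):
    """Open a working copy of tims.db so that queries cannot modify it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def missing_tables(con):
    """Expected tables that are absent from this database."""
    found = {r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    return sorted(EXPECTED_TABLES - found)

def correlate_group_messages(con):
    """Join messages to groups on group_jid.

    Returns (linked, orphaned): linked holds (message id, group_jid, group name);
    orphaned holds group messages whose group_jid has no row in groups.
    """
    rows = con.execute("""
        SELECT m._id, m.group_jid, g._id, g.name
        FROM messages AS m
        LEFT JOIN "groups" AS g ON g.group_jid = m.group_jid
        WHERE m.group_jid IS NOT NULL
        ORDER BY m._id""").fetchall()
    linked = [(mid, jid, name) for mid, jid, gid, name in rows if gid is not None]
    orphaned = [(mid, jid) for mid, jid, gid, _ in rows if gid is None]
    return linked, orphaned

def build_sample_db():
    """Constructed stand-in for tims.db. Only the table names and group_jid come
    from the paper; _id, body and name are assumed columns."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, body TEXT, group_jid TEXT);
        CREATE TABLE "groups" (_id INTEGER PRIMARY KEY, group_jid TEXT, name TEXT);
        CREATE TABLE conversations (_id INTEGER PRIMARY KEY);
        CREATE TABLE delivery_status (_id INTEGER PRIMARY KEY);
        INSERT INTO "groups" VALUES (1, 'g1@sample', 'Group A');
        INSERT INTO messages VALUES (1, 'hello all', 'g1@sample');
        INSERT INTO messages VALUES (2, 'one-to-one', NULL);
        INSERT INTO messages VALUES (3, 'left behind', 'g9@sample');
    """)
    return con

if __name__ == "__main__":
    con = build_sample_db()
    print("missing tables:", missing_tables(con))
    print("linked, orphaned:", correlate_group_messages(con))
```

A message whose group_jid has no matching groups row is reported separately, so a gap in the groups table is visible to the examiner instead of silently dropping the message from the join.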
hold latitude, longitude, address information and description are found in the geographical
messages. The transaction histories of the location data sent and received
through the application are in the ‘recent_locations’ and ‘location’ tables of the ‘tims.db’
database located in the ‘data/data/com.turkcell.BiP/databases/file’ directory. Figure 18
shows the ‘recent_location’ table.
The table has ‘share_date’, ‘title’, ‘address’, ‘icon_url’, ‘longitude’ and ‘latitude’ fields. The
data related to the location of the user are stored in these fields. The explanations
of the columns of the recent location table are listed in Table 8.
1. The current IP address and DNS information of the device that uses the
application are accessed by searching for “Resolver is using DNS server(s):”. (Figure 20)
2. In order to find which server addresses the application is connected to, it is
necessary to look at the “connect to” field in the log file. When the above IP
address is searched, it is determined that it belongs to the Turkcell company, which
is the manufacturer of BM. (Figure 21)
3. The information about the protocol and encryption method is reached using the “cert.
version” field. (Figure 22)
4. The number of messages and users is obtained using the “OneToOneChatActivity scr info”
keyword. Field 1 shows the total number of messages and Field 2 illustrates the
contact information. (Figure 23)
5. To access the information about blocked people on BM, search for “blocked
insert contact”. (Figure 24)
6. In order to find online users, the “isOnline: true” keyword is used. (Figure 25)
7. ‘dVersion’ is used to obtain the version number of BM. (Figure 26)
8. The “ACTIVE NetworkInfo” keyword is used to access the type of internet connection (1)
and the SSID information (2) of the connected devices. (Figure 27)
In order to perform log analysis, the keywords used and the screenshots are given
above.
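The eight keyword searches listed above can be run in one pass over an exported log. This is an added example, not a tool from the paper: the keywords are the ones listed, while the log line layout, the sample values and the function name are constructed assumptions.

```python
import hashlib
import re

# Keyword -> artefact it points to, as listed in the eight steps above.
KEYWORDS = {
    "Resolver is using DNS server(s):": "device IP / DNS servers",
    "connect to": "server address",
    "cert.version": "protocol / encryption method",
    "OneToOneChatActivity scr info": "message and contact counts",
    "blocked insert contact": "blocked contacts",
    "isOnline: true": "online users",
    "dVersion": "application version",
    "ACTIVE NetworkInfo": "connection type / SSID",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines; the layout is an assumption, not BiP's real format.
SAMPLE_LOG = """\
01-04 10:15:01.120 D/BiP: Resolver is using DNS server(s): 192.0.2.53
01-04 10:15:01.480 D/BiP: connect to 198.51.100.7:443
01-04 10:15:02.015 D/BiP: cert.version=3
01-04 10:15:09.332 D/BiP: OneToOneChatActivity scr info count=12 contact=sample-user
01-04 10:15:20.901 D/BiP: presence sample-user isOnline: true
01-04 10:15:31.007 D/BiP: ACTIVE NetworkInfo: type: WIFI, extra: "sample-ssid"
"""

def triage_log(text):
    """Bucket log lines by keyword, keeping line numbers for the report.

    Also returns the SHA-256 of the analysed text, the keywords that never
    matched, and the IPv4 addresses seen on the DNS and server lines.
    """
    hits = {kw: [] for kw in KEYWORDS}
    for no, line in enumerate(text.splitlines(), start=1):
        for kw in KEYWORDS:
            if kw in line:
                hits[kw].append((no, line.strip()))
    addr_lines = hits["Resolver is using DNS server(s):"] + hits["connect to"]
    ips = sorted({ip for _, line in addr_lines for ip in IPV4.findall(line)})
    return {
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "hits": hits,
        "not_found": [kw for kw, found in hits.items() if not found],
        "ips": ips,
    }

if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    for kw, found in report["hits"].items():
        print(f"{KEYWORDS[kw]:32} {len(found)} hit(s)")
    print("not found:", report["not_found"])
```

Keywords with no hits are reported explicitly, since an absent keyword can mean either that the activity did not occur or that the log did not cover that period.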
5. Conclusions
Mobile forensics is one of the important research areas for information security and
digital forensics. In this study, a mobile forensic analysis methodology is presented for
BM and the analyses were performed on an Android device. The obtained artefacts are
used as important findings in a digital forensic investigation. In this study, the
interpretation of the tables, databases and fields was given and the relationship between the
data generated by the application was revealed. Analysis of the messages and contact
databases provides messages and contact lists. Relationships between the other database
tables stored by the application and the interpretations of these relationships are
given by using the proposed methodology. Thus, when a user is added to the database
or a message is exchanged, the investigator can observe the change. The location
information was extracted and interpreted using the proposed examination methodology.
The proposed methodology also shows that there are significant differences
between rooted and unrooted devices for data acquisition. It was stated that the data
obtained differ depending on the hidden feature settings of the device. It was
shown that the time-set messages in the application are deleted in the application,
but they aren’t deleted from the database. The results shown in the proposed methodology
provide a complete analysis of BM on Android mobile devices, and it is the first
BM analysis methodology in the literature up to now.
The obtained results cover only Android mobile devices. iOS-related studies are
planned as future work.
Disclosure statement
No potential conflict of interest was reported by the authors.
References
1. Casey E. Handbook of digital forensics and investigation. Academic Press; 2010. ISBN: 978-0123742674.
2. Carrier B. File system forensic analysis. USA: Addison-Wesley Professional; 2005. ISBN 0-321-26817-2.
3. Sahu S. An analysis of whatsapp forensics in android smartphones. Int J Eng Res. 2014;3(5):349–350. doi:10.17950/ijer.
4. Acquisti A, Gross R. Imagined communities: awareness, information sharing, and privacy on
the Facebook. In: Danezis G., Golle P. editors. Privacy Enhancing Technologies. Berlin
(Heidelberg): Springer; 2006 June. p. 36–58.
5. Reust J. Case study: AOL instant messenger trace evidence. Digital Invest. 2006;3(4):238–243.
doi:10.1016/j.diin.2006.10.009.
6. Turkcell Communication Report. 2017. [Accessed 2018 January 04]. Access Link: turkcell.com.tr
7. Sagiroglu S, Sinanc D. 2013, May. Big data: a review. In Collaboration Technologies and
Systems (CTS), 2013 international conference on (pp. 42–47). IEEE, San Diego, CA, USA.
8. Mitchell F. The use of Artificial Intelligence in digital forensics: an introduction. Digital
Evidence & Elec Signature L Rev. 2010;7:35.
9. Barmpatsalou K, Damopoulos D, Kambourakis G, Katos V. A critical review of 7 years of
mobile device forensics. Digital Invest. 2013;10(4):323–349. doi:10.1016/j.diin.2013.10.003.
10. Hoog A. Android forensics: investigation, analysis and mobile security for Google Android.
USA: Elsevier; 2011. ISBN: 9781597496520
11. Van Dongen WS. Forensic artefacts left by windows live messenger 8.0. Digital Invest. 2007;4(2):73–87. doi:10.1016/j.diin.2007.06.019.
12. Anglano C, Canonico M, Guazzone M. 2016. Forensic analysis of the ChatSecure instant
messaging application on android smartphones. Digital Invest. 19:44–59. doi:10.1016/j.diin.2016.10.001.
13. Wu S, Zhang Y, Wang X, Xiong X, Du L. 2017. Forensic analysis of wechat on android
smartphones. Digital Invest. 21:3–10. doi:10.1016/j.diin.2016.11.002.
14. Gregorio J, Gardel A, Alarcos B. 2017. Forensic analysis of telegram messenger for windows
phone. Digital Invest. 22:88–106. doi:10.1016/j.diin.2017.07.004.
15. Ovens KM, Morison G. 2016. Forensic analysis of kik messenger on ios devices. Digital Invest.
17:40–52. doi:10.1016/j.diin.2016.04.001.
16. Anglano C. Forensic analysis of whatsapp messenger on android smartphones. Digital
Invest. 2014;11(3):201–213. doi:10.1016/j.diin.2014.04.003.
17. Norouzizadeh Dezfouli F, Dehghantanha A, Eterovic-Soric B, Choo KKR. Investigating social
networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+
artefacts on Android and iOS platforms. Aust J Forensic Sci. 2016;48(4):469–488.
doi:10.1080/00450618.2015.1066854.
18. Husain MI, Sridhar R. iForensics: forensic analysis of instant messaging on smart phones. In:
Goel S. editor. Digital Forensics and Cyber Crime. ICDF2C 2009. Lecture Notes of the
Institute for Computer Sciences, Social Informatics and Telecommunications Engineering,
Vol. 31. Berlin (Heidelberg): Springer; 2009 September. p. 9–18.
19. Hakimi M, Jungbluth J, Windolf J, Wild M. 2010, February. Recovery of skype application
activity data from physical memory. In Availability, reliability, and security, 2010. ARES‘10
international conference on (pp. 283–288). IEEE. J Hand Surg., European volume 35, Krakow,
Poland.
Authorship contributions
Conception and design of study: Erhan AKBAL, İbrahim BALOĞLU
Acquisition of data: İbrahim BALOĞLU
Analysis and/or Interpretation of Data: Erhan AKBAL, İbrahim BALOĞLU, Turker TUNCER, Sengul
DOGAN
Drafting the Manuscript: Turker TUNCER, Sengul DOGAN
Revising the Manuscript Critically for Important Intellectual Content: Erhan AKBAL, Sengul
DOGAN, Turker TUNCER
Approval of the Version of the Manuscript to be Published (the names of all authors must be
listed): Erhan AKBAL, Ibrahim BALOGLU, Turker TUNCER, Sengul DOGAN