
Australian Journal of Forensic Sciences

ISSN: 0045-0618 (Print) 1834-562X (Online) Journal homepage: https://www.tandfonline.com/loi/tajf20

Forensic analysis of BiP Messenger on android smartphones

Erhan Akbal, Ibrahim Baloglu, Turker Tuncer & Sengul Dogan

To cite this article: Erhan Akbal, Ibrahim Baloglu, Turker Tuncer & Sengul Dogan (2019): Forensic
analysis of BiP Messenger on android smartphones, Australian Journal of Forensic Sciences, DOI:
10.1080/00450618.2019.1610064

To link to this article: https://doi.org/10.1080/00450618.2019.1610064

Published online: 06 May 2019.

AUSTRALIAN JOURNAL OF FORENSIC SCIENCES
https://doi.org/10.1080/00450618.2019.1610064

Forensic analysis of BiP Messenger on android smartphones


Erhan Akbal, Ibrahim Baloglu, Turker Tuncer and Sengul Dogan
Department of Digital Forensics Engineering, Technology Faculty, Firat University, Elazig, Turkey

ABSTRACT

Nowadays, social media applications and communication tools are utilized as communication platforms and the vast majority of communication is performed using these tools. Instant messaging applications are widely used for peer-to-peer communication worldwide, and BiP Messenger (BM) is one of them. BM is generally used in Turkey. BM was introduced by the Turkcell mobile GSM carrier; it offers smartphone users many services such as messaging, video chatting and data transfer, and approximately 10 million people have used BM. Hence, it is one of the most frequently encountered applications in forensic examinations. In this study, BM is analysed using a mobile forensics methodology for Android phones, and this work presents which artefacts BM produces, how to analyse them and how to show their relations with each other. The proposed analysis methodology covers contact analysis, communication information, message information, deleted messages, group messages, message sending and receiving processes, the chronology of multimedia files and how to reconstruct them. The proposed methodology analysed the data structure, communication protocols, permissions, user information, contact information, message information and logs of BM. Comprehensive mobile forensics examinations of BM are presented using these analyses in this paper.

ARTICLE HISTORY
Received 9 September 2018
Accepted 17 April 2019

KEYWORDS
Mobile forensics; BiP Messenger; digital forensics; android OS; instant messaging

1. Introduction
Nowadays, instant messaging applications are the most preferred communication tools of mobile users worldwide.1-3 The most important reason for this is that they can transmit not only text but also multimedia messages, for instance image, audio and video content, at the same time. No matter the distance, people can share multimedia messages and video chat with contacts free of charge via phones that have internet access by using instant messaging applications.2-4 Instant messaging applications are also utilized as criminal tools because of their widespread usage, and identifying the actual identity of the user has become very difficult compared to conventional tools of communication.5 Therefore, the analysis of instant messaging programs has become a very important research area for mobile forensics.
The BM application was developed by Lifecell Ventures Cooperative U.A and was launched on 20 June 2016. All subscribers of Turkcell can use it. According to the statistics of the year 2017, its 10 million users have sent more than 100 million

CONTACT Sengul Dogan senguldgn@gmail.com


© 2019 Australian Academy of Forensic Sciences

messages a day on average.6 BM contains various features such as sending captures, sending vibrations, time-set messages, video chatting and sending money. In addition to these features, particularly features such as self-destructing messaging have attracted the attention of criminals and led researchers to do various studies in this field.7-9 The data obtained from BM are very important in many investigations, as they are in similar messaging applications.10,11
BM stores much encrypted and unencrypted data in the storage area of the mobile device. Because the usage of Android devices is high, law enforcement often encounters BM on an Android device. There is no study about mobile forensics analysis of BM in the literature. Hence, it is necessary to determine what kind of traces and information users leave in the application. Many studies about mobile forensics have been proposed in the literature. A few selected state-of-the-art works about mobile forensics for instant messaging applications are given as follows. ChatSecure instant messaging was analysed on Android smartphones by Anglano et al.12 In that study, the artefacts of ChatSecure were presented: database/table location, the structure of folders/tables and contact lists. An analysis of WeChat on Android smartphones was presented by Wu et al.13 They showed the encrypted WeChat messages database, data tables, data acquisition paths, communication methods and user information for different versions. Telegram Messenger, an instant messaging application, was analysed by Gregorio et al.14 The Telegram Messenger analysis was given in terms of digital forensics for Windows Phone. In their study, open knowledge, analysis of artefacts and source code were used for this analysis. Using open knowledge, the explanation and meaning of the databases and messages were extracted, and artefacts were obtained using this knowledge. They also analysed this app using source code and reverse engineering. Kik messenger (v9.6.0) was analysed by Ovens and Morison.15 The obtained artefacts were elaborated as database/table content and the data structure on the iOS platform. Anglano16 presented a WhatsApp Messenger analysis. Forensic acquisition of the artefacts was given on Android platforms for contact information (blocked, deleted), messages, chat history, settings and preferences, and group information. Norouzizadeh Dezfouli et al.17 investigated forensic analysis of the Facebook, Twitter, Google+ and LinkedIn social networking applications. The forensic analysis was performed on iOS and Android devices and the obtained artefacts were compared between these devices. Forensic artefacts were given for login information, user profile information, uploading posts, messaging and uploading comments on the Android and iOS platforms.
The main objectives of the proposed BM forensics analysis methodology are given as follows. The first objective is to display all of the data. The second is to construct cases and an analysis methodology. The third is to obtain the correlation of the results. The characteristics and contributions of this study are: (1) We present a methodology for how to do a forensic analysis of the application that runs on the Android operating system. (2) The completeness and integrity of the BiP data are checked using the presented analysis methodology. (3) The proposed forensic analysis methodology extracts all artefacts of BM from a mobile device. (4) The relationships between the storage format, communication protocols, extracted data and databases are obtained. (5) BiP is an Android messaging application and, as far as we know from the literature, this study is the first article about digital forensics analysis of this application.

In this paper, a mobile forensics methodology for BM is presented. The rest of the paper is organized as follows. In Section 2, the methodology and the tools used for BM are described. In Section 3, the analysis process of BM in terms of digital forensics is performed. Results and evaluation are presented in Section 4.

2. Analysis methodology and tools


In this study, various scenarios were applied to BM for forensic analysis. These scenarios cover message sending, multimedia content sharing and group communication, in order to reveal all user activities of BM. After the scenarios are performed, the data produced by BM are taken from the mobile device and analysed. The data produced by the application are not recognized by commercial tools, for instance XRY, Oxygen and Paraben. Similarly, open source software cannot analyse all data of BM. Therefore, mobile forensics examiners cannot find a solution for BM. In order to solve this problem, the proposed BM analysis methodology is presented. The graphical outline of the proposed analysis methodology is shown in Figure 1.
Firstly, the Android device on which BM is installed is rooted and the files are extracted using ES File Manager. The obtained files are copied to a computer. On the computer, the databases of BM are examined using SQLite browser. Then, artefacts are analysed using the obtained data and explanations.
In the study, BiP v3.22.15 is installed on a real Preo P2 device with an eight-core processor, 16 GB internal storage, 2 GB RAM and the Android 5.1 operating system. The mobile device is analysed in two cases: rooted and unrooted. SQLite DB Browser (Version 3.9.99, Qt Version 5.7.1) is utilized for displaying the databases. To root the mobile device, the Kingo Root program is used, and to access and view the root directory after rooting, the ES File Explorer mobile application is chosen.

3. BiP forensic analysis


Mobile forensics software generally supports popular messaging applications worldwide. BM is a popular instant messaging application in Turkey. However, commonly used mobile forensics software, for instance Oxygen Forensic, XRY and Paraben, does not support BM. Even if some tools can be used at the examination stage, they do not share any information about how the processes are done and they do not offer any content that correlates the different pieces of evidence with each other. Hence, it is not possible for examiners to assess the completeness and correctness of the results. In this study, it becomes possible to evaluate the accuracy of the examinations by revealing all behaviours of BM on an Android device.

Figure 1. The block diagram of the proposed mobile forensics analysis methodology.
BM offers a variety of communication formats to users. These are sending messages, audio communication, video calls, geographical data sharing, multimedia sharing, sending money via credit card, location tracking and business card sharing.1,2,18
The steps of the proposed analysis methodology are summarized as follows. Firstly, BM data are extracted from the Android device. Then, the communication protocol information is extracted to decrypt the encrypted chat messages database and to see how the time-set messages are stored. Also, reverse engineering is utilized for the permissions. BM stores its databases in the root directory, unlike other widely used instant messaging applications such as WhatsApp. The databases of BM do not contain encrypted data, and this situation is proved using the mobile forensics examinations. In the 3rd step, the permissions of BM are obtained; information about users is retrieved from BM in the 4th step. Contact information is obtained in the 5th step. The extracted message information is obtained and these messages are analysed in the 6th step. Finally, the log analysis of BM is performed in the 7th step.1,2,19

3.1. BiP setup and data structure in android device


BM is stored in the “data/data/com.turkcell.BiP” and “sdcard/turkcell/BiP” directories in the internal storage and the memory card of the Android device, respectively. The user activity data for BM usage are stored in five subfolders under the main “com.turkcell.BiP” directory, and the contents of these folders are shown in Table 1. Some folders are hidden by the application. In order to access hidden folders and their content, the “Show hidden folders” option on the phone must be enabled. Figure 2 shows the folder structure that appears when this feature is off. The view of the data area when the hidden attribute is on is shown in Figure 3.
As seen in Table 1, the directories used by BM are listed and explained. The unrooted device’s storage area contains data that were sent and received by the user. No database is used to store these data, and there is no database under the ‘Internal/Storage/BiP’ directory.
The data and contents acquired from the rooted mobile device are shown in Table 2.
In order to access the chat logs of BM, it is necessary to root the device. Otherwise, it is not possible to access the databases which store the user chats and activities. When the root directory on the rooted device is examined, it is seen that BM is stored under the ‘data/data/com.turkcell.BiP’ directory and has the structure shown in Figure 4.

Table 1. Subdirectories of user activity data in an unrooted device.

Directory Name | Directory URL | Meaning
Audio | Storage/BiP/Audio | Sent and received voice data.
Contact | Storage/Contact | Sent and received business card information.
BİP | Storage/BiP | Sent and received images and documents.
BiP Video | Storage/BiP Video | Sent and received video information.
History | Storage/History | BiP’s history.

Figure 2. Application storage area folders.

Figure 3. Data areas with the hidden attribute on.

Table 2. BiP artefacts and locations on the rooted device.

No. | Content | Directory | File | Hidden
1 | contacts and chats database | data/data/com.turkcell.BiP/databases/ | tims.db (SQLite V 3.9) | False
2 | | data/data/com.turkcell.BiP/shared_prefs | com.turkcell.BiP_preferences.xml | False
3 | last session info | data/data/com.turkcell.BiP/shared_prefs | com.turkcell.BiP.SETTINGS.xml | False
4 | phone information | data/data/com.turkcell.BiP/cache | BiP_PUSH_CONFIG_REQUEST | False
5 | documentation files | storage/BİP/ | BİP | False
6 | log files | storage/BiP/.LocalLogs | BiPAndroidAppLogs.txt, BiPAndroidFallowMeLogs.txt | True
7 | avatars of contacts | storage/BiP/.RoundedAv | *.jpg | True
In order to access the hidden areas, the “View hidden files” option should be enabled in the phone’s options. Otherwise, hidden files cannot be displayed. The directory contents tree of BM is also shown in Figure 4.
As shown in Figure 4, communication and activities between users are stored in the ‘tims.db’ database located under the ‘data/data/com.turkcell.BiP/databases’ directory. The database files of BM appear to be stored without using any encryption method. Unlike other instant messaging applications such as WhatsApp, chat backups are not stored. Because BM performs the user backup through a cloud storage system, it does not allow a backup file to be created on the device.
In order to examine the file structure of BM, a rooting process has been performed on the Android phone. The root process on Android systems allows the user to access the system files and modify them. In this way, the user has as many privileges on the phone as the manufacturing company.
After the rooting process, the subfolders inside the ‘data/data/com.turkcell.BiP’ directory are shown in Figure 5.
The database files are located under the ‘data/data/com.turkcell.BiP/databases’ directory. When this directory is examined, it appears that there is a database file named ‘tims.db’, as in Figure 6.

3.2. BM communication protocol


BM is an instant messaging application that can be used on both iOS and Android devices. The application automatically identifies the user’s identity by phone number. The contacts stored on the mobile device are added to the access list of the application. One-to-one, one-to-many and group chat communication can be established by using BM. When a user sends a message, the message is stored on the BM servers. The server sends this message repeatedly until the receiving device accepts it. When the message is accepted, the server transfers this message to the receiver. Since BM uses the Extensible Messaging and Presence Protocol (XMPP) instant messaging protocol, the transmission scheme of a message is as shown in Figure 7.
The steps of the communication protocol used are given below:

Figure 4. data/data/com.turkcell.BiP directory contents.



Figure 5. BM directories in the rooted device.

Figure 6. Databases directory contents.

Figure 7. Application message communication structure.

(1) The message is decided to be sent.
(2) The destination is selected.
(3) In order to send the message content to the destination, the contents of the message and the jid information of the receiver are requested from the BM server via the TCP protocol.
(4) The BM server verifies the message request. Then it attaches the sender’s jid information to the receiver’s and directs the message to the receiver.
(5) The sent message is temporarily stored in the ‘tims.db-journal’ database under the ‘data/data/com.turkcell.BiP/’ directory on the sender’s phone. Then, it is saved permanently in the ‘tims.db’ database located under the ‘data/data/com.turkcell.BiP/’ directory. The main aim of the temporary storage is to prevent possible loss.
(6) If the receiver’s internet connection is not active, the message will continue to be sent repeatedly until the message is transmitted to the receiver.
(7) When the recipient turns on the internet, the message sent by the sender is forwarded to the receiver as a notification with the Push Notification feature.
(8) When the transmission is performed, the server sends information to the sender that the message has been transmitted. The application interprets this incoming information and displays it with ✔✔ double ticks, indicating that the message has been sent.
(9) When the message is transmitted, it is first stored in the ‘tims.db-journal’ file under the ‘data/data/com.turkcell.BiP/’ directory and then it is stored in the ‘tims.db’ database under ‘data/data/com.turkcell.BiP/’ on the receiver’s phone.
(10) The receiver and the sender communicate instantly with each other through these processes.

When the application is running on the mobile device, BM creates a unique ID number for each user and places the relevant personal data folder under the path “/data/data/com.turkcell.BiP”. The personal data folder is named using the MD5 value calculated by the application.

3.3. Application permission structure

When the apk file of BM is examined by reverse engineering, it is seen that the application requires the following permissions from the user while it is being installed on the phone.

● Phone call
● Network location
● Read Contacts
● Write/delete contacts
● Voice recording
● Read SMS
● Read MMS
● Write/delete search history
● Phone status
● Camera
● GPS location
● Bluetooth pairing

Permissions are kept in .xml files. The permissions of BM can be seen in the ‘AndroidManifest.xml’ file. The file contents are shown in Figure 8.

Figure 8. The content of the AndroidManifest.xml file inside the BiP apk file and permission information.

3.4. Application user information

The BM user’s information is kept in xml format in the ‘com.turkcell.BiP_preferences.xml’ file in the ‘data/data/com.turkcell.BiP/shared_prefs’ directory. It stores information such as the last login and the last access time of the user.
The date and time of the BM user’s last access to BM are in the ‘com.turkcell.BiP.SETTINGS.xml’ file located under the ‘data/data/com.turkcell.BiP/shared_prefs’ directory. The last access date is kept in <long name=“last_cache_update_tes_list_serv“ value=”time stamp value”/> as a timestamp with time zone. The timestamp value can be read by converting it to the normal date format using a timestamp converter. After conversion, the last active time can be found out. The content of the file is shown in Figure 9.
The application version and the user device information are stored in the ‘appversion’ variable in the “BiP_PUSH_CONFIG_REQUEST” file under the “data/data/com.turkcell.BiP/cache” directory. The version information is shown in Figure 10.
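The timestamp conversion described above, as an added example that is not code from the paper: the script reads a constructed SETTINGS.xml written in the standard Android shared_prefs layout (<long name="..." value="..."/>), pulls the last_cache_update_tes_list_serv value and converts it to a UTC date. The sample value and the seconds-versus-milliseconds rule are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an Android shared_prefs file such as
# com.turkcell.BiP.SETTINGS.xml. The timestamp is a made-up epoch value in
# milliseconds, not one taken from a real device.
SAMPLE_SETTINGS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <long name="last_cache_update_tes_list_serv" value="1525600000000" />
    <boolean name="constructed_flag" value="true" />
    <string name="constructed_text">example</string>
</map>
"""

LAST_ACCESS_KEY = "last_cache_update_tes_list_serv"


def parse_shared_prefs(xml_text):
    """Return {name: (type_tag, value)} for every entry in a shared_prefs <map>."""
    prefs = {}
    for elem in ET.fromstring(xml_text):
        name = elem.get("name")
        if name is None:
            continue
        # <string> keeps its value as element text; the other types use value="..."
        value = elem.text if elem.tag == "string" else elem.get("value")
        prefs[name] = (elem.tag, value)
    return prefs


def epoch_to_utc(raw):
    """Convert an epoch timestamp (seconds or milliseconds) to an aware UTC datetime.

    The file does not state the unit. Android <long> preferences are normally
    milliseconds; a value below 10**11 would be a millisecond timestamp before
    1973, so such values are treated as seconds instead (assumption of this example).
    """
    value = int(raw)
    if value < 10**11:
        return datetime.fromtimestamp(value, tz=timezone.utc)
    seconds, millis = divmod(value, 1000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


def last_access_time(xml_text, key=LAST_ACCESS_KEY):
    """Read the last-access timestamp from SETTINGS.xml and convert it to UTC."""
    prefs = parse_shared_prefs(xml_text)
    if key not in prefs:
        raise KeyError(f"{key} not present in shared_prefs")
    tag, raw = prefs[key]
    if tag != "long":
        raise ValueError(f"{key} is stored as <{tag}>, expected <long>")
    return epoch_to_utc(raw)


if __name__ == "__main__":
    when = last_access_time(SAMPLE_SETTINGS_XML)
    print("last access (UTC):", when.isoformat())
```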

Figure 9. Content of com.turkcell.BiP.SETTINGS.xml.



Figure 10. Content of BiP_PUSH_CONFIG_REQUEST.

When the file is examined, it is seen that much information about the mobile device is obtained. The fields in the file and their explanations are listed in Table 3.

3.5. Contact information

BM stores the contact information in ‘.db’ file format in the “users” table of the “tims.db” database located in the “data/data/com.turkcell.BiP/databases/” directory. This area contains all of the contact numbers on the user’s phone. It keeps information about which users use BM, the nickname of the user and the URL path of the profile photo. The contents of the users table are shown in Figure 11. The explanation of the users table columns is listed in Table 4.
Profile pictures are considered as evidence during a forensic examination. Images are used to link the BM account to the actual identity of the person using it. The profile picture of a BM user is stored under the ‘file://storage/emulated/0/BiP/.RoundedAvatar/’ folder, and there is a photo name and an area stored for each user’s ‘jid’ information. This information is stored as a JPEG file in these directories.
The version number of BM used by the communicated users, information about which user installed which application, the operating system (for instance Android or iOS) and the latest update date are stored in the ‘table_user_details’ table. The contents of the table are shown in Figure 12.
In Figure 11, ‘user_id’ shows the user, ‘user_app_version’ gives the BM version of the contacted users, ‘user_os_version’ gives the version of the operating system, ‘user_os_type’ (A-Android, I-iOS) describes the operating system type and ‘LAST_UPDATED_TIME’ is the latest update time as a timestamp.

Table 3. Fields in the BiP_PUSH_CONFIG_REQUEST file.

Field Name | Meaning
appversion | The version of BM used on the phone
Language | Language of the phone
model | Model of the phone
ostype | Operating system of the phone (A = Android, I = iOS)
osversion | Operating system version of the phone
Region | Country code of the device, e.g. Turkey – 90
serialNumber | Serial number of the phone
vendor | Manufacturer of the phone

Figure 11. A sample of users table of the BM.

Table 4. The data structure of the users table.

Field name | Meaning
_id | Numerical value that increases with every new record (set by SQLite)
jid | BM user ID, a unique identification number that distinguishes users
alias | The recorded names of the contacts as saved in the phone’s contacts
status_message | The status information of the contacts who use BM
nickname | The usernames of the contacts who use BM
unread_msg_count | The number of messages received from BM users that have not been read yet
Phone | The numbers in the contact list
is_tims_user | Whether or not the people registered in contacts use BM: BM users are represented by 1, the ones who are not by 0
Profile_photo | The address of the contacts’ profile pictures
is_blocked | Whether or not registered contacts are blocked on BM: 1 if blocked, 0 if not blocked

Figure 12. Content of table_user_details.

3.6. Analysis of messages

BM stores all sent and received chat information under the relevant directories. There are three message sending types in BM, given below.
a) User-to-user messages,
b) User to group and group to user,
c) Sponsor services to user.

Message activities of the users are stored in the ‘messages’, ‘groups’, ‘conversations’, ‘delivery_status’ and ‘group_participants’ tables of the ‘tims.db’ database. The messages table stores all data about the message communications, while the conversations table stores the last message with each contact, the date and time of the message and the contact information. Hence, the messages of the users are obtained by examining these two tables. When a user gets involved in a chat group, information about the group is found in the ‘groups’ and ‘group_participants’ tables. In addition, the delivery date and time information of the messages sent and received by the user are found in the ‘delivery_status’ table. Therefore, it is important to analyse the specified tables in order to obtain all the details of the communication.

3.6.1. Message table

The messages table contains everything about the people connected through BM, for instance the contents of all messages, message dates and person and group jid information. Person, group and sponsor service information are revealed by using the ‘group_jid’ information. The connected entities are listed in Table 5.
A sample of the messages table of BM is also shown in Figure 13.
This table contains all the messages related to the connected users. All the information about a message is accessed by examining the columns in the table. The content structure of the columns is given in Table 6.
As seen in Table 6, it is possible to find out where the user has sent the message (group, service or person) and who has seen the message. In addition, message contents and sender information are obtained.

3.6.2. Conversations table

In the conversations table, the sender jid (unique person id information), the message time information (timestamp) and the message PID information of the last messages are stored. Unlike the messages table, the conversations table contains the contents of the last messages. Therefore, the information about recent chats is accessed by examining it. Figure 14 shows a screenshot of a conversations table during the mobile forensic examination of BM.

Table 5. Entity information of BM.

Entity | Keywords
Individual user | <jid> + @tims.turkcell.com.tr
Group | <jid> + @conference.tims.turkcell.com.tr
Sponsor service | <jid> + @service.tims.turkcell.com.tr

Figure 13. A sample screenshot of the messages table.

Table 6. Structure of the messages table content.

Field Name | Meaning
_id | Numerical value that increases with every new record (set by SQLite)
Date | Timestamp date information
Direction | Whether the message was sent or received (0 if sent, 1 if received)
companion_jid | Message sender information
message_body | Message text
extra_a | Additional information about the message content, the type of data being sent and received and where it is recorded
extra_b | Additional information about the message content, the type of data being sent and received and where it is recorded
group_jid | The group the message is associated with
Application users can join various groups. The group information is extracted using the proposed mobile forensics examination methodology and the conversations table together. A sample of the groups table is shown in Figure 15, and the explanations of the groups table are listed in Table 7.
The ‘group_jid’ in the last column of the messages table is correlated with the ‘group_jid’ in the second column of the groups table.

3.6.3. Group_participants table

Group information is stored in the ‘group_participants’ table. Information about the founder, the participants and the foundation date and time of the group is found by using this table. The content view of the table is shown in Figure 16. Group jid information is created in the form JidInformationOfThePersonFoundedTheGroup_g_TimestampOfGroupsEstablishingTime@conference.tims.turkcell.com.tr. In this way, information about the admin of the group is obtained.
For instance, it is stored in the form jid: 90506XXXX207_g_1501010150052479@conference.tims.turkcell.com.tr. Figure 10 shows the structure of the ‘group_participants’ table. The ‘group_jid’ information shows the group identifiers, generated as described above. The ‘user_jid’ area contains a list of the members of the groups specified in ‘group_jid’.
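The jid conventions of Table 5 and the group jid layout described above, as an added example that is not part of the paper: a jid is classified by its domain, and a group jid is split into the founder's jid and the group's creation time. Treating the 16-digit timestamp as microseconds is an assumption of this example; the example jid is the masked one quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Domains from Table 5 of the paper.
USER_DOMAIN = "tims.turkcell.com.tr"
GROUP_DOMAIN = "conference.tims.turkcell.com.tr"
SERVICE_DOMAIN = "service.tims.turkcell.com.tr"

# Group jid local part, as described in Section 3.6.3:
# <founder jid>_g_<timestamp of the group's creation>
GROUP_LOCAL_RE = re.compile(r"^(?P<founder>[^_@]+)_g_(?P<ts>\d+)$")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def classify_jid(jid):
    """Return 'user', 'group' or 'service' for a BM jid, using the domain suffix."""
    local, sep, domain = jid.partition("@")
    if not sep or not local:
        raise ValueError(f"not a jid: {jid!r}")
    kinds = {USER_DOMAIN: "user", GROUP_DOMAIN: "group", SERVICE_DOMAIN: "service"}
    try:
        return kinds[domain]
    except KeyError:
        raise ValueError(f"unknown BM domain in jid: {jid!r}") from None


def timestamp_to_utc(digits):
    """Convert an epoch timestamp given as a digit string to an aware UTC datetime.

    The paper does not state the unit. The 16-digit value in its example
    (1501010150052479) only makes sense as microseconds, so the digit count
    selects seconds (10), milliseconds (13) or microseconds (16). This mapping
    is an assumption of this example.
    """
    scale = {10: 1_000_000, 13: 1_000, 16: 1}.get(len(digits))
    if scale is None:
        raise ValueError(f"unrecognised timestamp length: {digits}")
    # Integer arithmetic via timedelta keeps the microseconds exact.
    return EPOCH + timedelta(microseconds=int(digits) * scale)


def parse_group_jid(jid):
    """Split a group jid into the founder's jid and the creation time (UTC)."""
    if classify_jid(jid) != "group":
        raise ValueError(f"not a group jid: {jid!r}")
    local = jid.partition("@")[0]
    match = GROUP_LOCAL_RE.match(local)
    if match is None:
        raise ValueError(f"group jid does not follow <founder>_g_<timestamp>: {jid!r}")
    return {
        "founder_jid": match.group("founder"),
        "created_utc": timestamp_to_utc(match.group("ts")),
    }


if __name__ == "__main__":
    # The group jid example quoted in Section 3.6.3 (digits masked as in the paper).
    example = "90506XXXX207_g_1501010150052479@conference.tims.turkcell.com.tr"
    info = parse_group_jid(example)
    print(classify_jid(example), info["founder_jid"], info["created_utc"].isoformat())
```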

Figure 14. The conversations table.



Figure 15. The groups table.

Table 7. Structure of the groups table content.

Field Name | Meaning
_id | Numerical value that increases with every new record (set by SQLite)
group_jid | Group jid information built from the person who founded the group: mobil_phone_number+@conference.tims.turkcell.com.tr
group_name | Name of the group
avatar | Field where the group image is stored and its name
creation_date | Timestamp, the date the group is created
group_owener_jid | Group admin’s jid

Figure 16. Screenshot of the ‘Group_participants’ table.

3.6.4. Delivery_states table

The communicated users’ information and the date information of the sent and received messages are stored in the ‘delivery_states’ table. The information about the delivery status of a message sent by the user is obtained from the ‘ds_state’ column of Table 9. It indicates whether the message has been delivered: the values 0 and 1 express delivered and not delivered, respectively. Figure 17 shows the contents of the ‘delivery_states’ table.

3.6.5. Location information analysis

Location information is utilized as important evidence in mobile forensics analysis. Users share their location through the application. BM allows users to obtain the geographic coordinates of their location from Android Location Services. Geographical coordinates holding latitude, longitude, address information and a description are found in the geographical messages. The transaction histories of the location data sent and received through the application are in the ‘recent_locations’ and ‘location’ tables of the ‘tims.db’ database located in the ‘data/data/com.turkcell.BiP/databases/’ file directory. Figure 18 shows the ‘recent_location’ table.
The table has ‘share_date’, ‘title’, ‘address’, ‘icon_url’, ‘longitude’ and ‘latitude’ areas. The data related to the location of the user are stored in the indicated areas. The explanations of the columns of the recent location table are listed in Table 8.

Figure 17. Delivery_states table.

3.6.6. Automatic message deletion

BM has an automatic message deletion ability within a specified time (3, 5, 10 and 60 s). This attribute is optional. If a user enables this attribute, the message will be deleted after the receiver reads the sent message. The feature of the application has been tested with specific time selections and it has been observed that messages are deleted from the application within the specified time. However, it has been observed that the message deleted from the application is not deleted from the database file and it remains saved in the messages table of the tims.db database file.
Figure 19 shows the contents of the time-set test message in field 1, and the time value of the preferred seconds for message deletion (60 s) is illustrated in field 2. Although the message is deleted from the application, the message content is reached in the ‘message_body’ field.
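The following Python is an added example, not the paper's own tooling: it builds an in-memory SQLite copy of the messages and groups tables using the column names of Tables 6 and 7, then reconstructs one chat's timeline, counts messages per entity kind via group_jid and joins group messages to the groups table. The rows, jids and millisecond timestamps are constructed, and group_jid is assumed to hold the chat's jid for one-to-one and sponsor-service chats as well as for groups; because nothing is filtered, rows the application itself no longer shows (such as the time-set messages above) come back with everything else.

```python
import sqlite3
from datetime import datetime, timezone

# Column names follow Table 6 (messages) and Table 7 (groups) of the paper.
# The sample rows, phone numbers and the millisecond timestamp unit are
# constructed for this example; 'direction' uses the paper's encoding
# (0 = sent, 1 = received).
SCHEMA = """
CREATE TABLE messages (
    _id INTEGER PRIMARY KEY, date INTEGER, direction INTEGER,
    companion_jid TEXT, message_body TEXT, extra_a TEXT, extra_b TEXT, group_jid TEXT);
CREATE TABLE groups (
    _id INTEGER PRIMARY KEY, group_jid TEXT, group_name TEXT, avatar TEXT,
    creation_date INTEGER, group_owener_jid TEXT);
"""

ME = "905550000001@tims.turkcell.com.tr"
FRIEND = "905550000002@tims.turkcell.com.tr"
GROUP = "905550000001_g_1501010150052479@conference.tims.turkcell.com.tr"
SERVICE = "weather@service.tims.turkcell.com.tr"

SAMPLE_MESSAGES = [
    # (_id, date, direction, companion_jid, message_body, extra_a, extra_b, group_jid)
    (1, 1525600000000, 0, ME, "are you coming tonight?", None, None, FRIEND),
    (2, 1525600060000, 1, FRIEND, "yes, at eight", None, None, FRIEND),
    (3, 1525600120000, 0, ME, "meeting moved to Friday", None, None, GROUP),
    (4, 1525600180000, 1, "905550000003@tims.turkcell.com.tr", "ok", None, None, GROUP),
    (5, 1525600240000, 1, SERVICE, "Rain expected tomorrow", None, None, SERVICE),
]
SAMPLE_GROUPS = [(1, GROUP, "Project team", None, 1501010150052, ME)]


def open_sample_db():
    """Build an in-memory copy of the two tables filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?,?,?)", SAMPLE_MESSAGES)
    conn.executemany("INSERT INTO groups VALUES (?,?,?,?,?,?)", SAMPLE_GROUPS)
    conn.commit()
    return conn


def entity_kind(jid):
    """Classify a chat jid by its domain, following Table 5."""
    domain = jid.partition("@")[2]
    if domain.startswith("conference."):
        return "group"
    if domain.startswith("service."):
        return "service"
    return "person"


def ms_to_utc(ms):
    """Millisecond epoch (assumed unit of the date column) to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).isoformat()


def chat_timeline(conn, chat_jid):
    """All rows of one chat in chronological order, with direction decoded."""
    rows = conn.execute(
        "SELECT date, direction, companion_jid, message_body FROM messages "
        "WHERE group_jid = ? ORDER BY date, _id", (chat_jid,))
    return [
        {"when": ms_to_utc(date), "direction": "sent" if direction == 0 else "received",
         "sender": sender, "body": body}
        for date, direction, sender, body in rows
    ]


def message_counts_by_kind(conn):
    """Count messages per entity kind (person / group / service) via group_jid."""
    counts = {}
    for (jid,) in conn.execute("SELECT group_jid FROM messages"):
        kind = entity_kind(jid)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def group_summary(conn):
    """Correlate messages.group_jid with groups.group_jid (Section 3.6.2)."""
    rows = conn.execute(
        "SELECT g.group_name, g.group_owener_jid, COUNT(m._id) "
        "FROM groups g LEFT JOIN messages m ON m.group_jid = g.group_jid "
        "GROUP BY g.group_jid ORDER BY g.group_name")
    return [{"group_name": n, "owner_jid": o, "messages": c} for n, o, c in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for entry in chat_timeline(db, FRIEND):
        print(entry)
    print(message_counts_by_kind(db))
    print(group_summary(db))
```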

Figure 18. Recent_location table.



Table 8. Explanation of columns of the recent location table.

Field Name | Meaning
share_date | The date and time of location sharing
title | The defined name of the location on the map
address | The full address of the location
icon_url | The area of the location icon
longitude | Coordinate information as longitude
latitude | Coordinate information as latitude

Figure 19. Automatic message deletion information.

3.7. Log analysis

The application stores the log records in the storage/BiP/.LocalLogs/BiPAndroidAppLogs.txt file. Various findings are obtained using this file.

1. The current IP address information and DNS information of the device that uses the application are accessed by searching for “Resolver is using DNS server(s):”. (Figure 20)
2. In order to find which server addresses the application is connected to, it is necessary to look at the “connect to” field in the log file. When the above IP address is searched, it is determined that it belongs to the Turkcell company, which is the manufacturer of BM. (Figure 21)

Figure 20. IP address and DNS information.

Figure 21. IP detection preview.

3. The protocol and encryption method are found using the “cert.version” field (Figure 22).
4. The number of messages and the users are obtained using the “OneToOneChatActivity scr
   info” keyword; field 1 shows the total number of messages and field 2 shows the contact
   information (Figure 23).
5. The people blocked on BM are found by searching for “blocked insert contact” (Figure 24).
6. To find online users, the “isOnline: true” keyword is used (Figure 25).
7. ‘dVersion’ is used to obtain the version number of BM (Figure 26).
8. The “ACTIVE NetworkInfo” keyword is used to access the type of internet connection (1)
   and the SSID information (2) of the device's connection (Figure 27).

Figure 22. Information about protocol and encryption method.

Figure 23. Information about users and the number of messages.

Figure 24. Blocked person information.

Figure 25. Application login time.

Figure 26. Application version.

Figure 27. Internet connection type and SSID.

The keywords used to perform the log analysis and the corresponding screenshots are given
above.
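As an added example that is not code from the paper, the keyword search of steps 1 to 8 carried out programmatically over the log file. The paper gives only the keywords and screenshots, so the line layout, timestamps, numbers and addresses in the sample log below are constructed for this example.

```python
import re
from typing import Dict, List

# Search keywords are the ones used in steps 1 to 8 of the log analysis above.
KEYWORDS = {
    "dns_servers": "Resolver is using DNS server(s):",
    "server_connections": "connect to",
    "tls_details": "cert.version",
    "chat_activity": "OneToOneChatActivity scr info",
    "blocked_contacts": "blocked insert contact",
    "online_contacts": "isOnline: true",
    "app_version": "dVersion",
    "network_info": "ACTIVE NetworkInfo",
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of BiPAndoidAppLogs.txt: the line layout, timestamps, numbers
# and addresses are invented for this example; only the keywords come from the paper.
SAMPLE_LOG = """\
2018-09-01 10:12:03 I/Net: Resolver is using DNS server(s): 192.0.2.53, 192.0.2.54
2018-09-01 10:12:04 I/Net: connect to 203.0.113.10:443
2018-09-01 10:12:05 D/TLS: cert.version=3 protocol=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2018-09-01 10:13:40 D/Chat: OneToOneChatActivity scr info: messages=27 contact=+905550000001
2018-09-01 10:14:02 D/DB: blocked insert contact: +905550000002
2018-09-01 10:14:10 D/Presence: contact=+905550000003 isOnline: true
2018-09-01 10:15:00 I/App: dVersion: 3.52.5
2018-09-01 10:15:01 I/Net: ACTIVE NetworkInfo: type=WIFI ssid="ExampleNet"
"""


def grep_log(log_text: str) -> Dict[str, List[str]]:
    """Collect, per artefact category, every log line containing its keyword
    (case-sensitive substring match, as a manual search in the file would do)."""
    hits: Dict[str, List[str]] = {name: [] for name in KEYWORDS}
    for line in log_text.splitlines():
        for name, keyword in KEYWORDS.items():
            if keyword in line:
                hits[name].append(line)
    return hits


def ip_addresses(log_text: str) -> Dict[str, List[str]]:
    """Separate the resolver IPs (step 1) from the application server IPs (step 2)
    so that each set can be attributed to its owner, e.g. the carrier, on its own."""
    hits = grep_log(log_text)
    return {
        "dns": sorted({ip for h in hits["dns_servers"] for ip in IPV4.findall(h)}),
        "servers": sorted({ip for h in hits["server_connections"] for ip in IPV4.findall(h)}),
    }
```

On a real acquisition, pass the contents of BiPAndoidAppLogs.txt to grep_log; the categories are only as complete as the keyword list, so lines written in another format by a different application version are not picked up.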

5. Conclusions
Mobile forensics is one of the important research areas for information security and digital
forensics. In this study, a mobile forensics analysis methodology is presented for BM, and the
analyses were performed on an Android device. The obtained artefacts can serve as important
findings in a digital forensics investigation. The interpretation of the tables, databases and
fields was given, and the relationships between the data generated by the application were
revealed. Analysis of the messages and contact databases provides the messages and contact
lists. The relationships between the other database tables stored by the application, and the
interpretation of these relationships, are given using the proposed methodology. Thus, when a
user is added to the database or a message is exchanged, the investigator can observe the
change. The location information was extracted and interpreted using the proposed
examination methodology. The proposed methodology also shows that there are significant
differences between rooted and unrooted devices for data acquisition. It was shown that the
data obtained differ with the hidden feature settings of the device. It was shown that the
time-limited messages are deleted from the application but not from the database. The results
of the proposed methodology provide a complete analysis of BM on Android mobile devices,
and it is the first BM analysis methodology in the literature to date.
The obtained results cover only Android mobile devices. iOS-related studies are planned for
the future.

Disclosure statement
No potential conflict of interest was reported by the authors.

Authorship contributions
Conception and design of study: Erhan AKBAL, İbrahim BALOĞLU
Acquisition of data: İbrahim BALOĞLU
Analysis and/or interpretation of data: Erhan AKBAL, İbrahim BALOĞLU, Turker TUNCER, Sengul DOGAN
Drafting the manuscript: Turker TUNCER, Sengul DOGAN
Revising the manuscript critically for important intellectual content: Erhan AKBAL, Sengul DOGAN, Turker TUNCER
Approval of the version of the manuscript to be published (the names of all authors must be listed): Erhan AKBAL, Ibrahim BALOGLU, Turker TUNCER, Sengul DOGAN