Professional Documents
Culture Documents
Bashir2019 Chapter ForensicAnalysisOfLinkedInSDes
Bashir2019 Chapter ForensicAnalysisOfLinkedInSDes
net/publication/333313466
CITATION READS
1 1,444
5 authors, including:
Kashif Saleem
King Saud University
146 PUBLICATIONS 3,482 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Waseem Iqbal on 27 June 2019.
They were able to find various artefacts and their potential lo-
Download
cations. Even deleted artefacts were recovered using Easeus Load apps in Login from
Apps from
software. memory the app
Win AppStore
In 2015, Lee and Chung [31] studied the third-party Viber
and Line apps on Windows 8 and identified that the package
identifications (IDs) could be found by analysing the app
Take a dump
caches. They also located records of account logins, contacts, Logout from Perform
of memory
chats, and transferred files. However, it was limited to dead the app Acvies
and store it
analysis of hard disk.
In 2016, a research [32] focused on reconstruction of arte-
facts from physical memory of Windows 7 was carried out.
Take Bit by Analyze both
This was challenging, since the sections reside in different Report the
Bit image of images to
pages and physical location. results
storage find artefacts
In 2016, Yang et al. [33] conducted live and storage
analysis of Facebook and Skype on Windows 8.1 and found Fig. 9.3 Steps for Application Analysis
contact lists, messages and conversations etc. The network
analysis of these applications was also presented.
In 2016, Pankaj et al. [34] performed forensic analysis of 9.3 Proposed Methodology
Facebook on Windows 10 and found contact list, newsfeed,
messages etc. in SQLite files. However, deleted artefacts In this section, we provide a generic forensic analysis
were ignored. methodology in order to analyse artefacts of APXX files
In 2017, Ababneh et al. [35] carried out forensic study of downloaded from Windows AppStore. The suggested
IMO on mobile and Windows 8. Volatility and Windbg were scenarios for this research are as follows.
used to capture volatile memory image of the OS and search
for artefacts respectively. • Tracking artefacts stored by live analysis of RAM,
In 2017, researchers [36] proposed an automated tool • Analysing of artefacts stored in disk after logging in,
“Plugin for Autopsy” to extract image from volatile memory. • Locating artefacts stored in the registry,
All literature review carried out in this section has been • Manually finding artefacts in the main folder where appli-
summarized in Table 9.2. cations from the Windows AppStore and other folders are
The literature review done above is a blend of live and stored as well.
storage forensic analysis of Windows OS, artefacts recovery
and their potential locations. The forensic analysis of Face- As per the proposed methodology, depicted in Fig. 9.3,
book, Skype and Viber [30, 33, 34] carried out on Windows the application is first downloaded from Windows Appstore
10 is limited in approach. Thus, it is concluded that minimal on a laptop running Windows 10 OS. In our case, LinkedIn
work has been done with regards to forensic analysis of is downloaded and used for some time to generate sufficient
applications on Windows AppStore. Also, major researches user activity. When a user is signed in, the activities per-
are conducted using tools for artefact’s extraction but very formed are stored in RAM. To analyse these activities, we
few have been conducted manually. need to take dump of memory using Dumpit tool. The image
60 S. Bashir et al.
can be analysed using WinHex in order to gather artefacts may not be compatible with all Operating systems and appli-
and their timestamps. cations. Hence, the investigator needs to apply his intellect in
Similarly, for storage analysis, the LinkedIn application order to find all potential evidences [37].
was signed out and then memory dump was taken again using For validation of our proposed technique, we have
FTK imager and analysed carefully. The artefacts can also be tested our methodology on LinkedIn. Few dummy
recovered from registry using captured dumps. accounts were created and activities such as job search,
messaging, invitation, comments and image exchange
etc. were performed. Initial results of RAM, stor-
9.4 Evaluation and Validation age and registry artefacts obtained after analyzing
LinkedIn app show that artefacts were stored in main
The proposed technique follows manual analysis using Hex folder i.e. DiskDrive/Users/System/AppData/Local/Pack-
Editor and manual exploration of artefacts files in order ages/7EE7776C.LinkedInforWindows_w1wdnht996qgy.
to provide in-depth analysis of the selected application on After manual analysis of the images taken in WinHex and
Windows OS. Contrary to this, majority of the techniques FTK imager, it was observed that artefacts were also found in
mentioned in Sect. 9.2 use forensic tools to gather required various other folders outside main folder such as Microsoft
artefacts, which may be incomplete or wrong. These tools edge browser folder, Microsoft\Windows\AppRepository,
Table 9.4 Comparison of techniques 4. W3schools.com: Web statistics: OS platform statistics. http://
Asma Yang Chaudhry Our www.w3schools.com/browsers/browsersos.asp (2016)
Analysis covered [29] [32] et al. [33] technique 5. Majeed, A., Saleem, S.: Forensic analysis of social media apps in
windows 10. NUST J Eng Sci. 10(1), 37–45 (2017)
RAM No Yes Yes Yes 6. Domingues, F.: Digital forensic artifacts of the Cortana device
Storage Yes Partial No Yes search cache on Windows10 desktop. In: 11th International Con-
Registry No No No Yes ference on Availability, Reliability and Security, ARES.2016.44
Salzburg, Austria, IEEE (2016)
Manual No Partial No Yes 7. Singh, B., Singh, U.: A forensic insight into windows 10 jump lists.
Deleted artefacts Yes Yes No Yes Digit. Investig. 17, 1–13 (2016)
8. Khatri, Y.: Forensic implications of system resource usage monitor
(SRUM) data in windows 8. Digit. Investig. 12, 53–65 (2015)
9. Boyd, J.: 35 Insightful and Valuable LinkedIn Statistics. Retrieved
AppData\local\Microsoft\Windows\Notifications, Microsoft\ July 2, 2018., from https://www.brandwatch.com/blog/linkedin-
install agent, ProgramFiles\WindowsApps and prefetch files, statistics/
as tabulated in Table 9.3. 10. De Paula, A.M.G.: Security aspects and future trends of social
The results clearly show that artefacts of LinkedIn app networks. In Proceedings of the Fourth International Conference
of Forensic Computer Science, Brazil (2009)
were stored outside the Main folder as well. Hence if the 11. Iqbal, A., Alobaidli, H., Almarzooqi, A., Jones, A.: LINE IM
criminal deletes the data from the main folder, many useful app forensic analysis. In: 12th International Conference on High-
artefacts can still be gathered through analysis of RAM, Capacity Optical Networks and Enabling/Emerging Technologies
storage and registry to reveal any illicit activity. (HONET-ICT 2015)
12. Fontein, D.: The ultimate list of LinkedIn statistics that matter
Table 9.4 shows the comparison of our proposed tech- to your business. Retrieved February 7, 2017., from https://
nique with some of the existing techniques that were relevant www.linkedin.com/pulse/ultimate-list-linkedin-statistics-matter-
to our case. The comparison highlights that our proposed your-business-dara-fontein
methodology is more effective than other techniques. The 13. Poh, M.: 10 Most Bizarre crimes linked to Facebook. Re-
trieved June 21, 2015, from http://www.hongkiat.com/blog/
proposed technique can also be used to forensically analyze bizarre-facebookcrimes/ (n.d.)
any application downloaded from Windows AppStore as 14. Weise, E.: Banker used LinkedIn to send photo to prospective hire.
well. Retrieved June 15, 2017, from https://www.usatoday.com/story/
tech/news/2017/06/15/recruiter-used-linkedin-send-sex-photo-
prospective-hire/102882292/
15. Amber, U., Nanda, P., He, X.: Online social network informa-
9.5 Conclusion tion forensics. A survey on use of various tools and determin-
ing how cautious Facebook users are? In: IEEE Trustcom/Big-
RAM, storage and registry analysis are equally important DataSE/ICESS.2017.364 (2017)
from application forensic analysis point of view. The litera- 16. Hay, B., Nance, K., Bishop, M.: Live analysis: progress and
challenges. IEEE Secur. Priv. 7(2), 30–37 (2009)
ture review conducted regarding forensic analysis of messag- 17. Hausknecht, K., Foit, D., Burić, J.: RAM data significance in digital
ing and VoIP apps on Windows 10 reveals that minimal work forensics. In: 38th International Convention on Information and
has been done regarding manual forensic analysis of appli- Communication Technology, Electronics and Microelectronics,
cations of Windows Store. Hence, a comprehensive study is MIPRO 2015 – Proceedings (May), pp. 1372–1375 (2015)
18. Thantilage, R., Jeyamohan, N.: A volatile memory analysis tool
presented considering all scenarios to retrieve potential arte- for retrieval of social media evidence in windows 10 OS based
facts. Moreover, the paper has also validated the technique by workstations. In: National Information Technology Conference
identifying artefacts of LinkedIn found at various locations (NITC), Sri Lanka (2017)
after user activity on Windows 10 OS. In future, other trendy 19. Ahmed, W., Aslam, B.: A comparison of windows physical mem-
ory acquisition tools. In: Milcom 2015 track 3 – cyber security and
Windows store apps like Outlook, Grammarly etc. can also trusted computing, IEEE, FL, USA (2015)
be tested on Win 10 or a comprehensive tool be developed. 20. Aljaedi, A., Lindskog, D., Zavarsky, P., Ruhl, R., Almari, F.:
Comparative analysis of volatile memory forensics: live response
Vs. memory imaging. In: Proceedings of 3rd IEEE International
Conference on Privacy, Security, Risk and Trust, pp. 1253–1258
References (2011)
21. Prem, T., Paul Selwin, V., Mohan, A.K.: Disk memory forensics
1. Adeyemi, I.R., Razak, S.A., Azhan, N.A.N.: A review of current re- analysis of memory forensics frameworks flow. In: International
search in network forensic analysis. Int. J. Digit. Crime Forensics. Conference on Innovations in Power and Advanced Computing
5(1), 1–26 (2013) Technologies [I-PACT2017]
2. Carrier, B.: Defining digital forensic examination and analysis tools 22. Alazab, M., Venkatraman, S., Watters, P.: Effective digital forensic
using abstraction layers. Int. J. Digit. Evid. 1(4), 1–12 (2003) analysis of the NTFS disk image. Ubiquit. Comput. Commun. J.
3. Lancaster, D.T.: Windows 10 is now on more than 14 million 4(3), 1–8 (2009)
devices just 24 hours after launch [online]. Available: http:// 23. John, J.L.: Digital forensics and preservation. Digital Preservation
www.windowscentral.com/windows-10-now-14-million-devices- Coalition. Digital preservation handbook, Denmark (2012)
just-24-hours-after-launch (July 2015). Accessed: 13 Sept 2015 24. Zhang, S., Wang, L., Zhang, L.: Extracting Windows Registry Info
from Physical Memory. IEEE (2011)
62 S. Bashir et al.
25. Arshad, A., Iqbal, W., Abbas, H.: USB storage device foren- 32. Dija, S., Suma, G.S., Gonsalvez, D.D., Pillai, A.T.: Forensic recon-
sics for windows 10. J. Forensic Sci. 63(3), 856–867 (2017). struction of executables win 7 physical memory. In: International
https://doi.org/10.1111/1556-4029.13596 Conference on Computational Intelligence & Computing Research,
26. Al Mutawa, N., Al Awadhi, I., Baggili, I., Marrington, A.: Forensic IEEE (2016)
artifacts of Facebook’s instant messaging service. In: International 33. Yang, T.Y., Dehghantanha, A., Choo, K.-K.R., Muda, Z.: Windows
Conference for Internet Technology & Secured Transactions (IC- messaging app forensics: Facebook and Skype as case studies.
ITST), IEEE (2011) PLoS One. 11(3), e0150300 (2016)
27. Zhang, S., Wang, L., Zhang, L.: Extracting windows registry infor- 34. Choudhary, P., Singh, U., Bharadwaj, N.K., Singh, B.: Facebook
mation from physical memory. In: 3rd International Conference on forensics for Win 10. In: 11th Annual Symposium on Information
Computer Research and Development (2011) Assurance, USA (2016)
28. Saidi, R.M., Ahmad, S.A., Noor, N.M., Younas, R.: Window 35. Ababneh, A., Abu Awwad, M., Al-Saleh, M.I.: IMO forensics
registry analysis for forensic investigation. In: Proceedings of the in android and windows systems. In: 8th International Con-
2013 International Conference on Technological Advances in Elec- ference on Information, Intelligence, Systems & Applications
trical, Electronics and Computer Engineering (TAEECE), IEEE (2017)
(2013) 36. Meyers, C., Ikuesan, A.R., Venter, H.S.: Automated RAM analysis
29. Kumar, H., Majeed, P.G., Pundir, S.: Forensic analysis of windows mechanism for windows OS for digital investigation. In: IEEE
server 2008 physical memory. IJSRD-Int. J. Sci. Res. Dev. 2(01), Conference on Application, Information and Network Security
1–4 (2014) (AINS) (2017)
30. Majeed, A., Zia, H., Saleem, S.: Forensics analysis of three social 37. Gaur, S., Chhikara, R.: Memory forensics: tools and
media apps in Window 10. In: 12th International Conference on techniques. Indian J. Sci. Technol. 9(48), 1–12 (2016).
High-capacity Optical Networks & Enabling/Emerging Technolo- https://doi.org/10.17485/ijst/2016/v9i48/105851
gies, IEEE (2015)
31. Lee, C., Chung, M.: Digital forensic analysis on Window8 style
UI instant messenger applications. In: Park, J.J. (ed.) Computer
Science & its Applications. Springer, Berlin (2015)