Forensic Investigation Technique on Android's Blackberry Messenger using NIST Framework.
According to Statista , in 2016, the number of smartphone users is estimated to reach 2.1 billion. By 2018, more than 36 percent of the world's population is expected to use smartphones, about 10 percent higher than 2011. As shown on Figure 1, the number of mobile phonec users in the world is predicted to pass the five billion mark by 2019. Among those smartphone users, Android and iOS are the two most popular smartphone operating systems in the industry. This rapid development of Android smartphone sales has an impact on the growing number of applications developed for the Android OS, including instant messaging applications. Developers are competing to create instant messaging applications with user friendly features, one of these application is Blackberry Messenger (BBM). A survey conducted by Global Web Index , stated that in direct comparison with its competitors, BBM ranked 2nd on worldwide users with 81% registered users, Figure 2 shows the graph.
As for Indonesia, a survey conducted by Singaporean online survey organizations We Are Social  at 2016, Blackberry Messenger users ranked first with 19% of users, followed by WhatsApp users with with 14%, the graph shown on Figure 3.
The increasing of BBM users, in addition to lots of positive impacts that caused, also caused many negative impacts. Many people took advantage of BBM's user friendly features to perform digital crimes such as prostitution, pornography, identity theft, cyberbully, etc. Table 1 shows some examples of digital crimes occured by using BBM at Indonesia [4,5,6,7,8].
In the process for solving digital crime cases, necessary supporting evidence is needed. If an android based smartphone became the physical evidence on a case that Blackberry Messenger application was installed, then the application can be analyzed to obtain digital evidence that can be expected to assist law enforcement in solving the cases of digital crimes. The main topic of this paper are to emphasize on the forensic investigation process and to compare mobile forensics tools used in this research by using a framework developed by National Institute of Standard and Technology (NIST) .
2 LITERATURE REVIEW
2.1 Mobile Forensics
Mobile Forensics is a science that performs the process of digital evidence recovery from a mobile device using the appropriate way with forensic conditions . The initial research work in this field has focused on acquisition techniques and general forensic analysis of smart devices . This was shown in Burnette's work in 2002 where he discussed the forensic examination of older versions of the BlackBerry and the hardware and software used for acquisition .
2.2 Cyber Crime
The website of Interpol in cyber crime section stated "Cyber crime is one of the fastest growing areas of crime". These crime cases include attacks against computer data and systems, identity theft, sexual abuse images, internet auction fraud, the deployment of viruses, and various scams such as phishing .
According to the UN (United Nations), cybercrime is: "any illegal behaviour committed by means on relation to, a computer system offering or system or network, including such crime as illegal possession in, offering or distributing information by means of computer system or network". Another definition of Cybercrime is a crime using information technology as instrument or target, and digital forensics, in essence, answer the questions: when, what, who, where, how and why related to digital crime . There are many kinds of cybercrimes: one of the example is cyberbullying, a term that refers to the use of information technology to bully people to send or post text that is intimidating or threatening others .
2.3 Digital Evidence
Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD, and a flash card in a digital camera, among other places. Digital evidence is commonly associated with digital or electronic crime, such as pornography, prostitution, identity theft, phishing, or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just digital crimes .
Android is architected in the form of a software stack comprising applications, an operating system, run-time environment, middleware, services and libraries. Each layer of the stack, and the corresponding elements within each layer, are tightly integrated and carefully tuned to provide the optimal application development and execution environment for mobile devices as shown on Figure 4 .
2.5 Blackberry Messenger
BlackBerry Messenger (BBM) is an application of instant messaging that is developed by Research In Motion (RIM), and originally created for BlackBerry smartphone . As technology advances, BBM is moving beyond Blackberry devices, BBM now become a multi-platfom application that can be installed on Android, iOS, and Windows based smartphone. Since it was created in August 2005, BBM has evolved from a pure messaging application for communication (text and video) to a social eco-system unifying chat, social, commerce and services including games .
2.6 Oxygen Forensic Suite
Oxygen Forensic Suite is a forensic software for extraction and analysis of data from cell phones, smartphones and tablets . This tool offers several hash algorithms and one of which can be selected in each investigation case. Oxygen Forensic Suite also has the capability to provide general information about the smartphone and the network that the device was connected to. The other useful capability from this tool is recovered all contacts, SMS, MMS, and user's files .
Andriller is a utility which consists of various tools for serving various purposes which includes cracking of screen lock pattern, PIN and passwords, decoding of encrypted databases and files, data extraction automatically and unpacking of android backups. This tool kit solves many of mobile forensics needs for the Android OS .
2.8 Belkasoft Evidence Center
Belkasoft Evidence Center is a tool for investigators that can be used to acquire, search, analyze, store and share digital evidence found inside computer and mobile devices. This toolkit will extract digital evidences from multiple sources such as hard drives, drive images, memory dumps, iOS, Blackberry and Android backups. Belkasoft Evidence Center will automatically analyze the data source and lay out the most forensically important artifacts for investigator to review, examine, and report .
The National Institute of Standard and Technology (NIST) has published a framework for mobile device investigation guide called NIST Mobile Forensics, that contained 4 consecutive steps :
1. Collection: or sometimes called Preservation, this process consist of the steps in gathering and documenting the evidence from the perpetrator, the owner, or at the crime scene. Care has to be taken to preserve other forms of evidence.
2. Examination: or sometimes called Acquisition, in this phase actual data is gathered from the device. In an ideal case the data is forensically copied from the phone as well as from the SIM Card. In some cases technical diffculties can prevent a digital accusation of the device. In a worst case scenario only screen captures of the phone can be gathered.
3. Analysis: Now the gathered data is analyzed for clues regarding the possible crime. The analysis can either be done by hand or with the help of software tools. There are many software tools available for that purpose. It is important to use different software tools to gather more detailed analysis. Care has to be taken not to miss a crucial piece of evidence solely because one particular tool didn't have the right feature.
4. Reporting: The last step is the most important. Between the gathering of evidence and the presentation in court a signifcant amount of time can pass. An examiner must be able to present his evidence in a conclusive manner and offer the other party information about the tools and methods used.
Figure 5 shows the graphical picture of these 4 consecutive stages.
Figure 5. NIST Mobile Forensics Stages Collection Examination Identify, label, record, and Processing data that collected retrieve data from relevant forensically using a data sources by following combination of various data integrity perservation scenarios, both automatic procedure and manual, assess and release data as needed while maintaining data integrity. Collection Analysis Identify, label, record, and Analyze the results of the retrieve data from relevant examination by using data sources by following technically and legally data integrity perservation justified methods to obtain procedure useful information and answer the questions that encourage the collection and examination. Collection Reporting Identify, label, record, and Reporting the results of the retrieve data from relevant analysis that includes the data sources by following description of the action taken data integrity perservation the explanation of the selected procedure tools and procedures, the determination of other actions that needs to be done.
4 RESULTS AND DISCUSSION
Collection or Preservation is the earliest stage in mobile forensic methods, and the first thing to do is to search, collect and document the evidence. In this research the evidence is in the form of an android-based smartphone. The result of this stage is as follows:
Examination is the process of physical evidence backup and retrieval of digital data that contained in it. At this stage the cloning process of physical evidence is conducted. The cloning process can be done using various tools, such as MOBILedit Forensic Express . Figure 7 shows the examination result using Oxygen Forensic Suite.
Oxygen Forensic Suite's examination result provide complete data of physical evidence that contained Device Information, Forensic Examiner's Identity, List of Contact, and Installed Application, BBM included.
For examination process that conducted using Andriller, the result provided is an integrated HTML report that contained all the data extracted from physical evidence. Forensic examiner is able to navigate through the HTML formatted report to find digital evidences. The report shown on figure 8.
# This report was generated using Andriller# (This field is editable In Preferences) was generated using Andriller version 18.104.22.168 on 2017-07-15 00:00:00 SE Asia Standt [Andriller Report] SONY C6602 | IMEI:355666050620508 Figure 8. Andriller's Examination Result Type Data ADB serial: BX903FBCZH Shell permissions: root (su) Manufacturer: Model: SONY IMEI: C6602 Android version 355666050620508 Build name: 5.1.1 Wifi MAC: Local time: 00:eb:2d:33:bd:2a Android time: 2017-07-15 00:00:00 SE Asia Standard Time Accounts: 2017-07-09 05:17:19 WIB com.sonyericsson localcontacts: Phone contacts com.google: email@example.com com.bbm.account: BBM Groups com. Whatsapp: WhatsApp Filesystem: Shared Storage (2.221) System: Wi-Fi Passwords (2) Communications data: SMS Messages  Applications data: Blackberry Messenger [158) # andriller.com # (This field is editable in Preferences)
For Belkasoft Evidence Center, the results given from the Examination stage are relatively similar to Oxygen Forensic Suite, ie in the form of complete data on physical evidence and applications installed on the physical evidence, including BBM. Figure 9 shows the result of Examination from Belkasoft Evidence Center.
From the results of this Examination stage, an analysis will be conducted to find digital evidence related to a digital crime case. In this research will be sought digital evidence generated from BBM application.
Analysis is a stage to look Examination result thoroughly to acquire digital evidences. This stage limits the searching process to a certain point that connected to certain data or application. At this research, the search limit is BBM. Analysis stage conducted by Oxygen Forensic Suite resulted in the form of BBM contact pictures that shows some young girls in an inappropriate pose like shown at Figure 10 (due to inappropriate content, part of the picture's been covered).
The analysis process also resulted a data conversation with one of the BBM contact that used an unusual and inappropriate language just like shown on Figure 11.
Based on the result above, there is an indication of an online prostitution transaction that happened. To gain more detailed data, analysis of the next tool is conducted. Andriller's examination result did not produce any pictures or photos due to the software limitation but the conversation's data is fully acquired. The analysis shows a conversation that exactly the same like shown on Oxygen Forensic Suite. Figure 12 shows the conversation analysis result.
As for Belkasoft Evidence Center, due to software's trial limitation, this tool is only able to produce a random part of the BBM data as shown on Figure 13.
The last stage on the mobile forensic investigation method is reporting. At this stage all the analysis's result will be discussed and presented in detail and all artifacts related to the previously obtained from BBM application that showing some indications of a digital crime is documented. The report can be presented based on each tool used on the investigation or by overall report contained all result from all investigation tools.
Oxygen Forensic Suite has the ability to create full reports in various formats, including PDF, the document format that most frequently used. Full Reports from Oxygen Forensic in PDF format is shown in Figure 14
Oxygen Forensic Suite is also able to create partial reports that refer to one application only, in this research, partial reports are made from the BBM application as shown in Figure 15.
Andriller's report generation capability is not as good as Oxygen Forensic Suite or Belkasoft Evidence Center. Compared to both forensic tools, Andriller is a lightweight forensic application with simple features. Reports generated from BBM application are just tables containing conversation recordings. Supported formats are also only in HTML and MS-Excel form. Figure 16 shows the report from Andriller.
As for Belkasoft Evidence Center, the report generation ability is actually quite good, but due to the limitations of the trial version software, the resulting report is only 50%, and taken at random, as shown in Figure 17.
These generated reports from all forensic tools used are expected to become a supporting evidence that can be used in the investigation and solving process of digital crime cases. The chosen method and report's presentation format generally based on the policies of local law enforcements, on the other words, local law enforcements might use local presentation format.
Based on the forensics investigation stages that have been discussed about BBM's digital evidence analysis on Android platform, several things that can be concluded are: There are various way to get digital datas from BBM that installed on Android-based that depends on various factor also, such as type of vendor, smartphone screen security, transfer protocol used, and also BBM and Android version.
Mobile Forensics is needed because mobile-based services are increasing and getting more users, with the growing popularity of mobile computing and mobile commerce, the need of mobile transactions are also getting higher and the chance for digital crimes occured also increased significantly.
There are various forensic tools that can be used by forensic examiners to acquire digital data from physical evidences, various tools means various capabilities also. Some evaluations on forensic tools can be conducted to get an overview what tool that best for digital forensic investigations.
[1.] Statista: Number of smartphone users worldwide from 2014 to 2020 (in billions). Available at https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/.Accessed on August 2, 2017.
[2.] Jason Mander: Telegram, BBM and WeChat users keenest on transferring money. Available at http://blog.globalwebindex.net/chart-of-the-day/telegram-bbm-and-wechat-users-keenest-on-transferring-money/. Accessed on August 3, 2017
[3.] Judith Balea: The latest stats in web and mobile in Indonesia (INFOGRAPHIC). Available at https://www.techinasia.com/indonesia-web-mobile-statistics-we-are-social. Accessed on : August 3, 2017.
[4.] Liputan 6 News: Ditipu Pria Asing Foto Bugil ABG Banyuwangi Menyebar di Internet. Available at http://news.liputan6.com/read/2099669/ditipu-pria-asing-foto-bugil-abg-banyuwangi-menyebar-di-internet?source=search. Accessed on : August 5, 2017.
[5.] Hernowo Anggie: Blackberry Di-Hack, Ki Kusumo Lapor ke Mabes Polri. Available at http://showbiz.liputan6.com/read/2207179/blackberry -di-hack-ki-kusumo-lapor-ke-mabes-polri?source=search. Accessed on : August 5, 2017.
[6.] Mei Amelia R: Polda Metro Bekuk Al Gazali Cs di Palopo Atas Kejahatan Hacker BBM dan Penipuan. Available at https://news.detik.com/berita/3120102/polda-metro-bekuk-al-gazali-cs-di-palopo-atas-kejahatan-hacker-bbm-dan-penipuan. Accessed on August 9, 2017
[7.] Dolly Rosana: Polisi Selidiki Kasus Pembajakan Identitas aplikasi BBM. Available at http://www.antaranews.com/berita/567216/polisi-selidiki-kasus-pembajakan-identitas-aplikasi-bbm. Accessed on August 8, 2017.
[8.] Safar Sijabat: Aurel Sediakan Jasa Layanan Seks Via Medsos di Kota Pekanbaru. Available at https://www.tribratanews.com/aurel-sediakan-jasa-layanan-seks-via-medsos-di-kota-pekanbaru/,accessed on August 11, 2017.
[9.] Anggie Khristian, Yessi Novaria Kunang, and Siti Sa'uda: Forensic Analysis of Whatsapp's Artefact On Android Platform. Bina Darma University. Available at http://digilib.binadarma.ac.id/download.php?id=1336, 2016.
[10.] Ilman Zuhri Yadi and Yessi Novaria Kunang: Forensic Analysis on Android Platform. National Conference of Computer Science (Konferensi Nasional Ilmu Komputer (KONIK)). Available at http://eprints.binadarma.ac.id/2191/1/ilman%20zy-%20analisis%20forensik%20android.2.pdf., 2014
[11.] Asif Iqbal, Andrew Marrington, and Ibrahim Baggili: Forensic Artifacts of the ChatOn Instant Messaging Application. 8th International Workshop on Systematic Approaches to Digital Forensics Engineering. Available at https://pdfs.semanticscholar.org/1265/425a5b913456 56b6b9201b3fe24d0a46d015.pdf., 2013
[12.] Michael W Burnette: Forensic Examination of a RIM (BlackBerry) Wireless Device. Rogers & Hardin LLP. Available at http://web.archive.org/web/20070718221442/http%3A//www.rh-law.com/ediscovery/Blackberry.pdf.,2002
[13.] Masoud Nosrati, Mehdi Hariri, and Alireza Shakarbeygi: Computer and Internet: From a Chronological View. Internasional Journal of Economy, Management, and Social Sciences. Available at
[14.] Imam Riadi, Jazi Eko Istiyanto, Ahmad Ashari, and Subanar: Log Analysis Techniques using Clustering in Network Forensics. International Journal of Computer Science and Information Security (IJCSIS), Vol. 10, No.7, July 2012, pp. 23-30.
[15.] Hariani and Imam Riadi: Detection Of Cyberbullying On Social Media Using Data Mining Techniques. International Journal of Computer Science and Information Security (IJCSIS), Vol. 15, No. 3, March 2017, pp. 244-250.
[16.] National Institute of Justice (NIJ): Digital Evidence and Forensics. Available at https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx. Accessed on August 15, 2017.
[17.] Venkateswara Rao V and ASN Chakravarthy: Survey on Android Forensic Tools and Methodologies. International Journal of Computer Applications (IJCA), Vol. 154, No.8, November 2016, pp. 17-21.
[18.] Tajudin: The Occurence of Code Switching on Personnal Message of Blackberry Messenger. Journal of English and Education, 2013, pp. 103-112.
[19.] BBM: About BBM. Available at https://www.bbm.com/en/about.html. Accessed on August 10, 2017.
[20.] Oxygen Forensic: Smart Forensics for Smartphones. Available at https://www.oxygen-forensic.com/en/.Accessed on August 5, 2017.
[21.] SeyedHossein Mohtasebi, Ali Dehghantanha, and Hoorang Ghasem Broujerdi: Smartphone Forensic: A Case Study with Nokia E5-00 Mobile Phone. International Journal of Digital Information and Wireless Communications (IJDIWC), 2011, pp. 651-655.
[22.] Andriller: Andriller--Android Forensic Tools. Available at http://andriller.com/. Accessed on August 7, 2017
[23.] Belkasoft Evidence Center: Belkasoft Evidence Center 2017. Available at https://belkasoft.com/ec, accessed on August 11, 2017.
[24.] Lars Woolleschensky: Cell Phone Forensics. Seminararbeit Ruhr-Universit at Bochum. Available at https://www.emsec.rub.de/media/crypto/attachments/files/2011/04/cell_phone_forensics.pdf., 2007.
[25.] Mohammad Junaid, Jai Prakash Tewari, Rajeev Kumar, and Abhishek Vaish: Proposed Methodology
[26.] on Smart Phone Forensic Tool. Asian Journal of Computer Science and Technology, Vol. 4, No. 2, 2015, pp. 1-5.
Imam Riadi (1), Sunardi (2), and Arizona Firdonsyah (3)
(1) Department of Information System, Universitas Ahmad Dahlan, Yogyakarta, Indonesia
[2,3] Master of Informatics Engineering, Universitas Ahmad Dahlan, Yogyakarta, Indonesia
(firstname.lastname@example.org, email@example.com, firstname.lastname@example.org)
Table 1. Digital crime that using BBM (observation) No Year Case 1 2014 Pornography via BBM at Banyuwangi 2 2015 BBM Account hacking at Jakarta 3 2016 Online fraud via BBM at Palopo 4 2016 Identity theft via BBM at Palembang 5 2017 Online prostitution via BBM at Pekanbaru Table 2. Evidence's Specification No Specification Physical Evidence's Type Specification 1 Brand Sony 2 Brand Series Xperia Z 3 Model Number C6602 4 OS Android 5 Processor Quad core 1.5 GHz
|Printer friendly Cite/link Email Feedback|
|Author:||Riadi, Imam; Sunardi; Firdonsyah, Arizona|
|Publication:||International Journal of Cyber-Security and Digital Forensics|
|Date:||Oct 1, 2017|
|Previous Article:||Preserving Confidentiality and Privacy of Sensitive Data in e-Procurement System.|
|Next Article:||A Mathematical Model for Resolving Minimum Password Length Controversy.|