NUST Institutional Repository

Profiling Social Media Apps From Encrypted Traffic


dc.contributor.author Muhammad Asad Khan Sudozai
dc.date.accessioned 2023-06-14T11:32:51Z
dc.date.available 2023-06-14T11:32:51Z
dc.date.issued 2019
dc.identifier.uri http://10.250.8.41:8080/xmlui/handle/123456789/34010
dc.description Thesis Supervisor: Dr. Shahzad Saleem en_US
dc.description.abstract Forensic analysis of social media applications has become a challenging area due to powerful encryption. The increasing privacy requirements of users of social media apps are met through strong cryptographic architectures and anonymity of identities over the networks. Data related to users of these secure apps, whether residing on a device or flowing over a network, is mostly cryptic. Consequently, the scope of acquisition of digital evidence related to secure social media apps is not limited to data only, but involves the processing of metadata (data about the data) as well. This research work investigates the problem in a holistic manner and presents a comprehensive framework to profile any social media app from the network forensics (data-in-transit) as well as the device forensics (data-in-memory) point of view. The framework proposed in this research is demonstrated using Instant Messaging and Voice over Internet Protocol (VoIP) calling apps, which are a major subset of social media platforms. A novel methodology of traffic analysis in a strictly controlled environment, managed by a hardware firewall, is introduced for network forensic studies, which makes it possible to explore unknown protocols of secure server-client communications. Extensive traffic analysis with a new methodology of behaviour analysis of encrypted flows resulted in tangible clues for classifying the different services of the apps and their related user activities. For the device forensic part, the profiling framework encompasses the artefacts explored from three dimensions: forensic tools, manual analysis and code analysis (app reverse engineering from the executable file). Against the obfuscated source code files of secure apps, exploring the evidential artefacts through the proposed string matching engine is a new dimension in the device forensic domain.
The efficacy of our proposed framework for profiling social media apps is demonstrated by applying it to a few commonly used IM and VoIP calling apps, including WhatsApp, WeChat, Signal, Viber and IMO. IMO, being unique in its uninterrupted services, was selected as a use case for a step-wise demonstration of our proposed framework in both dimensions of forensic analysis. It is important to note that the proposed framework can be generalized to profile any social media app after slight fine-tuning in accordance with the services offered by that app and the corresponding user activities. Based on our proposed framework for forensic profiling of social media apps, large-scale solutions can be developed for criminal investigations, next-generation firewalls and business intelligence analytics for networks. en_US
dc.publisher School of Electrical Engineering and Computer Science (SEECS), NUST en_US
dc.subject Profiling Social Media Apps From Encrypted Traffic en_US
dc.title Profiling Social Media Apps From Encrypted Traffic en_US
dc.type Thesis en_US

