Abstract:
Smartphones and social media applications are widely used and are
often utilized for criminal purposes. Although several mobile forensic tools are available for
investigation, it becomes challenging for investigators to select the most suitable tool capable
of analyzing different types of social media apps with all available features. Furthermore,
there is a lack of a detailed evaluation framework to assess the capability of forensic tools in
examining social media apps. In this context, this study aims to propose a social media
forensic framework along with 151 test cases. The proposed framework builds upon the
CFTT mobile forensics tools evaluation framework. For the experiments, three open-source
tools, namely Autopsy, Andriller, and AFLogical, are used, while the social media
applications WhatsApp, Telegram, and KalamTime are employed. The experimental strategy
consists of three phases. First, various user activities are performed on social media
applications. Second, device images are obtained both with and without rooting the devices.
The acquired images are then forensically analyzed using the selected tools. Finally, the
forensic tools are evaluated based on the proposed test cases. Autopsy had a success rate of
56% for test cases involving built-in mobile features. Regarding social media applications,
Autopsy achieved 67% for WhatsApp, 41% for Telegram, and 56% for KalamTime.
Andriller, on the other hand, had a success rate of 42% for built-in mobile features, 59%
for WhatsApp, 6% for Telegram, and 4% for KalamTime. AFLogical succeeded in 14% of the
test cases for mobile devices, but it could not find any evidence related to social media
applications using the proposed test cases.
In the future, the proposed test cases can be analyzed on other existing social media apps and
forensics tools for broader comparison.