AN EXTENDED CFTT EVALUATION FRAMEWORK FOR FORENSIC TOOLS IN SOCIAL MEDIA INVESTIGATIONS

Abstract

Smartphones and Social media applications are particularly prominent in their usage and are often utilized for criminal purposes. Although several mobile forensic tools are available for investigation, it becomes challenging for investigators to select the most suitable tool capable of analyzing different types of social media apps with all available features. Furthermore, there is a lack of a detailed evaluation framework to assess the capability of forensic tools in examining social media apps. In this context, this study aims to propose a social media forensic framework along with 151 test cases. The proposed framework builds upon the CFTT mobile forensics tools evaluation framework. For the experiments, three open-source tools, namely Autopsy, Andriller, and AFLogical, are used, while the social media applications WhatsApp, Telegram, and KalamTime are employed. The experimental strategy consists of three phases. First, various user activities are performed on social media applications. Second, device images are obtained both with and without rooting the devices. The acquired images are then forensically analyzed using the selected tools. Finally, the forensic tools are evaluated based on the proposed test cases. Autopsy had a success rate of 56% for test cases involving built-in mobile features. Regarding social media applications, Autopsy achieved 67% for WhatsApp, 41% for Telegram, and 56% for KalamTime. Andriller, on the other hand, had a success rate of 42% for built-in mobile features and 59% for WhatsApp's social media application. Telegram and KalamTime had success rates of 6% and 4%, respectively. AFLogical succeeded in 14% of the test cases for mobile devices, but it couldn't find any evidence related to social media applications using the proposed test cases. xiv In the future, the proposed test cases can be analyzed on other existing social media apps and forensics tools for broader comparison.