WeChat forensic artifacts: Android phone extraction and analysis

Author

Chandrika Silla, Purdue University

Date of Award

Spring 2015

Degree Type

Thesis

Degree Name

Master of Science (MS)

Department

Computer and Information Technology

First Advisor

Marcus Rogers

Second Advisor

Eric Matson

Third Advisor

Baijian Yang

Committee Chair

Marcus Rogers

Committee Co-Chair

Eric Matson

Committee Member 1

Baijian Yang

Abstract

Instant messaging (IM) applications on smart phones are being used across the globe for various modes of communication. They gained popularity mainly due to their cross-platform compatibility and minimal or no cost addition. This popularity is also reflected in their use in criminal activities such as threatening, hate speech, and bullying. Very few publications exist in the mobile forensics domain on the analysis of IM applications on Android phones without gaining root access. Since every IM application follows its own communication protocol, there is a significant diversity in the information that could be stored by IM applications on Android phones. So it is important to know which artifacts related to IM applications could be retrieved by tools reliably. In this work, a known set of data was populated on Android phone using WeChat application. The test phone was logically imaged with Android Debug Bridge (ADB) and Mobile Phone Examiner Plus (MPE+) logical tools. Validity and reliability of the test results produced by logical tools were checked by extracting logical image ten times using each tool. In every extraction, validity was checked by comparing the extracted set of artifacts with known populated set of artifacts. Reliability of each tool was checked by comparing the extracted file names and their hash values from each time with the sets of data from other times. Out of the two tested tools, ADB recovered all the shared media and downloaded documents files with time stamps. Shared media files includes sent and received images, videos, audios, stickers and downloaded images and videos. Additionally, profile pictures of the user and participants were also found

Recommended Citation

Silla, Chandrika, "WeChat forensic artifacts: Android phone extraction and analysis" (2015). Open Access Theses. 615.
https://docs.lib.purdue.edu/open_access_theses/615