Digital Investigation Article 2022

   

Forensics study of IMO call and chat app
M.A.K. Sudozai b, Shahzad Saleem b, William J. Buchanan a,*, Nisar Habib b, Haleemah Zia b
a The Cyber Academy, Edinburgh Napier University, Edinburgh, UK
b School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, 44000, Pakistan
Article info
Article history:
Received 4 January 2018
Received in revised form
17 April 2018
Accepted 18 April 2018
Available online 25 April 2018
Keywords:
IMO
Encryption
Android
iOS
Network forensic
Device forensic
Abstract
Smartphones often leave behind a wealth of information that can be used as evidence during an investigation. Many smartphone applications therefore employ encryption to store and/or transmit data, which adds a layer of complexity for an investigator. IMO is a popular application which employs encryption for both call and chat activities. This paper explores important artifacts from both the device and from the network traffic, generated on both the Android and iOS platforms. The novel aspect of the work is the extensive analysis of the encrypted network traffic generated by IMO. Along with this, the paper defines a new method of using a firewall to explore the obscured options of connectivity, in a way that is independent of the protocol used by the IMO client and server. Our results show that we can correctly detect IMO traffic flows and classify the different events of its chat and call related activities. We have also compared the IMO network traffic of the Android and iOS platforms to report the subtle differences. The results are valid for IMO 9.8.00 on Android and 7.0.55 on iOS.
© 2018 Elsevier Ltd. All rights reserved.
Introduction
IMO (http://imo.im) is a free messaging, voice and video call application (app), launched in 2007 by Ralph Harik, Georges Harik and Praveen Krishnamurthy (Crunchbase, May 23, 2013 [accessed 16-March-2017]; Eldon, 2007 [accessed 16-March-2017]). According to a survey conducted in 2016 by App Annie, IMO is one of the top communication apps used worldwide (AppAnnie, 2016 [accessed 16-March-2017]). Apart from its user-friendly design and reliable connectivity, one major factor that contributes to this popularity is its provision of service in countries where competitor apps (WhatsApp or Viber) are blocked by government agencies (Quora, May, 2016 [accessed 17-March-2017]; ProVpnAccounts, May, 2016 [accessed 17-March-2017]).
Our major contribution in this paper is the exploration and analysis of IMO artifacts for:
- The artifacts generated through usage on a mobile device.
- The artifacts generated through usage over the network.
- An investigation of both Android and iOS devices.
The results of the mobile device forensics indicate that IMO stores data in plaintext, so that anyone with control of the smartphone has access to the underlying data. We have conducted a detailed study of the IMO file structure on both the Android and iOS platforms and define the grey areas which can be exploited during a forensics study of IMO.
From the network perspective, it is important to highlight that the communication protocol of IMO, as well as its security architecture, are not known in the public literature. We have performed an extensive traffic analysis of IMO and have introduced the idea of incorporating a firewall into the investigation. The firewall helps to understand the patterns of connectivity and can then regulate the traffic based on a progressive study. We thus forced the IMO client to connect to its servers in a controlled environment, and this arrangement revealed the obscured design of IMO client connectivity to its servers. After this, we experimented with the network activities of IMO on both platforms in order to study the different traffic characteristics.
In Section Related work, we summarize the previous work on the forensic analysis of social media apps. Section Device forensics of IMO covers the device forensics of IMO, including our analysis methodology, the experimental setup for accessing Android and iOS storage/memory, and the results, which are given separately for the two platforms. Section Network forensics of IMO defines the network forensics elements of IMO and discusses the traffic analysis setup and the results for both Android and iOS. Section Crime scene reconstruction demonstrates the application of our results to reconstruct a crime scene involving IMO. The paper is concluded in Section Conclusion.

* Corresponding author. E-mail address: w.buchanan@napier.ac.uk (W.J. Buchanan).
https://doi.org/10.1016/j.diin.2018.04.006
1742-2876/© 2018 Elsevier Ltd. All rights reserved.
Digital Investigation 25 (2018) 5-23
Related work
Over the past few years, users' concerns over their privacy have been increasing, alongside the number of social media apps providing privacy to their users (Taylor et al., 2014). Besides their positive use, the secure services offered by these apps are also extensively exploited in a variety of criminal cases. Digital forensics has thus become a key component of any crime investigation (Seigfried-Spellar and Leshney, 2015; Huber et al., 2011; Brunty et al., 2014). For any mobile social media app, forensics analysis has two dimensions:
- Device forensics. This includes analyzing memory and storage elements (Norouzizadeh Dezfouli et al., 2016).
- Network forensics. This involves the study of network traffic for the different activities of users and services (Lillard, 2010).
The most comprehensive study of network and device forensics of Android social-messaging applications has been carried out by Walnycky et al. (2015). This includes the forensics analysis of 20 of the most popular social media apps for Android. The authors highlight the features of the target apps which leave artifacts of evidentiary value for an investigation. More specifically, the possibility of full or partial reconstruction of a crime scene through network and/or device forensics of these apps was explored. Besides Android, other platforms hosting social media apps, such as BlackBerry and iPhone, have also been studied with respect to their utilization in a digital forensics investigation (Al Mutawa et al., 2012; Tso et al., 2012).
Device and network forensics of popular apps have been carried out regularly. As a leading platform for secure voice, video and chat services, studies on Skype have become fundamental in this domain (Dupasquier et al., 2010; Molnar and Perenyi, 2011). Similarly, artifacts of Viber (Appelman et al., 2011; Marik et al., 2015), Telegram (Anglano et al., 2017) on Android smartphones, Telegram on Windows Phone (Gregorio et al., 2017), WeChat (Wu et al., 2017), ChatSecure (Anglano et al., 2016), Wickr (Mehrotra and Mehtre, 2013), Kik on iOS (Ovens and Morison, 2016) and WhatsApp (Anglano, 2014; Karpisek et al., 2015; Majeed et al., 2015) have also been studied in detail. Azfar et al. (2016) contains a detailed study of Android forensics in which 30 Android apps were examined with a focus on extracting useful information from memory using XRY, a well-known mobile forensics tool. A generic taxonomy of Android forensics is also proposed and correlated with the study of the forensic artifacts of these apps.
Following the same motivation, we chose the IMO app for a forensics study covering both device- and network-based analysis. For the device forensics part, we carried out a study of the IMO file structure on the Android and iOS platforms. This provided a way to find the critical artifacts and their significance. Similarly, a study of the network forensics of IMO is presented for both platforms, in which the network traffic is analyzed to classify the IMO flows and to detect user activities from the sniffed traffic. The novelty of our work lies in the study of IMO at such a scale. Moreover, our methodology of network forensics is interesting because most of the related research is limited to plaintext, whereas we have included encrypted network traffic in our study.
Contrary to other studies of chat and calling apps, where network traffic is sniffed and then analyzed to draw conclusions, a firewall is used to carry out the analysis of IMO client-server communication in a controlled environment. Starting from a known behavior of an IMO client, the firewall is then used to restrict the IMO client traffic and to force it to expose all the alternate connectivity methods. Our methodology of studying the network traffic of IMO in a controlled environment with a firewall is generic and can be used for the network forensics of other apps as well.
Referring to the goal of forensics analysis, which should exhibit the specific properties listed in Anglano et al. (2017), our methodology for both the device and network forensics domains was aimed at achieving completeness, repeatability and generality. The limitations we observed during the course of our study are clearly highlighted for future work. It is important to mention that the results of this paper are presented with reference to specific versions of Android and iOS, but the conclusions are applicable to contemporary versions of Android and iOS with their supporting handsets.
Device forensics of IMO
Analysis methodology
We carried out device forensics of the IMO app on Android and on iOS separately. Our device forensics methodology focuses on identifying the maximum possible artifacts from the device's internal and external memory. Analyzing the IMO app on both Android and iOS makes our work more comprehensive, as each platform has unique identifiers and the methods of access to one are not applicable to the other.
The work flow of our methodology for the device forensics of IMO is depicted in Fig. 1. It starts with assessing the functionalities of the IMO app which can be significant in generating artifacts of relevance to a forensics analysis. The impact of merely installing the IMO app on the mobile is observed without configuring an account. In the next step, the account is configured and the file structure of the mobile memory/storage is analyzed to identify any changes. All the important locations of IMO files are then determined along with their formats. The last stage consists of functionality experiments: a functional aspect is exercised and the resulting changes in the IMO files are analyzed. The IMO files can be extracted from mobile memory whenever required during any of the above stages for content analysis and correlation. Artifacts are then studied in order to identify their mappings to the different activities of an IMO user.
Fig. 1. Work flow of Device Forensics of IMO.
Analysis of IMO functionalities
As shown in Fig. 1, the first step of our work flow is to identify those functionalities of the IMO app which are important for the forensics analysis of the mobile device. Like any calling and chat app, IMO provides a long list of features including live chat, voice call, video call, media sharing (photos and video), story sharing, group chat, and so on. Starting from the installation of the IMO app on a mobile device, the app features and user activities which leave possible traces of information in mobile storage are:
a) Installation of IMO app. Different chat and calling apps follow
different file structures upon installation. Many files and folders
are created in both user and system space during the installa-
tion process. Identifying the location of these files and folders
along with their usage can be important for an investigator.
b) Account configuration. After the installation, the account
configuration of IMO user is an important event and which
has a unique impact on file storage. According to the specific
user credentials and app permissions that are granted, a
number of databases of IMO are updated.
c) Fetching contacts list of users from a mobile. Depending upon
the settings and permissions, IMO fetches contacts which are
already stored on the device. Details of these contacts and
their format can help in forensics analysis of IMO.
d) Exchange of chat messages. IMO provides the functionality of
message exchange including voice clips, stickers, images,
videos, and so on. All chats are encrypted before trans-
mission, however the IMO app stores these messages in
plaintext form. The location and format of each type of these
artifacts is important from forensics point of view.
e) Status of chat messages. Like other contemporary apps, IMO
maintains the status of chat messages including delivered,
read, and so on. Specific identifiers indicating the status of
different messages are fixed by IMO.
f) Voice and video calls. IMO provides the functionality of audio and video calls, which are encrypted. Records of these calls are maintained in memory and their location could be important to any crime scene investigation involving IMO.
The results for Android and iOS forensics show a good deal of similarity. However, access to mobile storage differs in each case, as do the file structures and the format of the artifacts extracted from mobile memory/storage, so Android and iOS are outlined separately.
Device forensics on Android
Experimental setup
We installed IMO on a rooted Samsung Galaxy S6 running Android 6.0.1. From a Ubuntu 16.04 terminal, the following steps were taken to access the smartphone's file structure:
- Run the command adb shell. This runs the Android Debug Bridge (adb) tool in order to access the mobile memory.
- Press Allow on the mobile against the prompt Allow access to mobile data.
- The user is then dropped into the shell shell@zeroflte:/$.
- To gain root privileges, we ran su. Root privileges are indicated by the prompt root@zeroflte:/#.
- Entering the command ls displays all the files and folders on the mobile in both user and system space.
To identify the file structure of the IMO app, we carried out a number of controlled activities related to text, voice, and video chats, and observed their corresponding traces within the different storage records maintained by IMO. These were validated using Helium Backup (Chris, 2014 [accessed 3-June-2017]) to retrieve the .db files of the IMO app. Finally, Android Backup Extractor and DB Browser for SQLite were used to analyze the contents of the storage elements against each activity.
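The acquisition steps above can be scripted so that every evidence copy is hashed before it is opened. The following script is an added example for this page, not tooling from the paper. It assumes adb is on the PATH, the handset is authorized for USB debugging and `su -c` works as on the paper's rooted device; the database path follows the paper's description of the com.imo.android.imoim folder (Android convention: the sub-folder is `databases`), and the log format is the example's own. `adb pull` runs as the unprivileged shell user and cannot read /data/data, which is why the file is streamed through `su -c cat` with `adb exec-out`.

```python
"""Acquire IMO's SQLite databases from a rooted Android device over adb.
Added example, not the paper's tooling. Assumptions: adb on PATH, USB
debugging authorized, `su -c` available (paper's rooted handset); paths
follow the paper's file-structure description."""
import hashlib
import os
import subprocess
from datetime import datetime, timezone
from typing import Dict, List, Optional

IMO_DB_DIR = "/data/data/com.imo.android.imoim/databases"
# Files the paper reports in that folder. A -journal file may still hold
# pages of a rolled-back transaction, i.e. data no longer in the main db.
IMO_DB_FILES = ("imofriends.db", "imofriends.db-journal",
                "accountdb.db", "accountdb.db-journal")


def adb_pull_command(remote_path: str, serial: Optional[str] = None) -> List[str]:
    """Command that streams a root-only file to stdout: `adb pull` cannot read
    /data/data, so the file is read via `su -c cat`; `exec-out` gives raw
    bytes without tty newline mangling."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["exec-out", "su", "-c", f"cat {remote_path}"]
    return cmd


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large files are handled too."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(out_dir: str, serial: Optional[str] = None) -> Dict[str, str]:
    """Pull each IMO database file into out_dir; return {filename: sha256}.
    Files that are absent or empty on the device (e.g. accountdb.db before
    an account is configured) are skipped rather than written as evidence."""
    os.makedirs(out_dir, exist_ok=True)
    hashes: Dict[str, str] = {}
    for name in IMO_DB_FILES:
        proc = subprocess.run(adb_pull_command(f"{IMO_DB_DIR}/{name}", serial),
                              capture_output=True, check=False)
        if proc.returncode != 0 or not proc.stdout:
            continue
        local = os.path.join(out_dir, name)
        with open(local, "wb") as fh:
            fh.write(proc.stdout)
        hashes[name] = sha256_file(local)
    append_custody_log(os.path.join(out_dir, "acquisition.log"), hashes)
    return hashes


def append_custody_log(log_path: str, hashes: Dict[str, str]) -> None:
    """One line per file with a UTC timestamp (format is this example's own)."""
    stamp = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a") as fh:
        for name, digest in sorted(hashes.items()):
            fh.write(f"{stamp} {name} sha256={digest}\n")


if __name__ == "__main__":
    for name, digest in acquire("imo_evidence").items():
        print(f"{name}: {digest}")
```

Analysis should then be done only on these hashed copies, never on the live device, so that the hash recorded at acquisition can be re-verified later.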
Results and their analysis: Android device
Following the steps of our work flow shown in Fig. 1, the file structure of IMO on Android was identified and is shown in Fig. 2. The following section describes the files and folders identified during the device forensics of IMO on the Android platform.
Main folders of IMO file structure. Upon installation of IMO on Android, three main folders are created at fixed locations:
- com.imo.android.imoim-1 at /data/app/.
- com.imo.android.imoim at /data/data/.
- IMO at /data/media/0/. This is the location of the SD card or user-accessible memory, which is normally visible over a USB connection to a PC, even without root privileges.
The sub folders and files which are created within each of the
main folders are depicted in Fig. 2. We now discuss the important
files, their locations and related artifacts stored by IMO with their
mapping to functionalities discussed in Section Analysis
methodology.
File structure of com.imo.android.imoim-1. Like other popular chat and calling apps, namely WhatsApp, Signal and Telegram, IMO creates this folder in device memory at /data/app/. Each of these apps stores its basic apk file along with other associated files in its app folder. IMO also creates a folder named IMO in the app folder, and the base.apk file is stored there.
File structure of com.imo.android.imoim. IMO stores most of its user-related artifacts in this folder. This location is critical because artifacts related to user credentials/activities are stored there. We experimented with the user activities outlined in Section Analysis methodology and observed their corresponding storage patterns. Referring to Fig. 2 again, the following explains the files and folders at this location.
a) cache folder. IMO stores sent images and videos in the cache folder, whereas received images and videos are stored in user space within the IMO folder. This is discussed in detail in a following section. All these images and videos are stored in unencrypted form in the device memory.
b) Databases folder. From a forensics point of view, the Databases folder is one of the most important components of the IMO file structure. Upon installation of the IMO app, the following two files are created in this folder before account configuration:
- imofriends.db.
- imofriends.db-journal.
c) After the user account is configured with the IMO servers, the app creates two additional files in the Databases folder:
- accountdb.db.
- accountdb.db-journal.
imofriends.db is an important file as it contains a wealth of information related to the contacts, their chats, timestamps, telephone numbers, emails, and a great deal of other information.
imofriends.db. This is the main database file in which IMO maintains the records of users and their associated activities in plaintext form. These records include a number of tables containing information of evidentiary value, such as phonebook entries, email IDs, call logs, chat logs and chat messages, and so on. The different tables created by IMO in this database are shown in Fig. 3. We observed plaintext data in all these tables. The data relates to activities including chats and call logs as defined in Section Analysis methodology. We now discuss the contents of these tables along with their mapping to user activities, as these can help in crime scene reconstruction.
i) imo_phonebook. During the installation process, IMO accesses the mobile phonebook data according to the permissions granted and saves it in the table imo_phonebook. The structure of this table is shown in Fig. 4. We observed that IMO stores all the critical information related to the contacts in plaintext form, as shown in Fig. 5. We carried out experiments on a number of user accounts and verified that, for any unique mobile number of a user, IMO assigns a unique and fixed identifier named uid. Any IMO user can be tracked through this unique identifier, which can therefore be considered one of the most important artifacts of IMO. Moreover, IMO also keeps a record of the number of incoming and outgoing GSM calls and GSM messages (SMS) in this table. The reason for storing this information about calls and SMS is unknown, but it can prove helpful in an investigation.
ii) A separate record of all users and their mobile numbers is stored in the table phonebook_numbers, as shown in Fig. 6.
iii) Similarly, the table messages is used to store chat messages in plaintext, as shown in Fig. 8. It is important to note that even the email addresses and phone numbers of the IMO users are stored in plaintext in the column imdata of this table. Through repeated experiments with chat messages for different scenarios of text, images, videos, and so on, we decoded the values of the different fields of the table, as shown in Fig. 7. These can be useful in a forensics analysis of IMO during an investigation.
iv) IMO also tracks the timestamps of different activities, which are stored in the tables discussed above. Through forced messaging activities on IMO, we verified our interpretation of the timestamps using an on-line conversion tool (http://timestamp.online/).
v) The table calls_only stores call logs in plaintext, as shown in Fig. 9.
vi) The table stories is used to save artifacts related to the Story sharing feature of IMO, as shown in Fig. 10. All these details are stored in plaintext form.
vii) Contents accessible from IMO servers. One of the most critical results of our study of IMO is the on-line accessibility of uploaded contents (images and videos) from its servers without any authentication. A field object_Id exists in different tables within imofriends.db and contains the direct link to a specific uploaded content on the IMO servers. By entering this object_Id in a browser as the URL https://imo.im/s/object/object_Id/, the content uploaded by the IMO client is directly accessible. During an investigation, retrieving the object_Id from imofriends.db will enable an investigator to retrieve the exact content shared via the IMO servers, even if the content has been deleted from the mobile device. Fig. 11 shows the different locations of object_Id in tables within imofriends.db. The object_Id of uploaded content is placed either in the imdata record or, for profile images, in the icon record of the different tables.
Fig. 2. File structure of IMO in Android.
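The two artifacts above that need decoding rather than just reading, the epoch timestamps of item iv) and the object_Id values of item vii), can be triaged offline from a pulled copy of imofriends.db. The following is an added example for this page, not the paper's code. The table names are the paper's; the column names, the assumption that imdata is JSON with an object_id key, that the icon column holds the identifier directly, and that timestamps are Unix epoch values in seconds or milliseconds are all this example's own, and the sample database it builds is constructed. It only builds the URLs and does not fetch them: a fetch is a live request to a third-party server, which should be logged as an investigative action and can only succeed while the server still retains the object.

```python
"""Offline triage of an acquired copy of IMO's imofriends.db.
Added example, not code from the paper. Table names follow the paper;
column names, the JSON layout of imdata and the timestamp units are
assumptions, and the sample database is constructed for illustration."""
import json
import os
import re
import sqlite3
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

OBJECT_URL = "https://imo.im/s/object/{}/"   # URL pattern reported in the paper
OBJECT_COLUMNS = ("imdata", "icon")           # columns the paper names as carriers
# Assumed fallback when imdata is not valid JSON: ids are URL-safe tokens.
OBJECT_ID_RE = re.compile(r'"object_id"\s*:\s*"([A-Za-z0-9._-]+)"')


def open_readonly(path: str) -> sqlite3.Connection:
    """Open the evidence copy read-only so SQLite never writes to it
    (a read-write open would replay and delete a hot -journal file)."""
    return sqlite3.connect(f"file:{os.path.abspath(path)}?mode=ro", uri=True)


def list_tables(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def normalize_epoch(value) -> Optional[str]:
    """Epoch number -> UTC ISO-8601. The unit (s, ms, us, ns) is guessed
    from magnitude (assumption); None for non-numeric input."""
    try:
        raw = int(value)
    except (TypeError, ValueError):
        return None
    for divisor in (1, 10**3, 10**6, 10**9):
        secs = raw / divisor
        if secs < 10**10:                       # seconds before year 2286
            return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
    return None


def _walk(node, key=None):
    """Yield (key, leaf) pairs from nested JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v, key)
    else:
        yield key, node


def extract_object_ids(column: str, value) -> List[str]:
    """icon: the value is taken as the id (assumption). imdata: assumed JSON
    with an object_id key, regex fallback if it does not parse."""
    if not isinstance(value, str) or not value:
        return []
    if column.lower() == "icon":
        return [value]
    try:
        data = json.loads(value)
    except ValueError:
        return OBJECT_ID_RE.findall(value)
    return [v for k, v in _walk(data) if k == "object_id" and isinstance(v, str)]


def object_ids_by_table(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Scan every table's imdata/icon columns for object_Id values."""
    found: Dict[str, List[str]] = {}
    for table in list_tables(conn):
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        targets = [c for c in cols if c.lower() in OBJECT_COLUMNS]
        if not targets:
            continue
        select_cols = ", ".join(f'"{c}"' for c in targets)
        ids: List[str] = []
        for row in conn.execute(f'SELECT {select_cols} FROM "{table}"'):
            for col, val in zip(targets, row):
                ids.extend(extract_object_ids(col, val))
        if ids:
            found[table] = ids
    return found


def object_url(object_id: str) -> str:
    return OBJECT_URL.format(object_id)


def build_sample_db(path: str) -> None:
    """Constructed sample: paper's table names, invented columns and rows."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE imo_phonebook (uid TEXT, name TEXT, phone TEXT, icon TEXT);
        CREATE TABLE messages (buid TEXT, timestamp INTEGER, imdata TEXT, message_type TEXT);
        CREATE TABLE calls_only (buid TEXT, timestamp INTEGER);
    """)
    conn.executemany("INSERT INTO imo_phonebook VALUES (?,?,?,?)", [
        ("u0001", "Alice", "+10000000001", "abc123profile"),
        ("u0002", "Bob", "+10000000002", None)])
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?)", [
        ("u0001", 1514764800000, '{"type":"photo","object_id":"img9f8e7d"}', "photo"),
        ("u0002", 1514851200000, '{"type":"text","msg":"hi"}', "text")])
    conn.executemany("INSERT INTO calls_only VALUES (?,?)", [("u0001", 1514764800)])
    conn.commit()
    conn.close()


def triage(path: str) -> Dict[str, object]:
    """Tables, object URLs per table, and normalized call timestamps."""
    conn = open_readonly(path)
    try:
        urls = {t: [object_url(i) for i in ids] for t, ids in object_ids_by_table(conn).items()}
        calls = [normalize_epoch(r[0]) for r in conn.execute("SELECT timestamp FROM calls_only")]
        return {"tables": list_tables(conn), "object_urls": urls, "call_times": calls}
    finally:
        conn.close()


if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "imofriends.db")
    build_sample_db(sample)
    print(json.dumps(triage(sample), indent=2))
```

Pulling the -journal file alongside the database matters here: with a read-only open, SQLite refuses to roll back a hot journal instead of silently rewriting the copy, so the journal's pages can be examined separately.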