Social Media Investigation: Mobile Device Forensics Tools Capabilities
The significant development of social media in recent years has an impact on increasing the number of social media platforms and device users around the world. The majority of social media users access their platform via smartphones and have continuous access from location and time. The recent features provided by social media platforms allow the uploaded files such as videos and photos to last a short period of time before disappearing. This is one of the concerns for social media investigators and evidence collection. For instance, a cybercriminal who utilised social media to spread threats or sell illegal drugs and substances, can post a secret code through photos and videos, and know the potential evidence is gone. For that reason, it is a necessity to educate investigators and to figure out the capability of mobile device forensics tools before use. Crimes can and are committed using social media and these social media-related crime cases require examining and retrieving potential evidence from social media applications such as Facebook, Twitter, and Instagram. Usually, the mobile device is the first physical point of entry for evidence.
This thesis reviewed and compared two widely used mobile device forensics tools, namely, MSAB XRY and Cellebrite UFED, with the aim to understand which of those tools possess the greatest useful practical capability for professional practice in handling cyber-crime cases related to social media. The two selected mobile device forensics tools were evaluated in a systematic and forensically sound manner in the research. Four case scenarios were developed, and each case consists of specific data such as social media status (posts), chat messages, photos, and videos. Social media evidence was planted on three Android smartphones: Samsung J5 Prime, Samsung S4 mini, and OPPO A57. To discover which of the chosen forensic tools is better performing in a social media investigation, the testing rating method was implemented. This research will explore the capabilities of mobile forensic tool devices in social media investigations by posing the main research question as follows:
“What are the capabilities of the chosen mobile devices forensics tools (i.e., Cellebrite UFED and MSAB XRY) when examining Social Media applications on Android smartphones in a social media-related crimes investigation?”
The research found that Cellebrite UFED performed better as a mobile device forensic tool than MSAB XRY in the tests described in chapter 3. Several factors contributed to the result such as MSAB XRY 7.6 is unable to examine the OPPO A57 smartphone due to the Android smartphone not yet being on the extractable list for the tool. In contrast, Cellebrite UFED is capable of examining all three smartphones. Moreover, Cellebrite UFED also has more extraction options for file system extraction, which is required most for social media-related cybercrime cases. The research findings also show that Cellebrite UFED surpassed MSAB XRY when retrieving evidence such as social media status (post), photos, and videos from all three social media applications on all three Android smartphones.
The results are helpful for investigators who are alerted to different capabilities in different tools, and also the importance of selecting the best performing tool for any investigation. The findings also suggest that an investigator should not only assess capability before embarking on a social media related investigation but also consider the best combination of tools to use. Each tool has strengths and weaknesses and the selection where one tool compensates for another is the best option. The consideration of cost is also important where time, tools and training have to be optimised to fit the investigation budget. Social media forensic tool capabilities are still developing so an investigator must assess current limitations and issues of the chosen mobile device forensic tool prior to use, and the tool developers need to recognise the limitation of the tools and improve the capability for examining social media applications on smartphones.