Using Dynamic App Finder to Recover More Mobile Artifacts
This is the final blog post in a series of five about recovering third-party mobile chat applications for your digital forensics investigations.
Data recovered from mobile chat apps is critical to many forensic investigations. However, with thousands of mobile chat apps in use today and a steady stream of new apps emerging, identifying, recovering and analyzing mobile chat data has become a challenging and time-consuming task for forensic professionals.
Internet Evidence Finder (IEF) recovers many of the most popular chat applications including BBM, Kik Messenger, WhatsApp, Viber, LINE, Google Hangouts, and many more. We continue to add apps as fast as possible; however, it's nearly impossible to support every chat application out there. Investigators will often come across a less popular app, or even a custom app created by a suspect, that isn't supported by any tool but still requires examination.
Dynamic App Finder is a feature of IEF’s mobile module that helps address this problem. DAF searches for any potential mobile chat app databases located on images or file dumps of iOS or Android mobile devices. It identifies the app name, and then maps the four key fields required to interpret results from most chat apps:
- Sender,
- Receiver,
- Date/time, and
- Message
At the conclusion of an IEF search, Dynamic App Finder displays the names of the discovered chat apps along with the recommended field mapping for each chat database. Field mappings can be accepted as displayed or modified, and are saved by IEF for use in future cases. Full search results with all recovered records for each chat app are displayed in IEF Report Viewer.
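To make the field-mapping idea concrete, here is an added sketch (not IEF's code or its matching rules) that proposes a Sender/Receiver/Date-time/Message mapping for each table in a chat database. It assumes the app stores messages in SQLite, as is common on iOS and Android; the name hints, scoring weights, `map_chat_fields` helper and sample database are all constructed for illustration.

```python
import sqlite3

# Name hints are assumptions for this sketch, not IEF's matching rules.
HINTS = {
    "datetime": ("time", "date", "ts", "created"),
    "message": ("message", "body", "text", "content"),
    "sender": ("sender", "from", "author"),
    "receiver": ("receiver", "recipient", "to_", "dest"),
}

def q(ident):  # quote identifiers read from untrusted evidence
    return '"' + ident.replace('"', '""') + '"'

def plausible_epoch(v):
    """Integer in 2000..2100 as Unix seconds or milliseconds."""
    return isinstance(v, int) and 946684800 <= (v // 1000 if v > 10**11 else v) <= 4102444800

def score(field, column, samples):
    s = 2 if any(h in column.lower() for h in HINTS[field]) else 0
    if field == "datetime":
        return s + (2 if samples and all(map(plausible_epoch, samples)) else 0)
    return s + (1 if samples and all(isinstance(v, str) for v in samples) else 0)

def map_chat_fields(conn):
    """Return {table: {field: column}} for tables where all four fields map."""
    found = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({q(table)})")]
        samples = {c: [r[0] for r in conn.execute(
            f"SELECT {q(c)} FROM {q(table)} WHERE {q(c)} IS NOT NULL LIMIT 20")] for c in cols}
        mapping = {}
        for field in HINTS:  # most distinctive field claims its column first
            free = [c for c in cols if c not in mapping.values()]
            best = max(free, key=lambda c: score(field, c, samples[c]), default=None)
            if best is not None and score(field, best, samples[best]) >= 2:
                mapping[field] = best
        if len(mapping) == len(HINTS):
            found[table] = mapping
    return found

def sample_db():  # constructed data standing in for an unsupported app's store
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE msgs (_id INTEGER PRIMARY KEY, from_jid TEXT, to_jid TEXT, sent_ts INTEGER, body TEXT);
        INSERT INTO msgs VALUES (1, 'alice@example.test', 'bob@example.test', 1400000000000, 'are you there?');
        INSERT INTO msgs VALUES (2, 'bob@example.test', 'alice@example.test', 1400000060000, 'yes');
        CREATE TABLE settings (key TEXT, value TEXT);
        INSERT INTO settings VALUES ('theme', 'dark');
    """)
    return conn
```

Calling `map_chat_fields(sample_db())` proposes a mapping for `msgs` and skips `settings`; as with DAF's recommended mappings, a heuristic result like this is a starting point for the examiner to confirm or correct.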
Dynamic App Finder enables examiners to find chat messages from potentially thousands of apps, regardless of how new or obscure they might be.