Journal of Digital Forensics, Journal of Digital Forensics,

Security and Law Security and Law

Volume 17 Article 1

January 2022

Forensic Discoverability of iOS Vault Applications Forensic Discoverability of iOS Vault Applications

Alissa Gilbert Purdue University, gilbera@purdue.edu

Kathryn C. Seigfried-Spellar Purdue University, kspellar@purdue.edu

Follow this and additional works at: https://commons.erau.edu/jdfsl

Part of the Computer Law Commons, Information Security Commons, and the Law and Society

Commons

Recommended Citation Recommended Citation Gilbert, Alissa and Seigfried-Spellar, Kathryn C. (2022) "Forensic Discoverability of iOS Vault Applications," Journal of Digital Forensics, Security and Law: Vol. 17 , Article 1. DOI: https://doi.org/10.15394/jdfsl.2022.1773 Available at: https://commons.erau.edu/jdfsl/vol17/iss1/1

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact commons@erau.edu.

(c)ADFSL

Forensic Discoverability of iOS Vault Applications Forensic Discoverability of iOS Vault Applications

Cover Page Footnote Cover Page Footnote The abstract for this paper was presented at the 72nd Annual Scientific Meeting of the American Academy of Forensic Sciences, AAFS, Anaheim, CA.

This article is available in Journal of Digital Forensics, Security and Law: https://commons.erau.edu/jdfsl/vol17/iss1/1

JDFSL 2021

FORENSIC DISCOVERABILITY OF IOSVAULT APPLICATIONSAlissa Gilbert, Kathryn Seigfried-Spellar

Purdue University, gilbera@purdue.edu, kspellar@purdue.edu

ABSTRACTVault Applications store potentially sensitive information on a smartphone; and are availableon Android and iOS. Using these applications could be used to hide potential evidence orillicit photos. After comparing five iOS photo vaults, each vault left evidence and photosbehind. However, of the three forensic toolkits used, each produced different results in theirscans of the phone. The media left behind was due to the photo vaults not protecting theirinformation as claimed and using basic obfuscation techniques in place of security controls.Future research will look at how newer security controls are implemented and if they areeasily discoverable.

Keywords: vault apps, sexting, privacy, digital forensics, iOS forensics

1. INTRODUCTION

Sexting has become more commonplace inmobile communications, which led to manyvault apps appearing on mobile phone ap-plication stores, such as the App Store foriPhones. Vault applications have gained me-dia attention stating these vault apps helpkeep your private photos safe. Previous re-search suggests that 40% of Android vaultapplications stored passwords in cleartext,and one third did not encrypt photos (Zhang,et al., 2017). These findings suggest that iOSapplications may also not live up to theirstandards. If vault applications securely con-ceal private photos, they should not be easilyfound when imaged forensically. The follow-ing study describes the use of vault applica-tions and their effectiveness in hiding andsecuring the user’s private photos.

2. LITERATUREREVIEW

2.1 Vault ApplicationsThe world has become dependent on digi-tal sources of information, and the use ofcomputer-based systems has been commonintoring, processing, and transmitting data(Palmer, 2001). A drive for the progress oftechnology is correlated to an increase in pub-lic dependency on it and has led to the fur-ther integration of technology into daily life(Oriwoh, et al., 2013). As the number of so-lutions provided by technology increases, theamount of information stored about an indi-vidual subsequently increases (Palmer, 2002).This has raised concerns for security and pri-vacy for the vast amount of generated userdata. While ways to secure and hide dataare consistently being developed (Garfinkel,2010), one such implementation is "vault ap-plications."

© 2021 JDFSL Page 1

JDFSL 2021

These vault applications store informationprivately on laptops, personal computers, mo-bile phones, and tablets (Newton, 2018). Themost common use of vault applications forphoto vault storage of sensitive or sexual uses(Lovejoy, 2017). There are multiple photovault applications available to users on allmobile devices. These applications allow theuser to securely store personal data, whichmakes it difficult for anyone except the de-vice’s owner to view the files even if theyhave access to the device (Zhang, et al., 2017).These mobile vault applications often disguisethemselves by pretending to look like otherapplications or only displaying informationwhen they enter a valid password (Newton,2018).

These images need to be kept securelyfor personal privacy and to avoid any un-wanted malicious activity towards the sender.Similarly, due to the frequent use of phones,users may also possess pictures of sensitiveor personally identifiable information (suchas social security numbers, passports, health-related information, and others). An addi-tional layer of security and privacy is addedto a person’s device (Newton, 2018).

On the contrary, it is also possible for mali-cious actors to use these applications to hidepictures that may be illegal or show illegalactivity. For example, a criminal may storesexually explicit images of children or pic-tures relating to an illegal sale of drugs onthese vault applications. In such cases, vaultapplications may serve as a hindrance to lawenforcement. Vaults are developed to safe-guard a user’s privacy and hide personal databut can also be misused to hide any incrim-ination files in case of a crime. This meansthe implications of such applications need tobe viewed from a user security perspectiveand investigative anti-forensics standpoint(Zhang, et al., 2017).

In previous research on Android devices,vault applications were easily discovered by

digital forensic toolkits. In a study byMichaila Duncan and Umit Karabiyik, all64 of their investigated vault apps were de-tected during forensic analysis. While theresearchers expected to find all unencrypteddata, more advanced tools were able to de-crypt images and locate them, leading to a100% success rate on recovery (2018). An-droid has more options for jailbreaking, appsavailable, removable media, and other op-portunities that make it easier to investi-gate many applications versus a more limitedphone with limited storage.

2.2 Relevance to InvestigationsDuring investigations, law enforcement ismuch more likely to encounter a suspect witha mobile device than a computer (Marturana,et al., 2011). Mobile forensics can reveal a sig-nificant amount of data ranging from an indi-vidual’s communication to their travel habits(Tassone, et al., 2013). Mobile devices con-tain the most relevant evidence per gigabyte(SANS, 2019). This has caused an increasingdemand for the analysis of forensic artifactsof interest on mobile phones (Palmer, 2001).In addition, forensic artifacts extracted frommobile devices could serve as evidence in bothcivil and criminal court cases (Adams, et al.,2008).

For mobile devices acquired during an in-vestigation, vault applications may be presenton the suspect’s phone, which may be used tohide any incrimination files in case of a crime.Zhang (Zhang, et al., 2017) describes a casein which around half of the students froma Colorado high school used "calculator-likevault applications to distribute and hide hun-dreds of nude photos of themselves." In suchcases, while traditional digital forensic toolsmay be able to recover photos directly storedon the phone, they may not be able to findthose secured by photo vaults (Zhang, et al.,2017). Due to these vault applications, it isnecessary to assess what kinds of information

Page 2 © 2021 JDFSL

JDFSL 2021

can still be recovered forensically and findnew ways to extract actionable informationdespite these anti-forensic measures.

2.3 iOS Application TestingMethods

2.3.1 Forensics of mobile devices.

Mobile phones contain gigabytes of informa-tion about the user’s behavior, location, con-tacts, interests, and beliefs (Abdulla Alghafli,et al., 2012). In the case of vault applica-tions, information the user wants to keep pri-vate. Al-Zarouni (Al-Zarouni, 2006) statedthe main issues with extracting and analyz-ing information from mobile technology: itrequires specialized interfaces, storage media,and hardware. Similarly, the file system re-sides in volatile memory, requiring the phonesto be powered on for analyses; each phonecontains different operating systems based onthe type and file system in place (Al-Zarouni,2006).

Based on methods used to acquire datafrom mobile phones, acquisition methods canbe classified into four basic categories: man-ual, logical, physical, and chip-off (AbdullaAlghafli, et al., 2012). The manual acquisi-tion is the simplest method to gather dataoff the phone, as it involves using buttonsand keypads to browse through the phone’scontents manually. This method will be in-effective, as all vault applications requiresome password or authentication mechanism,which the investigator would not be awareof (Newton, 2018). Most existing tools indigital forensics use logical extraction, whichinvolves retrieving information in the logicalpartitions of the mobile phone’s memory (Ab-dulla Alghafli, et al., 2012). This researchstudy utilized logical acquisition as it was theonly available method. The physical acquisi-tion of phones is based on "copying the en-tire physical memory locations of the phonememory chip." A chip-off involves reading

data from the chip to acquire the internalnon-volatile memory. The success of thesemethods is dependent on the file and operat-ing system, as well as if the device requiressuccessful authentication for the user to gainaccess (Jansen Ayers, 2007).

2.3.2 iPhone forensics

Since iPhones make up a large portion of thephone market, multiple studies have beenconducted on iPhones and data extraction.Based on logical extractions of iPhones, Mu-tawa and colleagues (Mutawa, et al., 2012) aswell as (Awan, 2015) could recover multipleforensics artifacts of value from common so-cial media platforms such as user and frienddata, profile pictures, timestamps, commentsand posts, and in some cases, chats and cook-ies. Yang, Dehghantanha, Choo, and Muda(Yang, et al., 2016) as well as Husain andSridhar (Husain Sridhar, 2009), were able toextract information from instant messagingapplications such as AIM, Yahoo Messen-ger, and Google Talk on iPhones and extractinformation such as login credentials, loginmetadata, and conversation history. Third-party applications from devices, such as theiPhone, contain a significant amount of data,and proper analysis can prove beneficial toan investigation (Levinson, et al., 2011). Aforensic analysis of an iPhone can also un-cover deleted files. Like a computer, deletingthe file will only delete the link to the file orthe data (Zdziarski, 2008).

While the extraction of such informationwas possible with older iPhones, Apple hasmade it harder to gain access to a user’siPhone (Norouzizadeh Dezfouli, et al., 2016).When acquiring images from iPhones, thelogical method is always possible, but theoverall data acquired is limited; full physicalacquisition is not possible on most iPhones(Jansen Ayers, 2007). However, the phys-ical method always works on iPhones thathave been jailbroken by the user (Abdulla

© 2021 JDFSL Page 3

JDFSL 2021

Alghafli, et al., 2012). Physical acquisitionis still possible on iPhones below iPhone 5s,and a significant amount of data can be foundon file system dumps of iPhones containingiOS version 9 and below. Beginning withiOS version 10.3, it is harder for current toolsto extract several information files success-fully unless the iPhone is jailbroken (HoogStrzempka, 2015). The iPhone in this studywas past iOS 9 and could not be analyzedphysically, only logically.

Some newly updated tools can extract rel-evant information from iPhones, but cannotlink them to an application; manually parsingthrough the files could still provide investiga-tors with valuable data (Yang, et al., 2016).Since the filesystem was completely changedin iOS 11 to Apple’s own creation and limitedliterature exists on iOS 11, it is difficult to sayhow it will affect the extraction and analysisof iPhones. As an additional complication,users are now required to enter the phonepasscode or backup password each time aniPhone with iOS 10.3 or above is plugged intoa computer (Newton, 2018). This makes itmore difficult for investigators, as they wouldneed to obtain the password from the suspectto access the phone. However, researcherssuch as Iqbal, Iqbal, and Al Obaidli (Iqbal, etal., 2012) are developing tools to acquire andanalyze Apple devices without jailbreakingthe device.

In terms of this study, these struggles withiPhone forensics might impact the study’sphotos acquisition. Without the phone beingjailbroken, the results and accuracy of the ac-quisition might be skewed in that some of theevidence was left behind (i.e., not recovered).

2.3.3 iPhone Vault testing

Generally, information about third-party ap-plications can be found in the User Datapartition of the iPhone device, which shouldbe similar in the case of the vault-based ap-plications (Levinson, et al., 2011). While

limited literature exists on vault applications,a recent study by Zhang (Zhang, et al., 2017)analyzed vault applications on Android de-vices. Their results showed that around 67%obfuscated the vault code, and around 28%used native libraries, which negatively af-fected reverse-engineering the code for break-ing into the applications. Zhang, however,was still able to find and view hidden dataon the device without having any privilegedaccess on the phone. Approximately a thirdof the vaults did not encrypt photos, whilenearly 44% did not encrypt videos; ∼40%also stored the password in cleartext. It wasalso possible to break into some of the vaultapplications by swapping the password filewith a custom one (Zhang, et al., 2017). Sinceno such testing is performed on the iPhoneand iOS ecosystem, we conducted a similarstudy for commonly used vault applicationson iPhone devices.

3. METHODSTo test the privacy and effectiveness of thevault apps, a mix of photos were assigned tomultiple vault apps, then analyzed forensi-cally to see what artifacts would be left bythe application. If the vault apps were tomaintain security and privacy for the images,there should not be a readable copy of thepicture on the phone. This would also be suc-cessful if a photo is found but encrypted. Thevault application failed when we found the"hidden" photos as readable objects where abasic imaging processor determined the im-age content. Ideally, the file name should notbe discovered as well.

3.1 PhotosNature photos were obtained from CreativeCommons under the Attribution (cc-by). Dif-ferent file name structures were also changedto observe any modification from the vaultapplications. See Figure 1 for the variations

Page 4 © 2021 JDFSL

JDFSL 2021

Figure 1. Photo Vault Apps and EvidenceAcquisition

of photo names. Nature images that did notinclude pictures of people were used as benigntest images. These images were under thecc-by license, which allowed for convenience.These photos were then added to the iPhonewithout additional image artifacts, such asthumbnails or copies. Any copies found wereat the creation of the vault applications.

3.2 Experiment DesignAn iPhone SE (A1662) on iOS 11.3 was usedto test popular vault apps from the AppStore. Five popular applications were in-stalled; KeepSafe, Photo Vault, Calculator+, Secret Safe, and Purple photo vault. InFall 2019, these vault applications were se-lected as they were the top results in theApple App Store and were most downloadedby Apple users. These names are the applica-tion name from the App Store, but they havedifferent names for folder names inside iOS.KeepSafe keeps its respective name, PhotoVault is also called enchanted cloud, Calcu-lator + is also secret Calculator, Secret Safeis loveyouchenapp, and Purple photo vaultis also referred to as galaxy studio. Eachapplication received four similar jpegs andreceived the jpeg image, respectively.

In order to assess the applications, threeforensic software packages were used; UFEDCellebrite (v. 7.23), Magnet Axiom (v. 3.8.0),

and Black Bag Mobilyze 2019 R1. While thisstudy did not compare the tools, it should benoted that not all tools produced the sameresults. The twenty images were added tothe phone and then imaged through the threerespective forensic applications. In order toaccess any cross interactions from the otherapplications, 20 different images were usedand assigned to the specific vault applicationto store the image. This would make it easierto see if the application modified the imagesor if a thumbnail is created. If the forensicapplication finds all artifacts, five dedicatedimages should be found per application.

Cellebrite, Axiom, and Mobilyze have dif-ferent features that may discover artifactsfrom the applications, such as pin codes,thumbnails, preview videos, or file names.Thus, more than one acquisition method wasused.

4. RESULTSEach app’s key indicators of success or failurewere given an abbreviated letter and charac-ter between the five vault applications andthe three different forensic software. Thissummary can be seen below in Figure 2. Thescope of this research is not to determineif any of the forensic software packages aremore effective than others in finding mobileforensic artifacts. Cellebrite, Axiom, andMobilyze shared similar results. In order tominimize redundancy, an entire breakdown ofCellebrite will be included to give further con-text to the summary in Figure 2. CellebritePhysical Analyzer displayed the results fromthe extraction.

4.1 SummaryTo compare the different types of evidencebetween each vault and forensic tool, thediscovery indicators were described betweenthem. The following letters indicate eachitem in the key for Figure 2:

© 2021 JDFSL Page 5

JDFSL 2021

A = Application discovered by forensic softwareC = Passcode foundE = Photos were found encryptedF = Facebook tracker found in-appL = Live video preview image foundM = Multiple copies of the same photo were foundN = No photos foundP = All four photos were discoveredR = Original photos still found in the camera rollT = Thumbnails/Preview Found

While Cellebrite and Axiom had all twentyphotos in the iOS default photo gallery, Mo-bilyze did not recognize photos assigned toKeepSafe and Calculator + and did not findthese applications on the phone. It is as-sumed that these eight missing pictures arein the default photo gallery, as suggested bythe two other software packages. Overall, Mo-bilyze found the least amount of informationfrom the vault applications, suggesting thatusing more than one forensic application toanalyze the same image of the iPhone pro-vides the most correct and whole picture ofwhat evidence is on the phone.

Axiom did not find the 20 images inthe camera roll for the vault applications.Cellebrite found all of them, and Mobilyzecould only find three out of the five apps,with these three apps having their twelve re-spective pictures found during analysis. Atfirst glance, Cellebrite found the most resultsbetween the three applications and was theonly application to find one of the passcodesfrom the photo vault app Photo Vault (en-chanted cloud). As Cellebrite found the mostforensic artifacts, Table 3 describes what ev-

Figure 2. Evidence Found per Vault App andForensic Tool

idence was found for each application, thefile name (to show any modifications), thedescription of the photo-matching to Figure1, and the location in Cellebrite where theevidence was found.

The package names of applications varyfrom their names as displayed in the app store.This created difficulty in analyzing matchingdifferent applications as the Cellebrite, Ax-iom, and Mobilyze found them versus howthey display to users.

4.2 Thumbnails

The modification of the file names lends someinformation about how each vault applica-tion is storing each photo. For example, Cal-culator + stored each private photo as anentry in an SQL database and makes a cus-tom file named . . . ZTHUMBNAIL insteadof creating a thumbnail file with the desig-nated thumbnail file extension .thumb suchas KeepSafe. This may provide some forensicprotection as using the common file extensionwill cause other forensic software tools notto find the thumbnail, where the thumbnailswith the designated file extension were found.For example, KeepSafe used the .thumbs fileextension found in Cellebrite and saw thatAxiom also discovered it. While Cellebritefound the custom thumbnail file for secretCalculator, both Axiom and Mobilyze didnot find these thumbnails, displaying thatthis type of obfuscation that the vault appprovides is effective against some forensicssoftware packages, but not all of them. PhotoVault (enchantedcloud) created a photo fora thumbnail to be viewed in the app, butit did not create a thumbnail file nor did itcreate a filename without a file extension. Itcreated another image file, a jpeg like theoriginal picture, but changed the file’s nameto designate to the application that is it athumbnail picture.

Page 6 © 2021 JDFSL

JDFSL 2021

Figure 3. Forensic Artifacts found by Cellebrite

© 2021 JDFSL Page 7

JDFSL 2021

4.3 Other ArtifactsReferencing Figure 2 shows one of the fea-tures examined if multiple copies of the samephoto were found. Copying the sensitivephoto to be viewed by the vault applicationcaused more evidence to be found forensically.The .mov files were found from images takenon the iPhone with its built-in camera, whichcreated a live preview of the images as a shortvideo.

Private Photo Vault’s pin number wasfound in plaintext by Cellebrite but was notfound by the other forensic applications. Thiscode was verified as the correct pin to unlockthe phone. Other applications, such as Keep-Safe, also had four-digit pin codes to unlockthe vaults, but they were not found duringthe investigation. Additional copies of someprivate photos were created as .png files, an-other image type, and stored on the phone,creating more evidence to be found by theforensic tool. Frequently, these applicationscreate more evidence and do little to obscureor secure private images.

5. CONCLUSIONBased on the current study, vault apps pro-vide minimum protection from forensic anal-ysis. Their primary usage should be to ob-scure sensitive photos from other users of themobile device, not to provide important ad-ditional security or privacy for these privatephotos. While some techniques were effectiveat hiding evidence from some forensic soft-ware packages, the forensic applications them-selves were the greatest contributing factoras to whether evidence was located on eachphone. The software packages that found themost evidence was Cellebrite, while the appthat provided the greatest protection wasCalculator + (secretCalculator). However,Cellebrite was able to find all of the photosand metadata for the photos from Calculator

+ and all five applications and the twenty pic-tures were discovered. Future research shouldinvestigate more effective methods of hidingand securing photos, including a cloud-onlysolution for vault applications that do notstore the image locally, but instead, they arestored off of the device via the cloud. Finally,reviewing the literature on other vault appli-cations, these results are similar to previousresearch which also found 100% of the arti-facts from Android vault applications (Dun-can Karabiyik, 2018).

5.1 Future WorkIn response to the proliferation of sexual mes-sages and images, vault applications are be-coming popular. Future research should ex-amine other platforms, which claim to pro-tect sensitive images, as well as the abilityof other forensic tools to identify probabledata. These newer apps should be comparedsingularly on Android and iOS similarly tothese vault applications, while adding an ad-ditional phase to test new vault applicationfeatures that these applications claim to use,such as AI image detection. Ultimately, con-tinued research in this area will address notonly the security and privacy of vault ap-plications but their potential role in digitalforensic investigations.

REFERENCES[1] Abdulla Alghafli, K., Jones, A. Mar-

tin, T. A., 2012. Forensics data acquisitionmethods for mobile phones. Proceedingsof International Conference for InternetTechnology and Secured Transactions, De-cember.pp. 265-269.

[2] Adams, C., Whitledge, A. Shenoi, S.,2008. Legal issues pertaining to the useof cell phone data. Advances in DigitalForensics, Volume IV, pp. 231-243.

Page 8 © 2021 JDFSL

JDFSL 2021

[3] Al-Zarouni, M., 2006. Mobile HandsetForensic Evidence: a challenge for LawEnforcement. Australian Digital ForensicsConference.

[4] Awan, F. A., 2015. Forensic examinationof social networking applications on smart-phones. Proceedings of the 2015 Confer-ence on Information Assurance and CyberSecurity , December.Issue 36-43.

[5] Duncan, M., Karabiyik, U., 2018. De-tection and Recovery of Anti-Forensic(VAULT) Applications on Android Devices.Proceedings of the 2018 Annual ADFSLConference on Digital Forensics, Securityand Law

[6] Garfinkel, S. L., 2010. Digital forensicsresearch: The next 10 years. Digital Inves-tigation, Volume 7, pp. S64-S73.

[7] Hoog, A. Strzempka, K., 2015. iPhoneand iOS forensics: Investigation, analysisand mobile security for Apple iPhone, iPadand iOS devices.

[8] Husain, M. I. Sridhar, R., 2009. iForen-sics: forensic analysis of instant messag-ing on smart phones. International Confer-ence on Digital Forensics and Cyber Crime,September.pp. 9-18.

[9] Iqbal, B., Iqbal, A. Al Obaidli, H., 2012.A novel method of iDevice (iPhone, iPad,iPod) forensics without jailbreaking. 2012International Conference on Innovationsin Information Technology, March.pp. 238-243.

[10] Jansen, W. Ayers, R., 2007. Guidelineson cell phone forensics. National Instituteof Science and Technology Special Publi-cation, Volume 800, pp. 101-110.

[11] Levinson, A., Stackpole, B. Johnson,D., 2011. Third party application forensics

on apple mobile devices. 44th Hawaii Inter-national Conference on System Sciences,January.pp. 1-9.

[12] Lovejoy, B., 2017. ’Nude’ app usesCoreML to automatically detect protectintimate photos on an iPhone. [Online]Available at: https://www.9to5mac.com/[Accessed March 2018].

[13] Marturana, F., Me, G., Berte, R. Tac-coni, S., 2011. A quantitative approachto triaging in mobile forensics. Proceed-ings of the 2011 IEEE 10th InternationalConference Trust, Security and Privacy inComputing and Communications , Novem-ber.pp. 582-588.

[14] Mutawa, N. A., Baggili, I. Marring-ton, A., 2012. Forensic analysis of socialnetworking applications on mobile devices.Digital Investigation, pp. S24-S33.

[15] Newton, C., 2018. Nude is a next-generation photo vault that uses AI to hideyour sensitive photos. [Online] Available at:https://www.theverge.com/

[16] Norouzizadeh Dezfouli, F., Dehghan-tanha, A., Eterovic-Soric, B. Choo, K. K.,2016. Investigating Social Networking ap-plications on smartphones detecting Face-book, Twitter, LinkedIn and Google+ arte-facts on Android and iOS platforms. Aus-tralian journal of forensic sciences, 48(4),pp. 469-488.

[17] Oriwoh, E., Jazani, D., Epiphaniou, G.Sant, P., 2013. Internet of things forensics:Challenges and approaches. Proceedings ofthe 9th International Conference on Col-laborative Computing: Networking, Ap-plications and Worksharing, October.pp.608-615.

[18] Palmer, G., 2001. A road map for dig-ital forensic research.. Proceedings of the

© 2021 JDFSL Page 9

JDFSL 2021

2001 Digital Forensic Research Conference,August.

[19] Palmer, G. L., 2002. Forensic analysisin the digital world. International Journalof Digital Evidence, Volume 1, pp. 1-6.

[20] SANS, 2019. FOR585: Advancedsmartphone forensics. [Online] Availableat: https://digital-forensics.sans.org/ [Ac-cessed 05 December 2017].

[21] Tassone, C., Martini, B., Choo, K. K. R.Slay, J., 2013. Mobile device forensics: Asnapshot. Trends and Issues in Crime andCriminal Justice, Issue 460, pp. 1-7.

[22] Yang, T. Y., Dehghantanha, A., Choo,K. K. R. Muda, Z., 2016. Windows instantmessaging app forensics: Facebook andSkype as case studies. PloS one, 11(3).

[23] Zdziarski, J. A., 2008. iPhone Forensics:Recovering Evidence, Personal Data, andCorporate Assets.

[24] Zhang, X., Baggili, I. Breitinger, F.,2017. Breaking into the vault: Privacy, se-curiy and forensic analysis of Android vaultapplications. Computers Security, Volume70, pp. 516-531.

Page 10 © 2021 JDFSL