Forensic Analysis of Instant Messenger Applications on Android Devices

The modern day Smartphone’s have built in apps like “WhatsApp & Viber” which allow users to exchange instant messages, share videos, audio’s and images via Smartphone’s instead of relying on their desktop Computers or laptop thereby increasing the portability and convenience for a layman smart phone user. An Instant Messenger (IM) can serve as a very useful yet very dangerous platform for the victim and the suspect to communicate. The increased use of Instant messengers on Android phones has turned to be the goldmine for mobile and computer forensic experts. Traces and Evidence left by applications can be held on Android phones and retrieving those potential evidences with right forensic technique is strongly required. This paper focuses on conducting forensic data analysis of 2 widely used IMs applications on Android phones: WhatsApp and Viber. 5 Android phones were analyzed covering 3 different versions of Android OS: Froyo (2.2), GingerBread (2.3.x) and IceCream Sandwich (4.0.x). The tests and analysis were performed with the aim of determining what data and information can be found on the device’s internal memory for instant messengers e.g. chat messaging logs and history, send & received image or video files, etc. Determining the location of data found from FileSystem Extraction of the device was also determined. The experiments and results show that heavy amount of potential evidences and valuable data can be found on Android phones by forensic investigators. General Terms Android Forensics, Instant Messenger Forensics.