Encryption apps are making mobile forensics harder than before. As phone providers and developers shift towards greater user privacy and anti-forensics, examining mobile devices becomes more difficult. Those seeking privacy and looking to protect their data and communications, both for malicious and benevolent purposes use encryptions apps/tools.
Users are increasingly gravitating towards using these apps, as they offer the ability for secure communications. Some popular applications, which use encryption include:
1. iMessage
Apple’s iMessage uses encryption for secure messages and stores the private key on the device itself. Therefore, without physical access to the device, messages are cannot be accessed. Further, messages are not stored in iCloud, and are instead stored in a separate Apple server, so even with access to iCloud messages cannot be viewed.
2. Facebook Messenger
Messenger contains a feature that users can set for end-to-end encryption. This feature called, ‘Secret Conversation’ also allows User’s set up a timer, which deletes messages indefinitely. In this feature, messages, pictures, stickers, videos, and voice recordings can be sent.
3. Slack
Slack uses its own Slack Enterprise Key Management for encryption and keeps data encryption both in transit and at rest.
4. WhatsApp
WhatsApp automatically uses end-to-end encryptions for all communications, including messages, photos, videos, voice messages, documents, and calls. Further, encryption keys are stored on the device itself, therefore WhatsApp cannot read messages either. Keys are one-time use and change with every message that is sent.
5. Viber
Viber by default sets up end-to-encryption for all communications and does not store messages in any of its servers either.
6. WeChat
WeChat uses encrypts all messages sent and received on their servers. The application deletes all messages from their servers once, messages are received to the intended recipient.
7. Microsoft Teams
Teams like Slack also implements encryption for all data in transit and at rest and cannot be accessed.
8. Snapchat
Snapchat is unique in that its platform is built on ‘Snaps’ that are sent to users, which can be pictures or videos, are automatically deleted after being watched. Therefore, any information that may have been sent on Snapchat is gone, unless it was saved by the user or screenshotted. Further, Snaps are sent using end-to-end encryption. Text messages and group chats are not end-to-end encrypted.
To analyze these applications, physical access to the devices is needed, with login information. Manual extraction of these devices may be required rather than Logical extractions. However, your first choice should always be doing a logical or physical extraction, to determine if applications can be processed and analyzed. Tools such as Cellebrite supports applications like WhatsApp and Facebook Messenger for Android devices. However, as of right now some applications on Apple devices cannot be extracted or viewed. If the logical/physical extraction does not work a Manual extraction may be necessary.
Contact LIFARS Today
For Mobile Forensics Services
