Dynamic App Finder 2: A Stronger, More Efficient Investigative Starting Point
In 2017, mobile usage not only shows no signs of slowing down; it’s actually increasing. A January report from EduBirdie reported that nearly 75 percent of people globally use mobile devices, making them “now an indispensable part of everyday life for most people around the globe.” Of that number, the report noted, Android and iOS were responsible for more than 91% of all mobile web traffic; and at the end of last year, mobile web browsing overtook desktop web browsing for the first time.
A significant part of all that mobile usage is mobile apps. Statista reports that American adults spend almost 18 hours a week on their smartphones, with much of that time and energy going to mobile messenger and social apps—not just in the United States, but also worldwide.
Other popular apps include utilities, photo and video and games for iOS users, and tools, video players and edit, travel and local for Android users. Smartphone owners installed an average of 88.7 apps (though they only used 24.9 of them monthly) on their devices. Finally, Statista noted, “Many of the most popular mobile properties are mainly accessed via mobile apps instead of mobile browsers.”
As we’ve described in the past, many of these apps have functionality that goes far beyond their primary usage. Game app users can chat in-game, for which they need their contact lists; geolocation data is available from a great many apps, including social media. So, as popular as chat apps remain; investigators need a way to refine their search for key evidence, especially from apps that may not be fully supported by commercial mobile forensic tools.
A Better Investigative Starting Point
When we first launched the Dynamic App Finder (DAF) as part of Magnet IEF in 2013, we were looking for a way to help forensic investigators identify mobile chat apps—and more importantly, their content.
DAF could search images or file dumps from iOS and Android devices for SQLite databases. It then ran heuristics to determine if any it found was a chat database. If it determined so, DAF would then recommend a mapping for key fields: Sender, Receiver, Date/Time, and Message (which could be manually re-mapped if necessary).
Once this was complete, DAF would include the results in the examination report. As a bonus in AXIOM, DAF would also save its findings as custom artifacts to be reused in the future examinations.
DAF2: Another Step Forward for Magnet Custom Artifact Support
We’ve taken the past four years of experience with DAF to add to and refine it beyond just chat apps. DAF2 adds support for discovering databases that contain geolocation data, web activity, or contact information. The additional support gives you new flexibility in quickly narrowing down the list of databases to just what you’re after in your investigation.
Just as with mobile chat apps, DAF2 looks for the common fields within each app category, then uses heuristics to identify the structure and find relevant data within. Unlike named entity recognition (NER), which filters and finds data only based on syntax—proper names, currency, and so forth—DAF2 seeks to derive meaning and context, helping you to understand content before you even read it.
How DAF2 will Benefit Investigators
DAF2 is part of AXIOM’s overall artifacts-oriented approach, which enables you to focus on potential sources of evidence more quickly than having to pore through an entire file system. In DAF2, this will become apparent as you can access:
Geolocation Data. Track the user’s location over time, or track their interest and searches in different points of interest as it relates to your case. For example, in a case where someone has violated the terms of their probation limiting their proximity to a specific address or person, app geolocation data could help show this violation.
Contact Info/Details. Help surface further details about either the suspect’s user accounts, or people in their networks. For instance, you can help attribute a specific email address to a suspect if it’s showing up in multiple apps on the device, and build a richer profile on that suspect.
Web Data. Uncover shared searches of interest or URLs between two users. In a child exploitation case, for example, while investigating distribution content between two offenders, you can find details on the online communities or forums they are recommending to each other to use. Combined with the above point, you could even potentially find user account info related to the communities in question.
Additional New Functionality in DAF2
Here’s what else you can expect in DAF2 as it builds on the feedback we received from the forensic community:
- A wider range of default column options make recommended mappings more complete and often suffice if you’re in a hurry.
- Mapping every column is now possible with limitless custom column names. This lets you work outside of the previous boundaries, allowing you to do more precise interpretation of the data.
- Filtering for databases and tables that only contain certain kinds of data (URLs, geolocation, etc.)
- Improved UI to preview the custom artifact you are creating from the found database tables.
- Simple shortcuts like Select/Deselect All help you avoid unnecessary frustration when dealing with a lot of data.
DAF2 is more flexible now, allowing you to better interpret and label the data. This in turn results in much more refined and complete custom artifacts that are share-ready for the Artifact Exchange. We believe that as examiners begin to share their DAF2-created custom artifacts on the Artifact Exchange, AXIOM’s artifact coverage will expand to include those specialized applications that made a difference in one case. Chances are, other cases will benefit from these artifacts as well.
Data recovered from mobile apps remains a crucial source of evidence for nearly all forensic investigations. With 2.8 million available apps in the Google Play Store and 2.2 million apps available in the Apple’s App Store as of March 2017, data volumes will continue to stymie forensic examiners who must identify, recover, and analyze the data within their databases. With features like DAF2, Magnet Forensics continues to innovate towards reducing the time it takes to get to needed evidence.
Try Magnet AXIOM 1.2.2 Today
To update your version of Magnet AXIOM to 1.2.2, visit the Customer Portal. Want to try Magnet AXIOM for yourself? Request a 30-day free trial.