Mushcab 2015

This document summarizes a study that analyzes the social media apps Instagram and Path on an iPhone 5s device. The analysis process involved installing the apps, performing common user activities, acquiring a logical image, and analyzing the image to determine what activities are stored locally. The results showed that some user activity information is stored on the device internally.

Uploaded by

Andres Pardal

3rd IEEE International Workshop on Security and Forensics in Communication Systems 2015

Forensic Analysis of Instagram and Path on an iPhone 5s Mobile Device

Reema Al Mushcab
School of Computer Science and Informatics
University College Dublin
Dublin, Ireland
reema.almushcab@ucdconnect.ie

Pavel Gladyshev
School of Computer Science and Informatics
University College Dublin
Dublin, Ireland
pavel.gladyshev@ucd.ie

Abstract— Social networking applications are a treasure trove for forensic examiners. The amount of potential evidence that they hold could sway the course of any investigation. However, the large number of mobile operating systems, their continuous updates, and the constant emergence of new social networking applications in the market create challenges for forensic practitioners today. This paper hopes to alleviate some of those challenges by conducting a forensic analysis on two popular social networking applications, Instagram and Path, on an iPhone 5s mobile device. The analysis process consisted of installing both applications on the device, performing common user activities via these applications, obtaining a forensically sound logical image of the device, and finally conducting manual and automatic (for result verification) forensic analysis on the acquired image. The ultimate goal of the analysis was to determine whether the activities conducted through these applications are stored on the mobile device’s internal memory or not. The test results show that a portion of the activities is indeed stored in the internal memory. Therefore, the significance, extent, and locations of the stored information were all determined and documented in this paper.

Keywords—Path; Instagram; Forensic; Artifacts; iPhone

I. INTRODUCTION

The universal human right to communicate springs from the very nature of the human person as a communicating being. The recognition of this basic right has been triggered by some of the ever-increasing technological innovations of today, such as telephony and the Internet [1]. Humans practicing their basic right to communicate with each other is not something that is new. However, the social mediums used to facilitate these communications have evolved over time, from telegraphs and pneumatic posts to, most recently, mobile phones and social networking applications [2]. These new social mediums are becoming increasingly integrated into our daily lives. In fact, according to 2013 statistics, it was estimated that there are approximately 7.1 billion people on the planet and at least 6.6 billion mobile phone subscriptions [3]. Even more astonishing than that, in 2011 mobile phones had actually outsold PCs by roughly 73 million phones [4]. These numbers only forewarn of the pervasiveness of mobile devices in our society. This could be attributed to their compact size, storage capabilities, Internet connectivity, and their ability to provide users with a portable computing experience [5]. In addition, according to 2013 statistics, the number of people accessing the Internet via mobile phones has increased over the last few years by 60.3% to 818.4 million people [6]. This increase in mobile Internet usage has led to the number of people using their mobile phones to access online social networking applications to increase by a staggering 203% [7]. These social networking applications have completely revolutionized the way people communicate. However, Charles Dickens’s quote: “It was the best of times, it was the worst of times” describes the current social quandary perfectly. Despite social networks being predominantly used to communicate, socialize, and bring people closer together, the fact is that the anonymous nature of social networks makes them extremely vulnerable to cybercriminals [8]. Therefore, it may be true that we are living in the best of times, in an era that could be best described as the zenith of communication and socialization, but we are also living in the worst of times, in an era where the technological advancements in communication mediums are constantly being misused and abused. More often than not, these communication mediums end up playing a major role in criminal (and civil) investigations.

Those with a computer forensics background most likely already realize the massive amount of information that can be locally stored on mobile phones and realize that to ignore the critical investigative demand to examine these devices would be negligent and would most likely result in incomplete forensic investigations [9]. This is particularly so because, according to Lessard and Kessler, mobile phones contain more probative information that can be linked to an individual per byte examined than most computers [10]. Thus, in response to this investigative demand, this paper has conducted sound forensic examinations on Instagram and Path on an iPhone 5s mobile device. The ultimate goal of this analysis was to determine whether the activities conducted through these social networking applications are stored on the device’s internal memory or not. The results affirmed that some information is indeed stored in the internal memory. Therefore, the amount, significance, and locations of the recovered information were determined and well documented in this paper.

978-1-4673-7194-0/15/$31.00 ©2015 IEEE

II. RELATED WORK

The work done in the area of iPhone forensics is somewhat limited due to the embedded nature of the physical components inside the device [5]. To further complicate the matter, iPhone devices use solid-state flash memory for persistent data storage and do not house external memory cards, thus forcing examiners to conduct iPhone forensics mainly via logical acquisition [5]. However, a rare breakthrough in iOS forensics provided what is considered to be the closest thing to a physical acquisition method for an iPhone device: the Zdziarski method [12].

Hoog and Gaffaney tested Zdziarski’s method amongst other acquisition techniques [14]. For example, they also tested logical acquisition via Apple’s official proprietary synchronization protocol (iTunes Backup feature), which creates a backup folder that forensic examiners can parse [14]. This backup feature was tested using certain precautions e.g. disabling the automatic synchronization option to avoid the alteration of the data [14]. Interestingly enough, according to their results this method retrieved more information than most of the other techniques/software that were tested and thus ranked higher than them, despite iTunes not being a forensically oriented tool [14]. In fact, several other papers have been published highlighting the benefits of using the iTunes backup feature for iPhone logical acquisitions e.g. Husain and Sridhar [15], Morrissey [16], Al Mutawa et al [8], and Yousif et al [17]. However, unlike Morrissey [16] and Al Mutawa et al [8], neither Husain and Sridhar [15] nor Yousif et al [17] made any mention of disabling the iTunes automatic synchronization feature prior to their testing, which could potentially affect the reliability of their results. Bader and Baggili [5] have also made use of the iTunes backup feature to acquire a logical image of an iPhone device. The authors ensured that the conditions of their research were compliant with forensic standards by disabling the automatic synchronization feature to avoid the risk of data cross-contamination during the logical acquisition [5]. They also attempted to connect the iPhone device via a writeblocker; however, their several attempts to do so had failed. The authors speculated that it may be because writeblockers may hinder the iTunes backup utility from initiating a connection with the iPhone to mount the file system [5]. However, this would indicate that the iTunes backup utility would need to write to the iPhone file system to mount the mobile device’s storage media on the workstation [5]. The previous made no mention of writeblockers, it is presumed that the configuration setting to disable the auto synchronization feature acts somewhat like a writeblocker as it prevents the alteration of data [5].

A dominant method for iPhone logical acquisitions can be observed in the works presented above and in many others e.g. Jung et al [18], where Apple’s official synchronization and backup software is used to create logical images. In fact, Tso et al [19] have determined within their research that this method is indeed a prevailing one amongst logical acquisition methods [19]. Husain et al [20] have even proposed a three-phase forensic framework for iPhone devices using Apple’s iTunes software. Their proposed phases are: data acquisition, analysis, and reporting [20]. Their rationale for choosing iTunes was that, despite the existence of commercial iPhone forensics products like Aceso or UFED, these products can be overly expensive and not within the budget of every law enforcement department/agency [20]. Also, these products may require additional hardware e.g. Aceso [20]. Their functionality is also generally limited to the built-in features provided by the product’s manufacturer [20]. But most importantly, the framework proposed by Husain et al [20] does not require an iPhone device to be jailbroken nor does it alter the device’s firmware [20]. However, one major drawback of their proposed approach is that they made no mention of the vital need to disable the iTunes auto synchronization feature prior to initiating any backups [20].

There are many papers published about the recovery of general information from mobile devices e.g. photos, contacts, SMS, etc., but not many about the specific recovery of social networking information. This could be attributed to the fact that in real life investigations, law enforcement agencies may have access to data from the social networking providers themselves [8], which is why it may have been assumed that there is no need to focus on social networking application forensic artifacts. However, according to Al Mutawa et al [8], this access depends on many factors e.g. the nature of the investigation, jurisdictional issues, and the degree of the social network provider’s cooperativeness [8]. The authors also point out that there is a two-fold value of investigating social networking applications on mobile phones. First, it is useful to corroborate results (from the provider and from the smartphone), for it adds more value to the veracity of the results [8]. Second, it is vital for the event reconstruction process to know whether particular social networking activities took place on a particular mobile device [8].

III. PROBLEM STATEMENT

Digital forensic investigators are familiar with computer operating systems and are comfortable working with them [11]. However, they are still not as comfortable working with mobile phone operating systems [11]. This unease could be attributed to the challenges associated with mobile forensics. For example, mobile operating systems are generally closed-source (with the exception of Linux-based devices) [8]. It is not only the manufacturers and operating system developers who may conceal their code; some of the forensic tool developers themselves are also hesitant to release information about the inner workings of their code because they consider it to be a ‘trade secret’ [11]. This makes the task of creating custom tools to extract data from mobile devices a tedious and difficult task [8]. Moreover, forensic practitioners are often bombarded with various types of mobile phone generation technologies and proprietary firmware, and even within the same manufacturer different data cables and software may be required to access the phone’s information [10]. These different generation technologies and mobile
phone updates tend to be released by vendors very often, resulting in very short product cycles [8]. This makes it difficult for forensic examiners to keep up with the examination methods and tools required to forensically examine each release [8]. The process of developing, testing, and releasing forensic tools and updates that deal with newer operating system versions is usually a slow one, which is why (as seen above) non-forensic oriented tools released (and regularly updated) by official manufacturers (who are often more familiar with their own product than external developers) are sometimes used instead e.g. Apple’s iTunes software [8]. This is why it is vital to focus on new and popular mobile devices, in addition to new social networking applications that digital forensic examiners will most likely encounter but have yet to undergo extensive forensic examinations because of their recent releases/updates.

IV. ADOPTED APPROACH

The approach for examining the target iPhone 5s is based on the simple cost-effective framework for iPhone forensic analysis using the iTunes backup utility proposed by Husain et al (iFF) [20]. However, the phases were slightly modified, in order to suit the purposes of this project, to: scenarios, logical acquisition, and data analysis. The approach was also enhanced in order to increase the forensic reliability of the results by adding two major steps: (1) Disabling the iTunes automatic synchronization feature, (2) Using a writeblocker to connect the mobile device. These two measures fulfil a crucial rule in digital forensics, which is to preserve the integrity of the original data and to prevent it from any contamination that could interfere with its acceptance in court [8]. It is important to note that the only found documented attempt to connect an iPhone device via the iTunes backup utility to the forensic workstation using a writeblocker was by Bader and Baggili [5] and their attempt had failed. However, what distinguishes this enhanced approach even more is that its attempt to connect the device via a writeblocker was achieved successfully.

A. Test Environment and Requirements

Once the forensic station was set up, it was isolated from the network. Below is a complete list of all the hardware and software tools used to perform the forensic analysis:
• iPhone 5s (v. 7.1.1), Path (v. 3.4.3), Instagram (v. 6.0.1)
• Apple iTunes application (v. 11.2.2.3), NotePad (v. 6)
• SQLite Manager (v. 0.8.1), PList Editor Pro (v. 2.1)
• ThumbScrew, software writeblocker (v. 1.0)
• M2CFG USB Writeblock (v. 1.0.0.1)
• Apple’s iPhone 5s USB data cable
• iPhone Analyzer (v. 2.1.70), iBackupBot (v. 5.1.7)
• Windows Photo Viewer, VLC Media player (v. 2.1.3)

B. Test Procedure

The forensic analysis consisted of three separate stages: scenarios, logical acquisition, and data analysis:

B.1. scenarios

This stage consisted of installing the social networking applications under investigation (Instagram + Path) on the iPhone device and then conducting common user activities on them. For the sake of this forensic investigation, fictional accounts with fictional users were created on both Instagram and Path, and activities were conducted via these accounts to create a plausible dataset. For a more comprehensive overview of the main activities that were conducted, please refer to Table 1.

TABLE 1. THE MAIN ACTIVITIES CONDUCTED IN THE SCENARIOS PHASE

Activities Conducted via Instagram and Path

No. | Application | Main Activities
1 | Instagram | Login with username: redwatermelon.2014 and password: 123176, edit profile “about me”, change profile picture, view Instagram users, add Instagram users, accept requests from Instagram users, post pictures + captions + location of pictures, post videos, comment on pictures + videos, like pictures + videos, send private direct messages + pictures to other Instagram users, visit hashtags, delete posts
2 | Path | Login with email: redwatermlon2014@hotmail.com and password: 123176, change profile picture, add Path users and accept Path friend requests, post/delete statuses + location, post pictures and videos + location, post music listening to and books reading + location, post location, post sleep/wake up time

B.2. logical acquisition

Obtaining a logical image of the device’s internal memory was done by acquiring a bit-by-bit copy of the directories and the different types of files within the iPhone file system by creating a device backup via iTunes [5]. The applied approach is based on our enhanced version of the iPhone Forensic Framework (iFF) where two main steps were added. The first is disabling the auto-synchronization feature, because by default iTunes creates a backup of the iPhone data during the synchronization process; it automatically syncs the device once it is connected. It copies data from the iPhone to the computer and VICE VERSA to ensure that the content is the same on both [5]. This drastically decreases the reliability of the backup because iTunes may copy the computer’s address book, image files, calendar, etc. to the iPhone’s memory [5]. This is why it is important to stress the significance of invoking the backup process independently without initiating the synchronization process. If this step were not performed, then the risk of data cross-contamination during the logical acquisition would be very high [5]. This step was performed by going to the iTunes ‘Preferences’ menu item, selecting the ‘Devices’ tab, and then ticking the ‘Prevent iPods, iPhones, and iPads from syncing automatically’ option (which is by default un-ticked). The second step added to the iFF is connecting the iPhone to the forensic workstation via a writeblocker. The attempt to connect the iPhone to the forensic workstation via ThumbScrew, a software writeblocker, was achieved successfully. Another attempt using M2CFG USB Writeblock, a different software writeblocker, was also successful. Each writeblocker was researched and tested individually prior to being used. It is speculated that Bader and Baggili’s [5] previous attempt to connect the iPhone via a writeblocker
failed because older versions of the iPhone OS and firmware do not allow writeblockers as opposed to newer OS versions (they conducted the forensic experiments on an iPhone 3GS). Another possibility is that since the authors did not mention whether they used a hardware or software writeblocker, they might have opted for a hardware writeblocker, which may have produced different results as hardware writeblockers have not been tested in this paper. Once the backup process was completed, the iPhone device was disconnected from the forensic workstation and a copy of the backup was saved on the forensic storage hard-drive. Please refer to Figure 1 for a depiction of the main steps of the newly enhanced (iFF).

Figure 1. Overall structure of the enhanced iFF

B.3. data analysis

The completion of the iTunes backup process resulted in the creation of a folder with a UDID (Unique Device ID) that is 40 hexadecimal characters long: 38ea0fe8f9a351ba0212cc0108c0dd748f4d5632, containing the backed up logical files. This alphanumeric value is a unique identifier that represents which device the backup came from. iTunes stores this backup folder in a preconfigured default directory. In Windows 7 the default directory in which the backup file is located is: C:\Users\User Name\AppData\Roaming\Apple Computer\MobileSync\Backup\XXXXXX. The acquired backup folder consisted of three PLIST files, one MBDB file, and tens of hundreds of 40-digit hexadecimal-hashed filenames with no apparent extensions. These random-looking filenames are actually the SHA1 hash value of combining the domain name and the path information with a hyphen (-) [21]. It has been noted that most of the data in the backup files are stored in binary lists and database files (sqlite); however, several other file types were encountered e.g. Property List (PLIST)/ Binary Property List (BPLIST), which are the Macintosh equivalent of the Windows registry and can be viewed with any PLIST viewer or XML editor. Encapsulated images/videos were also found and could be viewed using programs like VLC Media Player or Windows Photo Viewer.

The process of examining these data backup files was a laborious and time-consuming task, mainly because of the vast amount of files located within the backup folder: specifically, 3,125 data files that were copied during the acquisition process. Two types of analyses were performed on these data files: manual and automatic analysis.

The manual analysis of the backup files was performed twice to ensure that no files had been missed. This phase consisted of testing multiple tools and then using them to parse hundreds of backed up data files in order to reverse engineer the data stored within them. Each backup file was opened individually using NotePad text editor to determine whether these files are PLIST files, SQLITE databases, encapsulated images, etc. This was determined by the header shown at the start of the file. For example, files starting with the header ‘SQLITE Format 3’ contained SQLITE databases, files starting with the header ‘BPLIST00’ contained binary PLIST data, and files starting with the header ‘JFIF’ contained encapsulated images, and so on. After the file type was determined, the appropriate software tools were used to decode them.

In the automatic analysis phase, two commercial backup analysis tools were used to verify the results found in the manual analysis: iBackupBot by VOW Software and iPhone Analyzer by Crypticbit. These software tools automatically convert the hexadecimal hashed files into readable files. Two software tools were used because using multiple tools further validates the results in a forensic context. There was a slight discrepancy between the results that were found from both types of analyses. More details about this disparity can be found in the section below.

V. FINDINGS

A. Writeblocker Findings

Before discussing the discovered Instagram and Path social networking artifacts, it is important to first note an interesting discovery regarding the use of software writeblockers. As previously stated, earlier published attempts to connect the iPhone via a writeblocker to the forensic workstation had failed, which is why it was surprising when this project’s attempt was successful. Therefore, more experiments and analyses were conducted to remove any shred of doubt. After both software writeblockers (ThumbScrew and M2CFG USB Writeblock) were individually tested (by enabling them, connecting several storage devices, and attempting to make writes on them), and after the iPhone connected successfully to the workstation via the writeblocker(s), another iTunes backup was made of the iPhone device WITHOUT connecting it to any writeblocker. This was done in order to determine whether the use of a writeblocker results in any visible changes to the produced logical backup. Interestingly enough, the number of items in the backup file prior to disabling the software writeblocker was 3,125 items. However, after the writeblocker was disabled, the number of items went up to 3,133 items. That is a total of 8
additional items that have been written to the backup file, as seen in Figure 2, thus proving that ignoring the use of a writeblocker causes modifications to the acquired image. Further investigation into these 8 items revealed that they are all temporary files used by SQLite. These 8 files were divided into two file formats: WAL (Write-Ahead Log) and SHM (Shared-Memory) files [22].

Figure 2. Eight extra Files when writeblockers are not used

The purpose of the WAL file is to implement atomic commit and rollback [22]. It exists in the same directory as the database file and even has the same name as it, except with these four characters “-wal” added to it. The WAL file is created when the database connection is opened and is normally removed when the connection is closed, unless the device was not shut down properly [22]. Since the WAL files are present on the acquired images, it indicates that a connection with a database was opened at some point during the acquisition. The use of a writeblocker presumably does not allow this database connection to occur, as the WAL files are not present in the backup file when the writeblocker is enabled. The SHM (Shared Memory) file has a name that is self-explanatory; its purpose is to provide a block of shared memory for use by several processes all accessing the same database in WAL mode [22]. It is also located in the same directory as the database file and even has the same name, except with these four characters “-SHM” added to it [22]. Since this file is associated with the WAL file, it has the same lifespan. It is created when the WAL file is created and deleted when the WAL file is deleted [22].

C. Instagram Findings

The examination and analysis of the backup files revealed a number of SQLite and PLIST files related to Instagram e.g. com.burbn.instagram. Many files contained the phrase “Instagram” but only a few were considered to be forensically significant. The first two files of interest were PLIST files with the hash names: 0e3272e9fb041be097c9c219f7a48fc852c05cc6 and 24a23861051f71ae245535ae9560936da344bdbc. The first file contained a list of the fictional account’s Instagram followers. The list consisted of what appeared to be the followers’ Instagram ID numbers, their usernames, their “about me” message, and a link to their Instagram profile picture. The second file contained a list of the Instagram accounts the fictional profile followed, which also contained the same information. However, it may be worth noting that in this PLIST file the fictional user’s account’s details were also in the list. These two PLIST files are considered to be forensically significant because they basically tie some sort of relationship between two individuals. For example, if a suspect claimed that he/she did not know the victim and never even heard of the victim’s name, findings like these could help discredit his/her story if they were following each other on Instagram.

Another PLIST file that was considered to be forensically significant was: 4bc6b8f7d14893ea5908bda90ffc410aae3b1289. This file contained information about Instagram notifications e.g. UserXYZ liked your photo. The list contained the notification message, the link to the media being “liked”, and some sort of encrypted value (suspected to be the creation date, since the creation date field was mentioned above). It is important to note that this file was only found during the manual analysis of the backup file. During the automatic analysis, it did not show up in either of the two software tools that were used. Disparities such as this must be highlighted and further examined. Gaining information about a suspect’s notifications is helpful for forensic examiners because it allows them to observe what other people were doing and saying, not just the suspect.

An additional PLIST file considered to be of forensic interest is: 72b88e49ac4f48605284907191d53d474397100f. This file consisted of a variety of information e.g. Instagram settings, name of Twitter account (if Instagram is linked to it), last logged in username, last time the main feed (timeline) was fetched (refreshed), the names of the hashtags searched for, etc. Gaining access to the hashtags that were searched for allows forensic examiners to obtain an idea of what is going on inside the user’s head. For example, if the suspect searched the following hashtags: #bombing, #murder, #dead, #kill, and #massacre, it would be safe to assume that the suspect is fixated on death and murder. However, it is important to note that no traces of the hashtags posted by the user under every picture were found. The only ones that were found were the ones explicitly searched for in the hashtag search section. No SQLite databases were found in either the manual or automatic analysis that show more information about the direct messages that have been sent, the captions and the pictures posted, and the locations of the pictures posted.

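The header check from B.3 and the with/without-writeblocker comparison from the Writeblocker Findings, written as an added example (it is not the authors' tooling): files are named by the SHA-1 of "domain-path", classified by their leading bytes, and the items present only in the second acquisition are listed. The relative paths, sample bytes, folder names and function names are constructed for illustration; the WAL and SHM signatures come from SQLite's file-format documentation, not from the paper.

```python
import hashlib
import tempfile
from pathlib import Path

# Exact leading bytes; a text editor shows these as the strings quoted in B.3.
SQLITE_MAGIC = b"SQLite format 3\x00"
BPLIST_MAGIC = b"bplist00"
# SQLite WAL header magic (big-endian), per SQLite's file-format documentation.
WAL_MAGICS = (b"\x37\x7f\x06\x82", b"\x37\x7f\x06\x83")
# The wal-index (SHM) header opens with format version 3007000 in the host's
# byte order, so both encodings are accepted. This is a heuristic, not a magic.
SHM_VERSIONS = ((3007000).to_bytes(4, "little"), (3007000).to_bytes(4, "big"))


def backup_file_id(domain: str, relative_path: str) -> str:
    """File name used inside the backup folder: SHA-1 of '<domain>-<path>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def classify(head: bytes) -> str:
    """Identify a backup file from its first bytes."""
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(BPLIST_MAGIC):
        return "bplist"
    if head[:4] in WAL_MAGICS:
        return "sqlite-wal"
    if head[:4] in SHM_VERSIONS:
        return "sqlite-shm"
    if head.startswith(b"\xff\xd8\xff"):
        # 'JFIF' sits at offset 6, after the JPEG SOI and APP0 markers.
        return "jpeg-jfif" if head[6:10] == b"JFIF" else "jpeg"
    if head.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"


def triage(backup_dir: Path) -> dict:
    """Map every file name in a backup folder to its detected type."""
    result = {}
    for path in sorted(backup_dir.iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                result[path.name] = classify(fh.read(64))
    return result


def extra_items(with_blocker: Path, without_blocker: Path) -> dict:
    """Items found only in the acquisition made without a writeblocker."""
    baseline = {p.name for p in with_blocker.iterdir()}
    return {name: kind for name, kind in triage(without_blocker).items()
            if name not in baseline}


def build_sample(root: Path, include_temp_files: bool) -> Path:
    """Write a tiny constructed backup folder (sample data, not evidence)."""
    domain = "AppDomain-com.burbn.instagram"  # bundle id named in the paper
    files = {  # relative paths below are made up for the example
        "Library/Preferences/com.burbn.instagram.plist": BPLIST_MAGIC + b"\x00" * 8,
        "Library/example.sqlite": SQLITE_MAGIC + b"\x10\x00",
        "Library/Caches/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    }
    if include_temp_files:
        files["Library/example.sqlite-wal"] = WAL_MAGICS[0] + (3007000).to_bytes(4, "big")
        files["Library/example.sqlite-shm"] = SHM_VERSIONS[0] + b"\x00" * 4
    root.mkdir(parents=True, exist_ok=True)
    for rel, data in files.items():
        (root / backup_file_id(domain, rel)).write_bytes(data)
    return root


def demo() -> dict:
    """Build both sample acquisitions and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        blocked = build_sample(Path(tmp) / "with_writeblocker", False)
        unblocked = build_sample(Path(tmp) / "without_writeblocker", True)
        return {"all": triage(unblocked),
                "extra": extra_items(blocked, unblocked)}


if __name__ == "__main__":
    for name, kind in demo()["extra"].items():
        print(name, kind)
```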

D. Path Findings

Scarcely any valuable information regarding the activities conducted through Path was found during both types of analyses. One plaintext file was found: 872377a1b61e9f4a88a51ad0f52e025268a1c853; it contained what appeared to be traces of some of the locations posted via Path (only found via the manual analysis). No other significant information was found. This was very peculiar as Path was also tested on an Android-based device (HTC One M8) as part of a separate study, and almost all the activities conducted through Path were found in a database stored on the device’s internal memory [23].

VI. CONCLUSION

It was confirmed that a portion of the activities conducted through Instagram and Path are stored on the iPhone’s internal memory. Thus, the location, amount and significance of the recovered information were all then determined.

This paper hopes to provide a reference point for forensic examiners and to give them an overview of what kind of data to expect to recover whilst using the approaches adopted in this project. This study involved the forensic acquisition, analysis, and examination of the logical copies of two social networking applications: Instagram and Path on an iPhone 5s. The iPhone backup files barely revealed any information about the activities conducted through Path. However, they shed light on some, but not all, of the activities conducted through Instagram e.g. Instagram follower list, “like” notifications, hashtags searched for, and some files containing Instagram preferences.

There are several items of future work leading directly from this study. First, more experimental cases are needed to examine a wider variety of social networking applications and on different mobile phone platforms. Also, developers are encouraged to create forensic tools that automatically extract Instagram and Path social networking data from iPhone devices. Most importantly, further studies are required to identify the role of the 8 files that are added to the iTunes backup folder when a writeblocker is not used during the acquisition. Further research also needs to be done as to why social networking activities associated with Path could not be recovered on an iPhone device, yet were almost completely recovered on an Android-based device.

REFERENCES

[1] W. J. McIver, W. F. Birdsall, and M. Rasmussen. “The Internet and the right to communicate”. First Monday, vol 8, num 12. 2003
[2] D. Hendricks. “Complete history of social media: then and now”. Small Business Trends. Retrieved from http://smallbiztrends.com/2013/05/the-complete-history-of-social-media-infographic.html. 2013
[3] I. Ahmad. “Global Internet, mobile and social media engagement and usage stats and facts”. Social Media Today. Retrieved from http://socialmediatoday.com/irfan-ahmad/1993606/global-overview-internet-mobile-and-social-media-engagement-and-usage-infographic. 2013
[4] Canalys. “Smartphones overtake client PCs in 2011”. Retrieved from http://www.canalys.com/newsroom/smart-phones-overtake-client-pcs-2011. 2012
[5] M. Bader and I. Baggili. “iPhone 3GS forensics: logical analysis using apple iTunes backup utility”. Small Scale Digital Forensics Journal, vol 4, num 1. 2010
[6] F. Frazier. “Social network statistics 2013- growth rates and numbers of users”. Ethority. Retrieved from http://www.ethority.net/blog/2013/10/09/social-network-statistics-2013-growth-rates-and-numbers-of-users/. 2013
[7] F. Richter. “Messaging and social app use triple in 2013”. Statista: the statistical portal. Retrieved from http://www.statista.com/chart/1778/app-use-in-2013/. 2014
[8] N. Al Mutawa, I. Baggili, A. Marrington. “Forensic analysis of social networking applications on mobile devices”. Digital Investigation Journal, vol 9, S24-S33. 2012
[9] S. Punja and R. Mislan. “Mobile device analysis”. Small Scale Digital Device Forensics Journal, vol 2, num 1. 2012
[10] J. Lessard and G. Kessler. “Android forensics: simplifying cell phone examinations”. Small Scale Digital Device Forensics Journal, vol 4, num 1. 2010
[11] M. Al-Zarouni. “Mobile handset forensic evidence: a challenge for law enforcement”. Australian Digital Forensics Conference. 2011
[12] J. Zdziarski. “iPhone Forensics” (First ed.). Sebastopol: O’Reilly Media, Inc. 2008
[13] K. Barmpatsalou, D. Damopoulos, G. Kambourakis, and V. Katos. “A critical review of 7 years of mobile device forensics”. Digital Investigation Journal, vol 10, page 323-349. 2013
[14] A. Hoog and K. Gaffaney. “iPhone Forensics”. 2009
[15] M. Husain and R. Sridhar. “iForensics: forensics analysis of instant messaging on smartphones.” International Conference on Digital Forensics and Cyber Crime. 2009
[16] S. Morrissey. “iOS Forensic analysis: for iPhone, iPad, and iPod touch”. 1st Ed. Berkeley, CA. USA. 2010
[17] A. Yousif, H. Humaid, and H. Said. “Smart phones forensics and social networks”. IEEE Multidisciplinary Engineering Education Magazine, vol 6, num 4, page 120-125. 2011
[18] J. Jung, C. Jeong, K. Byun, and S. Lee. “Sensitive privacy data acquisition in the iPhone for digital forensic analysis”. Secure and Trust Computing, Data Management and Application, vol 186, page 172-186. 2011
[19] Y. Tso, S. Wang, C. Huang, and W. Wang. “iPhone social networking for evidence investigations using iTunes forensics”. International Conference on Ubiquitous Information Management and Communication. 2012
[20] M. Husain, I. Baggili, and R. Sridhar. “A Simple cost-effective framework for iPhone forensic analysis”. Digital Forensics and Cybercrime, vol 53, page 27-37. 2011
[21] J. Park, J. Lopez, S. Yeo, T. Shon, and D. Taniar. “Secure and Trust Computing, Data Management, and Applications”. FIRA International Conference, Springer Science and Business Media. 2011
[22] SQLITE. “SQLite’s use of temporary disk files”. Retrieved from http://www.sqlite.org/tempfiles.html. (N.D)
[23] R. AlMushcab and P. Gladyshev. “Forensic analysis of instagram and path on an Android-based HTC one-m8”. Unpublished. 2014
