Earlier this year Australian tourism operators in NSW and Victoria were the target in a phone scam using the popular Chinese messaging app WeChat resulting in businesses refunding over $400,000 to legitimate owners of credit cards.
The scam involved tickets to tourist attractions bought with stolen credit cards being on-sold at discounted rates to unsuspecting Chinese tourists via the popular WeChat app. The broader investigation of these and other scams often involves the forensic imaging and analysis of modern smartphones, which with the increasing use of encryption and security features is a double edged sword. Increased security functionality is rightly designed to protect users, but often frustrates forensic investigators.
The Australian Government is currently seeking to implement new legislation to enable access to information on encrypted messaging apps and devices. As the Prime Minister, Malcolm Turnbull noted, “The reality is, just as the rule of law prevails in the analogue world, so it must prevail in the cyber world.”
Investigation action can be severely hampered if the data is encrypted or the mobile device is one with updated security or encryption features. In such cases, where the user credentials are obtained or provided, action can be taken and potential evidence gathered. In the WeChat scam, the culprit’s phone(s) could provide a wealth of information to Police investigators.
Most messaging applications leave traces of information obscured behind the glossy interface and, in many instances it is not encrypted. User and contact information, even after deletion, can remain on your phone, hidden within the app itself and containing important remnants of the user’s identity, contacts and other data. This information is separate to your usual contact list and can remain even if you delete all your phonebook contacts.
So what specifically can we find and how does this help the investigative team catch the perpetrator?
The integrity of data on any device is important, especially if the evidence is to be presented in legal proceedings. As such all activity undertaken by the forensic professional should be verifiable and repeatable. Maintaining the integrity of the data is paramount to any investigation.
This is what we often find:
- User credentials and phone number: Apps often ask users to log in with their user credentials e.g. username and password, PIN, or authentication tokens. Some apps store these credentials along with the phone number of the user in the background. It is often not secured.
- Address book and contact ID: Communication apps generally import the phone address book into their local database separate to the phone’s contact list and sometimes require a user to create a personal contact ID.
- Blocked/ hidden/ deleted contacts: A user may block, hide or delete someone from the contact list and deny contact but these actions don’t necessarily remove the data from the phone.
- Group chat members and status messages: Who was sending/ receiving messages from a particular group and the publicly shared status of the users. Exchanged messages contain text, multimedia and group message communications. Some apps allow the user to have hidden chats, and in some cases, the apps store this data in their databases.
Overall, even if a user, or indeed the investigator, may think information is deleted we can potentially compile a list of contacts, determine when a contact was added, find the blocked/hidden/deleted contacts, and reconstruct the chronology of exchanged text and multimedia messages. This can assist in compiling a timeline of conversations, including the identity of the participants.
Forensic software continues to try and maintain pace with ever enhanced security protection measures, but hurdles, both physical and ethical, remain in overcoming the delicate balance between security and investigative requirements. The issue of whether legislative action, or device manufacturers, should provide a means for investigators to bypass the very security designed to protect users data is a complex one that balances the individual right to privacy against the need to expose those that take advantage of this same protection to evade identification.
It is a question with no easy answer and one which will continue to drive debate.
About the authors
Abdullah Azfar is a Consultant in the Forensic Technology team. He specialises in Digital Forensic and Security. He has completed his PhD from the University of South Australia in Mobile Device Forensics.
Stan Gallo is a Partner in KPMG Forensic and former Queensland detective.