Mobile Networks and Applications

, Volume 22, Issue 2, pp 240–254 | Cite as

The Role of Mobile Forensics in Terrorism Investigations Involving the Use of Cloud Storage Service and Communication Apps

  • Niken Dwi Wahyu Cahyani
  • Nurul Hidayah Ab Rahman
  • William Bradley Glisson
  • Kim-Kwang Raymond Choo


Mobile technologies can be, and have been, exploited in terrorist activities. In this paper, we highlight the importance of mobile forensics in the investigation of such activities. Specifically, using a series of controlled experiments on Android and Windows devices, we demonstrate how mobile forensics techniques can be used to recover evidentiary artefacts from client devices. There are three simulation scenarios, namely: (1) information propagation, (2) information concealment and (3) communications. The experiments used three popular cloud apps (Google Drive, Dropbox, and OneDrive), five communication apps (Messenger, WhatsApp, Telegram, Skype and Viber), and two email apps (GMail and Microsoft Outlook). The evidential data was collected and analysed using mobile forensics and network packet analyser tools. The correlation of evidence artefacts would support to infer illegal use of mobile devices. This study also highlights the extent of acquired evidence between Android and Windows devices, in which Android presents more evidentiary value.


Android device forensics Cloud app forensics Mobile forensics Terrorist investigations Windows phone forensics 



The authors thank the anonymous reviewers for providing constructive and generous feedback. Despite their invaluable assistance, any errors remaining in this paper are solely attributed to the authors. This paper is an extended conference version [35], with more than 50% new content.


  1. 1.
    Australian Government (2010) Securing Australia: Protecting Our Community. Accessed 28 February 2016
  2. 2.
    Choo K-KR (2013) New payment methods: a review of 2010–2012 FATF mutual evaluation reports. Comput Secur 36:12–26CrossRefGoogle Scholar
  3. 3.
    Choo K-KR (2014) Designated non-financial businesses and professionals: a review and analysis of recent financial action task force on money laundering mutual evaluation reports. Secur J 27(1):1–26CrossRefGoogle Scholar
  4. 4.
    Federal Bureau of Investigation (2016) Statement to Address Misleading Reports that the County Of San Bernardino Reset Terror Suspect’s Iphone without Consent of the FBI Accessed 28 Februari 2016
  5. 5.
    Ab Rahman N, Choo K (2015) Integrating digital forensic practices in cloud incident handling: A conceptual cloud incident handling model. In: KO R, CHOO K-KR (eds) Cloud Security Ecosystem. Syngress, an Imprint of Elsevier, Waltham, pp. 383–400CrossRefGoogle Scholar
  6. 6.
    Amble JC (2012) Combating terrorism in the new media environment. Stud Conf Terror 35(5):339–353CrossRefGoogle Scholar
  7. 7.
    UNODC (2012) The Use of the Internet for Terrorist Purposes. Accessed 28 February 2016
  8. 8.
    Ogun MN (2012) Terrorist use of internet: possible suggestions to prevent the usage for terrorist purposes. J Appl Secur Res 7(2):203–217CrossRefGoogle Scholar
  9. 9.
    Choo K-KR (2008) Organised crime groups in cyberspace: a typology. Trends in Organized Crime 11(3):270–295CrossRefGoogle Scholar
  10. 10.
    Choo K-KR, Smith RG, McCusker R (2007) Future directions in technology-enabled crime: 2007–09. Research and public policy no 78. Australian Institute of Criminology, CanberraGoogle Scholar
  11. 11.
    Zielińska E, Mazurczyk W, Szczypiorski K Trends in steganography. Commun ACM 57(3):86–95Google Scholar
  12. 12.
    Choo K-KR SR, Walters J, Bricknell S (2013) Perceptions of money laundering and financing of terrorism in the Australian legal profession. Research and public policy no 122(1). Australian Institute of Criminology, CanberraGoogle Scholar
  13. 13.
    Walters J, Budd C, Smith R, Choo K, McCusker R, Rees D (2012) Anti-money laundering and counter-terrorism financing across the globe: a comparative study of regulatory action. Research and public policy no 113. Australian Institute of Criminology, CanberraGoogle Scholar
  14. 14.
    Mishra S (2003) Exploitation of information and communication technology by terrorist organisations. Strateg Anal 27(3):439–462CrossRefGoogle Scholar
  15. 15.
    Ayers R, Brothers S, Jansen W (2014) Guidelines on mobile device forensics. NIST Special Publication 800 (101 Revision 1)Google Scholar
  16. 16.
    Grispos G, Storer T, Glisson WB (2011) A comparison of forensic evidence recovery techniques for a windows mobile smart phone. Digit Investig 8(1):23–36CrossRefGoogle Scholar
  17. 17.
    Tassone C, Martini B, Choo K-KR, Slay J (2013) Mobile device forensics: a snapshot. Trends issues crime Crim. Justice no. 460: 1–7. Australian Institute of Criminology, CanberraGoogle Scholar
  18. 18.
    Glisson WB, Storer T, Buchanan-Wollaston J (2013) An empirical comparison of data recovered from mobile forensic toolkits. Digit Investig 10(1):44–55CrossRefGoogle Scholar
  19. 19.
    Cahyani NDW, Martini B, Choo KKR, Al-Azhar A (2016) Forensic data acquisition from cloud-of-things devices: Windows smartphones as a case study. Concurrency and Computation: Practice and ExperienceGoogle Scholar
  20. 20.
    Chung H, Park J, Lee S, Kang C (2012) Digital forensic investigation of cloud storage services. Digit Investig 9(2):81–95CrossRefGoogle Scholar
  21. 21.
    McKemmish R (1999) What is forensic computing? Trends issues crime Crim. Justice no. 118:1–6. Australian Institute of Criminology, CanberraGoogle Scholar
  22. 22.
    Martini B, Do Q, Choo K-KR (2015) Mobile cloud forensics: An analysis of seven popular Android apps. In: KO R, CHOO K-KR (eds) Cloud Security Ecosystem. Syngress, an Imprint of Elsevier, Waltham, pp. 309–345CrossRefGoogle Scholar
  23. 23.
    Ariffin A, D'Oorazio C, Choo K-KR, Slay J (2013) iOS Forensics: How can we recover deleted image files with timestamp in a forensically sound manner? In: Proceedings of the 8th International Conference on Availability, Reliability and Security, Regensburg, Germany, Sept 2–6, 2013 (IEEE), 375–382Google Scholar
  24. 24.
    Leom MD, DOrazio CJ, Deegan G, Choo K-KR (2015) Forensic Collection and Analysis of Thumbnails in Android. In: Proceedings of the 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communication, Helsinki, Finland, Aug 20–22, (IEEE) 1059–1066Google Scholar
  25. 25.
    Berman KJ, Glisson WB, Glisson LM (2015) Investigating the Impact of Global Positioning System Evidence. In: Hawaii International Conference on System Sciences, Hawaii, Jan 5–8, 2015 (IEEE), 5234–5243Google Scholar
  26. 26.
    McMillan JER, Glisson WB, Bromby M (2013) Investigating the increase in mobile phone evidence in criminal activities. In: Hawaii International Conference on System Sciences, Wailea, Hawaii, Jan 7–10, 2013 (IEEE), 4900–4909Google Scholar
  27. 27.
    Grispos G, Glisson WB, Storer T (2015) Recovering residual forensic data from smartphone interactions with cloud storage providers. In: KO R, CHOO K-KR (eds) Cloud Security Ecosystem. Syngress, an Imprint of Elsevier, WalthamGoogle Scholar
  28. 28.
    Al Mutawa N, Baggili I, Marrington A (2012) Forensic analysis of social networking applications on mobile devices. Digit Investig 9:S24–S33CrossRefGoogle Scholar
  29. 29.
    Farhood ND, Dehghantanha A, Eterovic-Soric B, Choo K-KR (2015) Investigating social networking applications on smartphones detecting Facebook, twitter, LinkedIn and Google + artefacts on android and iOS platforms. Aust J Forensic Sci:1–20Google Scholar
  30. 30.
    Anglano C (2014) Forensic analysis of WhatsApp messenger on android smartphones. Digit Investig 11(3):201–213CrossRefGoogle Scholar
  31. 31.
    Azfar A, Choo K-KR, Liu L (2015) Forensic Taxonomy of Popular Android mHealth Apps. In: Proceedings of the 21st Americas Conference on Information SystemsGoogle Scholar
  32. 32.
    Sgaras C, Kechadi M-T, Le-Khac N-A (2015) Forensics Acquisition and Analysis of Instant Messaging and VoIP Applications. In: Garain U, Shafait F (eds) Computational Forensics. Springer, Switzerland, pp. 188–199CrossRefGoogle Scholar
  33. 33.
    Oates BJ (2005) Researching information systems and computing. Sage Publications, London, p. 341Google Scholar
  34. 34.
    Ab Rahman NH, Cahyani NDW, Choo KKR (2016) Cloud incident handling and forensic-by-design: cloud storage as a case study. Concurrency and Computation: Practice and ExperienceGoogle Scholar
  35. 35.
    Cahyani NDW, Ab Rahman NH, Xu Z, Glisson WB, Choo KKR (2016) The role of mobile forensics in terrorism investigations involving the use of cloud apps. In: Proceedings of the 9th International Conference on Mobile Multimedia CommunicationsGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. 1.School of Information Technology & Mathematical SciencesUniversity of South AustraliaAdelaideAustralia
  2. 2.Telkom UniversityBandungIndonesia
  3. 3.Universiti Tun Hussein Onn MalaysiaKuala LumpurMalaysia
  4. 4.School of ComputingUniversity of South AlabamaMobileUSA
  5. 5.Department of Information Systems and Cyber SecurityThe University of Texas at San AntonioSan AntonioUSA

Personalised recommendations