Detecting Manipulated Smartphone Data on Android and iOS Devices

  • Heloise PieterseEmail author
  • Martin Olivier
  • Renier van Heerden
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 973)


Ever improving technology allows smartphones to become an integral part of people’s lives. The reliance on and ubiquitous use of smartphones render these devices rich sources of data. This data becomes increasingly important when smartphones are linked to criminal or corporate investigations. To erase data and mislead digital forensic investigations, end-users can manipulate the data and change recorded events. This paper investigates the effects of manipulating smartphone data on both the Google Android and Apple iOS platforms. The deployed steps leads to the formulation of a generic process for smartphone data manipulation. To assist digital forensic professionals with the detection of such manipulated smartphone data, this paper introduces an evaluation framework for smartphone data. The framework uses key traces left behind as a result of the manipulation of smartphone data to construct techniques to detect the changed data. The outcome of this research study successfully demonstrates the manipulation of smartphone data and presents preliminary evidence that the suggested framework can assist with the detection of manipulated smartphone data.


Digital forensics Mobile forensics Manipulation Smartphone data Smartphones Android iOS 


  1. 1.
    NetMarketShare: Operating System Market Share. Accessed 04 June 2018
  2. 2.
    Pieterse, H., Olivier, M., van Heerden, R.: Evaluating the authenticity of smartphone evidence. Advances in Digital Forensics XIII. IAICT, vol. 511, pp. 41–61. Springer, Cham (2017). Scholar
  3. 3.
    Ayers, R., Brothers, S., Jansen, W.: Guidelines on mobile device forensics (draft). NIST Special Publication 800 (2013)Google Scholar
  4. 4.
    Albano, P., Castiglione, A., Cattaneo, G., De Maio, G., De Santis, A.: On the construction of a false alibi on the Android OS. In: Third International Conference on Intelligent Networking and Collaborative Systems (INCoS), pp. 685–690. IEEE (2011)Google Scholar
  5. 5.
    Pieterse, H., Olivier, M.: Smartphones as distributed witnesses for digital forensics. In: Peterson, G., Shenoi, S. (eds.) DigitalForensics 2014. IAICT, vol. 433, pp. 237–251. Springer, Heidelberg (2014). Scholar
  6. 6.
    Kala, M., Thilagaraj, R.: A framework for digital forensics in I-devices: jailed and jail broken devices. J. Adv. Libr. Inf. Sci. 2(2), 82–93 (2013)Google Scholar
  7. 7.
    Tsavli, M., Efraimidis, P.S., Katos, V.: Reengineering the user: privacy concerns about personal data on smartphones. Inf. Comput. Secur. 23(4), 394–405 (2015)CrossRefGoogle Scholar
  8. 8.
    Harris, R.: Arriving at an anti-forensics consensus: examining how to define and control the anti-forensics problem. Digit. Invest. 3, 44–49 (2006)CrossRefGoogle Scholar
  9. 9.
    Albano, P., Castiglione, A., Cattaneo, G., De Santis, A.: A novel anti-forensics technique for the Android OS. In: International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 380–385. IEEE (2011)Google Scholar
  10. 10.
    Azedegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S.: Novel anti-forensics approaches for smart phones. In: 45th Hawaii International Conference on System Sciences (HICSS), pp. 5424–5431. IEEE (2012)Google Scholar
  11. 11.
    D’Orazio, C., Ariffin, A., Choo, K.: iOS anti-forensics: how can we securely conceal, delete and insert data? In: 47th Hawaii International Conference o System Sciences (HICSS), pp. 4838–4847. IEEE (2014)Google Scholar
  12. 12.
    Karlsson, K., Glisson, W.: Android anti-forensics: modifying cyanogenMod. In: 47th Hawaii International Conference of System Sciences (HICSS), pp. 4828–4837. IEEE (2014)Google Scholar
  13. 13.
    Zheng, J., Tan, Y., Zhang, X., Liang, C., Zhang, C., Zheng, J.: An anti-forensics method against memory acquiring for Android devices. In: International Conference on Computational Science and Engineering (CSE) and Embedded and Ubiquitous Computing (EUC), pp. 214–218. IEEE (2017)Google Scholar
  14. 14.
    Verma, R., Govindaraj, J., Gupta, G.: Preserving dates and timestamps for incident handling in Android smartphones. In: Peterson, G., Shenoi, S. (eds.) DigitalForensics 2014. IAICT, vol. 433, pp. 209–225. Springer, Heidelberg (2014). Scholar
  15. 15.
    Govindaraj, J., Verma, R., Mata, R., Gupta, G.: iSecureRing: forensic ready secure iOS apps for jailbroken iPhones. In: 35th IEEE Symposium on Security and Privacy (2014)Google Scholar
  16. 16.
    Pieterse, H., Olivier, M., van Heerden, R.: Playing hide-and-seek: detecting the manipulation of Android timestamps. In: Information Security for South Africa, pp. 1–8. IEEE (2015)Google Scholar
  17. 17.
    Lessard, J., Kessler, G.: Android forensics: Simplifying cell phone examinations. Small Scale Digit. Dev. Forensics J. 4(1), 1–12 (2010)Google Scholar
  18. 18.
    Android: Platform architecture. Accessed 04 Oct 2017
  19. 19.
    Zimmermann, C., Spreitzenbarth, M., Schmitt, S., Freiling F.C.: Forensic analysis of YAFFS2. In: Sicherheit, pp. 59–69 (2012)Google Scholar
  20. 20.
    Kim, H.-J., Kim, J.-S.: Tuning the EXT4 filesystem performance for Android-based smartphones. In: Sambath, S., Zhu, E. (eds.) Frontiers in Computer Education, vol. 133, pp. 745–752. Springer, Heidelberg (2013). Scholar
  21. 21.
    Tamma, R., Tindall, D.: Learning Android Forensics. Packt Publishing Ltd., Birmingham/Mumbai (2015)Google Scholar
  22. 22.
    Tracy, K.: Mobile application development experiences on Apple’s iOS and Android OS. IEEE Potentials 31(4), 30–34 (2012)CrossRefGoogle Scholar
  23. 23.
  24. 24.
    Kanoi, M., Jdiet, Y.: Internal structure of iOS and building tools for iOS apps. Int. J. Comput. Sci. Appl. 6(2), 220–225 (2013)Google Scholar
  25. 25.
    Tamura, E., Giampaolo, D.: Introducing Apple file system. Technical report. Apple, Inc. (2016)Google Scholar
  26. 26.
    Epifani, M., Stirparo, P.: Learning iOS Forensics. Packt Publishing Ltd., Birmingham/Mumbai (2016)Google Scholar
  27. 27.
    Zdziarski, J.: iPhone Forensics: Recovering Evidence, Personal Data and Corporate Assets, 1st edn. O’Reilly Media Inc., Sebastopol (2008)Google Scholar
  28. 28.
    Egele, M., Kruegel, C., Kirda, E., Vigna, G.: PiOS: detecting privacy leaks in iOS applications. In: NDSS, pp. 177–183 (2011)Google Scholar
  29. 29.
    Jeon, S., Bang, J., Byun, K., Lee, S.: A recovery method of deleted record for SQLite database. Pers. Ubiquit. Comput. 16(6), 707–715 (2012)CrossRefGoogle Scholar
  30. 30.
    SQLite: About SQLite. Accessed 24 Apr 2018
  31. 31.
    Patodi, P.: Database recovery mechanism for Android devices. Ph.D. thesis. Indian Institute of Technology, Bombay (2012)Google Scholar
  32. 32.
    SQLite: Database file format. Accessed 24 Apr 2018
  33. 33.
    SQLite: Write-ahead logging. Accessed 24 Apr 2018
  34. 34.
    SQLite: Command line shell for SQLite. Accessed 25 Apr 2018
  35. 35.
    Android Studio: Android debug bridge (ADB). Accessed 13 Jan 2018
  36. 36.
    Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Heloise Pieterse
    • 1
    • 2
    Email author
  • Martin Olivier
    • 2
  • Renier van Heerden
    • 3
    • 4
  1. 1.Defence, Peace, Safety and Security, Council for Scientific and Industrial ResearchPretoriaSouth Africa
  2. 2.Department of Computer ScienceUniversity of PretoriaPretoriaSouth Africa
  3. 3.National Integrated Cyber Infrastructure SystemCouncil for Scientific and Industrial ResearchPretoriaSouth Africa
  4. 4.School of Information and Communication TechnologyNelson Mandela UniversityPort ElizabethSouth Africa

Personalised recommendations