Abstract

The rapidly changing and diverse landscape of instant messaging applications has significantly impacted the field of mobile forensics. To tackle this problem, existing practices and research in mobile forensics often rely on experts to write reverse engineering scripts, based on their experience and background knowledge, to handle the various database architectures of instant messaging applications on the market. However, this approach is often insufficient because these applications change so rapidly. We therefore propose a novel mobile forensics method for identifying conversation-related columns and tables in various instant messaging applications. Our method uses content-based features of columns combined with a matching algorithm developed specifically for the data schema of instant messaging applications. It can identify conversation-related data without relying on table and column names, making it a more flexible and advanced analysis technique. In this paper, we apply the proposed method to authenticate several popular instant messaging applications, including LINE, Messenger, WhatsApp, and Kik, as well as the open-source instant messaging application Rocket.chat, which is not currently supported by existing tools. Our methodology overcomes the limitations of previous works that only supported available instant messaging applications through reverse engineering scripts. By automating the identification process, our method achieved a filtering rate of irrelevant data of at least 88% for each instant messaging application, improving the NIST-compliant mobile forensics process by reducing investigator time and training requirements while increasing accuracy and efficiency.
