8/15/2019 Analysis of Forensic Artifacts of Tinder on iPhone
Analysis of Forensically Significant Artifacts of Tinder App on iPhone

Niall Heffernan

A minor dissertation submitted in part fulfilment of the degree of MSc in Digital Investigation and Forensic Computing with the supervision of Dr. Pavel Gladyshev

School of Computer Science and Informatics
University College Dublin
17th August 2013

Table of Contents

1. Introduction
  1.1 Project Scope
  1.2 The Smartphone
  1.3 Tinder
2. Literature Survey
  2.1 Apple File System Programming Guide [8]
  2.3 iPhone/iPod Touch Forensics Manual [10]
  2.4 Forensic Analysis of the Burner App for the iPhone by Digital Forensics Tips [11]
3. SQLite Database and PLIST Files
  3.1 SQLite Databases
  3.2 PLIST Files
4. iTunes Backup File Acquisition
5. Acquisition and Analysis Software
  5.1 iPhone Backup Extractor
  5.2 iBackupBot
  5.3 iPhone Analyzer
  5.4 SQLite Database Browser
6. Analysis Method
7. Results and Findings
  7.1 Tinder.sqlite Database file
  7.5 Forensic Significance of Findings
8. Conclusions and Future Work
Bibliography
Images

1. Introduction

1.1 Project Scope
The purpose of this dissertation is to forensically examine significant artefacts present on an iPhone after the installation and use of mobile dating applications. There are many applications available for smartphones that help users meet potential partners. There is, however, a risk associated with the level of anonymity a user can have on dating applications, as there exists the potential for predators to attract and lure vulnerable users. If such a case were to arise, evidence found from mobile dating applications could prove to be of the utmost significance. Due to time constraints and resources, the scope of this dissertation is to focus only on the dating application Tinder [6], which is discussed in more detail in the following sections.

1.2 The Smartphone
The smartphone has taken over the world as the must-have tool in the area of technology. Out of 5 billion mobile phone owners in the world, 1.08 billion of them own a smartphone [1]. Apart from the basic features of a mobile phone such as calling and texting, this percentage of the population also use smartphones to access their email, go online, use social networks, bank online and play games, and can even use their smartphones as a GPS device.

Smartphones run on many different operating systems. Currently the two leaders in the market are the Google Android operating system and Apple iOS. The Google Android OS holds 41.1% of the market share while Apple iOS holds 17.3% [2]. This is largely due to an abundance of affordable Android phones available on the market, which in turn is made available by the various versions of the Android OS. Apple, on the other hand, releases a new version of their iPhone software less frequently.

Another desirable feature of smartphones is the ability to download applications to a person’s phone on the move through smartphone providers’ app stores. In 2012 Apple reported offering more than 550,000 apps on their app store and celebrated 25 billion downloads [3], while Google Android claims to have 700,000 apps on their Google Play app store [4]. An influential factor in these statistics is that anyone with programming knowledge can develop apps independently and host them on the various app markets.

One of the major uses of smartphones is social networking. It was found that smartphone users spend 9 hours 6 minutes per month on social networks [5]; this includes the use of Twitter and Facebook amongst other social networking applications. Along with social networking, a new trend of using smartphones for online dating has emerged, with a number of applications developed to assist people in meeting potential partners. The purpose of this dissertation is to focus on one of these dating applications and to forensically examine artefacts that can be left behind after use of the application.

1.3 Tinder
Tinder is a dating application available for both iPhone and Android devices. The Tinder website describes Tinder as “A fun way to meet people” [6]. In order to use Tinder, a user must have a Facebook account with which to sign into the application. Once the user has created a Tinder account, their current Facebook profile picture is set as their default Tinder profile picture. The user then has the option to add more photos of themselves to their Tinder account. These photos may be viewed by other Tinder users.

Once the user has set up their account they can select whether they are looking to meet females, males or both. They can then limit the search radius to search for other users from anywhere within a 10 mile to a 100 mile radius. It is also possible to limit the age profiles of potential matches. Once the user has completed their search criteria, the Tinder app presents them with potential matches sequentially. The user has the choice to either ‘like’ the person they are matched with by pressing a heart icon on the interface or select the dislike option, which is depicted as an ‘X’ symbol. A match occurs if two users happen to mutually ‘like’ each other. They are then given the option to private message each other and arrange to meet. Tinder only provides a user’s first name to potential matches; it also shows if the two parties involved have any mutual friends or shared interests on Facebook.

Tinder provides a level of anonymity by only displaying first names. However, because it shows whether users share mutual friends on Facebook, it is quite simple to find a user’s identity by a simple search through a mutual friend’s profile. The main danger, however, lies in the terms of use on Tinder’s website [6], where it states that a user “…must be at least 13 years old...” to use the application. Since anyone can create a Facebook account using a fake age, they can also sign up to use Tinder, where they may be exposed to potential threats. According to a blog in the New York Times [7], Tinder is being downloaded 20,000 times a day, and with no way of screening or vetting new users it is open to use by potentially dangerous characters.

2. Literature Survey

In order to be sure that the investigation being undertaken presents the most accurate results, it is important to undertake research to better understand the techniques used for the analysis and to have knowledge of the file system structure of the iPhone, along with knowledge of the best tools to use. The following section summarises various readings that were carried out during the process of this analysis. Forensic analysis of smartphones is still quite new in the area of computer forensics; as a result, the amount of literature on this topic is very limited. Despite this, the following literature provides good insights into iPhone forensic analysis.

2.1 Apple File System Programming Guide [8]
Apple has provided a comprehensive guide for developers who are looking to begin developing applications for the Apple app store or for their own personal use. The guide is called Apple File System Programming Guide. For the scope of this project only certain sections of the document were examined. Section 2: File System Basics gives an in-depth overview of the file structure created by applications within the overall file system of the device. The guide describes where a developer should place their application’s files for best efficiency. This document also gives a comprehensive overview of the various directories of the iOS file system and what files reside in each directory. From an investigation point of view this knowledge is very useful, as it provides starting points for locating potential evidential artefacts. The guide also provides information on hidden directories that are present on the device. As the scope of this project is to focus on artefacts created by an application, this document is useful as it states the location on the file system where specific application files are stored. This document can serve as an investigator’s roadmap to the iOS file system, pointing them to files of forensic significance.

2.2 Forensic Analysis on iOS Devices [9]
Forensic Analysis on iOS Devices focuses on many areas of iOS forensics. This paper provides an overview of the HFS+ (Hierarchical File System) in use on iOS devices, an overview of SQLite database files and PLIST (property list) files, and how to perform acquisitions both from the iTunes backup file and through physical acquisition of iOS devices. The section related to HFS+ gives a good overview of the make-up of the file system by providing information about the HFS+ allocation file, the extents overflow file and the HFS+ catalogue file. This paper also describes two prevalent file types used by iOS. These are SQLite databases and PLIST files, which are discussed in more detail in a later section entitled “SQLite Databases and PLIST Files”. There are also sections relating to the processes of acquiring images of an iOS device for further examination; the paper describes the use of iTunes backup for investigation and provides suggested software that can be used to examine these backup files. Another section of this paper describes methods for physically acquiring iOS images and provides suggested software that can be used to carry out physical acquisitions.

2.3 iPhone/iPod Touch Forensics Manual [10]
This article written by Jonathan A. Zdziarski gives a good in-depth analysis of performing forensic investigations on iPhone devices. The article covered subjects such as disk layouts, power-on device modifications, performing forensic recovery and electronic discovery. For the scope of this report, the section entitled “Electronic Discovery” provided the main focus for this investigation. This section provided an overview of both SQLite databases and property lists. This section also provided a list of other forensically significant files along with a short description of each file and its location within the file system. This was useful as it provided information that could support a further in-depth investigation into the device user’s actions and movements; however, with the scope of this investigation being focused on a single application, files other than SQLite and PLIST files were not needed, as they are outside the scope of this project.

2.4 Forensic Analysis of the Burner App for the iPhone by Digital Forensics Tips [11]

This article provides an analysis of an iPhone application called Burner. This application allows users to purchase disposable phone numbers for temporary use. While this application has no relation to the application being examined as part of this project, the techniques used proved useful when running analysis on the Tinder dating application. It provided information on relevant files within the application’s directory on the device. Since iPhone application development follows a set of rules, the structure of application directories is near uniform, meaning investigation of the Burner app has significance in the investigation of the Tinder app.

3. SQLite Database and PLIST Files
The literature surveyed in the previous section all discussed the forensic significance of SQLite database and PLIST files within iPhone forensic analysis. This section provides further information on both file types in terms of their structure and forensic significance within an investigation.

3.1 SQLite Databases
SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine [12]. Since SQLite databases are serverless they can be embedded into applications with ease and read from and written to disk files. SQLite is frequently used in portable devices because its databases are quite compact and do not take up much space on memory-constrained devices; they also perform well on low-memory devices. SQLite is provided to users free of charge for commercial and private use; for this reason SQLite is commonly used by app developers as a means for their app to store data.

3.2 PLIST Files

PLIST files are also known as Property List files [13]. These files are the Macintosh equivalent to the Windows registry. They contain OS information such as application settings, user preferences and security settings [13]. PLIST files are XML files, meaning they can be viewed using any XML editor or a text editor. Every application on iOS devices uses an info.plist file [14], which contains configuration settings for the application.

4. iTunes Backup File Acquisition
In the scope of this project it is assumed that the iPhone device is unavailable to investigators in the case of a kidnapping. It is therefore necessary to be able to examine the contents of an iOS device without having physical access to it. Apple has created a method that creates backups of an iOS device in the case of critical failure. When an iPhone is registered to an iTunes account, a backup of the iPhone is taken when the device is synced to iTunes, with the backup stored on the computer. iTunes creates a folder on the computer with the device UDID (Unique Device ID) [15] as the name; this UDID is 40 hexadecimal characters long. The device contents are then copied to this folder. As the analysis for this project is being carried out using Mac OS X, the location of iPhone backups is: /Library/Application Support/MobileSync/Backup. The following section will outline software that can open these backups in a readable format, allowing a forensic analysis to be carried out.
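
As an added example (not part of the original dissertation), the following Python code enumerates the UDID-named backup folders described above and orders them by backup date so that the most recent backup can be selected for analysis. The backup root is supplied by the caller, and the Info.plist key names ("Device Name", "Product Version", "Last Backup Date") and all sample data are assumptions constructed for illustration.

```python
import plistlib
import re
import tempfile
import xml.parsers.expat
from datetime import datetime
from pathlib import Path

# iTunes names each backup folder after the device UDID: 40 hexadecimal characters.
UDID_RE = re.compile(r"[0-9a-fA-F]{40}")


def read_info_plist(backup_dir):
    """Return the backup's Info.plist as a dict, or {} if it is missing or unreadable."""
    try:
        with (backup_dir / "Info.plist").open("rb") as fh:
            data = plistlib.load(fh)  # reads both XML and binary property lists
    except (OSError, plistlib.InvalidFileException, xml.parsers.expat.ExpatError):
        return {}
    return data if isinstance(data, dict) else {}


def list_backups(backup_root):
    """Summarise every UDID-named folder under backup_root, most recent backup first."""
    backups = []
    for entry in sorted(Path(backup_root).iterdir()):
        if not entry.is_dir() or not UDID_RE.fullmatch(entry.name):
            continue  # not a device backup folder
        info = read_info_plist(entry)
        last = info.get("Last Backup Date")
        backups.append({
            "udid": entry.name.lower(),
            "path": entry,
            # Key names are assumptions based on typical iTunes Info.plist files.
            "device_name": info.get("Device Name"),
            "ios_version": info.get("Product Version"),
            "last_backup": last.replace(tzinfo=None) if isinstance(last, datetime) else None,
        })
    # Folders without a usable date sort last so they are still listed for review.
    backups.sort(key=lambda b: b["last_backup"] or datetime.min, reverse=True)
    return backups


def build_sample_root():
    """Create a constructed backup root: two valid backups, one damaged, one unrelated."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync_"))
    samples = {
        "a" * 40: {"Device Name": "Sample iPhone", "Product Version": "6.1.3",
                   "Last Backup Date": datetime(2013, 8, 1, 10, 0, 0)},
        "0123456789abcdef0123456789abcdef01234567": {
            "Device Name": "Older Sample", "Product Version": "6.1.2",
            "Last Backup Date": datetime(2013, 6, 15, 9, 30, 0)},
    }
    for udid, info in samples.items():
        (root / udid).mkdir()
        with (root / udid / "Info.plist").open("wb") as fh:
            plistlib.dump(info, fh)
    damaged = root / ("b" * 40)
    damaged.mkdir()
    (damaged / "Info.plist").write_bytes(b"not a property list")
    (root / "Snapshots").mkdir()  # ignored: name is not a 40-character hex UDID
    return root


if __name__ == "__main__":
    for b in list_backups(build_sample_root()):
        print(b["last_backup"], b["udid"], b["device_name"], b["ios_version"])
```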

5. Acquisition and Analysis Software
This section will outline and describe software available for the acquisition and forensic analysis of iPhone devices. As mentioned in the previous section, the analysis of the iPhone will be carried out on a backup taken by iTunes the last time the device was synced. Only software that can read and present the backup files in a readable format will be examined.

In order to examine the backup files of the iOS device, appropriate software was needed to present the data in a readable format. The criteria for the software were that it needed to be free to use, did not require the purchase of a license and was compatible with Mac OS X. With the criteria decided upon, a search was conducted to identify potential software. The articles mentioned in the previous section outlined a number of software packages that can be used to perform an analysis of iTunes backups. The following sections list potential software and their main attributes.

5.1 iPhone Backup Extractor

The iPhone Backup Extractor [16] is cross-platform software that automatically finds iTunes backup files if they are present on a system. iPhone Backup Extractor was developed by reincubate technology, media and data (http://www.reincubate.com). The software provides the user with the ability to recover various artefacts from an iPhone device such as contacts, call history, SMS, video and, most importantly, app files.

While this software met a number of the criteria needed to complete this project, there were some negative aspects which ultimately led to the decision not to use it for this project. One aspect was the fact that it did not include any functionality to view discovered files within the software; instead, any files discovered needed to be extracted to a location on the local machine and then opened using external viewer programs. This proved to be quite tedious and time consuming. Another issue arose regarding the installation procedure. In order to install the software on Mac OS X the user needs to install various libraries to the system, such as the Mono framework (http://www.mono-project.com) and X11 libraries. The software then had to be run through the command line using the Mono framework, which proved troublesome and encountered a number of issues.

5.2 iBackupBot
iBackupBot [17], much like iPhone Backup Extractor, automatically detects iTunes backups on the system. However, this software presents the contents of the backup to the user in the form of a file-tree structure. This makes navigation through the various files easy and also provides good reference points in relation to the locations of certain files in the backup.

Unlike the iPhone Backup Extractor software, iBackupBot also contains various editors and viewer programs for viewing and editing PLIST files, SQLite files, images, messages or call logs. There is also the option to export data to the local machine if the user wants to keep certain documents in an easy-to-find location and view them using applications of their choice. This software seems ideal for meeting the requirements of this project, as it contains more features than iPhone Backup Extractor and is easier to install; however, the developers only allow a 7-day free trial. After the initial trial expires the user needs to purchase the software, which was beyond the resources available to the project. For this reason iBackupBot was not selected for this assignment.

5.3 iPhone Analyzer

The iPhone Analyzer software developed by Crypticbit [18], like the other programs mentioned in this section, automatically detects an iTunes backup on the system and imports it into the software. The GUI presents the user with information about the device that it procures from the device’s info.plist file. The software also provides two options for viewing a device’s data. The first option is ‘Bookmarks’, which are the most likely places an individual would search for information, such as the address book, location map, messages and call logs. These are presented to the user in a readily accessible way in the main window of the GUI. The second way an individual can search through data is by using the file system view; this view reconstructs the structure of the device’s file system and presents it to the user in a tree structure. iPhone Analyzer also contains an embedded SQLite browser and a viewer to display PLIST files in XML format.

iPhone Analyzer also provides a comprehensive, easy-to-follow manual outlining all the features that are contained in the software. The software is also freely available to download from SourceForge. For these reasons iPhone Analyzer was chosen for this project as the primary analysis software.

5.4 SQLite Database Browser
SQLite Database Browser [19] was chosen as a secondary viewing tool for SQLite files. This browser was used over the embedded browser contained in iPhone Analyzer as it is easier to execute SQL commands through its interface. The software is also freely available to download from SourceForge with no additional costs.

6. Analysis Method
The scope of this project is to examine the forensically significant artefacts that are present on an iPhone after the installation of the mobile dating application Tinder. In order to have a focus when deciding on what may or may not be forensically significant, a simple scenario was put in place. The scenario focuses on a young underage teenager who has gone missing, and it is believed they may have been communicating with someone on Tinder. As the device is believed to be on the person, it is not possible to take a physical image of the device itself, so an analysis needs to be conducted on the last backup from the missing person’s iTunes account.

The goal of the analysis is to find any information from the backup that may help further the investigation, such as chat history, usernames and location history. Tinder version 2.1.0 was downloaded to an iPhone 4S running iOS 6.1.3. The device was used as it would be in normal circumstances to collect real-life data. Once a sufficient amount of data was collected from the everyday use of Tinder, the most recent backup of the iPhone was located and loaded into the iPhone Analyzer program. The contents of the Tinder application directory were then examined, the focus being on the tinder.sqlite file. This SQLite file was extracted and opened using SQLite Database Browser. Once the SQLite database was exported from iPhone Analyzer and opened in the viewer, an analysis of the database was conducted, with the results of the analysis described in the following section.

7. Results and Findings
The following sections outline and present the findings of the analysis of the files extracted from the iPhone device following the data collection method that was carried out in the previous section.

7.1 Tinder.sqlite Database file
An SQLite database file named Tinder.sqlite was extracted. Figure 1 below shows the structure of the Tinder.sqlite database; it displays the tables contained within Tinder.sqlite along with each table’s list of fields.

ZMESSAGE
• Z_PK
• Z_ENT
• Z_OPT
• ZINBOUND
• ZUSER
• ZCREATIONDATE
• ZBODY

ZUSER
• Z_PK
• Z_ENT
• Z_OPT
• ZCOMMONFRIENDCOUNT
• ZCOMMONLIKECOUNT
• ZGENDER
• ZHASIMAGE
• ZHASUNVIEWEDMESSAGES
• ZISACTIVE
• ZISMATCH
• ZISRECOMMENED
• ZISUNSEENEWMATCH
• ZSERVERMESSAGECOUNT
• ZBIRTHDATE
• ZCHATLASTVIEWED
• ZDISTANCEMILES
• ZLASTACTIVITYDATE
• ZDISTANCEINMILES
• ZLASTACTIVITYDATE
• ZMATCHEDDATE
• ZPINGTIME
• ZBIO
• ZFACEBOOKID
• ZMATCHID
• ZNAME
• ZUSERID
• ZIMAGE

ZPROCESSEDPHOTO
• Z_PK
• Z_ENT
• Z_OPT
• Z_PHOTO
• ZHEIGHT
• ZWIDTH
• ZREMOTEURL

Z_5SHAREDFRIENDS
• Z_5SHAREDFRIENDS
• REFLEXIVE

Z_PRIMARYKEY
• Z_ENT
• Z_NAME
• Z_SUPER
• Z_MAX

Z_METADATA
• Z_VERSION
• Z_UUID
• Z_PLIST

ZLIKE
• Z_PK
• Z_ENT
• Z_OPT
• ZUSER
• ZCATEGORY
• ZFACEBOOKID
• ZNAME
• ZREMOTEIMAGEURL
• ZIMAGE

ZPHOTO
• Z_PK
• Z_ENT
• Z_OPT
• ZUSER
• Z_FOK_USER
• ZORIGINX
• ZORIGINY
• ZSIZEHEIGHT
• ZSIZEWIDTH
• ZPHOTOID
• ZREMOTEURL

Figure 1. Structure of Tinder.sqlite Database File

A number of the tables listed above have duplicate fields within them, but the most forensically relevant tables discovered were ZMESSAGE and ZUSER. The following sections will outline the data contained in each of these tables.

7.2 ZMESSAGE Table

This table contains all information relating to any private chat messages that have been sent between people who have mutually ‘liked’ each other using the application. A summary of the information stored in each field is as follows:

ZBODY: This field contains the body of any messages sent between two ‘matches’ privately. Messages are stored in individual rows, and every time a message is sent or received the body of that message is stored in a new row.

ZINBOUND: This field contains a numeric value, the purpose of which is to differentiate between whether the message was sent from the device or received from another user. The value ‘0’ indicates a message was sent outbound from the user’s device and the value ‘1’ indicates that a message was received inbound from another user’s device.

ZCREATIONDATE: This field contains a timestamp of the creation date of the message. The timestamp is stored using Mac Absolute Time [20].

ZUSER: This field contains a numeric value as an ID for a matched user in the table.

7.3 ZUSER Table
The ZUSER table contains a number of forensically significant pieces of information. This table stores data relating to Tinder users who have been mutually matched. A number of these fields contain null entries; this is assumed to be a form of data protection. The field ZFACEBOOKID is left null so as to avoid a user’s privacy being compromised, as the app is designed to maintain anonymity, with the users having the option to exchange personal details through the chat function if they are a match.

In the case of an investigation, such as that mentioned in the scope of this project, there are a number of forensically significant fields present in this table. These fields are as follows:

ZNAME: This field contains the user’s first name. This name is taken from a user’s Facebook account and can’t be altered within the application.

ZGENDER: This field contains a numeric value that identifies whether the user is male or female. The value ‘1’ indicates that the user is female while the value ‘0’ indicates the user is male.

ZBIRTHDATE: This field contains a timestamp that converts to a user’s date of birth. As with ZNAME, this value is extracted from a user’s Facebook account.

ZMATCHEDDATE: This field also contains a timestamp value that converts to the date a match was made with another user.

ZLASTACTIVITYDATE: This field contains another timestamp that converts to the date and time a user was last active on Tinder.

ZBIO: When signing up with Tinder the user has the option of including a body of text relating to their interests, hobbies and details of their personal life. Many times users will use this option to include their Twitter handle so users can follow them on Twitter even if they are not matched together on Tinder.

Z_PK: This is a primary key field containing a numeric value. The contents of this field will be discussed in more detail in the later section “Forensic Significance of Findings”.

ZUSERID: Contains a hexadecimal numerical value set as an individual user’s ID.

7.4 Summation of Remaining Database Tables
The previous section outlined relevant tables and their fields from an investigation standpoint. This section will provide an overview of the remaining tables and their attributes.

ZLIKE: One feature of Tinder is identifying whether two users share mutual interests in the form of topical Facebook pages, such as a TV show’s fan page. The ZLIKE table contains information relating to the Facebook page such as its Facebook ID and page title; the table also contains the ID (ZUSER) of the user who mutually likes the Facebook page.

ZPROCESSEDPHOTO: This table contains links to different users’ photos on the Tinder server in the field ZREMOTEURL, along with other fields. Observations of this table indicate that each photo ID (ZPHOTO) contains four duplicates, each with different dimensions (ZWIDTH, ZHEIGHT).

ZPHOTO: This table contains a single version of each photo stored in ZPROCESSEDPHOTO along with the same URL from the ZREMOTEURL field. There seems to be no link between the images and what user they belong to.

7.5 Forensic Significance of Findings

The previous section outlined and provided details of the data that can be recovered from the underlying database that is created when Tinder is installed on an iPhone. This database stores key information needed to allow the application to function. In the section entitled “Analysis Method” a scenario was created that involved investigating a backup of a young person's phone from their computer after the person was reported missing. It is believed the missing person was an avid user of Tinder and may have been communicating with a ‘match’ using the application. The goal of this project was to identify Tinder artefacts on the backup that may be forensically significant.

The previous section revealed valuable information regarding conversations that have taken place on Tinder, namely the body of the conversation along with the dates and times of the conversations. However, as seen above, within the ZMESSAGE table there is no link to distinguish with whom the conversation was had. Figure 2 shows one particular conversation that was conducted between two users who were matched together on Tinder. From this example we can see the body of the conversation, the date the conversation commenced and the date a reply was received. The field ZUSER contains the user ID 12762, but there is no other information relating to the second party.

Figure 2. Extracted Conversation from Tinder.sqlite Database

While no information is provided about the second party to the conversation within the ZMESSAGE table, there is a correlation between the field value for ZUSERID and the field (Z_PK), which is contained in table ZUSER. In Figure 3 a simple SQL query was run on the ZUSER table using the value 12762 from the ZUSERID field contained in ZMESSAGE. The query displayed information relating to a user with the name ‘Roisha’ along with the date the user was last active and the date the users were matched together.
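
The ZMESSAGE-to-ZUSER correlation described above can be run as one join over every message instead of a manual lookup per user ID. This is an added example, not part of the original dissertation: it uses a constructed in-memory database, and the column names ZBODY, ZCREATIONDATE, ZNAME and ZLASTACTIVITYDATE, the use of ZUSER as the linking column in ZMESSAGE, and the storage of dates as seconds since 2001-01-01 UTC (the Core Data convention) are assumptions to check against the real Tinder.sqlite schema.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: date columns hold Core Data "Mac absolute time" (seconds since 2001-01-01 UTC).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_time(seconds):
    """Convert Mac absolute time to an ISO 8601 UTC string; NULL stays None."""
    if seconds is None:
        return None
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat()

def build_sample_db():
    """Constructed stand-in for Tinder.sqlite (hypothetical columns, no real case data)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE ZUSER (Z_PK INTEGER PRIMARY KEY, ZUSERID TEXT, ZNAME TEXT,
                            ZLASTACTIVITYDATE REAL);
        CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZUSER INTEGER,
                               ZBODY TEXT, ZCREATIONDATE REAL);
        INSERT INTO ZUSER VALUES (12762, '0123abcd', 'Roisha', 397051200.0);
        INSERT INTO ZMESSAGE VALUES (1, 12762, 'constructed message A', 396964800.0);
        INSERT INTO ZMESSAGE VALUES (2, 12762, 'constructed message B', 396968400.0);
        INSERT INTO ZMESSAGE VALUES (3, 99999, 'constructed orphan', 396972000.0);
    """)
    return db

def attribute_messages(db):
    """Resolve each message's numeric user reference against ZUSER.Z_PK.

    LEFT JOIN keeps messages whose ZUSER row is missing (for example a removed
    match), so no message silently drops out of the examiner's timeline.
    """
    rows = db.execute("""
        SELECT m.Z_PK AS msg_pk, m.ZUSER AS user_ref, m.ZBODY AS body,
               m.ZCREATIONDATE AS sent, u.ZNAME AS name, u.ZUSERID AS tinder_id,
               u.ZLASTACTIVITYDATE AS last_active
        FROM ZMESSAGE m LEFT JOIN ZUSER u ON u.Z_PK = m.ZUSER
        ORDER BY m.ZCREATIONDATE
    """).fetchall()
    return [{**dict(r), "sent_utc": mac_time(r["sent"]),
             "last_active_utc": mac_time(r["last_active"])} for r in rows]

if __name__ == "__main__":
    for record in attribute_messages(build_sample_db()):
        print(record)
```

Run it against a working copy of the extracted database, never the original evidence file, by replacing `build_sample_db()` with a read-only `sqlite3.connect` on the copy.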

Figure 4. Extracted User from Tinder.sqlite Database

The information provided here could potentially help significantly in the investigation of the missing youth. An investigator can search messages sent from the missing person's iPhone looking for any evidence of a rendezvous being organised with an unknown stranger. Potentially a message of this kind can provide a meeting location and time; if not, an investigator can obtain a name and user ID from the ZUSER table. Since Tinder is a location-driven application requiring a user to share their location in order to use the application, an investigator can seek the assistance of Tinder in identifying and tracking the suspected kidnapper by use of their ZUSERID.

8. Conclusions and Future Work

The goal of this project was to identify forensically significant artefacts present on an iPhone after the installation and use of the mobile dating application Tinder in order to aid in the investigation of a missing person. Using the method outlined in the “Analysis Method” section of this paper it was possible to extract artefacts relating to the Tinder application from an iTunes backup. Analysis of these artefacts has shown information that could prove vital to a case of this kind. However, the success of this approach relies on whether the victim has synced their iPhone with their PC after having contact with the suspected kidnapper on Tinder, thus creating a backup of their device.

Future studies can include the analysis of a device on which Tinder has been deleted to see if any artefacts can be recovered from the Tinder.sqlite database. An analysis of the different versions of the application could also be conducted in order to see how changes in application features can affect the storage of data. As mentioned in this project, Tinder can also be installed on the Android operating system, which follows different design protocols from iOS devices; an analysis of the Android version of the application could be carried out to research the techniques needed to discover forensically significant artefacts from that platform.

Images

Figure 5. Tinder Loading Screen
Figure 6. Matching Screen
Figure 7. Match Confirmation Screen
Figure 8. Private Message Screen
Figure 9. User Profile Screen
Figure 10. Account Deletion Confirmation Screen
Figure 11. Matching Preferences Screen
Figure 12. iPhone Analyzer Home Screen
Figure 13. iPhone Analyzer Search Screen