Analysis of Forensic Artifacts of Tinder on iPhone


  • 8/15/2019 Analysis of Forensic Artifacts of Tinder on iPhone

    Analysis of Forensically Significant Artifacts of Tinder App on iPhone

    Niall Heffernan

    A minor dissertation submitted in part fulfilment of the degree of MSc in Digital Investigation and Forensic Computing with the supervision of Dr. Pavel Gladyshev

    School of Computer Science and Informatics

    University College Dublin

    17th August 2013

    Table of Contents

    1. Introduction
    1.1 Project Scope
    1.2 The Smartphone
    1.3 Tinder
    2. Literature Survey
    2.1 Apple File System Programming Guide [8]
    2.3 iPhone/iPod Touch Forensics Manual [10]
    2.4 Forensic Analysis of the Burner App for the iPhone by Digital Forensics Tips [11]
    3. SQLite Database and PLIST Files
    3.1 SQLite Databases
    3.2 PLIST Files
    4. iTunes Backup File Acquisition
    5. Acquisition and Analysis Software
    5.1 iPhone Backup Extractor
    5.2 iBackupBot
    5.3 iPhone Analyzer
    5.4 SQLite Database Browser
    6. Analysis Method
    7. Results and Findings
    7.1 Tinder.sqlite Database file
    7.5 Forensic Significance of Findings
    8. Conclusions and Future Work
    Bibliography
    Images

    1. Introduction

    1.1 Project Scope

    The purpose of this dissertation is to forensically examine significant artefacts present on an iPhone after the installation and use of mobile dating applications. There are many applications available for smartphones that facilitate users in meeting potential partners. There is, however, a risk associated with the level of anonymity a user can have on dating applications, as there exists the potential for predators to attract and lure vulnerable users. If such a case were to arise, evidence found from mobile dating applications could prove to be of the utmost significance. Due to time constraints and resources, the scope of this dissertation is to focus only on the dating application Tinder [6], which is discussed in more detail in the following sections.

    1.2 The Smartphone

    The smartphone has taken over the world as the must-have tool in the area of technology. Out of 5 billion mobile phone owners in the world, 1.08 billion of them own a smartphone [1]. Apart from the basic features of a mobile phone such as calling and texting, this percentage of the population also use smartphones to access their email, go online, use social networks, bank online, play games and even use their smartphones as a GPS device.

    Smartphones run on many different operating systems. Currently the two leaders in the market are the Google Android operating system and Apple iOS. The Google Android OS holds 41.1% of the market share while Apple iOS holds 17.3% [2]. This is largely due to an abundance of affordable Android phones available on the market, which in turn is made available by the various versions of the Android OS. Apple, on the other hand, releases a new version of their iPhone software less frequently.

    Another desirable feature of smartphones is the ability to download applications to a person’s phone on the move through smartphone providers’ app stores. In 2012 Apple reported offering more than 550,000 apps on their app store and celebrated 25 billion downloads [3], while Google Android claims to have 700,000 apps on their Google Play app store [4]. An influential factor in these statistics is that anyone with programming knowledge can develop apps independently and host them on the various app markets.

    One of the major uses of smartphones is social networking. It was found that smartphone users spend 9 hours 6 minutes per month on social networks [5]; this includes the use of Twitter and Facebook amongst other social networking applications. Along with social networking, a new trend of using smartphones for online dating has emerged, with a number of applications developed to assist people in meeting potential partners. The purpose of this dissertation is to focus on one of these dating applications and to forensically examine artefacts that can be left behind after use of the application.

    1.3 Tinder

    Tinder is a dating application available for both iPhone and Android devices. The Tinder website describes Tinder as “A fun way to meet people” [6]. In order to use Tinder, a user must have a Facebook account with which to sign into the application. Once the user has created a Tinder account, their current Facebook profile picture is set as their default Tinder profile picture. The user then has the option to add more photos of themselves to their Tinder account. These photos may be viewed by other Tinder users.

    Once the user has set up their account they can select whether they are looking to meet females, males or both. They can then limit the search radius to search for other users from anywhere within a 10 mile to a 100 mile radius. It is also possible to limit the age profiles of potential matches. Once the user has completed their search criteria, the Tinder app presents them with potential matches sequentially. The user has the choice to either ‘like’ the person they are matched with by pressing a heart icon on the interface or select the dislike option, which is depicted as an ‘X’ symbol. A match occurs if two users happen to mutually ‘like’ each other. They are then given the option to private message each other and arrange to meet. Tinder only provides a user’s first name to potential matches; it also shows if the two parties involved have any mutual friends or shared interests on Facebook.

    Tinder provides a level of anonymity by only displaying first names. By showing whether users share mutual friends on Facebook, though, it is quite simple to find a user’s identity by a simple search through a mutual friend’s profile. The main danger, however, lies in the terms of use on Tinder’s website [6], where it states that a user “…must be at least 13 years old...” to use the application. Since anyone can create a Facebook account using a fake age, they can also sign up to use Tinder, where they may be exposed to potential threats. According to a blog in the New York Times [7], Tinder is being downloaded 20,000 times a day and, with no way of screening or vetting new users, it is open to be used by potentially dangerous characters.

    2. Literature Survey

    In order to be sure that the investigation being undertaken presents the most accurate results, it is important to undertake research to better understand the techniques used for the analysis and to have knowledge of the file system structure of the iPhone, along with knowledge of the best tools to use. The following section summarises various readings that were carried out during the process of this analysis. Forensic analysis of smartphones is still quite new in the area of computer forensics; as a result, the amount of literature on this topic is very limited. Despite this, the following literature provides good insights into iPhone forensic analysis.

    2.1 Apple File System Programming Guide [8]

    Apple has provided a comprehensive guide for developers who are looking to begin developing applications for the Apple app store or for their own personal use. The guide is called Apple File System Programming Guide. For the scope of this project only certain sections of the document were examined. Section 2: File System Basics gives an in-depth overview of the file structure created by applications within the overall file system of the device. The guide describes where a developer should place their application’s files for best efficiency. This document also gives a comprehensive overview of the various directories of the iOS file system and what files reside in each directory. From an investigation point of view this knowledge is very useful, as it provides starting points for locating potential evidential artefacts. The guide also provides information on hidden directories that are present on the device. As the scope of this project is to focus on artefacts created by an application, this document is useful as it states the location on the file system where specific application files are stored. This document can serve as an investigator’s roadmap to the iOS file system, pointing them to files of forensic significance.

    2.2 Forensic Analysis on iOS Devices [9]

    Forensic Analysis on iOS Devices focuses on many areas of iOS forensics. This paper provides an overview of the HFS+ (Hierarchical File System) in use on iOS devices, an overview of SQLite database files and PLIST (property list) files, and how to perform acquisitions either from the iTunes backup file or by physical acquisition of iOS devices. The section related to HFS+ gives a good overview of the make-up of the file system by providing information about the HFS+ allocation file, the extents overflow file and the HFS+ catalogue file. This paper also describes two prevalent file types used by iOS. These are SQLite databases and PLIST files, which are discussed in more detail in a later section entitled “SQLite Databases and PLIST Files”. There are also sections relating to the processes of acquiring images of an iOS device for further examination. The paper describes the use of iTunes backups for investigation and provides suggested software that can be used to examine these backup files. Another section of this paper describes methods for physically acquiring iOS images and provides suggested software that can be used to carry out physical acquisitions.

    2.3 iPhone/iPod Touch Forensics Manual [10]

    This article written by Jonathan A. Zdziarski gives a good in-depth analysis of performing forensic investigations on iPhone devices. The article covers subjects such as disk layouts, power-on device modifications, performing forensic recovery and electronic discovery. For the scope of this report, the section entitled “Electronic Discovery” provided the main focus for this investigation. This section provided an overview of both SQLite databases and property lists. This section also provided a list of other forensically significant files along with a short description of each file and their location within the file system. This was useful as it provided information that could support a further in-depth investigation into the actions and movements of the device’s user; however, with the scope of this investigation being focused on a single application, files other than SQLite and PLIST files were not needed, as they are outside the scope of this project.

    2.4 Forensic Analysis of the Burner App for the iPhone by Digital Forensics Tips [11]

    This article provides an analysis of an iPhone application called Burner. This application allows users to purchase disposable phone numbers for temporary use. While this application has no relation to the application being examined as part of this project, the techniques used proved useful when running analysis on the Tinder dating application. It provided information on relevant files within the application’s directory on the device. Since iPhone application development follows a set of rules, the structure of application directories is near uniform, meaning investigation of the Burner app has significance in the investigation of the Tinder app.

    3. SQLite Database and PLIST Files

    The literature surveyed in the previous section all discussed the forensic significance of SQLite database and PLIST files within iPhone forensic analysis. This section provides further information on both file types in terms of their structure and forensic significance within an investigation.

    3.1 SQLite Databases

    SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine [12]. Since SQLite databases are serverless they can be embedded into applications with ease and read and written to disk files. SQLite is frequently used in portable devices because its databases are quite compact and do not take up much space in memory-constrained devices; they also perform well in low-memory devices. SQLite is provided to users free of charge for commercial and private use; for this reason SQLite is commonly used by app developers as a means for their app to store data.

    3.2 PLIST Files

    PLIST files are also known as Property List files [13]. These files are the Macintosh equivalent of the Windows registry. They contain OS information such as application settings, user preferences and security settings [13]. PLIST files are XML files, meaning they can be viewed using any XML editor or a text editor. Every application on iOS devices uses an info.plist file [14], which contains configuration settings for the application on iOS devices.

    4. iTunes Backup File Acquisition

    In the scope of this project it is assumed that the iPhone device is unavailable to investigators in the case of a kidnapping. It is therefore necessary to be able to examine the contents of an iOS device without having physical access to it. Apple has created a method that creates backups of an iOS device in the case of critical failure. When an iPhone is registered to an iTunes account, a backup of the iPhone is taken when the device is synced to iTunes, with the backup stored on the computer. iTunes creates a folder on the computer with the device UDID (Unique Device ID) [15] as the name; this UDID is 40 hexadecimal characters long. The device contents are then copied to this folder. As the analysis for this project is being carried out using Mac OS X, the location of iPhone backups is: /Library/Application Support/MobileSync/Backup. The following section will outline software that is available that can open these backups in a readable format, allowing for a forensic analysis to be carried out.
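
An added example (not from the dissertation or from any tool it reviews) of the backup-location step described in this section: it lists the UDID-named folders under a backup root supplied by the caller and picks the most recently dated one. The Info.plist key names (`Device Name`, `Product Version`, `Last Backup Date`) are assumptions about the iTunes backup layout, the function names are hypothetical, and the sample folders are constructed.

```python
import plistlib
import re
from datetime import datetime
from pathlib import Path
from xml.parsers.expat import ExpatError

# Section 4: each backup folder is named after the 40-hex-character device UDID.
UDID_RE = re.compile(r"[0-9a-fA-F]{40}")


def read_info_plist(backup_dir):
    """Return the backup's Info.plist as a dict, or {} if missing or unreadable."""
    info_path = Path(backup_dir) / "Info.plist"
    try:
        with info_path.open("rb") as fh:
            data = plistlib.load(fh)  # accepts both XML and binary property lists
    except (OSError, ExpatError, plistlib.InvalidFileException):
        return {}
    return data if isinstance(data, dict) else {}


def list_backups(backup_root):
    """Describe every UDID-named folder under backup_root, newest backup first."""
    backups = []
    for entry in Path(backup_root).iterdir():
        if not (entry.is_dir() and UDID_RE.fullmatch(entry.name)):
            continue  # anything that is not a UDID-named folder is not a backup
        info = read_info_plist(entry)
        stamp = info.get("Last Backup Date")  # assumed key, stored as a plist date
        backups.append({
            "udid": entry.name,
            "path": entry,
            "device_name": info.get("Device Name"),      # assumed key
            "ios_version": info.get("Product Version"),  # assumed key
            "last_backup": stamp if isinstance(stamp, datetime) else None,
        })
    # Undated backups sort last so they are never mistaken for the latest one.
    backups.sort(key=lambda b: (b["last_backup"] is not None,
                                b["last_backup"] or datetime.min), reverse=True)
    return backups


def newest_backup(backup_root):
    """Return the most recently dated backup, or None when none carries a date."""
    dated = [b for b in list_backups(backup_root) if b["last_backup"] is not None]
    return dated[0] if dated else None


def build_sample_root(root):
    """Constructed sample: two dated backups, one undated, one stray folder."""
    root = Path(root)
    samples = {
        "a" * 40: {"Device Name": "Sample iPhone A", "Product Version": "6.1.3",
                   "Last Backup Date": datetime(2013, 7, 1, 10, 0, 0)},
        "0123456789abcdef0123456789abcdef01234567": {
            "Device Name": "Sample iPhone B", "Product Version": "6.1.3",
            "Last Backup Date": datetime(2013, 7, 20, 8, 30, 0)},
    }
    for udid, info in samples.items():
        (root / udid).mkdir()
        with (root / udid / "Info.plist").open("wb") as fh:
            plistlib.dump(info, fh)
    (root / ("b" * 40)).mkdir()      # UDID-named folder without an Info.plist
    (root / "not-a-backup").mkdir()  # wrong name, must be skipped
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for b in list_backups(build_sample_root(tmp)):
            print(b["udid"], b["device_name"], b["ios_version"], b["last_backup"])
```

On a real case the root passed in should be a working copy of the backup folder, never the original evidence.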

    5. Acquisition and Analysis Software

    This section will outline and describe software available for the acquisition and forensic analysis of iPhone devices. As mentioned in the previous section, the analysis of the iPhone will be carried out on a backup taken by iTunes the last time the device was synced. Only software that can read and present the backup files in a readable format will be examined.

    In order to examine the backup files of the iOS device, appropriate software was needed to present the data in a readable format. The criteria for the software were that it needed to be free to use, did not require the purchase of a license and was Mac OS X compatible. With the criteria decided upon, a search was conducted to identify potential software. The articles mentioned in the previous section outlined a number of software packages that can be used to perform an analysis of iTunes backups. The following sections list potential software and their main attributes.

    5.1 iPhone Backup Extractor

    The iPhone Backup Extractor [16] is cross-platform software that automatically finds iTunes backup files if they are present on a system. iPhone Backup Extractor was developed by reincubate technology, media and data (http://www.reincubate.com). The software provides the user with the ability to recover various artefacts from an iPhone device such as contacts, call history, SMS, video and, most importantly, app files.

    While this software met a number of the criteria needed to complete this project, there were some negative aspects which ultimately led to the decision not to use it for this project. One aspect was the fact that it did not include any functionality to view discovered files within the software; instead, any files discovered needed to be extracted to a location on the local machine and then opened using external viewer programs. This proved to be quite tedious and time consuming. Another issue arose regarding the installation procedure. In order to install the software on Mac OS X the user needs to install various libraries on the system, such as the Mono framework (http://www.mono-project.com) and X11 libraries. The software then had to be run through the command line using the Mono framework, which proved troublesome and encountered a number of issues.

    5.2 iBackupBot

    iBackupBot [17], much like iPhone Backup Extractor, automatically detects iTunes backups on the system. However, this software presents the contents of the backup to the user in the form of a file-tree structure. This makes navigation through the various files easy and also provides good reference points in relation to the locations of certain files in the backup.

    Unlike the iPhone Backup Extractor software, iBackupBot also contains various editors and viewer programs for viewing/editing plist files, SQLite files, images, messages or call logs. There is also the option to export data to the local machine if the user wants to keep certain documents in an easy-to-find location and view them using applications of their choice. This software seems ideal for meeting the requirements of this project, as it contains more features than iPhone Backup Extractor and is easier to install; however, the developers only allow a 7-day free trial. After the initial trial expires the user needs to purchase the software, which was beyond the resources available to the project. For this reason iBackupBot was not selected for this assignment.

    5.3 iPhone Analyzer

    The iPhone Analyzer software developed by Crypticbit [18], like the other programs mentioned in this section, automatically detects an iTunes backup on the system and imports it into the software. The GUI presents the user with information about the device that it procures from the device’s info.plist file. The software also provides two options for viewing a device’s data. The first option is by using ‘Bookmarks’, which are the most likely places an individual searches for information, such as the address book, location map, messages and call logs. These are presented to the user in a readily accessible way in the main window of the GUI. The second way an individual can search through data is by using the file system view; this view reconstructs the structure of the device’s file system and presents it to the user in a tree structure. iPhone Analyzer also contains an embedded SQLite browser and a viewer to display PLISTs in XML format.

    iPhone Analyzer also provides a comprehensive, easy-to-follow manual outlining all the features that are contained in the software. The software is also freely available to download from SourceForge. For these reasons iPhone Analyzer was chosen for this project as the primary analysis software.

    5.4 SQLite Database Browser

    SQLite Database Browser [19] was chosen as a secondary viewing tool for SQLite files. This browser was used over the embedded browser contained in iPhone Analyzer as it is easier to execute SQL commands through its interface. The software is also freely available to download from SourceForge with no additional costs.

    6. Analysis Method

    The scope of this project is to examine the forensically significant artefacts that are installed on an iPhone after the installation of the mobile dating application Tinder. In order to have a focus when deciding on what may or may not be forensically significant, a simple scenario was put in place. The scenario focuses on a young underage teenager who has gone missing, and it is believed they may have been communicating with someone on Tinder. As the device is believed to be on the person, it is not possible to take a physical image of the device itself, so an analysis needs to be conducted on the last backup from the missing person’s iTunes account.

    The goal of the analysis is to find any information from the backup that may help further the investigation, such as chat history, usernames, and location history. Tinder version 2.1.0 was downloaded to an iPhone 4S running iOS 6.1.3. The device was used as it would be in normal circumstances, to collect real-life data. Once a sufficient amount of data was collected from the everyday use of Tinder, the most recent backup of the iPhone was located and loaded into the iPhone Analyzer program. The contents of the Tinder application directory were then examined, the focus being on the tinder.sqlite file. This SQLite file was extracted and opened using SQLite Database Browser. Once the SQLite database was exported from iPhone Analyzer and opened in the viewer, an analysis of the database was conducted, with the results of the analysis described in the following section.

    7. Results and Findings

    The following sections outline and present the findings of the analysis of the files extracted from the iPhone device following the data collection method described in the previous section.

    7.1 Tinder.sqlite Database file

    An SQLite database file named Tinder.sqlite was extracted. Figure 1 below shows the structure of the Tinder.sqlite database; it displays the tables contained within Tinder.sqlite along with each table’s list of fields.

    •  ZMESSAGE: Z_PK, Z_ENT, Z_OPT, ZINBOUND, ZUSER, ZCREATIONDATE, ZBODY

    •  ZUSER: Z_PK, Z_ENT, Z_OPT, ZCOMMONFRIENDCOUNT, ZCOMMONLIKECOUNT, ZGENDER, ZHASIMAGE, ZHASUNVIEWEDMESSAGES, ZISACTIVE, ZISMATCH, ZISRECOMMENED, ZISUNSEENEWMATCH, ZSERVERMESSAGECOUNT, ZBIRTHDATE, ZCHATLASTVIEWED, ZDISTANCEMILES, ZLASTACTIVITYDATE, ZDISTANCEINMILES, ZLASTACTIVITYDATE, ZMATCHEDDATE, ZPINGTIME, ZBIO, ZFACEBOOKID, ZMATCHID, ZNAME, ZUSERID, ZIMAGE

    •  ZPROCESSEDPHOTO: Z_PK, Z_ENT, Z_OPT, Z_PHOTO, ZHEIGHT, ZWIDTH, ZREMOTEURL

    •  Z_5SHAREDFRIENDS: Z_5SHAREDFRIENDS, REFLEXIVE

    •  Z_PRIMARYKEY: Z_ENT, Z_NAME, Z_SUPER, Z_MAX

    •  Z_METADATA: Z_VERSION, Z_UUID, Z_PLIST

    •  ZLIKE: Z_PK, Z_ENT, Z_OPT, ZUSER, ZCATEGORY, ZFACEBOOKID, ZNAME, ZREMOTEIMAGEURL, ZIMAGE

    •  ZPHOTO: Z_PK, Z_ENT, Z_OPT, ZUSER, Z_FOK_USER, ZORIGINX, ZORIGINY, ZSIZEHEIGHT, ZSIZEWIDTH, ZPHOTOID, ZREMOTEURL

    Figure 1. Structure of Tinder.sqlite Database File

    A number of the tables listed above have duplicate fields within them, but the most forensically relevant tables discovered were ZMESSAGE and ZUSER. The following sections will outline the data contained in each of these tables.

    7.2 ZMESSAGE Table

    This table contains all information relating to any private chat messages that have been sent between people who have mutually ‘liked’ each other using the application. A summary of the information stored in each field is as follows:

    ZBODY: This field contains the body of any messages sent between two ‘matches’ privately. Messages are stored in individual rows, and every time a message is sent/received the body of that message is stored in a new row.

    ZINBOUND: This field contains a numeric value whose purpose is to differentiate between whether the message was sent from the device or received from another user. The value ‘0’ indicates a message was sent outbound from the user’s device and the value ‘1’ indicates that a message was received inbound from another user’s device.

    ZCREATIONDATE: This field contains a timestamp of the creation date of the message. The timestamp is stored using Mac Absolute Time [20].

    ZUSER: This field contains a numeric value as an ID for a matched user in the table.

    7.3 ZUSER Table

    The ZUSER table contains a number of forensically significant pieces of information. This table stores data relating to Tinder users who have been mutually matched. A number of these fields contain null entries; this is assumed to be a form of data protection. The field ZFACEBOOKID is left null so as to avoid a user’s privacy being compromised, as the app is designed to maintain anonymity, with the users having the option to exchange personal details through the chat function if they are a match.

    In the case of an investigation such as that mentioned in the scope of this project, there are a number of forensically significant fields present in this table. These fields are as follows:

    ZNAME: This field contains the user’s first name. This name is taken from a user’s Facebook account and can’t be altered within the application.

    ZGENDER: This field contains a numeric value that identifies whether the user is male or female. The value ‘1’ indicates that the user is female while the value ‘0’ indicates the user is male.

    ZBIRTHDATE: This field contains a timestamp that converts to a user’s date of birth. As with ZNAME, this value is extracted from a user’s Facebook account.

    ZMATCHEDDATE: This field also contains a timestamp value that converts to the date a match was made with another user.

    ZLASTACTIVITYDATE: This field contains another timestamp that converts to the date and time a user was last active on Tinder.

    ZBIO: When signing up with Tinder the user has the option of including a body of text relating to their interests, hobbies and details of their personal life. Users will often use this option to include their Twitter handle so that others can follow them on Twitter even if they are not matched together on Tinder.

    Z_PK: This is a primary key field containing a numeric value. The contents of this field will be discussed in more detail in the later section “Forensic Significance of Findings”.

    ZUSERID: Contains a hexadecimal numerical value set as an individual user’s ID.

    7.4 Summation of Remaining Database Tables

    The previous section outlined relevant tables and their fields from an investigation standpoint. This section will provide an overview of the remaining tables and their attributes.

    ZLIKE: One feature of Tinder is identifying whether two users share mutual interests in the form of topical Facebook pages such as a TV show's fan page. The ZLIKE table contains information relating to the Facebook page such as its Facebook ID and page title; each page entry also contains the ID (ZUSER) of the user who mutually likes the Facebook page.

    ZPROCESSEDPHOTO: This table contains links to different users' photos on the Tinder server in the field ZREMOTEURL, among other fields. Observations of this table indicate that each photo ID (ZPHOTO) contains four duplicates but each with different dimensions (ZWIDTH, ZHEIGHT).

    ZPHOTO: This table contains a single version of each photo stored in ZPROCESSEDPHOTO along with the same URL from the ZREMOTEURL field. There seems to be no link between the images and what user they belong to.

    7.5 Forensic Significance of Findings

    The previous section outlined and provided details of the data that can be recovered from the underlying database that is created when Tinder is installed on an iPhone. This database stores key information needed to allow the application to function. In the section entitled “Analysis Method” a scenario was created that involved investigating a backup of a young person's phone from their computer after the person was reported missing. It is believed the missing person was an avid user of Tinder and may have been communicating with a ‘match’ using the application. The goal of this project was to identify Tinder artefacts on the backup that may be forensically significant.

    The previous section identified valuable information regarding conversations that have taken place on Tinder, such information being the body of the conversation along with dates and times of the conversations. However, as seen above, within the ZMESSAGE table there is no link to distinguish with whom the conversation was had. Figure 2 shows one particular conversation that was conducted between two users who were matched together on Tinder; from this example we can see the body of the conversation, the date the conversation commenced and the date a reply was received. The field ZUSER contains the user ID 12762 but there is no other information relating to the second party.


    Figure 2. Extracted Conversation from Tinder.sqlite Database

    While no information is provided about the second party to the conversation within the ZMESSAGE table, there is a correlation between the field value for ZUSERID and the field Z_PK, which is contained in table ZUSER. In Figure 3 a simple SQL query was run on the ZUSER table using the value 12762 from the ZUSERID field contained in ZMESSAGE. The query resulted in displaying information relating to a user with the name ‘Roisha’ along with the date the user was last active and the date the users were matched together.


    Figure 4. Extracted User from Tinder.sqlite Database
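The correlation described above, as an added Python example that is not part of the original dissertation: it joins ZMESSAGE.ZUSER (the field shown holding 12762 in Figure 2) to ZUSER.Z_PK, converts Mac Absolute Time values to UTC and labels message direction from ZINBOUND. The in-memory database, its column types and every row are constructed for illustration; only the table and field names come from the text.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Mac Absolute Time counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_absolute_to_utc(seconds):
    """Convert a Mac Absolute Time value to an aware UTC datetime (None for NULL)."""
    if seconds is None:
        return None
    return MAC_EPOCH + timedelta(seconds=seconds)

def build_sample_db():
    """Constructed stand-in for Tinder.sqlite; column types are an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZUSER (Z_PK INTEGER PRIMARY KEY, ZNAME TEXT, ZGENDER INTEGER,
                            ZMATCHEDDATE REAL, ZLASTACTIVITYDATE REAL, ZUSERID TEXT);
        CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZBODY TEXT, ZINBOUND INTEGER,
                               ZCREATIONDATE REAL, ZUSER INTEGER);
        -- All rows below are constructed sample data, not values from the case.
        INSERT INTO ZUSER VALUES (12762, 'ExampleMatch', 1, 396000000.0, 396100000.0, 'aabbccddeeff');
        INSERT INTO ZMESSAGE VALUES (1, 'Hi there', 0, 396010000.0, 12762);
        INSERT INTO ZMESSAGE VALUES (2, 'Hello!', 1, 396013600.5, 12762);
        INSERT INTO ZMESSAGE VALUES (3, 'orphaned row', 1, NULL, 99999);
    """)
    return db

def conversation_timeline(db):
    """Attribute every message to its match by joining ZMESSAGE.ZUSER to ZUSER.Z_PK."""
    rows = db.execute("""
        SELECT m.ZCREATIONDATE, m.ZINBOUND, m.ZBODY, m.ZUSER, u.ZNAME, u.ZUSERID
        FROM ZMESSAGE AS m LEFT JOIN ZUSER AS u ON u.Z_PK = m.ZUSER
        ORDER BY m.ZCREATIONDATE IS NULL, m.ZCREATIONDATE
    """)
    timeline = []
    for created, inbound, body, user_pk, name, user_id in rows:
        timeline.append({
            "utc": mac_absolute_to_utc(created),
            "direction": "received" if inbound == 1 else "sent",  # 1 = inbound, 0 = outbound
            "body": body,
            "match_pk": user_pk,
            "match_name": name,        # None when no ZUSER row survives for this key
            "match_userid": user_id,
        })
    return timeline

if __name__ == "__main__":
    print(*conversation_timeline(build_sample_db()), sep="\n")
```

The LEFT JOIN keeps messages whose ZUSER key has no surviving ZUSER row, so an examiner still sees the message body and direction even when the match cannot be named.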

    The information provided here could potentially help significantly in the investigation of the missing youth. An investigator can search messages sent from the missing person's iPhone looking for any evidence of any rendezvous being organised with an unknown stranger. Potentially a message of this kind can provide a meeting location and time; if not, an investigator can obtain a name and user ID from the ZUSER table. Since Tinder is a location-driven application requiring a user to share their location in order to use the application, an investigator can seek the assistance of Tinder in identifying and tracking the suspected kidnapper by use of their ZUSERID.

    8. Conclusions and Future Work

    The goal of this project was to identify forensically significant artefacts present on an iPhone after the installation and use of the mobile dating application Tinder in order to aid in the investigation of a missing person. Using the method outlined in the “Analysis Method” section of this paper it was possible to extract artefacts relating to the Tinder application from an iTunes backup. Analysis of these artefacts has shown information that could prove vital to a case of this kind. However, the success of this information relies on whether the victim has synced their iPhone with their PC after having contact with the suspected kidnapper on Tinder, thus creating a backup of their device.

    Future studies can include the analysis of a device on which Tinder has been deleted to see if any artefacts can be recovered from the Tinder.sqlite database. An analysis of the different versions of the application could also be conducted in order to see how changes of application features can affect the storage of data. As mentioned in this project, Tinder can also be installed on the Android operating system, which contains different design protocols to iOS devices; an analysis of the Android version of the application could be carried out to research the techniques needed to discover forensically significant artefacts from that platform.

    Bibliography

    [1] Unknown. Smartphone Users Around the World – Statistics and Facts. [Online] 2012. http://www.gogulf.com/blog/smartphone/

    [2] Hardy, I. Android and iOS lead Q1 with 92.3% of all Smartphone Shipments, Windows Phone now in 3rd Spot. MobileSyrup. [Online] 2013. http://mobilesyrup.com/2013/05/16/androidandiosleadq1with923ofallsmartphoneshipmentswindowsphonenowin3rdspot/

    [3] Miller, T., Monaghan, C. Apple’s App Store Downloads Top 25 Billion. Apple Press Info. [Online] 2012. http://www.apple.com/pr/library/2012/03/05ApplesAppStoreDownloadsTop25Billion.html

    [4] Womack, B. Google Says 700,000 Applications Available for Android. Bloomberg News. [Online] 2012. http://www.businessweek.com/news/20121029/googlesays700000applicationsavailableforandroiddevices

    [5] Chmielewski, D. Nielsen study: Social networking dominates smartphone, tablet use. Los Angeles Times. [Online] 2013. http://articles.latimes.com/2013/jun/09/entertainment/laetctnielsenstudysocialnetworkingsmartphonetablet20130609

    [6] Tinder. A Fun Way to Meet People. Tinder. [Online] 2013. http://www.gotinder.com/about/

    [7] Wortham, J. Tinder, a Dating App With a Difference. The New York Times. [Online] 2013. http://bits.blogs.nytimes.com/2013/02/26/tinderadatingappwithadifference/

    [8] Apple. File System Programming Guide. Apple Developer. [Online] 2012. http://developer.apple.com/library/ios/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemProgrammingGuide.pdf

    [9] Proffitt, T. Forensic Analysis on iOS Devices. SANS Institute. [Online] 2012. http://www.sans.org/readingroom/whitepapers/forensics/forensicanalysisiosdevices34092

    [10] Zdziarski, J. iPhone/iPod Touch Forensics Manual. Cryptome. [Online] 2008. http://cryptome.org/ispspy/iphonespy4.pdf

    [11] Unknown. Forensic Artifact Analysis of the Burner App for the iPhone. Digital Forensics Tips. [Online] 2013. http://digitalforensicstips.com/2013/07/forensicartifactanalysisoftheburnerappfortheiphone/

    [12] SQLite. About SQLite. SQLite. [Online]. http://www.sqlite.org/about.html

    [13] Apple Examiner. PLIST Files. [Online] http://www.appleexaminer.com/MacsAndOS/Analysis/PLIST/PLIST.html

    [14] iOS Developer Library. About Info.plist Keys. Apple Developer. [Online] 2012. http://www.appleexaminer.com/MacsAndOS/Analysis/PLIST/PLIST.html

    [15] Satish, B. Forensic Analysis of iPhone Backups. Exploit-db.com. [Online] http://www.exploitdb.com/wpcontent/themes/exploit/docs/19767.pdf

    [16] Reincubate. iPhone Backup Extractor. Reincubate. [Online] 2013. http://www.iphonebackupextractor.com/

    [17] iBackupBot. iBackupBot for iTunes: Backup Manager Software for iPad, iPhone and iPod Touch. iCopyBot. [Online] 2013. http://www.icopybot.com/itunesbackupmanager.htm

    [18] Cryptic Bit. iPhone Analyzer. Cryptic Bit. [Online] 2010. http://www.crypticbit.com/zen/products/iphoneanalyzer

    [19] Lehr, J. Calculating Embedded OS X Times. Linux Sleuthing. [Online] 2011. http://linuxsleuthing.blogspot.ie/2011/02/calculatingembeddedosxtimes.html

    Images

    Figure 5. Tinder Loading Screen

    Figure 6. Matching Screen

    Figure 7. Match Confirmation Screen

    Figure 8. Private Message Screen

    Figure 9. User Profile Screen

    Figure 10. Account Deletion Confirmation Screen

    Figure 11. Matching Preferences Screen

    Figure 12. iPhone Analyzer Home Screen

    Figure 13. iPhone Analyzer Search Screen