Description

Project
Deadline: Wednesday 23/04/2025 @
23:59
[Total Mark is 14]
Student Details:
Name:
Name:
Name:
Name:

Restricted – ‫مقيد‬

CRN:
ID:
ID:
ID:
ID:

Learning Outcome(s):
CLO1: Describe the
common processes and
procedures used to
conduct criminal and
noncriminal
investigations of
activities involving
evidence with digital
media, including the
ethical guidelines that
apply to these
processes.

Instructions
Project General Instructions
This project enables you to integrate the covered knowledge and skills in this
course. This project aims to equip you with the crucial skills of extracting and
analyzing digital evidence from mobile device. You will explore the
capabilities of forensic analysis tools and apply them to investigate, extract and
analyze data and recover deleted data from mobile device.
• Total Marks = 14

CLO2: Describe how to

• Group Size = 2 to 3 members.

maintain the chain of

• Submit all files: Project Report (Word and PDF) on blackboard before

evidence in criminal

23rd April 2025.

investigations
CLO3: Examine the
principles that underlie
the forensic

• One of the group members (group leader) should submit all the files
such as Project Report on blackboard. Marks will be given based on
your submission and quality of the contents.

investigation process

• Project Report: Each Project Report will be evaluated according to the

and apply the required

marking criteria mentioned in the Project Report Template File.

tools.

• Each group must come up with a unique solution for the project based on
the below description.
• Marks will be given based on your submission and quality of the contents.

Project Title: Mobile Forensics
Case Description:
Retailer company named “ABC” suspects that one of staff member has leaked confidential
documents through unauthorized communication apps using mobile device. The Security
department of the company has flagged suspicious activities. These activities were unauthorized
app installs and file transfer on a simulated Android device.
The company hired you as a forensic investigator to conduct an investigation on mobile device.
Your mission is to investigate the employee’s company-issued Android phone for evidence of data
exfiltration and unauthorized communications.
‫” في أن أحد موظفيها قام بتسريب مستندات سرية من خالل تطبيقات اتصال غير‬ABC” ‫اشتبهت شركة بيع بالتجزئة تدعى‬
‫ كانت هذه األنشطة عبارة عن عمليات‬.‫ قام قسم األمن في الشركة باإلبالغ عن أنشطة مشبوهة‬.‫مصرح بها باستخدام جهاز محمول‬
.‫تثبيت غير مصرح بها للتطبيقات ونقل الملفات على جهاز محاكاة لنظام أندرويد‬
‫ مهمتك هي التحقيق في هاتف أندرويد الخاص بالموظف‬.‫قامت الشركة بتعيينك كمحقق جنائي إلجراء تحقيق على الجهاز المحمول‬
. ‫الذي أصدرته الشركة بحثًا عن أدلة على استخراج البيانات واالتصاالت غير المصرح بها‬
Focus: Extracting and analyzing data from mobile devices.
Tools: you use one of the following: MOBILedi , Autopsy, Andriller, Maltego
Deliverables: A report outlining the extraction process, the tools used, and the recovered data.

Project Task:
1- Planning and Familiarize Yourself with Online Analysis Tools used for Mobile device
• Provide the investigation objectives and plan that you will follow in the project (0.5 mark).
•

Visit the provided websites:

•

–
–
–
Explore these online tools and understand their functionalities for data extraction from
mobile device.

•
•

Demonstrate understanding and discuss the functionalities offered by the online analysis
tools for mobile device (1 mark).
Discuss legal and ethical considerations that you have to follow for handling mobile forensic
evidence (0.5 mark)

2- Conduct Your Digital Evidence Investigation:
a. Document/PDF Files (3 Marks):
i. Select any three document or PDF files from your mobile device.
ii. Utilize one or more of the online analysis tools to examine each file.
iii. Document your findings in a clear and concise report, including details like:
1. File name and format
2. Creation date and time
3. Author information (if available)
4. Any other relevant metadata revealed by the tools
5. Screenshots of the analysis process
b. Image Files (3 Marks):
i. Select any three image files (e.g., JPG, PNG) from your mobile device.
ii. Use the online tools to analyze the metadata of each image file.
iii. Create a report documenting your findings, similar to the document/PDF
section, highlighting:
1. Image format and size
2. Date and time of capture (if available)
3. Camera model information (if embedded)
4. GPS location data (if present)
5. Screenshots of the analysis process
c. Social media/communication apps (4.5 Marks):
i. Choose any three social media you visit regularly.
ii. Utilize the online tools to investigate the metadata associated with those social
media.
iii. In your report, record your findings, including details like:
1. Social media name

2.
3.
4.
5.
6.
7.
8.

User information (username and display name)
Account creation date (if available)
Linked email and phone number
Deleted messages
Attachment and shared links in messages
Any other relevant technical details revealed by the tools
Screenshots of the analysis process

3- Reporting:
• Write a report that include the following:
1. Provide project aims and followed plan
2. Description of the incident and investigation process
3. Provide tools used.
4. Provide details of the evidence collected and analyzed.
Evaluation Criteria:
•

Comprehension of investigation objectives, Analysis Tools and ethical considerations (2
Mark)

•

Thoroughness of Investigation (10.5 Marks): Conduct a detailed examination of the
chosen files and social media, extracting all relevant metadata possible.

•

Screenshots (1.5 Marks): Including screenshots as evidence of your analysis process can
enhance your report mandatory).

•

Reporting: Present your findings in a clear, concise, and well-organized slides that is easy
to understand.

Project Title: Mobile Forensics
Part 01
1- Planning and Familiarize Yourself with Online Analysis Tools used for Mobile device
• Provide the investigation objectives and plan that you will follow in the project (0.5 mark).
Investigation Objectives:
1- Identify evidence of unauthorized communication applications installed on the device.
2- Detect any instances of confidential document transfers or leaks through these apps.
3- Recover and analyze relevant data (e.g., app logs, messages, files, metadata) to confirm
suspicious activities flagged by the Security Department.
4- Provide a comprehensive report detailing the findings, tools used, and the extraction process
to support potential disciplinary or legal actions.
investigation Plan
1. Preparation: Understand the case, set up tools, and ensure legal compliance.
2. Acquisition: Create a forensic image of the device to preserve original data.
3. Analysis: Extract and analyze data to identify unauthorized apps, file transfers, and
communications.
4. Reporting: Document findings, conclude the investigation, and provide
recommendations.
5. Review: Verify the investigation’s accuracy and submit the final report.
2- Demonstrate understanding and discuss the functionalities offered by the online analysis
tools for mobile device (1 mark).
MOBILedit offers robust mobile forensics features, including direct data extraction, app analysis,
and recovery of deleted files. It supports Android/iOS devices and identifies unauthorized apps or
file transfers. However, its lack of a free/trial version limits accessibility for this project.
Autopsy, a free/open-source tool, specializes in analyzing pre-existing disk images. It parses file
systems to detect unauthorized apps (via APK files), extracts user data (documents, messages),
and recovers deleted files. Its timeline analysis identifies when files were accessed or transferred,
while keyword searches flag confidential terms. Plugins enhance functionality, such as parsing
app databases (e.g., WhatsApp) for communication evidence.
Maltego focuses on link analysis, visualizing relationships between contacts, apps, and file
transfers. It integrates forensic data to map communication patterns and external platforms used
for leaks.

Autopsy is ideal for this case since it identifies unauthorized apps, traces file transfers via timeline
analysis, locates leaked documents through keywords, and recovers deleted data, all while being
cost-free. Maltego complements Autopsy by visualizing data exfiltration paths (e.g., cloud app
links). Though MOBILedit excels in live extraction, Autopsy’s disk image analysis and
affordability make it the optimal choice, excluding MOBILedit due to licensing constraints.
3- Discuss legal and ethical considerations that you have to follow for handling mobile forensic
evidence (0.5 mark)
To legally handle mobile forensic evidence, I must obtain authorization from ABC Company or a
court order to access the Android device, ensuring compliance with privacy laws like the ECPA
and GDPR. I will use write blockers to create forensic images, preserving data integrity, and
maintain a documented chain of custody for court admissibility. If encryption is present, I will
follow key disclosure laws but avoid forcing self-incrimination. Jurisdictional rules, such as Saudi
Arabia’s Sharia Law, will guide my approach to ensure legal access and avoid privacy violations.

Ethically, I will strictly limit my analysis to data directly relevant to the investigation, avoiding
unnecessary intrusion into personal messages, photos, or unrelated files to respect the employee’s
privacy. Using forensic tools responsibly, I will ensure evidence remains unaltered and document
every step transparently to maintain credibility. Sensitive metadata, such as GPS locations in
photos, will be safeguarded to prevent misuse. By remaining impartial, avoiding conflicts of
interest, and upholding transparency, I ensure the investigation’s integrity and uphold respect for
the employee’s rights and dignity.

Part 02
a. Document/PDF Files (3 Marks):
ii. Select any three document or PDF files from your mobile device.
iii. Utilize one or more of the online analysis tools to examine each file.
iv. Document your findings in a clear and concise report, including details like:
1. File name and format
2. Creation date and time
3. Author information (if available)
4. Any other relevant metadata revealed by the tools
5. Screenshots of the analysis process

Key Findings: CS243 Quiz.pdf
•
•
•
•
•
•
•
•
•
•
•
•

File Name: CS243 Quiz.pdf
Format: PDF
Date Created: 2024-05-01 21:27:08 AST
Date Modified: 2024-05-01 21:57:31 AST
Owner: TALAT – SAEED MEGDAD
Size: 168660 bytes
MD5 Hash: 668f9a6c439d0b1493a152ae32b9ae4
SHA-256 Hash: 2b27f19d133fefab7a12fb7942399579758d5a87646293c42171aecdb09d
Hash Lookup Results: UNKNOWN
Source File Path: /LogicalFileSet1/data/ayman/CS243 Quiz.pdf
Local Path: C:\Users\user\Downloads\android images\Android 11 – Pixel 3 Data\data\ayman\CS243 Quiz.pdf
Data Source: LogicalFileSet1

Source file meta data

File data artifacts

Key Findings: CS361 quiz.pdf
•
•
•
•
•
•
•
•
•
•
•

File Name: CS361 quiz.pdf
Format: PDF
Date Created: 2024-04-30 19:59:21 AST
Date Modified: 2024-04-30 19:59:21 AST
Owner: BASMAH MOHAMMEDSALEH MOHAMMED QASIM ALI
Size: 4025828 bytes
MD5 Hash: 5a4be6906091eaae03f3835c8711057
SHA-256 Hash: 19a0342ab811605063afec311f994d0bf08ce7260cc37310638c1e640c
Hash Lookup Results: UNKNOWN
Source File Path: /LogicalFileSet1/data/ayman/CS361 quiz.pdf
Local Path: C:\Users\user\Downloads\android images\Android 11 – Pixel 3 Data\data\ayman\CS361 quiz.pdf

•

Data Source: LogicalFileSet1
Source file meta data

File data artifacts

Key Findings: Printable-Ramadan-Decoration.pdf
•
•
•
•
•
•
•
•
•
•
•
•

File Name: Printable-Ramadan-Decoration.pdf
Format: PDF
Date Created: 2021-08-30 09:48:54 AST
Date Modified: 2021-08-30 09:48:54 AST
Owner: Admin
Size: 1594551 bytes
MD5 Hash: ea78c55d44a1d31e278b9f0c4193cb3
SHA-256 Hash:
17cc072ab8ec8d3f2e5334de0d5b2c31d14cf28661a6efe561e4998020fb299
Hash Lookup Results: UNKNOWN
Source File Path: /LogicalFileSet1/data/ayman/Printable-Ramadan-Decoration.pdf
Local Path: (Not specified in metadata)
Data Source: LogicalFileSet1

•

File data artifacts

Source file meta data

B- Image Files (3 Marks)
i. Select any three image files (e.g., JPG, PNG) from your mobile device.
ii. Use the online tools to analyze the metadata of each image file.
iii. Create a report documenting your findings, similar to the document/PDF section, highlighting:
•
•
•
•
•

Image format and size
Date and time of capture (if available)
Camera model information (if embedded)
GPS location data (if present)
Screenshots of the analysis process

Image 01

Forensic Analysis Report: IMG_20201003_191623.jpg

1. Image Format and Size
• Format: JPEG
• Size: 3778714 bytes
2. Date and Time of Capture (if available)
• Date Created: 2020-10-03 22:16:26 AST
3. Camera Model Information (if embedded)
• Device Make: OnePlus
• Device Model: HD1907
4. GPS Location Data (if present)
• Latitude: 35.657578
• Longitude: -78.827839722222

File meta data

Analysis Results

Image 02

Forensic Analysis Report: PXL_20201003_231422552.jpg
1. Image Format and Size
• Format: JPEG
• Size: 2695192 bytes
2. Date and Time of Capture (if available)
• Date Created: 2020-10-03 22:14:22 AST
3. Camera Model Information (if embedded)
• Device Make: Google
• Device Model: Pixel 3
4. GPS Location Data (if present)
• Latitude: 35.65818055555555
• Longitude: -78.82788888888888
File meta data

Analysis Results

Image 03

Forensic Analysis Report: PXL_20201004_000920947.jpg
1. Image Format and Size
• Format: JPEG
• Size: 350420 bytes
2. Date and Time of Capture (if available)
• Date Created: 2020-10-03 23:09:21 AST
3. Camera Model Information (if embedded)
• Device Make: Google
• Device Model: Pixel 3
4. GPS Location Data (if present)
• Latitude: 35.67126111111111
• Longitude: -78.877861111111

Analysis result

File meta data

C- Social media/communication apps (4.5 Marks):
4- Choose any three social media you visit regularly.
5- Utilize the online tools to investigate the metadata associated with those social media.
6- In your report, record your findings, including details like:
a. Social media name
b. User information (username and display name)
c. Account creation date (if available)
d. Linked email and phone number
e. Deleted messages
f. Attachment and shared links in messages
g. Any other relevant technical details revealed by the tools
h. Screenshots of the analysis process
Social media can be obtained from two locations
1- navigate to the “Communications” section under the
“Data Artifacts” tree.
The screenshot indicates the presence of multiple social
media and messaging platforms, including:
o Viber
o Facebook
o WhatsApp
o IMO
o LINE
2- From communications in the tool bar

a. Social media name
Facebook
b. User information (username and display name)
The screenshot does not provide usernames or display names directly. It only shows that ID
equals 100046799400843. Further analysis of the threads_db2 database may be required to
extract this information.

using keyword search

c. Account creation date (if available)
The Facebook account creation date cannot be retrieved by analyzing a mobile disk image with
Autopsy, as it is stored server-side and not locally on the device. Forensic tools like Autopsy
focus on local data (e.g., app logs, cached files), which does not include server-side details like
creation dates. For this information, we can use Facebook’s Download Your Information
feature or check the suspect email for the account creation notification.

d. Linked Email and Phone Number
the linked email and phone number associated with a Facebook account cannot be retrieved
through Autopsy, as these details are also stored server-side. Forensic tools analyze only local
data, which does not include such account-specific information. For this information, we can use
Facebook’s Download Your Information feature or check the suspect email for the account creation
notification.

e. Deleted Messages
Facebook’s threads_db2 database does not store deleted messages locally on the device, so I
cannot find them in mobile disk image. Deleted messages are permanently removed from local
storage and can only be recovered from Facebook’s servers.

f. Attachment and shared links in messages

g. Any other relevant technical details revealed by the tools

•

Database Metadata: threads_db2 at
/LogicalFileSet1/data/data/com.facebook.orca/databases/threads_db2, 380928 bytes,
allocated, MIME type application/x-sqlite3, suitable for SQLite analysis.

•

Timestamps: Modified 2020-10-04 20:32:54 AST, created/accessed 2025-03-05 18:05:56
AST, changed 0000-00-00 00:00:00, suggesting reset during extraction.

•

Hash Values: MD5 be31969a29be2b53b65d7fa83827bd3a, SHA-256
8e45965507926361072776c0396ea2181bda285a997fc679664204baa7cfe8, lookup
“UNKNOWN”.

•

Device Context: Google Pixel 3, Android 11, primary user (ID 0).

•

Forensic Artifacts: Internal ID 9671, processed in LogicalFileSet1.

•

7- Reporting:
Write a report that include the following:
1. Provide project aims and followed plan
2. Description of the incident and investigation process
3. Provide tools used.
4. Provide details of the evidence collected and analyzed.

Forensic Investigation Report: Mobile Forensics Case
1. Project Aims and Followed Plan
• Aims:
1. Identify evidence of unauthorized communication apps and file transfers on the
employee’s Android device.
2. Recover and analyze data to confirm suspicious activities flagged by the
company.
3. Provide a detailed report to support potential disciplinary or legal actions.
• Plan:
1. Preparation: Understand the case, set up forensic tools, and ensure legal
compliance.
2. Acquisition: Create a forensic image of the device to preserve original data.
3. Analysis: Extract and analyze data to identify unauthorized apps, file transfers,
and communications.
4. Reporting: Document findings, conclude the investigation, and provide
recommendations.
2. Description of the Incident and Investigation Process
• Incident: A retailer company, “ABC,” suspected an employee of leaking confidential
documents through unauthorized communication apps on a company-issued Android
device. Suspicious activities included unauthorized app installs and file transfers.
• Investigation Process:
1. A forensic image of the Android device was created.
2. The image was analyzed to extract and examine data, including documents,
images, and social media metadata.
3. Focus was placed on identifying unauthorized apps, file transfers, and
communication patterns.
3. Tools Used
• Autopsy: Used for analyzing the forensic image, extracting metadata from documents,
images, and social media apps, and recovering deleted files.
• SQLite Browser: Used to manually inspect the threads_db2 database for Facebook
messages and metadata.
• Hash Lookup Tools: Used to verify file integrity and identify unknown files.
4. Details of Evidence Collected and Analyzed

•

•

•

Documents/PDF Files:
o Analyzed three PDF files (e.g., CS243 Quiz.pdf, CS361 quiz.pdf) for metadata,
including creation dates, authors, and file paths.
o Findings: Metadata revealed file ownership, creation/modification dates, and file
paths, but no evidence of unauthorized transfers.
Image Files:
o Analyzed three image files (e.g., IMG_20201003_191623.jpg) for metadata,
including capture dates, camera models, and GPS locations.
o Findings: Metadata included device information (e.g., OnePlus, Google Pixel) and
GPS coordinates, but no evidence of suspicious activity.
Social Media/Communication Apps:
o Investigated Facebook’s threads_db2 database for user information, account
creation dates, and deleted messages.
o Findings:
▪ Account Creation Date: Not recoverable locally; stored server-side.
▪ Linked Email/Phone Number: Not recoverable locally; stored serverside.
▪ Deleted Messages: Not recoverable, as they are removed from local
storage.
▪ Attachments/Shared Links: Found two media attachments in the
Facebook account, but no evidence of confidential document leaks.

Purchase answer to see full
attachment