The Significance of Different Backup Applications in Retrieving Social Networking Forensic Artifacts From Android-Based Mobile Devices

The characteristics of mobile devices are becoming increasingly like those of modern-day computers in terms of speed, memory, functionality, and external storage capabilities. These factors, in addition to the widespread availability of Internet access create an environment where social networking applications thrive. This paper focuses on conducting forensic analysis on two popular social networking applications: Instagram and Path on an Android-based HTC One M8 mobile phone. The analysis consisted of rooting the mobile device, installing Instagram and Path on the device, performing common user activities via each application, acquiring several logical images of the device, and then finally conducting manual forensic analysis on each acquired image. Since Android does not have a unified backup utility, the logical acquisition was performed using 4 different Android backup applications (MyBackup Pro, Titanium Backup, Helium Backup, and Apps Backup & Restore). The test results have shown that a large portion of the conducted activities is indeed stored on the device's internal memory. However, the extent of the recovered information ultimately depended on which backup application was used to create the logical image of the Android device.