<center>CCF Project Report</center> - HackMD

<style> span.blue { color: #337AB7 !important; } span.red { color: #C62828 !important; } code.red { color: #C62828 !important; } code.orange { color: #F7A004 !important; } code.blue { color: #337AB7 !important; } span.blue_b { color: #1A237E !important; } code.blue_b { color: #1A237E !important; } </style> --- # <center>CCF Project Report</center> # <center><code class="blue">Investigating Android Third Party Applications (Skout, SnapChat) in Android 10</code></center> --- ## <center>Project Members:</center> #### <center>1. <code class="orange">Henadence Anyam Forku</code> | <span class="blue">h.forku@innopolis.university</span></center> #### <center>2. <code class="orange">Ifeanyi Nduka Oniya-Odike</code> | <span class="blue">i.oniyaodike@innopolis.university</span></center> #### <center>3. <code class="orange">Iseoluwa Titiloye Oyeniyi</code> | <span class="blue">i.oyeniyi@innopolis.university</span></center> #### <center>4. <code class="orange">Pacome Kemkeu Djoumessi</code> | <span class="blue">p.kemkeudjoumessi@innopolis.university</span></center> --- <br> ## <span class="blue">Abstract</span> This project report focuses on the forensic investigation of some Third Party applications: [**Skout**](https://play.google.com/store/apps/details?id=com.skout.android), and [**Snapchat**](https://play.google.com/store/apps/details?id=com.snapchat.android) in Android 10. The analysis aims at uncovering some critical data pertaining to the mobile device owner. We decided to work on Third-Party applications as: * They are platform agnostic and run on all mobile operating systems (Android and IOS) that power over 4.32 billion [1] active users over the world giving us mass reachability and availability of data. * They are open-source projects with all the above-mentioned applications on Google Play for free, that majority of the world's population use on a daily basis. People keep a lot of their personal information on their phones using these known Third Party applications. When these users are involved in cases such as homicides, harassment and stalking, economic crimes, drug involvements, just to name a few, their mobile devices are rich sources of information such as call logs, messages (MMS, SMS), email accounts, passwords, bank account details, deleted data, and so much more. We evaluated these applications and provided our findings (data) obtained from the applications. <br>Based on our investigation, we concluded that these Third-Party mobile applications carry an enormous amount of information pertaining to individuals using them. These principles were followed to conduct the complete assessment of the applications: **Data Acquisition**, **Preservation**, **Analysis**, and **Findings** <br> ## <span class="blue">1. Introduction</span> The prevalent rise and usage of web-enabled mobile devices such as tablets and smartphones in our society today have driven forensic investigators to see the need of acquiring mobile evidence in forensic investigations. The use of mobile devices so far proliferates as the world population's dependency on technology accelerates. According to 2021 statistics, the total number of mobile internet users was 4.32 billion [2], stipulating that over 90 percent of internet users operate mobile phones. These devices are operated through an operating system such as **Android** and **IOS** maintained by Google (open-source) and Apple (closed-source) respectively, which are the main operating systems powering mobile devices. These OS then provides an interface on which other applications can run such as AOSP applications, Third-Party applications and others. Speaking of, Third-Party applications are those that are provided by a vendor different from the manufacturer of the device. <br>Based on statistics collected on application downloads, 42.9 billion apps and games were downloaded in 2020 of which Google Play was responsible for 108.5 billion downloads, and iOS had 34.4 billion downloads [3]. ![](https://i.imgur.com/dOBZrQw.png) **<center><span class="blue_b">Figure 1: App Download Statitics [3].</span></center>** <br>Also, by ending 2020 chat and messengers apps which we are focusing on registered the highest user reach of all the surveyed categories, with almost 91 percent of internet users worldwide using these types of apps [4] as can be pictured in Figure 2 below. Social network applications followed with 88.5 per cent reach. This gives us a reasonable rationale for picking these categories of applications for this project. ![](https://i.imgur.com/De44Z8M.png) **<center><span class="blue_b">Figure 2: Chat and Social Networking App Usage Statistics by 2020 [4].</span></center>** <br>Based on our findings, we concluded that these Third-Party mobile applications carry an enormous amount of significant and critical user information which can be revealed by forensically analyzing them. Section 2 of the paper presents the methodology of gathering and analyzing the chosen applications. The next section presents our findings and finally, the last section concludes our examination. <br> ## <span class="blue">2. Methodology</span> This section presents our objective of this project, how our environment is setup, the software we used, our evidence collection, and presevation strategy and analysis of the digital evidence. ### <span class="blue">2.1. Objective In this project report, we are going to analyze the following Third-Party application of Android 10 which include: * Artifacts Overview * Investigating Skout * Investigating Snapchat <br> ### <span class="blue">2.2. Environment Set Up and Software Utilized</span> For our set up, we made use of <span class="blue">**Windows 11**</span> (**as seen in Figure 3 below**) as our base software on which other applications will run in our infrastructure. Windows has great support and visualization of the other software we will be using in this setup. <br>After installing Windows 11, we then moved to install <span class="blue">**Autopsy v4.19.3**</span> which is a fast and open-source digital forensic tool used for thorough and efficient analysis of data. We used this tool to go through the filesystem of Android 10 and investigate our applications of interest. <br>We finally installed <span class="blue">**FTK Imager**</span> which is an imaging and data preview tool that allows quick assessment of electronic evidence. Figure 3 below shows a complete installation of all the software we will be using for this investigation. ![](https://i.imgur.com/V7qpnmM.png) **<center><span class="blue_b">Figure 3: Complete Environment Set Up.</span></center>** <br> ### <span class="blue">2.3. Evidence Acquisition</span> Initially, we wanted to extract our own Android image from one of our phones but faced some difficulties when rooting our device and finally broke it :(. So we downloaded this [prebuild image](https://digitalcorpora.s3.amazonaws.com/corpora/mobile/android_10/Non-Cellebrite%20Extraction/Pixel%203.zip) used in some [practical cases](https://github.com/frankwxu/digital-forensics-lab/tree/main/Andriod10) in [University of Baltimore](https://www.ubalt.edu/) and [Towson University](https://www.towson.edu/). Our evident device (**Google Pixel 3**) is a customized one with pre-installed applications and data. The phone was then rooted with Magisk, a rooting application, in order to gain root-level access to the android operating system. The **version** of android used is: **10**, **Build: QQ1A.200105.003**, and **Patch Level: January 1, 2020**. These practical cases provided some investigations on some existing applications in the mobile as Android Open Source Applications, Google Mobile services Applications or some third party applications like [WhatsApp](https://play.google.com/store/apps/details?id=com.whatsapp), [TextNow](https://play.google.com/store/apps/details?id=com.textmeinc.textme) and [Kik](https://play.google.com/store/apps/details?id=kik.android). That is basically why we decided to continue the process by investigating in the beginning his data and latelly other third-party applications that we could find interesting like [SnapChat](https://play.google.com/store/apps/details?id=com.snapchat.android) and [skout](https://play.google.com/store/apps/details?id=com.skout.android). Having the **Pixel 3.zip** file in our possession, we used the FTK imager software to safely extract, preview and also image the file to the correct format needed for examination in Autopsy tool. Using this technique, we were able to retrieve the data evidence without modifying the original evidence. ![](https://i.imgur.com/cgXuS7P.png) **<center><span class="blue_b">Figure 4a: Mobsf Installed.</span></center>** ![](https://i.imgur.com/2sstPgJ.png) **<center><span class="blue_b">Figure 4b: Mobsf Analysis.</span></center>** <br>Looking at Figure 4c below, we could see that the data were successfully extracted and the preview is highlighted by the side panel. <br> ![](https://i.imgur.com/c0OWqCt.png) **<center><span class="blue_b">Figure 4c: Successful Evidence Extraction.</span></center>** <br>At this point, we then created the image (**.E0*** format) alongside the hash so that the image can be verified for integrity constraints. ![](https://i.imgur.com/ozPux0X.png) **<center><span class="blue_b">Figure 5: Image Creation in Process.</span></center>** <br>It can be seen in Figure 6 below that the image has been successfully created without encountering errors. ![](https://i.imgur.com/3MIWOzR.png) **<center><span class="blue_b">Figure 6: Successful Image Creation.</span></center>** <br>When the image creation process got completed, we could see that the different hashes were created as seen in Figure 7 below. This allows for verification of the original evidence. ![](https://i.imgur.com/AjVZYmg.png) **<center><span class="blue_b">Figure 7: Image Creation in Process.</span></center>** At this stage, our image has been successfully created. Since we are performing the investigation on the same VM, we will simply mount the image in our image analysis program, Autopsy. So, we went ahead and created a new case with the prompted parameters as shown in Figure 8 below. ![](https://i.imgur.com/uG3oaK8.png) **<center><span class="blue_b">Figure 8: Case Creation.</span></center>** Before proceeding with the investigation, we prepared Autopsy by installing the different modules required for this investigation including <span class="blue">**Android Analyzer**</span>, <span class="blue">**Encryption Detection**</span>, and others as shown in Figure 9 below. ![](https://i.imgur.com/Tjbuv0Z.png) **<center><span class="blue_b">Figure 9: Analysis Tools Selection and Installation.</span></center>** <br> At this point, everything has been set up and we are only looking into mounting the image and begin with the investigation. Before that, let us briefly look into the Android partitioning system which we will be needing throughout this investigation. Android devices use several partitions to organise their files and folders. These partitions each have distinct roles that they play in the Android device. ![](https://i.imgur.com/pyRYVNV.png) **<center><span class="blue_b">Figure 10: Android Partition Table.</span></center>** Below is a brief enumeration of the standard partitions: * **/boot** This partition is used to boot the Android device without which it can not be booted. It includes a kernel image and a RAMDisk image combined using mkbootimg [5]. * **/system** This partition contains the entire Android operating system, except the kernel and ramdisk. * **/recovery** It stores the recovery image that allows you to boot the device into a recovery mode for executing advanced recovery and maintenance operations. * <span class="blue">**/data**</span> This partition, which is also called **user data** contains user-installed apps and data, such as contacts, messages, settings, etc. This is the folder that we will be focusing on since we are interested in obtaining all user-related information. * <span class="blue">**/cache**</span> This partition where frequently accessed data and application components are stored. Forensic information can be gotten from here before it is deleted * **/misc** This partition is an important one that includes miscellaneous system settings. Some of these settings include CID (Carrier or Region ID), USB configuration and some hardware settings. Several device features will function abnormally if this partition is corrupt or missing. * **/metadata** This partition is used when the device is encrypted. Now we will mount our image on Autopsy and investigate the above-mentioned applications one after the other starting with Scout. <br> ### <span class="blue">2.4. Evidence Investigation</span> #### <span class="blue"> 2.4.1. Data Artifacts Overview</span> ##### Data ![](https://i.imgur.com/ESGHqjm.png) **<center><span class="blue_b">Figure 11 : Data Artifacts Overview.</span></center>** ##### Contacts ![](https://i.imgur.com/7Zq5ejU.png) ![](https://i.imgur.com/WxyfosK.png) **<center><span class="blue_b">Figure 12 : Contacts View.</span></center>** ##### Messages ![](https://i.imgur.com/lEHb4AZ.png) ![](https://i.imgur.com/OKmiVpU.png) ![](https://i.imgur.com/d57yytX.png) **<center><span class="blue_b">Figure 13 : Messages View.</span></center>** ##### Call logs ![](https://i.imgur.com/kat0F5c.png) ![](https://i.imgur.com/DgkpVbk.png) **<center><span class="blue_b">Figure 14 : Call Logs View.</span></center>** ##### Programs ![](https://i.imgur.com/idetgYO.png) ![](https://i.imgur.com/1DA5U9V.png) **<center><span class="blue_b">Figure 15 : Installed Programs View.</span></center>** ##### webaccounts ![](https://i.imgur.com/5udPrFF.png) **<center><span class="blue_b">Figure 16: Web Account View.</span></center>** <br> #### <span class="blue"> 2.4.2. Investigating Skout</span> Skout is a social networking and dating application based on location discovery. ![](https://i.imgur.com/jiY875a.png) **<center><span class="blue_b">Figure 17: Skout Application on Play Store.</span></center>** <br> * Skout is shipped with the following features: - Meet people by preference and proximity - chat - broadcast yourself and watch others’ streams - see who checked you out - get updates from nearby users - save your favorite users - browse profiles and pictures - promote your profile with in-app features. - Evidences type: - Username - Email - Password - Messages - Location - Last Login time - Version - Install date In the mounted device, we can find Skout related data under the <code class="blue">Pixel 3/data/data/com.skout.android</code> directory. ![](https://i.imgur.com/HyACW2X.png) **<center><span class="blue_b">Figure 18 : Contents of Pixel 3/data/data/com.skout.android Directory.</span></center>** <br> - ### Scenario We found a suspect phone with SKout installed. We will need to find and provide answers to the following questions for further investigations: - When was the app installed? - What is the version of the app? - What personal information does the application contain(Username, email, last location, etc...) - What are saved conversations? In order to provide answers to the questions, we proceeded as follow: - #### What is the version of the app? Since we knew the location of the Skout folder in the mobile, we launched a keyword search through all files looking for the ones with the field `version name:` and finally found one. ![](https://i.imgur.com/KtPAmhr.png) **<center><span class="blue_b">Figure 19 : Skout version obtained.</span></center>** <br>The fields highlighted up there show the package name `com.skout.android` and the version installed which is `6.17.0`. - #### When was the app installed? To find this information, we need to check for files that keep installation timestamps. These data are generated by Google Analytics, a solution designed to provide a report on the application usage and user behavior. It uses the Google Mobile Services Measurement library to configure each class that needs this information. In Android, they are generated and stored under a shared preferences folder in the application main directory in xml format. We found those needed in `shared_prefs/com.google.android.gms.measurement.prefs.xml`. This file is created by the `com.google.android.gms.measurement` library for each application that is installed. So in it, we discovered the following fields and their data: ![](https://i.imgur.com/bONSTXx.png) **<center><span class="blue_b">Figure 20: Application Installation Date.</span></center>** <br>Here we could find the fields: - `app_install_time: 1580317630000` - `first_open_time: 1580322805961` We converted the timestamp and obtained the following: ![](https://i.imgur.com/WeKIJ12.png) **<center><span class="blue_b">Figure 21: Application Installation Date Converted To Human-Readable Format.</span></center>** <br>The application was installed on Wednesday, January 29, 2020, at 5:07:10 PM GMT. And launched for the first time on Wednesday, January 29, 2020, 6:33:25 PM GMT. - #### Which personal information does the application contain (Username, email, last location, etc...) - Under the `shared_prefs` folder, we found multiple xml files keeping user data. We exposed them here as follow: - In "LOGIN_PREFS.xml` we found the email address and the password associated with this account: ![](https://i.imgur.com/DEuvzkE.png) **<center><span class="blue_b">Figure 22: LOGIN_PREFS.xml File.</span></center>** - In USERIDPREFS.xml`, we found his USERID and username shown below: ![](https://i.imgur.com/sk7hwUH.png) **<center><span class="blue_b">Figure 23: USERIDPREFS.xml File.</span></center>** <br> In `LOCATIONS.xml` we found the following coordinates and timestamp: ![](https://i.imgur.com/o701b20.png) **<center><span class="blue_b">Figure 24: LOCATIONS.xml File.</span></center>** <br>We used this timestamp, aka Last_sent_time, and coordinates to find from where they were sent and obtained the following: ![](https://i.imgur.com/thPy5sI.png) ![](https://i.imgur.com/UPRRAgS.png) ![](https://i.imgur.com/s9EEcNb.png) **<center><span class="blue_b">Figure 25: Location Discovery.</span></center>** <br>With more investigations, we got this complete address ![](https://i.imgur.com/LQzKKAJ.png) **<center><span class="blue_b">Figure 26: Complete Address Obtained from Coordinates.</span></center>** <br>So we concluded that the suspect was at that address on Saturday, February 1, 2020 at 8:32:19.080 PM GMT. - We also found the following details in `SEARCH_PREFS.xml`: ![](https://i.imgur.com/OJkmt4C.png) **<center><span class="blue_b">Figure 27: SEARCH_PREFS.xml File.</span></center>** <br>According to the different fields and their values, we could determine that : - The suspect is a man - Looking for women between 24 and 54 years old - That live in the same city as him - #### What are saved conversations? Many Android applications keep a local backup of all sorts of data in the mobile in form of light databases called SQLite. SQLite is an embeddable cross-platform database that supports a fairly complete set of SQL commands. We easily located Skout SQLite databases in the `databases` directory of the installation folder. ![](https://i.imgur.com/IKVHnFO.png) **<center><span class="blue_b">Figure 28: SEARCH_PREFS.xml File.</span></center>** <br>As those seen in the first section of this report, they did not have any encryption. Since we did not have all the details about how the image was built we decided to used SQLite browser to explore their contents. The only database exploitable was `SkoutDatabase`, in which we found two tables containing conversations details and some possible suspect's relations. Below we have the content of the messages table. It shows the list of latest conversations with information related to the parties involved, the data exchanged and their types. ![](https://i.imgur.com/yMYYrbJ.png) **<center><span class="blue_b">Figure 29: Scout Messages Table.</span></center>** The second table found there the Users table. ![](https://i.imgur.com/CC453SD.png) **<center><span class="blue_b">Figure 30: Scout Users Table.</span></center>** <br>The user's table contains the information related to different people with whom the suspect has exchanged information. The userId seen in the Messages databases now linked to some usernames and provided some identities. <br> #### <span class="blue">2.4.3. Investigating Snapchat</span> **Snapchat** is an instant messaging application. It helps friends and families to connect and share their moments. It supports the following services: * **Snap**: Express yourself with Lenses, Filters, and more through the camera with Snapchat defaults. * **Chat**: To stay in touch with friends and families through videos and live messaging. * **Stories**: For discovering breaking news and viewing friends' Stories to see how their day is going. * **Map**: For exploring live stories and sharing your location to friends * **Memories**: For creating, editing and saving photos and videos for special moments * **Friendship Profiles**: To view special save friendship profiles ![](https://i.imgur.com/FLWOtsi.png) **<center><span class="blue_b">Figure 31: Snapchat Page On Google Play Store.</span></center>** <br>The above-enumerated features of Snapchat provide us with a rich source of information and evidence types. We will be investigating information such as installation date and version of the software, Username, Email, Password, Messages, Location, Last Login time of the user. <br>We start by locating the <code class="blue">com.snapchat.android</code> folder where the Third-Party Snapchat files are stored as shown in Figure 32 below. ![](https://i.imgur.com/Q4Lp6mj.png) **<center><span class="blue_b">Figure 32: com.snapchat.android folder</span></center>** <br>We then locate the <code class="blue">shared_prefs</code> folder where user basic informations and application usage generated by Google Analytics are stored. This folder contains several xml files with user information. We first examined the <code class="orange">identity_persistent_store.xml</code> file as shown in Figure 33 below. ![](https://i.imgur.com/CqFVfMG.png) **<center><span class="blue_b">Figure 33: identity_persistent_store.xml file in shared_prefs folder</span></center>** <br>From Figure 33 above, we could obtain the **date when this application was installed** on the device (<code class="red">**1580317793035**</code>), the **first time** the user logged into the application (<code class="red">**1580322609553**</code>), and the **username** of the last person who logged into the application (<code class="red">**thisisdfir**</code>). <br>We noticed that the timestamps obtained are Unix timestamps in seconds, milliseconds, microseconds, and nanoseconds. We used the [epochconverter tool](https://www.epochconverter.com/) to convert the epoch to a human-readable date. <br>The date when this application was installed on the device after conversion is: (<code class="red">**Wednesday, January 29, 2020 5:09:53.035 PM GMT**</code>) as shown in Figure 34 below. That is about **2 years ago** relative to our current time. ![](https://i.imgur.com/YugA8WF.png) **<center><span class="blue_b">Figure 34: Snapchat Installation Date and Time On Device</span></center>** <br>And the date and time when the user first logged in to the application was: (<code class="red">**Wednesday, January 29, 2020 6:30:09.553 PM**</code>) as shown in Figure 35 below. This is just approximately **7 minutes** after installing the application. ![](https://i.imgur.com/F6UDBi7.png) **<center><span class="blue_b">Figure 35: First Logged In Date and Time On Snapchat.</span></center>** <br>We then moved to investigation the <code class="orange">user_session_shared.xml</code> file which provides us information about the logged in user session as shown in Figure 36 below. ![](https://i.imgur.com/2LBCcv1.png) **<center><span class="blue_b">Figure 36: user_session_shared.xml file in shared_prefs folder.</span></center>** <br>From the Figure 36 above, we could see the **username** <code class="red">**thisisdfir**</code> which proves the phone owner is this same user. We also got the following information: * The users **birthday**: <code class="red">**307598400000**</code> which is <code class="red">**Monday, October 1, 1979 4:00:00 AM GMT**</code> converted in human-readable format. This user is about **42 years old** with respect to now that this forensic analysis is conducted. This shows that the user is an adult. * The users **phone number**: <code class="red">**+19197580276**</code>. With this information, we were able to locate his location using the [allareacodes reverse phone lookup tool](https://www.allareacodes.com/reverse-phone-lookup/). We could tell that the user is a resident of **Raleigh** as shown in Figure 37 below. * The users **country code**: <code class="red">**US**</code> * The users **email address**: <code class="red">**thisisdfir@gmail.com**</code> ![](https://i.imgur.com/P9mlRHK.png) **<center><span class="blue_b">Figure 37: User's Location.</span></center>** <br>From Figure 37 above, we could get the phone users location which is **Raleigh, NC, Wake County** which confirms what was previously obtained from Skout investigation. <br>We then move on to the <code class="blue">databases</code> folder which contains databases that store a lot of information such as the user's contacts, conversations, and many more. We analyzed the **Friends** table in the main.db database. We were able to see the users friends list as shown in Figure 38 below. ![](https://i.imgur.com/BG4p8Rd.png) **<center><span class="blue_b">Figure 38: Friends Table Data.</span></center>** ### <span class="blue">2.5. Results</span> #### <span class="blue">2.5.1. Scout</span> :::info | Features | Data | Date |Time (GMT) | | ----------------- |:----------------|---------------|-----------| | Skout Installation| | Wednesday, January 29, 2020| 5:07:10 PM | | Skout Version| 6.17.0 | | | | First Usage | |Wed, Jan 29, 2020 | 6:33:25.961 PM | | Username | thisisdfir | | | | Email Address | thisisdfir@gmail.com | | | | Password | *3qpAs82ZgT9UBFZ}TZCqmg4%Av6R&nc | Gender | Male | | | Looking for| Women aged between 24 and 54 | Potential Location | House 105, Holy Springs, Wake County, North CArolina, 27540, USA | | | ::: **<center><span class="blue_b">Table 1 : Results Obtained During Skout Investigation.</span></center>** #### <span class="blue">2.5.2. Snapchat</span> :::info | Features | Data | Date |Time (GMT) | | ----------------- |:----------------|---------------|-----------| | Snapchat Installation| | Wed, Jan 29, 2020 |5:09:53.035 PM | | First Usage | |Wed, Jan 29, 2020 | 6:33:25.961 PM | | Username | thisisdfir | | | | Email Address | thisisdfir@gmail.com | | | | Date of Birth | | Mon, Oct 1, 1979| 4:00:00 AM | | Phone Number | +19197580276 | | | | Location | Raleigh, Wake County, North CArolina, USA | | | ::: **<center><span class="blue_b">Table 2 : Results Obtained During Snapchat Investigation.</span></center>** <br> ## <span class="blue">3. Conclusion</span> In our project, we were able to gather enough information which could be further used in forensic investigation. We obtained user credentials, locations, phone numbers and others as you can see on Table 1 and 2 above. To get these results, we merged several techniques and tools in carrying out this forensic investigation on the Third-Party Android applications Skout and Snapchat to be precise. This shows that Third-Party applications especially social networking ones contain an enormous amount of data that can be leverage for forensic investigations. <br> ## <span class="blue">References</span> [1] https://www.businessofapps.com/data/android-statistics/#:~:text=Android%20is%20the%20most%20popular,users%20spanning%20over%20190%20countries Accessed on 25th of Feb, 2022 [2] https://www.statista.com/topics/779/mobile-internet/#dossierKeyfigures Accessed on 25th of Feb, 2022 [3] https://www.businessofapps.com/data/app-statistics/ Accessed on 26th of Feb, 2022 [4] https://www.statista.com/statistics/1252652/top-apps-categories-by-global-usage-reach/ Accessed on 26th of March, 2022 [5] https://source.android.com/devices/bootloader/partitions Accessed on 27th of Feb, 2022 [6] https://www.programmer-books.com/wp-content/uploads/2019/05/Practical-Mobile-Forensics-Second-Edition.pdf [7] https://github.com/frankwxu/digital-forensics-lab/tree/main/Andriod10 Accessed on 28th of Feb, 2022 [8] https://digitalcorpora.s3.amazonaws.com/corpora/mobile/android_10/Non-Cellebrite%20Extraction/Pixel%203.zip Accessed on 25th of Feb, 2022 [9] https://www.programmer-books.com/wp-content/uploads/2019/05/Practical-Mobile-Forensics-Second-Edition.pdf Accessed on 4th of March, 2022