! !!!!!!!!

Analysis of Forensically Significant Artifacts of Tinder App on iPhone

Niall Heffernan
A minor dissertation submitted in part fulfilment of the degree of MSc in Digital Investigation and Forensic Computing with the supervision of Dr. Pavel Gladyshev

!!!!!!!!!!
School!of!Computer!Science!and!Informatics! University!College!Dublin! 17th!August!2013!

! ! ! ! !
!

1! !

Table!of!Contents!
!
1.#Introduction#............................................................................................................................#3! 1.1!Project!Scope!.....................................................................................................................................!3! 1.2!The!Smartphone!...............................................................................................................................!3! 1.3!Tinder!...................................................................................................................................................!4! 2.#Literature#Survey#...................................................................................................................#5! 2.1!Apple!File!System!Programming!Guide![8]!..........................................................................!5! 2.3!IPhone/IPod!Touch!Forensics!Manual![10]!.........................................................................!7! 2.4!Forensic!Analysis!of!the!Burner!App!for!the!IPhone!by!Digital!Forensics!Tips! [11]!................................................................................................................................................................!7! 3.#SQLite#Database#and#PLIST#Files#......................................................................................#7! 3.1!SQLite!Databases!..............................................................................................................................!8! 3.2!PLIST!Files!..........................................................................................................................................!8! 4.#ITunes#Backup#File#Acquisition#........................................................................................#8! 5.#Acquisition#and#Analysis#Software#..................................................................................#9! 5.1!IPhone!Backup!Extractor! ..............................................................................................................!9! 5.2!iBackupBot!.......................................................................................................................................!10! 5.3!iPhone!Analyzer!.............................................................................................................................!10! 5.4!SQLite!Database!Browser!...........................................................................................................!11! 6.#Analysis#Method#...................................................................................................................# 11! 7.#Results#and#Findings# ...........................................................................................................# 12! 7.1!Tinder.sqlite!Database!file!..........................................................................................................!12! 7.5!Forensic!Significance!of!Findings!...........................................................................................!17! 8.#Conclusions#and#Future#Work#.........................................................................................# 19! Bibliography#..............................................................................................................................# 20! Images#..........................................................................................................................................# 22!

! ! ! ! !
! ! ! ! !

2! !

! 1.!Introduction!!
1.1!Project!Scope! The! purpose! of! this! dissertation! is! to! forensically! examine! significant! artefacts! present!on!an!IPhone!after!the!installation!and!use!of!mobile!dating!applications.! There! are! many! applications! available! for! smartphones! that! facilitate! users! in! meeting!potential!partners.!There!is,!however,!a!risk!associated!with!the!level!of! anonymity!a!user!can!have!on!dating!applications!as!there!exists!the!potential!for! predators! to! attract! and! lure! vulnerable! users.! If! such! a! case! were! to! arise,! evidence! found! from! mobile! dating! applications! can! prove! to! be! of! utmost! significance! in! such! a! case.! Due! to! time! constraints! and! resources! the! scope! of! this! dissertation! is! to! focus! only! on! the! dating! application! Tinder! [6]! which! is! discussed!in!more!detail!in!following!sections.!!!! ! 1.2!The!Smartphone! The! smartphone! has! taken! over! the! world! as! the! must! have! tool! in! the! area! of! technology.! Out! of! 5! billion! mobile! phone! owners! in! the! world,! 1.08! billion! of! them! own! a! smartphone! [1].! Apart! from! the! basic! features! of! a! mobile! phone! such! as! calling! and! texting! this! percentage! of! the! population! also! use! smartphones! to! access! their! email,! go! online,! social! network,! bank! online,! gaming!and!can!even!use!their!smartphones!as!a!GPS!device.!! ! Smartphones! run! on! many! different! operating! systems.! Currently! the! two! leaders! in! the! market! are! the! Google! Android! operating! system! and! Apple! IOS.! The!Google!Android!OS!holds!41.1%!of!the!market!share!while!Apple!IOS!holds! 17.3%! [2].! This! is! largely! due! to! an! abundance! of! affordable! Android! phones! available!on!the!market!which!in!turn!is!made!available!by!the!various!versions! of! the! Android! OS.! ! Apple! on! the! other! hand! releases! a! new! version! of! their! iPhone!software!less!frequently.!! Another!desirable!feature!of!smartphones!is!the!ability!to!download!applications! to!a!persons!phone!on!the!move!through!smartphone!providers!app!stores.!!In! 3! !

! 2012! Apple! reported! offering! more! than! 550,000! apps! on! their! app! store! and! celebrated! 25! Billion! downloads! [3]! while! Google! Android! claims! to! have! 700,000! apps! on! their! Google! Play! app! store! [4].! An! influential! factor! in! these! statistics! is! that! anyone! with! programming! knowledge! can! develop! apps! independently!and!host!them!on!the!various!app!markets.!! ! One! of! the! major! uses! of! smartphones! is! social! networking.! It! was! found! that! smartphone! users! spend! 9! hours! 6! minutes! per! month! on! social! networks! [5];! this!includes!the!use!of!Twitter!and!Facebook!amongst!other!social!networking! applications.!Along!with!social!networking!a!new!trend!of!using!smartphones!for! online! dating! has! emerged,! with! a! number! of! applications! developed! to! assist! people!in!meeting!potential!partners.!The!purpose!of!this!dissertation!is!to!focus! on!one!of!these!dating!applications!and!to!forensically!examine!artefacts!that!can! be!left!behind!after!use!of!the!application.! ! 1.3!Tinder!! Tinder!is!a!dating!application!available!for!both!the!IPhone!and!Android!devices.! The!Tinder!website!describes!Tinder!as! A!fun!way!to!meet!people! [6].!In!order! for!a!user!to!use!Tinder!they!must!have!a!Facebook!account!with!which!to!sign! into! the! application.! Once! the! user! has! created! a! Tinder! account,! their! current! Facebook! profile! picture! is! set! as! their! default! Tinder! profile! picture.! The! user! then! has! the! option! to! add! more! photos! of! themselves! to! their! Tinder! account.! These!photos!may!be!viewed!by!other!Tinder!users.! ! Once!the!user!has!set!up!their!account!they!can!select!whether!they!are!looking! to!meet!females,!males!or!both.!They!can!then!limit!the!search!radius!to!search! for! other! users! from! anywhere! within! a! 10! mile! to! a! 100! mile! radius.! It! is! also! possible! to! limit! the! age! profiles! of! potential! matches.! Once! the! user! has! completed! their! search! criteria,! the! Tinder! app! presents! them! with! potential! matches!sequentially.!The!user!has!the!choice!to!either!like!the!person!they!are! matched! with! by! pressing! a! heart! icon! on! the! interface! or! select! the! dislike! option,!which!is!depicted!as!an!X!symbol.!A!match!occurs!if!two!users!happen! 4! !

! to!mutually!like!each!other.!They!are!then!given!the!option!to!private!message! each! other! and! arrange! to! meet.! Tinder! only! provides! a! users! first! name! to! potential! matches,! it! also! shows! if! the! two! parties! involved! have! any! mutual! friends!or!shared!interests!on!Facebook.!! ! Tinder!provides!a!level!of!anonymity!by!only!displaying!first!names.!By!showing! if! users! share! mutual! friends! on! Facebook! though! it! is! quite! simple! to! find! a! users! identity! by! a! simple! search! through! a! mutual! friends! profile.! The! main! danger!however!lies!in!the!terms!of!use!on!Tinders!website![6]!where!it!states! that!a!user! must!be!at!least!13!years!old...!to!use!the!application.!Since!anyone! can! create! a! Facebook! account! using! a! fake! age! they! can! also! sign! up! to! use! Tinder! where! they! may! be! exposed! to! potential! threats.! According! to! a! blog! in! the!New!York!Times![7]!Tinder!is!being!downloaded!20,000!times!a!day!and!with! no! way! of! screening! or! vetting! new! users! it! is! open! to! be! used! by! potential! dangerous!characters.!! !

2.!Literature!Survey!
! In! order! to! be! sure! that! the! investigation! being! undertaken! presents! the! most! accurate! results,! it! is! important! to! undertake! research! to! better! understand! techniques! used! for! the! analysis! and! to! have! knowledge! of! the! file! system! structure! of! the! IPhone! along! with! knowledge! of! the! best! tools! to! use.! The! following!section!summarises!various!readings!that!were!carried!out!during!the! process!of!this!analysis.!Forensic!analysis!of!smartphones!is!still!quite!new!in!the! area! of! computer! forensics,! as! a! result! the! amount! of! literature! on! this! topic! is! very! limited.! Despite! this,! the! following! literature! provides! good! insights! into! IPhone!forensics!analysis.!! ! 2.1!Apple!File!System!Programming!Guide![8]! Apple! has! provided! a! comprehensive! guide! for! developers! who! are! looking! to! begin!developing!applications!for!the!Apple!app!store!or!for!their!own!personal! 5! !

! use.!The!guide!is!called!Apple!File!System!Programming!Guide.!For!the!scope!of! this!project!only!certain!sections!of!the!document!were!examined.!Section!2:!File! System! Basics! gives! an! incdepth! overview! of! the! file! structure! created! by! applications! within! the! overall! file! system! of! the! device.! The! guide! describes! where! a! developer! should! place! their! applications! files! for! best! efficiency.! This! document!also!gives!a!comprehensive!overview!of!the!various!directories!of!the! iOS! file! system! and! what! files! reside! in! each! directory.! From! an! investigation! point! of! view! this! knowledge! is! very! useful! as! it! provides! starting! points! for! locating! potential! evidential! artefacts.! The! guide! also! provides! information! on! hidden!directories!that!are!present!on!the!device.!As!the!scope!of!this!project!is! to!focus!on!artefacts!created!by!an!application!this!document!is!useful!as!it!states! the! location! on! the! file! system! where! specific! application! files! are! stored.! This! document!can!serve!as!an!investigators!roadmap!to!the!iOS!file!system,!pointing! them!to!files!of!forensic!significance.!! ! ! 2.2!Forensic!Analysis!on!iOS!Devices![9]! Forensic! Analysis! on! iOS! Devices! focuses! on! many! areas! of! iOS! forensics.! This! paper!provides!an!overview!of!the!iOS!HFS+!(Hierarchical!File!System)!in!use!on! iOS!devices,!an!overview!of!SQLite!Database!files,!PLIST!(property!lists)!files!and! how! to! perform! Acquisitions! both! from! the! iTunes! backup! file! or! physical! acquisitions! of! iOS! devices.! The! section! related! to! the! HFS+! gives! a! good! overview! of! the! make! up! of! the! file! system! by! providing! information! about! the! HFS+!allocation!file;!extents!overflow!file!and!the!HFS+!catalogue!file.!This!paper! also!describes!two!prevalent!file!types!used!by!iOS.!These!are!SQLite!databases! and! PLIST! files,! which! are! discussed! in! more! detail! in! a! later! section# entitled! SQLite! Databases! and! PLIST! Files.! There! are! also! sections! relating! to! the! processes!of!acquiring!images!of!an!iOS!device!for!further!examination,!the!paper! describes! the! use! of! iTunes! backup! for! investigation! and! provides! suggested! software! that! can! be! used! examine! these! backup! files.! Another! section! of! this! paper! describes! methods! for! physically! acquiring! iOS! images! and! provides! suggested!software!that!can!be!used!to!carry!out!physical!acquisitions.!! 6! !

! 2.3!IPhone/IPod!Touch!Forensics!Manual![10]!! This! article! written! by! Jonathan! A.! Zdziarski! gives! a! good! incdepth! analysis! of! performing! forensic! investigations! on! IPhone! devices.! The! article! covered! subjects! such! as! disk! layouts,! powercon! device! modifications,! performing! forensic! recovery! and! Electronic! discovery.! For! the! scope! of! this! report! the! section! entitled! Electronic! Discovery! provided! the! main! focus! for! this! investigation.! This! section! provided! an! overview! of! both! SQLite! databases! and! Property! lists.! This! section! also! provided! a! list! of! other! forensically! significant! files!along!with!a!short!description!of!each!file!and!their!location!within!the!file! system.!This!was!useful!as!it!provided!information!that!could!provide!a!further! incdepth! investigation! into! the! user! of! the! devices! actions! and! movements,! however! with! the! scope! of! this! investigation! being! focused! on! a! singular! application! these! files! other! than! SQLite! and! PLIST! files! would! not! be! need! as! they!are!outside!the!scope!of!this!project.!! ! 2.4!Forensic!Analysis!of!the!Burner!App!for!the!IPhone!by!Digital!Forensics!Tips![11]! ! This! article! provides! and! analysis! of! an! IPhone! application! called! Burner.! This! application! allows! users! to! purchase! disposable! phone! numbers! for! temporary! use.!While!this!application!has!no!relation!to!the!application!being!examined!as! part!of!this!project!the!techniques!used!proved!useful!when!running!analysis!on! the! Tinder! dating! application.! It! provided! information! on! relevant! files! within! the! applications! directory! on! the! device.! Since! IPhone! application! development! follows! a! set! of! rules,! the! structure! of! application! directories! are! near! uniform! meaning!investigation!on!the!Burner!app!has!significance!in!the!investigation!of! the!Tinder!app.!! !

3.!SQLite!Database!and!PLIST!Files!

! The! literature! surveyed! in! the! previous! section! all! discussed! the! forensic! significance! of! SQLite! Database! and! PLIST! files! within! IPhone! forensic! analysis.! This! section! provides! further! information! on! both! file! types! in! terms! of! their! structure!and!forensic!significance!within!an!investigation.!! 7!

! ! 3.1!SQLite!Databases! SQLite! is! an! incprocess! library! that! implements! a! selfccontained,! servercless,! zerocconfiguration,! transactional! SQL! database! engine! [12].! Since! SQLite! databases!are!servercless!they!can!be!embedded!into!applications!with!ease!and! read!and!written!to!disk!files.!!SQLite!is!frequently!used!in!portable!devices!due! to! the! fact! that! they! are! quite! compact! and! do! not! take! up! much! space! in! memorycconstrained!devices,!they!also!perform!well!in!lowcmemory!devices.!! SQLite!is!provided!to!users!free!of!charge!for!commercial!and!private!use!for!this! reason!SQLite!is!commonly!used!by!app!developers!as!a!means!for!their!app!to! store!data.!! ! 3.2!PLIST!Files! ! PLIST! files! are! also! known! as! Property! List! Files! [13].! These! files! are! the! Macintosh!equivalent!to!Windows!registry.!They!contain!OS!information!such!as! application! settings,! user! preferences! and! security! settings! [13].! PLIST! files! are! XML! files! meaning! they! can! be! viewed! using! any! XML! editor! or! a! text! editor.! Every! application! on! iOS! devices! use! an! info.plist! file! [14],! which! contains! configuration!settings!for!application!on!iOS!devices.!!

! 4.!ITunes!Backup!File!Acquisition!

! In!the!scope!of!this!project!it!is!assumed!that!the!IPhone!device!is!unavailable!to! investigators!in!the!case!of!a!kidnapping.!It!is!therefore!necessary!to!be!able!to! examine!the!contents!of!an!iOS!device!without!having!physical!access!to!it.!Apple! has!created!a!method!that!creates!backups!of!an!iOS!device!in!the!case!of!critical! failure.! When! an! IPhone! is! registered! to! an! ITunes! account! a! backup! of! the! IPhone!is!taken!when!the!device!is!synced!to!ITunes!with!the!backup!stored!on! the! computer.! ITunes! creates! a! folder! on! the! computer! with! the! device! UDID! (Unique! Device! ID)! [15]! as! the! name;! this! UDID! is! 40! hexadecimal! characters! long.! The! device! contents! are! then! copied! to! this! folder.! As! the! analysis! of! this! 8! !

! project! is! being! carried! out! using! Mac! OSX! the! location! of! IPhone! backups! are:! <User! Home! Directory>/Library/Application! Support/MobileSync/Backup.! The! following! section! will! outline! software! that! is! available! that! can! open! these! backups!in!readable!format!allowing!for!a!forensic!analysis!to!be!carried!out.!! !

! ! 5.!Acquisition!and!Analysis!Software!

! This!section!will!outline!and!describe!software!available!for!the!acquisition!and! forensic! analysis! of! IPhone! devices.! As! mentioned! in! the! previous! section! the! analysis!of!the!IPhone!will!be!carried!out!on!a!backup!taken!by!ITunes!the!last! time!the!device!was!synced.!!Only!software!that!can!read!and!present!the!backup! files!in!readable!format!will!be!examined.!! ! In!order!to!examine!the!backup!files!of!the!iOS!device,!appropriate!software!was! needed!to!present!the!data!in!a!readable!format.!The!criterion!for!the!software! was!that!it!needed!to!be!free!to!use,!didnt!require!the!purchasing!of!a!license!and! it! also! had! to! be! Mac! OSX! compatible.! ! With! the! criteria! decided! upon! a! search! was! conducted! to! identify! potential! software.! The! articles! mentioned! in! the! previous!section!outlined!a!number!of!software!that!can!be!used!to!perform!an! analysis! of! iTunes! backups.! The! following! sections! list! potential! software! and! their!main!attributes.! ! 5.1!IPhone!Backup!Extractor!! ! The!iPhone!Backup!Extractor![16]!is!crosscplatform!software!that!automatically! finds! iTunes! backup! files! if! they! are! present! on! a! system.! iPhone! Backup! Extractor! was! developed! by! reincubate! technology,! media! and! data! (http://www.reincubate.com).!The!software!provides!the!user!with!the!ability!to! recover! various! artefacts! from! an! IPhone! device! such! as! contacts,! call! history,! SMS,!video!and!most!importantly!App!files.!!! ! 9! !

! While! this! software! met! a! number! of! criteria! needed! to! complete! this! project! there!was!some!negative!aspects!which!ultimately!led!to!the!decision!not!to!use! it!for!this!project.!One!aspect!was!the!fact!that!it!did!not!include!any!functionality! to!view!discovered!files!within!the!software,!instead!any!files!discovered!needed! to!be!extracted!to!a!location!on!the!local!machine!and!then!opened!using!external! viewer!programs.!This!proved!to!be!quite!tedious!and!time!consuming.!Another! issue!arose!regarding!the!installation!procedure.!In!order!to!install!the!software! on!Mac!OSX!the!user!needs!to!install!various!libraries!to!the!system!such!as!the! Mono! framework! (http://www.monocproject.com)! and! X11! libraries.! The! software! had! to! be! then! run! through! the! command! line! using! the! Mono! framework!that!proved!troublesome!and!encountered!a!number!of!issues.! !! 5.2!iBackupBot!! ! The!iBackupBot![17],!much!like!iPhone!Backup!Extractor,!automatically!detects! iTunes! backups! on! the! system.! However! this! software! presents! the! contents! of! the!backup!to!the!user!in!the!form!of!a!filectree!structure.!This!makes!navigation! through!the!various!files!easy!and!also!provides!good!reference!points!in!relation! to!the!locations!of!certain!files!on!the!backup.!! ! Unlike! the! iPhone! Backup! Extractor! software! iBackupBot! also! contains! various! editors!and!viewer!programs!for!viewing/editing!plists!files,!SQLite!files,!images,! messages!or!call!logs.!There!is!also!the!option!to!export!data!to!the!local!machine! if!the!user!wants!to!keep!certain!documents!in!an!easy!to!find!location!and!view! them! using! applications! of! their! choice.! This! software! seems! ideal! for! meeting! the!requirements!of!this!project!as!it!contains!more!features!than!iPhone!Backup! Extractor!and!is!more!accessible!to!install,!however,!the!developers!only!allow!a! 7cday! free! trial.! After! the! initial! trial! expires! the! user! needs! to! purchase! the! software,!this!was!beyond!the!resources!available!to!the!project.!For!this!reason! iBackupBot!was!not!selected!for!this!assignment.! ! 5.3!iPhone!Analyzer! ! 10! !

! The! iPhone! Analyzer! software! developed! by! Crypticbit! [18]! like! the! other! programs!mentioned!in!this!section!automatically!detects!an!iTunes!back!up!on! the! system! and! imports! it! into! the! software.! The! GUI! presents! the! user! with! information!about!the!device!that!it!procures!from!the!devices!info.plist!file.!The! software!also!provides!two!options!for!viewing!a!devices!data.!The!first!option!is! by!using!Bookmarks!which!is!the!most!likely!places!an!individual!searches!for! information!such!as;!address!book;!location!map;!messages!and;!call!logs.!These! are!presented!to!the!user!in!a!readily!accessible!way!in!the!main!window!of!the! GUI.! The! second! way! an! individual! can! search! through! data! is! by! using! the! file! system!view;!this!view!reconstructs!the!structure!of!the!devices!file!system!and! presents! it! to! the! user! in! a! tree! structure.! ! IPhone! Analyzer! also! contains! an! embedded!SQLite!browser!and!also!a!viewer!to!display!PLISTS!in!XML!format.!! ! Iphone!Analyzer!also!provides!a!comprehensive!manual!outlining!all!the!features! that! are! contained! in! the! software! that! is! easy! to! follow.! The! software! is! also! freely! available! to! download! from! sourceforge.! For! these! reasons! IPhone! Analyzer!was!chosen!for!this!project!as!the!primary!analysis!software.!! ! ! 5.4!SQLite!Database!Browser!! ! SQLite!Database!Browser![19]!was!chosen!as!a!secondary!viewing!tool!for!SQLite! files.! This! browser! was! used! over! the! embedded! browser! contained! in! IPhone! Analyzer! as! it! is! easier! to! execute! SQL! commands! through! its! interface.! The! software! is! also! freely! available! to! download! from! Sourceforge! with! no! additional!costs.!! !

6.!Analysis!Method!

! The!scope!of!this!project!is!to!examine!the!forensically!significant!artefacts!that! are!installed!on!an!IPhone!after!the!installation!of!the!mobile!dating!application! Tinder.! In! order! to! have! a! focus! when! deciding! on! what! may! or! not! be! forensically!significant!a!simple!scenario!was!put!in!place.!!The!scenario!focuses! on! a! young! underage! teenager! who! has! gone! missing! and! it! is! believed! they! 11! !

! may! have! been! communicating! with! someone! on! Tinder.! As! the! device! is! believed! to! be! on! the! person! it! is! not! possible! to! take! a! physical! image! of! the! device! itself! so! an! analysis! needs! to! be! conducted! on! the! last! backup! from! the! missing!persons!iTunes!account.!! ! The!goal!of!the!analysis!is!to!find!any!information!from!the!backup!that!may!help! further! the! investigation! such! as! chat! history,! usernames,! and! location! history.! Tinder,! version! 2.1.0! was! downloaded! to! an! IPhone! 4S! running! iOS! 6.1.3.! The! device!was!used,!as!it!would!be!in!normal!circumstances!to!collect!real!life!data.! Once!a!sufficient!amount!of!data!was!collected!from!the!everyday!use!of!Tinder! the! most! recent! backup! of! the! IPhone! was! located! and! loaded! into! the! IPhone! Analyser! program.! The! contents! of! the! Tinder! application! directory! were! then! examined,!the!focus!being!on!the!tinder.sqlite!file.!This!SQLite!file!was!extracted! and! opened! using! an! SQLite! Database! Browser.! Once! the! SQLite! database! was! exported! from! IPhone! Analyzer! and! opened! in! the! viewer! an! analysis! of! the! database!is!conducted!with!the!results!of!the!analysis!described!in!the!following! section.!! !

7.!Results!and!Findings!!
! The!following!sections!outline!and!present!the!findings!of!the!analysis!of!the!files! extracted!from!the!IPhone!device!following!the!data!collection!method!that!was! carried!out!in!the!previous!section.!! ! 7.1!Tinder.sqlite!Database!file! ! An!SQLite!database!file!named!Tinder.sqlite!was!extracted.!Figure.!1!below!shows! the!structure!of!the! Tinder.sqlite!database,!it!displays!the!tables!contained!within! Tinder.sqlite!along!with!each!tables!list!of!fields.!! !

12! !

! # ZMESSAGE#
Z_PK! Z_ENT! Z_OPT! ZINBOUND! ZUSER! ZCREATIONDATE! ZBODY!

# ZUSER#
Z_PK! Z_ENT! Z_OPT! ZCOMMONFRIENDCOUNT! ZCOMMONLIKECOUNT! ZGENDER! ZHASIMAGE! ZHASUNVIEWEDMESSAGES! ZISACTIVE! ZISMATCH! ZISRECOMMENED! ZISUNSEENEWMATCH! ZSERVERMESSAGECOUNT! ZBIRTHDATE! ZCHATLASTVIEWED! ZDISTANCEMILES! ZLASTACTIVITYDATE! ZDISTANCEINMILES! ZLASTACTIVITYDATE! ZMATCHEDDATE! ZPINGTIME! ZBIO! ZFACEBOOKID! ZMATCHID! ZNAME! ZUSERID! ZIMAGE! !

# ZPROCESSEDPHOTO#
Z_PK! Z_ENT! Z_OPT! Z_PHOTO! ZHEIGHT! ZWIDTH! ZREMOTEURL! !

# Z_5SHAREDFRIENDS#
Z_5SHAREDFRIENDS! REFLEXIVE! !

# Z_PRIMARYKEY#
Z_ENT! Z_NAME! Z_SUPER! Z_MAX! !

13! !

! # Z_METADATA#
Z_VERSION! Z_UUID! Z_PLIST! !

# ZLIKE#
Z_PK! Z_ENT! Z_OPT! ZUSER! ZCATEGORY! ZFACEBOOKID! ZNAME! ZREMOTEIMAGEURL! ZIMAGE!

# ZPHOTO#
Z_PK! Z_ENT! Z_OPT! ZUSER! Z_FOK_USER! ZORIGINX! ZORIGINY! ZSIZEHEIGHT! ZSIZEWIDTH! ZPHOTOID! ZREMOTEURL! Figure!1.!Structure!of!Tinder.sqlite!Database!File!

A! number! of! the! tables! listed! above! have! duplicate! fields! within! them! but! the! most! forensically! relevant! tables! discovered! were! ZMESSAGE! and! ZUSER.! The! following!sections!will!outline!the!data!contained!in!each!of!these!tables.!! ! 7.2!ZMESSAGE!Table! ! This! table! contains! all! information! relating! to! any! private! chat! messages! that! have! been! sent! between! people! who! have! mutually! liked! each! other! using! the! application.!A!summation!of!the!information!stored!in!each!field!is!as!follows:! ! ZBODY:!This!field!contains!the!body!of!any!messages!sent!between!two!matches! privately.! Messages! are! stored! in! individual! rows! and! every! time! a! message! is! sent/received! the! body! of! that! message! is! stored! in! a! new! row.!! ! ZINBOUND:!This!field!contains!a!numeric!value,!the!purpose!of!the!numeric!value! is! to! differentiate! between! whether! the! message! was! sent! from! the! device! or! received! from! another! user.! The! value! 0! indicates! a! message! was! sent! 14! !

! outbound! from! the! users! device! and! the! value! 1! indicates! that! a! message! was! received!inbound!from!another!users!device.!! ! ZCREATIONDATE:! This! field! contains! a! timestamp! of! the! creation! date! of! the! message.!The!timestamp!is!stored!using!Mac!Absolute!Time![20].! ZUSER:! This! field! contains! a! numeric! value! as! an! ID! for! a! matched! user! in! the! table.!! 7.3!ZUSER!Table! The!ZUSER!table!contains!a!number!of!forensically!significant!information.!This! table! stores! data! relating! to! Tinder! users! who! have! been! mutually! matched.! A! number!of!these!fields!contain!null!entries,!this!is!assumed!to!be!a!form!of!data! protection.!The!field! ZFACEBOOKID! is!left!null!as!to!avoid!a!users!privacy!being! compromised! as! the! app! is! designed! to! maintain! anonymity! with! the! users! having!the!option!to!exchange!personal!details!through!the!chat!function!if!they! are!a!match.!! ! In! the! case! of! an! investigation,! such! as! that! mentioned! in! the! scope! of! this! project,!there!are!a!number!of!forensically!significant!fields!present!in!this!table.! These!fields!are!as!follows:! ! ZNAME:!This!field!contains!the!users!first!name.!This!name!is!taken!from!a!users! Facebook!account!and!cant!be!altered!within!the!application.!! ! ZGENDER:!This!field!contains!a!numeric!value!that!identifies!whether!the!user!is! male!or!female.!The!value!1!indicates!that!the!user!is!female!while!the!value!0! indicates!the!user!is!male.!! ! ZBIRTHDATE:! This! field! contains! a! Timestamp! that! converts! to! a! users! date! of! birth.!As!with!ZNAME!this!value!is!extracted!from!a!users!Facebook!account.!! ! ZMATCHEDDATE:!This!field!also!contains!a!Timestamp!value!that!converts!to!the! date!a!match!was!made!with!another!user.!! 15! !

! ! ZLASTACTIVITYDATE:!This!field!contains!another!Timestamp!that!converts!to!the! date!and!time!a!user!was!last!active!on!Tinder.!! ! ZBIO:!When!signing!up!with!Tinder!the!user!has!an!option!of!including!a!body!of! text! relating! to! a! users! interests,! hobbies,! details! of! their! personal! life.! Many! times! users! will! use! this! option! to! include! their! Twitter! handle! so! users! can! follow!them!on!Twitter!even!if!they!are!not!matched!together!on!Tinder.!! ! Z_PK:!This!is!a!primary!key!field!containing!a!numeric!value.!The!contents!of!this! field!will!be!discussed!in!more!detail!in!the!later!section!Forensic!Significance!of! Findings.!!! ! ZUSERID:!Contains!a!hexadecimal!numerical!value!set!as!an!individual!users!ID.!! ! 7.4!Summation!of!Remaining!Database!Tables! ! The! previous! section! outlined! relevant! tables! and! their! fields! from! an! investigation!stand!point.!This!section!will!provide!an!overview!of!the!remaining! tables!and!their!attributes.!! ! ZLIKE:! One! feature! of! Tinder! is! identifying! whether! two! users! share! mutual! interests!in!the!form!of!topical!Facebook!pages!such!as!a!TV!shows!fan!page.!The! ZLIKE! table! contains! information! relating! to! the! Facebook! page! such! as! its! Facebook! ID! and! page! title,! the! page! also! contains! the! users! ID! (ZUSER)! who! mutually!likes!the!Facebook!page.!! ! ZPROCESSEDPHOTO:! This! table! contains! links! to! different! users! photos! on! the! Tinder! server! in! the! field! ZREMOTEURL! other! fields.! Observations! of! this! table! indicate! that! each! photo! ID! (ZPHOTO)! contains! four! duplicates! but! each! with! different!dimensions!(ZWIDTH,!ZHEIGHT).!! ! 16! !

! ZPHOTO:! This! table! contains! a! single! version! of! each! photo! stored! in! ZPROCESSEDPHOTO!along!with!the!same!URL!from!the!ZREMOTEURL!field.!There! seems!to!be!no!link!between!the!images!and!what!user!they!belong!to.!! ! ! ! ! ! 7.5!Forensic!Significance!of!Findings! ! The! previous! sectioned! outlined! and! provided! details! into! the! data! that! can! be! recovered!from!the!underlying!database!that!is!created!when!Tinder!is!installed! on! and! IPhone.! This! database! stores! key! information! needed! to! allow! the! application!to!function.!In!the!section!entitled!Analysis!Method!a!scenario!was! created!that!involved!investigating!a!backup!of!a!young!persons!phone!from!their! computer! after! the! person! was! reported! missing.! It! is! believed! the! missing! person! was! an! avid! user! of! Tinder! and! may! have! been! communicating! with! a! match! using! the! application.! The! goal! of! this! project! was! to! identify! Tinder! artefacts!on!the!backup!that!may!be!forensically!significant.!! ! The! previous! section! valuable! information! regarding! conversations! that! have! taken!place!on!Tinder!such!information!being!the!body!of!the!conversation!along! with! dates! and! times! of! the! conversations.! However! as! seen! above! within! the! ZMESSAGE!table!there!is!no!link!to!distinguish!with!whom!the!conversation!was! had.! Figure! 2! shows! one! particular! conversation! that! was! conducted! between! two!users!who!were!matched!together!on!Tinder,!from!this!example!we!can!see! the!body!of!the!conversation!and!the!date!conversation!commenced!and!the!date! a!reply!was!received.!The!field! ZUSER!contains!the!user!ID!12762!but!there!is!no! other!information!relating!to!the!second!party.!! !

17! !

!
Figure!2.!Extracted!Conversation!from!Tinder.sqlite!Database! !

While! no! information! is! provided! about! the! second! party! to! the! conversation! within! the! ZMESSAGE! table! however,! there! is! a! correlation! between! the! field! value! for! ZUSERID! and! the! field! (Z_PK),! which! is! contained! in! table! ZUSER.! In! Figure!3! a!simple!SQL!query!was!ran!on!the! ZUSER! table!using!the!value!12762! from!the!ZUSERID!field!contained!in!ZMESSAGE.!!The!query!resulted!in!displaying! information! relating! to! a! user! with! the! name! Roisha! along! with! the! date! the! user!was!last!active!and!the!date!the!users!were!matched!together.!! !

18! !

!
Figure!4.!Extracted!User!from!Tinder.sqlite!Database! !

The! information! provided! here! could! potentially! help! significantly! in! the! investigation! of! the! missing! youth.! An! investigator! can! search! messages! sent! from! the! missing! persons! IPhone! looking! for! any! evidence! of! any! rendezvous! being! organised! with! an! unknown! stranger.! Potentially! a! message! of! this! kind! can!provide!a!meeting!location!and!time!if!not!an!investigator!can!obtain!a!name! and! user! ID! from! the! ZUSER! table.! Since! Tinder! is! a! location! driven! application! requiring! a! user! to! share! their! location! in! order! to! use! the! application! an! investigator! can! seek! the! assistance! of! Tinder! in! identifying! and! tracking! the! suspected!kidnapper!by!use!of!their!ZUSERID.!!! !

8.!Conclusions!and!Future!Work!
! The!goal!of!this!project!was!to!identify!forensically!significant!artefacts!present! on! an! IPhone! after! the! installation! and! use! of! the! mobile! dating! application! Tinder!in!order!to!aid!in!the!investigation!of!a!missing!person.!Using!the!method! outlined! in! the! Analysis! Method! section! of! this! paper! it! was! possible! to! 19! !

! extract! artefacts! relating! to! the! Tinder! application! from! an! iTunes! backup.! Analysis!of!these!artefacts!has!shown!information!that!could!prove!vital!to!a!case! of! this! kind.! However,! the! success! of! this! information! relies! on! whether! the! victim! has! synced! their! IPhone! with! their! PC! after! having! contact! with! the! suspected!kidnapper!on!Tinder!thus!creating!a!backup!of!their!device.!! ! Future! studies! can! include! the! analysis! of! a! device! on! which! Tinder! has! been! deleted!to!see!if!any!artefacts!can!be!recovered!from!the!Tinder.sqlite!database.! An!analysis!on!the!different!versions!of!the!application!could!also!be!conducted! in!order!to!see!how!changes!of!application!features!can!affect!the!storage!of!data.! As! mentioned! in! this! project! Tinder! can! also! be! installed! on! the! Android! operating! system,! which! contains! different! design! protocols! to! iOS! devices! an! analysis! of! the! Android! version! of! the! application! could! be! carried! out! to! research! the! techniques! needed! to! discover! forensically! significant! artefacts! from!that!platform.!! !

Bibliography!!
! [1]! Unknown.# Smartphone! Users! Around! the! World! ! Statistics! and! Facts.! [Online]!2012.!http://www.gocgulf.com/blog/smartphone/.! ! [2]! Hardy,#I.!Android!and!iOS!lead!Q1!with!92.3%!of!all!Smartphone!Shipments,! Windows! Phone! now! in! 3rd! Spot.! MobileSyrup.! [Online]! 2013.! http://mobilesyrup.com/2013/05/16/androidcandcioscleadcq1cwithc92c3cofc allcsmartphonecshipmentscwindowscphonecnowcinc3rdcspot/! ! [3]#Miller,#T#&#Monaghan,#C.!Apples!App!Store!Downloads!Top!25!Billion.!Apple! Press! Info.! [Online]! 2012.! http://www.apple.com/pr/library/2012/03/05ApplescAppcStorecDownloadsc Topc25cBillion.html!!! ! [4]! Womack,# B.# Google! Says! 700,000! Applications! Available! for! Android.! Bloomberg! News.! [Online]! 2012.! http://www.businessweek.com/news/2012c 10c29/googlecsaysc700c000capplicationscavailablecforcandroidcdevices! !

20! !

! [5]# Chmielewski,# D.! Nielsen! study:! Social! networking! dominates! smartphone,! tablet! use.! Los! Angeles! Times.! [Online]! 2013.! http://articles.latimes.com/2013/jun/09/entertainment/lacetcctcnielsencstudyc socialcnetworkingcsmartphonectabletc20130609! ! [6]! Tinder.# A! Fun! Way! to! Meet! People.! Tinder.! [Online]! 2013.! http://www.gotinder.com/about/! ! [7]! Wortham,# J.# Tinder,! a! Dating! App! With! a! Difference.! The! New! York! Times.! [Online]! 2013.! http://bits.blogs.nytimes.com/2013/02/26/tindercacdatingcappc withcacdifference/! ! [8]! Apple.# File! System! Programming! Guide.! Apple! Developer.! [Online]! 2012.! http://developer.apple.com/library/ios/documentation/FileManagement/Conc eptual/FileSystemProgrammingGuide/FileSystemProgrammingGuide.pdf! ! [9]! Proffitt,# T.# Forensic! Analysis! on! iOS! Devices.! SANS!Institute.! [Online]! 2012.! http://www.sans.org/readingcroom/whitepapers/forensics/forensiccanalysisc ioscdevicesc34092! ! [10]! Zdziarski,# J.# iPhone/iPod! Touch! Forensics! Manual.! Cryptome.! [Online]! 2008.!http://cryptome.org/ispcspy/iphonecspy4.pdf! ! [11]! Unknown.# Forensic! Artifact! Analysis! of! the! Burner! App! for! the! iPhone.! Digital! Forensics! Tips.! [Online]! 2013.! http://digitalforensicstips.com/2013/07/forensiccartifactcanalysiscofcthec burnercappcforctheciphone/! ! [12]!SQLite.#About!SQLite.!SQLite.![Online].!http://www.sqlite.org/about.html! ! [13]! Apple# Examiner.# PLIST! Files.! [Online]! http://www.appleexaminer.com/MacsAndOS/Analysis/PLIST/PLIST.html! ! [14]! iOS# Developer# Library.# About! Info.plist! Keys.! Apple! Developer.! [Online]! 2012.!http://www.appleexaminer.com/MacsAndOS/Analysis/PLIST/PLIST.html! ! [15]! Satish,# B.# Forensic! Analysis! of! iPhone! Backups.! Exploit`db.com.! [Online]! http://www.exploitcdb.com/wpccontent/themes/exploit/docs/19767.pdf! ! [16]! Reincubate.# iPhone! Backup! Extractor.! Reincubate.! [Online]! 2013.! http://www.iphonebackupextractor.com/! ! [17]iBackupBot.# iBackupBot! for! iTunes:! Backup! Manager! Software! for! iPad,! iPhone! and! iPod! Touch.! iCopyBot.! [Online]! 2013.! http://www.icopybot.com/itunescbackupcmanager.htm! ! [18]! Cryptic# Bit.# iPhone! Analyzer.! Cryptic! Bit.! [Online]! 2010.! http://www.crypticbit.com/zen/products/iphoneanalyzer! 21! !

! [19]# Lehr,# J.! Calculating! Embedded! OS! X! Times.! Linux!Sleuthing.! [Online]! 2011.! http://linuxsleuthing.blogspot.ie/2011/02/calculatingcembeddedcoscxc times.html! ! ! !

Images!
!

Figure.!5!Tinder!Loading!Screen! !

22! !

Figure.!6!Matching!Screen! !

23! !

Figure.!7!Match!Confirmation!Screen! !

24! !

Figure.!8!Private!Message!Screen! !

25! !

Figure.!9!User!Profile!Screen! !

26! !

Figure.!10!Account!Deletion!Confirmation!Screen! !

27! !

Figure.!11!Matching!Preferences!Screen!! ! ! ! ! !

28!

! ! ! ! ! ! ! ! ! ! ! ! !

Figure.!12!IPhone!Analyzer!Home!Screen! ! ! ! ! ! ! ! ! ! ! ! !

29!

! ! ! ! ! ! ! ! ! !

Figure.!13!IPhone!Analyzer!Search!Screen! ! ! ! !

30! !