
Ingénierie des Systèmes d’Information

Vol. 27, No. 6, December, 2022, pp. 903-913


Journal homepage: http://iieta.org/journals/isi

Mobile Forensic Analysis of Signal Messenger Application on Android using Digital Forensic Research Workshop (DFRWS) Framework

Imam Riadi1, Herman2, Nur Hamida Siregar2*
1 Department of Information System, Universitas Ahmad Dahlan, Yogyakarta 55164, Indonesia
2 Department of Informatics, Universitas Ahmad Dahlan, Yogyakarta 55164, Indonesia

Corresponding Author Email: [email protected]

https://doi.org/10.18280/isi.270606

Received: 10 November 2022
Accepted: 20 December 2022

Keywords: android, COVID-19 vaccine, cybercrime, DFRWS framework, hoax, mobile forensic, signal messenger

ABSTRACT

Cybercrime is a crime committed using equipment connected to the internet. One of the cybercrimes that occurred during the COVID-19 pandemic was the spread of hoaxes about the COVID-19 vaccine, which caused panic in society. Signal Messenger is one of the social media that has become a trending topic since the number of personal data security issues and the emergence of end-to-end encryption features. This research aims to find digital evidence on the Signal Messenger application installed on the perpetrator's Android smartphone. This research uses Belkasoft, Magnet AXIOM, and MOBILedit Forensic Express tools and implements the Digital Forensics Research Workshop (DFRWS) framework in each stage of the research experiment. The research was carried out according to the case scenario with 11 predetermined parameters. Digital evidence is found from the Signal Messenger application: application information, account information, chat, pictures, videos, contacts, and stickers. The results of this research indicate that the Belkasoft Evidence Center forensic tool is better, with an accuracy rate of 78.69%, while Magnet AXIOM is 26.23% and MOBILedit Forensic Express is 9.84%. The results of this research can be used as a reference for other forensic researchers/experts in handling similar crime cases on the Signal Messenger application to get better results.

1. INTRODUCTION

Pandemic comes from the Greek word consisting of the words "pan" and "demos", which can be translated as "all the people." A pandemic is an illness that strikes and then leaves the human population [1]. The continuing coronavirus disease 2019 (COVID-19) pandemic is affecting people worldwide and has spread to Indonesia. On March 2, 2020, Indonesian authorities discovered their first COVID-19 positive case. The discovery of this case was confirmed through reports of the first two cases of COVID-19 infection in Indonesia by President Joko Widodo that day, which until April 2 had reached 1790 confirmed cases [2]. As of April 9, when the pandemic had spread to 34 provinces, DKI Jakarta, West Java, and Central Java were the Indonesian provinces most exposed to the coronavirus [3]. The government is attempting to promptly handle the situation by creating a team to manage COVID-19, directly directed by the President. At the same time, the World Health Organization (WHO) declared that the first step in combating the pandemic is to apply hygiene measures and hand washing, and that people should respect social distancing rules of at least one meter to stop the transmission of COVID-19 worldwide so that it can slow the spread of the virus pandemic [4, 5]. The government also requires the public to use well-fitting masks, always apply hand hygiene rules, and avoid contact with others (physical distancing) [6]. Implementing physical distancing rules makes people work at home, change home activities such as shopping at the market into online shopping, and change some activities into other activities that they can do online. This activity makes people today prefer to use smartphones to overcome monotony.

Technological developments are one of the reasons behind the increase in smartphone technology. Smartphones have increased in terms of power, speed, and storage space, and more features and applications are available so that most people use their smartphones for various activities such as bill payments, online shopping, chatting, making calls, email, sharing social media, and communication via instant message [7-9]. Social media significantly influences people's lives because social media is used to build wider connections [10]. Figure 1 shows data on the usage of smartphones (mobile devices), the internet, and social media worldwide.

Figure 1. Global social media and internet users in 2022

Social media usage increased significantly by 10.1%, from 4.20 billion active users in 2021 to 4.62 billion active users in February 2022 [11]. Lastly, a report in April 2022 showed approximately 4.65 billion active social media users [12]. Social media has positive and negative impacts. The positive side is that it encourages economic growth in digitization, innovation, and information technology development. The negative side is that social media facilitates the development of serious malicious activity and cybercrime [13].

Cybercrime is a criminal act carried out using any equipment as long as the equipment is connected to the internet [14]. Cybercrimes tend to be more difficult to prove than real-world crimes. Cybercrime is often defined as "a hidden crime" [15]. One of the many examples of cybercrime during the COVID-19 pandemic is the spread of false information. False information is popularly and widely known as a hoax [16]. A hoax is untrue information or fake news that has no certainty, and the spread of hoaxes aims to cause panic or unrest in the community. Currently, there is a term that is well known as "infodemic." Infodemic is a term for the spread of hoaxes or rumors, and stigma during a pandemic [17].

Since the launch of the COVID-19 vaccine in Indonesia, false information has emerged that has spread through the media, mostly on social media. Some of the news circulating is: First, vaccine safety cases claim that many people died due to vaccine injections. Second, the status of the COVID-19 vaccine, which contains pork oil, so it is not halal to use. Third, the video cases show empty syringes without liquid vaccine content. Fourth, the conspiracy about the COVID-19 vaccine is a product of propaganda. Social media users have been inundated with false information and left in fear. Information of every type spreads more quickly than viruses do [18]. One of the most widely spread types of vaccine hoaxes on social media today is a hoax that states the COVID-19 vaccine contains a magnetic chip. Some people have even tried to prove this theory by making videos showing a coin or spoon stuck to their arm [19]. Since the discovery of the first COVID-19 case in Indonesia, news about COVID-19 has spread faster and created uncertainty due to limited knowledge and information about the pandemic situation [20]. Social media exacerbates the spread of hoaxes when all countries worldwide are experiencing difficult times due to the COVID-19 pandemic. Undeniably, the widespread hoaxes are caused by the increased usage of social media applications. Social media applications currently provide online-based short messages or instant messaging (IM), which offers convenient communication. The features provided by various IM applications are the main attraction of this application. Therefore, user policies when using IM applications are essential. While using IM applications, users share their personal data without realizing it, leaving any personal data on their mobile devices [7]. Thus, the right solution is to choose an IM application that upholds personal data privacy to prevent users from experiencing material or immaterial losses.

With concerns about users' personal data privacy, many developers are competing to build and launch new IM applications that incorporate end-to-end encryption and add encryption to their protocols to protect communications to servers that deliver messages [21]. Signal Messenger is one of the most popular end-to-end encrypted IM applications and is well-known for its privacy features. A new privacy feature introduced by Signal makes it more challenging to identify a sender. The privacy feature is the reason for the spike in downloads of the Signal application on the Google Play Store and App Store, along with the change in WhatsApp's data sharing policy in January 2021 [22]. Users (both employees and the general public) of their own volition are starting to switch to using Signal Messenger because the services of this application are more reliable. This reason also allows cybercriminals to use this application because it is more secure. Perpetrators usually delete messages after committing cybercrime to erase all traces of their activity. The increasing problem of cybercrime indirectly increases the necessity of mobile forensics [23]. Also, it creates opportunities for using techniques and forensic tools to investigate this cybercrime so that the artifacts found can be used as digital evidence and accepted by the courts [24].

Several previous studies that conducted forensic analysis using the Digital Forensic Research Workshop (DFRWS) framework showed different results. One study of mobile forensics on an Android-based IMO messenger application using MOBILedit forensic express, DB Browser for SQLite, AccessData FTK imager, and Belkasoft obtained evidence in the form of chat files, images, audio, video belonging to the perpetrator's accounts, and chat times that have been deleted from a smartphone device in root condition [25]. Meanwhile, another study, a digital forensic investigation of Android-based Instagram with the DFRWS framework, obtained chats and pictures/photos using the Oxygen tool, while the JSON viewer only obtained chat data [26]. The difference in the forensic evidence obtained with the same framework in these studies motivates the researchers to conduct further research on forensic analysis of the Signal messenger application on Android using the DFRWS framework.

Based on the increasing use of social media, the problem of widespread COVID-19 vaccine hoaxes, the growing use of the Signal Messenger application, and research gaps, the researchers investigated the simulation of vaccine hoax cases on the Signal Messenger application. Forensic analysis of a vaccine hoax case simulation was carried out using the Digital Forensic Research Workshop (DFRWS) framework. This research used three forensic tools to get digital evidence from the Signal Messenger application. The forensic tools used are Belkasoft Evidence Center, Magnet AXIOM, and MOBILedit Forensic Express. This research aims to demonstrate the ability of forensic tools to find digital evidence (artifacts) from the Signal Messenger application.

The main contributions of this paper are as follows: 1) In previous research, many papers have been published discussing forensic analysis on WhatsApp, Twitter, Facebook, Instagram, Blackberry Messenger, and IMO Messenger. The researcher analyzes the current popular Signal Messenger instant messenger application in this paper. 2) This paper demonstrates the effective framework used in mobile forensics for instant messenger applications to research and investigation experts. 3) As a complement to previous research related to Signal Messenger, it can show the ability of forensic tools to find digital evidence. The capabilities of the forensic tools used are compared in this paper. 4) This paper can be a reference for investigators and researchers when they see cybercrime cases on the Signal Messenger application.

This paper consists of five sections. The first section is the introduction which describes the background of the problem, research gaps, research aims, and the contribution of this paper. The second section describes materials related to the research and previous similar studies. The third section presents the experiment research stages, the case scenario, and the research tools used. Section four is the results and discussion of the

section report preparation of case scenarios and the results obtained from the forensic analysis process. Meanwhile, the last section describes conclusions and suggestions for future research.

2. LITERATURE REVIEW

2.1 Signal

Signal is a social media application that provides IM services. It is a free and open source IM created by the Signal Technology Foundation and can be accessed on iOS, Android, and a Google Chrome extension [21, 27]. Common features of the Signal service include texts, stickers, media messages, voice messages, audio calls, video calls, typing indicators, and more. Each communication has a security number that may be checked between the persons involved [28].

Signal encrypts all communication end-to-end using the Signal protocol, encrypts SQLite databases using SQLCipher, and keeps media and file attachments as encrypted blobs inside the application sandbox. Signal offers the messenger lock feature, enabling users to open the messenger application by entering the pin, password, or fingerprint associated with their Android device [27].

2.2 Mobile forensic

The tremendous growth in all fields of science and technology is known as technological advancement. The modern era of the fourth industrial revolution, with new and enabling technologies and systems such as artificial intelligence (AI), virtual/augmented reality, machine learning, cloud computing, blockchain, big data, Internet of Things (IoT), 5G, and cyber security, gives a profoundly positive impact on improving the quality of life and experience [29]. However, advances in Information and Communication Technology (ICT) and the emergence of IoT devices have increased the misuse of mobile technology and applications for criminal acts. The significant increase in smartphone storage capacity and the number of installed applications on smartphones make it difficult for investigators to conduct investigations to identify data related to criminal acts. Investigators are also hindered by security and privacy concerns when obtaining crucial digital evidence from encrypted devices or encrypted messaging apps, which can even stop the inquiry. As a result, the need for mobile forensics has risen steadily over recent years.

Mobile forensics is the process of recovering digital information or data that is frequently used as evidence in criminal cases [30]. Mobile forensics can also be interpreted as a term to describe the seizure, collection, and analysis of evidence held on mobile devices for use in court [31]. Therefore, mobile forensics is closely related to digital forensics. Critical forensics investigations are conducted on mobile devices since they hold much important personal information [32].

2.3 DFRWS framework

The goal of DFRWS is to promote the exchange of knowledge and concepts about digital forensic research [32]. The first DFRWS was held in 2001 in Utica. This workshop, located in Utica, New York, discussed the digital forensics conditions at that time. The stages of the DFRWS framework can be seen in Figure 2.

Figure 2. The DFRWS framework stages

The DFRWS framework consists of six stages and begins with the identification stage [33]. The identification stage's primary objective is to identify the objects, elements, and information connected to a crime. It is important to follow the correct procedures when taking photos and documenting the crime scene and the evidence. Second, the preservation stage carries out the preservation process to protect the evidence that has been obtained and to ensure its authenticity and integrity against unauthorized parties, so that the evidence is not contaminated and is truly valid and legitimate. The validity of evidence can be confirmed, and allegations of tampering with evidence disproved, using proper chain of custody documentation. In addition, the risk that the evidence will not be admissible in court is reduced because it offers complete information about the ownership and placement of evidence during the case. The next stage is the collection stage. The collection stage is the process of collecting evidence samples suspected of having potential as strong evidence. The fourth and fifth stages are the examination stage and the analysis stage. The examination and the analysis stages are crucial stages of the DFRWS framework. The process of tracking evidence, validating evidence, and recovering hidden or encrypted data is carried out at this stage. The last stage is presentation, a process related to documentation, testimony from experts, etc.

2.4 Previous studies

Riadi et al. conducted a forensic analysis of the Instagram application following the stages of the National Institute of Standards and Technology (NIST). The Oxygen Forensic tool found digital evidence of images and chats with a performance level of 84%. Meanwhile, the Magnet AXIOM tool found digital evidence of images and chats with a performance level of 100% [34]. Umar et al. conducted mobile forensics on a smartphone using the WhatsApp Key/DB Extractor forensic tool and Belkasoft Evidence with NIST forensic methods to extract the latest WhatsApp artifacts. In their study, the capabilities of forensic tools were evaluated and compared. WhatsApp Key/DB Extractor obtained only two of four artifacts (text message and image). Meanwhile, Belkasoft Evidence obtained three artifacts (image, video, and document) [7].

In their research, Ichsan and Riadi only used three stages of the DFRWS method. The three stages include identification, preservation, and collection. This research used two smartphones with root (seller/perpetrator) and non-root (buyer/victim) conditions with the IMO Messenger application installed. Evidence from the narcotics transaction case scenario was obtained using four forensic tools: AccessData FTK Imager, Belkasoft, DB Browser for SQLite, and MOBILedit Forensic Express. Digital evidence includes the

perpetrator's account, chat files, chat time, pictures, audio, and deleted video from the perpetrator's smartphone device. The index number for AccessData FTK Imager performance is 33.33%, Belkasoft is 83.33%, DB Browser for SQLite is 33.33%, and MOBILedit forensic express is 100% [25].

Previous research about mobile forensic analysis of Signal services on smartphones is as follows. Azhar et al. attempted to perform a forensic analysis on Android and iOS smartphones using NIST measurements. For iOS smartphones, the messaging applications investigated are Snapchat, Cyberdust, and Confide. Meanwhile, for Android smartphones, the applications investigated are Facebook Messenger, Wire, Confide, and Signal. The Android smartphone is already rooted. Forensic analysis of the Signal application used the Oxygen Forensic tool. However, the analysis results did not get any relevant data related to conversations and account information [35].

Riadi et al. explained mobile forensics on the Signal Messenger application installed on the Samsung J1 Ace smartphone (rooted condition). Forensic analysis was carried out according to the DFRWS stages and using the forensic tools Magnet AXIOM and MOBILedit Forensic to obtain digital evidence (artifacts) from deleted messages on the perpetrator's smartphone. MOBILedit Forensic obtained digital evidence (application information and contact) with a forensic tool performance value of approximately 22.22%. Meanwhile, the Magnet AXIOM tool revealed no digital evidence (artifacts) related to the deleted message [36].

3. THE PROPOSED APPROACH

The research aimed to conduct mobile forensic experiments to obtain digital evidence from cases of spreading COVID-19 vaccine hoaxes on the Signal Messenger application.

3.1 Experiment research stages

The forensic process that was carried out in this research adopted the DFRWS framework. The experimental workflow of the research is shown in Figure 3.

Figure 3. Flowchart of experiment research stages

Figure 3 shows how experiment research is conducted systematically so the stages can be used as guidelines to overcome the problems in this research. Researchers divided the stages of this experimental research into two phases.

1. Scenario Case Phase is where experiment research begins. In this phase, researchers design case scenarios to serve as guidelines, so case simulations run better and are more focused. Researchers also prepare tools used for case simulation. Next, the Signal Messenger application is downloaded and installed on the mobile device. Then proceed with carrying out a case simulation (conversation between the perpetrator and the victim) according to the designed case scenario and finally delete the conversation on the Signal Messenger application on the perpetrator's Android smartphone.
2. Forensic Analysis Phase is where the DFRWS framework is implemented, namely identification, preservation, collection, examination, analysis, and presentation.
   a. Identification, determining the objects, components, and information related to a crime.
   b. Preservation, preventing the evidence obtained from being contaminated and guaranteeing the authenticity and integrity of the evidence.
   c. Collection, acquiring and extracting data on the perpetrator's smartphone to collect data that is believed to be related to the crime.
   d. Examination. The extraction process at the examination stage was carried out using three forensic tools two times. The forensic tools used were: Belkasoft Evidence, Magnet AXIOM, and MOBILedit Forensic Express.
   e. Analysis. The repetition of the extraction process is intended to confirm the validity of the forensic tool. The results are analyzed to determine the advantages and disadvantages of each forensic tool in finding digital evidence from the Signal Messenger application.
   f. Presentation. The presentation stage involves reporting the case analysis results, conducting discussions, and providing conclusions. The purpose of the presentation stage is to communicate the process analysis results in a way that the public can easily understand.

3.2 Case scenario

Case scenarios aim to simplify the identification process when analyzing digital evidence. The evidence secured was an Android smartphone. A perpetrator uses smartphones to communicate with victims, so the crime of spreading COVID-19 vaccine hoaxes runs smoothly. Figure 4 shows the case scenario in this research.

Figure 4. Case scenario of hoax vaccine simulation

The case scenario begins with the perpetrator chatting with the victim. At first, the perpetrator asked whether the victim had been vaccinated or not. Furthermore, a perpetrator scared the victims by spreading hoaxes about the COVID-19 vaccine. A perpetrator not only sends images, videos, audio, and documents but also makes voice calls and video calls to convince victims that vaccines are dangerous. The perpetrator also ordered the victim to spread the dangers of the vaccine to others. The scenario case ends with the perpetrator deleting all the contents of the conversation between himself and the victim in the Signal Messenger application. After the researcher got a smartphone, a mobile forensic process was conducted to obtain appropriate evidence of a crime. The results of the evidence will be presented as additional evidence at trial.

3.3 Research tools

This research uses hardware and software tools to get Signal Messenger artifacts. The tools used are shown in Table 1.

Table 1. Research tools

| Tools | Description |
|---|---|
| Xiaomi Redmi 9T | Research Object |
| Lenovo | Workstation |
| USB Connector | Connector |
| Signal Messenger | Instant Messaging Application |
| Belkasoft Evidence Center | Forensic Tool (Trial Version) |
| Magnet AXIOM | Forensic Tool (v5.4) |
| MOBILedit Forensic Express | Forensic Tool (v7.4) |

The datasets from the research tools used to perform a series of simulations are listed in Table 1. The tools consist of Xiaomi Redmi 9, Lenovo, and a USB connector as hardware. In contrast, the software includes Signal Messenger as the software to be tested. Meanwhile, Belkasoft Evidence Center, Magnet AXIOM, and MOBILedit Forensic Express are mobile forensic software (forensic tools). Belkasoft Evidence Center is a forensic software for acquiring, examining, analyzing, and displaying digital evidence from cloud services and primary sources such as computers, RAM, and mobile devices in the proper way, from a forensic perspective [37].

Magnet AXIOM is one of the forensic tools most widely used by professionals in the digital forensics field to search for evidence that other forensic applications cannot find. Deleted data can be quickly recovered using Magnet AXIOM. Digital forensic experts can also use this software to make reports, examine digital evidence, and distribute portable case files [38]. MOBILedit Forensic is a mobile forensic tool created by Compelson to search, evaluate, and report data in a single solution [39]. MOBILedit Forensic is exceptional for advanced application analyzers, live updates, deleted data recovery, concurrent phone processing, fine-tuned reports, a wide range of supported phones, including most feature phones, and an easy-to-use user interface. Connecting the software with the phone can be done through an infrared connector, Bluetooth connection, Wi-Fi connection, or wired interface. Usually, after the connection, the phone model is identified along with a related device image, the manufacturer, serial number (IMEI), model number, and phone status.

In facilitating the search for evidence, the focus is on search variables (parameters) consisting of application information, account information, chat, images, audio, video, documents, voice call history, video call history, contacts, and stickers.

The ability of the three forensic tools to find digital evidence according to predetermined parameters is calculated using index number calculations (weightless index). The results of this calculation validate the performance of forensic tools. The forensic tool index number is calculated using Eq. (1).

$$P = \frac{\sum N_r}{N_t} \times 100 \tag{1}$$

$P$ is the accuracy index number (%), $N_r$ is the number of found artifacts, and $N_t$ is the total number of artifacts.

4. RESULT AND DISCUSSION

This research uses the DFRWS framework to organize the research steps in order to obtain digital evidence from the Signal Messenger application. Here is an analysis of the results of mobile forensics on the perpetrator's smartphone.

4.1 Preparing case scenario

In the first stage, case scenarios are prepared. Next, install the Signal Messenger application on the smartphone. After that, the chat activity starts with creating an account, then sending messages (text/images/video/audio/documents), as well as audio calls and video calls. The perpetrators implemented the spread of the COVID-19 hoax according to the scenario shown in Figure 3. The perpetrator's smartphone was in root condition before the case simulation.

The process of "rooting" enables users of Android-powered smartphones, tablets, and other devices to take more control (sometimes referred to as "root access") over some Android subsystems. A system account called "root" has the authority to access and run every command, every system, and every file in a Linux-based operating system. In addition, users with root access have the unrestricted ability to update, remove, add, or modify any files or data on the Android operating system.

4.2 Forensic analysis

4.2.1 Identification
Identifying evidence begins with securing the crime scene, which aims to prevent entry access for people who do not have a permit at the location. Next, search for evidence by looking at the entire crime scene and everything at the crime scene that has the potential to be evidence. Electronic evidence (the perpetrator's smartphone) was found based on the search results, as shown in Figure 5. Furthermore, the evidence found is identified in terms of type, brand, specifications, and other supporting information to serve as authentic evidence during the investigation process. The researcher also prepares materials and tools for the forensic process at this stage, as seen in Table 1.

Figure 5. Evidence of the perpetrator’s smartphone
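
The tool scoring described in Sections 3.1 and 3.3 (two extraction passes per tool, rated with the index number of Eq. (1) over the 11 search parameters), as an added Python example that is not code from the paper. The tool names, all artifact counts, the cap on over-counted artifacts, and the rule that only artifacts recovered in both passes are counted are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed ground truth: artifacts planted per search parameter during the
# case simulation. Keys are the 11 parameters from Section 3.3; the counts are
# sample values made up for this example, not the paper's data.
PLANTED = {
    "application information": 1, "account information": 1, "chat": 10,
    "images": 3, "audio": 2, "video": 2, "documents": 2,
    "voice call history": 1, "video call history": 1,
    "contacts": 1, "stickers": 1,
}

# Constructed results of two extraction passes for two hypothetical tools.
TOOL_A_PASS1 = {"account information": 1, "chat": 10, "images": 3,
                "video": 2, "contacts": 1, "stickers": 1}
TOOL_A_PASS2 = dict(TOOL_A_PASS1)
TOOL_B_PASS1 = {"application information": 1, "contacts": 1, "chat": 4}
TOOL_B_PASS2 = {"application information": 1, "contacts": 1, "chat": 2}


@dataclass
class ToolScore:
    tool: str
    index: float                                   # P from Eq. (1), in percent
    repeatable: bool                               # both passes agree everywhere
    unstable: list = field(default_factory=list)   # parameters that differ
    missed: list = field(default_factory=list)     # parameters with 0 recovered


def _validate(found, planted):
    """Reject parameters outside the agreed list and impossible counts."""
    unknown = sorted(set(found) - set(planted))
    if unknown:
        raise ValueError(f"unknown parameter(s): {unknown}")
    if any(n < 0 for n in found.values()):
        raise ValueError("artifact counts cannot be negative")


def index_number(found, planted=PLANTED):
    """Eq. (1): P = sum(N_r) / N_t * 100, unweighted across parameters.

    Counts above the planted total are capped (assumption of this example) so
    duplicate recoveries cannot push P past 100.
    """
    _validate(found, planted)
    n_t = sum(planted.values())
    if n_t == 0:
        raise ValueError("no planted artifacts to score against")
    n_r = sum(min(found.get(p, 0), total) for p, total in planted.items())
    return round(100.0 * n_r / n_t, 2)


def score_tool(tool, pass1, pass2, planted=PLANTED):
    """Compare two extraction passes and score what both of them recovered."""
    _validate(pass1, planted)
    _validate(pass2, planted)
    # Conservative rule (assumption): an artifact counts only if both passes
    # recovered it, so the lower of the two counts is used per parameter.
    confirmed = {p: min(pass1.get(p, 0), pass2.get(p, 0)) for p in planted}
    unstable = [p for p in planted if pass1.get(p, 0) != pass2.get(p, 0)]
    missed = [p for p in planted if planted[p] > 0 and confirmed[p] == 0]
    return ToolScore(tool, index_number(confirmed, planted),
                     not unstable, unstable, missed)


def rank(scores):
    """Tool names ordered from highest to lowest index number."""
    return [s.tool for s in sorted(scores, key=lambda s: s.index, reverse=True)]


if __name__ == "__main__":
    results = [score_tool("tool_a", TOOL_A_PASS1, TOOL_A_PASS2),
               score_tool("tool_b", TOOL_B_PASS1, TOOL_B_PASS2)]
    for r in results:
        print(f"{r.tool}: P={r.index}% repeatable={r.repeatable} "
              f"unstable={r.unstable} missed={r.missed}")
    print("ranking:", rank(results))
```

A tool whose two passes disagree is reported as not repeatable with the affected parameters listed, which is the condition the repeated extraction is meant to expose before the index numbers are compared.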

4.2.2 Preservation
The preservation process is carried out to maintain and secure the authenticity of the physical evidence obtained at the identification stage so that data integrity is maintained until the analysis process is carried out. The preservation process is done by disabling the smartphone data channel (activating airplane mode). Activating airplane mode aims to isolate the device so it cannot receive messages and calls from outside, or in other words, to prevent incoming and outgoing data. Digital evidence is volatile and has the risk of being lost or damaged, so isolation is important to prevent damage and maintain the authenticity of digital evidence. The activation of airplane mode on physical evidence (the perpetrator's smartphone) is shown in Figure 6.

Figure 6. Active airplane mode on the device

4.2.3 Collection
At the collection stage, the researcher collects data that is believed to be related to the crime committed. The collection process is done by acquiring and extracting data on the perpetrator's smartphone to search for and obtain digital evidence. The process of data acquisition and extraction of physical evidence (the perpetrator's smartphone) was carried out using Belkasoft Evidence Center, Magnet AXIOM, and MOBILedit Forensic tools.

Figure 7. Acquisition process using Belkasoft

Figure 7 shows the acquisition process using Belkasoft Evidence Center. The acquisition method used is ADB backup. The time required for data acquisition is 12 minutes and 06 seconds.

Figure 8. Acquisition process using Magnet AXIOM

The Magnet AXIOM acquisition process in Figure 8 uses the ADB (Unlocked) acquisition method for smartphones with root status. The acquisition process takes 5 minutes. Information obtained from the acquisition process: the smartphone is made by Xiaomi with the Redmi 9T model. It has an OS version of 11 with the serial number 7163c97b0121. The smartphone also has privileged access. Meanwhile, the acquisition process using MOBILedit Forensic is shown in Figure 9. MOBILedit Forensic reports the following about the smartphone: the Xiaomi 9T smartphone model has an IMEI of 862965058072027, an IMSI of 510104662316464, and the smartphone status is rooted. The acquisition process takes approximately 6 minutes.

Figure 9. Acquisition process using MOBILedit Forensic

4.2.4 Examination
The results of the extraction that has been carried out will appear in the form of a full report in .pdf format. The display of the extracted data file is shown in Figure 10.

Figure 10. Extraction result using MOBILedit Forensic

The results of the Report.pdf report show that the smartphone used is the Xiaomi brand with detailed specifications. Meanwhile, Figure 11 provides other

information such as time zone, serial number, IMEI, IMSI, storage, and others.

Figure 11. Pdf report about smartphone

4.2.5 Analysis
This analysis stage describes and discusses the results of the Signal Messenger application analysis using three different forensic tools.

1. Belkasoft Evidence Center

The analysis results of the Signal Messenger application using the Belkasoft tool get account information and contact. However, the information only shows the phone number, according to Figure 12.

(a) Account information display using Belkasoft

(b) Contact information display using Belkasoft

Figure 12. Display of account and contact information

The Signal Messenger application has a backup feature. If this feature is enabled, this application will create a database backup with a key that the researcher can use to open the backup file. This backup file can be an alternative for researchers to view the data contained in Signal Messenger if the data from the Signal Messenger application database is not readable. Belkasoft's latest edition (trial version) has a feature that can open backup files. However, only some data can be found, such as chat data, images, videos, and stickers. Meanwhile, Belkasoft could not find any information regarding the data of documents, audio, voice calls, and video calls in the backup file.

(a) Display of chat data using Belkasoft

(b) Display of image data using Belkasoft

(c) Display of video data using Belkasoft

(d) Display of sticker data using Belkasoft

Figure 13. Display of data obtained from backup file

Figure 13 (a) shows evidence of deleted chat data. Using Belkasoft, chat data can be displayed again, making it easier to find previously deleted evidence. The chat evidence found on the Signal Messenger application shows 29 messages from the perpetrators. In addition to finding chat data, the analysis results with this tool also found media in the form of images, videos, and stickers. The media evidence in the Signal Messenger application consists of six images, six videos, and one sticker, as shown in Figures 13 (b), 13 (c), and 13 (d). The image artifact provides information about the file name, width, height, and file size. The size of the image artifact is the same as the original image size and can be seen clearly and even zoomed in if needed. Similar to image artifacts, video artifacts

provide information about file name, duration, width, height, and file size. The video artifact size is different from the original video size but can be played clearly. Therefore, image and video artifacts can be used as evidence in court.

2. Magnet AXIOM
Similar to the Belkasoft tool, Magnet AXIOM can also open backup files. The result of the Signal application analysis that can be obtained is Signal Messenger account information. Figure 14 shows information about the account, including the username, package name, and last login.

Figure 14. Account information display using AXIOM

In addition to account information, this tool gets evidence of deleted image and video data from the Signal Messenger application, as shown in Figure 15. Magnet AXIOM could only get six images and nine videos. In contrast, this tool cannot find other data evidence.

(a) Display of image data using Magnet AXIOM
(b) Display of videos using Magnet AXIOM

Figure 15. Display of image and video data

Figure 15 shows information related to video artifacts such as file name, file extension, last modified date and time, file size, original width, and original height. The information about video artifacts is the same as the image artifact information; it differs only in one entry, the media duration (for video artifacts). The image and video artifacts are the same size as the original image and video.

3. MOBILedit Forensic
Unlike the two tools above, MOBILedit Forensic can only find Signal application information and contact information. The results of the Signal application analysis obtained from report.pdf show the package, the application version used (5.34.10), and the application size (49.8 Mb), as shown in Figure 16.

Figure 16. Application information using MOBILedit

The analysis results found five pieces of evidence of contact data, each of which contained a name, phone number, and modified time information, which can be seen in Figure 17.

Figure 17. Contact information using MOBILedit

4.2.6 Presentation
Documentation about the results obtained from the acquisition process using Belkasoft, Magnet AXIOM, and MOBILedit Forensic tools is carried out at the presentation stage. Data obtained from smartphones with an installed Signal Messenger application becomes digital evidence for the crime simulation of spreading COVID-19 vaccine hoaxes. Digital evidence is obtained in various forms: chat data, images, videos, and stickers. The evidence found by Belkasoft Evidence Center, Magnet AXIOM, and MOBILedit Forensic Express using predetermined parameters is shown in Table 2.

Table 2. Comparison of extraction results

| Artifact Type (Parameters) | Amount of Data | Belkasoft Evidence Center | Magnet AXIOM | MOBILedit Forensic |
|---|---|---|---|---|
| Application Information | 1 | - | - | 1 |
| Account Information | 1 | 1 | 1 | - |
| Contact | 5 | 5 | - | 5 |
| Chat | 29 | 29 | - | - |
| Image | 6 | 6 | 6 | - |
| Audio | 4 | - | - | - |
| Video | 10 | 6 | 9 | - |
| Document | 2 | - | - | - |
| Voice Call History | 1 | - | - | - |
| Video Call History | 1 | - | - | - |
| Sticker | 1 | 1 | - | - |
| Total | 61 | 48 | 16 | 6 |
| Accuracy (%) | | 78.69 | 26.23 | 9.84 |

Based on Table 2, the results obtained are: Belkasoft was able to find six parameter variables, including account information (1), contacts (5), chats (29), images (6), videos (6), and stickers (1) with a total data of approximately 48. Magnet AXIOM found three parameter variables: account information (1), images (6), and videos (6), with a total data of approximately 16. Meanwhile, MOBILedit Forensic only found two parameter variables: application information (1) and contacts (5), with a total data of approximately 6.

Table 2 also reports an accuracy index. The accuracy index measures each detection tool's ability for forensics. The forensic tool accuracy index in Table 2 is calculated using Eq. (1) as follows:

Belkasoft Evidence Center: $P = \frac{48}{61} \times 100 = 78.69\%$

Magnet AXIOM: $P = \frac{16}{61} \times 100 = 26.23\%$

MOBILedit Forensic Express: $P = \frac{6}{61} \times 100 = 9.84\%$

From the calculation above, only the Belkasoft Evidence tool can find digital evidence with a better accuracy rate of 78.69%. The lack of the ability of both forensic tools to read deleted data and recover lost data proves that the Signal Messenger application is a social media application with the highest level of personal data security compared to other social media applications. Personal data security is an essential factor that must be owned by social media applications, mainly social media applications that are used simultaneously as instant messaging. The ease of obtaining data currently makes irresponsible parties steal someone's personal data to be used in various types of crimes.

5. CONCLUSIONS

Based on the results of mobile forensics on the Signal Messenger application by implementing the DFRWS framework and using different forensic tools, the researcher can conclude that Belkasoft and Magnet AXIOM can carry out forensic investigations on Signal Messenger quite well. Meanwhile, MOBILedit Forensic, although unable to read the Signal application database and file backups, can read additional information, namely Signal application information and contact information. With this information, at least there is evidence that the Signal Messenger application with the last active time was installed on the perpetrator's smartphone. The victim's number is also stored in the Signal application, which means there is evidence of the possibility of the perpetrator spreading the COVID-19 vaccine hoax to the victim. The Belkasoft application obtained a higher accuracy of 78.69% with six parameter variables obtained from 11 variables; Magnet AXIOM obtained an accuracy of 26.23% with three parameter variables obtained from 11 variables, and MOBILedit Forensic Express got an accuracy of 9.84% with two parameter variables obtained from 11 variables. The artifact evidence obtained from this research can be used as evidence from the Signal Messenger application in court. In addition, it can be used as a reference for investigators in finding evidence of the widespread COVID-19 hoax, so the handling of the criminal case goes well.

From the results and conclusions presented, by conducting this experiment, we can find out which forensic tools support and are capable of finding digital evidence from the Signal Messenger application, and learn the capabilities of each forensic tool used. The benefit of this research is that if one day in real life (real world), we experience a crime when running a business or in an industry that uses Signal Messenger as a medium, then we know and can take the right action/attitude in overcoming the problem. Selection and use of appropriate forensic tools to find digital evidence from the Signal Messenger application are very useful if you experience legal problems that require evidence to be presented in court.

This research's limitation is the lack of forensic tool capabilities in conducting forensic analysis. Therefore, it is recommended for future research to use methods, frameworks, and other forensic tools with the latest versions to adapt to the latest versions of the Signal Messenger application, so further forensic researchers/experts get better and more complete results.
911
https://doi.org/10.18280/isi.270213 di-
[5] Chakraoui, M., Mouhni, N., Elkalay, A., Nemiche, M. indonesia?gclid=Cj0KCQjwidSWBhDdARIsAIoTVb3F
(2022). Deep negative effects of misleading information 3m07VbjDWKOodHe7KeQ62RPcz8QE31Fhu0XY5s5
about COVID-19 on populations through Twitter. YCjIX8jLT1IcaArN6EALw_wcB, accessed on June 17,
Ingénierie des Systèmes d’Information, 27(2): 185-192. 2022.
https://doi.org/10.18280/isi.270202 [20] Rosemary, R., Rochimah, T.H.N., Susilawati, N. (2022).
[6] WHO. (2020). Coronavirus disease 2019 (COVID-19) Efficacy information in government’s initial responses to
situation report-91, World Health Organization, covid-19 pandemic: A content analysis of the media
Indonesia. coverage in Indonesia. International Journal of Disaster
[7] Umar, R., Riadi, I., Zamroni, G. M. (2018). Mobile Risk Reduction, 77: 1-7.
forensic tools evaluation for digital crime investigation. https://doi.org/10.1016/j.ijdrr.2022.103076
International Journal on Advanced Science Engineering [21] Rösler, P., Mainka, C., Schwenk, J. (2018). More is less:
Information Technology, 8(3): 949-955. on the end-to-end security of group chats in signal,
https://doi.org/10.18517/ijaseit.8.3.3591 whatsapp, and threema. 2018 IEEE European
[8] Eriş, F.G., Akbal, E. (2021). Forensic analysis of popular Symposium on Security and Privacy (EuroS&P), 2018:
social media applications on android smartphones. 415-429. https://doi.org/10.1109/EuroSP.2018.00036
Balkan Journal of Electrical and Computer Engineering, [22] Shu, C. (2021). Signal, the encrypted messaging app, is
9(4): 386-397. https://doi.org/10.17694/bajece.761271 currently down for many users (update: it’s back).
[9] Riadi, I., Umar, R., Firdonsyah, A. (2017). Identification https://techcrunch.com/2021/09/26/signal-the-
of digital evidence on android’s blackberry messenger encrypted-messaging-app-is-currently-down-for-many-
using NIST mobile forensic method. International users/.
Journal of Computer Science and Information Security, [23] Almehmadi, T., Batarfi, O. (2019). Impact of android
15(5): 155-160. phone rooting on user data integrity in mobile forensics.
[10] Sheikhi, S. (2020). An efficient method for detection of 2019 2nd International Conference on Computer
fake accounts on the Instagram platform. Revue Applications & Information Security (ICCAIS), 2019: 1-
d'Intelligence Artificielle, 34(4): 429-436. 6. https://doi.org/10.1109/CAIS.2019.8769520.
https://doi.org/10.18280/ria.340407 [24] Menahil, A., Iqbal, W., Iftikhar, M., Shahid, W. B.,
[11] Kemp, S. (2022). Digital 2022: Indonesia. Mansoor, K., Rubab, S. (2021). Forensic analysis of
https://datareportal.com/reports/digital-2022-indonesia social networking applications on an android smartphone.
[12] Statista. (2022). Global Digital Population as of April Wireless Communications and Mobile Computing,
2022. https://www.statista.com/statistics/617136/digital- 2021(4): 1-36. https://doi.org/10.1155/2021/5567592
population-worldwide/, accessed on June 18, 2022. [25] Ichsan, A.N., Riadi, I. (2021). Mobile forensic on
[13] Yas, H., Jusoh, A., Streimikiene, D., Mardani, A., Nor, android-based IMO messenger services using digital
K.M., Alatawi, A., Umarlebbe, J.H. (2021). The negative forensic research workshop (DFRWS) method.
role of social media during the COVID-19 outbreak. Scientific International Journal of Computer
International Journal of Sustainable Development and Applications, 174(18): 34-40.
Planning,16(2): 219-228. https://doi.org/10.5120/ijca2021921076
https://doi.org/10.18280/ijsdp.160202 [26] Pambanyun, S., Riadi, I. (2020). Investigation on
[14] Candiwan, C., Azmi, M., Alamsyah, A. (2022). Analysis instagram android-based using digital forensics research
of behavioral and information security awareness among workshop framework. International Journal of Computer
users of zoom application in COVID-19 era. Applications, 175(35): 15-21.
International Journal of Safety and Security Engineering, https://doi.org/10.5120/ijca2020920904
12(2): 229-237. https://doi.org/10.18280/ijsse.120212 [27] Son, J., Kim, Y.W., Oh, D.B., Kim, K. (2022). Forensic
[15] Li, X.G. (2018). Crucial elements in law enforcement analysis of insta nt messengers: decrypt signal, wickr,
against cybercrime. International Journal of Information and threema. Forensic Science International: Digital
Security Science, 7(3): 140-158. Investigation, 40: 1-12.
[16] Nadzir, I., Seftiani, S., Permana, Y.S. (2019). Hoax and https://doi.org/10.1016/j.fsidi.2022.301347.
misinformation in Indonesia: insights from a nationwide [28] Afzal, A., Hussain, M., Saleem, S., Shahzad, M.K., Ho,
survey. Researchers at Iseas, 2019(92): 1-12. A.T.S., Jung, K.H. (2021). Encrypted network traffic
[17] Islam, M.D., Sarkar, T., Khan, S.H., Kamal, A.H.M., analysis of secure instant messaging application: A case
Hasan, S.M.M., Kabir, A., Yeasmin, D., Islam, M.A., study of signal messenger app. Applied Sciences, 11(17):
Chowdhury, K.I.A., Anwar, K.S., Chughtai, A.A., Seale, 1-24. https://doi.org/10.3390/app11177789
H. (2020). Covid-19-related infodemic and its impact on [29] Kunle, A., Titilope, A.F. (2022). Technological
public health: a global social media analysis. Am J. Trop advancement and risk management in composite
Med Hyg, 103(4): 1621-1629. insurance companies in Nigeria. J. Corp. Risk Manag.,
https://doi.org/10.4269/ajtmh.20-0812 9(S1): 112-125. https://doi.org/10.51410/jcgirm.9.1.7
[18] Sirait, F.E.T., Sanjaya, R. (2021). Case study in Covid- [30] Judge, S.M. (2017). Mobile forensics: Analysis of the
19 infodemic in Indonesia. Nyimak Journal of messaging application signal. Master Thesis, Master of
Communication, 5(1): 1-14. Science in Forensic Science, University of Central
http://dx.doi.org/10.31000/nyimak.v5i1.2652 Oklahoma, Edmond, Oklahoma, USA Pawlaszczyk, D.
[19] Ravelo, J.L. (2021). A Hoax Killed My Father: (2022). Mobile forensics – the end of a golden age?.
Uncovering another pandemic in Indonesia. Journal of Forensic Sciences and Criminal Investigation,
https://www.unicef.org/indonesia/id/coronavirus/cerita/ 15(4): 555917.
hoaks-membunuh-ayahku-menyingkap-pandemi-lain- https://doi.org/10.19080/JFSCI.2022.15.555917.

912
[31] Barmpatsalou, K., Cruz, T.J., Monteiro, E., Simoes, P. applications on android and iOS platforms. International
(2018). Current and future trends in mobile device Journal on Advances in Security, 13(1&2): 41-53.
forensics: A survey. ACM Computing Surveys, 51(3): 1- http://www.iariajournals.org/security/sec_v13_n12_202
31. https://doi.org/10.1145/3177847 0_paged.pdf.
[32] Gde, A.A., Rahaditya, J., Sasmita, A., Made, G., Pratama, [36] Riadi, I., Herman, Siregar, N.H. (2022). Mobile forensic
E., Agus, I.P. (2016). Prototyping SMS forensic tool of vaccine hoaxes on signal messenger using DFRWS
application based on digital forensic research workshop framework. Matrik, 21(3): 489-502.
2001 (DFRWS) investigation model: Case study: SMS https://doi.org/10.3081/matrik.v21i3.1620
togel in indonesia. 2016 International Conference on [37] Belkasoft. Belkasoft Evidence Center X.
Information Technology Systems and Innovation https://belkasoft.com/x, accessed on June 12, 2022.
(ICITSI), PP.1-6. [38] Magnet Forensics. Magnet AXIOM Recover & Analyze
https://doi.org/10.1109/ICITSI.2016.7858226 Your Evidence in One Case.
[33] Tanner, A., Dampier, D. (2009). Concept mapping for https://www.magnetforensics.com/products/magnet-
digital forensic investigations. IFIP Advances in axiom/, accessed on June 12, 2022.
Information and Communication Technology, 306: 291- [39] Shukla, U., Mandal, B., Kiran, K.V.D. (2018).
300. https://doi.org/10.1007/978-3-642-04155-6_22 Perlustration on mobile forensics tools. In: Smys, S.,
[34] Riadi, I., Yudhana, A., Putra, M.C.F. (2018). Forensic Palanisamy, R., Rocha, Á., Beligiannis, G.N. (eds)
tool comparison on instagram digital evidence based on Computer Networks and Inventive Communication
android with the NIST method. Scientific Journal of Technologies. Lecture Notes on Data Engineering and
Informatics, 5(2): 235-247. Communications Technologies, 58: 1225-1231. Springer,
https://doi.org/10.15294/sji.v5i2.16545 Singapore. https://doi.org/10.1007/978-981-15-9647-
[35] Azhar, H., Cox, R, Chamberlain, A. (2020). Forensic 6_97
investigations of popular ephemeral messaging

913

You might also like