Contribuciones al análisis forense de evidencias digitales procedentes de aplicaciones de mensajería instantánea

  1. Gregorio Melgar, Jesús María de
Supervised by:
  1. Bernardo Alarcos Alcázar Director
  2. Alfredo Gardel Vicente Co-director

Defence university: Universidad de Alcalá

Defence date: 26 June 2020

Committee:
  1. Hugo Alexer Parada Gelvez Chair
  2. Iván Marsá Maestre Secretary
  3. Diego Rivera Pinto Committee member
Department:
  1. Automática

Type: Thesis

Teseo: 152725

Abstract

The continuous evolution of Information and Communication Technologies (ICTs) is producing an increasingly interconnected society, allowing the immediate exchange of digital information from almost anywhere in the world. From society's point of view, this evolution implies the development of increasingly small and smart devices such as phones, televisions, watches, tablets, IoT (Internet of Things) devices, etc. These smart electronic devices offer their owners the ability to transmit huge amounts of data (sometimes without their explicit consent) through a wide variety of information exchange applications (instant messaging, email, social networks, etc.), regardless of time and location. Instant messaging (IM) applications are among the most relevant tools for information exchange. Since their beginnings, applications of this kind have meaningfully changed the way people interact with the rest of society. The impulsive use of IM applications such as WhatsApp, Telegram Messenger or Facebook Messenger is, on many occasions, replacing physical interaction with other people, at both the personal and the professional level. These applications allow faster and more fluid communication, transforming how events (meetings, birthdays, etc.) are notified, how documents (résumés, payrolls, contracts, etc.) are attached and how multimedia files (images, videos, audios, voice, memos, etc.) are shared. From the legal point of view, the evolution of ICTs and of the Internet, and their inappropriate use, means that new types of crime arise and many existing ones are modified.
At present, crimes related to threats, scams, offences against freedom and sexual identity, fraud of telecommunications flows, suicide induction, homicides, murders, computer damage, intellectual and industrial property, documentary forgery, disclosure of secrets, coercion, slander, etc., are committed through ICTs; new terms such as sexting, cyberbullying, grooming, stalking or phishing have even been coined to define new types of crime. Similarly, the capabilities of intelligent electronic devices, coupled with the globalization of communications, have led to a trans-nationalization in the commission of criminal acts, since physical closeness between victim and offender is no longer necessary. Currently, the use of IM applications to commit crimes is increasing, as they provide the aggressor with immediate, direct and free communication with his/her victims. Such applications are becoming extremely relevant in many lawsuits, sometimes being the starting element or central piece of a criminal investigation. From the point of view of forensic science, as the science that studies the elements collected at the crime scene in order to clarify a criminal act, the birth and fast evolution of ICTs means that digital forensic science should adapt, study and increasingly validate the use of different methods and scientific analysis techniques that contribute to the resolution of criminal acts committed through the use of ICTs. For many years, forensic science focused solely on the analysis of biological vestiges (hair, blood, fingerprints, etc.) found at the crime scene, mainly to identify the author.
Nowadays, forensic technicians dress in white suits, gloves and shoes, carry large briefcases (plastic and paper bags, tweezers, revealing powders, etc.) and use the latest generation of electronic devices with specialized forensic software and hardware in order to process the crime scene, identifying possible evidence through metric identifications and collecting countless traces, both biological and digital, to be analysed later in the laboratory. The identification, collection and analysis of digital devices or vestiges carry great weight in the investigation of criminal acts, in many cases allowing the resolution of crimes that otherwise could not have been resolved. In this way, the digital forensic sciences, or simply digital forensics, embrace the acquisition, preservation, analysis, exposure and reporting of results on the information contained in the digital devices included in legal proceedings. All these procedures must be supported by scientific methods that provide conceptual and procedural support to the investigation, guaranteeing at all times the integrity of the information extracted from the electronic devices related to the commission of a criminal act. Digital forensic science is as wide as the number of electronic devices, the diversity of operating systems and the number of applications (different clients and even different versions). The use of information exchange applications in the commission of criminal acts means that they must be subject to a thorough forensic analysis that identifies, retrieves and extracts all information related to the investigated fact, maintaining its probative value at all times. The document presented here carries out the first research in the world in which the evolution of IM applications and their impact in the field of digital forensic science is evaluated.
The research conducted aims to review the transformation of such applications, taking into consideration the different access methods and host functions available to users. It also seeks to contribute directly to the scientific methods used in the forensic analysis carried out on IM applications, the main evidence in many judicial proceedings. This document presents the current status of the processes used both in the acquisition and in the analysis of IM applications, as well as the different problems faced by the digital forensic specialist in the forensic analysis of this type of application. A specific methodology has been developed for the forensic analysis of IM applications, combining various study methods that allow the investigator to identify, decode and interpret the information generated by this type of application regardless of the electronic device, operating system or application analysed. The three study methods included in the proposed methodology are intended to verify and validate the integrity of the information extracted, beyond the widespread use of commercial forensic solutions. Finally, the results and conclusions obtained from applying the proposed forensic analysis methodology to some of the clients of the main IM applications that currently exist are presented.