Forensic analysis of open-source XMPP/Jabber multi-client instant messaging apps on Android smartphones

Abstract

In the quest for a panacea to ensure digital privacy, many users have switched to using decentralized open-source Extensible Messaging and Presence Protocol multi-client instant messaging (IM) apps for secure end-to-end communication. In this paper, we present a forensic analysis of the artefacts generated on Android smartphones by Conversations and Xabber apps. We identified databases maintained by each app and external Secure Digital card directories that store local copies of user metadata. We analysed each app’s storage locations for forensic artefacts and how they can be used in a forensic investigation. The results in this paper show a detailed analysis of forensic files of interest which can be correlated to identify the local user’s multiple IM accounts and contact list, contents of messages exchanged with contacts, deleted files, time, and dates in the order of their occurrence. The contributions of this research include a comprehensive description of artefacts, which are of forensic interest, for each app analysed.