The Comparison Performance of Digital Forensic Tools Using Additional Root Access Options
Aljo Leonardo

Received December 06, 2021; Revised December 27, 2021; Accepted January 19, 2022

This research used MiChat and SayHi as the objects of a forensic investigation carried out with three different tools, namely MOBILedit, Magnet Axiom, and Belkasoft, and compared the performance of each tool in the forensic process. Rooting the device was added as an option for the case in which data cannot be extracted optimally with these three tools alone. The results show that the investigation without root access and the investigation with root access complement each other in obtaining evidence, each covering shortcomings of the other. The main contribution of this research is a tool recommendation based on the best performance shown during the forensic process both with and without root access. Without root access, Magnet Axiom was superior with a total of 34 data items found, against 30 items for MOBILedit and 30 items for Belkasoft. With root access, Magnet Axiom and MOBILedit were both superior with 36 items each, against 33 items for Belkasoft. Based on the test results, the recommended tool for the scenario used is Magnet Axiom.


INTRODUCTION
The rapid development of technology affects almost all aspects of human life [1] [2], and the latest technology is widely applied in daily life [3]. One of the most frequently used technologies is communication technology, especially mobile phones [4] [5]. People now depend on mobile phones for communication ranging from daily conversations to the exchange of data and documents [6] [7]. Mobile phones are one of the most important variables in the future technology infrastructure [8], and they now run applications that used to run only on desktop devices, which further increases this dependence [9]. The dependence keeps manufacturers of communication applications busy producing new products, and one type of product that is widely developed is the chat service application [10] [11].
Chat service applications meet human communication needs from the most basic to the more advanced [12] [13]. Basic needs are voice calls and messaging [14]; more advanced needs include sending documents through services integrated with other platforms and protected by security technologies such as cryptographic functions [15]. Various communication technology companies offer chat service products, including Telegram, WhatsApp, Line, SayHi Chat, MiChat, and many others, each with its own feature set [16]. However, along with the convenience and completeness of the services they provide, these chat service products are often used as a medium for criminal acts [17].
Various criminal transactions, such as the distribution of child sexual abuse material, are often conducted through chat application services [18] [19]. One application that is often in the spotlight is MiChat, which is frequently used as a medium for prostitution transactions [20]. Dating applications are also among the digital platforms that are often the object of police investigations [21]; one of them is SayHi Chat, which is frequently used as a medium for online prostitution [22]. Uncovering prostitution cases that involve chat applications usually relies on the digital forensic investigation process, because perpetrators sometimes delete data to eliminate digital evidence [20].
The digital forensic investigation process helps the competent authorities to collect case evidence that would otherwise have been lost when the data history was removed [23][24] [25][26] [27]. All forensic procedures are carried out with prudence and are documented [28][29] [30]. Various studies of the digital forensic investigation process on chat application services have been carried out before. One of them is research on law enforcement investigation with a forensic approach on the WhatsApp instant messaging application [15]. The forensic approach covered wiretapping, database decryption, and analysis of WhatsApp application communication, and a test scenario was used for objective verification of the results. The result of that research is a recommendation of wiretapping methods that the authorities can use for law enforcement investigations.
A study of the forensic investigation of conversations in the Instagram application has also been carried out by [31]. That study compared the data extraction performance of Oxygen Forensics with Magnet Axiom using the National Institute of Standards and Technology (NIST) method. Its results indicate that Magnet Axiom is superior, with a performance percentage of 100% against 84% for Oxygen Forensics.
Forensic analysis of the Telegram and BBM instant messenger applications has also been carried out by [32]. Encrypted data contained in the Telegram and BBM applications was extracted and then analyzed for investigative purposes. The encryption encountered in the investigation process was encryption applied to the applications' SQL databases. After successful extraction, the data was decrypted with a specific protocol so that it could be analyzed as digital evidence [33]. Forensic analysis of encrypted IM application data was also carried out by [34], using Wickr and Private Text Messaging as the forensic objects. The result of that research is a protocol for decrypting the data extracted during the forensic process on the Wickr and Private Text Messaging platforms.
This research follows the same basic forensic concepts as several previous studies, but applies them to different platforms. We used MiChat and SayHi as the objects of forensic investigation with three different tools, namely MOBILedit, Magnet Axiom, and Belkasoft, and compared the performance of each tool in the forensic process. We also added rooting as an option for the case in which data cannot be extracted optimally with these three tools alone. The main contribution of this research is a tool recommendation based on the best performance shown during the forensic process both with and without root access.

METHOD
This study obtains information and analyzes the evidence using the NIJ (National Institute of Justice) method. The stages of the method are preparation, collection, examination, analysis, and reporting [20].
1. Preparation - Gathering information on the issues to be raised, and preparing the tools and materials to be analyzed for investigation purposes [35].
2. Collection - Collection of the physical evidence (the smartphone).
3. Examination - The process of extracting or acquiring data [36].
4. Analysis - The process of analyzing the extracted or acquired data [37].
5. Reporting - The final stage, in which a report is made of the final results of the investigation and analysis that has been carried out [38].
The data extraction process at the examination stage uses the live forensic method, in which the researchers extract or acquire the digital evidence [39][40] [41] stored on a smartphone that has the MiChat and SayHi Chat applications installed. Extraction was performed with the MOBILedit Forensic Express PRO, Belkasoft Evidence Center, and Magnet Axiom tools, and the extracted data served as the material for the analysis process. Data extraction is divided into three types according to the kind of data that can be collected: logical, file system, and physical. Logical extraction is the fastest and the most widely supported type across mobile phones [42]; it can recover data such as SMS & MMS, call logs, contacts, media, and application data. File system extraction lets the examiner examine the file system on the smartphone thoroughly, so not only data snippets but system files as well [43] [44]; it can contain SMS & MMS, call logs, contacts, media, application data, and all files (including hidden data, databases, system files, and logs). Physical extraction is the most detailed and extensive method; it can contain SMS & MMS, call logs, contacts, media, application data, all files (including hidden data, databases, system files, and logs), temporal data, and deleted data. On Android, file system and physical extraction require privileged access to the device that a logical extraction does not, which is why this study treats rooting as an additional option rather than the default.

Preparation (Identification)
In the preparation stage the researchers prepared the materials and tools needed for the forensic process [45].

Collection
In the collection stage the researcher collects the physical evidence and its documentation [46]. This study used a Samsung Galaxy Duos GT-19060 running Android 4.2.2 as the physical evidence, shown in Fig. 1; basic information about the device is given in Table 1. We use a scenario as the reference for the investigation process. In investigative research a scenario is used to fix the individual pattern of behaviour being examined [47] [48]. In this scenario the Samsung Galaxy GT-19060 smartphone is the property of a perpetrator of online prostitution transactions, who tries to eliminate evidence of the transactions by deleting the conversation history and data from the MiChat and SayHi applications used as the transaction media. The investigative process of this research seeks to uncover the deleted digital evidence using digital forensic protocols.

Examination
In the examination stage the researchers carried out several investigative processes to find and retrieve the databases of the MiChat and SayHi Chat applications. The examination stage includes an imaging process, in which the original data of the Android phone is copied so that the copy, rather than the original, is analyzed in the next stage [49] [50]. The imaging process is very important for maintaining data integrity [51][52] [53], and the results of the examination are analyzed to find the digital evidence [54][55] [56]. The researchers use two options in the examination process, namely the process without rooting and the process with rooting [57]: if the process without root access cannot find the MiChat and SayHi Chat data, the device is rooted. The stages of the process are carried out with three tools, namely MOBILedit, Magnet Axiom, and Belkasoft Evidence Center. The extraction or data acquisition process is thus divided into two, without rooting and with root access, as shown in Fig. 2, Fig. 3, Fig. 4, and Fig. 5.

Analysis
The analysis stage aims to analyze and reveal the results of the examination stage [58] [59]. In this stage the researcher analyzes all the previously acquired data that is connected with the MiChat and SayHi Chat applications. All data found are related to each other: contact data, avatars, conversation activity, multimedia files, and other data are cross-checked for completeness and associated with one another. If the analysis shows indications of data deletion that the process without root does not reveal, the analysis continues with the data from the root process. The analysis is carried out by matching metadata, as shown in Fig. 6.
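The examination and analysis stages above rest on two things a practitioner will want to see concretely: that the acquired copy is hashed so the analysis can be shown not to have altered it, and that messages the perpetrator deleted can still be found in the application's database file even though the application itself no longer lists them. The following Python script is an added example written for this page; it is not code from the paper or from MOBILedit, Magnet Axiom or Belkasoft. The table layout, the message texts and the file names are constructed for the demonstration, and real MiChat and SayHi database schemas differ from it.

```python
"""Acquire a working copy of an app's SQLite chat database, pin its identity
with SHA-256, read the live rows the SQL layer returns, then carve the raw
file for message text that was deleted but still sits in freed space.

Added example for this page, not code from the paper or from any of the three
tools. Table layout, messages and file names are constructed for the demo.
"""
import hashlib
import os
import pathlib
import re
import shutil
import sqlite3
import tempfile

# Constructed sample data: (peer, body). The DELETED rows play the role of the
# conversation the perpetrator removes in the paper's scenario.
LIVE_MESSAGES = [
    ("alice", "hello, are you still available tonight?"),
    ("alice", "ok, I will confirm later"),
]
DELETED_MESSAGES = [
    ("bob", "transfer the agreed amount to the usual account"),
    ("bob", "delete this chat once you have read it"),
]


def sha256_of(path):
    """Hash a file in chunks; this fixes the identity of the acquired image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_chat_db(path):
    """Create the constructed chat database and delete the incriminating rows.
    secure_delete is forced OFF (the default in most SQLite builds), so the
    freed cells are only unlinked from the page, not overwritten."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    con.executemany("INSERT INTO messages (peer, body) VALUES (?, ?)",
                    LIVE_MESSAGES + DELETED_MESSAGES)
    con.commit()
    con.execute("DELETE FROM messages WHERE id > ?", (len(LIVE_MESSAGES),))
    con.commit()
    con.close()


def live_rows(path):
    """What an extraction through the SQL layer reports: live rows only.
    The working copy is opened read-only so the analysis cannot alter it."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    rows = [body for (body,) in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows


def carve_strings(path, min_len=8):
    """Scan the raw file for printable runs, which is how a file-system or
    physical extraction still sees cells the SQL layer no longer returns."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


def acquire_and_analyse(workdir):
    """Run the whole flow inside workdir and return what each step found."""
    original = os.path.join(workdir, "chat.db")      # stands in for the on-device file
    evidence = os.path.join(workdir, "chat.db.img")  # the acquired working copy
    build_chat_db(original)
    shutil.copy2(original, evidence)
    acquired_hash = sha256_of(evidence)
    if acquired_hash != sha256_of(original):
        raise RuntimeError("acquired copy differs from the source")

    live = live_rows(evidence)
    carved = carve_strings(evidence)
    recovered = [body for _, body in DELETED_MESSAGES if any(body in s for s in carved)]
    return {
        "acquired_sha256": acquired_hash,
        "integrity_ok": sha256_of(evidence) == acquired_hash,  # analysis left the copy unchanged
        "live": live,
        "recovered_deleted": recovered,
    }


def demo():
    """Run acquire_and_analyse in a throw-away directory."""
    with tempfile.TemporaryDirectory() as d:
        return acquire_and_analyse(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points carry over to the study's setting. First, the SQL-layer view (`live_rows`) corresponds to what a logical extraction reports, while the raw carve (`carve_strings`) corresponds to what a file system or physical extraction can still recover; on an Android device the application's database directory is not readable without privileged access, which is exactly why the study's root-access pass finds items that the pass without root does not. Second, the hash taken at acquisition is compared again after analysis; if a tool writes to the copy (for example by opening it read-write and triggering a journal), the second comparison fails and the examiner knows the copy can no longer stand as the acquired image.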

Reporting
The reporting stage presents the results of the analysis carried out in the MiChat and SayHi Chat investigation process. All stages of the analysis are reported here. The researcher explains all result sets in detail and compares all the analysis results, from the analysis without root access to the analysis with root access.

RESULTS AND DISCUSSION
The forensic process is an attempt to uncover as much digital evidence as possible [60]. The various processes used are therefore expected to support each other: if one process cannot solve a problem, an additional process is needed, as long as it is permitted by the competent authority and complies with the applicable regulations [61]. One such additional option is rooting. In criminal investigations the forensic process avoids the use of root access as far as possible, but if rooting is needed to complete the investigation, it can be carried out by the competent authorities. Rooting is the last option because it alters the state of the evidence device and can open new security holes on it [24]; both the authorisation and the action itself must therefore be documented. Table 2 shows the results of the analysis without rooting using MOBILedit. The data in the table shows that almost all data in the SayHi Chat application can be extracted without the rooting process, while the data in the MiChat application cannot be extracted optimally without rooting. Table 3 shows the results of the analysis without rooting using Magnet Axiom. Again, almost all data in the SayHi Chat application can be extracted without rooting, whereas the data in the MiChat application cannot be extracted optimally without rooting. Table 4 shows the results of the analysis without rooting using Belkasoft. Here too, almost all data in the SayHi Chat application can be extracted without rooting, while the data in the MiChat application cannot be extracted optimally without rooting.
Based on the comparison of Table 2, Table 3, and Table 4, Magnet Axiom is superior without root access with a total of 34 data items found, against 30 items for MOBILedit and 30 items for Belkasoft. Table 5 shows the results using MOBILedit with root access: data extraction is more complete in both the SayHi application and the MiChat application. Table 6 shows the results using Magnet Axiom with root access, and Table 7 the results using Belkasoft with root access; in both cases extraction is likewise more complete in both the SayHi and the MiChat application. Based on the comparison of Table 5, Table 6, and Table 7, Magnet Axiom and MOBILedit are superior with root access, with a total of 36 items found by Magnet Axiom and 36 items by MOBILedit, against 33 items for Belkasoft.