Live forensics of tools on Android devices for email forensics



Introduction
The development of technology makes human work more effective; one such development is electronic mail (email). Email is a medium for communication and information dissemination, and the number of email provider services makes it concise and easy to use. Users can send information across the world in minutes or even seconds, and the recipient can just as easily and quickly reply [1].
As more people connect to the internet, electronic mail (email) has become one of the fastest and most economical forms of communication. The amount of digital information in email, a result of the development of information technology, requires a way of organizing and grouping the information in an inbox for the convenience of its users. This grouping of unstructured information is known as document classification [2].
Smartphones have many applications that can be used to access email. Smartphones are phones that use the full potential of operating system software, providing user-friendly connectivity and powerful hardware. Smartphones have different operating systems, just as desktop computers do [3]. Current smartphone devices have the same functionality as computers. Although the function is the same, there are differences in the digital forensic handling of computers and smartphones, because a smartphone has unique characteristics that cannot be equated with ordinary computer handling [4].
Indonesian society is no stranger to smartphones; Indonesia is a promising market for smartphone manufacturers, especially of Android devices. Every year the number of Android users continues to grow, because the friendly user interface and open-source nature make it easy for users to use and develop. Based on statistics of mobile operating system market share in Indonesia from January 2012 to December 2017, the number of Android smartphone users continues to increase, as can be seen in Figure 1 [5].
ISSN: 1693-6930 TELKOMNIKA Vol.17, No. 4, August 2019: 1803-1809
Every cybercrime must leave evidence, in the form of digital and electronic evidence [6]. Digital evidence can be observed while the criminal process is underway and can be stored; it is handled exclusively by the science of digital forensics, which uses tools to solve criminal cases and draw conclusions from the digital evidence obtained. Whether an email is real or fake can be detected in several ways, such as viewing email headers [7,8], digital signatures, and reading logs [9-11]. Digital forensics is the study of how to deal with crimes involving technology such as computers [12]. There are several techniques in digital forensics, one of which is live forensics, used to handle digital crimes with an approach that works on operating systems that are running and connected to the network [13].
Cybercrime is regulated in Indonesia by the ITE law. ITE crimes can be prosecuted under criminal or civil law according to the level of the crime committed; the arrest of a cybercriminal by the authorities is based on evidence of the crime stored on the smartphone or other hardware that can be used as evidence in court, such as a username, IP address and timestamp [14,15]. No criminal case escapes the need for evidence. Almost all criminal prosecutions rely on examination of evidence. In addition to proof with other evidence, verification with at least two pieces of evidence is always needed. Tools that can be used to obtain digital evidence include Wireshark and NetworkMiner [16]. Wireshark and NetworkMiner are open source packet analysis tools that can be used for network troubleshooting and network analysis. Digital evidence can be found by traditional or dead means, such as looking for artifacts, history, etc. Obtaining evidence directly, that is, performing the forensic analysis while the system is running, is called live forensics [17,18].
In [19], A Comparative Study of Email Forensic Tools, a comparison of traditional email forensic tools was conducted. The tools used to obtain digital evidence were MailXaminer, Aid4Mail, Digital Forensic Framework, EmailTrackerPro, and Paraben E-Mail Examiner. The study successfully compared these forensic tools. In [20], Network and device forensic analysis of Android social-messaging applications, the research focused on detecting the presence of unclear artifacts associated with email accounts, retrieving data from service providers, and representing email in a well-structured format based on existing standards.
In [21], the email architecture is described from a forensic perspective: the architecture is explained in terms of the roles and responsibilities of email users and their components, the metadata contained in email headers is analyzed, and the tools and techniques that investigators can use for email forensics are explained. The results present email message metadata and the various techniques used for email forensics. In [22], email forensics is discussed, including analysis of email contents, header information, the transit route of the email, senders or recipients, gathering evidence against the culprit and making a safer system. It also discusses email investigative techniques and the tools used in email forensic processes. The email system and internet applications have components such as hardware and software, including services, protocols, servers and agents. In [23], open source tools that can be used to analyze email as digital evidence are discussed, together with responsive and interactive graph visualization of email data supported by statistics. The research successfully implemented a system that can be used for email forensic analysis with a dynamic visualization approach. Based on the above background, this paper compares the Wireshark and NetworkMiner forensic tools in obtaining as much digital evidence as possible for use in trials, such as IP addresses, ports, and timestamps. The comparison of the forensic tools uses an Android-based webmail service. The method used in this study is that of the National Institute of Standards and Technology (NIST) for obtaining digital evidence.

Research Method
In this research, we use mobile forensics methods based on the guidelines prepared by the National Institute of Standards and Technology (NIST). The NIST method is used to analyze digital evidence in email and as the set of stages for obtaining information from digital evidence; it consists of four stages, as shown in Figure 2.

a. Collection
Collection is the process of identifying, labeling, recording and retrieving evidence, in the form of software, to be used as digital evidence in a digital crime case.

b. Examination
Examination includes an appraisal process that selects the relevant information from all the data collected, as well as bypassing or minimizing the various features of the operating system and applications that can remove data, such as encryption, data compression and access control mechanisms; it specifies file locations, checks metadata, extracts files and more.

c. Analysis
The analysis is done with various method approaches; its tasks include many activities, such as identifying the users involved, the location, the occurrence and the device, and considering how all the components connect to a final conclusion.

d. Reporting
Reporting presents the results of the analysis, including a description of the actions performed, the tools used and the procedures followed.

Results and Analysis
This research compares forensic tools in finding digital evidence in received email using live forensics. The tools used are Wireshark and NetworkMiner, for sniffing the received email packets. The email service used is webmail. The following is the comparison process of the forensic tools on an Android-based email service using the National Institute of Standards and Technology (NIST) mobile forensics method.

Collection
At this stage the items are collected from the smartphone owner; the smartphone used is a Google Nexus 6 running Android 8.0 (Oreo). The smartphone used in this research is emulated with Genymotion version 2.12. The following is the concept of the collection stage. Figure 3 shows the conceptual stage of the collection process: the user receives an email from someone and opens it, and at the same time the investigator sniffs the traffic. This collection of digital evidence is done with live forensics.

Examination
In the examination stage, we compared the Wireshark and NetworkMiner forensic tools. The email recipient opens the email using the browser of an Android 8.0 (Oreo) smartphone. The smartphone runs on the Genymotion 2.12.1 emulator. The following is the comparison of the forensic tools in the process of obtaining digital evidence on an Android smartphone. Figure 4 shows the Android smartphone used to open the email we received from someone. At the same time, Wireshark and NetworkMiner are running to capture the passing data packets.
The following is the process of capturing packets using Wireshark and NetworkMiner. Figure 5 shows the sniffing process using Wireshark. Wireshark successfully sniffed the data packets of the email service opened with the Android browser, as marked by the red circle in Figure 5. Figure 6 shows sniffing with NetworkMiner. NetworkMiner succeeded in sniffing the email packets, as marked by its finding of the IP address and webmail host, shown by the red circle in Figure 6.

Reporting
This is the report of the results of the comparison of the Wireshark and NetworkMiner forensic tools. Figure 10 shows the result found: from the comparison of the Wireshark and NetworkMiner forensic tools, 92.3% of the evidence was obtained with Wireshark and 100% of the evidence could be found with NetworkMiner. The chart in Figure 10 was produced with the Orange software.

Figure 1. Smartphone users in Indonesia [24,25]

Figure 2. Stages of the NIST method

Figure 3. Conceptual stages in the collection process

Figure 7. Results of Wireshark sniffing

Figure 8 shows the contents of the TCP stream, which gives a lot of information. The following information can be found: (a) the webmail host, (b) information about the smartphone used, (c) the browser used to open the email and the webmail layout, (d) the user's username and password, the email delivery timestamp, and the email server, and (e) the sending port used.

Figure 9 shows the result captured by NetworkMiner, which also provides a lot of information. The following information can be found: (a) the source IP address, (b) the source port, (c) the destination IP address, (d) the timestamp information on the server, (e) the destination port, (f) the interface used, Roundcube, (g) the webmail host used, (h) the smartphone used to open the email, (i) the browser used to open the email, (j) the user's username and password, (k) the email delivery timestamp, and (l) the email recipient timestamp.

Figure 10. Comparison of forensic tools