TY - JOUR
T1 - VIDE - Vault App Identification and Extraction System for iOS Devices
AU - Dorai, Gokila
AU - Aggarwal, Sudhir
AU - Patel, Neet
AU - Powell, Charisa
N1 - Publisher Copyright: © 2020 The Author(s)
PY - 2020/7
Y1 - 2020/7
N2 - Content hiding (or vault) apps are a class of applications that allow users to hide photos, videos, documents and other content securely. A subclass of these applications called decoy apps further supports secret hiding by having a mode which mimics standard apps such as calculators but can turn into a vault app through entering a specific input. In this work we focus on iOS devices and first describe how to identify content hiding applications from the App Store. We consider not only the US Store but also give results for App Stores in Russia, India and China. We show an effective and very fast identification of content hiding apps through a two-phase process: initial categorization using keywords followed by more precise binary classification. We next turn to understanding the behavior and features of these vault apps and how to extract the hidden information from artifacts of the app's stored data. Based on this work, we have designed and built a fully automated vault app identification and extraction system that first identifies and then extracts the hidden data from the apps on an iOS smartphone. Using our vault identification and data extraction system (VIDE), law enforcement investigators can more easily identify and extract data from such apps as needed. Although vault apps are removed regularly from the App Store, VIDE can still identify removed apps as our system continues to maintain information on such apps in our vault database.
UR - http://www.scopus.com/inward/record.url?scp=85106648553&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85106648553&partnerID=8YFLogxK
U2 - 10.1016/j.fsidi.2020.301007
DO - 10.1016/j.fsidi.2020.301007
M3 - Article
AN - SCOPUS:85106648553
SN - 2666-2825
VL - 33
JO - Forensic Science International: Digital Investigation
JF - Forensic Science International: Digital Investigation
M1 - 301007
ER -