Alternative Social Networking Applications Analysis Tool (ASNAAT)

This tool is part of a research paper conducted on the digital forensics of alternative social networking applications by Hailey Johnson, Karl Volk, Robert Serafin, Cinthya Grajeda, and Ibrahim Baggili. The research paper was submitted and accepted for presentation and publication at the DFRWS USA 2022 Virtual Conference.

Paper: Johnson, H., Volk, K., Serafin, R., Grajeda, C., & Baggili, I. (2022, July 8). Alt-tech social forensics: Forensic analysis of Alternative Social Networking Applications. Forensic Science International: Digital Investigation. Retrieved July 12, 2022, from https://www.sciencedirect.com/science/article/pii/S2666281722000877.

This work was supported under grant numbers 1900210 and 1921813.

A collection of discovered artifacts can be found through the Artifact Genome Project - https://agp.newhaven.edu.
- Python 3.8+
- Any Chromium browser for best results (used to open the report).
NOTE: Don't use Safari
Go to the releases to download either the Windows or the Mac version.
NOTE: For Mac it is important to put the tool in your user folder "/Users/[Username]/ASNAAT-Mac/".
To set up this tool, it is advised to configure a virtual environment inside the tool directory. To do this, navigate into the tool's main folder and enter the commands below. These commands set up a virtual environment inside the directory, which allows you to install the dependencies for this tool:
$ python -m venv ./virtualenv
Use "python3" in the command if multiple versions of Python are installed.
Windows:
$ .\virtualenv\Scripts\activate
$ deactivate
Mac:
$ source ./virtualenv/bin/activate
$ deactivate
$ pip install -r requirements.txt
This adds two custom URL scheme protocols (db-open:// and xml-open://), which allow the report to hyperlink SQLite and XML files so that they open with specific applications.
If you're reinstalling, go to the remove section to delete the previous URL schemes.
$ python Protocols.py
- Go to ASNAAT-Windows/Protocols/ folder.
- Right click add_protocols.bat.
- Click on Run as administrator.
- Press Yes, if it asks to allow app to make changes to your device.
To remove:
- Go to ASNAAT-Windows/Protocols/ folder.
- Right click del_protocols.bat.
- Click on Run as Administrator.
- Press Yes, if it asks to allow app to make changes to your device.
- A terminal will pop up asking you to permanently delete both registry keys. Type y and press Enter for both.
$ sh Protocols.sh
- Go to /Users/[username]/ASNAAT-Mac/Protocols/ folder.
- Drag db_proto and xml_proto to the Mac's Applications folder.
To remove:
- Go to the Mac's Applications folder.
- Delete db_proto and xml_proto.
Executing the tool is simple and straightforward. The tool is set up to use default wordlists to provide a tailored report file documenting what we believe to be the most important data for an investigation. The tool is made for images in TAR format. The following options are available:
Usage: python ASNAAT.py [options] <inputfile>
Example: python ASNAAT.py -a Apple.tar
Options:
-h, --help
-a apple image tar
-b android image tar
Upon execution of the tool with the necessary options, the tool will ask for a Case Number and the name of the Examiner to preserve the chain of custody. Additionally, there is a built-in feature that hashes the TAR files before and after execution of the tool to ensure that the data has not been tampered with.
Once the tool is run, a customized report is generated for either Android or Apple. Currently, the report only documents the information we deemed important to convey. However, the tool extracts the files defined in the wordlists and separates them into a folder named after the case file and image source type (e.g., 00001-Apple).
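The hash-before, extract, hash-after flow described above can be sketched as follows. This is an added example, not ASNAAT's own code: the function names, the choice of SHA-256, substring matching against the wordlist, and the sample archive are all assumptions. It also skips archive members whose names would resolve outside the case folder.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 (assumed algorithm; the page names none)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def extract_matches(image, wordlist, case_number, source, out_root):
    """Copy wordlist-matching members into <case_number>-<source>/ and verify the image."""
    before = sha256_file(image)
    case_dir = (Path(out_root) / f"{case_number}-{source}").resolve()
    case_dir.mkdir(parents=True, exist_ok=True)
    extracted = []
    with tarfile.open(image, "r") as tar:  # read-only: the evidence file is never rewritten
        for member in tar:
            # Substring matching is an assumption about how a wordlist is applied.
            if not member.isfile() or not any(t in member.name for t in wordlist):
                continue
            target = (case_dir / member.name).resolve()
            if case_dir not in target.parents:
                continue  # a name such as "../x" would land outside the case folder
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            extracted.append(member.name)
    after = sha256_file(image)
    return {"before": before, "after": after, "intact": before == after, "extracted": extracted}

def build_sample_image(path):
    """Constructed sample data: a tiny TAR standing in for a device image."""
    files = {"data/app/messages.db": b"sqlite-bytes", "data/app/cache.tmp": b"noise",
             "../outside/prefs.xml": b"<x/>"}
    with tarfile.open(path, "w") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(f"{tmp}/Apple.tar")
        print(extract_matches(f"{tmp}/Apple.tar", [".db", ".xml"], "00001", "Apple", tmp))
```

Recording both digests in the report alongside the Case Number and Examiner lets a later reviewer re-hash the TAR and confirm it is the same image that was examined.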