See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/320750494

An Insight into File Sharing Artifacts Using Xender Application

Conference Paper · December 2016

DOI: 10.1109/CICN.2016.82

CITATIONS READS
0 1,064

4 authors:

Shantanu Khandelwal Ishita R. Sailor

1 PUBLICATION   0 CITATIONS    1 PUBLICATION   0 CITATIONS   

SEE PROFILE SEE PROFILE

Nilay Mistry Ms Dahiya

Gujarat Forensic Sciences University Gujarat Forensic Sciences University
19 PUBLICATIONS   15 CITATIONS    36 PUBLICATIONS   116 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

City based Crime Scene Mapping View project

Volatile Memory Forensics View project

All content following this page was uploaded by Nilay Mistry on 11 July 2018.

The user has requested enhancement of the downloaded file.

 An Insight into File Sharing Artifacts using Xender
Application
Shantanu Khandelwal Ishita R. Sailor Nilay R. Mistry Dr. Mohinder Singh Dahiya
Institute of Forensic Science, Gujarat Forensic Sciences University,
Gandhinagar Gujarat, India

[email protected] [email protected] [email protected] [email protected]

Abstract— Bluetooth is frequently used as a file sharing doesn’t require any Bluetooth connection , and is faster than
platform, but with the advancement in technology, a new Bluetooth and even easier than Airdrop. Data transfer and
application Xender is now used for file sharing. Xender utilizes sharing is done between Android, Windows phone, IOS and
hotspot functionality in phones to share files. Apart from all the also PC/MAC devices. It can send and receive apk, doc, music,
good reasons, Xender is also being used to share illicit and illegal images, video, audio files, share V-Cards & Contact Information
material, and hence Xender forensics become inevitable. This and can transfer all files within a folder also.
paper is focused on Xender application, its working and forensics.

Keywords—Xender, Play Store Application Forensics, Data II. THE DARKER SIDE OF XENDER
Artifacts Forensics, Peer-to-peer File Sharing Artifacts, Mobile The main benefit of using Xender mobile application is that
Forensics it doesn’t save any application logs at either Internet Service
Provider, Router or Server side. This feature is exploited by
I. INTRODUCTION criminals to use Xender application to share and receive secret
Even in modern age of 3G and 4G we don’t tend to send and sensitive information, view or share offensive video. So
huge number of large size files online. Rather we prefer to send “Xender Forensics” plays a significant role from forensics point
them though Bluetooth or other means that save our Internet of view.
usage, time and failure rates and set user free from USB cables
and memory sticks. It is only possible if the two people III. RELATED WORK
communicating are in limited area range. It provides best Forensic Analysis play a significant role in any cyber and
transferring speed that too at no cost. crime investigations by helping investigators and investigation
Xender application is developed by Anmobi Incorporation agencies in solving & relating the cases with the crime reported.
[1]. Xender is a leading application that provides platform to Forensic Analysis of Play Store applications has been conducted
share pictures, videos, music, apk files and also transfers files by [2010, Mohammad I. Husain]. Keng, Joseph Chan Joo et
and documents between two devices. It provides file sharing and al[2] demonstrate the feasibility and benefits of mobile forensics
transferring documents of various sizes and types between of privacy leaks and correlate user actions to leaks, and report
different types of platforms/(smartphones) at an ease. It has the causes from a user-oriented perspective. Ntantogian,
10,000,000 - 50,000,000 Installs from Google Play. Christoforos et al. [3] the practicability of recovering
authentication credentials of mobile applications from Android
Xender application provides user a GUI to select files to mobile device’s volatile memory. Thongjul et al. [4] analyze
share, create group and set password for the group. Which is a username and password stored in a physical memory or RAM
collection of people who want to share the file and can have (Random Access Memory) in order to find the pattern as the
more than one receivers. Xender uses hotspot feature of android “Searching Criteria” for extending the search to other artifacts.
phones to create a group. It uses a special encoding technique to Tso, Yu-Cheng et al [5] use backup files of social networking
create a WIFI hotspot created with a string of random characters for offering the crucial evidence even though iPhone has been
beginning with “ADYY”. However, if the receiver has the destructed or encrypted by the suspect which could help the
Xender application already installed, it connects to the group investigators to exactly reconstruct the crime venue and find the
and file sharing begins. Once two people join the group, no one truth. Karpisek, Filip et al. [6]decrypt the network traffic and
can be classified as sender or receiver. Both the sender and obtain forensic artifacts that relate to this new calling feature.
receiver have the ability to share as well as receive files. It is Kaart, Marnix, and S. Laraghy [7] demonstrate a method to
the best and quickest way to share data, earlier known as Flash detect clock skew based on the mmssms.db database. Martini,
Transfer and is an WiFi based application. It works at ultra-fast Ben et al. [8] examined and analyzed seven popular Android
transmission speed as it consumes WiFi technology and its cloud-based apps in order to see information obtained from
utilities. It works without any mobile Internet connection. It also
private app storage and SD card directories. Anglano, Cosimo Device Model Android version
[9] present the forensic analysis of the artifacts left on Android Samsung GT-I9500 Lollipop 5.0
devices by WhatsApp Messenger , the client of the WhatsApp Samsung N7100 Kitkat 4.4.0
Asus Z_007 Kitkat 4.4.2
instant messaging system and show how they can be correlated
together to infer various types of information that cannot be
TABLE III. XENDER DATABASE FILE
obtained by considering each one of them in isolation
Application File Name Description
Xender User.db User details
IV. STORAGE ARTIFACTS CHALLENGES Xender History.db File sharing details
Before performing data forensic analysis, we initially need Xender Android_Metadata
to find location of data files and extract those files. These files Xender Sqlite_Sequence
contain artifacts and logs that are created by application. It is
very hard to analyze the artifacts as they can be encrypted or TABLE IV. ACTIVITIES PERFORMED
hard to find from the device. Also, artifacts or the logs can be Application Activity Performed
easily deleted or altered remotely when the device is connected Xender Initial database content (NO Activity)
to Internet. Sometimes it’s hard to understand or analyze the ( xender to xender) Creating Group and Sending file
extracted data by the forensics expert. The examiner has to use Creating Group and Receiving file
different kind of tools and techniques to examine the data. Sending 2 different files at same time
Sending 1 KB File
Group- when a user needs to send any document or receive Disconnecting group during file transfer
any file they either “Create Group” or “Join Group” functions. Joining the Group and Sending file
Functionality of both functions is similar, it helps us to connect Joining the Group and Receiving file
two devices through WiFi. Create Group function creates a
group and waits until the other device finds it and establishes a TABLE V. DATA DESCRIPTION OF SQLITE_SEQUENCE.DB
connection by accepting request. It will create a connection that Column Description Example
other device will connect(join) to. Join Group function is used Name
when the group is already created. It needs to wait until the user Number of entries in 3
device is shown in radar. It will join to the connection that other User.db
phone have created. history Number of entries in 16
History.db

V. METHODOLOGY TABLE VI. DATA DESCRIPTION OF USER.DB

We installed Xender application in mobile phone. While Column Description Example
installing the Xender application on the welcome page, the user Name
needs to set up profile picture along with the username. The _id Serial Number 1
name could be anything that would help users to connect to the key IMEI number of devices, 3526**0609416**
other connecting device and easily be found without any device connected to
inconvenience. The username could be his own name or nick_name Xender Name Cullen
anything the user like. device_type 0/NULL
connect_times Number of times that a 12
To examine data forensic artifacts, we attached the phone device is connected to the
with USB debugging enabled through USB to computer. other devices
Android Debug Bridge (ADB) application is used to connect connect_date Last time-stamp of 1460971157138
computer and phone. Using ADB we find the location of data connection of the device
with other devices in
artifacts of Xender Application residing in phone which are Epoch format
stored in /data/data/cn.xender/folder. File sharing logs of Xender deleted device was deleted 0/1
application are extracted directly by ADB pulling the files stored _key_m NULL
in the aforementioned folder (when phone is rooted) , or the NULL
_value Random Value Random Value
application data is backed up using ADB and then extracted for
further analysis ( when phone is not rooted). Table I describes
the abbreviation used. TABLE VII. DATA DESCRIPTION OF HISTORY.DB
Column Description Example
Name
TABLE I. ABBREVIATIONS USED _id Serial Number 1
Abbreviation Full Form Purpose d1_id3 IMEI number of device 3526**0609416**
IMEI[10] International Mobile It is a unique number to which a device is
Station Equipment used as a device connected to
Identity. validation code m2_a4 BLANK BLANK
ADB[11] Android Debug Bridge Used to connect mobile n3_a4 User’s Xender name in c2hhbnpjdXBpZA==
phone and computer Base64 format
n4_t1 If the device has created 1/0
group then value is 1
TABLE II. DEVICES USED
If the device has joined
group then value is 0
 d3 If device is sender, the 0/1 was created that shows that either the device transferred a file or
value is 0 was connected to a new device.
For Receiver, the value
is 1 *(send time is same) Scenario 6: When two files are received
d1_c2 Time at which file is sent 1460893319077 simultaneously, two data entries for different files are made in
in Epoch format database. Each data entry inside the table shows that two
d3_m2 Time at which file is 1460893319104 different files are sent and the “n3_a4” column that represents
received in Epoch user’s Xender name and “d1_c2” column that represents sent
format time shows that the file are sent from same device at the same
p2_t1 File path in Base64 L3N0b3JhZ2UvZW11bGF0
encoding ZWQvMC9YZW5kZXIvaW
time.
1hZ2UvRkJfSU1HXzE0Mjk Scenario 7: When files from different devices are received
3NDY0MTA3NDIuanBn
t1_t2 File Name in Base64 RkJfSU1HXzE0Mjk3NDY0
concurrently than two data entries for each device are seen. Each
encodin format MTA3NDIuanBn row in the history table described in Table VII shows the entry
c1_g4 File Type image, file, app, video of file received from device.
v2_c1 (version code of (3437){com.freevpnintouch}
apk){class file} Scenario 8: On receiving an image file, an entry is made in
t1_s1 File Size sent in bytes 27680258 column name “m2_d6” of user table in database. This entry
c1_s4 File Size received in 27680258 shows MD5 hash value of image. It is used to authenticate the
bytes file
s3_t2 2 2
t3_c2 BLANK BLANK VII. CONCLUSION
m2_d6 If device is Sender, the NULL/37f695a68be64091f5 We have analysed the forensic artifacts generated by Xender
value is NULL 396e36b64d17d4
For Receiver, the value application by Anmobi Corporation and determined the sender
is file MD5 hash value and the file by using multiple artifacts. Forensic analysis of such
(for file integrity) applications is important as these applications do not leave any
s1_pn2 Class name of Xender cn_xender transfer logs and can be easily be exploited by criminals. In
r2_pn5 BLANK future we tend to analyze all such applications like ShareIt which
data1 NULL uses similar techniques and technology for file sharing.
data2 Sender’s device samsung, asus
Company
data3 Sender’s device Model GT-N7100 VIII. REFERENCES
Number
[1] http://www.xender.com
data4 207/220 Not Determinable
data5 andouya_google andouya_google [2] Keng, Joseph Chan Joo, Tan Kiat Wee, Lingxiao Jiang, and Rajesh
Krishna Balan. "The case for mobile forensics of private data leaks:
data6 NA NA
Towards large-scale user-oriented privacy protection." Proceedings of the
d1_l8 NA NA 4th Asia-Pacific Workshop on Systems. (p.6) ACM, 2013
[3] Ntantogian, Christoforos, Dimitris Apostolopoulos, Giannis Marinakis,
VI. SCENARIOS and Christos Xenakis. "Evaluating the privacy of Android mobile
We perform various activities as described in Table IV. applications under forensic analysis." Computers & Security 42 (2014):
Scenario 1: No file is transferred. Database is obtained and 66-76.
viewed in Sqlite db viewer, to know table names and possible [4] Thongjul, Sasithorn, and Suratose Tritilanunt. "Analyzing and searching
process of internet username and password stored in Random Access
column names of every table as described in Table V. This Memory (RAM)." Computer Science and Software Engineering (JCSSE),
activity is done to know how initially the database looks like and 2015 12th International Joint Conference on. IEEE, 2015 : 257-262.
data value of a particular table. User table contains a single row [5] Tso, Yu-Cheng, Shiuh-Jeng Wang, Cheng-Ta Huang, and Wei-Jen Wang.
relating to user’s own details. "iPhone social networking for evidence investigations using iTunes
forensics." Proceedings of the 6th International Conference on
Scenario 2: An apk file is received. Information regarding Ubiquitous Information Management and Communication. (p.62) ACM,
apk file and sender is stored in history file. Information 2012.
regarding previously connected users is stored in User table as [6] Karpisek, Filip, Ibrahim Baggili, and Frank Breitinger. "WhatsApp
described in Table VI. network forensics: Decrypting and understanding the WhatsApp call
signaling messages." Digital Investigation 15 (2015): 110-118.
Scenario 3: File sending process is interrupted in between [7] Kaart, Marnix, and S. Laraghy. "Android forensics: Interpretation of
or transfer is canceled. No change in database is encountered. timestamps." Digital Investigation 11.3 (2014): 234-248.
[8] Martini, Ben, Quang Do, and Kim-Kwang Raymond Choo. "Mobile cloud
*Scenario 4: On receiving a 0 KB file, the column “t1_s1” forensics: An analysis of seven popular Android apps." The Cloud
of user table showed value ”0”. it clearly represents that the file Security Ecosystem, 2015, Pages 309-345
transfer is of size 0 KB. [9] Anglano, Cosimo. "Forensic analysis of WhatsApp Messenger on
Android smartphones." Digital Investigation 11.3 (2014): 201-213.
Scenario 5: When a file is sent from a new device, then new
[10] www.imei.info/
device details were entered in user table. A new entry in table
[11] https://developer.android.com/studio/command-line/adb.html

View publication stats