On the Internet, things are almost never truly destroyed or forgotten, even if we use Snapchat. But how much information do applications like Snapchat, Facebook Poke and Wickr actually leave behind?
Quite a lot, according to two forensics experts. Data can be retrieved from your phone, even if the images you sent have been deleted. Andrea London and Kyle O’Meara, of forensics firm Stroz Friedberg, analyze phones and computers in search of digital evidence for law enforcement agencies and investigators. The two studied how Snapchat, Facebook Poke and Wickr store data on iPhones and Android phones to see how much information the apps leave behind. They presented their findings at the Las Vegas hacking conference Def Con on Sunday.
Most any time a user communicates digitally, “artifacts are going to be left behind,” London told Mashable.
Although they are experts, and the phones they examined are jailbroken and rooted, they said they don’t think it would be too difficult for a non-expert to retrieve this data. “You don’t necessarily need crazy forensic tools that allow you, especially with a jailbroken phone, to access that information,” London said.
The two confirmed research published in May by another firm, Decipher Forensics:
On Snapchat for Android, images can be saved to the phone while they remain unopened. Also, the app will only permanently delete a series of images after the last one has been viewed.
On Snapchat for iOS, images were not retrievable through this method.
London and O’Meara found they can retrieve other types of information, however, which can be almost as revealing as the picture itself.
Analyzing an iPhone 4 running iOS 5 and 6, they found that Snapchat creates a file called “user.plist,” which contains all sorts of metadata on images received and sent. The data includes the time the photos were sent and received, as well as the identity of the sender and receiver.
On two Samsungs — a Galaxy S3 and a rooted S3 Mini — they found an .XML file containing the same information. As we’ve learned from revelations about NSA surveillance, metadata can be revealing.
“We can see who’s talking to whom and when,” London said during the presentation. “For example, if you had a supervisor talking to an employee, you might have an HR [human resources] issue; if you had a student sending messages to a teacher, you might have a problem.”
“Even without the contents of the image, this information still has investigative value,” she said.
Snapchat didn’t respond to our repeated requests for comment.
In the case of Facebook Poke, they found similar results regarding metadata. Even though images sent through the service were not recoverable, the text included in the Pokes was stored in a database file.
“You can build this scenario that on this date and time, Joe did send a message to Jane, and he sent a picture, and the picture had a text on it that said ‘Hey, check me out,’” O’Meara told Mashable.
Facebook also didn’t respond to our repeated requests for comment.
The only app the two were not able to penetrate was Wickr, a sort of Snapchat for adults that Mashable profiled in April. The two found that the app, which claims on its very logo to “leave no trace,” seems to keep its promise, leaving behind no metadata.
“They claim to use this high-level encryption, and from what I saw during my analysis, there were, as we would say as forensics, no artifacts left behind,” O’Meara said. “They’re doing what they say they’re doing.”
One of the founders of Wickr, Nico Sell, who is also one of the organizers of Def Con, was at the presentation.
“I was super relieved,” she told Mashable, saying that you never know what could happen when experts take a close look at your product. She added that she knows somebody could eventually still find holes in the app.
“I’m not going to stick my head in the sand and say nothing will ever happen,” she said, “but I was very relieved, with that talk especially, to let people know that Snapchat and Poke aren’t safe.”
Even though pictures are somewhat safe, London and O’Meara told Mashable they didn’t do any memory analysis to see if the data was still retrievable through more sophisticated techniques, something they plan on doing in the next few weeks.
UPDATE, 11.17 a.m.: An earlier version of this article stated that the iPhone used by the forensic experts was a jailbroken one, when, in fact, it was not. Also, only the Samsung Galaxy S3 Mini was rooted.