Snapchat is an image messaging application whose biggest feature is that messages received are automatically removed after being viewed. Our goal was to figure out if any of those messages, whether they be a simple chat conversation or even a full video, might be stored somewhere on the phone.
To begin, we took a physical image of a Samsung Galaxy S4 using a Cellebrite UFED Touch 2. Next, we loaded the DumpData .bin file into EnCase 8.0.4 and began a forensic examination for Snapchat artifacts.
We successfully developed a GREP expression that marked hits on snaps found in the device’s memory. However, the only snaps it found were ones sent by Snapchat itself, not snaps that users had sent or received manually. So far, we have been unable to locate any other artifacts left by messaging, but our testing is still in progress and we will provide updates if we discover more.