Editor’s note: Forensic experts from SalvationDATA developed a technology for extracting audio files from mobile devices. Direct access to sound files of a cell phone can play a decisive role in solving cases during the investigation. Several other tools are available on the market and can help restore files, but their application is limited and depends on various factors. In addition, other problems may occur during the process.
1 Introduction
Direct access to cellphone audio files, including calls and other cellphone recordings, and voice messages through apps like WeChat or WhatsApp, might play a decisive role in solving cases during investigation. Yet direct access to these data is rarely possible because of the various file types with complicated storage principles and forensics counter measures that are used by some suspects to destroy evidences, such as deleting data, resetting and formatting cellphones, and damaging cellphone hardware. Currently there is no tool available on the market that is specifically targeting the detection, identification, extraction and recovery of cellphone audio files and the research on relevant technologies bears great importance.
Audio message bars will disappear but contents will still be stored in cellphones
2 Technical Solutions
Several other tools that provide audio file recovery services are available on the market and can help to recover files in formats like texts, images, videos and audios. Yet their application is limited and affected by the brand, model, storage principles used, causes of losing of cellphones and successfully recovery of audio files is not guaranteed. Moreover, other problems such as display of WeChat or WhatsApp audio messages not supported might also come up during the process, which implies that conventional tools can assist in retrieving audio files to a certain extent but could not work as primary tools.
According to forensic experts from SalvationDATA, a new technological solution was found that solves the problem from the lower level of data. These advantages can help forensics gain access to audio electronic evidence with higher efficiency. And an algorithm had already developed that can identify recovered audio files from the rest and determine whether it is possible to reproduce the restored audio file from image documents. This solution can realize high-speed, on-site forensics by effective data searching and SILK audio file decoding displaying, irrespective of cellphone brands, forensics counter measures or audio format.
2.1 Technology difficulties: Calculating audio frame size and identifying valid audios
Analysis of audio frame structure and calculation of audio frame size are the keys to determine the following: whether the audio data is valid (whether it is damaged or overwritten), whether it could be recovered, and whether it is worth the efforts. Different audio formats and frame structures mean different calculation methods for audio frame size, with determining audio type as the prerequisite.
AMR, SILK, MIDI, MP3, AAC, WAV, W4A, WMA and OGG are the commonly-used cellphone audio file formats, among which AMR and SILK are the most often used ones. SILK format files come from the instant messaging software Skype and audio files formulated in chatting apps like WeChat or WhatsApp. AMR format files cover audio files recorded during phone calls and other cellphone recording functions and can be divided into two types, AMR-NB (AMR-NarrowBind) and AMR-WB (AMR-WideBand).
2.1.1 Structure of SILK audio files
Text “#!SILK_V3” that can be found in audio files represents a SILK audio file.
Structure of a SILK audio file with the highlighted part as file header
2.1.2 Structure of AMR audio files
Text “#!AMR” that can be found in audio files represents an ARM audio file.
Structure of an AMR audio file with the highlighted part as file header
Conduct data extraction in accordance with audio frame structures of the upper mentioned formats and the extracted files can be played through audio players.
2.2 Technology difficulties: Decoding playing of audio messages from WeChat or WhatsApp
With the first technology difficulty solved and detection and identification of valid audio data frames have been successfully done, data extraction and recovery are the next step. The hardest part for audio file data recovery through conventional tools is the proper playing of extracted files.
AMR, SILK, MIDI, MP3, AAC, WAV, W4A, WMA and OGG are the commonly-used cellphone audio file formats, as explained before, and cellphone with different brands, versions and operating systems are saving audio files in different formats. For example, WeChat or WhatsApp adopted SILK format to save audio files at a certain point of their development. Audio files in other formats can be played by any third-party tool, Core Player, QQ Music, Baidu Music, Kuwo Music for example, but SILK files need to be decoded before being played.
On the basis of SDK provided by Skype Official, the technical solution to this problem is a SILK encoding and decoding algorithm that can decode SILK audio files into files in WAV or AMR formats. Those decoded files can be played through Windows Media Player on a phone or a computer, which means investigators can extract and play deleted WeChat or WhatsApp audio messages on-site and enhance the efficiency of evidence collection.
3 Conclusion
Compared with conventional methods, the technical solution presented in this issue has the following advantages: locate audio files in cellphones quickly and accurately; determine the format of audio files; decode audio file structure based on its format; and transcode the file into formats that can be played on a phone or computer. These advantages can help forensic investigators gain access to audio evidence with higher efficiency.
This algorithm (audio_dec_krnl), to solve the problem that technicians are most concerned about: how to detect and identify the integrity of audio files. It can also identify valid audio files from the rest and determine whether a recovered audio file from image documents can be played properly. And it has already been updated to SmartPhone Forensic System(SPF), you can download the software from our resources page of the website and have a free trial.
SalvationDATA Blog 