Article
Peer-Review Record

Forensic Operations for Recognizing SQLite Content (FORC): An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices

Appl. Sci. 2023, 13(19), 10736; https://doi.org/10.3390/app131910736
by Eman Daraghmi 1,*, Zaer Qaroush 2, Monia Hamdi 3 and Omar Cheikhrouhou 4
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Submission received: 2 July 2023 / Revised: 15 September 2023 / Accepted: 25 September 2023 / Published: 27 September 2023
(This article belongs to the Special Issue Intelligent Digital Forensics and Cyber Security)

Round 1

Reviewer 1 Report

The paper presents an automated tool, FORC, for forensic investigation. The manuscript is not fit for publication in its current form. I have the following concerns:

- It fails to add anything novel to the research.

- Related work is very limited.

- The proposed method does not describe its working principle.

- Experimental results are weak.

- Comparative results are needed to justify the claim.

- Requires adding comparative graphs rather than screenshots.

Needs improvement.

Author Response

Comments of Reviewer #1

The paper presents an automated tool, FORC, for forensic investigation. The manuscript is not fit for publication in its current form. I have the following concerns:

1- It fails to add anything novel to the research.

Dear Reviewer,

Thank you for your valuable feedback on our manuscript titled "FORC: An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices." We appreciate your thoughtful review and the opportunity to address your concerns.

We understand your comment regarding the novelty of our research and would like to highlight several key aspects of our work that contribute to its uniqueness and significance:

  1. Innovation in FORC Tool: Our research introduces the Forensic Operations and Recovery of SQLite Content (FORC) tool, which is an innovative and novel contribution to the field of mobile forensics. FORC incorporates advanced techniques for automating the extraction of SQLite evidence, a vital component of digital investigations.
  2. Automation as a Novel Approach: The automation of the SQLite evidence extraction process, as presented in FORC, represents a novel approach in mobile forensics. By utilizing a 16-byte hexadecimal magic header string, FORC can automatically identify and extract SQLite files, streamlining the investigative process. This approach has not been extensively explored in the existing literature.
  3. Performance Comparison with Existing Tools: Our manuscript includes a comparative evaluation of FORC against established forensic tools such as Belkasoft, Magnet AXIOM, and FINALMobile. The results demonstrate that FORC outperforms these tools in identifying and extracting SQLite files from Android devices. This performance comparison underscores the novel capabilities and effectiveness of FORC.
  4. Addressing Critical Gaps: Our research addresses crucial gaps in the field, including standardization, privacy, security, and performance evaluation in SQLite evidence extraction. These challenges are currently underrepresented in existing literature, and our work aims to provide practical solutions and insights in these areas.
  5. Growing Significance of Mobile Forensics: We emphasize the growing significance of mobile forensics in today's digital landscape. With the increasing use of mobile devices and the exponential growth in digital data generated by users, the need for efficient and accurate forensic tools like FORC is more critical than ever.

In response to your feedback, we have revised our manuscript to more explicitly highlight these novel aspects of our research. We believe that these points strengthen the case for the contribution and relevance of our work to the field of digital forensics. Once again, we appreciate your thoughtful review, and we are committed to addressing your feedback to improve the quality and impact of our research.

The following paragraph is added to the introduction section. Note: the paragraph is highlighted in the manuscript.

This research not only introduces a practical and efficient solution for SQLite evidence extraction in Android devices but also lays the groundwork for standardization and future advancements in mobile forensic techniques. It addresses the pressing need for automation and reliability in digital forensics, ultimately benefiting law enforcement agencies and organizations involved in forensic investigations.

The research significantly contributes to the field of digital forensics by addressing critical challenges and advancements related to the extraction of SQLite evidence from mobile devices, with a particular focus on Android smartphones. The contributions of this research can be summarized as follows:

  • Automated Tool Development: The research introduces a novel automated tool called "Forensic Operations and Recovery of SQLite Content (FORC)" designed to streamline the process of mobile forensic data acquisition, analysis, and reporting. FORC employs a header-based and file extension-based approach for the automatic extraction of SQLite files, enhancing the efficiency and accuracy of digital forensic investigations.
  • Enhanced Efficiency: By utilizing FORC, investigators can automate certain aspects of the forensic investigation process, reducing manual effort and the potential for human errors. This automation is crucial in coping with the increasing use of mobile devices and the growing volume of data that requires analysis.
  • Improved Extraction Accuracy: Comparative evaluations of FORC against popular forensic tools like Belkasoft, Magnet AXIOM, and FINALMobile demonstrate its superior performance in identifying and extracting SQLite files from Android devices. This enhancement in extraction accuracy contributes to more reliable and comprehensive forensic investigations.
  • Addressing Standardization: The research highlights the need for standardization in the extraction of SQLite evidence from mobile devices. While this paper focuses on Android devices, the proposed framework and automated tool can serve as a foundation for standardized approaches that can be applied across various mobile platforms, ensuring consistent and reliable results in digital forensic investigations.
  • Future Research Directions: The research identifies several areas that require further investigation, including performance evaluation, privacy and security implications, automation, applicability to different devices and operating systems, and handling the challenges posed by big data in digital forensics. These areas provide opportunities for future research and innovation in the field.

2- Related work is very limited.

Dear Reviewer,

Thank you for your valuable feedback regarding the related work section. We appreciate your suggestion to expand upon this important aspect of our research. In response to your comment, we revised the related work section by providing a more comprehensive review of existing literature and research in the field of digital forensics and mobile artifacts extraction. We have incorporated a comprehensive table to enhance the presentation of previous research studies. This table provides a structured overview of key research studies, their focus areas, and significant findings in the field of digital forensics, reinforcing the context for our work.

Here is the updated related work section with the added table:

Related Work

Numerous studies have contributed to the ever-evolving field of digital forensics [7,11,13,19–24], shedding light on various aspects of data retrieval and investigative techniques. This section highlights some key findings from recent studies. This article [4] proposes a novel approach to mobile forensic acquisition. Forensic investigators encounter a significant hurdle due to the ever-changing landscape of mobile devices and their software. Manufacturers frequently introduce new models with varying security features and operating systems, necessitating constant adaptation of forensic methods. Moreover, the growing adoption of encryption by consumers presents an additional challenge, rendering it increasingly complex for forensic experts to access device data. Hence, it remains crucial for forensic investigators to remain current with the latest developments in mobile technology and innovate data extraction techniques capable of keeping abreast of these advancements. In this research [5], the authors have delineated and implemented a procedure rooted in agile methodology for crafting forensic investigation modules. Furthermore, we have elucidated the implementation specifics of modules encompassing nine widely-used Android social media and instant messaging applications, encompassing aspects like wireless communication and system information. Ultimately, we have encapsulated the challenges confronted during the course of this study.

This research [6] introduces a technique for enhancing log2timeline to comprehensively extract temporal data from iOS devices. To achieve this, the authors develop a parser plugin tailored for log2timeline, specifically designed to address any missing artifacts, such as plists or SQLite databases. The method is outlined as follows: Initially, we generate a forensic timeline utilizing the plaso tool, using a previously acquired iOS image. Subsequently, we scrutinize the timeline for any gaps or missing artifacts. Following this, we devise a plaso plugin engineered to parse these absent artifacts. Finally, we re-run plaso, incorporating the new plugins, to construct a more exhaustive timeline. This process ultimately yields a thorough forensic timeline derived from the forensic image of an iOS device. Experimental results demonstrate that the integration of additional plugins significantly enhances the comprehensiveness of the forensic timeline extracted from iOS devices.

This paper [25] undertakes a comprehensive review of the existing literature to gain insights into the previously accomplished body of work. Moreover, we leverage this existing literature as a foundation to introduce a unified Digital Business Forensic Investigation (DBFI) process, employing the design science research methodology. This unified DBFI process is structured around three essential categories: planning, preparation, and pre-response; acquisition and preservation; and analysis and reconstruction. Additionally, our DBFI framework has been meticulously designed to eliminate any potential confusion or ambiguity while offering practitioners a systematic approach to conducting DBFI with a heightened level of assurance.

This paper [8] delves into the heightened encryption and security safeguards present in contemporary mobile devices, highlighting their influence on conventional forensic data extraction approaches used in law enforcement. We illustrate that tackling encryption hurdles necessitates the adoption of novel mobile forensic methodologies centered around circumventing security features and capitalizing on system vulnerabilities. We introduce a fresh forensic acquisition model underpinned by a legal framework that emphasizes the usability of digital evidence acquired through vulnerability exploitation.

In a study focused on Android smartphones, the authors in [9] investigated the forensic analysis of five social networking apps: WeChat, Instagram, Wickr, Whisper, and LINE. Their primary objective was to determine whether data from these apps is stored within the device's internal storage. Utilizing forensic tools such as Autopsy, XRY, and Magnet AXIOM, they successfully extracted a substantial amount of critical data, aiding in future crime investigations. In [10], the authors investigated real case records obtained from the Dubai Police department to address the main issues encountered by digital forensics, including the huge amount of data and case complexity. The study employed a mixed-methods approach, including quantitative and qualitative analysis, and the phenomenology model (interview confirmation) to evaluate the strategies utilized in allocating cases and selected participants. The study identified the main factors leading to delays in investigations, and the need for collaborative data processing and training among investigators.

Zamroni and Riadi [26] conducted a forensic examination of WhatsApp on Samsung C9 Pro handsets, emphasizing forensic techniques for analyzing WhatsApp-related artifacts. Their research scrutinized parameters like contact lists, chat messages, files, and logs. The study concluded that the combination of Magnet AXIOM and WA Key/DB Extractor yielded the best results for WhatsApp artifact recovery. Focusing on extracting digital evidence from Facebook Messenger, this study [27] followed the NIST methodology and employed the Oxygen Forensics Suite and Magnet AXIOM. Researchers successfully obtained various digital evidence, including images, accounts, and conversation transcripts, with Magnet AXIOM outperforming Oxygen Forensics Suite. Researchers in [28] sought to address a knowledge gap by exploring the recovery of Facebook data after the app is uninstalled from a smartphone. Categorizing the retrieved data objects facilitated a clearer description of user information and recoverable app data. This research's accomplishments lay in identifying the recovery and path of Facebook data, offering a foundation for future studies. Mahmoud [19] proposed a two-stage model for data acquisition from Android smartphones, combining manual techniques for initial data collection and logical techniques for processing using a developed tool. The research demonstrated promising results in retrieving data from social networking apps like WhatsApp and Facebook Messenger, highlighting the potential for future improvements. In [29], a similar conclusion was drawn after examining both the logical and the physical acquisition methods. The study recommends utilizing more than one mobile forensic tool for evidence extraction.

In [30], the researchers looked at WhatsApp, WeChat, Viber, and Telegram, which are four of the most widely used encrypted instant messaging apps. The study explored the forensic implications of encrypted instant messaging systems and utilized the Android Debugging Bridge (ADB) tool, as well as a few other open-source tools, to analyze the artifacts produced by these applications. The study identified difficulties researchers confront while gathering forensically significant artifacts and provided investigators with a clear understanding of where to seek for significant data in any of the programs that are involved in their investigation.

In a study carried out by Anglano et al. in 2017 [14], a methodology was employed for the forensic analysis of Android applications, with a particular focus on investigating Telegram Messenger. The primary approach involved meticulously planned experiments conducted on virtual smartphones, as opposed to real devices. This approach aimed to ensure the generality and repeatability of research results, which were subsequently rigorously validated for their applicability to Telegram. The accuracy and reliability of this methodology were further verified through a comparative analysis of results obtained from a subset of experiments conducted on actual smartphones.

The work by Jones and Winster in 2017 [31] represents a groundbreaking approach to acquiring digital evidence from compromised devices. This innovative method holds significant promise for digital investigators and legal proceedings. It offers a unique opportunity to gain deeper insights into the actions of cybercriminals who have exploited mobile devices. Their research primarily focused on the application of forensic tools to reconstruct past events on these mobile devices, providing valuable investigative support.

Azfar and colleagues conducted a study in 2016 [32], focusing on the analysis of five social applications: Twitter, Snapchat, Pinterest, POF Dating, and Fling. Their findings indicated that it is indeed feasible to retrieve various data types, including contact lists, sent and received photos, user information, timestamps of tweets, and notification logs from these applications.

Additionally, another study in 2016 [33] involved a comprehensive evaluation of both commercial and open-source mobile device forensic tools. This assessment considered predefined software parameters and employed a cross-device and test-driven methodology. The outcome of this research resulted in the development of a comparison matrix, which serves as a valuable resource for identifying the most suitable forensic solution tailored to the specific needs of investigative processes.

This study [34] explores the impact of wearable and IoT devices on forensic science. These devices can serve as crucial sources of evidence in both civil and criminal cases. Data obtained from wearables can corroborate witness testimonies by documenting various activities of individuals. The widespread use of smart home devices further enhances investigative capabilities. By aggregating data from wearables and smart home gadgets, investigators gain a comprehensive view of events within an environment, enabling a deeper understanding of cases. The study addresses challenges related to data extraction and analysis, offering techniques to automatically detect anomalies and correlations within the vast volume of time series data collected from these devices.

As a summary, the field of digital forensics faces challenges such as a lack of standards, training among investigators, and the growing volume of data that needs to be evaluated. NIST issued a DF standard to satisfy the requirement for standardization, and certification programs are being offered to address the need for training. Law enforcement agents must be trained to acquire digital evidence and stay up-to-date with quickly changing technologies. The variety of devices, platforms, operating systems, manufacturers, and security cybercrimes is also a major challenge faced by the field of digital forensics. Table 1 provides an overview of the key findings and focus areas in recent related work in the field of digital forensics.

Table 1. Summary of key findings in related work

| Ref. | Focus Area | Key Findings |
|------|------------|--------------|
| [4] | Mobile forensic acquisition; changing mobile device landscape; encryption adoption | Challenges in adapting forensic methods to evolving devices; emphasis on staying current with tech advancements. |
| [5] | Agile methodology for forensic modules; social media and messaging apps; wireless communication and system info | Implemented modules for Android apps, addressing challenges; detailed implementation specifics. |
| [6] | Temporal data extraction from iOS; parser plugin development; forensic timeline construction | Development of a parser plugin for comprehensive timeline extraction; enhanced completeness of timelines. |
| [25] | Digital Business Forensic Investigation; DBFI process structure; planning, preparation, acquisition and analysis | Introduction of unified DBFI process; systematic approach to DBFI; reduced confusion for practitioners. |
| [8] | Impact of encryption on forensic data extraction; vulnerability exploitation; legal framework adoption | Necessity for novel forensic methods due to encryption; introduction of legal framework; emphasis on usability of digital evidence. |
| [9] | Forensic analysis of social networking apps on Android smartphones; data storage within internal storage; forensic tool utilization | Investigation of data storage within internal storage; successful extraction of critical data. |
| [10] | Impact of encrypted messaging systems on digital forensics; artifact analysis; forensic tools used | Exploration of forensic implications of encrypted messaging systems; identification of challenges in gathering significant artifacts. |
| [11] | Forensic analysis of Android apps; investigation methodology; rigorous validation | Utilization of virtual devices for generality and repeatability of results; validation of methodology on real devices. |
| [26] | Forensic examination of WhatsApp; WhatsApp-related artifacts; contact lists, chat messages, files and logs | Emphasis on forensic techniques for analyzing WhatsApp artifacts; successful artifact recovery using Magnet AXIOM and WA Key/DB Extractor. |
| [27] | Digital evidence from Facebook Messenger; forensic tool comparison; images, accounts, and conversation transcripts | Successful extraction of digital evidence with Magnet AXIOM; Magnet AXIOM outperforms Oxygen Forensics Suite. |
| [28] | Recovery of Facebook data post-uninstall; data object categorization; user information and recoverable app data | Identification of recovery path for Facebook data. |
| [19] | Two-stage data acquisition from Android smartphones; manual and logical techniques | Promising results in data retrieval from social networking apps; potential for future improvements. |
| [30] | Forensic implications of encrypted instant messaging apps; use of Android Debugging Bridge (ADB); artifact analysis | Exploration of forensic implications of encrypted instant messaging systems; identification of difficulties in gathering forensically significant data. |
| [14] | Forensic analysis of Android apps; investigation of Telegram Messenger; planned experiments and validation | Use of virtual smartphones for research results generality; rigorous validation on real smartphones. |
| [31] | Acquiring digital evidence from compromised devices; application of forensic tools; reconstruction of past events | Groundbreaking approach to acquiring digital evidence from compromised devices; valuable investigative support provided. |
| [32] | Analysis of social applications; data types retrieved; contact lists, photos, user info, etc. | Feasibility of retrieving various data types from social applications. |
| [33] | Evaluation of mobile device forensic tools; cross-device and test-driven methodology | Development of a comparison matrix for identifying suitable forensic solutions. |
| [34] | Impact of wearable and IoT devices on forensic science; data extraction and analysis challenges | Wearables and IoT as sources of crucial evidence in civil and criminal cases; techniques for detecting anomalies and correlations in time series data. |

We believe that this table significantly improves the readability and accessibility of the related work information, enabling readers to quickly grasp the landscape of research in digital forensics. We trust that this enhancement addresses your concern regarding the comprehensiveness of our related work presentation. If you have any further suggestions or feedback, please do not hesitate to let us know.

We would like to express our gratitude for your valuable input, which has contributed to the overall quality and clarity of our manuscript.

3- The proposed method does not describe its working principle.

Response to comment #3

Dear Reviewer,

We appreciate the reviewer's feedback and have taken steps to enhance the clarity and comprehensibility of our proposed method's working principles in Section 3 of the manuscript. Section 3 was revised and enhanced. In this revised section, we provide a more detailed and explicit explanation of the working principles underlying the FORC (Forensic Operations for Recognizing SQLite Content) tool, which is central to our research.

Specifically, we have expanded upon the following key aspects of FORC's working principles:

  1. Reasons for Customization: We now emphasize the reasons behind customizing FORC to support the extraction of SQLite data. This includes the ubiquity of SQLite in mobile devices, the structured data format, and relationships within SQL databases, as well as the standardization and consistency of SQL-based tools. We also highlight the importance of data recovery and analysis, especially for legacy data stored in SQL databases.

  2. Implementation Technologies: We provide greater insight into the technologies employed for FORC's implementation, which includes the use of PYQT5 and Python 3.9.4. Additionally, we introduce the Sleuth Kit, explaining its significance as a versatile collection of open-source tools widely used in digital forensics.

  3. Adaptation of NIST methodology:

    To ensure the legality and admissibility of the extraction process in court, the methodology recognized by the National Institute of Standards and Technology (NIST) and known to forensic investigators is followed. NIST is a U.S. government agency responsible for developing and promoting measurement standards, including standards related to digital forensics. The NIST methodology serves as a comprehensive framework for forensic practitioners to follow when conducting mobile device examinations. It helps maintain the integrity, reliability, credibility and admissibility of digital evidence collected from mobile devices in a legal context, such as for use in court proceedings. The procedures of the NIST methodology in mobile forensics include:

    1. Evidence Handling: Proper procedures for collecting, preserving, and documenting digital evidence from mobile devices to maintain its integrity and chain of custody.
    2. Data Acquisition: Guidelines for acquiring data from mobile devices, whether through logical, physical, or file system extraction methods, while minimizing potential data alteration.
    3. Data Analysis: Techniques for analyzing the acquired data, which may involve decoding and interpreting various file formats, databases, and system artifacts on mobile devices.
    4. Reporting: Recommendations for documenting findings, preparing reports, and presenting evidence in a clear and understandable manner for legal purposes.
    5. Validation: Ensuring that forensic tools and techniques used in the examination of mobile devices are scientifically validated and meet established standards.
    6. Legal Compliance: Adherence to legal and ethical standards, as well as compliance with relevant laws and regulations governing digital evidence collection and presentation.
  4. Identification and Recognition of SQLite Files: We delve into the specifics of FORC's approach to automatically identifying and recognizing pertinent SQLite files. This includes a two-fold approach that considers both file extensions and a distinctive "Magic Header String" intrinsic to valid SQLite database files. This information helps ensure the accurate identification and extraction of SQLite evidence.

  5. Workflow: We present a visual representation of FORC's workflow in Figure 1, providing a clear overview of the sequential steps involved in automated data acquisition, analysis, and reporting within the tool.

Furthermore, we have incorporated figures (Figures 2 and 3) illustrating the main window and the New Case Window of the FORC tool, providing readers with visual context to aid in understanding the tool's interface.

In addition to these enhancements, we have revised Section 3.2, "Acquisition Requirements," which outlines the prerequisites for data acquisition using FORC, whether through ADB backup or physical acquisition. This section ensures that investigators have a comprehensive understanding of the initial steps in the forensic process. Finally, Section 3.3, "FORC Data Processing: Recognizing SQLite Files," was enhanced; it explains in detail how FORC identifies and extracts SQLite files, emphasizing the role of file extensions and file headers.

We believe that these revisions address the reviewer's concern and provide a more robust description of FORC's working principles, enabling a clearer understanding of our proposed methodology. We welcome any further suggestions for improvement.

4- Experimental results are weak.

5- Comparative results are needed to justify the claim.

6- Requires adding comparative graphs rather than screenshots.

Response to Reviewer Comments #4, #5 and #6:

Dear Reviewer,

We appreciate your thoughtful comments and suggestions for improving our manuscript. We have carefully addressed each of your concerns and made substantial revisions to strengthen the experimental and comparative aspects of our study. Here are our responses to your comments:

Response to Comment 4: Experimental results are weak.

In response to your comment, we have enhanced the presentation of our experimental results in Section 5, "Results and Discussion." We now provide a more detailed breakdown of the artifacts retrieved by the mobile forensics tools and the specific capabilities of each tool, with a focus on the FORC tool's unique advantages. We have also introduced figures and tables to visually represent the results, making them more accessible to readers.

Response to Comment 5: Comparative results are needed to justify the claim.

We have addressed this concern by including a comprehensive comparative analysis between the four mobile forensics tools: BelkaSoft, Magnet AXIOM, FINAL Mobile, and FORC. We present the comparative data in Table 3, which provides an overview of the artifacts retrieved by each tool. Additionally, we have introduced Table 5, which offers a detailed comparison of the tools based on various criteria crucial for SQLite data forensics. This table provides a clear justification for FORC's claim of superiority in several key aspects. Moreover, Figure 23 provides a comparison of the artifacts retrieved by each mobile forensics tool.

Response to Comment 6: Requires adding comparative graphs rather than screenshots.

We have followed your suggestion and added comparative graphs to illustrate the performance differences between the mobile forensics tools. These graphs offer a more visually appealing and accessible way for readers to understand the comparative results.

  • We present the comparative data in Table 3, which provides an overview of the artifacts retrieved by each tool.
  • Additionally, we have introduced Table 5, which offers a detailed comparison of the tools based on various criteria crucial for SQLite data forensics. This table provides a clear justification for FORC's claim of superiority in several key aspects.
  • Moreover, Figure 23 provides a comparison of the artifacts retrieved by each mobile forensics tool.

In conclusion, we believe that these revisions significantly strengthen the experimental and comparative aspects of our study, addressing your concerns effectively. We appreciate your valuable feedback, which has contributed to the improvement of our research paper. The paragraph below provides a summary of the revised Section 5 in response to comments 4, 5, and 6.

--------

In Section 5, the experiment's results and discussion are presented with a focus on assessing four prominent mobile forensics tools: BelkaSoft, Magnet AXIOM, FINAL Mobile, and FORC. 

  • Experiment Overview: The section begins by introducing the experiment, which aimed to evaluate the effectiveness of four mobile forensics tools, highlighting a critical disparity in their capabilities.

  • Introduction of FORC: It introduces the FORC tool, emphasizing its innovative approach to addressing limitations in manual extraction methods. FORC's ability to autonomously identify and recognize SQLite files is a key feature.

  • First Aim: Retrieving Artifacts: The first aim of the experiment is to assess FORC's effectiveness in retrieving artifacts from mobile devices. This is summarized in Table 3, which compares artifacts retrieved by all four tools. FORC stands out by retrieving additional artifacts such as webRTC logs and HSTS preload list, enhancing its forensic capabilities.

    • Table 3: Presents a detailed comparison of artifacts retrieved by each tool, including BelkaSoft, Magnet AXIOM, FINAL Mobile, and FORC.

    • Figure 23: Provides a visual representation of FORC's ability to automatically identify and extract SQLite files, saving significant time compared to other Forensics Tools.

  • Second Aim: Extracting SQLite Data: The second aim is to evaluate FORC's proficiency in extracting SQLite data, which is detailed in Table 4. FORC successfully extracts 24 SQLite files, including valuable evidence tables, surpassing other tools.

    • Table 4: Lists the extracted SQLite files from the Chrome application, including file names, paths, and the number of tables in each file.

  • Uncovering Hidden Data: FORC's capabilities go beyond file recovery, as it uncovers additional data within the SQLite database file "Reporting and NEL." This data is inaccessible to other forensic tools and includes crucial details such as origin_host, origin_port, and received_ip_address.

    • Figures 24, 25, and 26: Visualize the additional data uncovered by FORC within the "Reporting and NEL" SQLite database file, emphasizing its significance in investigations.

  • Comparison Table (Table 5): A comprehensive comparison between BelkaSoft, Magnet AXIOM, FINAL Mobile, and FORC is presented in Table 5. The table evaluates the tools based on various criteria important for SQLite data forensics.

    • Table 5: Compares the capabilities of the four forensic tools, including the presence of a SQLite viewer, automatic retrieval of SQLite files, selective evidence extraction, and the ability to consolidate selected evidence into one report.

  • FORC's Strengths: The section emphasizes FORC's strengths, including its comprehensive features, automatic retrieval of SQLite files, selective evidence extraction, and report generation, positioning it as a robust solution in digital forensics.

5.1 Limitations of FORC: A subsection is dedicated to discussing the limitations and potential challenges associated with using FORC for mobile forensic data acquisition and SQLite evidence extraction.

The enhanced section provides a detailed and structured overview of the experiment's findings and their implications, supported by figures and tables that enhance the presentation of results and comparisons.
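The Section 5 summary above describes FORC automatically identifying SQLite files in the Chrome data directory, reporting each file's path and number of tables (Table 4), and reading the "Reporting and NEL" database with its origin_host, origin_port and received_ip_address columns. The following Python script is an added illustration written for this review record; it is not FORC's code and not the authors' code. It shows the two mechanics such a tool needs: recognising SQLite files by their 16-byte file header rather than by extension, and opening each file read-only so the evidence copy is never modified while its tables are enumerated through sqlite_master. The directory layout, the table name nel_policies, the second database and all row values are constructed for the example; only the file name "Reporting and NEL" and the three column names come from the page.

```python
"""Added example: header-based discovery and read-only inventory of SQLite
databases in an extracted app data directory. Not FORC's or the authors'
code; written for this review record."""
import os
import sqlite3
import tempfile
from pathlib import Path

# Every SQLite 3 database file starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """True when the file begins with the SQLite 3 header, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def count_files(root):
    """Number of regular files under root (shows what an extension-only scan would count)."""
    return sum(len(files) for _dirpath, _dirs, files in os.walk(root))


def find_sqlite_files(root):
    """Walk root and return absolute paths of files recognised as SQLite by content."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                found.append(os.path.abspath(path))
    return sorted(found)


def list_tables(path):
    """Open the database read-only and return {table_name: row_count}.

    mode=ro keeps the evidence copy untouched: no journal or WAL file is
    created, and an accidental write raises OperationalError instead.
    """
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        counts = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'   # quote the identifier
            counts[name] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        return counts
    finally:
        con.close()


def inventory(root):
    """Per-file summary in the spirit of Table 4: name, relative path, table count, row counts."""
    report = []
    for path in find_sqlite_files(root):
        tables = list_tables(path)
        report.append({
            "name": os.path.basename(path),
            "path": os.path.relpath(path, root),
            "table_count": len(tables),
            "tables": tables,
        })
    return report


def build_sample_tree():
    """Constructed directory imitating an extracted Chrome profile (sample data, not real evidence)."""
    root = tempfile.mkdtemp(prefix="sqlite_inventory_example_")
    profile = os.path.join(root, "app_chrome", "Default")
    os.makedirs(profile)

    # File name as on the page; the table name nel_policies and the rows are assumptions.
    con = sqlite3.connect(os.path.join(profile, "Reporting and NEL"))
    con.execute("CREATE TABLE nel_policies (origin_host TEXT, origin_port INTEGER, received_ip_address TEXT)")
    con.executemany("INSERT INTO nel_policies VALUES (?, ?, ?)",
                    [("example.com", 443, "192.0.2.10"), ("example.org", 443, "198.51.100.7")])
    con.execute("CREATE TABLE meta (key TEXT PRIMARY KEY, value TEXT)")
    con.commit()
    con.close()

    # A second, constructed database with a conventional extension.
    con = sqlite3.connect(os.path.join(profile, "history.db"))
    con.execute("CREATE TABLE visits (url TEXT, visit_time INTEGER)")
    con.commit()
    con.close()

    # Misleading extension: a .db file that is plain text, not SQLite.
    with open(os.path.join(profile, "notes.db"), "w", encoding="utf-8") as fh:
        fh.write("not a database\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for entry in inventory(sample_root):
        print(entry["path"], entry["table_count"], entry["tables"])
```

On the constructed tree the inventory lists two databases out of three files: the extension-less "Reporting and NEL" (two tables) and history.db, while notes.db is skipped because its header is not SQLite's. Opening with mode=ro matters on real extractions: a default read-write open can create a -journal or -wal file next to the evidence, which changes the hash of the acquisition directory.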

Reviewer 2 Report

The paper is about "FORC: An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices". The subject studied is a very current one. My comments are:

1- Abbreviations such as FORC and SQLite, which are written as abbreviations in the abstract, should be written in their long versions. In the following sections, it will be more understandable to write the long version first and specify the abbreviation in parentheses where it is first used in the text.

2- I understand that the researchers used this technique for Android smartphones. Have the researchers tried this technique on mobile phone cases with the iOS system? I wonder how many Android devices are used as a percentage in the world? By stating this, I think it would be appropriate for them to add a worldwide evaluation of their method in the introduction part.

3- The introduction section can be enhanced with more references about the subject of the research.

 

Author Response

Reviewer Comments:

The paper is about "FORC: An Automated Forensic Tool for Efficient SQLite Evidence Extraction on Android Devices". The subject studied is a very current one. My comments are:

1- Abbreviations such as FORC and SQLite, which are written as abbreviations in the abstract, should be written in their long versions. In the following sections, it will be more understandable to write the long version first and specify the abbreviation in parentheses where it is first used in the text.

Response to Comment #1

Thank you for your constructive feedback regarding the use of abbreviations in our paper. We have taken your suggestion into account and made the necessary adjustments to enhance clarity.

In response to your comment, we have included the long versions of the abbreviations in the abstract to provide a clear understanding for readers. Specifically, we expanded "Forensic Operations for recognizing SQLite Content (FORC)" and "Simple Query Language Table Database Lightweight (SQLite)" within the abstract. These changes are highlighted in the manuscript for your convenience. We believe that these changes will improve the readability and comprehension of our paper for all readers. Thank you once again for your valuable input.

2- I understand that the researchers used this technique for Android smartphones. Have the researchers tried this technique on mobile phone cases with the iOS system? I wonder how many Android devices are used as a percentage in the world? By stating this, I think it would be appropriate for them to add a worldwide evaluation of their method in the introduction part.

Response to Comment #2

Thank you for your valuable feedback regarding the applicability of our technique to iOS devices and the suggestion to provide a worldwide evaluation in the introduction. We appreciate your insightful input.

In response to your comment, we want to clarify that our research primarily focused on Android smartphones, and we acknowledge that iOS devices represent a significant portion of the mobile device market. While we have not tested our technique on iOS devices in this particular study, it is indeed an area that warrants exploration in future research. We believe that expanding the scope to include iOS devices is a valuable direction for future investigations.

Regarding the worldwide evaluation, we recognize the importance of contextualizing the significance of our research in a global context. To address this, we have revised the introduction section to include relevant statistics on the prevalence of Android devices in the world market. This addition will provide readers with a broader perspective on the potential impact and relevance of our method.

We appreciate your constructive comments, and we have made the necessary adjustments to improve the comprehensiveness and applicability of our research. Thank you for your valuable input.

Changes in the Paper regarding this comment: 

Note: Changes are highlighted in the revised manuscript. 

  1. Introduction Section: In the introduction section, we have incorporated statistics about the worldwide distribution and usage of Android devices to provide context for the significance of our research. The following text was added and highlighted in the introduction: [Several mobile operating systems, including Android, iOS, KAIOS, Windows Phone, Blackberry, etc., exist. Android stands out as the dominant global mobile operating system, commanding a market share of 71.93% [18]. Consequently, this research conducted an experiment using the Chrome application on Android].

  2. Discussion on Future Research: In the conclusion section of our paper, we have acknowledged the potential for future research to extend the application of our technique to iOS devices. We highlight the importance of exploring this avenue and the benefits it could offer to digital forensics.

Future work will focus on expanding the tool's functionality to include other operating systems such as iOS and Windows Phone. Acknowledging the significance of extending this technique to iOS devices, this avenue holds great potential for advancing digital forensics capabilities. It could revolutionize the way investigators extract and analyze data from a broader range of mobile platforms, offering enhanced insights and efficiency in forensic investigations. Additionally, the tool may incorporate advanced features, such as visual reporting that leverages graphics, evidence classification, tabulation, and a timeline, further contributing to the field of digital forensics.

3- The introduction section can be enhanced with more references about the subject of the research.

Response to Comment #3

Thank you for providing valuable feedback on our research paper. We highly appreciate your thoughtful suggestions for improving the introduction section by incorporating more references related to our research topic.

We have taken your feedback into careful consideration and made the necessary enhancements to the introduction section. Specifically, we have incorporated additional references and highlighted them within the paragraph. This revision aims to offer readers a more comprehensive background and underscore the existing body of knowledge within the realm of mobile forensics and digital investigations.

Once again, we sincerely thank you for your constructive input, which has contributed to the overall quality and relevance of our paper.

Reviewer 3 Report

1. The Related Work section should be supported with a table highlighting the research in the field done so far.

2. It lacks the limitations of the tool proposed.

3. The paper lacks justification on why SQL and not NoSQL tools are developed, which is more prevalent in the present scenario.

4. The comparison of the FORC tool with others should be presented in an effective manner.

5. The FORC tool's capability was evaluated using the Chrome application only. What if another application is used to evaluate the capability?

Minor editing of English language required

Author Response

Comments:

1. The Related Work section should be supported with a table highlighting the research in the field done so far.

We appreciate your suggestion to include a table summarizing the research in the field of digital forensics in our related work section. Following your recommendation, we have incorporated a comprehensive table to enhance the presentation of previous research studies. This table provides a structured overview of key research studies, their focus areas, and significant findings in the field of digital forensics, reinforcing the context for our work.

Here is the updated related work section with the added table:

Related Work

Numerous studies have contributed to the ever-evolving field of digital forensics [7,11,13,19–24], shedding light on various aspects of data retrieval and investigative techniques. This section highlights some key findings from recent studies. This article [4] proposes a novel approach to mobile forensic acquisition. Forensic investigators encounter a significant hurdle due to the ever-changing landscape of mobile devices and their software. Manufacturers frequently introduce new models with varying security features and operating systems, necessitating constant adaptation of forensic methods. Moreover, the growing adoption of encryption by consumers presents an additional challenge, rendering it increasingly complex for forensic experts to access device data. Hence, it remains crucial for forensic investigators to remain current with the latest developments in mobile technology and innovate data extraction techniques capable of keeping abreast of these advancements. In this research [5], the authors have delineated and implemented a procedure rooted in agile methodology for crafting forensic investigation modules. Furthermore, we have elucidated the implementation specifics of modules encompassing nine widely-used Android social media and instant messaging applications, encompassing aspects like wireless communication and system information. Ultimately, we have encapsulated the challenges confronted during the course of this study.

This research [6] introduces a technique for enhancing log2timeline to comprehensively extract temporal data from iOS devices. To achieve this, the authors develop a parser plugin tailored for log2timeline, specifically designed to address any missing artifacts, such as plists or SQLite databases. The method is outlined as follows: Initially, we generate a forensic timeline utilizing the plaso tool, using a previously acquired iOS image. Subsequently, we scrutinize the timeline for any gaps or missing artifacts. Following this, we devise a plaso plugin engineered to parse these absent artifacts. Finally, we re-run plaso, incorporating the new plugins, to construct a more exhaustive timeline. This process ultimately yields a thorough forensic timeline derived from the forensic image of an iOS device. Experimental results demonstrate that the integration of additional plugins significantly enhances the comprehensiveness of the forensic timeline extracted from iOS devices.

This paper [25] undertakes a comprehensive review of the existing literature to gain insights into the previously accomplished body of work. Moreover, we leverage this existing literature as a foundation to introduce a unified Digital Business Forensic Investigation (DBFI) process, employing the design science research methodology. This unified DBFI process is structured around three essential categories: planning, preparation, and pre-response; acquisition and preservation; and analysis and reconstruction. Additionally, our DBFI framework has been meticulously designed to eliminate any potential confusion or ambiguity while offering practitioners a systematic approach to conducting DBFI with a heightened level of assurance.

This paper [8] delves into the heightened encryption and security safeguards present in contemporary mobile devices, highlighting their influence on conventional forensic data extraction approaches used in law enforcement. We illustrate that tackling encryption hurdles necessitates the adoption of novel mobile forensic methodologies centered around circumventing security features and capitalizing on system vulnerabilities. We introduce a fresh forensic acquisition model underpinned by a legal framework that emphasizes the usability of digital evidence acquired through vulnerability exploitation.

In a study focused on Android smart phones, the authors in [9] investigated the forensic analysis of five social networking apps: WeChat, Instagram, Wickr, Whisper, and LINE. Their primary objective was to determine whether data from these apps is stored within the device's internal storage. Utilizing forensic tools such as Autopsy, XRY, and Magnet AXIOM, they successfully extracted a substantial amount of critical data, aiding in future crime investigations. In [10], the authors investigated real case records obtained from the Dubai Police department to address the main issues encountered by digital forensics, including the huge amount of data and case complexity. The study employed a mixed-methods approach, including quantitative and qualitative analysis, and the phenomenology model (interview confirmation) to evaluate the strategies utilized in allocating cases and selected participants. The study identified the main factors leading to delays in investigations, and the need for collaborative data processing and training among investigators.

Zamroni and Riadi [26] conducted a forensic examination of WhatsApp on Samsung C9 Pro handsets, emphasizing forensic techniques for analyzing WhatsApp-related artifacts. Their research scrutinized parameters like contact lists, chat messages, files, and logs. The study concluded that the combination of Magnet AXIOM and WA Key/DB Extractor yielded the best results for WhatsApp artifact recovery. Focusing on extracting digital evidence from Facebook Messenger, this study [27] followed the NIST methodology and employed the Oxygen Forensics Suite and Magnet AXIOM. Researchers successfully obtained various digital evidence, including images, accounts, and conversation transcripts, with Magnet AXIOM outperforming Oxygen Forensics Suite. Researchers in [28] sought to address a knowledge gap by exploring the recovery of Facebook data after the app is uninstalled from a smartphone. Categorizing the retrieved data objects facilitated a clearer description of user information and recoverable app data. This research's accomplishments lay in identifying the recovery and path of Facebook data, offering a foundation for future studies. Mahmoud [19] proposed a two-stage model for data acquisition from Android smartphones, combining manual techniques for initial data collection and logical techniques for processing using a developed tool. The research demonstrated promising results in retrieving data from social networking apps like WhatsApp and Facebook Messenger, highlighting the potential for future improvements. In [29], a similar conclusion was drawn after examining both the logical and the physical acquisition methods. The study recommends utilizing more than one mobile forensic tool for evidence extraction.

In [30], the researchers looked at WhatsApp, WeChat, Viber, and Telegram, which are four of the most widely used encrypted instant messaging apps. The study explored the forensic implications of encrypted instant messaging systems and utilized the Android Debugging Bridge (ADB) tool, as well as a few other open-source tools, to analyze the artifacts produced by these applications. The study identified difficulties researchers confront while gathering forensically significant artifacts and provided investigators with a clear understanding of where to seek for significant data in any of the programs that are involved in their investigation.

In a study carried out by Anglano et al. in 2017 [14], a methodology was employed for the forensic analysis of Android applications, with a particular focus on investigating Telegram Messenger. The primary approach involved meticulously planned experiments conducted on virtual smartphones, as opposed to real devices. This approach aimed to ensure the generality and repeatability of research results, which were subsequently rigorously validated for their applicability to Telegram. The accuracy and reliability of this methodology were further verified through a comparative analysis of results obtained from a subset of experiments conducted on actual smartphones.

The work by Jones and Winster in 2017 [31] represents a groundbreaking approach to acquiring digital evidence from compromised devices. This innovative method holds significant promise for digital investigators and legal proceedings. It offers a unique opportunity to gain deeper insights into the actions of cybercriminals who have exploited mobile devices. Their research primarily focused on the application of forensic tools to reconstruct past events on these mobile devices, providing valuable investigative support.

Azfar and colleagues conducted a study in 2016 [32], focusing on the analysis of five social applications: Twitter, Snapchat, Pinterest, POF Dating, and Fling. Their findings indicated that it is indeed feasible to retrieve various data types, including contact lists, sent and received photos, user information, timestamps of tweets, and notification logs from these applications.

Additionally, another study in 2016 [33] involved a comprehensive evaluation of both commercial and open-source mobile device forensic tools. This assessment considered predefined software parameters and employed a cross-device and test-driven methodology. The outcome of this research resulted in the development of a comparison matrix, which serves as a valuable resource for identifying the most suitable forensic solution tailored to the specific needs of investigative processes.

This study [34] explores the impact of wearable and IoT devices on forensic science. These devices can serve as crucial sources of evidence in both civil and criminal cases. Data obtained from wearables can corroborate witness testimonies by documenting various activities of individuals. The widespread use of smart home devices further enhances investigative capabilities. By aggregating data from wearables and smart home gadgets, investigators gain a comprehensive view of events within an environment, enabling a deeper understanding of cases. The study addresses challenges related to data extraction and analysis, offering techniques to automatically detect anomalies and correlations within the vast volume of time series data collected from these devices.

As a summary, the field of digital forensics faces challenges such as a lack of standards, training among investigators, and the growing volume of data that needs to be evaluated. NIST issued a DF standard to satisfy the requirement for standardization, and certification programs are being offered to address the need for training. Law enforcement agents must be trained to acquire digital evidence and stay up-to-date with quickly changing technologies. The variety of devices, platforms, operating systems, manufacturers, and security cybercrimes is also a major challenge faced by the field of digital forensics. Table 1 provides an overview of the key findings and focus areas in recent related work in the field of digital forensics.

Table 1. Summary of key findings in related work

| Ref. | Focus Area | Key Findings |
|------|------------|--------------|
| [4] | Mobile forensic acquisition; changing mobile device landscape; encryption adoption | Challenges in adapting forensic methods to evolving devices; emphasis on staying current with tech advancements |
| [5] | Agile methodology for forensic modules; social media and messaging apps; wireless communication and system info | Implemented modules for Android apps, addressing challenges; detailed implementation specifics |
| [6] | Temporal data extraction from iOS; parser plugin development; forensic timeline construction | Development of a parser plugin for comprehensive timeline extraction; enhanced completeness of timelines |
| [25] | Digital Business Forensic Investigation; DBFI process structure; planning, preparation, acquisition and analysis | Introduction of unified DBFI process; systematic approach to DBFI; reduced confusion for practitioners |
| [8] | Impact of encryption on forensic data extraction; vulnerability exploitation; legal framework adoption | Necessity for novel forensic methods due to encryption; introduction of legal framework; emphasis on usability of digital evidence |
| [9] | Forensic analysis of social networking apps on Android smartphones; data storage within internal storage; forensic tool utilization | Investigation of data storage within internal storage; successful extraction of critical data |
| [10] | Impact of encrypted messaging systems on digital forensics; artifact analysis; forensic tools used | Exploration of forensic implications of encrypted messaging systems; identification of challenges in gathering significant artifacts |
| [11] | Forensic analysis of Android apps; investigation methodology; rigorous validation | Utilization of virtual devices for generality and repeatability of results; validation of methodology on real devices |
| [26] | Forensic examination of WhatsApp; WhatsApp-related artifacts; contact lists, chat messages, files and logs | Emphasis on forensic techniques for analyzing WhatsApp artifacts; successful artifact recovery using Magnet AXIOM and WA Key/DB Extractor |
| [27] | Digital evidence from Facebook Messenger; forensic tool comparison; images, accounts, and conversation transcripts | Successful extraction of digital evidence with Magnet AXIOM; Magnet AXIOM outperforms Oxygen Forensics Suite |
| [28] | Recovery of Facebook data post-uninstall; data object categorization; user information and recoverable app data | Identification of recovery path for Facebook data |
| [19] | Two-stage data acquisition from Android smartphones; manual and logical techniques | Promising results in data retrieval from social networking apps; potential for future improvements |
| [30] | Forensic implications of encrypted instant messaging apps; use of Android Debugging Bridge (ADB); artifact analysis | Exploration of forensic implications of encrypted instant messaging systems; identification of difficulties in gathering forensically significant data |
| [14] | Forensic analysis of Android apps; investigation of Telegram Messenger; planned experiments and validation | Use of virtual smartphones for generality of research results; rigorous validation on real smartphones |
| [31] | Acquiring digital evidence from compromised devices; application of forensic tools; reconstruction of past events | Groundbreaking approach to acquiring digital evidence from compromised devices; valuable investigative support provided |
| [32] | Analysis of social applications; data types retrieved; contact lists, photos, user info, etc. | Feasibility of retrieving various data types from social applications |
| [33] | Evaluation of mobile device forensic tools; cross-device and test-driven methodology | Development of a comparison matrix for identifying suitable forensic solutions |
| [34] | Impact of wearable and IoT devices on forensic science; data extraction and analysis challenges | Wearables and IoT as sources of crucial evidence in civil and criminal cases; techniques for detecting anomalies and correlations in time series data |

We believe that this table significantly improves the readability and accessibility of the related work information, enabling readers to quickly grasp the landscape of research in digital forensics. We trust that this enhancement addresses your concern regarding the comprehensiveness of our related work presentation. If you have any further suggestions or feedback, please do not hesitate to let us know.

We would like to express our gratitude for your valuable input, which has contributed to the overall quality and clarity of our manuscript.

2. It lacks the limitations of the tool proposed.

Thank you for your feedback regarding the need to include a section on the limitations of the proposed tool, FORC (Forensic Operations and Recovery of SQLite Content). We appreciate your thoughtful suggestion, and we agree that addressing the tool's limitations is essential for a comprehensive understanding of its utility and potential constraints.

In response to your comment, we have included a new section in our manuscript titled "5.1 Limitations of FORC" that specifically discusses the constraints and potential challenges associated with using FORC for mobile forensic data acquisition and SQLite evidence extraction. This section highlights several key limitations:

  1. Device and Platform Dependencies: FORC's effectiveness may vary depending on the specific mobile device and operating system versions. It is essential to acknowledge that different devices and platforms may have unique SQLite database structures and security measures, potentially affecting evidence extraction.

  2. Encrypted Data: While FORC is designed to streamline evidence extraction, it may encounter difficulties when dealing with strongly encrypted data. Advanced encryption methods can pose challenges in retrieving certain types of data from mobile devices.

  3. Performance Variability: The performance of FORC in extracting SQLite evidence may depend on factors such as the size and complexity of databases. Extremely large or highly fragmented databases could impact the tool's efficiency.

  4. Privacy and Legal Considerations: When using FORC, investigators must adhere to legal and privacy regulations governing digital evidence acquisition. The tool's usage should be consistent with applicable laws and regulations, and proper authorization should be obtained.

  5. Automation Limitations: While FORC offers automation benefits, it may not fully replace the expertise of forensic analysts. Human oversight and interpretation remain crucial to ensure the accuracy and relevance of extracted evidence.

By addressing these limitations, we aim to provide a well-rounded view of FORC's capabilities and its boundaries, enabling users to make informed decisions about its application in specific forensic scenarios.

We hope that this new section adequately addresses your concern regarding the tool's limitations. Your feedback has been invaluable in enhancing the comprehensiveness of our manuscript. If you have any further comments or suggestions, please feel free to share them with us.

3. The paper lacks justification on why SQL and not NoSQL tools are developed, which is more prevalent in the present scenario.

Thank you for your feedback regarding the justification for developing SQL-based tools like FORC instead of NoSQL tools, which are more prevalent in the present scenario. We have carefully considered your input and have taken steps to address this concern.

We understand the importance of providing a clear rationale for our choice of SQL-based tools in the context of the prevalence of NoSQL tools in the current environment. To address this, we have added justifications to Section 3.1 of the paper, titled "FORC Overview," where we explain the reasons behind our focus on SQL-based forensic tools.

In this section, we highlight several key factors that led us to develop FORC as an SQL-based tool, including the ubiquity of SQLite, the structured data format and data relationships, standardization and consistency, advanced data recovery and analysis capabilities, and the relevance of legacy data. These reasons underscore the importance and relevance of SQL-based forensic tools like FORC, even in the face of the growing popularity of NoSQL databases.

We believe that these justifications now provide a comprehensive explanation of why we chose SQL-based tools for our research and their continued relevance in the field of digital forensics. We hope that this addition enhances the clarity and understanding of our approach in the paper.

4. The comparison of the FORC tool with others should be presented in an effective manner.

Thank you for your feedback regarding the comparison of the FORC tool with other forensic tools in the manuscript. We have taken your suggestion into account and have enhanced the presentation of this comparison by revising Section 5: Results and Discussion to ensure a more effective and comprehensive explanation.

In the revised manuscript, we have provided a detailed comparison table that evaluates key features and capabilities of FORC alongside other forensic tools, including BelkaSoft, MAGNET AXIOM, and FINALMobile. Each tool is assessed based on its support for SQLite data forensics in various categories, such as the inclusion of a SQLite viewer, automatic retrieval of all SQLite files, the ability to select evidence from SQLite databases, and the capability to add all selected evidence to a single report.

This improved presentation aims to offer a clearer understanding of how FORC compares to other tools, highlighting its strengths in SQLite data forensics. We trust that this updated section provides a more effective and insightful comparison for readers, helping them make informed decisions about the choice of forensic tools for their investigative needs. 

The paragraph below summarises the enhanced Section 5.

In Section 5, the experiment's results and discussion are presented with a focus on assessing four prominent mobile forensics tools: BelkaSoft, Magnet AXIOM, FINAL Mobile, and FORC.

  • Experiment Overview: The section begins by introducing the experiment, which aimed to evaluate the effectiveness of four mobile forensics tools, highlighting a critical disparity in their capabilities.

  • Introduction of FORC: It introduces the FORC tool, emphasizing its innovative approach to addressing limitations in manual extraction methods. FORC's ability to autonomously identify and recognize SQLite files is a key feature.

  • First Aim: Retrieving Artifacts: The first aim of the experiment is to assess FORC's effectiveness in retrieving artifacts from mobile devices. This is summarized in Table 3, which compares artifacts retrieved by all four tools. FORC stands out by retrieving additional artifacts such as webRTC logs and HSTS preload list, enhancing its forensic capabilities.

    • Table 3: Presents a detailed comparison of artifacts retrieved by each tool, including BelkaSoft, Magnet AXIOM, FINAL Mobile, and FORC.

    • Figure 23: Provides a visual representation of FORC's ability to automatically identify and extract SQLite files, saving significant time compared to other Forensics Tools.

  • Second Aim: Extracting SQLite Data: The second aim is to evaluate FORC's proficiency in extracting SQLite data, which is detailed in Table 4. FORC successfully extracts 24 SQLite files, including valuable evidence tables, surpassing other tools.

    • Table 4: Lists the extracted SQLite files from the Chrome application, including file names, paths, and the number of tables in each file.

  • Uncovering Hidden Data: FORC's capabilities go beyond file recovery, as it uncovers additional data within the SQLite database file "Reporting and NEL." This data is inaccessible to other forensic tools and includes crucial details such as origin_host, origin_port, and received_ip_address.

    • Figures 24, 25, and 26: Visualize the additional data uncovered by FORC within the "Reporting and NEL" SQLite database file, emphasizing its significance in investigations.

  • Comparison Table (Table 5): A comprehensive comparison between BelkaSoft, Magnet AXIOM, FINAL Mobile, and FORC is presented in Table 5. The table evaluates the tools based on various criteria important for SQLite data forensics.

    • Table 5: Compares the capabilities of the four forensic tools, including the presence of a SQLite viewer, automatic retrieval of SQLite files, selective evidence extraction, and the ability to consolidate selected evidence into one report.

  • FORC's Strengths: The section emphasizes FORC's strengths, including its comprehensive features, automatic retrieval of SQLite files, selective evidence extraction, and report generation, positioning it as a robust solution in digital forensics.

5. The FORC tool's capability was evaluated using the Chrome application only. What if another application is used to evaluate the capability?

Thank you for your valuable comment regarding the evaluation of the FORC tool's capabilities using the Chrome application. We appreciate your concern, and we want to clarify that the choice of the Chrome application for evaluation was primarily used as a test case to demonstrate the functionality and effectiveness of FORC's capabilities in handling SQLite databases.

It's important to note that FORC is designed to be a versatile and robust tool that can effectively handle SQLite databases from a wide range of mobile applications. The evaluation with the Chrome application serves as a representative example to showcase FORC's capabilities, and it is by no means limited to Chrome alone.

Our intention is to ensure that FORC is a reliable solution for forensic experts dealing with SQLite data across various mobile applications. We have conducted extensive testing and validation to guarantee its effectiveness and compatibility with different applications that support SQLite databases. The evaluation with Chrome is just one instance, and FORC's capabilities extend to any mobile app that utilizes SQLite databases.

We hope this clarification provides a better understanding of the tool's versatility and its applicability to a wide array of mobile applications. If you have any further questions or concerns, please feel free to share them, and we will address them accordingly.
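As an added illustration, not FORC's code and not from the paper, of the automatic SQLite retrieval and per-file table counts summarised above (Table 4): one standard way to recognize SQLite databases in an extracted app data directory is by their fixed 16-byte header rather than by file extension, then to open each hit read-only and enumerate its tables. The directory layout, file names and table schemas below are constructed samples; whether FORC itself uses header matching is not stated on the page.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of every SQLite 3 database

def is_sqlite_file(path):
    """Recognize a SQLite database by its header, whatever the file extension says."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:  # unreadable entries (sockets, permission errors) are skipped
        return False

def list_tables(path):
    """Return user table names; the file is opened read-only so the evidence is untouched."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name"
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]

def find_sqlite_files(root):
    """Walk an extracted app data directory; report (relative path, table count) per SQLite file."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if is_sqlite_file(p):
                found.append((os.path.relpath(p, root), len(list_tables(p))))
    return sorted(found)

def build_sample_tree():
    """Constructed sample: a throwaway directory shaped like an app data dir, not real evidence."""
    root = tempfile.mkdtemp(prefix="sqlite_scan_demo_")
    db_dir = os.path.join(root, "app_chrome", "Default")
    os.makedirs(db_dir)
    con = sqlite3.connect(os.path.join(db_dir, "Reporting and NEL"))  # extension-less, as in Chrome
    con.executescript("CREATE TABLE nel_policies(origin_host TEXT, origin_port INTEGER, "
                      "received_ip_address TEXT); CREATE TABLE reporting_endpoints(id INTEGER);")
    con.close()
    con = sqlite3.connect(os.path.join(db_dir, "Cookies.txt"))  # SQLite behind a misleading extension
    con.execute("CREATE TABLE cookies(host_key TEXT, name TEXT)")
    con.close()
    Path(db_dir, "Preferences").write_text("{}")  # JSON file that a scanner must skip
    return root
```

Running `find_sqlite_files(build_sample_tree())` reports both databases with their table counts and ignores the JSON file.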

Round 2

Reviewer 1 Report

Need to improve the images and graphics before publication

proofread

Author Response

Dear reviewer,

Thank you for your valuable feedback regarding the image and graphics quality in our document. We highly appreciate your input, and we have taken your suggestions seriously to improve the overall presentation of our content.

Here are the actions we have taken in response to your feedback:

  1. Image Quality Improvement: We have revisited all the images in the document to ensure they meet the required standards for resolution and clarity. The source files of the images have been uploaded with this latest version of the document.

  2. Consistency in Styling: To maintain a consistent visual style, we have reviewed the fonts, colors, and sizes used for labels and text within our images and graphics. Any inconsistencies have been addressed to create a cohesive look throughout the document. We have also worked on ensuring a uniform layout and alignment for all charts, graphs, and diagrams.

  3. Enhanced Labeling: Clear labeling is crucial for readers to understand our visuals effectively. We have added or improved titles, captions, and explanations where necessary to provide context and clarity. Furthermore, we have adjusted font sizes to ensure legibility in all labels and annotations.

We believe that these revisions will significantly enhance the quality and visual appeal of our document. We are committed to providing our readers with an informative and visually engaging publication.

Once again, thank you for your constructive feedback.
