Simulation of artefact detection in Viber and Telegram instant messengers in Windows operating systems

Messengers are popular today on mobile devices and traditional computers. Starting as a small text messaging service, they have turned into effective communication channels for both private and corporate users, becoming more than just an SMS replacement. Users entrust to them a huge amount of information, such as a time-based map of activity, photos and other personal data. Messengers changed the way communication is done; they reduce the distance to the user and along with social networks become tools for fraud, spam or blackmail and terrorism. In this regard, it is vital to study instant messengers from a forensic point of view. This research explores and compares two popular messengers: Viber and Telegram, which is rapidly gaining popularity in the criminal world and the darknet as secure message tools. The main purpose of the research is to investigate and analyze potential artefacts remaining during the installation and use of instant messengers, as well as after their uninstallation. The authors have done several experiments to investigate the artefacts in different environments and provide clear explanation of the results. The experiments showed that even though Telegram is considered to be one of the most secure instant messengers, important and useful material on a hard drive and registry remain after complete uninstallation of the application. Exploring Viber artefacts showed up information that helps to restore the whole history of a communication. Moreover, the study confirmed that artefacts are still accessible in Windows after removal of the application. INFORMATION SECURITY