What is ChatGPT?
OpenAI’s ChatGPT is a natural language processing model that first came out on November 20, 2022. The tool is trained to follow an instruction or analyze a prompt, in which it provides a detailed and articulate response to the user. The chatbot has gained a massive user base and is a popular topic within the generative AI landscape. ChatGPT can consider previous chats within a conversation, which allows the model to interact with the user in a conversational way. So far, ChatGPT has been utilized to answer questions about specific topics, write articles, help with code debugging, and much more.
To use ChatGPT, the user is required to make an account or log in with Google, Microsoft, or Apple. When you first create a ChatGPT account, you are required to validate a phone number. A phone number is used for anti-fraud and abuse reasons, and you are only allowed 2 unique OpenAI sign-ups per phone number. Once you create your account, you can use ChatGPT through a web browser on any device that has an internet connection. Your conversation history is saved across devices, meaning you can access previous conversations from one device to another. For iOS users, there is an official ChatGPT app that is now available via the AppStore. This is another way of utilizing ChatGPT, alongside the traditional OpenAI website. OpenAI plans on creating an Android app soon, but has not released it just yet.i
As more people begin to utilize ChatGPT, the more important it is to consider its potentially criminal uses. ChatGPT’s ability to produce detailed and highly authentic texts can make it the ideal tool for receiving information about certain crimes, creating fraudulent information, and producing text for online scams and phishing purposes. As the chatbot gets increasingly more popular, the greater the chance that it will have been utilized on a criminal’s mobile device. So, the question remains:
If ChatGPT was utilized on a mobile device, what artifacts (such as text conversations and user data) could be found, if any? Can any deleted information be recovered?
Forensic Analysis Setup of ChatGPT
Upon logging on to ChatGPT on any device, all previously undeleted conversations will appear in the History tab of the application. It does not matter if the conversations were created using the logged-in device, just as long as they were created at some point using the same account. Once the user begins a new conversation with ChatGPT, the previously opened conversation will automatically be put into the user’s history. Users have the option to clear past conversations that appear in the History tab, which deletes the content across all the user’s devices.
As discussed previously, ChatGPT is available for iOS devices via the official app or through a web browser. Android devices also have access to the tool, but currently just through a web browser. To begin the analysis of ChatGPT, we will analyze the contents of the application in three current states:
- An iOS device using the official ChatGPT app from the AppStore.
- An iOS device using ChatGPT through the Safari application.
- An Android device using ChatGPT through the Chrome application.
The goal will be to create an extraction of each device and examine any ChatGPT artifacts that we can find. Before we can do this, we will need to create content within ChatGPT that we will be able to examine. For each state, we will create the following using the ChatGPT tool:
- A conversation with ChatGPT that will not be deleted.
- A conversation with ChatGPT that will be deleted.
- A conversation with ChatGPT which will be created on a separate device using the same account.
For the iOS device, I will be using an iPhone 8 (A1863) running iOS version 16.5. The iPhone will be using OpenAI’s official ChatGPT app (version 1.2023.23) from the AppStore, as well as ChatGPT through the Safari application at chat.openai.com. For the Android device, I will be using a Samsung Galaxy A03s (SM-S134DL) running Android version 11. The Samsung phone will be using ChatGPT through the Chrome application (version 94.0.4606.85) at chat.openai.com.
Forensic Analysis of ChatGPT on iOS through the Official ChatGPT Application
For the first state, I will be analyzing ChatGPT through the official iPhone application. Upon opening the ChatGPT app from the Appstore, we will log in with an OpenAI account that has no chat history. Next, we will prepare the content within the app for extraction. Below are screenshots of the conversation we will create. The first screenshot shows the conversation which we didn’t delete, the second screenshot displays the second conversation that was deleted from the conversation history, and the third screenshot displays the third and final conversation of ChatGPT being utilized on a separate device, but logged into the same account. This final conversation was created on an iPhone 14 through a web browser.
Anytime you log into ChatGPT with your OpenAI account, your conversation history automatically refreshes. In this case, the app on the iPhone 8 was opened after the third conversation was created on the iPhone 14. Now that we have our three test conversations, we can now create an extraction of the phone to see what we can find. To receive an extraction of the iPhone 8, I first plugged the device into a Cellebrite UFED Device Adapter and started up the Cellebrite UFED software (version 7.65.0.247). The iPhone was then automatically detected and was prompted to start the Advanced Logical File System extraction. Once the extraction was completed, I was able to open the extraction using Cellebrite Physical Analyzer (version 7.62.0.59).
Upon examining the extraction, I was able to search the file system for any data related to OpenAI or the ChatGPT app. Navigating my way to the file path “iPhone/mobile/Containers/Data/Application/com.openai.chat” displayed application information for the ChatGPT app installed on the iPhone. The directory contained various preferences and cookie information, alongside an “Applications Support” folder which contained a subdirectory called “conversations”. The “conversations” folder contained .json files that represented ChatGPT conversations located within the History section of the application. In our case, there were a total of two .json files located within the folder. Below is a screenshot of the filesystem with the files.
The two .json files we found included the title of the conversations, along with each chat message sent to and from ChatGPT and the user. The first file contained information about the first conversation we created and didn’t delete. The second file contained information about the third conversation we created on a separate device, which automatically added itself to the ChatGPT app on the iPhone 8 because it was connected to the same account. I was not able to find any artifacts related to the second conversation that we created and then consecutively deleted. Below are screenshots of the .json files with the corresponding conversation information.
After finding this information, I reserved any content was left in the ChatGPT app and removed the app from the iPhone. Once it was deleted, I took a second extraction of the iPhone to see if any application data remained on the device. The application package in which we found the conversation data was deleted alongside the app. There was a trace of the app left in a database called “applicationState.db” which is located within the “iPhone/mobile/Library/FrontBoard” directory that includes the name of the ChatGPT app package “com.openai.chat”, but nothing more.
Forensic Analysis of ChatGPT on iOS and Android through Web Browsers
Next, we will be examining the use of ChatGPT through the use of web browsers. First, we will be creating the same conversations as we did with the official ChatGPT application, but through the Safari web browser on the iPhone 8. I went to chat.openai.com and logged into the website using the same OpenAI account we used earlier. Before logging in, I ensured that the conversation history had been cleared. I then created the three test conversations: one that isn’t deleted, one that is deleted, and one we create on a separate device that is logged into the same account. Once I had the content ready, I repeated the Cellebrite UFED extraction process to receive another advanced logical filesystem extraction.
Upon opening the extraction using Cellebrite Physical Analyzer, I searched the filesystem for any instance of OpenAI or ChatGPT, focusing on the Safari web application. After looking at the Safari History database located at “iPhone/mobile/Library/Safari/History.db”, I was able to see that the URL “https://chat.openai.com/?model=text-davinci-002-render-sha” was visited at the same timestamps in which the conversations were created within the web browser (verified through screenshots of the conversations). The URL specifies the model ChatGPT was using at the time of the conversations. Unlike the official ChatGPT application, no conversation information could be found; However, finding the specified URL within the web history signifies that ChatGPT was being utilized within the web browser.
Lastly, we will practice the same process on an Android device. I logged into ChatGPT on the Chrome Web Browser using the Samsung Galaxy A03s. Like before, I logged onto ChatGPT using the same OpenAI account I had used previously, which had its conversation history cleared prior to signing in. I then prepared the three test conversations: one that isn’t deleted, one that is deleted, and one we create on a separate device that is logged into the same account. In this case, the process of receiving an extraction of the device will vary from that of the iPhone, as we were able to create a full filesystem extraction which contains a greater amount of information compared to the advanced logical filesystem extraction.
After creating the full filesystem extraction of the Samsung Galaxy A03s, I loaded it within Cellebrite Physical Analyzer to view its contents. I was able to find the Chrome application folder at the path “data/data/com.android.chrome”. After extensively searching the directory for information relating to any of the conversations, the search only resulted in thumbnails of chat.openai.com, open tab information, cached HTML pages, and links pointing to the use of ChatGPT through a web browser. Since we logged into a Google account to use ChatGPT, the email which was utilized was also found within the Chrome Web Data database. After an excessive search of each extraction, I can confidently say that ChatGPT conversation information is not locally available on iOS and Android through the use of a web browser. It is also to note that a full filesystem extraction of an iOS device may result in more information when compared to an advanced logical filesystem, but our iPhone version was too new.
Conclusion
The official ChatGPT app for iPhone allows for conversational information to be extracted from the application. Compared to using ChatGPT through a traditional web browser, the iPhone application stores the contents of past conversations that are linked to one’s OpenAI account. This means that any conversation created using the same account is saved locally to the iPhone application, whether it was created on the local device or not. On iPhones, conversation information can’t be extracted when ChatGPT is utilized through a web browser, as the web application doesn’t actively store local information. The same rules apply on Android devices, as I was not able to find any unique ChatGPT information. However, you will still be able to tell if ChatGPT was being utilized, as web history, login information, and remnants of the website are still left behind.
With the popularity of the ChatGPT tool continuing to grow, it is important to consider extracting information from the ChatGPT app in some cases. With the official Android app around the corner, similar information we obtained from the iOS application could also be available to extract from future Android devices. In some cases, the extracted ChatGPT information may prove to be useful.
References
IIntroducing the ChatGPT app for iOS. OpenAI Blog. (2023, May 18). https://openai.com/blog/introducing-the-chatgpt-app-for-ios