You are on page 1of 5

2015 Sixth International Conference on Emerging Security Technologies

Forensic acquisitions of WhatsApp data on popular


mobile platforms
Adam Shortall, M A Hannan Bin Azhar
Computing, Digital Forensics and Cybersecurity
Canterbury Christ Church University
Canterbury, United Kingdom
Email: a.shortall724@canterbury.ac.uk, hannan.azhar@canterbury.ac.uk

Abstract Encryption techniques used by popular messaging the devices that could be potentially dangerous if used against
services such as Skype, Viber and WhatsApp make traces of individuals, or useful for criminal investigations. This poses
illegal activities by criminal groups almost undetectable. This prospects of forensically examining WhatsApp across multiple
paper reports challenges involved to examine data of the mobile operating systems to see how much personal
WhatsApp application on popular mobile platforms (iOS, information can be gained from them.
Android and Windows Phone) using latest forensic software such
as EnCase, UFED and Oxygen Forensic Suite. The operating There has been a previous study of WhatsApp forensics on
systems used were Windows phone 8.1, Android 5.0.1 (Lollipop) Android [9] systems and is a useful insight into how data is
and iOS 8.3. Results show that due to strong security features stored and encrypted on the device used. The data is stored in
built into the Windows 8.1 system forensic examiners may not be an encrypted state using crypt7 method [8] which must be
able to access data with standard forensic suite and they must the same for the devices to communicate. Another study [10]
decide whether to perform a live forensic acquisition. This paper evaluated several top cross-platform messaging applications,
provides forensics examiners with practical techniques for including the forensic analysis of WhatsApp and in particular
recovering evidences of WhatsApp data from Windows 8.1 when a server was placed between two communicating
mobile operating systems that would otherwise be inaccessible. devices. The study reported eavesdropping of messages being
sent (commonly referred to as a man-in-the-middle attack) by
Keywords Mobile forensics; Forensic tools; WhatsApp
an older version of WhatsApp where the messages were not
forensics; iOS; Android; Windows Phone; Live data forensics
being encrypted. The examinations conducted in [10] didnt
involve recovering data from the device itself but results
I. INTRODUCTION demonstrated how data was stored elsewhere, which had
Modern technology has eased the lives of many, allowing potentials for forensic analysts to explore live data techniques
us to keep in contact with friends and families around the if required.
globe. With its expanded use, we have learnt not attempt to There are a few studies on iPhone forensics such as a study
understand how it works, rather how to utilise it to help us.
by Magnet Forensics [11]. This details how and where
Instant messaging is one of the utilities which have allowed us
messages are stored but is not a comprehensive study and only
to keep in contact over the internet by sending and receiving
messages, photos and videos. WhatsApp is used by 800 million provides a brief comparison between Android and iOS. A
monthly users across multiple platforms in April 2015 [1]. better iOS study [12] utilises two well known tools: Oxygen
There are approximately 1.7 billion people own an Android and UFED. UFED performs a physical examintation of the
mobile phone [2] and 700 million people who utilise Apples hard drive and has a great chance of recovering deleted files,
iPhone [3]. Although Windows has just under 10% of the such as deleted WhatsApp messages. However Oxygen is only
market share for mobile operating systems [4], this translates to a logical exmaintation and will not find deleted data, but it
about 50 million Windows Phone users in the world at the end does contain specialsied functions which operate to
of 2013 [5]. What most users dont understand is what specifically find WhatsApp messages.
information is collected and stored on devices, sitting dormant.
This information is not stored for malicious intent by the Although there is an abundance of forensic analysis for
software, but rather so that backups can be made, or if old WhatsApp, the majority of it is focused upon the Android
messages wish to be viewed. These automatic backups have operating system [13] with a few other studies also analysing
created concerns to individuals when hackers gained access to iOS [11, 12]. The analyses conducted in our investigations
their accounts and released personal images the individuals will be treated as a data recovery techniques, such as one a
were not aware had been backed up [6]. It was also reported forensic team would perform after a crime. The standard
that messaging services like WhatsApp could be used by practice is to utilise recently available forensic software to
organized crime groups to streamline their illegal operations extract the personal data and to demonstrate what is easily
[7] and encryption techniques used by such applications [8]
accessible but this may not be the case always, as strong
made traces of illegal activities almost undetectable. Despite
security features built into some systems can make the data
various challenges it is important to discover what is stored on

978-1-4673-9799-5/15 $31.00 2015 IEEE 13


DOI 10.1109/EST.2015.16
inaccessible by standard forensic suite which left forensic access could be gained to the contents of these messages and
examiners to decide whether to perform a live forensic who sent and received the contents. It was expected that any
acquisition [14]. The act of collecting data from a live system previous messages would be accessible, including archived
should be carefully performed with supporting documentation messages. The examination also looked at messages those
so that the authenticity and integrity of the original data can be were viewed, as WhatsApp has the ability to display when a
validated [15]. Any changes on the original data need be message has been received by the receiver, and read. This
explained by the forensic examiner with regards to their would be useful for investigations, as this would provide
impact on the digital evidence. This paper will demonstrate evidence towards someone claiming they did not read a
the use of live data technique to recover evidences of message, especially if an investigator could see at what time
WhatsApp data from Windows Phone 8.1 (WP 8.1) system by they were viewed. WhatsApp contains the ability for users to
following the good practice guidelines defined by the transfer a range of media files, such as images, audios and
Association Of Chief Police Officers (ACPO) [16]; which is videos. The possibility of recovery of sent and received media
generally considered forensically sound. files were investigated. It was also be useful to see who sent
and received the files, and at what time.
The remainder of the paper are organised as follows:
Section 2 introduces various forensic tools and data used for
the investigation. This section also explains the methodology
used for the examination. Section 3 reports the findings and Operating system
results. Finally, Section 4 concludes the paper with direction to
the future work. WhatsApp
Files
II. FORENSIC TOOLS AND METHODOLOGY
The investigation reported in this paper utilised three
devices: a Nokia Lumia 820 mobile phone running Windows
8.1, an iPhone 5S using iOS 8.3 and a Samsung Galaxy Note 4
using Androids Lollipop (5.0.1) operating system. The Forensic Tool
WhatsApp versions used in the study were 2.11.516.0 for WP Data Extraction
8.1, 2.12.109 for Android and 2.12.3 for iOS. The scenario
was based upon if the devices had been suspected of using
WhatsApp to send and receive illegal files or to plan illegal
activities, and have been found disposed of in a rubbish bin.
The devices had all been used prior to the investigation for a Encryption Key Encrypted Data
minimum of three months, and had been used the day of
uninstallation. Several different types of chats had been set up,
including a group chat. The WhatsApp applications were
uninstalled by holding the applications and pressing the Has the tool
No decrypted
uninstall buttons or dragging the apps to the OS bin,
depending on which operating system was used. Nothing else the text?
was removed or tampered with, other than what was done by Third Party
default by the operating system, so as to represent a suspect Decryption
removing the application in haste. The investigation was Yes
aimed to look at what was stored on devices and not being
transmitted through networks and various tools used attempted
to gain access specific types of information that could be WhatsApp
unique to the user or any contacts that the user had interacted Messages and data
with.
A. WhatsApp Data
Three types of WhatsApp data were attempted to retrieve:
contacts, messages and media files. The aim was to recover Fig. 1. Steps to extract data by forensics tools.
contact lists and personal information, from contacts found on
B. Forensic tools
the devices, which eventually would reveal how much data
regarding individuals were stored. It was expected that names, Various tools were used in attempt to extract WhatsApp
alias, mobile number, e-mail address and date of birth would data. Two major tools were UFED by Cellebrite [17] and
be found, however any other data found about an individual Oxygen by Oxygen Forensics [18]. UFED is a physical tool,
would be useful for investigation. This was important to look which looks at physical data on the hard drive, as opposed to
at how messages were stored by all of the devices, to see if looking at what the operating system is telling it to look at. In
theory this should recover deleted data if it is possible. As

14
UFED was well established with iPhone and Android, this was investigator must provide a mobile phones number as it is
a great tool to see how Windows Phones forensics compares needed for the app installation and messages will not be
to other devices. decrypted back without it.

Another specialized piece of software for mobile forensics III. RESULTS


is Oxygen Forensic Suite [18]. This tool boasts a very large Both UFED and Oxygen forensic systems performed
array of phone choice to forensically analyse and more almost identically, as shown below in Table 1. Both UFED
importantly it contains specific features for WhatsApp and Oxygen found a list of contacts used by WhatsApp for
message decryption. Even though this software was not Android and iOS, but were unable to recover anything from
considered an industry standard or regarded as highly as the Windows device. The same can be said for decrypted
UFED, it was useful for comparative aspects. messages. The software was able to recover message backups
for all three devices but appeared to be unable to recover an
To image mobile devices there were few other tools encryption key for the Windows device. Messages found were
available such as FTK imager [19], EnCase [20] and Linux. the backups of conversations made every day by the device at
FTK Imager is a free tool provided by Access Data utilized for approximately 03:30 am by default; however this could have
imaging devices. All connected internal and external storage been changed through app settings before uninstallation of
devices are added to the evidence tree by this utility. EnCase WhatsApp. These backups were not lost due to uninstallation
is widely used by police units around Great Britain. The process either. So even if the suspect had removed potentially
Windows mobile device was connected to the PC and EnCase incriminating conversations so as not to get caught, but had
7.1 was utilised to attempt to extract data. not removed the backups stored, the conversations should still
be there to be recovered.
C. Layout of Operations
Fig. 1 is a graphical representation of simplified steps TABLE I. PERFORMANCES BY UFED AND OXYGEN
forensic tools take to extract data. Working downwards from
the top, the first section shows the mobile phone which is Data Found Android iOS WP 8.1
being analysed, with WhatsApp data contained inside it. The
forensic tools takes an image of the device and extracts the Contacts   
data that is relevant, in this case step 3 takes the backed up Media   
conversation data and the encryption key. In an ideal situation,
both will have been recovered and the tools decrypt the data. Encrypted Messages   
If it has not been decrypted by the tool, for example the tool Decrypted Messages   
does not support WhatsApp, it is possible to use third party
software to decrypt the data, using the encryption key. The
Once the messages were decrypted they could be viewed
device stores the key to the encryption in a specific location,
using a SQLite viewer which detailed information of who sent
and the forensic tools are able to extract this and use it to
and received the messages, time stamps and when messages
decrypt the file. When tools fail to extract any data external
were read by the receiver. These were displayed in separate
software would be required to decrypt any information found
columns and were easy to interpret. Media was found across
in the messages.
all of the devices, although it was unclear on the iPhone and
D. Live Data Analysis Windows phone as to where the images came from as it was in
Live data forensics should be used as a last resort when the a generic media folder. The Android phone had media saved
software fails to extract the data. This means accessing the into folders as to where it was sent from. It should be noted
device as a normal user would. This has a huge amount of risk however that photos do contain meta-data which can be
involved as an investigator could accidentally remove key bits accessed when the images are extracted via the software, this
of data or change data so that it is no longer viable in court. usually contains information as to who the original owner was.
The important aspect with this is to follow ACPO guidelines
[16]. ACPO guidelines state that there may be circumstances Contacts were found from both the Android and iOS
in which an investigator may need to access original data, but devices, however these were contacts stored on the device for
the person conducting the search should be competent to do other purposes, such as calling or sending SMS outside of
so. This is outlined in principle 2 of the guidelines and can be WhatsApp. Due to the nature of WhatsApp, this was expected,
tied up with principle 3 where an audit trail must be written, so as to send a message to someone using the app, both parties
that any other party conducting the same search will be able to must have the mobile number saved to the devices contact list.
follow the same steps and achieve the same result [16]. This means analysts can compare two devices found to see if
they both contain each others contact number. No contact
The best feature that WhatsApp has from an investigation numbers were found by the forensic tools on the Windows 8.1
point of view is that there are regular backups made of the mobile phone. It was noticed that security features built into
device, so that if the app is uninstalled, message backups can WP 8.1 by Microsoft [21] prevented users from accidentally
be decrypted by the app if it is being reinstalled. For this the removing important files or malicious applications gaining

15
access to data it should not be allowed access to. The An attempt was made to manually image the Windows
Windows system worked based on tiers of security privilege, Phone device using the Linuxs DD command, for example
with the top tier given to the default Windows applications, DD if=/dev/sdb of=/root/Nokia820.dd. However before this
which could open and access any system files, such as stage was reached, there was another issue finding the device.
contacts and messages. Lower tiers had restricted privileges. The command ls l /dev/sd* should have shown all of the
In this case outside applications such as UFED or Oxygen had devices that were attached to the Linux machine, regardless of
no access to anything deemed sensitive. For this reason the if they were mounted or not. In Linux data storage devices are
forensic kits had no better access to information than a generic listed as sd and then a letter. The first storage device, where
computer would by simply plugging the phone in and the OS was installed, would be labelled sda and any
accessing it via the Windows file browsing software. partitions would have a number after it, so for example sda2
would indicate the first hard drive and the second partition.
A. Further Analysis of Windows Phone 8.1
Consequent storage devices would go up in alphabetical order,
Due to problems with the mobile device not allowing any so sdb1 would be the second storage device that has been
forensic software to access system folders where the added to the machine. This was what was expected to display
encryption key was stored, it was decided to attempt to image the Windows Phone as sdb1; instead only the hard drive, sda1
the device using tools such as FTK Imager, EnCase and and its 7 partitions were displayed, no other storage devices
Linux. The hope of this was to create a forensic copy of the were found. This is shown in Fig. 4. The screenshot is from
device, which would hopefully remove any virtual security the Ubuntu version of the Linux operating system, although
that the device used to prevent anything accessing the devices same results were found when we tried on Red Hat and
hard drive. FTK Imager detected the hard drives installed and BackTrack versions of Linux.
external storage, including all partitions on the forensic
computer. The Mobile phone device was not detected by the
software, so it was not possible to make an image of the
device using this program, shown in Fig. 2.

Fig. 4. Devices found by the Linux machine.

B. Live data forensics of WhatsApp on Windows 8.1


Due to not being able to extract evidence using tools,
scripts or any other methods, we had to follow live data
acquisition technique complying with ACPO guidelines [16].
A solid case was built using supporting documentation with
minimal change of the original evidence where possible to
preserve authenticity and integrity during the process. Live
acquisition required reinstallation of the application on the
phone from the app store. A mobile phone number has to be
used (which could be different from suspects number) during
Fig. 2. Data drives discovered by FTK Imager. the installation process and messages would not be decrypted
back without it. Once the number was entered, there was a text
EnCase 7.1 picked up the local HDD labelled as C, an message sent to the device for a verification code and this was
external memory stick labelled as E and the PCs RAM. noted down, as this would also affect the original data. The
There was no indication that the Windows mobile had been next screen detailed the time at which the last backup was
detected (Fig. 3). found; in this case it was the day before at 03:30 am. Once the
restoration option was clicked previous messages and media
used by the suspect were imported from the SD card and then
decrypted and made available to the investigators within the
WhatsApp application. The live acquisition could successfully
retrieve messages from the time of the last backup until when
the app was first installed on the phone; in this case it was
three months worth of data. Media could also be accessed, by
clicking the contacts name when in a chat screen. This
provided a list of thumbnails that had been sent and received
Fig. 3. Data drives discovered by EnCase.

16
by the user. The thumbnails still remained even if the received [5] P. Thurrott, "Windows Phone Device Stats: January 2014,"
http://winsupersite.com/windows-phone/windows-phone-device-stats-
files were deleted; but instead, existed at a significantly lower january-2014, 2014, [Accessed 20 June 2015].
resolution. This also applied to video files found, but only a [6] L. Kelion, "BBC NEWS: Apple toughens iCloud security after celebrity
thumbnail of the original clip remained. Sound recordings breach," http://www.bbc.co.uk/news/ technology-29237469, 2014,
were no longer playable, yet still showed in the conversation, [Accessed 20 June 2015].
once again, unless they had been deleted before the backup. [7] The Spectator, "Camerons reaction to the Charlie Hebdo attacks has
been depressingly predictable," http://blogs.spectator.co.uk/
IV. CONCLUSIONS coffeehouse/2015/01/camerons-reaction-to-the-charlie-hebdo-attacks-
has-been-depressingly-predictable, 2015, [Accessed 20 June 2015].
Results reported in this paper showed methodical [8] M. Ibrahim, "How to Decrypt WhatsApp crypt7 Database Messages,"
approaches to forensically analyse WhatsApp data using http://www.digitalinternals.com/security/decrypt-whatsapp-crypt7-
various tools currently available to forensics investigators. It database-messages/307, 2014, [Accessed 20 June 2015].
was found that in both Android and iOS systems all the [9] N. S. Thakur, ""Forensic Analysis of WhatsApp on Android
Smartphones," University of New Orleans Theses and Dissertations,
evidences were successfully retrieved by UFED and Oxygen New Orleans, 2013.
suite but in Windows Phone 8.1 despite the encrypted file was [10] S. Schrittwieser, P. Fruhwirt, P. Kieseberg, M. Leithner, M. Mulazzani,
found, none of the information was decrypted by the tools due M. Huber and E. Weippl, "Guess Whos Texting You? Evaluating the
to their inaccessibility to the encryption key. It was noted that Security of Smartphone Messaging Applications," in Proceedings of the
security features built into the windows phone system made 19th Annual Symposium on Network and Distributed System Security,
2012.
any third party or forensic software inaccessible to the
[11] Magnet Forensics,"Recovering WhatsApp Forensic Artifacts,
sensitive areas of the phone where the key was stored. http://www.magnetforensics.com/mobile-forensics/ recovering-
Various attempts to image the Windows phone with the hope whatsapp-forensic-artifacts, September 2014, [Accessed 20 June 2015].
to achieve better accessibility were also failed. As a last resort [12] M. Al-Hadadi and A. Al-Shidhani, "Smartphone Forensics Analysis: A
live data acquisition technique was performed complying with Case Study," International Journal of Computer and Electrical
the ACPO guidelines which successfully retrieved all the Engineering, vol. 5, no. 6, pp. 576-580, 2013.
backed up messages in the phone. In future we would like to [13] S. Sahu, "An Analysis of WhatsApp Forensics in Android
Smartphones," International Journal of Engineering Research, vol. 3, no.
perform similar investigations on data recovery of other 5, pp. 349-350, 2014.
popular messaging services and social media applications used [14] E. Casey, G. Fellows, M. Geiger, and G. Stellatos, The growing impact
on mobile devices as these applications also pose potential of full disk encryption on digital forensics, Digital Investigation, 2011,
threats to organise criminal activities. vol. 8, no. 2, pp. 129-134, 2011.
[15] E. Casey, 2007. What does forensically sound really mean?, Digital
REFERENCES Investigation, vol. 4, no. 2, pp. 49-50, June 2007.
[1] Statista, "Number of monthly active WhatsApp users worldwide from [16] Association Of Chief Police Officers, "ACPO Good Practice Guide for
April 2013 to April 2015," http://www.statista.com Digital Evidence," Police Central e-Crime Unit, London, 2012.
/statistics/260819/number-of-monthly-active-whatsapp-users, April [17] UFED4PC by Cellebrite, http://www.cellebrite.com/Mobile-
2015, [Accessed 20 June 2015]. Forensics/Products, [Accessed 20 June 2015].
[2] Statistic Brain Research Institute, "Android Phone Statistics," [18] Oxygen Forensic Suite by Oxygen Forensics, http://www.oxygen-
http://www.statisticbrain.com/android-phone-statistics, March 2015 forensic.com, [Accessed 20 June 2015].
[Accessed 20 June 2015]. [19] FTK Imager by AccessData , http://accessdata.com/solutions/digital-
[3] S. Costello, "How Many iPhones Have Been Sold Worldwide?," forensics/forensic-toolkit-ftk, [Accessed 20 June 2015].
http://ipod.about.com/od/glossary/f/how-many-iphones-sold.htm, March [20] EnCase by Guidance Software, https:// www.guidancesoftware.com/
2015, [Accessed 10 June 2015]. products, [Accessed 20 June 2015].
[4] C. Page, "The Inquirer: Windows Phone market share tumbles almost 10 [21] Microsoft, "Summary of Changes in Code Access Security,"
percent as Lumia sales dry up," http://www.theinquirer.net https://msdn.microsoft.com/en-us/library/ff527276%28v= vs.100%29
/inquirer/news/ 2360573/windows-phone-market-share-tumbles-almost- .aspx, [Accessed 18 June 2015].
10-percent-as-lumia-sales-dry-up, 2014, [Accessed 20 June 2015].

17