WhatsApp Forensics

With more than 1.5 billion users and 5.5 billion messages per day, WhatsApp is without a doubt the most popular messenger in the world. All messages sent using WhatsApp have end-to-end encryption, meaning they are unreadable if intercepted by anyone, including law enforcement and WhatsApp itself. More importantly, WhatsApp communications are never stored on the WhatsApp server. It is no surprise that, with this type of security built into the application, it is often the communication platform of choice for users with nefarious agendas. Keeping that fact in mind, it is imperative that investigators are armed with methods and tools to recover this essential data.

Oxygen Forensics offers the most comprehensive WhatsApp data extraction and decryption tools in the market.

WhatsApp From Mobile Devices

End-to-end encryption, as described, only offers security against a “man-in-the-middle attack”, or simply live interception. However, the data on an Apple iOS or Android device is available in a decrypted format. The problem investigators often face in today’s mobile device examinations involving WhatsApp and other apps is how to overcome a device with a screen lock or device encryption.

When it comes to iOS devices, all WhatsApp data can be extracted in a basic iTunes backup procedure. However, for Android devices, we often recommend a physical extraction method to recover WhatsApp’s evidentiary files. We offer a wide range of physical collection methods that are successful on a large variety of Android devices. Remember, when examining an Android device, always check the SD card for a WhatsApp backup. This file is always encrypted, but we have you covered! You will find information about Oxygen Forensics’ innovative decryption methods below.


WhatsApp data extracted and decrypted from a mobile device.

WhatsApp From Cloud

A WhatsApp user, using an iPhone or Android device, may choose to back up their chats to iCloud or Google Drive. It is important to understand that WhatsApp backups are encrypted by default, and to decrypt them a forensic investigator should have access to the SIM card to which the WhatsApp account is assigned. Armed with this SIM, an investigator can recover and decrypt this valuable WhatsApp data. However, there are other methods to decrypt this recovered data using the WhatsApp Cloud token. This is outlined in more detail in the following paragraphs.

When extracting WhatsApp data from various cloud services, there can be additional hurdles such as two-factor authentication (2FA) or two-step verification. Our Oxygen Forensic Cloud Extractor documentation contains detailed instructions on how to overcome these additional challenges.

Extraction of this valuable cloud data is extremely important. This collection may contain data that has since been deleted from the device, which can easily happen when synchronization is set to run weekly or monthly.


WhatsApp extraction directly from cloud services.

EXCLUSIVE FEATURES

WhatsApp Backup Decryption

The standard WhatsApp backup decryption method used throughout the industry is based on a key file. With our innovative methods, Oxygen Forensics offers a new decryption method that requires only a phone number! This method is a great alternative to the commonly used key file. Case in point: if you have found an encrypted backup on an Android’s SD card but have no access to the Android internal memory where the decryption key is stored, simply use our innovative decryption support. Our Oxygen Forensic Cloud Extractor offers you an exclusive opportunity to decrypt this backup by receiving a code to the phone number assigned to the recovered SIM card.

Not only is data from the device recoverable, but Oxygen Forensic Detective can also recover a special WhatsApp Cloud token from physical extractions of Android devices. This token can be utilized to decrypt WhatsApp backups from Android devices, WhatsApp Google Drive backups, and WhatsApp iCloud backups associated with the same phone number.


WhatsApp backup decryption and display.

WhatsApp Cloud (Server)

It is known that WhatsApp does not store any communications on its server once they have been delivered. Messages and unanswered calls that cannot be delivered (e.g., because the recipient’s device has no Internet connection or is switched off) will be temporarily stored on the server. Oxygen Forensic Detective has the unique ability to access this data from the cloud via only the phone number or the special WhatsApp Cloud token extracted from Android devices.

Recommendation:

If you have a locked mobile device that you cannot acquire, try this: switch it off, wait for a few moments, remove the SIM card and place it into another phone that is unlocked to a carrier. Select the WhatsApp Cloud service in our Cloud Extractor and choose to receive a code to the SIM card. Now you will have access to the undelivered messages, unanswered calls and their contacts.

WhatsApp extraction directly from cloud services.

WhatsApp via QR Token from PC

Users can now access and communicate using WhatsApp Desktop and WhatsApp Web apps from a computer. Our exhaustive research revealed that these apps do not store any databases on the computer being used to communicate. However, with our free Oxygen Forensic KeyScout utility, built into Oxygen Forensic Detective, you can detect a WhatsApp QR token on a computer where WhatsApp was used. This valuable token will allow you to extract complete WhatsApp data in our Cloud Extractor. The only condition is that the WhatsApp owner’s mobile device must have an active Internet connection. If the mobile device is locked, no problem! This WhatsApp QR code method is ideal for data extraction from locked mobile devices. However, if you have an unlocked mobile device but for some reason the extraction continually fails, simply scan the WhatsApp QR code from the device in our Cloud Extractor to acquire all the current WhatsApp data.

Support the Unsupported

Mobile forensic software is often heralded as the end all, do all, completer of all cases. However, the probability that an examiner will be faced with the dissection of an unsupported app is quite great. Let’s take it a step further and point out, at least in a most basic way, how an examiner can uncover valuable data without relying on the automated solution in this often inevitable situation.

In this document we will examine a SQLite database from the built-in browsers of both Android and iOS file systems. Although the examiner has to go the extra mile to find the 0’s and 1’s in the digital haystack, the results are significant to the overall case. These examples can be used with any SQLite database that an examiner might run into during the investigation, so long as it is not encrypted.

The first step in any investigation should be to run a series of search queries to identify relevant material for the case.  This is a necessity. Simply thumbing through the volume of data now found on a mobile device is not practical. I find it extremely beneficial to use Oxygen Forensic® Detective to search within the file content. Searching within files is a necessity to uncover strings within database files that are not fully supported, not supported at all, or simply not decoded.

Figure 1: Search in file content


Figure 2: Database within an app using webkit.

Once you have your search hits and are focused on the files of interest, the deep dive into these files can start. In my example in Figure 1 I used a regular expression ((\W|^)[\w.+\-]{0,25}@(yahoo|hotmail|gmail)\.com(\W|$)) to search for free (i.e. gmail, yahoo, hotmail) email addresses in an effort to uncover any additional addresses of interest. This search uncovered an email address within a database file belonging to the Android built-in browser. The interesting fact about this database is that it is not the stock database for the Android browser, but rather a database created by the browser for the storage of data belonging to mobile-enabled websites. A website within a browser that stores data? Much like a nesting doll, each layer holds a smaller replica of the one that contains it.

Browsers are rife with databases similar to this example when the WebKit platform is utilized. These types of databases are processed by only a few tools, and Oxygen Forensic Detective is one of them. So, if a user used the browser to surf their Facebook account, the examiner will surely miss this data if they are simply looking at the Facebook app that was parsed by the mobile solution. In this example, this artifact, housed in this particular Android browser, is one that very few even realize or understand is available. Again, the critical takeaway is to comprehend the idea that modern mobile browsers from iOS to Android are packed with these user-created artifacts, but few solutions have the ability to even recognize this valuable artifact, let alone automatically parse the information. However, do not just concentrate on stand-alone browsers, but also on the built-in browsers in messaging and other apps.

Let us take a look at an example. Figure 3 shows a database file from the Dolphin browser on an Android device. This file is viewed in Oxygen Forensics® SQLite Viewer. This file hosts the content (yes, content) of gmail messages. Not just the HTML snippet, but the actual message in its entirety. Granted, the data in the database is only going to be the most recently cached emails from when the user visited their email account, but it is possible it contains information critical to your case, and no modern tool at this date will parse and decode this information automatically. This is not the gmail app; the user accessed their gmail page from a browser. Since there are multiple tables that make up a database file, Oxygen Forensic® SQLite Viewer can build and execute SQL queries across a single file and even multiple database files. You can use the built-in query builder to drag and drop tables and match keys without knowledge of a single SQL command. The Visual Query Builder will create the command while you are building the data to be extracted.


Figure 3: Single table of a WebKit database found in the Dolphin Browser for Android.

If you have a strong grasp of SQL and have custom commands, you can use them directly in the SQL Query Editor as shown in Figure 4. So, you do not have to rely on the Visual Query Builder to create the SQL command; just write away to create powerful commands against the database. What is even more impressive is the power to run the query against the free-page area of the main database and the WAL files. What this means to you is: DELETED DATA. So, using this powerful tool built into Oxygen Forensic Detective will be of great assistance.

Figure 4: Complex SQL query from the SQL Query Builder, now used in Oxygen Forensic® SQLite Viewer, creates a powerful query over multiple tables.
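The two points above (the Figure 1 regular expression run over file content rather than only over parsed rows, and deleted records that survive in the free space of the database file) can be reproduced with a few lines of Python. This is an added example, not Oxygen Forensics code: the table layout and the three cached pages are constructed sample data, the page’s regex is kept as written with a named group added so the address itself can be pulled out, and `secure_delete` is set off explicitly so the demonstration does not depend on how the local SQLite library was compiled.

```python
import os
import re
import sqlite3
import tempfile

# Regex from the article; a named group is added around the address so it can be extracted.
FREE_MAIL = re.compile(rb"(?:\W|^)(?P<addr>[\w.+\-]{0,25}@(?:yahoo|hotmail|gmail)\.com)(?:\W|$)")


def build_sample_db(path):
    """Constructed WebKit-style page cache (sample data, not a real device artifact)."""
    conn = sqlite3.connect(path)
    # SQLite's normal default; set explicitly so freed cells keep their bytes (assumption for the demo).
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE CachedPages(id INTEGER PRIMARY KEY, url TEXT, body TEXT)")
    rows = [
        ("https://mail.example/inbox", "From: alice.k@gmail.com Subject: meeting"),
        ("https://mail.example/sent", "To: bob_smith@yahoo.com Re: invoice"),
        ("https://news.example/", "Contact editor@example.org for corrections"),
    ]
    conn.executemany("INSERT INTO CachedPages(url, body) VALUES (?, ?)", rows)
    conn.commit()
    # Simulates the user (or the app) discarding one cached page: the row leaves the table,
    # but without secure_delete its bytes stay in the page's free space.
    conn.execute("DELETE FROM CachedPages WHERE body LIKE '%yahoo%'")
    conn.commit()
    conn.close()


def query_hits(path):
    """What a parser that only walks live rows through SQL can see."""
    conn = sqlite3.connect(path)
    found = set()
    for (body,) in conn.execute("SELECT body FROM CachedPages"):
        found.update(m.group("addr").decode() for m in FREE_MAIL.finditer(body.encode()))
    conn.close()
    return found


def raw_hits(path):
    """Search in file content: main file plus WAL/journal if present, so free space is covered too."""
    found = set()
    for p in (path, path + "-wal", path + "-journal"):
        if os.path.exists(p):
            with open(p, "rb") as f:
                found.update(m.group("addr").decode() for m in FREE_MAIL.finditer(f.read()))
    return found


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Databases.db")
        build_sample_db(path)
        return query_hits(path), raw_hits(path)
```

Calling `demo()` returns the live-row hits (only the gmail address) beside the file-content hits, which also include the yahoo address from the deleted row; the example.org address is correctly outside the regex in both cases.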

These treasure troves are created on the fly, according to the user’s activity. Now, throw in the multitude of Internet browsers, messaging apps, and any other apps with built-in browsers, and it becomes an impossibility that the mobile forensic solution of choice will be able to parse and decode this data in all situations. Again, it comes down to the expert behind the keyboard and their commitment to performing a complete examination.

Oxygen Forensics, Inc. is committed to supporting the forensic community and offers world leading solutions to uncover, recover, and analyze data from mobile devices, cloud services, and IoT devices.