Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /home/dgi1f26tufrt/public_html/articledirectory/system/config.inc.php on line 70
Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /home/dgi1f26tufrt/public_html/articledirectory/system/classmysql.inc.php on line 8
Larry L Miller Article Directory | Forensic guide to WhatsApp data acquisition
Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /home/dgi1f26tufrt/public_html/articledirectory/inc/left.inc.php on line 23
Instant messaging apps have become the de-facto standard of real-time, text-based communications. The acquisition of instant messaging chats and communication histories can be extremely important for an investigation. In this article, we compare the five top instant messaging apps for iOS in the context of their forensic analysis.
ACQUISITION AND EXTRACTION
Speaking of iOS, there are several methods to acquiring communications going through an instant messaging app. The MITM (man-in-the-middle) attack is practically out of the question for most modern instant messaging apps; if there are exceptions, we aren't aware of those. Even on Android devices, a MITM attack would require installing a third-party SSL certificate, and even that may not work for some instant messengers.
The ability to obtain communication histories from the vendor is a great tool in the hands of the law enforcement. The policies of different vendors vary greatly from near-instant full disclosure to flat non-disclosure with stops in between.
Cloud extraction may be possible from several sources, which include iCloud synchronized data (including end-to-end encrypted data), iCloud backups and stand-alone backups in iCloud Drive. It's up to the vendor to decide where and how to store the data; more on that later.
Finally, the data can be extracted from the iPhone device itself. For some messaging apps, logical extraction via iTunes-style backups is enough, while some other messengers don't store anything in local backups. Imaging the file system (and, in some cases, decrypting the keychain) is always enough to gain full access to conversation histories.
Let us see the extraction options available for thetop instant messaging app, WhatsApp.
Today, WhatsApp is one of the most popular (if not the most popular) instant messaging tools worldwide. While WhatsApp communication is based on the Signal protocol employing end-to-end encryption, that fact alone does not make WhatsApp any more secure than other messaging apps as WhatsApp keeps a backup of its conversation histories, making them easily accessible with several acquisition techniques.
LEGAL REQUESTS: WhatsApp does not store conversation histories on its servers. As a result, only pending (undelivered) messages can be obtained with a legal request.
VENDOR CLOUD: Facebook does not keep WhatsApp conversations on its servers, and cloud acquisition is not generally possible with one exception. Undelivered (pending) messages are still stored on the server, and can be downloaded with forensic software by authenticating as a new WhatsApp client.
LOCAL BACKUPS: More often than not, WhatsApp communication histories show up in both local and cloud iOS backups (there are exceptions).
ICLOUD BACKUPS: Same as above. More often than not, WhatsApp conversation histories can be extracted from iCloud backups.
ICLOUD DRIVE: WhatsApp has an option to save stand-alone, proprietary backups in iCloud Drive. While these backups can be easily downloaded, they are protected with end-to-end encryption. As a result, one must authenticate as a WhatsApp client in order to decrypt the backup (e.g. using Elcomsoft Explorer for WhatsApp). This requires access to the user's registered WhatsApp number.
FILE SYSTEM: WhatsApp does not feature any additional protection to the working database. Once a file system image is captured from the iPhone, extracting and analyzing WhatsApp conversations is straightforward.
The acquisition of the user's WhatsApp communications is easier than average. WhatsApp conversations can be extracted from nearly every available source including local and cloud backups.
Tools required: Elcomsoft iOS Forensic Toolkit and Elcomsoft Phone Viewer; or Elcomsoft Explorer for WhatsApp.
Elcomsoft Explorer for WhatsApp is a tool to download, decrypt and display WhatsApp communication histories. It automatically acquires WhatsApp databases from one or multiple sources, processes information and displays contacts, messages, call history and pictures sent and received. The built-in viewer offers convenient searching and filtering, and allows viewing multiple WhatsApp databases extracted from various sources. Visit https://www.elcomsoft.com/exwa.html to find more information about Elcomsoft Explorer for WhatsApp and try it for free.
Olga Koksharova is involved in security research related to mobile forensics. During the last years, Olga has been busy researching security trends in the world of mobile forensic. Olga is an expert in cryptography and IT security.