A presentation discussing forensic analysis of WhatsApp messenger and its affects (India being primary concern), with focus on the Android platform.

1. WhatsApp Forensics
Presented By
Animesh Shaw (Psycho_Coder)
Digital Evidence Analyst,
@ data64 Cyber Solutions Pvt. Ltd.
psychocoder@outlook.com

2. Discussion Goals
 What is WhatsApp ?
 WhatsApp Stats
 Security & Privacy: Previous Issues
 Real World Threat Scenario
 Why Indians Should be Concerned ?
 Why WhatsApp Forensics ?
 Terminology & Pre-Requisites
 Where to look for evidence ?
 Investigating WhatsApp Data
 Tools of Trade
 Safe guarding Principles
 References

3. What is WhatsApp ?
o An Instant Messaging app for smartphones.
o Requires data connection to send text messages,
images, video, user location and audio media
messages.
o In January 2015, WhatsApp was the most globally
popular messaging app.
o In April 2015, WhatsApp reached 800 million active
users.
o Subsidized by Facebook on February 19, 2014.
o Supported by wide range of mobile platform, like
Android, iPhone, iOS, BlackBerry OS, Windows Phone,
Symbian etc.

4. WhatsApp Stats
o WhatsApp was handling ten billion messages per day
as of August 2012, growing from two billion in April
2012.
o Number of downloads exceeds 100 million on Google
Play.
o In only three years it is among the top 30 free
applications.
o Among the top five free communication
applications on Google Play.
o Facebook Acquired WhatsApp for $19 billion USD.

5. Security & Privacy: Previous Issues
• In May 2011, a security hole was reported which left
WhatsApp user accounts open for session hijacking.
• In September 2011, it was reported that forged messages
could be sent.
• German Tech site The H demonstrated how to use
WhatsAPI to hijack any WhatsApp account on September
14, 2012.
• On 1st December 2014, Indrajeet Bhuyan and Saurav Kar,
both 17-year old teenagers, demonstrated the WhatsApp
Message Handler Vulnerability, which allows anyone to
remotely crash WhatsApp just by sending a specially
crafted message of 2kb in size.

6. Security & Privacy: Previous Issues (contd.)
• In February 2015, a Dutch university student named
Maikel Zweerink published an app that set out to
prove that anyone can track a WhatsApp user's status
and also keep an eye of their changing profile
pictures, privacy settings or status messages
regardless of their privacy settings
• WhatsApp message database AES encrypted file uses
the same key for all the installations.

7. Real World Threat Scenario - 1

8. Real World Threat Scenario - 2
• MAC address is a unique identifier assigned to your
phone or other device that essentially serves as its
online identity.
• MAC Spoofing is a Threat.
• Gaining Physical access to Victims Phone. Get MAC
Info and Spoof it in your own Smart phone.
• Using Busybox and Terminal Emulator change MAC of
ethernet interface.
• Reinstall WhatsApp on your phone and configure.
• Get confirmation code and erase from victims phone.
• Re-establish your previous MAC Address.

9. Why Indians Should be Concerned ?
• According to current statistics WhatsApp got
maximum exposure in India. Pic below shows
download stats (Jan. 2015)
• With 65 million active users, about 10% of the total
worldwide users, India is the largest single country in
terms of number of users

10. Why Indians Should be Concerned ? (contd.)

11. Why WhatsApp Forensics ?
• Huge active user base (>800 Million)
• Ability to share Video, Image or data
which might contain explicit content.
• Identify various data security issues in
instant messaging applications on the
Android and other Mobile platform which
aid in forensic investigations

12. Why WhatsApp Forensics ? (contd.)
• With more updates other privacy issues
could be developed.
• Research required to build better tools.
• Runs on multiple platform with different
file system.
• New Exploits/Privacy Hacking issues are
coming every now and then.

13. Terminology & Pre-Requisites
o ADB (Android Debug Bridge)
o Database (SQLite)
o Imaging/Cloning
o Android Developer Mode
o Encryption
o Symmetric
o Asymmetric

14. Where to look for evidence ?
• All the WhatsApp data is stored in either “Internal
Phone Storage” or in the SD card.
• Location:- /storage/emulated/0/WhatsApp/

15. Where to look for evidence ? (contd.)
• Crypt8 files encrypted with AES algorithm with a
256 bit key.
• Key:-
346a23652a46392b4d73257c67317e352e33724
82177652c
• Key in stored in
/data/data/com.whatsapp/files/key
• Retrieving key requires rooted android phone.
• Media folders contain Images, calls, videos etc.
• Rooted Android phone contains unencrypted
database.
• Wa.db contains WhatsApp contacts.

16. Where to look for evidence? (contd.)
• Android Volatile Memory Acquisition :-
– Need for Live acquisition ?
– Applications including WhatsApp start with boot.
– Background data consumption and chat logs can
be found in system RAM.
– Deleted messages still present in volatile
memory.
– Can be retrieved partially I not fully.

17. Investigating WhatsApp Data
• Clone Android Storage using AccessData FTK.
• Retrieve WhatsApp related data and many more.
• Using Andriller
Enable Developer Mode on Phone.
Enable Debugger Mode.
Connect to Phone.
Accept RSA Fingerprint on Phone.
Click on check and the device serial
Is detected.
Click Go to acquire a backup of your
Android data.

18. Investigating WhatsApp Data (contd.)
• Reports Created
• Several forensically important data can be retrieved.

19. Investigating WhatsApp Data (contd.)
• Decrypting WhatsApp .db.crypt8

20. Investigating WhatsApp Data (contd.)
• Using WhatsApp Viewer.
• Decrypts all data. Requires .NET Framework
• Need to supply “key” file separately.
• Requires to be compiled.

21. Investigating WhatsApp Data (contd.)
• Using WhatsApp Key/DB Extractor. Applicable for
Android version 4+.
• Provide a method for WhatsApp users to extract their
cipher key on NON-ROOTED Android devices. Once key
has been extracted we can use Andriller or WhatsApp
Viewer to recover data.

22. Investigating WhatsApp Data (contd.)
• Check for Steganography
– Images
– Videos
– Audio
– Text

23. Tools of Trade
• Andriller :- Android Forensic Tools
• WhatsApp Key/DB Extractor :- Extraction of Key
from NON-ROOTED phones.
• WhatsApp-Viewer :- Retrieves encrypted messages.
• Wforenic :- Web based forensic tool to retrieve
whatsapp data.
• SQLite Data Browser
• AccessData FTK Imager or Other cloning software.
• LiME :- Volatile Memory Capture tool for Android.

24. Safe guarding Principles
• Be cautious about what you share.
• Remember the Internet is permanent.
• Exercise caution when clicking on links.
• Install Anti Virus Apps like CM Security/Dr.
Safety.
• Don’t ignore warnings from Malware Scanners.
• Don’t reveal personal information.
• When in doubt, throw it out.
• Learning about Security and Forensics. Getting
ourselves aware of different threats.
• Become aware of the law that you might be
violating unknowingly.

25. References
• https://en.wikipedia.org/wiki/WhatsApp
• https://www.magnetforensics.com/mobile-
forensics/recovering-whatsapp-forensic-artifacts
• http://www.securitybydefault.com/2012/05/whatsapp-
forensics.html
• http://www.whatsapp-viewer.com/
• http://www.digitalinternals.com/security/decrypt-
whatsapp-crypt8-database-messages/419/
• http://forum.xda-developers.com/showthread.php?
t=2770982
• http://forum.xda-developers.com/showthread.php?
t=2588979

26. Any Queries ?

27. Thank You