Forensic Analysis of WhatsApp SQLite Databases on the Unrooted Android Phones

Hasan Fayyad-Kazan, Sondos Kassem-Moussa, Hussin J. Hejase, Ale J. Hejase

Abstract


WhatsApp is the most popular instant messaging mobile application all over the world. Although it was originally designed for simple and fast communication, its privacy features, such as end-to-end encryption, have eased private and unobserved communication for criminals aiming to commit illegal acts. In this paper, a forensic analysis of the artefacts left by the encrypted WhatsApp SQLite databases on unrooted Android devices is presented. In order to provide a complete interpretation of the artefacts, a set of controlled experiments was performed to generate them. Once generated, their storage location and database structure on the device were identified. Since the data is stored in an encrypted SQLite database, its decryption is discussed first. Then, the methods of analyzing the artefacts are presented, aiming to understand how they can be correlated to cover all the possible evidence. The results show how to reconstruct the list of contacts, the history of exchanged textual and non-textual messages, and the details of their contents. Furthermore, this paper shows how to determine the properties of both the broadcast and the group communications in which the user has been involved, as well as how to reconstruct the logs of the voice and video calls.

 

DOI: 10.28991/HIJ-2022-03-02-06

Full Text: PDF


Keywords


Android; Instant Messaging; Mobile Forensics; SQLite Databases; WhatsApp Messenger.




Copyright (c) 2022 Hasan Kazan