Forensics Analysis of WhatsApp in Android Mobile Phone
Samarjeet Yadav1, Satya Prakash2, Neelam Dayal3 and Vrijendra Singh4
17mcs11@gmail.com, satyaprakas@gmail.com, neelamdayal@cas.res.in, vrij@iiita.ac.in
1 Department of Computer Science and Engineering, Centre for Advanced Studies, Lucknow
2 Department of Information Technology, IIIT-Allahabad, PrayagRaj, India
Abstract. One of the popularly known social media platforms is WhatsApp. It has many features such as chat, calling, video calling, multimedia messages, location-sharing, documents etc. At present, there are 1.5 billion WhatsApp users across the world. A newly added feature in WhatsApp allows the sender to delete sent messages within 1 hour from the receiver's end, where it will show "This message was deleted". This feature provides the facility to delete messages that were sent unknowingly. But this mechanism is also imposing challenges for law enforcement and policymakers. The deleted messages may contain digital evidence to trace the cybercrime, which will be hard to retrieve at the receiver's end when it is deleted by the sender. In this research paper, we propose to analyze the artefacts of the WhatsApp database using various forensics tools and compare the efficiency of the tools, i.e. which one is able to reconstruct the chronology of the WhatsApp database.
Keywords: Digital Forensics, WhatsApp, acquisition, mobile forensic, extraction
I. Introduction
WhatsApp is a social messenger application having a 1.5-billion user base across the world. Two former employees of Yahoo, Brian Acton and Jan Koum, founded WhatsApp in 2009. The first version 2.0 of WhatsApp was launched in 2009. In the year 2014, Facebook acquired WhatsApp for US$19 billion. The overall timeline with respect to WhatsApp is shown in Fig. 1. Earlier, the WhatsApp data was prone to hacking, but nowadays, with advanced security mechanisms enforced, the data transmitted in WhatsApp messages is encrypted. WhatsApp uses end-to-end encryption so that no third party can access the chats between two users. Hence, every user can choose end-to-end encryption of messages in WhatsApp.

WhatsApp has many features such as chats, audio calls, video calls, multimedia, documents, location sharing etc. Along with these features, WhatsApp also added a new feature: if the sender sends a message and deletes it within 1 hour, then it will be deleted at the receiver's end too, and it will show "This message was deleted" at both ends.
Whenever the user installs WhatsApp, it will automatically synchronize all the contacts from the user's device after registering the number on that device. When WhatsApp is installed on a device, a folder named com.whatsapp will be created under internal storage at the path Android/data/com.whatsapp; in this folder there is the unique key to decrypt the msgstore database.
Earlier, the messages of WhatsApp were stored in an SQLite database named 'msgstore.db', but this database was not very secure and was easily decrypted by a third party. Therefore the user's data, i.e. all chats, contacts and other artefacts, were easily accessible to hackers in earlier versions of WhatsApp. To counter this, WhatsApp came up with the new concept of end-to-end encryption to protect the user database. Now, WhatsApp is using the AES encryption algorithm for end-to-end encryption to give high security to the user's database. Due to this encryption mechanism, the database, which was earlier named msgstore.db, is renamed to the msgstore.db.crypt12 file. This crypt file is not as simple to access as msgstore, because this database file is encrypted with the user's unique key. Every user has a unique key by which the user can decrypt the database file such as msgstore.db.crypt. The unique key is located in the internal storage of the phone at Android/data/com.whatsapp/files/key.
In this paper, we analyze the artefacts of the WhatsApp database using the WhatsApp DB/Extractor and Belkasoft Evidence Center tools. The aim of this analysis was to compare the efficiency of the tools with respect to reconstruction of the chronology of
The overall paper is divided into five sections. Section II discusses the literature survey. Section III describes the methodology of our work. Section IV presents the analysis results, followed by the conclusion and future work in Section V.
II. Literature Survey
F. Karpisek et al. [1] described how the network traffic of WhatsApp can be decrypted. An analyst can obtain forensic WhatsApp artefacts related to the calling feature, which include WhatsApp phone numbers along with call termination, server IPs, audio codec and call duration. The authors explained the methods and some tools for decrypting the call traffic. They analyzed and examined the authentication process of WhatsApp clients, discovered which codec is used and, with the help of the full handshake between client and server, analyzed the addresses of clients obtained from relay servers. They got some interesting findings after analysis, such as call duration metadata and date-time stamps, and the relay server IP addresses used during the call in WhatsApp.
Anglano et al. [2] deal with WhatsApp Messenger on Android smartphones in their research paper, where they analyzed the WhatsApp artefacts and discussed how an analyst can reconstruct the list of contacts as well as the chronology of messages exchanged by the user. This correlation was helpful for the investigator to correlate the chat databases with log file information and to determine when a message was exchanged and which user exchanged it. However, this paper has the limitation that it does not explain the acquisition process and hash function.
Daniel Walnycky et al. [3] discussed in their paper the acquisition of the WhatsApp database and other social messengers; they acquired and analyzed the device data and network traffic of some popular instant messaging applications on Android smartphones. After analysis, they reconstructed the data of some applications and tested them. Some of the applications reflect poorly on security and privacy measures, but this was good for evidence collection purposes. They showed that data such as screenshots, passwords, videos, pictures, audio sent, messages sent, profile pictures and more could be reconstructed or intercepted. They did analysis on 20 apps, in which they found that 16 apps did not encrypt their data. After the experiment on 20 apps, they found only 4 out of 20 applications encrypted their network traffic using HTTPS encryption with SSL certificates, whereas the 16 other apps tested did not encrypt their data.
Rusydi Umar et al. [4] showed a comparative study of forensic tools for WhatsApp analysis on the basis of NIST parameters. The authors used three forensic tools for the comparative study, i.e. WhatsApp DB/Extractor, Belkasoft Evidence, UFED and Oxygen Forensic. After the comparison, the authors found Belkasoft Evidence is much better than Oxygen Forensic Suite and WhatsApp DB/Extractor based on the NIST parameters. Belkasoft Evidence has both types of acquisition and it meets all the criteria based on the NIST parameters. WhatsApp DB/Extractor only has logical acquisition, whereas Oxygen Forensic has both physical and logical acquisition but is costly, and they find Belkasoft Evidence is better in terms of performance and cost as compared to the other two tools.
Shubham Sahu et al. [5] discussed the forensic analysis of WhatsApp Messenger using the WhatsApp DB/Extractor tool. In this research paper, the database of WhatsApp was extracted through this tool, and along with it the key was also extracted. msgstore.db contains the whole database of chats, whereas wa.db contains the complete contact list of the phone that was used in WhatsApp. After extraction, the database could be viewed through WhatsApp Viewer. In WhatsApp Viewer, the author browsed to the location of the database file and viewed it along with the contact list from the wa.db file, which is optional, and finally through WhatsApp Viewer the analyst is able to see all the messages and the contact list and can analyze further.
The authors of [4],[5]-[12],[13]-[20] discussed briefly the acquisition and the reconstruction of the chronology of the database. They also discussed the way of analysis in social messenger forensics, where the forensic investigator can easily analyze the data in a digital forensic investigation.
III. Methodology
This paper proposes a technique and method to analyze the artefacts of WhatsApp-deleted data using existing tools. The new feature added by WhatsApp, i.e. the facility to delete a message within 1 hour, also deletes it from the receiver's end.

This feature gives any user who sends a message by mistake the advantage of immediately deleting it. However, in spite of having this advantage, the feature also has a disadvantage, as it can also be used to commit a crime, and it will be hard to know the deleted message and its exact text. The proposed methodology is to analyze the artefacts of the WhatsApp database using various forensics tools and compare the efficiency of the tools, i.e. which one is able to reconstruct the chronology of the WhatsApp database.
There are certain tools such as Belkasoft Evidence Center, WhatsApp DB/Extractor, UFED, Oxygen Forensics Suite etc. For forensic analysis, we are using two tools: WhatsApp DB/Extractor and Belkasoft Evidence Center.
For this purpose, we have implemented these tools on different mobile devices such as VIVO 1601, Asus Zenfone Max Pro M2, Nokia XL and Mi Max 2. Further, we will compare the tools and find out their accuracy and performance.
As WhatsApp is using end-to-end encryption to secure the user's database, it won't be possible for any normal person to see the database messages. Hence, to decrypt the msgstore.db.crypt file we need the unique key, which is located in internal storage at Android/data/com.whatsapp/files/key, but as we discussed, it is not easy to retrieve this unique key.
Method1:- Root the device
Rooting can be done to gain access as root, but it is a very difficult task, as smartphones nowadays have the latest and sensitive technology, and rooting carries a risk of data loss. After rooting, it will be very easy to obtain the key, and we can decrypt the msgstore.db.crypt file with the help of WhatsApp Viewer.
Method2:- Backup the WhatsApp data
The second method is to create a backup of the WhatsApp data. After that, we can analyse the data through the existing tools.
Method3:- Acquire the data through tools
The third method is to acquire the data through the WhatsApp DB/Extractor tool. Here, the data acquisition is easy but the analysis part is difficult.
A. WhatsApp DB/Extractor
Prerequisites:
1. O/S: Windows Vista, Windows 7, Windows 8, Windows 10, Mac OS X or Linux
2. Ensure Java is installed
3. Install ADB (Android Debug Bridge) and drivers
4. USB Debugging must be enabled on the target device
5. Android device with Android 4.0 or higher
Steps to acquire the database through WhatsApp DB/Extractor:
• Install WhatsApp DB/Extractor
• Extract "WhatsApp-Key-DB-Extractor-master.zip"
• Connect your device via USB, unlock your screen and wait for "Full back up" to appear
• Enter your backup password or leave it blank
• Confirm the backup password in your command console and then check your "extracted" folder
Fig. 2 Connect mobile device
Fig. 2 shows that WhatsApp DB/Extractor is asking to connect a device; as soon as the device is connected, it will automatically start running.
Fig. 3 Installing legacy WhatsApp
Fig. 3 shows that the device is connected and the tool automatically starts to install the legacy WhatsApp, which temporarily downgrades the version of WhatsApp on the device. The size of the legacy WhatsApp is 17.4 MB.
Fig. 4 Unlock the device to confirm the backup
Fig. 4 shows that the legacy WhatsApp is installed successfully on the device. Now, it will ask to unlock the device and confirm the backup operation from the device.
Fig. 5 Password for backing up the data
Fig. 5 shows that the device is successfully unlocked and is asking for a password to proceed with creating a full backup. The password must match in both places, i.e. on the device and in the tool; only then will it proceed and create the full backup of the mobile with the whole database and key of WhatsApp.
B. Belkasoft Evidence Center
Belkasoft Evidence Center is one of the strongest tools, which can acquire all the data from a mobile device and gives the option to choose the social messenger application that we have to analyze.
Fig. 6 The option of acquisition from different sources
Fig. 6 shows the different options from which we can acquire the data for analysis: it shows the options of drive, mobile device and cloud. As we have to do WhatsApp analysis of an Android phone, we select mobile device and Android. To acquire the database, we have to connect the mobile device, or we can acquire from a target folder.
Fig. 7 Acquisition process after connecting the device
Fig. 7 shows the next step, in which the device is connected and the option to store the file on your PC is chosen; as soon as the investigator clicks on Start, it will start backing up the data and it will ask for permission to take a full backup, which should be done without entering any password.
Fig. 8 Option on which the investigator wants to analyze
In Fig. 8, after backing up the data, it will ask about the options the investigator wants to analyze. Choose WhatsApp from the options and click on Finish. Now the analysis part comes, in which the investigator has to analyze the data deeply; with the help of time, one can match which data was deleted from the sender's end.
To analyze the data and to find out the accuracy of the tools, we utilized the size of the WhatsApp database for both tools.
After implementing these tools on mobile devices, we got the key with the help of WhatsApp DB/Extractor, as shown in Fig. 9. Along with the key, we extracted the database by using its unique key. The size of the extracted database is 107 MB for the VIVO 1601 device, whereas by using Belkasoft Evidence Center the database size is 107 MB.
Fig. 9 Extracted database and its key
Fig. 9 shows the extracted database and the unique key of WhatsApp for that particular device. Here, msgstore is the database in which all the conversations between sender and receiver are stored, whereas the key file is named WhatsApp and its type is CRYPTKEY file. Now, with the help of WhatsApp Viewer, we analysed the conversations of the VIVO 1601 device and we reconstructed the deleted messages.
The problem with WhatsApp DB/Extractor is that we cannot retrieve documents and videos. However, images can be retrieved, but the quality of the image will be degraded.
The analysis of both tools is done with the help of a database of 107 MB. The obtained database of the chronological conversation between sender and receiver is 47 MB with WhatsApp DB/Extractor and 105 MB with Belkasoft Evidence Center.
The formula for computing the accuracy of both tools is as follows:
Accuracy = (DBO * 100) / DBT
where DBT refers to the total database size of the device extracted through the tools and DBO refers to the obtained database of conversation between sender and receiver.
WhatsApp DB/Extractor accuracy = (47 * 100) / 107 = 43.92%
Belkasoft Evidence Center accuracy = (105 * 100) / 107 = 98.13%
Table 1 Accuracy results
Tool                    Total Database   Obtained Database   Accuracy in %
WhatsApp DB/Extractor   107 MB           47 MB               43.92
BEC                     107 MB           105 MB              98.13
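As an added illustration of the two analysis steps described in this section (reconstructing the chronology of a decrypted msgstore database and computing the accuracy metric), the following Python is not code from the paper or from either tool. The messages table and its rows are a constructed stand-in with a hypothetical, simplified schema, not WhatsApp's real one; the DBT/DBO values are the sizes reported above.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows standing in for a decrypted msgstore.db. The schema is a
# hypothetical simplification (not WhatsApp's real one): timestamps are Unix ms,
# from_me=1 marks a sent message, and a NULL text marks a message the sender revoked.
SAMPLE_ROWS = [
    ("contact-a@s.whatsapp.net", 0, 1554100000000, "Meet at 5?"),
    ("contact-a@s.whatsapp.net", 1, 1554100060000, "ok"),
    ("contact-a@s.whatsapp.net", 0, 1554100120000, None),
    ("contact-b@s.whatsapp.net", 1, 1554099990000, "hello"),
]

def load_sample_db():
    """Build an in-memory SQLite database mimicking a simplified messages table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, remote_jid TEXT, "
                "from_me INTEGER, timestamp INTEGER, data TEXT)")
    con.executemany("INSERT INTO messages (remote_jid, from_me, timestamp, data) "
                    "VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def reconstruct_chronology(con):
    """Order every message by timestamp across all chats and flag revoked ones."""
    query = "SELECT remote_jid, from_me, timestamp, data FROM messages ORDER BY timestamp"
    chronology = []
    for jid, from_me, ts_ms, text in con.execute(query):
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        chronology.append({
            "time": when.strftime("%Y-%m-%d %H:%M:%S"),
            "chat": jid,
            "direction": "sent" if from_me else "received",
            "deleted": text is None,
            "text": text if text is not None else "This message was deleted",
        })
    return chronology

def accuracy(total_db_mb, obtained_db_mb):
    """Accuracy as defined in the paper: obtained database size as a percentage of
    the total extracted size, truncated to two decimals as the paper reports it."""
    return int(obtained_db_mb * 100 / total_db_mb * 100) / 100

if __name__ == "__main__":
    for m in reconstruct_chronology(load_sample_db()):
        print(m["time"], m["chat"], m["direction"], m["text"])
    print("WhatsApp DB/Extractor accuracy:", accuracy(107, 47), "%")
    print("Belkasoft Evidence Center accuracy:", accuracy(107, 105), "%")
```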