Forensics analysis of WhatsApp in Android mobile phone

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June, 2019

Forensics Analysis of WhatsApp in Android Mobile Phone

Samarjeet Yadav1, Satya Prakash2, Neelam Dayal3 and Vrijendra Singh4
17mcs11@gmail.com, satyaprakas@gmail.com, neelamdayal@cas.res.in, vrij@iiita.ac.in
Department of Computer Science and Engineering, Centre for Advanced Studies, Lucknow
Department of Information Technology, IIIT-Allahabad, PrayagRaj, India

Electronic copy available at: https://ssrn.com/abstract=3576379

Abstract

One of the popularly known social media platforms is WhatsApp. It has many features such as chat, calling, video calling, multimedia messages, location sharing, documents etc. At present, there are 1.5 billion WhatsApp users across the world. A newly added feature in WhatsApp allows the sender to delete sent messages within hour from the receiver's end, where it will show "This message was deleted". This feature provides the facility to delete messages that were sent unknowingly. But this mechanism also imposes challenges for law enforcement and policymakers. The deleted messages may hold the digital evidence needed to trace a cybercrime, which will be hard to retrieve at the receiver's end once the sender has deleted it. In this research paper, we propose to analyze the artefacts of the WhatsApp database using various forensics tools and compare the efficiency of the tools, i.e. which one is able to reconstruct the chronology of the WhatsApp database.

Keywords: Digital Forensics, WhatsApp, acquisition, mobile forensic, extraction

I. Introduction

WhatsApp is a social messenger application having a 1.5-billion user base across the world. Two former employees of Yahoo, Brian Acton and Jan Koum, founded WhatsApp in 2009. The first version 2.0 of WhatsApp was launched in 2009. In the year 2014, Facebook acquired WhatsApp for US$19 billion. The overall timeline of WhatsApp is shown in Fig. 1. Earlier the WhatsApp data was prone to hacking, but nowadays, with advanced security mechanisms enforced, the data transmitted in WhatsApp messages are encrypted. WhatsApp uses end-to-end encryption so that no third party can access the chats between two users. Hence, every user can choose end-to-end encryption of messages in WhatsApp. WhatsApp has many features such as chats, audio calls, video calls, multimedia, documents, location sharing etc. Along with these features, WhatsApp also added a new feature: if the sender sends a message and within hour that message is deleted by the sender, then it will be deleted at the receiver's end too and it will show "This message was deleted at both ends".

Whenever the user installs WhatsApp, it will automatically synchronize all the contacts from the user's device after registering the number on that device. When WhatsApp is installed on a device, a folder named com.whatsapp will be created under internal storage at the path Android/Data/com.WhatsApp; in this folder there is the unique key to decrypt the msgstore database. Earlier the messages of WhatsApp were stored in an SQLite database named 'msgstore.db', but this database was not very secure and was easily decrypted by third parties. Therefore the user's data, i.e. all chats, contacts and other artefacts, were easily accessible to hackers in earlier versions of WhatsApp. To counter this, WhatsApp came up with the new concept of end-to-end encryption to protect the user database. Now, WhatsApp is using the AES encryption algorithm for end-to-end encryption to give high security to the user's database. Due to this encryption mechanism, the database, which was earlier named msgstore.db, is renamed to the msgstore.db.crypt12 file. This crypt file is not as simple to access as msgstore, because this database file is encrypted with the user's unique key. Every user has a unique key by which the user can decrypt the database file such as msgstore.db.crypt. The unique key is located in the internal storage of the phone at Android/data/com.whatsapp/files/key.

In this paper, we analyze the artefacts of the WhatsApp database using the WhatsApp DB/Extractor and Belkasoft Evidence Center tools. The aim of this analysis was to compare the efficiency of the tools with respect to reconstruction of the chronology of WhatsApp. The overall paper is divided into five sections. Section II discusses the literature survey. Section III describes the methodology of our work. Section IV presents the analysis results, followed by the conclusion and future work in Section V.

II. Literature Survey

The proposed algorithm involves two steps: [A] Watermark Embedding and [B] Watermark Extraction. It works by applying a Simplistic Fourier Transformation followed by Singular Value Decomposition.

F. Karpisek et al. [1] described how the network traffic of WhatsApp is decrypted. An analyst can obtain forensic WhatsApp artefacts that relate to the calling feature, which also include WhatsApp phone numbers along with call termination, server IPs, audio codec and call duration. The authors explained the methods and some tools for decrypting the traffic of a call. They analyzed and examined the authentication process of WhatsApp clients, discovered which codec is used and, with the help of the full handshake between client and server, analyzed the addresses of clients from relay servers. They got some interesting findings after analysis, such as call duration metadata and datetime stamps, and the relay server IP address used during call signalling in WhatsApp.

Anglano et al. [2] deal with WhatsApp Messenger on Android smartphones in their research paper, where they analyzed the WhatsApp artefacts and discussed how an analyst can reconstruct the list of contacts as well as the messages exchanged by the user, for the chronology. This correlation was helpful for the investigator to match the chat databases with log file information and to determine when a message was exchanged and which user exchanged it. However, this paper has the limitation that it does not explain the acquisition process and hash function.

Daniel Walnycky et al. [3] discussed in their paper the acquisition of the WhatsApp database and of other social messengers; they acquired and analyzed the device data and network traffic of some popular instant messaging applications on Android smartphones. After analysis, they reconstructed some applications and tested them. Some of them reflect poorly on security and privacy measures, but this was positive for evidence collection purposes. They showed the reconstructed or intercepted data such as screenshots, passwords, videos, pictures, audio sent, messages sent, profile pictures and more. They did analysis on 20 apps, in which they found 16 apps did not encrypt their data. After the experiment on 20 apps, they found only out of 20 applications encrypted their network traffic using HTTPS with SSL certificates, whereas the 16 apps tested did not encrypt their data.

Rusydi Umar et al. [4] showed a comparative study of forensic tools for WhatsApp analysis on the basis of NIST parameters. The authors used three forensic tools for the comparative study, i.e. WhatsApp DB/Extractor, Belkasoft Evidence, UFED and Oxygen Forensic. After the comparison, the authors found Belkasoft Evidence is much better than Oxygen Forensic Suite and WhatsApp DB/Extractor based on the NIST parameters. Belkasoft Evidence has both types of acquisition and meets all the criteria based on the NIST parameters. WhatsApp DB/Extractor only has logical acquisition, whereas Oxygen Forensic has both physical and logical acquisition but is costly; they found Belkasoft Evidence better in terms of performance and cost as compared to the other two tools.

Shubham Sahu et al. [5] discussed the forensic analysis of WhatsApp Messenger using the WhatsApp DB/Extractor tool. In his research paper, the database of WhatsApp was extracted through this tool, and along with it the key was also extracted. msgstore.db contains the whole database of chats, whereas wa.db contains the contact list of the phone that was used with WhatsApp. After extraction, the database could be viewed through WhatsApp Viewer. In WhatsApp Viewer, he browsed to the location of the database file and viewed it along with the contact list from the wa.db file, which was optional, and finally through WhatsApp Viewer the analyst was able to see all the messages and the contact list and analyze further.

The authors of [4], [5]–[12], [13]–[20] discussed briefly acquisition and reconstructing the chronology of the database. They also discussed ways of analysis in social messenger forensics where the forensic investigator can analyze the data easily.

III. Methodology

This paper proposes a technique and method to analyze the artefacts of WhatsApp-deleted data using existing tools. The new feature added by WhatsApp, i.e. the facility to delete a message within hour, also deletes it from the receiver's end. This feature gives any user who sends a message by mistake the advantage of immediately deleting it. However, in spite of this advantage, the feature also has a disadvantage, as it can also be used to commit a crime, and it will be hard to know the deleted message and its exact text. The proposed methodology is to analyze the artefacts of the WhatsApp database using various forensics tools and compare the efficiency of the tools, i.e. which one is able to reconstruct the chronology of the WhatsApp database. There are certain tools, namely Belkasoft Evidence Center, WhatsApp DB/Extractor, UFED, Oxygen Forensics Suite etc. For forensic analysis, we are using two tools: WhatsApp DB/Extractor and Belkasoft Evidence Center.
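The methodology's stated goal is to reconstruct the chronology of a WhatsApp database and to tell which messages the sender later deleted. As an added example, not code from this paper, from WhatsApp DB/Extractor or from Belkasoft, the following Python script builds a constructed in-memory SQLite database shaped like the legacy msgstore.db `messages` table and reconstructs the per-chat timeline, flagging revoked messages whose text is gone but whose metadata (chat, direction, time) survives. The column names (key_remote_jid, key_from_me, data, timestamp in milliseconds, media_wa_type), the revoked-message type value 15, and the sample rows and JIDs are assumptions and constructed data; newer WhatsApp versions use a different schema, so check the decrypted database at hand before relying on these names.

```python
import sqlite3
from datetime import datetime, timezone

# Assumption: subset of the legacy WhatsApp for Android msgstore.db "messages"
# table. Newer app versions use a different schema.
SCHEMA = """
CREATE TABLE messages (
    _id            INTEGER PRIMARY KEY,
    key_remote_jid TEXT    NOT NULL,   -- chat partner / group identifier
    key_from_me    INTEGER NOT NULL,   -- 1 = sent by device owner, 0 = received
    data           TEXT,               -- message text (NULL for media / revoked)
    timestamp      INTEGER NOT NULL,   -- Unix epoch in milliseconds
    media_wa_type  INTEGER NOT NULL DEFAULT 0
);
"""

# Assumption: media_wa_type value stored when the sender used "delete for
# everyone"; the receiver's UI shows "This message was deleted" for such rows.
MEDIA_TYPE_REVOKED = 15

# Constructed sample rows: fictional JIDs and times, not real data.
SAMPLE_ROWS = [
    (1, "919900000001@s.whatsapp.net", 1, "Meet at 6?", 1559300000000, 0),
    (2, "919900000001@s.whatsapp.net", 0, "ok", 1559300060000, 0),
    (3, "919900000001@s.whatsapp.net", 0, None, 1559300120000, MEDIA_TYPE_REVOKED),
    (4, "919900000002@s.whatsapp.net", 1, None, 1559299000000, 1),  # image, no text
]


def build_sample_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def reconstruct_chronology(conn, jid=None):
    """Return all messages (or one chat's) ordered oldest first.

    Each entry carries a UTC ISO timestamp so the timeline can be lined up
    with other evidence, plus a flag for messages the sender revoked."""
    query = ("SELECT _id, key_remote_jid, key_from_me, data, timestamp, media_wa_type "
             "FROM messages")
    params = ()
    if jid is not None:
        query += " WHERE key_remote_jid = ?"
        params = (jid,)
    query += " ORDER BY timestamp ASC, _id ASC"  # _id breaks ties deterministically

    timeline = []
    for _id, rjid, from_me, data, ts_ms, wa_type in conn.execute(query, params):
        timeline.append({
            "id": _id,
            "chat": rjid,
            "direction": "sent" if from_me else "received",
            "time_utc": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
            "text": data,
            "media_type": wa_type,
            "revoked": wa_type == MEDIA_TYPE_REVOKED,
        })
    return timeline


def revoked_messages(timeline):
    """Rows whose content is gone but whose chat, direction and time survive."""
    return [m for m in timeline if m["revoked"]]


def chats(conn):
    """Distinct chat identifiers with message counts, most active first."""
    rows = conn.execute(
        "SELECT key_remote_jid, COUNT(*) FROM messages "
        "GROUP BY key_remote_jid ORDER BY COUNT(*) DESC, key_remote_jid").fetchall()
    return [(jid, n) for jid, n in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for jid, n in chats(db):
        print(f"chat {jid}: {n} messages")
        for m in reconstruct_chronology(db, jid):
            body = ("<deleted by sender>" if m["revoked"]
                    else (m["text"] or f"<media type {m['media_type']}>"))
            print(f"  {m['time_utc']}  {m['direction']:8}  {body}")
```

Against a real decrypted msgstore.db, replace `build_sample_db()` with `sqlite3.connect("msgstore.db")` on a read-only working copy; the ordering by timestamp is what lets an analyst place a "This message was deleted" row between the surrounding messages even though its text is absent.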
For this purpose, we have implemented these tools on different mobile devices such as the VIVO 1601, Asus Zenfone Max Pro M2, Nokia XL and Mi Max 2. Further, we will compare the tools and find out their accuracy and performance. As WhatsApp is using end-to-end encryption to secure the user's database, it won't be possible for any normal person to see the database messages. Hence, to decrypt the msgstore.db.crypt file we need the unique key, which is located in internal storage at Android/data/com.whatsApp/file/key, but as we discussed, it is not easy to retrieve this unique key.

Method 1: Get access to the root. Rooting can be done to gain access as root, but it is a very difficult task, as smartphones nowadays have the latest and sensitive technology that can risk loss of data. After rooting, it will be very easy to know the key, and we can decrypt msgstore.db.crypt with the help of WhatsApp Viewer.

Method 2: Back up the WhatsApp data. The second method is to create a backup of the WhatsApp data. After that, we can analyse the data through the existing tools.

Method 3: Acquire the data through tools. The third method is to acquire the data through the WhatsApp DB/Extractor tool. Here, the acquisition of data is easy but the analysis part is difficult.

A. WhatsApp DB/Extractor

Prerequisites:
• O/S: Windows Vista, Windows 7, Windows 8, Windows 10, Mac OS X or Linux
• Ensure Java is installed
• Install ADB (Android Debug Bridge) and drivers
• USB Debugging must be enabled on the target device
• Android device with Android 4.0 or higher

Steps to acquire the database through WhatsApp DB/Extractor:
• Install WhatsApp DB/Extractor
• Extract "WhatsApp-Key-DB-Extractor-master.zip"
• Connect your device via USB, unlock your screen and wait for "Full back up" to appear
• Enter your backup password or leave blank
• Confirm the backup password in your command console and then check your "extracted" folder

Fig. 2: Connect mobile device

Fig. 2 shows that WhatsApp DB/Extractor is asking to connect a device; as soon as the device is connected, it will automatically start running.

Fig. 3: Installing legacy WhatsApp

Fig. 3 shows that the device is connected and the tool automatically starts to install the legacy WhatsApp, which temporarily downgrades the version of WhatsApp on the device. The size of the legacy WhatsApp is 17.4 MB.

Fig. 4: Unlock the device to confirm the backup

Fig. 4 shows that the legacy WhatsApp is installed successfully on the device. Now, it will ask to unlock the device and confirm the backup operation from the device.

Fig. 5: Password for backing up the data

Fig. 5 shows that the device is successfully unlocked and is asking for a password to proceed with creating a full backup. The password should match in both places, i.e. on the device and in the tool; only then will it proceed and create the full backup of the mobile with all the databases and the key of WhatsApp.

B. Belkasoft Evidence Center

Belkasoft Evidence Center is one of the strongest tools; it can acquire all the data from a mobile and gives the option to choose the social messenger application that we have to analyze.

Fig. 6: The option of acquisition from different sources

Fig. 6 shows the different options from which we can acquire the data for analysis: drive, mobile device and cloud. As we have to do WhatsApp analysis of an Android phone, we select mobile device and Android. To acquire the database, we have to connect the mobile device, or we can acquire from the target folder.

Fig. 7: Acquisition process after connecting the device

Fig. 7 shows the next step, in which the device is connected and we choose the option to store that file on the PC; as soon as the investigator clicks on start, it will start backing up the data and will ask permission to take a full backup, without entering any password.

Fig. 8: Options the investigator wants to analyze

In Fig. 8, after backing up the data, it asks about the options the investigator has to analyze. Choose WhatsApp from the options and click on finish. Now the analysis part comes, in which the investigator has to analyze it deeply and, with the help of time, one can match which data was deleted from the sender's end. To analyze the data and to find out the accuracy of the tools, we used the size of the WhatsApp database for both tools.

IV. Results & Analysis

After implementing these tools on mobile devices, we got the key with the help of WhatsApp DB/Extractor, as shown in Fig. 9. Along with the key, we extracted the database by using its unique key. The size of the extracted database is 107 MB for the VIVO 1601 device, whereas by using Belkasoft Evidence Center the database size is 107 MB.

Fig. 9: Extracted database and its key

Fig. 9 shows the extracted database and the unique key of WhatsApp for that particular device. Here, msgstore is the database in which all the conversation between sender and receiver is stored, whereas the key file is named WhatsApp and its type is CRYPTKEY. Now, with the help of WhatsApp Viewer, we analysed the conversation of the VIVO 1601 device and reconstructed the deleted messages. The problem with WhatsApp DB/Extractor is that we cannot retrieve documents and videos. However, images can be retrieved, but the quality of the image will be degraded.

The analysis of both tools was done with the help of a database of 107 MB. The obtained database of chronological conversation between sender and receiver is 47 MB in WhatsApp DB/Extractor and 105 MB in Belkasoft Evidence Center. The formula for computing the accuracy of both tools is as follows:

Accuracy = (DBT – DBO) * 100 / DBT

where DBT refers to the total database size of the device extracted through the tools, and DBO refers to the obtained database of conversation between sender and receiver.

WhatsApp DB/Extractor: Accuracy = (47 * 100) / 107 = 43.92%
Belkasoft Evidence Center: Accuracy = (105 * 100) / 107 = 98.13%

Table 1: Accuracy results

Tool                    Total Database   Obtained Database   Accuracy in %
WhatsApp DB/Extractor   107 MB           47 MB               43.92%
BEC                     107 MB           105 MB              98.13%

As shown in Table 1, the accuracy of Belkasoft Evidence Center is 98.13%, which is far better than WhatsApp DB/Extractor's 49.92%. The chronological conversation in Belkasoft Evidence Center includes all instant messages, i.e. text, images and documents. Following are some interesting findings based on the analysis.

Finding 1: After testing WhatsApp DB/Extractor on many Android mobile devices, we got to know that it can't extract the database and unique key if the device has Android version or more.

Finding 2: After deep analysis, we found the images in WhatsApp DB/Extractor are in PNG format, whereas in Belkasoft images are in JPG format, which justifies that Belkasoft provides higher-quality image retrieval.

Finding 3: After comparing both tools, we found that Belkasoft Evidence Center gives more details than WhatsApp DB/Extractor. Hence it provides more accuracy.

Finding 4: These tools are not able to extract the database from many devices, such as the Nokia XL, because it has a lower version.

V. Conclusion

We compared different tools through which we can retrieve the data, and we found WhatsApp DB/Extractor is much faster compared to Belkasoft Evidence Center, but for deep analysis Belkasoft is much more efficient than WhatsApp DB/Extractor. Therefore, the accuracy of Belkasoft Evidence Center is higher. An analyst is able to reconstruct the chronology of the WhatsApp database using these tools. In future work, we will analyse Android version and above, and we will do practical work on different OSes along with different mobile devices. We will also analyze performance based on NIST parameters.

References

[1] F. Karpisek, I. Baggili, and F. Breitinger, "WhatsApp network forensics: Decrypting and understanding the WhatsApp call signalling messages," Digit. Investig., vol. 15, pp. 110–118, 2015.
[2] C. Anglano, "Forensic analysis of WhatsApp Messenger on Android smartphones," Digit. Investig., 2014.
[3] D. Walnycky, I. Baggili, A. Marrington, J. Moore, and F. Breitinger, "Network and device forensic analysis of Android social-messaging applications," Digit. Investig., vol. 14, no. S1, pp. S77–S84, 2015.
[4] R. Umar, I. Riadi, and G. Maulana, "A Comparative Study of Forensic Tools for WhatsApp Analysis using NIST Measurements," Int. J. Adv. Comput. Sci. Appl., vol. 8, no. 12, pp. 69–75, 2018.
[5] M. S. Sahu, "An Analysis of WhatsApp Forensics in Android Smartphones," Int. J. Eng. Res., vol. 3, no. 5, pp. 349–350, 2015.
[6] H. Singh, "Analysis of WhatsApp Log File for Information," vol. 7, no. April, pp. 475–486, 2018.
[7] F. C. Tsai, E. C. Chang, and D. Y. Kao, "WhatsApp network forensics: Discovering the communication payloads behind cybercriminals," Int. Conf. Adv. Commun. Technol. ICACT, vol. 2018-February, pp. 679–684, 2018.
[8] A. Shortall and H. Azhar, "A forensic analysis of iOS, Android and Windows Phone to extract WhatsApp data," vol. 3, no. April, p. 2015, 2015.
[9] G. B. Satrya, P. T. Daely, and S. Y. Shin, "Android forensics analysis: Private chat on social messenger," Int. Conf. Ubiquitous Futur. Networks, ICUFN, vol. 2016-August, no. April 2018, pp. 430–435, 2016.
[10] N. Patel, S. Patel, and W. L. Tan, "Performance Comparison of WhatsApp versus Skype on Smart Phones," 2018 28th Int. Telecommun. Networks Appl. Conf., pp. 1–3, 2019.
[11] M. Raji, H. Wimmer, and R. J. Haddad, "Analyzing Data from an Android Smartphone while Comparing between Two Forensic Tools," Conf. Proc. - IEEE SOUTHEASTCON, vol. 2018-April, pp. 1–6, 2018.
[12] T. S. Neha, "Forensic analysis of WhatsApp Messenger on Android smartphones," Digit. Investig., 2014.
[13] A. Mahajan, M. S. Dahiya, and H. P. Sanghvi, "Forensic Analysis of Instant Messenger Applications on Android Devices," Int. J. Comput. Appl., 2013.
[14] O. Peter E., "Forensics Analysis of Skype, Viber and WhatsApp Messenger on Android Platform," Int. J. Cyber-Security Digit. Forensics, 2018.
[15] L. S. Khoo, A. H. Hasmi, M. S. Mahmood, and P. Vanezis, "Underwater DVI: Simple fingerprint technique for positive identification," Forensic Sci. Int., 2016.
[16] Y. N. Kunang and A. Khristian, "Implementasi prosedur forensik untuk analisis artefak Whatsapp pada ponsel android," in Annual Research Seminar, 2016.
[17] N. S. Thakur, "Forensic analysis of WhatsApp Messenger on Android smartphones," Digit. Investig., 2014.
[18] M. S. Chang and C. Y. Chang, "Forensic Analysis of LINE Messenger on Android," J. Comput., 2018.
[19] A. R. Pratama, "Whatsapp Forensics: Eksplorasi Sistem Berkas Dan Basis Data Pada Aplikasi Android Dan Ios," J. Teknoin, 2016.
[20] T. Dargahi, A. Dehghantanha, and M. Conti, "Forensics Analysis of Android Mobile VoIP Apps," in Contemporary Digital Forensic Investigations of Cloud and Mobile Applications, 2016.
[21] K. L. S., H. A. H., M. M. S., and V. P., "Underwater DVI: Simple fingerprint technique for positive identification," Forensic Sci. Int., 2016.
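Method 3 and the WhatsApp DB/Extractor steps in Section III end with an "extracted" folder holding the key file and the encrypted msgstore database, and the literature survey faults [2] for leaving out the acquisition process and hash function. As an added example, not code from this paper or from any tool it names, the following Python script records a SHA-256 manifest of that folder and checks that the key file and the crypt12 container belong to the same device before any decryption is attempted, which is the point at which an analyst should notice a wrong or damaged key rather than after a failed decrypt. The file lengths and offsets (158-byte key file with the AES key in its last 32 bytes, a 32-byte identifier at key bytes 30–62 mirrored at container bytes 3–35, the IV at container bytes 51–67, a 67-byte header and a 20-byte trailer) are assumptions taken from the open-source crypt12 decrypter tools and should be verified against the samples at hand; the files the script writes are random bytes laid out in that shape, not real WhatsApp data, and the file name whatsapp.cryptkey follows the paper's description of the key file.

```python
import hashlib
import os
import secrets
import tempfile

# Assumptions about the artefact layout (from open-source crypt12 decrypters;
# verify against real samples before relying on them).
KEY_FILE_SIZE = 158            # expected length of the extracted key file
KEY_AES_OFFSET = 126           # 32-byte AES key occupies the end of the key file
KEY_IDENT = slice(30, 62)      # 32-byte identifier also embedded in the container
DB_IDENT = slice(3, 35)
DB_IV = slice(51, 67)          # 16-byte IV for the container's AES-GCM stream
DB_HEADER_LEN = 67
DB_TRAILER_LEN = 20            # authentication tag plus trailing bytes


def sha256_file(path):
    """Stream a file through SHA-256 so a large database need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(folder):
    """Name, size and SHA-256 of every file below folder, sorted by relative name."""
    entries = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            entries.append({
                "name": os.path.relpath(path, folder).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return sorted(entries, key=lambda e: e["name"])


def check_key_file(key_bytes):
    """Return a list of problems; an empty list means the key file looks plausible."""
    problems = []
    if len(key_bytes) != KEY_FILE_SIZE:
        problems.append(f"key file is {len(key_bytes)} bytes, expected {KEY_FILE_SIZE}")
    elif key_bytes[KEY_AES_OFFSET:] == bytes(32):
        problems.append("AES key bytes are all zero")
    return problems


def check_db_pairing(key_bytes, db_bytes):
    """Does this key file belong to this crypt12 container, and how does it split?"""
    if len(db_bytes) < DB_HEADER_LEN + DB_TRAILER_LEN:
        return {"matches": False, "reason": "container shorter than header + trailer"}
    matches = key_bytes[KEY_IDENT] == db_bytes[DB_IDENT]
    return {
        "matches": matches,
        "reason": "" if matches else "identifier in key file differs from container header",
        "iv": db_bytes[DB_IV].hex(),
        "ciphertext_len": len(db_bytes) - DB_HEADER_LEN - DB_TRAILER_LEN,
    }


def make_sample_extraction(folder, payload_len=4096):
    """Write constructed files in the expected shape (random bytes, not real data)."""
    ident = secrets.token_bytes(32)
    key = bytearray(secrets.token_bytes(KEY_FILE_SIZE))
    key[KEY_IDENT] = ident
    db = bytearray(secrets.token_bytes(DB_HEADER_LEN + payload_len + DB_TRAILER_LEN))
    db[DB_IDENT] = ident
    with open(os.path.join(folder, "whatsapp.cryptkey"), "wb") as f:
        f.write(key)
    with open(os.path.join(folder, "msgstore.db.crypt12"), "wb") as f:
        f.write(db)


def run_demo():
    """Acquire-then-verify on a temporary folder; returns what an analyst would log."""
    with tempfile.TemporaryDirectory() as folder:
        make_sample_extraction(folder)
        manifest = build_manifest(folder)
        with open(os.path.join(folder, "whatsapp.cryptkey"), "rb") as f:
            key = f.read()
        with open(os.path.join(folder, "msgstore.db.crypt12"), "rb") as f:
            db = f.read()
    # A key file from a different device: same length, different identifier.
    other_key = key[:KEY_IDENT.start] + bytes(32) + key[KEY_IDENT.stop:]
    return {
        "manifest": manifest,
        "key_problems": check_key_file(key),
        "pairing": check_db_pairing(key, db),
        "wrong_key_pairing": check_db_pairing(other_key, db),
    }


if __name__ == "__main__":
    result = run_demo()
    for e in result["manifest"]:
        print(f"{e['sha256']}  {e['size']:>10}  {e['name']}")
    print("key file problems:", result["key_problems"] or "none")
    print("key/container pairing:", result["pairing"])
    print("with a foreign key file:", result["wrong_key_pairing"])
```

Run `build_manifest()` on the real "extracted" folder immediately after acquisition and again before analysis; a changed digest between the two runs means the artefact was altered, which is the evidence-integrity record that Section II notes is missing from [2].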

Posted: 28/01/2022, 14:01