The smartphone app WhatsApp has become a major concern for forensic investigations. This app, owned by Facebook, is a cross-platform messaging app providing encrypted communications, Internet voice calls, unlimited texting and multimedia file sharing. Savvy users know that their communications are encrypted and may exploit this feature for their own needs. This knowledge, and the fact that there is no cost to the end user, have increased its popularity.
Smartphones run the app locally and may store photos, video and voice messages, but the text content of WhatsApp is encrypted and not natively available for review via a forensic image of the phone. By reviewing the evidence directly on the phone, you can see the content, but doing so can negatively affect the authenticity of the data. This potentially creates tampering and spoliation issues when entering it into evidence. On the forensic image, photos, videos, and voice messages can be painstaking to reconcile, even with forensic tools, since these are extracted without a timestamp or sender information.
Conversely, text content may be available from the WhatsApp cloud, but multimedia content such as video and voice messages is deleted from the server once sent to the recipient. So again, the relationship between message and content is broken and needs to be reconciled manually.
If the phone’s owner is cooperative and provides the phone on which the app is active along with the passwords, it is possible to collect encrypted content. Without this cooperation, collection is not impossible, but it will be difficult.
The app can also be used on a computer through WhatsApp Web, once the user allows access via the phone and a QR code. Chats can be backed up to iCloud and Google cloud as well, presenting multiple avenues to possibly collect relevant WhatsApp content.
At ITAcceleration, we use both Cellebrite and Oxygen Forensics tools for smartphone investigations. The forensic tool vendors are constantly updating their toolsets to keep pace with WhatsApp updates. Compatibility between devices, the Android and iOS operating systems, and the versions of WhatsApp adds to the forensic challenges. Our first step is to call each vendor with the make/model and operating system version of the phone being investigated and the version of WhatsApp to see what capabilities each has to recover data directly from the phone.
Like all apps, WhatsApp is constantly changing. The success of collecting WhatsApp data for investigations depends on the version of the app, the cooperation of the user, and active profiles and phones.