An Analysis of WhatsApp Forensics in Android Smart
Abstract — WhatsApp is a mobile application which allows the exchange of messages, videos, audio and images via smartphone. The increased use of IM on Android phones has turned out to be a goldmine for mobile and computer forensic investigators. This paper focuses on conducting forensic data analysis by extracting useful information from WhatsApp and from similar applications installed on the Android platform.

Keywords — WhatsApp, Android Forensics, WhatsApp Security, Data Security.

I. Introduction

WhatsApp allows text messaging and the sending of image, video and audio media messages. The application is available for Android, Blackberry, iOS, Symbian (s60), and Windows phone. WhatsApp Inc. was founded in 2009 by Brian Acton and Jan Koum, both veterans of Yahoo!

People are exchanging information like images, videos, activities and events. But despite getting connected with friends for more and more time, their privacy is also getting more vulnerable to threats by hackers and cyber criminals.

There is no restriction on the length and number of messages one can exchange and no carrier IM fees apply. One does not need to install a SIM card to use WhatsApp; the only requirements are a supported phone, an internet connection and storage space on the phone to download the application.

WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP). After WhatsApp is installed on a mobile, it creates a user account using the phone number as the username (ID: [phone number]@s.whatsapp.net). WhatsApp automatically synchronizes all the phone numbers from the user's phonebook with its centralized database of WhatsApp users to add contacts to the user's WhatsApp contact list.

Previously, WhatsApp messages were not encrypted: data was sent and received in plaintext, so messages could easily be read if packet traces were available.

WhatsApp NOW AND BEFORE

WhatsApp data is stored in the internal memory of the mobile phone. After it is installed, it automatically synchronizes with the phone's contacts, showing users who are already using WhatsApp.

When a mobile with WhatsApp installed is turned on, the "com.whatsapp" process receives a signal to start the 'ExternalMediaManage' and 'MessageService' services, which run in the phone's background as long as the phone is turned on.

Before

Starting with WhatsApp version 2.9, the messages exchanged were stored in 'msgstore.db', which is an SQLite database. But in early versions security researchers found that the chat records handled by WhatsApp were vulnerable, because the database file which saves the chat conversations was not encrypted and could easily be accessed in many ways to get the whole conversation details, including images, videos, contacts and so on. As this news hit the internet, security researchers started investigating the WhatsApp database (msgstore.db) to retrieve conversations, even ones deleted from the chat option. But WhatsApp reacted soon and came up with an encryption mechanism to protect its database.

Now

Now, according to officials of WhatsApp, they are taking conversation database security very seriously. WhatsApp database encryption now uses a custom AES encryption algorithm with above 192-bit encryption key, mainly used for the WhatsApp Android platform. So the previous file msgstore.db is now converted to msgstore.db.crypt.

II. Material and Methodology

The major problem after obtaining the file msgstore.db.crypt is its decryption. Thanks go to Francesco Picasso, who made a tool to decrypt SQLite database files and present them in an organized HTML form. The tool works for both encrypted and decrypted database files. The WhatsApp Database Encryption Project has made known a vulnerability in the Android implementation of the AES cipher: the 192-bit key can be detected by performing either static or active analysis on the software package.

A Python script uses this same key to decrypt the encrypted db file and presents the result in a well-organised HTML page. The paper implies that the same encryption key is used for all WhatsApp installations on Android. In this methodology, we have used this Python tool to decrypt and read our encrypted database, and it was done successfully with the latest version of WhatsApp, 2.11.186. We can alternatively read the database files through the 'SQLite browser', but the timestamps and representation of data are not straightforward. Another advantage of the WhatsApp Xtract tool is that all the media contents that are exchanged are displayed on the HTML page itself; one does not have to look into the media folder separately. The tool can be useful in comparing the data we analyze.

Finding the information:

WhatsApp stores all its chats in an SQLite database. The path of the database file differs from platform to platform.

Android: (/sdcard/WhatsApp/Databases/msgstore.db.crypt)
iOS: (Application/net.whatsapp.WhatsApp/Documents/ChatStorage.sqlite)

Main Features:

- WhatsApp database can be inspected for both iOS (ChatStorage.sqlite) and Android (msgstore.db & wa.db) devices;
- Emoticons and attachments (images / video / audio / gps / contacts) are shown in the message content.

How to use:

As soon as the execution of the bat file or command is completed, all your WhatsApp backup data will be decrypted and will be displayed in the default browser on your computer.
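The methodology notes that a decrypted msgstore.db can be opened directly in an SQLite browser, but that its timestamps and data representation are not straightforward. The following is an added example, not code from the paper or from WhatsApp Xtract, showing how an examiner can check whether a file is plaintext SQLite and render message rows readably. The table and column names (messages, key_remote_jid, key_from_me, data, timestamp), the millisecond epoch timestamps and the sample rows are assumptions about the legacy schema and are not given on this page.

```python
import sqlite3
from datetime import datetime, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any plaintext SQLite file

def is_plain_sqlite(header: bytes) -> bool:
    """True for a plaintext SQLite header; an encrypted .crypt backup fails this."""
    return header[:16] == SQLITE_MAGIC

def jid_to_phone(jid: str) -> str:
    """Strip '@s.whatsapp.net' from an account ID, leaving the phone number."""
    user, _, domain = jid.partition("@")
    return user if domain == "s.whatsapp.net" else jid

def read_messages(conn: sqlite3.Connection) -> list:
    """Return messages oldest first, with timestamps converted to UTC strings."""
    # Assumed legacy schema: table 'messages'; timestamp is epoch milliseconds.
    rows = conn.execute(
        "SELECT key_remote_jid, key_from_me, data, timestamp "
        "FROM messages ORDER BY timestamp"
    )
    out = []
    for jid, from_me, text, ts_ms in rows:
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        out.append({
            "peer": jid_to_phone(jid),
            "direction": "sent" if from_me else "received",
            "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "text": text,
        })
    return out

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data, not taken from a real device."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, "
        "key_from_me INTEGER, data TEXT, timestamp INTEGER)"
    )
    conn.executemany(
        "INSERT INTO messages (key_remote_jid, key_from_me, data, timestamp) VALUES (?,?,?,?)",
        [("15555550100@s.whatsapp.net", 1, "on my way", 1400000060000),
         ("15555550100@s.whatsapp.net", 0, "where are you?", 1400000000000)],
    )
    return conn

if __name__ == "__main__":
    for msg in read_messages(build_sample_db()):
        print(msg)
```

On a real exhibit, run this against a working copy of the database opened read-only, and record the file hash before and after.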