WhatsApp Forensic

WhatsApp Forensics. Presented by Animesh Shaw (Psycho_Coder), Digital Evidence Analyst @ data64 Cyber Solutions Pvt. Ltd.


Page 1: WhatsApp Forensic


Page 2: WhatsApp Forensic

Discussion Goals
• What is WhatsApp ?
• WhatsApp Stats
• Security & Privacy: Previous Issues
• Real World Threat Scenario
• Why Indians Should be Concerned ?
• Why WhatsApp Forensics ?
• Terminology & Pre-Requisites
• Where to look for evidence ?
• Investigating WhatsApp Data
• Tools of Trade
• Safe guarding Principles
• References

Page 3: WhatsApp Forensic

What is WhatsApp ?
• An instant messaging app for smartphones.
• Requires a data connection to send text messages, images, video, user location and audio media messages.
• In January 2015, WhatsApp was the most globally popular messaging app.
• In April 2015, WhatsApp reached 800 million active users.
• Acquired by Facebook (deal announced February 19, 2014).
• Supported on a wide range of mobile platforms: Android, iPhone (iOS), BlackBerry OS, Windows Phone, Symbian etc.

Page 4: WhatsApp Forensic

WhatsApp Stats
• WhatsApp was handling ten billion messages per day as of August 2012, growing from two billion in April 2012.
• Number of downloads exceeds 100 million on Google Play.
• In only three years it is among the top 30 free applications.
• Among the top five free communication applications on Google Play.
• Facebook acquired WhatsApp for $19 billion USD.

Page 5: WhatsApp Forensic

Security & Privacy: Previous Issues

• In May 2011, a security hole was reported which left WhatsApp user accounts open for session hijacking.

• In September 2011, it was reported that forged messages could be sent.

• German Tech site The H demonstrated how to use WhatsAPI to hijack any WhatsApp account on September 14, 2012.

• On 1 December 2014, Indrajeet Bhuyan and Saurav Kar, both 17-year-old teenagers, demonstrated the WhatsApp Message Handler vulnerability, which allows anyone to remotely crash WhatsApp just by sending a specially crafted message of 2 KB in size.

Page 6: WhatsApp Forensic

Security & Privacy: Previous Issues (contd.)

• In February 2015, a Dutch university student named Maikel Zweerink published an app that set out to prove that anyone can track a WhatsApp user's status and also keep an eye on their changing profile pictures, privacy settings or status messages, regardless of their privacy settings.

• The original WhatsApp message database format (msgstore.db.crypt) was AES encrypted with the same key on every installation, so any copy of the file could be decrypted without access to the device.

Page 7: WhatsApp Forensic

Real World Threat Scenario - 1

Page 8: WhatsApp Forensic

Real World Threat Scenario - 2

• A MAC address is a unique identifier assigned to your phone's network interface and effectively serves as the device's identity on the network.

• MAC spoofing is a threat. The scenario:
• Gain physical access to the victim's phone and note its MAC address.
• Using BusyBox and Terminal Emulator, change the MAC of your own phone's network interface to match it.
• Reinstall WhatsApp on your phone and configure it.
• Get the confirmation code from the victim's phone and erase it there.
• Restore your previous MAC address afterwards.

Page 9: WhatsApp Forensic

Why Indians Should be Concerned ?

• According to current statistics WhatsApp has its largest reach in India. The picture below shows download stats (Jan. 2015).

• With 65 million active users, about 10% of the total worldwide users, India is the largest single country in terms of number of users

Page 10: WhatsApp Forensic

Why Indians Should be Concerned ? (contd.)

Page 11: WhatsApp Forensic

Why WhatsApp Forensics ?
• Huge active user base (>800 million).
• Ability to share video, images or data which might contain explicit content.
• Identify various data security issues in instant messaging applications on Android and other mobile platforms which aid in forensic investigations.

Page 12: WhatsApp Forensic

Why WhatsApp Forensics ? (contd.)

• Each new version can introduce further privacy issues.
• Research is required to build better tools.
• Runs on multiple platforms with different file systems.
• New exploits and privacy hacking issues appear every now and then.

Page 13: WhatsApp Forensic

Terminology & Pre-Requisites

• ADB (Android Debug Bridge)
• Database (SQLite)
• Imaging/Cloning
• Android Developer Mode
• Encryption
  – Symmetric
  – Asymmetric

Page 14: WhatsApp Forensic

Where to look for evidence ?

• The shared WhatsApp folder (media and encrypted database backups) is stored either in "Internal Phone Storage" or on the SD card; the app's private data (live databases, key file) lives under /data/data/com.whatsapp/ and is only reachable with root.

• Location:- /storage/emulated/0/WhatsApp/

Page 15: WhatsApp Forensic

Where to look for evidence ? (contd.)

• Crypt8 files are encrypted with AES using a 256-bit key that is generated per installation.

• The fixed key 346a23652a46392b4d73257c67317e352e3372482177652c (24 bytes, i.e. AES-192) belongs to the original msgstore.db.crypt format, which used the same key on every installation (see Security & Privacy: Previous Issues); it does not open crypt7/crypt8 databases.

• The per-installation key is stored in /data/data/com.whatsapp/files/key.
• Reading the key normally requires a rooted Android phone (the Key/DB Extractor slide covers the non-rooted route).
• Media folders contain images, calls, videos etc.
• A rooted Android phone gives access to the unencrypted live database.
• wa.db contains WhatsApp contacts.

Page 16: WhatsApp Forensic

Where to look for evidence? (contd.)

• Android Volatile Memory Acquisition :-
  – Need for live acquisition ?
  – Applications including WhatsApp start with boot.
  – Background data consumption and chat logs can be found in system RAM.
  – Deleted messages are still present in volatile memory.
  – Can be retrieved partially if not fully.

Page 17: WhatsApp Forensic

Investigating WhatsApp Data

• Clone Android storage using AccessData FTK.
• Retrieve WhatsApp related data and much more.
• Using Andriller:
  – Enable Developer Mode on the phone.
  – Enable USB Debugging.
  – Connect the phone.
  – Accept the RSA fingerprint on the phone.
  – Click Check; the device serial is detected.
  – Click Go to acquire a backup of your Android data.

Page 18: WhatsApp Forensic

Investigating WhatsApp Data (contd.)

• Reports Created• Several forensically important data can be retrieved.

Page 19: WhatsApp Forensic

Investigating WhatsApp Data (contd.)

• Decrypting WhatsApp .db.crypt8
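The slide on where to look for evidence gives the key file path, and this slide names the decryption step, but the deck shows no procedure. The Go program below is an added example, not code from the presentation, Andriller or WhatsApp Viewer: it reads the 32-byte AES-256 key from the tail of the 158-byte key file, takes the CBC IV from the crypt8 header, decrypts with AES-256-CBC and inflates the zlib stream back into a SQLite file. The offsets (key at byte 126 of the key file, a 67-byte crypt8 header with the IV at byte 51) are assumed from the community decryptors (WhatsApp Viewer and the XDA scripts) and should be confirmed against a real sample; the key file, header and database bytes used here are constructed inline so the program runs offline. The older crypt7 layout differs (its IV is taken from the key file), so this is crypt8-only.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Layout assumed from the community crypt8 decryptors (verify on a real sample).
const (
	keyFileLen   = 158 // size of /data/data/com.whatsapp/files/key
	keyOffset    = 126 // the 32-byte AES-256 key is the tail of the key file
	crypt8Header = 67  // bytes before the ciphertext in msgstore.db.crypt8
	crypt8IVOff  = 51  // the 16-byte CBC IV sits inside that header
	sqliteMagic  = "SQLite format 3\x00"
)

// KeyFromKeyFile pulls the AES-256 key out of a WhatsApp key file.
func KeyFromKeyFile(keyFile []byte) ([]byte, error) {
	if len(keyFile) != keyFileLen {
		return nil, fmt.Errorf("key file is %d bytes, expected %d", len(keyFile), keyFileLen)
	}
	return keyFile[keyOffset : keyOffset+32], nil
}

// DecryptCrypt8 turns a msgstore.db.crypt8 blob into the raw SQLite database.
func DecryptCrypt8(crypt8, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("need a 32-byte key")
	}
	if len(crypt8) < crypt8Header || (len(crypt8)-crypt8Header)%aes.BlockSize != 0 {
		return nil, errors.New("file too short or ciphertext not block aligned")
	}
	iv := crypt8[crypt8IVOff : crypt8IVOff+aes.BlockSize]
	ct := crypt8[crypt8Header:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// No PKCS#7 unpadding: like the openssl -nopad recipes, let the inflater
	// stop at the end of the zlib stream and ignore whatever follows it.
	zr, err := zlib.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, fmt.Errorf("not a zlib stream (wrong key or IV?): %w", err)
	}
	defer zr.Close()
	db, err := io.ReadAll(zr)
	if err != nil {
		return nil, fmt.Errorf("inflate failed (wrong key or IV?): %w", err)
	}
	if !bytes.HasPrefix(db, []byte(sqliteMagic)) {
		return nil, errors.New("decrypted data is not a SQLite database")
	}
	return db, nil
}

// BuildSample fabricates a key file and a crypt8 file around db so the decryptor
// can be exercised offline. Constructed test data, not real WhatsApp artefacts.
func BuildSample(db []byte) (keyFile, crypt8 []byte, err error) {
	keyFile = make([]byte, keyFileLen)
	crypt8 = make([]byte, crypt8Header) // random header; the IV is read out of it
	if _, err = rand.Read(keyFile); err != nil {
		return nil, nil, err
	}
	if _, err = rand.Read(crypt8); err != nil {
		return nil, nil, err
	}
	var z bytes.Buffer
	zw := zlib.NewWriter(&z)
	if _, err = zw.Write(db); err != nil {
		return nil, nil, err
	}
	if err = zw.Close(); err != nil {
		return nil, nil, err
	}
	pt := z.Bytes()
	if pad := len(pt) % aes.BlockSize; pad != 0 {
		pt = append(pt, make([]byte, aes.BlockSize-pad)...) // zero fill, as -nopad expects
	}
	block, err := aes.NewCipher(keyFile[keyOffset:])
	if err != nil {
		return nil, nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, crypt8[crypt8IVOff:crypt8IVOff+aes.BlockSize]).CryptBlocks(ct, pt)
	return keyFile, append(crypt8, ct...), nil
}

func main() {
	db := []byte(sqliteMagic + "constructed page data")
	keyFile, crypt8, err := BuildSample(db)
	if err != nil {
		panic(err)
	}
	key, _ := KeyFromKeyFile(keyFile)
	out, err := DecryptCrypt8(crypt8, key)
	fmt.Printf("recovered %d bytes, matches input: %v, err: %v\n", len(out), bytes.Equal(out, db), err)
}
```

With a real acquisition, replace BuildSample with the bytes of the key file and of msgstore.db.crypt8 and write the returned database to disk for the SQLite Data Browser. The zlib header check is also a cheap test of whether the key matches the database: a wrong key produces garbage that fails it immediately.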

Page 20: WhatsApp Forensic

Investigating WhatsApp Data (contd.)

• Using WhatsApp Viewer.
• Decrypts all data. Requires .NET Framework.
• The "key" file has to be supplied separately.
• Has to be compiled from source.

Page 21: WhatsApp Forensic

Investigating WhatsApp Data (contd.)

• Using WhatsApp Key/DB Extractor. Applicable to Android version 4+.

• Provides a method for WhatsApp users to extract their cipher key on NON-ROOTED Android devices. Once the key has been extracted we can use Andriller or WhatsApp Viewer to recover the data.

Page 22: WhatsApp Forensic

Investigating WhatsApp Data (contd.)

• Check for Steganography
  – Images
  – Videos
  – Audio
  – Text
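The slide lists what to check but not how. As an added example, not code from the presentation or from any of the tools listed, the Go program below implements the simplest image check worth running first: walk the container's own structure to find where the image genuinely ends and report any bytes appended after it, which is where "append the payload to the picture" tools leave their data. The JPEG walker steps over marker segments and the entropy-coded scan data, so an embedded EXIF thumbnail's own EOI marker does not stop it early, and the PNG walker follows the chunk list to IEND. The sample images are constructed inline. A zero result does not prove a file clean: LSB or DCT-domain embedding leaves the structure intact and needs statistical tools.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const pngSig = "\x89PNG\r\n\x1a\n"

// jpegEnd returns the offset just past the top-level EOI marker. It walks
// segments instead of searching for the first FF D9, so a thumbnail's EOI
// inside APP1 does not end the walk early.
func jpegEnd(img []byte) (int, error) {
	if len(img) < 4 || img[0] != 0xFF || img[1] != 0xD8 {
		return 0, errors.New("not a JPEG")
	}
	for i := 2; i+1 < len(img); {
		if img[i] != 0xFF {
			return 0, fmt.Errorf("expected marker at offset %d", i)
		}
		m := img[i+1]
		switch {
		case m == 0xFF: // fill byte before a marker
			i++
			continue
		case m == 0xD9: // EOI: the image proper ends here
			return i + 2, nil
		case m == 0x01 || (m >= 0xD0 && m <= 0xD7): // TEM / RSTn carry no length
			i += 2
			continue
		}
		if i+3 >= len(img) {
			return 0, errors.New("truncated segment header")
		}
		segLen := int(img[i+2])<<8 | int(img[i+3]) // includes its own 2 bytes
		i += 2 + segLen
		if m == 0xDA { // SOS: skip scan data (FF 00 stuffing, RSTn) to the next real marker
			for i+1 < len(img) && (img[i] != 0xFF || img[i+1] == 0x00 || (img[i+1] >= 0xD0 && img[i+1] <= 0xD7)) {
				i++
			}
		}
	}
	return 0, errors.New("no EOI marker")
}

// pngEnd returns the offset just past the IEND chunk by following the chunk list.
func pngEnd(img []byte) (int, error) {
	if !bytes.HasPrefix(img, []byte(pngSig)) {
		return 0, errors.New("not a PNG")
	}
	for i := len(pngSig); i+8 <= len(img); {
		n := binary.BigEndian.Uint32(img[i:]) // data length, then the 4-byte type
		typ := string(img[i+4 : i+8])
		if uint64(n) > uint64(len(img)) {
			return 0, fmt.Errorf("oversized %s chunk", typ)
		}
		end := i + 8 + int(n) + 4 // length, type, data, CRC
		if end > len(img) {
			return 0, fmt.Errorf("truncated %s chunk", typ)
		}
		if typ == "IEND" {
			return end, nil
		}
		i = end
	}
	return 0, errors.New("no IEND chunk")
}

// TrailingBytes reports how many bytes sit after the image proper (0 for a clean file).
func TrailingBytes(img []byte) (int, error) {
	end, err := 0, errors.New("unsupported image format")
	if bytes.HasPrefix(img, []byte{0xFF, 0xD8}) {
		end, err = jpegEnd(img)
	} else if bytes.HasPrefix(img, []byte(pngSig)) {
		end, err = pngEnd(img)
	}
	if err != nil {
		return 0, err
	}
	return len(img) - end, nil
}

// SampleJPEG is constructed test data: SOI, an APP1 segment carrying a tiny
// thumbnail with its own EOI, a SOS whose scan data contains a stuffed FF 00
// and an RST marker, the real EOI, then payload appended after it.
func SampleJPEG(payload []byte) []byte {
	thumb := []byte{0xFF, 0xD8, 0xFF, 0xD9}
	app1 := append([]byte{0xFF, 0xE1, 0x00, byte(2 + 6 + len(thumb))}, "Exif\x00\x00"...)
	app1 = append(app1, thumb...)
	sos := []byte{0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00}
	scan := []byte{0x12, 0xFF, 0x00, 0x34, 0xFF, 0xD0, 0x56}
	img := append([]byte{0xFF, 0xD8}, app1...)
	img = append(img, sos...)
	img = append(img, scan...)
	img = append(img, 0xFF, 0xD9)
	return append(img, payload...)
}

// SamplePNG is constructed test data: signature, an empty IEND chunk, payload.
func SamplePNG(payload []byte) []byte {
	return append([]byte(pngSig+"\x00\x00\x00\x00IEND\xae\x42\x60\x82"), payload...)
}

func main() {
	for _, f := range [][]byte{SampleJPEG([]byte("hidden")), SampleJPEG(nil), SamplePNG([]byte("PK\x03\x04"))} {
		n, err := TrailingBytes(f)
		fmt.Println("trailing bytes:", n, "error:", err)
	}
}
```

Run TrailingBytes over every file under the WhatsApp Media folders and triage anything non-zero: a trailing "PK\x03\x04" is an appended ZIP archive, trailing ASCII is usually a note, and random-looking bytes deserve a closer look.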

Page 23: WhatsApp Forensic

Tools of Trade
• Andriller :- Android forensic tools.
• WhatsApp Key/DB Extractor :- Extraction of the key from NON-ROOTED phones.
• WhatsApp Viewer :- Decrypts and displays messages from the encrypted databases.
• WForensic :- Web based forensic tool to retrieve WhatsApp data.
• SQLite Data Browser
• AccessData FTK Imager or other cloning software.
• LiME :- Volatile memory capture tool for Android.

Page 24: WhatsApp Forensic

Safe guarding Principles
• Be cautious about what you share.
• Remember the Internet is permanent.
• Exercise caution when clicking on links.
• Install anti-virus apps like CM Security/Dr. Safety.
• Don't ignore warnings from malware scanners.
• Don't reveal personal information.
• When in doubt, throw it out.
• Learn about security and forensics; get aware of the different threats.
• Become aware of the laws that you might be violating unknowingly.

Page 25: WhatsApp Forensic

References
• https://en.wikipedia.org/wiki/WhatsApp
• https://www.magnetforensics.com/mobile-forensics/recovering-whatsapp-forensic-artifacts
• http://www.securitybydefault.com/2012/05/whatsapp-forensics.html
• http://www.whatsapp-viewer.com/
• http://www.digitalinternals.com/security/decrypt-whatsapp-crypt8-database-messages/419/
• http://forum.xda-developers.com/showthread.php?t=2770982
• http://forum.xda-developers.com/showthread.php?t=2588979

Page 26: WhatsApp Forensic

Any Queries ?

Page 27: WhatsApp Forensic

Thank You