WhatsApp Forensic

WhatsApp Forensics Presented By Animesh Shaw (Psycho_Coder) Digital Evidence Analyst, @ data64 Cyber Solutions Pvt. Ltd. [email protected]


  • Discussion Goals
    - What is WhatsApp?
    - WhatsApp Stats
    - Security & Privacy: Previous Issues
    - Real World Threat Scenario
    - Why Indians Should be Concerned?
    - Why WhatsApp Forensics?
    - Terminology & Pre-Requisites
    - Where to look for evidence?
    - Investigating WhatsApp Data
    - Tools of Trade
    - Safeguarding Principles
    - References

  • What is WhatsApp?
    - An instant messaging app for smartphones.
    - Requires a data connection to send text messages, images, video, user location and audio media messages.
    - In January 2015, WhatsApp was the most globally popular messaging app.
    - In April 2015, WhatsApp reached 800 million active users.
    - Acquired by Facebook on February 19, 2014.
    - Supported on a wide range of mobile platforms, like Android, iPhone/iOS, BlackBerry OS, Windows Phone, Symbian etc.

  • WhatsApp Stats
    - WhatsApp was handling ten billion messages per day as of August 2012, growing from two billion in April 2012.
    - Number of downloads exceeds 100 million on Google Play.
    - In only three years it is among the top 30 free applications.
    - Among the top five free communication applications on Google Play.
    - Facebook acquired WhatsApp for $19 billion USD.

  • Security & Privacy: Previous Issues
    - In May 2011, a security hole was reported which left WhatsApp user accounts open to session hijacking.
    - In September 2011, it was reported that forged messages could be sent.
    - German tech site The H demonstrated how to use WhatsAPI to hijack any WhatsApp account on September 14, 2012.
    - On 1st December 2014, Indrajeet Bhuyan and Saurav Kar, both 17-year-old teenagers, demonstrated the WhatsApp Message Handler Vulnerability, which allows anyone to remotely crash WhatsApp just by sending a specially crafted message of 2 KB in size.

  • Security & Privacy: Previous Issues (contd.)
    - In February 2015, a Dutch university student named Maikel Zweerink published an app that set out to prove that anyone can track a WhatsApp user's status and also keep an eye on their changing profile pictures, privacy settings or status messages, regardless of their privacy settings.
    - The WhatsApp message database (an AES-encrypted file) uses the same key for all installations.

  • Real World Threat Scenario - 1

  • Real World Threat Scenario - 2
    - A MAC address is a unique identifier assigned to your phone or other device that essentially serves as its online identity.
    - MAC spoofing is a threat: gaining physical access to the victim's phone, getting the MAC info and spoofing it on your own smartphone.
    - Using BusyBox and Terminal Emulator, change the MAC of the ethernet interface.
    - Reinstall WhatsApp on your phone and configure.
    - Get the confirmation code and erase it from the victim's phone.
    - Re-establish your previous MAC address.

  • Why Indians Should be Concerned?
    - According to current statistics, WhatsApp got maximum exposure in India. The picture below shows download stats (Jan. 2015).
    - With 65 million active users, about 10% of the total worldwide users, India is the largest single country in terms of number of users.

  • Why Indians Should be Concerned? (contd.)

  • Why WhatsApp Forensics?
    - Huge active user base (>800 million).
    - Ability to share video, images or data which might contain explicit content.
    - Identify various data security issues in instant messaging applications on Android and other mobile platforms which aid in forensic investigations.

  • Why WhatsApp Forensics? (contd.)
    - With more updates, other privacy issues could develop.
    - Research is required to build better tools.
    - Runs on multiple platforms with different file systems.
    - New exploits/privacy hacking issues are coming every now and then.

  • Terminology & Pre-Requisites
    - ADB (Android Debug Bridge)
    - Database (SQLite)
    - Imaging/Cloning
    - Android Developer Mode
    - Encryption: Symmetric, Asymmetric

  • Where to look for evidence?
    - All the WhatsApp data is stored either in internal phone storage or on the SD card.
    - Location:- /storage/emulated/0/WhatsApp/

  • Where to look for evidence? (contd.)
    - Crypt8 files are encrypted with the AES algorithm with a 256-bit key.
    - Key:- 346a23652a46392b4d73257c67317e352e3372482177652c
    - The key is stored in /data/data/com.whatsapp/files/key
    - Retrieving the key requires a rooted Android phone.
    - Media folders contain images, calls, videos etc.
    - A rooted Android phone contains the unencrypted database.
    - wa.db contains WhatsApp contacts.

  • Where to look for evidence? (contd.)
    - Android Volatile Memory Acquisition:- Need for live acquisition?
    - Applications including WhatsApp start with boot.
    - Background data consumption and chat logs can be found in system RAM.
    - Deleted messages are still present in volatile memory. They can be retrieved partially, if not fully.
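The following is an added example (not part of the original slides) of the partial recovery described on this slide. It scans a constructed byte string standing in for a raw RAM capture, looks for the JID pattern WhatsApp uses for phone-number contacts (digits followed by `@s.whatsapp.net`), and returns the printable run that follows each hit; the second sample record is deliberately truncated to show that a half-overwritten message still yields usable text. The dump contents are invented, and the assumption that message text sits close to its JID in memory is an illustration, not a statement about WhatsApp's real memory layout.

```python
"""Carve WhatsApp-style identifiers and nearby text from a raw memory image."""
import re

# JID form used for phone-number contacts; 6-15 digits covers E.164 numbers.
JID_RE = re.compile(rb"\d{6,15}@s\.whatsapp\.net")
# A run of at least four printable ASCII bytes counts as candidate text.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
CONTEXT_WINDOW = 256  # bytes to inspect after each JID hit


def carve_jids(image: bytes) -> list:
    """Return one record per JID hit: offset, the JID and the first printable run after it."""
    hits = []
    for m in JID_RE.finditer(image):
        window = image[m.end(): m.end() + CONTEXT_WINDOW]
        text = PRINTABLE_RE.search(window)
        hits.append({
            "offset": m.start(),
            "jid": m.group().decode("ascii"),
            "context": text.group().decode("ascii") if text else "",
        })
    return hits


def unique_jids(image: bytes) -> list:
    """Distinct JIDs in first-seen order, for a quick 'who was the device talking to' list."""
    seen = []
    for hit in carve_jids(image):
        if hit["jid"] not in seen:
            seen.append(hit["jid"])
    return seen


# Constructed sample "memory image" (not a real LiME capture). The second
# message is cut off mid-word to mimic a partially overwritten page.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"911234567890@s.whatsapp.net\x00meet at 5?\x00\x00"
    + b"\xff\xfe" * 8
    + b"919876543210@s.whatsapp.net\x00did you get the fi"
    + b"\x00" * 16
    + b"not-a-jid@example.com\x00"  # must not match the JID pattern
)

if __name__ == "__main__":
    for hit in carve_jids(SAMPLE_DUMP):
        print(f"offset {hit['offset']:#08x}  {hit['jid']}  -> {hit['context']!r}")
    print("contacts seen:", unique_jids(SAMPLE_DUMP))
```

On a real LiME image you would read the file in chunks and overlap the chunk boundaries by at least the window size so a record straddling two chunks is not missed; the sample keeps everything in one byte string for clarity.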

  • Investigating WhatsApp Data
    - Clone Android storage using AccessData FTK.
    - Retrieve WhatsApp-related data and much more.
    - Using Andriller:
      1. Enable Developer Mode on the phone.
      2. Enable Debugger Mode.
      3. Connect to the phone.
      4. Accept the RSA fingerprint on the phone.
      5. Click on Check and the device serial is detected.
      6. Click Go to acquire a backup of your Android data.
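Steps 3 to 5 above hinge on the phone being both visible to ADB and authorized, which is what the tool's serial check confirms. As an added example (not Andriller's code and not part of the original slides), the parser below reads the text that `adb devices` prints and turns each device state into the next action for the examiner; the sample output is constructed, and the serial number in it is made up.

```python
"""Check that a handset is visible to ADB and authorized before acquisition."""
from __future__ import annotations

import re
from dataclasses import dataclass

# States `adb devices` prints in its second column.
AUTHORIZED = "device"               # RSA fingerprint accepted, ready for backup
NEEDS_RSA_ACCEPT = "unauthorized"   # USB debugging on, fingerprint prompt not yet accepted
OFFLINE = "offline"

LINE_RE = re.compile(r"^(?P<serial>\S+)\s+(?P<state>\S+)")


@dataclass
class AdbDevice:
    serial: str
    state: str

    @property
    def ready(self) -> bool:
        return self.state == AUTHORIZED


def parse_adb_devices(output: str) -> list[AdbDevice]:
    """Parse the table printed by `adb devices`, skipping the header and daemon chatter."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        m = LINE_RE.match(line)
        if m:
            devices.append(AdbDevice(m.group("serial"), m.group("state")))
    return devices


def acquisition_status(output: str) -> dict[str, str]:
    """Map each serial to the action that gets the acquisition moving."""
    status = {}
    for d in parse_adb_devices(output):
        if d.ready:
            status[d.serial] = "ready: start backup"
        elif d.state == NEEDS_RSA_ACCEPT:
            status[d.serial] = "accept the RSA fingerprint prompt on the phone"
        elif d.state == OFFLINE:
            status[d.serial] = "reconnect USB or toggle USB debugging"
        else:
            status[d.serial] = f"unexpected state '{d.state}'"
    return status


# Constructed sample output (not captured from a real device).
SAMPLE = """\
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
0123456789ABCDEF\tunauthorized
emulator-5554\tdevice
"""

if __name__ == "__main__":
    for serial, advice in acquisition_status(SAMPLE).items():
        print(f"{serial}: {advice}")
```

An `unauthorized` entry is the usual reason the serial check fails: debugging is on, but the RSA prompt from step 4 was dismissed or never shown, so the backup in step 6 would be refused.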

  • Investigating WhatsApp Data (contd.)
    - Reports created.
    - Several forensically important data items can be retrieved.

  • Investigating WhatsApp Data (contd.)
    - Decrypting WhatsApp .db.crypt8

  • Investigating WhatsApp Data (contd.)
    - Using WhatsApp Viewer.
    - Decrypts all data. Requires .NET Framework.
    - The key file needs to be supplied separately.
    - Requires to be compiled.

  • Investigating WhatsApp Data (contd.)
    - Using WhatsApp Key/DB Extractor. Applicable for Android version 4+.
    - Provides a method for WhatsApp users to extract their cipher key on NON-ROOTED Android devices.
    - Once the key has been extracted, we can use Andriller or WhatsApp Viewer to recover data.
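Once the database has been decrypted by one of the tools above, the remaining work is plain SQLite. The example below is added here and is not code from Andriller, WhatsApp Viewer or the original slides: it builds two small SQLite files with a simplified schema modelled on the `messages` table of msgstore.db and the `wa_contacts` table of wa.db (the column names are an assumption for illustration, not a guarantee about any WhatsApp version), hashes the evidence file for the report, opens it read-only, and joins the two databases so each message from the "Where to look for evidence?" slides is attributed to a contact display name with a UTC timestamp. All rows are invented.

```python
"""Pull messages and contact names out of decrypted WhatsApp databases."""
from __future__ import annotations

import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash the evidence file before querying it so the report can prove it was not altered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_databases(directory: str) -> tuple[str, str]:
    """Create constructed msgstore.db / wa.db files with an assumed, simplified schema."""
    msgstore = os.path.join(directory, "msgstore.db")
    wa = os.path.join(directory, "wa.db")
    con = sqlite3.connect(msgstore)
    con.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, "
                "key_from_me INTEGER, data TEXT, timestamp INTEGER)")  # timestamp in ms
    con.executemany("INSERT INTO messages VALUES (?,?,?,?,?)", [
        (1, "911234567890@s.whatsapp.net", 0, "meet at 5?", 1430000000000),
        (2, "911234567890@s.whatsapp.net", 1, "ok, sending the photo", 1430000060000),
        (3, "919876543210@s.whatsapp.net", 0, "did you get the file", 1430000120000),
    ])
    con.commit()
    con.close()
    con = sqlite3.connect(wa)
    con.execute("CREATE TABLE wa_contacts (jid TEXT PRIMARY KEY, display_name TEXT)")
    con.execute("INSERT INTO wa_contacts VALUES (?,?)", ("911234567890@s.whatsapp.net", "Alice"))
    con.commit()
    con.close()
    return msgstore, wa


def extract_timeline(msgstore: str, wa: str) -> list[dict]:
    """Return messages in time order with the counterpart name resolved from wa.db.

    msgstore is opened read-only (mode=ro URI) so the query cannot modify evidence;
    JIDs missing from wa.db keep the raw identifier.
    """
    con = sqlite3.connect(f"file:{msgstore}?mode=ro", uri=True)
    con.execute("ATTACH DATABASE ? AS wa", (wa,))
    rows = con.execute("""
        SELECT m.key_remote_jid, m.key_from_me, m.data, m.timestamp,
               COALESCE(c.display_name, m.key_remote_jid) AS who
        FROM messages m
        LEFT JOIN wa.wa_contacts c ON c.jid = m.key_remote_jid
        ORDER BY m.timestamp
    """).fetchall()
    con.close()
    return [
        {
            "when_utc": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
            "direction": "sent" if from_me else "received",
            "counterpart": who,
            "jid": jid,
            "text": text,
        }
        for jid, from_me, text, ts_ms, who in rows
    ]


def run_demo() -> tuple[str, list[dict]]:
    """Build the sample files in a scratch directory and return (hash, timeline)."""
    with tempfile.TemporaryDirectory() as d:
        msgstore, wa = build_sample_databases(d)
        return sha256_file(msgstore), extract_timeline(msgstore, wa)


if __name__ == "__main__":
    digest, timeline = run_demo()
    print("msgstore.db sha256:", digest)
    for entry in timeline:
        print(entry)
```

Record the hash in the report together with the tool and version used for decryption; re-hashing the file after analysis and comparing is the cheapest way to show the database was only read.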

  • Investigating WhatsApp Data (contd.)
    - Check for steganography in images, videos, audio and text.

  • Tools of Trade
    - Andriller:- Android forensic tools.
    - WhatsApp Key/DB Extractor:- Extraction of the key from NON-ROOTED phones.
    - WhatsApp Viewer:- Retrieves encrypted messages.
    - Wforenic:- Web-based forensic tool to retrieve WhatsApp data.
    - SQLite Data Browser.
    - AccessData FTK Imager or other cloning software.
    - LiME:- Volatile memory capture tool for Android.

  • Safeguarding Principles
    - Be cautious about what you share.
    - Remember the Internet is permanent.
    - Exercise caution when clicking on links.
    - Install anti-virus apps like CM Security/Dr. Safety. Don't ignore warnings from malware scanners.
    - Don't reveal personal information.
    - When in doubt, throw it out.
    - Learn about security and forensics. Make ourselves aware of different threats.
    - Become aware of the law that you might be violating unknowingly.

  • References
    - https://en.wikipedia.org/wiki/WhatsApp
    - https://www.magnetforensics.com/mobile-forensics/recovering-whatsapp-forensic-artifacts
    - http://www.securitybydefault.com/2012/05/whatsapp-forensics.html
    - http://www.whatsapp-viewer.com/
    - http://www.digitalinternals.com/security/decrypt-whatsapp-crypt8-database-messages/419/
    - http://forum.xda-developers.com/showthread.php?t=2770982
    - http://forum.xda-developers.com/showthread.php?t=2588979

  • Any Queries?

  • Thank You