Abstract

Encryption techniques used by popular messaging services such as Skype, Viber and WhatsApp make traces of illegal activities by criminal groups almost undetectable. This paper reports the challenges involved in examining data of the WhatsApp application on popular mobile platforms (iOS, Android and Windows Phone) using the latest forensic software such as EnCase, UFED and Oxygen Forensic Suite. The operating systems used were Windows Phone 8.1, Android 5.0.1 (Lollipop) and iOS 8.3. Results show that due to strong security features built into the Windows 8.1 system, forensic examiners may not be able to access data with a standard forensic suite and must decide whether to perform a live forensic acquisition. This paper provides forensic examiners with practical techniques for recovering evidence of WhatsApp data from Windows 8.1 mobile operating systems that would otherwise be inaccessible.

Keywords: Mobile forensics; Forensic tools; WhatsApp forensics; iOS; Android; Windows Phone; Live data forensics

I. INTRODUCTION

Modern technology has eased the lives of many, allowing us to keep in contact with friends and families around the globe. With its expanded use, we have learnt not to attempt to understand how it works, but rather how to utilise it to help us. Instant messaging is one of the utilities which have allowed us to keep in contact over the internet by sending and receiving messages, photos and videos. WhatsApp was used by 800 million monthly users across multiple platforms in April 2015 [1]. Approximately 1.7 billion people own an Android mobile phone [2] and 700 million people utilise Apple's iPhone [3]. Although Windows has just under 10% of the market share for mobile operating systems [4], this translates to about 50 million Windows Phone users in the world at the end of 2013 [5]. What most users don't understand is what information is collected and stored on devices, sitting dormant. This information is not stored for malicious intent by the software, but rather so that backups can be made, or so that old messages can be viewed. These automatic backups have created concerns for individuals when hackers gained access to their accounts and released personal images the individuals were not aware had been backed up [6]. It was also reported that messaging services like WhatsApp could be used by organized crime groups to streamline their illegal operations [7] and that encryption techniques used by such applications [8] made traces of illegal activities almost undetectable. Despite various challenges it is important to discover what is stored on the devices that could be potentially dangerous if used against individuals, or useful for criminal investigations. This poses the prospect of forensically examining WhatsApp across multiple mobile operating systems to see how much personal information can be gained from them.

There has been a previous study of WhatsApp forensics on Android [9] systems which gives a useful insight into how data is stored and encrypted on the device used. The data is stored in an encrypted state using the crypt7 method [8], which must be the same for the devices to communicate. Another study [10] evaluated several top cross-platform messaging applications, including the forensic analysis of WhatsApp and in particular when a server was placed between two communicating devices. The study reported eavesdropping of messages being sent (commonly referred to as a man-in-the-middle attack) by an older version of WhatsApp where the messages were not being encrypted. The examinations conducted in [10] didn't involve recovering data from the device itself, but the results demonstrated how data was stored elsewhere, which had potential for forensic analysts to explore live data techniques if required.

There are a few studies on iPhone forensics such as a study by Magnet Forensics [11]. This details how and where messages are stored but is not a comprehensive study and only provides a brief comparison between Android and iOS. A better iOS study [12] utilises two well known tools: Oxygen and UFED. UFED performs a physical examination of the hard drive and has a great chance of recovering deleted files, such as deleted WhatsApp messages. However Oxygen only performs a logical examination and will not find deleted data, but it does contain specialised functions which operate to specifically find WhatsApp messages.

Although there is an abundance of forensic analysis for WhatsApp, the majority of it is focused upon the Android operating system [13] with a few other studies also analysing iOS [11, 12]. The analyses conducted in our investigations will be treated as data recovery techniques, such as those a forensic team would perform after a crime. The standard practice is to utilise recently available forensic software to extract the personal data and to demonstrate what is easily accessible, but this may not always be the case, as strong security features built into some systems can make the data
UFED was well established with iPhone and Android, so this was a great tool to see how Windows Phone forensics compares to other devices.

investigator must provide a mobile phone's number as it is needed for the app installation and messages will not be decrypted back without it.
access to data it should not be allowed access to. The Windows system worked based on tiers of security privilege, with the top tier given to the default Windows applications, which could open and access any system files, such as contacts and messages. Lower tiers had restricted privileges. In this case outside applications such as UFED or Oxygen had no access to anything deemed sensitive. For this reason the forensic kits had no better access to information than a generic computer would have by simply plugging the phone in and accessing it via the Windows file browsing software.

A. Further Analysis of Windows Phone 8.1

Due to problems with the mobile device not allowing any forensic software to access the system folders where the encryption key was stored, it was decided to attempt to image the device using tools such as FTK Imager, EnCase and Linux. The hope was to create a forensic copy of the device, which would remove any virtual security that the device used to prevent anything from accessing the device's hard drive. FTK Imager detected the hard drives installed and external storage, including all partitions on the forensic computer. The mobile phone device was not detected by the software, so it was not possible to make an image of the device using this program, as shown in Fig. 2.

An attempt was made to manually image the Windows Phone device using the Linux dd command, for example dd if=/dev/sdb of=/root/Nokia820.dd. However, before this stage was reached, there was another issue finding the device. The command ls -l /dev/sd* should have shown all of the devices that were attached to the Linux machine, regardless of whether they were mounted or not. In Linux, data storage devices are listed as sd followed by a letter. The first storage device, where the OS was installed, would be labelled sda and any partitions would have a number after it, so for example sda2 would indicate the first hard drive and its second partition. Subsequent storage devices go up in alphabetical order, so sdb1 would be the second storage device that has been added to the machine. It was therefore expected that the Windows Phone would be displayed as sdb1; instead only the hard drive, sda1 and its 7 partitions, was displayed and no other storage devices were found. This is shown in Fig. 4. The screenshot is from the Ubuntu version of the Linux operating system, although the same results were found when we tried the Red Hat and BackTrack versions of Linux.
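As an added example (not the paper's own script), the device check and the dd imaging step described above can be scripted so that a missing /dev/sdX node is reported before dd is ever run, and so that the resulting image is verified by hash, which is what a sound acquisition expects. The disk/partition helper follows the sda, sda2, sdb1 naming explained above; the Nokia820.dd file name is carried over from the text, and all other paths are assumptions.

```shell
#!/bin/sh
# Added example, not the paper's own script. Two helpers around the
# "ls -l /dev/sd*" check and the dd imaging step described above.
# Assumptions: Linux with coreutils (dd, sha256sum); no real phone is touched.

# Split a /dev/sd* node into disk name and partition number following the
# naming explained above: "sda2" -> "sda 2"; a whole disk such as "sdb"
# reports partition 0. Anything that is not an sd* node returns non-zero.
parse_sd_node() {
    name=$(basename "$1")
    case "$name" in
        sd[a-z])        echo "$name 0" ;;
        sd[a-z][0-9]*)  echo "${name%%[0-9]*} ${name#sd[a-z]}" ;;
        *)              return 1 ;;
    esac
}

# Image SRC to DEST with dd, but only after confirming the node exists,
# which is the step that failed in the paper's Fig. 4. conv=noerror keeps
# going past read errors; conv=sync is deliberately omitted because its
# zero padding would make the image hash differ from the source hash.
# On success the SHA-256 of the verified image is printed and 0 returned.
forensic_image() {
    src="$1"; dest="$2"
    if [ ! -e "$src" ]; then
        echo "source $src not present (compare ls -l /dev/sd*)" >&2
        return 2
    fi
    dd if="$src" of="$dest" bs=4096 conv=noerror 2>/dev/null || return 3
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image is not a faithful copy" >&2
        return 4
    fi
    echo "$img_hash"
}

# Demonstration on a constructed sample file standing in for the device;
# /dev/sdzz is a placeholder node that is assumed not to exist.
work=$(mktemp -d)
printf 'constructed sample contents standing in for /dev/sdb' > "$work/sample"
forensic_image "$work/sample" "$work/Nokia820.dd" && echo "verified image: $work/Nokia820.dd"
forensic_image /dev/sdzz "$work/unused.dd" || echo "imaging aborted with status $?"
rm -rf "$work"
```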
by the user. The thumbnails still remained even if the received files were deleted, but existed at a significantly lower resolution. This also applied to video files found, but only a thumbnail of the original clip remained. Sound recordings were no longer playable, yet still showed in the conversation, once again, unless they had been deleted before the backup.

IV. CONCLUSIONS

Results reported in this paper showed methodical approaches to forensically analyse WhatsApp data using various tools currently available to forensic investigators. It was found that in both Android and iOS systems all the evidence was successfully retrieved by UFED and Oxygen suite, but in Windows Phone 8.1, although the encrypted file was found, none of the information was decrypted by the tools because they could not access the encryption key. It was noted that security features built into the Windows Phone system made the sensitive areas of the phone where the key was stored inaccessible to any third party or forensic software. Various attempts to image the Windows phone in the hope of achieving better accessibility also failed. As a last resort a live data acquisition technique was performed, complying with the ACPO guidelines, which successfully retrieved all the backed up messages in the phone. In future we would like to perform similar investigations on data recovery of other popular messaging services and social media applications used on mobile devices, as these applications could also be used to organise criminal activities.

REFERENCES

[1] Statista, "Number of monthly active WhatsApp users worldwide from April 2013 to April 2015," http://www.statista.com/statistics/260819/number-of-monthly-active-whatsapp-users, April 2015, [Accessed 20 June 2015].
[2] Statistic Brain Research Institute, "Android Phone Statistics," http://www.statisticbrain.com/android-phone-statistics, March 2015, [Accessed 20 June 2015].
[3] S. Costello, "How Many iPhones Have Been Sold Worldwide?," http://ipod.about.com/od/glossary/f/how-many-iphones-sold.htm, March 2015, [Accessed 10 June 2015].
[4] C. Page, "The Inquirer: Windows Phone market share tumbles almost 10 percent as Lumia sales dry up," http://www.theinquirer.net/inquirer/news/2360573/windows-phone-market-share-tumbles-almost-10-percent-as-lumia-sales-dry-up, 2014, [Accessed 20 June 2015].
[5] P. Thurrott, "Windows Phone Device Stats: January 2014," http://winsupersite.com/windows-phone/windows-phone-device-stats-january-2014, 2014, [Accessed 20 June 2015].
[6] L. Kelion, "BBC NEWS: Apple toughens iCloud security after celebrity breach," http://www.bbc.co.uk/news/technology-29237469, 2014, [Accessed 20 June 2015].
[7] The Spectator, "Cameron's reaction to the Charlie Hebdo attacks has been depressingly predictable," http://blogs.spectator.co.uk/coffeehouse/2015/01/camerons-reaction-to-the-charlie-hebdo-attacks-has-been-depressingly-predictable, 2015, [Accessed 20 June 2015].
[8] M. Ibrahim, "How to Decrypt WhatsApp crypt7 Database Messages," http://www.digitalinternals.com/security/decrypt-whatsapp-crypt7-database-messages/307, 2014, [Accessed 20 June 2015].
[9] N. S. Thakur, "Forensic Analysis of WhatsApp on Android Smartphones," University of New Orleans Theses and Dissertations, New Orleans, 2013.
[10] S. Schrittwieser, P. Fruhwirt, P. Kieseberg, M. Leithner, M. Mulazzani, M. Huber and E. Weippl, "Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications," in Proceedings of the 19th Annual Symposium on Network and Distributed System Security, 2012.
[11] Magnet Forensics, "Recovering WhatsApp Forensic Artifacts," http://www.magnetforensics.com/mobile-forensics/recovering-whatsapp-forensic-artifacts, September 2014, [Accessed 20 June 2015].
[12] M. Al-Hadadi and A. Al-Shidhani, "Smartphone Forensics Analysis: A Case Study," International Journal of Computer and Electrical Engineering, vol. 5, no. 6, pp. 576-580, 2013.
[13] S. Sahu, "An Analysis of WhatsApp Forensics in Android Smartphones," International Journal of Engineering Research, vol. 3, no. 5, pp. 349-350, 2014.
[14] E. Casey, G. Fellows, M. Geiger and G. Stellatos, "The growing impact of full disk encryption on digital forensics," Digital Investigation, vol. 8, no. 2, pp. 129-134, 2011.
[15] E. Casey, "What does forensically sound really mean?," Digital Investigation, vol. 4, no. 2, pp. 49-50, June 2007.
[16] Association of Chief Police Officers, "ACPO Good Practice Guide for Digital Evidence," Police Central e-Crime Unit, London, 2012.
[17] UFED4PC by Cellebrite, http://www.cellebrite.com/Mobile-Forensics/Products, [Accessed 20 June 2015].
[18] Oxygen Forensic Suite by Oxygen Forensics, http://www.oxygen-forensic.com, [Accessed 20 June 2015].
[19] FTK Imager by AccessData, http://accessdata.com/solutions/digital-forensics/forensic-toolkit-ftk, [Accessed 20 June 2015].
[20] EnCase by Guidance Software, https://www.guidancesoftware.com/products, [Accessed 20 June 2015].
[21] Microsoft, "Summary of Changes in Code Access Security," https://msdn.microsoft.com/en-us/library/ff527276%28v=vs.100%29.aspx, [Accessed 18 June 2015].