2015 Sixth International Conference on Emerging Security Technologies
Forensic acquisitions of WhatsApp data on popular
mobile platforms
Adam Shortall, M A Hannan Bin Azhar
Computing, Digital Forensics and Cybersecurity
Canterbury Christ Church University
Canterbury, United Kingdom
Email: a.shortall724@canterbury.ac.uk, hannan.azhar@canterbury.ac.uk
Abstract Encryption techniques used by popular messaging
services such as Skype, Viber and WhatsApp make traces of
illegal activities by criminal groups almost undetectable. This
paper reports challenges involved to examine data of the
WhatsApp application on popular mobile platforms (iOS,
Android and Windows Phone) using latest forensic software such
as EnCase, UFED and Oxygen Forensic Suite. The operating
systems used were Windows phone 8.1, Android 5.0.1 (Lollipop)
and iOS 8.3. Results show that due to strong security features
built into the Windows 8.1 system forensic examiners may not be
able to access data with standard forensic suite and they must
decide whether to perform a live forensic acquisition. This paper
provides forensics examiners with practical techniques for
recovering evidences of WhatsApp data from Windows 8.1
mobile operating systems that would otherwise be inaccessible.
Keywords Mobile forensics; Forensic tools; WhatsApp
forensics; iOS; Android; Windows Phone; Live data forensics
I. INTRODUCTION
Modern technology has eased the lives of many, allowing
us to keep in contact with friends and families around the
globe. With its expanded use, we have learnt not attempt to
understand how it works, rather how to utilise it to help us.
Instant messaging is one of the utilities which have allowed us
to keep in contact over the internet by sending and receiving
messages, photos and videos. WhatsApp is used by 800 million
monthly users across multiple platforms in April 2015 [1].
There are approximately 1.7 billion people own an Android
mobile phone [2] and 700 million people who utilise Apples
iPhone [3]. Although Windows has just under 10% of the
market share for mobile operating systems [4], this translates to
about 50 million Windows Phone users in the world at the end
of 2013 [5]. What most users dont understand is what
information is collected and stored on devices, sitting dormant.
This information is not stored for malicious intent by the
software, but rather so that backups can be made, or if old
messages wish to be viewed. These automatic backups have
created concerns to individuals when hackers gained access to
their accounts and released personal images the individuals
were not aware had been backed up [6]. It was also reported
that messaging services like WhatsApp could be used by
organized crime groups to streamline their illegal operations
[7] and encryption techniques used by such applications [8]
made traces of illegal activities almost undetectable. Despite
various challenges it is important to discover what is stored on
978-1-4673-9799-5/15 $31.00 2015 IEEE
DOI 10.1109/EST.2015.16
the devices that could be potentially dangerous if used against
individuals, or useful for criminal investigations. This poses
prospects of forensically examining WhatsApp across multiple
mobile operating systems to see how much personal
information can be gained from them.
There has been a previous study of WhatsApp forensics on
Android [9] systems and is a useful insight into how data is
stored and encrypted on the device used. The data is stored in
an encrypted state using crypt7 method [8] which must be
the same for the devices to communicate. Another study [10]
evaluated several top cross-platform messaging applications,
including the forensic analysis of WhatsApp and in particular
when a server was placed between two communicating
devices. The study reported eavesdropping of messages being
sent (commonly referred to as a man-in-the-middle attack) by
an older version of WhatsApp where the messages were not
being encrypted. The examinations conducted in [10] didnt
involve recovering data from the device itself but results
demonstrated how data was stored elsewhere, which had
potentials for forensic analysts to explore live data techniques
if required.
There are a few studies on iPhone forensics such as a study
by Magnet Forensics [11]. This details how and where
messages are stored but is not a comprehensive study and only
provides a brief comparison between Android and iOS. A
better iOS study [12] utilises two well known tools: Oxygen
and UFED. UFED performs a physical examintation of the
hard drive and has a great chance of recovering deleted files,
such as deleted WhatsApp messages. However Oxygen is only
a logical exmaintation and will not find deleted data, but it
does contain specialsied functions which operate to
specifically find WhatsApp messages.
Although there is an abundance of forensic analysis for
WhatsApp, the majority of it is focused upon the Android
operating system [13] with a few other studies also analysing
iOS [11, 12]. The analyses conducted in our investigations
will be treated as a data recovery techniques, such as one a
forensic team would perform after a crime. The standard
practice is to utilise recently available forensic software to
extract the personal data and to demonstrate what is easily
accessible but this may not be the case always, as strong
security features built into some systems can make the data
13
inaccessible by standard forensic suite which left forensic
examiners to decide whether to perform a live forensic
acquisition [14]. The act of collecting data from a live system
should be carefully performed with supporting documentation
so that the authenticity and integrity of the original data can be
validated [15]. Any changes on the original data need be
explained by the forensic examiner with regards to their
impact on the digital evidence. This paper will demonstrate
the use of live data technique to recover evidences of
WhatsApp data from Windows Phone 8.1 (WP 8.1) system by
following the good practice guidelines defined by the
Association Of Chief Police Officers (ACPO) [16]; which is
generally considered forensically sound.
The remainder of the paper are organised as follows:
Section 2 introduces various forensic tools and data used for
the investigation. This section also explains the methodology
used for the examination. Section 3 reports the findings and
results. Finally, Section 4 concludes the paper with direction to
the future work.
II. FORENSIC TOOLS AND METHODOLOGY
The investigation reported in this paper utilised three
devices: a Nokia Lumia 820 mobile phone running Windows
8.1, an iPhone 5S using iOS 8.3 and a Samsung Galaxy Note 4
using Androids Lollipop (5.0.1) operating system. The
WhatsApp versions used in the study were 2.11.516.0 for WP
8.1, 2.12.109 for Android and 2.12.3 for iOS. The scenario
was based upon if the devices had been suspected of using
WhatsApp to send and receive illegal files or to plan illegal
activities, and have been found disposed of in a rubbish bin.
The devices had all been used prior to the investigation for a
minimum of three months, and had been used the day of
uninstallation. Several different types of chats had been set up,
including a group chat. The WhatsApp applications were
uninstalled by holding the applications and pressing the
uninstall buttons or dragging the apps to the OS bin,
depending on which operating system was used. Nothing else
was removed or tampered with, other than what was done by
default by the operating system, so as to represent a suspect
removing the application in haste. The investigation was
aimed to look at what was stored on devices and not being
transmitted through networks and various tools used attempted
to gain access specific types of information that could be
unique to the user or any contacts that the user had interacted
with.
A. WhatsApp Data
Three types of WhatsApp data were attempted to retrieve:
contacts, messages and media files. The aim was to recover
contact lists and personal information, from contacts found on
the devices, which eventually would reveal how much data
regarding individuals were stored. It was expected that names,
alias, mobile number, e-mail address and date of birth would
be found, however any other data found about an individual
would be useful for investigation. This was important to look
at how messages were stored by all of the devices, to see if
14
access could be gained to the contents of these messages and
who sent and received the contents. It was expected that any
previous messages would be accessible, including archived
messages. The examination also looked at messages those
were viewed, as WhatsApp has the ability to display when a
message has been received by the receiver, and read. This
would be useful for investigations, as this would provide
evidence towards someone claiming they did not read a
message, especially if an investigator could see at what time
they were viewed. WhatsApp contains the ability for users to
transfer a range of media files, such as images, audios and
videos. The possibility of recovery of sent and received media
files were investigated. It was also be useful to see who sent
and received the files, and at what time.
Operating system
WhatsApp
Files
Forensic Tool
Data Extraction
Encryption Key Encrypted Data
Has the tool
No decrypted
the text?
Third Party
Decryption
Yes
WhatsApp
Messages and data
Fig. 1. Steps to extract data by forensics tools.
B. Forensic tools
Various tools were used in attempt to extract WhatsApp
data. Two major tools were UFED by Cellebrite [17] and
Oxygen by Oxygen Forensics [18]. UFED is a physical tool,
which looks at physical data on the hard drive, as opposed to
looking at what the operating system is telling it to look at. In
theory this should recover deleted data if it is possible. As
UFED was well established with iPhone and Android, this was
a great tool to see how Windows Phones forensics compares
to other devices.
Another specialized piece of software for mobile forensics
is Oxygen Forensic Suite [18]. This tool boasts a very large
array of phone choice to forensically analyse and more
importantly it contains specific features for WhatsApp
message decryption. Even though this software was not
considered an industry standard or regarded as highly as
UFED, it was useful for comparative aspects.
To image mobile devices there were few other tools
available such as FTK imager [19], EnCase [20] and Linux.
FTK Imager is a free tool provided by Access Data utilized for
imaging devices. All connected internal and external storage
devices are added to the evidence tree by this utility. EnCase
is widely used by police units around Great Britain. The
Windows mobile device was connected to the PC and EnCase
7.1 was utilised to attempt to extract data.
C. Layout of Operations
Fig. 1 is a graphical representation of simplified steps
forensic tools take to extract data. Working downwards from
the top, the first section shows the mobile phone which is
being analysed, with WhatsApp data contained inside it. The
forensic tools takes an image of the device and extracts the
data that is relevant, in this case step 3 takes the backed up
conversation data and the encryption key. In an ideal situation,
both will have been recovered and the tools decrypt the data.
If it has not been decrypted by the tool, for example the tool
does not support WhatsApp, it is possible to use third party
software to decrypt the data, using the encryption key. The
device stores the key to the encryption in a specific location,
and the forensic tools are able to extract this and use it to
decrypt the file. When tools fail to extract any data external
software would be required to decrypt any information found
in the messages.
D. Live Data Analysis
Live data forensics should be used as a last resort when the
software fails to extract the data. This means accessing the
device as a normal user would. This has a huge amount of risk
involved as an investigator could accidentally remove key bits
of data or change data so that it is no longer viable in court.
The important aspect with this is to follow ACPO guidelines
[16]. ACPO guidelines state that there may be circumstances
in which an investigator may need to access original data, but
the person conducting the search should be competent to do
so. This is outlined in principle 2 of the guidelines and can be
tied up with principle 3 where an audit trail must be written, so
that any other party conducting the same search will be able to
follow the same steps and achieve the same result [16].
The best feature that WhatsApp has from an investigation
point of view is that there are regular backups made of the
device, so that if the app is uninstalled, message backups can
be decrypted by the app if it is being reinstalled. For this the
15
investigator must provide a mobile phones number as it is
needed for the app installation and messages will not be
decrypted back without it.
III. RESULTS
Both UFED and Oxygen forensic systems performed
almost identically, as shown below in Table 1. Both UFED
and Oxygen found a list of contacts used by WhatsApp for
Android and iOS, but were unable to recover anything from
the Windows device. The same can be said for decrypted
messages. The software was able to recover message backups
for all three devices but appeared to be unable to recover an
encryption key for the Windows device. Messages found were
the backups of conversations made every day by the device at
approximately 03:30 am by default; however this could have
been changed through app settings before uninstallation of
WhatsApp. These backups were not lost due to uninstallation
process either. So even if the suspect had removed potentially
incriminating conversations so as not to get caught, but had
not removed the backups stored, the conversations should still
be there to be recovered.
TABLE I. PERFORMANCES BY UFED AND OXYGEN
Data Found Android iOS WP 8.1
Contacts   
Media   
Encrypted Messages   
Decrypted Messages   
Once the messages were decrypted they could be viewed
using a SQLite viewer which detailed information of who sent
and received the messages, time stamps and when messages
were read by the receiver. These were displayed in separate
columns and were easy to interpret. Media was found across
all of the devices, although it was unclear on the iPhone and
Windows phone as to where the images came from as it was in
a generic media folder. The Android phone had media saved
into folders as to where it was sent from. It should be noted
however that photos do contain meta-data which can be
accessed when the images are extracted via the software, this
usually contains information as to who the original owner was.
Contacts were found from both the Android and iOS
devices, however these were contacts stored on the device for
other purposes, such as calling or sending SMS outside of
WhatsApp. Due to the nature of WhatsApp, this was expected,
as to send a message to someone using the app, both parties
must have the mobile number saved to the devices contact list.
This means analysts can compare two devices found to see if
they both contain each others contact number. No contact
numbers were found by the forensic tools on the Windows 8.1
mobile phone. It was noticed that security features built into
WP 8.1 by Microsoft [21] prevented users from accidentally
removing important files or malicious applications gaining
access to data it should not be allowed access to. The
Windows system worked based on tiers of security privilege,
with the top tier given to the default Windows applications,
which could open and access any system files, such as
contacts and messages. Lower tiers had restricted privileges.
In this case outside applications such as UFED or Oxygen had
no access to anything deemed sensitive. For this reason the
forensic kits had no better access to information than a generic
computer would by simply plugging the phone in and
accessing it via the Windows file browsing software.
A. Further Analysis of Windows Phone 8.1
Due to problems with the mobile device not allowing any
forensic software to access system folders where the
encryption key was stored, it was decided to attempt to image
the device using tools such as FTK Imager, EnCase and
Linux. The hope of this was to create a forensic copy of the
device, which would hopefully remove any virtual security
that the device used to prevent anything accessing the devices
hard drive. FTK Imager detected the hard drives installed and
external storage, including all partitions on the forensic
computer. The Mobile phone device was not detected by the
software, so it was not possible to make an image of the
device using this program, shown in Fig. 2.
Fig. 2. Data drives discovered by FTK Imager.
EnCase 7.1 picked up the local HDD labelled as C, an
external memory stick labelled as E and the PCs RAM.
There was no indication that the Windows mobile had been
detected (Fig. 3).
Fig. 3. Data drives discovered by EnCase.
16
An attempt was made to manually image the Windows
Phone device using the Linuxs DD command, for example
DD if=/dev/sdb of=/root/Nokia820.dd. However before this
stage was reached, there was another issue finding the device.
The command ls l /dev/sd* should have shown all of the
devices that were attached to the Linux machine, regardless of
if they were mounted or not. In Linux data storage devices are
listed as sd and then a letter. The first storage device, where
the OS was installed, would be labelled sda and any
partitions would have a number after it, so for example sda2
would indicate the first hard drive and the second partition.
Consequent storage devices would go up in alphabetical order,
so sdb1 would be the second storage device that has been
added to the machine. This was what was expected to display
the Windows Phone as sdb1; instead only the hard drive, sda1
and its 7 partitions were displayed, no other storage devices
were found. This is shown in Fig. 4. The screenshot is from
the Ubuntu version of the Linux operating system, although
same results were found when we tried on Red Hat and
BackTrack versions of Linux.
Fig. 4. Devices found by the Linux machine.
B. Live data forensics of WhatsApp on Windows 8.1
Due to not being able to extract evidence using tools,
scripts or any other methods, we had to follow live data
acquisition technique complying with ACPO guidelines [16].
A solid case was built using supporting documentation with
minimal change of the original evidence where possible to
preserve authenticity and integrity during the process. Live
acquisition required reinstallation of the application on the
phone from the app store. A mobile phone number has to be
used (which could be different from suspects number) during
the installation process and messages would not be decrypted
back without it. Once the number was entered, there was a text
message sent to the device for a verification code and this was
noted down, as this would also affect the original data. The
next screen detailed the time at which the last backup was
found; in this case it was the day before at 03:30 am. Once the
restoration option was clicked previous messages and media
used by the suspect were imported from the SD card and then
decrypted and made available to the investigators within the
WhatsApp application. The live acquisition could successfully
retrieve messages from the time of the last backup until when
the app was first installed on the phone; in this case it was
three months worth of data. Media could also be accessed, by
clicking the contacts name when in a chat screen. This
provided a list of thumbnails that had been sent and received
by the user. The thumbnails still remained even if the received
files were deleted; but instead, existed at a significantly lower
resolution. This also applied to video files found, but only a
thumbnail of the original clip remained. Sound recordings
were no longer playable, yet still showed in the conversation,
once again, unless they had been deleted before the backup.
IV. CONCLUSIONS
Results reported in this paper showed methodical
approaches to forensically analyse WhatsApp data using
various tools currently available to forensics investigators. It
was found that in both Android and iOS systems all the
evidences were successfully retrieved by UFED and Oxygen
suite but in Windows Phone 8.1 despite the encrypted file was
found, none of the information was decrypted by the tools due
to their inaccessibility to the encryption key. It was noted that
security features built into the windows phone system made
any third party or forensic software inaccessible to the
sensitive areas of the phone where the key was stored.
Various attempts to image the Windows phone with the hope
to achieve better accessibility were also failed. As a last resort
live data acquisition technique was performed complying with
the ACPO guidelines which successfully retrieved all the
backed up messages in the phone. In future we would like to
perform similar investigations on data recovery of other
popular messaging services and social media applications used
on mobile devices as these applications also pose potential
threats to organise criminal activities.
REFERENCES
[1] Statista, "Number of monthly active WhatsApp users worldwide from
April 2013 to April 2015," http://www.statista.com
/statistics/260819/number-of-monthly-active-whatsapp-users, April
2015, [Accessed 20 June 2015].
[2] Statistic Brain Research Institute, "Android Phone Statistics,"
http://www.statisticbrain.com/android-phone-statistics, March 2015
[Accessed 20 June 2015].
[3] S. Costello, "How Many iPhones Have Been Sold Worldwide?,"
http://ipod.about.com/od/glossary/f/how-many-iphones-sold.htm, March
2015, [Accessed 10 June 2015].
[4] C. Page, "The Inquirer: Windows Phone market share tumbles almost 10
percent as Lumia sales dry up," http://www.theinquirer.net
/inquirer/news/ 2360573/windows-phone-market-share-tumbles-almost-
10-percent-as-lumia-sales-dry-up, 2014, [Accessed 20 June 2015].
17
[5] P. Thurrott, "Windows Phone Device Stats: January 2014,"
http://winsupersite.com/windows-phone/windows-phone-device-stats-
january-2014, 2014, [Accessed 20 June 2015].
[6] L. Kelion, "BBC NEWS: Apple toughens iCloud security after celebrity
breach," http://www.bbc.co.uk/news/ technology-29237469, 2014,
[Accessed 20 June 2015].
[7] The Spectator, "Camerons reaction to the Charlie Hebdo attacks has
been depressingly predictable," http://blogs.spectator.co.uk/
coffeehouse/2015/01/camerons-reaction-to-the-charlie-hebdo-attacks-
has-been-depressingly-predictable, 2015, [Accessed 20 June 2015].
[8] M. Ibrahim, "How to Decrypt WhatsApp crypt7 Database Messages,"
http://www.digitalinternals.com/security/decrypt-whatsapp-crypt7-
database-messages/307, 2014, [Accessed 20 June 2015].
[9] N. S. Thakur, ""Forensic Analysis of WhatsApp on Android
Smartphones," University of New Orleans Theses and Dissertations,
New Orleans, 2013.
[10] S. Schrittwieser, P. Fruhwirt, P. Kieseberg, M. Leithner, M. Mulazzani,
M. Huber and E. Weippl, "Guess Whos Texting You? Evaluating the
Security of Smartphone Messaging Applications," in Proceedings of the
19th Annual Symposium on Network and Distributed System Security,
2012.
[11] Magnet Forensics,"Recovering WhatsApp Forensic Artifacts,
http://www.magnetforensics.com/mobile-forensics/ recovering-
whatsapp-forensic-artifacts, September 2014, [Accessed 20 June 2015].
[12] M. Al-Hadadi and A. Al-Shidhani, "Smartphone Forensics Analysis: A
Case Study," International Journal of Computer and Electrical
Engineering, vol. 5, no. 6, pp. 576-580, 2013.
[13] S. Sahu, "An Analysis of WhatsApp Forensics in Android
Smartphones," International Journal of Engineering Research, vol. 3, no.
5, pp. 349-350, 2014.
[14] E. Casey, G. Fellows, M. Geiger, and G. Stellatos, The growing impact
of full disk encryption on digital forensics, Digital Investigation, 2011,
vol. 8, no. 2, pp. 129-134, 2011.
[15] E. Casey, 2007. What does forensically sound really mean?, Digital
Investigation, vol. 4, no. 2, pp. 49-50, June 2007.
[16] Association Of Chief Police Officers, "ACPO Good Practice Guide for
Digital Evidence," Police Central e-Crime Unit, London, 2012.
[17] UFED4PC by Cellebrite, http://www.cellebrite.com/Mobile-
Forensics/Products, [Accessed 20 June 2015].
[18] Oxygen Forensic Suite by Oxygen Forensics, http://www.oxygen-
forensic.com, [Accessed 20 June 2015].
[19] FTK Imager by AccessData , http://accessdata.com/solutions/digital-
forensics/forensic-toolkit-ftk, [Accessed 20 June 2015].
[20] EnCase by Guidance Software, https:// www.guidancesoftware.com/
products, [Accessed 20 June 2015].
[21] Microsoft, "Summary of Changes in Code Access Security,"
https://msdn.microsoft.com/en-us/library/ff527276%28v= vs.100%29
.aspx, [Accessed 18 June 2015].