Abstract

WhatsApp is the most popular instant messaging mobile application all over the world. Although it was originally designed for simple and fast communication, its privacy features, such as end-to-end encryption, have eased private and unobserved communication for criminals aiming to commit illegal acts. In this paper, a forensic analysis of the artefacts left by the encrypted WhatsApp SQLite databases on unrooted Android devices is presented. In order to provide a complete interpretation of the artefacts, a set of controlled experiments to generate these artefacts was performed. Once generated, their storage location and database structure on the device were identified. Since the data is stored in an encrypted SQLite database, its decryption is first discussed. Then, the ways of analyzing the artefacts are revealed, aiming to understand how they can be correlated to cover all the possible evidence. In the results obtained, it is shown how to reconstruct the list of contacts, the history of exchanged textual and non-textual messages, as well as the details of their contents. Furthermore, this paper shows how to determine the properties of both the broadcast and the group communications in which the user has been involved, as well as how to reconstruct the logs of the voice and video calls.

DOI: 10.28991/HIJ-2022-03-02-06

Highlights

  • Over a decade ago, regular mobile phones offered the Short Message Service (SMS) as an alternative to the instant messaging (IM) that existed on the internet at that time

  • This paper investigated the forensic artefacts of WhatsApp Messenger SQLite databases on Android phones

  • The methodology used was based on the performance of designed experiments on unrooted Android phones as well as a method to decrypt the encrypted databases by using free tools and Python scripts written for this study


Summary

Introduction

Regular mobile phones offered the Short Message Service (SMS) as an alternative to the instant messaging (IM) that existed on the internet at that time. This service failed to offer the convenience of real-time texting, which is available in IM. The then newly introduced smartphones in 2007 opened the door to real-time communication on mobile phones through instant messaging applications such as WhatsApp, which is the most popular of these applications almost globally with 2 billion users, as shown by Statista (2021) in Figure 1 [1]. The messages exchanged on early versions of WhatsApp were kept in local SQLite databases on the devices. The more recent versions of the application have seriously reconsidered the database security and have encrypted the databases following the custom Advanced Encryption Standard (AES)
