Towards a New Approach to Identify WhatsApp Messages

Abstract

Today traditional communication methods, such as SMS or phone calls, are used less often and are replaced by the use of chat applications. WhatsApp is one of the most popular chat applications nowadays. WhatsApp offers different ways of communicating, which include sending text messages and making phone calls. The implementation of encryption makes WhatsApp more challenging for law enforcement agencies to identify when a suspect is sending or receiving messages via this chat application. Most research in literature focused on the analysis of WhatsApp data by obtaining information from a physical device, such as a seized mobile device. However, it is not always possible to extract the data needed from a mobile device for the analysis of the WhatsApp data because of the encryption, or no devices have been seized yet. In addition, the current techniques for real time analysis of WhatsApp messages show that there is a high risk of detection by the suspect. Alternative methods are needed to understand the communication patterns of a suspect and criminal organizations. In this paper, we focused on identifying when a suspect is receiving or sending WhatsApp messages using only wiretap data. Therefore, no seized devices are needed. The pattern analysis has been used to identify patterns of data sent to and received from the WhatsApp servers. The identified patterns were tested against a large dataset created with different mobile devices to determine if the patterns are consistent. By using the technique described in this paper, investigators will obtain more information if and with whom a suspect is communicating.