WhatsApp Challenges: Finding Evidence With Oxygen Forensic Detective

With more than 1.5 billion users and 5.5 billion messages per day, WhatsApp is without a doubt the most popular messenger in the world. All messages sent using WhatsApp have end-to-end encryption, meaning they are unreadable if intercepted by anyone, including law enforcement and WhatsApp itself. More importantly, WhatsApp communications are never stored on the WhatsApp server. It is no surprise with this type of security built-in to the application it is often the choice communication platform of users with nefarious agendas. Keeping that fact in mind, it is imperative investigators are armed with methods and tools to recover this essential data.

Oxygen Forensics offers the most comprehensive WhatsApp data extraction and decryption tools in the market. WHATSAPP FROM MOBILE DEVICES

End-to-end encryption, as described, only offers security for a “man-in-the-middle attack” or simply live interception. However, the data on an Apple iOS or Android device is available in a decrypted format. The problems investigators often face in today’s mobile device examinations involving WhatsApp and other apps is often how to overcome a device with a screen lock or device encryption.

When it comes to iOS devices, all WhatsApp data can be extracted in a basic iTunes backup procedure. However, for Android devices, we often recommend a physical extraction method to recover WhatsApp’s evidentiary files. We offer a wide range of physical collection methods that are successful on a large variety of Android devices. Remember, when examining an Android device always check the SD card for a WhatsApp backup. This file is always encrypted, but we have you covered! You will find information about Oxygen Forensics’ innovative decryption methods below.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


WHATSAPP FROM CLOUD

A WhatsApp user, using an iPhone or Android device, may choose to back up their chats to iCloud or Google Drive. It is important to understand, WhatsApp backups are encrypted by default and to decrypt them a forensic investigator should have access to the SIM card to which this WhatsApp account is assigned. Armed with this SIM and investigator can recover and decrypt this valuable WhatsApp data. However, there are other methods to decrypt this recovered data using the WhatsApp Cloud token. This is outlined more in the following paragraphs.

It should be understood that extracting WhatsApp data from various cloud services there could be additional hurdles like two-factor authentication (2FA) or two-step verification. Our Oxygen Forensic Cloud Extractor documentation contains detailed instructions on how to overcome these additional challenges.

Extraction of this valuable cloud data is extremely important. This collection may contain data that had been deleted from the device which can easily occur if synchronization is set to each week or each month.

WHATSAPP BACKUP DECRYPTION

The standard WhatsApp backup decryption method used throughout the industry is based on a key file. With our innovative methods, Oxygen Forensics offers a new decryption method that requires only a phone number! This method is a great alternative to the commonly used key file. Case in point: if you have found an encrypted backup on an Android’s SD card with no access to the Android internal memory where the decryption key is stored simply use our innovative decryption support. Our Oxygen Forensic Cloud Extractor offers you an exclusive opportunity to decrypt this backup by receiving a code to the phone number assigned to the recovered SIM card.

Not only data from the device is recoverable, but Oxygen Forensic Detective can also recover a special WhatsApp Cloud token from physical extractions of Android devices. This token can be utilized to decrypt WhatsApp backups from Android devices, WhatsApp Google Drive, and WhatsApp iCloud backups associated with the same phone number.

WHATSAPP CLOUD (SERVER)

It is known that WhatsApp does not store any communications on its Server that have been delivered. Messages and unanswered calls that cannot be delivered (e.g., a phone has no Internet connection, or it is switched off) will be temporally stored on the server. Oxygen Forensic Detective has the unique ability to access this data from the cloud via only the phone number or special WhatsApp Cloud token extracted from Android devices.

Recommendation: if you have a locked mobile device that you cannot acquire try this: switch it off, wait for a few moments, remove the SIM card and place it into another phone that is unlocked to a carrier. Select WhatsApp Cloud service in our Cloud Extractor, select to receive a code to the SIM card. Now you will have access to the undelivered messages, unanswered calls and their contacts.

WHATSAPP VIA QR TOKEN FROM PC

Users can now access and communicate using WhatsApp Desktop and WhatsApp Web Apps from a computer. Our exhaustive research revealed that these apps do not store any databases on the computer being used to communicate. However, with our free Oxygen Forensic KeyScout utility, built into Oxygen Forensic Detective, you can detect a WhatsApp QR token on a computer where WhatsApp was used. This valuable token will allow you to extract complete WhatsApp data in our Cloud Extractor. The only condition is that the WhatsApp owner’s mobile device must have an active Internet connection. If the mobile device is locked, no problem! This WhatsApp QR code method is ideal for data extraction from locked mobile devices. However, if you have an unlocked mobile device but for some reason the extraction continually fails, simply scan the WhatsApp QR code from the device in our Cloud Extractor to acquire all the current WhatsApp data.

Leave a Comment