Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019

Forensics Analysis of WhatsApp in Android Mobile
Phone
Samarjeet Yadav1, Satya Prakash2, Neelam Dayal3 and Vrijendra Singh4
,,,

1

Department of Computer Science and Engineering, Centre for Advanced Studies, Lucknow
2 Department of Information Technology, IIIT-Allahabad, PrayagRaj, India

Abstract. One of the popularly known social media platforms is WhatsApp. It
has many features such as chat, calling, video calling, multimedia messages location-sharing, documents etc. At present, there are 1.5 billion WhatsApp users
across the world. A newly added feature in WhatsApp allows the sender to delete
the sent messages within 1 hour from the receiver’s end where it will show that
"This message was deleted". This feature provides the facility to delete the messages. That is sent unknowingly. But, this mechanism is also imposing challenges
for law enforcement and policymaker. The deleted messages may have digital
evidence to trace the cybercrime, which will be hard to retrieve at receiver’s end
when it is deleted by the sender. In this research paper, we proposed to analyze
the artefacts of WhatsApp database using the various forensics tools and compare
the efficiency of the tools i.e. which one is able to reconstruct the chronology of
WhatsApp database.
Keywords: Digital Forensics, Whatsapp, acquisition, mobile forensic, extraction

I.

Introduction

WhatsApp is a social messenger application having a 1.5-billion user base across the
world. Two former employees of yahoo Brian Acton and Jan Koum founded WhatsApp

in 2009. The first version 2.0 of WhatsApp was launched in 2009. In the year, 2014
Facebook acquired WhatsApp for US$19 billion. Overall timeline with respect to
WhatsApp shown in Fig.1. Earlier the WhatsApp data was prone to hacking, but nowadays with advance, security mechanism enforced the data transmitted in WhatsApp
messages are encrypted. WhatsApp uses end-to-end encryption so that no third party
can access the chats between two users. Hence, every user can choose end-to-end encryption of messages in WhatsApp.
WhatsApp is having many features such as chats, audio calls, video calls, multimedia, documents, location sharing etc. Along with these features, WhatsApp also added
a new feature i.e. If the sender sends a message and within 1 hour if that message is
deleted by sender then it will be deleted at receivers end too and it will show “This
message was deleted at both ends”.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019
Whenever the user installs the WhatsApp, it will automatically synchronize all the
contacts from the user device after registering the number on that device. When
WhatsApp is installed on a device a folder name com. Whatsapp will be created under
internal storage having path Android/Data/com. WhatsApp in this folder there is the
unique key to decrypt the msgstore database.

Earlier the messages of Whatsapp were stored in SQLite databases, named as
‘msgstore.db’ but this database was not very much secure and easily decrypted by the
third party. Therefore the user's data i.e. all chats, contacts and other artefacts where
easily accessible to hackers in an earlier version of WhatsApp. To counter WhatsApp
came with the new concept of end-to-end encryption to protect the user database.
Now, Whatsapp is using AES encryption algorithm for end-to-end encryption
to give high security for the user’s database. Due to this encryption mechanism, the
database, which was earlier named as msgstore.db is renamed to msgstore.db.crypt12
file. This crypt file is not simple to access as msgstore because this file database is
encrypted with the user's unique key. Every user has a unique key by which the user
can decrypt the database file such as msgstor.db.crypt. The unique key located in the

internal storage of phone which at Android/data/com.whatsapp/files/key.
In this paper, we analyze the artefacts of the WhatsApp database using the WhatsApp
DB/Extractor and Belkasoft Evidence Center tools. The aim of this analysis was to

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019
compare the efficiency of the tools with respect to reconstruction of chronology of
WhatsApp.
The overall paper is divided into five sections. Section II discusses the literature
survey. Section III describes the methodology of our work. Section IV presents the
analysis results followed by a conclusion and future work in section v.

II.

Literature Survey

The proposed algorithm involves two steps: [A] Watermark Embedding and [B] Watermark Extraction. It works by applying a Simplistic Fourier Transformation followed
by Singular Value Decomposition.
F. Karpisek et.al [1] described how the network traffic of WhatsApp decrypt. An
analyst can obtain forensic WhatsApp artefacts that relate to calling feature, which
also included WhatsApp phone numbers along with its call termination, server IPs,
audio codec and call duration. The author explained the methods and some tools for
decrypting the traffic of call. The author analyzed and examined the authentication
process of WhatsApp clients, discover what codec and with the help of full handshaking between client and server analyzed the address of clients from relay servers. They
got some interesting findings after analysis such as call duration metadata and datetime stamps, relay server IP address used during the callsign WhatsApp.
Anglano et al. [2]deal with WhatsApp messenger on Android Smartphone in his
research paper where they analyzed the WhatsApp artefacts and discussed how an
analyst can reconstruct the list of contacts as well as exchanged messages for the
chronology by the user. This correlation was helpful for the investigator to know and

determine the chat databases with log files information and help to determine when
the message was exchanged and which user exchanged these messages. Whereas this
paper has the limitation i.e. it does not explain about the acquisition, process and hash
function.
Daniel Walnycky et.al [3] discussed in their paper about the acquisition of
WhatsApp database and another social messenger, they acquired and analyzed the
device data and network traffic of some popular instant messaging applications on
android smartphone. After analysis, they reconstruct some applications and tested
them. Some of them reflect poorly on the security and privacy measures but it was
good for constructed positively for evidence collection purposes. They showed the
reconstruct or intercept data such as screenshots, passwords, videos, pictures, audio
sent, messages sent, profile pictures and more. They did analysis on 20 apps in which
they found only 16 apps were not encrypted their data. After experiment on 20 apps,
they found only 4 out of 20 applications encrypted their network traffic using https
encryption using SSL certificates. Whereas 16 apps tested, which was not encrypted
their data

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019
Rusydi Umar, et al. [4] showed the comparative study of forensic tools for
WhatsApp analysis on the basis of NIST parameters. The authors used three forensic
tools for comparative study i.e. WhatsApp DB/Extractor, Belkasoft evidence, UFED
and Oxygen forensic. After the comparison, the author found belkasoft evidence is
much better than oxygen forensic suite and WhatsApp DB/Extractor based on NIST
parameter. Belkasoft evidence is having both types of acquisition and it meets all the
criteria based on the NIST parameter. WhatsApp DB/Extractor only have logical acquisition whereas oxygen forensic have both physical and logical but it was costly
and they find belkasoft evidence is better in terms of performance, cost as compared
to other two tools.
Shubham Sahu et.al [5] discussed the forensic analysis of WhatsApp messenger

using WhatsApp DB/Extractor tool. In his research paper, the database of WhatsApp
extracted through this tool along with this key also extracted. Msgstor.DB contains
all the database of chats whereas wa.db contains all the contact list of that phone
which was used in WhatsApp. After extracting, the database could be see-through
WhatsApp viewer. In WhatsApp viewer, he browsed the location of the database file
and views it along with the contact list having the wa.db file, which was optional, and
finally through WhatsApp view analyst able to see all the messages and contact list
and can analyze further.
Author et.al [4],[5]-[12] [13]–[20], discussed briefly acquisition and reconstructing
the chronology of database. They also discussed the way of analysis on social messenger forensics where the forensic investigator can analyze the data in digital forensic easily.

III.

Methodology

This paper proposed the technique and method to analyze the artefacts of the
WhatsApp-deleted data using existing tools. The new feature added by WhatsApp i.e.
the facilities to delete the message within 1 hour, which will also be deleted from the
receivers end.
This feature provides the advantage to any user who sends any message by mistake
to immediately delete it. However, in spite of having the advantage, this feature also
has a disadvantage, as this feature can also be used to commit the crime and it will be
hard to know the deleted message and exact text. The proposed methodology is to analyze the artefacts of the WhatsApp database using various forensics tools and compare
the efficiency of the tools i.e. which one is able to reconstruct the chronology of
WhatsApp database
There are certain tools name as Belkasoft Evidence Center, WhatsApp
DB/Extractor, UFED, Oxygen Forensics Suite etc. For forensic analysis, we are using
two tools WhatsApp DB/Extractor and Belkasoft Evidence Center.

Electronic copy available at: />


Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019

For this purpose, we have implemented these tools on different mobile devices such
as VIVO 1601, Asus Zenfone max pro m2, Nokia XL, Mi Max2. Further, we will compare the tools and we will find out the accuracy and performance.
As WhatsApp is using end-to-end encryption to secure the user’s database thus it
won’t be possible for any normal person to see the database messages. Hence, to decrypt msgstore.db.crypt file we need unique key, which is located in internal storage
Android/data/com.whatsApp/file/key but as we discussed, it is not easy to retrieve this
unique key
Method1:Get access to the root
.
Rooting can be done to gain access as root, but it is a very difficult task, as the
smartphones nowadays have latest and sensitive technology that can risk to loss of data.
After rooting, it will be very easy to know the key and we can decrypt the msgstore.db.
Crypt with the help of WhatsApp Viewer.
Method2:- Backup the WhatsApp data.
The second method is to create a backup of WhatsApp data. After that, we can analyse the data through the existing tools.
Method3:- Acquire the data through tools.
The third method is to acquire the data through the WhatsApp DB/Extractor tools.
Here, the data acquisition of data is easy but the analysis part is difficult.
A. WhatsApp Db/Extractor
Prerequisite:
1. O/S: Windows Vista, Windows 7, Windows 8, Windows 10, Mac OS X or Linux
2. Ensure Java is installed.
3. Install ADB (Android Debug Bridge), Drivers
4. USB Debugging must be enabled on the target device
5. Android devise with Android 4.0 or higher
Steps to acquire the database through WhatsApp DB/Extractor:
• Install WhatsApp DB/Extractor.
• Extract "WhatsApp-Key-DB-Extractor-master.zip".

• Connect your device via USB, unlock your screen and wait for "Full back up" to
appear.
• Enter your backup password or leave blank.
• Confirm the backup password in your command console and then check your “extracted” folder.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019

Fig. 2. Connect mobile device

Fig.2 shows that the Whatsapp DB/Extractor is asking to connect a device, as soon
as the device is connected, it will automatically start running.

Fig. 3. Installing legacy WhatsApp

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019
Fig.3 shows that the device is connected and the tool automatically starts to install
the legacy WhatsApp that downgrades the version of WhatsApp in the device temporarily. The size of the legacy WhatsApp is 17.4 MB

Fig. 4. Unlock the device to confirm the backup

Fig.4 shows that the legacy WhatsApp is installed successfully in the device. Now, it
will ask to unlock the device and confirm the backup operation from the device.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019


Fig. 5. Password for backup the data

Fig. 5 shows that the device is successfully unlocked and is asking for a password to
proceed for creating a full backup. The password should be matched in both places i.e.
device and on that tool, then only it will proceed and create the full backup of mobile
with all the database and key of WhatsApp.

B. Belkasoft Evidence Center
Belkasoft evidence centre is one of the strongest tools, which can acquire all the data
from mobile and it gives the option to choose social messenger application on which
we have to analyze.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019

Fig. 6. The option of acquisition from different fields.

Fig.6 shows the different options from which we can acquire the data for analysis and
it shows the option of the drive, mobile device and cloud. As we have to do WhatsApp
analysis of android phone, so we select mobile device and Android. To acquire the
database, we have to connect the mobile device or we can acquire from the target folder.

Fig. 7. Acquisition process after connecting the device.

Fig.7 shows the next process in which the device is connected and chooses the option
to store that file in your pc and as soon as investigator clicks on start it will start backing

Electronic copy available at: />


Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019
up data and it will take permission to take a full backup, do it without entering any
password.

Fig. 8. Option on which Investigator wants to analysis.

In Fig. 8, after backing up the data it will ask about the options on which investigators
have to analyze. Choose WhatsApp from the option and click on finish. Now the analysis part comes, in this Investigator have to analyze it deeply and with the help of time,
one can match which data was deleted from senders end.
To analyze the data and to find out the accuracy of the tool, we utilized the size of
the database of WhatsApp for both the tools.

IV.

RESULTS & ANALYSIS

After implementing these tools on mobile devices, we got the key with the help of
WhatsApp Db/Extractor as shown in Fig.9. Along with key, we extracted the database
by using its unique key. The size of the extracted database is 107 MB for VIVO 1601
device. Whereas by using belkasoft evidence centre the database, size is 107 MB.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019

Fig. 9. Extracted database and it's Key.

Fig. 9 shows the extracted database and the unique key of WhatsApp for that particular
device. Here, msgstore is the database in which all the conversation is stored between

sender and receiver. Whereas, the key file is named as WhatsApp and its type is
CRYPTKEY file. Now, with the help of WhatsApp viewer, we analysed the conversation of device VIVO 1601 and we reconstructed the deleted messages.
The problem with WhatsApp DB/Extractor is that we cannot retrieve the documents
and videos. However, images can be retrieved but the quality of the image will be degraded.
The analysis of both the tools is done with the help of a database of 107 MB. Obtained database of chronology conversation between sender and receiver in WhatsApp
Db/Extractor is 47MB and Belkasoft Evidence centre is 105MB.
The formula for computing the accuracy of both tools is as follows.
Accuracy formula= (DBT – DBO)*100/ DBT.
Where DBT refers total database size of device extracted through tools. DBO refers
Obtained Database of conversation between sender and receiver.
WhatsApp DB/Extractor Accuracy= (47*100)/107 = 43.92%.
Belkasoft evidence center Accuracy= (105*100)/107 = 98.13%
Table 1. Accuracy results

WhatsApp
DB/Extractor

Total Database

Obtained Database

Accuracy in
%

107 MB

47 MB

43.92%


107 MB

105 MB

98.13%

BEC

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019

As shown in Table.1, the accuracy of belkasoft evidence centre is 98.13% which is
far better than WhatsApp DB/Extractor of 49.92%. The chronology conversation in
Belkasot Evidence Center includes all Instant messages i.e. text, images, documents.
Following are some interesting findings based on the analysis.
Finding 1: After testing the WhatsApp DB/Extractor on many Android mobile devices
we get to know that, it can’t extract the database and unique key if the device has android version 7 or more.
Finding 2: After deep analysis, we found the images in WhatsApp DB/Extractor are
in png format. Whereas in belkasoft, images are in jpg format, which justifies that
belkasoft provide a high-quality image retrieval.
Finding 3: After comparing both the tools, we found that belkasoft evidence centre
gives more details than WhatsApp DB/Extractor. Hence it provides more accuracy.
Finding 4: These tools are not able to extract the database from many devices such as
NOKIA XL because it has a lower version.

V.

Conclusion:


we compared different tools through which we can retrieve the data, and we found
WhatsApp DB/Extractor is much faster as compared to belkasoft evidence centre but
for deep analysis, belkasoft is much efficient than WhatsApp DB/Extractor. Therefore,
the accuracy of bulk soft evidence is more. An analyst is able to reconstruct the chronology of the WhatsApp database using these tools.
In future work, we will analysis android version 7 and above and we will do practical
work on different OS along with the different mobile device. We will also analyze performance based on NIST parameters.

References:
1. F. Karasek, I. Baggili, and F. Breitinger, “WhatsApp network forensics: Decrypting and
understanding the WhatsApp call signalling messages,” Digit. Investig., vol. 15, pp. 110–
118, 2015.
2.
3. C. Anglano, “Forensic analysis of whats app messenger on Android smartphones,” Digit.
Investig., 2014.
4.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019
5. D. Walnycky, I. Baggili, A. Marrington, J. Moore, and F. Breitinger, “Network and device
forensic analysis of Android social-messaging applications,” Digit. Investig., vol. 14, no.
S1, pp. S77–S84, 2015.
6.
7. R. Umar, I. Riadi, and G. Maulana, “A Comparative Study of Forensic Tools for WhatsApp
Analysis using NIST Measurements,” Int. J. Adv. Comput. Sci. Appl., vol. 8, no. 12, pp.
69–75, 2018.
8.
9. M. S. Sahu, “An Analysis of WhatsApp Forensics in Android Smartphones,” Int. J. Eng.
Res., vol. 3, no. 5, pp. 349–350, 2015.
10.

11. H. Singh, “ANALYSIS OF WHATSAPP LOG FILE FOR INFORMATION,” vol. 7, no.
April, pp. 475– 486, 2018.
12.
13. F. C. Tsai, E. C. Chang, and D. Y. Kao, “WhatsApp network forensics: Discovering the
communication payloads behind cybercriminals,” Int. Conf. Adv. Commun. Technol.
ICACT, vol. 2018-February, pp. 679–684, 2018.
14.
15. A. Shortall and H. Azhar, “A forensic analysis of iOS, Android and Windows Phone 8 . 1 to
extract WhatsApp data,” vol. 3, no. April, p. 2015, 2015.
16.
17. G. B. Satrya, P. T. Daely, and S. Y. Shin, “Android forensics analysis: Private chat on social
messenger,” Int. Conf. Ubiquitous Futur. Networks, ICUFN, vol. 2016-Augus, no. April
2018, pp. 430–435, 2016.
18.
19. N. Patel, S. Patel, and W. L. Tan, “Performance Comparison of WhatsApp versus Skype on
Smart Phones,” 2018 28th Int. Telecommun. Networks Appl. Conf., pp. 1–3, 2019.
20.
21. M. Raji, H. Wimmer, and R. J. Haddad, “Analyzing Data from an Android Smartphone
while Comparing between Two Forensic Tools,” Conf. Proc. - IEEE SOUTHEASTCON,
vol. 2018-April, pp. 1–6, 2018.
22.
23. T. S. Neha, “Forensic analysis of WhatsApp Messenger on Android smartphones,” Digit.
Investig., 2014.
24.
25. A. Mahajan, M. S. Dahiya, and H. P. Sanghvi, “Forensic Analysis of Instant Messenger
Applications on Android Devices,” Int. J. Comput. Appl., 2013.
26.
27. O. Peter E., “Forensics Analysis of Skype , Viber and WhatsApp Messenger on Android
Platform,” Int. J. Cyber-Security Digit. Forensics, 2018.
28.

29. L. S. Khoo, A. H. Hasmi, M. S. Mahmood, and P. Vanezis, “Underwater DVI: Simple fingerprint technique
30. for positive identification,” Forensic Sci. Int., 2016.
31.
32. Y. N. Kunang and A. Khristian, “Implementasi prosedur forensik untuk analisis artefak
Whatsapp pada ponsel android,” in Annual Research Seminar, 2016.
33.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019
34. N. S. Thakur, “Forensic analysis of WhatsApp Messenger on Android smartphones,” Digit.
Investig., 2014.
35.
36. M. S. Chang and C. Y. Chang, “Forensic Analysis of LINE Messenger on Android,” J. Comput., 2018.
37.
38. A. R. Pratama, “Whatsapp Forensics: Eksplorasi Sistem Berkas Dan Basis Data Pada Aplikasi Android Dan Ios,” J. Teknoin, 2016.
39.
40. T. Dargahi, A. Dehghantanha, and M. Conti, “Forensics Analysis of Android Mobile VoIP
Apps,” in Contemporary Digital Forensic Investigations of Cloud and Mobile Applications,
2016.
41.
42. K. L.S., H. A.H., M. M.S., and V. P., “Underwater DVI: Simple fingerprint technique for
positive identification,” Forensic Sci. Int., 2016.

Electronic copy available at: />

Proceedings of ICAEEC-2019, IIIT Allahabad India, 31st May - 1st June,2019

Electronic copy available at: />