Parameters for image-map-2:{}
University of New Haven logo
Parameters for article:{}

UNH Forensically Analyzes WhatsApp

Release Date:
10/26/2015 12:00 AM
Body

Oct. 26, 2015

Cell phone, smartphone, engineering, security, features WEST HAVEN, Conn. - A recent network forensic examination of WhatsApp, a popular messaging service, is offering new details on the data that can be collected from the app’s network from its new calling feature; such as phone numbers and phone call duration, and highlights areas for future research and study.

The study was conducted at the University of New Haven’s Cyber Forensics Research & Education Group (http://www.unhcfreg.com), and the results were outlined in a paper published in the scholarly journal, Digital Investigation.

The article, “WhatsApp Network Forensics: Decrypting and Understanding WhatsApp Call Signaling Messages,” was co-authored by F. Karpisek of Brno University of Technology in the Czech Republic, Ibrahim (Abe) Baggili and Frank Breitinger, co-directors of the Cyber Forensics Research & Education Group at the University of New Haven.

“Our research demonstrates the type of data that can be gathered through the forensic study of WhatsApp and provides a path for others to conduct additional studies into the network forensics of messaging apps,” said Baggili.  Decrypting the network traffic isn’t simple, the authors suggest, as both access to data on the device as well as the full network traffic is needed.

WhatsApp provides free texting, a calling feature that permits calls to be done over the Internet using data rather than toll charges and content sharing. It has more than 800 million users worldwide and was acquired by Facebook in 2014 for $19 billion.

In their paper, the authors point   the number of users and the affiliation with Facebook, writing, “We see a strong necessity for both researchers and practitioners to gain a comprehensive understanding of the networking protocol used in WhatsApp, as well as the type of forensically relevant data it contains.”

“We decrypted the WhatsApp client connection to the WhatsApp servers and visualized messages exchanged through such a connection using a command-line tool we created,” the authors wrote. “This tool may be useful for deeper analysis of the WhatsApp protocol.”

In fact, Baggili said he hopes others will use the tools his group developed to “analyze the network traffic of other popular messaging applications so that the forensic community can gain a better understanding of the forensically relevant artifacts that may be extracted from the network traffic, and not only the data stored on the devices.”

The researchers provided an outline of the WhatsApp messaging protocol from a networking perspective, making it possible to explore and study WhatsApp network communications. He said he believes they are the first to discuss “WhatsApp signaling messages used when establishing voice calls.”

Specifically, the researchers found that WhatsApp uses the FunXMPP protocol for message exchange, which is a binary-efficient encoded Extensible Messaging and Presence Protocol (XMPP) (WHAnonymous, 2015c).

Through the analysis of signaling messages exchanged during a WhatsApp call using an Android device, the researchers were able to closely examine the authentication process of WhatsApp clients; discover what codec WhatsApp is using for voice media streams (Opus at 8 or 16 kHz sampling rates); understand how relay servers are announced and the relay election mechanism; and understand how clients announce their endpoint addresses for media streams.

“Gaining insight into these signaling messages is essential for the understanding of the WhatsApp protocol, especially in the area of WhatsApp,” the authors wrote.

The researchers were able to acquire a variety of artifacts from network traffic, including WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, and WhatsApp phone call duration metadata and date-time stamps. They also were able to acquire WhatsApp's phone call voice codec (Opus) and WhatsApp's relay server IP addresses used during the calls.

The University of New Haven is a private, top-tier comprehensive institution recognized as a national leader in experiential education. Founded in 1920 the university enrolls approximately 1,800 graduate students and more than 4,600 undergraduates.