WhatsApp Forensics
Presented By
Animesh Shaw (Psycho_Coder)
Digital Evidence Analyst,
@ data64 Cyber Solutions Pvt. Ltd.
psychocoder@outlook.com
Discussion Goals
• What is WhatsApp?
• WhatsApp Stats
• Security & Privacy: Previous Issues
• Real World Threat Scenario
• Why Indians Should Be Concerned?
• Why WhatsApp Forensics?
• Terminology & Pre-Requisites
• Where to look for evidence?
• Investigating WhatsApp Data
• Tools of the Trade
• Safeguarding Principles
• References
What is WhatsApp?
o An instant messaging app for smartphones.
o Requires a data connection to send text messages, images, video, user location and audio media messages.
o In January 2015, WhatsApp was the most globally popular messaging app.
o In April 2015, WhatsApp reached 800 million active users.
o Acquired by Facebook on February 19, 2014.
o Supported on a wide range of mobile platforms: Android, iPhone (iOS), BlackBerry OS, Windows Phone, Symbian, etc.
WhatsApp Stats
o WhatsApp was handling ten billion messages per day as of August 2012, up from two billion in April 2012.
o Downloads exceed 100 million on Google Play.
o Within only three years it was among the top 30 free applications.
o Among the top five free communication applications on Google Play.
o Facebook acquired WhatsApp for $19 billion USD.
Security & Privacy: Previous Issues
• In May 2011, a security hole was reported which left WhatsApp user accounts open to session hijacking.
• In September 2011, it was reported that forged messages could be sent.
• On September 14, 2012, the German tech site The H demonstrated how WhatsAPI could be used to hijack any WhatsApp account.
• On 1 December 2014, Indrajeet Bhuyan and Saurav Kar, both 17-year-old teenagers, demonstrated the WhatsApp Message Handler Vulnerability, which allows anyone to remotely crash WhatsApp just by sending a specially crafted message of 2 KB in size.
Security & Privacy: Previous Issues (contd.)
• In February 2015, a Dutch university student named Maikel Zweerink published an app that set out to prove that anyone can track a WhatsApp user's status and also keep an eye on their changing profile pictures, privacy settings or status messages, regardless of their privacy settings.
• The AES-encrypted WhatsApp message database file uses the same key for all installations.
Real World Threat Scenario - 1
Real World Threat Scenario - 2
• A MAC address is a unique identifier assigned to your phone or other device that essentially serves as its online identity.
• MAC spoofing is a threat.
• Gaining physical access to the victim's phone. Get the MAC info and spoof it on your own smartphone.
• Using BusyBox and Terminal Emulator, change the MAC of the ethernet interface.
• Reinstall WhatsApp on your phone and configure it.
• Get the confirmation code and erase it from the victim's phone.
• Re-establish your previous MAC address.
Why Indians Should Be Concerned?
• According to current statistics, WhatsApp has its greatest exposure in India. The picture below shows download stats (Jan. 2015).
• With 65 million active users, about 10% of the total worldwide users, India is the largest single country in terms of number of users.
Why Indians Should Be Concerned? (contd.)
Why WhatsApp Forensics?
• Huge active user base (>800 million).
• Ability to share video, images or data which might contain explicit content.
• Identifying the various data security issues in instant messaging applications on Android and other mobile platforms aids forensic investigations.
Why WhatsApp Forensics? (contd.)
• With further updates, other privacy issues could develop.
• Research is required to build better tools.
• Runs on multiple platforms with different file systems.
• New exploits and privacy-hacking issues are appearing every now and then.
Terminology & Pre-Requisites
o ADB (Android Debug Bridge)
o Database (SQLite)
o Imaging/Cloning
o Android Developer Mode
o Encryption
  o Symmetric
  o Asymmetric
Where to look for evidence?
• All WhatsApp data is stored either in the "Internal Phone Storage" or on the SD card.
• Location: /storage/emulated/0/WhatsApp/
Where to look for evidence? (contd.)
• Crypt8 files are encrypted with the AES algorithm using a 256-bit key.
• Key: 346a23652a46392b4d73257c67317e352e3372482177652c
• The key is stored in /data/data/com.whatsapp/files/key
• Retrieving the key requires a rooted Android phone.
• Media folders contain images, calls, videos, etc.
• A rooted Android phone contains the unencrypted database.
• wa.db contains the WhatsApp contacts.
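The slide names wa.db (contacts) and the message database but does not show how an examiner reads them once the unencrypted SQLite files are in hand. The following Python script is an added example, not code from the deck or from any of the tools it lists: it builds two in-memory SQLite databases whose layout is modelled on the legacy msgstore.db `messages` table and the wa.db `wa_contacts` table (the table and column names here are assumptions for illustration; confirm them with `.schema` against the actual evidence copy before relying on them), joins messages to contact names without guessing names for JIDs the evidence does not resolve, converts WhatsApp's millisecond timestamps to UTC, and hashes the exported timeline so the report can be tied back to the evidence it came from.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows (not real evidence). Layout modelled on the legacy
# msgstore.db "messages" table and wa.db "wa_contacts" table; the column
# names are assumptions for illustration, so verify them with ".schema".
CONSTRUCTED_MESSAGES = [
    # (key_remote_jid, key_from_me, data, timestamp in ms since the epoch)
    ("911234567890@s.whatsapp.net", 0, "Meet at 9?", 1420070400000),
    ("911234567890@s.whatsapp.net", 1, "Sure, see you there.", 1420070460000),
    ("919876543210@s.whatsapp.net", 0, "Sending the file now", 1420074000000),
]
CONSTRUCTED_CONTACTS = [
    ("911234567890@s.whatsapp.net", "Alice (constructed)"),
]


def build_sample_dbs():
    """Create in-memory stand-ins for msgstore.db and wa.db and load the rows."""
    msgstore = sqlite3.connect(":memory:")
    msgstore.execute(
        "CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, "
        "key_from_me INTEGER, data TEXT, timestamp INTEGER)"
    )
    msgstore.executemany(
        "INSERT INTO messages (key_remote_jid, key_from_me, data, timestamp) "
        "VALUES (?, ?, ?, ?)",
        CONSTRUCTED_MESSAGES,
    )
    wa = sqlite3.connect(":memory:")
    wa.execute("CREATE TABLE wa_contacts (jid TEXT, display_name TEXT)")
    wa.executemany("INSERT INTO wa_contacts VALUES (?, ?)", CONSTRUCTED_CONTACTS)
    return msgstore, wa


def ms_to_utc(ms):
    """WhatsApp stores timestamps in milliseconds; report them in UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timeline(msgstore, wa):
    """Chronological list of messages with the counterpart resolved to a contact name.

    JIDs with no wa.db entry are kept verbatim rather than guessed, so the
    report never attributes a message to a contact the evidence does not name.
    """
    names = dict(wa.execute("SELECT jid, display_name FROM wa_contacts"))
    rows = msgstore.execute(
        "SELECT key_remote_jid, key_from_me, data, timestamp FROM messages ORDER BY timestamp"
    )
    return [
        {
            "when": ms_to_utc(ts),
            "direction": "sent" if from_me else "received",
            "party": names.get(jid, jid),
            "text": text,
        }
        for jid, from_me, text, ts in rows
    ]


def report_digest(rows):
    """SHA-256 of a canonical JSON rendering, recorded alongside the exported report."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


if __name__ == "__main__":
    m, w = build_sample_dbs()
    rows = timeline(m, w)
    for r in rows:
        print(f'{r["when"]}  {r["direction"]:8}  {r["party"]}: {r["text"]}')
    print("report sha256:", report_digest(rows))
```

Against real evidence, replace the two `:memory:` connections with read-only URIs (`sqlite3.connect("file:msgstore.db?mode=ro", uri=True)`) on a working copy, never on the original image, and hash the source files before and after the run in addition to hashing the report.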
Where to look for evidence? (contd.)
• Android volatile memory acquisition:
– Need for live acquisition?
– Applications including WhatsApp start at boot.
– Background data consumption and chat logs can be found in system RAM.
– Deleted messages are still present in volatile memory.
– They can be retrieved partially, if not fully.
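The slide says deleted messages survive in RAM but not how an examiner finds them in a capture. The Python below is an added example, not code from the deck or from LiME: it carves a raw memory image for WhatsApp-style identifiers (`<number>@s.whatsapp.net` for individual chats, `<creator>-<timestamp>@g.us` for groups) and reports the printable strings that sit immediately after each hit, which is where chat text is often found next to its JID. The dump is a constructed byte string standing in for a slice of a LiME capture; the offsets and texts in it are made up for the demonstration.

```python
import re

# WhatsApp identifiers as they appear in process memory: <number>@s.whatsapp.net
# for individual chats and <creator>-<timestamp>@g.us for groups.
JID_RE = re.compile(rb"\d{7,15}(?:-\d+)?@(?:s\.whatsapp\.net|g\.us)")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed stand-in for a slice of a LiME capture (not a real dump).
CONSTRUCTED_DUMP = (
    b"\x00\x7f\xfe" * 4                                  # 12 bytes of noise
    + b"911234567890@s.whatsapp.net\x00"                # contact JID at offset 12
    + b"Meet at 9?\x00"                                  # message text beside it
    + b"\xff" * 40                                       # unrelated padding
    + b"123456789012-1420070400@g.us\x00"               # group JID at offset 91
    + b"deleted: see you there\x00"                      # text of a removed message
    + b"\x90" * 8
)


def carve_jids(dump):
    """Every JID hit with its byte offset, in file order."""
    return [(m.start(), m.group().decode()) for m in JID_RE.finditer(dump)]


def strings_after(dump, offset, window=32):
    """Printable ASCII runs in the `window` bytes following `offset`.

    The window is deliberately small so that text belonging to an unrelated
    neighbouring object is not mixed into the context of a hit.
    """
    return [s.decode() for s in PRINTABLE_RE.findall(dump[offset:offset + window])]


def carve(dump, window=32):
    """Combine both passes into records an examiner can review and verify by offset."""
    hits = []
    for offset, jid in carve_jids(dump):
        hits.append({
            "offset": offset,
            "jid": jid,
            "context": strings_after(dump, offset + len(jid), window),
        })
    return hits


if __name__ == "__main__":
    for h in carve(CONSTRUCTED_DUMP):
        print(f'0x{h["offset"]:08x}  {h["jid"]}  {h["context"]}')
```

Strings on the Java heap are frequently stored as UTF-16LE, which this ASCII-only pattern misses; a second pattern such as `rb"(?:[\x20-\x7e]\x00){6,}"` decoded with `utf-16-le` covers that case. Every hit should be confirmed manually at its offset in a hex viewer before it goes into a report, since carving gives leads, not attributed messages.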
Investigating WhatsApp Data
• Clone the Android storage using AccessData FTK.
• Retrieve WhatsApp-related data and much more.
• Using Andriller:
– Enable Developer Mode on the phone.
– Enable debugging mode (USB debugging).
– Connect the phone.
– Accept the RSA fingerprint on the phone.
– Click "Check" and the device serial is detected.
– Click "Go" to acquire a backup of your Android data.
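The Andriller steps above end with acquiring a backup over ADB. The script below is an added example, not Andriller's code or the deck's: it constructs a small unencrypted Android backup archive (`.ab`, the format `adb backup` writes) in memory, validates its four-line header, inflates the zlib payload into a tar stream, lists what was captured and records a SHA-256 of the archive at acquisition time. The `apps/com.whatsapp/db/msgstore.db` entry is a constructed placeholder containing only the SQLite magic bytes; whether a given WhatsApp build allows ADB backup at all depends on its manifest, which is one reason the deck also lists the Key/DB Extractor.

```python
import hashlib
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"


def build_constructed_backup():
    """A tiny, unencrypted, compressed .ab blob built in memory (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"SQLite format 3\x00" + b"\x00" * 16   # only the SQLite magic, no real db
        info = tarfile.TarInfo("apps/com.whatsapp/db/msgstore.db")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    # Header: magic line, format version, compression flag (1 = zlib), encryption ("none").
    return AB_MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())


def parse_ab(data):
    """Validate the four-line header and return (version, compressed, encryption, tar_bytes)."""
    if not data.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    parts = data.split(b"\n", 4)
    if len(parts) != 5:
        raise ValueError("truncated backup header")
    _, version, compressed, encryption, body = parts
    if encryption != b"none":
        # Password-protected backups carry "AES-256" here; they need the user's
        # password and a key-derivation step this example does not implement.
        raise ValueError(f"encrypted backup ({encryption.decode()}) not handled")
    tar_bytes = zlib.decompress(body) if compressed == b"1" else body
    return version.decode(), compressed == b"1", encryption.decode(), tar_bytes


def list_members(tar_bytes):
    """(name, size) of every entry, so the examiner can confirm what was captured."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [(m.name, m.size) for m in tar.getmembers()]


def sha256_hex(data):
    """Hash recorded at acquisition time to tie later analysis back to this archive."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    blob = build_constructed_backup()
    print("archive sha256:", sha256_hex(blob))
    version, compressed, enc, tar_bytes = parse_ab(blob)
    print(f"version={version} compressed={compressed} encryption={enc}")
    for name, size in list_members(tar_bytes):
        print(f"{size:8d}  {name}")
```

On a real acquisition, read the `.ab` file in binary, pass its bytes to `parse_ab`, and write `tar_bytes` out as `.tar` only onto analysis storage; the original archive and its recorded hash stay untouched.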
Investigating WhatsApp Data (contd.)
• Reports created.
• Several forensically important data items can be retrieved.
Investigating WhatsApp Data (contd.)
• Decrypting WhatsApp .db.crypt8
Investigating WhatsApp Data (contd.)
• Using WhatsApp Viewer.
• Decrypts all data. Requires the .NET Framework.
• The "key" file needs to be supplied separately.
• Requires compilation.
Investigating WhatsApp Data (contd.)
• Using WhatsApp Key/DB Extractor. Applicable to Android version 4+.
• Provides a method for WhatsApp users to extract their cipher key on NON-ROOTED Android devices. Once the key has been extracted, Andriller or WhatsApp Viewer can be used to recover the data.
Investigating WhatsApp Data (contd.)
• Check for steganography in:
– Images
– Videos
– Audio
– Text
Tools of the Trade
• Andriller: Android forensic tools.
• WhatsApp Key/DB Extractor: extraction of the key from NON-ROOTED phones.
• WhatsApp-Viewer: retrieves encrypted messages.
• Wforenic: web-based forensic tool to retrieve WhatsApp data.
• SQLite Data Browser
• AccessData FTK Imager or other cloning software.
• LiME: volatile memory capture tool for Android.
Safeguarding Principles
• Be cautious about what you share.
• Remember the Internet is permanent.
• Exercise caution when clicking on links.
• Install antivirus apps like CM Security or Dr. Safety.
• Don't ignore warnings from malware scanners.
• Don't reveal personal information.
• When in doubt, throw it out.
• Learn about security and forensics, and make yourself aware of the different threats.
• Become aware of laws that you might be violating unknowingly.
References
• https://en.wikipedia.org/wiki/WhatsApp
• https://www.magnetforensics.com/mobile-forensics/recovering-whatsapp-forensic-artifacts
• http://www.securitybydefault.com/2012/05/whatsapp-forensics.html
• http://www.whatsapp-viewer.com/
• http://www.digitalinternals.com/security/decrypt-whatsapp-crypt8-database-messages/419/
• http://forum.xda-developers.com/showthread.php?t=2770982
• http://forum.xda-developers.com/showthread.php?t=2588979
Any Queries?
Thank You

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

WhatsApp Forensics

1. WhatsApp Forensics
Presented by Animesh Shaw (Psycho_Coder), Digital Evidence Analyst at data64 Cyber Solutions Pvt. Ltd., psychocoder@outlook.com

2. Discussion Goals
• What is WhatsApp?
• WhatsApp Stats
• Security & Privacy: Previous Issues
• Real World Threat Scenario
• Why Indians Should be Concerned?
• Why WhatsApp Forensics?
• Terminology & Pre-Requisites
• Where to look for evidence?
• Investigating WhatsApp Data
• Tools of Trade
• Safeguarding Principles
• References

3. What is WhatsApp?
• An instant messaging app for smartphones.
• Requires a data connection to send text messages, images, video, user location and audio messages.
• In January 2015, WhatsApp was the most popular messaging app globally.
• In April 2015, WhatsApp reached 800 million active users.
• Acquired by Facebook on February 19, 2014.
• Supported on a wide range of mobile platforms: Android, iOS (iPhone), BlackBerry OS, Windows Phone, Symbian and others.

4. WhatsApp Stats
• WhatsApp was handling ten billion messages per day as of August 2012, up from two billion in April 2012.
• Downloads on Google Play exceed 100 million.
• In only three years it reached the top 30 free applications.
• Among the top five free communication applications on Google Play.
• Facebook acquired WhatsApp for USD 19 billion.
5. Security & Privacy: Previous Issues
• In May 2011, a security hole was reported that left WhatsApp user accounts open to session hijacking.
• In September 2011, it was reported that forged messages could be sent.
• On September 14, 2012, the German tech site The H demonstrated how to use WhatsAPI to hijack any WhatsApp account.
• On 1 December 2014, Indrajeet Bhuyan and Saurav Kar, both 17-year-old teenagers, demonstrated the WhatsApp Message Handler vulnerability, which lets anyone remotely crash WhatsApp by sending a specially crafted message of about 2 KB.

6. Security & Privacy: Previous Issues (contd.)
• In February 2015, a Dutch university student named Maikel Zweerink published an app that set out to prove that anyone can track a WhatsApp user's status and keep an eye on their changing profile pictures, privacy settings or status messages, regardless of their privacy settings.
• The AES-encrypted message database backup (the original .crypt format) used the same key for every installation.
7. Real World Threat Scenario - 1

8. Real World Threat Scenario - 2
• A MAC address is a unique identifier assigned to the network interface of your phone or other device; it essentially serves as the device's identity on the network.
• MAC spoofing is a threat: early WhatsApp clients derived the account password from a device identifier (the Wi-Fi MAC on iOS, the IMEI on Android), which is what made the 2012 WhatsAPI hijack on slide 5 possible.
• Gain physical access to the victim's phone, read its MAC address and spoof it on your own smartphone.
• Using BusyBox and a terminal emulator, change the MAC of the Wi-Fi interface (this needs a rooted phone).
• Reinstall WhatsApp on your phone and register it with the victim's number.
• Read the confirmation code on the victim's phone and erase it there; the code is what actually completes the takeover.
• Restore your previous MAC address.
9. Why Indians Should be Concerned?
• According to current statistics, WhatsApp has its largest exposure in India. (The slide shows a chart of download statistics, January 2015.)
• With 65 million active users, about 10% of all users worldwide, India is the largest single country by number of users.

10. Why Indians Should be Concerned? (contd.)

11. Why WhatsApp Forensics?
• Huge active user base (more than 800 million).
• Ability to share video, images or other data that might contain explicit content.
• Identifying data-security issues in instant messaging applications on Android and other mobile platforms aids forensic investigations.

12. Why WhatsApp Forensics? (contd.)
• Each update can introduce new privacy issues.
• Research is required to build better tools.
• WhatsApp runs on multiple platforms with different file systems.
• New exploits and privacy issues surface every now and then.
13. Terminology & Pre-Requisites
• ADB (Android Debug Bridge)
• Database (SQLite)
• Imaging/Cloning
• Android Developer Mode
• Encryption
  – Symmetric
  – Asymmetric

14. Where to look for evidence?
• WhatsApp's user-visible data is stored either in internal phone storage or on the SD card.
• Location: /storage/emulated/0/WhatsApp/ (encrypted backups under Databases/, shared files under Media/).
• The app's private data, including the live databases and the key file, is under /data/data/com.whatsapp/ and is only readable with root.

15. Where to look for evidence? (contd.)
• .crypt8 backup files are encrypted with AES using a 256-bit key that is unique to the installation.
• The key is stored in /data/data/com.whatsapp/files/key; retrieving it requires a rooted Android phone.
• The older .crypt format used one static 192-bit key for every installation, 346a23652a46392b4d73257c67317e352e3372482177652c (the key printed on the original slide); that key does not decrypt crypt8 files.
• On a rooted phone the unencrypted databases are in /data/data/com.whatsapp/databases/: msgstore.db holds the messages and wa.db the WhatsApp contacts.
• Media folders contain images, calls, videos and other shared media.
16. Where to look for evidence? (contd.)
• Android volatile memory acquisition: why live acquisition?
  – WhatsApp starts at boot and stays resident.
  – Background data and chat logs can be found in system RAM.
  – Deleted messages may still be present in volatile memory.
  – They can be recovered at least partially, if not fully.
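Carving WhatsApp artefacts out of a RAM image, as an added example that is not part of the original deck: the Go program below scans a raw memory dump (such as one produced by LiME) for WhatsApp JIDs and keeps the printable strings that follow each one, which is where message text tends to sit when a chat row or a freed string is still resident. The JID pattern, the context window and the sample image are this example's own assumptions; the sample image is constructed and is not a real dump.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// jidRe matches WhatsApp JIDs as they appear in msgstore.db rows and in process memory:
// individual chats are <number>@s.whatsapp.net, groups are <creator>-<unixtime>@g.us.
// (Assumed pattern for this example.)
var jidRe = regexp.MustCompile(`[0-9]{7,15}(?:-[0-9]{9,10})?@(?:s\.whatsapp\.net|g\.us)`)

// Hit is one JID found in the image plus the printable text that follows it.
type Hit struct {
	Offset  int
	JID     string
	Context string
}

// printableStrings returns runs of printable ASCII of at least minLen bytes, like strings(1).
func printableStrings(b []byte, minLen int) []string {
	var out []string
	start := -1
	for i := 0; i <= len(b); i++ {
		if i < len(b) && b[i] >= 0x20 && b[i] < 0x7f {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(b[start:i]))
		}
		start = -1
	}
	return out
}

// CarveJIDs scans a raw memory image for JIDs. For each hit it keeps the printable
// strings in the next `window` bytes, where message bodies tend to sit when a chat row
// or a freed Java string is still resident in RAM.
func CarveJIDs(img []byte, window int) []Hit {
	var hits []Hit
	for _, m := range jidRe.FindAllIndex(img, -1) {
		end := m[1] + window
		if end > len(img) {
			end = len(img)
		}
		hits = append(hits, Hit{
			Offset:  m[0],
			JID:     string(img[m[0]:m[1]]),
			Context: strings.Join(printableStrings(img[m[1]:end], 4), " | "),
		})
	}
	return hits
}

// sampleImage is a constructed stand-in for a RAM dump: filler bytes around two fragments,
// the second mimicking a group message deleted from msgstore.db but still in memory.
func sampleImage() []byte {
	var b []byte
	b = append(b, bytes.Repeat([]byte{0x00, 0xff, 0x13}, 50)...)
	b = append(b, "919876543210@s.whatsapp.net\x00Meet at the station at 6\x00"...)
	b = append(b, bytes.Repeat([]byte{0x7f, 0x02}, 30)...)
	b = append(b, "919876543210-1419927100@g.us\x00deleted msg still here\x00"...)
	b = append(b, bytes.Repeat([]byte{0x00}, 40)...)
	return b
}

// Usage: go run carve.go [memory.lime]; without an argument the constructed sample is scanned.
// Real dumps are large: read them in chunks with an overlap of a few hundred bytes.
func main() {
	img := sampleImage()
	if len(os.Args) == 2 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		img = data
	}
	for _, h := range CarveJIDs(img, 256) {
		fmt.Printf("0x%08x  %-30s  %s\n", h.Offset, h.JID, h.Context)
	}
}
```

The offsets it prints are offsets into the dump, so a hit can be taken back to the page it lives on; anything recovered this way is a fragment without the row metadata (timestamps, status) that the decrypted msgstore.db carries, and should be reported as such.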
17. Investigating WhatsApp Data
• Clone the Android storage using AccessData FTK Imager.
• Retrieve WhatsApp-related data and much more.
• Using Andriller:
  – Enable Developer Mode on the phone, then enable USB debugging.
  – Connect the phone and accept the RSA fingerprint prompt on it.
  – Click Check; the device serial is detected.
  – Click Go to acquire a backup of the Android data.

18. Investigating WhatsApp Data (contd.)
• Reports are created.
• Several forensically important kinds of data can be retrieved.

19. Investigating WhatsApp Data (contd.)
• Decrypting WhatsApp .db.crypt8
20. Investigating WhatsApp Data (contd.)
• Using WhatsApp Viewer.
• Decrypts all data; requires the .NET Framework.
• The key file must be supplied separately.
• Has to be compiled from source.

21. Investigating WhatsApp Data (contd.)
• Using WhatsApp Key/DB Extractor, applicable to Android 4.0 and later.
• Provides a method for WhatsApp users to extract their cipher key on NON-ROOTED Android devices (it does so through adb backup of a temporarily installed legacy WhatsApp build that still permitted backups).
• Once the key has been extracted, Andriller or WhatsApp Viewer can recover the data.
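A minimal crypt8 decrypter in Go, as an added example that is neither the deck's own material nor code from WhatsApp Viewer or Andriller: it parses the key file from slide 15, checks the IV copy in the backup header against it, runs AES-256-CBC, strips the padding and inflates the compressed database. The offsets (158-byte key file with the IV at 110 and the key at 126; 67-byte crypt8 header with the IV at 51) and the gzip/zlib framing are what the public crypt8 decrypters of that era use and are assumptions here, not something the slides state.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"io"
	"os"
)

// Offsets are those used by the public crypt8 decrypters (assumed here, not stated on the slides):
// key file (/data/data/com.whatsapp/files/key): 158 bytes, IV at 110..126, AES-256 key at 126..158.
// msgstore.db.crypt8: 67-byte header carrying a copy of the IV at 51..67, then AES-256-CBC with
// PKCS#7 padding over the gzip- or zlib-compressed SQLite file.
const (
	keyFileLen, keyIVOff, keyKeyOff = 158, 110, 126
	hdrLen, hdrIVOff                = 67, 51
)

// ParseKeyFile extracts the AES-256 key and the IV from WhatsApp's key file.
func ParseKeyFile(kf []byte) (key, iv []byte, err error) {
	if len(kf) != keyFileLen {
		return nil, nil, fmt.Errorf("key file is %d bytes, expected %d", len(kf), keyFileLen)
	}
	return kf[keyKeyOff : keyKeyOff+32], kf[keyIVOff : keyIVOff+16], nil
}

// DecryptCrypt8 turns a msgstore.db.crypt8 blob plus the key file into a plain SQLite database.
func DecryptCrypt8(crypt, keyFile []byte) ([]byte, error) {
	key, iv, err := ParseKeyFile(keyFile)
	if err != nil {
		return nil, err
	}
	if len(crypt) < hdrLen+aes.BlockSize || (len(crypt)-hdrLen)%aes.BlockSize != 0 {
		return nil, errors.New("crypt8 file is truncated or not block-aligned")
	}
	// The header repeats the IV; a mismatch means the key file came from another installation.
	if !bytes.Equal(crypt[hdrIVOff:hdrIVOff+16], iv) {
		return nil, errors.New("IV in crypt8 header does not match the key file")
	}
	block, _ := aes.NewCipher(key) // cannot fail: ParseKeyFile guarantees a 32-byte key
	plain := make([]byte, len(crypt)-hdrLen)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, crypt[hdrLen:])
	if plain, err = unpadPKCS7(plain); err != nil {
		return nil, err
	}
	db, err := inflate(plain)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(db, []byte("SQLite format 3\x00")) {
		return nil, errors.New("decrypted data does not start with the SQLite magic")
	}
	return db, nil
}

// unpadPKCS7 strips CBC padding; callers pass at least one block. A bad pad almost always means a wrong key.
func unpadPKCS7(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("invalid PKCS#7 padding (wrong key?)")
	}
	return b[:len(b)-n], nil
}

// inflate accepts both gzip and zlib framing, as the public viewers do.
func inflate(b []byte) ([]byte, error) {
	var r io.ReadCloser
	var err error
	if bytes.HasPrefix(b, []byte{0x1f, 0x8b}) {
		r, err = gzip.NewReader(bytes.NewReader(b))
	} else {
		r, err = zlib.NewReader(bytes.NewReader(b))
	}
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

func must(b []byte, err error) []byte {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	return b
}
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: crypt8 <msgstore.db.crypt8> <key>")
		os.Exit(2)
	}
	os.Stdout.Write(must(DecryptCrypt8(must(os.ReadFile(os.Args[1])), must(os.ReadFile(os.Args[2])))))
}
```

Run it as `go run crypt8.go msgstore.db.crypt8 key > msgstore.db` and open the result with the SQLite Data Browser from slide 23. A key file from a different installation is caught by the IV comparison, and a corrupted key by the padding and SQLite-magic checks, so the tool fails loudly instead of writing garbage that might be mistaken for evidence.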
22. Investigating WhatsApp Data (contd.)
• Check for steganography in:
  – Images
  – Videos
  – Audio
  – Text

23. Tools of Trade
• Andriller: Android forensic tools.
• WhatsApp Key/DB Extractor: extraction of the key from NON-ROOTED phones.
• WhatsApp Viewer: decrypts and displays the encrypted message databases.
• WForensic: web-based forensic tool to retrieve WhatsApp data.
• SQLite Data Browser.
• AccessData FTK Imager or other cloning software.
• LiME (Linux Memory Extractor): volatile memory capture tool for Android.
24. Safeguarding Principles
• Be cautious about what you share.
• Remember that the Internet is permanent.
• Exercise caution when clicking on links.
• Install anti-virus apps such as CM Security or Dr. Safety.
• Don't ignore warnings from malware scanners.
• Don't reveal personal information.
• When in doubt, throw it out.
• Learn about security and forensics, and become aware of the different threats.
• Become aware of laws that you might be violating unknowingly.
25. References
• https://en.wikipedia.org/wiki/WhatsApp
• https://www.magnetforensics.com/mobile-forensics/recovering-whatsapp-forensic-artifacts
• http://www.securitybydefault.com/2012/05/whatsapp-forensics.html
• http://www.whatsapp-viewer.com/
• http://www.digitalinternals.com/security/decrypt-whatsapp-crypt8-database-messages/419/
• http://forum.xda-developers.com/showthread.php?t=2770982
• http://forum.xda-developers.com/showthread.php?t=2588979