WhatsApp network forensics: Decrypting and understanding ...WhatsApp network forensics: Decrypting...

ilable at ScienceDirect

Digital Investigation xxx (2015) 1e9

Contents lists ava

Digital Investigation

journal homepage: www.elsevier .com/locate/d i in

WhatsApp network forensics: Decrypting and understandingthe WhatsApp call signaling messages

F. Karpisek a, I. Baggili b, *, F. Breitinger b

a Faculty of Information Technology, Brno University of Technology, Czech Republicb Cyber Forensics Research & Education Group, Tagliatela College of Engineering, ECECS, University of New Haven, 300 Boston Post Rd.,West Haven, CT, 06516, USA

a r t i c l e i n f o

Article history:Received 10 July 2015Received in revised form 17 September 2015Accepted 19 September 2015Available online xxxx

Keywords:WhatsAppReverse engineeringProprietary protocolSignaling protocolsNetwork forensicsDecryptionMobile forensicsDigital forensicsCyber securityAudio encoding

* Corresponding author.E-mail addresses: [email protected] (F.

newhaven.edu (I. Baggili), [email protected]: http://www.unhcfreg.com/, http://www.FB

1 http://money.cnn.com/2014/02/19/technology/swhatsapp/, last accessed 2015-07-03.

http://dx.doi.org/10.1016/j.diin.2015.09.0021742-2876/© 2015 Elsevier Ltd. All rights reserved.

Please cite this article in press as: Karpisekcall signaling messages, Digital Investigati

a b s t r a c t

WhatsApp is a widely adopted mobile messaging application with over 800 million users.Recently, a calling feature was added to the application and no comprehensive digitalforensic analysis has been performed with regards to this feature at the time of writing thispaper. In this work, we describe how we were able to decrypt the network traffic andobtain forensic artifacts that relate to this new calling feature which included the: a)WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d)WhatsApp call duration, and e) WhatsApp's call termination. We explain the methods andtools used to decrypt the traffic as well as thoroughly elaborate on our findings withrespect to the WhatsApp signaling messages. Furthermore, we also provide the commu-nity with a tool that helps in the visualization of the WhatsApp protocol messages.

© 2015 Elsevier Ltd. All rights reserved.

Introduction

WhatsApp is one of the most widely used personal-messaging mobile applications for free texting and con-tent sharing (namely audio, video, images, location andcontacts), boasting over 800 million users worldwide andwas bought by facebook in 2014 for $19 Billion.1 The callingfeature was added recently in version 2.11.552, which wasreleased 2015-03-05 (Arce, 2015).

From its wide adoption, it is obvious how WhastAppcommunication exchanges may be used during an

Karpisek), IBaggili@u (F. Breitinger).reitinger.de/ocial/facebook-

F, et al., WhatsApp netwon (2015), http://dx.doi.

investigation, making the artifacts it produces of compel-ling forensic relevance. Therefore, we see a strong necessityfor both researchers and practitioners to gain a compre-hensive understanding of the networking protocol used inWhatsApp, as well as the type of forensically relevant datait contains. Most importantly, due to the newly introducedcalling feature, it becomes essential to understand thesignaling messages used in the establishment of calls be-tween the WhatsApp clients and servers. The methods andtools used in this research could be relevant to in-vestigations where proving that a call wasmade at a certaindate and time is necessary.

Our contribution outlines the WhatsApp messagingprotocol from a networking perspective and provides asolution to explore and study WhatsApp network com-munications. In terms of novelty, to our knowledge, this isthe first paper that discusses the WhatsApp signalingmessages used when establishing voice calls. The work has

ork forensics: Decrypting and understanding the WhatsApporg/10.1016/j.diin.2015.09.002

http://www.unhcfreg.com/mailto:[email protected]:[email protected]:[email protected]:[email protected]://www.unhcfreg.com/http://www.FBreitinger.de/http://money.cnn.com/2014/02/19/technology/social/facebook-whatsapp/http://money.cnn.com/2014/02/19/technology/social/facebook-whatsapp/www.sciencedirect.com/science/journal/17422876http://www.elsevier.com/locate/diinhttp://dx.doi.org/10.1016/j.diin.2015.09.002http://dx.doi.org/10.1016/j.diin.2015.09.002http://dx.doi.org/10.1016/j.diin.2015.09.002

2 https://github.com/WHAnonymous/Chat-API/wiki/FunXMPP-Protocol, last accessed 2015-07-03.

F. Karpisek et al. / Digital Investigation xxx (2015) 1e92

impact on practitioners in the field that have obtainednetwork traffic for a potential suspect, as well as providingscientists literature for better understanding the networkprotocol itself.

The rest of the paper is organized as follows. In SectionRelated work we review existing work, while SectionWhatsApp protocol describes the WhatsApp protocol.Then, in Section Tool for visualizing WhatsApp protocolmessages we describe the tool we created for visualizingexchanged WhatsApp messages. In Section Decryption, wedescribe the process of obtaining decrypted connectionsbetween the WhatsApp client and the WhatsApp server.Then in Section Findings we examine the message contentsand discuss the meaning of the signalingmessages during aWhatsApp call. Finally, in Section Conclusions, we offerconcluding remarks and outline some future research.

Related work

There has been research conducted on the forensics ofWhatsApp but the majority of that work focused on thedata that WhatsApp stores on the mobile device whencompared to our work which focuses on the network fo-rensics of WhatsApp.

Network protocol forensics

At the time of writing this paper, the work on networkprotocol forensics of WhatsApp was sparse. The only workthat provided any detail on WhatsApp's networking pro-tocol was the Hancke (2015) report. Hancke (2015)'s workfocused more on Realtime Transport Protocol (RTP) mediastreams (Schulzrinne et al., 2003). The report fails to un-cover the call signalingmessages used byWhatsApp, whichis elaborated on by our work.

Mobile device forensics

Anglano (2014) performed an in-depth analysis ofWhatsApp on Android devices. The work provided acomprehensive description of the artifacts generated byWhatsApp and discussed the decoding, interpretation andrelationship between the artifacts. Anglano (2014) was ableto provide an analyst with the means of reconstructing thelist of contacts and chronology of the messages that havebeen exchanged by users.

Theworks by Thakur (2013) andMahajan et al. (2013) aresimilar to previous studies since they both focused on theforensic analysis of WhatsApp on Android. These studiesuncovered the forensic acquisition of the artifacts left byWhatsApp on the device. Thakur (2013) focused on theforensicanalysisofWhatsAppartifactsonanAndroidphone'sstorage and volatile memory. The results showed that one isable to obtain many artifacts such as phone numbers, mes-sages, media files, locations, profile pictures, logs and more.Mahajan et al. (2013) analyzedWhatsApp and Viber artifactsusing theCellebrite Forensic ExtractionDevice (UFED) toolkit.They were able to recover contact lists, exchanged messagesand media including their timestamps and call details.

Walnycky et al. (2015) examined 20 different popularmobile social-messaging applications for Android including

Please cite this article in press as: Karpisek F, et al., WhatsApp netwcall signaling messages, Digital Investigation (2015), http://dx.doi.

WhatsApp. In their work, they focused on unencryptedtraffic that could be easily reconstructed. WhatsApp wasfound to be favorable at encrypting its network traffic whencompared to other mobile social-messaging applications.Therefore, based on the primarily findings by Walnyckyet al. (2015), our study aimed at further investigating anddissecting the WhatsApp protocol, and in specific, focusingon the signaling messages used when establishing What-sApp calls given this new feature. However, in order to divedeeper into the signaling messages, one must understandsome known attributes of the WhatsApp protocol whichwe discuss in Section WhatsApp protocol below.

WhatsApp protocol

WhatsApp uses the FunXMPP protocol for message ex-change which is a binary-efficient encoded ExtensibleMessaging and Presence Protocol (XMPP) (WHAnonymous,2015c). The WhatsApp protocol is also briefly described byLowLevel-Studios (2012) from an implementation perspec-tive. To fully describe the FunXMPP protocol is beyond thispaper's scope. For more information on the protocol thereaders may want visit a website outlining the protocol.2

Authentication procedure

There are two types of authentication procedures theWhatsApp client can use when connecting to the servers. Ifit is the first time the client is connecting to the server, a fullhandshake is performed as illustrated in Fig. 1. Subse-quently, for any consecutive connections, only a halfhandshake is executed using data provided from the initialfull handshake.

We note that a half handshake therefore results in usingthe same session keys multiple times, which can bedeemed as a plausible protocol security weakness.

Full handshakeThe authentication procedure as described by the de-

velopers of WhatsAPI consists of three messages(WHAnonymous, 2015a). This is synonymous with the wellknown three-way handshake and is described in detail inthe following paragraphs. These messages can be observedin Fig. 1 which was created using our developed tool (formore details see Section Tool for visualizing WhatsAppprotocol messages).

As shown in Fig. 1, first, the client sends an message to the server. This message is not encrypted andcontains the client number and authentication method theclient wants to use.

Then, the server replies with a messagecontaining a 20 byte long nonce for the session key gener-ation. Session keys are then generated using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm usingthe password as a passphrase and the nonce as a salt. Boththe server and the client know the password and nonce sothe generated keys are the same on both ends. Four keys are


https://github.com/WHAnonymous/Chat-API/wiki/FunXMPP-Protocolhttps://github.com/WHAnonymous/Chat-API/wiki/FunXMPP-Protocol

Fig. 1. Full handshake between WhatsApp client and server. Note: Numbers on the left side represent packet numbers (see Appendix A for the source pcap file).Also, there can be multiple messages in one packet.

F. Karpisek et al. / Digital Investigation xxx (2015) 1e9 3

generated in total: two keys for confidentiality (one for eachdirection e from the server and to server) and two keys forthe integrity check (again one for each direction).

The client then creates a message thatconsists of a concatenated client phone number in ASCII,nonce sent by the server in binary, current Unix timestampin ASCII and other device description data. This message isencrypted using the generated session keys and it is pre-pended by the hash of the message for integrity checkingpurposes. Decrypted contents of the response message areillustrated in Fig. 2, where we can see the aforementionedfields e their hexadecimal value and also the ASCII repre-sentation as displayed by Wireshark.

If registration is successful, the server replies with amessage that is encrypted. Otherwise, the serverreplies with a message that is not encrypted.

Half handshakeA half handshake consists only of an message

that already contains the data of a messagedescribed above, and the server's reply, a mes-sage. The client uses the nonce from the earlier session


which means that this nonce is not known by outsiders,therefore, it is not possible to decrypt such a session, assession encryption keys cannot be determined.

Tool for visualizing WhatsApp protocol messages

Description

Our tool is a command-line program written in Python(version 2.7). It is named convertPDML.py as it converts thePDML file exported fromWireshark to an HTML report. It isavailable in the form of source code, see Appendix A formore details. It requires one input parameter; a path to anXML file containing the details of dissected packets. See thestep 6 in Section Decryption procedure for details on howto create the XML file.

The output of the tool is a report file containing all themessages exchanged between theWhatsApp client and theWhatsApp servers in HTML format as shown in Fig. 1.Hence, any standard browser can be used to view the re-sults. Messages are ordered chronologically as they appearin the input XML file.


Fig. 2. Content of message with marked regions.


Usage

As mentioned above, the tool requires am XML file as aninput parameter. Example: convertPDML.py INPUT.xml.

Network traffic collection

This section explains how we collected the WhatsAppnetwork traffic. More details are presented in SectionsExperimental setup and High level methodology.

Experimental setup

We used the setup exemplified in Fig. 3 for capturingnetwork traffic between the WhatsApp messenger runningon an Android phone and the WhatsApp servers. Thehardware and software used in the experimental setup arelisted below:

Equipment used in experimental setup:

� Phone: Lenovo P780, Android 4.2.1, runninge Whatsapp v2.12.84 which was downloaded from

the Google play store.e Password Extractor v1.03.

� Laptop: Lenovo ThinkPad T420s with Windows 7 64-bitwith the following installed software:e Wireshark v1.12.5, 32-bit, with the WhatsApp

dissector.4

e Pidgin v2.12.11,5 32-bit, with the WhatsApp plugin.6

High level methodology

First, we disconnected the Android phone from anyInternet connection and used the Password Extractor

3 https://www.mgp25.com/downloads/pw.apk, last accessed 2015-07-06.

4 https://davidgf.net/page/37/whatsapp-dissector-for-wireshark, lastaccessed 2015-07-06.

5 https://pidgin.im/, last accessed 2015-07-06.6 https://davidgf.net/whatsapp/, last accessed 2015-07-06.


application to gain access to the WhatsApp password. Wenote that the phone had to be rooted to use this application.We would also like to mention that there could have beenmultiple ways to gain access to the password on the devicesuch as using commercially available tools to acquire aforensic image of the phone, and in some cases gainingaccess to the password can be achieved without rooting thephone if the acquisition method allows the investigator toacquire the image without rooting the device.

We then utilized Pidgin messenger with the WhatsAppplugin and obtained the WhatsApp password for connect-ing to the WhatsApp servers in order to desynchronize theWhatsApp client installed on the Android phone. This wasperformed in order for us to capture the full handshake (seeSection Full handshake for more details).

The next step included setting up awifi access point (seeFig. 3) on the laptop and sharing the Internet connectionfrom the Ethernet port to the wifi adapter. The laptop nowacted as a wifi router. We then started capturing all thetraffic on the access point's network. In the next step, weconnected the phone to the created wifi network and madea WhatsApp call to a user with phone number 1-203-xxx-xxxx. Finally, we finished capturing the traffic and savedthe created pcap file.

Following the aforementioned methodology allowed usto collect network traffic enabling us to perform explor-atory analysis. In the following Section Decryption, weoutline the resultant steps that we were able to reproducefor decrypting the WhatsApp messaging traffic.

Decryption

According to LowLevel-Studios (2012) andWHAnonymous (2015a), encryption and decryption inWhatsApp is performed with a symmetric RC4 stream ci-pher using keys generated during authentication which isdescribed in the Section Authentication procedure.

Therefore, in order to decrypt the communication be-tween the WhatsApp servers and the WhatsApp client,session keys for each direction (as WhatsApp uses one keyfor communication from device to the server and adifferent one for communication from the server to the


https://www.mgp25.com/downloads/pw.apkhttps://davidgf.net/page/37/whatsapp-dissector-for-wiresharkhttps://pidgin.im/https://davidgf.net/whatsapp/

Fig. 3. Experimental setup.


device) are required. The process of obtaining these keys isprovided in Section Full handshake.

Prerequisites

Our work showed that there are two mandatory re-quirements for the successful decryption of WhatsAppmessaging connections:

� The password associated with the WhatsApp account.� The record of the full handshake between theWhatsApp

client and the server.

Tools used

We outline the list of software tools that were used inthe decryption process:

� To obtain the password, there are multiple optionsbased on themobile device being used (WHAnonymous,2015b). As we were using an already rooted Androidphone, the easiest way was to extract the passwordusing the Password Extractor application.

� To force WhatsApp to establish a full handshake thenext time the mobile device connected to the server, itwas necessary to break the synchronization betweenthe WhatsApp client and the server. The simplest wayfor doing that was to connect using a different client. Forthat purpose, we used the IM client Pidgin alongside theWhatsApp plugin.

� To decrypt theWhatsApp connection between the clientand server, we usedWireshark and aWhatsApp-specificdissector.

� To visualize the WhatsApp protocol message exchangewe created a command-line tool described in SectionTool for visualizing WhatsApp protocol messages.

Decryption procedure

In this section, we elaborate using a step-by-step pro-cedure describing how to successfully decrypt and visualize


the exchange of WhatsApp protocol's messages betweenthe WhatsApp client and the servers.

1. As the Android phone we were using, was rooted,obtaining the password was as easy as installing andrunning an application mentioned in the Section Toolsused. In our case, the username (phone number) was420xxxxxxxxx with the following extracted password627XlMqch8i5Ncy2tRSbZLXs2m0¼.

2. After obtaining credentials for the WhatsApp account(phone number and password), we disconnected themobile device runningWhatsApp from the wifi networkand used the IM client Pidgin with the WhatsApp pluginand used the obtained credentials to log into ourWhatsApp account. This broke the synchronization be-tween theWhatsApp client on themobile device and theWhatsApp server forcing the client to authenticate usinga full handshake.

3. We then connected the mobile device running theWhatsApp client back to the wifi access point capturingall the communication from and to the mobile device asexplained in Section Experimental setup. After theWhatsApp client logged into the WhatsApp account, weplaced a WhatsApp call to another device. All recordedcommunication was saved to a pcap file. Access to thepcap file is presented in the Appendix A.

4. After we captured all the communication between theWhatsApp client and the WhatsApp server, we providedthe WhatsApp dissector in Wireshark with the creden-tials we obtained in the prior steps. To do that we usedWireshark's menu Edit e> Preferences and in the Pro-tocols section we set up the WhatsApp dissector withthe same options exemplified in Fig. 4.

After setting up the WhatsApp dissector correctly, we wereable to observe the content of encrypted messages and thecontent of the message should start with thenumber used in message as shown in Fig. 2.5. When the communicationwas decrypted we exported it

to XML format usingWireshark's function Filee> ExportPacket Dissections e> as XML e “PDML” (packet details)file.... We provide access to this XML file in the AppendixA. Part of this XML file e namely is illustrated inListing 1 where we can see the same values as in


Fig. 4. WhatsApp Wireshark dissector settings.

Fig. 5. Signaling messages of WhatsApp call (numbers refer to packetnumbers).


message from Fig. 1 e attribute user with value420xxxxxxxxx (lines 33e38) and attribute mechanismwith value WAUTH-2 (lines 39e44).

6. The final step involved using our tool to generate areport of the WhatsApp message exchange between theWhatsApp client and WhatsApp servers. For that weused the XML file generated in the previous step. Formore details refer to the Section Tool for visualizingWhatsApp protocol messages.

Findings

In the following subsections, we describe our findingson the signaling messages used for call establishment inWhatsApp. For a visual representation of our findingsreaders may want to refer to Fig. 5.

Protocol analysis of call signaling messages

In this section we elaborate on messages that we hy-pothesize are part of the establishment of a WhatsApp callas we observed it in the decrypted captured communica-tion traffic. We used the captured pcap file and the HTMLreport generated from the same pcap file (refer to theSection Decryption procedure for more details). Both ofthese files can be downloaded from Appendix A. In the restof this section, we refer to the packet numbers displayed onthe leftmost side in the flow diagram of signaling messageexchange in Fig. 5.

First (in packets [8]e[32]), the WhatsApp client con-nects and authenticates with the first WhatsApp server174.37.231.87 but there is no activity regarding a call.

Starting with packet [33], theWhatsApp client connectsand authenticates to a second WhatsApp server174.36.210.45 and starts placing a call.

Right after connecting to the second server, in packet[41], the client asks for the presence of the called party

Please cite this article in press as: Karpisek F, et al., WhatsApp network forensics: Decrypting and understanding the WhatsAppcall signaling messages, Digital Investigation (2015), http://dx.doi.org/10.1016/j.diin.2015.09.002

7 http://www.opus-codec.org/, last accessed 2015-07-06.


(phone number 1-203-xxx-xxxx) and starts the callestablishment process by sending message tothe called party. This happens in packet [42]. There wecan observe the property call-id¼“1431719979-2” for thefirst time. This property remains constant throughoutthe rest of the signaling messages during the wholesignaling process and it identifies the call as it is uniquefor each call and therefore changes every time a call isinitiated.

In this first message we can also observe that the caller isoffering to use the Opus codec (Valin et al., 2012) (in prop-erty ) for voice data in two sampling rates, 8 kHzand 16 kHz. We also observe the properties (value of16 bytes ¼ 128 bits) and (192 bytes ¼ 1536 bits)values which wewere not able to decode. We postulate thatthey might be some kind of initialization vectors forencryption of media streams and/or description of thesestreams. The last property is contains a 6 byte valuethat we decoded as the endpoint (IP address and port)where the client announces the endpoint address for themedia stream. Its value is 192.168.137.208:46416.

The server replies with in packet [43] whichcontains property (value of 204 bytes ¼ 1632 bits)which we were also unable to decode, multiple properties that announce endpoint addresses of relay servers (8servers in total), and properties , (gaincontrol) and (noise suppression) that we hypothesizefurther specify media encoding.

Packets [44] and [45] carry messages and ofthe receipt. To the best of our knowledge, these messagesdo not contain any data of interest.

Packet [46] going from the server to the client carries themessage and has the property thatasserts that the used codec for media streams will be theOpus codec at the sampling rate of 16 kHz. It also containsthe property that has the same length as the same property in packet [42] (192 bytes ¼ 1536 bits) butcarries different value.

Packet [47] carries the message which con-tains the client's endpoint address but fromanexternal pointofvieweapublic endpointaddress. This address is foundoutby the clientusingTraversalUsingRelaysaroundNAT (TURN)mechanism (Mahy et al., 2010)e client asks the TURN serverwhat is its (client's) IP address fromtheoutsidepointof view.Its value is 64.251.61.74:62334 which differs from the valuein packet [42] e 192.168.137.208:46416. Packet [48] carriesthe message to the previous message.

We can observe a relay server election in packets [49]e[65]. The client finds out latency between itself and therelay servers obtained from message from packet[43] and one of the servers is elected.

The last message of the call establishment process ismessage in packet [70]. It contains the property that confirms that the used codec is Opus, sam-pling rate 16 kHz, properties and (with thesame value as in packet [47]) and two endpoint addresses:private e 192.168.1.22:55607 and public e64.251.61.74:55607. These endpoint addresses are usedwhen trying to establish a direct peer-to-peer (P2P)connection. Packet [71] contains message con-firming the previous message.


After that, both-way media stream is established from192.168.137.208:46416 to 31.13.74.48:3478 using RTP. Theseaddresses were announced in a message in packet [42] andduring the relay server election.

After about 30 s of the ongoing call, the client connectsto another WhatsApp server (108.168.180.110) andsignaling messages start flowing through this server. Theclient then announces new endpoint addresses in packets[2688] and [2711] and after a new relay election process, anew media stream is created replacing the previous oneusing a new endpoint address.

Finally, the client connects to another WhatsApp server(174.37.231.88) and sends two identical messages in packets [7921] and [7925] and the call isterminated.

Media streams

Hancke (2015) mentioned in his report that WhatsAppuses a codec at 16 kHz sampling rate with bandwidth ofabout 20 kbit/s. Unlike us, Philipp Hancke did not haveaccess to the decrypted signalingmessages and thuswe cannow declare that WhatsApp is using the Opus codec forvoice media streams at either 8 kHz or 16 kHz samplingrate which is decided at call setup.

We attempted to decode the media using the open-source implementation of the Opus codec7 but the deco-ded result was not voice audio. From that and from thefact that we can observe properties (SRTP standsfor Secure Realtime Transport Protocol (Baugher et al.,2004)) we infer that these media streams are beingencrypted.

Analysis summary

Through the analysis of signaling messages exchangedduring a WhatsApp call we were able to:

� Closely examine the authentication process of What-sApp clients.

� Discover what codec WhatsApp is using for voice mediastreams e Opus at 8 or 16 kHz sampling rates.

� Understand how relay servers are announced and therelay election mechanism.

� Understand how clients announce their endpoint ad-dresses for media streams.

Gaining insight into these signaling messages is essen-tial for the understanding of the WhatsApp protocolespecially in the area of WhatsApp call analysis from aforensic networking perspective.

Forensically relevant artifacts

As shown in Table 1, forensically relevant artifacts maybe extracted from the network traffic using the outlined


http://www.opus-codec.org/

Table 1Forensically relevant data, their location and sample data.


methodology. Most notably (see Fig. 1), we were able toacquire the following artifacts from the network traffic:

� WhatsApp phone numbers.� WhatsApp phone call establishment metadata and

datetime stamps.� WhatsApp phone call termination metadata and date-

time stamps.� WhatsApp phone call duration metadata and datetime

stamps.� WhatsApp's phone call voice codec (Opus).� WhatsApp's relay server IP addresses used during the

calls.

Conclusions

In this work, we decrypted the WhatsApp clientconnection to the WhatsApp servers and visualized mes-sages exchanged through such a connection using acommand-line tool we created. This tool may be useful fordeeper analysis of the WhatsApp protocol.

We also uncovered the hypothesized signaling mes-sages of the WhatsApp call which revealed what codec isbeing actually used for media transfer (Opus), as well asforensically relevant metadata about the call establish-ment, termination, duration and phone numbers associ-ated with the call.


Future work

In this work we were unable to decode media RTPstreams as they seem to be encrypted. However, we hy-pothesize that encryption keys are most likely beingtransferred inside the signaling messages during the set upof a WhatsApp call and therefore we postulate that itshould be possible, in theory, to decrypt these mediastreams as well. The main challenge for this task is to findout the encryption keys and encryption algorithm used.

We would also like to note that a limitation of ourwork is that it was tested on an Android device. Althoughwe hypothesize that the protocol used in the communi-cation will be constant across platforms, recreating theexperiments with different devices and operating sys-tems running WhatsApp is needed to validate that claim.Also, we would like to note that as more features areadded to WhatsApp, more experiments need to be con-ducted to ensure that the design of the protocol does notchange.

We would also like to encourage other researchers toapply the techniques explained in our work to analyze thenetwork traffic of other popular messaging applications sothat the forensic community can gain a better under-standing of the forensically relevant artifacts that may beextracted from the network traffic, and not only the datastored on the devices.



Appendix A. Reference files

These are files that were used throughout this paper.These files can be provided to researchers by visiting ourwebsite http://www.unhcfreg.com under Tools & Data.

� whatsapp_register_and_call.pcap e pcap file containinguser with phone number 420xxxxxxxxx connecting tomultipleWhatsApp servers and placing a call to the userwith phone number 1-203-xxx-xxxx.

� whatsapp_register_and_call.xml e content of previouspcap file exported from Wireshark in XML format.

� whatsapp_register_and_call.html e HTML file that wasgenerated from previous XML file using our tool.

� convertPDML.py e command-line tool for convertingXML files exported from Wireshark to a visual HTMLreport containing flow ofWhatsAppmessages exchangedbetween WhatsApp Messenger and the WhatsAppservers.

References

Anglano C. Forensic analysis of whatsapp messenger on android smart-phones. Digit Investig 2014;11:201e13. URL, http://www.sciencedirect.com/science/article/pii/S1742287614000437 [last accessed 06.07.15].

Arce N. Whatsapp calling for android and IOS: How to get it and what toknow. 2015. URL, http://www.techtimes.com/articles/38291/20150309/whatsapp-calling-for-android-and-ios-how-to-get-it-and-what-to-know.htm [last accessed 27.05.15].


Baugher M, McGrew D, Naslund M, Carrara E, Norrman K. The secure real-time transport protocol (SRTP). 2004. URL, https://www.ietf.org/rfc/rfc3711.txt [last accessed 06.07.15].

Hancke P. Whatsapp exposed: Investigative report. 2015. URL, https://webrtchacks.com/wp-content/uploads/2015/04/WhatsappReport.pdf[last accessed 03.06.15].

LowLevel-Studios. Whatsapp protocol 1.2: a brief explanation. 2012. URL,http://lowlevel-studios.com/whatsapp-protocol-1-2-a-brief-explanation/ [last accessed 03.06.15].

Mahajan A, Dahiya M, Sanghvi H. Forensic analysis of instant messengerapplications on android devices. 2013. arXiv preprint arXiv:1304.4915,.URL, http://arxiv.org/abs/1304.4915 [last accessed 06.07.15].

Mahy R, Matthews P, Rosenberg J. Traversal using relays around NAT(TURN). 2010. URL, https://tools.ietf.org/html/rfc5766 [last accessed06.07.15].

Schulzrinne H, Casner S, Frederick R, Jacobson V. RTP: a transport protocolfor real-time applications. 2003. URL, https://www.ietf.org/rfc/rfc3550.txt [last accessed 06.07.15].

Thakur NS. Forensic analysis of WhatsApp on android smartphones(Master's thesis). University of New Orleans; 2013. URL, http://scholarworks.uno.edu/td/1706/ [last accessed 06.07.15].

Valin J, Vos K, Terriberry T. Definition of the opus audio codec. 2012. URL,http://tools.ietf.org/html/rfc6716 [last accessed 06.07.15].

Walnycky D, Baggili I, Marrington A, Moore J, Breitinger F. Network anddevice forensic analysis of android social-messaging applications.Digit Investig 2015;14:S77e84.

WHAnonymous. Authentication overview (WAUTH 2). 2015. URL, https://github.com/WHAnonymous/Chat-API/wiki/Authentication-Overview-(WAUTH-2. https://github.com/WHAnonymous/Chat-API/wiki/Authentication-Overview-(WAUTH-2) [last accessed 03.06.15].

WHAnonymous. Extracting password from device. 2015. URL, https://github.com/WHAnonymous/Chat-API/wiki/Extracting-password-from-device [last accessed 12.06.15].

WHAnonymous. Funxmpp-protocol. 2015. URL, https://github.com/WHAnonymous/Chat-API/wiki/FunXMPP-Protocol [last accessed03.06.15].


http://www.unhcfreg.comhttp://www.sciencedirect.com/science/article/pii/S1742287614000437http://www.sciencedirect.com/science/article/pii/S1742287614000437http://www.techtimes.com/articles/38291/20150309/whatsapp-calling-for-android-and-ios-how-to-get-it-and-what-to-know.htmhttp://www.techtimes.com/articles/38291/20150309/whatsapp-calling-for-android-and-ios-how-to-get-it-and-what-to-know.htmhttp://www.techtimes.com/articles/38291/20150309/whatsapp-calling-for-android-and-ios-how-to-get-it-and-what-to-know.htmhttps://www.ietf.org/rfc/rfc3711.txthttps://www.ietf.org/rfc/rfc3711.txthttps://webrtchacks.com/wp-content/uploads/2015/04/WhatsappReport.pdfhttps://webrtchacks.com/wp-content/uploads/2015/04/WhatsappReport.pdfhttp://lowlevel-studios.com/whatsapp-protocol-1-2-a-brief-explanation/http://lowlevel-studios.com/whatsapp-protocol-1-2-a-brief-explanation/http://arxiv.org/abs/1304.4915https://tools.ietf.org/html/rfc5766https://www.ietf.org/rfc/rfc3550.txthttps://www.ietf.org/rfc/rfc3550.txthttp://scholarworks.uno.edu/td/1706/http://scholarworks.uno.edu/td/1706/http://tools.ietf.org/html/rfc6716http://refhub.elsevier.com/S1742-2876(15)00098-5/sref11http://refhub.elsevier.com/S1742-2876(15)00098-5/sref11http://refhub.elsevier.com/S1742-2876(15)00098-5/sref11http://refhub.elsevier.com/S1742-2876(15)00098-5/sref11https://github.com/WHAnonymous/Chat-API/wiki/Authentication-Overview-(WAUTH-2https://github.com/WHAnonymous/Chat-API/wiki/Authentication-Overview-(WAUTH-2https://github.com/WHAnonymous/Chat-API/wiki/Authentication-Overview-(WAUTH-2https://github.com/WHAnonymous/Chat-API/wiki/Authentication-Overview-(WAUTH-2)https://github.com/WHAnonymous/Chat-API/wiki/Authentication-Overview-(WAUTH-2)https://github.com/WHAnonymous/Chat-API/wiki/Extracting-password-from-devicehttps://github.com/WHAnonymous/Chat-API/wiki/Extracting-password-from-devicehttps://github.com/WHAnonymous/Chat-API/wiki/Extracting-password-from-devicehttps://github.com/WHAnonymous/Chat-API/wiki/FunXMPP-Protocolhttps://github.com/WHAnonymous/Chat-API/wiki/FunXMPP-Protocol

WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messagesIntroductionRelated workNetwork protocol forensicsMobile device forensics

WhatsApp protocolAuthentication procedureFull handshakeHalf handshake

Tool for visualizing WhatsApp protocol messagesDescriptionUsage

Network traffic collectionExperimental setupHigh level methodology

DecryptionPrerequisitesTools usedDecryption procedure

FindingsProtocol analysis of call signaling messagesMedia streamsAnalysis summaryForensically relevant artifacts

ConclusionsFuture workAppendix A. Reference filesReferences

WhatsApp network forensics: Decrypting and understanding ...WhatsApp network forensics: Decrypting...

Documents

Transcript of WhatsApp network forensics: Decrypting and understanding ...WhatsApp network forensics: Decrypting...