Forensic Analysis of WhatsApp Messenger on Android Smartphones
Cosimo Anglano

TL;DR
This paper provides a comprehensive forensic analysis of WhatsApp artifacts on Android devices, enabling reconstruction of message history, contact lists, and deleted data for investigative purposes.
Contribution
It offers a detailed description of WhatsApp artifacts, decoding methods, and correlation techniques to infer comprehensive user activity information.
Findings
Reconstructed message exchange chronology
Identified artifacts indicating contact addition and deletion
Detected deleted messages and their timestamps
Abstract
We present the forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system. We provide a complete description of all the artifacts generated by WhatsApp Messenger, we discuss the decoding and the interpretation of each one of them, and we show how they can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation. By using the results discussed in this paper, an analyst will be able to reconstruct the list of contacts and the chronology of the messages that have been exchanged by users. Furthermore, thanks to the correlation of multiple artifacts, (s)he will be able to infer information like when a specific contact has been added, to recover deleted contacts and their time of deletion, to determine which messages have been deleted,…
