Obtaining WhatsApp Data

WhatsApp Messenger has grown increasingly popular since its release in 2009. It was one of the first mobile apps to offer instant messaging and phone calling, and it still dominates the messaging app market, having reached 2 billion users in February 2020. It’s probably safe to say that you, or someone you know, is using WhatsApp right now.

One of the many attractive qualities of WhatsApp is its encryption. Every message is protected by end-to-end encryption, ensuring that your messages are secure and private. This is great for the user, and less than ideal for the examiner attempting to collect or recover message evidence. Fortunately, there are ways to access and review this data.

Collecting from iPhone

When collecting from an iPhone, WhatsApp data is included in a standard iTunes backup. A forensic examiner can then review the database within a tool like Cellebrite’s UFED Physical Analyzer, which will automatically decrypt the message data. The messages can be exported to a spreadsheet or PDF for review.

Collecting from Android

Obtaining WhatsApp data from an Android device requires a physical collection of the phone, followed by examination within a forensic suite such as Oxygen Forensic. Oxygen has wide capabilities when it comes to decrypting and accessing this data.

Cloud Backup

As a more remote-friendly option, a backup of WhatsApp data can be created using the user’s device. Depending on the device they have, the backup can be generated and stored in iCloud or Google Drive. This backup will be encrypted, so decrypting it would take additional time and possibly even access to the device’s SIM.