CR, Jul 28, 2015

Forensic Analysis of WhatsApp Messenger on Android Smartphones

arXiv:1507.07739v1, 206 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses digital forensics for law enforcement and security professionals, providing incremental improvements in artifact analysis for a specific application.

The paper tackles the problem of extracting forensic evidence from Android devices using WhatsApp Messenger by analyzing and correlating artifacts to reconstruct user activities. It enables analysts to recover deleted contacts and messages, determine timelines, and infer relationships between users.

We present the forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system. We provide a complete description of all the artifacts generated by WhatsApp Messenger, we discuss the decoding and the interpretation of each one of them, and we show how they can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation. By using the results discussed in this paper, an analyst will be able to reconstruct the list of contacts and the chronology of the messages that have been exchanged by users. Furthermore, thanks to the correlation of multiple artifacts, (s)he will be able to infer information like when a specific contact has been added, to recover deleted contacts and their time of deletion, to determine which messages have been deleted, when these messages have been exchanged, and the users that exchanged them.
