WHATSAPP FORENSICS: LOCATING ARTIFACTS ON WEB …WHATSAPP FORENSICS: LOCATING ARTIFACTS ON WEB...

Preview:

Click to see full reader

Citation preview

WHATSAPP FORENSICS: LOCATING ARTIFACTS ON WEB CLIENTS AND STANDALONE DESKTOP APPLICATIONS

Nicolás Villacís Vukadinović, Dr. Kathryn Seigfried-Spellar, Dr. Marcus Rogers & Dr. Umit Karabiyik Computer and Information Technology

Cyber Forensics Laboratory

Facts

• Most popular instant messaging application worldwide

• 1.5 billion monthly active users (July 2018)

• Used in over 180 countries

Findings:• WhatsApp log file, main source of artifacts• Cached profile pictures• Application run count/time/date• URL visit count/time/date• Overall, Chrome/Firefox web clients log

the most information

WhatsApp web client user interface

Study flowchart

Category Artifact

action,presence,[available/unavailable]

action,chatstate,[composing/paused/recording]

action,message,[image/video/chat/vcard/document/ptt]

action,msgs,delete

action,block,true,18125730324

action,battery,84,false

action,group,create

action,set_pic,17653278892@c

action,pushname

action,status,set

action,chat,read,{"fromMe":false,"remote":18125730324@c.

us…}

action,status,read,{"fromMe":false,"remote":"s&ð>@broadca

st","id":"C259586486C33C79E0482B1F346C9D98…}"

Media:sendToChat chat 18125730324@c.us

Media:sendToChat chat 17653278892-1548963594@g.us

action,msg,relay,[chat,image,video],18125730324@c.us,176

53278892@c.us

action,msg,relay,image,status@broadcast,17653278892@c.u

s,false_status@broadcast_FCECD863D949D0AAD2DFE72

60AD9DC4B,18125730324@c.us"

profilePic:cache-save: profile_pic_thumb

AppUpdate:update current: 0.3.2041 latest: 0.3.2041

webcPhoneOsBuildNumber = PQ1A.181205.002.A1

webcPhoneOsVersion = 9

webcPhoneAppVersion = 2.19.17

webcPhoneDeviceManufacturer = Google

webcPhoneDeviceModel = marlin

webcPhoneCharging = false

Browser user

agent

userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

AppleWebKit/537.36 (KHTML, like Gecko)

Chrome/72.0.3626.81 Safari/537.36

Timestamps/

actions

Mobile

device

information

Note. All timestamps/actions begin with a date and time (i.e., YYYY-MM-

DD HH:MM:SS.MS).

WhatsApp log file artifacts

mfocosi
Typewritten Text
mfocosi
Typewritten Text
mfocosi
Typewritten Text
mfocosi
Typewritten Text
mfocosi
Typewritten Text
2019 - AIP - B85-C09 - WhatsApp Forensics: Locating Artifacts on Web Clients and Standalone Desktop Applications - Nicolás Villacís Vukadinović

Recommended

Ultrasound artifacts
Education
Whats App Forensics: Decryption of Encrypted WhatsApp ... · PDF fileKeywords: WhatsApp analysis; Android forensics; WhatsApp ... WhatsApp key/DB extractor (Version 2.2) 3) WhatsApp
Documents
Whatsapp ( history , fb allience and intresting facts about whatsapp)
Internet
Setting up WhatsApp WhatsApp-EinrichtungAndroid).pdfWhatsApp nutzen Click on WhatsApp in the “Accounts” menu and allow permission for Chris to access your WhatsApp notifications
Documents
Locating Facilities
Business
Locating Places
Documents
WhatsApp, política mobile e WhatsApp, mobile politics and
Documents
Locating Pre
Documents
Physics artifacts
Technology
WhatsApp, The Anti-Marketing Growth Phenomenon | Facebook-acquired WhatsApp
Education
Locating stars
Documents
PLAYBOOK DE VENDAS NO WHATSAPP...SUMÁRIO CAPÍTULO 1: WHATSAPP MARKETING • Marketing Digital • É possível fazer Marketing Digital no WhatsApp? • As Principais regras do WhatsApp
Documents
Pipeline Locating
Documents
Locating Zombies
Documents
Large Expansion Locating Pin - wahltec.de · Pneu. Expansion Locating Pin Hyd. Expansion Locating Pin Expansion Locating Pin Digest Cautions Model No. / Spec. (VWH) Ext. Dimensions
Documents
Workplace Artifacts
Documents
Iraqi artifacts
Education
Cable and Pipe Locating Techniquesmultimedia.3m.com/.../cable-and-pipe-locating-techniques-manual.pdf · Cable and Pipe Locating Techniques ... 41 5. Locating Cable Slack Loops
Documents
Locating Resources
Documents
LOCATING PINS -STANDARD TYPE- LOCATING PINS -STANDARD …
Documents