Network Forensics of WhatsApp: A Practical Approach Based on Side-Channel Analysis


Abstract

Nowadays, billions of people use Instant Messaging (IM) applications (called apps for short) to communicate, e.g., WhatsApp, Telegram, etc. These applications have a positive impact on social relations, allowing real-time communication that is simple and immediate. In this way, users can be available everywhere and at any time. In the state of the art, the most popular instant messaging application in the world is definitely WhatsApp. Given the multiple operational scenarios in which they are involved, to prevent the violation of communication by malicious users, IM applications typically ensure security in terms of confidentiality, integrity and availability. Indeed, in the WhatsApp application as well as in the other IM applications, the communication between the various entities takes place in a protected manner. Therefore, it is practically impossible to break the protection of messages exchanged by such applications and find the content of such messages. On the other hand, due to their security properties, those applications are also widely used by cybercriminals. In this paper we focus on the WhatsApp application and propose an approach based on side-channel analysis to detect some actions performed by WhatsApp users, such as starting or rejecting a call, joining or leaving a chat group, etc. More precisely, the approach we propose is based on the analysis of some characteristics and patterns present in the traffic generated during typical WhatsApp sessions. The proposed approach does not require particular tools or background knowledge, but only simple packet capture tools, such as Wireshark. Furthermore, we point out that our approach can be very useful in the context of forensic analysis, since it complements all the other tools and methodologies typically used in the state of the art to deal with a cybercrime. Finally, the proposed approach has been tested in real usage scenarios, both as regards the communication between two (unicast) and more endpoints (multicast).

Cite

De Luca Fiscone, G., Pizzolante, R., Castiglione, A., & Palmieri, F. (2020). Network Forensics of WhatsApp: A Practical Approach Based on Side-Channel Analysis. In Advances in Intelligent Systems and Computing (Vol. 1151 AISC, pp. 780–791). Springer. https://doi.org/10.1007/978-3-030-44041-1_69
