WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages

článek v časopise ve Web of Science, Jimp

angličtina

WhatsApp is a widely adopted mobile messaging application with over 800 million users. Recently, a calling feature was added to the application and no comprehensive digital forensic analysis has been performed with regards to this feature at the time of writing this paper. In this work, we describe how we were able to decrypt the network trac and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) Whats- App server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination. We explain the methods and tools used to decrypt the trac as well as thoroughly elaborate on our ndings with respect to the WhatsApp signaling messages. Furthermore, we also provide the community with a tool that helps in the visualization of the WhatsApp protocol messages.

WhatsApp, reverse engineering, proprietary protocol, signaling protocols, network forensics, decryption, mobile forensics, digital forensics, cyber security, audio encoding

KARPÍŠEK, F.; BAGGILI, I.; BREITINGER, F.

2015

19. 9. 2015

1742-2876

Digital Investigation

2015

15

Nizozemsko

110

118

11

https://www.fit.vut.cz/research/publication/10979/