Analyzing the Web and UWP versions of WhatsApp for digital forensics

Abstract

WhatsApp is a global secure instant messenger with approximately two billion users. Secure instant messengers use various cryptographic techniques to ensure secure communication. WhatsApp utilizes end-to-end encryption, so even the server owner cannot view internal data. Although this provides strong privacy protection, it can act as a barrier to data collection during digital forensics investigations. We analyze in detail the Web and Universal Windows Platform (UWP) versions of WhatsApp to overcome the collection obstacles that hinder digital forensic investigations. Our analysis showed that for the Web version of WhatsApp, most of the elements needed to decrypt messages are stored in the browser's storage, except for Salt, which is exchanged through communication with the server. We propose a method to obtain Salt by revealing the communication process and the data exchanged, based on which we successfully decrypt the message. For the UWP version of WhatsApp, the database where messages are stored is protected using the identifier value of the application. The identifier value, a unique value assigned to the UWP application, cannot be accessed outside the application. Following a detailed analysis of the UWP API, we developed a method for reproducing the identifier value without calling the API. We also propose a way to decrypt encrypted messages of the UWP version of WhatsApp. Our findings provide a practical solution for forensic investigators analyzing encrypted WhatsApp messages and also provide insights that can be extended to other secure instant messengers.