
Investigating WhatsApp

18/06/2021 Friday

WhatsApp is a cross-platform application owned by Facebook. The platform supports sending and receiving text and voice messages, photos, documents, videos, and locations. WhatsApp provides all these features along with voice and video calls for one-to-one chats and group chats.

Digital Forensics Value of WhatsApp Artifacts

From its early days until today, WhatsApp has remained the market leader and one of the top-ranking messaging applications globally. According to its official website, WhatsApp has more than 2 billion users in over 180 countries. Given its widespread popularity, WhatsApp is considered a significant source of evidentiary information in most investigations.

Location of WhatsApp Artifacts

Like many Windows applications, WhatsApp stores user-generated files at C:\Users\%username%\AppData\Roaming\WhatsApp

Structure of WhatsApp Artifacts

The majority of WhatsApp artifacts are maintained within the cache folder, which has the same storage structure as the Google Chrome cache; the file containing WhatsApp cookies, however, is an SQLite database.
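Because the cookies file is an SQLite database, it can be cross-checked outside a forensic suite. The sketch below is an added example, not ArtiFast's code or anything from the original post; it assumes the file follows Chromium's cookie store layout (a `cookies` table with `host_key`, `name`, `creation_utc` and similar columns, times in microseconds since 1601-01-01 UTC), and `build_sample` writes constructed rows rather than real WhatsApp data.

```python
import sqlite3
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REQUIRED = ("host_key", "name", "creation_utc")        # assumed Chromium columns
OPTIONAL = ("path", "last_access_utc", "expires_utc")  # vary between versions


def webkit_to_utc(value):
    """Chromium stores times as microseconds since 1601-01-01 UTC."""
    if not value:  # 0 or NULL means "not set", e.g. a session cookie
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def read_cookies(db_path):
    """Return cookie records as dicts, oldest creation time first."""
    # mode=ro with immutable=1 stops SQLite from writing to, locking or
    # journaling beside the file; still work on a copy of the evidence.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        present = {row[1] for row in con.execute("PRAGMA table_info(cookies)")}
        missing = [c for c in REQUIRED if c not in present]
        if missing:
            raise ValueError(f"not a Chromium-style cookie store, missing {missing}")
        cols = list(REQUIRED) + [c for c in OPTIONAL if c in present]
        rows = con.execute(
            f"SELECT {', '.join(cols)} FROM cookies ORDER BY creation_utc").fetchall()
    return [{c: webkit_to_utc(v) if c.endswith("_utc") else v
             for c, v in zip(cols, row)} for row in rows]


def build_sample(db_path):
    """Write a constructed two-row database (not real WhatsApp data)."""
    with closing(sqlite3.connect(db_path)) as con:
        con.execute("CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT,"
                    " name TEXT, path TEXT, expires_utc INTEGER,"
                    " last_access_utc INTEGER)")
        con.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?)", [
            (13268448000000000, "example.invalid", "sid", "/", 0, 13268451600000000),
            (13268361600000000, "example.invalid", "lang", "/", 13299984000000000, 13268361600000000)])
        con.commit()

if __name__ == "__main__":
    import sys
    for record in read_cookies(sys.argv[1]):  # path to a copy of the cookies file
        print(record)
```

The creation, last-access and expiry times come back as timezone-aware UTC values, so they can be lined up directly against other timeline sources.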

Analyzing WhatsApp Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze WhatsApp artifacts from Windows machines and what kind of digital forensic insights we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select WhatsApp Artifacts:

ArtiFast can analyze WhatsApp Cache, Profile Pictures, and Cookies. For demonstration purposes, all three artifacts have been chosen; however, you have the option to select one or more artifacts as well.

Once the ArtiFast parser plugins have finished processing the artifacts, the results can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of WhatsApp artifacts in ArtiFast software.

WhatsApp Profile Pictures Artifact

This artifact contains information related to the profile pictures cached by the application. Profile pictures are not cached randomly from all WhatsApp contacts; instead, the cache only stores the profile pictures presented in the current chat section (active chats). This applies to both groups and individual chats. If a chat is deleted or archived, WhatsApp will not cache the profile picture of that specific chat. Moreover, if a chat (group/individual) does not have a profile picture, then there will not be any indication of that chat in the cache (default profile pictures are not cached). The details you can view include:

WhatsApp Cache Artifact

This artifact contains information about WhatsApp Cache. The details you can view include:

WhatsApp Cookies Artifact

This artifact contains the cookies from the WhatsApp application on a Windows device. The details you can view include: