Contents lists available at ScienceDirect
Digital Investigation xxx (2015) 1-9
Digital Investigation
journal homepage: www.elsevier.com/locate/diin

WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages

F. Karpisek a, I. Baggili b,*, F. Breitinger b
a Faculty of Information Technology, Brno University of Technology, Czech Republic
b Cyber Forensics Research & Education Group, Tagliatela College of Engineering, ECECS, University of New Haven, 300 Boston Post Rd., West Haven, CT, 06516, USA

Article info
Article history: Received 10 July 2015; Received in revised form 17 September 2015; Accepted 19 September 2015; Available online xxxx
Keywords: WhatsApp; Reverse engineering; Proprietary protocol; Signaling protocols; Network forensics; Decryption; Mobile forensics; Digital forensics; Cyber security; Audio encoding

* Corresponding author. E-mail addresses: [email protected] (F. Karpisek), [email protected] (I. Baggili), [email protected] (F. Breitinger). URLs: http://www.unhcfreg.com/, http://www.FBreitinger.de/
[1] http://money.cnn.com/2014/02/19/technology/social/facebook-whatsapp/, last accessed 2015-07-03.
http://dx.doi.org/10.1016/j.diin.2015.09.002
1742-2876/© 2015 Elsevier Ltd. All rights reserved.
Please cite this article in press as: Karpisek F, et al., WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages, Digital Investigation (2015), http://dx.doi.org/10.1016/j.diin.2015.09.002
Abstract
WhatsApp is a widely adopted mobile messaging application with over 800 million users. Recently, a calling feature was added to the application and no comprehensive digital forensic analysis has been performed with regards to this feature at the time of writing this paper. In this work, we describe how we were able to decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination. We explain the methods and tools used to decrypt the traffic as well as thoroughly elaborate on our findings with respect to the WhatsApp signaling messages. Furthermore, we also provide the community with a tool that helps in the visualization of the WhatsApp protocol messages.
© 2015 Elsevier Ltd. All rights reserved.
Introduction
WhatsApp is one of the most widely used personal-messaging mobile applications for free texting and content sharing (namely audio, video, images, location and contacts), boasting over 800 million users worldwide and was bought by Facebook in 2014 for $19 Billion [1]. The calling feature was added recently in version 2.11.552, which was released 2015-03-05 (Arce, 2015).
From its wide adoption, it is obvious how WhatsApp communication exchanges may be used during an investigation, making the artifacts it produces of compelling forensic relevance. Therefore, we see a strong necessity for both researchers and practitioners to gain a comprehensive understanding of the networking protocol used in WhatsApp, as well as the type of forensically relevant data it contains. Most importantly, due to the newly introduced calling feature, it becomes essential to understand the signaling messages used in the establishment of calls between the WhatsApp clients and servers. The methods and tools used in this research could be relevant to investigations where proving that a call was made at a certain date and time is necessary.
Our contribution outlines the WhatsApp messaging protocol from a networking perspective and provides a solution to explore and study WhatsApp network communications. In terms of novelty, to our knowledge, this is the first paper that discusses the WhatsApp signaling messages used when establishing voice calls. The work has impact on practitioners in the field that have obtained network traffic for a potential suspect, as well as providing scientists literature for better understanding the network protocol itself.
[2] https://github.com/WHAnonymous/Chat-API/wiki/FunXMPP-Protocol, last accessed 2015-07-03.
The rest of the paper is organized as follows. In Section Related work we review existing work, while Section WhatsApp protocol describes the WhatsApp protocol. Then, in Section Tool for visualizing WhatsApp protocol messages we describe the tool we created for visualizing exchanged WhatsApp messages. In Section Decryption, we describe the process of obtaining decrypted connections between the WhatsApp client and the WhatsApp server. Then in Section Findings we examine the message contents and discuss the meaning of the signaling messages during a WhatsApp call. Finally, in Section Conclusions, we offer concluding remarks and outline some future research.
Related work
There has been research conducted on the forensics of WhatsApp but the majority of that work focused on the data that WhatsApp stores on the mobile device when compared to our work which focuses on the network forensics of WhatsApp.
Network protocol forensics
At the time of writing this paper, the work on network protocol forensics of WhatsApp was sparse. The only work that provided any detail on WhatsApp's networking protocol was the Hancke (2015) report. Hancke (2015)'s work focused more on Realtime Transport Protocol (RTP) media streams (Schulzrinne et al., 2003). The report fails to uncover the call signaling messages used by WhatsApp, which is elaborated on by our work.
Mobile device forensics
Anglano (2014) performed an in-depth analysis of WhatsApp on Android devices. The work provided a comprehensive description of the artifacts generated by WhatsApp and discussed the decoding, interpretation and relationship between the artifacts. Anglano (2014) was able to provide an analyst with the means of reconstructing the list of contacts and chronology of the messages that have been exchanged by users.
The works by Thakur (2013) and Mahajan et al. (2013) are similar to previous studies since they both focused on the forensic analysis of WhatsApp on Android. These studies uncovered the forensic acquisition of the artifacts left by WhatsApp on the device. Thakur (2013) focused on the forensic analysis of WhatsApp artifacts on an Android phone's storage and volatile memory. The results showed that one is able to obtain many artifacts such as phone numbers, messages, media files, locations, profile pictures, logs and more. Mahajan et al. (2013) analyzed WhatsApp and Viber artifacts using the Cellebrite Forensic Extraction Device (UFED) toolkit. They were able to recover contact lists, exchanged messages and media including their timestamps and call details.
Walnycky et al. (2015) examined 20 different popular mobile social-messaging applications for Android including WhatsApp. In their work, they focused on unencrypted traffic that could be easily reconstructed. WhatsApp was found to be favorable at encrypting its network traffic when compared to other mobile social-messaging applications. Therefore, based on the primary findings by Walnycky et al. (2015), our study aimed at further investigating and dissecting the WhatsApp protocol, and in specific, focusing on the signaling messages used when establishing WhatsApp calls given this new feature. However, in order to dive deeper into the signaling messages, one must understand some known attributes of the WhatsApp protocol which we discuss in Section WhatsApp protocol below.
WhatsApp protocol
WhatsApp uses the FunXMPP protocol for message exchange which is a binary-efficient encoded Extensible Messaging and Presence Protocol (XMPP) (WHAnonymous, 2015c). The WhatsApp protocol is also briefly described by LowLevel-Studios (2012) from an implementation perspective. To fully describe the FunXMPP protocol is beyond this paper's scope. For more information on the protocol the readers may want to visit a website outlining the protocol [2].
Authentication procedure
There are two types of authentication procedures the WhatsApp client can use when connecting to the servers. If it is the first time the client is connecting to the server, a full handshake is performed as illustrated in Fig. 1. Subsequently, for any consecutive connections, only a half handshake is executed using data provided from the initial full handshake.
We note that a half handshake therefore results in using the same session keys multiple times, which can be deemed as a plausible protocol security weakness.
Full handshake
The authentication procedure as described by the developers of WhatsAPI consists of three messages (WHAnonymous, 2015a). This is synonymous with the well known three-way handshake and is described in detail in the following paragraphs. These messages can be observed in Fig. 1 which was created using our developed tool (for more details see Section Tool for visualizing WhatsApp protocol messages).
As shown in Fig. 1, first, the client sends an message to the server. This message is not encrypted and contains the client number and authentication method the client wants to use.
Then, the server replies with a message containing a 20 byte long nonce for the session key generation. Session keys are then generated using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm using the password as a passphrase and the nonce as a salt. Both the server and the client know the password and nonce so the generated keys are the same on both ends. Four keys are generated in total: two keys for confidentiality (one for each direction, from the server and to the server) and two keys for the integrity check (again one for each direction).
Fig. 1. Full handshake between WhatsApp client and server. Note: Numbers on the left side represent packet numbers (see Appendix A for the source pcap file). Also, there can be multiple messages in one packet.
The client then creates a message that consists of a concatenated client phone number in ASCII, nonce sent by the server in binary, current Unix timestamp in ASCII and other device description data. This message is encrypted using the generated session keys and it is prepended by the hash of the message for integrity checking purposes. Decrypted contents of the response message are illustrated in Fig. 2, where we can see the aforementioned fields, their hexadecimal value and also the ASCII representation as displayed by Wireshark.
If registration is successful, the server replies with a message that is encrypted. Otherwise, the server replies with a message that is not encrypted.
Half handshake
A half handshake consists only of an message that already contains the data of a message described above, and the server's reply, a message. The client uses the nonce from the earlier session which means that this nonce is not known by outsiders, therefore, it is not possible to decrypt such a session, as session encryption keys cannot be determined.
Tool for visualizing WhatsApp protocol messages
Description
Our tool is a command-line program written in Python (version 2.7). It is named convertPDML.py as it converts the PDML file exported from Wireshark to an HTML report. It is available in the form of source code, see Appendix A for more details. It requires one input parameter; a path to an XML file containing the details of dissected packets. See the step 6 in Section Decryption procedure for details on how to create the XML file.
The output of the tool is a report file containing all the messages exchanged between the WhatsApp client and the WhatsApp servers in HTML format as shown in Fig. 1. Hence, any standard browser can be used to view the results. Messages are ordered chronologically as they appear in the input XML file.
Fig. 2. Content of message with marked regions.
Usage
As mentioned above, the tool requires an XML file as an input parameter. Example: convertPDML.py INPUT.xml.
Network traffic collection
This section explains how we collected the WhatsApp network traffic. More details are presented in Sections Experimental setup and High level methodology.
Experimental setup
We used the setup exemplified in Fig. 3 for capturing network traffic between the WhatsApp messenger running on an Android phone and the WhatsApp servers. The hardware and software used in the experimental setup are listed below:
Equipment used in experimental setup:
- Phone: Lenovo P780, Android 4.2.1, running
  - WhatsApp v2.12.84 which was downloaded from the Google Play store.
  - Password Extractor v1.0 [3].
- Laptop: Lenovo ThinkPad T420s with Windows 7 64-bit with the following installed software:
  - Wireshark v1.12.5, 32-bit, with the WhatsApp dissector [4].
  - Pidgin v2.12.11 [5], 32-bit, with the WhatsApp plugin [6].
High level methodology
First, we disconnected the Android phone from any Internet connection and used the Password Extractor application to gain access to the WhatsApp password. We note that the phone had to be rooted to use this application. We would also like to mention that there could have been multiple ways to gain access to the password on the device such as using commercially available tools to acquire a forensic image of the phone, and in some cases gaining access to the password can be achieved without rooting the phone if the acquisition method allows the investigator to acquire the image without rooting the device.
[3] https://www.mgp25.com/downloads/pw.apk, last accessed 2015-07-06.
[4] https://davidgf.net/page/37/whatsapp-dissector-for-wireshark, last accessed 2015-07-06.
[5] https://pidgin.im/, last accessed 2015-07-06.
[6] https://davidgf.net/whatsapp/, last accessed 2015-07-06.
We then utilized Pidgin messenger with the WhatsApp plugin and obtained the WhatsApp password for connecting to the WhatsApp servers in order to desynchronize the WhatsApp client installed on the Android phone. This was performed in order for us to capture the full handshake (see Section Full handshake for more details).
The next step included setting up a wifi access point (see Fig. 3) on the laptop and sharing the Internet connection from the Ethernet port to the wifi adapter. The laptop now acted as a wifi router. We then started capturing all the traffic on the access point's network. In the next step, we connected the phone to the created wifi network and made a WhatsApp call to a user with phone number 1-203-xxx-xxxx. Finally, we finished capturing the traffic and saved the created pcap file.
Following the aforementioned methodology allowed us to collect network traffic enabling us to perform exploratory analysis. In the following Section Decryption, we outline the resultant steps that we were able to reproduce for decrypting the WhatsApp messaging traffic.
Decryption
According to LowLevel-Studios (2012) and WHAnonymous (2015a), encryption and decryption in WhatsApp is performed with a symmetric RC4 stream cipher using keys generated during authentication which is described in the Section Authentication procedure.
Therefore, in order to decrypt the communication between the WhatsApp servers and the WhatsApp client, session keys for each direction (as WhatsApp uses one key for communication from device to the server and a different one for communication from the server to the device) are required. The process of obtaining these keys is provided in Section Full handshake.
Fig. 3. Experimental setup.
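The key derivation of Section Full handshake and the per-direction RC4 framing described here, worked through in one place as an added example (not the paper's, WhatsAPI's or WhatsApp's code): both ends derive the four keys from password and nonce, the client seals its third handshake message, and the server side verifies and decrypts it, which is exactly what a dissector holding the credentials has to do. The hash function, iteration count, the way the four keys are separated, the MAC construction and the sample password and nonce are assumptions, not values from the paper.

```python
"""Session-key derivation and per-direction RC4 framing modelled on the
handshake the paper describes: PBKDF2 with the account password as the
passphrase and the 20-byte server nonce as the salt, four keys (confidentiality
and integrity, one pair per direction), RC4 for the payload and a hash of the
message prepended for the integrity check. Added example, not WhatsApp's or the
authors' code. ASSUMPTIONS not stated by the paper: PBKDF2-HMAC-SHA1, the
iteration count, separating the four keys by appending a one-byte counter to
the salt, and an HMAC-SHA1 tag truncated to 4 bytes over the ciphertext."""
import hashlib
import hmac

ITERATIONS = 2  # assumption
KEY_LEN = 20    # assumption (one SHA-1 output per key)
MAC_LEN = 4     # assumption

# Constructed sample credentials (not a real account): a base64-looking
# password string like the one Password Extractor returns, and a 20-byte nonce
# standing in for the one the server sends in its second handshake message.
PASSWORD = b"examplePasswordFromDevice="
NONCE = bytes(range(20))


def derive_session_keys(password: bytes, nonce: bytes) -> dict:
    """Both ends hold password and nonce, so both derive the same four keys.
    Key i is derived with salt nonce||i so the four keys differ (assumption)."""
    names = ("c2s_enc", "c2s_mac", "s2c_enc", "s2c_mac")
    return {name: hashlib.pbkdf2_hmac("sha1", password, nonce + bytes([i + 1]),
                                      ITERATIONS, KEY_LEN)
            for i, name in enumerate(names)}


class RC4:
    """Minimal RC4 (KSA + PRGA). The state persists across calls: every message
    in one direction continues along the same keystream for the session."""
    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        out = bytearray()
        s = self.s
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)


class Direction:
    """One traffic direction: its own RC4 stream and its own integrity key,
    matching the paper's one-key-per-direction observation."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.rc4 = RC4(enc_key)
        self.mac_key = mac_key

    def seal(self, plaintext: bytes) -> bytes:
        ct = self.rc4.crypt(plaintext)
        tag = hmac.new(self.mac_key, ct, hashlib.sha1).digest()[:MAC_LEN]
        return tag + ct  # integrity value prepended to the encrypted message

    def open(self, frame: bytes) -> bytes:
        """What a dissector holding the keys does: verify first, then decrypt."""
        tag, ct = frame[:MAC_LEN], frame[MAC_LEN:]
        expected = hmac.new(self.mac_key, ct, hashlib.sha1).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        return self.rc4.crypt(ct)


def build_response(phone: str, nonce: bytes, unix_ts: int, device: bytes = b"") -> bytes:
    """Client's third handshake message as the paper describes it: phone number
    (ASCII) || server nonce (binary) || Unix timestamp (ASCII) || device data."""
    return phone.encode("ascii") + nonce + str(unix_ts).encode("ascii") + device


def roundtrip(password: bytes, nonce: bytes, phone: str, unix_ts: int) -> tuple:
    """Client seals its response; the server derives the same keys from the same
    password and nonce and recovers it. Returns (recovered_plaintext, ok)."""
    client_keys = derive_session_keys(password, nonce)
    server_keys = derive_session_keys(password, nonce)
    client_c2s = Direction(client_keys["c2s_enc"], client_keys["c2s_mac"])
    server_c2s = Direction(server_keys["c2s_enc"], server_keys["c2s_mac"])
    body = build_response(phone, nonce, unix_ts)
    recovered = server_c2s.open(client_c2s.seal(body))
    return recovered, recovered == body


def half_handshake_reuses_keystream(password: bytes, nonce: bytes, n: int = 64) -> bool:
    """A half handshake reuses the earlier nonce, so a second session derives the
    same keys and starts with the identical RC4 keystream (the weakness the paper
    points out). Compares the first n keystream bytes of two such sessions."""
    k1 = derive_session_keys(password, nonce)["c2s_enc"]
    k2 = derive_session_keys(password, nonce)["c2s_enc"]
    return RC4(k1).crypt(bytes(n)) == RC4(k2).crypt(bytes(n))
```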
Prerequisites
Our work showed that there are two mandatory requirements for the successful decryption of WhatsApp messaging connections:
- The password associated with the WhatsApp account.
- The record of the full handshake between the WhatsApp client and the server.
Tools used
We outline the list of software tools that were used in the decryption process:
- To obtain the password, there are multiple options based on the mobile device being used (WHAnonymous, 2015b). As we were using an already rooted Android phone, the easiest way was to extract the password using the Password Extractor application.
- To force WhatsApp to establish a full handshake the next time the mobile device connected to the server, it was necessary to break the synchronization between the WhatsApp client and the server. The simplest way for doing that was to connect using a different client. For that purpose, we used the IM client Pidgin alongside the WhatsApp plugin.
- To decrypt the WhatsApp connection between the client and server, we used Wireshark and a WhatsApp-specific dissector.
- To visualize the WhatsApp protocol message exchange we created a command-line tool described in Section Tool for visualizing WhatsApp protocol messages.
Decryption procedure
In this section, we elaborate using a step-by-step procedure describing how to successfully decrypt and visualize the exchange of WhatsApp protocol's messages between the WhatsApp client and the servers.
1. As the Android phone we were using was rooted, obtaining the password was as easy as installing and running an application mentioned in the Section Tools used. In our case, the username (phone number) was 420xxxxxxxxx with the following extracted password 627XlMqch8i5Ncy2tRSbZLXs2m0=.
2. After obtaining credentials for the WhatsApp account (phone number and password), we disconnected the mobile device running WhatsApp from the wifi network and used the IM client Pidgin with the WhatsApp plugin and used the obtained credentials to log into our WhatsApp account. This broke the synchronization between the WhatsApp client on the mobile device and the WhatsApp server forcing the client to authenticate using a full handshake.
3. We then connected the mobile device running the WhatsApp client back to the wifi access point capturing all the communication from and to the mobile device as explained in Section Experimental setup. After the WhatsApp client logged into the WhatsApp account, we placed a WhatsApp call to another device. All recorded communication was saved to a pcap file. Access to the pcap file is presented in the Appendix A.
4. After we captured all the communication between the WhatsApp client and the WhatsApp server, we provided the WhatsApp dissector in Wireshark with the credentials we obtained in the prior steps. To do that we used Wireshark's menu Edit -> Preferences and in the Protocols section we set up the WhatsApp dissector with the same options exemplified in Fig. 4. After setting up the WhatsApp dissector correctly, we were able to observe the content of encrypted messages and the content of the message should start with the number used in message as shown in Fig. 2.
5. When the communication was decrypted we exported it to XML format using Wireshark's function File -> Export Packet Dissections -> as XML - "PDML" (packet details) file.... We provide access to this XML file in the Appendix A. Part of this XML file, namely is illustrated in Listing 1 where we can see the same values as in message from Fig. 1: attribute user with value 420xxxxxxxxx (lines 33-38) and attribute mechanism with value WAUTH-2 (lines 39-44).
6. The final step involved using our tool to generate a report of the WhatsApp message exchange between the WhatsApp client and WhatsApp servers. For that we used the XML file generated in the previous step. For more details refer to the Section Tool for visualizing WhatsApp protocol messages.
Fig. 4. WhatsApp Wireshark dissector settings.
Fig. 5. Signaling messages of WhatsApp call (numbers refer to packet numbers).
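Steps 5 and 6 above, and the tool description in Section Tool for visualizing WhatsApp protocol messages, come down to walking the PDML export and emitting one report row per WhatsApp message in capture order. The following is an added example of that conversion, not the authors' convertPDML.py: it assumes the WhatsApp dissector appears in PDML as a proto named "whatsapp" whose child fields are the decoded messages (the real dissector's field names are not given in the paper), and the embedded PDML is constructed, with packet numbers and addresses taken from the paper's call flow and placeholder message labels.

```python
"""Minimal PDML-to-HTML report in the spirit of the paper's convertPDML.py
(Wireshark's File -> Export Packet Dissections -> as XML - "PDML" output in,
one HTML row per WhatsApp message out, in capture order). Added example, not
the authors' tool. ASSUMPTIONS: the WhatsApp dissector appears in PDML as a
proto named "whatsapp" whose direct child fields are the decoded messages; the
sample PDML below is constructed (packet numbers and addresses follow the
paper's call flow, message labels are placeholders)."""
import html
import sys
import xml.etree.ElementTree as ET

CLIENT_IP = "192.168.137.208"  # the phone's address in the paper's capture

SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.12.5">
  <packet>
    <proto name="frame" showname="Frame 42">
      <field name="frame.number" showname="Frame Number: 42" show="42"/>
      <field name="frame.time_epoch" showname="Epoch Time" show="1431719979.000"/>
    </proto>
    <proto name="ip" showname="Internet Protocol Version 4">
      <field name="ip.src" showname="Source: 192.168.137.208" show="192.168.137.208"/>
      <field name="ip.dst" showname="Destination: 174.36.210.45" show="174.36.210.45"/>
    </proto>
    <proto name="whatsapp" showname="WhatsApp Protocol">
      <field name="whatsapp.msg" showname="message 1 (placeholder), call-id=1431719979-2"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame" showname="Frame 43">
      <field name="frame.number" showname="Frame Number: 43" show="43"/>
      <field name="frame.time_epoch" showname="Epoch Time" show="1431719979.250"/>
    </proto>
    <proto name="ip" showname="Internet Protocol Version 4">
      <field name="ip.src" showname="Source: 174.36.210.45" show="174.36.210.45"/>
      <field name="ip.dst" showname="Destination: 192.168.137.208" show="192.168.137.208"/>
    </proto>
    <proto name="whatsapp" showname="WhatsApp Protocol">
      <field name="whatsapp.msg" showname="message 2 (placeholder), relay list"/>
      <field name="whatsapp.msg" showname="message 3 (placeholder), same packet"/>
    </proto>
  </packet>
</pdml>
"""


def _show(packet, name: str) -> str:
    """'show' value of the first field (at any nesting depth) with this name."""
    for field in packet.iter("field"):
        if field.get("name") == name:
            return field.get("show", "")
    return ""


def parse_pdml(text: str, client_ip: str = CLIENT_IP) -> list:
    """One row per WhatsApp message; a packet may carry several, as the paper
    notes for Fig. 1. Rows keep file order, i.e. chronological capture order."""
    rows = []
    for packet in ET.fromstring(text).iter("packet"):
        number = int(_show(packet, "frame.number"))
        epoch = float(_show(packet, "frame.time_epoch") or 0)
        src, dst = _show(packet, "ip.src"), _show(packet, "ip.dst")
        direction = "client -> server" if src == client_ip else "server -> client"
        for proto in packet.findall("proto"):
            if proto.get("name") != "whatsapp":
                continue
            for field in proto.findall("field"):
                rows.append({"packet": number, "epoch": epoch, "direction": direction,
                             "src": src, "dst": dst, "message": field.get("showname", "")})
    return rows


COLUMNS = ("packet", "epoch", "direction", "src", "dst", "message")


def to_html(rows: list) -> str:
    """Render the rows as a table. Every value is escaped: a capture is untrusted
    input, and a crafted showname must not become markup in the report."""
    out = ["<html><body><table border='1'>",
           "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"]
    for r in rows:
        out.append("<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in COLUMNS) + "</tr>")
    out.append("</table></body></html>")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage mirrors the paper's tool: convertPDML.py INPUT.xml (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PDML
    print(to_html(parse_pdml(text)))
```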
Findings
In the following subsections, we describe our findings on the signaling messages used for call establishment in WhatsApp. For a visual representation of our findings readers may want to refer to Fig. 5.
Protocol analysis of call signaling messages
In this section we elaborate on messages that we hypothesize are part of the establishment of a WhatsApp call as we observed it in the decrypted captured communication traffic. We used the captured pcap file and the HTML report generated from the same pcap file (refer to the Section Decryption procedure for more details). Both of these files can be downloaded from Appendix A. In the rest of this section, we refer to the packet numbers displayed on the leftmost side in the flow diagram of signaling message exchange in Fig. 5.
First (in packets [8]-[32]), the WhatsApp client connects and authenticates with the first WhatsApp server 174.37.231.87 but there is no activity regarding a call.
Starting with packet [33], the WhatsApp client connects and authenticates to a second WhatsApp server 174.36.210.45 and starts placing a call.
Right after connecting to the second server, in packet [41], the client asks for the presence of the called party (phone number 1-203-xxx-xxxx) and starts the call establishment process by sending message to the called party. This happens in packet [42]. There we can observe the property call-id="1431719979-2" for the first time. This property remains constant throughout the rest of the signaling messages during the whole signaling process and it identifies the call as it is unique for each call and therefore changes every time a call is initiated.
[7] http://www.opus-codec.org/, last accessed 2015-07-06.
In this first message we can also observe that the caller is offering to use the Opus codec (Valin et al., 2012) (in property ) for voice data in two sampling rates, 8 kHz and 16 kHz. We also observe the properties (value of 16 bytes = 128 bits) and (192 bytes = 1536 bits) values which we were not able to decode. We postulate that they might be some kind of initialization vectors for encryption of media streams and/or description of these streams. The last property contains a 6 byte value that we decoded as the endpoint (IP address and port) where the client announces the endpoint address for the media stream. Its value is 192.168.137.208:46416.
The server replies with in packet [43] which contains property (value of 204 bytes = 1632 bits) which we were also unable to decode, multiple properties that announce endpoint addresses of relay servers (8 servers in total), and properties , (gain control) and (noise suppression) that we hypothesize further specify media encoding.
Packets [44] and [45] carry messages and of the receipt. To the best of our knowledge, these messages do not contain any data of interest.
Packet [46] going from the server to the client carries the message and has the property that asserts that the used codec for media streams will be the Opus codec at the sampling rate of 16 kHz. It also contains the property that has the same length as the same property in packet [42] (192 bytes = 1536 bits) but carries a different value.
Packet [47] carries the message which contains the client's endpoint address but from an external point of view, a public endpoint address. This address is found out by the client using the Traversal Using Relays around NAT (TURN) mechanism (Mahy et al., 2010): the client asks the TURN server what is its (client's) IP address from the outside point of view. Its value is 64.251.61.74:62334 which differs from the value in packet [42], 192.168.137.208:46416. Packet [48] carries the message to the previous message.
We can observe a relay server election in packets [49]-[65]. The client finds out latency between itself and the relay servers obtained from message from packet [43] and one of the servers is elected.
The last message of the call establishment process is message in packet [70]. It contains the property that confirms that the used codec is Opus, sampling rate 16 kHz, properties and (with the same value as in packet [47]) and two endpoint addresses: private, 192.168.1.22:55607, and public, 64.251.61.74:55607. These endpoint addresses are used when trying to establish a direct peer-to-peer (P2P) connection. Packet [71] contains message confirming the previous message.
After that, both-way media stream is established from 192.168.137.208:46416 to 31.13.74.48:3478 using RTP. These addresses were announced in a message in packet [42] and during the relay server election.
After about 30 s of the ongoing call, the client connects to another WhatsApp server (108.168.180.110) and signaling messages start flowing through this server. The client then announces new endpoint addresses in packets [2688] and [2711] and after a new relay election process, a new media stream is created replacing the previous one using a new endpoint address.
Finally, the client connects to another WhatsApp server (174.37.231.88) and sends two identical messages in packets [7921] and [7925] and the call is terminated.
Media streams
Hancke (2015) mentioned in his report that WhatsApp uses a codec at 16 kHz sampling rate with bandwidth of about 20 kbit/s. Unlike us, Philipp Hancke did not have access to the decrypted signaling messages and thus we can now declare that WhatsApp is using the Opus codec for voice media streams at either 8 kHz or 16 kHz sampling rate which is decided at call setup.
We attempted to decode the media using the open-source implementation of the Opus codec [7] but the decoded result was not voice audio. From that and from the fact that we can observe properties (SRTP stands for Secure Realtime Transport Protocol (Baugher et al., 2004)) we infer that these media streams are being encrypted.
Analysis summary
Through the analysis of signaling messages exchanged during a WhatsApp call we were able to:
- Closely examine the authentication process of WhatsApp clients.
- Discover what codec WhatsApp is using for voice media streams: Opus at 8 or 16 kHz sampling rates.
- Understand how relay servers are announced and the relay election mechanism.
- Understand how clients announce their endpoint addresses for media streams.
Gaining insight into these signaling messages is essential for the understanding of the WhatsApp protocol especially in the area of WhatsApp call analysis from a forensic networking perspective.
Forensically relevant artifacts
As shown in Table 1, forensically relevant artifacts may be extracted from the network traffic using the outlined methodology. Most notably (see Fig. 1), we were able to acquire the following artifacts from the network traffic:
- WhatsApp phone numbers.
- WhatsApp phone call establishment metadata and datetime stamps.
- WhatsApp phone call termination metadata and datetime stamps.
- WhatsApp phone call duration metadata and datetime stamps.
- WhatsApp's phone call voice codec (Opus).
- WhatsApp's relay server IP addresses used during the calls.
Table 1. Forensically relevant data, their location and sample data.
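The artifacts listed above all fall out of the signaling flow in Section Protocol analysis of call signaling messages once the decoded messages are grouped by call-id: the first message carrying the id dates the establishment, the last one the termination, their difference is the duration, the servers the client talked to are the peers of those messages, the server's codec reply fixes the codec, and the 6-byte endpoint property decodes to ip:port. The following is an added example of that extraction, not the paper's tool: the message records are constructed (packet numbers, addresses, call-id and codec choices follow the text, timestamps are made up), "call-id" is the paper's property name while the other property names are placeholders, and the 6-byte layout (IPv4 followed by a big-endian port) is an assumption consistent with the value the paper reports.

```python
"""Turning decoded call-signaling messages into the artifacts the paper lists
(Table 1): called number, server IPs, negotiated codec, establishment and
termination times, duration, and the 6-byte endpoint value decoded to ip:port.
Added example, not the paper's tool. The message records are constructed
(packet numbers, addresses, the call-id and the codec choices follow the flow
in the text; timestamps are made up); "call-id" is the paper's property name,
the other property names are placeholders; the 6-byte layout (IPv4 then a
big-endian port) is an assumption consistent with the value the paper reports."""
import ipaddress
import struct
from datetime import datetime, timezone


def decode_endpoint(raw: bytes) -> str:
    """6-byte endpoint value -> 'ip:port' (layout assumed, see above)."""
    if len(raw) != 6:
        raise ValueError(f"endpoint must be 6 bytes, got {len(raw)}")
    ip, port = struct.unpack("!4sH", raw)
    return f"{ipaddress.IPv4Address(ip)}:{port}"


CLIENT_IP = "192.168.137.208"

# Constructed decoded signaling messages for one call; 0xB550 == 46416.
MESSAGES = [
    {"packet": 42, "epoch": 1431719979.0, "src": CLIENT_IP, "dst": "174.36.210.45",
     "props": {"call-id": "1431719979-2", "to": "1203xxxxxxx",
               "codec": ["opus/8000", "opus/16000"],
               "endpoint": bytes([192, 168, 137, 208, 0xB5, 0x50])}},
    {"packet": 46, "epoch": 1431719980.4, "src": "174.36.210.45", "dst": CLIENT_IP,
     "props": {"call-id": "1431719979-2", "codec": ["opus/16000"]}},
    {"packet": 2688, "epoch": 1431720010.0, "src": CLIENT_IP, "dst": "108.168.180.110",
     "props": {"call-id": "1431719979-2",
               "endpoint": bytes([192, 168, 137, 208, 0xB5, 0x51])}},
    {"packet": 7921, "epoch": 1431720071.0, "src": CLIENT_IP, "dst": "174.37.231.88",
     "props": {"call-id": "1431719979-2"}},
    {"packet": 7925, "epoch": 1431720071.2, "src": CLIENT_IP, "dst": "174.37.231.88",
     "props": {"call-id": "1431719979-2"}},
    {"packet": 9000, "epoch": 1431720100.0, "src": CLIENT_IP, "dst": "174.37.231.88",
     "props": {}},  # non-call message: carries no call-id and must be ignored
]


def summarize_calls(messages: list, client_ip: str = CLIENT_IP) -> dict:
    """Group by call-id (constant for the whole call, unique per call) and derive
    the artifacts. Established = first message with the id, terminated = last."""
    calls = {}
    for m in sorted(messages, key=lambda m: m["packet"]):
        cid = m["props"].get("call-id")
        if cid is None:
            continue  # not call signaling
        c = calls.setdefault(cid, {"first_packet": m["packet"], "last_packet": m["packet"],
                                   "established": m["epoch"], "terminated": m["epoch"],
                                   "servers": set(), "codecs": [], "endpoints": [],
                                   "called_party": None})
        c["last_packet"] = m["packet"]
        c["terminated"] = max(c["terminated"], m["epoch"])
        # the server is whichever side of the message is not the phone
        c["servers"].add(m["dst"] if m["src"] == client_ip else m["src"])
        if "to" in m["props"]:
            c["called_party"] = m["props"]["to"]
        if "codec" in m["props"]:
            c["codecs"].append(m["props"]["codec"])  # client offer, then server's choice
        if "endpoint" in m["props"]:
            c["endpoints"].append(decode_endpoint(m["props"]["endpoint"]))
    for c in calls.values():
        c["duration_s"] = round(c["terminated"] - c["established"], 1)
        c["negotiated_codec"] = c["codecs"][-1] if c["codecs"] else None
        c["established_utc"] = datetime.fromtimestamp(c["established"], timezone.utc).isoformat()
        c["terminated_utc"] = datetime.fromtimestamp(c["terminated"], timezone.utc).isoformat()
    return calls
```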
Conclusions
In this work, we decrypted the WhatsApp client connection to the WhatsApp servers and visualized messages exchanged through such a connection using a command-line tool we created. This tool may be useful for deeper analysis of the WhatsApp protocol.
We also uncovered the hypothesized signaling messages of the WhatsApp call which revealed what codec is being actually used for media transfer (Opus), as well as forensically relevant metadata about the call establishment, termination, duration and phone numbers associated with the call.
Future work
In this work we were unable to decode media RTP streams as they seem to be encrypted. However, we hypothesize that encryption keys are most likely being transferred inside the signaling messages during the set up of a WhatsApp call and therefore we postulate that it should be possible, in theory, to decrypt these media streams as well. The main challenge for this task is to find out the encryption keys and encryption algorithm used.
We would also like to note that a limitation of our work is that it was tested on an Android device. Although we hypothesize that the protocol used in the communication will be constant across platforms, recreating the experiments with different devices and operating systems running WhatsApp is needed to validate that claim. Also, we would like to note that as more features are added to WhatsApp, more experiments need to be conducted to ensure that the design of the protocol does not change.
We would also like to encourage other researchers to apply the techniques explained in our work to analyze the network traffic of other popular messaging applications so that the forensic community can gain a better understanding of the forensically relevant artifacts that may be extracted from the network traffic, and not only the data stored on the devices.
Appendix A. Reference files
These are files that were used throughout this paper. These files can be provided to researchers by visiting our website http://www.unhcfreg.com under Tools & Data.
- whatsapp_register_and_call.pcap: pcap file containing user with phone number 420xxxxxxxxx connecting to multiple WhatsApp servers and placing a call to the user with phone number 1-203-xxx-xxxx.
- whatsapp_register_and_call.xml: content of previous pcap file exported from Wireshark in XML format.
- whatsapp_register_and_call.html: HTML file that was generated from previous XML file using our tool.
- convertPDML.py: command-line tool for converting XML files exported from Wireshark to a visual HTML report containing flow of WhatsApp messages exchanged between WhatsApp Messenger and the WhatsApp servers.