A recent network forensic examination of popular messaging service WhatsApp is offering new details on the data that can be collected from the app’s network from its new calling feature: such as phone numbers and phone call duration, and highlights areas for future research and study.



The study was conducted at the University of New Haven’s Cyber Forensics Research & Education Group, and the results were outlined in a paper published in the scholarly journal, Digital Investigation. The article was co-authored by F. Karpisek of Brno University of Technology in the Czech Republic, Ibrahim (Abe) Baggili and Frank Breitinger, co-directors of the Cyber Forensics Research & Education Group at the University of New Haven.



“Our research demonstrates the type of data that can be gathered through the forensic study of WhatsApp and provides a path for others to conduct additional studies into the network forensics of messaging apps,” said Baggili. Decrypting the network traffic isn’t simple, the authors suggest, as both access to data on the device as well as the full network traffic is needed.



“We decrypted the WhatsApp client connection to the WhatsApp servers and visualized messages exchanged through such a connection using a command-line tool we created,” the authors wrote. “This tool may be useful for deeper analysis of the WhatsApp protocol.”



In fact, Baggili said he hopes others will use the tools his group developed to “analyze the network traffic of other popular messaging applications so that the forensic community can gain a better understanding of the forensically relevant artifacts that may be extracted from the network traffic, and not only the data stored on the devices.”



The researchers provided an outline of the WhatsApp messaging protocol from a networking perspective, making it possible to explore and study WhatsApp network communications. He said he believes they are the first to discuss “WhatsApp signaling messages used when establishing voice calls.”



Specifically, the researchers found that WhatsApp uses the FunXMPP protocol for message exchange, which is a binary-efficient encoded Extensible Messaging and Presence Protocol (XMPP) (WHAnonymous, 2015c).



Through the analysis of signaling messages exchanged during a WhatsApp call using an Android device, the researchers were able to closely examine the authentication process of WhatsApp clients; discover what codec WhatsApp is using for voice media streams (Opus at 8 or 16 kHz sampling rates); understand how relay servers are announced and the relay election mechanism; and understand how clients announce their endpoint addresses for media streams.



“Gaining insight into these signaling messages is essential for the understanding of the WhatsApp protocol, especially in the area of WhatsApp,” the authors wrote.



The researchers were able to acquire a variety of artifacts from network traffic, including WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, and WhatsApp phone call duration metadata and date-time stamps. They also were able to acquire WhatsApp’s phone call voice codec (Opus) and WhatsApp’s relay server IP addresses used during the calls.