{"id":354,"date":"2015-10-27T12:01:45","date_gmt":"2015-10-27T17:01:45","guid":{"rendered":"https:\/\/fbreitinger.de\/?p=354"},"modified":"2016-01-27T09:52:38","modified_gmt":"2016-01-27T14:52:38","slug":"whatsapp-paper-accepted-in-digital-investigation","status":"publish","type":"post","link":"https:\/\/fbreitinger.de\/?p=354","title":{"rendered":"WhatsApp paper accepted in Digital Investigation"},"content":{"rendered":"<p>(text copied from <a href=\"http:\/\/www.newhaven.edu\/news-events\/news-releases\/2015-2016\/952112\/\" target=\"_blank\">newhaven.edu<\/a>)<\/p>\n<h1>Popular WhatsApp Collects Phone Numbers, Call Duration, Other Info<\/h1>\n<p>WEST HAVEN, Conn. &#8211; A recent network forensic examination of WhatsApp, a popular messaging service, is offering new details on the data that can be collected from the app\u2019s network from its new calling feature, such as phone numbers and phone call duration, and highlights areas for future research and study.<\/p>\n<p>The study was conducted at the University of New Haven\u2019s Cyber Forensics Research &amp; Education Group (<a href=\"http:\/\/www.unhcfreg.com\" target=\"_blank\">http:\/\/www.unhcfreg.com<\/a>), and the results were outlined in a paper published in the scholarly journal, Digital Investigation.<br \/>\nThe article, \u201cWhatsApp Network Forensics: Decrypting and Understanding WhatsApp Call Signaling Messages,\u201d was co-authored by F. Karpisek of Brno University of Technology in the Czech Republic, Ibrahim (Abe) Baggili and Frank Breitinger, co-directors of the Cyber Forensics Research &amp; Education Group at the University of New Haven.<\/p>\n<p>\u201cOur research demonstrates the type of data that can be gathered through the forensic study of WhatsApp and provides a path for others to conduct additional studies into the network forensics of messaging apps,\u201d said Baggili. 
Decrypting the network traffic isn\u2019t simple, the authors suggest, as access to both the data on the device and the full network traffic is needed.<\/p>\n<p>WhatsApp provides free texting, a calling feature that permits calls to be made over the Internet using data rather than toll charges, and content sharing. It has more than 800 million users worldwide and was acquired by Facebook in 2014 for $19 billion.<\/p>\n<p>In their paper, the authors point to the number of users and the affiliation with Facebook, writing, \u201cWe see a strong necessity for both researchers and practitioners to gain a comprehensive understanding of the networking protocol used in WhatsApp, as well as the type of forensically relevant data it contains.\u201d<\/p>\n<p>\u201cWe decrypted the WhatsApp client connection to the WhatsApp servers and visualized messages exchanged through such a connection using a command-line tool we created,\u201d the authors wrote. \u201cThis tool may be useful for deeper analysis of the WhatsApp protocol.\u201d<\/p>\n<p>In fact, Baggili said he hopes others will use the tools his group developed to \u201canalyze the network traffic of other popular messaging applications so that the forensic community can gain a better understanding of the forensically relevant artifacts that may be extracted from the network traffic, and not only the data stored on the devices.\u201d<\/p>\n<p>The researchers provided an outline of the WhatsApp messaging protocol from a networking perspective, making it possible to explore and study WhatsApp network communications. 
He said he believes they are the first to discuss \u201cWhatsApp signaling messages used when establishing voice calls.\u201d<\/p>\n<p>Specifically, the researchers found that WhatsApp uses the FunXMPP protocol for message exchange, which is a binary-efficient encoded Extensible Messaging and Presence Protocol (XMPP) (WHAnonymous, 2015c).<\/p>\n<p>Through the analysis of signaling messages exchanged during a WhatsApp call using an Android device, the researchers were able to closely examine the authentication process of WhatsApp clients; discover what codec WhatsApp is using for voice media streams (Opus at 8 or 16 kHz sampling rates); understand how relay servers are announced and the relay election mechanism; and understand how clients announce their endpoint addresses for media streams.<\/p>\n<p>\u201cGaining insight into these signaling messages is essential for the understanding of the WhatsApp protocol, especially in the area of WhatsApp,\u201d the authors wrote.<\/p>\n<p>The researchers were able to acquire a variety of artifacts from network traffic, including WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, and WhatsApp phone call duration metadata and date-time stamps. 
They also were able to acquire WhatsApp&#8217;s phone call voice codec (Opus) and WhatsApp&#8217;s relay server IP addresses used during the calls.<\/p>\n<p>Featured in:<br \/>\n<a href=\"http:\/\/www.techworm.net\/2015\/10\/whatsapp-collects-users-phone-numbers-and-call-duration.html\" target=\"_blank\">techworm.net<\/a>, <a href=\"http:\/\/www.myce.com\/news\/whatsapp-collects-phone-numbers-date-and-time-and-duration-of-phone-calls-77649\/\" target=\"_blank\">myce.com<\/a>, <a href=\"http:\/\/www.theregister.co.uk\/2015\/10\/27\/whatsapp_forensic_analysis\/\" target=\"_blank\">theRegister.co.uk<\/a> and more.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>(text copied from newhaven.edu) Popular WhatsApp Collects Phone Numbers, Call Duration, Other Info WEST HAVEN, Conn. &#8211; A recent network forensic examination of WhatsApp, a popular messaging service, is offering new details on the data that can be collected from the app\u2019s network from its new calling feature, such as phone numbers and phone call 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4],"tags":[],"class_list":["post-354","post","type-post","status-publish","format-standard","hentry","category-news-article","category-publication"],"_links":{"self":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts\/354","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=354"}],"version-history":[{"count":2,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts\/354\/revisions"}],"predecessor-version":[{"id":356,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=\/wp\/v2\/posts\/354\/revisions\/356"}],"wp:attachment":[{"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fbreitinger.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}