Jun 07, 2018

whatsapppicThe number of mobile applications enabling voice, text, photo and video communications continues to grow every year. Within an impressive array of offerings, including Facebook Messenger, Telegram, WeChat, Viber, Snapchat, and Google Hangouts, there is one giant that stands out: WhatsApp. WhatsApp Messenger was created in 2009, and was acquired by Facebook in 2014 for approximately $19 billion. To call it popular would be an understatement: it currently has over 1.2 billion monthly active users worldwide [www.statista.com], and as of February 2018, is Facebook’s second-largest property, after its own namesake application [www.investopedia.com].

WhatsApp has risen in international popularity as a relatively cheap – if not free – solution for sharing text, images, video and voice messages (in addition to calling and video calling) for iPhones, Androids, Windows Phones, Nokia Phones, Blackberries, and even desktop computers. Instead of using a mobile phone plan, WhatsApp uses data, so it can connect via the Internet.

But how does this behemoth actually generate revenue? WhatsApp has no in-app advertisements, does not currently charge for downloading, and does not currently charge subscription fees. While it may share certain data points with Facebook (and as the Cambridge Analytica scandal most recently illustrated, personal data is a goldmine), and be a source of users for parent company Facebook, WhatsApp is only recently contemplating charging for tools allowing businesses to direct market to customers within the app. The monetization of WhatsApp is a crucial discussion in the social media and communications applications atmosphere, and people operating in this sector continue to attempt to predict what will happen. As recently as this month, highly respected financial and business journals are suggesting meaningful revenue opportunities within WhatsApp. Its valuation potential leaves people waiting with bated breath.

Attorneys may be looking at the value behind WhatsApp in a different manner. Due to its popularity, WhatsApp is a treasure trove of evidence for attorneys – and digital forensic professionals are the gatekeepers.   Communication technologies are changing at a rapid-fire pace, with no signs of slowing down. As one of the most convenient methods of communicating, apps like WhatsApp have quickly become commonly utilized evidence sources in the courtroom and in corporate dealings. In a digital forensic examination of the subject device (e.g., iPhone, Android Phone, Google Phone, etc.) or the subject backup (e.g., cloud-based storage like iTunes), certain properties can be uncovered, depending on usage, settings, and capacity. Since instant message platforms can potentially provide contact names, contact phone numbers, message content, photographs, videos, time stamps, histories, geolocation data, and usage statistics they should not be overlooked during an investigation.

While courts in the United States are still trying to keep pace with continually advancing technology and digitized sources of evidence, the same discovery rules generally apply. App evidence – including WhatsApp – must have foundation and grounds for admission established. For example, each state has tended to go its own way regarding whether a single text message, versus a chain of text messages, requires separate establishment of foundation and relevance grounds. Additionally, this type of evidence must be authenticated. While at times a contextual review will suffice, digital forensic preservation and analysis remains an effective and efficient solution for this purpose. A forensic report on WhatsApp data authenticates the portions of such data the client deems relevant, and serves as an expert review of what is available.

WhatsApp poses unique challenges to the digital forensic preservation, recovery, and analysis process. Forensic investigators regularly face obstacles regarding instant message collections, like regular operating systems updates, system securities, and storage location access (e.g., hard disk drive versus RAM). WhatsApp has additional complications, like database encryption that continually updates to protect user privacy. One of WhatsApp key security features is end-to-end encryption, meaning only the sender and receiver of messages can view them in a decrypted fashion.

In order to forensically preserve and review such contents, one needs, at minimum, the passcode/password for an iPhone (to unlock the device and all applications on it). Androids are a bit more complex in terms of the forensic collection process – the device passcode/password is necessary, but a decryption code may be required as well. Importantly, different forensic software may allow access only to certain artifacts as well. One of the other features that sets WhatsApp apart is an ability to archive data – allowing users to save data without deleting it. This other layer of data is also encrypted, requiring a different password – posing a new challenge to the forensic team. Therefore, it is necessary to review what aspects of the potential digitized evidence are most relevant and work with the digital forensic team to attempt to uncover those smoking guns.

Digital forensic consultants have a variety of forensic software tools and industry expertise to assist with the capture, preservation, and decryption of WhatsApp data, but must stay ahead of the curve as smartphones and communications apps continue to advance. With every system update and device upgrade, the forensics of application data grows more nuanced. WhatsApp continues to keep the digital forensic field on its toes.