
Forensic analysis of WhatsApp Messenger on Android smartphones

Cosimo Anglano*

DiSIT – Computer Science Institute, Università del Piemonte Orientale, Alessandria, Italy

Article info

Article history: Received 15 January 2014; received in revised form 17 March 2014; accepted 26 April 2014; available online 27 May 2014.

Keywords: WhatsApp; WhatsApp Messenger; Instant messaging; Android; Smartphones

Abstract

We present the forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system. We provide a complete description of all the artifacts generated by WhatsApp Messenger, we discuss the decoding and the interpretation of each one of them, and we show how they can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation.

By using the results discussed in this paper, an analyst will be able to reconstruct the list of contacts and the chronology of the messages that have been exchanged by users. Furthermore, thanks to the correlation of multiple artifacts, (s)he will be able to infer information like when a specific contact has been added, to recover deleted contacts and their time of deletion, to determine which messages have been deleted, when these messages have been exchanged, and the users that exchanged them.

© 2014 Elsevier Ltd. All rights reserved.

Introduction

The introduction of sophisticated communication services over the Internet, allowing users to exchange textual messages, as well as audio, video, and image files, has changed the way people interact with one another. The usage of these services, broadly named instant messaging (IM), has undoubtedly exploded in the past few years, mainly thanks to the pervasiveness of smartphones, which provide quite sophisticated IM applications. Smartphones indeed enable users to exploit their data connection to access IM services anywhere and anytime, thus eliminating the costs usually charged by mobile operators for similar services (e.g., for SMS communication).

Given their popularity, IM services are being increasingly used not only for legitimate activities, but also for illicit ones (The United Nations Office on Drugs and Crime, 2013): criminals may indeed use them either to communicate with potential victims, or with other criminals to escape interception (Bellovin et al., 2013). Therefore, IM applications have the potential of being a very rich source of evidentiary information in most investigations.

Among IM applications for smartphones, WhatsApp (WhatsApp Inc., 2013) is credited as the most widespread one (reportedly (Winkler, 2013), it has over 400 million active users that exchange, on average, more than 31 billion messages per day, 325 million of which are photos (Olivarez-Giles, 2013)). Given its recent acquisition by Facebook, it is reasonable to expect a further growth in its diffusion. Therefore, the analysis of WhatsApp Messenger, the client of WhatsApp that runs on smartphones, has recently raised the interest of the digital forensics community (Thakur, 2013; Mahajan et al., 2013; Tso et al., 2012).

In this paper we deal with the forensic analysis of WhatsApp Messenger on Android smartphones. Android users, indeed, arguably represent the largest part of the

\* Tel.: +39 0131 360188. E-mail addresses: cosimo.anglano@unipmn.it, cosimo.anglano@di.unipmn.it.

Contents lists available at ScienceDirect. Digital Investigation, journal homepage: www.elsevier.com/locate/diin. http://dx.doi.org/10.1016/j.diin.2014.04.003. 1742-2876/© 2014 Elsevier Ltd. All rights reserved. Digital Investigation 11 (2014) 201–213.

YouWave virtualization platform (YouWave Corp., 2013) that is able to faithfully emulate the behavior of a complete Android device. YouWave implements the internal device memory as a VirtualBox storage file (Oracle Corp., 2013), whose format is documented and, therefore, can be parsed by a suitable tool to extract the files stored inside it. In this way, the acquisition of the internal memory of the device is greatly simplified, as it reduces to inspecting the content of this file. In order to ensure the soundness of our approach, we have made tests in which the behavior of, and the data generated by, WhatsApp Messenger running on YouWave have been compared against those produced when it runs on real smartphones. These tests have been performed either indirectly, by comparing the data found in the inaccessible memory area of YouWave against those documented in the literature (Thakur, 2013; Mahajan et al., 2013), or directly, by comparing the data stored on the emulated SD memory card against those generated on a real smartphone. The results of our tests indicate that, from the perspective of WhatsApp Messenger, YouWave and a real smartphone behave the same way.
Our experimental test-bed thus consists of a set of YouWave virtual machines, namely one for each device involved in the experiments, running Android v. 4.0.4. On each one of these machines we install and use WhatsApp Messenger v. 2.11. In each experiment, we assign a role to each virtual device (e.g. sender or recipient of a message, group chat leader, etc.), and use it to carry out the corresponding activities. Then, at the end of the experiment, we suspend the virtual device, parse the file implementing the corresponding internal memory (named youwave_vm01.vdi) by means of FTK Imager (v. 3.1) (AccessData Corporation, 2013), and extract the files where WhatsApp Messenger stores the data it generates.¹ These files are then examined by means of suitable tools. In particular, we use SqliteMan (Vanek and Les, 2013) to examine the databases maintained by WhatsApp Messenger (as discussed later, they are SQLite v.3 databases (SQLite Consortium, 2013)), and notepad++ (Ho, 2013) to examine textual files.

By proceeding as described above, (a) we are able to avoid the risks of contamination and of an incomplete acquisition of the data stored in the memory of the device, (b) we ensure repeatability of experiments, as their outcomes do not depend on the availability of a specific software or hardware memory acquisition tool or smartphone model, (c) we obtain a high degree of controllability of experiments, as we may suspend and resume at will the virtual device to perform acquisition while a given experiment is being carried out and, last but not least, (d) we reduce the costs of the study, since neither real smartphones nor commercial memory acquisition tools are necessary to carry out the experiments.

Forensic analysis of WhatsApp Messenger

WhatsApp provides its users with various forms of communications, namely user-to-user communications, broadcast messages, and group chats. When communicating, users may exchange plain text messages, as well as multimedia files (containing images, audio, and video), contact cards, and geolocation information.

Each user is associated with a profile, a set of information that includes his/her WhatsApp name, status line, and avatar (a graphic file, typically a picture). The profile of each user is stored on a central system, from which it is downloaded by other WhatsApp users that include that user in their contacts. The central system also provides other services, like user registration, authentication, and message relay.

As reported in (Thakur, 2013), the artifacts generated by WhatsApp Messenger on an Android device are stored in a set of files, whose name, location, and contents are listed in Table 1. In the rest of this section we discuss how the above artifacts can be analyzed and correlated to ascertain various types of information: we start with contact information (Sec. Analysis of contact information), we continue with exchanged messages (Sec. Analysis of exchanged messages), and we end with application settings and user preferences (Sec. Analysis of settings and preferences).

Analysis of contact information

The evidentiary value of contact information is well known, as it allows an investigator to determine who the user was in contact with. In this section we first describe the information that is stored in the contacts database, and then we discuss how this information can be analyzed to determine (a) the list of contacts, (b) when a contact has been added to the database, (c) whether and when a given contact has been blocked and, finally, we show how deleted contacts can be dealt with.

Retrieving contact information

The contacts database wa.db contains three tables, namely wa_contacts, which stores a record for each contact, and android_metadata and sqlite_sequence, both storing housekeeping information having no evidentiary value. The structure of the records in wa_contacts is shown in Table 2, where we distinguish the fields containing data obtained from the WhatsApp system (and, as such, having potential evidentiary value), from those storing data extracted from the phonebook of the device (that, being set by the user and not by WhatsApp, are not pertinent to our work).

As can be observed from this table, each record stores the WhatsApp ID (field jid) of the contact, a string structured as ‘x@s.whatsapp.net’, where ‘x’ is the phone number of that contact (for the sake of readability, in the following we indicate users by means of their phone numbers instead of their complete WhatsApp IDs). Furthermore, each record stores the profile name (field

¹ The only exception we make to the above methodology is the use of a physical smartphone to generate messages carrying geolocation coordinates, since the Android Location Services, used by WhatsApp Messenger to obtain the coordinates of the current location of the device, are not available on YouWave because of its lack of a GPS receiver. In this case, access to the relevant data is achieved by using the backup mechanisms described in Sec. The structure
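
An added example (not code from the paper) of the contact-retrieval step described above: it reads wa_contacts from an extracted copy of wa.db in Python, opening the file read-only and hashing it before and after so the evidence copy is shown to be untouched. Only the names wa.db, wa_contacts, android_metadata, sqlite_sequence and the jid layout come from the text; the function names, the `_id` column and the sample phone numbers are constructed for illustration.

```python
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

# jid layout given in the paper: 'x@s.whatsapp.net', x = contact's phone number
JID_RE = re.compile(r"^(\d+)@s\.whatsapp\.net$")

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def read_contacts(db_path):
    """Return (tables, contacts, unparsed_jids, file_unchanged) for a wa.db copy."""
    before = sha256_of(db_path)
    # mode=ro rejects writes; immutable=1 also prevents journal/WAL side files
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = sorted(r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"))
        cols = [r[1] for r in con.execute("PRAGMA table_info(wa_contacts)")]
        contacts, unparsed = [], []
        for rec in con.execute("SELECT * FROM wa_contacts ORDER BY rowid"):
            row = dict(zip(cols, rec))
            m = JID_RE.match(row.get("jid") or "")
            if m:
                contacts.append({**row, "phone": m.group(1)})
            else:
                unparsed.append(row.get("jid"))  # kept for manual review
    finally:
        con.close()
    return tables, contacts, unparsed, sha256_of(db_path) == before

def build_sample_db(path):
    """Constructed test data: the phone numbers and the _id column are made up."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE android_metadata (locale TEXT);
        CREATE TABLE wa_contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, jid TEXT);
        INSERT INTO wa_contacts (jid) VALUES ('390000000001@s.whatsapp.net'),
            ('390000000002@s.whatsapp.net'), ('not-a-jid');
    """)
    con.commit()
    con.close()

if __name__ == "__main__":
    sample = Path(tempfile.mkdtemp()) / "wa.db"
    build_sample_db(sample)
    print(read_contacts(sample))
```

Records whose jid does not match the documented layout are returned separately rather than dropped, so the analyst can examine them by hand.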