Title: An experimental approach for locating WhatsApp digital forensics artefacts on Windows 10 and the cloud

Authors: Yaman Salem; Majdi Owda; Amani Yousef Owda

Addresses: Faculty of Graduate Studies, Arab American University, Ramallah, Palestine ' Faculty of Data Science, Arab American University, Ramallah, Palestine ' Faculty of Graduate Studies, Arab American University, Ramallah, Palestine

Abstract: The increased popularity of WhatsApp resulted in its extensive use as a tool in planning unlawful activities. In order to conduct an investigation in WhatsApp, the WhatsApp artefact should be located. This poses challenges to digital forensic investigators. This study investigates WhatsApp artefacts on Windows volatile and non-volatile memories. WhatsApp desktop and WhatsApp web were analysed. A set of four experiments were conducted. Experiment 1 investigates WhatsApp web artefacts via the cloud, experiment 2 investigates WhatsApp web artefacts on non-volatile memory, experiment 3 investigates WhatsApp desktop artefacts on non-volatile memory, and experiment 4 investigates WhatsApp web/desktop artefacts on volatile memory. Results demonstrated that all related artefacts were recovered from the WhatsApp web via the cloud. Moreover, a log file containing user's activities, contact numbers, and browser history, were recovered from non-volatile memory. Messages in clear text and part of images were recovered from volatile memory. This study provided a holistic approach for locating and analysing WhatsApp artefacts.

Keywords: instant messaging; IM; WhatsApp artefacts; WAA; non-volatile; volatile; Windows.

DOI: 10.1504/IJESDF.2023.130662

International Journal of Electronic Security and Digital Forensics, 2023 Vol.15 No.3, pp.281 - 300

Received: 06 Mar 2022
Accepted: 05 Oct 2022
Published online: 02 May 2023 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article