The researchers did a forensic examination of popular cross platform messaging service, WhatsApp and found that data that can be collected from the app’s network from its new calling feature: such as phone numbers and phone call duration, and highlights areas for future research and study. The group has detailed its study in a paper published in the scholarly journal, Digital Investigation. The article was co-authored by F. Karpisek of Brno University of Technology in the Czech Republic, Ibrahim (Abe) Baggili and Frank Breitinger, co-directors of the Cyber Forensics Research & Education Group at the University of New Haven. “Our research demonstrates the type of data that can be gathered through the forensic study of WhatsApp and provides a path for others to conduct additional studies into the network forensics of messaging apps,” said Baggili. According to the researchers, decrypting the network traffic isn’t simple, as both access to data on the device as well as the full network traffic is needed. “We decrypted the WhatsApp client connection to the WhatsApp servers and visualized messages exchanged through such a connection using a command-line tool we created,” the authors wrote. “This tool may be useful for deeper analysis of the WhatsApp protocol.” In the paper, the researchers have provided an outline of the WhatsApp messaging protocol from a networking perspective, making it possible to explore and study WhatsApp network communications. He said he believes they are the first to discuss “WhatsApp signaling messages used when establishing voice calls.” Specifically, the researchers found that WhatsApp uses the FunXMPP protocol for message exchange, which is a binary-efficient encoded Extensible Messaging and Presence Protocol (XMPP) (WHAnonymous, 2015c). Through the analysis of signaling messages exchanged during a WhatsApp call using an Android device, the researchers were able to closely examine the authentication process of WhatsApp clients; discover what codec WhatsApp is using for voice media streams (Opus at 8 or 16 kHz sampling rates); understand how relay servers are announced and the relay election mechanism; and understand how clients announce their endpoint addresses for media streams. “Gaining insight into these signaling messages is essential for the understanding of the WhatsApp protocol, especially in the area of WhatsApp,” the authors wrote. The researchers were able to acquire interesting details from network traffic, including WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, and WhatsApp phone call duration metadata and date-time stamps. They also were able to acquire WhatsApp’s phone call voice codec (Opus) and WhatsApp’s relay server IP addresses used during the calls. Resource : Help Net Security.