How the Forensic Tools Can Retrieve Deleted WhatsApp Messages


Law enforcement agencies can potentially retrieve deleted data, including from encrypted chat apps like WhatsApp if they acquire and search your iPhone.

Following the disclosure of recent case details published in Forbes, law enforcement officials in Eastern California impounded the mobile device belonging to a suspect involved in an ongoing investigation related to drug trafficking. 

The phone’s data was instrumental in monitoring the transportation of methamphetamine and fentanyl shipments from Mexico to the state.

Outlined in a search warrant, an FBI agent from Sacramento provided a comprehensive account of the suspect’s WhatsApp conversations with an alleged accomplice, highlighting the presence of encryption, rendering some of the messages incomprehensible.

The investigator explained that the messages retrieved by the extraction software appeared disordered or “scrambled” due to the encryption functionalities employed by WhatsApp, thus attributing this phenomenon as the cause.

Retrieve Deleted WhatsApp Messages

Forensic tools, such as those developed by reputable companies like Cellebrite in Israel and Grayshift based in Atlanta, are commonly utilized as “extraction” software to scan various smartphone databases for traces of residual files.

According to online records, for the past two years, law enforcement agencies and private organizations equipped with a Cellebrite Physical Analyzer tool have had access to the technology to retrieve deleted WhatsApp messages from an Apple iOS database.

A self-proclaimed Cellebrite employee on Discord revealed in 2021 that deleted WhatsApp messages on iPhones are fragmented but still stored in an iOS database called “chatsearch” to facilitate faster conversation searching.

Cellebrite’s technology can recover these messages; however, it categorizes them as “scrambled” and presents them in a fragmented format.

Recent evidence suggests that the technology still operates similarly, as a Discord user claiming to be a Cellebrite employee in March 2023 referred to a 2021 post when questioned about deleted WhatsApp messages.

In response to the criminal cases and the specific devices involved, Meta, the owner of WhatsApp, expressed the need for more information before providing any comment or response. Not only that, but even Apple ignored providing any response or comment on the matter.

While Cellebrite and similar devices can yield valuable evidence from phones, their effectiveness is inconsistent, as demonstrated in a DEA case where their Cellebrite tool couldn’t retrieve WhatsApp messages from an iPhone 11 due to limitations specific to that device model, requiring manual data retrieval.

The digital forensics expert Vladimir Katalov affirmed that Google phones are not vulnerable to the same technique for retrieving deleted WhatsApp messages as the “chatsearch” database does not exist on Android, although there may be alternative methods.

Using similar search tools for gathering data on criminal conspiracies can be highly valuable. However, implementing these tools for innocent individuals or those involved in controversial activities raises significant concerns.

Common Security Challenges Facing CISOs? – Download Free CISO’s Guide

EHA



Source link