WhatsApp network forensics: Discovering the communication payloads behind cybercriminals

摘要

The ubiquity of instant messaging (IM) apps on smart phones have provided criminals to communicate with channels which are difficult to decode. Investigators and analysts are increasingly experiencing large data sets when conducting cybercrime investigations. Call record analysis is one of the critical criminal investigation strategies for law enforcement agencies (LEAs). The aim of this paper is to investigate cybercriminals through network forensics and sniffing techniques. The main difficulty of retrieving valuable information from specific IM apps is how to recognize the criminal' IP address records on the Interne t. This paper proposes a packet filter framework to WhatsApp communication patterns from huge collections of network packets in order to locate criminal's identity more effectively. A rule extraction method in sniffing packets is proposed to retrieve relevant attributes from high dimensional analysis regarding to geolocation and pivot table. The results can support LEAs in discovering criminal communication payloads, as well as facilitating the effectiveness of modern call record analysis. It will be helpful for LEAs to prosecute cybercriminals and bring them to justice.