Conference: International Symposium on Networks, Computers and Communications

Asynchronous Forensic Investigative Approach to Recover Deleted Data from Instant Messaging Applications


Abstract

The proliferation of digital platforms, specifically Instant Messaging Applications (IMAs), has introduced new challenges to digital forensic investigations. With the rapidly increased use of the WhatsApp application, it is plausible to speculate that WhatsApp became a potential source of threat and/or cybercrime. Some newly added features on WhatsApp, such as ‘delete for everyone’, which gives users the ability to delete messages from both ends (sender and receiver), have complicated the cybercrime investigation process. Therefore, there is a need to revisit the investigation process and the structure of such updated features to be able to create a comprehensive digital forensic technique. This paper examines the forensic artifacts of WhatsApp’s ‘delete for everyone’ feature. This feature is a great addition to the overall usability of IMAs; however, it is also crucial to update digital forensic investigation techniques and test the capability of commercial forensic tools in recovering forensic evidence when a new technology has been introduced. During the course of this research, we tested and validated the digital forensic methodology and compared the investigation results with forensically sound commercial tools. During the data acquisition process, we conducted physical and logical forensic acquisitions of an Android device, which led to a breakthrough discovery of a SQLite file called Write-Ahead-Log (WAL) which contains the application’s latest messages, including (allegedly) deleted messages.