Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives A FORENSIC ANALYSIS OF WHATSAPP ON ANDROID SMART PHONE Dr.Iyobor Egho-Promise* Regional Technical Head, Nor th/ BA Regions Glo Mobile Ghana Limited, Tamale, Region, Ghana eghopr omise@yahoo.com Bamidele Ola Technobeacon Consulting Ltd, London, UK olaw est@technobeacon.com Aaron Arhin Computer Science Depar tment, Kofor idua Technical Univer sity, Ghana Ar hin175@gmail.com Richard Asuming Computer Science Depar tment, Kofor idua Technical Univer sity, Ghana. r ichar dluvly@gmail.com Publication History Manuscr ipt Refer ence No: IRJCS/ RS/ Vol.07/ Issue08/ AUCS10080 Received: 02, August 2020 Accepted: 12, August 2020 Published: 14, August 2020 DOI: https:/ / doi.or g/ 10.26562/ ir jcs.2020.v0708.001 Citation: Dr.Iyobor, Bamidele, Aaron,Richard (2020). A For ensic Analysis of Whatsapp on Andr oid smar tphone. IRJCS:: Inter national Resear ch Jour nal of Computer Science, Volume VII, 209-219. https:/ / doi.or g/ 10.26562/ ir jcs.2020.v0708.001 Peer -r eview : Double-blind Peer -r eview ed Editor : Dr .A.Ar ul Law r ence Selvakumar , Chief Editor , IRJCS, AM Publications, India Copyr ight: © 2020 This is an open access ar ticle distr ibuted under the ter ms of the Cr eative Commons Attr ibution License; Which Per mits unr estr icted use, distr ibution, and r epr oduction in any medium, pr ovided the or iginal author and sour ce ar e cr edited Abstract: Andr oid® for ensics have pr ogr essed over time pr oviding vital oppor tunities as w ell as exi sting challenges. As an open sour ce platfor m, Andr oid pr ovides fr eedom to developer s to make contr ibution tow ar ds the r apid gr ow th of the Andr oid mar ket. On the other hand, user s of Andr oid devices might not be familiar w ith the pr ivacy and secur ity implications of installing mobile application on their cell phones. User s might assume that a device that is passw or d locked pr otects their per sonal infor mation, but the devices might pr eser ve the per sonal infor mation on the devices in w ays the end user s might not be aw ar e of. This r esear ch focuses on one of these applications ‘WhatsApp® ’, a ver y popular social netw or king mobile application. This r esear ch outlines the w ays for ensic investigator s can extr act valuable infor mation fr om WhatsApp and fr om similar mobile applications installed on the Andr oid platfor m. The major focus is the extr act ion and analysis of the data of the application user fr om non-volatile exter nal stor age and the volatile memor y (RAM) of an Andr oid device. Keywords: Analysis; Smar t; For ensic; WhatsApp; Andr oid; I. INTRODUCTION Accor ding to Anglano (2014) [1], WhatsApp Messenger is a r egister ed, cr oss-platfor m instantaneous messaging application for the cell-phones. User s can send text messages along w ith the videos, images and audio media messages. The consumer softw ar e is accessible for Blackber r y OS, Andr oid, Ser ies 40, Blackber r y 10, iOS, Window s Phone, and Symbian (S60) and Ser ies 40. WhatsApp Inc. w as established in the year 2009, in Santa Clar a, Califor nia, by Jan Koum and Br ian Acton w ho ar e specialists of Yahoo!. WhatsApp show ed a huge incr ease in dealing w ith messages, fr om handling tw o billion messages in Apr il 2012 to deal w ith ten billion messages ever y day in August 2012. As per Financial Times, WhatsApp has car r ied out a similar thing to the SMS on the cellular phones that w er e done by Skype to the inter national calling on phone line. WhatsApp has also gr ow n as a social netw or king app in the speed of light. On Andr oid phones, the number of dow nloads for WhatsApp has sur passed one hundr ed mi llion. It is among the top 30 application and among the top five fr ee communication application on Google Play in just thr ee year s [2]. WhatsApp makes use of Wi-Fi or 3G of the user for messaging w ith family and fr iends. The size of the application is 10M and it also has an option for sending and r eceiving unlimited messages fr ee of cost. In ter ms of its char acter istics, WhatsApp can be utilised as an over all solution for simple and economical netw or kin g on mobile phones. ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-209 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives For accessing the WhatsApp ser vices, the user has to pr ovide the phone number that is utilised inter nally for cr eating a user account having user -id, for instance, ([poennumber ]@s.w hatsapp.net). WhatsApp can also auto-sync to the addr ess book and show s all of the acquaintances making use of WhatsApp automatically. Ther e has been no constr aint on the length and the quantity of messages that can be inter changed along w ith this, ther e is no car r ier IM fee applicable. Fur ther mor e, the ser vice user does not have to inser t a sim -car d for using WhatsApp, just an inter net connection, suppor ted cellphone, and stor age space on mobile phone is r equir ed for dow nloading the WhatsApp application [3]. WhatsApp utilises a customised for m of the open standar d Extensible Messaging and Pr esence Pr otocol (XMPP) for exchanging infor mation thr ough the inter net. Messages can be in ter ms of plain text, multimedia messages such as contact car ds, audio, addr ess book, video, icon and location. The excess of individual infor mation w hich can be inter changed pr ovides a motive for looking at WhatsApp by a for ensic glass. A. Scope The major emphasis of this r esear ch is r egar ding WhatsApp Messenger enabled and how user s of smar tphone r elate to the application. B. Main Objectives The main objective of this r esear ch is to carr y out the for ensic audit on andr oid sm ar tphones w ith its r elated WhatsApp Messenger data secur ity br eaches. C. Sub Objectives The sub-objectives of this r esear ch w ill sor t for identifying the data secur ity matter s in WhatsApp on Andr oid smar tphones including 1. To under stand Web Malw ar e 2. To under stand unencr ypted backups 3. To under stand encr yption vulner abilities D. Problem Statement With the advancement w ithin the infor mation communication technology, the secur ity issue has gone far beyond the or dinar y passw or d usage. Follow ing ar e some of the secur ity issues r egar ding WhatsApp on an Andr oid smar tphone  Facebook Intr usion and Data Shar ing  Web Malw ar e  Encr yption Vulner abilities  Unencr ypted Backup II. LITERATURE REVIEW The liter atur e has a for ensic examination of IM applications on cell phones as a matter of numer ous w or ks. In compar ison to the pr evious r esear ches, this r esear ch has an extensive scope since it takes into account, all of the ar tifacts pr oduced by the WhatsApp Messenger that is the log files, contacts database, pr eference fi les and the avatar pictur es. This r esear ch also pr ovides a mor e compr ehensive and detailed analysis of these ar tifacts. Mor eover , it also pr ovides an explanation r egar ding how these ar tifacts can be associated for compr ehending differ ent types of mater ial having evidentiar y cost, for instance, w hether a message has been r eally conveyed to the end point after being dir ected, in case a ser vice user left or joined a gr oup chat pr ior or after a par ticular time per iod and w hen a specific ser vice user has been included w ithin the contact list. Husain & Sr idhar (2010) [4] has emphasised on the for ensic investigation of thr ee IM applications including Yahoo!, AIM, Google Talk and Messenger on the iOS platfor m. Their r esear ch w or k is differ ent fr om this r esear ch in ter ms of both the IM applications and the smar tphone platfor m that has been taken into consider ation. The study of Kumar & Shar ma (2016) [5] emphasises on the evaluation of differ ent IM applications along w ith WhatsApp Messenger on differ ent smar tphone platfor ms, involving Andr oid w ith the intent of determining the algor ithms for encr yption utilised by them. How ever , their r esear ch has not dealt w ith identifying, analysing and associating all of the ar tifacts pr oduced by the WhatsApp Messenger . Tso et al. (2012) [6] has focused on the evaluation of iTunes backups for the iOS smar tphones having the objective to deter mine the ar tifacts left by numer ous social netw or k application involving WhatsApp Messenger . Their r esear ch w or k is differ ent in a sense that it is focused tow ar ds iOS and iTunes and the chat database of WhatsApp is taken into consider ation meanw hile just this ar tifact involved in the iTune backup. Mor eover , the infor mation t hat is stor ed w ithin the chat database is evaluated just in par ts. The r esear ch w or k of Thakur (2013) [7] and Mahajan et al. (2013) [8] is r elated to this r esear ch as they have emphasised on the for ensic analysis of the WhatsApp Messenger on Andr oid. On the other hand, theses r esear ches have focused major ly on the for ensic acquir ement of the ar tifact left by the WhatsApp Messenger and deals w ith their evaluation just in par ts. Their r esear ch is limited t o the chat databases and par tial analysis. Similar consider ations ar e applicable to the WhatsApp Xtr act tool by Sangiacomo & Weidner (2012) [9] w hich excer pts cer tain data kept w ithin the chat database and par ticular ly w ithin the contr acts database, though, w ithout giving any kind of descr iption r egar ding the w ays these databases ar e expl ained. A. WhatsApp Database – hardware acquisition Mahajan, Aditya, M.S. Dahiya and h.P. Sanghvi (2013) [8] made use of a physical analyser for analysing the instantaneous messenger applications including Viber and WhatsApp on the Andr oid gadgets. ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-210 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives Within the context WhatsApp, timestamps, chat messages ar tifacts and names of documentations r eceived and sent w er e identified. On the contr ar y, the location of those files w her e they w er e stor ed w as not identif ied. After the File System Extr action, on the manual investigation of WhatsApp application, the database r ecor ds including w a.bd and mgstor e.db w er e identified along w ith the minutiae of the chat confer ences. Mostly, for the existing messages, the databases extr action and w ell compr ehensive analysis w er e per for med. For the WhatsApp application data r emnants, the analysis of RAM w as not taken into consider ation. Along w ith this, the recover y of the deleted infor mation w as stated as a for thcoming implication. This r esear ch has taken the extr action of delet ed messages fr om RAM into consider ation and has also been successful in doing so. Fur ther mor e, the database extr action w as car r ied out by utilising the UFED physical analyser , how ever , an unencr ypted ver sion can be attained on r ooting the phone. B. WhatsApp Database - Software Acquisition and Analysis Picasso (2012) [10] also made a contr ibution tow ar ds WhatsApp for ensic by w r iting a tool for decr ypting and or ganising the SQLite databases files w ithin the or ganised HTML for mat. The tool functions for the d ecr ypted and encr ypted database files. The WhatsApp Database Encr yption Pr oject [11] has pr epar ed a w ell-know n susceptibility w ithin the Andr oid application of the AES cypher : the 192-bit key can be noticed car r ying out both active and static investigation on the softw ar e package and the r esult is: 346a23652a46392b4d73257c67317e352e3372482177652c. The python scr ipt utilises this key for decr ypting and encr ypting the db file and pr ovides the r esul ts w ithin the HTML page. The study also infer s that the equal encr yption key has been util ised for all kind of WhatsApp connexions on Andr oid. This r esear ch has made use of python tool for decr ypting as w ell as for inter pr eting the en cr ypted database w hich w as per for med in a successful w ay. Figur e 1 show s the output of the r esear ch. This tool has enabled to r ead the database files alternately by the ‘SQLite br ow ser ’, how ever , the data r epr esentation and timestamps ar e not str aightfor w ar d. Mor eover , one mor e benefit of this instr ument is that the exchange of data r elated to media is exhibited on the HTML page. An individual does not have to explor e the media folder distinctly. This tool can also valuable w ithin the compar ison of the data that this r esear ch analyses. All these featur es of this tool epitomise it w ithin a useful tool; how ever , after messages ar e r emoved fr om the database, the instr ument cannot r ecover or r epr esent them. Only the static infor mation can be pr esented w hich is existent w ithin the r ecor d. Th e databases that ar e on the exter nal stor age par ticular ly the SD car d is updated occasionally r esulting in the r epr esentation of old data. The aim of this r esear ch w as to acquir e the deleted messages; ther efor e, the decision w as made on the volatile memor y acquisition and analysis. Mor eover , for acquir ing the updated user infor mation, li ve analysis on the device should be car r ied out and volatile memor y must be acquir ed for the advance analysis. III. RESEARCH METHODOLOGY The fundamental objective of this r esear ch w as testing the WhatsApp application fr om the scientific per spective on the Andr oid phone. The simple method tow ar ds the acquir ement of Andr oid memor y w as taken into account w ithi n this r esear ch and the steps w er e taken for r educing any sor t of human impr essions on the r etr ieved data. Anglano (2014) [1] WhatsApp 2.9 w as initially installed on mor e Andr oid phone thr ough Google play stor e. The applications ar e put in stor age w ithin the phone’s inter nal memor y. The application r outinely synchr onises w ith t he contacts in phone show ing the individuals w ho ar e alr eady utilising WhatsApp. When the phone in w hich WhatsApp is installed is opened, the ‘com.w hatsapp’ the pr ocedur e obtains the signal for initiating the ‘Exter nal Media Manage’ and ‘Message Ser vice’ ser vice that r uns w ithin backgr ound till the phone is on. The messages that have been exchanged have been stor ed w ithin ‘msgstor e.db’ and ‘w a.db’ w hich ar e the SQLite’s databases. In or der to access the data faster , the databases ar e loaded w ithin RAM. Gener ally, all of the content might not be per sever ed or might be over w r itten because of sw apping w ithin RAM; how ever , this might not be accur ate for the Andr oid. On the basis of the lifecycle pr ocess of Andr oid, the application per for ms for as long as it is possible. Mahajan et al. (2013) [ 8] Andr oid car r y out gar bage collection on the basis of app by app and is established on the pr ocess pr ecedence. If a higher pr ecedence pr ocess r equir es additional memor y r esour ces and the RAM is occup ied, then the data might per sever e w ithin memor y for the long time per iod. This char acter istic has pr oved to be beneficial w ithin this r esear ch for the extr action of WhatsApp matter s fr om the memor y. The WhatsApp app is an immediate messenger ser vice, ther efor e, the user s get infor med r egar ding messages by the push-mechanism once the messages ar e attained, and hence WhatsApp upholds the high pr ecedence w ithin memor y, gener ally the visible pr ocedur e. This pr ovides convenience to the user s for constantly r eceiving the messages w ithin the backgr ound w ithout the r equir ement of dow nloading them fr om a par ticular w eb ser ver similar to the email ser vice. The main issue after acquir ing the file msgstor e.db.cr ypt is its decr yption. The tool made by Fr ancesco Picasso for or gan ising and decr ypting the SQLite database files w ithin the or ganised HTML for m w as helpful. Thi s tool w or ked for the decr ypted and encr ypted files. The WhatsApp Database Encr yption Pr oject has r ecognised a liability w ithin the Andr oid employment of the AES Cipher : the 192-bit key can be per ceived car r ying out the active or static examination on the softw ar e package [12] (Nations, 2013). ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-211 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives The python scr ipt utilises the similar key for decr ypting the encoded db file and offer s the r esults w ithin the w ellor ganised HTML page. The r esear ch indicates that for all of the installation of WhatsApp on Andr oid, the same encr yption key is utilised. This r esear ch has utilised the Python tool for decr ypting and r eading the encr ypted the database w hich w as successfully per for med w ith the latest var iety of WhatsApp 2.11.186. The database files can be r ead alter nately by the ‘SQLite br ow ser ’, how ever , the data r epr esentation and timestamps ar e not dir ect. Within WhatsApp Xtr act tool, all of the media subjects w hich ar e inter changed ar e exhibited on the HTML page itself and ther e is no need to sear ch separ ately w ithin t he media folder . This tool can also be beneficial in the compar ison of the data that has been analysed in this r esear ch. A. Finding the Information All of the chats of WhatsApp ar e stor ed on the SQLite database. The path of the database file var ies fr om one platfor m to another platfor m. Android (/ sdcar d/ WhatsApp/ Databases/ mgstor e.db.crypt) iOS (Application/ net.w hatsapp.WhatsApp/ Documents/ ChatStor age.sqlite) How to use: Step 1: Dow nload WhatsApp Xtr act package on the computer and excer pt it. Step 2: Dow nload and install Python pr ogr amming language envir onment on the computer . Step 3: Open the file w her e the WhatsApp Xtr act ar chive is dow nloaded. Discover the file named as !installpyCr ypto.bat, r ight -click on it and click r un as administr ator . This bat file w ill implement the pypm install pycr ypto Python command. This common set up the pycr ypto libr ar y automatically on the computer that w ill be utilised for decr ypting the backup infor mation of WhatsApp. Step 4: Within the similar folder , r un either w hatsapp_xtr act_iphone.bat, w hatsapp_xtr act_andr oid_cr ypted.bat or w hatsapp_xtr act_andr oid.bat based on the backup folder that has been utilised. In or der to execute any of t hese files, just r ight click on it and click r un as an administr ator as done in the above step. In or der to specify the WhatsApp backup file manually, w hatsapp_xtr act_console.bat can also be r un. / *\ For Andr oid DB:*/ Python w hatsapp_xtr act.py -i msgstor e.db -w w a.db / * If w a.db is unavailable */ python w hatsapp_xtr act.py -i msgstor e.db / *For cr ypted DB*/ python w hatsapp_xtr act.py -i msgstor e.db.cr ypt / *For iPhone DB*/ python w hatsapp_xtr act.py -i ChatStor age.sqlite B Results After the completion of command or execution of the bat file, all of the WhatsApp backup data w ill be decoded and w ill be show n w ithin the default br ow ser of the computer . IV. DATA ANALYSIS WhatsApp offer s differ ent communication for ms to the user s that ar e br oadcast messages, the user to user communications as w ell as gr oup chats. Dur ing communication, the user s might exchange the plain text messages and multimedia files compr ising of video, images and audio, geolocation infor mation and contr act car ds. Table 1: WhatsApp Messenger Ar tifacts Row# 1 2 Content chat database Contacts database Directory / data/ data/ com.w hatsapp/ databases / data/ data/ com.w hatsapp/ databases 3 copies of contacts avatar s / mnt/ sdcar d/ WhatsApp/ Pr ofilePictur es 4 avatar s of contacts / data/ data/ com.w hatsapp/ files/ Avatar s 5 backups of the chat database / mnt/ sdcar d/ Whatsapp/ Databases 6 r eceived files / mnt/ sdcar d/ Whatsapp/ Media 7 log files / data/ data/ com.w hatsapp/ files/ Logs 8 9 user settings andpr efer ences sent files / data/ data/ comm.w hatsapp/ files / mnt/ sdcar d/ Whatsapp/ Media/ Sent File msgstor e.db (SQLite v.3) w a.db (SQLite v.3) UID.j, w her e UID is the identifier of the contact UID.j, w her e UID is the identifier of the contact msgstor e.db.cr ypt msgstor e-<date>.cr ypt var ious files w hatsapp.log, w hatsapp-<date>.log var ious files var ious files ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-212 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives Ever y user is r elated to its pr ofile, a set of data that involves his/ her name on WhatsApp, status line and avatar that is a visual file gener ally an image. Ever y user s’ pr ofile is kept on the centr al system fr om w her e i t is dow nloaded by other user s of WhatsApp w hich involve user s w ithin their acquaint ances list. The centr al systems also offer other facilities, such as authentication, r egistr ation of user , and message tr ansmission. As stated in [8], the ar tifacts pr oduced by WhatsApp Messenger on the Andr oid gadgets ar e put in stor age w ithin the set of r ecor ds, w hose site, content and name ar e listed in Table 1 above. The ar tefacts of the Whatsapp Messenger ar e given in the above table. In the next section, Analysis and Compar ison of these ar tefacts w ill be pr ovided to gain the insight of differ ent types of data: Initially the discussion w ill star t contact infor mation (Sec. 4.1), then the analysis w ill move on to r etur ned messages (Sec. 4.2), and lastly w e w ill evaluate the settings and user pr ecedence (Sec. 4.3). A. Analysis of Contact Information The contact infor mation’s evidential value is pr ominent and contentious, as it enables an analyst to acquir e the know ledge about w ith w hom the user w as inter connecting or in cor r espondence w ith. Initially, this un it w ill give an account of the data w hich is gather ed and pr eser ved in the contact database. Fur ther mor e, w e w ill addr ess how the data could be evaluated and analyzed to demonstr ate: - The r ecor d of the contacts - When the user w as r egister ed in the database - When (only if) a given contact has been blocked - How to deal w ith the deleted contacts 1) Retrieving Contact Information The contact database (w a.db) encompasses thr ee listings, to be mor e specific, fir st is the w a contacts (w hich gather s and stor es the r ecor d of ever y contact), second is the Andr oid Metadata, and lastly Sqlite Sequence (both, the andr oid metadata and SQLite sequence per for m the function of stor ing housekeeping data w hich have no evident ial value. The configur ation and ar r angement of the r ecor d of w a contacts ar e demonstr ated in the table pr ovided below (Table 2). In that table, w e w ill identify the ar eas w hich contains the data extr acted fr om the What sapp system and w hich possess some evidential value, fr om the stor ing data w hich have been r etr ieved fr om the user ’s phonebook (w hich is r eser ved by the user , not the Whatsapp, is not r elated to the r esear ch study). As it can be identified fr om the given table below , that ever y r ecor d caches the Whatsapp ID (field jid) of the user , a ser ies systematized as ’x@s.w hatsapp.net’, in w hich ‘x’ is denoted as the contact’s cell phone number (on account of the intelligibility, consequentially the user is signified via phone number s r ather than the entir e WhatsApp IDs). Mor eover , ever y best r epor t r eser ves the figur ation name (field w a name), and the status ser ies (data status) of the r espective user . The data is used to distinguish the actual WhatsApp user s fr om the invalid or fake ones. WhatsApp messen ger incor por ates ever y phone number in the database r ecor d w hich is saved in the contact list of the user , despite being the number s is not author ized in the WhatsApp str uctur e. The display pictur e in the WhatsApp plays an integr al par t to deter mine the actual identity of the user . Table 2: Str uctur e of the WA Contacts Table Data deriving from the WhatsApp System Field Name ID JID IS Whatsapp User Count of unseen messages Photo TS Thumb TS Photo ID timestamp WA name Status Sor t Name Number Raw Contact ID Display name Data Deriving from the device’s phonebook Meaning The ar r angement of the r ecor d (ar r anged by SQLite) Contact’s Whatsapp ID ( a ser ies ar r anged as ’x@s.w hatsapp.net’, w her e ‘x’ is denoted as the contact’s cell phone number Integr ates ‘1’ if the contact is associated w ith an actual WhatsApp user , or else ‘0’ Amount of texts tr ansmitted by another contact w hich w er e r eceived but not yet r ead Unfamiliar , ever y time set to ‘0’ Unix epoch time (10 digits) demonstr ating after the user has set their r ecent display pictur e Unix millisecond epoch time (13 digits) demonstr ating w hen the pr esent-day display photo of the user has been locally dow nloaded WhatsApp name of the user w hich is set in the WhatsApp pr ofile of the user Cur r ent status tr ack of the user (as set in their pr ofile) Name of the user utilized in assor ting oper ations Cell Phone number linked w ith the user The ar r angement number of the contact Display name of the user ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-213 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) Data deriving from the WhatsApp System Field Name Phone type Phone label Pr ovided name Family name ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives Data Deriving from the device’s phonebook Meaning Sor t of the phone i.e. andr oid, ios Br and connected w ith the phone number Pr ovided name of the handler The family name of the handler Str uctur e of the table could have par ticular ly consor ted w ith that individual. The display image of the user x@s.w hatsapp.net is mobilized as, as a JPEG folder labelled x@s.w hatsapp.net.j, in the r ecords specified in Table 1, r ow 4 and 5. The timestamps ar e r eser ved in the thumbs TS and image ID. The field of thumbs TS demon str ate w hen the cur r ent display pictur e is uploaded or set by the user , and photo ID indicated w hen the existing image of the user has been loaded locally. 2) Determining When a Contact Has Been Added In a few analyses, it is essential to identify at w hat time a given oper ator has been r egister ed in the contact database 2. This data is har dly ar r anged in the table of WA user s, never theless it could be der ived or detected thr ough the evaluation of the log files w hich have been advanced by WhatsApp Messenger (these ar e ar r anged in the r ecor ds scheduled in Table 1, row 6). When user is r egister ed in the database of the w a.db, WhatsApp Messenger tr anscr ipts numer ous actions w hich ar e accompanied w ith the per iod of their tr ansaction and to the Whatsapp ID associated w ith the user . Examples of these actions or affair s, cor r elated to the incor por ation of user 39331xxxxxxx, ar e r ecor ded in Figur e 1, it can be obser ved fr om the Figur e 1 those subsequent occur r ences ar e tr anscr ibed ever y w hile a new consumer is r egister ed: (a) The finding that the oper ator is har dly inter vening up till now in the contact database (line 4) (b) The analyses to the centr al str uctur e to obtain numer ous data r elated to the contact (line 7,10, and 14). (c) The dow nload completion of the cor r elated display pictur e (line 17). When these events occur , it demonstr ates that the consumer w as r egister ed to the contact database (w hich is September . 25, 2013 at 14:14:24, in the specimen pr ovided). 3) Dealing with Blocked Contacts WhatsApp Messenger pr ovides the featur e to its user to block anybody fr om their phonebook, w hich pr events ever y connection or message w ith the blocked user till they ar e unblocked. In an analysis, it is significant to identify if the user w as blocked or not at a specified per iod, to authenticate or eliminate the manipulation or acceptance of a message deliver ed at that time. The r ecor ds associated to the blocked consumer is neither r eser ved in the contact database nor anyw her e else on the device’s memor y (it can be speculated that the r ecor d of blocked contact is located on the fundamental str uctur e of WhatsApp, as w hen then blocking is happening, messages ar e exchanges by WhatsApp Messenger w ith it). How ever , blocked user s could be deter mined, w ithin some conditions, thr ough assessing and analyzing the logbook files. Once a user is blocked, an occur r ence of r ecor ding the WhatsApp ID of the blocked user and the exact per iod of the action’s pr oceeding is cer tainly r epor ted w ithin the r ecor d file Inoppor tunely, once the blocked user is unblocked, the occur r ence w hich is tr anscr ibed is har dly r ep or ted as the WhatsApp ID of the linked user , and it is aggr egated (i.e. it might be r egar ded as the set of user s being unblocked at once) Ther efor e, it is ever y time pr acticable to identify r egar dless if and w hen a giver contact X w as blocked, but if the user is still not unblocked at the pr ovided per iod, it could only be per ceived either ; (a) No actions of blocking ar e r epor ted in the r ecor d file once the occur r ence of blocking, or (b) The blocking occur r ence is existing, but consumer X w as only blocked at that par ticular per iod. It r efer s that w hether a number of consumer s ar e blocked at once, and one or mor e than one events of unblocking is tr anscr ibed, it is never pr acticable to identify in par ticular the user s w ho is still blocked and w ho w as unblocked. It is significant to emphasize that the inter fer ences mentioned above could only be executed w ith the availability of r ecor d files, r ecor ding, blocking and unblocking actions (i.e. is the WhatsApp messenger have not deleted the pr evious r ecor ds to fr ee up space for the new er ones) . Concluding to that, it could be obser ved that if ther e is no data pr esent at all on the side of the user w ho has been blocked, so it is imper ative w ithin the analysis to declar e w hether the user w as blocked or not by anybody fr om their phonebook. 4) Managing deleted contact Usually, contact is deleted by a user for the purpose of concealing an inter action of the past. Hence, w hen a contact is deleted, the confor ming data is r emoved fr om the WhatsApp contact table. In some instances, the r etr ieval of the deleted infor mation is possible by using cer tain appr opr iate techniques and tools. This r ecover y of the r ecor d is made cer tain w hen the above table has not been vacuumed by the SQ lite engine [13]. The possibility of r etr ieving the deleted contact infor mation is indicated by our exper iments that ar e car r ied out employing Oxygen For ensic SQLite View er . Never theless, gener ally, at the time of analysis, it might be the case that the r ecov er y of deleted contact is impossible because the deleted infor mation have been cleaned and vacuumed. In the follow ing cir cumstances, the deter mination of r emoved data might be possible. ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-214 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives And this can be accomplished by fir st r egener ating the contacts list that have been in connections ear lier (the list can be r econstr ucted by the analysis of log files as descr ibed in section 4.1.2), follow ed by the compar ison of this list w ith the w a contacts table’ contents: the contacts that exist in the list and ar e absent fr om the r ecor d ar e the ones that have been er adicated. How ever , the r ecover y of deleted contacts is attained if the log file in w hich the addition of a concer ned contact is r epor ted is still accessible at the time of analysis [4]. B) Inspection of exchanged messages All of the text messages that have been conveyed or attained in the chat database msgstor e.db ar e stor ed by Whatsapp Messenger (r evealed in the dir ector y that is listed in Table 1, r ow 2). The investigation of the mentioned database enables to r estor e exchanged messages chr onology, specifically to deter mine the time of message exchange, the gr oup of user s that ar e engaged, the infor mation that it possessed, and also w hen and w hether th e r ecipient has actually r eceived that message. How ever , ever y single step w ill be descr ibed individually in the fol low ing analysis: w e begin w ith the elucidation of the chat database str uctur e i.e. sec. 4.2.1 follow ed by the descr ipt ion of how to (1) (2) (3) (4) (5) Regener ate the chat histor y in section 4.2.2. Discover and extr icate the content of the message in section 4.2.3. Deter mine the message status in section 4.2.4. Identify user ’s set among w hich the message has been r ecipr ocated in section 4.2.5. Manage deleted messages in section 4.2.6. 1) The structure of the chat database Follow ing the thr ee tables ar e associated w ith msgstor e.db database.  Messages, w hich possess data for each and ever y message that have either been conveyed or attained by the user . The fields of these r ecor ds have been classified into tw o categor ies in or der to make it clear er . Tw o of these categor ies include: Fir stly, those pr eser ving the featur es of messages- Listed in table 3, secondly, those pr eser ving the matter s of messages and metadatset that is consistent.  SQLite sequence, that pr eser ves housekeeping data w hich is utilized by the Whatsapp Messenger inter nally. It lacks the value per taining to evidence because its str uctur e is left unr epor ted. As outlined in [13], distinguishing backup copies of the msgstor e.db database is gener ated ar e usually pr oduced by Whatsapp Messenger . These backup copies ar e r eser ved in the dir ector y listed in  Chat list, the infor mation of the conver sation that is held by the user is contained in the chat list (a conver sation is contained in the set of messages that ar e tr aded w ith a specific contact). Table 5 is a descr ipt ion of its fields. Table 3: Str uctur e of the Messages Table: Fields Stor ing Message Attr ibutes Field name Id Key id Key r emote jid timestamp Status r eceived timestamp key fr om me r eceipt device timestamp r eceipt ser ver timestamp send timestamp r emote r esour ce r ecipient count needs push Meaning Recor d sequence number unique message identifier Whatsapp id of the contact (a str ing constr ucted as ‘x@s.w hatsapp.net’, w her e phone number of the contact is denoted by ‘x’) time of sending if the key fr om me=’1’, r ecor d inser tion time other w ise (taken fr om the local device clock, and encoded as a 13-digits millisecond Unix epoch time) message status: ’0’=r eceived, ’4’=w aiting on the the centr al ser ver , ’5’=r eceived by the destination, ’6’=contr ol message time of r eceipt (taken fr om the local device clock, and encoded as a 13-digits millisecond Unix epoch time) if the key fr om me=’0’, ’-1’ other w ise message dir ection: ’0’=incoming, ’1’=outgoing time of r eceipt of the r ecipient ack (taken fr om the local device clock, and encoded as a 13-digits millisecond Unix epoch time) if the key fr om me=’1’, ’-1’ other w ise time of r eceipt of the centr al ser ver ack (taken fr om the local device clock, and encoded as a 13-digits millisecond Unix epoch time) if the key fr om me=’1’, ’1’ other w ise unused (alw ays set to ’-1’) The ID of the sender (only for gr oup chat messages) number of r ecipients (br oadcast message) ’2’ if the br oadcast message, ’0’ other w ise 2) Extricating the contents of a message Along w ith the exchange of plain text messages, messages that contain differ ent types of data namely: contact car ds, multimedia files (videos, audios, and stor ing images) and r ecor d of geo-location ar e per mitted to be exchanged betw een the user s by Whatsapp Messenger . ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-215 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives Media w a type field is the indicator of the kind of data that is tr ansfer r ed w ith the message. Wher eas, data about the content of the message is pr olifer ated over var ious fields, for messages that ar e non-textual (r elying on the specific type of data). In actual fact, w hilst the data field pr eser ves the content of the textual messages, for var ious other contents and data types, as elucidated below the situation is mor e complicated. Multimedia Files- As soon as the multimedia file is sent by the user , simultaneousl y var ious activities ar e initiated w ithout even the user s being infor med about it. Step1- The file is copied into the folder by Whatsapp Messenger . Table 1, r ow 8 is its r epr esentation Step2- The multimedia file is uploaded to the Whatsapp ser ver . The function of the Whatsapp ser ver is to r etur n the URL of the cor r esponding location. Step3- The URL confined in the message is sent to the r ecipient by the sender . Finally, w hen the message containing the URL is r eceived by the r ecipient, its acknow ledgement fr om the r ecipient’s side is sent back to the sender .Upon the completion of the above-mentioned steps, the r ecor d is pr eser ved into the sender ’s messages table. The fields w hich ar e r elevant to the message content that is r ecor ded. As it is clear fr om Figur e 1a below that media mime type file indicates the file’s type. Media name field is the location w her e its name is saved. Its size i n bytes by media size (40267 in the example), and its thumbnail in the r aw data field (as a blob, i.e. a binar y lar ge object) is stor ed. The URL location on the ser ver that is centr al w her e the file stor age is tempor ar y is kept in the media URL field. The ser ver is r esponsible to name the file and the last par t cor r esponds to that pr escr ibed name. Lastly , the media hash field stor es the base64-encoded SHA-256 hash of the file that is tr ansmitted. The Exchange of Multimedia File: sender side on the r ecipient side, after w hen the message is r eceived, Whatsapp Messenger show case t he file’s thumbnail that is tr ansmitted. Only on the r equest of the r ecipient, the dow nloading of the actual file can take place after w ar ds. Immediately after the file is r eceived by the r ecipient, stor es in their table of messages a r ecor d like the one displayed in Figur e. 1a. Figur e 1a: Unifor mity of fields Exchange of Multimedia File: r ecipient side to those kept by the sender (in pr ecise, w a media type, media hash media size, r aw data, and media mime type,). With the exception of the name assigned to a file, the URL media content is distinguishing. The media name field is vacant, unlike the sender . Ther efor e, Whatsapp Messenger assigns a local name to that file and this name is unknow n. But the identification of the file is accomplished by the compar ison of all the files that have been r eceived to t he SHA-256 hash pr eser ved in the cor r esponding r ecor d. Finally, it is notified that the compar ison betw een these tw o files yields the cor r elation of the file that is r eceived by t he r ecipient and the file that is sent by the sender . (that ar e saved, as explained above, in the media URL and media hash fields of the cor r esponding r ecor ds). Contact Cards- Some messages contain contact car ds. These contact car ds ar e usually extr icated fr om sender ’s phonebook and cor r espond to r ecor ds of messages that pr eser ves the data w hich is conveyed in VCARD for mat into the data field. It also cor r esponds to the name assigned to that contact pr esent in the media name f ield by the sender . Figur e 1b show s an example VCARD. Figur e 1b: Media file contents in VCARD ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-216 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives Geolocation coordinates- The geogr aphic location coor dinates are mostly acquir ed by the Andr oid Location Ser vices that r un on the devices. The exchange of topogr aphical coor dinates betw een the user s is enabled by Whatsapp Messenger [14]. Sender s as w ell as on the r ecipient's side, geogr aphic coor dinates containing messages cor r esponds to {to messages data that encompasses the longitude and the latitude values into the longitude fields, latitude and a JPEG thumbnail of the Google Map show ing the above coor dinates in the field of r aw data. Figur e 2 is a case of this kind of r ecor d. Figur e 2: Recor d of geologica coor dinates 3) Deter mining the state of the message The patter n of message exchange in WhatsApp is such that it is fir st tr ansmitted to the centr al ser ver [ 15]. The centr al ser ver then conveys it to the r ecipient if they ar e available or stor e it other w ise until it can be deliver ed. Hence, ther e is no dir ect exchange of messages among the user s. 5) Determining the Partners of a Message WhatsApp, along w ith user to use communication, pr ovide tw o kinds of collective communications to the user s, involving:  Br oadcast (i.e. one to many) communication, by w hich a user w ho is the sour ce user conveys the same message to a set of other user s i.e. the destination user s who ar e not familiar w ith each other and w hose pr obable answ er s ar e tr ansmitted to just the sour ce user ;  Gr oup Chats, offer ing numer ous communication ser vices, by w hich ever y message conveyed by any of the user w ho is a par t of a chat is attained by all of the user s w ho ar e member s of that chat. Although the WhatsApp ID of the communication companion w ithin a user to user communication is simply r ecover ed fr om the key r em ote jid field, for identifying the set of user s included w ithin a br oadcast or gr oup chat message, numer ous sections have to be associated w hich ar e discussed as follow s: Broadcast Messages – When a user conveys a br oadcast message, a separ ate folder is developed w ithin his or her message table for ever y r ecipient along w ith one for himself or her self as illustr ated w ithin Figur e 3(a) w hich depicts the folder s that ar e pr oduced by a br oadcast message tr ansmitted to the user s 3920xxxxxxx, 39335xxxxxxx and 39333xxxxxxx. As depicted in Figur e 3(a), all of the r ecor ds cor r esponding to the same br oadcast message have the similar message identifier (stor ed w ithin the key id field), so that they can be identified w ithout any difficulty. Ever y r ecor d stor es w ithin the key r emote jid field the WhatsApp ID of the r ecipient (the sender makes use of the keyw or d br oadcast for denoting himself as a r ecipient). Figur e 3 Recor ds pr oduced for a br oadcast message tr ansmitted to thr ee r ecipients on (a) the sender , (b) one of the r ecipients. Only the sections w hich make contr ibution to the identification of the associates ar e show n. ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-217 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives Wher eas the r ecipient count fields and r emote r esour ce stor es the WhatsApp ID of the set of destinat ions and their r espective number (field r equir es to push in its place it alw ays stor e the value ‘2’). The state of ever y destination is r ather diver se (Figur e 3(b)) as each one of them stor e w ithin his or her messages table, just a single folder w hich is cr eated w hen it gets the br oadcast message. This folder can be differ entiated fr om those consistent to the nonbr oadcast messages by examining the value that is stor ed w ithin the key id field w hich entails w ithin the concatenation of the %~ char acter s w ith the message identifier fixed by the sender . Group Chat Communication – When a message is conveyed in a gr oup chat, a folder is cr eated w ithin the messages table of all of the gr oup member s (along w ith the sender ). Ever y r ecor d stor es w ithin key r emote jid field, the identifier of the gr oup (the gr oup id), a str ing for matted as fcr eator ’s phone number g-fcr eation timeg@g.us (Wher e the cr eation time is encoded as a Unix epoch time). For illustr ation, take into account a gr oup chat compr ising of thr ee member s that is 3933xxxxxxx, 3936xxxxxxx and 3932xxxxxxx (in the subsequent r epr esented as A, B and C, cor r espondingly for br evity) w her e ever y user , sequentially, sends a message to the gr oup w ith the textual infor mation ‘Message fr om X’ (Wher e ‘X’ is the user ’s name). Let us concentr ate on the files stor ed w ithin the messages table of user A at the end of this inter change w hich is illustr ated w ithin Figur e 4 (the situation for the other user s is identical) Figur e 4: Recor ds cor r esponding to thr ee messages exchanged w ithin a gr oup As it is evident fr om the above image, all of these files stor e the similar gr oup id 3933xxxxxxx-1363078943@g.us w ithin the key r emote-id field. Fr om this value, the initiator of the gr oup (user A) and the date and hour of the for mation of the gr oup (Mar ch 12, 2013, at 09:02:23) can be identified. Mor eover , the WhatsApp ID of the message or iginator is stow ed w ithin the r emote r esour ce field. Although the time of the r eceiving message is kept w ithin the timestamp field. It must also be noted that A also stor es the r ecor ds consistent to the message that he or she has conveyed to the gr oup (r ecor d no. 1 in Figur e 4). The files similar to this can be r ecognised effor tlessly by just examining the contents of their position and r emote r esour ce fields w hich stor es the value ‘4’ and ‘null’ cor r espondingly. It should also be noted that the set of r eceiver s, i.e. of the set of member s of gr oups at the time of conveying is not kept at any place in the r ecor d. On the other hand, it can be identified incidental ly by investigating the files confor ming to the contr ol messages which ar e exchanged r outinely by differ ent gr oup member s each time a user leaves or joins the gr oup. These messages w hich ar e also kept w ithin the messages table continuously compr ises of value ‘6’ w ithin the status field and code w ithin the media size field the par ticular oper ation consistent to the message (in par ticular , the values ‘l’, ‘4’ and ‘5’ indicate cr eation of the gr oup, joining and leaving r espectively). V. CONCLUSION AND RECOMMENDATION WhatsApp has tur n into a w ell-know n application for social netw or king on w hich the individuals might be inter changing their per sonal infor mation and business-r elated data. This r esear ch has depicted that an individual can get w hole access to all of the mater ial in WhatsApp as w ell as in other alike social netw or king applications, for instance, “Viber ”. Major ity of chat applications sur vey the same patter n to stor e messages w ithin the database and per iodically br inging up-to-date database. The method taken in this r esear ch pr ovided a gener al plan for all the same applications w hich r un on the andr oid gadgets. This r esear ch w as able to attain its aim effectively. One must be aw ar e of the fact that a passw or d-locked cellphone is not a black box and one can excer pt valued application user infor mation fr om the file as w ell as volatile memor y [7]. The r esults of this r esear ch can be valuable for Live For ensic Analysis on Andr oid Smar tphones. The databases ar e just updated once each day, ther efor e, the infor m ation obtained might not be up-to-date at the investigation time, w hile live acquisition and evaluation of the volatile memor y can pr ovide cur r ent infor mation. While per for ming for ensic investigation, the existence of the most cur r ent messages for the pur pose of investigation can play a significant r ole [6]. Along w ith the r ecent messages, an individual can also look at the deleted messages. Ther efor e, r ecover ing the ar tefacts after the fact or y r eset of the phone or r ecover ing the deleted data can be consider ed as the futur e char acter istic [16]. Within the futur e, additional w or k can be car r ied out on the explanation of the RAM data w ithin the human -r eadable for m. The tool pr esented in this r esear ch can be customised for displaying the user -specific infor mation on the basis of the r equir ement of an individual. As of now , the technique highlights thr ee significant aspects of user data namely user ’s phone number s, exchanged messages as w ell as database enquir ies pr oviding the basic database fr amew or k for WhatsApp. ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-218 Inter national Resear ch Jour nal of Computer Science (IRJCS) Issue 08, Volume 07 (August 2020) ISSN: 2393-9842 https:/ / w w w .ir jcs.com/ ar chives REFERENCES 1. Anglano, C., 2014. For ensic analysis of WhatsApp Messenger on Andr oid smar tphones.. Digital Investigation, , 11(3), pp. 201-213.. 2. Developer s, 2020. Application Fundamentals. [Online] Available at: https:/ / developer .andr oid.com/ guide/ components/ fundamentals.html [Accessed 31 7 2020]. 3. Developer s, 2020. Pr ocesses and Tr eads. [Online] Available at: https:/ / developer .andr oid.com/ guide/ components/ pr ocesses-andthr eads.html [Accessed 31 7 2020]. 4. Husain, M. & Sr idhar ., R., 2010. iFor ensics: For ensic Analysis of Instant Messaging on Smar t Phones. . In: In Sanjay Goel, editor , Digital Forensics and Cyber Cr ime, volume 31 of Lectur e Notes of the Institute for Computer Sciences, Social Infor mInfor matics and Telecommunications Engineer ing.. s.l.:Spr inger Ber lin Heidelber g. 5. Kumar , N. & Shar ma, S., 2016. Sur vey Analysis on the usage and Impact of Whatsapp Messenger.. Global Jour nal of Enter pr ise Infor mation System,, 8(3), pp. 52-57.. 6. Tso, Y.-C., Wang, S.-J., Huang, C.-T. & Wang., W.-J., 2012. iPhone Social Netw or king for Evidence Investigations Using iTunes For ensics. In Pr oceedings of the 6th Inter national Confer ence on Ubiquitous Infor mation Management and Communication, ICUIMC ’12, New Yor k, NY, USA. 7. Thakur , N., 2013. For ensic Analysis of WhatsApp on Andr oid Smar tphones.. Master ’s thesis, Univer sity of New Or leans, , Volume 1706.. 8. Mahajan, A., Dahiya, M. & Sanghvi., H., 2013. For ensic Analysis of Instant Messenger Applications on Andr oid Devices. Inter national Jour nal of Computer Applications, 68(8). 9. Sangiacomo, F. & Weidner ., M., 2012. WhatsApp Xtr act (v. 2.1),. [Online] Available at: https:/ / code.google.com/ p/ hotoloti/ dow nloads/ list . [Accessed 31 7 2020]. 10.Picasso, F., 2012. Zena For ensics “WhatsAppXtract 2012”. [Online] Available at: http:/ / code.google.com/ p/ hotoloti/ dow nloads/ list http:/ / blog.digital-for ensics.it/ 2012/ 05/ w hatsapp-for ensics.html 11.Cor tjens, D., Spr uyt, A. & Wier inga., W. F. C., n.d. "WhatsApp Database Encr yption Pr oject, s.l.: s.n. 12. United Nations, 2013. The United Nations Office on Dr ugs and Cr ime. Compr ehensive. [Online] Available at: http:/ / w w w .unodc.or g/ documents/ or ganizedcr ime/ UNODCCCPCJEG.42013/ CYBERCRIME STUDY/ [Accessed 31 7 2020]. 13.Kr ynski, L., Goldfar b, G. & Maglio, I., 2018. Technology-mediated communication w ith patients: WhatsApp Messenger , e-mail, patient por tals. A challenge for pediatr icians in the digital er a.. Ar ch Ar gent Pediatr,, 116(4), pp. 554-559.. 14.Bar ghuthi, N. A. & Said., H., 2013. Social Netw or ks IM For ensics: Encr yption Analysis.. Jour nal of Communications, 8(11). 15.Cor tjens, D., Spr uyt, A. & Wier inga., W. F. C., n.d. "WhatsApp Database Encr yption Pr oject, s.l.: s.n. 16.Dor w al, P. et al., 2016. Role of WhatsApp messenger in the labor ator y management system: a boon to communication.. Jour nal of medical systems,, 40(1), p. 14. 17.Sangiacomo, F. & Weidner ., M., 2012. WhatsApp Xtr act (v. 2.1). [Online] . Available at: https:/ / code.google.com/ p/ hotoloti/ dow nloads/ list . [Accessed 27 7 2020]. ____________________________________________________________________ ____________________________________________________________________________ © 2014-20, IRJCS- All Rights Reser ved Page-219