If you haven’t heard, WhatsApp is planning to release a new feature that could impact the way forensic examiners handle messages.

The planned feature allows the sender of a message to delete that message from the recipient’s device, whether the recipient is a group or an individual. They claim it is meant to remove messages sent to the wrong person or to correct a mistake. While these features sound great to the average user, let’s look at some forensic implications and put them in the context of a forensic examiner by telling a story.

For the sake of the story, the names have been changed 🙂 Sally works at the checkout in your town’s grocery store. Bob is a bit of a creeper and picks Sally’s line every time. He has friended her on Facebook and follows her on Twitter. He starts messaging her on WhatsApp. The conversation quickly goes from friendly to major creepy and unwelcome. Sally tells Bob that she has a boyfriend and she shouldn’t talk to him anymore.

Bob gets mad and starts sending threatening messages to Sally and deletes them right away using the awesome new feature in WhatsApp that allows you to delete from the receiver’s device... You more than get the idea here.

It will be interesting to see what artifacts, if any, can be recovered from the database, but until the feature is fully deployed, we will have to wait. The only small hint of light is that WhatsApp will replace the deleted text with “This message was deleted” in the original chat. So examiners will be able to tell that there was a message, just not its content. And, again, the way this is recorded in the database may prove challenging.

Another caveat: for the delete to work, both users (or all members of a group) must be running the version of WhatsApp that supports delete. If you are worried about creepers (not the Minecraft kind), then stay with the current version.

Finally, in the FAQ from WhatsApp, they state “You can only delete messages for everyone for up to seven minutes after sending. Once seven minutes have passed, there is no way to delete messages…” They also state that, should the message not be deleted, the person attempting to delete it will not be notified of the failure. Why 7 minutes? Maybe they based it on the movie 7 Minutes, which is a 2014 American crime thriller drama film, written and directed by Jay Martin. Ironic, right?

Application developers are making it challenging to recover the data needed for investigations, so keep your eyes open!

To read more about the feature, see the WhatsApp FAQ. Although this link is for the Android FAQ, we have confirmed that the same entry exists in the iOS FAQ for WhatsApp as well.
