Forensic Traces to Restore Original Data Even When Deleted by User

Last Updated: September 13, 2016

The most popular instant messenger app that has a huge user database is WhatsApp. The messenger app was acquired by the Facebook, the social media network in 2014 and announced that the messages and conversations that take place in the chat window will be secured by the end to end encryption process. Thus, the third party member will not be able to read the conversations of the user. But the app’s security and privacy policy are questioned by the security expert.

Security expert of iOs, Jonathan Zdziarski from Apple revealed that the messages that are deleted from the user’s device have the traces of the message on the device. And the main important factor is that any person who has access to the user’s device can reconstruct the deleted messages to the original form. In general, the user using the expect that the history of the conversation in the chat window disappears the moment when they delete the message, but this news gives the users a bit of a shock because the messenger app’s main focus is to maintain the user details confidential and secured. The app even updated its interface with the end to end encryption, which was welcomed by all the users of the app.

End to End Encryption

This is the process of transmitting the text, which can be read only by the intended user and it cannot be intercepted by accessing the network or the server, through which the text is sent. In the encryption process, the texts or messages are not sent in the form of plain texts, instead they are sent in the form of scrambled series of digits that requires a key which can decrypt the message. The unique key is held by the sender and the intended recipient to understand the text.

The unique key is momentary, so that the moment when the message sent from the user is received by the recipient the key disappears. Therefore, it cannot be once again unlocked by a third party. The users can even test the encryption process, whether it is being intercepted by scanning any of the code on other person’s device.

Insecurity in the privacy policy

Instead of disappearing from the device, the messages that were deleted by the users have their traces on the device that can be easily recovered by another person who has he access to forensic tools either by access to the users device or under the enforcement of the law. Traces of the deleted data being stored in the device are not going to create any problem, but when the data is accessible by others like the database of the instant messenger app and then the point of privacy is at risk.

Even the messages are secured under the end to end encryption feature, it protects them only when the data is travelling in between the devices so that they cannot be read or intercepted by a third party. But the data of the WhatsApp are stored in the iPad or iPhone as an unencrypted form. The WhatsApp data, including the traces of the chats that were deleted by the user also remains in the iCloud, irrespective of the fact that the iCloud is under sync or not. Since the cloud is not encrypted, the third party has the access to the data of user’s message. This shows that, any person who has the access to the Personal computer associated with the device or the device itself can intercept the message or have access to the data.

The app has faced many controversies like, price tags, suspensions, swearing fines and security flaws. One of the biggest security flaws was that around 200 million users were tricked to download malware into their PCs because of the software vulnerability in the app’s web based version. In 2016, the app was blocked in Brazil three times, because they failed to give out the information about the criminals in an investigation, thereby the Judge ordered the telecom providers in the country to block the service.

Testing Phase of WhatsApp’s privacy scheme

Jonathan Zdziarski tested the case by installing the app on his device and started with different threads. He then deleted some threads, cleared some of them and archived the rest. After running the ‘Clear all  chats’ feature from the messenger app, he made a second backup and found out that the deletion, clear or archive option made a difference in preserving the deleted data because the traces of the data remained in the database.

But this purpose is not purposefully made by the messenger app and this is a standard issue faced by the apps that make of the SQLite. The SQLite in general does not vacuum the database to the Apple device, as any record that is deleted is added to the free list. And these free data are not written until the database requires the storage and only affects the apps of the iOs.

WhatsApp is not alone in retaining deleted data

There are many other apps apart from WhatsApp that stores user data in some form. The iMessage from Apple is leaving more information in the device memory. Wickr is a messenger app that has a high level of encryption that leaves the conversation and messages on the app secure, while Signal virtually does not leave any data on the device.

Steps to export the forensic data

Hearing the report that the data that were deleted message in the messenger app still remain on the device might panic many users, but the users can follow these steps to export the data.

  • The users must use the Configurator to pair lock their device, as it will prevent the other person who stole the user’s password or compel them to fingerprint or make use of the forensic tools to access the device. But users following this method must be very careful because it is irreversible without restoring the device.
  • Disabling the iCloud backups because they never honor the backup pass code set by the user, and there are possibilities of obtaining the clear text data by any kind of law enforcement or a warrant.
  • The device holder can make use of the iTunes to help them set a complex and long pass code for the device. The user must both store the information in the keychain or in any other records and even be recovered using the forensic tools of Mac. This will make the device to encrypt all the data backups that are coming out from the desktop.
  • The final and the best option that the user can follow are frequently uninstalling the app from their device and reinstall the app so that it will flush out the database. However, it will not delete the database in the iCloud in the Cloud.

The software developers, when designing and building new products in the future must consider the forensic traces because there are many countries who are against free speech, the political dissenters, journalists and others can face critical implications. So, a poor design of the app might result in innocent people being suffered and sentenced to imprisonment.

Previous articleMarvelous Music Player Apps for Android Devices
Next articleFree Download: Goodnews Responsive WordPress Magazine Theme
Anand Rajendran is CEO and Co-Founder of Zoplay, best PHP scripts development company located in India. I am working with developing , leading innovative and collaborative software development teams to deliver major software applications like SCIMBO - Whatsapp Clone Script. I'm a Tech geek, Digital marketing expert, Entrepreneur, and Atheist who loves to write everything about PHP Scripts and mobile application development.