A comparative study of WhatsApp forensics tools

2019 
With the increasing number of mobile phones and mobile applications, there is a noticeable rise in cybercrimes, and hence an urgent need for mobile forensics. Before starting an investigation, the investigator should choose one of the acquisition types: physical acquisition, logical acquisition or manual acquisition. Current mobile acquisition tools use these methods to produce an image of the entire mobile content, files of specific data types, or the data of a certain application. Unfortunately, the resulting output does not facilitate investigating cases related to a specific mobile application: the tool might acquire more than what is needed, which requires investigators to filter the data manually, or it might acquire all of the application's data without sufficient analysis. Both cases consume effort and time. This study analyzes and compares currently available forensics tools that are designed to extract WhatsApp data only. The comparative study is based on two aspects: the National Institute of Standards and Technology (NIST) Mobile Device Tool Test Assertions and researchers' requirements. The results of the comparative study showed a shortage in the current WhatsApp forensics tools, as they do not satisfy all NIST Test Assertions. Additionally, several researchers' requirements, such as creating projects, comprehensive analysis, applying filters and validating the extracted files, were not met in the studied tools.
References: 13
Citations: 2