Module 3, Part 5 of 6

VoIP & Messaging App Forensics

Investigate modern communication platforms including WhatsApp, Telegram, and Signal. Understand encryption challenges and evidence extraction methods for messaging applications.

🕑 1.5-2 hours 📚 Advanced Level 🔒 Encryption Challenges
Introduction

The Shift to Encrypted Messaging

Traditional telephony evidence (CDR) is being supplemented - and in many cases replaced - by messaging app communications. WhatsApp alone has over 500 million users in India. These platforms present unique challenges for investigators due to end-to-end encryption and cross-border data storage.

Understanding the technical architecture, encryption methods, and data availability of each platform is essential for effective investigation and evidence collection.

🔒 The Encryption Challenge
End-to-end encryption (E2EE) means that message content is encrypted on the sender's device and only decrypted on the recipient's device. The service provider cannot read the messages even if compelled by court order. This fundamentally changes investigation approaches:
  • Message content cannot be obtained from server-side subpoenas
  • Device-level forensics becomes primary evidence source
  • Metadata (who communicated with whom, when) may still be available
  • Unencrypted backups (cloud/local) may contain decrypted messages
Platform Analysis

Major Messaging Platforms

WhatsApp

End-to-End Encrypted (Signal Protocol)

Most widely used messaging app in India. Owned by Meta. Messages encrypted but extensive metadata available.

  • Message Content: Not Available
  • Subscriber Info: Available
  • IP Logs: Available
  • Group Info: Limited Metadata
  • Contact Lists: Not Available
  • Backup Access: If Unencrypted

Telegram

Cloud-based + Optional E2EE (Secret Chats)

Cloud-based messaging with optional secret chats. Regular chats stored on servers (not E2EE by default).

  • Regular Chats: Potentially Available*
  • Secret Chats: Not Available
  • Subscriber Info: Limited
  • IP Logs: Case Dependent
  • Group Info: Available
  • Channels: Public Content

Signal

End-to-End Encrypted (Signal Protocol)

Privacy-focused messenger. Minimal data retention policy. Very limited metadata available.

  • Message Content: Not Available
  • Subscriber Info: Phone + Registration Date Only
  • IP Logs: Not Retained
  • Contact Lists: Not Available
  • Message Metadata: Not Available
  • Last Connection: Limited

*Telegram's cooperation with law enforcement varies by jurisdiction. The company has historically been reluctant to provide data but policies may change.

Encryption Explained

Understanding End-to-End Encryption

How E2EE Works

[Diagram: Sender's Device (encrypts message) → Server (cannot read) → Recipient's Device (decrypts message)]

💡 Key Investigative Insight

While E2EE prevents server-side access, messages exist in decrypted form at the two endpoints, and potentially in backups:

  1. On the sender's device - Can be extracted through mobile forensics
  2. On the recipient's device - Can be extracted if device is seized
  3. In backups - Cloud backups (Google Drive, iCloud) may store unencrypted messages

The investigation strategy shifts from requesting data from providers to obtaining physical device access and backup data.
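The following added example (not part of the course material) models this split: a relay server that forwards ciphertext and keeps only metadata, while the two endpoints hold plaintext. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, an illustrative stand-in for the Signal Protocol's session keys, not that protocol; all names and records are constructed.

```python
import hashlib
import hmac
import os

# Illustrative cipher: HMAC-SHA256 keystream (counter mode) + encrypt-then-MAC tag.
# Stand-in for a messaging app's session key; NOT the Signal Protocol.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class RelayServer:
    """Models the provider: forwards opaque ciphertext, retains only metadata."""
    def __init__(self):
        self.records = []   # the kind of record a metadata request could return

    def relay(self, sender: str, recipient: str, blob: bytes, ts: int) -> bytes:
        self.records.append({"from": sender, "to": recipient, "ts": ts, "size": len(blob)})
        return blob

def send_message(session_key: bytes, server: RelayServer, sender: str,
                 recipient: str, text: str, ts: int) -> dict:
    """Sender encrypts, server relays, recipient decrypts; returns both endpoint views."""
    blob = server.relay(sender, recipient, encrypt(session_key, text.encode()), ts)
    return {"sender_plaintext": text, "recipient_plaintext": decrypt(session_key, blob).decode()}
```

Run it and compare `server.records` with the two endpoint views: the server can state who messaged whom, when and how much, but holds nothing that decrypts without the session key.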

Evidence Extraction Methods

📱 Device Forensics

Physical or logical extraction of data from seized devices. WhatsApp databases (msgstore.db) on Android can be extracted if the device is unlocked or the key for the encrypted backup is available.
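An added example (not from the course) of working an extracted msgstore.db: it queries a chat timeline with one contact, builds a who-with-whom-and-when summary, and hashes the export for the chain-of-custody log. The table and rows are a constructed, simplified stand-in modelled on the legacy `messages` table; real WhatsApp schemas vary by app version, so column names are an assumption to check against the seized database.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows (JIDs and texts are made up). Simplified stand-in for the
# legacy "messages" table of msgstore.db; real schemas differ between app versions.
SAMPLE_ROWS = [
    ("919800000001@s.whatsapp.net", 0, 1700000000000, "Are you free tonight?"),
    ("919800000001@s.whatsapp.net", 1, 1700000060000, "Yes, call me on the app"),
    ("919800000002@s.whatsapp.net", 1, 1700000120000, "Send me the account number"),
]

def build_sample_db() -> sqlite3.Connection:
    """In-memory substitute for a msgstore.db copied out of an Android extraction."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (key_remote_jid TEXT, key_from_me INTEGER,"
                " timestamp INTEGER, data TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con

def chat_timeline(con: sqlite3.Connection, jid: str) -> list:
    """Messages exchanged with one contact, oldest first; epoch ms -> ISO 8601 UTC."""
    rows = con.execute(
        "SELECT key_from_me, timestamp, data FROM messages"
        " WHERE key_remote_jid = ? ORDER BY timestamp", (jid,)).fetchall()
    return [{"direction": "sent" if from_me else "received",
             "utc": datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat(),
             "text": text} for from_me, ts, text in rows]

def contact_summary(con: sqlite3.Connection) -> list:
    """Metadata view (who, how often, first/last contact) that stands even if content is disputed."""
    rows = con.execute(
        "SELECT key_remote_jid, COUNT(*), MIN(timestamp), MAX(timestamp) FROM messages"
        " GROUP BY key_remote_jid ORDER BY MIN(timestamp)").fetchall()
    return [{"jid": j, "count": n, "first_ms": lo, "last_ms": hi} for j, n, lo, hi in rows]

def export_record(timeline: list) -> dict:
    """Serialise the export deterministically and hash it for the chain-of-custody log."""
    payload = json.dumps(timeline, sort_keys=True, ensure_ascii=True).encode()
    return {"bytes": payload, "sha256": hashlib.sha256(payload).hexdigest()}
```

Record the SHA-256 from `export_record` alongside the hash of the original database file so the exported timeline can later be shown to match what was extracted.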

Cloud Backup Access

WhatsApp backs up to Google Drive (Android) or iCloud (iOS). Legal process to Google/Apple may yield unencrypted chat backups if the user has not enabled end-to-end encrypted backups.

📋 Export Feature

With suspect cooperation, use in-app export feature. WhatsApp allows exporting individual chats. Document the export process for chain of custody.

🔗 Linked Devices

WhatsApp Web/Desktop sessions may have cached messages. Telegram desktop clients store chat history locally. Examine all linked devices.

👥 Recipient Device

If the sender's device is unavailable, the messages still exist on the recipient's device. Victim devices in harassment cases often contain complete evidence.

📄 Metadata Requests

Even without content, metadata (IP addresses, login times, account creation, linked phone numbers) can be valuable for investigations.

VoIP Considerations

VoIP Investigation Considerations

Voice over IP (VoIP) services like WhatsApp calls, Google Voice, Skype, and other internet calling services present unique challenges for investigators:

Aspect        | Traditional Phone             | VoIP Services
Call Records  | Detailed CDR from telecom     | Limited or no records from provider
Caller ID     | Generally accurate            | Easily spoofable
Location      | Cell tower triangulation      | IP-based only (can use VPN)
Legal Process | Section 91 to Indian telecom  | MLAT for foreign providers
Interception  | Possible via telecom          | E2EE prevents real-time interception

Spoofing Alert
VoIP services can be used to spoof caller IDs. Criminals use services that allow setting arbitrary caller IDs to impersonate banks, government agencies, or known contacts. When investigating VoIP-related fraud, corroborate caller ID with actual account data from the service provider.
Legal Framework Key Points

Key Takeaways

  • End-to-end encryption prevents server-side message access - device forensics is primary evidence source
  • Cloud backups may contain unencrypted messages - request from Google/Apple
  • Telegram regular chats are NOT E2EE by default - only "Secret Chats" are encrypted
  • Signal retains minimal metadata - phone number and registration date only
  • VoIP caller IDs can be easily spoofed - corroborate with provider records
  • Metadata (IP addresses, timestamps, account info) remains valuable even without content
  • MLAT process is slow - prioritize device forensics and backup data
  • Victim devices often contain complete evidence of communications