How The FBI Digs Up Deleted WhatsApp Messages


This is the web version of this week’s edition of The Wiretap newsletter, which every Tuesday brings exclusives and other news about surveillance, privacy and cybercrime, straight to your inbox.


If your iPhone is ever obtained by the police, and they have the legal authority to search it, law enforcement can sometimes find information you believe you deleted — even from encrypted chat apps like WhatsApp.

In a recently unsealed case, cops in Eastern California seized the phone of a suspect in a drug trafficking investigation, tracking shipments of meth and fentanyl from Mexico to the state. In a search warrant, an FBI agent in Sacramento detailed how some of the WhatsApp messages between the suspect and an alleged co-conspirator were “scrambled.” The reason? “When the extraction software recovered the messages, the words appear out of order, or ‘scrambled,’ due to encryption features of the WhatsApp messages,” the investigator noted.

Such “extraction” software – typically forensics tools created by the likes of Israel’s Cellebrite and Atlanta-based Grayshift – will look for remnants of files in different smartphone databases. Online records indicate the technology to get deleted WhatsApp messages from an Apple iOS database has been available to law enforcement and private organizations that own a Cellebrite Physical Analyzer tool for at least the last two years.

According to a 2021 post from a Discord user claiming to be a Cellebrite employee in a group for forensics professionals, when WhatsApp messages were deleted on an iPhone, rather than disappear entirely, they were fragmented yet remained stored in an iOS database called “chatsearch,” designed to make searching conversations quicker. Cellebrite’s technology could recover these but returned them in a fragmented format and labeled them “scrambled.” The technology appears to continue to work in the same way today; in March this year, another Discord user claiming to be a Cellebrite staffer pointed users to the 2021 post when queries about deleted WhatsApp messages were raised.

WhatsApp owner Meta said it couldn’t comment without more knowledge of the criminal cases and the phones involved. Apple had not provided comment at the time of publication.

Though they can acquire a lot of useful evidence from a phone, Cellebrite devices and competing products aren’t always effective. Often, their capabilities vary from one phone model to the next. In another search warrant reviewed by Forbes, in October 2022, the DEA noted that their Cellebrite tool couldn’t retrieve WhatsApp messages from an iPhone 11 because of “limitations with respect to this particular device model.” They had to manually go through the phone to gather data.

“Cellebrite is able to legally and lawfully extract WhatsApp data for law enforcement investigations, recognizing that it depends on OS and phone model,” a Cellebrite spokesperson said.

Google phones, meanwhile, may not be susceptible either. The “chatsearch” database doesn’t exist on Android, meaning the same technique doesn’t apply, according to Russian digital forensics expert and Elcomsoft founder Vladimir Katalov. He said there may be other techniques that can acquire deleted WhatsApp messages on Android, however. Google declined to comment.

As in the case above, such searches can be invaluable in gathering data on a criminal conspiracy. However, if the same tools were applied to an innocent party or someone breaking a controversial law (an abortion ban, for instance), they suddenly become a lot more contentious.

THE BIG STORY

Meta Fined Record $1.3 Billion For Violating EU Privacy Rules

The penalty against Meta – issued because of the ways in which it moves personal data from Europe to the U.S. – is the largest fine ever issued under the European Union’s data protection rules. It may threaten the future of Meta’s Facebook, Instagram and WhatsApp across Europe.

STORIES YOU HAVE TO READ TODAY

TikTok has been banned in Montana, where the governor said the move was “to protect Montanans’ personal and private data from the Chinese Communist Party.” TikTok has already launched a legal challenge.

Public housing across the U.S. is being covered in surveillance cameras, powered with facial recognition and artificial intelligence, according to a Washington Post investigation. The residents have little say and there’s minimal oversight of the snooping, even when it singles out those with severe disabilities for eviction.

Customs and Border Protection acquired a tool – Babel X – that can link a person’s Social Security number to their social media posts and location, according to Vice.

The FBI improperly searched a U.S. foreign intelligence database 278,000 times over several years, according to the Office of the Director of National Intelligence. Among the improper searches were those focused on the January 6 Capitol riots and the 2020 George Floyd protests.

WINNER OF THE WEEK

Digital sleuths Joe Stewart and Keegan Keplinger have been hunting a coder believed to be providing malware to two of Russia’s biggest cybercrime crews, Fin6 and Cobalt Group. They say they’ve identified him and handed his information to American police. In an exclusive for Forbes, they also uncovered photos showing the coder’s apparently comfortable life, vacationing in Mexico, London and Italy with his high-fashion wife.

LOSER OF THE WEEK

The Justice Department has filed charges against Russian national Mikhail Pavlovich Matveev for allegedly using three ransomware variants – LockBit, Babuk, and Hive – to hack into and extort a number of critical infrastructure organizations, including hospitals and government agencies. Amongst the alleged victims of his ransomware crew’s attacks was the Metropolitan Police Department in Washington D.C.
