Digital Forensics: Artifact Profile – Whisper
APPLICATION NAME: Whisper
CATEGORY: Social Networking
RELATED ARTIFACTS: Whisper Posts, Whisper Messages
OPERATING SYSTEMS: iOS, Android
SOURCE LOCATION:
Android – %root%\data\APPsh.whisper\databases\w.db
Android – %root%\data\APPsh.whisper\databases\c.db
iOS – %root%\var\mobile\Applications\%GUID%\Documents\Messaging.sqlite
iOS – %root%\var\mobile\Applications\%GUID%\Documents\Whisper.sqlite
Importance to Investigators
Whisper is a popular social networking app, available on both iOS and Android devices, that allows users to post messages anonymously and to send messages to other users. Before a message is posted, its text is superimposed over a picture that Whisper randomly selects for the user, or over an image the user supplies. Other users can then choose to publicly reply to the post or send a private message to the poster.
Due to the anonymity of the application, there have been many reports of threats or abuse on the Whisper app. While Whisper users remain anonymous, details are still stored in SQLite databases on the user’s device, and these can be valuable if you’re examining a smartphone with Whisper installed. Examiners can obtain usernames, message data, timestamps, images, and location data, as well as several other items of interest, depending on the operating system and app version installed.
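Because the items available depend on the operating system and app version installed, a sensible first step is to inventory each recovered SQLite database without altering it. The following is an added example, not part of the original profile or of Magnet Forensics tooling; it assumes Python 3 and a working copy of the extracted database file, and it names no Whisper table or column.

```python
import hashlib
import sqlite3
import sys
from pathlib import Path


def sha256_file(path):
    """Hash the evidence file so any change made while examining it is detectable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(db_path):
    """Return {table: {"columns": [...], "rows": n}} for a SQLite file opened read-only."""
    before = sha256_file(db_path)
    # mode=ro refuses writes; immutable=1 makes SQLite skip locking and
    # change detection on the file.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        result = {}
        for t in tables:
            # Quote the identifier: table names come from the evidence, not from us.
            quoted = '"' + t.replace('"', '""') + '"'
            cols = [c[1] for c in con.execute(f"PRAGMA table_info({quoted})")]
            rows = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            result[t] = {"columns": cols, "rows": rows}
    finally:
        con.close()
    # Confirm the working copy is byte-for-byte what it was before the read.
    if sha256_file(db_path) != before:
        raise RuntimeError("evidence file changed during examination")
    return result


if __name__ == "__main__":
    # Usage: python inventory.py <path to a working copy of the database>
    for table, info in inventory(sys.argv[1]).items():
        print(table, info["rows"], info["columns"])
```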
Whisper Recovery with Magnet Forensics
Whisper Posts
Magnet Forensics tools will recover any posts found on the user’s device. Whisper posts are public messages posted by users using the app and will usually contain a username, text of the message, timestamp of when the message was posted, a URL of the image being used, location data, hearts, and replies.
Unfortunately, the username is not a unique identifier. This means multiple Whisper users can have the same username and can change their username at any time. The user’s device typically does not store the pictures from posts in the application, though they may be cached elsewhere on the device. The user’s device will store a URL to the related picture. Whisper keeps pictures under the domain wimages.net, but in our testing we discovered not all pictures are accessible from the URL.
Location details for the post may be available for Android devices. You may find the general location such as a city/state, or specific GPS data including latitude and longitude for each post found on the device. Unfortunately, Whisper does not store this information on iOS.
Finally, hearts and replies are counters that track likes and responses to a particular post. A heart is similar to a “like” in other social networking apps.
Whisper Messages
Messages are slightly different from posts. A message is sent directly to or from the Whisper user and is private. Magnet Forensics tools will recover the conversation partner, the message, timestamp when the message was sent, the message status, and any picture attachments included.
Like the username in posts, the conversation partner is not unique and may cause problems for examiners trying to confirm users. Also, there is no read confirmation sent to the Whisper user for messages they send. This means any message that has the status of “sent” will have a blank read status, since it’s unknown whether the other user has read the message.