The WhatsApp QR method introduced by Oxygen Forensics several years ago is widely used for fast and non-technical WhatsApp evidence collection from unlocked mobile devices using Oxygen Forensic® Cloud Extractor. We described our industry-first QR method in detail in this article.
Last year, WhatsApp introduced and started rolling out its multi-device feature. While still in beta, the new feature allows users to link up to four devices, without having to keep their primary mobile device connected to the internet. Previously, the primary mobile device where WhatsApp was installed needed to be connected to the internet, and other WhatsApp sessions were secondary. Following these WhatsApp changes, we had to redesign our WhatsApp QR code method for it to be compatible with the new multi-device feature.
Now Cloud Extractor offers two WhatsApp QR methods – the old one and the new one, for those devices that have the multi-device feature activated.
Let’s take a look at the new WhatsApp QR Multi-device method.
The new service works the same as the WhatsApp QR version. Investigators open it and scan a QR code with a mobile device on which WhatsApp is installed.
Authorization in the WhatsApp QR Multi-device service may take more time than in the WhatsApp QR version. Like with the WhatsApp QR service, once authorization is successfully established, there will be an entry about the new session in the WhatsApp mobile app. Once investigators extract data, they can close this session manually on a mobile device.
After investigators are authorized in WhatsApp, they can set a time period and/or select artifacts for extraction on the right panel of Oxygen Forensic® Cloud Extractor. This cloud service also allows the user to select specific private or group chats for extraction. Click the “Select Chats” option to perform this function.
Please note that due to the specific algorithm of this service, extraction will not be stopped by itself. Users will need to check the “Stop the extraction automatically” option, located on the right sidebar, for extraction to be stopped automatically once all the data is extracted.
Another point that investigators need to keep in mind when working with this service is that not all messages can be extracted. This service is designed by WhatsApp to quickly view the recent communications. That is why complete extraction is not guaranteed. We can never predict how many messages will be extracted, even from the same WhatsApp account, if you repeat extractions.
The final limitation of the method concerns message attachments. Due to various reasons, they cannot always be extracted, the main one being that sometimes these message attachments may already be deleted from the server.
Once extraction is completed, investigators have two options – open it on the computer in Oxygen Forensic® Detective or save it to the OCB file and upload it to Oxygen Forensic® Detective on another computer.
To view our other WhatsApp extraction methods, have a look at our WhatsApp Forensics Brochure. Interested in trying our new WhatsApp multi-device QR feature but don’t have an Oxygen Forensic® Detective license? Request a free, fully-equipped, 20-day trial by clicking here.