With the continuous development of forensics technology, cellphone forensics is no longer limited to the traditional way of extracting data recorded in the cellphone itself. Data can also be extracted through network protocols. In this issue, data recovery experts from the Key Laboratory of Sichuan Province(a subsidiary of SalvationDATA) will explain how to extract cellphone data through router.

I Background Information

Phones are constantly receiving and sending data packets while accessing the network and numerous information on accounts, chats, files sent and received, e-mails, and web-pages viewed are contained in these packets. Although much information is encrypted, a massive amount of information is transmitted in plaintext or can be decrypted through data analysis, these information including accounts, files, e-mails, and partial chats. Data can be extracted through router since all these data packets are distributed through it, at the same time saving the trouble of installing plugins on cellphones.


II Environment Building

Set up a router on a computer that has wireless network adapter by using the Bridge mode or by using the hotspot service provided by software like 360 Free Wifi. Data packets sent from cellphones connected to this router or Wifi can be captured.

III How to Capture Data Packets

Plenty capturing tools are available on the market and Wireshark is one of the well-developed ones that support brief data analysis after successful capture. All capture tools are developed on the same principle by using powerful programming interfaces of winpcap and this issue explains network data packet extraction taking Wireshark as an example.

First, set all relevant parameters in‘Software Settings’, as shown in Picture 1. To filter out irrelevant packets, a filter can be used if protocols are known. Moments in WeChat for example, uses TCP protocol and port number 443 and 80, and these information can be used to set the filter. Then choose the network card that needs to be captured and begin the capturing process.


IV Network Data Packet Analysis

During packet extraction, Wireshark displays results in three different sections (Picture 2), the upper section displaying all the packets captured, the middle a brief analysis of the selected packet, and the lower the hexadecimal value of this packet.


For instance, one of the protocol packets, a complete chat packet of messages sent from the cellphone through WeChat is extracted in Picture 3. Based on the data in this packet, the cellphone (IP as, port number 51005) is transmitting data with the server (IP as, port number 80) through TCP-HTTP protocol.


The first three packets are those used to confirm ID between the cellphone and the server (TCP three-way handshake). The fourth packet contains the following information:

Frame: Data frame information of the physical layer

Ethernet II: DDL Ethernet frame header, including information on MAC addresses of the sender and the receiver

Internet Protocol Version 4: IP packet header in Internet layer

Transmission Control Protocol: Data segment header in transport layer, here as TCP protocol

Hypertext Transfer Protocol: Application layer protocol, here as HTTP protocol

Media Type: Data transmitted


Shown in Picture 5 are contents of the application layer and the data layer, in which the followings are contained: domain name of the server as szextshort.weixin.qq.com, information submission address as /mmtls/04a2f532, and data length of the data layer 834 bytes. The blue area of the hexadecimal panel displays the data sent, which is complexly encrypted and inaccessible.


Other data such as pictures and videos sent can also be analyzed in the same manner, and data extraction after successful capture can be realized through codes.


Router packet capture is a brand new method to extract data and a key direction for future researches that bears practical importance. Data recovery experts from the Key Laboratory of Sichuan Province(a subsidiary of SalvationDATA) already developed relevant application to capture and analyze network data packets. This application supports the analysis of various protocols and corresponding techniques will be used in the manufacture of products in the near future.