International Journal of Computer and Information System (IJCIS), Peer Reviewed International Journal, Issue 03, September 2025, e-ISSN: 2745-9659, https://ijcis.net/index.php/ijcis/index

Uncovering WhatsApp Fraud Modus Operandi through Digital Artifact Analysis and Cyber Kill Chain Mapping

Erika Ramadhani, Department of Informatics, Universitas Islam Indonesia, Yogyakarta, Indonesia, erika@uii.

Abstract. WhatsApp fraud has emerged as a significant cybercrime threat, exploiting the platform's wide user base through social engineering and malware-based attacks. This study investigates a WhatsApp fraud case by analyzing digital artifacts to uncover the perpetrator's modus operandi and to provide structured guidance for law enforcement. Using the Digital Forensics for Incident Response (D4I) Framework in conjunction with Cyber Kill Chain (CKC) mapping, five key artifacts were identified and evaluated quantitatively on two dimensions: strength of evidence (v) and reliability (r). The results show that the malicious APK and the source code containing a Telegram bot token constitute primary evidence with the highest probative value, while the Manifest.xml file and the hidden background application serve as supporting evidence, and contextual indicators such as sender information carry limited legal weight. These findings highlight the importance of differentiating artifacts by evidentiary significance and demonstrate the value of the proposed scoring methodology. The study has limitations: it is based on a simulated case and relies partly on expert judgment when scoring the criteria. Future research should apply the approach to other platforms and fraud scenarios, and explore automation to enhance objectivity and scalability.
Beyond its academic contributions, the study offers a structured rubric for prioritizing evidence and emphasizes the need for standardized evaluation frameworks in digital forensic policy and practice, ultimately strengthening the legal robustness of, and societal trust in, digital investigations.

Keywords: Digital Forensics; WhatsApp Fraud; Digital Artifact Analysis; Cyber Kill Chain; D4I Framework; Evidence Prioritization; Forensic Reliability; Digital Forensic Policy.

I. INTRODUCTION

WhatsApp fraud has escalated into one of the most pervasive forms of cybercrime in recent years. According to the Global Anti-Scam Alliance, over 70% of internet users worldwide have been exposed to scams through messaging applications, with WhatsApp consistently ranking as one of the most targeted platforms. In Indonesia alone, the Ministry of Communication and Information reported that digital fraud complaints surged by more than 60% between 2021 and 2023, with WhatsApp scams forming a significant proportion of reported cases. These scams range from financial theft through social engineering to identity fraud, often resulting in both economic losses and long-term psychological trauma for victims. Such trends highlight the urgent need for systematic forensic methods that can support law enforcement and restore public trust in digital platforms.

Despite the severity of this phenomenon, law enforcement investigations face persistent challenges in collecting, validating, and prioritizing digital evidence. Artifacts such as chat logs, file metadata, and hidden application traces often go underutilized due to the absence of structured frameworks for analysis. This gap hinders prosecutors from establishing strong legal arguments and undermines the admissibility of digital evidence in court. Therefore, the central research question addressed in this study is: how can digital artifacts from WhatsApp scam cases be identified, analyzed, and validated in a way that strengthens their probative value and supports law enforcement processes?

To address this gap, this study applies the Digital Forensics for Incident Response (D4I) Framework, integrated with the Cyber Kill Chain (CKC) model. The D4I Framework offers a systematic, evidence-driven process for discovering, documenting, analyzing, and interpreting digital artifacts, while the CKC model provides a structured lens for mapping the attacker's modus operandi across the distinct phases of the attack lifecycle. By linking these two approaches, this research not only identifies which artifacts hold the highest evidentiary value but also demonstrates how they can be contextualized within the broader attack lifecycle.

The contributions of this study are threefold. First, it identifies and evaluates key artifacts from WhatsApp scam cases, distinguishing between primary, supporting, and contextual evidence based on their probative strength and reliability. Second, it demonstrates the applicability of the D4I Framework in real-world fraud investigations, thereby addressing a research gap in forensic methodology. Finally, it provides a transparent and replicable rubric for law enforcement to assess digital evidence admissibility, ensuring both technical rigor and legal soundness. By explicitly linking the D4I Framework to the challenges faced in practice, this study underscores why it is a suitable approach for enhancing the reliability and effectiveness of digital forensic investigations in messaging-based fraud.

II. LITERATURE REVIEW

Research on fraud in instant messaging platforms has evolved along both social and technical dimensions. From the social perspective, Lee et al. demonstrated that psychological factors and low user self-efficacy significantly increase susceptibility to phishing attempts on messaging apps. Such findings explain why WhatsApp, with its massive user base, remains a prime target for social engineering attacks. However, these studies often stop short of linking behavioral vulnerabilities to forensic challenges, leaving a gap in how user behavior translates into digital artifacts that can be used in investigations.

On the technical side, several works have analyzed WhatsApp artifacts as potential sources of evidence. Meng et al. explored IndexedDB in WhatsApp Web as a forensic data source, while Kim et al. examined artifacts in the Web and UWP versions of WhatsApp. Son et al. extended this line of research by demonstrating decryption methods for other encrypted instant messaging platforms such as Signal and Threema. Together, these works establish that even with end-to-end encryption, residual digital traces can be extracted and analyzed. Yet most of these studies focus on identifying data sources without offering systematic frameworks for evaluating the evidentiary strength and legal admissibility of such artifacts.

Malware exploitation has emerged as another critical theme in WhatsApp-related fraud. Schmutz et al. analyzed the Hook Android malware, which runs covertly in the background, while Faruki et al. surveyed malware evasion techniques, highlighting the growing sophistication of attacks. Palma et al. further introduced explainable machine learning for Android malware detection. These contributions illustrate the technical complexity of APK-based fraud, such as the "Wedding Invitation" scam analyzed in this study. Nevertheless, prior research rarely connects these malware-focused findings to the broader lifecycle of fraud attacks or considers how they map onto established cybercrime frameworks such as the Cyber Kill Chain.

Finally, the literature also touches on communication channels and legal implications. Al lelah et al. revealed how attackers increasingly exploit legitimate cloud services, such as the Telegram Bot API, as command-and-control (C2) infrastructure. From a legal standpoint, Heath et al. emphasized that forensic soundness and chain of custody are essential for ensuring that digital evidence from ephemeral messaging applications is admissible in court. While these studies underscore important technical and legal considerations, they often treat them in isolation, with limited effort to integrate social, technical, and legal aspects into a unified investigative framework.

Taken together, existing studies provide valuable insights into the social engineering tactics, technical artifacts, and legal challenges of instant messaging fraud. However, three key gaps remain. First, prior work has primarily summarized artifacts or malware without critically evaluating their relative probative strength or reliability as legal evidence. Second, little effort has been made to bridge social and behavioral insights with technical forensic analysis, resulting in fragmented understandings of fraud cases. Third, there is a lack of integrated frameworks that connect digital artifact analysis with structured models of cybercrime progression. This research addresses these gaps by applying the D4I Framework in conjunction with CKC mapping. By doing so, it not only identifies key digital artifacts but also evaluates their evidentiary value, integrates social engineering perspectives with technical findings, and demonstrates a replicable methodology that supports both academic inquiry and law enforcement practice.

III. RESEARCH METHODS

This study adopts a case study approach focusing on fraud attacks conducted through the WhatsApp application using the Wedding Invitation.apk file, a malicious Android package depicted in Figure 1. This case is representative of prevalent fraud schemes in Indonesia over the past two years, in which perpetrators employ social engineering to convince victims to install disguised malware. Once installed, the application requests excessive permissions and operates covertly in the background, enabling the attacker to intercept sensitive data such as one-time passwords (OTPs).

Figure 1. Diagram of the simulated WhatsApp scam.

3.1 Data Collection and Validation

The primary data source for this study consists of digital artifacts generated from a controlled simulation of a WhatsApp scam attack. These include chat messages, APK files, metadata, and extracted source code. To ensure reproducibility, the data collection process adhered strictly to the Discovery and Acquisition stages of the D4I Framework. Each artifact was acquired using write-blocking mechanisms to preserve integrity, while hashing (MD5 and SHA-) was applied to confirm that no alterations occurred during acquisition. Because MD5 is no longer collision-resistant, the SHA digest rather than the MD5 value should be treated as the authoritative integrity reference; recording both remains useful for matching older custody records. Validation was achieved by repeating the extraction process on multiple devices and cross-verifying the consistency of the recovered artifacts.

3.2 Tool Selection and Justification

The technical analysis was conducted using a combination of Apktool and Show Java for decompiling the APK file, Autopsy for artifact examination, and FTK Imager for creating forensic disk images. These tools were selected based on their proven reliability, availability, and acceptance in forensic practice. Apktool and Show Java were chosen to recover the AndroidManifest.xml and the embedded Java code, which are critical for detecting excessive permissions and hidden malicious logic. Autopsy was preferred over alternatives such as EnCase due to its open-source accessibility and extensibility, making it suitable for academic and law enforcement environments. FTK Imager was selected for its robustness in generating forensically sound disk images while maintaining the integrity of the original data.

3.3 Ethical and Legal Considerations

All experiments were conducted using simulated data and malware samples in an isolated environment to avoid risk to real users or devices. No actual victim data was collected. Ethical compliance was ensured by anonymizing identifiers and restricting the analysis to synthetic or test accounts. From a legal standpoint, the methodology adheres to the principles of forensic soundness, including maintaining a clear chain of custody for all artifacts and ensuring that evidence acquisition methods align with standards that support admissibility in court.

3.4 Integration of the D4I Framework and CKC Mapping

The forensic investigation followed the four stages of the D4I Framework (Discovery, Documentation, Dynamics, and Interpretation) and mapped each artifact to the corresponding phase of the Cyber Kill Chain (CKC). For example, the attacker's phone number was linked to Reconnaissance, the malicious APK to Weaponization, and the hidden background process to Installation. This dual approach ensures that both the technical behavior of the malware and the attacker's modus operandi are systematically reconstructed. Figure 2 illustrates the methodological flow, showing how each stage of the investigation aligns with the D4I Framework and the CKC.

Figure 2. Research methodology.

As shown in Figure 2, the process begins with Discovery, where suspicious artifacts such as the Wedding Invitation.apk are identified and extracted. This is followed by Documentation, in which each artifact is systematically recorded with screenshots, metadata, and a tabular mapping to CKC phases to preserve forensic integrity. The third stage, Dynamics, analyzes the interaction and progression of artifacts across the CKC phases, showing how the attack evolves from reconnaissance to data exfiltration. Finally, Interpretation answers the 5W1H questions (Who, What, When, Where, Why, and How), linking the artifacts back to the attacker's modus operandi. Together, the diagram emphasizes that the methodology is both systematic and reproducible, integrating forensic acquisition with structured cyberattack analysis.

3.5 Quantitative Evaluation of Evidence

In addition to descriptive artifact analysis, this study employed a quantitative rubric to assess each artifact along two dimensions:

(1) Strength of evidence (v): the probative value of an artifact in proving the attacker's actions within the CKC phases.
(2) Reliability (r): the trustworthiness of an artifact as legal evidence, considering acquisition method, integrity, and chain of custody.

Each dimension was further divided into six sub-criteria. For v: relevance, specificity, connection to CKC phase, causal proximity, corroboration by other artifacts, and evidentiary clarity. For r: integrity, authenticity, acquisition method, chain of custody, reproducibility, and independence from external bias. Scores were assigned on a scale of 1 to 5 for each sub-criterion and then normalized to a 0 to 1 range. Weighted averages were calculated to produce the final v and r scores for each artifact. This structured approach ensures transparency, reproducibility, and objectivity in distinguishing between primary evidence, supporting evidence, and contextual evidence.

IV. RESULT AND ANALYSIS

4.1 Artefact Identification

The forensic investigation produced eight key digital artifacts (a1 to a8) that correspond to different stages of the Cyber Kill Chain (CKC). These relationships can be formalized as the relation R, where each pair (p_i, a_j) indicates that artifact a_j plays a role in CKC phase p_i:

R = {(p_1, a_1), (p_2, a_2), (p_2, a_3), (p_3, a_4), (p_4, a_5), (p_5, a_6), (p_6, a_7), (p_7, a_8)}

where p_1, ..., p_7 are the CKC phases and a_1, ..., a_8 are the artifacts:

a1: victim's phone number
a2: APK file
a3: Manifest.xml file
a4: Android permissions
a5: hidden installed application
a6: Telegram bot token
a7: captured SMS
a8: file metadata

For example, (p_1, a_1) maps the WhatsApp sender's number to Reconnaissance, while (p_2, a_2) associates the malicious APK file with Weaponization. This formalization ensures analytical rigor by explicitly linking evidence to the sequential stages of the attack lifecycle.

4.2 Artefact Analysis

In this study, five main artifacts were analyzed to uncover the modus operandi of the fraud perpetrators using WhatsApp; they are numbered a1 to a5 in Tables 1 and 2, a numbering that differs from the eight-artifact list of Section 4.1. The first artifact is the victim's phone number (a1), used during the reconnaissance phase, indicating that the perpetrator had conducted initial reconnaissance to determine the target. The second artifact is an APK file named "Wedding Invitation" (a2), which plays a role in the Weaponization phase, where the malicious application is prepared and sent to trap victims. Next, the Manifest.xml file (a3), containing excessive permission requests, was analyzed as part of the Exploitation phase, demonstrating how the attacker exploited the Android permission model; the permissions are granted by the deceived user rather than obtained through a software vulnerability. The fourth artifact, a hidden application running in the background (a4), represents the Installation phase, proving that the malware was installed silently without the user's knowledge. Finally, the application source code and the Telegram bot token (a5) show both Command and Control (C2) activity and Actions on Objectives, as these artifacts are the means by which the attacker receives sensitive data such as OTPs directly from the victim's device. These five artifacts sequentially depict the systematic stages of the attack according to the CKC.

Based on the assessment methodology of Section 3.5, each artifact was then assigned a score for strength of evidence (v) and reliability (r), allowing a clear view of the relative contribution of each artifact in proving the stages of the attack. The results are shown in Table 1.

Table 1. Strength of evidence (v) and reliability (r) per artifact

Artifact | CKC phase | v (strength of evidence) | r (reliability)
a1 sender's phone number | Reconnaissance | 0.588 |
a2 malicious APK | Weaponization | 0.913 |
a3 Manifest.xml | Exploitation | |
a4 hidden background application | Installation | |
a5 source code with Telegram bot token | C2 / Actions on Objectives | 0.950 |

According to Table 1, the source code containing the Telegram bot token (a5) scored the highest (v = 0.950), followed by the malicious APK (a2) with strong scores on both dimensions (v = 0.913). These results indicate that artifacts directly tied to malware functionality and attacker infrastructure have the strongest probative value and reliability for legal proceedings. By contrast, reconnaissance-related artifacts such as the sender's number (a1) scored lower (v = 0.588), demonstrating that contextual indicators alone cannot establish culpability in court.

4.3 Relevance to Law Enforcement

From a law enforcement perspective, the scoring highlights the differential evidentiary weight of each artifact, shown in Table 2.
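The static checks described for artifacts a2 to a5 (a verifiable hash of the acquired artifact, excessive permissions in the manifest, an application with no launcher entry, and a Telegram bot token in the decompiled source), as an added Python example that is not part of the paper or its tooling. It assumes Apktool has already decoded the APK; the manifest, the package and class names, the permission set and the token value are constructed samples, and the Telegram token pattern and the "service without a launcher activity" stealth heuristic are assumptions of this example, not findings of the paper.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# ElementTree's Clark notation for attributes in the android: namespace
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in the shape Apktool decodes; package, class names and the
# permission set are illustrative assumptions modelled on the paper's description.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weddinginvitation">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Wedding Invitation">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".ExfilService"/>
  </application>
</manifest>
"""

# Constructed decompiled fragment; the token is a placeholder in the documented
# "<numeric bot id>:<35-character secret>" shape and is not a real credential.
SAMPLE_SOURCE = """
public class ExfilService extends Service {
    private static final String TOKEN = "1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi";
    private static final String CHAT_ID = "987654321";
    String url = "https://api.telegram.org/bot" + TOKEN + "/sendMessage?chat_id=" + CHAT_ID;
}
"""

# Permissions that let an app read or intercept OTP messages, or keep running unnoticed.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}
PERSISTENCE_PERMISSIONS = {"android.permission.RECEIVE_BOOT_COMPLETED",
                           "android.permission.FOREGROUND_SERVICE"}
# Heuristic pattern for a Telegram bot token (an assumption of this example).
TELEGRAM_TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")


def sha256_hex(data: bytes) -> str:
    """Integrity value to record in the chain-of-custody log (SHA-256 rather than MD5)."""
    return hashlib.sha256(data).hexdigest()


def triage_manifest(manifest_xml: str) -> dict:
    """Pull permissions and stealth indicators out of a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    launcher = any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
                   for act in root.iter("activity") for c in act.iter("category"))
    sms_receiver = any(a.get(ANDROID + "name") == "android.provider.Telephony.SMS_RECEIVED"
                       for rcv in root.iter("receiver") for a in rcv.iter("action"))
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "persistence_permissions": sorted(perms & PERSISTENCE_PERMISSIONS),
        "has_launcher_activity": launcher,  # no LAUNCHER category means no icon in the app drawer
        "registers_sms_receiver": sms_receiver,
        "declares_service": root.find("application/service") is not None,
    }


def find_bot_tokens(source: str) -> list:
    """Return (bot_id, masked_secret) pairs; the secret is masked so reports can be shared."""
    return [(bot_id, secret[:4] + "..." + secret[-2:])
            for bot_id, secret in TELEGRAM_TOKEN_RE.findall(source)]


def map_to_ckc(manifest_xml: str, source: str) -> dict:
    """Attach each indicator to the CKC phase the paper assigns the corresponding artifact."""
    m = triage_manifest(manifest_xml)
    tokens = find_bot_tokens(source)
    return {
        # a2: a verifiable hash of the artifact as acquired (here, the decoded manifest text)
        "Weaponization": {"manifest_sha256": sha256_hex(manifest_xml.encode("utf-8"))},
        # a3: permissions that let the app read OTP SMS and survive reboots
        "Exploitation": m["sms_permissions"] + m["persistence_permissions"],
        # a4: a service with no launcher activity is the usual silent-background pattern
        "Installation": {"hidden": m["declares_service"] and not m["has_launcher_activity"]},
        # a5: the bot token identifies the exfiltration channel (the bot, not a person)
        "C2/Actions on Objectives": {"telegram_bot_ids": [t[0] for t in tokens],
                                     "intercepts_sms": m["registers_sms_receiver"]},
    }
```

The function returns the indicators grouped by CKC phase so they can be pasted into the Documentation stage's tabular mapping; the hash is computed over the bytes actually acquired, so a re-acquisition on a second device (Section 3.1) is validated by comparing the two hex values.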
Artifact a5 (the source code with the Telegram bot token), with the highest strength and solid reliability, is especially relevant because it establishes a direct causal link between the malicious application and the perpetrator's command-and-control channel. Such linkage is probative in court, as it can demonstrate not only the presence of malware but also the perpetrator's active control over the victim's data. One caveat applies: the token identifies the receiving bot and its channel, not by itself the natural person operating it, so attribution to a perpetrator still requires linking the bot to an account through lawful process.

Artifact a2 (the APK) also provides strong evidentiary value because it is a tangible artifact that can be verified through hashing, reverse engineering, and reproducibility testing. Its higher reliability score supports its admissibility as digital evidence, since integrity and chain of custody can be more easily verified. This artifact, therefore, can serve as a primary exhibit in legal proceedings.

By contrast, a3 (Manifest.xml) and a4 (the hidden background application), though technically strong in proving exploitation and stealth, carry slightly lower reliability scores. In legal terms, these artifacts are considered supporting evidence, useful to corroborate the malware's behavior but requiring cross-validation with stronger artifacts such as the APK and the source code.

Table 2. Relevance to law enforcement

Artifact | Legal relevance | Justification
a1 sender's phone number | Contextual evidence | Indicates reconnaissance but has weak probative value and low reliability; cannot stand alone in court.
a2 malicious APK | Primary evidence | Malware payload with a verifiable hash; establishes weaponization and the attack.
a3 Manifest.xml | Supporting evidence | Shows exploitation of Android permissions; corroborates malicious intent but is less reliable on its own.
a4 hidden background application | Supporting evidence | Confirms stealth; relevant but needs corroboration with the APK and source code.
a5 source code with Telegram bot token | Primary evidence | Direct causal link to the attacker's C2 channel; high probative value for proving intent and control.

Finally, a1 (the phone number), while useful in reconstructing the reconnaissance phase, is the least probative artifact. It has weaker relevance in court because phone numbers alone do not establish malicious intent or direct perpetrator involvement. Instead, they function primarily as contextual evidence to frame the beginning of the attack.
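The weighted v/r rubric of Section 3.5 and the primary/supporting/contextual tiering applied in Sections 4.2 and 4.3, as an added Python example that is not the paper's own scoring sheet. The twelve sub-criteria and the CKC phases are taken from the paper; the weights, the 1 to 5 sub-scores for each artifact, the min-max normalization and the tier thresholds are constructed assumptions, so the scores it produces are illustrative and do not reproduce Table 1.

```python
from dataclasses import dataclass

V_CRITERIA = ["relevance", "specificity", "ckc_connection", "causal_proximity",
              "corroboration", "evidentiary_clarity"]
R_CRITERIA = ["integrity", "authenticity", "acquisition_method", "chain_of_custody",
              "reproducibility", "independence_from_bias"]
# Assumed weights (each set sums to 1); the paper reports weighted averages but not the weights.
V_WEIGHTS = dict(zip(V_CRITERIA, [0.20, 0.15, 0.15, 0.20, 0.15, 0.15]))
R_WEIGHTS = dict(zip(R_CRITERIA, [0.25, 0.20, 0.15, 0.20, 0.10, 0.10]))
CKC_PHASES = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives")


def normalize(score: int) -> float:
    """Map a 1-5 sub-criterion score onto 0-1 (min-max; the paper says only 'normalized')."""
    if not 1 <= score <= 5:
        raise ValueError(f"sub-criterion score out of range: {score}")
    return (score - 1) / 4


def weighted_score(scores: dict, weights: dict) -> float:
    """Weighted average of the normalized sub-criterion scores, rounded to three decimals."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored sub-criteria: {sorted(missing)}")
    return round(sum(weights[c] * normalize(scores[c]) for c in weights), 3)


def tier(v: float, r: float, primary: float = 0.85, supporting: float = 0.60) -> str:
    """Assumed thresholds: high on both dimensions -> primary; moderate on both -> supporting."""
    if v >= primary and r >= primary:
        return "primary"
    if v >= supporting and r >= supporting:
        return "supporting"
    return "contextual"


@dataclass
class Artifact:
    name: str
    phases: tuple   # CKC phases the artifact evidences (a5 covers two in the paper)
    v_scores: dict  # 1-5 per V_CRITERIA entry
    r_scores: dict  # 1-5 per R_CRITERIA entry


def sheet(criteria, values):
    """Build a scoring sheet from 1-5 values given in criteria order."""
    return dict(zip(criteria, values))


# Constructed sub-scores for the five artifacts of Section 4.2; not the paper's actual sheet.
SAMPLE_ARTIFACTS = [
    Artifact("a1 sender phone number", ("Reconnaissance",),
             sheet(V_CRITERIA, [3, 2, 4, 2, 3, 3]), sheet(R_CRITERIA, [4, 3, 4, 4, 3, 3])),
    Artifact("a2 Wedding Invitation.apk", ("Weaponization",),
             sheet(V_CRITERIA, [5, 5, 5, 4, 5, 5]), sheet(R_CRITERIA, [5, 5, 5, 5, 5, 4])),
    Artifact("a3 Manifest.xml", ("Exploitation",),
             sheet(V_CRITERIA, [4, 4, 4, 4, 4, 4]), sheet(R_CRITERIA, [4, 4, 4, 4, 4, 3])),
    Artifact("a4 hidden background application", ("Installation",),
             sheet(V_CRITERIA, [4, 4, 4, 3, 4, 4]), sheet(R_CRITERIA, [4, 4, 4, 4, 3, 3])),
    Artifact("a5 source code with Telegram bot token",
             ("Command and Control", "Actions on Objectives"),
             sheet(V_CRITERIA, [5, 5, 5, 5, 5, 5]), sheet(R_CRITERIA, [5, 5, 5, 5, 4, 4])),
]


def evaluate(artifacts):
    """Score and tier each artifact, ranked by v*r so primary exhibits come first."""
    rows = []
    for a in artifacts:
        unknown = [p for p in a.phases if p not in CKC_PHASES]
        if unknown:
            raise ValueError(f"{a.name}: unknown CKC phase(s) {unknown}")
        v = weighted_score(a.v_scores, V_WEIGHTS)
        r = weighted_score(a.r_scores, R_WEIGHTS)
        rows.append({"artifact": a.name, "phases": a.phases, "v": v, "r": r, "tier": tier(v, r)})
    rows.sort(key=lambda row: row["v"] * row["r"], reverse=True)
    return rows


def relation_R(artifacts):
    """The paper's relation R as a set of (CKC phase, artifact) pairs."""
    return {(p, a.name) for a in artifacts for p in a.phases}


if __name__ == "__main__":
    for row in evaluate(SAMPLE_ARTIFACTS):
        print(f"{row['artifact']:<42} v={row['v']:.3f} r={row['r']:.3f} {row['tier']}")
```

Keeping the weights and thresholds as explicit, reviewable constants is what makes the rubric replicable: a second examiner can re-score the sheets and obtain the same v, r and tier, and a court can see which judgment calls drove the ranking.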
V. DISCUSSION

The results have three main implications for law enforcement and forensic practitioners:

(1) Evidence prioritization: by quantifying v and r, investigators can prioritize the artifacts with the greatest impact in court, ensuring that primary evidence is foregrounded while contextual artifacts are used strategically to frame the attack.
(2) Forensic soundness: the scoring highlights forensic soundness as a component of reliability; for instance, the APK's high reliability score reflects that its authenticity can be independently verified through hashing and reverse engineering.
(3) Legal admissibility: the clear distinction between artifact categories (primary, supporting, contextual) provides prosecutors with a structured rubric for presenting evidence that meets admissibility standards, reducing the risk of dismissal due to weak or unreliable data.

Overall, this scoring system provides law enforcement with a structured method to prioritize digital evidence: artifacts with high v and high r (a5 and a2) should be presented as primary evidence, those with moderate scores (a3 and a4) serve to strengthen the narrative, and lower-scoring artifacts (a1) act as supplementary context. This ensures that legal arguments rest on the most admissible and probative evidence, thereby enhancing the robustness of the prosecution's case.

VI. CONCLUSION

This study demonstrates that digital artifact analysis can systematically reconstruct the modus operandi of WhatsApp fraud, from reconnaissance to actions on objectives, when mapped to the Cyber Kill Chain (CKC) and evaluated through the D4I Framework. By quantifying artifacts according to strength of evidence (v) and reliability (r), the analysis revealed that the malicious APK (a2) and the source code with the Telegram bot token (a5) constitute primary evidence with the highest probative value, while the Manifest.xml file (a3) and the hidden background application (a4) function as supporting evidence, and contextual indicators such as sender information (a1) provide limited legal weight. These findings underscore the importance of differentiating artifacts by evidentiary significance rather than treating all digital traces as equal.

This study is based on a simulated WhatsApp scam case which, while representative of real-world attacks, may not capture the full complexity of actual investigations involving diverse devices, operating system versions, or cross-platform cases. Additionally, the quantitative rubric, although systematic, depends on expert judgment in scoring the sub-criteria, which may introduce some subjectivity. Further studies should validate and refine this methodology across multiple fraud cases and platforms, such as Telegram, Signal, or Facebook Messenger, to test its generalizability. The integration of machine learning or automated scoring mechanisms could also reduce subjectivity and enhance reproducibility in assessing artifact reliability and evidentiary strength.

Beyond its academic contributions, this study provides law enforcement and forensic practitioners with a structured rubric for prioritizing digital evidence and improving legal admissibility. More broadly, the findings highlight the need for standardized frameworks and scoring systems in digital forensics policy, ensuring that courts, investigators, and policymakers adopt consistent criteria when evaluating digital artifacts in cybercrime cases. By doing so, digital forensic practice can become not only more scientifically rigorous but also more impactful in strengthening public trust in the security and governance of digital ecosystems.

REFERENCES

(The first entries of the list are not present in the source; the surviving entries follow.)

[author and title not present], Forensic Science International: Digital Investigation, Mar. 2025, doi: 10.1016/j.
Son, Kim, Oh, and K. Kim, "Forensic analysis of instant messengers: Decrypt Signal, Wickr, and Threema," Forensic Science International: Digital Investigation, Mar. 2022, doi: 10.1016/j.
Schmutz, Rapp, and B. Fehrensen, "Forensic analysis of Hook Android malware," Forensic Science International: Digital Investigation, vol. 49, June 2024, doi: 10.1016/j.
Faruki, Bhan, Jain, Bhatia, El Madhoun, and R. Pamula, "A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks," Information, vol. 14, no. 7, June 2023, doi: 10.3390/info14070374.
Palma, Ferreira, and M. Figueiredo, "Explainable Machine Learning for Malware Detection on Android Applications," Information, vol. 15, no. 1, Jan., doi: 10.3390/info15010025.
Al lelah, Theodorakopoulos, Reinecke, Javed, and Anthi, "Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature Review," JCP, vol. 3, pp. 558–590, Sept. 2023, doi: 10.3390/jcp3030027.
Heath, Á. MacDermott, and A. Akinbi, "Forensic analysis of ephemeral messaging applications: Disappearing messages or evidential data?," Forensic Science International: Digital Investigation, vol. 46, Sept. 2023, doi: 10.1016/j.