WhatsApp in Plain Sight: Forensic Artifacts [group-ib]
by CIRT Team
If you are keen to know what kinds of forensic WhatsApp artifacts exist in different operating systems and where exactly they can be found, you have come to the right place. This post is focused on WhatsApp forensics and what data can be obtained from a device during forensic analysis.
We should note at the outset that operating systems differ in the types of artifacts they contain, so being able to extract a certain kind of WhatsApp data from one device does not automatically mean that the same data can be extracted from another. For instance, on a desktop computer running Windows you are unlikely to find WhatsApp chats on its disks (the exception being iOS device backups stored on the computer). Laptops and mobile devices, on the other hand, have their own peculiarities. Let’s discuss this topic in more detail.
WhatsApp artifacts on Android devices
To extract WhatsApp artifacts from an Android device, an investigator needs superuser privileges (root) or another way of obtaining a physical dump of the device’s flash storage (for example, by exploiting a software vulnerability specific to that device).
The application’s files are stored in the phone’s flash memory, in the partition that holds user data. As a rule, this partition is called userdata. The program’s subdirectories and files are located under the path /data/data/com.whatsapp/.
The wa.db and msgstore.db databases are the main files that contain WhatsApp artifacts on Android.
The wa.db database contains the full list of the WhatsApp user’s contacts, including phone numbers, display names, timestamps, and any other information recorded when the contact registered with WhatsApp. The wa.db file is located under the path /data/data/com.whatsapp/databases/.
The most interesting tables in the wa.db database for forensic investigators are:
• wa_contacts
This table contains information about WhatsApp contacts, such as contact ID, status, display name, timestamps, etc.
Table structure:
Field name | Meaning
---|---
_id | Record number (the SQLite rowid, assigned automatically)
jid | WhatsApp ID of the contact (a string of the form ’x@s.whatsapp.net’, where ’x’ is the phone number of the contact)
is_whatsapp_user | Contains ’1’ if the contact corresponds to an actual WhatsApp user, ’0’ otherwise
status | Text in the status line of the contact
status_timestamp | Timestamp in Unix epoch time, in milliseconds
number | Phone number associated with the contact
raw_contact_id | Sequence number of the contact in the Android contacts provider
display_name | Display name of the contact
phone_type | Type of the phone number
phone_label | Label associated with the phone number
unseen_msg_count | Number of messages from the contact that have been received but not yet read
photo_ts | Timestamp in Unix epoch time, in seconds
thumb_ts | Timestamp in Unix epoch time, in seconds
photo_id_timestamp | Timestamp in Unix epoch time, in milliseconds
given_name | Same value as display_name for each contact
wa_name | WhatsApp name of the contact (as set in their profile)
sort_name | Name of the contact used in sorting operations
nickname | WhatsApp nickname of the contact (as set in their profile)
company | Company (as set in the contact’s profile)
title | Title (Mr/Ms/Mrs, as set in the contact’s profile)
offset | Offset
• sqlite_sequence
This table stores the last AUTOINCREMENT value used for each table, which tells you how many contact records have ever been inserted (the counter does not decrease when records are deleted).
• android_metadata
This table contains the locale of the WhatsApp installation (language localization).
The msgstore.db database contains information about sent and received messages, such as contact number, message content, status, timestamps, information about attached files, etc. The msgstore.db file is located under the path /data/data/com.whatsapp/databases/.
The most interesting tables in the msgstore.db file for forensic investigators are:
• sqlite_sequence
This table stores the last AUTOINCREMENT value used for each table in the database, which indicates, for instance, the total number of messages and chats ever stored.
• message_fts_content
This is the content table behind WhatsApp’s full-text search index and holds a copy of message text. Because it is maintained separately from the messages table, text from messages that were later deleted may still be present here.
• messages
This table contains information such as contact number, message body, status, timestamps, and information about attached files.
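The following is an added example of how the contact table in wa.db and the messages table in msgstore.db can be parsed and correlated with Python’s built-in sqlite3 module; it is not code from the original post or from Group-IB. Both databases are constructed in memory with only a subset of the wa_contacts columns listed above, and the messages column names used here (key_remote_jid, key_from_me, data, timestamp, status) are an assumption based on older WhatsApp Android schemas, not something the post specifies. It also shows the practitioner’s two recurring checks on this data: timestamps that are in milliseconds in some columns and seconds in others, and sqlite_sequence counters that keep counting deleted records.

```python
"""Added example (not from the original post): parse wa.db-style contacts and
msgstore.db-style messages with sqlite3 and correlate them by jid.

Assumptions: the messages columns key_remote_jid, key_from_me, data, timestamp
and status are taken from older WhatsApp Android schemas and are not given on
the page. On a real extraction, open the copied .db files read-only, e.g.
sqlite3.connect("file:wa.db?mode=ro", uri=True), and ATTACH msgstore.db the
same way as below.
"""
import sqlite3
from datetime import datetime, timezone


def epoch_to_utc(ts):
    """Convert a WhatsApp timestamp to an ISO-8601 UTC string.

    The post lists some columns in milliseconds (status_timestamp,
    photo_id_timestamp) and others in seconds (photo_ts, thumb_ts). A value
    above 1e11 cannot be seconds for any plausible date (it would be year 5138),
    so it is treated as milliseconds. Zero/NULL means the field was never set.
    """
    if not ts:
        return None
    if ts > 10**11:
        ts = ts / 1000.0
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def jid_to_phone(jid):
    """'x@s.whatsapp.net' -> x (the phone number, per the post).
    Other jid types (e.g. group jids ending in @g.us) are returned unchanged."""
    local, _, domain = jid.partition("@")
    return local if domain == "s.whatsapp.net" else jid


def build_sample_dbs():
    """Constructed sample data, not taken from any real device.
    'main' plays the role of wa.db, the attached 'msgstore' of msgstore.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS msgstore")
    conn.executescript("""
        CREATE TABLE wa_contacts (
            _id INTEGER PRIMARY KEY AUTOINCREMENT,
            jid TEXT, is_whatsapp_user INTEGER, status TEXT,
            status_timestamp INTEGER, number TEXT, display_name TEXT, wa_name TEXT);
        CREATE TABLE msgstore.messages (
            _id INTEGER PRIMARY KEY AUTOINCREMENT,
            key_remote_jid TEXT, key_from_me INTEGER, data TEXT,
            timestamp INTEGER, status INTEGER);
    """)
    conn.executemany(
        "INSERT INTO wa_contacts (jid, is_whatsapp_user, status, status_timestamp,"
        " number, display_name, wa_name) VALUES (?,?,?,?,?,?,?)",
        [("15551230001@s.whatsapp.net", 1, "Busy", 1572854400000,  # ms
          "+1 555 123 0001", "Alice", "alice"),
         ("15551230002@s.whatsapp.net", 0, None, 0,
          "+1 555 123 0002", "Bob (no WA)", None)])
    conn.executemany(
        "INSERT INTO msgstore.messages (key_remote_jid, key_from_me, data,"
        " timestamp, status) VALUES (?,?,?,?,?)",
        [("15551230001@s.whatsapp.net", 0, "hi", 1572858000000, 0),
         ("15551230001@s.whatsapp.net", 1, "hello back", 1572858060000, 13)])
    conn.commit()
    return conn


def list_whatsapp_users(conn):
    """Contacts that are actual WhatsApp users (is_whatsapp_user = 1)."""
    rows = conn.execute(
        "SELECT jid, display_name, wa_name, status, status_timestamp"
        " FROM wa_contacts WHERE is_whatsapp_user = 1 ORDER BY _id").fetchall()
    return [{"phone": jid_to_phone(jid), "display_name": dn, "wa_name": wn,
             "status": st, "status_set": epoch_to_utc(ts)}
            for jid, dn, wn, st, ts in rows]


def timeline(conn):
    """Messages joined to contact display names, oldest first.
    LEFT JOIN keeps messages whose jid is missing from wa_contacts (a deleted
    or never-saved contact), which is exactly the case an investigator wants."""
    rows = conn.execute("""
        SELECT m.timestamp, m.key_from_me, m.key_remote_jid, c.display_name, m.data
        FROM msgstore.messages AS m
        LEFT JOIN wa_contacts AS c ON c.jid = m.key_remote_jid
        ORDER BY m.timestamp""").fetchall()
    return [{"time": epoch_to_utc(ts), "direction": "sent" if from_me else "received",
             "peer": name or jid_to_phone(jid), "text": data}
            for ts, from_me, jid, name, data in rows]


def record_counters(conn, schema="main"):
    """sqlite_sequence holds the last AUTOINCREMENT rowid per table. It only
    grows, so it counts records ever inserted, deleted ones included; compare
    it with COUNT(*) to spot tables that have had rows removed."""
    return dict(conn.execute(f"SELECT name, seq FROM {schema}.sqlite_sequence").fetchall())


if __name__ == "__main__":
    db = build_sample_dbs()
    for user in list_whatsapp_users(db):
        print(user)
    for msg in timeline(db):
        print(msg)
    print(record_counters(db), record_counters(db, "msgstore"))
```

The epoch heuristic matters in practice: feeding a millisecond value to a tool that expects seconds yields a date thousands of years in the future, and the reverse yields 1970, so check the magnitude before converting rather than trusting the column name alone.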