WhatsApp in Plain Sight: Forensic Artifacts [group-ib]

If you are keen to know what kinds of forensic WhatsApp artifacts exist in different operating systems and where exactly they can be found, you have come to the right place. This post is focused on WhatsApp forensics and what data can be obtained from a device during forensic analysis.

We should note at the outset that operating systems differ in the types of artifacts they contain, so extracting certain types of WhatsApp data from one device does not automatically mean that the same data can be extracted from another device. For instance, if you have a desktop computer running Windows, you are unlikely to find WhatsApp chats on its disks (the exception will be iOS backup copies). Laptops and mobile devices, on the other hand, have their own peculiarities. Let’s discuss this topic in more detail.
WhatsApp artifacts on Android devicesTo extract WhatsApp artifacts from an Android device, an investigator needs to have superuser privileges (root) or be able to extract a physical memory dump of the file system by other means (for example, using software vulnerabilities of a particular device).

The application’s files are located in the memory of the phone in the section where user data is stored. As a rule, this section is called Userdata. Subdirectories and program files are located under the path /data/data/com.whatsapp/.

The wa.db and msgstore.db databases are the main files that contain WhatsApp artifacts on Android.

The wa.db database contains a full list of the WhatsApp user’s contacts, including phone numbers, display names, timestamps, and any other information mentioned upon registering in WhatsApp. The wa.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:

The most interesting tables in the wa.db database for forensic investigators are:
• wa_contacts
This table contains information about WhatsApp contacts, such as contact ID, status, display name, timestamps, etc. Screenshot of the table:

Table structure:

Field name	Meaning
_id	Sequence number of the record (set by SQLite)
jid	WhatsApp ID of the contact (a string structured as
’x@s.whatsapp.net’, where ’x’ is the phone number of the
contact)
is_whatsapp_user	Contains ’1’ if the contact corresponds to an actual WhatsApp user, ’0’ otherwise
status	Text in the status line of the contact
status_timestamp	Contains a timestamp in the Unix Epoch Time (ms) format
number	Phone number associated with the contact
raw_contact_id	Sequence number of the contact
display_name	Display name of the contact
phone_type	Type of the phone
phone_label	Label associated with the phone number
unseen_msg_count	Number of messages sent by the contact that have been
received, but have not yet been read
photo_ts	Contains a timestamp in the Unix Epoch Time format
thumb_ts	Contains a timestamp in the Unix Epoch Time format
photo_id_timestamp	Contains a timestamp in the Unix Epoch Time (ms) format
given_name	The field value is the same as in display_name for each contact
wa_name	WhatsApp name of the contact (as set in their profile)
sort_name	Name of the contact used in sorting operations
nickname	WhatsApp nickname of the contact (as set in their profile)
company	Company (as set in the contact’s profile)
title	Title (Mr/Ms/Mrs	as set in the contact’s profile)
offset	Offset

• sqlite_sequence
This table contains information about the number of contacts.

• android_metadata
This table contains information about WhatsApp language localization.

The msgstore.db database contains information about sent messages, such as contact number, message content, status, timestamps, information about attached files, etc. The msgstore.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:

The most interesting tables in the msgstore.db file for forensic investigators are:

• sqlite_sequence
This table contains general information about the database, for instance, the total number of stored messages, total number of chats, etc. Screenshot of the table:

• message_fts_content

Contains the content of messages. Screenshot of the table:

• messages

This table contains information, such as contact number, message body, status, timestamps, and information about attached files. Screenshot of the table:

For more, click here.