WhatsApp in Plain Sight: Forensic Artifacts [group-ib]

If you are keen to know what kinds of forensic WhatsApp artifacts exist in different operating systems and where exactly they can be found, you have come to the right place. This post is focused on WhatsApp forensics and what data can be obtained from a device during forensic analysis.

We should note at the outset that operating systems differ in the types of artifacts they contain, so extracting certain types of WhatsApp data from one device does not automatically mean that the same data can be extracted from another device. For instance, if you have a desktop computer running Windows, you are unlikely to find WhatsApp chats on its disks (the exception will be iOS backup copies). Laptops and mobile devices, on the other hand, have their own peculiarities. Let’s discuss this topic in more detail.
WhatsApp artifacts on Android devices

To extract WhatsApp artifacts from an Android device, an investigator needs to have superuser privileges (root) or be able to extract a physical memory dump of the file system by other means (for example, using software vulnerabilities of a particular device).

The application’s files are located in the memory of the phone in the section where user data is stored. As a rule, this section is called Userdata. Subdirectories and program files are located under the path /data/data/com.whatsapp/.

The wa.db and msgstore.db databases are the main files that contain WhatsApp artifacts on Android.

The wa.db database contains a full list of the WhatsApp user’s contacts, including phone numbers, display names, timestamps, and any other information mentioned upon registering in WhatsApp. The wa.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:

The most interesting tables in the wa.db database for forensic investigators are:
• wa_contacts
This table contains information about WhatsApp contacts, such as contact ID, status, display name, timestamps, etc. Screenshot of the table:

Table structure:

Field name | Meaning
_id | Sequence number of the record (set by SQLite)
jid | WhatsApp ID of the contact (a string structured as 'x@s.whatsapp.net', where 'x' is the phone number of the contact)
is_whatsapp_user | Contains '1' if the contact corresponds to an actual WhatsApp user, '0' otherwise
status | Text in the status line of the contact
status_timestamp | Contains a timestamp in the Unix Epoch Time (ms) format
number | Phone number associated with the contact
raw_contact_id | Sequence number of the contact
display_name | Display name of the contact
phone_type | Type of the phone
phone_label | Label associated with the phone number
unseen_msg_count | Number of messages sent by the contact that have been received, but have not yet been read
photo_ts | Contains a timestamp in the Unix Epoch Time format
thumb_ts | Contains a timestamp in the Unix Epoch Time format
photo_id_timestamp | Contains a timestamp in the Unix Epoch Time (ms) format
given_name | The field value is the same as in display_name for each contact
wa_name | WhatsApp name of the contact (as set in their profile)
sort_name | Name of the contact used in sorting operations
nickname | WhatsApp nickname of the contact (as set in their profile)
company | Company (as set in the contact's profile)
title | Title (Mr/Ms/Mrs, as set in the contact's profile)
offset | Offset

• sqlite_sequence
This table contains information about the number of contacts.

• android_metadata
This table contains information about WhatsApp language localization.
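To show how the wa_contacts columns described above are normalised in practice, here is an added example (not code from the original post or from Group-IB): it builds a constructed in-memory SQLite table with the same column names, then strips the phone number out of the jid, converts the millisecond Unix Epoch timestamps to UTC and filters out entries that are not actual WhatsApp users. The sample rows are invented for the demonstration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows mirroring the wa_contacts columns described above (not a real dump).
SAMPLE_CONTACTS = [
    # jid, is_whatsapp_user, status, status_timestamp (ms), display_name, unseen_msg_count
    ("15550001111@s.whatsapp.net", 1, "Available", 1700000000000, "Alice Example", 2),
    ("15550002222@s.whatsapp.net", 0, None, 0, "Bob Example", 0),
    ("15550003333@s.whatsapp.net", 1, "Busy", 1700003600000, "Carol Example", 0),
]

def build_sample_wa_db():
    """Create an in-memory SQLite database with a minimal wa_contacts table (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE wa_contacts (
        _id INTEGER PRIMARY KEY AUTOINCREMENT,
        jid TEXT, is_whatsapp_user INTEGER, status TEXT,
        status_timestamp INTEGER, display_name TEXT, unseen_msg_count INTEGER)""")
    con.executemany("INSERT INTO wa_contacts (jid, is_whatsapp_user, status, "
                    "status_timestamp, display_name, unseen_msg_count) VALUES (?,?,?,?,?,?)",
                    SAMPLE_CONTACTS)
    con.commit()
    return con

def phone_from_jid(jid):
    """'x@s.whatsapp.net' -> 'x'; returns None for any other shape (e.g. group ids)."""
    if not jid or not jid.endswith("@s.whatsapp.net"):
        return None
    return jid.split("@", 1)[0]

def ms_to_utc(ms):
    """Unix Epoch time in milliseconds -> ISO-8601 UTC string; 0/None means never set."""
    if not ms:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def extract_contacts(con, only_users=True):
    """Return normalised contact dicts from wa_contacts, in insertion (_id) order."""
    sql = ("SELECT jid, is_whatsapp_user, status, status_timestamp, display_name, "
           "unseen_msg_count FROM wa_contacts")
    if only_users:
        sql += " WHERE is_whatsapp_user = 1"   # drop address-book entries that are not on WhatsApp
    rows = con.execute(sql + " ORDER BY _id").fetchall()
    return [{"phone": phone_from_jid(r[0]), "display_name": r[4], "status": r[2],
             "status_time_utc": ms_to_utc(r[3]), "unread": r[5]} for r in rows]

if __name__ == "__main__":
    for contact in extract_contacts(build_sample_wa_db()):
        print(contact)
```

Against a real wa.db the same functions apply unchanged once `sqlite3.connect` is pointed at the extracted file; the only page-specific assumptions are the column names listed in the table above.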

The msgstore.db database contains information about sent messages, such as contact number, message content, status, timestamps, information about attached files, etc. The msgstore.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:

The most interesting tables in the msgstore.db file for forensic investigators are:

• sqlite_sequence
This table contains general information about the database, for instance, the total number of stored messages, total number of chats, etc. Screenshot of the table:

• message_fts_content
Contains the content of messages. Screenshot of the table:

• messages
This table contains information, such as contact number, message body, status, timestamps, and information about attached files. Screenshot of the table:
