WhatsApp in the palm of your hand: where and how can you find forensic artifacts?

If you want to know what types of WhatsApp forensic artifacts exist on the various operating systems and where exactly they can be found, this article is for you. With it, Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, opens a series of posts on the forensic examination of WhatsApp and the information that can be obtained by analysing a device.

We note right away that different operating systems store different types of WhatsApp artifacts: the fact that an examiner can extract certain WhatsApp data from one device does not mean that the same kind of data can be extracted from another. For example, if a Windows system unit is seized, WhatsApp chats will most likely not be found on its drives (the exception is iOS device backups, which may be stored on those drives). Laptops and mobile devices have their own peculiarities. Let's look at this in more detail.

WhatsApp Artifacts on an Android Device

To extract WhatsApp artifacts from an Android device, the examiner must have root privileges ('root') on the device under investigation, or be able to obtain a physical dump of the device memory or its file system by other means (for example, by exploiting software vulnerabilities in a specific mobile device).

The application files are located in the partition of the phone memory where user data is stored; typically this partition is named 'userdata'. The program's subdirectories and files are located at '/data/data/com.whatsapp/'.

The main files containing WhatsApp forensic artifacts on Android are the databases 'wa.db' and 'msgstore.db'.

The 'wa.db' database contains the complete list of the user's WhatsApp contacts, including phone number, display name, timestamps, and any other information provided when registering with WhatsApp. The file 'wa.db' is located at '/data/data/com.whatsapp/databases/' and has the following structure:

[screenshot: structure of 'wa.db']
The tables in 'wa.db' of most interest to the examiner are:

  • 'wa_contacts'
    This table contains contact information: whatsapp contact id, status information, user display name, timestamps, etc.

    Table appearance: [screenshot]

    Table structure

    Field name | Value
    _id | record number (in the SQL table)
    jid | WhatsApp contact ID, written in the format <phone number>@s.whatsapp.net
    is_whatsapp_user | contains '1' if the contact is an actual WhatsApp user, '0' otherwise
    status | contains the text displayed in the contact's status
    status_timestamp | timestamp in Unix Epoch Time (ms) format
    number | phone number associated with the contact
    raw_contact_id | contact number
    display_name | contact display name
    phone_type | phone type
    phone_label | the label associated with the contact's number
    unseen_msg_count | the number of messages sent by the contact that the recipient has not yet read
    photo_ts | timestamp in Unix Epoch Time format
    thumb_ts | timestamp in Unix Epoch Time format
    photo_id_timestamp | timestamp in Unix Epoch Time (ms) format
    given_name | matches 'display_name' for each contact
    wa_name | WhatsApp contact name (the name set in the contact's profile)
    sort_name | contact name used in sort operations
    nickname | the contact's WhatsApp nickname (the nickname set in the contact's profile)
    company | company (the company listed in the contact's profile)
    title | title (Madam/Mr.; the title set in the contact's profile)
    offset | offset
  • 'sqlite_sequence'
    This table contains information about the number of contacts;
  • 'android_metadata'
    This table contains information about the language localization of WhatsApp.

The 'msgstore.db' database contains information about transferred messages, such as the contact number, message text, message status, timestamps, information about files attached to messages, etc. The file 'msgstore.db' is located at '/data/data/com.whatsapp/databases/' and has the following structure:

[screenshot: structure of 'msgstore.db']
The tables in 'msgstore.db' of most interest to the examiner are:

  • 'sqlite_sequence'
    This table contains general information about this database, such as the total number of messages stored, the total number of chats, and so on.

    Table appearance: [screenshot]

  • 'message_fts_content'
    Contains the text of the sent messages.

    Table appearance: [screenshot]

  • 'messages'
    This table contains information such as contact number, message text, message status, timestamps, information about transferred files included in messages.

    Table appearance: [screenshot]

    Table structure

    Field name | Value
    _id | record number (in the SQL table)
    key_remote_jid | WhatsApp ID of the communication partner
    key_from_me | message direction: '0' – incoming, '1' – outgoing
    key_id | unique message identifier
    status | message status: '0' - delivered, '4' - waiting on the server, '5' - received at destination, '6' - control message, '13' - message opened by the recipient (read)
    need_push | '2' if it is a broadcast message, '0' otherwise
    data | message text (when 'media_wa_type' is '0')
    timestamp | timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock
    media_url | URL of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_mime_type | MIME type of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_wa_type | message type: '0' - text, '1' - graphic file, '2' - audio file, '3' - video file, '4' - contact card, '5' - geodata
    media_size | size of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_name | name of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_caption | contains the words 'audio' or 'video' for the corresponding values of 'media_wa_type' (when 'media_wa_type' is '1' or '3')
    media_hash | base64-encoded SHA-256 hash of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_duration | duration of the media file in seconds (when 'media_wa_type' is '1', '2' or '3')
    origin | '2' if it is a broadcast message, '0' otherwise
    latitude | geodata: latitude (when 'media_wa_type' is '5')
    longitude | geodata: longitude (when 'media_wa_type' is '5')
    thumb_image | service information
    remote_resource | sender ID (group chats only)
    received_timestamp | time of receipt; timestamp in Unix Epoch Time (ms) format, taken from the device clock (set when 'key_from_me' is '0'; otherwise '-1' or another value)
    send_timestamp | not used, usually set to '-1'
    receipt_server_timestamp | time the message was received by the central server; timestamp in Unix Epoch Time (ms) format, taken from the device clock (set when 'key_from_me' is '1'; otherwise '-1' or another value)
    receipt_device_timestamp | time the message was received by the other subscriber; timestamp in Unix Epoch Time (ms) format, taken from the device clock (set when 'key_from_me' is '1'; otherwise '-1' or another value)
    read_device_timestamp | time the message was opened (read); timestamp in Unix Epoch Time (ms) format, taken from the device clock
    played_device_timestamp | message playback time; timestamp in Unix Epoch Time (ms) format, taken from the device clock
    raw_data | thumbnail of the transferred file (when 'media_wa_type' is '1' or '3')
    recipient_count | number of recipients (for broadcast messages)
    participant_hash | used when sending messages with geodata
    starred | not used
    quoted_row_id | unknown, usually contains '0'
    mentioned_jids | not used
    multicast_id | not used
    offset | offset

    This list of fields is not exhaustive. Depending on the WhatsApp version, some of these fields may be absent, and additional fields such as 'media_enc_hash', 'edit_version' or 'payment_transaction_id' may be present.

  • 'messages_thumbnails'
    This table contains information about transferred images and timestamps. The 'timestamp' column indicates the time in Unix Epoch Time (ms) format.
  • 'chat_list'
    This table contains information about chats.

    Table appearance: [screenshot]
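As an added example (not code from the original article), the following Python script reads a copy of 'msgstore.db' with 'wa.db' attached, decodes the 'status', 'media_wa_type' and millisecond timestamp columns described above, and resolves each 'key_remote_jid' to a display name from 'wa_contacts'; a jid with no contact row (for example, a deleted contact) is reported separately. The sample databases it builds are constructed for illustration and contain only the columns the script reads.

```python
import sqlite3
from datetime import datetime, timezone

# Code tables as given in the article's description of the 'messages' table.
STATUS = {0: "delivered", 4: "waiting on server", 5: "received at destination",
          6: "control message", 13: "read"}
MEDIA_TYPE = {0: "text", 1: "image", 2: "audio", 3: "video",
              4: "contact card", 5: "geodata"}


def ms_to_utc(ms):
    """Unix Epoch Time in milliseconds -> 'YYYY-MM-DD HH:MM:SS UTC'; None for unset/-1."""
    if ms is None or ms < 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def open_evidence(msgstore_path, wa_path):
    """Open msgstore.db and attach wa.db under the schema name 'wa'.
    Work on copies of the extracted files, never on the originals."""
    con = sqlite3.connect(msgstore_path)
    con.execute("ATTACH DATABASE ? AS wa", (wa_path,))
    return con


def build_timeline(con):
    """Return messages in chronological order, joined with wa_contacts on the jid,
    with status/type codes and millisecond timestamps decoded."""
    rows = con.execute("""
        SELECT m.key_remote_jid, m.key_from_me, m.status, m.media_wa_type, m.data,
               m.timestamp, m.received_timestamp, m.read_device_timestamp,
               m.media_name, m.media_size, m.latitude, m.longitude, c.display_name
        FROM messages AS m
        LEFT JOIN wa.wa_contacts AS c ON c.jid = m.key_remote_jid
        ORDER BY m.timestamp""").fetchall()
    timeline = []
    for (jid, from_me, status, wa_type, text, ts, recv_ts, read_ts,
         name, size, lat, lon, display_name) in rows:
        entry = {
            "time": ms_to_utc(ts),
            "direction": "outgoing" if from_me == 1 else "incoming",
            # No wa_contacts row for this jid: fall back to the bare phone number.
            "partner": display_name or jid.split("@")[0],
            "jid": jid,
            "status": STATUS.get(status, f"unknown({status})"),
            "type": MEDIA_TYPE.get(wa_type, f"unknown({wa_type})"),
            "received": ms_to_utc(recv_ts),
            "read": ms_to_utc(read_ts),
        }
        if wa_type == 0:
            entry["text"] = text
        elif wa_type in (1, 2, 3):
            entry["media"] = {"name": name, "size": size}
        elif wa_type == 5:
            entry["location"] = (lat, lon)
        timeline.append(entry)
    return timeline


def unresolved_jids(timeline):
    """jids that occur in messages but have no display_name in wa.db."""
    return sorted({e["jid"] for e in timeline if e["partner"] == e["jid"].split("@")[0]})


def make_sample_evidence():
    """Constructed sample data (not real evidence); only the columns read above exist."""
    con = open_evidence(":memory:", ":memory:")
    con.executescript("""
        CREATE TABLE messages (
            _id INTEGER PRIMARY KEY, key_remote_jid TEXT, key_from_me INTEGER, key_id TEXT,
            status INTEGER, data TEXT, timestamp INTEGER, received_timestamp INTEGER,
            read_device_timestamp INTEGER, media_wa_type INTEGER, media_name TEXT,
            media_size INTEGER, latitude REAL, longitude REAL);
        CREATE TABLE wa.wa_contacts (
            _id INTEGER PRIMARY KEY, jid TEXT, is_whatsapp_user INTEGER,
            display_name TEXT, number TEXT);
        INSERT INTO wa.wa_contacts VALUES
            (1, '79123456789@s.whatsapp.net', 1, 'Alex', '+7 912 345-67-89');
        INSERT INTO messages VALUES
            (1, '79123456789@s.whatsapp.net', 0, 'K1', 0, 'hi there',
             1484040000000, 1484040001000, 1484040002000, 0, NULL, NULL, NULL, NULL),
            (2, '79123456789@s.whatsapp.net', 1, 'K2', 13, NULL,
             1484040600000, -1, -1, 1, 'IMG-20170110-WA0001.jpg', 84213, NULL, NULL),
            (3, '79123456789@s.whatsapp.net', 1, 'K3', 4, NULL,
             1484041200000, -1, -1, 5, NULL, NULL, 55.75, 37.62),
            (4, '79000000000@s.whatsapp.net', 0, 'K4', 0, 'who is this?',
             1484041800000, 1484041801000, -1, 0, NULL, NULL, NULL, NULL);
    """)
    return con


if __name__ == "__main__":
    con = make_sample_evidence()
    for entry in build_timeline(con):
        print(entry)
    print("no contact record for:", unresolved_jids(build_timeline(con)))
```

To run it against extracted files, replace the two ':memory:' arguments of open_evidence() with the paths of the copied 'msgstore.db' and 'wa.db'.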

Also, when examining WhatsApp on an Android mobile device, you should pay attention to the following files:

  • File 'msgstore.db.cryptXX' (where XX is a one- or two-digit number from 0 to 12, for example msgstore.db.crypt12). Contains an encrypted backup of the WhatsApp messages (a backup of the file msgstore.db). The file (or files) 'msgstore.db.cryptXX' are located at '/data/media/0/WhatsApp/Databases/' (virtual SD card) or '/mnt/sdcard/WhatsApp/Databases/' (physical SD card).
  • File 'key'. Contains a cryptographic key. Located at '/data/data/com.whatsapp/files/'. Used to decrypt encrypted WhatsApp backups.
  • File 'com.whatsapp_preferences.xml'. Contains information about the WhatsApp account profile. Located at '/data/data/com.whatsapp/shared_prefs/'.

    File content fragment

    <?xml version="1.0" encoding="ISO-8859-1"?>
    …
    <string name="ph">9123456789</string> (phone number associated with the WhatsApp account)
    …
    <string name="version">2.17.395</string> (WhatsApp version)
    …
    <string name="my_current_status">Hey there! I am using WhatsApp.</string> (message displayed in the account status)
    …
    <string name="push_name">Alex</string> (name of the account owner)
    …
  • File 'registration.RegisterPhone.xml'. Contains information about the phone number associated with the WhatsApp account. The file is located along the path: '/data/data/com.whatsapp/shared_prefs/'.

    File contents

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <map>
    <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string>
    <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/>
    <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string>
    <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string>
    <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string>
    </map>
  • File 'axolotl.db'. Contains cryptographic keys and other data needed to identify the account owner. Located at '/data/data/com.whatsapp/databases/'.
  • File 'chatsettings.db'. Contains application configuration information.
  • File 'wa.db'. Contains contact details. Very interesting (in the forensic aspect) and informative database. Detailed information about deleted contacts can be found in it.

You also need to pay attention to the following directories:

  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains uploaded graphic files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Voice Notes/'. Contains voice messages as .OPUS files.
  • Directory '/data/data/com.whatsapp/cache/Profile Pictures/'. Contains graphic files - images of contacts.
  • Directory '/data/data/com.whatsapp/files/Avatars/'. Contains graphic files - thumbnail images of contacts. These files have a '.j' extension but are still JPEG (JPG) image files.
  • Directory '/data/data/com.whatsapp/files/Avatars/'. Contains graphic files - the image and the thumbnail of the image set as an avatar by the account owner.
  • Directory '/data/data/com.whatsapp/files/Logs/'. Contains the program's operation log (the file 'whatsapp.log') and backup copies of the operation logs (files named in the format whatsapp-yyyy-mm-dd.1.log.gz).

WhatsApp log files:

Log fragment:

2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] missedcallnotification/init count:0 timestamp:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Worker #1] missedcallnotification/update cancel true
2017-01-10 09:37:09.768 LL_I D [1:main] app-init/load-me
2017-01-10 09:37:09.772 LL_I D [1:main] password file missing or unreadable
2017-01-10 09:37:09.782 LL_I D [1:main] statistics Text Messages: 59 sent, 82 received / Media Messages: 1 sent (0 bytes), 0 received (9850158 bytes) / Offline Messages: 81 received ( 19522 msec average delay) / Message Service: 116075 bytes sent, 211729 bytes received / Voip Calls: 1 outgoing calls, 0 incoming calls, 2492 bytes sent, 1530 bytes received / Google Drive: 0 bytes sent, 0 bytes received / Roaming: 1524 bytes sent, 1826 bytes received / Total Data: 118567 bytes sent, 10063417 bytes received
2017-01-10 09:37:09.785 LL_I D [1:main] media-state-manager/refresh-media-state/writable-media
2017-01-10 09:37:09.806 LL_I D [1:main] app-init/initialize/timer/stop: 24
2017-01-10 09:37:09.811 LL_I D [1:main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1:main] msgstore/checkhealth/journal/delete false
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkhealth/back/delete false
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1:main] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery/timer/stop: 8
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery 517 | time spent:8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/refresh-media-state/internal-storage available:1,345,622,016 total:5,687,922,688

  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. Contains received audio files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/'. Contains sent audio files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains received graphic files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/Sent/'. Contains uploaded graphic files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/'. Contains received video files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/Sent/'. Contains uploaded video files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Profile Photos/'. Contains image files associated with the owner of the WhatsApp account.
  • To save space on the Android smartphone, some WhatsApp data can be stored on the SD card. In the root of the SD card there is a directory 'WhatsApp' in which the following artifacts of this program can be found:

    [screenshot: contents of the 'WhatsApp' directory on the SD card]

  • Directory '.Share' ('/mnt/sdcard/WhatsApp/.Share/'). Contains copies of files that have been shared with other WhatsApp users.
  • Directory '.trash' ('/mnt/sdcard/WhatsApp/.trash/'). Contains deleted files.
  • Directory 'Databases' ('/mnt/sdcard/WhatsApp/Databases/'). Contains encrypted backups. They can be decrypted if the file 'key' has been extracted from the memory of the analysed device.

    Files in the 'Databases' subdirectory:

    [screenshot: files in the 'Databases' subdirectory]

  • Directory 'Media' ('/mnt/sdcard/WhatsApp/Media/'). Contains the subdirectories 'WallPaper', 'WhatsApp Audio', 'WhatsApp Images', 'WhatsApp Profile Photos', 'WhatsApp Video' and 'WhatsApp Voice Notes', which hold received and sent multimedia files (graphic files, video files, voice messages, photos associated with the profile of the WhatsApp account owner, wallpapers).
  • Directory 'Profile Pictures' ('/mnt/sdcard/WhatsApp/Profile Pictures/'). Contains image files associated with the profile of the WhatsApp account owner.
  • Sometimes the SD card also has a directory 'Files' ('/mnt/sdcard/WhatsApp/Files/'). It contains files that store program settings and user preferences.

Features of data storage in some models of mobile devices

Some Android device models store WhatsApp artifacts in a different location, because the vendor's system software changes where application data is kept. For example, Xiaomi devices have a function that creates a second workspace ("Second Space"). When it is activated, the data location changes: on a regular Android device user data is stored under '/data/user/0/' (a reference to the usual '/data/data/'), whereas in the second workspace application data is stored under '/data/user/10/'. Thus the location of the file 'wa.db' is:

  • on a regular Android smartphone: '/data/user/0/com.whatsapp/databases/wa.db' (equivalent to '/data/data/com.whatsapp/databases/wa.db');
  • in the second workspace of a Xiaomi smartphone: '/data/user/10/com.whatsapp/databases/wa.db'.

WhatsApp Artifacts on an iOS Device

Unlike Android, on iOS the WhatsApp data is included in the device backup (iTunes backup), so extracting data from this application does not require extracting the file system or creating a physical memory dump of the device under investigation. Most of the relevant information is contained in the 'ChatStorage.sqlite' database, located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (some tools display this path as 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').

Structure of 'ChatStorage.sqlite': [screenshot]

The most informative tables in the 'ChatStorage.sqlite' database are 'ZWAMESSAGE' and 'ZWAMEDIAITEM'.

Table appearance 'ZWAMESSAGE': [screenshot]

Table structure 'ZWAMESSAGE'

Field name | Value
Z_PK | record number (in the SQL table)
Z_ENT | table identifier, value '9'
Z_OPT | unknown, usually contains values from '1' to '6'
ZCHILDMESSAGESDELIVEREDCOUNT | unknown, usually contains '0'
ZCHILDMESSAGESPLAYEDCOUNT | unknown, usually contains '0'
ZCHILDMESSAGESREADCOUNT | unknown, usually contains '0'
ZDATAITEMVERSION | unknown, usually '3'; probably a text message pointer
ZDOCID | unknown
ZENCRETRYCOUNT | unknown, usually contains '0'
ZFILTEREDRECIPIENTCOUNT | unknown, usually contains '0', '2' or '256'
ZISFROMME | message direction: '0' – incoming, '1' – outgoing
ZMESSAGEERRORSTATUS | message transfer status; '0' if the message was sent/received
ZMESSAGETYPE | message type
ZSORT | unknown
ZSPOTLIGHTSTATUS | unknown
ZSTARRED | unknown, not used
ZCHATSESSION | unknown
ZGROUPMEMBER | unknown, not used
ZLASTSESSION | unknown
ZMEDIAITEM | unknown
ZMESSAGEINFO | unknown
ZPARENTMESSAGE | unknown, not used
ZMESSAGEDATE | timestamp in OS X Epoch Time format
ZSENTDATE | time the message was sent, in OS X Epoch Time format
ZFROMJID | WhatsApp ID of the sender
ZMEDIASECTIONID | contains the year and month the media file was sent
ZPHASH | unknown, not used
ZPUSHNAME | name of the contact who sent the media file, in UTF-8
ZSTANZAID | unique message identifier
ZTEXT | message text
ZTOJID | WhatsApp ID of the recipient
offset | offset

Table appearance 'ZWAMEDIAITEM': [screenshot]

Table structure 'ZWAMEDIAITEM'

Field name | Value
Z_PK | record number (in the SQL table)
Z_ENT | table identifier, value '8'
Z_OPT | unknown, usually contains values from '1' to '3'
ZCLOUDSTATUS | contains '4' if the file has been loaded
ZFILESIZE | file length (in bytes) for loaded files
ZMEDIAORIGIN | unknown, usually '0'
ZMOVIEDURATION | duration of the media file; for PDF files it may contain the number of pages in the document
ZMESSAGE | contains a sequence number (it differs from the one in the 'Z_PK' column)
ZASPECTRATIO | aspect ratio, not used, usually '0'
ZHACCURACY | unknown, usually '0'
ZLATITUDE | width in pixels
ZLONGITUDE | height in pixels
ZMEDIAURLDATE | timestamp in OS X Epoch Time format
ZAUTHORNAME | author (for documents, may contain the file name)
ZCOLLECTIONNAME | not used
ZMEDIALOCALPATH | file name (with path) in the device's file system
ZMEDIAURL | URL where the media file was located; if the file was transferred from one subscriber to another it was encrypted, and its extension is given as .enc instead of the extension of the transferred file
ZTHUMBNAILLOCALPATH | path to the file's thumbnail in the device's file system
ZTITLE | file title
ZVCARDNAME | hash of the media file; when a file is sent to a group it may contain the sender's identifier
ZVCARDSTRING | information about the type of the transferred file (for example, image/jpeg); when a file is sent to a group it may contain the recipient's identifier
ZXMPPTHUMBPATH | path to the file's thumbnail in the device's file system
ZMEDIAKEY | unknown; probably contains the key for decrypting the encrypted file
ZMETADATA | message metadata
offset | offset

Other interesting tables in the 'ChatStorage.sqlite' database are:

  • 'ZWAPROFILEPUSHNAME'. Maps a WhatsApp ID to the contact's name;
  • 'ZWAPROFILEPICTUREITEM'. Maps a WhatsApp ID to the contact's avatar;
  • 'Z_PRIMARYKEY'. Contains general information about this database, such as the total number of stored messages, the total number of chats, and so on.
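As an added example (not code from the original article), the following Python script converts the OS X Epoch Time values in 'ChatStorage.sqlite' (seconds since 2001-01-01 00:00:00 UTC) and builds a media inventory by joining 'ZWAMESSAGE' with 'ZWAMEDIAITEM', flagging items whose 'ZMEDIAURL' ends in .enc and whose 'ZCLOUDSTATUS' is '4'. It assumes that 'ZWAMEDIAITEM.ZMESSAGE' holds the 'Z_PK' of the owning 'ZWAMESSAGE' row (an assumption, not a fact stated on the page); the sample database is constructed for illustration and contains only the columns the script reads.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# "OS X Epoch Time" (Core Data dates): seconds since 2001-01-01 00:00:00 UTC,
# which is 978307200 seconds after the Unix epoch.
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def coredata_to_utc(seconds):
    """ZMESSAGEDATE / ZSENTDATE / ZMEDIAURLDATE value -> 'YYYY-MM-DD HH:MM:SS UTC'; None if unset."""
    if seconds is None:
        return None
    return (COREDATA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S UTC")


def media_inventory(con):
    """One record per media item, joined to the message it belongs to.
    Assumption (not stated in the article): ZWAMEDIAITEM.ZMESSAGE references ZWAMESSAGE.Z_PK."""
    rows = con.execute("""
        SELECT m.Z_PK, m.ZISFROMME, m.ZMESSAGEDATE, COALESCE(m.ZFROMJID, m.ZTOJID),
               i.ZMEDIALOCALPATH, i.ZMEDIAURL, i.ZVCARDSTRING, i.ZFILESIZE, i.ZCLOUDSTATUS
        FROM ZWAMESSAGE AS m
        JOIN ZWAMEDIAITEM AS i ON i.ZMESSAGE = m.Z_PK
        ORDER BY m.ZMESSAGEDATE""").fetchall()
    inventory = []
    for pk, from_me, date, jid, local_path, url, mime, size, cloud in rows:
        inventory.append({
            "message_pk": pk,
            "direction": "outgoing" if from_me == 1 else "incoming",
            "time": coredata_to_utc(date),
            "partner": jid,
            "mime": mime,
            "size": size,
            "local_path": local_path,
            # Per the article: a file relayed between subscribers is stored encrypted at its
            # URL with the extension .enc, and ZCLOUDSTATUS '4' marks a loaded file.
            "encrypted_in_transit": bool(url) and url.endswith(".enc"),
            "downloaded": cloud == 4,
        })
    return inventory


def make_sample_chatstorage():
    """Constructed sample ChatStorage.sqlite (not real evidence); only the columns used above.
    The URL host 'placeholder.invalid' is a placeholder, not a real WhatsApp endpoint."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZISFROMME INTEGER,
            ZMESSAGETYPE INTEGER, ZMESSAGEDATE REAL, ZSENTDATE REAL,
            ZFROMJID TEXT, ZTOJID TEXT, ZTEXT TEXT, ZMEDIAITEM INTEGER);
        CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZMESSAGE INTEGER,
            ZCLOUDSTATUS INTEGER, ZFILESIZE INTEGER, ZMEDIALOCALPATH TEXT, ZMEDIAURL TEXT,
            ZVCARDSTRING TEXT, ZMEDIAURLDATE REAL);
        INSERT INTO ZWAMESSAGE VALUES
            (1, 9, 0, 0, 505732800.0, NULL, '79123456789@s.whatsapp.net', NULL, 'hi there', NULL),
            (2, 9, 1, 1, 505733400.0, 505733400.0, NULL, '79123456789@s.whatsapp.net', NULL, 1),
            (3, 9, 0, 1, 505734000.0, NULL, '79123456789@s.whatsapp.net', NULL, NULL, 2);
        INSERT INTO ZWAMEDIAITEM VALUES
            (1, 8, 2, 4, 84213, 'Message/Media/79123456789@s.whatsapp.net/IMG-0001.jpg',
             'https://placeholder.invalid/IMG-0001.jpg.enc', 'image/jpeg', 505733400.0),
            (2, 8, 3, 0, 1024, NULL, 'https://placeholder.invalid/report.pdf.enc',
             'application/pdf', NULL);
    """)
    return con


if __name__ == "__main__":
    for item in media_inventory(make_sample_chatstorage()):
        print(item)
```

To run it against an extracted backup, replace ':memory:' in sqlite3.connect() with the path of a copy of 'ChatStorage.sqlite'.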

Also, when examining WhatsApp on a mobile device running iOS, you should pay attention to the following files:

  • File 'BackedUpKeyValue.sqlite'. Contains cryptographic keys and other data needed to identify the account owner. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • File 'ContactsV2.sqlite'. Contains information about the user's contacts, such as full name, phone number, contact status (as text), WhatsApp ID, etc. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • File 'consumer_version'. Contains the version number of the installed WhatsApp application. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • File 'current_wallpaper.jpg'. Contains the current WhatsApp background wallpaper. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'. Old versions of the application use the file 'wallpaper', located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
  • File 'blockedcontacts.dat'. Contains information about blocked contacts. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
  • File 'pw.dat'. Contains an encrypted password. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
  • File 'net.whatsapp.whatsapp.plist' (or 'group.net.whatsapp.whatsapp.shared.plist'). Contains information about the WhatsApp account profile. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.

Content of the 'group.net.whatsapp.WhatsApp.shared.plist' file: [screenshot]
You also need to pay attention to the following directories:

  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. Contains thumbnails of contacts and groups (files with the extension .thumb), contact avatars, and the avatar of the WhatsApp account owner (the file 'Photo.jpg').
  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. Contains multimedia files and their thumbnails.
  • Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'. Contains the program's operation log (the file 'calls.log') and a backup copy of the operation log (the file 'calls.backup.log').
  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. Contains stickers ('.webp' files).
  • Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. Contains program operation logs.

WhatsApp Artifacts on Windows

WhatsApp Artifacts on Windows can be found in several places. First of all, these are the directories containing the executable and auxiliary files of the program (for Windows 8/10):

  • 'C:\Program Files (x86)\WhatsApp'
  • 'C:\Users\%User profile%\AppData\Local\WhatsApp'
  • 'C:\Users\%User profile%\AppData\Local\VirtualStore\Program Files (x86)\WhatsApp'

The directory 'C:\Users\%User profile%\AppData\Local\WhatsApp' contains the log file 'SquirrelSetup.log', which records update checks and the installation of the program.

The directory 'C:\Users\%User profile%\AppData\Roaming\WhatsApp' contains several subdirectories:

[screenshot: subdirectories of 'AppData\Roaming\WhatsApp']
The file 'main-process.log' contains information about the operation of WhatsApp.

Subdirectory 'databases' contains file 'databases.db', but this file does not contain any information about chats or contacts.

From a forensic point of view, the most interesting files are those in the 'Cache' directory. Most of them have names of the form 'f_*******' (where each * is a digit from 0 to 9) and contain encrypted media files and documents, although some unencrypted files are among them. The files 'data_0', 'data_1', 'data_2' and 'data_3' in the same subdirectory are of particular interest: 'data_0', 'data_1' and 'data_3' contain external links to the transmitted encrypted multimedia files and documents.

An example of the information contained in the file 'data_1': [screenshot]

The file 'data_3' may also contain graphic files.

File 'data_2' contains contact avatars (can be recovered by searching through file titles).

Avatars contained in the file 'data_2': [screenshot]
Thus, chats themselves cannot be found in the computer memory, but you can find:

  • multimedia files;
  • documents transferred via WhatsApp;
  • account holder contact information.

WhatsApp Artifacts on macOS

On macOS you can find the same types of WhatsApp artifacts as on Windows.

The program files are located in the following directories:

  • '/Applications/WhatsApp.app'
  • '/Applications/._WhatsApp.app'
  • '/Users/%User profile%/Library/Preferences'
  • '/Users/%User profile%/Library/Logs/WhatsApp'
  • '/Users/%User profile%/Library/Saved Application State/WhatsApp.savedState'
  • '/Users/%User profile%/Library/Application Scripts'
  • '/Users/%User profile%/Library/Application Support/CloudDocs'
  • '/Users/%User profile%/Library/Application Support/WhatsApp.ShipIt'
  • '/Users/%User profile%/Library/Containers/com.rockysandstudio.app-for-whatsapp'
  • '/Users/%User profile%/Library/Mobile Documents/<text variable>/WhatsApp Accounts'
    This directory contains subdirectories whose names are the phone numbers associated with the WhatsApp account owner.
  • '/Users/%User profile%/Library/Caches/WhatsApp.ShipIt'
    This directory contains information about the installation of the program.
  • '/Users/%User profile%/Pictures/iPhoto Library.photolibrary/Masters', '/Users/%User profile%/Pictures/iPhoto Library.photolibrary/Thumbnails'
    These directories contain the program's service files, including photos and thumbnails of WhatsApp contacts.
  • '/Users/%User profile%/Library/Caches/WhatsApp'
    This directory contains several SQLite databases used for data caching.
  • '/Users/%User profile%/Library/Application Support/WhatsApp'
    This directory contains several subdirectories:

    [screenshot: subdirectories of 'Application Support/WhatsApp']
    The directory '/Users/%User profile%/Library/Application Support/WhatsApp/Cache' contains the files 'data_0', 'data_1', 'data_2', 'data_3' and files named 'f_*******' (where each * is a digit from 0 to 9). For what these files contain, see WhatsApp Artifacts on Windows.

    The directory '/Users/%User profile%/Library/Application Support/WhatsApp/IndexedDB' may contain multimedia files (the files have no extensions).

    The file 'main-process.log' contains information about the operation of WhatsApp.


In the following articles in this series:

  • Decryption of encrypted WhatsApp databases. An article that will explain how the WhatsApp encryption key is generated and give practical examples of decrypting this application's encrypted databases.
  • Extracting WhatsApp data from cloud storage. An article in which we will explain what WhatsApp data is stored in the cloud and describe methods for extracting it from cloud storage.
  • WhatsApp Data Extraction: Practical Examples. An article that will describe step by step which programs to use and how to extract WhatsApp data from various devices.

Source: habr.com
