Idan kuna son sanin nau'ikan kayan tarihi na WhatsApp da ke wanzu akan tsarin aiki daban-daban da kuma inda ake iya samun su daidai, to wannan shine wurin ku. Wannan labarin ya fito ne daga ƙwararre a Laboratory Forensics Computer Group-IB Igor Mikhailov fara jerin rubuce-rubuce game da binciken bincike na WhatsApp da kuma irin bayanan da za a iya samu ta hanyar nazarin na'urar.
Mu lura da cewa manhajojin aiki daban-daban na adana kayan tarihi na WhatsApp daban-daban, kuma idan mai bincike zai iya fitar da wasu nau’ikan bayanan WhatsApp daga wata na’ura, wannan ba yana nufin ana iya fitar da nau’ikan bayanan daga wata na’ura ba. Misali, idan an cire sashin tsarin da ke amfani da Windows OS, mai yiwuwa ba za a sami chats na WhatsApp a kan faifan diski ba (ban da kwafin na'urorin iOS, waɗanda za a iya samun su a kan faifan diski iri ɗaya). Kame kwamfutar tafi-da-gidanka da na'urorin tafi-da-gidanka zai kasance yana da halayensa. Bari mu yi magana game da wannan dalla-dalla.
WhatsApp kayan tarihi a cikin na'urar Android
Domin fitar da kayan tarihi na WhatsApp daga na'urar Android, mai binciken dole ne ya sami haƙƙin babban mai amfani ('tushen') akan na'urar da ake bincike ko kuma iya fitar da juji na ƙwaƙwalwar ajiyar na'urar, ko tsarin fayil ɗinta (misali, ta amfani da raunin software na takamaiman na'urar hannu).
Fayilolin aikace-aikacen suna cikin ƙwaƙwalwar ajiyar wayar a sashin da ake adana bayanan mai amfani. A matsayinka na mai mulki, ana kiran wannan sashe 'userdata'. Subdirectories da fayilolin shirin suna kan hanyar: '/data/data/com.whatsapp/'.
Babban fayilolin da ke ɗauke da kayan aikin bincike na WhatsApp a cikin Android OS sune bayanan bayanai 'wa.db' и 'msgstore.db'.
A cikin database 'wa.db' ya ƙunshi cikakken jerin sunayen masu amfani da WhatsApp, gami da lambar waya, sunan nuni, tambarin lokaci, da duk wani bayani da aka bayar yayin yin rijistar WhatsApp. Fayil 'wa.db' dake kan hanyar: '/data/data/com.whatsapp/databases/' kuma yana da tsari kamar haka:
Tebur mafi ban sha'awa a cikin bayanan 'wa.db' ga mai binciken sune:
- 'wa_contacts'
Wannan tebur ɗin ya ƙunshi bayanan tuntuɓar: ID lambar sadarwa ta WhatsApp, bayanin matsayi, sunan nunin mai amfani, tambarin lokaci, da sauransu.Siffar tebur:
Tsarin teburSunan filin Ma'ana _id lambar jerin rikodin (a cikin tebur SQL) jid ID na lamba ta WhatsApp, an rubuta ta hanyar <lambar waya>@s.whatsapp.net shine_whatsapp_mai amfani ya ƙunshi '1' idan lambar sadarwar ta dace da ainihin mai amfani da WhatsApp, '0' in ba haka ba status ya ƙunshi rubutun da aka nuna a matsayin lamba status_timestamp ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms). lambar lambar waya mai alaƙa da lambar sadarwa raw_contact_id lamba serial number nuni_name sunan nunin lamba nau'in waya nau'in waya wayar_label lakabin hade da lambar sadarwa ganuwa_msg_count adadin saƙonnin da abokin hulɗa ya aiko amma mai karɓa bai karanta ba hotuna ya ƙunshi tambarin lokaci a cikin tsarin lokaci na Unix Epoch babban yatsa_ts ya ƙunshi tambarin lokaci a cikin tsarin lokaci na Unix Epoch photo_id_timestamp ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms). aka ba_suna ƙimar filin tayi daidai da 'display_name' ga kowace lamba wa_name Sunan lambar sadarwa ta WhatsApp (sunan da aka ƙayyade a cikin bayanan martaba yana nunawa) iri_suna sunan tuntuɓar da aka yi amfani da shi a nau'ikan ayyuka sunan barkwanci laƙabin lamba a cikin WhatsApp (an nuna sunan laƙabin da aka ƙayyade a cikin bayanan abokin hulɗa) kamfanin kamfani (kamfanin da aka kayyade a cikin bayanan martaba yana nuna) suna take (Ms./Mr.; taken da aka saita a cikin bayanin martaba yana nunawa) biya son zuciya - 'sqlite_sequence'
Wannan tebur ya ƙunshi bayani game da adadin lambobin sadarwa; - 'android_metadata'
Wannan tebur ɗin ya ƙunshi bayani game da gurɓatar harshe na WhatsApp.
A cikin database 'msgstore.db' ya ƙunshi bayani game da saƙonnin da aka aiko, kamar lambar lamba, saƙon rubutu, matsayin saƙo, tambura, cikakkun bayanai na fayilolin da aka canjawa wuri da ke cikin saƙonni, da sauransu. Fayil 'msgstore.db' dake kan hanyar: '/data/data/com.whatsapp/databases/' kuma yana da tsari kamar haka:
Tebur mafi ban sha'awa a cikin fayil ɗin 'msgstore.db' ga mai binciken sune:
- 'sqlite_sequence'
Wannan tebur ya ƙunshi cikakkun bayanai game da wannan ma'ajin bayanai, kamar jimillar adadin saƙonnin da aka adana, jimlar yawan taɗi, da sauransu.Siffar tebur:
- 'saƙon_fts_abun ciki'
Ya ƙunshi rubutun saƙonnin da aka aika.Siffar tebur:
- 'saƙonni'
Wannan tebur ya ƙunshi bayani kamar lambar lamba, saƙon saƙo, matsayin saƙo, tambarin lokaci, bayani game da canja wurin fayilolin da aka haɗa cikin saƙonni.Siffar tebur:
Tsarin teburSunan filin Ma'ana _id lambar jerin rikodin (a cikin tebur SQL) key_remote_jid WhatsApp ID na abokin sadarwa key_daga_ni hanyar saƙo: '0' - mai shigowa, '1' - mai fita key_id mai gano saƙo na musamman status Matsayin saƙo: '0' - isarwa, '4' - jira akan sabar, '5' - karɓa a wurin da aka nufa, '6' - saƙon sarrafawa, '13' - saƙon da mai karɓa ya buɗe (karanta) bukata_turawa yana da darajar '2' idan saƙon watsawa ne, in ba haka ba ya ƙunshi '0' data saƙon rubutu (lokacin 'media_wa_type' sigar '0') timestamp ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms), ana ɗaukar ƙimar daga agogon na'ura mai jarida_url ya ƙunshi URL ɗin fayil ɗin da aka canjawa wuri (lokacin da sigar 'media_wa_type' ita ce '1', '2', '3') media_mime_type Nau'in MIME na fayil ɗin da aka canjawa wuri (lokacin da sigar 'media_wa_type' ta yi daidai da '1', '2', '3') media_wa_type nau'in saƙo: '0' - rubutu, '1' - fayil mai hoto, '2' - fayil mai jiwuwa, '3' - fayil ɗin bidiyo, '4' - katin lamba, '5' - geodata media_size girman fayil ɗin da aka canjawa wuri (lokacin da sigar 'media_wa_type' ita ce '1', '2', '3') media_name sunan fayil ɗin da aka canjawa wuri (lokacin da sigar 'media_wa_type' ita ce '1', '2', '3') mai jarida_taken magana Ya ƙunshi kalmomin 'audio', 'bidiyo' don daidaitattun ƙimar ma'aunin 'media_wa_type' (lokacin da sigar 'media_wa_type' ita ce '1', '3') media_hash base64 faifan hash na fayil ɗin da aka watsa, ƙididdige su ta amfani da algorithm HAS-256 (lokacin da sigar 'media_wa_type' ta yi daidai da '1', '2', '3') media_tsawon lokaci tsawon lokaci a cikin daƙiƙa don fayil ɗin mai jarida (lokacin da 'media_wa_type' shine '1', '2', '3') Asali yana da darajar '2' idan saƙon watsawa ne, in ba haka ba ya ƙunshi '0' latitude Geodata: latitude (lokacin da sigar 'media_wa_type' shine '5') tsayi Geodata: longitude (lokacin da sigar 'media_wa_type' ita ce '5') babban yatsa_hoton bayanin sabis remote_resource ID na mai aikawa (don tattaunawar rukuni kawai) samu_timestamp lokacin karɓa, ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms), ana ɗaukar ƙimar daga agogon na'ura (lokacin da sigar 'key_from_me' tana da '0', '-1' ko wata ƙima) send_timestamp ba a amfani da shi, yawanci yana da ƙimar '-1' receipt_server_timestamp lokacin da uwar garken tsakiya ta karɓa, ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms), ana ɗaukar ƙimar daga agogon na'ura (lokacin da 'key_from_me' parameter yana da '1', '-1' ko wata ƙima. receipt_na'urar_timestamp lokacin da wani mai biyan kuɗi ya karɓi saƙon, ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms), ana ɗaukar ƙimar daga agogon na'urar (lokacin da ma'aunin 'key_from_me' yana da '1', '-1' ko wata ƙima. read_na'urar_timestamp lokacin buɗe (karanta) saƙon, ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms), ana ɗaukar ƙimar daga agogon na'urar. buga_na'urar_timestamp Lokacin sake kunna saƙo, ya ƙunshi tambarin lokaci a tsarin Unix Epoch Time (ms), ana ɗaukar ƙimar daga agogon na'ura raw_data thumbnail na fayil ɗin da aka canjawa wuri (lokacin da sigar 'media_wa_type' ita ce '1' ko '3') mai karɓa_count adadin masu karɓa (don saƙonnin watsa shirye-shirye) ɗan takara_hash ana amfani dashi lokacin aika saƙonni tare da geodata starred ba amfani nakalto_row_id wanda ba a sani ba, yawanci ya ƙunshi ƙimar '0' aka ambata_jids ba amfani multicast_id ba amfani biya son zuciya Wannan jerin filayen ba su ƙare ba. Don nau'ikan WhatsApp daban-daban, wasu filayen na iya kasancewa ko ba su nan. Ƙari ga haka, ana iya kasancewa filaye 'media_enc_hash', 'edit_version', 'payment_transaction_id' da sauransu.
- 'saƙonnin_thumbnails'
Wannan tebur ya ƙunshi bayanai game da abubuwan da aka canjawa wuri da tambura. A cikin rukunin 'timestamp', ana nuna lokacin a cikin tsarin Unix Epoch Time (ms). - 'chat_list'
Wannan tebur ya ƙunshi bayani game da taɗi.Siffar tebur:
Hakanan, lokacin bincika WhatsApp akan na'urar hannu da ke aiki da Android, yakamata ku kula da waɗannan fayilolin:
- fayil 'msgstore.db.cryptXX' (inda XX ke lamba ɗaya ko biyu daga 0 zuwa 12, misali, msgstore.db.crypt12). Ya ƙunshi rufaffen madadin saƙonnin WhatsApp (fayil ɗin madadin msgstore.db). Fayiloli (s) 'msgstore.db.cryptXX' dake kan hanyar: '/data/media/0/WhatsApp/Databases/' (Virtual SD Card), '/mnt/sdcard/WhatsApp/Databases/ (katin SD na zahiri)'.
- fayil 'key'. Ya ƙunshi maɓallin sirri. Wurin da ke kan hanyar: '/data/data/com.whatsapp/files/'. Ana amfani da shi don warware ɓoyayyun madogaran WhatsApp.
- fayil 'com.whatsapp_preferences.xml'. Ya ƙunshi bayani game da bayanan asusun ku na WhatsApp. Fayil ɗin yana kan hanyar: '/data/data/com.whatsapp/shared_prefs/'.
Guntun abun ciki na fayil
<?xml version="1.0" encoding="ISO-8859-1"?> … <string name="ph">9123456789</string> (номер телефона, ассоциированный с аккаунтом WhatsApp) … <string name="version">2.17.395</string> (версия WhatsApp) … <string name="my_current_status">Hey there! I am using WhatsApp.</string> (сообщение, отображаемое в статусе аккаунта) … <string name="push_name">Alex</string> (имя владельца аккаунта) … - fayil 'rejist.RegisterPhone.xml'. Ya ƙunshi bayani game da lambar wayar da ke da alaƙa da asusun WhatsApp. Fayil ɗin yana kan hanyar: '/data/data/com.whatsapp/shared_prefs/'.
Abubuwan da ke cikin fayil
<?xml version="1.0" encoding="ISO-8859-1"?> <map> <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string> <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/> <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/> <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string> <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/> <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string> <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string> </map> - fayil 'axolotl.db'. Ya ƙunshi maɓallan sirri da sauran bayanan da suka wajaba don gano mai asusun. Wurin da ke kan hanyar: '/data/data/com.whatsapp/databases/'.
- fayil 'chatsets.db'. Ya ƙunshi bayanin tsarin aikace-aikacen.
- fayil 'wa.db'. Ya ƙunshi bayanan tuntuɓar. Mai ban sha'awa mai ban sha'awa (daga yanayin bincike) da bayanan bayanai. Zai iya ƙunsar cikakken bayani game da share lambobi.
Hakanan kuna buƙatar kula da kundayen adireshi masu zuwa:
- Directory '/data/media/0/WhatsApp/Media/Hotunan WhatsApp/'. Ya ƙunshi fayilolin da aka canjawa wuri.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Bayanan kula Muryar/'. Ya ƙunshi saƙon murya a cikin fayilolin tsarin OPUS.
- Directory '/data/data/com.whatsapp/cache/Hotunan Bayanan/'. Ya ƙunshi fayilolin hoto - hotunan lambobin sadarwa.
- Directory '/data/data/com.whatsapp/files/Avatars/'. Ya ƙunshi fayilolin mai hoto - hotunan lambobi. Waɗannan fayilolin suna da tsawo na '.j' amma duk da haka fayilolin hoton JPEG (JPG) ne.
- Directory '/data/data/com.whatsapp/files/Avatars/'. Ya ƙunshi fayilolin hoto - hoto da thumbnail na hoton da aka saita azaman avatar ta mai asusun.
- Directory '/data/data/com.whatsapp/files/Logs/'. Ya ƙunshi rajistan ayyukan shirin (fayil 'whatsapp.log') da madadin kwafin rajistan ayyukan shirin (fayil ɗin da sunaye a cikin tsarin whatsapp-yyyy-mm-dd.1.log.gz).
Fayilolin log ɗin WhatsApp:
Rukunin jarida2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Ma'aikacin #1] missed call notification/init count:0 timestamp:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Ma'aikacin #1] missed kiran waya/sabuntawa soke gaskiya
2017-01-10 09:37:09.768 LL_I D [1: babba] app-init/load-ni
2017-01-10 09:37:09.772 LL_I D [1: main] kalmar sirri ta ɓace ko ba za a iya karantawa ba
2017-01-10 09:37:09.782 LL_I D [1:main] kididdiga Saƙonnin rubutu: 59 aika, 82 karɓa / Saƙonnin Media: 1 aika (0 bytes), 0 karɓa (9850158 bytes) / Saƙonnin layi: 81 karɓa ( 19522 msec matsakaicin jinkiri) / Sabis na saƙo: 116075 bytes aika, 211729 bytes karɓa / Kiran Voip: kira mai fita 1, kira mai shigowa 0, 2492 bytes da aka aika, 1530 bytes da aka karɓa / Google Drive: 0 bytes da aka aika, 0 bytes da aka karɓa / yawo: 1524 bytes aika, 1826 bytes samu / Jimlar bayanai: 118567 bytes aika, 10063417 bytes samu
2017-01-10 09:37:09.785 LL_I D [1: babba] media-jihar-manajan/sake-kafofin watsa labarai-jihar/rubuta-kafofin watsa labarai
2017-01-10 09:37:09.806 LL_I D [1: babba] app-init/farawa/lokaci/tsayawa: 24
2017-01-10 09:37:09.811 LL_I D [1:main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1:main] msgstore/checkhealth/jarida/share karya
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkhealth/baya/share karya
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-jarida 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1:main] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery/timer/stop: 8
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery 517 | lokaci:8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/refresh-media-state/internal-storage available:1,345,622,016 total:5,687,922,688
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. Ya ƙunshi fayilolin mai jiwuwa da aka karɓa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/Aika/'. Ya ƙunshi fayilolin odiyo da aka aika.
- Directory '/data/media/0/WhatsApp/Media/Hotunan WhatsApp/'. Ya ƙunshi fayilolin mai hoto da aka samu.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/Aika/'. Ya ƙunshi fayilolin hoto da aka aika.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/'. Ya ƙunshi fayilolin bidiyo da aka karɓa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/An aika/'. Ya ƙunshi fayilolin bidiyo da aka aika.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Hotunan Bayanan martaba/'. Ya ƙunshi fayilolin hoto masu alaƙa da mai asusun WhatsApp.
- Don adana sararin ƙwaƙwalwar ajiya akan wayar Android ɗin ku, ana iya adana wasu bayanan WhatsApp akan katin SD. A katin SD, a cikin tushen directory, akwai adireshi 'WhatsApp', inda za a iya samun wadannan kayan tarihi na wannan shirin:
- Directory '.Share' ('/mnt/sdcard/WhatsApp/.Share/'). Ya ƙunshi kwafin fayilolin da aka raba tare da sauran masu amfani da WhatsApp.
- Directory '.sharar gida' ('/mnt/sdcard/WhatsApp/.shara/'). Ya ƙunshi share fayiloli.
- Directory 'databases' ('/mnt/sdcard/WhatsApp/Databases/'). Ya ƙunshi rufaffiyar maajiyar. Ana iya ɓoye su idan fayil ɗin yana nan 'key', cirewa daga ƙwaƙwalwar ajiyar na'urar da aka bincika.
Fayilolin da ke cikin babban kundin adireshi 'databases':
- Directory 'Rabi' ('/mnt/sdcard/WhatsApp/Media/'). Ya ƙunshi ƙananan kundin adireshi 'Takardar bango', 'WhatsApp Audio', Hotunan 'WhatsApp', Hotunan 'WhatsApp Profile Photos', 'WhatsApp Video', 'WhatsApp Voice Notes', wanda ya ƙunshi fayilolin multimedia da aka karɓa da watsawa (fayil ɗin hotuna, fayilolin bidiyo, saƙon murya, hotuna masu alaƙa da bayanin martaba na mai asusun WhatsApp, fuskar bangon waya).
- Directory 'Hotunan Bayani' ('/mnt/sdcard/WhatsApp/Hotunan Bayanan/'). Ya ƙunshi fayilolin hoto masu alaƙa da bayanin martabar mai asusun WhatsApp.
- Wani lokaci ana iya samun kundin adireshi a katin SD 'fiyiloli' ('/mnt/sdcard/WhatsApp/Files/'). Wannan jagorar ya ƙunshi fayiloli waɗanda ke adana saitunan shirin da abubuwan zaɓin mai amfani.
Fasalolin ajiyar bayanai a wasu samfuran na'urorin hannu
Wasu nau'ikan na'urorin hannu masu amfani da Android OS na iya adana kayan tarihi na WhatsApp a wani wuri daban. Wannan ya faru ne saboda canje-canje a wurin ajiyar bayanan aikace-aikacen ta hanyar software na na'urar hannu. Misali, na'urorin wayar hannu Xiaomi suna da aiki don ƙirƙirar filin aiki na biyu ("SecondSpace"). Lokacin da aka kunna wannan aikin, wurin bayanan yana canzawa. Don haka, idan a cikin na'urar hannu ta yau da kullun da ke aiki da bayanan mai amfani da Android OS an adana su a cikin kundin adireshi '/data/mai amfani/0/' (wanda yake nuni zuwa ga al'ada '/data/data/'), sannan a cikin na biyu bayanan aikace-aikacen sarari ana adana su a cikin kundin adireshi '/data/mai amfani/10/'. Wato, ta amfani da misalin wurin fayil ɗin 'wa.db':
- a cikin wayoyi na yau da kullun da ke aiki da Android OS: /data/user/0/com.whatsapp/databases/wa.db' (wanda yayi daidai '/data/data/com.whatsapp/databases/wa.db');
- a cikin filin aiki na biyu na wayar hannu Xiaomi: '/data/user/10/com.whatsapp/databases/wa.db'.
WhatsApp kayan tarihi a cikin na'urar iOS
Ba kamar Android OS, a iOS WhatsApp aikace-aikace data canjawa wuri zuwa madadin kwafin (iTunes madadin). Don haka, fitar da bayanai daga wannan aikace-aikacen baya buƙatar cire tsarin fayil ko ƙirƙirar juji na zahiri na na'urar da ake bincike. Yawancin bayanan da suka dace suna kunshe a cikin ma'ajin bayanai 'ChatStorage.sqlite', wanda ke kan hanyar: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (a wasu shirye-shirye wannan hanyar tana bayyana kamar 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').
tsarin 'ChatStorage.sqlite':
Mafi kyawun allunan bayanai a cikin bayanan 'ChatStorage.sqlite' sune 'ZWAMESSAGE' и 'ZWAMEDIAITEM'.
Siffar tebur 'ZWAMESSAGE':
Tsarin tebur 'ZWAMESSAGE'
| Sunan filin | Ma'ana |
|---|---|
| Z_PK | lambar jerin rikodin (a cikin tebur SQL) |
| Z_ENT | mai gano tebur, yana da darajar '9' |
| Z_OPT | wanda ba a sani ba, yawanci yana ƙunshe da ƙima daga '1' zuwa '6' |
| ZCHILDMESSAGES DELIVEREDCOUNT | wanda ba a sani ba, yawanci ya ƙunshi ƙimar '0' |
| ZCHILDMESSAGESPLAYEDCOUNT | wanda ba a sani ba, yawanci ya ƙunshi ƙimar '0' |
| ZARASHIN SAUKI | wanda ba a sani ba, yawanci ya ƙunshi ƙimar '0' |
| ZDATAITEMVERSION | wanda ba a sani ba, yawanci yana ƙunshe da ƙimar '3', mai yiwuwa alamar saƙon rubutu |
| ZDOCID | ba a sani ba |
| ZENCRETRYCOUNT | wanda ba a sani ba, yawanci ya ƙunshi ƙimar '0' |
| ZFILTEREDRECIPIENTCOUNT | wanda ba a sani ba, yawanci yana ƙunshe da ƙimar'0', '2', '256' |
| ZISFROMME | hanyar saƙo: '0' - mai shigowa, '1' - mai fita |
| ZMESSAGEERRORSTATUS | Matsayin watsa sakon. Idan an aika/karɓi saƙon, to yana da darajar '0' |
| ZMESSAGETYPE | nau'in sakon da ake watsawa |
| ZSORT | ba a sani ba |
| ZSPOTLIGHSTATUS | ba a sani ba |
| ZSTARRED | wanda ba a sani ba, ba a amfani da shi |
| ZCHATESSION | ba a sani ba |
| ZGROUPMEMBA | wanda ba a sani ba, ba a amfani da shi |
| ZLASTESSION | ba a sani ba |
| ZMEDIAITEM | ba a sani ba |
| ZMESSAGEINFO | ba a sani ba |
| ZPARENTMESSAGE | wanda ba a sani ba, ba a amfani da shi |
| ZMESSAGEDATE | timestamp a cikin tsarin lokaci na OS X Epoch |
| ZSENTDATE | lokacin da aka aiko da sakon a cikin tsarin lokaci na OS X Epoch |
| ZFROMJID | WhatsApp Sender ID |
| ZMEDIASECTIONID | ya ƙunshi shekara da watan da aka aika fayil ɗin mai jarida |
| ZPHASH | wanda ba a sani ba, ba a amfani da shi |
| ZPUSSHPAME | sunan abokin hulɗa wanda ya aika fayil ɗin mai jarida a tsarin UTF-8 |
| ZSTANZID | mai gano saƙo na musamman |
| ZTEXT | Rubutun saƙo |
| ZTOJID | WhatsApp ID na mai karɓa |
| OFFSET | son zuciya |
Siffar tebur 'ZWAMEDIAITEM':
Tsarin tebur 'ZWAMEDIAITEM'
| Sunan filin | Ma'ana |
|---|---|
| Z_PK | lambar jerin rikodin (a cikin tebur SQL) |
| Z_ENT | mai gano tebur, yana da darajar '8' |
| Z_OPT | wanda ba a sani ba, yawanci yana ƙunshe da ƙima daga '1' zuwa '3'. |
| ZCLOUDSTATUS | ya ƙunshi darajar '4' idan an ɗora fayil ɗin. |
| ZFILESIZE | ya ƙunshi tsayin fayil (a cikin bytes) don fayilolin da aka sauke |
| ZMEDIAORIGIN | wanda ba a sani ba, yawanci yana da darajar '0' |
| ZMOVIEDURATION | tsawon lokacin fayil ɗin mai jarida, don fayilolin pdf na iya ƙunsar adadin shafukan daftarin |
| ZMESSAGE | ya ƙunshi serial number (lambar ta bambanta da wadda aka nuna a cikin ginshiƙin 'Z_PK') |
| ZASPECTRATIO | rabon al'amari, ba'a amfani dashi, yawanci saita zuwa '0' |
| ZHACCURACY | wanda ba a sani ba, yawanci yana da darajar '0' |
| ZLATTITITUDE | nisa a cikin pixels |
| ZLONGTITUDE | tsawo a cikin pixels |
| ZMEDIAURLDATE | timestamp a cikin tsarin lokaci na OS X Epoch |
| ZAUTORNAME | marubuci (don takardu, na iya ƙunshi sunan fayil) |
| ZCOLLECTIONNAME | ba amfani |
| ZMEDIALOCALPATH | sunan fayil (ciki har da hanya) a cikin tsarin fayil ɗin na'urar |
| ZMEDIAURL | URL inda fayil ɗin mai jarida yake. Idan an canza fayil ɗin daga wani mai biyan kuɗi zuwa wani, an ɓoye shi kuma za a nuna tsawanta azaman tsawo na fayil ɗin da aka canjawa wuri - .enc |
| ZTHUMBNAILLOCALPATH | hanyar zuwa babban fayil ɗin thumbnail a cikin tsarin fayil ɗin na'urar |
| ZTITLE | taken fayil |
| ZVCARDNAME | hash na fayil ɗin mai jarida; lokacin canja wurin fayil ɗin zuwa ƙungiya, yana iya ƙunsar mai gano mai aikawa |
| ZVCARDSTRING | ya ƙunshi bayani game da nau'in fayil ɗin da ake canjawa wuri (misali, hoto/jpeg); lokacin canja wurin fayil zuwa rukuni, yana iya ƙunshi mai gano mai karɓa. |
| ZXMPPTHUMBPATH | hanyar zuwa babban fayil ɗin thumbnail a cikin tsarin fayil ɗin na'urar |
| ZMEDIAKEY | wanda ba a sani ba, mai yiwuwa ya ƙunshi maɓalli don warware ɓoyayyen fayil ɗin. |
| ZMETADATA | metadata na sakon da aka watsa |
| Offset | son zuciya |
Sauran teburin bayanai masu ban sha'awa 'ChatStorage.sqlite' su ne:
- 'ZWAPROFILEPUSHNAME'. Ya dace da ID na WhatsApp tare da sunan lamba;
- 'ZWAPROFILEPICTURE ITEM'. Ya dace da ID na WhatsApp tare da avatar lamba;
- 'Z_PRIMARYKEY'. Teburin ya ƙunshi cikakkun bayanai game da wannan ma'ajin bayanai, kamar jimillar adadin saƙonnin da aka adana, jimlar yawan taɗi, da sauransu.
Hakanan, lokacin bincika WhatsApp akan na'urar hannu da ke aiki da iOS, yakamata ku kula da waɗannan fayilolin:
- fayil 'BackedUpKeyValue.sqlite'. Ya ƙunshi maɓallan sirri da sauran bayanan da suka wajaba don gano mai asusun. Wurin da ke kan hanyar: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- fayil 'Lambobin sadarwaV2.sqlite'. Ya ƙunshi bayanai game da lambobin sadarwar mai amfani, kamar cikakken suna, lambar waya, matsayin lamba (a cikin sigar rubutu), ID na WhatsApp, da sauransu. Wurin da ke kan hanyar: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- fayil 'version_consumer'. Ya ƙunshi lambar sigar aikace-aikacen WhatsApp da aka shigar. Wurin da ke kan hanyar: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- fayil 'current_wallpaper.jpg'. Ya ƙunshi fuskar bangon waya ta WhatsApp na yanzu. Wurin da ke kan hanyar: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/. Tsofaffin sigar aikace-aikacen suna amfani da fayil ɗin 'wallpaper', wanda ke kan hanyar: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Takardu/'.
- fayil 'blocked contacts.dat'. Ya ƙunshi bayani game da katange lambobin sadarwa. Wurin da ke kan hanyar: /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.
- fayil 'pw.dat'. Ya ƙunshi rufaffen kalmar sirri. Wurin da ke kan hanyar: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
- fayil 'net.whatsapp.WhatsApp.plist' (ko fayil 'group.net.whatsapp.WhatsApp.shared.plist'). Ya ƙunshi bayani game da bayanan asusun ku na WhatsApp. Fayil ɗin yana kan hanyar: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.
Abubuwan da ke cikin fayil ɗin 'group.net.whatsapp.WhatsApp.shared.plist'
Hakanan kuna buƙatar kula da kundayen adireshi masu zuwa:
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. Ya ƙunshi takaitaccen siffofi na lambobin sadarwa, ƙungiyoyi (fayil ɗin tare da tsawo .yatsa), tuntuɓar avatars, avatar mai asusun WhatsApp (fayil 'Photo.jpg').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. Ya ƙunshi fayilolin multimedia da thumbnails
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Takardu/'. Ya ƙunshi rajistan ayyukan shirin (fayil 'kira.log') da kwafin kwafin rajistan ayyukan shirin (fayil 'calls.backup.log').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. Ya ƙunshi lambobi (fiyiloli a cikin tsari '.webp').
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. Ya ƙunshi rajistan ayyukan shirin.
WhatsApp kayan tarihi akan Windows
Ana iya samun kayan tarihi na WhatsApp akan Windows a wurare da yawa. Da farko, waɗannan kundayen adireshi ne waɗanda ke ɗauke da fayilolin shirye-shiryen aiwatarwa da taimako (na Windows 8/10):
- 'C: Fayilolin Shirin (x86)WhatsApp'
- 'C: Users% User profile% AppDataLocalWhatsApp'
- 'C: Users% profile User% AppDataLocalVirtualStore Files Program (x86)WhatsApp'
A cikin kundin bayanai 'C: Users% User profile% AppDataLocalWhatsApp' fayil ɗin log ɗin yana wurin 'SquirrelSetup.log', wanda ya ƙunshi bayanai game da duba sabuntawa da shigar da shirin.
A cikin kundin bayanai 'C: Users% profile User% AppDataRoamingWhatsApp' Akwai subdirectories da yawa:
fayil 'main-process.log' yana dauke da bayanai game da yadda ake tafiyar da shirin WhatsApp.
Subdirectory 'databases' ya ƙunshi fayil 'Databases.db', amma wannan fayil bai ƙunshi kowane bayani game da taɗi ko lambobin sadarwa ba.
Mafi ban sha'awa daga ra'ayi na bincike shine fayilolin da ke cikin kundin adireshi 'Cache'. Waɗannan fayiloli ne masu suna 'f **** (inda * shine lamba daga 0 zuwa 9) mai ɗauke da rufaffiyar fayilolin multimedia da takardu, amma kuma akwai fayilolin da ba a ɓoye a cikinsu. Babban sha'awa shine fayilolin 'data_0', 'data_1', 'data_2', 'data_3', wanda yake a cikin babban kundin adireshi iri ɗaya. Fayiloli 'data_0', 'data_1', 'data_3' ya ƙunshi hanyoyin haɗin waje zuwa fayilolin multimedia rufaffiyar da aka watsa da takardu.
Misalin bayanin da ke cikin fayil 'data_1'
Hakanan fayil 'data_3' zai iya ƙunsar fayilolin mai hoto.
fayil 'data_2' ya ƙunshi avatars lamba (ana iya dawo da su ta hanyar bincike ta masu rubutun fayil).
Avatars da ke cikin fayil ɗin 'data_2':
Don haka, ba za a iya samun taɗi da kansu a cikin ƙwaƙwalwar kwamfuta ba, amma kuna iya samun:
- fayilolin multimedia;
- takardun da aka watsa ta WhatsApp;
- bayani game da abokan hulɗar mai asusun.
WhatsApp kayan tarihi akan MacOS
A cikin MacOS zaku iya samun nau'ikan kayan tarihi na WhatsApp kwatankwacin waɗanda aka samu a cikin Windows OS.
Fayilolin shirin suna cikin kundayen adireshi masu zuwa:
- 'C: ApplicationsWhatsApp.app'
- 'C: Applications._WhatsApp.app'
- 'C: Users% Profile User%Preferences Library'
- 'C: Users% profile User%LibraryLogsWhatsApp'
- 'C: Users% profile User%LibraryAjiye Aikace-aikacen JihaWhatsApp.savedState'
- 'C: Users% User profile%LibraryApplication Scripts'
- 'C: Users% Profile mai amfani%LibraryApplication SupportCloudDocs'
- 'C: Users% profile User%LibraryApplication SupportWhatsApp.ShipIt'
- 'C: Users% profile User%LibraryContainerscom.rockysandstudio.app-for-whatsapp'
- 'C: Users% User profile% Library Mobile Documents <text variable> WhatsApp Accounts'
Wannan kundin adireshi yana ƙunshe da kundin adireshi waɗanda sunayensu lambobin waya ne masu alaƙa da mai asusun WhatsApp. - 'C: Users% profile User%LibraryCachesWhatsApp.ShipIt'
Wannan jagorar ya ƙunshi bayani game da shigar da shirin. - 'C: Users% Profile mai amfani% PicturesiPhoto Library.photolibraryMasters', 'C: Masu amfani% Bayanin mai amfani% Hotunan Laburaren hoto.photolibraryThumbnails'
Waɗannan kundayen adireshi suna ɗauke da fayilolin sabis na shirin, gami da hotuna da thumbnails na lambobin sadarwar WhatsApp. - 'C: Users% Profile mai amfani%LibraryCachesWhatsApp'
Wannan jagorar ya ƙunshi bayanai na SQLite da yawa waɗanda ake amfani da su don ɓoye bayanai. - 'C: Users% User profile%LibraryApplication SupportWhatsApp'
Wannan kundin adireshi yana ƙunshe da kundin adireshi da yawa:
A cikin kundin bayanai 'C: Users% profile User%LibraryApplication SupportWhatsAppCache' akwai fayiloli 'data_0', 'data_1', 'data_2', 'data_3' da fayiloli masu suna 'f **** (inda * shine lamba daga 0 zuwa 9). Don ƙarin bayani game da abin da waɗannan fayilolin suka ƙunshi, duba WhatsApp Artifacts akan Windows.A cikin kundin bayanai 'C: Users% profile User% Library SupportWhatsAppIndexedDB' na iya ƙunsar fayilolin multimedia (fayil ɗin ba su da kari).
fayil 'main-process.log' yana dauke da bayanai game da yadda ake tafiyar da shirin WhatsApp.
Sources
- Binciken shari'a na WhatsApp Messenger akan wayoyin Android, na Cosimo Anglano, 2014.
- WhatsApp Forensics: Eksplorasi tsarin tsarin da tushen data daga aikace-aikace Android da iOS by Ahmad Pratama, 2014.
A cikin labarai masu zuwa a cikin wannan silsilar:
Decryption na rufaffen bayanan bayanan WhatsAppKasidar da za ta ba da bayani kan yadda ake samar da maɓalli na ɓoye WhatsApp da misalai masu amfani da ke nuna yadda ake ɓoye bayanan sirrin wannan aikace-aikacen.
Ciro bayanan WhatsApp daga ma'ajiyar girgijeWata kasida wacce a cikinta za mu gaya muku abubuwan da aka adana bayanan WhatsApp a cikin gajimare tare da bayyana hanyoyin da za a bi don dawo da wannan bayanan daga ma'ajiyar girgije.
Haɓaka Bayanan WhatsApp: Misalai masu AikiKasidar da za ta bayyana mataki-mataki irin shirye-shirye da kuma yadda ake fitar da bayanan WhatsApp daga na'urori daban-daban.
source: www.habr.com