WhatsApp in the palm of your hand: where and how can you find forensic artifacts?


If you want to know which kinds of WhatsApp forensic artifacts exist on different operating systems and exactly where they can be found, this is the place for you. With this article, Igor Mikhailov, specialist at the Group-IB Computer Forensics Laboratory, opens a series of posts about WhatsApp forensics and about the information that can be obtained by analysing a device.

Right away we note that different operating systems store different WhatsApp artifacts, and if an investigator can extract certain kinds of WhatsApp data from one device, this does not mean that the same kinds of data can be extracted from another device. For example, if the system drive of a computer running Windows OS is removed, WhatsApp chats will most likely not be found on it (except for backup copies of iOS devices, which can be found on such drives). Seized laptops and mobile devices each have their own particularities. Let us discuss this in more detail.

WhatsApp artifacts on Android devices

To extract WhatsApp artifacts from an Android device, the investigator must have superuser rights ('root') on the examined device, or must extract a physical memory dump of the device or its file system (for example, by using vulnerabilities in the software of the particular mobile device).

The application's files are located in the phone's memory in the partition where user data is saved. As a rule this partition is named 'userdata'. The program's subdirectories and files are located at the path '/data/data/com.whatsapp/'.

The main files containing WhatsApp forensic artifacts on Android OS are the databases 'wa.db' and 'msgstore.db'.

The 'wa.db' database holds the list of the WhatsApp user's contacts, including phone number, display name, timestamps and other information recorded when registering with WhatsApp. The file 'wa.db' is located at '/data/data/com.whatsapp/databases/' and has the following structure:

[screenshot: structure of 'wa.db']

The most interesting tables in the 'wa.db' database for the investigator are:

  • 'wa_contacts'
    This table contains contact data: WhatsApp contact ID, status information, user display name, timestamps, etc.

    Table view: [screenshot]

    Table structure

    | Field name | Value |
    | --- | --- |
    | _id | record serial number (in the SQL table) |
    | jid | WhatsApp contact ID, written in the form <phone number>@s.whatsapp.net |
    | is_whatsapp_user | contains '1' if the contact corresponds to an actual WhatsApp user, otherwise '0' |
    | status | contains the text displayed in the contact's status |
    | status_timestamp | contains a timestamp in Unix epoch time (ms) format |
    | number | phone number associated with the contact |
    | raw_contact_id | see contact number |
    | display_name | contact display name |
    | phone_type | phone type |
    | phone_label | label of the contact's number |
    | unseen_msg_count | number of messages sent by the contact but not read by the recipient |
    | photo_ts | contains a timestamp in Unix epoch time format |
    | thumb_ts | contains a timestamp in Unix epoch time format |
    | photo_id_timestamp | contains a timestamp in Unix epoch time (ms) format |
    | given_name | given name, composed from the contact's 'display_name' value |
    | wa_name | the contact's WhatsApp name (the name set in the contact's profile is shown) |
    | sort_name | the contact's name in sort form |
    | nickname | the contact's nickname in WhatsApp (the nickname set in the contact's own profile is shown) |
    | company | company (set in the contact's profile) |
    | title | title (Ms./Mr.; the title set in the contact's profile is shown) |

  • 'sqlite_sequence'
    This table contains information about the number of records;
  • 'android_metadata'
    This table contains information about the WhatsApp localization language.

The 'msgstore.db' database contains information about sent messages, such as the contact's number, message text, message status, timestamps, details of the images transferred in messages, etc. The file 'msgstore.db' is located at '/data/data/com.whatsapp/databases/' and has the following structure:

[screenshot: structure of 'msgstore.db']

The most interesting tables in the 'msgstore.db' database for the investigator are:

  • 'sqlite_sequence'
    This table contains general information about the database, such as the number of stored messages, the number of chats, etc.

    Table view: [screenshot]

  • 'messages_fts_content'
    Contains the text of sent messages.

    Table view: [screenshot]

  • 'messages'
    This table contains information such as the contact's number, message text, message status, timestamps, and information about the images transferred in messages.

    Table view: [screenshot]

    Table structure

    | Field name | Value |
    | --- | --- |
    | _id | record serial number (in the SQL table) |
    | key_remote_jid | WhatsApp ID of the communication partner |
    | key_from_me | message direction: '0' - incoming, '1' - outgoing |
    | key_id | unique message identifier |
    | status | message status: '0' - delivered, '4' - waiting on the central server, '5' - received at the destination, '6' - control message, '13' - message opened (read) by the recipient |
    | need_push | has the value '2' if the message was sent as a broadcast, otherwise contains '0' |
    | data | message text (when the 'media_wa_type' parameter is '0') |
    | timestamp | contains a timestamp in Unix epoch (ms) format; the value is taken from the device clock |
    | media_url | contains the URL of the transferred file (when the 'media_wa_type' parameter is '1', '2', '3') |
    | media_mime_type | MIME type of the transferred file (when the 'media_wa_type' parameter is '1', '2', '3') |
    | media_wa_type | message type: '0' - text, '1' - image file, '2' - audio file, '3' - video file, '4' - contact card, '5' - geodata |
    | media_size | size of the transferred file (when the 'media_wa_type' parameter is '1', '2', '3') |
    | media_name | name of the transferred file (when the 'media_wa_type' parameter is '1', '2', '3') |
    | media_caption | contains the words "audio", "video" for the corresponding 'media_wa_type' values (when the 'media_wa_type' parameter is '1', '3') |
    | media_hash | base64-encoded hash of the transferred file, computed with the SHA-256 algorithm (when the 'media_wa_type' parameter is '1', '2', '3') |
    | media_duration | duration in seconds for media files (when 'media_wa_type' is '1', '2', '3') |
    | origin | has the value '2' if the message was sent as a broadcast, otherwise contains '0' |
    | latitude | geodata: latitude (when the 'media_wa_type' parameter is '5') |
    | longitude | geodata: longitude (when the 'media_wa_type' parameter is '5') |
    | thumb_image | service data |
    | remote_resource | sender ID (group chats only) |
    | received_timestamp | time of receipt; contains a timestamp in Unix epoch (ms) format, the value taken from the device clock (when the 'key_from_me' parameter is '0'; otherwise '-1' or another value) |
    | send_timestamp | not used; usually has the value '-1' |
    | receipt_server_timestamp | time the message was received by the central server; contains a timestamp in Unix epoch (ms) format, the value taken from the device clock (when the 'key_from_me' parameter is '1'; otherwise '-1' or another value) |
    | receipt_device_timestamp | time the message was received by the other subscriber; contains a timestamp in Unix epoch (ms) format, the value taken from the device clock (when the 'key_from_me' parameter is '1'; otherwise '-1' or another value) |
    | read_device_timestamp | time the message was opened (read); contains a timestamp in Unix epoch (ms) format, the value taken from the device clock |
    | played_device_timestamp | time the message was played back; contains a timestamp in Unix epoch (ms) format, the value taken from the device clock |
    | raw_data | image data of the transferred file (when the 'media_wa_type' parameter is '1' or '3') |
    | recipient_count | number of recipients (for broadcast messages) |
    | participant_hash | used in messages transmitting geodata |
    | starred | not used |
    | quoted_row_id | unknown, usually contains the value '0' |
    | mentioned_jids | not used |
    | multicast_id | not used |

    This list of fields is not exhaustive. Depending on the WhatsApp version, some of the fields may be present or absent. In addition, fields such as 'media_enc_hash', 'edit_version', 'payment_transaction_id' etc. may be present.

  • 'messages_thumbnails'
    This table contains information about transferred images and timestamps. In the 'timestamp' column the time is given in Unix epoch (ms) format.
  • 'chat_list'
    This table contains information about chats.

    Table view: [screenshot]
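As an added example (not code from the original article), the following Python script builds a constructed miniature 'msgstore.db'/'wa.db' in memory with a subset of the columns described above, joins messages to contacts and decodes the coded columns (direction, status, media type, millisecond Unix timestamps). All JIDs, names and values are made up, and only the columns that actually exist in the copy at hand are selected, because the field set differs between WhatsApp versions.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample modelled on the wa_contacts and messages tables described above.
# Only a subset of columns is used; real databases differ between WhatsApp versions.
# All JIDs, numbers, names and timestamps below are made up for this example.
SAMPLE_SCHEMA = """
CREATE TABLE wa_contacts (
    _id INTEGER PRIMARY KEY AUTOINCREMENT, jid TEXT, is_whatsapp_user INTEGER,
    status TEXT, status_timestamp INTEGER, number TEXT, display_name TEXT,
    wa_name TEXT, unseen_msg_count INTEGER);
CREATE TABLE messages (
    _id INTEGER PRIMARY KEY AUTOINCREMENT, key_remote_jid TEXT, key_from_me INTEGER,
    key_id TEXT, status INTEGER, data TEXT, timestamp INTEGER, media_url TEXT,
    media_mime_type TEXT, media_wa_type INTEGER, media_size INTEGER, media_name TEXT,
    media_hash TEXT, latitude REAL, longitude REAL, remote_resource TEXT,
    received_timestamp INTEGER, read_device_timestamp INTEGER);
INSERT INTO wa_contacts (jid, is_whatsapp_user, status, status_timestamp, number,
    display_name, wa_name, unseen_msg_count)
  VALUES ('79123456789@s.whatsapp.net', 1, 'Busy', 1483950000000, '+7 912 345-67-89',
          'Alex', 'Alex', 0);
INSERT INTO messages (key_remote_jid, key_from_me, key_id, status, data, timestamp,
    media_wa_type, received_timestamp, read_device_timestamp)
  VALUES ('79123456789@s.whatsapp.net', 0, 'K1', 0, 'hello', 1484041029757, 0,
          1484041030000, 1484041100000);
INSERT INTO messages (key_remote_jid, key_from_me, key_id, status, timestamp, media_wa_type,
    media_url, media_mime_type, media_size, media_name, media_hash, received_timestamp)
  VALUES ('79123456789@s.whatsapp.net', 1, 'K2', 13, 1484041200000, 1,
          'https://example.invalid/media/0001', 'image/jpeg', 40960,
          'IMG-20170110-WA0001.jpg', 'c2FtcGxlLWhhc2g=', -1);
INSERT INTO messages (key_remote_jid, key_from_me, key_id, status, timestamp, media_wa_type,
    latitude, longitude, remote_resource, received_timestamp)
  VALUES ('1234567890-1484000000@g.us', 0, 'K3', 5, 1484041300000, 5, 55.7558, 37.6176,
          '79001112233@s.whatsapp.net', 1484041301000);
"""

# Code tables taken from the column descriptions above.
STATUS = {0: "delivered", 4: "waiting on central server", 5: "received at destination",
          6: "control message", 13: "opened (read) by recipient"}
MEDIA_TYPE = {0: "text", 1: "image", 2: "audio", 3: "video", 4: "contact card", 5: "geodata"}


def ms_to_utc(ms):
    """Unix epoch milliseconds -> 'YYYY-MM-DD HH:MM:SS.mmmZ'; NULL or -1 means 'not set'."""
    if ms is None or ms < 0:
        return None
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.strftime("%Y-%m-%d %H:%M:%S.") + f"{ms % 1000:03d}Z"


def present_columns(conn, table):
    """Column names that exist in this copy of the table (the set varies by version)."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def export_messages(conn):
    """Join messages to wa_contacts and decode the coded columns into readable fields."""
    wanted = ["_id", "key_remote_jid", "key_from_me", "key_id", "status", "data", "timestamp",
              "media_wa_type", "media_mime_type", "media_size", "media_name", "media_hash",
              "latitude", "longitude", "remote_resource", "received_timestamp",
              "read_device_timestamp"]
    cols = [c for c in wanted if c in present_columns(conn, "messages")]
    sql = ("SELECT " + ", ".join("m." + c for c in cols) + ", c.display_name, c.number "
           "FROM messages m LEFT JOIN wa_contacts c ON c.jid = m.key_remote_jid ORDER BY m._id")
    out = []
    for row in conn.execute(sql):
        rec = dict(zip(cols + ["contact_name", "contact_number"], row))
        rec["direction"] = "outgoing" if rec.get("key_from_me") == 1 else "incoming"
        rec["status_text"] = STATUS.get(rec.get("status"), "unknown")
        rec["type"] = MEDIA_TYPE.get(rec.get("media_wa_type"), "unknown")
        # Group chats carry the @g.us suffix; the actual sender is then in remote_resource.
        rec["is_group"] = (rec.get("key_remote_jid") or "").endswith("@g.us")
        rec["group_sender"] = rec.get("remote_resource") if rec["is_group"] else None
        for ts in ("timestamp", "received_timestamp", "read_device_timestamp"):
            if ts in rec:
                rec[ts + "_utc"] = ms_to_utc(rec[ts])
        out.append(rec)
    return out


def load_sample():
    """Open the constructed sample in memory; for a real case use sqlite3.connect(path)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


if __name__ == "__main__":
    for rec in export_messages(load_sample()):
        print(rec["timestamp_utc"], rec["direction"], rec["type"], rec["status_text"],
              rec["contact_name"] or rec["group_sender"] or rec["key_remote_jid"],
              rec.get("data") or rec.get("media_name") or "")
```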

Also, when examining WhatsApp on a mobile device running Android, you should pay attention to the following files:

  • file 'msgstore.db.cryptXX' (where XX is one or two digits from 0 to 12, for example msgstore.db.crypt12). Contains the encrypted backup of WhatsApp messages (a backup of the msgstore.db file). The 'msgstore.db.cryptXX' file(s) are located at '/data/media/0/WhatsApp/Databases/' (virtual SD card) or '/mnt/sdcard/WhatsApp/Databases/' (physical SD card).
  • file 'key'. Contains the cryptographic key. Located at '/data/data/com.whatsapp/files/'. Needed to decrypt the encrypted WhatsApp backup.
  • file 'com.whatsapp_preferences.xml'. Contains information about the WhatsApp account profile. The file is located at '/data/data/com.whatsapp/shared_prefs/'.

    File content fragment

    <?xml version="1.0" encoding="ISO-8859-1"?>
    …
    <string name="ph">9123456789</string> (phone number associated with the WhatsApp account)
    …
    <string name="version">2.17.395</string> (WhatsApp version)
    …
    <string name="my_current_status">Hey there! I am using WhatsApp.</string> (message displayed in the account status)
    …
    <string name="push_name">Alex</string> (account owner's name)
    …
  • file 'Registration.RegisterPhone.xml'. Contains information about the phone number associated with the WhatsApp account. The file is located at '/data/data/com.whatsapp/shared_prefs/'.

    File contents

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <map>
    <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string>
    <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/>
    <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string>
    <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string>
    <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string>
    </map>
  • file 'axolotl.db'. Contains cryptographic keys and other data needed to identify the account owner. Located at '/data/data/com.whatsapp/databases/'.
  • file 'chatsettings.db'. Contains the application's configuration information.
  • file 'wa.db'. Contains contact details. A very interesting (from the forensic point of view) and informative database. It may contain extensive data about deleted contacts.

You should also pay attention to the following directories:

  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains transferred graphic files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Voice Notes/'. Contains voice messages in .opus format.
  • Directory '/data/data/com.whatsapp/cache/Profile Pictures/'. Contains graphic files: contact images.
  • Directory '/data/data/com.whatsapp/files/avatar/'. Contains graphic files: contact avatar images. These files have the '.j' extension but are nonetheless JPEG (JPG) images.
  • Directory '/data/data/com.whatsapp/files/avatar/'. Contains graphic files: the image set as the avatar by the account owner.
  • Directory '/data/data/com.whatsapp/files/logs/'. Contains the application's operation log (file 'whatsapp.log') and backup copies of the application logs (files named in the form whatsapp-yyyy-mm-dd.1.log.gz).

WhatsApp log file:

Log fragment

    2017-01-10 09:37:09.757 LL_I D [524: whatsapp opificem # I] desideraricallnotification / init comitem: 1 indicatione: 0
    2017-01-10 09:37:09.758 LL_I D [524: whatsapp faciens # I] desideraricallnotification / update inrita vera
    2017-01-10 09:37:09.768 LL_I D [1:main] app-init/onus-me
    2017-01-10 09:37:09.772 LL_I D [1: main] password file absentis vel unreadable
    2017-01-10 09:37:09.782 LL_I D [1:main] statistics Text Messages: 59 missi, 82 receperunt / Media Messages: 1 missi (0 bytes), 0 receperunt (9850158 bytes) / Offline Messages: 81 accepti sunt ( 19522 msec mediocris mora) / Nuntius Service: 116075 bytes missus, 211729 bytes accepit / Voip Vocatus: 1 exitus vocat, 0 advenientis vocat, 2492 bytes missi, 1530 bytes recepta / Google Drive: 0 bytes missi, 0 bytes recepta / Roaming: 1524 bytes missa, 1826 bytes recepta / Total Data: 118567 bytes missi, 10063417 bytes receperunt
    2017-01-10 09:37:09.785 LL_I D [1: main] media-statu-media
    2017-01-10 09:37:09.806 LL_I D [1:main] app-init/initialize/timer/statur: 24
    2017-01-10 09:37:09.811 LL_I D [1:main] msgstore / checkhealth
    2017-01-10 09:37:09.817 LL_I D [1: main]
    2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/reprehendo/retro/deleto falsum
    2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
    2017-01-10 09:37:09.819 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
    2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
    2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
    2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
    2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
    2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
    2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
    2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
    2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
    2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
    2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-shm 32768 drw=011
    2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db 4096 drw=011
    2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
    2017-01-10 09:37:09.827 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
    2017-01-10 09:37:09.838 LL_I D [1:main] msgstore/checkdb/versio 1
    2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
    2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
    2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery/timer/stop: 8
    2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery 517 | tempus: VIII "
    2017-01-10 09:37:09.848 LL_I D [529: Whatsapp opificem #3] media-statu-procurator/renovare-media-status/repono praesto: 1,345,622,016 total:5,687,922,688
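As an added example (not from the original article), this Python parser reads 'whatsapp.log' lines of the shape shown in the fragment above and pulls the database inventory that the 'msgstore/checkdb/list' entries record. The sample lines are constructed from the intact entries of the fragment; the field names (level, flag, thread) are the example's own naming, not WhatsApp's.

```python
import re

# Line shape seen in whatsapp.log: "<date> <time.ms> <level> <flag> [<thread>] <message>".
# "level" and "flag" are names chosen for this example, not WhatsApp's own terms.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\S+) (?P<flag>\S+) "
    r"\[(?P<thread>[^\]]+)\] ?(?P<msg>.*)$")
LIST_RE = re.compile(r"^msgstore/checkdb/list (?P<name>\S+) (?P<size>\d+) drw=(?P<perm>\d+)$")

# Constructed sample: intact lines of the form shown in the fragment above, plus one junk line.
SAMPLE_LOG = """\
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-shm 32768 drw=011
garbage line that does not match the format
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def db_inventory(text):
    """File name -> size in bytes for every 'msgstore/checkdb/list' entry in the log."""
    sizes = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        lm = LIST_RE.match(rec["msg"])
        if lm:
            sizes[lm["name"]] = int(lm["size"])
    return sizes


def pending_wal(sizes):
    """Databases whose write-ahead log was non-empty at the time of the check.

    A non-zero -wal file means pages not yet merged into the main .db file, so the
    -wal (and -shm) files should be copied and examined together with the database."""
    return sorted(name[:-4] for name, size in sizes.items()
                  if name.endswith("-wal") and size > 0)


if __name__ == "__main__":
    inventory = db_inventory(SAMPLE_LOG)
    for name, size in sorted(inventory.items()):
        print(f"{name:20s} {size:>8d} bytes")
    print("databases with unmerged WAL pages:", pending_wal(inventory))
```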

  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. Contains received audio files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/'. Contains sent audio files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains received graphic files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/Sent/'. Contains sent graphic files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/'. Contains received video files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/Sent/'. Contains sent video files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Profile Photos/'. Contains graphic files associated with the WhatsApp account owner.
  • To save storage space on Android devices, some WhatsApp data may be stored on the SD card. In the root of the SD card there is a 'WhatsApp' directory in which the following artifacts of this application are found:

    [screenshot: listing of the 'WhatsApp' directory on the SD card]

  • Directory '.Share' ('/mnt/sdcard/WhatsApp/.Share/'). Contains copies of files that were shared with other WhatsApp users.
  • Directory '.trash' ('/mnt/sdcard/WhatsApp/.trash/'). Contains deleted files.
  • Directory 'Databases' ('/mnt/sdcard/WhatsApp/Databases/'). Contains encrypted backups. They can be decrypted if the 'key' file extracted from the device memory is available.

    Files located in the 'Databases' subdirectory:

    [screenshot: listing of the 'Databases' subdirectory]

  • Directory 'Media' ('/mnt/sdcard/WhatsApp/Media/'). Contains the subdirectories 'WallPaper', 'WhatsApp Audio', 'WhatsApp Images', 'WhatsApp Profile Photos', 'WhatsApp Video', 'WhatsApp Voice Notes', which hold received and sent multimedia files (graphic files, video files, voice messages, images associated with the WhatsApp account owner's profile, wallpaper).
  • Directory 'Profile Pictures' ('/mnt/sdcard/WhatsApp/Profile Pictures/'). Contains graphic files associated with the WhatsApp account owner's profile.
  • Sometimes a 'Files' directory may be present on the SD card ('/mnt/sdcard/WhatsApp/Files/'). This directory contains files that store program and user settings.

Features of data storage on certain models of mobile devices

Some models of mobile devices running Android OS store WhatsApp artifacts in a different location. This is caused by changes the mobile device's system software makes to the application data space. For example, Xiaomi mobile devices have a function for creating a second workspace ("SecondSpace"). When this function is enabled, the location of the data changes. So, while on a regular mobile device running Android OS user application data is stored in the directory '/data/user/0/' (which is equivalent to the usual '/data/data/'), in the second workspace application data is stored in the directory '/data/user/10/'. Taking the location of the 'wa.db' file as an example:

  • on a regular mobile device running Android OS: '/data/user/0/com.whatsapp/databases/wa.db' (which is equivalent to '/data/data/com.whatsapp/databases/wa.db');
  • in the second workspace of a Xiaomi mobile device: '/data/user/10/com.whatsapp/databases/wa.db'.

WhatsApp artifacts on iOS devices

Unlike Android OS, on iOS the WhatsApp application data is transferred into the backup copy (iTunes backup). Therefore extracting data from this application does not require extracting the file system or creating a physical memory dump of the examined device. The most relevant data is in the 'ChatStorage.sqlite' database, located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (in some programs this path is shown as 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').

Structure of 'ChatStorage.sqlite':

[screenshot: structure of 'ChatStorage.sqlite']

The informative tables in the 'ChatStorage.sqlite' database are 'ZWAMESSAGE' and 'ZWAMEDIAITEM'.

Table view of 'ZWAMESSAGE':

[screenshot: 'ZWAMESSAGE' table view]

Structure of the 'ZWAMESSAGE' table

| Field name | Value |
| --- | --- |
| Z_PK | record serial number (in the SQL table) |
| Z_ENT | table identifier, has the value '9' |
| Z_OPT | unknown, usually contains values from '1' to '6' |
| ZCHILDMESSAGEDELIVEREDCOUNT | unknown, usually contains the value '0' |
| ZCHILDMESSAGESPLAYEDCOUNT | unknown, usually contains the value '0' |
| ZCHILDMESSAGESREADCOUNT | unknown, usually contains the value '0' |
| ZDATAITEMVERSION | unknown, usually contains the value '3', probably a text message indicator |
| ZDOCID | unknown |
| ZENCRETRYCOUNT | unknown, usually contains the value '0' |
| ZFILTEREDRECIPIENTCOUNT | unknown, usually contains the values '0', '2', '256' |
| ZISFROMME | message direction: '0' - incoming, '1' - outgoing |
| ZMESSAGEERRORSTATUS | message transmission status. If the message was sent/received, it has the value '0'. |
| ZMESSAGETYPE | type of the transferred message |
| ZSORT | unknown |
| ZSPOTLIGHTSTATUS | unknown |
| ZSTARRED | unknown, not used |
| ZCHATSESSION | unknown |
| ZGROUPMEMBER | unknown, not used |
| ZLASTSESSION | unknown |
| ZMEDIAITEM | unknown |
| ZMESSAGEINFO | unknown |
| ZPARENTMESSAGE | unknown, not used |
| ZMESSAGEDATE | timestamp in OS X epoch time format |
| ZSENTDATE | time the message was sent, in OS X epoch time format |
| ZFROMJID | sender's WhatsApp ID |
| ZMEDIASECTIONID | contains the year and month the media file was sent |
| ZPHASH | unknown, not used |
| ZPUSHNAME | name of the contact who sent the media file, in UTF-8 format |
| ZSTANZAID | unique message identifier |
| ZTEXT | message text |
| ZTOJID | recipient's WhatsApp ID |

Table view of 'ZWAMEDIAITEM':

[screenshot: 'ZWAMEDIAITEM' table view]

Structure of the 'ZWAMEDIAITEM' table

| Field name | Value |
| --- | --- |
| Z_PK | record serial number (in the SQL table) |
| Z_ENT | table identifier, has the value '8' |
| Z_OPT | unknown, usually contains values from '1' to '3' |
| ZCLOUDSTATUS | contains the value '4' if the file has been downloaded |
| ZFILESIZE | contains the file size (in bytes) for downloaded files |
| ZMEDIAORIGIN | unknown, usually has the value '0' |
| ZMOVIEDURATION | duration of the media file; for PDF documents it may contain the number of pages |
| ZMESSAGE | contains the message serial number (it differs from the number given in the Z_PK column) |
| ZASPECTRATIO | aspect ratio, not used, usually set to '0' |
| ZHACCURACY | unknown, usually has the value '0' |
| ZLATITUDE | latitude |
| ZLONGITUDE | longitude |
| ZMEDIAURLDATE | timestamp in OS X epoch time format |
| ZAUTHORNAME | author (for documents, contains the file name) |
| ZCOLLECTIONNAME | not used |
| ZMEDIALOCALPATH | file name (including path) in the device file system |
| ZMEDIAURL | URL where the media file was located. If the file was transferred from one subscriber to another, it was encrypted, and its extension indicates the extension of the transferred file. |
| ZTHUMBNAILLOCALPATH | path to the thumbnail file in the device file system |
| ZTITLE | file header |
| ZVCARDNAME | media file name; when a file is transferred to a group, it may contain the sender identifier |
| ZVCARDSTRING | contains information about the type of the transferred document (for example: image/jpeg); when a file is transferred to a group, it may contain the recipient identifier |
| ZXMPPTHUMBPATH | path to the thumbnail file in the device file system |
| ZMEDIAKEY | unknown, probably contains the key for decrypting the encrypted file |
| ZMETADATA | metadata about the transferred message |

Other interesting tables of the 'ChatStorage.sqlite' database are:

  • 'ZWAPROFILEPUSHNAME'. Matches a WhatsApp ID with a contact name;
  • 'ZWAPROFILEPICTUREITEM'. Matches a WhatsApp ID with a contact avatar;
  • 'Z_PRIMARYKEY'. A table containing general information about the database, such as the number of stored messages, the number of chats, etc.
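As an added example (not code from the original article), the following Python script reads a constructed miniature 'ChatStorage.sqlite' in memory: it joins 'ZWAMESSAGE' to 'ZWAMEDIAITEM' through the ZMESSAGE column (not through matching Z_PK values) and converts the OS X epoch timestamps, which count seconds from 2001-01-01 rather than 1970-01-01. All JIDs, names, paths and dates are made up, and the assumption that ZMEDIALOCALPATH is relative to the shared group container is the example's own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores dates as seconds since 2001-01-01 00:00:00 UTC ("OS X epoch"),
# so a Unix-epoch converter such as the one used for the Android databases is wrong here.
OSX_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Shared group container named in the article; used to absolutise media paths.
GROUP_CONTAINER = "/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/"

# Constructed sample shaped like ZWAMESSAGE and ZWAMEDIAITEM (subset of columns);
# every JID, name, path and date below is made up for this example.
SAMPLE_SCHEMA = """
CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZISFROMME INTEGER,
    ZMESSAGETYPE INTEGER, ZMESSAGEERRORSTATUS INTEGER, ZMESSAGEDATE REAL, ZSENTDATE REAL,
    ZFROMJID TEXT, ZTOJID TEXT, ZPUSHNAME TEXT, ZSTANZAID TEXT, ZTEXT TEXT, ZMEDIAITEM INTEGER);
CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZMESSAGE INTEGER,
    ZFILESIZE INTEGER, ZMEDIALOCALPATH TEXT, ZMEDIAURL TEXT, ZVCARDSTRING TEXT,
    ZLATITUDE REAL, ZLONGITUDE REAL);
INSERT INTO ZWAMESSAGE VALUES (1, 9, 0, 0, 0, 505733829.0, NULL,
    '79123456789@s.whatsapp.net', NULL, 'Alex', 'S1', 'hello', NULL);
INSERT INTO ZWAMESSAGE VALUES (2, 9, 1, 1, 0, 505734000.0, 505734000.0,
    NULL, '79123456789@s.whatsapp.net', NULL, 'S2', NULL, 7);
INSERT INTO ZWAMEDIAITEM VALUES (7, 8, 2, 40960,
    'Message/Media/79123456789@s.whatsapp.net/a/b/IMG-0001.jpg',
    'https://example.invalid/m/0001', 'image/jpeg', NULL, NULL);
"""


def osx_to_utc(seconds):
    """Core Data timestamp -> 'YYYY-MM-DD HH:MM:SS UTC'; NULL means 'not set'."""
    if seconds is None:
        return None
    return (OSX_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S UTC")


def export_chatstorage(conn, container=GROUP_CONTAINER):
    """Join messages to their media items and decode direction, counterpart and dates.

    The media item points at its message via ZWAMEDIAITEM.ZMESSAGE = ZWAMESSAGE.Z_PK;
    the two tables' own Z_PK values are unrelated (7 vs 2 in the sample)."""
    sql = """SELECT m.Z_PK, m.ZISFROMME, m.ZMESSAGEDATE, m.ZSENTDATE, m.ZFROMJID, m.ZTOJID,
                    m.ZPUSHNAME, m.ZSTANZAID, m.ZTEXT, mi.ZMEDIALOCALPATH, mi.ZMEDIAURL,
                    mi.ZVCARDSTRING, mi.ZFILESIZE, mi.ZLATITUDE, mi.ZLONGITUDE
             FROM ZWAMESSAGE m LEFT JOIN ZWAMEDIAITEM mi ON mi.ZMESSAGE = m.Z_PK
             ORDER BY m.Z_PK"""
    keys = ["pk", "from_me", "msg_date", "sent_date", "from_jid", "to_jid", "push_name",
            "stanza_id", "text", "media_path", "media_url", "media_mime", "media_size",
            "lat", "lon"]
    out = []
    for row in conn.execute(sql):
        rec = dict(zip(keys, row))
        rec["direction"] = "outgoing" if rec["from_me"] == 1 else "incoming"
        # Outgoing messages carry the counterpart in ZTOJID, incoming ones in ZFROMJID.
        rec["counterpart"] = rec["to_jid"] if rec["from_me"] == 1 else rec["from_jid"]
        rec["msg_date_utc"] = osx_to_utc(rec["msg_date"])
        rec["sent_date_utc"] = osx_to_utc(rec["sent_date"])
        # Assumption of this example: ZMEDIALOCALPATH is relative to the shared container.
        rec["media_abs_path"] = container + rec["media_path"] if rec["media_path"] else None
        out.append(rec)
    return out


def load_sample():
    """Open the constructed sample in memory; for a real case use sqlite3.connect(path)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


if __name__ == "__main__":
    for rec in export_chatstorage(load_sample()):
        print(rec["msg_date_utc"], rec["direction"], rec["counterpart"],
              rec["text"] or rec["media_abs_path"])
```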

Also, when examining WhatsApp on a mobile device running iOS, you should pay attention to the following files:

  • file 'BackUpKeyValue.sqlite'. Contains cryptographic keys and other data needed to identify the account owner. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • file 'ContactsV2.sqlite'. Contains information about the user's contacts, such as full name, phone number, contact status (in text form), WhatsApp ID, etc. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • file 'consumer_version'. Contains the version number of the installed WhatsApp application. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • file 'current_wallpaper.jpg'. Contains the current WhatsApp background wallpaper. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'. Older versions of the application use the file 'wallpaper', located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
  • file 'blockedcontacts.dat'. Contains information about blocked contacts. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
  • file 'pw.dat'. Contains the encrypted password. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
  • file 'net.whatsapp.WhatsApp.plist' (or the file 'group.net.whatsapp.WhatsApp.shared.plist'). Contains information about the WhatsApp account profile. The file is located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.

Contents of the file 'group.net.whatsapp.WhatsApp.shared.plist': [screenshot]

You should also pay attention to the following directories:

  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. Contains thumbnails of contacts and groups (files with the .thumb extension), contact avatars, and the WhatsApp account owner's avatar (file 'Photo.jpg').
  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. Contains multimedia files and thumbnails.
  • Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'. Contains the application's call log (file 'calls.log') and backup copies of the call log (file 'calls.backup.log').
  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. Contains stickers (files in '.webp' format).
  • Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. Contains the application's operation logs.

WhatsApp artifacts on Windows

WhatsApp artifacts on Windows can be found in several places. First of all, these are the directories containing the program's executable and auxiliary files (for Windows 8/10):

  • 'C:\Program Files (x86)\WhatsApp'
  • 'C:\Users\%UserProfile%\AppData\Local\WhatsApp'
  • 'C:\Users\%UserProfile%\AppData\Local\VirtualStore\Program Files (x86)\WhatsApp'

In the directory 'C:\Users\%UserProfile%\AppData\Local\WhatsApp' there is the log file 'SquirrelSetup.log', which contains information about update checks and about the installation of the program.

In the directory 'C:\Users\%UserProfile%\AppData\Roaming\WhatsApp' there are several subdirectories:

[screenshot: subdirectories of 'C:\Users\%UserProfile%\AppData\Roaming\WhatsApp']

The file 'main-process.log' contains information about the operation of the WhatsApp program.

The 'databases' subdirectory contains the file 'Databases.db', but this file contains no information about chats or contacts.

The most interesting files from the forensic point of view are those located in the 'Cache' directory. These are mostly files named 'f_******' (where * is a digit from 0 to 9), which contain multimedia files and encrypted documents, although there are also unencrypted files among them. Of particular interest are the files 'data_0', 'data_1', 'data_2', 'data_3' located in the same subdirectory. The files 'data_0', 'data_1', 'data_3' contain external links to the transmitted encrypted multimedia files and documents.

Example of the information contained in the 'data_1' file: [screenshot]

The 'data_3' file may also contain graphic files.

The 'data_2' file contains contact avatars (they can be recovered by searching for file headers).

Avatar in the 'data_2' file:

[screenshot: avatar recovered from 'data_2']

Thus the chats themselves cannot be found in the computer's memory, but you can find:

  • multimedia files;
  • documents transferred via WhatsApp;
  • information about the account owner's contacts.

WhatsApp artifacts on macOS

On macOS you can find kinds of WhatsApp artifacts similar to those found on Windows OS.

The program's files are located in the following directories:

  • 'C:\Applications\WhatsApp.app'
  • 'C:\Applications\._WhatsApp.app'
  • 'C:\Users\%UserProfile%\Library\Preferences'
  • 'C:\Users\%UserProfile%\Library\Logs\WhatsApp'
  • 'C:\Users\%UserProfile%\Library\Saved Application State\WhatsApp.savedState'
  • 'C:\Users\%UserProfile%\Library\Application Scripts'
  • 'C:\Users\%UserProfile%\Library\Application Support\CloudDocs'
  • 'C:\Users\%UserProfile%\Library\Application Support\WhatsApp.ShipIt'
  • 'C:\Users\%UserProfile%\Library\Containers\com.rockysandstudio.app-for-whatsapp'
  • 'C:\Users\%UserProfile%\Library\Mobile Documents\<variable text>\WhatsApp Accounts'
    This directory contains subdirectories whose names are the phone numbers of the WhatsApp account owner.
  • 'C:\Users\%UserProfile%\Library\Caches\WhatsApp.ShipIt'
    This directory contains information about program installations.
  • 'C:\Users\%UserProfile%\Pictures\iPhoto Library.photolibrary\Masters', 'C:\Users\%UserProfile%\Pictures\iPhoto Library.photolibrary\Thumbnails'
    These directories contain the program's service files, including images and thumbnails of WhatsApp contacts.
  • 'C:\Users\%UserProfile%\Library\Caches\WhatsApp'
    This directory contains several SQLite databases that are used for data caching.
  • 'C:\Users\%UserProfile%\Library\Application Support\WhatsApp'
    This directory contains several subdirectories:

    [screenshot: subdirectories of 'C:\Users\%UserProfile%\Library\Application Support\WhatsApp']

    In the directory 'C:\Users\%UserProfile%\Library\Application Support\WhatsApp\Cache' there are the files 'data_0', 'data_1', 'data_2', 'data_3' and files named 'f_******' (where * is a digit from 0 to 9). For information about what these files contain, see WhatsApp artifacts on Windows.

    The directory 'C:\Users\%UserProfile%\Library\Application Support\WhatsApp\IndexedDB' may contain multimedia files (the files have no extensions).

    The file 'main-process.log' contains information about the operation of the WhatsApp program.


In the following articles of this series:

  • Decrypting encrypted WhatsApp databases. An article that will explain how the WhatsApp encryption key is generated and show practical examples of decrypting this application's databases.
  • Extracting WhatsApp data from cloud storage. An article in which we will tell you what WhatsApp data is stored in the cloud and describe methods for recovering this data from cloud storage.
  • WhatsApp data extraction: examples. An article that will describe step by step which programs extract WhatsApp data from various devices, and how.

Source: www.habr.com