Ngati mukufuna kudziwa kuti ndi mitundu yanji yazinthu zakale za WhatsApp zomwe zilipo pamakina osiyanasiyana ogwiritsira ntchito komanso komwe zingapezeke, ndiye awa ndi malo anu. Nkhaniyi yachokera kwa katswiri wa Gulu-IB Computer Forensics Laboratory Igor Mikhailov imayamba zolemba zambiri za WhatsApp forensics ndi zomwe zingapezeke pakuwunika chipangizocho.
Tiyeni tiwone nthawi yomweyo kuti machitidwe osiyanasiyana ogwiritsira ntchito amasunga mitundu yosiyanasiyana ya zinthu zakale za WhatsApp, ndipo ngati wofufuza atha kuchotsa mitundu ina ya data ya WhatsApp ku chipangizo chimodzi, izi sizitanthauza kuti mitundu yofananira ya data imatha kuchotsedwa ku chipangizo china. Mwachitsanzo, ngati chipangizo choyendetsa Windows OS chachotsedwa, macheza a WhatsApp mwina sangapezeke pa disks zake (kupatulapo makope osunga zobwezeretsera a zida za iOS, zomwe zitha kupezeka pama drive omwewo). Kugwidwa kwa laputopu ndi zida zam'manja kudzakhala ndi mawonekedwe ake. Tiyeni tikambirane zimenezi mwatsatanetsatane.
Zithunzi za WhatsApp pazida za Android
Kuti achotse zinthu zakale za WhatsApp pa chipangizo cha Android, wofufuzayo ayenera kukhala ndi ufulu wogwiritsa ntchito kwambiri ('muzu') pa chipangizo chomwe chikufufuzidwa kapena kutha kuchotsa zotayira pamtima pa chipangizocho, kapena fayilo yake (mwachitsanzo, kugwiritsa ntchito kusatetezeka kwa pulogalamu yapa foni inayake).
Mafayilo ogwiritsira ntchito ali m'makumbukidwe a foni mu gawo lomwe deta ya ogwiritsa ntchito imasungidwa. Monga lamulo, gawoli limatchedwa 'userdata'. Ma subdirectories ndi mafayilo amapulogalamu ali panjira: '/data/data/com.whatsapp/'.
Mafayilo akulu omwe ali ndi WhatsApp forensic artific mu Android OS ndi database 'wa.db' ΠΈ 'msgstore.db'.
Mu database 'wa.db' ili ndi mndandanda wathunthu wolumikizana ndi ogwiritsa ntchito a WhatsApp, kuphatikiza nambala yafoni, dzina lowonetsera, masitampu anthawi, ndi zina zilizonse zomwe zimaperekedwa polembetsa pa WhatsApp. Fayilo 'wa.db' ili panjira: '/data/data/com.whatsapp/databases/' ndipo ili ndi dongosolo ili:
Matebulo osangalatsa kwambiri mu database 'wa.db' kwa ofufuza ndi:
- 'wa_contacts'
Gome ili lili ndi zidziwitso: ID yolumikizirana ndi WhatsApp, zidziwitso, dzina la ogwiritsa ntchito, masitampu anthawi, ndi zina.Maonekedwe atebulo:
Mapangidwe a tebuloDzina lamunda mtengo _id Lembani nambala yotsatizana (pa tebulo la SQL) jid ID yolumikizana ndi WhatsApp, yolembedwa mumtundu <foni nambala>@s.whatsapp.net ndi_whatsapp_user ili ndi '1' ngati wolumikizanayo akugwirizana ndi wogwiritsa ntchito wa WhatsApp, '0' apo ayi kachirombo ili ndi mawu omwe akuwonetsedwa muakaunti yanu status_timestamp ili ndi sitampu mumtundu wa Unix Epoch Time (ms). nambala nambala yafoni yogwirizana ndi wolumikizana naye raw_contact_id nambala yolumikizirana dzina lowonetsa dzina lowonetsera foni_mtundu mtundu wa foni phone_label chizindikiro chogwirizana ndi nambala yolumikizirana zosaoneka_msg_count chiwerengero cha mauthenga omwe anatumizidwa ndi wolumikizana naye koma sanawerengedwe ndi wolandira chithunzi_ts ili ndi sitampu yanthawi mumtundu wa Unix Epoch Time thumb_ts ili ndi sitampu yanthawi mumtundu wa Unix Epoch Time chithunzi_id_timestamp ili ndi sitampu mumtundu wa Unix Epoch Time (ms). dzina loyamba mtengo wagawo ukufanana ndi 'display_name' pagulu lililonse wa_dzina Dzina lolumikizana ndi WhatsApp (dzina lotchulidwa mu mbiri ya wolumikizanayo likuwonetsedwa) mtundu_dzina dzina lolumikizana lomwe limagwiritsidwa ntchito posankha dzina lakutchulidwa dzina lakutchulidwira mu WhatsApp (dzina lotchulidwira lomwe lili patsamba la wolumikizana likuwonetsedwa) kampani kampani (kampani yomwe yatchulidwa mu mbiri ya wolumikizanayo ikuwonetsedwa) mutu mutu (Ms./Bambo; mutu wokonzedwa mu mbiri yolumikizana ukuwonetsedwa) kuthetsa kukondera - 'sqlite_sequence'
Gome ili lili ndi zambiri za kuchuluka kwa omwe amalumikizana nawo; - 'android_metadata'
Gome ili lili ndi zambiri zakumasulira kwa zilankhulo za WhatsApp.
Mu database 'msgstore.db' ili ndi zambiri zokhudzana ndi mauthenga otumizidwa, monga nambala yolumikizirana, meseji, momwe mameseji amakhalira, masitampu anthawi, tsatanetsatane wamafayilo omwe adasamutsidwa akuphatikizidwa mu mauthenga, ndi zina. Fayilo 'msgstore.db' ili panjira: '/data/data/com.whatsapp/databases/' ndipo ili ndi dongosolo ili:
Matebulo osangalatsa kwambiri mufayilo 'msgstore.db' kwa ofufuza ndi:
- 'sqlite_sequence'
Gome ili lili ndi zambiri za database iyi, monga kuchuluka kwa mauthenga omwe asungidwa, kuchuluka kwa macheza, ndi zina zambiri.Maonekedwe atebulo:
- 'message_fts_content'
Muli ndi mawu otumizidwa.Maonekedwe atebulo:
- 'mauthenga'
Gome ili lili ndi zidziwitso monga nambala yolumikizirana, meseji, momwe mameseji amakhalira, masitampu anthawi, zambiri zamafayilo omwe adasamutsidwa akuphatikizidwa ndi mauthenga.Maonekedwe atebulo:
Mapangidwe a tebuloDzina lamunda mtengo _id Lembani nambala yotsatizana (pa tebulo la SQL) key_remote_jid WhatsApp ID ya olumikizana nawo key_from_ine mayendedwe a uthenga: '0' - yobwera, '1' - yotuluka key_id chizindikiritso cha uthenga wapadera kachirombo udindo wa uthenga: '0' - waperekedwa, '4' - kudikirira pa seva, '5' - kulandiridwa kopita, '6' - uthenga wowongolera, '13' - uthenga wotsegulidwa ndi wolandira (werengani) kufuna_kankha ali ndi mtengo '2' ngati ndi uthenga wowulutsa, apo ayi uli ndi '0' deta meseji (pamene 'media_wa_type' parameter ili '0') timestamp ili ndi sitampu yanthawi mumtundu wa Unix Epoch Time (ms), mtengo wake umachotsedwa pa wotchi ya chipangizocho media_url ili ndi ulalo wa fayilo yosinthidwa (pamene 'media_wa_type' parameter ili '1', '2', '3') media_mime_mtundu Mtundu wa MIME wa fayilo yosinthidwa (pamene 'media_wa_type' parameter ili yofanana ndi '1', '2', '3') media_wa_type mtundu wa uthenga: '0' - mawu, '1' - fayilo yojambula, '2' - fayilo yomvera, '3' - fayilo ya kanema, '4' - khadi lolumikizana, '5' - geodata media_size kukula kwa fayilo yotumizidwa (pamene 'media_wa_type' parameter ili '1', '2', '3') media_name dzina la fayilo yosinthidwa (pamene 'media_wa_type' parameter ili '1', '2', '3') media_caption Muli mawu oti 'audio', 'kanema' pamakhalidwe ofanana a parameter ya 'media_wa_type' (pamene 'media_wa_type' parameter ili '1', '3') media_hash base64 encoded hash ya fayilo yotumizidwa, yowerengedwa pogwiritsa ntchito HAS-256 algorithm (pamene 'media_wa_type' parameter ndi yofanana ndi '1', '2', '3') media_duration kutalika kwa masekondi a fayilo ya media (pamene 'media_wa_type' ndi '1', '2', '3') chiyambi ali ndi mtengo '2' ngati ndi uthenga wowulutsa, apo ayi uli ndi '0' latitude geodata: latitude (pamene 'media_wa_type' parameter ndi '5') kutalika geodata: longitude (pamene 'media_wa_type' parameter ndi '5') thumb_image zambiri zautumiki remote_source ID ya Wotumiza (ya macheza amagulu okha) receive_timestamp nthawi yolandira, ili ndi sitampu yanthawi ya Unix Epoch Time (ms), mtengo wake umatengedwa pa wotchi ya chipangizo (pamene 'key_from_me' parameter ili ndi '0', '-1' kapena mtengo wina) send_timestamp osagwiritsidwa ntchito, nthawi zambiri amakhala ndi mtengo '-1' receipt_server_timestamp nthawi yolandilidwa ndi seva yapakati, ili ndi sitampu yanthawi mumtundu wa Unix Epoch Time (ms), mtengo wake umatengedwa pa wotchi ya chipangizocho (pamene chizindikiro cha 'key_from_me' chili ndi '1', '-1' kapena mtengo wina. receipt_device_timestamp nthawi yomwe uthenga udalandiridwa ndi wolembetsa wina, ili ndi sitampu yanthawi mumtundu wa Unix Epoch Time (ms), mtengowo umachotsedwa pa wotchi ya chipangizocho (pamene chizindikiro cha 'key_from_me' chili ndi '1', '-1' kapena mtengo wina. read_device_timestamp nthawi yotsegula (kuwerenga) uthengawo, uli ndi chosindikizira chanthawi mumtundu wa Unix Epoch Time (ms), mtengowo umachotsedwa pa wotchi ya chipangizocho. play_device_timestamp nthawi yosewerera uthenga, ili ndi sitampu yanthawi mu mtundu wa Unix Epoch Time (ms), mtengo wake umachotsedwa pa wotchi ya chipangizocho. raw_data thumbnail ya fayilo yosinthidwa (pamene 'media_wa_type' parameter ili '1' kapena '3') recipient_count chiwerengero cha olandira (kwa mauthenga owulutsa) participant_hash amagwiritsidwa ntchito potumiza mauthenga ndi geodata nyenyezi osagwiritsidwa ntchito quoted_row_id osadziwika, nthawi zambiri amakhala ndi mtengo '0' anatchula_jids osagwiritsidwa ntchito multicast_id osagwiritsidwa ntchito kuthetsa kukondera Mndandanda wamagawowa siwokwanira. Pamitundu yosiyanasiyana ya WhatsApp, magawo ena atha kukhalapo kapena kulibe. Kuonjezerapo, minda ikhoza kukhalapo 'media_enc_hash', 'edit_version', 'payment_transaction_id' ndi zina zotero.
- 'messages_thumbnails'
Tebuloli lili ndi zambiri za zithunzi zosamutsidwa ndi masitampu anthawi. Pagawo la 'stamp', nthawi ikuwonetsedwa mumtundu wa Unix Epoch Time (ms). - 'chat_list'
Tebuloli lili ndi zambiri zamacheza.Maonekedwe atebulo:
Komanso, pofufuza WhatsApp pa foni yam'manja yomwe ikuyenda ndi Android, muyenera kulabadira mafayilo awa:
- file 'msgstore.db.cryptXX' (pomwe XX ndi manambala amodzi kapena awiri kuchokera pa 0 mpaka 12, mwachitsanzo, msgstore.db.crypt12). Muli ndi zosunga zobwezeretsera za mauthenga a WhatsApp (fayilo yosunga zobwezeretsera msgstore.db). Fayilo (ma) 'msgstore.db.cryptXX' ili panjira: '/data/media/0/whatsapp/database/' (pafupifupi SD khadi), '/mnt/sdcard/WhatsApp/Databases/ (khadi la SD lakuthupi)'.
- file 'kiyi'. Lili ndi kiyi ya cryptographic. Ili panjira: '/data/data/com.whatsapp/files/'. Amagwiritsidwa ntchito kubisa zosunga zobwezeretsera za WhatsApp.
- file 'com.whatsapp_preferences.xml'. Ili ndi zambiri za akaunti yanu ya WhatsApp. Fayilo ili m'mphepete mwa njira: '/data/data/com.whatsapp/shared_prefs/'.
Chigawo chafayilo
<?xml version="1.0" encoding="ISO-8859-1"?> β¦ <string name="ph">9123456789</string> (Π½ΠΎΠΌΠ΅Ρ ΡΠ΅Π»Π΅ΡΠΎΠ½Π°, Π°ΡΡΠΎΡΠΈΠΈΡΠΎΠ²Π°Π½Π½ΡΠΉ Ρ Π°ΠΊΠΊΠ°ΡΠ½ΡΠΎΠΌ WhatsApp) β¦ <string name="version">2.17.395</string> (Π²Π΅ΡΡΠΈΡ WhatsApp) β¦ <string name="my_current_status">Hey there! I am using WhatsApp.</string> (ΡΠΎΠΎΠ±ΡΠ΅Π½ΠΈΠ΅, ΠΎΡΠΎΠ±ΡΠ°ΠΆΠ°Π΅ΠΌΠΎΠ΅ Π² ΡΡΠ°ΡΡΡΠ΅ Π°ΠΊΠΊΠ°ΡΠ½ΡΠ°) β¦ <string name="push_name">Alex</string> (ΠΈΠΌΡ Π²Π»Π°Π΄Π΅Π»ΡΡΠ° Π°ΠΊΠΊΠ°ΡΠ½ΡΠ°) β¦ - file 'registration.RegisterPhone.xml'. Ili ndi zambiri za nambala yafoni yolumikizidwa ndi akaunti ya WhatsApp. Fayilo ili m'mphepete mwa njira: '/data/data/com.whatsapp/shared_prefs/'.
Zomwe zili mufayilo
<?xml version="1.0" encoding="ISO-8859-1"?> <map> <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string> <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/> <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/> <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string> <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/> <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string> <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string> </map> - file 'axolotl.db'. Muli makiyi a cryptographic ndi zina zomwe ndizofunikira kuti muzindikire mwini akaunti. Ili panjira: '/data/data/com.whatsapp/databases/'.
- file 'chatsettings.db'. Muli ndi zambiri zosinthidwa ndi pulogalamu.
- file 'wa.db'. Muli ndi ma contact. Chosangalatsa kwambiri (kuchokera kuzamalamulo) komanso nkhokwe yodziwitsa. Iwo akhoza muli mwatsatanetsatane za fufutidwa kulankhula.
Muyeneranso kulabadira akalozera otsatirawa:
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Muli mafayilo ojambulidwa osamutsidwa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Voice Notes/'. Muli ndi mauthenga amawu amtundu wa .OPUS mafayilo.
- Directory '/data/data/com.whatsapp/cache/Profile Pictures/'. Muli mafayilo ojambulidwa - zithunzi za anzanu.
- Directory '/data/data/com.whatsapp/files/Avatars/'. Muli mafayilo azithunzi - zithunzi zazithunzi za omwe mumalumikizana nawo. Mafayilowa ali ndi chowonjezera cha '.j' koma ndi mafayilo azithunzi a JPEG (JPG).
- Directory '/data/data/com.whatsapp/files/Avatars/'. Lili ndi mafayilo azithunzi - chithunzi ndi chithunzithunzi cha chithunzi chomwe chayikidwa ngati avatar ndi mwini akaunti.
- Directory '/data/data/com.whatsapp/files/Logs/'. Lili ndi chipika cha ntchito ya pulogalamu (fayilo 'whatsapp.log') ndi zosunga zosunga zobwezeretsera zamapologalamu (mafayilo okhala ndi mayina mumtundu wa whatsapp-yyyy-mm-dd.1.log.gz).
Mafayilo a WhatsApp Log:
Chigawo cha Journal2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] missedcallnotification/init count:0 timestamp:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Worker #1] missedcallnotification/kusintha kuletsa zoona
2017-01-10 09:37:09.768 LL_I D [1: main] app-init/load-me
2017-01-10 09:37:09.772 LL_I D [1: main] fayilo yachinsinsi ikusowa kapena yosawerengeka
2017-01-10 09:37:09.782 LL_I D [1: main] ziwerengero Mauthenga Olemba: 59 anatumizidwa, 82 analandira / Media Messages: 1 anatumizidwa (0 bytes), 0 analandira (9850158 bytes) / Mauthenga Opanda intaneti: 81 analandira ( 19522 msec avareji kuchedwa) / Ntchito ya Mauthenga: 116075 ma byte atumizidwa, 211729 byte analandilidwa / Maina a Voip: 1 mafoni otuluka, 0 obwera, 2492 mabayiti otumizidwa, 1530 ma byte olandilidwa / Google Drive: 0 ma byte atumizidwa, 0 ma byte adalandira / 1524: ma byte adatumizidwa, ma byte 1826 adalandira / Chiwerengero chonse: 118567 ma byte adatumizidwa, ma byte 10063417 adalandira
2017-01-10 09:37:09.785 LL_I D [1:main] media-state-manager/refresh-media-state/writable-media
2017-01-10 09:37:09.806 LL_I D [1: main] app-init/initialize/timer/stop: 24
2017-01-10 09:37:09.811 LL_I D [1:main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1: main] msgstore/checkhealth/journal/chotsa zabodza
2017-01-10 09:37:09.818 LL_I D [1: main] msgstore/checkhealth/back/ delete zabodza
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/mndandanda wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/mndandanda wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/mndandanda wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1:main] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery/timer/stop: 8
2017-01-10 09:37:09.847 LL_I D [1: main] msgstore/canquery 517 | nthawi: 8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/refresh-media-state/internal-storage zilipo:1,345,622,016 total:5,687,922,688
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. Muli mafayilo amawu omwe alandilidwa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/'. Muli mafayilo omvera otumizidwa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Muli zotsatira zojambulidwa owona.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/Sent/'. Muli mafayilo ojambulidwa otumizidwa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/'. Muli mafayilo amakanema olandilidwa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/Sent/'. Muli mafayilo amakanema otumizidwa.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Profile Photos/'. Muli mafayilo ojambulidwa okhudzana ndi eni ake a akaunti ya WhatsApp.
- Kusunga malo kukumbukira pa foni yanu Android foni, ena WhatsApp deta akhoza kusungidwa pa Sd khadi. Pa khadi la SD, m'ndandanda wa mizu, pali chikwatu 'Whatsapp', pomwe zinthu zotsatirazi za pulogalamuyi zitha kupezeka:
- Directory '.Gawani' ('/mnt/sdcard/WhatsApp/.Share/'). Muli mafayilo omwe adagawidwa ndi ogwiritsa ntchito ena a WhatsApp.
- Directory '.zinyalala' ('/mnt/sdcard/WhatsApp/.trash/'). Muli owona zichotsedwa.
- Directory 'Ma database' ('/mnt/sdcard/WhatsApp/Databases/'). Lili ndi zosunga zobwezeretsera. Zitha kusinthidwa ngati fayilo ilipo 'kiyi', yotengedwa mu kukumbukira kwa chipangizo chofufuzidwa.
Mafayilo omwe ali mu subdirectory 'Ma database':
- Directory 'Hafu' ('/mnt/sdcard/WhatsApp/Media/'). Muli ma subdirectories 'WallPaper', 'WhatsApp Audio', 'Zithunzi za WhatsApp', 'Zithunzi Zambiri za WhatsApp', 'WhatsApp Video', 'Mawu a WhatsApp Voice Notes', yomwe ili ndi mafayilo olandila ndi kufalitsa ma multimedia (mafayilo azithunzi, mafayilo amakanema, mauthenga amawu, zithunzi zolumikizidwa ndi mbiri ya eni akaunti ya WhatsApp, zithunzi).
- Directory 'Zithunzi Zambiri' ('/mnt/sdcard/WhatsApp/Profile Pictures/'). Muli mafayilo ojambulidwa okhudzana ndi mbiri ya eni akaunti ya WhatsApp.
- Nthawi zina pangakhale chikwatu pa SD khadi 'mafayilo' ('/mnt/sdcard/WhatsApp/Files/'). Bukuli lili ndi mafayilo omwe amasunga zokonda za pulogalamuyo komanso zomwe amakonda.
Mawonekedwe osungira deta mumitundu ina yazipangizo zam'manja
Mitundu ina yazida zam'manja zomwe zimagwiritsa ntchito Android OS zimatha kusunga zinthu zakale za WhatsApp kumalo ena. Izi ndi chifukwa cha kusintha kwa malo osungiramo deta yogwiritsira ntchito ndi pulogalamu ya pulogalamu ya foni yam'manja. Mwachitsanzo, zida zam'manja za Xiaomi zili ndi ntchito yopanga malo ogwirira ntchito yachiwiri ("SecondSpace"). Ntchitoyi ikatsegulidwa, malo a data amasintha. Chifukwa chake, ngati mu foni yam'manja yokhazikika yomwe imagwiritsa ntchito Android OS data imasungidwa m'ndandanda '/data/user/0/' (chomwe chikuyimira zanthawi zonse '/data/data/'), ndiye mu gawo lachiwiri logwiritsa ntchito deta imasungidwa m'ndandanda '/data/user/10/'. Ndiko kuti, pogwiritsa ntchito chitsanzo cha malo a fayilo 'wa.db':
- mu foni yamakono yomwe imagwiritsa ntchito Android OS: /data/user/0/com.whatsapp/databases/wa.db' (yomwe ili yofanana '/data/data/com.whatsapp/databases/wa.db');
- m'malo achiwiri ogwirira ntchito a foni yamakono ya Xiaomi: '/data/user/10/com.whatsapp/databases/wa.db'.
Zithunzi za WhatsApp pa iOS
Mosiyana ndi Android Os, mu iOS WhatsApp ntchito deta kusamutsidwa kope zosunga zobwezeretsera (iTunes zosunga zobwezeretsera). Chifukwa chake, kuchotsa zidziwitso kuchokera ku pulogalamuyi sikufuna kuchotsa fayilo kapena kupanga chotayira pamtima pa chipangizocho. Zambiri zokhudzana nazo zili mu database 'ChatStorage.sqlite', yomwe ili m'mphepete mwa njira: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (mu mapulogalamu ena njira iyi ikuwoneka ngati 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').
kapangidwe 'ChatStorage.sqlite':
Matebulo odziwitsa kwambiri mu 'ChatStorage.sqlite' database ndi 'ZWAMESSAGE' ΠΈ 'ZWAMEDIAITEM'.
Maonekedwe a tebulo 'ZWAMESSAGE':
Kapangidwe ka tebulo 'ZWAMESSAGE'
| Dzina lamunda | mtengo |
|---|---|
| Z_PK | Lembani nambala yotsatizana (pa tebulo la SQL) |
| Z_ENT | chizindikiritso cha tebulo, chili ndi mtengo '9' |
| Z_OPT | osadziwika, nthawi zambiri amakhala ndi zikhalidwe kuyambira '1' mpaka '6' |
| ZCHILDMESSAGESDELIVEREDCOUNT | osadziwika, nthawi zambiri amakhala ndi mtengo '0' |
| ZCHILDMESSAGESPLAYEDCOUNT | osadziwika, nthawi zambiri amakhala ndi mtengo '0' |
| ZCHILDMESSAGESREADCOUNT | osadziwika, nthawi zambiri amakhala ndi mtengo '0' |
| ZDATAITEMVERSION | osadziwika, nthawi zambiri amakhala ndi mtengo '3', mwina chizindikiro cha meseji |
| ZDOCID | sizikudziwika |
| ZENCRETRYCOUNT | osadziwika, nthawi zambiri amakhala ndi mtengo '0' |
| ZFILTEREDRECIPIENTCOUNT | osadziwika, nthawi zambiri amakhala ndi '0', '2', '256' |
| ZISFROMME | mayendedwe a uthenga: '0' - yobwera, '1' - yotuluka |
| ZMESSAGEERRORSTATUS | mawonekedwe otumizira uthenga. Ngati uthenga watumizidwa/walandilidwa, ndiye kuti uli ndi mtengo wa '0' |
| ZMESSAGETYPE | mtundu wa uthenga womwe ukufalitsidwa |
| ZSORT | sizikudziwika |
| ZSPOTLIGHTATUS | sizikudziwika |
| ZSTARRED | osadziwika, osagwiritsidwa ntchito |
| ZCHATSESSION | sizikudziwika |
| ZGROUPMEMBER | osadziwika, osagwiritsidwa ntchito |
| ZLASTSESSION | sizikudziwika |
| ZMEDIAITEM | sizikudziwika |
| ZMESSAGEINFO | sizikudziwika |
| ZPARENTMESSAGE | osadziwika, osagwiritsidwa ntchito |
| ZMESSAGEDATE | timestamp mu OS X Epoch Time mtundu |
| ZSENTDATE | nthawi yomwe uthengawo unatumizidwa mu mtundu wa OS X Epoch Time |
| ZFROMJID | WhatsApp Sender ID |
| ZMEDIASECTIONID | ili ndi chaka ndi mwezi womwe fayilo ya media idatumizidwa |
| ZPHASH | osadziwika, osagwiritsidwa ntchito |
| ZPUSHPAME | dzina la wolumikizana naye yemwe adatumiza fayilo ya media mu mtundu wa UTF-8 |
| ZSTANZID | chizindikiritso cha uthenga wapadera |
| ZTEXT | Mauthenga a uthenga |
| ZTOJID | ID ya WhatsApp ya wolandila |
| OFFSET | kukondera |
Maonekedwe a tebulo 'ZWAMEDIAITEM':
Kapangidwe ka tebulo 'ZWAMEDIAITEM'
| Dzina lamunda | mtengo |
|---|---|
| Z_PK | Lembani nambala yotsatizana (pa tebulo la SQL) |
| Z_ENT | chizindikiritso cha tebulo, chili ndi mtengo '8' |
| Z_OPT | osadziwika, nthawi zambiri amakhala ndi zikhalidwe kuyambira '1' mpaka '3'. |
| ZCLOUDSTATUS | ili ndi mtengo '4' ngati fayilo yadzaza. |
| ZFILESIZE | ili ndi kutalika kwa fayilo (mu ma byte) pamafayilo otsitsidwa |
| ZMEDIAORIGIN | osadziwika, nthawi zambiri amakhala ndi mtengo '0' |
| ZMOVIEDURATION | Kutalika kwa fayilo ya media, mafayilo a pdf amatha kukhala ndi kuchuluka kwamasamba a chikalatacho |
| ZMESSAGE | ili ndi serial number (nambalayo ndi yosiyana ndi yomwe yasonyezedwa mugawo la 'Z_PK') |
| ZASPECTRATIO | mawonekedwe, osagwiritsidwa ntchito, nthawi zambiri amakhala '0' |
| ZHACCURACY | osadziwika, nthawi zambiri amakhala ndi mtengo '0' |
| ZLATTITUDE | m'lifupi mu pixels |
| ZLONGTITUDE | kutalika kwa ma pixel |
| ZMEDIAURLDATE | timestamp mu OS X Epoch Time mtundu |
| ZAUTHORNAME | wolemba (wazolemba, atha kukhala ndi dzina la fayilo) |
| ZCOLLECTIONNAME | osagwiritsidwa ntchito |
| Malingaliro a kampani ZMEDIALOCALPATH | dzina lafayilo (kuphatikiza njira) mufayilo yamafayilo |
| ZMEDIAURL | Ulalo womwe fayilo ya media inali. Ngati fayilo idasamutsidwa kuchokera kwa wolembetsa kupita ku wina, idabisidwa ndipo kukulitsa kwake kudzawonetsedwa ngati kukulitsa kwa fayilo yomwe yasinthidwa - .enc |
| ZTHUMBNAILLOCALPATH | njira yopita ku chithunzi cha fayilo mu fayilo ya chipangizo |
| ZTITLE | mutu wapamwamba |
| ZVCARDNAME | hash ya fayilo ya media; posamutsa fayilo ku gulu, ikhoza kukhala ndi chozindikiritsa chotumiza |
| ZVCARDSTRING | ili ndi zambiri za mtundu wa fayilo yomwe imasamutsidwa (mwachitsanzo, chithunzi/jpeg); posamutsa fayilo kupita ku gulu, ikhoza kukhala ndi chizindikiritso cha wolandira. |
| ZXMPPTHUMBPATH | njira yopita ku chithunzi cha fayilo mu fayilo ya chipangizo |
| ZMEDIAKEY | osadziwika, mwina ali ndi kiyi yosinthira fayilo yosungidwa. |
| ZMETADATA | metadata ya uthenga wotumizidwa |
| Kutsegula | kukondera |
Ma tebulo ena osangalatsa a database 'ChatStorage.sqlite' Ali:
- 'ZWAPROFILEPUSHNAME'. Kufananiza ID ya WhatsApp ndi dzina lolumikizana;
- 'ZWAPROFILEPICTUREITEM'. Kufananiza ID ya WhatsApp ndi avatar yolumikizana;
- 'Z_PRIMARYKEY'. Tebuloli lili ndi zambiri za database iyi, monga kuchuluka kwa mauthenga omwe asungidwa, kuchuluka kwa macheza, ndi zina zambiri.
Komanso, pofufuza WhatsApp pa foni yam'manja yomwe ikuyendetsa iOS, muyenera kulabadira mafayilo awa:
- file 'BackedUpKeyValue.sqlite'. Muli makiyi a cryptographic ndi zina zomwe ndizofunikira kuti muzindikire mwini akaunti. Ili panjira: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- file 'ContactsV2.sqlite'. Muli zambiri za omwe amalumikizana nawo, monga dzina lonse, nambala yafoni, malo olumikizirana nawo (m'mawu), ID ya WhatsApp, ndi zina zambiri. Ili panjira: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- file 'consumer_version'. Ili ndi nambala ya mtundu wa pulogalamu ya WhatsApp yomwe idayikidwa. Ili panjira: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- file 'current_wallpaper.jpg'. Muli ndi zithunzi zakumbuyo za WhatsApp. Ili panjira: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/. Mafayilo akale amagwiritsa ntchito fayilo 'wallpaper', yomwe ili m'mphepete mwa njira: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
- file 'blockedcontacts.dat'. Lili ndi zambiri za olumikizidwa oletsedwa. Ili panjira: /zachinsinsi/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.
- file 'pw.dat'. Muli ndi mawu achinsinsi obisika. Ili panjira: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
- file 'net.whatsapp.WhatsApp.plist' (kapena file 'group.net.whatsapp.WhatsApp.shared.plist'). Ili ndi zambiri za akaunti yanu ya WhatsApp. Fayilo ili m'mphepete mwa njira: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.
Zomwe zili mufayilo 'group.net.whatsapp.WhatsApp.shared.plist'
Muyeneranso kulabadira akalozera otsatirawa:
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. Muli ndi tizithunzi ta ojambula, magulu (mafayilo ndi extension .chala chachikulu), ma avatar, omwe ali ndi akaunti ya WhatsApp avatar (fayilo 'Photo.jpg').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. Muli mafayilo a multimedia ndi tizithunzi tawo
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'. Muli ndi chipika chogwiritsira ntchito pulogalamu (file 'calls.log') ndi zosunga zobwezeretsera za zipika za pulogalamu (file 'calls.backup.log').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. Muli zomata (mafayilo mumtundu '.webp').
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. Muli zipika zamapulogalamu.
Zithunzi za WhatsApp pa Windows
Zithunzi za WhatsApp pa Windows zitha kupezeka m'malo angapo. Choyamba, awa ndi maulalo omwe ali ndi mafayilo apulogalamu omwe angathe kuchitidwa ndi othandizira (a Windows 8/10):
- 'C:Mafayilo a Pulogalamu (x86)WhatsApp'
- 'C: Ogwiritsa% Mbiri Yogwiritsa% AppDataLocalWhatsApp'
- 'C:Ogwiritsa% Mbiri Yawogwiritsa% Mafayilo a Pulogalamu ya AppDataLocalVirtualStore (x86)WhatsApp'
M'ndandanda 'C: Ogwiritsa% Mbiri Yogwiritsa% AppDataLocalWhatsApp' fayilo ya log ilipo 'SquirrelSetup.log', yomwe ili ndi zambiri zokhudzana ndi kuyang'ana zosintha ndi kukhazikitsa pulogalamuyi.
M'ndandanda 'C: Ogwiritsa% Mbiri Yogwiritsa% AppDataRoamingWhatsApp' Pali subdirectories zingapo:
file 'main-process.log' lili ndi zambiri zokhuza magwiridwe antchito a pulogalamu ya WhatsApp.
Subdirectory 'databases' ili ndi fayilo 'Databases.db', koma fayiloyi ilibe chidziwitso chilichonse chokhudza macheza kapena ma contacts.
Chosangalatsa kwambiri pamawonedwe azamalamulo ndi mafayilo omwe ali mu bukhuli 'Cache'. Awa kwenikweni ndi mafayilo otchedwa 'f_*******' (pomwe * ndi nambala yochokera ku 0 mpaka 9) yokhala ndi mafayilo ndi zikalata zobisika za multimedia, koma palinso mafayilo osabisika pakati pawo. Zosangalatsa kwambiri ndi mafayilo 'data_0', 'data_1', 'data_2', 'data_3', yomwe ili mugawo laling'ono lomwelo. Mafayilo 'data_0', 'data_1', 'data_3' ali ndi maulalo akunja amafayilo ndi zikalata zojambulidwa zama multimedia.
Chitsanzo cha zomwe zili mufayilo 'data_1'
Komanso fayilo 'data_3' ikhoza kukhala ndi mafayilo ojambulidwa.
file 'data_2' ili ndi ma avatar (atha kubwezeretsedwanso posaka ndi mitu yamafayilo).
Ma avatar omwe ali mufayilo 'data_2':
Chifukwa chake, macheza omwewo sangathe kupezeka pamakumbukiro apakompyuta, koma mutha kupeza:
- ma multimedia mafayilo;
- zolemba zofalitsidwa kudzera pa WhatsApp;
- zambiri za omwe ali ndi akaunti.
Zithunzi za WhatsApp pa MacOS
Mu MacOS mutha kupeza mitundu yazinthu zakale za WhatsApp zofanana ndi zomwe zimapezeka mu Windows OS.
Mafayilo a pulogalamuyo ali m'makanema otsatirawa:
- 'C:ApplicationsWhatsApp.app'
- 'C:Applications._WhatsApp.app'
- 'C:Ogwiritsa% Mbiri ya ogwiritsa%LibraryPreferences'
- 'C:Ogwiritsa% Mbiri ya ogwiritsa%LibraryLogsWhatsApp'
- 'C:Ogwiritsa% Mbiri Yogwiritsa Ntchito%LibrarySaved Application StateWhatsApp.savedState'
- 'C:Users%User Profile%LibraryApplication Scripts'
- 'C: Ogwiritsa% Mbiri Yogwiritsa%LibraryApplication SupportCloudDocs'
- 'C: Ogwiritsa% Mbiri Yogwiritsa%LibraryApplication SupportWhatsApp.ShipIt'
- 'C:Ogwiritsa%Mbiri Yawogwiritsa%LibraryContainerscom.rockysandstudio.app-for-whatsapp'
- 'C:Ogwiritsa% Mbiri Yawogwiritsa% Zolemba Zam'ma library <text variable> WhatsApp Accounts'
Bukuli lili ndi ma subdirectories omwe mayina awo ndi manambala a foni okhudzana ndi eni ake a akaunti ya WhatsApp. - 'C:Ogwiritsa%Mbiri ya ogwiritsa%LibraryCachesWhatsApp.ShipIt'
Bukuli lili ndi zambiri zokhuza kukhazikitsa pulogalamuyi. - 'C:Ogwiritsa%Mbiri ya ogwiritsa%PicturesiPhoto Library.photolibraryMasters', 'C:Ogwiritsa%Mbiri ya Wogwiritsa%PicturesiPhoto Library.photolibraryThumbnails'
Maulalo awa ali ndi mafayilo amapulogalamu apulogalamuyi, kuphatikiza zithunzi ndi tizithunzi ta omwe amalumikizana ndi WhatsApp. - 'C:Users%User profile%LibraryCachesWhatsApp'
Bukuli lili ndi nkhokwe zingapo za SQLite zomwe zimagwiritsidwa ntchito posungira deta. - 'C: Ogwiritsa% Mbiri Yogwiritsa%LibraryApplication SupportWhatsApp'
Chikwatuchi chili ndi ma subdirectories angapo:
M'ndandanda 'C: Ogwiritsa% Mbiri Yawogwiritsa%LibraryApplication SupportWhatsAppCache' pali mafayilo 'data_0', 'data_1', 'data_2', 'data_3' ndi mafayilo okhala ndi mayina 'f_*******' (pomwe * ndi nambala kuyambira 0 mpaka 9). Kuti mumve zambiri pazomwe mafayilowa ali, onani WhatsApp Artifacts pa Windows.M'ndandanda 'C: Ogwiritsa% Mbiri Yogwiritsa%LibraryApplication SupportWhatsAppIndexedDB' itha kukhala ndi mafayilo omvera (mafayilo alibe zowonjezera).
file 'main-process.log' lili ndi zambiri zokhuza magwiridwe antchito a pulogalamu ya WhatsApp.
Zotsatira
- Kusanthula kwazamalamulo kwa WhatsApp Messenger pa mafoni a m'manja a Android, ndi Cosimo Anglano, 2014.
- Whatsapp Forensics: Kapangidwe kake kamene kamapangidwa ndi maziko a data pa Android ndi iOS yolembedwa ndi Ahmad Pratama, 2014.
Mβnkhani zotsatirazi za mpambowu:
Kusintha kwa ma database obisika a WhatsAppNkhani yomwe ipereka chidziwitso chamomwe kiyi ya encryption ya WhatsApp imapangidwira komanso zitsanzo zothandiza zomwe zikuwonetsa momwe mungasinthire zosunga zobisika za pulogalamuyi.
Kuchotsa deta ya WhatsApp kuchokera kusungirako mitamboNkhani imene ife angakuuzeni zimene WhatsApp deta kusungidwa mu mitambo ndi kufotokoza njira akatengere deta imeneyi ku storages mtambo.
WhatsApp Data Extraction: Zitsanzo ZothandizaNkhani imene idzafotokoza sitepe ndi sitepe zimene mapulogalamu ndi mmene kuchotsa deta WhatsApp ku zipangizo zosiyanasiyana.
Source: www.habr.com