Afai e te fia iloa poʻo a ituaiga WhatsApp forensic artifact o loʻo i ai i luga o faiga faʻaoga eseese ma o fea tonu e mafai ona maua ai, o le nofoaga lea mo oe. O lenei tusiga e mai se tagata tomai faapitoa i le Vaega-IB Computer Forensics Laboratory Igor Mikhailov amata se faasologa o pou e uiga i WhatsApp forensics ma o a faamatalaga e mafai ona maua mai le auiliiliga o le masini.
Sei o tatou vave maitau o faiga faʻaogaina eseese e teu ai ituaiga eseese o mea tau WhatsApp, ma afai e mafai e se tagata suʻesuʻe ona suʻeina ni ituaiga o faʻamatalaga WhatsApp mai se masini e tasi, e le o lona uiga e mafai ona maua mai faʻamatalaga tutusa mai se isi masini. Mo se faʻataʻitaʻiga, afai e aveese se iunite faʻaoga Windows OS, atonu o le a le maua talatalanoaga WhatsApp i luga o ana tisiki (sei vagana ai kopi faʻapipiʻi o masini iOS, lea e mafai ona maua i luga o taʻavale tutusa). O le faoa faamalosi o komepiuta feaveai ma masini feaveai o le ai ai ona lava uiga. Sei o tatou talanoa atili e uiga i lenei mea.
WhatsApp artifacts i masini Android
Ina ia mafai ona aveese mai WhatsApp meafaitino mai se masini Android, e tatau i le tagata suʻesuʻe ona i ai aia tatau sili ('aʻa') i luga o le masini o loʻo suʻesuʻeina poʻo le mafai ona aveese mai se isi mea e teu ai manatuaga faaletino o le masini, poʻo lona faila faila (mo se faʻataʻitaʻiga, faʻaogaina o faʻafitauli faʻaletonu o se masini feaveaʻi).
O faila talosaga o loʻo i totonu o le telefoni i le telefoni i le vaega o loʻo faʻasaoina ai faʻamatalaga o tagata. I le avea ai o se tulafono, ua faaigoa lenei vaega 'userdata'. Subdirectories ma polokalama faila o loʻo i luga o le ala: '/data/data/com.whatsapp/'.
O faila autu o loʻo iai WhatsApp forensic artifacts i le Android OS o faʻamaumauga 'wa.db' и 'msgstore.db'.
I totonu o le database 'wa.db' o loʻo i ai le lisi atoa o fesoʻotaʻiga o se tagata faʻaoga WhatsApp, e aofia ai le numera o le telefoni, faʻaaliga igoa, faʻailoga taimi, ma soʻo se isi faʻamatalaga e tuʻuina atu aʻo lesitala mo WhatsApp. faila 'wa.db' o lo'o i luga o le ala: '/data/data/com.whatsapp/databases/' ma e iai lona fausaga:
O laulau sili ona manaia i totonu o faʻamaumauga 'wa.db' mo tagata suʻesuʻe o:
- 'wa_contacts'
O lenei laulau o loʻo i ai faʻamatalaga faʻafesoʻotaʻi: WhatsApp contact id, faʻamatalaga tulaga, igoa faʻaalia tagata, faʻailoga taimi, ma isi.Fa'aaliga o laulau:
Fa'atulagaina o laulauIgoa fanua tāua _id fa'amaumau numera fa'asologa (i le laulau SQL) jid WhatsApp contact ID, tusia i le faatulagaga <numera telefoni>@s.whatsapp.net is_whatsapp_user o lo'o i ai le '1' pe a fetaui le feso'ota'iga ma se tagata fa'aoga moni WhatsApp, '0' a leai tulaga o lo'o i ai le tusitusiga o lo'o fa'aalia i le tulaga fa'afeso'ota'i status_timestamp o lo'o iai se fa'ailoga taimi i le Unix Epoch Time (ms). nūmera numera telefoni e feso'ota'i ma le feso'ota'iga raw_contact_id fa'afeso'ota'i numera fa'asologa faʻaali_ igoa fa'afeso'ota'i igoa fa'aaliga telefoni_type ituaiga telefoni igoa_telefoni fa'ailoga e feso'ota'i ma le numera fa'afeso'ota'i unseen_msg_count numera o fe'au na lafo mai e se fa'afeso'ota'i ae le'i faitauina e lē na mauaina photo_ts o lo'o iai se fa'ailoga taimi i le Unix Epoch Time format thumb_ts o lo'o iai se fa'ailoga taimi i le Unix Epoch Time format photo_id_timestamp o lo'o iai se fa'ailoga taimi i le Unix Epoch Time (ms). suafa muamua e fetaui le tau o le fanua 'display_name' mo feso'ota'iga ta'itasi wa_igoa WhatsApp igoa fa'afeso'ota'i (o lo'o fa'aalia le igoa o lo'o fa'ailoa mai i le fa'amatalaga o le feso'ota'iga) sort_name igoa fa'afeso'ota'i fa'aoga ile fa'avasegaga igoa tauvalaau igoa tauvalaau a le tagata fa'afeso'ota'i ile WhatsApp (o lo'o fa'aalia le igoa tauvalaau o lo'o fa'ailoa mai ile fa'amatalaga ole feso'ota'iga) kamupani kamupani (o loʻo faʻaalia le kamupani o loʻo faʻamaonia i le faʻamatalaga o fesoʻotaʻiga) Igoa suafa (Ms./Mr.; suafa fa'atulagaina i le fa'amatalaga fa'afeso'ota'i o lo'o fa'aalia) faʻasalaga faʻaituau - 'sqlite_sequence'
O lenei laulau o loʻo i ai faʻamatalaga e uiga i le numera o fesoʻotaʻiga; - 'android_metadata'
O lenei laulau o lo'o iai fa'amatalaga e uiga i le fa'aogaina o le gagana WhatsApp.
I totonu o le database 'msgstore.db' o lo'o i ai fa'amatalaga e uiga i fe'au lafo, e pei o le numera fa'afeso'ota'i, fe'au tusitusia, tulaga fe'au, fa'ailoga taimi, fa'amatalaga o faila fa'aliliu e aofia i fe'au, ma isi. faila 'msgstore.db' o lo'o i luga o le ala: '/data/data/com.whatsapp/databases/' ma e iai lona fausaga:
O laulau sili ona manaia i le faila 'msgstore.db' mo tagata suʻesuʻe o:
- 'sqlite_sequence'
O lenei laulau o loʻo iai faʻamatalaga lautele e uiga i lenei faʻamaumauga, e pei o le aofaʻi o feʻau o loʻo teuina, le aofaʻi o talatalanoaga, ma isi.Fa'aaliga o laulau:
- 'message_fts_content'
O lo'o i ai tusitusiga o fe'au lafo.Fa'aaliga o laulau:
- 'fe'au'
O lenei laulau o loʻo i ai faʻamatalaga e pei o le numera faʻafesoʻotaʻi, feʻau tusitusia, tulaga o feʻau, faʻailoga taimi, faʻamatalaga e uiga i faila fesiitai o loʻo aofia i totonu o feʻau.Fa'aaliga o laulau:
Fa'atulagaina o laulauIgoa fanua tāua _id fa'amaumau numera fa'asologa (i le laulau SQL) key_remote_jid WhatsApp ID o paaga fesoʻotaʻiga ki_mai_a'u faasinoga fe'au: '0' – ulufale mai, '1' – alu i fafo key_id fa'ailoga fe'au tulaga ese tulaga tulaga o fe'au: '0' – tu'uina atu, '4' – fa'atali ile server, '5' - maua ile taunu'uga, '6' - fa'atonu le fe'au, '13' - tatala le fe'au e le tagata e mauaina (faitau) mana'omia_tule ei ai le tau '2' pe a fai o se fe'au fa'asalalau, a leai o lo'o iai '0' faʻamatalaga fe'au tusitusia (pe a 'media_wa_type' parakalafa '0') timestamp o lo'o i ai se fa'ailoga taimi i le Unix Epoch Time (ms), o le tau e maua mai le uati masini media_url o lo'o i ai le URL o le faila na fa'aliliuina (pe a o le 'media_wa_type' parakalafa o le '1', '2', '3') media_mime_type Ituaiga MIME o le faila ua fesiita'i (pe a tutusa le 'media_wa_type' parameter ma le '1', '2', '3') media_wa_type ituaiga savali: '0' - tusitusiga, '1' - faila kalafi, '2' - faila leo, '3' - faila vitio, '4' - kata fa'afeso'ota'i, '5' - geodata media_size lapo'a o le faila na fa'aliliuina (pe a fai o le 'media_wa_type' fa'ailoga o le '1', '2', '3') igoa_media igoa o le faila ua fesiita'i (pe a o le 'media_wa_type' parakalafa o le '1', '2', '3') media_caption O lo'o i ai upu 'leo', 'vitio' mo tulaga tutusa o le 'media_wa_type' parakala (pe a 'media_wa_type' parakalafa o le '1', '3') media_hash base64 faʻailoga hash o le faila lafoina, faʻatatau i le faʻaaogaina o le HAS-256 algorithm (pe a tutusa le 'media_wa_type' parakalafa ma le '1', '2', '3') media_duration umi i sekone mo le faila faila (pe a 'media_wa_type' o le '1', '2', '3') amataga ei ai le tau '2' pe a fai o se fe'au fa'asalalau, a leai o lo'o iai '0' latitu geodata: latitu (pe a 'media_wa_type' parakalafa '5') longitude geodata: longitude (pe a 'media_wa_type' parakalafa '5') thumb_image faamatalaga auaunaga remote_resource Sender ID (mo na'o talanoaga fa'avae) received_timestamp taimi o le mauaina, o loʻo i ai se faʻailoga taimi i le Unix Epoch Time (ms), o le tau e ave mai le uati masini (pe a iai le 'key_from_me' parameter '0', '-1' poʻo isi tau) lafo_timestamp e le fa'aaogaina, e masani ona iai le tau '-1' lisiti_server_timestamp taimi e maua e le 'auʻaunaga tutotonu, o loʻo i ai se faʻailoga taimi i le Unix Epoch Time (ms), o le tau e ave mai le uati masini (pe a iai le 'key_from_me' parameter '1', '-1' poʻo isi tau. lisiti_masini_taimi taimi na maua ai le feʻau e se isi tagata fai saofaga, o loʻo i ai se faʻailoga taimi i le Unix Epoch Time (ms), o le tau e ave mai le uati masini (pe a iai le 'key_from_me' parameter '1', '-1' poʻo se isi tau. faitau_masini_timestamp taimi o le tatalaina (faitau) le savali, o loʻo i ai se faʻailoga taimi i le Unix Epoch Time (ms), o le tau e ave mai le uati masini playing_device_timestamp taimi e toe fa'afo'i ai le fe'au, o lo'o i ai se fa'ailoga taimi i le Unix Epoch Time (ms), o le tau e maua mai le uati o le masini. raw_data ata o le faila ua fesiita'i (pe a o le 'media_wa_type' parakalafa o le '1' po'o le '3') tagata_faitau numera o tagata e mauaina (mo fa'asalalauga fe'au) participant_hash fa'aaoga pe a fa'asalalau fe'au ma geodata faʻanoanoa le faʻaaogaina quoted_row_id le iloa, e masani ona i ai le tau '0' mention_jids le faʻaaogaina multicast_id le faʻaaogaina faʻasalaga faʻaituau O lenei lisi o fanua e le'o atoatoa. Mo ituaiga eseese o WhatsApp, o nisi fanua e mafai ona i ai pe leai. E le gata i lea, e mafai ona iai avanoa 'media_enc_hash', 'edit_version', 'totogi_transaction_id' ma isi.
- 'messages_thumbnails'
O lenei laulau o lo'o iai fa'amatalaga e uiga i ata fa'aliliuina ma fa'ailoga taimi. I le koluma 'timestamp', o le taimi o loʻo faʻaalia i le Unix Epoch Time (ms) format. - 'chat_list'
O lenei laulau o lo'o iai fa'amatalaga e uiga i talatalanoaga.Fa'aaliga o laulau:
E le gata i lea, pe a suʻesuʻeina WhatsApp i luga o se masini feaveaʻi o loʻo faʻaogaina le Android, e tatau ona e gauai atu i faila nei:
- faila 'msgstore.db.cryptXX' (o le XX o le tasi pe lua numera mai le 0 i le 12, mo se faʻataʻitaʻiga, msgstore.db.crypt12). O loʻo i ai se faʻailoga faʻailoga o feʻau WhatsApp (faila faila msgstore.db). faila (s) 'msgstore.db.cryptXX' o lo'o i luga o le ala: '/data/media/0/WhatsApp/Fa'amaumauga/' (kata SD virtual), '/mnt/sdcard/WhatsApp/Databases/ (kata SD faaletino)'.
- faila 'ki'. O lo'o i ai se ki fa'ailoga. O lo'o i luga o le ala: '/data/data/com.whatsapp/files/'. Fa'aaoga e fa'amalo ai fa'ailoga fa'ailoga WhatsApp.
- faila 'com.whatsapp_preferences.xml'. O lo'o iai fa'amatalaga e uiga i lau fa'amatalaga fa'amatalaga WhatsApp. O le faila o loʻo i luga o le ala: '/data/data/com.whatsapp/shared_prefs/'.
Vaega o mea e fai faila
<?xml version="1.0" encoding="ISO-8859-1"?> … <string name="ph">9123456789</string> (номер телефона, ассоциированный с аккаунтом WhatsApp) … <string name="version">2.17.395</string> (версия WhatsApp) … <string name="my_current_status">Hey there! I am using WhatsApp.</string> (сообщение, отображаемое в статусе аккаунта) … <string name="push_name">Alex</string> (имя владельца аккаунта) … - faila 'registration.RegisterPhone.xml'. O loʻo iai faʻamatalaga e uiga i le numera telefoni e fesoʻotaʻi ma le WhatsApp account. O le faila o loʻo i luga o le ala: '/data/data/com.whatsapp/shared_prefs/'.
Fa'amau faila
<?xml version="1.0" encoding="ISO-8859-1"?> <map> <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string> <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/> <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/> <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string> <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/> <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string> <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string> </map> - faila 'axolotl.db'. O lo'o iai ki cryptographic ma isi fa'amatalaga e mana'omia e fa'ailoa ai lē e ona le teugatupe. O lo'o i luga o le ala: '/data/data/com.whatsapp/databases/'.
- faila 'chatsettings.db'. O lo'o iai fa'amatalaga fa'atulagaina o talosaga.
- faila 'wa.db'. O lo'o iai fa'amatalaga fa'afeso'ota'i. O se mea e sili ona manaia (mai se faʻamatalaga faʻapitoa) ma faʻamatalaga faʻamatalaga. E mafai ona iai fa'amatalaga auiliili e uiga i feso'ota'iga ua tapeina.
E manaʻomia foʻi ona e faʻalogo i faʻamaumauga nei:
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Ata/'. O lo'o iai faila fa'akalafi ua fa'aliliuina.
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Voice Notes/'. O lo'o iai fe'au leo i faila fa'atulagaina .OPUS.
- aufaʻatonu '/data/data/com.whatsapp/cache/Profile Pictures/'. O lo'o iai faila ata - ata o feso'ota'iga.
- aufaʻatonu '/data/data/com.whatsapp/files/Avatars/'. O lo'o iai faila fa'akalafi - ata o ata o feso'ota'iga. O faila nei e iai le '.j' fa'aopoopoga ae o faila ata JPEG (JPG).
- aufaʻatonu '/data/data/com.whatsapp/files/Avatars/'. O lo'o i ai faila fa'akalafi - o se ata ma se la'ititi o le ata ua fa'atulaga e fai ma avatar e lē e ona le teugatupe.
- aufaʻatonu '/data/data/com.whatsapp/files/Logs/'. O lo'o iai le fa'amaumauga o fa'agaioiga o le polokalame (faila 'whatsapp.log') ma kopi fa'apolopolo o fa'amaumauga o fa'atinoga o polokalame (faila o lo'o iai igoa i le faatulagaga whatsapp-yyyy-mm-dd.1.log.gz).
WhatsApp Log Files:
Vaega o tusi talaaga2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] missedcallnotification/init count:0 timestamp:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Worker #1] missedcallnotification/update cancel true
2017-01-10 09:37:09.768 LL_I D [1: autu] app-init/load-me
2017-01-10 09:37:09.772 LL_I D [1:main] upu faila faila e misi pe le mafai ona faitau
2017-01-10 09:37:09.782 LL_I D [1:main] statistics Text Messages: 59 sent, 82 received / Media Messages: 1 sent (0 bytes), 0 received (9850158 bytes) / Offline Messages: 81 received ( 19522 msec averesi tuai) / Auaunaga Fe'au: 116075 bytes lafo, 211729 bytes maua / Voip Vala'au: 1 outgoing calls, 0 incoming calls, 2492 bytes sent, 1530 bytes received / Google Drive: 0 bytes sent, 0 bytes maua / Roaming: bytes lafo, 1524 bytes maua / Aofa'i Fa'amatalaga: 1826 bytes lafo, 118567 bytes maua
2017-01-10 09:37:09.785 LL_I D [1: autu] ala o faasalalauga-setete-pule/refresh-media-state/writable-media
2017-01-10 09:37:09.806 LL_I D [1: autu] app-init/initialize/timer/taofi: 24
2017-01-10 09:37:09.811 LL_I D [1:main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1:main] msgstore/checkhealth/journal/tapese sese
2017-01-10 09:37:09.818 LL_I D [1: autu] msgstore/checkhealth/back/delete false
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1: autu] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1: autu] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1: autu] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1: autu] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1: autu] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1: autu] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1: autu] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1: autu] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1: autu] msgstore/checkdb/list wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1: autu] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1: autu] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1: autu] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1: autu] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1: autu] msgstore/canquery/timer/taofi: 8
2017-01-10 09:37:09.847 LL_I D [1: autu] msgstore/canquery 517 | taimi faaalu:8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] ala o faasalalauga-setete-pule/refresh-media-setete/fale-fale e avanoa:1,345,622,016 aofaiga:5,687,922,688
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. O lo'o iai faila leo na maua.
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Audio/Auina/'. E iai faila leo lafo.
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Ata/'. O lo'o iai faila fa'akalafi e maua.
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Ata/Auina/'. O lo'o iai faila fa'akalafi na lafo.
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Vitio/'. O lo'o iai faila vitio na maua.
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Vitio/Auina/'. E i ai faila vitio lafo.
- aufaʻatonu '/data/media/0/WhatsApp/Media/WhatsApp Profile Ata/'. O lo'o iai faila ata e feso'ota'i ma lē e ona le tala WhatsApp.
- Ina ia faʻasaoina avanoa manatua i luga o lau telefoni Android, o nisi faʻamatalaga WhatsApp e mafai ona teuina i luga o se SD card. I luga o le SD card, i le root directory, o loʻo i ai se lisi 'WhatsApp', lea e mafai ona maua ai mea taua nei o lenei polokalame:
- aufaʻatonu '.Fa'asoa' ('/mnt/sdcard/WhatsApp/.Share/'). O loʻo iai kopi o faila na faʻasoa i isi tagata faʻaoga WhatsApp.
- aufaʻatonu '. lapisi' ('/mnt/sdcard/WhatsApp/.trash/'). E iai faila ua tapeina.
- aufaʻatonu 'Fa'amaumauga' ('/mnt/sdcard/WhatsApp/Databases/'). O lo'o iai fa'ailoga fa'ailoga. E mafai ona decrypted pe a iai le faila 'ki', maua mai le manatua o le masini suʻesuʻe.
Faila o lo'o i totonu o se subdirectory 'Fa'amaumauga':
- aufaʻatonu 'Afa' ('/mnt/sdcard/WhatsApp/Media/'). E iai subdirectories 'Pepa puipui', 'WhatsApp Audio', 'WhatsApp Ata', 'WhatsApp Profile Ata', 'WhatsApp Vitio', 'WhatsApp Voice Notes', o loʻo i ai faila multimedia na maua ma tuʻuina atu (faila ata, faila vitio, feʻau leo, ata e fesoʻotaʻi ma le talaaga o le tagata e ona le WhatsApp account, wallpapers).
- aufaʻatonu 'Ata Fa'amatalaga' ('/mnt/sdcard/WhatsApp/Ata Fa'amatalaga/'). O lo'o i ai faila fa'akalafi e feso'ota'i ma fa'amatalaga a lē e ona fa'amatalaga WhatsApp.
- O nisi taimi atonu o lo'o i ai se lisi o lo'o i luga o le SD card 'faila' ('/mnt/sdcard/WhatsApp/Files/'). O lenei lisi o lo'o iai faila e teu ai fa'atulagaga o polokalame ma mea e fiafia i ai tagata.
Vaega o le teuina o faʻamaumauga i nisi faʻataʻitaʻiga o masini feaveaʻi
O nisi fa'ata'ita'iga o masini feavea'i o lo'o fa'aogaina le Android OS e mafai ona teuina fa'amatalaga WhatsApp i se isi nofoaga. E mafua lenei mea ona o suiga i le avanoa e teu ai faʻamatalaga talosaga e le polokalama faakomepiuta a le masini feaveaʻi. Mo se faʻataʻitaʻiga, o masini feaveaʻi Xiaomi o loʻo i ai se galuega mo le fatuina o se avanoa faigaluega lona lua ("SecondSpace"). A fa'agaoioia lenei galuega, e suia le nofoaga o fa'amaumauga. O lea la, afai i se masini feaveaʻi masani o loʻo faʻaogaina faʻamaumauga a le tagata faʻaoga Android OS o loʻo teuina i totonu o le lisi '/data/user/0/' (o se faʻamatalaga i le masani '/fa'amatalaga/fa'amatalaga/'), ona i ai lea i le lona lua o fa'amatalaga talosaga mo avanoa faigaluega o lo'o teuina i totonu o le lisi '/data/user/10/'. O lona uiga, faʻaaogaina le faʻataʻitaʻiga o le nofoaga faila 'wa.db':
- i se telefoni feaveai masani o loʻo faʻaogaina le Android OS: /data/user/0/com.whatsapp/databases/wa.db' (lea e tutusa '/data/data/com.whatsapp/databases/wa.db');
- i le avanoa faigaluega lona lua o le Xiaomi smartphone: '/data/user/10/com.whatsapp/databases/wa.db'.
WhatsApp artifacts i iOS masini
E le pei o le Android OS, i iOS WhatsApp faʻamatalaga talosaga e faʻafeiloaʻi i se kopi faʻamaumauga (iTunes faaleoleo). O le mea lea, o le mauaina o faʻamatalaga mai lenei talosaga e le manaʻomia ai le aveeseina o le faila faila poʻo le fatuina o se faʻamaumauga faʻaletino o le masini o loʻo suʻesuʻeina. Ole tele o fa'amatalaga talafeagai o lo'o iai ile fa'amaumauga 'ChatStorage.sqlite', lea e tu i luga o le ala: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (i nisi polokalame o lenei ala e aliali mai o 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').
Faʻavae 'ChatStorage.sqlite':
O laulau sili ona fa'amatalaga i le 'ChatStorage.sqlite' database o 'ZWAMESSAGE' и 'ZWAMEDIAIITEM'.
foliga laulau 'ZWAMESSAGE':
Fa'atulagaina o le laulau 'ZWAMESSAGE'
| Igoa fanua | tāua |
|---|---|
| Z_PK | fa'amaumau numera fa'asologa (i le laulau SQL) |
| Z_ENT | fa'amatalaga laulau, ei ai le tau '9' |
| Z_OPT | le iloa, e masani ona i ai tulaga taua mai le '1' i le '6' |
| ZCHILDMESSAGESDELIVEREDCOUNT | le iloa, e masani ona i ai le tau '0' |
| ZCHILDMESSAGESPLAYEDCOUNT | le iloa, e masani ona i ai le tau '0' |
| ZCHILDMESSAGESREADCOUNT | le iloa, e masani ona i ai le tau '0' |
| ZDATAITEMVERSION | le iloa, e masani ona iai le tau '3', masalo o se fa'ailoga fe'au tusitusia |
| ZDOCID | e le o iloa |
| ZENCRETRYCOUNT | le iloa, e masani ona i ai le tau '0' |
| ZFILTEREDRECIPIENTCOUNT | le iloa, e masani ona i ai tulaga taua '0', '2', '256' |
| ZISFROMME | faasinoga fe'au: '0' – ulufale mai, '1' – alu i fafo |
| ZMESSAGEERRORSTATUS | tulaga fe'au fe'au. Afai e lafo/maua le fe'au, ona iai lea o le tau '0' |
| ZMESSAGETYPE | ituaiga fe'au o lo'o fa'asalalauina |
| ZSORT | e le o iloa |
| ZSPOTLIGHSTATUS | e le o iloa |
| ZSTARRED | le iloa, le fa'aaogaina |
| ZCHATSESSION | e le o iloa |
| ZGROUPMEMBER | le iloa, le fa'aaogaina |
| SAUNIGA | e le o iloa |
| ZMEDIAIITEM | e le o iloa |
| ZMESSAGEINFO | e le o iloa |
| ZPARENTVESSAGE | le iloa, le fa'aaogaina |
| ZMESSAGEDATE | fa'ailoga taimi ile OS X Epoch Time format |
| ZSENTDATE | taimi na lafo ai le fe'au ile OS X Epoch Time format |
| ZFROMJID | WhatsApp Sender ID |
| ZMEDIASECTIONID | o lo'o i ai le tausaga ma le masina na lafo ai le faila a le aufaasālalau |
| ZPHASH | le iloa, le fa'aaogaina |
| ZPUSHPAME | igoa o le tagata fa'afeso'ota'i na lafo le faila fa'asalalau i le fa'atulagaga UTF-8 |
| ZSTANZID | fa'ailoga fe'au tulaga ese |
| ZTEXT | Fa'amatalaga fe'au |
| ZTOJID | WhatsApp ID ole tagata e mauaina |
| FA'AFIA | faʻaituau |
foliga laulau 'ZWAMEDIAIITEM':
Fa'atulagaina o le laulau 'ZWAMEDIAITEM'
| Igoa fanua | tāua |
|---|---|
| Z_PK | fa'amaumau numera fa'asologa (i le laulau SQL) |
| Z_ENT | fa'amatalaga laulau, ei ai le tau '8' |
| Z_OPT | le iloa, e masani ona i ai tau mai le '1' i le '3'. |
| ZCLOUDSTATUS | o lo'o i ai le tau '4' pe a fa'apipi'i le faila. |
| ZFILESIZE | o lo'o i ai le umi o faila (i bytes) mo faila na sii mai |
| ZMEDIAORIGIN | le iloa, e masani ona i ai le tau '0' |
| ZMOVIEDURATION | umi o le faila faila, mo faila pdf e mafai ona i ai le numera o itulau o le pepa |
| ZMESSAGE | o lo'o i ai se numera fa'asologa (o le numera e ese mai le numera o lo'o fa'aalia i le koluma 'Z_PK') |
| FA'AIGA | fua fa'atatau, e le'o fa'aaogaina, e masani ona seti i le '0' |
| ZHACCURACY | le iloa, e masani ona i ai le tau '0' |
| ZLATTITUDE | lautele i pika |
| ZLONGTITUDE | maualuga i pika |
| ZMEDIAURLDATE | faailoga taimi ile OS X Epoch Time format |
| ZAUTHORNAME | tusitala (mo pepa, e mafai ona i ai le igoa faila) |
| ZCOLLECTIONNAME | le faʻaaogaina |
| ZMEDIALOCALPATH | igoa faila (e aofia ai le ala) i le faiga faila o masini |
| ZMEDIAURL | Le URL lea sa iai le faila fa'asalalau. Afai na faʻafeiloaʻi se faila mai le tasi tagata fai saofaga i le isi, na faʻailogaina ma o lona faʻaopoopoga o le a faʻaalia o le faʻaopoopoga o le faila faila - .enc |
| ZTHUMBNAILLOCALPATH | ala i le faila faila i le masini faila faiga |
| ZTITLE | ulutala faila |
| ZVCARDNAME | media file hash; pe a fesiitai se faila i se kulupu, atonu o lo'o i ai le fa'ailoaina o le tagata e auina atu |
| ZVCARDSTRING | o lo'o i ai fa'amatalaga e uiga i le ituaiga faila o lo'o fa'aliliuina (mo se fa'ata'ita'iga, ata/jpeg); pe a fa'aliliuina se faila i se kulupu, atonu o lo'o iai le fa'amatalaga a le tagata e mauaina. |
| ZXMPPTHUMBPATH | ala i le faila faila i le masini faila faiga |
| ZMEDIAKEY | le iloa, masalo o loʻo i ai le ki e faʻamalo ai le faila faʻailoga. |
| ZMETADATA | metadata o le fe'au fa'asalalau |
| Tausiga | faʻaituau |
O isi laulau fa'amatalaga mata'ina 'ChatStorage.sqlite' o:
- 'ZWAPROFILEPUSHNAME'. Faʻafetaui WhatsApp ID ma le igoa faʻafesoʻotaʻi;
- 'ZWAPROFILEPICTUREITEM'. Faʻafetaui WhatsApp ID ma fesoʻotaʻiga avatar;
- 'Z_PRIMARYKEY'. O le laulau o lo'o i ai fa'amatalaga lautele e uiga i lenei fa'amaumauga, e pei o le aofa'i o fe'au o lo'o teuina, le aofa'i o talatalanoaga, ma isi.
E le gata i lea, pe a suʻesuʻeina WhatsApp i luga o se masini feaveaʻi o loʻo faʻaogaina iOS, e tatau ona e gauai atu i faila nei:
- faila 'BackedUpKeyValue.sqlite'. O lo'o iai ki cryptographic ma isi fa'amatalaga e mana'omia e fa'ailoa ai lē e ona le teugatupe. O lo'o i luga o le ala: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- faila 'ContactsV2.sqlite'. O loʻo i ai faʻamatalaga e uiga i fesoʻotaʻiga a le tagata faʻaoga, e pei o le igoa atoa, numera o le telefoni, tulaga faʻafesoʻotaʻi (i le tusitusiga), WhatsApp ID, ma isi. O lo'o i luga o le ala: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- faila 'consumer_version'. O loʻo i ai le numera o le faʻaogaina o le WhatsApp app. O lo'o i luga o le ala: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- faila 'current_wallpaper.jpg'. O lo'o iai le pepa fa'amaufa'ailoga WhatsApp o lo'o iai nei. O lo'o i luga o le ala: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/. O lomiga tuai o le talosaga e fa'aoga le faila 'pepa puipui', lea e tu i luga o le ala: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
- faila 'blockedcontacts.dat'. O lo'o iai fa'amatalaga e uiga i feso'ota'iga poloka. O lo'o i luga o le ala: /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.
- faila 'pw.dat'. O lo'o i ai se fa'ailoga fa'ailoga. O lo'o i luga o le ala: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
- faila 'net.whatsapp.WhatsApp.plist' (poʻo faila 'group.net.whatsapp.WhatsApp.shared.plist'). O lo'o iai fa'amatalaga e uiga i lau fa'amatalaga fa'amatalaga WhatsApp. O le faila o loʻo i luga o le ala: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.
I totonu o le faila 'group.net.whatsapp.WhatsApp.shared.plist'
E manaʻomia foʻi ona e faʻalogo i faʻamaumauga nei:
- aufaʻatonu '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. O loʻo i ai ata laiti o fesoʻotaʻiga, vaega (faila ma le faʻaopoopoga . limamatua), fa'afeso'ota'i avatars, WhatsApp account owner avatar (file 'Photo.jpg').
- aufaʻatonu '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. O lo'o iai faila multimedia ma latou ata
- aufaʻatonu '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'. O lo'o i ai le fa'amaumauga o fa'agaioiga o polokalame (faila 'calls.log') ma kopi faaleoleo o ogalaau faagaioia polokalame (faila 'calls.backup.log').
- aufaʻatonu '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. E iai fasi pepa (faila i le faatulagaga '.webp').
- aufaʻatonu '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. O lo'o iai fa'amaumauga o fa'atinoga o polokalame.
WhatsApp artifacts i luga ole Windows
WhatsApp artifacts i Windows e mafai ona maua i le tele o nofoaga. Muamua lava, o faʻatonuga ia o loʻo i ai faila faʻapipiʻi ma fesoasoani polokalama (mo Windows 8/10):
- 'C: Polokalama Faila (x86) WhatsApp'
- 'C:Users%User profile% AppDataLocalWhatsApp'
- 'C:Users%User profile% AppDataLocalVirtualStore Polokalama Files (x86)WhatsApp'
I le fa'amaumauga 'C:Users%User profile% AppDataLocalWhatsApp' o lo'o iai le faila ogalaau 'SquirrelSetup.log', o loʻo i ai faʻamatalaga e uiga i le siakiina o faʻafouga ma le faʻapipiʻiina o le polokalame.
I le fa'amaumauga 'C:Users%User profile% AppDataRoamingWhatsApp' E tele subdirectories:
faila 'main-process.log' o loʻo i ai faʻamatalaga e uiga i le faʻaogaina o le polokalama WhatsApp.
Subdirectory 'fa'amaumauga' e iai se faila 'Databases.db', ae o lenei faila e leai ni faʻamatalaga e uiga i talatalanoaga poʻo fesoʻotaʻiga.
O le mea e sili ona manaia mai se vaaiga faʻapitoa o faila o loʻo i totonu o le lisi 'Cache'. O faila ia e fa'aigoaina 'f_********' (lea * o se numera mai le 0 i le 9) o loʻo i ai faila faʻasalalau faʻasalalau ma pepa, ae o loʻo iai foʻi faila e leʻi faʻamaonia i totonu oi latou. E faapitoa le fiafia o faila 'fa'amaumauga_0', 'fa'amaumauga_1', 'fa'amaumauga_2', 'fa'amaumauga_3', o loʻo i totonu o le subdirectory tutusa. Faila 'fa'amaumauga_0', 'fa'amaumauga_1', 'fa'amaumauga_3' o lo'o iai feso'ota'iga i fafo e tu'uina atu fa'ailoga multimedia faila ma pepa.
Fa'ata'ita'iga o fa'amatalaga o lo'o iai ile faila 'data_1'
Faʻapea foʻi faila 'fa'amaumauga_3' atonu e iai faila graphic.
faila 'fa'amaumauga_2' o loʻo i ai faʻamatalaga faʻafesoʻotaʻi (e mafai ona toe faʻaleleia e ala i le suʻeina e ala i faila faila).
Avatar o loʻo i totonu o le faila 'fa'amaumauga_2':
O lea la, o talatalanoaga lava latou e le mafai ona maua i le mafaufau o le komepiuta, ae e mafai ona e mauaina:
- faila multimedia;
- pepa na lafoina e ala i WhatsApp;
- faamatalaga e uiga i fesootaiga a lē e ona le teugatupe.
WhatsApp artifacts ile MacOS
I le MacOS e mafai ona e mauaina ituaiga o WhatsApp artifacts e tutusa ma mea o loʻo maua ile Windows OS.
O faila o le polokalame o loʻo i totonu o faʻamaumauga nei:
- 'C:ApplicationsWhatsApp.app'
- 'C:Talosaga._WhatsApp.app'
- 'C:Users%User profile%LibraryPreferences'
- 'C:Users%User profile%LibraryLogsWhatsApp'
- 'C:Users%User profile%LibrarySaved Application StateWhatsApp.savedState'
- 'C:Users%User profile%LibraryApplication Scripts'
- 'C:Users%User profile%LibraryApplication SupportCloudDocs'
- 'C:Users%User profile%LibraryApplication SupportWhatsApp.ShipIt'
- 'C:Users%User profile%LibraryContainerscom.rockysandstudio.app-for-whatsapp'
- 'C:Users%User profile% Library Mobile Documents <text variable> WhatsApp Accounts'
O lenei lisi o loʻo i ai subdirectories o latou igoa o numera telefoni e fesoʻotaʻi ma lē e ona le WhatsApp account. - 'C:Users%User profile%LibraryCachesWhatsApp.ShipIt'
O lenei lisi o lo'o iai fa'amatalaga e uiga i le fa'apipi'iina o le polokalame. - 'C:Users%User profile%PicturesiPhoto Library.photolibraryMasters', 'C:Users%User profile%PicturesiPhoto Library.photolibraryThumbnails'
O nei lisi o loʻo i ai faila tautua o le polokalame, e aofia ai ata ma ata o fesoʻotaʻiga WhatsApp. - 'C:Users%User profile%LibraryCachesWhatsApp'
O lenei lisi o loʻo i ai le tele o faʻamaumauga SQLite o loʻo faʻaaogaina mo le faʻaogaina o faʻamaumauga. - 'C:Users%User profile%LibraryApplication SupportWhatsApp'
O lenei lisi o lo'o i ai le tele o subdirectories:
I le fa'amaumauga 'C:Users%User profile%LibraryApplication SupportWhatsAppCache' e iai faila 'fa'amaumauga_0', 'fa'amaumauga_1', 'fa'amaumauga_2', 'fa'amaumauga_3' ma faila ma igoa 'f_********' (lea * o se numera mai le 0 i le 9). Mo faʻamatalaga e uiga i faʻamatalaga o loʻo i ai i nei faila, vaʻai WhatsApp Artifacts on Windows.I le fa'amaumauga 'C:Users%User profile%LibraryApplication SupportWhatsAppIndexedDB' atonu e iai faila multimedia (faila e leai ni fa'aopoopoga).
faila 'main-process.log' o loʻo i ai faʻamatalaga e uiga i le faʻaogaina o le polokalama WhatsApp.
Punaoa
- Suʻesuʻega faʻapitoa o WhatsApp Messenger i luga o telefoni feaveaʻi, saunia e Cosimo Anglano, 2014.
- Whatsapp Forensics: Su'esu'ega fa'amaumauga ma fa'amaumauga fa'avae i luga ole talosaga Android ma iOS e Ahmad Pratama, 2014.
I tala o lo'o mulimuli mai i lenei faasologa:
Decryption o fa'ailoga fa'amaumauga WhatsAppO se tusiga o le a tuʻuina atu faʻamatalaga i luga o le auala e faʻatupuina ai le WhatsApp encryption key ma faʻataʻitaʻiga aoga e faʻaalia ai le faʻaogaina o faʻamaumauga faʻamaufaʻailoga o lenei talosaga.
Aveese faʻamatalaga WhatsApp mai le teuina o aoO se tusiga o le a matou taʻuina atu ia te oe le mea o loʻo teuina ai faʻamaumauga a WhatsApp i ao ma faʻamatalaina auala mo le toe maua mai o nei faʻamatalaga mai le teuina o ao.
WhatsApp Fa'amatalaga Fa'amatalaga: Fa'ata'ita'iga Fa'atinoO se tusiga o le a faʻamatalaina laasaga ma lea laasaga poʻo a polokalame ma pe faʻafefea ona aveese faʻamatalaga WhatsApp mai masini eseese.
puna: www.habr.com