If you want to know what kinds of WhatsApp forensic artifacts exist on different operating systems and exactly where they can be found, this is the place for you. With this article, Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, begins a series of posts about WhatsApp investigations and the information that can be obtained by analysing a device.
Let us note right away that different operating systems store different sets of WhatsApp artifacts: if an investigator can extract certain kinds of WhatsApp data from one device, that does not mean the same kinds of data can be extracted from another. For example, if a system unit running Windows OS is seized, WhatsApp is unlikely to be found on its disk (apart from backup copies of iOS devices, which may be found on the same drives). Seized laptops and mobile devices will each have their own peculiarities. Let us discuss this in detail.
WhatsApp artifacts on Android devices
To extract WhatsApp artifacts from an Android device, the investigator must have superuser (root) rights on the device under examination, or otherwise be able to obtain a dump of the device's memory or of its file system (for example, by using a software vulnerability of the specific device).
The application's files are located in the partition of the phone's memory where user data is stored. Usually this partition is named 'userdata'. The program's subdirectories and files are located at the path '/data/data/com.whatsapp/'.
The main files containing WhatsApp forensic artifacts on Android OS are the databases 'wa.db' and 'msgstore.db'.
The 'wa.db' database contains the full contact list of the WhatsApp user, including phone numbers, display names, timestamps, and any other information provided on registration with WhatsApp. The 'wa.db' file is located at the path '/data/data/com.whatsapp/databases/' and has the following structure:
The tables in the 'wa.db' database of most interest to the investigator are:
- 'wa_contacts'
This table contains contact information: WhatsApp contact ID, status information, user display name, timestamps, etc. Table view:
Structure of the 'wa_contacts' table
Field name | value |
---|---|
_id | record sequence number (in the SQL table) |
jid | WhatsApp contact ID, written in the form <phone number>@s.whatsapp.net |
is_whatsapp_user | contains '1' if the contact corresponds to a real WhatsApp user, '0' otherwise |
status | contains the text shown as the contact's status |
status_timestamp | contains a timestamp in Unix Epoch Time (ms) format |
number | phone number of the contact |
raw_contact_id | contact sequence number |
display_name | display name of the contact |
phone_type | phone type |
phone_label | label associated with the contact's number |
unseen_msg_count | number of messages sent by the contact but not yet read by the recipient |
photo_ts | contains a timestamp in Unix Epoch Time format |
thumb_ts | contains a timestamp in Unix Epoch Time format |
photo_id_timestamp | contains a timestamp in Unix Epoch Time (ms) format |
given_name | the field value matches 'display_name' for each contact |
wa_name | WhatsApp name of the contact (the name specified in the contact's profile is shown) |
sort_name | contact name used for sorting operations |
nickname | WhatsApp nickname of the contact (the nickname specified in the contact's profile is shown) |
company | company (the company specified in the contact's profile is shown) |
title | title (Ms./Mr.; the title set in the contact card is shown) |
offset | offset |
- 'sqlite_sequence'
This table contains information about the number of contacts;
- 'android_metadata'
This table contains information about the WhatsApp language localization.
The 'msgstore.db' database contains information about sent and received messages, such as the contact number, message text, message status, timestamps, details of files transferred within messages, etc. The 'msgstore.db' file is located at the path '/data/data/com.whatsapp/databases/' and has the following structure:
The tables in the 'msgstore.db' file of most interest to the investigator are:
- 'sqlite_sequence'
This table contains general data about the database, such as the total number of stored messages, the total number of chats, etc. Table view:
- 'messages_fts_content'
Contains the text of sent and received messages. Table view:
- 'messages'
This table contains information such as the contact number, message text, message status, timestamps, and information about files transferred within messages. Table view:
Structure of the 'messages' table
Field name | value |
---|---|
_id | record sequence number (in the SQL table) |
key_remote_jid | WhatsApp ID of the communication partner |
key_from_me | message direction: '0' - incoming, '1' - outgoing |
key_id | unique message identifier |
status | message status: '0' - delivered, '4' - waiting on the server, '5' - received at the destination, '6' - control message, '13' - message opened by the recipient (read) |
needs_push | has the value '2' if it is a broadcast message, otherwise contains '0' |
data | message text (when the 'media_wa_type' parameter is '0') |
timestamp | contains a timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock |
media_url | contains the URL of the transferred file (when the 'media_wa_type' parameter is '1', '2' or '3') |
media_mime_type | MIME type of the transferred file (when the 'media_wa_type' parameter is '1', '2' or '3') |
media_wa_type | message type: '0' - text, '1' - image, '2' - audio file, '3' - video file, '4' - contact card, '5' - geodata |
media_size | size of the transferred file (when the 'media_wa_type' parameter is '1', '2' or '3') |
media_name | name of the transferred file (when the 'media_wa_type' parameter is '1', '2' or '3') |
media_caption | contains the words 'audio', 'video' for the corresponding values of the 'media_wa_type' parameter (when the 'media_wa_type' parameter is '1' or '3') |
media_hash | base64-encoded hash of the transferred file, computed with the SHA-256 algorithm (when the 'media_wa_type' parameter is '1', '2' or '3') |
media_duration | duration of the media file in seconds (when the 'media_wa_type' parameter is '1', '2' or '3') |
origin | has the value '2' if it is a broadcast message, otherwise contains '0' |
latitude | geodata: latitude (when the 'media_wa_type' parameter is '5') |
longitude | geodata: longitude (when the 'media_wa_type' parameter is '5') |
thumb_image | service information |
remote_resource | sender ID (for group chats only) |
received_timestamp | receipt time; contains a Unix Epoch Time (ms) timestamp, the value is taken from the device clock (when the 'key_from_me' parameter is '0'; otherwise '-1' or another value) |
send_timestamp | not used, usually has the value '-1' |
receipt_server_timestamp | time of receipt by the central server; contains a Unix Epoch Time (ms) timestamp, the value is taken from the device clock (when the 'key_from_me' parameter is '1'; otherwise '-1' or another value) |
receipt_device_timestamp | time the message was received by the other client; contains a Unix Epoch Time (ms) timestamp, the value is taken from the device clock (when the 'key_from_me' parameter is '1'; otherwise '-1' or another value) |
read_device_timestamp | time the message was opened (read); contains a Unix Epoch Time (ms) timestamp, the value is taken from the device clock |
played_device_timestamp | time the message was played back; contains a Unix Epoch Time (ms) timestamp, the value is taken from the device clock |
raw_data | thumbnail of the transferred file (when the 'media_wa_type' parameter is '1' or '3') |
recipient_count | number of recipients (broadcast messages) |
participant_hash | used when forwarding geodata messages |
starred | not used |
quoted_row_id | unknown, usually contains the value '0' |
mentioned_jids | not used |
multicast_id | not used |
offset | offset |
This list of fields is not complete. In different WhatsApp versions some fields may be present or absent. In addition, fields such as 'media_enc_hash', 'edit_version', 'payment_transaction_id' and the like may be present.
- 'messages_thumbnails'
This table contains information about transferred images and their timestamps. In the 'timestamp' column the time is given in Unix Epoch Time (ms) format.
- 'chat_list'
This table contains information about chats. Table view:
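The decoding rules in the two tables above (message direction, status and media type codes, millisecond Unix timestamps, jid-to-name resolution through 'wa.db') can be applied in one pass by attaching 'wa.db' to a read-only connection on 'msgstore.db'. The following Python is an added example, not code from the article; the in-memory sample rows it builds are constructed values, and the read-only URI form used in open_case() is an assumption about how the examiner opens the extracted files.

```python
import sqlite3
from datetime import datetime, timezone

# Value decodings taken from the field descriptions of the 'messages' table.
STATUS = {0: "delivered", 4: "waiting on server", 5: "received at destination",
          6: "control message", 13: "read by recipient"}
MEDIA_TYPE = {0: "text", 1: "image", 2: "audio", 3: "video",
              4: "contact card", 5: "geodata"}


def ms_to_utc(ms):
    """Unix Epoch Time in milliseconds -> 'YYYY-MM-DD HH:MM:SS UTC'; -1/NULL -> None."""
    if ms is None or ms < 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def open_case(msgstore_path, wa_path):
    """Open an extracted msgstore.db read-only and attach wa.db under the schema name 'contacts'.
    Assumption: both files are plain (already decrypted) SQLite databases."""
    conn = sqlite3.connect(f"file:{msgstore_path}?mode=ro", uri=True)
    conn.execute("ATTACH DATABASE ? AS contacts", (f"file:{wa_path}?mode=ro",))
    return conn


def open_sample():
    """Constructed in-memory stand-in for msgstore.db + wa.db (sample values, not case data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS contacts")
    conn.executescript("""
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, key_from_me INTEGER,
            key_id TEXT, status INTEGER, data TEXT, timestamp INTEGER, media_wa_type INTEGER,
            media_mime_type TEXT, media_name TEXT, media_size INTEGER, latitude REAL, longitude REAL);
        CREATE TABLE contacts.wa_contacts (_id INTEGER PRIMARY KEY, jid TEXT, display_name TEXT,
            number TEXT, is_whatsapp_user INTEGER);
        INSERT INTO contacts.wa_contacts VALUES (1, '79123456789@s.whatsapp.net', 'Alex', '+79123456789', 1);
        INSERT INTO contacts.wa_contacts VALUES (2, '79000000001@s.whatsapp.net', 'Dana', '+79000000001', 1);
        -- incoming text, outgoing image (read), incoming location from a jid absent from wa.db
        INSERT INTO messages VALUES (1, '79123456789@s.whatsapp.net', 0, 'A1', 0, 'hi',
            1484041029757, 0, NULL, NULL, NULL, NULL, NULL);
        INSERT INTO messages VALUES (2, '79000000001@s.whatsapp.net', 1, 'B2', 13, NULL,
            1484041100000, 1, 'image/jpeg', 'IMG-20170110-WA0001.jpg', 23456, NULL, NULL);
        INSERT INTO messages VALUES (3, '79999999999@s.whatsapp.net', 0, 'C3', 0, NULL,
            1484041200000, 5, NULL, NULL, NULL, 55.75, 37.62);
    """)
    return conn


def triage(conn):
    """Decode every message into a reviewer-friendly record, resolving the peer via wa.db."""
    sql = """SELECT m._id, m.key_from_me, m.key_remote_jid, c.display_name, m.status,
                    m.media_wa_type, m.data, m.media_name, m.latitude, m.longitude, m.timestamp
             FROM messages m
             LEFT JOIN contacts.wa_contacts c ON c.jid = m.key_remote_jid
             ORDER BY m.timestamp"""
    records = []
    for _id, from_me, jid, name, status, mtype, text, fname, lat, lon, ts in conn.execute(sql):
        if mtype == 0:
            content = text
        elif mtype == 5:
            content = f"lat={lat}, lon={lon}"
        else:
            content = fname or "<media without name>"
        records.append({
            "id": _id,
            "direction": "outgoing" if from_me == 1 else "incoming",
            "peer": name or jid,  # fall back to the raw jid when wa.db has no entry for it
            "status": STATUS.get(status, f"unknown({status})"),
            "type": MEDIA_TYPE.get(mtype, f"unknown({mtype})"),
            "content": content,
            "time_utc": ms_to_utc(ts),
        })
    return records


if __name__ == "__main__":
    for record in triage(open_sample()):
        print(record)
```

Unknown status or type codes are reported as unknown(N) rather than silently dropped, which is what you want when a newer msgstore.db uses values the table above does not list.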
Also, when examining WhatsApp on a mobile device running Android, you should pay special attention to the following files:
- file 'msgstore.db.cryptXX' (where XX is one or two digits from 0 to 12, for example msgstore.db.crypt12). Contains an encrypted backup of WhatsApp messages (of the 'msgstore.db' database). The 'msgstore.db.cryptXX' file(s) are located at '/data/media/0/WhatsApp/Databases/' (virtual SD card) or '/mnt/sdcard/WhatsApp/Databases/' (physical SD card).
- file 'key'. Contains the encryption key. Located at '/data/data/com.whatsapp/files/'. Used to decrypt the encrypted WhatsApp backups.
- file 'com.whatsapp_preferences.xml'. Contains information about the WhatsApp account profile. The file is located at '/data/data/com.whatsapp/shared_prefs/'.
Fragment of the file contents
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
…
<string name="ph">9123456789</string>  <!-- phone number associated with the WhatsApp account -->
…
<string name="version">2.17.395</string>  <!-- WhatsApp version -->
…
<string name="my_current_status">Hey there! I am using WhatsApp.</string>  <!-- message shown in the account status -->
…
<string name="push_name">Alex</string>  <!-- name of the account owner -->
…
```
- file 'registration.RegisterPhone.xml'. Contains information about the phone number linked to the WhatsApp account. The file is located at '/data/data/com.whatsapp/shared_prefs/'.
File contents
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<map>
<string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string>
<int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/>
<int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/>
<string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string>
<int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/>
<string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string>
<string name="com.whatsapp.registration.RegisterPhone.country_code">7</string>
</map>
```
- file 'axolotl.db'. Contains cryptographic keys and other data needed to identify the account owner. Located at '/data/data/com.whatsapp/databases/'.
- file 'chatsettings.db'. Contains information about the application settings.
- file 'wa.db'. Contains contact details. Very interesting (from the forensic point of view) and information-rich data. It may contain detailed information about deleted contacts.
You should also pay special attention to the following directories:
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains transferred image files.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Voice Notes/'. Contains voice messages in OPUS format.
- Directory '/data/data/com.whatsapp/cache/Profile Pictures/'. Contains image files: photos of contacts.
- Directory '/data/data/com.whatsapp/files/Avatars/'. Contains image files: thumbnail photos of contacts. These files have the extension '.j' but are nevertheless JPEG (JPG) image files.
- Directory '/data/data/com.whatsapp/files/Avatars/'. Contains image files: the photo and photo thumbnail set by the account owner as an avatar.
- Directory '/data/data/com.whatsapp/files/Logs/'. Contains the program's operation log (file 'whatsapp.log') and copies of the program's operation logs (files named in the form whatsapp-yyyy-mm-dd.1.log.gz).
WhatsApp log files:
Log fragment
```text
2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] alarm-broadcast/init count:0 timestamp:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Worker #1] missed-notification/update cancelled true
2017-01-10 09:37:09.768 LL_I D [1:main] app-init/load-me
2017-01-10 09:37:09.772 LL_I D [1:main] secret key missing or unreadable
2017-01-10 09:37:09.782 LL_I D [1:main] text messages: 59 sent, 82 received / media messages: 1 sent (0 bytes), 0 received (9850158 bytes) / offline messages: 81 received (average 19522 msec) / message service: 116075 bytes sent, 211729 bytes received / voip calls: 1 outgoing, 0 incoming, 2492 bytes sent, 1530 bytes received / Google Drive: 0 bytes sent, 0 bytes received / roaming: 1524 bytes sent, 1826 bytes received / total data: 118567 bytes sent, 10063417 bytes received
2017-01-10 09:37:09.806 LL_I D [1:main] app-init/initialize/timer/stop: 24
2017-01-10 09:37:09.811 LL_I D [1:main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1:main] msgstore/checkhealth/journal/delete false
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkhealth/back/delete false
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1:main] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery/timer/stop: 8
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery 517 | time spent:8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/update-media-state/internal storage available:1,345,622,016 total:5,687,922,688
```
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. Contains received audio files.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/'. Contains sent audio files.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains received image files.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/Sent/'. Contains sent image files.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/'. Contains received video files.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/Sent/'. Contains sent video files.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Profile Photos/'. Contains image files associated with the WhatsApp account owner's profile.
- To save memory space on an Android device, some WhatsApp data may be stored on the SD card. In the root directory of the SD card there is a 'WhatsApp' directory, where the following program data can be found:
- Directory '.Share' ('/mnt/sdcard/WhatsApp/.Share/'). Contains copies of files shared with other WhatsApp users.
- Directory '.trash' ('/mnt/sdcard/WhatsApp/.trash/'). Contains deleted files.
- Directory 'Databases' ('/mnt/sdcard/WhatsApp/Databases/'). Contains encrypted backups. They can be decrypted if the 'key' file, extracted from the memory of the device under examination, is available.
Files in the 'Databases' subdirectory:
- Directory 'Media' ('/mnt/sdcard/WhatsApp/Media/'). Contains the subdirectories 'WallPaper', 'WhatsApp Audio', 'WhatsApp Images', 'WhatsApp Profile Photos', 'WhatsApp Video', 'WhatsApp Voice Notes', which hold received and sent multimedia files (image files, video files, voice messages, images associated with the WhatsApp account owner's profile, wallpapers).
- Directory 'Profile Pictures' ('/mnt/sdcard/WhatsApp/Profile Pictures/'). Contains image files associated with the WhatsApp account owner's profile.
- Sometimes the SD card may also contain a 'Files' directory ('/mnt/sdcard/WhatsApp/Files/'). This directory contains files storing program settings and user preferences.
Data storage peculiarities of certain mobile device models
Some mobile devices running Android OS may store WhatsApp artifacts in a different location. This is caused by changes to the application data storage location made in the mobile device's software. For example, Xiaomi mobile devices have a feature for creating a second workspace ("Second Space"). When this feature is activated, the data location changes. So, while on a regular Android mobile device user data is stored in the directory '/data/user/0/' (to which '/data/data/' is normally a symbolic link), in the second space the application data is stored in the directory '/data/user/10/'. That is, taking the location of the 'wa.db' file as an example:
- on a regular device running Android OS: '/data/user/0/com.whatsapp/databases/wa.db' (equivalent to '/data/data/com.whatsapp/databases/wa.db');
- in the second workspace of a Xiaomi device: '/data/user/10/com.whatsapp/databases/wa.db'.
WhatsApp artifacts on iOS devices
Unlike Android OS, on iOS the WhatsApp application data is carried over into the backup copy (iTunes backup). Therefore, extracting this application's data does not require extracting the file system or creating a physical memory dump of the device under examination. Most of the relevant information is in the 'ChatStorage.sqlite' database, located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (in some tools this path appears as 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').
Structure of 'ChatStorage.sqlite':
The most informative tables in the 'ChatStorage.sqlite' database are 'ZWAMESSAGE' and 'ZWAMEDIAITEM'.
View of the 'ZWAMESSAGE' table:
Structure of the 'ZWAMESSAGE' table
Field name | value |
---|---|
Z_PK | record sequence number (in the SQL table) |
Z_ENT | table identifier, has the value '9' |
Z_OPT | unknown, usually contains values from '1' to '6' |
ZCHILDMESSAGESDELIVEREDCOUNT | unknown, usually contains the value '0' |
ZCHILDMESSAGESPLAYEDCOUNT | unknown, usually contains the value '0' |
ZCHILDMESSAGESREADCOUNT | unknown, usually contains the value '0' |
ZDATAITEMVERSION | unknown, usually contains the value '3', probably a text message indicator |
ZDOCID | unknown |
ZENCRETRYCOUNT | unknown, usually contains the value '0' |
ZFILTEREDRECIPIENTCOUNT | unknown, usually contains the values '0', '2', '256' |
ZISFROMME | message direction: '0' - incoming, '1' - outgoing |
ZMESSAGEERRORSTATUS | message delivery status. If the message was sent/received, it has the value '0' |
ZMESSAGETYPE | type of the transferred message |
ZSORT | unknown |
ZSPOTLIGHTSTATUS | unknown |
ZSTARRED | unknown, not used |
ZCHATSESSION | unknown |
ZGROUPMEMBER | unknown, not used |
ZLASTSESSION | unknown |
ZMEDIAITEM | unknown |
ZMESSAGEINFO | unknown |
ZPARENTMESSAGE | unknown, not used |
ZMESSAGEDATE | timestamp in OS X Epoch Time format |
ZSENTDATE | time the message was sent, in OS X Epoch Time format |
ZFROMJID | WhatsApp ID of the sender |
ZMEDIASECTIONID | contains the year and month of the sent media file |
ZPHASH | unknown, not used |
ZPUSHNAME | name of the contact who sent the media file, in UTF-8 |
ZSTANZAID | unique message identifier |
ZTEXT | message text |
ZTOJID | WhatsApp ID of the recipient |
offset | offset |
View of the 'ZWAMEDIAITEM' table:
Structure of the 'ZWAMEDIAITEM' table
Field name | value |
---|---|
Z_PK | record sequence number (in the SQL table) |
Z_ENT | table identifier, has the value '8' |
Z_OPT | unknown, usually contains values from '1' to '3' |
ZCLOUDSTATUS | contains the value '4' if the file has been uploaded |
ZFILESIZE | contains the file size (in bytes) of downloaded files |
ZMEDIAORIGIN | unknown, usually has the value '0' |
ZMOVIEDURATION | duration of the media file; for pdf files it may contain the number of pages in the document |
ZMESSAGE | contains a sequence number (the number differs from the one given in the 'Z_PK' column) |
ZASPECTRATIO | aspect ratio, not used, usually set to '0' |
ZHACCURACY | unknown, usually has the value '0' |
ZLATITUDE | width in pixels |
ZLONGITUDE | height in pixels |
ZMEDIAURLDATE | timestamp in OS X Epoch Time format |
ZAUTHORNAME | author (for documents; may contain the file name) |
ZCOLLECTIONNAME | not used |
ZMEDIALOCALPATH | file name (including the path) in the device's file system |
ZMEDIAURL | URL of the location where the media file was stored. If a file was transferred from one client to another, it is encrypted and its extension is given as the extension of the transferred file: .enc |
ZTHUMBNAILLOCALPATH | path to the file's thumbnail in the device's file system |
ZTITLE | file title |
ZVCARDNAME | hash of the media file; when the file is transferred to a group, it may contain the sender's ID |
ZVCARDSTRING | contains information about the type of the transferred file (for example, image/jpeg); when the file is transferred to a group, it may contain the recipient's ID |
ZXMPPTHUMBPATH | path to the file's thumbnail in the device's file system |
ZMEDIAKEY | unknown, probably contains the key for decrypting the encrypted file |
ZMETADATA | metadata of the transferred message |
offset | offset |
Other interesting tables in the 'ChatStorage.sqlite' database are:
- 'ZWAPROFILEPUSHNAME'. Matches WhatsApp IDs with contact names;
- 'ZWAPROFILEPICTUREITEM'. Matches WhatsApp IDs with contact avatars;
- 'Z_PRIMARYKEY'. The table contains general information about the database, such as the total number of stored messages, the total number of chats, etc.
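The two ChatStorage.sqlite tables above differ from the Android databases in two ways that trip up examiners: dates are in OS X Epoch Time (Core Data seconds since 2001-01-01 00:00:00 UTC, not Unix milliseconds), and a media item is linked to its message through 'ZWAMEDIAITEM.ZMESSAGE'. The Python below is an added example, not the article's code; it assumes the Core Data convention that 'ZWAMEDIAITEM.ZMESSAGE' holds the 'Z_PK' of the owning 'ZWAMESSAGE' row (the table above only says the number differs from the item's own 'Z_PK'), and the sample rows and the '.enc' URL are constructed values.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# Core Data stores dates as seconds since 2001-01-01 00:00:00 UTC (the "OS X Epoch Time" above).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """OS X Epoch Time (float seconds) -> 'YYYY-MM-DD HH:MM:SS UTC'; NULL -> None."""
    if seconds is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S UTC")


def open_sample():
    """Constructed in-memory stand-in for ChatStorage.sqlite (sample values, not case data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZISFROMME INTEGER,
            ZMESSAGETYPE INTEGER, ZMESSAGEDATE REAL, ZSENTDATE REAL, ZFROMJID TEXT, ZTOJID TEXT,
            ZPUSHNAME TEXT, ZSTANZAID TEXT, ZTEXT TEXT);
        CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZMESSAGE INTEGER,
            ZFILESIZE INTEGER, ZMEDIALOCALPATH TEXT, ZMEDIAURL TEXT, ZVCARDSTRING TEXT);
        -- 505733829 s after 2001-01-01 is 2017-01-10 09:37:09 UTC
        INSERT INTO ZWAMESSAGE VALUES (1, 9, 0, 0, 505733829.0, NULL,
            '79123456789@s.whatsapp.net', NULL, 'Alex', 'A1', 'hi');
        INSERT INTO ZWAMESSAGE VALUES (2, 9, 1, 1, 505733900.0, 505733900.0,
            NULL, '79000000001@s.whatsapp.net', NULL, 'B2', NULL);
        INSERT INTO ZWAMEDIAITEM VALUES (1, 8, 2, 23456,
            'Message/Media/79000000001@s.whatsapp.net/a/b/IMG-0001.jpg',
            'https://media.example.invalid/SAMPLE.enc', 'image/jpeg');
    """)
    return conn


def timeline(conn):
    """Messages in date order, each joined to its media item (if any) via ZWAMEDIAITEM.ZMESSAGE."""
    sql = """SELECT m.Z_PK, m.ZISFROMME, m.ZFROMJID, m.ZTOJID, m.ZPUSHNAME, m.ZSTANZAID, m.ZTEXT,
                    m.ZMESSAGEDATE, i.ZMEDIALOCALPATH, i.ZMEDIAURL, i.ZVCARDSTRING, i.ZFILESIZE
             FROM ZWAMESSAGE m
             LEFT JOIN ZWAMEDIAITEM i ON i.ZMESSAGE = m.Z_PK
             ORDER BY m.ZMESSAGEDATE"""
    rows = []
    for pk, from_me, fjid, tjid, push, stanza, text, date, path, url, mime, size in conn.execute(sql):
        media = None
        if path or url:
            media = {"local_path": path, "mime": mime, "size": size,
                     # a '.enc' URL means the object was stored encrypted in transit (see ZMEDIAURL)
                     "url_encrypted": bool(url) and url.endswith(".enc")}
        rows.append({
            "pk": pk,
            "stanza_id": stanza,
            "direction": "outgoing" if from_me == 1 else "incoming",
            "peer": tjid if from_me == 1 else fjid,  # ZTOJID for outgoing, ZFROMJID for incoming
            "push_name": push,
            "text": text,
            "date_utc": cocoa_to_utc(date),
            "media": media,
        })
    return rows


def sample_timeline():
    """Convenience wrapper: the decoded timeline of the constructed sample database."""
    return timeline(open_sample())


if __name__ == "__main__":
    for row in sample_timeline():
        print(row)
```

For a real extraction, replace open_sample() with sqlite3.connect on the 'ChatStorage.sqlite' copied out of the backup; the queries only use the columns listed in the two tables above.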
Also, when examining WhatsApp on a mobile device running iOS, you should pay special attention to the following files:
- file 'BackedUpKeyValue.sqlite'. Contains cryptographic keys and other data needed to identify the account owner. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
- file 'ContactsV2.sqlite'. Contains information about the user's contacts, such as full name, phone number, contact status (as text), WhatsApp ID, etc. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
- file 'client_version'. Contains the version number of the installed WhatsApp application. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
- file 'wallpaper_current.jpg'. Contains the current WhatsApp background wallpaper. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'. Older versions of the application use the file 'wallpaper', located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
- file 'blockedcontacts.dat'. Contains information about blocked contacts. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
- file 'pw.dat'. Contains a secret key. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
- file 'net.whatsapp.WhatsApp.plist' (or file 'group.net.whatsapp.WhatsApp.shared.plist'). Contains information about the WhatsApp account profile. The file is located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.
Contents of the file 'group.net.whatsapp.WhatsApp.shared.plist'
You should also pay special attention to the following directories:
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. Contains thumbnails of contacts and groups (files with the '.thumb' extension), contact avatars, and the avatar of the WhatsApp account owner (file 'Photo.jpg').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. Contains multimedia files and their thumbnails.
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'. Contains the program's operation log (file 'calls.log') and backup copies of the program's operation logs (file 'calls.backup.log').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. Contains stickers (files in '.webp' format).
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. Contains the program's operation log.
WhatsApp artifacts on Windows
WhatsApp artifacts on Windows can be found in several places. First of all, these are the directories containing the executable and auxiliary files (Windows 8/10):
- 'C:\Program Files (x86)\WhatsApp'
- 'C:\Users\%User Profile%\AppData\Local\WhatsApp'
- 'C:\Users\%User Profile%\AppData\Local\VirtualStore\Program Files (x86)\WhatsApp'
In the directory 'C:\Users\%User Profile%\AppData\Local\WhatsApp' there is the log file 'SquirrelSetup.log', which contains information about checks for updates and about the installation of the program.
In the directory 'C:\Users\%User Profile%\AppData\Roaming\WhatsApp' there are several subdirectories:
The file 'main-process.log' contains information about the operation of the WhatsApp program.
The subdirectory 'databases' contains the file 'Databases.db', but this file does not contain any information about chats or contacts.
The most interesting from the forensic point of view are the files in the 'Cache' directory. These are mainly files named 'f_*********' (where * is a digit from 0 to 9) containing encrypted media files and documents, but unencrypted files are also present. Of particular interest are the files 'data_0', 'data_1', 'data_2', 'data_3', located in the same subdirectory. The files 'data_0', 'data_1', 'data_3' contain external links to the transferred encrypted media files and documents.
Example of the data contained in the file 'data_1'
The file 'data_3' may also contain image files.
The file 'data_2' contains contact avatars (they can be recovered by searching for file headers).
Avatars contained in the file 'data_2':
So, the chats themselves cannot be found in the computer's memory, but you can find:
- multimedia files;
- documents transferred via WhatsApp;
- information about the account owner's contacts.
WhatsApp artifacts on macOS
On macOS you can find the same kinds of WhatsApp artifacts as on Windows OS.
The program's files are located in the following directories:
- 'C:\Applications\WhatsApp.app'
- 'C:\Applications\._WhatsApp.app'
- 'C:\Users\%User Profile%\Library\Preferences'
- 'C:\Users\%User Profile%\Library\Logs\WhatsApp'
- 'C:\Users\%User Profile%\Library\Saved Application State\WhatsApp.savedState'
- 'C:\Users\%User Profile%\Library\Application Scripts'
- 'C:\Users\%User Profile%\Library\Application Support\CloudDocs'
- 'C:\Users\%User Profile%\Library\Application Support\WhatsApp.ShipIt'
- 'C:\Users\%User Profile%\Library\Containers\com.rockysandstudio.app-for-whatsapp'
- 'C:\Users\%User Profile%\Library\Mobile Documents\<text variable>\WhatsApp Accounts'
This directory contains subdirectories whose names are the phone numbers associated with the WhatsApp account owner.
- 'C:\Users\%User Profile%\Library\Caches\WhatsApp.ShipIt'
This directory contains information about the installation of the program.
- 'C:\Users\%User Profile%\Pictures\iPhoto Library.photolibrary\Masters', 'C:\Users\%User Profile%\Pictures\iPhoto Library.photolibrary\Thumbnails'
These directories contain the program's service files, including photos and thumbnails of WhatsApp contacts.
- 'C:\Users\%User Profile%\Library\Caches\WhatsApp'
This directory contains several SQLite databases used for data storage.
- 'C:\Users\%User Profile%\Library\Application Support\WhatsApp'
This directory contains several subdirectories:
In the directory 'C:\Users\%User Profile%\Library\Application Support\WhatsApp\Cache' there are the files 'data_0', 'data_1', 'data_2', 'data_3' and files named 'f_*********' (where * is a digit from 0 to 9). For information about the data contained in these files, see the section on WhatsApp artifacts on Windows. The directory 'C:\Users\%User Profile%\Library\Application Support\WhatsApp\IndexedDB' may contain multimedia files (the files have no extension).
The file 'main-process.log' contains information about the operation of the WhatsApp program.
Upcoming articles in this series:
Decrypting encrypted WhatsApp data. An article that will provide information on how to extract the WhatsApp encryption key, with practical examples showing how to decrypt this application's databases.
Extracting WhatsApp data from cloud storage. An article in which I will describe what WhatsApp data is stored in the cloud and the methods for extracting this data from cloud storage.
WhatsApp data extraction: practical examples. An article that will describe step by step the tools and methods for extracting WhatsApp data from various devices.
Source: www.habr.com