WhatsApp in the palm of your hand: where and how to find forensic artifacts?


If you want to know what kinds of WhatsApp forensic artifacts exist on different operating systems and exactly where they can be found, this is the place for you. With this article, Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, begins a series of posts about WhatsApp artifacts and the information that can be obtained from analysing a device.

Let us note right away that different operating systems store different kinds of WhatsApp artifacts, and the fact that an investigator can extract certain types of WhatsApp data from one device does not mean that the same data can be extracted from another. For example, if a system unit running Windows OS is seized, WhatsApp chats will most likely not be found on its disks (except in backup copies of iOS devices, which may be stored on the same drives). The examination of laptops and mobile devices has its own characteristics. Let us discuss this in more detail.

WhatsApp artifacts on Android devices

To extract WhatsApp artifacts from an Android device, the investigator must have superuser ('root') rights on the device under examination, or be able to obtain a physical memory dump of the device or its file system by other means (for example, by using software vulnerabilities of the specific mobile device).

The application files are located in the phone's memory in the partition where user data is stored. As a rule, this partition is named 'userdata'. The program's directories and files are located at the path '/data/data/com.whatsapp/'.

The main files containing WhatsApp forensic artifacts on Android OS are the databases 'wa.db' and 'msgstore.db'.

The 'wa.db' database contains the complete contact list of a WhatsApp user, including phone numbers, display names, timestamps, and any other information provided during WhatsApp registration. The 'wa.db' file is located at the path '/data/data/com.whatsapp/databases/' and has the following structure:

[Figure: structure of the 'wa.db' database]

The most interesting tables in the 'wa.db' database for an investigator are:

  • 'wa_contacts'
    This table contains contact information: the WhatsApp contact ID, status information, the user's display name, timestamps, etc.

    Table structure:

    Field name: meaning
    _id: sequence number (in the SQL table)
    jid: WhatsApp contact ID, written in the format <phone number>@s.whatsapp.net
    is_whatsapp_user: '1' if the contact corresponds to an actual WhatsApp user, '0' otherwise
    status: the text displayed in the contact's status
    status_timestamp: timestamp in Unix Epoch Time (ms) format
    number: phone number associated with the contact
    raw_contact_id: contact serial number
    display_name: contact display name
    phone_type: phone type
    phone_label: label associated with the contact's number
    unseen_msg_count: number of messages sent by the contact but not yet read by the recipient
    photo_ts: timestamp in Unix Epoch Time format
    thumb_ts: timestamp in Unix Epoch Time format
    photo_id_timestamp: timestamp in Unix Epoch Time (ms) format
    given_name: matches the value of the 'display_name' field for each contact
    wa_name: the contact's WhatsApp name (the name specified in the displayed contact's profile)
    sort_name: contact name used in sort operations
    nickname: the contact's nickname in WhatsApp (the nickname specified in the displayed contact's profile)
    company: company (the company specified in the displayed contact's profile)
    title: title (Ms./Mr.; the title set in the displayed contact's profile)
  • 'sqlite_sequence'
    This table contains information about the number of contacts.
  • 'android_metadata'
    This table contains information about the WhatsApp language localisation.

The 'msgstore.db' database contains information about sent and received messages, such as the contact number, message text, message status, timestamps, details of the files transferred within messages, etc. The 'msgstore.db' file is located at the path '/data/data/com.whatsapp/databases/' and has the following structure:

[Figure: structure of the 'msgstore.db' database]

The most interesting tables in the 'msgstore.db' file for an investigator are:

  • 'sqlite_sequence'
    This table contains general information about the database, such as the total number of stored messages, the total number of chats, etc.
  • 'messages_fts_content'
    Contains the text of sent messages.
  • 'messages'
    This table contains information such as the contact number, message text, message status, timestamps, and information about the files transferred within messages.

    Table structure:

    Field name: meaning
    _id: sequence number (in the SQL table)
    key_remote_jid: WhatsApp ID of the conversation partner
    key_from_me: message direction: '0' incoming, '1' outgoing
    key_id: unique message identifier
    status: message status: '0' sent, '4' waiting on the server, '5' received at the destination, '6' control message, '13' message opened by the recipient (read)
    needs_push: '2' if the message is a broadcast message, otherwise '0'
    data: message text (when the 'media_wa_type' parameter is '0')
    timestamp: timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock
    media_url: URL of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_mime_type: MIME type of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_wa_type: message type: '0' text, '1' image file, '2' audio file, '3' video file, '4' contact card, '5' geodata
    media_size: size of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_name: name of the transferred file (when 'media_wa_type' is '1', '2' or '3')
    media_caption: contains the words 'audio' or 'video' for the corresponding 'media_wa_type' values (when 'media_wa_type' is '1' or '3')
    media_hash: base64-encoded hash of the transferred file, computed with the SHA-256 algorithm (when 'media_wa_type' is '1', '2' or '3')
    media_duration: duration of the media file in seconds (when 'media_wa_type' is '1', '2' or '3')
    origin: '2' if the message is a broadcast message, otherwise '0'
    latitude: geodata: latitude (when 'media_wa_type' is '5')
    longitude: geodata: longitude (when 'media_wa_type' is '5')
    thumb_image: service information
    remote_resource: sender ID (group chats only)
    received_timestamp: time of receipt, as a timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock (when 'key_from_me' is '0', '-1' or another value)
    send_timestamp: not used, always contains '-1'
    receipt_server_timestamp: time of receipt by the central server, as a timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock (when 'key_from_me' is '1', '-1' or another value)
    receipt_device_timestamp: time the message was received by the other subscriber, as a timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock (when 'key_from_me' is '1', '-1' or another value)
    read_device_timestamp: time the message was opened (read), as a timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock
    played_device_timestamp: time the message was played back, as a timestamp in Unix Epoch Time (ms) format; the value is taken from the device clock
    raw_data: thumbnail of the transferred file (when 'media_wa_type' is '1' or '3')
    recipient_count: number of recipients (for broadcast messages)
    participant_hash: used when sending messages with geodata
    starred: not used
    quoted_row_id: unknown, always contains '0'
    mentioned_jids: not used
    multicast_id: not used

    This list of fields is not exhaustive. Depending on the WhatsApp version, some fields may be present or absent. In addition, fields such as 'media_enc_hash', 'edit_version', 'payment_transaction_id' and others may be present.

  • 'messages_thumbnails'
    This table contains information about transferred images and their timestamps. In the 'timestamp' column the time is given in Unix Epoch Time (ms) format.
  • 'chat_list'
    This table contains information about chats.
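As an added example (not code from the original article), the following Python script decodes the 'messages' and 'wa_contacts' tables described above into a readable timeline: it attaches wa.db to msgstore.db so that contact names can be resolved, maps 'media_wa_type' and 'status' to their meanings, and converts the millisecond Unix timestamps, treating '-1' and NULL as unset. The sample rows, the group JID and the helper 'open_device_databases' are constructed for this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Code values taken from the 'messages' field descriptions above.
MEDIA_WA_TYPE = {0: "text", 1: "image", 2: "audio", 3: "video",
                 4: "contact card", 5: "geodata"}
STATUS = {0: "sent", 4: "waiting on server", 5: "received at destination",
          6: "control message", 13: "read"}


def epoch_ms_to_utc(ms):
    """Unix Epoch Time in milliseconds -> ISO-8601 UTC string.
    NULL and -1 (e.g. send_timestamp, or an unset read_device_timestamp) mean 'not set'."""
    if ms is None or ms < 0:
        return None
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ms % 1000)).isoformat(timespec="milliseconds")


def open_device_databases(msgstore_path, wa_path):
    """Hypothetical helper: open extracted copies read-only, wa.db attached as schema 'wa'.
    Copy the -wal and -shm files next to each database: the log fragment further down
    shows wa.db-wal at 428512 bytes, i.e. records not yet checkpointed into wa.db itself."""
    conn = sqlite3.connect(f"file:{msgstore_path}?mode=ro", uri=True)
    conn.execute("ATTACH DATABASE ? AS wa", (f"file:{wa_path}?mode=ro",))
    return conn


def build_sample():
    """Constructed stand-in for the two databases (sample rows, not from a real device)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS wa")
    conn.executescript("""
        CREATE TABLE wa.wa_contacts (_id INTEGER PRIMARY KEY, jid TEXT,
            is_whatsapp_user INTEGER, status TEXT, status_timestamp INTEGER,
            number TEXT, display_name TEXT, wa_name TEXT);
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT,
            key_from_me INTEGER, key_id TEXT, status INTEGER, data TEXT,
            timestamp INTEGER, media_wa_type INTEGER, media_mime_type TEXT,
            media_size INTEGER, media_name TEXT, latitude REAL, longitude REAL,
            remote_resource TEXT, received_timestamp INTEGER,
            read_device_timestamp INTEGER);
        INSERT INTO wa.wa_contacts VALUES (1, '79123456789@s.whatsapp.net', 1,
            'Hey there! I am using WhatsApp.', 1483976400000, '+79123456789', 'Alex', 'Alex');
        INSERT INTO messages VALUES (1, '79123456789@s.whatsapp.net', 0, 'A1', 0, 'hello',
            1484041029757, 0, NULL, NULL, NULL, NULL, NULL, NULL, 1484041030000, 1484041100000);
        INSERT INTO messages VALUES (2, '79123456789@s.whatsapp.net', 1, 'A2', 13, NULL,
            1484041129000, 1, 'image/jpeg', 20480, 'IMG-20170110-WA0001.jpg',
            NULL, NULL, NULL, -1, -1);
        INSERT INTO messages VALUES (3, '79123456789@s.whatsapp.net', 0, 'A3', 0, NULL,
            1484041229000, 5, NULL, NULL, NULL, 55.7558, 37.6176, NULL, 1484041230000, -1);
        INSERT INTO messages VALUES (4, '120363000000000000@g.us', 0, 'A4', 0, 'group text',
            1484041329000, 0, NULL, NULL, NULL, NULL, NULL, '79990001122@s.whatsapp.net',
            1484041330000, -1);
    """)
    return conn


def timeline(conn):
    """Decode every row of 'messages' into a reviewer-friendly record, ordered by time."""
    rows = conn.execute("""
        SELECT m._id, m.key_remote_jid, m.key_from_me, m.status, m.data, m.timestamp,
               m.media_wa_type, m.media_mime_type, m.media_name, m.latitude, m.longitude,
               m.remote_resource, m.received_timestamp, m.read_device_timestamp,
               COALESCE(c.display_name, c.wa_name, m.key_remote_jid) AS peer
        FROM messages m LEFT JOIN wa.wa_contacts c ON c.jid = m.key_remote_jid
        ORDER BY m.timestamp""").fetchall()
    out = []
    for (_id, jid, from_me, status, data, ts, wtype, mime, name, lat, lon,
         sender, recv_ts, read_ts, peer) in rows:
        if wtype == 0:
            content = data                       # text lives in 'data' only for type 0
        elif wtype == 5:
            content = f"{lat},{lon}"             # geodata: latitude/longitude columns
        else:
            content = f"{name} ({mime})"         # media: file name and MIME type
        out.append({
            "id": _id,
            "direction": "outgoing" if from_me == 1 else "incoming",
            "peer": peer,                        # chat partner, resolved through wa.db
            "sender": sender,                    # set only in group chats (remote_resource)
            "kind": MEDIA_WA_TYPE.get(wtype, f"unknown({wtype})"),
            "status": STATUS.get(status, f"unknown({status})"),
            "content": content,
            "time": epoch_ms_to_utc(ts),
            "received": epoch_ms_to_utc(recv_ts),
            "read": epoch_ms_to_utc(read_ts),
        })
    return out


if __name__ == "__main__":
    for rec in timeline(build_sample()):
        print(rec)
```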

Also, when examining WhatsApp on a mobile device running Android, you should pay attention to the following files:

  • File 'msgstore.db.cryptXX' (where XX is a one- or two-digit number from 0 to 12, for example msgstore.db.crypt12). Contains an encrypted backup of WhatsApp messages (a backup copy of the msgstore.db file). The 'msgstore.db.cryptXX' file(s) are located at '/data/media/0/WhatsApp/Databases/' (virtual SD card) or '/mnt/sdcard/WhatsApp/Databases/' (physical SD card).
  • File 'key'. Contains a cryptographic key. Located at '/data/data/com.whatsapp/files/'. Used to decrypt encrypted WhatsApp backups.
  • File 'com.whatsapp_preferences.xml'. Contains information about the WhatsApp account profile. The file is located at '/data/data/com.whatsapp/shared_prefs/'.

    Fragment of the file contents:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    …
    <string name="ph">9123456789</string> (phone number associated with the WhatsApp account)
    …
    <string name="version">2.17.395</string> (WhatsApp version)
    …
    <string name="my_current_status">Hey there! I am using WhatsApp.</string> (message shown in the account status)
    …
    <string name="push_name">Alex</string> (name of the account owner)
    …
  • File 'registration.RegisterPhone.xml'. Contains information about the phone number associated with the WhatsApp account. The file is located at '/data/data/com.whatsapp/shared_prefs/'.

    File contents:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <map>
    <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string>
    <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/>
    <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string>
    <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string>
    <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string>
    </map>
  • File 'axolotl.db'. Contains cryptographic keys and other data relevant to identifying the account owner. Located at '/data/data/com.whatsapp/databases/'.
  • File 'chatsettings.db'. Contains application configuration information.
  • File 'wa.db'. Contains contact details. A very interesting (from the forensic point of view) and informative database. It may contain detailed information about deleted contacts.

You should also pay attention to the following directories:

  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains transferred image files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Voice Notes/'. Contains voice messages as .OPUS files.
  • Directory '/data/data/com.whatsapp/cache/Profile Pictures/'. Contains image files: pictures of contacts.
  • Directory '/data/data/com.whatsapp/files/Avatars/'. Contains image files: thumbnail pictures of contacts. These files have the '.j' extension, but they are JPEG (JPG) image files.
  • Directory '/data/data/com.whatsapp/files/Avatars/'. Contains image files: the picture set as the avatar by the account owner and its thumbnail.
  • Directory '/data/data/com.whatsapp/files/Logs/'. Contains the program's activity log (file 'whatsapp.log') and backup copies of the activity logs (files named in the format whatsapp-yyyy-mm-dd.1.log.gz).

WhatsApp log files:

Log fragment:

2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] missedcall notification/init count:0 timestamp:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Worker #1] missedcall notification/update cancel true
2017-01-10 09:37:09.768 LL_I D [1: main] app-init/load-me
2017-01-10 09:37:09.772 LL_I D [1: main] password file missing or unreadable
2017-01-10 09:37:09.782 LL_I D [1: main] Messages: 59 sent, 82 received / Media messages: 1 sent (0 bytes), 0 received (9850158 bytes) / Offline messages: 81 received (19522 msec average delay) / Messaging: 116075 bytes sent, 211729 bytes received / Voip calls: 1 outgoing calls, 0 incoming calls, 2492 bytes sent, 1530 bytes received / Google Drive: 0 bytes sent, 0 bytes received / Browsing: 1524 bytes sent, 1826 bytes received / Total data: 118567 bytes sent, 10063417 received
2017-01-10 09:37:09.785 LL_I D [1: main] media-state-manager/refresh-media-state/write
2017-01-10 09:37:09.806 LL_I D [1: main] app-init/initialize/timer/stop: 24
2017-01-10 09:37:09.811 LL_I D [1: main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1: main] msgstore/checkhealth/journal/deleted false
2017-01-10 09:37:09.818 LL_I D [1: main] msgstore/checkhealth/backup/deleted false
2017-01-10 09:37:09.818 LL_I D [1: main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1: main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1: main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1: main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1: main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1: main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1: main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1: main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1: main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1: main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1: main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1: main] msgstore/checkdb/list wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1: main] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1: main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1: main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1: main] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1: main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1: main] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1: main] msgstore/canquery/timer/stop: 8
2017-01-10 09:37:09.847 LL_I D [1: main] msgstore/canquery 517 | time spent:8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/refresh-media-state/internal-storage avail:1,345,622,016 total:5,687,922,688

  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. Contains received audio files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/'. Contains sent audio files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Contains received image files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/Sent/'. Contains sent image files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/'. Contains received video files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/Sent/'. Contains sent video files.
  • Directory '/data/media/0/WhatsApp/Media/WhatsApp Profile Photos/'. Contains image files associated with the WhatsApp account owner.
  • To save memory space on an Android smartphone, some WhatsApp data may be stored on an SD card. In the root directory of the SD card there is a 'WhatsApp' directory, in which the following objects of the program can be found:

    [Figure: contents of the 'WhatsApp' directory on the SD card]

  • Directory '.Share' ('/mnt/sdcard/WhatsApp/.Share/'). Contains copies of files that were shared with other WhatsApp users.
  • Directory '.trash' ('/mnt/sdcard/WhatsApp/.trash/'). Contains deleted files.
  • Directory 'Databases' ('/mnt/sdcard/WhatsApp/Databases/'). Contains encrypted backups. They can be decrypted if the 'key' file has been extracted from the memory of the device under examination.

    Files located in the 'Databases' directory:

    [Figure: files in the 'Databases' directory]

  • Directory 'Media' ('/mnt/sdcard/WhatsApp/Media/'). Contains the subdirectories 'WallPaper', 'WhatsApp Audio', 'WhatsApp Images', 'WhatsApp Profile Photos', 'WhatsApp Video' and 'WhatsApp Voice Notes', which hold received and transmitted multimedia files (image files, video files, voice messages, photos associated with the WhatsApp account owner's profile, wallpapers).
  • Directory 'Profile Pictures' ('/mnt/sdcard/WhatsApp/Profile Pictures/'). Contains image files associated with the WhatsApp account owner's profile.
  • Sometimes a 'files' directory may be present on the SD card ('/mnt/sdcard/WhatsApp/files/'). This directory contains files that store program settings and user preferences.

Storage features of some mobile device models

Some models of mobile devices running Android OS may store WhatsApp artifacts in a different location. This is caused by changes to the storage location of application data made by the system software of the mobile device. For example, Xiaomi mobile devices have a function for creating a second workspace ("Second Space"). When this function is enabled, the location of the data changes. So, while on a normal mobile device running Android OS the user data is stored in the directory '/data/user/0/' (which is a reference to the usual '/data/data/'), in the second workspace the application data is stored in the directory '/data/user/10/'. That is, using the location of the 'wa.db' file as an example:

  • on a normal smartphone running Android OS: '/data/user/0/com.whatsapp/databases/wa.db' (which is equivalent to '/data/data/com.whatsapp/databases/wa.db');
  • in the second workspace of a Xiaomi smartphone: '/data/user/10/com.whatsapp/databases/wa.db'.

WhatsApp artifacts on iOS devices

Unlike Android OS, on iOS the WhatsApp application data is transferred into the backup copy (iTunes backup). Therefore, extracting data from this application does not require extracting the file system or creating a physical memory dump of the device under examination. Most of the relevant information is in the database 'ChatStorage.sqlite', which is located at the path '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (in some programs this path is shown as 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').

Structure of 'ChatStorage.sqlite':

[Figure: structure of the 'ChatStorage.sqlite' database]

The most informative tables in the 'ChatStorage.sqlite' database are 'ZWAMESSAGE' and 'ZWAMEDIAITEM'.

Structure of the 'ZWAMESSAGE' table:

Field name: meaning
Z_PK: sequence number (in the SQL table)
Z_ENT: table identifier, contains the value '9'
Z_OPT: unknown, usually contains values from '1' to '6'
ZCHILDMESSAGESDELIVEREDCOUNT: unknown, usually contains the value '0'
ZCHILDMESSAGESPLAYEDCOUNT: unknown, usually contains the value '0'
ZCHILDMESSAGESREADCOUNT: unknown, usually contains the value '0'
ZDATAITEMVERSION: unknown, usually contains the value '3'; possibly indicates a text message
ZDOCID: unknown
ZENCRETRYCOUNT: unknown, usually contains the value '0'
ZFILTEREDRECIPIENTCOUNT: unknown, usually contains the values '0', '2' or '256'
ZISFROMME: message direction: '0' incoming, '1' outgoing
ZMESSAGEERRORSTATUS: message delivery status; if the message was sent/received, it contains the value '0'
ZMESSAGETYPE: type of the transmitted message
ZSORT: unknown
ZSPOTLIGHTSTATUS: unknown
ZSTARRED: unknown, not used
ZCHATSESSION: unknown
ZGROUPMEMBER: unknown, not used
ZLASTSESSION: unknown
ZMEDIAITEM: unknown
ZMESSAGEINFO: unknown
ZPARENTMESSAGE: unknown, not used
ZMESSAGEDATE: timestamp in OS X Epoch Time format
ZSENTDATE: time the message was sent, in OS X Epoch Time format
ZFROMJID: WhatsApp ID of the sender
ZMEDIASECTIONID: contains the year and month in which the media file was sent
ZPHASH: unknown, not used
ZPUSHNAME: name of the contact who sent the media file, in UTF-8 format
ZSTANZAID: unique message identifier
ZTEXT: message text
ZTOJID: WhatsApp ID of the recipient

Structure of the 'ZWAMEDIAITEM' table:

Field name: meaning
Z_PK: sequence number (in the SQL table)
Z_ENT: table identifier, contains the value '8'
Z_OPT: unknown, usually contains values from '1' to '3'
ZCLOUDSTATUS: contains the value '4' if the file has been uploaded
ZFILESIZE: contains the file length (in bytes) for downloaded files
ZMEDIAORIGIN: unknown, usually contains the value '0'
ZMOVIEDURATION: duration of the media file; for pdf files it may contain the number of pages in the document
ZMESSAGE: contains a serial number (this number differs from the one in the 'Z_PK' column)
ZASPECTRATIO: aspect ratio, not used, usually set to '0'
ZHACCURACY: unknown, usually contains the value '0'
ZLATITUDE: width in pixels
ZLONGITUDE: height in pixels
ZMEDIAURLDATE: timestamp in OS X Epoch Time format
ZAUTHORNAME: author (for documents, may contain the file name)
ZCOLLECTIONNAME: not used
ZMEDIALOCALPATH: file name (with path) in the device file system
ZMEDIAURL: URL from which the media file came. If a file was transferred from one subscriber to another, it is encrypted and its extension is shown as the extension of the transferred file: .enc
ZTHUMBNAILLOCALPATH: path to the file's thumbnail in the device file system
ZTITLE: file title
ZVCARDNAME: hash of the media file; when a file is sent to a group, it may contain the sender identifier
ZVCARDSTRING: contains information about the type of the transferred file (for example, image/jpeg); when a file is sent to a group, it may contain the recipient identifier
ZXMPPTHUMBPATH: path to the file's thumbnail in the device file system
ZMEDIAKEY: unknown, probably contains the key for decrypting the encrypted file
ZMETADATA: metadata of the sent message

Other interesting tables in the 'ChatStorage.sqlite' database are:

  • 'ZWAPROFILEPUSHNAME'. Matches a WhatsApp ID with the contact name;
  • 'ZWAPROFILEPICTUREITEM'. Matches a WhatsApp ID with the contact's avatar;
  • 'Z_PRIMARYKEY'. This table contains general information about the database, such as the total number of stored messages, the total number of chats, etc.
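An added example (not from the original article) that reads the ZWAMESSAGE and ZWAMEDIAITEM tables described above from a constructed copy of 'ChatStorage.sqlite': it converts the OS X Epoch Time values (seconds counted from 2001-01-01, not from 1970) and shows what a tool that treats them as Unix time would report. It assumes that ZWAMEDIAITEM.ZMESSAGE references ZWAMESSAGE.Z_PK, which the table descriptions above do not state; the sample rows and the media URL are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# OS X (Cocoa) Epoch Time counts seconds from 2001-01-01 00:00:00 UTC,
# which is 978307200 seconds after the Unix epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """ZMESSAGEDATE / ZSENTDATE / ZMEDIAURLDATE value -> ISO-8601 UTC string (None stays None)."""
    if seconds is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat(timespec="seconds")


def unix_misread(seconds):
    """What a tool that wrongly treats the same value as Unix Epoch Time reports: 31 years early."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(timespec="seconds")


def build_sample():
    """Constructed stand-in for ChatStorage.sqlite (sample rows, not from a real device)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZISFROMME INTEGER,
            ZMESSAGEDATE REAL, ZSENTDATE REAL, ZFROMJID TEXT, ZTOJID TEXT,
            ZPUSHNAME TEXT, ZSTANZAID TEXT, ZTEXT TEXT);
        CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZFILESIZE INTEGER,
            ZMESSAGE INTEGER, ZMEDIALOCALPATH TEXT, ZMEDIAURL TEXT, ZVCARDSTRING TEXT);
        INSERT INTO ZWAMESSAGE VALUES (1, 9, 0, 505733829.0, NULL,
            '79123456789@s.whatsapp.net', NULL, 'Alex', 'S1', 'hello');
        INSERT INTO ZWAMESSAGE VALUES (2, 9, 1, 505733889.0, 505733889.0,
            NULL, '79123456789@s.whatsapp.net', NULL, 'S2', NULL);
        INSERT INTO ZWAMEDIAITEM VALUES (1, 8, 20480, 2,
            'Message/Media/79123456789@s.whatsapp.net/IMG-0001.jpg',
            'https://example.invalid/constructed-sample.enc', 'image/jpeg');
    """)
    return conn


def ios_messages(conn):
    """Join ZWAMESSAGE with ZWAMEDIAITEM (assumed link: ZWAMEDIAITEM.ZMESSAGE -> ZWAMESSAGE.Z_PK)
    and decode direction, peer and the Cocoa-epoch timestamps."""
    rows = conn.execute("""
        SELECT m.Z_PK, m.ZISFROMME, m.ZMESSAGEDATE, m.ZSENTDATE, m.ZFROMJID, m.ZTOJID,
               m.ZPUSHNAME, m.ZTEXT, i.ZMEDIALOCALPATH, i.ZVCARDSTRING, i.ZFILESIZE, i.ZMEDIAURL
        FROM ZWAMESSAGE m LEFT JOIN ZWAMEDIAITEM i ON i.ZMESSAGE = m.Z_PK
        ORDER BY m.ZMESSAGEDATE""").fetchall()
    out = []
    for pk, from_me, mdate, sdate, fjid, tjid, push, text, path, mime, size, url in rows:
        media = None
        if path is not None:
            media = {"path": path, "mime": mime, "size": size,
                     # a .enc URL marks the transferred copy as encrypted (see ZMEDIAURL above)
                     "encrypted_in_transit": bool(url and url.endswith(".enc"))}
        out.append({
            "pk": pk,
            "direction": "outgoing" if from_me == 1 else "incoming",
            "peer": tjid if from_me == 1 else fjid,   # ZTOJID for sent, ZFROMJID for received
            "push_name": push,
            "time": cocoa_to_utc(mdate),
            "sent": cocoa_to_utc(sdate),
            "text": text,
            "media": media,
        })
    return out


if __name__ == "__main__":
    for rec in ios_messages(build_sample()):
        print(rec)
    print("same ZMESSAGEDATE read as Unix time:", unix_misread(505733829))
```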

Also, when examining WhatsApp on a mobile device running iOS, you should pay attention to the following files:

  • File 'BackedUpKeyValue.sqlite'. Contains cryptographic keys and other data relevant to identifying the account owner. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • File 'ContactsV2.sqlite'. Contains information about the user's contacts, such as full name, phone number, contact status (as text), WhatsApp ID, etc. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • File 'ClientVersion'. Contains the version number of the installed WhatsApp application. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'.
  • File 'current_wallpaper.jpg'. Contains the current WhatsApp background wallpaper. Located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/'. Older versions of the application used the file 'wallpaper', located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
  • File 'blockedcontacts.dat'. Contains information about blocked contacts. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
  • File 'pw.dat'. Contains the encrypted password. Located at '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
  • File 'net.whatsapp.WhatsApp.plist' (or the file 'group.net.whatsapp.WhatsApp.shared.plist'). Contains information about the WhatsApp account profile. The file is located at '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.

Contents of the file 'group.net.whatsapp.WhatsApp.shared.plist':

[Figure: contents of 'group.net.whatsapp.WhatsApp.shared.plist']

You should also pay attention to the following directories:

  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. Contains thumbnails of contacts and groups (files with the '.thumb' extension), contact avatars, and the avatar of the WhatsApp account owner (file 'Photo.jpg').
  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. Contains multimedia files and their thumbnails.
  • Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'. Contains the program's activity log (file 'calls.log') and a backup copy of the activity log (file 'calls.backup.log').
  • Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. Contains stickers (files in '.webp' format).
  • Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. Contains the program's activity logs.

WhatsApp artifacts on Windows

WhatsApp artifacts on Windows can be found in several places. First of all, these are the directories containing the executable and auxiliary files of the program (for Windows 8/10):

  • 'C:\Program Files (x86)\WhatsApp'
  • 'C:\Users\%UserProfile%\AppData\Local\WhatsApp'
  • 'C:\Users\%UserProfile%\AppData\Local\VirtualStore\Program Files (x86)\WhatsApp'

The directory 'C:\Users\%UserProfile%\AppData\Local\WhatsApp' contains the log file 'SquirrelSetup.log', which holds information about checking for updates and installing the program.

The directory 'C:\Users\%UserProfile%\AppData\Roaming\WhatsApp' contains several subdirectories:

[Figure: subdirectories of 'C:\Users\%UserProfile%\AppData\Roaming\WhatsApp']

The file 'main-process.log' contains information about the operation of the WhatsApp program.

The 'databases' subdirectory contains the file 'Databases.db', but this file does not contain any information about chats or contacts.

The most interesting files from the forensic point of view are those in the 'Cache' directory. These are mainly files named 'f***' (where * is a digit from 0 to 9) containing encrypted multimedia files and documents, but there are also files with unencrypted content among them. Of particular interest are the files 'data_0', 'data_1', 'data_2' and 'data_3', located in the same subdirectory. The files 'data_0', 'data_1' and 'data_3' contain external links for downloading encrypted multimedia files and documents.

[Figure: example of the information contained in the file 'data_1']

The file 'data_3' may also contain image files.

The file 'data_2' contains contact avatars (they can be recovered by searching for file headers).

[Figure: avatars contained in the file 'data_2']
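Recovering the avatars from 'data_2' by searching for file headers, as an added example (not the article's own tool): the carver walks the JPEG marker segments from each FF D8 FF header to the matching FF D9 end, so an EXIF thumbnail embedded inside an image does not cut the outer image short, and a truncated image is reported rather than silently skipped. The sample blob is constructed; 'carve_file' is a hypothetical helper for real cache files. The same header check applies to the '.j' avatar files on Android described earlier.

```python
import os

SOI = b"\xff\xd8\xff"      # JPEG start-of-image followed by the first marker byte


def jpeg_length(blob, start):
    """Walk the JPEG marker segments that begin at blob[start] (an SOI) and return the
    image's length in bytes, or None if the image is truncated or loses marker sync.
    Following segment lengths (instead of stopping at the first FF D9) means an EXIF
    thumbnail embedded in an APP1 segment does not end the outer image early."""
    n = len(blob)
    i = start + 2
    while i + 2 <= n:
        if blob[i] != 0xFF:
            return None                              # not at a marker: corrupt data
        marker = blob[i + 1]
        if marker == 0xFF:                           # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                           # EOI: image ends here
            return i + 2 - start
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                                   # stand-alone markers have no length
            continue
        if i + 4 > n:
            return None
        seglen = int.from_bytes(blob[i + 2:i + 4], "big")
        if seglen < 2:
            return None
        i += 2 + seglen
        if marker == 0xDA:                           # SOS: skip entropy-coded data up to the
            while i + 1 < n and not (               # next real marker (not FF00, not RSTn)
                blob[i] == 0xFF and blob[i + 1] != 0x00
                and not 0xD0 <= blob[i + 1] <= 0xD7
            ):
                i += 1
    return None


def carve_jpegs(blob):
    """Find every JPEG in a byte string. Complete images carry their bytes; a truncated
    image is reported with complete=False so the analyst can still inspect it."""
    results, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            return results
        length = jpeg_length(blob, start)
        if length is None:
            results.append({"offset": start, "size": None, "complete": False})
            pos = start + 3                          # keep scanning after the damaged header
        else:
            results.append({"offset": start, "size": length, "complete": True,
                            "data": blob[start:start + length]})
            pos = start + length


def carve_file(path, out_dir):
    """Hypothetical helper: carve a cache file such as data_2 into <out_dir>/<offset>.jpg."""
    with open(path, "rb") as fh:
        blob = fh.read()
    os.makedirs(out_dir, exist_ok=True)
    found = [r for r in carve_jpegs(blob) if r["complete"]]
    for r in found:
        with open(os.path.join(out_dir, f"{r['offset']:08x}.jpg"), "wb") as out:
            out.write(r["data"])
    return len(found)


def make_jpeg(scan, embedded=None):
    """Build a minimal JPEG-shaped byte string for testing (constructed, not a real image)."""
    data = b"\xff\xd8"
    if embedded is not None:                         # APP1 carrying an EXIF-style thumbnail
        body = b"Exif\x00\x00" + embedded
        data += b"\xff\xe1" + (len(body) + 2).to_bytes(2, "big") + body
    data += b"\xff\xda" + (2).to_bytes(2, "big")     # SOS header with no payload
    return data + scan + b"\xff\xd9"


# Constructed sample blob: junk, a plain image, an image with an embedded thumbnail,
# padding, and a final image cut off before its EOI.
JPEG_A = make_jpeg(b"\x01\x02\x03\xff\x00\x04")     # includes a stuffed FF 00 byte pair
JPEG_B = make_jpeg(b"\x05\x06\x07\x08\x09\x0a", embedded=JPEG_A)
TRUNCATED = b"\xff\xd8\xff\xda\x00\x02\x01\x02"
SAMPLE_BLOB = b"header-junk\x00" + JPEG_A + b"\x00\x00" + JPEG_B + b"pad" + TRUNCATED


if __name__ == "__main__":
    for rec in carve_jpegs(SAMPLE_BLOB):
        print(rec["offset"], rec["size"], rec["complete"])
```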
So, the chats themselves cannot be found in the computer's storage, but you can find:

  • multimedia files;
  • documents transferred via WhatsApp;
  • information about the account owner's contacts.

WhatsApp artifacts on macOS

On macOS you can find the same kinds of WhatsApp artifacts as on Windows OS.

The program files are located in the following directories:

  • '/Applications/WhatsApp.app'
  • '/Applications/._WhatsApp.app'
  • '/Users/%UserProfile%/Library/Preferences'
  • '/Users/%UserProfile%/Library/Logs/WhatsApp'
  • '/Users/%UserProfile%/Library/Saved Application State/WhatsApp.savedState'
  • '/Users/%UserProfile%/Library/Application Scripts'
  • '/Users/%UserProfile%/Library/Application Support/CloudDocs'
  • '/Users/%UserProfile%/Library/Application Support/WhatsApp.ShipIt'
  • '/Users/%UserProfile%/Library/Containers/com.rockysandstudio.app-for-whatsapp'
  • '/Users/%UserProfile%/Library/Mobile Documents/<variable string>/WhatsApp Accounts'
    This directory contains subdirectories whose names are the phone numbers associated with the WhatsApp account owner.
  • '/Users/%UserProfile%/Library/Caches/WhatsApp.ShipIt'
    This directory contains information about the installation of the program.
  • '/Users/%UserProfile%/Pictures/iPhoto Library.photolibrary/Masters', '/Users/%UserProfile%/Pictures/iPhoto Library.photolibrary/Thumbnails'
    These directories contain the program's working files, including photos and thumbnails of WhatsApp contacts.
  • '/Users/%UserProfile%/Library/Caches/WhatsApp'
    This directory contains several SQLite databases used for caching data.
  • '/Users/%UserProfile%/Library/Application Support/WhatsApp'
    This directory contains several subdirectories:

    [Figure: subdirectories of '/Users/%UserProfile%/Library/Application Support/WhatsApp']

    The directory '/Users/%UserProfile%/Library/Application Support/WhatsApp/Cache' contains the files 'data_0', 'data_1', 'data_2', 'data_3' and files named 'f***' (where * is a digit from 0 to 9). For a description of what these files contain, see 'WhatsApp artifacts on Windows'.

    The directory '/Users/%UserProfile%/Library/Application Support/WhatsApp/IndexedDB' may contain multimedia files (the files have no extensions).

    The file 'main-process.log' contains information about the operation of the WhatsApp program.


In the following articles of this series:

  • Decryption of encrypted WhatsApp databases. An article that explains how the WhatsApp encryption key is generated and gives practical examples of how to decrypt this application's encrypted databases.
  • Extracting WhatsApp data from cloud storage. An article in which we describe what WhatsApp data is stored in the clouds and the methods for retrieving this data from cloud storage.
  • WhatsApp data extraction: practical examples. An article that describes step by step which programs to use and how to extract WhatsApp data from various devices.

Source: www.habr.com
