Uma ufuna ukwazi ukuthi yiziphi izinhlobo ze-WhatsApp forensic artific ezikhona ezinhlelweni zokusebenza ezihlukene nokuthi zingatholakala kuphi, khona-ke lena yindawo yakho. Lesi sihloko sivela kuchwepheshe we-Group-IB Computer Forensics Laboratory Igor Mikhailov iqala uchungechunge lokuthunyelwe mayelana ne-WhatsApp forensics nokuthi yiluphi ulwazi olungatholwa ekuhlaziyeni idivayisi.
Masiqaphele ngokushesha ukuthi izinhlelo zokusebenza ezihlukene zigcina izinhlobo ezahlukene zezinto zobuciko ze-WhatsApp, futhi uma umcwaningi ekwazi ukukhipha izinhlobo ezithile zedatha ye-WhatsApp kudivayisi eyodwa, lokhu akusho ukuthi izinhlobo ezifanayo zedatha zingakhishwa kwenye idivayisi. Isibonelo, uma iyunithi yesistimu esebenzisa i-Windows OS isusiwe, izingxoxo ze-WhatsApp cishe ngeke zitholakale kumadiski ayo (ngaphandle kwamakhophi ayisipele wamadivayisi we-iOS, angatholakala kumadrayivu afanayo). Ukuthathwa kwama-laptops namadivayisi eselula kuzoba nezakho izici. Ake sixoxe kabanzi ngalokhu.
Ama-artifact e-WhatsApp kudivayisi ye-Android
Ukuze kukhishwe izinto zobuciko ze-WhatsApp kudivayisi ye-Android, umcwaningi kufanele abe namalungelo omsebenzisi omkhulu ('impande') ocingweni olusacwaningwayo noma ukwazi ukukhipha ukulahlwa okungokoqobo kwememori yedivayisi, noma isistimu yayo yefayela (isibonelo, kusetshenziswa ubungozi besofthiwe yedivayisi ethile yeselula).
Amafayela ohlelo lokusebenza atholakala kumemori yefoni esigabeni lapho kugcinwa khona idatha yomsebenzisi. Njengomthetho, lesi sigaba siqanjwe 'idatha yomsebenzisi'. Imibhalo engezansi namafayela ohlelo atholakala endleleni: '/data/data/com.whatsapp/'.
Amafayela amakhulu aqukethe izinto zokwenziwa ze-WhatsApp ze-forensic ku-Android OS ayisizindalwazi 'wa.db' ΠΈ 'msgstore.db'.
Kusizindalwazi 'wa.db' iqukethe uhlu lokuxhumana oluphelele lomsebenzisi we-WhatsApp, okuhlanganisa inombolo yocingo, igama eliboniswayo, izitembu zesikhathi, kanye nanoma yimiphi eminye imininingwane enikeziwe ngenkathi ubhalisela i-WhatsApp. Ifayela 'wa.db' etholakala endleleni: '/data/data/com.whatsapp/databases/' futhi inesakhiwo esilandelayo:
Amathebula athakazelisa kakhulu kusizindalwazi 'wa.db' ngoba umcwaningi yilezi:
- 'wa_contacts'
Leli thebula liqukethe imininingwane yokuxhumana: i-id yokuxhumana ye-WhatsApp, imininingwane yesimo, igama lesibonisi somsebenzisi, izitembu zesikhathi, njll.Ukubukeka kwethebula:
Isakhiwo sethebulaIgama lenkundla Okushoyo _id inombolo yokulandelana kwerekhodi (kuthebula le-SQL) jid I-ID yokuxhumana ye-WhatsApp, ebhalwe ngefomethi <inombolo yocingo>@s.whatsapp.net ungumsebenzisi_we-whatsapp iqukethe '1' uma othintana naye ehambisana nomsebenzisi wangempela we-WhatsApp, '0' uma kungenjalo Isimo iqukethe umbhalo ovezwe esimweni soxhumana naye status_timestamp iqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms). inombolo inombolo yocingo ehlotshaniswa noxhumana naye ubunikazi_boxhumana nabo_oluhlaza inombolo ye-serial yokuxhumana Bonisa igama igama lesibonisi soxhumana naye uhlobo_lwefoni uhlobo lwefoni ilebula_yefoni ilebula ehlobene nenombolo yokuxhumana i-msg_count_engabonakali inombolo yemilayezo ethunyelwe othintana naye kodwa engafundwanga umemukeli izithombe_ts iqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time isithupha_izithupha iqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time isithombe_id_isitembu sesikhathi iqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms). igama elinikeziwe inani lenkundla lifana 'negama_lokubonisa' koxhumana naye ngamunye igama Igama lokuxhumana le-WhatsApp (igama elishiwo kuphrofayela yoxhumana naye liyaboniswa) hlunga_igama igama loxhumana naye elisetshenziswa emisebenzini yokuhlunga isidlaliso isidlaliso soxhumana naye ku-WhatsApp (isidlaliso esishiwo kuphrofayela yoxhumana naye siyaboniswa) inkampani inkampani (inkampani eshiwo kuphrofayela yoxhumana naye iyaboniswa) isihloko isihloko (Nks./Mnu.; isihloko esimisiwe kuphrofayela yokuxhumana siyaboniswa) offset ukwenzelela - 'sqlite_sequence'
Leli thebula liqukethe ulwazi mayelana nenani loxhumana nabo; - 'android_metadata'
Leli thebula liqukethe ulwazi mayelana nokwenza kwasendaweni kolimi lwe-WhatsApp.
Kusizindalwazi 'msgstore.db' iqukethe ulwazi mayelana nemiyalezo ethunyelwe, njengenombolo yokuxhumana, umbhalo womlayezo, isimo somlayezo, izitembu zesikhathi, imininingwane yamafayela adlulisiwe afakwe emilayezweni, njll. Ifayela 'msgstore.db' etholakala endleleni: '/data/data/com.whatsapp/databases/' futhi inesakhiwo esilandelayo:
Amathebula athakazelisa kakhulu efayelini 'msgstore.db' ngoba umcwaningi yilezi:
- 'sqlite_sequence'
Leli thebula liqukethe ulwazi olujwayelekile mayelana nalesi sizindalwazi, njengesamba senani lemilayezo egciniwe, inani eliphelele lezingxoxo, njll.Ukubukeka kwethebula:
- 'umlayezo_fts_okuqukethwe'
Iqukethe umbhalo wemilayezo ethunyelwe.Ukubukeka kwethebula:
- 'imiyalezo'
Leli thebula liqukethe ulwazi olufana nenombolo yokuxhumana, umbhalo womyalezo, isimo somlayezo, izitembu zesikhathi, ulwazi mayelana namafayela adlulisiwe afakwe emilayezweni.Ukubukeka kwethebula:
Isakhiwo sethebulaIgama lenkundla Okushoyo _id inombolo yokulandelana kwerekhodi (kuthebula le-SQL) key_remote_jid I-ID ye-WhatsApp yozakwethu wokuxhumana ukhiye_ovela_kimi isiqondiso somlayezo: '0' - engenayo, '1' - ephumayo key_id isihlonzi somlayezo esiyingqayizivele Isimo isimo somlayezo: '0' - ilethiwe, '4' - ukulinda kuseva, '5' - kutholwa lapho kuyiwa khona, '6' - umlayezo wokulawula, '13' - umyalezo ovulwe umemukeli (funda) dinga_phusha inenani '2' uma kungumlayezo osakazwayo, ngaphandle kwalokho iqukethe '0' idatha umbhalo womlayezo (uma ipharamitha ye-'media_wa_type' ingu-'0') isitembu sesikhathi iqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms), inani lithathwa ewashini ledivayisi media_url iqukethe i-URL yefayela elidlulisiwe (uma ipharamitha ye-'media_wa_type' ithi '1', '2', '3') media_mime_type Uhlobo lwe-MIME lwefayela elidlulisiwe (uma ipharamitha ye-'media_wa_type' ilingana no-'1', '2', '3') imidiya_wa_uhlobo uhlobo lomlayezo: '0' - umbhalo, '1' - ifayela eliyisithombe, '2' - ifayela lomsindo, '3' - ifayela levidiyo, '4' - ikhadi lokuxhumana, '5' - geodata usayizi_wemidiya usayizi wefayela elidlulisiwe (lapho ipharamitha ye-'media_wa_type' ingu-'1', '2', '3') igama_lemidiya Igama lefayela elidlulisiwe (lapho ipharamitha ye-'media_wa_type' ithi '1', '2', '3') i-media_caption Iqukethe amagama 'umsindo', 'ividiyo' amanani ahambisanayo wepharamitha ye-'media_wa_type' (lapho ipharamitha ye-'media_wa_type' ingu-'1', '3') media_hash I-base64 encoded hash yefayela elidlulisiwe, elibalwa kusetshenziswa i-algorithm ye-HAS-256 (lapho ipharamitha ye-'media_wa_type' ilingana no-'1', '2', '3') ubude_bemidiya ubude besikhathi ngemizuzwana yefayela lemidiya (lapho i-'media_wa_type' ithi '1', '2', '3') Umsuka inenani '2' uma kungumlayezo osakazwayo, ngaphandle kwalokho iqukethe '0' i-latitude i-geodata: i-latitude (uma ipharamitha ye-'media_wa_type' ingu-'5') ubude i-geodata: i-longitude (lapho ipharamitha ye-'media_wa_type' ingu-'5') isithombe_sesithupha ulwazi lwesevisi insiza_ekude I-ID yomthumeli (yezingxoxo zeqembu kuphela) isitembu_sesikhathi esitholiwe isikhathi sokuthola, siqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms), inani lithathwa ewashini ledivayisi (uma ipharamitha ethi 'key_from_me' ino-'0', '-1' noma elinye inani) thumela_isitembu sesikhathi ayisetshenziswanga, ngokuvamile inenani '-1' receipt_server_timestamp isikhathi esitholwe iseva emaphakathi, siqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms), inani lithathwa ewashini ledivayisi (uma ipharamitha ethi 'key_from_me' ino-'1', '-1' noma elinye inani. receipt_device_timestamp isikhathi umlayezo utholwe ngaso omunye obhalisile, siqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms), inani lithathwa ewashini ledivayisi (lapho ipharamitha ethi 'key_from_me' ino-'1', '-1' noma elinye inani. isitembu_sesikhathi_sedivayisi isikhathi sokuvula (ukufunda) umlayezo, siqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms), inani lithathwa ewashini ledivayisi play_device_timestamp isikhathi sokudlala umlayezo, siqukethe isitembu sesikhathi ngefomethi ye-Unix Epoch Time (ms), inani lithathwa ewashini ledivayisi idatha_eluhlaza isithonjana sefayela elidlulisiwe (uma ipharamitha ye-'media_wa_type' ingu-'1' noma '3') isibalo_somamukeli inombolo yabamukeli (yemilayezo esakazwayo) hashi_yomhlanganyeli esetshenziswa lapho kuthunyelwa imilayezo nge-geodata inkanyezi ayisetshenzisiwe ubunikazi_bomugqa_ocashuniwe ayaziwa, ngokuvamile iqukethe inani '0' ushilo_ijids ayisetshenzisiwe multicast_id ayisetshenzisiwe offset ukwenzelela Lolu hlu lwezinkambu aluphelele. Ezinguqulweni ezihlukene ze-WhatsApp, ezinye izinkambu zingase zibe khona noma zingabikho. Ukwengeza, izinkambu zingase zibe khona 'media_enc_hash', 'edit_version', 'ubunikazi_bomsebenzi_wokukhokha' nokunye.
- 'imiyalezo_izithonjana'
Leli thebula liqukethe ulwazi mayelana nezithombe ezidlulisiwe nezitembu zesikhathi. Kukholomu 'yesitembu sesikhathi', isikhathi sikhonjiswe ngefomethi ye-Unix Epoch Time (ms). - 'chat_list'
Leli thebula liqukethe ulwazi mayelana nezingxoxo.Ukubukeka kwethebula:
Futhi, lapho uhlola i-WhatsApp kudivayisi yeselula esebenzisa i-Android, kufanele unake amafayela alandelayo:
- Π€Π°ΠΉΠ» 'msgstore.db.cryptXX' (lapho u-XX eyidijithi eyodwa noma amabili ukusuka ku-0 kuye ku-12, isibonelo, msgstore.db.crypt12). Iqukethe isipele esibethelwe semilayezo ye-WhatsApp (ifayela eliyisipele msgstore.db). Amafayela 'msgstore.db.cryptXX' etholakala endleleni: '/data/media/0/WhatsApp/Databases/' (ikhadi le-SD elibonakalayo), '/mnt/sdcard/WhatsApp/Database/ (ikhadi le-SD elingokoqobo)'.
- Π€Π°ΠΉΠ» 'ukhiye'. Iqukethe ukhiye we-cryptographic. Itholakala endleleni: '/data/data/com.whatsapp/files/'. Isetshenziselwa ukususa ukubethela izipele ze-WhatsApp ezibethelwe.
- Π€Π°ΠΉΠ» 'com.whatsapp_preferences.xml'. Iqukethe ulwazi mayelana nephrofayela yakho ye-akhawunti ye-WhatsApp. Ifayela litholakala endleleni: '/data/data/com.whatsapp/shared_prefs/'.
Isiqephu sokuqukethwe kwefayela
<?xml version="1.0" encoding="ISO-8859-1"?> β¦ <string name="ph">9123456789</string> (Π½ΠΎΠΌΠ΅Ρ ΡΠ΅Π»Π΅ΡΠΎΠ½Π°, Π°ΡΡΠΎΡΠΈΠΈΡΠΎΠ²Π°Π½Π½ΡΠΉ Ρ Π°ΠΊΠΊΠ°ΡΠ½ΡΠΎΠΌ WhatsApp) β¦ <string name="version">2.17.395</string> (Π²Π΅ΡΡΠΈΡ WhatsApp) β¦ <string name="my_current_status">Hey there! I am using WhatsApp.</string> (ΡΠΎΠΎΠ±ΡΠ΅Π½ΠΈΠ΅, ΠΎΡΠΎΠ±ΡΠ°ΠΆΠ°Π΅ΠΌΠΎΠ΅ Π² ΡΡΠ°ΡΡΡΠ΅ Π°ΠΊΠΊΠ°ΡΠ½ΡΠ°) β¦ <string name="push_name">Alex</string> (ΠΈΠΌΡ Π²Π»Π°Π΄Π΅Π»ΡΡΠ° Π°ΠΊΠΊΠ°ΡΠ½ΡΠ°) β¦ - Π€Π°ΠΉΠ» 'registration.RegisterPhone.xml'. Iqukethe ulwazi mayelana nenombolo yocingo ehlotshaniswa ne-akhawunti ye-WhatsApp. Ifayela litholakala endleleni: '/data/data/com.whatsapp/shared_prefs/'.
Okuqukethwe kwefayela
<?xml version="1.0" encoding="ISO-8859-1"?> <map> <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string> <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/> <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/> <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string> <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/> <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string> <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string> </map> - Π€Π°ΠΉΠ» 'axolotl.db'. Iqukethe okhiye be-cryptographic kanye nenye idatha edingekayo ukuze kukhonjwe umnikazi we-akhawunti. Itholakala endleleni: '/data/data/com.whatsapp/databases/'.
- Π€Π°ΠΉΠ» 'chatsettings.db'. Iqukethe imininingwane yokumisa uhlelo lokusebenza.
- Π€Π°ΠΉΠ» 'wa.db'. Iqukethe imininingwane yokuxhumana. Okuthakazelisa kakhulu (kusuka esicini se-forensic) kanye nesizindalwazi esinolwazi. Ingaqukatha imininingwane enemininingwane mayelana noxhumana nabo abasusiwe.
Udinga futhi ukunaka le mibhalo elandelayo:
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Iqukethe amafayela wesithombe adlulisiwe.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Voice Notes/'. Iqukethe imilayezo yezwi kumafayela efomethi ye-.OPUS.
- Directory '/data/data/com.whatsapp/cache/Izithombe Zephrofayela/'. Iqukethe amafayela ayingcaca β izithombe zoxhumana nabo.
- Directory '/data/data/com.whatsapp/files/Avatars/'. Iqukethe amafayela ayingcaca β izithonjana zezithombe zoxhumana nabo. Lawa mafayela anesandiso se-'.j' kodwa angamafayela esithombe e-JPEG (JPG).
- Directory '/data/data/com.whatsapp/files/Avatars/'. Iqukethe amafayela ayingcaca - isithombe nesithonjana sesithombe esisethwe njengesithombe ngumnikazi we-akhawunti.
- Directory '/data/data/com.whatsapp/files/Logs/'. Iqukethe ilogi yokusebenza kohlelo (ifayela 'whatsapp.log') namakhophi ayisipele amalogi okusebenza kohlelo (amafayela anamagama ngefomethi ethi whatsapp-yyyy-mm-dd.1.log.gz).
Amafayela Elogi e-WhatsApp:
Isiqephu sejenali2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] missedcallnotification/init count:0 isitembu sesikhathi:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Worker #1] missedcallnotification/update khansela iqiniso
2017-01-10 09:37:09.768 LL_I D [1:main] app-init/load-me
2017-01-10 09:37:09.772 LL_I D [1:main] ifayela lephasiwedi alikho noma alifundeki
2017-01-10 09:37:09.782 LL_I D [1:main] izibalo Imilayezo yombhalo: 59 ithunyelwe, 82 yamukelwe / Imilayezo yemidiya: 1 okuthunyelwe (amabhayithi angu-0), 0 kwamukelwe (9850158 bytes) / Imilayezo engaxhunyiwe ku-intanethi: 81 yamukelwe ( 19522 msec isilinganiso sokulibaziseka) / Isevisi yomlayezo: 116075 bytes ithunyelwe, 211729 bytes wamukelwe / Voip Izingcingo: 1 amakholi aphumayo, 0 amakholi angenayo, 2492 byte ezithunyelwe, 1530 byte wamukelwe / I-Google Drayivu: 0 amabhayithi athunyelwe, 0 bytes wamukelwe / 1524 Ukuzulazula: amabhayithi athunyelwe, amabhayithi angu-1826 atholiwe / Isamba sedatha: amabhayithi angu-118567 athunyelwe, amabhayithi angu-10063417 atholiwe
2017-01-10 09:37:09.785 LL_I D [1:main] media-state-manager/refresh-media-state/writable-media
2017-01-10 09:37:09.806 LL_I D [1:main] app-init/initialize/timer/stop: 24
2017-01-10 09:37:09.811 LL_I D [1:main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1:main] msgstore/checkhealth/journal/susa amanga
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkhealth/back/susa amanga
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1:main] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery/timer/stop: 8
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery 517 | isikhathi esichithwa:8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/refresh-media-state/internal-storage etholakalayo:1,345,622,016 inani:5,687,922,688
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/'. Iqukethe amafayela alalelwayo atholiwe.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/'. Iqukethe amafayela omsindo athunyelwe.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/'. Iqukethe amafayela wesithombe aphumayo.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Images/Thunyelwe/'. Iqukethe amafayela wesithombe athunyelwe.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/'. Iqukethe amafayela evidiyo atholiwe.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Video/Sent/'. Iqukethe amafayela evidiyo athunyelwe.
- Directory '/data/media/0/WhatsApp/Media/WhatsApp Profile Photos/'. Iqukethe amafayela ayingcaca ahlotshaniswa nomnikazi we-akhawunti ye-WhatsApp.
- Ukuze wonge isikhala sememori ku-smartphone yakho ye-Android, enye idatha ye-WhatsApp ingagcinwa ekhadini le-SD. Ekhadini le-SD, kumkhombandlela wezimpande, kukhona uhla lwemibhalo 'WhatsApp', lapho kungatholakala khona ama-artifact alandelayo alolu hlelo:
- Directory '.Yabelana' ('/mnt/sdcard/WhatsApp/.Yabelana/'). Iqukethe amakhophi amafayela abelwe nabanye abasebenzisi be-WhatsApp.
- Directory '.udoti' ('/mnt/sdcard/WhatsApp/.trash/'). Iqukethe amafayela asusiwe.
- Directory 'Ama-database' ('/mnt/sdcard/WhatsApp/Databases/'). Iqukethe izipele ezibethelwe. Angasuswa ukubethela uma ifayela likhona 'ukhiye', ekhishwe kumemori yedivayisi ehlaziyiwe.
Amafayela atholakala ohlwini lwemibhalo olungaphansi 'Ama-database':
- Directory 'Isigamu' ('/mnt/sdcard/WhatsApp/Media/'). Iqukethe ama-subdirectory 'Iphephadonga', 'I-WhatsApp Audio', 'Izithombe ze-WhatsApp', 'Izithombe zephrofayela ye-WhatsApp', 'Ividiyo ye-WhatsApp', 'Amanothi ezwi e-WhatsApp', aqukethe amafayela e-multimedia atholiwe futhi adluliswayo (amafayela ehluzo, amafayela evidiyo, imilayezo yezwi, izithombe ezihlotshaniswa nephrofayili yomnikazi we-akhawunti ye-WhatsApp, amaphephadonga).
- Directory 'Izithombe Zephrofayela' ('/mnt/sdcard/WhatsApp/Izithombe Zephrofayela/'). Iqukethe amafayela ayingcaca ahlotshaniswa nephrofayela yomnikazi we-akhawunti ye-WhatsApp.
- Ngezinye izikhathi kungase kube khona uhla lwemibhalo ekhadini le-SD 'amafayela' ('/mnt/sdcard/WhatsApp/Files/'). Lolu hlu lwemibhalo luqukethe amafayela agcina izilungiselelo zohlelo kanye nezintandokazi zabasebenzisi.
Izici zokugcinwa kwedatha kwamanye amamodeli wamadivayisi eselula
Amanye amamodeli wamadivayisi eselula asebenzisa i-Android OS angase agcine ama-artifact e-WhatsApp endaweni ehlukile. Lokhu kungenxa yezinguquko endaweni yokugcina idatha yohlelo lokusebenza ngesofthiwe yesistimu yedivayisi yeselula. Isibonelo, amadivaysi eselula e-Xiaomi anomsebenzi wokudala indawo yokusebenza yesibili (βSecondSpaceβ). Uma lolu hlelo lusebenza, indawo yedatha iyashintsha. Ngakho-ke, uma kudivayisi yeselula evamile esebenzisa idatha yomsebenzisi we-Android OS igcinwa kuhla lwemibhalo '/idatha/umsebenzisi/0/' (okuyinkomba kokujwayelekile '/idatha/idatha/'), bese kudatha yesicelo sendawo yokusebenza yesibili igcinwa ohlwini lwemibhalo '/idatha/umsebenzisi/10/'. Okusho ukuthi, usebenzisa isibonelo sendawo yefayela 'wa.db':
- ku-smartphone evamile esebenzisa i-Android OS: /data/user/0/com.whatsapp/databases/wa.db' (okulingana '/data/data/com.whatsapp/databases/wa.db');
- endaweni yokusebenza yesibili ye-smartphone ye-Xiaomi: '/data/user/10/com.whatsapp/databases/wa.db'.
Ama-artifact e-WhatsApp kudivayisi ye-iOS
Ngokungafani ne-Android OS, ku-iOS WhatsApp idatha yohlelo lokusebenza idluliselwa ekhophi eyisipele (isipele se-iTunes). Ngakho-ke, ukukhipha idatha kulolu hlelo lokusebenza akudingi ukukhipha isistimu yefayela noma ukudala ukulahlwa kwememori ebonakalayo yedivayisi ngaphansi kophenyo. Iningi lolwazi olufanele liqukethwe kusizindalwazi 'ChatStorage.sqlite', etholakala endleleni: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/' (kwezinye izinhlelo le ndlela ivela njenge 'AppDomainGroup-group.net.whatsapp.WhatsApp.shared').
isakhiwo 'ChatStorage.sqlite':
Amathebula afundisa kakhulu kusizindalwazi se-'ChatStorage.sqlite' yila 'ZWAMESSAGE' ΠΈ 'ZWAMEDIAITEM'.
Ukubukeka kwetafula 'ZWAMESSAGE':
Ukwakheka kwethebula 'ZWAMESSAGE'
| Igama lenkundla | Okushoyo |
|---|---|
| Z_PK | inombolo yokulandelana kwerekhodi (kuthebula le-SQL) |
| Z_ENT | isihlonzi sethebula, sinenani elingu-'9' |
| Z_OPT | akwaziwa, ngokuvamile iqukethe amanani ukusuka ku-'1' kuya ku-'6' |
| ZCHILDMESSAGESDELIVEREDCOUNT | ayaziwa, ngokuvamile iqukethe inani '0' |
| ZCHILDMESSAGESPLAYEDCOUNT | ayaziwa, ngokuvamile iqukethe inani '0' |
| ZCHILDMESSAGESREADCOUNT | ayaziwa, ngokuvamile iqukethe inani '0' |
| ZDATAITEMVERSION | ayaziwa, ngokuvamile iqukethe inani '3', cishe inkomba yomlayezo wombhalo |
| I-ZDOCID | akwaziwa |
| ZENCRETRYCOUNT | ayaziwa, ngokuvamile iqukethe inani '0' |
| ZFILTEREDRECIPIENTCOUNT | ayaziwa, ngokuvamile iqukethe amanani '0', '2', '256' |
| ZISFROMME | isiqondiso somlayezo: '0' - engenayo, '1' - ephumayo |
| ZMESSAGEERRORSTATUS | isimo sokudlulisa umyalezo. Uma umlayezo uthunyelwe/wamukelwe, kusho ukuthi unenani '0' |
| ZMESSAGETYPE | uhlobo lomlayezo odluliswayo |
| ZSORT | akwaziwa |
| I-ZSPOTLIGHTSTATUS | akwaziwa |
| ZSTARRED | engaziwa, ayisetshenziswa |
| ZCHATSESSION | akwaziwa |
| ZGROUPMEMBER | engaziwa, ayisetshenziswa |
| ZLASTSESSION | akwaziwa |
| ZMEDIAITEM | akwaziwa |
| ZMESSAGEINFO | akwaziwa |
| ZPARENTMESSAGE | engaziwa, ayisetshenziswa |
| ZMESSAGEDATE | isitembu sesikhathi ngefomethi ye-OS X Epoch Time |
| ZSENTDATE | isikhathi lapho umlayezo uthunyelwe ngefomethi ye-OS X Epoch Time |
| ZFROMJID | I-ID yomthumeli we-WhatsApp |
| I-ZMEDIASECTIONID | iqukethe unyaka nenyanga ifayela lemidiya elathunyelwa ngalo |
| ZPHASH | engaziwa, ayisetshenziswa |
| ZPUSHPAME | igama loxhumana naye othumele ifayela lemidiya ngefomethi ye-UTF-8 |
| ZSTANZID | isihlonzi somlayezo esiyingqayizivele |
| ZTEXT | Umbhalo womlayezo |
| I-ZTOJID | I-ID ye-WhatsApp yomamukeli |
| OFFSET | ukwenzelela |
Ukubukeka kwetafula 'ZWAMEDIAITEM':
Ukwakheka kwethebula 'ZWAMEDIAITEM'
| Igama lenkundla | Okushoyo |
|---|---|
| Z_PK | inombolo yokulandelana kwerekhodi (kuthebula le-SQL) |
| Z_ENT | isihlonzi sethebula, sinenani elingu-'8' |
| Z_OPT | akwaziwa, ngokuvamile iqukethe amanani asuka ku-'1' kuya ku-'3'. |
| ZCLOUDSTATUS | iqukethe inani '4' uma ifayela lilayishiwe. |
| ZFILESIZE | iqukethe ubude befayela (ngamabhayithi) kumafayela alandiwe |
| I-ZMEDIAORIGIN | akwaziwa, ngokuvamile kunevelu engu-'0' |
| ZMOVIEDURATION | ubude befayela lemidiya, kumafayela e-pdf angase aqukathe inani lamakhasi edokhumenti |
| ZMESSAGE | iqukethe inombolo yomkhiqizo (inombolo yehlukile kuleyo ekhonjiswe kukholomu ye-'Z_PK') |
| ZASPECTRATIO | I-aspect ratio, engasetshenziswanga, ngokuvamile isethwe ku-'0' |
| I-ZHACCURACY | akwaziwa, ngokuvamile kunevelu engu-'0' |
| UMZLA | ububanzi ngamaphikseli |
| ZLONGTITUDE | ukuphakama ngamaphikseli |
| ZMEDIAURLDATE | isitembu sesikhathi ngefomethi ye-OS X Epoch Time |
| ZAUTHORNAME | umbhali (amadokhumenti, angaqukatha igama lefayela) |
| ZCOLLECTIONNAME | ayisetshenzisiwe |
| I-ZMEDIALOCALPATH | Igama lefayela (kuhlanganise nendlela) ohlelweni lwefayela ledivayisi |
| ZMEDIAURL | I-URL lapho ifayela lemidiya belikhona. Uma ifayela lidluliselwe lisuka kobhalisile liye komunye, belibethelwa futhi isandiso salo sizokhonjiswa njengesandiso sefayela elidlulisiwe - .enc |
| ZTHUMBNAILLOCALPATH | indlela eya kusithonjana sefayela ohlelweni lwefayela ledivayisi |
| ZTITLE | unhlokweni wefayela |
| ZVCARDNAME | i-media file hash; lapho udlulisela ifayela eqenjini, lingase liqukathe isihlonzi somthumeli |
| ZVCARDSTRING | iqukethe ulwazi mayelana nohlobo lwefayela elidluliswayo (isibonelo, isithombe/i-jpeg); lapho udlulisela ifayela eqenjini, lingase libe nesihlonzi somamukeli. |
| ZXMPPTHUMBPATH | indlela eya kusithonjana sefayela ohlelweni lwefayela ledivayisi |
| ZMEDIAKEY | akwaziwa, cishe iqukethe ukhiye wokususa ukubethela kwefayela elibethelwe. |
| ZMETADATA | imethadatha yomlayezo odlulisiwe |
| Ukumiswa | ukwenzelela |
Amanye amathebula esizindalwazi athokozisayo 'ChatStorage.sqlite' yilezi:
- 'ZWAPROFILEPUSHNAME'. Ifanisa i-ID ye-WhatsApp negama lokuxhumana;
- 'ZWAPROFILEPICTUREITEM'. Ifanisa i-ID ye-WhatsApp ne-avatar yokuxhumana;
- 'Z_PRIMARYKEY'. Ithebula liqukethe ulwazi olujwayelekile mayelana nalesi sizindalwazi, njengesamba senani lemilayezo egciniwe, inani eliphelele lezingxoxo, njll.
Futhi, lapho uhlola i-WhatsApp kudivayisi ephathwayo esebenzisa i-iOS, kufanele unake amafayela alandelayo:
- Π€Π°ΠΉΠ» 'BackedUpKeyValue.sqlite'. Iqukethe okhiye be-cryptographic kanye nenye idatha edingekayo ukuze kukhonjwe umnikazi we-akhawunti. Itholakala endleleni: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- Π€Π°ΠΉΠ» 'ContactsV2.sqlite'. Iqukethe ulwazi mayelana noxhumana nabo bomsebenzisi, njengegama eligcwele, inombolo yocingo, isimo sokuxhumana (ngefomu lombhalo), i-WhatsApp ID, njll. Itholakala endleleni: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- Π€Π°ΠΉΠ» 'inguqulo_yabathengi'. Iqukethe inombolo yenguqulo yohlelo lokusebenza lwe-WhatsApp olufakiwe. Itholakala endleleni: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- Π€Π°ΠΉΠ» 'current_wallpaper.jpg'. Iqukethe isithombe sangemuva sangemuva se-WhatsApp. Itholakala endleleni: /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/. Izinguqulo ezindala zohlelo lokusebenza zisebenzisa ifayela 'iphephadonga', etholakala endleleni: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'.
- Π€Π°ΠΉΠ» 'blockedcontacts.dat'. Iqukethe ulwazi mayelana noxhumana nabo abavinjiwe. Itholakala endleleni: /okuyimfihlo/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.
- Π€Π°ΠΉΠ» 'pw.dat'. Iqukethe iphasiwedi ebethelwe. Itholakala endleleni: '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/'.
- Π€Π°ΠΉΠ» 'net.whatsapp.WhatsApp.plist' (noma ifayela 'group.net.whatsapp.WhatsApp.shared.plist'). Iqukethe ulwazi mayelana nephrofayela yakho ye-akhawunti ye-WhatsApp. Ifayela litholakala endleleni: '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/'.
Okuqukethwe kwefayela 'group.net.whatsapp.WhatsApp.shared.plist'
Udinga futhi ukunaka le mibhalo elandelayo:
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/'. Iqukethe izithonjana zoxhumana nabo, amaqembu (amafayela anesandiso .isithupha), ama-avatar oxhumana naye, i-avatar yomnikazi we-akhawunti ye-WhatsApp (ifayela 'Isithombe.jpg').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/'. Iqukethe amafayela e-multimedia nezithonjana zawo
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/'. Iqukethe ilogi yokusebenza kohlelo (file 'calls.log') namakhophi ayisipele amalogi okusebenza kohlelo (ifayela 'calls.backup.log').
- Directory '/private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/'. Iqukethe izitikha (amafayela ngefomethi '.webp').
- Directory '/private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/'. Iqukethe amalogi okusebenza kohlelo.
Ama-artifact e-WhatsApp ku-Windows
Ama-artifact e-WhatsApp ku-Windows angatholakala ezindaweni eziningana. Okokuqala, lezi izinkomba eziqukethe amafayela ohlelo olusebenzisekayo nolwengeziwe (lweWindows 8/10):
- 'C:Amafayela Ohlelo (x86)WhatsApp'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi% AppDataLocalWhatsApp'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi% Amafayela Ohlelo lwe-AppDataLocalVirtualStore (x86)WhatsApp'
Kukhathalogi 'C:Abasebenzisi%Iphrofayili yomsebenzisi% AppDataLocalWhatsApp' ifayela lokungena likhona 'I-SquirrelSetup.log', equkethe ulwazi mayelana nokuhlola izibuyekezo nokufaka uhlelo.
Kukhathalogi 'C:Abasebenzisi%Iphrofayili yomsebenzisi% AppDataRoamingWhatsApp' Kunezinhlobo ezimbalwa zemibhalo engezansi:
Π€Π°ΠΉΠ» 'main-process.log' iqukethe ulwazi mayelana nokusebenza kohlelo lwe-WhatsApp.
Uhlu lwemibhalo engezansi 'isizindalwazi' iqukethe ifayela 'Ama-database.db', kodwa leli fayela aliqukethe noma yiluphi ulwazi mayelana nezingxoxo noma abathintwayo.
Okuthakazelisa kakhulu ngokombono wezobunhloli amafayela atholakala ohlwini lwemibhalo 'Cache'. Lawa amafayela aqanjwe ngokuyisisekelo 'f_*******' (lapho * kuyinombolo esuka ku-0 kuye ku-9) equkethe amafayela emidiya exubile abethelwe kanye nemibhalo, kodwa kukhona namafayela angabhaliwe phakathi kwawo. Okuthakaselwa kakhulu amafayela 'idatha_0', 'idatha_1', 'idatha_2', 'idatha_3', etholakala kuhla lwemibhalo olungaphansi olufanayo. Amafayela 'idatha_0', 'idatha_1', 'idatha_3' ziqukethe izixhumanisi zangaphandle eziya kumafayela e-multimedia abethelwe kanye nemibhalo.
Isibonelo solwazi oluqukethwe kufayela 'data_1'
Futhi ifayela 'idatha_3' ingaqukatha amafayela ayingcaca.
Π€Π°ΠΉΠ» 'idatha_2' iqukethe ama-avatar othintana naye (angabuyiswa ngokusesha izihloko zamafayela).
Izithombe eziqukethwe efayelini 'idatha_2':
Ngakho-ke, izingxoxo ngokwazo azitholakali kumemori yekhompyutha, kodwa ungathola:
- amafayela e-multimedia;
- amadokhumenti asakazwa nge-WhatsApp;
- ulwazi mayelana noxhumana nabo bomnikazi we-akhawunti.
Ama-artifact e-WhatsApp ku-MacOS
Ku-MacOS ungathola izinhlobo ze-WhatsApp zobuciko ezifana nalezo ezitholakala ku-Windows OS.
Amafayela ohlelo atholakala kunkhombandlela elandelayo:
- 'C:IziceloWhatsApp.app'
- 'C:Applications._WhatsApp.app'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi%LibraryPreferences'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi%LibraryLogsWhatsApp'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi%Isimo Sesicelo EsilondoloziweI-WhatsApp.savedState'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi%Izikripthi zohlelo lokusebenza lwelabhulali'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi%I-LibraryApplication SupportCloudDocs'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi%I-Library Application SupportWhatsApp.ShipIt'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi%LibraryContainerscom.rockysandstudio.app-for-whatsapp'
- 'C:Abasebenzisi%Iphrofayili yomsebenzisi% Imibhalo Ephathwayo Yelabhulali <inguquko yombhalo> Ama-Akhawunti E-WhatsApp'
Lolu hlu lwemibhalo luqukethe izinqolobane amagama azo ayizinombolo zocingo ezihlotshaniswa nomnikazi we-akhawunti ye-WhatsApp. - 'C:Abasebenzisi%Iphrofayili yomsebenzisi%LibraryCachesWhatsApp.ShipIt'
Lolu hlu lwemibhalo luqukethe ulwazi mayelana nokufaka uhlelo. - 'C:Abasebenzisi%Iphrofayili yomsebenzisi%IsithombeI-Photo Library.photolibraryMasters', 'C:Abasebenzisi%Iphrofayili yomsebenzisi%IsithombeI-Photo Library.photolibraryIzithonjana'
Lezi zinkomba ziqukethe amafayela esevisi ohlelo, okuhlanganisa izithombe nezithonjana zoxhumana nabo be-WhatsApp. - 'C:Abasebenzisi%Iphrofayili yomsebenzisi%LibraryCachesWhatsApp'
Lolu hlu lwemibhalo luqukethe imininingo egciniwe ye-SQLite esetshenziselwa ukugcina idatha. - 'C:Abasebenzisi%Iphrofayili yomsebenzisi%I-Library Application SupportWhatsApp'
Lolu hlu lwemibhalo luqukethe izinqolobane ezimbalwa:
Kukhathalogi 'C:Abasebenzisi%Iphrofayili yomsebenzisi%I-Library Application SupportWhatsAppCache' kukhona amafayela 'idatha_0', 'idatha_1', 'idatha_2', 'idatha_3' namafayela anamagama 'f_*******' (lapho * kuyinombolo esuka ku-0 kuye ku-9). Ukuze uthole ulwazi mayelana nokuthi lawa mafayela aqukethe luphi ulwazi, bona I-WhatsApp Artifacts ku-Windows.Kukhathalogi 'C:Abasebenzisi%Iphrofayili yomsebenzisi%Usekelo Lohlelo Lokusebenza LwelabhulaliWhatsAppIndexedDB' ingaqukatha amafayela emidiya exubile (amafayela awanazo izandiso).
Π€Π°ΠΉΠ» 'main-process.log' iqukethe ulwazi mayelana nokusebenza kohlelo lwe-WhatsApp.
Imithombo
- Ukuhlaziywa kwe-Forensic kwe-WhatsApp Messenger kuma-smartphones e-Android, ngu-Cosimo Anglano, 2014.
- I-Whatsapp Forensics: Isistimu etholakalayo kanye nesisekelo sedatha yohlelo lokusebenza lwe-Android ne-iOS ka-Ahmad Pratama, 2014.
Ezihlokweni ezilandelayo kulolu chungechunge:
Ukususwa kwemfihlo yolwazi lwe-WhatsApp olubethelweI-athikili ezohlinzeka ngolwazi lokuthi ukhiye wokubethela we-WhatsApp ukhiqizwa kanjani kanye nezibonelo ezingokoqobo ezibonisa indlela yokususa ukubethela imininingwane yolwazi ebethelwe yalolu hlelo lokusebenza.
Ikhipha idatha ye-WhatsApp kusitoreji samafuIsihloko lapho sizokutshela khona ukuthi iyiphi idatha ye-WhatsApp egcinwe emafini futhi sichaze izindlela zokuthola le datha kusitoreji samafu.
Ukukhishwa Kwedatha ye-WhatsApp: Izibonelo EzisebenzayoIsihloko esizochaza isinyathelo ngesinyathelo ukuthi yiziphi izinhlelo nendlela yokukhipha idatha ye-WhatsApp kumadivayisi ahlukahlukene.
Source: www.habr.com