This is the third blog post in a series of five about recovering third-party mobile chat applications for your digital forensics investigations.
Another popular mobile chat application is WhatsApp. Like Kik Messenger, WhatsApp is a cross-platform instant messaging service that has over 600 million users. It was purchased by Facebook in February 2014 and continues to grow in popularity.
Why Are WhatsApp Artifacts Important to Your Mobile Forensics Investigations?
Much like other mobile chat applications, WhatsApp contacts, messages, and attachments can be valuable to examiners looking to recover evidence for a variety of different investigation types. Whether you’re analyzing the mobile device of a suspect or a victim, these chat artifacts can contain valuable information to help solve a case.
The Key Artifacts That Need to Be Found When Investigating WhatsApp
Android
For Android devices, there are two SQLite databases of value for investigators recovering WhatsApp artifacts: msgstore.db and wa.db. The msgstore.db contains details on any chat conversations between a user and their contacts. Wa.db stores information on all the WhatsApp user’s contacts. Both of these databases can be found under the databases folder at the following locations:
/data/data/com.whatsapp/databases/msgstore.db
/data/data/com.whatsapp/databases/wa.db
The msgstore.db is a relatively simple SQLite database with two tables: chat_list and messages. The messages table contains a listing of all the messages that a user sends to or receives from his/her contacts. Unlike Kik or BBM, where a user is required to have a unique username or PIN, WhatsApp uses the user’s phone number as the unique identifier for both the user and their contacts. This table includes the contact’s phone number, message contents, message status, timestamps, and any details about attachments included in the message. Attachments sent through WhatsApp get their own table entry: the message contents field is null, and the row holds a thumbnail and a link to the photo/image being shared. This attachment is stored directly in the msgstore.db file. Additionally, the table may contain latitude and longitude coordinates for messages being sent, allowing the investigator to map out the geolocation details of a user.
The chat_list table contains a listing of all the phone numbers that a user communicated with; however, this is not a complete listing of the user’s contacts. For that we must look at the wa.db.
The wa.db contains a complete listing of a WhatsApp user’s contacts including phone number, display name, timestamp, and any other information given upon registering with WhatsApp.
In order to gain access to the msgstore.db and wa.db, an investigator must root the Android device or obtain a physical acquisition of it. Otherwise, WhatsApp also stores a copy of the msgstore.db on the SD card, which is used for backups, at the following location:
/sdcard/WhatsApp/Databases/msgstore.db.crypt
One caveat with this file is that it is encrypted and must be decrypted prior to analysis. WhatsApp uses several different types of encryption on this database depending on the version of WhatsApp being used.
Recovering WhatsApp contacts, messages, and attachments on Android is relatively straightforward once you have access to the appropriate databases. The process is similar in iOS with some minor differences.
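The query below is an added example, not code from the original post or from Magnet Forensics, of how an examiner can pull the Android artifacts described above out of the two databases in one pass: attach wa.db to msgstore.db, join each message to the contact's display name, convert the millisecond Unix timestamps, and flag attachment rows (null message text with a thumbnail) and location rows. The column names used (key_remote_jid, key_from_me, data, timestamp, status, media_mime_type, latitude, longitude, thumb_image in msgstore.db; jid and display_name in wa.db's wa_contacts table) are assumptions drawn from older WhatsApp Android builds and should be confirmed with `.schema` against the actual evidence files. The sample rows are constructed so the script runs offline.

```python
import sqlite3
from datetime import datetime, timezone

# Column and table names below are assumptions about the legacy Android schema,
# not taken from the original post; verify them with ".schema" on the evidence copy.


def open_android(msgstore_path, wa_path):
    """Open msgstore.db and attach wa.db so contacts can be joined in a single query."""
    conn = sqlite3.connect(msgstore_path)
    conn.row_factory = sqlite3.Row
    conn.execute("ATTACH DATABASE ? AS wa", (wa_path,))
    return conn


def ms_to_utc(ms):
    """WhatsApp Android stores message times as milliseconds since the Unix epoch."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def extract_messages(conn):
    """Return one dict per message, joined with the contact's display name from wa.db."""
    sql = """
        SELECT m.key_remote_jid, m.key_from_me, m.data, m.timestamp, m.status,
               m.media_mime_type, m.latitude, m.longitude,
               m.thumb_image IS NOT NULL AS has_thumb, c.display_name
        FROM messages AS m
        LEFT JOIN wa.wa_contacts AS c ON c.jid = m.key_remote_jid
        ORDER BY m.timestamp
    """
    results = []
    for r in conn.execute(sql):
        # Real databases default latitude/longitude to 0.0; treat that as "no location".
        geo = (r["latitude"], r["longitude"]) if (r["latitude"] or r["longitude"]) else None
        results.append({
            "contact": r["display_name"] or r["key_remote_jid"],
            # The JID is <phone number>@s.whatsapp.net; the number is the identifier.
            "phone": r["key_remote_jid"].split("@")[0],
            "direction": "sent" if r["key_from_me"] else "received",
            "text": r["data"],
            "time_utc": ms_to_utc(r["timestamp"]),
            "status": r["status"],
            # Attachment rows carry a null message body plus a thumbnail and/or MIME type.
            "attachment": bool(r["media_mime_type"] or r["has_thumb"]),
            "mime": r["media_mime_type"],
            "geo": geo,
        })
    return results


def build_sample_android():
    """Constructed in-memory stand-ins for msgstore.db and wa.db (sample data, not real evidence)."""
    conn = open_android(":memory:", ":memory:")
    conn.executescript("""
        CREATE TABLE messages (
            _id INTEGER PRIMARY KEY, key_remote_jid TEXT, key_from_me INTEGER,
            data TEXT, timestamp INTEGER, status INTEGER, media_mime_type TEXT,
            latitude REAL DEFAULT 0.0, longitude REAL DEFAULT 0.0, thumb_image BLOB);
        CREATE TABLE chat_list (_id INTEGER PRIMARY KEY, key_remote_jid TEXT);
        CREATE TABLE wa.wa_contacts (_id INTEGER PRIMARY KEY, jid TEXT, display_name TEXT);
    """)
    jid = "15555550100@s.whatsapp.net"
    conn.executemany(
        "INSERT INTO messages (key_remote_jid, key_from_me, data, timestamp, status,"
        " media_mime_type, latitude, longitude, thumb_image) VALUES (?,?,?,?,?,?,?,?,?)",
        [
            (jid, 0, "Meet at the pier at 9", 1409000000000, 0, None, 0.0, 0.0, None),
            (jid, 1, None, 1409000060000, 5, "image/jpeg", 0.0, 0.0, b"\xff\xd8\xff"),
            (jid, 1, None, 1409000120000, 5, None, 43.6532, -79.3832, None),
        ],
    )
    conn.execute("INSERT INTO chat_list (key_remote_jid) VALUES (?)", (jid,))
    conn.execute("INSERT INTO wa.wa_contacts (jid, display_name) VALUES (?, ?)", (jid, "Alex Example"))
    conn.commit()
    return conn


if __name__ == "__main__":
    for msg in extract_messages(build_sample_android()):
        print(msg)
```

On a real acquisition, call `open_android("/path/to/msgstore.db", "/path/to/wa.db")` on working copies and pass the connection to `extract_messages`. The LEFT JOIN is deliberate: a number that appears in chat_list but not in wa.db (a non-contact who messaged the user) still comes out, with the raw JID in place of a display name.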
iOS
Unlike Android, which uses multiple SQLite databases, iOS stores all relevant WhatsApp data in one database called ChatStorage.sqlite, stored in the following location:
net.whatsapp.WhatsApp/Documents/ChatStorage.sqlite
The ZWAMESSAGE and ZWAMEDIAITEM tables are excellent locations for collecting items of evidentiary value, including messages, sender, recipient, timestamps, geolocation data, and the path/location of any media being shared between two contacts. Many of the same artifacts mentioned for Android are found in these locations; however, the table names and structure may be different.
In addition to the ChatStorage.sqlite database, there is also a Contacts.sqlite database in the same location. While there are some extra details about a user’s WhatsApp contacts, this database does not include the JID for each contact that uniquely identifies the user to the WhatsApp servers.
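As an added example (not code from the original post or from Magnet Forensics), the script below joins ZWAMESSAGE to ZWAMEDIAITEM in ChatStorage.sqlite to recover text, direction, media path and coordinates, and handles the iOS-specific detail that trips up manual review: Core Data stores dates as seconds since 2001-01-01, not since the Unix epoch, so a plain Unix conversion shifts every message by about 31 years. The column names (ZTEXT, ZMESSAGEDATE, ZFROMJID, ZTOJID, ZISFROMME, ZMEDIAITEM on ZWAMESSAGE; ZMEDIALOCALPATH, ZLATITUDE, ZLONGITUDE on ZWAMEDIAITEM) and the ZMEDIAITEM-to-Z_PK link are assumptions about the Core Data layout and should be checked with `.schema` on the evidence copy. The rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Table and column names below are assumptions about the Core Data schema of
# ChatStorage.sqlite, not taken from the original post; confirm with ".schema".

COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def coredata_to_utc(seconds):
    """Convert a Core Data date (seconds since 2001-01-01 UTC) to an ISO 8601 string."""
    if seconds is None:
        return None
    return (COREDATA_EPOCH + timedelta(seconds=seconds)).isoformat()


def unix_misread(seconds):
    """What the same value looks like if wrongly treated as a Unix timestamp (for comparison)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def extract_ios_messages(conn):
    """Return one dict per ZWAMESSAGE row, with its linked media item if any."""
    sql = """
        SELECT m.Z_PK, m.ZTEXT, m.ZMESSAGEDATE, m.ZFROMJID, m.ZTOJID, m.ZISFROMME,
               mi.ZMEDIALOCALPATH, mi.ZLATITUDE, mi.ZLONGITUDE
        FROM ZWAMESSAGE AS m
        LEFT JOIN ZWAMEDIAITEM AS mi ON mi.Z_PK = m.ZMEDIAITEM
        ORDER BY m.ZMESSAGEDATE
    """
    results = []
    for r in conn.execute(sql):
        from_me = bool(r["ZISFROMME"])
        # The remote party is the recipient for outgoing rows and the sender for incoming ones.
        remote = r["ZTOJID"] if from_me else r["ZFROMJID"]
        lat, lon = r["ZLATITUDE"], r["ZLONGITUDE"]
        results.append({
            "id": r["Z_PK"],
            "remote_jid": remote,
            "direction": "sent" if from_me else "received",
            "text": r["ZTEXT"],
            "time_utc": coredata_to_utc(r["ZMESSAGEDATE"]),
            "media_path": r["ZMEDIALOCALPATH"],
            "geo": (lat, lon) if (lat or lon) else None,
        })
    return results


def build_sample_ios():
    """Constructed in-memory stand-in for ChatStorage.sqlite (sample data, not real evidence)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, ZMEDIALOCALPATH TEXT,
                                   ZLATITUDE REAL, ZLONGITUDE REAL);
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZTEXT TEXT, ZMESSAGEDATE REAL,
                                 ZFROMJID TEXT, ZTOJID TEXT, ZISFROMME INTEGER, ZMEDIAITEM INTEGER);
    """)
    jid = "15555550100@s.whatsapp.net"
    conn.executemany(
        "INSERT INTO ZWAMEDIAITEM VALUES (?,?,?,?)",
        [(1, "Media/15555550100@s.whatsapp.net/3/b/photo.jpg", 0.0, 0.0),
         (2, None, 43.6532, -79.3832)],
    )
    conn.executemany(
        "INSERT INTO ZWAMESSAGE VALUES (?,?,?,?,?,?,?)",
        [(1, "On my way", 430000000.0, jid, None, 0, None),
         (2, None, 430000060.0, None, jid, 1, 1),
         (3, None, 430000120.0, None, jid, 1, 2)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for msg in extract_ios_messages(build_sample_ios()):
        print(msg)
    print("same value read as Unix time:", unix_misread(430000000.0))
```

The `unix_misread` helper exists only to make the offset visible when comparing against a tool's output; a message that appears to have been sent in 1983 from a WhatsApp database almost always means the Core Data epoch was not applied.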
Making WhatsApp Analysis Easier with Internet Evidence Finder (IEF)
IEF supports the recovery of messages, contacts, and attachments from WhatsApp conversations on both Android and iOS. It will parse and carve the artifacts mentioned above and organize them for the investigator in a format that is easy to read and analyze. Below is a sample output from an Android WhatsApp message:
- Sender and receiver details
- The message contents
- Message status
- All available timestamps
- Geolocation data (if available)
- Thumbnail/attachment image and details
In addition to recovering the information listed above, IEF also has a unique feature which helps investigators automatically sort and display WhatsApp chat conversations just as the suspect or victim would have viewed them on their device. This feature is called Chat Threading.
With Chat Threading, IEF displays a WhatsApp chat conversation in the same threaded form the user saw on the device; the feature supports both iOS and Android conversations.
Using IEF to recover WhatsApp artifacts from iOS and Android devices can help examiners quickly analyze conversations that might be valuable to an investigation. By searching and organizing the SQLite databases into sortable columns, and using features such as Chat Threading, investigators can easily evaluate the data.
As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.
Here are some related resources you might also be interested in:
- Read the next blog in our series: Recovering Blackberry Messenger Forensic Artifacts
- See what IEF is all about: Attend a Demo
- Try IEF for Free:
  - New to IEF: Request a 30-day trial
  - Current customers: Request a 30-day trial of our Mobile Module
Jamie McQuaid
Forensics Consultant, Magnet Forensics
