WhatsApp – A Brief Overview
WhatsApp is reportedly currently used by 1.5 billion people who send 60 billion messages a day. Due to this, a mobile phone forensic investigation often includes evidence identified within WhatsApp messages.
How Does WhatsApp Work?
WhatsApp uses the phone number of the device to form the basis of the account as the unique identifier and messages are sent to it using the account generated from that phone number.
The WhatsApp Files that May Contain Evidence
When dealing with Whatsapp on Android based phones, the SQLite databases named msgstore.db and wa.db are the most important.
The msgstore.db of WhatsApp contains chat messages between a user and contacts and the wa.db file stores all the WhatsApp user’s contact information.
The msgstore.db within WhatsApp contains 2 tables. The messages table contains all Whatsapp messages that have been sent and received and includes the contact’s phone number, the content of the message, the status of the message (whether it has been received), the time/date stamps of the message and the details of any attachments to the message.
If an attachment is sent via WhatsApp then it has its own entry within the table and the message content field is null.
A thumbnail and link to the image is stored and the image itself is also stored within the Whatsapp msgstore.db file.
The table may also include location co-ordinates that can allow an investigator to identify the specific location of an individual at the time.
The table named Chat_list within Whatsapp contains all phone numbers communicated with, however, if communication has not occurred with a stored contact then it will not be stored here, however, it will be stored within the wa.db file.
The file named wa.db contains a list of the WhatsApp user’s contacts including name, number, timestamp and all other information provided when the account was registered.
The WhatsApp database files are stored on the handset memory, however, the msgstore.db file may also be stored as a backup on any memory cards present as msgstore.db.crypt which is encrypted and cannot be examined without first being decrypted from a key that is normally stored on the data partition within the WhatsApp folder.
Apple iOS – WhatsApp Forensics
Apple iOS stores all WhatsApp data within a database named ChatStorage.sqlite which is located within the directory path net.whatsapp.WhatsApp/Documents/ChatStorage.sqlite.
The MESSAGE and MEDIAITEM tables contain messages, sender, recipient, date/time stamps, location information and the location of attachments sent/received within those Whatsapp messages.
The WhatsApp application on Apple iOS also stores a database named contacts.sqlite within the same directory that includes, sender and recipient details, the content of the message, the status of the message (whether it has been received), the time/date stamps of the message and the details of any attachments to the message.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.