If you are keen to know what kinds of forensic WhatsApp artifacts exist in different operating systems and where exactly they can be found, you have come to the right place. This post is focused on WhatsApp forensics and what data can be obtained from a device during forensic analysis.
We should note at the outset that operating systems differ in the types of artifacts they contain, so extracting certain types of WhatsApp data from one device does not automatically mean that the same data can be extracted from another device. For instance, if you have a desktop computer running Windows, you are unlikely to find WhatsApp chats on its disks (the exception will be iOS backup copies). Laptops and mobile devices, on the other hand, have their own peculiarities. Let’s discuss this topic in more detail.
WhatsApp artifacts on Android devices
To extract WhatsApp artifacts from an Android device, an investigator needs superuser (root) privileges or another way to obtain a physical dump of the device's file system (for example, by using software vulnerabilities of the particular device).
The application’s files are located in the memory of the phone in the section where user data is stored. As a rule, this section is called Userdata. Subdirectories and program files are located under the path /data/data/com.whatsapp/.
The wa.db and msgstore.db databases are the main files that contain WhatsApp artifacts on Android.
The wa.db database contains a full list of the WhatsApp user’s contacts, including phone numbers, display names, timestamps, and any other information mentioned upon registering in WhatsApp. The wa.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:
The most interesting tables in the wa.db database for forensic investigators are:
- wa_contacts
This table contains information about WhatsApp contacts, such as contact ID, status, display name, timestamps, etc. Screenshot of the table:
Table structure:
| Field name | Meaning |
|---|---|
| _id | Sequence number of the record (set by SQLite) |
| jid | WhatsApp ID of the contact (a string structured as ’x@s.whatsapp.net’, where ’x’ is the phone number of the contact) |
| is_whatsapp_user | Contains ’1’ if the contact corresponds to an actual WhatsApp user, ’0’ otherwise |
| status | Text in the status line of the contact |
| status_timestamp | Contains a timestamp in the Unix Epoch Time (ms) format |
| number | Phone number associated with the contact |
| raw_contact_id | Sequence number of the contact |
| display_name | Display name of the contact |
| phone_type | Type of the phone |
| phone_label | Label associated with the phone number |
| unseen_msg_count | Number of messages sent by the contact that have been received, but have not yet been read |
| photo_ts | Contains a timestamp in the Unix Epoch Time format |
| thumb_ts | Contains a timestamp in the Unix Epoch Time format |
| photo_id_timestamp | Contains a timestamp in the Unix Epoch Time (ms) format |
| given_name | The field value is the same as in display_name for each contact |
| wa_name | WhatsApp name of the contact (as set in their profile) |
| sort_name | Name of the contact used in sorting operations |
| nickname | WhatsApp nickname of the contact (as set in their profile) |
| company | Company (as set in the contact’s profile) |
| title | Title (Mr/Ms/Mrs as set in the contact’s profile) |
| offset | Offset |
- sqlite_sequence
This table contains information about the number of contacts.
- android_metadata
This table contains information about WhatsApp language localization.
The msgstore.db database contains information about sent messages, such as contact number, message content, status, timestamps, information about attached files, etc. The msgstore.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:
The most interesting tables in the msgstore.db file for forensic investigators are:
- sqlite_sequence
This table contains general information about the database, for instance, the total number of stored messages, total number of chats, etc. Screenshot of the table:
- message_fts_content
Contains the content of messages. Screenshot of the table:
- messages
This table contains information, such as contact number, message body, status, timestamps, and information about attached files. Screenshot of the table:
Table structure:
| Field name | Meaning |
|---|---|
| _id | Sequence number of the record (set by SQLite) |
| key_remote_jid | WhatsApp ID of the communication partner |
| key_from_me | Message direction: ‘0’=incoming, ‘1’=outgoing |
| key_id | Unique message identifier |
| status | Message status: ‘0’=received, ‘4’=waiting on the server, ‘5’=received at the destination, ‘6’=control message, ‘13’=message opened by the recipient (read) |
| need_push | ‘2’ if broadcast message, ‘0’ otherwise |
| data | Message content when media_wa_type = ‘0’ |
| timestamp | Contains a timestamp in the Unix Epoch Time (ms) format; the value is taken from the device clock |
| media_url | URL of the transmitted file (when media_wa_type={’1’,’2’,’3’}) |
| media_mime_type | MIME type of the transmitted file (when media_wa_type={’1’,’2’,’3’}) |
| media_wa_type | Message type: ’0’=text, ’1’=image, ’2’=audio, ’3’=video, ’4’=contact card, ’5’=geo position |
| media_size | Size of the transmitted file (when media_wa_type={’1’,’2’,’3’}) |
| media_name | Name of the transmitted file (when media_wa_type={’1’,’2’,’3’}) |
| media_caption | Contains the words “audio” and “video” for corresponding values of media_wa_type (when media_wa_type={’1’,’3’}) |
| media_hash | Base64-encoded SHA-256 hash of the transmitted file (when media_wa_type={’1’,’2’,’3’}) |
| media_duration | Duration in seconds of the transmitted media file (when media_wa_type={’1’,’2’,’3’}) |
| origin | ‘2’ if broadcast message, ‘0’ otherwise |
| latitude | Latitude of the message sender (when media_wa_type=’5’) |
| longitude | Longitude of the message sender (when media_wa_type=’5’) |
| thumb_image | Housekeeping information |
| remote_resource | ID of the sender (only for group chat messages) |
| received_timestamp | Time of receipt. Contains a timestamp in the Unix Epoch Time (ms) format. The value is taken from the device clock (if key_from_me=’1’, ’-1’ otherwise) |
| send_timestamp | Unused (always set to ’-1’) |
| receipt_server_timestamp | Time of receipt of the central server ACK. Contains a timestamp in the Unix Epoch Time (ms) format. The value is taken from the device clock (if key_from_me=’1’, ’-1’ otherwise) |
| receipt_device_timestamp | Time of receipt of the recipient ACK. Contains a timestamp in the Unix Epoch Time (ms) format. The value is taken from the device clock (if key_from_me=’1’, ’-1’ otherwise) |
| read_device_timestamp | Time of opening (reading) the message. Contains a timestamp in the Unix Epoch Time (ms) format. The value is taken from the device clock |
| played_device_timestamp | Time of playing the message. Contains a timestamp in the Unix Epoch Time (ms) format. The value is taken from the device clock |
| raw_data | Thumbnail of the transmitted file when media_wa_type={’1’,’3’} |
| recipient_count | Number of recipients (broadcast message) |
| participant_hash | Used in geodata transmittal |
| starred | Unused |
| quoted_row_id | Unknown, usually contains the value ‘0’ |
| mentioned_jids | Unused |
| multicast_id | Unused |
| offset | Offset |
This list of fields is not exhaustive. Different versions of WhatsApp may have or lack some of the fields. Additionally, there may be the fields media_enc_hash, edit_version, payment_transaction_id, etc.
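The two tables above are most useful when read together: wa_contacts resolves a JID to a display name, and messages carries the coded direction, status and type columns plus millisecond Unix timestamps. The script below is an added example (not code from the original post) that builds an in-memory SQLite database with constructed wa_contacts and messages rows using only the column names described above, then joins them into a decoded timeline. On a real extraction you would open wa.db and msgstore.db (two separate files, so ATTACH one to the other) instead of calling build_sample_db(); the contact names, numbers and timestamps here are constructed test data.

```python
"""Android wa.db / msgstore.db timeline builder (added example, constructed data)."""
import sqlite3
from datetime import datetime, timezone

# Value decodings exactly as described in the messages table above.
MEDIA_WA_TYPE = {"0": "text", "1": "image", "2": "audio", "3": "video",
                 "4": "contact card", "5": "geo position"}
STATUS = {"0": "received", "4": "waiting on the server",
          "5": "received at the destination", "6": "control message",
          "13": "read by recipient"}


def unix_ms_to_iso(ms):
    """Convert Unix Epoch Time (ms) to ISO-8601 UTC; -1 or NULL means 'not set'."""
    if ms is None or int(ms) < 0:
        return None
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc).isoformat()


def build_sample_db():
    """Constructed test data: two contacts and three messages (not real artifacts)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wa_contacts (_id INTEGER PRIMARY KEY, jid TEXT,
            is_whatsapp_user INTEGER, display_name TEXT, number TEXT);
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT,
            key_from_me INTEGER, key_id TEXT, status INTEGER, data TEXT,
            timestamp INTEGER, media_wa_type TEXT, media_mime_type TEXT,
            media_size INTEGER, received_timestamp INTEGER,
            read_device_timestamp INTEGER);
    """)
    con.executemany("INSERT INTO wa_contacts VALUES (?,?,?,?,?)", [
        (1, "15550001111@s.whatsapp.net", 1, "Alice Example", "+1 555 000 1111"),
        (2, "15550002222@s.whatsapp.net", 1, "Bob Example", "+1 555 000 2222"),
    ])
    con.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", [
        # incoming text from Alice; receipt/read timestamps unset (-1)
        (1, "15550001111@s.whatsapp.net", 0, "K1", 0, "hello", 1600000000000,
         "0", None, None, -1, -1),
        # outgoing image to Alice, acknowledged and read
        (2, "15550001111@s.whatsapp.net", 1, "K2", 13, None, 1600000060000,
         "1", "image/jpeg", 2048, 1600000061000, 1600000120000),
        # incoming text from a JID with no wa_contacts row (e.g. a deleted contact)
        (3, "15550003333@s.whatsapp.net", 0, "K3", 0, "late", 1600003600000,
         "0", None, None, -1, -1),
    ])
    con.commit()
    return con


def timeline(con, jid_filter=None):
    """Join messages to contacts and decode the coded columns into dicts, oldest first."""
    sql = """
        SELECT m._id, m.key_remote_jid, c.display_name, m.key_from_me, m.status,
               m.data, m.timestamp, m.media_wa_type, m.media_mime_type,
               m.media_size, m.received_timestamp, m.read_device_timestamp
        FROM messages m LEFT JOIN wa_contacts c ON c.jid = m.key_remote_jid
        WHERE (? IS NULL OR m.key_remote_jid = ?)
        ORDER BY m.timestamp
    """
    rows = []
    for r in con.execute(sql, (jid_filter, jid_filter)):
        rows.append({
            "id": r[0],
            "partner": r[2] or r[1],  # fall back to the raw JID when no contact row exists
            "direction": "outgoing" if r[3] == 1 else "incoming",
            "status": STATUS.get(str(r[4]), f"unknown({r[4]})"),
            "type": MEDIA_WA_TYPE.get(str(r[7]), f"unknown({r[7]})"),
            "text": r[5],
            "mime": r[8],
            "size": r[9],
            "sent": unix_ms_to_iso(r[6]),
            "received": unix_ms_to_iso(r[10]),
            "read": unix_ms_to_iso(r[11]),
        })
    return rows


if __name__ == "__main__":
    for row in timeline(build_sample_db()):
        print(row)
```

The LEFT JOIN is deliberate: a message whose JID no longer has a wa_contacts row is exactly the deleted-contact case the post mentions later, and it must still appear in the timeline under its raw JID rather than being dropped.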
- messages_thumbnails
This table contains information about transferred images and timestamps. The timestamp column shows time in the Unix Epoch Time (ms) format.
- chat_list
This table contains information about chats. Screenshot of the table:
In addition, when examining WhatsApp on an Android device, take note of the following files:
- msgstore.db.cryptXX (where XX is one or two digits from 0 to 12, for example, msgstore.db.crypt12). The file contains an encrypted backup copy of WhatsApp messages (backup of the msgstore.db file). The msgstore.db.cryptXX file (or files) is located under the path /data/media/0/WhatsApp/Databases/ (virtual SD card) and /mnt/sdcard/WhatsApp/Databases/ (physical SD card).
- The key file contains a cryptographic key and is located under the path /data/data/com.whatsapp/files/. It is used for decrypting encrypted WhatsApp backup copies.
- The com.whatsapp_preferences.xml file contains information about the WhatsApp profile and is located under the path /data/data/com.whatsapp/shared_prefs/.
File fragment:
- The registration.RegisterPhone.xml file contains information about the phone number associated with the WhatsApp account and is located under the path /data/data/com.whatsapp/shared_prefs/.
File contents:
- The axolotl.db file contains cryptographic keys and other data required for identifying the account owner. The file is located under the path /data/data/com.whatsapp/databases/.
- The chatsettings.db file contains application configuration information.
- The wa.db file contains contact details, which are very informative and interesting from a forensic perspective. It can reveal information about deleted contacts.
Make sure to examine the following directories:
- /data/media/0/WhatsApp/Media/WhatsApp Images/. Contains transferred graphics files.
- /data/media/0/WhatsApp/Media/WhatsApp Voice Notes/. Contains voice messages in the .opus format.
- /data/data/com.whatsapp/cache/Profile Pictures/. Contains graphics files: contacts’ profile pictures.
- /data/data/com.whatsapp/files/Avatars/. Contains graphics files: thumbnails of contacts’ profile pictures. These files have the .j extension, but are actually JPEG (JPG) files.
- /data/data/com.whatsapp/files/Avatars/. Contains graphics files: the profile picture and its thumbnail set as an avatar by the account owner.
- /data/data/com.whatsapp/files/Logs/. Contains a program operation log (the whatsapp.log file) and backup copies of program operation logs (files with the names in the format whatsapp-yyyy-mm-dd.1.log.gz).
WhatsApp log files:
Log content:
- /data/media/0/WhatsApp/Media/WhatsApp Audio/ Contains received audio files.
- /data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/ Contains sent audio files.
- /data/media/0/WhatsApp/Media/WhatsApp Images/ Contains received graphics files.
- /data/media/0/WhatsApp/Media/WhatsApp Images/Sent/ Contains sent graphics files.
- /data/media/0/WhatsApp/Media/WhatsApp Video/ Contains received video files.
- /data/media/0/WhatsApp/Media/WhatsApp Video/Sent/ Contains sent video files.
- /data/media/0/WhatsApp/Media/WhatsApp Profile Photos/ Contains graphics files associated with the WhatsApp account owner.
To save memory space on an Android device, some of the WhatsApp data may be stored on an SD card. In its root, the SD card may have the WhatsApp directory, where the following artifacts can be found:
- Share (/mnt/sdcard/WhatsApp/.Share/) Contains copies of files that have been sent to other WhatsApp users.
- Trash (/mnt/sdcard/WhatsApp/.trash/) Contains deleted files.
- Databases (/mnt/sdcard/WhatsApp/Databases/) Contains encrypted backup copies. They can be decrypted using the key file extracted from the memory of the device.
Files located in the Databases subdirectory:
- Media (/mnt/sdcard/WhatsApp/Media/) Contains the subdirectories WallPaper, WhatsApp Audio, WhatsApp Images, WhatsApp Profile Photos, WhatsApp Video, and WhatsApp Voice Notes, which store received and sent multimedia files (graphics, videos, audio messages, photos associated with the WhatsApp account owner, and wallpapers).
- Profile Pictures (/mnt/sdcard/WhatsApp/Profile Pictures/) Contains graphics files associated with the WhatsApp account owner’s profile.
- Sometimes the SD card may have a files directory (/mnt/sdcard/WhatsApp/Files/), which contains files that store program settings and user preferences.
Data storage in some mobile devices
In some mobile devices running Android, WhatsApp artifacts can be stored in a different location. This is because the device’s system software can change the storage space of application data. For example, Xiaomi mobile devices have a feature called Second Space, which is designed for creating a second workspace on the device. When this feature is activated, the location of data changes. So, while a regular Android device stores user data in the /data/user/0/ directory (which is a link to the usual /data/data/), the second workspace stores application data in /data/user/10/. Let us compare where wa.db is located:
- Regular Android smartphone: /data/user/0/com.whatsapp/databases/wa.db (which is equivalent to /data/data/com.whatsapp/databases/wa.db)
- Xiaomi Second Space: /data/user/10/com.whatsapp/databases/wa.db.
WhatsApp artifacts in iOS devices
Unlike on Android, on iOS the WhatsApp data is included in the device backup copy (iTunes backup), so extracting it does not require extracting the file system or creating a physical memory dump. Most of the relevant information is stored in the ChatStorage.sqlite database, which is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/ (in some programs this path is displayed as AppDomainGroup-group.net.whatsapp.WhatsApp.shared).
ChatStorage.sqlite structure:
The most informative parts of the ChatStorage.sqlite database are the ZWAMESSAGE and ZWAMEDIAITEM tables.
Screenshot of the ZWAMESSAGE table:
Structure of the ZWAMESSAGE table:
| Field name | Meaning |
|---|---|
| Z_PK | Sequence number of the record (set by SQLite) |
| Z_ENT | Table identifier, has the value ‘9’ |
| Z_OPT | Unknown, usually has values from ‘1’ to ‘6’ |
| ZCHILDMESSAGESDELIVEREDCOUNT | Unknown, usually has the value ‘0’ |
| ZCHILDMESSAGESPLAYEDCOUNT | Unknown, usually has the value ‘0’ |
| ZCHILDMESSAGESREADCOUNT | Unknown, usually has the value ‘0’ |
| ZDATAITEMVERSION | Unknown, usually has the value ‘3’ and could be a text message indicator |
| ZDOCID | Unknown |
| ZENCRETRYCOUNT | Unknown, usually has the value ‘0’ |
| ZFILTEREDRECIPIENTCOUNT | Unknown, usually has the values ‘0’, ‘2’, ‘256’ |
| ZISFROMME | Message direction: ‘0’=incoming, ‘1’=outgoing |
| ZMESSAGEERRORSTATUS | Message status. ‘0’ if the message has been sent/received |
| ZMESSAGETYPE | Type of message |
| ZSORT | Unknown |
| ZSPOTLIGHTSTATUS | Unknown |
| ZSTARRED | Unknown and unused |
| ZCHATSESSION | Unknown |
| ZGROUPMEMBER | Unknown and unused |
| ZLASTSESSION | Unknown |
| ZMEDIAITEM | Unknown |
| ZMESSAGEINFO | Unknown |
| ZPARENTMESSAGE | Unknown and unused |
| ZMESSAGEDATE | Timestamp in the OS X Epoch Time format |
| ZSENTDATE | Time when the message was sent in the OS X Epoch Time format |
| ZFROMJID | WhatsApp ID of the sender |
| ZMEDIASECTIONID | Contains the month and year when the media file was sent |
| ZPHASH | Unknown and unused |
| ZPUSHNAME | Name of the contact who sent the media file in the UTF-8 format |
| ZSTANZAID | Unique message identifier |
| ZTEXT | Message content |
| ZTOJID | WhatsApp ID of the recipient |
| OFFSET | Offset |
Screenshot of the ZWAMEDIAITEM table:
Structure of the ZWAMEDIAITEM table:
| Field name | Meaning |
|---|---|
| Z_PK | Sequence number of the record (set by SQLite) |
| Z_ENT | Table identifier, has the value ‘8’ |
| Z_OPT | Unknown, usually has values from ‘1’ to ‘3’ |
| ZCLOUDSTATUS | Has the value ‘4’ if the file has been downloaded |
| ZFILESIZE | Contains file length (in bytes) for downloaded files |
| ZMEDIAORIGIN | Unknown, usually has the value ‘0’ |
| ZMOVIEDURATION | Media file length; for .pdf files can contain the number of pages |
| ZMESSAGE | Contains a sequence number (differs from the one specified in the Z_PK column) |
| ZASPECTRATIO | Aspect ratio, unused, usually has the value ‘0’ |
| ZHACCURACY | Unknown, usually has the value ‘0’ |
| ZLATITUDE | Width in pixels |
| ZLONGITUDE | Height in pixels |
| ZMEDIAURLDATE | Timestamp in the OS X Epoch Time format |
| ZAUTHORNAME | Author (for documents can contain the file name) |
| ZCOLLECTIONNAME | Unused |
| ZMEDIALOCALPATH | File name (with path specified) in the file system of the device |
| ZMEDIAURL | URL where the media file was located. If the file was transferred from one user to another, it will be encrypted and its extension will be .enc rather than that of the transferred file |
| ZTHUMBNAILLOCALPATH | Path to the file thumbnail in the file system of the device |
| ZTITLE | File header |
| ZVCARDNAME | Hash of the media file. Can contain the sender identifier if the file was sent to a group |
| ZVCARDSTRING | Contains information about the type of the transferred file (for example, image/jpeg). Can contain the sender identifier if the file was sent to a group |
| ZXMPPTHUMBPATH | Path to the file thumbnail in the file system of the device |
| ZMEDIAKEY | Unknown. Might contain the encryption key for an encrypted file |
| ZMETADATA | Transferred message metadata |
| Offset | Offset |
Other interesting tables in the ChatStorage.sqlite database are:
- ZWAPROFILEPUSHNAME. Associates WhatsApp ID with a contact name
- ZWAPROFILEPICTUREITEM. Associates WhatsApp ID with a contact’s avatar
- Z_PRIMARYKEY. Contains general information about the database, such as the total number of stored messages, total number of chats, etc.
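The ZWAMESSAGE and ZWAMEDIAITEM tables are read together, and their date columns use the OS X (Core Data) epoch, which counts seconds from 2001-01-01 00:00:00 UTC rather than from 1970. The script below is an added example, not code from the original post: it fills an in-memory ChatStorage.sqlite look-alike with constructed rows that use the column names listed above, converts the OS X Epoch Time values, and joins each message to its media item. One assumption not stated on the page: the join treats ZWAMEDIAITEM.ZMESSAGE as the Z_PK of the owning ZWAMESSAGE row. The JIDs, URL and paths are constructed.

```python
"""iOS ChatStorage.sqlite message/media join (added example, constructed data)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# OS X / Core Data epoch: seconds since 2001-01-01 00:00:00 UTC.
OSX_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def osx_to_iso(seconds):
    """Convert an OS X Epoch Time value (REAL seconds) to ISO-8601 UTC; NULL stays None."""
    if seconds is None:
        return None
    return (OSX_EPOCH + timedelta(seconds=float(seconds))).isoformat()


def build_sample_chatstorage():
    """Constructed test data: one incoming text, one outgoing image with a media item."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,
            ZISFROMME INTEGER, ZMESSAGETYPE INTEGER, ZMESSAGEERRORSTATUS INTEGER,
            ZMEDIAITEM INTEGER, ZMESSAGEDATE REAL, ZSENTDATE REAL,
            ZFROMJID TEXT, ZTOJID TEXT, ZPUSHNAME TEXT, ZSTANZAID TEXT, ZTEXT TEXT);
        CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,
            ZCLOUDSTATUS INTEGER, ZFILESIZE INTEGER, ZMESSAGE INTEGER,
            ZMEDIAURLDATE REAL, ZMEDIALOCALPATH TEXT, ZMEDIAURL TEXT,
            ZVCARDSTRING TEXT);
    """)
    con.executemany("INSERT INTO ZWAMESSAGE VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", [
        (1, 9, 0, 0, 0, None, 600000000.0, None,
         "15550001111@s.whatsapp.net", None, "Alice Example", "S1", "hi there"),
        (2, 9, 1, 1, 0, 1, 600000300.0, 600000300.0,
         None, "15550001111@s.whatsapp.net", None, "S2", None),
    ])
    con.executemany("INSERT INTO ZWAMEDIAITEM VALUES (?,?,?,?,?,?,?,?,?)", [
        # ZMESSAGE=2 points at the outgoing message; ZCLOUDSTATUS=4 means downloaded
        (1, 8, 4, 4096, 2, 600000310.0,
         "Message/Media/15550001111@s.whatsapp.net/a/b/photo.jpg",
         "https://mmg.example.invalid/d/f/photo.enc", "image/jpeg"),
    ])
    con.commit()
    return con


def messages_with_media(con):
    """Return every message (oldest first) with its media item fields, if any."""
    sql = """
        SELECT m.Z_PK, m.ZISFROMME, m.ZMESSAGEDATE, m.ZFROMJID, m.ZTOJID,
               m.ZPUSHNAME, m.ZTEXT, mi.ZCLOUDSTATUS, mi.ZFILESIZE,
               mi.ZMEDIALOCALPATH, mi.ZMEDIAURL, mi.ZVCARDSTRING, mi.ZMEDIAURLDATE
        FROM ZWAMESSAGE m
        LEFT JOIN ZWAMEDIAITEM mi ON mi.ZMESSAGE = m.Z_PK   -- assumed relation
        ORDER BY m.ZMESSAGEDATE
    """
    out = []
    for r in con.execute(sql):
        outgoing = r[1] == 1
        url = r[10]
        out.append({
            "pk": r[0],
            "direction": "outgoing" if outgoing else "incoming",
            "date": osx_to_iso(r[2]),
            # ZTOJID identifies the partner for outgoing messages, ZFROMJID for incoming
            "partner": r[4] if outgoing else r[3],
            "push_name": r[5],
            "text": r[6],
            "media_downloaded": r[7] == 4,
            "media_size": r[8],
            "media_path": r[9],
            "media_mime": r[11],
            "media_url_date": osx_to_iso(r[12]),
            # the post notes transferred media URLs carry the .enc extension
            "media_url_encrypted": bool(url) and url.endswith(".enc"),
        })
    return out


if __name__ == "__main__":
    for row in messages_with_media(build_sample_chatstorage()):
        print(row)
```

When reporting times from this database next to Android artifacts, convert both to UTC first: a raw ZMESSAGEDATE value is not comparable to a msgstore.db timestamp (milliseconds since 1970) without this conversion.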
In addition, when examining WhatsApp on an iOS mobile device, take note of the following files:
- BackedUpKeyValue.sqlite Contains cryptographical keys and other data required for account owner identification. It is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- ContactsV2.sqlite Contains information about user contacts, such as names, phone numbers, contact statuses (as text), WhatsApp ID, etc. It is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- consumer_version Contains WhatsApp version number and is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.
- current_wallpaper.jpg Contains current WhatsApp background wallpapers and is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/. Older versions of the app use the wallpaper file, which is located under the path /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.
- blockedcontacts.dat Contains information about blocked contacts and is located under the path /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.
- pw.dat. Contains an encrypted password and is located under the path /private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/.
- net.whatsapp.WhatsApp.plist (or group.net.whatsapp.WhatsApp.shared.plist). Contains information about the WhatsApp profile and is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/.
Contents of the group.net.whatsapp.WhatsApp.shared.plist file:
- /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/ Contains thumbnails of contacts and groups (files with the .thumb extension), contact avatars, and the WhatsApp account owner’s avatar (the Photo.jpg file).
- /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/ Message/Media/ Contains multimedia files and their thumbnails.
- /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/ Contains a program operation log (the calls.log file) and backup copies of program operation logs (the calls.backup.log file).
- /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/ Contains stickers (the .webp files).
- /private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/ Contains program operation logs.
WhatsApp artifacts in Windows
WhatsApp artifacts in Windows can be found in several places. Most importantly, these are directories that contain executable and auxiliary files (for Windows 8/10):
- \Program Files (x86)\WhatsApp\
- \Users\%User profile%\AppData\Local\WhatsApp\
- \Users\%User profile%\AppData\Local\VirtualStore\Program Files (x86)\WhatsApp\
The \Users\%User profile%\AppData\Local\WhatsApp\ directory stores the SquirrelSetup.log log file, which contains information about checks for updates and program installation.
The \Users\%User profile%\AppData\Roaming\WhatsApp\ directory has several subdirectories:
The main-process.log file contains information about WhatsApp’s operation.
The databases subdirectory contains Databases.db. This file, however, does not have any information about chats or contacts.
The most interesting files from a forensics perspective are those found in the Cache directory. These are files with the name f_******* (where * is a number from 0 to 9) containing encrypted multimedia files and documents. Some of them, however, can be unencrypted. The most interesting files here are data_0, data_1, data_2, and data_3, which are located in the same subdirectory. These files contain external links to encrypted transferred multimedia files and documents.
Example of information contained in the data_1 file:
data_3 can also contain graphics files.
data_2 contains contact avatars (they can be restored by searching for file headers).
Avatars contained in data_2:
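The note above that avatars in data_2 can be restored by searching for file headers describes ordinary file carving: scan the blob for the JPEG start-of-image marker and cut at the matching end-of-image marker. The script below is an added example, not code from the original post. It does not parse the cache file's own structure; it only scans raw bytes, which is what the post describes. One caveat handled here: a JPEG with EXIF metadata may embed a thumbnail JPEG with its own end marker, so the scanner tracks marker nesting instead of stopping at the first FFD9. The sample blob is constructed.

```python
"""Carve JPEG images from a raw cache blob such as data_2 (added example, constructed data)."""
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by the first marker byte


def carve_jpegs(blob):
    """Return [(offset, image_bytes), ...] for every complete JPEG found in blob.

    Nesting is tracked so that an embedded EXIF thumbnail (its own FFD8...FFD9)
    does not terminate the outer image early. A trailing image with no end
    marker is treated as truncated and skipped.
    """
    found = []
    pos = 0
    n = len(blob)
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        depth = 0
        end = -1
        i = start
        while i < n - 1:
            if blob[i] == 0xFF:
                marker = blob[i + 1]
                if marker == 0xD8:          # nested or outer SOI
                    depth += 1
                elif marker == 0xD9:        # EOI
                    depth -= 1
                    if depth == 0:
                        end = i + 2
                        break
            i += 1
        if end < 0:
            break                           # truncated image at end of blob
        found.append((start, blob[start:end]))
        pos = end
    return found


def save_carved(found, out_dir):
    """Write each carved image as <offset>.jpg into out_dir; returns the paths written."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, data in found:
        p = out_dir / f"avatar_{offset:08x}.jpg"
        p.write_bytes(data)
        paths.append(p)
    return paths


# Constructed sample: a minimal JFIF image, an image with a nested EXIF
# thumbnail, and a truncated image at the end (no EOI, must be skipped).
SAMPLE_JPEG_PLAIN = (b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01\x02" + b"\xff\xd9")
SAMPLE_JPEG_NESTED = (b"\xff\xd8\xff\xe1" + b"Exif\x00\x00"
                      + b"\xff\xd8\xff\xdb" + b"\x00\x04" + b"\xff\xd9"   # thumbnail
                      + b"\xaa\xbb" + b"\xff\xd9")
SAMPLE_BLOB = (b"junk" + SAMPLE_JPEG_PLAIN + b"\x00" * 5 + SAMPLE_JPEG_NESTED
               + b"trailing" + b"\xff\xd8\xff\xe0partial")


if __name__ == "__main__":
    for offset, img in carve_jpegs(SAMPLE_BLOB):
        print(f"JPEG at offset {offset}, {len(img)} bytes")
```

Carved output should be validated with an image library before it is relied on, and each carved file should be recorded with its source blob and byte offset so that the recovery can be reproduced.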
Chats cannot be found in computer memory. What can be found, however, is:
- multimedia files
- documents transferred via WhatsApp
- contact information about the account owner
WhatsApp artifacts in MacOS
MacOS has WhatsApp artifacts similar to those found in Windows OS.
For older versions of MacOS, the program’s files are located in the following directories:
- \Applications\WhatsApp.app
- \Applications\._WhatsApp.app
- \Users\%User profile%\Library\Preferences
- \Users\%User profile%\Library\Logs\WhatsApp
- \Users\%User profile%\Library\Saved Application State\WhatsApp.savedState
- \Users\%User profile%\Library\Application Scripts
- \Users\%User profile%\Library\Application Support\CloudDocs
- \Users\%User profile%\Library\Application Support\WhatsApp.ShipIt
- \Users\%User profile%\Library\Containers\com.rockysandstudio.app-for-whatsapp
- \Users\%User profile%\Library\Mobile Documents\<text variable> WhatsApp\Accounts
This directory contains subdirectories whose names are phone numbers associated with the WhatsApp account owner.
- \Users\%User profile%\Library\Caches\WhatsApp.ShipIt\
This directory contains information about the installation of the program.
- \Users\%User profile%\Pictures\iPhoto.photolibrary\Masters\; \Users\%User profile%\Pictures\iPhoto.photolibrary\Thumbnails\
These directories contain the program’s service files, including photos and thumbnails of WhatsApp contacts.
- \Users\%User profile%\Library\Caches\WhatsApp\
This directory only contains several SQLite databases, which are used for data caching.
- \Users\%User profile%\Library\Application Support\WhatsApp\
This directory contains several subdirectories:
- \Users\%User profile%\Library\Application Support\WhatsApp\Cache\ The directory contains the files data_0, data_1, data_2, data_3 as well as files with the names f_******* (where * is a number from 0 to 9). For information about what kind of data is stored in these files, see the “WhatsApp artifacts in Windows” section of this article.
- \Users\%User profile%\Library\Application Support\WhatsApp\IndexedDB\ The directory can contain multimedia files (without extensions).
- The main-process.log file contains information about WhatsApp’s operation.
Since OS X Yosemite, the artifacts may be located in new places:
- \Users\%User profile%\Library\Containers\desktop.WhatsApp
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\Preferences
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Logs\WhatsApp
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Saved Application State\desktop.WhatsApp.savedState
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Scripts
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\iCloud
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\IndexedDB The directory can contain multimedia files (without extensions).
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\GPUCache
- \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\Cache The directory contains the files with the names f_******* (where * is a number from 0 to 9). For information about what kind of data is stored in these files, see the “WhatsApp artifacts in Windows” section of this article.
Sources
- Forensic analysis of WhatsApp Messenger on Android smartphones, by Cosimo Anglano, 2014.
- Whatsapp Forensics: Eksplorasi sistem berkas dan basis data pada aplikasi Android dan iOS by Ahmad Pratama, 2014.